BSI activities in developing PPs and the BSI-PP/ST-Guide

Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security

ICCC September 2007

Frank Grefrath

Slide 2: Agenda

BSI-activities in PP-certification

Introduction of the PP “Digitales Wahlstift-System, V. 1.0.1”

Introduction of the BSI-PP/ST-Guide

Slide 3: Recently certified PPs in the BSI-CC-Scheme

BSI-PP-0031-2007: “Protection Profile Digitales Wahlstift-System, V. 1.0.1”

The PP defines the minimum requirements for IT-security of systems for technical assistance in elections on the basis of a digital election pen

BSI-PP-0034-2007: “Mobile Synchronisation Services Protection Profile, V. 1.1”

The purpose of such a system is to provide secure remote access of mobile users (e.g. using a PDA) to e-mail or PIM (personal information management) services located in a company’s intranet

Slide 4: Recently certified PPs in the BSI-scheme

BSI-PP-0035-2007: “Security IC Platform Protection Profile” (update of BSI-PP-0002-2001)

The defined TOE is a smartcard integrated circuit which is composed of a processing unit, security components, I/O ports (contact-based and/or contactless) and volatile and non-volatile memories (hardware)

Different PPs for the German electronic health systems are currently under evaluation

Slide 5: Protection Profile for a digital election system: System Overview

A digital election system which is compliant to the PP serves for electronic assistance in complex elections

The voter makes his votes with a digital pen on a special kind of paper

The camera of the pen records his votes and then the data is transferred to a PC

There the data is analysed, the votes are counted automatically and a protection against manipulation of the election result is generated

Slide 6: Protection Profile for a digital election system: Motivation / Benefit

Voting takes place in a familiar way for the voter: making crosses with a pen on paper

Vote counting can be carried out much faster and easier

Typical failures in manual counting can be avoided

In cases of doubt the electronic election result can be controlled by manually counting the paper ballots

Complex elections can be conducted without great manpower requirements

Slide 7: Protection Profile for a digital election system: Main IT-Security Features

Recording the votes on the paper ballots with the pen

Transferring the election data to a PC via USB

Storing the data on the PC without being traceable to the voter

Analysing the votes and dividing them into valid, doubtable and invalid votes

Judging of the doubtable votes by the scrutineers

Automatic calculation of the election result

Generation and display of a proof of origin

Logging of security relevant events

Slide 8: Protection Profile for a digital election system: Physical Boundaries of the TOE

Hardware: Digital election pens and docking stations

Firmware: Firmware of the digital election pen, recording the marks on the paper

Software: TOE application software for controlling the pens, storing the election data during the election, judging and counting the votes, generating a proof of origin and logging security relevant events

Slide 9: Protection Profile for a digital election system: TOE Security Environment

The PP contains assumptions covering the following aspects:

Usage assumptions resulting from the German election law

Trustworthy and carefully working administrators and scrutineers

Correctly and securely configured PC platform

The TOE counters the following threats:

Disclosure of election data and protocol data

Disturbance and manipulation of the technical procedures

Unnoticed manipulation of the election pen and the election result

Successful tracing between election data and voter

Slide 10: Protection Profile for a digital election system: General Regulations

Validity: Valid until June 30th, 2008

CC Assurance level: EAL 3

Combined evaluation: EAL3 CC certification by the BSI, and approval by the Physikalisch-Technische Bundesanstalt according to the German election law, with source code analysis and emission measurement

Slide 11: BSI PP/ST-Guide: Introduction

CC, Version 3.1

Intended audience for the guide: PP/ST readers with little or no CC knowledge; PP/ST writers; evaluators and certifiers

Slide 12: BSI PP/ST-Guide: Structure of the guide

What is the purpose of PPs/STs? Which role does a PP play when purchasing a product?

Reading PPs/STs

Writing of PPs in two different methods: the stove-piping method and the explanation method

Writing of STs

Slide 13: BSI PP/ST-Guide: Stove-Piping Method

Procedure:

Determine which SFRs for the TOE and which security objectives for the operational environment are desired

Create a single security objective for the TOE for each SFR

Create an OSP for each security objective for the TOE

Create an assumption for each security objective for the operational environment

Write the remaining chapters (PP introduction and conformance claims)

Slide 14: BSI PP/ST-Guide: Stove-Piping Method

Advantages:

Simple and fast method to write a PP

The PP almost automatically meets many of the requirements of the APE class

Disadvantages:

The question why the TOE implements the description of the PP is not answered

The PP merely states on three different levels (TOE security environment, security objectives, SFRs) “This is what the TOE does.”

Slide 15: BSI PP/ST-Guide: Explanation Method - Overview

The focus lies on deriving the various items in a PP, rather than simply stating them.

Procedure (part 1):

Write the conformance claims

Analyse the OSPs

Analyse the threats

Derive the security objectives for the TOE and the operational environment, including the security objectives rationale

Slide 16: BSI PP/ST-Guide: Explanation Method - Overview

Procedure (part 2):

Derive the SFRs, including the security requirements rationale

Define the SARs and explain why you have chosen them

Write the PP introduction
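Both methods end up with the same tracing that the rationale chapters must document: security problem definition to objectives, TOE objectives to SFRs. As an added example (not code from the BSI guide or from the PP), the following models that tracing as data: stove_pipe builds a PP the way the stove-piping slide describes, and tracing_gaps reports what an APE-style completeness check would flag, so a PP written by the explanation method can be checked the same way. The SFR names are CC Part 2 component names; every threat, OSP and objective name is constructed for the example.

```python
# Added example (not from the BSI guide or the PP): a PP's rationale tracing
# as data, built by stove-piping and checked for the gaps an APE evaluation
# looks for. Threat, OSP and objective names are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class ProtectionProfile:
    threats: set = field(default_factory=set)
    osps: set = field(default_factory=set)
    assumptions: set = field(default_factory=set)
    toe_objectives: set = field(default_factory=set)
    env_objectives: set = field(default_factory=set)
    sfrs: set = field(default_factory=set)
    obj_rationale: dict = field(default_factory=dict)  # threat/OSP/assumption -> objectives
    sfr_rationale: dict = field(default_factory=dict)  # TOE objective -> SFRs

def stove_pipe(sfrs, env_objectives):
    """Stove-piping: objective per SFR, OSP per TOE objective, assumption per environment objective."""
    pp = ProtectionProfile(sfrs=set(sfrs), env_objectives=set(env_objectives))
    for sfr in sfrs:
        obj, osp = "O." + sfr, "P." + sfr
        pp.toe_objectives.add(obj)
        pp.osps.add(osp)
        pp.obj_rationale[osp] = {obj}
        pp.sfr_rationale[obj] = {sfr}
    for oe in env_objectives:
        assumption = "A." + oe.removeprefix("OE.")
        pp.assumptions.add(assumption)
        pp.obj_rationale[assumption] = {oe}
    return pp

def tracing_gaps(pp):
    """APE-style tracing checks; an empty list means the rationale is complete."""
    gaps = []
    for item in pp.threats | pp.osps | pp.assumptions:
        if not pp.obj_rationale.get(item):
            gaps.append(f"{item} is not addressed by any security objective")
    for a in pp.assumptions:  # assumptions are upheld by the environment only
        if pp.obj_rationale.get(a, set()) & pp.toe_objectives:
            gaps.append(f"{a} is traced to a TOE objective")
    traced = set().union(*pp.obj_rationale.values())
    for obj in (pp.toe_objectives | pp.env_objectives) - traced:
        gaps.append(f"{obj} is not traced to any threat, OSP or assumption")
    for obj in pp.toe_objectives:
        if not pp.sfr_rationale.get(obj):
            gaps.append(f"{obj} is not met by any SFR")
    for sfr in pp.sfrs - set().union(*pp.sfr_rationale.values()):
        gaps.append(f"{sfr} does not trace back to a TOE objective")
    return gaps
```

A stove-piped PP passes the check by construction, which is the "almost automatically meets the APE class" point of slide 14; the same check on a hand-written PP lists exactly the threats, objectives and SFRs whose rationale still has to be argued.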

Slide 17: BSI PP/ST-Guide: Explanation Method - Analysing the SPD

Analysing the OSPs: laws, rules, practices or guidelines

Analysing the threats. Questions for the definition: What happens when I don't have a TOE? What are the assets to be protected? What are the adverse actions? Who are the threat agents?

Assumptions will not be defined

Slide 18: BSI PP/ST-Guide: Explanation Method - Deriving the objectives

Deriving the security objectives for the TOE and the operational environment

Purpose: providing a high-level, natural-language solution of the problem, and building a bridge between the threats and OSPs on one side and the SFRs on the other side

Three questions: Where will the TOE be placed, and can it be physically attacked there? What is the purpose of the TOE? How is the TOE managed?

Slide 19: BSI PP/ST-Guide: Explanation Method - Deriving the SFRs

Deriving the SFRs: not yet worked out, but will be added in the next version

Considered approach:

Short introducing statement to CC Part 2

Different examples for each functional class

Possibly more detailed explanations of certain aspects, like the definition of access control policies, information flow policies or an I&A policy

Slide 20: BSI PP/ST-Guide: Publication

The Guide is currently being developed by the BSI in a project

Upon completion the Guide will be published on the BSI homepage: http://www.bsi.de

Slide 21: Contact

Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security

Godesberger Allee 185-189, 53175 Bonn

Frank Grefrath, Tel: +49 (0)228-9582-5838, Fax: +49 (0) [email protected]