BSI activities in developing PPs and the BSI-PP/ST-Guide
Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security
ICCC September 2007
Frank Grefrath
Frank Grefrath September 2007 Slide 2
Agenda
BSI activities in PP certification
Introduction to the PP “Digitales Wahlstift-System, V. 1.0.1”
Introduction to the BSI PP/ST-Guide
Recently certified PPs in the BSI CC scheme
BSI-PP-0031-2007: “Protection Profile Digitales Wahlstift-System, V. 1.0.1”
The PP defines the minimum IT security requirements for systems that provide technical assistance in elections on the basis of a digital election pen
BSI-PP-0034-2007: “Mobile Synchronisation Services Protection Profile, V. 1.1”
The purpose of such a system is to give mobile users (e.g. using a PDA) secure remote access to e-mail or PIM (personal information management) services located in a company’s intranet
Recently certified PPs in the BSI scheme
BSI-PP-0035-2007: “Security IC Platform Protection Profile” (update of BSI-PP-0002-2001)
The defined TOE is a smartcard integrated circuit composed of a processing unit, security components, I/O ports (contact-based and/or contactless) and volatile and non-volatile memories (hardware)
Several PPs for the German electronic health system are currently under evaluation
Protection Profile for a digital election system - System Overview
A digital election system that complies with the PP provides electronic assistance in complex elections
The voter casts his votes with a digital pen on a special kind of paper
The pen’s camera records the votes, and the data is then transferred to a PC
There the data is analysed, the votes are counted automatically, and a safeguard against manipulation of the election result is generated
Protection Profile for a digital election system - Motivation / Benefit
Voting takes place in a way familiar to the voter: making crosses with a pen on paper
Vote counting can be carried out much faster and more easily
Typical errors in manual counting can be avoided
In cases of doubt, the electronic election result can be checked by manually counting the paper ballots
Complex elections can be conducted without large manpower requirements
Protection Profile for a digital election system - Main IT Security Features
Recording the votes on the paper ballots with the pen
Transferring the election data to a PC via USB
Storing the data on the PC without it being traceable to the voter
Analysing the votes and dividing them into valid, doubtful and invalid votes
Judging of the doubtful votes by the scrutineers
Automatic calculation of the election result
Generation and display of a proof of origin
Logging of security-relevant events
Protection Profile for a digital election system - Physical Boundaries of the TOE
Hardware: digital election pens and docking stations
Firmware: firmware of the digital election pen, recording the marks on the paper
Software: TOE application software for controlling the pens, storing the election data during the election, judging and counting the votes, generating a proof of origin, and logging security-relevant events
Protection Profile for a digital election system - TOE Security Environment
The PP contains assumptions covering the following aspects:
Usage assumptions resulting from the German election law
Trustworthy and careful administrators and scrutineers
Correctly and securely configured PC platform
The TOE counters the following threats:
Disclosure of election data and protocol data
Disturbance and manipulation of the technical procedures
Undetected manipulation of the election pen and the election result
Successful tracing between election data and voter
Protection Profile for a digital election system - General Regulations
Validity: valid until June 30th, 2008
CC assurance level: EAL 3
Combined evaluation: EAL3 CC certification by the BSI, plus approval by the Physikalisch-Technische Bundesanstalt according to the German election law, with source code analysis and emission measurement
BSI PP/ST-Guide - Introduction
Based on CC, Version 3.1
Intended audience for the guide:
PP/ST readers with little or no CC knowledge
PP/ST writers
Evaluators, certifiers
BSI PP/ST-Guide - Structure of the guide
What is the purpose of PPs/STs? What role does a PP play when purchasing a product?
Reading PPs/STs
Writing PPs using two different methods: the stove-piping method and the explanation method
Writing STs
BSI PP/ST-Guide - Stove-Piping Method
Procedure:
Determine which SFRs for the TOE and which security objectives for the operational environment are desired
Create a single security objective for the TOE for each SFR
Create an OSP for each security objective for the TOE
Create an assumption for each security objective for the operational environment
Write the remaining chapters (PP introduction and conformance claims)
BSI PP/ST-Guide - Stove-Piping Method
Advantages:
Simple and fast method to write a PP
The PP almost automatically meets many of the requirements of the APE class
Disadvantages:
The question of why the TOE implements what the PP describes is not answered
The PP merely states on three different levels (TOE security environment, security objectives, SFRs): “This is what the TOE does.”
BSI PP/ST-Guide - Explanation Method - Overview
The focus lies on deriving the various items in a PP rather than simply stating them.
Procedure (part 1):
Write the conformance claims
Analyse the OSPs
Analyse the threats
Derive the security objectives for the TOE and the operational environment, including the security objectives rationale
BSI PP/ST-Guide - Explanation Method - Overview
Procedure (part 2):
Derive the SFRs, including the security requirements rationale
Define the SARs and explain why you have chosen them
Write the PP introduction
BSI PP/ST-Guide - Explanation Method - Analysing the SPD
Analysing the OSPs: laws, rules, practices or guidelines
Analysing the threats, using these defining questions: What happens when I don’t have a TOE? What are the assets to be protected? What are the adverse actions? Who are the threat agents?
Assumptions will not be defined
BSI PP/ST-Guide - Explanation Method - Deriving the objectives
Deriving the security objectives for the TOE and the operational environment
Purpose: providing a high-level, natural-language solution to the problem
Building a bridge between the threats and OSPs on one side and the SFRs on the other
Three questions:
Where will the TOE be placed, and can it be physically attacked there?
What is the purpose of the TOE?
How is the TOE managed?
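As an added illustration (not code from the BSI guide or from the election-pen PP), the following Python sketch models the tracing both writing methods produce: a PP built with the stove-piping method above passes an APE-style rationale check by construction, while a skeleton derived the explanation-method way has many-to-many tracing that must be checked, here with a deliberately left gap. All T./P./A./O./OE. names and the SFR identifiers are constructed samples.

```python
# Added example (not from the BSI guide or BSI-PP-0031-2007): a rationale-coverage
# check for a PP skeleton. All T./P./A./O./OE. names and SFRs are constructed samples.
from collections import defaultdict

def stove_pipe(sfrs, env_objectives):
    """Stove-piping method: one TOE objective and one OSP per SFR, one
    assumption per security objective for the operational environment."""
    spd = {f"P.{s}": [f"O.{s}"] for s in sfrs}                  # OSP -> objectives
    spd.update({f"A.{oe.removeprefix('OE.')}": [oe] for oe in env_objectives})
    return {"spd": spd,
            "toe_objectives": {f"O.{s}": [s] for s in sfrs},     # objective -> SFRs
            "env_objectives": set(env_objectives),
            "sfrs": set(sfrs)}

def rationale_gaps(pp):
    """Gaps an APE-style rationale review would flag: uncovered threats/OSPs,
    assumptions upheld by the TOE, unused objectives, untraced SFRs."""
    gaps, used_obj, used_sfr = [], defaultdict(list), set()
    for item, objs in pp["spd"].items():
        if not objs:
            gaps.append(f"{item} is addressed by no security objective")
        for o in objs:
            used_obj[o].append(item)
            if item.startswith("A.") and o in pp["toe_objectives"]:
                gaps.append(f"{item} must be upheld by the environment, not {o}")
    for o in list(pp["toe_objectives"]) + sorted(pp["env_objectives"]):
        if o not in used_obj:
            gaps.append(f"{o} addresses nothing in the SPD")
    for o, sfrs in pp["toe_objectives"].items():
        if not sfrs:
            gaps.append(f"{o} is met by no SFR")
        used_sfr.update(sfrs)
    for s in sorted(pp["sfrs"] - used_sfr):
        gaps.append(f"{s} traces back to no TOE objective")
    return gaps

# Explanation-method skeleton (constructed): objectives are derived from threats
# and OSPs, so tracing is many-to-many. T.Manipulation and FPT_STM.1 are left
# untraced on purpose so the check has something to find.
EXPLAINED_PP = {
    "spd": {"T.Disclosure": ["O.Confidentiality"], "T.Tracing": ["O.Anonymity"],
            "T.Manipulation": [], "P.Logging": ["O.Audit"],
            "A.TrustedAdmin": ["OE.TrustedAdmin"]},
    "toe_objectives": {"O.Confidentiality": ["FDP_ACC.1"],
                       "O.Anonymity": ["FPR_UNL.1"], "O.Audit": ["FAU_GEN.1"]},
    "env_objectives": {"OE.TrustedAdmin"},
    "sfrs": {"FDP_ACC.1", "FPR_UNL.1", "FAU_GEN.1", "FPT_STM.1"},
}
```

Running `rationale_gaps(EXPLAINED_PP)` reports the untraced threat and SFR, whereas the stove-piped PP reports nothing, which is exactly the "meets the APE requirements almost automatically" property the slides describe.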
BSI PP/ST-Guide - Explanation Method - Deriving the SFRs
Deriving the SFRs: not yet worked out, but will be added in the next version
Considered approach:
Short introductory statement on CC Part 2
Different examples for each functional class
Possibly more detailed explanations of certain aspects, such as the definition of access control policies, information flow policies or an I&A policy
BSI PP/ST-Guide - Publication
The Guide is currently being developed by the BSI in a project
Upon completion the Guide will be published on the BSI homepage: http://www.bsi.de
Contact
Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security
Godesberger Allee 185-189, 53175 Bonn
Frank Grefrath
Tel: +49 (0)228-9582-5838
Fax: +49 (0)
[email protected]