DOCSLIB.ORG

Keyone 4.0 Security Target

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Keyone 4.0 Security Target Security Target KeyOne 4.0 © Copyright 1999-2014 Safelayer Secure Communications, S.A. All rights reserved. KeyOne 4.0 Security Target This document is copyright of Safelayer Secure Communications, S.A. Its contents are confidential and access is restricted to Safelayer Secure Communications, S.A. personnel. No part of this document may be copied, reproduced or stored in any form or by any means, electronic, mechanical, recording, or in any other way, without the permission of Safelayer Secure Communications, S.A. Safelayer Secure Communications, S.A. Phone: +34 93 508 80 90 Fax: +34 93 508 80 91 Web: www.safelayer.com Email: [email protected] 95A278AC 2.1 CONTENTS 1 – Introduction ................................................................................................................................... 3 1.1 Security Target and TOE Reference ............................................................................................... 3 1.2 TOE Overview ..................................................................................................................................... 4 1.2.1 KeyOne Certification Authority 4 1.2.2 KeyOne Registration Authority 4 1.2.3 KeyOne Validation Authority 5 1.2.4 Environment Components 5 1.3 TOE Description .................................................................................................................................. 6 1.3.1 Physical Scope of the TOE 6 1.3.2 Logical Scope of the TOE 7 1.3.3 The TOE 9 1.3.4 Conformance Claims 16 1.3.5 Legal, Business and Technical Agreements 17 2 – Security Problem Definition ........................................................................................................ 21 2.1 Secure Usage Assumptions ............................................................................................................ 21 2.2 Threats ............................................................................................................................................... 23 2.3 Organizational Security Policies .................................................................................................... 24 3 – Security Objectives ..................................................................................................................... 25 3.1 Security Objectives for the TOE ..................................................................................................... 25 3.2 Security Objectives for the Environment ..................................................................................... 26 3.2.1 Non-IT security Objectives for the Environment 26 3.2.2 IT Security Objectives for the Environment 27 3.3 Security Objectives for both the TOE and the Environment ..................................................... 28 4 – Security Requirements ................................................................................................................ 31 4.1 TOE Security Requirements ............................................................................................................ 31 4.1.1 TOE Security Functional Requirements 31 4.1.2 TOE Extended Security Functional Requirements 48 4.1.3 TOE Security Assurance Requirements 69 4.2 Security requirements for the IT environment ............................................................................. 80 4.2.1 Security Functional Requirements for the IT environment 80 4.2.2 Proprietary Extended Security Requirements for the IT environment 94 4.2.3 Proprietary Extended Security Non-IT Requirements for the environment 94 4.2.4 CIMC Extended Security Functional Requirements 95 4.3 Security Rationale ........................................................................................................................... 96 4.3.1 Security Objectives Rationale 96 4.3.2 Security Requirements Rationale 109 4.3.3 Internal consistency and Mutual Support 118 5 – TOE Summary Specification ..................................................................................................... 123 5.1 Audit Data Management ............................................................................................................ 123 5.1.1 Functional requirements satisfied by the TOE 123 5.2 Secure Database .......................................................................................................................... 132 5.2.1 Internal structure of an i3D database 133 5.2.2 Functional requirements satisfied by the TOE 136 5.3 Access Control Management .................................................................................................... 141 5.3.1 Users, groups and roles 141 5.3.2 Controlling the access to the KeyOne functions 143 Security Target 1 KeyOne 4.0 WWW.SAFELAYER.COM 95A278AC 2.1 Introduction 5.3.3 Functional requirements satisfied by the TOE 143 5.4 Identification and Authentication .............................................................................................. 148 5.4.1 Authentication of the initial users 148 5.4.2 Special groups of users 149 5.4.3 Authentication modes 149 5.4.4 Functional requirements satisfied by security functions 150 5.5 Management of security parameters and functions .............................................................. 152 5.5.1 Functions of KeyOne System 153 5.5.2 KeyOne Configuration 154 5.5.3 Managing the KeyOne Configuration 154 5.5.4 Protecting the KeyOne Configuration 155 5.5.5 Functional requirements satisfied by security functions 156 5.6 Secure Communications ............................................................................................................. 156 5.6.1 KeyOne batches 156 5.6.2 Functional requirements satisfied by security functions 159 5.7 Certification and keys Management ........................................................................................ 163 5.7.1 Functional requirements satisfied by security functions 163 5.8 Private Secure Store ..................................................................................................................... 171 5.8.1 Private Secure Store Functionality 171 5.8.2 Functional requirements satisfied by security functions 172 5.9 Backup and Recovery ................................................................................................................. 173 5.9.1 Functional requirements satisfied by security functions 173 6 – Bibliography, Definitions and Acronyms ................................................................................ 175 6.1 Bibliography ................................................................................................................................... 175 6.2 Definitions ....................................................................................................................................... 177 6.3 Acronyms ....................................................................................................................................... 178 2 Security Target KeyOne 4.0 WWW.SAFELAYER.COM 95A278AC 2.1 CHAPTER 1 1 Introduction 1.1 Security Target and TOE Reference Document Identifier 95A278AC v2.1 Title Security Target – KeyOne 4.0 Issue Date September, 2014 Release Identifier Release Base: 4.0.13S2R1 Release Patches: 4.0.13S2R1_B01, 4.0.13S2R1_B02 Authors Safelayer Secure Communications S.A. CC Version Common Criteria version 3.1 Release 4 Evaluated TOE KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0, CRL Authority Add-in for KeyOne CA, ePassport Country Verifying CA Add-in for KeyOne CA and ePassport Document Verifier Add-in for KeyOne CA. TOE Name KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0 From a commercial point of view, the products evaluated correspond to the "Evaluated TOE" row of the previous table, i.e., the following products: KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0, the CRL Authority Add-in for KeyOne CA, the ePassport Country Verifying CA Add-in for KeyOne CA and the ePassport Document Verifier Add-in for KeyOne CA. Security Target 3 KeyOne 4.0 WWW.SAFELAYER.COM 95A278AC 2.1 Introduction 1.2 TOE Overview 1.2.1 KeyOne Certification Authority KeyOne CA is a software application that performs the Certification Authority functions of issuing public key digital certificates using the syntax defined in ITU-T X.509v3.KeyOne CA forms part of the Safelayer Public Key Infrastructure (PKI) solution. KeyOne CA can act as a Root CA, Subordinate CA, Cross CA, Bridge CA, Online CA and Offline CA. Depending on how it is used, the CA operates in conjunction with a Registration Authority product that assumes the entity registration functions. KeyOne CA can also operate in conjunction with the Validation Authority product to provide the digital certificate validation service. The main functions of KeyOne CA are to: • Generate and protect the private keys via the use of cryptographic devices (HSM). • Automatically manage the life-cycle and the coexistence of the private keys of the CA. • Manage recognized RAs and assign them certification policies. • Generate the ITU-T X509v3 digital certificates (for users and applications) requested by the RAs. • Generate and publish lists of revoked and suspended digital certificates (CRLs). • Report on the status of the digital certificates so the validation service (VA) can publish it via OCSP. • Guarantee the secure auditing of the events and actions carried out in the system. KeyOne CA is designed to facilitate compliance with the security requirements for trustworthy systems managing certificates for electronic signatures (CEN CWA 14167- 1) in terms of roles and events.
Load more

Recommended publications
  • Cen Workshop Agreement Cwa 15264-1
    CEN CWA 15264-1 WORKSHOP April 2005 AGREEMENT ICS 35.240.15 English version Architecture for a European interoperable eID system within a smart card infrastructure This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG Management Centre: rue de Stassart, 36 B-1050 Brussels © 2005 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No.:CWA 15264-1:2005 E CWA
    [Show full text]
  • USPTO CPS Document
    Certificate Policy for the United States Patent and Trademark Office April 28, 2021 Version 4.0 Prepared by: United States Patent and Trademark Office Public Key Infrastructure Policy Authority Approved: Date: Henry J. Holcombe Jr. Chief Information Officer United States Patent and Trademark Office Public Key Infrastructure Certificate Policy Version 4.0 This page is intentionally left blank. United States Patent and Trademark Office Public Key Infrastructure Certificate Policy Version 4.0 REVISION HISTORY Version Date Editor Change Description 1.1-1.3 8/20/04 Darryl Version 1.3 was the first signed version. Clemons 1.4 12/8/04 Amit Jain Modified sections 1.4.2, 2.7.1, 3.1.4, 3.2.1, 4.2.1, 4.4.4, 4.5.1, 4.5.5, 4.6.5, 5.3.1, 6.1.5, and 6.4.1 to incorporate necessary modifications identified by FBCA/CPWG. 1.4 12/14/04 Greg McCain Changed column title from ‘Author’ to ‘Editor’ in the Revision History table. 1.5 03/27/07 Greg McCain Updated to reflect USPTO organizational changes related to management or operational responsibilities for: Security Policy Security Operations User Account Creation and Maintenance 2.0 08/06/07 John Michie Updated to reflect the new RFC 3647 format 2.1 01/11/10 Greg McCain Updated following review and recommendations and Amit Jain from External Auditor. 2.1 04/16/10 Amit Jain Updated the contact information 2.2 5/25/10 Amit Jain Updates made based on agreements with CPWG to cross-certify at medium-hardware 2.3 6/9/10 Amit Jain Changed CRL lifetime to 18 hours in section 4.9.7 2.4 7/9/12 Jermaine Changes to implement FBCA CP change proposals: Harris and 2010-01, 2010-02, 2010-06, 2010-07, 2010-08, Amit Jain 2011-01, 2011-02, 2011-06 and 2011-07.
    [Show full text]
  • Treasury Shared Service Provider
    National Aeronautics and Space Administration George C. Marshall Space Flight Center NASA Enterprise Competency Center Huntsville, Alabama 35812 NASA Operational Certificate Authority Registration Practice Statement Version 3.0 January 2015 National Aeronautics and Space Administration George C. Marshall Space Flight Center Huntsville, Alabama 35812 This page is intentionally blank. NOCA RPS Signature: __________________________ _______________ NASA ICAM Program Executive Date Signature: __________________________ _______________ Treasury Program Management Authority Date NOCA RPS i This page is intentionally blank NOCA RPS ii Revision History Document Document Revision Details Initials Section Version Date 1.0 9/2009 Original SSP CPS Revision to Adopt changes into the NASA 1.2 1/2010 SJL ALL Registration practice statement Revised document for review by NASA and 2.0 9/2010 SJL ALL Treasury Final revision after 10/2010 audit findings 2.1 4/2011 SJL ALL 2/2011 Revision to document to update changes to 2.2 6/2011 SJL ALL NOCA Revision to document transition of PKI 2.3 11/2011 TWB ALL Operations to NEACC Rewrite of document based on FY 2011 2.4 07/2012 TDW ALL Treasury audit review Revise RPS based on FY 2012 Treasury 2.5 08/2013 TDW ALL audit findings Revised based on FY 2013 Treasury audit 5, 7, and 3.0 01/2015 TDW findings 8 Preface The registration process is the first step in establishing trust in the end entity certificates of a Certification Authority (CA). This process binds the authenticated identity of a person or device to a digital certificate signed by the CA. Registration Authorities (RA) within the National Aeronautics and Space Administration (NASA) include Security Officers (SO), Super RAs, RAs, and Trusted Agents (TA).
    [Show full text]
  • Vmware View Certificate Revocation Checking
    Vmware View Certificate Revocation Checking Is Wakefield humbling when Cyrille express attractively? Stinko Tammy offsets that impounders platitudinise prepossessingly and regraded abloom. Loony and coltish Pieter allegorizes, but Garcon successively gybing her impasse. Open the Group Policy Management Console. IE for you to set the proxy as necessary. Back up the old root CA certificate. Set, import the root CA certificate files, and then choose OK. My client computers stopped communicating with the SCCM server after I switch it to HTTPS. Better to check broken chain of certificate installed or its validity. Please try again later. The administrator can also view and query their virtualization properties, protection status, and security compliance using several dashboards and queries. OCSP stapling eliminates the need for a browser to request the OCSP response directly from the CA. CA cert hence I uploaded only Root CA. OSCP infrastructure related issue. In this setup we will be using certificated generated by the corporate Microsoft Certificate Authority, using Active Directory Certificate Services. The padlock is still green. Upgrade the Offload Scan Server. There will be a folder called certs. Platform Security Virtual Appliance Manager MER file. PKI authentication does not provide authorization. USB token as lost, a signer could have left the company and is no longer authorised to sign, or the certificate could have been compromised. The serial number that the authority assigned to the certificate. If the event is on another computer, the display information had to be saved with the event. Enter a vmware view connection server tells you may reduce the need to the crl and prevent tampering.
    [Show full text]
  • Trustedx Security Target
    Security Target TrustedX © Copyright 1999-2010 Safelayer Secure Communications, S.A. All rights reserved. TrustedX Security Target This document is copyright of Safelayer Secure Communications, S.A. Its contents are confidential and access is restricted to Safelayer Secure Communications, S.A. personnel. No part of this document may be copied, reproduced or stored in any form or by any means, electronic, mechanical, recording, or in any other way, without the permission of Safelayer Secure Communications, S.A. Safelayer Secure Communications, S.A. Phone: +34 93 508 80 90 Fax: +34 93 508 80 91 Web: www.safelayer.com Email: [email protected] 0775BA94 1.7 CONTENTS Introduction.........................................................................................................................................3 1.1. Security Target and TOE Reference ...............................................................................................3 1.2. TOE Overview..................................................................................................................................... 3 1.3. TOE Description.................................................................................................................................. 5 1.3.1. TrustedX Architecture 5 1.3.2. TrustedX Service Components 8 1.3.3. Administration and User Interface 16 1.3.4. TrustedX Security Policy 18 1.3.5. Environment Components 20 1.3.6. Annex III and Annex IV of the [EUROPEAN_DIRECTIVE] 20 2 – Conformance Claims .................................................................................................................25
    [Show full text]
  • Gatekeeper Public Key Infrastructure Framework
    Gatekeeper Public Key Infrastructure Framework V 3.1 – December 2015 Digital Transformation Office © Commonwealth of Australia 2015 This work is copyright. Apart from any use as permitted under the Copyright Act 1968 and the rights explicitly granted below, all rights are reserved. Licence With the exception of the Commonwealth Coat of Arms and where otherwise noted, all material presented in this document is provided under a Creative Commons Attribution Non-Commercial 3.0 Australia licence. To view a copy of this licence, visit: http://creativecommons.org/licenses/by- nc/3.0/au/ You are free to copy, communicate and adapt the work for non-commercial purposes, as long as you attribute the authors. Except where otherwise noted, any reference to, reuse or distribution of all or part of this work must include the following attribution: Gatekeeper PKI Framework: © Commonwealth of Australia 2015. Use of the Coat of Arms The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au) Contact us Enquiries or comments regarding this document are welcome at: Gatekeeper Competent Authority C/O Director, Trusted Digital Identity Team Digital Transformation Office Email: [email protected] Gatekeeper Public Key Infrastructure Framework – V 3.1 – December 2015 Page 2 of 91 Executive summary Information and Communication Technologies (ICT) are transforming the way we work and are driving change in many industries. Governments around the world understand their decisions can assist or impede businesses to adjust to an increasingly digital economy and society. The Commonwealth Government, as a key user of ICT has an important role to play in developing and supporting the infrastructures required to support this digital transformation.
    [Show full text]
  • RSA Keon Validation Server 2.0 Installation Guide
    RSA Keon Validation Server 2.0 Installation Guide Contact Information See our Web sites for regional Customer Support telephone and fax numbers. RSA Security Inc. RSA Security Ireland Limited www.rsasecurity.com www.rsasecurity.ie Trademarks ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Keon, RC2, RC4, RC5, RSA, the RSA logo , RSA Secured, RSA Security, SecurCare, SecurID, Smart Rules, The Most Trusted Name in e- Security, and Virtual Business Units are registered trademarks, and e-Titlement, the RSA Secured logo, SecurWorld, and Transaction Authority are trademarks of RSA Security Inc. in the U.S and/or other countries. Microsoft, Windows, Windows 2000, Windows XP, Windows 2003, and Outlook are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Navigator and Enterprise Server are also trademarks of Netscape Communications Corporation and may be registered outside the U.S. Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. nFast, nShield, nForce and KeySafe are either registered trademarks or trademarks of nCipher Corporation Ltd. in the United States and/or other countries. Other product and service names mentioned herein may be the trademarks of their respective companies. Portions Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. License agreement This software and the associated documentation are proprietary and confidential to RSA Security, are furnished under license, and may be copied only in accordance with the terms of such license and with the inclusion of this notice and any other copyright, trademark or other proprietary markings or notices contained in the software and documentation.
    [Show full text]
  • Tumbleweed Valicert Validation Authority Security Target
    Tumbleweed Valicert Validation Authority Security Target Version 1.0 04/3/06 Prepared for: Tumbleweed Communications 700 Saginaw Drive Redwood City, CA 94063 Prepared By: Science Applications International Corporation Common Criteria Testing Laboratory 7125 Columbia Gateway Drive, Suite 300 Columbia, MD 21046 Security Target Version 1.0, 04/3/06 1. SECURITY TARGET INTRODUCTION...........................................................................................................4 1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION........................................................................................4 1.2 CONFORMANCE CLAIMS.................................................................................................................................4 1.3 CONVENTIONS ................................................................................................................................................4 2. TOE DESCRIPTION ..........................................................................................................................................6 2.1 TOE ARCHITECTURE......................................................................................................................................6 2.2 PHYSICAL BOUNDARIES ...............................................................................................................................11 2.3 LOGICAL BOUNDARIES.................................................................................................................................11
    [Show full text]
  • Keyone 3.0 Security Target
    Security Target KeyOne 3.0 © Copyright 1999-2006 Safelayer Secure Communications, S.A. All rights reserved. KeyOne 3.0 Security Target This document is copyright of Safelayer Secure Communications, S.A. Its contents are confidential and access is restricted to Safelayer Secure Communications, S.A. personnel. No part of this document may be copied, reproduced or stored in any form or by any means, electronic, mechanical, recording, or in any other way, without the permission of Safelayer Secure Communications, S.A. Safelayer Secure Communications, S.A. Phone: +34 93 508 80 90 Fax: +34 93 508 80 91 Web: www.safelayer.com Email: [email protected] CONTENTS 1 – Introduction ...................................................................................................................................1 1.1 Identification...................................................................................................................................... 1 1.2 Overview ............................................................................................................................................ 1 1.3 Conformance .................................................................................................................................... 2 1.4 Conventions ....................................................................................................................................... 3 2 – TOE Description .............................................................................................................................5
    [Show full text]
  • Doc 9303 Machine Readable Travel Documents Eighth Edition, 2021
    Doc 9303 Machine Readable Travel Documents Eighth Edition, 2021 Part 12: Public Key Infrastructure for MRTDs Approved by and published under the authority of the Secretary General INTERNATIONAL CIVIL AVIATION ORGANIZATION Doc 9303 Machine Readable Travel Documents Eighth Edition, 2021 Part 12: Public Key Infrastructure for MRTDs Approved by and published under the authority of the Secretary General INTERNATIONAL CIVIL AVIATION ORGANIZATION Published in separate English, Arabic, Chinese, French, Russian and Spanish editions by the INTERNATIONAL CIVIL AVIATION ORGANIZATION 999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7 Downloads and additional information are available at www.icao.int/security/mrtd Doc 9303, Machine Readable Travel Documents Part 12 — Public Key Infrastructure for MRTDs Order No.: 9303P12 ISBN 978-92-9265-422-1 (print version) © ICAO 2021 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, without prior permission in writing from the International Civil Aviation Organization. AMENDMENTS Amendments are announced in the supplements to the Products and Services Catalogue; the Catalogue and its supplements are available on the ICAO website at www.icao.int. The space below is provided to keep a record of such amendments. RECORD OF AMENDMENTS AND CORRIGENDA AMENDMENTS CORRIGENDA No. Date Entered by No. Date Entered by The designations employed and the presentation of the material in this publication do not imply the expression of any opinion whatsoever on the part of ICAO concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.
    [Show full text]