Keyone 3.0 Security Target

Security Target KeyOne 3.0

© Copyright 1999-2006 Safelayer Secure Communications, S.A. All rights reserved.

This document is copyright of Safelayer Secure Communications, S.A. Its contents are confidential and access is restricted to Safelayer Secure Communications, S.A. personnel. No part of this document may be copied, reproduced or stored in any form or by any means, electronic, mechanical, recording, or in any other way, without the permission of Safelayer Secure Communications, S.A.

Safelayer Secure Communications, S.A.
Phone: +34 93 508 80 90
Fax: +34 93 508 80 91
Web: www.safelayer.com
Email: [email protected]

CONTENTS

1 – Introduction
    1.1 Identification
    1.2 Overview
    1.3 Conformance
    1.4 Conventions
2 – TOE Description
    2.1 Description of the Trustworthy System KeyOne 3.0
        2.1.1 TOE Core Services
        2.1.2 TOE Additional Services
        2.1.3 TOE Users
        2.1.4 Overall Architecture
        2.1.5 Logical Architecture
        2.1.6 Supported Services
        2.1.7 Physical Architecture
    2.2 Use Cases
3 – TOE Security Environment
    3.1 Secure Usage Assumptions
        3.1.1 Personnel
        3.1.2 Connectivity
        3.1.3 Physical
    3.2 Threats
        3.2.1 Authorized Users
        3.2.2 System
        3.2.3 Cryptography
        3.2.4 External Attacks
    3.3 Organizational Security Policies
4 – Security Objectives
    4.1 Security Objectives for the TOE
        4.1.1 Authorized Users
        4.1.2 System
        4.1.3 Cryptography
        4.1.4 External Attacks
    4.2 Security Objectives for the Environment
        4.2.1 Non-IT security objectives for the environment
        4.2.2 IT security objectives for the environment
    4.3 Security Objectives for both the TOE and the Environment
5 – IT Security Requirements
    5.1 TOE Security Requirements
        5.1.1 TOE Security Functional Requirements
        5.1.2 TOE Extended Security Functional Requirements
        5.1.3 TOE Security Assurance Requirements
    5.2 Security requirements for the IT environment
        5.2.1 Security Functional Requirements for the IT environment
        5.2.2 Proprietary Extended Security Requirements for the IT environment
        5.2.3 Proprietary Extended Security Non-IT Requirements for the environment
        5.2.4 CIMC Extended Security Functional Requirements
6 – TOE Summary Specification
    6.1 TOE Security Functions
        6.1.1 Audit Data Management
        6.1.2 Secure Database
        6.1.3 Access Control Management
        6.1.4 Identification and Authentication
        6.1.5 Secure Communications
        6.1.6 Certification Management
        6.1.7 Private Secure Store
        6.1.8 Key Archive Management
        6.1.9 Backup and Recovery
    6.2 Mapping Table between functional requirements and security functions
    6.3 Strength Of Functions
        6.3.1 Authentication Mechanisms
        6.3.2 Cryptographic Modules
    6.4 Assurance measures
    6.5 Security functions using probabilistic or permutational mechanisms
7 – Claims
8 – Rationale
    8.1 Security Objectives Rationale
        8.1.1 Security Objectives Coverage
        8.1.2 Security Objectives Sufficiency
    8.2 Security Requirements Rationale
        8.2.1 Security Requirements Coverage
        8.2.2 Security Requirements Sufficiency
        8.2.3 Rationale for operations of Security Requirements
    8.3 Internal Consistency and Mutual Support
        8.3.1 Rationale that Dependencies are Satisfied
        8.3.2 Rationale that Requirements are Mutually Supportive
    8.4 Rationale for Strength of Function
    8.5 Assurance Requirements Rationale
        8.5.1 Rationale for CIMC security level 3
        8.5.2 Rationale for EAL4
    8.6 Rationale for the proprietary extended security requirements
        8.6.1 Proprietary extended security requirements
9 – Bibliography, Definitions and Acronyms
    9.1 Bibliography
    9.2 Definitions
    9.3 Acronyms
Appendix A – Considerations about the license file

CHAPTER 1

1 Introduction

1.1 Identification

Document ID: B4E6DBC0 v1.39
Title: Security Target KeyOne 3.0
Issue Date: October 24, 2006
Release ID: 3.0 04S2R1
Authors: Safelayer Secure Communications S.A.
State: Issued
CC Version: 2.2
Evaluated TOE: KeyOne 3.0 04S2R1: KeyOne CA, KeyOne LRA, KeyOne RA, KeyOne VA and KeyOne TSA
Patches: 3.0_04S2R1_B01, 3.0_04S2R1_B02, 3.0_04S2R1_B03, 3.0_04S2R1_B04, 3.0_04S2R1_B05, 3.0_04S2R1_B06, 3.0_04S2R1_B07, 3.0_04S2R1_B08

To meet the EAL4+ security guarantees of the KeyOne product included in this Security Target, the license file used in the TOE must not allow the execution of scripts launched in unsecure mode (activation of the --unsecure flag). For more information about the license file, see Appendix A, Considerations about the license file.

1.2 Overview

The purpose of this ST is to specify the functional and assurance security requirements implemented by KeyOne 3.0 04S2R1 TWS, which is the Target of Evaluation. The content of the document is organized in the following chapters:

Chapter 1 provides labelling and descriptive information about the ST and the TOE that it refers to, a TOE summary in narrative form and a conformance claim with CC requirements.

Chapter 2 provides a description of the TOE services, gives an overview of the TOE users who will interact with it, and describes the layout of the physical and logical architectures of the system and the contribution of each subsystem to the identified services. Finally, it lists the most common security services covered by the TOE and potential business applications where it should be useful.

Chapter 3 provides a security problem

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    241 Page
