
Security Target KeyOne 4.0
© Copyright 1999-2014 Safelayer Secure Communications, S.A. All rights reserved.

KeyOne 4.0 Security Target

This document is copyright of Safelayer Secure Communications, S.A. Its contents are confidential and access is restricted to Safelayer Secure Communications, S.A. personnel. No part of this document may be copied, reproduced or stored in any form or by any means, electronic, mechanical, recording, or in any other way, without the permission of Safelayer Secure Communications, S.A.

Safelayer Secure Communications, S.A.
Phone: +34 93 508 80 90
Fax: +34 93 508 80 91
Web: www.safelayer.com
Email: [email protected]
95A278AC 2.1

CONTENTS

1 – Introduction  3
1.1 Security Target and TOE Reference  3
1.2 TOE Overview  4
1.2.1 KeyOne Certification Authority  4
1.2.2 KeyOne Registration Authority  4
1.2.3 KeyOne Validation Authority  5
1.2.4 Environment Components  5
1.3 TOE Description  6
1.3.1 Physical Scope of the TOE  6
1.3.2 Logical Scope of the TOE  7
1.3.3 The TOE  9
1.3.4 Conformance Claims  16
1.3.5 Legal, Business and Technical Agreements  17
2 – Security Problem Definition  21
2.1 Secure Usage Assumptions  21
2.2 Threats  23
2.3 Organizational Security Policies  24
3 – Security Objectives  25
3.1 Security Objectives for the TOE  25
3.2 Security Objectives for the Environment  26
3.2.1 Non-IT Security Objectives for the Environment  26
3.2.2 IT Security Objectives for the Environment  27
3.3 Security Objectives for both the TOE and the Environment  28
4 – Security Requirements  31
4.1 TOE Security Requirements  31
4.1.1 TOE Security Functional Requirements  31
4.1.2 TOE Extended Security Functional Requirements  48
4.1.3 TOE Security Assurance Requirements  69
4.2 Security Requirements for the IT Environment  80
4.2.1 Security Functional Requirements for the IT Environment  80
4.2.2 Proprietary Extended Security Requirements for the IT Environment  94
4.2.3 Proprietary Extended Security Non-IT Requirements for the Environment  94
4.2.4 CIMC Extended Security Functional Requirements  95
4.3 Security Rationale  96
4.3.1 Security Objectives Rationale  96
4.3.2 Security Requirements Rationale  109
4.3.3 Internal Consistency and Mutual Support  118
5 – TOE Summary Specification  123
5.1 Audit Data Management  123
5.1.1 Functional Requirements Satisfied by the TOE  123
5.2 Secure Database  132
5.2.1 Internal Structure of an i3D Database  133
5.2.2 Functional Requirements Satisfied by the TOE  136
5.3 Access Control Management  141
5.3.1 Users, Groups and Roles  141
5.3.2 Controlling the Access to the KeyOne Functions  143
5.3.3 Functional Requirements Satisfied by the TOE  143
5.4 Identification and Authentication  148
5.4.1 Authentication of the Initial Users  148
5.4.2 Special Groups of Users  149
5.4.3 Authentication Modes  149
5.4.4 Functional Requirements Satisfied by Security Functions  150
5.5 Management of Security Parameters and Functions  152
5.5.1 Functions of KeyOne System  153
5.5.2 KeyOne Configuration  154
5.5.3 Managing the KeyOne Configuration  154
5.5.4 Protecting the KeyOne Configuration  155
5.5.5 Functional Requirements Satisfied by Security Functions  156
5.6 Secure Communications  156
5.6.1 KeyOne Batches  156
5.6.2 Functional Requirements Satisfied by Security Functions  159
5.7 Certification and Keys Management  163
5.7.1 Functional Requirements Satisfied by Security Functions  163
5.8 Private Secure Store  171
5.8.1 Private Secure Store Functionality  171
5.8.2 Functional Requirements Satisfied by Security Functions  172
5.9 Backup and Recovery  173
5.9.1 Functional Requirements Satisfied by Security Functions  173
6 – Bibliography, Definitions and Acronyms  175
6.1 Bibliography  175
6.2 Definitions  177
6.3 Acronyms  178

CHAPTER 1

1 Introduction

1.1 Security Target and TOE Reference

Document Identifier: 95A278AC v2.1
Title: Security Target – KeyOne 4.0
Issue Date: September, 2014
Release Identifier: Release Base: 4.0.13S2R1; Release Patches: 4.0.13S2R1_B01, 4.0.13S2R1_B02
Authors: Safelayer Secure Communications S.A.
CC Version: Common Criteria version 3.1 Release 4
Evaluated TOE: KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0, CRL Authority Add-in for KeyOne CA, ePassport Country Verifying CA Add-in for KeyOne CA and ePassport Document Verifier Add-in for KeyOne CA.
TOE Name: KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0

From a commercial point of view, the products evaluated correspond to the "Evaluated TOE" row of the previous table, i.e., the following products: KeyOne CA 4.0, KeyOne XRA 4.0, KeyOne VA 4.0, the CRL Authority Add-in for KeyOne CA, the ePassport Country Verifying CA Add-in for KeyOne CA and the ePassport Document Verifier Add-in for KeyOne CA.

1.2 TOE Overview

1.2.1 KeyOne Certification Authority

KeyOne CA is a software application that performs the Certification Authority functions of issuing public key digital certificates using the syntax defined in ITU-T X.509v3. KeyOne CA forms part of the Safelayer Public Key Infrastructure (PKI) solution. KeyOne CA can act as a Root CA, Subordinate CA, Cross CA, Bridge CA, Online CA and Offline CA. Depending on how it is used, the CA operates in conjunction with a Registration Authority product that assumes the entity registration functions. KeyOne CA can also operate in conjunction with the Validation Authority product to provide the digital certificate validation service.

The main functions of KeyOne CA are to:

• Generate and protect the private keys via the use of cryptographic devices (HSM).
• Automatically manage the life-cycle and the coexistence of the private keys of the CA.
• Manage recognized RAs and assign them certification policies.
• Generate the ITU-T X.509v3 digital certificates (for users and applications) requested by the RAs.
• Generate and publish lists of revoked and suspended digital certificates (CRLs).
• Report on the status of the digital certificates so the validation service (VA) can publish it via OCSP.
• Guarantee the secure auditing of the events and actions carried out in the system.

KeyOne CA is designed to facilitate compliance with the security requirements for trustworthy systems managing certificates for electronic signatures (CEN CWA 14167-1) in terms of roles and events.