PP (Protection Profile) for E-Certificate Issuance System @ ICCC 2010 (International Common Criteria Conference), a major conference for the community of experts involved in security evaluation
http://www.security.re.kr
Why we use the e-Document Issuance Service?
§ Definition
§ Should one go to the school just to get a report card?
§ e-Government services: government-guaranteed documents issued via the Internet
§ What will change?
(Figure: AS-IS versus TO-BE. Labels: Document Issuing System; Forgery Prevention System; claimed and issued on a Web page; issued by email; user printing; forge-proof document.)
Upsides and Requirements
§ Upsides
  Aspect      Description
  Quick       Available 24/7
  Economical  Low cost compared to off-line issuance
  Accessible  Everywhere the Internet is available
§ Requirements
  Security feature                           Technical feature
  Confidentiality of the Issuing System      Cryptography for issued e-documents; screen control; UI control; printer control
  Forgery Prevention for Print-out           Watermark; 2D barcode; copy detector
  Reliability of the Issuing Organization    PKI authentication
Terms and Definition
§ Original Document
  § Original Document refers to an electronic document, together with its proper and secure print-outs, that is the object of issuance.
§ Electronic Document
  § Electronic Document means an electronic file of a structured document, standardized as a pair of form and data.
§ Issue System
  § Issue System refers collectively to the systems of issuing organizations that issue electronic documents.
§ Detect Software
  § Detect Software refers to a program that extracts digital information from print-outs: using a scanner, it detects the 2D high-density barcodes and invisible watermarks attached to a print-out and recovers the digital information they carry by analyzing them.
Terms and Definition
§ Forgery Prevention Elements
  § Forgery Prevention Elements refer to all kinds of devices (identification elements) that lend reliability to print-outs of electronic documents and make it possible for ordinary users to tell whether a print-out is authentic, either by viewing the document or by using tools. EPS's Forgery Prevention Elements are 2D high-density barcodes, invisible watermarks, copy detector marks and so on.
§ Secure Print-out
  § Secure Print-out means a print-out of an electronic document that carries print-out security features (high-density 2D barcodes, invisible watermarks).
System Structure
(Figure: system structure. Components: Web Server; WAS hosting the Server Module, User Control Module and Document Verification Module; Document Issuing System with its Document DB; certificate of the issuing organization. Flow: the user applies for a document at the Web Server, which requests it from the Document Issuing System; the issuing system requests the information required for the document from the Document DB, creates the 2D barcode and produces the original document; the original document is compressed/encrypted and issued to the user, who prints it.)
Threat Factors
(Figure: the issuance path from the Document Issuing Server holding the original document, over the network to the Web browser on the user PC, to the printer and the printed document, and from there through a copier or scanner to a forged document submitted to authorities.)
§ Sniffing on the network
§ Leaking the source by saving or capturing in the Web browser
§ Leaking the source via the Web browser's temporary files
§ Leaking the source via the print spool file
§ Leaking the source via a virtual printer
§ Forging with a high-end scanner
§ Copying with a digital copier
Core Security Functions
Function 1. Web Protection
• Controls printing, saving and copying from the Web browser
• Prevents document capture by capture/remote-control programs
• Limits pop-up menus opened with the right mouse button
• Prevents information leakage via cache or temporary files
Function 2. Printer control
• Limits print spool files
• Counts/limits the number of prints
• Prevents printing to virtual printers (e.g. PDF Writer)
• Controls printer drivers and checks printer status
Function 3. Prevention & Verification
• High-density 2D barcode with error correction code
• Digital signature verification with publisher confirmation
• Detection program
• Digital watermark to protect the image seal/logo
• All data for the issuance is encrypted in the metafile
Function 1. Web Protection
§ Web Protection: secure Web page
  Browser Control
  • Control Web browser menus
  • Limit creation of cache/temp files
  • Prevent copying by keyboard or mouse
  • Limit use of pop-up menus
  Encrypted Meta File
  • Encryption
  • Prevent direct linking by URL
  Capture Prevention
  • Limit use of the clipboard
  • Block image capture
  • Prevent capture by keyboard
  • Protect the document screen from remote-control programs
Function 2. Printer control
§ Limitation (print control)
  • Control virtual printers by checking the print port (WMF, PDF Writer, FAX, etc.)
  • Limit generation of, or intercept, print spool files and Internet temporary files
§ Print Count Control
  • Check the number of prints: the document can only be printed as many times as the service provider allows
Function 3. Prevention & Verification
§ 2D Barcode
  § Comparing the original document with the document recovered from the 2D barcode enables verification of document forgery.
  § The entire original document data and the digitally signed data (hash code) are embedded in the high-density 2D barcode, as legal proof of originality and to prevent forgery.
§ Digital Watermark
  § Important hidden information is embedded invisibly into the organization's logo, official seals and images by watermarking, to attest the genuineness of a document.
  § This reinforces the 2D barcode against forgery.
§ Copy Detector
  § Scans for any change to the copy-detector mark inserted in the original print-out.
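The 2D barcode mechanism above (whole document plus signed hash in the symbol, then compare what the barcode says with what the print-out shows) and the Detect Software defined earlier, as an added example that is not code from the deck or from the EPS product it describes. It assumes ECDSA P-256 over SHA-256 and zlib compression, which the deck does not specify; the Document fields, the JSON payload layout and the sample report card are constructed for illustration, and the base64 string stands in for the bits a real barcode encoder would render.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Document is the "pair of form and data" the deck calls an Electronic
// Document. The field names are hypothetical; the PP fixes no schema.
type Document struct {
	Form   string            `json:"form"`   // form identifier
	Issuer string            `json:"issuer"` // issuing organization
	Data   map[string]string `json:"data"`   // field values; encoding/json sorts keys, so output is canonical
}

// Payload is what the 2D barcode carries: the whole document, compressed,
// plus the issuer's signature over its SHA-256 hash (the "hash code").
type Payload struct {
	Doc []byte `json:"doc"` // zlib-compressed canonical JSON of the Document
	Sig []byte `json:"sig"` // ASN.1 DER ECDSA P-256 signature over sha256(Doc)
}

// NewKey creates the issuing organization's signing key. In the PP the public
// half is bound to the organization through a PKI certificate; here it is
// simply handed to the verifier in memory.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue builds the barcode payload. The base64 string stands in for the bits a
// barcode encoder would render into the printed symbol.
func Issue(key *ecdsa.PrivateKey, d Document) (string, error) {
	canon, err := json.Marshal(d)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	zw.Write(canon)
	if err := zw.Close(); err != nil {
		return "", err
	}
	h := sha256.Sum256(buf.Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	enc, _ := json.Marshal(Payload{Doc: buf.Bytes(), Sig: sig})
	return base64.StdEncoding.EncodeToString(enc), nil
}

// Verify is the Detect Software side: decode what the scanner read, check the
// signature before trusting any content, then decompress the issued document.
func Verify(pub *ecdsa.PublicKey, barcode string) (Document, error) {
	raw, err := base64.StdEncoding.DecodeString(barcode)
	if err != nil {
		return Document{}, fmt.Errorf("barcode unreadable: %w", err)
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return Document{}, fmt.Errorf("payload malformed: %w", err)
	}
	h := sha256.Sum256(p.Doc)
	if !ecdsa.VerifyASN1(pub, h[:], p.Sig) {
		return Document{}, errors.New("signature invalid: altered or not issued by this organization")
	}
	zr, err := zlib.NewReader(bytes.NewReader(p.Doc))
	if err != nil {
		return Document{}, err
	}
	canon, err := io.ReadAll(zr)
	if err != nil {
		return Document{}, err
	}
	var d Document
	err = json.Unmarshal(canon, &d)
	return d, err
}

// Matches compares the document as printed (what a person or OCR reads) with
// the one recovered from the barcode; a retouched print-out fails here because
// the forger cannot re-sign the barcode without the issuer's key.
func Matches(printed, fromBarcode Document) bool {
	a, _ := json.Marshal(printed)
	b, _ := json.Marshal(fromBarcode)
	return bytes.Equal(a, b)
}

func main() {
	key, _ := NewKey()
	doc := Document{Form: "report-card-v1", Issuer: "Example University", // constructed sample
		Data: map[string]string{"student": "Hong Gil-dong", "math": "B"}}
	code, _ := Issue(key, doc)
	got, err := Verify(&key.PublicKey, code)
	fmt.Println("genuine print-out matches barcode:", err == nil && Matches(doc, got))
	forged := doc
	forged.Data = map[string]string{"student": "Hong Gil-dong", "math": "A+"}
	fmt.Println("retouched grade matches barcode:", Matches(forged, got))
	other, _ := NewKey()
	_, err = Verify(&other.PublicKey, code)
	fmt.Println("verified with another organization's key:", err)
}
```

The order inside Verify is the security-relevant part: the signature is checked over the compressed bytes before anything is decompressed or parsed, so a scanned symbol that was not produced by the issuer never reaches the decompressor or the JSON parser. A real deployment would take the public key from the issuing organization's certificate rather than from memory, and would need the barcode's error-correction code to survive the scan.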
TOE (Target of Evaluation)
(Figure: TOE boundary. The TOE comprises three modules:
 Server Module: Identification & Authentication, Security Management, Security Audit (audit record), TSF Data Protection, User Data Protection, Cryptographic Support
 User Module: User Data Protection, Cryptographic Support
 Detector Module: User Data Protection (Data Authentication)
 Outside the TOE: Mail Server, Administrator, User, Verifier, Network, TSF data store.)
The Contents of Protection Profile
§ PP Introduction
  § PP Reference
  § TOE Overview
§ Conformance Claims
  § CC Conformance Claim
  § PP Claim, Package Claim
  § Conformance Rationale
  § Conformance Statement
§ Security Problem Definition
  § Assumptions
  § Threats
  § Organizational Security Policies
§ Security Objectives
  § Security Objectives for the TOE
  § Security Objectives for the Operational Environment
  § Security Objectives Rationale
§ Extended Components Definition
§ Security Requirements
  § Security Functional Requirements
  § Security Assurance Requirements
  § Security Requirements Rationale
Threats (1/2)
§ Asset: Electronic Document
T.Network Sniffering: A threat agent may disclose, modify, or delete the data of an e-document while the document is being issued over the network by the issuing system.
T.Screen Capturing: The data of an e-document may be leaked by saving or capturing it in the Web browser.
T.Temporary File Storage: The data of an e-document may be leaked from temporary files if the Web browser keeps a directory in which they are saved.
T.Print Spool: A threat agent may leak an e-document from the printer spool files while the document is being printed.
T.Virtual Printer: A threat agent may leak the data of an e-document using a virtual printer while the document is being printed.
T.Forgery by Scanner: A threat agent may forge the printed document using a high-resolution scanner.
T.Copy: A threat agent may make more copies of the e-document than were issued by the document issuing organization.
Threats (2/2)
§ Asset: TOE
T.Unauthorized System Modification: Unauthorized modification of the system, affecting its operational capabilities, can occur.
T.Audit Record Alteration: A threat agent may forge the records of e-document issuance in the issuing system.
T.System Data Alteration: Alteration of system data can occur.
T.Recording failure: A threat agent may exhaust the storage so that the TOE fails to record security-relevant events and the document issuance log.
T.Consecutive Authentication Attempt: A threat agent may gain access to the TOE with the authority of an authorized user by repeatedly attempting authentication.
T.TSF data tampering: An attacker may modify TSF data in an unauthorized way to avoid being recorded or to cause misuse.
Assumptions
A.Trusted Administrator: It is assumed that the administrators are non-hostile, well trained and follow all administrator guidance.
A.Timestamp: It is assumed that the TOE environment provides a secure timestamp that fulfills RFC 1305.
A.Physical Security: The e-document issuing system is located in a physically secure environment that can only be accessed by an authorized administrator.
A.Secure Installation and Operation: The TOE will be distributed and installed on a user PC in a secure manner.
A.Network: Any traffic flow required by the TOE services will always be allowed.
A.OS Enhancement: Services or means not required by the e-document issuing system will be removed from the operating system, and vulnerabilities of the operating system will be fixed properly to ensure its reliability and stability.
Organizational Security Policy
P.Audit: The TOE must audit every auditable event and keep the audit record secure. The audit record is protected from unauthorized access.
P.Secure Management: An authorized administrator shall manage the TOE, the audit log, and so on in a secure way.
P.Authorized User: A user shall be identified and authenticated before using e-document issuance services.
P.Verifying Module: Software that helps verify the authenticity of an e-document shall be distributed for anyone to use.
P.Recover: The TOE must be capable of being restored to a secure state without losing any critical data.
Security Objectives for the TOE
O.Transferred Data Protection: The TOE shall ensure the confidentiality and integrity of an e-document transferred over the network.
O.Stored Data Protection: The TOE shall protect the TSF data stored in it from unauthorized disclosure, modification, or deletion.
O.Secure Print: The TOE shall provide a secure print function to prevent data leakage through temporary files or a virtual printer while an e-document is being printed.
O.Data Authentication: The TOE shall provide a function to display digital data such as the e-document on a secured print-out and a function to analyze the 2D barcode, which verifies the authenticity of the print-out.
O.Screen Protection: The TOE shall provide a screen protection function to prevent data leakage via a screen-capture key provided by the OS (e.g. PrintScreen), a capture program, or a remote-control program while an e-document is being viewed.
O.Web Browser Control: The TOE shall provide a security function to prevent data leakage by controlling the use of applications for viewing an e-document, e.g. a Web browser or report tool.
Security Objectives for the TOE
O.Verification: The TOE shall provide a function to display digital data such as the e-document on a secured print-out and a function to analyze the 2D barcode, which verifies the authenticity of the print-out.
O.Forgery Prevention: The TOE shall provide means to prevent forgery of an e-document, including 2D barcodes, watermarks, or electronic signatures.
O.Identification and Authentication: The TOE shall uniquely identify its administrator and authenticate a user prior to allowing access.
O.Audit: The TOE shall generate and maintain a record of all security-relevant events to ensure they can be traced, and shall provide a means to review the records.
O.Management: The TOE shall provide a means for the authorized administrator of the TOE to manage the TOE efficiently and in a secure manner.
Security Objectives for the Operational Environment
OE.Trusted Administrator: The authorized administrator must be trained in the establishment and maintenance of security policies in practice.
OE.Timestamp: The TOE environment shall provide a secure timestamp that fulfills RFC 1305.
OE.Physical Security: The e-document issuing system shall be located in a physically secure environment that can only be accessed by an authorized administrator.
OE.Secure Installation and Operation: The TOE shall be distributed and installed on a user PC in a secure manner.
OE.OS Enhancement: Services or means not required by the e-document issuing system shall be removed from the operating system, and vulnerabilities of the operating system shall be fixed properly to ensure its reliability and stability.
OE.Network: Any traffic flow required by the TOE services shall always be allowed.
Security Functional Requirements
Security Audit (FAU)
  FAU_ARP.1 Security alarms
  FAU_GEN.1 Audit data generation; FAU_GEN.2 User identity association
  FAU_SAA.1 Potential violation analysis
  FAU_SAR.1 Audit review; FAU_SAR.2 Restricted audit review
  FAU_STG.2 Guarantees of audit data availability
Cryptographic Support (FCS)
  FCS_CKM.1 Cryptographic key generation; FCS_CKM.2 Cryptographic key distribution; FCS_CKM.4 Cryptographic key destruction
  FCS_COP.1 Cryptographic operation
User Data Protection (FDP)
  FDP_ACC.1 Subset access control; FDP_ACF.1 Security attribute based access control
  FDP_DAU.2 Data authentication with identity of guarantor
  FDP_IFC.1 Subset information flow control; FDP_IFF.1 Simple security attributes
  FDP_ITT.1 Basic internal transfer protection
  FDP_RIP.1 Subset residual information protection
  FDP_UCT.1 Basic data exchange confidentiality; FDP_UIT.1 Data exchange integrity
Security Functional Requirements
Identification & Authentication (FIA)
  FIA_ATD.1 User attribute definition
  FIA_SOS.1 Verification of secrets
  FIA_UAU.1 Timing of authentication
  FIA_UID.1 Timing of identification
Security Management (FMT)
  FMT_MOF.1 Management of security functions behaviour
  FMT_MSA.1 Management of security attributes; FMT_MSA.2 Secure security attributes; FMT_MSA.3 Static attribute initialisation
  FMT_SMR.1 Security roles; FMT_SMR.2 Restrictions on security roles
Protection of the TSF (FPT)
  FPT_FLS.1 Failure with preservation of secure state
  FPT_STM.1 Reliable time stamps
  FPT_TST.1 TSF testing
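What FAU_SAA.1 (potential violation analysis) and FAU_ARP.1 (security alarms) amount to in code for the threat T.Consecutive Authentication Attempt listed earlier, as an added example that is not part of the deck or of any product it describes: audit records in the FAU_GEN.1 minimum shape (time, event type, subject, outcome) are replayed through a rule that fires on a run of failed authentications by one user. The record line format, the threshold of three, the five-minute window and the sample log are all constructed for illustration; the PP fixes none of them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one audit record carrying the FAU_GEN.1 minimum fields.
type Event struct {
	When    time.Time
	Kind    string // event type, e.g. "auth"
	User    string // subject identity (FAU_GEN.2 association)
	Success bool   // outcome
}

// ParseLine reads a record in the hypothetical format
//   2010-09-21T10:00:00Z auth user=alice result=fail
// and rejects anything that does not fit, so a malformed line can never be
// mistaken for a successful login.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "result=") {
		return Event{}, fmt.Errorf("malformed audit record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Event{When: ts, Kind: f[1], User: strings.TrimPrefix(f[2], "user="),
		Success: strings.TrimPrefix(f[3], "result=") == "ok"}, nil
}

// Analyzer applies one FAU_SAA.1 rule: Threshold consecutive failed
// authentications by the same user within Window is a potential violation.
// The FAU_ARP.1 response here is to lock the account; an alarm to the
// administrator would be raised at the same point.
type Analyzer struct {
	Threshold int
	Window    time.Duration
	fails     map[string][]time.Time
	Locked    map[string]time.Time
}

func NewAnalyzer(threshold int, window time.Duration) *Analyzer {
	return &Analyzer{Threshold: threshold, Window: window,
		fails: map[string][]time.Time{}, Locked: map[string]time.Time{}}
}

// Feed consumes one event and reports whether the rule fired.
func (a *Analyzer) Feed(e Event) bool {
	if e.Kind != "auth" {
		return false
	}
	if e.Success {
		delete(a.fails, e.User) // a success breaks the consecutive run
		return false
	}
	var recent []time.Time
	for _, t := range a.fails[e.User] {
		if e.When.Sub(t) <= a.Window { // failures older than the window no longer count
			recent = append(recent, t)
		}
	}
	recent = append(recent, e.When)
	a.fails[e.User] = recent
	if len(recent) >= a.Threshold {
		a.Locked[e.User] = e.When
		delete(a.fails, e.User)
		return true
	}
	return false
}

// Run replays audit lines through the analyzer and returns the alarms raised.
func Run(lines []string, threshold int, window time.Duration) ([]string, error) {
	a := NewAnalyzer(threshold, window)
	var alarms []string
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		if a.Feed(e) {
			alarms = append(alarms, fmt.Sprintf("%s ALARM user=%s locked after %d consecutive failures",
				e.When.Format(time.RFC3339), e.User, threshold))
		}
	}
	return alarms, nil
}

// SampleLog is a constructed audit excerpt, not data from any real system.
var SampleLog = []string{
	"2010-09-21T10:00:00Z auth user=alice result=fail",
	"2010-09-21T10:00:05Z auth user=bob result=fail",
	"2010-09-21T10:00:10Z auth user=alice result=fail",
	"2010-09-21T10:00:12Z auth user=bob result=ok", // bob's run is broken by a success
	"2010-09-21T10:00:20Z auth user=carol result=fail",
	"2010-09-21T10:00:30Z auth user=alice result=fail", // alice's third consecutive failure: alarm
	"2010-09-21T10:00:40Z auth user=bob result=fail",
	"2010-09-21T10:00:45Z auth user=bob result=fail",
	"2010-09-21T10:30:00Z auth user=carol result=fail", // carol's first failure is outside a 5-minute window
	"2010-09-21T10:30:05Z auth user=carol result=fail",
}

func main() {
	alarms, err := Run(SampleLog, 3, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alarms {
		fmt.Println(a)
	}
}
```

Two details matter for the threat being countered: a success resets the run (otherwise a user who mistypes once a week would eventually be locked out), and a malformed record is an error rather than a silent skip, since an attacker who can inject unparseable lines must not be able to hide attempts from the analysis. The 5-minute window is what separates a slow guessing attack from an unlucky user; widening it to an hour makes carol's three failures count as well.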
Security Assurance Requirements
§ Our Protection Profile adopts EAL4+ (EAL4 augmented)
  § The TOE is a critical information system
  § A successful attack could cause serious confusion in society
  § Depending on the user environment, this system is important to maintain
§ We augment the security assurance requirements to reinforce verification of the implementation
  § Augmented components: ADV_IMP.2 (complete mapping of the implementation representation), ATE_DPT.3 (testing: modular design), ALC_FLR.3 (systematic flaw remediation), AVA_VAN.4 (methodical vulnerability analysis)