ECMA TR 78-1999 ECMA Protection Profile E - COFC Public Business Class《ECMA保护轮廓 E-COFC 公共商业级》.pdf

1、ECMA Technical Report TR/78December 1999Standardizing Information and Communication SystemsPhone: +41 22 849.60.00 - Fax: +41 22 849.60.01 - URL: http:/www.ecma.ch - Internet: helpdeskecma.chECMA Protection ProfileE - COFC Public Business Class.ECMA Technical Report TR/78December 1999Standardizing I

2、nformation and Communication SystemsPhone: +41 22 849.60.00 - Fax: +41 22 849.60.01 - URL: http:/www.ecma.ch - Internet: helpdeskecma.chLL TR-078.DOC 28-02-00 10,04ECMA Protection ProfileE - COFC Public Business Class.Brief HistoryAfter the ECMA Technical Committee TC36 “IT Security“ had completed t

3、he development of the StandardECMA-271 “Extended Commercially Oriented Functionality Class for Security Evaluation (E - COFC)“ it was quitenatural to continue with the development of a Protection Profile, i.e. a Profile that combines the functional criteria ofthe E - COFC with a set of assurance cri

4、teria. It was decided to use the Common Criteria for this purpose, since thesecriteria were in the process of being standardized by ISO/IEC JTC1/SC27.Due to the active support of the US National Institute of Standardization and Technology (NIST) in TC36 it waspossible to build this profile, based on

5、 the Public Business Class of E - COFC. Starting point and basis of theE - COFC PP development was the NIST PP Version 0.31 by Gary Stoneburner (NIST), 23 July 1998. Kristina C.Rogers (Cygnacom Solutions) was then given the task to convert the E - COFC Public Business Class into aProtection Profile.

6、 This work was then adopted by TC36 and updated to include those changes which meanwhile weremade to the E - COFC in its second edition.The purpose of developing a Protection Profile was to demonstrate how the E - COFC criteria can be applied for ITsystem evaluations.This Technical Report ECMA TR/78

7、 gives the technical details. Another Technical Report will explain theapplication of the Profile and discuss its limitations. This report is under preparation.Adopted as ECMA Technical Report TR/78 by the General Assembly of 16 December 1999.- i -Table of Contents1 Introduction 31.1 Identification

8、31.2 Protection Profile overview 32 TOE description 32.1 E - COFC overview 32.2 The TOE environment 32.3 Hierarchical classes 43 Security environment 53.1 Secure usage assumptions 53.2 Organizational security policies 53.3 Threats to security 54 Security objectives 74.1 TOE security objectives 74.2

9、Environmental security objectives 95 Security requirements 105.1 TOE security functional requirements 105.1.1 Class FAU: Security audit 125.1.2 Class FCO: Communication 135.1.3 Class FCS: Cryptographic support 145.1.4 Class FDP: User data protection 155.1.5 Class FIA: Identification and authenticati

10、on 175.1.6 Class FMT: Security management 195.1.7 Class FPR: Privacy 215.1.8 Class FPT: Protection of the TOE security functions 215.1.9 Class FRU: Resource utilization 235.1.10 Class FTA: TOE access 235.1.11 Class FTP: Trusted path channels 245.1.12 New components 245.2 TOE assurance requirements 2

11、55.2.1 Class ACM: Configuration management 265.2.2 Class ADO: Delivery and operation 265.2.3 Class ADV: Development (ADV) 275.2.4 Class AGD: Guidance documents 295.2.5 Class ALC: Life cycle support 305.2.6 Class ATE: Tests 315.2.7 Class AVA: Vulnerability assessment 325.2.8 Class AMA: Maintenance of

12、 assurance 335.3 Security requirements for the IT environment 33- ii -Annex A PP Rationale 35A.1 Introduction to PP Rationale 35A.2 Security objectives rationale 35A.3 Functional requirements rationale 41A.4 Functional requirements dependencies 47A.5 Assurance requirements rationale 50A.6 Mapping of

13、 E - COFC threats to PP threats 51A.7 Mapping of E - COFC threats and Countermeasures to Protection Profile objectives 54A.8 Mapping of E - COFC functionalities to CC functional components 61A.9 Mapping of CC functional components to E - COFC functionalities 87Annex B Glossary 91Annex C References 9

14、31 Introduction1.1 IdentificationTitle: ECMA Protection Profile, E - COFC Public Business Class, Version 2.02Assurance level: EAL2 AugmentedRegistration: Keywords: electronic commerce, commercial functionality, operating systems, networks, distributedsystems, ECMA, E - COFC.1.2 Protection Profile ov

15、erviewThe Extended Commercially Oriented Functionality Class (E - COFC) Public Business (PB) ClassProtection Profile (PP) is based on the requirements for the Public Business Class contained in ECMA-271.The E - COFC PP is Part 2 extended with respect to its functional requirements and EAL2 augmented

16、 withrespect to its assurance requirements. The E - COFC PP applies to the security of data processing in acommercial business environment, independent of hardware and software platforms of the participatingsystems. Its functions are selected to satisfy the minimal set of security requirements for t

17、ypical businessapplications of interconnected systems. The IT Security Policy is based on a Confidentiality Policy, anIntegrity Policy, an Accountability Policy and an Availability Policy. These dedicated policies are enforcedby an appropriate IT security architecture which is decomposed into differ

18、ent domains, such as networksecurity, systems security and application security. This IT security architecture provides a specific set ofsecurity services and the associated security management. The security services and the securitymanagement are based on a specific set of protocols and mechanisms

19、(security enforcing functions) whichmay be realized by non-cryptographic (access control) and cryptographic means (symmetric methods,public key methods).The Protection Profile Rationale is provided in annex A.2 TOE description2.1 E - COFC overviewThe Extended Commercially Oriented Functionality Clas

20、s (E - COFC) is an ECMA standard, whichspecifies security evaluation criteria for interconnected IT systems. The systems are interconnected througha communication network, which is considered priori not trusted. The systems may be located at differentsites, cities or countries, and are connected thr

21、ough leased lines, public networks or private networks.The E - COFC Standard applies to the security of data processing in a commercial business environment,independent of hardware and software platforms of the participating systems. Its functions are selected tosatisfy the minimal set of security r

22、equirements for typical business applications of interconnected systems.The E - COFC is based on an IT Security Policy of a commercial enterprise taking typical environmentaland organizational constraints into account. As in reality the IT Security Policy is based on aConfidentiality Policy, an Inte

23、grity Policy, an Accountability Policy and an Availability Policy. Thesededicated policies are enforced by an appropriate IT security architecture which is decomposed intodifferent domains, such as network security, systems security and application security. This IT securityarchitecture provides a s

24、pecific set of security services and the associated security management. Thesecurity services and the security management are based on a specific set of protocols and mechanisms(security enforcing functions) which may be realized by non-cryptographic (access control) andcryptographic means (symmetri

25、c methods, public key methods). For consistency and ease of operation, aspecific key management may be an integral part of the security management, supporting specific securityservices and security mechanisms. With respect to the various system services applied, the securitymanagement system activat

26、es the adequate security enforcing functions. If cryptographic means areapplied, the associated keys and parameters are protected, distributed, and revocated such that unauthorizedpersons cant have access to them.2.2 The TOE environmentThe Target of Evaluation (TOE) environment is a commercial envir

27、onment, which consists of severalinterconnected IT systems. These systems provide on the basis of the installed operating systems differentapplications and communication facilities for the users and the applications respectively. The installed- 4 -systems, the communication network and the additiona

28、lly installed business applications or hardwaredevices constitute the TOE. The communication network is considered priori as not secure. The identifiedminimal security requirements of this standard shall be supported by the TOE but not necessarily by eachindividual system. The support of the securit

29、y enforcing functions within a system may be based on theOperating System (OS) or on the combination of the OS and secure hardware or software products.The TOE environment addresses the following technical constraints: A single system is a TOE component consisting of the underlying hardware H and th

30、e operating systemOS. The ID of the OS is defined by its name (domain name) and its network address. The hardware H isidentified by a factory assigned identification number. The TOE supports different types of entities such as users and processes. The users execute specifictasks in the system with r

31、espect to their different roles in the system environment. The users areaccountable for all system activities. A user is registered under the TOE. The TOE generates processesthat act on behalf of users. A process requests and consumes resources on behalf of its unique associateduser. A process may i

32、nvoke another process on a different system which is interconnected by thenetwork. The TOE may support a network management partitioned into several components, such as theconfiguration management, the fault management, the performance management and the securitymanagement. Although every component

33、contributes to the maintenance of the IT infrastructure, onlythe security management influences the specified security functionalities. The protocols applied betweenthe network management node and the agent node (retrieving and updating of configuration files) areconsidered as a special case of a in

34、ter-process communication. The TOE may support different types of inter-process communication, such as: Synchronous client server communication: To satisfy a client process, a server process may act as aclient to a third process, communicating on the basis of Remote Procedure Calls (RPC). Asynchrono

35、us client server communication: Client and server processes communicate on the basisof message passing. Dedicated network services: Examples include the File Transfer Protocol Service, the Remote Loginor Remote Execute Service, the Network File System, and the Network Information Services. Different

36、 network management protocols, such as Simple Network-Management Protocol (SNMP)or Common Management Information Protocol (CMIP). Several users may execute at a given time specific tasks on the same system. A user may have remote access to systems of the TOE via a terminal, personal computer, workst

37、ation, orlaptop. The TOE must execute the access control policy of the imposed IT Security Policy. The TOE may support resource sharing such as printer and mass storage on a network. The TOE may beconnected to the internet under the surveillance of flow control mechanisms which exclude irregularinte

38、rference with measures to counter the threats to the commercial environment.2.3 Hierarchical classesWith respect to the commercial requirements, the E - COFC is partitioned into the following threehierarchical classes of commercial security requirements: The Enterprise Business class (EB-class) (inc

39、ludes COFC, ECMA-205, requirements). The Contract Business class (CB-class) (includes the EB-class and COFC requirements). The Public Business class (PB-class) (includes the CB-class, EB-class and COFC requirements).Each subclass specifies the imposed commercial environment security requirements, th

40、e resulting threatsand the identified security functionalities. In practice, the subclasses may overlap each other. A minimal setof security functionalities is derived to counter these threats with appropriate countermeasures for thecommercial environment.- 5 -The ECMA-205 COFC requirements apply to

41、 a non-networked environment and are the lowest level of thehierarchy. They are included in the requirements for the Enterprise Business Class. This Protection Profileis for the Public Business Class, the highest level in the hierarchy. The Public Business Class includes therequirements for the Ente

42、rprise Business Class and the Contract Business Class.3 Security environmentThis clause identifies the following: Secure usage assumptions, Organizational security policies, and Threats to Security.3.1 Secure usage assumptionsThe specific conditions listed below are assumed to exist in an E - COFC P

43、ublic Business Classenvironment.Table 1 Security assumptionsType Name AssumptionPhysical A.PHYSICAL The processing resources of the TOEthat depend on hardware securityfeatures will be located withincontrolled access facilities thatmitigate unauthorized, physicalaccess.A.USER-TRUST Authorized users a

44、re trusted toprotect their authenticationinformation and to follow theirorganizational security policies withrespect to the protection of sensitiveinformation.PersonnelA.ADMIN The security features of the TOE arecompetently administered.3.2 Organizational security policiesThe E - COFC Public Busines

45、s Class Protection Profile is intended to reflect the requirements contained inECMA-271, Extended Commercially Oriented Functionality Class for Security Evaluation (E - COFC), forthe Public Business (PB) Class.3.3 Threats to securityThe threats in this clause are based on the threats identified in E

46、CMA-205 and ECMA-271. For a mappingfrom the threats identified here to the threats in the ECMA documents, please see the accompanyingRationale document.- 6 -Table 2 ThreatsThreat name Threat description1 T.Actions_Traced Unauthorized tracing of customer business actions may occur.2T.Blockage Two sys

47、tems may not be able to exchange data due to acommunications channel being blocked.3 T.Change_Data Information may be changed either while it being stored orprocessed within the TOE or during transmission. The changes maybe accidental or intentional. Changes include insertions,replacements, modifica

48、tions, and deletions. The type of informationthat can be changed includes user information, system information,business data, and commitment.4 T.Comm_Failure It may not be possible to set up a connection or transmit databetween two systems.5 T.Data_Theft Business process input data may be stolen.6T.

49、Deny_Dat An entity may deny ownership of business or commitment data.7 T.Deny_Receipt An entity may deny that it has received business or commitmentdata.8 T.Deny_Submit An entity may deny that it has submitted business or commitmentdata.9T.Disater Natural disasters may cause TOE or system failure.10 T.Disclose_Data Information may be disclosed in to unauthorized users. Thisincludes both user information, system information and businessdata. Information may be disclosed while being stored or processedin the TOE or during transmission. Disclosure of authent