1
DBsign for HTML Applications Version 4.0
Security Target
Release Date: April 4, 2011
Version: 1.0
Prepared By: Saffire Systems
P.O. Box 3054
Champaign, IL 61826
Prepared For: Gradkell Systems, Inc.
4910 University Square Suite 2
Huntsville, AL 35816
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. i
Table of Contents
1 INTRODUCTION..............................................................................................................................................1
1.1 ST REFERENCE............................................................................................................................................1
1.2 TOE REFERENCE.........................................................................................................................................1
1.3 DOCUMENT TERMINOLOGY.........................................................................................................................1
1.3.1 ST Specific Terminology........................................................................................................................1
1.3.2 Acronyms ...............................................................................................................................................1
1.4 OVERVIEW ..................................................................................................................................................2
1.5 TOE DESCRIPTION ......................................................................................................................................4
1.5.1 Architecture Description .......................................................................................................................4
1.5.2 Physical Boundaries..............................................................................................................................5
1.5.2.1 Hardware Components.................................................................................................................................7
1.5.2.2 Software Components..................................................................................................................................7
1.5.2.3 Guidance Documentation.............................................................................................................................9
1.5.3 Logical Boundaries................................................................................................................................9
1.5.3.1 Audit .......................................................................................................................................................... 10
1.5.3.2 User Policy................................................................................................................................................. 10
1.5.3.3 Security Management ................................................................................................................................ 10
1.5.3.4 Digital Signature Support........................................................................................................................... 11
1.5.3.5 Self Protection............................................................................................................................................ 12
1.5.4 Items Excluded from the TOE..............................................................................................................13
2 CONFORMANCE CLAIMS ..........................................................................................................................14
2.1 CC CONFORMANCE CLAIMS .....................................................................................................................14
2.2 PP AND PACKAGE CLAIMS ........................................................................................................................14
2.3 CONFORMANCE CLAIM RATIONALE..........................................................................................................15
2.3.1 Security Problem Definition Conformance Rationale .........................................................................15
2.3.2 Security Objectives Conformance Rationale .......................................................................................15
2.3.3 Security Requirements Conformance Rationale ..................................................................................15
3 SECURITY PROBLEM DEFINITION.........................................................................................................18
3.1 RELATIONSHIP BETWEEN BASIC ROBUSTNESS LEVEL AND THE FORMATION OF APPLICABLE ASSUMPTIONS,
THREATS AND THE POLICIES OF THE TSE.................................................................................................................18
3.2 ASSUMPTIONS ...........................................................................................................................................18
3.3 THREATS ...................................................................................................................................................18
3.3.1 Threats for CPV - Basic Package........................................................................................................19
3.3.2 Threats for CPV – Basic Policy Package ............................................................................................20
3.3.3 Threats for CPV –Policy Mapping Package........................................................................................20
3.3.4 Threats for CPV – Name Constraints Package ...................................................................................20
3.3.5 Threats for PKI Signature Generation Package..................................................................................20
3.3.6 Threats for PKI Signature Verification Package.................................................................................20
3.3.7 Threats for Online Certificate Status Protocol (OCSP) Client Package.............................................21
3.3.8 Threats for Certificate Revocation List (CRL) Validation Package ....................................................21
3.3.9 Threats for Audit Package...................................................................................................................21
3.4 ORGANISATIONAL SECURITY POLICIES .....................................................................................................21
4 SECURITY OBJECTIVES.............................................................................................................................23
4.1 IT SECURITY OBJECTIVES FOR THE ENVIRONMENT..................................................................................23
4.2 NON-IT SECURITY OBJECTIVES FOR THE ENVIRONMENT .........................................................................24
4.3 SECURITY OBJECTIVES FOR THE TOE ......................................................................................................24
4.3.1 Security Objectives for CPV - Basic Package .....................................................................................24
4.3.2 Security Objectives for CPV – Basic Policy Package..........................................................................25
4.3.3 Security Objectives for CPV –Policy Mapping Package.....................................................................25
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. ii
4.3.4 Security Objectives for CPV – Name Constraints Package.................................................................25
4.3.5 Security Objectives for PKI Signature Generation Package ...............................................................25
4.3.6 Security Objectives for PKI Signature Verification Package ..............................................................25
4.3.7 Security Objectives for Online Certificate Status Protocol (OCSP) Client Package ..........................26
4.3.8 Security Objectives for Certificate Revocation List (CRL) Validation Package..................................26
4.3.9 Security Objectives for Audit Package ................................................................................................26
4.3.9.1 Security Objectives for DBsign features....................................................................................................26
4.4 SECURITY OBJECTIVES RATIONALE ..........................................................................................................26
4.4.1 Environmental Security Objectives Rationale .....................................................................................26
4.4.2 Security Objectives Rationale for Packages........................................................................................34
4.4.2.1 Security Objectives Rationale for CPV - Basic Package............................................................................ 34
4.4.2.2 Security Objectives Rationale for CPV – Basic Policy Package................................................................ 36
4.4.2.3 Security Objectives Rationale for CPV –Policy Mapping Package ........................................................... 36
4.4.2.4 Security Objectives Rationale for CPV – Name Constraints Package ....................................................... 37
4.4.2.5 Security Objectives Rationale for PKI Signature Generation Package ...................................................... 38
4.4.2.6 Security Objectives Rationale for PKI Signature Verification Package..................................................... 38
4.4.2.7 Security Objectives Rationale for Online Certificate Status Protocol (OCSP) Client Package.................. 39
4.4.2.8 Security Objectives Rationale for Certificate Revocation List (CRL) Validation Package........................ 40
4.4.2.9 Security Objectives Rationale for Audit Package ...................................................................................... 41
4.4.2.10 Security Objectives Rationale for DBsign additional features ................................................................... 41
5 EXTENDED COMPONENTS DEFINITION...............................................................................................43
5.1 FIA IDENTIFICATION AND AUTHENTICATION............................................................................................43
5.1.1 FIA_UAU_ENV_(EXT).1 Timing of authentication with a third party ...............................................44
5.1.2 FIA_UID_TRD.1 Timing of identification with a third party..............................................................44
6 SECURITY REQUIREMENTS .....................................................................................................................46
6.1 CONVENTIONS...........................................................................................................................................46
6.2 IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS .....................................................................46
6.2.1 Security Audit (FAU)...........................................................................................................................47
6.2.1.1 FAU_GEN.1-NIAP-0407:1 Audit Data Generation................................................................................... 47
6.2.1.2 FAU_GEN.2-NIAP-0410:1 User identity association ............................................................................... 49
6.2.1.3 FAU_SAR.1 Audit Review........................................................................................................................ 49
6.2.1.4 FAU_SAR.2 Restricted Audit Review....................................................................................................... 49
6.2.1.5 FAU_SAR.3 Selectable Audit Review ...................................................................................................... 49
6.2.1.6 FAU_SEL.1-NIAP-0407 Selective Audit ..................................................................................................49
6.2.1.7 FAU_STG.1-NIAP-0429 Protected Audit Trail Storage............................................................................ 50
6.2.1.8 FAU_STG.NIAP-0429-1 Site-configurable Prevention of audit data loss................................................. 50
6.2.2 Cryptographic Operations (FCS) ........................................................................................................50
6.2.2.1 FCS_CRM_FPS_(EXT).1 FIPS compliant cryptographic module ............................................................ 50
6.2.3 User Data Protection (FDP) ...............................................................................................................50
6.2.3.1 FDP_ACC.1:1 Subset access control – PKI Credential Management........................................................ 50
6.2.3.2 FDP_ACF.1-NIAP-0407 Security attribute based access control – PKI Credential Management............. 50
6.2.3.3 FDP_RIP.2 Full residual information protection ....................................................................................... 51
6.2.4 Identification and Authentication (FIA)...............................................................................................51
6.2.4.1 FIA_AFL.1 Authentication failure handling.............................................................................................. 51
6.2.4.2 FIA_ATD.1 User Attribute Definition....................................................................................................... 51
6.2.4.3 FIA_UAU.2 User authentication before any action .................................................................................. 51
6.2.4.4 FIA_UAU.7 Protected authentication feedback......................................................................................... 51
6.2.4.5 FIA_UID.2 User identification before any action..................................................................................... 51
6.2.4.6 FIA_USB.1 User-subject binding ............................................................................................................. 52
6.2.5 FMT Security Management .................................................................................................................52
6.2.5.1 FMT_MOF.1:1 Management of security functions behaviour – IT Environment ..................................... 52
6.2.5.2 FMT_MSA.1:1 Management of security attributes – IT Environment ...................................................... 52
6.2.5.3 FMT_MSA.3-NIAP-0429 Static attributes initialization ........................................................................... 52
6.2.5.4 FMT_MTD.1:1 Management of TSF data – I&A Data ............................................................................. 52
6.2.5.5 FMT_MTD.1:2 Management of TSF data – Authentication Data ............................................................. 52
6.2.5.6 FMT_MTD.1:3 Management of TSF data – I&A Attempts ...................................................................... 52
6.2.5.7 FMT_MTD.1:4 Management of TSF data – Trust Anchors ...................................................................... 52
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. iii
6.2.5.8 FMT_MTD.1:5 Management of TSF data – Time..................................................................................... 53
6.2.5.9 FMT_SMF.1:1 Specification of management functions – IT Environment............................................... 53
6.2.5.10 FMT_SMR.1 Security roles....................................................................................................................... 53
6.2.6 Protection of TSF (FPT)......................................................................................................................53
6.2.6.1 FPT_STM.1 Security roles......................................................................................................................... 53
6.2.6.2 FPT_TST_SOF_(EXT).1 Security roles ....................................................................................................53
6.2.7 TOE Access (FTA)...............................................................................................................................53
6.2.7.1 FTA_SSL.1 TSF-initiated session locking.................................................................................................53
6.2.7.2 FTA_SSL.2 User-initiated locking ............................................................................................................ 54
6.2.7.3 FTA_TAB.1 Default TOE access banners.................................................................................................54
6.3 TOE SECURITY FUNCTIONAL REQUIREMENTS..........................................................................................54
6.3.1 Certification Path Validation – Basic Package...................................................................................55
6.3.1.1 FDP_CPD_(EXT).1 Certification path development................................................................................. 55
6.3.1.2 FDP_DAU_CPI_(EXT).1 Certification path initialization - basic............................................................. 56
6.3.1.3 FDP_CPV_(EXT).1 Certificate processing - basic .................................................................................... 56
6.3.1.4 FDP_DAU_CPV_(EXT).2 Intermediate certificate processing - basic...................................................... 57
6.3.1.5 FDP_DAU_CPO_(EXT).1 Certification path output- basic ...................................................................... 57
6.3.2 Certification Path Validation – Basic Policy Package........................................................................57
6.3.2.1 FDP_DAU_CPI_(EXT).2 Certification path initialization – basic policy.................................................. 57
6.3.2.2 FDP_DAU_CPO_(EXT).2 Certification path output – basic policy.......................................................... 58
6.3.3 Certification Path Validation –Policy Mapping Package ...................................................................58
6.3.3.1 FDP_DAU_CPI_(EXT).3 Certification path initialization –policy mapping............................................. 58
6.3.3.2 FDP_DAU_CPV_(EXT).3 Intermediate certificate processing - policy mapping..................................... 58
6.3.3.3 FDP_DAU_CPO_(EXT).3 Certification path output – policy mapping .................................................... 58
6.3.4 Certification Path Validation –Name Constraints Package................................................................58
6.3.4.1 FDP_DAU_CPI_(EXT).4 Certification path initialization –names ........................................................... 58
6.3.4.2 FDP_DAU_CPV_(EXT).4 Certificate processing – name constraints ...................................................... 59
6.3.4.3 FDP_DAU_CPV_(EXT).5 Intermediate Certificate processing – name constraints..................................59
6.3.5 PKI Signature Generation Package ....................................................................................................59
6.3.5.1 FDP_ETC_SIG_(EXT).1 Export of PKI Signature.................................................................................... 59
6.3.6 PKI Signature Verfication Package.....................................................................................................59
6.3.6.1 FDP_ITC_SIG_(EXT).1 Import of PKI Signature..................................................................................... 59
6.3.6.2 FDP_DAU_SIG_(EXT).1 Export of PKI Signature .................................................................................. 59
6.3.7 Online Certificate Status Protocol Client Package .............................................................................60
6.3.7.1 FDP_DAU_OCS_(EXT).1 Basic OCSP Client ......................................................................................... 60
6.3.8 Certificate Revocation List (CRL) Validation Package.......................................................................61
6.3.8.1 FDP_DAU_CRL_(EXT).1 Basic CRL Checking...................................................................................... 61
6.3.9 Audit Package......................................................................................................................................61
6.3.9.1 FAU_GEN.1-NIAP-0407:2 Audit data generation - TOE ......................................................................... 61
6.3.9.2 FAU_GEN.2-NIAP-0410:2 User identity association - TOE..................................................................... 63
6.3.10 DBsign Additional SFRs .................................................................................................................63
6.3.10.1 FDP_ACC.1:2 Subset access control......................................................................................................... 63
6.3.10.2 FDP_ACF.1 Security attribute based access control.................................................................................. 63
6.3.10.3 FIA_UAU_ENV_(EXT).1 Timing of Authentication with a third party ................................................... 64
6.3.10.4 FIA_UID_ENV_(EXT).1 Timing of Identification with a third party ....................................................... 64
6.3.10.5 FMT_MOF.1:2 Management of security functions behaviour – TOE....................................................... 64
6.3.10.6 FMT_MSA.1;2 Management of security attributes – User Policy............................................................. 65
6.3.10.7 FMT_MSA.3 Static Attributes Initialization.............................................................................................. 65
6.3.10.8 FMT_SMF.1:2 Specification of management functions – IT Environment............................................... 65
6.4 TOE SECURITY ASSURANCE REQUIREMENTS ...........................................................................................65
6.5 SECURITY REQUIREMENTS RATIONALE ....................................................................................................67
6.5.1 IT Environment Dependency Rationale...............................................................................................67
6.5.2 TOE Dependency Rationale ................................................................................................................68
6.5.3 IT Environment SFR Tracings and Rationale......................................................................................70
6.5.4 TOE SFR Tracings and Rationale .......................................................................................................76
6.5.4.1 Security Objectives Rationale for CPV - Basic Package............................................................................ 77
6.5.4.2 Security Objectives Rationale for CPV – Basic Policy Package................................................................ 78
6.5.4.3 Security Objectives Rationale for CPV –Policy Mapping Package ........................................................... 79
6.5.4.4 Security Objectives Rationale for CPV –Name Constraints Package ........................................................ 79
6.5.4.5 Security Objectives Rationale for PKI Signature Generation Package ...................................................... 80
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. iv
6.5.4.6 Security Objectives Rationale for PKI Signature Verification Package..................................................... 80
6.5.4.7 Security Objectives Rationale for Online Certificate Status Protocol (OCSP) Package ............................ 80
6.5.4.8 Security Objectives Rationale for Certificate Revocation List (CRL) Validation Package........................ 81
6.5.4.9 Security Objectives Rationale for Audit Package ...................................................................................... 81
6.5.4.10 Security Objectives Rationale for DBsign Additional SFRs...................................................................... 82
6.5.5 SAR Rationale......................................................................................................................................82
7 TOE SUMMARY SPECIFICATION ............................................................................................................84
7.1 AUDITING..................................................................................................................................................84
7.2 USER POLICY ............................................................................................................................................85
7.3 SECURITY MANAGEMENT .........................................................................................................................86
7.4 CERTIFICATION PATH PROCESSING ...........................................................................................................87
7.5 CERTIFICATE REVOCATION PROCESSING ..................................................................................................88
7.6 PKI SIGNATURE GENERATION ..................................................................................................................89
7.7 PKI SIGNATURE VERIFICATION.................................................................................................................89
List of Tables
Table 1: Mapping the TOE Base Assumptions, Threats, and OSPs to Objectives....................... 27
Table 2: Mapping the Base Objectives to Threats, Assumptions or OSPs................................... 33
Table 3: Mapping of Threats to Objectives for CPV – Basic Package......................................... 34
Table 4: Mapping of Objectives to Threats for CPV – Basic Package......................................... 35
Table 5: Mapping of Threats to Objectives for CPV – Basic Policy Package ............................. 36
Table 6: Mapping of Objectives to Threats for CPV – Basic Package......................................... 36
Table 7: Mapping of Threats to Objectives for CPV –Policy Mapping Package......................... 36
Table 8: Mapping of Objectives to Threats for CPV –Policy Mapping Package......................... 37
Table 9: Mapping of Threats to Objectives for CPV –Name Constraints Package...................... 37
Table 10: Mapping of Objectives to Threats for CPV – Name Constraints Package................... 37
Table 11: Mapping of Threats to Objectives for PKI Signature Generation Package.................. 38
Table 12: Mapping of Objectives to Threats for PKI Signature Generation Package.................. 38
Table 13: Mapping of Threats to Objectives for PKI Signature Verification Package ................ 38
Table 14: Mapping of Objectives to Threats for PKI Signature Verification Package ................ 39
Table 15: Mapping of Threats to Objectives for OCSP Client Package....................................... 39
Table 16: Mapping of Objectives to Threats for OCSP Client Package....................................... 40
Table 17: Mapping of Threats to Objectives for OCSP Client Package....................................... 40
Table 18: Mapping of Objectives to Threats for OCSP Client Package....................................... 41
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. v
Table 19: Mapping of Threats to Objectives for PKI Signature Generation Package.................. 41
Table 20: Mapping of Objectives to Threats for PKI Signature Generation Package.................. 41
Table 21: Mapping of Threats to Objectives for DBsign additional features............................... 41
Table 22: Mapping of Objectives to Threats for DBsign additional features............................... 42
Table 23: IT Environment Security Functional Requirements..................................................... 47
Table 24: IT Environment Auditable Events................................................................................ 49
Table 25: Security Functional Requirements................................................................................ 55
Table 26: TOE Auditable Events.................................................................................................. 63
Table 27: Security Assurance Requirements ............................................................................... 67
Table 28: Mappings between TOE SFRs and Security Objectives .............................................. 77
List of Figures
Figure 1: DBsign Configurations.................................................................................................... 5
Figure 2: DBsign Physical Boundaries........................................................................................... 6
Figure 3: DBsign Execution Architecture....................................................................................... 7
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 1
1 Introduction
This section identifies the Security Target, Target of Evaluation (TOE), conformance claims, ST
organization, document conventions, and terminology. It also includes an overview of the
evaluated product.
1.1 ST Reference
This section will provide information necessary to identify and control the Security Target and
the TOE.
ST Title DBsign for HTML Applications Version 4.0 Security
Target
Version: 1.0
Publication Date: April 4, 2011
ST Author Saffire Systems
Assurance Level: EAL2 augmented with ALC_FLR.2
1.2 TOE Reference
The TOE claiming conformance to this ST is identified as:
DBsign for HTML Applications version 4.0
1.3 Document Terminology
Please refer to CC Part 1 Section 2.3 for definitions of commonly used CC terms.
Please refer to Appendix B, Glossary of the U.S. Government Basic Robustness Public Key-
Enabled Applications (PKE) PP for definitions of terms relating to the PP.
1.3.1 ST Specific Terminology
DBS Name of DBsign schema in which the system tables are stored
1.3.2 Acronyms
API Application Programming Interface
CC Common Criteria
DB Database
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 2
EAL2 Evaluation Assurance Level 2
HTTPS Secure Hyper-Text Transfer Protocol
IT Information Technology
JRE Java Runtime Environment
LDAP Lightweight Directory Access Protocol
OSP Organisational Security Policy
PKI Public Key Infrastructure
PP Protection Profile
RDBMS Relational Database Management Systems
SFP Security Function Policy
SFR Security Functional Requirement
SOF Strength of Function
ST Security Target
TOE Target of Evaluation
TOI Time of Interest
TSC TSF Scope of Control
TSF TOE Security Functions
TSP TOE Security Policy
1.4 Overview
DBsign is a software only solution providing a digital signature system that supports
cryptographic data integrity and non-repudiation for data stored in relational databases. DBsign
supports digital signature operations for data stored within a database and other data provided by
the application. A co-existing application can interface to DBsign using DBsign’s API to
perform digital signature operations for the given application. DBsign includes the following
major components:
Client-side signing component called the DBsign Universal Web Signer (DBsign UWS)
Server-side component called the DBsign Server
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 3
DBsign Administration Tools, a set of graphical administration tools used to administer
DBsign configuration data
These components work together to make the integration of digital signatures into applications a
quick and easy process.
The DBsign UWS includes a simple, high-level application programming interface (API) that
minimizes changes to existing application code. The existing application can also interface with
the DBsign Server to perform digital signature related operations through an API accessed via
HTTP requests. No specialized cryptographic or digital signature knowledge is required of
developers or users. The DBsign UWS provides an interface to DBsign for a co-existing
application so that the co-existing application may integrate the digital signature security
functionalities of DBsign without the need of having to integrate the actual source code of
DBsign into the co-existing application. Therefore, DBsign may be programmatically integrated
into a co-existing application without the capability of modifying the security functionalities
incorporated by DBsign.
The DBsign Administration Tools is a Graphical User Interface (GUI) that allows for the DBsign
Administrator to control the security and configuration parameters under which DBsign operates.
The tools provide a means for the DBsign administrator to centrally configure and maintain the
digital signature system. The DBsign Administration Tools may be used to configure and
maintain multiple DBsign installations by connecting to different RDBMS databases when
executing the tools.
DBsign relies upon FIPS 140 validated cryptographic modules in the IT environment to provide
all of the cryptographic operations, including digital signature generation and verification.
DBsign accesses the FIPS 140 validated cryptographic modules via PKCS #11 and the Microsoft
CryptoAPI. PKCS#11 and the Microsoft CryptoAPI are standardized APIs that provide access to
cryptographic modules.
In the evaluated configuration, DBsign must be used with the following FIPS 140-2 validated
cryptographic modules that are in the IT environment:
Windows cryptographic modules accessible via the Microsoft Crypto API that are
included with the Windows operating system
Network Security Services (NSS) Cryptographic Module (software versions 3.2.2 &
3.11.4) accessed via PKCS #11
Other FIPS 140-2 validated modules accessed via Microsoft CryptoAPI and PKCS #11
FIPS 140-2 validated modules that execute within a MAC OS X operating system and are
accessed via PKCS #11 or Apple Security Framework
In the evaluated configuration, DBsign must be used on the following Common Criteria
validated operating systems that are installed and configured in the CC evaluated configuration:
Microsoft Windows XP Professional and higher (32-bit and 64-bit)
Microsoft Windows Server 2003 and higher (32-bit and 64-bit) (including Microsoft
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 4
Windows Server 2008)
Red Hat Enterprise Linux 5 and higher (32-bit and 64-bit)
Sun Solaris 8 and higher for SPARC platform (32-bit and 64-bit)
Sun Solaris 10 and higher for INTEL platform (32-bit and 64-bit)
Apple Mac OS X 10.6 and higher (32-bit and 64-bit)
Oracle Enterprise Linux 5.1 and higher (32-bit and 64-bit)
In addition, the following products must be included on the DBsign platforms:
Java: Sun JRE 1.5 or higher (32-bit and 64-bit as available)
Browser:
o Microsoft Internet Explorer (IE) 6 or higher (32-bit or 64-bit) or
o Mozilla Firefox 3 and higher (32-bit and 64-bit) or
o Apple Safari 3 and higher (32-bit and 64-bit)
1.5 TOE Description
1.5.1 Architecture Description
DBsign is a software only TOE. The client communicates with DBsign Server via the DBsign
UWS, an applet downloaded to and executed within their web browser on the client machine.
Therefore, the web browser is pointed to the web server hosting DBsign version 4.0 via HTTPS
and the web server redirects the query to the application server in which DBsign Server resides.
DBsign Server then communicates to a database to retrieve data to be signed by the client via a
network protocol recognized by the database (i.e. SQL*Net for Oracle). DBsign supports most
Relational Database Management Systems (RDBMS).
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 5
Figure 1: DBsign Configurations
DBsign additionally provides optional security features called the User Policy and Notary
Signing features. The User Policy feature provides access control enforcement to digital
signatures using templates. The Notary Signing feature provides server-side signing capability.
1.5.2 Physical Boundaries
This section identifies the hardware and software components of the product and denotes which
are in the TOE and which are in the environment.
DBsign can be executed on a single physical computer, however in most cases the deployment
consists of multiple physical computers. DBsign supports multiple clients to a server, however,
at least one client, which could reside on the server, is required to support the full functionality
of DBsign. The first computer is the client, which includes an operating system, a web browser
client, and its underlying hardware. The DBsign UWS applet is downloaded to the client system
and executed by the web browser’s Java Virtual Machine (JVM). The second computer is the
application server, which includes an operating system, web server, Java application server,
application logic, the DBsign Administration Tools, the DBsign Server, and its underlying
hardware. If there are only two computers, this second computer also includes the RDBMS.
Otherwise, the third computer is the database server which includes an operating system,
RDBMS, and its underlying hardware. The TOE also requires connectivity between the client
and server to support the digital signature operations performed by DBsign.
Figure 2 depicts the physical architecture of DBsign at installation time (not during execution).
The grayed rectangles labeled “DBsign Universal Web Signer”, “DBsign Server”, and “DBsign
Admin Tools” including the API components included within the grayed rectangles represent the
TOE components and boundaries in a physical aspect in relation to the non-TOE components.
Client
Application
Server with
RDBMS
installed
HTTPS
Client Application
Server
HTTPS
Database
Server
(RDBMS)
Database
Protocol
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 6
(Note: the DBsign Universal Web Signer component is an applet that is downloaded to and
executed on the web browser on the client.) The non-TOE components of the client include the
operating system, web browser, and its underlying hardware. The non-TOE components of the
server include the operating system, web server, Java application server, application logic, an
RDBMS1
, and the underlying hardware. In addition, the HTTPS protocol used to communicate
between the client and server is also a non-TOE component.
Figure 2: DBsign Physical Boundaries
HTML applications have a “thin-client” architecture. The user interface of the application
executes on the client workstation. Most, if not all, of an application’s business logic is executed
in an application server. A current trend is to move some business logic in an application down
to the browser in Javascript. HTML applications use DBsign to perform digital signature
operations for data stored within a database and other data provided by the application. Figure 3
below depicts the location of the TOE components when they are executing. Note that the
DBsign UWS applet is installed on the Server, but download to and executed on the Client. As
shown in Figure 3, database-driven HTML applications can be composed of at least three tiers:
(Note: It is possible to combine these platforms or to create additional tiers.)
Client Workstation Executes the web browser to provide the user interface for the application
Application Server Executes the application’s business logic2
1
The audit data and DBS tables reside in the RDBMS, which is in the TOE environment.
2
Figure 3 depicts the web server, application server, and the DBsign Server executing on the same physical
Client Server
HTTPS
Web Browser
Operating System
Web
Server
Operating System
DBsign
Admin
Tools
DBsign
Server
DBsign API
RDBMS
Java
App
Server
App
Logic
TOE Component IT Environment Component
DBsign Universal
Web Signer
DBsign UWS API
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 7
Database Server Stores application data
Figure 3: DBsign Execution Architecture
1.5.2.1 Hardware Components
The hardware components required for the TOE is the underlying hardware required for the
operating system on which DBsign will be installed. Please refer to the minimum supported
hardware requirements specified for the selected operating system.
1.5.2.2 Software Components
This table identifies software components and indicates whether or not each component is in the
TOE.
TOE or
Environment
Component Description
TOE DBsign Universal Web Signer An applet installed on the Server and
downloaded to/executed on the web browser
on the client.
TOE DBsign Servlet DBsign application installed on the Server
TOE DBsign Administration Tools Administration tools installed on the Server.
platform. These three components can be on the same physical platform or multiple platforms.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 8
TOE or
Environment
Component Description
Environment Underlying Operating System The following OSs that are CC validated
at EAL2 or higher:
Microsoft Windows XP Professional
and higher (32-bit and 64-bit)
Microsoft Windows Server 2003 and
higher (32-bit and 64-bit)
Red Hat Enterprise Linux (32-bit and
64-bit)
Sun Solaris 8 and higher for SPARC
platform (32-bit and 64-bit)
Sun Solaris 10 and higher for INTEL
platform (32-bit and 64-bit)
Apple Mac OS X (32-bit and 64-bit)
Environment Browser Microsoft Internet Explorer (IE) 6 or
higher (32-bit or 64-bit) or
Mozilla Firefox 3 and higher (32-bit
and 64-bit)
Apple Safari 3 and higher (32-bit and
64-bit)
Environment Sun Java 1.5 (or higher) Java
Runtime Environment (JRE)
Required for DBsign Administration Tools
Environment RDBMS Relational Database Management System
installed on the Server
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 9
TOE or
Environment
Component Description
Environment FIPS 140-2 validated
cryptographic module
Microsoft CryptoAPI Cryptographic
Service Providers (CSPs) included
with the Windows operating system
Network Security Services (NSS)
Cryptographic Module (software
versions 3.2.2 & 3.11.4) accessed via
PKCS #11
Any other FIPS 140-2 validated
modules accessed via Microsoft
CryptoAPI and PKCS #11
FIPS 140-2 validated modules that
execute within a MAC OS X operating
system and are accessed via PKCS #11
or Apple Security Framework
1.5.2.3 Guidance Documentation
The TOE includes the following administrative, installation, and application developer guidance:
DBsign Concepts Manual, Version 4.0, 2010
DBsign for HTML Applications: Integration Manual, Version 4.0, 2010
DBsign for HTML Applications Installation Manual, Version 4.0, 2010
DBsign Administration Tools Manual, Version 4.0, 2010
DBsign Configuration Editor Manual, Version 4.0, 2010
DBsign for HTML Applications Version 4.0 Release Notes, 2010
DBsign NIAP Configuration Manual, Version 4.0, 2010
1.5.3 Logical Boundaries
This section contains the product features and denotes which are in the TOE.
This section identifies the logical boundaries of the TOE in terms of the IT security features
provided by the TOE. The IT security features include auditing and digital signature support. A
description of each IT security feature identified is provided in the following subsections.
The TOE relies upon the underlying operating system, cryptographic module, and application to
provide protection of the TSF and provide a mechanism for secure communication between the
client and server.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 10
1.5.3.1 Audit
The TOE provides auditing record generation capabilities for startup and shutdown of the audit
functions, management functions, digitally signing data and verifying the digital signature of
data. The auditing record generation capabilities of the TOE also report any integrity violations
for verifications that are performed. It also identifies the specific data that has been modified.
Audit record generation occurs on both the client and server system.
The audit records are stored in flat text files on the underlying operating systems. The TOE
depends upon the IT environment to provide a mechanism (via a text viewer/editor) for viewing
the events recorded in the audit log. The TOE also relies upon the underlying operating systems
to protect the audit records.
1.5.3.2 User Policy
The TOE provides the optional ability to restrict access to the digital signing operations. By
default, the User Policy system is disabled. The User Policy feature can be used to restrict:
Who may digitally sign documents in the RDBMS
Which certificates may be used to sign documents
What types of documents individual users may sign
To support the User Policy feature, DBsign maintains a list of authorized users and associated
certificates, but does not authenticate these users.
1.5.3.3 Security Management
The TOE includes multiple graphical user interfaces which are available for the DBsign
administrator to manage the TOE. (The DBsign administrator is defined by the DB. The DB
administrator creates and manages the DBsign administrator account in the DB.) These
management features include the following:
Manage the DBsign signature templates which are used to define how DBsign operates
on data in the RDBMS
Modify the descriptions of the DBsign security levels
Configure the DBsign User Policy feature (enable, disable, define/query/edit DBsign user
definition, specify user’s certificates)
Configure the list of certificate authorities DBsign trusts to issue certificates to end users
Configure the audit log settings
Manage the certificates and CRLs that DBsign stores in the RDBMS
Configure the list of OCSP responders DBsign trusts to provide certificate revocation
status information
Create and populate the DBsign System Tables with initial data
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 11
All of the TSF configuration data is stored in the RDBMS: The DBsign Administration tools
communicate directly with the RDBMS using a JDBC driver as required by the RDBMS. The
RDBMS defines the communication protocol that be used to connect to it. The DBsign server
communicates directly with the RDBMS to obtain the TSF configuration data. The DBsign
Administration tools that communicate directly with the RDBMS require users to identify and
authenticate themselves to the RDBMS prior to performing TSF-mediated administrative
functions.
An additional tool is provided for creating a new DBsign configuration file. This tool does not
install or activate the new DBsign configuration file. An administrative user on the DBsign
server must install the new DBsign configuration file for it to be used. This tool does not require
users to identify or authenticate themselves as the functionality provided by the tool does not
impact the security functionality of the system until it is installed by an operating system
administrator.
1.5.3.4 Digital Signature Support
The TOE provides the capability to request digital signature operations of the FIPS 140-2
validated cryptographic module which is in the IT environment. The digital signatures operations
include digitally signing data and verifying digitally signed data. The TOE utilizes the defined
digital signature operations to integrate with third-party applications that require the use of the
digital signature operations that the TOE provides.
The TOE user data includes the data passed to and from DBsign as well as the certificates,
CRLs, OCSP requests and OCSP responses.
The TSF data includes the list of trust anchors which is managed by the DBsign administrator
and signed for protection.
1.5.3.4.1 Certification Path Validation
The TOE provides for all X.509 validation checks, including both certification path development
and certification path validation. Certification path validation consists of validating certificates
starting with one certified by a trust anchor and ending with the one issue to the subscriber of
interest.
Public key certificates in a certification path can be categorized in three types for the purpose of
certification path validation:
Trust Anchors: The trust anchors can be in the form of self-signed certificates. The trust
anchor is used to obtain the Distinguished Name (DN), public key, algorithm identifier,
and the public key parameters (if applicable). DBsign permits validation of trust anchor if
it is in the form of a self-signed certificate, including validating signature and verifying
that the self-signed certificate validity period has not expired.
Intermediate certificates: These are the certificates issued to the CAs. All certificates in a
certification path are intermediate certificates, except the last one.
End certificate: This is the last certificate in the certification path and is issued to the
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 12
subscriber of interest. This is typically an end-entity (i.e., not a CA) certificate. However,
this package permits this certificate to be a CA certificate also.
The certification path validation provided by the TOE includes processes for the following
security related certificate extenstions checks: no-check, keyUsage, extendedKeyUsage,
basicConstraints, certificatePolicies, PolicyMapping, inhibitAnyPolicy, policyConstraints,
nameConstraints.
1.5.3.4.2 PKI Signature Generation
The TOE performs the following functions on behalf of the requesting applications:
Select the appropriate private key;
Invoke a signature generation function using the selected private key; and
Generate and include signature information that identifies the signer and is useful in
efficient signature verification.
1.5.3.4.3 PKI Signature Verification
The TOE performs the following functions on behalf of the requesting applications:
Process the signature information, e.g. the PKCS 7 blob;
Invoke a signature verification function with the public key obtained from certification
path validation; and
Verify the signature information.
1.5.3.4.4 Online Certificate Status Protocol Client
The TOE performs the following functions to determine the revocation state of public key
certificates at the request of the application:
Generate Online Certificate Status Protocol (OCSP) requests
Validate OCSP responses
1.5.3.4.5 Certificate Revocation List (CRL) Validation
The TOE provides the ability to determine the revocation state of public key certificates using a
CRL.
1.5.3.5 Self Protection
The TOE provides protection mechanisms for its security functions. One of the protection
mechanisms is that the TSF requires the administrative users to be authenticated by the IT
environment before any administrative operations can be performed, whether those functions are
related to the management of user accounts, configuration of the User Policy or the configuration
of cryptographic operations.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 13
The TOE relies upon the IT environment to protect the confidentiality of all data being
transmitted between IT entities sending information through the TOE (via HTTPS). All functions
of the TOE are confined to the TOE itself. There is no concept of a non-administrative user
session with the TOE. External entities request an operation from the TOE and the TOE responds
with the requested output. All external TSF interfaces are well defined. In this way, the TOE is
self-contained and maintains its own execution domain which further protects it from
interference and tampering by untrusted subjects.
1.5.4 Items Excluded from the TOE
There are no items excluded from the TOE.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 14
2 Conformance Claims
2.1 CC Conformance Claims
This ST was developed to Common Criteria (CC) for Information Technology Security
Evaluation – September, 2006 Version 3.1, Revision 3, CCMB-2006-09-001
The ST claims to be
CC Version 3.1 Part 1 conformant
CC Version 3.1 Part 2 extended
CC Version 3.1 Part 3 conformant
2.2 PP and Package Claims
The ST claims to be Evaluation Assurance Level 2 with augmentation.
The PP to which this ST conforms is defined in terms of packages. The ST claims conformance
to the following Protection Profile (PP):
U.S. Government Basic Robustness Public Key-Enabled Applications (PKE) PP with the
following packages
1. Certification Path Validation (CPV) – Basic
2. CPV – Basic Policy
3. CPV - Policy Mapping
4. CPV – Name Constraints
5. PKI Signature Generation
6. PKI Signature Verification
7. Online Certificate Status Protocol (OCSP) Client
8. Certificate Revocation List (CRL) Validation
9. Audit
at Basic Robustness Assurance, Version 2.8, May 1, 2007.
The ST claims conformance to the following packages defined in the PKE PP as noted in the
following table.
Package Conformance Claim
CPV – Basic Conformant
CPV – Basic Policy Conformant
CPV - Policy Mapping Conformant
CPV – Name Constraints Conformant
PKI Signature Generation Conformant
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 15
Package Conformance Claim
PKI Signature Verification Conformant
OCSP Client Conformant
CRL Validation Conformant
Audit Conformant
2.3 Conformance Claim Rationale
The PKE PP requires demonstrable conformance. This section demonstrates the following:
1. The statement of the security problem definition of the ST is equivalent or more restrictive
than the statement of the security problem definition in the PP.
2. The statement of security objectives of the ST is equivalent or more restrictive than the
statement of security objectives in the PP.
3. The statement of security requirements of the ST is equivalent or more restrictive than the
statement of security requirements in the PP.
2.3.1 Security Problem Definition Conformance Rationale
The statements of threats, policies, and assumptions have been copied verbatim from the PKE
PP. No additional threats, policies, or assumptions have been added.
2.3.2 Security Objectives Conformance Rationale
The statement of security objectives and the corresponding rationale have been copied verbatim
from the PKE PP.
The ST includes two additional TOE security objectives: O.ACCESS and O.MANAGE. These
security objectives define additional TOE functionality that does not interfere with the
functionality provided in the TOE security objectives from the PKE PP.
2.3.3 Security Requirements Conformance Rationale
The statement of IT environment SFRs and the corresponding rationale have been copied
verbatim from the PKE PP, except that the security requirement operations left uncompleted in
the PKE PP have been completed in this ST and a few of the SFRs have been iterated since they
are used more than once in the ST. The operations completed in this ST are denoted as described
in Section 6.1.
The statement of TOE SFRs and the corresponding rationale have been copied verbatim from the
PKE PP, except for the following
a) The security requirement operations left uncompleted in the PKE PP have been
completed in this ST. The operations completed in this ST are denoted as described in
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 16
Section 6.1.
b) The PKE PP assumed reverse certification path building. The TOE implements
forward certification path building. Functionally, both methods accurately and
adequately build and verify the certification path. The following SFR elements was
refined to reflect the functionality provided by the TSF:
FDP_CPD_(EXT).1.1
c) DBsign supports both CRL and OCSP revocation checking. If one of the checks pass,
the other is not performed. This was clarified by refining the following SFR element
and adding an ST Application Note:
FDP_DAU_CPV_(EXT).1.4
d) The PKE PP assumes that certification path output is requested by the users of the
TOE. For DBsign, the users requesting digital signing services are not interested in
receiving certification path output, instead this information is used between internal
components of the TSF. Functionally, the TSF does process and provide the
certification path output for its own use as requested by the application. The
following SFRs were refined to reflect the functionality provided by the TSF:
FDP_DAU_CPO_(EXT).1
FDP_DAU_CPO_(EXT).2
FDP_DAU_CPO_(EXT).3
e) The following SFRS copied verbatim from the PKE PP have been iterated since this
ST used these components more than once:
FDP_ACC.1 iterated to FDP_ACC.1:1
FMT_MOF.1 iterated to FMT_MOF.1:1
FMT_MSA.1 iterated to FMT_MSA.1:1
FMT_SMF.1 iterated to FMT_SMF.1:1
f) Some of the functionality provided by DBsign is not always performed, but can be
performed if configured or enabled by an administrator. The following SFRs were
refined to describe this capability:
FDP_ETC_SIG_(EXT).1
FDP_ITS_SIG_(EXT).1
FDP_DAU_OCS_(EXT).1
The ST includes eight additional TOE SFRs, identified below. These SFRs have either been
copied from CC Part 2 with the appropriate operations performed or are defined in Section 5.
These SFRs define additional TOE functionality that increase the functionality restrictions
required by the TOE.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 17
FIA_UAU_ENV_(EXT).1
FIA_UAU_ENV_(EXT).1
FDP_ACC.1:2
FDP_ACF.1
FMT_MOF.1:2
FMT_MSA.1:2
FMT_MSA.3
FMT_SMF.1:2
The statement of SARs is EAL2 augmented with ALC_FLR.2, which corresponds exactly with
the Basic Robustness assurance package defined in the PKE PP.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 18
3 Security Problem Definition
This section contains assumptions regarding the security environment and the intended usage of
the TOE and threats on the TOE and the TOE environment.
3.1 Relationship between Basic Robustness Level and the formation of
applicable assumptions, threats and the policies of the TSE
Basic robustness TOEs falls in the upper left area of the robustness figures discussed in
Appendix D of the PKE PP. A Basic Robustness TOE is considered sufficient for low threat
environments or where compromise of protected information will not have a significant impact
on mission objectives. This implies that the motivation of the threat agents will be low in
environments that are suitable for TOEs of this robustness. In general, basic robustness results in
“good commercial practices” that counter threats based in casual and accidental disclosure or
compromise of data protected by the TOE.
Threat agent motivation can be considered in a variety of ways. One possibility is that the value
of the data process or protected by the TOE will generally be seen as of little value to the
adversary (i.e., compromise will have little or no impact on mission objectives). Another
possibility, (where higher value data is processed or protected by the TOE) is that procuring
organizations will provide other controls or safeguards (i.e., controls that the TOE itself does not
enforce) in the fielded system in order to increase the threat agent motivation level for
compromise beyond a level of what is considered reasonable or expected to be applied.
3.2 Assumptions
This section identifies Secure Usage Assumptions for the IT environment.
A.Configuration The TOE will be properly installed and configured.
A.Basic The attack potential on the TOE is assumed to be “Basic”.
A.NO_EVIL Administrators are non-hostile, appropriately trained and follow all
administrator guidance.
A.PHYSICAL It is assumed that the environment provides the TOE with appropriate
physical security, commensurate with the value of the IT assets protected
by the TOE.
3.3 Threats
The threats identified in this section may be addressed by the TOE. The asset under attack is the
information transiting the TOE. In general, the threat agent includes, but is not limited to: 1)
people with TOE access who are expected to possess “average” expertise, few resources, and
moderate motivation, or 2) failure of the TOE.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 19
T.AUDIT_COMPROMISE A user or process may view audit records, cause audit
records to be lost or modified, or prevent future audit records from being
recorded, thus masking a user’s action.
T.CHANGE_TIME An unauthorized user may change the TSF notion of time resulting in
accepting old revocation information or expired certificates.
T.CRYPTO_COMPROMISE A user or process may cause key, data, or executable code
associated with the cryptographic functionality to be inappropriately
accessed (viewed, modified, or deleted), thus compromising the
cryptographic mechanisms and the data protected by those mechanisms.
T.MASQUERADE A user or process may masquerade as another entity in order to gain
unauthorized access to data or TOE resources.
T.POOR_TEST Lack of or insufficient tests to demonstrate that all TOE security functions
operate correctly (including in a fielded TOE) may result in incorrect TOE
behavior being undiscovered thereby causing potential security
vulnerabilities.
T.RESIDUAL_DATA A user or process may gain unauthorized access to data through
reallocation of TOE resources from one user or process to another.
T.TSF_COMPROMISE A user or process may cause, through an unsophisticated attack,
TSF data, security attributes, or executable code to be inappropriately
accessed (viewed, modified, or deleted).
T.UNATTENDED_SESSION A user may gain unauthorized access to an unattended
session.
T.UNAUTHORIZED_ACCESS A user may gain access to user data for which they are not
authorized according to the TOE security policy.
T.UNIDENTIFIED_ACTIONS The administrator may not have the ability to notice
potential security violations, thus limiting the administrator’s ability to
identify and take action against a possible security breach.
3.3.1 Threats for CPV - Basic Package
T.Certificate_Modi An untrusted user may modify a certificate resulting in using a wrong
public key.
T.DOS_CPV_Basic The revocation information or access to revocation information could be
made unavailable, resulting in loss of system availability.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 20
T.Expired_Certificate An expired (and possibly revoked) certificate as of TOI could be used for
signature verification.
T.Untrusted_CA An untrusted entity (Certification Authority (CA)) may issue certificates
to bogus entities, permitting those entities to assume identity of other
legitimate users.
T.No_Crypto The user public key and related information may not be available to carry
out the cryptographic function.
T.Path_Not_Found A valid certification path is not found due to lack of system functionality.
T.Revoked_Certificate A revoked certificate could be used as valid, resulting in security
compromise
T.User_CA A user could act as a CA, issuing unauthorized certificates.
3.3.2 Threats for CPV – Basic Policy Package
T.Unknown_Policies The user may not know the policies under which a certificate was issued.
3.3.3 Threats for CPV –Policy Mapping Package
T.Mapping The user may accept unacceptable certificates or reject acceptable
certificates due to improper certificate policy mapping.
T.Wrong_Policy_Dec The user may accept certificates that were not generated with the diligence
and security acceptable to the user. The user may reject certificates that
were generated with the diligence and security acceptable to the user.
3.3.4 Threats for CPV – Name Constraints Package
T.Name_Collision The user may accept certificates from CA where the CA’s understanding
and the user’s understanding of the names differ, i.e., user and CA
associate different identity with the same name.
3.3.5 Threats for PKI Signature Generation Package
T.Clueless_PKI_Sig The user may try only inappropriate certificates for signature verification
because the signature does not include a hint.
3.3.6 Threats for PKI Signature Verification Package
T.Assumed_Identity_PKI_Ver A user may assume the identity of another user in order to
verify a PKI signature.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 21
T.Clueless_PKI_Ver The user may try only inappropriate certificates for signature verification
because hints in the signature are ignored.
3.3.7 Threats for Online Certificate Status Protocol (OCSP) Client Package
T.DOS_OCSP The OCSP response of access to the OCSP response could be made
unavailable, resulting in loss of system availability.
T.Replay_OCSP_Info The user may accept an OCSP response from well before TOI resulting in
accepting a revoked certificate.
T.Wrong_OCSP_Info The user may accept a revoked certificate or reject a valid certificate due
to a wrong OCSP response.
3.3.8 Threats for Certificate Revocation List (CRL) Validation Package
T.DOS_CRL The CRL or access to CRL could be made unavailable, resulting in loss of
system availability.
T.Replay_Revoc_Info_CRL The user may accept a CRL issued well before TOI resulting in
accepting a revoked certificate.
T.Wrong_Revoc_Info_CRL The user may accept a revoked certificate or reject a valid
certificate due to a wrong CRL.
3.3.9 Threats for Audit Package
T.PKE_Accountability The PKE related audit events cannot be linked to individual
actions.
3.4 Organisational Security Policies
The environment must include and comply with the following organizational security policies.
P.ACCESS_BANNER The IT Environment shall display an initial banner describing
restrictions of use, legal agreements, or any other appropriate
information to which users consent by accessing the system.
P.ACCOUNTABILITY The authorized users of the TOE shall be held accountable for their
actions within the TOE.
P.CRYPTOGRAPHY Only NIST FIPS validated cryptography (methods and
implementations) are acceptable for key management (i.e., generation,
access, distribution, destruction, handling, and storage of keys) and
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 22
cryptographic services (i.e., encryption, decryption, signature, hashing,
key exchange, and random number generation services).
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 23
4 Security Objectives
This chapter describes the security objectives for the TOE and the TOE’s IT environment. The
security objectives are divided between TOE Security Objectives (i.e., security objectives
addressed directly by the TOE) and Security Objectives for the Environment (i.e., security
objectives addressed by the IT domain or by non-technical or procedural means).
4.1 IT Security Objectives For The Environment
The following IT security objectives for the environment are to be addressed by the TOE
environment by technical means.
OE.AUDIT_GENERATION The IT Environment will provide the capability to detect and create
records of security-relevant events associated with users.
OE.AUDIT_PROTECTION The IT Environment will provide the capability to protect audit
information.
OE.AUDIT_REVIEW The IT environment will provide the capability to selectively view
audit information.
OE.CORRECT_TSF_OPERATION The IT Environment will provide the capability to test the
TSF to ensure the correct operation of the TSF at a customer’s site.
OE.CRYPTOGRAPHY The TOE shall use NIST FIPS 140-2 validated cryptographic
services provided by the IT Environment.
OE.DISPLAY_BANNER The IT Environment will display an advisory warning regarding
use of the TOE.
OE.MANAGE The IT Environment will provide all the functions and facilities
necessary to support the administrators in their management of the
security of the TOE, and restrict these functions and facilities from
unauthorized use.
OE.MEDIATE The IT Environment will protect user data in accordance with its
security policy.
OE.RESIDUAL_INFORMATION The IT Environment will ensure that any information
contained in a protected resource within its Scope of Control is not
released when the resource is reallocated.
OE.SELF_PROTECTION The IT Environment will maintain a domain for its own execution
that protects it and its resources from external interference,
tampering, or unauthorized disclosure.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 24
OE.TIME_STAMPS The IT Environment will provide reliable time stamps and the
capability for the administrator to set the time used for these time
stamps.
OE.TIME_TOE The IT Environment will provide reliable time for the TOE use.
OE.TOE_ACCESS The IT Environment will provide mechanisms that control a user’s
logical access to the TOE.
OE.TOE_PROTECTION The IT Environment will protect the TOE and TOE resources from
external interference, tampering, or unauthorized disclosure and
modification.
4.2 Non-IT Security Objectives For The Environment
The non-IT security objectives for the environment listed below are to be satisfied without
imposing technical requirements on the TOE. Thus, they will be satisfied through application of
procedural or administrative measures.
OE.Basic The TOE will be designed and implemented for a minimum attack
potential of “Basic” as validated by the vulnerability analysis.
OE.Configuration The TOE will be installed and configured properly for starting up the TOE
in a secure state.
OE.NO_EVIL Sites using the TOE will ensure that administrators are non-hostile,
appropriately trained and follow all administrator guidance.
OE.PHYSICAL The non-IT environment will provide an acceptable level of physical
security so that the TOE cannot be tampered with or be subject to side
channel attacks such as the various forms of power analysis and timing
analysis.
4.3 Security Objectives For The TOE
This section defines the IT security objectives that are to be addressed by the TOE.
4.3.1 Security Objectives for CPV - Basic Package
O.Availability The TSF shall continue to provide security services even if revocation
information is not available.
O.Correct_Temporal The TSF shall provide accurate temporal validation results.
O.Current_Certificate The TSF shall only accept certificates that are not expired as of TOI.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 25
O.Get_KeyInfo The TSF shall provide the user public key and related information in
order to carry out cryptographic functions.
O.Path_Find The TSF shall be able to find a certification path from a trust anchor to
the subscriber.
O.Trusted_Keys The TSF shall use trusted public keys in certification path validation.
O.User The TSF shall only accept certificates issued by a CA.
O.Verified_Certificate The TSF shall only accept certificates with verifiable signatures.
O.Valid_Certificate The TSF shall use certificates that are valid, i.e., not revoked.
4.3.2 Security Objectives for CPV – Basic Policy Package
O.Provide_Policy_Info The TSF shall provide certificate policies for which the
certification path is valid.
4.3.3 Security Objectives for CPV –Policy Mapping Package
O.Map_Policies The TSF shall map certificate policies in accordance with user and CA
constraints.
O.Policy_Enforce The TSF shall validate a certification path in accordance with certificate
policies acceptable to the user.
4.3.4 Security Objectives for CPV – Name Constraints Package
O.Authorised_Names The TSF shall validate a certificate only if the CA is authorized to issue a
certificate to the subject.
4.3.5 Security Objectives for PKI Signature Generation Package
O.Give_Sig_Hints The TSF shall provide hints for selecting correct certificate for signature
verification.
4.3.6 Security Objectives for PKI Signature Verification Package
O.Use_Sig_Hints The TSF shall use hints for selecting correct certificates for signature
verification.
O.Linkage_Sig_Ver The TSF shall use the correct user public key for signature verification.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 26
4.3.7 Security Objectives for Online Certificate Status Protocol (OCSP) Client Package
O.Accurate_OCSP_Info The TSF shall accept only accurate OCSP responses.
O.Auth_OCSP_Info The TSF shall accept the revocation information from an authorized
source for OCSP transactions.
O.Current_OCSP_Info The TSF accept only OCSP responses current as of TOI.
O.User_Override_Time_OCSP The TSF shall permit the user to override the time checks
on the OCSP response.
4.3.8 Security Objectives for Certificate Revocation List (CRL) Validation Package
O.Accurate_Rev_Info The TSF shall accept only accurate revocation information.
O.Auth_Rev_Info The TSF shall accept the revocation information from an authorized
source for CRL.
O.Current_Rev_Info The TSF shall accept only CRL that are current as of TOI.
O.User_Override_Time_CRLThe TSF shall permit the user to override the time checks on the
CRL.
4.3.9 Security Objectives for Audit Package
O.PKE_Audit The TSF shall audit security relevant PKE events.
4.3.9.1 Security Objectives for DBsign features
O.ACCESS The TSF shall provide the ability to restrict access to the digital signing
operations.
O.MANAGE The TSF will provide all the functions and facilities necessary to manage
and configure the security of the TOE and restrict these functions and
facilities from unauthorized use.
4.4 Security Objectives Rationale
4.4.1 Environmental Security Objectives Rationale
Table 1 maps base assumptions, OSPs, and threats to objectives, demonstrating that all
assumptions, OSPs, and threats are mapped to at least one objective. Table 2 maps base
objectives to threats, OSPs, and assumptions, demonstrating that all objectives are mapped to at
least one threat, OSP, or assumption.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 27
Table 1: Mapping the TOE Base Assumptions, Threats, and OSPs to Objectives
Assumption/OSP/Threat Objectives
A.Configuration OE.Configuration
A.Basic OE.Basic
A.NO_EVIL OE.NO_EVIL
A.PHYSICAL OE.PHYSICAL
P.ACCESS_BANNER OE.DISPLAY_BANNER
P.ACCOUNTABILITY OE.AUDIT_GENERATION
OE.TIME_STAMPS
OE.TOE_ACCESS
OE.TIME_TOE
P.CRYPTOGRAPHY OE.CRYPTOGRAPHY
T.AUDIT_COMPROMISE OE.AUDIT_PROTECTION
OE.RESIDUAL_INFORMATION
OE.SELF_PROTECTION
OE.TOE_PROTECTION
T.CHANGE_TIME OE.TIME_TOE
T.CRYPTO_COMPROMISE OE.CRYPTOGRAPHY
OE.PHYSICAL
T.MASQUERADE OE.TOE_ACCESS
T.POOR_TEST OE.CORRECT_TSF_OPERATION
T.RESIDUAL_DATA OE.RESIDUAL_INFORMATION
T.TSF_COMPROMISE OE.RESIDUAL_INFORMATION
OE.SELF_PROTECTION
OE.TOE_PROTECTION
OE.MANAGE
T.UNATTENDED_SESSION OE.TOE_ACCESS
T.UNAUTHORIZED_ACCESS OE.MEDIATE
T.UNIDENTIFIED_ACTIONS OE.AUDIT_REVIEW
OE.AUDIT_GENERATION
OE.TIME_STAMPS
OE.TIME_TOE
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 28
A.NO_EVIL states that administrators are non-hostile, appropriately trained and follow all
administrator guidance. This assumption is mapped to:
OE.NO_EVIL, which states that sites using the TOE will ensure that administrators
are non-hostile, appropriately trained and follow all administrator guidance.
A.PHYSICAL states that environment provides the TOE with appropriate physical security,
commensurate with the value of the IT assets protected by the TOE.. This assumption is mapped
to:
OE.PHYSICAL, which states that the non-IT environment will provide an
acceptable level of physical security so that the TOE cannot be tampered with or be
subject to side channel attacks such as the various forms of power analysis and timing
analysis.
A.Configuration states that the TOE will be properly installed and configured. This assumption
is mapped to:
OE.Configuration, which states that the TOE shall be installed and configured
properly for starting up the TOE in a secure state.
A.Basic states that the attack potential on the TOE is assumed to be ”Basic”. A.Basic is mapped
to:
OE.Basic, which states that the TOE will be designed for a minimum attack potential
of “Basic” as validated by the vulnerability analysis.
P.ACCESS_BANNER states that the IT Environment shall display an initial banner describing
restrictions of use, legal agreements, or any other appropriate information to which users consent
by accessing the system. This policy is mapped to:
OE.DISPLAY_BANNER which states that the IT Environment will display an
advisory warning regarding use of the TOE. OE.DISPLAY_BANNER satisfies this
policy by ensuring that the TOE displays an administrator configurable banner that
provides all interactive users with a warning about the unauthorized use of the TOE
P.ACCOUNTABILITY states that the authorized users of the TOE shall be held accountable
for their actions within the TOE. This policy is mapped to:
OE.AUDIT_GENERATION which states that the IT Environment will provide the
capability to detect and create records of security-relevant events associated with
users. OE.AUDIT_GENERATION addresses this policy by providing the
administrator with the capability of configuring the audit mechanism to record the
actions of a specific user, or review the audit trail based on the identity of the user.
Additionally, the administrator’s ID is recorded when any security relevant change is
made (e.g. access rule modification, start-stop of the audit mechanism, establishment
of a trusted channel, etc.).
OE.TIME_STAMPS which states that the IT Environment will provide reliable time
stamps and the capability for the administrator to set the time used for these time
stamps. OE.TIME_STAMPS plays a role in supporting this policy by requiring the
IT Environment to provide a reliable time stamp (configured locally by the Security
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 29
Administrator or via an external NTP server). The audit mechanism is required to
include the current date and time in each audit record. All audit records that include
the user ID, will also include the date and time that the event occurred.
OE.TIME_TOE which states that the IT Environment will provide reliable time for
the TOE use. OE.TIME_STAMPS plays a role in supporting this policy by
permitting the TOE to provide reliable time on audit records generated by the TOE.
OE.TOE_ACCESS which states that the IT Environment will provide mechanisms
that control a user’s logical access to the TOE. OE.TOE_ACCESS supports this
policy by requiring the IT Environment to identify and authenticate all authorized
users prior to allowing any TOE access or any TOE mediated access on behalf of
those users.
P.CRYPTOGRAPHY states that only NIST FIPS validated cryptography (methods and
implementations) are acceptable for key management (i.e.; generation, access, distribution,
destruction, handling, and storage of keys) and cryptographic services (i.e.; encryption,
decryption, signature, hashing, key exchange, and random number generation services). This
policy is mapped to:
OE.CRYPTOGRAPHY which states The TOE shall use NIST FIPS 140-2 validated
cryptographic services provided by the IT Environment. OE.CRYPTOGRAPHY
satisfies this policy by requiring the IT Environment to implement NIST FIPS
validated cryptographic services. These services will provide confidentiality and
integrity services as required by the IT Environment and the TOE.
T.AUDIT_COMPROMISE states that a user or process may view audit records, cause audit
records to be lost or modified, or prevent future audit records from being recorded, thus masking
a user’s action. This threat is mapped to:
OE.AUDIT_PROTECTION which states that the IT Environment will provide the
capability to protect audit information. OE.AUDIT_PROTECT contributes to
mitigating this threat by controlling access to the audit trail. Only an administrator is
allowed to read the audit trail, no one is allowed to modify audit records, the
administrator is the only one allowed to delete the audit trail, and the IT Environment
has the capability to prevent auditable actions from occurring if the audit trail is full.
OE.RESIDUAL_INFORMATION which states that the IT Environment will
ensure that any information contained in a protected resource within its Scope of
Control is not released when the resource is reallocated.
OE.RESIDUAL_INFORMATION prevents a user not authorized to read the audit
trail from access to audit information that might otherwise be persistent in a resource
(e.g., memory). By ensuring the IT Environment prevents residual information in a
resource, audit information will not become available to any user or process except
those explicitly authorized for that data.
OE.SELF_PROTECTION which states that the IT Environment will maintain a
domain for its own execution that protects it and its resources from external
interference, tampering, or unauthorized disclosure. OE.SELF_PROTECTION
contributes to countering this threat by ensuring that the IT Environment can protect
itself from users. If the IT Environment could not maintain and control its domain of
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 30
execution, it could not be trusted to control access to the resources under its control,
which includes the audit trail which are always invoked is also critical to the
migration of this threat.
OE.TOE_PROTECTION which states The IT Environment will protect the TOE
and TOE resources from external interference, tampering, or unauthorized disclosure
and modification. OE.TOE_PROTECTION contributes to countering this threat by
ensuring that the IT Environment can protect TOE. If the TOE could not be protected,
it could not be trusted to provide accurate audit information.
T.CHANGE_TIME states that an unauthorized user may change the TSF notion of time
resulting in accepting old revocation information or expired certificates. This threat is mapped to:
OE.TIME_TOE which states that the IT Environment will provide reliable time for
the TOE use. OE.TIME_TOE protects against this threat by ensuring that the IT
Environment does not permit users to change the time.
T.CRYPTO_COMPROMISE states that a user or process may cause key, data or executable
code associated with the cryptographic functionality to be inappropriately accessed (viewed,
modified, or deleted), thus compromising the cryptographic mechanisms and the data protected
by those mechanisms. This threat is mapped to:
OE.CRYPTOGRAPHY which states that the TOE shall use NIST FIPS 140-2
validated cryptographic services provided by the IT Environment.
OE.CRYPTOGRAPHY protects against this threat by ensuring that the
cryptography used is sound and has been validated.
OE.PHYSICAL which states that the non-IT environment will provide an acceptable
level of physical security so that the TOE cannot be tampered with or be subject to
side channel attacks such as the various forms of power analysis and timing analysis.
OE.PHYSICAL contributes to protection against this threat by providing physical
protection from side channel attacks protects against the attempts to compromise the
cryptographic mechanisms.
T.MASQUERADE states that a user or process may masquerade as another entity in order to
gain unauthorized access to data or TOE resources. This threat is mapped to:
OE.TOE_ACCESS which states that the IT Environment will provide mechanisms
that control a user’s logical access to the TOE. OE.TOE_ACCESS mitigates this
threat by controlling the logical access to the TOE and its resources. By constraining
how and when authorized users can access the TOE, and by mandating the type and
strength of the authentication mechanism this objective helps mitigate the possibility
of a user attempting to login and masquerade as an authorized user. In addition, this
objective provides the administrator the means to control the number of failed login
attempts a user can generate before an account is locked out, further reducing the
possibility of a user gaining unauthorized access to the TOE.
T.POOR_TEST states that lack of or insufficient tests to demonstrate that all TOE security
functions operate correctly (including in a fielded TOE) may result in incorrect TOE behavior
being undiscovered thereby causing potential security vulnerabilities. This threat is mapped to:
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 31
OE.CORRECT_TSF_OPERATION which states that the IT Environment will
provide the capability to test the TSF to ensure the correct operation of the TSF at a
customer’s site. OE.CORRECT_TSF_OPERATION ensures that once the TOE is
installed at a customer’s location, the capability exists that the integrity of the TSF
(hardware and software) can be demonstrated, and thus providing end users the
confidence that the TOE’s security policies continue to be enforced.
T.RESIDUAL_DATA states that a user or process may gain unauthorized access to data
through reallocation of TOE resources from one user or process to another. This threat is mapped
to:
OE.RESIDUAL_INFORMATION which states that the IT Environment will
ensure that any information contained in a protected resource within its Scope of
Control is not released when the resource is reallocated.
OE.RESIDUAL_INFORMATION counters this threat by ensuring that TSF data
and user data is not persistent when resources are released by one user/process and
allocated to another user/process.
T.TSF_COMPROMISE states that a user or process may cause, through an unsophisticated
attack, TSF data, security attributes, or executable code to be inappropriately accessed (viewed,
modified, or deleted). This threat is mapped to:
OE.RESIDUAL_INFORMATION which states that the IT Environment will
ensure that any information contained in a protected resource within its Scope of
Control is not released when the resource is reallocated.
OE.RESIDUAL_INFORMATION is necessary to mitigate this threat, because even
if the security mechanisms do not allow a user to explicitly view TSF data, if TSF
data were to inappropriately reside in a resource that was made available to a user,
that user would be able to inappropriately view the TSF data
OE.SELF_PROTECTION which states that the IT Environment will maintain a
domain for its own execution that protects it and its resources from external
interference, tampering, or unauthorized disclosure. OE.SELF_PROTECTION is
necessary to mitigate this threat to provide the TOE a domain for its own execution
that protects itself and its resources from external interference, tampering, or
unauthorized disclosure through its own interfaces. This feature in turn ensures that
other processes can not interfere with the IT Environment and defeat the IT
Environment mechanisms.
OE.TOE_PROTECTION which states that the IT Environment will protect the
TOE and TOE resources from external interference, tampering, or unauthorized
disclosure and modification. OE.TOE_PROTECTION is necessary to mitigate this
threat by ensuring that the IT Environment will protect the TOE. This feature ensures
that other processes can not defeat the TOE protection mechanisms.
OE.MANAGE which states that the IT Environment will provide all the functions
and facilities necessary to support the administrators in their management of the
security of the TOE, and restrict these functions and facilities from unauthorized use.
OE.MANAGE is necessary because an access control policy is not specified to
control access to TSF data and the TSF relies upon the RDBMS to protect, maintain
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 32
and store the TSF data. This objective is used to dictate who is able to view and
modify TSF data, as well as the behavior of TSF functions
T.UNATTENDED_SESSION states that a user may gain unauthorized access to an unattended
session. This threat is mapped to:
OE.TOE_ACCESS which states that the IT Environment will provide mechanisms
that control a user’s logical access to the TOE. OE.TOE_ACCESS helps to mitigate
this threat by including mechanisms that place controls on user’s sessions. User and
administrator’s sessions are locked. Locking the session reduces the opportunity of
someone gaining unauthorized access the session when the console is unattended.
T.UNAUTHORIZED_ACCESS states that a user may gain access to user data for which they
are not authorized according to the TOE security policy. This threat is mapped to:
OE.MEDIATE which states that the IT Environment will protect user data in
accordance with its security policy. OE.MEDIATE ensures that all accesses to user
data are subject to mediation, unless said data has been specifically identified as
public data. The TOE requires successful authentication prior to gaining access to any
controlled-access content. By implementing strong authentication to gain access to
these services, an attacker’s opportunity to successfully conduct a man-in-the-middle
and/or password guessing attack is greatly reduced. Lastly, the IT Environment will
ensure that all configured enforcement functions (authentication, access control rules,
etc.) must be invoked prior to allowing a user to gain access to TOE or TOE mediated
services. The IT Environment restricts the ability to modify the security attributes
associated with access control rules, access to authenticated and unauthenticated
services, etc to the Administrator. This feature ensures that no other user can modify
the information flow policy to bypass the intended TOE security policy.
T.UNIDENTIFIED_ACTIONS states that the administrator may not have the ability to notice
potential security violations, thus limiting the administrator’s ability to identify and take action
against a possible security breach. This threat is mapped to:
OE.AUDIT_REVIEW which states that the IT Environment will provide the
capability to selectively view audit information. OE.AUDIT_REVIEW helps to
mitigate this threat by providing the Administrator with a required minimum set of
configurable audit events that could indicate a potential security violation. By
configuring these auditable events, the IT Environment and TOE monitors the
occurrences of these events (e.g. set number of authentication failures, set number of
information policy flow failures, self-test failures, etc.).
OE.AUDIT_GENERATION which states that the IT Environment will provide the
capability to detect and create records of security-relevant events associated with
users. OE.AUDIT_GENERATION helps to mitigate this threat by recording actions
for later review
OE.TIME_STAMPS which states that the IT Environment will provide reliable time
stamps and the capability for the administrator to set the time used for these time
stamps. OE.TIME_STAMPS helps to mitigate this threat by ensuring that audit
records have correct timestamps.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 33
OE.TIME_TOE which states that the IT Environment will provide reliable time for
the TOE use. OE.TIME_STAMPS plays a role in supporting this policy by
permitting the TOE to provide reliable time on audit records generated by the TOE.
In Table 2, the Base Objectives are mapped back to threats and assumptions, thereby
demonstrating that every objective is mapped to a threat or assumption. Explanation of the
mapping is defined above and is not repeated following Table 2. Note, once again, these threats,
assumption, OSPs, and objectives are included in every PP in this PP family.
Table 2: Mapping the Base Objectives to Threats, Assumptions or OSPs
Objectives Assumption/OSP/Threat
OE.AUDIT_GENERATION P.ACCOUNTABILITY
T.UNIDENTIFIED_ACTIONS
OE.AUDIT_PROTECTION T.AUDIT_COMPROMISE
OE.AUDIT_REVIEW T.UNIDENTIFIED_ACTIONS
OE.Configuration A.Configuration
OE.CORRECT_TSF_OPERATION T.POOR_TEST
OE.CRYPTOGRAPHY P.CRYPTOGRAPHY
T.CRYPTO_COMPROMISE
OE.DISPLAY_BANNER P.ACCESS_BANNER
OE.Basic A.Basic
OE.MANAGE T.TSF_COMPROMISE
OE.MEDIATE T.UNAUTHORIZED_ACCESS
OE.NO_EVIL A.NO_EVIL
OE.PHYSICAL A.PHYSICAL
T.CRYPTO_COMPROMISE
OE.RESIDUAL_INFORMATION T.AUDIT_COMPROMISE
T.RESIDUAL_DATA
T.TSF_COMPROMISE
OE.SELF_PROTECTION T.AUDIT_COMPROMISE
T.TSF_COMPROMISE
OE.TIME_STAMPS P.ACCOUNTABILITY
T.UNIDENTIFIED_ACTIONS
OE.TIME_TOE P.ACCOUNTABILITY
T.CHANGE_TIME
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 34
Objectives Assumption/OSP/Threat
T.UNIDENTIFIED_ACTIONS
OE.TOE_ACCESS P.ACCOUNTABILITY
T.MASQUERADE
T.UNATTENDED_SESSION
OE.TOE_PROTECTION T.AUDIT_COMPROMISE
T.TSF_COMPROMISE
4.4.2 Security Objectives Rationale for Packages
The following subsections provide the mapping and rationale for the security objectives and
threats associated with each individual package.
4.4.2.1 Security Objectives Rationale for CPV - Basic Package
The following tables demonstrate the mapping of threats to objectives and objectives to threats
for the CPV – Basic Package. Explanatory text is provided below the tables to support the
mappings.
Table 3: Mapping of Threats to Objectives for CPV – Basic Package
Threat Objectives
T.Certificate_Modi O.Verified_Certificate
T.DOS_CPV_Basic O.Availability
T.Expired_Certificate O.Correct_Temporal
O.Current_Certificate
T.Untrusted_CA O.Trusted_Keys
T.No_Crypto O.Get_KeyInfo
T.Path_Not_Found O.Path_Find
T.Revoked_Certificate O.Valid_Certificate
T.User_CA O.User
T.Certificate_Modi states that an untrusted user may modify a certificate resulting in using a
wrong public key. This threat is mapped to:
O.Verified_Certificate, which states that the TSF shall only accept certificates with
verifiable signatures.
T.DOS_CPV_Basic states that the revocation information or access to revocation information
could be made unavailable, resulting in loss of system availability. This threat is mapped to:
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 35
O.Availability, which states that the TSF shall continue to provide security services
even if revocation information is not available.
T.Expired_Certificate states that an expired (and possibly revoked) certificate as of TOI could
be used for signature verification. This threat is mapped to:
O.Correct_Temporal, which states that the TSF shall provide accurate temporal
validation results.
O.Current_Certificate, which states that the TSF shall only accept certificates that
are not expired as of TOI.
T.Untrusted_CA states that an untrusted entity (Certification Authority (CA)) may issue
certificates to bogus entities, permitting those entities to assume identity of other legitimate
users. This threat is mapped to:
O.Trusted_Keys, which states that the TSF shall use trusted public keys in
certification path validation.
T.No_Crypto states that the user public key and related information may not be available to
carry out the cryptographic function. This threat is mapped to:
O.Get_KeyInfo, which states that the TSF shall provide the user public key and
related information in order to carry out cryptographic functions.
T.Path_Not_Found states that a valid certification path is not found due to lack of system
functionality. This threat is mapped to:
O.Path_Find, which states that the TSF shall be able to find a certification path from
a trust anchor to the subscriber.
T.Revoked_Certificate states that a revoked certificate could be used as valid, resulting in
security compromise. This threat is mapped to:
O.Valid_Certificate, which states that the TSF shall use certificates that are valid,
i.e., not revoked.
T.User_CA states that a user could act as a CA, issuing unauthorized certificates. This threat is
mapped to:
O.User, which states that the TSF shall only accept certificates issued by a CA.
Table 4 maps objectives for the CPV – Basic Package to threats, demonstrating that every
objective is mapped to a threat. The mapping is described in the text above and is not repeated
following Table 4.
Table 4: Mapping of Objectives to Threats for CPV – Basic Package
Objectives Threat
O.Availability T.DOS_CPV_Basic
O.Correct_Temporal T.Expired_Certificate
O.Current_Certificate T.Expired_Certificate
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 36
Objectives Threat
O.Get_KeyInfo T.No_Crypto
O.Path_Find T.Path_Not_Found
O.Trusted_Keys T.Untrusted_CA
O.User T.User_CA
O.Valid_Certificate T.Revoked_Certificate
O.Verified_Certificate T.Certificate_Modi
4.4.2.2 Security Objectives Rationale for CPV – Basic Policy Package
The mapping of threats to objectives for the CPV – Basic Policy package is shown in Table 5.
Text that further supports the mapping is provided following Table 5.
Table 5: Mapping of Threats to Objectives for CPV – Basic Policy Package
Threat Objectives
T.Unknown_Policies O.Provide_Policy_Info
T.Unknown_Policies states that the user may not know the policies under which a certificate
was issued. This threat is mapped to:
O.Provide_Policy_Info, which states that the TSF shall provide certificate policies
for which the certification path is valid.
Table 6 maps objectives for the CPV – Basic Policy package to threats, demonstrating that every
objective is mapped to a threat. The mapping is described in the text above and is not repeated
following Table 6.
Table 6: Mapping of Objectives to Threats for CPV – Basic Package
Objectives Threat
O.Provide_Policy_Info T.Unknown_Policies
4.4.2.3 Security Objectives Rationale for CPV –Policy Mapping Package
The mapping of threats to objectives for the CPV –Policy Mapping package is shown in Table 7.
Text that further supports the mapping is provided following Table 7.
Table 7: Mapping of Threats to Objectives for CPV –Policy Mapping Package
Threat Objectives
T.Mapping O.Map_Policies
T.Wrong_Policy_Dec O.Policy_Enforce
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 37
T.Mapping states that the user may accept unacceptable certificates or reject acceptable
certificates due to improper certificate policy mapping. This threat is addressed by:
O.Map_Policies, which states that the TSF shall map certificate policies in
accordance with user and CA constraints.
T.Wrong_Policy_Dec states that the user may accept certificates that were not generated with
the diligence and security acceptable to the user. The user may reject certificates that were
generated with the diligence and security acceptable to the user. This threat is addressed by:
O.Policy_Enforce, which states that the TSF shall validate a certification path in
accordance with certificate policies acceptable to the user.
Table 8 maps objectives for the CPV – Policy Mapping package to threats, demonstrating that
every objective is mapped to a threat. The mapping is described in the text above and is not
repeated following Table 8.
Table 8: Mapping of Objectives to Threats for CPV –Policy Mapping Package
Objectives Threat
O.Map_Policies T.Mapping
O.Policy_Enforce T.Wrong_Policy_Dec
4.4.2.4 Security Objectives Rationale for CPV – Name Constraints Package
The mapping of threats to objectives for the CPV –Name Constraints package is shown in Table
9. Text that further supports the mapping is provided following Table 9.
Table 9: Mapping of Threats to Objectives for CPV –Name Constraints Package
Threat Objectives
T.Name_Collision O.Authorised_Names
T.Name_Collision states that the user may accept certificates from CA where the CA’s
understanding and the user’s understanding of the names differ, i.e., user and CA associate
different identity with the same name. This threat is addressed by:
O.Authorised_Names, which states that the TSF shall validate a certificate only if
the CA is authorized to issue a certificate to the subject.
Table 10 maps objectives for the CPV – Name Constraints Package to threats, demonstrating that
every objective is mapped to a threat. The mapping is described in the text above and is not
repeated following Table 10.
Table 10: Mapping of Objectives to Threats for CPV – Name Constraints Package
Objectives Threat
O.Authorised_Names T.Name_Collision
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 38
4.4.2.5 Security Objectives Rationale for PKI Signature Generation Package
The mapping of threats to objectives for the PKI Signature Generation package is shown in
Table 11. Text that further supports the mapping is provided following Table 11.
Table 11: Mapping of Threats to Objectives for PKI Signature Generation Package
Threat Objectives
T.Clueless_PKI O.Give_Sig_Hints
T.Clueless_PKI_Sig states that the user may try only inappropriate certificates for PKI signature
verification because the signature does not include a hint. This threat is addressed by:
O.Give_Sig_Hints, which states that the TSF shall give hints for selecting correct
certificates or keys for PKI signature.
Table 12 maps objectives for the PKI Signature Generation package to threats, demonstrating
that every objective is mapped to a threat. The mapping is described in the text above and is not
repeated following Table 12.
Table 12: Mapping of Objectives to Threats for PKI Signature Generation Package
Objectives Threat
O.Give_Sig_Hints T.Clueless_PKI
4.4.2.6 Security Objectives Rationale for PKI Signature Verification Package
The mapping of threats to objectives for the PKI Signature Verification package is shown in
Table 13. Text that further supports the mapping is provided following Table 13.
Table 13: Mapping of Threats to Objectives for PKI Signature Verification Package
Threat Objectives
T.Assumed_Identity_PKI_Ver O.Linkage_Sig_Ver
T.Clueless_PKI_Ver O.Use_Sig_Hints
T.Assumed_Identity_PKI_Ver states that a user may assume the identity of another user for
PKI signature verification. This threat is addressed by:
O.Linkage_Sig_Ver, which states that the TSF shall use the correct user public key
for signature verification.
T.Clueless_PKI_Ver states that the user may try only inappropriate certificates for PKI
signature verification by ignoring hints in the signature. This threat is addressed by:
O.Use_Sig_Hints, which states that the TSF shall provide hints for selecting correct
certificates or keys for signature verification.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 39
Table 14 maps objectives The PKI Signature Verification package to threats, demonstrating that
every objective is mapped to a threat. The mapping is described in the text above and is not
repeated following Table 14.
Table 14: Mapping of Objectives to Threats for PKI Signature Verification Package
Objectives Threat
O.Linkage_Sig_Ver T.Assumed_Identity_PKI_Ver
O.Use_Sig_Hints T.Clueless_PKI_Ver
4.4.2.7 Security Objectives Rationale for Online Certificate Status Protocol (OCSP) Client
Package
The mapping of threats to objectives for the OCSP Client package is shown in Table 19. Text
that further supports the mapping is provided following Table 19.
Table 15: Mapping of Threats to Objectives for OCSP Client Package
Threat Objectives
T.DOS_OCSP O.User_Override_Time_OCSP
T.Right_OCSP_Info O.Current_OCSP_Info
T.Wrong_OCSP_Info O.Accurate_OCSP_Info
O.Auth_OCSP_Info
T.DOS_OSCP states that the OCSP response or access to the OCSP response could be made
unavailable, resulting in loss of system availability. This threat is mapped to:
O.User_Override_Time_OCSP, which states that the TSF shall permit the user to
override the time checks on the OCSP response.
T.Replay_OCSP_Info states that the user may accept revocation information from well before
TOI resulting in accepting revoked certificate for OCSP transactions. This threat is mapped to:
O.Current_OCSP_Info, which states that the TSF accept only OCSP responses
current as of TOI .
T.Wrong_OCSP_Info states that the user may accept a revoked certificate or reject a valid
certificate due to wrong revocation information. This threat is mapped to:
O.Accurate_OCSP_Info, which states that the TSF shall accept only accurate OCSP
responses.
O.Auth_OCSP_Info, which states that the TSF shall accept the OCSP response from
an authorized source.
Table 16 maps objectives for the OCSP Client package to threats, demonstrating that every
objective is mapped to a threat. The mapping is described in the text above and is not repeated
following Table 16.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 40
Table 16: Mapping of Objectives to Threats for OCSP Client Package
Objectives Threat
O.Accurate_OCSP_Info T.Wrong_OCSP_Info
O.Auth_OCSP_Info T.Wrong_OCSP_Info
O.Current_OCSP_Info T.Right_OCSP_Info
O.User_Override_Time_OCSP T.DOS_OCSP
4.4.2.8 Security Objectives Rationale for Certificate Revocation List (CRL) Validation
Package
The mapping of threats to objectives for the CRL Validation package is shown in Table 17. Text
that further supports the mapping is provided following Table 17.
Table 17: Mapping of Threats to Objectives for OCSP Client Package
Threat Objectives
T.DOS_CRL O.User_Override_Time_CRL
T.Replay_Revoc_Info_CRL O.Current_Rev_Info
T.Wrong_Revoc_Info_CRL O.Accurate_Rev_Info
O.Auth_Rev_Info
T.DOS_CRL states that the CRL or access to the CRL could be made unavailable, resulting in
loss of system availability. This threat is mapped to:
O.User_Override_Time_CRL, which states that the TSF shall permit the user to
override the time checks on the CRL.
T.Replay_Revoc_Info_CRL states that the user may accept a CRL issued well before TOI
resulting in accepting currently revoked certificate. This threat is mapped to:
O.Current_Rev_Info, which states that the TSF shall accept only CRL that are
current as TOI.
T.Wrong_Revoc_Info_CRL states that the user may accept a revoked certificate or reject a
valid certificate due to wrong revocation information. This threat is mapped to:
O.Accurate_Rev_Info, which states that the TSF shall accept only accurate
revocation information.
O.Auth_Rev_Info, which states that the TSF shall accept the revocation information
from an authorized source for CRL.
Table 18 maps objectives for the CRL Validation package to threats, demonstrating that every
objective is mapped to a threat. The mapping is described in the text above and is not repeated
following Table 18.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 41
Table 18: Mapping of Objectives to Threats for OCSP Client Package
Objectives Threat
O.Accurate_Rev_Info T.Wrong_Revoc_Info_CRL
O.Auth_Rev_Info T.Wrong_Revoc_Info_CRL
O.Current_Rev_Info T.Replay_Revoc_Info_CRL
O.User_Override_Time_CRL T.DOS_CRL
4.4.2.9 Security Objectives Rationale for Audit Package
The mapping of threats to objectives for the Audit package is shown in Table 19. Text that
further supports the mapping is provided following Table 19.
Table 19: Mapping of Threats to Objectives for PKI Signature Generation Package
Threat Objectives
T.PKE_Accountability O.PKE_Audit
T.PKE_Accountability states that the PKE related audit events cannot be linked to individual
actions. This threat is mapped to:
O.PKE_Audit, which states that the TSF shall audit security relevant PKE events.
This coupled with the base audit functions provided by the IT Environment mitigate
this threat.
Table 20 maps objectives for the Audit package to threats, demonstrating that every objective is
mapped to a threat. The mapping is described in the text above and is not repeated following
Table 20.
Table 20: Mapping of Objectives to Threats for PKI Signature Generation Package
Objectives Threat
O.PKE_Audit T.PKE_Accountability
4.4.2.10 Security Objectives Rationale for DBsign additional features
The mapping of threats to objectives for the additional DBsign features is shown in Table 21.
Text that further supports the mapping is provided following Table 21.
Table 21: Mapping of Threats to Objectives for DBsign additional features
Threat Objectives
T.UNAUTHORIZED_ACCESS O.ACCESS
T.TSF_COMPROMISE O.MANAGE
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 42
T.TSF_COMPROMISE states that a user or process may cause, through an unsophisticated
attack, TSF data, security attributes, or executable code to be inappropriately accessed (viewed,
modified, or deleted). This threat is mapped to:
O.MANAGE which states that the TSF will provide all the functions and facilities
necessary to manage and configure the security of the TOE, and restrict these
functions and facilities from unauthorized use. This objective is used to dictate who is
able to view and modify TSF data, as well as the behavior of TSF functions
T.UNAUTHORIZED_ACCESS states that a user may gain access to user data for which they
are not authorized according to the TOE security policy. This threat is mapped to:
O.ACCESS which states that the TSF shall provide the ability to restrict access to the
digital signing operations. O.ACCESS provides the ability to control which users can
access certificates used to digitally sign RDBMS data.
Table 22 maps objectives for the additional DBsign features to threats, demonstrating that every
objective is mapped to a threat. The mapping is described in the text above and is not repeated
following Table 22.
Table 22: Mapping of Objectives to Threats for DBsign additional features
Objectives Threat
O.ACCESS T.UNAUTHORIZED_ACCESS
O.MANAGE T.TSF_COMPROMISE
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 43
5 Extended Components Definition
This section defines the newly defined components (also known as extended components) used
to define the security requirements for this ST. The extended components used in this ST are
members of existing CC Part 2 families and are based on the existing CC Part 2 SFRs.
Extended components are denoted by their name ending with "_(EXT)" or a NIAP interpretation
tag, such as “-NIAP-0407”.
The following extended components used in this ST are defined in the PKE PP:
FAU_GEN.1-NIAP-0407:1 Audit data generation
FAU_GEN.2-NIAP-0410:1 User identity association
FAU_SEL.1-NIAP-0407 Selective audit
FAU_STG.1-NIAP-0429 Protected audit trail storage
FAU_STG.NIAP-0429-1 Protected audit trail storage
FCS_CRM_FPS_(EXT).1 FIPS compliant cryptographic module
FDP_ACF.1-NIAP-0407 Security attribute based access control – PKI Credential
Management
FMT_MSA.3-NIAP-0429 Static attribute initialization
FPT_TST_SOF_(EXT).1 TSF testing for Software only TOEs
FDP_CPD_(EXT).1 Certification path development
FDP_DAU_CPI_(EXT).1 Certification path initialization – basic
FDP_DAU_CPV_(EXT).1 Certificate processing – basic
FDP_DAU_CPV_(EXT).2 Intermediate certificate processing – basic
FDP_DAU_CPO_(EXT).1 Certification path output – basic
FDP_DAU_CPI_(EXT).2 Certification path initialization – basic policy
FDP_DAU_CPO_(EXT).2 Certification path output – basic policy
FDP_DAU_CPI_(EXT).3 Certification path initialization –policy mapping
FDP_DAU_CPV_(EXT).3 Intermediate certificate processing – policy mapping
FDP_DAU_CPO_(EXT).3 Certification path output – policy mapping
FDP_DAU_CPI_(EXT).4 Certification path initialization –names
FDP_DAU_CPV_(EXT).4 Certificate processing – name constraints
FDP_DAU_CPV_(EXT).5 Intermediate certificate processing – name constraints
FDP_ETC_SIG_(EXT).1 Export of PKI Signature
FDP_ITC_SIG_(EXT).1 Import of PKI Signature
FDP_DAU_SIG_(EXT).1 Signature Blob Verification
FDP_DAU_OCS_(EXT).1 Basic OCSP Client
FDP_DAU_CRL_(EXT).1 Basic CRL Checking
FAU_GEN.1-NIAP-0407:2 Audit data generation - TOE
FAU_GEN.2-NIAP-0410:2 User identity association - TOE
5.1 FIA Identification and Authentication
The FIA class is extended to include 2 additional components.
The FIA class addresses the requirements to verify a claimed user identity. The extended
components defined in this section require the TOE to ensure that claimed user identities are
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 44
verified by the IT environment.
5.1.1 FIA_UAU_ENV_(EXT).1 Timing of authentication with a third party
FIA_UAU_ENV_(EXT).1 is a member of the FIA_UAU family. This extended requirement is
necessary since a CC Part 2 SFR does not exist that allows for the authentication to be performed
by the IT environment, but required by the TOE. This extended SFR is based on CC Part 2
FIA_UAU.1.
Management: FIA_UAU_ENV_(EXT).1
The following actions could be considered for the management functions in FMT:
Managing the list of actions that can be taken before the user is authenticated.
Audit: FIA_UAU_ENV_(EXT).1
The following actions should be auditable if FAU_GEN Security audit data generation is
included in the PP/ST:
Minimal: Unsuccessful use of the authentication mechanism;
Basic: All use of the authentication mechanism;
Detailed: All TSF mediated actions performed before authentication of the user.
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification or
FIA_UID_ENV_(EXT).1 Time of identification with a third party.
FIA_UAU_ENV_(EXT).1.1 The TSF shall allow [assignment: list of TSF mediated actions] on
behalf of the user to be performed before the user is authenticated by the
IT environment.
FIA_UAU_ENV_(EXT).1.2 The TSF shall require each user to be successfully authenticated by
the IT environment before allowing any other TSF-mediated actions on
behalf of that user.
5.1.2 FIA_UID_TRD.1 Timing of identification with a third party
FIA_UID_ENV_(EXT).1 is a member of the FIA_UID family. This extended requirement is
necessary since a CC Part 2 SFR does not exist that allows for the identification to be performed
by the IT environment, but required by the TOE. This extended SFR is based on CC Part 2
FIA_UID.1.
Management: FIA_UID_ENV_(EXT).1
The following actions could be considered for the management functions in FMT:
If an authorized administrator can change the actions allowed before identification, the
managing of the action lists.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 45
Audit: FIA_UID_ENV_(EXT).1
The following actions should be auditable if FAU_GEN Security audit data generation is
included in the PP/ST:
Minimal: Unsuccessful use of the user identification mechanism, including the user identity
provided;
Basic: All use of the user identification mechanism, including the user identity provided.
Hierarchical to: No other components.
Dependencies: None
FIA_UID_ENV_(EXT).1.1 The TSF shall allow [assignment: list of TSF mediated actions] on
behalf of the user to be performed before the user is identified by the IT
environment.
FIA_UID_ENV_(EXT).1.2 The TSF shall require each user to be successfully identified by the
IT environment before allowing any other TSF-mediated actions on behalf
of that user.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 46
6 Security Requirements
The security requirements that are levied on the TOE are specified in this section of the ST.
6.1 Conventions
The CC defines four operations on security functional requirements. The conventions below
define the conventions used in this ST to identify the operations completed in the PP and the
operations completed in this ST by the ST author. All operations completed in the PP are
surrounded by square brackets ([operation]). When NIAP Interpretations are included in
requirements, the additions from the interpretations are displayed as refinements.
Assignment made in PP: [indicated with bold text]
Selection made in PP: [indicated with underlined text]
Refinement made in PP: [additions indicated with bold text and italics]
[deletions indicated with strike-through bold text and italics]
Iteration made in PP: [indicated with typical CC requirement naming followed by a
colon and number for each iteration (e.g., FMT_MSA.1:1)]
Assignment made in ST: indicated with bold text
Selection made in ST: indicated with underlined text
Refinement made in ST: additions indicated with bold text and italics
deletions indicated with strike-through bold text and italics
Iteration made in ST: indicated with typical CC requirement naming followed by a colon
and number for each iteration (e.g., FMT_MSA.1:1)
6.2 IT Environment Security Functional Requirements
All IT environment security functional requirements included in this ST are listed in the
following table. Extended SFRs are identified as “Part 2 extended” and their name ends with
"_(EXT)" or a NIAP interpretation tag, such as “-NIAP-0407”.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 47
SFR Ttile Part 2 or Extended
FAU_GEN.1-NIAP-0407:1 Audit data generation Part 2 Extended
FAU_GEN.2-NIAP-0410:1 User identity association Part 2 Extended
FAU_SAR.1 Audit review Part 2
FAU_SAR.2 Restricted audit review Part 2
FAU_SAR.3 Selectable audit review Part 2
FAU_SEL.1-NIAP-0407 Selective audit Part 2 Extended
FAU_STG.1-NIAP-0429 Protected audit trail storage Part 2 Extended
FAU_STG.NIAP-0429-1 Protected audit trail storage Part 2 Extended
FCS_CRM_FPS_(EXT).1 FIPS compliant cryptographic module Part 2 Extended
FDP_ACC.1:1 Subset access control – PKI Credential
Management
Part 2
FDP_ACF.1-NIAP-0407 Security attribute based access control – PKI
Credential Management
Part 2 Extended
FDP_RIP.2 Full residual information protection Part 2
FIA_AFL.1 Authentication failure handling Part 2
FIA_ATD.1 User attribute definition Part 2
FIA_UAU.2 User authentication before any action Part 2
FIA_UAU.7 Protected authentication feedback Part 2
FIA_UID.2 User identification before any action Part 2
FIA_USB.1 User-subject binding Part 2
FMT_MOF.1:1 Management of security function behavior – IT
Environment
Part 2
FMT_MSA.1:1 Management of security attributes – IT
Environment
Part 2
FMT_MSA.3-NIAP-0429 Static attribute initialization Part 2 Extended
FMT_MTD.1:1 Management of TSF data – I&A Data Part 2
FMT_MTD.1:2 Management of TSF data – Authentication Data Part 2
FMT_MTD.1:3 Management of TSF data – I&A Attempts Part 2
FMT_MTD.1:4 Management of TSF data – Trust Anchors Part 2
FMT_MTD.1:5 Management of TSF data – Time Part 2
FMT_SMF.1:1 Specification of management functions – IT
Environment
Part 2
FMT_SMR.1 Security roles Part 2
FPT_STM.1 Reliable time stamps Part 2
FPT_TST_SOF_(EXT).1 TSF testing for Software only TOEs Part 2 Extended
FTA_SSL.1 TSF-initiated session locking Part 2
FTA_SSL.2 User-initiated locking Part 2
FTA_TAB.1 Default TOE access banners Part 2
Table 23: IT Environment Security Functional Requirements
6.2.1 Security Audit (FAU)
6.2.1.1 FAU_GEN.1-NIAP-0407:1 Audit Data Generation
FAU_GEN.1.1-NIAP-0407:;1 The [IT Environment] shall able to generate an audit record of the
following auditable events:
a) Start-up and shutdown of the audit functions;
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 48
b) All auditable events listed in Table 24; and
c) no additional events.
FAU_GEN.1.2-NIAP-0407:;1 The [IT Environment] shall record within each audit record at least the
following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the
outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, information specified in column three
of Table 24 below.
Requirement Auditable Events Additional Audit Record Contents
FAU_GEN.1-NIAP-0407:1 None
FAU_GEN.2-NIAP-0410:1 None
FAU_SAR.1 Opening the audit trail The identity of the Audit
Administrator performing the
function
FAU_SAR.2 Unsuccessful attempts to read
information from the audit
records
The identity of the administrator
performing the function
FAU_SAR.3 None
FAU_SEL.1-NIAP-0407 All modifications to the audit
configuration that occur while the
audit collection functions are
operating
The identity of the Security
Administrator performing the
function
FAU_STG.1-NIAP-0429 None
FAU_STG.NIAP-0429 None
FCS_CRM_FPS_(EXT).1 None
FDP_ACC.1:1 None
FDP_ACF.1-NIAP-0407 All requests to perform an
operation on an object covered by
the SFP
Object identity
FDP_RIP.2 None
FIA_AFL.1 Reaching of the threshold for the
unsuccessful authentication
attempts
FIA_ATD.1 None
FIA_UAU.2 All use of authentication
mechanism
FIA_UAU.7 None
FIA_UID.2 All use of identification
mechanism
User identity
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 49
Requirement Auditable Events Additional Audit Record Contents
FIA_USB.1 Success and failure of binding of
user security attributes to a
subject (e.g. success and failure to
create a subject).
FMT_SMF.1:1 Use of management function Management function
FMT_SMR.1 Modifications to the group of
users that are part of a role
FPT_STM.1 Change to the time
FTA_TAB.1 None
Table 24: IT Environment Auditable Events
6.2.1.2 FAU_GEN.2-NIAP-0410:1 User identity association
FAU_GEN.2.1-NIAP-0410;1 For audit events resulting from actions of identified users, the [IT
Environment] shall able to associate each auditable event with the identity of the
user that caused the event.
6.2.1.3 FAU_SAR.1 Audit Review
FAU_SAR.1.1 The [IT Environment] shall provide [the administrator] with the capability to read
[all audit information] from the audit records.
FAU_SAR.1.2 The [IT Environment] shall provide the audit records in a manner suitable for the
user to interpret the information.
6.2.1.4 FAU_SAR.2 Restricted Audit Review
FAU_SAR.2.1 The [IT Environment] shall prohibit all users read access to the audit records, except
those users that have been granted explicit read-access.
6.2.1.5 FAU_SAR.3 Selectable Audit Review
FAU_SAR.3.1 The [IT Environment] shall provide the ability to perform [searches and sorting]
and no other operation of audit data based on [date, time, user identity and]
category, event identifier, computer, success of auditable security events, and
failure of security events.
6.2.1.6 FAU_SEL.1-NIAP-0407 Selective Audit
FAU_SEL.1.1-NIAP-0407 The [IT Environment] shall [allow only the administrator] to include or
exclude auditable events from the set of all auditable events based on the following
attributes:
a) User identity;
b) Event type;
c) Object identity, host identity
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 50
d) Success of auditable security events;
e) Failure of auditable security events; and
f) No additional criteria
6.2.1.7 FAU_STG.1-NIAP-0429 Protected Audit Trail Storage
FAU_STG.1.1-NIAP-0429 The [IT Environment] shall [restrict the deletion of] stored audit records
in the audit trail [to the administrator].
FAU_STG.1.2-NIAP-0429 The [IT Environment] shall be able to [prevent] modifications to the
audit records in the audit trail.
6.2.1.8 FAU_STG.NIAP-0429-1 Site-configurable Prevention of audit data loss
FAU_STG.NIAP-0429-1.1 The [IT Environment] shall provide an authorized administrator with the
capability to select one or more of the following actions [prevent auditable events
except those taken by the authorized user with special rights, overwrite the oldest
stored audit records] and no additional options to be taken if the audit trail is full.
FAU_STG.NIAP-0429-1.2 The [IT Environment] shall prevent auditable events except those taken
by the authorized user with special rights and no other action if the audit trail is full
and no other action has been selected.
6.2.2 Cryptographic Operations (FCS)
6.2.2.1 FCS_CRM_FPS_(EXT).1 FIPS compliant cryptographic module
FCS_CRM_FPS_(EXT).1.1 The IT environment shall provide all cryptographic modules necessary
for the TSF.
FCS_CRM_FPS_(EXT).1.2 Each cryptographic module shall be FIPS 140 series Level 1 validated.
6.2.3 User Data Protection (FDP)
6.2.3.1 FDP_ACC.1:1 Subset access control – PKI Credential Management
FDP_ACC.1.1;1 The [IT Environment] shall enforce the [PKI credential management SFP] on
Subjects: User
Objects: [cryptographic key, public key certificate], no additional objects
Operations: Import, export, and delete public key certificate, no additional
operations.
6.2.3.2 FDP_ACF.1-NIAP-0407 Security attribute based access control – PKI Credential
Management
FDP_ACF.1.1-NIAP-0407 The [IT Environment] shall enforce the [PKI credential management
SFP] to objects based on the following: list of subjects: [all subjects]; list of
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 51
objects:[cryptographic keys and public key certificate]; list of subject and object
attributes: [identity of subject and the set of roles that the subject is authorized to
assume] key access rights.
FDP_ACF.1.2-NIAP-0407 The [IT Environment] shall enforce the following rules to determine if
an operation among controlled subjects and controlled objects is allowed public key
certificates may be imported, exported, deleted by owner.
FDP_ACF.1.3-NIAP-0407 The [IT Environment] shall explicitly authorize access of subjects to
objects based on the following additional rules: no other rules.
FDP_ACF.1.4-NIAP-0407 The [IT Environment] shall explicitly deny access of subjects to objects
based on the following additional rules: no other rules.
6.2.3.3 FDP_RIP.2 Full residual information protection
FDP_RIP.2 The [IT Environment] shall ensure that any previous information content of a
resource is made unavailable upon the allocation of the resource to all objects.
6.2.4 Identification and Authentication (FIA)
6.2.4.1 FIA_AFL.1 Authentication failure handling
FIA_AFL.1.1 The [IT Environment] shall detect when [an administrator configurable positive
integer within] the range of 3 to 10 unsuccessful authentication attempts occur
related to user authentication.
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met or
surpassed], the [IT Environment] shall [prevent all entities requesting
authentication other than the administrator from performing activities that
require authentication until an action is taken by the administrator].
6.2.4.2 FIA_ATD.1 User Attribute Definition
FIA_ATD.1.1 The [IT Environment] shall maintain the following list of security attributes
belonging to individual users: [user ID, role].
6.2.4.3 FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The [IT Environment] shall require each user to be successfully authenticated before
allowing any other [IT Environment] mediated actions on behalf of that user.
6.2.4.4 FIA_UAU.7 Protected authentication feedback
FIA_UAU.7.1 The [IT Environment] shall provide only obscured feedback to the user while the
authentication is in progress.
6.2.4.5 FIA_UID.2 User identification before any action
FIA_UID.2.1 The [IT Environment] shall require each user to be successfully identified before
allowing any other [IT Environment]-mediated actions on behalf of that user.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 52
6.2.4.6 FIA_USB.1 User-subject binding
FIA_USB.1.1 The [IT Environment] shall associate the following user security attributes with
subjects acting on behalf of that user: [all user security attributes].
FIA_USB.1.2 The [IT Environment] shall enforce the following rules on the initial association of
user security attributes with subjects acting on the behalf of users: [none].
FIA_USB.1.3 The [IT Environment] shall enforce the following rules governing changes to the
user security attributes associated with subjects acting on the behalf of users: [none].
6.2.5 FMT Security Management
6.2.5.1 FMT_MOF.1:1 Management of security functions behaviour – IT Environment
FMT_MOF.1.1;1 The [IT Environment] shall restrict the ability to disable, enable the functions
[audit,] and no other functions to [the administrator].
6.2.5.2 FMT_MSA.1:1 Management of security attributes – IT Environment
FMT_MSA.1.1;1 The [IT Environment] shall enforce the [PKI credential management SFP] to
restrict the ability to query, modify, delete the security attributes user role, key
identifier, association between private key and public key certificate to user.
6.2.5.3 FMT_MSA.3-NIAP-0429 Static attributes initialization
FMT_MSA.3.1-NIAP-0429 The [IT Environment] shall enforce the [PKI credential management
SFP] to provide [specific] default values for security attributes for security attributes
that are used to enforce the SFP.
FMT_MSA.3.2-NIAP-0429 The [IT Environment] shall allow the administrator to specify
alternative initial values to override the default values when an object or information
is created.
6.2.5.4 FMT_MTD.1:1 Management of TSF data – I&A Data
FMT_MTD.1.1;1 The [IT Environment] shall restrict the ability to [initialize and modify] the
[identification data and authentication data] to administrator.
6.2.5.5 FMT_MTD.1:2 Management of TSF data – Authentication Data
FMT_MTD.1.1;2 The [IT Environment] shall restrict the ability to [modify] the [authentication data]
to administrator and the user owning the account.
6.2.5.6 FMT_MTD.1:3 Management of TSF data – I&A Attempts
FMT_MTD.1.1;3 The [IT Environment] shall restrict the ability to [initialize and modify] the
[number of unsuccessful authentication attempts] to administrator.
6.2.5.7 FMT_MTD.1:4 Management of TSF data – Trust Anchors
FMT_MTD.1.1;4 The [IT Environment] shall restrict the ability to [add and delete] the [trust
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 53
anchors] to administrator.
6.2.5.8 FMT_MTD.1:5 Management of TSF data – Time
FMT_MTD.1.1;5 The [IT Environment] shall restrict the ability to [initialize and modify] the [system
time] to administrator.
6.2.5.9 FMT_SMF.1:1 Specification of management functions – IT Environment
FMT_SMF.1.1;1 The [IT Environment] shall be capable of performing the following
management functions: [audit management, user identity management,
trust anchor management, system time management], no additional
security management functions.
6.2.5.10 FMT_SMR.1 Security roles
FMT_SMR.1.1 The [IT Environment] shall maintain the roles [user, administrator],
DBsign administrator.
FMT_SMR.1.2 The [IT Environment] shall be able to associate users with roles.
6.2.6 Protection of TSF (FPT)
6.2.6.1 FPT_STM.1 Security roles
FPT_STM.1.1 The [IT Environment] shall be able to provide reliable time stamps for its
own and TSF use.
6.2.6.2 FPT_TST_SOF_(EXT).1 Security roles
FPT_TST_SOF_(EXT).1.1 The [IT Environment] shall provide administrator with the
capability to verify the integrity of the following TSF data: none.
FPT_TST_SOF_(EXT).1.2 The [IT Environment] shall provide administrator with the
capability to verify the integrity of stored TSF executable code.
6.2.7 TOE Access (FTA)
6.2.7.1 FTA_SSL.1 TSF-initiated session locking
FTA_SSL.1.1 The [IT Environment] shall lock an interactive session after an
administrator configurable specified time interval of user inactivity
by:
a) clearing or overwriting display devices, making the current contents
unreadable;
b) disabling any activity of the user’s data access/display devices other
than unlocking the session.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 54
FTA_SSL.1.2 The [IT Environment] shall require the following events to occur prior to
unlocking the session: [authentication by the user].
6.2.7.2 FTA_SSL.2 User-initiated locking
FTA_SSL.2.1 The [IT Environment] shall allow user-initiated locking of the user’s own
interactive session, by:
c) clearing or overwriting display devices, making the current contents
unreadable;
d) disabling any activity of the user’s data access/display devices other
than unlocking the session.
FTA_SSL.2.2 The [IT Environment] shall require the following events to occur prior to
unlocking the session: [authentication by the user].
6.2.7.3 FTA_TAB.1 Default TOE access banners
FTA_TAB.1.1 Before establishing a user session, the [IT Environment] shall display an
advisory warning message regarding unauthorized use of the [System].
6.3 TOE Security Functional Requirements
All TOE security functional requirements included in this ST are listed in the following table.
Extended SFRs are identified as “Part 2 extended” and their name ends with "_(EXT)" or a
NIAP interpretation tag, such as “-NIAP-0407”.
PP Package
Name
SFR Title Part 2 or Extended
CPV – Basic FDP_CPD_(EXT).1 Certification path development Part 2 Extended
FDP_DAU_CPI_(EXT).1 Certification path initialization –
basic
Part 2 Extended
FDP_DAU_CPV_(EXT).1 Certificate processing – basic Part 2 Extended
FDP_DAU_CPV_(EXT).2 Intermediate certificate
processing – basic
Part 2 Extended
FDP_DAU_CPO_(EXT).1 Certification path output – basic Part 2 Extended
CPV – Basic
Policy
FDP_DAU_CPI_(EXT).2 Certification path initialization –
basic policy
Part 2 Extended
FDP_DAU_CPO_(EXT).2 Certification path output – basic
policy
Part 2 Extended
CPV – Policy
Mapping
FDP_DAU_CPI_(EXT).3 Certification path initialization –
policy mapping
Part 2 Extended
FDP_DAU_CPV_(EXT).3 Intermediate certificate
processing – policy mapping
Part 2 Extended
FDP_DAU_CPO_(EXT).3 Certification path output – policy
mapping
Part 2 Extended
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 55
PP Package
Name
SFR Title Part 2 or Extended
CPV – Name
Constraints
FDP_DAU_CPI_(EXT).4 Certification path initialization –
names
Part 2 Extended
FDP_DAU_CPV_(EXT).4 Certificate processing – name
constraints
Part 2 Extended
FDP_DAU_CPV_(EXT).5 Intermediate certificate
processing – name constraints
Part 2 Extended
PKI Signature
Generation
FDP_ETC_SIG_(EXT).1 Export of PKI Signature Part 2 Extended
PKI Signature
Verification
FDP_ITC_SIG_(EXT).1 Import of PKI Signature Part 2 Extended
FDP_DAU_SIG_(EXT).1 Signature Blob Verification Part 2 Extended
OCSP Client FDP_DAU_OCS_(EXT).1 Basic OCSP Client Part 2 Extended
CRL Validation FDP_DAU_CRL_(EXT).1 Basic CRL Checking Part 2 Extended
Audit FAU_GEN.1-NIAP-0407:2 Audit data generation - TOE Part 2 Extended
FAU_GEN.2-NIAP-0410:2 User identity association - TOE Part 2 Extended
DBsign
Features
FDP_ACC.1:2 Subset access control Part 2
FDP_ACF.1 Security attribute based access
control
Part 2
FIA_UAU_ENV_(EXT).1 Timing of authentication with a
third party
Part 2 Extended
FIA_UID_ENV_(EXT).1 Timing of identification with a
third party
Part 2 Extended
FMT_MOF.1:2 Management of security function
behavior - TOE
Part 2
FMT_MSA.1:2 Management of security
attributes – User Policy
Part 2
FMT_MSA.3 Static attribute initialization Part 2
FMT_SMF.1:2 Specification of management
functions – IT Environment
Part 2
Table 25: Security Functional Requirements
6.3.1 Certification Path Validation – Basic Package
6.3.1.1 FDP_CPD_(EXT).1 Certification path development
FDP_CPD_(EXT).1.1 The TSF shall develop a certification path from the subscriber to from a trust
anchor provided by [administrator] to the subscriber using matching rules for the
following subscriber certificate fields or extensions:
a) distinguished name.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 56
FDP_CPD_(EXT).1.2 The TSF shall develop the certification path using the following additional
matching rule:
a) none..
FDP_CPD_(EXT).1.3 The TSF shall develop the certification path using the following additional
matching rule:
a) none.
FDP_CPD_(EXT).1.4 The TSF shall bypass any matching rules except none if additional certification
paths are required.
6.3.1.2 FDP_DAU_CPI_(EXT).1 Certification path initialization - basic
FDP_DAU_CPI_(EXT).1.1 The TSF shall use the trust anchor provided by administrator.
FDP_DAU_CPI_(EXT).1.2 The TSF shall obtain the time of interest called “TOI” from a reliable
source local environment.
FDP_DAU_CPI_(EXT).1.3 The TSF shall perform the following checks on the trust anchor
a) none.
FDP_DAU_CPI_(EXT).1.4 The TSF shall derive from the trust anchor:
a) subject distinguished name,
b) subject public key,
c) subject public key algorithm object identifier,
d) subject public key parameters.
6.3.1.3 FDP_CPV_(EXT).1 Certificate processing - basic
FDP_DAU_CPV_(EXT).1.1 The TSF shall reject a certificate if any of the following checks fails:
a) Use parent-public-key, parent-public-key-algorithm-identifier, and parent-public-
key-parameters to verify the signature on the certificate;
b) notBefore field in the trust anchor <= TOI;
c) notAfter field in the trust anchor => TOI;
d) issuer field in the certificate = parent-DN; or
e) TSF is able to process all extensions marked critical.
FDP_DAU_CPV_(EXT).1.2 The TSF shall bypass the revocation status check if the certificate
contains no-check extension.
FDP_DAU_CPV_(EXT).1.3 The TSF shall bypass the revocation status check if the revocation
information is not available and administrator overrides revocation checking.
ST Application Note: DBsign provides the ability for the administrator to enable or disable revocation
checking. If revocation checking is disabled, DBsign does not check for revocation
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 57
information. If revocation checking is enabled and no revocation information is
available, DBsign returns an error indicating that the revocation status is unknown.
FDP_DAU_CPV_(EXT).1.4 The TSF shall reject a certificate if the revocation status using CRL or
OCSP demonstrates that the certificate is revoked.
ST Application Note: DBsign supports both CRL and OCSP revocation checking. If one succeeds, the
other is not performed.
FDP_DAU_CPV_(EXT).1.5 The TSF shall update the public key parameters state machine using the
following rules:
a) Obtain the parameters from the subjectPublickeyInfo filed of certificate if the
parameters are presnt in the field; else
b) Retain the old parameters state if the subject public key algorithm of current
certificate and parent public key algorithm of current certificate below to the
same family of algorithms; else
c) Set parameters = “null”.
6.3.1.4 FDP_DAU_CPV_(EXT).2 Intermediate certificate processing - basic
FDP_DAU_CPV_(EXT).2.1 The TSF shall reject an intermediate certificate if any of the following
additional checks fails:
a) basicConstraints field is present with cA=TRUE;
b) pathLenConstraint is not violated; or
c) if a critical keyUsage extension is present, ,keyCertSign bit is set.
6.3.1.5 FDP_DAU_CPO_(EXT).1 Certification path output- basic
FDP_DAU_CPO_(EXT).1.1 The TSF shall output provide for use internally certification path
validation failure if any certificate in the certification path is rejected.
FDP_DAU_CPO_(EXT).1.2 The TSF shall output provide for use internally the following variables
from the end certificate: subject DN, subject public key algorithm identifier, subject
public key, critical keyUsage extension
FDP_DAU_CPO_(EXT).1.3 The TSF shall output provide for use internally the following additional
variables from the end certificate certificate.
FDP_DAU_CPO_(EXT).1.4 The TSF shall output provide for use internally the subject public key
parameters from the certification path parameter state machine.
6.3.2 Certification Path Validation – Basic Policy Package
6.3.2.1 FDP_DAU_CPI_(EXT).2 Certification path initialization – basic policy
FDP_DAU_CPI_(EXT).2.1 The TSF shall use the initial-certificate-policies provided by application
developer.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 58
6.3.2.2 FDP_DAU_CPO_(EXT).2 Certification path output – basic policy
FDP_DAU_CPO_(EXT).2.1 The TSF shall output provide for use internally the certificate policies
using the following rule: intersection of certificatePolicies extensions in all the
certificates in certification path and initial-certificate-policies.
6.3.3 Certification Path Validation –Policy Mapping Package
6.3.3.1 FDP_DAU_CPI_(EXT).3 Certification path initialization –policy mapping
FDP_DAU_CPI_(EXT).3.1 The TSF shall use the explicit-policy-indicator, policy-mapping-inhibit-
indicator, inhibit-any-policy-indicator provided by application developer.
6.3.3.2 FDP_DAU_CPV_(EXT).3 Intermediate certificate processing - policy mapping
FDP_DAU_CPV_(EXT).3.1 The TSF shall use the intermediate certificate to update the following
state variables in accordance with X.509 Standard::
a) explicit-policy-indicator;
b) policy-mapping-inhibit-indicator
c) inhibit-any-policy-indicator.
6.3.3.3 FDP_DAU_CPO_(EXT).3 Certification path output – policy mapping
FDP_DAU_CPO_(EXT).3.1 The TSF shall perform policy processing in accordance with X.509
standard.
FDP_DAU_CPO_(EXT).3.2 The TSF shall map policies in the calculation of the policies intersection
if and only if policy-mapping-inhibit-indicator is not set.
FDP_DAU_CPO_(EXT).3.3 During the calculation of the policy intersection, the TSF shall match
any-policy to all policies if and only if inhibit-any-policy-indicator is not set.
FDP_DAU_CPO_(EXT)3.4 The TSF shall output provide for use internally certification path failure
if the intersection of certificatePolicies (as modified by policy mapping and inhibit-
any-policy) is null and explicit-policy-indicator is set.
FDP_DAU_CPO_(EXT).3.5 The TSF shall output provide for use internally certification path failure
if the intersection of certificatePolicies (as modified by policy mapping and inhibit-
any-policy) and initial-certificate-policies is null and explicit-policy-indicator is set.
FDP_DAU_CPO_(EXT).3.6 The TSF shall output provide for use internally policy mapping history.
FDP_DAU_CPO_(EXT).3.7 The TSF shall output provide for use internally policy qualifiers
applicable to output policies.
6.3.4 Certification Path Validation –Name Constraints Package
6.3.4.1 FDP_DAU_CPI_(EXT).4 Certification path initialization –names
FDP_DAU_CPI_(EXT).4.1 The TSF shall initialize the following: permitted-subtrees = ∞, excluded-
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 59
subtrees = Ø.
6.3.4.2 FDP_DAU_CPV_(EXT).4 Certificate processing – name constraints
FDP_DAU_CPV_(EXT).4.1 The TSF shall reject a certificate if any one of the following is not
satisfied:
a) subject DN is in at least one of the permitted-subtrees for DN;
b) subject DN is in none of the excluded-subtrees for DN;
c) each hierarchical name form of type DN, RFC-822, URL in the
subjectAlternateName field is in at least one of the permitted-subtrees for
that name form; or
d) each hierarchical name from of type DN, RFC-822, URL in the
subjectAlternateName field is in none of the excluded-subtrees for that name
form.
6.3.4.3 FDP_DAU_CPV_(EXT).5 Intermediate Certificate processing – name constraints
FDP_DAU_CPV_(EXT).5.1 The TSF shall use the intermediate certificate to update the following
states:
a) permitted-subtrees
b) excluded-subtrees.
6.3.5 PKI Signature Generation Package
6.3.5.1 FDP_ETC_SIG_(EXT).1 Export of PKI Signature
FDP_ETC_SIG_(EXT).1.1 The TSF shall invoke the cryptographic module with the user selected
private key to generate digital signature.
FDP_ETC_SIG_(EXT).1.2 The TSF shall include the following information with the digital
signature hashing algorithm, signature algorithm, signing time, and if configured by
the administrator signer public key certificate, certificate chain, signed data.
6.3.6 PKI Signature Verfication Package
6.3.6.1 FDP_ITC_SIG_(EXT).1 Import of PKI Signature
FDP_ITC_SIG_(EXT).1.1 The TSF shall use the following information from the signed data
hashing algorithm, signature algorithm, signing time, and if so configured by the
administrator signer public key certificate, certificate chain, signed data during
signature verification.
6.3.6.2 FDP_DAU_SIG_(EXT).1 Export of PKI Signature
FDP_DAU_SIG_(EXT).1.1 The TSF shall invoke the cryptographic module with the following
information from Certification Path Validation to verify digital signature on signed
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 60
data: subject public key algorithm, subject public key, subject public key parameters.
FDP_DAU_SIG_(EXT).1.2 The TSF shall verify that the KeyUsage extension output from the
Certification Path Validation has the nonRepudiation or digital signature.
FDP_DAU_SIG_(EXT).1.3 The TSF shall apply the following additional checks revocation
checking.
6.3.7 Online Certificate Status Protocol Client Package
6.3.7.1 FDP_DAU_OCS_(EXT).1 Basic OCSP Client
FDP_DAU_OCS_(EXT).1.1 The TSF shall formulate the OCSP requests in accordance with PKIX
RFC 2560.
FDP_DAU_OCS_(EXT).1.2 The OCSP request shall contain the following extensions: none unless
nonces are enabled by the administrator, then nonce.
FDP_DAU_OCS_(EXT).1.3 The TSF shall obtain the public key, algorithm, and public key
parameters of the OCSP Responder from OCSP responder certificate..
FDP_DAU_OCS_(EXT).1.4 The TSF shall perform the following additional function establish trust in
OCSP responder certificate using certification path validation – basic policy,
certification path validation – policy mapping, certification path validation – name
constraint.
FDP_DAU_OCS_(EXT).1.5 The TSF shall invoke the cryptographic module to verify signature on
the OCSP response using trusted public key, algorithm, and public key parameters of
the OCSP responder.
FDP_DAU_OCS_(EXT).1.6 The TSF shall verify that if the OCSP responder certificate contains
extendedKeyUsage extension, the extension contains the PKIX OID for ocsp-signing
or the anyExtendedKeyUsage OID.
FDP_DAU_OCS_(EXT).1.7 The TSF shall match the responderID in the OCSP response with the
corresponding information in the responder certificate
FDP_DAU_OCS_(EXT).1.8 The TSF shall match the certID in a request with certID in
singleResponse.
FDP_DAU_OCS_(EXT).1.9 The TSF shall reject the OCSP response for an entry if all of the
following are true:
a) time checks are not overridden;
b) TOI > producedAt + x where x is provided by administrator;
c) TOI > thisUpdate for entry + x where x is provided by administrator; and
d) TOI > nextUpdate for entry + x if nextUpdate is present and where x is provided
by administrator.
FDP_DAU_OCS_(EXT).1.10 The TSF shall permit none to override time checks.
FDP_DAU_OCS_(EXT).1.11 The TSF shall reject OCSP response if the response contains “critical”
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 61
extension(s) that TSF does not process.
FDP_DAU_OCS_(EXT).1.12 The TSF shall perform the following additional checks none unless
nonces are enabled by the administrator, then request nonce = response nonce.
6.3.8 Certificate Revocation List (CRL) Validation Package
6.3.8.1 FDP_DAU_CRL_(EXT).1 Basic CRL Checking
FDP_DAU_CRL_(EXT).1.1 The TSF shall obtain the CRL from local cache, location pointed to by
the CRL DP in public key certificate of interest.
FDP_DAU_CRL_(EXT).1.2 The TSF shall obtain the trusted public key, algorithm, and public key
parameters of the CRL issuer.
FDP_DAU_CRL_(EXT).1.3 The TSF shall invoke the cryptographic module to verify signature on
the CRL using trusted public key, algorithm, and public key parameters of the CRL
issuer.
FDP_DAU_CRL_(EXT).1.4 The TSF shall verify that if a critical keyUsage extension is present in
CRL issuer certificate, cRLSign bit in the extension is set in the certificate.
FDP_DAU_CRL_(EXT).1.5 The TSF shall match the issuer field in the CRL with what it assumes to
be the CRL issuer.
FDP_DAU_CRL_(EXT).1.6 The TSF shall reject the CRL if all of the following are true:
a) Time check are not overridden;
b) TOI > thisUpdate + x where x is provided by, administrator; and
c) TOI > nextUpdate + x if nextUpdate is present and where x is provided by
administrator.
FDP_DAU_CRL_(EXT).1.7 The TSF shall permit none to override time checks.
FDP_DAU_CRL_(EXT).1.8 The TSF shall reject CRL if the CRL contains “critical” extension(s) that
TSF does not process.
FDP_DAU_CRL_(EXT).1.9 The TSF shall perform the following additional checks none.
6.3.9 Audit Package
6.3.9.1 FAU_GEN.1-NIAP-0407:2 Audit data generation - TOE
FAU_GEN.1.1-NIAP-0407;2 The TSF shall be able to generate an audit record of the following
auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events listed in Table 26; and
c) No additional events.
FAU_GEN.1.2-NIAP-0407;2 The TSF shall record within each audit record at least the following
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 62
information:
a) Date and time of the event, type of event, subject identity (if applicable), and the
outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, information specified in column
three of Table 26 below.
SFR Auditable Events Additional Audit Record
Contents
FDP_CPD_(EXT).1 Success or failure to build path For success, matching rules
bypassed
FDP_DAU_CPI_(EXT).1 None
FDP_DAU_CPV_(EXT).1 Success or failure of certificate
processing
Bypass of revocation status checking
For failure, reason(s) for
failure
FDP_DAU_CPV_(EXT).2 Success or failure of certificate
processing
For failure, reasons for failure
FDP_DAU_CPO_(EXT).1 None
FDP_DAU_CPI_(EXT).2 None
FDP_DAU_CPO_(EXT).2 None
FDP_DAU_CPI_(EXT).3 None
FDP_DAU_CPV_(EXT).3 None
FDP_DAU_CPO_(EXT).3 Success or failure
FDP_DAU_CPI_(EXT).4 None
FDP_DAU_CPV_(EXT).4 Success or failure
FDP_DAU_CPV_(EXT).5 None
FDP_ETC_SIG_(EXT).1 Invocation of the function
FDP_ITC_SIG_(EXT).1 Invocation of the function
FDP_DAU_SIG_(EXT).1 Success or failure In case of failure, reason for
failure
FDP_DAU_OCS_(EXT).1 Rejection of OCSP response
Override time checks
Reason for rejection
FDP_DAU_CRL_(EXT).1 Rejection of CRL
Override time checks
Reason for rejection
FAU_GEN.1-NIAP-0407:2 None
FAU_GEN.2-NIAP-0410:2 None
FDP_ACF.1 All requests to perform an operation
using a certificate or digital signature
template that fail due to the User
Policy
FIA_UAU_ENV_(EXT).1 All use of the authentication
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 63
SFR Auditable Events Additional Audit Record
Contents
mechanism in the IT environment
FIA_UID_ENV_(EXT).1 All use of the identification
mechanism in the IT environment
FMT_MOF.1:2 All modifications in behaviour of the
functions of the TSF.
FMT_MSA.1:2 Modifications of the values of
security attributes.
FMT_MSA.3 Modifications of the default setting.
Table 26: TOE Auditable Events
6.3.9.2 FAU_GEN.2-NIAP-0410:2 User identity association - TOE
FAU_GEN.2.1-NIAP-0410;2 For audit events resulting from actions of identified users, the TSF shall
be able to associate each auditable event with the identity of the user that caused that
event.
6.3.10 DBsign Additional SFRs
6.3.10.1 FDP_ACC.1:2 Subset access control
FDP_ACC.1.1:2 The TSF shall enforce the User Policy on.
Subjects: client users
Objects: certificates, digital signature templates
Operations: sign
6.3.10.2 FDP_ACF.1 Security attribute based access control
FDP_ACF.1.1 The TSF shall enforce the User Policy to objects based on the following.
Client user subjects: user name, active flag, list of allowed
certificate/security level pairs
Certificate object: security level
Digital Signature Template object: security level
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among
controlled subjects and controlled objects is allowed:
a) If the User Policy feature is not enabled, permit access
b) If the User Policy feature is enabled, the client user subject’s active flag
is not set to “N” and the security level of the template is higher than the
security level of the user’s certificate, allow the user to sign access
c) If the User Access Control feature is enabled, the client user subject’s
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 64
active flag is not set to “N”, and the subject user identity is included in
the list of authorized user identities associated with the object, permit
access
d) Else deny access.
FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the
following additional rules: the User Access Control feature is not enabled:
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following
additional rules: the client user subject’s active flag is set to “N”:
6.3.10.3 FIA_UAU_ENV_(EXT).1 Timing of Authentication with a third party
FIA_UAU_ENV_(EXT).1.1 The TSF shall allow all actions, except use of the Administration
Tools identified in Section 7.3 on behalf of the user to be performed before the
user is authenticated by the IT environment.
FIA_UAU_ENV_(EXT).1.2 The TSF shall require each user to be successfully authenticated by the
IT environment before allowing any other TSF-mediated actions on behalf of that
user.
6.3.10.4 FIA_UID_ENV_(EXT).1 Timing of Identification with a third party
FIA_UID_ENV_(EXT).1.1 The TSF shall allow all actions, except use of the Administration
Tools identified in Section 7.3 on behalf of the user to be performed before the
user is identified by the IT environment.
FIA_UID_ENV_(EXT).1.2 The TSF shall require each user to be successfully identified by the IT
environment before allowing any other TSF-mediated actions on behalf of that
user.
6.3.10.5 FMT_MOF.1:2 Management of security functions behaviour – TOE
FMT_MOF.1.1;2 The TSF shall restrict the ability to determine the behaviour of, disable, enable,
modify the behaviour of the functions
a) Manage the DBsign signature templates which are used to define how
DBsign operates on data in the RDBMS
b) Modify the descriptions of the DBsign security levels
c) Configure the DBsign User Policy feature
d) Configure the list of certificate authorities DBsign trusts to issue
certificates to end users
e) Configure the audit log settings
f) Manage the certificates and CRLs that DBsign stores in the RDBMS
g) Configure the list of OCSP responders DBsign trusts to provide
certificate revocation status information
h) Create and populate the DBsign System Tables with initial data
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 65
to the DBsign administrator.
6.3.10.6 FMT_MSA.1;2 Management of security attributes – User Policy
FMT_MSA.1.1;2 The TSF shall enforce the User Policy to restrict the ability to modify, delete, create
the security attributes User Policy security attributes to DBsign administrator.
6.3.10.7 FMT_MSA.3 Static Attributes Initialization
FMT_MSA.3.1 The TSF shall enforce the User Policy to provide restrictive default values for
security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the DBsign administrator to specify alternative initial values to
override the default values when an object or information is created.
6.3.10.8 FMT_SMF.1:2 Specification of management functions – IT Environment
FMT_SMF.1.1;2 The TSF shall be capable of performing the following management
functions:
a) Manage the DBsign signature templates which are used to define
how DBsign operates on data in the RDBMS
b) Modify the descriptions of the DBsign security levels
c) Configure the DBsign User Policy feature (enable, disable,
define/query/edit DBsign user definition, specify user’s certificates)
d) Configure the list of certificate authorities DBsign trusts to issue
certificates to end users
e) Configure the audit log settings
f) Manage the certificates and CRLs that DBsign stores in the RDBMS
g) Configure the list of OCSP responders DBsign trusts to provide
certificate revocation status information
h) Create and populate the DBsign System Tables with initial data
6.4 TOE Security Assurance Requirements
The Security assurance requirements (SARs) provide grounds for confidence that the TOE meets
its security objectives (for example, configuration management, testing, and vulnerability
assessment).
This TOE claims Basic Robustness assurance as defined in the PP. A Basic Robustness TOE is
considered sufficient for low threat environments or where compromise of protected information
will not have a significant impact on mission objectives. This implies that the motivation of the
threat agents will be low in environments that are suitable for TOEs of this robustness. In
general, basic robustness results in “good commercial practices” that counter threats based in
casual and accidental disclosure or compromise of data protected by the TOE. The basic
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 66
robustness assurance requirements are based on this principle and consist of EAL 2 augmented
with the following addition:
• ALC_FLR.2 Flaw Reporting Procedures
The following table provides a list of the assurance requirements needed for Basic Robustness.
These Security Assurance Requirements are drawn from the CC, Part 3, Version 3.1, Revision 3,
July 2009.
Assurance Class
Assurance
Component ID
Assurance Component Name
ADV: Development
ADV_ARC.1 Security architecture description
ADV_FSP.2 Security-enforcing functional specification
ADV_TDS.1 Basic design
AGD: Guidance
documents
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC: Life-cycle support
ALC_CMC.2 Use of a CM System
ALC_CMS.2 Parts of the TOE CM coverage
ALC_DEL.1 Delivery procedures
ALC_FLR.2 Flaw reporting procedures
ASE: Security Target
evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ATE: Tests
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample
AVA: Vulnerability
assessment
AVA_VAN.2 Vulnerability analysis
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 67
Table 27: Security Assurance Requirements
6.5 Security Requirements Rationale
6.5.1 IT Environment Dependency Rationale
This section includes a table of all IT environment SFRs and their associated dependencies. All
dependencies are satisfied.
Requirement Dependencies
FAU_GEN.1-NIAP-0407:1 FPT_STM.1
FAU_GEN.2-NIAP-0410:1 FAU_GEN.1 (met by FAU_GEN.1-NIAP-0407:1)
FIA_UID.1 (met by FIA_UID.2)
FAU_SAR.1 FAU_GEN.1 (met by FAU_GEN.1-NIAP-0407:1)
FAU_SAR.2 FAU_SAR.1
FAU_SAR.3 FAU_SAR.1
FAU_SEL.1-NIAP-0407 FAU_GEN.1 (met by FAU_GEN.1-NIAP-0407:1)
FMT_MTD.1
FAU_STG.1-NIAP-0429 FAU_GEN.1 (met by FAU_GEN.1-NIAP-0407:1)
FAU_STG.NIAP-0429-1 FAU_STG.1 (met by FAU_STG.1-NIAP-0429)
FMT_MTD.1
FCS_CRM_FPS_(EXT).1 None
FDP_ACC.1:1 FDP_ACF.1 (met by FDP_ACF.1-NIAP-0407)
FDP_ACF.1-NIAP-0407 FDP_ACC.1
FMT_MSA.3 (met by FMT_MSA.3-NIAP-0429)
FDP_RIP.2 None
FIA_AFL.1 FIA_UAU.1 (met by FIA_UAU.2)
FIA_ATD.1 None
FIA_UAU.2 FIA_UID.1 (met by FIA_UID.2)
FIA_UAU.7 FIA_UAU.1 (met by FIA_UAU.2)
FIA_UID.2 None
FIA_USB.1 FIA_ATD.1
FMT_MOF.1:1 FMT_SMF.1 (satisfied by FMT_SMF.1:1)
FMT_SMR.1
FMT_MSA.1:1 FMT_SMF.1 (satisfied by FMT_SMF.1:1)
FMT_SMR.1
FDP_ACC.1 or FDP_IFC (satisfied by FDP_ACC.1:1)
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 68
Requirement Dependencies
FMT_MSA.3-NIAP-0429 FMT_MSA.1
FMT_SMR.1
FMT_MTD.1:1 through 5 FMT_SMF.1 (satisfied by FMT_SMF.1:1)
FMT_SMR.1
FMT_SMF.1:1 None
FMT_SMR.1 FIA_UID.1 (met by FIA_UID.2)
FPT_STM.1 None
FPT_TST_SOF_(EXT).1 None
FTA_SSL.1 FIA_UAU.1 (met by FIA_UAU.2)
FTA_SSL.2 FIA_UAU.1 (met by FIA_UAU.2)
FTA_TAB.1 None
6.5.2 TOE Dependency Rationale
This section includes a table of all the TOE security functional requirements and their associated
dependencies. All dependencies are satisfied by TOE or IT environment SFRs.
Requirement Dependencies
CPV – Basic Package
FDP_CPD_(EXT).1 None
FDP_DAU_CPI_(EXT).1 FCS_COP.1 (met by FCS_CRM_FPS_(EXT).1)
FPT_STM.1
FDP_DAU_CPV_(EXT).1 FCS_COP.1 (met by FCS_CRM_FPS_(EXT).1)
FPT_STM.1
FDP_DAU_OCS_(EXT).1 or FDP_DAU_CRL_(EXT).1
FDP_DAU_CPV_(EXT).2 FDP_DAU_CPV_(EXT).1
FDP_DAU_CPO_(EXT).1 FDP_DAU_CPV_(EXT).1
CPV – Basic Policy Package
FDP_DAU_CPI_(EXT).2 FDP_DAU_CPI_(EXT).1 (See Note 1)
FDP_DAU_CPO_(EXT).2 FDP_DAU_CPO_(EXT).1 (See Note 1)
CPV – Policy Mapping Package
FDP_DAU_CPI_(EXT).3 FDP_DAU_CPI_(EXT).2 (See Note 2)
FDP_DAU_CPV_(EXT).3 FDP_DAU_CPV_(EXT).2 (See Note 3)
FDP_DAU_CPO_(EXT).3 FDP_DAU_CPO_(EXT).2 (See Note 2)
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 69
Requirement Dependencies
CPV – Name Constraints Package
FDP_DAU_CPI_(EXT).4 FDP_DAU_CPI_(EXT).1 (See Note 1)
FDP_DAU_CPV_(EXT).4 FDP_DAU_CPV_(EXT).1 (See Note 1)
FDP_DAU_CPV_(EXT).5 FDP_DAU_CPV_(EXT).2 (See Note 1)
PKI Signature Generation Package
FDP_ETC_SIG_(EXT).1 FCS_CRM_FPS_(EXT).1
PKI Signature Verification Package
FDP_ITC_SIG_(EXT).1 None
FDP_DAU_SIG_(EXT).1 FCS_CRM_FPS_(EXT).1
FDP_DAU_CPO_(EXT).1 (See Note 1)
Online Certificate Status Protocol Client Package
FDP_DAU_OCS_(EXT).1 FCS_CRM_FPS_(EXT).1
FPT_STM.1
Certificate Revocation List (CRL) Validation Package
FDP_DAU_CRL_(EXT).1 FCS_CRM_FPS_(EXT).1
FPT_STM.1
Audit Package
FAU_GEN.1-NIAP-0407:2 FPT_STM.1
FAU_GEN.2-NIAP-0410:2 FAU_GEN.1 (met by FAU_GEN.1-NIAP-0407:2)
FIA_UID.1 (met by FIA_UID.2 in the IT Environment)
DBsign Additional SFRs
FDP_ACC.1:2 FDP_ACF.1
FDP_ACF.1 FDP_ACC.1
FMT_MSA.3
FIA_UAU_ENV_(EXT).1 FIA_UID.1 or FIA_UID_ENV_(EXT).1
FIA_UID_ENV_(EXT).1 None
FMT_MOF.1:2 FMT_SMF.1 (satisfied by FMT_SMF.1:2)
FMT_SMR.1 (met by FMT_SMR.1 in the IT Environment)
FMT_MSA.1:2 FMT_SMF.1 (satisfied by FMT_SMF.1:2)
FMT_SMR.1
FDP_ACC.1 or FDP_IFC (satisfied by FDP_ACC.1:2)
FMT_MSA.3 FMT_MSA.1 (met by FMT_MSA.1:2 in the IT Environment)
FMT_SMR.1 (met by FMT_SMR.1 in the IT Environment)
FMT_SMF.1:2 None
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 70
Note 1: The dependency is satisfied by including the CPV – Basic Package
Note 2: The dependency is satisfied by including the CPV – Basic Policy Package
Note 3: The dependency is satisfied by including the CPV – Basic Package and the CPV – Basic
Policy Package.
6.5.3 IT Environment SFR Tracings and Rationale
Objective SFRs
OE.AUDIT_GENERATION FAU_GEN.1-NIAP-0407:1
FAU_GEN.2-NIAP-0410:1
FIA_USB.1
FAU_SEL.1-NIAP-0407
OE.AUDIT_PROTECTION FAU_SAR.2
FAU_STG.1-NIAP-0429
FAU_STG.NIAP-0429-1
FMT_MOF.1:1
OE.AUDIT_REVIEW FAU_SAR.1
FAU_SAR.3
OE.Configuration AGD_PRE.1
OE.CORRECT_TSF_OPERATION FPT_TST_SOF_(EXT).1
ATE_COV.1
ATE_IND.1
ATE_FUN.1;
OE.CRYPTOGRAPHY FCS_CRM_FPS_(EXT).1
OE.DISPLAY_BANNER FTA_TAB.1
OE.Basic AVA_VAN.2
OE.MANAGE FMT_MOF.1:1
FMT_MSA.1:1
FMT_MSA.3-NIAP-0429
FMT_MTD.1:1
FMT_MTD.1:2
FMT_MTD.1:3
FMT_MTD.1:4
FMT_MTD.1:5
FMT_SMF.1:1
FMT_SMR.1
OE.MEDIATE FDP_ACC.1
FDP_ACF.1-NIAP-0407
OE.NO_EVIL AGD_OPE.1
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 71
Objective SFRs
OE.PHYSICAL AGD_PRE.1
OE.RESIDUAL_INFORMATION FDP_RIP.2
OE.SELF_PROTECTION ADV_ARC.1
OE.TIME_STAMPS FPT_STM.1
FMT_SMF.1:1
FMT_MTD.1:5
OE.TIME_TOE FPT_STM.1
OE.TOE_ACCESS FIA_AFL.1
FIA_ATD.1
FIA_UID.2
FIA_UAU.2
FIA_UAU.7
FTA_SSL.1
FTA_SSL.2
OE.TOE_PROTECTION ADV_ARC.1
OE.AUDIT_GENERATION state that the IT Environment will provide the capability to detect
and create records of security-relevant events associated with users. This objective is satisfied by
the following requirements:
FAU_GEN.1-NIAP-0407:1defines the set of events that the IT Environment must be
capable of recording. This requirement ensures that the Administrator has the ability to
audit any security relevant event that takes place in the TOE. This requirement also
defines the information that must be contained in the audit record for each auditable
event. This requirement also places a requirement on the level of detail that is recorded
on any additional security functional requirements an ST author adds to this PP.
FAU_GEN.2-NIAP-0410:1 ensures that the audit records associate a user identity with
the auditable event.
FIA_USB.1 plays a role is satisfying this objective by requiring a binding of security
attributes associated with users that are authenticated with the subjects that represent
them in the IT Environment. This only applies to authorized users, since the identity of
unauthenticated users cannot be confirmed. Therefore, the audit trail may not always
have the proper identity of the subject that causes an audit record to be generated.
FAU_SEL.1-NIAP-0407 allows the Administrator to configure which auditable events
will be recorded in the audit trail. This provides the administrator with the flexibility in
recording only those events that are deemed necessary by site policy, thus reducing the
amount of resources consumed by the audit mechanism
OE.AUDIT_PROTECTION states that the IT Environment will provide the capability to
protect audit information. This objective is satisfied by the following requirements:
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 72
FAU_SAR.2 restricts the ability to read the audit trail to the Administrator, thus
preventing the disclosure of the audit data to any other user. However, the IT
Environment is not expected to prevent the disclosure of audit data if it has been archived
or saved in another form (e.g., moved or copied to an ordinary file).
FAU_STG.1-NIAP-0429; FAU_STG.NIAP-0429-1: The FAU_STG family dictates
how the audit trail is protected. FAU_STG.1-NIAP-0429 restricts the ability to delete
audit records to the administrator. FAU_STG.NIAP-0429-1 defines the actions that must
be available to the administrator, as well as the action to be taken if there is no response.
This helps to ensure that audit records are kept until the administrator deems they are no
longer necessary. This requirement also ensures that no one has the ability to modify
audit records (e.g., edit any of the information contained in an audit record). This ensures
the integrity of the audit trail is maintained.
FMT_MOF.1:! restricts the capability to modify the behavior of the audit function to the
administrator. This requirement ensures that only administrator can turn audit on or off,
this ensuring users actions are audited according to a site defined policy.
OE.AUDIT_REVIEW states that the IT Environment will provide the capability to selectively
view audit information. This objective is satisfied by the following requirements:
FAU_SAR.1 provides the administrator with the capability to read all the audit data
contained in the audit trail. This requirement also mandates the audit information be
presented in a manner that is suitable for the administrator to interpret the audit trail,
which is subject to interpretation. It is expected that the audit information be presented in
such a way that the administrator can examine an audit record and have the appropriate
information (that required by FAU_GEN.2) presented together to facilitate the analysis of
the audit review
FAU_SAR.3 complements FAU_SAR.1 by providing the administrator the flexibility to
specify criteria that can be used to search or sort the audit records residing in the audit
trail. FAU_SAR.3 requires the administrator be able to establish the audit review criteria
based on a user ID and source subject identity, so that the actions of a user can be readily
identified and analyzed.
OE.Configuration states that the TOE shall be installed and configured properly for starting up
the TOE in a secure state. This objective covers A.Configuration, an assumption that states that
the TOE will be properly installed and configured. This objective is supported by:
The startup and installation guides required by the AGD_PRE.1 assurance requirement,
which states that accurate installation and configuration documentation must be provided
that allows the TOE to be properly (i.e., in a secure state) installed and configured.
OE.CORRECT_TSF_OPERATION states that the IT Environment will provide the capability
to test the TSF to ensure the correct operation of the TSF at a customer’s site.
FPT_TST_SOF_(EXT).1 is necessary to ensure the correctness of the TSF
configuration files and TSF data and executable. If TSF software is corrupted it is
possible that the TSF would no longer be able to enforce the security policies. This also
holds true for TSF data, if TSF data is corrupted, the TOE may not correctly enforce its
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 73
security policies.
ATE security assurance requirements will provide assurance that the TOE has been
tested to ensure the correct operation of the TSF. Work units for ATE_COV.1,
ATE_FUN.1, and ATE_IND.1 will demonstrate that the TOE testing contained enough
coverage to test TOE TSF functionality.
OE.CRYPTOGRAPHY states that the TOE shall use NIST FIPS 140-2 validated cryptographic
services provided by the IT Environment. This objective is satisfied by the following
requirements:
FCS_CRM_FPS_(EXT).1, FIPS compliant cryptographic module, which requires that
the IT Environment shall provide all cryptographic modules necessary for the TSF and
that each cryptographic module shall be FIPS 140 series Level 1 validated.
OE.DISPLAY_BANNER states that the IT Environment will display an advisory warning
regarding use of the TOE. This objective is satisfied by the following requirements:
FTA_TAB.1 meets this objective by requiring the IT Environment to display an
administrator defined banner before a user can establish an authenticated session. This
banner is under complete control of the administrator in which they specify any warnings
regarding unauthorized use of the TOE and remove any product or version information if
they desire.
OE.Basic states that the TOE shall be designed and implemented for a minimum attack potential
of “Basic” as validated by the vulnerability analysis. This objective covers the vulnerability
analysis (AVA_VAN.2).
OE.MANAGE states that the IT Environment will provide all the functions and facilities
necessary to support the administrators in their management of the security of the TOE, and
restrict these functions and facilities from unauthorized use. This objective is satisfied by the
following requirements:
FMT_MOF.1:1 requires that the ability to use particular TOE capabilities be restricted
to the Administrator.
FMT_MSA.1:1 requires that the ability to perform operations on security attributes be
restricted to particular roles.
FMT_MSA.3-NIAP-0429 requires that default values used for security attributes are
restrictive, and that the Administrator has the ability to override those values.
FMT_MTD.1:1, FMT_MTD.1:2, FMT_MTD.1:3, FMT_MTD.1:4, and
FMT_MFT.1:5 require that the ability to manipulate IT Environment and TOE data is
restricted to Administrators and authorized users.
FMT_SMF.1:1 requires that appropriate administrators manage the audit and other
functions.
FMT_SMR.1 defines the specific security roles to be supported to perform the functions
listed in the list above.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 74
OE.MEDIATE states that the IT Environment will protect user data in accordance with its
security policy. This objective is satisfied by the following requirements:
FDP_ACC.1:1 defines that an Access Control policy that will be enforced on a list of
subjects acting on the behalf of users attempting to gain access to a list of named objects.
All the operations between subject and object covered are defined by the policy. The
“subjects” are generally the IT Environment's “Agents.” The “named objects” are things
that the IT Environment is protecting for itself and for the TOE
FDP_ACF.1-NIAP-0407 defines the Security Attribute used to provide Access Control
to objects based on the following above Access Control policy and access control rules
based on those security attributes.
OE.NO_EVIL states that sites using the TOE will ensure that administrators are non-hostile,
appropriately trained and follow all administrator guidance. This objective is supported by:
The user guidance document as defined under assurance requirements AGD_OPE.1.
OE.PHYSICAL states that the non-IT environment will provide an acceptable level of physical
security so that the TOE cannot be tampered with or be subject to side channel attacks such as
the various forms of power analysis and timing analysis. This objective is supported by:
The preparative procedures as defined under assurance requirements AGD_PRE.1. The
user guidance defines the security policy for the installation and operation of the TOE.
OE.RESIDUAL_INFORMATION which states that the IT Environment will ensure that any
information contained in a protected resource within its Scope of Control is not released when
the resource is reallocated. This objective is satisfied by the following requirements:
FDP_RIP.2 is used to ensure the contents of resources are not available to subjects other
than those explicitly granted access to the data.
OE.SELF_PROTECTION which states that the IT Environment will maintain a domain for its
own execution that protects it and its resources from external interference, tampering, or
unauthorized disclosure. This objective is satisfied by the following requirements:
ADV_ARC.1 provides an architecture that ensures that the IT Environment makes policy
decisions on all interfaces that perform operations on subjects and objects that are scoped
by the policies. Without this non-bypassability requirement, the IT Environment could
not be relied upon to completely enforce the security policies, since an interface(s) may
otherwise exist that would provide a user with access to TOE resources (including TSF
data and executable code) regardless of the defined policies. This includes controlling the
accessibility to interfaces, as well as what access control is provided within the interfaces.
ADV_ARC.1 will also provides an architecture that ensure the IT Environment provides
a domain that protects itself from untrusted users. If the IT Environment cannot protect
itself it cannot be relied upon to enforce its security policies.
OE.TIME_STAMPS states that the IT Environment will provide reliable time stamps and the
capability for the administrator to set the time used for these time stamps. This objective is
satisfied by the following requirements:
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 75
FPT_STM.1 requires that the IT Environment provide time stamps for its own use and
for the TOE use.
FMT_SMF.1:1 requires that the IT Environment provide an administrator with the
capability to modify system time.
FMT_MTD.1:5 requires that the IT Environment restrict the capability to modify system
time to an administrator.
OE.TIME_TOE states that The IT Environment will provide reliable time for the TOE use. This
objective is satisfied by the following requirements:
FPT_STM.1 requires that the IT Environment provide time stamps for its own use and
for the TOE use.
OE.TOE_ACCESS states that the IT Environment will provide mechanisms that control a
user’s logical access to the TOE. This objective is satisfied by the following requirements:
FIA_AFL.1 provides a detection mechanism for unsuccessful authentication attempts by
the users. The requirement enables an administrator settable threshold that prevents
unauthorized users from gaining access to authorized user’s account by guessing
authentication data by locking the targeted account. Thus, limiting an unauthorized user’s
ability to gain unauthorized access to the TOE.
FIA_ATD.1 defines the attributes of users, including a user ID that is used to by the IT
Environment to determine a user’s identity and enforce what type of access the user has
to the IT Environment (e.g., the IT Environment associates a user ID with any role(s)
they may assume).
FIA_UID.2 requires that a user be identified to the IT Environment in order to do
anything.
FIA_UAU.2 requires that a user be authenticated by the IT Environment in order to do
anything.
FIA_UAU.7 provides that the authentication data provided by the user is not echoed back
in plaintext, thus serving to protect that data.
FTA_SSL.1 and FTA_SSL.2 components deal with automatic session locking and
termination, either initiated by the IT Environment or a user. They protect from an
unauthorized entity to use the unattended session.
OE.TOE_PROTECTION states that the IT Environment will protect the TOE and TOE
resources from external interference, tampering, or unauthorized disclosure and modification.
This objective is satisfied by the following requirements:
ADV_ARC.1 provides an architecture that ensures that the IT Environment provides a
domain that protects TSF from untrusted users. If the TSF cannot be protected, it cannot
be relied upon to enforce its security policies.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 76
6.5.4 TOE SFR Tracings and Rationale
Objective SFRs
Mapping for CPV – Basic Package
O.Availability FDP_DAU_CPV_(EXT).1
O.Correct_Temporal FDP_DAU_CPI_(EXT).1
O.Current_Certificate FDP_DAU_CPV_(EXT).1
O.Get_KeyInfo FDP_DAU_CPO_(EXT).1
O.Path_Find FDP_CPD_(EXT).1
O.Trusted_Keys FDP_DAU_CPI_(EXT).1
O.User FDP_DAU_CPV_(EXT).2
O.Verified_Certificate FDP_DAU_CPV_(EXT).1
O.Valid_Certificate FDP_DAU_CPV_(EXT).1
Mapping for CPV – Basic Policy Package
O.Provide_Policy_Info FDP_DAU_CPV_(EXT).2
FDP_DAU_CPO_(EXT).2
Mapping for CPV –Policy Mapping Package
O.Map_Policies FDP_DAU_CPI_(EXT).3
FDP_DAU_CPV_(EXT).3
FDP_DAU_CPO_(EXT).3
O.Policy_Enforce FDP_DAU_CPI_(EXT).3
FDP_DAU_CPV_(EXT).3
FDP_DAU_CPO_(EXT).3
Mapping for CPV – Name Contraints Package
O.Authorised_Names FDP_DAU_CPI_(EXT).4
FDP_DAU_CPV_(EXT).4
FDP_DAU_CPV_(EXT).5
Mapping for PKI Signature Generation Package
O.Give_Sig_Hints FDP_ETC_SIG_(EXT).1
Mapping for PKI Signature Verification Package
O.Use_Sig_Hints FDP_ITC_SIG_(EXT).1
O.Linkage_Sig_Ver FDP_DAU_SIG_(EXT).1
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 77
Objective SFRs
Mapping for Online Certificate Status Protocol (OCSP) Client Package
O.Accurate_OCSP_Info FDP_DAU_OCS_(EXT).1
O.Auth_OCSP_Info FDP_DAU_OCS_(EXT).1
O.Current_OCSP_Info FDP_DAU_OCS_(EXT).1
O.User_Override_Time_OCSP FDP_DAU_OCS_(EXT).1
Mapping for Certificate Revocation List (CRL) Validation Package
O.Accurate_Rev_Info FDP_DAU_CRL_(EXT).1
O.Auth_Rev_Info FDP_DAU_CRL_(EXT).1
O.Current_Rev_Info FDP_DAU_CRL_(EXT).1
O.User_Override_Time_CRL FDP_DAU_CRL_(EXT).1
Mapping for Audit Package
O.PKE_Audit FAU_GEN.1-NIAP-0407:2
FAU_GEN.2-NIAP-0410:2
Mapping for DBsign Additional SFRs
O.ACCESS FDP_ACC.1:2
FDP_ACF.1
O.MANAGE FIA_UAU_ENV_(EXT).1
FIA_UID_ENV_(EXT).1
FMT_MOF.1:2
FMT_MSA.1:2
FMT_MSA.3
FMT_SMF.1:2
Table 28: Mappings between TOE SFRs and Security Objectives
6.5.4.1 Security Objectives Rationale for CPV - Basic Package
O.Availability states that the TSF shall continue to provide security services even if revocation
information is not available. This objective is met by:
FDP_DAU_CPV_(EXT).1, Certificate processing – basic, which requires that the TSF
bypass the revocation check if the revocation information is not available.
O.Correct_Temporal states that the TSF shall provide accurate temporal validation results. This
objective is met by:
FDP_DAU_CPI_(EXT).1, Certification path initialisation – basic, which requires that
the TSF obtain the time of interest called “TOI" from a reliable source.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 78
O.Current_Certificate states that the TSF shall only accept certificates that are not expired as
of TOI. This objective is met by:
FDP_DAU_CPV_(EXT).1, which requires that the TSF accept a certificate only if the
specified checks succeed, including that the certificate is not expired as of TOI.
O.Get_KeyInfo states that the TSF shall provide the user public key and related information in
order to carry out cryptographic functions. This objective is met by:
FDP_DAU_CPO_(EXT).1, Certification path output – basic, which requires that the
TSF output the subject public key from the certification path and other information
specified by the ST author.
O.Path_Find states that the TSF shall be able to find a certification path from a trust anchor to
the subscriber. This objective is met by:
FDP_CPD_(EXT).1, Certification path development, which requires that the TSF shall
develop a certification path from a trust anchor to the subscriber.
O.Trusted_Keys states that the TSF shall use trusted public keys in certification path validation.
This objective is met by:
FDP_DAU_CPI_(EXT).1, Certification path initialisation -- basic, which requires that
the TSF use trusted public keys in the certification path validation.
O.User states that the TSF shall only accept certificates issued by a CA. This objective is met
by:
FDP_DAU_CPV_(EXT).2, Intermediate certificate processing – basic, which requires
that the TSF accept an intermediate certificate only when the certificate is issued by a
CA.
O.Verified_Certificate states that the TSF shall only accept certificates with verifiable
signatures. This objective is met by:
FDP_DAU_CPV_(EXT).1, Certificate processing – basic, which requires that the TSF
accept certificates only with verifiable signatures.
O.Valid_Certificate states that the TSF shall use certificates that are valid, i.e., not revoked.
This objective is met by:
FDP_DAU_CPV_(EXT).1, Certificate processing – basic, which requires that that the
TSF shall use only those certificates that are valid, i.e., revocation status demonstrates
that the certificate is not revoked.
6.5.4.2 Security Objectives Rationale for CPV – Basic Policy Package
O.Provide_Policy_Info states that the TSF shall provide certificate policies for which the
certification path is valid. This objective is met by:
FDP_DAU_CPI_(EXT).2, Certification path initialisation – basic policy, which requires
that the TSF shall use the initial-certificate-policies provided by user roles specified by
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 79
the ST author.
FDP_DAU_CPO_(EXT).2, Certification path output – basic policy, which requires that
The TSF shall output the certificate policies using the following rule: intersection of
certificatePolicies extensions in all the certificates in certification path and initial-
certificate-policies.
6.5.4.3 Security Objectives Rationale for CPV –Policy Mapping Package
O.Map_Policies states that the TSF shall map certificate policies in accordance with user and
CA constraints. This objective is met by:
FDP_DAU_CPI_(EXT).3, Certification path initialisation – policy mapping, which
requires that the TSF use the explicit-policy-indicator, policy-mapping-inhibit-indicator,
inhibit-any-policy-indicator provided by a role specified by the ST author.
FDP_DAU_CPV_(EXT).3, Intermediate certificate processing – policy mapping, which
requires that the TSF use the intermediate certificate to update specified state variables.
FDP_DAU_CPO_(EXT).3, Certification path output – policy mapping, which requires
that the TSF shall map policies in the calculation of the policies intersection according to
defined user and CA constraints.
O.Policy_Enforce states that the TSF shall validate a certification path in accordance with
certificate policies acceptable to the user. This objective is met by:
FDP_DAU_CPI_(EXT).3, Certification path initialisation – policy mapping, which
requires that the TSF use the explicit-policy-indicator, policy-mapping-inhibit-indicator,
inhibit-any-policy-indicator provided by a role specified by the ST author.
FDP_DAU_CPV_(EXT).3, Intermediate certificate processing – policy mapping, which
requires that the TSF use the intermediate certificate to update specified state variables.
FDP_DAU_CPO_(EXT).3, Certification path output – policy mapping, which requires
that the TSF shall map policies in the calculation of the policies intersection according to
defined user and CA constraints and that specified policies be enforced.
6.5.4.4 Security Objectives Rationale for CPV –Name Constraints Package
O.Authorised_Names states that the TSF shall validate a certificate only if the CA is authorized
to issue a certificate to the subject. This objective is met by:
FDP_DAU_CPI_(EXT).4, Certification path initialisation – names, which requires that
the TSF initialize the following: permitted-subtrees = ∞, excluded-subtrees = ∅.
FDP_DAU_CPV_(EXT).4, Intermediate certificate processing – name constraints,
which requires that the TSF accept a certificate only if the conditions specified by the
requirement, including verification of authorization, is satisfied.
FDP_DAU_CPV_(EXT).5, Intermediate Certificate processing – name constraints,
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 80
states that the TSF shall use the intermediate certificate to update the following states:
permitted-subtrees and excluded-subtrees.
6.5.4.5 Security Objectives Rationale for PKI Signature Generation Package
O.Give_Sig_Hints states that the TSF shall provide hints for selecting correct certificates for
PKI signature verification. This objective is met by:
FDP_ETC_SIG_(EXT).1, Export of PKI Signature, which requires that the TSF use the
user selected private to key perform digital signature and that the TSF include additional
information specified by the ST author with the digital signature to facilitate signature
verification.
6.5.4.6 Security Objectives Rationale for PKI Signature Verification Package
O.Use_Sig_Hints states that the TSF shall use hints for selecting correct certificates for
signature verification. This objective is met by:
FDP_ITC_SIG_(EXT).1, Import of PKI Signature, which requires that the TSF use the
following information from the signed data: hashing algorithm, signature algorithm,
signer public key certificate, signer DN, signer subject alternative name, signer subject
key identifier, or other data during signature verification.
O.Linkage_Sig_Ver states that the TSF shall use the correct user public key for signature
verification. This objective is met by:
FDP_DAU_SIG_(EXT).1, Signature Blob Verification, which requires that the TSF
invoke a cryptographic module with the following information from Certification Path
Validation to verify digital signature on signed data: subject public key algorithm, subject
public key, subject public key parameters and that the TSF perform other verification
checks as specified by the ST author.
6.5.4.7 Security Objectives Rationale for Online Certificate Status Protocol (OCSP) Package
O.Accurate_OCSP_Info states that the TSF shall accept only accurate OCSP responses. This
objective is met by:
FDP_DAU_OCS_(EXT).1, Basic OCSP Client, which requires that only accurate
revocation information be accepted from the OCSP responder.
O.Auth_OCSP_Info states that the TSF shall accept the OCSP responses from an authorized
source. This objective is met by:
FDP_DAU_OCS_(EXT).1, Basic OCSP Client, which requires that the OCSP responder
be verified as an authorized source.
O.Current_OCSP_Info states that the TSF may accept only OCSP responses current as of TOI.
This objective is met by:
FDP_DAU_OCS_(EXT).1, Basic OCSP Client, which requires that only reasonably
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 81
current as of TOI revocation information may be accepted through a series of policy and
parameter checks.
O.User_Override_Time_OCSP states that the TSF shall permit the user to override the time
checks on the OCSP response. This objective is met by:
FDP_DAU_OCS_(EXT).1, Basic OCSP Client, which requires that a role or roles
specified by the ST author be able to override the time checks on the OCSP response.
6.5.4.8 Security Objectives Rationale for Certificate Revocation List (CRL) Validation
Package
O.Accurate_Rev_Info states that the TSF shall accept only accurate revocation information.
This objective is met by:
FDP_DAU_CRL_(EXT).1, Basic CRL checking, which requires that the TSF accept
accurate revocation information. Accuracy is determined through a series of verification
and policy requirements within this extended stated requirement.
O.Auth_Rev_Info states that the TSF shall accept the revocation information from an
authorized source for CRL. This objective is met by:
FDP_DAU_CRL_(EXT).1, Basic CRL checking, which requires that the TSF accept
revocation information from an authorized source as selected or assigned by the ST
author.
O.Current_Rev_Info states that the TSF shall accept only CRL current as of TOI. This
objective is met by:
FDP_DAU_CRL_(EXT).1, Basic CRL checking, which requires that the TSF accept
only reasonably current as of TOI revocation information through a series of policy
requirements defined in FDP_DAU_CRL_(EXT).1.
O.User_Override_Time_CRL states that the TSF shall permit the user to override the time
checks on the CRL. This objective is met by:
FDP_DAU_CRL_(EXT).1, Basic CRL checking, which requires that the TSF accept the
CRL as current if a role assigned by the ST author overrides time checks.
6.5.4.9 Security Objectives Rationale for Audit Package
O.PKE_Audit states that the TSF shall audit security relevant PKE events. This objective is met
by:
FAU_GEN.1-NIAP-0407 defines the set of events that the TOE must be capable of
recording. This requirement ensures that the Administrator has the ability to audit events
that take place in the TOE. This requirement also defines the information that must be
contained in the audit record for each auditable event. This requirement also places a
requirement on the level of detail that is recorded on any additional security functional
requirements an ST author adds to this PP.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 82
FAU_GEN.2-NIAP-0410 ensures that the audit records associate a user identity with the
auditable event.
6.5.4.10 Security Objectives Rationale for DBsign Additional SFRs
O.ACCESS states that the TSF shall provide the ability to restrict access to the digital signing
operations. This objective is met by:
FDP_ACC.1:2 defines the User Policy that can be enforced on client users attempting to
sign RDBMS data using the certificate and digital signature template objects.
FDP_ACF.1-NIAP-0407 defines the Security Attributes used to implement the User
Policy and defines the access control rules based on those security attributes.
O.MANAGE states that the TSF will provide all the functions and facilities necessary to manage
and configure the security of the TOE and restrict these functions and facilities from
unauthorized use.
FIA_UAU_ENV_(EXT).1 requires that the TSF require that the IT environment
authenticate users prior to allowing them to perform security management functions..
FIA_UID_ENV_(EXT).1 requires that the TSF require that the IT environment identify
users prior to allowing them to perform security management functions..
FMT_MOF.1:2 requires that the ability to use particular TOE capabilities be restricted
to the DBsign Administrator.
FMT_MSA.1:2 require that the ability to perform operations on User Policy security
attributes be restricted to the DBsign administrator.
FMT_MSA.3 requires that default values used for security attributes are restrictive, and
that the DBsign Administrator has the ability to override those values.
FMT_SMF.1:2 requires that DBsign administrators manage the audit, User Policy,
Certificates, CRLs, and OCSP functions.
6.5.5 SAR Rationale
The TOE and this ST are EAL2 conformant, augmented with ALC_FLR.2
EAL2 was chosen to provide a low level of independently assured security in the absence of
ready availability of the complete development record from the vendor. The chosen assurance
level is consistent with the postulated low threat environment or with an environment where
compromise of protected information will not have a significant impact on mission objectives.
The motivation of the threat agents in which the TOE will operate is considered low. EAL2 was
chosen to provide a low level of assurance that is consistent with good commercial practices that
counter threats based in casual and accidental disclosure or compromise of data protected by the
TOE.
EAL2 is augmented with ALC_FLR.2 to assist in ensuring that discovered security flaws are
tracked and corrected by the developer and to provide flaw reporting procedures to the users of
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 83
the TOE.
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 84
7 TOE Summary Specification
This section presents a description of how the TOE SFRs are satisfied.
7.1 Auditing
The DBsign Universal Web Signer generates audit records for all audit events associated with
digitally signing data and verifying digitally signed data, including requests that fail due to the
User Policy.
The DBsign Server generates audit records for the following types of audit events:
Successful and failed requests to digitally sign data
Successful and failed requests to verify digitally signed data
The DBsign Administration Tools generates audit records for the following types of audit events:
All DB connection events (identification and authentication performed by the IT
environment at the request of the TOE)
All modifications in behaviour of the functions of the TSF as defined in FMT_MOF.1:2
All modifications of the values of User Policy security attributes as described in
FMT_MSA.1:2.
All modifications of the default settings described in FMT_MSA.3.
The audit logging feature may be enabled or disabled by the administrator. The evaluated
configuration of the TOE requires, at a minimum, the audit logging feature to be enabled and
configured to record the auditable events identified in Table 26. Audit record generation occurs
on both the client and server system.
Each audit event recorded includes the date and time of the event, type of event, subject identity
(if applicable, the record may include the user name obtained from the underlying OS), and the
outcome (success or failure) of the event.
For audit records of successful certification paths developed, the audit event record will include
the matching rules bypassed.
For audit records resulting from failed certificate processing or failed digital signature
verification, the audit event record will include the reason for the failure.
For audit records resulting from rejected OCSP responses or rejected CRLS, the reason for the
rejection is included in the audit event record.
The TSF does not allow for the bypass of revocation status checking, therefore there is no
associated audit record generated.
The audit records are stored in flat text files on the underlying operating systems. There is an
audit log file created for each administration tool, for the DBsign UWS, and for the DBsign
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 85
Server.
The TOE depends upon the IT environment to provide a mechanism (via a text viewer/editor) for
viewing the events recorded in the audit log. The TOE also relies upon the underlying operating
systems to protect the audit records.
This function implements the following SFRs:
FAU_GEN.1-NIAP-0407:2
FAU_GEN.2-NIAP-0410:2
7.2 User Policy
The TOE provides the optional ability to restrict access to the digital signing operations. By
default, the User Policy system is disabled. To support the User Policy feature, DBsign maintains
a list of authorized users and associated certificates, but does not authenticate these users.
DBsign relies on the underlying operating system to identify and authenticate the users.
Each DBsign user account has the following attributes:
User Name A name that uniquely identifies the user to DBsign
First Name The user’s first name; used for informational purposes only
Last Name The user’s last name; used for informational purposes only
Active Flag Indicates if the user account is active or disabled.
Certificates List of certificates with which the user is permitted to sign documents. If
there is more than one certificate associated with a user, DBsign will
prompt the user for which one to use.
Each certificate has the following attributes:
Security Level The DBsign security level of this certificate
Description A short description of this certificate’s intended use
Notary Flag A flag indicating whether the certificate is intended to be used for data
integrity or non-repudiation purposes.
Each digital signature template includes a security level. Digital signature templates define how
DBsign will operate on data stored in the RDBMS that is unique to the host application. DBsign
signature templates have the following qualities:
Specify which DB data elements to sign or verify
Specify which data values uniquely identify the data to be signed or verified
Specify the data format for each data item being retrieved
Specify how data is related enabling the representation of complex database relationships
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 86
Specify where to store digital signature information in the DB
When the DBsign User Policy feature is enabled, DBsign will not allow a user to sign a template
if the security level of the template is higher than the security level of the user’s certificate.
This function implements the following SFRs:
FDP_ACC.1:2
FDP_ACF.1
7.3 Security Management
The TOE provides a graphical user interface called the DBsign Administration Tools which
implement the security management functionality. The DBsign Administration Tools require that
administrators identify and authenticate themselves to the DB in order to connect to the DB and
use the selected tools. The DBsign Administration Tools access and store the TOE configuration
data in the DB.
The DBsign Database Login dialog box requires the administrator to specify a database
username, password and a database connection definition (used to select the database) prior to
modifying any the DBsign configuration data.
The TOE provides the following DBsign Administration Tools:
Template Designer Provides the abilty to view, create, edit or delete the digital
signature templates.
Security Level Manager Modify the descriptions of the DBsign security levels.
DBsign supports 10 security levels.
User Manager Configures the DBsign User Policy feature, including
defining, editing and deleting DBsign user definitions.
Trusted Certs Manager Configures the list of certificate authorities (CAs) that
DBsign trusts to issue certificates to end users.
Log Settings Manager Configures the types of audit records that are generated and
under what conditions the audit records are generated.
Certificate/CRL Browser Manages the certificates and CRLs that DBsign stores in the
database and provides the ability to view the trusted CA
certificates.
OCSP Responder Manager Configures the list of OCSP responders DBsign trusts to
provide certificate revocation status information.
Initial Table Creation Tool Creates and populates the DBsign System Tables in the DB
with initial data.
In addition, the TOE includes the DBsign Configuration File Editor. The DBsign Configuration
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 87
File Editor creates a new DBsign Server configuration file that can be installed on the DBsign
Server. The configuration options are divided into five categories
Global Settings – configuration items that control the operation of the DBsign Server
across all configured DBs.
Databases– configuration items pertaining to a specific DB, such as connection
parameters.
Crypto – configuration items pertaining to cryptographic operations, such as certificate
chains, signer’s certificates, etc.
Caches – configuration items that control how certificates and CRLs cached in memory
are managed
Instances – defines the DBsign Web Servlet instances
This function implements the following SFRs:
FIA_UAU_ENV_(EXT).1
FIA_UID_ENV_(EXT).1
FMT_MOF.1:2
FMT_MSA.1:2
FMT_MSA.3
FMT_SMF.1:2
7.4 Certification Path Processing
DBsign performs X.509 certification path validation checks. Certification path validation
consists of validating certificates starting with the one issued to the subscriber of interest and
ending with a trust anchor. DBsign supports X.509 version 3 Certificates.
All certification path processing performed by DBsign is X.509 and PKIX RFC3280 compliant.
There are three categories of public key certificates involved in certificate path validation:
Trust Anchors: The trust anchors can be in the form of self-signed certificates. The trust
anchor is used to obtain the Distinguished Name (DN), public key, algorithm identifier,
and the public key parameters (if applicable). DBsign permits validation of trust anchor if
it is in the form of a self-signed certificate, including validating signature and verifying
that the self-signed certificate validity period has not expired.
Intermediate certificates: These are the certificates issued to the CAs. All certificates in a
certification path are intermediate certificates, except the last one.
End certificate: This is the last certificate in the certification path and is issued to the
subscriber of interest. This is typically an end-entity (i.e., not a CA) certificate. However,
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 88
this package permits this certificate to be a CA certificate also.
DBsign processes the following security-related certificate extensions: no-check, keyUsage, and
basicConstraints.
DBsign provides the ability to validate certification paths as of the time of interest (TOI), which
can be the current time or earlier. DBsign depends upon the IT environment to provide
certificates and either OCSP responses or CRLs for the TOI.
DBsign performs the processing of the following certificate policy-related extensions:
certificatePolicies, policyMapping, inhibitAnyPolicy, policyConstraints, and nameConstraints
extensions.
This function implements the following SFRs. Refer to these SFR definitions for details on the
exact extensions, matching rules, TOI source, and constraints implemented by DBsign.
FDP_CPD_(EXT).1
FDP_DAU_CPI_(EXT).1
FDP_DAU_CPV_(EXT).1
FDP_DAU_CPV_(EXT).2
FDP_DAU_CPO_(EXT).1
FDP_DAU_CPI_(EXT).2
FDP_DAU_CPO_(EXT).2
FDP_DAU_CPI_(EXT).3
FDP_DAU_CPV_(EXT).3
FDP_DAU_CPO_(EXT).3
FDP_DAU_CPI_(EXT).4
FDP_DAU_CPV_(EXT).4
FDP_DAU_CPV_(EXT).5
7.5 Certificate Revocation Processing
DBsign sends Online Certificate Status Protocol (OCSP) requests in accordance with PKIX RFC
2560 and validates OCSP responses to determine the revocation status of public key certificates.
The DBsign administrator configures a list of OCSP responder certificates that are trusted to do
OCSP. DBsign establishes trust in the OCSP responder by performing Certification Path
Validation.
DBsign allows applications to determine the revocation status of a certificate using a Certificate
Revocation List (CRL). DBsign may be used to process CRLs obtained from locations indicated
by a CRL Distribution Point (CRLDP) extension in a certificate and from the local cache, which
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 89
is the DBsign certificate and CRL archive. The locations that may be indicated in the CRLDP
extension are LDAP or HTTP URLs. DBsign supports X.509 CRLs, version 2.
DBsign permits the use of the same public key for CRL signature verification as the one used for
verifying the signature on the certificate. DBsign can also develop a certification path to CRL
signers and then verify the signature.
This function implements the following SFRs. Refer to these SFR definitions for details on the
exact extensions, OCSP Responder sources, TOI constraints implemented by DBsign.
FDP_DAU_OCS_(EXT).1
FDP_DAU_CRL_(EXT).1
7.6 PKI Signature Generation
The TOE provides a digital signature function which enables a user to generate a digital
signature. The TOE digitally signs data using FIPS validated cryptographic modules in the IT
environment. Under normal operations, the client side of DBsign performs the digital signing
using the subscriber’s certification. Using the Notary Signing feature, the application can request
that the DBsign server perform the digital signing using a certificate issued to the application.
The Digital Signature security function provides DBsign the capability to digitally sign data
stored within a database, memory buffer, or file.
To digitally sign data stored within a database, a user must initiate a DBsign session and then
make a call to the DBS_MakeSig() API function. The DB_MakeSig() API function is a part of
the DBsign API which provides developers a way to integrate the DBsign digital signature
functionality into their product. When DBS_MakeSig() is called upon, DBsign checks the
primary key values as defined by the signature template. When the digital signing operation has
completed, DBS_MakeSig() logs the action to the DBsign audit log and records whether the
event was a success or failure.
To digitally sign application-constructed data stored in a memory buffer or a file, a user must
initiate a DBsign session and then make a call to the DBS_AppSign() API function.
The digital signatures always include the following information: hashing algorithm, signature
algorithm. In addition, DBsign supports the ability to include signed data, signing time, signer
cert, and cert chain.
This function implements the following SFRs:
FDP_ETC_SIG_(EXT).1
7.7 PKI Signature Verification
The TOE provides a digital signature function which verifies a digital signature applied to data.
This allows for the author of the signed data to be uniquely identified and for the authenticity and
integrity of the signed data to be verified. In addition, the digital signature function enforces
personal accountability for approved changes made by an administrator to the security sensitive
DBsign HTML Applications ST April 4, 2011
2009 Gradkell Systems, Inc.. All Rights Reserved. 90
configuration data contained in the DBsign system tables. The TOE verifies digitally signed data
and data integrity using FIPS validated cryptographic modules in the IT environment.
The TOE provides data integrity verification by enabling applications to verify the data integrity
of previous transactions from unauthorized modification, based on the originator’s digital
signature. The data integrity verification function is performed whenever the digital signature
function verifies digitally signed data using the DBS_CheckSig() API function of the DBsign
UWS or corresponding HTTP request to DBsign Server.
The digital signature verification uses the following information from the CPV: subject public
key algorithm, subject public key, subject public key parameters.
DBsign verifies the following keyUsage extension bits during signature verification:
nonRepudiation or digitalSignature.
The Digital Signature security function provides DBsign the capability to verify digitally signed
data stored within a database, memory buffer, or file.
To verify digitally signed data stored within a database, a user must initiate a DBsign session and
then make a call to the DBS_CheckSig() API function. The DBS_CheckSig()API function is a
part of the DBsign API which provides developers a way to integrate the DBsign digital
signature verification functionality into their product. When DBS_CheckSig() is called upon,
DBsign checks the primary key values as defined by the signature template. When the digital
signature verification operation has completed, DBS_CheckSig() logs the action to the DBsign
audit log and records whether the event was a success or failure.
To verify digitally signed application-constructed data stored within a memory buffer or file, a
user must initiate a DBsign session and then make a call to the DBS_AppVerifyBuffer() API
function or corresponding HTTP request.
This function implements the following SFRs:
FDP_ITC_SIG_(EXT).1
FDP_DAU_SIG_(EXT).1