Commit 6e59a638 authored by Peter Campbell's avatar Peter Campbell

Threat updates

parent 9644338b
+92 −16
@@ -406,9 +406,9 @@ Table 4.1 provides a list of system administrations assets for the PKI product.
| SYS02: User account data                  | Includes user authentation credentials and access rights |
| SYS03: Event log data                     | Includes system administration and component service event logs|
| SYS11: System configuration management <br> function  | Used to change to system configuration  settings and reset to <br> default values |
| SYS12: Software update function           | Used to manage installation of a software updates |
| SYS13: User account management function   | Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts |
| SYS14: Event log management function      | Used to view event log data |
| SYS12: User account management function   | Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts |
| SYS13: Event log management function      | Used to view event log data |
| SYS14: Software update function           | Used to manage installation of a software updates |
| SYS21: Remote administration interface    | E.g., remotely accessible web portal |
| SYS22: Local administration interface     | E.g., locally accessible command line interface |

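Review bot: the renumbering of SYS12 to SYS14 in this hunk (user account management becomes SYS12, event log management SYS13, software update SYS14) has to be applied wherever those identifiers are cited; the threat table added later in this patch (T_SYS09 to T_SYS11) already uses the new numbering, so the commit message should say the mapping changed. Two typos in rows of this table are worth fixing while it is being touched: `SYS02 ... user authentation credentials` should read `authentication`, `SYS11 ... Used to change to system configuration  settings` should drop the second `to` and the double space, and the moved SYS14 row carries `installation of a software updates` forward, which should be `installation of software updates`.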
@@ -427,14 +427,14 @@ Table 4.2 provides a list of assets for a PKI product that supports registration
| REG01: Subscriber data                      | Includes subscriber personal data |
| REG02: Certificate request                  | Subject certificate signing request |
| REG11: Subscriber management function       | Used to register subscribers and change subscriber details |
| REG12: Cerificate request approval function | Used to approve or reject subject certificate requests |
| REG12: Certificate request management function | Used to approve or reject subject certificate requests |
| REG21: Registration user interface | E.g., remotely accessible web portal |
| REG22: Certificate request API | E.g., remotely accessible logical interface |

<strong>Table 4.2.</strong> Registration assets
</div>

If the PKI product does provide support for subscriber management as part of its registration services, then the subscriber data and subscriber management function assets will not be present. 
If the PKI product does not provide support for subscriber management as part of its registration services, then the subscriber data (REG01) and subscriber management function (REG11) assets will not be present. 

#### 4.2.6.3 Certificate generation service

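Review bot: the REG12 rename from `Certificate request approval function` to `Certificate request management function` is not matched by its description, which still reads `Used to approve or reject subject certificate requests`; either keep the narrower name or extend the description to say what else the function manages, since T_REG05 later in this patch only covers approval. The rewritten paragraph changes `does provide support` to `does not provide support`, which corrects an inverted condition rather than just adding the REG01 and REG11 identifiers, so it deserves a mention in the commit message.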
@@ -444,19 +444,23 @@ Table 4.3 provides a list of assets for a PKI product that supports certificate

| Asset | Description |
| ---   | ---         |
| GEN01: CA private key data             | CA private signing keys. Can be stored on the secure cryptographic <br> module, if used |
| GEN02: Subject private key data        | Subject private decryption keys, if key recovery is supported |
| GEN01: CA key data                     | CA private signing keys |
| GEN02: Subject key data                | Subject private decryption keys |
| GEN11: Key management function         | Used to manage CA and subject private keys |
| GEN12: Certificate generation function | Used to sign certificates and CRLs |
| GEN21: Certificate generation user interface | E.g., remotely accessible web portal or locally accessible command <br> line interface |
| GEN22: Secure cryprographic device API | Logical interface for the secure cryptographic device |
| GEN22: Secure cryprographic device interface | Logical interface for the secure cryptographic device |

<strong>Table 4.3.</strong> Certificate generation assets
</div>

If the PKI product does not support the use of subject key generation or subject key recovery, then the subject private key data will not be present and the key management function will only be used to manage CA private keys.
If the PKI product supports the use of a secure cryptographic device, then the CA key data (GEN01) can be stored on the secure device.

If the PKI product does not support registration services, then certificate requests can either be submitted directly via the certificate generation service user interface or via a related logical interface.
If the PKI product does not support the use of a secure cryptographic device, then the secure cryptographic device interface (GEN22) will not be present. 

If the PKI product does not support the use of subject key generation or subject key recovery, then the subject key data (GEN02) will not be present and the key management function (GEN11) will only be used to manage CA private keys.

If the PKI product does not support registration services, then certificate requests can either be submitted directly via the certificate generation service user interface (GEN21) or via a related logical interface.

#### 4.2.6.4 Dissemination service

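Review bot: the `cryprographic` typo in the GEN22 row is carried into the new `Secure cryprographic device interface` line; fix it to `cryptographic` now that the row is being rewritten. The rename from `API` to `interface` also needs to reach the Table 4.8 rows later in this patch, where T_GEN11 and T_GEN12 still say `secure cryptographic device API`. Moving the storage remark from the GEN01 description (`Can be stored on the secure cryptographic module, if used`) into the paragraph below is fine, but note the wording changes from `module` to `device`; `device` is the term used everywhere else in the document, so that is the right direction.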
@@ -491,9 +495,10 @@ Table 4.5 provides a list of assets for a PKI product that supports revocation m
| REV21: Revocation management user interface     | E.g., remotely accessible web portal          |

<strong>Table 4.5.</strong> Revocation management assets

</div>

The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the revocation management function and user interface assets can be considered part of the corresponding certificate generation function and user interface assets.
The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the revocation management function (REV11) and user interface (REV21) assets can be considered part of the corresponding certificate generation function (GEN12) and user interface (GEN21) assets.

#### 4.2.6.6 Certificate status service

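Review bot: the blank line inserted between the `<strong>Table 4.5.</strong>` caption and `</div>` is inconsistent with Tables 4.2 and 4.3 in this patch, where `</div>` follows the caption directly; pick one layout for all asset tables. The identifiers added to the paragraph (REV11, REV21, GEN12, GEN21) match the asset tables above.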
@@ -514,16 +519,87 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate

### 4.2.7 Threats

#### 4.2.7.1 System administration

<div align="center">

| Threat | Asset | Property |
| --- | :---: | :---: |
| T_SYS01: Exploiting insecure settings in default system configuration <br> data   | SYS01 | Secure by<br> Default |
| T_SYS02: Modifying settings in unprotected system configuration data         | SYS01 | Integrity |
| T_SYS03: Disclosing sensitive parameters in unprotected system <br> configuration data | SYS01 | Confidentiality | 
| T_SYS04: Exploiting insecure user authentication credentials or access <br> rights in default user account data | SYS02 | Secure by<br> Default |
| T_SYS05: Modifying user authentication credentials or access rights in <br> unprotected user account data | SYS02 | Integrity |
| T_SYS06: Disclosing user authentication credentials in unprotected user <br> account data | SYS02 | Confidentiality |
| T_SYS07: Modifying or deleting events in unprotected event log data | SYS03 | Integrity, <br> Non-repudiation |
| T_SYS08: Accessing settings or sensitive paramters via an unprotected <br> system configuration management function | SYS11 |  Authorisation |
| T_SYS09: Accessing user authentication credentials or  access rights via <br> an unprotected user account management function | SYS12 |   Authorisation |
| T_SYS10: Accessing event logs via an unprotcted event log management <br> function | SYS13 |   Authorisation |
| T_SYS11: Disabling or rolling back software updates via an unprotected <br> software update function | SYS14 |  Authorisation |
| T_SYS12: Modifying settings in configuration data transferred via an <br> unprotected remote administration interface | SYS21 | Integrity |
| T_SYS13: Disclosing sensitive parameters in configuration data transferred <br> via an unprotected remoted administration interface | SYS21 | Confidentiality |
| T_SYS14: Accessing system administration functions via an unprotected <br> remote administration interface | SYS21 | Authentication |
| T_SYS15: Denying system administrator access via an unprotected remote <br> administration interface | SYS21 | Availability |
| T_SYS16: Accessing system administration functions via an unprotected <br> local administration interface | SYS22 | Authentication |

<strong>Table 4.6.</strong> System administration threats
</div>

 #### 4.2.7.2 Registration service

<div align="center">

 | Threat | Asset | Property |
 | --- | :---: | :---: |
 | T_REG01: Modifying information in unprotected subscriber data | REG01 | Integrity | 
 | T_REG02: Disclosing sensitive information in unprotected subscriber data | REG01 | Confidentiality |
 | T_REG03: Modifying an unprotected certificate request | REG02 | Integrity |
 | T_REG04: Accessing information via an unprotected subscriber management <br> function | REG 11 | Authorisation |
 | T_REG05: Approving a certificate request via an unprotected certificate <br> request management function | REG12 | Authorisation |
 | T_REG06: Modifying information in subscriber data or certificate requests <br> transferred via an unprotected registration user interface | REG21 | Integrity |
 | T_REG07: Disclosing sensitive information in subscriber data transferred via <br> an unprotected registration user interface | REG21 | Confidentiality |
 | T_REG08: Accessing registration service functions via an unprotected <br> registration user interface | REG21 |Authentication |
 | T_REG09: Denying system operator access via an unprotected registration <br> user interface | REG21 | Availability |
 | T_REG10: Denying subscriber access via an unprotected certificate request API | REG22 | Availability |

<strong>Table 4.7.</strong> Registration threats

</div>

If the PKI product does not provide support for subscriber management as part of its registration services, then the threats to the subscriber data (T_REG01, T_REG02) and subscriber management function (T_REG04) are not present.

 #### 4.2.7.3 Certificate generation service

<div align="center">

 | Threat | Asset | Property |
| --- | --- | --- |
| An attacker modifies a parameter in unprotected system configuration <br> data | SYS01 System configuration <br> data | Integrity |
| An attacker modifies a parameter via an unprotected system configuration <br> management function | System configuration <br> management function | Authorisation, <br> Authentication |
| An attacker | |
 | --- | :---: | :---: |
 | T_GEN01: Modifying CA private keys in unprotected CA key data  | GEN01 | Integrity |
 | T_GEN02: Disclosing CA private keys in unprotected CA key data | GEN01 | Confidentiality |
 | T_GEN03: Deleting CA private keys in unprotected CA key data | GEN01 | Availability | 
 | T_GEN04: Modifying subject private keys in unprotected subject key data | GEN02 | Integrity |
 | T_GEN05: Disclosing subject private keys in unprotected subject key data | GEN02 | Confidentiality |
 | T_GEN06: Deleting subject private keys in unprotected subject key data | GEN02 | Availability |
 | T_GEN07: Accessing CA or subject private keys via an unprotected key <br> management function | GEN11 | Authorisation |
 | T_GEN08: Accessing signing operations via an unprotected certificate <br> generation function | GEN12 | Authorisation |
 | T_GEN09: Accessing certificate generation functions via an unprotected <br> certificate generation user interface | GEN21 | Authentication |
 | T_GEN10: Denying system operator access via an unprotected certificate <br> generation user interface | GEN21 | Availability |
 | T_GEN11: Modifying information transferred between the product and a secure <br> cryptographic device via an unprotected secure cryptographic device API | GEN22 | Integrity |
 | T_GEN12: Disclosing sensitive information transferred between the product and <br> a secure cryptographic device via an unprotected secure cryptographic device API | GEN22 | Confidentiality |
 | T_GEN13: Disrupting the operation of the secure cryptographic device by requests <br> from the product over the secure cryographic device API | GEN22 | Impact |

<strong>Table 4.8.</strong> Certificate generation threats

</div>

NOTE 1: Accessing the functionality of the secure cryptographic device via an API that does not provide authentication or authorisation is a threat to the secure cryptoraphic device, not to the cyber security of the PKI product.

NOTE 2: Denying access to the secure cryptographic device via an API that does not provide availability is a threat to the secure cryptographic device, not to the cyber security of the PKI product. However, if the operation of the secure cryptographic device is impacted by, for example, the number of signing requests from the PKI product then this is relevant to the cyber security of the PKI product as it violates the principle of minimising the impact of the product on other devices and networks (T_GEN13). 

If the PKI product does not support the use of a secure cryptographic device, then the threats to the secure cryptographic device interface (T_GEN11 and T_GEN12) will not be present. 

If the product does not support subject key generation or key recovery, the threats to the subject key data (T_GEN04, T_GEN05 and T_GEN06) will not be present and the threat to the key management function (T_GEN07) will only cover the CA key data.

## 4.3 Security Profile 2 (SP2) - Web PKI
### 4.3.1  SP2 - Assets
### 4.3.2  SP2 - Essential Functions
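Review bot: Table 4.8 contains leftover draft rows that break the table: after the `| --- | --- | --- |` separator, the three `An attacker ...` rows (one of them the truncated `| An attacker | |`) render as data, and the second separator `| --- | :---: | :---: |` then becomes a literal row. Delete those four lines so the table has a single header and separator like Tables 4.6 and 4.7. Further points in this hunk: `REG 11` in T_REG04 should be `REG11`; T_GEN11 and T_GEN12 say `secure cryptographic device API` although GEN22 was renamed to `interface` earlier in this patch; the paragraph after NOTE 2 lists `T_GEN11 and T_GEN12` as the threats that disappear without a secure cryptographic device, but T_GEN13 is also a GEN22 threat and should be included; the `@@` context line shows the certificate status assets table is also introduced as `Table 4.5`, the same number as the revocation table, while the new threat tables start at 4.6, so one of the asset tables needs renumbering before the threat tables are numbered. Spelling: `paramters` (T_SYS08), `unprotcted` (T_SYS10), `remoted` (T_SYS13), `cryographic` (T_GEN13), `cryptoraphic` (NOTE 1). The `#### 4.2.7.2` and `#### 4.2.7.3` headings and the Table 4.7 rows carry a leading space, which is harmless in CommonMark but inconsistent with the rest of the file.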