Commit a1a9951e authored by Sammy Haddad

Update file EN-304-624.md

parent eb644ef4
+214 −10
@@ -200,6 +200,16 @@ The following referenced documents may be useful in implementing an ETSI deliver

For the purposes of the present document, the [following] terms [given in ... and the following] apply:


## 3.2 Symbols
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:



## 3.3 Abbreviations

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

| Abreviation  | Definition             |
|--------------|-------------------------|
|AA|Authorization Authority (synonym to PCA)|
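Review bot: the header cell of the relocated abbreviations table reads `Abreviation`; it should be `Abbreviation`. The 3.2 Symbols and 3.3 Abbreviations headings moved here still carry the ETSI template placeholders (`[following]`, `[given in ... and the following]`) and 3.2 has no symbols listed under it; either fill in or delete the bracketed wording and, if there are no symbols, state that explicitly rather than leaving the section as a bare template sentence. The `AA` entry is glossed as a "synonym to PCA"; confirm that PCA itself has an entry in the table so the synonym resolves.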
@@ -224,14 +234,6 @@ For the purposes of the present document, the [following] terms [given in ... an
|TSL|Trust-service Status List|
|TSP|Trust Service Provider|

## 3.2 Symbols
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:



## 3.3 Abbreviations

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

# 4 Product context

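Review bot: removing the second copy of the 3.2 Symbols and 3.3 Abbreviations headings (the one that sat between the abbreviations table and `# 4 Product context`) is the right fix, since the copy placed before the table now defines both sections; confirm that nothing other than the two template sentences was under the removed headings, so no symbol or abbreviation definition was lost in the move. The blank line kept between the `TSP` row and `# 4 Product context` is what terminates the markdown table; keep it.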
@@ -439,6 +441,11 @@ A Public Key Infrastructure (PKI) dedicated to Communicating Intelligent Transpo
The PKI architecture and its functionalities considered here are the one standardized by the ETSI in ETSI TS 102 940 and ETSI TS 102 941.
The C-ITS PKI shall provide the different services required by the RCA, EC and AA roles defined by the European C-ITS trust model. In the figure we also identify the role of a Misbehaviour Authority (MA): entity responsible to receive misbehaviour reports coming from ITS-S identifying other misbehaving ITS and emits action requests to the other C-ITS PKI authorities to react to misbehaving behaviour of ITS-S. The current PP does not define requirement for the MA services since the MA communication and services are not yet fully define and standardized. However the PP should be updated when it is.

![~~CAPTION~~](media/C-ITS_PKI_Architecture.png)




#### 4.5.3.1  SP3 - Assets

<table border="1">
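Review bot: the new architecture figure uses the placeholder alt text `~~CAPTION~~`, and the paragraph above refers to it only as "the figure"; give it a real caption (e.g. "C-ITS PKI architecture") and a figure number so the reference is unambiguous. Minor wording in the same paragraph: "are the one standardized" should be "are the ones standardized", "emits action requests" should be "emit action requests", "does not define requirement" should be "does not define requirements", and "not yet fully define" should be "not yet fully defined". The three consecutive blank lines before `#### 4.5.3.1` can be collapsed to one.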
@@ -604,12 +611,209 @@ The C-ITS PKI shall provide the different services required by the RCA, EC and A
| Creation, deletion, management of user accounts | Users account can be created or deleted and the different account privileges can be set up according to the role | Configuration and management administrator|
| Verification of the  C-ITS PKI secure state | Verification of the current state of the  C-ITS PKI to verify that it is in a secure state (e.g. Code integrity validation regarding its signature, verification of the keys integrity, verification of the certificates validity) |Configuration and management administrator, Officer|

#### 4.5.3.3  SP3 - Operationnal environment requirements

#### 4.5.3.3  SP3 - Operationnal environment assumptions

<table border="1">
<thead>
	<tr><th>Name</th> <th>Description</th> </tr>
</thead>
<tbody> <tr>
<td>AE.Physical_Protection</td>
<td>Physical security commensurate with the value of the TOE and the data it contains shall be provided by the environment. Root CA CPOC TLM uses authorized personnel to continually monitor the facility housing equipment on a 7x24x365 basis. The operational environment (e.g. physical facility) shall never be left unattended. The personnel of the operational environment shall never have access to the secure areas of root CAs or SubCAs unless authorized. Equipment and data (HSM activation data backup of key pair computer log key ceremony script certificate request …) shall always be protected from unauthorized access. The physical security mechanisms for equipment at a minimum shall be in place to: ·         Monitor either manually or electronically for unauthorized intrusion at all times. ·         Ensure no unauthorized access to the hardware and activation data is permitted. ·         Ensure all removable media and paper containing sensitive plain-text information is stored in secure container. ·         Any individual non-authorized on permanent basis who is entering secure areas shall not be left without oversight by an authorized employee of the facilities (i.e. root CA CPOC and TLM facilities) ·         Ensure an access log is maintained and inspected periodically. ·         Provide at least 2 layers of increasing security such as perimeter building and operational room. ·         Require two trusted role physical access controls to both the cryptographic HSM and activation data.</td>
</tr>
<tr>
<td>AE.Trusted_Admin</td>
<td>TOE administrators shall follow and apply all administrator guidance in a trusted manner.</td>
</tr>
<tr>
<td>AE.Trusted_Hosts</td>
<td>It is assumed that the platform hosting the TOE is managed by a competent and trusted administrator and does not allow any attacker to access the hard disk when sensitive data are processed on the workstation by an authorized user. The user workstation must ensure effective protection against eavesdropping and unauthorized data transmission e.g.: correctly configured firewall up to-date antivirus software anti-spyware access to privileged accounts is protected all software security update have been installed and current version do not contain known vulnerabilities. It is assumed that there are no general-purpose computing capabilities (e.g. compilers or user applications) available on the TOE other than those services necessary for the operation administration and support of the TAE.</td>
</tr>
<tr>
<td>AE.Auditors Review Audit Logs</td>
<td>Audit Logs shall be reviewed in response to alerts based on irregularities and incidents within their CA systems and in addition periodically every year. Audit log is archived at least weekly. Log records related to certificate life cycles are kept at least five years after the corresponding certificate expires.</td>
</tr>
<tr>
<td>AE.HSM</td>
<td>The TOE environment provides a certified HSM which shall be used for: ·         Generating using administering and storing of private keys Generating and using of random numbers (assessment of the random number generation function shall be part of the security evaluation and certification) Creating backups of the private keys Deletion of private keys. The communication channel between the TOE and the HSM is physical secured (dedicated link). The cryptographic module shall be certified with one of the following Protection Profiles (PPs) with the Assurance Level EAL-4 or higher: ·         PPs for HSMs: ·         CEN EN 419221-2: Protection profiles for TSP Cryptographic modules-- Part 2: o   Cryptographic Module for CSP signing operations with backup o   CEN EN 419221-4: Protection profiles for TSP Cryptographic modules-- Part 4: Cryptographic module for CSP signing operations without backup o   CEN EN 419221-5: Protection profiles for TSP Cryptographic modules-- Part 5: - Cryptographic Module for Trust Services ·         PPs for Smartcards: o   CEN EN 419211-2: Protection profiles for secure signature creation device -- Part 2: Device with key generation o   CEN EN 419211-3: Protection profiles for secure signature creation device - Part 3: Device with key import</td>
</tr>
<tr>
<td>AE.Trusted_Time_Source</td>
<td>The runtime environment provides the TOE with exact date and time to ensure time stamp functions (audit traces generation request validity verification).</td>
</tr>
<tr>
<td>AE.Deployment</td>
<td>The TOE can be used to provide services to different kind of authorities. For each of those authority’s type the TOE shall be correctly configured and shall only provide services corresponding to the entity e.g. a RCA should not be able to deliver ATs an AA should not respond to EC requests etc.</td>
</tr>
</tbody>
</table>

#### 4.5.3.4  SP3 - Users

<table border="1">
<thead>
	<tr><th>Level 1</th> <th>Level 2</th> <th>Level 3</th> </tr>
</thead>
<tbody> <tr>
<td rowspan="2">ITS-S</td>
<td>VCS (Vehicle C-ITS station)</td>
<td rowspan="2">NA</td>
</tr>
<tr>
<td>RCS (Roadside ITS station)</td>
</tr>
<tr>
<td rowspan="10">Administrator</td>
<td rowspan="3">Configuration and management administrator</td>
<td>Configuration and management administrator RCA</td>
</tr>
<tr>
<td>Configuration and management administrator EA</td>
</tr>
<tr>
<td>Configuration and management administrator AA</td>
</tr>
<tr>
<td rowspan="3">Auditor</td>
<td>Auditor RCA</td>
</tr>
<tr>


<td>Auditor EA</td>
</tr>
<tr>


<td>Auditor AA</td>
</tr>
<tr>

<td rowspan="4">Officer</td>
<td>Officer RCA</td>
</tr>
<tr>


<td>Officer SubCA</td>
</tr>
<tr>


<td>Officer EA</td>
</tr>
<tr>


<td>Officer AA</td>
</tr>
<tr>
<td>Other IT entities</td>
<td>Manufacturer/operator servers</td>
<td>NA</td>
</tr>
</tbody>
</table>

#### 4.5.3.5  SP3 - Threats

The considered threats for the C-ITS PKI are illustrated in the following figure.

![~~CAPTION~~](media/ITS_PKI_Threats_200108.png)

<table border="1">
<thead>
	<tr><th>Name</th> <th>Description</th> <th>Related assets</th> </tr>
</thead>
<tbody> <tr>
<td>Remote attacker</td>


</tr>
<tr>
<td>T.MITM</td>
<td>A Remote attacker may exploit interactions between the TOE and the ITS-S to expose or tamper sensitive TOE or user data.</td>
<td>Canonical Public Key Enrolment Credential (EC) Authorization Ticket (AT) Canonical ID Tag HMAC key CRL CTL misbehavior report.</td>
</tr>
<tr>
<td>T.DOS</td>
<td>A Remote attacker disables communication between the TOE and the ITS station.</td>
<td>Software/execution of the software</td>
</tr>
<tr>
<td>T.ITS-S_Impersonation</td>
<td>A Remote attacker (Rogue ITS-S) sends fake requests in order to get valid EC and AT with forged attributes or fake MR in order to have targeted ITS-S to be considered misbehaving by the TAE.</td>
<td>EC AT MR</td>
</tr>
<tr>
<td>T.TrustListsReplay</td>
<td>A Remote attacker intercepts and respond to an ITS-S requesting for trust list (CRL CTL ECTL) updates by sending an old version.</td>
<td>CRL CTL ECTL</td>
</tr>
<tr>
<td>T.GlobalMisbehaviourReportingTampering</td>
<td>A Remote attacker may exploit interactions between the MA and the EA or AA in order to modify global misbehaving detection information in order to force wrong reaction either on correct ITS-S station or misbehaving stations.</td>
<td>MR CRL software</td>
</tr>
<tr>
<td>T.AuthorizationValidationProcessTampering</td>
<td>A Remote attacker may exploit interactions between the EA and AA in order to modify Authorization validation requests or responses to allow or deny inappropriate AT generation.</td>
<td>AT software</td>
</tr>
<tr>
<td>T.RegistrationTampering</td>
<td>A Remote attacker may exploit interactions between the manufacturer and the EA in order to modify or deny an ITS-S registration.</td>
<td>Canonical ID Canonical Public Key ITS-S Profile</td>
</tr>
<tr>
<td>Local attacker and Rogue Users</td>


</tr>
<tr>
<td>T.PrivateKeys</td>
<td>A Local attacker or Rogue user disclose or tamper to the TOE secrets i.e. Data encryption key or CA private keys.</td>
<td>Data encryption key CA private keys</td>
</tr>
<tr>
<td>T_Logs_Tampering</td>
<td>A Local attacker or Rogue user tries to modify the TOE’s Log File in order to hide its activities.</td>
<td>TSF Data</td>
</tr>
<tr>
<td>T_Logs_Discolsure</td>
<td>A Local attacker or Rogue user tries to gain access to the TOE’s Log File in order to gain sensitive information on the TOE’s security status and functions as well as other C-ITS stations.</td>
<td>TSF Data</td>
</tr>
<tr>
<td>T.Configuration_Tampering</td>
<td>A Local attacker or Rogue user tries to modify the TOE’s Certificate Policy configuration data and therefore compromise the integrity of the TOE’s applications or communication security.</td>
<td>Certificate Policy configuration data</td>
</tr>
<tr>
<td>T.Stored_Certificates_Tampering</td>
<td>A Local attacker or Rogue user tries to modify stored CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate content and therefore compromise the confidentiality or integrity of the TOE’s communications.</td>
<td>CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate</td>
</tr>
<tr>
<td>All attackers</td>


</tr>
<tr>
<td>T.Adminstrators_Impersonation</td>
<td>An attacker (Remote attacker Local attacker or Rogue user) may gain access to TOE information by impersonating an authorized user or via privilege escalation of the TOE and thus disclose or manipulate TOE assets.</td>
<td>Canonical Public Key CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate Canonical ID Tag HMAC key Certificate Policy configuration CRL CTL ITS-S Profile ECTL.</td>
</tr>
<tr>
<td>T.Software_Tampering</td>
<td>A Local or Remote attacker tries to modify the TOE’s software and therefore compromise the integrity of the TOE’s applications.</td>
<td>Software</td>
</tr>
</tbody>
</table>


#### 4.5.3.6  SP3 - Risks
#### 4.5.3.7  SP3 - Requirements
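Review bot: two consecutive headings are both numbered `#### 4.5.3.3` ("SP3 - Operationnal environment requirements" and "SP3 - Operationnal environment assumptions"), and the first has no content under it, so either drop the empty "requirements" heading or give it its own number and body; `Operationnal` should be `Operational` in both. In the assumptions table, the AE.Physical_Protection and AE.HSM cells carry Word bullet residue (`·`, `o`) and have lost the commas of their enumerations ("Root CA CPOC TLM", "HSM activation data backup of key pair computer log key ceremony script certificate request", the list of CEN EN 419221/419211 parts); convert these to `<ul>`/`<li>` lists and restore the separators, otherwise the physical-security controls and the accepted HSM protection profiles are hard to read, and name AE.Auditors Review Audit Logs with underscores like the other assumptions. AE.Trusted_Hosts ends with "support of the TAE", a term not used anywhere else in this section (the rest says TOE). In the threats table the group rows "Remote attacker", "Local attacker and Rogue Users" and "All attackers" are single `<td>` rows in a three-column table; use `<td colspan="3">` so they render as group headers, and remove the stray blank lines inside the `<tr>` elements of both tables. Threat identifiers are inconsistent: `T_Logs_Tampering` and `T_Logs_Discolsure` use an underscore instead of the `T.` prefix used everywhere else, and `Discolsure` and `Adminstrators` are misspelled. The users table lists "Officer SubCA" but no SubCA row for the configuration-and-management administrator or auditor roles, and expands VCS as "Vehicle C-ITS station" but RCS as "Roadside ITS station"; check whether these differences are intended. Finally, `#### 4.5.3.6  SP3 - Risks` and `#### 4.5.3.7  SP3 - Requirements` are added as empty sections on adjacent lines; if they are placeholders, say so in the body and separate them with a blank line.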