@@ -1023,7 +1023,7 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
| Local attacker and Rogue Users |
| T.PrivateKeys | A Local attacker or Rogue user disclose or tamper to the PKI secrets i.e. Data encryption key or CA private keys. | Data encryption key CA private keys |
| T.Logs_Tampering | A Local attacker or Rogue user tries to modify the PKI’s Log File in order to hide its activities. | PKI Data |
| T.Logs_Discolsure | A Local attacker or Rogue user tries to gain access to the PKI’s Log File in order to gain sensitive information on the PKI’s security status and functions as well as other C-ITS stations. | PKI Data |
| T.Logs_Disclosure | A Local attacker or Rogue user tries to gain access to the PKI’s Log File in order to gain sensitive information on the PKI’s security status and functions as well as other C-ITS stations. | PKI Data |
| T.Configuration_Tampering | A Local attacker or Rogue user tries to modify the PKI’s Certificate Policy configuration data and therefore compromise the integrity of the PKI’s applications or communication security. | Certificate Policy configuration data |
| T.Stored_Certificates_Tampering | A Local attacker or Rogue user tries to modify stored CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate content and therefore compromise the confidentiality or integrity of the PKI’s communications. | CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate |
| All attackers |
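Review bot: In the unchanged rows around the renamed T.Logs_Disclosure entry, the asset column runs several assets together without separators ("Data encryption key CA private keys", "CA Certificates Enrolment Credential (EC) Authorization Ticket (AT) TLM certificate"), so a reader cannot tell where one asset ends and the next begins. Since this table is being touched anyway, separate the assets with commas. The T.PrivateKeys description "disclose or tamper to the PKI secrets" should also read "discloses or tampers with the PKI secrets". The identifier rename itself looks right, provided every reference to the old spelling elsewhere in the document is updated in the same change.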
@@ -1043,42 +1043,42 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
- RATIONALE: The audit record timestamping and subject identification ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure
- RATIONALE: The audit record timestamping and subject identification ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure
- NOTE: The audit shall not include in plaintext any private or secret keys or other critical security parameters.
- APPLICABILITY: All use cases.
- REFERENCE: REQ-5.1-02
- REQUIREMENT: The audit record shall identify the timing source used to generate the timestamp. The timestamp shall be in the scope of the integrity protection of the audit record (to prevent manipulation of the time stamp after the event).
- RATIONALE: The audit record intergrity and timestamping validity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure
- RATIONALE: The audit record intergrity and timestamping validity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure
- APPLICABILITY: All use cases.
- REFERENCE: REQ-5.1-03
- REQUIREMENT: For audit events resulting from actions of identified users, the PKI shall be able to associate each auditable event with the identity of the user that caused the event.
- RATIONALE: The audit record intergrity and timestamping validity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure
- RATIONALE: The audit record intergrity and timestamping validity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure
- APPLICABILITY: All use cases.
- REFERENCE: REQ-5.1-04
- REQUIREMENT: The PKI shall protect the stored audit records in the audit log from unauthorised deletion.
- RATIONALE: The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure.
- RATIONALE: The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure.
- APPLICABILITY: All use cases.
- REFERENCE: REQ-5.1-05
- REQUIREMENT: The PKI shall be able to detect unauthorised modifications to the stored audit records during the audit.
- RATIONALE: The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure.
- RATIONALE: The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure.
- APPLICABILITY: All use cases.
- REFERENCE: REQ-5.1-06
- REQUIREMENT: The PKI shall prevent auditable events, except those taken by the auditor, if the audit log is full.
- RATIONALE: If the PKI system is properly deployed—with appropriate policies, effective system management, and regular log reviews—an overload of logs should be seen as a symptom of a potentially significant security issue. In such cases, corrective actions should be taken before operations return to normal. Meanwhile, a full audit log should never result in the loss of old audit records or prevent future auditable events from being recorded. The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure
- RATIONALE: If the PKI system is properly deployed—with appropriate policies, effective system management, and regular log reviews—an overload of logs should be seen as a symptom of a potentially significant security issue. In such cases, corrective actions should be taken before operations return to normal. Meanwhile, a full audit log should never result in the loss of old audit records or prevent future auditable events from being recorded. The audit record intergrity and availability ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure
- APPLICABILITY: Not applicable when PKI system operates using log rotation/pruning or any other mechanisms ensuring that audit logs cannot be full.
- REFERENCE: REQ-5.1-07
- REQUIREMENT: The PKI shall periodically create an audit log signing event in which it computes a digital signature, keyed hash, or authentication code over the entries in the audit log. The digital signature, keyed hash, or authentication code shall be computed over, at least:
a) every entry that has been added to the audit log since the previous audit log signing event;
b) the digital signature, keyed hash, or authentication code from the previous audit log signed event. The digital signature, keyed hash, or authentication code from the audit log signing event shall be included in the audit log.
- RATIONALE: All entries of the audit log, and the order and exhaustivity of batches of entries should impact authenticity checks of the audit log. The audit record integrity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators function : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure.
- RATIONALE: All entries of the audit log, and the order and exhaustivity of batches of entries should impact authenticity checks of the audit log. The audit record integrity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators function : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure.
NOTE: An audit log signing event is performed even if no entry was added to the audit log since the last one.
- APPLICABILITY: UC3 and UC4
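Review bot: The RATIONALE under REQ-5.1-03 is a copy of the REQ-5.1-02 text ("The audit record intergrity and timestamping validity ensure ...") although the requirement is about associating each auditable event with the identity of the user that caused it. It should be reworded to speak to user attribution. Every replacement RATIONALE line in this hunk also still carries "intergrity", "fonction" and "integrity ensure" next to the corrected T.Logs_Disclosure, so those can be fixed in the same pass ("integrity", "function", "ensures"). For REQ-5.1-06, the requirement says the PKI shall prevent auditable events when the log is full, while the rationale says a full log should never "prevent future auditable events from being recorded". Clarify that the first means blocking the operation and the second means not dropping records, so the two are not read as contradictory.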
@@ -1086,7 +1086,7 @@ NOTE: An audit log signing event is performed even if no entry was added to the
- REQUIREMENT: The PKI shall ensure the integrity of audit logs.
- RATIONALE: Integrity protection of audit logs ensures that all auditable events are traceable and that PKI operations can be reliably tracked for accountability and security monitoring. Not all integrity protection mechanisms can be foreseen so for
It covers misuse of users and administrators function : T_SYS02,T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure.
It covers misuse of users and administrators function : T_SYS02,T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure.
- APPLICABILITY: UC1, UC2
- NOTE: Not all integrity protection mechanisms can be foreseen so for use cases with lower regulation of standardization constraints (UC1, UC2) other appoaches can be valid and so not identified here.
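Review bot: The RATIONALE line just above the changed line ends mid-sentence ("Not all integrity protection mechanisms can be foreseen so for"), and the complete sentence already appears in the NOTE below. Drop the fragment from the RATIONALE so the paragraph ends at "security monitoring." In the replacement line, "T_SYS02,T_SYS05" is missing the space after the comma. This list also omits T_SYS04, which the other rationales in this section include, so please confirm that is intentional. The NOTE has "appoaches" for "approaches", and "lower regulation of standardization constraints" probably means "or".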
@@ -1095,7 +1095,7 @@ It covers misuse of users and administrators function : T_SYS02,T_SYS05, T_SYS07
- REFERENCE: REQ-5.1-08
- REQUIREMENT: The specified frequency at which the audit log signing event occurs shall be configurable.
- RATIONALE: The audit record intergrity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Discolsure.
- RATIONALE: The audit record intergrity ensure that all auditable events are traceable and misuse of the PKI functions can be traced. It covers misuse of users and administrators fonction : T_SYS02, T_SYS04, T_SYS05, T_SYS07, T_SYS10, T_REG01, T_REG03, T.Logs_Tampering, T.Logs_Disclosure.
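Review bot: The RATIONALE for REQ-5.1-08 repeats the generic integrity sentence and never says why the signing frequency has to be configurable, which is the actual requirement. Add a sentence tying the interval to what it controls, for example how many unsigned entries exist between two audit log signing events under REQ-5.1-07. The replacement line also keeps "intergrity ensure" and "fonction", which should be "integrity ensures" and "function".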