@@ -232,25 +232,30 @@ For the purposes of the present document, the [following] abbreviations [given i
|TSP|Trust Service Provider|
# 4 Product context
# 4 Product contexts
> NOTE: This section's structure is built upon CEN/CLC JTC13 PT01's deliverable and might require restructuring based on its progress.
The present clause describes general and higher assurance product contexts for software products with digital elements used as part of Public Key Infrastructure (PKI) to manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates.
## 4.1 General
## 4.1 Use
The present clause describes general and higher assurance product contexts for software products with digital elements used as part of Public Key Infrastructure (PKI) to manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates.
### 4.1.1 PKI products
## 4.1.1 General
The present clause describes product contexts for products with digital elements used as part of a public key infrastructure (PKI) that manage the
validation, creation, issuance, distribution, status publication, renewal or revocation of digital
certificates, or the generation, storage, escrow, exchange, destruction or rotation of
cryptographic keys associated with such digital certificates.
<mark>
PSC: The existing structure implies there is a single product with different security profiles. In practice, there will be different products for different contexts. It is clearer to present these separately with any general comments collected in 4.1.
</mark>
## 4.2 Out of scope use/environments
### 4.1.2 Out of scope use/environments
_List uses/environments covered by other legislation or standards, such as industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc. Hoping to have a reusable generic list of these soon._
<mark> FIXME </mark>
## 4.3 Product overview and architecture
### 4.1.3 Product overview and architecture
_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._
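Review bot: the heading level of `## 4.1.1 General` is inconsistent with `### 4.1.1 PKI products`, `### 4.1.2 Out of scope use/environments` and `### 4.1.3 Product overview and architecture` in the same hunk; a three-part clause number under `## 4.1 Use` should be `### 4.1.1 General`, otherwise 4.1.2 and 4.1.3 render as children of 4.1.1 rather than of 4.1. The scope sentence "The present clause describes general and higher assurance product contexts ..." also appears twice verbatim (once under clause 4, once under 4.1) and is then restated in the new 4.1.1 text; keep one copy, and prefer the 4.1.1 wording since it drops the "general and higher assurance" single-product framing that the PSC comment in this hunk argues against. The new 4.1.1 paragraph is hard-wrapped mid-sentence ("manage the / validation, ...") unlike the rest of the document, and the `<mark>PSC: ...</mark>` comment, the "Hoping to have a reusable generic list of these soon" note and the `<mark> FIXME </mark>` are editorial remarks that should be resolved or moved to the PR description before merge.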
@@ -261,27 +266,23 @@ _Explain the overall architecture and relationship among the parts of the produc
<mark> FIXME: Use generic architectural descriptions (monolithic, microkernel, ...) or create a list of orthogonal properties (hardware access control for drivers, address space separation, ...) and differentiate based on that?
<mark> PSC: This could be used for a generic architecture description.</marK>
## 4.3 Use cases
### 4.1.4 Use cases
## 4.4 Essential functions
<mark> PSC: Suggest removing as this will be specific to each individual product context.</mark>
## 4.5 Security Profiles
The reasonably foreseeable use of the product is to support certification services provided by a Certification Authority (CA) to the public or to organisations in a critical sector, and where a compromise carries a significant risk of impact to the security of other products, networks or services, or to the health, security or safety of the public.
### 4.1.5 Essential functions
EXAMPLE 1: Software used to issue certificates for public web sites.
<mark>PSC: Suggest removing as this will be specific to each individual product context.</mark>
NOTE 1: Critical sectors include those listed in Annex I or II of Directive (EU) 2022/2555.
EXAMPLE 2: Software used to issue certificates for the energy sector.
The product supports one or more of the following component services (see ETSI EN 319 411-1):
- Registration service: registers and receives certificate requests from subscribers; verifies the identity and, if applicable, attributes of a subject; and passes verified certificate requests to the certificate generation service.
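Review bot: the inserted `### 4.1.5 Essential functions` heading and its "Suggest removing" mark land between the paragraph "The reasonably foreseeable use of the product is to support certification services ..." and its "EXAMPLE 1: Software used to issue certificates for public web sites.", which separates the example (and NOTE 1 on Directive (EU) 2022/2555) from the text it illustrates; place the heading before that paragraph or after EXAMPLE 2 so the paragraph, NOTE 1, EXAMPLE 1 and EXAMPLE 2 stay together. The `<mark> FIXME: Use generic architectural descriptions ...` line opens a `<mark>` that is never closed before the next `<mark> PSC: ...</marK>` opens, so the two comments nest and the second closing tag (with its stray capital K) is the only one; add `</mark>` at the end of the FIXME line. The old numbering had `## 4.3` twice (Product overview and architecture, Use cases); the renumbering to 4.1.3 and 4.1.4 fixes that, and is the right call.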
@@ -325,7 +326,7 @@ EXAMPLE 6: This service publishes Certificate Revocation Lists (CRLs) and respon
Each component service will require configuration and maintenance by system administrators.
#### 4.5.1.2.2 Logging
#### 4.2.2.2 Logging
In both contexts, the product will support logging of security events such as account access attempts, product configuration changes, and system warnings or errors.
The product will typically support some logging of events relevant to each of the component service it provides:
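Review bot: the renumbering to `#### 4.2.2.2 Logging` leaves the sentence "In both contexts, the product will support logging of security events ..." unchanged, but "both contexts" presupposes the old single-product, two-profile layout that this PR restructures into separate product contexts under 4.2; either name the contexts or drop the qualifier. Minor: "each of the component service it provides" should read "each of the component services it provides".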
@@ -336,7 +337,7 @@ The product will typically support some logging of events relevant to each of th
- Revocation management service events such as revocation requests and results.
#### 4.5.1.2.2 Accounts
#### 4.2.2.3 Accounts
In both contexts, the product will support one or more of the following user accounts:
- System administrator account: authorized to install, configure and update the product.
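Review bot: the old document numbered both Logging and Accounts as 4.5.1.2.2; `#### 4.2.2.3 Accounts` resolves the duplicate and follows on from 4.2.2.2 correctly. As in the Logging clause, "In both contexts, the product will support one or more of the following user accounts" still refers to the two-profile framing; reword to match the per-context structure so the account list reads as applying to this context.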
@@ -347,9 +348,11 @@ NOTE: This might consist of separate registration service operator, certificate
- System auditor account: authorized to view audit logs and other system data.
**Deployment**In the general context, the enterprise will have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed.
In the general context, the enterprise will have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed.
The PKI software can be expected to be deployed on servers within the enterprise's server rooms or data centre, or on a platform hosted by the enterprise's cloud service provider.
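Review bot: `**Deployment**In the general context, the enterprise will have a production system ...` runs the bold label straight into the paragraph with no space or line break, and the same sentence is repeated on the next line. The sibling clauses in the next hunk are `#### 4.2.3.2 Physical security` and `#### 4.2.3.3 Network security`, so this should be a heading of the same form, `#### 4.2.3.1 Deployment`, on its own line, followed by a single copy of the paragraph.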
@@ -359,17 +362,17 @@ If the certificate generation service in the production system uses a secure cry
NOTE 2: Security requirements for secure cryptographic devices are out of scope of the present document.
4.5.1.2 Physical security
#### 4.2.3.2 Physical security
An enterprise server room or data centre can be expected to have some physical access controls.
A cloud service provider can be expected to have strong physical security measures in place, but the servers hosting the PKI software are unlikely to be physically separated from other infrastructure.
4.5.1.3 Network security
#### 4.2.3.3 Network security
The enterprise can be expected to implement security controls such as firewalls on the edge of their network and deploy malware detection and removal software on their infrastructure.
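Review bot: NOTE 2 "Security requirements for secure cryptographic devices are out of scope of the present document" follows a sentence that begins "If the certificate generation service in the production system uses a secure cryptographic device"; the device itself being out of scope does not put the product's use of it out of scope (how the software authenticates to the device, protects the credentials it holds for it, and restricts which accounts may invoke signing), and the note should say so to avoid being read as excluding that interface. The physical security clause states that cloud-hosted servers "are unlikely to be physically separated from other infrastructure"; it would help the reader to add that the assumption is therefore logical rather than physical isolation of the hosts. The change from unmarked `4.5.1.2 Physical security` / `4.5.1.3 Network security` to `#### 4.2.3.2` / `#### 4.2.3.3` headings is correct.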
@@ -379,61 +382,22 @@ The enterprise can be expected to implement security controls such as firewalls
| Auditor | Personnel authorized to view and maintain audit logs.|
||
#### 4.5.1.5 SP1 - Threats
From Certificate Issuing and Management Components Protection Profile Version 1.5 11 August, 2011
Threats - Authorized Users
T.Administrative errors of omission - Administrators, Operators, Officers or Auditors fail to perform some function essential to security.
T.Administrators, Operators, Officers and Auditors commit errors or hostile actions – An Administrator, Operator, Officer or Auditor commits errors that change the intended security policy of the system or application or maliciously modify the system’s configuration to allow security violations to occur.
T.User abuses authorization to collect and/or send data - User abuses granted authorizations to improperly collect and/or send sensitive or security-critical data.
T.User error makes data inaccessible - User accidentally deletes user data rendering user data inaccessible.
Threats - System
T.Critical system component fails - Failure of one or more system components results in the loss of system critical functionality. Threat agent in this case is the CIMC hardware. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Flawed code - A system or applications developer delivers code that does not perform according to specifications or contains security flaws. Threat agent in this case is the PKI developer. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Malicious code exploitation - An authorized user, IT system, or hacker downloads and executes malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of the system assets. Threat agent could be an authorized user, PKI itself, or an unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying
party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Message content modification - A hacker modifies information that is intercepted from a communications link between two unsuspecting entities before passing it on to the intended recipient. Threat agent is an unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
### 4.2.5 SP1 - Threats
Threats – Cryptography
T.Disclosure of private and secret keys - A private or secret key is improperly disclosed. Threat agent is the authorized user or erroneous protocol. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Modification of private/secret keys - A secret/private key is modified. Threat agent is the authorized user or erroneous protocol. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP
Responses.
T.Sender denies sending information - The sender of a message denies sending the message to avoid accountability for sending the message and for subsequent action or inaction. Threat agent is a subscriber to CIMC. Adverse action can be reduced trust in CIMC.
Threats – External Attacks
T.Hacker gains access - A hacker masquerades as an authorized user to perform operations that will be attributed to the authorized user or a system process or gains undetected access to a system due to missing, weak and/or incorrectly implemented access control causing potential violations of integrity, confidentiality, or availability. Threat agent is the unauthorized user.
T.Hacker physical access - Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses. A hacker physically interacts with the system to exploit vulnerabilities in the physical environment, resulting in arbitrary security compromises. Threat agent is the unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Social engineering - A hacker uses social engineering techniques to gain information about system entry, system use, system design, or system operation. Threat agent is the unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
A Public Key Infrastructure (PKI) dedicated to Communicating Intelligent Transport Systems (C-ITS) is used to manage ITS related certificates to enable deployment of security functions over the different components of ITS systems, mainly signature and encryption of ITS messages. The PKI is responsible for the issuance, revocation, and overall management of certificates and certificate status information.
The PKI architecture and its functionalities considered here are the one standardized by the ETSI in ETSI TS 102 940 and ETSI TS 102 941.
The C-ITS PKI shall provide the different services required by the RCA, EC and AA roles defined by the European C-ITS trust model. In the figure we also identify the role of a Misbehaviour Authority (MA): entity responsible to receive misbehaviour reports coming from ITS-S identifying other misbehaving ITS and emits action requests to the other C-ITS PKI authorities to react to misbehaving behaviour of ITS-S. The current PP does not define requirement for the MA services since the MA communication and services are not yet fully define and standardized. However the PP should be updated when it is.
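Review bot: after this change `### 4.2.5 SP1 - Threats` has no body: the CIMC Protection Profile threat list that followed it is removed (and reappears as Annex P in the last hunk), and the next visible line is the C-ITS PKI paragraph "A Public Key Infrastructure (PKI) dedicated to Communicating Intelligent Transport Systems ...", so the C-ITS text now reads as the SP1 threats content. Add at least a sentence under 4.2.5 pointing to the annex (or a placeholder marked as such), and make sure the C-ITS context keeps its own heading ahead of that paragraph. In the retained C-ITS text, "The current PP does not define requirement for the MA services since the MA communication and services are not yet fully define and standardized" should read "does not define requirements ... not yet fully defined", "emits action requests" should be "issues action requests", and "PP" (protection profile) is not the term this document uses for itself.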
@@ -586,7 +550,7 @@ The C-ITS PKI shall provide the different services required by the RCA, EC and A
#### 4.5.3.2 SP3 - Essential Functions
### 4.4.2 SP3 - Essential Functions
|Function | description | Associated user/role |
|-|-|-|
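Review bot: `### 4.4.2 SP3 - Essential Functions` keeps the per-context essential functions while the generic 4.1.5 is proposed for removal, which is consistent with the PSC comment earlier in the diff. Minor: the table header `|Function | description | Associated user/role |` mixes capitalisation; use "Description".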
@@ -837,6 +801,50 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
## B.1.1 First subdivided clause of the annex
# Annex P: <br>CIMC Threats
_Old text moved from SP1 threats section_
From Certificate Issuing and Management Components Protection Profile Version 1.5 11 August, 2011
Threats - Authorized Users
T.Administrative errors of omission - Administrators, Operators, Officers or Auditors fail to perform some function essential to security.
T.Administrators, Operators, Officers and Auditors commit errors or hostile actions – An Administrator, Operator, Officer or Auditor commits errors that change the intended security policy of the system or application or maliciously modify the system’s configuration to allow security violations to occur.
T.User abuses authorization to collect and/or send data - User abuses granted authorizations to improperly collect and/or send sensitive or security-critical data.
T.User error makes data inaccessible - User accidentally deletes user data rendering user data inaccessible.
Threats - System
T.Critical system component fails - Failure of one or more system components results in the loss of system critical functionality. Threat agent in this case is the CIMC hardware. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Flawed code - A system or applications developer delivers code that does not perform according to specifications or contains security flaws. Threat agent in this case is the PKI developer. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Malicious code exploitation - An authorized user, IT system, or hacker downloads and executes malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of the system assets. Threat agent could be an authorized user, PKI itself, or an unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying
party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Message content modification - A hacker modifies information that is intercepted from a communications link between two unsuspecting entities before passing it on to the intended recipient. Threat agent is an unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
Threats – Cryptography
T.Disclosure of private and secret keys - A private or secret key is improperly disclosed. Threat agent is the authorized user or erroneous protocol. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Modification of private/secret keys - A secret/private key is modified. Threat agent is the authorized user or erroneous protocol. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP
Responses.
T.Sender denies sending information - The sender of a message denies sending the message to avoid accountability for sending the message and for subsequent action or inaction. Threat agent is a subscriber to CIMC. Adverse action can be reduced trust in CIMC.
Threats – External Attacks
T.Hacker gains access - A hacker masquerades as an authorized user to perform operations that will be attributed to the authorized user or a system process or gains undetected access to a system due to missing, weak and/or incorrectly implemented access control causing potential violations of integrity, confidentiality, or availability. Threat agent is the unauthorized user.
T.Hacker physical access - Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses. A hacker physically interacts with the system to exploit vulnerabilities in the physical environment, resulting in arbitrary security compromises. Threat agent is the unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
T.Social engineering - A hacker uses social engineering techniques to gain information about system entry, system use, system design, or system operation. Threat agent is the unauthorized user. Adverse action can be compromise of the security of the CIMC and/or relying party systems that rely on the PKI objects such as certificates, CRLs, or OCSP Responses.
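Review bot: the new `# Annex P: <br>CIMC Threats` follows the template placeholder `## B.1.1 First subdivided clause of the annex`, so the annex lettering jumps from B to P with nothing in between; either letter it sequentially or state why it is P, and drop the `<br>` from the heading since no other heading in the document uses HTML. `_Old text moved from SP1 threats section_` is an editorial note and should not ship; the source line "From Certificate Issuing and Management Components Protection Profile Version 1.5 11 August, 2011" belongs in the references clause with a proper citation and the annex marked informative. The copy carried over two defects from the original list: T.Hacker physical access has the sentence "Adverse action can be compromise of the security of the CIMC ..." both before and after its description, and T.Malicious code exploitation and T.Modification of private/secret keys are hard-wrapped mid-sentence ("relying / party", "OCSP / Responses"); fix both in the annex rather than preserving them.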