VE 14: Difference between revisions

Jump to navigation Jump to search

VE 14 (view source)

Revision as of 21:25, 5 April 2006

1,131 bytes added ,  5 April 2006
m
no edit summary
No edit summary
 
mNo edit summary
Line 1: Line 1:
==Appendix C: Cryptographic Security Policy==
==Appendix C: Cryptographic Security Policy==
'''AS14.01: (Levels 1, 2, 3, and 4)''' The cryptographic module security policy shall be included in the documentation provided by the vendor.
<P ALIGN=LEFT STYLE="margin-top: 0.19in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>AS14.01: (Levels 1, 2, 3, and 4)</FONT></B>The cryptographic module security policy shall be included in the documentation provided by the vendor.</FONT></FONT></FONT></P>
Required Vendor Information
<P ALIGN=LEFT STYLE="margin-top: 0.11in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>VE14.01.01</FONT></B> A diagram or image of the physical cryptographic module (if appropriate) shall be included in the security policy. The image may be used to indicate the security relevant features of the cryptographic module (e.g., tamper evidence, status indicator(s), user interface(s), power connection(s), etc).</FONT></FONT></FONT></P>
VE14.01.01: A diagram or image of the physical cryptographic module (if appropriate) shall be included in the security policy. The image may be used to indicate the security relevant features of the cryptographic module (e.g., tamper evidence, status indicator(s), user interface(s), power connection(s), etc).
Required Test Procedures
'''TE14.01.01''': The tester shall verify that the diagram or image is representational of the cryptographic module tested.
===C.1 Definition of Cryptographic Module Security Policy===
===C.1 Definition of Cryptographic Module Security Policy===
'''AS14.02''': (Levels 1, 2, 3, and 4) The cryptographic module security policy shall consist of:
<P ALIGN=LEFT STYLE="margin-top: 0.19in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>AS14.02: (Levels 1, 2, 3, and 4)</FONT></B>The cryptographic module security policy shall consist of:
a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard and the additional security rules imposed by the vendor.
a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard and the additional security rules imposed by the vendor.
Note: This assertion is tested as part of AS14.05-AS14.09.
Note: This assertion is tested as part of AS14.05-AS14.09.</FONT></FONT></FONT></P>
AS14.03: (Levels 1, 2, 3, and 4) The specification shall be sufficiently detailed to answer the following questions:
<P ALIGN=LEFT STYLE="margin-top: 0.19in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>AS14.03: (Levels 1, 2, 3, and 4)</FONT></B> The specification shall be sufficiently detailed to answer the following questions:
 
* What access does operator X, performing service Y while in role Z, have to security-relevant data item W for every role, service, and security-relevant data item contained in the cryptographic module?
What access does operator X, performing service Y while in role Z, have to security-relevant data item W for every role, service, and security-relevant data item contained in the cryptographic module?
 
• What physical mechanisms are implemented to protect the cryptographic module and what actions are required to ensure that the physical security of the module is maintained?


What security mechanisms are implemented in the cryptographic module to mitigate against attacks for which testable requirements are not defined in the standard?
* What physical mechanisms are implemented to protect the cryptographic module and what actions are required to ensure that the physical security of the module is maintained?


Note: This assertion is tested as part of AS14.05-AS14.09.
* What security mechanisms are implemented in the cryptographic module to mitigate against attacks for which testable requirements are not defined in the standard?
<br>
Note: This assertion is tested as part of AS14.05-AS14.09.</FONT></FONT></FONT></P>
===C.2 Purpose of Cryptographic Module Security Policy===
===C.2 Purpose of Cryptographic Module Security Policy===
Note: This assertion is not separately tested.
Note: This assertion is not separately tested.
===C.3 Specification of the cryptographic Module Security Policy===
===C.3 Specification of the cryptographic Module Security Policy===
'''AS14.04: (Levels 1, 2, 3, and 4)''' The cryptographic module security policy shall be expressed in terms of roles, services, and cryptographic keys and CSPs. At a minimum, the following shall be specified:
<P ALIGN=LEFT STYLE="margin-top: 0.19in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>AS14.04: (Levels 1, 2, 3, and 4)</FONT></B>The cryptographic module security policy shall be expressed in terms of roles, services, and cryptographic keys and CSPs. At a minimum, the following shall be specified:


an identification and authentication (I&A) policy,
* an identification and authentication (I&A) policy,


an access control policy,
* an access control policy,


a physical security policy, and
* a physical security policy, and
 
• a security policy for mitigation of other attacks.


* a security policy for mitigation of other attacks.
<br>
Note: This assertion is tested as part of AS14.05-AS14.09.
Note: This assertion is tested as part of AS14.05-AS14.09.
 
</FONT></FONT></FONT></P>
===C.3.1 Identification and Authentication Policy===
===C.3.1 Identification and Authentication Policy===
'''AS14.05: (Levels 1, 2, 3, and 4)''' The cryptographic module security policy shall specify an identification and authentication policy, including
<P ALIGN=LEFT STYLE="margin-top: 0.19in; margin-bottom: 0in"><FONT COLOR="#000000"><FONT FACE="Times New Roman, Times New Roman, serif"><FONT SIZE=3><B><FONT SIZE=4>AS14.01: (Levels 1, 2, 3, and 4)</FONT></B>The cryptographic module security policy shall be included in the documentation provided by the vendor.</FONT></FONT></FONT></P>'''AS14.05: (Levels 1, 2, 3, and 4)''' The cryptographic module security policy shall specify an identification and authentication policy, including


all roles (e.g., user, crypto officer, and maintenance) and associated type of authentication (e.g., identity-based, role-based, or none) and
* all roles (e.g., user, crypto officer, and maintenance) and associated type of authentication (e.g., identity-based, role-based, or none) and


the authentication data required of each role or operator (e.g., password or biometric data) and the corresponding strength of the authentication mechanism.
* the authentication data required of each role or operator (e.g., password or biometric data) and the corresponding strength of the authentication mechanism.


Required Vendor Information
Required Vendor Information
Neil.williams
198

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/23432"

Navigation menu