Protection profile for trustworthy systems supporting time stamping

This European Standard specifies a protection profile for trustworthy systems supporting time stamping.

Schutzprofil für vertrauenswürdige Systeme, die Zeitstempel unterstützen

Profil de protection pour systèmes fiables d’horodatage

La présente Norme européenne spécifie un profil de protection pour des systèmes fiables d’horodatage.

Profil zaščite zaupanja vrednih sistemov, ki podpirajo časovne žige

Ta evropski standard določa profil zaščite zaupanja vrednih sistemov, ki podpirajo časovne žige.

General Information

Status
Published
Publication Date
29-Sep-2019
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
05-Sep-2019
Due Date
10-Nov-2019
Completion Date
30-Sep-2019

Buy Standard

Standard
SIST EN 419231:2019 - BARVE na PDF-str 16,17,18,19
English language
63 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN 419231:2019
01-november-2019
Profil zaščite zaupanja vrednih sistemov, ki podpirajo časovne žige
Protection profile for trustworthy systems supporting time stamping
Schutzprofil für vertrauenswürdige Systeme, die Zeitstempel unterstützen
Profil de protection pour systèmes fiables d’horodatage
Ta slovenski standard je istoveten z: EN 419231:2019
ICS:
35.030 Informacijska varnost IT Security
35.040.01 Kodiranje informacij na Information coding in general
splošno
SIST EN 419231:2019 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 419231:2019
---------------------- Page: 2 ----------------------
SIST EN 419231:2019
EN 419231
EUROPEAN STANDARD
NORME EUROPÉENNE
August 2019
EUROPÄISCHE NORM
ICS 35.030; 35.040.01
English Version
Protection profile for trustworthy systems supporting
time stamping

Profil de protection pour des systèmes fiables Schutzprofil für vertrauenswürdige Systeme, die

d'horodatage Zeitstempel unterstützen
This European Standard was approved by CEN on 7 July 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this

European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references

concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN

member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management

Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,

Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,

Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and

United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2019 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN 419231:2019 E

worldwide for CEN national Members.
---------------------- Page: 3 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

Introduction .................................................................................................................................................................... 4

1 Scope .................................................................................................................................................................... 5

2 Normative references .................................................................................................................................... 5

3 Terms, definitions and abbreviations ..................................................................................................... 5

3.1 Terms and definitions ................................................................................................................................... 5

3.2 Abbreviations ................................................................................................................................................ 11

4 Introduction ................................................................................................................................................... 12

4.1 PP reference ................................................................................................................................................... 12

4.2 TOE overview ................................................................................................................................................. 12

5 Conformance claims .................................................................................................................................... 18

5.1 CC conformance claim ................................................................................................................................ 18

5.2 PP claim ........................................................................................................................................................... 18

5.3 Conformance rationale .............................................................................................................................. 18

5.4 Conformance statement ............................................................................................................................. 18

6 Security problem definition ..................................................................................................................... 19

6.1 TOE assets ....................................................................................................................................................... 19

6.2 Threats ............................................................................................................................................................. 21

6.3 Organizational security policies ............................................................................................................. 24

6.4 Assumptions ................................................................................................................................................... 25

7 Security objectives ....................................................................................................................................... 27

7.1 General ............................................................................................................................................................. 27

7.2 Security objectives for the TOE ............................................................................................................... 27

7.3 Security objectives for the operational environment ..................................................................... 29

7.4 Security objectives rationale ................................................................................................................... 31

8 Security functional requirements .......................................................................................................... 37

8.1 General ............................................................................................................................................................. 37

8.2 Subjects, objects, operations and security attributes ..................................................................... 37

8.3 Security requirements operations ......................................................................................................... 40

8.4 User Data Protection (FDP) ...................................................................................................................... 40

8.5 Security Management (FMT) .................................................................................................................... 47

8.6 Protection of the TSF (FPT) ...................................................................................................................... 50

8.7 Trusted Path/Channels (FTP).................................................................................................................. 50

8.8 Cryptographic Support (FCS) ................................................................................................................... 51

8.9 Identification and Authentication (FIA) .............................................................................................. 52

8.10 Security Audit (FAU) ................................................................................................................................... 52

9 Security assurance requirements .......................................................................................................... 54

10 Security requirements rationale ............................................................................................................ 55

10.1 Security functional requirements rationale ....................................................................................... 55

10.2 Security assurance requirements rationale ....................................................................................... 61

Bibliography ................................................................................................................................................................. 63

---------------------- Page: 4 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
European foreword

This document (EN 419231:2019) has been prepared by Technical Committee CEN/TC 224 “Personal

identification, electronic signature and cards and their related systems and operations”, the secretariat

of which is held by AFNOR.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by February 2020, and conflicting national standards shall

be withdrawn at the latest by February 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CEN by the European Commission and the

European Free Trade Association.

According to the CEN-CENELEC Internal Regulations, the national standards organisations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,

Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,

Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North

Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United

Kingdom.
---------------------- Page: 5 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
Introduction

This document specifies a protection profile for a software component that is part of time stamping

system that provides time-stamp tokens to requesters. The TOE operational environment is composed of

an operating system, other software applications, drivers and an external UTC time source that is

considered to be trusted by the TOE. When a cryptographic module is being used, it is outside of the TOE

perimeter.

The TOE is expected to be protected by physical and organisational protection measures implemented

by the TOE environment. Those measures are expected to restrict the TOE physical access (e.g. for

administration purposes) to authorized persons only and are expected to require dual control.

ETSI EN 319 421 specifies additional policy and security requirements relating to the operation and

management practices of TSPs issuing time-stamps.

This protection profile is issued by the European Committee for Standardization, Information Society

Standardization System (CEN/ISSS).
Correspondence and comments to this document should be referred to:
Editor: Dr. Jorge López Hernández-Ardieta
Email: jlhardieta@indra.es
Main contributor: Mr. Julien Groslambert
Email: julien.groslambert@mybusinesseducation.fr
After EN approval the contact address will be:
CEN/ISSS Secretariat
Rue de Stassart 36
1050 Brussels, Belgium
Tel +32 2 550 0813
Fax +32 2 550 0966
Email: isss@cenorm.be
For Revision history, see Annex A.
For document structure, see Annex B.
---------------------- Page: 6 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
1 Scope

This document specifies a protection profile for trustworthy systems supporting time stamping.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

CEN/TS 419221-2, Protection Profiles for TSP cryptographic modules - Part 2: Cryptographic module for

CSP signing operations with backup

CEN/TS 419221-4, Protection Profiles for TSP cryptographic modules - Part 4: Cryptographic module for

CSP signing operations without backup

EN 419221-5, Protection Profiles for TSP Cryptographic Modules - Part 5: Cryptographic Module for Trust

Services

ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT

security

ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic

modules

ETSI EN 319 421:2016, Electronic Signatures and Infrastructures (ESI) - Policy and Security Requirements

for Trust Service Providers providing Time-Stamping
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
Coordinated Universal Time
UTC
time scale based on the second as defined in TF.460-6

Note 1 to entry: For most practical purposes UTC is equivalent to mean solar time at the prime meridian (0°).

More specifically, UTC is a compromise between the highly stable atomic time (Temps Atomique International -

TAI) and solar time derived from the irregular Earth rotation (related to the Greenwich mean sidereal time (GMST)

by a conventional relationship).
The following documents are equivalent to ISO/IEC 15408:

Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; Version 3.1, Revision

4. CCMB-2012-09-002, September 2012.

Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components; Version 3.1, Revision

4. CCMB-2012-09-003, September 2012.
---------------------- Page: 7 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.1.2
requester

legal or natural person to whom a time-stamp token is issued and who is bound to any requester

obligations
3.1.3
time-stamping policy

named set of rules that indicates the applicability of a time-stamp token to a particular community and/or

class of application with common security requirements
3.1.4
time-stamp token

data object that binds a representation of a datum to a particular time, thus establishing evidence that

the datum existed before that time
3.1.5
time-stamping authority
TSA

authority which issues time-stamp tokens using one or more time stamping units (TSUs)

3.1.6
time-stamping unit
TSU

set of hardware and software which is managed as a unit and has a single time-stamp token signing key

active at a time
3.1.7
TSA system

composition of IT products and components organized to support the provision of time-stamping

services
3.1.8
time-stamping service
service that generates and provides time-stamp tokens
3.1.9
electronic signature

data in electronic form which is attached to or logically associated with other electronic data in electronic

form and which is used by the signatory to sign
[SOURCE: Reg. eIDAS]
---------------------- Page: 8 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.1.10
advanced electronic signature
electronic signature which meets the following requirements:
a) it is uniquely linked to the signatory;
b) it is capable of identifying the signatory;

c) it is created using electronic signature creation data that the signatory can, with a high level of

confidence, use under his sole control; and

d) it is linked to the data signed therewith in such a way that any subsequent change in the data are

detectable
[SOURCE: Reg. eIDAS modified]
3.1.11
qualified electronic signature

advanced electronic signature that is created by a qualified electronic signature creation device, and

which is based on a qualified certificate for electronic signatures
[SOURCE: Reg. eIDAS]
3.1.12
signatory
natural person who creates an electronic signature
[SOURCE: Reg. eIDAS]
3.1.13
electronic signature-creation data
unique data which is used by the signatory to create an electronic signature
[SOURCE: Reg. eIDAS]
3.1.14
electronic signature-creation device
configured software or hardware used to create an electronic signature
[SOURCE: Reg. eIDAS]
3.1.15
qualified electronic- signature-creation device

electronic signature creation device that meets the requirements in Annex II of eIDAS Regulation

[SOURCE: Reg. eIDAS modifed]
3.1.16
signature-verification-data or validation data
data that is used to validate an electronic signature or an electronic seal
[SOURCE: Reg. eIDAS]
---------------------- Page: 9 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.1.17
certificate for electronic signature

electronic attestation which links electronic signature validation data to a natural person and confirms

at least the name or the pseudonym of that person
[SOURCE: Reg. eIDAS]
3.1.18
qualified certificate for electronic signature

certificate for electronic signatures that is issued by a qualified trust service provider and meets the

requirements laid down in Annex I of eIDAS Regulation
[SOURCE: Reg. eIDAS modified]
3.1.19
certification-service-provider

electronic service normally provided for remuneration which consists of issuance of certificates related

to the services of creation, verification, and validation of electronic signatures and electronic seals

[SOURCE: Reg. eIDAS modified]
3.1.20
trustworthy system

information system or product implemented as either hardware and/or software that produces reliable

and authentic records which are protected against modification and additionally ensures the technical

and cryptographic security of the processes supported by it
3.1.21
self-signed certificate
certificate for one CA signed by that CA
[SOURCE: RFC 5280]
3.1.22
certificate policy

named set of rules that indicates the applicability of a certificate to a particular community and/or class

of application with common security requirements
[SOURCE: ISO/IEC 9594-8; ITU-T X.509]
3.1.23
certification authority (CA)

authority trusted by one or more users to create and assign certificates. Optionally the certification

authority may create the users’ keys
[SOURCE: ISO/IEC 9594-8; ITU-T X.509]
3.1.24
end entity

certificate subject which uses its private key for purposes other than signing certificates

[SOURCE: ISO/IEC 9594-8; ITU-T X.509]
---------------------- Page: 10 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.1.25
relying party
user or agent that relies on the data in a certificate in making decisions
[SOURCE: RFC 5280]
3.1.26
security policy

set of rules laid down by the security authority governing the use and provision of security services and

facilities
[SOURCE: ISO/IEC 9594-8; ITU-T X.509]
3.1.27
activation data

data values, other than keys, that are required to operate cryptographic devices and that need to be

protected (e. g., a PIN, a passphrase, or a manually-held key share)
[SOURCE: RFC 3647]
3.1.28
public key
that key of an entity’s asymmetric key pair which can be made public
[SOURCE: ISO/IEC 9798-1]
3.1.29
private key

that key of an entity's asymmetric key pair which should only be used by that entity

[SOURCE: ISO/IEC 9798-1]
3.1.30
hash function

function which maps string of bits to fixed-length strings of bits, satisfying the following two properties:

a) it is computationally infeasible to find for a given output an input which maps to this output;

b) it is computationally infeasible to find for a given input a second input which maps to the same output

[SOURCE: ISO/IEC 10118-1]
---------------------- Page: 11 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.1.31
digital signature

data appended to, or a cryptographic transformation (see cryptography) of, a data unit that allows a

recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g.

by the recipient
[SOURCE: ISO 7498-2:1989]
3.1.32
authentication data
data used to verify the claimed identity of a user requesting services from TWS
3.1.33
subject

entity identified in a certificate as the holder of the private key associated with the public key given in the

certificate
3.1.34
registration service

service that verifies the identity and, if applicable, any specific attributes of a subject

Note 1 to entry: The results of this service are passed to the Certificate Generation Service

3.1.35
certificate generation service

service that creates and sign certificates based on the identity and other attributes verified by the

registration service
3.1.36
dissemination service

service that disseminates certificates to subjects, and if the subject consents, to relying parties as well as

the CA’s policy & practice information to subjects and relying parties
3.1.37
revocation management service

service that processes requests and reports relating to revocation to determine the necessary action to

be taken

Note 1 to entry: The results of this service are distributed through the Revocation Status Service

3.1.38
revocation status service

service that provides certificate revocation status information to relying parties; this service may be a

real-time service or may be based on revocation status information which is updated at regular intervals

3.1.39
cryptographic device

hardware-based cryptographic device that generates stores and protects cryptographic keys and

provides a secure environment in which to perform cryptographic functions
3.1.40
subject device provision service
service that prepares and provides a signature creation device to subjects
---------------------- Page: 12 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
3.2 Abbreviations
For the purposes of this document, the following abbreviations apply.
ARL Authority Revocation List
CA Certification Authority
CEN Comité Européen de Normalisation (European Committee for Standardization)
CEN/ISSS CEN Information Society Standardization System
CP Certificate Policy
CRL Certificate Revocation List
CSP Certification Service Provider
EC European Commission
EESSI European Electronic Signature Standardization Initiative
ETSI European Telecommunications Standards Institute
HSM Hardware Security Module
ISSS Information Society Standardization System
NQC Non-Qualified Certificate
OCSP Online Certificate Status Protocol
OS Operating System
OSP Organisational Security Policy
PKI Public Key Infrastructure
PP Protection Profile
QC Qualified Certificate
SCDev Signature-Creation Device
SSCD Secure-Signature-Creation Device
ST Security Target
TSA Time-Stamping Authority
TSP Trust Service Provider
TSS Time-Stamping Service
TST Time-Stamp Token
TWS Trustworthy System
WORM Write Once Read Many
WS/E-SIGN CEN/ISSS Electronic Signatures workshop
---------------------- Page: 13 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
4 Introduction
4.1 PP reference
Title: Protection profile for trustworthy systems supporting time stamping
Authors: Jorge López Hernández-Ardieta, Julien Groslambert
Version: 0,17
Publication date: 24th September 2018
4.2 TOE overview
4.2.1 TOE type

The TOE corresponds to a software component running on an operating system and that provides time-

stamps generation services to its requesters. Hardware and other software components (e.g. operating

system, drivers, and other software applications) that might be needed by the TOE to provide its services

are considered part of the TOE operational environment. The TOE shall use a hardware secure module

(HSM) for the implementation of the cryptographic operations.
4.2.2 TOE usage and major security features

The TOE is a software component that provides services for the generation of time-stamps in a manner

that:

— It is able to receive and process time-stamping requests from external users (requesters), protecting

the integrity of the requests when managed by the TOE.

— The integrity of the time-stamps produced by the TOE is protected when created and managed by

the TOE and during transfer from the TOE to an external entity.

— Any external entity can verify the authentication of the time-stamps produced by the TOE.

— The TOE services (user identity and role management, TSU initialisation, start of TSU operation, stop

of TSU operation, finalisation of TSU operation, generation of key pair, public key export for

certificate request, certificate import, timestamp token generation and internal audit) are only used

in an authorized way.

— The time included in the time-stamps is synchronised with a trusted UTC time source.

The TOE shall provide the following additional functions to protect the TOE services:

— User authentication and access control, except for requesters (see roles below).

— Auditing of security-relevant events produced within the TOE boundaries.
The TOE shall handle the following user data:

— Time-stamping request: Time-stamping request sent by the requester to the TOE in order to obtain

a time-stamp.

— Time-stamp: Time-stamp generated and signed by the TOE based on the time-stamp request

information, and using the active private key of the time stamping context of the TSU.

— Time-stamp context: Set of data that comprises all the information needed to operate a TSU.

---------------------- Page: 14 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)

— Internal clock: Internal time used by the TSU that provides the date and time corresponding to UTC

time included in each time-stamp.

— Cryptographic key pair: Public key used by external entities to verify the integrity and origin

authentication of the TOE signed time-stamps, and handler to the private key used by the TSU to

digitally sign the time-stamps.
— Audit data: Internal audit records produced by the TOE.
The TOE shall, as a minimum, support the following user categories (roles):

— Requester of the TOE services: external entity that sends time-stamping requests to the TOE and

expects to receive a time-stamp signed by the TOE.

— Security Officer: Overall responsibility for administering the implementation of the security practices

as well as administering the TSU.

— System Administrator: Authorized to install, configure and maintain the TOE and the trustworthy

systems of the operational environment for time-stamping management.

— System Operator: Responsible for operating the TOE and the trustworthy systems of the operational

environment on a day-to-day basis. Authorized to perform system backup and recovery.

— System Auditor: Authorized to view archives and audit logs of the TOE and the trustworthy systems

of the operational environment.

Any user accessing the time-stamp generation service is regarded as a Requester. This service may be not

authenticated and there may be no access control mechanism. Notwithstanding, the TOE will not process

the authentication data, and thus the requests will be treated as non-authenticated.

The TOE may support other roles or sub-roles in addition to the roles specified above. The roles may also

be allowed to perform additional functions provided by the TOE as long as the separation between

different roles is given. None of those additional roles shall be able to access the security-related and

management services restricted to the Security Officer role.

The interface to the TOE may be either shared between the different user categories, or separated for

certain functions. Authentication for all user categories shall be identity-based, except for the Requester,

who accesses non-authenticated services.

Figure 1 shows an overview of the TOE and its relations with the operational environment and TOE users.

---------------------- Page: 15 ----------------------
SIST EN 419231:2019
EN 419231:2019 (E)
Figure 1 — The TOE in its environment

The TOE is a piece of software that is part of a time-stamping system. The time-stamping system is also

composed of a computer (typically a server containing hardware, an operating system (OS) and some

drivers) running the TOE and a cryptographic module. The TOE is directly interacting with the requester,

that exchange with the TOE to obtain timestamps and a Security Officer that is in charge of the

configuration of the TOE. The Time Stamping System in general is in interaction with the System

Administrator, System Operator and System Auditor on one hand, and an external trusted time source on

the other hand.

The Time Stamping System is part of the operational environment where the TOE resides. It contains

non-TOE elements such as the Operating System or the Cryptographic Module. Figure 2 shows the details

of the TOE in terms of functional components that are part of it, as well as the messages/opera

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.