Certification Report: 2010-35-INF

Certification Report: 2010-35-INF

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

REF: 2010-35-INF-627 V1

Distribution: Public

Date: 18.04.2011

Created: CERT3

Reviewed: TECNICO

Approved: JEFEAREA

CERTIFICATION REPORT FOR EADS AIR SEGMENT SYSTEMS PROTECTION

PROFILE (ASS-PP), Issue B

Dossier: 2010-35 EADS AIR SEGMENT SYSTEMS PP Issue B

References:

Issue B

- [EXT-1201] Evaluation Technical Report of EADS AIR SEGMENT SYSTEMS

PP Issue B, 01.03.2011, Ed. 1.0, CESTI-INTA

Certification report of EADS AIR SEGMENT SYSTEMS PROTECTION PROFILE

ISSUE B, as requested by EADS-CASA in [EXT-1108] dated 13-12-2010, and evaluated by the laboratory CESTI-INTA, as detailed in the Evaluation Technical

Report [EXT-1201] received on March 8 th

2011, and in compliance with CCRA and

SOGIS for components up to EAL4.

Página 1 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

Table Of Contents

SUMMARY........................................................................................................................................................... 3

PP S

UMMARY

..................................................................................................................................................... 3

S

ECURITY

A

SSURANCE

C

OMPONENTS

................................................................................................................ 3

S

ECURITY

F

UNCTIONAL

C

OMPONENTS

............................................................................................................... 4

IDENTIFICATION .............................................................................................................................................. 4

SECURITY POLICIES ....................................................................................................................................... 4

ASSUMPTIONS AND OPERATIONAL ENVIRONMENT............................................................................ 5

T

HREATS

............................................................................................................................................................ 6

O

PERATIONAL ENVIRONMENT OBJECTIVES

......................................................................................................... 7

TOE ARCHITECTURE ...................................................................................................................................... 8

DOCUMENTS ...................................................................................................................................................... 9

TOE TESTING ..................................................................................................................................................... 9

TOE CONFIGURATION .................................................................................................................................... 9

EVALUATION RESULTS .................................................................................................................................. 9

COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM ....................................... 10

CERTIFIER RECOMMENDATIONS ............................................................................................................ 10

GLOSSARY ........................................................................................................................................................ 10

BIBLIOGRAPHY............................................................................................................................................... 11

SECURITY TARGET........................................................................................................................................ 11

Página 2 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

SUMMARY

This document constitutes the Certification Report for the protection profile “EADS

AIR SEGMENT SYSTEMS”, Issue B, developed by EADS-CASA.

Developer/manufacturer: EADS-CASA

Sponsor: EADS-CASA

Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de

Inteligencia (CNI).

ITSEF: CESTI-INTA

Protection Profile: -

Evaluation Level: CC v3.1 r3 EAL3.

Evaluation end date: 01/03/2011.

All the assurance components required by the level EAL3 have been assigned a

“PASS” verdict. Consequently, the laboratory (CESTI-INTA) assigns the “PASS”

VERDICT to the whole evaluation due all the evaluator actions are satisfied for the

EAL3 methodology, as define by of the Common Criteria [CC-P3] and the Common

Methodology [CEM].

Considering the obtained evidences during the instruction of the certification request of the EADS AIR SEGMENT SYSTEMS PROTECTION PROFILE, Issue B, a positive resolution is proposed.

PP Summary

Air Segment Systems are these systems used by the aircraft crew or by the aircraft computers and sensors to store, record or manage information during mission.

This TOE reference to a military-purpose Air Segment Systems which allows to fly the aircraft, to manage the mission data and to use data links.

Security Assurance Components

The protection profile was evaluated with all the evidence required to fulfil EAL3, according to CC Part 3 [CC-P3].

Assurance Class: Protection Profile Evaluation (APE)

Assurance Components:

- APE_CCL.1

- APE_ECD.1

- APE_INT.1

- APE_OBJ.2

- APE_REQ.2

- APE_SPD.1

Página 3 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

Security Functional Components

The security functional components contained in this PP are based on the components in [CC-P2]. The functional components satisfied by the protection profile are:

- FAU_GEN.1 Audit Data Generation

- FAU_SAR.1 Audit review

- FAU_SAR.2 Restricted audit review

- FCS_CKM.4 Cryptographic key destruction

- FCS_COP.1 Cryptographic operation

- FDP_ACC.1 Subset access control

- FDP_ACF.1 Security attribute based access control

- FDP_IFC.1 Subset information flow control

- FDP_IFF.1 Simple security attributes

- FDP_ITC.1 Import of user data without security attributes

- FDP_RIP.1 Subset residual information protection

- FDP_UCT.1 Basic data exchange confidentiality

- FDP_UIT.1 Data exchange integrity

- FMT_MSA.1 Management of security attributes

- FMT_MSA.3 Static attribute initialisation

- FMT_SMR.1 Security roles

- FPT_STM.1 Reliable time stamps

IDENTIFICATION

Protection Profile: EADS AIR SEGMENT SYSTEMS PROTECTION PROFILE, Issue

B

Document no. : DT-T-MEP24-10002

Evaluation Level: CC v3.1 r3 EAL3

SECURITY POLICIES

The usage of the Protection Profile implies to implement some organizational policies that assure the commitment of different demands of security. The details

Página 4 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN about them are included in the Protection Profile. In synthesis, the necessity settles down to implement the following organizational policies.

P.ACCOUNTABILITY

The users of the TOE shall be held accountable for their actions within the TOE.

P.AUTHORISED_USERS

Only those users who have been authorized access to information within the system may access the TOE.

P.NEED_TO_KNOW

The TOE must limit the access to, modification of, and deletion of the objects to those authorized users which have a “need to know” for that information. The access rights to specific data objects are determined by the owner of the object, the role of the subject attempting access, and the implicit and explicit access rights to the object granted to the role by the object owner.

ASSUMPTIONS AND OPERATIONAL ENVIRONMENT

The following assumptions are constraints to the conditions used to assure the security properties and functionalities compiled by the protection profile.

In order to assure the secure use of a product compliant with this protection profile, the TOE, it is necessary to start from these assumptions for its operational environment. If this is not possible and any of them could not be assumed, it would not be possible to assure the secure operation of the product.

A.CLEARANCE

All persons requiring access to the Aircraft TOE which manage sensitive data shall have a clearance that dominates the protecting marking of that data, prior to any authorised access.

A.AUDIT_REVIEW

The ISM shall inspect the security audit and accounting log(s) on a regular and sufficiently frequent basis to detect any patterns of user behaviour that may be a threat to security.

A.CRYPTO_MANAGE

Information marked as ‘CRYPTO’ shall always be handled and stored in accordance with its Protective Marking and Caveat.

Página 5 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

A.INSTALL

All software or hardware installed in the Aircraft TOE equipment shall be subjected to rigorous configuration management procedures, stringent quality control and comprehensive testing.

A.PHYSICAL_ACCESS

In controlled areas and/or scenarios all personnel accessing the Aircraft where the

TOE is located shall be reliably identified before access is granted.

A.TAMPER_SEALS

Tamper seals shall be fitted to Aircraft TOE equipment dependent on the design and as deemed necessary by the Security Accreditation Authority.

A.SYOPS

All users will be trained in accordance with their duties and will read, understand, and obey all the relevant Security Operating Procedures.

A.USER_CONFIDENCE

Privileged users shall be trusted not to abuse their privilege.

Threats

This section describes the security threats that are to be countered by the TOE, its operational environment, or a combination of the two.

T.CAPTURE

Hostile forces capture the equipment while combat, transport or accessing premises and steal information.

T.DATA_CORRUPTION

An attacker from inside or outside the organisation gains access to the equipment of the information system and corrupts or delete the sensitive information in an unauthorised manner.

T.EAVESDROPPING

Someone inside or outside the organisation connects a sniffer device to the network to store and analyse transmitted information.

Página 6 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

T.INFORMATION_THEFT

Someone inside or outside the organisation accessing digital media with the intention of stealing and using the information on them.

T.REMANANCE

An attacker recovers information from removed electronic media.

T.TELECOM_FAILURE

An attacker, through sabotage or disturbance of the telecom installation, gains access to the telecommunications equipment.

T.UNAUTHORIZED_USE

An attacker from inside or outside the organisation accesses the information system and uses one of its services to penetrate it, runs unauthorised operations or steal information.

T.UNTRUSTWORTHY_DATA

Outside sources send false data being used inside the organisation compromising the system.

Operational environment objectives

The TOE requires the cooperation from its operational environment to fulfil the requirements listed in the Protection Profile. This section identifies the IT security objectives that are to be satisfied by the imposing of technical or procedural requirements on the TOE operational environment. These security objectives are assumed by the Protection Profile to be permanently in place in the TOE environment. With this purpose, the security objectives declared for the TOE environment are the following.

O.E_ADMIN

Those responsible for the administration of the TOE are competent and trustworthy individuals, capable of managing the TOE and the security of the information it contains.

O.E_AUDITDATA

Those responsible for the TOE must ensure that the audit functionality is used and managed effectively. In particular: a) Procedures must exist to ensure that the audit trail for the product (i.e., all networked components containing an audit trail) is regularly analysed and archived, to allow retrospective inspection.

Página 7 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN b) The auditing system must be configured such that the loss of audit data is minimised upon planned or unplanned shutdown or lack of available audit storage. c)The media on which audit data is stored must not be physically removable from the platform by unauthorised users.

O.E_AWARE

The personnel must be made accountable and informed of possible sanctions. The personnel must be made aware of the obligation of professional secrecy and discretion. The system user shall be informed about the accounting of their activities in the system.

O.E_INSTALL

Those responsible for the TOE must establish and implement procedures to ensure that the hardware, software and firmware components that comprise the system are installed and configured in a secure manner.

O.E_LOCATE

While not flying or being transported, the operational environment must ensure that the TOE shall be located within controlled access facilities of the MOB which will prevent unauthorised physical access. The physical controls at the MOB will alert the system authorities to the physical presence of attackers within the controlled space where the TOE is located.

O.E_NO_KEYS_LEAK

To avoid sensitive data compromise the crypto keys must be correctly managed.

O.E_PROTECT

The operational environment must ensure that the TOE hardware and software critical to security policy enforcement shall be protected from unauthorised physical modification including unauthorised modifications by potentially hostile outsiders.

O.E_SECOP

Those responsible for the TOE must establish and implement procedures to ensure that the users will be trained in accordance with their duties and will read, understand, and obey all relevant Security Operating Procedures (SecOPs).

TOE ARCHITECTURE

The typical Air Mission Systems functionality is functionality related to:

Página 8 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

- general purpose, which includes such hydraulic system; fuel system; etc. (excluded of the security problem)

- management, which includes flight control and management functions; navigation systems; etc.

- mission, which includes mission monitoring and control; payload management; data recorders; etc.

- communication, which includes dialog with traffic air control; interconnection with other allied aircrafts; etc.

Depending on the type of aircraft the TOE will need other software, in example, if the aircraft is a manned aircraft, the TOE could require operating systems as Microsoft

Windows or Linux; or RDBMS as Microsoft SQL Server or Oracle. However if the aircraft is an unmanned aircraft it will require a RTOS.

DOCUMENTS

The protection profile is just one document identified as: “EADS AIR SEGMENT

SYSTEMS PROTECTION PROFILE, Issue B”.

TOE TESTING

Not applicable.

TOE CONFIGURATION

Air Segment Systems are systems located in the aircraft and are used on-flight and on-ground.

These systems shall implement security functions to protect the sensitive information from unauthorized disclosure based on cryptography, identification and authentication, access control or secure erase, as well as an integrity control of the information.

EVALUATION RESULTS

The protection profile “EADS AIR SEGMENT SYSTEMS PROTECTION PROFILE,

Issue B” has been evaluated using the Common Evaluation Methodology, v3.1 r3

[CEM], for conformance to the Common Criteria, v3.1, r3 [CC-P3].

All the assurance components required by the level EAL3 have been assigned a

“PASS” verdict. Consequently, the laboratory (CESTI-INTA) assigns the “PASS”

VERDICT to the whole evaluation due all the evaluator actions are satisfied for the

EAL3 level.

Página 9 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

COMMENTS & RECOMMENDATIONS FROM THE

EVALUATION TEAM

The following recommendations to the users of Protection Profile are highlighted as the result of the evaluation process.

The reader of this protection profile should be noted that the Protection profile

"EADS Air Segment Systems Protection Profile. Issue B":

- claims conformance to "Common Criteria for Information Technology Security

Evaluation Version 3.1 Revision 3 July 2009”.

- is CC Part2 Conformant

- is CC Part3 Conformant

- claims conformance to package EAL3

- does not claim conformance to another PP

- the conformance required for this Protection Profile is demonstrable

CERTIFIER RECOMMENDATIONS

Considering the obtained evidences during the instruction of the certification request of the protection profile “EADS AIR SEGMENT SYSTEMS PROTECTION PROFILE,

Issue B”, a positive resolution is proposed.

This certification is recognised under the terms of the Recognition Agreements

[CCRA] and [SOGIS] for components up to EAL4 according to the mutual recognition levels of them and the accreditation status of the Spanish Scheme.

GLOSSARY

CC Common Criteria

CCN Centro Criptológico Nacional

CCRA Common Criteria Recognition Arrangement

CEM Common Evaluation Methodology

CESTI Centro de Evaluación de la Seguridad de las Tecnologías de la Información

CNI Centro Nacional de Inteligencia

EAL Evaluation Assurance Level

INTA Instituto Nacional de Técnica Aeroespacial

ISM Information Security Manager

IT Information Technology

ITSEF Information Technology Security Evaluation Facility

MOB Main Operating Base

PP Protection Profile

Página 10 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

MINISTERIO DE DEFENSA

CENTRO NACIONAL DE INTELIGENCIA

CENTRO CRIPTOLÓGICO NACIONAL

ORGANISMO DE CERTIFICACIÓN

RDBMS Relational Database Management System

RTOS Real Time Operating System

SecOps Security Operating Procedures

SOGIS Senior Officers Group for Information Security

TOE Target of Evaluation (the product that will be compliant with this PP)

BIBLIOGRAPHY

The following standards and documents have been used for the evaluation of the product:

[CC-P1] Common Criteria for Information Technology Security Evaluation- Part 1:

Introduction and general model, Version 3.1, r3, July 2009.

[CC-P2] Common Criteria for Information Technology Security Evaluation Part 2:

Security functional components, Version 3.1, r3, July 2009.

[CC-P3] Common Criteria for Information Technology Security Evaluation Part 3:

Security assurance components, Version 3.1, r3, July 2009.

[CEM] Common Evaluation Methodology for Information Technology Security:

Introduction and general model, Version 3.1, r3, July 2009.

SECURITY TARGET

Not applicable

Página 11 de 11

Avenida del Padre Huidobro s/n

Fax: + 34 91 372 58 08

Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project