
Protection Profile for E-Certificate Issuance System


Hyunjung Lee, Dongho Won, Seungjoo Kim
Sungkyunkwan University, Information Security Group, Korea
http://www.security.re.kr

Why use the e-Document Issuance Service?

§ Definition
§ Should one have to go to the school just to get a report card?
§ e-Government services: government-guaranteed documents issued via the Internet
§ What will change?
  [Figure: AS-IS versus TO-BE. AS-IS: forge-proof document, forgery prevention system, document issuing system. TO-BE: user printing; claimed and issued on a Web page; issued by e-mail.]

Upsides and Requirements

§ Upsides
  Quick: available 24/7
  Economical: low cost compared with off-line issuance
  Accessible: anywhere with Internet access
§ Requirements (security feature: technical features)
  Confidentiality of the issuing system: cryptography for the issued e-documents; screen control; UI control; printer control
  Forgery prevention for print-outs: watermark; 2D barcode; copy detector
  Reliability of the issuing organization: PKI authentication
Terms and Definitions (1/2)

§ Original Document
§ Original Document refers to an electronic document, together with its proper and secure print-outs, that is the object of issuance.
§ Electronic Document
§ Electronic Document means an electronic file of a structured document, standardized as a pair of form and data.
§ Issue System
§ Issue System refers collectively to the systems of issuing organizations that issue electronic documents.
§ Detect Software
§ Detect Software refers to a program that extracts digital information from print-outs. Using a scanner, it detects the 2D high-density barcodes and invisible watermarks attached to a print-out and extracts the digital information they carry.
Terms and Definitions (2/2)

§ Forgery Prevention Elements
§ Forgery Prevention Elements refer to all kinds of devices (identification elements) that give reliability to print-outs of electronic documents and make it possible for ordinary users to tell whether a print-out is authentic, either by viewing the document or by using tools. EPS's Forgery Prevention Elements are 2D high-density barcodes, invisible watermarks, copy detector marks and so on.
§ Secure Print-out
§ Secure Print-out means a print-out of an electronic document that carries print-out security features (high-density 2D barcodes, invisible watermarks).

System Structure

[Figure: system structure. The user applies for a document; the Document Issuing System (WAS server with a Web Server Module and a Document DB holding the certificate of the issuing organization) requests the information required for the document, creates the 2D barcode, and issues the original document as a compressed and encrypted file. On the user side, the User Control Module produces the printed document and the Document Verification Module verifies it.]

Threat Factors

[Figure: threat factors along the issuance path, from the Document Issuing Server over the network to the user PC (Web browser), the printer, and the printed document.]
§ Network: leaking the source by sniffing on the network
§ Web browser on the user PC: leaking the source by saving or capturing in the Web browser; leaking the source via the Web browser's temporary files
§ Printer: leaking the source through the print spool file; leaking the source through a virtual printer
§ Printed document: forging with a high-end scanner; copying with a digital copier; the forged document is then submitted to authorities

Core Security Functions

Function 1. Web Protection
• Controls printing, saving and copying from the Web browser
• Prevents document capture by capture or remote-control programs
• Limits pop-up menus opened with the right mouse button
• Prevents information leakage through cache or temporary files

Function 2. Printer Control
• Limits the print spool file
• Counts and limits the number of prints
• Prevents printing to virtual printers (e.g. PDF Writer)
• Controls printer drivers and checks the printer's status

Function 3. Prevention & Verification
• High-density 2D barcode with an error correction code
• Digital signature verification with publisher confirmation
• Detection program
• Digital watermark to protect the image seal/logo
• All data for the issuance is encrypted in the metafile

Function 1. Web Protection

§ Web Protection
  Browser Control: control Web browser menus; limit the creation of cache and temporary files; prevent copying by keyboard or mouse; limit the use of pop-up menus
  Secure Web Page: encrypted meta file; encryption; prevent linking by URL; limit use of the clipboard
  Capture Prevention: block image capture; prevent capture by keyboard (e.g. PrintScreen); protect the document screen from remote programs
  All of these controls execute on the user's PC, so they are only as strong as that endpoint; this is why the PP's assumptions A.Secure Installation and Operation and A.OS Enhancement cover the client environment.

Function 2. Printer Control

§ Print control
  Limitation: control virtual printers by checking the print port (WMF, PDF Writer, FAX, etc.); limit the generation of, or intercept, the print spool file and Internet temporary files
  Print Count Control: check the number of prints; the document can be printed only as many times as the service provider allows
Function 3. Prevention & Verification

§ 2D Barcode
§ Comparing the original document with the document recovered from the 2D barcode makes it possible to verify whether the print-out has been forged.
§ The entire original document data and the digitally signed data (hash code) are embedded in the high-density 2D barcode, as legal proof of originality and to prevent forgery.
§ Digital Watermark
§ Important hidden information is embedded invisibly in the organization's logo, official seals and images by watermarking, to establish the genuineness of a document.
§ This reinforces the 2D barcode against forgery.
§ Copy Detector
§ Scans for any change to the code inserted in the original document.
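Worked example, added here and not code from the authors or from any product the slides describe: the issue/verify round trip for the 2D barcode described above, in Go. The issuing side compresses the whole document, signs its SHA-256 hash, and packs both into the payload that would be rendered as the barcode; the detector side verifies the signature against the issuing organization's public key and then compares the embedded original with what was read from the print-out. The Document fields, the JSON/zlib payload layout, and the raw ECDSA P-256 key standing in for the organization's PKI certificate are all assumptions of this example; rendering and scanning the barcode image are out of scope.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Document is the structured electronic document (form plus data).
// The field names are assumptions for this example.
type Document struct {
	Form   string `json:"form"`
	Holder string `json:"holder"`
	Issued string `json:"issued"`
	Body   string `json:"body"`
}

// Payload is what the issuing system encodes into the high-density 2D
// barcode: the complete (compressed) document and the issuer's signature
// over its SHA-256 hash. The layout is an assumption for this example.
type Payload struct {
	Doc []byte `json:"doc"` // zlib-compressed JSON of Document
	Sig []byte `json:"sig"` // ASN.1 DER ECDSA signature over SHA-256(Doc)
}

// GenerateIssuerKey stands in for the issuing organization's PKI key pair.
func GenerateIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue builds the barcode payload for doc and returns it base64-encoded,
// ready to be rendered as a 2D barcode.
func Issue(doc Document, issuerKey *ecdsa.PrivateKey) (string, error) {
	raw, err := json.Marshal(doc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	digest := sha256.Sum256(buf.Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, issuerKey, digest[:])
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(Payload{Doc: buf.Bytes(), Sig: sig})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(p), nil
}

// Verify is the detector side. It checks the signature against the issuing
// organization's public key before trusting anything in the payload, then
// compares the embedded original with the content read from the print-out.
func Verify(barcode string, printed Document, issuerPub *ecdsa.PublicKey) (Document, error) {
	var none Document
	p, err := base64.StdEncoding.DecodeString(barcode)
	if err != nil {
		return none, fmt.Errorf("barcode decode: %w", err)
	}
	var payload Payload
	if err := json.Unmarshal(p, &payload); err != nil {
		return none, fmt.Errorf("payload parse: %w", err)
	}
	digest := sha256.Sum256(payload.Doc)
	if !ecdsa.VerifyASN1(issuerPub, digest[:], payload.Sig) {
		return none, errors.New("signature does not verify against the issuing organization's key")
	}
	zr, err := zlib.NewReader(bytes.NewReader(payload.Doc))
	if err != nil {
		return none, fmt.Errorf("decompress: %w", err)
	}
	defer zr.Close()
	raw, err := io.ReadAll(zr)
	if err != nil {
		return none, fmt.Errorf("decompress: %w", err)
	}
	var embedded Document
	if err := json.Unmarshal(raw, &embedded); err != nil {
		return none, fmt.Errorf("document parse: %w", err)
	}
	if embedded != printed {
		return embedded, errors.New("print-out differs from the signed original embedded in the barcode")
	}
	return embedded, nil
}

func main() {
	key, _ := GenerateIssuerKey()
	doc := Document{Form: "transcript", Holder: "Jane Doe", Issued: "2024-03-01", Body: "GPA 3.9"}
	code, _ := Issue(doc, key)
	_, err := Verify(code, doc, &key.PublicKey)
	fmt.Println("genuine print-out:", err)
	doc.Body = "GPA 4.0" // constructed alteration of the printed content
	_, err = Verify(code, doc, &key.PublicKey)
	fmt.Println("altered print-out:", err)
}
```

Note the order of checks: the signature is verified before the payload is parsed any further, and a valid signature alone is not enough, since a photocopied barcode still carries a valid signature. The comparison with the printed content is what ties the barcode to this particular print-out; the watermark and copy detector on the slides address the copying case that a signature cannot.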
TOE (Target of Evaluation)

[Figure: TOE boundary and its modules.]
§ Server Module (operated by the Administrator; connected to the Mail Server and, over the Network, to the User Module): Identification & Authentication, Security Audit (Audit Record), Security Management, TSF Data Protection, User Data Protection, Cryptographic Support
§ Detector Module (used by the Verifier): User Data Protection (Data Authentication)
§ User Module (used by the User): User Data Protection, Cryptographic Support
The Contents of the Protection Profile

§ PP Introduction: PP Reference; TOE Overview
§ Conformance Claims: CC Conformance Claim; PP Claim, Package Claim; Conformance Rationale; Conformance Statement
§ Security Problem Definition: Assumptions; Threats; Organizational Security Policies
§ Security Objectives: Security Objectives for the TOE; Security Objectives for the Operational Environment; Security Objectives Rationale
§ Extended Components Definition: Extended Components Definition
§ Security Requirements: Security Functional Requirements; Security Assurance Requirements; Security Requirements Rationale

Threats (1/2)

§ Asset: Electronic Document
  T.Network Sniffing: A threat agent may disclose, modify, or delete the data of an e-document while the issuing system is issuing the document over the network.
  T.Screen Capturing: The data of an e-document may be leaked by saving or capturing it in the Web browser.
  T.Temporary File Storage: The data of an e-document may be leaked from temporary files if the Web browser keeps a directory in which they are saved.
  T.Print Spool: A threat agent may leak an e-document from the printer spool files while the document is being printed.
  T.Virtual Printer: A threat agent may leak the data of an e-document through a virtual printer while the document is being printed.
  T.Forgery by Scanner: A threat agent may forge the printed document using a high-resolution scanner.
  T.Copy: A threat agent may make more copies of the e-document than the document issuing organization issued.

Threats (2/2)

§ Asset: TOE
  T.Unauthorized System Modification: Unauthorized modification of the system, affecting its operational capabilities, can occur.
  T.Audit Record Alteration: A threat agent may forge the records of e-document issuance in the issuing system.
  T.System Data Alteration: Alteration of system data can occur.
  T.Recording failure: A threat agent may exhaust the storage so that the TOE fails to record security-relevant events and the document issuance log.
  T.Consecutive Authentication Attempt: A threat agent may gain access to the TOE with the authority of an authorized user by repeatedly attempting authentication.
  T.TSF data tampering: An attacker can modify TSF data in an unauthorized way to evade recording or cause misuse.

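Worked example, added here and not code from the authors or from any product the slides describe: a minimal audit store in Go that shows how three of the TOE-asset threats above can be countered in code. Every record carries the fields FAU_GEN.1 requires (time, event type, subject identity, outcome) and is hash-chained to its predecessor, so alteration or deletion of any stored record is detectable (T.Audit Record Alteration); a fixed storage budget turns exhaustion into an explicit error plus an alarm rather than a silently lost event (T.Recording failure); and a consecutive-failed-authentication rule raises an alarm and locks the subject (T.Consecutive Authentication Attempt, in the spirit of FAU_SAA.1 and FAU_ARP.1). The record layout, the threshold, the string event names, and the DemoClock stand-in for the environment's reliable time stamp are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ErrStorageExhausted is returned when the audit store has no room left,
// the T.Recording failure condition; the event is refused, not dropped silently.
var ErrStorageExhausted = errors.New("audit storage exhausted; event not recorded")

// AuditRecord holds the FAU_GEN.1 minimum fields (date/time, event type,
// subject identity, outcome) plus a hash-chain link. Field names are
// assumptions for this example.
type AuditRecord struct {
	Seq      int
	Time     time.Time
	Event    string // e.g. "auth", "issue", "admin"
	Subject  string
	Outcome  string // "success" or "fail"
	PrevHash string // Hash of the previous record ("" for the first)
	Hash     string // SHA-256 over this record's fields and PrevHash
}

// AuditLog is an append-only store with a fixed capacity, a hash chain for
// integrity checking, and a simple potential-violation analysis.
type AuditLog struct {
	Records   []AuditRecord
	Capacity  int
	Threshold int      // consecutive failed authentications before lockout
	Alarms    []string // security alarms raised so far
	clock     func() time.Time
	failures  map[string]int // consecutive failed auths per subject
}

func NewAuditLog(capacity, threshold int, clock func() time.Time) *AuditLog {
	return &AuditLog{Capacity: capacity, Threshold: threshold, clock: clock, failures: map[string]int{}}
}

// DemoClock is a deterministic stand-in for the reliable time stamp the PP
// expects from the environment (FPT_STM.1 / OE.Timestamp); constructed for this example.
func DemoClock() func() time.Time {
	tick := 0
	return func() time.Time {
		tick++
		return time.Date(2024, 1, 2, 9, 0, tick, 0, time.UTC)
	}
}

func recordHash(r AuditRecord) string {
	// %q quotes the strings so a field cannot fake a boundary with '|'.
	data := fmt.Sprintf("%d|%s|%q|%q|%q|%s",
		r.Seq, r.Time.UTC().Format(time.RFC3339Nano), r.Event, r.Subject, r.Outcome, r.PrevHash)
	sum := sha256.Sum256([]byte(data))
	return hex.EncodeToString(sum[:])
}

// Append records an auditable event, alarming and refusing when storage is full.
func (l *AuditLog) Append(event, subject, outcome string) error {
	if len(l.Records) >= l.Capacity {
		l.Alarms = append(l.Alarms, "audit storage exhausted; further events cannot be recorded")
		return ErrStorageExhausted
	}
	prev := ""
	if n := len(l.Records); n > 0 {
		prev = l.Records[n-1].Hash
	}
	r := AuditRecord{Seq: len(l.Records) + 1, Time: l.clock(), Event: event,
		Subject: subject, Outcome: outcome, PrevHash: prev}
	r.Hash = recordHash(r)
	l.Records = append(l.Records, r)
	l.analyse(r)
	return nil
}

// analyse applies the violation rule: Threshold consecutive failed
// authentications by one subject raise one alarm and lock that subject.
func (l *AuditLog) analyse(r AuditRecord) {
	if r.Event != "auth" {
		return
	}
	if r.Outcome == "success" {
		delete(l.failures, r.Subject)
		return
	}
	l.failures[r.Subject]++
	if l.failures[r.Subject] == l.Threshold {
		l.Alarms = append(l.Alarms, fmt.Sprintf("%d consecutive failed authentications by %q", l.Threshold, r.Subject))
	}
}

// Locked reports whether the subject has reached the failed-authentication threshold.
func (l *AuditLog) Locked(subject string) bool {
	return l.failures[subject] >= l.Threshold
}

// Verify walks the chain and returns the index of the first record whose stored
// hash or PrevHash no longer matches, or -1 when the log is intact.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, r := range l.Records {
		if r.PrevHash != prev || r.Hash != recordHash(r) {
			return i, fmt.Errorf("audit record %d altered or chain broken", r.Seq)
		}
		prev = r.Hash
	}
	return -1, nil
}

func main() {
	al := NewAuditLog(100, 3, DemoClock())
	for i := 0; i < 3; i++ {
		al.Append("auth", "user1", "fail")
	}
	fmt.Println("locked:", al.Locked("user1"), "alarms:", al.Alarms)
	al.Records[1].Outcome = "success" // constructed tampering with a stored record
	idx, err := al.Verify()
	fmt.Println("first bad record index:", idx, err)
}
```

The hash chain only detects alteration if the verifier's copy of the latest hash, or of the whole chain, sits somewhere the attacker cannot also rewrite; in the PP that is the job of the server-side TSF data protection and the trusted administrator, which this example does not model.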
Assumptions

  A.Trusted Administrator: It is assumed that the administrators are non-hostile, well trained, and follow all administrator guidance.
  A.Timestamp: It is assumed that the TOE environment provides a secure timestamp that fulfils RFC 1305.
  A.Physical Security: The e-document issuing system is located in a physically secure environment that can only be accessed by an authorized administrator.
  A.Secure Installation and Operation: The TOE will be distributed and installed on a user PC in a secure manner.
  A.Network: Any traffic flow required by the TOE services will always be allowed.
  A.OS Enhancement: Services or means not required by the e-document issuing system will be removed from the operating system, and vulnerabilities of the operating system will be fixed properly to ensure its reliability and stability.

Organizational Security Policy

  P.Audit: The TOE must audit every auditable event and keep the audit record secure; the audit record is protected from unauthorized access.
  P.Secure Management: An authorized administrator shall manage the TOE, the audit log, and so on in a secure way.
  P.Authorized User: A user shall be identified and authenticated before using e-document issuance services.
  P.Verifying Module: Software to help verify the authenticity of an e-document shall be distributed for anyone to use.
  P.Recover: The TOE must be capable of being restored to a secure state without losing any essential data.

Security Objectives for the TOE (1/2)

  O.Transferred Data Protection: The TOE shall ensure the confidentiality and integrity of an e-document transferred over the network.
  O.Stored Data Protection: The TOE shall protect the TSF data stored in it from unauthorized disclosure, modification, or deletion.
  O.Secure Print: The TOE shall provide a secure print function that prevents data leakage through temporary files or a virtual printer while an e-document is being printed.
  O.Data Authentication: The TOE shall provide a function to display digital data such as an e-document on a secured print-out, and a function to analyze the 2D barcode, which verifies the authenticity of the print-out.
  O.Screen Protection: The TOE shall provide a screen protection function that prevents data leakage through a screen-capture key provided by the OS (e.g. PrintScreen), a capture program, or a remote program while an e-document is being viewed.
  O.Web Browser Control: The TOE shall provide a security function that prevents data leakage by controlling the use of applications for viewing an e-document, e.g. a Web browser or report tool.

Security Objectives for the TOE (2/2)

  O.Verification: The TOE shall provide a function to display digital data such as an e-document on a secured print-out, and a function to analyze the 2D barcode, which verifies the authenticity of the print-out.
  O.Forgery Prevention: The TOE shall provide means to prevent forgery of an e-document, including 2D barcodes, watermarks, or electronic signatures.
  O.Identification and Authentication: The TOE shall uniquely identify its administrator and authenticate a user prior to allowing access.
  O.Audit: The TOE shall generate and maintain records of all security-relevant events so that they can be traced, and shall provide a means to review the records.
  O.Management: The TOE shall provide a means for the authorized administrator to manage the TOE efficiently and securely.

Security Objectives for the Operational Environment

  OE.Trusted Administrator: The authorized administrator must be trained in establishing and maintaining security policies in practice.
  OE.Timestamp: The TOE environment shall provide a secure timestamp that fulfils RFC 1305.
  OE.Physical Security: The e-document issuing system shall be located in a physically secure environment that can only be accessed by an authorized administrator.
  OE.Secure Installation and Operation: The TOE shall be distributed and installed on a user PC in a secure manner.
  OE.OS Enhancement: Services or means not required by the e-document issuing system shall be removed from the operating system, and vulnerabilities of the operating system shall be fixed properly to ensure its reliability and stability.
  OE.Network: Any traffic flow required by the TOE services shall always be allowed.

Security Functional Requirements (1/2)

§ Security Audit (FAU)
  FAU_ARP.1 (Security alarms)
  FAU_GEN.1 (Audit data generation), FAU_GEN.2 (User identity association)
  FAU_SAA.1 (Potential violation analysis)
  FAU_SAR.1 (Audit review), FAU_SAR.2 (Restricted audit review)
  FAU_STG.2 (Guarantees of audit data availability)
§ Cryptographic Support (FCS)
  FCS_CKM.1 (Cryptographic key generation), FCS_CKM.2 (Cryptographic key distribution), FCS_CKM.4 (Cryptographic key destruction)
  FCS_COP.1 (Cryptographic operation)
§ User Data Protection (FDP)
  FDP_ACC.1 (Subset access control), FDP_ACF.1 (Security attribute based access control)
  FDP_DAU.2 (Data authentication with identity of guarantor)
  FDP_IFC.1 (Subset information flow control), FDP_IFF.1 (Simple security attributes)
  FDP_ITT.1 (Basic internal transfer protection)
  FDP_RIP.1 (Subset residual information protection)
  FDP_UCT.1 (Basic data exchange confidentiality), FDP_UIT.1 (Data exchange integrity)

Security Functional Requirements (2/2)

§ Identification & Authentication (FIA)
  FIA_ATD.1 (User attribute definition)
  FIA_SOS.1 (Verification of secrets)
  FIA_UAU.1 (Timing of authentication)
  FIA_UID.1 (Timing of identification)
§ Security Management (FMT)
  FMT_MOF.1 (Management of security functions behaviour)
  FMT_MSA.1 (Management of security attributes), FMT_MSA.2 (Secure security attributes), FMT_MSA.3 (Static attribute initialisation)
  FMT_SMR.1 (Security roles), FMT_SMR.2 (Restrictions on security roles)
§ Protection of the TSF (FPT)
  FPT_FLS.1 (Failure with preservation of secure state)
  FPT_STM.1 (Reliable time stamps)
  FPT_TST.1 (TSF testing)

Security Assurance Requirements

§ Our Protection Profile adopts EAL4+ (EAL4 augmented)
§ The TOE is a critical information system
§ A successful attack could cause serious confusion in society
§ Depending on the user environment, this system is important to maintain
§ We augment the security assurance requirements to reinforce verification of the implementation
§ The augmenting components are ADV_IMP.2, ATE_DPT.3, ALC_FLR.3 and AVA_VAN.4 (in CC terms these are augmentations of the EAL4 package, not extended components; extended components are defined in the PP's Extended Components Definition)

Thank You!
E-mail : chelee3@gmail.com
