Re: FDP_DAU Versus FCO_NRO


A requirement to detect changes is a requirement for integrity.  FDP_UIT.1 is a requirement to determine whether change has occurred.  This appears to be what your customers desire.  (FDP_UIT.2 and FDP_UIT.3 include the capability to correct errors.)

Digital signature is a mechanism that provides both FCO_NRO and FDP_UIT.  Another viewpoint is that FCO_NRO is not digital signature, but instead is one of the needs that is being met when digital signature is used.

Cheers,
Gary

At 08:39 AM 11/20/02, YOKOTA HIROFUMI wrote:
Thanks for the guidance.
 
Let me continue the question.
What I am concerned about is a customer's data exchange system through the internet.
 
In the internet, messages are not protected from modification, deletion,
insertion, and replay errors.
 
However, it's OK. They use the internet as it is, since the current quality of the internet
 is sufficient for the purpose of their data exchange system.
 
Therefore, in the system, they have no requirement for the integrity.
Sometimes, communication errors might occur, but they do not mind.

So, the data exchange system does not need FDP_UIT(data exchange integrity).
 
Their requirement is not the integrity, but
 
1) the authentication of the data,
 
and
 
2) detection of errors.
 
This is simply accomplished by implementing the digital signature.
 
Although the digital signature does not ensure the integrity (i.e. it does not
protect data from modification), it detects errors for transmitted data and,
when received without error, guarantees the validity of the originator and
transmitted information.
 
Then, how could we express these requirements using the CC functional components?
 
In the CC manuals, FCO_NRO does not mention any bit about authentication.
 
Looking at FDP_DAU, I suppose that
"guarantee of validity of information" means "data authentication".
 
Then, regarding FCO_NRO,
 does "verification of evidence of origin" mean "data authentication"?
 
----- Original Message -----
From: Gary Stoneburner
To: Multiple recipients of list
Sent: Wednesday, November 20, 2002 1:08 AM
Subject: Re: FDP_DAU Versus FCO_NRO

Per paragraph 646 in Common Criteria version 2.1: "author should consider including integrity requirements such as FDP_UIT".

For verification of origin and of the integrity of data transmitted the requirements are:

        FCO_NRO.1 (or .2) and FDP_UIT.1 (or .2 or .3)

The family FDP_DAU is intended for data that is not being transmitted, but is maintaining integrity of the data while remaining within the TSF.  An example of a FDP_DAU mechanism is Tripwire.

Please note that there is an error in the CC v2.1, paragraph 178, Family Behaviour for FDP_DAU: 

        "In contrast to Class FAU, this family is intended to be applied to 'static' data rather than data that is being transferred"

should be

        "In contrast to family FDP_UIT, this family is intended to be applied to 'static' data rather than data that is being transferred".

Cheers,
Gary Stoneburner

At 09:12 AM 11/19/02, YOKOTA HIROFUMI wrote:

Please help.

CC part2 annex F.3 says the following.

Component in FDP_DAU (Data authentication) family is used when there is a
requirement for 'static' data authentication, i.e. where data is to be signed
but not transmitted. (Note that the FCO_NRO (Non-repudiation of origin) family
provides for non-repudiation of origin of information received during a data
exchange.)

I'm confused in this description.

Is this saying that FDP_DAU is used for 'static' data authentication, and
FCO_NRO is used for 'transmitted data' authentication?
I don't think so.
FDP_DAU: provide a capability to generate/verify evidence that can be used
         as a guarantee of the validity of information.
FCO_NRO: is able to generate/verify evidence of origin for transmitted
         information.

As we can see above,
FDP_DAU is for a guarantee of the validity of information.
FCO_NRO is for evidence of origin for transmitted information.

I do not think the usage of those families is exchangeable between
'static' and 'transmitted' situation.
I do not think FCO_NRO provides a guarantee of the validity of information.
Does it?

Then, what families are required to express requirements
for 'transmitted' data authentication together with evidence of the origin ?

I believe, FDP_DAU plus FCO_NRO are required.
Am I wrong?

    Hirohumi Yokota
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************
