Re: FCS_COP and FCS_CKM interdependency

Subject: Re: FCS_COP and FCS_CKM interdependency
From: "YOKOTA HIROFUMI" <yokota-hirofumi@jqa.jp>
Date: Wed, 25 Feb 2004 16:56:59 +0900
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
References: <4E25ECBBC03F874CBAD03399254ADFDE10FB8D@US-Columbia-CIST.mail.saic.com>


"Arnold, James L. Jr." wrote on Tuesday, February 24, 2004 11:05 PM

> Now that the topic has been brought up, I believe that the dependencies
for
> the FCS class of requirements are not correct.
>
> In particular, dependency on secure security attributes (FMT_MSA.2)
> certainly has nothing to do with key destruction (FCS_CKM.4) and it also
> isn't necessary for most cryptographic operations (FCS_COP). I am also not
> sure that key generation (FCS_CKM.1) should depend on FMT_MSA.2 since the
> generated keys aren't necessarily based on the acceptance of "secure
> attributes" but rather could be based on random or other pre-existing
data.
> Note that the FMT_MSA.2 dependencies of all of the FCS class components
> yield a problem in that FMT_MSA.2 is dependent on either an access control
> or information flow policy. However, encryption seems valid without either
> policy (e.g., encrypting the backing store to prevent scavenging or
> encrypting tunnels to prevent disclosure of flows without actually control
> the flow of information). It is also not clear why key generation
> (FCS_CKM.1) or cryptographic operations (FCS_COP) are dependent on key
> destruction (FCS_CKM.4).
>

I tend to agree.


> I tend to think generally that key generation has no dependencies and
> cryptographic operations and key destruction depend only on key
generation.

I am thinking differently.
There are two aspects in thinking about dependencies.
One is the aspect of holding correct sequence of operations in regard to
requirements.
The other is the aspect of satisfying the requirement securely.

For example:
FAU_GEN.1.2 needs "date and time of the event".
>From the aspect of the correct sequence of operations, it depends on the
existence of time generation routine or time read invocation routine.
However, from the aspect of satisfying the requirement securely, it depends
on the reliability of the provided time value (i.e., FPT_STM.1).

I think CC intends primarily the latter aspect on dependencies.
>From this point of view, I tend to think (oppositely from Jim) that secure
key generation has dependencies on secure key destruction and secure key
destruction has no dependencies.
However, I agree with Jim that it appears too much indirect in this case
too.



> If it is believed that key generation needs some support, then FMT_MSA.2
is
> not it; especially since that requirement is problematic in itself since
it
> doesn't support an assignment to narrow the scope of applicable
attributes.
> Rather, I think this is a case for a considered management requirement as
> opposed to a dependency.
>
> Furthermore, the dependencies in class FCS are generally more extensive
and
> less obviously related that most of the other CC Part 2-defined
> dependencies. For example, other requirements include only direct
> dependencies while these requirements appear to include some indirect
> dependencies.
>
> The point is that all of the dependencies in the FCS class should be
> revisited. They should really be necessary and they should be consistent
> with the rest of the dependencies in Part 2.
>

I agree and I suspect less obviously related dependecies are also in the
outside of FCS class.


> > -----Original Message-----
> > From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Nir Naaman
> > Sent: Tuesday, February 24, 2004 7:46 AM
> > To: Multiple recipients of list
> > Subject: RE: FCS_COP and FCS_CKM interdependency
> >
> >
> > It is.
> > Dependencies for FCS_COP.1 are listed in CC Part 2 as:
> >
> > Dependencies: [FDP_ITC.1 Import of user data without security attributes
> > or FCS_CKM.1 Cryptographic key generation]
> >           FCS_CKM.4 Cryptographic key destruction
> >                       FMT_MSA.2 Secure security attributes
> >
> >     Nir
> >
> > > -----Original Message-----
> > > From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of
> > > Magos×'nyi Ö±rp×'d
> > > Sent: Tuesday, February 24, 2004 1:29 PM
> > > To: Multiple recipients of list
> > > Subject: FCS_COP and FCS_CKM interdependency
> > >
> > >
> > >
> > > Hi!
> > >
> > > Isn't FCS_COP dependent on FCS_CKM?
> > > How can one use crypto securely without managing the keys?
> > >
> > > --
> > > GNU GPL: csak tiszta forrÃ¡sbÃ³l
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
>

References:
- RE: FCS_COP and FCS_CKM interdependency
  - From: "Arnold, James L. Jr." <JAMES.L.ARNOLD.JR@saic.com>

Prev by Date: Re: Final Interpretation for RI 137 - Rules governing binding should be specifiable
Next by Date: Re: Final Interpretation for RI 137 - Rules governing binding should be specifiable
Prev by thread: RE: FCS_COP and FCS_CKM interdependency
Next by thread: RE: FCS_COP and FCS_CKM interdependency

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov