3.5 SFRs
3.5.2 Data Flows
Compared to the PP, the components FDP_IFC.1 Subset Information Flow Control and FDP_IFF.1 Simple Security Attributes have now been assigned specific values to identify and define the Payment Application Data Flow Control SFP. Below, the elements with assignments are stated and described.
FDP_IFC.1.1 The TSF shall enforce the Payment Application Data Flow Control SFP on data flowing between the payment terminal and the POS application which causes information to flow into and out of the audit trail.
Class        Modification
FAU_GEN.1    Assignment, Iterated
FAU_GEN.2    Moved
FAU_SAR.1    Moved
FAU_SAR.2    Moved
FAU_STG.1    Moved
FCS_CKM.1    New
FCS_CKM.2    New
FCS_CKM.4    New
FCS_COP.1    New
FDP_IFC.1    Assignment
FDP_IFF.1    Assignment
FDP_ITT.1    New
FDP_ITT.3    New
FIA_UAU.2    Moved
FIA_UAU.6    Moved
FIA_UID.2    Moved
FMT_MOF.1    Assignment, Iterated
FMT_MSA.1    Assignment
FMT_MSA.2    New
FMT_MSA.3    Assignment
FMT_MTD.1    Assignment, Iterated
FMT_SMF.1    Assignment, Iterated
FMT_SMR.1    Moved, Assignment
FPT_ITT.1    New
FPT_STM.1    Moved
FTA_SSL.1    Moved
FTA_SSL.2    Moved
FTP_ITC.1    New

Table 3.5: Modifications to SFRs relative to the PP.
Now it is explicitly stated that the Payment Application Data Flow Control SFP shall be enforced on the data flows between the payment terminal and the POS application. All identified data flows included in the SFP are described in section 3.2.4.
FDP_IFF.1.1 The TSF shall enforce the Payment Application Data Flow Control SFP based on the following types of subject and information security attributes:
a) Type of input/output device used in the data flow.
b) Role of user creating and receiving the data.
c) Type and sensitivity of the data.
d) Media in which the data flows.
e) Possible threat agents.
Here it is stated that the Payment Application Data Flow Control SFP shall be enforced on the basis of a threat analysis based on the listed security attributes.
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
a) A threat analysis of the input/output device data flow is carried out.
b) The following countermeasures to achieve the desired high level of protection for the data flow are implemented:
1) Secure authentication between the payment application and client ensuring correct authorization of the end points.
2) Encryption of the data flow using 3DES or AES ensuring the confidentiality and integrity of the data.
This functional element states that a data flow can only be allowed if a threat analysis of the data flow has been conducted and countermeasures ensuring a high level of protection of the data flow are implemented. The threat analysis conducted in section B.2.4 concluded that a high level of protection is needed due to the sensitivity of the data.
Therefore, the TOE shall be able to provide mutual authentication between the PA and PAC ensuring that the PAC is communicating with the authentic PA. Furthermore, the data flow shall be encrypted using 3DES or AES with appropriate key lengths.
In order to secure the data flows a trusted channel between the PA and PAC shall be implemented. To achieve this the class FTP Trusted Path/Channel is examined. This class provides the family FTP_ITC Inter-TSF Trusted Channel which defines requirements for the creation of a trusted channel for secure communication.
When the trusted channel is established, communication between the PA and PAC will be considered as internal TOE transfer instead of inter-TSF transfer³. To further strengthen the requirements on the security of the data flows, the components FDP_ITT.1 Basic Internal Transfer Protection and FPT_ITT Internal TOE Data Transfer are introduced, as both user and TSF data are transferred in the trusted channel. FDP_ITT.1 enforces the Payment Application Data Flow Control SFP to prevent modification and disclosure of user data transferred between the PA and PAC. FPT_ITT.1 protects TSF data from disclosure and modification when data is transmitted between the PA and the PAC.

³ See figure 1.2 [CC204] p. 4.
As the trusted channel makes use of cryptographic functions to secure communication, cryptographic support must be implemented. The class FCS Cryptographic Support provides this. It contains the two families FCS_CKM Cryptographic Key Management and FCS_COP Cryptographic Operation.
FCS_COP.1 Cryptographic Operation is used to define which cryptographic operations the TOE shall support in order to implement encryption of the data flows and mutual authentication of the PA and PAC. It states that the TLS protocol shall be used to implement these functions with one of the following TLS cipher suites as described in [DA99] and [Cho02]:
a) TLS_RSA_WITH_3DES_EDE_CBC_SHA,
b) TLS_RSA_WITH_AES_128_CBC_SHA, or
c) TLS_RSA_WITH_AES_256_CBC_SHA.
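The rules of FDP_IFF.1.2 together with the FCS_COP.1 suite list can be written as one permit/deny decision that the TSF applies before allowing a PA/PAC flow. The Python below is an added illustration, not part of the ST or the TOE; the FlowState fields, the key size paired with each suite and the RC4 suite used as a negative case are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Cipher suites permitted by FCS_COP.1, each with the symmetric key size (bits)
# that FCS_CKM.1 requires the generated session key to match. 3DES EDE takes a
# 168-bit key (three 56-bit DES keys); the sizes are this example's assumption.
PERMITTED_SUITES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ("3DES", 168),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("AES", 128),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("AES", 256),
}


@dataclass
class FlowState:
    """What the TSF knows about one PA/PAC data flow when applying FDP_IFF.1.2 (hypothetical)."""
    threat_analysis_done: bool   # rule a): a threat analysis of the I/O device flow exists
    pa_authenticated: bool       # rule b)1): the PAC has verified the PA's identity
    pac_authenticated: bool      # rule b)1): the PA has verified the PAC's identity
    cipher_suite: str            # rule b)2): TLS cipher suite negotiated for the channel
    symmetric_key_bits: int      # size of the session key actually generated (FCS_CKM.1)


def evaluate_flow(flow: FlowState) -> tuple[bool, list[str]]:
    """Return (permitted, violations); the flow is permitted only when every rule holds."""
    violations: list[str] = []
    if not flow.threat_analysis_done:
        violations.append("FDP_IFF.1.2 a): no threat analysis recorded for this data flow")
    if not (flow.pa_authenticated and flow.pac_authenticated):
        violations.append("FDP_IFF.1.2 b)1): end points are not mutually authenticated")
    suite = PERMITTED_SUITES.get(flow.cipher_suite)
    if suite is None:
        violations.append(f"FCS_COP.1: {flow.cipher_suite} is not a permitted cipher suite")
    elif flow.symmetric_key_bits != suite[1]:
        violations.append(
            f"FCS_CKM.1: {flow.symmetric_key_bits}-bit key does not match {suite[0]}-{suite[1]}")
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed flows: one compliant, one that fails mutual authentication and
    # negotiates a suite outside the FCS_COP.1 list.
    good = FlowState(True, True, True, "TLS_RSA_WITH_AES_256_CBC_SHA", 256)
    bad = FlowState(True, True, False, "TLS_RSA_WITH_RC4_128_SHA", 128)
    for flow in (good, bad):
        permitted, why = evaluate_flow(flow)
        print("PERMIT" if permitted else "DENY", flow.cipher_suite, why)
```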
FCS_COP.1 has dependency on FCS_CKM.1 Cryptographic Key Generation and FCS_CKM.4 Cryptographic Key Destruction.
FCS_CKM.1 requires that the TOE shall generate cryptographic keys in accordance with a Secure Hash Standard (SHS) based random number generation as specified in FIPS 186 [U.S00] appendix 3 or an equivalent SHS based algorithm. Symmetric key sizes must be in accordance with the ones specified in FCS_COP.1 above.
FCS_CKM.4 requires that the TOE shall destroy cryptographic keys using any FIPS 140 level 1 validated key destruction method.
As keys are exchanged between the PA and the PAC, a cryptographic key distribution method shall be stated. FCS_CKM.2 Cryptographic Key Distribution requires that cryptographic keys shall be distributed using RSA based key exchange, given by the TLS cipher suites, complying with FIPS 140.
FCS_COP.1, FCS_CKM.1, FCS_CKM.2, and FCS_CKM.4 all have dependency on FMT_MSA.2 Secure Security Attributes which is described in section 3.5.5.
To ensure integrity of the data flows the component FDP_ITT.3 Integrity Monitoring is implemented. It requires the TOE to enforce the Payment Application Data Flow Control SFP to monitor the transmitted data for cryptographic integrity errors. If errors are detected, the data shall be resent a specified number of times before the administrator is alerted.
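An added Python sketch of the FDP_ITT.3 behaviour, not part of the ST or the TOE: each received record's integrity tag is verified, a retransmission is requested on error, and the administrator is alerted once the retry budget is spent. The HMAC-SHA-1 tag standing in for the TLS record MAC, the retry count of three and the flaky sender are this example's assumptions.

```python
from __future__ import annotations
import hashlib
import hmac

MAX_RETRIES = 3  # the ST's "specified number of times"; this value is an assumption


class IntegrityAlert(Exception):
    """Raised to alert the administrator once retransmissions are exhausted."""


def record_tag(key: bytes, payload: bytes) -> bytes:
    """Integrity tag over one record (HMAC-SHA-1 here, as in the *_SHA suites)."""
    return hmac.new(key, payload, hashlib.sha1).digest()


def receive_with_integrity(key: bytes, fetch, max_retries: int = MAX_RETRIES) -> tuple[bytes, int]:
    """Accept a record only if its tag verifies, otherwise request it again.
    fetch(attempt) returns the (payload, tag) pair delivered on that attempt;
    returns (payload, retransmissions_needed) or raises IntegrityAlert.
    """
    for attempt in range(max_retries + 1):
        payload, tag = fetch(attempt)
        if hmac.compare_digest(record_tag(key, payload), tag):
            return payload, attempt
        # Cryptographic integrity error detected: loop round and request a resend.
    raise IntegrityAlert(
        f"integrity error on {max_retries + 1} consecutive deliveries; administrator alerted")


def flaky_sender(key: bytes, payload: bytes, corrupt_first: int):
    """Constructed PA side: the first `corrupt_first` deliveries arrive with one bit flipped."""
    tag = record_tag(key, payload)

    def fetch(attempt: int) -> tuple[bytes, bytes]:
        if attempt < corrupt_first:
            return bytes([payload[0] ^ 0x01]) + payload[1:], tag
        return payload, tag
    return fetch


if __name__ == "__main__":
    key = b"constructed-session-key"  # in the TOE this comes from the TLS handshake
    record = b"AUTH TERMINAL 07 AMOUNT 12.50"  # constructed sample record
    data, resends = receive_with_integrity(key, flaky_sender(key, record, 2))
    print(f"accepted after {resends} retransmissions: {data!r}")
    try:
        receive_with_integrity(key, flaky_sender(key, record, 10))
    except IntegrityAlert as alert:
        print("ALERT:", alert)
```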