Integrating requirements into a Protection Profile

Lessons learned from machine-readable travel documents (MRTD) PP consolidation
12th International Common Criteria Conference (12ICCC) 2011, Kuala Lumpur, Malaysia

28. September 2011

International standards provide the foundation for identity documents, such as [ICAO 9303] for machine-readable travel documents (MRTD). Such products must integrate the functionality of several standards. Without consolidation, each developer has to deal with the complexity of multiple PPs and with conflicting demands arising from diverse parts of the product. Because strict conformance enforces replication, integrating several PPs increases redundancy in the ST. The different parts of the product may also diverge in terms of assumptions, security objectives and measures.

In the present project, consolidation targets an MRTD that prefers the protocols EAC [PP55] and PACE [PP68] while maintaining support for BAC [PP56]. The aim of the consolidated PP is to facilitate smooth development of integrated products. The consolidation process is guided by amendments to the standards [ICAO_MRTDSupp] and technical reports [BSI-03110-2.05] that describe the security properties in technical detail. The aim of a consolidated PP is a clear structure of the security requirements, facilitating a lean process for the product developer.

Common Criteria, together with the corresponding protection profiles, defines conformance goals that rely on the multiple standards. At the level of an ST, merging product-related SFRs while maintaining strict conformance may fail. At the more abstract level of the PP, the effort can be reduced without violating the CC. The talk will show different strategies for achieving conformance in the context of PPs, and also of amendments and TRs. A summary of the lessons learned will be provided.

Slides are available via http://12iccc.cybersecurity.my/
