NSA: Key Recovery for End Systems PP
This PP is one in a series of protection profiles describing Key Recovery System (KRS)
components. KRSs provide a means to recover the key used for confidentiality within an
encrypted association and/or the confidentiality-protected data that has become unobtainable.
KRS components include End System component(s), End System component(s) with requestor
functionality, Requestor component(s), and Key Recovery Agent (KRA) component(s). Other
component(s) such as the Licensing Agent, the PKI source, and the Registration Agent are
considered to interact with the KRS, but are not a part of the system.
The Target of Evaluation (TOE) is the software application used by the KRS End System
component and the End System component that optionally implements Requestor functionality.
End Systems are parties or clients who generate confidentiality-protected data and wish to have
their data made recoverable through key recovery techniques. End Systems with requestor
functionality are end entities that interact with one or more KRA(s) to recover the key needed to
decrypt confidentiality-protected data generated by End Systems or to recover the actual data.
The two primary techniques are:
Key Encapsulation Technique, where the key(s), key part(s) or related information are
encrypted specifically for the KRA and are associated with (travel with) the encrypted data.
Key Escrow Technique, where the secret or private key(s), key parts, or key-related
information to be recovered are held by one or more KRAs in advance of any recovery request.
This PP is applicable to both key recovery techniques.
End Systems are the parties or clients who generate confidentiality-protected data and wish
to have their data made recoverable through key recovery techniques should this data become
unobtainable. There are two possible TOE configurations. One configuration consists of a
software application that implements End System key recovery functionality.
The other configuration consists of a software application implementing end system key
recovery functionality integrated with End System Requestor functionality. Requestors are those
entities that interact with one or more KRAs to recover the key needed to decrypt
confidentiality-protected data generated by End Systems and/or to recover the actual data. End
System Requestors may only recover their personal data. Personal data includes both data
originated from and received by the end system.
Both TOE configurations are limited to the software that implements End System and,
optionally, End System Requestor functionality; they do not include any underlying
cryptographic modules, operating systems or hardware, so the assurance claimed under this PP
does not extend to those components.
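The following is an added illustration of the data flow behind the two techniques named above and of the End System Requestor restriction to personal data; it is not code from the PP or from any evaluated product. It is a toy model: a small Diffie-Hellman group (2^127 - 1, generator 3) and a SHA-256 keystream stand in for the real public-key and symmetric primitives that the PP leaves to the excluded cryptographic module, so the block runs with only the Python standard library and offers no real security margin. The names used (Key Recovery Field/KRF, ESCROW, recover, the party identifiers) are this example's own assumptions, not identifiers defined by the PP.

```python
"""Toy model of the Key Encapsulation and Key Escrow techniques.

The group and cipher below are stand-ins chosen for readability, not for
security; a real End System calls a validated cryptographic module here.
"""
import hashlib
import secrets

# Toy DH group for the KRA's public key (assumption for illustration only).
P = (1 << 127) - 1
G = 3


def _kdf(shared: int) -> bytes:
    """Derive a 32-byte wrapping key from a shared group element (< 2^127)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) keystream XOR data.
    Symmetric, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def kra_keygen() -> tuple[int, int]:
    """KRA key pair: private x, public y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


# ---- Key Encapsulation Technique: key recovery information travels with the data

def encapsulate_for_kra(kra_pub: int, dek: bytes) -> tuple[int, bytes]:
    """Build the Key Recovery Field (KRF): the data-encrypting key wrapped under
    the KRA's public key, ElGamal-style (ephemeral g^r, DEK XOR KDF(y^r))."""
    r = secrets.randbelow(P - 2) + 1
    wrapped = _stream_xor(_kdf(pow(kra_pub, r, P)), dek)
    return pow(G, r, P), wrapped


def kra_decapsulate(kra_priv: int, krf: tuple[int, bytes]) -> bytes:
    """KRA recovers the DEK from the KRF with its private key (KDF((g^r)^x))."""
    ephemeral, wrapped = krf
    return _stream_xor(_kdf(pow(ephemeral, kra_priv, P)), wrapped)


def end_system_encrypt_encapsulation(kra_pub: int, originator: str,
                                     recipient: str, plaintext: bytes) -> dict:
    """End System: fresh DEK per association; the KRF is attached to the ciphertext."""
    dek = secrets.token_bytes(32)
    return {"from": originator, "to": recipient,
            "ciphertext": _stream_xor(dek, plaintext),
            "krf": encapsulate_for_kra(kra_pub, dek)}


# ---- Key Escrow Technique: the key itself is held by the KRA beforehand

ESCROW: dict[str, bytes] = {}   # KRA-side store: key identifier -> escrowed key


def end_system_register_escrow(key_id: str) -> bytes:
    """End System deposits its key with the KRA once, at registration."""
    key = secrets.token_bytes(32)
    ESCROW[key_id] = key
    return key


def end_system_encrypt_escrow(key_id: str, key: bytes, originator: str,
                              recipient: str, plaintext: bytes) -> dict:
    """No KRF is attached; the message only names which escrowed key was used."""
    return {"from": originator, "to": recipient,
            "ciphertext": _stream_xor(key, plaintext), "key_id": key_id}


# ---- KRA-side recovery with the End System Requestor restriction

def recover(requestor: str, message: dict, kra_priv: int) -> bytes:
    """An End System Requestor may recover only its personal data, i.e. data it
    originated or received, so the check is on the parties to the association."""
    if requestor not in (message["from"], message["to"]):
        raise PermissionError(f"{requestor} is not a party to this association")
    if "krf" in message:                        # encapsulation technique
        dek = kra_decapsulate(kra_priv, message["krf"])
    elif message.get("key_id") in ESCROW:       # escrow technique
        dek = ESCROW[message["key_id"]]
    else:
        raise LookupError("no key recovery information for this message")
    return _stream_xor(dek, message["ciphertext"])
```

The two branches of `recover` show the operational difference the PP's definitions imply: under encapsulation, recoverability depends on the End System attaching a correct KRF to every association (strip it and the data is unrecoverable), whereas under escrow the KRA already holds the key and the message need only identify it.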
The TOE configuration is based, in part, upon requirements and criteria from three
documents: the Technical Advisory Committee (TAC) report titled Requirements for Key
Recovery Products; the requirements detailed in the Information Assurance Technical
Framework (IATF) Release 2.0, dated August 1999; and the criteria defined in the Key
Recovery Evaluation Criteria (KREC), dated October 2, 1998. This PP describes a minimum set of
Information Technology (IT) security requirements that should be implemented by an End
System to provide maximum security within a KRS.