NSA: Key Recovery for Third Party Requestors PP
This Protection Profile is one in a series of Protection Profiles describing Key Recovery
System (KRS) components. Key Recovery Systems provide a means to access the key used for
confidentiality and/or the confidentiality-protected data within an encrypted association that has
become unattainable. KRS components include End Systems, End System component(s) that
optionally implement End-User Requestor functionality, Third-Party Requestor component(s),
and Key Recovery Agent (KRA) component(s). Although the Licensing Agent, Registration
Agent, and PKI source are not a part of the KRS, they may be required to ensure the optimal
implementation of the KRS.
The Target of Evaluation (TOE) is the software application used by the KRS Third Party Requestor component.
Third Party Requestors are organisations that interact with one or more
KRAs to recover the key needed to decrypt the confidentiality-protected data and/or to recover
the confidentiality protected data generated by end systems. Third Party Requestors typically
have to provide proof of authorisation for key recovery to the relevant KRAs and may also be
responsible for the location and collection of the Key Recovery Information (KRI).
Third Party Requestors are the parties that interact with one or more KRAs to recover the
key needed to decrypt the confidentiality-protected data, the confidentiality-protected data
itself, or both, as generated by the End System. The TOE is first accessed by the
person performing the role of requestor. After the requestor has been properly identified and
authenticated, the Third Party Requestor system accepts the KRI and its associated cipher text
from an End System requesting recovery. The requestor validates the KRI and is also able to
identify which KRAs are relevant to the key recovery process. The requestor then establishes an
association with the relevant KRA(s) and generates a key recovery request(s) for the specific
KRI. The KRA authenticates the requestor and determines if the requestor has authorised access
to the recovered key. The requestor is responsible for providing proof of authorisation to the
KRA. The KRA recovers the key, the plaintext data, or both from the KRI and returns the
response to the requestor system. The Third Party Requestor system processes the key recovery
response and returns the recovered key and/or the plaintext data to the end system.
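The exchange described above, modelled in runnable form as an added example; this is not code from the Protection Profile, NSA, or any KRS product. The PP specifies requirements, not message formats, so everything concrete below is an assumption: the KRI layout (KRA id, KRI id, wrapped session key), a symmetric key-encryption key known only to the KRA (a deployed KRS would wrap under the KRA's public key so that End Systems hold no KRA secret), an HMAC from an authorising party as the proof of authorisation, a shared secret for requestor-to-KRA authentication, and HMAC-SHA256 in counter mode standing in for a real cipher so that only the standard library is needed. The identifiers (kra-a, kra-b, requestor-1, kri-0001) and the message are constructed sample data. What the model shows that the narrative does not: the KRA, not the requestor, decides authorisation; a proof scoped to a different KRI is refused; a KRI altered in transit fails the integrity check; and the requestor can validate and route a KRI without being able to unwrap it.

```python
# Added illustrative model of the requestor/KRA exchange; not code from the PP or any KRS
# product. Assumed, not from the PP: the KRI format, a symmetric KEK held by the KRA (a real
# KRS wraps under the KRA's public key), HMAC authorisation proofs, shared-secret requestor
# authentication, and HMAC-SHA256 counter mode as the cipher.
import hashlib
import hmac
import os

NONCE, TAG = 16, 32

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(key, nonce, n):
    """HMAC-SHA256 counter-mode keystream (stand-in for a real cipher)."""
    return b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, data):
    """Encrypt-then-MAC under keys derived from key; returns nonce||ct||tag."""
    ek, mk = _mac(key, b"enc"), _mac(key, b"mac")
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(data, _stream(ek, nonce, len(data))))
    return nonce + ct + _mac(mk, nonce + ct)

def unseal(key, blob):
    """Inverse of seal(); returns None when the tag does not verify."""
    ek, mk = _mac(key, b"enc"), _mac(key, b"mac")
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, _mac(mk, nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def end_system_encrypt(kra_id, kek, kri_id, plaintext):
    """End System: returns (KRI, ciphertext); kri_id is bound inside the wrap."""
    session_key = os.urandom(32)
    wrapped = seal(kek, kri_id + session_key).hex().encode()
    return kra_id + b":" + kri_id + b":" + wrapped, seal(session_key, plaintext)

def parse_kri(kri):
    """Structural validation only: the requestor holds no KEK and cannot unwrap."""
    try:
        kra_id, kri_id, wrapped = kri.split(b":")
        return (kra_id, kri_id, bytes.fromhex(wrapped.decode())) if kra_id and kri_id else None
    except ValueError:
        return None

def issue_authorisation(authoriser_key, requestor_id, kri_id):
    """Proof of authorisation from the authorising party, scoped to one KRI."""
    return _mac(authoriser_key, b"authz:" + requestor_id + b":" + kri_id)

class KeyRecoveryAgent:
    def __init__(self, kra_id, kek, authoriser_key, requestor_secrets):
        self.kra_id, self.kek, self.authoriser_key = kra_id, kek, authoriser_key
        self.requestor_secrets = requestor_secrets  # requestor id -> shared secret

    def recover(self, requestor_id, kri, proof, auth_tag):
        secret = self.requestor_secrets.get(requestor_id)  # unknown requestor must not fall through
        if secret is None or not hmac.compare_digest(auth_tag, _mac(secret, requestor_id + kri + proof)):
            return "denied:authentication", None
        parsed = parse_kri(kri)
        if parsed is None or parsed[0] != self.kra_id:
            return "denied:not-my-kri", None
        _, kri_id, wrapped = parsed
        if not hmac.compare_digest(proof, issue_authorisation(self.authoriser_key, requestor_id, kri_id)):
            return "denied:authorisation", None
        inner = unseal(self.kek, wrapped)
        if inner is None or inner[:len(kri_id)] != kri_id:
            return "denied:integrity", None
        return "ok", inner[len(kri_id):]

class ThirdPartyRequestor:
    def __init__(self, requestor_id, secret, kras):
        self.requestor_id, self.secret, self.kras = requestor_id, secret, kras  # kra id -> KRA

    def recover_plaintext(self, kri, ciphertext, proof):
        """Validate the KRI, route to the KRA it names, decrypt; returns (status, plaintext)."""
        parsed = parse_kri(kri)
        if parsed is None or parsed[0] not in self.kras:
            return "denied:bad-or-unroutable-kri", None
        tag = _mac(self.secret, self.requestor_id + kri + proof)
        status, key = self.kras[parsed[0]].recover(self.requestor_id, kri, proof, tag)
        if status != "ok":
            return status, None
        plaintext = unseal(key, ciphertext)
        return ("ok", plaintext) if plaintext is not None else ("denied:integrity", None)

def demo():
    """Constructed scenario: one End System, two KRAs, one authorised requestor."""
    kek_a, kek_b, authoriser_key, secret = (os.urandom(32) for _ in range(4))
    kra_a = KeyRecoveryAgent(b"kra-a", kek_a, authoriser_key, {b"requestor-1": secret})
    kra_b = KeyRecoveryAgent(b"kra-b", kek_b, authoriser_key, {b"requestor-1": secret})
    tpr = ThirdPartyRequestor(b"requestor-1", secret, {b"kra-a": kra_a, b"kra-b": kra_b})
    kri, ct = end_system_encrypt(b"kra-b", kek_b, b"kri-0001", b"message under key recovery")
    good = issue_authorisation(authoriser_key, b"requestor-1", b"kri-0001")
    other = issue_authorisation(authoriser_key, b"requestor-1", b"kri-0002")  # wrong scope
    tampered = kri[:-1] + (b"0" if kri[-1:] != b"0" else b"1")  # alter the wrapped blob
    return {
        "recovered": tpr.recover_plaintext(kri, ct, good),
        "wrong_scope": tpr.recover_plaintext(kri, ct, other),
        "tampered_kri": tpr.recover_plaintext(tampered, ct, good),
        "requestor_cannot_unwrap": unseal(secret, parse_kri(kri)[2]),
    }
```

Calling demo() returns the outcome of each case: the authorised request yields the plaintext, the proof scoped to kri-0002 is refused by the KRA, the altered KRI fails the KRA's integrity check, and the requestor's own secret cannot unwrap the KRI. The KRA checks authentication first and authorisation second so that an unauthenticated party learns nothing about which KRI ids exist.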
The KRS Third Party Requestor system TOE consists of a software application as well as the
underlying software cryptomodule(s).
The TOE protects both TSF and User Data. TSF data within the Third Party Requestor
system includes the authentication data for the user, KRI, audit data, and other data that affects
the operation of the TOE. User data includes the associated cipher text and the privately held
keying information from the KRA or other source. The user referred to herein is the user of the
key recovery request system, i.e., the human operator who submits key recovery requests, acting
on behalf of authorised individuals.
The TOE maintains several roles for those persons authorised to access the system. They
consist of the security administrator, system administrator, crypto officer, the audit administrator,
and the operator. These are all trusted roles. The security administrator is responsible for
managing all security functions, such as identification and authentication, access control and
security management, except for audit and cryptographic support. The system
administrator operates the system, runs backups, and configures the system. The crypto officer is
responsible for key management. The audit administrator manages the audit log and audit
profiles. The operator is responsible for submitting third party key recovery requests on behalf
of individuals who are authorised to access the confidentiality-protected data.
The TOE security policy and key recovery policy are defined in a policy document. This
requirement is addressed in this protection profile by the requirement for an informal security
policy model. The security policy model must address and be consistent with the assignments
left to the ST author. In addition, the developer must ensure that the policy requirements are
reflected in the Administrative and User Guidance to ensure that they are followed by
administrators and users.
The TOE security requirements are based, in part, upon requirements and criteria from three
documents: the criteria defined in the Key Recovery Evaluation Criteria (KREC) prepared by
CygnaCom Solutions, Inc. dated October 2, 1998, the Technical Advisory Committee (TAC)
report titled Requirements for Key Recovery Products dated November 1998, and the
requirements detailed in the Information Assurance Technical Framework (IATF) Release 2.0
dated August 1999. The TAC report is a draft Federal Information Processing Standard (FIPS)
for key recovery products.
This PP describes a minimum set of Information Technology (IT) security requirements that
must be implemented by any Third Party Requestor that is part of a Key Recovery System.