NSA: PKI Directory PP
The DoD Class 4 PKI Protection Profile specifies the IT security requirements for directories that store and distribute PKI data such as X.509 certificates, certificate revocation lists (CRLs), and authority revocation lists (ARLs). DoD Class 4 PKI is for applications handling high value unclassified information.
The Target of Evaluation (TOE) is made up of a Directory System Agent (DSA) and its associated Administrative Directory User Agents (ADUAs). The TOE is a multi-user system that operates in a single level network.
The DoD Class 4 PKI Protection Profile specifies functional requirements in the areas of identification, authentication, access control, audit, confidentiality, integrity, availability, non-repudiation, secure replication, security management, and protection of the trusted security functions (TSF).
The Directory Target of Evaluation (TOE) is a software application that serves as a repository for Class 4 PKI data such as PKI certificates and certificate revocation lists. A Class 4 PKI directory is responsible for publishing PKI data for use by other trusted systems. Other non-PKI data such as location and phone number may be stored in a Directory along with the PKI data.
The Directory TOE is composed of a Directory System Agent (DSA) and one or more Administrative Directory User Agents (ADUAs) for trusted administrators. General users may access the directory using Directory User Agents (DUAs), but the DUA is not part of the TOE.
It is assumed that the Directory will use the X.500 information model. The DSA and ADUAs are part of a distributed system. Although the TOE consists of a single instance of a DSA, it is assumed that directory information will be distributed among multiple DSAs and that DSAs will exchange information. The Directory Protection Profile has been written to be protocol-independent and not to be limited to the Directory Access Protocol (DAP) or the Lightweight Directory Access Protocol (LDAP).
The directory relies upon other trusted components of the distributed system to provide it with security services such as a trusted operating system, cryptographic operations, key management, key recovery, intrusion detection, and monitoring. The Directory Server will be situated in a secure enclave behind a firewall. Communications between remote sites will be encrypted.
The PP was written to address the IT security requirements for the directory components of the Global Directory Service (GDS) program and the KMI program. The IT security requirements specified in Sections 5.1 and 5.2 are the security requirements that a trusted product is evaluated against. The PP does not intend to specify non-security functional and architecture requirements.
According to the DoD X.509 Certificate Policy, the DoD Class 4 PKI level is intended for applications handling high value, unclassified information. Class 4 products can be used for applications requiring Class 2 and Class 3 as well as those requiring Class 4 as shown in the list below:
Class 4 Applications:
- Digital signature services for unclassified mission critical or national security information in an unencrypted network;
- Protection (authentication and confidentiality) for information crossing classification boundaries when such a crossing is already permitted under a system security policy (e.g. sending unclassified information through a High Assurance Guard (HAG) from SIPRNET to NIPRNET);
- Technical non-repudiation for large value financial or electronic commerce applications.
Class 3 Applications:
- Digital signature services for mission critical and national security information on an encrypted network;
- Privacy and authentication in support of access control security services (e.g., separation of communities of interest) for access to classified Special Compartmented or Special Access information on networks protected using NSA-approved Type 1 cryptography appropriate to the data being protected, or on networks that are physically isolated and approved to process the classified data;
- Acceptable non-repudiation for small and medium value financial transactions other than transactions involving issuance or acceptance of contracts and contract modifications. This would include acceptance and payment for small and medium value financial transactions, travel claims, payroll, etc.
Class 2 Applications:
- Digital signature services for mission support or administrative data on any network;
- Key exchange for privacy of system high data in an encrypted network or for confidentiality of low value information on unclassified networks.