Project No.: -
Title: In November 2024, a set of five implementing acts related to European Digital Identity Wallets was adopted. As part of the overall EUDI architecture a ‘wallet secure cryptographic application’ (WSCA) is described. The main objective of the proposed work item is to develop a Common Criteria Protection Profile (PP) for such WSCA to ensure that the security requirements for a WSCA component of the European Digital Identity Wallet are clearly defined, standardized, and aligned with EUCC evaluation criteria.

The following course of action is envisioned:

1. Understand the WSCA Layer Requirements
   a. Review the Implementing Acts: Thoroughly analyze the sections of the implementing acts that describe the WSCA layer. Understand its role within the EUDI wallet architecture, its interactions with other components, and its security objectives.
   b. Identify Security Assets and Objectives: Determine the specific security objectives for the WSCA layer, such as confidentiality, integrity, availability, authentication, and non-repudiation.
2. Define the Security Environment
   a. Threat Analysis: Conduct a comprehensive threat analysis to identify potential threats to the WSCA layer. Consider both external and internal threats, including unauthorized access, data breaches, and denial of service attacks.
   b. Assumptions and Dependencies: Document any assumptions about the operational environment and dependencies on other components or systems. It shall be noted that a technology-agnostic PP is envisioned, allowing the industry to develop the WSCA based on different cryptographic devices (WSCDs) such as (embedded) secure elements (eSE) or hardware security modules (HSM), which are envisioned to be widely certified already.
3. Develop Security Functional Requirements (SFRs)
   a. Select Relevant SFRs: Based on the identified security objectives and threat analysis, select appropriate Security Functional Requirements from the Common Criteria catalog.
   b. Tailor SFRs: Customize the selected SFRs to address the specific needs and context of the WSCA layer.
4. Develop Security Assurance Requirements (SARs)
   a. Select Assurance Requirements: Choose Security Assurance Requirements that align with the desired level of assurance for the WSCA layer.
   b. Draft a rationale for considering the criticality of the WSCA layer within the EUDI architecture.
5. Draft the Protection Profile Document
   a. Structure the PP: Organize the Protection Profile document according to the Common Criteria guidelines, including sections for introduction, security problem definition, security objectives, SFRs, SARs, and rationale.
   b. Include Rationale: Provide a clear rationale for the selection of SFRs and SARs, demonstrating how they address the identified threats and meet the security objectives.
6. Submit for Standardization and Certification
   a. Compile the final draft of the Protection Profile and prepare any necessary documentation for submission to the relevant standardization bodies.
   b. In parallel to standardization, Common Criteria certification is prepared, including selection of certification body and evaluation facility, and examination of funding possibilities for this sub-task.

By following these steps, the task of developing a Common Criteria Protection Profile for the WSCA layer can be effectively managed, ensuring that it meets the security needs of the European Digital Identity Wallet and aligns with European standards.
Registration number (WIID): 82149
Status: Under development
ICS group: Not set