I.4 Unobservability (FPR_UNO)

Unobservability ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used.

User notes

Unobservability approaches the user identity from a different direction than the previous families Anonymity, Pseudonymity and Unlinkability. In this case, the intent is to hide the use of a resource or service, rather than to hide the user's identity.

A number of techniques can be applied to implement unobservability. Examples of techniques to provide unobservability are:

a) Allocation of information impacting unobservability: Unobservability relevant information (e.g. information that describes that an operation occurred) can be allocated in several locations within the TOE. The information might be allocated to a single randomly chosen part of the TOE such that an attacker does not know which part of the TOE should be attacked. An alternative system might distribute the information such that no single part of the TOE has sufficient information that, if circumvented, the privacy of the user would be compromised. This technique is explicitly addressed in FPR_UNO.2.

b) Broadcast: When information is broadcast (e.g. Ethernet, radio), users cannot determine who actually received and used that information. This technique is especially useful when information should reach receivers which have to fear a stigma for being interested in that information (e.g. sensitive medical information).

c) Cryptographic protection and message padding: People observing a message stream might obtain information from the fact that a message is transferred and from attributes on that message. By traffic padding, message padding and encrypting the message stream, the transmission of a message and its attributes can be protected.

Sometimes, users should not see the use of a resource, but an authorised user must be allowed to see the use of the resource in order to perform his duties. In such cases, FPR_UNO.4 could be used, which provides the capability for one or more authorised users to see the usage.

This family makes use of the concept "parts of the TOE". This is considered any part of the TOE that is either physically or logically separated from other parts of the TOE. In the case of logical separation FPT_SEP may be relevant.

Unobservability of communications may be an important factor in many areas, such as the enforcement of constitutional rights, organisational policies, or in defence related applications.

FPR_UNO.1 Unobservability

User application notes

This component requires that the use of a function or resource cannot be observed by unauthorised users.

In addition to this component, a PP/ST author might want to incorporate Covert Channel Analysis.

Operations

Assignment:

In FPR_UNO.1.1 the PP/ST author should specify the list of users and/or subjects against which the TSF must provide protection. For example, even if the PP/ST author specifies a single user or subject role, the TSF must not only provide protection against each individual user or subject, but must protect with respect to cooperating users and/or subjects. A set of users, for example, could be a group of users which can operate under the same role or can all use the same process(es).

For FPR_UNO.1.1 the PP/ST author should identify the list of operations that are subjected to the unobservability requirement. Other users/subjects will then not be able to observe the operations on a covered object in the specified list (e.g. reading and writing to the object).

For FPR_UNO.1.1 the PP/ST author should identify the list of objects which are covered by the unobservability requirement. An example could be a specific mail server or FTP site.

In FPR_UNO.1.1 the PP/ST author should specify the set of protected users and/or subjects whose unobservability information will be protected. An example could be: "users accessing the system through the internet".

FPR_UNO.2 Allocation of information impacting unobservability

User application notes

This component requires that the use of a function or resource cannot be observed by specified users or subjects. Furthermore this component specifies that information related to the privacy of the user is distributed within the TOE such that attackers might not know which part of the TOE to target, or they need to attack multiple parts of the TOE.

An example of the use of this component is the use of a randomly allocated node to provide a function. In such a case the component might require that the privacy related information shall only be available to one identified part of the TOE, and will not be communicated outside this part of the TOE.

A more complex example can be found in some voting algorithms. Several parts of the TOE will be involved in the service, but no individual part of the TOE will be able to violate the policy. So a person may cast a vote (or not) without the TOE being able to determine whether a vote has been cast and what the vote happened to be (unless the vote was unanimous).

In addition to this component, a PP/ST author might want to incorporate Covert Channel Analysis.

Operations

Assignment:

In FPR_UNO.2.1 the PP/ST author should specify the list of users and/or subjects against which the TSF must provide protection. For example, even if the PP/ST author specifies a single user or subject role, the TSF must not only provide protection against each individual user or subject, but must protect with respect to cooperating users and/or subjects. A set of users, for example, could be a group of users which can operate under the same role or can all use the same process(es).

For FPR_UNO.2.1 the PP/ST author should identify the list of operations that are subjected to the unobservability requirement. Other users/subjects will then not be able to observe the operations on a covered object in the specified list (e.g. reading and writing to the object).

For FPR_UNO.2.1 the PP/ST author should identify the list of objects which are covered by the unobservability requirement. An example could be a specific mail server or FTP site.

In FPR_UNO.2.1 the PP/ST author should specify the set of protected users and/or subjects whose unobservability information will be protected. An example could be: "users accessing the system through the internet".

For FPR_UNO.2.2 the PP/ST author should identify which privacy related information should be distributed in a controlled manner. Examples of this information could be: IP address of subject, IP address of object, time, used encryption keys.

For FPR_UNO.2.2 the PP/ST author should specify the conditions to which the dissemination of the information should adhere. These conditions should be maintained throughout the lifetime of the privacy related information of each instance. Examples of these conditions could be:

- "the information shall only be present at a single separated part of the TOE and shall not be communicated outside this part of the TOE.",
- "the information shall only reside in a single separated part of the TOE, but shall be moved to another part of the TOE periodically",
- "the information shall be distributed between the different parts of the TOE such that compromise of any 5 separated parts of the TOE will not compromise the security policy".

FPR_UNO.3 Unobservability without soliciting information

User application notes

This component is used to require that the TSF does not try to obtain information that might compromise unobservability when provided specific services. Therefore the TSF will not solicit (i.e. try to obtain from other entities) any information that might be used to compromise unobservability.

Operations

Assignment:

In FPR_UNO.3.1 the PP/ST author should identify the list of services which are subject to the unobservability requirement, for example, "the accessing of job descriptions".
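
The third example condition given for FPR_UNO.2.2 (compromise of any 5 separated parts of the TOE does not compromise the policy) can be met with threshold secret sharing. The Python code below is an added example, not part of the Common Criteria text: it uses Shamir's scheme, and the function names `split` and `combine`, the 9-part TOE and the sample record are assumptions made for illustration.

```python
import secrets

# 2**521 - 1 is a Mersenne prime: the field holds a record of up to 64 bytes.
P = 2**521 - 1


def split(record: bytes, parts: int, tolerated: int) -> list[tuple[int, int]]:
    """One share per TOE part; any `tolerated` shares reveal nothing,
    tolerated + 1 shares rebuild the record (Shamir secret sharing)."""
    if len(record) > 64:
        raise ValueError("record too long for the field")
    if not 0 < tolerated < parts:
        raise ValueError("need 0 < tolerated < parts")
    # A leading 0x01 byte keeps leading zero bytes through the int round trip.
    secret = int.from_bytes(b"\x01" + record, "big")
    # Random polynomial of degree `tolerated` with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(tolerated)]
    shares = []
    for x in range(1, parts + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def combine(shares: list[tuple[int, int]]) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return raw[1:]  # drop the 0x01 marker


if __name__ == "__main__":
    # Constructed sample record (documentation address ranges), 9 TOE parts.
    record = b"subj=192.0.2.10 obj=198.51.100.7 t=12:00:05"
    shares = split(record, parts=9, tolerated=5)
    print(combine(shares[:6]) == record)   # six parts cooperate
    print(combine(shares[:5]) == record)   # five compromised parts
```

Five shares interpolate to an unrelated field element, so `combine` on them returns bytes that carry no information about the record.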