General System Requirements

This section specifies the security requirements for the whole of a Cryptographic Key Recovery System. Further requirements are listed under individual components.

General Requirements:

Confidentiality. All keys and data held in a Cryptographic Key Recovery System shall be protected against disclosure to unauthorized individuals.

Policy. System Policy must include the ability to decide when (if ever) key recovery is to be used, the mechanism(s) of use, and who is authorized as requestors.

Strength. The security of a Cryptographic Key Recovery System should not be dependent on any mathematical or other assumptions which are not required to maintain the security of the underlying cryptosystem.

Configurable Capability:

Single Point of Failure. The Cryptographic Key Recovery System should be designed so that it could be configured to operate such that a failure by a single person, procedure or mechanism does not compromise the confidentiality of the keys or data.

Optional Capabilities:

Identity. Users may be capable of hiding the identity of their Key Recovery Agent(s) from all but authorized requestors. A Key Recovery Agent may be capable of hiding the identity of its users.

Interoperability. A Cryptographic Key Recovery System may be able to validate itself and its policy to another Cryptographic Key Recovery System and limit interoperability (by refusals or warnings) based on the results of validation information.

End User Product Requirements

This section specifies the security requirements for products intended for use by individuals to encrypt or decrypt data in a Cryptographic Key Recovery System.

General Requirements:

Confidentiality. No keys or plaintext data held by an end user in a Cryptographic Key Recovery System shall be disclosed to unauthorized individuals.

Policy.
To the extent left undecided by System Policy, end user products should enable users to decide when (if ever) key recovery is to be used, the mechanism(s) of use, and who is authorized as requestors.

Configurable Capability:

Single Point of Failure. End user products should be designed so that they could be configured to operate such that a failure by a single procedure or mechanism does not compromise the confidentiality of the keys or data.

Optional Capabilities:

Key Recovery Agent Identity. Users may be capable of hiding the identity of their Key Recovery Agent(s) from all but authorized requestors.

Non-Repudiation. End user products may provide non-repudiation with proof of origin and proof of receipt for all communication with a Key Recovery Agent.

Interoperability. An end user product may be able to validate itself and its policy to another end user product and limit interoperability (by refusals or warnings) based on the results of validation information.

Key Recovery Agent Security

This section specifies the security requirements for Key Recovery Agents. Generally, Key Recovery Agents should protect all sensitive information from access, modification, or destruction.

General Requirements:

Confidentiality. All keys and data held by the Key Recovery Agent shall be protected against disclosure to unauthorized individuals. A Key Recovery Agent shall implement appropriate security policies to ensure the confidentiality of the keys or data held. A Key Recovery Agent shall provide appropriate protection to keys or data during a release to an authorized requestor.

Policy. System Policy must include the ability to decide when (if ever) key recovery is to be used, the mechanism(s) of use, and who is authorized as requestors.

Configurable Capabilities:

Single Point of Failure.
The Key Recovery Agent should be designed so that it could be configured to operate such that a failure by a single person, procedure or mechanism does not compromise the confidentiality of the keys or data.

Confidentiality. A Key Recovery Agent should be designed so that it could be configured such that users are prevented from viewing or printing plaintext keys. A Key Recovery Agent should be designed so that it could be configured to maintain the confidentiality of information related to lawfully authorized release requests (e.g. identity of requestor, identity of user).

Integrity. A Key Recovery Agent should be designed so that it could be configured to provide data to "prove" that keys and data have not been altered.

Access Control. A Key Recovery Agent should be designed so that it could be configured to operate such that individuals must uniquely identify themselves and be authenticated prior to accessing keys or data. A Key Recovery Agent should be designed so that it could be configured to require authentication of release requests.

Non-Repudiation. A Key Recovery Agent should be designed so that it could be configured to operate such that proof of origin and proof of receipt are provided for the transfer of key recovery information to an authorized requestor.

Audit. A Key Recovery Agent should be designed so that it could be configured to maintain data regarding recovery requests received, release of keys or other required material to requestors, database changes, system administration access, and dates of such events.

Optional Capabilities:

Capabilities. A Key Recovery Agent may support different capabilities for different types of authorized requestors.

Key Recovery Agent Identity. Users may be capable of hiding the identity of their Key Recovery Agent(s) from all but authorized requestors. A Key Recovery Agent may be capable of hiding the identity of its users.

Non-Repudiation.
A Key Recovery Agent may provide non-repudiation with proof of origin and proof of receipt for the receipt of keys or data from a user.

Product Vendor Security

There are no security requirements for Product Vendors, only for the products they produce.

Registration Agent Security

This section specifies the security requirements for Registration Agents. Generally, Registration Agents should protect all sensitive information from modification.

General Requirements:

Integrity. A Registration Agent should be designed so that it can be configured to provide data to "prove" that the vendor-specific information it maintains has not been altered.

Non-Repudiation. A Registration Agent should be designed so that it can be configured to provide proof of origin and proof of receipt for the transfer of vendor-specific information.

Authentic Public Key Source Security

This section specifies the security requirements for Authentic Public Key Sources. Generally, Authentic Public Key Sources should protect all sensitive information from access, modification, or destruction.

General Requirements:

Confidentiality. All private keys generated and maintained by the Authentic Public Key Source shall be protected against disclosure to unauthorized individuals.

Policy. System Policy must include the ability to decide when the Authentic Public Key Source's private key is to be used, the mechanism(s) of use, and who is authorized to use it.

Configurable Capabilities:

Single Point of Failure. The Authentic Public Key Source should be designed so that it could be configured to operate such that a failure by a single person, procedure or mechanism does not compromise the confidentiality of the keys or data.

Confidentiality. An Authentic Public Key Source should be designed so that it could be configured such that users are prevented from viewing or printing plaintext keys.
An Authentic Public Key Source should be designed so that it could be configured to maintain the confidentiality of operations it performs.

Integrity. An Authentic Public Key Source should be designed so that it could be configured to provide data to "prove" that keys and data have not been altered.

Access Control. An Authentic Public Key Source should be designed so that it could be configured to operate such that individuals must uniquely identify themselves and be authenticated prior to accessing keys or data.

Audit. An Authentic Public Key Source should be designed so that it could be configured to maintain data regarding the generation and use of private keys and dates of such events.

Optional Capabilities:

Capabilities. An Authentic Public Key Source may support different capabilities for different types of Key Recovery Systems (Private Key Escrow versus Key Encapsulation).

Licensing Agent Security

This section specifies the security requirements for Licensing Agents. Generally, Licensing Agents should protect the transfer of Key Recovery Agent authorization information.

General Requirement:

Non-Repudiation. A Licensing Agent should be designed so that it can be configured to provide proof of origin and proof of receipt for the transfer of Key Recovery Agent authorization information.
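The single-point-of-failure requirement stated above for the system as a whole, for the Key Recovery Agent and for the Authentic Public Key Source is usually met by splitting custody of an escrowed key. The following Python example is added here and is not part of the requirements document or of any vendor's product; it shows Shamir threshold sharing of a constructed 256-bit key among several custodians, so that any quorum of shares reconstructs the key while a below-quorum set (a single compromised custodian, for instance) yields nothing usable.

```python
import secrets

# Mersenne prime M521 (2**521 - 1): any key of up to 512 bits is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, custodians: int):
    """Split an escrowed key into one (x, y) share per custodian.

    The key is the constant term of a random polynomial of degree
    threshold-1; every other coefficient is uniformly random, so fewer
    than `threshold` shares carry no information about the key.
    """
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never issued as a share, since f(0) is the key itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def recover_key(shares, key_len: int):
    """Lagrange-interpolate f(0) from a quorum of shares.

    Returns the key bytes, or None when the interpolated value does not fit
    a key of the stated length (which, with overwhelming probability, is what
    a below-quorum set of shares produces).
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total.bit_length() > 8 * key_len:
        return None
    return total.to_bytes(key_len, "big")
```

Each custodian's share should itself be stored under the access-control and audit requirements above; the split only removes the single point of failure, it does not replace per-custodian protection.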