Security Service Packages: Partitioning the Security Space

The Common Criteria has been developed, through an international effort, to represent elementary security specifications. Protection Profiles for Security Service Packages (SSPs) are being investigated as a way to bundle these security specifications into larger packages than currently provided by the Common Criteria. The basic utility of an SSP is to provide some assistance in selecting appropriate security functional requirements (SFRs) in the construction of Protection Profiles and Security Targets. As a consequence, the principal challenge in using and evaluating an SSP is to understand the subtle relationships between the SSP under consideration and any unresolved Target of Evaluation (TOE) environmental threats and assumptions. This article describes a project that produced a draft SSP for access control and used the draft SSP to help write a Security Target.A Security Target was developed for the Axalto Cryptoflextm smart card using the access control SSP. While the SSP did make this task easier, it also illustrated the problem of choosing to write an SSP aimed at a “typical” system utilization versus a “minimal” system. The Cryptoflextm is a minimal system implementing access control. As a result, there were some problems discriminating between requirements for the card and requirements for the system using the card. Our experience with SSPs indicates that some systems will have to augment the SSP’s security requirements; others (such as the smart card) will delete requirements from the SSP. The value of using a Security Service Package to write an ST is therefore to make documents easier and quicker to write, to enhance completeness, and to promote consistency across the set of SSPs.