Security Target of Huawei 3900 Series LTE eNodeB Software

  • View
    224

  • Download
    9

Embed Size (px)

Text of Security Target of Huawei 3900 Series LTE eNodeB Software

  • Security Target of Huawei 3900 Series LTE eNodeB Software

    Version: 2.6 Last Update: 2011-10-17 Author: Huawei Technologies Co., Ltd.

  • Huawei 3900 Series LTE eNodeB Software Security Target

    - 2 -

    Table of Contents 1. Introduction ___________________________________________________________________81.1. ST Reference __________________________________________________________________81.2. TOE Reference_________________________________________________________________81.3. TOE Overview _________________________________________________________________81.3.1.TOE usage ____________________________________________________________________91.3.2.TOE type_____________________________________________________________________101.3.3.Non TOE Hardware and Software________________________________________________111.4. TOE Description ______________________________________________________________161.4.1.Logical Scope _________________________________________________________________161.4.2.Physical Scope ________________________________________________________________202. Conformance claim ____________________________________________________________223. Security Problem Definition _____________________________________________________233.1. TOE Assets ___________________________________________________________________233.2. Threats ______________________________________________________________________233.2.1.Threats by Eavesdropper _______________________________________________________243.2.2.Threats by Internal Attacker ____________________________________________________243.2.3.Threats by restricted authorized user _____________________________________________243.3. Organizational Policies _________________________________________________________253.3.1.P1.Audit _____________________________________________________________________253.3.2.P2.S1_Encryption _____________________________________________________________253.3.3.P3.X2_Encryption _____________________________________________________________253.3.4.P4.UU_Encryption_____________________________________________________________253.4. Assumptions __________________________________________________________________253.4.1.Physical ______________________________________________________________________253.4.2.Personnel ____________________________________________________________________253.4.3.Connectivity __________________________________________________________________263.4.4.Support ______________________________________________________________________263.4.5.SecurePKI____________________________________________________________________264. Security Objectives ____________________________________________________________274.1. Security Objectives for the TOE__________________________________________________274.2. Security Objectives for the Operational Environment________________________________284.3. Security Objectives rationale ____________________________________________________284.3.1.Coverage _____________________________________________________________________284.3.2.Sufficiency ___________________________________________________________________295. Security Requirements for the TOE_______________________________________________325.1. Security Requirements _________________________________________________________325.1.1.Security Audit (FAU)___________________________________________________________325.1.1.1. FAU_GEN.1 Audit data generation __________________________________________325.1.1.2. FAU_GEN.2 User identity association ________________________________________325.1.1.3. FAU_SAR.1 Audit review __________________________________________________335.1.1.4. FAU_SAR.3 Selectable Audit review _________________________________________335.1.1.5. FAU_STG.1 Protected audit trail storage _____________________________________335.1.1.6. FAU_STG.3 Action in case of possible audit data loss ___________________________335.1.2.Cryptographic Support (FCS) ___________________________________________________335.1.2.1. FCS_COP.1/Sign Cryptographic operation____________________________________33

  • Huawei 3900 Series LTE eNodeB Software Security Target

    - 3 -

    5.1.2.2. FCS_COP.1/SSL Cryptographic operation ____________________________________345.1.2.3. FCS_COP.1/UU Cryptographic operation_____________________________________345.1.2.4. FCS_COP.1/S1 Cryptographic operation _____________________________________345.1.2.5. FCS_COP.1/X2 Cryptographic operation _____________________________________345.1.2.6. FCS_CKM.1/SSL Cryptographic key generation _______________________________355.1.2.7. FCS_CKM.1/UU Cryptographic key generation________________________________355.1.2.8. FCS_CKM.1/S1 Cryptographic key generation ________________________________355.1.2.9. FCS_CKM.1/X2 Cryptographic key generation ________________________________355.1.3.User Data Protection (FDP) _____________________________________________________355.1.3.1. FDP_ACC.1/Local Subset access control ______________________________________355.1.3.2. FDP_ACF.1/Local Security attribute based access control _______________________365.1.3.3. FDP_ACC.1/Domain Subset access control ____________________________________365.1.3.4. FDP_ACF.1/Domain Security attribute based access control _____________________365.1.3.5. FDP_ACC.1/EMSCOMM Subset access control________________________________375.1.3.6. FDP_ACF.1/EMSCOMM Security attribute based access control _________________375.1.4.Identification and Authentication (FIA) ___________________________________________385.1.4.1. FIA_AFL.1 Authentication failure handling ___________________________________385.1.4.2. FIA_ATD.1 User attribute definition _________________________________________385.1.4.3. FIA_SOS.1 Verification of secrets ___________________________________________395.1.4.4. FIA_UAU.1 Timing of authentication ________________________________________395.1.4.5. FIA_UAU.5 Multiple authentication mechanisms_______________________________395.1.4.6. FIA_UID.1 Timing of identification__________________________________________395.1.5.Security Management (FMT) ____________________________________________________405.1.5.1. FMT_MSA.1 Management of security attributes _______________________________405.1.5.2. FMT_MSA.3 Static attribute initialization ____________________________________405.1.5.3. FMT_SMF.1 Specification of Management Functions ___________________________405.1.5.4. FMT_SMR.1 Security roles_________________________________________________415.1.6.TOE access (FTA) _____________________________________________________________415.1.6.1. FTA_TSE.1/SEP TOE session establishment___________________________________415.1.6.2. FTA_TSE.1/Local TOE session establishment _________________________________415.1.7.Trusted Path/Channels (FTP)____________________________________________________425.1.7.1. FTP_TRP.1/WebLMT Trusted path _________________________________________425.1.7.2. FTP_ITC.1/IntegratedPort Inter-TSF trusted channel __________________________425.2. Security Functional Requirements Rationale _______________________________________425.2.1.Coverage _____________________________________________________________________425.2.2.Sufficiency ___________________________________________________________________445.2.3.Security Requirements Dependency Rationale ______________________________________455.3. Security Assurance Requirements ________________________________________________475.4. Security Assurance Requirements Rationale _______________________________________486. TOE Summary Specification ____________________________________________________496.1. TOE Security Functionality _____________________________________________________496.1.1.Authentication ________________________________________________________________496.1.2.Access control_________________________________________________________________496.1.3.Auditing _____________________________________________________________________516.1.4.Communications security _______________________________________________________516.1.5.UU Interface Encryption________________________________________________________526.1.6.S1 Interface Encryption ________________________________________________________526.1.7.X2 Interface Encryption ________________________________________________________53

  • Huawei 3900 Series LTE eNodeB Software Security Target

    - 4 -

    6.1.8.Resource management__________________________________________________________536.1.9.Security function management ___________________________________________________546.1.10. Digital Signature__________________________________________________________557. Abbreviations, Terminology and References________________________________________577.1. Abbreviations _________________________________________________________________577.2. Terminology __________________________________________________________________587.3. References____________________________________________________________________58

  • Huawei 3900 Series LTE eNodeB Software Security Target

    - 5 -

    List of figures Figure 1 LTE/SAE network __________________________________________________________11 Figure 2 BBU3900 subrack __________________________________________________________11 Figure 3 Non TOE hardware and software environment _________________________________12 Figure 4 Software architecture _______________________________________________________16 Figure 5 TOE Logical Scope_________________________________________________________17

  • Huawei 3900 Series LTE eNodeB Software Security Target

    - 6 -

    List of tables Table 1 Physical Scope _____________________________________________________________21 Table 2 TOE assets ________________________________________________________________23 Table 3 Threats agents _____________________________________________________________23 Tabl