S 4.86 Secure separation of roles and configuration with crypto modules
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer
Many cryptographic security components offer the option of distinguishing between multiple user roles and the actions that the authorised personnel in each role may execute. Depending on the protection requirements, access control and authentication mechanisms may be necessary so that the component can verify whether a user is in fact authorised to execute the requested service. The various roles can be sensibly subdivided as follows:
- User role, whose function is the utilisation and application of the security component (e.g. subscriber or user)
- Operator role, with responsibility for installation and crypto management (e.g. security administrator)
Plus at least one:
- Maintenance role, with responsibility for maintenance and repair work (e.g. maintenance engineer, auditor)
If the crypto components offer the option of separating the user role and the administrator role, this should be done. The administration should also specify basic settings, such as the password length or key length, to ensure that it is impossible for users to select insecure settings out of convenience or lack of knowledge.
In addition to the various roles, it is also necessary to distinguish in the same way between the various actions, i.e. the services provided by the security component. A crypto module should provide the following services, at the very least:
- Status indication, for output of the current status of the crypto component
- Self-test, for the initialisation and execution of autonomous self-tests
- Bypass, for activating and deactivating a bypass by means of which plaintext information or unsecured data is transported through the crypto module
It is essential for staff to be authenticated with respect to the security component, and a wide range of different techniques can be used: passwords, PINs, cryptographic keys, biometric features etc. The crypto component should be configured such that the authentication information has to be re-entered every time there is a role change or after a specified period of inactivity. It is also advisable in this connection to set a restriction on the number of authentication attempts (for example by setting the maximum operating error counter to 3).
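The following model, an added example that is not part of the safeguard text, shows how the role and service separation above can be enforced in a crypto module together with the authentication rules of this paragraph: each service is bound to the roles allowed to call it (the assignment of bypass to the operator role alone is an assumption), every role change requires the credential to be entered again, a session expires after an assumed inactivity timeout, and the module locks after the operating error counter reaches 3. The credential store, secrets and timeout value are constructed for the example.

```python
import hashlib
import hmac

# Constructed example, not code from the safeguard: a crypto-module model that separates
# roles from services, re-authenticates on role change or inactivity, and locks after 3 failures.
SERVICE_ROLES = {            # which roles may call which service (assumed assignment)
    "status": {"user", "operator", "maintenance"},
    "self_test": {"operator", "maintenance"},
    "bypass": {"operator"},  # only the security administrator may route plaintext through
}
MAX_ATTEMPTS = 3             # operating error counter from the safeguard; lockout when reached
INACTIVITY_TIMEOUT = 300     # seconds; assumed value, set by the operator

def make_credentials(secrets):
    """role -> SHA-256 digest of its password/PIN (simplified storage for the example)."""
    return {r: hashlib.sha256(s.encode()).hexdigest() for r, s in secrets.items()}

class CryptoModule:
    def __init__(self, credentials, clock):
        self._creds = credentials
        self._clock = clock          # e.g. time.monotonic; injectable to test the inactivity rule
        self._role = None            # currently authenticated role, if any
        self._last_activity = 0.0
        self._failures = 0           # consecutive failed authentications

    def authenticate(self, role, secret):
        """Enter a role; every role change goes through here and needs the secret again."""
        if self._failures >= MAX_ATTEMPTS or role not in self._creds:
            return False             # locked out, or unknown role
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._creds[role]):
            self._failures += 1
            self._role = None        # a failed change of role ends the previous session too
            return False
        self._failures = 0
        self._role = role
        self._last_activity = self._clock()
        return True

    def request(self, service):
        """OK, DENIED (role not permitted) or AUTH_REQUIRED (no active session)."""
        if self._role is None:
            return "AUTH_REQUIRED"
        now = self._clock()
        if now - self._last_activity > INACTIVITY_TIMEOUT:
            self._role = None        # session expired: credentials must be re-entered
            return "AUTH_REQUIRED"
        if self._role not in SERVICE_ROLES.get(service, set()):
            return "DENIED"
        self._last_activity = now
        return "OK"
```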
Review questions:
- Are the administrative options of crypto components used to specify secure basic settings?
- Does the authentication information have to be re-entered every time there is a role change or after a specified period of inactivity?