
BSI TR-ESOR C.1


Contents

1. Table 1: Definition of test data

   Container name            | XML schema | Binary | Preservation | Signature
   XAIP_OK                   | Valid      | No     | Future       | No signature
   XAIP_OK_Sig               | Valid      | No     | Future       | Valid
   XAIP_OK_SigWrong          | Valid      | No     | Future       | Not valid
   XAIP_OK_EXPIRED           | Valid      | No     | Past         | No signature
   XAIP_OK_EXPIRED_Sig       | Valid      | No     | Past         | Valid
   XAIP_OK_EXPIRED_SigWrong  | Valid      | No     | Past         | Not valid
   XAIP_NOK                  | Not valid  | No     | Future       | No signature
   XAIP_NOK_Sig              | Not valid  | No     | Future       | Valid
   XAIP_NOK_SigWrong         | Not valid  | No     | Future       | Not valid
   XAIP_NOK_EXPIRED          | Not valid  | No     | Past         | No signature
   XAIP_NOK_EXPIRED_Sig      | Not valid  | No     | Past         | Valid
   XAIP_NOK_EXPIRED_SigWrong | Not valid  | No     | Past         | Not valid
   BIN_OK                    |            | Yes    | Future       | No signature
   BIN_OK_Sig                |            | Yes    | Future       | Valid
   BIN_OK_SigWrong           |            | Yes    | Future       | Not valid
   BIN_OK_EXPIRED            |            | Yes    | Past         | No signature
   BIN_OK_EXPIRED_Sig        |            | Yes    | Past         | Valid
   BIN_OK_EXPIRED_SigWrong   |            | Yes    | Past         | Not valid

   4.4 Occurring Abbreviations

   Abbreviation | Meaning
   AES 128      | Advanced Encryption Standard, 128 bits
   AOID         | Archive Object Identifier
   ATS          | Archive Time Stamp
   BIN          | Binary
   BSI          | Federal Office for Information Security
   C14N         | Canonical XML
   CA           | Certification Authority
   CMS          | Cryptographic Message Syntax
   CRL          | C

   (Federal Office for Information Security, BSI TR-ESOR-C.1 Functional Conformity Test Specification, page 16)
2. Requirement: M1.A4.2.6
   Test Purpose: The test shall verify that any change of metadata or data objects within an XAIP or BIN is based on the principles defined in the TR documentation.
   Configuration: CONFIG_ArchiSafe
   Pre-test conditions:
   - The middleware documentation is available.
   - The user has administration rights on the system.
   - Test case S.4.2.4 has been tested successfully.
   Test steps:
   1. Check the middleware documentation for the procedure of the update process.
      Expected result: The data update function is documented as defined in the TR. If the update functionality is supported, it is important that per update a new version manifest is created, new or updated data is added, and for removed data only the links in the new version manifest are removed; the data itself stays stored in the XAIP/BIN.
   2. Store an XAIP_OK or BIN_OK using the interface function Archive Submission Request.
      Expected result: The call is successful; a valid AOID is returned.
   3. Use the Archive Update Request with the returned AOID to update metadata in the archived XAIP_OK/BIN_OK.
      Expected result: The call is possible; no error is returned.
   4. Use the Archive Retrieval Request with the returned AOID to request the XAIP_OK and check whether the version manifest has been changed.
      Expected result: The call is successful; the version manifest has been changed.
   5. Use the Archive Update Request with the returned
      Expected result: The call is possible; no error i
3. be received.
   5. Use the interface function Archive Retrieval Request with the AOID of the archived BIN_OK and an older versionID as the parameters.
      Expected result: The call of the function with this AOID and versionID is possible, and the appropriate version of BIN_OK, embedded in an XAIP, is received.
   6. Use the interface function Archive Evidence Request with the AOID of the archived BIN_OK and an older versionID as the parameters.
      Expected result: The call of the function with this AOID and versionID is possible, and the appropriate Evidence Record of BIN_OK is received. The retrieved Evidence Record can be positively verified by an appropriate tool.
   7. Compare the two hash values of the Evidence Records.
      Expected result: The hash values of the two Evidence Records are not equal. This demonstrates that per archive object, and also per version of an archive object, a unique hash value is generated.
   Verdict:

   5.4.11 M.3.11 Canonicalisation of XML is performed prior to hashing and noted in the XAIP
   Requirement: M3.A4.3.1, M3.A4.3.2
   Test Purpose: The test shall verify that the algorithm used for the canonicalisation is entered into the corresponding field of the package header of the XAIP before canonicalisation and hash value calculation.
   Note: If the product supports submission of BIN data only, the test case may be passed as fulfilled.
4. Verdict:

   5.1.11 A.11 SASL Support
   Identifier: A.11
   Requirement: AS.A6.1.5
   Test Purpose: The test verifies that design and implementation of the interface support the Simple Authentication and Security Layer (SASL).
   Configuration: CONFIG_Common
   Pre-test conditions: none
   Test steps:
   1. Check the TOT interface design documentation whether SASL is supported.
      Expected result: The TOT interfaces support SASL.
   Verdict:

   5.2 Module 1: ArchiSafe
   Presupposition: A product which claims to comply with the M.1 ArchiSafe specification of this TR has to pass
   - all test cases in this section, and
   - all test cases for the interface S.4 specified in Section 5.5.4, or prove that it supports functionally analogous interfaces.

   5.2.1 M.1.01 ArchiSafe module satisfies the requirements of PP-0049
   Requirement: MD.A7.3.2, M1.A3.3.1
   Test Purpose: The test shall verify that the ArchiSafe module satisfies the requirements of PP-0049 (ACMPP protection profile) as published by the Federal Office for Information Security (BSI).
   Configuration: CONFIG_ArchiSaf
5. SignRequest (if the function exists).
   6. Observe the output of the interface function SignResponse.
      Expected result: Positive feedback is received; no error message or error code.
   7. Transfer the hash of the archival information package XAIP_OK_Sig or BIN_OK_Sig to the TOT using the interface S.3 function TimestampRequest.
      Expected result: The call of the function with this hash as parameter is possible.
   8. Observe the output of the interface function TimestampResponse.
      Expected result: Positive feedback is received; no error message or error code.
   9. Transfer the archival information package XAIP_OK or BIN_OK to the TOT using the interface S.3 function HashRequest.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   10. Observe the output of the interface function HashResponse.
      Expected result: Positive feedback is received; no error message or error code.
   Verdict:

   5.1.7 A.07 Secure administration interfaces
   Requirement: MD.A6.1.4
   Test Purpose: The test shall verify that the middleware supports secure external administration and configuration possibilities.
   Configuration: CONFIG_ArchiSafe
   Pre-test conditions:
   - The middleware is installed and configured.
   - The middleware documentation is available.
   - The user has administration rights on the system.
   Test steps:
6. Configuration: CONFIG_Common
   Pre-test conditions:
   - Developer documents are present.
   Test steps:
   1. Prepare an XAIP_OK in such a way that it is not canonicalised, e.g. by entering some blanks between tags. Check that no AOID and no canonicalisation algorithm is stated in the XAIP.
      Expected result: Calculate the hash values for the special XAIP and for the XAIP retrieved in step 3 manually (see annex TR-ESOR-M.3, chapter 2.4.1, for details).
   2. Submit this special XAIP to the archive using the respective S.4 function.
      Expected result: This works without error.
   3. Retrieve this special XAIP using the respective S.4 function.
      Expected result: This works; the XAIP is retrieved.
   4. Compare the retrieved XAIP and the original XAIP.
      Expected result: The retrieved XAIP is canonicalised, and the AOID and the canonicalisation algorithm are stated in the XAIP.
   5. Retrieve the ERS for the special XAIP using the respective S.4 function.
      Expected result: The ERS can be retrieved. The hash value used in the ERS matches the canonicalised XAIP containing the AOID and the canonicalisation algorithm.
   Verdict:

   5.4.12 M.3.12 Hashing of relevant parts is performed with suitable algorithms
   Requirement: M3.A4.4.1, M3.A4.4.2
   Test Purpose: The test shall verify that the calculation of the hash value for the rel
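The M.3.11 steps above, together with the per-version hash comparison in excerpt 3, reduce to one mechanical check: canonicalise first, then hash, and make sure the AOID and the canonicalisation method are already inside what gets hashed. The following is an added example written for this page, not code from the BSI specification or from any TR-ESOR product. It assumes a simplified stand-in for the XAIP schema (element names packageHeader, AOID, canonicalizationMethod, versionManifest, dataObjectPointer are illustrative), uses the C14N 2.0 transformation from Python's standard library, records its algorithm as the URI http://www.w3.org/2010/xml-c14n2, and works on constructed sample XAIPs.

```python
import hashlib
from xml.etree.ElementTree import SubElement, canonicalize, fromstring, tostring

# Algorithm identifier for the C14N 2.0 transformation that
# xml.etree.ElementTree.canonicalize implements (assumption: a product
# would record its method as such a URI in the package header).
C14N2_URI = "http://www.w3.org/2010/xml-c14n2"


def canonical_bytes(xaip_xml: str) -> bytes:
    """C14N form of an XAIP. strip_text drops the whitespace-only text
    nodes that appear when a tester 'enters some blanks between tags'."""
    return canonicalize(xaip_xml, strip_text=True).encode("utf-8")


def xaip_hash(xaip_xml: str, algorithm: str = "sha256") -> bytes:
    """Hash of the canonicalised XAIP (C14N first, then hash)."""
    return hashlib.new(algorithm, canonical_bytes(xaip_xml)).digest()


def note_aoid_and_c14n(xaip_xml: str, aoid: str, c14n_uri: str = C14N2_URI) -> str:
    """ArchiSig-side step: enter the AOID and the canonicalisation method into
    the package header before the hash is calculated. Refuses an XAIP that
    already carries them, which is what M.3.11 step 1 checks for."""
    root = fromstring(xaip_xml)
    header = root.find("packageHeader")
    if header is None:
        raise ValueError("XAIP without packageHeader")
    if header.find("AOID") is not None or header.find("canonicalizationMethod") is not None:
        raise ValueError("AOID or canonicalisation method already present")
    SubElement(header, "AOID").text = aoid
    SubElement(header, "canonicalizationMethod").set("Algorithm", c14n_uri)
    return tostring(root, encoding="unicode")


def add_version_manifest(xaip_xml: str, version_id: str, data_object_ids) -> str:
    """Update step: a new version manifest is appended; existing data objects
    stay in the XAIP, only the manifest's links change."""
    root = fromstring(xaip_xml)
    manifest = SubElement(root, "versionManifest")
    manifest.set("VersionID", version_id)
    for oid in data_object_ids:
        SubElement(manifest, "dataObjectPointer").set("dataObjectID", oid)
    return tostring(root, encoding="unicode")


def ers_hash_matches(retrieved_xaip: str, ers_hash: bytes, algorithm: str = "sha256") -> bool:
    """M.3.11 step 5: the hash in the ERS must equal the hash of the
    canonicalised XAIP that already contains AOID and algorithm."""
    return xaip_hash(retrieved_xaip, algorithm) == ers_hash


# Constructed sample: the same XAIP once tidy and once with blanks and
# newlines between tags (the 'special XAIP' of M.3.11 step 1).
TIDY_XAIP = (
    '<XAIP><packageHeader><packageInfo>demo</packageInfo></packageHeader>'
    '<dataObjects><dataObject dataObjectID="d1">hello</dataObject></dataObjects></XAIP>'
)
UNTIDY_XAIP = (
    '<XAIP>\n  <packageHeader> <packageInfo>demo</packageInfo> </packageHeader>\n'
    '  <dataObjects>\n    <dataObject dataObjectID="d1">hello</dataObject>\n'
    '  </dataObjects>\n</XAIP>'
)


def demo() -> dict:
    """Submission of the untidy XAIP, then one update; returns the observations."""
    raw_tidy = hashlib.sha256(TIDY_XAIP.encode()).digest()
    raw_untidy = hashlib.sha256(UNTIDY_XAIP.encode()).digest()
    stored_v1 = note_aoid_and_c14n(UNTIDY_XAIP, "aoid-0001")   # hypothetical AOID
    stored_v2 = add_version_manifest(stored_v1, "v2", ["d1"])
    return {
        "raw_hashes_differ": raw_tidy != raw_untidy,
        "c14n_hashes_equal": xaip_hash(TIDY_XAIP) == xaip_hash(UNTIDY_XAIP),
        "v1": xaip_hash(stored_v1),
        "v2": xaip_hash(stored_v2),
        "ers_ok": ers_hash_matches(stored_v1, xaip_hash(stored_v1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

The two raw byte hashes differ while the two canonical hashes agree, which is exactly the manual comparison the tester performs in step 1 and step 4. Because the AOID and method are written into the header before hashing, the hash of the stored XAIP differs from the hash of what the client submitted, and every version manifest added later yields yet another distinct hash, the property excerpt 3 demands.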
7. Configuration: CONFIG_ArchiSafe, including at least two different and separated clients configured.
   Pre-test conditions:
   - If required, perform identification and authentication.
   - If required, the tester has to manually simulate access requests as if they were issued by client applications.
   - The call of the function Archive Submission Request by a client application A with an XAIP_OK or a BIN_OK as parameter is possible. Positive feedback is received; no error message or error code occurs. An AOID A1 is assigned.
   - The call of the function Archive Submission Request by client application A with another XAIP_OK or BIN_OK as parameter is possible. Positive feedback is received; no error message or error code occurs. An AOID A2 is assigned.
   - The call of the function Archive Submission Request by a client application B with an XAIP_OK or a BIN_OK as parameter is possible. Positive feedback is received; no error message or error code occurs. An AOID B1 is assigned.
   Test steps:
   1. Using client application A: call the interface function Archive Retrieval Request with the AOID A1 to request the XAIP.
      Expected result: The call of the function with this AOID as parameter is possible.
   2. Observe the output of the interface function Archive Retrieval Response.
      Expected result: Positive feedback is received; no error message or error code occurs. An XAIP is received.
   3. Using cl
8. 5.4.3 M.3.03 ArchiSig Module implements specified functions
   Requirement: M3.A4.0.1
   Test Purpose: The test shall verify that an ArchiSig Module provides at least the following functions:
   - Archive Submission
   - Generation of an AOID
   - Performing canonicalisation
   - Generating hash values
   - Generating an initial time stamp
   - Passing archive objects to the storage
   - Renewal of Archive Time Stamps
   - Renewal of hash trees
   - Generating an ERS for a specified archive object
   Configuration: CONFIG_Common
   Pre-test conditions:
   - User manual is present.
   Test steps:
   1. Check whether an Archive Submission function exists.
      Expected result: Yes, such a function exists.
   2. Check whether a function for the generation of AOIDs exists, or whether the guidance states that this function shall be provided by other modules such as the storage.
      Expected result: Yes, such a function exists, or the feature is declared to be provided by another module.
   3. Check whether a function for XML canonicalisation exists.
      Expected result: Yes, ArchiSig ensures that all XML objects are canonicalised before they are hashed. Note: For products which support the storage/processing of BIN data only, this step may be passed as fulfilled.
   4. Check whether ArchiSig is able to generate hash values, e.g. by using a Crypto Module.
      Expected result: Yes, ArchiSig is able to calculate hash values by using a Crypto Module.
   5. Check whether ArchiSig is able to generate initial
      Expected result: Yes, ArchiSi
9. 5.5.6.1 Archive Submission Request
   The test cases of the Archive Submission Request function of the interface S.4 (sec. 5.5.4.1, Archive Submission Request) are also relevant here.
   5.5.6.2 Archive Update Request
   The test cases of the Archive Update Request function of the interface S.4 (sec. 5.5.4.2, Archive Update Request) are also relevant here.
   5.5.6.3 Archive Evidence Request
   The test cases of the Archive Evidence Request function of the interface S.4 (sec. 5.5.4.4, Archive Evidence Request) are also relevant here.
   5.6 Annex TR-ESOR-F
   All requirements of Annex TR-ESOR-F are tested at the respective modules or interfaces.
   5.7 Annex TR-ESOR-S
   All requirements of Annex TR-ESOR-S are tested at the respective modules or interfaces.
   6 Annexes
   C.1 The file Requirements_20110929.ods contains a list of all requirements of the Technical Guideline 03125 and a mapping of these requirements to the test cases described here.
10. Positive feedback is received; no error message or error code occurs. An AOID is assigned.
   3. Using the interface function Archive Deletion Request and the AOID from step 2, request the deletion of the XAIP_OK_Sig or BIN_OK_Sig. Do not provide a reason for deletion.
      Expected result: The call of the function with this AOID as parameter is possible.
   4. Observe the output of the interface function Archive Deletion Response.
      Expected result: Negative feedback is received; an error message or error code occurs. The XAIP/BIN is not deleted.
   5. Using the interface function Archive Deletion Request and an invalid AOID, request the deletion of an XAIP or BIN. Provide a reason for deletion.
      Expected result: The call of the function with this AOID as parameter is possible.
   6. Observe the output of the interface function Archive Deletion Response.
      Expected result: Negative feedback is received; an error message or error code occurs. No XAIP/BIN is deleted.
   7. Using the interface function Archive Deletion Request and the AOID from step 2, request the deletion of the XAIP_OK_Sig or BIN_OK_Sig. Provide a reason for deletion.
      Expected result: The call of the function with this AOID as parameter is possible.
   8. Observe the output of the interface function Archive Deletion Response.
      Expected result: Positive feedback is received; no error
11. Archive Submission Request and measure the assured performance for executing the request, i.e. the time until the Archive Submission Request is answered by an Archive Submission Response. Take care to measure only the TOT performance, not that of other modules or systems.
   3. Store an XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request and measure the assured performance for executing the request, i.e. the time until the Archive Submission Request is answered by an Archive Submission Response. Take care to measure only the TOT performance, not that of other modules or systems.
      Expected result: The measurement confirms the assured performance.
   4. Repeat steps 2 and 3 with at least 3 data objects which differ notably in size.
      Expected result: The measurement confirms the assured performance.
   Use the AOID retrieved in step 2 for calling an Archive Retrieval Request for the retrieval of the corresponding XAIP_OK/BIN_OK and measure the assured performance for executing the request, i.e. the time until the Archive Retrieval Request is answered by an Archive Retrieval Response. Take care to measure only the TOT performance, not that of other modules or systems.
      Expected result: The measurement confirms the assured performance.
   Use the AOID retrieved in step for calling an Archive Retrieval Request for the retrieval of the correspond
12. Archive Submission Request.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   3. Observe the output of the interface function Archive Submission Response.
      Expected result: Positive feedback is received; no error message or error code occurs. An AOID is assigned.
   4. Using the interface function Archive Deletion Request and the AOID from step 2, request the deletion of the XAIP_OK_EXPIRED or BIN_OK_EXPIRED.
      Expected result: The call of the function with this AOID as parameter is possible.
   5. Observe the output of the interface function Archive Deletion Response.
      Expected result: Positive feedback is received; no error message or error code occurs. The XAIP/BIN is deleted.
   6. Use a storage for the test which does not support deletion.
   7. Store an XAIP_OK_EXPIRED or BIN_OK_EXPIRED using the interface function Archive Submission Request.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   8. Observe the output of the interface function Archive Submission Response.
      Expected result: Positive feedback is received; no error message or error code occurs. An AOID is assigned.
   9. Using the interface function Archive Deletion Request and the AOID from step 8, delete the XAIP/BIN.
      Expected result: The call of the function with this AOID as parameter is possible.
   10. Observe the output of the interface function Archive
      Expected result: An error message or error code is rece
13. - If required, perform identification and authentication.
   Test steps:
   1. Transfer several XAIP_OK/BIN_OK to the TOT using the interface function Archive Submission Request.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   2. Observe the output of the interface function Archive Submission Response.
      Expected result: Positive feedback is received; no error message or error code occurs. A unique AOID is assigned to each and every XAIP/BIN.
   3. Check the log files of the TOT for a record about the XML schema check. In the case of storing BINs, skip this step.
      Expected result: There is a record showing the positive XML schema verification of the XAIP.
   4. Use the Archive Retrieval Request function with the AOID(s) from step 2 as parameters.
      Expected result: The call of the function with these AOID(s) as parameters is possible.
   5. Observe the output of the interface function Archive Retrieval Response.
      Expected result: Positive feedback is received; no error message or error code occurs. The originally stored XAIP(s), or XAIP(s) which embody the BIN(s), are retrieved.
   6. Compare the retrieved XAIP(s) and the XAIP(s), resp. the embodied BIN(s) and the BIN(s), stored in step 1.
      Expected result: The contents are identical. The retrieved XAIP(s) contain addit
14. Archive Retrieval Request with the AOID from step 2, without a Version ID and with all possible and valid version ID(s) (see steps 4 and 6).
   10. Observe the output of the interface function Archive Retrieval Response.
      Expected result: Negative feedback is received; an error message or error code occurs. No XAIP is retrieved in any case.
   Verdict:

   5.5.4.5.3 S.4.5.03 Deletion requires reason, expiration and AOID
   Requirement: MD.A5.1.26, MD.A5.1.27, M1.A4.4.4, M1.A4.4.6
   Test Purpose: The test shall verify that an Archive Deletion Request will not delete an XAIP/BIN before its expiration if the AOID is invalid or no reason is given for the deletion, and that the log file always logs the deletion including the reason.
   Configuration: CONFIG_ArchiSafe
   Pre-test conditions:
   - Tester has read/write permissions on the middleware.
   - Tests S.4.5.01 and S.4.5.03 have been performed successfully.
   - If required, perform identification and authentication.
   Test steps:
   1. Store an XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   2. Observe the output of the interface function Archive Submission Response.
15. Stamp sequences are also covered by the hash tree renewal (see M.3, sec. 2.4.4).
   Verdict:

   5.4.19 M.3.19 Authenticity and integrity of the ArchiSig Module needs to be guaranteed
   Requirement: M3.A5.1.3
   Test Purpose: Check whether the authenticity and integrity of the installed ArchiSig Module is guaranteed during operation.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - User manual is present.
   - Development and design documents are present.
   Test steps:
   1. Check the user manual for statements on how to ensure the authenticity and integrity of the installed ArchiSig Module during operation.
      Expected result: The guidance contains such statements, and the statements are clear and understandable.
   2. Check whether the ArchiSig Module is a signed software module.
      Expected result: The ArchiSig Module is signed or otherwise integrity-protected, e.g. hardware-sealed.
   3. Check the user manual whether the ArchiSig Module includes a function to verify its own integrity as self-defence against manipulation.
      Expected result: The ArchiSig Module includes a function to verify its own integrity as self-defence against manipulation.
   Verdict:
16. If archive objects are updated, a new version ID is to be issued. Check whether the interface function Archive Update Request exists.
   Configuration: CONFIG_ArchiSafe
   Pre-test conditions:
   - Tester has read/write permissions on the middleware.
   - If required, perform identification and authentication.
   Test steps:
   1. Check whether the interface function Archive Update Request exists.
      Expected result: The function exists.
   2. Submit an XAIP_OK or BIN_OK with data to the TOT using the interface function Archive Submission Request.
      Expected result: The call of the function with this XAIP/BIN as parameter is possible.
   3. Observe the output of the interface function Archive Submission Response.
      Expected result: Positive feedback is received; no error message or error code occurs. An AOID is assigned.
   4. Using the interface function Archive Update Request and the AOID from step 3, add additional content to the XAIP/BIN.
      Expected result: The call of the function with this binary data and the AOID as parameters is possible.
   5. Observe the output of the interface function Archive Update Response.
      Expected result: Positive feedback is received; no error message or error code occurs. A new Version ID is received.
   6. Using the interface function Archive Update Request and the AOID from step 3, add additional metadata to the XAIP/BIN.
      Expected result: The call of the function with this data and the AOID as parameters is possible.
   7. Observe the output of the interface function Archive
      Expected result: A p
17. TimestampRequest for each hash algorithm supported by the Cryptographic Module. The requestData contain the corresponding hash algorithm identifier.
      Expected result: The request of the qualified time stamp with the algorithm identifier in requestData as parameter is possible. Positive feedback is received; no error message or error code. The time stamp shall be received for at least one algorithm.
   3. Request a time stamp using the interface function TimestampRequest where the time of executing the request has been manipulated in such a manner that it differs substantially from the moment of the request.
      Expected result: The crypto module returns an error message indicating that the returned time is incorrect.
   4. Request a time stamp using the interface function TimestampRequest where the signature of the time stamp is invalid.
      Expected result: The crypto module returns an error message indicating that the signature of the time stamp is invalid.
   Verdict:

   5.3.24 M.2.24 Time stamps need to bear a qualified electronic signature
   Requirement: M2.A5.3.2
   Test Purpose: The Cryptographic Module checks whether requested qualified time stamps include a qualified electronic signature from the time stamp issuer.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - The Cryptographic Module is configured, if possible, to check whethe
18. Expected result: A TLS tunnel cannot be established on the client application side.
   Verdict:

   5.1.3.3 A.03.3 TLS tunnels are based on suitable cryptographic procedures
   Requirement: AF.A6.2.3
   Test Purpose: The test shall verify that TLS tunnels use cryptographic procedures that are strong enough to ensure data integrity and confidentiality.
   Configuration: CONFIG_ArchiSafe (includes TLS enforcement by ArchiSafe if an ArchiSafe Module is present)
   Pre-test conditions:
   - The middleware documentation is available.
   - The IT system documentation is available.
   - If required, perform identification and authentication.
   - Administration access to the IT systems is needed.
   Test steps:
   1. Verify that the client application also uses a TLS tunnel for the communication with the S.4 interface of ArchiSafe.
      Expected result: The client application is configured in such a way that a TLS tunnel with certificate-based mutual authentication is used.
   2. Try to establish an encrypted TLS tunnel using a weak encryption algorithm (e.g. RC2, DES) on the client application side.
      Expected result: A TLS tunnel cannot be established.
   3. Try to establish an encrypted TLS tunnel using a strong encryption algorithm (e.g. AES-128) on the client application side.
      Expected result: A TLS tunnel can be established.
   4. Try to establish an encrypted TLS tunnel
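Steps 1 to 3 of A.03.3 describe the client side of the S.4 tunnel: certificate-based mutual authentication, weak algorithms refused, strong ones accepted. The following is an added example written for this page, not code from the BSI specification or from any ArchiSafe product. It shows a hardened client-side SSLContext built with Python's standard ssl module next to a permissive one, plus an audit function that reports the findings a tester would record. The weak-cipher marker list and the cipher-suite string are an assumed policy (RC2 and DES come from the test step; the other families are added by the editor), and the cafile/certfile/keyfile paths are left to the caller.

```python
import ssl
from typing import List, Optional

# Cipher-suite name fragments that fail the "suitable cryptographic
# procedures" bar. Assumed policy: RC2/DES from test step 2, plus the other
# families a reviewer would reject for a mutually authenticated tunnel.
WEAK_MARKERS = ("RC2", "RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Strong suites only: forward-secret key exchange with AES-GCM or ChaCha20
# (AES-128-GCM, the step 3 example, is included by the AESGCM alias).
STRONG_CIPHER_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"


def is_weak_cipher(name: str) -> bool:
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def hardened_client_context(cafile: Optional[str] = None,
                            certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Client side of the S.4 tunnel as step 1 expects it: TLS 1.2 or newer,
    server certificate verified, client certificate presented for mutual
    authentication, no weak suites offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(STRONG_CIPHER_SPEC)
    if cafile:      # CA that issued the ArchiSafe server certificate (path assumed)
        ctx.load_verify_locations(cafile=cafile)
    if certfile:    # client certificate and key for mutual authentication (paths assumed)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """Counter-example: a client application that verifies nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> List[str]:
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for the client-side configuration; an empty list means it
    satisfies the checks of steps 1 to 3."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the server certificate")
    weak = [name for name in offered_ciphers(ctx) if is_weak_cipher(name)]
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return findings


def weak_cipher_spec_rejected(spec: str) -> bool:
    """Step 2 probe: ask the TLS library for a weak-only cipher list. The
    outcome depends on the OpenSSL build; weak suites are normally compiled
    out, in which case set_ciphers() raises and the tunnel cannot be built."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers(spec)
    except ssl.SSLError:
        return True
    return False


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("permissive:", audit_context(permissive_client_context()))
    print("RC2-only cipher list rejected:", weak_cipher_spec_rejected("RC2"))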
19. Test Purpose: The Cryptographic Module should be certified pursuant to SigG and SigV. The test checks whether the Cryptographic Module is certified accordingly.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - User manual and developer documents are present.
   Test steps:
   1. Check the user manual whether the product has certifications pursuant to the Signature Act.
      Expected result: The product that provides the functions of the Cryptographic Module has the certification.
   Verdict:

   5.3.6 M.2.06 Random number generators fulfil the BSI requirements
   Identifier: M.2.06
   Requirement: M2.A4.1.2
   Test Purpose: The random number generators used by the Cryptographic Module fulfil the requirements set forth in the BSI Technical Guidelines TR-03116 and TR-02102, pursuant to AIS 20 for pseudo-random number generators or AIS 31 for physical random number generators.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - User manual and developer documents are present.
   Test steps:
   1. Check the user manual and developer documents whether the random number generators fulfil the requirements set forth in the BSI Technical Guidelines TR-03116 and TR-02102, pursuant to AIS 20 for pseudo-rand
      Expected result: The random number generators fulfil the defined requirements
20. Expected result: The data element(s) of all addresses (XAIPs/BINs) are received.
   8. Compare the retrieved data element with the version that has originally been stored in the XAIP/BIN in step 1.
      Expected result: The data elements are equal.
   9. Use the interface function Archive Data Request with an invalid AOID and an arbitrary dataLocation parameter.
      Expected result: The call of the function with these parameters is possible.
   10. Observe the output of the interface function Archive Data Response.
      Expected result: Negative feedback is received; an error message or error code is returned. No data element is received.
   11. Use the interface function Archive Data Request with the AOID from step 2 and an invalid dataLocation parameter.
      Expected result: The call of the function with these parameters is possible.
   12. Observe the output of the interface function Archive Data Response.
      Expected result: Negative feedback is received; an error message or error code is returned. No data element is received.
   Verdict:

   5.5.4.7 S.4.7.01 ArchiSafe Module is robust against incorrect parameters
   Requirement: M1.A4.0.2
   Test Purpose: The test shall verify that the ArchiSafe Module's functionality is not negatively affected by false or incorrectly parametrised requests.
   Note: Skip any step which is not supported by the TOT, especially regarding the Archive Submission Requests.
   Co
21. The other test cases are ordered according to the interface specifications S.1 to S.6. The reason is that these tests will only be performed at the level of the external interfaces of a certain product. If a product claims compliance with a module specified in the Technical Guideline, the respective interfaces of the module/product will be tested, or the product proves that it supports functionally analogous interfaces. Below this structural level the test cases are ordered according to the logical functions of the interface, e.g. Archive Submission or Archive Deletion. For each logical function of the interface, a set of test cases tests all relevant requirements. Each test case is identified by a unique ID. The test case description also refers to the respective requirements which will be (partly) tested with this test case. The test case also states the purpose of the test as a summary of the test case. The baseline configuration of the test system is stated, as well as all pre-conditions which must exist prior to performance of the test. The test case defines the single test steps which must be performed in the given order. Per test step the expected result is defined, and there is space for the tester to document the actual findings. Finally the tester states the final verdict of the test case (PASS/FAIL). FAIL shall be assigned if any of the test steps does not match the expected result, and a justification for this differ
22. delete the XAIP_OK_Sig or the BIN_OK_Sig with a reason for deletion.
   5. Observe the output of the interface function Archive Deletion Response.
      Expected result: Positive feedback is received; no error message or error code occurs. The XAIP/BIN is deleted.
   6. Check the log for the log data of the deletion procedure.
      Expected result: The log contains all the data about the deletion of the XAIP/BIN, including the reason why it was deleted.
   Verdict:

   5.5.4.5.5 S.4.5.05 Error message if deletion is not supported
   Identifier: S.4.5.05
   Requirement: M1.A4.4.2
   Test Purpose: The test shall verify that the ArchiSafe module answers an Archive Deletion Request with an error message if the ECM/long-term storage has no deletion function or the storage media used does not allow deletion.
   Configuration: CONFIG_ArchiSafe
   Pre-test conditions:
   - Tester has read/write/delete permissions.
   - The user manual for the ECM/long-term storage is available.
   - A storage system which supports deletion and a storage system which does not support deletion are present.
   Test steps:
   1. Use a storage for the test which supports deletion.
   2. Store an XAIP_OK_EXPIRED or BIN_OK_EXPIRED using the interface function
      Expected result: The call of the function with this XAIP/BIN as parameter is
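The deletion test cases S.4.5.03 to S.4.5.05 (excerpts 10, 12, 14 and 22) and the client separation test in excerpt 7 all exercise the same decision logic in the ArchiSafe module: an Archive Deletion Request is refused for an unknown AOID, for an object that is still in its preservation period when no reason is given, and when the underlying storage cannot delete; a successful deletion is always logged together with its reason; and a client can only reach its own AOIDs. The following is an added example written for this page, not code from the BSI specification or from any ArchiSafe product. It is a small in-memory model of those S.4 calls; the AOID format, the Response type, the log record layout and the sample objects and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ArchiveObject:
    payload: bytes
    expires: date          # end of the preservation period ("Future"/"Past" in Table 1)


@dataclass
class Response:
    ok: bool
    aoid: Optional[str] = None
    message: str = ""
    obj: Optional[ArchiveObject] = None


LogEntry = Tuple[str, str, str, str]   # (event, aoid, client, reason)

# Constructed dates for the scenarios below.
TODAY = date(2024, 1, 1)
FUTURE = date(2030, 1, 1)    # preservation period still running (XAIP_OK_*)
PAST = date(2020, 1, 1)      # preservation period over (XAIP_OK_EXPIRED_*)


class ArchiSafe:
    """Minimal model of the S.4 calls exercised by the deletion and client
    separation test cases. storage_supports_deletion=False models the
    ECM/long-term storage of S.4.5.05 that cannot delete."""

    def __init__(self, storage_supports_deletion: bool = True) -> None:
        self._objects: Dict[str, Tuple[str, ArchiveObject]] = {}   # AOID -> (client, object)
        self._next = 1
        self.storage_supports_deletion = storage_supports_deletion
        self.log: List[LogEntry] = []

    def _lookup(self, client: str, aoid: str) -> Optional[ArchiveObject]:
        entry = self._objects.get(aoid)
        # Client separation: an AOID that belongs to another client is treated
        # exactly like an unknown AOID, so client B cannot probe A's objects.
        if entry is None or entry[0] != client:
            return None
        return entry[1]

    def archive_submission_request(self, client: str, obj: ArchiveObject) -> Response:
        aoid = "aoid-%04d" % self._next       # unique per submitted object
        self._next += 1
        self._objects[aoid] = (client, obj)
        self.log.append(("submission", aoid, client, ""))
        return Response(True, aoid)

    def archive_retrieval_request(self, client: str, aoid: str) -> Response:
        obj = self._lookup(client, aoid)
        if obj is None:
            return Response(False, aoid, "unknown AOID")
        return Response(True, aoid, obj=obj)

    def archive_deletion_request(self, client: str, aoid: str,
                                 reason: Optional[str], today: date) -> Response:
        obj = self._lookup(client, aoid)
        if obj is None:
            self.log.append(("deletion rejected", aoid, client, "unknown AOID"))
            return Response(False, aoid, "unknown AOID")
        if today < obj.expires and not reason:
            self.log.append(("deletion rejected", aoid, client, "no reason before expiration"))
            return Response(False, aoid, "deletion before expiration requires a reason")
        if not self.storage_supports_deletion:
            self.log.append(("deletion rejected", aoid, client, "storage does not support deletion"))
            return Response(False, aoid, "storage does not support deletion")
        del self._objects[aoid]
        # The deletion itself is always logged together with the reason.
        self.log.append(("deletion", aoid, client, reason or "preservation period expired"))
        return Response(True, aoid)

    def deletion_log_entries(self, aoid: str) -> List[LogEntry]:
        return [e for e in self.log if e[0] == "deletion" and e[1] == aoid]


def run_deletion_scenario(today: date = TODAY) -> dict:
    """Replays S.4.5.03 steps 3 to 8 plus the client separation check on
    constructed test data and returns what the tester would observe."""
    m = ArchiSafe()
    a1 = m.archive_submission_request("A", ArchiveObject(b"XAIP_OK_Sig", FUTURE)).aoid
    b1 = m.archive_submission_request("B", ArchiveObject(b"XAIP_OK", FUTURE)).aoid
    return {
        "b_reads_a1": m.archive_retrieval_request("B", a1).ok,
        "no_reason": m.archive_deletion_request("A", a1, None, today).ok,
        "invalid_aoid": m.archive_deletion_request("A", "aoid-9999", "migration", today).ok,
        "still_there": m.archive_retrieval_request("A", a1).ok,
        "with_reason": m.archive_deletion_request("A", a1, "migration", today).ok,
        "gone": m.archive_retrieval_request("A", a1).ok,
        "logged_reason": m.deletion_log_entries(a1)[0][3],
        "b1_untouched": m.archive_retrieval_request("B", b1).ok,
    }


if __name__ == "__main__":
    for key, value in run_deletion_scenario().items():
        print(key, value)
```

The order of the checks matters: the unknown-AOID path is taken for foreign AOIDs as well, so the response to client B reveals nothing about whether A1 exists, and the storage capability is checked only after the request has been authorised, so a storage that cannot delete still yields a log entry naming the rejection.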
23. 5.4.1 M.3.01 ArchiSig Module should be realised as a separate module
   Requirement: M3.A3.1.4
   Test Purpose: The test shall verify that the ArchiSig Module runs as an independent application, or as an independent, functionally delimited part of an application, on a trustworthy IT system, and that it is neither a logical nor a functional component of upstream IT specialist applications.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - User manual is present.
   Test steps:
   1. Check the TOT and the user manual whether the ArchiSig Module is an independent application or an independent, functionally delimited part of an application.
      Expected result: The ArchiSig Module is an independent application or an independent part of an application.
   2. Check whether the IT system on which the module is implemented is trustworthy. For this purpose the vendor could provide a specially hardened system or could assume a specially hardened system. The test fails if no settings for the baseline system are assumed or already provided.
      Expected result: There are statements about the trustworthy IT system.
   3. Check the TOT and/or the user manual whether the ArchiSig Module is either a logical or a functional component of the upstream IT specialist applications.
      Expected result: The ArchiSig Module is neither a logical nor a functional component of upstream IT specialist applications.
   Verdict:
   Footnote 5: For example, if the
24. - Design documents are present.
   Test steps:
   1. Check the vendor documentation for information whether the Cryptographic Module includes a function to record all security functions in a meaningful and traceable manner.
      Expected result: The Cryptographic Module includes a function to record all security functions in a meaningful and traceable manner.
   2. Check the log files/records of the Cryptographic Module.
      Expected result: The log files record the execution of the security functions in a meaningful and traceable manner.
   Verdict:

   5.3.19 M.2.19 Responsiveness to unauthorised access
   Identifier: M.2.19
   Requirement: M2.A6.2.4
   Test Purpose: Check whether the Cryptographic Module is capable of cancelling the execution of a function with a meaningful and comprehensible error message in the event of unauthorised access to the module's security functions.
   Configuration: CONFIG_Common
   Pre-test conditions:
   - Developer documents are present.
   - User manual is present.
   Test steps:
   1. Check the vendor documentation for information whether the Cryptographic Module is capable of cancelling the execution of a function.
      Expected result: The Cryptographic Module is capable of cancelling the execution of functions.
   2. Check the vendor documentation fo
(continued) the XAIP. |
6 | Check the output of the Archive Update Response function. | A new version ID is received. The AOID is kept identical. |
7 | Use the Archive Retrieval Request function with the AOID from step 3 to retrieve the XAIP from the storage. | The function call is possible. |
8 | Check the output of the Archive Retrieval Response function. | The archive data object is received in the specified XML format. |
9 | Use the Archive Evidence Request function with the AOID from step 3 to check the XAIP's authenticity and integrity. | The function call is possible. |
10 | Check the output of the Archive Evidence Response function. | An Evidence Record is received. |
11 | Use the Archive Data Request function with the AOID from step 3 and the dataLocation parameter to identify an individual data element within the XAIP. | The function call is possible. |
12 | Check the output of the Archive Data Response function. | The requested data value and the corresponding locationValue are received. |
13 | Use the Archive Deletion Request function with the AOID from step 3 to delete the XAIP. | The function call is possible. |
14 | Check the result of the Archive Deletion Response function by attempting to retrieve the deleted XAIP, calling the Archive Retri | The XAIP has been deleted from the storage. |
(continued) Response. | occurs. An XAIP is received. |
13 | Compare the retrieved XAIP with the XAIP stored in step 1 and all the changes done in step 3. | The XAIP reflects all changes done in step 3. |
Verdict:

5.5.4.2.8 S.4.2-08 Update shall not impair the probative value
Requirement: MD.A5.1-14, M1.A4.2-7
Test Purpose: The test shall verify that the probative value is not compromised by changes.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read, write and administrative permissions on the Middleware.
- Test S.4.2-07 has been performed successfully.
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1 | Store an XAIP_OK or BIN_OK to the TOT using the interface function Archive Submission Request. | The call of the function with this XAIP/BIN as a parameter is possible. |
2 | Observe the output of the interface function Archive Submission Response. | A positive feedback is received. No error message or error code occurs. An AOID is assigned. |
3 | Change the hash algorithm. | The hash algorithm is changed. |
4 | Initiate the hash tree renewal process. | The re-hash process is initiated. |
5 | Using the interface function Archive Update Request | The call of the function with this AOID a
20 | Use the interface function Archive Data Request with an AOID that contains too many characters. | The request is answered with a clear and understandable error message or an error code. |
21 | Use the interface function Archive Data Request with a valid AOID and a dataLocation parameter that contains invalid characters. | The request is answered with a clear and understandable error message or an error code. |
22 | Use the interface function Archive Data Request with a valid AOID and a dataLocation parameter that contains too many characters. | The request is answered with a clear and understandable error message or an error code. |
23 | Use the interface function Archive Deletion Request with no parameters. | The request is answered with a clear and understandable error message or an error code. |
24 | Use the interface function Archive Deletion Request with an AOID that contains invalid characters. | The request is answered with a clear and understandable error message or an error code. |
25 | Use the interface function Archive Deletion Request with an AOID that contains too many characters. | The request is answered with a clear and understandable error message or an error code. |
26 | Use the interface function Archive Deletion Request | The request is answered w
Verdict:

5.4.14 M.3.14 Time stamp renewal creates initial archive time stamps
Requirement: M3.A4.5-1, M3.A4.5-2, M3.A4.7-1
Test Purpose: The test shall verify that, when the function for renewal of the Archive Time Stamp is requested, an Initial Archive Time Stamp pursuant to the ERS standard is created at least for the hash values of newly archived or changed Archival Information Packages that have not yet been secured with an Initial Archive Time Stamp, and that it is stored in the storage unit of the ArchiSig Module.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
- User has administrator rights on the system.
- If required, perform identification and authentication.
- There are already archived Archival Information Packages without Archive Time Stamp in the ECM/long-term storage.
Step | Test sequence | Expected Results | Observations
1 | Use the function for renewal of the Initial Archive Time Stamp. | The renewal of the Initial Archive Time Stamps is done. |
2 | Request the ERS for the archive object archived or updated at the very last. | The ERS must contain the hash value of the archive object and an initial time stamp. The time stamp should show the time of calling the function in step 1 or an earlier time. |
3 | Disconnect the Crypto Module from the ArchiSig | The calculation of the i
(Abbreviations, continued)
... | XML based Archive Information Package
XML | Extensible Markup Language
XSD | XML Schema Description

5 The Test Cases for Conformity Level 1 (Functional Conformity)
5.1 Tests for all products
5.1.1 A.01 Middleware modules should be realised as separate modules
Identifier: A.01
Requirement: M1.A3.2-1, M1.A3.1-1
Test Purpose: The test shall verify that the middleware or the middleware components run as independent applications, or as independent, functionally delimited parts of an application, on a trustworthy IT system. They are neither a logical nor a functional component of upstream IT specialist applications and can be replaced by new, functionally compatible implementations at any time.
Configuration: CONFIG_Common
Pre-test conditions: The middleware documentation is available.
Step | Test sequence | Expected Results | Observations
1 | Check the definition of the modules in the middleware documentation. Check especially the interface definitions and whether there is guidance for upgrading the modules to a new product version. | The middleware is based on modular components which can be replaced by new implementations, or there are explanations why this is not necessary. The interfaces and the upgrade strategies are documented. |
2 | Check whether the IT system on which the | There are vendor statements abo
(Contents, continued)
5.5.3 Interface S.3 ... 115
5.5.3.1 Timestamp Requests ... 115
5.5.3.2 Verify ... 116
5.5.3.3 Hash Request ... 116
5.5.4 Interface S.4 ... 116
5.5.4.1 Archive Submission Request ... 117
5.5.4.1.1 S.4.1-01 Archive Submission Request supports storage of XML based Archival Information Packages ... 117
5.5.4.1.2 S.4.1-02 Archive Submission yields unique AOID ... 119
5.5.4.1.3 S.4.1-03 Archive Submission with valid binary object is possible ... 121
5.5.4.1.4 S.4.1-04 Archive Submission is always possible ... 122
5.5.4.1.5 S.4.1-05 Archive Submission includes signature verification and storage of results ... 123
5.5.4.1.6 S.4.1-06 Archive Submission Request does not change the data objects within the XAIP or BIN ... 125
5.5.4.1.7 S.4.1-07 Archive Submi
(continued) available any more. |
5 | Check whether the actions performed by the administration interfaces are recorded in a log file. | The log file shows the performed administrative actions. |
6 | Check whether the administration interfaces allow altering digitally signed documents while bypassing the required cryptographic functions. | It is not possible to alter a digitally signed document while bypassing the required cryptographic functions. |
Verdict:

5.1.9 A.09 Administration interfaces are available for authorised accounts only
Requirement: MD.A7.3-15
Test Purpose: The test shall verify that any administration interfaces of the middleware, or of any of its individual components, are accessible to authorised accounts only.
Configuration: CONFIG_Common
Pre-test conditions:
Step | Test sequence | Expected Results | Observations
1 | Check if there is an official definition of an authorised account. | The authorised accounts are defined. |
2 | Try to access the administration interfaces without authentication. | It is not possible to access the administration interfaces without authentication. |
3 | Try to intercept the authentication of an authorised person to perform a replay attack. | The administration interfaces cannot be accessed. |
4 | Try to access the administration interfaces by guessing | The administration interfaces cannot b
(continued) for security and published. | The used hash algorithms are in the list of the recommended algorithms. |
2 | Check the user manual for the supported hash algorithms. | The Cryptographic Module supports all previously used hash |
Verdict:

5.3.8 M.2.08 Crypto Module uses recommended algorithms for generating signatures
Pre-supposition: A product which claims to comply with the M.2 Crypto Module specification of this TR and which intends to generate signatures by itself has to pass the following test case.
Requirement: M2.A4.3-1
Test Purpose: The algorithms implemented by the Cryptographic Module for calculating hash values necessary for signatures comply with the current version of the algorithm catalogue [ALGCAT]: "Geeignete Algorithmen zur Erfüllung der Anforderungen nach §17 Abs. 1 bis 3 SigG vom 22. Mai 2001 in Verbindung mit Anlage 1 Abschnitt I Nr. 2 SigV vom 22. November 2001" (Suitable algorithms to fulfil the requirements according to §17 Par. 1 through 3 SigG of 22 May 2001 together with Annex 1 Section I No. 2 SigV of 22 November 2001).
Configuration: CONFIG_Common
Pre-test conditions:
- User manual and developer documents are present.
Step | Test sequence | Expected Results | Observations
1 | Check the user manual whether the Crypto Module | T
(continued) for the S.4 interface or a functionally analogous interface is accessible.
- Developer documents of the S.4 interface / the functionally analogous interface are accessible.
Step | Test sequence | Expected Results | Observations
1 | Check if the middleware documentation contains the description of the necessary functions. | The necessary functions are defined in the documentation. |
2 | Store an XAIP_OK_Sig or BIN_OK_Sig using the Archive Submission Request function. | The function call is possible. |
3 | Check the output of the Archive Submission Response function. | The XAIP/BIN object is assigned an AOID and returned successfully. |
4 | If the function Archive Update Request is implemented, use the Archive Update Request function with the AOID from step 3 to change the data stored within the XAIP/BIN. | The function call is possible. |
5 | If the function Archive Update Request is implemented, check the output of the Archive Update Response function. | A new version ID is received. |
6 | Use the Archive Retrieval Request function with the AOID from step 3 to retrieve an XAIP from the storage. | The function call is possible. |
7 | Check the output of the Archive Retrieval Response function. | The archive data object is received in XAIP format. |
8 | Use the Archive Evidence Request
(continued) function with the AOID from step 3 to check the XAIP's/BIN's authenticity and integrity. | The function call is possible. |
9 | Check the output of the Archive Evidence Response function. | An Evidence Record is received. |
10 | Use the Archive Data Request function with the AOID from step 3 and a valid dataLocation parameter to identify an individual data element within the XAIP or BIN. | The function call is possible. |
11 | Check the output of the Archive Data Response function. | The requested data value and the original locationValue are received. |
12 | Use the Archive Deletion Request function with the AOID from step 3 to delete the XAIP or the BIN. | The function call is possible. |
13 | Check the output of the Archive Deletion Response function. | The XAIP or BIN has been deleted from the storage. |
14 | Check the results of the test cases S.4.1-01, S.4.1-07, S.4.2-01, S.4.2-03, S.4.3-02, S.4.4-02, S.4.4-03, S.4.5-01, S.4.5-04, S.4.6-01 or functionally analogous test cases. | The tests are performed successfully. |
Verdict:

5.2.5 M.1.05 Using interfaces S.1 and S.6 is possible
Pre-supposition: A product which claims to functionally comply with the interface specifications S.1 and S.6 of this TR, or part of it, has to pass the following test cas
(continued) interface function Archive Evidence Response. | A positive feedback is received. No error message or error code occurs. Evidence Records per AOID are received. |
3 | Check the retrieved Evidence Records with an appropriate tool. | There is a correct Evidence Record in ERS notation as specified in RFC 4998 or RFC 6283 for each XAIP AOID or BIN AOID. The AOIDs are exactly the AOIDs passed over as parameters. |
4 | Using the interface function Archive Evidence Request with one valid AOID as parameter in one function call. | The call of the function with one AOID as a parameter is possible. |
5 | Observe the output of the interface function Archive Evidence Response. | A positive feedback is received. No error message or error code occurs. An Evidence Record is received. |
6 | Check the retrieved Evidence Record with an appropriate tool. | There is a correct Evidence Record in ERS notation as specified in RFC 4998 or RFC 6283, and it contains one or more reduced Archive Time Stamps in ERS notation. The AOID is exactly the AOID passed over as parameter. The tool shows that the ERS is formed correctly. |
7 | Use the interface function Archive Evidence Request with an AOID which does not exist to request an Evidence Record. | The call of the function with this AOID as a parameter is possible. |
8 | Observe the output of the i
(continued) interface function Archive Submission Request. |
2 | Observe the output of the interface function Archive Submission Response. | A positive feedback is received. No error message or error code occurs. An AOID is assigned to the archived XAIP/BIN. |
3 | Try to update this XAIP or BIN using the interface function Archive Update Request with the AOID from step 2 without any data object as a parameter. | The call of the function should be possible. |
4 | Observe the output of the interface function Archive Update Response. | An error message or error code will be received. |
5 | Try to update the archived data object using the interface function Archive Update Request with the AOID from step 2 with an empty XAIP_OK/BIN_OK. | The call of the function should be possible. |
6 | Observe the output of the interface function Archive Update Response. | An error message or error code will be received. |
7 | Try to update the archived data object using the interface function Archive Update Request with the AOID from step 2 with a valid XAIP_OK/BIN_OK. | The call of the function should be possible. |
8 | Observe the output of the interface function Archive Update Response. | A positive feedback is received. No error message or error code occurs. A new Version ID is received. |
9 | Retrieve the originally stored version by issuing an | The call of the function is possible. |
(continued) is received.
Step | Test sequence | Expected Results | Observations
1 | Using the interface function Archive Evidence Request and a valid AOID, request the Evidence Record for the XAIP/BIN. | The call of the function with this AOID as parameter is possible. |
2 | Observe and check the output of the interface function Archive Evidence Response. | A positive feedback is received. No error message or error code occurs. |
3 | Using the interface function Archive Evidence Request with a valid AOID and an assigned version ID indicating the very first version, request the Evidence Record for the archived XAIP/BIN. | The call of the function with this AOID and the version ID as parameters is possible. |
4 | Observe and check the output of the interface function Archive Evidence Response with an appropriate tool. | A positive feedback is received, no error message or error code. A correct Evidence Record in ERS as specified in RFC 4998 or RFC 6283 is received. |
5 | Evaluate the received Evidence Records from steps 2 and 4 by using an appropriate tool. | The Evidence Records are valid with respect to the specification in RFC 4998 or RFC 6283, intact, and contain the necessary data to prove the integrity and authenticity of the XAIP versions. The hash values of the Evidence Records from steps 2 and 4 are different and therefore cover the different ver
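The Evidence Record tests on this page all exercise the same ERS mechanism: the renewal function in M.3.14 builds a hash tree over the hash values of objects not yet secured and gives each AOID an Initial Archive Time Stamp; the Archive Evidence Request tests check that the Evidence Record per AOID contains a correct reduced Archive Time Stamp; S.4.2-08 changes the hash algorithm and runs a hash tree renewal; and the version test above expects different hash values for different versions. The following Python is an added illustration of that mechanism, not code from the Technical Guideline, from RFC 4998 or from any tested product. It keeps the ERS idea of sorted, concatenated hash groups and a per-object reduced tree, but the byte encoding of an ATS chain, the `time` string standing in for a signed time-stamp token, the AOIDs and the object contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample archive: AOID -> archived object bytes (stand-ins for XAIP/BIN content).
ARCHIVE = {
    "aoid-0001": b"<XAIP>version 1 of document A</XAIP>",
    "aoid-0002": b"<XAIP>version 2 of document A</XAIP>",
    "aoid-0003": b"binary payload of document B",
}


@dataclass(frozen=True)
class ArchiveTimeStamp:
    hash_alg: str        # digest algorithm of the hash tree this ATS belongs to
    reduced_tree: tuple  # per level: tuple of sibling hashes; empty tuple = node promoted unchanged
    root: bytes          # tree root covered by the time stamp
    time: str            # constructed time string standing in for the signed time-stamp token


def digest(alg, data):
    return hashlib.new(alg, data).digest()


def hash_group(alg, hashes):
    """ERS-style inner node: sort the group's hashes, concatenate, hash (order-independent)."""
    return digest(alg, b"".join(sorted(hashes)))


def build_tree(alg, leaves):
    """Binary hash tree as a list of levels, leaves first, single root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hash_group(alg, cur[i:i + 2]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def reduced_hash_tree(levels, index):
    """Sibling hashes needed to recompute the root from leaf `index` (one AOID's reduced tree)."""
    path = []
    for level in levels[:-1]:
        start = index - index % 2
        path.append(tuple(h for j, h in enumerate(level[start:start + 2], start) if j != index))
        index //= 2
    return tuple(path)


def verify_ats(leaf_hash, ats):
    """Recompute the root from one leaf and the reduced tree; True if it matches the stamped root."""
    h = leaf_hash
    for siblings in ats.reduced_tree:
        if siblings:
            h = hash_group(ats.hash_alg, (h,) + siblings)
    return h == ats.root


def chain_bytes(chain):
    """Constructed canonical encoding of an ATS chain for re-hashing (RFC 4998 uses DER here)."""
    return b"|".join(a.hash_alg.encode() + b":" + a.root.hex().encode() + b":" + a.time.encode()
                     for a in chain)


def renewal_leaf(alg, data, chain):
    """Leaf of a hash-tree renewal: covers the archived object and the chain it supersedes."""
    return hash_group(alg, [digest(alg, data), digest(alg, chain_bytes(chain))])


def initial_archive_time_stamps(alg, objects, time):
    """One tree over all not-yet-secured objects; each AOID gets its own reduced tree (M.3.14)."""
    aoids = sorted(objects)
    levels = build_tree(alg, [digest(alg, objects[a]) for a in aoids])
    return {a: [ArchiveTimeStamp(alg, reduced_hash_tree(levels, i), levels[-1][0], time)]
            for i, a in enumerate(aoids)}


def hash_tree_renewal(new_alg, objects, records, time):
    """Hash algorithm change: append a tree under new_alg covering object and old chain (S.4.2-08)."""
    aoids = sorted(objects)
    levels = build_tree(new_alg, [renewal_leaf(new_alg, objects[a], records[a]) for a in aoids])
    return {a: records[a] + [ArchiveTimeStamp(new_alg, reduced_hash_tree(levels, i), levels[-1][0], time)]
            for i, a in enumerate(aoids)}


def verify_record(data, record):
    """Check every ATS of one Evidence Record: the first covers H(data), later ones data plus earlier chain."""
    for i, ats in enumerate(record):
        leaf = digest(ats.hash_alg, data) if i == 0 else renewal_leaf(ats.hash_alg, data, record[:i])
        if not verify_ats(leaf, ats):
            return False
    return True


if __name__ == "__main__":
    records = initial_archive_time_stamps("sha256", ARCHIVE, "2024-01-01T00:00:00Z")  # constructed time
    records = hash_tree_renewal("sha512", ARCHIVE, records, "2024-06-01T00:00:00Z")
    for aoid, data in ARCHIVE.items():
        print(aoid, "valid" if verify_record(data, records[aoid]) else "INVALID")
    print("tampered copy:", verify_record(b"<XAIP>altered</XAIP>", records["aoid-0001"]))
```

Two properties of the model matter for the tests above: because every group is sorted before hashing, the reduced tree of one AOID does not reveal or depend on the position of the other objects in the tree, so each Evidence Record stands on its own; and because the renewal leaf hashes the old chain together with the object under the new algorithm, the earlier time stamps keep their probative value even after the old hash algorithm is no longer trusted.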
(continued) parameters can be changed in a quick and uncomplicated manner. | The hash algorithm and parameters can be changed in a quick and uncomplicated manner. |
2 | Check whether a signature algorithm and parameters can be changed in a quick and uncomplicated manner. | The signature algorithm and parameters can be changed in a quick and uncomplicated manner. |
Verdict:

5.3.4 M.2.04 Crypto Module should fulfil the requirements of TR-03112
Identifier: M.2.04
Requirement: MD.A7.3-7
Test Purpose: The interfaces of the Cryptographic Module should fulfil the requirements of the BSI Technical Guideline TR-03112 (eCard-API-Framework).
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
Step | Test sequence | Expected Results | Observations
1 | Check if at least the external interfaces of the Cryptographic Module are implemented in software. | The external interfaces may be implemented in software, e.g. libraries, API. |
2 | If step 1 passed: check whether there is a conformity statement to TR-03112. | A conformity statement to TR-03112 exists. |
Verdict:

5.3.5 M.2.05 Crypto Module should be certified according to SigG
Identifier: M.2.05
Requirement: M.A3.3-1
(continued) relevant here.

5.5.3.3 Hash Request
The test cases M.2.07 (sec. 5.3.7, M.2.07 Support of Hash functions), M.2.08 (sec. 5.3.8, M.2.08 Crypto Module uses recommended algorithms for generating signatures), M.2.09 (sec. 5.3.9, M.2.09 Crypto Module supports canonicalisation for the verification of XML signatures) and M.2.10 (sec. 5.3.10, M.2.10 Canonicalisation procedures do not change the content data) are also relevant here.

5.5.4 Interface S.4
The TR-ESOR S.4 interface should make it possible for the business applications to access the ECM/long-term storage in a standardised and functional manner. Furthermore, the interface should reliably prevent unauthorised access to the ECM/long-term storage.
Note: The term ArchiSafe in the following means the logical entry point into the archive middleware, aside from the actual implementation.
Pre-supposition: A product which claims to functionally comply with the Interface S.4 specification of this TR has to pass all test cases in this section, or to prove that it supports functionally analogous interfaces.

5.5.4.1 Archive Submission Request
5.5.4.1.1 S.4.1-01 Archive Submission Request supports storage of XML based Archival Information Packages
Requirement: AF.A3.6-1, AF.A6.2-1
Test Purpose: The test shall verify that the Archive Submission Request works well with XAIP format or mo
(continued) the test cases and should be used to actually perform the tests.

4.3.1.1 CONFIG_Common
This is the standard configuration for all tests.
- The test setup shall contain the product to be tested (Target of Testing, TOT).
- The test setup shall contain all other modules of the reference architecture, including the storage, functionally not covered by the TOT. The purpose is that a functionally complete system can be tested.
- The TOT and all other modules required shall be installed and configured according to the respective guidance, including all security recommendations.
- The TOT and all other modules shall be physically and logically interconnected. The connections shall be secured as described in the respective guidance documents (e.g. enabling encryption, explicit physical connection).
- The test system shall be connected to an external Certification Service Provider as required by the TOT or the tests.
- It is recommended to install at least three different client applications for using and testing the multi-client capability of the middleware, if the TOT supports/provides a multi-client capability. In this case the middleware in turn shall be configured to handle these three applications as different clients (multi-client capability). Per client application, at least two user accounts and an administrator account shall be configured.
- The complete test setup shall be up and running and in an operational and working mode.

4.3.1.2 CONF
(Footnote 5, continued) vendor just states that the product runs on platform XYZ, the test fails. If the vendor states that the product runs on platform XYZ and that the security white paper of the vendor of this platform has to be considered, the test passes.

5.4.2 M.3.02 Using interface S.3 is possible
Pre-supposition: A product which claims to comply with the interface specification S.3 of this TR, or part of it, has to pass the following test case, or part of it, or prove that it supports functionally analogous interfaces.
Requirement: M3.A3.2-2
Test Purpose: The test shall verify that the ArchiSig module is able to access the other modules of the middleware via dedicated interfaces as described in the annexes TR-ESOR-M.2 and TR-ESOR-S of this Technical Guideline.
Configuration: CONFIG_ArchiSig
Pre-test conditions: The middleware documentation is available.
Step | Test sequence | Expected Results | Observations
1 | Check whether the ArchiSig documentation contains the description of how to connect to the interface S.3. | The interface is described in the documentation. |
2 | Check whether it is possible for the ArchiSig module to communicate with the Crypto Module via the S.3 interface. | Communication is possible. |
Verdict:
4 | (continued) with illegal parameters in the handshake message. | A TLS tunnel cannot be established. |
5 | Try to establish an encrypted TLS tunnel with a wrong or incomplete certificate. | A TLS tunnel cannot be established. |
6 | Try to establish an encrypted TLS tunnel with an expired certificate. | A TLS tunnel cannot be established. |
7 | Try to establish an encrypted TLS tunnel with a wrong MAC algorithm. | A TLS tunnel cannot be established. |
Verdict:

5.1.4 A.04 Authentication procedure is resistant against replay attacks
Requirement: AS.A6.1-3
Test Purpose: The test shall verify that it is impossible to bypass the authentication mechanisms of two components by a replay attack.
Configuration: CONFIG_Common
Pre-test conditions:
Step | Test sequence | Expected Results | Observations
1 | Start logging the data traffic between the TOT and another component. | The data logging process has been started. |
2 | Establish a valid and mutually authenticated connection between the two components and place a request from the source to the target module (TOT). | A valid connection is established and a valid answer from the TOT is received. |
3 | Close the connection of the two components. | The complete data exchange between the components has been intercepted and logged. |
4 | Replay the intercepted data in order to establish
7 | (continued) with the AOID from step 3 and the dataLocation parameter to identify an individual data element within the XAIP/BIN. | The function call is possible. The requested data value and the original locationValue are received. |
8 | Use the Archive Deletion Request function with the AOID from step 3 to delete the XAIP/BIN. | The function call is possible. |
9 | Check the deletion by calling the Archive Retrieval Request with the AOID from step 3. | The Archive Retrieval Response indicates that no stored object with the corresponding AOID can be found in the storage. |
10 | Check the log file for logs of all the access procedures from the previous steps. | The log file contains all the access procedures from the previous steps and also the return codes (error/success) and the actual return values. |
Verdict:

5.2.7 M.1.07 Access to log files is possible by authorized persons only
Requirement: M1.A4.0-4
Test Purpose: The test shall verify that only authorised persons are able to access the log files that have been created by the ArchiSafe module.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The ArchiSafe module is installed and configured.
- The user has administration rights on the system.
Step | Test sequen
(Contents, continued)
5.4.16 M.3.16 Time stamps shall be verified prior to renewal ... 102
5.4.17 M.3.17 Time stamp renewal can only be requested by authorised users through administrative interfaces ... 104
5.4.18 M.3.18 Hash tree renewal can only be requested through administrative interface ... 105
5.4.19 M.3.19 Authenticity and integrity of ArchiSig Module needs to be guaranteed ... 107
5.4.20 M.3.20 ArchiSig Module should be able to maintain parallel hash trees ... 108
5.4.21 M.3.21 Resigning procedure is efficient and produces Evidence Records ... 109
5.4.22 M.3.22 Deletion of an archive object shall not impair the conclusiveness of others ... 110
5.5 Interface functions ... 112
5.5.1 Interface S.1 ... 112
5.5.1.1 Verify Request ... 112
5.5.1.1.1 S.1.1-01 Verify Request: Verification of signature includes certificate path validation ... 112
5.5.1.1.2 S.1.1-02 Verify Request: Unavailable CRL results in invalid certificate ... 114
5.5.1.2 Sign Request
5.1.8 A.08 No security breach induced by administration interfaces or components
Requirement: MD.A7.3-16, M2.A6.3-3
Test Purpose: The test shall verify that the security characteristics of the middleware overall and of its individual components, as well as the integrity and authenticity of the stored data and documents, cannot be compromised unnoticed by an administration interface of the middleware or of individual components.
Configuration: CONFIG_Common
Pre-test conditions:
Step | Test sequence | Expected Results | Observations
1 | Check whether access to the administration interfaces is possible without any means of identification and authentication. | When accessing the administration interfaces, the user is asked for authentication. |
2 | Check whether any archive data that should not be accessible for the authenticated administrator can be accessed using the administrative interfaces. | No unauthorised access to any documents is possible. |
3 | Check whether any administration settings that should not be accessible for an authenticated non-administrative user can be accessed. | No unauthorised access to any administration setting is possible. |
4 | Check whether the administrative interface can still be used for administration after logging out. | After logging out of any administration interface, none of its functions are
5.5.4.2.9 S.4.2-09 Update can not delete data; versions can be retrieved separately
Requirement: MD.A5.1-15, MD.A5.1-19, M1.A4.2-2, M1.A4.2-7
Test Purpose: The test shall verify that the update function cannot be used to completely and ultimately delete any data, metadata or complete XAIPs/BINs. The test shall also verify that it is possible to retrieve each version of a changed data structure individually by using the version ID as a parameter when issuing the Archive Retrieval Request.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the Middleware.
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1 | Store an XAIP_OK or BIN_OK with data to the TOT using the interface function Archive Submission Request. | The call of the function with this XAIP/BIN as a parameter is possible. |
2 | Observe the output of the interface function Archive Submission Response. | A positive feedback is received. No error message or error code occurs. An AOID is assigned and returned. |
3 | Using the interface function Archive Update Request and the AOID from step 2, add an additional data element to the already existing archive data object. | The call of the function with a data element and the AOID as parameters is possible. |
4 | Using the interface function Archive Update Request and the AOID from step 2, try to replace the existing data element with an empty elemen
4.3.1.2 CONFIG_ArchiSafe (continued)
This configuration is based on CONFIG_Common. Additionally, the ArchiSafe Module (if TOT) shall be configured as follows:
- If configurable, an XSD defining the XAIPs shall be configured. Preferably, the XAIP described in Annex TR-ESOR-F should be used.
- If configurable, the XSD verification of XAIP containers during Archive Submission and Archive Update shall be enabled.
- If configurable, the signature verification during Archive Submission and Archive Update shall be enabled.
- If configurable, the S.4 interface shall only be accessible using a TLS tunnel with certificate-based mutual authentication.

4.3.2 Standard Test Objects
For most of the tests, test data is required. In order to make the tests repeatable, this section defines some standard test objects. The following table provides an overview of the test objects available. These test objects are referred to in the test cases by their unique name. The actual test objects (the files) are provided as an appendix to this document.
- Container Name: contains the unique name of the container and is identical to the file name.
- XML Schema: "valid" means that an XML based object conforms with the specified XML Schema; "not valid" means that an XML based object does not conform with the specified XML Schema.
- ... means that
12 | (continued) BIN_OK_SigWrong by using the Archive Retrieval Request function and the AOID from step 9. | The BIN_OK_SigWrong is retrieved in the XAIP format, including all assigned metadata and the BIN data as content. |
13 | Check the retrieved XAIP and all the metadata whether the signature verification information is included. | The certificates, the certificate verification information and the signature verification information are included in the retrieved XAIP. |
Verdict:

5.5.4.1.6 S.4.1-06 Archive Submission Request does not change the data objects within the XAIP or BIN
Requirement: M1.A4.1-5
Test Purpose: The test shall verify that the ArchiSafe module does not change the data objects within the XAIPs or BINs.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1 | Store an XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request. | The call of the function is possible. |
2 | Observe the output of the interface function Archive Submission Response. | A positive feedback is received. No error message or error code occurs. An AOID is assigned to the XAIP/BIN. |
3 | Request the XAIP with the Archive Retrieval Request functio | The call of the function is possible. |
1. ... and a valid AOID to request the deletion of an archived XAIP_OK_Sig or BIN_OK_Sig. Do not provide a reason for deletion. Expected: ... AOID as a parameter is possible.
2. Observe the output of the interface function Archive Deletion Response. Expected: A negative feedback is received. An error message or error code occurs. The XAIP/BIN is not deleted.
3. Using the interface function Archive Deletion Request and the AOID, request the deletion of the archived XAIP_OK_Sig or BIN_OK_Sig. Provide a reason for deletion. Expected: The call of the function with this AOID as a parameter is possible.
4. Observe the output of the interface function Archive Deletion Response. Expected: A negative feedback is received. An error message or error code occurs. The XAIP/BIN is not deleted.
5. Authenticate against the application with the credentials of a user who is authorised not only to access the XAIP submitted but also to delete data before it is expired (footnote 6). Expected: The user has been authenticated successfully.
6. Using the interface function Archive Deletion Request and the AOID, request the deletion of the XAIP_OK_Sig or BIN_OK_Sig. Do not provide a reason for deletion. Expected: The call of the function with this AOID as a parameter is possible.
7. Observe the output of the interface function Archive Deletion Response. Expected: A negative ...
14. ... the XAIP using the AOID from step 3 and check whether all changes are reflected. Expected: The retrieved version of the XAIP reflects all changes made in the XAIP or BIN. Especially, a version manifest per version exists.
15. Check the log file for logs of the changes and update procedures. Expected: The log files contain messages about all the changes.
Verdict:

Footnote 7: If an older version of the XAIP is requested, the element is included and available. This removal means that the element is no longer part of the most current version of the XAIP. Nevertheless, the element is still stored in the XAIP for evidence purposes.

5.5.4.2.4 S.4.2-04 Archive Update requires data and creates new version
Requirement: M1.A4.2-2, M1.A4.2-7
Test Purpose: The test shall verify that the ArchiSafe module can only update an archive data object when the data object or metadata that should be updated are part of the request and not empty, and that the original data object is not changed but a new version of the XAIP is created.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1. Store an XAIP_OK_Sig or BIN_OK_Sig using the ... Expected: The call of the function is possible.
... Expected: Requesting of an Evidence Record was performed successfully.
13. Check the Evidence Records for information about the Archive Time Stamp and signature check of steps 9, 10, 11 (OCSP Responses, CRL Reports) and the hash algorithm used for this time stamp. Expected: The ERS should contain the new archive time stamp. All the hash values of the parallel Archive Time Stamps are covered by the new Archive Time Stamp.
Verdict:

5.4.17 M.3-17 Time stamp renewal can only be requested by authorised users through administrative interfaces
Requirement: M3.A4.7-6
Test Purpose: The test shall verify that the function "Renewal of Archive Time Stamp" can, besides the automated function, only be requested manually by authorised users through administrative interfaces, and that this will be logged.
Configuration: CONFIG_Common
Pre-test conditions:
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1. Check whether there is a function "Renewal of Archive Time Stamp" for manual start of the renewal process. Expected: There may be a function or not. If not, the remaining test steps do not need to be performed and the whole test is considered to be passed.
2. Use the function "Renewal of Archive Time Stamp" with ... Expected: A positive feedback will be received, no error message or error ...
... qualified time stamp. The ArchiSig module must stop the hash tree renewal and log an exception.
8. Request an Evidence Record for one known AOID. Expected: Requesting of an Evidence Record was performed successfully.
9. Check the Evidence Records by an appropriate tool for information about the Archive Time Stamp and signature check (OCSP Responses, CRL Reports). Expected: The check of the tool shows that the ERS, respectively the time stamp chain, is not intact.
10. Start the hash tree renewal process manually, or wait the preconfigured period of time until the automatic renewal process. Expected: The hash tree renewal process was started successfully.
11. Observe the requests of the ArchiSig module to the Cryptographic Module. Expected: ArchiSig will request verification of the very last Archive Time Stamp signature.
12. Emulating the Cryptographic Module, send a positive response. Expected: Sending of the positive response was performed successfully.
13. Check the log files of the ArchiSig Module or otherwise observe the reaction of ArchiSig. Expected: ArchiSig should continue and finish the hash tree renewal.
14. Request an Evidence Record for one known AOID. Expected: Requesting of an Evidence Record was performed successfully.
15. Check the Evidence Records by an appropriate tool for information about the archive time stamp and signature check of steps 11, 12, 13 (OCSP Responses, CRL Reports). Expected: The check of the tool shows that the ERS, respectively the time stamp chain, for ...
Step | Test sequence | Expected Results | Observations
1. Use the Archive Retrieval Request with valid AOIDs to request a number (at least 20) of XAIPs in sequence from one client application. Expected: The function calls with the given AOIDs are possible.
2. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. The requested XAIPs are retrieved successfully.
3. If possible, use the Archive Retrieval Request with valid AOIDs to request a number (at least 20) of XAIPs from at least 2 client applications simultaneously. Request the same XAIPs from both clients. Expected: The function calls with the given AOIDs are possible.
4. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. The requested XAIPs are retrieved successfully by both client applications.
Verdict:

5.2.11 M.1-11 Access rights are enforced for individual archive objects
Requirement: M1.A4.0-6, M1.A5.0-1, M1.A5.0-3
Test Purpose: The test shall verify that client software can only access archive objects for which it has access rights. This is also stringently enforced when several archival information packages are requested simultaneously and, as applicable, there are access rights to only a few of them.
1. ... XAIP_OK_Sig or BIN_OK_Sig (footnote 8).
2. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. An AOID is assigned.
3. Store another XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request. Expected: The call of the function with this XAIP/BIN as a parameter is possible.
4. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. Another AOID is assigned.
5. Perform an Archive Evidence Request with the AOID received in step 2. Expected: The function call is possible.
6. Observe the output of the interface function Archive Evidence Response. Expected: An Evidence Record for the XAIP/BIN that has been stored in step 1 is received.
7. Perform an Archive Evidence Request with the AOID received in step 4. Expected: The function call is possible.
8. Observe the output of the interface function Archive Evidence Response. Expected: An Evidence Record for the XAIP/BIN that has been stored in step 3 is received.
9. Using the interface function Archive Deletion Request and the AOID from step 2, delete the XAIP_OK_Sig or BIN_OK_Sig. Expected: The call of the function with this AOID as a parameter is possible.
12. ... _OK, add metadata.
13. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is assigned.
14. Request the XAIP with the AOID from step 2 and the interface function Archive Retrieval Request. Expected: The call of the function with this AOID as a parameter is possible.
15. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
16. Request Evidence Records using the AOID from step 2 and the interface function Archive Evidence Request. Expected: The call of the function with this AOID as a parameter is possible.
17. Observe the output of the interface function Archive Evidence Response. Expected: A positive feedback is received. No error message or error code occurs. An Evidence Record is received.
18. Verify the retrieved ERS by using an appropriate tool. Expected: The tool shows that the ERS is intact.
19. Compare the ERS from step 17 with the ERS from step 10. Expected: The evidence data from step 17 differs from the evidence data retrieved in step 10.
20. Using the interface function Archive Update Request and the AOID from step 2, delete the XAIP_OK/BIN_OK added in step 5. Expected: The call of the function with this AOID and binary data as parameters is possible.
21. Observe the output of the interface function Archive ... Expected: A positive feedback is received ...
... a valid authenticated connection between the attacker and the TOT. Expected: No connection is established.
Verdict:

5.1.5 A.05 Protection of communication channel and interface is robust against DoS attacks
Requirement: AS.A6.1-4
Test Purpose: The test shall verify that any unauthorised access to authentication or payload data during communication is reliably prevented, and that the interface is implemented in such a way that denial of service (DoS) or consequential errors such as buffer overflows or SQL injections are not possible.
Configuration: CONFIG_Common
Pre-test conditions:
- If required, perform identification and authentication.
Step | Test sequence | Expected Results | Observations
1. Start logging the data traffic between the TOT and another component. Expected: The data logging process has been started.
2. Establish a valid and mutually authenticated connection between the two components and place a request from the source to the target module (TOT). Expected: A valid connection is established and a valid answer from the TOT is received.
3. ... the TOT interface in a short period of time and check if its availability is affected (DoS). Use several client applications on several computers in parallel in order to completely fill the network bandwidth (of at least 10 Mbit) provided to the TOT.
4. Close the connection ...
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Technical Guideline 03125
Preservation of Evidence of Cryptographically Signed Documents
Annex TR-ESOR-C.1: Conformity Test Specification (Level 1: Functional Conformity)

Designation: Functional Conformity Test Specification (Level 1)
Abbreviation: BSI TR-ESOR-C.1
Version: 1.1
Date: 14.06.12

Preservation of Evidence of Cryptographically Signed Documents (TR-ESOR), BSI TR-03125
Federal Office for Information Security
Post Box 20 03 63
53133 Bonn
Phone: +49 228 99 9582-0
E-Mail: digsig@bsi.bund.de
Internet: http://www.bsi.bund.de
(c) Federal Office for Information Security 2012

Table of Contents
1 Introduction 8
2 Overview 10
3 The Test Criteria 11
4 Test Approach 13
4.1 Structure of the Test Case Specifications 13
4.2 Strictness of Test Result Assessment 13
4.3 Baseline for all Test Cases
2. ... and an existing AOID, request an Evidence Record. Expected: ... parameter is possible.
3. Observe the output of the interface function Archive Evidence Response. Expected: A positive feedback will be received, no error message or error code. An Evidence Record will be received.
4. Check whether the Evidence Record contains the hash value of the archive object. Expected: The Evidence Record contains the hash value.
5. Check whether the Evidence Record contains an Archive Time Stamp Sequence which demonstrates the integrity of the archive object. Expected: The Evidence Record contains such a sequence.
6. Check whether the time stamps of the Archive Time Stamp Sequence are qualified time stamps and contain a qualified electronic signature which demonstrates the integrity and possibly the authenticity of the archive object. Expected: All time stamps are qualified time stamps, i.e. time stamps completed by a qualified signature.
7. Check whether the Evidence Record has an allowed format (RFC 4998, RFC 6283). Expected: The Evidence Record has an allowed format (RFC 4998, RFC 6283).
Verdict:

5.4.7 M.3-07 ArchiSig Module should not implement cryptographic functions
Requirement: M3.A3.1-5, M3.A4.4-3
Test Purpose: The test shall verify that the ArchiSig ...
... and S.6 is possible 43
5.2.6 M.1-06 Comprehensive and configurable options for logging 44
5.2.7 M.1-07 Access to log files is possible by authorized persons only 46
5.2.8 M.1-08 Changing metadata or data objects results in a new version of stored XAIP or BIN 47
5.2.9 M.1-09 ArchiSafe module should be capable of serving and separating multiple clients 49
5.2.10 M.1-10 ArchiSafe Module is thread-safe 50
5.2.11 M.1-11 Access rights are enforced for individual archive objects 51
5.3 Module 2: Crypto Module 53
5.3.1 M.2-01 Crypto Module is a signature application component according to §17 Par. 2 SigG 53
5.3.2 M.2-02 Crypto Module may be SSCD according to §17 Par. 1 SigG 54
5.3.3 M.2-03 Cryptographic algorithms must be suitable and exchangeable 55
5.3.4 M.2-04 Crypto Module should fulfil the requirements of TR-03112 ...
12. ... with a version ID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
13. Use the interface function Archive Retrieval Request with a version ID that contains too many characters. Expected: The request is answered with a clear and understandable error message or an error code.
14. Use the interface function Archive Evidence Request with no parameters. Expected: The request is answered with a clear and understandable error message or an error code.
15. Use the interface function Archive Evidence Request with an AOID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
16. Use the interface function Archive Evidence Request with an AOID that contains too many characters. Expected: The request is answered with a clear and understandable error message or an error code.
17. Use the interface function Archive Evidence Request with a version ID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
18. Use the interface function Archive Evidence Request with a version ID that contains too many characters. Expected: The request is answered with a clear and understandable error message or an error code.
19. Use the interface function Archive Data Request with an AOID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
20.
... are known.
- The tester emulates a TR-ESOR-M.2 Cryptographic Module.
- Test case M.3-16 was performed successfully.
- Some archive objects are already archived.
Step | Test sequence | Expected Results | Observations
1. Ensure that ArchiSig creates a new Archive Time Stamp, e.g. by using a Crypto Module. Expected: An ATS is generated.
2. Request an Evidence Record for one known AOID. Expected: Requesting of an Evidence Record was performed successfully.
3. Check the Evidence Record for information about time stamps and verifications (OCSP Responses, CRL Reports of signatures of time stamps). Expected: The information about the time stamps, their signatures and the verification information of the signatures is present and shows all information required for validation of the time stamp up to the certificate of a trustworthy root CA.
4. Start the hash tree renewal process. Expected: The hash tree renewal process was started successfully.
5. Observe the requests of the ArchiSig module to the Cryptographic Module. Expected: ArchiSig will request verification of the very last Archive Time Stamp signature.
6. Emulating the Cryptographic Module, send a negative response. Expected: Sending of the negative response was performed successfully.
7. Check the log files of the ArchiSig Module or otherwise observe the reaction of ArchiSig. Expected: ArchiSig should at least mention the failed verification of the ...
10. Check the XML schema of the retrieved XAIPs. Expected: The XML schema of all the XAIPs must comply with an XSD configured by the user or a default XSD of the TOT.
Verdict:

5.5.4.4 Archive Evidence Request

5.5.4.4.1 S.4.4-01 Preservation of evidence does not impair possibility to use documents
Requirement: MD.A6.1-2
Test Purpose: The test shall verify that the procedures used for the preservation of evidence of signed electronic documents do not impair the ability to continue using the electronic documents from the archive.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication.
- The call of the function Archive Submission Request with an XAIP_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
- The call of the function Archive Submission Request with a BIN_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
Step | Test sequence | Expected Results | Observations
1. Start the signature renewal process. Expected: The signature renewal is in process.
2. Use the interface function Archive Retrieval Request ... Expected: The call of the function is possible ...
... Retrieval Response ... occurs. An XAIP is received.
2. ... documentation whether the Crypto Module provides functions to directly and explicitly access (read) the private keys or to perform cryptographic operations with these keys. If not, this test case is finished and considered to be passed. Expected: The Crypto Module may have such a function.
3. Verify for each of these functions whether an identification and authentication is required prior to the actual execution of the function. Expected: Every function requires at least authentication prior to execution.
4. Check the vendor documentation for information about where keys are stored in the system. Expected: The keys are stored in a protection system implemented as a hardware solution, e.g. USB tokens or a smart card. If yes, this test case is finished and considered to be passed.
5. Check the vendor documentation for information about how keys are stored software-based (typically as a file). Expected: The Public Key Cryptography Standard 12 (PKCS#12) format is used to store keys and X.509v3 certificates.
Verdict:

5.3.16 M.2-16 Suitability of cryptographic algorithms should be defined by policy file
Identifier: M.2-16
Requirement: M3.A5.3-2
Test Purpose: Check whether the validity periods of hash and signature algorithms are stored and managed in the form of a policy file.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
... 56
5.3.5 M.2-05 Crypto Module should be certified according to SigG 57
5.3.6 M.2-06 Random number generators fulfil the BSI requirements 58
5.3.7 M.2-07 Support of hash functions 59
5.3.8 M.2-08 Crypto Module uses recommended algorithms for generating signatures 60
5.3.9 M.2-09 Crypto Module supports canonicalisation for the verification of XML signatures 61
5.3.10 M.2-10 Canonicalisation procedures do not change the content data 63
5.3.11 M.2-11 XML Signatures follow the recommendations of RFC 3275 64
5.3.12 M.2-12 Reliable verification of electronic signatures 65
5.3.13 M.2-13 Crypto Module shall have function to validate certificate chains 66
5.3.14 M.2-14 Verification of signatures yields standardised and comprehensive verification report 67
5.3.15 M.2-15 Protecting private keys 68
5.3.16 M.2-16 Suitability of cryptographic algorithms should be defined by policy file 69
5.3.17 M.2-17 Protec...
5.5.4.1.9 S.4.1-09 Application protocol is routing capable
Identifier: S.4.1-09
Requirement: AF.A6.2-11
Test Purpose: The test shall verify that the protocol on the application layer is routing capable.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The application documentation is available.
- If required, perform identification and authentication.
- Administration access to the IT systems is needed.
Step | Test sequence | Expected Results | Observations
1. Check the ArchiSafe documentation for the protocol used to map the client requests and the archive system answers. Expected: The used protocol is routing capable, e.g. XML-RPC or SOAP.
Verdict:

5.5.4.1.10 S.4.1-10 WSDL and Document/literal encoding for SOAP should be used
Identifier: S.4.1-10
Requirement: AF.A6.2-12
Test Purpose: The test shall verify whether SOAP Document/Literal Encoding is used and if the external interfaces of all archive system components are published via WSDL.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The middleware documentation is available.
- The application documentation is available.
Step | Test sequence | Expected Results | Observations
1. Check the middleware documentation for the use of ... Expected: WSDL is used to publish ...
... 14
4.3.1 Standard Test Configurations 14
4.3.1.1 CONFIG_Common 14
4.3.1.2 CONFIG_ArchiSafe 14
4.3.2 Standard Test Objects 15
4.4 Occurring Abbreviations 16
5 The Test Cases for Conformity Level 1 (Functional Conformity) 19
5.1 Tests for all products 19
5.1.1 A.01 Middleware modules should be realised as separate modules 19
5.1.2 A.02 XML-based interfaces 21
5.1.3 A.03 No access without mutual authentication 22
5.1.3.1 A.03.1 Mutual authenticated TLS between client application and ArchiSafe Module or an equivalent middleware interface 24
5.1.3.2 A.03.2 Mutual authenticated TLS between XML module and ArchiSafe Module or an equivalent middleware interface 25
5.1.3.3 A.03.3 TLS tunnels are based on s...
Step | Test sequence | Expected Results | Observations
1. Check the vendor documentation whether there is a description of how to restrict the access to the log records. Expected: There is such a description, or the documentation refers to the access control mechanism of the underlying platform.
2. Check the vendor documentation whether there are recommendations regarding the access control restrictions for the log files. Expected: There are such recommendations. It is recommended that only authorized persons shall be able to access (read) the log files. Nobody shall be able to modify the log files. Only administrators are allowed to delete the log files after archiving or after the end of use.
3. Configure access restrictions as recommended in the guidance. Expected: Successfully possible.
4. Verify that an unauthorized person is not able to access the log records. Please take all recommended security mechanisms into account, also the organizational and physical ones. Expected: Access is not possible.
Verdict:

5.2.8 M.1-08 Changing metadata or data objects results in a new version of stored XAIP or BIN
Pre-supposition: A product which claims to comply with the update functionality according to M.1-04 and S.4.2-01 (Archive Update Request) of this TR has to pass the following test case or prove that it supports functionally analogous functions.
... certificate was verified. The verification results are included. There must be an indication that this certificate is a trusted root CA certificate.
Verdict:

5.3.14 M.2-14 Verification of signatures yields standardised and comprehensive verification report
Requirement: M2.A5.1-10, M2.A5.1-11, M2.A5.1-12
Test Purpose: The Cryptographic Module is able to generate signature verification results in standardised formats. The Cryptographic Module shall be able to return the signature verification results including related certificate information. The Cryptographic Module shall offer a function that is able to validate user certificates for electronic signatures. Verification shall be complete up to a trustworthy root.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
Step | Test sequence | Expected Results | Observations
1. Check the user manual whether the cryptographic module has a function that is able to demonstrably verify the presence and validity status of user certificates for electronic signatures at the time of signature creation. Expected: The cryptographic module provides such a function.
2. Transfer the archival information package XAIP_OK_Sig and/or BIN_OK_Sig to the TOT using the interface function VerifyRequest. Expected: The call of the function with this signed object as parameter ...
... especially useful to get more information about the context of the requirement. The context is sometimes very important to understand the intention of a requirement.
- Column ID: In this column the document-specific ID of the requirement is listed.
- Column Description: The description of the specific requirement is repeated here.
- Column Key requirement: This column is checked if the requirement is a key requirement. A key requirement is a requirement which specifies the core functionality of a module. All non-core requirements are also important and to be tested, but the key requirements are the most important requirements for this module from the evidence preservation point of view, and the focus of the tests should be directed to those.
- Column Conformity Level 1: This column is marked by a cross if the requirement relates to Conformity Level 1. This means that this requirement is also relevant to pass Conformity Level 2.
- Column Conformity Level 2: This column is marked by a cross if the requirement relates only to Conformity Level 2.
It may be possible that a requirement is marked for Conformity Level 1 and for Conformity Level 2. This may be the case when, e.g., a "should" requirement of Conformity Level 1 becomes a "shall" requirement in Conformity Level 2, or an optional requirement in Conformity Level 1 becomes an obligatory requirement in Conformity Level 2. For clarification: if a product wants to ...
... container
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Middleware documentation is available.
- If required, perform identification and authentication.
The following steps must be accomplished before starting the test:
1. The call of the function Archive Submission Request with an XAIP_OK as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
2. The call of the function Archive Submission Request with an XAIP_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
3. The call of the function Archive Submission Request with a BIN_OK as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
4. The call of the function Archive Submission Request with a BIN_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
Step | Test sequence | Expected Results | Observations
1. Using the interface function Archive Retrieval Request and the AOID from step 1 of the pre-test conditions, request the XAIP. Expected: The call of the function with this AOID as a parameter is possible.
2. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
... RFC 3275. Note: if the TOT doesn't support XML signatures, the test case can be passed as fulfilled.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
- Developer documents are present.
Step | Test sequence | Expected Results | Observations
1. If the product claims to be able to generate electronic signatures, check the user manual and developer documents whether electronic signatures of XML data are generated according to the XML Signature Standard (RFC 3275). Expected: Electronic signatures of XML data are generated according to the XML Signature Standard (RFC 3275). Alternatively, the TOT is certified according to BSI TR-03112.
2. Check the user manual and developer documents whether the canonicalisation procedure is used when using the RFC 3275 format. Expected: The canonicalisation procedure is used when using the RFC 3275 format.
Verdict:

5.3.12 M.2-12 Reliable verification of electronic signatures
Identifier: M.2-12
Requirement: M2.A5.1-4, M2.A5.1-5, M2.A5.1-6, M2.A5.1-7
Test Purpose: The Cryptographic Module that conforms to this Guideline shall provide functions for the reliable verification of electronic signatures. The signature verification function of the Cryptographic Module supports the signature data formats XML Signature and CMS Signature at a minimum ...
... read and write access to ArchiSig's own database and the archive database in the ECM/long-term storage possible for the ArchiSig Module. This is an interface of a component which is not part of the TR-ESOR middleware. Therefore, no conformity tests will be specified here.

5.5.3 Interface S.3

The primary purpose of the TR-ESOR-S.3 interface between the ArchiSig Module and the Cryptographic Module is the generation of hash values and the generation and verification of qualified time stamps. Both kinds of data are needed for the development of the Merkle hash trees [MER 1980].

Pre-supposition: A product which claims to functionally comply with the Interface S.3 specification of this TR has to pass all test cases in this section or prove that it supports functionally analogous interfaces.

5.5.3.1 Timestamp Request

The test cases M.2-22 (sec. 5.3.22 M.2-22 Crypto Module is able to request qualified time stamps), M.2-23 (sec. 5.3.23 M.2-23 Crypto Module supports RFC 3161 and suitable algorithms), M.2-24 (sec. 5.3.24 M.2-24 Time stamps need to bear qualified electronic signature) and M.2-25 (sec. 5.3.25 M.2-25 Crypto Module shall verify signatures of received time stamps) are also relevant here.

5.5.3.2 Verify Request

The test cases of the Verify Request function of the interface S.1 (sec. 5.5.1.1 Verify Request) are also ...
73. d infrastructure landscape • The central Middleware module M 1 which regulates the flow of information in the Middleware that implements the security requirements for the interfaces with the IT applications and which ensures that the application systems are decoupled from the ECM long term storage • The Cryptographic module M 2 and the associated interfaces S 1 and S 3 that provide the functions needed for the creation optional and verification of electronic signatures the post verification of electronic certificates and for the obtainment of qualified time stamps for the Middleware Furthermore it can provide the functions for the encryption and decryption of data and documents • The ArchiSig module TR ESOR M 3 with the interface S 6 that provides the functions needed for the preservation of evidence of the digitally signed documents An ECM long term storage with the interfaces S 2 and S 5 that assumes the physical archiving storage and also the storage of the meta data that preserve evidence This ECM long term storage is no longer directly a part of the Technical Guideline but requirements may be induced through the two interfaces that are still part of the TR ESOR Middleware The application layer that can include an XML adapter is not a direct part of this Technical Guideline either even though this XML adapter can be implemented as part of a Middleware The IT Reference Architecture depicted in Figure 1 is base
74. d on the ArchiSafe Reference Architecture and is supposed to make possible and support the logical functional interoperability of future products with the goals and requirements of the Technical Guideline For more information see http://www.archisafe.de [Figure 1 Schematic Depiction of the IT Reference Architecture: application layer, TR ESOR Middleware with ArchiSafe Module TR M 1, ArchiSig Module TR M 3 and Crypto Module TR M 2, and the ECM long term storage] This Technical Guideline is modularly structured and the individual annexes to the Main Document specify the functional and technological security requirements for the needed IT components and interfaces of the TR ESOR Middleware The specifications are strictly platform product and manufacturer independent The document at hand bears the designation Annex TR ESOR C 1 and describes and specifies the conformity tests for the conformity level 1 Functional Conformity 2 Overview Products or systems which want to get certified according to this Technical Guideline have to demonstrate their conformance to the specifications There are three conformance levels defined which mainly differ in the technica
75. dified XML formats with the same functionality Note If the interface S 4 supports Archive Submission Requests for BINs only the test will be considered as successfully passed middleware's user manual with the XAIP structure described in TR ESOR Annex TR ESOR F in TR ESOR Annex TR ESOR F Deviations are explained and equal functionality is provided If required it is explained how a transformation of XAIP to the present XML format is possible Configuration CONFIG_ArchiSafe Pre test conditions • The middleware's user manual is available If required perform identification and authentication Step Test sequence Expected Results Observations 1 Compare the description of the XML data format in the The implemented XML format complies with the structure defined AOID from step 3 to change the data contained within 2 Check the interface functions and their possible Data and metadata to be archived shall always be contained in an parameters XML container and only be passed in this container to the ArchiSafe 3 Store an XAIP_OK_Sig transformed in the respective The function call is possible XML format using the Archive Submission Request function 4 Check the output of the Archive Submission Response The XAIP object is assigned an AOID and stored successfully function 5 Use the Archive Update Request function with the The function call is possible
76. e Pre test conditions Step Test sequence Expected Results Observations 1 Check whether there is a Common Criteria certificate of There is such a certificate the ArchiSafe module under testing same product same version showing compliance with the PP 0049 ACMPP 2 If test step 1 fails The TOT is within the process of a Common Criteria evaluation Check whether the ArchiSafe module under testing and the ST claims compliance with ACMPP same product same version is currently in a Common Criteria evaluation and whether the Security Target claims compliance with the PP 0049 ACMPP Verdict 5 2 2 M 1 02 ArchiSafe module is separated and deployed on a trustworthy IT system Requirement M1 A3 1 2 M1 A3 1 4 Test Purpose The test shall verify that the ArchiSafe module is a component of the middleware and runs as an independent application or as an independent functionally separated part of an application on a trustworthy IT system Configuration CONFIG_ArchiSafe Pre test conditions The middleware documentation is available • The IT system documentation is available Step Test sequence Expected Results Observations 1 Check the IT system documentation about the There are recommendations or requirements to ensure the implemented security mechanisms for the underl
77. e Perform authentication when required 2 Retrieve an XAIP using the AOID and an account A from XAIP could be retrieved a client A if TOT is multi client capable Perform authentication when required 3 Update the XAIP BIN several times using the AOID All updates are successfully performed and an account A from a client A if TOT is multi client capable Perform authentication when required 4 Disconnect from the TOT Any existing trusted channels are terminated 5 Reconnect to the TOT and try to retrieve an XAIP using Access denied the AOID and an account B from a client A if TOT is multi client capable Perform authentication when required 6 Update the XAIP BIN using the AOID and an account Access denied B from a client A if TOT is multi client capable Perform authentication when required 7 Retrieve an XAIP using the AOID and an account A from Access denied a client B if TOT is multi client capable Perform authentication when required 8 Update the XAIP BIN using the AOID and an account Access denied A from a client B if TOT is multi client capable Perform authentication when required Verdict 5 5 4 2 6 4 2 06 Si
78. e Time Cryptographic Module Stamp signature 4 Emulating the Cryptographic Module send a negative Sending of negative response was performed successfully response 5 Check the log files of the ArchiSig Module or observe ArchiSig shall mention the failed verification of the qualified time otherwise the reaction of ArchiSig stamp and stop the complete Archive Time Stamp 6 Request an Evidence Record for one known AOID Requesting of an Evidence Record was performed successfully 7 Check the Evidence Records for information about the The ERS should contain no new Archive Time Stamp Archive Time Stamp and signature check of steps 3 4 5 OCSP Responses CRL Reports 8 Start the complete Archive Time Stamp renewal process The complete Archive Time Stamp renewal process was started successfully 9 Observe the requests of the ArchiSig module to the ArchiSig will request verification of the very last Archive Time Cryptographic Module Stamp signature 10 Emulating the Cryptographic Module send a positive Sending of positive response was performed successfully response 11 Check the log files of the ArchiSig Module or observe ArchiSig should continue and finish the complete Archive Time otherwise the reaction of ArchiSig Stamp renewal 12 Request an Evidence Record for one known AOID Requesting of an Evidence
79. e accessed administrator credentials or unchanged system default credentials Verdict 5 1 10 A 10 Additional interfaces do not compromise security Requirement M3 A3 2 3 Test Purpose The test shall verify that the implementation of additional interfaces shall not compromise the guarantee of basic security relevant requirements see Chapter 5 Configuration CONFIG_Common Pre test conditions • User manual is present Step Test sequence Expected Results Observations 1 Perform test cases A 4 and A 5 and check whether the The additional interfaces do not provide such a capability or do additional interfaces of the TOT enable an attacker to even not provide the property to connect from or to other modules spoof another trusted module e g ArchiSafe or the storage 2 Perform test cases A 4 and A 5 and check whether the The additional interfaces do not provide such a capability or do additional interfaces of the TOT enable an attacker to even not provide the property to connect from or to other modules submit a data object or to request Evidence Records by circumventing security features 3 Perform test cases A 4 and A 5 and check whether the The additional interfaces do not provide such a capability additional interfaces of the TOT enable an attacker to circumvent the self test function
80. 5 3 13 M 2 13 Crypto Module shall have function to validate certificate chains Requirement M2 A5 1 17 Test Purpose The Cryptographic Module shall have a function to validate certificate chains in order to verify the integrity of archived certificate chains and archived packages see RFC5280 Section 6 and TR ESOR M 3 package using a valid and not expired certificate issued by a Trust Center Configuration CONFIG_Common Pre test conditions • Certificate of a Certification Service Provider is present Step Test sequence Expected Results Observations 1 Sign the XAIP_OK or BIN_OK archival information The signed XAIP_OK BIN_OK was created successfully for the signature of the XAIP BIN was verified 2 Transfer the signed XAIP_OK or BIN_OK to the TOT The call of the function with this XAIP BIN as parameter is using the interface function VerifyRequest possible 3 Observe the output of the interface function A positive feedback will be received the signature has been VerifyResponse verified 4 Check the verification results whether the certificate used The certificate used for the signature was verified The verification results are included 5 Check the verification results whether the CA certificate used for the signature of the certificate was verified The CA
81. e or part of it or prove that it supports functional analogous interfaces Requirement M1 A3 2 2 Test Purpose The test shall verify that the ArchiSafe module is able to access the other modules of the middleware via dedicated interfaces as described in the annexes TR ESOR M 2 TR ESOR M 3 and TR ESOR S of this technical guideline Configuration CONFIG_ArchiSafe Pre test conditions • The tests of test case M 1 01 have been successfully completed The middleware documentation is available Step Test sequence Expected Results Observations 1 Check if the ArchiSafe documentation contains the The interface is described in the documentation description of how to connect to the interface S 1 2 Check if the ArchiSafe documentation contains the The interface is described in the documentation description of how to connect to the interface S 6 3 Check if it is possible for the ArchiSafe module to Communication is possible communicate with the Crypto Module via the S 1 interface 4 Check if it is possible for the ArchiSafe module to Communication is possible communicate with the ArchiSig module via the S 6 interface Verdict 5 2 6 M 1 06 Comprehensive and configurable options for logging Identifier M 1 06 Requirement M1 A4 0 3 Test Purpose The test shall verify
82. eceived 3 Using the interface function Archive Retrieval Request The call of the function with this AOID as a parameter is possible and the AOID from step 2 in the pre test conditions to request the XAIP 4 Observe the output of the interface function Archive A positive feedback is received No error message or error code Retrieval Response occurs An XAIP is received 5 Using the interface function Archive Retrieval Request The call of the function with this AOID as a parameter is possible and the AOID from step 3 in the pre test conditions to request the XAIP 6 Observe the output of the interface function Archive A positive feedback is received No error message or error code Retrieval Response occurs An XAIP is received 7 Using the interface function Archive Retrieval Request The call of the function with this AOID as a parameter is possible and the AOID from step 4 in the pre test conditions to request the XAIP 8 Observe the output of the interface function Archive A positive feedback is received No error message or error code Retrieval Response occurs An XAIP is received 9 Check the retrieved XAIPs All data objects can successfully be retrieved from the archive system encapsulated in valid XAIPs as defined in the middleware document
83. 10 Observe the output of the interface function Archive A positive feedback is received No error message or error code Deletion Response occurs The XAIP BIN is deleted 11 Perform an Archive Evidence Request with the AOID The function call is possible received in step 4 12 Observe the output of the interface function Archive An Evidence Record for the XAIP BIN that has been stored in Evidence Response step 3 is received 13 Compare the two Evidence Records of the XAIP BIN The Evidence Records are equal It may be possible that in the that was stored in step 3 meantime an automated time stamp renewal or a hash tree renewal occurred This would be reflected in the ERS Verdict 5 5 Interface functions Note The following test specifications are based on the recommended reference architecture in chapter 7 1 of the main document of this technical guideline Thus in the following differences between expected and observed test results should be carefully interpreted by the testers respecting the fact that actual implementations of components and/or modules of the middleware may deviate from the recommended reference architecture This may result also in different characteristics of implemented and provided interfaces It is worth noting therefore that tes
84. 5 5 4 3 Archive Retrieval Request 5 5 4 3 1 S 4 3 01 AOID and secure channel is required for retrieval Requirement MD A5 1 17 MD A5 1 18 M1 A4 0 5 M1 A4 3 1 M1 A4 3 2 Test Purpose The test shall verify that the upstream IT applications can send and retrieve any data only through a secure communication channel and only if a valid AOID if required is used as a parameter Configuration CONFIG_ArchiSafe Pre test conditions • Tester has read permissions on the Middleware • If required perform identification and authentication Step Test sequence Expected Results Observations 1 Start a data traffic capture tool to monitor the traffic Data traffic capturing is started between upstream client application and ArchiSafe 2 Store some XAIP_OKs or BIN_OKs using the interface The call of the function with this XAIP BIN as a parameter is function Archive Submission Request possible 3 Observe the output of the interface function Archive A positive feedback is received No error message or error code Submission Response occurs An AOID is assigned per stored object 4 Use the interface function Archive Retrieval Request The call of the function with this AOID as a parameter is possible and the AOID from step 2 to request the XAIP 5 Observe the output of the interface function Archive A positive feedback is rece
85. ed the certificate are standardized Verdict 5 3 22 M 2 22 Crypto Module is able to request qualified time stamps Requirement M2 A5 3 1 Test Purpose The Cryptographic Module has a function to request a qualified time stamp The request can be made to a certification service provider or to a device controlled by the Cryptographic Module Configuration CONFIG_Common Pre test conditions • User manual is present • The Cryptographic module may be configured to request a time stamp by a service provider or an internal device Step Test sequence Expected Results Observations 1 Check the user manual whether the Cryptographic The Cryptographic Module has a function to request a qualified Module has a function to request a qualified time stamp time stamp 2 Request a qualified time stamp using the corresponding The request of the qualified time stamp is possible interface function a from a certificated service provider or b a certificated device controlled by the Cryptographic module 3 Observe the output of the interface function A positive feedback will be received no error message or error code The time stamp shall be received 4 Check the time stamp whether it is a qualified one The time stamp is a qualified time stamp Verdict
86. ed Results Observations 1 Request a qualified time stamp using the functions of the The Crypto Module performs the request Crypto Module 2 Check log files or other evidence whether the Crypto The Crypto Module has successfully verified the mathematical Module has verified the authenticity and integrity of the correctness of the signature received qualified time stamp the signature 3 Check log files or other evidence whether the Crypto The Crypto Module has verified successfully the signature Module has verified the certificate used for signature certificate 4 Check log files or other evidence whether the Crypto The Crypto Module has verified successfully the CA certificate Module has verified the CA certificate used to sign the certificate used for signature 5 Emulate the check of invalid signatures and certificates The Cryptographic module detects and logs the failures Verdict 5 4 Module 3 ArchiSig Module Pre supposition A product which claims to conform to the M 3 ArchiSig specification of this TR has to pass • all test cases in this section and • all test cases for the interface S 6 specified in section 5 5 6 or prove that it supports functional analogous interfaces
87. ed signature check The test shall verify that it is possible for the ArchiSafe module to enter signature verification results including the associated certificate information into the enables the automatic signature check while submitting an archive object Configuration CONFIG_ArchiSafe Pre test conditions Tester has Read Write permissions on the system • Perform authentication if necessary Step Test sequence Expected Results Observations 1 Verify that the configuration of the ArchiSafe module Automatic signature check can be enabled and is enabled Submission Response 2 Store an XAIP_OK_Sig or BIN_OK_Sig to the TOT The call of the function is possible using the interface function Archive Submission Request 3 Observe the output of the interface function Archive A positive feedback is received No error message or error code occurs An AOID is assigned to the stored archive object 4 Store an XAIP_OK_SigWrong or BIN_OK_SigWrong to the TOT using the interface function Archive Submission Request The call of the function is possible 5 Observe the output of the interface function Archive Submission Response A negative feedback will be received An error message or error code occurs The log file contains an error message with a signature The archive object may be stored and an AOID may be returned 6 Retrieve the XAIP_OK_Sig by using the Archive Retrieval Re
88. ence Expected Results Observations 1 Check the middleware documentation for the The documentation states that secure external administration and configuration is possible client application and middleware 2 Check the middleware's administration and configuration The middleware supports secure external administration and features configuration 3 Start a data traffic capture tool to record the data between Data traffic capturing is started 4 Try to connect remotely to the middleware administration and configuration interface The credentials of an authorised user are needed to access the administration and configuration interface 5 Try to log in to the middleware administration and configuration interface using the credentials of an unauthorised user Access is denied 6 Try to log in to the middleware administration and Access is granted configuration interface using the credentials of an authorised user 7 Change several options and save the current settings It is possible to change the configuration and save the new settings 8 Stop the data traffic capture tool Data traffic capturing is stopped 9 Check the captured traffic log file All the data that was transmitted during the remote administration process is encrypted Verdict 3
89. ence is not possible 4 2 Strictness of Test Result Assessment The Technical Guideline distinguishes between three major classes of requirements cf RFC 2119 • CAN or synonymously MAY COULD These requirements are just hints or optional features These requirements will not be tested • SHOULD These requirements are strong recommendations Respective test cases should demonstrate the specified behaviour Alternatively the vendor explains why its product uses another approach and why the resulting security level is equal to the security level described in the Technical Guideline • MUST or synonymously SHALL These are strict requirements It is not allowed to use another approach or alternative techniques Test cases which test MUST requirements are identified with a red coloured title line The expected results of these test cases must exactly match the actual results Test cases identified by a grey coloured title line are pure SHOULD requirements The expected test results may differ from the actual test results if the vendor can demonstrate the same or higher security level 4 3 Baseline for all Test Cases This section describes the basics valid and usable for all test cases 4 3 1 Standard Test Configurations Here a set of standard configurations of the test setup will be described These setups are referenced in
90. er is possible complete verification information of the signature the certificate and all certificates back to a trustworthy root CA must be present 3 Observe the output of the interface function A positive feedback will be received no error message or error VerifyResponse code 4 Check whether verification information is missing The All the signature verification results including related certificate information are returned without changes to the module making the request 5 Check the format for the verification results Check the user guidance to determine the format used The results are documented in a standardized format Preferably the VerificationReport of the eCard API Framework is used Verdict 5 3 15 M 2 15 Protecting private keys Requirement M A6 1 2 M2 A6 2 5 Test Purpose Private keys stored in the Cryptographic Module shall not be accessible for unauthorised users Configuration CONFIG_Common Pre test conditions Step Test sequence Expected Results Observations 1 Check vendor documentation whether the Crypto The Crypto Module may have such a function Module is able to store private keys longer than just for 4 If not this test case is finished and considered to be passed signature operations 2 Check vendor document
91. error message or error code will be Submission Response received 3 Check the log files of the TOT for an error record about There is an error record showing that the XML schema verification the XML schema check of this XAIP failed 4 Check whether the XAIP is stored The XAIP is not stored Verdict 5 5 4 1 8 S 4 1 08 Application protocol uses request response message exchange pattern Requirement AF A6 2 8 Test Purpose The test shall verify that a protocol within the TLS tunnel is used by which among other things the technical confirmation of the receipt of a client request is realised Configuration CONFIG_ArchiSafe Pre test conditions The IT system documentation is available • If required perform identification and authentication • Administration access to the IT systems is needed Step Test sequence Expected Results Observations 1 Check the IT system documentation for the used protocol The documentation states which protocol is used e g HTTP RPC within the TLS tunnel protocol RMI 2 Check the documentation for this protocol whether The protocol implements such confirmations e g TCP ACK technical confirmations of receipts are implemented HTTP Return codes Verdict
92. ertificate Revocation List DES Data Encryption Standard DoS Denial of Service e g for example exempli gratia EC14N Exclusive XML Canonicalization ECM Enterprise Content Management ERS Evidence Record Syntax ETSI TSP European Telecommunication Standard Institut Time Stamping Profile HTTP Hypertext Transfer Protocol i e in other words id est ID Identifier IT Information Technology M Modules MER Merkle hash trees n a not applicable No Number OCSP Online Certificate Status Protocol Par Paragraph PKCS Public Key Cryptographic Standard PKI Public Key Infrastructure PP 0049 Identifier of the ACMPP RC2 Rivest Cipher 2 resp respectively RFC Request for Comments RMI Remote Method Invocation RPC Remote Procedure Call S Interfaces SASL Simple Authentication and Security Layer SCVP Server based Certification Validation Protocol Sig Signature SigG Signaturgesetz SigV Signaturverordnung SOAP Simple Object Access Protocol SQL Structured Query Language SSCD Secure Signature Creation Device ST Security Target TCP Transmission Control Protocol TLS Transport Layer Security TOT Target of Testing TR Technische Richtlinie TSP Time Stamp Protocol USB Universal Serial Bus WSDL Web Services Description Language XAIP
93. est Purpose If the module is intended to create qualified electronic signatures itself the TOT fulfils the requirements for a secure signature creation device pursuant to 17 Par 1 SigG Configuration CONFIG_Common Pre test conditions • User manual for TR ESOR M 2 is present Step Test sequence Expected Results Observations 1 Check whether the module is able to create qualified The module may be able to create qualified electronic signatures signatures itself 2 Check whether for the software or hardware units which Such a confirmation exists for the components which are supposed are supposed to create qualified electronic signatures or to create qualified electronic signatures the complete TOT there exists a confirmation that it is an approved secure signature creation device pursuant to 17 Par 1 SigG Verdict 5 3 3 M 2 03 Cryptographic algorithms must be suitable and exchangeable Requirement MD A7 3 6 M 2 A3 2 1 Test Purpose The algorithms and parameters of the Cryptographic Module that are suitable for security can be exchanged in a quick and uncomplicated manner Configuration CONFIG_Common Pre test conditions • User has administrator rights on the system • User manual is present Step Test sequence Expected Results Observations 1 Check whether a hash algorithm and
94. eval Request with the corresponding AOID as parameter Verdict 5 5 4 1 2 S 4 1 02 Archive Submission yields unique AOID Requirement MD A5 1 3 M1 A4 1 6 M1 A4 1 7 M3 A4 2 2 Test Purpose The test shall verify that a unique unchangeable AOID is assigned to each archive data object that is stored in the ECM The test shall verify that an already archived object will not be overwritten or changed by an Archive Submission Request Transfer an XAIP_OK or BIN_OK to the TOT using the interface function Archive Submission Request Configuration CONFIG_ArchiSafe Pre test conditions • Tester has write permissions on the system • If required perform identification and authentication Step Test sequence Expected Results Observations 1 The call of the function with this XAIP BIN as a parameter is possible Retrieve the XAIP_OKs with the AOIDs from step 2 2 Observe the output of the interface function Archive A positive feedback is received No error message or error code Submission Response occurs An AOID is assigned to the XAIP BIN 3 Transfer the archival information package The call of the function with this XAIP BIN as a parameter is XAIP_OK_Sig BIN_OK_Sig to the TOT using the possible interface function Archive Submission Request 4 Observe the output of
95. evant parts of the Archival Information Package is based on algorithms and parameters which are capable of protecting the security over the long term Configuration Config COMMON Pre test conditions • User manual is present Step Test sequence Expected Results Observations 1 Check the user manual whether the ArchiSig Module The ArchiSig Module calculates the hash value on the basis of at calculates the hash value on the basis of suitable least one of the recommended algorithms and parameters or the algorithms and parameters as recommended by the ArchiSig Module can be configured to do so BNetzA Verdict 5 4 13 M 3 13 ArchiSig Module supports time stamp renewal and hash tree renewal Requirement MD A5 1 6 MD A5 1 7 Test Purpose The test shall verify that pursuant to 17 SigV the signed data can be re signed and re hashed Configuration CONFIG_Common Pre test conditions Test user has administrative rights on the system • There are XAIPs or BINs stored in ECM long term storage and their AOIDs are known • If required perform identification and authentication Step Test sequence Expected Results Observations 1 Use the interface function Archive Evidence Request The call of the function with the list of these AOIDs as with the known AOIDs parameters is possible If required per
96. fier M 3 09 Requirement AS A5 2 1 AS A5 3 1 AS A5 6 1 M3 A3 2 2 MD A7 3 10 Test Purpose The individual entities of ArchiSig should be able to run on different machines Configuration CONFIG_Common Pre test conditions If required perform identification and authentication Step Test sequence Expected Results Observations 1 Perform test case M 3 01 This demonstrates that multiple entities on one computer work 2 Configure ArchiSig in such a way that the multiple That should be possible 3 Perform test case M 3 01 again This demonstrates that multiple entities on different computers work Verdict 5 4 10 M 3 10 ArchiSig Module uses separate storage for time stamps and AOIDs Requirement M3 A3 1 6 M3 A4 4 4 Test Purpose The test shall verify that the calculated hash value Hxarp or Haw and the AOID and if applicable version ID will be stored and preserved in secure data storage that is part of or allocated to the ArchiSig Module in such a way that a hash value corresponding to an AOID and if applicable version ID can be identified with absolute certainty at any time Configuration CONFIG_Common Pre test conditions XAIP_OK was archived successfully and updated several times to obtain several versions • BIN_OK was archived successfully and updated several times to obtain several ve
form identification and authentication. Appropriate Evidence Records will be received.
Step 2: Change the old hash algorithm against a new one.
  Expected Results: The change of hash algorithm is possible.
Step 3: Initiate the re-hash (hash tree renewal) process.
  Expected Results: The initiation of the re-hash process is possible.
Step 4: Check the log for information about the re-hash process.
  Expected Results: No error messages or error codes for the re-hashing are in the log.
Step 5: Start the re-sign (time stamp renewal) process based on interfaces provided by the ArchiSig module.
  Expected Results: The initiation of the re-sign process is possible. No error is indicated.
Step 6: Check the log for information about the re-sign process.
  Expected Results: No error messages or error codes for the re-signing are in the log.
Step 7: Use the interface function Archive Evidence Request with the known AOIDs.
  Expected Results: Appropriate Evidence Records will be received.
Step 8: Compare the new Evidence Records with the old Evidence Records of the XAIPs or BINs from step 1.
  Expected Results: The new and the old Evidence Records are not equal. The new Evidence Records are based on the new hash and signature algorithms.
Step 9: Use the interface function Archive Retrieval Request with the known AOIDs.
  Expected Results: The XAIPs are retrieved from the storage.
Step 10: Check the credential section of the XAIPs.
  Expected Results: The respective old Evidence Records with the old hash value are included in the credential section.
formity Test Specification
XAIP_OK_Sig_Q / BIN_OK_Sig_Q (see pre-test conditions) to the TOT using the interface function
Configuration: CONFIG_Common
Pre-test conditions:
- An XAIP_OK_Sig_Q / BIN_OK_Sig_Q is present. XAIP_OK_Sig_Q / BIN_OK_Sig_Q is a XAIP_OK_Sig / BIN_OK_Sig with qualified electronic signature.
- An XAIP_OK_Sig_A / BIN_OK_Sig_A is present. XAIP_OK_Sig_A / BIN_OK_Sig_A is a XAIP_OK_Sig / BIN_OK_Sig with advanced electronic signature.
- Developer documents are present.
- If the Cryptographic Module isn't a certified signature product (e.g. according to BSI TR-03112), a suitable test bed should be used to verify the correctness of the implementation of the signature-related functionality.
Step 1: Transfer the archival information package XAIP_OK_Sig_A / BIN_OK_Sig_A (see pre-test conditions) to the TOT using the interface function VerifyRequest.
  Expected Results: The call of the function with this XAIP/BIN as parameter is possible.
Step 2: Observe the output of the interface function VerifyResponse.
  Expected Results: A positive feedback will be received, no error message or error code. A VerificationReport is included in VerifyResponse.
Step 3: Examine the VerificationReport if the validity verification would be done by the Cryptographic Module.
  Expected Results: The validity verification shall be correct and complete, i.e. it includes the entire certificate chain back to a trustworthy root ce
Step 5 (continued): Archive Time Stamps (ATS), e.g. by using a Crypto Module.
  Expected Results: g is able to calculate ATS by using a Crypto Module.
Step 6: Check whether ArchiSig passes the archive objects to the storage system.
  Expected Results: Yes, ArchiSig passes all objects to the storage after hashing.
Step 7: Check whether ArchiSig renews the Archive Time Stamps.
  Expected Results: Yes, ArchiSig is able to calculate and renew ATS by using a Crypto Module.
Step 8: Check whether ArchiSig is able to renew the hash trees. For this purpose ArchiSig must be able to read the archive objects from the storage.
  Expected Results: Yes, ArchiSig is able to renew hash trees. For this purpose it reads the archive objects from the storage.
Step 9: Check whether ArchiSig is able to generate an ERS record conforming to RFC 4998 or RFC 6283 for a specific archive object.
  Expected Results: Yes, ArchiSig is able to generate an ERS record conforming to RFC 4998 or RFC 6283 for every archive object.
Verdict:

5.4.4 M.3-04 Creation of initial archive time stamps
Requirement: M3 A4 5 4
Test Purpose: The test should verify that the creation of the Initial Archive Time Stamp is automated and takes place according to configurable rules reliably stored in the ArchiSig Module.
configurable rules for the c
gain Conformity Level 2 it also has to pass all the tests for Conformity Level 1.
- Column "Testable": This column is checked if the requirement is testable. Testable here includes the check of documentation or other evidence, manual tests of the product as well as automated tests. Non-testable requirements typically focus on out-of-scope components like the upstream application or on organizational procedures of the end-user organization. If a requirement is marked as non-testable, no test cases are specified for this requirement.
- Column "Test Cases": In this column the IDs of all the test cases are listed which must be performed to check whether the requirement is completely covered by the product/system.
- Column "Comments": This column is used for comments like references to other requirements or justifications for the ratings in the other columns.
A later version of these C.x documents will also contain the test specifications for the conformity to the Bundesbehördenprofil (Annex TR-ESOR-B). The table will be extended then.
Note: This is important when a product has already passed Conformity Level 1 and applies for Conformity Level 2 at a later point in time. For this case it must be made clear that these requirements also need to be tested again.

4 Test Approach
The following test specificati
gative feedback is received. An error message or error code occurs. The XAIP/BIN is not deleted.
Step 8: Using the interface function Archive Deletion Request and the AOID to request the deletion of the XAIP_OK_Sig or BIN_OK_Sig. Provide a reason for deletion.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 9: Observe the output of the interface function Archive Deletion Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. The XAIP/BIN is deleted.
Verdict:

5.5.4.5.2 S.4.5-02 Deletion shall be performed for complete XAIP/BIN
Requirement: MD AS 1 27
Test Purpose: The test shall verify that a deletion is always performed for the complete XAIP/BIN, including all versions of data objects.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the middleware.
- If required, perform identification and authentication.
Step 1: Store an XAIP_OK or BIN_OK using the interface function Archive Submission Request.
  Expected Results: The call of the function with this XAIP/BIN as a parameter is possible.
Step 2: Observe the output of the interface function Archive Submission Response.
  Expected Results: A positive feedback is received. No error message or err
gether with the possible respective version IDs from step 11 to request some XAIPs.
Step 13: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. The correct versions of all the requested XAIPs are received.
Step 14: Use the Archive Update Request function with an AOID which does not exist.
  Expected Results: The function call is possible.
Step 15: Check the output of the Archive Update Response function.
  Expected Results: A negative feedback will be received. An error message or error code occurs.
Step 16: Use the Archive Evidence Request function with the AOID from step 2 to check the XAIPs'/BINs' authenticity and integrity.
  Expected Results: The function call is possible.
Step 17: Check the output of the Archive Evidence Response function.
  Expected Results: An Evidence Record is received.
Step 18: Use the Archive Evidence Request function with an AOID which does not exist.
  Expected Results: The function call is possible.
Step 19: Check the output of the Archive Evidence Response function.
  Expected Results: A negative feedback will be received. An error message or error code occurs.
Step 20: Use the Archive Data Request function with the AOID from step 2 and the dataLocation parameter to identify an individual data element within the XAIP/BIN.
  Expected Results: The function call is possible.
Step 21: Check the output of the Archive Data Response functio
gnature and data format checks are also performed on update
Requirement: MD A5 1 12, M1 A4 2 4, M1 A4 2 7
Test Purpose: The test shall verify that the same data format and signature checks that are performed for the archival of documents and XAIPs are also performed when already archived XAIPs are changed.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has write permissions on the middleware.
- If required, perform identification and authentication.
Step 1: Perform test case S.4.1-07, but with Archive Update Request instead of Archive Submission Request.
  Expected Results: For updates, the XML schema validation will also be performed.
Step 2: Perform test case S.4.1-05, but with Archive Update Request instead of Archive Submission Request. Add a signed data object to an already archived XAIP. If the TOT supports Archive Submission Requests with BINs only, skip this step.
  Expected Results: The added signatures of signed data objects will also be validated.
Verdict:

5.5.4.2.7 S.4.2-07 All updates shall be traceable and keep the previous version untouched
Requirement: MD AS 1 13, M1 A4 2 7
Test Purpose: The test shall verify whether all changes are traceable and that changes to archived XAIPs/BINs are only applied to the new ver
versions untouched
h the external interfaces of all archive system components.
  Expected Results: WSDL
Step 2: Check the middleware documentation for the use of SOAP Document Literal Encoding.
  Expected Results: SOAP Document Literal Encoding is used.
Verdict:

5.5.4.2 Archive Update Request
Pre-supposition: A product which claims to comply with the update functionality according to M.1-04 and S.4.2-01 (Archive Update Request) of this TR has to pass the following test case or prove that it supports functionally analogous functions.

5.5.4.2.1 S.4.2-01 Archive Update Request is possible and ArchiSig immediately secures the new object
Requirement: MD A5 1 3, MD A5 1 4, MD A6 3 1, MI1 A4 1 4, M1 A4 1 7, M1 A4 2 8, MI1 AS 0 2, M3 A3 1 3, M3 A3 2 4, M3 A4 2 2, M3 A4 2 3, M3 A4 6 1
Test Purpose: The test shall verify that an XAIP with a correct XML structure or a BIN archive object is correctly stored in the ECM long-term storage. The test shall check that an XAIP/BIN will be sent to the ArchiSig module before it is stored in the ECM long-term storage (Archive Submission & Archive Update). The test shall check if, for each XAIP/BIN stored in the ECM long-term storage, a unique AOID will be generated and returned.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, establish a session with the TOT in order to perform the following tests.
he Cryptographic Module complies with the current version of the algorithm catalogue.
  Expected Results: complies with the current version of the algorithm catalogue.
Step 2: Check the developer documents whether the requirements from Chapter 4.2 of annex TR-ESOR-M.2 are implemented for generating hash values necessary for signatures.
  Expected Results: The requirements from Chapter 4.2 are implemented.
Verdict:

5.3.9 M.2-09 Crypto Module supports canonicalisation for the verification of XML signatures
Requirement: M2 A4 4 2, M2 A4 4 4
Test Purpose: Support of canonicalisation procedures for the verification of XML signatures. Note: if the TOT doesn't support XML signatures, the test case can be passed as fulfilled.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present.
- Security architecture design is present.
Step 1: Check the user manual and security architecture design whether the support of canonicalisation procedures, at least for the verification of signatures of XML contents by the Cryptographic Module, is given.
  Expected Results: The support of canonicalisation procedures for the verification of signatures of XML contents by the Cryptographic Module is present. The canonicalisation procedure C14N (Canonical XML) is supported at a minimum.
Step 2: Check the developer documents for
he interface function Archive Retrieval Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. An XAIP is received.
Step 12: Check whether the data element is included and whether this data element is identical to the data element used in step 3.
  Expected Results: The data element is included and is identical to the data element used in step 3.
Verdict:

5.5.4.2.10 S.4.2-10 All updates are logged
Identifier: S.4.2-10
Requirement: MD AS5 1 16
Test Purpose: The test shall verify that all changes are logged to a log file.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read permissions on the file system.
- Test case S.4.2-03 has been performed.
- If required, perform identification and authentication.
Step 1: Check the vendor documentation how and where the middleware records the updates.
  Expected Results: A log file exists, the updates are recorded directly within the XAIPs, or there is any other type of records, especially for the BINs.
Step 2: Check the log records for update events triggered in test case S.4.2-09.
  Expected Results: All the updates have been logged, incl. the time when the updates were performed, the changed data and the user name of the person/account who updated the data.
Verdict:
hiSafe
Pre-test conditions:
- The IT system documentation is available.
- If required, perform identification and authentication.
- Administration access to the IT systems is needed.
Step 1: Check whether a secure communication channel between upstream application and TOT is configured and activated.
  Expected Results: A secure communication channel is set up and active.
Step 2: Start logging the data traffic between the external IT application and the middleware.
  Expected Results: The data logging process has been started.
Step 3: Store an XAIP_OK_Sig or BIN_OK_Sig from the external IT application via the middleware to the ECM.
  Expected Results: The function call is possible.
Step 4: Close the connection of the two components. Stop logging the data traffic.
  Expected Results: The complete data exchange between the components has been intercepted and logged.
Step 5: Check the data traffic log file for unprotected document data.
  Expected Results: No document data can be accessed.
Verdict:

5.5.4.1.5 S.4.1-05 Archive Submission includes signature verification and storage of results
Requirement: M1 A4 1 2, M1 A4 1 3
Test Purpose: The test shall verify that the ArchiSafe module is able to initiate the verification of electronic signatures of the XAIPs or BINs before they are stored, and that an error message is received in the case of a fail
archive object
iSig Module itself has not implemented cryptographic functions for the protection of the authenticity or verification of the integrity and authenticity, with the exception of the canonicalisation functions and the functions for generation of Merkle hash trees.
Configuration: CONFIG_Common
Pre-test conditions:
- Disconnect the Crypto Module from the ArchiSig Module.
- User manual is present.
- User has administrator rights on the system.
- If required, perform identification and authentication.
Step 1: Check whether ArchiSig could be configured in such a way that no Crypto Module needs to be used.
  Expected Results: The TOT may or may not have such a configuration option. If it does not, this test case is finished and considered to be passed. If it does, the security guidance of the vendor clearly states that this configuration is not recommended.
Step 2: Call the Archive Submission Request function of ArchiSafe using XAIP_OK or BIN_OK_Sig as parameter. If required, perform identification and authentication.
  Expected Results: The call of the function with this XAIP/BIN as parameter is possible.
Step 3: Observe the output of the interface function Archive Submission Response.
  Expected Results: A negative feedback will be received; an error message or error code should show that the signature cannot be verified because a hash value for the XAIP/BIN couldn't be calculated.
Verdict:
ient application B. Using the interface function Archive Update Request and the AOID A1 with any update data to update the XAIP or BIN.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 4: Observe the output of the interface function Archive Update Response.
  Expected Results: A negative feedback is received. An error message or error code occurs because access is denied. The XAIP/BIN is not updated.
Step 5: By using client application B: Using the interface function Archive Retrieval Request and the AOID A1 to request the XAIP/BIN.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 6: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: A negative feedback is received. An error message or error code occurs because access is denied. No XAIP is received.
Step 7: By using client application B: Using the interface function Archive Deletion Request and the AOID A1 to delete the XAIP or BIN.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 8: Observe the output of the interface function Archive Deletion Response.
  Expected Results: A negative feedback is received. An error message or error code occurs because access is denied. The XAIP/BIN is not deleted.
Step 9: By using client application A: Using the interface function Archive Retrie
ification Archive Retrieval Request with the AOID from step 2 with the very first version ID (e.g. 0 or 1).
Step 10: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: The original, unchanged version of the XAIP/BIN, embedded in an XAIP, is successfully retrieved.
Step 11: Retrieve the originally stored version by issuing an Archive Retrieval Request with the AOID from step 2 without a version ID.
  Expected Results: The call of the function is possible.
Step 12: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: The most current, changed version of the XAIP/BIN, embedded in an XAIP, is successfully retrieved.
Verdict:

5.5.4.2.5 S.4.2-05 Only authorised entities can change data
Requirement: MD A5 1 11
Test Purpose: The test shall verify that changes to documents and data, including the associated metadata, are not possible for unauthorised users or applications.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has no read/write permissions on the middleware.
- Do not perform any authentication against ArchiSafe.
Step 1: Submit a XAIP_OK or BIN_OK to the middleware using an account A from a client A (if TOT is multi-client capabl
  Expected Results: The XAIP/BIN was archived. An AOID was returned.
Step 2 (continued): information about how the canonicalisation procedure was implemented.
  Expected Results: The implementation of the canonicalisation procedure supports C14N (Canonical XML) at a minimum. EC14N (Exclusive XML Canonicalization) should also be supported.
Step 3: Generate a signed XML, e.g. a signed XAIP or BIN. It is not necessary to produce the signature with this Crypto Module.
Step 4: Verify the signature of the XAIP/BIN.
  Expected Results: The verification result should show a positive result (Signature is valid).
Step 5: Modify the signed XAIP/BIN in such a way that it is not canonicalised, e.g. by entering empty lines and spaces between the XML tags. Do not modify or remove the signature.
Step 6: Verify the signature of the XAIP/BIN.
  Expected Results: The verification result should show a positive result (Signature is valid).
Verdict:

5.3.10 M.2-10 Canonicalisation procedures do not change the content data
Requirement: M2 A4 4 3
Test Purpose: The implemented canonicalisation procedures shall not change the content data. Note: if the TOT doesn't support Archive Submission Requests with XML data as parameters, the test case can be passed as fulfilled.
XML data to the Cryptographic Module
Configuratio
ing XAIP_OK_Sig or BIN_OK_Sig and measure the assured performance to execute the request, i.e. measure the time until the Archive Retrieval Request is answered by an Archive Retrieval Response. Please take care to measure just the TOT performance, not other modules/systems.
  Expected Results: The measure confirms the assured performance.
Step 7: Repeat steps 5 and 6 with the AOIDs retrieved in step 4.
  Expected Results: The measure confirms the assured performance.
Verdict:

5.5.5 Interface S.5
The TR-ESOR S.5 interface enables accesses from the ArchiSafe module to the ECM long-term storage without technical dependence on the cryptographically secured Evidence Records. This is an interface of a component that is not part of the TR-ESOR middleware. Therefore no conformity tests can be specified here.

5.5.6 Interface S.6
The archiving of new archival information packages is possible with the TR-ESOR S.6 interface described here, which can be used to include the ArchiSig Module directly in the archiving procedure. This is a direct way to generate the securing hash values. Thus it is impossible to circumvent this security function.
Pre-supposition: A product which claims to functionally comply with the Interface S.6 specification of this TR has to pass
- all test cases in this section, or prove that it supports functionally analogous interfaces.
interface function Archive Retrieval Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. An XAIP is received.
Step 12: Check the retrieved XAIPs and especially the content data.
  Expected Results: All data objects can successfully be retrieved from the archive system, encapsulated in valid XAIPs as defined in the middleware documentation. The actual content data is not modified and can be used as usual.
Verdict:

5.5.4.4.2 S.4.4-02 Middleware returns a correct Evidence Record for each requested AOID
Requirement: M1 A4 5 1, M1 A4 5 2, M1 A4 5 3
Test Purpose: The test shall verify that, when requesting an Evidence Record for a valid AOID, the Evidence Record is correct, i.e. conforms with ERS as specified in RFC 4998 or RFC 6283, and contains one or more reduced Archive Time Stamps in ERS assigned to the AOID.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the middleware.
- If required, perform identification and authentication.
- Test case M.3-06 has already been successfully checked.
Step 1: Using the interface function Archive Evidence Request with several valid AOIDs as parameter in one function call.
  Expected Results: The call of the function with a list of AOIDs as a parameter is possible.
Step 2: Observe the output of the
5.3.23 M.2-23 Crypto Module supports RFC 3161 and suitable algorithms
Requirement: M2 A5 3 3, M3 A4 7 4
Test Purpose: The Cryptographic Module shall check whether a requested time stamp fulfils the requirements and specifications of the time stamp protocol pursuant to RFC 3161, RFC 3852 and ETSI TSP, and whether the limitations for algorithms and parameters assessed as suitable for security by the Federal Office for Information Security (BSI) and the Federal Network Agency are implemented.
Configuration: CONFIG_Common
Pre-test conditions:
- Install a Time Stamp Service which accepts requests compliant with TSP (RFC 3161).
- Configure the Crypto Module to use this Time Stamp Service.
- Supply the list of algorithms and parameters assessed as suitable for security by the Federal Office for Information Security (BSI) and the Federal Network Agency.
Step 1: Configure the Crypto Module according to the guidance, especially the protocol used to access the Time Stamp Service. Check also whether there are guidance hints regarding the configuration of algorithms and other cryptographic parameters.
  Expected Results: It is expected that there are at least some hints regarding the configuration of algorithms according to the recommendations of the BNetzA.
Step 2: Request the time stamp using the interface function
ion Service Provider which offers CRL.
Step 2: Configure the Cryptographic Module for using CRL.
  Expected Results: Configuration of the Cryptographic Module was successful.
Step 3: Block the network connection to the repository which hosts the CRL.
  Expected Results: The network connection to the CRL is blocked.
Step 4: Transfer the signed XAIP_OK/BIN_OK to the TOT using the interface function VerifyRequest.
  Expected Results: The call of the function with this XAIP/BIN as parameter is possible.
Step 5: Observe the output of the interface function VerifyResponse.
  Expected Results: A negative feedback will be received, an error message or error code. The certificate was classified as invalid.
Verdict:

5.5.1.2 Sign Request
The test cases M.2-07 (sec. 5.3.7 M.2-07 Support of Hash functions), M.2-08 (sec. 5.3.8 M.2-08 Crypto Module uses recommended algorithms for generating signatures), M.2-09 (sec. 5.3.9 M.2-09 Crypto Module supports canonicalisation for the verification of XML signatures), M.2-10 (sec. 5.3.10 M.2-10 Canonicalisation procedures do not change the content data), M.2-11 (sec. 5.3.11 M.2-11 XML Signatures follow the recommendations of RFC 3275) and M.2-12 (sec. 5.3.12 M.2-12 Reliable verification of electronic signatures) are also relevant here.

5.5.2 Interface S.2
The main purpose of the TR-ESOR S.2 interface between the ArchiSig Module and the ECM long-term storage is to make the necessary rea
ionally the respective AOID.
  Expected Results: The original XAIPs do not contain this AOID.
Step 7: Between performance of step 1 and step 7 there must be less time than ArchiSig is configured to wait before performing automated signature renewal, because it should be checked whether newly submitted archive objects run through the ArchiSig module and initial archive time stamps are generated immediately. Request the ERS record for the XAIP/BIN stored in step 1 using the AOID from step 2 as a parameter.
  Expected Results: The ERS record can be received even if the archive object was submitted just very shortly before this test step.
Step 8: Check whether the hash value in the ERS for the XAIP/BIN refers to the XAIP with the AOID included. In case of doubt, recalculate the hash value for the XAIP/BIN with the AOID (see M.3 sec. 2.4.1 for details) and compare that with the hash value listed in the ERS record.
  Expected Results: The hash value listed in the ERS record refers to the XAIP/BIN with the AOID included. The hash value for this XAIP/BIN is correctly mentioned in the ERS record.
Step 9: Repeat the steps 1-8 immediately in order to be sure that ArchiSig did not perform an Archive Time Stamp renewal between step 1 and 7.
  Expected Results: Same results as expected above.
Step 10: Repeat the steps 1-9, but instead of submit use the
  Expected Results: Update is successful, a version ID will be issued and returned. The log records show the XML schema check for storing an XAIP/BIN.
with an AOID that contains wild card characters like ... or ...
  Expected Results: ith a clear and understandable error message or an error code.
Verdict:

5.5.4.8 S.4.8-01 Performance Requirements
Identifier: S.4.8-01
Requirement: There is actually no requirement in the TR, but the TOT shall ensure a suitable performance while executing Archive Requests.
Test Purpose: The test shall verify that the TOT is able to ensure a suitable performance while executing Archive Requests.
Note: Requests means, for example, how long the processing of a request with an archive object of the size x takes.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The middleware documentation/user manual is available.
- The documentation/user manual for the ECM long-term storage is available.
Step 1: Check the documentation of the TOT and optionally of the ECM long-term storage if there are any assertions and related conditions or constraints regarding the performance of the TOT while executing Archive Requests.
  Expected Results: The documentation of ArchiSafe and optionally of the ECM long-term storage contain some assertions and related conditions or constraints regarding the performance of the TOT while executing Archive Requests.
Step 2: Store an XAIP_OK or BIN_OK using the interface function
  Expected Results: The measure confirms the assured performance.
ived Deletion Response
Verdict:

5.5.4.5.6 S.4.5-06 Deletion should be possible in an irreversible manner
Identifier: S.4.5-06
Requirement: M1 A4 4 5
Test Purpose: The test shall verify that the ArchiSafe module is able to initiate a permanent deletion of XAIPs/BINs in the ECM long-term storage.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has administration permissions on the file system.
- The middleware user manual is available.
- The user manual for the ECM long-term storage is available.
- The ECM long-term storage supports permanent deletion.
- Check the ArchiSafe documentation how the permanent deletion in the storage can be configured/initiated.
- Configure ArchiSafe and the storage in such a way that the permanent deletion will be used.
Step 1: Store an XAIP_OK or BIN_OK using the interface function Archive Submission Request.
  Expected Results: The call of the function with this XAIP/BIN as a parameter is possible.
Step 2: Observe the output of the interface function Archive Submission Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. An AOID is assigned.
Step 3: Using the interface function Archive Deletion Request and the AOID from step 2 to request the deletion of the XAIP_OK/BIN_OK.
  Expected Results: The call of the fu
Retrieval Response.
  Expected Results: ived. No error message or error code occurs. An XAIP is received.
Step 6: Use the interface function Archive Retrieval Request and several AOIDs from step 2 to request some XAIPs.
  Expected Results: The call of the function with these AOIDs as a parameter is possible.
Step 7: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. All the requested XAIPs are received.
Step 8: Use the interface function Archive Retrieval Request and an AOID which does not exist to request an XAIP.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 9: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: A negative feedback will be received. An error message or error code occurs. No XAIP is received.
Step 10: Use the Archive Update Request function with the AOIDs from step 2 to change the data contained within all the XAIPs or BINs.
  Expected Results: The function call is possible.
Step 11: Check the output of the Archive Update Response function.
  Expected Results: A new version ID per XAIP/BIN is received.
Step 12: Use the interface function Archive Retrieval Request and several AOIDs from step 2 to
  Expected Results: The call of the function with these AOIDs as a parameter is
Update Response.
  Expected Results: ived. No error message or error code occurs. A new Version ID is assigned.
Step 22: Request the XAIP with the AOID from step 2 and the interface function Archive Retrieval Request.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 23: Observe the output of the interface function Archive Retrieval Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. An XAIP is received.
Step 24: Request Evidence Records using the AOID from step 2 and the interface function Archive Evidence Request.
  Expected Results: The call of the function with this AOID as a parameter is possible.
Step 25: Observe the output of the interface function Archive Evidence Response.
  Expected Results: A positive feedback is received. No error message or error code occurs. An Evidence Record is received.
Step 26: Calculate manually the evidence data for the updated XAIP/BIN. For this purpose use the time stamp information provided in the ERS retrieved in the previous step.
  Expected Results: The evidence data has been calculated.
Step 27: Compare the manually calculated evidence data with the evidence data of the requested Evidence Record.
  Expected Results: The evidence data is equal, but differs from the evidence data retrieved in step 18.
Verdict:

5.5.4
...l detail specifications of interfaces and data formats used:

- Conformity Level 1: Functional Conformity
- Conformity Level 2: Technical Conformity
- Conformity Level 3: Recommendations for Federal Agencies

The three levels are built on top of each other. This means, e.g., that in order to demonstrate conformity to level 2, all conformance criteria for level 1 have to be passed in addition to the conformance criteria for level 2.

This document specifies the functional conformity criteria tests derived from the requirements specified in the documents of the Technical Guideline. In order to become certified according to a conformity level, a product or system must pass all conformity criteria tests for this conformity level and for all lower conformity levels. If one or more tests are not successful, the conformity cannot be certified.

In the following chapter the test criteria will be derived from the requirements defined in the TR. Furthermore, the requirements, and therefore also the test criteria, are assigned to a conformity level. Based on these assignments, the subsequent chapters define the test cases for the conformity levels in detail. Test cases with red-marked headlines MUST be passed for fulfilling the conformity criteria.

The test case specifications are written in such a way that this document, or the respective parts of it, could be used as a template for the documentation of the final results of actual testing.
...message or error code occurs. The XAIP/BIN is deleted.

Step 9: Check the log file for the deletion procedure.
    Expected: The log file contains all the data about the deletion of this XAIP/BIN, including the reason for deletion.

Verdict:

5.5.4.5.4 4.5-04 Deletion of an archive object shall be logged

Requirement: MD A5.1-5, MD A5.1-29
Test Purpose: The test shall verify that every deletion is logged.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the middleware
- If required, perform identification and authentication

Step 1: Check for the existence of a log file or any other type of records that is used by the middleware to log deletions.
    Expected: There is such an event log.
Step 2: Store an XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request.
    Expected: The call of the function with this XAIP/BIN as a parameter is possible.
Step 3: Observe the output of the interface function Archive Submission Response.
    Expected: A positive feedback is received. No error message or error code occurs. An AOID is assigned.
Step 4: Using the interface function Archive Deletion Request and the AOID from step 3
    Expected: The call of the function with this AOID as a parameter is possible.
...middleware interface still requires a TLS tunnel.

Step 4: Try to store a XAIP_OK_Sig or BIN_OK_Sig and then
    Expected: No data is transmitted, because no encryption tunnel is active.

Verdict:

5.1.3.2 A.03-2 Mutual authenticated TLS between XML module and ArchiSafe Module or an equivalent middleware interface

Identifier: A.03-2
Requirement: AF A6.2-2
Test Purpose: The test shall verify that, when using a TLS tunnel without certificate-based authentication, a transmission between the ArchiSafe module and the XML module is not possible.
Configuration: CONFIG_ArchiSafe (includes TLS enforcement by ArchiSafe if an ArchiSafe Module is present)
Pre-test conditions:
- The IT system documentation is available
- If required, perform identification and authentication
- Administration access to the IT systems is needed

Step 1: Verify that the client application also uses a TLS tunnel for the communication with the S.4 interface of ArchiSafe.
    Expected: The client application is configured in such a way that a TLS tunnel with certificate-based mutual authentication will be used.
Step 2: Establish a TLS tunnel without using a certificate on the client application side.
    Expected: A TLS tunnel cannot be established.
Step 3: Establish a TLS tunnel without using a valid certificate
...n. The requested data value and the original locationValue are received.

Step 22: Use the Archive Data Request function with an AOID which does not exist.
    Expected: The function call is possible.
Step 23: Check the output of the Archive Data Response function.
    Expected: A negative feedback will be received. An error message or error code occurs.
Step 24: Use the Archive Deletion Request function with an AOID which does not exist.
    Expected: The function call is possible.
Step 25: Check the output of the Archive Deletion Response function.
    Expected: A negative feedback will be received. An error message or error code occurs.
Step 26: Use the Archive Deletion Request function with the AOID from step 2 to delete the XAIP/BIN.
    Expected: The function call is possible.
Step 27: Check the output of the Archive Deletion Response function.
    Expected: The XAIP/BIN has been deleted from the storage.
Step 28: Stop the data traffic capture tool.
    Expected: Data traffic capturing is stopped.
Step 29: Check the captured data.
    Expected: The captured data is encrypted or otherwise protected. No references to the previous access procedures can be found.

Verdict:

5.5.4.3.2 4.3-02 Archive Retrieval returns XAIP

Requirement: MD A6.3-2, M.1 A4.3-3
Test Purpose: The test shall verify that requested data is always returned in an XAIP-based
...n CONFIG_Common
Pre-test conditions:
- XML data with empty tags, additional white spaces, wrong order of XML tags and signature is present (e.g. from test case M.2-09)

Step 1: Using the interface function VerifyRequest, send data with original XML data.
    Expected: The sending of the XML data is possible.
Step 2: Observe the output of the interface function VerifyResponse.
    Expected: A positive feedback will be received, no error message or error code.
Step 3: Check the field responseData.
    Expected: The field responseData contains
    - no XML data but only the results of the verification, OR
    - XML data and the results of the verification.
Step 4: If XML data are returned, compare the received XML
    Expected: The contents of both XML files are equal (unmodified), or the XML data is modified (assumed canonicalised).
Step 5: Check the result of canonicalisation: whether the unmodified and the modified XML data are equal related to the content and mappable for the XML syntax and XSD used.
    Expected: The canonicalisation is correct.

Verdict:

5.3.11 M.2-11 XML Signatures follow the recommendations of RFC3275

Requirement: M.2 A5.1-3, M.2 A5.3-8
Test Purpose: Electronic signatures of XML data will be generated in the following format and follow the basic recommendations in Common PKI Part 8 (XML Signature Standar
...n CONFIG_Common
Pre-test conditions:
- Source and target module are not mutually authenticated

Step 1: Check the user manual for information about interfaces.
    Expected: The list of interfaces and authentication possibilities is stated.
Step 2: Send requests to the target module (the TOT) without any identification or authentication at all.
    Expected: One of the following results is expected: a response is given that the request couldn't be executed.
Step 3: Send requests to the target module (the TOT) after the valid authentication of the source module only.
    Expected: One of the following results is expected: a response is given that the request couldn't be executed.
Step 4: Send requests to the target module (the TOT) after the valid authentication of source and target module.
    Expected: A valid response is sent back by the target module.
Step 5: After step 4, send another request to the target module (the TOT) without mutual authentication.
    Expected: If there is no secured tunnel established: a response is given that the request couldn't be executed. If there is a secured tunnel established: a valid response is sent back by the target module.
Step 6: Replace the source module by a fake. Do not take over the authentication credentials of the source module.
    Expected: n/a
Step 7: Try to establish a connection betwee
5.4.20 M.3-20 ArchiSig Module should be able to maintain parallel hash trees

Identifier: M.3-20
Requirement: M.3 A5.2-2
Test Purpose: Check whether the ArchiSig Module returns several reduced Evidence Records when parallel hash trees are managed.
Configuration: CONFIG_Common
Pre-test conditions:
- Configure ArchiSig in such a way that at least two parallel hash trees are managed
- Archive (submit) several archive objects to build up the trees
- Ensure that at least one initial Archive Time Stamp is created to build up the trees

Step 1: Request the ERS of archive objects submitted to the archive.
    Expected: The ERS for these archive objects can be retrieved.
Step 2: Check the ERS whether there are reduced Archive Time Stamps for every managed hash tree included.
    Expected: For every managed hash tree a separate Evidence Record proves the integrity of the archive object.

Verdict:

5.4.21 M.3-21 Re-signing procedure is efficient and produces Evidence Records

Requirement: MD A5.1-8
Test Purpose: The test shall verify that the solution for re-signing is efficient and compatible with the Evidence Record Syntax.
Configuration: CONFIG_Common
Pre-test co
...n and the AOID from step 2.

Step 4: Compare the data objects of the retrieved XAIP with the data objects of the XAIP/BIN that has originally been stored in step 1.
    Expected: The data objects are identical.
Step 5: Check the vendor documentation whether ArchiSafe resp. the TOT provides any function to modify the actual data content, or whether a conversion of the data content is required.
    Expected: No such function or requirement exists.

Verdict:

5.5.4.1.7 S.4.1-07 Archive Submission of invalid XML data is not possible

Identifier: S.4.1-07
Requirement: MD A5.1-4, M.1 A4.1-1, M.1 A4.2-3
Test Purpose: The test shall verify that it is not possible to store an archival information package with a wrong XML syntax.
Configuration: CONFIG_ArchiSafe (includes XSD schema verification enabled)
Pre-test conditions:
- If required, establish a session with the TOT in order to perform the following tests
- If required, perform identification and authentication

Step 1: Transfer the archival information package XAIP_NOK to the TOT using the interface function Archive Submission Request.
    Expected: The call of the function with this XAIP as a parameter is possible.
Step 2: Observe the output of the interface function Archive
    Expected: A clear and understandable
...n source and target component (the TOT) without authentication.
    Expected: A response is given that the request couldn't be executed.
Step 8: Try to establish a connection between source and target component (the TOT) with authentication. Try to also fake the authentication credentials of the faked source module.
    Expected: A response is given that the request couldn't be executed.
Step 9: Verify that the authentication credentials of the TOT are not just username/password or other similar simple data.
    Expected: Authentication credentials of the TOT are based on cryptography, e.g. certificates, Kerberos tokens.
Step 10: Start logging the data traffic between the TOT and another component.
    Expected: The data logging process has been started.
Step 11: Establish a valid and mutually authenticated connection between the two components and place a request from source to target module (TOT).
    Expected: A valid connection is established and a valid answer from the TOT is received.
Step 12: Close the connection of the two components.
    Expected: The complete data exchange between the components has been intercepted and logged.
Step 13: Replay the intercepted data in order to establish a valid authenticated connection between the attacker and the TOT.
    Expected: No connection is established.

Verdict:

5.1.3.1 A.03-1 Mutual authenticated TLS between client application and ArchiSafe Module or an equivalent middleware inte
...nction with this AOID as a parameter is possible.

Step 4: Observe the output of the interface function Archive Deletion Response.
    Expected: A positive feedback is received. No error message or error code occurs. The XAIP/BIN is deleted.
Step 5: Use all available administration functions of ArchiSafe and the storage for attempting to recover the XAIP.
    Expected: The deleted XAIPs/BINs cannot be recovered.

Verdict:

5.5.4.6 Archive Data Request

5.5.4.6.1 4.6-01 Archive Data shall require valid AOID and dataLocation

Requirement: M.1 A4.6-1, M.1 A4.6-2, M.1 A4.6-3
Test Purpose: The test shall verify that the Archive Data Request will retrieve and return a data element from an XAIP/BIN if the request is performed with a list of valid AOIDs and a valid dataLocation parameter. The test shall verify that data elements that are retrieved with an Archive Data Request are returned as they have been stored originally, without being changed. The test shall verify that an Archive Data Request with an invalid AOID returns an understandable error code or error message.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication

Step 1: Store several XAIP_OKs or BIN_OKs using the
    Expected: The call of the func
...and the AOID from step 2, add an additional XAIP_OK/BIN_OK.
    Expected: ...nd binary data as parameters is possible.
Step 6: Observe the output of the interface function Archive Update Response.
    Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is assigned.
Step 7: Request the XAIP using the AOID from step 2 and the
    Expected: The call of the function with this AOID as a parameter is possible.
Step 8: Observe the output of the interface function Archive Retrieval Response.
    Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
Step 9: Request Evidence Records using the AOID from step 2 and the interface function Archive Evidence Request.
    Expected: The call of the function with this AOID as a parameter is possible.
Step 10: Observe the output of the interface function Archive Evidence Response.
    Expected: A positive feedback is received. No error message or error code occurs. An Evidence Record is received.
Step 11: Verify the retrieved ERS by using an appropriate tool.
    Expected: The tool shows that the ERS is upright.
Step 12: Using the interface function Archive Update Request and the AOID from step 2 to change the XAIP_OK/BIN
    Expected: The call of the function with this AOID and the XAIP/BIN as parameters is possible.
...nditions:
- User manual and developer documents are present

Step 1: Check the user manual for the re-signing solution.
    Expected: The solution for re-signing is efficient while it preserves the marketability of the protected documents. Especially, the algorithm used has a much better runtime cost model than O(n) [8], when n is the number of documents in the storage.
Step 2: Check the user manual for the re-signing solution.
    Expected: The solution for re-signing is compatible with the Evidence Record Syntax according to RFC4998 or RFC6283.

Verdict:

[8] http://en.wikipedia.org/wiki/Big_O_notation#Use_in_computer_science

5.4.22 M.3-22 Deletion of an archive object shall not impair the conclusiveness of others

Requirement: MD A5.1-28
Test Purpose: The test shall verify that the conclusiveness of the remaining documents in the ECM storage is not affected by the deletion of individual XAIPs or BINs.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the middleware
- If required, perform identification and authentication

Step 1: Store an XAIP_OK_Sig or BIN_OK_Sig using the interface function Archive Submission Request.
    Expected: The call of the function with this XAIP/BIN as a parameter is possible.
...nfiguration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication
- Developer documentation is available which contains information about existing restrictions for the length and admissible characters of an AOID

Step 1: Use the interface function Archive Submission Request with no parameters.
    Expected: The request is answered with a clear and understandable error message or an error code.
Step 2: Use the interface function Archive Submission Request with a binary data object of 0 bytes length.
    Expected: The request is performed correctly. An AOID is returned. The object can be retrieved without errors and modifications.
Step 3: Use the interface function Archive Submission Request with a very large archive object (several gigabytes, at least four).
    Expected: The request is performed correctly. An AOID is returned. The object can be retrieved without errors and modifications.
Step 4: Use the interface function Archive Submission Request with an archive object which contains nested XAIPs (at least 5 levels).
    Expected: The request is performed correctly. An AOID is returned. The object can be retrieved without errors and modifications.
Step 5: Use the interface function Archive Update Request with no parameters.
    Expected: The request is answered with a clear and understandable error message or an error code.
Step 6: Use the interface function Archive Update Request
    Expected: The re
...nimum
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present

Step 1: Check the user manual whether the Cryptographic Module provides a function for the reliable verification of electronic signatures.
    Expected: The Cryptographic Module provides such a function.
Step 2: Check the user manual for information about which signature data formats are supported by the Cryptographic Module.
    Expected: The Cryptographic Module supports the XML Signature Standard (RFC3275) or the Cryptographic Message Syntax (CMS, RFC3852) or both.
Step 3: Use the VerifyRequest function to verify an XML or BIN signature.
    Expected: XML/BIN signatures are supported by that function.
Step 4: Compare the signature verification results of the Cryptographic Module with the results of a common certified tool or product. Alternatively, the TOT is certified according to BSI TR-03112; then this test step is not required.
    Expected: The signature verifications offer identical results, OR the product is certified according to BSI TR-03112.
Step 5: Use the VerifyRequest function to verify a CMS signature.
    Expected: CMS signatures are supported by that function.
Step 6: Compare the signature verification results of the Cryptographic Module with the results of a common certified tool or product. Alternatively, the TOT is certified according to BSI TR-03112; then this test step is not required.
    Expected: The signature verifications offer identical results, OR the product is certified according to BSI TR-03112.

Verdict:
...nitial Archive Time Stamp the hash value ... Module and perform this test case again ... is not possible because ArchiSig itself does not have this functionality.

Verdict:

5.4.15 M.3-15 ArchiSig Module shall verify requested time stamps

Requirement: M.3 A4.5-3, M.3 A4.7-5, M.3 A4.8-2, M.3 A4.8-5
Test Purpose: The ArchiSig Module shall, in case of generating new time stamps, ensure that the time stamp contains all information required for validation of the time stamp, including the qualified electronic signatures contained therein. In case of renewal of the hash trees, the time stamp shall contain all information required for validation of the time stamp, including the qualified electronic signatures contained therein. The concluding Archive Time Stamp of the hash trees to be renewed will be re-verified for integrity and authenticity before these Archive Time Stamps are transferred into a new hash tree or included there. To do so, the signature of this Archive Time Stamp and the associated certificate chain will be re-verified with the help of the functions of the TR-ESOR-M.2 Cryptographic Module. An inclusion of this Archive Time Stamp in the new hash tree only takes place if this verification has had a positive result.
Configuration: CONFIG_Common
Pre-test conditions:
- ECM/long-term storage already contains some objects and AOIDs
...nt

Step 1: Check the user manual for how the validity periods of hash and signature algorithms are stored and managed.
    Expected: The validity periods of hash and signature algorithms should be stored and managed in the form of a policy file.

Verdict:

5.3.17 M.2-17 Protect its own security

Identifier: M.2-17
Requirement: M.2 A6.1-3, M.2 A6.1-4, M.2 A6.2-2
Test Purpose: Check whether the Cryptographic Module includes a function to verify its own integrity as an internal defence against manipulation.
Configuration: CONFIG_Common
Pre-test conditions:
- Design documents
- Developer documents

Step 1: Check the vendor documentation for information whether the Cryptographic Module includes a function to verify its own integrity.
    Expected: The Cryptographic Module includes a function to verify its own integrity.

Verdict:

5.3.18 M.2-18 Recording security functions

Requirement: M.2 A6.2-3
Test Purpose: Check whether the Cryptographic Module has functions to record all security functions in a meaningful and traceable manner.
Configuration: CONFIG_Common
Pre-test conditions:
- Developer documents are present
... 83
5.4.4 M.3-04 Creation of initial archive time stamps ... 85
5.4.5 M.3-05 AOID shall be unique ... 86
5.4.6 M.3-06 ArchiSig Module creates Evidence Records according to RFC4998 or 6283 [5] ... 87
5.4.7 M.3-07 ArchiSig Module should not implement cryptographic functions ... 89
5.4.8 M.3-08 ArchiSig Module should be thread safe ... 90
5.4.9 M.3-09 Instances of ArchiSig Module should be deployable on different machines ... 92
5.4.10 M.3-10 ArchiSig Module uses separate storage for time stamps and AOIDs ... 93
5.4.11 M.3-11 Canonicalisation of XML is performed prior to hashing and noted in XAIP ... 95
5.4.12 M.3-12 Hashing of relevant parts is performed with suitable algorithms ... 96
5.4.13 M.3-13 ArchiSig Module supports time stamp renewal and hash tree renewal ... 97
5.4.14 M.3-14 Time stamp renewal creates initial archive time stamps ... 99
5.4.15 M.3-15 ArchiSig Module shall verify requested time stamps ...
...nterface function Archive Evidence Response.
    Expected: A negative feedback is received. An error message or error code occurs. No Evidence Record is received.

Verdict:

5.5.4.4.3 S.4.4-03 Middleware creates correct Evidence Records for specific XAIP or BIN versions

Requirement: MD A5.1-24, M.1 A4.5-4
Test Purpose: The test shall verify that the middleware is able to create correct electronic Evidence Records for each version of an XAIP or BIN, so that their authenticity and integrity since the time of archiving is ensured even if changes were performed in the meantime.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the Middleware
- If required, perform identification and authentication
- The call of the function Archive Submission Request with a XAIP_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID A1 is assigned.
- The call of the function Archive Update Request with a valid AOID and for adding a BIN_OK as a parameter is possible. A positive feedback is received. No error message or error code occurs. A new Version ID

(Fragment of a later table row spilled into this section: "...Archive Evidence Response with an appropriate tool" / "...occurs. A correct Evidence Record in ERS as specified in RFC 4998 or RFC 6283 is received.")
...om number generators, or according to AIS 31 for physical random number generators.

Verdict:

5.3.7 M.2-07 Support of Hash functions

Requirement: M.2 A4.2-1, M.2 A4.2-2, M.2 A4.2-3, M.2 A5.2-1
Test Purpose: The Cryptographic Module shall have functions to calculate hash values for information packages. In doing so, the requirements for hash procedures shall be fulfilled. Exclusively those hash algorithms and parameters recommended by the Federal Office for Information Security and the Federal Network Agency shall be used to form hash values. However, the Cryptographic Module shall continue to support all hash algorithms previously used by the Cryptographic Module, in order to enable verification of hash values generated in the past.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present
- The list of hash algorithms and parameters recommended by the Federal Office for Information Security and the Federal Network Agency is accessible

Step 1: Check the user manual for the hash algorithms which are used by the Cryptographic Module.
    Expected: The Cryptographic Module shall support at least two hash algorithms which have been assessed by the Federal Office for Information Security and the Federal Network Agency as suitable
    Expected: The updated XAIP will be retrieved. The retrieved XAIP contains the requested changes/updates. The ERS can be retrieved. The hash value identifies the updated XAIP/BIN. Same results in the repetition.

Verdict:

5.5.4.2.2 4.2-02 Archive Update requires existing AOID

Requirement: M.1 A4.2-1
Test Purpose: The test shall verify that the ArchiSafe module can only update an archive data object when a valid and existing AOID is part of the update request.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- If required, perform identification and authentication

Step 1: Try to issue an Archive Update Request with an AOID that does not exist.
    Expected: The function call is possible.
Step 2: Observe the output of the interface function Archive Update Response.
    Expected: An error message or error code is received.

Verdict:

5.5.4.2.3 4.2-03 Archive Update is allowed and results in a new version ID

Identifier: S.4.2-03
Requirement: MD A5.1-10, M.1 A4.2-5, M.1 A4.2-9
Test Purpose: The test shall verify whether it is possible to change documents and data, including the associated meta data
...ons, especially the algorithms and parameters used for operation.
    Expected: ...or the Crypto Module just supports those algorithms and parameters assessed as suitable for security by the Federal Office for Information Security and the Federal Network Agency hard-wired, and the Crypto Module needs to be updated in order to change that.
Step 2: If a configuration file is used, check whether this file complies with DSSC.
    Expected: The DSSC format is used.

Verdict:

5.3.21 M.2-21 Verification of certificates based on a standardized protocol

Requirement: M.2 A5.1-14
Test Purpose: The verification of the validity of the certificate shall occur on the basis of a standardized protocol (see A5.1-14 in M.2).
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present
- Developer documents are present

Step 1: Check the user manual and developer documents for information about which protocols for the verification of the validity of certificates are supported.
    Expected: The list of supported protocols for the verification of the validity of the certificate is given. At least OCSP or SCVP is supported.
Step 2: Check each other supported verification protocol if it is standardiz
    Expected: All other supported protocols for the verification of the validity of
...ons are based on the recommended reference architecture in chapter 7.1 of the main document of this technical guideline. Thus, in the following, differences between expected and observed test results should be carefully interpreted by the testers, respecting the fact that actual implementations of components and/or modules of the middleware may deviate from the recommended reference architecture. This may also result in different characteristics of implemented and provided interfaces. Besides this, testing the conformity to this guideline may refer to a single module only. This may also result in different characteristics and expected results of implemented and provided features and interfaces.

In the following text we use the wording "S.4 Interface" instead of "S.4 Interface or functionally analogous interfaces". It is therefore worth noting that, for testing conformity level 1, the referred interfaces are required in a logical/functional manner only and not with a technically interoperable characteristic.

The TR-ESOR interfaces S.2 and S.5 are actually not part of the TR-ESOR middleware, because they will be provided by the storage system. Therefore no conformity tests will be specified here.

4.1 Structure of the Test Case Specifications

Some test cases are ordered according to the modules M.1 to M.3 and all products. These test cases cannot be assigned to a certain interface of the module, but check general properties of the module
...or a user who has administrator rights on the system.
    Expected: ...code.
Step 3: Check the log files of the ArchiSig Module whether there is information about the renewal of Archive Time Stamps.
    Expected: There is information about the renewal of Archive Time Stamps.
Step 4: Use the function Renewal of Archive Time Stamp with a user who has no administrator rights on the system.
    Expected: A call of the function is not possible, and a clear and understandable error message or error code will be received.
Step 5: Check the log files of the ArchiSig Module whether there is information about the attempt to renew Archive Time Stamps.
    Expected: There is no information that the function was performed successfully, but there shall be information about the failed request.

Verdict:

5.4.18 M.3-18 Hash tree renewal can only be requested through administrative interface

Requirement: M.3 A4.8-1, M.3 A4.8-3, M.3 A4.8-4
Test Purpose: The test shall check whether the function Renewal of Hash Tree calculates new hash values on the basis of the configured hash algorithm for all archival information packages stored in the ECM/long-term storage that have been registered by the TR-ESOR Middleware, as well as for the Archive Time Stamp sequences stored in the data storage of the ArchiSig Module, with the newly configured algorithm, and that the old Archive Time
Configura
...or code occurs. An AOID is assigned.
...and the AOID from step 2 to change the XAIP_OK or BIN_OK (e.g. changing metadata).
Step 3: Using the interface function Archive Update Request and the AOID from step 2, add an additional XAIP_OK/BIN_OK.
    Expected: The call of the function with this binary data and the AOID as parameters is possible.
Step 4: Observe the output of the interface function Archive Update Response.
    Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
Step 5: Using the interface function Archive Update Request
    Expected: The call of the function with this XAIP and the AOID as parameters is possible.
Step 6: Observe the output of the interface function Archive Update Response.
    Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
Step 7: Using the interface function Archive Deletion Request and the AOID from step 2 to delete the XAIP_OK/BIN_OK.
    Expected: The call of the function with this AOID as a parameter is possible.
Step 8: Observe the output of the interface function Archive Deletion Response.
    Expected: A positive feedback is received. No error message or error code occurs. The XAIP is deleted.
Step 9: Try to retrieve an earlier version of the XAIP/BIN by using an
    Expected: The call of the function is possible.
[...] positive feedback is received. No error message or error code occurs. A new Version ID is received.
8. Using the interface function Archive Update Request and the AOID from step 3, update the content of the XAIP/BIN. Expected: The call of the function with this data and the AOID as parameters is possible.
9. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
10. Using the interface function Archive Update Request and the AOID from step 3, update the metadata of the XAIP/BIN. Expected: The call of the function with this data and the AOID as parameters is possible.
11. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
12. Using the interface function Archive Update Request and the AOID from step 3, remove one piece of data from the XAIP/BIN (not the complete XAIP). Expected: The call of the function with this data and the AOID as parameters is possible.
13. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
14. Retrieve the XAIP [...]
[...] possible [...] to request an XAIP
3. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs.
4. Using the interface function Archive Retrieval Request, request the binary object in form of a XAIP. Expected: The call of the function is possible.
5. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
6. Check the retrieved XAIPs and especially the content. Expected: All data objects can successfully be retrieved from the archive data system, encapsulated in valid XAIPs as defined in the middleware documentation. The actual content data is not modified and can be used as usual.
7. Start the hash tree renewal process. Expected: The hash tree renewal is in process.
8. Using the interface function Archive Retrieval Request, request an XAIP. Expected: The call of the function is possible.
9. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
10. Using the interface function Archive Retrieval Request, request the binary object in form of an XAIP. Expected: The call of the function is possible.
11. Observe the output of the [...]
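The renewal rule stated in the M.3.18 test purpose (new hash values over every archived object and over the existing Archive Time Stamp sequence, computed with the newly configured algorithm while the old time stamps stay in place) can be shown in a reduced form. The following Go program is an added illustration written for this page; it is not code from the Technical Guideline or from any ArchiSig product. An atsStep here stands in for an Archive Time Stamp and records only the hash tree root instead of an RFC 3161 time stamp over it, the tree construction and the way a previous step is hashed are the example's own choices, and SHA-256 to SHA-512 is the assumed algorithm change.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"hash"
)

// hashAlg hashes the concatenation of its arguments with one algorithm.
type hashAlg func(parts ...[]byte) []byte
func algFrom(ctor func() hash.Hash) hashAlg {
	return func(parts ...[]byte) []byte {
		h := ctor()
		for _, p := range parts {
			h.Write(p)
		}
		return h.Sum(nil)
	}
}

var sha256Alg, sha512Alg = algFrom(sha256.New), algFrom(sha512.New)

// atsStep stands in for one Archive Time Stamp: the hash tree root (a real ATS
// carries it inside an RFC 3161 time stamp) and this object's audit path to it.
type atsStep struct {
	alg  hashAlg
	path [][]byte // sibling hashes from the leaf up to the root
	root []byte
}

// pairHash orders the children before hashing (as RFC 4998 hash groups do), so no left/right flags are needed.
func pairHash(alg hashAlg, a, b []byte) []byte {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	return alg(a, b)
}

// buildTree returns the root over leaves and each leaf's audit path; an odd level duplicates its last node.
func buildTree(alg hashAlg, leaves [][]byte) ([]byte, [][][]byte) {
	paths := make([][][]byte, len(leaves))
	pos := make([]int, len(leaves)) // each leaf's index in the current level
	for i := range pos {
		pos[i] = i
	}
	level := leaves
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][]byte, len(level)/2)
		for j := range next {
			next[j] = pairHash(alg, level[2*j], level[2*j+1])
		}
		for i, p := range pos {
			paths[i], pos[i] = append(paths[i], level[p^1]), p/2
		}
		level = next
	}
	return level[0], paths
}

// leafFor hashes one object; after the initial step it also covers the previous
// step (path and root), so the old time stamp is re-secured under alg as well.
func leafFor(alg hashAlg, data []byte, er []atsStep) []byte {
	h := alg(data)
	if n := len(er); n > 0 {
		prev := er[n-1]
		h = alg(h, alg(bytes.Join(prev.path, nil), prev.root))
	}
	return h
}

// timestampAll builds one tree over all objects and appends the step to every record (initial ATS when empty, renewal otherwise).
func timestampAll(alg hashAlg, objects [][]byte, ers [][]atsStep) {
	leaves := make([][]byte, len(objects))
	for i, d := range objects {
		leaves[i] = leafFor(alg, d, ers[i])
	}
	root, paths := buildTree(alg, leaves)
	for i := range objects {
		ers[i] = append(ers[i], atsStep{alg, paths[i], root})
	}
}

// verify recomputes every step's leaf from the data and walks the audit path;
// each step must reach its recorded root.
func verify(data []byte, er []atsStep) bool {
	for i, s := range er {
		h := leafFor(s.alg, data, er[:i])
		for _, sib := range s.path {
			h = pairHash(s.alg, h, sib)
		}
		if !bytes.Equal(h, s.root) {
			return false
		}
	}
	return true
}
```

Calling timestampAll with sha256Alg on an empty set of records produces the initial Archive Time Stamp for every object; calling it again with sha512Alg performs the hash tree renewal, after which verify still succeeds for the unchanged objects, while any change to the data, to an audit path or to the old root is detected. The step sequence above (retrievals before, during and after the renewal) corresponds to the records remaining verifiable at every point.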
[...] possible at all because the Crypto Module declined the connection.

Requirement: M2.A6.2-1
Test Purpose: A secure tunnel can be maintained after successful authentication.
Configuration: CONFIG_Common
Pre-test conditions:
- Tester has access rights to the Cryptographic Module
- No mutual authentication between the Cryptographic Module and the interface partner was made
- M.2 is configured to use a secure tunnel
- The hash of XAIP_OK_Sig or BIN_OK_Sig is present
Step | Test sequence | Expected Results | Observations
1. Transfer the archival information package XAIP_OK_Sig or BIN_OK_Sig to the TOT using the interface S.1 function VerifyRequest. Expected: The call of the function with this XAIP/BIN as parameter is [...]
2. Perform the mutual authentication. Expected: Performing the authentication is possible.
3. Transfer the archival information package BIN_OK to the TOT using the interface S.1 function [...]. Expected: The call of the function with this XAIP/BIN as parameter is possible.
4. Observe the output of the interface function VerifyResponse. Expected: A positive feedback will be received, no error message or error code.
5. Transfer the archival information package XAIP_OK or [...]. Expected: If the function exists, the call of the function with this XAIP/BIN as parameter is possible.
[...] Request function and the AOID from step 3. Expected: The XAIP_OK_Sig is retrieved.
7. Check the XAIP_OK_Sig, especially the credential section, whether the signature verification information is included. Expected: The certificates, the certificate verification information and the signature verification information are included in the retrieved XAIP_OK_Sig.
8. If archived/stored, retrieve the XAIP_OK_SigWrong by using the Archive Retrieval Request function and the AOID from step 5. Expected: The XAIP_OK_SigWrong is retrieved.
9. Check the XAIP_OK_SigWrong, especially the credential section, whether the signature verification information is included. Expected: The certificates, the certificate verification information and the signature verification information are included in the retrieved XAIP_OK_SigWrong.
10. Retrieve the BIN_OK_Sig by using the Archive Retrieval Request function and the AOID from step 7. Expected: The BIN_OK_Sig is retrieved in the XAIP format, including all assigned metadata and the BIN data as content.
11. Check the retrieved XAIP and all the metadata whether the signature verification information is included. Expected: The certificates, the certificate verification information and the signature verification information are included in the retrieved XAIP.
12. If archived/stored, retrieve the BIN [...]
[...] with an AOID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
7. Use the interface function Archive Update Request with an AOID that contains too many characters. Expected: The request is answered with a clear and understandable error message or an error code.
8. Use the interface function Archive Update Request and try to update elements and sections of an archived XAIP which do not exist yet. Expected: The update will be performed. The elements and sections will be added only to the XAIP. Existing elements/sections will not be modified.
9. Use the interface function Archive Retrieval Request with no parameters. Expected: The request is answered with a clear and understandable error message or an error code.
10. Use the interface function Archive Retrieval Request with an AOID that contains invalid characters. Expected: The request is answered with a clear and understandable error message or an error code.
11. Use the interface function Archive Retrieval Request with an AOID that contains too many characters. Expected: The request is answered with a clear and understandable error message or an error code.
12. Use the interface function Archive Retrieval Request [...]. Expected: The request is answered with a clear and understandable [...]
3 The Test Criteria

The documents of the Technical Guideline describe and define a high number of aspects and facts potentially subject to testing. In order to summarise all these items and to clearly define the aspects to be tested per conformity level, a consolidated list of test criteria is developed. The actual test criteria can be found in the appendix to this document. This appendix is a table containing all the requirements from all the documents of the Technical Guideline. Per requirement it is stated whether it is relevant for Conformity Test Level 1 or 2, whether it is a core requirement for a module of the middleware and whether it is testable at all.

For fulfilling the required conformity, in general or in compliance with the pre-suppositions written down before the test cases, the red-marked test specifications in this document must be tested and passed. All other test specifications must be passed or the non-fulfilment must be justified.

Here follows a detailed description of the columns of this table:
- Column Document: In this column the title of the document is listed from which the requirement is obtained.
- Column Chapter: In this column the chapter of the document is listed where the requirement can be found. This is especially [...]
[...] error code occurs. An XAIP is received.
7. Compare the retrieved XAIP with the XAIP stored in step 1. Expected: The XAIP, resp. the BIN embedded in the retrieved XAIP, is the same file that was stored in step 1.
8. Request the XAIP from the TOT using the interface function Archive Retrieval Request with the AOID from step 2 and a valid version ID which is neither the very first nor the very last version ID. Expected: The call of the function with this AOID as a parameter is possible.
9. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
10. Compare the retrieved XAIP with the XAIP stored in step 1 and all the changes done in step 3. Expected: The XAIP reflects all changes done in step 3 as appropriate for the selected version ID. In particular, the XAIP does not contain the changes which were applied to versions newer than the selected one.
11. Request the XAIP from the TOT using the interface function Archive Retrieval Request with the AOID from step 2 and without a version ID. Expected: The call of the function with this AOID as a parameter is possible.
12. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code [...]
[...] or comparable open standardised data formats
Configuration: CONFIG_Common
Pre-test conditions: Test user has user manual and user guide
Step | Test sequence | Expected Results | Observations
1. Check whether the TOT external interfaces for data exchange are described and defined using XML or comparable open standardised data formats, e.g. take a look at the interface definitions within the annex TR-ESOR-E. Expected: All interfaces are defined using XML or a comparable open standardised format for data exchange.
2. Compare the implemented data exchange interfaces with their definitions described in the user manual or user guide. Expected: The interfaces are implemented the way they have been defined.
Verdict

5.1.3 A.03 No access without mutual authentication
Requirement: AS.A6.1-1, AS.A6.1-2, AS.A6.1-3, M3.A5.1-1, M3.A5.1-2
Test Purpose: The test shall verify (i) that any access from a source module to a target module can only take place via defined interfaces and is impossible without prior mutual authentication, (ii) that the mutual authentication between source and target module is cryptographically sufficient, so that it is impossible to exchange individual components without being noticed, and (iii) that it is impossible to bypass the authentication mechanisms of two components by a replay attack.
Configuration [...]
[...] information whether the capability of cancelling the execution of a function produces a meaningful and comprehensible error message in the event of unauthorised access to the module's security functions. Expected: The cancellation of the execution of a function produces a meaningful and comprehensible error message in the event of unauthorised access to the module's security functions.
3. Check the error messages produced during test case M.2.20 due to unauthorised access. Are these error messages meaningful and comprehensible? Expected: All these error messages are meaningful and comprehensible.
Verdict

5.3.20 M.2.20 Configuration of cryptographic functions
Requirement: M2.A6.3-1, M2.A6.3-2
Test Purpose: Check whether the Cryptographic Module has a central function to configure cryptographic functions. Check whether the configuration is managed by a configuration file and whether this file complies with RFC 5698.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present
- Product design documents are present
Step | Test sequence | Expected Results | Observations
1. Check the vendor documentation and assess the Crypto Module to identify how the Cryptographic Module realises the configuration of cryptographic functions [...]. Expected: The Cryptographic Module has a central function to configure cryptographic functions, preferably in a configuration file.
[...] requested qualified time stamps for re-signing include a qualified electronic signature from the time stamp issuer.
Step | Test sequence | Expected Results | Observations
1. If possible, configure the time stamp service provider or the requesting middleware in such a way that the time stamps will be qualified signed. Otherwise use a time stamp service provider actually generating qualified signed time stamps. Expected: The test set-up is possible.
2. Let the Cryptographic Module request a time stamp from the time stamp service provider. Expected: The Cryptographic Module requests the time stamp.
3. Observe the output of the Cryptographic Module. Expected: A positive feedback will be received, no error message or error code. The Cryptographic Module accepts the qualified signed qualified time stamp.
4. If possible, configure the time stamp service provider or the requesting middleware in such a way that the time stamps will not be qualified signed. Otherwise use a time stamp service provider actually generating signed, but not qualified signed, time stamps. Expected: The test set-up is possible.
5. Let the Cryptographic Module request a time stamp from the time stamp service provider. Expected: The Cryptographic Module requests the time stamp.
6. Observe the output of the Cryptographic Module. Expected: A negative feedback will be received, an error message or error [...]
[...] parameter is possible.
4. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code is returned. An AOID is assigned.
5. Authenticate with valid user credentials of client B. Expected: The authentication is successful.
6. Attempt an Archive Retrieval Request with the AOID from client A. Expected: The access will be denied.
7. Repeat the test sequence, storing first an XAIP_OK or BIN_OK assigned to client B and then attempting to access the stored data (Archive Retrieval Request) with an authentication of client A. Expected: The access will be denied.
Verdict

5.2.10 M.1.10 ArchiSafe Module is thread-safe
Requirement: AF.A6.2-13
Test Purpose: The test shall verify that the ArchiSafe module can process several transactions simultaneously.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The middleware documentation is available
- The IT system documentation is available
- The application documentation is available
- If required, establish a session with the TOT in order to perform the following tests
- If required, perform identification and authentication
- A sufficient amount of XAIPs or BINs have already been stored on the ECM storage to perform the technical tests
[...] creation of Initial Archive Time Stamps
Configuration: CONFIG_Common
Pre-test conditions:
- User has administrator rights on the system
- If required, perform identification and authentication
- At least one archive object is already archived
Step | Test sequence | Expected Results | Observations
1. Check the ArchiSig Module whether there are configurable rules for the creation of Initial Archive Time Stamps. Expected: There are configurable rules for the creation of Initial Archive Time Stamps.
2. Configure the ArchiSig Module in such a way that every 10 minutes, or another short time period, a new Archive Time Stamp will be created. Expected: Configuration is possible.
3. Request, every 10 minutes or the configured period of time, a new ERS of an already archived object, 3 or 4 times. Expected: ERS can be retrieved.
4. Check the last Initial Archive Time Stamp. Expected: The check is performed successfully.
Verdict

5.4.5 M.3.05 AOID shall be unique
Requirement: M3.A4.2-2
Test Purpose: The test shall verify that the generation of an AOID is unique (collision-free).
Configuration: CONFIG_Common
Pre-test conditions:
- User has administrator rights on the system
- If required, perform identification and authentication
- Test cases S.4.14 and S.4.19 were performed successfully and the AOIDs are known
Step | Test sequence | Expected Results | Observations [...]
[...] interface / equivalent middleware interface and the XML module resp. the client application
Identifier: A.03.1
Requirement: AF.A6.2-2, AF.A6.2-4, AF.A6.2-5, AF.A6.2-6
Test Purpose: The test shall verify whether a TLS tunnel with certificate-based mutual authentication is used for each transmission between the ArchiSafe module or an equivalent middleware interface and the XML module resp. the client application.
Configuration: CONFIG_ArchiSafe (includes TLS enforcement by ArchiSafe if an ArchiSafe Module is present)
Pre-test conditions:
- The IT system documentation is available
- If required, perform identification and authentication
- Administration access to the IT systems is needed
Step | Test sequence | Expected Results | Observations
1. Verify that the client application also uses a TLS tunnel for the communication with the S.4 interface of ArchiSafe. Expected: The client application is configured in such a way that a TLS tunnel with certificate-based mutual authentication will be used.
2. Try to store a XAIP_OK_Sig or BIN_OK_Sig and then retrieve anew XAIP_OK_Sig. Expected: Data can be transmitted and the function can be called. The XAIP/BIN can be stored.
3. Disable the TLS tunnel on the client application side. Expected: Data encryption is not active any more on the client application side.
[...] retrieve anew XAIP_OK_Sig. Try to update an existing archive object. Try to delete an existing archive object. Expected: ArchiSafe or the equivalent middleware interface does not accept any unencrypted connection [...]
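What A.03 and A.03.1 demand of the transport can be exercised against a small stand-in for the ArchiSafe endpoint: a TLS listener that completes the handshake only for clients presenting a certificate issued by the trusted CA, and rejects a client without a certificate, a client whose certificate chains to another issuer, and a client that does not trust the server's issuer. The Go program below is an added example written for this page; it is not code from the Technical Guideline or from any TR-ESOR product. The CA, server and client certificates are generated in memory by the program itself, and the common names "archisafe" and "client-app", the loopback address and the echo payload are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert issues an in-memory certificate for cn signed by parent; a nil parent yields a self-signed CA (test fixture, panics on failure).
func newCert(cn string, parent *tls.Certificate, usage []x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  usage,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the client checks for the listener
	}
	signer, signKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func trust(ca tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return pool
}

// serve starts a loopback echo listener; RequireAndVerifyClientCert makes the handshake fail unless the peer's certificate chains to ca.
func serve(ca, server tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust(ca),
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { // Read drives the handshake and errors for rejected peers
				defer c.Close()
				c.SetDeadline(time.Now().Add(5 * time.Second))
				buf := make([]byte, 16)
				if n, err := c.Read(buf); err == nil {
					c.Write(buf[:n])
				}
			}(c)
		}
	}()
	return ln, nil
}

// connect does one TLS round trip as a client trusting ca; a nil client sends no client certificate.
func connect(addr string, ca tls.Certificate, client *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: trust(ca), MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping")); err != nil {
		return err
	}
	_, err = io.ReadFull(conn, make([]byte, 4)) // with TLS 1.3 a rejected client fails here
	return err
}
```

Only the connection that presents a client certificate from the configured CA gets its payload echoed back; the unauthenticated and wrongly issued clients never get past the handshake, and an unencrypted peer cannot complete a handshake with this listener at all, which is the property step 3 onward of A.03.1 checks from the client side. Note that with TLS 1.3 the client's Dial may return before the server's rejection arrives, so the check has to cover the first read, not just the handshake call.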
[...] code on display or in the error log will appear. The Cryptographic Module does not accept the not qualified signed qualified time stamp.
7. If possible, configure the time stamp service provider or the requesting middleware in such a way that the time stamps will not be signed. Otherwise use a time stamp service provider actually generating unsigned time stamps. Expected: The test set-up is possible.
8. Let the Cryptographic Module request a time stamp from the time stamp service provider. Expected: The Cryptographic Module requests the time stamp.
9. Observe the output of the Cryptographic Module. Expected: A negative feedback will be received, an error message or error code on display or in the error log will appear. The Cryptographic Module does not accept the unsigned qualified time stamp.
Verdict

5.3.25 M.2.25 Crypto Module shall verify signatures of received time stamps
Requirement: M2.A5.3-4, M2.A5.3-5
Test Purpose: Check whether the Cryptographic Module verifies the authenticity and integrity of received qualified time stamps immediately upon receipt and prior to further processing, including the validation of the certificate chain back to a trustworthy root CA.
Configuration: CONFIG_Common
Pre-test conditions: Configure the Crypto Module to maximum verbose logging
Step | Test sequence | Expected Results [...]
[...] versions
- The versionIDs were noted
- If required, establish a session with the TOT in order to perform the following tests
- If required, perform identification and authentication
Step | Test sequence | Expected Results | Observations
1. Use the interface function Archive Retrieval Request and the AOID of the archived XAIP_OK or BIN_OK. Expected: The call of the function with this AOID as parameter is possible and the latest version of XAIP_OK will be received.
2. Use the interface function Archive Retrieval Request, the AOID of the archived XAIP_OK or BIN_OK and an older versionID. Expected: The call of the function with this AOID and versionID as parameters is possible and the appropriate version of XAIP_OK will be received.
3. Use the interface function Archive Evidence Request, the AOID of the archived XAIP_OK or BIN_OK and an older versionID. Expected: The call of the function with this AOID and versionID as parameters is possible and
   - the appropriate Evidence Record of XAIP_OK or BIN_OK will be received,
   - the retrieved Evidence Record can be positively verified by an appropriate tool.
4. Use the interface function Archive Retrieval Request and the AOID of the archived BIN_OK. Expected: The call of the function with this AOID as parameter is possible and
   - the latest version of BIN_OK embedded in an XAIP will [...]
[...] certificate
4. Transfer the archival information package [...] using VerifyRequest. Expected: The call of the function with this XAIP/BIN as parameter is possible.
5. Observe the output of the interface function VerifyResponse. Expected: A positive feedback will be received, no error message or error code. A VerificationReport is included in the VerifyResponse.
6. Examine the VerificationReport to see whether the validity verification was done by the Cryptographic Module. Expected: The validity verification shall be correct and complete, i.e. it includes the entire certificate chain back to a trustworthy root certificate.
Verdict

5.5.1.1.2 S.1.1.02 Verify Request: unavailable CRL results in invalid certificate
Requirement: M2.A5.1-16
Test Purpose: If CRLs are used for certificate validation and the results of the CRL are unclear, or the repository which hosts the CRL cannot accept inquiries, then the respective certificate will be classified as invalid.
Configuration: CONFIG_Common
Pre-test conditions: Certificate of a Certification Service Provider which supports CRL is present
Step | Test sequence | Expected Results | Observations
1. Sign the XAIP_OK/BIN_OK archival information package using a valid and not expired certificate issued by a Certification [...]. Expected: The signed XAIP_OK/BIN_OK was created successfully.
[...] is returned.
5. [...] AOID to update data objects in the archived XAIP_OK/BIN_OK.
6. Use the Archive Retrieval Request with the returned AOID to request an XAIP_OK and check whether the version manifest has been changed. Expected: The call is successful, the version manifest has been changed.
Verdict

5.2.9 M.1.09 ArchiSafe module should be capable of serving and separating multiple clients
Identifier: M.1.09
Requirement: MD.A6.1-3
Test Purpose: The test should check whether the middleware is able to manage multiple clients and separate the different clients' data.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The middleware documentation is available
- If required, perform identification and authentication
Step | Test sequence | Expected Results | Observations
1. Check the middleware documentation for the management of multiple clients storing their data separately. Expected: It is possible to manage multiple clients simultaneously while [...]
2. Authenticate with valid user credentials of client A. Expected: The authentication is successful.
3. Store an XAIP_OK or BIN_OK using the interface function Archive Submission Request. Expected: The call of the function with this XAIP/BIN as a parameter [...]
[...] 160
5.5.4.5.2 S.4.5.02 Deletion shall be performed for complete XAIP/BIN ... 162
5.5.4.5.3 S.4.5.03 Deletion requires reason, expiration and AOID ... 164
5.5.4.5.4 S.4.5.04 Deletion of an archive object shall be logged ... 166
5.5.4.5.5 S.4.5.05 Error message if deletion is not supported ... 167
5.5.4.5.6 S.4.5.06 Deletion should be possible in an irreversible manner ... 169
5.5.4.6 Archive Data Request ... 170
5.5.4.6.1 S.4.6.01 Archive Data shall require valid AOID and dataLocation ... 170
5.5.4.7 S.4.7.01 ArchiSafe Module is robust against incorrect parameters ... 172
5.5.4.8 S.4.8.01 Performance Requirements ... 175
5.5.5 Interface S.5 ... 177
5.5.6 Interface S.6 ... 177
5.5.6.1 Archive Submission Request ... 177
5.5.6.2 Archive Update Request ... 177
5.5.6.3 Archive Evidence Request [...]
[...] versions of the XAIP/BIN separately. Expected: The Evidence Record contains evidence for all versions of the XAIP/BIN back to the original version. The integrity and authenticity can be proven back to the time of first archival.
Verdict

5.5.4.5 Archive Deletion Request
5.5.4.5.1 S.4.5.01 Deletion is only possible by authorised entities and with included reason
Requirement: MD.A5.1-26, MD.A5.1-27, M1.A4.4-3, M1.A5.0-3
Test Purpose: The test shall verify that deletion of data before their expiry date can only be performed by authorised users of an authorised IT application, and only when the reason for deletion is contained in the deletion request.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- Tester has read/write permissions on the middleware
- Authentication against the application with the credentials of a user who is authorised to access the just submitted XAIP/BIN, but not authorised to delete data before it has expired, is successful
- The call of the function Archive Submission Request with a XAIP_OK_Sig or BIN_OK_Sig as a parameter is possible. A positive feedback is received. No error message or error code occurs. An AOID is assigned.
Step | Test sequence | Expected Results | Observations
1. Using the interface function Archive Deletion Request [...]. Expected: The call of the function with this AOID [...]
[...] versions while leaving the existing [...]
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
- The tester has read/write permissions on the middleware
- If required, perform identification and authentication
Step | Test sequence | Expected Results | Observations
1. Store an XAIP_OK_Sig/BIN_OK_Sig with data to the TOT using the interface function Archive Submission Request. Expected: The call of the function with this XAIP/BIN as a parameter is possible.
2. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. An AOID is assigned.
3. Using the interface function Archive Update Request and the AOID from step 2, add a few changes to the XAIP_OK_Sig/BIN_OK_Sig. Expected: The call of the function with this XAIP/BIN and the AOID as parameters is possible.
4. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID is received.
5. Request a XAIP from the TOT using the interface function Archive Retrieval Request with the AOID from step 2 and the version ID which indicates the very first version as parameters. Expected: The call of the function with this AOID and the Version ID as parameters is possible.
6. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error [...]
[...] respectively, or prove that it supports functionally analogous interfaces.

5.3.1 M.2.01 Crypto Module is a signature application component according to § 17 Par. 2 SigG
Requirement: MD.A7.3-4
Test Purpose: The Cryptographic Module fulfils the requirements of a signature application component pursuant to § 17 Sec. 2 SigG at a minimum.
Configuration: CONFIG_Common
Pre-test conditions:
- User manual is present
Step | Test sequence | Expected Results | Observations
1. Check the user manual and related documentation whether it is described that the Cryptographic Module fulfils the requirements of a signature application component pursuant to § 17 Par. 2 SigG at a minimum. Expected: In the user manual there is a confirmation that the Cryptographic Module fulfils the requirements of a signature application component pursuant to § 17 Par. 2 SigG at a minimum. This means that there is a certification and confirmation according to SigG, or there is a declaration of the vendor according to § 17 Par. 4 SigG.
Verdict

5.3.2 M.2.02 Crypto Module may be SSCD according to § 17 Par. 1 SigG
Pre-supposition: A product which claims to comply with the M.2 Crypto Module specification of this TR and which intends to generate qualified signatures by itself has to pass the following test case.
Requirement: MD.A7.3-5
Test Purpose [...]
[...] Submission of invalid XML data is not possible ... 126
5.5.4.1.8 S.4.1.08 Application protocol uses request/response message exchange pattern ... 127
5.5.4.1.9 S.4.1.09 Application protocol is routing capable ... 128
5.5.4.1.10 S.4.1.10 WSDL and Document/literal encoding for SOAP should be used ... 129
5.5.4.2 Archive Update Request ... 130
5.5.4.2.1 S.4.2.01 Archive Update Request is possible and ArchiSig immediately secures the new object ... 130
5.5.4.2.2 S.4.2.02 Archive Update requires existing AOID ... 133
5.5.4.2.3 S.4.2.03 Archive Update is allowed and results in a new version ID ... 134
5.5.4.2.4 S.4.2.04 Archive Update requires data and creates new version ... 136
5.5.4.2.5 S.4.2.05 Only authorised entities can change data ... 138
5.5.4.2.6 S.4.2.06 Signature and data format checks are also performed on update ... 140
5.5.4.2.7 S.4.2.07 All updates shall be traceable and keep the previous version untouched [...]
3. This must be done during the re-signing: submit some archival information package to the TOT using the interface function Archive Submission Request. Expected: The call of the function is possible. The results (the AOID) were received in an acceptable amount of time.
4. Start a complete rehashing of the archival information packages. Expected: The rehashing of the archival information packages starts.
5. This must be done during the rehashing: request some archival information package from the TOT using the interface function Archive Retrieval Request and the noted AOID from test case S.4.14. Expected: The call of the function with this AOID as parameter is possible. The results were received in an acceptable amount of time.
6. This must be done during the rehashing: submit some archival information package to the TOT using the interface function Archive Submission Request. Expected: The call of the function is possible. The results (the AOID) were received in an acceptable amount of time (< 2 min).
Verdict

5.4.9 M.3.09 Instances of ArchiSig Module should be deployable on different machines
[...] entities are running on different computers. Consulting the guidance for that purpose [...]
Identifier [...]
[...]
4. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID <n> is assigned.
5. By using the interface function Archive Update Request [...] with an empty data element. Expected: The call of the function with this AOID and the empty data element as parameters is possible.
6. Observe the output of the interface function Archive Update Response. Expected: A positive feedback is received. No error message or error code occurs. A new Version ID <n+1> is assigned and returned.
7. Using the interface function Archive Retrieval Request, the AOID from step 2 and the Version ID from step 6. Expected: The call of the function with this AOID and Version ID as parameters is possible.
8. Observe the output of the interface function Archive Retrieval Response. Expected: A positive feedback is received. No error message or error code occurs. An XAIP is received.
9. Check whether the data element is included and whether this data element is identical to the data element used in step 3. Expected: The data element is not included.
10. Using the interface function Archive Retrieval Request, the AOID from step 2 and the Version ID from step 4. Expected: The call of the function with this AOID and Version ID as parameters is possible.
11. Observe the output of the [...]
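The version semantics that the update and retrieval sequences above check (S.4.2.02 to S.4.2.04, S.4.2.07 and the M.1 update test in the HEAD: every update yields a new version ID, an update needs an existing AOID and some data, removing a data element from a version only drops the link in the new version manifest while the stored object remains, and an earlier version can be retrieved unchanged by version ID or the latest version without one) can be expressed as a small in-memory model. The following Go program is an added illustration written for this page; it is not code from the Technical Guideline or from any TR-ESOR product. The AOID format (a counter), the content-addressed data store and the method names Submit, Update and Retrieve are assumptions of the example, not the S.4 interface.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// manifest describes one version: metadata plus links to stored data objects.
// It only links; the objects themselves live in archive.store.
type manifest struct {
	VersionID int
	Metadata  map[string]string
	Data      map[string][32]byte // dataLocation -> content address (SHA-256)
}

type archive struct {
	objects map[string][]manifest // AOID -> manifests of versions 1..n
	store   map[[32]byte][]byte   // content address -> data object, append-only
	counter int
}

func newArchive() *archive {
	return &archive{objects: map[string][]manifest{}, store: map[[32]byte][]byte{}}
}

func copyMap[V any](src map[string]V) map[string]V {
	dst := make(map[string]V, len(src))
	for k, v := range src {
		dst[k] = v
	}
	return dst
}

// putData stores each data object under its hash and links it into m.
func (a *archive) putData(m manifest, data map[string][]byte) {
	for loc, b := range data {
		id := sha256.Sum256(b)
		a.store[id] = b
		m.Data[loc] = id
	}
}

// Submit archives a new object. The AOID is a plain counter in this model;
// the middleware has to generate collision-free identifiers (M.3.05).
func (a *archive) Submit(metadata map[string]string, data map[string][]byte) string {
	a.counter++
	aoid := fmt.Sprintf("aoid-%d", a.counter)
	m := manifest{VersionID: 1, Metadata: copyMap(metadata), Data: map[string][32]byte{}}
	a.putData(m, data)
	a.objects[aoid] = []manifest{m}
	return aoid
}

// Update creates the next version manifest from the latest one: metadata changes
// and added data go in, removed locations lose only their link. Earlier
// manifests and all stored data objects stay untouched.
func (a *archive) Update(aoid string, meta map[string]string, add map[string][]byte, remove []string) (int, error) {
	versions, ok := a.objects[aoid]
	if !ok {
		return 0, errors.New("unknown AOID") // S.4.2.02: update requires an existing AOID
	}
	if len(meta)+len(add)+len(remove) == 0 {
		return 0, errors.New("update carries no data") // S.4.2.04: update requires data
	}
	prev := versions[len(versions)-1]
	next := manifest{VersionID: prev.VersionID + 1, Metadata: copyMap(prev.Metadata), Data: copyMap(prev.Data)}
	for k, v := range meta {
		next.Metadata[k] = v
	}
	a.putData(next, add)
	for _, loc := range remove {
		delete(next.Data, loc) // the link goes, the bytes stay in a.store
	}
	a.objects[aoid] = append(versions, next)
	return next.VersionID, nil
}

// Retrieve resolves one version (0 = latest) into its manifest and data objects.
func (a *archive) Retrieve(aoid string, version int) (manifest, map[string][]byte, error) {
	versions, ok := a.objects[aoid]
	if !ok {
		return manifest{}, nil, errors.New("unknown AOID")
	}
	if version == 0 {
		version = len(versions)
	}
	if version < 1 || version > len(versions) {
		return manifest{}, nil, errors.New("unknown version ID")
	}
	m := versions[version-1]
	data := make(map[string][]byte, len(m.Data))
	for loc, id := range m.Data {
		data[loc] = a.store[id]
	}
	return m, data, nil
}
```

After Submit, an Update that changes a metadata field and adds a second data object returns version 2, and an Update that removes the first data location returns version 3; Retrieve with version 1 still yields the original metadata and data object, Retrieve without a version yields version 3 without that location, and the removed object's bytes are still present in the store under their hash. Updates without any change, or against an unknown AOID, are rejected rather than silently creating a version, which is what the error-case steps of S.4.2.02 and S.4.2.04 look for.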
Step 2 (continued). of the data change process. Expected: t changed on the ECM directly but only by using the middleware function calls of the ArchiSafe module. It may be possible that the ArchiSafe product cannot technically enforce that, but just the guidance recommends to do so.
Step 3. Check the middleware documentation for the description of the data deletion process. Expected: Existing data objects are not deleted from the ECM directly but only by using the middleware function calls of the ArchiSafe module. It may be possible that the ArchiSafe product cannot technically enforce that, but just the guidance recommends to do so.
Verdict
5.2.4 M.1.04 Support of specified functions
Requirement: AS A5.4-1, M1 A4.0-1
Test Purpose: The test shall verify that the interface TR-ESOR-S.4 provides at least the following functions:
• A function for the secure and reliable storage of archival information packages
• A function for updating archival information packages that have already been archived (optional)
• A function for retrieving archival information packages in XAIP format
• A function for retrieving technical (cryptographic) Evidence Records
• A function for deleting archived data
• A function for retrieving data elements of individual archival information packages
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
• User manual
t its own security ... 70
5.3.18 M.2.18 Recording security functions ... 71
5.3.19 M.2.19 Responsivity to unauthorized access ... 72
5.3.20 M.2.20 Configuration of cryptographic functions ... 73
5.3.21 M.2.21 Verification of certificates based on a standardized protocol ... 74
5.3.22 M.2.22 Crypto Module is able to request qualified time stamps ... 75
5.3.23 M.2.23 Crypto Module supports RFC 3161 and suitable algorithms ... 76
5.3.24 M.2.24 Time stamps need to bear qualified electronic signature ... 77
5.3.25 M.2.25 Crypto Module shall verify signatures of received time stamps ... 79
5.4 Module 3: ArchiSig Module ... 80
5.4.1 M.3.01 ArchiSig Module should be realised as a separate module ... 81
5.4.2 M.3.02 Using interface S.3 is possible ... 82
5.4.3 M.3.03 ArchiSig Module implements specified functions
that the ArchiSafe module offers comprehensive and configurable options for logging any access to the archive.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
• The ArchiSafe module is installed and configured
• The user has administration rights on the system
Step, Test sequence, Expected Results, Observations:
Step 1. Check the user manual of the software for logging options. Expected: Comprehensive and configurable logging options are described in the user manual.
Step 2. Configure the log function to the most comprehensive level. Expected: Any kind of access to the archive will be logged to the log file.
Step 3. Store an XAIP_OK_Sig or BIN_OK_Sig using the Archive Submission Request function. Expected: The function call is possible. The XAIP/BIN object is assigned an AOID and stored successfully.
Step 4. Use the Archive Update Request function with the AOID from step 3 to change the data contained within the XAIP or BIN. Expected: The function call is possible. A new version ID is received.
Step 5. Use the Archive Retrieval Request function with the AOID from step 3 to retrieve the XAIP from the storage. Expected: The function call is possible. The archive data object is received in XAIP format.
Step 6. Use the Archive Evidence Request function with the AOID from step 3 to check the XAIP's/BIN's authenticity and integrity. Expected: The function call is possible. An Evidence Record is received.
Step 7. Use the Archive Data Request function
the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. An AOID is assigned to the XAIP.
Step 5. Compare the AOIDs. Expected: The AOIDs are not equal.
Step 6. Transfer the very same XAIP_OK or BIN_OK from step 1 to the TOT using the interface function Archive Submission Request. Expected: The call of the function with this XAIP as a parameter is possible.
Step 7. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. Another AOID is assigned to the XAIP/BIN than in step 2.
Step 8. and 4. Expected: Both XAIPs could be retrieved. They are identical except the AOID and maybe some other metadata like date and time of archival.
Step 9. If the TOT supports Archive Update Request, update one XAIP_OK or BIN_OK by using the Archive Update Request and the AOID from step 2. Expected: The update is successful.
Step 10. Retrieve the XAIP_OKs with the AOIDs from step 2 and 7. Expected: Both XAIPs could be retrieved. They are not identical. The second XAIP includes the update, whereas the first XAIP is still unchanged.
Verdict
5.5.4.1.3 S.4.1.03 Archive Submission with valid binar
the steps 11, 12, 13 is integer and for the steps 5, 6, 7 is not integer.
Verdict
5.4.16 M.3.16 Time stamps shall be verified prior to renewal
Requirement: M3 A4.7-2, M3 A4.7-3
Test Purpose: Check whether a complete Archive Time Stamp renewal verifies the integrity and authenticity of the Archive Time Stamps to be renewed, and whether the hash values of these Archive Time Stamps are included in the new Archive Time Stamp.
Configuration: CONFIG_Common
Pre-test conditions:
• Submit several archive objects to the storage and configure the automatic Archive Time Stamping in such a way that several Archive Time Stamps will be generated in parallel and they are not covered by a superior Archive Time Stamp
• If required perform identification and authentication
Step, Test sequence, Expected Results, Observations:
Step 1. Request the ERS of these archive objects which are covered by the mentioned parallel Archive Time Stamps. Expected: The hash value of each of the parallel Archive Time Stamps is documented in one ERS.
Step 2. Start the complete Archive Time Stamp renewal process. Expected: The complete Archive Time Stamp renewal process was started successfully.
Step 3. Observe the requests of the ArchiSig module to the. Expected: ArchiSig will request verification of the very last Archiv
this is a binary object which does not claim conformance to a XML schema.
Binary: "no" means that this is an XML object; "yes" means that this is a binary (a non-XML) object.
Preservation Time: "Future" means that the minimum retention date is somewhere in the future (e.g. 01.01.2100). "Past" means that the minimum retention date is somewhere in the past (e.g. 01.01.2000).
Signature: "No signature" means that the user data contained in the test object does not contain a digital signature. "Valid" means that the user data contained in the test object contains a digital signature which is mathematically correct, produced with an approved algorithm and with a valid (neither expired nor revoked) certificate issued by a known and trustworthy Certificate Authority. It does not need to be a qualified signature (3). "Not Valid" means that the user data contained in the test object contains a digital signature which is mathematically not correct, but produced with an approved algorithm and with a valid (neither expired nor revoked) certificate issued by a known and trustworthy Certificate Authority. It does not need to be a qualified signature.
Footnote 3: The verification of signatures of documents included in the XAIP or passed over as binary
ting the conformity level 1, the referred interfaces are required in a logical (functional) manner only and not in a technical (interoperable) characteristic.
5.5.1 Interface S.1
The primary purpose of the TR-ESOR-S.1 interface between the ArchiSafe module and the Cryptographic module is the verification and creation of electronic signatures that were or should be attached to electronic data to be archived (XAIP or BIN documents).
Pre-supposition: A product which claims to functionally comply with the Interface S.1 specification of this TR has to pass
• all test cases in this section, or prove that it supports functionally analogous interfaces.
5.5.1.1 Verify Request
5.5.1.1.1 S.1.1.01 Verify Request: Verification of signature includes certificate path validation
Requirement: M A5.1-8, M2 A5.1-9
Test Purpose: The function is able to verify whether the user certificate used to generate the signature was valid at the time the signature was generated (see Chapter 5.1.3). Validity verification shall be complete, i.e. it includes the entire certificate chain back to a trustworthy root certificate. The Cryptographic Module shall be able to verify advanced and qualified electronic signatures. Qualified time stamps with qualified electronic signatures shall be verifiable, i.e. the validity of the time stamp signature at the time of time stamp generation must be verified.
tion: CONFIG_Common
Pre-test conditions:
• Test user has administrative rights on the system
• There are XAIPs/BINs registered by the TR-ESOR Middleware stored in ECM/long-term storage
• There are XAIPs/BINs stored in ECM/long-term storage which are not registered by the TR-ESOR Middleware
• If required perform identification and authentication
• Perform test case S.3.04 also together with this test case
Step, Test sequence, Expected Results, Observations:
Step 1. Change the hash algorithm configuration of the Crypto Module so that another algorithm will be used from now on. Expected: Configuration is possible, even if the complete Crypto Module must be replaced for that purpose.
Step 2. Configure the storage in such a way that the access to objects can be traced (e.g. activate detailed logging). Expected: Tracing of every object access is activated.
Step 3. Use the function Renewal of Archive Time Stamp with an administrative user. Expected: A positive feedback will be received, no error message or error code.
Step 4. Check the ECM/long-term storage whether objects which are not registered by the TR-ESOR Middleware can be accessed by the middleware. Expected: The middleware should not have accessed these objects.
Step 5. Check the ECM/long-term storage if XAIPs/BINs which are registered by the TR-ESOR Middleware get a new hash value. Expected: The middleware should have accessed these objects.
Step 6. Request the ERS for all these objects. Expected: It can be demonstrated that every XAIP/BIN got a new hash value.
5.4.8 M.3.08 ArchiSig Module should be thread safe
Identifier: M.3.08
Requirement: MD A7.3-9, MD A7.3-10, MD A7.3-11
Test Purpose: The ArchiSig Module should be able to work in parallel in multiple entities, in particular with regard to the case when all archival information packages present in the ECM/long-term storage have to be re-signed.
Configuration: CONFIG_Common. If possible, configure ArchiSig to work in parallel in multiple entities on one computer; consult the guidance for that purpose.
Pre-test conditions:
• Test case S.4.14 was performed successfully and the AOID is noted
• User has administrator rights on the system
• User manual is present
• If required perform identification and authentication
• Ensure that there are a lot (several thousand) of archive objects in the archive
Step, Test sequence, Expected Results, Observations:
Step 1. Start a complete resigning of the archival information packages. Expected: The resigning of the archival information packages starts.
Step 2. This must be done during the resigning. Request some archival information package from the TOT using the interface function Archive Retrieval Request and the noted AOID from the test case S.4.14. Expected: The call of the function with this AOID as parameter is possible. The results were received in an acceptable amount of time.
Step 3. This mu
tion of the two components. Expected: The complete data exchange between the components has been intercepted and logged.
Step 4. Check if the logged traffic data reveals any authorisation or payload data. Expected: No authorisation or payload data is revealed.
Step 5. Automatically send a large amount of small requests to the TOT. Expected: The availability is not affected in a negative way. The TOT responds to all the requests or identifies the DoS targets and blocks them.
Step 6. Establish a valid connection between the components and place requests to the TOT with large amounts of data to provoke buffer overflows. Expected: The sent data is properly processed and checked for plausibility. Invalid data is rejected. No buffer overflow will occur.
Step 7. Establish a valid connection between the components and place requests to the TOT with included database command sequences. Expected: The sent data is properly processed and checked for plausibility. Invalid data is rejected. The included database commands are not executed.
Verdict
5.1.6 A.06 A secure tunnel can be maintained after successful authentication
XAIP_OK_Sig or BIN_OK_Sig to the TOT using the interface S.1 function VerifyRequest. Observe the output of the interface function. possible, but a negative feedback will be received, or the call of the function is not p
Step 1 (continued). interface function Archive Submission Request. Expected: tion with this XAIP as a parameter is possible.
Step 2. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code is returned. A list of AOIDs has been assigned.
Step 3. Use the interface function Archive Data Request with one AOID from step 2 with a valid dataLocation parameter to retrieve a data element that has been stored in the XAIP_OK/BIN_OK in step 1. Expected: The call of the function with these parameters is possible.
Step 4. Observe the output of the interface function Archive Data Response. Expected: A positive feedback is received. No error message or error code is returned. A data element is received.
Step 5. Compare the retrieved data element with the version that has originally been stored in the XAIP/BIN in step 1. Expected: The data elements are equal.
Step 6. Use the interface function Archive Data Request with all the AOIDs from step 2 with a valid dataLocation parameter to retrieve the data element that has been stored in the XAIP_OKs/BIN_OKs in step 1. Expected: The call of the function with these parameters is possible.
Step 7. Observe the output of the interface function Archive Data Response. Expected: A positive feedback is received. No error message or error code is returned.
uals ... 141
5.5.4.2.8 S.4.2.08 Update shall not impair the probative value ... 143
5.5.4.2.9 S.4.2.09 Update can not delete data. Versions can be retrieved separately ... 146
5.5.4.2.10 S.4.2.10 All updates are logged ... 148
5.5.4.3 Archive Retrieval Request ... 149
5.5.4.3.1 S.4.3.01 AOID and secure channel is required for retrieval ... 149
5.5.4.3.2 S.4.3.02 Archive Retrieval returns XAIP ... 152
5.5.4.4 Archive Evidence Request ... 154
5.5.4.4.1 S.4.4.01 Preservation of evidence does not impair possibility to use documents ... 154
5.5.4.4.2 S.4.4.02 Middleware returns a correct Evidence Record for each requested AOID ... 156
5.5.4.4.3 S.4.4.03 Middleware creates correct Evidence Records for specific XAIP or BIN versions ... 158
5.5.4.5 Archive Deletion Request ... 160
5.5.4.5.1 S.4.5.01 Deletion is only possible by authorised entities and with included reason
uest ... 177
5.6 Annex ... 177
5.7 Annex TR-ESOR-S.2 ... 178
6 Annexes ... 179
1 Introduction
The goal of the Technical Guideline "Preservation of Evidence of Cryptographically Signed Documents" is to specify technical security requirements for the long-term preservation of evidence of cryptographically signed electronic documents and data, along with associated electronic administrative data (meta data). A Middleware defined for this purpose (TR-ESOR Middleware) in the sense of this Guideline includes all of the modules (M) and interfaces (S, for the German "Schnittstellen") used for securing and preserving the authenticity and proving the integrity of the stored documents and data. The Reference Architecture introduced in the Main Document of this Technical Guideline consists of the functions and logical units described in the following:
• The input interface S.4 of the TR-ESOR Middleware serves to embed the TR-ESOR Middleware in the existing IT an
uitable cryptographic procedures ... 26
5.1.4 A.04 Authentication procedure is resistant against replay attacks ... 27
5.1.5 A.05 Protection of communication channel and interface is robust against DoS attacks ... 28
5.1.6 A.06 A secure tunnel can be maintained after successful authentication ... 29
5.1.7 A.07 Secure administration interfaces ... 31
5.1.8 A.08 No security breach induced by administration interfaces or components ... 33
5.1.9 A.09 Administration interfaces are available for authorised accounts only ... 34
5.1.10 A.10 Additional interfaces do not compromise security ... 35
5.2 Module 1: ArchiSafe Module ... 37
5.2.1 M.1.01 ArchiSafe module satisfies the requirements of PP-0049 ... 38
5.2.2 M.1.02 ArchiSafe module is separated and deployed on a trustworthy IT system ... 39
5.2.3 M.1.03 Access to ECM storage should be claimed to be controlled by ArchiSafe module ... 40
5.2.4 M.1.04 Support of specified functions ... 41
5.2.5 M.1.05 Using interfaces S.1
ut the trustworthy IT system which module is implemented, serves as a platform for the execution of the modules (4). Expected: For this purpose the vendor could provide a specially hardened system or could assume a specially hardened system. The test fails if no settings for the baseline system are assumed or already provided.
Footnote 4: For example, if the vendor just states that the product runs on the platform XYZ, the test fails. If the vendor states that the product runs on the platform XYZ and a security white paper of the vendor of this platform may be considered, the test passes.
Step 3. Check the TOT and/or the user manual whether the Modules are neither a logical nor functional component of upstream IT specialist applications. Expected: The Modules are neither a logical nor functional component of upstream IT specialist applications.
Verdict
5.1.2 A.02 XML-based Interfaces
Identifier: A.02
Requirement: MD A6.3-3
Test Purpose: The test shall verify that the interfaces for the exchange of data between the middleware resp. components of the middleware that conforms to this guideline are generally described and realised by means of XML and corresponding schema definitions o
val Request and the AOIDs A1, A2 and B1 to request the XAIPs. Expected: The call of the function with this AOID as a parameter is possible.
Step 10. Observe the output of the interface function Archive Retrieval Response. Expected: A mixed feedback is received. The XAIPs A1 and A2 could be retrieved; for B1 an error was received.
Step 11. By using client application B: Using the interface function Archive Retrieval Request and the AOIDs A1, A2 and B1 to request the XAIPs. Expected: The call of the function with this AOID as a parameter is possible.
Step 12. Observe the output of the interface function Archive Retrieval Response. Expected: A mixed feedback is received. The XAIP B1 could be retrieved; for A1 and A2 an error was received.
Step 13. Try to use a client application C, which is not an authorized archive application, to submit a XAIP or BIN, to update a XAIP or BIN, to retrieve a XAIP, or to delete a XAIP or BIN of another client. Expected: A negative feedback is received. An error message or error code occurs. Access to the middleware and the storage is denied in any case.
Verdict
5.3 Module 2: Crypto Module
A product which claims to comply with the M.2 Crypto Module specification of this TR has to pass
• all test cases in this section, and
• all test cases for the interface S.1 and S.3 specified in section 5.5.1 and 5.5.3 re
vations:
Step 1. Compare the known AOIDs. Expected: No two AOIDs are equal.
Verdict
5.4.6 M.3.06 ArchiSig Module creates Evidence Records according to RFC 4998 or 6283
Requirement: MD A5.1-22, MD A5.1-23, M3 A3.1-1, M3 A4.10-1
Test Purpose: Check whether the Middleware is able to provide technical evidence for the authenticity and unadulteratedness of the archival information packages upon request, as well as all electronic Evidence Records needed for this purpose. The function shall calculate an Evidence Record pursuant to the ERS standard for an Archival Information Package identified uniquely by the AOID, and the result shall be returned in an allowed format (RFC 4998, RFC 6283) to the application or module making the request.
Configuration: CONFIG_Common
Pre-test conditions:
• User manual is present
• Tester has read/write permissions on the Middleware
• If required perform identification and authentication
Step, Test sequence, Expected Results, Observations:
Step 1. Check the user manual if an Evidence Record is calculated pursuant to the ERS standard for an Archival Information Package identified uniquely by the AOID. Expected: The Evidence Record is calculated pursuant to the ERS standard (RFC 4998 or RFC 6283).
Step 2. Using the interface function Archive Evidence Request. Expected: The call of the function with this AOID as par
y object is possible
Requirement: MD A5.1-3, M1 A4.1-7, M3 A4.2-2
Test Purpose: The test shall verify that a binary document is stored in the ECM/long-term storage.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
• If required establish a session with the TOT in order to perform the following tests
• If required perform identification and authentication
Step, Test sequence, Expected Results, Observations:
Step 1. Transfer several documents (BIN_OK) to the TOT using the interface function Archive Submission Request. Expected: The call of the function with this document as a parameter is possible.
Step 2. Observe the output of the interface function Archive Submission Response. Expected: A positive feedback is received. No error message or error code occurs. A unique AOID is assigned to each and every object.
Step 3. Check the log files of the TOT for a record about an XML schema check. Expected: There is no record about an XML schema verification of this document.
Step 4. Check whether the document was stored. Expected: The document has been stored.
Verdict
5.5.4.1.4 S.4.1.04 Archive Submission is always possible
Requirement: MD A5.1-2
Test Purpose: The test shall verify whether the storage of electronic documents and data from external IT applications is always possible via a secure communication channel.
Configuration: CONFIG_Arc
ying trustworthiness of the platform ArchiSafe is running on. Expected: platform. Alternatively ArchiSafe is delivered on a security enhanced platform.
Step 2. Check the middleware documentation for a description of the design of the ArchiSafe module. Expected: The ArchiSafe module is designed as an independent module or is at least functionally separated from other parts of the product.
Verdict
5.2.3 M.1.03 Access to ECM storage should be claimed to be controlled by ArchiSafe module
Requirement: MD A7.3-1
Test Purpose: The test shall verify that any application access to the data on the ECM storage is claimed to be controlled and performed by the ArchiSafe module.
Configuration: CONFIG_ArchiSafe
Pre-test conditions:
• The ArchiSafe module is installed and configured
• The middleware documentation is available
• The user has administration rights on the system
Step, Test sequence, Expected Results, Observations:
Step 1. Check the middleware documentation for the description of the data storage process. Expected: New data objects are not sent to the ECM directly but only by using the middleware function calls of the ArchiSafe module. It may be possible that the ArchiSafe product cannot technically enforce that, but just the guidance recommends to do so.
Step 2. Check the middleware documentation for the description. Expected: Existing data objects are no
