SP-022: Board of Directors Room
Synopsis: Board of Directors Room for reading highly confidential documents on an un-trusted computer.
Description: Board of Directors need access to meeting protocols, agenda and other highly confidential information. Any computer may be used, even un-trusted or compromised computers. The documents accessible are highly confidential and no traces of documents shall be found on computer. It shall not be possible to download the documents in clear text or to print the documents. Detailed audit functionality shows which user has read which document and when. All documents are stored in the PDF format. The following technical design aspects need to be considered:
- The solution should be supported by multiple operating systems (Windows, OS X, Linux)?
- A USB stick is delivered to the Board of Directors Members and to the Secretaries
- The USB stick contains the "Board of Directors Room" applications and a SmartCard component containing a certificate for cryptography operations
- Public key infrastructure is required to encrypt the PDF documents exchanged via the "Board of Directors" application.
- The "Board of Directors Room" application will load a hardened web browser and a hardened PDF viewer from the USB stick to access the trusted and preconfigured web server
- The USB stick should be updated automatically from the "Board of Directors Room" web server
Uploading documents: The secretary creates a PDF document and encrypts the document with the public key of every Director. The encrypted PDF document is uploaded to the server. Downloading documents: The Board of Director connects the USB stick to a PC. The hardened browser is started automatically and prompts for the PIN. The PIN is used to allow the web browser to access the certificate on the stick and to login to the web server. Encrypted PDF's can now be downloaded to the USB stick and stored. For viewing the PDF's, the PDF viewer will decrypt the PDF with the private key of the user certificate stored in the SmartCard component. decision who gets access to which information; Strong two factor authentication by using MTAN, or token (i.e. OTP, certificates).
Assumptions: Only small user base – 10-30 users expected. The computers of the Board Secretaries where the documents are created are secure.
Indications: Easy to use but highly secure. Documents can be read on any un-trusted computer, it is assumed a Trojan Horse is present on the computer where the documents are read. Documents are also encrypted when downloaded to the USB stick.
Contra-Indications: It is not an Ad-hoc solution, a USB stick is delivered to the users in the setup phase. The solution is practical only for a small number of users.
Resistance against threats: The solution is resistance against generic Trojan Horse on the un-trusted computer where the Board of Directors read the documents. "Board of Directors Room" application is secured against any web application threats according to OWASP. A number of residual risks remain with this pattern:
- A board member taking screenshots and printing/mailing/saving the screenshots
- A board member handing the secure device to other persons
- A specific Trojan Horse attacking this specific device (USB stick with hardened browser)
Classification: File Exchange
Release: 15.Nov 2010
Author(s): Walter Sprenger pattern was created based on the working group results of the SGRP and the Information Security Society Switzerland
Reviewer(s): Martin Sibler
AC-01 Access Control Policies and Procedures
AC-02 Account Management
AC-03 Access Enforcement
AC-20 Use Of External Information Systems
AU-03 Content Of Audit Records
AU-08 Time Stamps
AU-09 Protection Of Audit Information
AU-11 Audit Record Retention
IA-02 User Identification And Authentication
IA-04 Identifier Management
IA-05 Authenticator Management
IA-07 Cryptographic Module Authentication
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-12 Cryptographic Key Establishment And Management
SC-17 Public Key Infrastructure Certificates