FPR_UNO.2     Allocation of information impacting unobservability

User application notes

This component requires that the use of a function or resource cannot be observed by specified users or subjects. Furthermore, this component specifies that information related to the privacy of the user is distributed within the TOE such that attackers might not know which part of the TOE to target, or they need to attack multiple parts of the TOE.

An example of the use of this component is the use of a randomly allocated node to provide a function. In such a case the component might require that the privacy related information shall only be available to one identified part of the TOE, and will not be communicated outside this part of the TOE.

A more complex example can be found in some "voting algorithms". Several parts of the TOE will be involved in the service, but no individual part of the TOE will be able to violate the policy. So a person may cast a vote (or not) without the TOE being able to determine whether a vote has been cast and what the vote happened to be (unless the vote was unanimous).

In addition to this component, a PP/ST author might want to incorporate Covert Channel Analysis.

Operations

Assignment:

In FPR_UNO.2.1 the PP/ST author should specify the list of users and/or subjects against which the TSF must provide protection. For example, even if the PP/ST author specifies a single user or subject role, the TSF must not only provide protection against each individual user or subject, but must protect with respect to cooperating users and/or subjects. A set of users, for example, could be a group of users which can operate under the same role or can all use the same process(es).

For FPR_UNO.2.1 the PP/ST author should identify the list of operations that are subjected to the unobservability requirement. Other users/subjects will then not be able to observe the operations on a covered object in the specified list (e.g. reading and writing to the object).

For FPR_UNO.2.1 the PP/ST author should identify the list of objects which are covered by the unobservability requirement. An example could be a specific mail server or ftp site.

In FPR_UNO.2.1 the PP/ST author should specify the set of protected users and/or subjects whose unobservability information will be protected. An example could be: "users accessing the system through the internet".

For FPR_UNO.2.2 the PP/ST author should identify which privacy related information should be distributed in a controlled manner. Examples of this information could be: IP address of subject, IP address of object, time, used encryption keys.

For FPR_UNO.2.2 the PP/ST author should specify the conditions to which the dissemination of the information should adhere. These conditions should be maintained throughout the lifetime of the privacy related information of each instance. Examples of these conditions could be: "the information shall only be present at a single separated part of the TOE and shall not be communicated outside this part of the TOE", "the information shall only reside in a single separated part of the TOE, but shall be moved to another part of the TOE periodically", "the information shall be distributed between the different parts of the TOE such that compromise of any 5 separated parts of the TOE will not compromise the security policy".
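The following is an added illustration, not part of the Common Criteria text, of how the last condition above ("compromise of any 5 separated parts of the TOE will not compromise the security policy") and the "voting algorithm" sketch in the application notes can be realised. It uses Shamir threshold secret sharing over a prime field, which is an assumed technique: the CC text names no algorithm, and all names below (`PRIME`, `split`, `reconstruct`, `explain_away`, `tally_votes`) and the sample addresses are constructed for this example. A privacy-related value (here an IP address of a subject) is split across eight separated parts with a threshold of six, so any five captured shares are provably consistent with every possible address; the same sharing, summed part by part, tallies votes without any single part seeing an individual vote.

```python
"""Threshold sharing of privacy-related information across separated parts
of a TOE (added example; Shamir's scheme is an assumed technique)."""
import secrets

# Mersenne prime; the field is large enough for the toy values used below.
PRIME = 2**61 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def _interpolate(points, x):
    """Value at x of the unique polynomial of degree len(points)-1 through
    the given (xi, yi) points, by Lagrange interpolation over the field."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split(secret, n_parts, threshold):
    """Distribute `secret` over n_parts separated parts as (x, y) shares.
    Any `threshold` shares reconstruct it; any threshold-1 shares reveal nothing."""
    if not 0 < threshold <= n_parts:
        raise ValueError("need 0 < threshold <= n_parts")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_parts + 1)]


def reconstruct(shares):
    """Recover the secret (the polynomial's value at x = 0) from >= threshold shares."""
    return _interpolate(shares, 0)


def explain_away(captured, candidate, n_parts):
    """Given fewer than `threshold` captured shares, build a complete, valid share
    set whose secret is `candidate` and which agrees with every captured share.
    This is the concrete meaning of 'compromise of these parts reveals nothing':
    the attacker cannot rule out any value of the protected information."""
    points = [(0, candidate % PRIME)] + list(captured)
    used = {x for x, _ in captured}
    fresh = [(x, _interpolate(points, x)) for x in range(1, n_parts + 1) if x not in used]
    return sorted(list(captured) + fresh)


def tally_votes(votes, n_parts, threshold):
    """Each voter shares a 0/1 vote across the parts; each part only adds up the
    share values it holds; the tally is reconstructed from any `threshold` parts.
    No part ever holds an individual vote in the clear."""
    per_part = [0] * n_parts
    for vote in votes:
        for x, y in split(vote, n_parts, threshold):
            per_part[x - 1] = (per_part[x - 1] + y) % PRIME
    summed_shares = [(x, per_part[x - 1]) for x in range(1, n_parts + 1)]
    return reconstruct(summed_shares[:threshold])


def ip_to_int(ip):
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


if __name__ == "__main__":
    # Constructed sample: subject address spread over 8 parts, threshold 6,
    # i.e. compromise of any 5 parts does not compromise the policy.
    shares = split(ip_to_int("203.0.113.7"), n_parts=8, threshold=6)
    print("reconstructed from parts 1-6:", int_to_ip(reconstruct(shares[:6])))
    alt = explain_away(shares[:5], ip_to_int("192.0.2.1"), 8)
    print("5 captured shares also fit:", int_to_ip(reconstruct(alt[:6])))
    print("tally of constructed votes:", tally_votes([1, 0, 1, 1, 0, 1], 8, 6))
```

The `explain_away` check is the useful one for an evaluator: it does not merely assert that five shares are insufficient, it exhibits a full share set for a different address that is indistinguishable, share for share, from what the attacker captured. The vote tally relies on the additive homomorphism of the sharing (summing shares with the same x yields shares of the sum), which is why each part can contribute without learning more than the aggregate once the tally is opened; as the application note says, a unanimous result still discloses every vote.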