From 29b40f43e5102f5289495a93044e5b71a3003ec3 Mon Sep 17 00:00:00 2001 From: "Bozawglanian, Hagop (hb755d)" Date: Mon, 10 Sep 2018 18:02:42 +0000 Subject: VNFRQS - Cryptography Reqs Batch 1 Including changes for VNFRQTS - 435, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434 Issue-ID: VNFRQTS-435 Change-Id: I5e4e32e7d56b601815b6b6d550d135dba3db3446 Signed-off-by: Bozawglanian, Hagop (hb755d) --- docs/Chapter4/Security.rst | 104 +++++++++++++++++++++++++++------------------ docs/data/needs.json | 72 +++++++++++++++---------------- 2 files changed, 98 insertions(+), 78 deletions(-) (limited to 'docs') diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index 384f07e..6f3f0b8 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst @@ -471,13 +471,6 @@ Identity and Access Management Requirements The VNF **SHOULD** support OAuth 2.0 authorization using an external Authorization Server. -.. req:: - :id: R-48080 - :target: VNF - :keyword: SHOULD - - The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol). - .. req:: :id: R-75041 :target: VNF @@ -1015,14 +1008,6 @@ Data Protection Requirements virtual memory. If not possible to disable the paging of the data requiring encryption, the virtual memory should be encrypted. -.. req:: - :id: R-93860 - :target: VNF - :keyword: MUST - - The VNF **MUST** provide the capability to integrate with an - external encryption service. - .. req:: :id: R-73067 :target: VNF 
@@ -1063,59 +1048,98 @@ Data Protection Requirements versions of cryptographic algorithms and protocols with minimal impact. .. req:: - :id: R-44723 + :id: R-95864 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** use symmetric keys of at least 112 bits in length. + The VNF **MUST** support digital certificates that comply with X.509 + standards. .. req:: - :id: R-25401 + :id: R-12110 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** use keys generated or derived from + predictable functions or values, e.g., values considered predictable + include user identity information, time of day, stored/transmitted data. + +.. req:: + :id: R-69610 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** use asymmetric keys of at least 2048 bits in length. + The VNF **MUST** provide the capability of using X.509 certificates + issued by an external Certificate Authority. .. req:: - :id: R-95864 + :id: R-47204 :target: VNF :keyword: MUST :updated: casablanca - The VNF **MUST** support digital certificates that comply with X.509 - standards. + The VNF **MUST** be capable of protecting the confidentiality and integrity + of data at rest and in transit from unauthorized access and modification. + + +VNF Cryptography Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section covers VNF cryptography requirements that are mostly +applicable to encryption or protocol meethods. .. req:: - :id: R-12110 + :id: R-48080 :target: VNF - :keyword: MUST NOT + :keyword: SHOULD + :updated: casablanca - The VNF **MUST NOT** use keys generated or derived from - predictable functions or values, e.g., values considered predictable - include user identity information, time of day, stored/transmitted data. + The VNF **SHOULD** support an automated certificate management protocol + such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or + Automated Certificate Management Environment (ACME). .. 
req:: - :id: R-52060 + :id: R-93860 + :target: VNF + :keyword: SHOULD + :updated: casablanca + + The VNF **SHOULD** provide the capability to integrate with an + external encryption service. + +.. req:: + :id: R-44723 :target: VNF :keyword: MUST + :updated: casablanca - The VNF **MUST** provide the capability to configure encryption - algorithms or devices so that they comply with the laws of the jurisdiction - in which there are plans to use data encryption. + The VNF **MUST** use symmetric keys of at least 112 bits in length. .. req:: - :id: R-69610 + :id: R-25401 :target: VNF :keyword: MUST :updated: casablanca - The VNF **MUST** provide the capability of using X.509 certificates - issued by an external Certificate Authority. + The VNF **MUST** use asymmetric keys of at least 2048 bits in length. + +.. req:: + :id: R-52060 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST** provide the capability to configure encryption + algorithms or devices so that they comply with the laws of the jurisdiction + in which there are plans to use data encryption. .. req:: :id: R-83500 :target: VNF :keyword: MUST + :updated: casablanca The VNF **MUST** provide the capability of allowing certificate renewal and revocation. @@ -1124,6 +1148,7 @@ Data Protection Requirements :id: R-29977 :target: VNF :keyword: MUST + :updated: casablanca The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate. @@ -1132,6 +1157,7 @@ Data Protection Requirements :id: R-24359 :target: VNF :keyword: MUST + :updated: casablanca The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the date the certificate is being 
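Review bot: R-25401, moved into the new "VNF Cryptography Requirements" section and stamped `:updated: casablanca`, still requires "asymmetric keys of at least 2048 bits", which read literally excludes elliptic-curve keys, since those reach comparable strength at a few hundred bits. Naming the algorithm family would remove the ambiguity, for example `The VNF **MUST** use RSA keys of at least 2048 bits or elliptic-curve keys of at least 224 bits in length.`; the exact figures are for the requirement owners to confirm. R-44723 is in a similar position: its 112-bit symmetric floor matches three-key Triple DES, and if the intent is to require modern block ciphers, 128 bits would be the more usual minimum. Separately, the new section's intro paragraph has a typo and should end `applicable to encryption or protocol methods.`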
@@ -1141,6 +1167,7 @@ Data Protection Requirements :id: R-39604 :target: VNF :keyword: MUST + :updated: casablanca The VNF **MUST** provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation @@ -1151,16 +1178,9 @@ Data Protection Requirements :id: R-75343 :target: VNF :keyword: MUST + :updated: casablanca The VNF **MUST** provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate - the "distinguished name". -.. req:: - :id: R-47204 - :target: VNF - :keyword: MUST - :updated: casablanca - - The VNF **MUST** be capable of protecting the confidentiality and integrity - of data at rest and in transit from unauthorized access and modification. \ No newline at end of file diff --git a/docs/data/needs.json b/docs/data/needs.json index 2d38372..439d6ae 100644 --- a/docs/data/needs.json +++ b/docs/data/needs.json @@ -1,5 +1,5 @@ { - "created": "2018-09-07T19:37:09.602325", + "created": "2018-09-10T17:51:37.025716", "current_version": "casablanca", "project": "", "versions": { @@ -21858,7 +21858,7 @@ "needs_amount": 750 }, "casablanca": { - "created": "2018-09-07T19:37:09.602183", + "created": "2018-09-10T17:51:37.025645", "needs": { "R-00011": { "description": "A VNF's Heat Orchestration Template's Nested YAML files\nparameter's **MUST NOT** have a parameter constraint defined.", @@ -26853,9 +26853,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -26867,7 +26867,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, 
@@ -26996,9 +26996,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -27010,7 +27010,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -28057,9 +28057,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -28071,7 +28071,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -30042,9 +30042,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -30056,7 +30056,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -31385,9 +31385,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -31399,7 +31399,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, 
@@ -32084,7 +32084,7 @@ "validation_mode": "" }, "R-48080": { - "description": "The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol).", + "description": "The VNF **SHOULD** support an automated certificate management protocol\nsuch as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or\nAutomated Certificate Management Environment (ACME).", "full_title": "", "hide_links": "", "id": "R-48080", @@ -32093,9 +32093,9 @@ "keyword": "SHOULD", "links": [], "notes": "", - "section_name": "VNF Identity and Access Management Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Identity and Access Management Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -32107,7 +32107,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -32841,9 +32841,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -32855,7 +32855,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -37213,9 +37213,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -37227,7 +37227,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, 
@@ -38609,9 +38609,9 @@ "keyword": "MUST", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -38623,7 +38623,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -41014,18 +41014,18 @@ "validation_mode": "" }, "R-93860": { - "description": "The VNF **MUST** provide the capability to integrate with an\nexternal encryption service.", + "description": "The VNF **SHOULD** provide the capability to integrate with an\nexternal encryption service.", "full_title": "", "hide_links": "", "id": "R-93860", "impacts": "", "introduced": "", - "keyword": "MUST", + "keyword": "SHOULD", "links": [], "notes": "", - "section_name": "VNF Data Protection Requirements", + "section_name": "VNF Cryptography Requirements", "sections": [ - "VNF Data Protection Requirements", + "VNF Cryptography Requirements", "VNF Security" ], "status": null, @@ -41037,7 +41037,7 @@ "title": "", "title_from_content": "", "type_name": "Requirement", - "updated": "", + "updated": "casablanca", "validated_by": "", "validation_mode": "" }, @@ -41811,7 +41811,7 @@ "validation_mode": "" }, "R-98391": { - "description": "The VNF **MUST**, if not integrated with the Operator\u2019s Identity and\nAccess Management system, support Role-Based Access Control to enforce\nleast privilege.", + "description": "The VNF **MUST**, if not integrated with the Operator's Identity and\nAccess Management system, support Role-Based Access Control to enforce\nleast privilege.", "full_title": "", "hide_links": "", "id": "R-98391", -- cgit 1.2.3-korg