DEVELOPMENT OF PROTECTION PROFILE FOR SECOND-LEVEL E-KTP CARD READER BASED ON ISO/IEC 15408:2022 AND ISO/IEC TS 19608:2018
Abstract
The second-level e-KTP reader is a device that reads the electronic data stored in the e-KTP chip, using a verification device in the form of a fingerprint or face scan. The data stored in the e-KTP chip is personal data, both general and specific, as stated in Law Number 27 of 2022. Users of e-KTP readers, as controllers and processors of personal data, are therefore obliged to lawfully prevent unauthorised access by using a security system reliably, safely and responsibly. Permendagri Number 76 of 2020 requires compliance with product standards and involves the relevant ministries and agencies (K/L) in the security sector as a form of supervision. Under BSSN Regulation 15 of 2019, the evaluation process in the Indonesian Common Criteria scheme requires a Protection Profile document to support the evaluation of IT device security. However, there is no certified Protection Profile document for e-KTP reader devices that can be used as a reference in developing IT devices to support the evaluation of IT device security. This study therefore develops a Protection Profile for e-KTP readers based on ISO/IEC 15408 and ISO/IEC TS 19608:2018, in order to prepare functional security requirements and security assurance requirements that take the protection of personal data into account. The development method is based on ISO/IEC TR 15446:2017. The result of this study is a Protection Profile document consisting of 25 functional security requirements that fulfil 8 device security objectives, with security assurance at Evaluation Assurance Level (EAL) 4. The design was then tested against the Protection Profile Evaluation (APE) assurance class of ISO/IEC 18045:2022 and declared to meet the criteria of the ISO/IEC 15408 series.
Copyright (c) 2023 Yhufi Gustiviana
This work is licensed under a Creative Commons Attribution 4.0 International License.