Perancangan Spesifikasi Keamanan untuk Pengembangan Aplikasi Secure Chat Berdasarkan Common Criteria For It Security Evaluation
DOI:
https://doi.org/10.25126/jtiik.2021863637Abstrak
Spesifikasi keamanan sangat penting bagi pengembangan aplikasi chatting karena dapat menentukan tingkat keamanan aplikasi yang tentunya akan berdampak pada kepercayaan pengguna. Namun, pengembangan fitur keamanan pada aplikasi yang beredar belum semua didasarkan pada suatu spesifikasi kebutuhan keamanan yang jelas. Misanya, aplikasi Mxit dan QQ Mobile tidak memenuhi satu pun dari tujuh kategori keamanan untuk secure chat yang dikeluarkan oleh Electronic Frontiers Foundtaion (EFF). Bahkan, Yahoo! Messenger belum menerapkan disain keamanan yang baik, misalnya kita tidak dapat memverifikasi identitas kontak kita. Selain itu, Yahoo! Messenger tidak menerapkan perfect forward secrecy. Artinya, fitur keamanan pada beberapa aplikasi chat dikembangkan tidak berdasarkan pada rancangan spesifikasi keamanan. Pada penelitian ini, dilakukan perancangan spesifikasi keamanan untuk pengembangan aplikasi secure chat dengan mengacu pada Common Criteria for IT Security Evaluation Version 3.1:2017. Pada hasil rancangan tersebut, telah ditentukan 28 famili dari 7 kelas Secure Functional Requirement (SFR) yang harus dipenuhi dalam pengembangan aplikasi secure chat. Hasil rancangan telah divalidasi dengan metode expert judgment.
Abstract
Security specifications are very important for chat application development because they can determine the level of its security which, of course, will have an impact on user trust. However, the development of outstanding application security features is not all based on a clear security requirement specification. For example, the Mxit and QQ Mobile applications do not meet any of the seven security categories for secure chat issued by the Electronic Frontier Foundation (EFF). In fact, Yahoo! Messenger has not implemented a good security design, for example, we cannot verify the identity of our contacts and do not apply perfect forward secrecy. This means that security features in some chat applications are developed not based on security specification designs. In this study, the design of security specifications for secure chat application development was carried out by referring to the Common Criteria for IT Security Evaluation Version 3.1: 2017. In the design results, 28 families of 7 classes of Secure Functional Requirements (SFR) have been determined that must be met in the development of secure chat applications. The design result has been validated using expert judgment method.
Downloads
Referensi
ANDROID, “A sweet new take on Android 5.0, Lollipop,” Android, 2019. [Online].
https://android.com/versions/lollipop-5-0/
AMINANTO, M. E. and Sutikno, S., "Development of protection profile and security target for Indonesia electronic ID card (KTP-el) reader based on common criteria V3.1:2012/SNI ISO/IEC15408:2014",
International Conference of Advanced Informatics: Concept, Theory and Application (ICAICTA), Bandung, 2014, pp. 1-6
Common Criteria1, “Common Criteria for Information Technology Security Evaluation Part 1 : Introduction and general model, Revision 5, 2017
Common Criteria2, “Common Criteria for Information Technology Security Evaluation Part 2 : Security functional components, Revision 5, 2017
Common Criteria3, “Common Criteria for Information Technology Security Evaluation Part 3 : Security assurance components, 2012
DASHTINEJAD, P., “Security System for Mobile Messaging Applications,” KTH University, 2015.
https://www.diva-portal.org/smash/get/diva/ 3A813095/fulltext01.pdf
DONOHUE, B., 11 Unsecure Mobile and Internet Messaging Apps, 2014 https://www.kaspersky.com/blog/11_unsecure_messengers/ 6806/ diakses 6 Agustus 2020
eVAULT, Technologies Sdn.Bhd, “SecureMi® Version 1.2 Security Target 0.13 4”, 2017, pp. 1–60
https://commoncriteriaportal.org/files/epfiles/ SecureMi-1.2-Security-Target-v0.13.pdf
HARPE, R. “Secure Messages Protection Profile,” vol. 1, no. 44, pp. 1–44, 2018
https://commoncriteriaportal.org/files/epfiles/ Secure-Messages-PP-v1.1.pdf
ISO, “ISO/IEC TR: 15446: Information Technology - Security Techniques - Guidance for the Production of Protection Profiles and Security Targets”, International Organization for Standardization, Geneva, 2017
MADDEN, M. et al., "Public Perceptions of Privacy and Security in the Post-Snowden Era", 2014, https://pewresearch.org/internet/2014/11/12/public-privacy-perceptions/
NOBARI,A. D. et al., "Analysis of Telegram, An Instant Messaging Service", Proceedings of the 2017 ACM on Conference on Information and Knowledge Management, 2017, pp.2035–2038,
OFFERMANN, P. and Platz, E.R., “Outline of a Design Science Research Process,” Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology, May 2009 Article No.: 7 pp. 1–11
OWASP, “Mobile Top 10 2016-Top 10,” Open Web Application Security Project, 2016. [Online].
https://owasp.org/index.php/Mobile_Top_10_2016-Top_10.
PERSSON, S., “Security Target for Dencrypt Talk Version 1.0,” pp. 1–39, 2017.
https://commoncriteriaportal.org/files/epfiles/ Security-Target-for-Dencrypt-Talk-version-1.0.pdf
REMOND, M., “ejabberd Massive Scalability: 1 Node — 2+ Million Concurrent Users,” ejabberd, XMPP, 2016. Online:
SABAH, N. et al., “Developing an End-to-End secure chat Application,” Int. J. Comput. Sci. Netw. Secur., vol. 17, no. 11, pp. 108–113, 2017
Signal, “Signal Specification,” 2019. Online:
Telegram, “Telegram FAQ,” 2019. Online: https://telegram.org/faq#q-what-is-telegram-what-do-i-do-here.
UNGER, N. et al., "SoK: Secure Messaging," 2015 IEEE Symposium on Security and Privacy, San Jose, CA, 2015, pp. 232-249, doi: 10.1109/SP.2015.22.
Viber1, “Rakuten Viber Features,” Rakuten Viber, 2019. Online: https://viber.com/features/
Viber2, “Viber Encryption Overview,” 2019. https://viber.com/app/uploads/viber-encryption-overview.pdf
WhatsApp, “WhatsApp Encryption Overview”, Technical White Paper, p. 11, 2017 https://whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
XecureIT, Pesankita, 2017, online: https://pesan.kita.id/
Unduhan
Diterbitkan
Terbitan
Bagian
Lisensi
Artikel ini berlisensi Creative Common Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Penulis yang menerbitkan di jurnal ini menyetujui ketentuan berikut:
- Penulis menyimpan hak cipta dan memberikan jurnal hak penerbitan pertama naskah secara simultan dengan lisensi di bawah Creative Common Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) yang mengizinkan orang lain untuk berbagi pekerjaan dengan sebuah pernyataan kepenulisan pekerjaan dan penerbitan awal di jurnal ini.
- Penulis bisa memasukkan ke dalam penyusunan kontraktual tambahan terpisah untuk distribusi non ekslusif versi kaya terbitan jurnal (contoh: mempostingnya ke repositori institusional atau menerbitkannya dalam sebuah buku), dengan pengakuan penerbitan awalnya di jurnal ini.
- Penulis diizinkan dan didorong untuk mem-posting karya mereka online (contoh: di repositori institusional atau di website mereka) sebelum dan selama proses penyerahan, karena dapat mengarahkan ke pertukaran produktif, seperti halnya sitiran yang lebih awal dan lebih hebat dari karya yang diterbitkan. (Lihat Efek Akses Terbuka).
