Security Specification Design for Secure Chat Application Development Based on the Common Criteria for IT Security Evaluation

Authors

Amiruddin Amiruddin, Muhammad Faqih Rohmani

Abstract

Security specifications are very important for chat application development because they can determine an application's level of security, which in turn affects user trust. However, not all security features in the applications currently in circulation have been developed from a clear security requirements specification. For example, the Mxit and QQ Mobile applications do not meet any of the seven security categories for secure chat issued by the Electronic Frontier Foundation (EFF). Even Yahoo! Messenger has not implemented a good security design: for example, users cannot verify the identity of their contacts. In addition, Yahoo! Messenger does not implement perfect forward secrecy. This means that the security features in some chat applications were not developed on the basis of a security specification design. In this study, a security specification for secure chat application development was designed with reference to the Common Criteria for IT Security Evaluation Version 3.1:2017. The resulting design identifies 28 families from 7 classes of Secure Functional Requirement (SFR) that must be met in the development of secure chat applications. The design was validated using the expert judgment method.



DOI: http://dx.doi.org/10.25126/jtiik.2021863637