IT Security Evaluation By Sandeep Joshi Common Criteria Common Criteria IT Security Evaluation By Sandeep Joshi Sandeep Joshi Southern Methodist University

Southern Methodist University List of Terms… Term Meaning CC Common Criteria (Official ISO name is Evaluation Criteria for Information Technology Security) Class Grouping of families that share a common focus Component Smallest selectable set of elements Evaluation Assurance Level (EAL) A package consisting of assurance components that represents a point on CC predefined assurance scale Family A grouping of components that share security objective but may differ in emphasis Sandeep Joshi Southern Methodist University

Southern Methodist University List of Terms… Term Meaning Organizational Security Policy One or more security rules, procedures, practices or guidelines imposed by organization upon its operations Package A reusable set of either functional or assurance components, combined together to satisfy set of security policies Protection Profile (PP) An implementation independent set of security requirements Security Target A set of security requirements and specification to be used as a basis for evaluation of identified TOE Semi-Formal Expressed in a restricted syntax language with defined semantics Sandeep Joshi Southern Methodist University

Southern Methodist University List of Terms Term Meaning Target Of Evaluation An IT product or system and its associated administrator and user guidance documentation, that is the subject of evaluation TOE Resource Anything consumable or usable in TOE TOE Security Function (TSF) A set consisting of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of TSP TOE Security Policy (TSP) A set of rules that regulate how assets are managed, protected and distributed within a TOE Trusted Channel A means by which a use and a TSF can communicate with necessary confidence to support TSP Sandeep Joshi Southern Methodist University

Southern Methodist University Common Criteria History… Originated out of three standards ITSEC (Information Technology Security Evaluation Criteria) European Standard, developed in early 1990s, by UK, France, the Netherlands, and Germany TCSEC (Trusted Computer System Evaluation Criteria) Widely known as “Orange Book” Sandeep Joshi Southern Methodist University

Southern Methodist University History… TCSEC (Trusted Computer System Evaluation Criteria) Issued by United States Government National Computer Security Council, as DoD standard 5200.28-STD, December 1985 CTCPEC (Canadian Trusted Computer Product Evaluation Criteria) Sandeep Joshi Southern Methodist University

Southern Methodist University History… First Draft (Version 1.0) was published in January 1996 for comments Version 2.0 was published in 1998, and was accepted by ISO as an Final Committee Draft (FCD) document Version 2.0 became ISO standard sometime in June 1999 with minor, mostly editorial modifications. Sandeep Joshi Southern Methodist University

Southern Methodist University History Two versions of CCs were released since then… Version 2.1 was released in August 1999, and now accepted as ISO-15408 standard Version 2.2, the newest version, released this year (2004). Sandeep Joshi Southern Methodist University

Southern Methodist University Why should we use the CC? What support does CC have? What guarantees do CC-certified/validated products provide? Where should we start, if we want to achieve CC-certificate/validation for our product? Sandeep Joshi Southern Methodist University

What support does CC have?.. National security and standards organizations within Canada, France, Germany, Netherlands, UK and USA worked in collaboration to replace their existing security evaluation criteria (SEC) Sandeep Joshi Southern Methodist University

What support does CC have? Acceptance by ISO will ensure that CC rapidly becomes the world standard for security specification and evaluation Wider choice for evaluated products for consumers Greater understanding of consumer requirements Greater access to markets for developers Sandeep Joshi Southern Methodist University

What guarantees products will provide? A sound basis for confidence that security measures are appropriate to meet a given threat and that they are correctly implemented Quantifies/measures the extent to which security has been assessed Includes an assurance scale, called as Evaluation Assurance Level (EAL) Sandeep Joshi Southern Methodist University

Southern Methodist University Who could be affected? Developers Vendors Common Criteria Accreditors Certifiers Approvers Evaluators Consumers Sandeep Joshi Southern Methodist University

Southern Methodist University What is CC? Overview Building Blocks Security and Functional Requirements Security Assurance Requirements Protection Profiles (PP) Security Targets (ST) Sandeep Joshi Southern Methodist University

Southern Methodist University Overview… Consumer Developer Evaluator Introduction and General Model For background and reference purposes Security Functional Requirements Guidance for formulating statement of requirements Reference when interpreting statements of functional requirements Mandatory to determine if product meets requirements Security Assurance Requirements Guidance formulating level of assurance Reference interpreting assurance requirements Sandeep Joshi Southern Methodist University

Southern Methodist University Overview Sandeep Joshi Southern Methodist University

Southern Methodist University Building Blocks… Security Functional Requirements Grouped into 11 classes Members of each class shares common focus, but differ in emphasis Audit, Cryptographic Support, Communication, User Data Protection, Identification and Authentication, Security Management, Privacy, Protection of TOE security functions, Resource Utilization, TOE Access, Trusted Path/Channels Sandeep Joshi Southern Methodist University

Southern Methodist University Building Blocks Audit class contains 6 families dealing with various aspects of auditing data generation, analysis, event storage etc. Each family contains one or more components Audit data generation has 2 components 1 dealing with generation of audit records 2 dealing with association of user with auditable event Sandeep Joshi Southern Methodist University

Security Assurance Requirements… Grouped into Classes  Families  Components In all 8 basic classes and two special classes for PPs and STs Configuration Management, Guidance Documents, Vulnerability Assessment, Delivery and Operation, Life Cycle Support, Assurance Maintenance, Development, Tests Sandeep Joshi Southern Methodist University

Security Assurance Requirements… Provides 7 predefined assurance packages Known as Evaluation Assurance Levels (EAL) Raising scale of assurance From EAL1 to EAL7 Sandeep Joshi Southern Methodist University

Security Assurance Requirements… EAL1: Functionally Tested Provides evaluation of product as made available to user Independent testing against specification Examination of guidance documents EAL2: Structurally Tested Applicable where developer/user need low  moderate level of assurance For example, legacy systems EAL3: Methodically Tested and Checked Provides analysis supported by “gray box” testing Selective confirmation of test results Sandeep Joshi Southern Methodist University

Security Assurance Requirements… EAL4: Methodically Designed, Tested and Reviewed Low level analysis of design, and subset of implementation Independent search for vulnerability EAL5: Semi-formally Designed and Testes Analysis of complete implementation Supplemented by formal model Semiformal presentation of functional model, and high level design Search for vulnerability must ensure resistance etc Sandeep Joshi Southern Methodist University

Security Assurance Requirements EAL6: Semi-formally Verified design and Tested Analysis with modular and layered approach to design and implementation Plus EAL5 and lower level testing EAL7: Formally Verified design and Tested Evaluation of formal model with, formal presentation of formal specification Evidence of “white-box” testing Sandeep Joshi Southern Methodist University

Southern Methodist University Protection Profiles… What is Protection Profile? Essentially an implementation independent statement of security requirements that is shown to address threats that exists in a specified environment Sandeep Joshi Southern Methodist University

Southern Methodist University Protection Profiles… What it contains? Introduction  PP Identification, PP Overview TOE Description TOE Security Environment  Assumptions, Threats, Organizational Security Policies Security Objectives  For TOE, For Environment IT Security Requirements  TOE Security Requirements Functional Assurance  Security Requirements for IT environment PP Application Notes Rationale  Objectives, Requirements Sandeep Joshi Southern Methodist University

Southern Methodist University Protection Profiles When would you want a PP? When setting standards for particular product type A government wishes to specify security requirements for a class of security products, like firewalls, etc. Or, a firm needs an IT system that addresses its security issues Sandeep Joshi Southern Methodist University

Southern Methodist University Security Targets… What is Security Target? A basis against which evaluation is performed Contains security threats, objectives, requirements, summary specification of functions and assurance measures When is ST Needed? When submitting product for evaluation Sandeep Joshi Southern Methodist University

Southern Methodist University Security Targets… What are the contents of ST Document? Introduction  ST Identification, ST Overview, CC conformance TOE Description TOE Environment  Assumptions, Threats, Organizational Security Policies Security Objectives  For TOE, For environment IT Security Requirements  TOE Security Requirements  Functional, Assurance  Security Requirements for IT environment TOE Summary Specification TOE Security Function, Assurance Measures PP Claims  PP Reference, PP Refinement, Additions Rationale Security Objective Rationale Security Requirements Rationale TOE Summary Specification PP Claims Rationale Sandeep Joshi Southern Methodist University

Southern Methodist University Reference http://csrc.nist.gov/cc/ Sandeep Joshi Southern Methodist University

Southern Methodist University Questions!!! Sandeep Joshi Southern Methodist University