You say to-mah-to, I say to-mae-to: why isn't there a single solution to Information Security Assurance? Apostol Vassilev, atsec information security & NetIDSys, Inc.


1 You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance? Apostol Vassilev atsec information security & NetIDSys, Inc.

2 The problem of information security assurance
- There is a plethora of "secure" software and hardware products, often designed to meet similar customer information security needs
- How can we say which ones are better/more secure?
- Can the consumers decide for themselves?
- Can we leave it up to market forces to weed out the bad products and identify the best solutions?

3 Outline
- Introduce a couple of major information security assurance standards
  - Common Criteria
  - Federal Information Processing Standard (FIPS)
- Current trends
- Conclusions

4 The CC standard for IT security evaluation: Common Criteria

5 Formalization of assurance and certification
Certification definition according to the German standard DIN 45020: a measure by an impartial third party that shows there is reasonable confidence that a correctly identified product, process or service is in accordance with a specified standard or another normative document.
E.g. certification by the BSI (Germany) or NIAP (USA) together with licensed and accredited evaluation labs, which shows that there is reasonable confidence in the correct implementation and effectiveness of the IT security of the specified IT product.

6 The path to CC
- Orange Book (TCSEC), 1985
- UK Confidence Levels, 1989
- German Criteria and French Criteria, merged into ITSEC, 1991
- Canadian Criteria (CTCPEC), 1993
- Federal Criteria Draft, 1993
- Common Criteria v1.0, 1996
- v2.0, 1998
- v2.1, 1999
- v2.3 = ISO 15408, 2005
- v3.1, 2006 (ISO 15408 on v3.x: coming in 2008)

7 Participating Nations and Agencies
- Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI)
- France: Direction Centrale de la Sécurité des Systèmes d'Information (DCSSI)
- UK: Communications-Electronics Security Group (CESG)
- Netherlands: Netherlands National Communications Security Agency (NLNCSA)
- Canada: Communications Security Establishment (CSE)
- USA: National Security Agency (NSA) and National Institute of Standards and Technology (NIST)
- Australia and New Zealand: the Defence Signals Directorate and the Government Communications Security Bureau, respectively
- Japan: Information Technology Promotion Agency
- Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional

8 Objectives of the CC standard
- Common criteria for products and systems, based on the existing criteria of the U.S. and Europe
- ISO standardization: an international basis for developers
- Comparability of security evaluation results: international mutual recognition of certificates
- Improved availability of high-quality security technology

9 International Recognition of CC
Australia/New Zealand, Netherlands, USA, Canada, France, Germany, Sweden, UK, Japan, Korea, Norway, Spain, Italy, Finland, Austria, Hungary, Turkey, Czech Rep., India, Israel, Singapore, Denmark, Greece, Malaysia

10 CC Evaluation Approach
- Axiomatic, resembles a math theorem proof
- Security Problem Definition
  - Target of Evaluation (TOE): the product
  - Threats, assumptions, security policies
- Security Objectives for the TOE and its operational environment
- Assurance claims
  - Typically stated as Evaluation Assurance Levels (EAL), EAL1 to EAL7
- Proof

11 Certification procedure
Flow diagram: the applicant submits an application, the product and its evidence; the evaluation lab evaluates them and produces an evaluation report; the certification body supervises the evaluation, receives the evaluation report, and issues the certificate and the certification report to the applicant.

12 Evaluation labs (BSI / WTD 81)
- atsec information security – leader in OS evaluation
- Atos Origin GmbH
- CSC Deutschland Solutions GmbH
- Datenschutz nord GmbH
- Deutsches Forschungszentrum für künstliche Intelligenz GmbH
- Industrieanlagen-Betriebsgesellschaft (IABG) mbH
- Media transfer AG
- Secunet SWISSiT AG
- SRC Security Research & Consulting GmbH
- Tele Consulting GmbH
- TNO-ITSEF BV
- T-Systems GEI GmbH
- TÜV Informationstechnik GmbH

13 Responsibility of the Evaluator (DIN 17025)
- impartial
- neutral
- technically competent
- technically independent

14 Shortcomings of the CC standard
- Does not evaluate the cryptography in security products: no cryptanalysis
- Does not take risk into account: assumptions are assumed to hold absolutely
- Tends to be expensive/time consuming

15 FIPS: An Overview
- FIPS are a series of U.S. Federal Information Processing Standards.
- FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST.
- They are not mandatory for individual states, but are often used by them.
- They are often adopted by non-government agencies or large corporations.

16 FIPS 140-2
- FIPS 140-2 was published in 2001.
- Change notices were added in 2002.
- FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development.
- Mandatory for federal agencies

17 What is a Cryptographic Module?
- Can be hardware, software, firmware, or hybrid
- Performing certain security functionality
- With specific logical/physical boundaries

18 FIPS 140-2: Functional Areas
- FIPS 140-2 is divided into 11 functional areas.
- Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets.
- The module as a whole is awarded an "Overall Security Level," which is the lowest level awarded in any of the areas.

19 FIPS 140-2: Functional Areas
1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. EMI/EMC
9. Self-Tests
10. Design Assurance
11. Mitigation of Other Attacks

20 What is the FIPS Validation Program?
Cryptographic Module Validation Program (CMVP), a joint program between:
- the U.S. NIST (National Institute of Standards and Technology)
- the CSE (Communications Security Establishment) of the Government of Canada

21 The Validation Process

22 Cryptographic Algorithm Validation (integral part of module validation)
- Algorithms used in Approved mode must be FIPS-validated.
- This means that they are implemented correctly.
- 50% of newly-tested algorithms fail!
- They are published on a list given at http://csrc.nist.gov/cryptval/vallists.htm.
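The mechanism behind the two points above, and behind the Self-Tests area (9) of slide 19, is the known-answer test (KAT): an implementation is fed a published input and its output is compared against the published answer; a FIPS 140-2 module must run such tests at power-up and refuse all cryptographic services if any fails. The following is an added illustration, not code from the presentation, atsec, or NIST. It uses Python's standard library as the implementation under test, published vectors from FIPS 180 (SHA-1 and SHA-256 of "abc") and RFC 4231 (HMAC-SHA-256 test case 1), and a hypothetical bug constructed here, broken_sha256, which drops the last input byte, to show the kind of "looks fine but is wrong" defect that only a known answer catches.

```python
import hashlib
import hmac

# Known-answer test vectors: (algorithm name, implementation, input, expected hex).
# SHA-1/SHA-256 values are the FIPS 180 "abc" examples; the HMAC value is
# RFC 4231 test case 1 (key = 0x0b repeated 20 times, data = "Hi There").
KATS = [
    ("SHA-1",
     lambda msg: hashlib.sha1(msg).hexdigest(),
     b"abc",
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256",
     lambda msg: hashlib.sha256(msg).hexdigest(),
     b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda msg: hmac.new(b"\x0b" * 20, msg, hashlib.sha256).hexdigest(),
     b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def broken_sha256(msg):
    # Hypothetical defect (constructed for this example): the wrapper silently
    # drops the last byte of the message. The output is still a well-formed
    # 256-bit digest, so nothing short of a known-answer comparison notices.
    return hashlib.sha256(msg[:-1]).hexdigest()


# Same vector set, but with the SHA-256 entry pointed at the broken wrapper.
BROKEN_KATS = [
    (name, broken_sha256 if name == "SHA-256" else impl, msg, expected)
    for name, impl, msg, expected in KATS
]


def run_kats(kats):
    """Run every known-answer test; return the names of the algorithms whose
    output differs from the published answer (empty list = all passed)."""
    return [name for name, impl, msg, expected in kats if impl(msg) != expected]


class CryptoModule:
    """Toy module following the FIPS 140-2 self-test rule: no cryptographic
    service is available until the power-up KATs pass, and any KAT failure
    puts the module into an error state that blocks all services."""

    def __init__(self, kats=KATS):
        self.kats = kats
        self.error_state = True   # nothing is offered before self-tests run
        self.failed = []

    def power_up_self_test(self):
        self.failed = run_kats(self.kats)
        self.error_state = bool(self.failed)
        return not self.error_state

    def services_available(self):
        return not self.error_state

    def _check_state(self):
        if self.error_state:
            raise RuntimeError(
                "module in error state; failed self-tests: %r" % self.failed)

    def sha256(self, data):
        self._check_state()
        return hashlib.sha256(data).hexdigest()

    def hmac_sha256(self, key, data):
        self._check_state()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    good = CryptoModule()
    print("correct implementation passes self-test:", good.power_up_self_test())
    bad = CryptoModule(BROKEN_KATS)
    print("broken implementation passes self-test:", bad.power_up_self_test(),
          "failed:", bad.failed)
```

The validation list the slide points to is the public record of exactly this kind of check, performed by an accredited lab against NIST's vectors rather than by the vendor; the module-level rule that services stay disabled until the tests pass is what turns a one-off algorithm check into a runtime guarantee.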

23 Shortcomings of FIPS 140-2
- Not as tightly specified as CC
  - A lot of room for interpretation; hence repeatability of evaluation results is not guaranteed.
- Limited to USA and Canada

24 Current trends
- Combinations of the two major standards
  - Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified
  - Ensures all security aspects are thoroughly looked at
  - May incur substantial cost

25 Conclusions
- Information security assurance is needed to provide the consumer with guarantees for the technology they acquire
- Two major standards exist (CC and FIPS 140-2)
  - Different strengths and weaknesses
  - Generally complementary to each other
  - Increasingly used together in situations that require high assurance

