Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University...

Post on 26-Mar-2015


EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS

Ravi Sandhu
George Mason University
Fairfax, Virginia, USA

SECURITY OBJECTIVES

• Secrecy (confidentiality)
• Integrity
• Availability (its violation is denial of service)

SECURITY TECHNIQUES

• Prevention: access control
• Detection: auditing
• Tolerance: practicality

Good prevention and detection both require good authentication as a foundation.

SECURITY TRADEOFFS

Security is traded off against:
• Functionality
• Ease of use
• Cost

ACHIEVING SECURITY

• Policy: what?
• Mechanism: how?
• Assurance: how well?

EVALUATION CRITERIA

[Diagram] The SECURITY TARGET states the Policy and the Assurance required; the PRODUCT supplies the Mechanism. The "??" between them marks the question an evaluation answers: does the product's mechanism satisfy the policy at the claimed level of assurance?

CRITERIA DATES

[Timeline, 1985 to 1995, in order of appearance]
• USA: Orange Book
• Canada: CTCPEC 1.0, 2.0, 3.0
• UK, Germany, France: national criteria
• European Community: ITSEC 1.0, then 1.2
• US Federal Criteria 1.0
• Common Criteria

CRITERIA RELATIONSHIPS

[Diagram, lineage] The USA Orange Book led to national criteria in the UK, Germany, France and Canada; the European ones were harmonised into the European Community ITSEC; the US Federal Criteria (draft) drew on the Orange Book, ITSEC and the Canadian work; the Common Criteria (proposed) aims to unify all of them.

COMMON CRITERIA & PRODUCT EVALUATION: DRIVING FACTORS

• International computer market trends
• Mutual recognition of evaluations
• Compatibility with existing criteria
• System security challenges of the 90's

ORANGE BOOK

ORANGE BOOK CLASSES

(from highest to lowest security)

A1  Verified Design
B3  Security Domains
B2  Structured Protection
B1  Labeled Security Protection
C2  Controlled Access Protection
C1  Discretionary Security Protection
D   Minimal Protection (no security)

ORANGE BOOK CLASSES: UNOFFICIAL VIEW

C1, C2  Simple enhancement of existing systems. No breakage of applications.
B1      Relatively simple enhancement of existing systems. Will break some applications.
B2      Relatively major enhancement of existing systems. Will break many applications.
B3      Failed A1.
A1      Top-down design and implementation of a new system from scratch.

ORANGE BOOK CRITERIA

The requirements fall into four groups:
• Security Policy
• Accountability
• Assurance
• Documentation

SECURITY POLICY

Requirement                          C1  C2  B1  B2  B3  A1
Discretionary Access Control          +   +           +
Object Reuse                              +
Labels                                        +   +
Label Integrity                               +
Exportation of Labeled Information            +
Labeling Human-Readable Output                +
Mandatory Access Control                      +   +
Subject Sensitivity Labels                        +
Device Labels                                     +

+ = requirement added or strengthened at that class (column placement reconstructed from the TCSEC summary chart; the slide's mark counts per row match it)
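The Security Policy table above lists requirement names only. The following is an added illustration, not code from Sandhu's slides, of what the jump from C2 to B1 means in practice: a toy reference monitor that layers mandatory access control (object labels, subject clearances, a level/category lattice) on top of a discretionary ACL check. Users, labels and objects are constructed for the example; the Bell-LaPadula style rules (read down, write up) are one common way to realise the Orange Book's MAC requirement, not a quotation of its text.

```python
# Added illustration (not part of Sandhu's slides): a toy reference monitor that
# layers Orange Book B1-style mandatory access control on top of C2-style
# discretionary access control. Names, labels and the sample objects are made up.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Hierarchical sensitivity levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    user: str
    clearance: Label            # the "subject sensitivity label" required at B2


@dataclass
class Obj:
    name: str
    label: Label                # the object label required from B1 upward
    acl: Dict[str, Set[str]]    # discretionary ACL: user -> {"read", "write"}


def dac_allows(s: Subject, o: Obj, mode: str) -> bool:
    """C1/C2 discretionary check: the owner-managed ACL grants the mode."""
    return mode in o.acl.get(s.user, set())


def mac_allows(s: Subject, o: Obj, mode: str) -> Tuple[bool, str]:
    """B1 mandatory check (Bell-LaPadula style): read down, write up only."""
    if mode == "read":
        # Simple security property: clearance must dominate the object label.
        return s.clearance.dominates(o.label), "simple security"
    if mode == "write":
        # *-property: object label must dominate clearance (no write-down).
        return o.label.dominates(s.clearance), "*-property"
    raise ValueError(f"unknown access mode {mode!r}")


def access(s: Subject, o: Obj, mode: str) -> Tuple[bool, str]:
    """Reference-monitor decision: both DAC and MAC must allow the access.
    Returns (allowed, reason); the reason names the check that blocked it."""
    if not dac_allows(s, o, mode):
        return False, "dac: not granted by ACL"
    ok, rule = mac_allows(s, o, mode)
    if not ok:
        return False, f"mac: {rule} violated"
    return True, "dac and mac allow"


# Constructed sample data (hypothetical users and objects).
alice = Subject("alice", Label("SECRET", frozenset({"NATO"})))
bob = Subject("bob", Label("CONFIDENTIAL"))
carol = Subject("carol", Label("TOP SECRET", frozenset({"NATO"})))

plan = Obj("plan", Label("SECRET", frozenset({"NATO"})),
           {"alice": {"read", "write"}, "bob": {"read"}})
memo = Obj("memo", Label("CONFIDENTIAL"),
           {"alice": {"read", "write"}, "bob": {"read", "write"}})


def demo() -> Dict[str, Tuple[bool, str]]:
    return {
        # bob holds a DAC read right on plan, but his clearance does not
        # dominate SECRET/{NATO}: a C2 system would allow this, a B1 system denies.
        "bob reads plan": access(bob, plan, "read"),
        # alice may read the lower-labelled memo (read down) ...
        "alice reads memo": access(alice, memo, "read"),
        # ... but not write to it: that would move SECRET data down.
        "alice writes memo": access(alice, memo, "write"),
        # carol outranks everything but has no ACL entry: DAC blocks first.
        "carol reads plan": access(carol, plan, "read"),
        # same level, ACL grants write: both checks pass.
        "bob writes memo": access(bob, memo, "write"),
    }


if __name__ == "__main__":
    for case, (allowed, why) in demo().items():
        print(f"{case:18} -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

The point the table makes is visible in the first and third cases: under DAC alone (C1/C2) the owner's ACL is the last word, so "bob reads plan" and "alice writes memo" would succeed; once labels and MAC are required (B1), the monitor denies both regardless of what the ACL says, because a discretionary grant can never override the lattice.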

ACCOUNTABILITY

Requirement                          C1  C2  B1  B2  B3  A1
Identification and Authentication     +   +   +
Audit                                     +   +   +   +
Trusted Path                                      +   +

+ = requirement added or strengthened at that class (column placement reconstructed from the TCSEC summary chart)

ASSURANCE

Requirement                            C1  C2  B1  B2  B3  A1
System Architecture                     +   +   +   +   +
System Integrity                        +
Security Testing                        +   +   +   +   +   +
Design Specification and Verification           +   +   +   +
Covert Channel Analysis                             +   +   +
Trusted Facility Management                         +   +
Configuration Management                            +       +
Trusted Recovery                                        +
Trusted Distribution                                        +

+ = requirement added or strengthened at that class (column placement reconstructed from the TCSEC summary chart)

DOCUMENTATION

Requirement                          C1  C2  B1  B2  B3  A1
Security Features User's Guide        +
Trusted Facility Manual               +   +   +   +   +
Test Documentation                    +           +       +
Design Documentation                  +       +   +   +

+ = requirement added or strengthened at that class (column placement reconstructed from the TCSEC summary chart; the slide shows four marks for Design Documentation, while the TCSEC chart also strengthens it at A1)


ORANGE BOOK CRITICISMS

• Does not address integrity or availability

• Combines policy and assurance in a single linear rating scale

• Mixes policy and mechanism

• Mixes policy and assurance

POLICY VS ASSURANCE

[Diagram] Assurance on the vertical axis, policy on the horizontal axis. The Orange Book classes C1, C2, B1, B2, B3, A1 lie on a single diagonal: each step up raises policy and assurance together, which is the single linear rating scale criticised above.

EUROPEAN ITSEC

POLICY / ASSURANCE UNBUNDLING

[Diagram] In ITSEC an EVALUATION is split into two independent parts:
• POLICY (or FUNCTIONALITY)
• ASSURANCE, itself split into EFFECTIVENESS and CORRECTNESS


POLICY IN ITSEC

• Open ended

• Orange Book classes are grand-fathered in

• Some new classes are identified

ORANGE BOOK POLICY GRAND-FATHERING

ITSEC functionality class    Orange Book class
F-C1                         C1
F-C2                         C2
F-B1                         B1
F-B2                         B2
F-B3                         B3

ITSEC NEW POLICIES

ITSEC   Objective
F-IN    High integrity requirements
F-AV    High availability requirements
F-DI    High data integrity during data exchange
F-DC    High data confidentiality during data exchange
F-DX    Networks with high confidentiality and integrity

Others can be defined as needed.

ASSURANCE: EFFECTIVENESS

Construction
• Suitability analysis
• Binding analysis
• Strength of mechanism analysis
• List of known vulnerabilities in construction

Operation
• Ease of use analysis
• List of known vulnerabilities in operational use

ASSURANCE: CORRECTNESS

ITSEC   Orange Book (very roughly)
E0      D
E1      C1
E2      C2
E3      B1
E4      B2
E5      B3
E6      A1

US DRAFT FEDERAL CRITERIA

INFLUENCES ON FEDERAL CRITERIA

[Diagram] Inputs to the Federal Criteria for IT Security:
• NIST/NSA joint work
• Commercial and independent initiatives
• NIST's IT Security Requirements Study
• Integrity research
• NRC report "GSSP" (the Generally Accepted System Security Principles proposed in Computers at Risk)
• "Minimum Security Functionality Requirements" (MSFR)
• EC ITSEC
• Canada (CTCPEC)
• TPEP and the Orange Book
• Advances in technology

ITSEC EVALUATION

[Diagram] As in the EVALUATION CRITERIA slide: the SECURITY TARGET carries the Policy and Assurance, the PRODUCT carries the Mechanism, and the evaluation (??) checks the product against the security target.

FEDERAL CRITERIA EVALUATION

[Diagram] Two levels of specification, each with a Policy part and an Assurance part:
• PROTECTION PROFILE: customer supplied
• SECURITY TARGET: vendor supplied
• PRODUCT: the Mechanism

Evaluation now asks two questions (the two ?? in the diagram): does the security target satisfy the protection profile, and does the product satisfy the security target?

PROTECTION PROFILE STRUCTURE

A PROTECTION PROFILE has five sections:
• Descriptive Elements Section
• Product Rationale Section
• Functional Requirements Section
• Development Assurance Requirements Section
• Evaluation Assurance Requirements Section

FROM PROFILE TO PRODUCT

[Diagram] A Registry of Protection Profiles holds PP1, PP2, ..., PPn. Each profile is first vetted by a Protection Profile Analysis (PPA, Evaluation 1). A vendor then writes a Security Target (ST) for its product against a registered profile (pp1 ... ppn), and the further evaluation steps (Evaluation 2, Evaluation 3) check the ST and the product, giving evaluated Product 1 ... Product n.

TOWARDS A COMMON CRITERIA

COMMON CRITERIA PLAN

[Diagram] Inputs: Canada CTCPEC 3.0, ITSEC 1.2, Federal Criteria 1.0 and "Orange Book" usage feed the EC-NA (European Community / North America) Alignment, which produces the "Common Criteria". The draft is maintained by a CC Editorial Board and Joint Technical Groups, refined through usage and reviews and public comment, and submitted to ISO SC27 WG3.

Schedule: 1994 was the initial target; 1996 is more likely.

CHALLENGES THAT REMAIN

• Complexities of the open distributed computing and management environments (including use of crypto in conjunction with COMPUSEC)
• "Systems" and composability problems
• Trusted applications development and evaluation methods, including high integrity and high availability systems
• Guidance on using IT security capabilities cost effectively in commercial environments
• Speedy but meaningful product and system evaluations, and evaluation rating maintenance