Security Product Evaluations - IEEE (grouper.ieee.org/groups/2600/presentations/IEEECC.pdf)


Page 1

Security Product Evaluations

Common Criteria

Page 2

NIAP Website

www.niap.nist.gov

Page 3

CC Documents

Page 4

Historical Perspective

• US TCSEC: ’83, ’85
• European National & Regional Initiatives: ’89-’93
• Canadian Initiatives: ’89-’93
• NIST’s MSFR: ’90
• ITSEC 1.2: ’91
• ISO Initiatives: ’92--
• Federal Criteria: ’92
• CTCPEC 3: ’93
• Common Criteria Project: ’93--
• Common Criteria 1.0: ’96
• Common Criteria 2.0: ’98
• ISO FDIS 15408: ’99

Page 5

Security Product Evaluations

National Information Assurance Partnership

NIAP Evaluates and Validates Security Solutions Using the Common Criteria

Common Criteria Evaluation and Validation Scheme: The program developed by NIST and NSA as part of the National Information Assurance Partnership (NIAP), establishing an organizational and technical framework to evaluate the trustworthiness of IT products and protection profiles.

Page 6

US Program Overview

• NIAP Accredits Private Testing Labs
• Labs do CC Evaluations of IT Products
• NIAP Reviews & Validates Lab Results
• NIAP Issues CC Certificates to Products
• MRA Nations Recognize Product Cert’s

Page 7

• Booz Allen Hamilton Common Criteria Testing Laboratory

• Cable and Wireless Common Criteria Testing Laboratory

• COACT Inc. CAFE Laboratory

• Computer Sciences Corporation

• Criterian Independent Labs

• CygnaCom Solutions Security Evaluation Laboratory

• InfoGard Laboratories Inc.

• SAIC Common Criteria Testing Laboratory

Common Criteria Testing Laboratory: Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.

Page 8

CC Evaluations

Evaluation: The assessment of an IT product against the Common Criteria using the Common Evaluation Methodology to determine whether or not the claims made are justified; or the assessment of a protection profile against the Common Criteria using the Common Evaluation Methodology to determine if the profile is complete, consistent, technically sound and hence suitable for use as a statement of requirements for one or more TOEs that may be evaluated.

Page 9

EAL Equivalence

• EAL 1 =

• EAL 2 & 3 = Basic Assurance

• EAL 4 = Medium Assurance

• EAL 5, 6 & 7 = High Assurance

Page 10

Evaluation Assurance Levels (EALs): Approximate Backward Compatibility Comparison

| TCSEC* | EAL | Name |
|---|---|---|
| | EAL1 | Functionally Tested |
| C1 | EAL2 | Structurally Tested |
| C2 | EAL3 | Methodically Tested & Checked |
| B1 | EAL4 | Methodically Designed, Tested & Reviewed |
| B2 | EAL5 | Semiformally Designed & Tested |
| B3 | EAL6 | Semiformally Verified Design & Tested |
| A1 | EAL7 | Formally Verified Design & Tested |

*TCSEC = “Trusted Computer Security Evaluation Criteria” -- “Orange Book”

Page 11

Typical CC Evaluations

• EAL 2: 6 to 9 Months, $200 K to $400 K

• EAL 3: 9 to 12 Months, $300 to $500 K

• EAL 4: 1 Year +, $500K +

Page 12

STs PPs

Security Target: A specification of the security required (both functionality and assurance) in a Target of Evaluation (TOE), used as a baseline for evaluation under the CC. The security target specifies the security objectives, the threats to those objectives, and any specific security mechanisms that will be employed.

Protection Profile: An implementation-independent set of security requirements for a category of IT products which meet specific consumer needs.

Page 13

Security Target Contents

• Introduction

• TOE Description

• Security Environment
    - Assumptions
    - Threats
    - Organizational Security Policies

• Security Objectives

• Security Requirements
    - Functional Req’ts
    - Assurance Req’ts

• TOE Summary Specification

• PP Claims

• Rationale

Target of Evaluation: An IT product or group of IT products configured as an IT System and associated documentation that is the subject of a security evaluation under the CC.

Also, a protection profile that is the subject of a security evaluation under the CC.

Page 14

Target Of Evaluation

• Target of Evaluation (TOE)

An IT product or system that is the subject of an evaluation.

• TOE Security Policy (TSP)

The rules that regulate how assets are managed, protected and distributed within a TOE.

• TOE Security Functions (TSF)

All parts of the TOE that must be relied upon for the correct enforcement of the TSP.

Page 15

CC Terminology

Acronym Overload

Page 16

Classes of Security Functional Requirements

| Class | Name |
|---|---|
| FAU | Audit |
| FCO | Communications |
| FCS | Cryptographic Support |
| FDP | User Data Protection |
| FIA | Identification & Authentication |
| FMT | Security Management |
| FPR | Privacy |
| FPT | Protection of TOE Security Functions |
| FRU | Resource Utilization |
| FTA | TOE Access |
| FTP | Trusted Path / Channels |

Page 17

Classes of Security Assurance Requirements

| Class | Name |
|---|---|
| ACM | Configuration Management |
| ADO | Delivery & Operation |
| ADV | Development |
| AGD | Guidance Documents |
| ALC | Life Cycle Support |
| ATE | Tests |
| AVA | Vulnerability Assessment |
| APE | Protection Profile Evaluation |
| ASE | Security Target Evaluation |
| AMA | Maintenance of Assurance |

Page 18

Protection Profile Contents

• Introduction

• TOE Description

• Security Environment
    - Assumptions
    - Threats
    - Organizational Security Policies

• Security Objectives

• Security Requirements

• Functional Req’ts

• Assurance Req’ts

• Rationale

Page 19

Specification of the Attacker

• Corporate Security

• HIPAA / Gramm-Leach-Bliley

• Department of Defense

• Department of Energy

The Security Target Addresses the Sophistication of the Attacker

Protection Profile for Which Consumer ???

Page 20

Using CC

• IT Product Consumers
    - Look for PPs matching your security requirements -- use in procurement specifications

• Consumer Consortia (Users Groups)
    - Use CC to build PPs expressing members’ needs
    - Work with Product Developers to build matching products

• Product Developers
    - Use CC to specify product security capabilities via Security Targets

• Product Evaluators/Validators
    - Use CC-compliant Protection Profiles & Security Targets as yardstick for measuring product compliance

Page 21

Questions?