Common Criteria

Presentation Transcript


  1. Common Criteria
     Dawn Schulte, Leigh Anne Winters
     University of Tulsa - Center for Information Security

  2. Outline
     • What is the Common Criteria?
     • Origins of the Common Criteria
     • Common Criteria Basics
     • Security Functional Requirements
     • Security Assurance Requirements
     • Evaluation Assurance Levels
     • Common Criteria in the US
     • Common Criteria and C&A
     • Centralized Certified Products List

  3. What is the Common Criteria?
     • The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.
     • Standardizes
         • Security Functionality
         • Evaluation Assurance

  4. Origins of the Common Criteria: United Kingdom, Netherlands, United States, France, Germany, Canada

  5. Origins of the Common Criteria

  6. Origins of the Common Criteria
     • Version 1.0 (Jan 1996) – published for comment
     • Version 2.0 (May 1998) – takes account of extensive review
     • Version 2.0 (1999) – adopted by ISO as ISO 15408

  7. Pop Quiz!!
     • Name one of the two areas that CC standardizes.
     • Name one of the six countries that participate in the CC.

  8. Common Criteria: Three Parts
     • Part 1: Intro and General Model
     • Part 2: Security Functional Requirements
     • Part 3: Security Assurance Requirements

  9. Intro and General Model: Definitions
     • Target of Evaluation (TOE) – an IT product or system and its associated administrator and user guidance documentation that is the subject of evaluation.
     • Protection Profile (PP) – an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
     • Security Target (ST) – a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

  10. Common Criteria Users

  11. Pop Quiz!!
     • True or False: The Protection Profile answers the question “What will I provide?”
     • List one interested party in the CC.
     • Name one part of the CC.

  12. Security Functional Requirements
     Security Functional Requirements describe the expected behavior of a TOE.

  13. Security Functionality: Organization
     • The CC security requirements are organized into the hierarchy of
         • Class-Family-Component
     • This hierarchy is provided to help consumers to locate specific security requirements and the right components to combat threats.

  14. Security Functionality: Functional Requirement Classes
     • Audit (FAU)
     • Cryptographic Support (FCS)
     • Communications (FCO)
     • User Data Protection (FDP)
     • Identification and Authentication (FIA)
     • Security Management (FMT)
     • Privacy (FPR)
     • Protection of the TOE Security Functions (FPT)
     • Resource Utilization (FRU)
     • TOE Access (FTA)
     • Trusted Path/Channels (FTP)

  15. Pop Quiz!!
     • Name the levels of the hierarchy.
     • Security Functional Requirements describe the _____ ______ of a TOE.
     • Name one Functional Requirement Class.

  16. Security Assurance
     Grounds for confidence that an IT product or system meets its security objectives.

  17. Security Assurance: How to gain assurance…
     Evaluation Analysis
     • Design representations
     • Flaws
     • Functional tests and results
     • Guidance documents
     • Processes and procedures
     • Penetration testing

  18. Security Assurance: Assurance Requirement Classes
     • Evaluation of PPs and STs
         • Protection Profile Evaluation (APE)
         • Security Target Evaluation (ASE)
     • Evaluation Assurance Classes
         • Configuration Management (ACM)
         • Delivery and Operation (ADO)
         • Development (ADV)
         • Guidance documents (AGD)
         • Life Cycle Support (ALC)
         • Tests (ATE)
         • Vulnerability Assessment (AVA)
     • Assurance Maintenance Class
         • Maintenance of Assurance (AMA)

  19. Pop Quiz!!
     1. Fill in the blank…. Grounds for confidence that an IT product or system meets its _________.
     2. How can you gain assurance?
     3. Name one Assurance Requirement Class.

  20. Why go through the process?
     • Internationally recognized
     • Independent quality mark
     • Some customers may desire a CC Certificate
     • Good marketing

  21. Evaluation Assurance Levels
     • 7 Evaluation Assurance Levels (EAL)
     • Each level offers an increasing level of assurance
     • EAL1-EAL2: Basic Level Assurance
     • EAL3-EAL4: Moderate Level Assurance
     • EAL5-EAL7: High Level Assurance
     • Cost and time required increases with each level
     • Only Levels 1-4 are mutually recognized

  22. EAL1 & EAL2: Basic Level Assurance
     • EAL1 – Functionally Tested
         • Applicable where threats to security are not viewed as serious
         • Provides an evaluation of the TOE as made available to the consumer
         • Independent testing against specification
         • Examination of documentation
     • EAL2 – Structurally Tested
         • Applicable where consumers or designers require a low to moderate level of independently assured security
         • Complete development record not available
         • Legacy Systems, limited developer access, etc.

  23. EAL3 & EAL4: Moderate Level Assurance
     • EAL3 – Methodically Tested and Checked
         • Applicable when developers or users require a moderate level of independently assured security.
         • Thorough investigation of the TOE and its development.
     • EAL4 – Methodically Designed, Tested and Reviewed
         • Highest level at which it is likely to be economically feasible to certify an existing product.
         • Developers must be prepared to incur additional security-specific engineering costs.

  24. EAL5 - EAL7: High Level Assurance
     • EAL5 – Semiformally Designed and Tested
     • EAL6 – Semiformally Verified Design and Tested
     • EAL7 – Formally Verified Design and Tested
     • NOTE: No product has been evaluated at EAL5-7 at this time.

  25. Pop Quiz!!
     1. Give one reason why a developer should have a product CC certified.
     2. Which EAL offers basic assurance with minimal cost and involvement of the developer?
     3. Which EALs are mutually recognized?

  26. Common Criteria in the US
     • National Information Assurance Partnership (NIAP)
         • Established 1997
         • Partnership between NSA and NIST
         • Promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems
     • Common Criteria Evaluation and Validation Scheme (CCEVS)
     • NSTISSP No. 11
         • Effective July 2002, COTS products must be validated by:
             • NIAP CCEVS
             • NIST FIPS Cryptomodule Validation Program

  27. Common Criteria and C&A
     • 2 Parallel Security Processes:
         • Certification and Accreditation (C&A)
         • Evaluation
     • C&A:
         • Provides information to make a decision about the risk of operating an information system.
     • Evaluation:
         • Determines whether an information technology product complies with established standards.
         • Can be used in the DITSCAP process.

  28. Common Criteria and C&A
     • Part of all phases of the DITSCAP process
     • C4.2.3.2. “When the Phase 2 initial certification analysis is completed the system should have a documented security specification,” … “COTS and GOTS products used in the system design must be evaluated to ensure that they have been integrated properly and that their functionality meets the security and operational needs of the system.”
         • DITSCAP APPLICATION MANUAL

  29. Pop Quiz!!
     • What does CCEVS stand for?
     • What two agencies form the National Information Assurance Partnership?
     • Certification and Accreditation provides information to make a decision about the _______ of operating an information system.

  30. Centralized Certified Products List
     • Centralized Certified Products List (CCPL) is produced to assist in the selection of products that will provide an appropriate level of information security.
     • Types of Products:
         • Firewalls, operating systems, switches, VPNs, PKI, guards, biometrics, smart cards, etc.
     • Total list can be found at: www.commoncriteria.org

  31. Evaluated Operating Systems

  32. Last Pop Quiz!!!
     • If you were going to purchase a security product, where could you find the products that had been evaluated by the Common Criteria?
     • Name two types of products that have been evaluated.

  33. For Further Information …
     • Common Criteria: www.commoncriteria.org
     • NIAP: http://naip.nist.gov
     • NSA: www.radium.ncsc.mil
     • United Kingdom: www.cesg.gov.uk/cchtml

  34. Questions?
