University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

Presentation transcript:


Outline
- What is the Common Criteria?
- Origins of the Common Criteria
- Common Criteria Basics
- Security Functional Requirements
- Security Assurance Requirements
- Evaluation Assurance Levels
- Common Criteria in the US
- Common Criteria and C&A
- Centralized Certified Products List

What is the Common Criteria?
The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.
Standardizes:
- Security Functionality
- Evaluation Assurance

Origins of the Common Criteria
- Netherlands
- United States
- Canada
- France
- United Kingdom
- Germany

Origins of the Common Criteria

Origins of the Common Criteria
- Version 1.0 (Jan 1996) – published for comment
- Version 2.0 (May 1998) – takes account of extensive review
- Version 2.0 (1999) – adopted by ISO as ISO 15408

Pop Quiz!!
1. Name one of the two areas that CC standardizes.
2. Name one of the six countries that participate in the CC.

Common Criteria: Three Parts
- Part 1: Intro and General Model
- Part 2: Security Functional Requirements
- Part 3: Security Assurance Requirements

Intro and General Model: Definitions
- Target of Evaluation (TOE) – an IT product or system and its associated administrator and user guidance documentation that is the subject of evaluation.
- Protection Profile (PP) – an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
- Security Target (ST) – a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

Common Criteria Users
User and uses of the Common Criteria:
- Consumers
  - To find requirements for security features that match their own risk assessment.
  - To shop for products that have ratings with those features.
  - To publish their security requirements so that vendors can design products that meet them.
- Developers
  - To select security requirements that they wish to include in their products.
  - To design and build a product in a way that can prove to evaluators that the product meets requirements.
  - To determine their responsibilities in supporting and evaluating their product.
- Evaluators
  - To judge whether or not a product meets its security requirements.
  - Provide a yardstick against which evaluations can be performed.
  - Provide input when forming specific evaluation methods.

Pop Quiz!!
1. True or False: The Protection Profile answers the question “What will I provide?”
2. List one interested party in the CC.
3. Name one part of the CC.

Security Functional Requirements
Security Functional Requirements describe the expected behavior of a TOE.

Security Functionality: Organization
- The CC security requirements are organized into the hierarchy of Class-Family-Component.
- This hierarchy is provided to help consumers locate specific security requirements and the right components to combat threats.

Security Functionality: Functional Requirement Classes
- Audit (FAU)
- Cryptographic Support (FCS)
- Communications (FCO)
- User Data Protection (FDP)
- Identification and Authentication (FIA)
- Security Management (FMT)
- Privacy (FPR)
- Protection of the TOE Security Functions (FPT)
- Resource Utilization (FRU)
- TOE Access (FTA)
- Trusted Path/Channels (FTP)

Pop Quiz!!
1. Name the levels of the hierarchy.
2. Security Functional Requirements describe the _____ ______ of a TOE.
3. Name one Functional Requirement Class.

Security Assurance
Grounds for confidence that an IT product or system meets its security objectives.

Security Assurance: How to gain assurance…
- Evaluation
- Analysis
  - Design representations
  - Flaws
  - Functional tests and results
  - Guidance documents
  - Processes and procedures
  - Penetration testing

Security Assurance: Assurance Requirement Classes
- Evaluation of PPs and STs
  - Protection Profile Evaluation (APE)
  - Security Target Evaluation (ASE)
- Evaluation Assurance Classes
  - Configuration Management (ACM)
  - Delivery and Operation (ADO)
  - Development (ADV)
  - Guidance documents (AGD)
  - Life Cycle Support (ALC)
  - Tests (ATE)
  - Vulnerability Assessment (AVA)
- Assurance Maintenance Class
  - Maintenance of Assurance (AMA)

Pop Quiz!!
1. Fill in the blank: Grounds for confidence that an IT product or system meets its _________.
2. How can you gain assurance?
3. Name one Assurance Requirement Class.

Why go through the process?
- Internationally recognized
- Independent quality mark
- Some customers may desire a CC Certificate
- Good marketing

Evaluation Assurance Levels
7 Evaluation Assurance Levels (EAL)
- Each level offers an increasing level of assurance
  - EAL1-EAL2: Basic Level Assurance
  - EAL3-EAL4: Moderate Level Assurance
  - EAL5-EAL7: High Level Assurance
- Cost and time required increase with each level
- Only Levels 1-4 are mutually recognized

EAL1 & EAL2: Basic Level Assurance
- EAL1 – Functionally Tested
  - Applicable where threats to security are not viewed as serious
  - Provides an evaluation of the TOE as made available to the consumer
    - Independent testing against specification
    - Examination of documentation
- EAL2 – Structurally Tested
  - Applicable where consumers or designers require a low to moderate level of independently assured security
  - Complete development record not available
  - Legacy systems, limited developer access, etc.

EAL3 & EAL4: Moderate Level Assurance
- EAL3 – Methodically Tested and Checked
  - Applicable when developers or users require a moderate level of independently assured security.
  - Thorough investigation of the TOE and its development.
- EAL4 – Methodically Designed, Tested and Reviewed
  - Highest level at which it is likely to be economically feasible to certify an existing product.
  - Developers must be prepared to incur additional security-specific engineering costs.

EAL5 - EAL7: High Level Assurance
- EAL5 – Semiformally Designed and Tested
- EAL6 – Semiformally Verified Design and Tested
- EAL7 – Formally Verified Design and Tested
NOTE: No product has been evaluated at EAL5-7 at this time.

Pop Quiz!!
1. Give one reason why a developer should have a product CC certified.
2. Which EAL offers basic assurance with minimal cost and involvement of the developer?
3. Which EALs are mutually recognized?

Common Criteria in the US
- National Information Assurance Partnership (NIAP)
  - Established 1997
  - Partnership between NSA and NIST
  - Promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems
  - Common Criteria Evaluation and Validation Scheme (CCEVS)
- NSTISSP No. 11
  - Effective July 2002, COTS products must be validated by:
    - NIAP CCEVS
    - NIST FIPS Cryptomodule Validation Program

Common Criteria and C&A
- 2 Parallel Security Processes:
  - Certification and Accreditation (C&A)
  - Evaluation
- C&A:
  - Provides information to make a decision about the risk of operating an information system.
- Evaluation:
  - Determines whether an information technology product complies with established standards.
  - Can be used in the DITSCAP process.

Common Criteria and C&A
- Part of all phases of the DITSCAP process
- “When the Phase 2 initial certification analysis is completed the system should have a documented security specification,” … “COTS and GOTS products used in the system design must be evaluated to ensure that they have been integrated properly and that their functionality meets the security and operational needs of the system.”
  » DITSCAP APPLICATION MANUAL

Pop Quiz!!
1. What does CCEVS stand for?
2. What two agencies form the National Information Assurance Partnership?
3. Certification and Accreditation provides information to make a decision about the _______ of operating an information system.

Centralized Certified Products List
- The Centralized Certified Products List (CCPL) is produced to assist in the selection of products that will provide an appropriate level of information security.
- Types of Products:
  - Firewalls, operating systems, switches, VPNs, PKI, guards, biometrics, smart cards, etc.
- Total list can be found at:

Evaluated Operating Systems

Last Pop Quiz!!!
1. If you were going to purchase a security product, where could you find the products that had been evaluated by the Common Criteria?
2. Name two types of products that have been evaluated.

For Further Information …
- Common Criteria:
- NIAP:
- NSA:
- United Kingdom:

Questions?