Practical experience of CC3.1 applied on smartcard hardware Wouter Slegers + 31 15 269 2500

Slides:



Advertisements
Similar presentations
© Crown Copyright (2000) Module 2.6 Vulnerability Analysis.
Advertisements

© Crown Copyright (2000) Module 3.1 Evaluation Process.
Security Requirements
Module 1 Evaluation Overview © Crown Copyright (2000)
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
System Integration Verification and Validation
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan
CS 411W - Notes Product Development Documentation.
Effective Design of Trusted Information Systems Luděk Novák,
Policies vs Threats by Albert Dorofeev, Sony Corporation 10 th International Common Criteria Conference, 2009.
IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
Information System Economics IT MAINTENANCE MANAGEMENT.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Software Project Transition Planning
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Illinois Institute of Technology
Quality is about testing early and testing often Joe Apuzzo, Ngozi Nwana, Sweety Varghese Student/Faculty Research Day CSIS Pace University May 6th, 2005.
CS CS 5150 Software Engineering Lecture 20 Acceptance and Delivery.
Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Systems Analysis I Data Flow Diagrams
Chapter 11: Testing The dynamic verification of the behavior of a program on a finite set of test cases, suitable selected from the usually infinite execution.
Design, Implementation and Maintenance
OHT 4.1 Galin, SQA from theory to implementation © Pearson Education Limited 2004 Software Quality assurance (SQA) SWE 333 Dr Khalid Alnafjan
Software Evolution Planning CIS 376 Bruce R. Maxim UM-Dearborn.
Today’s Lecture application controls audit methodology.
Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.
Smartcard Evaluation TM8104 – IT Security Evaluation Linda Ariani Gunawan.
Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.
Chapter 10.
Semester 1, 2003 Week 7 CSE9020 / 1 Software Testing and Quality Assurance With thanks to Shonali Krishnaswamy and Sylvia Tucker.
Information Systems Security Computer System Life Cycle Security.
Evaluating Systems Information Assurance Fall 2010.
David N. Wozei Systems Administrator, IT Auditor.
Project Tracking. Questions... Why should we track a project that is underway? What aspects of a project need tracking?
INT-Evry (Masters IT– Soft Eng)IntegrationTesting.1 (OO) Integration Testing What: Integration testing is a phase of software testing in which.
ETICS2 All Hands Meeting VEGA GmbH INFSOM-RI Uwe Mueller-Wilm Palermo, Oct ETICS Service Management Framework Business Objectives and “Best.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Background. History TCSEC Issues non-standard inflexible not scalable.
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Test vs. inspection Part 2 Tor Stålhane. Testing and inspection A short data analysis.
Common Criteria V3 Overview Presented to P2600 October Brian Smithson.
CMSC : Common Criteria for Computer/IT Systems
Project Scope Management Information Technology Project Management, Fifth Edition Note: some slides have been removed from the author’s original presentation.
Today’s Lecture Covers
1 Common Evaluation Methodology for IT Security Part 2: Evaluation Methodology chapter 5-8 Marie Elisabeth Gaup Moe 06/12/04.
1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.
Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.
Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.
Lecture 13.  Failure mode: when team understands requirements but is unable to meet them.  To ensure that you are building the right system Continually.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
Trusted Operating Systems
TM8104 IT Security EvaluationAutumn Evaluation - the Main Road to IT Security Assurance CC Part 3.
Design Principles and Common Security Related Programming Problems
======!"§==Systems= Technical Guidance for CC Evaluation Wolfgang Killmann T-Systems GEI GmbH.
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
9 th International Common Criteria Conference Report to IEEE P2600 WG Brian Smithson Ricoh Americas Corporation 10/24/2008.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Software Project Configuration Management
Ch.18 Evaluating Systems - Part 2 -
Lecture 09:Software Testing
9th International Common Criteria Conference Report to IEEE P2600 WG
Quality Assurance in Clinical Trials
Unit IV – Chapter 2 V-Test Model.
Presentation transcript:

Practical experience of CC3.1 applied on smartcard hardware Wouter Slegers

page 2brightsight ® your partner in security approval Practical experience of CC3.1 XXX For internal reference. Version d.d Author and course maintainer: Wouter. Please feed back changes to him. Biggest changes since N/A: New version See notes for trainer information Additional improvements to do: Cost analysis (vs CAST-like evaluations)

page 3brightsight ® your partner in security approval Practical experience of CC3.1 Presentation Targets Describe our experiences with CCv3.1 Release 1 on a smartcard IC Practice: What works well? What does not work well (yet)? Theory: What has essentially changed? What is the effort/cost impact of these changes to an evaluation?

page 4brightsight ® your partner in security approval Practical experience of CC3.1 Summary (or: teaser) The feet view: Essentially, not much has changed This is the good and the bad news

page 5brightsight ® your partner in security approval Practical experience of CC3.1 This was made possible by: Developer and Sponsor: Netherlands Scheme for Certification in the area of IT Security (NSCIB) Certification Body: As usual, this presentation is my opinion, I do not speak for others.

page 6brightsight ® your partner in security approval Practical experience of CC3.1 Setting and background Experienced developer, entry into CC world: No existing CCv2.x legacy documentation Choice for new CCv3.x to be at cutting edge Accepting the bleeding edge aspects of this choice Timing relative to other activities on CC smartcard domain: Eurosmart PP (BSI-PP-0002) the choice, but CCv2.x CCv3.1 upgrade of PP and methodology not available at the time Proceeded under estimate that the PP would not significantly change (or an ST would be made stand-alone and match the old PP) Effectively this was parallel evolution to the Eurosmart/ISCI work

page 7brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP, ARC Guidance (AGD) Security Target evaluation (ASE) Evaluation experience so far

page 8brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP, ARC Guidance (AGD) Security Target evaluation (ASE) Most interesting parts (with respect to impact of the CCv3.1 changes)

page 9brightsight ® your partner in security approval Practical experience of CC3.1 Architecture (ADV_ARC) Needs to include a description how the following items are provided: “Security domains” i.e. environments provided “for use by potentially- harmful entities” Startup (“initialisation sequence”) Self protection Non-bypass Includes side channel analysis ALC ATE, AVA ADVAGD AS E

page 10brightsight ® your partner in security approval Practical experience of CC3.1 Architecture (ADV_ARC) Needs to include a description how the following items are provided: “Security domains” i.e. environments provided “for use by potentially- harmful entities” Startup (“initialisation sequence”) Self protection Non-bypass Includes side channel analysis ALC ATE, AVA ADVAGD AS E Essentially sums up what property of smartcard HW we test: To keep secrets secret, except when the software outputs them

page 11brightsight ® your partner in security approval Practical experience of CC3.1 Architecture (ADV_ARC) versus design (ADV_TDS) Something belongs in design (ADV_TDS): If a SFR can/must be mapped to TSFI / subsystem / module Something belongs in architecture (ADV_ARC): Not defined, effectively “the rest” If not explicitly required/covered by SFR but needed for self protection Corollary, architecture (ADV_ARC): is the place to put the security mechanisms that are needed to explain why an attack path will not work in AVA_VAN, But not the security mechanisms that cover the SFRs (or we are duplicating things) So what are the SFRs then? ALC ATE, AVA ADVAGD AS E

page 12brightsight ® your partner in security approval Practical experience of CC3.1 SFRs in smartcard hardware domain Standard smartcard SFRs describe: Protection of the test functionality Not available, and/or Harmless Protection against malfunctioning Prevention, and Detection Protection against leakage/tapping During transport, and During usage... ALC ATE, AVA ADVAGD AS E

page 13brightsight ® your partner in security approval Practical experience of CC3.1 SFRs in smartcard hardware domain Standard smartcard SFRs describe: Protection of the test functionality Not available, and/or Harmless Protection against malfunctioning Prevention, and Detection Protection against leakage/tapping During transport, and During usage... ALC ATE, AVA ADVAGD AS E Also describes what property of smartcard HW we test: To keep secrets secret, except when the software outputs them

page 14brightsight ® your partner in security approval Practical experience of CC3.1 SFRs in smartcard hardware domain Standard smartcard SFRs describe: Protection of the test functionality Not available, and/or Harmless Protection against malfunctioning Prevention, and Detection Protection against leakage/tapping During transport, and During usage... ALC ATE, AVA ADVAGD AS E Most properties of smartcard HW are SFRs, so must be in ADV_TDS, not in ADV_ARC

page 15brightsight ® your partner in security approval Practical experience of CC3.1 What do we do in ADV_ARC then? Our approach: In ADV_TDS describe the full design Including non-bypass & self-protection capabilities Physical countermeasures (even without real interfaces), Sidechannel countermeasures, etc In ADV_ARC describe: For each JIL attack method/path, describe why it cannot be used to bypass the TSF/SFRs I.e. why we cannot break the TSF with that method ALC ATE, AVA ADVAGD AS E

page 16brightsight ® your partner in security approval Practical experience of CC3.1 What do we do in ADV_ARC then? Our approach: In ADV_TDS describe the full design Including non-bypass & self-protection capabilities Physical countermeasures (even without real interfaces), Sidechannel countermeasures, etc In ADV_ARC describe: For each JIL attack method/path, describe why it cannot be used to bypass the TSF/SFRs I.e. why we cannot break the TSF with that method ALC ATE, AVA ADVAGD AS E Architecture becomes the developers reasoning explaining “why you have no chance attacking my TOE” (excellent starting information for evaluators and certifiers)

page 17brightsight ® your partner in security approval Practical experience of CC3.1 ADV_FSP/ADV_TDS experiences Labelling: SFR-enforcing Criterium: Directly implements the SFRs SFR-supporting Everything that the SFR-enforcing parts depend on Criterium: If you remove that part and the SFR-enforcing parts do not function anymore, it is SFR-supporting SFR-non-interfering None of the above, but could impact the SFRs Criterium: if this part misbehaves or is hostile, it can influence the above. None of the above: TOE but not TSF ALC ATE, AVA ADVAGD AS E

page 18brightsight ® your partner in security approval Practical experience of CC3.1 ADV_FSP/ADV_TDS experiences Labelling: SFR-enforcing Criterium: Directly implements the SFRs SFR-supporting Everything that the SFR-enforcing parts depend on Criterium: If you remove that part and the SFR-enforcing parts do not function anymore, it is SFR-supporting SFR-non-interfering None of the above, but could impact the SFRs Criterium: if this part misbehaves or is hostile, it can influence the above. None of the above: TOE but not TSF ALC ATE, AVA ADVAGD AS E No clear separation

page 19brightsight ® your partner in security approval Practical experience of CC3.1 Legend: A = Provide argument S = Summary D = Description Bold = new requirement compared to previous EAL ALC ATE, AVA ADVAGD AS E But the differences in evaluation are minimal

page 20brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP, ARC Guidance (AGD) Security Target evaluation (ASE) Most interesting parts (with respect to impact of the CCv3.1 changes)

page 21brightsight ® your partner in security approval Practical experience of CC3.1 Guidance (AGD_OPE and AGD_PRE) Replaces CCv2.3 AGD_*+ADO_* Major changes: No “administrator” and “user”, now just “users in roles” Acceptance procedure user is included Devided in “Preparative procedures” (AGD_PRE) Receipt of TOE (checking it) Installation “Operational guidance” (AGD_OPE) Day to day running of the system ALC ATE, AVA ADVAGD AS E

page 22brightsight ® your partner in security approval Practical experience of CC3.1 Preparative procedures (AGD_PRE) Describe acceptance process user should follow (former ADO) Checking that the product is the TOE (with all necessary version checks) Checking for modification/masquerading (And the users receiving procedure is checked against the developers shipping procedure in ALC_DEL) Describe installation steps Minimum system requirements for secure installation (?) Requirements due to objectives for environment Any security settings Handling exceptions and problems (!) ALC ATE, AVA ADVAGD AS E Mapped to shipping and first time startup guidance (more procedure oriented, “installation” does not fit smartcard HW life-cycle)

page 23brightsight ® your partner in security approval Practical experience of CC3.1 Operational user guidance (AGD_OPE) How to make “effective use” of the TSF Show modes of operation of the TO including modes after failure, and operational errors Cover “human visible TSFI” one at a time Cover all objectives for the operational environment Should be reasonable and clear Compared to CCv2.3 AGD No big changes Human user argument more explicit ALC ATE, AVA ADVAGD AS E Mapped to programmers guidance (because the program has to follow these rules to make effective use of the TSF in operational use)

page 24brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP, ARC Guidance (AGD) Security Target evaluation (ASE) Most interesting parts (with respect to impact of the CCv3.1 changes)

page 25brightsight ® your partner in security approval Practical experience of CC3.1 Delivery to customer Formerly known as ADO (More) explicitly covers everything from production to user Including warehousing! Checking of this process is more explicitly covered, by one of Site visit Getting the TOE from somewhere in the delivery process Buying the TOE and inspecting it Asking end-users how this is done Note: interacts with AGD_PRE (where the user’s side is checked whether it fits the sending procedures) ALC ATE, AVA ADVAGD AS E

page 26brightsight ® your partner in security approval Practical experience of CC3.1 ALC_DVS 1.Site security must be good Officially: Not defined what is good Unofficially: about the AVA_VAN level 2.+ must argue why it is sufficient CCv2.3 interpretations (in smartcard domain) were different: ALC_DVS.1 = Site security documentation needed, some security ALC_DVS.2 = High security for development environment ALC ATE, AVA ADVAGD AS E

page 27brightsight ® your partner in security approval Practical experience of CC3.1 Summary changes in ALC, ACM CCv2.3 to CCv3.1: Double work collapsed ALC_DVS.2 interpretation has changed (?) ALC_LCD.2 shifted from “standardized” to “measureable” life-cycle More important change: Site certification Allows more re-usable and modular evaluation of sites Formalization of site visit re-use practices in smartcard domain Is likely to reduce site visit load significantly ALC ATE, AVA ADVAGD AS E

page 28brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC), Configuration Management (ACM) Tests (ATE), Vulnerability Assessment (AVA) Development (ADV) with FSP, HLD, LLD, IMP, RCR Delivery and operation (ADO), Guidance (AGD) Security Target evaluation (ASE) Assurance Measures in CCv2.3

page 29brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP, ARC Guidance (AGD) Security Target evaluation (ASE) Assurance Measures in CCv3.1

page 30brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP Guidance (AGD) Security Target evaluation (ASE) Theory: What has essentially changed?

page 31brightsight ® your partner in security approval Practical experience of CC3.1 Threats Organizational Security Policies Assumptions SFRs Assurance Measures Sec. Objectives for the TOE Sec. Objectives for Environment TOE Evaluation SARs SFRs for IT Environment Security Functions ST structure in CCv2.3 ALC ATE, AVA ADVAGD AS E

page 32brightsight ® your partner in security approval Practical experience of CC3.1 Assurance Measures Sec. Objectives for the TOE Threats Organizational Security Policies Assumptions SFRs Sec. Objectives for Environment TOE Evaluation SARs SFRs for IT Environment Security Functions What is used in TOE evaluation in CCv2.3? ALC ATE, AVA ADVAGD AS E

page 33brightsight ® your partner in security approval Practical experience of CC3.1 Threats Organizational Security Policies Assumptions SFRsSARs Sec. Objectives for the TOE Sec. Objectives Operational Environment TOE Evaluation Assurance Rationale ST structure in CCv3.1 ALC ATE, AVA ADVAGD AS E

page 34brightsight ® your partner in security approval Practical experience of CC3.1 Threats Organizational Security Policies Assumptions Sec. Objectives for the TOE SFRsSARs Sec. Objectives Operational Environment TOE Evaluation Assurance Rationale What is used in TOE evaluation in CCv3.1? ALC ATE, AVA ADVAGD AS E

page 35brightsight ® your partner in security approval Practical experience of CC3.1 Threats Organizational Security Policies Assumptions Sec. Objectives for the TOE SFRsSARs Sec. Objectives Operational Environment TOE Evaluation Assurance Rationale Essential change ALC ATE, AVA ADVAGD AS E

page 36brightsight ® your partner in security approval Practical experience of CC3.1 Impact of changes in ASE/CCv3.x (or: philosophical view) CCv2.x structure and result: Tracing SFRs and Security Functions What the TOE does What requirements are to be met CCv3.x structure and result: Tracing the SFRs Describe how the TOE is meeting the requirements ALC ATE, AVA ADVAGD AS E Focus is now more on proving that the TOE meets the requirements (not that the TOE does something interesting)

page 37brightsight ® your partner in security approval Practical experience of CC3.1 Life-cycle support (ALC) Tests (ATE), Vulnerability Assessment (AVA_VAN) Development (ADV) with FSP, TDS, IMP Guidance (AGD) Security Target evaluation (ASE) Clearer insight: Where does the extra effort/money in CC evaluations go?

page 38brightsight ® your partner in security approval Practical experience of CC3.1 Summary With existing SFRs, design (ADV_TDS) and architecture could overlap, but Describing how the JIL attacks are countered is a good basis for the architecture (ADV_ARC) evidence. Overhead of the “CC paperwork for the sake of paperwork” reduced ALC ATE, AVA ADVAGD AS E Focus can now be more on proving that the TOE meets the requirements

page 39brightsight ® your partner in security approval Practical experience of CC3.1 Impact for “standard” smartcard developer

page 40brightsight ® your partner in security approval Practical experience of CC3.1 Questions?

page 41brightsight ® your partner in security approval Practical experience of CC3.1 Contact information Note: the name “TNO ITSEF” has changed to “Brightsight” Brightsight BV Delftechpark XJ Delft The Netherlands Telephone: FAX: Web:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.