Background

1985  TCSEC       USA
1991  ITSEC       Europe (France, Germany, Netherlands, UK)
1993  CTCPEC      Canada
1993  FC (draft)  USA

History

June 1993     All collaborate on Common Criteria
January 1996  Version 1.0
October 1997  Version 2.0 Beta
June 1999     ISO 15408 / version 2.1

TCSEC Issues
• non-standard
• inflexible
• not scalable

The Global Information Grid (GIG) and the Common Criteria (CC)

Global Information Grid
• Clinger-Cohen Act of 1996 (reference (d)) and Title 10, U.S.C., Section 2223 (reference (a))
• All DoD and Intelligence Community Computers

Information Assurance G&PM:
5.2.20. Consult the IA Technical Framework (IATF) and published Common Criteria (CC) Protection Profiles for guidance regarding common classes of network and system attacks, interoperability and compatibility with the defense-in-depth strategy, and IA solutions that should be considered to counter attacks.
5.2.21. Acquire IA solutions that have been evaluated using the Common Criteria Evaluation and Validation Scheme based on the National Information Assurance Program (NIAP) process.

NIAP - Collaboration between NIST and NSA for security evaluation

Common Criteria Sections
I. Introduction and General Model
II. Security Functional Requirements
III. Security Assurance Requirements

I. Introduction and General Model
• Defines general concepts and principles of IT security evaluation.
• Provides constructs for defining and selecting security objectives
• Provides guidelines for writing high-level specifications

II. Security Functional Requirements
• Provides functional components

III. Security Assurance Requirements
• Provides assurance requirements
• Evaluation Criteria of PP and ST
• Provides evaluation levels with a predefined scale (EALs)

Common Criteria I. Introduction and General Model

I. Introduction and General Model: Definitions
Target of Evaluation (TOE) — An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.
Protection Profile (PP) — An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
Security Target (ST) — A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

I. Introduction and General Model: Protection Profiles
• Operating System
• Firewall
• Database
• Smart Card
• etc.

I. Introduction and General Model: Security Targets
• NT 4.0
• Oracle 8
• Checkpoint-1
• Visa SmartCard
• etc.

Requirements Structure
• Class
• Family
  - leveling: specifies if components are hierarchic
• Component
  - dependencies: other components that are relied upon

Requirements Structure: CLASS_FAMILY.Component
Class      FIA - Identification and authentication
Family     FIA_UID - User Identification
Component  FIA_UID.1 - Timing of Identification

Common Criteria II. Security Functional Requirements

II. Security Functional Requirements: Hierarchy of Security Functional Requirements
Level      Example
Class      Cryptographic Support
Family     Cryptographic Key Management
Component  Cryptographic Key Generation

II. Security Functional Requirements: Security Functional Component
• Dependencies - Components rely on other components for satisfaction
• Operations
  - Iteration
  - Assignment: FAU_ARP.1.1 The TSF shall take [assignment: list of the least disruptive actions] upon detection of a potential security violation.
  - Selection: FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: minimum, basic, detailed, not specified] level of audit;
  - Refinement

II. Security Functional Requirements: Security Functional Classes
Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE Access
FTP    Trusted Path / Channels

Common Criteria III. Security Assurance Requirements

III. Security Assurance Requirements: Definitions
Package — A reusable set of either functional or assurance components (e.g. an EAL), combined together to satisfy a set of identified security objectives.
Evaluation Assurance Level (EAL) — A package consisting of assurance components from Part 3 that represents a point on the CC predefined assurance scale.

III. Security Assurance Requirements: Hierarchy of Security Assurance Requirements
Level      Example
Class      Delivery and Operation
Family     Delivery
Component  Detection of modification

III. Security Assurance Requirements: Security Assurance Classes
Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance
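The CLASS_FAMILY.Component naming scheme above is what a PP or ST author uses to cite every functional and assurance requirement, so a small parser makes the hierarchy concrete. The following Python is an added example, not code from the slides or from any CC tool: the two class tables are copied from the slides, while the CCRequirement structure, parse_requirement and group_by_class are this example's own design; ADO_DEL.2 is the "Detection of modification" component from the assurance hierarchy slide.

```python
"""Parse Common Criteria requirement identifiers of the form CLASS_FAMILY.Component,
optionally with a trailing element number (e.g. FAU_ARP.1.1).

Added illustration, not from the original slides: the class tables are the ones
listed on the slides (CC v2.1 Part 2 and Part 3 classes); CCRequirement,
parse_requirement and group_by_class are this example's own design.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Security functional classes (Part 2) as listed on the slides.
FUNCTIONAL_CLASSES = {
    "FAU": "Audit",
    "FCO": "Communications",
    "FCS": "Cryptographic Support",
    "FDP": "User Data Protection",
    "FIA": "Identification & Authentication",
    "FMT": "Security Management",
    "FPR": "Privacy",
    "FPT": "Protection of TOE Security Functions",
    "FRU": "Resource Utilization",
    "FTA": "TOE Access",
    "FTP": "Trusted Path / Channels",
}

# Security assurance classes (Part 3) as listed on the slides.
ASSURANCE_CLASSES = {
    "ACM": "Configuration Management",
    "ADO": "Delivery & Operation",
    "ADV": "Development",
    "AGD": "Guidance Documents",
    "ALC": "Life Cycle Support",
    "ATE": "Tests",
    "AVA": "Vulnerability Assessment",
    "APE": "Protection Profile Evaluation",
    "ASE": "Security Target Evaluation",
    "AMA": "Maintenance of Assurance",
}

# CLASS_FAMILY.Component[.Element]: three-letter class starting with F (functional)
# or A (assurance), three-letter family, numeric component, optional numeric element.
_ID_RE = re.compile(
    r"^(?P<cls>[FA][A-Z]{2})_(?P<fam>[A-Z]{3})\.(?P<comp>\d+)(?:\.(?P<elem>\d+))?$"
)


@dataclass(frozen=True)
class CCRequirement:
    kind: str               # "functional" or "assurance"
    cls: str                # e.g. "FIA"
    class_name: str         # e.g. "Identification & Authentication"
    family: str             # e.g. "FIA_UID"
    component: str          # e.g. "FIA_UID.1"
    element: Optional[str]  # e.g. "FAU_ARP.1.1", or None when only a component is cited


def parse_requirement(identifier: str) -> CCRequirement:
    """Split an identifier into class/family/component parts and resolve the class name.

    Raises ValueError for identifiers that do not follow CLASS_FAMILY.Component or
    whose class is not one of the Part 2 / Part 3 classes listed on the slides.
    """
    m = _ID_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"not a CLASS_FAMILY.Component identifier: {identifier!r}")
    cls, fam, comp, elem = m.group("cls", "fam", "comp", "elem")
    if cls in FUNCTIONAL_CLASSES:
        kind, class_name = "functional", FUNCTIONAL_CLASSES[cls]
    elif cls in ASSURANCE_CLASSES:
        kind, class_name = "assurance", ASSURANCE_CLASSES[cls]
    else:
        raise ValueError(f"unknown CC class {cls!r} in {identifier!r}")
    family = f"{cls}_{fam}"
    component = f"{family}.{comp}"
    element = f"{component}.{elem}" if elem is not None else None
    return CCRequirement(kind, cls, class_name, family, component, element)


def group_by_class(identifiers):
    """Group requirement identifiers (e.g. the SFR list of an ST) by class, the way a
    PP or ST presents them; returns {class_name: sorted list of component ids}."""
    groups = {}
    for ident in identifiers:
        req = parse_requirement(ident)
        groups.setdefault(req.class_name, set()).add(req.component)
    return {name: sorted(comps) for name, comps in groups.items()}


if __name__ == "__main__":
    # Identifiers taken from the slides, plus the ADO_DEL.2 assurance component.
    for ident in ("FIA_UID.1", "FAU_ARP.1.1", "FAU_GEN.1.1", "ADO_DEL.2"):
        print(parse_requirement(ident))
    print(group_by_class(["FIA_UID.1", "FAU_ARP.1.1", "FAU_GEN.1.1"]))
```

Element identifiers such as FAU_ARP.1.1 are the individual "The TSF shall ..." statements on which the assignment and selection operations are performed; the component (FAU_ARP.1) is the unit that carries the leveling and dependency information.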
III. Security Assurance Requirements: Evaluation Assurance Levels
EAL   Rough TCSEC equivalent  Features
EAL1  N/A                     Functionally tested
EAL2  C1                      Structurally tested; Good commercial practice
EAL3  C2                      Methodically tested; Proactive security design
EAL4  B1                      Methodically designed, tested, and checked; Maximum assurance without specialized knowledge; Likely maximum for security retrofit
EAL5  B2                      Semiformally designed and tested; Includes covert channel analysis; Development environment controls
EAL6  B3                      Semiformally verified design and tested; Structured development process; Modular and layered design
EAL7  A1                      Formally verified design

Current Certified Protection Profiles
• C2 = Controlled Access Protection Profile (Version 1.d)
• B1 = Labeled Security Protection Profile (Version 1.b)
• Traffic Filter Firewall Protection Profile for Low Risk Environments (Version 1.d)

Controlled Access Protection Profile (CAPP)
• Version 1.d
• Written by NSA
• Designed to replace C2

C2 vs CAPP
C2 Sections                                  CAPP Sections
2.2.1    Security Policy                     5.2    User Data Policy
2.2.2    Accountability
2.2.2.1  Identification and Authorization    5.3    Identification and Authorization
2.2.2.2  Audit                               5.1    Security Audit
2.2.3    Assurance
2.2.3.1  Operational Assurance               5.5.1  Abstract Machine Testing
                                             5.5.3  Domain Separation
2.2.3.2  Life-Cycle Assurance                6.6    Security Testing
2.2.4    Documentation
2.2.4.1  Security Feature User's Guide       6.4.2  User Guidance
2.2.4.2  Trusted Facility Manual             6.4.1  Administrator Guidance
2.2.4.3  Test Documentation                  6.6.3  Functional Testing
2.2.4.4  Design Documentation                6.3    Development

New Items in CAPP
5.1 Security Audit - lists 19 auditable events
• All modifications to the values of security attributes
• Actions taken due to audit storage failure
5.3.2 Strength of Authentication Data
• Single guess has less than 1/1,000,000 chance
• Multiple attempts in one minute have less than 1/100,000 chance
5.4 Security Management - specifies requirements and roles.
6.2 Delivery and Operation

Labeled Security Protection Profile (LSPP)
• Version 1.b
• Developed by NSA
• Designed to replace B1

B1 vs LSPP
B1 Section                                   LSPP Section
2.1.1    Security Policy                     5.2    User Data Policy
3.1.2    Accountability
3.1.2.1  Identification and Authorization    5.3    Identification and Authorization
3.1.2.2  Audit                               5.1    Security Audit
3.1.3    Assurance
3.1.3.1  Operational Assurance               5.5.1  Abstract Machine Testing
                                             5.5.3  Domain Separation
3.1.3.2  Life-Cycle Assurance                6.6    Security Testing
3.1.4    Documentation
3.1.4.1  Security Feature User's Guide       6.4.2  User Guidance
3.1.4.2  Trusted Facility Manual             6.4.1  Administrator Guidance
3.1.4.3  Test Documentation                  6.6.3  Functional Testing
3.1.4.4  Design Documentation                6.3    Development

New Items in LSPP
5.1 Security Audit - lists 19 auditable events
• All attempts to import user data, including any security attributes
• Actions taken due to audit storage failure
5.3.2 Strength of Authentication Data
• Single guess has less than 1/1,000,000 chance
• Multiple attempts in one minute have less than 1/100,000 chance
5.4 Security Management - specifies requirements and roles.
6.2 Delivery and Operation

ISO/IEC PDTR 15446
• Expands on PPs and STs
• PPs and STs for composite TOEs
• Functional and Assurance Packages
• Generic and Worked Examples

Websites of Interest
Common Criteria
  NIST - csrc.ncsl.nist.gov/cc
  CC Toolbox - niap.nist.gov/tools/cctool.html
Others
  GIG - cno-n6.hq.navy.mil/files.htm
  NIAP - niap.nist.gov
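Both CAPP and LSPP state the 5.3.2 strength-of-authentication requirement as two probabilities: less than 1/1,000,000 for a single random guess and less than 1/100,000 for everything an attacker can try within one minute. The second figure is what ties a minimum secret length to the lockout or throttling an evaluator expects to see. The following Python is an added example, not code from the slides or from the NSA profiles: the AuthPolicy model (alphabet size, minimum length, attempts allowed per minute), the union-bound estimate for the one-minute figure, and the function names are this example's own assumptions; the two sample policies are constructed.

```python
"""Check a password/PIN policy against the CAPP/LSPP 5.3.2 thresholds quoted on the
slides: a single random guess must succeed with probability less than 1/1,000,000,
and all guesses possible in one minute must together succeed with probability
less than 1/100,000.

Added illustration, not from the slides or the NSA profiles: the policy model and
the function names are this example's own assumptions.
"""
from dataclasses import dataclass
from fractions import Fraction

SINGLE_GUESS_LIMIT = Fraction(1, 1_000_000)  # 5.3.2: one random guess
PER_MINUTE_LIMIT = Fraction(1, 100_000)      # 5.3.2: all guesses within one minute


@dataclass(frozen=True)
class AuthPolicy:
    alphabet_size: int        # distinct symbols allowed in the secret
    min_length: int           # shortest secret the mechanism accepts
    attempts_per_minute: int  # guesses the mechanism lets through per minute (throttle/lockout)


def keyspace(policy: AuthPolicy) -> int:
    """Number of distinct secrets of the minimum length, i.e. the weakest secrets a user may pick."""
    return policy.alphabet_size ** policy.min_length


def single_guess_probability(policy: AuthPolicy) -> Fraction:
    """Probability that one uniformly random guess matches a random minimum-length secret."""
    return Fraction(1, keyspace(policy))


def per_minute_probability(policy: AuthPolicy) -> Fraction:
    """Upper bound on success within one minute: with each guess a distinct secret the
    probabilities add (union bound), capped at 1 once the whole keyspace fits in a minute."""
    return min(Fraction(1), Fraction(policy.attempts_per_minute, keyspace(policy)))


def meets_5_3_2(policy: AuthPolicy) -> dict:
    """Evaluate both thresholds and return the figures an evaluator would record."""
    single = single_guess_probability(policy)
    minute = per_minute_probability(policy)
    return {
        "keyspace": keyspace(policy),
        "single_guess": single,
        "single_guess_ok": single < SINGLE_GUESS_LIMIT,
        "per_minute": minute,
        "per_minute_ok": minute < PER_MINUTE_LIMIT,
        "compliant": single < SINGLE_GUESS_LIMIT and minute < PER_MINUTE_LIMIT,
    }


def max_attempts_per_minute(policy: AuthPolicy) -> int:
    """Largest per-minute attempt budget that keeps the one-minute probability under 1/100,000.
    Returns 0 when even one guess per minute exceeds it (the keyspace is simply too small)."""
    n = keyspace(policy)
    # attempts / n < 1/100,000  <=>  attempts < n / 100,000
    return max((n - 1) // 100_000, 0)  # largest integer strictly below n / 100,000


if __name__ == "__main__":
    # Constructed policies: a 4-digit PIN and an 8-character alphanumeric password,
    # each behind a mechanism that allows 3 attempts per minute.
    pin = AuthPolicy(alphabet_size=10, min_length=4, attempts_per_minute=3)
    pw = AuthPolicy(alphabet_size=62, min_length=8, attempts_per_minute=3)
    for name, pol in (("4-digit PIN", pin), ("8-char password", pw)):
        print(name, meets_5_3_2(pol), "max attempts/min:", max_attempts_per_minute(pol))
```

The 4-digit PIN fails the single-guess test on its own (1/10,000), so no lockout setting can rescue it; the 8-character password passes both tests with a wide margin, and max_attempts_per_minute shows how much throttling headroom such a keyspace leaves. Real mechanisms also need the minimum-length rule enforced at secret selection, otherwise the keyspace figure used here is not the one users actually live in.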