SLIDE 1

Security Evaluation

CSM27 Computer Security Dr Hans Georg Schaathun

University of Surrey

Autumn 2008 – Week 8

Dr Hans Georg Schaathun Security Evaluation Autumn 2008 – Week 8 1 / 21

SLIDE 2

Overview

Session objectives

- Discuss advantages and limitations of security evaluations
- Clarify fundamental concepts and terminology in security evaluation
- Give an overview of the Common Criteria, enabling students to find appropriate documentation when needed

SLIDE 5

Overview

Can we trust a secure product/system?

- Do you trust the manufacturer?
- Can you scrutinise and evaluate the product/system yourself?
- Is there an independent evaluation or certification?
- What is the difference between a product and a system? What practical difference does it make for the evaluator?

SLIDE 6

Overview

Evaluation Standards

- TCSEC (Orange Book) – USA 1983–1999
- CTCPEC – Canada 1989
- ITSEC – Europe 1991–2001 (EU Council 1995)
- Common Criteria – Canada, France, Germany, the Netherlands, UK, and USA, 1998–

International treaty: Common Criteria Recognition Agreement
- An Evaluation Scheme is needed to join
- Replaces TCSEC, ITSEC, ...

SLIDE 7

Fundamental Concepts

Target

Product
- generic products, generic requirements
- Security Classes (TCSEC)
- Protection Profile (Common Criteria)

System
- local and individual requirements
- dialogue between security expert and non-expert user


SLIDE 14

Fundamental Concepts

Purpose

Distinctions in the Orange Book:
- Evaluation: assess achievement of claimed properties
- Certification: suitability for a given application
- Accreditation: acceptance for a given application

SLIDE 15

Fundamental Concepts

Method

We have to avoid
- Different results from different evaluations
- Security bugs found after a positive evaluation

Goals: Reproducibility and Repeatability

Two methodologies
- Product-oriented (aka investigational): considers the final product
  Establishes trust in a particular product
- Process-oriented (aka audit-oriented): considers the development process
  (Potentially) establishes trust in a particular producer


SLIDE 18

Fundamental Concepts

Organisational Framework

- Government Agencies (initial US approach)
- Private Enterprises with Government Accreditation
  - Government Certificates (UK 1991)
  - Private Certification (Germany)

What is the contract between . . . ?
- Sponsor
- Evaluator
- Manufacturer


SLIDE 20

Fundamental Concepts

Organisational Challenges

- Consistency across independent agencies: different people make different interpretations
- Interpretation drift: different interpretations at different times

SLIDE 21

Fundamental Concepts

Structure

- Functionality: Which features are provided?
- Effectiveness: Are the features appropriate for the requirements?
- Assurance: How thorough/certain is the evaluation?

The Orange Book couples the three considerations into discrete security classes.
ITSEC assesses the three considerations separately: a flexible framework, open for new requirements.


SLIDE 23

The Common Criteria

The Common Criteria

International Treaty
- Common standards documents
  - CC documents
  - CC Evaluation Methodology (CEM)
- Member states may have different implementations
  - Evaluation Scheme or National Scheme

SLIDE 24

The Common Criteria

Basic Concepts

- Protection Profile (PP): describes the protection needed in a given application scenario
- Security Target (ST): describes the protection provided by (classes of) systems/products
- An ST implements a PP

SLIDE 25

The Common Criteria

Security Functional Requirements

This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.



SLIDE 27

The Common Criteria

Functional Requirements Classes

An example: Communications class (two families)
- Non-repudiation of origin
- Non-repudiation of receipt

Other classes: Cryptographic support, Security Audit, User data protection, . . .


SLIDE 29

The Common Criteria

Security Assurance Requirements

This CC Part 3 defines the assurance requirements of the CC. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance for component TOEs, the composed assurance packages (CAPs) that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of PPs and STs.


SLIDE 31

The Common Criteria

Assurance Classes

Evaluation methodology for every document/product/system/etc.
- APE: Protection Profile Evaluation
- ASE: Security Target Evaluation
- Seven classes relating to the product or system
  - Development
  - Delivery and Operation
  - Tests
  - . . .


SLIDE 34

The Common Criteria

Evaluation Assurance Levels

- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semiformally Designed and Tested
- EAL6: Semiformally Verified Design and Tested
- EAL7: Formally Verified Design and Tested

Levels 5–7 have not been standardised internationally yet.


SLIDE 38

Closing Words

Do we need evaluation standards?

Controversial
- Requirement for government applications
  - The standards are tokens of government trust
  - Standardisation essential for public sector markets
- Little enthusiasm outside the public sector [Gollmann]
  - Some exceptional industries do want standardised evaluation
    - At present: Smart Card Manufacturers
- Evaluation covers one version and one configuration
  - Evaluation takes time – probably not the most recent version

SLIDE 39

Closing Words

Cost and Benefit

Expensive: 10%–40% of development cost
- Fees to the evaluator
- Production of supporting documentation
- Delay to market

Criterion in certain markets
- All depends on the customer

Is the money better spent elsewhere?
- Security Management, etc.?
- Are Quality Standards an alternative?

SLIDE 40

Closing Words

Exercise sheet

Refer to the Common Criteria portal http://www.commoncriteriaportal.org/. Choose one protection profile (PP) which interests you, and the security target (ST) of a product implementing this PP. Compare the PP and the ST, and identify any differences. Based on this comparison, what is your opinion of the product? For which applications is the product suitable?

SLIDE 41

Closing Words

Discussion Exercise

Compare Evaluation and Consultancy. Consultants advise clients on suitable solutions for their applications (including security requirements). Where would you draw the boundary between evaluation and consultancy?
- What do consultants do? What does an evaluation do?
- Are there any situations where you would clearly choose one over the other?