
IT Security Evaluation

Simone Fischer-Hübner

Why do we need security evaluation?

• To provide a basis for specifying security expectations
• To verify that a computer product/system fulfills the requirements imposed on it
• To establish a metric for the degree of trust that can be placed on a security product/system ("objective yardstick")
• To guide developers on which security is expected
• To fulfil legal requirements (§ 14 German Digital Signature Act, § 17 Digital Signature Ordinance)

Some Security Standards

(Figure: overview of security standards, marking those aiming for evaluation and those presented in this lecture.)

History – Product/System Evaluation

• Trusted Computer System Evaluation Criteria (TCSEC), DoD, 1985
• UK system security confidence levels, 1989
• German IT-Security Criteria, 1989
• French "Blue-White-Red" Book, 1989
• Information Technology Security Evaluation Criteria (ITSEC), EU, 1991
• The Federal Criteria, NIST/NSA, 1992
• Canadian Trusted Computer Product Evaluation Criteria, 1993
• Common Criteria (CC), ISO, 1999

TCSEC

Scope:
• Protection of confidentiality of classified information processed by DoD
• Oriented towards isolated computer systems (mainframes)

Interpretations of TCSEC for other systems:
• Trusted Network Interpretation (Red Book), 1987
• Trusted Database Management System Interpretation (Lavender Book), 1991

• Historic but well known, and the base for most other product evaluation standards
• Also known as "Orange Book"

TCSEC Requirements

TCSEC Hierarchy

• Class D – Minimal Protection (unrated)
• Class C – Discretionary Protection
  • C1 Discretionary Security Protection
  • C2 Controlled Access Protection
• Class B – Mandatory Protection
  • B1 Labeled Security Protection
  • B2 Structured Protection
  • B3 Security Domains
• Class A – Verified Protection
  • A1 Verified Design

Increasing requirements for functionality & quality (from Class D up to A1)

Common Criteria

• Harmonized criteria for the international community for evaluation and recognition
• ISO IS 15408
• Current Version 3.1 from 2006/2007
• Available at: http://www.commoncriteriaportal.org/
• The scope of the Common Criteria covers
  • Systems (specific IT installation with a particular purpose and known operational environment) and
  • Products (hardware/software package that can be incorporated into a variety of systems)

Common Criteria Structure

• Part 1: Introduction and General Model
• Part 2: Security Functional Requirements
• Part 3: Security Assurance Requirements

Target of Evaluation

Target Of Evaluation (TOE): An IT product or system, possibly accompanied by guidance documentation, that is the subject of an evaluation.

Requirements construction and organization

(Figure; Source: Common Criteria)

Requirement expression

• Class: A grouping of families that share a common focus
• Family: A grouping of components that share security objectives but may differ in emphasis or rigor
• Component: The smallest selectable set of elements that may be included in a PP, an ST, or a package

Source: Common criteria

Requirement use

• Package: A reusable set of either functional or assurance components (e.g. an EAL), combined together to satisfy a set of identified security objectives
• Security Target (ST): A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE
• Protection Profile (PP): An implementation-independent, re-usable set of security requirements for a category of TOEs that meet specific consumer needs

Protection Profile

(Figure; Source: Common Criteria)

Protection Profile

• Protection profiles focus on an area specified by the sponsor
• No single repository – e.g. US Government PPs or German BSI PPs
• Example areas: RBAC Profile, Firewall Profiles, IDS Profiles, Biometric Profiles, PKI Profiles, OS Profiles

Functional Security Requirements

• Class FAU: Security audit
• Class FCO: Communication
• Class FCS: Cryptographic support
• Class FDP: User data protection
• Class FIA: Identification and authentication
• Class FMT: Security management
• Class FPR: Privacy
• Class FPT: Protection of the TSF
• Class FRU: Resource utilisation
• Class FTA: TOE access
• Class FTP: Trusted path/channels

Example: FCO Communication

• FCO Non-repudiation of origin (FCO_NRO) ensures that the originator of information cannot successfully deny having sent the information.
• FCO_NRO.1 Selective proof of origin requires the TSF (TOE Security Functions) to provide subjects with the capability to request evidence of the origin of information.
• FCO_NRO.2 Enforced proof of origin requires that the TSF always generate evidence of origin for transmitted information.
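To make the difference between the two components concrete, here is a small model of a TSF that produces evidence of origin as an Ed25519 signature. It is an added illustration, not code from the lecture or from the Common Criteria; the type names, the in-memory key store and the message contents are constructed for the example. With `Enforced=false` the TSF behaves like FCO_NRO.1 (evidence only when a subject asks for it); with `Enforced=true` it behaves like FCO_NRO.2 (evidence for every transmission). The recipient, or later an arbiter, verifies the evidence against the originator's public key, which is what makes the originator's denial fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Evidence of origin as the TSF hands it to a recipient: the message, the
// claimed originator, and a signature only that originator's key can produce.
type Evidence struct {
	Originator string
	Message    []byte
	Signature  []byte
}

// TSF models the TOE Security Functions responsible for evidence of origin.
// Enforced=false behaves like FCO_NRO.1 (evidence only when a subject requests it);
// Enforced=true behaves like FCO_NRO.2 (evidence for every transmission).
// The key handling is a constructed simplification for this example.
type TSF struct {
	Enforced bool
	priv     map[string]ed25519.PrivateKey // originator -> signing key, held by the TSF
	pub      map[string]ed25519.PublicKey  // originator -> verification key, shareable
}

// NewTSF creates a TSF with a fresh Ed25519 key pair for each known originator.
func NewTSF(enforced bool, originators ...string) (*TSF, error) {
	t := &TSF{
		Enforced: enforced,
		priv:     map[string]ed25519.PrivateKey{},
		pub:      map[string]ed25519.PublicKey{},
	}
	for _, o := range originators {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		t.priv[o], t.pub[o] = priv, pub
	}
	return t, nil
}

// Transmit sends msg on behalf of originator. requestEvidence models a subject
// exercising the FCO_NRO.1 capability to ask for proof of origin. The returned
// evidence is nil when the TSF generated none for this transmission.
func (t *TSF) Transmit(originator string, msg []byte, requestEvidence bool) (*Evidence, error) {
	key, ok := t.priv[originator]
	if !ok {
		return nil, errors.New("unknown originator: " + originator)
	}
	if !t.Enforced && !requestEvidence {
		return nil, nil // selective proof of origin: nothing was requested
	}
	return &Evidence{Originator: originator, Message: msg, Signature: ed25519.Sign(key, msg)}, nil
}

// Verify lets the recipient, or later an arbiter, check evidence against the
// originator's public key. A valid signature binds message and originator;
// without the private key nobody else could have produced it.
func (t *TSF) Verify(ev *Evidence) bool {
	if ev == nil {
		return false
	}
	pub, ok := t.pub[ev.Originator]
	return ok && ed25519.Verify(pub, ev.Message, ev.Signature)
}

func main() {
	tsf, err := NewTSF(true, "alice")
	if err != nil {
		panic(err)
	}
	// Constructed sample message; with FCO_NRO.2 behaviour no request is needed.
	ev, _ := tsf.Transmit("alice", []byte("transfer 100 to account 7"), false)
	fmt.Printf("enforced TSF produced evidence: %v, verifies: %v\n", ev != nil, tsf.Verify(ev))
	ev.Message = []byte("transfer 900 to account 7") // altered after transmission
	fmt.Printf("altered message still verifies: %v\n", tsf.Verify(ev))
}
```

The point the model makes is that FCO_NRO.2 removes the decision from the subject: every transmission yields evidence, so a recipient never has to argue that proof should have been requested. Note also that the non-repudiation property rests on the TSF, not the originator's peer, controlling the private key; that binding of key to identity is what an evaluator would look for in the ST.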

Assurance Requirements

• Class ACM: Configuration management
• Class ADO: Delivery and operation
• Class ADV: Development
• Class AGD: Guidance documents
• Class ALC: Life cycle support
• Class ATE: Tests
• Class AVA: Vulnerability assessment

Combination of assurance requirements – Evaluation Assurance Level (EAL)

• EAL1 – functionally tested
• EAL2 – structurally tested
• EAL3 – methodically tested and checked
• EAL4 – methodically designed, tested and reviewed
• EAL5 – semiformally designed and tested
• EAL6 – semiformally verified design and tested
• EAL7 – formally verified design and tested

(Figure annotations: "TOE is designed with evaluation in mind"; "Evaluation is not a primary goal during design")

Combination of assurance requirements – Evaluation Assurance Levels

(Figure; Source: Common Criteria)

Evaluation Preparation

• Initiation: The sponsor starts the process.
• Feasibility study: The evaluator checks whether the evaluation can be performed. A list of evaluation deliverables is included, which all involved parties agree to.

Source: Common Evaluation Methodology for Information Technology Security

Evaluation Conduct

• Evaluation: Review the evaluation deliverables and perform the evaluator actions required by the assurance criteria. Observation reports can be generated during the evaluation.
• Evaluation Technical Report (ETR) is produced: It contains the verdict and its justification.

Source: Common Evaluation Methodology for Information Technology Security

Evaluation Conclusion

• Conformance to CC assessed: The overseer reviews the ETR for conformance with the CC.
• Evaluation Summary Report is generated: It is based on the ETR and includes the result of the overseer review.

Source: Common Evaluation Methodology for Information Technology Security