common criteria

University of Tulsa - Center for Information Security: Common Criteria. Dawn Schulte, Leigh Anne Winters

Post on 24-Jan-2016

Page 1: Common Criteria

University of Tulsa - Center for Information Security

Common Criteria

Dawn Schulte
Leigh Anne Winters

Page 2: Common Criteria

Outline

• What is the Common Criteria?
• Origins of the Common Criteria
• Common Criteria Basics
• Security Functional Requirements
• Security Assurance Requirements
• Evaluation Assurance Levels
• Common Criteria in the US
• Common Criteria and C&A
• Centralized Certified Products List

Page 3: Common Criteria

What is the Common Criteria?

• The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.

• Standardizes
– Security Functionality
– Evaluation Assurance

Page 4: Common Criteria

Origins of the Common Criteria

Netherlands

United States

Canada

France

United Kingdom

Germany

Page 5: Common Criteria

Origins of the Common Criteria

Page 6: Common Criteria

Origins of the Common Criteria

• Version 1.0 (Jan 1996) – published for comment

• Version 2.0 (May 1998) – takes account of extensive review

• Version 2.0 (1999) – adopted by ISO as ISO 15408

Page 7: Common Criteria

Pop Quiz!!

1. Name one of the two areas that CC standardizes.

2. Name one of the six countries that participate in the CC.

Page 8: Common Criteria

Common Criteria: Three Parts

• Part 1: Intro and General Model
• Part 2: Security Functional Requirements
• Part 3: Security Assurance Requirements

Page 9: Common Criteria

Intro and General Model: Definitions

• Target of Evaluation (TOE) – an IT product or system and its associated administrator and user guidance documentation that is the subject of evaluation

• Protection Profile (PP) – an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.

• Security Target (ST) – a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

Page 10: Common Criteria

Common Criteria Users

User: Uses of Common Criteria

• Consumers
– To find requirements for security features that match their own risk assessment.
– To shop for products that have ratings with those features.
– To publish their security requirements so that vendors can design products that meet them.

• Developers
– To select security requirements that they wish to include in their products.
– To design and build a product in a way that can prove to evaluators that the product meets requirements.
– To determine their responsibilities in supporting and evaluating their product.

• Evaluators
– To judge whether or not a product meets its security requirements.
– Provide a yardstick against which evaluations can be performed.
– Provide input when forming specific evaluation methods.

Page 11: Common Criteria

Pop Quiz!!

1. True or False: The Protection Profile answers the question “What will I provide?”

2. List one interested party in the CC.

3. Name one part of the CC.

Page 12: Common Criteria

Security Functional Requirements

Security Functional Requirements describe the expected behavior of a TOE

Page 13: Common Criteria

Security Functionality: Organization

• The CC security requirements are organized into the hierarchy of
– Class-Family-Component

• This hierarchy is provided to help consumers to locate specific security requirements and the right components to combat threats.

Page 14: Common Criteria

Security Functionality: Functional Requirement Classes

• Audit (FAU)
• Cryptographic Support (FCS)
• Communications (FCO)
• User Data Protection (FDP)
• Identification and Authentication (FIA)
• Security Management (FMT)
• Privacy (FPR)
• Protection of the TOE Security Functions (FPT)
• Resource Utilization (FRU)
• TOE Access (FTA)
• Trusted Path/Channels (FTP)

Page 15: Common Criteria

Pop Quiz!!

1. Name the levels of the hierarchy.

2. Security Functional Requirements describe the _____ ______ of a TOE.

3. Name one Functional Requirement Class.

Page 16: Common Criteria

Security Assurance

Grounds for confidence that an IT product or system meets its security objectives.

Page 17: Common Criteria

Security Assurance: How to gain assurance… Evaluation

Analysis
– Design representations
– Flaws
– Functional tests and results
– Guidance documents
– Processes procedures
– Penetration testing

Page 18: Common Criteria

Security Assurance: Assurance Requirement Classes

• Evaluation of PPs and STs
– Protection Profile Evaluation (APE)
– Security Target Evaluation (ASE)

• Evaluation Assurance Classes
– Configuration Management (ACM)
– Delivery and Operation (ADO)
– Development (ADV)
– Guidance documents (AGD)
– Life Cycle Support (ALC)
– Tests (ATE)
– Vulnerability Assessment (AVA)

• Assurance Maintenance Class
– Maintenance of Assurance (AMA)

Page 19: Common Criteria

Pop Quiz!!

1. Fill in the blank: Grounds for confidence that an IT product or system meets its _________.

2. How can you gain assurance?

3. Name one Assurance Requirement Class.

Page 20: Common Criteria

Why go through the process?

• Internationally recognized
• Independent quality mark
• Some customers may desire a CC Certificate
• Good marketing

Page 21: Common Criteria

Evaluation Assurance Levels

• 7 Evaluation Assurance Levels (EAL)
– Each level offers an increasing level of assurance
  • EAL1-EAL2: Basic Level Assurance
  • EAL3-EAL4: Moderate Level Assurance
  • EAL5-EAL7: High Level Assurance
– Cost and time required increase with each level
– Only Levels 1-4 are mutually recognized

Page 22: Common Criteria

EAL1 & EAL2: Basic Level Assurance

• EAL1 – Functionally Tested
– Applicable where threats to security are not viewed as serious
– Provides an evaluation of the TOE as made available to the consumer
  • Independent testing against specification
  • Examination of documentation

• EAL2 – Structurally Tested
– Applicable where consumers or designers require a low to moderate level of independently assured security
– Complete development record not available
– Legacy Systems, limited developer access, etc.

Page 23: Common Criteria

EAL3 & EAL4: Moderate Level Assurance

• EAL3 – Methodically Tested and Checked
– Applicable when developers or users require a moderate level of independently assured security.
– Thorough investigation of the TOE and its development.

• EAL4 – Methodically Designed, Tested and Reviewed
– Highest level at which it is likely to be economically feasible to certify an existing product.
– Developers must be prepared to incur additional security-specific engineering costs.

Page 24: Common Criteria

EAL5 - EAL7: High Level Assurance

• EAL5 – Semiformally Designed and Tested
• EAL6 – Semiformally Verified Design and Tested
• EAL7 – Formally Verified Design and Tested

• NOTE: No product has been evaluated at EAL5-7 at this time.

Page 25: Common Criteria

Pop Quiz!!

1. Give one reason why a developer should have a product CC certified.

2. Which EAL offers basic assurance with minimal cost and involvement of the developer?

3. Which EALs are mutually recognized?

Page 26: Common Criteria

Common Criteria in the US

• National Information Assurance Partnership (NIAP)
– Established 1997
– Partnership between NSA and NIST
– Promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems
– Common Criteria Evaluation and Validation Scheme (CCEVS)

• NSTISSP No. 11
– Effective July 2002, COTS products must be validated by:
  • NIAP CCEVS
  • NIST FIPS Cryptomodule Validation Program

Page 27: Common Criteria

Common Criteria and C&A

• 2 Parallel Security Processes:
– Certification and Accreditation (C&A)
– Evaluation

• C&A:
– Provides information to make a decision about the risk of operating an information system.

• Evaluation:
– Determines whether an information technology product complies with established standards.
– Can be used in the DITSCAP process.

Page 28: Common Criteria

Common Criteria and C&A

• Part of all phases of the DITSCAP process
• C4.2.3.2. “When the Phase 2 initial certification analysis is completed the system should have a documented security specification,” … “COTS and GOTS products used in the system design must be evaluated to ensure that they have been integrated properly and that their functionality meets the security and operational needs of the system.”

» DITSCAP APPLICATION MANUAL

Page 29: Common Criteria

Pop Quiz!!

1. What does CCEVS stand for?

2. What two agencies form the National Information Assurance Partnership?

3. Certification and Accreditation provides information to make a decision about the _______ of operating an information system.

Page 30: Common Criteria

Centralized Certified Products List

• Centralized Certified Products List (CCPL) is produced to assist in the selection of products that will provide an appropriate level of information security.

• Types of Products:
– Firewalls, operating systems, switches, VPNs, PKI, guards, biometrics, smart cards, etc.

• Total list can be found at: www.commoncriteria.org

Page 31: Common Criteria

Evaluated Operating Systems

Page 32: Common Criteria

Last Pop Quiz!!!

1. If you were going to purchase a security product where could you find the products that had been evaluated by the Common Criteria?

2. Name two types of products that have been evaluated.

Page 33: Common Criteria

For Further Information…

• Common Criteria: www.commoncriteria.org
• NIAP: http://naip.nist.gov
• NSA: www.radium.ncsc.mil
• United Kingdom: www.cesg.gov.uk/cchtml

Page 34: Common Criteria

Questions?