Common Criteria

1
Common Criteria

• May-Lis Farnes

2
Agenda

• Business needs and advantages of CC?
• What is CC?
• Roles and method description
• Accreditation and certification CC
• Status
• How to organise the work
• Good examples
• Future trends
• Common Criteria Conference in Sweden 2003
• Further readings

3
What is Common Criteria (CC)?

• A standardised method for security evaluation of
  IT-products (and system)
• Version 2.1 the same as ISO/IEC-15408

4
Origins of Common Criteria
5
Sponsoring organisation
National Institute of Standards and
Technology, National Security Agency
Communications Security Establishment
Communications-Electronic Security Group
Bundesamt fur Sicherbeit in der
Informationstechnik
Service Central de la Securite des Systemes
dInformation
National Institute of Standards and
Technology National Security Agency
6
Common Criteria Recognition Arrangement (CCRA)

• CCRA
• International arrangement to recognise Common
  Criteria certificates authorised by any other
  certificate authorising participant in accordance
  with the terms of this Arrangement and applicable
  laws and regulations of the participant country
• Participants are government organisations or
  government agencies representing their country or
  countries
• National signatory
• The national organisation who is signatory and
  participant of the CCRA.

7
Common Criteria Recognition Arrangement, CCRA

• 16 Members Australia, Austria, Canada, Finland,
  France, Germany , Greece, Israel, Italy, the
  Netherlands, New Zealand, Norway, Spain, Sweden,
  the United Kingdom, the United States
• Coming soon Japan

8
Why Common Criteria?

• To ensure that security in IT-products is
  evaluated in relation to the estimated risks
• Need for a common method enabling comparison of
  IT security
• International support and co-operation

9
Certification

• Products can be certified to have followed sound
  security standards in design and development
• Different levels of security assurance possible
  (EAL)
• Possible to compare evaluation results
• Certification is done through a certification body

10
Stake holders
Accreditation bodies
Manufacturers/ Product developers
Product vendors
Common Criteria
Certification bodies
Customers/ Consumer
Evaluators
Associations
11
Benefits from CC

• Consumers can chose products that have a
  demonstrated security assurance level
• Manufacturers can promote their product by
  showing proofs of proper, evaluated security
  design
• Evaluation is performed by independent parties
• Align separate criteria (US, Europe etc)

12
Consumer demands on evaluated products

• How was the evaluation performed?
• What features of the product are covered?
• Who authorised the evaluation?
• Which evaluation level and what does that mean?

13
Use of CC

• Procurement Specifications
• Product Development
• Evaluation Programs
• Certification and Accreditation

14
Overview of evaluation process
Evaluation Facility
Eval. report
Certification Body
Product
Manufacturer
Customer/Consumer
15
Evaluation Assurance Levels
CC EAL0 EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7
Description functionally tested structurally
tested methodically tested and checked methodicall
y design, tested reviewed semiformally design
and tested semiformally verified design and
tested formally verified design and tested
16
Methodology

• Define Target of Evaluation, ToE (the product /
  system)
• Specify security functionality using standardised
  Protection Profiles, PP
• Specify specific Security Target, ST
• Requirements for IT security in two parts
• functional
• assurance

17
Key ConceptsProtection Profile, PP

• Protection Profile
• formal document with a set of security
  requirements
• for a specific category of product (e.g.
  Operating systems, databases etc)
• implementation independent
• reusable and available
• aid in procurement formulations

18
Key ConceptsProtection Profile, PP

• Protection Profile basic contents
• TOE category description / application context
• Threats / security environment
• Security objectives
• Functional requirements
• Assurance level and components requirements

19
Key ConceptsSecurity Target, ST

• Security Target
• Security objectives for a specific product (e.g.
  Sun OS 4.7.4)
• Defines functional measures
• Defines assurance measures
• Not openly available

20
Key ConceptsSecurity Target, ST

• Security Target basic contents
• TOE type description, usage and IT-features
• Threats / security environment
• Security objectives
• TOE IT-security - functional and assurance
  requirements
• TOE Summary Specification
• CC Conformance Claim
• PP Claims

21
Definitions

• IT Security Evaluation Facility (EF)
• An independent evaluation laboratory
• Performs evaluations of TOE and PP
• Produces Evaluation Technical Report
• Certification Body (CB)
• Validates CC evaluation performed by evaluation
  laboratories (EF)
• Produces Certification Report

22
Accreditation
Common Criteria Recognition Arrangement (CCRA)

SWEDAC
Certification Body (CB)
supervision
IT Security Evaluation Facility (EF)
23
Evaluation methodology

• Common Evaluation Methodology (CEM)
• Document detailing the security evaluation method
  for CC
• Evaluation and Certification Scheme (ECS)
• Describes how the Evaluation Facility and the
  Certification Body should perform their
  evaluation and certification.

24
Reports

• Evaluation Technical Report
• Reflects the results of the CC evaluation.
• Prepared by the Evaluation Facility
• CB use the report in the Certification/Validation
  Report
• Certification/Validation Report
• Public document published by a Certification Body
• Summarises the results from certification /
  validation.
• Documents that the evaluation has been performed
  correctly
• Common Criteria certificate
• Public document that provides basic information
  about the certified product. There must be a
  connection to the certification/validation report

25
CC evaluation
26
Certification

• Common Criteria certificate issued bear this
  mark.
• Confirms that the Common Criteria certificate has
  been authorised.
• The mark may be used by vendors in conjunction
  with advertising, marketing, and sales of the
  product for which the certificate is issued.

27
Evaluation
28
Examples, Evaluated Products

• Sun Solaris 8 Operating environment, EAL4
• Windows 2000 Professional, EAL4
• Symantec Enterprise Firewall v7.0, EAL4
• Oracle 9i Release 9.2.0.1.0 (EAL4 in eval.)
• Nokia IPSO Version 3.5, (EAL4 in eval.)
• Smart Cards

29
The regulatory area

• The new digital Tachograph
• Appendix 1B Technical specification
• Security evaluation, ITSEC

30
How to organise work

• Not a simple process
• Takes time and requires resource
• Awareness
• Structured and well thought out
• Can be hard to find expertise

31
Status in Sweden and other countries Evaluation
laboratories

• Sweden under development
• France 4
• Germany 9
• UK 5
• USA 7
• Canada 3
• Australia NZ 3

32
Statistics

• 31 Evaluation Facilities (World wide)
• 18 certified Protection Profiles (PP)
• Registered by CCRA
• 12 drafted or developed PPs
• Registered by CCRA
• Over 70 evaluated products

33
Development of PPs

• Over half of the certified Protection Profiles
  have been developed by
• National Security Agency, NSA
• National Institute of Standards and Technology,
  NIST
• Other examples include
• Oracle
• Consignia

34
Status CC

• Both old and new
• CCRA has to be renewed?
• Private vs. Military
• Regulatory area will grow?

35
Status CC in Sweden and experience

• Early bird
• The activity on the ISMS area is low and will
  affect CC development
• Private sector and military sector

36
The map
CCRA
PP
ST
Lib
Accreditation body
Certification body
Evaluation labs
Customer
Manufacture
37
Future trends

• Business models
• From Military use to Private and Public sector
  use
• Financing models
• Good examples
• Common and broader understanding Takes time
• Good examples
• Customer demand

38
World Conference

• SWEDAC, are proud to host the 4th International
  Common Criteria Conference, 7 - 9 September 2003
  in Stockholm, Sweden
• http//www.iccconference.com

39
To read more about CC

• Part 1, Introduction and general model, is the
  introduction to the CC. It defines general
  concepts and principles of IT security evaluation
  and presents a general model of evaluation. Part
  1 also presents constructs for expressing IT
  security objectives, for selecting and defining
  IT security requirements, and for writing
  high-level specifications for products and
  systems. In addition, the usefulness of each part
  of the CC is described in terms of each of the
  target audiences.
• Part 2, Security functional requirements,
  establishes a set of security functional
  components as a standard way of expressing the
  security functional requirements for Targets of
  Evaluation (TOEs). Part 2 catalogues the set of
  functional components, families, and classes.
• Part 3, Security assurance requirements,
  establishes a set of assurance components as a
  standard way of expressing the assurance
  requirements for TOEs. Part 3 catalogues the set
  of assurance components, families, and classes.
  Part 3 also defines evaluation criteria for
  Protection Profiles (PPs) and Security Targets
  (STs) and presents evaluation assurance levels
  that define the predefined CC scale for rating
  assurance for TOEs, which is called the
  Evaluation Assurance Levels (EALs).

40
More information

• http//www.commoncriteria.org
• http//csrc.nist.gov/cc/index.html
• http//www.swedac.se
• http//www.bsi.de/cc/