Title Slide - PowerPoint PPT Presentation

Slides: 36
Provided by: rav67

Transcript and Presenter's Notes

1
Title Slide
EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS
Ravi Sandhu
George Mason University
Fairfax, Virginia USA

2
SECURITY OBJECTIVES
SECRECY (CONFIDENTIALITY)
AVAILABILITY (DENIAL OF SERVICE)
INTEGRITY
3
SECURITY TECHNIQUES
  • Prevention: access control
  • Detection: auditing
  • Tolerance: practicality

Good prevention and detection both require good authentication as a foundation.
4
SECURITY TRADEOFFS
SECURITY
COST
FUNCTIONALITY
EASE OF USE
5
ACHIEVING SECURITY
  • Policy: what?
  • Mechanism: how?
  • Assurance: how well?

6
EVALUATION CRITERIA
SECURITY TARGET
Policy Assurance
PRODUCT
Mechanism
??
7
CRITERIA DATES
USA ORANGE BOOK
Canadian CTCPEC 1.0, 2.0, 3.0
UK, Germany, France
European Community ITSEC 1.0, 1.2
US Federal Criteria 1.0
Common Criteria
8
CRITERIA RELATIONSHIPS
9
DRIVING FACTORS
INTERNATIONAL COMPUTER MARKET TRENDS
COMPATIBILITY WITH EXISTING CRITERIA
COMMON CRITERIA PRODUCT EVALUATION
SYSTEM SECURITY CHALLENGES OF THE 90'S
MUTUAL RECOGNITION OF EVALUATIONS
10
ORANGE BOOK
USA ORANGE BOOK
UK
Germany
France
Canada
European Community ITSEC
Federal Criteria DRAFT
Common Criteria PROPOSED
11
ORANGE BOOK CLASSES
HIGH SECURITY
  • A1 Verified Design
  • B3 Security Domains
  • B2 Structured Protection
  • B1 Labeled Security Protection
  • C2 Controlled Access Protection
  • C1 Discretionary Security Protection
  • D Minimal Protection

NO SECURITY
12
ORANGE BOOK CLASSES: UNOFFICIAL VIEW
  • C1, C2: Simple enhancement of existing systems.
    No breakage of applications.
  • B1: Relatively simple enhancement of existing
    systems. Will break some applications.
  • B2: Relatively major enhancement of existing
    systems. Will break many applications.
  • B3: Failed A1
  • A1: Top-down design and implementation of a new
    system from scratch

13
ORANGE BOOK CRITERIA
SECURITY POLICY
ACCOUNTABILITY
ASSURANCE
DOCUMENTATION
14
SECURITY POLICY
  • C1 C2 B1 B2 B3 A1
  • Discretionary Access Control
  • Object Reuse
  • Labels
  • Label Integrity
  • Exportation of Labeled Information
  • Labeling Human-Readable Output
  • Mandatory Access Control
  • Subject Sensitivity Labels
  • Device Labels
  • added requirement

15
ACCOUNTABILITY
  • C1 C2 B1 B2 B3 A1
  • Identification and Authentication
  • Audit
  • Trusted Path
  • added requirement

16
ASSURANCE
  • C1 C2 B1 B2 B3 A1
  • System Architecture
  • System Integrity
  • Security Testing
  • Design Specification and Verification
  • Covert Channel Analysis
  • Trusted Facility Management
  • Configuration Management
  • Trusted Recovery
  • Trusted Distribution
  • added requirement

17
DOCUMENTATION
  • C1 C2 B1 B2 B3 A1
  • Security Features User's Guide
  • Trusted Facility Manual
  • Test Documentation
  • Design Documentation
  • added requirement

18
ORANGE BOOK CRITICISMS
  • Does not address integrity or availability
  • Combines policy and assurance in a single linear
    rating scale
  • Mixes policy and mechanism
  • Mixes policy and assurance

19
POLICY VS ASSURANCE
20
EUROPEAN ITSEC
USA ORANGE BOOK
UK
Germany
France
Canada
European Community ITSEC
Federal Criteria DRAFT
Common Criteria PROPOSED
21
POLICY ASSURANCE UNBUNDLING
22
POLICY IN ITSEC
  • Open ended
  • Orange Book classes are grand-fathered in
  • Some new classes are identified

23
ORANGE BOOK POLICY GRAND-FATHERING
  • ITSEC ORANGE BOOK
  • F-C1 C1
  • F-C2 C2
  • F-B1 B1
  • F-B2 B2
  • F-B3 B3

24
ITSEC NEW POLICIES
  • ITSEC OBJECTIVE
  • F-IN High Integrity Requirements
  • F-AV High Availability Requirements
  • F-DI High Data Integrity during Data Exchange
  • F-DC High Data Confidentiality during Data
    Exchange
  • F-DX Networks with High Confidentiality and
    Integrity

others can be defined as needed
25
ASSURANCE EFFECTIVENESS
  • CONSTRUCTION
  • Suitability Analysis
  • Binding Analysis
  • Strength of Mechanism Analysis
  • List of Known Vulnerabilities in Construction
  • OPERATION
  • Ease of Use Analysis
  • List of Known Vulnerabilities in Operational Use

26
ASSURANCE CORRECTNESS
  • ITSEC ORANGE BOOK (very roughly)
  • E0 D
  • E1 C1
  • E2 C2
  • E3 B1
  • E4 B2
  • E5 B3
  • E6 A1

27
US DRAFT FEDERAL CRITERIA
USA ORANGE BOOK
UK
Germany
France
Canada
European Community ITSEC
Federal Criteria DRAFT
Common Criteria PROPOSED
28
INFLUENCES ON FEDERAL CRITERIA
29
ITSEC EVALUATION
SECURITY TARGET
Policy Assurance
PRODUCT
Mechanism
??
30
FEDERAL CRITERIA EVALUATION
Policy Assurance
PROTECTION PROFILE
SECURITY TARGET
??
Policy Assurance
Customer Supplied
PRODUCT
Mechanism
??
Vendor Supplied
31
PROTECTION PROFILE STRUCTURE
PROTECTION PROFILE
Descriptive Elements Section
Product Rationale Section
Functional Requirements Section
Development Assurance Requirements Section
Evaluation Assurance Requirements Section
32
FROM PROFILE TO PRODUCT
33
TOWARDS A COMMON CRITERIA
USA ORANGE BOOK
UK
Germany
France
Canada
Federal Criteria DRAFT
European Community ITSEC
Common Criteria PROPOSED
34
COMMON CRITERIA PLAN
ITSEC 1.2
Usage Reviews
1994 initial target 1996 more likely
EC-NA Alignment ----- Common Criteria
Canada CTCPEC 3.0
CC Editorial Board
Usage Reviews
Orange Book Usage
FedCrit 1.0
Joint Technical Groups
ISO SC27 WG3
Public Comment
35
CHALLENGES THAT REMAIN
  • Complexities of the open distributed computing
    and management environments (including use of
    crypto in conjunction with COMPUSEC)
  • Systems and composability problems
  • Trusted applications development and evaluation
    methods, including high integrity and high
    availability systems
  • Guidance on using IT security capabilities
    cost-effectively in commercial environments
  • Speedy but meaningful product and system
    evaluations, and evaluation rating maintenance