An Overview of Common Criteria Protection Profiles

María M. Larrondo Petrie, PhD

March 26, 2004

Overview

• Common Criteria CC

• Information Assurance IATFF

• CC Protection Profiles
– Structure
– Development Tools

• Case Study – Role Based Access Control

• References

Common Criteria

• Common Criteria (CC) – replaces the security criteria and processes used in the (14) Common Criteria countries, with the goal that product evaluations conducted in one country would be accepted in the other countries

• The US entity involved in CC is the National Information Assurance Partnership (NIAP), a partnership between
– National Institute of Standards and Technology (NIST)
– National Security Agency (NSA)

Common Criteria: What is it?

• Common Criteria (CC) – a catalog of criteria and a framework for organizing a subset of the criteria into a security specification

• Who uses it? (figure, with Common Criteria at the center)
– Product Vendors
– Certifiers
– Evaluators
– Consumers
– Approvers
– Accreditors
– Developers

Common Criteria

• Evolution of International Security Standards (figure)

Orange Book (TCSEC) 1985

UK Confidence Levels 1989

German Criteria

French Criteria

Canadian Criteria (CTCPEC) 1993

Federal Criteria (FC) Draft 1993

ITSEC 1991

Common Criteria V 1.0 1996 V 2.0 1998 V 2.1 1999

ISO International Standard 15408 1999

Common Criteria - Terminology

• PP - Protection Profile – implementation independent criteria

• SP - Security Profile – implementation dependent criteria

• TOE – Target of Evaluation – what you are describing – your product

• EAL – Evaluation Assurance Level – CC assurance levels – 7 hierarchical – EAL1 thru EAL7 – EAL1 (least amount)

• CEM – Common Evaluation Method – set of steps for validating assurance requirements in an SP – Only addresses levels EAL1 through EAL4.

CC Protection Profile (PP)

• High-level expression of desired security properties (i.e. security environment, security objectives and security requirements)

• A mechanism to provide Consumers the ability to specify their security requirements

• Generic so multiple implementations may meet the stated requirements

• PP represents “I want”

from giles.ppt

CC Security Target (ST)

• High-level expression of claimed security properties

• A mechanism to provide Vendors the ability to make claims regarding their security products

• Specific to an implementation

• ST represents “I provide”

IATFF

• What? A security guidance document developed by NSA’s ISSO organization with support from security advocates in government and industry

• Constraints?
– Unclassified

– Published on the Internet

• Primary Coordination forum? Information Assurance Technical Framework Forum (IATFF)

IATF

• Help government users become wiser consumers when implementing security solutions

• Assist industry in understanding the government’s needs and the nature of the desired solutions to these needs

• Focus Government and Industry investment resources on the security technology gaps

How does the Framework help Government Users?

• By describing their needs to the industry providers

• By “suggesting” the important characteristics of security solutions to different classes of problems

• By providing an assessment of the security technology available on the open market

Security Methodology (figure)

Elements: Organizational Security Policy; Risk Assessment; Certification and Accreditation; Security Countermeasures (Non-Technical and Technical); Life-Cycle Security Management; Adversaries, Motivations, and Attacks; National/Service/Agency Policies, Regulations, Standards; Mission Needs.

Flow from Policy to Specification (figure)

Elements: National Policy (NSTISSIC, NSTISSAM); GIG Policy; GIG IA Policy & Implementation Guidance; GIG Architecture (Services, Protocols, etc.); Information Assurance Technical Framework (Defend the Network & Infrastructure, Defend the Enclave Boundary, Defend the Computing Environment, Supporting Infrastructures: KMI/PKI, Detect & Respond); Executive Summaries, Protection Profiles; NIAP (Testing, Evaluation, Certification); DITSCAP (Certification and Accreditation process); Intel Comm. DCID 6/3. Dimensions: People, Operations, Technology.

Defense In Depth Strategy (figure)

Successful Mission Execution; Information Assurance across People, Operations, Technology. Focus areas: Defend the Network & Infrastructure; Defend the Enclave Boundary; Defend the Computing Environment; Supporting Infrastructures (KMI/PKI, Detect & Respond).

How It’s Organized

• Central Change: Alignment with Defense-In-Depth

(Figure: IATF Chapters 5 through 8, with Chapter 5 “Security Solutions Framework” (NSF).)

IATF: Today’s Framework Elements

Information Assurance Technical Framework (IATF) – IATF Release 2.0, Figure 1-2, Composition of the IATF:

– Main Body: Information Assurance Tutorial & General Guidance

– Executive Summaries (Appendix F: Case Specific Guidance, aka “executive summaries”): Concise, Definitive Security Requirements For Specific Cases

– Protection Profiles (Appendix G: Protection Profiles): Formal Common Criteria Documents for Defining Testable Requirements

The “Document”

(Figure: a User Situation & Need for Information Assurance Solution is paired with an Executive Summary for ______ and several Protection Profiles for ______.)

IATF: Information Assurance Technical Framework Forum

• http://www.iatf.net/protection_profiles/profiles.cfm

Protection profile areas (figure), grouped by Defense-in-Depth area – Supporting Infrastructure, Defend the Network and Infrastructure, Defend the Enclave Boundary, Defend the Computing Environment:

KMI/PKI; Detect and Respond; Switches and Routers; Firewalls; Operating Systems; Certificate Management; IDS; Multinational Information Sharing (MNIS); Wireless; VPNs; Biometrics; Key Recovery; Peripheral Sharing Switch; Web PKI Recovery; Remote Access Tokens; Multiple Domain Solutions; Mobile Code; Secure Messaging; Guards; DBMS; Access Control; System Profiles.

Three Kinds of Protection Profiles

• DoD (COTS) Acquisition Protection Profiles
– Developed To Become Binding Procurement Guidance for DoD

– Must Be Achievable with Today’s Technology

– May Be Accompanied by Additional Specification Data

– Will Be Coordinated DoD-Wide by OSD

– Ultimately “Owned” by OASD(C3I)

• Technology Goal Protection Profiles
– Developed To Influence Development of New Technology

– Focused on Future Needs or Implementations

– “Owned” by NSA

• Specific Need Protection Profiles
– Developed In Response to a Customer’s Specific Need

– Subject to Customer Approval

– “Owned” by the Customer

Common Criteria Protection Profile

• Common Criteria Protection Profile (CC PP) – an implementation independent statement of security requirements that is shown to address the threats that exist in a specified environment

• A PP is appropriate when
– A consumer group wishes to specify security requirements for an application type (e.g., electronic funds transfer)
– A government wishes to specify security requirements for a class of security products (e.g., firewalls)
– An organization wishes to purchase an IT system to address its security requirements (e.g., patient records for a hospital)

Contents of a Protection Profile

• PP Introduction
– PP Identification
– PP Overview

• Target of Evaluation (TOE)

• TOE Security Environment
– Assumptions
– Threats
– Organizational security policies

• Security Objectives
– Security objectives for the TOE
– Security objectives for the environment

• IT Security Requirements
– TOE Security Requirements
• Security functional requirements
• Security assurance requirements
– Security requirements for the IT environment

• PP Application Notes

• Rationales
– Security objectives rationale
– Security requirements rationale

What is in a PP

• Security Environment Defined
– The TOE will be used in environments in which no higher than sensitive but unclassified information is processed, or the sensitivity level of information in both the internal and external networks is the same. Compliant firewalls provide access control policies, extensive auditing and a low level of assurance.

• Secure Usage Assumptions
– Connectivity Assumptions
• Single entry point
– Physical Assumptions
• Control of physical access
– Personnel Assumptions
• Trustworthy Administrator

What is in a PP

• Organizational Security Policies

• Threats to Security
– Threats Addressed by the TOE
• An unauthorized person may gain logical access to the TOE
• Lack of audit trail
• Undetected penetration attempts
– Threats to be Addressed by the Operating Environment
• Hostile system administrator
• Sophisticated attacks on higher-level protocols

• Security Objectives

• Functional Security Requirements and Assurance
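The rationale sections listed under “Contents of a Protection Profile” exist to show that every threat, assumption and organizational security policy in the TOE security environment is addressed by some security objective, and that every objective for the TOE is satisfied by some functional or assurance requirement. The following Python checker is an added example, not code from the slides or from the CC Toolbox; it performs that traceability check over a constructed PP modelled on the firewall example above. The identifiers T.ACCESS, O.IDAUTH, OE.ADMIN and so on are constructed labels in the usual CC naming style; FIA_UAU.1, FAU_GEN.1 and FDP_ACC.1 are real CC component names, but the mapping to objectives is illustrative. One threat (T.PROTOCOL) is deliberately left without an objective so the check has a gap to report.

```python
"""Traceability check for the rationale sections of a Protection Profile (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ProtectionProfile:
    threats: dict[str, str]            # threat id -> description
    assumptions: dict[str, str]        # assumption id -> description
    policies: dict[str, str]           # organizational security policy id -> description
    objectives: dict[str, set[str]]    # objective id -> threat/assumption/policy ids it addresses
    requirements: dict[str, set[str]]  # SFR/SAR id -> objective ids it satisfies
    env_objectives: set[str] = field(default_factory=set)  # objectives met by the environment, not the TOE


def check_rationale(pp: ProtectionProfile) -> dict[str, list[str]]:
    """Return the gaps a PP rationale must not contain; all lists empty means the PP is consistent."""
    needs = set(pp.threats) | set(pp.assumptions) | set(pp.policies)
    addressed = set().union(*pp.objectives.values())
    satisfied = set().union(*pp.requirements.values())
    toe_objectives = set(pp.objectives) - pp.env_objectives
    return {
        # threats, assumptions or policies that no objective covers (objectives rationale)
        "unaddressed": sorted(needs - addressed),
        # objectives that trace to nothing, or to an id the security environment never defined
        "dangling_objectives": sorted(o for o, tgt in pp.objectives.items() if not tgt or not tgt <= needs),
        # TOE objectives no requirement implements (requirements rationale); environment objectives are exempt
        "unsatisfied_toe_objectives": sorted(toe_objectives - satisfied),
        # requirements that point at an objective the PP does not state
        "dangling_requirements": sorted(r for r, objs in pp.requirements.items() if not objs <= set(pp.objectives)),
    }


def example_pp() -> ProtectionProfile:
    """Constructed PP based on the firewall slides; ids and the requirement mapping are illustrative."""
    return ProtectionProfile(
        threats={
            "T.ACCESS": "An unauthorized person may gain logical access to the TOE",
            "T.AUDIT": "Lack of audit trail",
            "T.PENETRATE": "Undetected penetration attempts",
            "T.ADMIN": "Hostile system administrator (operating environment)",
            "T.PROTOCOL": "Sophisticated attacks on higher-level protocols (operating environment)",
        },
        assumptions={
            "A.SINGLE_ENTRY": "Single entry point",
            "A.PHYSICAL": "Control of physical access",
            "A.TRUST_ADMIN": "Trustworthy administrator",
        },
        policies={},
        objectives={
            "O.IDAUTH": {"T.ACCESS"},
            "O.AUDIT": {"T.AUDIT", "T.PENETRATE"},
            "OE.PHYSICAL": {"A.PHYSICAL"},
            "OE.SINGLE_ENTRY": {"A.SINGLE_ENTRY"},
            "OE.ADMIN": {"A.TRUST_ADMIN", "T.ADMIN"},
            # deliberately no objective for T.PROTOCOL, so the check has a gap to report
        },
        requirements={
            # FIA_UAU.1 and FAU_GEN.1 are real CC component names; the mapping is constructed
            "FIA_UAU.1": {"O.IDAUTH"},
            "FAU_GEN.1": {"O.AUDIT"},
        },
        env_objectives={"OE.PHYSICAL", "OE.SINGLE_ENTRY", "OE.ADMIN"},
    )


if __name__ == "__main__":
    for kind, ids in check_rationale(example_pp()).items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
```

Run stand-alone, the script reports T.PROTOCOL as unaddressed and nothing else. The same check, applied during PP drafting, catches the two failure modes an evaluator looks for in the rationale: a need the author forgot to counter, and an objective or requirement that was edited or renamed so its mapping no longer points at anything.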

The CC Toolbox

• Information Assurance “TurboTax” design tool for:
– Architects
– System Engineers
– Requirements Activities

• Focused on:
– Application of the CC
– Describing Security Features
– Specifying Security Requirements
– Drafting ST’s and PP’s

• http://cctoolbox.sparta.com

Registered Protection Profiles

• Sets of registered Protection Profiles exist at the following locations:
– http://www.radium.ncsc.mil/tpep/protection_profiles/index.html
– http://www.cesg.gov.uk/cchtml/ippr/list_by_type.html
– http://csrc.nist.gov/cc/pp/pplist.htm – (currently being updated, so I could not look up the list to see if it includes what we are trying to propose)
– http://www.scssi.gouv.fr/present/si/ccsti/pp.html

References

• [NIST, 2003] “Common Criteria for IT Security Evaluation: Common Language to Express Common Needs”, Computer Security Resource Center (CSRC), National Institute of Standards and Technology, created 12 November 2002, last updated 19 May 2003, http://csrc.nist.gov/cc/

• “Common Criteria for Information Technology Security Evaluation, User Guide”, CESG, UK and NIST, USA, Syntegra, October 2999.

• [Towns and Britton, 1999] Towns, M. and K. Britton. Protection Profile Development Workshop: Student Handbook, Ver. 2.0, NIAP/NIST, 2000.

• [Grainger 2000] Granger, G. Common Criteria Tools, Mitretek Systems, May 25, 2000.