Security Evaluation
CSM27 Computer Security
Dr Hans Georg Schaathun
University of Surrey
Autumn 2007
Dr Hans Georg Schaathun Security Evaluation Autumn 2007 1 / 25
Overview
Outline
1 Overview
2 Fundamental Concepts
3 The Common Criteria
4 Closing Words
Session objectives
- Discuss advantages and limitations of security evaluations
- Clarify fundamental concepts and terminology in security evaluation
- Give an overview of the Common Criteria, enabling students to find appropriate documentation when needed
Can we trust a secure product/system?
- Do you trust the manufacturer?
- Can you scrutinise and evaluate the product/system yourself?
- Is there an independent evaluation or certification?

What is the difference between product and system?
What practical difference does it make for the evaluator?
Evaluation Standards
- TCSEC (Orange Book) – USA 1983–1999
- CTCSEC – Canada 1989
- ITSEC – Europe 1991–2001 (EU Council 1995)
- Common Criteria – Canada, France, Germany, the Netherlands, UK, and USA, 1998–

International treaty: Common Criteria Recognition Agreement
- Evaluation Scheme needed to join
- Replaces TCSEC, ITSEC, ...
Fundamental Concepts
Target
Product
- generic products
- generic requirements
- Security Classes (TCSEC)
- Protection Profile (Common Criteria)

System
- local and individual requirements
- dialogue between security expert and non-expert user
Purpose
Distinctions in the Orange Book
- Evaluation: assess achievement of claimed properties
- Certification: suitability for a given application
- Accreditation: acceptance for a given application
Method
We have to avoid
- Different results from different evaluations
- Security bugs found after a positive evaluation

Goals: Reproducibility and Repeatability

Two methodologies
- Product-oriented (aka. investigational) considers the final product
  - Establishes trust in a particular product
- Process-oriented (aka. audit-oriented) considers the development process
  - (Potentially) establishes trust in a particular producer
Organisational Framework
- Government Agencies (initial US approach)
- Private Enterprises with Government Accreditation
  - Government Certificates (UK 1991)
  - Private Certification (Germany)

What is the contract between . . . ?
- Sponsor
- Evaluator
- Manufacturer
Organisational Challenges
- Consistency across independent agencies: different people make different interpretations
- Interpretation drift: different interpretations at different times
Structure
- Functionality: Which features are provided?
- Effectiveness: Are the features appropriate for the requirements?
- Assurance: How thorough/certain is the evaluation?

The Orange Book couples the three considerations into discrete security classes.
ITSEC treats the three considerations separately
- Flexible framework; open for new requirements
The Common Criteria
- International Treaty
- Common standards documents
  - CC documents
  - CC Evaluation Methodology (CEM)
- Member states may have different implementations
  - Evaluation Scheme or National Scheme
Basic Concepts
- Protection Profile (PP) describes the protection needed in a given application scenario
- Security Target (ST) describes the protection provided by (classes of) systems/products
- ST implements a PP
Security Functional Requirements
This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.
Functional Requirements Classes
An example: the Communications class (two families)
- Non-repudiation of origin
- Non-repudiation of receipt

Other classes
- Cryptographic support
- Security Audit
- User data protection
- . . .
Security Assurance Requirements
This CC Part 3 defines the assurance requirements of the CC. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance for component TOEs, the composed assurance packages (CAPs) that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of PPs and STs.
Assurance Classes
- APE: Protection Profile Evaluation
- ASE: Security Target Evaluation
- Seven classes relating to product or system
  - Development
  - Delivery and Operation
  - Tests
  - . . .
Evaluation Assurance Levels
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semiformally Designed and Tested
- EAL6: Semiformally Verified Design and Tested
- EAL7: Formally Verified Design and Tested

Levels 5-7 have not been standardised internationally yet
Closing Words
Do we need evaluation standards?
- Controversial
- Requirement for government applications
  - The standards are tokens of government trust
  - Standardisation essential for public sector markets
- Little enthusiasm outside public sector [Gollmann]
  - Some exceptional industries do want standardised evaluation
  - At present: Smart Card Manufacturers
- Evaluation covers one version and one configuration
  - Evaluation takes time – probably not most recent version
Cost and Benefit
- Expensive: 10%–40% of development cost
  - Fees to the evaluator
  - Production of supporting documentation
  - Delay to market
- Criterion in certain markets
  - All depends on the customer
- Is the money better spent elsewhere?
  - Security Management, etc.?
- Are Quality Standards an alternative?
Exercise sheet
Refer to the Common Criteria portal, http://www.commoncriteriaportal.org/. Choose one protection profile (PP) which interests you, and the security target (ST) of a product implementing this PP. Compare the PP and the ST, and identify any differences. Based on this comparison, what is your opinion of the product? For which applications is the product suitable?
Discussion Exercise
Compare Evaluation and Consultancy
- Consultants advise clients on suitable solutions for their applications (including security requirements).
- Where would you draw the boundary between evaluation and consultancy?
  - What do consultants do?
  - What does an evaluation do?
- Are there any situations where you would clearly choose one over the other?