Update on the German Scheme
Bundesamt für Sicherheit in der Informationstechnik (BSI)
(Federal Office for Information Security)
September 25, 2007
Irmela Ruhrmann, Head of Division Certification, Approval and Conformity Testing
Gereon Killian, Head of Certification Body
Irmela Ruhrmann / Gereon Killian September 25, 2007 Slide 2
The Federal Office for Information Security (BSI) was established by the German Parliament in 1991. § 3 of the Act on the Establishment of the BSI, dated 17.12.1990 (Federal Law Bulletin I p. 2834) defines the tasks of BSI.
BSI Certification
BSI Certification Ordinance (BSI ZertV)
Act on Establishment of BSI (BSIG: December 1990)
Decrees of the Federal Minister of the Interior (e.g. handling of cryptographic problems)
Schedule of Costs (BSI-KostV)
History: IT-Security Criteria
1989: Green Book of BSI
1991: Information Technology Security Evaluation Criteria (ITSEC)
1999: Common Criteria (CC) V2.1 - Standard ISO/IEC 15408
2004: Common Criteria (CC) V2.4 - ASE/APE Trial Use Version
2005: CC V 3.0 Trial Use Version
2005: Common Criteria (CC) V2.3 - Standard ISO/IEC 15408
2006: CC V 3.1 Approved by MC in September 2006
[Figure: document covers of "Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik (ITSEC)", June 1991, and "Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model", May 1998, Version 2.0, CCIB-98-026]
German Certification Scheme
Supported by
• accredited evaluation facilities
• licensed auditors
• international committees for
  - criteria development and harmonisation
  - mutual recognition
Customer, User, Operator
Product Certificates
- confirms product specific security functionality and quality (CC/PP)
- confirms system interoperability and functional aspects (TR)
ISO 27001 Certification in compliance with BSI Baseline Protection
In the BSI Certification Scheme, ISO 27001 in compliance with BSI Baseline Protection and Product Certification are intended to be complementary
BSI Certificate
confirms functioning and effective IT security management
[Diagram labels: ISO 27001 / BSI IT BP; BSI as Federal Office for Information Security; Product Certification; BSI-Certificate; BSI TR]
BSI Accreditation - Evaluation Facilities (1)
CC and/or ITSEC ITSEFs:
• Atos Origin GmbH
• atsec information security GmbH
• brightsight bv (former TNO-ITSEF BV)
• CSC Deutschland Solutions GmbH
• datenschutz nord GmbH
• DFKI (German Research Institution for Artificial Intelligence) GmbH
• media transfer AG
• secunet SwissIT AG
• SRC Security Research & Consulting GmbH
• Tele-Consulting security | networking | training GmbH (TC)
• T-Systems GEI GmbH
• TÜV Informationstechnik (TÜVIT) GmbH
• Industrieanlagen-Betriebsgesellschaft mbH (IABG) (only ITSEC)
BSI Accreditation - Evaluation Facilities (2)
ITSEF for evaluations against BSI-TR (BSI Technical Guidelines)
BSI TR 03104 (ePass production data acquisition, quality check and data transmission):
• Fraunhofer Institut für Angewandte Optik und Feinmechanik
BSI TR 03105 (ePassport Conformity Testing):
• CETECOM ICT Services GmbH
• Secunet Security Networks AG
Acquisition Policies for CC Certified Products
EU Commission: Digital Tachograph: Directive equivalent to law
NATO: Infosec Technical and Implementation Guidance on the use of Common Criteria within NATO
UN/G8: G8 - Principles on Critical Infrastructure Protection
Germany: Digital Signature Law; Health Cards and related products; ePassport and eID documents
Multilateral Defense: Airbus A 400M; Eurofighter 2000
Acquisition Policies in EU/Germany at this point in time concern special areas (defense, health sector, ID cards)
Trend: increasing importance
Product-types Certified / under Certification
Software Products / Hardware Products
• Operating Systems
  - Mainframe
  - Midsize
• PC Security Products
  - Security Shells
  - Integrity Protection
• Data Communication Products
• Firewalls
• Biometric Security Products
  - (Voice Identification)
• Smartcard with OS and Applications
• Signature Applications
• Tachograph Components
  - Motion Sensor
  - Vehicle Unit
  - Smartcard
• Smartcard Reader
• Smartcard Controller
Market development of CC certified Products
[Chart: BSI-Certificates, data series CC and ITSEC]
Market development of CC certified Products
[Chart: 2003 to 2006, by product type: Smartcard Applications, Tachograph Components, Operating Systems, Signature Applications, Other Products, Smartcard Controller, Firewalls]
Types of certification procedures
• Certification parallel to the product development
• Certification of a finished product
• Assurance Continuity: Re-evaluation, Maintenance
(mostly on HW/Smartcard, a few on SW, one on PP)
Recent Certificates (Examples 1)
• Infineon: Smartcard-Controller (SLE66CL180PE, SLE66CL180PEM, SLE66CL180PES, SLE66CL81PE, SLE66CL81PEM, SLE66CL80PE, SLE66CL80PEM, SLE66CL80PES, SLE66CL41PE)
• Renesas: Smartcard-Controller (AE55C1 (HD65255C1))
• SuSE LINUX Products: Operating Systems (SUSE Linux Enterprise Server V 8, with Service Pack 3)
• Microsoft: Exchange Server, Database server (Database Engine of Microsoft SQL Server), Firewall (ISA Server), Directory-Server
• IBM: Operating Systems, e.g. z/OS, AIX, PR/SM, Directory-Server, Tivoli Access Manager
Recent Certificates (Examples 2)
• GeNUA: Firewall (GeNUScreen 1.0)
• NXP Semiconductors Germany: Smartcard Controller (P5CD080V0B, P5CN080V0B and P5CC080V0B)
• Sharp: Smartcard Controller (SM4148)
• Océ Technologies: Printer Controller (Océ SRA Controller Version 3, Bundle 8.02)
• OPENLiMiT SignCubes AG: Signature application software (SignCubes base components 2.1)
• Siemens VDO: Tachograph (Digital Tachograph DTCO 1381, Release 1.2a)
Recent Maintenance Examples
• NXP Semiconductors Germany GmbH (BSI-DSZ-CC-0410-2007-MA-01): NXP Secure Smart Card Controller P5CC073V0B with specific IC Dedicated Software; Smartcard platform
• IBM Deutschland Entwicklung GmbH (BSI-DSZ-CC-0426-2007-MA-01): NXP P521G072V0P (JCOP 21 v2.3.1), NXP P531G072V0P (JCOP 31 v2.3.1) and NXP P531G072V0Q (JCOP 31 v2.3.1); Smartcard platform
• OPENLiMiT SignCubes AG (BSI-DSZ-CC-0432-2007-MA-01): OPENLiMiT SignCubes base components 2.1, Version 2.1.6.2; Signature application software
• Infineon Technologies AG (BSI-DSZ-CC-0338-2005-MA-03): Infineon Smart Card IC (Security Controller) SLE66CLX640P/m1523-a15 and SLE66CLX641P/m1522-a15, both with RSA2048 V1.3 and specific IC Dedicated Software; Smartcard Controller
Important Certification Projects (1)
ePassport
• The new German ePass includes biometrics with latest contactless smartcard (ISO 14443) and IT-security technology.
• TOE: RFID-Controller (HW), embedded-SW (OS), MRTD (ICAO) application.
• Life-Cycles: development, manufacturing, personalisation, operation.
• IT-Security Certification according to CC PPs and conformity-tested according to Technical Guideline.
Protection Profile: Machine Readable Travel Document with "ICAO Application" Extended Access Control, Version 1.1
Technical Guideline: BSI-TR 03105 "ePassport Conformity Testing" (TR-ePass)
Important Certification Projects (2)
National eHealth-Card
Key Security Components to be certified according to certified Protection Profiles:
• eGK - Electronic Health Card for 80 million citizens, replacing the KVK (health insurance card).
• HPC - Health Professional Card for more than 500,000 health professionals.
• SMC - Security Module Card to be used by an institution under control by a health professional.
• B4HC - Bit4Health Connector, provides access to the central telematics infrastructure.
Important Certification Projects (3)
Digital Tachograph
Technical Components:
• Motion Sensor
• Vehicle Unit
• Tachograph Card (workshop/service, police, driver)
Certification requirements according to EU Directive:
• specified in "Generic Security Targets" in conformity with the Common Criteria Protection Profile concept
• ITSEC, E3 high
• Common Criteria (CC), EAL 4+
Other Recent Protection Profile Developments
• PP on Software for protection of personal video data - Closed Circuit Television (CCT)
• Electronic Voting PPs (CC V2.3 / CC V3.1)
• PP for USB-data storage devices
• Mobile Synchronization Services PP
• Security IC Platform Protection Profile (CC V3.1)
Important Projects inside the BSI Certification Scheme
• ISO 9001 - Certification according to industry rules: QM-System of CB has been certified
• Site Certification: Introduction in the German scheme 4th quarter 2007
• Guidance for Developer's Documents
• Update of Scheme Interpretations for CC V3.1 ongoing
Perspectives & Conclusions
Certification improves IT-Security & IT-Product quality
World-wide increasing number of certificates and PPs
Success factors:
• Common Criteria as an International Standard
• Regulations and Public Acquisition policy promote product certification
• Certification required by the Public and Private Sector
• Certification Policy is part of the National Plan for Information Infrastructure Protection in Germany
• Complete product platforms of IT market leaders get certified
• New CC-versions and scheme-efforts make certification less complex
• Optimisation of CB internal process enhances efficiency
• Increasing effort in development of Protection Profiles
Contact
Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)
Godesberger Allee 185-189
53175 Bonn
Tel: +49 (0)3018 9582 111
Fax: +49 (0)3018 10 9582 5477
[email protected]/gshb/zert