
Update on the German Scheme

Bundesamt für Sicherheit in der Informationstechnik (BSI)

(Federal Office for Information Security)

September 25, 2007

Irmela Ruhrmann, Head of Division Certification, Approval and Conformity Testing

Gereon Killian, Head of Certification Body

Slide 2: BSI Certification

Irmela Ruhrmann / Gereon Killian September 25, 2007 Slide 2

The Federal Office for Information Security (BSI) was established by the German Parliament in 1991. § 3 of the Act on the Establishment of the BSI, dated 17.12.1990 (Federal Law Bulletin I p. 2834), defines the tasks of BSI.

Slide 4: BSI Certification

BSI Certification Ordinance (BSI ZertV)
Act on Establishment of BSI (BSIG: December 1990)
Decrees of the Federal Minister of the Interior (e.g. handling of cryptographic problems)
Schedule of Costs (BSI-KostV)

Slide 5: German Certification Scheme - History of IT-Security Criteria

1989: Green Book of BSI
1991: Information Technology Security Evaluation Criteria (ITSEC)
1999: Common Criteria (CC) V2.1 - Standard ISO/IEC 15408
2004: Common Criteria (CC) V2.4 - ASE/APE Trial Use Version
2005: CC V 3.0 Trial Use Version
2005: Common Criteria (CC) V2.3 - Standard ISO/IEC 15408
2006: CC V 3.1 Approved by MC in September 2006

(Cover pages shown on the slide: "Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik (ITSEC)" (Criteria for the Evaluation of the Security of Information Technology Systems), June 1991; "Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model", May 1998, Version 2.0, CCIB-98-026.)

Slide 6: German Certification Scheme - Overview

BSI as Federal Office for Information Security

Supported by:
• accredited evaluation facilities
• licensed auditors
• international committees for
  - criteria development and harmonisation
  - mutual recognition

Customer, User, Operator

Product Certification (BSI-Certificate, BSI TR):
- confirms product-specific security functionality and quality (CC/PP)
- confirms system interoperability and functional aspects (TR)

ISO 27001 Certification in compliance with BSI Baseline Protection (ISO 27001 / BSI IT BP):
- BSI Certificate confirms functioning and effective IT security management

In the BSI Certification Scheme, ISO 27001 in compliance with BSI Baseline Protection and Product Certification are intended to be complementary.

Slide 9: BSI Accreditation - Evaluation Facilities (1)

CC and/or ITSEC ITSEFs:
Atos Origin GmbH
atsec information security GmbH
brightsight bv (former TNO-ITSEF BV)
CSC Deutschland Solutions GmbH
datenschutz nord GmbH
DFKI (German Research Institution for Artificial Intelligence) GmbH
media transfer AG
secunet SwissIT AG
SRC Security Research & Consulting GmbH
Tele-Consulting security | networking | training GmbH (TC)
T-Systems GEI GmbH
TÜV Informationstechnik (TÜVIT) GmbH
Industrieanlagen-Betriebsgesellschaft mbH (IABG) (only ITSEC)

Slide 10: BSI Accreditation - Evaluation Facilities (2)

ITSEFs for evaluations against BSI-TR (BSI Technical Guidelines):

BSI TR 03104 (ePass production data acquisition, quality check and data transmission):
Fraunhofer Institut für Angewandte Optik und Feinmechanik

BSI TR 03105 (ePassport Conformity Testing):
CETECOM ICT Services GmbH
Secunet Security Networks AG

Slide 11: Acquisition Policies for CC Certified Products

EU Commission: Digital Tachograph: Directive equivalent to law
NATO: Infosec Technical and Implementation Guidance on the use of Common Criteria within NATO
UN/G8: G8 - Principles on Critical Infrastructure Protection
Multilateral Defense: Airbus A 400M, Eurofighter 2000
Germany: Digital Signature Law, Health Cards and related products, ePassport and eID documents

Acquisition Policies in EU/Germany at this point in time concern special areas (defense, health sector, ID cards).
Trend: increasing importance

Slide 14: Product-types Certified / under Certification

Software Products and Hardware Products:
• Operating Systems
  - Mainframe
  - Midsize
• PC Security Products
  - Security Shells
  - Integrity Protection
• Data Communication Products
• Firewalls
• Biometric Security Products (Voice Identification)
• Smartcard with OS and Applications
• Signature Applications
• Tachograph Components
  - Motion Sensor
  - Vehicle Unit
  - Smartcard
• Smartcard Reader
• Smartcard Controller

Slide 15: Market development of CC certified Products

(Bar chart "BSI-Certificates": number of certificates per year, two series, CC and ITSEC; y-axis 0 to 110. The individual bar values are not legible in this extraction.)

Slide 16: Market development of CC certified Products

(Chart: certificates per product category for the years 2003, 2004, 2005 and 2006; y-axis 0 to 45. Categories: Smartcard Applications, Tachograph Components, Operating Systems, Signature Applications, Other Products, Smartcard Controller, Firewalls.)

Slide 17: Types of certification procedures

Certification parallel to the product development
Certification of a finished product
Assurance Continuity: Re-evaluation, Maintenance (mostly on HW/Smartcard, a few on SW, one on PP)

Slide 18: Recent Certificates (Examples 1)

Infineon Smartcard-Controller (SLE66CL180PE, SLE66CL180PEM, SLE66CL180PES, SLE66CL81PE, SLE66CL81PEM, SLE66CL80PE, SLE66CL80PEM, SLE66CL80PES, SLE66CL41PE)
Renesas Smartcard-Controller (AE55C1 (HD65255C1))
SuSE LINUX Operating Systems (SUSE Linux Enterprise Server V 8, with Service Pack 3)
Microsoft Exchange Server, Database server (Database Engine of Microsoft SQL Server), Firewall (ISA Server), Directory-Server
IBM Operating Systems, e.g. z/OS, AIX, PR/SM, Directory-Server, Tivoli Access Manager

Slide 19: Recent Certificates (Examples 2)

GeNUA Firewall (GeNUScreen 1.0)
NXP Semiconductors Germany Smartcard Controller (P5CD080V0B, P5CN080V0B and P5CC080V0B)
Sharp Smartcard Controller (SM4148)
Océ Printer Controller (Océ SRA Technologies Controller Version 3, Bundle 8.02)
OPENLiMiT SignCubes AG Signature application software (SignCubes base components 2.1)
Siemens VDO Tachograph (Digital Tachograph DTCO 1381, Release 1.2a)

Slide 20: Recent Maintenance Examples

NXP Semiconductors Germany GmbH (BSI-DSZ-CC-0410-2007-MA-01): NXP Secure Smart Card Controller P5CC073V0B with specific IC Dedicated Software (Smartcard platform)
IBM Deutschland Entwicklung GmbH (BSI-DSZ-CC-0426-2007-MA-01): NXP P521G072V0P (JCOP 21 v2.3.1), NXP P531G072V0P (JCOP 31 v2.3.1) and NXP P531G072V0Q (JCOP 31 v2.3.1) (Smartcard platform)
OPENLiMiT SignCubes AG (BSI-DSZ-CC-0432-2007-MA-01): OPENLiMiT SignCubes base components 2.1, Version 2.1.6.2 (Signature application software)
Infineon Technologies AG (BSI-DSZ-CC-0338-2005-MA-03): Infineon Smart Card IC (Security Controller) SLE66CLX640P/m1523-a15 and SLE66CLX641P/m1522-a15, both with RSA2048 V1.3 and specific IC Dedicated Software (Smartcard Controller)

Slide 21: Important Certification Projects (1) - ePassport

The new German ePass includes biometrics with the latest contactless smartcard (ISO 14443) and IT-security technology.
TOE: RFID-Controller (HW), embedded SW (OS), MRTD (ICAO) application.
Life-Cycles: development, manufacturing, personalisation, operation.
IT-Security Certification according to CC PPs and conformity-tested according to Technical Guideline.

Protection Profile: Machine Readable Travel Document with „ICAO Application“ Extended Access Control, Version 1.1
Technical Guideline: BSI-TR 03105 „ePassport Conformity Testing“ (TR-ePass)

Slide 22: Important Certification Projects (2) - National eHealth-Card

Key Security Components to be certified according to certified Protection Profiles:
eGK - Electronic Health Card for 80 million citizens, replacing the KVK (health insurance card).
HPC - Health Professional Card for more than 500,000 health professionals.
SMC - Security Module Card to be used by an institution under control by a health professional.
B4HC - Bit4Health Connector, provides access to the central telematics infrastructure.

Slide 23: Important Certification Projects (3) - Digital Tachograph

Technical Components: Motion Sensor, Vehicle Unit, Tachograph Card (workshop/service, police, driver)
Certification requirements according to EU Directive: specified in „Generic Security Targets“ in conformity with the Common Criteria Protection Profile concept
- ITSEC: E3 high
- Common Criteria (CC): EAL 4+

Slide 24: Other Recent Protection Profile Developments

PP on Software for protection of personal video data - Closed Circuit Television (CCT)
Electronic Voting PPs (CC V2.3 / CC V3.1)
PP for USB-data storage devices
Mobile Synchronization Services PP
Security IC Platform Protection Profile (CC V3.1)

Slide 25: Important Projects inside the BSI Certification Scheme

ISO 9001 - Certification according to industry rules: QM-System of CB has been certified
Site Certification: Introduction in the German scheme 4th quarter 2007
Guidance for Developer's Documents
Update of Scheme Interpretations for CC V3.1 ongoing

Slide 26: Perspectives & Conclusions

Certification improves IT-Security & IT-Product quality
World-wide increasing number of certificates and PPs

Success factors:
Common Criteria as an International Standard
Regulations and Public Acquisition policy promote product certification
Certification required by the Public and Private Sector
Certification Policy is part of the National Plan for Information Infrastructure Protection in Germany
Complete product platforms of IT market leaders get certified
New CC-versions and scheme-efforts make certification less complex
Optimisation of CB internal process enhances efficiency
Increasing effort in development of Protection Profiles

Slide 27: Contact

Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)
Godesberger Allee 185-189
53175 Bonn
Tel: +49 (0)3018 9582 111
Fax: +49 (0)3018 10 9582 5477

[email protected]/gshb/zert