Title: You say to-mah-to, I say to-mae-to: why isn't there a single solution to Information Security Assurance?

1. You say to-mah-to, I say to-mae-to: why isn't there a single solution to Information Security Assurance?
- Apostol Vassilev
- atsec information security
- NetIDSys, Inc.
2. The problem of information security assurance
- There is a plethora of secure software and hardware products, often designed to meet similar customer information security needs
- How can we say which ones are better/more secure?
- Can the consumers decide for themselves?
- Can we leave it up to the market forces to weed out the bad products and identify the best solutions?
3. Outline
- Introduce a couple of major information security assurance standards
  - Common Criteria
  - Federal Information Processing Standard (FIPS)
- Current Trends
- Conclusions
4. The CC standard for IT security evaluation
5. Formalization of assurance and certification
Certification definition according to the German Law DIN 45020:
- Measure
- by impartial third party,
  - e.g. by the BSI (Germany) or NIAP (USA) and licensed and accredited evaluation labs
- that shows there is reasonable confidence,
  - which shows that there is reasonable confidence in the correct implementation and effectiveness of IT security
- that a correctly identified product, process or service
  - of the specified IT product
- is in accordance with a specified standard or another normative document.
6. The path to CC
7. Participating Nations and Agencies
- Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI).
- France: Direction Centrale de la Sécurité des Systèmes d'Information (DCSSI).
- UK: Communications-Electronics Security Group (CESG).
- Netherlands: Netherlands National Communications Security Agency (NLNCSA).
- Canada: Communication Security Establishment (CSE).
- USA: National Security Agency (NSA) and National Institute of Standards and Technology (NIST).
- Australia and New Zealand: the Defence Signals Directorate or the Government Communications Security Bureau, respectively.
- Japan: Information Technology Promotion Agency.
- Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional.
8. Objectives of the CC standard
- Common criteria for products and systems
  - based on the existing criteria of the U.S. and Europe
  - ISO standardization
  - an international basis for developers
- Comparability of security evaluation results
  - international mutual recognition of certificates
- Improved availability of high-quality security technology
9. International Recognition of CC
10. CC Evaluation Approach
- Axiomatic, resembles a mathematical theorem proof
- Security Problem Definition
  - Target of Evaluation (TOE): the product
  - Threats, assumptions, security policies
- Security Objectives for the TOE and its operational environment
- Assurance claims
  - Typically stated as Evaluation Assurance Levels (EAL): EAL1 to EAL7
- Proof
11. Certification procedure
12. Evaluation labs
- atsec information security (leader in OS evaluation)
- Atos Origin GmbH
- CSC Deutschland Solutions GmbH
- Datenschutz nord GmbH
- Deutsches Forschungszentrum für künstliche Intelligenz GmbH
- Industrieanlagen-Betriebsgesellschaft (IABG) mbH
- Media transfer AG
- Secunet SWISSiT AG
- SRC Security Research Consulting GmbH
- Tele Consulting GmbH
- TNO-ITSEF BV
- T-Systems GEI GmbH
- TÜV Informationstechnik GmbH
13. Responsibility of the Evaluator (DIN 17025)
- technically competent
- technically independent
- impartial
- neutral
14. Shortcomings of the CC standard
- Does not evaluate the cryptography in security products: no cryptanalysis
- Does not take risk into account
- Assumptions are assumed to hold absolutely
- Tends to be expensive/time consuming
15. FIPS: An Overview
- FIPS are a series of U.S. Federal Information Processing Standards.
- FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST.
- They are not mandatory for individual states, but are often used by them.
- They are often adopted by non-government agencies or large corporations.
FIPS 140-2 The Standard
16. FIPS 140-2
- FIPS 140-2 was published in 2001.
- Change notes were added in 2002.
- FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development.
- Mandatory for federal agencies
17. What is a Cryptographic Module?
- Can be
  - Hardware
  - Software
  - Firmware
  - Hybrid
- Performing certain security functionality
- With specific logical/physical boundaries
Cryptographic Module Basics
18. FIPS 140-2 Functional Areas
- FIPS 140-2 is divided into 11 functional areas.
- Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets.
- The module as a whole is awarded an Overall Security Level, which is the lowest level awarded in any of the areas.
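The "lowest area wins" rule above, as an added example that is not part of the presentation: it rates a module from per-area claims, treats areas marked N/A (as on published certificates) as not applicable, and rejects incomplete or out-of-range claims. The eleven area names are those of FIPS 140-2; the claimed levels are constructed sample data.

```python
# Added example (not from the presentation): computes a FIPS 140-2 Overall
# Security Level from per-area levels, following the slide's rule that the
# module as a whole gets the lowest level awarded in any applicable area.
# The area names are the eleven FIPS 140-2 areas; the claimed levels below
# are constructed sample data, not a real validation certificate.

FIPS_140_2_AREAS = (
    "Cryptographic Module Specification",
    "Cryptographic Module Ports and Interfaces",
    "Roles, Services, and Authentication",
    "Finite State Model",
    "Physical Security",
    "Operational Environment",
    "Cryptographic Key Management",
    "EMI/EMC",
    "Self-Tests",
    "Design Assurance",
    "Mitigation of Other Attacks",
)

def overall_security_level(claims):
    """Overall Security Level: the minimum over the areas that apply.
    claims maps every area to a level 1..4, or to None for an area that does
    not apply (N/A on certificates); N/A areas are skipped, and a missing
    area is an error, since a module cannot be rated without every claim."""
    missing = [a for a in FIPS_140_2_AREAS if a not in claims]
    if missing:
        raise ValueError(f"no level claimed for: {missing}")
    applicable = []
    for area, level in claims.items():
        if area not in FIPS_140_2_AREAS:
            raise ValueError(f"unknown area: {area!r}")
        if level is None:
            continue  # N/A neither raises nor lowers the overall level
        if not 1 <= level <= 4:
            raise ValueError(f"{area}: level {level} outside 1..4")
        applicable.append(level)
    if not applicable:
        raise ValueError("every area is N/A; nothing to rate")
    return min(applicable)

# Constructed sample: a software module claims level 2 in most areas and
# marks Physical Security N/A, but only reaches level 1 for Operational
# Environment, so the module as a whole is rated at level 1.
SAMPLE_CLAIMS = {a: 2 for a in FIPS_140_2_AREAS}
SAMPLE_CLAIMS["Physical Security"] = None
SAMPLE_CLAIMS["Operational Environment"] = 1

if __name__ == "__main__":
    print("Overall Security Level:", overall_security_level(SAMPLE_CLAIMS))
```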
19. FIPS 140-2 Functional Areas
- Cryptographic Module Specification
- Roles, Services, and Authentication
- Finite State Model
- Operational Environment
- Cryptographic Key Management
- Self Tests
- Design Assurance
- Mitigation of Other Attacks
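How the Self Tests and Finite State Model areas relate in practice, as an added example that is not from the presentation: a toy module runs power-up known-answer tests and refuses every service unless they all pass. The states, the class and its methods are a constructed illustration, not text from FIPS 140-2 or any validated module's code; the expected digests are the published SHA-256 and SHA-1 values for the message "abc".

```python
# Added example (not from the presentation): a simplified cryptographic
# module showing how the "Self Tests" and "Finite State Model" areas fit
# together. The states and the known-answer tests below are a constructed
# illustration, not text from FIPS 140-2 or any validated module's code.
import hashlib

# Known-answer tests (KATs): the published digests of the message "abc".
KATS = {
    "sha256": ("abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "sha1": ("abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
}


class CryptoModule:
    """States: POWER_OFF -> SELF_TEST -> OPERATIONAL, or -> ERROR on any failure."""

    def __init__(self, kats=KATS):
        self.kats = kats
        self.state = "POWER_OFF"

    def power_up(self):
        """Run every power-up KAT; a single failed KAT sends the module to ERROR."""
        self.state = "SELF_TEST"
        for alg, (msg, expected) in self.kats.items():
            if hashlib.new(alg, msg.encode()).hexdigest() != expected:
                self.state = "ERROR"
                return self.state
        self.state = "OPERATIONAL"
        return self.state

    def digest(self, alg, data):
        """A service: only available once the module is OPERATIONAL."""
        if self.state != "OPERATIONAL":
            raise RuntimeError(f"service refused in state {self.state}")
        return hashlib.new(alg, data).hexdigest()


if __name__ == "__main__":
    good = CryptoModule()
    print("healthy module:", good.power_up())
    # Constructed failure: a wrong expected value (what an incorrectly
    # implemented algorithm would produce) must keep the module from serving.
    broken = CryptoModule({"sha256": ("abc", "00" * 32)})
    print("broken module:", broken.power_up())
```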
20. What is the FIPS Validation Program?
- Cryptographic Module Validation Program (CMVP)
- A joint program between
  - The U.S. NIST (National Institute of Standards and Technology)
  - The CSE (Communications Security Establishment) of the Government of Canada
Explaining the CMVP
21. The Validation Process
22. Cryptographic Algorithm Validation (integral part of module validation)
- Algorithms used in Approved mode must be FIPS-validated.
- This means that they are implemented correctly.
- 50% of newly-tested algorithms fail!
- They are published on a list given at http://csrc.nist.gov/cryptval/vallists.htm.
23. Shortcomings of FIPS 140-2
- Not as tightly specified as CC
  - A lot of room for interpretation
  - hence repeatability of evaluation results is not guaranteed.
- Limited to USA and Canada
24. Current trends
- Combinations of the two major standards
  - Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified
  - Ensures all security aspects are thoroughly looked at
  - May incur substantial cost
25. Conclusions
- Information security assurance is needed to provide the consumer with guarantees for the technology they acquire
- Two major standards exist (CC and FIPS 140-2)
  - Different strengths and weaknesses
  - Generally complementary to each other
  - Increasingly used together in situations that require high assurance