The Common Criteria (CC) Paradigm Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Common Criteria (CC) Paradigm
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899
(301) 975-4768
skatzke_at_nist.gov
fax (301) 975-4964
2
An Evolutionary Process
  • Two decades of research and development

  • US-DOD TCSEC 1983-85
  • European National/Regional Initiatives 1989-93
  • Canadian Initiatives 1989-93
  • US-NIST MSFR 1990
  • Europe ITSEC 1991
  • Federal Criteria 1992
  • Canada TCPEC 1993
  • Common Criteria 1993-98
  • ISO 15408 Common Criteria 1999
3
The Common Criteria (International Standard ISO/IEC 15408)
  • What the standard is
    • Common structure and language for expressing
      product/system IT security requirements (Part 1)
    • Catalog of standardized IT security requirement
      components and packages (Parts 2 and 3)
  • How the standard is used: the CC paradigm
    • Develop protection profiles and security targets
      -- specific IT security requirements and
      specifications for products and systems
    • Evaluate products and systems against known and
      understood IT security requirements

4
IT Security Requirements
The Common Criteria defines two types of IT
security requirements:
  • Functional Requirements
    • For defining security behavior of the IT
      product or system
    • Implemented requirements become security
      functions
    • Examples
      • Identification and Authentication
      • Audit
      • User Data Protection
      • Cryptographic Support
  • Assurance Requirements
    • For establishing confidence in security
      functions
    • Correctness of implementation
    • Effectiveness in satisfying security
      objectives
    • Examples
      • Development
      • Configuration Management
      • Life Cycle Support
      • Testing
      • Vulnerability Analysis

5
Evaluation Assurance Levels
Common Criteria defines seven hierarchical
assurance levels:
  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested and Reviewed
  • EAL5: Semiformally Designed and Tested
  • EAL6: Semiformally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested
6
Protection Profiles (generic) and Security Targets
(specific)
  • Protection Profile contents
    • Introduction
    • TOE Description
    • Security Environment
      • Assumptions
      • Threats
      • Organizational security policies
    • Security Objectives
    • Security Requirements
      • Functional requirements
      • Assurance requirements
    • Rationale
  • Security Target contents
    • Introduction
    • TOE Description
    • Security Environment
      • Assumptions
      • Threats
      • Organizational security policies
    • Security Objectives
    • Security Requirements
      • Functional requirements
      • Assurance requirements
    • TOE Summary Specification
    • PP Claims
    • Rationale



7
Profiles and Targets (Some Examples)
  • Protection Profiles (Product Independent)
    • Operating Systems (C2, CS2, RBAC)
    • Firewalls (Packet Filter and Application)
    • Smart cards (Stored value and other)
  • Security Targets (Product Specific)
    • Oracle Database Management System
    • Lucent, Cisco, Checkpoint Firewalls



8
Beneficiaries of the Standard
  • Consumer Consortia (Users Groups)
    • Use ISO/IEC 15408 to build protection profiles
      expressing their needs
    • Work with developers to build matching IT
      products and systems
  • Individual IT Consumers
    • Look for protection profiles matching their
      security requirements -- use in procurement
      specifications
    • In acquisitions, give preference to products that
      have been evaluated
  • Product and System Developers
    • Build products to meet targeted/selected
      protection profiles
    • Use ISO/IEC 15408 to specify IT product and
      system security capabilities via security targets
  • Product Evaluators and Certifiers
    • Use ISO-compliant protection profiles and
      security targets to measure IT product and system
      compliance

9
Defining Requirements
10
Industry Responds
11
Demonstrating Conformance
Private sector, accredited security testing
laboratories conduct evaluations
IT Products
Security Features and Assurances
Common Criteria Testing Labs
Vendors bring IT products to independent,
impartial testing facilities for security
evaluation
Test results submitted to the National
Information Assurance Partnership (NIAP) for
post-evaluation validation
12
Validating Test Results
Validation Body validates laboratory's test
results
Validation Report
Common Criteria Validation Body
Laboratory submits test report to Validation Body
NIAP issues Validation Report and Common Criteria
Certificate
13
Mutual Recognition Arrangement
  • National Information Assurance Partnership
    (NIAP), in conjunction with the U.S. State
    Department, negotiated a Recognition Arrangement
    that
    • Provides recognition of Common Criteria
      certificates by 19 nations
      • Canada, United Kingdom, France, Germany,
        Australia, New Zealand, Greece, Norway, Finland,
        Italy, Israel, Spain, The Netherlands, Japan,
        Hungary, Austria, Sweden, Turkey, US
    • Eliminates need for costly security evaluations
      in more than one country
    • Offers excellent global market opportunities for
      U.S. IT industry

14
Industry Use of the CC
  • Industry can use the CC paradigm in several
    important ways
    • For IT security requirements definition (by
      technology area and sector)
      • PPs
      • STs
    • By encouraging vendors/developers to undergo IT
      security evaluations and assessments
    • By giving acquisition preference/consideration to
      evaluated products (all things being equal)
      • Meets requirements
      • Meets cost-benefit (and other) requirements

15
Developing Security Requirements (Technology Area
and Industry Sector)
[Diagram; labels only]
  • Generalized, Consumer Driven Security Requirements
  • Technology Area Protection Profiles: Database
    Systems, Operating Systems, Firewalls, Applications
  • Industry sectors: Defense, Banking, Process
    Control, Insurance, Healthcare, Finance,
    Transportation, Manufacturing
  • Operating System PP, DBMS PP, Firewall PP,
    Application PP
  • IT System Security Requirements
  • Enterprise Information Systems within Sectors
16
NIST Forums (Technology Area and Industry Sector)
  • Focus on security requirements definition
  • Achieve results in community driven, cooperative
    environment
  • Reach critical mass and rapid convergence on IT
    security requirements
  • Raise security bar across the board; increase
    later
  • May require compromise on less than optimal
    solutions
  • Contribute requirements to standards groups

17
Forum Expectations
  • Community ownership of security requirements
    • Leadership
    • Funding/resources
    • Technical expertise
  • Community adoption and enforcement through
    acquisition
  • Increased demand for evaluated IT products and
    systems

18
Recent Forum Successes
  • Smart Card Security Users Group (Technology Area)
  • Healthcare Security Forum (Industry Sector)
  • Process Control Security Forum (Industry Sector)
  • Telecommunications Security Forum (Industry Sector)

19
Potential Forums
  • Technology Areas
    • Operating Systems
    • Database Systems
    • Firewalls
    • Biometrics
  • Industry Sectors
    • Insurance
    • Audit and Controls
    • Banking and Finance
    • Manufacturing

20
Future
  • Identify areas of common interest for NIST and
    IEEE
  • Identify potential vehicles for cooperation and
    collaboration, e.g., standard activity,
    workshops, conferences, forums
  • Follow-on meetings to discuss implementation
    details

21
Contact Information
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899
(301) 975-4768
skatzke_at_nist.gov
fax (301) 975-4964