1CSC 474/574 Dr. Peng Ning 1Computer ScienceCSC 474/574Information Systems SecurityTopic 5.2: Evaluation of secureinformation systemsCSC 474/574 Dr. Peng Ning 2Computer ScienceWhat are Security Criteria?• (User view) A way to define InformationTechnology (IT) security requirements for some ITproducts:– Hardware– Software– Combinations of above• (Developer view) A way to describe securitycapabilities of their specific product• (Evaluator view) A tool to measure the confidencewe may place in the security of a product.2CSC 474/574 Dr. Peng Ning 3Computer ScienceHistory of IT Security CriteriaOrange Book(TCSEC) 1985ITSEC1991UK ConfidenceLevels 1989Federal CriteriaDraft 1993Canadian Criteria(CTCPEC) 1993Common Criteriav1.0 1996v2.0 1998German CriteriaFrench CriteriaISOFDIS 15408 ‘99CSC 474/574 Dr. Peng Ning 4Computer ScienceTrusted Computer System EvaluationCriterion (“The Orange Book”)• Issued under authority of an in accordance with DoDDirective 5200.28, Security Requirements forAutomatic Data Processing (ADP) Systems• Purpose is to provide technicalhardware/firmware/software security criteria andassociated technical evaluation methodologies insupport of overall ADP system security policy,evaluation and approval/accreditation responsibilitiespromulgated by DoD3CSC 474/574 Dr. Peng Ning 5Computer ScienceFundamental Computer SecurityRequirements• What it really means to call a computer system"secure"• Secure systems control access to information– Only properly authorized individuals, or processesoperating on their behalf may:• Read• Write• Create• Delete• Two sets of requirements:– Four deal with what needs to be provided to control accessto information– Two deal with how one can obtain credible assurances thatthis is accomplished in a trusted computer systemCSC 474/574 Dr. Peng Ning 6Computer ScienceOrange Book Classes• A1 Verified Design• B3 Security Domains• B2 Structured Protection• B1 Labeled Security Protection• C2 Controlled Access Protection• C1 Discretionary SecurityProtection• D Minimal ProtectionNO SECURITYHIGH SECURITY4CSC 474/574 Dr. Peng Ning 7Computer ScienceFunctionality v. AssurancefunctionalityassuranceC1C2B1B2B3 A1• functionality is multi-dimensional• assurance has a linearprogressionCSC 474/574 Dr. Peng Ning 8Computer ScienceOrange Book Classes — Unofficial View• C1, C2 Simple enhancement of existingsystems. No breakage of applications• B1 Relatively simple enhancement of existingsystems. Will break some applications.• B2 Relatively major enhancement of existingsystems. Will break many applications.• B3 Failed A1• A1 Top down design and implementation of anew system from scratch5CSC 474/574 Dr. Peng Ning 9Computer ScienceNCSC Rainbow Series — Selected Titles• Orange Trusted Computer System EvaluationCriteria• Yellow Guidance for Applying the OrangeBook• Red Trusted Network Interpretation• Lavender Trusted Database InterpretationCSC 474/574 Dr. Peng Ning 10Computer ScienceOrange Book Criticisms• Mixes various levels of abstraction in a singledocument• Does not address integrity of data• Combines functionality and assurance in asingle linear rating scale– They are indeed other combinations.6CSC 474/574 Dr. Peng Ning 11Computer ScienceInternational CriteriaORANGEBOOKITSECCTCPECMore Flexibility in Application to Non-MilitaryUseBroader FunctionalityBroader AssuranceAddress Functionality DirectlyBroader AssuranceBroader FunctionalityBroader AssuranceCSC 474/574 Dr. Peng Ning 12Computer ScienceWhy New International Criteria?SECURITYCRITERIA&PRODUCTEVALUATIONDRIVING FACTORSDRIVING FACTORSINTERNATIONAL COMPUTER MARKET TRENDSMUTUAL RECOGNITION OF SECURITY PRODUCT EVALUATIONSEVOLUTIONANDADAPTATIONOF ORANGE BOOKSYSTEMSECURITYCHALLENGESOF THE90'SA LARGERA LARGERWORLD-VIEWWORLD-VIEWIS NEEDEDIS NEEDED7CSC 474/574 Dr. Peng Ning 13Computer ScienceCC Project• In Spring 1993, the following governments agreed todevelop a “Common Information TechnologySecurity Criteria”– Canada– France– Germany– Netherlands– UK– USA - NIST and NSA• Objectives– Common evaluation methodology– Mutual recognitionCSC 474/574 Dr. Peng Ning 14Computer ScienceCC• Three major drafts– v0.6 - circulated for comments by a limitedaudience in 4/94– v0.9 - Published in 11/94 for public review– v0.1 - More definitive version in 2/96 for trial use• CC Version 2.0– Accepted as an International StandardsOrganization (ISO) security standard in 5/98 (ISOInternational Standard 15408)– US, Canada, France, Germany, and UK officiallyagreed on mutual recognition in 10/988CSC 474/574 Dr. Peng Ning 15Computer ScienceCommon Criteria (CC)• Part 1: Introduction and General Model– Terminology, derivation of requirements andspecifications, PP & ST Normative• Part 2: Security Functional Requirements– Desired information technology security behavior• Part 3: Security Assurance Requirements– Measures providing confidence that the securityfunctionality is effectively and correctlyimplemented.CSC 474/574 Dr. Peng Ning 16Computer ScienceWithin Scope of CC• Basis for evaluation of security properties ofIT products and systems• Allows independent evaluations to becompared• Addresses protection of information from– unauthorized disclose (confidentiality)– modification (integrity),– loss of use (availability)• Applicable to IT security measuresimplemented in HW, SW, and firmware.9CSC 474/574 Dr. Peng Ning 17Computer ScienceOutside Scope of CC• Administrative and legal application of CC• Administrative security measures• Physical aspects of IT security• Evaluation methodology• Mutual recognition arrangements• Cryptographic algorithms• Accreditation & certification processesCSC 474/574 Dr. Peng Ning 18Computer ScienceTerminology• Protection profile (PP)• Security target (ST)• Target of evaluation (TOE)10CSC 474/574 Dr. Peng Ning 19Computer ScienceProtection Profile• Answer the question:– “This is what I want or need.”• Implementation independent• Protection profile authors:– Anyone who wants to state IT security needs (e.g.,commercial consumer, consumer groups)– Anyone who supplies products which support ITsecurity needs– Others (security officers, auditors, accreditors, etc.)CSC 474/574 Dr. Peng Ning 20Computer ScienceSecurity Target• Answer the question:– “This is what I have.”• Implementation dependent• Security target authors–