Computer and Network Security
Common Criteria
R. E. Newman
Computer & Information Sciences & Engineering University Of Florida
Gainesville, Florida 32611-6120 nemo@cise.ufl.edu
Common Criteria
Consistent Terminology, Practices, Mechanisms
1 Definitions
1.1 Security vs. assurance vs. trust
Common Criteria
Cooperative effort among Canada, France, Germany, The Netherlands, UK, USA (NSA, NIST)
Defines sets of security criteria that may be used to define needs and claims
Does NOT:
- Specify a development approach for products
- Specify particular forms or formats for product specification
- Specify an evaluation methodology
- Guarantee fitness for use of an evaluated product
CC Terms
Class − grouping of families with a common focus
Component − smallest selectable set of elements for inclusion in a PP, ST, or package
Element − an indivisible security requirement
Evaluation − assessment of a PP, ST or TOE against defined criteria
Evaluation Assurance Level (EAL) − a package of assurance components from Part 3 representing a point on the CC predefined assurance scale
Evaluation Scheme − an administrative and regulatory framework under which the CC is applied
Family − a grouping of components that share security objectives but differ in emphasis or rigor
Package − a reusable set of either functional or assurance components (e.g., an EAL) that together satisfy a defined set of security objectives
Protection Profile (PP) − an implementation−independent set of security requirements for a category of TOEs that meets specific customer needs
CC Terms
Security Function (SF) − a part or parts of the TOE relied upon to enforce a subset of the rules of the TSP
Security Function Policy (SFP) − the security policy enforced by an SF
Security Objective − a statement of intent to counter identified threats and/or to satisfy identified organizational security policies or assumptions
Security Target (ST) − a set of security requirements and specifications to be used to evaluate an identified TOE
Strength of Function (SOF) − a qualification of a TOE SF expressing the minimum effort assumed to be required to defeat its underlying mechanisms
Target of Evaluation (TOE) − an IT product or system and its administrative and user guides that is subject to evaluation
TOE Security Functions (TSF) − the hardware, firmware, and software that enforce the TSP of a TOE
TOE Security Policy (TSP) − a set of rules that regulate how assets are managed, protected, and distributed in a TOE
TOE Evaluation Process
[Diagram; only the node labels survive extraction. Nodes: Security Requirements (PP and ST); Develop TOE; TOE and Evidence; Evaluate TOE, which draws on the Evaluation Criteria, Evaluation Scheme and Evaluation Methodology; Evaluation Results; Operate TOE; with a feedback path from operation back to the requirements.]
TOE Evaluation Representation Requirements
At each level of refinement in the TOE specification and development process, representations must be detailed and complete enough to ensure:
(a) Sufficiency − that the refinement is a complete instantiation of the higher levels (i.e., all TSFs, properties, and behaviors defined at a higher level must be demonstrably present at the lower level);
(b) Necessity − that the refinement is an accurate instantiation of the higher levels (i.e., there are no TSFs, properties or behaviors at the lower level that are not present at a higher level).
TOE Security Environment
The TSE includes all relevant laws, regulations, organizational security policies, customs, knowledge, expertise, and threats present or assumed (CONTEXT).
The PP or ST writer must take into account:
a) physical environment (including physical protection, personnel);
b) assets requiring protection (direct and indirect);
c) TOE purpose (product type and intended use).
Security statements about the TOE made after threat, risk, and policy investigation:
a) assumptions about the environment for the TOE to be considered secure;
b) threats to asset security − threat agent, presumed attack method, vulnerabilities exploited, assets attacked;
c) applicable organizational policies and rules.
TOE Security Objectives
Statement of goals regarding threats to counter or policies to meet, based on the purpose of the TOE and its assumed environment
Addresses all security concerns and declares which are to be handled by the TOE and which by its environment, based on engineering judgement, security policy, economic factors, and risk acceptance decisions.
Security objectives for the environment are met by non−technical and procedural means
Security objectives for the TOE and its IT environment are refined into IT Security Requirements
TOE IT Security Requirements
Refinement of the security objectives for the TOE and its IT environment which, if met, would ensure that the TOE meets its security objectives.
Decomposed into Functional Requirements and Assurance Requirements
If TOE SFs are realized by probabilistic or permutational mechanisms (e.g., hash functions, passwords, ...), then an SOF may be specified (SOF−basic, SOF−medium, SOF−high)
Functional requirements (Part 2) are levied on TSFs and include I&A, audit, non−repudiation, ...
Assurance requirements (Part 3) are levied on a) actions of the developer, b) evidence produced, and c) actions of the evaluator; assurance is derived from a) correctness of the implementation of the SFs and b) efficacy of the SFs
TOE Summary Specification
Part of Security Target (ST)
Defines instantiation of security requirements for TOE:
High−level definition of Security Functions (SFs) claimed to meet the functional requirements; and
Assurance measures taken to meet assurance requirements.
Dependencies
May exist between functional components
May exist between assurance components
May exist between functional and assurance components
Arise when a component is not sufficient by itself and relies on the presence of another component
Dependency descriptions are part of CC component definitions
Must be satisfied when incorporating components into PPs and STs for completeness
Operations on Components
Iteration − the component may be used more than once with varying operations
Assignment − specification of a parameter to be filled in when the component is used
Selection − specification of items from a list given in the component
Refinement − addition of extra detail when the component is used
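An added example (not from these slides) applying all four operations to one functional element. The element text follows FAU_GEN.1.1 as recalled from CC Part 2 (assumption; treat the exact wording as illustrative): a selection must be one of the bracketed alternatives, an assignment fills in the author's own parameter, iteration numbers the resulting instance, and a refinement appends extra detail.

```python
# Added example: instantiating a CC component element with the four operations.
# ELEMENT text follows FAU_GEN.1.1 as recalled from CC Part 2 (assumption).
import re

ELEMENT = ("FAU_GEN.1.1",
           "The TSF shall be able to generate an audit record of the following "
           "auditable events: a) Start-up and shutdown of the audit functions; "
           "b) All auditable events for the [selection: minimum, basic, detailed, "
           "not specified] level of audit; and c) [assignment: other specifically "
           "defined auditable events].")


def instantiate(element, iteration=None, selections=(), assignments=(), refinement=""):
    """Apply iteration, selection, assignment and refinement to an element.
    Selections are validated against the list in the element; assignments fill
    the bracketed parameters in order; an operation left uncompleted is an
    error, since an ST may not contain unresolved operations.
    Returns (identifier, completed element text)."""
    ident, text = element
    if iteration is not None:                     # iteration: FAU_GEN.1.1(2)
        ident = f"{ident}({iteration})"

    sel_iter = iter(selections)

    def fill_selection(match):
        allowed = [s.strip() for s in match.group(1).split(",")]
        chosen = next(sel_iter, None)
        if chosen is None:                        # nothing supplied: leave as is
            return match.group(0)
        if chosen not in allowed:
            raise ValueError(f"{chosen!r} is not one of {allowed}")
        return chosen

    text = re.sub(r"\[selection: ([^\]]+)\]", fill_selection, text)

    asg_iter = iter(assignments)
    text = re.sub(r"\[assignment: [^\]]+\]",
                  lambda m: next(asg_iter, m.group(0)), text)

    if "[" in text:
        raise ValueError("uncompleted operation left in element: " + text)
    if refinement:                                # refinement: extra detail
        text = text.rstrip(".") + ". " + refinement
    return ident, text


if __name__ == "__main__":
    print(instantiate(ELEMENT, iteration=1, selections=["basic"],
                      assignments=["failed TLS handshakes"],
                      refinement="Records shall include the client IP address."))
```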
Packages
Intermediate combination of components
Permits expression of a set of functional or assurance requirements that meet an identifiable subset of security objectives
Intended for reuse
May be used in larger packages, PPs, STs
EALs (Evaluation Assurance Levels) are predefined assurance packages in Part 3.
Each EAL is a baseline set of consistent assurance requirements for evaluation
Protection Profiles
Consistent set of functional and assurance requirements, either
- from the CC, or
- stated explicitly,
along with an EAL (perhaps augmented)
Permit expression of security requirements for a set of TOEs that will comply fully with a set of security objectives
Intended for reuse
Contains rationale for objectives and requirements
Security Targets
A consistent set of security requirements made
- by reference to a PP,
- by reference to CC functional and assurance components, or
- by explicit statement
Contains the TOE Summary Specification, along with security requirements and objectives, and rationales for each
Basis for agreement among all parties as to what security the TOE offers
Protection Profile Specification
PP Introduction
- PP identification
- PP overview
TOE Description
TOE Security Environment
- Assumptions
- Threats
- Organizational security policies
Security Objectives
- For the TOE
- For the environment
IT Security Requirements
- TOE Security Requirements
  - TOE functional reqts
  - TOE assurance reqts
- Sec Reqts for the IT Env.
PP Application Notes
Rationale
- For Security Objectives
- For Security Requirements
Security Target Specification
ST Introduction
- ST identification
- ST overview
- CC conformance
TOE Description
TOE Security Environment
- Assumptions
- Threats
- Organizational security policies
Security Objectives
- For the TOE
- For the environment
IT Security Requirements
- TOE Security Requirements
  - TOE functional reqts
  - TOE assurance reqts
- Sec Reqts for the IT Env.
TOE Summary Specification
- TOE Security Functions
- Assurance measures
PP Claims
- PP reference
- PP tailoring
- PP additions
Rationale
- For Security Objectives
- For Security Requirements
- For TOE Summary Specification
- For PP Claims