EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS

Ravi Sandhu
George Mason University
Fairfax, Virginia
USA

SECURITY OBJECTIVES
SECRECY (CONFIDENTIALITY)
INTEGRITY
AVAILABILITY (DENIAL OF SERVICE)

SECURITY TECHNIQUES
Prevention: access control
Detection: auditing
Tolerance: practicality

Good prevention and detection both require good authentication as a foundation.

SECURITY TRADEOFFS
SECURITY
COST
FUNCTIONALITY
EASE OF USE

ACHIEVING SECURITY
Policy: what?
Mechanism: how?
Assurance: how well?

EVALUATION CRITERIA
Figure: a SECURITY TARGET (stating policy, mechanism and assurance) on one side and the PRODUCT on the other, with "??" marking the link between them that evaluation must establish.

CRITERIA DATES
Figure: timeline (ticks at 1985, 1990, 1995) of criteria releases: USA ORANGE BOOK; UK and Germany; Canadian CTCPEC (versions 1.0, 2.0, 3.0); France; European Community ITSEC (versions 1.0, 1.2); US Federal Criteria (1.0); Common Criteria.

CRITERIA RELATIONSHIPS
Figure: relationship diagram linking the USA ORANGE BOOK, the UK, German and French national criteria, the European Community ITSEC, Canada's criteria, the Federal Criteria (DRAFT) and the Common Criteria (PROPOSED).

DRIVING FACTORS
Figure: factors driving COMMON CRITERIA & PRODUCT EVALUATION: international computer market trends; compatibility with existing criteria; mutual recognition of evaluations; system security challenges of the 90's.

ORANGE BOOK
(The criteria relationship diagram from CRITERIA RELATIONSHIPS is repeated here to locate the USA ORANGE BOOK among the UK, German, French, ITSEC, Canadian, DRAFT Federal Criteria and PROPOSED Common Criteria entries.)

ORANGE BOOK CLASSES
(from HIGH SECURITY down to NO SECURITY)
A1  Verified Design
B3  Security Domains
B2  Structured Protection
B1  Labeled Security Protection
C2  Controlled Access Protection
C1  Discretionary Security Protection
    Minimal Protection

ORANGE BOOK CLASSES: UNOFFICIAL VIEW
C1, C2  Simple enhancement of existing systems. No breakage of applications.
B1      Relatively simple enhancement of existing systems. Will break some applications.
B2      Relatively major enhancement of existing systems. Will break many applications.
B3      Failed A1
A1      Top down design and implementation of a new system from scratch

ORANGE BOOK CRITERIA
SECURITY POLICY
ACCOUNTABILITY
ASSURANCE
DOCUMENTATION

SECURITY POLICY
Table: security policy requirements against the classes C1, C2, B1, B2, B3 and A1; a "+" marks the class at which a requirement is added. Requirements (rows): Discretionary Access Control; Object Reuse; Labels; Label Integrity; Exportation of Labeled Information; Labeling Human-Readable Output; Mandatory Access Control; Subject Sensitivity Labels; Device Labels.

ACCOUNTABILITY
Table: accountability requirements against the classes C1, C2, B1, B2, B3 and A1; a "+" marks the class at which a requirement is added. Requirements (rows): Identification and Authentication; Audit; Trusted Path.

ASSURANCE
Table: assurance requirements against the classes C1, C2, B1, B2, B3 and A1; a "+" marks the class at which a requirement is added. Requirements (rows): System Architecture; System Integrity; Security Testing; Design Specification and Verification; Covert Channel Analysis; Trusted Facility Management; Configuration Management; Trusted Recovery; Trusted Distribution.

DOCUMENTATION
Table: documentation requirements against the classes C1, C2, B1, B2, B3 and A1; a "+" marks the class at which a requirement is added. Requirements (rows): Security Features User's Guide; Trusted Facility Manual; Test Documentation; Design Documentation.

ORANGE BOOK CRITICISMS
Does not address integrity or availability
Combines policy and assurance in a single linear rating scale
Mixes policy and mechanism
Mixes policy and assurance

POLICY VS ASSURANCE
Figure: policy (vertical axis) plotted against assurance (horizontal axis). The Orange Book classes C1, C2, B1, B2 and B3 step up along a single diagonal, and A1 sits at the same policy level as B3, differing from it only in assurance.

EUROPEAN ITSEC
(The criteria relationship diagram from CRITERIA RELATIONSHIPS is repeated here to locate the European Community ITSEC among the USA ORANGE BOOK, UK, German, French, Canadian, DRAFT Federal Criteria and PROPOSED Common Criteria entries.)

POLICY ASSURANCE UNBUNDLING
Figure: EVALUATION is split into POLICY (or FUNCTIONALITY) and ASSURANCE; ASSURANCE is in turn split into EFFECTIVENESS and CORRECTNESS.

POLICY IN ITSEC

Open ended
Orange Book classes are grand-fathered in
Some new classes are identified


ORANGE BOOK POLICY GRAND-FATHERING
ITSEC   ORANGE BOOK
F-C1    C1
F-C2    C2
F-B1    B1
F-B2    B2
F-B3    B3

ITSEC NEW POLICIES
ITSEC   OBJECTIVE
F-IN    High Integrity Requirements
F-AV    High Availability Requirements
F-DI    High Data Integrity during Data Exchange
F-DC    High Data Confidentiality during Data Exchange
F-DX    Networks with High Confidentiality and Integrity
Others can be defined as needed.

ASSURANCE: EFFECTIVENESS
CONSTRUCTION
  Suitability Analysis
  Binding Analysis
  Strength of Mechanism Analysis
  List of Known Vulnerabilities in Construction
OPERATION
  Ease of Use Analysis
  List of Known Vulnerabilities in Operational Use

ASSURANCE: CORRECTNESS
ITSEC   ORANGE BOOK (very roughly)
E0
E1      C1
E2      C2
E3      B1
E4      B2
E5      B3
E6      A1

US DRAFT FEDERAL CRITERIA
(The criteria relationship diagram from CRITERIA RELATIONSHIPS is repeated here to locate the DRAFT Federal Criteria among the USA ORANGE BOOK, UK, German, French, ITSEC, Canadian and PROPOSED Common Criteria entries.)

INFLUENCES ON FEDERAL CRITERIA
Figure: inputs feeding the Federal Criteria for IT Security: NIST/NSA joint work; EC ITSEC; commercial and independent initiatives; NIST's IT Security Requirements Study; Canada; TPEP; integrity research; the NRC report "GSSP"; Minimum Security Functionality Requirements (MSFR); advances in technology; the Orange Book.

ITSEC EVALUATION
Figure: as in EVALUATION CRITERIA, a SECURITY TARGET (policy, mechanism, assurance) on one side and the PRODUCT on the other, with "??" marking the link between them that evaluation must establish.

FEDERAL CRITERIA EVALUATION
Figure: a customer-supplied PROTECTION PROFILE (policy, assurance) is answered by a vendor-supplied SECURITY TARGET (policy, mechanism, assurance), against which the PRODUCT is evaluated; "??" marks the links between profile, target and product that evaluation must establish.

PROTECTION PROFILE STRUCTURE
A PROTECTION PROFILE consists of:
  Descriptive Elements Section
  Product Rationale Section
  Functional Requirements Section
  Development Assurance Requirements Section
  Evaluation Assurance Requirements Section

FROM PROFILE TO PRODUCT
Figure: a Registry of Protection Profiles (PP1, PP2, ..., PPn) is the input to Protection Profile Analysis (PPA); each Security Target (ST pp1 ... ST ppn) is derived from one profile and realised by a product (Product 1 ... Product n), and each product undergoes its own evaluation (Evaluation 1, Evaluation 2, Evaluation 3, ...).
PPA = Protection Profile Analysis

TOWARDS A COMMON CRITERIA
(The criteria relationship diagram from CRITERIA RELATIONSHIPS is repeated here to locate the PROPOSED Common Criteria among the USA ORANGE BOOK, UK, German, French, ITSEC, Canadian and DRAFT Federal Criteria entries.)

COMMON CRITERIA PLAN
Figure: ITSEC 1.2 (usage and reviews), Canada CTCPEC 3.0 (usage and reviews), Orange Book usage and FedCrit 1.0 (public comment) feed a CC Editorial Board and Joint Technical Groups; EC-NA alignment leads to the Common Criteria and on to ISO SC27 WG3.
Schedule: 1994 initial target; 1996 more likely.

CHALLENGES THAT REMAIN
Complexities of the open distributed computing and management environments (including use of crypto in conjunction with COMPUSEC)
Systems and composability problems
Trusted applications development and evaluation methods, including high integrity and high availability systems
Guidance on using IT security capabilities cost effectively in commercial environments
Speedy but meaningful product and system evaluations, and evaluation rating maintenance
