Omissions and errors in the CC
Who got it right?
8ICCC, Denise Cater
Security Standards
ISO alone have issued:
• ISO15408 – Common Criteria
• ISO19092 – Financial Service – Security
• ISO19790 – Security Requirements for Cryptographic modules (FIPS 140)
• ISO27001 – Information Security Management
• ISO27002 (formerly ISO 17799) – ISMS best practice
Many standards: One CC
• Catalogue of security components:
  – Functional
  – Assurance
• Focus on repeatability
  – Voluminous guidance for consistent application
  – Scheme rules and interpretations
= “Heavy” process
Payment Industry Security Standards
• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP
APACS application of CC
• Own Certification Body
  – Appointment of labs
  – Issuing of certificates
• Focus on CC
  – Less emphasis on CEM
• Concentration of efforts
  – Design and testing seen as paramount
  – Procedural requirements seen as supporting
Smartcard Industry
• Developed PPs
• Generated own interpretations
  – Adopted as CC Supporting Documents
  – Included own Attack Potential Table
• Examples of Smartcard Specific Attacks
Smartcard Industry
• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery
Adapt to Adopt
• Both industries have made changes to use CC
  – Interpretations
  – Greater emphasis in some areas, less in others
Who got it right?
• The CC of course!
  – Providing a catalogue that Industry and other schemes can draw upon
• But, also Industry/other schemes
  – Focus on areas of specific interest
  – Light-touch on other areas
Who got it wrong?
• Those who requested EALs to be included in CC (for backwards compatibility)
  – Led to “incorrect” use of CC
  – Initially fewer PPs developed, as effort just concentrated on assurance level
Who got it wrong?
• Authors of the CEM or CC Schemes?
  – Too prescriptive
  – Forcing evaluators to complete work units at a level of detail that is not always necessary
  – Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis
In summary
• CC got it right
• CC got it wrong
But, Industry can adapt the CC to adopt it