Slide 1: Introduction to the Common Criteria and the Underlying Concepts of Trust in Computer Systems
Michael McEvilley
SIGAda 2002 Tutorial SF3
December 8, 2002
Decisive Analytics
Slide 2: Tutorial Objectives - Understanding
– Security concepts and the principles behind establishing trust in security functions
– The contents and concepts of the Common Criteria
– The philosophy behind the CC and the resultant limitations of the CC
Slide 3: Tutorial Objectives - Recognition
– The similarities and differences in establishing assurance for security-critical and other critical application domains
  – Concepts vs. terminology
  – Development and verification processes
Slide 4: Discussion Topics
– Security Concepts & the CC
– CC Document Conceptual Walk-through
  – CC Part I – Introduction & General Model
  – CC Part II – Functional Requirements: requirements organization, overview, operations
  – CC Part III – Assurance Requirements: requirements organization, overview, operations
Slide 5: What Is the CC?
“Common Criteria for Information Technology Security Evaluation”
– Common Criteria
  – Meta-standard containing constructs and criteria used to develop security specifications
– Specification constructs
  – Protection Profile (PP)
  – Security Target (ST)
– Requirements criteria
  – Functional
  – Assurance
… in support of the evaluation of products and systems
Slide 6: CC Functional Criteria
– Specify the security properties of IT products and systems that address
  – Unauthorized disclosure (confidentiality, privacy)
  – Unauthorized modification (integrity)
  – Loss of use (availability)
  – Verification of identity (Identification and Authentication (I&A))
  – Accountability for operations (audit, non-repudiation)
– Provide a basis for comparison of different design or implementation solutions
Slide 7: CC Assurance Criteria
– Specify the properties for verification of development life-cycle activities
– Specify the properties for accumulation and verification of a continuity of knowledge as systems evolve
  – Continuity of knowledge ~ maintenance
– Provide a basis for comparison of the results of independent evaluations
Slide 8: Application of the CC
[Figure: the three parts of the CC – Part 1 Introduction & General Model, Part 2 Functional Requirements, Part 3 Assurance Requirements.]
– Process Independence
  – CC constructs may be integrated with existing system life-cycle processes
– Technology Independence
  – CC requirements are independent of technology and implementation (hardware, software, firmware)
– Functionality Independence
  – CC criteria are independent of requirements specific to any business or mission case
– Goal Independence
  – Originally developed to support formal evaluation
  – Being applied in new and diverse contexts
Slide 9: CC Terms
– Target of Evaluation (TOE)
  – An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation
  – The differentiation between product and system is not clear; think in terms of components
[Figure: single-component TOE, multi-component TOE, system TOE.]
Slide 10: CC Terms
– TOE Security Policy (TSP)
  – Set of rules that define how resources are managed, protected and distributed by the TOE
– TOE Security Functions (TSF)
  – The parts of the TOE implementation that are relied upon for the correct enforcement of the TOE Security Policy (TSP)
– TSF Interfaces (TSFI)
  – Interfaces to the TOE security functions, both internal to the TOE and external to the TOE
Slide 11: CC Terms
– IT Environment
  – IT components that are not part of the TOE but with which the TOE shares a trusted relationship
  – Trust relationship: authentication of communication participants and secure methods to transfer information
– Non-IT Environment
  – The physical aspects of the location(s) in which the TOE is placed and operates
Slide 12: Illustration - TOE, TSF, TSFI
[Figure: the Target of Evaluation (TOE) comprises Non-Security Functions and the TOE Security Functions (TSF); the TSF Interfaces (TSFI) are the interfaces to the TSF.]
Slide 13: Illustration - Non-IT Environment
[Figure: the TOE surrounded by its Non-IT environment.] The Non-IT environment consists of the physical aspects of the location(s) in which the TOE is placed and operates.
Slide 14: Illustration - IT Environment
[Figure: the TOE and an IT Product drawn inside a circle, which sits inside a square.]
– The general environment is enclosed inside the square, i.e., the ‘world’
– The TOE environment is enclosed inside the circle
  – Non-IT environment: implemented by the physical world
  – IT environment: implemented by IT capabilities
Slide 15: Practical Illustration - Web Server (TOE) - Certificate Server (IT Environment)
[Figure: the Web Server is the TOE and the Certificate Server is an IT Product in the IT environment of the TOE; each has its own Non-IT environment, the Non-IT environment of the Web Server (TOE) and the Non-IT environment of the Certificate Server (IT environment of the TOE).]
Slide 16: Interfaces
– Rules for interaction between components
– Typically specified independent of functionality
  – message interface
  – programming interface (API)
  – services interface
  – plug-in interface
– May be internal or external
Slide 17: Trust Relationships
– Rules for secure interaction between components
  – special form of interface
  – subset of interface specification
– From the CC perspective
  – internal to the TOE
  – between the TOE and a remote trusted component (the IT environment)
Slide 18: Establishing Trust Relationships
– Trusted channels provide the mechanism for trust relationships between security components
  – authentication of endpoints
  – secure communication protocol: integrity, confidentiality, recovery
– Trusted channels provide the mechanism for the trust relationship between user and TSF
Slide 19: CC Trust Relationship Terms
– Trusted Channel
  – the means by which the TSF communicates securely with another part of the TSF or with a remote trusted IT product
– Trusted Path
  – the means by which a user communicates securely with the TSF
  – trusted paths are built on trusted channels
Slide 20: Trusted Relationship Concept - TOE & IT Environment
– Trust relationship between TOE and IT environment requires
  – establishment of trust between the communicants via two-way authentication
  – protecting information from modification and disclosure
[Figure: the TSF of the TOE and the Security Functions of the IT Product are joined by a Trusted Channel through a Trusted Interface on each side.]
Slide 21: Trusted Relationship Concept - Networked/Distributed TOE
– No IT Environment: the TSF is a single logical entity although the parts are physically distributed
– Regardless, the requirements remain
  – establishment of trust between the distributed TSF components
  – protecting information from modification and disclosure
[Figure: two physically separate TSF parts of the same TOE joined through Trusted Interfaces by an Internal Channel of the TOE.]
Slide 22: Security Evaluation Issues
[Figure: a TOE (Operating System) whose TSF consists of three subsystems, Process Management, File Management and Memory Management, with one external interface to the TSF and three internal subsystem interfaces.]
– TSF consists of three subsystems
  – one external interface to the TSF
  – three internal subsystem interfaces
Slide 23: Descriptive Walkthrough of the Common Criteria
Slide 24: Common Criteria Part I - Introduction & General Model
Slide 25: The CC Requirements Specification Framework
– Specification Constructs
  – Protection Profiles
  – Security Targets
  – Packages
Slide 26: Specification Framework Purpose
– Present a “Security Case”
  – Context / problem statement: Introduction, TOE Description, Environment information (Assumptions, Threats, Policies)
  – Statement of solution: Objectives, Functional and assurance requirements
  – Rationale to substantiate the solution
Slide 27: CC Specification Constructs
– Protection Profile (PP)
  – An implementation-independent characterization of required security capabilities and verification activities
– Security Target (ST)
  – An implementation-dependent statement of security capabilities and verification activities used as the basis for the TOE evaluation
  – Complete requirement and implementation detail
– Package
  – Reusable set of functional and/or assurance requirements
Slide 28: Purpose of the PP
– To provide a means for the statement of security requirement needs
  – for acquisition
  – for development
  – for certification & accreditation
  – for any unique security documentation requirement
– PPs establish
  – a basis for ST development
  – a common reference for ST comparison and assessment
Slide 29: Protection Profile Granularity
– Requirement detail granularity is at the discretion of the PP author
– Increasing detail & constraints means fewer options & less flexibility
[Figure: a spectrum from an abstract, high-level, conceptual PP to a capability- or technology-focused PP.]
Slide 30: Purpose of the ST
– To provide a means for developers and system integrators to state the security requirements of a component, product or system
  – in response to a PP
  – independent of a PP
– STs establish
  – the basis for a TOE evaluation
Slide 31: PP/ST Contents/Comparison
Protection Profile:
– Identification
– Overview
– TOE Description
– Security Environment
  – Assumptions, Threats, Policies
– Security Objectives
– Security Requirements
  – Functional, Assurance (EAL)
– Rationale
Security Target: the same sections as the PP, plus
– TOE Summary Specification
– CC Conformance Claim
– PP Claims
Slide 32: PP Evaluation
– Verifies that the PP meets the criteria defined by the APE assurance class
  – Technical correctness vs. applicability
– Establishes an approved specification repository from which compliant components may be developed or verified
  – Often referred to as a registry
  – Managed by a controlling [regulatory] organization
Slide 33: ST Evaluation
– Verifies that the ST serves as a suitable basis for the TOE evaluation
  – Technical correctness
– Verifies that the ST is an accurate instantiation of each profile to which it claims compliance
  – PP compliance claim is optional
– The ST is typically evaluated with the TOE
Slide 34: ST & TOE Evaluation
– TOE evaluation includes the ST, the TOE and the evaluation evidence
– The ST must be evaluated first to establish a basis for the TOE evaluation
– ST evaluation is not complete until the TOE evaluation completes
  – The ST must be sufficiently complete to enable the TOE evaluation
Slide 35: PP/ST Relationship
– An ST may be derived from a PP
– An ST may be developed independent of a PP
– The ST author has the option to establish the relationship between the ST and a PP
  – referred to as a PP Claim
  – one ST may be related to multiple PPs
  – each PP claim must be substantiated by the ST author
Slide 36: CC Requirements Specification Framework (PP/ST) Contents
Slide 37: Basis for Requirements
ALL TOE security requirements ultimately arise from consideration of the purpose of the TOE and the context in which the TOE operates.
Slide 38: PP/ST Development Activities
[Figure: three activities in sequence, Establish Security Environment, Establish Security Objectives and Establish Security Requirements; each is derived from the one before it (Derivation) and each substantiates the one before it (Substantiation).]
A specification framework with checks and balances to provide end-to-end correctness.
Slide 39: PP/ST Development Activities - Establish Security Environment
[Figure: inputs are the TOE Physical (Non-IT) Environment, the TOE IT Environment, the Assets Requiring Protection and the TOE Scope and Purpose; outputs are the Secure Usage Assumptions, the Organizational Security Policies (OSPs) and the Threats.]
Slide 40: PP/ST Development Activities - Establish Security Objectives
[Figure: inputs are the Secure Usage Assumptions, the Organizational Security Policies (OSPs) and the Threats; outputs are the Non-IT Environment Objectives, the IT Environment Objectives and the TOE Objectives.]
Slide 41: PP/ST Development Activities - Establish Security Requirements
[Figure: inputs are the Non-IT Environment Objectives, the IT Environment Objectives and the TOE Objectives; outputs are the TOE Functional Requirements, the Interface to IT Environment Requirements, the TOE Assurance Requirements and the Non-IT Environment Requirements, with the CC Part II & Part III Requirements Catalog as the source of requirements.]
Slide 42: The Security Environment
– Secure Usage Assumptions
– Threats
– Organizational Security Policy (OSP)
Slide 43: Security Environment Components
– Assumptions
  – The security aspects of the environment in which the TOE will be used or is intended to be used
– Threats
  – The ability to exploit a vulnerability by a threat agent
– Organizational Security Policies (OSPs)
  – A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations
Slide 44: Assumptions
“The security aspects of the environment in which the TOE will be used or is intended to be used”
– Assumptions are “assertions of expectations” regarding
  – secure usage of the TOE
  – scope and boundary of the TOE
  – placement of the TOE in its environment: interaction with other IT (IT environment), interaction with people (Non-IT environment)
– Assumptions establish context for all that follows in the PP/ST
Slide 45: Using Assumptions
– Assumptions must not
  – impose requirements on the TOE or on its IT environment
  – have IT aspects of objectives mapped to them
  – be used to mitigate legitimate threats that are to be countered by the TOE or its IT environment
– Assumptions must
  – be considered as requirements for the Non-IT environment
– Assumptions always
  – result in objectives for the Non-IT environment
Slide 46: Assumption Examples
– A.Physical_Protection – The TOE is installed in a restricted and controlled access area sufficient to prevent unauthorized physical access to the TOE.
– A.Dedicated_Network – The TOE is installed on an isolated network that is dedicated to the TOE and that is not connected to any other network.
Slide 47: Threats
“The ability to exploit a vulnerability by a threat agent”
– Threat definition is accomplished through a Vulnerability Analysis that gives insight into the threats
  – against the TOE
  – against the environment of the TOE (IT & Non-IT)
  – inherent to technology/personnel/operations
– Threats are countered
  – by the TOE
  – by the IT environment of the TOE
  – by the Non-IT environment of the TOE
Slide 48: Focus of Threat Statements
– Threats provide a basis for the statement of countermeasures
– Threats SHALL address
  – the attack
  – the attacker
  – the assets
  – the implications of the successful attack
– Threats SHOULD address
  – attacker motivation, expertise
  – risk of the threat being realized
Slide 49: Threat Examples
– T.Intercept – An individual obtains unauthorized access to controlled information by intercepting information transmitted to/from the TOE.
– T.Authentication – An individual obtains unauthorized access to the TOE by
  a. impersonating an authorized user of the TOE,
  b. replaying a successful authentication session,
  c. unauthorized use of an authorized user's existing session
Slide 50: Organizational Security Policy
“A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations”
– PP/ST author discretion to include/exclude policy
  – Policy required if some aspect of the policy is to be enforced by the TOE or by the IT environment of the TOE
  – Policy optional if no aspect of the policy is to be enforced by the TOE or by the IT environment of the TOE
Slide 51: OSP Example
– P.Dedicated_Network – All mission-critical systems shall be installed on dedicated networks that are isolated from non-mission-critical systems in accordance with OPSEC 123.4.
Slide 52: Assumptions and OSPs
– Assumptions vs. Policy
  – it’s a style/preference issue
  – assumptions are mapped to non-IT objectives, and an equivalent policy statement will also be mapped to a non-IT objective
  – A.Dedicated_Network – The TOE is installed on an isolated network that is not connected to any other network.
  – P.Dedicated_Network – All mission-critical systems shall be installed on dedicated networks that are isolated from non-mission-critical systems in accordance with OPSEC 123.4.
Slide 53: The Security Objectives
– Security Objectives for the TOE
– Security Objectives for the IT Environment
– Security Objectives for the Non-IT Environment
Slide 54: Security Objectives
– Objectives establish the basis for the selection of security requirements (functional & assurance)
– Objectives exist only to address the problem statement per the security environment section
  – Support Assumptions
  – Counter Threats (eliminate, minimize, monitor)
  – Enforce OSPs
– Justified by rationale
Slide 55: Types of Security Objectives
– TOE Objectives
  – Implemented by security requirements allocated to the TOE
– IT Environment Objectives
  – Implemented by security requirements allocated to the IT systems that interact with the TOE
– Non-IT Environment Objectives
  – Implemented by personnel and procedural means
  – Outside the scope of the CC
  – A statement of non-IT environment requirements is not required
Slide 56: Objective Example - Non-IT (from Assumption)
– OE.Physical_Protection – Those responsible for the TOE shall ensure that the TOE is installed in a restricted and controlled access area that prevents unauthorized physical access to the TOE.
– A.Physical_Protection – The TOE is installed in a restricted and controlled access area sufficient to prevent unauthorized physical access to the TOE.
Objective Example - TOE (from Threat)
O.Impersonate
The TSF shall provide two-factor authentication employing hardware token technology and a unique identification attribute.
Note: O.Impersonate addresses only one aspect of T.Authentication.
T.Authentication
An individual obtains unauthorized access to the TOE by
a. impersonating an authorized user of the TOE,
b. replaying a successful authentication session,
c. unauthorized use of an authorized user's existing session.
Objective Example - Non-IT (from Policy)
OE.Network
Those responsible for the TOE shall ensure that the TOE is connected to a dedicated network that is isolated from non-mission-critical systems.
P.Dedicated_Network
All mission-critical systems shall be installed on dedicated networks that are isolated from non-mission-critical systems in accordance with OPSEC 123.4.
The Security Requirements
Security Functional Requirements
Security Assurance Requirements
Functional and Assurance Requirements
Selected from the CC
– Functional Requirements - Part 2
– Assurance Requirements - Part 3
May be explicitly stated
Justified by rationale
Rationale
Security Objectives
Security Requirements
TOE Summary Specification (ST only)
Security Objectives Rationale
Justifies the statement of security objectives through demonstration of
– Necessity - coverage of the security environment through traceability to specific aspects of the environment
– Sufficiency - suitability to support the assumptions, counter the threats, and enforce the OSPs
Security Requirements Rationale
Justifies each security requirement through
– Necessity - coverage of the security environment through traceability to specific aspects of the objectives
– Sufficiency - suitability to implement specific aspects of the objectives
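As an added example (not part of the tutorial), the traceability half of both rationales can be checked mechanically. The script below encodes the deck's own sample statements and a constructed requirement allocation (FIA_UID.1 and FIA_UAU.1 implementing O.Impersonate, and an unjustified FAU_GEN.1, are my assumptions, not the deck's) and reports every gap a rationale would have to explain.

```python
"""Traceability check for the necessity/sufficiency rationale of a PP/ST.

Added example, not from the tutorial. It encodes the deck's sample statements
(A.Physical_Protection, T.Authentication with aspects a-c, P.Dedicated_Network,
OE.Physical_Protection, O.Impersonate, OE.Network) plus a constructed
requirement allocation, then reports the gaps a rationale must explain.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Objective:
    kind: str                               # "TOE", "IT" or "non-IT" (the deck's three types)
    addresses: Tuple[Tuple[str, str], ...]  # (environment statement, aspect) pairs it traces to


@dataclass(frozen=True)
class Requirement:
    implements: Tuple[str, ...]             # objectives the requirement is allocated to


# Security environment from the deck's example slides: statement -> its aspects.
ENVIRONMENT: Dict[str, Tuple[str, ...]] = {
    "A.Physical_Protection": ("restricted access area",),
    "T.Authentication": ("a. impersonation", "b. replay", "c. use of existing session"),
    "P.Dedicated_Network": ("isolated network",),
}

# Objectives from the deck. O.Impersonate covers only aspect a of T.Authentication,
# exactly as the slide notes, so aspects b and c must surface as a sufficiency gap.
OBJECTIVES: Dict[str, Objective] = {
    "OE.Physical_Protection": Objective("non-IT", (("A.Physical_Protection", "restricted access area"),)),
    "O.Impersonate": Objective("TOE", (("T.Authentication", "a. impersonation"),)),
    "OE.Network": Objective("non-IT", (("P.Dedicated_Network", "isolated network"),)),
}

# Constructed allocation (not from the deck): two FIA components implement
# O.Impersonate; FAU_GEN.1 is deliberately left without an objective.
REQUIREMENTS: Dict[str, Requirement] = {
    "FIA_UID.1": Requirement(("O.Impersonate",)),
    "FIA_UAU.1": Requirement(("O.Impersonate",)),
    "FAU_GEN.1": Requirement(()),
}


def trace(environment, objectives, requirements) -> Dict[str, List]:
    """Return the four kinds of traceability gap; an empty list means no gap."""
    stated = {(name, aspect) for name, aspects in environment.items() for aspect in aspects}
    addressed = {pair for obj in objectives.values() for pair in obj.addresses}
    implemented = {name for req in requirements.values() for name in req.implements}
    return {
        # Sufficiency: every aspect of every assumption, threat and OSP has an objective.
        "aspects_uncovered": sorted(stated - addressed),
        # Objectives exist only to address the problem statement.
        "obj_unjustified": sorted(n for n, o in objectives.items() if not set(o.addresses) & stated),
        # TOE and IT-environment objectives need requirements; non-IT ones are outside CC scope.
        "obj_unimplemented": sorted(n for n, o in objectives.items()
                                    if o.kind != "non-IT" and n not in implemented),
        # Every requirement must be justified by an objective.
        "req_unjustified": sorted(n for n, r in requirements.items()
                                  if not set(r.implements) & set(objectives)),
    }


def report(gaps: Dict[str, List]) -> str:
    """One line per gap category, 'none' when the category is empty."""
    return "\n".join(f"{key}: {'none' if not items else ', '.join(map(str, items))}"
                     for key, items in gaps.items())


if __name__ == "__main__":
    print(report(trace(ENVIRONMENT, OBJECTIVES, REQUIREMENTS)))
```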
TOE Summary Specification (TSS)
Definition and mapping of
– security functions to functional requirements
– assurance measures to assurance requirements
Rationale (necessity/sufficiency)
– security functions meeting the security requirements
– assurance measures meeting the assurance requirements
Reusable Constructs
Packages
Package Construct
Reusable set of either functional or assurance components combined together to satisfy a set of identified security objectives
CC provides no explicit criteria for evaluation of packages
Package Contents
Objectives
– establish context for requirements
Requirements
– implement objectives
Rationale
– presents an informal argument to justify the requirements in terms of the stated objectives
(Figure: a Package box containing Objectives, Requirements, and Rationale)
PP/ST Section Relationships
(Figure: Security Environment (Assumptions, Threats, OSPs); Security Objectives (TOE, IT, Non-IT); Security Requirements (Functional, Assurance); TOE Summary Specification (Security Functions, Assurance Measures) - Security Target only)
Common Criteria Part II
Security Functional Requirements
Functional Requirements Organization
Class - organizational purposes
– all members share a common focus (e.g., Audit, I&A)
Family - organizational purposes
– all members share security objectives but may differ in emphasis (e.g., Audit event definition, Audit event review)
Component - smallest selectable requirement set
– contains a set of elements
Element - “shall” statements
– members of a component
– elements cannot be selected individually
Interpreting Functional Requirement Names
FIA_UID.1.1
F = Functional; IA = Class Name; UID = Family Name; 1 = Component Number; 1 = Element Number
Operations on Requirements
Assignment
Selection
Refinement
Iteration
Functional requirements have placeholders indicating where Assignment and Selection operations are allowed
Refinement and iteration may be performed on any functional requirement
Assignment Operation
Specification of a parameter filled in when component is used
“Fill in the Blank” operation
Allows PP/ST writer to provide information relating to application of the requirement
The PP writer may defer completing assignments, but the ST writer must complete all assignments
Assignment Operation Example
As Written in the Common Criteria: FMT_SMR.1.1 The TSF shall maintain the roles: [assignment: the authorized identified roles].
After Assignment Operation: FMT_SMR.1.1 The TSF shall maintain the roles: [assignment: authorized administrator, security officer, operator].
Selection Operation
Specification of elements selected from a list given in the component
“Multiple Choice” operation
Allows PP/ST writer to select from a provided list of choices
The PP writer may defer completing selections, but the ST writer must complete all selections
Selection Operation Example #1
As Written in the Common Criteria: FTA_TAH.1.1 Upon successful session establishment, the TSF shall display the [selection: date, time, method, location] of the last successful session establishment to the user.
After Selection Operation: FTA_TAH.1.1 Upon successful session establishment, the TSF shall display the [selection: date, time, and location] of the last successful session establishment to the user.
Selection Operation Example #2
As Written in the Common Criteria: FTP_TRP.1.3 The TSF shall require the use of the trusted path for [selection: initial user authentication, [assignment: other services for which trusted path is required]].
After Selection Operation: FTP_TRP.1.3 The TSF shall require the use of the trusted path for [selection: initial user authentication [assignment: and password changes]].
Combined Selection and Assignment Example
As Written in the Common Criteria: FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
After Selection and Assignment Operations: FMT_MTD.1.1 The TSF shall restrict the ability to [selection: delete, [assignment: and create]] the [assignment: user authentication database] to [assignment: the authorized administrator].
Refinement Operation
A mechanism to tailor a requirement by specifying additional detail in order to meet a security objective
Rules for refinement:
– the refinement shall only restrict the set of possible acceptable functions used to implement the requirement
– the refinement may not levy completely new requirements
– the refinement may not increase the list of dependencies of the requirement being refined
Refinement Operation Example
As Written in the Common Criteria: FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP.
After Refinement Operation: FAU_SAA.1.1 The Server-TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP.
Iteration Operation
Repetitive use of the same component to address different aspects of the requirement being stated (e.g., identification of more than one type of user).
Can be performed on any functional component
Iteration Operation Example
As Written in the Common Criteria: FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
After Iteration Operation: FMT_MTD.1.1 The TSF shall restrict the ability to [selection: modify] the [assignment: password file] to [assignment: the authorized administrator].
FMT_MTD.1.1 The TSF shall restrict the ability to backup/restore the password file to the authorized operator.
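An added example, not from the tutorial: a small model of the deck's bracket notation that applies assignment, selection and iteration to the elements quoted on the preceding slides and enforces the stated rules (selections come from the listed choices; the PP writer may defer an operation, the ST writer may not). The `Element` class and its methods are my construction, and the `;1`/`;2` iteration labels follow the convention of the assurance iteration slide later in this deck.

```python
"""Assignment, selection and iteration operations on a CC functional element.

Added example, not from the tutorial: models the deck's placeholder notation
(a selection may nest an assignment as its open-ended choice) and the rules
the slides state: selections come from the listed choices, a PP writer may
defer an operation but an ST writer must complete every one, and an iteration
repeats the component under a distinct label (";1", ";2").
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Element texts exactly as quoted in the deck.
FMT_SMR_1_1 = "The TSF shall maintain the roles: [assignment: the authorized identified roles]."
FTA_TAH_1_1 = ("Upon successful session establishment, the TSF shall display the "
               "[selection: date, time, method, location] of the last successful "
               "session establishment to the user.")
FMT_MTD_1_1 = ("The TSF shall restrict the ability to [selection: change_default, query, "
               "modify, delete, clear, [assignment: other operations]] the "
               "[assignment: list of TSF data] to [assignment: the authorized identified roles].")


def placeholders(text: str) -> List[Tuple[str, str, int, int]]:
    """Top-level [kind: body] placeholders as (kind, body, start, end); nested ones stay in body."""
    found, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "[":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                kind, _, body = text[start + 1:i].partition(":")
                found.append((kind.strip(), body.strip(), start, i + 1))
    return found


def split_choices(body: str) -> List[str]:
    """Split a selection list on the commas that are not inside a nested placeholder."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + ([cur.strip()] if cur.strip() else [])


@dataclass
class Element:
    ident: str                                                 # e.g. "FMT_MTD.1.1"
    template: str                                              # text as written in the CC
    assignments: List[str] = field(default_factory=list)       # one per top-level [assignment:], in order
    selections: List[List[str]] = field(default_factory=list)  # one choice list per [selection:], in order
    iteration: Optional[str] = None                            # label when the component is iterated

    def complete(self, writer: str = "ST") -> str:
        """Render the element after the operations; writer is "PP" (may defer) or "ST" (must complete)."""
        a_vals, s_vals = iter(self.assignments), iter(self.selections)
        out, pos = [], 0
        for kind, body, start, end in placeholders(self.template):
            out.append(self.template[pos:start])
            value = None
            if kind == "assignment":
                value = next(a_vals, None)
            elif kind == "selection":
                chosen = next(s_vals, None)
                if chosen is not None:
                    choices = split_choices(body)
                    listed = [c for c in choices if not c.startswith("[assignment:")]
                    open_ended = len(listed) != len(choices)  # a nested assignment admits other values
                    bad = [c for c in chosen if c not in listed]
                    if not chosen or (bad and not open_ended):
                        raise ValueError(f"{self.ident}: selection {bad or chosen} not among {listed}")
                    value = ", ".join(chosen)
            else:
                raise ValueError(f"{self.ident}: unknown operation {kind!r}")
            if value is None:
                if writer == "ST":
                    raise ValueError(f"{self.ident}: {kind} left open; the ST writer must complete it")
                out.append(self.template[start:end])  # PP writer defers: keep the placeholder
            else:
                out.append(f"[{kind}: {value}]")
            pos = end
        out.append(self.template[pos:])
        label = f";{self.iteration}" if self.iteration else ""
        return f"{self.ident}{label} {''.join(out)}"


def iterate(ident: str, template: str, variants: List[dict]) -> List[str]:
    """Iteration: the same component completed once per variant, each under its own label."""
    return [Element(ident, template, iteration=str(n), **v).complete() for n, v in enumerate(variants, 1)]


if __name__ == "__main__":
    print(Element("FMT_SMR.1.1", FMT_SMR_1_1, assignments=["authorized administrator, security officer, operator"]).complete())
    print("\n".join(iterate("FMT_MTD.1.1", FMT_MTD_1_1, [
        {"selections": [["modify"]], "assignments": ["password file", "the authorized administrator"]},
        {"selections": [["backup/restore"]], "assignments": ["password file", "the authorized operator"]}])))
```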
Explicitly Stated Requirements
“Rolling Your Own Requirements”
CC component catalogues are extensive but not comprehensive
– Requirements evolve over time
CC does not mandate exclusive use of component catalogues
CC contains criteria for correctness of extended requirements
CC terms
– Extensibility ~ Extended requirements ~ Explicitly stated requirements
CC Part II
Functional Requirement Classes
Functional Requirement Classes
Security Audit (FAU)
Communication (FCO)
Cryptographic Support (FCS)
User Data Protection (FDP)
Identification & Authentication (FIA)
Security Management (FMT)
Privacy (FPR)
Protection of the TOE Security Functions (FPT)
Resource Utilization (FRU)
TOE Access (FTA)
Trusted Path/Channels (FTP)
Class FAU: Security Audit
The 6 families in this class address ...
– recognizing and responding to (FAU_ARP)
– recording (FAU_GEN, FAU_SEL)
– storing and protecting (FAU_STG)
– review and analysis of (FAU_SAA, FAU_SAR)
... security-relevant events and activities.
Class FCO: Communication
The 2 families in this class address ...
– proof of origin (FCO_NRO)
– proof of receipt (FCO_NRR)
... of transmitted information.
Class FCS: Cryptographic Support
The 2 families in this class address ...
– generation, distribution, access, and destruction (FCS_CKM)
– operational use (FCS_COP)
... of cryptographic keys.
Class FDP: User Data Protection
The 13 families in this class address ...
– security function policies (FDP_ACC, FDP_IFC)
– access control and information flow control functions (FDP_ACF, FDP_IFF)
– authenticity and integrity (FDP_DAU, FDP_ITT, FDP_SDI)
– reuse and rollback (FDP_RIP, FDP_ROL)
– import/export (FDP_ETC, FDP_ITC)
– inter-TSF communications (FDP_UCT, FDP_UIT)
... for protection of user data.
Class FIA: Identification & Authentication
The 6 families in this class address ...
– establishing (FIA_ATD, FIA_SOS, FIA_USB)
– verifying (FIA_UAU, FIA_UID)
– failures when authenticating (FIA_AFL)
... claimed user identity.
Class FMT: Security Management
The 6 families in this class address ...
– management of TSF data (FMT_MTD)
– management of security attributes (FMT_MSA, FMT_REV, FMT_SAE)
– management of the security functions (FMT_MOF)
– security roles (FMT_SMR)
... of the TOE.
Class FPR: Privacy
The 4 families in this class address ...
– discovery and misuse (FPR_ANO, FPR_PSE, FPR_UNL, FPR_UNO)
... of an individual’s identity or activities by others.
Class FPT: Protection of the TOE Security Functions
The 16 families in this class address ...
– testing (FPT_AMT, FPT_TST)
– physical/anti-tamper protection (FPT_PHP)
– secure TSF data transfer (FPT_ITA, FPT_ITC, FPT_ITI, FPT_ITT, FPT_RPL, FPT_TDC, FPT_TRC)
– failure and recovery (FPT_RCV, FPT_FLS)
– state and timing (FPT_SSP, FPT_STM)
– reference mediation and domain separation (FPT_RVM, FPT_SEP)
... of the TSF mechanisms and data.
Class FRU: Resource Utilization
The 3 families in this class address ...
– availability (FRU_FLT)
– allocation (FRU_PRS, FRU_RSA)
... of resources.
Class FTA: TOE Access
The 6 families in this class address ...
– attributes (FTA_LSA, FTA_TAB, FTA_TAH)
– establishment (FTA_MCS, FTA_SSL, FTA_TSE)
... of a user session.
Class FTP: Trusted Path/Channels
The 2 families in this class address ...
– trusted communication paths (FTP_TRP)
– trusted communication channels (FTP_ITC)
... between users and the TSF and between the TSF and other trusted IT products, respectively.
CC Part 3
Security Assurance Requirements
What is Assurance?
Grounds for confidence that implemented countermeasures meet their security objectives
– CC focus is the IT countermeasures
– A comprehensive approach includes the environment
Assurance measures
– Provide a basis for a security argument
– Do not add functionality to the TOE
Assurance is subjective
Why Is Assurance Needed?
To address vulnerabilities arising from
– Requirements: incorrect, insufficient, ineffective
– Design and Implementation: incorrect design decisions, errors in implementation
– Operational Controls: inadequate or overly complicated, poorly documented
Where Assurance is Needed
Verification and Validation of the Specification
– Protection Profile
– Security Target
Verification of the implementation (TOE)
CC defines 3 evaluations
– Protection Profile (PP) evaluation: mandatory criteria
– Security Target (ST) evaluation: mandatory criteria
– Target of Evaluation (TOE) evaluation: criteria as specified in the Security Target
Concept of TOE Evaluation: CC Approach to Verification
Analysis of processes and procedures
Checking that processes and procedures are being applied
Analysis of the correspondence between TOE design representations
Analysis of the TOE design representations against the requirements
Verification of mathematical proofs
Analysis of guidance documents
Analysis of functional tests and results
Independent functional testing
Analysis for flaws
Penetration testing
CC Assurance Argument Scale
Balance 3 variables
– Scope - how much is assessed
– Depth - to what degree is it assessed
– Rigor - in what manner is it assessed
(Figure: greater evaluation effort in scope, depth, and rigor yields greater assurance)
Interpreting Assurance Requirement Names
ADV_LLD.3.1(D,C,E)
A = Assurance; DV = Specific Class; LLD = Family Name; 3 = Component Number; 1 = Element Number; D, C, E = Element Identifier
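An added example, not from the tutorial, that decodes identifiers in both forms shown on the two naming slides (FIA_UID.1.1 and ADV_LLD.3.1(D,C,E)) plus the ADV_FSP.1.3C;1 iteration form used later in the deck, checking the class against the class lists given in this deck. The expansion of D, C and E as developer action, content and presentation of evidence, and evaluator action elements is CC Part 3 terminology, not something the deck itself states.

```python
"""Decoding CC requirement identifiers such as FIA_UID.1.1 and ADV_LLD.3.1(D,C,E).

Added example, not from the tutorial. Splits an identifier into the parts the
two naming slides show (F/A prefix, class, family, component number, element
number, assurance element identifier, optional ";n" iteration label) and looks
the class up in the class lists given in the deck. The D/C/E meanings are CC
Part 3 terminology (developer action, content and presentation of evidence,
evaluator action), not from this deck.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Class codes and names as listed on the deck's Part 2 and Part 3 slides.
CLASSES = {
    "FAU": "Security Audit", "FCO": "Communication", "FCS": "Cryptographic Support",
    "FDP": "User Data Protection", "FIA": "Identification & Authentication",
    "FMT": "Security Management", "FPR": "Privacy",
    "FPT": "Protection of the TOE Security Functions", "FRU": "Resource Utilization",
    "FTA": "TOE Access", "FTP": "Trusted Path/Channels",
    "ACM": "Configuration Management", "ADO": "Delivery and Operation", "ADV": "Development",
    "AGD": "Guidance Documents", "ALC": "Life Cycle Support", "AMA": "Maintenance of Assurance",
    "ATE": "Tests", "AVA": "Vulnerability Assessment", "APE": "PP Evaluation", "ASE": "ST Evaluation",
}
ELEMENT_IDS = {"D": "developer action", "C": "content and presentation of evidence", "E": "evaluator action"}

# Accepts FIA_UID.1.1 | ADV_LLD.3.1(D,C,E) | ADV_FSP.1.3C;1 | FMT_MTD.1 (component only).
_ID = re.compile(
    r"^(?P<cls>[FA][A-Z]{2})_(?P<fam>[A-Z]{3})\.(?P<comp>\d+)"
    r"(?:\.(?P<elem>\d+)(?P<ids>[DCE]|\((?:[DCE],)*[DCE]\))?)?"
    r"(?:;(?P<iter>\w+))?$"
)


@dataclass(frozen=True)
class RequirementId:
    kind: str                           # "functional" (F prefix) or "assurance" (A prefix)
    cls: str                            # e.g. "FIA"
    cls_name: str                       # from the deck's class lists
    family: str                         # e.g. "UID"
    component: int
    element: Optional[int] = None
    element_ids: Tuple[str, ...] = ()   # assurance elements only: some of D, C, E
    iteration: Optional[str] = None     # ";n" label when the component is iterated

    @property
    def family_code(self) -> str:
        return f"{self.cls}_{self.family}"


def parse(ident: str) -> RequirementId:
    """Decompose an identifier; raise ValueError for malformed or unknown ones."""
    m = _ID.match(ident.strip())
    if not m:
        raise ValueError(f"not a CC requirement identifier: {ident!r}")
    cls = m["cls"]
    if cls not in CLASSES:
        raise ValueError(f"unknown class {cls!r}")
    kind = "functional" if cls[0] == "F" else "assurance"
    ids = tuple(m["ids"].strip("()").split(",")) if m["ids"] else ()
    if kind == "functional" and ids:
        raise ValueError("functional elements carry no D/C/E identifier")
    if kind == "assurance" and m["elem"] and not ids:   # e.g. ADV_FSP.1.3 needs a C, D or E
        raise ValueError("assurance elements need a D, C or E identifier")
    return RequirementId(kind, cls, CLASSES[cls], m["fam"], int(m["comp"]),
                         int(m["elem"]) if m["elem"] else None, ids, m["iter"])


def describe(ident: str) -> str:
    """Human-readable breakdown in the order the naming slides present it."""
    r = parse(ident)
    parts = [f"{r.kind} requirement", f"class {r.cls} ({r.cls_name})",
             f"family {r.family_code}", f"component {r.component}"]
    if r.element is not None:
        parts.append(f"element {r.element}")
    if r.element_ids:
        parts.append("element identifier " + "/".join(f"{i}={ELEMENT_IDS[i]}" for i in r.element_ids))
    if r.iteration:
        parts.append(f"iteration {r.iteration}")
    return "; ".join(parts)


if __name__ == "__main__":
    for ident in ("FIA_UID.1.1", "ADV_LLD.3.1(D,C,E)", "ADV_FSP.1.3C;1"):
        print(ident, "->", describe(ident))
```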
Security Assurance Classes
TOE Evaluation: Configuration Management (ACM), Delivery and Operation (ADO), Development (ADV), Guidance Documents (AGD), Life Cycle Support (ALC), Maintenance of Assurance (AMA), Tests (ATE), Vulnerability Assessment (AVA)
PP Evaluation: PP Evaluation (APE)
ST Evaluation: ST Evaluation (ASE)
Class ACM: Configuration Management
The families in this class address the CM system used in the development of the TOE
– ACM_AUT CM automation
– ACM_CAP CM capabilities
– ACM_SCP CM scope
Class ADO: Delivery and Operation
The families in this class address documentation focused on correct delivery, installation, generation, and start-up of the TOE
– ADO_DEL Delivery
– ADO_IGS Installation, generation, and start-up
Class ADV: Development
The families in this class define requirements for the design documentation of the TOE security functions at various levels of abstraction.
– ADV_FSP Functional specification
– ADV_HLD High-level design
– ADV_IMP Implementation representation
– ADV_INT TSF internals
– ADV_LLD Low-level design
– ADV_RCR Representation correspondence
– ADV_SPM Security policy modeling
Class AGD: Guidance Documents
AGD defines requirements for the coherency, coverage, and completeness of the user and administrative guidance documentation.
– AGD_ADM Administrative guidance
– AGD_USR User guidance
Class ALC: Life Cycle Support
ALC defines requirements for the establishment of discipline and control in the process of TOE development and maintenance.
– ALC_DVS Development security
– ALC_FLR Flaw remediation
– ALC_LCD Life cycle definition
– ALC_TAT Tools and techniques
Class AMA: Maintenance of Assurance
AMA defines requirements for the maintenance of the level of assurance that the TOE will continue to meet its security target as changes are made to the TOE or its environment.
– AMA_AMP Assurance maintenance plan
– AMA_CAT TOE component categorization report
– AMA_EVD Evidence of assurance maintenance
– AMA_SIA Security impact analysis
Class ATE: Tests
ATE defines testing requirements that demonstrate the TOE satisfies its functional requirements.
– ATE_COV Coverage
– ATE_DPT Depth
– ATE_FUN Functional tests
– ATE_IND Independent testing
Class AVA: Vulnerability Assessment
AVA defines requirements for the identification of exploitable vulnerabilities introduced in the construction, operation, misuse, or incorrect configuration of the TOE.
– AVA_CCA Covert channel analysis
– AVA_MSU Misuse
– AVA_SOF Strength of functions
– AVA_VLA Vulnerability analysis
Operations on Assurance Requirements
Iteration
Refinement
Assurance Iteration and Refinement

As stated in the CC …
– ADV_FSP.1.3C The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing details of effects, exceptions and error messages, as appropriate.

After applying iteration for software and hardware …
– ADV_FSP.1.3C;1 For software implementations, the functional specification shall describe the purpose and method of use of all external TSF interfaces, providing details of effects, exceptions and error messages, as appropriate.
– ADV_FSP.1.3C;2 For hardware implementations, the functional specification shall describe the purpose and method of use of all external TSF interfaces, providing details of effects, input and output signal levels, error indications and reset conditions, as appropriate.
Assurance Refinement

As stated in the CC …
– ADV_SPM.1.2C The TSP model shall describe the rules and characteristics of all policies of the TSP that can be modeled.

After applying refinement …
– ADV_SPM.1.2C The TSP model shall describe the rules and characteristics of all policies of the TSP as a finite state machine, to include the following:
– definition of, and transition from, the non-secure initialization state to the secure initialization state
– definition of, and transition from, the secure operational state to the secure fail-state
– recovery transition from the fail-secure state to the operational secure state
– definition of transitions to known insecure fail states
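What the refined ADV_SPM.1.2C asks for is a security policy model in the form of a finite state machine whose secure, fail-secure and known-insecure states are all declared, together with the four kinds of transition the refinement lists. The following is an added illustration, not part of the tutorial: a toy TSP model written that way, plus a checker that mechanically confirms the listed transitions are present and that no transition leads to an undeclared state. The state and event names (non_secure_init, self_test_passed, recovery_complete, and so on) are this example's own assumptions.

```python
"""Toy TSP model as a finite state machine, in the form the refined
ADV_SPM.1.2C asks for.  Added example, not from the tutorial; the state and
event names are assumptions chosen to cover the four listed transitions."""

from collections import deque
from typing import Dict, List, Set, Tuple

INITIAL = "non_secure_init"                      # power-on, policy not yet enforced
OPERATIONAL = "secure_operational"
FAIL_SECURE = "secure_fail"
SECURE: Set[str] = {"secure_init", OPERATIONAL, FAIL_SECURE}
KNOWN_INSECURE: Set[str] = {"insecure_fail"}    # declared, hence never a surprise

# (state, event) -> next state
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (INITIAL, "self_test_passed"): "secure_init",       # non-secure -> secure initialization
    (INITIAL, "self_test_failed"): "insecure_fail",     # known insecure fail state
    ("secure_init", "policy_loaded"): OPERATIONAL,
    (OPERATIONAL, "fault_detected"): FAIL_SECURE,       # secure operational -> secure fail-state
    (FAIL_SECURE, "recovery_complete"): OPERATIONAL,    # recovery: fail-secure -> operational secure
    (FAIL_SECURE, "recovery_failed"): "insecure_fail",  # transition to a known insecure fail state
}


def reachable(transitions: Dict[Tuple[str, str], str], start: str) -> Set[str]:
    """States reachable from `start` by following defined transitions (BFS)."""
    seen, todo = {start}, deque([start])
    while todo:
        state = todo.popleft()
        for (src, _event), dst in transitions.items():
            if src == state and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def check_model(transitions: Dict[Tuple[str, str], str] = TRANSITIONS) -> List[str]:
    """Return findings; an empty list means the model meets the refined requirement."""
    findings: List[str] = []
    declared = {INITIAL} | SECURE | KNOWN_INSECURE
    for (src, event), dst in transitions.items():
        if dst not in declared:                      # every target must be a declared state
            findings.append(f"{src} --{event}--> {dst}: transition to undeclared state")
    if OPERATIONAL not in reachable(transitions, INITIAL):
        findings.append("secure operational state not reachable from initialization")
    if OPERATIONAL not in reachable(transitions, FAIL_SECURE):
        findings.append("no recovery transition from fail-secure to secure operational")
    return findings


def run(events: List[str], transitions: Dict[Tuple[str, str], str] = TRANSITIONS) -> str:
    """Drive the machine from the initial state.  An event the model does not define
    for the current state is a modelling gap and is reported, not silently ignored."""
    state = INITIAL
    for event in events:
        if (state, event) not in transitions:
            raise ValueError(f"no transition defined for event {event!r} in state {state!r}")
        state = transitions[(state, event)]
    return state


if __name__ == "__main__":
    print("findings:", check_model() or "none")
    print("final state:", run(["self_test_passed", "policy_loaded",
                               "fault_detected", "recovery_complete"]))
```

Deleting the recovery transition from the table makes check_model report the missing fail-secure to operational path, which is the kind of gap an evaluator reading the TSP model against ADV_SPM.1.2C would look for.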
Assurance Packages
Reusable set of functional or assurance components combined together to satisfy a set of identified security objectives
Currently, there are 7 assurance packages called Evaluation Assurance Levels (EAL1 - EAL7)
Evaluation Assurance Levels

The EALs provide an increasing scale that strives to maintain a balance between assurance achieved and cost/feasibility.
Assurance Component to EAL Mapping

Assurance components by Evaluation Assurance Level (the number is the component of the family required at that EAL; blank means the family is not required):

| Class | Family | EAL1 | EAL2 | EAL3 | EAL4 | EAL5 | EAL6 | EAL7 |
|---|---|---|---|---|---|---|---|---|
| Configuration management | ACM_AUT | | | | 1 | 1 | 2 | 2 |
| | ACM_CAP | 1 | 2 | 3 | 4 | 4 | 5 | 5 |
| | ACM_SCP | | | 1 | 2 | 3 | 3 | 3 |
| Delivery and operation | ADO_DEL | | 1 | 1 | 2 | 2 | 2 | 3 |
| | ADO_IGS | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Development | ADV_FSP | 1 | 1 | 1 | 2 | 3 | 3 | 4 |
| | ADV_HLD | | 1 | 2 | 2 | 3 | 4 | 5 |
| | ADV_IMP | | | | 1 | 2 | 3 | 3 |
| | ADV_INT | | | | | 1 | 2 | 3 |
| | ADV_LLD | | | | 1 | 1 | 2 | 2 |
| | ADV_RCR | 1 | 1 | 1 | 1 | 2 | 2 | 3 |
| | ADV_SPM | | | | 1 | 3 | 3 | 3 |
| Guidance documents | AGD_ADM | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| | AGD_USR | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Life cycle support | ALC_DVS | | | 1 | 1 | 1 | 2 | 2 |
| | ALC_FLR | | | | | | | |
| | ALC_LCD | | | | 1 | 2 | 2 | 3 |
| | ALC_TAT | | | | 1 | 2 | 3 | 3 |
| Tests | ATE_COV | | 1 | 2 | 2 | 2 | 3 | 3 |
| | ATE_DPT | | | 1 | 1 | 2 | 2 | 3 |
| | ATE_FUN | | 1 | 1 | 1 | 1 | 2 | 2 |
| | ATE_IND | 1 | 2 | 2 | 2 | 2 | 2 | 3 |
| Vulnerability assessment | AVA_CCA | | | | | 1 | 2 | 2 |
| | AVA_MSU | | | 1 | 2 | 2 | 3 | 3 |
| | AVA_SOF | | 1 | 1 | 1 | 1 | 1 | 1 |
| | AVA_VLA | | 1 | 1 | 2 | 3 | 4 | 4 |
| Assurance maintenance | AMA_AMP | | | | | | | |
| | AMA_CAT | | | | | | | |
| | AMA_EVD | | | | | | | |
| | AMA_SIA | | | | | | | |
EAL Augmentation: The Tailoring of an Existing Evaluation Assurance Level (EAL)

Allowed augmentation operations
– Replace an existing component in the EAL with a higher component
– Add additional component(s) from other EALs
– Add additional component(s) not in any EAL
– MRA does not recognize augmentation with components not in EAL1-4

Disallowed augmentation operation
– Remove a component from an EAL definition
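The EAL table and the augmentation rules together form a small, checkable model: an EAL is a set of (family, component) pairs, and augmentation may only raise or add components, never remove them. The following added example (not code from the tutorial) encodes the mapping table above and the three allowed operations, rejects the disallowed one, and applies the mutual-recognition rule the slide states. The function names, the error messages, and the reading of the MRA rule (the base EAL must be EAL1-4 and every added component must appear in one of EAL1-4) are this example's own assumptions; it also does not know the highest component defined for each family, so it does not reject a component number beyond that.

```python
"""EAL assurance packages and the augmentation rules, as an added example
(not from the tutorial).  EAL_TABLE transcribes the "Assurance Component to
EAL Mapping" slide (CC v2.1 Part 3); the function names, messages and the
encoding of the MRA rule are this example's own assumptions."""

from typing import Dict, Optional, Tuple

# family -> component required at EAL1..EAL7 (0 = family not in that EAL)
EAL_TABLE: Dict[str, Tuple[int, ...]] = {
    "ACM_AUT": (0, 0, 0, 1, 1, 2, 2), "ACM_CAP": (1, 2, 3, 4, 4, 5, 5),
    "ACM_SCP": (0, 0, 1, 2, 3, 3, 3), "ADO_DEL": (0, 1, 1, 2, 2, 2, 3),
    "ADO_IGS": (1, 1, 1, 1, 1, 1, 1), "ADV_FSP": (1, 1, 1, 2, 3, 3, 4),
    "ADV_HLD": (0, 1, 2, 2, 3, 4, 5), "ADV_IMP": (0, 0, 0, 1, 2, 3, 3),
    "ADV_INT": (0, 0, 0, 0, 1, 2, 3), "ADV_LLD": (0, 0, 0, 1, 1, 2, 2),
    "ADV_RCR": (1, 1, 1, 1, 2, 2, 3), "ADV_SPM": (0, 0, 0, 1, 3, 3, 3),
    "AGD_ADM": (1, 1, 1, 1, 1, 1, 1), "AGD_USR": (1, 1, 1, 1, 1, 1, 1),
    "ALC_DVS": (0, 0, 1, 1, 1, 2, 2), "ALC_FLR": (0, 0, 0, 0, 0, 0, 0),
    "ALC_LCD": (0, 0, 0, 1, 2, 2, 3), "ALC_TAT": (0, 0, 0, 1, 2, 3, 3),
    "ATE_COV": (0, 1, 2, 2, 2, 3, 3), "ATE_DPT": (0, 0, 1, 1, 2, 2, 3),
    "ATE_FUN": (0, 1, 1, 1, 1, 2, 2), "ATE_IND": (1, 2, 2, 2, 2, 2, 3),
    "AVA_CCA": (0, 0, 0, 0, 1, 2, 2), "AVA_MSU": (0, 0, 1, 2, 2, 3, 3),
    "AVA_SOF": (0, 1, 1, 1, 1, 1, 1), "AVA_VLA": (0, 1, 1, 2, 3, 4, 4),
}


def eal_package(eal: int) -> Dict[str, int]:
    """Assurance package for EALn as {family: component}, omitting unused families."""
    if not 1 <= eal <= 7:
        raise ValueError("EAL must be between 1 and 7")
    return {fam: lv[eal - 1] for fam, lv in EAL_TABLE.items() if lv[eal - 1]}


def augmentation_error(eal: int, changes: Dict[str, int]) -> Optional[str]:
    """None if `changes` ({family: component}) is a permitted augmentation of EALn,
    otherwise a message for the first rule violated.  Permitted: replace a component
    with a higher one, add a component from another EAL, add a component from no EAL.
    Not permitted: remove a component (written as 0) or lower it."""
    base = eal_package(eal)
    for fam, comp in changes.items():
        if fam not in EAL_TABLE:
            return f"{fam}: unknown assurance family"
        current = base.get(fam, 0)
        if comp == 0:
            return f"{fam}: removing a component from an EAL is not allowed"
        if comp <= current:
            return f"{fam}.{comp}: EAL{eal} already requires {fam}.{current}"
    return None


def augment(eal: int, changes: Dict[str, int]) -> Dict[str, int]:
    """Apply a permitted augmentation and return the resulting package."""
    err = augmentation_error(eal, changes)
    if err:
        raise ValueError(err)
    pkg = eal_package(eal)
    pkg.update(changes)
    return pkg


def mra_recognized(eal: int, changes: Dict[str, int]) -> bool:
    """The slide's rule as this example reads it (an assumption): mutual recognition
    covers EAL1-4, and an augmented component is recognized only if it appears in
    one of EAL1-4, so a component first required at EAL5+ or one from no EAL is not."""
    if eal > 4 or augmentation_error(eal, changes) is not None:
        return False
    return all(comp in EAL_TABLE[fam][:4] for fam, comp in changes.items())


if __name__ == "__main__":
    aug = {"AVA_VLA": 3}   # EAL4 augmented with AVA_VLA.3 (a component first required at EAL5)
    print("EAL4+AVA_VLA.3 package size:", len(augment(4, aug)),
          "| MRA recognized:", mra_recognized(4, aug))
```

A package augmented with ALC_FLR.2 passes the augmentation rules (a component from no EAL may be added) but, under the rule as stated on the slide, falls outside mutual recognition; the same holds for EAL4 plus AVA_VLA.3, which first appears at EAL5.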
Questions?

Thank you for your attention. Please do not hesitate to follow up with any questions or issues that arise subsequent to this session.
Michael McEvilley
703.414.5002 (voice)
703.414.5066 (fax)
www.commoncriteria.com