
You say to-mah-to, I say to-mae-to:
why isn’t there a single solution to
Information Security Assurance?
Apostol Vassilev
atsec information security
&
NetIDSys, Inc.
The problem of information security assurance

• There is a plethora of “secure” software and hardware products, often designed to meet similar customer information security needs
• How can we say which ones are better/more secure?
• Can the consumers decide for themselves?
  • Can we leave it up to the market forces to weed out the bad products and identify the best solutions?

Outline

• Introduce a couple of major information security assurance standards
  • Common Criteria
  • Federal Information Processing Standard (FIPS)
• Current trends
• Conclusions
The CC standard for IT security evaluation

Common Criteria: formalization of assurance and certification
Certification definition according to the German law DIN 45020

Certification is a measure by an impartial third party that shows there is reasonable confidence that a correctly identified product, process or service is in accordance with a specified standard or another normative document.

Read in the IT security context:
• the impartial third party is, e.g., the BSI (Germany) or NIAP (USA), together with licensed and accredited evaluation labs
• the measure shows that there is reasonable confidence in the correct implementation and effectiveness of the IT security
• of the specified IT product
The path to CC

• Orange Book (TCSEC), 1985
• UK Confidence Levels, 1989
• German Criteria
• French Criteria
• Canadian Criteria (CTCPEC), 1993
• ITSEC, 1991
• Federal Criteria Draft, 1993
• Common Criteria: v1.0 1996, v2.0 1998, v2.1 1999, v2.3 = ISO 15408 2005, v3.1 2006 (ISO 15408 and v3.x: coming in 2008)
Participating Nations and Agencies

• Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI)
• France: Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI)
• UK: Communications-Electronics Security Group (CESG)
• Netherlands: Netherlands National Communications Security Agency (NLNCSA)
• Canada: Communications Security Establishment (CSE)
• USA: National Security Agency (NSA) and National Institute of Standards and Technology (NIST)
• Australia and New Zealand: the Defence Signals Directorate and the Government Communications Security Bureau, respectively
• Japan: Information Technology Promotion Agency
• Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional
Objectives of the CC standard

• Common criteria for products and systems
• ISO standardization
  • an international basis for developers
• Comparability of security evaluation results
  • based on the existing criteria of the U.S. and Europe
  • international mutual recognition of certificates
• Improved availability of high-quality security technology
International Recognition of CC

Australia/New Zealand, Netherlands, USA, Canada, France, Germany, Sweden, UK, Japan, Korea, Norway, Spain, India, Israel, Singapore, Denmark, Greece, Malaysia, Italy, Finland, Austria, Hungary, Turkey, Czech Rep.
CC Evaluation Approach

• Axiomatic; resembles a mathematical theorem proof
• Security Problem Definition
  • Target of Evaluation (TOE) – the product
  • Threats, assumptions, security policies
  • Security Objectives for the TOE and its operational environment
• Assurance claims
  • Typically stated as Evaluation Assurance Levels (EAL)
  • EAL1 to EAL7
• Proof
Certification procedure (flow diagram; labels only): Applicant; Product and evidence; Application; Lab; Evaluation report; Supervision; Certification body; Certificate; Certification report
Evaluation labs

• atsec information security – leader in OS evaluation
• Atos Origin GmbH
• CSC Deutschland Solutions GmbH
• Datenschutz nord GmbH
• Deutsches Forschungszentrum für künstliche Intelligenz GmbH
• Industrieanlagen-Betriebsgesellschaft (IABG) mbH
• Media transfer AG
• Secunet SWISSiT AG
• SRC Security Research & Consulting GmbH
• Tele Consulting GmbH
• TNO-ITSEF BV
• WTD 81
• T-Systems GEI GmbH
• BSI
• TÜV Informationstechnik GmbH
Responsibility of the Evaluator (DIN 17025)

• technically competent
• technically independent
• impartial
• neutral
Shortcomings of the CC standard

• Does not evaluate the cryptography in security products
  • no cryptanalysis
• Does not take risk into account
  • Assumptions are assumed to hold absolutely
• Tends to be expensive/time consuming
FIPS: An Overview

• FIPS are a series of U.S. Federal Information Processing Standards.
• FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST.
• They are not mandatory for individual states, but are often used by them.
• They are often adopted by non-government agencies or large corporations.
FIPS 140-2: The Standard

• FIPS 140-2 was published in 2001.
• Change notices were added in 2002.
• FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development.
• Mandatory for federal agencies
What is a Cryptographic Module?

• Can be:
  • Hardware
  • Software
  • Firmware
  • Hybrid
• Performing certain security functionality
• With specific logical/physical boundaries
FIPS 140-2: Functional Areas

• FIPS 140-2 is divided into 11 functional areas.
• Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets.
• The module as a whole is awarded an “Overall Security Level,” which is the lowest level awarded in any of the areas.
FIPS 140-2: Functional Areas

1. Cryptographic Module Specification
3. Roles, Services, and Authentication
4. Finite State Model
6. Operational Environment
7. Cryptographic Key Management
9. Self Tests
10. Design Assurance
11. Mitigation of Other Attacks
What is the FIPS Validation Program?

Cryptographic Module Validation Program (CMVP)

A joint program between:
• The U.S. NIST (National Institute of Standards and Technology)
• The C.S.E. (Communications Security Establishment) of the Government of Canada
Explaining the CMVP

The Validation Process

Cryptographic Algorithm Validation (integral part of module validation)

• Algorithms used in Approved mode must be FIPS-validated.
  • This means that they are implemented correctly.
  • 50 % of newly tested algorithms fail!
• They are published on a list given at http://csrc.nist.gov/cryptval/vallists.htm.
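The two points above, that an Approved algorithm must be shown to be implemented correctly and that a module has a Self Tests functional area, are illustrated by the following added example. It is not part of the original presentation and not code from NIST, CMVP or atsec: a hypothetical cryptographic module runs a SHA-256 known-answer test at power-on and refuses all services if any vector fails. The SHA-256 digests of "abc" and of the empty message are the published FIPS 180 values; the module class, its state names and the deliberately wrong implementation are constructed for this illustration.

```python
import hashlib
from typing import Callable, List, Tuple

# Known-answer test (KAT) vectors for SHA-256: the published FIPS 180 digests
# of "abc" and of the empty message. Table constructed for this example.
SHA256_KAT_VECTORS: List[Tuple[bytes, str]] = [
    (b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def sha256_hex(data: bytes) -> str:
    """Reference implementation backed by hashlib (assumed correct)."""
    return hashlib.sha256(data).hexdigest()


def buggy_sha256_hex(data: bytes) -> str:
    """Deliberately wrong implementation (constructed): drops the last input
    byte before hashing. It still passes the empty-message vector, which is
    why a KAT table needs more than one vector."""
    return hashlib.sha256(data[:-1]).hexdigest()


def run_kat(impl: Callable[[bytes], str],
            vectors: List[Tuple[bytes, str]]) -> List[Tuple[bytes, str, str]]:
    """Run every vector through impl; return (input, expected, actual) for
    each failure. An empty list means the implementation passed the KAT."""
    failures = []
    for msg, expected in vectors:
        actual = impl(msg)
        if actual != expected:
            failures.append((msg, expected, actual))
    return failures


class CryptoModule:
    """Hypothetical module with a minimal finite state model:
    POWER_OFF -> SELF_TEST -> OPERATIONAL, or SELF_TEST -> ERROR when a
    power-on self test fails. No cryptographic service is offered outside
    the OPERATIONAL state."""

    def __init__(self, sha256_impl: Callable[[bytes], str]):
        self._sha256 = sha256_impl
        self.state = "POWER_OFF"
        self.last_failures: List[Tuple[bytes, str, str]] = []

    def power_on(self) -> bool:
        """Run the power-on self tests; return True only if all pass."""
        self.state = "SELF_TEST"
        self.last_failures = run_kat(self._sha256, SHA256_KAT_VECTORS)
        self.state = "OPERATIONAL" if not self.last_failures else "ERROR"
        return self.state == "OPERATIONAL"

    def digest(self, data: bytes) -> str:
        """The one service this toy module offers; refused unless OPERATIONAL."""
        if self.state != "OPERATIONAL":
            raise RuntimeError(f"service refused: module state is {self.state}")
        return self._sha256(data)


if __name__ == "__main__":
    good = CryptoModule(sha256_hex)
    print("correct implementation ->", good.power_on(), good.state)
    bad = CryptoModule(buggy_sha256_hex)
    print("buggy implementation   ->", bad.power_on(), bad.state)
    for msg, expected, actual in bad.last_failures:
        print(f"  KAT failed for {msg!r}: expected {expected[:16]}..., got {actual[:16]}...")
```

The design point is the one the validation program makes: correctness is decided by comparing against independently published expected values, not by the implementer's own assertion, and a module whose algorithm fails that comparison must not hand out results.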
Shortcomings of FIPS 140-2

• Not as tightly specified as CC
  • A lot of room for interpretation;
  • hence repeatability of evaluation results is not guaranteed.
• Limited to USA and Canada
Current trends

• Combinations of the two major standards
  • Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified
  • Ensures all security aspects are thoroughly looked at
  • May incur substantial cost
Conclusions

• Information security assurance is needed to provide the consumer with guarantees for the technology they acquire
• Two major standards exist (CC and FIPS 140-2)
  • Different strengths and weaknesses
  • Generally complementary to each other
  • Increasingly used together in situations that require high assurance
