Академический Документы
Профессиональный Документы
Культура Документы
Formal Evaluation
Formal Evaluation
Communications Security
Formal Evaluation
Method
Trust
M th d tto achieve
hi
T t
Not a guarantee of security
Evaluation
E l i methodology
h d l
iincludes:
l d
Security requirements
Assurance requirements showing how to
establish security requirements met
Procedures
P
d
tto demonstrate
d
t t system
t
meets
t
requirements
Metrics for results
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Trusted
d Computer System
Evaluation
l i Criteria
i i
---
TCSEC
CSEC
Communications Security
Formal Evaluation
Emphasis on Confidentiality
Metric: Seven trust levels:
D, C1, C2, B1, B2, B3, A1
D is tried but failed
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Configuration
C fi
ti managementt requirements
i
t
(Version control, change management,
integration procedures, tools for product
generation)
Trusted distribution requirements ((unique to A1))
System architecture requirements
Design specification and verification
requirements
Testing requirements (functional, structural, unit,
system third party
system,
party, security)
Product documentation requirements (SFUG,
TFM)
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Government-sponsored independent
evaluators
Application: Determine if government
cares
Evaluation Phase
Communications Security
Formal Evaluation
Three
phases
Th
h
Design analysis
Review
R i
off d
design
i b
based
d on d
documentation
t ti
Test analysis
Final Review
Communications Security
Formal Evaluation
TCSEC: Problems
Communications Security
Formal Evaluation
Other Criteria
Communications Security
Formal Evaluation
Later Standards
CTCPEC Canada
ITSEC European Standard
Did not define functional criteria
Levels correspond to strength of evaluation
Includes code evaluation,, development
p
methodology requirements
Known vulnerability analysis
Communications Security
Formal Evaluation
ITSEC: Levels
E1: Security target defined, tested
Must have informal architecture description
Communications Security
Formal Evaluation
ITSEC Problems:
Inconsistency in evaluations
Not as formally defined as TCSEC
Communications Security
Formal Evaluation
CC
Replaced TCSEC,
TCSEC ITSEC with CC (1998)
Also known as Common Criteria
Recognition Arrangement
CC Documents
Functional requirements
Assurance requirements
Evaluation Assurance Levels (EAL)
CC Evaluation Methodology
gy ((CEM))
Detailed process model for each level
((evaluation of products
p
and systems)
y
)
National Scheme
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Terms used by CC
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
Communications Security
Security Paradigm
Formal Evaluation
Communications Security
Formal Evaluation
362 page d
documentt
11 Classes
Audit, Communication, Cryptography,
User data protection,
protection ID/authentication
ID/authentication,
Management, Privacy, Protection of
Security Functions
Functions, Resource Utilization
Utilization,
Access, Trusted paths
Se
Several
eral families per class
Lattice of components
p
in family
y
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
1. Pseudonymity
1. The TSF shall ensure that
[[assignment:
g
set of users
and/or subjects] are unable to
determine the real user name
bound to [assignment: list of
subjects and/or operations
and/or objects]
2. The TSF shall be able to
provide [assignment: number
of aliases] aliases of the real
user name to [assignment: list
of subjects]
3. The TSF shall [selection:
determine an alias for a user,
accept the alias from the user]
and verify that it conforms to
the [assignment: alias metric]
2. Reversible Pseudonimity
1.
3. Alias Pseudonimity
1.
Communications Security
Formal Evaluation
216 page d
documentt
10 Classes
Protection Profile Evaluation, Security
Target
g Evaluation
Configuration management, Delivery and
operation,
p
, Development,
p
, Guidance,, Life
cycle, Tests, Vulnerability assessment
Maintenance
Communications Security
Formal Evaluation
1.
Communications Security
Formal Evaluation
I t ll ti
Installation,
generation
ti and
d startstart
t t-up
A. Installation, generation, and start-up procedures
The developer shall document procedures necessary for the secure installation,
generation, and start-up of the TOE.
The documentation shall describe the steps necessary for secure installation
installation, generation,
generation
and start-up of the TOE.
The evaluator shall confirm that the information provided meets all requirements for
presentation of evidence.
content and p
The evaluator shall determine that the installation, generation, and start-up procedures
result in a secure configuration.
Generation Log
Communications Security
Formal Evaluation
Functionally tested
Structurally tested
Methodically tested and checked
Methodically designed, tested, and
reviewed
Semiformally designed and tested
Semiformally verified design and
tested
F
Formally
ll verified
ifi d d
design
i and
d ttested
t d
Communications Security
Formal Evaluation
Communications Security
Formal Evaluation
About
Ab t 80 registered
i t d products
d t
Only one at level 5
(Java Smart Card)
Several
S
l OS att 4
Likelyy manyy more not registered
g