Page 1

Common Criteria Discussions
CCSDS Security Working Group

Spring 2008 Meeting

11-12 March 2008
Washington DC
(Marriott Courtyard Crystal City, Virginia)

Page 2

Background

• ISO 15408 – Common Criteria for Information Technology Security Evaluation
  – International standard
  – Security requirements
  – Common evaluation methodology
  – Mutual evaluation recognition (25 countries)
• Protection Profiles
  – Designed as an “acquisition” document
    » Desired security services
• Security Targets
  – Designed as a vendor “technical delivery” specification
    » Documents the security services provided in a product with respect to a Protection Profile

Page 3

Type of PPs Already Written

• Access control devices
• Boundary protection devices/systems (aka firewalls)
• Databases
• Detection devices/systems (IDS)
• ICs, Smart Cards, devices and systems
• Key Management systems
• Network and Network-related devices/systems
• Operating systems
• Other devices/systems (e.g., ATM, biometric, certificate issuing)
• Digital Signature products

Page 4

Why Common Criteria?

• Advocate the use of PPs to specify (in standardized terms) the full extent of a system’s security requirements.

Page 5

Space PPs

• What would a space PP consist of?
  – Profiles of mission security requirements?
    » Formalization, in CC terms, of security requirements, by mission type, à la security architecture?
  – PPs for space ‘unique’ systems, e.g.,
    » C&DH/command & control
    » Solid state recorders
    » Shared bus
    » Others?

Page 6

Example – Cash Machine¹

This Protection Profile has been developed to specify the requirements in terms of functionalities and levels of assurance applicable to ACDs/ATMs.

Many transactions can be carried out via an ACD/ATM. The target has therefore been deliberately restricted to matters connected with the use of a card, the identification of the cardholder (the confidentiality of the PIN, etc) and the dispensing of cash (the integrity of the interfaces with the server, etc).

The target of evaluation comprises:
• a central processing unit (the “brain” which conditions or coordinates its overall operation),
• a cash dispenser (a hardware device for taking banknotes from cash cassettes and delivering them to the cardholder),
• a card reader (for smart cards and possibly stripe cards),
• an input device for the cardholder to use (subsequently termed the “keypad”).

The Protection Profile relates mainly to interchanges between these various components, which are normally grouped together within a single hardware enclosure (see the diagram above), but any other architecture may be considered.

¹ Bull, Dassault, Diebold, NCR, Siemens Nixdorf, Wang Global

Page 7

Discussion

• Does this make sense?
• Should we attempt to do this?
• Will anyone use it – or even care about it?
• Do the National Space Agencies use the Common Criteria – or should they?
  – US requires FISMA (Federal Information Security Management Act)
    » NIST Federal Information Processing Standards
    » No mention of CC evaluated products
  – What about everyone else?

Page 8

Example: US Federal Aviation Administration (FAA)

• FAA has developed a Protection Profile library of templates
• Three PP classes (characteristics) resulting in 18 different PPs
  – Mission:
    » Mission critical National Airspace System (NAS)
    » Mission support/administrative
  – Technology and Security Enclave:
    » Wide area network
    » Local area network/facility communications
    » Applications system
  – Risk:
    » High risk/critical system
    » Moderate risk/essential system
    » Low risk/routine system
• FAA PP Library Link

Page 9

Page 10

National Airspace System (NAS)

• NAS is very much akin to a distributed mission control center
• From the FAA PP for high risk WAN:
  – The TOE is a high risk WAN that will operate within the U.S. National Airspace System (NAS). The NAS is defined as “the common network of U.S. airspace; air navigation facilities, equipment and services; airports or landing areas; aeronautical charts, information and services; rules, regulations and procedures; technical information; and manpower and material. The NAS encompasses everything and everyone providing FAA-regulated flight operations support services to aviators in airspace for which the United States has jurisdiction or responsibility. Included are system components shared jointly with the military. The NAS is an evolving system of technologies, procedures, and people intended to meet the needs of NAS users and service providers. In short, the NAS is a system of systems that executes a safety-critical mission on a 7x24 basis nationwide.

Page 11

Example: FAA PP Assets & Sensitivities

Information                                                                       Security Classification
-------------------------------------------------------------------------------   -----------------------
I. FAA Operational Voice and Data
  1.1 Air to Ground Voice                                                         SBU
  1.2 Air to Ground Data                                                          SBU
  1.3 Ground to Ground Voice                                                      SBU
  1.4 Ground to Ground Data                                                       SBU
  1.5 Ground to Air Voice                                                         SBU
  1.6 Ground to Air Data                                                          SBU
II. System Hardware, Software, Firmware
  2.1 Cryptographic Keys, other security credentials                              SSI
  2.2 Cryptographic Equipment                                                     SSI
  2.3 Application System (hardware, software, firmware)                           FOUO
  2.4 LAN/WAN telecommunications infrastructure (hardware, software, firmware)    FOUO/SSI
  2.5 System Operation and Management hardware, software, firmware                FOUO/SSI
  2.6 Security management hardware, software, firmware                            FOUO/SSI
  2.7 End-user system hardware, software, firmware                                FOUO/SSI
  2.8 Interfaces to Military, Law Enforcement, and Other Government Agencies      FOUO/SSI

Key:
  NR   - not rated, public information
  SBU  - sensitive but unclassified
  FOUO - for official use only
  SSI  - security sensitive information

Page 12

Way Forward?

• Write a space system Protection Profile?
  – What program/system?
  – Should we/can we write a “system” PP?
    » ISS
    » Constellation
    » ATV
    » Planetary explorer
    » Near-earth explorer
    » Meteorological
    » Other?
  – Or should we write a PP to cover a segment of a system?
    » Mission control system
    » Launch control system
    » Public data dissemination system
    » Other?
• If this is a good thing, do we have volunteers?

Page 13

Discussion/Direction