Common Criteria V3 Overview
Presented to P2600
October 25 2005
Brian Smithson
What have they done!?
Summary
Conceptual model
Structural changes
Summary of changes
Part 1
- More consistent terminology introduced
- Changes in the ASE (Security Target Evaluation) and APE (Protection Profile Evaluation) assurance classes
Part 2
- Complicated terms simplified or removed
- Concepts simplified and clarified
- Underlying model developed
- Reduced 11 classes to 6, 67 families to 45, 354 pages to 130
Summary (2)
Part 3
- ASE and APE reorganized and rewritten to give a higher assurance-to-work ratio
- ACM/ADO/AGD/ALC classes rearranged with clearer purpose into ALC and AGD
- ADV also gives more assurance for less work
- ATE updated to reflect the new ADV
- AVA merged Strength of Function (SOF) with Vulnerability Analysis (VLA), and merged Misuse (MSU) into AGD
- A new class, ACO, deals with composition
Summary (3)
CEM
- New CEM is presented according to class, not EAL, and methodology is provided for all components up to EAL5
- EAL1 is now easier
- You can do a “low assurance level” PP and ST: just do SFRs and SARs, no Security Problem Definition
Conceptual model
1. Security in the operational environment
2. Security in the development environment
3. Evaluation
Security in the operational environment
Assets in the operational environment are defined in terms of value to the owners
Key factors: Risk, Countermeasures
How are these countermeasures evaluated?
Countermeasures must be:
- Sufficient (in conjunction with countermeasures in the operational environment) to counter the threats
- Correct, in that they don’t contain vulnerabilities which could prevent them from working
Sufficiency of the TOE
Starts with a Security Problem Definition:
- Assets and threats to those assets
- Relevant Organizational Security Policies
- Relevant Assumptions about the operational environment
Describe a partwise solution:
- Solution provided by the TOE
- Solution provided by the operational environment
The parts provided by the TOE are Security Functional Requirements (SFRs)
The collection of SFRs is the TOE Security Policy (TSP)
A TOE which fulfills the TSP is sufficient, as long as the TOE has been correctly designed and implemented
Security in the development environment
Correctness of implementation depends on the development environment
Assets in the development environment are defined in terms of value to the developers
Correctness of the TOE implementation
Starts with a Security Problem Definition:
- Assets (in the development environment) and threats to those assets
- Relevant Organizational Security Policies that apply to the development environment
Solutions to the problem are Security Assurance Requirements (SARs)
If all SARs are met, then there is assurance that the TOE is implemented correctly
Evaluation model
Key concepts: Risk, Countermeasures, Assurance
Structural changes
CC v2.2 -> v3 structural changes
v3.0
1. PP introduction
1.1. PP reference
1.2. TOE overview
2. Conformance claims
2.1. Conformance claim
conforms with CCv3 AND Part 2 conformant or extended AND Part 3 conformant or extended
2.2. PP claim
would specify which PP we conform to (if we were composing a PP)
2.3. Package claim
refers to EAL and any other defined packages
3. Security problem definition
3.1. threats
3.2. organizational security policies
3.3. assumptions
note the changed order of subtopics compared to v2.2
4. Security objectives
4.1. for the TOE
4.2. for the development environment
4.3. for the operational environment
4.4. security objectives rationale
5. Extended components definition
6. Security requirements
6.1. security functional requirements for the TOE
6.2. security assurance requirements for the TOE
6.3. security requirements rationale
v2.2
1. PP introduction
1.1. PP identification
1.2. PP overview
2. TOE description
3. TOE security environment
3.1. assumptions
3.2. threats
3.3. organizational security policies
4. Security objectives
4.1. for the TOE
4.2. for the environment
4.2.1. IT environment
4.2.2. non-IT environment
5. IT security requirements
5.1. TOE security requirements
5.1.1. security functional requirements
Part 2 and explicit reqs in CCv2.2
5.1.2. security assurance requirements
Part 3 and explicit reqs in CCv2.2
5.2. Environment security requirements
optional in CCv3
6. PP application notes
Application notes appear close to their point of application in v3, not in a separate section
7. Rationale
Rationale items are placed in the functional and assurance sections in v3, not in a separate section