Page 1: Common Criteria V3 Overview Presented to P2600 October 25 2005 Brian Smithson

Common Criteria V3 Overview

Presented to P2600

October 25, 2005
Brian Smithson

Page 2

What have they done!?

Summary

Conceptual model

Structural changes

Page 3

Summary of changes

Part 1
- More consistent terminology introduced
- Changes in the ASE (Security Target Evaluation) and APE (Protection Profile Evaluation) assurance classes

Part 2
- Complicated terms simplified or removed
- Concepts simplified and clarified
- Underlying model developed
- Reduced 11 classes to 6, 67 families to 45, 354 pages to 130

Page 4

Summary (2)

Part 3
- ASE and APE reorganized and rewritten to give a higher assurance-to-work ratio
- ACM/ADO/AGD/ALC classes rearranged with clearer purpose into ALC and AGD
- ADV also gives more assurance for less work
- ATE updated to reflect the new ADV
- AVA merged Strength of Function (SOF) with Vulnerability Analysis (VLA), and merged Misuse (MSU) into AGD
- A new class, ACO, deals with composition

Page 5

Summary (3)

CEM
- New CEM is presented according to class, not EAL, and methodology is provided for all components up to EAL5

EAL1 is now easier
- You can do a "low assurance level" PP and ST
- Just do SFRs and SARs, with no Security Problem Definition

Page 6

Conceptual model

1. Security in the operational environment

2. Security in the development environment

3. Evaluation

Page 7

Security in the operational environment

Assets in the operational environment are defined in terms of value to the owners

Key factors: risk, countermeasures

Page 8

How are these countermeasures evaluated?

Countermeasures must be:
- Sufficient (in conjunction with countermeasures in the operational environment) to counter the threats
- Correct, in that they don't contain vulnerabilities which could prevent them from working

Page 9

Sufficiency of the TOE

Starts with a Security Problem Definition:
- Assets and threats to those assets
- Relevant Organizational Security Policies
- Relevant Assumptions about the operational environment

Describe a partwise solution:
- Solution provided by the TOE
- Solution provided by the operational environment

The parts provided by the TOE are Security Functional Requirements (SFRs)

The collection of SFRs is the TOE Security Policy (TSP)

A TOE which fulfills the TSP is sufficient, as long as the TOE has been correctly designed and implemented

Page 10

Security in the development environment

Correctness of implementation depends on the development environment

Assets in the development environment are defined in terms of value to the developers

Page 11

Correctness of the TOE implementation

Starts with a Security Problem Definition:
- Assets (in the development environment) and threats to those assets
- Relevant Organizational Security Policies that apply to the development environment

Solutions to the problem are Security Assurance Requirements (SARs)

If all SARs are met, then there is assurance that the TOE is implemented correctly

Page 12

Evaluation model

Key concepts: risk, countermeasures, assurance

Page 13

Structural changes: CC v2.2 -> v3.0 (PP structure)

v3.0
1. PP introduction
  1.1. PP reference
  1.2. TOE overview
2. Conformance claims
  2.1. Conformance claim (conforms with CC v3 AND Part 2 conformant or extended AND Part 3 conformant or extended)
  2.2. PP claim (would specify which PP we conform to, if we were composing a PP)
  2.3. Package claim (refers to the EAL and any other defined packages)
3. Security problem definition
  3.1. Threats
  3.2. Organizational security policies
  3.3. Assumptions
  (note the changed order of subtopics compared to v2.2)
4. Security objectives
  4.1. For the TOE
  4.2. For the development environment
  4.3. For the operational environment
  4.4. Security objectives rationale
5. Extended components definition
6. Security requirements
  6.1. Security functional requirements for the TOE
  6.2. Security assurance requirements for the TOE
  6.3. Security requirements rationale

v2.2
1. PP introduction
  1.1. PP identification
  1.2. PP overview
2. TOE description
3. TOE security environment
  3.1. Assumptions
  3.2. Threats
  3.3. Organizational security policies
4. Security objectives
  4.1. For the TOE
  4.2. For the environment
    4.2.1. IT environment
    4.2.2. Non-IT environment
5. IT security requirements
  5.1. TOE security requirements
    5.1.1. Security functional requirements (Part 2 and explicit requirements in CC v2.2)
    5.1.2. Security assurance requirements (Part 3 and explicit requirements in CC v2.2)
  5.2. Environment security requirements (optional in CC v3)
6. PP application notes (in v3, application notes appear close to their point of application, not in a separate section)
7. Rationale (in v3, rationale items are placed in the functional and assurance sections, not in a separate section)
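The sufficiency argument on the "Sufficiency of the TOE" slide (threats and OSPs countered by a partwise solution, assumptions upheld by the environment, the TOE's share expressed as SFRs) is what the v3 rationale sections 4.4 and 6.3 have to demonstrate. The following is an added example, not code from the presentation or from the CC documents, that turns that tracing into a mechanical coverage check: every threat and OSP must be addressed by at least one objective, an assumption may only be upheld by an environment objective, every TOE objective must be met by at least one SFR, and no SFR may point at an environment objective (v3 has no security requirements on the environment). All T.*, P.*, A.*, O.* and OE.* identifiers are constructed for illustration; the SFR names are CC Part 2 component labels used purely as strings.

```python
"""Coverage check for the sufficiency argument of a CC v3-style PP/ST.

Added example; identifiers below are hypothetical and the model is a
simplification of what ASE/APE evaluators check in the rationale sections.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityProblem:
    """Section 3 of a v3 PP/ST: threats, OSPs and assumptions."""
    threats: set[str] = field(default_factory=set)
    osps: set[str] = field(default_factory=set)
    assumptions: set[str] = field(default_factory=set)


@dataclass
class PartwiseSolution:
    """Sections 4 and 6: objectives split between TOE and environment,
    plus the SFRs that implement the TOE's share of the solution."""
    toe_objectives: dict[str, set[str]] = field(default_factory=dict)  # O.x  -> {T.x, P.x}
    env_objectives: dict[str, set[str]] = field(default_factory=dict)  # OE.x -> {T.x, P.x, A.x}
    sfrs: dict[str, set[str]] = field(default_factory=dict)            # SFR  -> {O.x}


def objectives_rationale(problem: SecurityProblem, sol: PartwiseSolution) -> list[str]:
    """Findings for v3 section 4.4 (empty list means the rationale holds)."""
    findings: list[str] = []
    addressed: set[str] = set()
    for obj, targets in sol.toe_objectives.items():
        if not targets:
            findings.append(f"{obj}: TOE objective addresses nothing")
        for t in targets:
            if t in problem.assumptions:
                # Assumptions are about the environment; the TOE cannot uphold them.
                findings.append(f"{obj}: TOE objective cannot uphold assumption {t}")
            elif t not in problem.threats | problem.osps:
                findings.append(f"{obj}: references unknown item {t}")
        addressed |= targets
    for obj, targets in sol.env_objectives.items():
        if not targets:
            findings.append(f"{obj}: environment objective addresses nothing")
        unknown = targets - (problem.threats | problem.osps | problem.assumptions)
        findings += [f"{obj}: references unknown item {u}" for u in sorted(unknown)]
        addressed |= targets
    # Every element of the security problem definition needs at least one objective.
    for item in sorted((problem.threats | problem.osps | problem.assumptions) - addressed):
        findings.append(f"{item}: not addressed by any objective")
    return sorted(findings)


def requirements_rationale(sol: PartwiseSolution) -> list[str]:
    """Findings for v3 section 6.3 (empty list means the rationale holds)."""
    findings: list[str] = []
    met: set[str] = set()
    for sfr, objs in sol.sfrs.items():
        if not objs:
            findings.append(f"{sfr}: SFR traces to no objective")
        for o in objs:
            if o in sol.env_objectives:
                # v3 dropped requirements on the environment: SFRs belong to the TOE only.
                findings.append(f"{sfr}: SFR cannot implement environment objective {o}")
            elif o not in sol.toe_objectives:
                findings.append(f"{sfr}: references unknown objective {o}")
        met |= objs
    for obj in sorted(set(sol.toe_objectives) - met):
        findings.append(f"{obj}: TOE objective not met by any SFR")
    return sorted(findings)


def is_sufficient(problem: SecurityProblem, sol: PartwiseSolution) -> bool:
    """True when both rationales are free of findings."""
    return not objectives_rationale(problem, sol) and not requirements_rationale(sol)


# Constructed sample: a small access-control TOE with hypothetical identifiers.
SAMPLE_PROBLEM = SecurityProblem(
    threats={"T.UNAUTH_ACCESS", "T.UNDETECTED"},
    osps={"P.ACCOUNTABILITY"},
    assumptions={"A.PHYSICAL", "A.TRUSTED_ADMIN"},
)
SAMPLE_SOLUTION = PartwiseSolution(
    toe_objectives={
        "O.IDENTIFY": {"T.UNAUTH_ACCESS"},
        "O.ACCESS_CONTROL": {"T.UNAUTH_ACCESS"},
        "O.AUDIT": {"T.UNDETECTED", "P.ACCOUNTABILITY"},
    },
    env_objectives={
        "OE.PHYSICAL": {"A.PHYSICAL"},
        "OE.ADMIN": {"A.TRUSTED_ADMIN"},
        "OE.TIME": {"P.ACCOUNTABILITY"},  # reliable time stamps come from the environment
    },
    sfrs={
        "FIA_UID.1": {"O.IDENTIFY"},
        "FIA_UAU.1": {"O.IDENTIFY"},
        "FDP_ACC.1": {"O.ACCESS_CONTROL"},
        "FDP_ACF.1": {"O.ACCESS_CONTROL"},
        "FAU_GEN.1": {"O.AUDIT"},
    },
)

if __name__ == "__main__":
    for line in objectives_rationale(SAMPLE_PROBLEM, SAMPLE_SOLUTION) + requirements_rationale(SAMPLE_SOLUTION):
        print(line)
    print("sufficient" if is_sufficient(SAMPLE_PROBLEM, SAMPLE_SOLUTION) else "NOT sufficient")
```

The check deliberately treats a TOE objective that claims to uphold an assumption, and an SFR that points at an OE.* objective, as errors: both are the v2.2 habits (environment requirements, mixed IT/non-IT environment objectives) that the v3 structure removed, and they are the mistakes most likely to appear when an old PP is ported to the new outline.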