You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance?
Apostol Vassilev, atsec information security & NetIDSys, Inc.

Upload: beatrix-robbins

Post on 02-Jan-2016

TRANSCRIPT

Page 1: You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance?

Apostol Vassilev, atsec information security & NetIDSys, Inc.

Page 2: The problem of information security assurance

• There is a plethora of “secure” software and hardware products, often designed to meet similar customer information security needs.

• How can we say which ones are better/more secure?

• Can the consumers decide for themselves?

• Can we leave it up to the market forces to weed out the bad products and identify the best solutions?

Page 3: Outline

• Introduce a couple of major information security assurance standards:
  • Common Criteria
  • Federal Information Processing Standard (FIPS)

• Current Trends

• Conclusions

Page 4: The CC standard for IT security evaluation (Common Criteria)

Page 5: Formalization of assurance and certification

Certification definition according to the German Law DIN 45020: a measure by an impartial third party that shows there is reasonable confidence that a correctly identified product, process or service is in accordance with a specified standard or another normative document.

Applied to IT security evaluation:

• impartial third party: e.g. the BSI (Germany) or NIAP (USA) and licensed and accredited evaluation labs

• reasonable confidence: that the IT security is correctly implemented and effective

• correctly identified product: the specified IT product

Page 6: The path to CC

• Orange Book (TCSEC), 1985

• UK Confidence Levels, 1989

• German Criteria

• French Criteria

• ITSEC, 1991

• Canadian Criteria (CTCPEC), 1993

• Federal Criteria Draft, 1993

• Common Criteria v1.0 1996, v2.0 1998, v2.1 1999

• V2.3 = ISO 15408, 2005; V3.1 2006

• (ISO 15408 and V3.x: coming in 2008)

Page 7: Participating Nations and Agencies

• Germany, Bundesamt für Sicherheit in der Informationstechnik (BSI).

• France, Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI).

• UK, Communications-Electronics Security Group (CESG).

• Netherlands, Netherlands National Communications Security Agency (NLNCSA).

• Canada, Communication Security Establishment (CSE).

• USA, National Security Agency (NSA) and National Institute of Standards and Technology (NIST).

• Australia and New Zealand, the Defence Signals Directorate and the Government Communications Security Bureau respectively.

• Japan, Information Technology Promotion Agency.

• Spain, Ministerio de Administraciones Públicas and Centro Criptológico Nacional.

Page 8: Objectives of the CC standard

• Common criteria for products and systems based on the existing criteria of the U.S. and Europe

• ISO standardization

• An international basis for developers

• Comparability of security evaluation results

• International mutual recognition of certificates

• Improved availability of high-quality security technology

Page 9: International Recognition of CC

Australia/New Zealand, Netherlands, USA, Canada, France, Germany, Sweden, UK, Japan, Korea, Norway, Spain

Italy, Finland, Austria, Hungary, Turkey, Czech Rep.

India, Israel, Singapore, Denmark, Greece, Malaysia

Page 10: CC Evaluation Approach

• Axiomatic, resembles a math theorem proof

• Security Problem Definition
  • Target of Evaluation (TOE): the product
  • Threats, assumptions, security policies

• Security Objectives for the TOE and its operational environment

• Assurance claims
  • Typically stated as Evaluation Assurance Levels (EAL), EAL1 to EAL7

• Proof
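The "theorem proof" structure of a CC evaluation can be made concrete: the Security Problem Definition supplies the premises (threats, assumptions, policies) and the security objectives must cover every one of them, with assumptions upheld only by objectives on the operational environment. The following added example (not from the talk) models that coverage check; the T./A./P./O./OE. labels follow the usual CC naming convention, and the appliance, its threats and objectives are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProblem:
    """The CC Security Problem Definition (SPD) for one TOE."""
    toe: str
    threats: frozenset
    assumptions: frozenset
    policies: frozenset       # organisational security policies (OSPs)


@dataclass(frozen=True)
class Objectives:
    """Security objectives, each mapped to the SPD items it claims to address."""
    toe: dict                 # O.xxx  -> items addressed by the TOE itself
    environment: dict         # OE.xxx -> items addressed by the operational environment


def _union(mapping):
    return frozenset().union(*mapping.values()) if mapping else frozenset()


def rationale_gaps(spd, obj):
    """Return (uncovered, misplaced): SPD items no objective addresses, and
    assumptions that TOE objectives claim to address.  Assumptions describe
    the operational environment, so only OE.* objectives may uphold them.
    Two empty lists mean the objectives fully resolve the security problem,
    i.e. the coverage part of the CC security objectives rationale holds."""
    by_toe, by_env = _union(obj.toe), _union(obj.environment)
    everything = spd.threats | spd.assumptions | spd.policies
    uncovered = everything - (by_toe | by_env)
    misplaced = spd.assumptions & by_toe
    return sorted(uncovered), sorted(misplaced)


# Constructed sample SPD for a hypothetical network appliance (not a real Security Target).
SPD = SecurityProblem(
    toe="Example network appliance",
    threats=frozenset({"T.UNAUTH_ACCESS", "T.AUDIT_LOSS"}),
    assumptions=frozenset({"A.PHYSICAL", "A.ADMIN_TRUSTED"}),
    policies=frozenset({"P.ACCOUNTABILITY"}),
)
# First draft: A.ADMIN_TRUSTED is never addressed, and the TOE wrongly claims A.PHYSICAL.
DRAFT = Objectives(
    toe={"O.AUTH": {"T.UNAUTH_ACCESS"},
         "O.AUDIT": {"T.AUDIT_LOSS", "P.ACCOUNTABILITY"},
         "O.TAMPER": {"A.PHYSICAL"}},
    environment={"OE.PHYSICAL": {"A.PHYSICAL"}},
)
# Revised: the environment upholds both assumptions; the TOE addresses only threats and OSPs.
REVISED = Objectives(
    toe={"O.AUTH": {"T.UNAUTH_ACCESS"},
         "O.AUDIT": {"T.AUDIT_LOSS", "P.ACCOUNTABILITY"}},
    environment={"OE.PHYSICAL": {"A.PHYSICAL"}, "OE.ADMIN": {"A.ADMIN_TRUSTED"}},
)

if __name__ == "__main__":
    print(rationale_gaps(SPD, DRAFT))    # (['A.ADMIN_TRUSTED'], ['A.PHYSICAL'])
    print(rationale_gaps(SPD, REVISED))  # ([], [])
```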

Page 11: Certification procedure

[Diagram: parties Applicant, Lab and Certification body (with Supervision); artefacts Application, Product and evidence, Evaluation report, Certificate and Certification report.]

Page 12: Evaluation labs

atsec information security – leader in OS evaluation

Atos Origin GmbH, CSC Deutschland Solutions GmbH, Datenschutz nord GmbH, Deutsches Forschungszentrum für künstliche Intelligenz GmbH, Industrieanlagen-Betriebsgesellschaft (IABG) mbH, Media transfer AG, Secunet SWISSiT AG, SRC Security Research & Consulting GmbH, Tele Consulting GmbH, TNO-ITSEF BV, T-Systems GEI GmbH, TÜV Informationstechnik GmbH

• WTD 81 • BSI

Page 13: Responsibility of the Evaluator (DIN 17025)

• impartial

• neutral

• technically competent

• technically independent

Page 14: Shortcomings of the CC standard

• Does not evaluate the cryptography in security products: no cryptanalysis

• Does not take risk into account: assumptions are assumed to hold absolutely

• Tends to be expensive/time consuming

Page 15: FIPS: An Overview

• FIPS are a series of U.S. Federal Information Processing Standards.

• FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST.

• They are not mandatory for individual states, but are often used by them.

• They are often adopted by non-government agencies or large corporations.

(Section: FIPS 140-2 The Standard)

Page 16: FIPS 140-2

• FIPS 140-2 was published in 2001. Change notes were added in 2002.

• FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development.

• Mandatory for federal agencies

Page 17: What is a Cryptographic Module?

• Can be: hardware, software, firmware, hybrid

• Performing certain security functionality

• With specific logical/physical boundaries

(Section: Cryptographic Module Basics)

Page 18: FIPS 140-2: Functional Areas

• FIPS 140-2 is divided into 11 functional areas.

• Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets.

• The module as a whole is awarded an “Overall Security Level,” which is the lowest level awarded in any of the areas.

Page 19: FIPS 140-2: Functional Areas

1. Cryptographic Module Specification

3. Roles, Services, and Authentication

4. Finite State Model

6. Operational Environment

7. Cryptographic Key Management

9. Self Tests

10. Design Assurance

11. Mitigation of Other Attacks

Page 20: What is the FIPS Validation Program?

Cryptographic Module Validation Program (CMVP)

• A joint program between:
  • the U.S. NIST (National Institute of Standards and Technology)
  • the C.S.E. (Communications Security Establishment) of the Government of Canada

(Section: Explaining the CMVP)

Page 21: The Validation Process

Page 22: Cryptographic Algorithm Validation (integral part of module validation)

• Algorithms used in Approved mode must be FIPS-validated. This means that they are implemented correctly.

• 50 % of newly-tested algorithms fail!

• They are published on a list given at http://csrc.nist.gov/cryptval/vallists.htm.

Page 23: Shortcomings of FIPS 140-2

• Not as tightly specified as CC: a lot of room for interpretation; hence repeatability of evaluation results is not guaranteed.

• Limited to USA and Canada

Page 24: Current trends

• Combinations of the two major standards

• Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified
  • Ensures all security aspects are thoroughly looked at
  • May incur substantial cost

Page 25: Conclusions

• Information security assurance is needed to provide the consumer with guarantees for the technology they acquire

• Two major standards exist (CC and FIPS 140-2)
  • Different strengths and weaknesses
  • Generally complementary to each other
  • Increasingly used together in situations that require high assurance