The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security.
Common Criteria is based upon a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

Key Concepts

Common Criteria evaluations are performed on computer security products and systems.
- Target of Evaluation (TOE) - the product or system that is the subject of the evaluation.

The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:
- Protection Profile (PP) - a document, typically created by a user or user community, which identifies security requirements relevant to that user for a particular purpose. A PP effectively defines a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls). Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
- Security Functional Requirements (SFRs) - specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, an SFR may state how a user acting in a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).
- Security Target (ST) - the document that identifies the security properties of the target of evaluation. Each target is evaluated against the SFRs established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
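The SFR dependency check described above, worked as an added example (not code from the article or from the CC project): an ST author lists the chosen SFR components and must show that every dependency Part 2 declares for them is either satisfied or justified. The dependency table below is a small excerpt reproduced from memory for illustration, and the claimed SFR set is constructed; consult the current Part 2 text for a real evaluation.

```python
"""SFR dependency check of the kind an ST author documents in the
"SFR dependency rationale".  Added example; not code from the article.
The table below is a small excerpt of the CC Part 2 component dependency
table reproduced from memory for illustration, so consult the current
Part 2 text rather than this table for a real evaluation."""
from typing import Dict, List, Set, Tuple

# Each SFR component maps to a list of dependency groups.  A group with
# several members means "any one of these satisfies the dependency"
# (Part 2 writes this as "[FDP_ACC.1 or FDP_IFC.1]").
DEPENDENCIES: Dict[str, List[Tuple[str, ...]]] = {
    "FDP_ACC.1": [("FDP_ACF.1",)],                  # subset access control
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],  # attribute-based rules
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],  # static attribute init
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_SMR.1": [("FIA_UID.1",)],  # roles require identifying the user
    "FIA_UAU.1": [("FIA_UID.1",)],  # authentication requires identification
    "FIA_UID.1": [],
    "FMT_SMF.1": [],
}

def unsatisfied_dependencies(claimed: Set[str]) -> Dict[str, List[Tuple[str, ...]]]:
    """For each claimed SFR, return the dependency groups that no claimed
    component satisfies.  A component absent from the table is reported as
    unknown rather than silently treated as dependency-free."""
    gaps: Dict[str, List[Tuple[str, ...]]] = {}
    for comp in sorted(claimed):
        if comp not in DEPENDENCIES:
            gaps[comp] = [("<unknown component>",)]
            continue
        open_groups = [g for g in DEPENDENCIES[comp] if not claimed.intersection(g)]
        if open_groups:
            gaps[comp] = open_groups
    return gaps

def dependency_closure(claimed: Set[str]) -> Set[str]:
    """Repeatedly add the first alternative of every open dependency group
    until nothing is missing; shows how one claimed SFR pulls in others."""
    result = set(claimed)
    while True:
        added = {g[0] for groups in unsatisfied_dependencies(result).values()
                 for g in groups if g[0] in DEPENDENCIES}
        if added <= result:
            return result
        result |= added

def rationale_lines(claimed: Set[str]) -> List[str]:
    """Human-readable lines for the ST's dependency rationale section."""
    lines = []
    for comp, groups in unsatisfied_dependencies(claimed).items():
        for g in groups:
            lines.append(f"{comp}: dependency on {' or '.join(g)} is NOT met")
    return lines or ["all SFR dependencies are satisfied"]

if __name__ == "__main__":
    # Constructed ST that claims role-based access control but forgets the
    # supporting management and identification components.
    st_sfrs = {"FDP_ACC.1", "FDP_ACF.1", "FMT_SMR.1"}
    print("\n".join(rationale_lines(st_sfrs)))
    print("closed set:", sorted(dependency_closure(st_sfrs)))
```

Running the constructed case shows that claiming role-based access control alone pulls in four further components (attribute initialisation, attribute management, management functions and user identification), which is exactly the dependency chain the article's roles example alludes to.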
The evaluation process also tries to establish the level of confidence that may be placed in the product's security features through quality assurance processes:
- Security Assurance Requirements (SARs) - descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
- Evaluation Assurance Level (EAL) - the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly 'augmenting' requirements in a few areas with requirements from a higher level. Higher EALs do not necessarily imply "better security"; they only mean that the claimed security assurance of the TOE has been more extensively validated.
So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards covering, for example, interoperation, system management and user training supplement CC and other product standards. Examples include ISO 17799 (or more properly BS 7799-2, which is now ISO/IEC 27002) or the German IT-Grundschutzhandbuch.
Details of cryptographic implementation within the TOE are outside the scope of the CC. Instead, national standards, like FIPS 140-2, give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.
History

CC originated out of three standards:
- ITSEC - The European standard, developed in the early 1990s by France, Germany, the Netherlands and the UK. It too was a unification of earlier work, such as the two UK approaches (the CESG UK Evaluation Scheme aimed at the Defence/Intelligence market and the DTI Green Book aimed at commercial use), and was adopted by some other countries, e.g. Australia.
- CTCPEC - The Canadian standard followed from the US DoD standard, but avoided several problems and was used jointly by evaluators from both the U.S. and Canada. The CTCPEC standard was first published in May of 1993.
- TCSEC - The United States Department of Defense DoD 5200.28 Std, called the Orange Book and parts of the Rainbow Series. The Orange Book originated from Computer Security work including the Ware Report, done by the National Security Agency and the National Bureau of Standards (the NBS eventually became NIST) in the late 1970s and early 1980s. The central thesis of the Orange Book follows from the work done by Dave Bell and Len LaPadula for a set of protection mechanisms.
CC was produced by unifying these pre-existing standards, predominantly so that companies selling computer products for the government market (mainly for Defence or Intelligence use) would only need to have them evaluated against one set of standards. The CC was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S.
Common Criteria Testing Organizations

All Testing Laboratories must comply with ISO 17025, and Certification Bodies will normally be approved against either ISO/IEC Guide 65 or BS EN 45011.

Compliance with ISO 17025 is typically demonstrated to a national approval authority:
- In Canada, the Standards Council of Canada (SCC) accredits Common Criteria Evaluation Facilities
- In the UK the United Kingdom Accreditation Service (UKAS) accredits Commercial Evaluation Facilities (CLEF)
- In the US, the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits Common Criteria Testing Laboratories (CCTL)
Mutual Recognition Arrangement

As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties. Originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States, Australia and New Zealand joined in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. The Arrangement has since been renamed Common Criteria Recognition Arrangement (CCRA) and membership continues to expand. Within the CCRA only evaluations up to EAL 4 are mutually recognized (including augmentation with flaw remediation). The European countries within the former ITSEC agreement typically recognize higher EALs as well. Evaluations at EAL5 and above tend to involve the security requirements of the host nation's government.
Issues

Requirements

Common Criteria does not provide a list of product security requirements or features that products must contain: this follows the approach taken by ITSEC, but has been a source of debate to those used to the more prescriptive approach of other earlier standards such as TCSEC and FIPS 140-2.
Value of Certification

So, if a product is Common Criteria certified, does that mean it is very secure? Let's look at an example. Microsoft Windows 2000 is a certified product at EAL4+, but regular security patches for security vulnerabilities are still published by Microsoft for Windows 2000. This is possible because the process of getting a Common Criteria certification allows a vendor to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. Based on these assumptions, the claimed security functions of the product are evaluated. Since Microsoft Windows 2000 has been EAL4+ certified, it should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft.
Whether you run Microsoft Windows 2000 in the precise evaluated configuration or not, you should apply Microsoft's security patches for the vulnerabilities in Windows 2000 as they continue to appear. If any of these security vulnerabilities are exploitable in the product's evaluated configuration, the product's Common Criteria certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include application of the patches to fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product's certification by the certification body of the country in which the product was evaluated. Microsoft Windows 2000 remains at EAL4+ without including the application of any Microsoft security vulnerability patches in its evaluated configuration. This shows both the limitation and strength of an evaluated configuration.
Criticisms

In August 2007, Government Computing News (GCN) columnist William Jackson critically examined Common Criteria methodology and its US implementation by the CCEVS.[1] In the column executives from the security industry, researchers, and representatives from NIAP were interviewed. Objections outlined in the article include:
- Evaluation is a costly process (often measured in hundreds of thousands of US dollars) -- and the vendor's return on that investment is not necessarily a more secure product
- Evaluation focuses primarily on assessing the evaluation documentation, not on the technical correctness or merits of the product itself (for US evaluations at EAL5 and higher, experts from the National Security Agency participate in the analysis)
- The effort and time necessary to prepare evaluation evidence and other evaluation-related documentation is so cumbersome that by the time the work is completed, the product in evaluation is generally obsolete
- Industry input, including that from organizations such as the Common Criteria Vendor's Forum, generally has little impact on the process as a whole
In a 2006 research paper, computer specialist David A. Wheeler suggested that the Common Criteria process discriminates against FOSS-centric organizations and development models.[2] Common Criteria assurance requirements tend to be inspired by the traditional waterfall software development methodology. In contrast, much FOSS software is produced using modern agile paradigms. Although some have argued that both paradigms do not align well[3], others have attempted to reconcile both paradigms.[4]
Alternative Approaches

Throughout the lifetime of CC, it has not been universally adopted even by the creator nations, with, in particular, cryptographic approvals being handled separately, such as by the Canadian / US implementation of FIPS-140, and the CESG Assisted Products Scheme (CAPS)[5] in the UK.

The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to be impeding the operation of the market:
- The CESG System Evaluation (SYSn) and Fast Track Approach (FTA) schemes for assurance of government systems rather than generic products and services, which have now been merged into the CESG Tailored Assurance Service (CTAS) [6]
- The CSIA Claims Test Mark (CCT Mark), which is aimed at handling less exhaustive assurance requirements for products and services in a cost and time efficient manner
References

- [1] Under Attack: Common Criteria has loads of critics, but is it getting a bum rap? Government Computer News, retrieved 2007-12-14
- [2] Free-Libre / Open Source Software (FLOSS) and Software Assurance
- [3] Wäyrynen, J., Bodén, M., and Boström, G., Security Engineering and eXtreme Programming: An Impossible Marriage?
- [4] Beznosov, Konstantin and Kruchten, Philippe, Towards Agile Security Assurance, retrieved 2007-12-14
- [5] CAPS: CESG Assisted Products Scheme
- [6] Infosec Assurance and Certification Services (IACS)