1 / 25

You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance?

Apostol Vassilev, atsec information security & NetIDSys, Inc.


Presentation Transcript


  1. You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance? Apostol Vassilev atsec information security & NetIDSys, Inc.

  2. The problem of information security assurance • There is a plethora of “secure” software and hardware products, often designed to meet similar customer information security needs • How can we say which ones are better/more secure? • Can the consumers decide for themselves? • Can we leave it up to the market forces to weed out the bad products and identify the best solutions?

  3. Outline • Introduce a couple of major information security assurance standards • Common Criteria • Federal Information Processing Standard (FIPS) • Current Trends • Conclusions

  4. Common Criteria: the CC standard for IT security evaluation

  5. Formalization of assurance and certification • Definition of certification according to the German standard DIN 45020: a measure • by an impartial third party, • that shows there is reasonable confidence • that a correctly identified product, process or service • is in accordance with a specified standard or another normative document. • E.g. by the BSI (Germany) or NIAP (USA) and licensed and accredited evaluation labs, • which shows that there is reasonable confidence in the correct implementation and effectiveness of the IT security • of the specified IT product

  6. The path to CC (timeline) • Orange Book (TCSEC) 1985 • UK Confidence Levels 1989 • German Criteria, French Criteria • ITSEC 1991 • Canadian Criteria (CTCPEC) 1993 • Federal Criteria Draft 1993 • Common Criteria v1.0 1996 • v2.0 1998 • v2.1 1999 • v2.3 = ISO 15408, 2005 • v3.1 2006 (ISO 15408 on v3.x: coming in 2008)

  7. Participating Nations and Agencies • Germany, Bundesamt für Sicherheit in der Informationstechnik (BSI) • France, Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI) • UK, Communications-Electronics Security Group (CESG) • Netherlands, Netherlands National Communications Security Agency (NLNCSA) • Canada, Communications Security Establishment (CSE) • USA, National Security Agency (NSA) and National Institute of Standards and Technology (NIST) • Australia and New Zealand, the Defence Signals Directorate and the Government Communications Security Bureau, respectively • Japan, Information Technology Promotion Agency • Spain, Ministerio de Administraciones Públicas and Centro Criptológico Nacional

  8. Objectives of the CC standard • Common criteria for products and systems • based on the existing criteria of the U.S. and Europe • ISO standardization • an international basis for developers • Comparability of security evaluation results • international mutual recognition of certificates • Improved availability of high-quality security technology

  9. International Recognition of CC (figure) • Certifying nations: Australia/New Zealand, Netherlands, USA, Canada, France, Germany, Sweden, UK, Japan, Korea, Norway, Spain • Recognizing nations: India, Israel, Singapore, Denmark, Greece, Malaysia, Italy, Finland, Austria, Hungary, Turkey, Czech Rep.

  10. CC Evaluation Approach • Axiomatic, resembles a math theorem proof • Security Problem Definition • Target of Evaluation (TOE) – the product • Threats, assumptions, security policies • Security Objectives for the TOE and its operational environment • Assurance claims • Typically stated as Evaluation Assurance Levels (EAL) • EAL1 to EAL7 • Proof

  11. Certification procedure (figure; elements shown: Applicant, Application, Product and evidence, Lab, Evaluation report, Certification body, Supervision, Certificate, Certification report)

  12. Evaluation labs • atsec information security – leader in OS evaluation • Atos Origin GmbH • CSC Deutschland Solutions GmbH • Datenschutz nord GmbH • Deutsches Forschungszentrum für künstliche Intelligenz GmbH • Industrieanlagen-Betriebsgesellschaft (IABG) mbH • Media transfer AG • Secunet SWISSiT AG • SRC Security Research & Consulting GmbH • Tele Consulting GmbH • TNO-ITSEF BV • T-Systems GEI GmbH • TÜV Informationstechnik GmbH • WTD 81 • BSI

  13. Responsibility of the Evaluator (DIN 17025) • technically competent • technically independent • impartial • neutral

  14. Shortcomings of the CC standard • Does not evaluate the cryptography in security products • no cryptanalysis • Does not take risk into account • Assumptions are assumed to hold absolutely • Tends to be expensive/time consuming

  15. FIPS: An Overview • FIPS are a series of U.S. Federal Information Processing Standards. • FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST. • They are not mandatory for individual states, but are often used by them. • They are often adopted by non-government agencies or large corporations. (FIPS 140-2: The Standard)

  16. FIPS 140-2 • FIPS 140-2 was published in 2001. • Change notes were added in 2002. • FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development. • Mandatory for federal agencies

  17. What is a Cryptographic Module? (Cryptographic Module Basics) • Can be: • Hardware • Software • Firmware • Hybrid • Performing certain security functionality • With specific logical/physical boundaries

  18. FIPS 140-2: Functional Areas • FIPS 140-2 is divided into 11 functional areas. • Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets. • The module as a whole is awarded an “Overall Security Level,” which is the lowest level awarded in any of the areas.

  19. FIPS 140-2: Functional Areas • Cryptographic Module Specification • Roles, Services, and Authentication • Finite State Model • Operational Environment • Cryptographic Key Management • Self Tests • Design Assurance • Mitigation of Other Attacks

  20. What is the FIPS Validation Program? (Explaining the CMVP) • Cryptographic Module Validation Program (CMVP) • A joint program between: • The U.S. NIST (National Institute of Standards and Technology) • The CSE (Communications Security Establishment) of the Government of Canada

  21. The Validation Process (figure)

  22. Cryptographic Algorithm Validation (integral part of module validation) • Algorithms used in Approved mode must be FIPS-validated. • This means that they are implemented correctly. • 50% of newly-tested algorithms fail! • Validated implementations are published on a list at http://csrc.nist.gov/cryptval/vallists.htm.
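Slides 19 and 22 describe two related checks: algorithm validation (is the algorithm implemented correctly?) and the module's power-up self tests, which under the finite state model send a module to an error state on failure. The example below is added here to illustrate that mechanism; it is not code from the presentation or from any validation program. It uses known-answer vectors from public standard test cases (SHA-256("abc") from the FIPS 180 examples, HMAC-SHA-256 test case 1 from RFC 4231) and a hypothetical defective implementation, `broken_sha256_impl`, to show what a known-answer test catches.

```python
import hashlib
import hmac

# Known-answer vectors. These are constructed here from public standard test cases:
# SHA-256("abc") as given in the FIPS 180 examples, HMAC-SHA-256 test case 1 from RFC 4231.
KNOWN_ANSWERS = {
    "SHA-256": {
        "message": b"abc",
        "expected": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "HMAC-SHA-256": {
        "key": bytes([0x0B] * 20),
        "message": b"Hi There",
        "expected": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    },
}


def sha256_impl(message: bytes) -> str:
    """The implementation under test (here the standard library)."""
    return hashlib.sha256(message).hexdigest()


def hmac_sha256_impl(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def broken_sha256_impl(message: bytes) -> str:
    """Hypothetical faulty implementation that drops the last input byte; a KAT detects it."""
    return hashlib.sha256(message[:-1]).hexdigest()


def run_self_tests(sha256=sha256_impl, hmac_sha256=hmac_sha256_impl) -> dict:
    """Run every known-answer test and return per-algorithm pass/fail plus the module state."""
    results = {}
    kat = KNOWN_ANSWERS["SHA-256"]
    results["SHA-256"] = sha256(kat["message"]) == kat["expected"]
    kat = KNOWN_ANSWERS["HMAC-SHA-256"]
    results["HMAC-SHA-256"] = hmac_sha256(kat["key"], kat["message"]) == kat["expected"]
    # Finite state model: one failed power-up self test moves the module to the
    # error state, in which no cryptographic services are provided.
    passed = all(results.values())
    results["state"] = "operational" if passed else "error"
    return results


if __name__ == "__main__":
    print(run_self_tests())
    print(run_self_tests(sha256=broken_sha256_impl))
```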

  23. Shortcomings of FIPS 140-2 • Not as tightly specified as CC • A lot of room for interpretation; • hence the repeatability of evaluation results is not guaranteed. • Limited to the USA and Canada

  24. Current trends • Combinations of the two major standards • Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified • Ensures all security aspects are thoroughly looked at • May incur substantial cost

  25. Conclusions • Information security assurance is needed to provide the consumer with guarantees for the technology they acquire • Two major standards exist (CC and FIPS 140-2) • Different strengths and weaknesses • Generally complementary to each other • Increasingly used together in situations that require high assurance
