You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance? Apostol Vassilev atsec information security & NetIDSys, Inc.
The problem of information security assurance
• There is a plethora of “secure” software and hardware products, often designed to meet similar customer information security needs
• How can we say which ones are better/more secure?
• Can consumers decide for themselves?
• Can we leave it up to market forces to weed out the bad products and identify the best solutions?
Outline
• Introduce a couple of major information security assurance standards
  • Common Criteria
  • Federal Information Processing Standard (FIPS)
• Current trends
• Conclusions
Common Criteria: the CC standard for IT security evaluation
Formalization of assurance and certification
Certification definition according to the German DIN 45020:
• Certification is a measure
  • by an impartial third party,
  • that shows there is reasonable confidence
  • that a correctly identified product, process or service
  • is in accordance with a specified standard or another normative document.
• E.g. by the BSI (Germany) or NIAP (USA) and licensed and accredited evaluation labs,
  • which shows that there is reasonable confidence in the correct implementation and effectiveness of the IT security
  • of the specified IT product
The path to CC
• Orange Book (TCSEC), 1985
• UK Confidence Levels, 1989
• ITSEC, 1991
• German Criteria
• French Criteria
• Canadian Criteria (CTCPEC), 1993
• Federal Criteria Draft, 1993
• Common Criteria v1.0, 1996
• v2.0, 1998
• v2.1, 1999
• v2.3 = ISO 15408, 2005
• v3.1, 2006 (ISO 15408 based on v3.x: coming in 2008)
Participating Nations and Agencies
• Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI)
• France: Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI)
• UK: Communications-Electronics Security Group (CESG)
• Netherlands: Netherlands National Communications Security Agency (NLNCSA)
• Canada: Communications Security Establishment (CSE)
• USA: National Security Agency (NSA) and National Institute of Standards and Technology (NIST)
• Australia and New Zealand: the Defence Signals Directorate and the Government Communications Security Bureau, respectively
• Japan: Information Technology Promotion Agency
• Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional
Objectives of the CC standard
• Common criteria for products and systems
  • based on the existing criteria of the U.S. and Europe
• ISO standardization
  • an international basis for developers
• Comparability of security evaluation results
  • international mutual recognition of certificates
• Improved availability of high-quality security technology
International Recognition of CC
Certifying nations: Australia/New Zealand, Netherlands, USA, Canada, France, Germany, Sweden, UK, Japan, Korea, Norway, Spain
Recognizing nations: India, Israel, Singapore, Denmark, Greece, Malaysia, Italy, Finland, Austria, Hungary, Turkey, Czech Republic
CC Evaluation Approach
• Axiomatic, resembles a mathematical theorem proof
• Security Problem Definition
  • Target of Evaluation (TOE): the product
  • Threats, assumptions, security policies
• Security Objectives for the TOE and its operational environment
• Assurance claims
  • Typically stated as Evaluation Assurance Levels (EAL)
  • EAL1 to EAL7
• Proof
Certification procedure (diagram; labels only): Applicant, Application, Product and evidence, Lab, Evaluation report, Certification body, Supervision, Certificate, Certification report
Evaluation labs
• atsec information security (leader in OS evaluation)
• Atos Origin GmbH
• CSC Deutschland Solutions GmbH
• Datenschutz nord GmbH
• Deutsches Forschungszentrum für künstliche Intelligenz GmbH
• Industrieanlagen-Betriebsgesellschaft (IABG) mbH
• Media transfer AG
• Secunet SWISSiT AG
• SRC Security Research & Consulting GmbH
• Tele Consulting GmbH
• TNO-ITSEF BV
• T-Systems GEI GmbH
• TÜV Informationstechnik GmbH
• WTD 81
• BSI
Responsibility of the Evaluator (DIN 17025)
• technically competent
• technically independent
• impartial
• neutral
Shortcomings of the CC standard
• Does not evaluate the cryptography in security products
  • no cryptanalysis
• Does not take risk into account
  • Assumptions are assumed to hold absolutely
• Tends to be expensive/time consuming
FIPS 140-2: The Standard
FIPS: An Overview
• FIPS are a series of U.S. Federal Information Processing Standards.
• FIPS are mandatory for US Federal agencies, e.g., DoD, NSA, NIST.
• They are not mandatory for individual states, but are often used by them.
• They are often adopted by non-government agencies or large corporations.
FIPS 140-2
• FIPS 140-2 was published in 2001.
• Change notes were added in 2002.
• FIPS 140-2 has recently been reviewed and FIPS 140-3 is currently under development.
• Mandatory for federal agencies
Cryptographic Module Basics
What is a Cryptographic Module?
• Can be:
  • Hardware
  • Software
  • Firmware
  • Hybrid
• Performing certain security functionality
• With specific logical/physical boundaries
FIPS 140-2: Functional Areas
• FIPS 140-2 is divided into 11 functional areas.
• Each area is awarded a Security Level between 1 and 4 depending on the requirements that it meets.
• The module as a whole is awarded an “Overall Security Level,” which is the lowest level awarded in any of the areas.
FIPS 140-2: Functional Areas
• Cryptographic Module Specification
• Roles, Services, and Authentication
• Finite State Model
• Operational Environment
• Cryptographic Key Management
• Self Tests
• Design Assurance
• Mitigation of Other Attacks
Explaining the CMVP
What is the FIPS Validation Program?
Cryptographic Module Validation Program (CMVP), a joint program between:
• The U.S. NIST (National Institute of Standards and Technology)
• The CSE (Communications Security Establishment) of the Government of Canada
The Validation Process (diagram; not reproduced in the text)
Cryptographic Algorithm Validation (integral part of module validation)
• Algorithms used in Approved mode must be FIPS-validated.
• This means that they are implemented correctly.
• 50% of newly tested algorithm implementations fail!
• Validated algorithms are published on a list at http://csrc.nist.gov/cryptval/vallists.htm.
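Algorithm validation and the FIPS 140-2 “Self Tests” area both rest on the same mechanism: comparing an implementation’s output against fixed, published test vectors (known-answer tests). As an added Python example, not from the slides or from any NIST tool, a sketch of a module that runs power-on KATs for SHA-256 and HMAC-SHA-256 and disables its services when one fails; the `CryptoModule` class and the deliberately mis-wired `BROKEN_ANSWERS` module are constructed for illustration.

```python
import hashlib
import hmac

# Published test vectors: SHA-256("abc") from FIPS 180-4, HMAC-SHA-256 from
# RFC 4231 test case 1 (20-byte key of 0x0b, message "Hi There").
KNOWN_ANSWERS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha256").hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}

# Constructed faulty module: its "SHA-256" service is wired to SHA-224.
# Hypothetical, standing in for the implementation errors the slide cites.
BROKEN_ANSWERS = dict(KNOWN_ANSWERS)
BROKEN_ANSWERS["SHA-256"] = (
    lambda: hashlib.sha224(b"abc").hexdigest(),
    KNOWN_ANSWERS["SHA-256"][1],
)


def run_kats(answers):
    """Known-answer tests: {algorithm: True/False} against the expected vectors."""
    return {name: hmac.compare_digest(compute(), expected)
            for name, (compute, expected) in answers.items()}


class CryptoModule:
    """Finite-state sketch: power-on self-tests gate every cryptographic service."""

    def __init__(self, answers=KNOWN_ANSWERS):
        self.answers = answers
        self.state = "power_off"

    def power_on(self):
        # Any KAT failure sends the module to the error state with services disabled.
        self.state = "operational" if all(run_kats(self.answers).values()) else "error"
        return self.state

    def services_enabled(self):
        return self.state == "operational"

    def sha256(self, data):
        if not self.services_enabled():
            raise RuntimeError(f"module in {self.state} state: services disabled")
        return hashlib.sha256(data).hexdigest()
```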
Shortcomings of FIPS 140-2
• Not as tightly specified as CC
  • A lot of room for interpretation;
  • hence repeatability of evaluation results is not guaranteed.
• Limited to USA and Canada
Current trends
• Combinations of the two major standards
  • Many federal agencies in the USA require certain products to be both CC and FIPS 140-2 certified
  • Ensures all security aspects are thoroughly looked at
  • May incur substantial cost
Conclusions
• Information security assurance is needed to provide the consumer with guarantees for the technology they acquire
• Two major standards exist (CC and FIPS 140-2)
  • Different strengths and weaknesses
  • Generally complementary to each other
  • Increasingly used together in situations that require high assurance