Cryptography - Lecture 24 - Trusted Computer Systems

1. TCSEC

• Trusted Computer System Evaluation Criteria ("Orange Book")
• standard for a single computer systems with terminal access
• first standard definition of a trusted computer system and how to evaluate and ensure them
• original spec Aug 83, revised Dec 85
• has tight coupling between functionality & assurance

2. Criteria

• TCSEC defines a number of criteria within broad categories of:

  Security Policy

  must have an explicit, enforced security policy; objects in system need access control labels

  Accountability

  access to information must be controlled by rights of subjects vs class of information; audit trails must be kept

  Assurance

  system must contain mechanisms which can be independently evaluated to provide sufficient assurance that they enforce the stated requirements

3. Other "Rainbow Book" Standards

• also in the Rainbow series is:

  Red Book

  Trusted Network Interpretation

  Yellow Book

  Methodology for Security Risk Assessment

  Lavendar Book

  Database Security Evaluation

4. Evaluation Criteria Classes

Class	Description
D	Minimal Protection
C1	Discretionary Security Protection
C2	Controlled Access Protection
B1	Labelled Security Protection
B2	Structured Protection
B3	Security Domains
A1	Verified Design

5. TCSEC Functionality Requirements

	C1	C2	B1	B2	B3	A1
Ident/Authent	N	N	N	=	=	=
DAC	N	N	=	=	N	=
Audit		N	N	N	N	=
MAC			N	N	=	=
Labelled Output			N	=	=	=
Device Labels				N	=	=
Object Reuse		N	=	=	=	=
Trusted Path				N	=	=

• N means New/Changed/Enhanced functionality required
• = means no additional requirements

6. ITSEC

• Information Technology Security Evaluation Criteria (ITSEC)
• the harmonised European trusted evaluation standard
• unlike TCSEC it is designed for both single and multiple networked computer systems
• Target Of Evaluation (TOE) is the evaluated system
• structured around two key concepts - assurance and functionality
• also details the evalulation process by an independent evaulator working with developer and sponser
• evaluator checks the test and analysis results supplied by sponser and performs aditional tests to audit and supplement these

7. Assurance

• concerned with confidence in both correctness and effectiveness of security functions and mechanisms
• have 7 evaluation levels defined:

  E0

  inadequate

  E1

  statement of security objects, informal description of security architecture

  E2

  +informal description of detailed design, testing, configuration control and controlled distribution

  E3

  +detailed design and source code evaulated

  E4

  +formal security policy model, rigourous architectural and detailed design, vulnerability analysis

  E5

  +close correspondence between detailed design and source code, vulnerability analysis on source code

  E6

  +formal description of TOE consistent with formal security model, evaluation of object code against source

8. Assurance

• correctness is addressed both from:
  • development process & environment in building TOE
  • operation of the TOE
• TOE must also be assessed for:
  • suitability and binding of functionality
  • consequences of known and discovered vulnerabilities
  • strength of security mechanisms against direct attack

9. Functionality

• considered in terms of its security objectives, security functions and security mechanisms
• must define security objectives for TOE either as a natural language security policy or a formal model
• each functionality class is defined by a number of descriptive categories including:
  • identification & authentication, access control, accountability, audit, object reuse, accuracy, reliability of service and data exchange

10. Functionality

• ten functionality classes are defined in two groups

  F1-F5

  map onto TCSEC classes with appropriate assurance levels
  (C1,C2,B1,B2,B3,A1 = F1+E1,F2+E2,F3+E3,F4+E4,F5+E5,F5+E6)

  F6

  high integrity systems (eg financial)

  F7

  high availability/mission critical systems

  F8

  high integrity data communications systems

  F9

  high confidentiality data communications systems

  F10

  high confidentiality and integrity networks

11. Common Criteria

• Common Criteria is being developed as an ISO standard (JTC1.SC27)
• based on existing TCSEC, ITSEC, CTCPEC (Canadian), Federal (US) standards
• concerned with standards for
  • evaluation criteria
  • methodology for application of criteria
  • administrative procedures for evaluation, certification and accreditation schemes

12. Common Criteria

• CC Part 1 covers

  IT Security

  "reduction of risks associated with threats to the information arising directly or indirectly from human error or deliberate subversion"

  Threat Analysis

  to discover conceivable threats

  Risk Analysis

  to determine countermeasures

13. Common Criteria

• key concepts which it defines are:

  Protection Profile

  set of generic security requirements for some applications sector

  Security Target

  a particular instance of a PP

  Target of Evaluation

  actual system evaluated

14. Functional Class Set

• identification & authentication
• trusted path
• security audit
• TOE entry
• user data protection
• resource utilisation & availability
• protection of TOE security functions
• physical protection
• privacy
• communications

15. Assurance Levels

AL0

unassured

AL1

tested

AL2

structurally tested

AL3

methodically tested & checked

AL4

methodically tested & reviewed

AL5

semiformal design

AL6

semiformal verified design

AL7

formally verified design

16. DSD Publications

• Defence Signals Directorate (DSD) is Australia's national authority for signals intelligence and information security
• two principal functions: Signals Intelligence and Information Security
• DSD's Infosec role is not classified
• various Infosec products and services are available
• http://www.dsd.gov.au/infosec/

17. ACSI33

• Australian Communications-Electronic Security Instruction 33 (ACSI 33)
• developed by DSD
• to provide guidance to Australian Government agencies wishing to protect their information systems
• Contents:

  Introduction	Introduction
  Handbook1	Standards
  Handbook2	Evaluated Products
  Handbook3	Risk Management
  Handbook4	Security Management
  Handbook5	Emanations and Cabling Security
  Handbook6	Media Security
  Handbook7	System Access Control
  Handbook8	Network Security
  Handbook9	Cryptographic Systems
  Handbook10	Web Security
  Handbook11	Email Security
  Handbook12	Malicious Software
  Handbook13	Intrusion Detection
  Handbook14	Physical Security
  Handbook14 - Sup	Physical Security (Restricted)

18. Gateway Certification Guide

• developed by DSD
• to provide an independent assessment that an agency's gateway (firewall) has:
  • been configured and managed appropriately
  • that suitable safeguards have been effectivelyimplemented
• Contents:

  Introduction	Introduction
  Chapter1	Security Risk Assessment
  Chapter2	Gateway Policy
  Chapter3	Gateway Design
  Chapter4	Gateway Security Management
  Chapter5	DSD Certification Procedures

19. Evaluated Products List

• DSD maintains an "Evaluated Products List"
• lists products/systems evaluated to a particular class
• in Australia formerly used ITSEC, now Common Crieria
• accept some O/S evaluations also
• note its is a slow and costly process to have a system evaluated
• examples:

  B1

  SCO CMW+, BEST-X/B1, Sun Trusted Solaris

  C2

  SCO UnixWare, BEST-X/C2, Sun Solaris, HP-UX, Novell Netware 4.11 Server< AIX

• see EPL - Products at a Glance (Jan 2001)

20. Summary

• Evaluation Standards: TCSEC, ITSEC, Common Criteria
• DSD Publications

21. Exercises

• Consider the Weapons Documentation case in lesson 23. What type of computer system would be required to implement the evaluation level you identified? From the DSD EPL, what products might be suitable for this?