Überblick Common Criteria

9
1 Zertifizierte IT-Sicherheit nach Common Criteria - ISO/IEC 15408 Dr. Jens Oberender | SRC security research & consulting GmbH

description

SRC security research & consulting

Transcript of Überblick Common Criteria

Page 1: Überblick Common Criteria

1

Zertifizierte IT-Sicherheit nach Common Criteria - ISO/IEC 15408

Dr. Jens Oberender | SRC security research & consulting GmbH

Page 2: Überblick Common Criteria

2

Agenda

• Sicherheits-Zertifikate und Anerkennung

• Vom Problem zum IT-Sicherheits-Produkt

• Schwachstellen-Analyse

Page 3: Überblick Common Criteria

3

Zertifikat (Common Criteria)

Behördliche Zustimmung über die Sicherheit eines Produkts

gemäß einer Untersuchungstiefe

und im Bezug auf die Produktklasse

Bundesamt für Sicherheit in der Informatikstechnik (BSI)

Der abgregrenzte Evaluierungsgegenstand (EVG,

der sicherheitskritische Teil)

Das Security Problem Definition (SPD) wird vollständig abgedeckt durch: a) Sicherheitsfunktionen des EVG oder

b) zugesicherte Eigenschaften der Umwelt des EVG

Ein Schutzprofil definiert SPD und Security Functional Requirements (SFR)

Evaluation Assurance Level (EAL) 4: Methodisches Vorgehen, z.B. Nachvollziehen von SPD bis zur Implementierung

Page 4: Überblick Common Criteria

4

Anerkennung

Page 5: Überblick Common Criteria

5

Security Problem Definition

© SRC/BSI Sicherheitsfunktionen

des EVG

Organisatorische Sicherheitspolitiken Annahmen Bedrohungen

Sicherheitsziele für den EVG

Sicherheitsziele für die EVG Umgebung

Anforderungen an die Sicherheitsfunktionen

des EVG

Page 6: Überblick Common Criteria

6

Bsp.: Security Problem Definition

• Threat Unkontrollierter Informationsfluss

• Security Objective of the TOE Regelbasiertes Filtern von Nachrichten

• Security Functional Requirement

• Security Flow Policy

• FDP_IFC.1 Subset information flow control

• FDP_IFF.1 Simple security attributes

• Sicherheitsfunktion: Einsatz von iptables

The TSF shall enforce the [assignment: information flow control SFP] on [assignment: subjects, information, and

operations covered by the SFP …]

Page 7: Überblick Common Criteria

7

Nachweise nachvollziehen

Page 8: Überblick Common Criteria

8

Schwachstellen-Analyse

• Angriffspfade bewerten

Man-in-the-

Middle

Hardware

Power Analysis

© Lars Gierlichs

© Steven Murdoch

Page 9: Überblick Common Criteria

9

CC

Produkte

• Digitaler Tachograph

• Elektronischer Reisepass

Zusammenfassung

• Zusicherung (‚Assurance‘) in die Sicherheit von IT-Produkten

• Evaluierungsgegenstand | Umgebung

• Evaluation Assurance Levels

• Vertrauen schaffen [email protected]


COMMON TOXICITY CRITERIA MANUAL - National … · Common Toxicity Criteria Manual 1 COMMON TOXICITY CRITERIA QUICK REFERENCE Definition of Adverse Event • Toxicity – Toxicity

COMMON TOXICITY CRITERIA MANUAL - National … · Common Toxicity Criteria Manual 1 COMMON TOXICITY CRITERIA QUICK REFERENCE Definition of Adverse Event • Toxicity – Toxicity

Performance Specification - Common Criteria

Performance Specification - Common Criteria

Common Criteria Recognition Arrangement

Common Criteria Recognition Arrangement

Hyper-V Common Criteria Guide

Hyper-V Common Criteria Guide

Public version - Common Criteria

Public version - Common Criteria

Hitachi Command Suite Common Component ST - Common Criteria

Hitachi Command Suite Common Component ST - Common Criteria

DATA SHEET COMMON CRITERIA CERTIFICATION

DATA SHEET COMMON CRITERIA CERTIFICATION

GGM8000 Family Common Criteria Certfication

GGM8000 Family Common Criteria Certfication

Samsung Devices – Validated Through Common Criteria … · Samsung Devices – Validated Through Common Criteria and FIPS Common Criteria The Common Criteria for Information Technology

Samsung Devices – Validated Through Common Criteria … · Samsung Devices – Validated Through Common Criteria and FIPS Common Criteria The Common Criteria for Information Technology

Tool for Supporting a Common Criteria Evaluation Soraya Artiles -INTA 1 Tool for Supporting a Common Criteria Evaluation 9th International Common Criteria Conference Jeju, Korea –25th

Tool for Supporting a Common Criteria Evaluation Soraya Artiles -INTA 1 Tool for Supporting a Common Criteria Evaluation 9th International Common Criteria Conference Jeju, Korea –25th

Public Security Target - Common Criteria · Keycorp MULTOS Common Criteria Public Security Target KEYCORP Document Number: SIM-SP-0212 Revision Number: 1.0 Page 7 1.3 Common Criteria

Public Security Target - Common Criteria · Keycorp MULTOS Common Criteria Public Security Target KEYCORP Document Number: SIM-SP-0212 Revision Number: 1.0 Page 7 1.3 Common Criteria

Common Criteria Guide - niap-ccevs.org

Common Criteria Guide - niap-ccevs.org

Samsung Devices– Now Validated Through Common Criteria and … · Samsung Devices– Now Validated Through Common Criteria and FIPS Common Criteria The Common Criteria certification

Samsung Devices– Now Validated Through Common Criteria and … · Samsung Devices– Now Validated Through Common Criteria and FIPS Common Criteria The Common Criteria certification

Security Target - Common Criteria

Security Target - Common Criteria

Microsoft Windows Common Criteria Evaluation

Microsoft Windows Common Criteria Evaluation

Orange book common criteria

Orange book common criteria

MultiApp v4.1 Javacard Platform - Common Criteria · MultiApp v4.1 Javacard Platform Common Criteria / ISO 15408 Security Target ...

MultiApp v4.1 Javacard Platform - Common Criteria · MultiApp v4.1 Javacard Platform Common Criteria / ISO 15408 Security Target ...

COMMON CRITeRIA – ISO/IEC 15408

COMMON CRITeRIA – ISO/IEC 15408

GeNUGate Firewall 6 - Common Criteria

GeNUGate Firewall 6 - Common Criteria

National Information Assurance Partnership Common Criteria ...€¦ · Common Criteria for Information Technology Security Evaluation (CC) using the Common Methodology for Information

National Information Assurance Partnership Common Criteria ...€¦ · Common Criteria for Information Technology Security Evaluation (CC) using the Common Methodology for Information