I. Security Evaluation Using CC
Various approaches to the security evaluation of biometric verification products have been taken up to now. The author reports on these efforts and the current situation in two parts. This part covers security evaluation, especially evaluation using CC (Common Criteria).
1. Requirements for security evaluation
Security evaluation means evaluating the security of a product. The result depends on who performs the evaluation. Evaluators fall into three classes: product developers themselves, product procurers, and independent third parties. Evaluation by product developers has the least objectivity, and evaluation by product procurers is difficult for other procurers to reuse. Evaluation by independent third parties is the most desirable from the viewpoint of objectivity and reusability of the evaluation result.
Evaluation needs certain criteria, and there are as many criteria as there are evaluators, even for a single product. In the case of evaluation by independent third parties, it is difficult to select one evaluator, because the evaluation criteria depend on the evaluator and are not the same as another's. Therefore, there should be standard evaluation criteria. In summary, security evaluation by an independent third party using standard evaluation criteria is the most desirable.
2. Security evaluation using CC
Security evaluation using CC, called CC evaluation, responds exactly to the above requirement. CC was specified by CCRA (CC Recognition Arrangement) and was also internationally standardized as ISO/IEC 15408. Part 1 shows the overall framework, Part 2 is a catalog of security functional requirements, and Part 3 is a catalog of security assurance requirements. In CC evaluation, a security requirement definition document called an ST (Security Target) must be written. In the ST, the security functional requirements that the product must satisfy are extracted from Part 2 and described, and the assurance that the security functions are implemented is determined by the security assurance requirements extracted from Part 3.
In addition, CEM (Common Evaluation Methodology, internationally standardized as ISO/IEC 18045) defines the evaluator's evaluation activities for each of the security assurance requirements defined in Part 3. With such a framework, security evaluation becomes objective and does not depend on the evaluator.
CC evaluation is not completed by the evaluator's evaluation alone; it is completed when the evaluation results are certified by a certification body, of which there is only one in each CCRA member country (in Japan, the Information-Technology Promotion Agency (IPA) is the certification body). A product that has been CC evaluated and certified is called a CC certified product.
In principle, a product CC certified in one CCRA member country is also treated as CC certified in the other CCRA member countries. This is because the evaluation results of a product should vary very little when common standard evaluation criteria, namely CC, are used. CC evaluation is carried out by an organization called an evaluation body, which is approved in each of the CCRA member countries. In Japan, four organizations are approved as evaluation bodies.
Although CC evaluation has the advantage of objectivity through common evaluation criteria, it also has some issues. One is that it requires much cost and time, and another is that developing the ST requires specific knowledge and skills. In many actual CC evaluations, developing the ST takes much time and cost. The PP (Protection Profile) helps to solve this issue. A PP is a security requirement definition document for a given product category. Since it is not a security requirement definition document for a specific product, it is more abstract than an ST.
A PP is indispensable for spreading CC evaluation within a product category. For example, if there is a PP for biometric verification products, it is possible to write an ST for an actual product relatively easily based on this PP.
※ Part 2 is: Security Evaluation for Biometric Verification Product Part 2
Author of this article
Invited Senior Researcher
Information Technology Research Institute
National Institute of Advanced Industrial Science and Technology (AIST)