Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1.[1]

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

Key concepts

Common Criteria evaluations are performed on computer security products and systems.

  • Target Of Evaluation (TOE) - the product or system that is the subject of the evaluation.

The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:

  • Protection Profile (PP) - a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
  • Security Target (ST) - the document that identifies the security properties of the target of evaluation. It may refer to one or more PPs. The TOE is evaluated against the SFRs (see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
