crypto4c-ch21a-安全評估

1、 安全評估安全評估2005 - 2007 ToC 安全評估準則 DOD/TCSEC橘皮書 DOD/TNI紅皮書 ITSEC CSSC NIST/FIPS CC BS7799 密碼設(shè)備的評估 安全方案的規(guī)劃 需求分析 具體方案 基礎(chǔ)設(shè)施 產(chǎn)品規(guī)劃 關(guān)于安全評估 需要什么樣的安全 使用什么技術(shù) 買什么產(chǎn)品 對產(chǎn)品的評估 如何部署和實施 對運行系統(tǒng)的現(xiàn)狀的評估 標準：關(guān)于建立、評估、審計 沿革關(guān)系 TCSEC/85/AM ITSEC/90/EU CTCPEC/90/CA FC/91/AM CC/95 (99IS) BS7799/95/EN ISO17799/2000/ISO DOD/TCSEC TC

2、SEC 1983/1985 (Orange Book) Trusted Computer System Evaluation Criteria Rainbow Series by NIST/NCSC goto “TCSEC.htm” TCSEC 4個級別 按照安全性遞減定義了ABCD4個級別 D級，評估達不到更高級別的系統(tǒng) C級，自主保護級 B級，強制保護級 A級，驗證保護級 http:/www.fact- C級 自主保護級 C級 具有一定的保護能力，采用自主訪問控制和審計跟蹤 一般只適用于具有一定等級的多用戶環(huán)境 具有對主體責(zé)任及其動作審計的能力 C1級 自主安全保護級 隔離用戶與數(shù)據(jù)，使用

3、戶具備自主安全保護的能力 為用戶提供可行的手段，保護用戶和用戶組信息，避免其他用戶對數(shù)據(jù)的非法讀寫與破壞 適用于處理同一敏感級別數(shù)據(jù)的多用戶環(huán)境 C2級 控制訪問保護級 比C1級具有更細粒度的自主訪問控制 通過注冊過程控制、審計安全相關(guān)事件以及資源隔離，使單個用戶為其行為負責(zé) B級 強制保護級 B級 維護完整的安全標記，并在此基礎(chǔ)上執(zhí)行一系列強制訪問控制規(guī)則 主要數(shù)據(jù)結(jié)構(gòu)必須攜帶敏感標記 提供安全策略模型以及規(guī)約 應(yīng)提供證據(jù)證明訪問監(jiān)控器得到了正確的實施 B1級 標記安全保護級 要求具有C2級系統(tǒng)的所有特性 應(yīng)提供安全策略模型的非形式化描述、數(shù)據(jù)標記以及命名主體和客體的強制訪問控制 消除測試中

4、發(fā)現(xiàn)的所有缺陷 - B2級 結(jié)構(gòu)化保護級 要求將B1級系統(tǒng)中建立的自主和強制訪問控制擴展到所有的主體與客體 鑒別機制應(yīng)得到加強，提供可信設(shè)施管理以支持系統(tǒng)管理員和操作員的職能 提供嚴格的配置管理控制 B2級系統(tǒng)應(yīng)具備相當(dāng)?shù)目節(jié)B透能力 - B3 安全區(qū)域保護級 安全管理員職能 擴充審計機制 當(dāng)發(fā)生與安全相關(guān)的事件時，發(fā)出信號 提供系統(tǒng)恢復(fù)機制 系統(tǒng)具有很高的抗?jié)B透能力 A級 驗證保護級 A級 使用形式化的安全驗證方法，保證系統(tǒng)的自主和強制安全控制措施能夠有效地保護系統(tǒng)中存儲和處理的秘密信息或其他敏感信息 為證明滿足設(shè)計、開發(fā)及實現(xiàn)等各個方面的安全要求，系統(tǒng)應(yīng)提供豐富的文檔信息 A1級 驗證設(shè)計級

5、 在功能上和B3級系統(tǒng)是相同的 要求用形式化設(shè)計規(guī)范和驗證方法來對系統(tǒng)進行分析，確保按設(shè)計要求實現(xiàn) - 超A1級 系統(tǒng)體系結(jié)構(gòu) 安全測試 形式化規(guī)約與驗證 可信設(shè)計環(huán)境等 TNI TNI Trusted Network Interpretation of the TCSEC Goto“TNI.htm”“TNIEG.htm” Content Part I Part II APPENDIX A, B, C TNI / I Part I of this document provides interpretations of the Department of Defense Trusted Com

6、puter System Evaluation Criteria (TCSEC) (DOD-5200.28-STD), for trusted computer/communications network systems. The specific security feature, the assurance requirements, and the rating structure of the TCSEC are extended to networks of computers ranging from isolated local area networks to wide-ar

7、ea internetwork systems. TNI / II Part II of this document describes a number of additional security services (e.g., communications integrity, denial of service, transmission security) that arise in conjunction with networks. Those services available in specific network offerings, while inappropriat

8、e for the rigorous evaluation applied to TCSEC related feature and assurance requirements, may receive qualitative ratings. ITSEC ITSEC by European Union Information Technology Security Evaluation Criteria Goto “itsec-en.pdf” Ex遞增 E0 無安全保證 E1 有安全目標和關(guān)于體系結(jié)構(gòu)設(shè)計的非形式化描述 E2 對詳細設(shè)計有非形式化的描述 - E3 評估源代碼或硬件設(shè)計圖 E

9、4 有對安全目標/策略的基本形式模型 E5 設(shè)計和源代碼/硬件有緊密的對應(yīng)關(guān)系 E6 安全功能/體系結(jié)構(gòu)設(shè)計與安全目標/策略模型一致 CSSCCTCPEC CSSC: CTCPEC Goto “ctcpec1.pdf” Canadian System Security Centre: Canadian Trusted Computer Product Evaluation Criteria It is a computer security standard comparable to the American TCSEC (Orange Book) but somewhat more adv

10、anced. It has been superseded by the international Common Criteria standard. 可和TCSEC相比，但更進步 已被國際標準CC替代 NIST/FIPS National Institute of Standards and Technology, Federal Information Processing Standards Publications “sp800-12_The NIST Security Handbook.pdf” /fipspubs/ CC Common

11、Criteria for Information Technology Security with the aim of replacing existing criteria (FC/TCSEC, ITSEC, CTCPEC) with a single international standard: the Common Criteria (CC). Goto “CC_*.*” links /cc/Documents/ / http:/ CC 3Parts Part 1Introduction and Gene

12、ral Model Part 2Security Functional Requirements Annexes Part 3Security Assurance Requirements refto:/addon_11/CC_Overview.ppt CC / EALEvaluation Assurance Levels EAL1：功能測試 EAL2：結(jié)構(gòu)測試 EAL3：系統(tǒng)測試和檢查 EAL4：系統(tǒng)設(shè)計、測試和復(fù)查 EAL5：半形式化設(shè)計和測試 EAL6：半形式化驗證的設(shè)計和測試 EAL7：形式化驗證的設(shè)計和測試 EAL1: Functional Test Confidence in cu

13、rrent operation is required No assistance from TOE developer Applicable where threat to security is not serious Independent testing against specification and guidance documentation EAL2: Structural Test Requires some cooperation of the developer Adds requirements for configuration list, delivery, hi

14、gh-level design documentation, developer functional testing, vulnerability analysis, and more extensive independent testing EAL3: Methodical Test and Check Requires some positive security engineering at the design stage, with minimal changes to existing practices Added assurance through investigatio

15、n of product and development environment controls, and high-level design documentation Places additional requirements on testing, development environment controls and TOE configuration management EAL4: Methodical Design, Test, and Review Highest level likely for retrofit of an existing product Addit

16、ional requirements on design, implementation, vulnerability analysis, low level design documentation, development and system automated configuration management, and an informal security policy model EAL5: Semiformal Design and Test Higher assurance, risk situations where some penetration resistance

17、is needed Requires rigorous commercial development practices and moderate use of specialist engineering techniques Additional requirements on semi-formal functional specification, high-level design, and their correspondence, vulnerability, and covert channel analysis EAL6: Semiformally Verified Desi

18、gn and Tested High Assurance - where penetration resistance is necessary Additional requirements on analysis, layered TOE design, semi-formal low-level design documentation, complete CM system automation and a structured development environment, and vulnerability/covert channel analysis EAL7: Formal

19、ly Verified Design and Tested Highest assurance where high resistance to penetration is necessary Assurance is gained through application of formal methods in the documentation of the functional specification and high-level design Additional requirements for complete developer testing and complete i

20、ndependent confirmation of the test results COMP CCTCSECITSEC-DE0EAL1-EAL2C1E1EAL3C2E2EAL4B1E3EAL5B2E4EAL6B3E5EAL7A1E6 BS7799 BS7799 by BSI the British Standards Institution 2000, ISO/17799 Goto: “BS7799-1_1999(ISO).doc” Two parts ISO17799 BS7799-2 BS7799s介紹 有關(guān)敏感資料管理的國際認可標準，強調(diào)資料的保密性及完整性。 此標準可分為兩部份：首

21、部份為準則部份，旨在協(xié)助機構(gòu)確認其運作對資料保密方面的影響，這項準則已納入ISO品質(zhì)認證的范疇之內(nèi)（ISO 17799認證），涵蓋10大范疇，127控制點； 次部份為施行細則，是有關(guān)資料保密管理系統(tǒng) Information Security Management System 的架構(gòu)、目標以及監(jiān)控。 BS7799認證標準早于一九九五年確立，旨在協(xié)助各行各業(yè)及政府機構(gòu)加強資料保安，一直獲各地機構(gòu)廣泛采用，某些國家政府更將BS7799認證列為全國通用的標準。 Parts 1, 2 Part 1: ISO/IEC 17799:2000 the standard code of practice an

22、d can be regarded as a comprehensive catalogue of good security things to do. Part 2: BS7799-2:2002 Specify for security management a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, mini

23、mising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. ToC of P1 Information security policy Security organization Assets classification and control Personal security Physical and environmental security Computer and network manage

24、ment System access control System development and maintenance Business continuity planning Compliance BS7799認證 BS7799認證咨詢 http:/ http:/ links BS7799/BSI http:/www.bsi- The ISO17799 Toolkit http:/www.iso17799-made- BS7799 SECURITY ZONE http:/www.thewindow.to/bs7799/index.htm 對密碼設(shè)備的評估 國內(nèi)相關(guān)的法規(guī) 商用密碼管理條例

25、 國外 NIST FIPS 140-2 /cryptval/140-2.htm /cryptval/ Goto“fips140-2.pdf”“fips140-2_SL.1-4.txt”“fips140faq.htm” Security Level 1 / 該級提供安全的最低水平。不要求物理安全機制。一個例子就是PC機加密板。 / 該級允許在未經(jīng)評估的一般商用機器系統(tǒng)上運行你的密碼模塊。這主要是為了方便一些低安全需求的場合。“fips140-2_SL.1-4.txt” Security Level 2 / 該級增加了防干

26、擾或竄改的物理安全機制要求，包括封裝、封條、防撬等。 / 該級要求最小的基于角色的認證。 / 該級允許相關(guān)部件運行在具有EAL2/CC安全級別的計算系統(tǒng)上。 Security Level 3 / 該級阻止試圖對密碼模塊的入侵，并在必要時自毀敏感信息。 / 該級要求基于標識的認證機制。 / 該級系統(tǒng)得具有EAL3/CC安全級。 Security Level 4 / 該級對密碼模塊提供徹底的封裝保護，能探測到非授權(quán)的物理訪問，并能及時的刪除所有明文信息。 / 必須考慮外部的高溫、高壓導(dǎo)致的操作失效；非正常操作可以引發(fā)故意的內(nèi)部爆炸。 / 該級系統(tǒng)得運行在EAL4/CC以上安全級上。 Links T

27、CSEC / FIPS 140 Security Requirements for Cryptographic Modules /cryptval/ Common Criteria (CCITSE) /cc/ TPEP /tpep/ /tpep/tpep.html The Information Warfare Site .uk/ Rainbow Series Lib