In early versions of UNIX, account passwords and file permissions were the only types of security implemented. As computers became more widespread and those who wanted to gain unauthorized access became more devious, it became apparent that this was not enough. Since the US government was steadily increasing the number of agencies that had computers, the level of system security needed to be increased as well.
In 1985, the National Security Agency's National Computer Security Center (NCSC) created a set of computer security standards for the Defense Department, titled "Trusted Computer System Evaluation Criteria". It is commonly known as the "Orange Book" because it was published with an orange cover. (It is part of a series of documents by the DOD related to computer security, all with different colored covers.)
Within the Orange Book, there are four broad classes of security levels for computers. The C class contains two sub-levels, C1 and C2, with C2 offering slightly more security than C1. Class B offers three sub-levels: B1, B2 and B3.
Traditional PC-based operating systems, like DOS and Windows, fall within class D. This minimal protection does not mean there is no security, only that it is not as high as the C class. You can buy add-on products to add passwords to your system or change the file attributes to prevent accidental erasure. There are even products available that will allow you to add passwords to DOS and Windows systems, but that's about it.
Class C systems include the features and functions to employ discretionary protection. That means that it is up to the system administrator's discretion to decide how much access people have. Class C1 systems offer enough security to let users keep their data private from other users and prevent it from being accidentally read or destroyed. As we've already talked about, this level of security is already provided in the form of user passwords and file permissions. Class C2 demands tighter login procedures, auditing of security-related events, and isolation of system resources.
B-class systems implement mandatory protection. That is, the system administrator cannot turn it off, even if he or she would like to. Class B1 systems have labeled protection. This means that security procedures and sensitivity labels are required for each file. (A sensitivity label is basically a security classification.) Class B2 adds the requirement that the system must be able to account for all code in the system. This helps to prevent security holes such as Trojan horses. Class B3 deals with the security of data access, in terms of preventing tampering and giving notification of security-relevant events.
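To make the difference between class C discretionary protection and class B1 mandatory, labeled protection concrete, here is a small reference-monitor model added to this page; it is not code from the original text or from any evaluated system. The sensitivity-label ordering, the "no read up" rule used for the mandatory check, the C2-style audit record, and the sample users and file are all constructed for the example. The point it shows is that an owner can loosen discretionary permission bits at will, but cannot thereby give a lower-cleared user access to a higher-labeled file.

```python
"""Toy reference monitor contrasting Orange Book class C discretionary
protection with class B1 mandatory, labeled protection, plus a C2-style
audit record for every decision.

Added illustration, not code from the original text or from any evaluated
system. The label ordering, the "no read up" rule for the mandatory check,
and the sample users and file are all constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed linear ordering of sensitivity labels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    groups: Set[str]
    clearance: str  # highest label this subject is cleared to read


@dataclass
class File:
    path: str
    owner: str
    group: str
    mode: int    # UNIX-style permission bits, set at the owner's discretion
    label: str   # sensitivity label; the owner cannot change it in this model


@dataclass
class Monitor:
    audit_log: List[str] = field(default_factory=list)

    def dac_allows_read(self, subj: Subject, f: File) -> bool:
        """Discretionary check: the owner-chosen mode bits decide, as with chmod."""
        if subj.name == f.owner:
            return bool(f.mode & 0o400)
        if f.group in subj.groups:
            return bool(f.mode & 0o040)
        return bool(f.mode & 0o004)

    def mac_allows_read(self, subj: Subject, f: File) -> bool:
        """Mandatory check: no subject may read a file labeled above its
        clearance ("no read up"). Neither owner nor administrator can waive it."""
        return LEVELS[subj.clearance] >= LEVELS[f.label]

    def read(self, subj: Subject, f: File) -> bool:
        """Grant a read only if both checks pass, and record the decision."""
        dac = self.dac_allows_read(subj, f)
        mac = self.mac_allows_read(subj, f)
        allowed = dac and mac
        self.audit_log.append(
            f"READ subject={subj.name} file={f.path} "
            f"dac={'ok' if dac else 'deny'} mac={'ok' if mac else 'deny'} "
            f"result={'ALLOW' if allowed else 'DENY'}"
        )
        return allowed

    def chmod(self, subj: Subject, f: File, mode: int) -> bool:
        """Only the owner may change the discretionary bits; the change is audited."""
        allowed = subj.name == f.owner
        if allowed:
            f.mode = mode
        self.audit_log.append(
            f"CHMOD subject={subj.name} file={f.path} mode={mode:04o} "
            f"result={'ALLOW' if allowed else 'DENY'}"
        )
        return allowed


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Constructed scenario: alice (cleared secret) owns a secret file; bob is
    only cleared confidential. alice opening the mode bits does not help bob."""
    mon = Monitor()
    alice = Subject("alice", {"staff"}, "secret")
    bob = Subject("bob", {"staff"}, "confidential")
    plan = File("/srv/plans.txt", owner="alice", group="staff",
                mode=0o600, label="secret")

    bob_before = mon.read(bob, plan)     # DAC denies: mode 0600 and bob is not the owner
    mon.chmod(alice, plan, 0o644)        # discretionary: owner makes the file world-readable
    bob_after = mon.read(bob, plan)      # DAC now allows, but MAC still denies (no read up)
    alice_read = mon.read(alice, plan)   # owner, cleared secret: allowed
    return bob_before, bob_after, alice_read, mon.audit_log


if __name__ == "__main__":
    before, after, owner, log = demo()
    print(f"bob before chmod: {before}, bob after chmod: {after}, alice: {owner}")
    print("\n".join(log))
```

Running the script prints the four audit lines; the third one shows the combination the B class is about: the discretionary check passes after the owner's chmod, yet the mandatory check still denies. In a real labeled system the label itself would only be changed by a privileged security role, which this toy leaves out.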
The most secure class, Class A1, requires verified designs. Although they are functionally the same as B3 systems, A1 systems have also been formally defined, as well as proven by tests.
For years, the Orange Book was seen as the bible for computer security. Often people would see a system that followed the guidelines specified for a C2 level of trust and call the machine C2 "secure." This is a misnomer. The machine is trusted to provide a certain level of security, but it is not "secure".
Recently, groups in several countries have gotten together to update the guidelines defined by the Orange Book. They have developed the "Common Criteria," which is a standard for security criteria. These countries are Canada, France, Great Britain, the Netherlands, Germany and the US. Acceptance by these countries has made this, more or less, the de facto standard for information technology security. One of the more important basis documents for the Common Criteria (CC) is the Orange Book; another is the Information Technology Security Evaluation Criteria (ITSEC) from the Commission of the European Community. However, the CC is not just a synopsis of other documents; rather, it is planned that the CC will replace them.
Two of the key concepts in the CC are the protection profile and the security target. The protection profile is not product specific, but after being reviewed, it becomes part of the CC. It documents a particular IT-security problem and the appropriate solution. From these, the requirements for specific product types can be developed.
Security targets allow protection profiles to be fit to a specific product. In other words, the product has a particular goal in regards to security. With this, the security target forms the basis of the evaluation. A product evaluation determines whether a particular product has properly identified and addressed a particular IT-security problem.
The CC will be expanded as needed. The version planned as of this writing will contain requirements for cryptology. Cryptology solves problems of confidentiality, data integrity, and verification. The first version already addresses the issues of data protection and secure communication, even over open networks.
The evaluation process has several stages. First, a product manufacturer identifies an IT-security problem, decides to develop a solution, and wants to have it evaluated. If a protection profile exists for this problem, the manufacturer can fit the profile to the product through the security target. If there is no protection profile, a new one can be developed and a standard established to measure similar products. However, a security target can also be defined without reference to a protection profile.
In the evaluation itself, the security target is first evaluated according to the CC. Then the product itself is evaluated according to the security target. If the product passes the evaluation, it is given an Evaluation Assurance Level (EAL). The evaluation, which is conducted by an organization independent of the manufacturer, confirms that there are no obvious security errors. In the case of a higher EAL, the evaluation confirms that there are no hidden errors. The evaluation also confirms that there is user documentation.
One of the advantages that the CC brings is that it is flexible and provides a clear concept of security. Products that have been evaluated and certified under the CC will gain significance and acceptance. The costs resulting from the evaluation process will be compensated by the improvements as well as the increase in market demand for certified products. As of this writing, most of the protection profiles deal with network issues. However, because of its flexibility, the CC can be applied in other areas.
For the current version of the CC, check out the web site of the National Institute of Standards and Technology at: