crypto4c-ch21a-安全評(píng)估

1、 安全評(píng)估安全評(píng)估2005 - 2007 ToC 安全評(píng)估準(zhǔn)則 DOD/TCSEC橘皮書 DOD/TNI紅皮書 ITSEC CSSC NIST/FIPS CC BS7799 密碼設(shè)備的評(píng)估 安全方案的規(guī)劃 需求分析 具體方案 基礎(chǔ)設(shè)施 產(chǎn)品規(guī)劃 關(guān)于安全評(píng)估 需要什么樣的安全 使用什么技術(shù) 買什么產(chǎn)品 對(duì)產(chǎn)品的評(píng)估 如何部署和實(shí)施 對(duì)運(yùn)行系統(tǒng)的現(xiàn)狀的評(píng)估 標(biāo)準(zhǔn)：關(guān)于建立、評(píng)估、審計(jì) 沿革關(guān)系 TCSEC/85/AM ITSEC/90/EU CTCPEC/90/CA FC/91/AM CC/95 (99IS) BS7799/95/EN ISO17799/2000/ISO DOD/TCSEC TC

2、SEC 1983/1985 (Orange Book) Trusted Computer System Evaluation Criteria Rainbow Series by NIST/NCSC goto “TCSEC.htm” TCSEC 4個(gè)級(jí)別 按照安全性遞減定義了ABCD4個(gè)級(jí)別 D級(jí)，評(píng)估達(dá)不到更高級(jí)別的系統(tǒng) C級(jí)，自主保護(hù)級(jí) B級(jí)，強(qiáng)制保護(hù)級(jí) A級(jí)，驗(yàn)證保護(hù)級(jí) http:/www.fact- C級(jí) 自主保護(hù)級(jí) C級(jí) 具有一定的保護(hù)能力，采用自主訪問(wèn)控制和審計(jì)跟蹤 一般只適用于具有一定等級(jí)的多用戶環(huán)境 具有對(duì)主體責(zé)任及其動(dòng)作審計(jì)的能力 C1級(jí) 自主安全保護(hù)級(jí) 隔離用戶與數(shù)據(jù)，使用

3、戶具備自主安全保護(hù)的能力 為用戶提供可行的手段，保護(hù)用戶和用戶組信息，避免其他用戶對(duì)數(shù)據(jù)的非法讀寫與破壞 適用于處理同一敏感級(jí)別數(shù)據(jù)的多用戶環(huán)境 C2級(jí) 控制訪問(wèn)保護(hù)級(jí) 比C1級(jí)具有更細(xì)粒度的自主訪問(wèn)控制 通過(guò)注冊(cè)過(guò)程控制、審計(jì)安全相關(guān)事件以及資源隔離，使單個(gè)用戶為其行為負(fù)責(zé) B級(jí) 強(qiáng)制保護(hù)級(jí) B級(jí) 維護(hù)完整的安全標(biāo)記，并在此基礎(chǔ)上執(zhí)行一系列強(qiáng)制訪問(wèn)控制規(guī)則 主要數(shù)據(jù)結(jié)構(gòu)必須攜帶敏感標(biāo)記 提供安全策略模型以及規(guī)約 應(yīng)提供證據(jù)證明訪問(wèn)監(jiān)控器得到了正確的實(shí)施 B1級(jí) 標(biāo)記安全保護(hù)級(jí) 要求具有C2級(jí)系統(tǒng)的所有特性 應(yīng)提供安全策略模型的非形式化描述、數(shù)據(jù)標(biāo)記以及命名主體和客體的強(qiáng)制訪問(wèn)控制 消除測(cè)試中

4、發(fā)現(xiàn)的所有缺陷 - B2級(jí) 結(jié)構(gòu)化保護(hù)級(jí) 要求將B1級(jí)系統(tǒng)中建立的自主和強(qiáng)制訪問(wèn)控制擴(kuò)展到所有的主體與客體 鑒別機(jī)制應(yīng)得到加強(qiáng)，提供可信設(shè)施管理以支持系統(tǒng)管理員和操作員的職能 提供嚴(yán)格的配置管理控制 B2級(jí)系統(tǒng)應(yīng)具備相當(dāng)?shù)目節(jié)B透能力 - B3 安全區(qū)域保護(hù)級(jí) 安全管理員職能 擴(kuò)充審計(jì)機(jī)制 當(dāng)發(fā)生與安全相關(guān)的事件時(shí)，發(fā)出信號(hào) 提供系統(tǒng)恢復(fù)機(jī)制 系統(tǒng)具有很高的抗?jié)B透能力 A級(jí) 驗(yàn)證保護(hù)級(jí) A級(jí) 使用形式化的安全驗(yàn)證方法，保證系統(tǒng)的自主和強(qiáng)制安全控制措施能夠有效地保護(hù)系統(tǒng)中存儲(chǔ)和處理的秘密信息或其他敏感信息 為證明滿足設(shè)計(jì)、開發(fā)及實(shí)現(xiàn)等各個(gè)方面的安全要求，系統(tǒng)應(yīng)提供豐富的文檔信息 A1級(jí) 驗(yàn)證設(shè)計(jì)級(jí)

5、 在功能上和B3級(jí)系統(tǒng)是相同的 要求用形式化設(shè)計(jì)規(guī)范和驗(yàn)證方法來(lái)對(duì)系統(tǒng)進(jìn)行分析，確保按設(shè)計(jì)要求實(shí)現(xiàn) - 超A1級(jí) 系統(tǒng)體系結(jié)構(gòu) 安全測(cè)試 形式化規(guī)約與驗(yàn)證 可信設(shè)計(jì)環(huán)境等 TNI TNI Trusted Network Interpretation of the TCSEC Goto“TNI.htm”“TNIEG.htm” Content Part I Part II APPENDIX A, B, C TNI / I Part I of this document provides interpretations of the Department of Defense Trusted Com

6、puter System Evaluation Criteria (TCSEC) (DOD-5200.28-STD), for trusted computer/communications network systems. The specific security feature, the assurance requirements, and the rating structure of the TCSEC are extended to networks of computers ranging from isolated local area networks to wide-ar

7、ea internetwork systems. TNI / II Part II of this document describes a number of additional security services (e.g., communications integrity, denial of service, transmission security) that arise in conjunction with networks. Those services available in specific network offerings, while inappropriat

8、e for the rigorous evaluation applied to TCSEC related feature and assurance requirements, may receive qualitative ratings. ITSEC ITSEC by European Union Information Technology Security Evaluation Criteria Goto “itsec-en.pdf” Ex遞增 E0 無(wú)安全保證 E1 有安全目標(biāo)和關(guān)于體系結(jié)構(gòu)設(shè)計(jì)的非形式化描述 E2 對(duì)詳細(xì)設(shè)計(jì)有非形式化的描述 - E3 評(píng)估源代碼或硬件設(shè)計(jì)圖 E

9、4 有對(duì)安全目標(biāo)/策略的基本形式模型 E5 設(shè)計(jì)和源代碼/硬件有緊密的對(duì)應(yīng)關(guān)系 E6 安全功能/體系結(jié)構(gòu)設(shè)計(jì)與安全目標(biāo)/策略模型一致 CSSCCTCPEC CSSC: CTCPEC Goto “ctcpec1.pdf” Canadian System Security Centre: Canadian Trusted Computer Product Evaluation Criteria It is a computer security standard comparable to the American TCSEC (Orange Book) but somewhat more adv

10、anced. It has been superseded by the international Common Criteria standard. 可和TCSEC相比，但更進(jìn)步 已被國(guó)際標(biāo)準(zhǔn)CC替代 NIST/FIPS National Institute of Standards and Technology, Federal Information Processing Standards Publications “sp800-12_The NIST Security Handbook.pdf” /fipspubs/ CC Common

11、Criteria for Information Technology Security with the aim of replacing existing criteria (FC/TCSEC, ITSEC, CTCPEC) with a single international standard: the Common Criteria (CC). Goto “CC_*.*” links /cc/Documents/ / http:/ CC 3Parts Part 1Introduction and Gene

12、ral Model Part 2Security Functional Requirements Annexes Part 3Security Assurance Requirements refto:/addon_11/CC_Overview.ppt CC / EALEvaluation Assurance Levels EAL1：功能測(cè)試 EAL2：結(jié)構(gòu)測(cè)試 EAL3：系統(tǒng)測(cè)試和檢查 EAL4：系統(tǒng)設(shè)計(jì)、測(cè)試和復(fù)查 EAL5：半形式化設(shè)計(jì)和測(cè)試 EAL6：半形式化驗(yàn)證的設(shè)計(jì)和測(cè)試 EAL7：形式化驗(yàn)證的設(shè)計(jì)和測(cè)試 EAL1: Functional Test Confidence in cu

13、rrent operation is required No assistance from TOE developer Applicable where threat to security is not serious Independent testing against specification and guidance documentation EAL2: Structural Test Requires some cooperation of the developer Adds requirements for configuration list, delivery, hi

14、gh-level design documentation, developer functional testing, vulnerability analysis, and more extensive independent testing EAL3: Methodical Test and Check Requires some positive security engineering at the design stage, with minimal changes to existing practices Added assurance through investigatio

15、n of product and development environment controls, and high-level design documentation Places additional requirements on testing, development environment controls and TOE configuration management EAL4: Methodical Design, Test, and Review Highest level likely for retrofit of an existing product Addit

16、ional requirements on design, implementation, vulnerability analysis, low level design documentation, development and system automated configuration management, and an informal security policy model EAL5: Semiformal Design and Test Higher assurance, risk situations where some penetration resistance

17、is needed Requires rigorous commercial development practices and moderate use of specialist engineering techniques Additional requirements on semi-formal functional specification, high-level design, and their correspondence, vulnerability, and covert channel analysis EAL6: Semiformally Verified Desi

18、gn and Tested High Assurance - where penetration resistance is necessary Additional requirements on analysis, layered TOE design, semi-formal low-level design documentation, complete CM system automation and a structured development environment, and vulnerability/covert channel analysis EAL7: Formal

19、ly Verified Design and Tested Highest assurance where high resistance to penetration is necessary Assurance is gained through application of formal methods in the documentation of the functional specification and high-level design Additional requirements for complete developer testing and complete i

20、ndependent confirmation of the test results COMP CCTCSECITSEC-DE0EAL1-EAL2C1E1EAL3C2E2EAL4B1E3EAL5B2E4EAL6B3E5EAL7A1E6 BS7799 BS7799 by BSI the British Standards Institution 2000, ISO/17799 Goto: “BS7799-1_1999(ISO).doc” Two parts ISO17799 BS7799-2 BS7799s介紹 有關(guān)敏感資料管理的國(guó)際認(rèn)可標(biāo)準(zhǔn)，強(qiáng)調(diào)資料的保密性及完整性。 此標(biāo)準(zhǔn)可分為兩部份：首

21、部份為準(zhǔn)則部份，旨在協(xié)助機(jī)構(gòu)確認(rèn)其運(yùn)作對(duì)資料保密方面的影響，這項(xiàng)準(zhǔn)則已納入ISO品質(zhì)認(rèn)證的范疇之內(nèi)（ISO 17799認(rèn)證），涵蓋10大范疇，127控制點(diǎn)； 次部份為施行細(xì)則，是有關(guān)資料保密管理系統(tǒng) Information Security Management System 的架構(gòu)、目標(biāo)以及監(jiān)控。 BS7799認(rèn)證標(biāo)準(zhǔn)早于一九九五年確立，旨在協(xié)助各行各業(yè)及政府機(jī)構(gòu)加強(qiáng)資料保安，一直獲各地機(jī)構(gòu)廣泛采用，某些國(guó)家政府更將BS7799認(rèn)證列為全國(guó)通用的標(biāo)準(zhǔn)。 Parts 1, 2 Part 1: ISO/IEC 17799:2000 the standard code of practice an

22、d can be regarded as a comprehensive catalogue of good security things to do. Part 2: BS7799-2:2002 Specify for security management a standard specification for an Information Security Management Systems (ISMS). An ISMS is the means by which Senior Management monitor and control their security, mini

23、mising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements. ToC of P1 Information security policy Security organization Assets classification and control Personal security Physical and environmental security Computer and network manage

24、ment System access control System development and maintenance Business continuity planning Compliance BS7799認(rèn)證 BS7799認(rèn)證咨詢 http:/ http:/ links BS7799/BSI http:/www.bsi- The ISO17799 Toolkit http:/www.iso17799-made- BS7799 SECURITY ZONE http:/www.thewindow.to/bs7799/index.htm 對(duì)密碼設(shè)備的評(píng)估 國(guó)內(nèi)相關(guān)的法規(guī) 商用密碼管理?xiàng)l例

25、 國(guó)外 NIST FIPS 140-2 /cryptval/140-2.htm /cryptval/ Goto“fips140-2.pdf”“fips140-2_SL.1-4.txt”“fips140faq.htm” Security Level 1 / 該級(jí)提供安全的最低水平。不要求物理安全機(jī)制。一個(gè)例子就是PC機(jī)加密板。 / 該級(jí)允許在未經(jīng)評(píng)估的一般商用機(jī)器系統(tǒng)上運(yùn)行你的密碼模塊。這主要是為了方便一些低安全需求的場(chǎng)合?！癴ips140-2_SL.1-4.txt” Security Level 2 / 該級(jí)增加了防干

26、擾或竄改的物理安全機(jī)制要求，包括封裝、封條、防撬等。 / 該級(jí)要求最小的基于角色的認(rèn)證。 / 該級(jí)允許相關(guān)部件運(yùn)行在具有EAL2/CC安全級(jí)別的計(jì)算系統(tǒng)上。 Security Level 3 / 該級(jí)阻止試圖對(duì)密碼模塊的入侵，并在必要時(shí)自毀敏感信息。 / 該級(jí)要求基于標(biāo)識(shí)的認(rèn)證機(jī)制。 / 該級(jí)系統(tǒng)得具有EAL3/CC安全級(jí)。 Security Level 4 / 該級(jí)對(duì)密碼模塊提供徹底的封裝保護(hù)，能探測(cè)到非授權(quán)的物理訪問(wèn)，并能及時(shí)的刪除所有明文信息。 / 必須考慮外部的高溫、高壓導(dǎo)致的操作失效；非正常操作可以引發(fā)故意的內(nèi)部爆炸。 / 該級(jí)系統(tǒng)得運(yùn)行在EAL4/CC以上安全級(jí)上。 Links T

27、CSEC / FIPS 140 Security Requirements for Cryptographic Modules /cryptval/ Common Criteria (CCITSE) /cc/ TPEP /tpep/ /tpep/tpep.html The Information Warfare Site .uk/ Rainbow Series Lib