IT security certification

The diverse services of the Federal Office for Information Security (BSI) include the certification of IT products, IT systems and of protection profiles.

Why IT security certification of products and protection profiles?

The increasing use of e-commerce, online banking or e-mail as a means of communication has led to a considerable increase in risks, but also in the security awareness of users. Particular risks are posed by threats to the integrity and confidentiality of digital documents and the availability of services. To mitigate these risks, the IT products used must have security features that provide adequate protection.

Evaluation and certification based on the internationally recognised security criteria Information Technology Security Evaluation Criteria (ITSEC) or Common Criteria (CC) determines whether these products actually have adequate security features. Evaluation of the IT products in use is therefore required in many application areas. This applies, for example, to IT products used within the framework of the German Signature Act (Federal Law Gazette Part I No. 22, published on 21 May 2001). To specify the security requirements for these IT products, a protection profile is currently being developed that implements the regulations of the Signature Act and thus also the EU Directive 1999/93/EC. Due to the importance of smart cards for cashless payment transactions, a large number of smart card ICs and smart card operating systems and applications have been evaluated and certified based on the requirements of credit card institutions and banks. To specify the security requirements, manufacturers and credit institutions have created a series of protection profiles. These protection profiles have been evaluated and certified/registered according to CC.

Security criteria as a basis for certification

Evaluation and certification can optionally be carried out on the basis of the Information Technology Security Evaluation Criteria (ITSEC) as a European-recognised set of criteria or the Common Criteria for Information Technology Security Evaluation (CC). The CC are a further development and harmonisation of the European ITSEC, the Orange Book (TCSEC), the Federal Criteria (FC) of the USA and the Canadian criteria (CTCPEC). They were published in December 1999 by the International Standards Organisation (ISO) as the international standard ISO/IEC 15408 and have been continuously developed since. The CC are thus the current set of criteria and are recommended by the BSI as the basis for evaluation. ITSEC and CC can be downloaded from the IT security criteria section.

The requirements of the security criteria are divided into requirements for assessing the correctness of the product or system to be evaluated on the one hand and requirements for assessing the effectiveness of its security functions on the other. The requirements for the evaluation aspect 'correctness' include, for example, requirements for the scope and level of detail of the design documentation, for the structuring of the design, for the scope and depth of the functional tests, requirements for the development tools and the security measures in the development environment, as well as for the procedures by which the product is delivered to the user. In evaluating the effectiveness of the security functions, analyses and penetration tests are used to examine whether an attacker with an assumed attack potential would be able to overcome the security functions or exploit vulnerabilities.

The requirements for both evaluation aspects are summarised in Part 3 of the CC as assurance requirements. The assurance requirements in Part 3 of the CC are structured in a modular way: the hierarchically graded evaluation assurance levels EAL1 to EAL7 are formed from these modular requirement components. The ITSEC contains the likewise graded evaluation levels E1 to E6. As the evaluation level increases, so do the requirements for the scope and depth of testing. To specify the functional security requirements for an IT product or IT system, Part 2 of the CC contains the likewise modular functional requirement components.

The security target is the central document of each evaluation. It contains, among other things, a description of the product to be evaluated and its environment of use, the assumed threats and the security policies to be met, the specification of its security functional requirements and security functions, and the evaluation level sought by the sponsor. In CC security targets, the functional security requirements are formed from the functional requirement components of Part 2 of the CC. The document "IT Security Based on the CC - A Guide", which contains, among other things, a mapping of product-typical threats to functional requirements of the CC, provides support here. This document can be found in the section 'IT Security Criteria' under Common Criteria (CC).

One objective of the ITSEC and CC criteria is to enable their application to as many product categories as possible. It was therefore necessary to formulate the requirements more openly and to refrain from including binding evaluation methods in the criteria themselves. However, in order to provide a generally recognised concept for IT security evaluations, and thus create the basis for recognising the equivalence of certificates issued by different certification bodies, evaluation methodologies are developed in international cooperation. For the ITSEC, the "Information Technology Security Evaluation Manual" (ITSEM) was published in 1993. For the CC, the "Common Evaluation Methodology" (CEM) is available as the evaluation methodology.

In addition to the product type-independent evaluation methodologies ITSEM and CEM, the development of additional product type-specific methodologies was necessary for the smart card area: "Integrated Circuit Hardware Evaluation Methodology", "The Application of ITSEC to Integrated Circuits" and "The Application of CC to Integrated Circuits". The documents mentioned here can be downloaded from the page on application notes and interpretations for ITSEC and CC.

Since some of the criteria requirements require interpretation, the BSI produces interpretations in consultation with the auditing bodies. These interpretations are referred to as AIS ("Application Notes and Interpretations of the Scheme"). Within the international framework, interpretations of the ITSEC have been harmonised and published as the ITSEC Joint Interpretation Library (ITSEC-JIL). The CC Interpretations Management Board (CCIMB) was established for the international harmonisation of CC interpretations.

Protection profiles

The concept of protection profiles is a major innovation introduced with the CC. Protection profiles can be used to define requirements for the security of an entire category of IT products or IT systems without reference to a specific implementation. Protection profiles offer users or user organisations the possibility of specifying security requirements for IT products, thereby providing manufacturers with product specifications as a basis for development. Requirements for the specific IT systems of a service area can also be described in a protection profile, e.g. for the purpose of system accreditation. Manufacturers or manufacturer associations can also use protection profiles for standardisation.

The structure of protection profiles corresponds to that of security targets. The use of protection profiles therefore considerably reduces the effort required to create security targets for specific IT products or systems: the protection profile only needs to be adapted to the specific product or system.

Evaluation and certification are also provided for protection profiles, and are the prerequisite for their registration. To date, a whole range of protection profiles have been registered with the various international certification bodies, the majority of them relating to smart card ICs and smart card operating systems and applications. Further protection profiles from the areas of firewalls, operating systems, database systems, biometric procedures and signature components have already been registered or are in development. Registered protection profiles are published at the following web addresses:

The BSI certification scheme

The BSI certification scheme provides that a certification procedure involves the manufacturer or distributor as applicant, the BSI as certification body and an auditing body. The auditing bodies are recognised according to DIN EN 45001 or DIN EN ISO/IEC 17025.

The security target is developed at the beginning of a certification procedure with the involvement of the BSI and the auditing body. On the basis of the agreed security target, the manufacturer or distributor can then conclude an evaluation contract with the auditing body. The applicant then submits the certification application to the BSI. The auditing body carries out the technical examination known as evaluation, which is divided into various sub-steps according to the audit aspects of the applied set of criteria. The audit results are documented and justified by the auditing body in audit reports. At the end of the evaluation, the auditing body prepares the final evaluation report, which summarises the results of the evaluation for all required audit aspects. The certification body has the task of ensuring the equivalence of the evaluation results of different auditing bodies. To achieve this, it monitors each procedure, which includes the coordination of the security requirements, the development and coordination of interpretations, and the acceptance of the audit reports. The result of the certification procedure is summarised by the certification body in a certification report. If the applicant agrees to the publication of the certification report, it is published in the Certification section.

Certification effort

The effort involved in the evaluation depends on the complexity of the product to be evaluated and, crucially, on the evaluation level chosen by the manufacturer in the security target. As the evaluation level increases, so do the scope and level of detail of the product and design documentation to be evaluated and, accordingly, the depth and extent of testing. While at level EAL3, for example, a low-level design (detailed design) and the representation of the implementation (source code or hardware drawings) are not yet required, these design documents must be included in the evaluation from level EAL4 onwards. At the higher levels, a formal security model and design documentation in semiformal or formal representation are also required.

Other decisive factors are the nature of the development process and the resources available at the manufacturer. Both ITSEC and CC assume a structured development process at the manufacturer, during which the required design documentation is produced as a matter of course. Where this is the case, choosing one of the higher evaluation levels is unproblematic. Otherwise, it is recommended to begin the evaluation at a lower evaluation level. This is advisable in all cases where a special purpose does not prescribe or require a higher evaluation level (e.g. digital signature components, smart cards).

The estimated costs for a certification procedure vary greatly due to the factors listed above. In principle, a structured development process that ensures the required documentation is produced as a matter of course shortens the procedure and reduces costs. The costs of certification at the BSI make up only a fraction of the evaluation costs; the majority of the external costs are incurred by the auditing body.

Further information about notification:

Bundesamt für Sicherheit in der Informationstechnik
Section SZ 21 and SZ 22
P.O. Box 20 03 63
53133 Bonn
Telephone: +49 228 99 9582-111
Fax: +49 228 99 9582-5455
E-mail: zertifizierung@bsi.bund.de