| Abstract | At the present time, owing to advance of the broadband mobile communications and the Internet, many home users are enjoying services of IT revolution. Nevertheless, only limited people are aware of the danger of information eavesdropping and privacy invasion, when it comes to security policies. The security information can be understood as the ability of an information system which uses the Evaluation Assurance Levels (EAL) as defined in international standards ISO/IEC 15408 to avoid all accidents or malicious deliberate actions. Accidents and actions which will endanger availability, integrity, and confidentiality of stored or transmitted data as well as corresponding services offered by these networks and systems.
Many international standards exist in the IT security field. We have been developing a knowledge-based tool based on multiple international standards. In this paper, we propose a new knowledge-based tool based on FIPS 140-2 and SP 800-57 in addition to ISO/IEC 15408(CC), ISO/IEC 15446, ISO/IEC 13335, ISO/IEC 17799, and ISO/IEC 19791.
ISO/IEC 15408 also known as Common Criteria (CC) for Information Technology Security Evaluation is an international standard used as the basis to evaluate the security properties of IT products. CC Part 3 describes 7 security requirements package used for the evaluation, called Evaluations Assurance Level (EAL). In order to evaluate IT products based on CC, developers must create security target (ST). According to CC, the subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is not covered in the CC. However, the Target of evaluation (TOE) may employ cryptographic functionality to help to satisfy several high level security objectives. In this case, ST developers must be able to refer to an external standard.
FIPS 140-2 are different from the CC in the abstractness and focus of tests. FIPS 140-2 testing is against a defined cryptographic module and provides a suite of conformance tests to four security levels. All these 2500-odd pages about these international standards may not be the biggest issue. The principal problem of these international standards is the technical languages used with the large number of unfamiliar and technical terms. Specifically, on the cryptographic field, there are too many new technical words, and several standards to apply for cryptography. All these make the contents difficult to understand and the ST developer must read many times when trying to create a ST for evaluation. From the FIPS 140-2 point of view, FIPS 140-2 specifies 11 security requirements to secure design and implementation of cryptographic module. In addition, 4 security levels are specified for each of 11 requirement areas. According to FIPS 140-2, if the operational environment is modifiable, the operating system requirements of the CC are applicable at Security Levels 2 and above.
This knowledge-based tools works as a web application and will be able to access at http://teshilab.net. The knowledge-based tool supplements deficiency in ST developer’s knowledge by allowing easy access to often complex but necessary information on international standards and security requirements for cryptographic modules. In addition, this knowledge-based tool can also be used to support ST developers to understand the Cryptographic Module Validation Program (CMVP) process. Most of the information on FIPS 140-2, CC and other standards, are graphically displayed on this site. In addition, references in the same standards or to other standards are graphically represented, to help user to read and understand this relationships. Finally, we are working to include in this knowledge-based tool, other important international standards and special publication from NIST to support other aspect of cryptography and risk assessment as our future works. |