
Common Criteria

Common Criteria (CC), published as ISO/IEC 15408, is an international standard for the security evaluation and certification of IT products and systems. In essence, it gives vendors a structured way to state what security functionality their product provides and to what level of assurance, and gives independent, accredited laboratories a method for checking whether those claims hold.

It provides evidence that a product (a firewall, HSM, operating system, smart card and so on) was designed, tested and evaluated against well-defined security requirements. Most certified products fall into one of the categories discussed below.

Because an independent lab has checked the vendor's claims, CC-certified products are preferred for critical environments, and some public tenders make certification a hard requirement. They are mainly used in:

  • Government
  • Military industry
  • Critical infrastructure
  • Banks and large companies requiring "certified" products

Take an HP printer we need to buy that has to meet CC. The certificate is granted to a specific product model and firmware version, not to HP as a company, and certainly not to every HP (or any other brand's) printer.

Common Criteria certification is expensive and slow. That is why vendors deliberately certify only the models aimed at customers who require this level of assurance; certifying a home printer would significantly increase its price for no benefit to most buyers.

Common Criteria Concepts

The developer defines a Target of Evaluation (TOE), i.e. exactly what will be evaluated, and the security requirements it claims to meet. The evaluation is carried out by an accredited laboratory under a national certification scheme and results in an Evaluation Assurance Level (EAL), ranging from EAL1 to EAL7, described later.

  • Target of Evaluation (TOE): The product or system being evaluated, including its boundary. Anything outside that boundary (for example, a management host, or the underlying hardware when only the software is the TOE) is not covered by the certificate.
  • Protection Profile (PP): A product-independent document that defines a set of security requirements for a product category (for example, firewalls or operating systems). PPs are typically written by governments or user communities so that several vendors' products can be evaluated against the same requirements.
  • Security Target (ST): A document that details the security specification of one specific TOE: the threats it addresses, the security functionality it claims, and the assurance measures that will be applied during evaluation. An ST may claim conformance to one or more PPs. Anyone assessing a certified product should read its ST, because the ST, not the certificate alone, states what was actually evaluated and in which configuration.
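What this scoping means in practice, as an added example that is not part of the original page: a certificate names one TOE version and one evaluated configuration, so checking whether a deployed device is actually covered has to match vendor, product and exact version, confirm the certificate has not been archived, and confirm the device runs in the configuration the ST requires. The vendor names, versions, dates and configuration strings below are constructed for the illustration; a real check would load the scheme's published certified-products list and the product's ST.

```python
"""Check an asset inventory against Common Criteria certificate records.

Added illustration, not code from any CC scheme. The certificate entries,
vendor names, versions and configuration strings are constructed for the
example; a real check would load the scheme's certified-products list and
each product's Security Target.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    vendor: str
    product: str               # TOE name exactly as it appears on the certificate
    version: str               # the evaluated version; no other version is covered
    claims: str                # EAL package (with augmentations) or conformed PP
    certified: date
    archived: Optional[date]   # None while the scheme still lists it as active
    evaluated_config: tuple    # settings the ST/guidance requires for the evaluated configuration


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    config: tuple              # settings observed on the deployed device


# Constructed sample certificates (hypothetical vendor and product names).
CERTS = [
    Certificate("ExampleNet", "EdgeGuard NGFW", "7.2.1", "EAL4+ (ALC_FLR.2)",
                date(2022, 3, 1), None, ("fips_mode=on", "telnet=off")),
    Certificate("ExampleNet", "EdgeGuard NGFW", "6.9.0", "EAL4",
                date(2019, 5, 10), date(2023, 5, 10), ("telnet=off",)),
]

# Constructed sample inventory.
INVENTORY = [
    Asset("fw-dc1", "ExampleNet", "EdgeGuard NGFW", "7.2.1", ("fips_mode=on", "telnet=off", "ssh=on")),
    Asset("fw-dc2", "ExampleNet", "EdgeGuard NGFW", "7.2.1", ("telnet=off", "ssh=on")),
    Asset("fw-lab", "ExampleNet", "EdgeGuard NGFW", "7.3.0", ("fips_mode=on", "telnet=off")),
    Asset("fw-old", "ExampleNet", "EdgeGuard NGFW", "6.9.0", ("telnet=off",)),
    Asset("fw-branch", "OtherCo", "BranchBox", "1.0", ()),
]

TODAY = date(2024, 6, 1)


def check_asset(asset, certs, today):
    """Classify one asset against the certificate list.

    Returns (status, certificate, missing_settings). Matching is exact on
    vendor, product and version: a certificate for one version of a product
    line says nothing about its other versions, and an archived certificate
    no longer gives assurance. Even an exact match only holds if the device
    runs in the evaluated configuration.
    """
    same_line = [c for c in certs
                 if (c.vendor, c.product) == (asset.vendor, asset.product)]
    exact = [c for c in same_line if c.version == asset.version]
    if not exact:
        return ("version_not_certified" if same_line else "not_certified", None, ())
    active = [c for c in exact if c.archived is None or c.archived > today]
    if not active:
        return ("archived", exact[0], ())
    cert = active[0]
    missing = tuple(s for s in cert.evaluated_config if s not in asset.config)
    if missing:
        return ("config_mismatch", cert, missing)
    return ("covered", cert, ())


def report(inventory=INVENTORY, certs=CERTS, today=TODAY):
    """Map each asset name to its coverage status."""
    return {a.name: check_asset(a, certs, today)[0] for a in inventory}


if __name__ == "__main__":
    for asset in INVENTORY:
        status, cert, missing = check_asset(asset, CERTS, TODAY)
        claims = cert.claims if cert else "-"
        print(f"{asset.name:10} {asset.product} {asset.version:6} {status:22} {claims} {missing}")
```

Of the five constructed assets only fw-dc1 is covered: fw-dc2 runs the certified version outside its evaluated configuration, fw-lab runs a newer version that was never evaluated, fw-old's certificate has been archived, and fw-branch has no certificate at all. Those four cases are exactly the ones a procurement or audit check tends to miss when it looks only at the product name.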

Categories

  1. Operating Systems (OS): This is one of the most critical categories. The OS is the foundation on which all other applications run, and its security is paramount. The evaluation focuses on ensuring the operating system can protect itself and the data it manages.

    • What is evaluated: Access control (user permissions), secure boot, memory protection, audit log generation, data encryption (like Microsoft's BitLocker or Apple's FileVault).
  2. Network and Perimeter Protection Devices: These products are the first line of defense for a corporate network. Certification ensures they can reliably inspect traffic and apply defined security policies.

    • What is evaluated: Packet filtering, stateful inspection, VPN (Virtual Private Network) tunnel establishment, intrusion detection and prevention (IDS/IPS), and the security of the device's own management plane. Examples:
      • Next Generation Firewalls (NGFW): Products from Palo Alto Networks, Check Point, Fortinet, SonicWall.
      • Routers and Switches: Equipment from Cisco and other major network infrastructure brands.
      • VPN Gateways.
  3. Databases: Validates the mechanisms that protect stored data against unauthorized access and tampering in database engines such as Oracle Database or MySQL.

    • Evaluated: Granular access control to tables and columns, data encryption at rest and in transit, privilege separation (preventing even the database administrator from seeing sensitive data) and robust auditing.
  4. Hardware and Integrated Circuits (ICs): Security can start at the lowest level: silicon. Certification here ensures the hardware itself is secure and resistant to physical and logical attacks.

    • What is evaluated:
      • Tamper resistance, protection of cryptographic keys stored in the chip, resistance to side-channel and fault-injection attacks, and generation of high-quality random numbers.
    • Concrete examples:
      • Smart Cards: Used in chip credit cards, government identification cards, and authentication tokens.
      • Hardware Security Modules (HSMs): Devices that protect and manage digital keys for critical cryptographic operations, essential in banks and certification authorities.
      • Secure Processors: Like Apple's Secure Enclave (a coprocessor inside the SoC) or the T2 Security Chip, which provide an isolated execution environment separate from the main application processor.
      • Trusted Platform Modules (TPMs): Dedicated chips that store keys and platform measurements and perform cryptographic operations on behalf of the host.
  5. Mobility and Multifunctional Devices: With the growth of remote work and connectivity, the security of devices that were once simple has become crucial.

    • What is evaluated: Secure separation between corporate and personal data (containerization), wireless communication security (Wi-Fi, Bluetooth), data protection on the device (encryption), and secure print management on multifunctional devices.
    • Examples: Printers, scanners, smartphones.

Evaluation Assurance Levels (EALs)

Common Criteria uses Evaluation Assurance Levels (EALs) to indicate the degree of rigor and depth of security evaluation. There are seven levels, with EAL1 being the most basic and EAL7 the most rigorous:

  • EAL1: Functionally Tested. Suitable for situations where there's some confidence in correct operation, but security threats are not considered serious.
  • EAL2: Structurally Tested. Requires analysis of the product design and developer test results.
  • EAL3: Methodically Tested and Checked. The evaluation goes beyond testing and verifies the development process, including configuration management and secure delivery procedures.
  • EAL4: Methodically Designed, Tested, and Reviewed. This is the highest level that is usually economically feasible to retrofit to an existing product line. Vulnerability analysis is more in-depth.
  • EAL5: Semiformally Designed and Tested. Requires a semiformal design approach and more extensive vulnerability analysis.
  • EAL6: Semiformally Verified Design and Tested. Adds more rigorous design analysis and complete systematic testing of security functionalities.
  • EAL7: Formally Verified Design and Tested. It's the highest level and requires formal design verification, plus extensive testing. It's generally applied to products for very high-risk environments.

It's important to note that a higher EAL doesn't necessarily mean a product is "more secure", only that its security claims (whatever the ST says they are) were evaluated more rigorously. A certificate written as "EAL4+" means the EAL4 package was augmented with additional assurance components, for example ALC_FLR (flaw remediation) or AVA_VAN.5 (resistance to attackers with high attack potential). Two further caveats matter when relying on an EAL: under the international recognition arrangement (CCRA) only certificates up to EAL2 and those based on collaborative Protection Profiles are mutually recognized, with higher levels depending on regional agreements such as SOG-IS in Europe; and some schemes, NIAP in the US among them, no longer evaluate against EALs at all and instead require exact conformance to an approved Protection Profile. The appropriate EAL or PP depends on the security needs of the environment where the product will be used.