Update on the German Scheme

utterlypanoramicΑσφάλεια

30 Νοε 2013 (πριν από 3 χρόνια και 6 μήνες)

52 εμφανίσεις

Update on the German Scheme




Bundesamt für Sicherheit in der Informationstechnik (BSI)

(Federal Office for Information Security)

September 25, 2007

Irmela Ruhrmann


Head of Division Certification, Approval and Conformity Testing


Gereon Killian

Head of Certification Body

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
2

The
Federal Office for Information
Security (BSI)
was established by
the German Parliament in 1991.

§

3 of the Act on the Establishment
of the BSI, dated 17.12.1990 (Federal
Law Bulletin I p. 2834) defines the
tasks of BSI.


BSI Certification

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
4

BSI Certification Ordinance (BSI ZertV)

Act on Establishment of BSI

(BSIG: December 1990)

Decrees of the Federal Minister of the Interior

(e.g. handling of cryptographic problems)

Schedule of Costs (BSI
-
KostV)

BSI Certification

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
5

1989:

Green Book of BSI

1991:

Information Technology Security


Evaluation Criteria (ITSEC)


1999:

Common Criteria (CC) V2.1
-




Standard ISO/IEC 15408

2004:

Common Criteria (CC) V2.4
-




ASE/APE Trial Use Version

2005:


CC V 3.0 Trial Use Version

2005:

Common Criteria (CC) V2.3
-




Standard ISO/IEC 15408

2006:


CC V 3.1 Approved by MC in



September 2006

S

Kriterien für die Bewertung

der Sicherheit von Systemen

der Informationstechnik (ITSEC)

Juni

1991

Common Criteria

for Information Technology

Security Evaluation




Part I: Introduction and general model


May 1998


Version 2.0


CCIB
-
98
-
026

History





IT
-
SECURITY CRITERIA

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
6

Supported by



accredited evaluation


facilities



licensed auditors



international committees for


-

criteria development and


harmonisation


-

mutual recognition

Customer,

User,

Operator

Product Certificates

-

confirms
product specific

security functionality and
quality (CC/PP)

-

confirms

system
interoperability and functional
aspects (TR)

ISO 27001 Certification

in compliance with

BSI Baseline Protection

In the BSI Certification Scheme, ISO 27001 in compliance with BSI Baseline Protection


and Product Certification are intended to be complementary

BSI Certificate


confirms
functioning and
effective IT security
management

ISO 27001 /
BSI IT BP

BSI as Federal Office for Information Security


Product
Certification

BSI
-
Certificate

German Certification Scheme

BSI TR

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
9

BSI Accreditation
-

Evaluation Facilities (1)

CC and/or ITSEC ITSEFs:


Atos Origin GmbH


atsec information security GmbH


brightsight bv (former TNO
-
ITSEF BV)


CSC Deutschland Solutions GmbH


datenschutz nord GmbH


DFKI (German Research Institution for Artificial Intelligence) GmbH


media transfer AG


secunet SwissIT AG


SRC Security Research & Consulting GmbH


Tele
-
Consulting security | networking | training GmbH
(TC)


T
-
Systems GEI GmbH


TÜV Informationstechnik (TÜVIT) GmbH


Industrieanlagen
-
Betriebsgesellschaft mbH (IABG) (only ITSEC)


German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
10

BSI Accreditation
-

Evaluation Facilities (2)

BSI TR 03104

(ePass production data aquisition,




quality check and data transmission)


Fraunhofer Institut für Angewandte Optik und Feinmechanik


BSI TR 03105

(ePassport Conformity Testing)


CETECOM ICT Services GmbH


Secunet Security Networks AG


German Certification Scheme

ITSEF for evaluations against BSI
-
TR (BSI Technical Guidelines)

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
11

EU Commission:

NATO:


UN/G8:

Acquisition Policies in EU/Germany at this point in time concern special areas
(defense, health sector, ID cards)


Trend: increasing importance

Acquisition Policies for CC Certified Products

Multilateral Defense:



Infosec Technical and Implementation Guidance


on the use of Common Criteria within NATO



Digital Tachograph: Directive equivalent to law



G8
-

Principles on Critical Infrastructure Protection

Germany



Digital Signature Law



Health Cards and related products



ePassport and eID documents



Airbus A 400M



Eurofighter 2000

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
14

Product
-
types Certified / under Certification


Software Products


Hardware Products



Operating Systems

-

Mainframe

-

Midsize



PC Security Products

-

Security Shells

-

Integrity Protection



Data Communication Products



Firewalls



Biometric Security Products


-

(Voice Identification)



Smartcard with OS and Applications



Signature Applications



Tachograph Components


-

Motion Sensor,


-

Vehicle Unit,


-

Smartcard

German Certification Scheme



Smartcard Reader



Smartcard Controller


Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
15

BSI-Certificates
0
1
14
15
34
37
88
100
7
6
5
2
3
7
8
4
0
10
20
30
40
50
60
70
80
90
100
110
2000
2001
2002
2003
2004
2005
2006
Forecast 2007
CC
ITSEC
Market development of CC certified Products

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
16

Market development of CC certified Products

0
5
10
15
20
25
30
35
40
45
2003
2004
2005
2006
Smartcard
Applications
Tachograph
Components
Operating
Systems
Signature
Applications
Other
Products
Smartcard
Controller
Firewalls
German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
17


Certification parallel to the product development



Certification of a finished product



Assurance Continuity


Re
-
evaluation


Maintenance

(mostly on HW/Smartcard, a few on SW, one on PP)

Types of certification procedures

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
18

Recent Certificates (Examples 1)


Infineon

Smartcard
-
Controller
(SLE66CL180PE, SLE66CL180PEM,


SLE66CL180PES, SLE66CL81PE, SLE66CL81PEM,


SLE66CL80PE, SLE66CL80PEM, SLE66CL80PES,


SLE66CL41PE)


Renesas

Smartcard
-
Controller
(AE55C1 (HD65255C1)



SuSE LINUX


Operating Systems
(SUSE Linux Enterprise Server V 8, with Service


Products


Pack 3)


Microsoft

Exchange Server,


Data bank server
(Database Engine of Microsoft SQL Server)



Firewall
(ISA Server),



Directory
-
Server


IBM

Operating Systems, e.g. z/OS,


AIX, PR/SM, Directory
-
Server,


Tivoli Access Manager

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
19


GeNUA


Firewall
(GeNUScreen 1.0)


NXP


Smartcard Controller

Semiconductors

(
P5CD080V0B, P5CN080V0B and

Germany P5CC080V0B
)


Sharp


Smartcard Controller
(SM4148)


Océ


Printer Controller
(Océ SRA
Technologies

Controller Version 3, Bundle 8.02)


OPENLiMiT


Signature application software

Sign Cubes AG


(SignCubes base components 2.1)


Siemens VDO


Tachograph




(Digital Tachograph DTCO 1381,



Release 1.2a)

Recent Certificates (Examples 2)

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
20

Recent Maintenance Examples

NXP
Semiconductors
Germany
GmbH
(BSI-DSZ-CC-0410-2007-MA-
01)
NXP
Secure Smart
Card Controller
P5CC073V0B
with
specific IC
Dedicated Software
Smartcard
platform
IBM Deutschland Entwicklung
GmbH
(BSI-DSZ-CC-0426-2007-MA-
01)
NXP P521G072V0P (JCOP 21 v2.3.1),
NXP P531G072V0P (JCOP 31 v2.3.1)
and NXP P531G072V0Q (JCOP 31
v2.3.1)
Smartcard
platform
OPENLiMiT
SignCubes AG
(BSI-DSZ-CC-0432-2007-MA-
01)
OPENLiMiT
SignCubes
base
components 2.1,
Version 2.1.6.2
Signature
application
software
Infineon
Technologies AG
(BSI-DSZ-CC-0338-2005-MA-
03)
Infineon Smart
Card IC (
Security
Controller) SLE66CLX640P/m1523-a15
and SLE66CLX641P/m1522-a15
both
with RSA2048 V1.3
and
specific IC
Dedicated Software
Smartcard
Controller
German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
21

ePassport


The new German ePass includes biometrics with latest contactless
smartcard (ISO 14443) and IT
-
security technology.


TOE: RFID
-
Controller (HW), embedded
-
SW (OS), MRTD (ICAO)
application.


Life
-
Cycles: development, manufacturering, personalisation,
operation.


IT
-
Security Certification according to CC PPs and conformity
-
tested
according to Technical Guideline.

Important Certification Projects (1)

German Certification Scheme

Protection Profile: Machine Readable Travel Document with „ICAO Application“
Extended Access Control, Version 1.1

Technical Guideline: BSI
-
TR 03105 „ePassport Conformity
Testing“ (TR
-
ePass)

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
22

Key Security Components to be certified:


eGK

-

Electronic Health Card for 80 Mio. citizens replacing the
KVK (health insurance card).


HPC

-

Health Professional Card for more than 500.000 health
professionals.


SMC

-

Security Module Card to be used by an institution under
control by a health professional.


B4HC
-

Bit4Health Connector, provides access to the central
telematics infrastructure.

National eHealth
-
Card

Important Certification Projects (2)

German Certification Scheme

according to certified Protection Profiles

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
23




Technical Components:



Motion Sensor



Vehicle Unit



Tachograph Card (workshop/service, police, driver)

Digital Tachograph

Certification requirements according to EU Directive:



specified in „Generic Security Targets“



in conformity with the Common Criteria Protection Profile concept



ITSEC, E3 high



Common Criteria (CC), EAL 4+

German Certification Scheme

Important Certification Projects (3)

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
24


PP on Software for protection of personal
video data
-

Closed Circuit Television
(CCT)



Electronic Voting PPs (CC V2.3 / CC V3.1)


PP for USB
-
data storage devices


Mobile Synchronization Services PP


Security IC Platform Protection Profile
(CC V3.1)

Other Recent Protection Profile Developments

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
25


ISO 9001
-

Certification according to industry rules




QM
-
System of CB has been certified


Site Certification
:

Introduction in the German scheme 4th quarter 2007


Guidance for Developer’s Documents


Update of Scheme Interpretations for CC V3.1 ongoing

Important Projects inside the BSI Certification Scheme

German Certification Scheme

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
26


Certification improves IT
-
Security & IT
-
Product quality


World
-
wide increasing number of certificates and PPs


Success factors:


Common Criteria as an International Standard


Regulations and Public Acquisition policy promote product certification


Certification required by the Public and Private Sector


Certification Policy is part of the National Plan for Information
Infrastructure Protection in Germany


Complete product platforms of IT market leaders get certified


New CC
-
versions and scheme
-
efforts make certification less complex


Optimisation of CB internal process enhances efficiency


Increasing effort in development of Protection Profiles

Perspectives & Conclusions

Irmela Ruhrmann / Gereon Killian

September 25, 2007


Slide
27

Contact

Bundesamt für Sicherheit in der
Informationstechnik

(Federal Office for Information Security)


Godesberger Allee 185
-
189

53175 Bonn


Tel: +49 (0)3018 9582 111

Fax: +49 (0)3018 10 9582 5477


zerti@bsi.bund.de

www.bsi.bund.de

www.bsi.bund.de/gshb/zert