Windows 2000 declared secure
Jim Hughes
jim at network.com
Fri Nov 1 13:43:32 EST 2002
Gentlepeople:
I believe I have an interesting question... While I am not generally a
Microsoft fan, the documentation that was pointed to seems to be
inconsistent. I agree with most of what Johnathan says, and maybe this is
just a nit that is irrelevant to the discussion at hand.
The document that the email referenced is
http://eros.cs.jhu.edu/~shap/NT-EAL4.html which in turn references page
9 of
http://www.radium.ncsc.mil/tpep/library/protection_profiles/CAPP-1.d.pdf
which I will quote a few paragraphs below where Johnathon quoted:
1.3 Strength of Environment
The CAPP is for a generalized environment with a moderate level
of risk to the assets. The assurance requirements and the
minimum strength of function were chosen to be consistent with
that level of risk. The assurance level is EAL 3 and the minimum
strength of function is SOF-medium.
But the press release states NT-2000 achieved EAL-4?
From http://www.commoncriteria.org/docs/EALs.html the differences
between EAL3 and EAL4 are:
EAL3 - methodically tested and checked
EAL3 permits a conscientious developer to gain maximum assurance
from positive security engineering at the design stage without
substantial alteration of existing sound development practices.
It is applicable in those circumstances where developers or
users require a moderate level of independently assured
security, and require a thorough investigation of the TOE and
its development without incurring substantial reengineering
costs.
An EAL3 evaluation provides an analysis supported by "grey box"
testing, selective confirmation of the developer test results,
and evidence of a developer search for obvious vulnerabilities.
Development environmental controls and TOE configuration
management are also required.
EAL4 - methodically designed, tested and reviewed
EAL4 permits a developer to maximize assurance gained from
positive security engineering based on good commercial
development practices. Although rigorous, these practices do not
require substantial specialist knowledge, skills, and other
resources. EAL4 is the highest level at which it is likely to be
economically feasible to retrofit to an existing product line.
It is applicable in those circumstances where developers or
users require a moderate to high level of independently assured
security in conventional commodity TOEs, and are prepared to
incur additional security-specific engineering costs.
An EAL4 evaluation provides an analysis supported by the
low-level design of the modules of the TOE, and a subset of the
implementation. Testing is supported by an independent search
for vulnerabilities. Development controls are supported by a
life-cycle model, identification of tools, and automated
configuration management.
[TOE stands for Target of Evaluation.]
Is it arguable that the difference is minimal? Is there a more formal
description of what can be done with an EAL3 vs an EAL4 device?
Thanks
jim
On Thu, 2002-10-31 at 17:41, Mark Miller wrote:
> At 11:41 PM 10/30/2002 Wednesday, Peter Gutmann wrote:
> >http://biz.yahoo.com/prnews/021029/sftu114_1.html
> >
> >Microsoft Windows 2000 Awarded Common Criteria Certification
> >Tuesday October 29, 2:00 pm ET
> >Achieves Highest Level of Security Evaluation for the Broadest Set of
> >Real-World Scenarios
>
>
> What it means: http://eros.cs.jhu.edu/~shap/NT-EAL4.html
>
>
> ----------------------------------------
> Text by me above is hereby placed in the public domain
>
> Cheers,
> --MarkM
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
--
Jim Hughes <jim at network.com>