Windows 2000 declared secure

Jonathan S. Shapiro shap at eros-os.org
Sat Nov 2 12:10:57 EST 2002


>Ron Luman II replies to Jim Hughes
>
> >> Is it arguable that the difference is minimal. Is there
> >> a more formal description of what can be done with an
> >> EAL3 vs an EAL4 device?
> >
> >If by 'what can be done' you are referring to recommended usage,
> >I'm not aware of any.  If you mean functionality, then you
> >might want to re-read the webpage referenced in a previous
> >message.  EAL# does not specify functionality, only assurance.
> >In other words, what processes were followed and how rigorously.
> >The Protection Profile is what specifies the functionality.

Ron's description is correct, but may lead to a slight misunderstanding.
As he says, the protection profile specifies the functional
requirements, while the EAL# specifies assurance. To be a little more
pedantic, the EAL# specifies the *assurance* requirements. When we say
that a system has been rated "EAL4" we are saying that the evaluation
has met a collection of evaluation requirements that are packaged
together in the Common Criteria under the heading of EAL4.

You may occasionally see people talk about "EAL4+" or "EAL4 Augmented"
(or, as in the Microsoft case, "CAPP augmented", where CAPP can be
replaced by any protection profile). In the case of EAL#, this means
that additional evaluation requirements were met beyond those of EAL4.
In the case of a protection profile, it means that additional functional
requirements were included.

However...

One cannot altogether separate the evaluation requirements from the
functional requirements. In certain areas where we have a lot of
historical knowledge, the evaluation requirements become fairly precise.
For example, there are evaluation requirements on how to evaluate a
login authentication system. These have the side effect of implicitly
requiring that the corresponding functional requirements have been met.

When CAPP was designed, the authors specified that the highest assurance
level that the CAPP functional requirements could support was EAL3. This
may have subsequently been revised, but somebody should definitely
invite a clarification on this point from NIAP (the accrediting body for
evaluation groups).

Having looked at CAPP again, it is unclear to me how an EAL4 evaluation
result could properly have been issued. This could well be my
misunderstanding, so don't jump to any conclusions yet. The answer could
very well lie in the protection profile augmentations that Microsoft did,
which I have not examined.


shap


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com