22 July, 2010
IT Security Center (ISEC)
Information-technology Promotion Agency (IPA)
Copyright 2010 Information-Technology Promotion Agency, Japan
Introduction of IPA
Overview of IT Security Center (IPA/ISEC)

IPA/ISEC (Information-technology SEcurity Center)
Mission: IT security enhancement in Japan
Establishment: January, 1997

7 Groups
- Virus & Unauthorized Access Countermeasures Group: provides information about viruses and unauthorized computer access
- Security Engineering Laboratory: handles and researches vulnerability information and vulnerability analysis
- Security Economics Laboratory: supports information security policy decision-making
- Planning Group: plans and organizes ISEC activity and operation
- Global Alliance Group: promotes information security education and awareness through seminars etc.
- Information Security Certification Office: IT security evaluation and certification (Japanese Certification Body)
- Cryptography Research Group: cryptography research and evaluation activity
Number of Certificates issued

[Figure: number of certificates issued per fiscal year (FY2001 to FY2007) by TOE type]

TOE Type          FY2001  FY2002  FY2003  FY2004  FY2005  FY2006  FY2007(*)
MFP                    0       0       4      10      19      32         26
Middleware             0       0       0       0       0       2         13
Database               0       0       1       0       0       5          4
Smart Card             0       0       0       3       1       0          2
Firewall               0       1       0       0       0       1          2
PKI                    0       0       0       1       2       0          1
Network                0       0       0       0       0       2          1
Operating System       0       0       0       0       0       1          1
Others                 0       1       0       3       1       0          4

*) As of January, 2008
Activity Report in 2009-2010
2009-2010 Activities in Japan

IPA is conducting or has conducted the following projects in 2009 and 2010:
- Developers' evidence examples
- Guidance for new developers
- Guidance for CEM work units
- MFP vulnerabilities research
Developers' evidence examples

- Developers often say they need more concrete guidance about what information has to be described in the evidence (especially ADV_ARC) for CC evaluation.
- Sometimes developers and evaluators have different views of ADV_ARC. These discrepancies cause delays in the evaluation.
- The bottom line is that there is no common understanding at the CCRA level of what ADV_ARC means for application software running on the OS.
- However, IPA, as a certification body, needs to remedy this issue anyway.
Developers' evidence examples

- One possible solution is to develop examples of evidences for a specific type of product so that certifiers, evaluators and developers can discuss them more concretely.
- This is the first step towards building a common understanding of what should be described in the evidence.
- Fortunately, the French scheme has already developed such examples of evidences for educational purposes.
- IPA and the evaluation labs decided to examine the French scheme's examples first.
Developers' evidence examples

The French scheme has published an example of a set of evidences and the associated evaluation reports for a CC 3.1 evaluation of a real product (EAL2+, Truecrypt (disk encryption software)).
http://www.ssi.gouv.fr/archive/fr/documentation/exemple/index-en.html

Example of a set of evidences and the associated evaluation reports for a CC 3.1 evaluation of a real product (EAL2+, Truecrypt)

These documents are available in French and English. They are intended for:
- developers who wish to have a product evaluated. These documents give examples of the evidences awaited by the ITSEFs and the certification schemes;
- training organizations and, more generally, teachers, in order to allow them to create a training program on the evaluation criteria with concrete examples and correct versions. The feedback shows that purely theoretical training programs have a limited efficiency if there are no concrete examples;
- ITSEFs, in order to improve their internal evaluators' training.

Product: the mass encryption product Truecrypt version 4.2a
CC version: CC 3.1
Level of evaluation: EAL2+ augmented ADV_FSP.4, ADV_TDS.3, ADV_IMP.1, AVA_VAN.3
Developers' evidence examples

- Japanese evaluation labs reviewed the Truecrypt evidences. They said they found some fundamental defects in the evidence.
- IPA translated several of the evidences into Japanese and published them, together with the evaluation labs' comments, on our web site with the French scheme's permission.
  http://www.ipa.go.jp/security/jisec/apdx.html
- IPA has just started using these examples, with the evaluators' comments, in our training courses to meet developers' needs.
- However, the TOE is Truecrypt, so the examples are not suitable for other types of products. More examples need to be developed in the future.
Guidance for new developers

- Most of the certified products in Japan are MFPs. IPA would like to see more variety of certified products.
- Hearings with vendors showed that vendors suffered from a lack of information about CC evaluation when they went through CC for the first time:
  - How much will it cost?
  - How long will it take?
  - What documents do we have to prepare for evaluation?
  - How can we prepare evidences in an efficient manner?
- IPA is trying to provide developers who have never experienced CC evaluation with useful information so that new vendors can apply for CC without excessive concerns.
Guidance for new developers

The guidance for new developers is intended to provide useful information so that new vendors can apply for CC evaluation without excessive concerns.

[Figure: Range of sample cost of CC evaluations by EAL (million yen)]
[Figure: Range of time required for CC evaluation by EAL (months)]
Guidance for CEM work units

- Developers want to see more concrete and clear guidelines for CC evidence so that they can clearly understand what they should provide as evidence and how these evidences will be evaluated.
- The German scheme has already published guidance for developers, called Guidelines for Developer Documentation, by extracting from the CC/CEM the information regarding the evidence to be provided.
  http://www.commoncriteriaportal.org/files/ccfiles/commoncriteriadevelopersguide_1_0.pdf
Guidance for CEM work units

[Figure: Extract from Guidelines for Developer Documentation]
Guidance for CEM work units

- The German guidance re-arranges the information regarding the evidence in the CC/CEM so that developers don't need to go back and forth between CC Part 3 and the CEM.
- It is useful guidance, but our vendors want to see more concrete information.
- IPA is currently developing guidance which explains each CEM work unit in more detail.
- This task has just started and we have nothing to provide to AISEC.
MFP vulnerabilities research

- IPA is developing an attack database for MFP products:
  - What threats should be considered for MFPs?
  - What are the attack methods?
  - What kinds of vulnerabilities are likely to exist in MFPs?
- Evaluators can refer to this database for AVA_VAN.
- Developers can also refer to this database to improve their own development process.
2009-2010 Activities in Japan

If you are interested in our activities, feel free to contact me at n-kai@ipa.go.jp

Thank you.