Common Criteria Scheme for product security evaluation and certification.
MitaliChatterjee8
8 views
24 slides
Oct 26, 2025
Slide 1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
About This Presentation
The Common Criteria Certification Scheme as per ISO 15408
Slide Content
Common Criteria Certification
Scheme
Scheme
Leading questions in IT security
Are the security services, being provided by the IT
product which are strong enough to protect the
asset?
e.g.
How good is the firewall protecting the network ?
How good is the Identification and authentication mechanism of an Internet
banking site?
How good is the protection mechanism of the HSM which are keeping my
private key ?
•What is the common scale to assess (the
goodness of the IT security products )?
2
Are the security services, being provided by the IT
product which are strong enough to protect the
asset?
e.g.
How good is the firewall protecting the network ?
How good is the Identification and authentication mechanism of an Internet
banking site?
How good is the protection mechanism of the HSM which are keeping my
private key ?
•What is the common scale to assess (the
goodness of the IT security products )?
2
‘Common’ in Common Criteria Standards
CRITERIA (for assessment)
Across the member Nations (scheme)
Across the stake holders (user/developer/
evaluator/certifier)
PROCESS (to follow)
in specifying the security specification/requirement of
the product (by the users)
in specifying the security claims of the product (by the
developer)
in evaluating / testing /Certification of the product
3
CRITERIA (for assessment)
Across the member Nations (scheme)
Across the stake holders (user/developer/
evaluator/certifier)
PROCESS (to follow)
in specifying the security specification/requirement of
the product (by the users)
in specifying the security claims of the product (by the
developer)
in evaluating / testing /Certification of the product
3
Evolution of Common Criteria Standard
4
4
The Common Criteria Standards
today
•Acknowledging the wide spread requirement, the ISO has thus
recognised Common Criteria version 2.1 as a standard for
security specifications and evaluations, and published as ISO
15408
•Current version of Common Criteria Standard is 3.1 R5 and
getting revised continuously
today
•Acknowledging the wide spread requirement, the ISO has thus
recognised Common Criteria version 2.1 as a standard for
security specifications and evaluations, and published as ISO
15408
•Current version of Common Criteria Standard is 3.1 R5 and
getting revised continuously
Family of CC standards and documents
CC Part-1
CC Part-2
CC Part-3
CEM
Introduction and general model
Security functional Requirements
Security Assurance Requirements
Common Evaluation
Methodology
ISO15408
6
ISO 18045
CC Part-1
CC Part-2
CC Part-3
CEM
Introduction and general model
Security functional Requirements
Security Assurance Requirements
Common Evaluation
Methodology
ISO15408
6
ISO 18045
Security of IT product- CC perspective
Common Criteria Standards address two kinds of
security:
The product can protect assets from threats in a
specific environment.
(e.g.: in the way that a firewall protects a network).
The product can protect itself in the specified
environment.
7
Common Criteria Standards address two kinds of
security:
The product can protect assets from threats in a
specific environment.
(e.g.: in the way that a firewall protects a network).
The product can protect itself in the specified
environment.
7
Some CC Terminologies…….
PP (Protection Profile) – An implementation-independent set of
security requirements for a category of TOE’s that meet specific
consumer needs
ST (Security Target) – A set of security requirements and
specifications to be used as the basis for evaluation of an identified
TOE
EAL(Evaluation Assurance Level) – is the level of confidence
achieved by the TOE
TOE (Target of Evaluation) – An IT product or system and its
associated administrator and user guidance documents that is
subject of an evaluation.
cPP (Collaborative Protection Profile) - Agreed protection
profile for a type of product across the member nations
8
PP (Protection Profile) – An implementation-independent set of
security requirements for a category of TOE’s that meet specific
consumer needs
ST (Security Target) – A set of security requirements and
specifications to be used as the basis for evaluation of an identified
TOE
EAL(Evaluation Assurance Level) – is the level of confidence
achieved by the TOE
TOE (Target of Evaluation) – An IT product or system and its
associated administrator and user guidance documents that is
subject of an evaluation.
cPP (Collaborative Protection Profile) - Agreed protection
profile for a type of product across the member nations
8
The PP (users’ requirements)
The ST (developers’ claims)
SECURITY TARGET VS. PROTECTION PROFILE
11
No ref. to any PP
ST addresses the PP
ST complies to
the PP and beyond
ST complies to many PPs
ST partially complies to PP
11
No ref. to any PP
ST addresses the PP
ST complies to
the PP and beyond
ST complies to many PPs
ST partially complies to PP
Difference between PP and ST( if is developed as an
answer to a PP)
ST = PP + TOE Summary specification
Developer’s
Specific description
of the security features
Vendor/ developer
Neutral Security
requirements
answer to a PP)
ST = PP + TOE Summary specification
Developer’s
Specific description
of the security features
Vendor/ developer
Neutral Security
requirements
The Target of Evaluation (TOE)
Target of Evaluation (TOE) is an IT product or system, which is
the subject for evaluation.
TOE includes all materials, like documentation and
administrator guide those are delivered with the product.
TOE might not be a full system or product as it could be
referring to only a particular module or part of a full product.
TOE= the Product ( + guidance documents)
Target of Evaluation (TOE) is an IT product or system, which is
the subject for evaluation.
TOE includes all materials, like documentation and
administrator guide those are delivered with the product.
TOE might not be a full system or product as it could be
referring to only a particular module or part of a full product.
TOE= the Product ( + guidance documents)
Example: A typical TOE (General purpose
Operating System)
Operating System)
Components of Product
Evaluation
(ST Based)
Assessment of
Product docs.
Dev. Process docs.
Testing
Vulnerability Assessment
Site visit (EAL 3 onwards)
Following
Common Evaluation
Methodology (CEM)
Evaluation
(ST Based)
Assessment of
Product docs.
Dev. Process docs.
Testing
Vulnerability Assessment
Site visit (EAL 3 onwards)
Following
Common Evaluation
Methodology (CEM)
Evaluation Assurance level (EAL)
EAL is NOT a scale to
measure number of
security
functions/feature
Same product can be
evaluated for different
EALs
Source code for security
functions to be reviewed
from EAL4
Assurance
Levels
EAL 7
EAL 6
EAL 5
EAL4
EAL 3
EAL 2
EAL 1
•Rigor of inspection
•Cost of evaluation
•Time of evaluation
EAL is not relevant for cPP based evaluation
EAL is NOT a scale to
measure number of
security
functions/feature
Same product can be
evaluated for different
EALs
Source code for security
functions to be reviewed
from EAL4
Assurance
Levels
EAL 7
EAL 6
EAL 5
EAL4
EAL 3
EAL 2
EAL 1
•Rigor of inspection
•Cost of evaluation
•Time of evaluation
EAL is not relevant for cPP based evaluation
Components of PP Evaluation
Following
Common Evaluation
Methodology (CEM)
Following
Common Evaluation
Methodology (CEM)
CC evaluation and Certification
EVALUATION
The Common Criteria
evaluation laboratory (CCTL) ,
undertakes
testing of the IT
product,
assessment of its
associated documents
and
assessment of its
development process
CERTIFICATION
The Certification body (IC3S)
issues a Common Criteria
Certificate to the product
under evaluation based on the
evaluation results from the
CCTL
18
Aim is to gain trust and confidence on the security of
The IT product
EVALUATION
The Common Criteria
evaluation laboratory (CCTL) ,
undertakes
testing of the IT
product,
assessment of its
associated documents
and
assessment of its
development process
CERTIFICATION
The Certification body (IC3S)
issues a Common Criteria
Certificate to the product
under evaluation based on the
evaluation results from the
CCTL
18
Aim is to gain trust and confidence on the security of
The IT product
Types of Evaluation activity
19
19
Approach to Evaluation
Based on cPP (collaborative
Protection Profile) which contains
evaluation/testing methodology
20
Based on Common
Evaluation Methodology
(CEM)
Based on cPP (collaborative
Protection Profile) which contains
evaluation/testing methodology
20
Based on Common
Evaluation Methodology
(CEM)
CC certification process
Evaluation facility
Certification Body
ETR
Other Evaluation
evidences
?
CC Certificate
Developer
Application
Instruction for evaluation
21
Evaluation facility
Certification Body
ETR
Other Evaluation
evidences
?
CC Certificate
Developer
Application
Instruction for evaluation
21
CC evaluation- an iterative process
Vendor/
Consultant
Docs
Product for evaluation
Evaluation facility
(e.g. CCTL, Kolkata)
Complying
With the
requirements
ETR (Evaluation Test
Report) to Cert. body
(e.g.IC3S, STQC HQ,
New Delhi)
YESNO
22
Vendor/
Consultant
Docs
Product for evaluation
Evaluation facility
(e.g. CCTL, Kolkata)
Complying
With the
requirements
ETR (Evaluation Test
Report) to Cert. body
(e.g.IC3S, STQC HQ,
New Delhi)
YESNO
22
Communication with developer
Before docs
Qualifies for
stage 0
After Stage 0
Evaluator
Developer
Text
Text
OR
WSs
OR
CCTL boundary
Ext. SVN
Server
Ext. SVN
Server
Before docs
Qualifies for
stage 0
After Stage 0
Evaluator
Developer
Text
Text
OR
WSs
OR
CCTL boundary
Ext. SVN
Server
Ext. SVN
Server
Communication with validator
WSs
Validator’s
Comments.
OR
SER
CCTL boundary
Evaluator Validator
Ext. SVN Server
WSs
Validator’s
Comments.
OR
SER
CCTL boundary
Evaluator Validator
Ext. SVN Server
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 8
- Slides 24
- Age 44 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
61 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
56 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
44 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
45 views
21
Know for Certain
DaveSinNM
28 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
31 views