European Information Technology Security Criteria (ITSEC)
The review is based on version 1.2 of these criteria, published in June 1991 on behalf of four countries: France, Germany, the Netherlands and the United Kingdom.
The European Criteria identify the following objectives for information security measures:
protection of information from unauthorized access, in order to ensure confidentiality;
ensuring the integrity of information by protecting it from unauthorized modification or destruction;
ensuring the availability of systems by countering denial-of-service threats.
The "European Criteria" distinguishes between systems and products.
A system is a specific hardware and software configuration built with well-defined goals and functioning in a known environment.
A product is a hardware and software "package" that can be purchased and integrated into a particular system at the purchaser's discretion.
Thus, from the point of view of information security, the main difference between a system and a product is that a system has a specific environment that can be defined and studied in as much detail as required, whereas a product must be designed for use under a variety of conditions.
Threats to a system are therefore specific and real in nature, while threats to a product can only be assumed. The developer can specify the conditions under which the product is intended to operate; it is up to the purchaser to ensure that those conditions are met.
For practical reasons it is important to keep the evaluation criteria for products and systems unified, so as to simplify and reduce the cost of evaluating a system built from previously certified products. To this end a single term, the Target of Evaluation (TOE), is introduced for both systems and products. Where a requirement applies only to systems, or only to products, the criteria say so explicitly.
In order to meet the requirements of confidentiality, integrity and availability, an appropriate set of security functions must be implemented, such as identification and authentication, access control, recovery after failures, and so on. For security measures to be recognized as effective, a certain degree of confidence is required that they were chosen correctly and that they function reliably. To address this, the "European Criteria" introduce, for the first time, the concept of adequacy (in ITSEC terminology, assurance) of security measures.
The overall assessment of a system's security thus combines the functionality of its security measures (which protection functions are provided, and how strong their mechanisms are) with the level of adequacy of their implementation.
Most of the functional requirements coincide with the corresponding requirements of the Orange Book (TCSEC).
The "European Criteria" define ten example functionality classes. Classes F-C1, F-C2, F-B1, F-B2 and F-B3 correspond to the Orange Book security classes with the same designations; the remaining five classes address particular needs not covered by the Orange Book hierarchy.
The F-IN class is intended for systems with high integrity requirements, which is typical of database management systems.
Its description is based on the concept of "roles", corresponding to the types of user activity, and on providing access to certain objects only through trusted processes. The following types of access must be distinguished: read, write, append, delete, create, rename and execute.
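The following Python sketch is an added illustration of the F-IN access rule described above; it is not ITSEC text and not code from any evaluated product. Permissions are assigned to roles, per object and per access type, and a subset of access types can only be exercised through trusted processes. The role, object and process names, and the choice of delete and rename as the trusted-only access types, are assumptions made for the demonstration.

```python
"""Added example (not part of ITSEC or the original text): a small
reference monitor in the spirit of the F-IN class. Access is granted to
roles, per object and per access type, and some access types may only be
exercised through trusted processes. Role, object and process names, and
the choice of trusted-only access types, are assumptions for this demo."""

from dataclasses import dataclass

# The seven access types the F-IN class requires to be distinguished.
ACCESS_TYPES = frozenset(
    {"read", "write", "append", "delete", "create", "rename", "execute"})


@dataclass(frozen=True)
class Process:
    name: str
    role: str       # the role on whose behalf the process acts
    trusted: bool   # True only for processes in the trusted computing base


class IntegrityMonitor:
    def __init__(self, trusted_only=("delete", "rename")):
        self._policy = {}   # role -> object -> set of permitted access types
        self._trusted_only = frozenset(trusted_only)

    def grant(self, role, obj, *accesses):
        unknown = set(accesses) - ACCESS_TYPES
        if unknown:
            raise ValueError(f"unknown access type(s): {sorted(unknown)}")
        self._policy.setdefault(role, {}).setdefault(obj, set()).update(accesses)

    def check(self, proc, obj, access):
        """Return True iff `proc` may perform `access` on `obj`."""
        if access not in ACCESS_TYPES:
            raise ValueError(f"unknown access type: {access!r}")
        permitted = self._policy.get(proc.role, {}).get(obj, set())
        if access not in permitted:
            return False                      # the role was never granted this access
        if access in self._trusted_only and not proc.trusted:
            return False                      # only a trusted process may do this
        return True


def build_demo_monitor():
    """Assumed policy for a ledger: clerks append, auditors read, archivers delete."""
    m = IntegrityMonitor()
    m.grant("clerk", "ledger", "read", "append")     # append, but never rewrite
    m.grant("auditor", "ledger", "read")
    m.grant("archiver", "ledger", "read", "delete")  # delete only via a trusted process
    return m


if __name__ == "__main__":
    m = build_demo_monitor()
    clerk_app = Process("posting-app", "clerk", trusted=False)
    archiver_shell = Process("shell", "archiver", trusted=False)
    archiver_job = Process("archive-job", "archiver", trusted=True)
    print(m.check(clerk_app, "ledger", "append"))       # True
    print(m.check(clerk_app, "ledger", "write"))        # False: append is not write
    print(m.check(archiver_shell, "ledger", "delete"))  # False: untrusted process
    print(m.check(archiver_job, "ledger", "delete"))    # True
```

The point of separating append from write is the one F-IN makes: a clerk can add records to the ledger but cannot rewrite or remove existing ones, and the destructive operations are reachable only through a process the evaluator has examined.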
The F-AV class is characterized by increased availability requirements. This is essential, for example, for process control systems.
The requirements of this class specify that after the failure of an individual hardware component the system must recover in such a way that all critical functions remain continuously available, and that components can be replaced without interrupting those functions. Regardless of the load level, a defined system response time to external events must be guaranteed.
The F-DI class is aimed at distributed information processing systems.
Before an exchange begins, and upon receipt of data, the parties must be able to identify the participants in the interaction and verify their authenticity. Error detection and correction mechanisms must be used; in particular, any accidental or deliberate corruption of address or user data must be detected when data is sent. Knowledge of the error-detection algorithm must not enable an attacker to modify the transmitted data undetected, so an unkeyed checksum alone does not satisfy this requirement. Attempts to retransmit previously transmitted messages (replays) must be detected.
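As an added example (not ITSEC text and not code from any evaluated product), the block below shows one way to meet the F-DI requirements just listed with standard-library primitives: a keyed MAC (HMAC-SHA256) over the address fields, a per-sender sequence number and the user data, so that tampering with addresses or data is detected, replays are rejected, and knowing the algorithm does not help without the key. For contrast it also shows that an unkeyed CRC, where the algorithm is all the attacker needs, can be recomputed after a modification. The pre-shared key, the party names and the message contents are constructed for the demonstration.

```python
"""Added example (not part of ITSEC or the original text): a minimal
message format satisfying the F-DI requirements, plus a contrast showing
why an unkeyed checksum does not. The pre-shared key, party names and
message contents are constructed for the demonstration."""

import hashlib
import hmac
import json
import zlib

# Assumption: the two parties have agreed a secret key out of band.
SHARED_KEY = b"example-pre-shared-key-do-not-reuse"


def _canonical(src, dst, seq, data):
    # Address fields, sequence number and user data are all covered by the tag,
    # so tampering with any of them is detected.
    return json.dumps({"src": src, "dst": dst, "seq": seq, "data": data},
                      sort_keys=True).encode()


def seal(src, dst, seq, data, key=SHARED_KEY):
    """Build a message protected by a keyed MAC (HMAC-SHA256)."""
    tag = hmac.new(key, _canonical(src, dst, seq, data), hashlib.sha256).hexdigest()
    return {"src": src, "dst": dst, "seq": seq, "data": data, "tag": tag}


class Receiver:
    """Verifies origin, integrity and freshness of incoming messages."""

    def __init__(self, name, key=SHARED_KEY):
        self.name = name
        self.key = key
        self.last_seq = {}  # highest sequence number accepted, per sender

    def accept(self, msg):
        """Return 'ok' if the message is accepted, otherwise the reason for rejection."""
        expected = hmac.new(self.key,
                            _canonical(msg["src"], msg["dst"], msg["seq"], msg["data"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare; a valid tag proves the sender held the key and
        # that neither the addresses nor the data were altered in transit.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: integrity/authenticity check failed"
        if msg["dst"] != self.name:
            return "rejected: not addressed to this party"
        # Strictly increasing sequence numbers per sender make a replay detectable.
        if msg["seq"] <= self.last_seq.get(msg["src"], -1):
            return "rejected: replay"
        self.last_seq[msg["src"]] = msg["seq"]
        return "ok"


# --- Contrast: an unkeyed checksum is not enough ---------------------------

def crc_seal(body: bytes):
    return body, zlib.crc32(body)


def crc_check(body: bytes, tag: int):
    return zlib.crc32(body) == tag


def attacker_rewrites_crc(body: bytes, old: bytes, new: bytes):
    """An attacker who knows the algorithm simply recomputes the checksum."""
    forged = body.replace(old, new)
    return forged, zlib.crc32(forged)


def demo():
    """Run the scenarios and return their outcomes."""
    bob = Receiver("bob")
    m1 = seal("alice", "bob", 1, "transfer 100")
    results = {"genuine": bob.accept(m1), "replay": bob.accept(m1)}
    tampered = seal("alice", "bob", 2, "transfer 100")
    tampered["data"] = "transfer 900"     # attacker edits the data, cannot fix the tag
    results["tampered"] = bob.accept(tampered)
    rerouted = seal("alice", "bob", 3, "transfer 100")
    rerouted["dst"] = "mallory"           # the address fields are covered too
    results["address_tampered"] = bob.accept(rerouted)
    body, _tag = crc_seal(b"transfer 100")
    forged, forged_tag = attacker_rewrites_crc(body, b"100", b"900")
    results["crc_forgery_passes"] = crc_check(forged, forged_tag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Two design points worth noting: the check order is deliberate (authenticity first, so that the replay counter is never advanced by an unauthenticated message), and the sequence-number state is per sender, which is what lets the receiver distinguish a legitimate new message from a retransmission of an earlier one. A production design would also need to bound how the counter is stored and resynchronized, which ITSEC leaves to the implementer.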
The F-DC class places particular emphasis on the confidentiality of transmitted information.
Information must be transmitted over communication channels in encrypted form, and the encryption keys must themselves be protected against unauthorized access.
The F-DX class places increased demands on both the integrity and the confidentiality of information.
It can be regarded as a combination of the F-DI and F-DC classes, with additional capabilities for encryption and for protection against traffic analysis. Access to previously transmitted information, which could in principle facilitate cryptanalysis, must be restricted.
Adequacy criteria. Adequacy has two aspects: effectiveness, which reflects how well the security measures fit the tasks they are meant to solve, and correctness, which characterizes the process of their development and operation.
Effectiveness is the correspondence between the tasks assigned to the security measures and the set of protection functions actually implemented: their functional completeness and consistency, their ease of use, and the possible consequences of an attacker exploiting weaknesses in them.
Correctness is the correctness and reliability of the implementation of the security functions.
The European Criteria pay much more attention to the adequacy of security measures than to functional requirements. As noted above, adequacy consists of two components, the effectiveness and the correctness of the security measures.
The European Criteria define seven levels of adequacy, from E0 (inadequate assurance) to E6. An adequacy evaluation analyzes the entire life cycle of the system, from initial design through operation and maintenance. Levels E1 to E6 form a hierarchy of increasingly rigorous examination. At level E1, only the general architecture of the system is analyzed and the adequacy of the security measures is confirmed by functional testing. From level E3, the source code of the programs and the hardware drawings are included in the analysis.
At level E6, a formal description of the security functions, of the overall architecture and of the security policy is required.
The European Criteria also define three levels of strength for the security mechanisms: basic, medium and high. The degree of security of a system is determined by the weakest of its critical protection mechanisms.
Security is considered basic if the protection mechanisms are able to withstand isolated, accidental attacks.
Security is considered medium if the protection mechanisms are able to resist intruders with limited resources and capabilities.
Finally, security is considered high if there is confidence that the protection mechanisms can be overcome only by an attacker with a high level of expertise, resources and opportunity, so that a successful attack is judged to be beyond normal practicality.
Thus the European Information Technology Security Criteria, which appeared after the Orange Book, had a significant influence on security standards and certification methods.
The main achievement of this document is the introduction of the concept of adequacy of security measures and the definition of a separate scale of adequacy criteria. As already noted, the European Criteria attach even more importance to the adequacy of security measures than to their functionality, and this approach is used in many later information security standards.