Common Criteria for Information Technology Security Evaluation

from Wikipedia, the free encyclopedia

The Common Criteria for Information Technology Security Evaluation ( Common Criteria or CC for short ; in German: General criteria for evaluating the security of information technology ) are an international standard for testing and evaluating the security properties of IT products.


In June 1993, the Common Criteria Editorial Board (CCEB) began working on the Common Criteria, with members from Canada, France, Germany, Great Britain and the United States. To this end, the CCEB harmonized the previous standards CTCPEC (Canadian), ITSEC (European) and TCSEC (American). In this way, a jointly recognized basis for assessing data security was created. This is to avoid components or systems having to be assessed and certified multiple times in different countries. The first version (1.0) was released in January 1996. Version 2.0 followed after a long revision phase by the newly founded CC Implementation Board (CCIB) in May 1998. Since this version, the so-called project sponsors have also included the Netherlands in addition to the countries mentioned above.

ISO / IEC standard

Since 1994, the International Organization for Standardization (ISO), together with the CCEB or its successor, the CCIB, has been trying to develop an international standard. With the adoption of the ISO / IEC  15408 standard on December 1, 1999 in several sub-documents, the Common Criteria are a general and globally recognized standard. The standard is subject to the usual ISO change procedures. Version 2.3 followed in 2005, and a version jump to 3.1 in September 2006. Since then, new project sponsors have been Australia, New Zealand, Japan and Spain. The fourth revision of Common Criteria 3.1 was published in September 2012, followed by revision 5 in April 2017.

Process model

Logo of the German Institute for Standardization DIN ISO / IEC 15408-1 ... 3
Area IT security
title Information technology - IT security procedures - Evaluation criteria for IT security
Latest edition 2009-12 or 2008-09
ISO ISO / IEC 15408-1 ... 3

The Common Criteria differentiate between the functionality (scope of functions) of the system under consideration and the trustworthiness ( quality ). The distinction between the functionality of a system on the one hand and the trust that can be created by testing this functionality is one of the essential paradigms of the Common Criteria. The trustworthiness is considered in terms of the effectiveness of the methods used and the correctness of the implementation . The procedure can be understood as a feedback waterfall model.

Ideally, a security assessment that is independent of the finished product is carried out first, which leads to the creation of a general protection profile . From this security catalog, specific security specifications can then be developed for certain products , against which the evaluation according to CC is then carried out. The required trustworthiness, the depth of testing , is generally determined in accordance with the EAL (Evaluation Assurance Level, see below). An indication of the test depth without underlying functional safety requirements is pointless. In particular, the naming of the EAL levels without further information has prevailed, which often leads to irritation and heated debates.

In December 1999 the Common Criteria were declared the International Standard ISO / IEC  15408. The German part of this work will be a. supervised by DIN NIA-01-27 IT security procedures.

The CC consist of three parts:

  • Part 1: Introduction and General Model
  • Part 2: Functional safety requirements
  • Part 3: Requirements for trustworthiness / assurance requirements

In Germany, the standard parts are published as DIN standards DIN ISO / IEC 15408-1 ... 3.


The Common Criteria is based on a four-eyes principle when testing the safety properties of a product. The product must first be evaluated by an accredited testing agency and can then be certified by a certification agency (in Germany this is the Federal Office for Information Security (BSI) ).

International recognition

Certification according to the Common Criteria is mutually recognized internationally up to EAL4 (see below). Higher EALs do not have to be recognized internationally, but have hardly any practical significance in the private sector because of their enormous complexity. Within Europe, within the so-called SOGIS agreement and within certain technical areas, certifications up to EAL 7 may also be recognized.

Paradigm of criteria

The basic paradigm of the Common Criteria is the separation of the consideration of functionality and trustworthiness. In principle, the criteria do not specify that a certain functionality must be implemented or that it must be checked with a certain trustworthiness. Both aspects are defined by the manufacturer of the product in a document, the so-called security target, at the beginning of the evaluation.

Functionality classes

Part II of the Common Criteria contains a number of so-called "Security Functional Requirements (SFR)". The safety functionality of a product to be tested is described with the help of these semi-formal modules. In contrast to other standards, the functionality classes are not structured hierarchically. Instead, each class describes a certain basic function of the security architecture that must be assessed separately. Important functionality classes are:

In principle, the manufacturer is responsible for selecting the functionality that a system to be tested should provide. It is his responsibility to coordinate this functionality with the other parties involved - especially the customer. As part of an evaluation according to Common Criteria, only functions that the manufacturer has modeled in his "Security Target" are checked. When selecting SFR from Part II of the Common Criteria, certain framework conditions must be observed. Part II of the CC also maintains dependencies between SFRs, which must be taken into account when making the selection. Is z. For example, if an SFR is used to describe an access control policy for data, the dependency stipulates that SFRs must also be used to authenticate users. Collections of SFRs are combined to form protection profiles that describe the typical range of functions of certain products (e.g. firewalls , smart cards, etc.). Such protection profiles are traditionally written by manufacturers' associations or large customers to express their requirements for a certain class of products.


The Common Criteria define seven levels of trustworthiness (Evaluation Assurance Level, EAL1-7), which describe the correctness of the implementation of the system under consideration and the depth of testing . As the level of trustworthiness increases, so do the demands on the depth to which the manufacturer must describe his product and with which the product is tested. The following table provides an overview of the Evaluation Assurance Level and also compares the depths in other criteria.

EAL1 E0-E1 Q0-Q1 functionally tested D-C1
EAL2 E1 Q1 structurally tested C1
EAL3 E2 Q2 methodically tested and verified C2
EAL4 E3 Q3 methodically developed, tested and reviewed B1
EAL5 E4 Q4 semiformal designed and tested B2
EAL6 E5 Q5 semi-formally verified design and tested B3
EAL7 E6 Q6 formally verified design and tested A.

Evaluation methodology for certification

In addition to the Common Criteria, the bodies and institutions involved have developed a certification methodology that is intended to make the results of certification comprehensible and comparable. They are currently designed for parts 1 and 2 and are structured analogously to EAL 1–4.


The Common Criteria is based on a very formal approach that is required as a basis for the international recognition of the certificates. This leads to the frequent criticism that too much paper and too little product are tested in tests according to Common Criteria.

The evaluation according to CC is generally quite complex and takes some time. This too often leads to criticism of the application of these criteria.

Individual evidence

  1. Search result at ISO for ISO / IEC 15408
  2. ^ Richard A. Kemmerer: Computer Security. (PDF; 135 kB) 2001, accessed on June 13, 2013 (English).
  3. CCIB: common criteria. (PDF; 260 kB) Part 1: Introduction and general model. (No longer available online.) August 1999, archived from the original on April 19, 2012 ; accessed on June 13, 2013 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /
  4. CCIB: common criteria. (PDF; 561 kB) Part 1: Introduction and general model. (No longer available online.) September 2006, archived from the original on December 24, 2012 ; accessed on June 13, 2013 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /

Web links