German IT security criteria
The German IT Security Criteria (ITS or ITSK, also Green Paper) are a guideline for the evaluation and certification of computer systems and software, drawn up in 1989/1990 by the Central Office for Information Security (now BSI). They are the German counterpart to the American Orange Book and form the basis for newer standards such as ITSEC and the Common Criteria.
The assessment is similar to ITSEC, but along only two axes: functionality and reliability. Reliability is examined in terms of the effectiveness of the method and the correctness of the implementation. Both values are then combined into a quality class.
Functionality classes
In contrast to the American Orange Book, these IT security criteria evaluate functionality and trustworthiness (quality); for trustworthiness, a further distinction is made between correctness and effectiveness. This results in three dimensions of evaluation, with only the first 5 of the 10 functionality classes forming a hierarchical order:
BSI ITS F | ITSEC F | meaning | TCSEC |
---|---|---|---|
F1 | F-C1 | Simple security, cooperative users | C1 |
F2 | F-C2 | Login mechanism, individual user data separated, (simple) logging | C2 |
F3 | F-B1 | Security model, rule-based protection levels | B1 |
F4 | F-B2 | Formal security model, secure data flow for authentication | B2 |
F5 | F-B3 | Reference monitor properties, formally verifiable | B3 / A |
There are also other functionality classes that relate to the consistency of data and the availability of services:
BSI ITS F | ITSEC F | meaning |
---|---|---|
F6 | F-IN | Rules to maintain the integrity and consistency of the data, type concept (especially for database systems: constraints and transactions) |
F7 | F-AV | Availability, error bridging, failure probability (precautions for power failure, redundant hardware, backups) |
There are also three classes of functionality that relate to the transmission of data (especially in networks):
BSI ITS F | ITSEC F | meaning |
---|---|---|
F8 | F-DI | Securing the integrity and authenticity of messages (electronic signature) |
F9 | F-DC | Securing the confidentiality of messages (encryption) |
F10 | F-DX | Requirements for secure networks |
Quality classes
When evaluating the quality (trustworthiness) of a computer system, a distinction is made between the effectiveness of the method and the correctness of the implementation. These two values are then combined into one quality value.
Effectiveness describes the resistance of a protective mechanism against attempted circumvention. ITSEC distinguishes between three levels of effectiveness, whereas the ITSK defines a finer assessment (six levels):
BSI ITS | ITSEC | meaning | TCSEC |
---|---|---|---|
not suitable | - | No protection. | D |
weak | low | Only protection against accidental, unintentional violations of the security rules. Easy to get around. | |
medium strength | medium | Protection against intentional violations by attackers with limited opportunity and resources. | C1-C2 |
strong | strong | Good protection, only to be circumvented with great effort. | B1-B2 |
very strong | | Very good protection, can only be circumvented with a great deal of effort. | B3-A |
not surmountable | | Cannot be overcome at the moment, no known vulnerability. | |
The quality is assessed in eight stages. The effectiveness of the method is combined with the test depth passed for the implementation. The correctness of the implementation is in turn assessed in six stages. In particular, a check is made for program errors and for the extent to which the implementation actually realizes the previously evaluated method. In contrast to the BSI guideline ITSK, ITSEC does not combine effectiveness and trustworthiness into one value, but treats the values separately.
BSI ITS Q | effectiveness | correctness | ITSEC E | TCSEC |
---|---|---|---|---|
Q0 | not suitable | ineffective | E0 | D |
Q1 | medium strength | Informal specification of the architecture, functional test, targeted attacks | E1 | C1 |
Q2 | medium strength | Additional informal description of the detailed design (detailed specification) | E2 | C2 |
Q3 | strong | Analysis of the source code or the hardware layout | E3 | B1 |
Q4 | strong | Formal security model, semi-formal detailed specification | E4 | B2 |
Q5 | very strong | Detailed specification must be reproducible on the source code | E5 | B3 |
Q6 | very strong | In addition, formal specification and analysis of the architecture | E6 | |
Q7 | currently not surmountable | In addition, formal specification and verification of the architecture | | A |