German IT security criteria


The German IT Security Criteria (ITS or ITSK, also Green Paper) are a guideline for the evaluation and certification of computer systems and software, drawn up in 1989/1990 by the Central Office for Information Security (now BSI). They are the German counterpart to the American Orange Book and form the basis for newer standards such as ITSEC and the Common Criteria.

The assessment is similar to ITSEC, but along only two axes: functionality and trustworthiness. Trustworthiness is examined in terms of the effectiveness of the method and the correctness of the implementation. Both values are then combined into a quality class.

Functionality classes

In contrast to the American Orange Book, these IT security criteria evaluate functionality and trustworthiness (quality) separately. Within trustworthiness, a further distinction is made between correctness and effectiveness. This results in three dimensions of evaluation. Only the first 5 of the 10 functionality classes form a hierarchical order:

BSI ITS F | ITSEC F | Meaning | TCSEC
F1 | F-C1 | Simple security, cooperative users | C1
F2 | F-C2 | Login mechanism, individual user data separated, (simple) logging | C2
F3 | F-B1 | Security model, rule-based protection levels | B1
F4 | F-B2 | Formal security model, secure data flow for authentication | B2
F5 | F-B3 | Reference monitor properties, formally verifiable | B3 / A

There are also other functionality classes that relate to the consistency of data and the availability of services:

BSI ITS F | ITSEC F | Meaning
F6 | F-IN | Rules to maintain the integrity and consistency of the data, type concept (especially for database systems: constraints and transactions)
F7 | F-AV | Availability, error bridging, failure probability (precautions for power failure, redundant hardware, backups)

There are also three classes of functionality that relate to the transmission of data (especially in networks ):

BSI ITS F | ITSEC F | Meaning
F8 | F-DI | Securing the integrity and authenticity of messages (electronic signature)
F9 | F-DC | Securing the confidentiality of messages (encryption)
F10 | F-DX | Requirements for secure networks

Quality classes

When evaluating the quality (trustworthiness) of a computer system, a distinction is made between the effectiveness of the method and the correctness of the implementation. These two values are then combined into one quality value.

Effectiveness describes the resistance of a protective mechanism against attempted circumvention. ITSEC distinguishes between three levels of effectiveness, whereas the ITSK defines a finer assessment (six levels):

BSI ITS | ITSEC | Meaning | TCSEC
not suitable | - | No protection. | D
weak | low | Only protection against accidental, unintentional violations of the security rules. Easy to get around. |
medium strength | medium | Protection against intentional violations by attackers with limited opportunity and resources. | C1-C2
strong | strong | Good protection, only to be circumvented with great effort. | B1-B2
very strong | | Very good protection, can only be circumvented with a great deal of effort. | B3-A
not surmountable | | Cannot be overcome at the moment, no known vulnerability. |

The quality is assessed in eight stages. The effectiveness of the method is combined with the test depth that the implementation has passed. The correctness of the implementation is in turn assessed in six stages. In particular, a check is made for program errors and for the extent to which the implementation actually realizes the previously evaluated method. In contrast to the BSI guideline ITSK, ITSEC does not combine effectiveness and trustworthiness, but treats the values separately.

BSI ITS Q | Effectiveness | Correctness | ITSEC E | TCSEC
Q0 | not suitable | ineffective | E0 | D
Q1 | medium strength | Informal specification of the architecture, functional test, targeted attacks | E1 | C1
Q2 | medium strength | Additional informal description of the detailed design (detailed specification) | E2 | C2
Q3 | strong | Analysis of the source code or the hardware layout | E3 | B1
Q4 | strong | Formal security model, semi-formal detailed specification | E4 | B2
Q5 | very strong | Detailed specification must be reproducible on the source code | E5 | B3
Q6 | very strong | In addition, formal specification and analysis of the architecture | E6 |
Q7 | currently not surmountable | In addition, formal specification and verification of the architecture | | A
