Introduction to Common Criteria
Common Criteria is the internationally accepted replacement for the outmoded United States Department of Defense Orange Book security evaluations. Government agencies around the world as well as many other organizations require Common Criteria evaluation as part of their product selection process.
Common Criteria allows product vendors to describe the security functions they offer in a standard manner, and allows customers to describe the security functions they require. Common Criteria makes it possible to map these two sets of features to a meaningful suite of products.
The hardware must be located in a secure physical environment, and no user of any type should reveal keys or passwords. Additionally, users should not allow written records or notes to be seen by unauthorized personnel.
For more information about Common Criteria, see http://www.commoncriteriaportal.org.
Common Criteria Overview
Common Criteria (ISO/IEC 15408) is a “cookbook” that allows for considerable latitude in meeting specific functional requirements. A secure Junos software environment targets several areas of concern to deliver Evaluation Assurance Level 3 (EAL3) security to users. These areas include:
- SHA-2 support—A secure Junos software environment supports the SHA-2 family of cryptographic algorithms internally.
- Routing correctness—A secure Junos software environment supports all routing protocols required by Common Criteria EAL3.
- Manager identification and authentication—Only system managers (superusers) can change the authentication data for locally authenticated users in a secure Junos software environment.
- Configuration change accounting—Configuration changes in a secure Junos software environment are audited through syslog or RADIUS/TACACS+.
- Management traffic separation—A secure Junos software environment treats managers and the information they require differently from user traffic.
Acronyms and Terms
The following acronyms and terms apply to a secure Junos software environment and are not necessarily Common Criteria-specific.
- CAVS—Cryptographic Algorithm Validation System. Used as part of FIPS certification.
- EAL—Evaluation Assurance Level. An assurance requirement defined by Common Criteria. For example, EAL2 is Evaluation Assurance Level 2 and EAL3 is Evaluation Assurance Level 3. Higher levels have more stringent requirements.
- ECC—Elliptic Curve Cryptography. A public key algorithm technique applied over an elliptic curve (a mathematical expression). Operations over an elliptic curve are known to be faster and more secure, and to provide equivalent security using a smaller number of bits.
- ECDH—Elliptic Curve Diffie-Hellman. Applies the Diffie-Hellman algorithm over an elliptic curve.
- ECDSA—Elliptic Curve Digital Signature Algorithm. Applies digital signatures over an elliptic curve.
- FIPS—Federal Information Processing Standard. FIPS 140-2 and FIPS 140-3 deal with security and cryptographic modules.
- KATS—Known Answer Test System. Used to validate the cryptographic algorithm implementation, typically for verifying FIPS compliance.
- TOE—Target of Evaluation. Used to identify the component under evaluation for compliance.