Security evaluation means assessing a computer system or product to see whether it meets the security requirements defined by an information security evaluation standard.
Trusted Computer System Evaluation Criteria (TCSEC) was the first computer security evaluation standard; it was published by the U.S. Department of Defense in 1985. TCSEC influenced other countries, and very soon several European countries used TCSEC as the basis for developing their own security evaluation standards.
In 1996, America, together with 5 European countries (UK, France, Germany, Netherlands and Canada), the NSA (National Security Agency) and NIST (National Institute of Standards and Technology), developed a new criterion called the Common Criteria (CC). In 1999 the Common Criteria (CC) was recognized by ISO and named "ISO/IEC 15408-1999".
In this essay TCSEC and CC are discussed, compared and contrasted to find out their similarities and differences, and the strengths of CC are indicated.
The answers for the topic are based on research into relevant articles and journals; most of the resources are from the internet. The materials are then analyzed and discussed.
The outline of the report is as follows:
Introduction - brief description of the topic.
Background - explanation of TCSEC and CC.
Compare and contrast the two standards.
Describe the similarities and differences between the two standards and state the advantages of CC.
Some journals, articles and books are used in this report which can be found in the references.
This section discusses TCSEC and its evaluation classes. It also describes CC, the evaluation assurance levels of CC and the evaluation process.
TCSEC - Evaluation Class               CC - Assurance Levels
C2  Controlled Access Protection       EAL3  Methodically tested & checked
B1  Labeled Security Protection        EAL4  Methodically designed, tested, reviewed
B2                                     EAL5  Semi-formally designed and tested
B3                                     EAL6  Semi-formally verified design and tested
A1                                     EAL7  Formally verified design and tested
Table 1 - Evaluation Classes of TCSEC and Evaluation Assurance Levels of CC
TCSEC is commonly called the "Orange Book" (the cover of the book is orange). TCSEC has 4 divisions and 7 evaluation classes. Each class contains security requirements, and it is used to determine the level of trust of a computing system.
The divisions of TCSEC are A, B, C and D, and the seven evaluation classes are: D (lowest), C1, C2, B1, B2, B3 and A1 (highest). A is more secure than D, and 2 is more secure than 1. (See Table 1)
Level D: non-secure system. Level D only contains the D1 evaluation class. D1 is the lowest protection and only provides minimal security protection for files and users. Level D applies to any system which has been evaluated but did not meet the requirements of a higher evaluation class.
Level C: Discretionary protection. Level C provides audit trail protection and includes C1 and C2. C1 is discretionary security protection and is the lower class in Level C. C1 provides discretionary access control and is responsible for identification and authentication. C2 has all the security features of C1 and adds an audit trail and access protection. C2 requires individual user log-in with a password and an audit trail system. C2 uses the log-in process, security event auditing and resource isolation to strengthen access protection.
Level B: Mandatory control. There are 3 classes in Level B: B1, B2 and B3. B1 has all the requirements of C2 and also some new requirements: each object has a label which is under system control. It uses sensitivity labels as the basis of all access control and labels every object that is imported into the system. When the system administrator adds a new communication channel or I/O mechanism, he has to manually assign a security level to the channel or mechanism. The system uses the user's password to determine the user's access level, and it also uses auditing to record any unauthorized access. B2 has all the requirements of B1. Besides that, the B2 administrator must have a clear, documented security policy for the trusted computing base. B2 has some new security requirements: the system must immediately report any change between a user and the associated network, only the user is able to initiate communication on the trusted path, and the trusted computing base supports separate administrator and operator roles. B3 has all the requirements of B2, but B3 has a stronger ability to monitor access and to resist interference. A B3 system has to define the security role of the administrator. The new security requirements for B3 are: provide a readable security list, some objects are not allowed to be accessed by certain users, the system has to provide a description of the users and identify the user before any operation, and the trusted computing base establishes a security audit trail for each labeled object.
Level A has the highest security. Level A only has the A1 class. A1 is similar to B3. The distinguishing feature of A1 is that the developer of the system must adopt a formal design specification to analyze the system. After analysis, the developer has to use verification technology to ensure that the system meets the design specification. The entire installation operation must be done by the system administrator, and each step has to be supported by formal documentation.
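The difference between the Level C and Level B access control models described above can be shown in code. The following is an added illustration, not part of the essay: discretionary access control (owner-granted permissions, as in C1), an audit trail of every decision (as required by C2), and a mandatory sensitivity-label check that the owner's grant cannot override (as in B1). All users, labels, objects and permissions are constructed for the example.

```python
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # B1 rule: a subject may read an object only if its clearance dominates
        # the object's label (level at least as high, categories a superset).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass
class LabeledSystem:
    clearances: dict   # user -> Label, assigned by the administrator (constructed)
    objects: dict      # object -> (owner, Label); labels are under system control
    acl: dict = field(default_factory=dict)   # (object, user) -> set of modes (DAC)
    audit: list = field(default_factory=list)  # C2-style audit trail

    def grant(self, grantor, obj, user, mode):
        # DAC (C1): only the owner decides who else may access the object.
        if self.objects[obj][0] != grantor:
            self.audit.append(f"DENY grant by {grantor} on {obj}: not owner")
            return False
        self.acl.setdefault((obj, user), set()).add(mode)
        self.audit.append(f"GRANT {mode} on {obj} to {user} by {grantor}")
        return True

    def read(self, user, obj):
        owner, label = self.objects[obj]
        dac_ok = user == owner or "read" in self.acl.get((obj, user), set())
        # MAC (B1): the label check cannot be overridden by the owner's grant.
        mac_ok = self.clearances[user].dominates(label)
        allowed = dac_ok and mac_ok
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} read {obj} by {user}"
                          f" dac={dac_ok} mac={mac_ok}")
        return allowed

def demo():
    # Constructed scenario: the owner grants read access, but the reader's
    # clearance (confidential) does not dominate the object's label (secret).
    s = LabeledSystem(clearances={"alice": Label("secret", frozenset({"crypto"})),
                                  "bob": Label("confidential")},
                      objects={"plan.txt": ("alice", Label("secret", frozenset({"crypto"})))})
    s.grant("alice", "plan.txt", "bob", "read")
    return s.read("bob", "plan.txt"), s.read("alice", "plan.txt"), s.audit
```

Under pure DAC bob's read would succeed; the mandatory label check is what turns it into a logged denial.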
In TCSEC, to establish the security of a system and give some assurance about it, the system has to meet the security requirements of its class.
TCSEC was replaced by CC. CC is a framework of mutually recognized evaluation criteria and it contains 3 parts: the security model, security functional requirements and security assurance requirements.
Security assurance components are the basis for the security assurance requirements, which are expressed in a Protection Profile (PP) or a Security Target (ST).
A Protection Profile states the security requirements of customers, or of a community of users, for a class of Targets of Evaluation (TOE). A PP uses an implementation-independent template to express security requirements. This is useful when implementing a product line or a family of related products.
Some Protection Profiles copy the TCSEC security requirements of C2 and B1. Protection Profiles include: a template for a commercial security profile, firewall profiles for packet filters and application gateways, smart card profiles, a database profile and a role-based access control profile.
A Security Target consists of a collection of security requirements and is used to evaluate a computer system or product.
Figure 1 - The PP/ST specification framework
Evaluation is the use of defined criteria to assess a computer system or IT product. Figure 1 shows the specification framework for Targets of Evaluation. The Common Criteria evaluation process starts by identifying a TOE (Target of Evaluation), for example a computer system or product, and then takes as input an ST which describes the security functions of the TOE. For the system to be judged secure, it should meet a set of security requirements or a protection profile.
Common Criteria provides a set of Evaluation Assurance Levels (EAL) from EAL1 (lowest) to EAL7 (highest), which are awarded to products and systems upon successful completion of evaluation (see Table 1). The Common Criteria has been adopted by ISO (as ISO 15408).
EAL1 - Functionally tested. EAL1 applies where some confidence in correct operation is required, but the security threats are not viewed as serious. EAL1 provides evidence of testing and its documentation.
EAL2 - Structurally tested. EAL2 requires the developer's cooperation in delivering design information and test results, but it does not demand much effort beyond what is consistent with good commercial practice.
EAL3 - Methodically tested & checked. Without substantial changes to sound existing development practices, it allows a conscientious developer to obtain maximum assurance from correct security engineering during the design phase.
EAL4 - Methodically designed, tested, reviewed. It allows developers to obtain maximum assurance from correct security engineering based on good, rigorous commercial development practice. This development practice does not require much specialist knowledge, skill or other resources. Under reasonable economic conditions, and when retrofitting an existing product line, EAL4 is the highest level that can be achieved.
EAL5 - Semi-formally designed and tested. It enables developers to obtain maximum assurance from security engineering based on rigorous commercial development practice, supported by the appropriate application of specialist security engineering techniques.
EAL6 - Semi-formally verified design and tested. It enables developers to gain a high level of assurance through the application of security engineering techniques and a rigorous development environment. This is intended to produce a costly TOE to protect high-value assets against major risks.
EAL7 - Formally verified design and tested. It is applicable to the development of secure TOEs for use where the risk is very high, or where high-value assets justify the higher cost.
This section discussed TCSEC and CC, and explained the evaluation classes of TCSEC, the evaluation assurance levels of CC and the evaluation process. These discussions are important because they help to find out the similarities and differences between TCSEC and CC.
In the next section, TCSEC and CC are compared and contrasted based on the above discussion.
Compare and contrast TCSEC and CC
This section discusses the similarities and differences between the two security standards based on the above description of TCSEC and CC. It also states the strengths of CC and explains why CC is a relatively successful security evaluation standard.
Even though TCSEC has been replaced by CC, they still have some similarities. Both are security evaluation standards that evaluate computer systems by security level classification, and each level has its own security requirements. Both provide confidentiality security functionality and evaluate computer operating systems.
Although CC has some similarities with TCSEC, the two are different in many ways.
TCSEC is only used in the U.S. From the beginning, TCSEC was designed to focus on standalone computer systems, and it suited the evaluation of military operating systems. TCSEC does not include security criteria for open systems, and its criteria are for a static model. TCSEC only considered protecting the system owner and operator, and did not cover the user security area, especially the security of telecommunication system users. It also only considered confidentiality for the documents of the system owner and did not address integrity and availability. From Table 1 we see that TCSEC evaluation mixes security and functionality, so if any hardware or software is changed, the system has to be evaluated again from the start.
CC, by contrast, is recognized by ISO and applies across nations. Compared with TCSEC, CC is more complete. Common Criteria does not only focus on operating systems but also covers networks and databases. Common Criteria includes security criteria for open systems and criteria for a dynamic model. CC maintains system confidentiality, availability and integrity through the TOE's security specifications. CC separates security from functionality, so a change in functionality does not invalidate the evaluation.
The evaluation processes of the two standards are also different. TCSEC checks whether a system is secure using the security requirements of its evaluation class. In a Common Criteria evaluation, the Common Criteria are used to evaluate the product or computer system. The evaluation stages are: Protection Profile evaluation, Security Target evaluation, TOE evaluation and assurance maintenance. CC evaluates a system starting from identifying a TOE, and then developing a set of criteria against which the TOE is evaluated. At each step, more detailed information is added. To determine whether the system is secure, it should meet a set of security criteria or a protection profile. Finally, TCSEC has been superseded by CC: TCSEC has been abandoned, while CC is still the ongoing security evaluation standard.
The advantages of CC
From the above comparison of the differences between TCSEC and CC, we can point out that CC is a relatively successful security evaluation standard because CC has several advantages. CC is an international security standard, and many countries acknowledge its evaluation results.
CC focuses on security objectives and the related threats, and its evaluation process helps to enhance the confidentiality, availability and integrity of the system.
CC provides a detailed set of security criteria, and the criteria are easily understood by both customers and suppliers. Customers can use them to determine the security level of products and to identify their own security requirements, so that suppliers can design products for them; suppliers can also use them to describe the security features of their product or system.
Customers can trust the evaluation because the testing is done independently and not by the supplier.
In this section, the similarities and differences between TCSEC and CC have been discussed, and after the comparison the advantages of CC have been indicated.
To sum up, through the discussion of the evaluation processes and assurance levels of TCSEC and CC, we have found the similarities and differences between the two standards and also the advantages of CC.
TCSEC was the first security evaluation standard, and it defines 4 divisions and 7 evaluation classes. Each evaluation class contains security requirements, and these requirements help to identify the security level of a system or product. TCSEC provides identification and authentication for users accessing system documents, and also provides an audit trail and access protection.
TCSEC evaluates systems or products by checking whether the system meets the security requirements.
TCSEC has been replaced by CC, and CC is an international security evaluation standard.
CC provides Protection Profiles and Security Targets, which are documents for specifying security requirements. CC has 7 evaluation assurance levels.
Because CC grew out of TCSEC, they have some similarities, but in fact they are quite different. TCSEC only applies to operating systems and focuses on the requirement of confidentiality. CC gives a full description of the security model, security concepts and security functionality.
Compared with TCSEC, CC has some advantages. Its evaluation results are accepted by many nations, and suppliers can design products for customers based on their stated requirements. CC maintains system confidentiality, availability and integrity. After the comparison we can say that CC is a relatively successful security evaluation standard.