Common Criteria Certification in China: A comparison with the schemes of the CCRA
Helmut Kurth, Yan Liu, David Ochel and Fiona Pattinson
atsec information security
Zhang Li
China Information Technology Security Certification Center
The Common Criteria standards
Signatories of the CCRA mutually accept certificates produced by “certificate authorizing” signatories and use the standards produced by the Common Criteria Development Board, currently Version 2.3 of the Common Criteria. Version 3.1 of the Common Criteria and the Common Evaluation Methodology are currently under development and expected to be officially published before September 2006.
ISO/IEC 15408 and ISO/IEC 18045 (analogous to the Common Evaluation Methodology, the CEM) are closely related to the Common Criteria Standards.
The Chinese standard GB/T 18336-2001 is equivalent to the Common Criteria through its equivalency to ISO/IEC 15408:1999. CC Version 2.1 became the international standard ISO/IEC 15408:1999, which was adopted as Chinese standard GB/T 18336-2001 in 2001. ISO/IEC 15408:1999 was superseded by ISO/IEC 15408:2005, which is mainly equivalent to version 2.2 of the Common Criteria.
In P.R. China the following standards are relevant:
Related to ISO/IEC 15408, GB/T 18336 consists of the following three parts:
- GB/T 18336.1-2001 equivalent to ISO/IEC 15408-1:1999 Information technology Security techniques Evaluation Criteria for IT Security Part 1: Introduction and general model
- GB/T 18336.2-2001 equivalent to ISO/IEC 15408-2:1999 Information technology Security techniques Evaluation Criteria for IT Security Part 2: Security functional requirements
- GB/T 18336.3-2001 equivalent to ISO/IEC 15408-3:1999 Information technology Security techniques Evaluation Criteria for IT Security Part 3: Security assurance requirements
Although the CEM was used as a reference during the evaluation work carried out by CNITSEC, there was no related Chinese version of the ISO/IEC 18045 standard until recently. CNITSEC uses its own rules and manual for the product certification scheme, which is not formally harmonized with any other national scheme.
The table below shows the differences between the Chinese standard and the CC:
| Section in GB/T 18336 | Differences compared to CC | Content in GB/T 18336 |
|---|---|---|
| Part 1. [7] Foreword | Special foreword in the Chinese CC standard. | This standard is equivalent to International standard ISO/IEC 15408-1:1999 Information technology Security techniques Evaluation Criteria for IT Security Part 1: Introduction and general model. It is adopted in the P.R.China. This standard is owned by the Chinese Informational Construction Office and produced by the China Technology Standardization Committee. This standard is drafted and developed by the China Information Technology Security Certification Center (CNITSEC), The 30-th institute of Information Industry Bureau, China State Information Center, Fudan University. Its major authors are Shizhong Wu, Qimin Xi, Jianzhong Luo, Guanbao Fang, Yafei Wu, Xiaohua Chen, Limin Lei, Hong Ye, Chengrong Wu, Yuanfei Huang, Weihong Ren, Yuhua Cui. This standard is finally explained by CNITSEC. |
| Part 1. Section 1 Scope | In GB/T 18336, CC is used in whole articles to mention this standard. | Because of the compliance and historical reasons, we continue to call the GB/T 18336 as Common Criteria (CC) in this standard. |
| Part 1. Section 2 Reference | Additional reference in the Chinese CC standard. | Additional reference: GB/T 9387.2 1995 Information disposal system, Open System Interconnection, Basic reference model Part 2: Security System Structure (equivalent to ISO/IEC 7498-2:1989) |
| Part 2. [8] Foreword | Special foreword in Chinese CC part 2. | This standard is proposed by the Chinese Informational Construction Office. This standard is owned by the China Technology Standardization Committee. This standard is developed by China Information Technology Security Certification Center (CNITSEC), The 30-th institute of Information Industry Bureau, China State Information Center, Fudan University. Its major authors are Shizhong Wu, Jianzhong Luo, Guanbao Fang, Xiaohua Chen, Qimin Xi, Limin Lei, Yafei Wu, Hong Ye, Chengrong Wu, Yuanfei Huang, Jianjun Zhang, Weihong Ren, Yuhua Cui. |
| Part 2. Section 2 Reference | GB/T 18336.1 is reference of the part II of Chinese CC. | GB/T 18336.1 Information Technologies Security Techniques - Evaluation Criteria for IT Security Part 1: Introduction and general model (equivalent to ISO/IEC 15408.1) |
| Part 3. [9] Foreword | Special foreword in Part 3 of Chinese CC. | This standard is equivalent to International standard ISO/IEC 15408-1:1999 Information technology Security techniques Evaluation Criteria for IT Security Part 3: Security Assurance Requirements. This standard is proposed by the Chinese Informational Construction Office. This standard is owned by the China Technology Standardization Committee. This standard is developed by the China Information Technology Security Certification Center (CNITSEC), The 30-th institute of Information Industry Bureau, China State Information Center, Fudan University. Its major authors are Shizhong Wu, Qimin Xi, Jianzhong Luo, Guanbao Fang, Yafei Wu, Xiaohua Chen, Limin Lei, Hong Ye, Chengrong Wu, Yuanfei Huang, Weihong Ren, Yuhua Cui. This standard is finally explained by CNITSEC. |
| Part 3. Section 2 Reference | Additional reference in Part 3 of Chinese CC. | Additional reference: GB/T 9387.2 1995 Information disposal system, Open System Interconnection, Basic reference model Part 2: Security System Structure (equivalent ISO/IEC 7498-2:1989) |

Table 1: Comparison of Chinese CC Standards to the ISO/IEC 15408 family
In general, the Chinese GB/T 18336 is almost a direct translation of ISO/IEC 15408. Apart from the CC standard itself, the Chinese CC evaluation scheme has the following major differences compared to CCRA schemes (such as the U.S. CCEVS or the German BSI).
- There is still no commercial evaluation laboratory in China. The current laboratories are all government sections, although CNITSEC has plans to increase the number of evaluation sections.
- CNITSEC is also responsible for surveying or managing the product certificate after it has been issued.
- It is not necessary to re-evaluate a product due to a minor version release of the product.
Certification Activity
Figure 5 shows the breakdown of products certified by CNITSEC. The first products were certified in 1999. Since then, there have been a total of 374 products certified, 38 of those occurring in 2005. This information was obtained from the CNITSEC website [10] at http://www.itsec.gov.cn/webportal/portal.po?UID=DWV1_WOUID_URL_20600
Figure 4 shows a similar graph depicting the categorization of products evaluated under the CCRA scheme and reported on the Common Criteria Portal. Because of differences in the schemes, and because the criteria for categorization are not public, it is not possible to produce the information using the same taxonomy.
Table 2 uses information about CCRA certificate producing nations derived from the certified products list of the Common Criteria Portal [11]. It does not include certificates dated after December 31st, 2005 nor does it include those at EAL5 or greater, or those posted as re-certifications. The list does not include certificates for those projects that chose not to publicize their status.
| | Number of laboratories in scheme | Number of Certificates in 2005 | Total number of certificates 2005 and earlier |
|---|---|---|---|
| P.R. China | 15 | 38 | 374 |
| Australia & New Zealand | 3 | 3 | 13 |
| Canada | 3 | 18 | 42 |
| France | 6 | 14 | 79 |
| Germany | 14 | 22 | 73 |
| Japan | 3 | 18 | 29 |
| Netherlands | 1 | 0 | 0 |
| Norway | 2 | 0 | 0 |
| UK | 5 | 8 | 49 |
| USA | 10 | 48 | 104 |
| Total for CCRA | 47 | 146 | 389 |

Table 2: Comparison of certificates issued in CC or ISO/IEC 15408 based schemes
Conclusion
The national schemes operating under the predecessor to the CCRA in 1998, and the scheme operated by the P.R. of China, begun in 1997, have been in operation for a similar length of time.
Although the operation of the Chinese scheme is not formally co-ordinated or harmonized with those certificate producing nations of the CCRA, some similarities are noted between the member schemes that are part of the Common Criteria Recognition Arrangement (CCRA) and the scheme operated by the P.R. China. The Chinese standards have relied heavily on the ISO/IEC equivalents, but are still at initial status, and as shown in Table 1, do contain some differences from the International versions.
Considered as an entity, the schemes co-operating under the CCRA have evaluated slightly more products than the Chinese scheme; some of the European national schemes, such as those operated in Germany, France and the UK, have evaluated still more products under the ITSEC scheme.
The resources available to each laboratory and those of the national schemes have not been assessed, and so the difference in the number of laboratories is explained as reflecting national scheme differences.
References
[1] J. Walton "WTO: China Enters Year Three," The China Business Review 2004. http://www.chinabusinessreview.com/public/0401/01.html
[2] The Common Criteria Sponsoring Organizations "Common Criteria for Information Technology Security Evaluation Version 2.1," August 1999.
[3] The Common Criteria Sponsoring Organizations "Common Criteria for Information Technology Security Evaluation Version 2.3," 2005.
[4] International Organization for Standardization (ISO) "ISO/IEC 15408-1:2005 Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model."
[5] International Organization for Standardization (ISO) "ISO/IEC 15408-2:2005 Information technology Security techniques Evaluation criteria for IT security Part 2: Security functional requirements."
[6] International Organization for Standardization (ISO) "ISO/IEC 15408-3:2005 Information technology Security techniques Evaluation criteria for IT security Part 3: Security assurance requirements."
[7] GB/T 18336.1 Information technology Security techniques Evaluation Criteria for IT Security Part 1: Introduction and general model.
[8] GB/T 18336.2 Information technology Security techniques Evaluation criteria for IT security Part 2: Security functional requirements.
[9] GB/T 18336.3 Information technology Security techniques Evaluation criteria for IT security Part 3: Security assurance requirements.
[10] CNITSEC web site, China Information Technology Security Certification Center http://www.itsec.gov.cn/
[11] Common Criteria Portal, The official website of the Common Criteria Project: List of Evaluated Products at URL http://www.commoncriteriaportal.org/public/consumer/index.php?menu=4
[12] Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security. May 2000, available from http://www.commoncriteriaportal.org/public/files/cc-recarrange.pdf
About the authors:
Zhang Li
(zhangli@itsec.gov.cn)
attended the Hubei Technological Institute from 1991 to 1995 and attained a Bachelor Degree in Mechanical Theory and later a Master Degree in Automobile Engineering at the Hunan University. He then attained a Doctor Degree in Automobile Engineering from the Shanghai Jiaotong University. Since 2001 Zhang Li has worked for the China Information Technology Security Certification Center as Deputy Chief Engineer, in charge of information system security test and evaluation.
Fiona Pattinson
(fiona@atsec.com)
is a laboratory manager for the information security provider, atsec (www.atsec.com). atsec has accredited laboratories for evaluation of requirements of Common Criteria under both the German (BSI) scheme and the US (NIAP) scheme, and for FIPS 140-2, and Personal Identity Verification. atsec also provides services for ISO/IEC 27001 and in IT security consulting.
Ms Pattinson is a Certified Information Systems Security Professional (CISSP) and Certified Software Development Professional (CSDP). She earned her M.Sc. in ‘Computing for Commerce and Industry’ from the UK’s Open University. She serves on the U.S. INCITS CS1 committee ‘Cyber Security’ and works on the ISO SC27 WG3 ‘Security Techniques’ working on Common Criteria and other security standards.
Ms Pattinson’s IT career began in 1984 with assembly programming, progressing through operations management, technical support, systems analysis, new-business development and as a software-development quality and information-security consultant.
Helmut Kurth
(helmut@atsec.com)
is a co-founder of atsec information security and has been active in security research and standardization in information security for more than 20 years. He is one of the leading experts on information technology (IT) security in Europe and the main author of the German IT security evaluation criteria and the associated evaluation methodology.
Kurth speaks regularly at conferences and has published numerous papers on information security. He has been an active member of the Steering Committee of ESORICS (European Symposium on Research in Computer Security) since it was founded and has been a member of the program committees of various conferences for research in computer security including the IEEE Symposium on Security and Privacy, the ACM Conference on Computer and Communication Security, ESORICS, and the ACM Symposium on Applied Computing (Track on Computer Security).
Helmut Kurth holds a master’s degree in Applied Mathematics from the University of Bonn.
David Ochel
(david@atsec.com)
is a Principal Consultant with atsec information security in Austin, TX. He holds a degree in Computer Science from the University of Applied Sciences Bonn-Rhein-Sieg in Germany. Originally specializing in technical consulting for Public Key Infrastructures, David has been working as an evaluator for numerous Common Criteria evaluation projects with atsec under the German and US Schemes and was atsec’s lead evaluator for an EAL4 component evaluation leading to the accreditation of atsec’s Austin-based Common Criteria Testing Laboratory for performing evaluations under NIAP’s Common Criteria Evaluation and Validation Scheme. David is currently involved in various Common Criteria projects for atsec, either as a consultant, evaluator, or project manager.
Yan Liu
(yan@atsec.com)
attended a B.Sc. program in Computational Mathematics and Its Applied Software at the College of Applied Sciences, Beijing Polytechnic University, China. In 2002 he graduated as an Information Security and Management graduate student at The Chinese Academy of Sciences. He then attained an M.Sc. in Information Security Technology at Eindhoven University of Technology (TU/e), Netherlands. Yan Liu works as Chief Representative and Senior Consultant in Beijing, China.