Date: Wed May 18 19:45:34 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Can ISO15408 evaluated products be trusted? 

On Wed, 18 May 2005 08:25:32 PDT, Nora Barrera said:
> Does anybody understand what is really tested during
> an evaluation, or is it just bullshit?

Ask the vendor for a copy of the evaluation report.  

http://csrc.nist.gov/cc/

The *important* part you want to find is the 'Protection Profile' that
it was evaluated against - this replaces the old C1/C2/B1/B2/A levels
in the old DOD Orange Book. Note *very* carefully this change from
Orange Book:

There are *two* components - the Protection Profile (how much stuff the system
is designed to protect) and the EAL (evaluation assurance profile) (how good/
thorough a job the system does).  So it's possible to get a very high rating on
a not-very-protective profile (and in fact, many vendors have done this).

http://niap.nist.gov/cc-scheme/pp/index.html has a list of profiles.

Note that the EAL and PP interact - a CAPP (Controlled Access) evaluated at EAL4
may actually provide less *real* protection than an LSPP (Labeled System) evaluated
to EAL3 - the EAL4 just means they've done more work to prove the *provided*
security works as advertised.

The NSA reportedly did an EAL7 light switch.  They did a *LOT* of work proving
there was no possible way to subvert any of the security mechanisms the light
switch provided. :)

(And yes, many vendors went for an EAL4 on a lower protection profile instead
of an EAL3 on a profile that required more features - don't let Microsoft, IBM,
Suse, or *anybody* brag up that EAL4 till they tell you what profile it was against ;)
