书签分享收藏举报版权申诉 / 294

立即下载加入VIP,交流精品资源

当前位置：首页 > 标准规范 > 国际标准 > ANSI > ANSI INCITS ISO IEC 18045-2008 Information technology - Security techniques - Methodology for IT security evaluation《信息技术.安全技术.IT安全评估用方法学》.pdf

ANSI INCITS ISO IEC 18045-2008 Information technology - Security techniques - Methodology for IT security evaluation《信息技术.安全技术.IT安全评估用方法学》.pdf

上传人：cleanass300

文档编号：436270

上传时间：2018-11-14

格式：PDF

页数：294

大小：3.11MB

《ANSI INCITS ISO IEC 18045-2008 Information technology - Security techniques - Methodology for IT security evaluation《信息技术.安全技术.IT安全评估用方法学》.pdf》由会员分享，可在线阅读，更多相关《ANSI INCITS ISO IEC 18045-2008 Information technology - Security techniques - Methodology for IT security evaluation《信息技术.安全技术.IT安全评估用方法学》.pdf（294页珍藏版）》请在麦多课文档分享上搜索。

1、INCITS/ISO/IEC 18045-2008 (ISO/IEC 18045:2008, IDT) Information technology Security techniques Methodologyfor IT security evaluationINCITS/ISO/IEC 18045-2008(ISO/IEC 18045:2008, IDT)Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction

2、or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 18045-2008 ii ITIC 2008 All rights reserved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces whi

3、ch are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems In

4、corporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event

5、that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/1/2008 Published by American National Standards Instit

6、ute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American Nati

7、onal Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be sub

8、mitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-iii Contents Page 1 Scope 1 2 No

9、rmative references 1 3 Terms and definitions . 1 4 Symbols and abbreviated terms 3 5 Overview . 3 5.1 Organisation of this International Standard . 3 6 Document Conventions 3 6.1 Terminology . 3 6.2 Verb usage . 3 6.3 General evaluation guidance . 4 6.4 Relationship between ISO/IEC 15408 and ISO/IEC

10、 18045 structures . 4 7 Evaluation process and related tasks . 4 7.1 Introduction 4 7.2 Evaluation process overview . 5 7.2.1 Objectives 5 7.2.2 Responsibilities of the roles 5 7.2.3 Relationship of roles . 5 7.2.4 General evaluation model . 6 7.2.5 Evaluator verdicts . 6 7.3 Evaluation input task 8

11、 7.3.1 Objectives 8 7.3.2 Application notes 8 7.3.3 Management of evaluation evidence sub-task . 8 7.4 Evaluation sub-activities 9 7.5 Evaluation output task 9 7.5.1 Objectives 9 7.5.2 Management of evaluation outputs . 9 7.5.3 Application notes 10 7.5.4 Write OR sub-task . 10 7.5.5 Write ETR sub-ta

12、sk 10 8 Class APE: Protection Profile evaluation . 15 8.1 Introduction 15 8.2 Application notes 15 8.2.1 Re-using the evaluation results of certified PPs 15 8.3 PP introduction (APE_INT) . 16 8.3.1 Evaluation of sub-activity (APE_INT.1) . 16 8.4 Conformance claims (APE_CCL) . 17 8.4.1 Evaluation of

13、sub-activity (APE_CCL.1) 17 8.5 Security problem definition (APE_SPD) 21 8.5.1 Evaluation of sub-activity (APE_SPD.1) 21 8.6 Security objectives (APE_OBJ) . 23 8.6.1 Evaluation of sub-activity (APE_OBJ.1) 23 8.6.2 Evaluation of sub-activity (APE_OBJ.2) 23 8.7 Extended components definition (APE_ECD)

14、 25 8.7.1 Evaluation of sub-activity (APE_ECD.1) . 25 8.8 Security requirements (APE_REQ) 29 8.8.1 Evaluation of sub-activity (APE_REQ.1) . 29 8.8.2 Evaluation of sub-activity (APE_REQ.2) . 32 9 Class ASE: Security Target evaluation . 36 9.1 Introduction 36 INCITS/ISO/IEC 18045-2008 ITIC 2008 All ri

15、ghts reservedCopyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-iv 9.2 Application notes 37 9.2.1 Re-using the evaluation results of certified PPs . 37 9.3 ST introduction (ASE_INT

16、) . 37 9.3.1 Evaluation of sub-activity (ASE_INT.1) 37 9.4 Conformance claims (ASE_CCL) 40 9.4.1 Evaluation of sub-activity (ASE_CCL.1) . 40 9.5 Security problem definition (ASE_SPD) . 45 9.5.1 Evaluation of sub-activity (ASE_SPD.1) . 45 9.6 Security objectives (ASE_OBJ) . 47 9.6.1 Evaluation of sub

17、-activity (ASE_OBJ.1) . 47 9.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 47 9.7 Extended components definition (ASE_ECD) . 49 9.7.1 Evaluation of sub-activity (ASE_ECD.1) . 49 9.8 Security requirements (ASE_REQ) . 53 9.8.1 Evaluation of sub-activity (ASE_REQ.1) 53 9.8.2 Evaluation of sub-activity (

18、ASE_REQ.2) 56 9.9 TOE summary specification (ASE_TSS) 60 9.9.1 Evaluation of sub-activity (ASE_TSS.1) . 60 9.9.2 Evaluation of sub-activity (ASE_TSS.2) . 61 10 Class ADV: Development . 62 10.1 Introduction . 62 10.2 Application notes 63 10.3 Security Architecture (ADV_ARC) . 63 10.3.1 Evaluation of

19、sub-activity (ADV_ARC.1) 63 10.4 Functional specification (ADV_FSP). 67 10.4.1 Evaluation of sub-activity (ADV_FSP.1) . 67 10.4.2 Evaluation of sub-activity (ADV_FSP.2) . 70 10.4.3 Evaluation of sub-activity (ADV_FSP.3) . 75 10.4.4 Evaluation of sub-activity (ADV_FSP.4) . 80 10.4.5 Evaluation of sub

20、-activity (ADV_FSP.5) . 85 10.4.6 Evaluation of sub-activity (ADV_FSP.6) . 90 10.5 Implementation representation (ADV_IMP) 90 10.5.1 Evaluation of sub-activity (ADV_IMP.1) 90 10.5.2 Evaluation of sub-activity (ADV_IMP.2) 92 10.6 TSF internals (ADV_INT) 93 10.6.1 Evaluation of sub-activity (ADV_INT.1

21、) 93 10.6.2 Evaluation of sub-activity (ADV_INT.2) 95 10.6.3 Evaluation of sub-activity (ADV_INT.3) 97 10.7 Security policy modelling (ADV_SPM) . 97 10.7.1 Evaluation of sub-activity (ADV_SPM.1) 97 10.8 TOE design (ADV_TDS) 97 10.8.1 Evaluation of sub-activity (ADV_TDS.1) . 97 10.8.2 Evaluation of s

22、ub-activity (ADV_TDS.2) . 100 10.8.3 Evaluation of sub-activity (ADV_TDS.3) . 105 10.8.4 Evaluation of sub-activity (ADV_TDS.4) . 113 10.8.5 Evaluation of sub-activity (ADV_TDS.5) . 122 10.8.6 Evaluation of sub-activity (ADV_TDS.6) . 122 11 Class AGD: Guidance documents 122 11.1 Introduction . 122 1

23、1.2 Application notes 122 11.3 Operational user guidance (AGD_OPE) . 122 11.3.1 Evaluation of sub-activity (AGD_OPE.1) 122 11.4 Preparative procedures (AGD_PRE) . 125 11.4.1 Evaluation of sub-activity (AGD_PRE.1) 125 12 Class ALC: Life-cycle support . 127 12.1 Introduction . 127 12.2 CM capabilities

24、 (ALC_CMC) . 127 12.2.1 Evaluation of sub-activity (ALC_CMC.1) 127 INCITS/ISO/IEC 18045-2008 ITIC 2008 All rights reservedCopyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-v 12.2.

25、2 Evaluation of sub-activity (ALC_CMC.2) . 128 12.2.3 Evaluation of sub-activity (ALC_CMC.3) . 130 12.2.4 Evaluation of sub-activity (ALC_CMC.4) . 133 12.2.5 Evaluation of sub-activity (ALC_CMC.5) . 139 12.3 CM scope (ALC_CMS) . 145 12.3.1 Evaluation of sub-activity (ALC_CMS.1) . 145 12.3.2 Evaluati

26、on of sub-activity (ALC_CMS.2) . 146 12.3.3 Evaluation of sub-activity (ALC_CMS.3) . 147 12.3.4 Evaluation of sub-activity (ALC_CMS.4) . 148 12.3.5 Evaluation of sub-activity (ALC_CMS.5) . 149 12.4 Delivery (ALC_DEL) . 150 12.4.1 Evaluation of sub-activity (ALC_DEL.1) 150 12.5 Development security (

27、ALC_DVS) . 152 12.5.1 Evaluation of sub-activity (ALC_DVS.1) 152 12.5.2 Evaluation of sub-activity (ALC_DVS.2) 154 12.6 Flaw remediation (ALC_FLR) . 157 12.6.1 Evaluation of sub-activity (ALC_FLR.1) 157 12.6.2 Evaluation of sub-activity (ALC_FLR.2) 159 12.6.3 Evaluation of sub-activity (ALC_FLR.3) 1

28、62 12.7 Life-cycle definition (ALC_LCD) 167 12.7.1 Evaluation of sub-activity (ALC_LCD.1) 167 12.7.2 Evaluation of sub-activity (ALC_LCD.2) 168 12.8 Tools and techniques (ALC_TAT) 170 12.8.1 Evaluation of sub-activity (ALC_TAT.1) 170 12.8.2 Evaluation of sub-activity (ALC_TAT.2) 171 12.8.3 Evaluatio

29、n of sub-activity (ALC_TAT.3) 174 13 Class ATE: Tests . 176 13.1 Introduction 176 13.2 Application notes 176 13.2.1 Understanding the expected behaviour of the TOE 177 13.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 177 13.2.3 Verifying the adequacy of tes

30、ts . 177 13.3 Coverage (ATE_COV) 178 13.3.1 Evaluation of sub-activity (ATE_COV.1) . 178 13.3.2 Evaluation of sub-activity (ATE_COV.2) . 179 13.3.3 Evaluation of sub-activity (ATE_COV.3) . 180 13.4 Depth (ATE_DPT) . 180 13.4.1 Evaluation of sub-activity (ATE_DPT.1) 180 13.4.2 Evaluation of sub-activ

31、ity (ATE_DPT.2) 182 13.4.3 Evaluation of sub-activity (ATE_DPT.3) 184 13.4.4 Evaluation of sub-activity (ATE_DPT.4) 186 13.5 Functional tests (ATE_FUN) . 187 13.5.1 Evaluation of sub-activity (ATE_FUN.1) 187 13.5.2 Evaluation of sub-activity (ATE_FUN.2) 189 13.6 Independent testing (ATE_IND) . 190 1

32、3.6.1 Evaluation of sub-activity (ATE_IND.1) . 190 13.6.2 Evaluation of sub-activity (ATE_IND.2) . 193 13.6.3 Evaluation of sub-activity (ATE_IND.3) . 198 14 Class AVA: Vulnerability assessment . 198 14.1 Introduction 198 14.2 Vulnerability analysis (AVA_VAN) . 198 14.2.1 Evaluation of sub-activity

33、(AVA_VAN.1) . 198 14.2.2 Evaluation of sub-activity (AVA_VAN.2) . 203 14.2.3 Evaluation of sub-activity (AVA_VAN.3) . 209 14.2.4 Evaluation of sub-activity (AVA_VAN.4) . 217 14.2.5 Evaluation of sub-activity (AVA_VAN.5) . 224 15 Class ACO: Composition 224 15.1 Introduction 224 INCITS/ISO/IEC 18045-2

34、008 ITIC 2008 All rights reservedCopyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-vi 15.2 Application notes 224 15.3 Composition rationale (ACO_COR) 225 15.3.1 Evaluation of sub-

35、activity (ACO_COR.1) 225 15.4 Development evidence (ACO_DEV) 231 15.4.1 Evaluation of sub-activity (ACO_DEV.1) 231 15.4.2 Evaluation of sub-activity (ACO_DEV.2) 232 15.4.3 Evaluation of sub-activity (ACO_DEV.3) 234 15.5 Reliance of dependent component (ACO_REL) 236 15.5.1 Evaluation of sub-activity

36、(ACO_REL.1) 236 15.5.2 Evaluation of sub-activity (ACO_REL.2) 238 15.6 Composed TOE testing (ACO_CTT) 241 15.6.1 Evaluation of sub-activity (ACO_CTT.1) . 241 15.6.2 Evaluation of sub-activity (ACO_CTT.2) . 243 15.7 Composition vulnerability analysis (ACO_VUL) 246 15.7.1 Evaluation of sub-activity (A

37、CO_VUL.1) 246 15.7.2 Evaluation of sub-activity (ACO_VUL.2) 249 15.7.3 Evaluation of sub-activity (ACO_VUL.3) 252 Annex A (informative) General evaluation guidance 257 A.1 Objectives 257 A.2 Sampling 257 A.3 Dependencies 259 A.3.1 Dependencies between activities 259 A.3.2 Dependencies between sub-ac

38、tivities 259 A.3.3 Dependencies between actions 259 A.4 Site Visits . 259 A.4.1 Introduction . 259 A.4.2 General Approach . 260 A.4.3 Orientation Guide for the Preparation of the Check List 261 A.4.4 Example of a checklist . 262 A.5 Scheme Responsibilities . 264 Annex B (informative) Vulnerability A

39、ssessment (AVA) 266 B.1 What is Vulnerability Analysis . 266 B.2 Evaluator construction of a Vulnerability Analysis . 266 B.2.1 Generic vulnerability guidance . 267 B.2.2 Identification of Potential Vulnerabilities . 274 B.3 When attack potential is used . 276 B.3.1 Developer . 276 B.3.2 Evaluator 2

40、77 B.4 Calculating attack potential . 278 B.4.1 Application of attack potential 278 B.4.2 Characterising attack potential . 278 B.5 Example calculation for direct attack . 284 INCITS/ISO/IEC 18045-2008 ITIC 2008 All rights reservedCopyright American National Standards Institute Provided by IHS under

41、 license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-vii Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodi

42、es that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other i

43、nternational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules gi

44、ven in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval

45、 by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 18045 was prepared by Joint

46、Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. The identical text of ISO/IEC 18045 is published by the Common Criteria Project Sponsoring Organisations as Common Methodology for Information Technology Security Evaluation. The common XML source

47、for both publications can be found at http:/i.es/xml. This second edition cancels and replaces the first edition (ISO/IEC 18045:2005), which has been technically revised. Legal Notice The governmental organizations listed below contributed to the development of this version of the Common Methodology

48、 for Information Technology Security Evaluations. As the joint holders of the copyright in the Common Methodology for Information Technology Security Evaluations, version 3.1 (called CEM 3.1), they hereby grant non-exclusive license to ISO/IEC to use CEM 3.1 in the continued development/maintenance

49、of the ISO/IEC 18045 international standard. However, these governmental organizations retain the right to use, copy, distribute, translate or modify CEM 3.1 as they see fit. Australia/New Zealand: The Defence Signals Directorate and the Government Communications Security Bureau respectively; Canada: Communications Security Establishment; France: Dire

下载提示：本站仅提供存储空间/不修改/不编辑

1.请仔细阅读文档，确保文档完整性，对于不预览、不比对内容而直接下载带来的问题本站不予受理。
2.下载的文档，不会出现我们的网址水印。
3、该文档所得收入（下载+内容+预览）归上传者、原创作者；如果您是本文档原作者，请点此认领！既往收益都归您。

同意并开始全文预览

文档包含非法信息？点此举报后获取现金奖励！

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10000 积分 0人已下载

下载	加入VIP,交流精品资源

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: ANSIINCITSISOIEC180452008INFORMATIONTECHNOLOGYSECURITYTECHNIQUESMETHODOLOGYFORITSECURITYEVALUATION 信息技术

麦多课文档分享所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：ANSI INCITS ISO IEC 18045-2008 Information technology - Security techniques - Methodology for IT security evaluation《信息技术.安全技术.IT安全评估用方法学》.pdf
链接地址：http://www.mydoc123.com/p-436270.html