NIST division launches programs for testing product security

By Edward RobackSpecial to GCNWhen you manage to configure a new encryption package or firewall without breaking anything, it's time to congratulate yourself and head home to sleep more soundly.Or is it? Does the secure icon on the screen mean that sensitive information is being encrypted correctly? Is the firewall keeping out intruders as the vendor claimed?Confidence in the correct operation of some information technology products is easy. When you send a document to a printer, you can tell pretty quickly whether the printer works. When you pick up a phone, you know at once whether it can dial a call. Put a diskette in a drive, and the document either reads in or it doesn't, aside from format issues.For many security functions, however, it's not that straightforward.Consider encryption. A necessary condition for protecting your information is correctly implementing a secure algorithm. Encryption keys must be generated and protected properly, and users must be up to speed.Or consider access controls. For example, a user sets up a calendar application and clicks on the 'private' box so that private appointments cannot be read by anyone else. Is the information really private?The fundamental question is this: How can an organization tell whether the security features in commercial IT products work as intended and meet specifications?In computer security terminology, security assurance provides the basis for such confidence. Varying degrees of assurance are supported by conformance testing, security evaluations and vendor claims.Products with an appropriate degree of assurance contribute to system security as a whole. This should be an important factor in making IT procurement decisions.Of course, other complementary and interdependent controls are also needed. They include sound operating procedures, adequate training, comprehensive policies, security architectures and a risk management program.The Computer Security Division of the IT Laboratory at the National Institute of Standards and Technology has set up two programs for product evaluation and testing: the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme and the Cryptographic Module Validation Program (CMVP). Both use accredited private laboratories to conduct testing and issue government certificates after successful completion of tests.The NIAP evaluation program, jointly led by the National Security Agency and NIST, focuses on evaluations of products such as firewalls or operating systems against a set of security specifications, which are drawn from the International Standards Organization's Common Criteria.The Common Criteria serve as a catalog of security requirements with which you can develop a set of specifications for a particular type of product such as a firewall or router. A lab can then test the product against the requirements of the profile or target.Depending on the degree of confidence needed, testing can be detailed and rigorous. The Common Criteria specify seven predefined assurance levels to help you strike a cost-effective risk balance. A listing of products evaluated in accordance with the NIAP Common Criteria Evaluation and Validation Scheme appears on the Web, at .Users and organizations do not have to develop their own security specifications. As NIAP progresses, broadly applicable specifications will evolve from industry and government groups that focus on specific technologies. NIST and the Canadian government's security establishment jointly manage CMVP. Its testing provides assurance that: 1) a cryptographic module meets one of the four security specification levels of Federal Information Processing Standard 140-1; and 2) the FIPS-approved algorithms for encryption or digital signatures are correctly implemented. Higher-level modules do not imply stronger or better encryption, but they do give more protection to the secret keys held by the modules. About 100 modules have been validated under the CMVP to date.Federal agencies should use FIPS 140-1 to protect their sensitive, unclassified applications. Look for the FIPS 140-1 logo on products you buy. The CMVP's validated products list appears at .Assurance of proper functioning by cryptographic modules and algorithms is critical for sensitive data that is transmitted over untrusted paths such as the Internet. Unauthorized disclosure of information and its consequences might not be apparent for some time, in contrast with, say, the immediate public awareness when an agency home page is defaced.Cryptographic modules are often integrated into products with noncryptographic functions, such as Web browsers. The CMVP's assurance about a cryptographic module does not extend to other aspects of a product that incorporates the module.See more about NIST's recommendations in a draft publication entitled . The draft is posted at .