
Common Criteria: Origins and Overview

Chapter in: Smart Cards, Tokens, Security and Applications

Abstract

This chapter considers how the Common Criteria for Information Technology Security Evaluation evolved, how they are defined and how they are used in practice. As an example, we look at how the Common Criteria are applied to smart card evaluations. The chapter does not attempt to describe the Common Criteria in full detail, but explores the scope of the criteria, the infrastructure that supports their use, and how Protection Profiles and Security Targets are created to act as baselines for evaluations. As such it serves as an introduction to the use of the Common Criteria, on which a reader can base further reading and practice in order to apply the Common Criteria to real-world situations.


Notes

  1. Also known as “The Orange Book”, and one of the “Rainbow Books”: a series of security standards and guidance documents published by the US National Computer Security Center in a range of coloured covers.

  2. The revisions contain mostly minor updates and corrections that clarify the criteria and their interpretation. A description of the CC maintenance process is given at www.commoncriteriaportal.org/cc/maintenance.

  3. See the text of the CCRA on the Common Criteria portal (www.commoncriteriaportal.org) for more details of the recognition constraints.

  4. See the text of the mutual recognition agreement on the SOG-IS website at www.sogis.org.

  5. A Certification Body (also sometimes known as a Validation Body, but usually abbreviated as “CB”) is an entity operated or sponsored by a national Common Criteria scheme to oversee evaluations carried out in that national scheme and to carry out certification on the basis of the technical reports from its evaluation laboratories.

  6. Use of the assurance levels in CC part 3 still continues, but in some areas the most recent use of CC has emphasised the definition of assurance in terms of the individual components rather than packaged levels.

  7. The topic of attack potential calculations (which involve deriving a number representing the difficulty of an attack) for actual and potential vulnerabilities is too big to discuss in this chapter. However, the interested reader is referred to [6] for details of how this is done for smart cards and related products.

  8. The order in which the components are listed is not significant.

  9. For example, if a software application requires certification then this will often imply a need or benefit for the underlying hardware also to be certified. See the discussion of composite evaluations later in this chapter.

  10. Indeed there are specific definitions and separate treatment of collaborative Protection Profiles (cPPs) developed by recognised international Technical Communities (iTCs), described in the CCRA (see [5], especially the definitions in Annex A and the description of collaborative Protection Profiles in Annex K).

  11. CC part 3 also defines assurance components for the evaluation of Protection Profiles and Security Targets, but these are not discussed here.

References

  1. Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001 (available from the ‘Publications’ section at www.commoncriteriaportal.org)

  2. Common Criteria for Information Technology Security Evaluation - Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002 (available from the ‘Publications’ section at www.commoncriteriaportal.org)

  3. Common Criteria for Information Technology Security Evaluation - Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003 (available from the ‘Publications’ section at www.commoncriteriaportal.org)

  4. Common Methodology for Information Technology Security Evaluation - Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004 (available from the ‘Publications’ section at www.commoncriteriaportal.org)

  5. Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, 2 July 2014 (available from the ‘About the CC’ section at www.commoncriteriaportal.org)

  6. Application of Attack Potential to Smartcards, v2.9, May 2013, CCDB-2013-05-002 (available from the ‘Publications’ section at www.commoncriteriaportal.org)

  7. Security IC Platform Protection Profile, version 1.0, 15 June 2007, BSI-PP-0035 (available from the ‘Protection Profiles’ section at www.commoncriteriaportal.org)

  8. Composite Product Evaluation for Smart Cards and Similar Devices, v1.2, April 2012, CCDB-2012-04-001 (available from the ‘Publications’ section at www.commoncriteriaportal.org)


Author information

Corresponding author: Tony Boswell.


Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Tierney, J., Boswell, T. (2017). Common Criteria: Origins and Overview. In: Mayes, K., Markantonakis, K. (eds) Smart Cards, Tokens, Security and Applications. Springer, Cham. https://doi.org/10.1007/978-3-319-50500-8_8


  • DOI: https://doi.org/10.1007/978-3-319-50500-8_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-50498-8
  • Online ISBN: 978-3-319-50500-8
  • eBook Packages: Computer Science (R0)
