Smart Card Guy

Smart Card / Java Card, Cyber Security, IoT Device Security, Root of Trust, standardization, etc.

Common Criteria (ISO/IEC 15408): List of SFRs and SARs

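Key points

  • Common Criteria (ISO/IEC 15408) is hard to understand in the first place, and in particular it has far too many abbreviations...
  • Many explanatory materials use three-letter English abbreviations for SFRs and SARs (AVA_VAN, for example!), and for too many of them you cannot guess what they stand for...
  • The CC SFRs and SARs are listed in full below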

Common Criteria SFR and SAR list

Security Functional Requirements (SFRs)

Does the leading F in the class names stand for "Function"?

CLASS FAU: SECURITY AUDIT
  • Audit requirements in a distributed environment
  • Security audit automatic response (FAU_ARP)
  • Security audit data generation (FAU_GEN)
  • Security audit analysis (FAU_SAA)
  • Security audit review (FAU_SAR)
  • Security audit event selection (FAU_SEL)
  • Security audit event storage (FAU_STG)
CLASS FCO: COMMUNICATION
  • Non-repudiation of origin (FCO_NRO)
  • Non-repudiation of receipt (FCO_NRR)
CLASS FCS: CRYPTOGRAPHIC SUPPORT
  • Cryptographic key management (FCS_CKM)
  • Cryptographic operation (FCS_COP)
CLASS FDP: USER DATA PROTECTION
  • Access control policy (FDP_ACC)
  • Access control functions (FDP_ACF)
  • Data authentication (FDP_DAU)
  • Export from the TOE (FDP_ETC)
  • Information flow control policy (FDP_IFC)
  • Information flow control functions (FDP_IFF)
  • Import from outside of the TOE (FDP_ITC)
  • Internal TOE transfer (FDP_ITT)
  • Residual information protection (FDP_RIP)
  • Rollback (FDP_ROL)
  • Stored data integrity (FDP_SDI)
  • Inter-TSF user data confidentiality transfer protection (FDP_UCT)
  • Inter-TSF user data integrity transfer protection (FDP_UIT)
CLASS FIA: IDENTIFICATION AND AUTHENTICATION
  • Authentication failures (FIA_AFL)
  • User attribute definition (FIA_ATD)
  • Specification of secrets (FIA_SOS)
  • User authentication (FIA_UAU)
  • User identification (FIA_UID)
  • User-subject binding (FIA_USB)
CLASS FMT: SECURITY MANAGEMENT
  • Management of functions in TSF (FMT_MOF)
  • Management of security attributes (FMT_MSA)
  • Management of TSF data (FMT_MTD)
  • Revocation (FMT_REV)
  • Security attribute expiration (FMT_SAE)
  • Specification of Management Functions (FMT_SMF)
  • Security management roles (FMT_SMR)
CLASS FPR: PRIVACY
  • Anonymity (FPR_ANO)
  • Pseudonymity (FPR_PSE)
  • Unlinkability (FPR_UNL)
  • Unobservability (FPR_UNO)
CLASS FPT: PROTECTION OF THE TSF
  • Fail secure (FPT_FLS)
  • Availability of exported TSF data (FPT_ITA)
  • Confidentiality of exported TSF data (FPT_ITC)
  • Integrity of exported TSF data (FPT_ITI)
  • Internal TOE TSF data transfer (FPT_ITT)
  • TSF physical protection (FPT_PHP)
  • Trusted recovery (FPT_RCV)
  • Replay detection (FPT_RPL)
  • State synchrony protocol (FPT_SSP)
  • Time stamps (FPT_STM)
  • Inter-TSF TSF data consistency (FPT_TDC)
  • Testing of external entities (FPT_TEE)
  • Internal TOE TSF data replication consistency (FPT_TRC)
  • TSF self test (FPT_TST)
CLASS FRU: RESOURCE UTILISATION
  • Fault tolerance (FRU_FLT)
  • Priority of service (FRU_PRS)
  • Resource allocation (FRU_RSA)
CLASS FTA: TOE ACCESS
  • Limitation on scope of selectable attributes (FTA_LSA)
  • Limitation on multiple concurrent sessions (FTA_MCS)
  • Session locking and termination (FTA_SSL)
  • TOE access banners (FTA_TAB)
  • TOE access history (FTA_TAH)
  • TOE session establishment (FTA_TSE)
CLASS FTP: TRUSTED PATH/CHANNELS
  • Inter-TSF trusted channel (FTP_ITC)
  • Trusted path (FTP_TRP)

Security Assurance Requirements (SARs)

Does the leading A in the class names stand for "Assurance"?

CLASS ASE: SECURITY TARGET EVALUATION
  • ST introduction (ASE_INT)
  • Conformance claims (ASE_CCL)
  • Security problem definition (ASE_SPD)
  • Security objectives (ASE_OBJ)
  • Extended components definition (ASE_ECD)
  • Security requirements (ASE_REQ)
  • TOE summary specification (ASE_TSS)
CLASS ADV: DEVELOPMENT
  • Security Architecture (ADV_ARC)
  • Functional specification (ADV_FSP)
  • Implementation representation (ADV_IMP)
  • TSF internals (ADV_INT)
  • Security policy modelling (ADV_SPM)
  • TOE design (ADV_TDS)
CLASS AGD: GUIDANCE DOCUMENTS
  • Operational user guidance (AGD_OPE)
  • Preparative procedures (AGD_PRE)
CLASS ALC: LIFE-CYCLE SUPPORT
  • CM capabilities (ALC_CMC)
  • CM scope (ALC_CMS)
  • Delivery (ALC_DEL)
  • Development security (ALC_DVS)
  • Flaw remediation (ALC_FLR)
  • Life-cycle definition (ALC_LCD)
  • Tools and techniques (ALC_TAT)
CLASS ATE: TESTS
  • Coverage (ATE_COV)
  • Depth (ATE_DPT)
  • Functional tests (ATE_FUN)
  • Independent testing (ATE_IND)
CLASS AVA: VULNERABILITY ASSESSMENT
  • Vulnerability analysis (AVA_VAN)
    • <= There it is! The one you see most often! ^^
    • AVA_VAN: means Vulnerability Analysis within Assurance Vulnerability Assessment!
    • The class is AVA, the family is VAN
CLASS ACO: COMPOSITION
  • Composition rationale (ACO_COR)
  • Development evidence (ACO_DEV)
  • Reliance of dependent component (ACO_REL)
  • Composed TOE testing (ACO_CTT)
  • Composition vulnerability analysis (ACO_VUL)

www.ipa.go.jp

Common Criteria Quick Reference Card

smartcardguy.hatenablog.jp