What is EAL4+ certification?

The original text is from the official website of DPLS Laboratory; please indicate the source.

For the evaluation of national information security products (EAL4+), DPLS Laboratory provides training and consultation on the domestic EAL4+ security certification process and its technical points, including:

Analysis of the EAL4+ security standard

The EAL4+ security certification process

Analysis of the technical points of EAL4+

DPLS Laboratory provides training and consultation for international and domestic industry testing projects such as CC, EMVCo, FIPS 140, Mi Shang, EAL4+, black box testing and penetration testing.

Introduction to National Information Security Products (EAL)

In the field of information security, different protection measures, that is, different levels of protection (EAL), are generally adopted according to the characteristics of the system itself and its environment. To meet the needs of IT security development and international standardization, security evaluation standards are continually being optimized and improved.

Classification of EAL

According to the information technology security evaluation standard, namely the Common Criteria (CC), the evaluation of information technology security products is divided into seven levels, EAL1 to EAL7:

EAL1: Functionally tested

EAL2: Structurally tested

EAL3: Methodically tested and checked

EAL4: Methodically designed, tested and reviewed

EAL5: Semiformally designed and tested

EAL6: Semiformally verified design and tested

EAL7: Formally verified design and tested

Introduction to EAL4+

EAL4+ is one of the evaluation levels (the methodically designed, tested and reviewed level) in the Information Technology Security Evaluation Criteria (GB/T 36950-2018), and it is a dedicated security assurance certification. It allows developers to gain maximum assurance from sound security engineering based on good commercial development practices that, though rigorous, do not require substantial specialist knowledge, skills or other resources. EAL4+ is the highest level that is economically feasible to reach by retrofitting an existing production line.

EAL4+ (smart card product) evaluation content

For the information technology security evaluation of smart card products, all the assurance components of EAL4+ in GB/T 18336 are adopted, the modularity component ADV_INT.1 is added, and the vulnerability analysis component is raised to the moderately resistant level, AVA_VLA.3, to cope with the threats that smart card products may face and their increasingly complex application environments.

The EAL4+ level provides assurance by analyzing the security functional specification, high-level design, low-level design, implementation (code) and other design documents to confirm that the security functions of the TOE are correctly implemented. In addition, assurance is gained through an informal model of the TOE security policy.

In an EAL4+ evaluation, the correctness of the TOE security functions is also verified through independent testing of the TOE security functions, developer testing based on the functional specification and high-level design, independent confirmation of the developer's test results, strength-of-function analysis, evidence of the developer's search for vulnerabilities, and an independent vulnerability analysis demonstrating that the TOE can resist penetration attackers with moderate attack potential.

EAL4+ also provides assurance through the use of development environment controls, additional TOE configuration management (including automation), and evidence of secure delivery procedures.