Version 6.0f, 12 March 2001
1.1 Common Criteria Overview
1.2 CC Toolbox Overview
1.3 New Toolbox Features
1.4 Limitations
1.5 Security and Privacy
2. Installing the CC Toolbox
2.1 Minimum System Configuration
2.2 Uninstalling Previous Versions
2.3 Installing the CC Toolbox
3. Toolbox Configuration
4. Support via Observation Reports
5. Relevant License Agreements
The Common Criteria (CC) provides an approach to describing Information Technology (IT) system security from two interrelated perspectives:
Version 6.0 of the CC Toolbox has been developed as an integrated set of tools to aid consumers, customers and system developers in writing PPs and STs. The CC Toolbox is intended to simplify and streamline use of the CC for IT system practitioners and thus facilitate widespread acceptance and use of the CC. The purpose of the CC Toolbox is twofold:
The CC Toolbox consists of two tools with a common user interface. The user may select between these tools by choosing the appropriate radio button on the CC Toolbox toolbar:
Since the paradigms of creating a PP or ST are similar, the user interface of the CC Toolbox is designed to accommodate both sets of tasks and can produce either report. Users of the CC Toolbox can maneuver through the tool, specifying functional or assurance requirements, selecting an Evaluation Assurance Level (EAL), Security Objectives, Threats, Policies, etc., and defer the decision of which type of report they wish to produce until a later time in the process. The output of the CC Toolbox is a skeleton PP or ST report based on information supplied by the user. The reports produced by the CC Toolbox are not to be considered final products and will need to be completed by the user.
The CC Toolbox is now public domain software, and is being developed by interested contributors under public license. The new version 6.0f provides easier installation, more convenient access to user documentation, and a new HTML rendering of the CC.
Version 6 of the CC Toolbox provides the capability to:
Version 6 is accompanied by a CC Profiling Knowledge Base, a database of Protection Profile development information that may be helpful in developing new pre-defined environment files for the CC Toolbox. The CC Profiling Knowledge Base comes with its own User Guide. Please visit NIAP's website at: http://niap.nist.gov/tools/cctool.html to download a copy of the CC Profiling Knowledge Base.
Interview sessions created using Version 1.0 can NOT be imported into Version 6.0 of the CC Toolbox. Sessions created in Version 2.0, 3.0, 4.0, and 5.0x can be imported into Version 6.0. User-defined policies, threats, assumptions or security objectives created in Version 2.0 and Version 3.0 that have a name conflict with the domain knowledge in Version 6.0 will be appended with "_UD". The Report Data Set (*.rds) files created in Version 4.0 cannot use the new domain knowledge data (Pre-Defined Environment, *.pde files) available in Version 5.0.
Version 6.0 of the CC Toolbox contains a domain knowledge base that includes pre-defined Assumptions, Threats, Policies, Security Objectives, and associated implementation strategies. The Assumptions, Threats, Policies and Objectives suggested by the tool are provided for the convenience of the tool users. Users may copy portions of the information into a PP or ST, browse the information for ideas on writing their own assumptions, threats, policies and objectives, or reword the information for use in a PP or ST. The security engineering guidance provided by the tool also includes suggestions for selecting threats, objectives, and CC components, for completing operations on CC components, and for providing PP rationale. The information and suggestions provided by the tool represent the combined technical experience of the security engineers who compiled the information. The US Government does not mandate use of the information provided by the tool. Specifically, the provision of this information does not abrogate the Toolbox user's responsibilities to perform the appropriate security analysis and to determine fitness for use.
The reports generated by the CC Toolbox may be classified or proprietary depending upon the information supplied by the user. Additionally, the security classification of the system upon which the CC Toolbox is installed determines the classification level of the application. Therefore, it is the user's responsibility to adequately protect the CC Toolbox and the data, including the ST and PP reports.
Briefly, installation consists of the following steps:
2.1.1 Hardware. The CC Toolbox requires the following minimum hardware configuration:
2.1.2 Operating System. The CC Toolbox has been developed to run on Microsoft Windows operating systems. Its Java-based implementation makes it relatively platform independent.
2.1.3 Java Runtime Environment 1.3 (JRE 1.3). You can check whether your computer has JRE 1.3 as follows:
If your computer doesn't have JRE 1.3, you can obtain a copy from [http://java.sun.com/j2se/1.3/jre/download-windows.html] and install it by double clicking on the downloaded .exe file. If you have the Toolbox CD, there is a copy of JRE 1.3 on the CD as well.
2.1.4 Windows Scripting Engine. Recent versions of Windows come with the WScript scripting engine. You can check whether you have WScript by going to the start menu, selecting Run, and typing WScript. This will work even if your e-mailer and browser have disabled the use of scripts. If you do not have WScript, you can obtain it from [http://www.microsoft.com/msdownload/vbscript/scripting.asp]. Only the last portion of the installation requires WScript, and as a last resort you can do that portion by hand.
2.1.5 Microsoft Access. Users who wish to modify or extend the domain knowledge base will need to have a copy of Microsoft Access 97, as the CC Profiling Knowledge Base is implemented using Access.
If you decide to uninstall a version of the CC Toolbox, either of the following techniques should work:
The Uninstall program will proceed with uninstalling the CC Toolbox software. It will not delete data files. In particular, it will not delete saved reports or your personal configuration information, which is stored in the file resources\CCToolbox.config.
Note. If you choose not to uninstall a previous version, then it is important to install the new version into a different directory. In Version 6.0f this is easy, as the installer suggests a new default installation directory.
You may obtain the CC Toolbox from the NIAP website [http://niap.nist.gov/tools/cctool.html], or in some cases, you may receive it on a CD.
After loading the CC Toolbox onto your computer, double click on the downloaded CC Toolbox installer, v60f_cctoolbox.exe, and proceed as follows:
You can personalize your copy of the CC Toolbox by selecting the Configuration function on the File menu. Configuration options are divided into two groups, Defaults and E-Mail Settings.
The CC Toolbox has a built-in Autosave feature that saves an interview session based on a pre-specified time interval (i.e., every 10 minutes). You can adjust the time by moving the slider with your mouse, by highlighting the slider and pressing the left- or right-arrow keys, or by typing in a number directly. Setting the time to zero minutes disables
The default report mode can be set to either Protection Profile or Security Target. Setting the default report mode to PP, for example, will cause the user to always be in PP mode when a new CC Toolbox session is created. The difference between PP and ST mode is merely which report type will be generated and in the wording of the prompts in the Component
The default directory location is the place where the CC Toolbox will save templates and report data sets. Additionally, this is the directory where the CC Toolbox will look for templates and report data sets when users request an Open operation. Users can change this directory by selecting the Browse button or by manually entering a valid directory location.
The CC Toolbox Configuration function allows the user to enable or disable logging mode. When enabled, key user events are logged to the file CCToolboxRecordFile.txt. This file will be sent as an attachment to an Observation Report e-mail. The intention of logging is to allow the user to easily record the steps they followed to recreate an error that they plan to report via an Observation Report.
This information can be reliably found in the preference settings of your e-mail program. In Netscape, look on the Edit Menu, select Preferences. Expand the Mail & News Groups node on the left of the pane. Click on Mail Servers. The Mail Host is the Outgoing Mail (SMTP) Server. Typical Mail Host values are, e.g., mail.nist.gov, mailhost.snap.com. If you are behind a firewall, you will need to specify a mail host that is on your side of the firewall.
The Name, Company, Telephone, Fax, and Email fields have their obvious meanings.
For more information on configuring and using the CC Toolbox, consult the Users Guide and the Reference Manual. Shortcuts to these documents can be found in the CC Toolbox folder on the Start Menu (assuming you chose the option to install them).
You are encouraged to document any feedback/observations online from within the CC Toolbox (Observation Form), which will be emailed to firstname.lastname@example.org. This approach can provide you with needed support and, at the same time, provides the Toolbox developers with needed feedback.
An observation report may be sent directly from the CC Toolbox by selecting the Observation Report option from the Help menu on the menu bar. Upon selection, the CC Toolbox Observation Reporting Form will be displayed. A name, email address, and Mail Host must be provided in the form. Complete the observation and press the rotating Send Email icon. This observation report will be sent to the National Information Assurance Partnership (NIAP). The observation report also sends NIAP information about the:
Use of the CC Toolbox and related tools is subject to constraints given in the file LICENSE.TXT.
The CC Toolbox includes free, redistributable support software from Sun Microsystems and IBM. Use of this support software, and thus of the CC Toolbox itself, is subject to license agreements available from the respective vendors:
| Freeware Product | URL for Further Information |
| Java™ 2 Runtime Environment | http://java.sun.com/j2se/1.3/jre |
| JavaBeans™ Activation Framework | http://java.sun.com/beans/glasgow/jaf.html |
| IBM® Logging Toolkit for Java | http://www.alphaworks.ibm.com/tech/loggingtoolkit4j |