AUTHENTICATION ASSURANCE LEVELS

Authentication is the process by which the Monitoring Party gains appropriate confidence that the information reported by a monitoring system accurately reflects the true state of the monitored item. Authentication is how we establish trust in monitoring systems and measurements to verify compliance with, for example, the storage of nuclear weapon-origin material. Authentication helps assure the Monitoring Party that accurate and reliable information is provided by any measurement system and that any irregularities are detected. How can the confidence derived from authentication be measured? The Common Criteria is an internationally recognized, multi-part standard for defining and evaluating the security properties of information technology products and systems. The Common Criteria provides a set of composition rules to develop a rational and repeatable graded assurance package. This graded assurance package establishes a set of levels composed of criteria for evaluating a system or product. As the assurance level increases, the assurance that a product meets the security and functional requirements also increases. Since the Common Criteria only provides a set of composition rules, the final set of evaluation levels can be modified to meet the specific needs of an application. This Common Criteria approach has been applied to create a definition of Authentication Assurance Levels that can quantify the level of assurance reached for a system subject to a set of authentication procedures. The application of the Common Criteria to armscontrol authentication expands on more typical information security evaluations in that it must contend with possible information barriers and preclude sophisticated intentional subversion attempts. This paper will summarize the results of the initial definition of the Authentication Assurance Levels, compare them to related developments, and provide a discussion on their role in authentication.