Tuesday, October 15, 2019

Stephan Mueller publishes SP800-90B compliant Linux implementation of CPU Jitter RNG

NIST’s Special Publication 800-90B “Recommendation for the Entropy Sources Used for Random Bit Generation” (SP800-90B) lays out the testing requirements for random bit generators. According to Implementation Guidance 7.18, compliance to SP800-90B will be mandatory for FIPS 140-2 validations starting November 8th 2020.

Our colleague Stephan Mueller recently published an updated, SP800-90B compliant version of his Jitter RNG suite for Linux to give our customers a head-start to achieve compliance before the transition date. While the SP800-90B compliance of the Jitter RNG was reviewed by NIST, official approval is only given when the Jitter RNG is used as part of an actual FIPS 140-2 validation.

In his documentation (Section 7.4) he explains the steps a user has to follow to claim SP800-90B compliance using the Jitter RNG, thus removing the need for them to prepare their own SP800-90B analysis.

Stephan Mueller made the Jitter RNG suite available for the public:

The code for the CPU Jitter RNG can be downloaded here:

The documentation can be downloaded here:

The associated tests can be downloaded here:

Wednesday, October 9, 2019

atsec at the International Common Criteria Conference (ICCC) 2019

atsec participated in ICCC 2019 held in Singapore from October 1st to 3rd in conjunction with Singapore International Cyber Week (SICW).

It was the perfect venue to celebrate the 20th anniversary of the Common Criteria standard with an increase of the Common Criteria Recognition Arrangement (CCRA) membership from 27 to 31 with the addition of Indonesia, Slovakia, Ethiopia and the Philippines.

The UK updated their CCRA status from a certificate issuing country to a certificate consuming country, with continuous commitment to both the CCRA and the International Technical Communities (iTC).

As a Silver Sponsor of the ICCC 2019, atsec hosted one of four ICCC booths on the exhibition floor among the other exhibitors participating in the SICW. In addition to attending ICCC 2019, some atsec consultants also participated at the CCUF a week prior to ICCC.

atsec gave the following three presentations at ICCC.

  • Mr. Michael Vogel with Ms. Terry Diaz (Cisco): iTC: General Update and TLSv1.3 integration into NDcPP
  • Mr. Di Li : The Chinese Commercial Cryptography Scheme and ISO/IEC 19790
  • Dr. Andreas Hohenegger: The Common Criteria and IEC-62443
During the award ceremony two customers received certificates as successful results of atsec’s evaluation work: Oracle and Qualcomm. At the same time atsec was mentioned as one of the five labs that have been licensed by the Cyber Security Agency (CSA) to be a Common Criteria Testing lab (CCTL) under the Singapore Common Criteria Scheme (SCCS).

Monday, September 30, 2019

CST Newsletter and FIPS 140-3 Change Summary

We invite you to take a look at our CST Newsletter.

This newsletter is intended to inform our customers about recent changes within the Implementation Guidance and NIST's Cryptographic Module Validation Program (CMVP).

We also included a high-level summary of changes to the testing and documentation that FIPS 140-3 will introduce.

Monday, September 16, 2019

atsec adds Singaporean Common Criteria Scheme accreditation

Cyber Security Agency of Singapore

atsec is pleased to announce that it has been licensed by CSA to be a Common Criteria Testing lab (CCTL) under the Singapore Common Criteria Scheme (SCCS).

Please check the Common Criteria Portal:

as well the Singapore Common Criteria Scheme:

atsec is already operating Common Criteria labs under BSI Germany, US NIAP, CSEC Sweden and OCSI Italy.

Adding Singapore to the list of Common Criteria laboratories offers our customers an opportunity to identify and satisfy requirements coming from the region, and also be closer to customers already present and operating in the region.

Evaluations under the Singaporean Scheme will be Protection Profile based as well as using EAL1 to EAL5 assurance levels.

Wednesday, July 31, 2019

A Multi-Level Model for Common Criteria Certificate Maintenance

by Trang Huynh

I had the privilege of being on a discussion panel at the NIAP Validator Workshop this past June. The topic for the panel was “Continuous Software Update,” and the issue we were trying to tackle was Common Criteria (CC) evaluations for products with a high frequency of software updates, such as those for mobility products. From the discussion, I identified that the issue is two-fold:
  1. updates occurring while the evaluation is in progress, and
  2. updates after the evaluation is completed.
The case of updates after evaluation completion was the focal point of the panel discussion. Many ideas were brought up during the panel ranging from delta evaluations to requirements for regression testing, full evaluations, etc.

NIAP provides Publication #6 (Pub 6) describing the certificate maintenance / assurance continuity process offered by the scheme. This document contains definitions and examples of major changes and minor changes in addition to an outline of the necessary actions from the vendors and/or CCTLs pursuing certificate maintenance. Yet it is a great challenge for vendors/CCTLs and validation bodies alike to methodically determine whether an update constitutes a major or minor change. Changes in the extreme cases are easy to classify, but cases in the middle ground can be extremely fuzzy.

To solve this difficulty with classification, I raised an idea at the panel that the certificate maintenance process offer a predefined multi-level model similar to the one offered by FIPS 140-2. At a high-level FIPS 140-2 breaks down a change into several submission scenarios or SUB for short, (1SUB, 1ASUB, 1BSUB, 2SUB, 3SUB, 3ASUB, 4SUB, 5SUB, etc.) For example, 1SUB addresses administrative or non-security relevant changes that do not affect any FIPS 140-2 security-relevant items, such as updating vendor contact information or testing the module on additional platforms, that have little or no impact on the validated cryptographic module. The 3SUB scenario encompasses changes that would exceed 30% of the module's overall security functionality. Last but not least, 5SUB is for changes that do not meet 1SUB through 4SUB requirements. This model conceivably allows CST labs more "jurisdiction" to decide on the level of the change. Based on that decision the CST lab may proceed with the “game plan” described in section G.8 Re-validation Requirements of the Implementation Guidance which may involve the CST lab performing applicable testing on the changed cryptographic module and submitting the test results (along with other required materials) to the CMVP for re-validation.

I believe an introduction of gradation of changes in the certificate maintenance process would allow for a more systematic approach for performing impact analysis on product updates.

Tuesday, July 9, 2019

atsec’s ACVT service is operational

atsec is proud to announce that the Automated Cryptographic Validation Testing (ACVT) service is operational.

The atsec Cryptographic Security Testing (CST) laboratory is the first ever to achieve operational status with the Automated Cryptographic Validation Protocol (ACVP) production server operated by NIST. atsec's ACVP tools are fully implemented and functional. After the test results for all types of algorithm testing offered by the ACVP server were validated by NIST, atsec’s CST lab was granted access to the ACVP production server. atsec performed the algorithm testing on its SHA and HMAC implementations used in the atsec ACVP Proxy, which is the very first ACVT project to demonstrate that the NIST ACVP production server is now in business.

With this privileged access, the atsec new service uses the ACVP production server to automate the process of testing the implementation correctness of cryptographic algorithms and related functions, and offers a much more efficient and effective process in the awarding of certificates by NIST.

Certificates of implementation correctness are awarded by the cryptographic algorithm validation program; these certificates being required as a pre-requisite for cryptographic module validation as well as for Common Criteria evaluations in the U.S.

Mr. Stephan Mueller, one of atsec’s Principal Consultants, has worked closely in the development of the client program to test the NIST ACVP demo server, which has greatly helped NIST’s successful launch of the ACVP production server. He commented on this collaboration between atsec and NIST.

“NIST is to be congratulated on this important milestone in the development of the ACVT program. A program which provides assurances in the security of IT systems implementing cryptography as well as supporting developers by providing the capabilities to test in synch with modern development timescales.”

Dr. Yi Mao, atsec Laboratory Director, also commented.

“We applaud NIST’s initiative in launching the ACVT program and are proud of assisting them in achieving this historically significant milestone. Cryptography is the hard core that provides information security. Automated testing is the way forward to sustain the high demand of the much-needed assurance at the core of security. It’s an extremely exciting moment, and empowered with ACVT, we can immediately benefit our existing and new customers by taking their algorithm validation down a fast path.”

Find out more at:
atsec’s cryptographic algorithm testing service page.
NIST’s Automated Cryptographic Validation Testing (ACVT) project.

Wednesday, July 3, 2019

atsec’s Rome office is accredited by OCSI for Common Criteria evaluations

atsec is pleased to announce that the atsec Rome office has been accredited by the Italian scheme, OCSI, for performing Common Criteria evaluations.

This is in addition to the accreditations by the Italian security agency, OCSI of our atsec laboratories in the U.S., Germany and Sweden.

Garibaldi Conte: Managing Director, atsec Italy, 2019:

“I am both happy and excited for atsec's entrance into the Italian market for IT Security Evaluation and Certification. I have been in the InfoSec business for over 15 years in Italy. The reason I accepted the challenge to be the Managing Director of the atsec Italian operation, is because of atsec's level of expertise in the field, depth of knowledge, care for standards, many achievements, customer base, the technology they have evaluated and their global presence. Under those conditions, atsec Italy is not a challenge, but a gift—a gift that will strengthen Italy's role in IT Security Evaluation and Certification in Europe.”

Staffan Persson, Co-founder, Managing Director EMEA:

“atsec’s strategy is to support our customers with their information assurance needs. With a great many leading global companies in our customer portfolio, it is important that we establish a strong presence in Europe as the EU Cybersecurity Act develops to do all that long-standing regional mutual recognition arrangements such as SOG-IS have achieved and much more.”


Salvatore La Pietra, Co-Founder, President and CEO:

"atsec has a mission at the core: ‘information security done right.’
We have always looked at IT Security differently from others. Our customers tell us that and our people show it.
atsec Italy, together with atsec Germany and Sweden, provide a substantial European presence, and together with atsec US and atsec China increase our geographical and cultural presence, underlining our global dedication to our customers. atsec Italy is the latest to join the atsec group, but will not be the last. Stay tuned…"

The atsec Italy office is located in Rome at:
atsec information security srl
Via Tirso, 26
00198 Rome
Tel: +39-06-89232678 

Tuesday, July 2, 2019

Congratulating Qualcomm on CC certification of their Snapdragon 855 SOC

atsec congratulates Qualcomm on the successful evaluation of their Snapdragon 855 system on a chip (SOC) processor.

The evaluation was performed jointly by atsec information security laboratory GmbH and T-Systems International GmbH laboratory; with the software evaluation being performed by atsec, and the hardware evaluation performed by T-Systems.

atsec is proud to have contributed to the first successful mobile SoC to receive Smart Card Equivalent Security Certification from the German Federal Security Agency BSI. 

For more detailed information check the Certification Report and other documents posted on the BSI web site, and the related news from Qualcomm.

Monday, June 24, 2019


As one of the signature sponsors, atsec draws attention from industry and customers by providing professional security assessment and testing services based on global standards. Many friends stopped by the atsec booth and discussed technical topics with atsec consultants, such as how to achieve PCI compliance. atsec also offered prizes at our booth for correctly answered security questions to spread knowledge of security standards and technology.

China, Shanghai—From June 19th to 20th, Visa held the Asia Pacific Security Summit in Shanghai, China.

During the “Ecosystem Data Security Workshop” on the 19th, Diana Greenhaw, VISA’s Vice President of Global Payment System Risk, gave a speech on "Ecosystem Risk Updates—A Global Perspective". Troy Leach, Chief Technical Officer of PCI Security Standards Council, spoke about "PCI Global Updates” discussing the technology development of global payment standardization. Next PCI Laboratory Director Yan Liu and Principal Consultant and QSA Jinyun Chen from atsec China presented on "Protecting your data by using PCI DSS.”
atsec first introduced an overview of the Payment Card Industry, including the current standards family, the SIG (Special Interest Group) for this year, and the GEAR (Global Executive Assessor Roundtable) for improving overall assessment quality. Then atsec’s methodology regarding PCI DSS assessment and compliance was emphasized.

During the presentation, atsec briefly introduced the PCI DSS requirements related to data protection, security development, security operation and administration. Finally, atsec shared experience on how to efficiently maintain PCI DSS compliance. All of the speakers suggested integrating the PCI DSS requirements and best practices into daily work activities.
The theme of the Summit was "Security, Innovation, and Trust". The topics presented covered cyber security, biometrics and e-commerce payment, etc. Implementation and security assessment of 3DS 2.0 was also given a lot of attention.
atsec has actively contributed to global security standards development and improvement, including but not limited to PCI GEAR (Global Executive Assessor Roundtable), PCI SIG (Special Interest Group), etc. atsec helps global entities (banks, service providers and merchants) in the payment industry to achieve data security compliance (e.g. PCI, GDPR) in order to mitigate potential risk. In recent years, several global cloud service providers have worked with atsec on PCI compliance, and providing more secure cloud platforms for their customers.
atsec will continue to be dedicated to global security standards development, improvement and compliance assessment.