Guiding the Way through the World of Cyber Security

Roughly every five years, we refresh our website with a new appearance. As a precursor to our 25th anniversary in January 2025, we are thrilled to show the world our stylish, modern look.

It is atsec’s firm belief that effective security assurance can only truly be accomplished when the product developers proactively incorporate security requirements they thoroughly understand. Thus, it is our responsibility to guide our customers through the complex and changing world of security standards so they can feel confident in their understanding.

To that end, we refreshed our website with a new appearance to ensure it represents the current security standards landscape and that it is simple for anyone to navigate the relevant security requirements and find the services they need.

As we launch this new version of our website, we wanted to take a moment to reflect on the changes in and the demands of the cyber security industry with a piece from one of our co-founders, Staffan Persson:

The world of IT is constantly evolving, becoming more sophisticated, and covering more areas; cyber security is no exception. There are vanishingly few areas where cyber security is not crucial, as regulators usually demand some minimum level of security, and customers also increasingly understand how critical security is. We have all learned that cyber security is not entirely about features or functionality, it's about confidence in those security measures and their effectiveness; that confidence requires a set of criteria and an assessment showing that these criteria have been met.

When we started atsec almost 25 years ago, security requirements were limited and focused on specific types of products and types of users, so it was a niche market for users and developers of high-security products. Although the security area was not mature yet, it was still relatively easy to discuss and understand security problems within such a small community. Still, it was also not a “cool” business to be in, so it remained small for quite some time. This has now completely changed.

The current demand for security is huge: There are more security requirements than ever before, as well as different schemes to measure and certify security, both national and international. Sometimes, it is not even clear if a vendor has to comply with any security requirements, much less which specific requirements. In fact, the market is changing so fast that regulators also have a difficult time keeping up with these changes.

Good security cannot be achieved by assessment alone, since such verification can only assess what's already there, provided by the vendor. For real improvements in security, it is essential that product developers understand and endorse security, including endorsing the security criteria they must comply with.

Security criteria that have been available for decades have been updated, new aspects have been included, and - as confusing as they might be - it is important for vendors to understand these criteria. Clarity and transparency are an essential part of security, especially to the labs performing the security assessments, as they may be the first point of contact for vendors.

Given the importance of clarity in a complicated space, atsec has modernized its web site to help lead by example:

The website now comes with a modern design and covers all the services offered by every atsec office worldwide; this means no separate web site for each office.

One main menu, structured by the various service groups, presents each of the specific services provided by our offices in a way that shall help our customers find the best combination for their individual needs.

Along with each service, we also provide links where customers can download additional information, including authoritative links with references to the criteria and schemes. Informing our customers is of utmost importance to us, as we are convinced that customers who understand the criteria and their requirements can implement security profoundly better than those who are just impressed by some security expert witchcraft.

This focus on the services, rather than their location, addresses the quite common situation where customers may need several types of assessment services that require the cooperation of multiple atsec offices. This co-operation between our offices to serve our international customers has been a hallmark of atsec’s business since its foundation, so it made sense to unify everything on a single website.

We hope that this update will help you to better understand the different security criteria and whether they are useful for you. It may also be difficult to find out which security requirements are appropriate, what the requirement means, how big the effort will be, and who within atsec to talk to. If you need more information, just contact us for more information, as we’re always happy to help.

Please visit our new website at www.atsec.com.

First SP800-140Br1 Compliant FIPS 140-3 Certificates

 

On July 11^th, 2024, the first three FIPS 140-3 certificates for NIST’s SP800-140Br1 pilot program were posted on the NIST website. atsec information security was one of the labs that took part in the pilot program. SP 800-140Br1 specifies modifications of the methods to be used by a Cryptographic and Security Testing Laboratory (CSTL) to demonstrate conformance to ISO/IEC 19790 Annex B requirements.

 

The project was led by David Hawes (CMVP Program Manager) who kicked off the project in June 2023 in preparation of the rollout of SP800-140Br1 with the intention that it will benefit in preparing for the new process. With regular group meetings and guidance form CMVP, atsec submitted their first pilot in September 2023. This resulted in certificate #4723 for AMD’s ASP Cryptographic Coprocessor ("Phoenix"). atsec would like to thank AMD for their willingness to be part of this project. Special thanks to David Hawes for all the guidance, prompt response and his dedication to this project.

 

As an outcome of this project, CMVP created MIS Verifier and Security Policy Builder tool which is an important step to facilitate automated verification and processing of the modules. Security Policy (SP) is one of the required documents for FIPS submission. Earlier the SP was written manually in its entirety leading to many consistency and human errors. In the new process, CMVP uses JSON as the submission format to provide a mechanism for receiving structured data. This data in the form of field and table information source is the Module Information Structure (MIS). The remaining information is entered by the vendor into a copy of the CMVP supplied Microsoft Word template document. This completed template is merged with the MIS fields and tables to produce the final Security Policy. The verifier part, parses the MIS fields and performs schema and rule validation that helps eliminate duplication of information and the need to verify multiple separate sources.

This is also accompanied with Br1 variation of the original Web Cryptik, a web-based application for the CSTLs to create and submit their FIPS report packages to CMVP.

 

This is not the only measure the CMVP is taking to shorten cryptographic module queue: recently Interim Validations were introduced as a way to deal with the current backlog and while it gives some much-needed relief, they come with a reduction in assurance and a shorter certificate lifetime of 2 years vs. the usual 5 years.

 

For a sustainable way to expedite the FIPS validation process in response to the increasingly high demand for the validated cryptographic modules, the National Cybersecurity Center of Excellence (NCCoE) launched the AMVP (Automated Module Validation Project) initiative and is making good progress. The upcoming ICMC in September will have a Panel on this project and demonstrate its latest development. atsec actively participates in the NCCoE AMVP alongside the CMVP, vendors, and other labs. We are optimistic that we will soon see the lights from the end of the lengthy review-pending tunnel.

 

Changes Coming to NIAP Entropy Assessment Reports in 2025

“What do you say to a room full of DRBGs standing around you? Everyone, please be seeded.”
  -Quin, atsec tester

When things change, it can help to approach that change with a light heart like this.

Recently, NIAP announced that Entropy Assessment Reports (EARs) must include a NIST Entropy Source Validation (ESV) certificate starting at the turn of the year on January 1st, 2025. This change will be most felt by vendors using third-party entropy sources, as it will be necessary for those third-party entropy sources to have an ESV certificate that can be used in the EAR; for vendors using their own software or hardware entropy sources, comprehensive documentation will be required for the ESV assessment, along with more stringent testing.

For the rest of the calendar year (CY24), EARs do not require an ESV certificate, and vendors using third-party entropy sources can provide clearly stated estimates of how much entropy their third-party solution provides. That said, getting a head start and going through an ESV assessment to get a certificate can help you prepare for both FIPS and NIAP CC evaluations, and can be used to strengthen your EAR for NIAP before the change goes into effect.

If you’re uncertain how to approach these changes, we’re always available to answer questions via phone or email, and Quin and our other testers have already taken training to understand how to navigate the road ahead. Rest assured, we’ll approach it with a light heart.

You can read NIAP’s announcement regarding the upcoming changes on their website in Labgram #118/Valgram #137, and a more detailed overview of the changes is available in NIAP’s Clarification to the Entropy Documentation and Assessment Annex document.

BSI NESAS CCS-GI Scheme Updates

We'd like to inform our customers and partners that the German Federal Office for Information Security (BSI) recently published new documents approving the use of additional Security Assurance Specifications (SCAS) under the BSI 5G NESAS Certification and Evaluation Scheme (BSI NESAS CCS-GI).

We encourage our customers to fully review the newly published documents and explore how these additional approved SCAS might be useful in achieveing NESAS CCS-GI certification. The full update can be found on BSI’s website for NESAS CCS-GI (https://www.bsi.bund.de/dok/NESAS-Dokumente); for a quick summary, the following SCAS have now been approved:

• TS 33.523 18.2.0
• TS 33.526 18.1.0
• TS 33.527 18.2.0
• TS 33.528 18.0.0
• TS 33.537 18.2.0

Note that, while BSI have not made any changes to the above SCAS, the refinements for TS 33.117 (as described in the AIS N2 document) are still applicable for SCAS that refer to TS 33.117, such as TS 33.526.

As always, our team is ready to assist with any questions or provide guidance regarding this update.

Get in Touch
For more information on the newly approved SCAS and how they relate to your product lines, please don't hesitate to reach out to us. These services are provided by atsec via the German office.

Email: info@atsec.com
Phone: +49-89-442-49-830
Website: www.atsec.com

Stay tuned for more updates as we continue to bring you the latest within 5G security evaluation and certification.

EUCC and Cybersecurity Certification in Europe

The European Union Agency for Cybersecurity (ENISA) hosted a cybersecurity certification conference on April 18, 2024, in Brussels, Belgium. The conference very much focused on the implementation of the EUCC - European Cybersecurity Certification Scheme. This scheme, based on the established Common Criteria (CC), aims to harmonize cybersecurity assessments for Information and Communication Technology (ICT) products in Europe.

Transitioning phase
While the EUCC officially launched in February 2024, a transition period is in place to ensure a smooth shift from existing national schemes. Here's a breakdown of what to expect:

• 2024: This year serves as a grace period for national certifications. Existing certificates issued under national schemes remain valid until their expiration date.
• 2025 and beyond: It's anticipated that by 2025, the EUCC will become the dominant certification scheme across Europe. National schemes are expected to be phased out completely, making the EUCC the sole gateway for cybersecurity certification within the EU.

A Look Ahead: Embracing the EUCC
The EUCC signifies a positive step towards a more robust cybersecurity environment in Europe. As we move into the latter half of 2024 and beyond, here's what to keep in mind:

• National Cybersecurity Certification Authorities (NCCAs) and Conformity Assessment Bodies (CABs): Establish the necessary certification structure; achieve required authorizations and accreditation.
• Manufacturers: Familiarize yourself with the EUCC requirements and consider initiating the certification process for your products. Also, consider post-certification vulnerability handling requirements that will be enforced by the EUCC.
• Consumers: Look for the EUCC mark when purchasing ICT products and cloud services, signifying their adherence to a rigorous cybersecurity standard.

Market uptake
Predicting the exact pace of market uptake of the EUCC is difficult, but global certificate recognition, well defined and streamlined certification processes would make the scheme attractive to the manufacturers of the ICT products. The future of the EUCC might also be impacted by broader European cybersecurity regulations that could potentially mandate the use of the scheme for certain types of products.
Rasma Araby, from atsec information security, participated in the panel discussion “How to handle vulnerabilities in certified solutions,” discussing vulnerability management and disclosure procedures compliance with the obligations outlined in the EUCC.

What can atsec do for you?
Since the start of the ENISA initiative in 2018, we have been actively contributing to the EUCC development. We regularly inform our customers of the progress to help them benefit from EUCC certification. 
If you are interested in performing EUCC certification or have questions regarding our evaluation services, please do not hesitate to contact us (info@atsec.com). We look forward to working with you.

atsec Adds FIDO Evaluation Qualification

atsec information security (branded as “atsec”) has been qualified by the FIDO Alliance as one of the FIDO Accredited Security Laboratories to evaluate the authenticator products. The accreditation has been listed on the official website of the FIDO Alliance: https://fidoalliance.org/certification/authenticator-certification-levels/accredited-security-laboratories/

In addition, atsec is also one of the FIDO members (https://fidoalliance.org/members/) and contributes to the industry.

Passwords are the root cause of over 80% of data breaches, making them the main problem of cybersecurity. With the average user having more than 90 online accounts, up to 51% of passwords are reused across those accounts. According to the research of FIDO Alliance, the average help desk labor cost for a single password reset is up to $70.

FIDO, short for “Fast IDentity Online”, is a series of authentication standards that help reduce reliance on passwords. As an accredited security laboratory by the FIDO Alliance,. atsec information security offers the following security evaluation services for your authenticator products:

• FIDO2: FIDO2 is comprised of the W3C Web Authentication (WebAuthn) and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance.
• WebAuthn: WebAuthn defines a standard web API that is being built into browsers and platforms to enable support for FIDO Authentication.
• CTAP2: CTAP2 allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.
• CTAP1: Formerly known as “FIDO U2F”, CTAP1 allows the use of existing FIDO U2F devices (such as FIDO Security Keys) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a second-factor experience.
• FIDO UAF: FIDO UAF supports a passwordless experience for online service on users’ own device with local authentication mechanisms such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc.

The FIDO2 and FIDO UAF protocols have been identified within the common specification authenticator security goals. There are 16 Security Goals (SG) identified by FIDO, and 29 Security Measures (SM) that can be implemented to cover the security goals for FIDO authenticators. Ten Security Requirements are derived to support the Security Measures:

• Authenticator definition Derived Requirements
• Key Management and Authenticator Security Parameters
• Authenticator’s Test for User Presence and User Verification
• Privacy
• Physical Security, Side Channel Attack Resistance and Fault Injection Resistance
• Attestation
• Operating Environment
• Self-Tests and Firmware Updates
• Manufacturing and Development
• Operational Guidance

Passwords and other forms of legacy authentication, such as SMS OTPs, are knowledge-based, a hassle to remember, and easy to phish, harvest, and replay. FIDO helps shift from this legacy, knowledge-based authentication scenario to a modern, possession-based and phishing-resistant authentication scenario.

The security testing of the authenticator products against FIDO standards allows vendors to integrate their authenticators into modern and FIDO-enabled online services and provides their users with a flawless authentication experience. This also reduces the risk of a password being forgotten or stolen.

atsec is ready to partner with you to help you understand the requirements of the standard, test your authenticator products, and achieve the FIDO certification.

The products being compliant with the FIDO UAF, FIDO U2F, and FIDO2 specifications and evaluated by a security laboratory (e.g. atsec) can be certified and listed by FIDO alliance on the official website: https://fidoalliance.org/certification/fido-certified-products/.

For more information about atsec, please visit: https://www.atsec.com.

atsec AB first IEEE 2621 Accredited Medical Device Testing Facility

atsec AB Stockholm, Sweden is thrilled to announce:  We are the first IEEE Authorized Testing Facility!

We've officially been approved as an IEEE Authorized Testing Facility, making atsec AB Stockholm, Sweden the first company able to provide testing of medical devices according to the IEEE 2621 standard. Additional locations include atsec corporation Austin TX, USA and atsec GmbH Munich, Germany.

 

The IEEE, or Institute of Electrical and Electronics Engineers, is a globally recognized leader in developing technical standards. Earning their authorization as a testing facility demonstrates our capability to conduct rigorous and reliable security evaluations of medical devices according to the IEEE 2621 standard.

Importantly, the IEEE 2621 standard is recognized by the Food and Drug Administration (FDA), the leading regulatory body for medical devices in the United States. This recognition signifies that the FDA considers the standard to be a valuable tool in ensuring medical device security.

Proven Expertise Through Pilot Projects
"We enthusiastically embraced the opportunity to become a player in this domain when IEEE first contacted atsec in July 2022," said Sal La Pietra, President and founder of atsec.
We're particularly proud of this achievement because it follows the successful completion of two pilot projects that used the IEEE 2621 standard for medical device testing. These projects allowed us to refine our processes and demonstrate our expertise in applying this standard," added Rasma Mozuraite Araby, Managing Director of atsec AB in Stockholm, Sweden.

Looking Ahead: Medical Device Testing
As an IEEE Authorized Testing Facility with laboratories in Sweden, the U.S., and Germany, atsec is now positioned to offer our clients a suite of testing services that ensure their medical devices meet the industry's security benchmarks. If you're looking for a reliable partner to verify the security of your medical devices, contact us today to discuss your specific needs.

BREAKING NEWS: c@tsec information security Unveils Revolutionary Quantum Computer

April 1, 2024 – Austin, TX: In a groundbreaking announcement today, c@tsec information security, a subsidiary of atsec information security, and the leader in quantum computing technology, proudly unveils its latest innovation: the Quantum PurrProcessor™.

The Quantum PurrProcessor™ operates on a revolutionary principle, harnessing the power of Schrödinger's Cat to perform computations beyond the limitations of classical computers. By forming a matrix of 1024 by 1024 cardboard boxes, each containing a Schroedinger’s cat either alive or dead, we achieve a never before seen computing power of 1024² CuteBits.

"We are ecstatic to introduce the world to our feline-fueled quantum computing marvel," said Stephan Mueller, Principal Consultant and Chief Feline Officer at c@tsec. "Our approach not only pushes the boundaries of quantum mechanics but also provides a cozy home for these quantum kitties."

However, due to strict animal welfare regulations, c@tsec’s scientists had to make a few adjustments. Instead of furry felines who could be either alive or dead, our boxes are now filled with state-of-the-art RoboCats™ driven by the newest generation of AI, thus merging several cutting-edge technologies.

"Our RoboCats™ are programmed with the indecision of a real cat and the computational prowess of a quantum physicist," said Mueller. "And they don't shed – a win-win for both computing efficiency and office cleanliness!"

Once more atsec information security proves to the world that easy solutions to difficult problems are possible. The Quantum PurrProcessor™ will be available for purchase in the near future. Maybe 5 years from now. Or on April 1st 2025.

XDRGB - Random Bit Generator using any XOF

Resulting from a joint collaboration between John Kelsey (NIST), Stefan Lucks (Bauhaus-Universität Weimar, Germany) and Stephan Müller (atsec information security), a new deterministic random bit generator (DRBG) is published. The XDRBG was publicly presented at the 30th Fast Software Encryption Conference 2024 in Leuven, Belgium.

The XDRBG uses an extensible output function (XOF) as primitive which allows the use of SHAKE algorithm (FIPS 202), as well as Ascon, the finalist in the NIST lightweight cryptographic algorithm competition. In addition, other XOF functions are allowed to be used with the XDRBG specification.

The DRBG is significantly smaller compared to the DRBGs defined in SP800-90A. The XDRBG specification not only defines the algorithmic part of the XDRBG, but also provides a mathematical proof of its design. The security proof applies to all usable XOFs. In the not too far future, the XDRBG specification will also be supplemented by an appendix mapping it to the German AIS 20/31 specification. The specification also maps to the model defined in the NIST SP800-90A standard.

A standalone reference implementation is available at Github.

Crypto Module Bootcamp 2024

On Tuesday, February 27, 2024, atsec information security hosted a free day-long hybrid event on the Concordia University campus in Austin, TX. With 330 registered attendees, both in-person and remote, we have by far surpassed our original attendance estimate.

When atsec started the International Cryptographic Module Conference (ICMC) in 2013, we wanted to create a forum for the stakeholders in the crypto module world to come together. The ICMC has flourished over the last ten years and is now a well-established and highly regarded conference for IT security professionals. However, the cost involved in traveling and attending the conference has closed the door to students and attendees from academia.

It is important to us to make events like these easily available to college students. Those students will soon become laboratory testers, agency validators, and developers – the next generation of IT professionals. We have taken pride in educating and lifting up the IT security community, including those studying for the future.

The bootcamp is an event intended to carry out our idea of attracting a new group of attendees: the STEM students. We started with Concordia and UT Austin. We are pleased to have created the opportunity for students, who could be our future colleagues, to interact with industry and government leaders, as well as policy makers, without meeting and travel expenses.



The Crypto Module Bootcamp brought students together with experts from academia, industry, government, standards bodies and laboratories for an exchange on topics including artificial intelligence, quantum computers, cryptography, entropy and much more. We wanted to make sure the students got a glimpse of what the world of IT security entails and showcase the variety of ways it touches our lives.

The event opened with a welcome address by atsec president and co-founder Sal La Pietra, followed by an introduction of the first recipient of the Bertrand du Castel Memorial Scholarship. Keynote speaker Professor Scott Aaronson took the stage with a very informative and entertaining presentation about the use of cryptography for Safe AI.

This was followed by a panel discussion on Safe AI and Secure Cyberspace with Prof. Scott Aaronson; NIST Fellow Dr. Lily Chen; Eric Hibbard, Head of US INCITS delegation for ISO/IEC JTC1/SC27; and the Director of NIAP, Jon Rolf. Dr. Yi Mao, atsec US CEO, moderated the panel discussion.

 

The event was perceived as a combination of mini ICMC and mini ICCC, with topics ranging from AI safety to the connected car. An attendee commented, “Its significance is far beyond cryptographic modules. It touched on many aspects for the future cryptographic standards and validation program.” You can find the complete line-up of speakers and panelists, as well as a list of the presentations here at the event website.



After a full day of presentations and discussions, the day ended with a tour of the beautiful Concordia University nature preserve. The overwhelmingly positive feedback and questions about making this a recurring event showed us that we are on the right track. We would like to thank Concordia University, the guest speakers, and all of the participants for making the first bootcamp such a success.

This event was also put together in memory of our friend and colleague, Dr. Betrand du Castel. His wife, Christine, gave a heartfelt speech commemorating his life. We invite you to read our blog article on Bertrand du Castel and his exceptional contributions to the field of smart card security. We took the opportunity to collect some deeply touching stories and insightful quotes from a few of Bertrand’s former colleagues and friends.

On behalf of Concordia University, who generously opened their campus for this event, we invite you to donate to their STEM program.

Donations can be made online at www.concordia.edu/giving/
Please put “du Castel” in the comments.
 
Or you can mail a check to:
Concordia University Texas
11400 Concordia University Drive
Austin, Texas 78726
 
For more information, please contact
April Kerwin at april.kerwin@concordia.edu or 512-313-5101