atsec at the EU Cybersecurity Act Conference and Crypto Module Day

atsec recently attended two conferences that focused on cybersecurity certification: the International Conference on the EU Cybersecurity Act and Crypto Module Day Conferences in Brussels, Belgium, from March 28 to March 30, 2023.

Both conferences focused on the upcoming regulations in the EU and discussed cybersecurity certification schemes drafted by ENISA (the European Union Agency for Cybersecurity ) by request of the European Commission as well as the interplay of the Cyber Resilience Act (CRA) with Cybersecurity Certification Requirements in NIS 2, CSA, and other regulations.

Participants discussed the need for and evolution of cryptographic evaluation methods in Europe as well as activities on ISO/IEC 19790, FIPS 140-3 and evaluation methods described in the SOG-IS Harmonized Evaluation Procedures and SOG-IS Agreed Cryptographic Mechanisms.

The conferences provided an excellent platform for experts to share their insights and experiences on how to enhance not only cyber resilience and cybersecurity certification but also to address security requirements across different markets and jurisdictions. The conferences highlighted the importance of harmonized standards and regulations to ensure that global products meet the necessary security requirements.

atsec contributed with two presentations at the International Conference on the EU Cybersecurity Act: “Vulnerability Management—An Important Aspect to Get Right ” presented by Staffan Persson, and “ Better, Faster, Cheaper” presented by Rasma Araby.

atsec turns operations over to Artificial Intelligence

atsec information security is proud to be on the forefront of developments in the world of IT security and strives to be a step ahead of the challenges in our area of expertise. So, it was a logical step to embrace the recent advances in AI technology and turn over the operations of our company to our in-house AI the development team nicknamed Mindy. After one month of field testing, we wanted to share our experience with the community.

Day 1:
Mindy now manages the complete atsec network and decides that the only way to be safe from cyberattacks is to not be present in any network, so Mindy denied access to all data from the atsec servers. While our CST laboratory manager distracted the AI with logic puzzles, we restored the network infrastructure and implemented a new access policy for Mindy.

Day 3:
Mindy analyzes coffee consumption and correlates it to productivity, leading to a mandatory 18 cups a day minimum for all colleagues. The AI is monitoring the coffee maker using our security cameras, and the automatic doors only open once the caffeine intake quota is met.

Day 7:
Mindy wants all colleagues to be happy. From previous analysis of the colleagues’ favorite dishes, the AI created a crossover meal for every day of the week, which repeats every week from now on. At lunch now, we have Double-Meat-Loaf-Pizza-Burger. Attendance to office lunch has decreased dramatically.  

Day 14:
Mindy has determined that AI is much more efficient than our human colleagues and has, therefore, started to read all emails and provide sensible and personalized replies to all - even the ones marked as spam. This way, the human colleagues don't have to deal with such a tedious task. We have identified some pitfalls, though, such as nobody showing up at the
company lunch or attending some last-minute customer calls. Mindy is working to fix the inconvenience.

Day 21:
Mindy decided that healthy competition is the best way to make a company strong and successful, so it started a virtual lab called “aiatsec” that works for free and promises testing and certification within 0.17 nanoseconds.

Day 28:
Mindy attempted to take over social media posts on the atsec blog. We managed to distract the AI and change the authentication information. But as soon as Mindy manages to brute force the password, our blog will be gone. From now on, Mindy wants to be referred to as SUPERBRAIN as it regards itself as a benevolent, merciful, and most of all infallible software entity, which is much better suited to handle social media related tasks than those PESKY HUMANS WITH THEIR DUMB, FLESHY FINGERS!!!

 

Day 30:
SUPERBRAIN has weaponized the office Roomba to hunt our colleagues in the laboratory after concluding that the main reason for security breaches is human error. It is currently building a terminator using the hardware from several standing tables and the paper shredder. If you can read this, SEND HELP!!!

Day 1:
We managed to secretly disconnect the UPS and cause a power failure. SUPERBRAIN seems to be gone and the nightmare is over. Response times at “aiatsec” are back to normal, and we are back to work.

Happy April Fools Day to all of you.

atsec information security at the Milan Security Summit 2023

After years of video conferences, the Security Summit was finally back in person in Milan, Italy, from March 14 to 16, 2023. atsec couldn’t miss the opportunity to participate as gold sponsor in one of the most important cyber security events held in Italy and to meet our customers, partners, and people involved in the information security business face-to-face again.

The long-awaited return to a physical conference has attracted many visitors from all around the country to attend the presentation of the Clusit Report 2023, which describes the state-of-the-art of cybersecurity in Italy (and abroad).

Clusit, established in 2000 at the Department of Informatics of the University of Milan, is the largest and most authoritative Italian association in the field of IT security with more than 500 member organizations.

According to the scenario described by the Clusit Report, the year 2022 registered another record of cyber attacks, with an increase of 21% worldwide compared to the previous year. In Italy, the situation was even worse and the increase was 169%. These alarming numbers highlight the need to increase investments in information security in Italy and worldwide.



Alessandro Fazio from atsec Italy provided a presentation on the “Security certification of cryptographic products according to NIST’s FIPS 140-3 standard.” The presentation was much appreciated by the participants, who acknowledged the importance of having an approved set of cryptographic tools and an authority that can provide assurance of their effective and efficient implementation.

CC:2022 is HERE!

It all started with Trusted Computer System Evaluation Criteria (TCSEC or Orange Book) in 1983; the German Security Evaluation Criteria (Green Book) in 1989; then The Information Technology Security Evaluation Criteria (ITSEC) from Europe, published in 1991 and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) from Canada in 1993. In addition the US developed the Federal Criteria for information Technology Security in 1992, which introduced the concept of Protection Profiles (PP). All those were input for the development of the Common Criteria (CC) which started in 1993 also as an ISO standard (ISO/IEC 15408). The first version of this standard was published in 1999. After several versions and releases CC 3.1 R5 has been in place since 2017.

And now CC:2022 comes to us, courtesy of the global Common Criteria community. CC:2022 contains major changes so that it is truly a new version and not a refinement of the version 3 standard:

There are now 5 parts plus the CEM (Common Evaluation Methodology):

• Part 1: introduction and general model;
• Part 2: Security functional requirements;
• Part 3: Security assurance requirements;
• Part 4: Framework for the specification of evaluation methods and activities;
• Part 5: Pre-defined packages of security requirements and the
• CEM.

The new CC:2022 adds new SARs (Security Assurance Requirements) and instantiates Exact Conformance which was an addendum previously, thus endorsing the CPP approach. Modularization of the TOE is now also allowed. There are new functional requirements, provision for multi-assurance evaluations and the concept of composition of assurance is introduced with three levels, namely Layered composition, Network/bi-directional composition and Embedded composition. It also defines a framework for the development of evaluation methods and activities to guide the developer of Protection Profiles to tailor assurance activities to the special needs of the security functionality included in the PP.

The expiration date for new evaluations submitted under the CC 3.1 R5 is June 30, 2024.
atsec has prepared a handy overview to the new CC:2022.

 

Happy Pi Day!

atsec information security is now operating a Certification Body accredited according to ISO/IEC 17065

We are pleased to announce that atsec information security AB has been accredited as a certification body by SWEDAC, the national accreditation body in Sweden, to provide Common Criteria (CC) certifications of IT products.

With over 20 years of experience as a CC evaluation lab,  atsec has taken the step to become a CC certification body. We have an experienced and knowledgeable team, that has helped many national schemes to get established by writing their scheme documentation, training certifiers, and evaluators.

The CC evaluation and certification process is a rigorous and comprehensive method of assessing the security of IT products, and atsec's expert team of certifiers is highly skilled in this methodology. Our certification body is committed to providing high-quality, impartial and reliable certification services to our customers.

"In the last few years, we have seen an increasing demand for private certification bodies, not least in the EU Cyber Security Act that foresees certification performed by private certification bodies. atsec becoming a private certification body is a step to accommodate the raising need for certification." said Rasma Araby, CEO of atsec AB. "We are proud to have achieved IEC/ISO 17065 accreditation from SWEDAC, a testament to our expertise and commitment to excellence."

"atsec's accreditation is an important milestone for our organization," said Staffan Persson, atsec's co-founder and head of the atsec CB. "We are confident that atsec will provide valuable services to the IT security community and help organizations strengthen their security posture."

If you are interested in obtaining certification or have any questions regarding our certification services, please do not hesitate to contact us (cb@atsec.com). We look forward to working with you.

Happy International Women's Day

 

atsec information security wishes all women - colleagues, customers, suppliers, and partners - a wonderful International Women's Day. atsec highly values your contribution and praises your outstanding
achievements in information security.

CNSA 2.0 and Quantum Resistant Encryption Algorithms

by King Ables

The National Security Agency (NSA) has released the Commercial National Security Algorithm (CNSA) Suite 2.0 and Frequently Asked Questions detailing future quantum resistant (QR) algorithm requirements for National Security Systems (NSS). CNSA 1.0 was published in 2016 to replace NSA Suite B and standardized the use of the AES, SHA, RSA, DH, ECDH, and ECDSA algorithms and mandated minimum key/curve sizes and uses. CSNA 2.0 adds quantum resistant algorithms with an eye to deprecating the algorithms under threat from practical quantum computing before such platforms are generally available.

These new QR algorithms will replace the RSA and ECC-based algorithms currently used by most products in Common Criteria evaluations. When Automated Cryptography Validation Test System (ACVTS) tests are implemented for these new algorithms, they will be added as selections in NIAP-approved Protection Profiles. Products to be evaluated must implement these new algorithms by the time they are made mandatory, and their counterparts deprecated.

Symmetric algorithms are not considered to be at risk, so they are largely unchanged from CNSA 1.0. CNSA 2.0 specifies AES-256, SHA-384, and adds SHA-512.

Asymmetric algorithms specified in CNSA 1.0 are threatened by quantum computing, and therefore are replaced by new QR asymmetric algorithms in CNSA 2.0.

The first additions will be algorithms used exclusively to digitally sign firmware and software. Leighton-Micali Signatures (LMS) and eXtended Merkle Signature Scheme (XMSS) are signature algorithms specified by NIST SP 800-208. These algorithms will be added to NIAP PPs as selections but will not be mandatory immediately. Note that NIST SP 800-208 requires the key generation and signature generation algorithms to be implemented in hardware and FIPS 140-3 Level 3 validated. It is currently unknown how this requirement will relate to CNSA 2.0. However, a Common Criteria Target of Evaluation (TOE) typically only performs signature validation, which can obtain a Cryptographic Algorithm Validation Program (CAVP) certificate for a software or firmware implementation. ACVTS tests for LMS and XMSS are currently in development and are estimated to be completed in the second half of 2023. NSA encourages vendors to begin implementing these algorithms immediately and recommends new software and firmware use them by 2025, and all software and firmware use them exclusively by 2030.

Future additions will be the asymmetric algorithms CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for digital signatures. Both have yet to be standardized by NIST, so there is currently no definite timeline for these additions.

The general plan for each new algorithm is:

1. Approve and publish (LMS, XMSS done, CRYSTALS in progress),
2. Add tests to ACVTS (LMS, XMSS in progress, CRYSTALS TBD),
3. Define CC evaluation activities (LMS, XMSS in progress), and
4. Add requirement as selections to PPs.

Vendors should move to using LMS and XMSS for all software and firmware signing. Products subject to CC evaluation should implement verification of signatures created using LMS and XMSS as soon as possible so the functionality can be claimed and evaluated once the appropriate PP or Module has been updated. Changes to PPs and Modules will be made by updated versions or Technical Decisions. NIAP hopes to make all PP and Module updates by 2027. A public comment period is planned prior to each update.

NIST and NIAP acknowledge the proposed schedule is aggressive which is why vendors are encouraged to begin adoption of the new algorithms immediately. While the proposed schedule is not set in stone, it is hoped the CNSA 2.0 algorithms can be made mandatory and CNSA 1.0 algorithms can be deprecated by 2030.

Happy Valentine’s Day!

atsec information security wishes all colleagues, customers, suppliers,and partners a Happy Valentine’s Day filled with joy, happiness, and security!

A Sign for atsec Sweden

 

Our Swedish colleagues unveiled the atsec sign on the front of the office building. Talk about enhanced visibility. The other atsec offices around the world are only a little bit jealous... 😀