Friday, June 14, 2024

Changes Coming to NIAP Entropy Assessment Reports in 2025

“What do you say to a room full of DRBGs standing around you? Everyone, please be seeded.”
  -Quin, atsec tester


When things change, it can help to approach that change with a light heart like this.

Recently, NIAP announced that Entropy Assessment Reports (EARs) must include a NIST Entropy Source Validation (ESV) certificate starting at the turn of the year on January 1st, 2025. This change will be most felt by vendors using third-party entropy sources, as it will be necessary for those third-party entropy sources to have an ESV certificate that can be used in the EAR; for vendors using their own software or hardware entropy sources, comprehensive documentation will be required for the ESV assessment, along with more stringent testing.

For the rest of the calendar year (CY24), EARs do not require an ESV certificate, and vendors using third-party entropy sources can provide clearly stated estimates of how much entropy their third-party solution provides. That said, getting a head start and going through an ESV assessment to get a certificate can help you prepare for both FIPS and NIAP CC evaluations, and can be used to strengthen your EAR for NIAP before the change goes into effect.

If you’re uncertain how to approach these changes, we’re always available to answer questions via phone or email, and Quin and our other testers have already taken training to understand how to navigate the road ahead. Rest assured, we’ll approach it with a light heart.

You can read NIAP’s announcement regarding the upcoming changes on their website in Labgram #118/Valgram #137, and a more detailed overview of the changes is available in NIAP’s Clarification to the Entropy Documentation and Assessment Annex document.

Friday, June 7, 2024

BSI NESAS CCS-GI Scheme Updates



We'd like to inform our customers and partners that the German Federal Office for Information Security (BSI) recently published new documents approving the use of additional Security Assurance Specifications (SCAS) under the BSI 5G NESAS Certification and Evaluation Scheme (BSI NESAS CCS-GI).

We encourage our customers to fully review the newly published documents and explore how these additional approved SCAS might be useful in achieveing NESAS CCS-GI certification. The full update can be found on BSI’s website for NESAS CCS-GI (https://www.bsi.bund.de/dok/NESAS-Dokumente); for a quick summary, the following SCAS have now been approved:

  • TS 33.523 18.2.0
  • TS 33.526 18.1.0
  • TS 33.527 18.2.0
  • TS 33.528 18.0.0
  • TS 33.537 18.2.0

Note that, while BSI have not made any changes to the above SCAS, the refinements for TS 33.117 (as described in the AIS N2 document) are still applicable for SCAS that refer to TS 33.117, such as TS 33.526.

As always, our team is ready to assist with any questions or provide guidance regarding this update.

Get in Touch
For more information on the newly approved SCAS and how they relate to your product lines, please don't hesitate to reach out to us. These services are provided by atsec via the German office.

Email: info@atsec.com
Phone: +49-89-442-49-830
Website: www.atsec.com

Stay tuned for more updates as we continue to bring you the latest within 5G security evaluation and certification.

Tuesday, April 23, 2024

EUCC and Cybersecurity Certification in Europe



The European Union Agency for Cybersecurity (ENISA) hosted a cybersecurity certification conference on April 18, 2024, in Brussels, Belgium. The conference very much focused on the implementation of the EUCC - European Cybersecurity Certification Scheme. This scheme, based on the established Common Criteria (CC), aims to harmonize cybersecurity assessments for Information and Communication Technology (ICT) products in Europe.

Transitioning phase
While the EUCC officially launched in February 2024, a transition period is in place to ensure a smooth shift from existing national schemes. Here's a breakdown of what to expect:

  • 2024: This year serves as a grace period for national certifications. Existing certificates issued under national schemes remain valid until their expiration date.
  • 2025 and beyond: It's anticipated that by 2025, the EUCC will become the dominant certification scheme across Europe. National schemes are expected to be phased out completely, making the EUCC the sole gateway for cybersecurity certification within the EU.

A Look Ahead: Embracing the EUCC
The EUCC signifies a positive step towards a more robust cybersecurity environment in Europe. As we move into the latter half of 2024 and beyond, here's what to keep in mind:

  • National Cybersecurity Certification Authorities (NCCAs) and Conformity Assessment Bodies (CABs): Establish the necessary certification structure; achieve required authorizations and accreditation.
  • Manufacturers: Familiarize yourself with the EUCC requirements and consider initiating the certification process for your products. Also, consider post-certification vulnerability handling requirements that will be enforced by the EUCC.
  • Consumers: Look for the EUCC mark when purchasing ICT products and cloud services, signifying their adherence to a rigorous cybersecurity standard.

Market uptake
Predicting the exact pace of market uptake of the EUCC is difficult, but global certificate recognition, well defined and streamlined certification processes would make the scheme attractive to the manufacturers of the ICT products. The future of the EUCC might also be impacted by broader European cybersecurity regulations that could potentially mandate the use of the scheme for certain types of products.
Rasma Araby, from atsec information security, participated in the panel discussion “How to handle vulnerabilities in certified solutions,” discussing vulnerability management and disclosure procedures compliance with the obligations outlined in the EUCC.

What can atsec do for you?
Since the start of the ENISA initiative in 2018, we have been actively contributing to the EUCC development. We regularly inform our customers of the progress to help them benefit from EUCC certification. 
If you are interested in performing EUCC certification or have questions regarding our evaluation services, please do not hesitate to contact us (info@atsec.com). We look forward to working with you.


Wednesday, April 10, 2024

atsec Adds FIDO Evaluation Qualification



atsec information security (branded as “atsec”) has been qualified by the FIDO Alliance as one of the FIDO Accredited Security Laboratories to evaluate the authenticator products. The accreditation has been listed on the official website of the FIDO Alliance: https://fidoalliance.org/certification/authenticator-certification-levels/accredited-security-laboratories/

In addition, atsec is also one of the FIDO members (https://fidoalliance.org/members/) and contributes to the industry.

Passwords are the root cause of over 80% of data breaches, making them the main problem of cybersecurity. With the average user having more than 90 online accounts, up to 51% of passwords are reused across those accounts. According to the research of FIDO Alliance, the average help desk labor cost for a single password reset is up to $70.

FIDO, short for “Fast IDentity Online”, is a series of authentication standards that help reduce reliance on passwords. As an accredited security laboratory by the FIDO Alliance,. atsec information security offers the following security evaluation services for your authenticator products:

  • FIDO2: FIDO2 is comprised of the W3C Web Authentication (WebAuthn) and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance.
    • WebAuthn: WebAuthn defines a standard web API that is being built into browsers and platforms to enable support for FIDO Authentication.
    • CTAP2: CTAP2 allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.
    • CTAP1: Formerly known as “FIDO U2F”, CTAP1 allows the use of existing FIDO U2F devices (such as FIDO Security Keys) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a second-factor experience.
  • FIDO UAF: FIDO UAF supports a passwordless experience for online service on users’ own device with local authentication mechanisms such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc.

The FIDO2 and FIDO UAF protocols have been identified within the common specification authenticator security goals. There are 16 Security Goals (SG) identified by FIDO, and 29 Security Measures (SM) that can be implemented to cover the security goals for FIDO authenticators. Ten Security Requirements are derived to support the Security Measures:

  • Authenticator definition Derived Requirements
  • Key Management and Authenticator Security Parameters
  • Authenticator’s Test for User Presence and User Verification
  • Privacy
  • Physical Security, Side Channel Attack Resistance and Fault Injection Resistance
  • Attestation
  • Operating Environment
  • Self-Tests and Firmware Updates
  • Manufacturing and Development
  • Operational Guidance

Passwords and other forms of legacy authentication, such as SMS OTPs, are knowledge-based, a hassle to remember, and easy to phish, harvest, and replay. FIDO helps shift from this legacy, knowledge-based authentication scenario to a modern, possession-based and phishing-resistant authentication scenario.

The security testing of the authenticator products against FIDO standards allows vendors to integrate their authenticators into modern and FIDO-enabled online services and provides their users with a flawless authentication experience. This also reduces the risk of a password being forgotten or stolen.

atsec is ready to partner with you to help you understand the requirements of the standard, test your authenticator products, and achieve the FIDO certification.

The products being compliant with the FIDO UAF, FIDO U2F, and FIDO2 specifications and evaluated by a security laboratory (e.g. atsec) can be certified and listed by FIDO alliance on the official website: https://fidoalliance.org/certification/fido-certified-products/.

For more information about atsec, please visit: https://www.atsec.com.

Monday, April 1, 2024

atsec AB first IEEE 2621 Accredited Medical Device Testing Facility

atsec AB Stockholm, Sweden is thrilled to announce:  We are the first IEEE Authorized Testing Facility!

We've officially been approved as an IEEE Authorized Testing Facility, making atsec AB Stockholm, Sweden the first company able to provide testing of medical devices according to the IEEE 2621 standard. Additional locations include atsec corporation Austin TX, USA and atsec GmbH Munich, Germany.

 

The IEEE, or Institute of Electrical and Electronics Engineers, is a globally recognized leader in developing technical standards. Earning their authorization as a testing facility demonstrates our capability to conduct rigorous and reliable security evaluations of medical devices according to the IEEE 2621 standard.


Importantly, the IEEE 2621 standard is recognized by the Food and Drug Administration (FDA), the leading regulatory body for medical devices in the United States. This recognition signifies that the FDA considers the standard to be a valuable tool in ensuring medical device security.


Proven Expertise Through Pilot Projects
"We enthusiastically embraced the opportunity to become a player in this domain when IEEE first contacted atsec in July 2022," said Sal La Pietra, President and founder of atsec.
We're particularly proud of this achievement because it follows the successful completion of two pilot projects that used the IEEE 2621 standard for medical device testing. These projects allowed us to refine our processes and demonstrate our expertise in applying this standard," added Rasma Mozuraite Araby, Managing Director of atsec AB in Stockholm, Sweden.

Looking Ahead: Medical Device Testing

As an IEEE Authorized Testing Facility with laboratories in Sweden, the U.S., and Germany, atsec is now positioned to offer our clients a suite of testing services that ensure their medical devices meet the industry's security benchmarks. If you're looking for a reliable partner to verify the security of your medical devices, contact us today to discuss your specific needs.

BREAKING NEWS: c@tsec information security Unveils Revolutionary Quantum Computer


April 1, 2024 – Austin, TX: In a groundbreaking announcement today, c@tsec information security, a subsidiary of atsec information security, and the leader in quantum computing technology, proudly unveils its latest innovation: the Quantum PurrProcessor™.

The Quantum PurrProcessor™ operates on a revolutionary principle, harnessing the power of Schrödinger's Cat to perform computations beyond the limitations of classical computers. By forming a matrix of 1024 by 1024 cardboard boxes, each containing a Schroedinger’s cat either alive or dead, we achieve a never before seen computing power of 10242 CuteBits.

"We are ecstatic to introduce the world to our feline-fueled quantum computing marvel," said Stephan Mueller, Principal Consultant and Chief Feline Officer at c@tsec. "Our approach not only pushes the boundaries of quantum mechanics but also provides a cozy home for these quantum kitties."

However, due to strict animal welfare regulations, c@tsec’s scientists had to make a few adjustments. Instead of furry felines who could be either alive or dead, our boxes are now filled with state-of-the-art RoboCats™ driven by the newest generation of AI, thus merging several cutting-edge technologies.

"Our RoboCats™ are programmed with the indecision of a real cat and the computational prowess of a quantum physicist," said Mueller. "And they don't shed – a win-win for both computing efficiency and office cleanliness!"

Once more atsec information security proves to the world that easy solutions to difficult problems are possible. The Quantum PurrProcessor™ will be available for purchase in the near future. Maybe 5 years from now. Or on April 1st 2025.

Wednesday, March 27, 2024

XDRGB - Random Bit Generator using any XOF

Resulting from a joint collaboration between John Kelsey (NIST), Stefan Lucks (Bauhaus-Universität Weimar, Germany) and Stephan Müller (atsec information security), a new deterministic random bit generator (DRBG) is published. The XDRBG was publicly presented at the 30th Fast Software Encryption Conference 2024 in Leuven, Belgium.

The XDRBG uses an extensible output function (XOF) as primitive which allows the use of SHAKE algorithm (FIPS 202), as well as Ascon, the finalist in the NIST lightweight cryptographic algorithm competition. In addition, other XOF functions are allowed to be used with the XDRBG specification.

The DRBG is significantly smaller compared to the DRBGs defined in SP800-90A. The XDRBG specification not only defines the algorithmic part of the XDRBG, but also provides a mathematical proof of its design. The security proof applies to all usable XOFs. In the not too far future, the XDRBG specification will also be supplemented by an appendix mapping it to the German AIS 20/31 specification. The specification also maps to the model defined in the NIST SP800-90A standard.

A standalone reference implementation is available at Github.

Friday, March 1, 2024

Crypto Module Bootcamp 2024

On Tuesday, February 27, 2024, atsec information security hosted a free day-long hybrid event on the Concordia University campus in Austin, TX. With 330 registered attendees, both in-person and remote, we have by far surpassed our original attendance estimate.

When atsec started the International Cryptographic Module Conference (ICMC) in 2013, we wanted to create a forum for the stakeholders in the crypto module world to come together. The ICMC has flourished over the last ten years and is now a well-established and highly regarded conference for IT security professionals. However, the cost involved in traveling and attending the conference has closed the door to students and attendees from academia.

It is important to us to make events like these easily available to college students. Those students will soon become laboratory testers, agency validators, and developers – the next generation of IT professionals. We have taken pride in educating and lifting up the IT security community, including those studying for the future.

The bootcamp is an event intended to carry out our idea of attracting a new group of attendees: the STEM students. We started with Concordia and UT Austin. We are pleased to have created the opportunity for students, who could be our future colleagues, to interact with industry and government leaders, as well as policy makers, without meeting and travel expenses.



The Crypto Module Bootcamp brought students together with experts from academia, industry, government, standards bodies and laboratories for an exchange on topics including artificial intelligence, quantum computers, cryptography, entropy and much more. We wanted to make sure the students got a glimpse of what the world of IT security entails and showcase the variety of ways it touches our lives.

The event opened with a welcome address by atsec president and co-founder Sal La Pietra, followed by an introduction of the first recipient of the Bertrand du Castel Memorial Scholarship. Keynote speaker Professor Scott Aaronson took the stage with a very informative and entertaining presentation about the use of cryptography for Safe AI.

This was followed by a panel discussion on Safe AI and Secure Cyberspace with Prof. Scott Aaronson; NIST Fellow Dr. Lily Chen; Eric Hibbard, Head of US INCITS delegation for ISO/IEC JTC1/SC27; and the Director of NIAP, Jon Rolf. Dr. Yi Mao, atsec US CEO, moderated the panel discussion.

 

The event was perceived as a combination of mini ICMC and mini ICCC, with topics ranging from AI safety to the connected car. An attendee commented, “Its significance is far beyond cryptographic modules. It touched on many aspects for the future cryptographic standards and validation program.” You can find the complete line-up of speakers and panelists, as well as a list of the presentations here at the event website.



After a full day of presentations and discussions, the day ended with a tour of the beautiful Concordia University nature preserve. The overwhelmingly positive feedback and questions about making this a recurring event showed us that we are on the right track. We would like to thank Concordia University, the guest speakers, and all of the participants for making the first bootcamp such a success.

This event was also put together in memory of our friend and colleague, Dr. Betrand du Castel. His wife, Christine, gave a heartfelt speech commemorating his life. We invite you to read our blog article on Bertrand du Castel and his exceptional contributions to the field of smart card security. We took the opportunity to collect some deeply touching stories and insightful quotes from a few of Bertrand’s former colleagues and friends.

On behalf of Concordia University, who generously opened their campus for this event, we invite you to donate to their STEM program.

Donations can be made online at www.concordia.edu/giving/
Please put “du Castel” in the comments.
 
Or you can mail a check to:
Concordia University Texas
11400 Concordia University Drive
Austin, Texas 78726
 
For more information, please contact
April Kerwin at april.kerwin@concordia.edu or 512-313-5101

Wednesday, February 14, 2024

Happy Valentine's Day!

Happy Valentine's Day to our customers, our partners, colleagues and communities around the world that we work with.

Thursday, January 11, 2024

Happy Birthday, atsec!

As always on the 11th of January atsec celebrates its birthday.
This year it is the 24th! As they say: time flies when you're doing IT security!
Our best wishes and thanks to all of the contributors: our customers, our partners, and our colleagues.