Monday, August 8, 2022

Clarice Assad's Residence Workshop with Austin Classical Guitar Society


by Salvatore La Pietra

This is a different kind of blog entry, not about technical expertise or atsec’s latest achievement.
It is a 32-minute clip, ending with atsec credited as a sponsor, that documents
Clarice Assad's Residence Workshop with the Austin Classical Guitar Society (ACGS):


https://www.youtube.com/watch?v=aeaNM-bIh-M

I had the opportunity to meet with Matthew Hinsley, Executive Director, and Joe Williams, Artistic Director of ACGS, when they proposed to support the residence of Clarice with the Austin Classical Guitar Youth Orchestra (ACGYO). For atsec, it was essential that funding would support education.  

My son has been involved with ACGS since an early age. I met teachers, students, and musicians of all ages and genders. I have always been fascinated with the passion, focus, and amount of time spent on the instrument. Several of these young students will undertake a STEM career in Engineering, Computer Science, and Medicine and be brilliant, thanks to their focus over the years of learning the instrument.

Several colleagues within atsec play instruments or are involved with some form of artistic activity, reminding me that our profession, too, requires focus and creativity to get tests working and write a detailed report.

Clarice Assad is phenomenal, and the young guitarists are creating, with her help, an authentic piece of art. The final result is outstanding and original. Enjoy it. For once, it is not all about atsec, though atsec contributed to making it possible!

Monday, August 1, 2022

atsec Became One of the First PCI DSS v4 QSA Companies

atsec China (“atsec” for short in this article) has completed the training and examination on “PCI DSS QSA Version 4 Transition” provided by the Payment Card Industry Security Standards Council (PCI SSC) and has become one of the first Qualified Security Assessor (QSA) companies globally able to perform assessments according to the new version of the PCI DSS standard (version 4.0).


PCI DSS v4.0 was released on 31 March 2022. The goals of the new evolution of the standard are: 1) to continue to meet the security needs of the payment industry, 2) to promote security as a continuous process, 3) to add flexibility for different methodologies, and 4) to enhance validation methods.
As one of the Global Executive Assessor Roundtable (GEAR) members, atsec was actively involved in the development of the new standard and related documentation (e.g., the reporting template).


Figure: PCI DSS v4.0 Implementation Timeline (Source from PCI SSC)

As shown in the figure above, on 31 March 2024 the old version of the standard, PCI DSS v3.2.1, will be retired. atsec has developed and maintains its own tools and methodologies for PCI DSS v4.0 compliance and assessment. atsec is willing to support assessed entities in adopting the new standard efficiently and provides assessment services as needed during the transition period.


Monday, July 25, 2022

Challenges and Opportunities


Many of us who have been in the evaluation and certification (validation) business have seen the development not only of security requirements and schemes, but also of how the “security ecosystem” works. A few weeks ago, I was generously given the opportunity to share some ideas at the EU CSA conference in Brussels. Here is a short summary of the ideas behind that presentation.

What makes a scheme successful?
No scheme will survive without a market demand. Just being technically brilliant and formally correct will not make it a successful scheme. We have seen quite a number of schemes being established and operated over the years. Quite often, the scheme developers are technicians with a focus on requirements and formalism; however, a successful scheme needs:

  • Market demand (without a demand no use)
  • Credibility (both requirements and scheme operation)
  • Wide recognition in its target areas (geographical and over industries)
  • Reasonable effort (cost and time effective)
  • Availability of competence and resources (mainly personnel)
  • Maintenance (over time and ability to adapt)
  • Pragmatism (not losing touch with reality) 

Market demand is most important. Sometimes, even technically “poor” schemes may turn out to be successful just because they are there to meet a market demand. Any imperfections of a scheme that meets market demand may be fixed over time because it will be used.

Give them the third best to go on with; the second best comes too late, the best never comes.
— Watson-Watt in Louis Brown “Technical and Military Imperatives” (1) 

What are the security trends and why?
The first published security criteria came with the development of the Trusted Computer System Evaluation Criteria (TCSEC) in the U.S., usually called the Orange Book. These requirements were specific to operating systems used within the U.S. DoD to protect classified information, implementing the Bell-LaPadula security model. Later, additional requirements were added for (database) applications, such as the Trusted Database Interpretation of the TCSEC (TDI), and for interconnection, such as the Trusted Network Interpretation of the TCSEC (TNI), along with a whole series of nicely written documents describing maintenance, integrity, audit, etc.

The TCSEC evolved from specific requirements toward generic requirements through the creation of TCSEC interpretations. Still, the main problem of the TCSEC was that it combined functionality and assurance: more security functionality came along with higher assurance requirements. The change came with developments in Europe, especially with the German Security Evaluation Criteria, which were the first to decouple functionality and assurance and required the developer to describe its security functionality in a ‘Security Requirements Document’, now called a Security Target. This approach was adopted by the European ITSEC, the U.S. Federal Criteria and finally the Common Criteria, which are all very general security criteria rather than product-type-specific requirements: a sort of meta-requirements providing ‘building blocks’ one could choose from and refine for specific products or product types. Only in their application, through Protection Profiles and Security Targets, did they become specific. Having a common base was a major advancement in avoiding fragmentation of criteria and schemes. It meant that the criteria would be suitable not only for different products but also for future ones, unknown to the criteria developer.

Today we see a trend back toward specific requirements, even sector-specific requirements and schemes, while at the same time products are being developed for and used in different sectors, using the idea of Protection Profiles as first defined in the U.S. Federal Criteria and later adopted by the Common Criteria.

It’s easier to apply specific criteria, and to ensure consistent, repeatable and reproducible testing against them, than against generic meta criteria such as the classic Common Criteria. However, it requires fast and effective maintenance of those specific criteria to keep them up to date with the technology. Otherwise, it may take years before new products can be evaluated, simply because criteria development usually takes too much time and may not start until products are available and in demand by security-aware customers.

Finally, if different sectors have different criteria, fragmentation will cause additional costs for vendors if products are used in different markets with their own criteria such as the government, telecom, vehicle, financial industry, etc.

It is obvious to everyone that the pace of the IT industry has changed, with short development cycles for new product versions and new features. The development cycles may easily be shorter than the time necessary for evaluation and certification, meaning only outdated products will be certified. So customers will be using either outdated or uncertified products. Also, an evaluation may not only confirm security but also detect deficiencies that will then be fixed by developers. These fixes should not only be made to outdated versions so that they can be certified, but rather (and more importantly) to the newer versions being deployed.

The obvious solution would be to focus both on the development methods and processes and on the products. Security is not a property that comes with an evaluation; it is a property that has to be built into the product, and the purpose of the evaluation is to confirm this. This has long been known by the quality management community but seems largely ignored by the security evaluation and certification community. Years ago, in preparation for the new version of the Common Criteria, BSI initiated a project on “predictive assurance” focusing on the development methods and processes (2), a project that, for different reasons, was unfortunately never finished. However, a few other schemes have picked up the idea.

The real value of tests is not that they detect bugs in the code,
but that they detect inadequacies in the methods, concentration,
and skills of those who design and produce the code.

— C. A. R. Hoare, How Did Software Get So Reliable Without Proof? (3) 

Summary
So, how can criteria and scheme development be improved? Here are a few suggestions:

  • Strong industry involvement is essential, mainly for input from development processes, developer tools, and new technologies.
  • Product life cycles are usually short, which calls either for fast certifications or for certification of the development and maintenance processes.
  • Consider the developer, development processes, and product life-cycle. That’s where assurance actually starts.
  • We don't need criteria for the technology of yesterday but for the technology of today and technology that we may not even know of. So, we need criteria that are either so generic that they will work or we need very good criteria maintenance.
  • International cooperation and recognition is key. Criteria may not be able to handle all national aspects, but there is still no need to reinvent the wheel.
  • Be pragmatic. Decide on what is good enough and fit for purpose.

Striving to better, oft we mar what's well
— Duke of Albany in Shakespeare's King Lear

(1) Louis Brown, Technical and Military Imperatives: A Radar History of World War II, 1999.
(2) Irmela Ruhrmann, Predictive Assurance, BSI, 9th ICCC, Jeju, Korea, September 2008.
https://www.commoncriteriaportal.org/iccc/9iccc/pdf/A2402.pdf
(3) C. A. R. Hoare, How Did Software Get So Reliable Without Proof?, Industrial Benefit and Advances in Formal Methods, Third International Symposium of Formal Methods Europe, Oxford, UK, March 18-22, 1996.
https://www.gwern.net/docs/math/1996-hoare.pdf

Monday, July 11, 2022

Update on the IT Security Standards in China

by Yan Liu

(“Information Security and Cryptography” in Chinese Calligraphy)

This article provides an up-to-date overview of IT security standards and of the current situation of IT security testing and certification in China. It also covers topics related to security assessment and compliance in the financial industry.

Security standards are established to support organizations in improving their information security baseline and mitigating potential risks. As shown in the figure below, an organization may establish its own information security policy, including appropriate security controls, by considering the compliance requirements of regulators and partners as well as its own business and technical requirements. These controls can be defined based on best practices, such as industry standards, national standards, international standards, or regulations.

Figure 1: Standards viewed from an organization perspective

The situation is likely similar for every organization in the world, although standardization processes and methods vary between countries and regions. The focus of this discussion is on the situation in China.

First, a high-level structure of security national standards in China is given.

Overview of information security national standards in China

In China, the National Information Security Standardization Technical Committee (“TC260”) is responsible for organizing technical work engaged in information security standardization. Currently, the following working groups are focusing on different areas of information security:

WG1 - Information security standard system and coordination
WG3 - Cryptographic technology
WG4 - Authentication and authorization
WG5 - Information security evaluation
WG6 - Communication security standard
WG7 - Information security management
WG8 - Big data security standard

According to the official TC260 website, there are 339 national security standards issued as of 7 June 2022. The high-level classification and structure of information security national standards are as follows:

  1. Basic standards
    • Glossary: GB/T 25069 “information security technology – Glossary”
    • Framework and model: e.g., GB/Z 29830 “a framework for IT security assurance,” which is identical to ISO/IEC 15443
  2. Technology and mechanism standards
    • Cryptographic algorithms and technology: e.g., GB/T 32905 “Information security techniques - SM3 cryptographic hash algorithm”; GB/T 32907 “Information security technology - SM4 block cipher algorithm”; GB/T 32918 “Information security technology - SM2 based on elliptic curves”
    • Security identification: e.g., GB/T 36629 “Information security technology - Security technique requirements for citizen cyber electronic identity”
    • Authentication and Authorization: e.g., GB/T 15843 “Information technology - Security techniques - Entity authentication,” which is identical to ISO/IEC 9798
    • Trusted computing: e.g., GB/T 36639 “Information security technology - Trusted computing specification - Trusted support platform for server”
    • Biometric recognition: e.g., GB/T 36651 “Information security techniques - Biometric authentication protocol framework based on trusted environment”
    • Identification management: e.g., GB/T 31504 “Information security technology - Authentication and authorization - Digital identity information service framework specification”
  3. Security management standards
    • Information security management system: e.g., GB/T 22080 “Information technology - security techniques - information security management systems – requirements,” which is identical to ISO/IEC 27001; GB/T 22081, which is identical to ISO/IEC 27002; GB/T 25067, which is identical to ISO/IEC 27006, etc.
    • Risk management: e.g., GB/T 31509 “Information security risk assessment implementation guide”
    • Operation management: e.g., GB/T 36626 “Information system security operation and management guide”
    • Incident management: e.g., GB/T 20985 “Information security incident management,” which is identical to ISO/IEC 27035
  4. Security testing standards
    • Testing criteria: e.g., GB/T 18336, which is identical to ISO/IEC 15408; GB/Z 20283 “Guide for the production of Protection Profiles and Security Targets,” which is identical to ISO/IEC 15446
    • Testing methodology: e.g., GB/T 30270 “Information technology - security technology - methodology for IT security evaluation,” which is identical to ISO/IEC 18045
  5. Products and Services standards
    • Components: e.g., GB/T 37092 “Information security technology - security requirements for cryptographic modules”
    • Security products: e.g., GB/T 33131 “Information security technology - Specification for IP storage network security based on IPSec”
    • IT Products: e.g., GB/T 36950 “Information security technology - Security technical requirements of smart card (EAL4+)”
    • Network critical equipment: e.g., GB/T 25063 “Information security technology - Testing and evaluation requirement for server security”
    • Network security dedicated products: e.g., GB/T 36635-2018 “Information security technology – Basic requirements and implementation guide of network security monitoring”
    • Network services: e.g., GB/T 32914 “Information security technology - Information security service provider management requirements”
  6. Network and System standards
    • Information system: e.g., GB 17859 “Classified criteria for security protection of Computer information system”; GB/T 20274 “Information security technology - evaluation framework for information systems security assurance”; GB/T 22239 “Information security technology - Baseline for classified protection of cybersecurity”; GB/T 36959 “Information security technology - Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity”
    • Office system: e.g., GB/T 35282 “Information security technology - Security technology specifications of mobile e-government system”
    • Communication network: e.g., GB/T 33562 “Information security technology - Secure domain name system deployment guide”
    • Industrial control system: e.g., GB/T 32919 “Information security technology - Application guide to industrial control system security control”
  7. Data security standards
    • Personal information: e.g., GB/Z 28828 “Information security technology - Guideline for personal information protection within information system for public and commercial services”; GB/T 35273 “Information security technology - Personal information security specification”
  8. Organization management standard
    • Organization: e.g., GB/T 35289 “Information security technology - Specification on the service quality of certification authority”
    • Personnel: e.g., GB/T 35288 “Information security technology - Specification on the job skills of certificate authority employees”
    • Supervision: e.g., GB/T 32926 “Information security technology - Information security management specification for government information technology service outsourcing”
    • Supply Chain: e.g., GB/T 36637 “Information security technology - Guidelines for the information and communication technology supply chain risk management”
  9. New technology and application security standards:
    • Cloud computing: e.g., GB/T 34942 “Information security technology - The assessment method for security capability of cloud computing service”; GB/T 35279 “Information security technology - Security reference architecture of cloud computing”
    • Big data: e.g., GB/T 35274-2017 “Information security technology - Security capability requirements for big data services”
    • Internet of things: e.g., GB/T 36951 “Information security technology - Security technical requirements for application of sensing terminals in internet of things”; GB/T 37025 “Information security technology-Security technical requirements of data transmission for internet of things”
    • Mobile: e.g., GB/T 33565 “Information security technology - Security technology requirements for wireless local area network (WLAN) access system (EAL2+)”
    • Critical information infrastructure:
      • Information sharing: e.g., GB/T 36643 “Information security technology - Cyber security threat information format”
      • Monitoring and early warning: e.g., GB/T 32924 “Information security technology - Guideline for cyber security warning”
      • Incident emergency response: e.g., GB/T 24363 “Information security technology - Specifications of emergency response plan for information security”

For these Chinese national standards, a serial number follows the prefix “GB,” “GB/T,” or “GB/Z.” Mandatory national standards are prefixed with “GB.” Based on the current index information (as of 7 June 2022) published by TC260, GB 17859-1999 is the only mandatory standard. GB standards are the basis for the product testing that products must undergo during China Compulsory Certificate (CCC or 3C) certification. If there is no corresponding GB standard, CCC is not required.

Recommended national standards are prefixed with “GB/T,” and related organizations are encouraged to implement these standards voluntarily. As we can see from the list above, most of the Chinese standards in the information security area are recommended standards.

“GB/Z” means the standard is for guidance only.

A few organizations in China related to IT security testing, evaluation, and/or certification are introduced in the next section.

Organizations related to IT security testing, evaluation, and/or certification

The Chinese national standards could be used to perform IT security testing, evaluation, and/or certification related to products, services, management systems, etc.

Figure 2: Organizations related to IT security testing, evaluation, and/or certification

As shown in the above figure, there are two high-level dimensions to consider for cyber security testing and/or certification: one is certification and accreditation, and the other is cyber security itself.

From the dimension of certification and accreditation, the China National Accreditation Service for Conformity Assessment (“CNAS” for short) is the national accreditation body of China responsible for the accreditation of certification bodies, laboratories, and inspection bodies. It was established under the approval of the Certification and Accreditation Administration of the People’s Republic of China (CNCA) and is authorized by CNCA in accordance with the regulations. For instance, atsec is one of the global IT security evaluation facilities, with an office in China since February 2006, and atsec China was first accredited by CNAS on 24 December 2010 in accordance with ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories (CNAS-CL01).

As shown in the above figure, the China Cybersecurity Review Technology and Certification Center (“CCRC” for short), formerly named ISCCC (Information Security Certification Center of China), is one of the important certification bodies in China carrying out security certification of products, management systems, services, etc., in order to better address the regulations defined in the national cyber security law issued in 2016 and enforced from 2017. ISCCC was established in 2006 with the approval of the Chinese central government and was authorized by eight government authorities and ministries, including CNCA.

In China, commercial cryptography is regulated by the State Cryptography Administration. I will not introduce the Chinese commercial cryptographic scheme in this article; another article on this topic could be published by atsec at a later time.

In addition to these national standards, some industry standards are adopted and implemented in different industry areas, e.g., the financial industry, the telecommunication industry, etc. I will say a little more about industry security standards and programs in the financial industry in the next section.

Security standards and programs in the financial industry
In China, more and more financial organizations, including banks, payment service providers, and merchants who operate financial payment systems, have turned their attention to, or become compliant with, global standards and/or related validation programs, for instance ISO/IEC 27001, the PCI standards, the security controls defined in the SWIFT Customer Security Programme (CSP), etc. Although compliance with these is not mandated by local regulators, in some cases it is requested by global and/or local business partners. In addition, since more and more organizations have realized the importance of security implementation and compliance, they are voluntarily investing and putting effort into improving information security. The compliance result can also provide more confidence during business cooperation and is valuable for their brand reputation and marketing activities as well.

1. PCI standards
In the payment industry, various standards and programs (as shown in the figure below) are developed and maintained by PCI SSC (Payment Card Industry Security Standards Council), covering the security of data environment (PCI DSS: Data Security Standard), software security (PCI SSF: Secure Software Framework), security scanning and testing (ASV - approved scanning vendor program), Card Production (physical and logical security), P2PE (Point to Point Encryption), PCI 3DS, PIN Security, PFI (PCI Forensic Investigation), and so on. atsec offers a full range of services to support organizations in achieving PCI compliance.

Figure 3: Overview of PCI security standards and programs

As shown in the above figure, PCI DSS is the most important (and also the first) standard within the PCI standards family. PCI DSS version 4.0, as the next evolution of the standard, has been released in the first quarter of 2022. Industry organizations will have two years to become familiar with the new version and plan for and implement the changes needed. On 31 March 2024, the old version of PCI DSS (v3.2.1) will be formally retired.


Figure 4: PCI DSS v4.0 (source from PCI SSC website [3])

2. SWIFT CSP program
Similar to the PCI industry, the Customer Security Programme (CSP) was launched in 2016 by SWIFT (Society for Worldwide Interbank Financial Telecommunication, a global provider of secure financial messaging services) and is designed to reinforce the security of the SWIFT community. Every SWIFT user, whether directly or indirectly connected, is expected to comply with the SWIFT Customer Security Controls Framework (CSCF), which enhances the security of each financial organization's local environment and helps protect the whole community. Financial institutions (e.g., banks) are required to comply with at least the mandatory controls when building a SWIFT infrastructure. The security controls are applicable to all users and recommended for the whole transaction chain, beyond the in-scope environment, and they are mapped against recognized international standards, e.g., NIST, PCI DSS, and ISO/IEC 27002.

As one of the independent security assessment providers, atsec has worked with quite a few banks in China to meet the security controls defined by SWIFT CSP.

3. Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions
In addition to the global security standards and assessment programs, the local requirements are mainly proposed and regulated by the PBOC (People’s Bank of China) in the financial industry in China. One example is the “Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions,” which was initially launched in 2010. Currently, the certification activities can be performed by CCRC as one of the certification bodies in China, and PBOC can issue and maintain the “Payment Business Licenses” to these payment institutions based on the testing and certification results.

This testing and certification focuses on functional testing, performance testing, risk monitoring and anti-money-laundering detection, as well as security testing.

Global industry communication
Global communication and collaboration in the technical and industry communities between China and the rest of the world never stop, not even during the pandemic in recent years. I will mention some observations during my work at atsec:

  • China UnionPay joined the PCI industry as one of the PCI SSC Strategic Members in 2020; as one of the six leading payment card brands in the world, UnionPay will communicate more with the payment industry and better adopt the PCI standards.
  • More Chinese vendors got the certificates based on global security standards, for instance:
    • Oppo Find X5 Pro obtained the Common Criteria certificate (issued by CSEC) in March 2022
    • Huawei Mate 40 Pro obtained the Common Criteria certificate (issued by OCSI) in January 2022
    • Huawei Mobile Devices (P40 series) obtained the Common Criteria certificate (issued by OCSI) in October 2021
    • OPPO Find X3 Pro obtained the Common Criteria certificate (issued by CSEC) in October 2021
    • Cryptographic Server HSM (produced by Beijing Lianshi Networks Technology Co., Ltd.) obtained the FIPS 140-2 certificate in February 2022
    • Sansec HSM Cryptographic Module (produced by Sansec Technology Co., Ltd.) obtained the FIPS 140-2 certificate in September 2021
    • TASS Crypto Engine (produced by Beijing JN TASS Technology Co., Ltd.) obtained the FIPS 140-2 certificate in April 2021
    • Inspur Power Commercial Systems Co., Ltd. obtained the O-TTPS (ISO/IEC 20243) certificate in October 2021
    • The AxKMS Certification Authority and AxKMS Key Injection Facilities (provided by Fujian Landi Commercial Equipment Co., Ltd.) passed PCI P2PE validation in January 2021
    • MoreFun KIF (provided by Fujian Morefun Electronic Technology Co., Ltd.) passed PCI P2PE validation in June 2020
    • (All above-mentioned evaluations and assessments were performed by atsec; the information is based on public information released by the related certification/validation bodies.)
  • We have also seen more involvement and voices from Chinese vendors in global standard technical communities, e.g., PCI, CCUF, EUCC, etc.
  • More and more organizations, such as the payment service providers, started to develop business globally, and being in compliance with the global standards is one of the important tasks. Some of these organizations (e.g., 99bill) have joined the PCI industry participating organizations and make contributions to the industry.
  • TC260 delegations and experts actively participate in the standardization work organized by ISO/IEC JTC1/SC 27. A few ISO standards (e.g., ISO/IEC 27071, ISO/IEC 27565) proposed by Chinese delegations have been drafted in the working group.
  • On the other hand, as shown in the first section, many international standards have been adopted as national standards in the information security area, and more will come.

This article briefly introduces the current situation of security standards and their certification schemes in China, and how security standards (global or local) are adopted by industry organizations to enhance security worldwide. It shows the importance of global involvement and cooperation in the technical community, and I believe more collaboration will happen in the future.


References

[1] TC260: https://www.tc260.org.cn/
[2] CCRC: www.isccc.gov.cn
[3] PCI SSC: www.pcisecuritystandards.org
[4] SWIFT: https://www.swift.com/myswift/customer-security-programme-csp
[5] atsec: www.atsec.com

Thursday, July 7, 2022

Quality and Security - more than just words


At atsec, quality and security are more than just words – they encompass everything we do and are deeply embedded in our four principles:

We know the business
We act with integrity
We stay focused
We are independent

Management is committed to the implementation and improvement of an integrated Management System. Every atsec colleague is committed to providing quality services and protecting security regardless of their role.

This dedication began in the early days of atsec in Germany. Within one year of forming the company, atsec Germany was ISO 9001 certified, and a year later it received its first ISO/IEC 27001 certificate. By 2005, the U.S. location was certified, followed by Sweden in 2006, China in 2011, and Italy in 2019. Each organization uses a different certification body: British Standards Institution (BSI) in the U.S., DQS in Germany, Scandinavian Business Certification in Sweden, ICIM in Italy, and the China Cybersecurity Review Technology and Certification Center in China. You can see atsec’s certifications on our website.

This continuous commitment to quality and security also ensures laboratory accreditation for the services that our laboratories provide. Many of the requirements for Common Criteria, FIPS 140-3, and CAVP/ACVP accreditation are met by having ISO 9001/ISO 27001 certification. The same is true for services provided in non-U.S. locations, such as PCI in China, NESAS in Sweden, and national accreditation in Germany.

Our robust Quality Management System and security controls have resulted in audits with no major or minor non-conformities and only a few opportunities for improvement noted by the auditors. This underlines the effectiveness of our risk management process as well as our program of continuous improvement. As Michael Robrecht, a recently audited colleague in Germany, said, “The auditors were happy to see that we do not just follow our documented procedures, but that our well-established procedures are actually lived and just got documented.”

Security is in our name, and quality is in our culture!

Wednesday, June 29, 2022

atsec attended the 20th International Conference on Applied Cryptography and Network Security (ACNS)

Last week, employees from atsec Germany and atsec Italy attended the 20th International Conference on Applied Cryptography and Network Security (ACNS) in Rome, Italy. As the name implies, ACNS highlights academic and industry research in the areas of applied cryptography and network security. Accepted papers are published in Springer's Lecture Notes in Computer Science series, and the authors give a presentation during the conference itself. Additionally, ACNS includes a poster session and workshop tracks.

This year, the conference was held in hybrid mode, with the in-person event located at the National Research Council building and the Sapienza University of Rome (Museum Of Classical Art). During the main conference track, 9 areas were presented: Encryption, Attacks, Cryptographic Protocols, System Security, Cryptographic Primitives, Multi-Party Computation (MPC), Blockchain, Block Ciphers, and Post-Quantum Cryptography. Joachim Vandersmissen, IT Security Consultant at atsec Germany, contributed a paper and presentation on white-box cryptography for the Speck block cipher called "A White-Box Speck Implementation Using Self-Equivalence Encodings."

In white-box cryptography, a cryptographic implementation is executed in an environment that is fully under the attacker's control: the attacker can inspect the code, read memory, and modify the execution at will. This is commonly the case in Digital Rights Management (DRM). For example, an online streaming platform might send a customer an encrypted version of the movie they want to watch together with a cryptographic implementation to decrypt this movie. However, the streaming platform does not want the customer to use this implementation to decrypt other movies or, worse, to extract the cryptographic key from the implementation. Other applications of white-box cryptography include mobile apps and smart cards.

Academic research in white-box cryptography started in 2002, so the area is relatively young. Chow et al. proposed the white-box model, which formalized the real-world setting from the previous paragraph. In their model, the attacker has full access to the white-box implementation and its execution, and aims to recover the embedded cryptographic key so that it can be used without the original white-box implementation and without any restrictions that implementation enforces. Since 2002, many academic methods have been proposed, but so far there is no known secure way to construct white-box implementations of existing block ciphers; the published academic constructions have all been broken by key-extraction attacks. Instead, many commercial solutions rely on the secrecy of their white-box design to provide some degree of security.

In "A White-Box Speck Implementation Using Self-Equivalence Encodings," Joachim and his co-authors propose a method to construct white-box implementations of the Speck block cipher. Speck is a block cipher proposed in 2013 by the NSA with a focus on performance in software, which makes it especially suitable for embedded applications such as IoT. Unfortunately, the paper also presents an attack demonstrating that the proposed method is not secure in the white-box model. Even though this is a negative result, it can still guide future research directions in white-box cryptography. The paper also proposes some ways to extend the method, which might result in a secure white-box Speck implementation.
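To make the white-box threat model concrete, the following Python is an added example, not code from the paper or from the jvdsn/white-box-speck repository. It implements Speck32/64 (16-bit words, 4 key words, 22 rounds, rotation amounts 7 and 2, as in the 2013 NSA specification), checks it against the specification's published test vector, and then plays the white-box attacker against a plain, unprotected implementation: the attacker reads the round keys as they sit in memory and inverts the Speck key schedule to recover the full 64-bit master key from just the first four of them. This is exactly the trivial key extraction that white-box encodings are meant to prevent; the paper's self-equivalence encodings themselves are not reproduced here.

```python
# Speck32/64 reference implementation plus a "white-box attacker" that inverts
# the key schedule. Added example; not the ACNS paper's code.
WORD = 16
MASK = (1 << WORD) - 1
ALPHA, BETA = 7, 2          # Speck32 rotation amounts
ROUNDS = 22                 # Speck32/64 round count
KEY_WORDS = 4               # m = 4 key words of 16 bits


def rol(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK


def ror(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK


def expand_key(key):
    """Speck key schedule. key = [k0, l0, l1, l2]; returns the 22 round keys.
    l[i+m-1] = (k[i] + ROR(l[i], alpha)) ^ i ;  k[i+1] = ROL(k[i], beta) ^ l[i+m-1]"""
    k = [key[0]]
    l = list(key[1:])
    for i in range(ROUNDS - 1):
        l.append(((k[i] + ror(l[i], ALPHA)) & MASK) ^ i)
        k.append(rol(k[i], BETA) ^ l[i + KEY_WORDS - 1])
    return k


def encrypt_block(x, y, round_keys):
    """One Speck round: x = (ROR(x, alpha) + y) ^ k ; y = ROL(y, beta) ^ x."""
    for rk in round_keys:
        x = ((ror(x, ALPHA) + y) & MASK) ^ rk
        y = rol(y, BETA) ^ x
    return x, y


def decrypt_block(x, y, round_keys):
    """Inverse round, applied with the round keys in reverse order."""
    for rk in reversed(round_keys):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ rk) - y) & MASK, ALPHA)
    return x, y


def recover_master_key(round_keys):
    """White-box attacker: the round keys are plain constants in an unprotected
    implementation. From k[0..3] alone, undo the key schedule:
      l[i+3] = k[i+1] ^ ROL(k[i], beta)
      l[i]   = ROL((l[i+3] ^ i) - k[i], alpha)   for i = 0, 1, 2
    which yields the original [k0, l0, l1, l2]."""
    k = round_keys
    l = []
    for i in range(KEY_WORDS - 1):
        l_next = k[i + 1] ^ rol(k[i], BETA)
        l.append(rol(((l_next ^ i) - k[i]) & MASK, ALPHA))
    return [k[0]] + l


# Speck32/64 test vector from the NSA specification. The key is printed there as
# "1918 1110 0908 0100", i.e. l2 l1 l0 k0; plaintext "6574 694c" is (x, y).
TEST_KEY = [0x0100, 0x0908, 0x1110, 0x1918]
TEST_PT = (0x6574, 0x694C)
TEST_CT = (0xA868, 0x42F2)

if __name__ == "__main__":
    rks = expand_key(TEST_KEY)
    ct = encrypt_block(*TEST_PT, rks)
    assert ct == TEST_CT, "%04x %04x" % ct
    assert decrypt_block(*ct, rks) == TEST_PT
    # The attacker never sees TEST_KEY, only the expanded round keys in memory.
    recovered = recover_master_key(rks)
    assert recovered == TEST_KEY
    print("ciphertext %04x %04x" % ct)
    print("master key recovered from round keys:", [hex(w) for w in recovered])
```

The point of the exercise is the last function: because Speck's key schedule is itself a Speck round (an invertible ARX step), an attacker with memory access needs only four consecutive round keys to walk back to the master key. A white-box design has to hide the round keys inside encoded lookup tables or affine encodings so that no such constants are ever exposed, and the paper's result is that self-equivalence encodings of the modular addition do not yet hide them well enough.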

If you are interested in learning more about this topic, you can refer to the full paper, freely available on the IACR ePrint archive: https://ia.cr/2022/444. Implementation code is also available on GitHub: https://github.com/jvdsn/white-box-speck.

Monday, June 27, 2022

Cybersecurity Certification Schemes in Europe (Part 1)

by Rasma Araby

atsec has recently participated in two conferences that focused on cybersecurity certification: the 2022 International Conference on the EU Cybersecurity Act in Brussels, Belgium, and ENISA Cybersecurity Certification Conference 2022 in Athens, Greece.

atsec contributed two presentations to the EU Cybersecurity Act conference: “Successful cPP Certification under the CSA,” presented by Rasma Araby, and “A Scheme of Schemes – Challenges and Opportunities for CSA Schemes,” presented by Staffan Persson. Rasma Araby also took part in the panel discussion on “Market Incentives for Certification” at the ENISA Cybersecurity Certification Conference.

Both conferences focused on the upcoming certification schemes being developed in Europe. At the request of the European Commission (Article 48(2) of the Cybersecurity Act (CSA)), ENISA is working on three cybersecurity certification schemes:

  • EUCC – the candidate European Common Criteria-based cybersecurity certification scheme for ICT products, based on the Common Criteria (ISO/IEC 15408 and ISO/IEC 18045). The EUCC candidate scheme aims to serve as the successor to the SOG-IS Mutual Recognition Agreement.
  • EUCS – the candidate European Union Cybersecurity Certification Scheme on Cloud Services. The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonize the security of cloud services with EU regulations, international standards, industry best practices, and existing certifications in EU Member States.
  • EU5G – the candidate European Union Cybersecurity Certification Scheme on 5G cybersecurity. The scheme aims to address the following use cases: the supply and deployment of 5G network equipment, management of subscriber identities, remote SIM provisioning, 5G authentication, and subscriber connectivity services.

Both conferences discussed the need for standardization and certification and also focused on stakeholder requirements, applicable national and international legislations, as well as the threat landscape. The need for harmonized requirements and schemes was heavily underlined by the attending product vendors.

All three certification schemes are still under development. The EUCC scheme is expected to be completed and adopted first: for the legal implementation of the candidate EUCC scheme prepared by ENISA, the European Commission will adopt an implementing act, presumably at the end of 2022.

In the second part of this blog, we will continue reporting on the cybersecurity certification schemes in Europe and will solely focus on the EUCC scheme. Stay tuned!

Friday, June 24, 2022

atsec attended the Omnisecure conference in Berlin


After two years of video conferences, we were finally able to meet stakeholders of our community again in person as three representatives of atsec Germany attended the Omnisecure conference from June 21st through 23rd 2022 in Berlin.

The Omnisecure conference has a clear focus on the German market, with a strong presence of the Bundesamt für Sicherheit in der Informationstechnik (BSI). There were several interesting presentations from different domains. Among the major topics was the (national) approval of IT security products for handling classified information, one of the main business domains of atsec Germany.

Michael Vogel, Managing Director of atsec Germany, gave a presentation on the vendor qualification requirements that must be fulfilled to participate in the qualified product approval scheme defined by BSI. The presentation was well received by the audience and triggered some interesting follow-up discussions.

The face-to-face conference allowed us to touch base with several of our customers in person for the first time in months, an opportunity much appreciated by ourselves and many participants. We are looking forward to the in-person conferences planned for the rest of this year, in particular the ICMC and ICCC conferences, where we hope to meet more of our customers again. Don't forget to register so we can meet you there!


Friday, June 17, 2022

atsec virtually at the National Cybersecurity Center of Excellence


atsec is excited to have been invited to the virtual kick-off meeting for the “Automation of the NIST Cryptographic Module Validation Program” at the National Cybersecurity Center of Excellence (NCCoE).

The National Institute of Standards and Technology (NIST) organized the kick-off meeting on June 1, 2022. It started with an introduction by NIST, followed by presentations from several collaborators, and ended with a discussion and an outline of the next steps.

atsec supports the NCCoE initiative to automate the Cryptographic Module Validation Program (CMVP) in order to shorten the “review pending,” “in review,” and “coordination” phases of module validation. The atsec team will focus on identifying Test Evidence (TE) items that could be automated and on ensuring that the automation works with the CMVP’s Web Cryptik submission tool.

atsec has been involved in other automation efforts, such as the Automated Cryptographic Validation Testing System (ACVTS), and is looking forward to the challenge of bringing automation to the CMVP.

Sunday, May 8, 2022

Happy Mother's Day

 

atsec wishes all mothers and grandmothers a wonderful and happy Mother's Day!