King Ables Celebrates 8 Year Anniversary!

A Multi-Level Model for Common Criteria Certificate Maintenance

by Trang Huynh

I had the privilege of being on a discussion panel at the NIAP Validator Workshop this past June. The topic for the panel was “Continuous Software Update,” and the issue we were trying to tackle was Common Criteria (CC) evaluations for products with a high frequency of software updates, such as those for mobility products. From the discussion, I identified that the issue is two-fold:

1. updates occurring while the evaluation is in progress, and
2. updates after the evaluation is completed.

The case of updates after evaluation completion was the focal point of the panel discussion. Many ideas were brought up during the panel ranging from delta evaluations to requirements for regression testing, full evaluations, etc.

NIAP provides Publication #6 (Pub 6) describing the certificate maintenance / assurance continuity process offered by the scheme. This document contains definitions and examples of major changes and minor changes in addition to an outline of the necessary actions from the vendors and/or CCTLs pursuing certificate maintenance. Yet it is a great challenge for vendors/CCTLs and validation bodies alike to methodically determine whether an update constitutes a major or minor change. Changes in the extreme cases are easy to classify, but cases in the middle ground can be extremely fuzzy.

To solve this difficulty with classification, I raised an idea at the panel that the certificate maintenance process offer a predefined multi-level model similar to the one offered by FIPS 140-2. At a high-level FIPS 140-2 breaks down a change into several submission scenarios or SUB for short, (1SUB, 1ASUB, 1BSUB, 2SUB, 3SUB, 3ASUB, 4SUB, 5SUB, etc.) For example, 1SUB addresses administrative or non-security relevant changes that do not affect any FIPS 140-2 security-relevant items, such as updating vendor contact information or testing the module on additional platforms, that have little or no impact on the validated cryptographic module. The 3SUB scenario encompasses changes that would exceed 30% of the module's overall security functionality. Last but not least, 5SUB is for changes that do not meet 1SUB through 4SUB requirements. This model conceivably allows CST labs more "jurisdiction" to decide on the level of the change. Based on that decision the CST lab may proceed with the “game plan” described in section G.8 Re-validation Requirements of the Implementation Guidance which may involve the CST lab performing applicable testing on the changed cryptographic module and submitting the test results (along with other required materials) to the CMVP for re-validation.

I believe an introduction of gradation of changes in the certificate maintenance process would allow for a more systematic approach for performing impact analysis on product updates.

atsec’s ACVT service is operational

atsec is proud to announce that the Automated Cryptographic Validation Testing (ACVT) service is operational.

The atsec Cryptographic Security Testing (CST) laboratory is the first ever to achieve operational status with the Automated Cryptographic Validation Protocol (ACVP) production server operated by NIST. atsec's ACVP tools are fully implemented and functional. After the test results for all types of algorithm testing offered by the ACVP server were validated by NIST, atsec’s CST lab was granted access to the ACVP production server. atsec performed the algorithm testing on its SHA and HMAC implementations used in the atsec ACVP Proxy, which is the very first ACVT project to demonstrate that the NIST ACVP production server is now in business.

With this privileged access, the atsec new service uses the ACVP production server to automate the process of testing the implementation correctness of cryptographic algorithms and related functions, and offers a much more efficient and effective process in the awarding of certificates by NIST.

Certificates of implementation correctness are awarded by the cryptographic algorithm validation program; these certificates being required as a pre-requisite for cryptographic module validation as well as for Common Criteria evaluations in the U.S.

Mr. Stephan Mueller, one of atsec’s Principal Consultants, has worked closely in the development of the client program to test the NIST ACVP demo server, which has greatly helped NIST’s successful launch of the ACVP production server. He commented on this collaboration between atsec and NIST.

“NIST is to be congratulated on this important milestone in the development of the ACVT program. A program which provides assurances in the security of IT systems implementing cryptography as well as supporting developers by providing the capabilities to test in synch with modern development timescales.”

Dr. Yi Mao, atsec Laboratory Director, also commented.

“We applaud NIST’s initiative in launching the ACVT program and are proud of assisting them in achieving this historically significant milestone. Cryptography is the hard core that provides information security. Automated testing is the way forward to sustain the high demand of the much-needed assurance at the core of security. It’s an extremely exciting moment, and empowered with ACVT, we can immediately benefit our existing and new customers by taking their algorithm validation down a fast path.”

Find out more at:
atsec’s cryptographic algorithm testing service page.
NIST’s Automated Cryptographic Validation Testing (ACVT) project.

atsec’s Rome office is accredited by OCSI for Common Criteria evaluations

atsec is pleased to announce that the atsec Rome office has been accredited by the Italian scheme, OCSI, for performing Common Criteria evaluations.

This is in addition to the accreditations by the Italian security agency, OCSI of our atsec laboratories in the U.S., Germany and Sweden.

Garibaldi Conte: Managing Director, atsec Italy, 2019:

“I am both happy and excited for atsec's entrance into the Italian market for IT Security Evaluation and Certification. I have been in the InfoSec business for over 15 years in Italy. The reason I accepted the challenge to be the Managing Director of the atsec Italian operation, is because of atsec's level of expertise in the field, depth of knowledge, care for standards, many achievements, customer base, the technology they have evaluated and their global presence. Under those conditions, atsec Italy is not a challenge, but a gift—a gift that will strengthen Italy's role in IT Security Evaluation and Certification in Europe.”

Staffan Persson, Co-founder, Managing Director EMEA:

“atsec’s strategy is to support our customers with their information assurance needs. With a great many leading global companies in our customer portfolio, it is important that we establish a strong presence in Europe as the EU Cybersecurity Act develops to do all that long-standing regional mutual recognition arrangements such as SOG-IS have achieved and much more.”

 

Salvatore La Pietra, Co-Founder, President and CEO:

"atsec has a mission at the core: ‘information security done right.’
We have always looked at IT Security differently from others. Our customers tell us that and our people show it.
atsec Italy, together with atsec Germany and Sweden, provide a substantial European presence, and together with atsec US and atsec China increase our geographical and cultural presence, underlining our global dedication to our customers. atsec Italy is the latest to join the atsec group, but will not be the last. Stay tuned…"




The atsec Italy office is located in Rome at:

atsec information security srl

Via Tirso, 26

00198 Rome

Italy

Tel: +39-06-89232678 

www.atsec.it

Congratulating Qualcomm on CC certification of their Snapdragon 855 SOC

atsec congratulates Qualcomm on the successful evaluation of their Snapdragon 855 system on a chip (SOC) processor.

The evaluation was performed jointly by atsec information security laboratory GmbH and T-Systems International GmbH laboratory; with the software evaluation being performed by atsec, and the hardware evaluation performed by T-Systems.

atsec is proud to have contributed to the first successful mobile SoC to receive Smart Card Equivalent Security Certification from the German Federal Security Agency BSI. 

For more detailed information check the Certification Report and other documents posted on the BSI web site, and the related news from Qualcomm.

ATSEC PROVIDED PCI TRAINING AT VISA SECURITY SUMMIT 2019

China, Shanghai—From June 19th to 20th, Visa held the Asia Pacific Security Summit in Shanghai, China.

During the “Ecosystem Data Security Workshop” on the 19th, Diana Greenhaw, VISA’s Vice President of Global Payment System Risk, gave a speech on "Ecosystem Risk Updates—A Global Perspective". Troy Leach, Chief Technical Officer of PCI Security Standards Council, spoke about "PCI Global Updates” discussing the technology development of global payment standardization. Next PCI Laboratory Director Yan Liu and Principal Consultant and QSA Jinyun Chen from atsec China presented on "Protecting your data by using PCI DSS.”

atsec first introduced an overview of the Payment Card Industry, including the current standards family, the SIG (Special Interest Group) for this year, and the GEAR (Global Executive Assessor Roundtable) for improving overall assessment quality. Then atsec’s methodology regarding PCI DSS assessment and compliance was emphasized.

During the presentation, atsec briefly introduced the PCI DSS requirements related to data protection, security development, security operation and administration. Finally, atsec shared experience on how to efficiently maintain PCI DSS compliance. All of the speakers suggested integrating the PCI DSS requirements and best practices into daily work activities.
The theme of the Summit was "Security, Innovation, and Trust". The topics presented covered cyber security, biometrics and e-commerce payment, etc. Implementation and security assessment of 3DS 2.0 was also given a lot of attention.
As one of the signature sponsors, atsec draws attention from industry and customers by providing professional security assessment and testing services based on global standards. Many friends stopped by the atsec booth and discussed technical topics with atsec consultants, such as how to achieve PCI compliance. atsec also offered prizes at our booth for correctly answered security questions to spread knowledge of security standards and technology.
atsec has actively contributed to global security standards development and improvement, including but not limited to PCI GEAR (Global Executive Assessor Roundtable), PCI SIG (Special Interest Group), etc. atsec helps global entities (banks, service providers and merchants) in the payment industry to achieve data security compliance (e.g. PCI, GDPR) in order to mitigate potential risk. In recent years, several global cloud service providers have worked with atsec on PCI compliance, and providing more secure cloud platforms for their customers.
atsec will continue to be dedicated to global security standards development, improvement and compliance assessment.

International Cryptographic Module Conference 2019 in Vancouver, Canada

After a day of pre-conference workshops, the 7th International Cryptographic Module Conference (ICMC) was kicked off this morning with a welcome address from atsec's VP and Lab Director Yi Mao.

 
(from left to right: Renaudt Nunez, Stephan Mueller, Fiona Pattinson, Swapneela Unkule, Yi Mao)


 Yi Mao's Opening Speech for the ICMC 2019:

"Good morning everyone!

Welcome to the 2019 International Cryptographic Module Conference! This is the 7th ICMC. It’s a great honor to announce the opening of this exciting conference. This is the first time that the conference is hosted on the west coast, to attract more attendees from the Eastern Hemisphere.
This year we have roughly 350 attendees coming from 24 countries. This conference offers 95 presentations by 115 expert speakers. They are scheduled in six pre-conference workshops and continued through the upcoming three-day conference covering ten content tracks. They range from Certification Programs, General Technology, Post-Quantum Crypto, Embedded Crypto, to Random Bit Generators, Open Source Crypto, Advanced Technology, Attacks to Crypto Modules, End User Experience, and the Crypto Enterprise Showcase.

The ICMC has been a wonderful annual gathering platform for the CMVP, labs, vendors, researchers, and users where we share our passion for cryptography, discuss challenging problems, and work together to find sensible solutions. 

For people who have been attending the ICMC in the past few years, this is a re-union event we look forward to. For our new friends, congratulations on your first exciting step into the cryptographic module validation community. 

Before the ICMC era, like many CST lab managers, I was often under a huge pressure to meet the CMVP’s requirements without having an upset vendor. A validation project often turned into a battle field where the CMVP demands and the vendor fights back. ICMC has been and is instrumental to brings experts and practitioners together to listen and to be heard. The open dialogs help each other to understand multiple parties’ different viewpoints and unify the community.

At the ICMC, we have started lively discussions on several important Implementation Guidance (IGs), as well as initiated the Crypto Module User Forum (CMUF) monthly meetings and many of its working groups. In a few minutes, you will hear key updates on the status of the CMUF. What starts at the ICMC is carried on throughout the year in our daily work until we gather together again to report on our work and congratulate each other’s achievements.

Entropy sources and the related IGs is one of the key discussion topics at the ICMC. IG 7.18 was just published last week to enforce NISP SP 800-90B compliance. It will co-exist with IG 7.15 for the next eighteen months and will then replace it. IG 7.14 remains to be valid.

FIPS 140-3 has long been expected. Back in 2016, we even had a “presidential level debate” on whether or not to adopt ISO/IEC 19790, and the majority of conference attendees voted for the adoption for FIPS 140-3. The very recent announcement of FIPS 140-3 on May 1 in the Federal Registry Notice proves that the voice of this conference is valuable to the decision makers.

As the ICMC continues on in many years to come, I have no doubt that not far from now FIPS modules will be in the cloud, because we are starting to take on this challenge at this conference.
Last but not least, NIST is ready to switch from the CAVS Tool to an Automated Crypto Validation Protocol (ACVP) for algorithm testing. It is a small step for all of us to adopt this change. It is a giant leap for NIST and the CMVP. This year’s conference clip is dedicated to those who contributed to achieving this significant milestone.



We’re in May, and Christmas is still far away, but everyday can be a Cryptomas day!

A group of dedicated hard-working professionals made such a rich conference program possible. Our big thanks go out to the conference committee especially chairs:

Program committee

• Michael Angelo, Micro Focus
• Joshua Brickman, Oracle Inc.
• Erin Connor (Chair)
• Fabien Deboyser, UL
• Valerie Fenwick, Intel
• Shawn Geddis, Apple Inc.
• Ryan Hill, atsec (Chair)
• Tim Hudson, Cryptsoft Pty ltd (Chair)
• Laurie Mack, Gemalto
• Michele Mosca, University of Waterloo
• Seth Nielson, Johns Hopkins University
• Fiona Pattinson, atsec (Chair Emeritus)
• Nithya Rachamadugu, Cygnacom (Chair)
• Rich Salz, Akamai
• Mike Scanlin, NetApp
• Loren Shade, Allegro Software (Chair)
• Marcus Streets, Arm (Chair)
• Lachlan Turner, Lightship Security (Chair)
• Ashit Vora, Acumen Security
• Steve Weingart, Highland Tech LLC (Chair)
• William Whyte, Security Innovation
• Brian Wood, Samsung Electronics

Conference Production Management

• Bill Rutledge (Project Director)
• Jose Ruiz (Program Director)
• Nikki Principe (Operations Manger)
• Carrie Chu (Marketing and Operations Coordinator)

This year is special. Fiona is back at the ICMC. Fiona and atsec planted a seed in 2013 and it has been blooming once a year ever since. What an amazing accomplishment!

I’d also like to thank sponsors, exhibitors, speakers and participants. Enjoy the conference and your stay at Vancouver!"

More information about the conference running from May 14th to May 17th at the JW Marriott Parq in Vancouver, Canada can be found here: https://icmconference.org

Green Entropy

White Paper

international Think-tank Community (iTC)

April 1^st, 2019

Green Entropy

Tasked with consideration of ways and means to reduce the carbon footprint of IT security; after a year of deliberation the iTC have produced the following summary of their report. The full report is available on request to itc@green-entropy.org

Research has shown that much effort has recently been expended on reducing the energy needs and increasing the efficiency of data centers [1]. Similarly, much work has been performed and reported in regard to reducing the carbon footprint of I.T. workers and developers [2]. 

Many customers of IT security testing laboratories encourage and even require demonstration of the measures employed by laboratories in support of this endeavor, and often cite ISO/IEC 14001 [3] as an appropriate standard supporting the management of such activities.

Accordingly, the iTC team decided to concentrate their work on other, more fundamental aspects of the problem. Starting with the technology underlying the operation and security of every technology from embedded systems, through to the towering cumulus nimbi of I.T., Big Data and cloud technologies.

Every computer system needs to provision random numbers. Random numbers are extensively used in cryptographic functions as well as in the gaming industry, the quality of the random numbers needs to be sufficient for the purpose; quality factors include having sufficient entropy, timeliness and an element of surprise.

In this paper the iTC provide the following recommendation for green entropy.

Many green entropy sources are available to technologists. These include the number of leaves on a tree (*), the quantity of fish passing a data-center window, the number of steps one walks in a day, temperature jitter, and the sun-rising/-setting time in nanoseconds.

These naturally existing but not easily predictable numbers in our environment can be represented in binary form and the few Least Significant Bits (LSBs) of their binary representations may be used as entropy sources.

The iTC has approached the leading IT security testing laboratory, atsec information security who have confirmed that they are eager to analyze the newly recommended green entropy sources for the compliance of NIST SP 800-90B [4].

_______________________________________________________

(*) For many trees this is applicable for only part of the year.

References

[1]          Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years. June 5, 2018: Accessed March 24, 2019.
https://news.microsoft.com/features/under-the-sea-microsoft-tests-a-datacenter-thats-quick-to-deploy-could-provide-internet-connectivity-for-years/

[2]          Green Office, Ways to Reduce Carbon Footprint, Tony Ellison. February 22, 2017: Accessed March 24, 2019.
https://www.business.com/articles/green-office-ways-to-reduce-carbon-footprint/

[3]          ISO/IEC 14001:2015, ISO. Available from all good standard stores.

[4]          SP 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation, NIST. January, 2018: Accessed March 24, 2019.
https://csrc.nist.gov/publications/detail/sp/800-90b/final

International Women's Day

Happy International Women's Day to all our wonderful atsec colleagues in Europe, US and Asia.

atsec has been operating for 19 years.