atsec information security at the Milan Security Summit 2023

After years of video conferences, the Security Summit was finally back in person in Milan, Italy, from March 14 to 16, 2023. atsec couldn’t miss the opportunity to participate as gold sponsor in one of the most important cyber security events held in Italy and to meet our customers, partners, and people involved in the information security business face-to-face again.

The long-awaited return to a physical conference has attracted many visitors from all around the country to attend the presentation of the Clusit Report 2023, which describes the state-of-the-art of cybersecurity in Italy (and abroad).

Clusit, established in 2000 at the Department of Informatics of the University of Milan, is the largest and most authoritative Italian association in the field of IT security with more than 500 member organizations.

According to the scenario described by the Clusit Report, the year 2022 registered another record of cyber attacks, with an increase of 21% worldwide compared to the previous year. In Italy, the situation was even worse and the increase was 169%. These alarming numbers highlight the need to increase investments in information security in Italy and worldwide.



Alessandro Fazio from atsec Italy provided a presentation on the “Security certification of cryptographic products according to NIST’s FIPS 140-3 standard.” The presentation was much appreciated by the participants, who acknowledged the importance of having an approved set of cryptographic tools and an authority that can provide assurance of their effective and efficient implementation.

CC:2022 is HERE!

It all started with Trusted Computer System Evaluation Criteria (TCSEC or Orange Book) in 1983; the German Security Evaluation Criteria (Green Book) in 1989; then The Information Technology Security Evaluation Criteria (ITSEC) from Europe, published in 1991 and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) from Canada in 1993. In addition the US developed the Federal Criteria for information Technology Security in 1992, which introduced the concept of Protection Profiles (PP). All those were input for the development of the Common Criteria (CC) which started in 1993 also as an ISO standard (ISO/IEC 15408). The first version of this standard was published in 1999. After several versions and releases CC 3.1 R5 has been in place since 2017.

And now CC:2022 comes to us, courtesy of the global Common Criteria community. CC:2022 contains major changes so that it is truly a new version and not a refinement of the version 3 standard:

There are now 5 parts plus the CEM (Common Evaluation Methodology):

• Part 1: introduction and general model;
• Part 2: Security functional requirements;
• Part 3: Security assurance requirements;
• Part 4: Framework for the specification of evaluation methods and activities;
• Part 5: Pre-defined packages of security requirements and the
• CEM.

The new CC:2022 adds new SARs (Security Assurance Requirements) and instantiates Exact Conformance which was an addendum previously, thus endorsing the CPP approach. Modularization of the TOE is now also allowed. There are new functional requirements, provision for multi-assurance evaluations and the concept of composition of assurance is introduced with three levels, namely Layered composition, Network/bi-directional composition and Embedded composition. It also defines a framework for the development of evaluation methods and activities to guide the developer of Protection Profiles to tailor assurance activities to the special needs of the security functionality included in the PP.

The expiration date for new evaluations submitted under the CC 3.1 R5 is June 30, 2024.
atsec has prepared a handy overview to the new CC:2022.

 

atsec information security is now operating a Certification Body accredited according to ISO/IEC 17065

We are pleased to announce that atsec information security AB has been accredited as a certification body by SWEDAC, the national accreditation body in Sweden, to provide Common Criteria (CC) certifications of IT products.

With over 20 years of experience as a CC evaluation lab,  atsec has taken the step to become a CC certification body. We have an experienced and knowledgeable team, that has helped many national schemes to get established by writing their scheme documentation, training certifiers, and evaluators.

The CC evaluation and certification process is a rigorous and comprehensive method of assessing the security of IT products, and atsec's expert team of certifiers is highly skilled in this methodology. Our certification body is committed to providing high-quality, impartial and reliable certification services to our customers.

"In the last few years, we have seen an increasing demand for private certification bodies, not least in the EU Cyber Security Act that foresees certification performed by private certification bodies. atsec becoming a private certification body is a step to accommodate the raising need for certification." said Rasma Araby, CEO of atsec AB. "We are proud to have achieved IEC/ISO 17065 accreditation from SWEDAC, a testament to our expertise and commitment to excellence."

"atsec's accreditation is an important milestone for our organization," said Staffan Persson, atsec's co-founder and head of the atsec CB. "We are confident that atsec will provide valuable services to the IT security community and help organizations strengthen their security posture."

If you are interested in obtaining certification or have any questions regarding our certification services, please do not hesitate to contact us (cb@atsec.com). We look forward to working with you.

Happy International Women's Day

 

atsec information security wishes all women - colleagues, customers, suppliers, and partners - a wonderful International Women's Day. atsec highly values your contribution and praises your outstanding
achievements in information security.

CNSA 2.0 and Quantum Resistant Encryption Algorithms

by King Ables

The National Security Agency (NSA) has released the Commercial National Security Algorithm (CNSA) Suite 2.0 and Frequently Asked Questions detailing future quantum resistant (QR) algorithm requirements for National Security Systems (NSS). CNSA 1.0 was published in 2016 to replace NSA Suite B and standardized the use of the AES, SHA, RSA, DH, ECDH, and ECDSA algorithms and mandated minimum key/curve sizes and uses. CSNA 2.0 adds quantum resistant algorithms with an eye to deprecating the algorithms under threat from practical quantum computing before such platforms are generally available.

These new QR algorithms will replace the RSA and ECC-based algorithms currently used by most products in Common Criteria evaluations. When Automated Cryptography Validation Test System (ACVTS) tests are implemented for these new algorithms, they will be added as selections in NIAP-approved Protection Profiles. Products to be evaluated must implement these new algorithms by the time they are made mandatory, and their counterparts deprecated.

Symmetric algorithms are not considered to be at risk, so they are largely unchanged from CNSA 1.0. CNSA 2.0 specifies AES-256, SHA-384, and adds SHA-512.

Asymmetric algorithms specified in CNSA 1.0 are threatened by quantum computing, and therefore are replaced by new QR asymmetric algorithms in CNSA 2.0.

The first additions will be algorithms used exclusively to digitally sign firmware and software. Leighton-Micali Signatures (LMS) and eXtended Merkle Signature Scheme (XMSS) are signature algorithms specified by NIST SP 800-208. These algorithms will be added to NIAP PPs as selections but will not be mandatory immediately. Note that NIST SP 800-208 requires the key generation and signature generation algorithms to be implemented in hardware and FIPS 140-3 Level 3 validated. It is currently unknown how this requirement will relate to CNSA 2.0. However, a Common Criteria Target of Evaluation (TOE) typically only performs signature validation, which can obtain a Cryptographic Algorithm Validation Program (CAVP) certificate for a software or firmware implementation. ACVTS tests for LMS and XMSS are currently in development and are estimated to be completed in the second half of 2023. NSA encourages vendors to begin implementing these algorithms immediately and recommends new software and firmware use them by 2025, and all software and firmware use them exclusively by 2030.

Future additions will be the asymmetric algorithms CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for digital signatures. Both have yet to be standardized by NIST, so there is currently no definite timeline for these additions.

The general plan for each new algorithm is:

1. Approve and publish (LMS, XMSS done, CRYSTALS in progress),
2. Add tests to ACVTS (LMS, XMSS in progress, CRYSTALS TBD),
3. Define CC evaluation activities (LMS, XMSS in progress), and
4. Add requirement as selections to PPs.

Vendors should move to using LMS and XMSS for all software and firmware signing. Products subject to CC evaluation should implement verification of signatures created using LMS and XMSS as soon as possible so the functionality can be claimed and evaluated once the appropriate PP or Module has been updated. Changes to PPs and Modules will be made by updated versions or Technical Decisions. NIAP hopes to make all PP and Module updates by 2027. A public comment period is planned prior to each update.

NIST and NIAP acknowledge the proposed schedule is aggressive which is why vendors are encouraged to begin adoption of the new algorithms immediately. While the proposed schedule is not set in stone, it is hoped the CNSA 2.0 algorithms can be made mandatory and CNSA 1.0 algorithms can be deprecated by 2030.

Happy Valentine’s Day!

atsec information security wishes all colleagues, customers, suppliers,and partners a Happy Valentine’s Day filled with joy, happiness, and security!

A Sign for atsec Sweden

 

Our Swedish colleagues unveiled the atsec sign on the front of the office building. Talk about enhanced visibility. The other atsec offices around the world are only a little bit jealous... 😀

Saved the Best for Last

After 40+ years of working, I am officially retired and can say that I saved the best for last. Four plus years ago, after working for IBM for over 29 years, I was hired by atsec information security corp., a small Austin company of approximately 25 people. Coming from Big Blue, I really had a lot of anxieties and concerns going from a large employer to a small one. I was afraid that I wouldn't be able to adapt to a small company work culture.

I found out that the work culture at atsec was the best I’d ever experienced. Everyone is authentic, loves what they do, and has a sense of purpose within the business. I developed strong relationships with my co-workers as they shared their experiences and knowledge with me, improving my own personal growth. I will miss working with some of the most talented and creative individuals in the business. It certainly has been an epic journey, and it is an incredibly strong testament to the emphasis atsec places on the development and support of skills, expertise, and excellence amongst the technical community. Those attributes and expectations are set from the top down, with management practicing what they preach and being a wealth of knowledge themselves.

atsec management is outstanding; they truly care about each individual, welcome creativity, and lead by example. They treat you like a colleague, not an employee, and that's reflected in the benefits and how management approaches employees. The owner of atsec doesn't have to worry about pleasing shareholders; this allows the company to have other priorities such as giving back to the employees and supporting the Austin community directly.
In the 4+ years that I worked for atsec, they provided a competitive salary, gave bonuses, took our families on trips, and had yearly Christmas celebrations around the Austin Hill Country area and even Moody Gardens Resort in Galveston. Management is always providing additional "gifts" to show their appreciation such as Amazon gift cards, restaurants gift cards, Thanksgiving ham and turkey, and more. The company also provides a weekly catered lunch, and once a year, the owner puts on his chef's hat and makes for us the greatest original Italian food I have ever had. No Olive Garden for us!

In sports, in business, or in our relationships, it usually matters little how one starts. The winners are declared only at the end.
Thank you, atsec! It truly has been a blessing.

Randy Baker

Feeling thankful for this #workmilestone
#atsec #thankyou #savethebestforlast

One last!

On his last day, Randy received many best wishes from atsec’s colleagues in Austin and overseas. As well wishes poured in, one consideration from a colleague in Austin stood above all. I reproduce it here for us all to reflect on:

After several testimonies and messages from our colleagues to Randy, I wanted to post one more message here before he leaves to his new endeavors.

We work in a highly technical field. So technical prowess, expertise, knowledge are naturally skills we must have. Yet, one topic was abundant in the messages about Randy, and cause me to reflect upon.

We live in times wherein it seems that cruelty became a winning strategy; lies and fraud seem to have become common. Acceptable. Rewarded. Science and common sense lose place to bogeymen. To ignorance, to fear, to intolerance, pushing countrypeople against countrypeople.

Yet, what that the common topic among messages to Randy? His gentleness. His positive energy. His respect, his smile, the confidence and comfort he instilled in people. Among everything, as a testament to his character, what mattered to us was exactly that: his character. The fact that he perfectly personifies the gentleman.

For me, that was a proof that, despite the dark clouds, despite the barrage from those who embrace disruption and noise, at the end, what really matter to us, human beings, what really stays in our memories as everlasting impression and legacy, is the absolute power of a person who is gentle, ethical, positive, humble and dependable.

Mission accomplished, Randy!

Happy Chinese New Year

 

We wish all our colleagues from atsec China as well as all our customers, partners, and suppliers celebrating the new lunar year, a Happy Chinese New Year.
The year of the Rabbit is important since atsec was born under that zodiac sign. Tradition suggests wearing something red during the year of your sign, which is not a problem for atsec because our logo is red for every sign of the Chinese zodiac ;).

Happy Birthday, atsec!

As always on the 11th of January atsec celebrates its birthday.
This year it is the 23rd! As they say: time flies when your doing IT security!
Our best wishes and thanks to all of the contributors: our customers, our partners, and our colleagues.