Happy Mother's Day

 

atsec wishes all mothers and grandmothers a wonderful and happy Mother's Day!

NIST Entropy Source Validation Server Available

by Stephan Mueller

NIST plans to offer a separate validation program apart from FIPS 140 to cover entropy sources: the ESV (Entropy Source Validation) program (hereafter ESVP). As part of the new validation effort, NIST recently launched an automated system to upload the required information in a structured manner: the Entropy Source Validation (ESV) server.

The protocol to interact with this server is provided at a public Github repository:
https://github.com/usnistgov/ESV-Server.

The ESV server has a similar concept as the already used server for Automated Cryptographic Verification Testing System (ACVTS). A "demo" server is available allowing users to verify that their ESV client works, verify that data from the entropy source matches NIST's expectations and in general become familiar with the ESV testing system. The demo server, however, cannot be used to upload data that will be considered as part of an ESV program. To result in an ESV certificate, the "production" ESV server must be used. It is technically identical to the "demo" server. It only differs in the aspect that the uploaded entropy data is the official test data and the test result contributes to a verdict of an ESV submission.

The ESV demo server has been available for some time but received several updates lately to bring it into a state that is required for performing validation tasks. NIST now considers the ESV demo server to be ready such that its companion of the ESV production server can be enabled as well. Starting from March 28, NIST accepts applications for access credentials to the ESV production server.

atsec successfully implemented an ESV client that was used to perform a full cycle on the ESV demo server. This qualifies atsec to gain the credentials to access the ESV production server. Furthermore, atsec dedicated two subject matter experts for the ESV related test which implies that atsec is well positioned to offer the ESV services to customers.

To demonstrate atsec's knowledge and expertise in the area of ESVP, we plan to take a project through the ESV program once NIST starts accepting the submissions.

Once again, atsec is at the forefront of new developments to provide necessary and requested services to our customers. The ESVP enables the entropy sources to be tested and validated independent of the cryptographic module validation program for FIPS 140 certificates. Just like the CAVP certificate, an ESVP certificate may be required and shall be referenced in a CMVP FIPS certificate as the respective entropy source is used by the cryptographic module. This is welcome news to vendors who are eager to pursue CAVP certificates. Obtaining ESVP certificates in parallel with the CMVP certificates will shorten the overall validation time and allow the re-use of the ESVP certificates in multiple CMVP validations when the same entropy source is shared.

atsec becoming first cybersecurity MetaLab

We are excited to announce that atsec information security has become the first IT Security Lab that has been accredited as a testing lab for the Metaverse. IT Security in virtual environments is as important as in the real world. While in the real world there are a lot of security mechanism already in place to protect your assets from theft or damage, protection measures for assets in the virtual world still need to evolve.

We at atsec want to contribute to this evolution by analyzing your solutions for the virtual world. The MetaLab director, Yi Mao, confirmed that “Our testers lead by Stephan Mueller have been working for decades to visualize the abstract requirements of the various security standards, and believe they have achieved a breakthrough. Now our customers can watch live with our atsec helmets (model APRFL1) their technologies passing AMVTS (Automated Metaverse Validation Test System), or observe how a vulnerability can be exploited and violate some Security Functional Requirements (SFRs) during a Common Metaverse Criteria Evaluation (CMCE).”  

Representatives from our offices in Europe have announced that they are actively contributing to the standardization groups responsible for defining the Common Metaverse Criteria Recognition Arrangement (CMCRA), but had to admit that they are not yet fully accustomed to participate in standardization meetings only through Avatars. Other challenges remain in the integration of the Common Metaverse Criteria (CMC) into the EU Cybersecurity Act certification framework, as EU CMC; and the identification of the relevant standards for the accreditation of Meta-Conformity Assessment Bodies and Meta-Labs.

VR experts from our offices in China recently started their first VPI DSS (Virtual Payment Industry Data Security Standard) certification. They are confident that they will be able to ramp up the payment approval scheme in virtually no time.

Our evaluators for the metaverse are intensively trained in utilizing atsec state-of-the art helmets for testing and vulnerability analysis. For EAL5/Expert+ level, we also add the complexity of Beat Saber and other virtual settings to the testing environment.

If you want to try out the atsec helmets, meet us at our booth at the VAF event in Horizon Venues. See you there.

Happy Pi Day

From Archimedes to the bright minds of our time, atsec would like to thank all the mathematicians contributing to making our world more secure.

Happy International Women's Day

atsec information security wishes all women - colleagues, customers, suppliers, and partners - a wonderful International Women's Day. atsec highly values your contribution and praises your outstanding
achievements in information security.

FIPS 140-3 Submission Scenarios

by Andreas Fabis

FIPS 140-3 has a more detailed set of submission scenarios than FIPS 140-2. It can be daunting to find the right scenario for your situation. The flow diagram below provides an overview and helps to explain the different scenarios. More information can be found in the FIPS 140-3 Management Manual. The Management Manual is currently in draft status, and we will update this diagram to reflect the applicable NIST fees once the new version is published. Please note that it is possible and quite common to combine submission scenarios (for example, 1OEM and 1OEA).

The CMVP is also working on an entropy (ENT) certification program that will allow vendors to receive a stand-alone certificate for their entropy source. If you would like to follow the current status of the program, we invite you to join the Cryptographic Module User Forum (CMUF) and follow the discussion in the Entropy Working Group there.

 

(click to see a larger version)

Happy Valentine’s Day

atsec information security wishes all colleagues, customers, suppliers, and partners a Happy Valentine’s Day filled with joy, happiness, and security!

Distinguishing encrypted from non-encrypted data

Our colleague Quentin Gouchet, together with Eric Järpe, authored an article on distinguishing encrypted from non-encrypted data.

We invite you to read the article here.

Introduction:
The discrimination of encrypted data from other kinds of data is of interest in many areas of application. For instance for making other applications work for the communication traffic in a network where the means for application may depend on whether the traffic data is plaintext/cleartext, compressed, encrypted or encoded in some way. Also, there may be security reasons, e.g. the uncontrolled flow of encrypted data of which some may be transmitted for malicious purposes could be argued in need of supervision network abilities. To these ends, various methods, mainly of machine learning, have been suggested through the last decades.

It is atsec’s 22nd Anniversary!

A big hug to you all. Happy Birthday!

“atsec is a big hug to the whole team represented in the at-sign @ of our logo!”

 

 

audaces fortuna juvat

 

“An idea is nothing more or less than a new combination of old elements,” James Webb.

atsec, is: "A new idea based on old concepts." When atsec was founded on 01.11.2000, the founders knew what they wanted to achieve based on what they had experienced up until then: "A key international player in the niche market of information security, evaluation, testing, and assurance in general."  That niche today has expanded to encompass almost all aspects of our connected life and beyond!  

Fortune favors the bold!

 

Thank You All!
                …sal.

Happy Holidays and a Happy New Year from atsec

This year the motto for our Holiday greeting is “Bridges”, as it symbolizes much of what we do in our daily work. We bridge the difficult terrain of international and national standards between vendors and government agencies, so both parties can reach their respective goals. We bridge the gaps in knowledge by constantly training our own staff and transferring knowledge to our customers, so that they will have an easier time navigating the rules and requirements around testing and certification. We act as a bridge between different technical communities, e.g. by having started the International Cryptographic Module Conference (ICMC) and by hosting the Cryptographic Module User Forum (CMUF). We act as a bridge between the stakeholders and standard bodies like the CCUF & CMUF, ISO, O-TTPS , CMVP, CAVP, SCAP, BSI, CSA, CSEC, NIAP, OCSI, PCI and the GSMA. Bridges help navigating obstacles, they connect people, and allow progress into new areas. Here at atsec we strive to do the same.

The whole atsec team wishes you, your family, friends and colleagues Happy Holidays and a Happy New Year.