Monday, September 26, 2022

New Cyber Resilience Act in EU


On September 15, 2022, the EU Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. This EU legislation introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.

The EU legislation will impose:

  • (a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
  • (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
  • (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
  • (d) rules on market surveillance and enforcement.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network.

The European Parliament and the Council will examine the draft Cyber Resilience Act. Once adopted, the economic operators and Member States will have two years to adapt to the new requirements. However, the reporting obligation on manufacturers regarding actively exploited vulnerabilities and incidents will apply one year from the date of entry into force. The essential cybersecurity requirements and the vulnerability handling requirements are set out in the Annex of the proposed Cyber Resilience Act (provided as a separate document in the link below).

Please see Factsheet on the EU Cyber Resilience Act and Proposal for a Cyber Resilience Act for more information.

Monday, September 19, 2022

The Tenth International Cryptographic Module Conference

The 10th International Cryptographic Module Conference (ICMC) was held from September 14th to 16th 2022, at the Westin Arlington Gateway in the Washington, D.C. area. Yi Mao, Managing Director for atsec information security, wrote the welcome letter in this year's program:

Dear ICMC 2022 Participants,

A very warm welcome to the tenth annual ICMC! In September 2013, atsec initiated the first ICMC in a frugal Holiday Inn in Gaithersburg, Maryland, only 1.4 miles away from the NIST campus, to maximize their attendance. We had a total of 163 participants at the first ICMC. This tenth conference is recovering to the pre-COVID level, with close to 400 participants.

The ICMC has been growing healthier and stronger every year with more sponsors, users, labs, and vendors from all market segments worldwide. The spirit of the conference hasn’t changed since its inauguration: it is a platform where we improve the communication among all parties involved in designing, implementing, using, testing, and validating crypto modules, and where issues are discussed, and proposals are heard. The ideas sparked at the ICMC foster fruitful results from the various Cryptographic Module User Forum (CMUF) working groups. As we celebrate this historic tenth year of our endeavor, we acknowledge the NIST CMVP/CAVP and the CCCS CMVP as well as many individuals whose significant contributions built the cryptographic module validation community in the past decade. Whether a veteran or a newcomer in this field, everybody is a winner at the ICMC through collaboration!

Nowadays, many of our daily activities have been moved from the physical, tangible world to its digital counterpart in cyberspace. The COVID pandemic pushes us to be even more dependent on the internet. The demand for information security has reached the highest level ever. Modern cryptography, a fascinating interdisciplinary field of mathematics, computer science, and electrical engineering, offers an answer to information security and underpins our online commerce, privacy, and national security.

We witness rapid developments as new algorithms and protocols emerge, replacing their predecessors. The Entropy Source Validation (ESV) program has been set up for full service, replacing ENT labels on the CMVP certificates. The transition to the FIPS 140-3 standard is complete, and FIPS 140-2 reports are no longer accepted. Embracing change seems to be the only unchanging principle to stay relevant into the future.

It’s exciting to see the industry embracing cryptography and our society demanding validated crypto modules. Still, we face the challenge of having a long review pending queue in the validation process. To avoid becoming a victim of our success, we need to find a collaborative solution with a spirit of innovation to automate the CMVP. The ICMC brings together inspired people in this vibrant field to ensure we navigate the cutting edge successfully.

We also commemorated our dear friend and colleague, Dr. Bertrand du Castel with a blog post containing heartfelt memories of his life and genius. Please read the blog article here.

The conference itself started off with the opening ceremony by Sal la Pietra, President and Co-Founder of atsec information security.

Sal gave out commemorative golden coins in recognition of the distinguished contributors to the success of the ICMC and the growth of CMUF. 

The ICMC was three information packed days where we saw familiar faces and made new friends. As a platinum sponsor of the ICMC, atsec had a strong presence with a booth and six well-received talks:

  • The Rust Cryptographic Library Ecosystem - Joachim Vandersmissen
  • Fitting Token-Based Authentication to FIPS 140-3 - Yi Mao & Volker Urban (IBM)
  • Out of Bounds - A Look into FIPS 140-3 Boundary Definitions and Requirements - Renaudt Nunez
  • 360° View of FIPS 140-3 Certification - Swapneela Unkule
  • Protocol-Related Rules Enforcement in FIPS Validations - Stephan Mueller
  • Experiences with the Entropy Source Validation - Marcos Portnoi

Our atsec colleagues also moderated several presentation tracks:

  • Crypto Technology - Yi Mao
  • Random Bit Generators (RBG) - Marcos Portnoi
  • Certification Programs - Yi Mao
  • Post-Quantum Crypto - Dave Cornwell

At the closing ceremony, atsec also presented two dozen silver coins and Bertrand’s book to those who scored high in our "Your contribution is key to winning" game. Winners demonstrated their significant contributions to the ICMC and CMUF through their answers to the game questions and their presence at the ICMC22 closing meeting. We thank you for your participation in the game.


Overall, the tenth annual ICMC was a great success and we are looking forward to the ICMC23 on September 20 through 22 in Ottawa, Canada.

Thursday, September 15, 2022

Protocol Rule Enforcement & Module Scope

Stephan Müller's presentation at the 2022 ICMC.

Wednesday, September 14, 2022

ICMC and Dr. Bertrand du Castel

by Dr. Yi Mao

Sal La Pietra, the President and co-founder of atsec information security (atsec), opened the tenth annual International Cryptographic Module Conference this morning at Westin Arlington Gateway in the Washington D.C. area. The theme of his opening speech was that everyone is a winner through collaborative work. All ICMC participants received a bronze medal. Ten trophies, each of which has an embedded gold medal, were awarded to the NIST CMVP/CAVP and CCCS CMVP and eight individuals for their significant contributions to the cryptographic module validation community in the past ten years. Twenty-five silver medalists will be announced at the ICMC closing meeting on September 16.

At this joyful moment, I deeply miss one person: Dr. Bertrand du Castel. I wish we could invite him back as our distinguished guest, to witness this conference's growth and celebrate its success, but sadly he is no longer with us. I know that he would be proud to see the profound impact of his keynote speech at the conference's inauguration in 2013 (https://www.youtube.com/watch?v=Of6yHI8sygI) on the development of this community. The address carried his hallmark breadth of knowledge, connecting technology to fine art and humanity, sprinkles of metaphors, and a pinch of dry humor. It feels just like yesterday we were listening to him talk about two "elephants" and a bunch of "flamingos," where only one flamingo calls out "Key Distribution," and the rest of the group repeatedly calls for "Trust." Where do we place the trust in the cryptographic module: on embedded devices, in the cloud, or both? Seeking answers to the question he raised and the endeavor of driving "elephants" out of the room has become the force pushing cryptography to be part of the solution.

Bertrand was a Schlumberger Fellow and widely recognized as a "keeper of the scientific soul" of that organization. In 2005, he won the Visionary Award from Card Technology Magazine for pioneering the Java Card (https://www.slideshare.net/BertrandduCastel/2005-visionary-of-the-year-award-49010879). He accomplished his mission to break smart cards away from the limitations of proprietary platforms through embracing open standards. It was a pivotal step that caused the smart card industry to flourish, ensuring that these cards were used in every corner of the internet. Bertrand headed the team that created Java Card, helped build the Java Card Forum to manage the software platform, led work on one of the industry's first internet smart cards, and co-founded the WLAN Smart Card Consortium to promote the use of smart cards on Wi-Fi networks.

Java Card is a software technology that allows Java-based applications (applets) to be run securely on smart cards and, more generally, on "secure elements" (SE) with small memory footprint cryptographic tokens. Java Card addresses hardware fragmentation while retaining code portability brought forward by Java.

As an open standard backed by leading smart card manufacturers, including Thales, Java Card offers the best security of its kind via data encapsulation, an applet firewall, and cryptography. A brief review of the history highlights the connection between today's Java Cards manufactured by Thales and the first Java Card invented in 1996 by Bertrand's team in the Schlumberger Smart Card division, which was carried through the Axalto and Gemalto eras into Thales. According to Oracle, nearly six billion Java Card-enabled devices are rolled out each year.

In 2013, when atsec had the initiative to launch an International Cryptographic Module Conference, Bertrand was at the top of our list for a keynote speech. As a highly respected leading figure in the smart card industry who had accrued significant recognition and honors for his work, we wanted him to share his vision of cryptographic module validation and shed some light on the path forward. He agreed to help us with the first ICMC with a blunt and honest statement, "I can only give an outsider's view because I do not know cryptographic module validation." Adding to it, he said, "I'll say what I want to say, say it, and say what I said. My presentation will be confusing. Do you still want me to do it?" "Yes, Bertrand!"

Having worked with Bertrand for almost six years at the Schlumberger/Axalto/Gemalto time, I benefited tremendously under the tutelage of a master. He had a great zest for a broad spectrum of knowledge ranging from neural science, computer science, logic, artificial intelligence, software engineering, linguistics, fine art, and history of humanity and civilization (see Bertrand's publications here: https://www.researchgate.net/profile/Bertrand-Du-Castel). He is well known for throwing out unconventional questions, sparking heated discussions, and building consensus toward a promising solution. After decades of pioneering research in various topics, with ups and downs in the industrial job position (nowadays, some companies may prefer today's profit to a scientific soul keeper advocating tomorrow's view from the top), his curiosity and passion still burned bright.

Good questions often lead to great discovery. Sorting out the "confusion" Bertrand left us in his speech could be a scenic path to fruitful results. To set off the ICMC with an open and inclusive start, we welcomed an "outsider's" view, which could be insightful. A Chinese quatrain by the famous poet Su Shi in the Song dynasty fittingly and metaphorically captures the situation where the insiders may get lost in sight. Its English translation (based on the translations provided by Burton Watson (link) and Hongfa Huang (link)) is roughly the following:

From the side, a whole range; from the end, a single peak:
Far, near, high, low, no two parts alike.
It's so hard to tell the true face of Mount Lushan,
Because this very mountain has had me right inside.

I was a complete outsider to the smart card industry, and information security in general, when I first met Bertrand in the Fall of 2000. I was a Ph.D. candidate in the Department of Philosophy studying at UT-Austin with an expected Master of Science degree in Computer Science by the end of the year. A friend of mine, who was helping Bertrand interview job candidates, thought a candidate would be extremely lucky if s/he could work for such a brilliant boss, one who encouraged creativity, innovation, and risk-taking and actively applied Darwin's evolutionary theory to computing history in a collegial, academic environment. I begged her to introduce me to Bertrand. My wish was soon granted.

On a sunny autumn afternoon, I visited the award-winning Schlumberger Austin campus (https://jacksonmcelhaney.com/projects/schlumberger-asc) on 620 Ranch Road (the current site of the Concordia University campus). The campus had six buildings, named with the letters A–F, connected by covered walkways and encircled by a trail winding through a massive nature preserve encompassing natural springs, wetlands, caves, dense trees, and lots of wildlife. The ivy leaves and wildflowers were like curtains and carpets decorating walkways. Bamboo and other indoor plants grew inside buildings awash in natural light from large windows and copious skylights, threaded with staircases. A wooden bridge swung above a rushing stream, where you could hear birds chirping or watch passing satellites at night. Hiding in the middle of a forest, who would have guessed cutting-edge smart card technology led by an innovative mind would emerge from such a place? I met Bertrand in his office in Building F. His office had two sides of huge, ceiling-to-floor glass windows. He said deer would come to his windows. Perhaps that was why he always had Darwin's evolutionary theory in his mind, as nature was fully displayed to him.

I was somewhat nervous when I first talked to Bertrand, partly because I couldn't decipher his jokes and partly because I was not used to his French accent (in fact, any French accent). He quickly scanned through my résumé and focused on one of my published papers about Saussure's semiology and his interpretation of the meaning of words. I explained that in Saussure's notion, the word 'tree' does not refer to a tree as a physical object but to the psychological concept of a tree. The linguistic sign thus arises from the psychological association between the signifier (a 'sound-image') and the signified (a 'concept'). There can, therefore, be no linguistic expression without meaning but also no meaning without linguistic expression. I continued by claiming that Saussure's concept of structural linguistics shed light on how language shapes our concepts of the world and that it influenced but was later replaced by Chomsky's Universal Grammar. Bertrand disagreed. He argued that he was in one of Chomsky's seminars when Chomsky toured Europe in the 70s. Chomsky criticized structuralism and made it clear that his modern approach to linguistics was not rooted in it. I replied that Chomsky's criticism of structuralism was directed at the Bloomfieldian school, known as "American structuralism," which should not be confused with Saussure's structuralism. Bertrand opened up the internet, and after a few clicks, the references we read together supported my argument.

Our meeting ended with Bertrand asking me, "Do you want to work here with me?” I replied, “Of course, but you haven't asked me questions about programming and computer science." My voice was filled with surprise and excitement. Bertrand looked at me and said, "You have convinced me, but you need to convince people here that you know what you know and you can make others know what you know but they previously did not know."

A couple of weeks later, I gave a presentation to people from the smart card group and the oilfield services group. My topic was non-monotonic reasoning in our daily argument using natural language instead of monotonic reasoning in mathematical proofs. Bertrand was very selective in hiring, and such a presentation was a must. I learned later that he was a graduate of Ecole Polytechnique with a Ph.D. from the University of Paris. These are the most prestigious universities in France, and people who graduate from those institutes are considered the "crème de la crème." Through his unique hiring process, he gathered a team of intellectuals with diversified backgrounds and knowledge who shared the passion for achieving the best.

Years later, I am on the other side of the interview table. Learning from Bertrand, it also became atsec's hiring requirement for a job presentation. The focus is not on the presentation content per se but the presentation style. It serves as a vehicle to measure the candidate's ability to think independently, articulate the problem, communicate the solution, and respond to questions, comments, or even criticisms from the audience.

Working under Bertrand's leadership was a dream job. I was fortunate to start my professional career with such a fantastic mentor. He was best at protecting the engineers from upper management, helping them do their job, giving them room to innovate, and providing them funds for expensive books and trips to conferences. His management style was leading by doing. It would be one's lucky day if he popped into your office and started a mind-blowing conversation with you. On one of my lucky days, he wrote the following group of sentences on my blackboard intermingled with my seven-layer Open Systems Interconnection (OSI) model and cryptography used in TLS/SSL layer already on the board:

  • The rocket reached the top of its trajectory.
  • The trajectory of the rocket reached its top.

  • The sun is bright.
  • Mary is bright.

  • Arrows fly.
  • Birds fly.

He asked why both sentences in each pair were correct but their meanings differed, and that was the beginning of our joint paper on Generics and Metaphors Unified under a Four-Layer Semantic Theory of Concepts (https://www.researchgate.net/publication/234076899_Generics_and_Metaphors_Unified_under_a_Four-Layer_Semantic_Theory_of_Concepts).

Unlike the tension commonly seen between employees and their managers, talking to Bertrand and sharing our thoughts with him were the highlights of a working day. How he motivated the team seemed like magic but also came so naturally from him. Without being asked, we all voluntarily wanted to show him our ideas, draft papers, demos, and prototypes. More often than not, he disagreed with our initial proposals with laser-sharp comments, but eventually a solution would emerge. In summer months when he went to Europe, we felt the office became too quiet and we missed the thought-provoking discussions with him. He was an enabler of innovators through working with and nurturing us. He was always thinking, and thinking made him happy. This happy thinking habit proved to be contagious, and I’m indebted to him for inheriting it.

In the first three years working in Bertrand’s department, my team lead and I, just two of us, covered the entire North American market for smart card personalization needs including a variety of industry sectors: SIM cards for telecommunications, banking cards for electronic payment, transportation cards, identity cards, healthcare cards, passports, and driver’s licenses. In the meantime, I completed my Ph.D. by working late evenings, weekends, and holidays. What I learned from Bertrand was to love what you do.

Loving what we do is the most powerful motivation shared among atsec colleagues. I manage the technical and company cultural training program for our newcomers, through which a clear message is delivered to every new addition to our team: it is not just an eight-hour job but a professional career to be built with passion and love. atsec values Bertrand’s “leading by doing and sharing” management style and follows its spirit. One indicator for loving what we do is our annual ICMC clips (https://www.atsec.com/media/index.html). Every year I had Bertrand preview our clip for his feedback until I no longer could. In one of his email replies, he commented, “The video is great…a superb way to communicate to the core.”  

The best ideas are the well communicated and received ones. The ICMC clips use a joyful tone presenting challenges faced by the cryptographic module validation community coupled with feasible solutions. Clips demonstrate atsec’s expertise in FIPS and show our passion and love using our talents in art, music, and humorous and metaphorical language. We at atsec work hard and laugh loud, which often reminds me of the days working with Bertrand. The difference is that Bertrand had to protect his engineers from upper management; at atsec, the upper management protects our colleagues.

The picture below illustrates the roll-up panels that we are displaying at our ICMC booth this year: 

Competence, Experience, Contributions, Founding, Leading, and Bridging are the common words applicable to both Bertrand’s team who made a breakthrough in card technology and atsec’s team who build up the module validation community. It’s apparent that Bertrand’s spirit lives through us, who have learned a great deal from him and are teaching our fellow colleagues just the same.

For those who didn’t get a chance to know Bertrand, atsec will provide Bertrand’s book “Computer Theology: Intelligent Design of the World Wide Web,” co-authored with Tim Jurgensen. Published in 2008, the book describes a theology of the World Wide Web based on a comparative study of human societies and computer networks. His ideas are worth studying and spreading. We will provide a paper copy to Gold and Silver medalists at the ICMC. If you would like to receive a paper copy, please contact us at cst-info@atsec.com.


We took this opportunity to collect some deeply touching stories and insightful quotes from a few of Bertrand’s former colleagues and friends.

For Maria Nekam, Bertrand’s long-time assistant, his passing seemed and still seems impossible. Her most memorable interactions with Bertrand were those joyful moments when they talked of butterflies, Klimt, and Johnny Hallyday. For many, including Maria, Bertrand was the lodestar - a man for whom the motto "Live Curiously" was written.

Tim Jurgensen, Bertrand’s book co-author and long-time collaborator, wrote:

“I first met Bertrand in 1978, shortly after he joined Schlumberger. I had been working there for a few years at that time. Over the course of my career, I worked with Bertrand and for him. During that career I once surmised that I had "lived" in Paris, Bertrand's "home town," for over two years, one week at a time. My trips to Paris were almost always at least one week in duration, and I made over 100 trips.

I loved to walk in Paris and I spent many days roaming the neighborhood where Bertrand lived his early years. Now, I grew up in a small town in western Oklahoma. I used to joke with Bertrand that between the two of us, we spanned a significant part of "world culture," from the simple to the sublime.  He took this to heart to the extent that a few years before he died, in the course of a driving vacation one summer, he spent a day visiting my home town in western Oklahoma. I think he was searching for an understanding of my "grounding".

For many years, I traveled with Bertrand to Java Card Forum meetings around the world. On most of those trips, on the night before we would return to the United States Bertrand would take me, and sometimes others, out to dinner at a restaurant he thought "interesting."  On one such occasion in Marseille he took me to dinner at a seafood restaurant in the harbor area. When we arrived he announced "Most people come to this restaurant for the bouillabaisse, but you shouldn't have the bouillabaisse here!" So, I didn't.

As we were eating, I asked Bertrand why we weren't having the bouillabaisse. He responded "Bouillabaisse is an historic dish created here in Marseille and it uses only the fish, or parts of fish, that the fishermen could not sell. It is intended to show the creation of an exquisite dish from the most common ingredients. At this restaurant, they make their bouillabaisse from only the best fish."

Bertrand was a thinker of novel thoughts and an accomplished innovator. However, he was firmly grounded in historical perspective and culture."


Bertrand’s talent for unifying seemingly opposite personality traits is echoed in Krishna Ksheerabdhi’s comments:

“Bertrand was one of a kind - in the very true sense of the expression. Intellectual but pragmatic. Creative but structured. Strict but empathic. Mercurial but deeply calm. It was these paradoxical traits that made him unique. It also made him work on challenging problems and often succeed in solving them.”


Karen Lu remembered Bertrand:

“Bertrand was brilliant. He was always thinking but did not limit to his own mind. He liked to ask questions and listen to other people’s thoughts, which might support, be different, or be against his ideas. I used to work in a separate division from Bertrand’s in Schlumberger and a completely different field. Still, he often invited me to interview his candidates or listen to their presentations. He would then ask, what do you think? In January 2002, a new Advanced Smart Card Research group was established under Bertrand’s leadership. My colleagues and I were selected to join. It was not because we were smart card experts but, in Bertrand’s words, “because you know nothing about smart cards!” He wanted fresh thinking and new ideas.”


Amy Price shared her remembrance:

“The time I spent at Schlumberger Austin was a magical time for me, and Bertrand was a big part of that. We all recognize that Bertrand was brilliant, creative and a seeker of knowledge and truth. But for me, he was the first leader I’d ever met who truly embraced diversity. And I don’t just mean intellectual inclusivity – he recognized key traits, skills and capabilities of all kinds in people and intentionally (and thoughtfully) put them to their best and highest use within the collective he built. It was true diversity before anyone thought to call it that – and it brought out the very best in all that knew and worked with him. I believe that breakthrough thinking and innovation are best rooted in a diverse organization – and Bertrand made sure that he constructed just that. It not only contributed to the incredible work – having a great and incredibly loyal team let him soar to new creative and intellectual heights.

On a personal level, Bertrand made it easy for me to be my ‘whole self’ – from technologist to communicator to artist – and to bring all my intellectual muscles to our discussions, which were especially fruitful during lunches on the back deck. I will never forget the discussion we had about figures – dancers – painted on ancient pottery that he asserted were the earliest form of graphic communication. That is, until I mentioned cave paintings. Next time we talked, we had a great conversation about cave paintings. But again, that was Bertrand simply being open to embracing learning and new data. Underneath that occasionally argumentative exterior, Bertrand was one of the kindest people I’ve ever known. And I was struck when I realized for the first time how clear and brilliant blue his eyes were under those tinted lenses he favored. Thank you, Bertrand, for being both an advocate and a friend.”


Fiona Stewart remembered Bertrand:

“When I first met Bertrand, I was working for Schlumberger. In those days, ‘Management by Objectives’ was a much-loved philosophy. I recall my objective set by Bertrand was simple: “ISO 9001. You do the BS!” Bertrand, thank you! I am still doing ISO 9001, ISO 27001, as well as Common Criteria and FIPS 140-3, and yes, I am still doing the BS ;) This was the best objective of my life.”


Elizabeth Dahan showed how much she loved Bertrand and enjoyed working with him during her days at Schlumberger. She wrote:

“I worked directly under Bertrand for 6+ years with many roles: webmaster of Cyberflex.com and Reflexreaders.com, ‘owner’ and customer support of the Smartcards webstore, graphics designer, and the maintainer of the Cyberflex discussion forum. Bertrand called me ‘the Marketing arm for the whole team.’

Working with Bertrand was working with a winner! One of the favorite parts of my job was collaborating with him on all of his wonderful presentations, which had quirky titles such as “Smart Cards are Pots” or the infamous “Death of the Washing Machine.” I was one of the first people to see his presentations, because I would critique his delivery and his slides.

Bertrand would always test out his presentations at our research center. Everyone would attend his presentations. They knew if it was from Bertrand it would be GOOD! Those who have seen these presentations will be smiling and nodding their heads right now!

Bertrand was well known for his extreme French accent. Everyone made jokes about how he was a linguistics expert, but no one could understand anything he said. It took me two years to learn to understand him. He would come to my office and spout a litany of words in super-fast speed. I would say, ‘excuse me?’ And he would repeat it. I would say, ‘Can you say that one more time?’ Three times it would take! So funny. We would just laugh!

He was also very quick tempered. He would come into my office yelling with his arms waving around. ‘The server is down! What are you going to do about it?’ (For example.) I would always just laugh, because I found it so funny when he did this. Me laughing always made him laugh. It always defused the situation.

One day I was talking to him about an issue I was having, (I can’t remember what.) He said to me, (think about this in the thickest French accent you can,) ‘Elizabeth, when it rains, you know the trees, they get wet.’ And then he walked out. Ha ha! Of course, this didn’t give me any solution. But he knew I would solve my own problem. This is how he was. He hired good people because he knew they could do the job.

I learned a lot from him. I enjoyed his hands off management style and employed it myself when I became a manager. Later after we all left Schlumberger, I would organize reunion lunches. Bertrand was often in attendance. It was always so nice to see him and hear how he was doing as a Schlumberger Fellow. He is sorely missed. He was one of my very favorite people.”


I’ll conclude with the stories told by Sal La Pietra about his interaction with Bertrand:

“I first met Bertrand long ago at a restaurant. Bertrand had an infectious smile. His eyes and wit were as sharp as those of a lynx. He was a big fan of Japan, and he once told me that one of his ancestors held the post of French Prime Minister for a short while. I had difficulty in understanding Bertrand’s French accent at the start, but being Italian, I soon figured out how to read the underlying meaning of his conversation.

We mainly met over lunches and a couple of times over dinner. We often started with company strategy, high assurance, and formal methods and ended up talking about food and wine. He told me what he was thinking about some companies and their technologies. Sometimes, he commented on our services and the infosec market in general. I did not always agree with him, but he usually was right.

I tried in so many ways to work closely with Bertrand. Once, atsec decided to become a certification authority (CA) and had him be part of the board of trustees for the new organization, but this project didn’t go far.

After the merger of Gemplus and Axalto to become Gemalto, now Thales, his team went through re-organization and downsizing. He asked me to hire one of his people, and I did it, and it was the best thing he ever suggested to me.

I talked with Bertrand last time at the 2013 ICMC. He was glad atsec founded the conference and predicted a promising future. Once more, you were right! Thank you, Bertrand, for everything you have done!”

Although this is the longest blog on our website, it has come to an end. Nevertheless, our thoughts on Bertrand will never end. His spirit is with us. He is watching us, guiding us, and feeling proud of what we deliver today and what we will develop tomorrow.

Acknowledgment:
Many thanks to Bertrand’s family for their support and for sharing Bertrand professionally with us.

References to Bertrand’s work and memories of Bertrand: 

Monday, September 12, 2022

Securing the Software Supply Chain

by King Ables


All components comprising a software product are ultimately the responsibility of the developer of that product, even if one or more of those components is supplied by a third party. This is especially true when the product is evaluated for Common Criteria (CC) certification.

Recently, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published

Securing The Software Supply Chain Recommended Practices Guide for Developers:
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/

This is the first in a planned three-part series of guidance documents. Part one provides a good overview of the issues developers face in producing and supporting secure software. It covers topics such as:

  • developing secure code
  • software repository security
  • hardening the build environment
  • verifying third-party components
  • code review and testing
  • threat and vulnerability assessment
  • secure build and distribution

Some things discussed are already required in some CC evaluations, based on requirements in specific protection profiles, like:

  • fuzz testing
  • use of memory-safe programming tools or techniques
  • penetration testing
  • vulnerability response

One topic of note is the Software Bill of Materials (SBOM). While recommended by this new guidance, formal SBOMs are not currently required for CC evaluation or federal procurement. However, that could change soon. HR 7900, the National Defense Authorization Act for FY 2023, has passed the U.S. House of Representatives and is currently in the Senate. This bill includes a requirement for SBOMs to be included in all Department of Defense software procurement bids. Presuming this bill is eventually passed and signed into law, SBOMs will be required during procurement and may be added as a requirement to some protection profiles.
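To make the "verifying third-party components" and SBOM topics concrete, here is an added example (not code from the blog post, the NSA/CISA guide, or atsec): it builds a minimal CycloneDX-style SBOM that records a SHA-256 digest for each third-party component, then checks a set of artifacts against those recorded digests so that a swapped or tampered dependency is flagged before it enters the build. The component names, versions, and file contents are constructed sample data; the SBOM field names follow the CycloneDX JSON layout, but the document is deliberately reduced to the fields needed here.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample third-party components: (name, version, content bytes).
# In a real pipeline these would be the downloaded archives, wheels, or jars.
SAMPLE_COMPONENTS: List[Tuple[str, str, bytes]] = [
    ("example-json-parser", "2.1.0", b"def parse(s):\n    return s\n"),
    ("example-tls-shim", "0.9.3", b"class Shim:\n    pass\n"),
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a component artifact."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: List[Tuple[str, str, bytes]],
               product_name: str = "example-product",
               product_version: str = "1.0.0") -> Dict:
    """Produce a minimal CycloneDX-style SBOM recording each component's digest.

    Only the fields needed for digest verification are emitted; a production
    SBOM would also carry package URLs, licenses, and supplier information.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "name": product_name,
                "version": product_version,
            }
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(content)}],
            }
            for name, version, content in components
        ],
    }


def verify_components(sbom: Dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Check the artifacts actually present in the build against the SBOM.

    Returns one message per problem: a component whose artifact is missing,
    one with no SHA-256 recorded, or one whose digest does not match.
    An empty list means every listed component verified.
    """
    problems: List[str] = []
    for comp in sbom["components"]:
        name = comp["name"]
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}: artifact missing")
            continue
        expected = recorded.get("SHA-256")
        if expected is None:
            problems.append(f"{name}: no SHA-256 recorded")
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"{name}: digest mismatch")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Generate the SBOM, then verify a clean build and a tampered one."""
    sbom = build_sbom(SAMPLE_COMPONENTS)
    clean = {name: content for name, _, content in SAMPLE_COMPONENTS}
    tampered = dict(clean)
    tampered["example-tls-shim"] = b"class Shim:\n    pass\n# injected\n"
    return verify_components(sbom, clean), verify_components(sbom, tampered)


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_COMPONENTS), indent=2))
    clean_result, tampered_result = demo()
    print("clean build:", clean_result or "all components verified")
    print("tampered build:", tampered_result)
```

The check is deliberately independent of where the artifacts came from: the SBOM is generated once from the components the developer reviewed, and every later build compares what it actually downloaded against those digests, which is the control the guidance has in mind when it asks developers to verify third-party components.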


Monday, August 15, 2022

atsec became a PCI GEAR member again for 2022-2024

atsec China is pleased to announce that atsec has become one of the PCI Global Executive Assessor Roundtable (GEAR) members for the 2022-2024 term.

atsec China has been a PCI GEAR member since its initial establishment in 2018. In 2022, atsec China is one of 27 organizations to join the PCI GEAR in its efforts to secure payment data globally. As strategic partners, Roundtable members bring industry, geographical, and technical insight to PCI Security Standards Council (SSC) plans and projects on behalf of the assessor community.

PCI SSC Executive Director Lance J. Johnson said: “We need voices from across the assessor community to help ensure we are providing the best standards and programs to support the industry in protecting against today’s modern cybercriminal. We’re pleased to have atsec China on the PCI SSC Global Executive Roundtable to provide critical insights and help us build on the great efforts that are already being done to increase payment security globally.”

Please refer to the announcement published by PCI SSC as follows:
https://www.pcisecuritystandards.org/about_us/global_executive_assessor_roundtable/

About the PCI Security Standards Council

The PCI SSC leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate, and prevent cyberattacks and breaches.

Monday, August 8, 2022

Clarice Assad's Residence Workshop with Austin Classical Guitar Society


by Salvatore La Pietra

This is a different kind of blog entry, not about technical expertise or atsec’s latest achievement. It is a 32-minute clip, ending with atsec as a sponsor, documenting Clarice Assad's Residence Workshop with Austin Classical Guitar Society (ACGS):


https://www.youtube.com/watch?v=aeaNM-bIh-M

I had the opportunity to meet with Matthew Hinsley, Executive Director, and Joe Williams, Artistic Director of ACGS, when they proposed to support the residence of Clarice with the Austin Classical Guitar Youth Orchestra (ACGYO). For atsec, it was essential that funding would support education.

My son has been involved with ACGS since an early age. I met teachers, students, and musicians of all ages and genders. I have always been fascinated with the passion, focus, and amount of time spent on the instrument. Several of these young students will undertake a STEM career in Engineering, Computer Science, and Medicine and be brilliant, thanks to their focus over the years of learning the instrument.

Several colleagues within atsec play instruments or are involved with some form of artistic activity, reminding me that our profession, too, requires focus and creativity to get tests working and write a detailed report.

Clarice Assad is phenomenal, and the young guitarists are creating, with her help, an authentic piece of art. The final result is outstanding and original. Enjoy it. For once, it is not all about atsec, though atsec contributed to making it possible!

Monday, August 1, 2022

atsec Became One of the First PCI DSS v4 QSA Companies

atsec China (“atsec” for short in this article) has completed the training and examination on “PCI DSS QSA Version 4 Transition” provided by the Payment Card Industry Security Standards Council (PCI SSC) and became one of the first Qualified Security Assessors (QSA) companies globally to perform the assessment according to the new version of the PCI DSS standard (version 4.0).

PCI DSS v4.0 was released on 31 March 2022. The goals of the new evolution of the standard are: 1) to continue to meet the security needs of the payment industry, 2) to promote security as a continuous process, 3) to add flexibility for different methodologies, and 4) to enhance validation methods.
As one of the Global Executive Assessor Roundtable (GEAR) members, atsec was actively involved in the development of the new standard and related documentation (e.g., the reporting template).


Figure: PCI DSS v4.0 implementation timeline (source: PCI SSC)

As shown in the figure above, on 31 March 2024, the old version of the standard PCI DSS v3.2.1 will be retired. atsec has developed and maintained its own tools and methodologies on PCI DSS v4.0 compliance and assessment. atsec is willing to support assessed entities to adopt the new standard efficiently and provides assessment services if needed during the transition period.


Monday, July 25, 2022

Challenges and Opportunities


Many of us who have been in the evaluation and certification (validation) business have seen the development not only of security requirements and schemes, but also of how the “security ecosystem” works. A few weeks ago, I was generously given the opportunity to share some ideas at the EU CSA conference in Brussels. Here is a short summary of the ideas behind that presentation.

What makes a scheme successful?
No scheme will survive without market demand. Just being technically brilliant and formally correct will not make a scheme successful. We have seen quite a number of schemes being established and operated over the years. Quite often, the scheme developers are technicians with a focus on requirements and formalism; however, a successful scheme needs:

  • Market demand (without a demand no use)
  • Credibility (both requirements and scheme operation)
  • Wide recognition in its target areas (geographical and over industries)
  • Reasonable effort (cost and time effective)
  • Availability of competence and resources (mainly personnel)
  • Maintenance (over time and ability to adapt)
  • Pragmatism (not losing touch with reality) 

Market demand is most important. Sometimes, even technically “poor” schemes may turn out to be successful just because they are there to meet a market demand. Any imperfections of a scheme that meets market demand may be fixed over time because it will be used.

“Give them the third best to go on with; the second best comes too late, the best never comes.”
— Watson-Watt, quoted in Louis Brown, “Technical and Military Imperatives” (1)

What are the security trends and why?
The first published security criteria came with the development of the Trusted Computer Security Evaluation Criteria (TCSEC) in the U.S., usually called the Orange Book. These requirements were specific to operating systems used within the U.S. DoD to protect classified information, implementing the Bell-LaPadula security model. Later, additional requirements were added for (database) applications, such as the Trusted Database Interpretation of the TCSEC (TDI), and for interconnection such as the Trusted Network Interpretation of the TCSEC (TNI), along with a whole series of nicely written documents describing maintenance, integrity, audit, etc.

The TCSEC developed from specific requirements towards generic requirements by creating TCSEC interpretations. Still, the main problem of the TCSEC was that it combined functionality and assurance: more security functionality came along with higher assurance requirements. The change came with developments in Europe, especially with the German Security Evaluation Criteria, which were the first to decouple functionality and assurance and required the developer to describe its security functionality in a ‘Security Requirements Document’, now called a Security Target. This approach was adopted by the European ITSEC, the U.S. Federal Criteria and finally the Common Criteria, which are all very general security criteria rather than product-type-specific requirements: a sort of meta-requirements providing ‘building blocks’ one could choose from and refine for specific products or product types. Only in their application did they become specific, through Protection Profiles and Security Targets. Having a common base was a major advancement that avoided fragmentation of criteria and schemes. It meant that the criteria would be suitable not only for different products, but also for future products unknown to the criteria developer.

Today we see a trend of moving back to specific requirements, even branch-specific requirements and schemes. At the same time, products are being developed for and used in different branches, using the idea of Protection Profiles as first defined in the U.S. Federal Criteria and later adopted by the Common Criteria.

It’s easier to apply and ensure consistent, repeatable and reproducible testing against specific criteria than against generic meta criteria, such as the classic Common Criteria. However, it requires fast and effective maintenance of those specific criteria to keep them up to date with the technology. Otherwise, it may take years before new products can be evaluated, simply because criteria development usually takes too much time and may not start until products are available and in demand by security-aware customers.

Finally, if different sectors have different criteria, fragmentation will cause additional costs for vendors if products are used in different markets with their own criteria such as the government, telecom, vehicle, financial industry, etc.

It is obvious to everyone that the pace of the IT industry has changed, with short development cycles for new product versions and new features. The development cycles may easily be shorter than the time necessary for evaluation and certification, meaning only outdated products will be certified. So customers will be using either outdated or uncertified products. Also, an evaluation may not only confirm security but also detect deficiencies that will then be fixed by developers. These fixes should not only be made to outdated versions for them to be certified, but rather (and more importantly) to the newer versions being deployed.

The obvious solution would be to focus on the development methods and processes as well as on the products. Security is not a property that comes with an evaluation; it is a property that has to be built into the product, and the purpose of the evaluation is to confirm this. This has long been known by the quality management community but seems largely ignored by the security evaluation and certification community. Years ago, in preparation for the new version of the Common Criteria, BSI initiated a project on “predictive assurance” focusing on the development methods and processes (2). Unfortunately, for various reasons, that project was never finished. However, a few other schemes have picked up the idea.

“The real value of tests is not that they detect bugs in the code, but that they detect inadequacies in the methods, concentration, and skills of those who design and produce the code.”
— C. A. R. Hoare, How Did Software Get So Reliable Without Proof? (3)

Summary
So, how can criteria and scheme development be improved? Here are a few suggestions:

  • Strong industry involvement is essential, mainly for input from development processes, developer tools, and new technologies.
  • Product life-cycle is usually fast, which either means fast certifications or certification of the development and maintenance processes.
  • Consider the developer, development processes, and product life-cycle. That’s where assurance actually starts.
  • We don't need criteria for the technology of yesterday but for the technology of today and for technology that we may not even know of yet. So, we need criteria that are either generic enough to keep working, or very good criteria maintenance.
  • International cooperation and recognition is key. Criteria may not be able to handle all national aspects, but there is still no need to reinvent the wheel.
  • Be pragmatic. Decide on what is good enough and fit for purpose.

Striving to better, oft we mar what's well
— Duke of Albany in Shakespeare's King Lear

(1) Louis Brown, Technical and Military Imperatives, A Radar History of World War II, 1999.
(2) Irmela Ruhrmann, Predictive assurance, BSI, 9 ICCC, Jeju, Korea September 2008.
https://www.commoncriteriaportal.org/iccc/9iccc/pdf/A2402.pdf
(3) C. A. R. Hoare, How Did Software Get So Reliable Without Proof?, Industrial Benefit and Advances in Formal Methods, Third International Symposium of Formal Methods Europe, Oxford, UK, March 18-22, 1996.
https://www.gwern.net/docs/math/1996-hoare.pdf

Monday, July 11, 2022

Update on the IT Security Standards in China

by Yan Liu

(“Information Security and Cryptography” in Chinese Calligraphy)

This article provides an up-to-date overview of IT security standards as well as the current situation of IT security testing and certification in China. It also covers topics related to security assessment and compliance in the financial industry.

Security standards are established to help organizations improve their information security baseline and mitigate potential risks. As shown in the figure below, an organization may establish its own information security policy, including appropriate security controls, by considering the compliance requirements from regulators and partners, as well as its own business and technical requirements. These controls can be defined based on best practice, such as industry standards, national standards, international standards, or regulations.

Figure 1: Standards viewed from an organization perspective

The situation is similar for every organization in the world, although the standardization processes and methods vary between countries and regions. The focus of this discussion is on the situation in China.

First, a high-level structure of the national information security standards in China is given.

Overview of information security national standards in China

In China, the National Information Security Standardization Technical Committee (“TC260”) is responsible for organizing technical work engaged in information security standardization. Currently, the following working groups are focusing on different areas of information security:

WG1 - Information security standard system and coordination
WG3 - Cryptographic technology
WG4 - Authentication and authorization
WG5 - Information security evaluation
WG6 - Communication security standard
WG7 - Information security management
WG8 - Big data security standard

According to the official TC260 website, there are 339 national security standards issued as of 7 June 2022. The high-level classification and structure of the national information security standards are as follows:

  1. Basic standards
    • Glossary: GB/T 25069 “information security technology – Glossary”
    • Framework and model: e.g., GB/Z 29830 “a framework for IT security assurance,” which is identical to ISO/IEC 15443
  2. Technology and mechanism standards
    • Cryptographic algorithms and technology: e.g., GB/T 32905 “Information security techniques - SM3 cryptographic hash algorithm”; GB/T 32907 “Information security technology - SM4 block cipher algorithm”; GB/T 32918 “Information security technology - SM2 based on elliptic curves”
    • Security identification: e.g., GB/T 36629 “Information security technology - Security technique requirements for citizen cyber electronic identity”
    • Authentication and Authorization: e.g., GB/T 15843 “Information technology - Security techniques - Entity authentication,” which is identical to ISO/IEC 9798
    • Trusted computing: e.g., GB/T 36639 “Information security technology - Trusted computing specification - Trusted support platform for server”
    • Biometric recognition: e.g., GB/T 36651 “Information security techniques - Biometric authentication protocol framework based on trusted environment”
    • Identification management: e.g., GB/T 31504 “Information security technology - Authentication and authorization - Digital identity information service framework specification”
  3. Security management standards
    • Information security management system: e.g., GB/T 22080 “Information technology - security techniques - information security management systems – requirements,” which is identical to ISO/IEC 27001; GB/T 22081, which is identical to ISO/IEC 27002; GB/T 25067, which is identical to ISO/IEC 27006, etc.
    • Risk management: e.g., GB/T 31509 “Information security risk assessment implementation guide”
    • Operation management: e.g., GB/T 36626 “Information system security operation and management guide”
    • Incident management: e.g., GB/T 20985 “Information security incident management,” which is identical to ISO/IEC 27035
  4. Security testing standards
    • Testing criteria: e.g., GB/T 18336, which is identical to ISO/IEC 15408; GB/Z 20283 “Guide for the production of Protection Profiles and Security Targets,” which is identical to ISO/IEC 15446
    • Testing methodology: e.g., GB/T 30270 “Information technology - security technology - methodology for IT security evaluation,” which is identical to ISO/IEC 18045
  5. Products and Services standards
    • Components: e.g., GB/T 37092 “Information security technology - security requirements for cryptographic modules”
    • Security products: e.g., GB/T 33131 “Information security technology - Specification for IP storage network security based on IPSec”
    • IT Products: e.g., GB/T 36950 “Information security technology - Security technical requirements of smart card (EAL4+)”
    • Network critical equipment: e.g., GB/T 25063 “Information security technology - Testing and evaluation requirement for server security”
    • Network security dedicated products: e.g., GB/T 36635-2018 “Information security technology – Basic requirements and implementation guide of network security monitoring”
    • Network services: e.g., GB/T 32914 “Information security technology - Information security service provider management requirements”
  6. Network and System standards
    • Information system: e.g., GB 17859 “Classified criteria for security protection of Computer information system”; GB/T 20274 “Information security technology - evaluation framework for information systems security assurance”; GB/T 22239 “Information security technology - Baseline for classified protection of cybersecurity”; GB/T 36959 “Information security technology - Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity”
    • Office system: e.g., GB/T 35282 “Information security technology - Security technology specifications of mobile e-government system”
    • Communication network: e.g., GB/T 33562 “Information security technology - Secure domain name system deployment guide”
    • Industrial control system: e.g., GB/T 32919 “Information security technology - Application guide to industrial control system security control”
  7. Data security standards
    • Personal information: e.g., GB/Z 28828 “Information security technology - Guideline for personal information protection within information system for public and commercial services”; GB/T 35273 “Information security technology - Personal information security specification”
  8. Organization management standard
    • Organization: e.g., GB/T 35289 “Information security technology - Specification on the service quality of certification authority”
    • Personnel: e.g., GB/T 35288 “Information security technology - Specification on the job skills of certificate authority employees”
    • Supervision: e.g., GB/T 32926 “Information security technology - Information security management specification for government information technology service outsourcing”
    • Supply Chain: e.g., GB/T 36637 “Information security technology - Guidelines for the information and communication technology supply chain risk management”
  9. New technology and application security standards:
    • Cloud computing: e.g., GB/T 34942 “Information security technology - The assessment method for security capability of cloud computing service”; GB/T 35279 “Information security technology - Security reference architecture of cloud computing”
    • Big data: e.g., GB/T 35274-2017 “Information security technology - Security capability requirements for big data services”
    • Internet of things: e.g., GB/T 36951 “Information security technology - Security technical requirements for application of sensing terminals in internet of things”; GB/T 37025 “Information security technology-Security technical requirements of data transmission for internet of things”
    • Mobile: e.g., GB/T 33565 “Information security technology - Security technology requirements for wireless local area network (WLAN) access system (EAL2+)”
    • Critical information infrastructure:
      • Information sharing: e.g., GB/T 36643 “Information security technology - Cyber security threat information format”
      • Monitoring and early warning: e.g., GB/T 32924 “Information security technology - Guideline for cyber security warning”
      • Incident emergency response: e.g., GB/T 24363 “Information security technology - Specifications of emergency response plan for information security”

For these Chinese national standards, a series number follows the prefix “GB,” “GB/T,” or “GB/Z.” Mandatory national standards are prefixed with “GB.” Based on current index information (as of 7 June 2022) published by TC260, GB 17859-1999 is the only mandatory standard. GB standards are the basis for the product testing that products must undergo during China Compulsory Certificate (CCC or 3C) certification. If there is no corresponding GB standard, CCC is not required.

Recommended national standards are prefixed with “GB/T,” and related organizations are encouraged to implement these standards voluntarily. As we can see from the list above, most of the Chinese standards in the information security area are recommended standards.

“GB/Z” means the standard is for guidance only.

A few organizations in China related to IT security testing, evaluation, and/or certification are introduced in the next section.

Organizations related to IT security testing, evaluation, and/or certification

The Chinese national standards can be used to perform IT security testing, evaluation, and/or certification of products, services, management systems, etc.

Figure 2: Organizations related to IT security testing, evaluation, and/or certification

As shown in the above figure, cybersecurity testing and/or certification can be viewed along two high-level dimensions: one is certification and accreditation, and the other is cybersecurity itself.

On the certification and accreditation dimension, the China National Accreditation Service for Conformity Assessment (“CNAS” for short) is the national accreditation body of China, responsible for the accreditation of certification bodies, laboratories, and inspection bodies. It was established under the approval of the Certification and Accreditation Administration of the People’s Republic of China (CNCA) and is authorized by CNCA in accordance with the regulations. For instance, atsec is one of the global IT security evaluation facilities with an office in China since February 2006, and atsec China was initially accredited by CNAS on 24 December 2010 in accordance with ISO/IEC 17025, General Requirements for the competence of testing and calibration laboratories (CNAS-CL01).

As shown in the above figure, the China Cybersecurity Review Technology and Certification Center (“CCRC” for short), formerly named ISCCC (Information Security Certification Center of China), is one of the important certification bodies in China carrying out security certification of products, management systems, services, etc., in order to better address the regulation defined in the national Cybersecurity Law issued in 2016 and enforced in 2017. ISCCC was established in 2006 with the approval of the Chinese central government and is authorized by eight government authorities and ministries, including CNCA.

In China, commercial cryptography is regulated by the State Cryptography Administration. I will not introduce the Chinese commercial cryptographic scheme in this article; atsec may publish another article on this topic at a later time.

In addition to these national standards, some industry standards are adopted and implemented in different industry areas, e.g., the financial industry, the telecommunication industry, etc. The next section looks more closely at industry security standards and programs in the financial industry.

Security standards and programs in the financial industry
In China, more and more financial organizations, including banks, payment service providers, and merchants who implement financial payment systems, have turned their attention to, or become compliant with, global standards and/or related validation programs, for instance ISO/IEC 27001, the PCI standards, the security controls defined in the SWIFT Customer Security Programme (CSP), etc. Although these compliances are not mandated by local regulators, in some cases they are requested by global and/or local business partners. In addition, since more and more organizations have realized the importance of security implementation and compliance, they are voluntarily investing and putting effort into the improvement of information security. The compliance result can also provide more confidence during business cooperation and is valuable for their brand reputation and marketing activities as well.

1. PCI standards
In the payment industry, various standards and programs (as shown in the figure below) are developed and maintained by PCI SSC (Payment Card Industry Security Standards Council), covering the security of the cardholder data environment (PCI DSS: Data Security Standard), software security (PCI SSF: Secure Software Framework), security scanning and testing (ASV: Approved Scanning Vendor program), card production (physical and logical security), P2PE (Point-to-Point Encryption), PCI 3DS, PIN Security, PFI (PCI Forensic Investigator), and so on. atsec offers a full range of services to support organizations in achieving PCI compliance.

Figure 3: Overview of PCI security standards and programs

As shown in the above figure, PCI DSS is the most important (and also the first) standard within the PCI standards family. PCI DSS version 4.0, as the next evolution of the standard, has been released in the first quarter of 2022. Industry organizations will have two years to become familiar with the new version and plan for and implement the changes needed. On 31 March 2024, the old version of PCI DSS (v3.2.1) will be formally retired.


Figure 4: PCI DSS v4.0 (source from PCI SSC website [3])

2. SWIFT CSP program
Similar to the PCI industry, the Customer Security Programme (CSP) was launched in 2016 by SWIFT (Society for Worldwide Interbank Financial Telecommunication, a global provider of secure financial messaging services) and designed to reinforce the security of the SWIFT community. Whether directly or indirectly connected, each user complies with the SWIFT Customer Security Controls Framework (CSCF), which enhances the security of each financial organization’s local environment and helps protect the whole community. Financial institutions (e.g., banks) are required to comply with at least the mandatory controls to build a SWIFT infrastructure. The security controls are applicable to all users and recommended for the whole transaction chain, beyond the in-scope environment, and they are mapped against recognized international standards, e.g., NIST, PCI DSS, and ISO/IEC 27002.

As one of the independent security assessment providers, atsec has worked with quite a few banks in China to meet the security controls defined by SWIFT CSP.

3. Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions
In addition to the global security standards and assessment programs, the local requirements are mainly proposed and regulated by the PBOC (People’s Bank of China) in the financial industry in China. One example is the “Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions,” which was initially launched in 2010. Currently, the certification activities can be performed by CCRC as one of the certification bodies in China, and PBOC can issue and maintain the “Payment Business Licenses” to these payment institutions based on the testing and certification results.

This testing and certification focuses on functional testing, performance testing, risk monitoring and anti-money-laundering detection, as well as security testing.

Global industry communication
Global communication and collaboration in the technical and industry communities between China and the rest of the world have never stopped, not even during the pandemic of recent years. I will mention some observations from my work at atsec:

  • China UnionPay joined the PCI SSC as a Strategic Member in 2020; as one of the six leading payment card brands in the world, UnionPay will communicate more closely with the payment industry and adopt the PCI standards more fully.
  • More Chinese vendors have obtained certificates based on global security standards, for instance:
    • OPPO Find X5 Pro obtained the Common Criteria certificate (issued by CSEC) in March 2022
    • Huawei Mate 40 Pro obtained the Common Criteria certificate (issued by OCSI) in January 2022
    • Huawei Mobile Devices (P40 series) obtained the Common Criteria certificate (issued by OCSI) in October 2021
    • OPPO Find X3 Pro obtained the Common Criteria certificate (issued by CSEC) in October 2021
    • Cryptographic Server HSM (produced by Beijing Lianshi Networks Technology Co., Ltd.) obtained the FIPS 140-2 certificate in February 2022
    • Sansec HSM Cryptographic Module (produced by Sansec Technology Co., Ltd.) obtained the FIPS 140-2 certificate in September 2021
    • TASS Crypto Engine (produced by Beijing JN TASS Technology Co., Ltd.) obtained the FIPS 140-2 certificate in April 2021
    • Inspur Power Commercial Systems Co., Ltd. obtained the O-TTPS (ISO/IEC 20243) certificate in October 2021
    • The AxKMS Certification Authority and AxKMS Key Injection Facilities (provided by Fujian Landi Commercial Equipment Co., Ltd.) passed PCI P2PE validation in January 2021
    • MoreFun KIF (provided by Fujian Morefun Electronic Technology Co., Ltd.) passed PCI P2PE validation in June 2020
    • (All of the above evaluations and assessments were performed by atsec; the information is taken from the public listings released by the related certification/validation bodies.)
  • We have also seen more involvement and more voices from Chinese vendors in global standards and technical communities, e.g., PCI, CCUF, and EUCC.
  • More and more organizations, such as payment service providers, have started to develop business globally, and compliance with the global standards is one of their important tasks. Some of these organizations (e.g., 99bill) have joined the PCI SSC as Participating Organizations and contribute to the industry.
  • TC260 delegations and experts actively participate in the standardization work of ISO/IEC JTC 1/SC 27. A few ISO standards proposed by Chinese delegations (e.g., ISO/IEC 27071 and ISO/IEC 27565) have been drafted in the working group.
  • In the other direction, as shown in the first section, many international standards have been adopted as Chinese national standards in the information security area, and more will follow.

This article briefly introduces the current state of security standards and their certification schemes in China, and how global and local security standards are adopted by industry organizations to improve security worldwide. It shows the importance of global involvement and cooperation in the technical community, and I believe more collaboration will happen in the future.


References

[1] TC260: https://www.tc260.org.cn/
[2] CCRC: https://www.isccc.gov.cn
[3] PCI SSC: https://www.pcisecuritystandards.org
[4] SWIFT: https://www.swift.com/myswift/customer-security-programme-csp
[5] atsec: https://www.atsec.com