Wednesday, June 29, 2022

atsec attended the 20th International Conference on Applied Cryptography and Network Security (ACNS)

Last week, employees from atsec Germany and atsec Italy attended the 20th International Conference on Applied Cryptography and Network Security (ACNS) in Rome, Italy. As the name implies, ACNS highlights academic and industry research in the areas of applied cryptography and network security. Accepted papers are published in Springer's Lecture Notes in Computer Science series, and the authors give a presentation during the conference itself. Additionally, ACNS includes a poster session and workshop tracks.

This year, the conference was held in hybrid mode, with the in-person event located at the National Research Council building and the Sapienza University of Rome (Museum Of Classical Art). During the main conference track, 9 areas were presented: Encryption, Attacks, Cryptographic Protocols, System Security, Cryptographic Primitives, Multi-Party Computation (MPC), Blockchain, Block Ciphers, and Post-Quantum Cryptography. Joachim Vandersmissen, IT Security Consultant at atsec Germany, contributed a paper and presentation on white-box cryptography for the Speck block cipher called "A White-Box Speck Implementation Using Self-Equivalence Encodings."

In white-box cryptography, a cryptographic implementation is executed in an untrusted environment by an untrusted attacker. This is commonly the case in Digital Rights Management (DRM). For example, an online streaming platform might send a customer an encrypted version of the movie they want to watch as well as a cryptographic implementation to decrypt this movie. However, the streaming platform does not want the customer to use this implementation to decrypt other movies, or worse, extract the cryptographic key from the implementation. Other applications of white-box cryptography include mobile apps and smart cards.

Academic research in white-box cryptography started in 2002, so the area is relatively young. Chow et al. proposed the white-box model, which formalized the real-world environment from the previous paragraph. In their model, the attacker wants to recover the cryptographic key from a white-box implementation to bypass this original white-box implementation. Since 2002, many academic methods have been proposed, but so far there is no secure way to construct white-box implementations from existing block ciphers. Instead, many commercial solutions rely on the secrecy of the white-box design to provide some degree of security.

In "A White-Box Speck Implementation Using Self-Equivalence Encodings," Joachim and co-authors propose a method to construct white-box implementations for the Speck block cipher. Speck is a block cipher proposed in 2013 by the NSA, with a focus on performance in software. This makes Speck especially suitable for embedded applications, such as IoT. Unfortunately, the paper also introduces an attack demonstrating that the proposed method is not secure in the white-box model. Even though this is a negative result, it can still be used to guide future research directions in white-box cryptography. The paper also proposes some ways to extend this method, which might result in a secure white-box Speck implementation.
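To make the white-box model concrete, here is an added example (not taken from the paper or its repository) of a plain Speck32/64 implementation. It shows that the round keys are used in the clear and that the first four of them determine the master key, which is the exposure a white-box implementation has to prevent. Function names are this example's own; the key, plaintext and ciphertext are the Speck32/64 test vector from the designers' specification.

```python
# Added illustration: plain (non-white-box) Speck32/64.
# 16-bit words, 22 rounds, rotation amounts 7 and 2.
MASK = 0xFFFF
ROUNDS = 22


def ror(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def rol(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def speck_round(x, y, k):
    """One Speck round; the round key k is XORed in unprotected."""
    x = ((ror(x, 7) + y) & MASK) ^ k
    y = rol(y, 2) ^ x
    return x, y


def expand_key(key_words):
    """key_words = (l2, l1, l0, k0), the order used in the test vectors."""
    l2, l1, l0, k0 = key_words
    l, k = [l0, l1, l2], [k0]
    for i in range(ROUNDS - 1):
        # The key schedule reuses the round function with the counter i as key.
        new_l, new_k = speck_round(l[i], k[i], i)
        l.append(new_l)
        k.append(new_k)
    return k  # round keys; k[0] is literally the key word k0


def encrypt(block, round_keys):
    x, y = block
    for rk in round_keys:
        x, y = speck_round(x, y, rk)
    return x, y


def key_from_round_keys(rk):
    """Invert the key schedule: four consecutive round keys fix the master key."""
    l = []
    for i in range(3):
        l_next = rk[i + 1] ^ rol(rk[i], 2)               # l[i+3]
        l.append(rol(((l_next ^ i) - rk[i]) & MASK, 7))  # l[i]
    return (l[2], l[1], l[0], rk[0])
```

Because every step of the key schedule is invertible, hiding only the master key while leaving round keys readable in memory protects nothing in this model.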

If you are interested in learning more about this topic, you can refer to the full paper, freely available on the IACR ePrint archive: https://ia.cr/2022/444. Implementation code is also available on GitHub: https://github.com/jvdsn/white-box-speck.

Monday, June 27, 2022

Cybersecurity Certification Schemes in Europe (Part 1)

by Rasma Araby

atsec has recently participated in two conferences that focused on cybersecurity certification: the 2022 International Conference on the EU Cybersecurity Act in Brussels, Belgium, and the ENISA Cybersecurity Certification Conference 2022 in Athens, Greece.

atsec contributed two presentations at the EU Cybersecurity Conference: “Successful cPP Certification under the CSA,” presented by Rasma Araby, and “A Scheme of Scheme – Challenges and opportunities for CSA schemes,” presented by Staffan Persson. Rasma Araby also participated in the panel discussion regarding “Market Incentives for Certification” at the ENISA Cybersecurity Certification Conference.

Both conferences focused on the upcoming certification schemes being developed in Europe. Upon request of the European Commission (Article 48 (2) of the Cybersecurity Act (CSA)), ENISA is working on three cybersecurity certification schemes:

  • EUCC - the candidate EUCC scheme is a scheme for ICT products based on the Common Criteria (ISO/IEC 15408 and 18045). The EUCC candidate cybersecurity certification scheme aims to serve as a successor to the SOG-IS Mutual Recognition Agreement.
  • EUCS - the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS). The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonize the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU Member States.
  • EU5G - the candidate European Union Cybersecurity Certification Scheme on 5G cybersecurity. The scheme aims to develop a candidate European cybersecurity certification scheme for 5G networks to address the following use cases: the supply and deployment of 5G network equipment, management of subscriber identities, remote SIM provisioning, 5G authentication, and subscriber connectivity services.

Both conferences discussed the need for standardization and certification and also focused on stakeholder requirements, applicable national and international legislations, as well as the threat landscape. The need for harmonized requirements and schemes was heavily underlined by the attending product vendors.

All three certification schemes are under development right now. It is expected the EUCC scheme will be completed and adopted first. For the legal implementation of the candidate EUCC scheme prepared by ENISA, the European Commission will adopt an implementing act, presumably at the end of 2022.

In the second part of this blog, we will continue reporting on the cybersecurity certification schemes in Europe and will solely focus on the EUCC scheme. Stay tuned!

Friday, June 24, 2022

atsec attended the Omnisecure conference in Berlin


After two years of video conferences, we were finally able to meet stakeholders of our community again in person as three representatives of atsec Germany attended the Omnisecure conference from June 21st through 23rd 2022 in Berlin.

The Omnisecure conference has a clear focus on the German market with a strong presence of the Bundesamt fuer Sicherheit in der Informationstechnik (BSI). There were several interesting presentations from different domains. Among the major topics was the (national) approval of IT security products for handling classified information - one of the main business domains for atsec Germany.

Michael Vogel, Managing Director of atsec Germany, gave a presentation on the vendor qualification requirements that need to be fulfilled to participate in the qualified product approval scheme defined by BSI. The presentation was very well received by the audience and triggered some interesting follow-up discussions.

The face-to-face conference allowed us to touch base with several of our customers in person for the first time in months, and this opportunity has been much appreciated by ourselves and many participants. We are looking forward to the upcoming in-person conferences planned for the rest of this year, in particular the ICMC conference and the ICCC conference to meet more of our customers in person again. Don't forget to register so we can meet you there!


Friday, June 17, 2022

atsec virtually at the National Cybersecurity Center of Excellence


atsec is excited to have been invited to the virtual kick-off meeting for the “Automation of the NIST Cryptographic Module Validation Program” at the National Cybersecurity Center of Excellence (NCCoE).

The National Institute of Standards and Technology (NIST) organized the kick-off meeting on June 1st, 2022. It started with an introduction by NIST, followed by presentations from several collaborators, and ended with a discussion and outline of the next steps.

atsec supports the NCCoE initiative to automate the Cryptographic Module Validation Program (CMVP) to shorten the time for the “review pending,” “in review,” and “coordination” phases of module validation. The atsec team will focus on identifying Test Evidence (TE) items that could be automated and ensuring that the automation works with the CMVP’s WebCryptic tool.

atsec has been involved in other automation tools like the Automated Cryptographic Validation Testing System (ACVTS) and is looking forward to the challenge of bringing automation to the CMVP.