The document discusses the complexities and challenges of navigating cryptographic certifications that product vendors must obtain to sell in various countries, which leads to increased costs and effort. It highlights the need for common standards, suggesting improvements like an international standard based on existing frameworks such as FIPS 140-2 and ISO 19790. The final thoughts emphasize that while FIPS 140-2 has become a standard, there are gaps in the ISO 19790 standard regarding authority and economic motivation, pointing to the advantages of a unified cryptographic evaluation process.

1. Opening markets through
security certifications
Remove text box
and place vendor
logo here
Common Criteria and a
Mutually-Recognized
International
Cryptographic Standard
Amy Nicewick
Chief Operating Officer
Corsec Security, Inc.

2. corsec.com © 2014 Corsec Security, Inc.
The Issue
2
Problem
Definition
• Product Vendors are required to pursue many
different cryptographic certifications or
cryptographic reviews to sell in different countries.
» Algorithm requirements and module requirements are country
dependent
AES3DESDSA
MD5
SHA-1
SHA-256
Whirlpool
ECDSA
GOST
RIPEMD-128
Kasumi
KCDSA RSA
Blowfish
SEED
ARIA
Camellia
SMS4

3. corsec.com © 2014 Corsec Security, Inc.
Pain
3
» Pain
» Multiple product versions to create and maintain
» Additional Staffing – In-country experts, Testing staff, Lawyers
» In-country testing facilities or dedicated test beds
» Classified versus Unclassified (US and UK)
» COTS versus GOTS
» Different Algorithm lists
» Pain = Product Costs

4. corsec.com © 2014 Corsec Security, Inc.
What should we do now?
» Keep many existing standards (Nation Specific)?
» Create a new international standard?
» Build off of an existing standard (e.g., FIPS, ISO
19790)?
4

5. corsec.com © 2014 Corsec Security, Inc.
Cryptographic Evaluation
5
NIST - FIPS 140-2, Type 1
CSE – FIPS 140-2
CAPS, CPA, & FIPS 140-2
ASD-CE – Gov ReviewBSI - Gov Review
CCN – ISO 19790
Netherlands -
Gov Review
JCMVP – ISO 19790
KCMVP - ISO 19790
TSE-CMVP – ISO
19790
NSM – Gov Review
based on FIPS 140-2

6. corsec.com © 2014 Corsec Security, Inc.
CC and crypto solutions?
» Lots of people have looked for common ground in FIPS 140-2 and Common Criteria.
» ICCC Presentations:
» 2008 – Effective Certification Roadmap – Common Criteria and FIPS 140-2 - Lin, Juniper
» 2010 – FIPS and CC – How do they get along – Adam and Connor, EWA
» 2011 – For FIPS 140-2 to CC – Mao, atsec
» 2011 - HSM Protection profile: How to CC-evaluate a HSM to meet FIPS requirement - Munoz,
Epoche & Espri
» 2012 – Common Criteria for Crypto? – Keller, Corsec Security
» 2013 – Cryptography and Common Criteria – Vora (Cisco) and Brych (Safenet)
» 2014 – Towards a Scalable International Cryptographic Evaluation Process – Shankar and
Winebrenner, Cisco
» First ICCC Presentation
» 2000 - A Protection Profile for FIPS 140-1, Lessons Learned - Smid, CygnaCom
» PPs on the CC Portal:
» 2 for Encrypted storage
» 3 for Cryptographic Modules
» 2 For Full Disk Encryption
» 1 for IP Encryption
» 17 for Digital Signatures
» 4 for Key Management Systems
» CCUF/CCDB Crypto Working Groups working with ISO/IEC JTC1 SC27 WG3
6

7. corsec.com © 2014 Corsec Security, Inc.
Practical Solutions
7
Needed
Used by many nations and
continuing to gain acceptance
Labs in many nations
International collaboration on
the standard
Economic incentives (Purchasing
requirements)

8. corsec.com © 2014 Corsec Security, Inc.
Practical Solutions: FIPS 140-2
8
FIPS 140-2
Yes
Needed
Yes
No
Yes
Used by many nations and
continuing to gain acceptance
Labs in many nations
International collaboration on
the standard
Economic incentives (Purchasing
requirements)

9. corsec.com © 2014 Corsec Security, Inc.
FIPS Validations by Year and Level
Level 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Total
Level 1 1 2 2 9 12 11 14 30 40 39 42 34 75 83 51 92 64 68 99 102 870
Level 2 1 6 10 19 18 38 38 33 62 47 56 50 91 81 92 92 95 82 100 1011
Level 3 7 13 12 17 13 17 21 28 25 30 19 34 42 26 37 27 33 401
Level 4 1 1 5 1 1 2 1 2 1 1 3 1 20
Yearly
Total
1 3 8 27 45 46 70 82 90 122 119 116 155 195 167 227 185 200 208 236 2302
~ 2300 certificates issued 400+ participating vendors
0
50
100
150
200
250 1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Level 4
Level 3
Level 2
Level 1
9

10. corsec.com © 2014 Corsec Security, Inc.
FIPS 140-2 Testing Labs
10

11. corsec.com © 2014 Corsec Security, Inc.
FIPS 140-2 – Not quite there
11

12. corsec.com © 2014 Corsec Security, Inc.
ISO 19790
» History
» ISO/IEC 19790:2012 (based on FIPS 140-2) published 2012-08-15
» ISO/IEC 24759:2014 (based on FIPS 140-2 DTR) published 2014-02-01
» What it is
» Requirement for a whole cryptographic module
» Derived Test Requirements (guidance for testing)
» Annexes – Separate list of algorithms
» Annexes – Allows the “Approval Authority” to be defined
» What it is not
» Module Standard with no defined Approval Authority
» No CCRA-like agreement to put weight behind it
» Limited economic drivers (Japan CMVP)
» Latest developments
» Request for comment issued by NIST – due September 28, 2015
» CCDB working with ISO to develop algorithm testing standards
12

13. corsec.com © 2014 Corsec Security, Inc.
Practical Solutions: ISO 19790
13
ISO 19790
Yes
Needed
Yes
Yes
Soon?
Used by many nations and
continuing to gain acceptance
Labs in many nations
International collaboration on
the standard
Economic incentives (Purchasing
requirements)

14. corsec.com © 2014 Corsec Security, Inc.
Final Thoughts
14
» FIPS 140-2 is the de facto international cryptographic
standard
» Nations will want to continue to use different algorithms
» ISO 19790
» common set of cryptographic module requirements
» individual nations to specify and test algorithm
implementations
» ISO 19790 is missing critical things:
» Central Approval Authority – Like CCRA
» Wide spread Economic Driver
» ISO 19790 needs to address:
» IF FIPS 140-2 becomes ISO 19790, how will existing FIPS IGs
fit in?
» Should governments require vendors to pay for access to the
standard they must follow?

15. corsec.com © 2014 Corsec Security, Inc.
How will this benefit CC?
International Cryptography program will:
 Allow cPP authors to be able to provide
common, trusted cryptography testing
 Allow Nations to trust the crypto required by
cPPs, and therefore agree to purchase those
products
 Reduce the costs to vendors and purchasers
that exist in the way crypto is handled right
now.
This is a problem worth solving.
15

16. corsec.com © 2014 Corsec Security, Inc.
Questions?
16
Amy Nicewick| Corsec Security Inc.
+1 (703) 267-6050 x114 | anicewick@corsec.com
www.CORSEC.com