SlideShare a Scribd company logo
Evolution of cryptographic
evaluation in Europe
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
2 / 41
José Ruiz Gualda
jtsec Beyond IT Security
• Computer Engineer (University of Granada)
• Expert in Common Criteria, LINCE and FIPS
140-2 & FIPS 140-3
• Member of the SCCG (Stakeholder
Cybersecurity Certification Group) at the
European Commission.
• Secretary of SC3 at CTN320
• Editor of LINCE as UNE standard
• Editor in JTC13 WG3 of the FITCEM
Methodology
• European Commission reviewer for the
ERNCIP group "IACS Cybersecurity
Certification".
jruiz@jtsec.es
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
History of the Cryptographic Evaluation
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
5 / 41
NIST (National Institute
of Standards and
Technology)
Verification of Conformity
according to FIPS 140-1,
FIPS 140-2 and FIPS 140-3
CMVP - Designed for
certifying cryptographic
modules
CAVP - Designed to
certify cryptographic
algorithms
Publication of multiple "Special
Publications" specifying cryptographic
algorithms and how to test them
USA
History of the Cryptographic Evaluation
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
6 / 41
International
History of the Cryptographic Evaluation
Spain
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
7 / 41
Certification Body for cryptographic modules -
OC-CCN (Spanish National Cryptologic Centre)
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
Cryptographic Evaluation Today
Europe
• SOG-IS Crypto Evaluation Scheme
Harmonised Cryptographic Evaluation
Procedures v0.16 (December 2020)
• First SOG-IS evaluation methodology
Implementation of cryptographic
mechanisms
Pitfalls Prevention Requirements
• SOG-IS Crypto Evaluation Scheme
Agreed Cryptographic Mechanisms v1.2
(January 2020)
Cryptographic mechanisms
agreed and recommended by
SOG-IS
Acceptable level of security
Implementation guidelines
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
9 / 41
Cryptographic Evaluation Today
Spain
CCN-STIC 130 Guide
Cryptologic Evaluation (DL)
Requirements Guide (October 2017)
• Requirements for Approval of
Encryption Products to Handle
Classified National Information
• Full Product Evaluation
Methodology
• Security Requirements
Specification
MEC – LINCE
Cryptographic evaluation module
within the LINCE methodology
Very light cryptographic
conformance testing following the
NIAP Protection Profiles approach
Botan-CCN Cryptographic Library
• CCN Reference implementation
for cryptographic evaluations
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
10 / 41
Botan-CCN Cryptographic Library
Reference implementation for
cryptographic evaluations of the
CCN
Cryptographic Evaluation Today
Spain
CCN-STIC 221 Guide
Cryptographic Mechanisms authorized by CCN
Includes new CCN-authorized algorithms with
respect to the European ACM
Transversal use guide not limited to ENS
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
11 / 41
Cryptographic Evaluation Today
Evolution
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
12 / 41
Authorized
Cryptographic
Mechanisms by
CCN
Cryptographic
Mechanisms Evaluation
Methodology
Cryptographic Evaluation Today
Is it only a Spanish issue? | Reasons why the cryptographic methodology is necessary
FIPS and/or ISO FIPS:
• It only works when the module has been
created to meet FIPS requirements.
• It works well for crypto modules but not
for products integrating crypto
• Neither security-relevant implementation
pitfalls nor limit values are checked.
STIC 130
• Does not include algorithm-level
conformity and includes product
implementation requirements.
• Not 100% focused on cryptographic
mechanisms.
• Provides the security point of view.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
13 / 41
We do not have a
methodology that evaluates
cryptographic mechanisms
(algorithms and protocols.)
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
Usage
CCN Cryptographic Mechanisms
Evaluation Methodology
• Products whose main functionality
requires cryptography (e.g., VPNs,
ciphers, secure communications,
etc.)
• During CC, LINCE and
Complementary STIC certification
processes.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
15 / 41
Definition
Cryptographic Mechanisms
Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
16 / 41
Document Structure
• Cryptographic Requirements
• Approved Cryptographic Mechanisms
• Conformity Testing
• Common Implementation Pitfalls
Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
17 / 41
1. Cryptographic Requirements
Objective: To specify the requirements
extracted by CCN from the CCN-STIC 130
guide that apply to cryptographic
mechanisms and primitives implemented
in relation to:
• Self-tests (not required by SOGIS)
• Critical Security Parameters (CSP)
Management (not required by SOGIS)
Evaluation: The evaluator shall verify that
the TOE complies with the cryptographic
requirements listed in this section.
Cryptographic Mechanisms Evaluation Methodology
1. Cryptographic Requirements - Critical Security
Parameters (CSP) Management
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
18 / 41
The methodology not only evaluates the
SOGIS related Key Management
requirements, but also assesses the entire
life cycle of every SSP managed by the TOE.
Example: SSP Life Cycle Management for AES_EDK
M
This comprehensive approach ensures a
thorough evaluation of the security posture
of the TOE beyond just key management.
Table extracted from the Vendor Questionnaire document.
Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
19 / 41
2. Approved Cryptographic Mechanisms
Objective: To specify the cryptographic
mechanisms recognized and agreed by the SOG-
IS Cryptographic Evaluation Scheme
participants.
The Vendor Questionnaire (VQ) document is
used to gather information related to the
cryptographic mechanisms implemented by the
vendor in order to comply with the Methodology.
This document includes guided questions for
the vendor about cryptographic mechanisms,
CSP and sensitive data management to ensure
all necessary information is included and
evaluation efforts are reduced.
Evaluation: The evaluator shall verify that the
cryptographic mechanisms included in the VQ
are implemented by the TOE and comply with
the guidelines presented by the SOG-IS in the
SOG-IS ACM
Table extracted from the Vendor Questionnaire document.
Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
20 / 41
3. Conformance Testing
Objective: To specify the requirements
necessary to perform conformity testing of
the cryptographic primitives and
mechanisms implemented by the TOE.
These tests shall determine whether the
cryptographic primitives and mechanisms
used by the TOE are correctly
implemented. This is similar to what NIST
does but also verifying parameterizations
and limit values that often lead to errors.
Evaluation: The evaluation process is
divided into four steps:
1. Generation of Test Vectors: Request
and Sample files.
2. Generation of Results by the Vendor:
Response File
3. Generation of Results by the Evaluator:
Response File
4. Validation of Results by the Evaluator
Cryptographic Mechanisms Evaluation Methodology
Conformance Testing Evaluation Process Diagram
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
21 / 41
Cryptographic Mechanisms Evaluation Methodology
Test Vectors Generation
◦ The evaluator shall
generate a 'REQUEST' file
(in JSON format) for each
cryptographic mechanism
implemented by the TOE
containing the test vectors
associated to the supported
parameterization.
◦ Additionally, the evaluator
shall generate the 'SAMPLE'
file (in JSON format) for
each cryptographic
mechanism implemented
by the TOE containing an
example solution to
indicate the format of the
expected result.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
22 / 41
The evaluator shall send to the
vendor a file package containing
the 'REQUEST' and 'SAMPLE' files
associated to all cryptographic
mechanisms implemented by the
TOE.
Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Vendor
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
23 / 41
◦The vendor shall generate a 'RESPONSE'
file associated with each cryptographic
mechanism implemented, containing the
output provided by the TOE for each of
the test vectors provided in the
'REQUEST' file.
◦The vendor shall retain the JSON format
presented in the 'REQUEST' and
'SAMPLE' files for the generation of the
'RESPONSE' file.
The vendor shall send to the evaluator a file
package containing the 'RESPONSE' files
associated with all cryptographic
mechanisms implemented by the TOE.
Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Evaluator
The evaluator shall generate the 'RESPONSE' file
associated to each cryptographic mechanism
implemented by the TOE, using the Botan-CCN
library as reference cryptographic
implementation.
The evaluator shall retain the JSON format
presented in the 'REQUEST' and 'SAMPLE' files
for the generation of the 'RESPONSE' file.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
24 / 41
Cryptographic Mechanisms
Evaluation Methodology
Validation of Results by the Evaluator
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
25 / 41
The evaluator shall validate the 'RESPONSE'
files provided by the vendor for each
cryptographic mechanism implemented by the
TOE, comparing the results provided with those
obtained in the previous step using the Botan-
CCN cryptographic library.
The evaluator shall determine whether the TOE
correctly implements the cryptographic
mechanisms and primitives used and declared.
Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
26 / 41
4. Common Implementation Pitfalls
Objective: To specify the requirements
necessary to avoid implementation pitfalls
in the cryptographic primitives and
mechanisms implemented by the TOE.
Evaluation: The evaluator shall verify that
the cryptographic mechanisms
implemented by the TOE comply with the
implementation pitfall avoidance
guidelines presented by the SOG-IS in the
SOG-IS Harmonized Cryptographic
Evaluation Procedures guide.
Structure
Cryptographic Mechanisms Evaluation Methodology
Common Implementation Pitfalls -
Example: GCM Implementation Pitfall
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
27 / 41
[IMPLEMENTATIONPITFALL-GCM-1]: The
tester shall perform the following evaluation
tasks:
- Verifying that no message of length strictly
greater tan 232 - 2 blocks can be encrypted.
Analysis: The counters are generated with the
concatenation of a unique IV of 96 bits and an
incremented counter denoted on 32 bits. This
task avoids the overflow of the counter.
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Evaluation | Methodology over SOG-IS
Cryptographic Mechanisms Evaluation Methodology
• Complete evaluation methodology. It establishes
concrete evaluation tasks to be followed by the
evaluator for each cryptographic mechanism to
assess:
• The CCN-STIC 130 implementation
requirements
• Usage of approved mechanisms
• Conformity Testing
• Common implementation pitfalls
avoidance.
• Self-tests. The TOE is required to perform power-up
and conditional self-tests. Several evaluation tasks
are designed to evaluate their implementation and
correct operation.
SOG-IS HEP and ACM
• List cryptographic requirements and agreed
mechanisms and evaluation tasks only for
conformity testing and for implementation
pitfalls avoidance.
• Self-tests requirements are not specified.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
28 / 41
Cryptographic Mechanisms Evaluation Methodology
• Life cycle management of each SSP
managed by the TOE. For each SSP, its
strength, generation, entry/output, storage and
zeroization methods are evaluated.
• Complete list of conformity test vectors for
all the agreed cryptographic mechanisms.
Example: AES Key Wrapping.
SOG-IS HEP and ACM
• Establishes general Key Management
requirements, specifying only the
recommended mechanism for each stage.
• The conformity test vectors of several
algorithms are not defined or are not
complete.
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Evaluation | Methodology over SOG-IS
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
29 / 41
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
CCN Cryptographic
Evaluation Tool
Definition
Performing Conformity Testing
Structure of the Tool
o JSON test files: test vectors in hexadecimal
format according to SOG-IS methodology.
o ACVP-Parser: JSON file processing and
extraction of parameters needed to invoke the
cryptographic reference implementation.
o Botan-CCN Cryptographic Library:
cryptographic reference implementation used
to generate test vectors results and validate
the correct cryptographic implementation of
the TOE.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
31 / 41
CCN Cryptographic
Evaluation Tool
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
32 / 41
1. Processing of the test vectors to extract the
parameters using the ACVP-Parser.
2. Invocation of the Botan-CCN cryptographic
library to perform the generation of test
vector results using the associated
'REQUEST' file.
3. Generation of the 'RESPONSE' file associated
to a cryptographic mechanism using the
associated 'REQUEST' file and the results
obtained using the Botan-CCN cryptographic
library.
Flowchart
Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
33 / 41
‘REQUEST’ file ‘RESPONSE' file generated by the Tool
Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
34 / 41
‘RESPONSE' file generated by TOE
Validation of results
Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
35 / 41
‘RESPONSE' file generated by TOE
Validation of results
ERROR
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
37 / 41
1.New Algorithms:
The Cryptographic Mechanisms Evaluation Methodology
will be adapted in the future to include new "classical" and
post-quantum algorithms recommended by the Spanish
CCN in the new STIC 221 guide.
• New recommended classical algorithms: SCRYPT,
ChaCha20_Poly1305 and EdDSA.
Future directions
• Post-Quantum Algorithms: several post-quantum
algorithms are recommended to face the quantum
threat:
• CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon,
SPHINCS+ , Classic McEliece, BIKE, HQC and SIKE.
• FrodoKEM is also recommended. It will not be
standardised as part of NIST’s PQC project, mainly
due to efficiency considerations, but there are
currently no doubts about its security.
Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
38 / 41
Future directions
2. Security Levels:
Different increasing qualitative levels of security
will be defined for the methodology.
Each TOE will be evaluated according to the
level of sensitivity of the information it handles
and the global evaluation methodology to which
the Cryptographic Methodology is being applied
to.
Some evaluation tasks will be common for all
levels and others will only apply depending on
the security level.
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
Conclusions
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
40 / 41
• Innovative, necessary and useful
methodology to evaluate crypto
mechanisms
• Contribution to complement European
efforts
• It is necessary to harmonize the criteria
at the national level in order to make life
easier for laboratories and vendors
Thank you

More Related Content

Similar to EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

ZONeSEC: critical infrastructure protection in real practice
ZONeSEC: critical infrastructure protection in real practice ZONeSEC: critical infrastructure protection in real practice
ZONeSEC: critical infrastructure protection in real practice
José Ramón Martínez Salio
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
Elena Cortés Ventura
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
Redit
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptx
AntonioProcentese1
 
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
PetruVrlan
 
Quantum computing
Quantum computingQuantum computing
Quantum computing
Miguel Antonio Rey
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easy
Javier Tallón
 
20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab
Dr. Paul THERON
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Maitena Ilardia
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
MEDINA
 
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
PROIDEA
 
ZONeSEC in ERNCIP
ZONeSEC in ERNCIPZONeSEC in ERNCIP
ZONeSEC in ERNCIP
José Ramón Martínez Salio
 
File000176
File000176File000176
File000176
Desmond Devendran
 
Real-Time Simulation for MBSE of Synchrophasor Systems
Real-Time Simulation for MBSE of Synchrophasor SystemsReal-Time Simulation for MBSE of Synchrophasor Systems
Real-Time Simulation for MBSE of Synchrophasor Systems
Luigi Vanfretti
 
Profile tulasi v1.1
Profile tulasi v1.1Profile tulasi v1.1
Profile tulasi v1.1
Sivanesan Tulasidas
 
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
MEDINA
 
Praga2015
Praga2015Praga2015
Praga2015
MMSLAB
 
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
KTN
 
First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...
MEDINA
 

Similar to EUCA23 - Evolution of cryptographic evaluation in Europe.pdf (20)

ZONeSEC: critical infrastructure protection in real practice
ZONeSEC: critical infrastructure protection in real practice ZONeSEC: critical infrastructure protection in real practice
ZONeSEC: critical infrastructure protection in real practice
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptx
 
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx
 
Quantum computing
Quantum computingQuantum computing
Quantum computing
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easy
 
20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
 
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...
 
ZONeSEC in ERNCIP
ZONeSEC in ERNCIPZONeSEC in ERNCIP
ZONeSEC in ERNCIP
 
File000176
File000176File000176
File000176
 
Real-Time Simulation for MBSE of Synchrophasor Systems
Real-Time Simulation for MBSE of Synchrophasor SystemsReal-Time Simulation for MBSE of Synchrophasor Systems
Real-Time Simulation for MBSE of Synchrophasor Systems
 
Profile tulasi v1.1
Profile tulasi v1.1Profile tulasi v1.1
Profile tulasi v1.1
 
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
 
Praga2015
Praga2015Praga2015
Praga2015
 
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
 
First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
Javier Tallón
 
ICCC21 2021 statistics report
ICCC21 2021 statistics reportICCC21 2021 statistics report
ICCC21 2021 statistics report
Javier Tallón
 
jtsec Arqus Alliance presentation
jtsec Arqus Alliance presentationjtsec Arqus Alliance presentation
jtsec Arqus Alliance presentation
Javier Tallón
 
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
Javier Tallón
 
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 
ICCC21 2021 statistics report
ICCC21 2021 statistics reportICCC21 2021 statistics report
ICCC21 2021 statistics report
 
jtsec Arqus Alliance presentation
jtsec Arqus Alliance presentationjtsec Arqus Alliance presentation
jtsec Arqus Alliance presentation
 
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
 
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
 

Recently uploaded

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 

Recently uploaded (20)

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 

EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

  • 2. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 2 / 41 José Ruiz Gualda jtsec Beyond IT Security • Computer Engineer (University of Granada) • Expert in Common Criteria, LINCE and FIPS 140-2 & FIPS 140-3 • Member of the SCCG (Stakeholder Cybersecurity Certification Group) at the European Commission. • Secretary of SC3 at CTN320 • Editor of LINCE as UNE standard • Editor in JTC13 WG3 of the FITCEM Methodology • European Commission reviewer for the ERNCIP group "IACS Cybersecurity Certification". jruiz@jtsec.es
  • 3. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 4. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 5. History of the Cryptographic Evaluation José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 5 / 41 NIST (National Institute of Standards and Technology) Verification of Conformity according to FIPS 140-1, FIPS 140-2 and FIPS 140-3 CMVP - Designed for certifying cryptographic modules CAVP - Designed to certify cryptographic algorithms Publication of multiple "Special Publications" specifying cryptographic algorithms and how to test them USA
  • 6. History of the Cryptographic Evaluation José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 6 / 41 International
  • 7. History of the Cryptographic Evaluation Spain José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 7 / 41 Certification Body for cryptographic modules - OC-CCN (Spanish National Cryptologic Centre)
  • 8. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 9. Cryptographic Evaluation Today Europe • SOG-IS Crypto Evaluation Scheme Harmonised Cryptographic Evaluation Procedures v0.16 (December 2020) • First SOG-IS evaluation methodology Implementation of cryptographic mechanisms Pitfalls Prevention Requirements • SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms v1.2 (January 2020) Cryptographic mechanisms agreed and recommended by SOG-IS Acceptable level of security Implementation guidelines José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 9 / 41
  • 10. Cryptographic Evaluation Today Spain CCN-STIC 130 Guide Cryptologic Evaluation (DL) Requirements Guide (October 2017) • Requirements for Approval of Encryption Products to Handle Classified National Information • Full Product Evaluation Methodology • Security Requirements Specification MEC – LINCE Cryptographic evaluation module within the LINCE methodology Very light cryptographic conformance testing following the NIAP Protection Profiles approach Botan-CCN Cryptographic Library • CCN Reference implementation for cryptographic evaluations José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 10 / 41 Botan-CCN Cryptographic Library Reference implementation for cryptographic evaluations of the CCN
  • 11. Cryptographic Evaluation Today Spain CCN-STIC 221 Guide Cryptographic Mechanisms authorized by CCN Includes new CCN-authorized algorithms with respect to the European ACM Transversal use guide not limited to ENS José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 11 / 41
  • 12. Cryptographic Evaluation Today Evolution José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 12 / 41 Authorized Cryptographic Mechanisms by CCN Cryptographic Mechanisms Evaluation Methodology
  • 13. Cryptographic Evaluation Today Is it only a Spanish issue? | Reasons why the cryptographic methodology is necessary FIPS and/or ISO FIPS: • It only works when the module has been created to meet FIPS requirements. • It works well for crypto modules but not for products integrating crypto • Neither security-relevant implementation pitfalls nor limit values are checked. STIC 130 • Does not include algorithm-level conformity and includes product implementation requirements. • Not 100% focused on cryptographic mechanisms. • Provides the security point of view. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 13 / 41 We do not have a methodology that evaluates cryptographic mechanisms (algorithms and protocols.)
  • 14. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 15. Usage CCN Cryptographic Mechanisms Evaluation Methodology • Products whose main functionality requires cryptography (e.g., VPNs, ciphers, secure communications, etc.) • During CC, LINCE and Complementary STIC certification processes. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 15 / 41
  • 16. Definition Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 16 / 41 Document Structure • Cryptographic Requirements • Approved Cryptographic Mechanisms • Conformity Testing • Common Implementation Pitfalls
  • 17. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 17 / 41 1. Cryptographic Requirements Objective: To specify the requirements extracted by CCN from the CCN-STIC 130 guide that apply to cryptographic mechanisms and primitives implemented in relation to: • Self-tests (not required by SOGIS) • Critical Security Parameters (CSP) Management (not required by SOGIS) Evaluation: The evaluator shall verify that the TOE complies with the cryptographic requirements listed in this section.
  • 18. Cryptographic Mechanisms Evaluation Methodology 1. Cryptographic Requirements - Critical Security Parameters (CSP) Management José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 18 / 41 The methodology not only evaluates the SOGIS related Key Management requirements, but also assesses the entire life cycle of every SSP managed by the TOE. Example: SSP Life Cycle Management for AES_EDK M This comprehensive approach ensures a thorough evaluation of the security posture of the TOE beyond just key management. Table extracted from the Vendor Questionnaire document.
  • 19. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 19 / 41 2. Approved Cryptographic Mechanisms Objective: To specify the cryptographic mechanisms recognized and agreed by the SOG- IS Cryptographic Evaluation Scheme participants. The Vendor Questionnaire (VQ) document is used to gather information related to the cryptographic mechanisms implemented by the vendor in order to comply with the Methodology. This document includes guided questions for the vendor about cryptographic mechanisms, CSP and sensitive data management to ensure all necessary information is included and evaluation efforts are reduced. Evaluation: The evaluator shall verify that the cryptographic mechanisms included in the VQ are implemented by the TOE and comply with the guidelines presented by the SOG-IS in the SOG-IS ACM Table extracted from the Vendor Questionnaire document.
  • 20. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 20 / 41 3. Conformance Testing Objective: To specify the requirements necessary to perform conformity testing of the cryptographic primitives and mechanisms implemented by the TOE. These tests shall determine whether the cryptographic primitives and mechanisms used by the TOE are correctly implemented. This is similar to what NIST does but also verifying parameterizations and limit values that often lead to errors. Evaluation: The evaluation process is divided into four steps: 1. Generation of Test Vectors: Request and Sample files. 2. Generation of Results by the Vendor: Response File 3. Generation of Results by the Evaluator: Response File 4. Validation of Results by the Evaluator
  • 21. Cryptographic Mechanisms Evaluation Methodology Conformance Testing Evaluation Process Diagram José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 21 / 41
  • 22. Cryptographic Mechanisms Evaluation Methodology Test Vectors Generation ◦ The evaluator shall generate a 'REQUEST' file (in JSON format) for each cryptographic mechanism implemented by the TOE containing the test vectors associated to the supported parameterization. ◦ Additionally, the evaluator shall generate the 'SAMPLE' file (in JSON format) for each cryptographic mechanism implemented by the TOE containing an example solution to indicate the format of the expected result. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 22 / 41 The evaluator shall send to the vendor a file package containing the 'REQUEST' and 'SAMPLE' files associated to all cryptographic mechanisms implemented by the TOE.
  • 23. Cryptographic Mechanisms Evaluation Methodology Generation of Results by the Vendor José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 23 / 41 ◦The vendor shall generate a 'RESPONSE' file associated with each cryptographic mechanism implemented, containing the output provided by the TOE for each of the test vectors provided in the 'REQUEST' file. ◦The vendor shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file. The vendor shall send to the evaluator a file package containing the 'RESPONSE' files associated with all cryptographic mechanisms implemented by the TOE.
  • 24. Cryptographic Mechanisms Evaluation Methodology Generation of Results by the Evaluator The evaluator shall generate the 'RESPONSE' file associated to each cryptographic mechanism implemented by the TOE, using the Botan-CCN library as reference cryptographic implementation. The evaluator shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 24 / 41
  • 25. Cryptographic Mechanisms Evaluation Methodology Validation of Results by the Evaluator José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 25 / 41 The evaluator shall validate the 'RESPONSE' files provided by the vendor for each cryptographic mechanism implemented by the TOE, comparing the results provided with those obtained in the previous step using the Botan- CCN cryptographic library. The evaluator shall determine whether the TOE correctly implements the cryptographic mechanisms and primitives used and declared.
  • 26. Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 26 / 41 4. Common Implementation Pitfalls Objective: To specify the requirements necessary to avoid implementation pitfalls in the cryptographic primitives and mechanisms implemented by the TOE. Evaluation: The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the implementation pitfall avoidance guidelines presented by the SOG-IS in the SOG-IS Harmonized Cryptographic Evaluation Procedures guide. Structure
  • 27. Cryptographic Mechanisms Evaluation Methodology Common Implementation Pitfalls - Example: GCM Implementation Pitfall José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 27 / 41 [IMPLEMENTATIONPITFALL-GCM-1]: The tester shall perform the following evaluation tasks: - Verifying that no message of length strictly greater tan 232 - 2 blocks can be encrypted. Analysis: The counters are generated with the concatenation of a unique IV of 96 bits and an incremented counter denoted on 32 bits. This task avoids the overflow of the counter.
  • 28. Cryptographic Mechanisms Evaluation Methodology Advantages of the Cryptographic Evaluation | Methodology over SOG-IS Cryptographic Mechanisms Evaluation Methodology • Complete evaluation methodology. It establishes concrete evaluation tasks to be followed by the evaluator for each cryptographic mechanism to assess: • The CCN-STIC 130 implementation requirements • Usage of approved mechanisms • Conformity Testing • Common implementation pitfalls avoidance. • Self-tests. The TOE is required to perform power-up and conditional self-tests. Several evaluation tasks are designed to evaluate their implementation and correct operation. SOG-IS HEP and ACM • List cryptographic requirements and agreed mechanisms and evaluation tasks only for conformity testing and for implementation pitfalls avoidance. • Self-tests requirements are not specified. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 28 / 41
  • 29. Cryptographic Mechanisms Evaluation Methodology • Life cycle management of each SSP managed by the TOE. For each SSP, its strength, generation, entry/output, storage and zeroization methods are evaluated. • Complete list of conformity test vectors for all the agreed cryptographic mechanisms. Example: AES Key Wrapping. SOG-IS HEP and ACM • Establishes general Key Management requirements, specifying only the recommended mechanism for each stage. • The conformity test vectors of several algorithms are not defined or are not complete. Cryptographic Mechanisms Evaluation Methodology Advantages of the Cryptographic Evaluation | Methodology over SOG-IS José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 29 / 41
  • 30. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 31. CCN Cryptographic Evaluation Tool Definition Performing Conformity Testing Structure of the Tool o JSON test files: test vectors in hexadecimal format according to SOG-IS methodology. o ACVP-Parser: JSON file processing and extraction of parameters needed to invoke the cryptographic reference implementation. o Botan-CCN Cryptographic Library: cryptographic reference implementation used to generate test vectors results and validate the correct cryptographic implementation of the TOE. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 31 / 41
  • 32. CCN Cryptographic Evaluation Tool José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 32 / 41 1. Processing of the test vectors to extract the parameters using the ACVP-Parser. 2. Invocation of the Botan-CCN cryptographic library to perform the generation of test vector results using the associated 'REQUEST' file. 3. Generation of the 'RESPONSE' file associated to a cryptographic mechanism using the associated 'REQUEST' file and the results obtained using the Botan-CCN cryptographic library. Flowchart
  • 33. Cryptographic Mechanisms Evaluation Methodology Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 33 / 41 ‘REQUEST’ file ‘RESPONSE' file generated by the Tool
  • 34. Cryptographic Mechanisms Evaluation Methodology Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 34 / 41 ‘RESPONSE' file generated by TOE Validation of results
  • 35. Cryptographic Mechanisms Evaluation Methodology Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 35 / 41 ‘RESPONSE' file generated by TOE Validation of results ERROR
  • 36. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 37. Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 37 / 41 1.New Algorithms: The Cryptographic Mechanisms Evaluation Methodology will be adapted in the future to include new "classical" and post-quantum algorithms recommended by the Spanish CCN in the new STIC 221 guide. • New recommended classical algorithms: SCRYPT, ChaCha20_Poly1305 and EdDSA. Future directions • Post-Quantum Algorithms: several post-quantum algorithms are recommended to face the quantum threat: • CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, SPHINCS+ , Classic McEliece, BIKE, HQC and SIKE. • FrodoKEM is also recommended. It will not be standardised as part of NIST’s PQC project, mainly due to efficiency considerations, but there are currently no doubts about its security.
  • 38. Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 38 / 41 Future directions 2. Security Levels: Different increasing qualitative levels of security will be defined for the methodology. Each TOE will be evaluated according to the level of sensitivity of the information it handles and the global evaluation methodology to which the Cryptographic Methodology is being applied to. Some evaluation tasks will be common for all levels and others will only apply depending on the security level.
  • 39. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Future Directions 6. Conclusions
  • 40. Conclusions José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe 40 / 41 • Innovative, necessary and useful methodology to evaluate crypto mechanisms • Contribution to complement European efforts • It is necessary to harmonize the criteria at the national level in order to make life easier for laboratories and vendors