The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives.
This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
Experiences evaluating cloud services and productsJavier Tallón
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions.
This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards.
But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs.
To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
Industrial Automation Control Systems Cybersecurity Certification. Chapter IIJavier Tallón
The document summarizes a proposal for an EU Industrial Automation and Control Systems (IACS) Components Cybersecurity Certification Scheme (ICCS). It introduces Georgios Theodoridis from the EC and Jose Ruiz from jtsec who are involved in developing the ICCS. It then outlines the ICCS, including its goals of increasing EU cybersecurity and the internal market through a harmonized certification approach. The ICCS would define common certification criteria and assurance levels for IACS components and recommend how to implement the scheme in line with the EU Cybersecurity Act.
Towards a certification scheme for IoT security evaluationAxel Rennoch
Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.
Summit 16: Software Defined Operations: The UNIFY SP-DevOps ToolkitOPNFV
UNIFY, a research project funded by the EU, released as open source a set of tools targeting operations and development in software-defined infrastructure and collectively known as the SP-DevOps Toolkit (URL). The SP-DevOps Toolkit includes an advanced network congestion detector, a scalable messaging bus that supports tenant isolation and aggregation, and a number of verification tools that address verification of VNFFGs both at a pre- and post-deployment stage. Furthermore, the project developed and publicly documented a set of workflows covering Observability, Troubleshooting and Verification aspects of software-defined infrastructure. The talk will examine the OPNFV Brahmaputra release, identify opportunities that could potentially be approached by hardened versions of the Toolkit tools and discuss how different OPNFV projects may be able to benefit from requirements supported by these tools as well as from potentially integrating or enhancing some of the tools themselves.
Vulnerability Detection Based on Git HistoryKenta Yamamoto
This document discusses a methodology for detecting vulnerabilities in software based on analysis of the project's Git history. It proposes an approach called HVD that considers whether lines of code were added or removed in code changes, which could improve precision over existing techniques. An evaluation using a dataset of over 350,000 commits found that HVD increased the area under the precision-recall curve by 18.8% compared to a baseline that ignores line additions and removals. Features related to computer resources like memory, CPU and networking were found to most significantly contribute to the classification model. The study demonstrates that automatically detecting vulnerabilities from Git data can produce results aligned with human intuition.
The document outlines work packages 4 and 5 of the SCADALab project. Work package 4 involves implementing the SCADA laboratory designed in work package 3, including setting up the laboratory area and connecting it to various test beds. Work package 5 focuses on pilot testing and experimentation using the new SCADA laboratory to conduct security assessments and tests on the connected infrastructure test beds. The work will validate the SCADA laboratory design and help refine it for future use in assessing the security of critical infrastructure systems.
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
Experiences evaluating cloud services and productsJavier Tallón
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions.
This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards.
But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs.
To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
Industrial Automation Control Systems Cybersecurity Certification. Chapter IIJavier Tallón
The document summarizes a proposal for an EU Industrial Automation and Control Systems (IACS) Components Cybersecurity Certification Scheme (ICCS). It introduces Georgios Theodoridis from the EC and Jose Ruiz from jtsec who are involved in developing the ICCS. It then outlines the ICCS, including its goals of increasing EU cybersecurity and the internal market through a harmonized certification approach. The ICCS would define common certification criteria and assurance levels for IACS components and recommend how to implement the scheme in line with the EU Cybersecurity Act.
Towards a certification scheme for IoT security evaluationAxel Rennoch
Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.
Summit 16: Software Defined Operations: The UNIFY SP-DevOps ToolkitOPNFV
UNIFY, a research project funded by the EU, released as open source a set of tools targeting operations and development in software-defined infrastructure and collectively known as the SP-DevOps Toolkit (URL). The SP-DevOps Toolkit includes an advanced network congestion detector, a scalable messaging bus that supports tenant isolation and aggregation, and a number of verification tools that address verification of VNFFGs both at a pre- and post-deployment stage. Furthermore, the project developed and publicly documented a set of workflows covering Observability, Troubleshooting and Verification aspects of software-defined infrastructure. The talk will examine the OPNFV Brahmaputra release, identify opportunities that could potentially be approached by hardened versions of the Toolkit tools and discuss how different OPNFV projects may be able to benefit from requirements supported by these tools as well as from potentially integrating or enhancing some of the tools themselves.
Vulnerability Detection Based on Git HistoryKenta Yamamoto
This document discusses a methodology for detecting vulnerabilities in software based on analysis of the project's Git history. It proposes an approach called HVD that considers whether lines of code were added or removed in code changes, which could improve precision over existing techniques. An evaluation using a dataset of over 350,000 commits found that HVD increased the area under the precision-recall curve by 18.8% compared to a baseline that ignores line additions and removals. Features related to computer resources like memory, CPU and networking were found to most significantly contribute to the classification model. The study demonstrates that automatically detecting vulnerabilities from Git data can produce results aligned with human intuition.
The document outlines work packages 4 and 5 of the SCADALab project. Work package 4 involves implementing the SCADA laboratory designed in work package 3, including setting up the laboratory area and connecting it to various test beds. Work package 5 focuses on pilot testing and experimentation using the new SCADA laboratory to conduct security assessments and tests on the connected infrastructure test beds. The work will validate the SCADA laboratory design and help refine it for future use in assessing the security of critical infrastructure systems.
ZONeSEC was a EU-funded project from 2014-2018 that developed an open framework to improve critical infrastructure protection for wide areas like pipelines, railways, and highways. It involved 19 partners from 9 countries. The project overcame challenges like integrating heterogeneous sensors over different network types at scale. It tested its solutions in four pilots covering water pipelines, gas pipelines, railways, and oil pipelines. Lessons learned included the need for extensive field testing of integrated solutions and the importance of good communication between partners.
TÜV NORD GROUP is a certification body that provides standardization and conformity assessment services. It is accredited to certify products according to European standards and notified to assess compliance with European directives. It has international recognition from organizations in the US, Australia, and South Korea. TÜV NORD GROUP has experience in projects involving standardization and certification for security applications in areas like disaster resilience, fighting crime and terrorism, and border security. It is interested in partnering on projects involving standardization, validation, and conformity evaluation of security devices and systems.
TÜV NORD GROUP is a certification body that provides standardization and conformity assessment services. It is accredited in Spain and has international recognition. It has expertise in developing standards, certifying products for compliance, and testing security devices. TÜV NORD GROUP expresses interest in partnering on H2020 projects related to standardization, validation, and certification of security technologies.
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docxPetruVrlan
This document outlines a roadmap for introducing a labelling mechanism within the CEPEJ to certify artificial intelligence tools and services used in the justice system. The proposed mechanism would involve setting up a labelling committee, defining label requirements, and establishing an application process. It would aim to promote compliance with the CEPEJ's Ethical Charter on AI through a simplified voluntary certification system. The roadmap describes necessary strategic, operational, and technical steps as well as anticipated resource needs to implement the labelling mechanism.
The document discusses the impacts of quantum computing on security for large financial organizations. It outlines NIST's process for standardizing post-quantum cryptography to develop cryptographic systems secure against both quantum and classical computers. The timeline and evaluation criteria for candidate algorithms are presented, along with families of algorithms being considered like lattice-based, code-based, and hash-based signatures. The document also examines challenges for replacing cryptographic algorithms in legacy infrastructure, assessing the quantum resistance of routing and switching vendors, and the impact on common cryptographic algorithms used in applications.
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme.
CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project.
CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. The presentation will show the objectives, status of the development and the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.
This document introduces the Industrial Automation and Control Systems (IACS) Compliance and Certification Framework (ICCF) which aims to establish a fully bridged European certification scheme for IACS cybersecurity. The ICCF proposes four certification schemes of increasing rigor. It involves compliance assessment, cyber resilience testing, and development process evaluation activities. The ICCF is supported by common assessment requirements, protection profiles, and a certification process. It establishes a structure for certifying IACS components and families of products based on their critical assets, operating conditions, protection assumptions, and security functions. Stakeholders are encouraged to join trials of the ICCF in 2017.
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development showing the first operational version of CCCAB. Finally, we will discuss the challenges to make the tool accessible widely.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMaitena Ilardia
The European Project MEDINA is analysing how to leverage OSCAL to achieve a continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme. Presented in the US NIST OSCAL Workshop on February 2021
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMEDINA
The document discusses the EU Cybersecurity Scheme for Cloud Services (EUCS) and its requirements for continuous monitoring and certification. It introduces the MEDINA project, funded by the EU, which aims to develop a framework for achieving continuous audit-based certification aligned with the EUCS through continuous monitoring. The project will leverage the Open Security Controls Assessment Language (OSCAL) for machine-readable representation of security controls and certificates. It seeks collaboration with NIST on further development and adoption of OSCAL to support its goals.
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...PROIDEA
Nowe przepisy Komisji Europejskiej dotyczące cyberbezpieczeństwa (strategia UE, NIS, GDPR obejmuje certyfikację) i jej wpływ na codzienną pracę telco w praktyce
ZONeSEC is an EU project that developed an early warning framework for security in wide zones. It ran from 2014 to 2018. The framework integrates various sensors like radar, acoustic, and video analytics to detect physical and cyber threats. It uses distributed processing and data fusion to analyze signals from numerous scalable sensors. Three pilot demonstrations tested the integrated system in different environments and scenarios. The final pilot will integrate legacy systems, detect cyber and physical intrusions, and use drones for remote monitoring.
The document discusses several digital forensics frameworks that outline procedures for conducting digital investigations. It describes the FORZA framework in detail, which includes different layers representing contextual information, legal considerations, technical preparations, data acquisition, analysis, and legal presentation. Other frameworks covered include an enhanced digital investigation process model, an event-based digital forensic investigation framework, and a computer forensics field triage process model. Key phases of each framework, such as readiness, deployment, physical crime scene investigation, and digital crime scene investigation are also outlined.
Real-Time Simulation for MBSE of Synchrophasor SystemsLuigi Vanfretti
This document discusses the development of a laboratory for testing and validating phasor measurement unit (PMU) applications using real-time hardware-in-the-loop (HIL) simulation. It describes the initial implementation of the lab in 2011 and outlines contributions to the model-based systems engineering foundations for cyber-physical power systems, including modeling for real-time simulation, experimental work developing and testing PMU applications using HIL, and several PMU-based monitoring applications that were implemented and tested.
Tulasi has experience in technical program management, system architecture, software development, and test and measurement instruments. She has worked on projects involving mobile communication systems, wireless networks, transit automation, aerospace systems, medical devices, and oil exploration equipment. Tulasi led the development of several products and systems, including a medical centrifuge, pipeline communication system, and environmental controls for an F-22 aircraft. Her PhD research involved developing a secure cloud-based framework for point-of-care medical testing systems.
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...MEDINA
This document summarizes the results of an experiment conducted to test requirements for continuous monitoring and certification from the European Union's Cloud Services (EUCS) certification scheme. The experiment found that:
1) Existing tools can automate assessment of some EUCS requirements, but coverage is currently limited.
2) A machine-readable format like NIST's OSCAL shows promise for specifying and reporting on automated assessments.
3) While some level of automation is possible now, auditors will still need to review evidence to ensure trustworthy compliance. Standardization of audit processes could help leverage the full potential of automation in the future.
The document describes a new tool being developed called MONSTER to monitor the structural health of ancient masonry structures. It involves a wireless sensor network using low-cost accelerometers and software called NOSA-ITACA to model structural behavior. The system was tested on the San Frediano bell tower in Lucca, Italy. Operational modal analysis of tower vibration data matched well with frequencies obtained from a finite element model of the tower, helping validate the tool. The goal is to better assess conservation needs and monitor behavior over time of important masonry cultural heritage structures.
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...KTN
Two new SBRIs have been announced to drive efficiency and safety in the rail industry. Network Rail will work with Innovate UK, part of UK Research and Innovation, to invest up to £3m to address two of the objectives identified in Network Rail’s CP6 funding strategy for research and development:
- Automated tunnel examination
- Security surveillance analytics for stations
This briefing event is an opportunity for you to find out more about the two SBRI competitions and how to apply, and there will be ample time for networking.
The webcast recording is now available: https://youtu.be/Uqq452lk90c
Find out more about the Transport Interest Group at https://ktn-uk.co.uk/interests/transport
Join the KTN Transport group on LinkedIn at https://www.linkedin.com/groups/4148691/
First Impressions on Experimenting with Automated Monitoring Requirements of ...MEDINA
This whitepaper reports on lessons learned related to the experimentation performed by the MEDINA team on the topic of continuous (automated) monitoring, just as required by the High Assurance baseline of the draft version of the European Cybersecurity Certification Scheme for Cloud Service (EUCS). Besides the reported process and obtained results, we also provide a set of recommendations to relevant stakeholders (in particular Cloud Service Providers and Auditors) with the goal of supporting the uptake of EUCS for High Assurance.
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros.
El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014.
Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc.
La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones.
jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores.
La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
More Related Content
Similar to EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
ZONeSEC was a EU-funded project from 2014-2018 that developed an open framework to improve critical infrastructure protection for wide areas like pipelines, railways, and highways. It involved 19 partners from 9 countries. The project overcame challenges like integrating heterogeneous sensors over different network types at scale. It tested its solutions in four pilots covering water pipelines, gas pipelines, railways, and oil pipelines. Lessons learned included the need for extensive field testing of integrated solutions and the importance of good communication between partners.
TÜV NORD GROUP is a certification body that provides standardization and conformity assessment services. It is accredited to certify products according to European standards and notified to assess compliance with European directives. It has international recognition from organizations in the US, Australia, and South Korea. TÜV NORD GROUP has experience in projects involving standardization and certification for security applications in areas like disaster resilience, fighting crime and terrorism, and border security. It is interested in partnering on projects involving standardization, validation, and conformity evaluation of security devices and systems.
TÜV NORD GROUP is a certification body that provides standardization and conformity assessment services. It is accredited in Spain and has international recognition. It has expertise in developing standards, certifying products for compliance, and testing security devices. TÜV NORD GROUP expresses interest in partnering on H2020 projects related to standardization, validation, and certification of security technologies.
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docxPetruVrlan
This document outlines a roadmap for introducing a labelling mechanism within the CEPEJ to certify artificial intelligence tools and services used in the justice system. The proposed mechanism would involve setting up a labelling committee, defining label requirements, and establishing an application process. It would aim to promote compliance with the CEPEJ's Ethical Charter on AI through a simplified voluntary certification system. The roadmap describes necessary strategic, operational, and technical steps as well as anticipated resource needs to implement the labelling mechanism.
The document discusses the impacts of quantum computing on security for large financial organizations. It outlines NIST's process for standardizing post-quantum cryptography to develop cryptographic systems secure against both quantum and classical computers. The timeline and evaluation criteria for candidate algorithms are presented, along with families of algorithms being considered like lattice-based, code-based, and hash-based signatures. The document also examines challenges for replacing cryptographic algorithms in legacy infrastructure, assessing the quantum resistance of routing and switching vendors, and the impact on common cryptographic algorithms used in applications.
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme.
CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project.
CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. The presentation will show the objectives, status of the development and the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.
This document introduces the Industrial Automation and Control Systems (IACS) Compliance and Certification Framework (ICCF) which aims to establish a fully bridged European certification scheme for IACS cybersecurity. The ICCF proposes four certification schemes of increasing rigor. It involves compliance assessment, cyber resilience testing, and development process evaluation activities. The ICCF is supported by common assessment requirements, protection profiles, and a certification process. It establishes a structure for certifying IACS components and families of products based on their critical assets, operating conditions, protection assumptions, and security functions. Stakeholders are encouraged to join trials of the ICCF in 2017.
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development showing the first operational version of CCCAB. Finally, we will discuss the challenges to make the tool accessible widely.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMaitena Ilardia
The European Project MEDINA is analysing how to leverage OSCAL to achieve a continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme. Presented in the US NIST OSCAL Workshop on February 2021
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMEDINA
The document discusses the EU Cybersecurity Scheme for Cloud Services (EUCS) and its requirements for continuous monitoring and certification. It introduces the MEDINA project, funded by the EU, which aims to develop a framework for achieving continuous audit-based certification aligned with the EUCS through continuous monitoring. The project will leverage the Open Security Controls Assessment Language (OSCAL) for machine-readable representation of security controls and certificates. It seeks collaboration with NIST on further development and adoption of OSCAL to support its goals.
PLNOG20 - Janusz Pieczerak - European Cyber Security Organisation – lesson le...PROIDEA
Nowe przepisy Komisji Europejskiej dotyczące cyberbezpieczeństwa (strategia UE, NIS, GDPR obejmuje certyfikację) i jej wpływ na codzienną pracę telco w praktyce
ZONeSEC is an EU project that developed an early warning framework for security in wide zones. It ran from 2014 to 2018. The framework integrates various sensors like radar, acoustic, and video analytics to detect physical and cyber threats. It uses distributed processing and data fusion to analyze signals from numerous scalable sensors. Three pilot demonstrations tested the integrated system in different environments and scenarios. The final pilot will integrate legacy systems, detect cyber and physical intrusions, and use drones for remote monitoring.
The document discusses several digital forensics frameworks that outline procedures for conducting digital investigations. It describes the FORZA framework in detail, which includes different layers representing contextual information, legal considerations, technical preparations, data acquisition, analysis, and legal presentation. Other frameworks covered include an enhanced digital investigation process model, an event-based digital forensic investigation framework, and a computer forensics field triage process model. Key phases of each framework, such as readiness, deployment, physical crime scene investigation, and digital crime scene investigation are also outlined.
Real-Time Simulation for MBSE of Synchrophasor SystemsLuigi Vanfretti
This document discusses the development of a laboratory for testing and validating phasor measurement unit (PMU) applications using real-time hardware-in-the-loop (HIL) simulation. It describes the initial implementation of the lab in 2011 and outlines contributions to the model-based systems engineering foundations for cyber-physical power systems, including modeling for real-time simulation, experimental work developing and testing PMU applications using HIL, and several PMU-based monitoring applications that were implemented and tested.
Tulasi has experience in technical program management, system architecture, software development, and test and measurement instruments. She has worked on projects involving mobile communication systems, wireless networks, transit automation, aerospace systems, medical devices, and oil exploration equipment. Tulasi led the development of several products and systems, including a medical centrifuge, pipeline communication system, and environmental controls for an F-22 aircraft. Her PhD research involved developing a secure cloud-based framework for point-of-care medical testing systems.
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...MEDINA
This document summarizes the results of an experiment conducted to test requirements for continuous monitoring and certification from the European Union's Cloud Services (EUCS) certification scheme. The experiment found that:
1) Existing tools can automate assessment of some EUCS requirements, but coverage is currently limited.
2) A machine-readable format like NIST's OSCAL shows promise for specifying and reporting on automated assessments.
3) While some level of automation is possible now, auditors will still need to review evidence to ensure trustworthy compliance. Standardization of audit processes could help leverage the full potential of automation in the future.
The document describes a new tool being developed called MONSTER to monitor the structural health of ancient masonry structures. It involves a wireless sensor network using low-cost accelerometers and software called NOSA-ITACA to model structural behavior. The system was tested on the San Frediano bell tower in Lucca, Italy. Operational modal analysis of tower vibration data matched well with frequencies obtained from a finite element model of the tower, helping validate the tool. The goal is to better assess conservation needs and monitor behavior over time of important masonry cultural heritage structures.
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...KTN
Two new SBRIs have been announced to drive efficiency and safety in the rail industry. Network Rail will work with Innovate UK, part of UK Research and Innovation, to invest up to £3m to address two of the objectives identified in Network Rail’s CP6 funding strategy for research and development:
- Automated tunnel examination
- Security surveillance analytics for stations
This briefing event is an opportunity for you to find out more about the two SBRI competitions and how to apply, and there will be ample time for networking.
The webcast recording is now available: https://youtu.be/Uqq452lk90c
Find out more about the Transport Interest Group at https://ktn-uk.co.uk/interests/transport
Join the KTN Transport group on LinkedIn at https://www.linkedin.com/groups/4148691/
First Impressions on Experimenting with Automated Monitoring Requirements of ...MEDINA
This whitepaper reports on lessons learned related to the experimentation performed by the MEDINA team on the topic of continuous (automated) monitoring, just as required by the High Assurance baseline of the draft version of the European Cybersecurity Certification Scheme for Cloud Service (EUCS). Besides the reported process and obtained results, we also provide a set of recommendations to relevant stakeholders (in particular Cloud Service Providers and Auditors) with the goal of supporting the uptake of EUCS for High Assurance.
Similar to EUCA23 - Evolution of cryptographic evaluation in Europe.pdf (20)
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros.
El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014.
Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc.
La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones.
jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores.
La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.
La ventaja de implementar una solución de ciberseguridad certificada por el C...Javier Tallón
El documento introduce el Centro Criptológico Nacional (CCN) y el Esquema Nacional de Seguridad (ENS), y explica que el CCN-STIC 105 Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) ofrece un listado de productos con garantías de seguridad contrastadas por el CCN. También describe los procesos de certificación LINCE y Common Criteria para incluir productos en el catálogo, y los beneficios que esto conlleva para las organizaciones.
Seguro que has visto cómo cada vez más sectores como la banca o los seguros permiten abrir cuentas legalmente vinculadas sin la intervención (a priori) de un operador humano gracias a procesos de videoidentificación, pero, ¿te has preguntado qué tan seguros son?
El Ministerio de Asuntos Económicos y Transformación Digital, en el BOE núm. 115, de 14 de mayo de 2021 y con motivo de la emergencia sanitaria generada por la crisis de la COVID-19, regulaba los métodos de identificación remota por vídeo para la expedición de certificados electrónicos cualificados, lo que obliga a los prestadores de este tipo de servicios a validar sus soluciones en los términos que establece el anexo F11 de la Guía CCN-STIC-140, del Centro Criptológico Nacional.
Dicho anexo requiere que un laboratorio acreditado realice ataques de presentación a este tipo de soluciones para verificar su resistencia a técnicas como máscaras hiperrealistas, deepfake o contouring. Durante esta charla ahondaremos en los detalles técnicos de dichos ataques, y te contaremos cómo hemos conseguido inyectar vídeo en muchas de estas soluciones.
Evolucionado la evaluación CriptográficaJavier Tallón
El uso de módulos criptográficos para proteger información sensible en productos hardware, software y firmware es cada vez más extendido. Por ello CCN, desarrolló en su Guía de Seguridad de las TIC CCN-STIC 2002 un Módulo de Evaluación Criptográfico (MEC) que se aplica a diferentes soluciones que implementan algoritmos criptográficos. Este módulo sirve de referencia en numerosas evaluaciones bajo la metodología LINCE en las que se aplica de forma adicional.
Debido al aumento cada vez mayor de requisitos criptográficos, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas.
El objetivo de la metodología criptográfica es el de establecer un marco común para llevar a cabo las evaluaciones criptográficas de los TOEs que van a ser evaluados para la obtención de un certificado Common Criteria, LINCE con validación criptográfica o STIC con validación Criptográfica.
En esta charla se presentará la nueva aproximación para evaluar la criptografía en España según la metodología creada conjuntamente por CCN y jtsec. Además, mostraremos la herramienta creada para verificar la conformidad de las primitivas criptográficas. Esta ponencia será especialmente útil para los desarrolladores de productos que conocerán los requisitos que se pedirán a partir de ahora.
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...Javier Tallón
El desarrollo de productos creados directamente en la nube (cloud nativo) es una práctica cada vez más extendida en la industria. La administración española no escapa a esa tendencia y es cada vez más habitual las migraciones a la nube. El despliegue y gestionado se realiza en la nube y normalmente son desarrollos en constante evolución, permitiendo a los fabricantes más flexibilidad para la continua mejora de sus productos.
Ante el continuo incremento de productos desarrollados en la nube, en febrero de 2020, el CCN publicaba el Anexo G de la “Guía de Seguridad de las TIC CCN-STIC 140” para la Taxonomía de productos de STIC - Servicios en la nube, donde se reflejan los Requisitos Fundamentales de Seguridad (RFS) para este tipo de servicios, considerándose requisitos adicionales que complementan a los requisitos definidos para cada una de las familias de productos. Una guía pionera a nivel internacional para la evaluación de servicios cloud, por lo que cabe destacar que España es el primer país en crear una metodología de evaluación para este tipo de servicios. Normalmente las evaluaciones en la nube, se centran en la gestión e infraestructura del servicio/producto dejando de lado la funcionalidad de seguridad implementada por el mismo.
En las evaluaciones de ciberseguridad, existe la particularidad de que estos servicios/productos no pueden ser completamente controlados/instalados en el laboratorio a la hora de realizar la evaluación, por lo que no se puede certificar usando las metodologías LINCE o Common Criteria. Este problema existe a nivel internacional.
Para solventar esta casuística, CCN diseño una estrategia de evaluación de servicios en la nube mediante evaluaciones STIC complementarias haciendo uso de la metodología LINCE.
Esta vía ha permitido la cualificación en el catálogo CPSTIC / CCN-STIC 105 de servicios en la nube. A día de hoy, hay 6 servicios en la nube incluidos en el catálogo CPSTIC. Todos ellos han sido evaluados por jtsec.
En jtsec nos hemos tenido que adaptar tecnológicamente para afrontar este tipo de evaluaciones, puesto que alrededor del 70% de evaluaciones iniciadas en 2022 por jtsec corresponden a servicios en la nube.
La charla describirá las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pondrá de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community.
At ISO level, a new standard has been approved aiming to support this goal: ISO 19896.
ISO/IEC 19896 orders the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency for individuals performing Common Criteria evaluations.
The requirements of this new ISO standard allows verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISOs and how to apply it in Common Criteria, which will be explained during the talk.
Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
Common Criteria is the most used international standard for cybersecurity certification for ICT products. CC has lights and shadows and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 have been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE’s patching functionality and the developer’s patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it address the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders to require cybersecurity for ICT products. On the other hand, a need for harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards that become non-cost-effective for developers certifying their products.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and it’s supply chain is not limited within a single vertical. In fact the contrary holds, that building blocks of an IoT device find appliance in a couple of other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy to not repeat those proofs of compliance but instead accept across standards and schemes where applicable.
This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc‚) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?Javier Tallón
Incluir productos y servicios en el catálogo de ciberseguridad de referencia para la Administración Pública no resulta sencillo.
Se ha de superar una evaluación LINCE o Common Criteria para poder acceder a dicho catálogo.
En el catálogo CPSTIC se pueden incluir tanto para soluciones on premise como en la nube, siendo una gran ventaja para aquellos desarrolladores cloud native.
En esta presentación explicamos las diferentes maneras de incluir una solución en el catálogo CPSTIC, así como los pasos a seguir.
Is Automation Necessary for the CC Survival?Javier Tallón
The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
CC Scraper is a tool developed by jtsec 5 years ago that that analyses automatically the information from the CC and CBs portals using OCR capabilities and other features. Including detailed insights about Common Criteria like certification per assurance level, trends by Protection Profile, ranking of manufacturer, among others. We have published free annually reports regarding. In last year’s edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data of the first three quarters of 2022? Will this year beat last year’s record number of certifications? Which labs and vendors will be in the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...Javier Tallón
Artículo publicado en la edición nº 148 de la Revista SIC, donde presentamos la herramientas que estamos desarrollando, pionera en el mercado.
CCCAB es un proyecto financiado por la Comisión Europea en el marco del programa Connecting Europe Faciclity (CEF), que permite ahorrar tiempo y esfuerzo a los CABs (Certification Assessments Bodies), aligerando su carga de trabajo para optimizar la fase de certificación.
This document discusses José Ruiz and his experience with Common Criteria and FIPS certification standards. It then summarizes the need for automation tools to streamline the certification process, addressing issues like a lack of engineers and high paperwork demands. Specific tools are mentioned, including NIAP's tool for automating security targets and CCToolbox, which the document's author developed. CCToolbox aims to simplify and automate documentation, evaluation activities, and the overall certification workflow. Benefits discussed include reduced time and costs for manufacturers and laboratories.
This document summarizes Common Criteria certification statistics from various sources including the CCScraper tool. It provides statistics for 2021 based on data collected up to September 30th, highlighting the top certification schemes, assurance levels, laboratories, product categories and manufacturers. It also analyzes trends over the past 5 years and discusses the impact of the COVID-19 pandemic on certification numbers.
The document discusses cybersecurity certification standards. It provides a brief history of early certification standards from the 1980s to the present Common Criteria standard. It notes that certification involves an accredited third party audit against a standard to issue a conformity certificate. Successful standards are cost-effective, provide value, and have properties like those in the Kama Sutra. The document also introduces the jtsec cybersecurity company, describing their evaluation, consultancy, and development teams and some of their projects involving major tech companies.
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...Javier Tallón
Este documento presenta información sobre el Catálogo de Productos de Seguridad TIC (CPSTIC), incluyendo las certificaciones válidas para incluir productos en el catálogo, como LINCE y Common Criteria. También describe casos de éxito del uso del catálogo en la administración pública española para productos como herramientas de videoidentificación, cortafuegos y cargadores de vehículos eléctricos. El objetivo del catálogo es proporcionar una lista de productos con garantías de seguridad para su uso en el sector públic
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...Javier Tallón
Charla ofrecida para profesionales de la salud gracias a la colaboración del PTS (Parque Tecnológico de la Salud). En el que se detallan los diferentes tipos de auditorías y certificaciones aptas para el ámbito de la e-health.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
2. José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
2 / 41
José Ruiz Gualda
jtsec Beyond IT Security
• Computer Engineer (University of Granada)
• Expert in Common Criteria, LINCE and FIPS
140-2 & FIPS 140-3
• Member of the SCCG (Stakeholder
Cybersecurity Certification Group) at the
European Commission.
• Secretary of SC3 at CTN320
• Editor of LINCE as UNE standard
• Editor in JTC13 WG3 of the FITCEM
Methodology
• European Commission reviewer for the
ERNCIP group "IACS Cybersecurity
Certification".
jruiz@jtsec.es
3. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
4. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
5. History of the Cryptographic Evaluation
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
5 / 41
NIST (National Institute
of Standards and
Technology)
Verification of Conformity
according to FIPS 140-1,
FIPS 140-2 and FIPS 140-3
CMVP - Designed for
certifying cryptographic
modules
CAVP - Designed to
certify cryptographic
algorithms
Publication of multiple "Special
Publications" specifying cryptographic
algorithms and how to test them
USA
6. History of the Cryptographic Evaluation
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
6 / 41
International
7. History of the Cryptographic Evaluation
Spain
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
7 / 41
Certification Body for cryptographic modules -
OC-CCN (Spanish National Cryptologic Centre)
8. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
9. Cryptographic Evaluation Today
Europe
• SOG-IS Crypto Evaluation Scheme
Harmonised Cryptographic Evaluation
Procedures v0.16 (December 2020)
• First SOG-IS evaluation methodology
Implementation of cryptographic
mechanisms
Pitfalls Prevention Requirements
• SOG-IS Crypto Evaluation Scheme
Agreed Cryptographic Mechanisms v1.2
(January 2020)
Cryptographic mechanisms
agreed and recommended by
SOG-IS
Acceptable level of security
Implementation guidelines
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
9 / 41
10. Cryptographic Evaluation Today
Spain
CCN-STIC 130 Guide
Cryptologic Evaluation (DL)
Requirements Guide (October 2017)
• Requirements for Approval of
Encryption Products to Handle
Classified National Information
• Full Product Evaluation
Methodology
• Security Requirements
Specification
MEC – LINCE
Cryptographic evaluation module
within the LINCE methodology
Very light cryptographic
conformance testing following the
NIAP Protection Profiles approach
Botan-CCN Cryptographic Library
• CCN Reference implementation
for cryptographic evaluations
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
10 / 41
Botan-CCN Cryptographic Library
Reference implementation for
cryptographic evaluations of the
CCN
11. Cryptographic Evaluation Today
Spain
CCN-STIC 221 Guide
Cryptographic Mechanisms authorized by CCN
Includes new CCN-authorized algorithms with
respect to the European ACM
Transversal use guide not limited to ENS
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
11 / 41
12. Cryptographic Evaluation Today
Evolution
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
12 / 41
Authorized
Cryptographic
Mechanisms by
CCN
Cryptographic
Mechanisms Evaluation
Methodology
13. Cryptographic Evaluation Today
Is it only a Spanish issue? | Reasons why the cryptographic methodology is necessary
FIPS and/or ISO FIPS:
• It only works when the module has been
created to meet FIPS requirements.
• It works well for crypto modules but not
for products integrating crypto
• Neither security-relevant implementation
pitfalls nor limit values are checked.
STIC 130
• Does not include algorithm-level
conformity and includes product
implementation requirements.
• Not 100% focused on cryptographic
mechanisms.
• Provides the security point of view.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
13 / 41
We do not have a
methodology that evaluates
cryptographic mechanisms
(algorithms and protocols.)
14. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
15. Usage
CCN Cryptographic Mechanisms
Evaluation Methodology
• Products whose main functionality
requires cryptography (e.g., VPNs,
ciphers, secure communications,
etc.)
• During CC, LINCE and
Complementary STIC certification
processes.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
15 / 41
16. Definition
Cryptographic Mechanisms
Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
16 / 41
Document Structure
• Cryptographic Requirements
• Approved Cryptographic Mechanisms
• Conformity Testing
• Common Implementation Pitfalls
17. Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
17 / 41
1. Cryptographic Requirements
Objective: To specify the requirements
extracted by CCN from the CCN-STIC 130
guide that apply to cryptographic
mechanisms and primitives implemented
in relation to:
• Self-tests (not required by SOGIS)
• Critical Security Parameters (CSP)
Management (not required by SOGIS)
Evaluation: The evaluator shall verify that
the TOE complies with the cryptographic
requirements listed in this section.
18. Cryptographic Mechanisms Evaluation Methodology
1. Cryptographic Requirements - Critical Security
Parameters (CSP) Management
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
18 / 41
The methodology not only evaluates the
SOGIS related Key Management
requirements, but also assesses the entire
life cycle of every SSP managed by the TOE.
Example: SSP Life Cycle Management for AES_EDK
M
This comprehensive approach ensures a
thorough evaluation of the security posture
of the TOE beyond just key management.
Table extracted from the Vendor Questionnaire document.
19. Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
19 / 41
2. Approved Cryptographic Mechanisms
Objective: To specify the cryptographic
mechanisms recognized and agreed by the SOG-
IS Cryptographic Evaluation Scheme
participants.
The Vendor Questionnaire (VQ) document is
used to gather information related to the
cryptographic mechanisms implemented by the
vendor in order to comply with the Methodology.
This document includes guided questions for
the vendor about cryptographic mechanisms,
CSP and sensitive data management to ensure
all necessary information is included and
evaluation efforts are reduced.
Evaluation: The evaluator shall verify that the
cryptographic mechanisms included in the VQ
are implemented by the TOE and comply with
the guidelines presented by the SOG-IS in the
SOG-IS ACM
Table extracted from the Vendor Questionnaire document.
20. Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
20 / 41
3. Conformance Testing
Objective: To specify the requirements
necessary to perform conformity testing of
the cryptographic primitives and
mechanisms implemented by the TOE.
These tests shall determine whether the
cryptographic primitives and mechanisms
used by the TOE are correctly
implemented. This is similar to what NIST
does but also verifying parameterizations
and limit values that often lead to errors.
Evaluation: The evaluation process is
divided into four steps:
1. Generation of Test Vectors: Request
and Sample files.
2. Generation of Results by the Vendor:
Response File
3. Generation of Results by the Evaluator:
Response File
4. Validation of Results by the Evaluator
21. Cryptographic Mechanisms Evaluation Methodology
Conformance Testing Evaluation Process Diagram
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
21 / 41
22. Cryptographic Mechanisms Evaluation Methodology
Test Vectors Generation
◦ The evaluator shall
generate a 'REQUEST' file
(in JSON format) for each
cryptographic mechanism
implemented by the TOE
containing the test vectors
associated to the supported
parameterization.
◦ Additionally, the evaluator
shall generate the 'SAMPLE'
file (in JSON format) for
each cryptographic
mechanism implemented
by the TOE containing an
example solution to
indicate the format of the
expected result.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
22 / 41
The evaluator shall send to the
vendor a file package containing
the 'REQUEST' and 'SAMPLE' files
associated to all cryptographic
mechanisms implemented by the
TOE.
23. Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Vendor
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
23 / 41
◦The vendor shall generate a 'RESPONSE'
file associated with each cryptographic
mechanism implemented, containing the
output provided by the TOE for each of
the test vectors provided in the
'REQUEST' file.
◦The vendor shall retain the JSON format
presented in the 'REQUEST' and
'SAMPLE' files for the generation of the
'RESPONSE' file.
The vendor shall send to the evaluator a file
package containing the 'RESPONSE' files
associated with all cryptographic
mechanisms implemented by the TOE.
24. Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Evaluator
The evaluator shall generate the 'RESPONSE' file
associated to each cryptographic mechanism
implemented by the TOE, using the Botan-CCN
library as reference cryptographic
implementation.
The evaluator shall retain the JSON format
presented in the 'REQUEST' and 'SAMPLE' files
for the generation of the 'RESPONSE' file.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
24 / 41
25. Cryptographic Mechanisms
Evaluation Methodology
Validation of Results by the Evaluator
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
25 / 41
The evaluator shall validate the 'RESPONSE'
files provided by the vendor for each
cryptographic mechanism implemented by the
TOE, comparing the results provided with those
obtained in the previous step using the Botan-
CCN cryptographic library.
The evaluator shall determine whether the TOE
correctly implements the cryptographic
mechanisms and primitives used and declared.
26. Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
26 / 41
4. Common Implementation Pitfalls
Objective: To specify the requirements
necessary to avoid implementation pitfalls
in the cryptographic primitives and
mechanisms implemented by the TOE.
Evaluation: The evaluator shall verify that
the cryptographic mechanisms
implemented by the TOE comply with the
implementation pitfall avoidance
guidelines presented by the SOG-IS in the
SOG-IS Harmonized Cryptographic
Evaluation Procedures guide.
Structure
27. Cryptographic Mechanisms Evaluation Methodology
Common Implementation Pitfalls -
Example: GCM Implementation Pitfall
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
27 / 41
[IMPLEMENTATIONPITFALL-GCM-1]: The
tester shall perform the following evaluation
tasks:
- Verifying that no message of length strictly
greater tan 232 - 2 blocks can be encrypted.
Analysis: The counters are generated with the
concatenation of a unique IV of 96 bits and an
incremented counter denoted on 32 bits. This
task avoids the overflow of the counter.
28. Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Evaluation | Methodology over SOG-IS
Cryptographic Mechanisms Evaluation Methodology
• Complete evaluation methodology. It establishes
concrete evaluation tasks to be followed by the
evaluator for each cryptographic mechanism to
assess:
• The CCN-STIC 130 implementation
requirements
• Usage of approved mechanisms
• Conformity Testing
• Common implementation pitfalls
avoidance.
• Self-tests. The TOE is required to perform power-up
and conditional self-tests. Several evaluation tasks
are designed to evaluate their implementation and
correct operation.
SOG-IS HEP and ACM
• List cryptographic requirements and agreed
mechanisms and evaluation tasks only for
conformity testing and for implementation
pitfalls avoidance.
• Self-tests requirements are not specified.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
28 / 41
29. Cryptographic Mechanisms Evaluation Methodology
• Life cycle management of each SSP
managed by the TOE. For each SSP, its
strength, generation, entry/output, storage and
zeroization methods are evaluated.
• Complete list of conformity test vectors for
all the agreed cryptographic mechanisms.
Example: AES Key Wrapping.
SOG-IS HEP and ACM
• Establishes general Key Management
requirements, specifying only the
recommended mechanism for each stage.
• The conformity test vectors of several
algorithms are not defined or are not
complete.
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Evaluation | Methodology over SOG-IS
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
29 / 41
30. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
31. CCN Cryptographic
Evaluation Tool
Definition
Performing Conformity Testing
Structure of the Tool
o JSON test files: test vectors in hexadecimal
format according to SOG-IS methodology.
o ACVP-Parser: JSON file processing and
extraction of parameters needed to invoke the
cryptographic reference implementation.
o Botan-CCN Cryptographic Library:
cryptographic reference implementation used
to generate test vectors results and validate
the correct cryptographic implementation of
the TOE.
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
31 / 41
32. CCN Cryptographic
Evaluation Tool
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
32 / 41
1. Processing of the test vectors to extract the
parameters using the ACVP-Parser.
2. Invocation of the Botan-CCN cryptographic
library to perform the generation of test
vector results using the associated
'REQUEST' file.
3. Generation of the 'RESPONSE' file associated
to a cryptographic mechanism using the
associated 'REQUEST' file and the results
obtained using the Botan-CCN cryptographic
library.
Flowchart
33. Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
33 / 41
‘REQUEST’ file ‘RESPONSE' file generated by the Tool
34. Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
34 / 41
‘RESPONSE' file generated by TOE
Validation of results
35. Cryptographic Mechanisms Evaluation Methodology
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
35 / 41
‘RESPONSE' file generated by TOE
Validation of results
ERROR
36. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
37. Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
37 / 41
1.New Algorithms:
The Cryptographic Mechanisms Evaluation Methodology
will be adapted in the future to include new "classical" and
post-quantum algorithms recommended by the Spanish
CCN in the new STIC 221 guide.
• New recommended classical algorithms: SCRYPT,
ChaCha20_Poly1305 and EdDSA.
Future directions
• Post-Quantum Algorithms: several post-quantum
algorithms are recommended to face the quantum
threat:
• CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon,
SPHINCS+ , Classic McEliece, BIKE, HQC and SIKE.
• FrodoKEM is also recommended. It will not be
standardised as part of NIST’s PQC project, mainly
due to efficiency considerations, but there are
currently no doubts about its security.
38. Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
38 / 41
Future directions
2. Security Levels:
Different increasing qualitative levels of security
will be defined for the methodology.
Each TOE will be evaluated according to the
level of sensitivity of the information it handles
and the global evaluation methodology to which
the Cryptographic Methodology is being applied
to.
Some evaluation tasks will be common for all
levels and others will only apply depending on
the security level.
39. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Future Directions
6. Conclusions
40. Conclusions
José Ruiz | JTSEC Evolution of cryptographic evaluation in Europe
40 / 41
• Innovative, necessary and useful
methodology to evaluate crypto
mechanisms
• Contribution to complement European
efforts
• It is necessary to harmonize the criteria
at the national level in order to make life
easier for laboratories and vendors