SlideShare a Scribd company logo
The new cryptographic
evaluation methodology
created by CCN
About me
• Cybersecurity evaluation & consultancy services
• Common Criteria, LINCE and ETSI EN 303 645
accredited lab.
• Developers of the most powerful tool for Common
Criteria, CCToolbox.
• Involved in standardization activities (ISO,
CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF,
CMUF, ERNCIP, …)
• Members of the SCCG (Stakeholder Cybersecurity
Certification Group)
• jtsec is part of the A+ group along with Lightship
Security. We have labs in Canada, USA and Spain.
About us
José Ruiz Gualda
jtsec Beyond IT Security
• Computer Engineer (University of Granada)
• Expert in Common Criteria, LINCE and FIPS 140-2 &
FIPS 140-3
• Member of the SCCG (Stakeholder Cybersecurity
Certification Group) at the European Commission.
• Secretary of SC3 at CTN320
• Editor of LINCE as UNE standard
• Editor in JTC13 WG3 of the FITCEM Methodology
• European Commission reviewer for the ERNCIP group
"IACS Cybersecurity Certification".
• Former ICCC program director
jruiz@jtsec.es
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
History of the Cryptographic Evaluation
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
5 / 41
NIST (National Institute
of Standards and
Technology)
Verification of Conformity
according to FIPS 140-1,
FIPS 140-2 and FIPS 140-3
CMVP - Designed for
certifying cryptographic
modules
CAVP - Designed to
certify cryptographic
algorithms
Publication of multiple "Special
Publications" specifying cryptographic
algorithms and how to test them
USA
History of the Cryptographic Evaluation
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
6 / 41
International
History of the Cryptographic Evaluation
Spain
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
7 / 41
Certification Body for cryptographic modules -
OC-CCN (Spanish National Cryptologic
Centre)
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
Cryptographic Evaluation Today
Europe
• SOG-IS Crypto Evaluation Scheme
Harmonised Cryptographic Evaluation
Procedures v0.16 (December 2020)
• First SOG-IS evaluation methodology
Implementation of cryptographic
mechanisms
Pitfalls Prevention Requirements
• SOG-IS Crypto Evaluation Scheme Agreed
Cryptographic Mechanisms v1.3 (February 2023)
Cryptographic mechanisms agreed and
recommended by SOG-IS
Acceptable level of security
Implementation guidelines
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
9 / 41
Cryptographic Evaluation Today
Spain
CCN-STIC 130 Guide
Cryptologic Evaluation Requirements
Guide (October 2017)
• Requirements for Approval of
Encryption Products to Handle
Classified National Information
• FIPS-like approach
• Security Requirements
MEC – LINCE
Cryptographic evaluation module
within the LINCE methodology
Very light cryptographic conformance
testing following the NIAP Protection
Profiles approach
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
10 / 41
Botan-CCN Cryptographic
Library
Reference implementation of CCN
to perform conformity testing of
the cryptographic mechanism in
cryptographic evaluations
Cryptographic Evaluation Today
Spain
CCN-STIC 221 Guide
Cryptographic Mechanisms authorized by CCN
Includes new CCN-authorized algorithms with
respect to the European ACM
Transversal use guide not limited to ENS
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
11 / 41
Cryptographic Evaluation Today
Evolution
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
12 / 34
Jan 1994
FIPS 140-
1
March 2006
ISO/IEC
19790:2006
May 2016
SOGIS Agreed
Cryptographic
Mechanisms
1.0
June 2018
SOGIS Agreed
Cryptographic
Mechanisms
1.1 Jan 2020
SOGIS Agreed
Cryptographic
Mechanisms
1.2
May 2022
CCN-STIC
807 March 2023...
CCN-STIC 221
Cryptographic
Mechanisms
Authorized by the CCN
Dec
2018
Lince
Aug 2012
ISO/IEC
19790:2012
Jan 2018
SP800-90B
Oct 2018
CCN-STIC-
130
March 2019
FIPS 140-3
Dec 2020
SOG-IS
HEP
Coming...
CCN Cryptographic
Mechanisms
Evaluation
Methodology
Dec
1999
AIS 20/31
May 2001
FIPS 140-
2
Feb 2023
SOGIS Agreed
Cryptographic
Mechanisms
1.3by the CCN
Coming… 2023...
CCN Cryptographic
Evaluation
Methodology
Cryptographic Evaluation Today
Is this only a Spanish issue? | Reasons why the cryptographic mechanisms methodology is necessary
FIPS and/or ISO FIPS:
• It only works when the module has been
created to meet FIPS requirements.
• It does not work well for products that
integrate cryptography but do not use a
third-party cryptographic module.
STIC 130
• Does not include algorithm-level conformity
and includes product implementation
requirements.
• Not 100% focused on cryptographic
implementation.
• Provides the security point of view.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
13 / 41
We do not have a
methodology that evaluates
cryptographic algorithms
and protocols.
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
Usage
CCN Cryptographic Mechanisms Evaluation
Methodology
• Products whose main functionality
requires cryptography (e.g., VPNs,
ciphers, secure communications, etc.)
• According to three increasing
Certification Levels: CL1, CL2 & CL3
• During CC, LINCE and Complementary
STIC certification processes.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
15 / 41
Definition
CCN Cryptographic Mechanisms Evaluation
Methodology
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
16 / 41
Document Structure
• Cryptographic Requirements
• Agreed Cryptographic Mechanisms
• Conformity Testing
• Common Implementation Pitfalls
Index
Evaluation tasks and evaluation test
Structure
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
16 / 41
Each section contains:
• One or several tasks are defined. They are
mandatory independently of the implementation and
shall be executed for the associated certification
level.
• One or several tests defined and associated to each
task. They are categorized as mandatory or
implementation dependant. Moreover, the required
vendor inputs are detailed for each test.
Some specific examples:
Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
17 / 41
1. Cryptographic Requirements
Objective: To specify the requirements extracted by
CCN from the CCN-STIC 130 guide that apply to the
security of cryptographic products related to the
cryptographic mechanisms and primitives implemented
in relation to:
• Self-tests (not required by SOGIS nor CCN STIC-
221)
• Critical Security Parameters (CSP) Management
(with additional requirements than required by
SOGIS)
• Mitigation of Other Attacks (not required by SOGIS
nor CCN STIC-221)
Evaluation: The evaluator shall verify that the TOE
complies with the cryptographic requirements listed in
this section.
Cryptographic Mechanisms Evaluation Methodology
1. Cryptographic Requirements - Critical Security
Parameters (CSP) Management
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
18 / 41
The methodology not only evaluates the
SOGIS related Key Management
requirements, but also assesses the entire
life cycle of every SSP managed by the
TOE. Example: SSP Life Cycle Management for AES_EDK
M
This comprehensive approach ensures a
thorough evaluation of the security posture
of the TOE beyond just key management.
Cryptographic Mechanisms Evaluation
Methodology
Structure
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
19 / 41
2. Approved Cryptographic Mechanisms
Objective: To specify the cryptographic
mechanisms recognized and agreed by CCN
Evaluation: The evaluator shall verify that the
cryptographic mechanisms implemented by the
TOE comply with the guidelines presented by
the CCN in the CCN STIC-221 guide including
correct parametrization.
Cryptographic Mechanisms Evaluation Methodology
Structure
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
20 / 41
3. Conformance Testing
Objective: To specify the requirements
necessary to perform conformity testing of
the cryptographic primitives and
mechanisms implemented by the TOE.
These tests shall determine whether the
cryptographic primitives and mechanisms
used by the TOE are correctly
implemented. This is similar to what NIST
does but also verifying parameterizations
and limit values that often lead to errors.
Evaluation: The evaluation process is
divided into four steps:
1. Generation of Test Vectors: Request
and Sample files.
2. Generation of Results by the Vendor:
Response File
3. Generation of Results by the Evaluator:
Response File
4. Validation of Results by the Evaluator
Cryptographic Mechanisms Evaluation Methodology
Conformance Testing Evaluation Process Diagram
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
21 / 41
Cryptographic Mechanisms Evaluation Methodology
Test Vectors Generation
◦ The evaluator shall
generate a 'REQUEST' file
(in JSON format) for each
cryptographic mechanism
implemented by the TOE
containing the test vectors
associated to the supported
parameterization.
◦ Additionally, the evaluator
shall generate the
'SAMPLE' file (in JSON
format) for each
cryptographic mechanism
implemented by the TOE
containing an example
solution to indicate the
format of the expected
result.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
22 / 41
The evaluator shall send to the
vendor a file package containing
the 'REQUEST' and 'SAMPLE'
files associated to all
cryptographic mechanisms
implemented by the TOE.
Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Vendor
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
23 / 41
◦ The vendor shall generate a
'RESPONSE' file associated with each
cryptographic mechanism implemented,
containing the output provided by the
TOE for each of the test vectors provided
in the 'REQUEST' file.
◦ The vendor shall retain the JSON format
presented in the 'REQUEST' and
'SAMPLE' files for the generation of the
'RESPONSE' file.
The vendor shall send to the evaluator a file
package containing the 'RESPONSE' files
associated with all cryptographic mechanisms
implemented by the TOE.
Cryptographic Mechanisms
Evaluation Methodology
Generation of Results by the Evaluator
The evaluator shall generate the 'RESPONSE'
file associated to each cryptographic mechanism
implemented by the TOE, using the Botan-CCN
library as reference cryptographic
implementation.
The evaluator shall retain the JSON format
presented in the 'REQUEST' and 'SAMPLE' files
for the generation of the 'RESPONSE' file.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
24 / 41
Cryptographic
Mechanisms Evaluation
Methodology
Validation of Results by the Evaluator
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
25 / 41
The evaluator shall validate the 'RESPONSE'
files provided by the vendor for each
cryptographic mechanism implemented by the
TOE, comparing the results provided with those
obtained in the previous step using the Botan-
CCN cryptographic library.
The evaluator shall determine whether the TOE
correctly implements the cryptographic
mechanisms and primitives used and declared.
Cryptographic Mechanisms Evaluation Methodology
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
26 / 41
4. Common Implementation Pitfalls
Objective: To specify the requirements
necessary to avoid implementation pitfalls
in the cryptographic primitives and
mechanisms implemented by the TOE.
Evaluation: The evaluator shall verify that
the cryptographic mechanisms
implemented by the TOE comply with the
implementation pitfall avoidance guidelines
presented by the SOG-IS in the SOG-IS
Harmonized Cryptographic Evaluation
Procedures guide.
Structure
Cryptographic Mechanisms Evaluation Methodology
Common Implementation Pitfalls - Example:
Key Derivation Implementation Pitfall
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
27 / 41
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
Cryptographic Mechanisms Evaluation
Methodology
• Complete evaluation methodology. It establishes
concrete evaluation tasks depending on the certification
level (CL1,CL2 or CL3) to be followed by the evaluator
for each cryptographic mechanism to assess:
• Cryptographic Management requirements
• Mitigation of other attacks.
• Usage of approved mechanisms, including post
quantum algorithms and specific entropy
requirements
• Conformity Testing
• Common implementation pitfalls avoidance.
• Self-tests. It is verified that the self-tests are properly
implemented for each algorithm according to CCN
requirements. Several evaluation tasks are designed to
evaluate their implementation and correct operation.
SOG-IS HEP and ACM
• Provides the agreed mechanisms and their associated
requirements, and the evaluation tasks to:
• Verify their correct implementation according
to their associated standard
• Perform the conformity testing.
• Avoid implementation pitfalls.
• Verify key management (with less
requirements than the CCN evaluation
methodology)
• Self-tests requirements and Mitigation of other attacks
are not specified.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
28 / 41
Cryptographic Mechanisms Evaluation
Methodology
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
29 / 41
SOG-IS HEP and ACM
SOG-IS HEP and ACM
• List of classical algorithms without including
references to post-quantum algorithms
•New Algorithms: The Cryptographic Mechanisms
Evaluation Methodology includes new "classical" and post-
quantum algorithms recommended by the Spanish CCN in
the new STIC 221 guide.
New recommended classical
algorithms:
SCRYPT,
ChaCha20_Poly1305
EdDSA
Post-Quantum Algorithms
•CRYSTALS-
Kyber,
CRYSTALS-
Dilithium,
Falcon,
SPHINCS+
•FrodoKEM is also
recommended. It will not
be standardised as part
of NIST’s PQC project,
mainly due to efficiency
considerations, but there
are currently no doubts
about its security.
Cryptographic Mechanisms Evaluation
Methodology
• Life cycle management of each SSP
managed by the TOE. For each SSP, its
strength, generation, entry/output, storage
and zeroization methods are evaluated.
• Complete list of conformity test vectors for
all the agreed cryptographic mechanisms.
Example: AES Key Wrapping.
SOG-IS HEP and ACM
• Establishes general Key Management
requirements, specifying only the
recommended mechanism for each stage.
• The conformity test vectors of several
algorithms are not defined or are not
complete.
Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
29 / 41
Cryptographic Mechanisms Evaluation Methodology
• The methodology will be used in Common Criteria evaluations at the national
level if crypto is a core component of the product (e.g. VPN, Ciphers, etc...)
• The methodology could be considered a supporting document to harmonize
how to evaluate crypto mechanisms.
Cryptographic Mechanisms Evaluation Methodology
Link with Common Criteria
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
29 / 41
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
CCN Cryptographic Evaluation
Tool
Definition
Performing Conformity Testing
Structure of the Tool
o JSON test files: test vectors in hexadecimal format
according to SOG-IS methodology.
o ACVP-Parser: JSON file processing and extraction of
parameters needed to invoke the cryptographic
reference implementation.
o Botan-CCN Cryptographic Library: cryptographic
reference implementation used to generate test vectors
results and validate the correct cryptographic
implementation of the TOE.
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
31 / 41
CCN Cryptographic
Evaluation Tool
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
32 / 41
1. Processing of the test vectors to extract the
parameters using the ACVP-Parser.
2. Invocation of the Botan-CCN cryptographic
library to perform the generation of test
vector results using the associated
'REQUEST' file.
3. Generation of the 'RESPONSE' file
associated to a cryptographic mechanism
using the associated 'REQUEST' file and the
results obtained using the Botan-CCN
cryptographic library.
Flowchart
Cryptographic Evaluation Tool
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
33 / 41
‘REQUEST’ file ‘RESPONSE' file generated by the Tool
Cryptographic Evaluation Tool
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
34 / 41
‘RESPONSE' file generated by TOE
Validation of results
Cryptographic Evaluation Tool
Cryptographic Evaluation Tool - Usage Example: SHA-256
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
35 / 41
‘RESPONSE' file generated by TOE
Validation of results
ERROR
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
Cryptographic Evaluation Methodology
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
38 / 41
1. Usage
Cryptographic evaluation methodology to address the
security requirements of the CCN-STIC 130 guidance.
This methodology aims to evaluate the implementation of
a TOE beyond the requirements associated with
cryptographic mechanisms such as:
- Cryptographic Module Design
- Authentication
- Physical Security
- Logical Security
- RNG design
- Configuration management system
- Etc…
Cryptographic Evaluation Methodology
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
38 / 41
2. Security Levels:
CCN STIC-130 defines 3 increasing qualitative levels of
security that are directly mapped to the 3 evaluation levels
of the Cryptographic Mechanisms Evaluation Methodology:
- CL1: Low Level of CCN-STIC 130 (Restricted)
- CL2: High Level of CCN-STIC 130
- CL3: Advanced Level of CCN-STIC 130
Each TOE will be evaluated according to the level of
sensitivity of the information it handles and the global
evaluation methodology to which the Cryptographic
Methodology is being applied to.
Some evaluation tasks will be common for all levels and
others will only apply depending on the security level.
INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
Conclusions
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
40 / 41
• Spain is pioneer in creating a Cryptographic
Evaluation Methodology for mechanisms.
• The usage in Common Criteria
evaluations is straight forward.
• The methodology is in trial usage and will
be published soon
• All this work is a contribution to complement
European efforts
• This effort is necessary to unify criteria in
the sector in order to make life easier for
laboratories and vendors.
Thank you

More Related Content

Similar to ICCC23 -The new cryptographic evaluation methodology created by CCN

First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International Workshop
ScadaLab Project
 
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and DifferencesCMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
PECB
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
Kenta Yamamoto
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
EuroPriSe and ISDP10003 2015 -
EuroPriSe and ISDP10003  2015 - EuroPriSe and ISDP10003  2015 -
EuroPriSe and ISDP10003 2015 -
Marco Moreschini
 
EuroPriSe and ISDP 10003 2015
EuroPriSe and ISDP 10003 2015EuroPriSe and ISDP 10003 2015
EuroPriSe and ISDP 10003 2015
Marco Moreschini
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
PECB
 
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...
CMG - The Digital Transformation Association
 
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Montrium
 
20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab
Dr. Paul THERON
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptx
AntonioProcentese1
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
Ulf Mattsson
 
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
KTN
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easy
Javier Tallón
 
Monitoring_2019_Validator how mointering
Monitoring_2019_Validator how mointeringMonitoring_2019_Validator how mointering
Monitoring_2019_Validator how mointering
compengwaelalahmar
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Maitena Ilardia
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
MEDINA
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
ControlCase
 
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification.  Chapter IIIndustrial Automation Control Systems Cybersecurity Certification.  Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Javier Tallón
 
Digital Forensics Triage and Cyber Security
Digital Forensics Triage and Cyber SecurityDigital Forensics Triage and Cyber Security
Digital Forensics Triage and Cyber Security
Amrit Chhetri
 

Similar to ICCC23 -The new cryptographic evaluation methodology created by CCN (20)

First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International Workshop
 
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and DifferencesCMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
EuroPriSe and ISDP10003 2015 -
EuroPriSe and ISDP10003  2015 - EuroPriSe and ISDP10003  2015 -
EuroPriSe and ISDP10003 2015 -
 
EuroPriSe and ISDP 10003 2015
EuroPriSe and ISDP 10003 2015EuroPriSe and ISDP 10003 2015
EuroPriSe and ISDP 10003 2015
 
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to KnowCMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know
 
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...
 
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ...
 
20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab20161012CRITIS_ptheron_ICCF ab
20161012CRITIS_ptheron_ICCF ab
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptx
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
 
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei...
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easy
 
Monitoring_2019_Validator how mointering
Monitoring_2019_Validator how mointeringMonitoring_2019_Validator how mointering
Monitoring_2019_Validator how mointering
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
Industrial Automation Control Systems Cybersecurity Certification.  Chapter IIIndustrial Automation Control Systems Cybersecurity Certification.  Chapter II
Industrial Automation Control Systems Cybersecurity Certification. Chapter II
 
Digital Forensics Triage and Cyber Security
Digital Forensics Triage and Cyber SecurityDigital Forensics Triage and Cyber Security
Digital Forensics Triage and Cyber Security
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
Javier Tallón
 
ICCC21 2021 statistics report
ICCC21 2021 statistics reportICCC21 2021 statistics report
ICCC21 2021 statistics report
Javier Tallón
 
jtsec Arqus Alliance presentation
jtsec Arqus Alliance presentationjtsec Arqus Alliance presentation
jtsec Arqus Alliance presentation
Javier Tallón
 
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
Javier Tallón
 
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Javier Tallón
 
La certificación de ciberseguridad en Europa, un desafío común.
La certificación de ciberseguridad en Europa, un desafío común.La certificación de ciberseguridad en Europa, un desafío común.
La certificación de ciberseguridad en Europa, un desafío común.
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 
ICCC21 2021 statistics report
ICCC21 2021 statistics reportICCC21 2021 statistics report
ICCC21 2021 statistics report
 
jtsec Arqus Alliance presentation
jtsec Arqus Alliance presentationjtsec Arqus Alliance presentation
jtsec Arqus Alliance presentation
 
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
III Encuentro del ENS- Usando el CPSTIC/ENECSTI en la administración - Herram...
 
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
Demostrando la ciberseguridad de tus productos y sistemas mediante auditoría ...
 
La certificación de ciberseguridad en Europa, un desafío común.
La certificación de ciberseguridad en Europa, un desafío común.La certificación de ciberseguridad en Europa, un desafío común.
La certificación de ciberseguridad en Europa, un desafío común.
 

Recently uploaded

To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
Task Tracker
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
87tomato
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
kayash1656
 
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
confluent
 
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docxComprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
Aardwolf Security
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
simran hot girls
 
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
dream girl
 
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
josephinedrea942
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
SimonedeGijt
 
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdfA Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
kalichargn70th171
 
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdfIoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
mohitd6
 
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
shanihomely
 
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdfAI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
Daniel Zivkovic
 
Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
NachuSubramanian1
 
Amadeus Travel API, Amadeus Booking API, Amadeus GDS
Amadeus Travel API, Amadeus Booking API, Amadeus GDSAmadeus Travel API, Amadeus Booking API, Amadeus GDS
Amadeus Travel API, Amadeus Booking API, Amadeus GDS
aadhiyaeliza
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
jhkdigitalmarketing
 
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
aslasdfmkhan4750
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
908dutch
 

Recently uploaded (20)

To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
 
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
 
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docxComprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
Comprehensive Vulnerability Assessments Process _ Aardwolf Security.docx
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
 
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
 
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
HIRE A HACKER FOR CHEATING HUSBAND/WIFE)
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
 
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdfA Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
 
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdfIoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
 
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
 
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdfAI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
 
Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
 
Amadeus Travel API, Amadeus Booking API, Amadeus GDS
Amadeus Travel API, Amadeus Booking API, Amadeus GDSAmadeus Travel API, Amadeus Booking API, Amadeus GDS
Amadeus Travel API, Amadeus Booking API, Amadeus GDS
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
 
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
 

ICCC23 -The new cryptographic evaluation methodology created by CCN

  • 1. The new cryptographic evaluation methodology created by CCN
  • 2. About me • Cybersecurity evaluation & consultancy services • Common Criteria, LINCE and ETSI EN 303 645 accredited lab. • Developers of the most powerful tool for Common Criteria, CCToolbox. • Involved in standardization activities (ISO, CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …) • Members of the SCCG (Stakeholder Cybersecurity Certification Group) • jtsec is part of the A+ group along with Lightship Security. We have labs in Canada, USA and Spain. About us José Ruiz Gualda jtsec Beyond IT Security • Computer Engineer (University of Granada) • Expert in Common Criteria, LINCE and FIPS 140-2 & FIPS 140-3 • Member of the SCCG (Stakeholder Cybersecurity Certification Group) at the European Commission. • Secretary of SC3 at CTN320 • Editor of LINCE as UNE standard • Editor in JTC13 WG3 of the FITCEM Methodology • European Commission reviewer for the ERNCIP group "IACS Cybersecurity Certification". • Former ICCC program director jruiz@jtsec.es
  • 3. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 4. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 5. History of the Cryptographic Evaluation José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 5 / 41 NIST (National Institute of Standards and Technology) Verification of Conformity according to FIPS 140-1, FIPS 140-2 and FIPS 140-3 CMVP - Designed for certifying cryptographic modules CAVP - Designed to certify cryptographic algorithms Publication of multiple "Special Publications" specifying cryptographic algorithms and how to test them USA
  • 6. History of the Cryptographic Evaluation José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 6 / 41 International
  • 7. History of the Cryptographic Evaluation Spain José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 7 / 41 Certification Body for cryptographic modules - OC-CCN (Spanish National Cryptologic Centre)
  • 8. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 9. Cryptographic Evaluation Today Europe • SOG-IS Crypto Evaluation Scheme Harmonised Cryptographic Evaluation Procedures v0.16 (December 2020) • First SOG-IS evaluation methodology Implementation of cryptographic mechanisms Pitfalls Prevention Requirements • SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms v1.3 (February 2023) Cryptographic mechanisms agreed and recommended by SOG-IS Acceptable level of security Implementation guidelines José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 9 / 41
  • 10. Cryptographic Evaluation Today Spain CCN-STIC 130 Guide Cryptologic Evaluation Requirements Guide (October 2017) • Requirements for Approval of Encryption Products to Handle Classified National Information • FIPS-like approach • Security Requirements MEC – LINCE Cryptographic evaluation module within the LINCE methodology Very light cryptographic conformance testing following the NIAP Protection Profiles approach José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 10 / 41 Botan-CCN Cryptographic Library Reference implementation of CCN to perform conformity testing of the cryptographic mechanism in cryptographic evaluations
  • 11. Cryptographic Evaluation Today Spain CCN-STIC 221 Guide Cryptographic Mechanisms authorized by CCN Includes new CCN-authorized algorithms with respect to the European ACM Transversal use guide not limited to ENS José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 11 / 41
  • 12. Cryptographic Evaluation Today Evolution José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 12 / 34 Jan 1994 FIPS 140- 1 March 2006 ISO/IEC 19790:2006 May 2016 SOGIS Agreed Cryptographic Mechanisms 1.0 June 2018 SOGIS Agreed Cryptographic Mechanisms 1.1 Jan 2020 SOGIS Agreed Cryptographic Mechanisms 1.2 May 2022 CCN-STIC 807 March 2023... CCN-STIC 221 Cryptographic Mechanisms Authorized by the CCN Dec 2018 Lince Aug 2012 ISO/IEC 19790:2012 Jan 2018 SP800-90B Oct 2018 CCN-STIC- 130 March 2019 FIPS 140-3 Dec 2020 SOG-IS HEP Coming... CCN Cryptographic Mechanisms Evaluation Methodology Dec 1999 AIS 20/31 May 2001 FIPS 140- 2 Feb 2023 SOGIS Agreed Cryptographic Mechanisms 1.3by the CCN Coming… 2023... CCN Cryptographic Evaluation Methodology
  • 13. Cryptographic Evaluation Today Is this only a Spanish issue? | Reasons why the cryptographic mechanisms methodology is necessary FIPS and/or ISO FIPS: • It only works when the module has been created to meet FIPS requirements. • It does not work well for products that integrate cryptography but do not use a third-party cryptographic module. STIC 130 • Does not include algorithm-level conformity and includes product implementation requirements. • Not 100% focused on cryptographic implementation. • Provides the security point of view. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 13 / 41 We do not have a methodology that evaluates cryptographic algorithms and protocols.
  • 14. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 15. Usage CCN Cryptographic Mechanisms Evaluation Methodology • Products whose main functionality requires cryptography (e.g., VPNs, ciphers, secure communications, etc.) • According to three increasing Certification Levels: CL1, CL2 & CL3 • During CC, LINCE and Complementary STIC certification processes. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 15 / 41
  • 16. Definition CCN Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 16 / 41 Document Structure • Cryptographic Requirements • Agreed Cryptographic Mechanisms • Conformity Testing • Common Implementation Pitfalls Index
  • 17. Evaluation tasks and evaluation test Structure José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 16 / 41 Each section contains: • One or several tasks are defined. They are mandatory independently of the implementation and shall be executed for the associated certification level. • One or several tests defined and associated to each task. They are categorized as mandatory or implementation dependant. Moreover, the required vendor inputs are detailed for each test. Some specific examples:
  • 18. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 17 / 41 1. Cryptographic Requirements Objective: To specify the requirements extracted by CCN from the CCN-STIC 130 guide that apply to the security of cryptographic products related to the cryptographic mechanisms and primitives implemented in relation to: • Self-tests (not required by SOGIS nor CCN STIC- 221) • Critical Security Parameters (CSP) Management (with additional requirements than required by SOGIS) • Mitigation of Other Attacks (not required by SOGIS nor CCN STIC-221) Evaluation: The evaluator shall verify that the TOE complies with the cryptographic requirements listed in this section.
  • 19. Cryptographic Mechanisms Evaluation Methodology 1. Cryptographic Requirements - Critical Security Parameters (CSP) Management José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 18 / 41 The methodology not only evaluates the SOGIS related Key Management requirements, but also assesses the entire life cycle of every SSP managed by the TOE. Example: SSP Life Cycle Management for AES_EDK M This comprehensive approach ensures a thorough evaluation of the security posture of the TOE beyond just key management.
  • 20. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 19 / 41 2. Approved Cryptographic Mechanisms Objective: To specify the cryptographic mechanisms recognized and agreed by CCN Evaluation: The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the guidelines presented by the CCN in the CCN STIC-221 guide including correct parametrization.
  • 21. Cryptographic Mechanisms Evaluation Methodology Structure José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 20 / 41 3. Conformance Testing Objective: To specify the requirements necessary to perform conformity testing of the cryptographic primitives and mechanisms implemented by the TOE. These tests shall determine whether the cryptographic primitives and mechanisms used by the TOE are correctly implemented. This is similar to what NIST does but also verifying parameterizations and limit values that often lead to errors. Evaluation: The evaluation process is divided into four steps: 1. Generation of Test Vectors: Request and Sample files. 2. Generation of Results by the Vendor: Response File 3. Generation of Results by the Evaluator: Response File 4. Validation of Results by the Evaluator
  • 22. Cryptographic Mechanisms Evaluation Methodology Conformance Testing Evaluation Process Diagram José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 21 / 41
  • 23. Cryptographic Mechanisms Evaluation Methodology Test Vectors Generation ◦ The evaluator shall generate a 'REQUEST' file (in JSON format) for each cryptographic mechanism implemented by the TOE containing the test vectors associated to the supported parameterization. ◦ Additionally, the evaluator shall generate the 'SAMPLE' file (in JSON format) for each cryptographic mechanism implemented by the TOE containing an example solution to indicate the format of the expected result. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 22 / 41 The evaluator shall send to the vendor a file package containing the 'REQUEST' and 'SAMPLE' files associated to all cryptographic mechanisms implemented by the TOE.
  • 24. Cryptographic Mechanisms Evaluation Methodology Generation of Results by the Vendor José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 23 / 41 ◦ The vendor shall generate a 'RESPONSE' file associated with each cryptographic mechanism implemented, containing the output provided by the TOE for each of the test vectors provided in the 'REQUEST' file. ◦ The vendor shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file. The vendor shall send to the evaluator a file package containing the 'RESPONSE' files associated with all cryptographic mechanisms implemented by the TOE.
  • 25. Cryptographic Mechanisms Evaluation Methodology Generation of Results by the Evaluator The evaluator shall generate the 'RESPONSE' file associated to each cryptographic mechanism implemented by the TOE, using the Botan-CCN library as reference cryptographic implementation. The evaluator shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 24 / 41
  • 26. Cryptographic Mechanisms Evaluation Methodology Validation of Results by the Evaluator José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 25 / 41 The evaluator shall validate the 'RESPONSE' files provided by the vendor for each cryptographic mechanism implemented by the TOE, comparing the results provided with those obtained in the previous step using the Botan- CCN cryptographic library. The evaluator shall determine whether the TOE correctly implements the cryptographic mechanisms and primitives used and declared.
  • 27. Cryptographic Mechanisms Evaluation Methodology José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 26 / 41 4. Common Implementation Pitfalls Objective: To specify the requirements necessary to avoid implementation pitfalls in the cryptographic primitives and mechanisms implemented by the TOE. Evaluation: The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the implementation pitfall avoidance guidelines presented by the SOG-IS in the SOG-IS Harmonized Cryptographic Evaluation Procedures guide. Structure
  • 28. Cryptographic Mechanisms Evaluation Methodology Common Implementation Pitfalls - Example: Key Derivation Implementation Pitfall José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 27 / 41
  • 29. Cryptographic Mechanisms Evaluation Methodology Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS Cryptographic Mechanisms Evaluation Methodology • Complete evaluation methodology. It establishes concrete evaluation tasks depending on the certification level (CL1,CL2 or CL3) to be followed by the evaluator for each cryptographic mechanism to assess: • Cryptographic Management requirements • Mitigation of other attacks. • Usage of approved mechanisms, including post quantum algorithms and specific entropy requirements • Conformity Testing • Common implementation pitfalls avoidance. • Self-tests. It is verified that the self-tests are properly implemented for each algorithm according to CCN requirements. Several evaluation tasks are designed to evaluate their implementation and correct operation. SOG-IS HEP and ACM • Provides the agreed mechanisms and their associated requirements, and the evaluation tasks to: • Verify their correct implementation according to their associated standard • Perform the conformity testing. • Avoid implementation pitfalls. • Verify key management (with less requirements than the CCN evaluation methodology) • Self-tests requirements and Mitigation of other attacks are not specified. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 28 / 41
  • 30. Cryptographic Mechanisms Evaluation Methodology Cryptographic Mechanisms Evaluation Methodology Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 29 / 41 SOG-IS HEP and ACM SOG-IS HEP and ACM • List of classical algorithms without including references to post-quantum algorithms •New Algorithms: The Cryptographic Mechanisms Evaluation Methodology includes new "classical" and post- quantum algorithms recommended by the Spanish CCN in the new STIC 221 guide. New recommended classical algorithms: SCRYPT, ChaCha20_Poly1305 EdDSA Post-Quantum Algorithms •CRYSTALS- Kyber, CRYSTALS- Dilithium, Falcon, SPHINCS+ •FrodoKEM is also recommended. It will not be standardised as part of NIST’s PQC project, mainly due to efficiency considerations, but there are currently no doubts about its security.
  • 31. Cryptographic Mechanisms Evaluation Methodology • Life cycle management of each SSP managed by the TOE. For each SSP, its strength, generation, entry/output, storage and zeroization methods are evaluated. • Complete list of conformity test vectors for all the agreed cryptographic mechanisms. Example: AES Key Wrapping. SOG-IS HEP and ACM • Establishes general Key Management requirements, specifying only the recommended mechanism for each stage. • The conformity test vectors of several algorithms are not defined or are not complete. Cryptographic Mechanisms Evaluation Methodology Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 29 / 41
  • 32. Cryptographic Mechanisms Evaluation Methodology • The methodology will be used in Common Criteria evaluations at the national level if crypto is a core component of the product (e.g. VPN, Ciphers, etc...) • The methodology could be considered a supporting document to harmonize how to evaluate crypto mechanisms. Cryptographic Mechanisms Evaluation Methodology Link with Common Criteria José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 29 / 41
  • 33. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 34. CCN Cryptographic Evaluation Tool Definition Performing Conformity Testing Structure of the Tool o JSON test files: test vectors in hexadecimal format according to SOG-IS methodology. o ACVP-Parser: JSON file processing and extraction of parameters needed to invoke the cryptographic reference implementation. o Botan-CCN Cryptographic Library: cryptographic reference implementation used to generate test vectors results and validate the correct cryptographic implementation of the TOE. José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 31 / 41
  • 35. CCN Cryptographic Evaluation Tool José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 32 / 41 1. Processing of the test vectors to extract the parameters using the ACVP-Parser. 2. Invocation of the Botan-CCN cryptographic library to perform the generation of test vector results using the associated 'REQUEST' file. 3. Generation of the 'RESPONSE' file associated to a cryptographic mechanism using the associated 'REQUEST' file and the results obtained using the Botan-CCN cryptographic library. Flowchart
  • 36. Cryptographic Evaluation Tool Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 33 / 41 ‘REQUEST’ file ‘RESPONSE' file generated by the Tool
  • 37. Cryptographic Evaluation Tool Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 34 / 41 ‘RESPONSE' file generated by TOE Validation of results
  • 38. Cryptographic Evaluation Tool Cryptographic Evaluation Tool - Usage Example: SHA-256 José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 35 / 41 ‘RESPONSE' file generated by TOE Validation of results ERROR
  • 39. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 40. Cryptographic Evaluation Methodology José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 38 / 41 1. Usage Cryptographic evaluation methodology to address the security requirements of the CCN-STIC 130 guidance. This methodology aims to evaluate the implementation of a TOE beyond the requirements associated with cryptographic mechanisms such as: - Cryptographic Module Design - Authentication - Physical Security - Logical Security - RNG design - Configuration management system - Etc…
  • 41. Cryptographic Evaluation Methodology José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 38 / 41 2. Security Levels: CCN STIC-130 defines 3 increasing qualitative levels of security that are directly mapped to the 3 evaluation levels of the Cryptographic Mechanisms Evaluation Methodology: - CL1: Low Level of CCN-STIC 130 (Restricted) - CL2: High Level of CCN-STIC 130 - CL3: Advanced Level of CCN-STIC 130 Each TOE will be evaluated according to the level of sensitivity of the information it handles and the global evaluation methodology to which the Cryptographic Methodology is being applied to. Some evaluation tasks will be common for all levels and others will only apply depending on the security level.
  • 42. INDEX 1. History of Cryptographic Evaluation 2. Cryptographic Evaluation Today 3. Cryptographic Mechanisms Evaluation Methodology 4. Cryptographic Evaluation Tool 5. Cryptographic Evaluation Methodology 6. Conclusions
  • 43. Conclusions José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN 40 / 41 • Spain is pioneer in creating a Cryptographic Evaluation Methodology for mechanisms. • The usage in Common Criteria evaluations is straight forward. • The methodology is in trial usage and will be published soon • All this work is a contribution to complement European efforts • This effort is necessary to unify criteria in the sector in order to make life easier for laboratories and vendors.

Editor's Notes

  1. Let me briefly present myself: I’m José Manuel Pulido, currently Lead Cybersecurity Consultant at jtsec. I have been involved in the Common Criteria, cybersecurity in general and development of tools for CC professionals for several years. And I also have participated in various conferences, being this my third year in ICCC. The statistics that I Will present to you today, and the tools used to create them are elaborated in jtsec, an accredited CC laboratory, deeply involved in various standardization groups related to cybersecurity certification as you can see I. I won’t take too much time from you for this presentation. You are welcome to check this slide or the jtsec website after the talk if you want to know more about us.
  2. Los Power-up son verificación de integridad del módulo, DRBG test y algoritmos relacionados con critical funcitons Los conditional contemplan la ejecución de los de los algoritmos antes del primer uso, DRBG de nuevo antes de generar una clave, los pairwise, los de verificar los algoritmos dedicados a verificar la integridad de firmware en una actualización y los algoritmos relacionados con funciones críticas