New cryptographic evaluation methodology created by CCN: how is it applied and what does it consist of?


- May
Posted by: Juan Martínez

Cryptography has become, in recent years, a fundamental part of the cybersecurity of any product. CCN has therefore decided to create a methodology for evaluating cryptographic mechanisms. It can be applied to products that are certified or qualified under standards such as Common Criteria and LINCE, and to products tested directly against the methodology itself as a cryptographic evaluation.

At jtsec we are especially proud to participate in the creation of this new methodology, which will serve as a national and European baseline. We have been working on it for about two years and had the opportunity to present it at the XVI Jornadas STIC CCN-CERT and at the EU Cybersecurity Act Conference 2023.

Reasons for the creation of a new cryptographic methodology

The different standards and documents related to cryptography, both in Spain (CCN STIC – 130, CCN STIC – 221 or MEC) and at international/European level (FIPS, SOG-IS ACM and HEP), are not a perfect fit for the evaluation of cryptographic mechanisms.

The new cryptographic evaluation methodology created by CCN aims to create a single model for the cryptographic evaluations mentioned above, oriented to products whose main functionality requires cryptography (VPN, encryptors, secure communications, etc.), defining the tasks to be performed by the evaluator in order to verify the requirements to be met by the products. This new methodology avoids placing an excessive burden on the laboratory and evaluations that drag on over time, as well as the frequent confusion on the manufacturer's side about which criteria are used to select the parts included in and excluded from the evaluation.

Methodology structure

This new methodology has been created taking into account four fundamental pillars:

  • Cryptographic requirements defined by CCN: Establishes the evaluation tasks for the evaluator to verify that the implementation requirements are being met, and also that the execution of the self-tests and the management of the Sensitive Security Parameters (SSP), which include the Public Security Parameters (PSP) and the Critical Security Parameters (CSP), are being carried out correctly.

  • Cryptographic Mechanisms approved by CCN: Defines the cryptographic algorithms approved by CCN in the CCN-STIC 221 guide and the parameterization associated with each of them. The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the guidelines presented by CCN in the CCN-STIC 221 guide.

  • Conformity testing: It is necessary to verify the correct operation of the cryptographic mechanisms implemented in the TOE. To do so, tests are run using input vectors that produce known responses, which determine whether the cryptographic mechanisms and primitives used by the TOE operate properly, and which also exercise the parameterizations and limit values that usually lead to pitfalls.

    For this purpose, the tool that jtsec is creating together with CCN for the validation of cryptographic modules must be used. The tool generates input tests (REQ files) for each algorithm implemented in the TOE. These are provided to the manufacturer together with examples for each algorithm (SAMPLE files); using them as input to the TOE, the manufacturer generates the corresponding response/output files (Vendor RSP files). Once the manufacturer has generated these response files, they are compared with the response files generated by the tool (Tester RSP) to verify that they match and that, therefore, the TOE operates properly.

    *Diagram of the conformity testing evaluation process

  • Common implementation pitfalls: It is necessary to verify that the cryptographic mechanisms implemented in the TOE are free of the common pitfalls made at implementation time. The pitfalls to check for are those presented by SOG-IS in the guide SOG-IS Harmonised Cryptographic Evaluation Procedures.


    With this new methodology, which aims to provide a common evaluation framework, it could be said that Spain, with the collaboration of jtsec:

  • Is positioned at the forefront of the creation of a cryptographic evaluation methodology.

  • Is a pioneer in the creation of a tool for validating the conformity of algorithms in accordance with the cryptographic mechanisms approved in Spain and Europe.

  • Has contributed to complementing cybersecurity efforts at the European level.

  • Promotes the unification of criteria in the sector to facilitate the day-to-day work of both laboratories and manufacturers.

  • Juan Martínez/Senior consultant

    Telecommunication Engineer with a Master's degree in cybersecurity from the University of Granada. Working as a cybersecurity consultant at jtsec since July 2017 on projects related to Common Criteria, LINCE certification, FIPS 140-2, FIPS 140-3 and PCI-PTS standards.

    Although his main activity is focused on consultancy, he has also participated in projects as an evaluator in LINCE certifications and as a hardware security analyst, based on the hardware experience he gained during his university years, when he took part in the third and fourth editions of the “Desafío Tecnológico UGR” university challenge and won the third and first awards respectively.

    Juan is part of the first group of students awarded the CryptoCert Certified Crypto Analyst certification, whose quality, relevance and usefulness is recognized by the Spanish National Cryptologic Center.

    His main motivation is to keep improving his cybersecurity skills in order to actively participate in the protection of user data and to help companies achieve their product certifications.

