New cryptographic evaluation methodology created by CCN, how does it apply and what does it consist of?
Cryptography has become, in recent years, a fundamental part of the cybersecurity of any product. Therefore, CCN has decided to create a methodology for the evaluation of cryptographic mechanisms that can be applied to all those products that are certified/qualified using standards such as Common Criteria and LINCE, as well as for those that are tested directly against the methodology itself as cryptographic evaluation.
From jtsec we are especially proud to be able to participate in the creation of this new methodology that will serve as a national and European baseline
and on which we have been working for about two years and that we had the opportunity to present at XVI Jornadas STIC CCN-CERT
and at EU Cybersecurity Act Conference 2023.
Reasons for the creation of a new cryptographic methodology
The different standards and documents related to cryptography both in Spain (CCN STIC – 130, CCN STIC – 221 o MEC), and at international/European level (FIPS
, SOG-IS ACM
) do not fit perfectly to the evaluation of cryptographic mechanisms.
The new cryptographic evaluation methodology created by CCN aims to create a single model for the cryptographic evaluations
mentioned above, oriented to products whose main functionality requires cryptography (VPN, encryptors, secure communications, etc.), defining the tasks to be performed by the evaluator in order to verify the requirements to be met by the products.
With this new methodology we avoid creating an excessive burden for the laboratory, that the evaluations are extended in time, as well as incomprehension on many occasions by the manufacturer as to what criteria are followed during the selection process of which parts are included and excluded from the evaluation.
This new methodology has been created taking into account four fundamental pillars:
Cryptographic requirements defined by CCN: It establishes the evaluation tasks for the evaluator to verify that the implementation requirements are being met, and also to verify that the execution of the self-tests and the management of the Sensitive Security Parameters (SSP), which include the Public Security Parameters (PSS) and the Critical Security Parameters (CSP), are being carried out correctly.
Cryptographic Mechanisms approved by CCN: Defines the cryptographic algorithms approved by CCN in CCN-STIC 221 guide and the parameterization associated to each one of them. The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the guidelines presented by CCN in the CCN-STIC 221 guide.
Conformity testing: It is necessary to verify the correct operation of the cryptographic mechanisms implemented in the TOE. To do so, it is necessary to run tests using input vectors that produce known responses, which will determine whether the cryptographic mechanisms and primitives used by the TOE have been operated properly, also verifying parameterizations and limit values that usually lead to pitfall.
For this purpose, it is necessary to use the tool that jtsec is creating together with CCN, for the validation of cryptographic modules. Its use is based on the generation of input tests (REQ files) for each algorithm implemented in the TOE, which are provided to the manufacturers, together with examples of each algorithm (SAMPLE files), so that, using them as input in the TOE, the manufacturer generates the response/output files to them (Vendor RSP files). Once the client has generated these response files, it will be necessary to compare that they are correct, using the response files (Tester RSP) generated by the tool, to verify that they match, and that, therefore, the TOE operates properly.
*Diagram of the conformity testing evaluation process
Common implementation pitfalls: It is necessary to verify that the cryptographic mechanisms implemented in the TOE, are free of common pitfalls that are made at the time of their implementation. To avoid such pitfalls in the cryptographic mechanisms implemented in the TOE and presented by the SOG-IS in the guide SOG-IS Harmonised Cryptographic Evaluation Procedures.
With this new methodology, which has aimed to generate a common evaluation framework, it could be said that Spain, with the collaboration of jtsec, is positioned as a cutting edge in the creation of a cryptographic evaluation methodology:
It is positioned as a forefront in the creation of a cryptographic evaluation methodology.
It is a pioneer in the creation of a tool for validating the conformity of algorithms in accordance with the cryptographic mechanisms approved in Spain and Europe.
It has contributed to complement cybersecurity efforts at the European level.
It promotes the unification of criteria in the sector to facilitate the day-to-day work of both laboratories and manufacturers.