ISO/IEC 19790 Consulting services

  • Top-level experts.
  • Save time and money.
  • On-time delivery.
  • Great team specialized in cryptography.

Click here to watch our presentation on ISO/IEC 19790 at one of the most relevant cybersecurity events on the national scene.

WHAT IS AN ISO/IEC 19790 CERTIFICATION?

An ISO/IEC 19790 certification is the evaluation of a cryptographic module against the ISO/IEC 19790:2012 standard, so that the module can be used to protect sensitive information in a communication or electronic system. Four certification levels are defined, SL1 to SL4, and for each of them the standard specifies requirements across 11 security areas.

The security levels are as follows:

Security Level 1 (SL1)

This is the most basic security level. It specifies the baseline requirements for a cryptographic module (at least one approved security function). It allows implicit and explicit authentication and does not require specific physical security mechanisms.

Security Level 2 (SL2)

Strengthens physical security by adding a tamper-evidence requirement, and requires role-based authentication to control operator access to the associated services. This is the highest level attainable by a software module, since from Level 3 onwards physical security requirements are mandatory.

Security Level 3 (SL3)

Adds requirements to mitigate unauthorized access to the sensitive security parameters (SSPs) managed by the module, together with advanced physical security requirements. Requires identity-based authentication to control operator access to the associated services, environmental failure protection/testing (EFP/EFT) measures, and the use of an automated configuration management system to control the manufacturing process of the target of evaluation (TOE).

Security Level 4 (SL4)

In addition to the SL3 requirements, it requires mechanisms to detect and respond to unauthorized physical access. Multi-factor authentication is required to control operator access to the associated services, and EFP measures are mandatory.

DOCUMENTATION AND TOOLS REQUIRED IN THE ISO/IEC 19790 EVALUATION PROCESS

The following documentation is required to carry out an evaluation according to ISO/IEC 19790:

  • Security Policy (SP): The main document, in which the manufacturer describes the cryptographic module and provides all the information the standard requires to demonstrate compliance with its requirements.
  • Functional Specification (FS): An informal description of the cryptographic module that maps the cryptographic functionality defined in the SP to the module's physical and logical interfaces, indicating how each function is invoked.
  • Finite State Model (FSM): A document defining the finite state model that shows how the cryptographic module is implemented according to the standard's requirements, including all the required states.
  • Vendor Testing (VT): The vendor must perform and document tests on the TOE to verify that the cryptographic functionality implemented in the module executes correctly, as specified in the SP and in accordance with the FS.
  • Vendor Evidence (VE): A document recording each documentary and implementation requirement that the TOE and the manufacturer must meet during the certification process, based on ISO/IEC 24759.
  • Configuration Item List (CIL): Lists the documentary elements and the TOE itself that are under evaluation and managed by the manufacturer's configuration management system.
  • Vendor Questionnaire (VQ): As part of the evaluation, the manufacturer completes the VQ to provide evidence of the implemented algorithms, enabling their certification under MEMeC.
  • Compliance Testing Tool (Test Harness): A set of software/firmware tools developed entirely by the vendor that lets the laboratory execute test vectors by invoking the TOE's cryptographic implementation, as required for MEMeC certification.
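As an added illustration of how the FSM and the test harness fit together (this is example code, not jtsec's tooling nor anything the standard prescribes): a hypothetical module that runs known-answer self-tests before offering any service, and a lab-side harness that drives its SHA-256 service with test vectors. The state names, the ToyModule class and the hashlib-backed implementation are assumptions; the two vectors are the standard SHA-256 examples for "" and "abc".

```python
import hashlib
from enum import Enum, auto

# Constructed known-answer test (KAT) vectors: SHA-256 of "" and of "abc".
KAT_VECTORS = [
    {"msg": b"",
     "expected": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"msg": b"abc",
     "expected": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
]

class State(Enum):
    """Hypothetical subset of a module's finite state model (names are assumptions)."""
    POWER_OFF = auto()
    SELF_TEST = auto()
    OPERATIONAL = auto()
    ERROR = auto()

class ToyModule:
    """Hypothetical TOE: a SHA-256 service gated by the module's current state."""
    def __init__(self):
        self.state = State.POWER_OFF

    def power_on(self, kat_vectors):
        """Run pre-operational self-tests; any mismatch leaves the module in ERROR."""
        self.state = State.SELF_TEST
        for v in kat_vectors:
            if hashlib.sha256(v["msg"]).hexdigest() != v["expected"]:
                self.state = State.ERROR
                return self.state
        self.state = State.OPERATIONAL
        return self.state

    def sha256(self, msg):
        """Approved service: refused unless the module is operational."""
        if self.state is not State.OPERATIONAL:
            raise RuntimeError(f"service unavailable in state {self.state.name}")
        return hashlib.sha256(msg).hexdigest()

def run_harness(module, vectors):
    """Lab-side harness: feed each vector to the module's service and record pass/fail."""
    results = []
    for v in vectors:
        try:
            ok = module.sha256(v["msg"]) == v["expected"]
        except RuntimeError:
            ok = False  # service refused, e.g. because the module is in ERROR
        results.append((v["msg"], ok))
    return results
```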

ISO/IEC 19790 CERTIFICATION PROCESS

To certify a cryptographic product under MEMeC, the product must be evaluated by an ENAC- and CCN-authorized laboratory, which acts as a reliable and technically qualified third party.

The certification process has two parts: the ISO/IEC 19790 certification itself, in which the module is evaluated against the standard's requirements, and a MEMeC CL1 certification, which certifies the cryptographic mechanisms implemented by the TOE according to the requirements established by the National Cryptologic Center (CCN).

ISO/IEC 19790

  • Evaluation of the cryptographic module and its associated documentation.

ISO/IEC 19790 - Algorithm Certification (MEMeC CL1)

  • Certification of Cryptographic Mechanisms implemented by the TOE according to the associated Vendor Questionnaire.

The laboratory will review the manufacturer's documentation and conduct tests to verify that the cryptographic mechanisms of a product comply with applicable requirements and implement authorized cryptographic functions.

Once the manufacturer submits the required documentation to the laboratory, the laboratory conducts the necessary tests to verify whether the product meets the ISO/IEC 19790 and MEMeC CL1 requirements.

The results of the laboratory's evaluation are presented in a Technical Evaluation Report (ETR). The CCN validates this report and, if no implementation flaws or non-conformities were found during the evaluation, certifies that the product has been successfully evaluated in compliance with ISO/IEC 19790 and MEMeC CL1.


WHAT DO WE OFFER?

At jtsec, we are expert evaluators in the ISO/IEC 19790 standard and know every detail of the certification process. If you want to avoid unnecessary costs and ensure your product meets the standards from the start, contact us as soon as possible and inquire about our specialized ISO/IEC 19790 consulting service.

  1. GAP ANALYSIS

    Do you have doubts about whether your product can obtain ISO/IEC 19790 certification? Our GAP Analysis is the ideal tool to resolve them. Our experts thoroughly evaluate your product and identify any deficiencies that might lead to non-compliance with the standard. This detailed analysis lets you understand the evaluation process precisely, know what you need in order to comply with the standard, and focus your efforts on the critical areas that require attention.

  2. CONSULTING

    If your cryptographic module needs to be validated according to ISO/IEC 19790, at jtsec we offer comprehensive support throughout the process. We know the documentation required by the standard can be complex, so we assist you in drafting the necessary documents, such as the Security Policy, Functional Specification, Finite State Model, Vendor Testing, Vendor Evidence, and the Configuration Item List.

    Moreover, you can hire additional consulting services to develop the Vendor Questionnaire, which is essential for certifying cryptographic mechanisms under the MEMeC CL1 evaluation. With our team by your side, you can navigate the certification process with confidence.

  3. TRAINING

    Does your team need to enhance its knowledge of ISO/IEC 19790 certification? We offer customized training tailored to your company's specific needs. We have delivered courses for laboratories, developers, and various schemes, so that after our training your team is fully equipped to pass the evaluation process successfully.