ISO/IEC 19790 Evaluation

  • Top-level experts.
  • Save time and money.
  • 14 years of proven experience.
  • On-time delivery.
  • Great team specialized in cryptography.


WHAT IS AN ISO/IEC 19790 CERTIFICATION?

An ISO/IEC 19790 certification involves the evaluation of a cryptographic module against the ISO/IEC 19790:2012 standard, so that the module can be used to protect sensitive information in communication or electronic systems. Four certification levels are defined: SL1, SL2, SL3, and SL4, for which the standard specifies requirements across 11 security areas.

The security levels are as follows:

Security Level 1 (SL1)

This is the most basic level of security. Basic requirements for a cryptographic module are specified (at least one approved security function). It allows for implicit and explicit authentication and does not require specific physical security mechanisms.

Security Level 2 (SL2)

Improves physical security mechanisms by adding a tamper-evidence requirement. Requires role-based authentication to control operator access to their associated services. This corresponds to the highest level for a Software module, as from Level 3 onwards, physical security requirements are mandatory.

Security Level 3 (SL3)

Defines additional requirements to mitigate unauthorized access to the sensitive security parameters (SSPs) managed by the module. Advanced physical security requirements are included. Requires identity-based authentication to control operator access to associated services and environmental failure protection or environmental failure testing (EFP/EFT) security measures, as well as the use of an automated configuration management system to control the manufacturing process of the target of evaluation (TOE).

Security Level 4 (SL4)

In addition to what is required by SL3, it requires detection and response mechanisms for unauthorized physical access. Multi-factor authentication is required to control operator access to associated services, and EFP security measures are mandatory.

DOCUMENTATION AND TOOLS REQUIRED IN THE ISO/IEC 19790 EVALUATION PROCESS

The following documentation and tools are required to carry out the evaluation process according to ISO/IEC 19790:

  • Security Policy (SP): This is the main document where the manufacturer must provide a description of the cryptographic module, including all the information required by the standard to meet its requirements.
  • Functional Specification (FS): This is an informal description of the cryptographic module, where the module's cryptographic functionality defined in the SP is associated with its physical and logical interfaces, indicating how to execute each of them.
  • Finite State Model (FSM): A document that defines the finite state model that evidences the cryptographic module's implementation according to the standard's requirements, including all required states.
  • Vendor Testing (VT): The vendor must perform and document the tests carried out on the TOE to verify the correct execution of the cryptographic functionalities implemented in the module, as specified in the SP and in accordance with the FS.
  • Vendor Evidence (VE): This document records each of the documentary and implementation requirements to be met by the TOE and the manufacturer during the certification process based on ISO/IEC 24759.
  • Configuration Item List (CIL): This should list the documentary elements and the TOE itself that are under evaluation and managed by the manufacturer's configuration management system.
  • Vendor Questionnaire (VQ): As part of the evaluation, the manufacturer must complete the VQ to provide evidence of the implemented algorithms, so that they can be certified under a MEMeC certification.
  • Compliance Testing Tool (Test Harness): This consists of a set of software/firmware tools developed entirely by the vendor, enabling the lab to execute test vectors by invoking the TOE's cryptographic implementation as required in a MEMeC certification.

ISO/IEC 19790 CERTIFICATION PROCESS

To certify a cryptographic product according to MEMeC, the product must be evaluated by an ENAC- and CCN-authorized laboratory that acts as a reliable and technically qualified third party.

The certification process consists of two parts. The first is the ISO/IEC 19790 certification itself, in which the module is evaluated against the standard's requirements. The second is a MEMeC CL1 certification, which is required to certify the cryptographic mechanisms implemented by the TOE according to the requirements established by the National Cryptologic Center (CCN).

ISO/IEC 19790

  • Evaluation of the cryptographic module and its associated documentation.

ISO/IEC 19790 - Algorithm Certification (MEMeC CL1)

  • Certification of Cryptographic Mechanisms implemented by the TOE according to the associated Vendor Questionnaire.

The laboratory will review the manufacturer's documentation and conduct tests to verify that the cryptographic mechanisms of a product comply with applicable requirements and implement authorized cryptographic functions.

Once the cryptographic product manufacturer submits the required documentation to the laboratory for evaluation, the laboratory will conduct the necessary tests to verify if the product meets ISO/IEC 19790 and MEMeC CL1 requirements.

The results of the laboratory's evaluation are presented in a Technical Evaluation Report (ETR). The CCN will validate this report, and if no implementation flaws or non-conformities are found during the evaluation, it certifies that the product has been successfully evaluated in compliance with ISO/IEC 19790 and MEMeC CL1.


WHAT DO WE OFFER?

At jtsec, we are specialists in cryptographic evaluations and understand every phase of the process. If you want to avoid unnecessary costs and ensure a smooth certification process, contact us as soon as possible and let our experts guide you from the start.

  1. EVALUATION

    As an accredited laboratory, at jtsec we perform the complete evaluation of your cryptographic product in compliance with the ISO/IEC 19790 standard. Our team meticulously reviews the documentation, validates the security functionality, and conducts the necessary tests to ensure your product achieves certification quickly and efficiently.

  2. TRUST AND PROFESSIONALISM

    With years of experience in security certifications, our team of highly qualified professionals manages the entire process, providing you with the confidence that your products meet the highest standards. We make sure to optimize time and resources, minimizing unnecessary costs and accelerating the path to certification.

  3. TECHNICAL TRAINING

    At jtsec, we bring technical excellence to each of our projects. Our professionals are committed to a continuous training process, always maintaining the highest qualifications to verify and ensure the security of your products. Trust us to ensure that your technology is in the hands of experts.

  4. TIME TO MARKET

    We understand that time is crucial in today's market. At jtsec, we work not only to be the best but also to be the fastest. If you have tight deadlines, you can rely on us: we put all our resources at your disposal to ensure your product reaches the market as quickly as possible, without compromising quality.