WHAT IS A MEMeC CERTIFICATION?
jtsec has collaborated with the CCN (National Cryptographic Center) in the creation of a Methodology for the Evaluation of Cryptographic Mechanisms (MEMeC) implemented in products whose main functionality is based on the use of cryptography.
The objective of this certification is to evaluate the correct implementation of cryptographic mechanisms used in technology products, which are being assessed under Common Criteria (CC), LINCE, STIC certifications, or those evaluated directly against this methodology as a cryptographic evaluation. In this way, a common framework for validating cryptographic mechanisms is created, enabling cryptographic certification at a national level.
A MEMeC certification defines three incremental assurance levels (CL1, CL2, and CL3) in terms of the number of requirements to meet, as well as the depth of compliance with them. These requirements are grouped into four fundamental areas:
- Cryptographic implementation: focused on verifying that both the cryptographic mechanisms implemented by the product and their configuration comply with the CCN-STIC 221 guide.
- Cryptographic management: focused on verifying that the product properly implements self-tests associated with these mechanisms, performs correct management of Sensitive Security Parameters throughout their lifecycle, and implements mitigation against other attacks, such as side-channel attacks.
- Conformity Testing: focused on verifying the results of the algorithms implemented by the product by conducting compliance tests.
- Implementation Pitfalls: focused on verifying that cryptographic mechanisms are implemented while avoiding common implementation errors.
DOCUMENTATION AND TOOLS REQUIRED IN THE MEMeC EVALUATION PROCESS
Depending on the level of certification being sought, the following list of items and documentation is required to begin the evaluation process:
For CL1:
- TOE identification: It consists of defining the scope of the cryptographic evaluation. This means clearly defining the boundaries of the cryptographic evaluation itself and providing an adequate definition of the TOE as well as its purpose from the cryptographic point of view.
- Manufacturer's questionnaire (VQ): Document provided by the laboratory containing the necessary questions to provide evidence of the correct implementation and use of the cryptographic mechanisms implemented by the cryptographic module and additional documentation necessary to perform the evaluation.
- Conformance Testing Tool (Test Harness): It consists of the software/firmware toolset that must be fully developed by the vendor to enable the laboratory to execute the test vectors by invoking the cryptographic implementation of the TOE.
In addition to the above, the following is required for CL2 and CL3:
- Test and operation interfaces to verify TOE functionality: Functional specification that identifies the TOE interfaces, as well as how to execute each of the implemented cryptographic mechanisms using them and how to obtain the result associated with such executions.
- Evidence of the Prevention of Common Implementation Pitfalls: Presentation of the evidence needed to show that common implementation errors associated with the implemented cryptographic mechanisms have been avoided.
- Implementation Representation (CL3): TOE source code or VHDL related to the implementation of the TOE cryptographic mechanisms, including information such as compilers, compilation options, etc.
- VQ for Random Number Generation: If the TOE implements a random number generator to support its cryptographic functionality, it will be necessary to provide a VQ associated with it and to use a certified random number generator.
MEMeC CERTIFICATION PROCESS IN SPAIN
To certify a cryptographic product as MEMeC compliant, the product must be evaluated by an ENAC and CCN authorized laboratory acting as a reliable and technically qualified third party.
The laboratory shall review the manufacturer's documentation and perform tests to verify that a product's cryptographic mechanisms conform to applicable requirements and implement authorized cryptographic functions.
Once the manufacturer of the cryptographic product has delivered to the laboratory the Vendor Questionnaire along with all the documentation necessary to perform the evaluation, the laboratory shall perform the necessary tests to verify if the product complies with the MEMeC requirements.
The results of the evaluation performed by the laboratory are set out in an Evaluation Technical Report (ETR). The CCN will validate this report and, if no implementation failures or non-conformities were found during the evaluation, the product is certified as having been satisfactorily evaluated according to the MEMeC.
WHAT DO WE OFFER?
At jtsec, not only have we collaborated in the drafting of the standard together with CCN, but we are the first accredited laboratory to perform MEMeC evaluations. This gives us an in-depth knowledge of the process, allowing us to advise with precision and efficiency. Optimize your investment and avoid unnecessary costs by contacting us as soon as possible. We offer you a specialized MEMeC consulting service that will ensure that your product meets the standards from the very first moment.
GAP ANALYSIS
Not sure if you meet the requirements of MEMeC? Our GAP Analysis service is the ideal tool to assess the current status of your product. Our experts will thoroughly analyze your cryptographic implementation, identifying any deficiencies that may prevent certification. This detailed analysis will allow you to clearly understand the steps necessary to pass the MEMeC-compliant Cryptographic Assessment and focus on correcting the aspects that do not meet the standard. With us, you will have a complete and accurate vision to face the evaluation successfully.
DOCUMENTATION DEVELOPMENT
We know that preparing the proper documentation for MEMeC certification can be a challenge. At jtsec, we are in charge of writing the Vendor Questionnaire and we guide you in the preparation of the rest of the documentation, making sure that it meets all the requirements of content and format required by the standard. Our goal is to save you time and money, offering you an efficient and optimized approach, so you can focus on what you do best: innovate.
TRAINING
Does your team need to acquire advanced cryptographic skills? At jtsec, we offer you completely customized training. Whether for labs, developers or schemes, we tailor our courses to meet your specific needs. After receiving this training, your team will be fully trained to face the MEMeC certification process with confidence, knowledge and guarantees. Trust our experience to prepare your team and turn cryptography into a strong point of your company.