MEMeC Evaluation, accredited lab

  • Top-Level Experts
  • Leading laboratory in MEMeC evaluations
  • Cryptographic Mechanisms Evaluation Methodology (MEMeC) by CCN, created by CCN with the help of jtsec
  • First MEMeC laboratory accredited by CCN

Click here to find our talks related to MEMeC and other standards offered in the most relevant cybersecurity events
By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.

WHAT IS A MEMeC CERTIFICATION?

jtsec has collaborated with the CCN (National Cryptographic Center) in the creation of a Methodology for the Evaluation of Cryptographic Mechanisms (MEMC) implemented in products whose main functionality is based on the use of cryptography.

The objective of this certification is to evaluate the correct implementation of cryptographic mechanisms used in technology products, which are being assessed under Common Criteria (CC), LINCE, STIC certifications, or those evaluated directly against this methodology as a cryptographic evaluation. In this way, a common framework for validating cryptographic mechanisms is created, enabling cryptographic certification at a national level.

A MEMeC certification defines three incremental assurance levels (CL1, CL2, and CL3) in terms of the number of requirements to meet, as well as the depth of compliance with them. These requirements are grouped into four fundamental areas:

  • Cryptographic implementation: focused on verifying that both the cryptographic mechanisms implemented by the product and their configuration comply with the CCN-STIC 221 guide.
  • Cryptographic management: focused on verifying that the product properly implements self-tests associated with these mechanisms, performs correct management of Sensitive Security Parameters throughout their lifecycle, and implements mitigation against other attacks, such as side-channel attacks.
  • Conformity Testing: it focuses on verifying the results of the algorithms implemented by the product by conducting compliance tests.
  • Implementation Pitfalls: focuses on verifying that cryptographic mechanisms are implemented while avoiding common implementation errors.

DOCUMENTATION AND TOOLS REQUIRED IN THE MEMeC EVALUATION PROCESS

Depending on the level of certification being sought, the following list of items and documentation is required to begin the evaluation process:

For CL1:

  • TOE identification: It consists of defining the scope of the cryptographic evaluation. This means, clearly defining boundaries of the cryptographic evaluation itself and providing an adequate definition of the TOE as well as its purpose from the cryptographic point of view.
  • Manufacturer's questionnaire (VQ): Document provided by the laboratory containing the necessary questions to provide evidence of the correct implementation and use of the cryptographic mechanisms implemented by the cryptographic module and additional documentation necessary to perform the evaluation.
  • Conformance Testing Tool (Test Harness): It consists of the software/firmware toolset that must be fully developed by the vendor to enable the laboratory to execute the test vectors by invoking the cryptographic implementation of the TOE.

In addition to the above, for CL2 y CL3 is required:

  • Test and operation interfaces to verify TOE functionality: Functional specification that identifies the TOE interfaces, as well as how to execute each of the implemented cryptographic mechanisms using them and how to obtain the result associated with such executions.
  • Evidence of the Prevention of Common Implementation (Pitfalls): Presentation of the necessary evidence to avoid common implementation errors associated with the cryptographic mechanisms implemented.
  • Implementation Representation (CL3): TOE source code or VHDL related to the implementation of the TOE cryptographic mechanisms, including information such as compilers, compilation options, etc.
  • VQ for Random Number Generation: In case the TOE implements a random number generator to support the cryptographic functionality of the TOE, it will be necessary to provide a VQ associated to it and use a certified random number generator.

MEMeC CERTIFICATION PROCESS IN SPAIN

To certify a cryptographic product as MEMeC compliant, the product must be evaluated by an ENAC and CCN authorized laboratory acting as a reliable and technically qualified third party.

The laboratory shall review the manufacturer's documentation and perform tests to verify that a product's cryptographic mechanisms conform to applicable requirements and implement authorized cryptographic functions.

Once the manufacturer of the cryptographic product has delivered to the laboratory the Vendor Questionnaire along with all the documentation necessary to perform the evaluation, the laboratory shall perform the necessary tests to verify if the product complies with the MEMeC requirements.

The results of the evaluation performed by the laboratory are set out in an Evaluation Technical Report (ETR). The CCN will validate this report, and, in case no implementation failures or non-conformities were found during the evaluation, the product is certified as having been satisfactorily evaluated according to the MEMeC.

They already trusted us. Let's talk!

WHAT WE OFFER?

At jtsec we are leaders in cryptographic evaluations, mastering each stage of the process thanks to our participation in the MEMeC wording together with CCN and for being the first accredited laboratory by CCN and ENAC nationwide. With us, avoid unnecessary costs Contact us as soon as possible and guarantee the success of your evaluation!

  1. EVALUATION

    As an accredited laboratory, we carry out the complete evaluation of your cryptographic product. We analyze in detail the information provided in the Vendor Questionnaire and all associated documentation. In addition, we verify that the cryptographic mechanisms are correctly implemented and function according to the MEMeC requirements, ensuring fast and accurate certification.

  2. TRUST AND PROFESSIONALISM

    With years of experience in safety certifications, at jtsec we have a team that has been directly involved in the MEMeC development. This in-depth knowledge, combined with our technical expertise, not only streamlines the evaluation process, but also helps you to saves time and money. Trust our team to take your product to the next level.

  3. CUSTOMIZED APPROACH

    Each product is unique, and at jtsec we know it. That's why we offer a completely customized approach for your certification, adapting to the particularities of your project. We create a tailored work environment, where your specific needs are our priority. We work with you to make the process as efficient and successful as possible.

  4. TECHNICAL TRAINING

    At jtsec, we are committed to technical excellence. Only with the highest qualification can we guarantee the highest level of security of your products. Our equipment is subjected to a continuous training to keep a refined and accurate evaluation process. With us, you will be in the hands of professionals who take security to the highest level.

  5. TIME TO MARKET

    We know that in the world of technology, time is of the essence. At jtsec, we make speed our strength, without compromising quality. If your project has tight deadlines, you can rely on us to meet your deadlines and give you a competitive advantage. We put all our resources at your disposal, not only to be the best, but also to be the first to deliver the results you need.