- "Components producers pay for certification"
- "Certifications test only against a known set of predefined scenarios"
- "Certifications are not a replacement for independent review"
Thread👇
In a Common Criteria certification process (for a circuit), there are 4 actors:
1. The sponsor (SP)
2. The chip manufacturer (CM)
3. The 3rd party evaluation lab (lab)
4. The Certification body (CB)
Often the SP and the CM are the same entity, but not always.
The lab is an independent security evaluation entity accredited by the CB. There is no commercial relationship between the lab and the CB. The CB regularly audits the lab to verify its skills.
Labs can lose their accreditation.
The CBs are national entities funded by states (for financial independence). A mutual recognition exists for CC certificates, but only among a few CBs (sogis.eu).
The CBs audit each other to verify skills and independence. Recently one member has been kicked out.
During the evaluation, the lab:
- carefully audits the code (all the development evidence is provided by the CM: firmware, Verilog, tests, development environment, functional/architecture/implementation specifications)
- does a vulnerability analysis: from the evidence, what are the possible attack paths?
- emits a test plan
- launches the actual test campaign. It often modifies the initial test plan based on the findings. The campaign includes *at least* side-channel analysis (SCA), fault attacks (FA), hardware reverse engineering and software attacks.
Then the lab reports the vulnerabilities it found to the CM (there are always some).
The CM tries to fix them (when possible), either on the firmware side or on the hardware side (in which case a new version of the chip must be manufactured).
When there are no more vulnerabilities, the lab sends the evaluation report to the CB.
- CMs do not pay for certification; they pay for an independent evaluation.
- The certification process is not a push-button approach; it is based on vulnerability analysis.
- Certification is not a replacement for an independent review: that is actually true. An independent review is a prerequisite for certification.