Blog - Lightship Security

SSH Rekey Limits with OpenSSH

Greg McLearn August 13, 2018 Common Criteria

Background

In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8. On the face of it, FCS_SSH*_EXT.1.8 is a fairly straightforward SFR with a relatively straightforward means to enforce it:

FCS_SSHS_EXT.1.8: The TSF shall ensure that within SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of transmitted data. After either of the thresholds are reached a rekey needs to be performed.

However, it is vitally important to read the application note (Application Note 102 in NDcPP v2.0+20180314) that follows this SFR element, because one small detail appears to be catching vendors by surprise:

For the maximum transmitted data threshold, the total incoming and outgoing data needs to be counted.
Read More

Demystifying The OpenSSL FIPS Test Suite

Jason Lawlor August 8, 2018 FIPS 140-2

In this short video tutorial, we examine the freely available FIPS 140-2 test suite which is part of the OpenSSL FIPS Object Module development package.

6 Tips to Help Avoid Surprises In Your Next Common Criteria Evaluation

Jason Lawlor July 29, 2018 Certifications, Common Criteria

Undertaking a Common Criteria (CC) evaluation should not be an opaque process from a timing, process or cost perspective. In this post, the testing experts at Lightship provide 6 practical tips to ensure that you are getting the best value and outcomes for your certification dollar. The following is targeted primarily at Protection Profile (PP) based evaluations, but most also apply to Security Target (EAL) based projects.

lightship-iaea-cyber-risk-nuclear-supply-chain

Lightship at IAEA Meeting on Cyber Risk in the Nuclear Supply Chain

Lachlan Turner July 4, 2018 Common Criteria, Lightship News

Lightship Security Director of Consulting, Lachlan Turner, was nominated by the Government of Canada to participate in the International Atomic Energy Agency (IAEA) Technical Meeting on Reducing Cyber Risks in the Supply Chain which was held at IAEA’s Headquarters in Vienna, Austria, from 25 to 29 June 2018. Lachlan attended along with some 110 other delegates from around the world. Delegates included nuclear regulators, operators, suppliers and various other industry representatives.Read More

Don’t Call it a Bash Script: Automation is Not Scripting

Alex Thurston June 13, 2018 Certifications, Common Criteria

Or, maybe it is. In reality, the answer is that all automation is scripting but not all scripting is automation. Automation is really a maturation or evolution of scripting. Calculators script the mathematical principles defined by Thales, Pythagoras, Euclid and Archimedes. To-do applications script the act of making a list of tasks on a piece of paper and scratching them off. The directions given by Google Maps on a road trip script the job normally performed by the person with a paper map sitting in the passenger seat.

Secure Tunnelled NTP Proof of Concept

Greg McLearn June 4, 2018 Common Criteria

Recently, NIAP issued Technical Decision TD0321: Protection of NTP communications. It states that network time sources are critical pieces of information that must be protected. However, having no other agreed-upon mechanism to authenticate the source of, or ensure the integrity of NTP packets, NIAP requires vendors to use NTP over one of only a handful of acceptable trusted communications channels: TLS, DTLS, HTTPS*, SSH or IPSec.

This leaves many vendors in a bind since there are (a) no public-facing NTP servers that operate over any of these permissible channels; and, more importantly, (b) there are no widely available NTP server/client implementations that can be used to build such a solution.

NIAP TD0321: Protection of NTP communications

Lachlan Turner May 24, 2018 Certifications, Common Criteria

NIAP has issued Technical Decision TD0321 against the Network Device Collaborative Protection Profile (NDcPPv2.0e) mandating the use of a trusted channel (IPsec, SSH, TLS, DTLS, HTTPS) for NTP (or non-NTP external entity used to set time). This will impact any in-flight and future NDcPP evaluations that are destined for the NIAP PCL.
Read More

Tutorial – Generating Test Vector Responses for CAVP Testing

Jason Lawlor May 23, 2018 FIPS 140-2

In this short tutorial, we demonstrate how to generate the AES response files used in CAVP algorithm testing. The OpenSSL FIPS Object Module 2.0.16 is used for this demonstration.

Certification Head Start

Jason Lawlor April 11, 2018 Certifications, Common Criteria

Imagine having more than 60% of your Common Criteria evaluation completed in less than a week.
With Lightship’s Certification Head Start offering, we can make it happen.
Read More

Common Criteria Lab Accreditation

Lachlan Turner April 3, 2018 Certifications, Common Criteria, Lightship News

We are excited to announce that Lightship Security is a fully accredited Common Criteria laboratory. Prepare for warp-speed certifications! Contact us to find out how our experienced team uses Greenlight automation and Lightship’s industry first functional gap assessment methodology to transform your certification experience.

Full press release: Lightship Security completes accreditation as Common Criteria laboratory

Standards Council of Canada: Directory of Accredited Laboratories – Lightship Security

Communications Security Establishment: Common Criteria Evaluation Facilities