Blog | Page 6 | Lightship Security

The Mother of All NIAP Protection Profiles – NDcPP

Lachlan Turner November 29, 2018Certifications, Common Criteria

We took a strategic decision early on at Lightship Security to focus our initial Greenlight development efforts on automating the tests specified by the Network Device collaborative Protection Profile (NDcPP). There are two main reasons for this:

It is the most widely used Common Criteria Protection Profile in North America (given its generic applicability)
It is the forerunner for most NIAP Approved Protection Profiles which re-use a large portion of the NDcPP Security Functional Requirements (SFRs)

Now, we have automated the testing not only for NDcPP but also several other Protection Profiles by virtue of this SFR re-use. Below we present an analysis of the re-use of NDcPP requirements across NIAP Approved Protection Profiles (all but a few).

Notable NDcPPv2.1 Changes (from v2.0e)

Lachlan Turner October 3, 2018Certifications, Common Criteria

[March 12, 2019 Update] NDcPPv2.1 has been formally endorsed by NIAP.

NDcPPv2.1 is hot off the presses from the Network iTC. ~~It is yet to be officially accepted by NIAP for PCL usage however this is probably not too far off, perhaps with some minor tweaks (the new NTP SFR being something to watch)~~.

Here are some notes from our initial review:

NTP. A new SFR has been added for NTP which we understand refers to mechanisms that are supported by commonly available NTP clients. Vendors still have the option of specifying manual time configuration. If v2.1 is accepted by NIAP as is, this will remove the mandated use of a trusted channel for NTP which was causing problems for some vendors in v2.0e.
TLS. Administrators can now elect to ignore certificate validation failures. Support for 192-bit ciphersuites has been removed and a couple of new suites have been added.
X.509. Certificate revocation checking requirements have been ‘clarified’ by an application note. This may result in changes for implementations that meet the current requirements.
Audit Events. All generation/import/change of long-term cryptographic keys (i.e. not session keys) need to be audited, including those that are automatically generated by the TOE.

SSH Rekey Limits with OpenSSH

Greg McLearn August 13, 2018Common Criteria

Since this article was posted, the international Network Interpretations Team has issued RFI 201824 stating that the send and receive keys can be independently rekeyed. Therefore, the requirement that the ‘aggregate’ traffic be counted is no longer mandated according to the iTC. NIAP has yet to endorse RFI 201824, meaning that still, as of April 2, 2019, NIAP still requires the aggregate be counted.

Background

In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8. On the face of it, FCS_SSH*_EXT.1.8 is a fairly straightforward SFR with a relatively straightforward means to enforce it:

FCS_SSHS_EXT.1.8: The TSF shall ensure that within SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of transmitted data. After either of the thresholds are reached a rekey needs to be performed.

However, it is vitally important to read the application note (Application Note 102 in NDcPP v2.0+20180314) that follows this SFR element, because one small detail appears to be catching vendors by surprise:

For the maximum transmitted data threshold, the total incoming and outgoing data needs to be counted.
Read More

6 Tips to Help Avoid Surprises In Your Next Common Criteria Evaluation

Jason Lawlor July 29, 2018Certifications, Common Criteria

Undertaking a Common Criteria (CC) evaluation should not be an opaque process from a timing, process or cost perspective. In this post, the testing experts at Lightship provide 6 practical tips to ensure that you are getting the best value and outcomes for your certification dollar. The following is targeted primarily at Protection Profile (PP) based evaluations, but most also apply to Security Target (EAL) based projects.

lightship-iaea-cyber-risk-nuclear-supply-chain

Lightship at IAEA Meeting on Cyber Risk in the Nuclear Supply Chain

Lachlan Turner July 4, 2018Common Criteria, Lightship News

Lightship Security Director of Consulting, Lachlan Turner, was nominated by the Government of Canada to participate in the International Atomic Energy Agency (IAEA) Technical Meeting on Reducing Cyber Risks in the Supply Chain which was held at IAEA’s Headquarters in Vienna, Austria, from 25 to 29 June 2018. Lachlan attended along with some 110 other delegates from around the world. Delegates included nuclear regulators, operators, suppliers and various other industry representatives.Read More

Don’t Call it a Bash Script: Automation is Not Scripting

Alex Thurston June 13, 2018Certifications, Common Criteria

Or, maybe it is. In reality, the answer is that all automation is scripting but not all scripting is automation. Automation is really a maturation or evolution of scripting. Calculators script the mathematical principles defined by Thales, Pythagoras, Euclid and Archimedes. To-do applications script the act of making a list of tasks on a piece of paper and scratching them off. The directions given by Google Maps on a road trip script the job normally performed by the person with a paper map sitting in the passenger seat.

Tutorial – Generating Test Vector Responses for CAVP Testing

Jason Lawlor May 23, 2018FIPS 140-2

In this short tutorial, we demonstrate how to generate the AES response files used in CAVP algorithm testing. The OpenSSL FIPS Object Module 2.0.16 is used for this demonstration.

On the Road with Mobile Certifications

Greg McLearn April 1, 2018Certifications, Humour

At Lightship Security, we are all about certifying at the speed of development. Therefore, we are proud to announce our new mobile certifications laboratory. With over 1200 cubic feet of interior high-tech laboratory goodness, we can handle even your most demanding certification needs. The 10-cylinder, 350 horsepower motor will have us rolling into your neighbourhood before the ink dries on the contract.

Look for Lightship Security Mobile Certifications near you. For more information about this amazing industry-first service, click here.

How to get on the NIAP Product Compliant List (PCL)

Lachlan Turner March 20, 2018Certifications, Common Criteria

Many vendors seeking to sell hardware or software to the U.S. Government, particularly to defense and intelligence agencies, will find that cyber security product certification is mandated by federal procurement requirements (CNSSP 11) for these environments. We know, because many of our clients come to us for this very reason – fast, efficient, low risk evaluations that ultimately end up on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL).

Lightship Security interview with Ottawa Business Journal

Lachlan Turner January 30, 2018Certifications, Lightship News

Our President Jason Lawlor talks with the Ottawa Business Journal to explain what Lightship Security is all about. Interview topics include:

An introduction to Lightship Security… and why the name Lightship?
Product certification and Common Criteria overview
Certification at the Speed of Development using our Greenlight test automation platform
Lightship Security innovation and growth strategy