Quantitative Analysis of Entropy

Greg McLearn Entropy

[Jan 12, 2018 update: With the final release of NIST SP 800-90B, we’ve updated this post to reflect the new published status of this NIST SP as well as to correct any differences between rev2 and the final publication.]


It had been almost two years since NIST SP800-90B, draft 2 was released. When the final special publication was released on January 10, 2018, we hadn’t expected it to change as dramatically as it did between draft 1 and draft 2.  After a cursory review, it would appear there are only minor changes to the quantitative elements.  With the new published status, we will expect many Common Criteria schemes — if they don’t already — to soon mandate quantitative analysis of the raw entropy source.

While SP 800-90B was in draft form, North American schemes (NIAP and CSE) have permitted labs to evaluate a quantitative analysis (if available) or a qualitative analysis of a vendor’s entropy source. Qualitative analysis is usually relied upon when raw entropy is not easily obtained (such as from hardware sources or from closed-source systems), but is often onerous to author and often inefficient to get through evaluation. By contrast, quantitative analysis can bypass significant discussions on the merits of otherwise opaque hardware and software constructs and quantify the raw entropy as a single number. In this technical post, we will discuss one structured approach to quantitative analysis of a raw entropy source.



Code for NIST Entropy Health Testing

Greg McLearn Entropy, Tools

[Jan 12, 2018 update: With the final release of NIST SP 800-90B, we’ve updated the sample health test code to match the minor changes between rev2 and the final version.  The narrative of this post with respect to requirements for Common Criteria has been updated below as well to reflect the new published status of this NIST SP.]


In Common Criteria, there has been increasing emphasis on the evaluation of the entropy used by manufacturers in the development and deployment of their systems. The following post discusses considerations and approaches for entropy health testing.

Health testing is, of course, necessary to ensure the proper functioning of the noise being provided to the critical components of the cryptographic systems. Therefore, if a vendor is investing resources in ensuring a strongly seeded DRBG, there should be some effort expended on doing some form of health testing.



Agile Assurance: Modernizing IT Product Certification

Lachlan Turner Certifications

In an agile development model, software is developed in incremental, rapid cycles with the goal of continuous improvement, fast flaw remediation and improved customer experience. Agile models advocate adaptive planning, evolutionary development, early delivery, fast iterations, and rapid response to change.

Can modern product assurance programs be designed to keep pace with agile development? At Lightship Security, we think so. In fact, we’ve made it our mission: Certification at the speed of development. We believe that a shift to “agile assurance” is a necessary step towards restoring trust and credibility to the cyber supply chain.

In this post, we are concerned with options to improve assurance outcomes provided by internationally adopted product certification programs. As a company, our focus is on developing solutions that support a modernized approach to product certification. This includes moving our industry towards agile assurance using contextual automation and supporting methodologies – we want to disrupt product certification as we know it.



NDcPP – The devil is in the details

Lachlan Turner Common Criteria

In this post, we identify some common problem areas for vendors complying with the Network Device Collaborative Protection Profile (NDcPP). We’ll discuss how Lightship has adjusted to the new reality that every product going against the very prescriptive NDcPP will have gaps because of the strict level of conformance required – even if the same product was tested against a previous version of NDPP / NDcPP.


Goodbye TLS_RSA


Lachlan Turner Common Criteria

[Dec 13, 2017 update: The plot thickens… in early December researchers revived a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server – known as The Robot Attack. ROBOT only affects TLS cipher modes that use RSA encryption.]


[Nov 6, 2017 update: NIAP has withdrawn Labgram #106 (moved to Superseded List) as NIST has announced an update to its transition plans. The NIST announcement indicates that a draft update to the relevant standard is expected in the summer of 2018.  We recommend that vendors not rely solely on TLS_RSA ciphers, allow admins to disable TLS_RSA and add support for cipher suites that use DHE or ECDHE for key transport.]


[Sep 29, 2017 update: We have heard through unofficial channels that Labgram #106 is on hold and that further guidance from NIAP should be forthcoming ‘soon’. It would be prudent to be prepared to provide guidance to admins to disable TLS_RSA ciphers and add DHE or ECDHE ciphers to your Security Target if not already present.]


NIAP has issued Labgram #106/Valgram #126 – Impact of NIST 2017 Transitions to NIAP and it’s a doozy!  You know that TLS_RSA_WITH_AES_128_CBC_SHA cipher suite that most NIAP Protection Profiles (PP) say is mandatory (even now)? Come January 1, 2018… not allowed. BOOM. Just like that.  In fact, no TLS_RSA suites will be allowed in any NIAP PCL product.  If TLS_RSA_* are the only cipher suites in use then the product will be archived off the list.  Just like that.



Lightship Security Common Criteria Test Lab

Lachlan Turner Common Criteria, Lightship News

The Communications Security Establishment (CSE) of Canada recently accepted Lightship Security as a Candidate Common Criteria Lab – an important milestone in the approval process to become an accredited IT security test lab. Accreditation is performed by the Standards Council of Canada (SCC) in partnership with CSE in accordance with ISO/IEC 17025 and allows participation in the twenty-eight nation Common Criteria Recognition Arrangement (CCRA).

“We are looking to disrupt the certifications landscape with our conformance automation software. Adding the Common Criteria lab allows us to drink our own champagne and perform quality certifications faster than ever before. We’re using Greenlight internally to support the accreditation process.” said Jason Lawlor, President of Lightship Security.

Greenlight is the Lightship Security designed and built software platform that automates testing against the latest Common Criteria Protection Profiles. All labs in Canada, regardless of experience, are required to demonstrate ongoing technical competence to SCC and CSE reviewers. Lightship will be the first lab to integrate comprehensive automation through the use of Greenlight for real-world evaluations.


Lightship Security and Peach Tech partner to address new fuzz testing requirements under Common Criteria

Lachlan Turner Common Criteria, Lightship News

Lightship Security is proud to announce our partnership with Peach Tech, a Seattle, US based security software firm, to support our customers in their pursuit of product certification against the internationally recognized security standard, Common Criteria (CC).

The Collaborative Protection Profile for Network Devices (NDcPP) has introduced fuzz testing as part of the vulnerability analysis process. The NDcPP is a canary in the world of CC and we can expect to see fuzz testing become a standardized requirement across many Protection Profiles.

We’ve integrated Peach Tech’s Peach Fuzzer platform into our Greenlight service offering to give customers the peace of mind that their products meet the latest CC fuzz testing requirements.

Read our joint press release for all the details.


National Research Council of Canada Funding for Automation Platform

Lachlan Turner Lightship News

As part of our commitment to develop innovative certification automation solutions, Lightship Security is pleased to announce that it has received funding from the National Research Council of Canada Industrial Research Assistance Program (NRC-IRAP).

The funding will provide Lightship the ability to accelerate continued development of our industry-first Conformance Automation Platform – Greenlight, in support of our clients’ Common Criteria certification requirements. The IRAP program support will be instrumental in allowing Lightship to tackle the complexities of the solution to meet a growing demand by government and industry for faster and better certification processes and outcomes.

Ark Infosec joins forces with Lightship Security

Lachlan Turner Lightship News

We are pleased to announce that Ark Infosec is joining forces with Lightship Security under the Lightship banner. Ark Infosec founder Lachlan Turner will be responsible for leading and growing the security consulting and professional services practice for Lightship Security. This strategic move gives Lightship a Vancouver presence and proximity to a growing list of clients on the west coast. Lightship Security is headquartered in Ottawa and specializes in conformance automation solutions, IT security certification consulting and advisory services including Common Criteria and FIPS 140-2.

Network Device Collaborative Protection Profile Overtakes EAL2


Lachlan Turner Common Criteria

A lot of vendors are targeting their Common Criteria (CC) efforts towards Network Device Collaborative Protection Profile (NDcPP) compliance. A survey of the Australian, Canadian and US in-evaluation lists showed that there are around twelve ongoing NDcPP evaluations (Feb 2017). In comparison, there are ten ongoing Evaluation Assurance Level (EAL)2 evaluations (AU/CA only). This reflects the five-eyes policy shift towards Protection Profiles and the corresponding long sunset of EAL evaluations (at least in the five-eyes*).
