Vendors are increasingly looking to leverage OpenSSL 3.x as their cryptographic module of choice within their products. At the same time, entropy continues to be a focus in both FIPS 140-3 and Common Criteria projects. For those transitioning from …
Introduction to the Quantum Computing Impact on Cryptography
Quantum computing continues to be a hot topic. Within the certification industry, it was most recently covered at the International Common Criteria Conference (ICCC) held in Spain. So, what is quantum computing and, more importantly, what is the potential …
What’s the Deal With NDcPP 3.0?
This post aims to answer the most common questions we get about NDcPP 3.0:
X.509 CA:FALSE Testing
Many modern Common Criteria Protection Profiles include X.509 requirements requiring the evaluator to construct a series of certificates designed to verify that a system under test is correctly parsing and validating them. X.509 certificates appear relatively simple on the surface, …
Vulnerabilities and Common Criteria
No computing system is free from security vulnerabilities. Such flaws can manifest themselves within software, firmware and hardware implementations. Often the ease in widespread mitigation is based in part on whether a vendor can provide updates to software (relatively easy), …
What’s New In App PP v1.4
The Protection Profile for Application Software (APP PP) v1.4 has recently been published. Here are some key points from our initial review. PP-Modules. Vendors are now allowed to specify additional protection profiles (PPs) and PP-Modules in a PP-Configuration with APP …
Product Development. What’s Assurance Got To Do With It?
Observations from a CC newcomer. If you’re new to Common Criteria (CC), you might be feeling a little overwhelmed and find yourself wondering if the effort in performing the certification is really worth it. As a newcomer to the industry …
NIST 800-90B Input Data Considerations
For the past few years, the Common Criteria program has been mandating entropy analysis for almost all protection profile based evaluations. Since November 2020, NIST 800-90B has also become a mandatory requirement under the FIPS 140-2 and the forthcoming FIPS …
The Role of Cryptographic Algorithm Validations in Common Criteria (CAVP FAQ)
[Updated July 6, 2021 – NIAP requires exact match CPU specs in CAVP certificates] Most CC evaluations performed in North America include cryptographic security claims called out in the target Protection Profile (PP) that is being used. Those requirements are …
Explicitly Parameterized ECDSA X.509 Certificates
Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this. NIAP (the US Common Criteria Scheme) recently published a series of …