Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Similar documents
GSA FIPS 201 Evaluation Program

Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer

Introducing atsec information security. Helmut Kurth, Sal la Pietra and Staffan Persson

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Certification Report

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

The Government-wide Implementation of Biometrics for HSPD-12

NIST Cryptographic Algorithm Validation Program (CAVP) Certifications for Freescale Cryptographic Accelerators

Certification Report

Certification Report

Guideline for Implementing Cryptography In the Federal Government

Using BroadSAFE TM Technology 07/18/05

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

Archived NIST Technical Series Publication

How To Get The Nist Report And Other Products For Free

Secure Network Communications FIPS Non Proprietary Security Policy

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Certification Report

Certification Report

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

Human Factors in Information Security

An Introduction to Cryptography as Applied to the Smart Grid

Pulse Secure, LLC. January 9, 2015

The NIST SP A Deterministic Random Bit Generator Validation System (DRBGVS)

Guide to Data Field Encryption

Certification Report

Recommendation for Key Management Part 1: General (Revision 3)

Symantec Mobility: Suite Server Cryptographic Module

Athena Smartcard Inc. IDProtect Key with LASER PKI FIPS Cryptographic Module Security Policy. Document Version: 1.0 Date: April 25, 2012

How To Evaluate Watchguard And Fireware V11.5.1

Entrust Smartcard & USB Authentication

EAC Decision on Request for Interpretation (Operating System Configuration)

Alliance Key Manager Solution Brief

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Certification Report

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module

SUSE Linux Enterprise 12 Security Certifications

McAfee Firewall Enterprise 8.2.1

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

NIST Cyber Security Activities

Randomized Hashing for Digital Signatures

Ciphire Mail. Abstract

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Securing Your Sensitive Data with EKM & TDE. on SQL Server 2008/2012

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Hardware Security Modules for Protecting Embedded Systems

Recommendation for Cryptographic Key Generation

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

McAfee Firewall Enterprise 8.3.1

Key Management Best Practices

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)

Review Article Cyber Security for Smart Grid, Cryptography, and Privacy

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Certification Report

FIPS Security Policy

Authentication requirement Authentication function MAC Hash function Security of

Complying with PCI Data Security

UM0586 User manual. STM32 Cryptographic Library. Introduction

PRIME IDENTITY MANAGEMENT CORE

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

Evaluation of Digital Signature Process

Government of Ontario IT Standard (GO-ITS) Number Security Requirements for the Use of Cryptography

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

National Security Agency Perspective on Key Management

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

FIPS Security Policy LogRhythm Log Manager

Cryptographic Key Management (CKM) Design Principles for the Advanced Metering Infrastructure (AMI)

FIPS Non Proprietary Security Policy: IBM Internet Security Systems Proventia GX Series Security

BMC Client Management - SCAP Implementation Statement. Version 12.0

Strong Authentication for Future Web Applications

Common Criteria NDPP SIP Server EP Assurance Activity Report

FIPS Security Policy LogRhythm or Windows System Monitor Agent

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Citrix MetaFrame XP Security Standards and Deployment Scenarios

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy

Cyber Security Practical considerations for implementing IEC 62351

NitroGuard Intrusion Prevention System Version and Security Policy

Security Policy. Trapeze Networks

Nortel Networks, Inc. VPN Client Software (Software Version: 7_11.101) FIPS Non-Proprietary Security Policy

IBM Crypto Server Management General Information Manual

Introduction to Security and PIX Firewall

Certification Report

Table of Contents. Bibliografische Informationen digitalisiert durch

Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 4.0

Transcription:

Cryptographic and Security Testing Laboratory Deputy Laboratory Director, CST Laboratory Manager

About our Cryptographic and Security Testing Laboratory Bringing together a suite of conformance testing programs from agencies including NIST, CSE and the GSA. atsec offers Quality Expertise and experience Specialist knowledge CST= Cryptographic and Security Testing NVLAP= National Voluntary Laboratory Accreditation Program 2

CST Lab History 2000: atsec information security founded Started with Common Criteria 2005: atsec establishes a CST Lab, accredited under NVLAP for CMVP CAVP 2008: CST Laboratory scope expands with NPIVP SCAP GSA FIPS 201 EP 2012: CST Laboratory scope expands with TWIC (Until 2015) atsec information security, 2013 3

atsec s CST Conformance Testing Laboratories NIST s Cryptographic Module Validation Program FIPS 140-2 NIST s Cryptographic Algorithm Validation Program AES, TDES, Hash, RNG, RSA etc NIST s Personal Identity Validation Program FIPS 201, Smartcard Applet and middleware GSA s FIPS 201 Evaluation Program FIPS 201 related procurement (ID related products) NIST s Security Content Automation Program Supporting Federal Desktop Core Configuration, Tools capabilities and components CMVP CAVP NPIVP GSA FIPS 201 EP SCAP 4

Cryptographic Module Validation Program (CMVP) Operated in partnership by NIST's Security Management & Assurance group, and Canada's CSE Provides certification for conformance to the NIST standards for cryptographic modules: FIPS 140-2 Products using cryptography and used in the U.S. Federal arena are mandated to comply. Used in a variety of other areas U.K. And Japan Government Digital Cinema specification Banking and Financial 5

Cryptographic Algorithm Validation Program (CAVP) Operated by NIST's Security Management & Assurance group Performs validation of implementation testing of NIST Approved algorithms NIST statistics have shown that close to 25% of cryptographic algorithms are implemented incorrectly. Algorithm Validation is performed in support of: FIPS 140-2 PCI assessment Voting systems Financial Industry Many other software assurance programs FIPS Approved/NIST Recommended Cryptographic Algorithms Symmetric key Triple DES (TDEA) (SP 800-67) AES ( FIPS 197) EES - Skipjack (FIPS 185) Asymmetric key DSA2 RSA2 ECDSA2 (FIPS 186-3) Digital Signature Standard (DSS) (FIPS 186-2) Message Authentication CMAC (SP 800-38B) CCM (SP 800-38C) HMAC (FIPS 198) GCM and GMAC (SP 800-38D) Hash SHA- 1,224,256,384,512 (FIPS 180-3) Random Number Generators Random Number Generation for DSA (FIPS 186-2) RNG for ECDSA (ANSI X9.62) RNG for RSA (ANSI X9.31) DRBG deterministic random bit generator (SP 800-90) Key Management KAS FFC KAS ECC (SP 800-56A) 6

NIST's Personal Identity Verification Program (NPIVP) Operated by NIST's Systems & Emerging Technologies Security Research group Validate the compliance/conformance of two PIV components --PIV middleware and PIV card application with the specifications in NIST SP 800-73 Provides assurance that the set of PIV middleware and PIV card applications that have been validated by NPIVP are interoperable 7

Security Content and Automation Protocol (SCAP) Conformance testing offered by NIST's Information Technology Laboratory Authenticated Configuration Scanner In support of the Federal Desktop Core Configuration and vulnerability management "Information technology providers must use SCAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations." - U.S. Office of Management and Budget 8

GSA FIPS 201 EP The General Services Administration (GSA), is the executive agent for acquisition of HSPD-12 products and services Focuses on interoperability and performance testing Applies to all vendors that submit or intend to submit a proposal to sell products/services on the GSA Blanket Purchase Agreement (BPA) for FIPS 201 Approved Products/Services under Information Technology (IT) Schedule 70, Special Item Number (SIN) 132-60 9

atsec CST Lab Services Training and Testing Support Readiness Assessment Conformance Consulting Conformance Testing Corporate Certification Strategy atsec information security, 2013 10

Readiness Assessment for FIPS 140-2 A readiness assessment helps Establish a certification strategy Establish boundaries of the product for optimal testing projects Discover any gaps and discuss remediation Introduce the developer and testing teams, establishing good rapport Allow atsec to estimate costs and hence offer a fair fixed price Perform basic training Typically 1 or 2 days duration onsite, the report follows within 2 weeks 11

Training for FIPS 140-2 We offer technical training for your team Introductory workshop suitable for business managers (2 hrs- ½ day) Developer training suitable for development staff involved in validation projects (1-5 days, Architecture, Hardware and Software) Workshops on technology-specific IT security Workshops on standards transitions 12

Conformance Testing Resulting in a certificate for your products atsec s commitment On-time delivery Full support for your team Experts who actively follow the programs Negotiation with the programs to solve technical problems 13

Hardware Testing For physical devices, often located in hostile environments Integrated circuits; Smartcards: e-passports, SIM cards, credit cards; Personal devices: cell phones, PDAs; Embedded systems Card readers, digital tachographs, alarm systems, electricity meters; Network devices ; Devices using ASICs, FPGAs or on-chip cryptographic functions. 14

Hardware Testing Our capabailities for hardware security testing include: Low Tech/Environmental Tests Moderate Tech/Passive and Probe Tests High Tech/Energy Tests Enclosure hardening Tamper evidence, tamper detection, tamper response testing and consulting Embedded software architecture security design review and source code review Consulting on Monolithic kernels such as Embedded Linux and Microsoft CE Protocol Analysis including proprietary network protocols and their network interfaces Cryptographic testing for ASICs and software implementations of algorithms Electromagnetic shield testing 15

Consulting Consulting associated with a Conformance testing project Physical Security Producing the Security Policy in conjunction with your key security and product architects a timely and well-written SP can save weeks from the schedule and avoid costly overruns and errors Support in providing the evidence needed we minimize the evidence to the required minimum we do NOT recommend producing any unneeded documentation Support in producing the right test cases 16

Corporate Certification Strategy For companies where formal certification of products is a key marketing or customer requirement, atsec assists with Determining the strategy for gaining and maintaining compliance for a variety of certifications including Common Criteria and FIPS 140-2 Synchronizing certification and re-certification with the product release cycle Helping customers develop efficient development processes for one or more products saving money and time. 17

Commitment to Quality atsec ensures all internal processes are certified with the leading international standards ISO 9001 for quality ensures ALL internal business processes meet recognized standards, mature and improve. covers everything from back-office processes to lessons learned ISO/IEC 27001 for information security ensures that information and IP entrusted to us stays safe at all time ISO 17025 for laboratory services ensures our formal laboratory procedures are world-class 18

Why do business with atsec? atsec delivers results on time and at a fair price atsec provides unique synergies: Combined Common Criteria and FIPS 140-2 (or other) testing Maximizes reuse of evidence while minimizing the time and costs atsec has global reach atsec employs experts with internationally-recognized track records atsec leads the industry Contributing to development of standards Advising schemes and programs about the state-of-theart for information security 19

Find out much more at www.atsec.com atsec s thought leadership at http://atsec-information-security.blogspot.com/ 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information