IT Security Evaluation in China




IT Security Evaluation in China
Yi Mao, Ph.D., CISSP
atsec information security corporation
Austin, TX USA
www.atsec.com
yi@atsec.com
ICCC 2012 September 18-20, Paris, France
atsec information security, 2012

Agenda
- Motivation and Objectives
- Certification and Accreditation Administration of the People's Republic of China (CNCA)
- China Information Security Certification Center (ISCCC)
- China Information Technology Security Evaluation Center (CNITSEC)
- Conclusions

Disclaimer: I'm employed by atsec information security corporation in Austin TX, USA, an independent lab specializing in IT security evaluations. I do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, despite the fact that most of it is in Chinese.

atsec's Vision and Mission
- Promote the effort of establishing a set of well-thought-out, consistent standards for IT security evaluation worldwide.
- Prevent re-inventing the wheel or making the same kind of mistakes repeatedly.
- Enable western clients to deliver their products to the Chinese market by facilitating compliance with the Chinese certification requirements.
- Help Chinese vendors to enter the global market by achieving internationally recognized certificates (e.g. CC, FIPS 140-2).

From China
- The Chinese IT community closely follows international standards
  - A Chinese delegation attends each annual International CC Conference
- Chinese vendors have already achieved CC certification
  - ZTE
  - Huawei
- Chinese vendors have already achieved FIPS 140-2 certification
  - ZTE
  - Pierson
  - Watchdata
- Chinese organizations have received CC and FIPS 140-2 training
  - ISCCC
  - Vendors pursuing CC and/or FIPS 140-2 certifications

To China
When a western vendor wants to sell their IT security products in China (for example, for Chinese government procurement), and needs to get the required certificates using Chinese evaluation schemes, they often wonder where to start. This is especially true for those vendors who do not have local branches in China, because information provided by the following authorities is mostly in Chinese:
- Certification and Accreditation Administration of the People's Republic of China (CNCA)
- China Information Security Certification Center (ISCCC)
- China Information Technology Security Evaluation Center (CNITSEC)

CNCA (Chinese Web Page)

CNCA (English Web Page)

ISCCC (Chinese Web Page)

ISCCC (English Web Page)

CNITSEC (Chinese Web Page)

CNITSEC (English Web Page)

Problem: It's in Chinese!
- Chinese web pages for CNCA, ISCCC, and CNITSEC have much richer content.
- The English versions of their web pages contain only a brief introduction.
- It is impossible for non-Chinese speakers to get a basic understanding of what's going on in China.

What will be covered?
This presentation will provide a brief sketch of the current state of IT security product evaluation in China, not via a word-for-word translation of the Chinese web pages but by connecting the dots to give a high-level view that is:
  o objective
  o up-to-date
  o based solely on publicly available information
  o as coherent as possible

The Chain of Command

CNCA and CCC
- CNCA: The China National Certification and Accreditation Administration is set up and authorized by the State Council to perform administrative functions, and provide unified management, supervision, and nationwide coordination of all certification and accreditation-related organizations.
- One of its responsibilities was to establish, develop, implement, and maintain the China Compulsory Certification (CCC) scheme.
- The CCC Mark is a compulsory safety mark for both domestically manufactured products and any products imported into China.

Catalogue of CCC-products (1)
- Electrical wires and cables
- Switches for circuits, Installation protective and connection devices
- Low-voltage Electrical Apparatus
- Small Power motors
- Electric tools
- Welding machines
- Household and similar electrical appliances

Catalogue of CCC-products (2)
- Audio and video apparatus
- Information technology equipment
- Lighting apparatus
- Motor vehicles and Safety
- Motor vehicle tires
- Safety Glasses
- Agricultural Machinery
- Latex Products

Catalogue of CCC-products (3)
- Telecommunication terminal equipment
- Medical Devices
- Fire Fighting Equipment
- Detectors for Intruder Alarm Systems
- Wireless Local Area Network (WLAN) systems
- Home Renovation Materials
- Toys
- Information Security Products

IS Products Subject to CCC (Notice No. 7 of 2008)
- This notice was given on January 28, 2008.
- It announced the first batch of 13 types of IS products to be included in the mandatory certification catalogue.
- It was to be enforced on May 1, 2009.

13 types of IS Products on CCC Catalogue
1. Firewall products
2. Network security separation cards and line selectors
3. Security isolation and information exchange products
4. Secure routers
5. Smart card chip operating systems
6. Data backup and recovery products
7. Secure operating systems
8. Secure database systems
9. Anti-spam products
10. Intrusion detection systems
11. Network vulnerability scanning products
12. Security audit products
13. Website recovery products

IS Products Subject to CCC (Notice No. 33 of 2009)
A revised notice was given on April 27, 2009 to adjust the statement of CCC for IS products announced in the previous notice (No. 7 of 2008):
- The CCC for IS products would not be enforced until May 1, 2010.
- It is mandatory for government procurement only.

IS Products Subject to CCC (Notice No. 26 of 2010)
This notice was given on July 14, 2010. It announced the:
- official name of the certification scheme (i.e. national information security product certification system)
- official name of the certificate (i.e. China's national information security products certification)
- official certificate mark
- official certificate template

IS Products Certificate Template
The template shows that the certificate will have the following information:
- Certification logo
- Certificate name
- Certificate number
- Official certificate mark
- Information about the applicant
- Information about the manufacturer
- Information about the factory
- Information about the product
- Referenced standards and technical requirements
- Referenced CNCA implementation rule
- Issuance date
- Expiration date
- Condition of validity
- Name and stamp of certification body

Safety vs. Security
安全
- Safety: The state of being free from the occurrence or risk of injury, damage, or loss.
- Security: The process or means of protecting against defects, dangers, loss, and crime. Security denotes a separation between the assets and the threat.
In English, the terms safety and security are related, but each has a distinct and unique meaning. In Chinese, there is only ONE term, 安全, which means both safety and security. This explains why the CCC safety mark, originally intended to ensure a product's quality and harmless function, has been stretched to cover IT security products.

Organizations Tasked by CNCA
- China Quality Certification Center (CQC)
  o Processes most CCC mark applications other than IS products (for safety concerns)
- China Information Security Certification Center (ISCCC)
  o Processes CCC mark applications for IS products (known as CC-IS) and WLAN products (for security concerns)
- China National Accreditation Service for Conformity (CNAS)
  o Processes accreditations of certification bodies
  o Processes accreditations of laboratories
  o Processes accreditations of inspection bodies

CNCA Designated Labs for CC-IS
- CNCA Notice No. 3 of 2008
  o ISCCC is the designated certification body for CC-IS.
  o There are seven CNCA-designated labs for CC-IS.
    - China Information Technology Security Evaluation Center (CNITSEC)
- CNCA Notice No. 25 of 2009
  o Defines the business scope for each designated lab

China Compulsory Certification Process
The CCC process consists of the following steps:
1. Submission of an application and supporting materials to a certification body (e.g. ISCCC for CC-IS)
2. Documentation review for the acceptance of the application
3. Type testing on product samples by a CNCA-designated lab (e.g. the seven CC-IS labs)
4. Factory inspection by certification body representatives
5. Evaluation of the test results (may involve re-testing for failed tests) and certificate approval
6. Certification maintenance via annual surveillance inspection

How long does CCC certification take?
Article 15 in Mandatory product certification regulations (effective as of May 1, 2002, http://www.cnca.gov.cn/cnca/rdht/qzxcprz/flfg/72303.shtml) specifies:
Under normal circumstances, a designated certification body shall complete the certification process and notify the applicant about the certification result within 90 days after an application is accepted.

How much does CCC certification cost?
CNCA regulates mandatory product certification fees (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/default.shtml):
- Certification application fee
- Fees for a designated lab to conduct type testing on sample products for each type of product listed on the CCC catalog
- Daily rate for a certification body representative to conduct factory inspections
- Ranges of Person-Days needed for the initial factory inspection for each type of product listed on the CCC catalog
- Ranges of Person-Days needed for the follow-up surveillance factory inspection for each type of product listed on the CCC catalog
- Annual certification maintenance fee
- Prices of CCC marks to be printed
Fees may be adjusted as product types are added to or deleted from the CCC catalog. To reduce the vendors' financial cost for CCC, CNCA announced a 10%~30% fee reduction on May 1, 2009.

Lab Testing Fees for IS Products (1)
CNCA announced the lab testing fees on May 22, 2009 (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/images/2009/06/22/0CC0B946123A4FE5B9E4A265B17488FB.doc):
Product type | Fees in CNY | Fees in USD
1. Firewall products | L1: 18500; L2: 35500; L3: 51500 | < 8,200
2. Network security separation cards and line selectors | Basic: 20000; Enhanced: 34000 | < 5,400
3. Security isolation and information exchange products | L1: 21000; L2: 37000; L3: 49000 | < 7,800
4. Secure routers | L1: 20500; L2: 42000; L3: 51000 | < 8,100
5. Smart card chip operating systems | 77500 | < 12,300
6. Data backup and recovery products | Basic: 30000; Enhanced: 40000 | < 6,400

Lab Testing Fees for IS Products (2)
Product type | Fees in CNY | Fees in USD
7. Secure operating systems | L3: 43000; L4: 64000; L5: 85000 | < 13,500
8. Secure database systems | L3: 43000; L4: 69500; L5: 84000 | < 13,300
9. Anti-spam products | 19000 | < 3000
10. Intrusion detection systems | L1 (host/net): 20000/23000; L2 (host/net): 32000/43000; L3 (host/net): 69000/88000 | < 13,900
11. Network vulnerability scanning products | Basic: 22500; Enhanced: 37500 | < 6,000
12. Security audit products | Basic: 19100; Enhanced: 33800 | < 5,400
13. Website recovery products | Basic: 22000; Enhanced: 34000 | < 5,400

Factory Inspection Fee for IS Products
CNCA announced ranges of Person-Days for initial and follow-up factory inspections for all 13 types of IS products on May 22, 2009 (2,500 CNY per Person-Day): Initial: 2-4 PD / Follow-up: 1-3 PD (< 1,600 USD / 1,200 USD) 1. Firewall products 4. Secure routers Initial: 4-6 PD / Follow-up: 2-4 PD (< 2,400 USD / 1,600 USD) 2. Network security separation cards and line selectors 3. Security isolation and information exchange products 6. Data backup and recovery products 5. Smart card chip operating systems 7. Secure operating systems 8. Secure database systems 9. Anti-spam products 10. Intrusion detection systems 12. Security audit products 11. Network vulnerability scanning products 10. Website recovery products

The Chain of Command

China Information Security Certification Center (ISCCC)
ISCCC was established in 2006. It is a nonprofit organization that provides the following services:
- Product Certification
  o National information security product certification
  o Wireless LAN product certification
  o IT Information Security Certification
  o Technical certification of payment service equipment for non-financial facilities
- Information Security Management System (ISMS) Certification
- Certification of Service Qualification
- Training and Certification of Information Security Professionals

Chinese Standards Used for Information Security Product Certification
The mandatory certification for the 13 types of IS products uses product-type-specific standards that are derived from three basic information security standards in China:
- GB 17859-1999, Classified Criteria for Security Protection of Computer Information System
- GB/T 20271-2006, Information Security Technology - Common Security Technology Requirements for Information Systems
- GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008, which are the Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3
The voluntary certification for other types of IS products uses GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008 (i.e. Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3).

ISCCC Certification Procedures
There are two slightly different certification procedures:
- A centralized procedure, which requires the vendor to submit their application to the ISCCC and get acceptance prior to choosing a lab for type testing.
- A staged procedure, which allows the vendor to work with a lab to pass the type testing before submitting their application to the ISCCC.
Certification time varies depending on the product type:
- CC-IS Firewall: 30 days lab test, 2-4 PD initial on-site / 1-3 PD annual re-visit
- CC-IS Secure OS: 90 days for lab test, 4-6 PD initial on-site / 1-3 PD annual re-visit
- Voluntary IS products: normally 90 days for overall certification, maximum 150 days
Certificate validity varies depending on the product type:
- CC-IS products: no set expiration date, contingent on surveillance
- Voluntary IS products: 3 years, contingent on surveillance

Certificates Issued to IS Products by ISCCC
As of August 23, 2012:
There are 263 certificates issued to IS products under the compulsory certification program. The certificate list contains:
- certificate number (e.g. 2012162305000263)
- product name and version
- evaluated level (e.g. L1/L2/L3/L4, or Basic/Enhanced, or EAL for COS)
- vendor name (e.g. Amaranten (Asia) Network Co., Ltd. for a firewall)
- issue date
- certificate status (e.g. valid / revoked)
There are 73 certificates issued to IS products under the voluntary certification program. The certificate list contains:
- certificate number (e.g. ISCCC-2012-VP-073)
- product name and version
- vendor name
  - Axalto Beijing certified their Axalto_Alto Smart card (V2.0)
  - Gemplus Tianjin certified their Gemplus_Gem Smart Card (V1.0)
- issuance date
- certificate status (e.g. valid / revoked)

The Chain of Command

China Information Technology Security Evaluation Center (CNITSEC)
CNITSEC was founded in 1997. It is a CNCA-designated leading information security evaluation center. It provides the following services:
- Information Security Product Evaluation
  o GB/T 18336-2008 (i.e. Chinese translation of CC V2.3)
  o Chinese PPs for Firewalls, Smart Cards, Switches and Routers, etc.
- Information Management System Certification
  o ISO/IEC 17799-2000
  o ISO/IEC 21827-2002
  o Chinese management system regulations
- Certification of Service Qualification
- Training and Certification of Information Security Professionals

CNITSEC Authorized Labs
CNITSEC has its own authorized laboratories. Currently, there are 9 CNITSEC authorized labs. The list on the left contains the following information for each authorized lab:
- organization name
- status of authorization
- authorized scope
- authorization valid time period
- corporate representative
- address
- contact number

CNITSEC IS Product Evaluation (FAQ)
- The main standards used are GB/T 18336-2008 (Chinese translation of CC V2.3) and CEM.
- Eligible products are those that have IT security functionality.
- Possible assurance levels to achieve are: EAL1 to EAL5.
- Eligible applicants are:
  1. Government agencies, research institutes or independent legal business entities
  2. Foreign companies can apply for the product evaluation at CNITSEC through their agencies in China, who must be eligible applicants under condition 1.
- Within 10 days of the application submission, CNITSEC will provide an acceptance or rejection notice.
- Within 10 days of the evaluation completion, the certification number will be announced and registered.
- Evaluation time frame: EAL1: 20 business days; EAL2: 30 business days; EAL3: 60 business days; EAL4: 90 business days; EAL5: 120 business days

CNITSEC Evaluation Process
The entire process consists of four steps:
1. application and acceptance
2. pre-evaluation
3. evaluation
  o documentation review
  o security functionality test
  o independent test
    - Requires at least two sample products
    - Samples should be made available no later than halfway (50%) through the evaluation
  o penetration test (not required for EAL1)
4. on-site inspection (required for EAL3 and above)
  o performed when the evaluation is about 70% complete
  o verifies and confirms that the configuration management, delivery and operation, and development environment security are implemented as claimed

CNITSEC IS Product Certificates
As of June 2012, 186 certs have been issued. There are foreign products (e.g. Samsung IC card) listed under their local branch's name (e.g. Samsung Shanghai). The certificate list contains the following information:
- vendor name
- product name and version
- certificate number (e.g. CNITSEC2012PRD0186)
- assurance level (e.g. EAL1, EAL3)
- issuance date
- expiration date (3 years after issuance date)

Conclusions
- IS product evaluation in China has its unique aspects, but CC is very much alive in China. It is:
  o directly used for ISCCC voluntary IS product certification
  o directly used for CNITSEC IS product evaluation (voluntary)
  o blended into standards for Compulsory Certification for IS products (CC-IS)
- It is possible for a foreign-branded IS product to be certified by ISCCC (either compulsorily or voluntarily) or evaluated by CNITSEC, but the application for that product is expected to be submitted to them via a local (Chinese) agent/branch.
- The certification/evaluation-related information is publicly available, though most information is published only in Chinese.

Thank you for your attention!