Embedded security you can trust

Services

Certification

FIPS-140

Elliptic recommends that a customer considering a FIPS validation under the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) start as early as possible in the product design cycle. A CMVP validation must be done by a third-party, NIST-accredited lab. Elliptic's role in the validation program is to assist customers with the security design of the product being considered for certification, to help create the documentation required by the third-party lab and NIST, and to work through questions as they arise during the process. A FIPS validation process will take several months to complete.

The usual flow of a FIPS certification process is as follows:

  • The manufacturer submits documentation and the product for certification and testing to the accredited lab.
  • The third party test lab reviews and tests the product against the FIPS 140-2 Derived Test Requirements.
  • The third party test lab prepares and submits a draft certification report to NIST for review.
  • NIST provides the third party test lab with questions/comments on the certification report.
  • Once these questions have been resolved with NIST, a FIPS 140 certificate is issued by NIST.
  • The certificate and descriptive information are posted to the CMVP web site on the NIST FIPS 140-1 and FIPS 140-2 Cryptographic Modules Certification List web page.

Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently released at version 3.1 and is supported by 26 countries including most EU member states, Japan, Australia, Canada and the United States among others.

Common Criteria is a framework through which vendors of computer systems can implement designs that are expected to achieve a pre-determined security level, and testing laboratories can evaluate the products to determine whether they do indeed meet the criteria. This in turn allows system integrators to evaluate vendors' products in an unbiased way, giving the integrator greater assurance that their security objectives can be achieved. The metric used in Common Criteria is known as an Evaluation Assurance Level (EAL), with higher security levels being equated with an increasing number. The list below outlines the EAL requirements at each level:

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested, and Reviewed
  • EAL5: Semi-formally Designed and Tested
  • EAL6: Semi-formally Verified, Design and Tested
  • EAL7: Formally Verified, Designed and Tested

Most companies considering certification of an existing product against Common Criteria aim for an EAL4 level. If a ground-up, new design is under consideration, there is no reason not to target EAL5 or EAL6. As in a FIPS validation, the certification is done by an approved, independent laboratory.

Elliptic can assist customers in achieving CC certification. It is important that the engagement begins as early as possible in the product life cycle: this makes the certification process much easier and less costly than the iterations caused when problems arise during certification. Like FIPS, a Common Criteria certification will take several months and require dedicated resources to work through the process.
