Effective banking products CC evaluations. CHIOCCA Martine Banking products Security Risk Manager. 8th I.C.C.C. Rome, September 26th, 2007. Context of efficient CC evaluations. French Banking products required security evaluation since 1995 and annual certificate survey:
Effective banking products CC evaluations.
CHIOCCA Martine, Banking products Security Risk Manager
8th I.C.C.C. Rome, September 26th, 2007.
Context of efficient CC evaluations
• French Banking products required security evaluation since 1995 and annual certificate survey:
  • 1995-2000: ITSEC xxxxx,
  • 2000-now: CC EAL 4+ (VLA.4,..)
• Scope of the evaluation: all payment applications on the card:
  • National & International EMV Payment
  • Legacy Payment
  • National purse Monéo
• Protection profiles:
  • PP/9911 (payment) & PP/0101 (purse)
  • New European CAS Security Target
Evaluation & Certification processes
[Diagram of the evaluation and certification flow. Labels: DCSSI; Certificate EAL4+; CESTI; Evaluation Technical Report (ETR); Certificate Survey; Deliverables; Sponsor or Observer; IC manufacturer; Preparation; Smart Card S/W developer; Security Target]
Gemalto evaluation strategy
• Capitalize on working with the same evaluation laboratory for each banking products' type: native, java, contactless,…
• Advantages:
  • Parallelize as much as possible product design & evaluation
  • Capitalize on laboratory's knowledge of the product
  • Better chance to get productive lab's feedback
  • Reusability of assurance deliverables
  • Quicker and less expensive security evaluation
Development and Evaluation processes
[Diagram of the generic process, two parallel timelines.
Development Process: Specification; Development; Emulator Testing; Card ROMing; Card Testing.
Evaluation Process: Analysis of Target & Devpt. specifications; Devpt. Method. & Environment; Imp., Code; Card Testing & VLA; End Eval.
Annotation: 2 to 3 months]
Synchronizes design and evaluation
• First step of evaluation: ASE, ADV deliveries, to reach the source code review
  • A card emulator and associated tools are given to the laboratory
  • Goal => get as many comments as possible before ROMing
• Second step: other deliveries ACM, ADO, ATE,
  • During ROMing most deliveries are updated
• Last step: AVA deliveries and penetration testing
  • Duration: 2-3 months after the deliveries of the first cards
  • Card characteristics:
    • With & without "coating" to gain time in preparation
    • With known & unknown data
Security: Ever moving target
• What do we learn from the evaluations:
  • All code reviews gave feedback that was taken into account before ROMing.
  • Most penetration tests reveal to us investigation tracks that could be enhanced in future products to make those tracks even less accessible
• Certification is a GOOD…. starting point……
• Annual survey: required by French banking organizations
  • Each year the same laboratory re-assesses the product resistance
  • Second evaluation derives from existing certified product => 50% less on Cost and Duration.
SmartCard Security: Still keep ahead
• ONLY WAY TO IMPLEMENT EFFICIENT SECURITY MECHANISMS => Internal Gemalto laboratory:
  • Equivalent technical level as external ITSEF
  • State of the art in attack techniques
  • More than 10 experts investigating S/W and H/W attacks
• New security mechanisms efficiency.
  • Privately evaluated to assess robustness
  • Internally and externally evaluated
Conclusion of our CC evaluation experiences
• Effective CC evaluations
  • Operational way of practicing CC evaluation
• Efficient CC evaluations
  • All CC evaluated products get certified at once.
  • All our banking customers are confident in the security level of the products.
  • Our experience in security proved our products do resist over time.
The end… Questions ? Contact : martine.chiocca@gemalto.com Tel : 33(1) 01 55 01 59 25
2007 Effective Smartcard Evaluations Process Jean-Pierre KRIMM Technical Manager of CESTI-LETI jean-pierre.krimm@cea.fr 8th ICCC, Rome, September 26th, 2007. Effective smartcard evaluations process - Jean-Pierre KRIMM
Context
• Smartcard evaluations
  • In the French Scheme of Certification
  • Using a composition scheme with CC v2
• Based on the experience of a developer (Gemalto) and an evaluator (CESTI-LETI)
• The goal is
  • To reduce time and cost of an evaluation
  • Keeping the same efficiency as usual
• This part presents the evaluator point of view
Presentation Outline
• Smartcard evaluations
  • General presentation of the composition scheme
  • Description of the standard evaluation tasks sequencing
• How to save time: 4 recipes
  • Adaptation of the standard tasks sequencing
  • The entire source code is provided
  • An IC emulator is kept available
  • The scheme is deeply involved in the evaluation
• Conclusion
Smartcard Evaluation Process
• A typical smartcard architecture (closed)
  [Diagram of the layers: Applications; OS; Integrated Circuit (IC)]
• The composition scheme
  • First, the IC is evaluated and certified
  • Then, the whole product is evaluated, using the results of the IC evaluation
  • These steps are not necessarily performed by the same lab.
Standard evaluation tasks sequencing
• The path in red is the critical one
• In practice
  • Conformity tasks are performed first for acquiring the knowledge of the TOE, i.e. ADV, ACM, ALC, ADO, AGD
  • Efficiency ones are performed last, i.e. AVA
  • Some of them shall be performed on the TOE suitable for testing, i.e. ATE_IND, AVA_VLA, ADO_IGS, ACM_CAP, AVA_MSU
How to save time in the evaluation
• Identifying vulnerabilities or anomalies earlier to correct them as soon as possible
• Penetration testing will be divided in two sub-sets
  • A standard one made of state-of-the-art attacks related to a well known application
  • A specific one which refines the standard one, and adds new ones strongly dependent on the implementation and the IC vulnerabilities
• To achieve this goal, 4 recipes:
  • Adaptation of the standard tasks sequencing: a code review and standard attacks will be performed in advance
  • The entire source code is provided
  • An IC emulator is kept available
  • The scheme is deeply involved in the evaluation
1 - Adaptation of the standard tasks sequencing
• Context reminded: applications are well known
  • French banking applications: legacy, EMV, e-purse
• Some evaluation tasks can be performed in advance
  • A partial code review can be performed on its final version. => a first feedback on the quality of the implementation can be provided to the developer
  • The standard sub-set of attacks can be performed in advance, in each banking application, as soon as samples are available => a first feedback on the resistance of the product can be provided to the developer
  • This leads to identifying common vulnerabilities earlier and thus allows corrections earlier
• The standard evaluation tasks sequencing will be completed, performing the complete code analysis (ADV_IMP) and the specific sub-set of attacks
2 - The entire source code is provided
• The entire application source code is provided
  • To the lab. premises
  • Including cryptographic implementations
  • Including the generated assembler
• Benefits
  • The evaluator has the source code always available
  • Guarantee the independence of the evaluator
  • Both levels of language are necessary for attacks, i.e. the high level to identify a vulnerability, and the low level for its exploitation
3 - An IC emulator is kept available
• An IC emulator is kept available
  • In the case the evaluator needs it
  • Helpful to understand both H/W and S/W behaviors,
  • To save time simulating the feasibility of attacks
• Due to the composition scheme
  • The IC is usually not well known by the lab.
  • Some H/W countermeasures are not fully explained
  • The IC is seen as a "grey box"
4 - The scheme is deeply involved in the evaluation
• The French Scheme is deeply involved in each evaluation
• Benefits
  • It allows an earlier detection of evaluation anomalies, which are taken into consideration when they appear
  • It allows a solution to be found quickly when a problem occurs
  • It guarantees the level of the evaluation in real time, for a specific way to work
Conclusion
• It is possible to improve an evaluation process
  • in terms of time (and cost)
  • for a well-known specific domain, i.e. smartcard
  • experience driven, for both developer and evaluator
  • through a specific scheme
  • without a specific interpretation of the CEM
  • keeping the same level of evaluation
Thank you for your attention
Contact: jean-pierre.krimm@cea.fr Tel: +33 (0)4 38 78 49 13