effective banking products cc evaluations

Effective banking products CC evaluations. 8th I.C.C.C. Rome, September 26th, 2007. CHIOCCA Martine, Banking products Security Risk Manager

Upload: ovid

Post on 12-Jan-2016


Page 1: Effective banking products CC evaluations

Effective banking products CC evaluations.

8th I.C.C.C. Rome, September 26th, 2007.

CHIOCCA Martine, Banking products Security Risk Manager

Page 2: Effective banking products CC evaluations

Gemalto Public

Context of efficient CC evaluations

French banking products have required security evaluation since 1995, plus an annual certificate survey:
– 1995-2000: ITSEC xxxxx
– 2000-now: CC EAL 4 + (VLA.4,..)

Scope of the evaluation: all payment applications on the card:
– National & International EMV Payment
– Legacy Payment
– National purse Monéo

Protection profiles:
– PP/9911 (payment) & PP/0101 (purse)
– New European CAS Security Target

Page 3: Effective banking products CC evaluations

Evaluation & Certification processes

[Diagram labels: Smart Card S/W developer; IC manufacturer; Sponsor or Observer; DCSSI; CESTI; Preparation; Security Target; Deliverables; Evaluation Technical Report (ETR); EAL4+ certificate; Certificate Survey]

Page 4: Effective banking products CC evaluations

Gemalto evaluation strategy

Capitalize on working with the same evaluation laboratory for each type of banking product: native, Java, contactless, …

Advantages:
– Parallelize product design & evaluation as much as possible
– Capitalize on the laboratory’s knowledge of the product
– Better chance of getting productive feedback from the lab
– Reusability of assurance deliverables
– Quicker and less expensive security evaluation

Page 5: Effective banking products CC evaluations

Development and Evaluation processes

[Diagram labels: Development Process; Evaluation Process; Development; Specification; Emulator Testing; Card ROMing; Card Testing; Target & Devpt. specifications; Devpt. Method. & Environment; Analysis Imp., Code.; Card Testing & VLA; End Eval.; Generic process; 2 to 3 months]

Page 6: Effective banking products CC evaluations

Synchronizes design and evaluation

First step of evaluation: ASE and ADV deliveries, to reach the source code review

A card emulator and associated tools are given to the laboratory

Goal => get as many comments as possible before ROMing

Second step: other deliveries: ACM, ADO, ATE. During ROMing most deliveries are updated

Last step: AVA deliveries and penetration testing. Duration: 2-3 months after the delivery of the first cards

Card characteristics:
– With & without “coating” to gain time in preparation
– With known & unknown data

Page 7: Effective banking products CC evaluations

Security: Ever moving target

What do we learn from the evaluations:
– All code reviews gave feedback that was taken into account before ROMing.
– Most penetration tests reveal investigation tracks where future products could be enhanced to make those tracks even less accessible

Certification is a GOOD… starting point…

Annual survey: required by French banking organizations
– Each year the same laboratory re-assesses the product resistance

A second evaluation derived from an existing certified product => 50% less cost and duration.

Page 8: Effective banking products CC evaluations

SmartCard Security: Still keep ahead

ONLY WAY TO IMPLEMENT EFFICIENT SECURITY MECHANISMS

=> Internal Gemalto laboratory:
– Technical level equivalent to an external ITSEF
– State of the art in attack techniques
– More than 10 experts investigating S/W and H/W attacks

Efficiency of new security mechanisms:
– Privately evaluated to assess robustness
– Internally and externally evaluated

Page 9: Effective banking products CC evaluations

Conclusion of our CC evaluation experiences

Effective CC evaluations: an operational way of practicing CC evaluation

Efficient CC evaluations: all CC-evaluated products get certified at once.

All our banking customers are confident in the security level of the products.

Our experience in security has proved that our products do resist over time.

Page 10: Effective banking products CC evaluations

The end… Questions ?

Contact : [email protected]

Tel : 33(1) 01 55 01 59 25

Page 11: Effective banking products CC evaluations

Effective smartcard evaluations process - Jean-Pierre KRIMM

© CEA 2007. All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent of CEA

Effective Smartcard Evaluations Process

Jean-Pierre KRIMM, Technical Manager of CESTI-LETI

[email protected]

8th ICCC, Rome, September 26th, 2007.

Page 12: Effective banking products CC evaluations

Context

Smartcard evaluations
– In the French Scheme of Certification
– Using a composition scheme with CC v2
– Based on the experience of a developer (Gemalto) and an evaluator (CESTI-LETI)

The goal is
– To reduce the time and cost of an evaluation
– Keeping the same efficiency as usual

This part presents the evaluator's point of view

Page 13: Effective banking products CC evaluations

Presentation Outline

Smartcard evaluations
– General presentation of the composition scheme
– Description of the standard evaluation tasks sequencing

How to save time: 4 recipes
– Adaptation of the standard tasks sequencing
– The entire source code is provided
– An IC emulator is kept available
– The scheme is deeply involved in the evaluation

Conclusion

Page 14: Effective banking products CC evaluations

Smartcard Evaluation Process

A typical smartcard architecture (closed)

[Diagram layers: Applications; OS; Integrated Circuit (IC)]

The composition scheme
– First, the IC is evaluated and certified
– Then, the whole product is evaluated, using the results of the IC evaluation
– These steps are not necessarily performed by the same lab.

Page 15: Effective banking products CC evaluations

Standard evaluation tasks sequencing

The path in red is the critical one

In practice
– Conformity tasks are performed first to acquire knowledge of the TOE, i.e. ADV, ACM, ALC, ADO, AGD
– Efficiency tasks are performed last, i.e. AVA
– Some of them shall be performed on the TOE suitable for testing, i.e. ATE_IND, AVA_VLA, ADO_IGS, ACM_CAP, AVA_MSU

Page 16: Effective banking products CC evaluations

How to save time in the evaluation

Identifying vulnerabilities or anomalies earlier, to correct them as soon as possible

Penetration testing will be divided into two sub-sets
– A standard one, made of state-of-the-art attacks related to a well-known application
– A specific one, which refines the standard one and adds new attacks strongly dependent on the implementation and the IC vulnerabilities

To achieve this goal, 4 recipes:
1. Adaptation of the standard tasks sequencing: a code review and standard attacks will be performed in advance
2. The entire source code is provided
3. An IC emulator is kept available
4. The scheme is deeply involved in the evaluation

Page 17: Effective banking products CC evaluations

1 - Adaptation of the standard tasks sequencing

Reminder of the context: the applications are well-known French banking applications: legacy, EMV, e-purse

Some evaluation tasks can be performed in advance
– A partial code review can be performed on its final version => a first feedback on the quality of the implementation can be provided to the developer
– The standard sub-set of attacks can be performed in advance, on each banking application, as soon as samples are available => a first feedback on the resistance of the product can be provided to the developer
– This leads to identifying common vulnerabilities earlier and thus allows corrections earlier

The standard evaluation tasks sequencing will then be completed by performing the complete code analysis (ADV_IMP) and the specific sub-set of attacks

Page 18: Effective banking products CC evaluations

2- The entire source code is provided

The entire application source code is provided
– To the lab. premises
– Including cryptographic implementations
– Including the generated assembler

Benefits
– The evaluator has the source code always available
– Guarantees the independence of the evaluator
– Both levels of language are necessary for attacks, i.e. the high level to identify a vulnerability, and the low level for its exploitation

Page 19: Effective banking products CC evaluations

3 - An IC emulator is kept available

An IC emulator is kept available
– In case the evaluator needs it
– Helpful to understand both H/W and S/W behaviors
– To save time simulating the feasibility of attacks

Due to the composition scheme
– The IC is usually not well known by the lab.
– Some H/W countermeasures are not fully explained
– The IC is seen as a “grey box”

Page 20: Effective banking products CC evaluations

4 - The scheme is deeply involved in the evaluation

The French Scheme is deeply involved in each evaluation

Benefits
– It allows an earlier detection of evaluation anomalies, which are taken into consideration when they appear
– It allows a solution to be found quickly when a problem occurs
– It guarantees the level of the evaluation in real time, for a specific way to work

Page 21: Effective banking products CC evaluations

Conclusion

It is possible to improve an evaluation process in terms of time (and cost)
– for a well-known specific domain, i.e. smartcard
– experience driven, for both developer and evaluator
– through a specific scheme
– without a specific interpretation of the CEM
– keeping the same level of evaluation

Page 22: Effective banking products CC evaluations

Thank you for your attention

Contact : [email protected]

Tel: +33 (0)4 38 78 49 13