Slide 1 - OCSI


Effective banking products CC evaluations.
CHIOCCA Martine
Banking products Security Risk Manager
8th I.C.C.C. Rome, September 26th, 2007.
Context of efficient CC evaluations
 French banking products have required a security evaluation since 1995, together with an annual certificate survey:
 1995-2000: ITSEC xxxxx,
 2000-now: CC EAL4+ (VLA.4, ...)
 Scope of the evaluation: all payment applications on the card:
 National & International EMV Payment
 Legacy Payment
 National purse Monéo
 Protection profiles:
 PP/9911 (payment) & PP/0101 (purse)
 New European CAS Security Target
Gemalto Public
Evaluation & Certification processes
[Diagram: actors are DCSSI (certification body), CESTI (evaluation laboratory), the IC manufacturer, the smart card S/W developer, and the sponsor or observer. Artifacts exchanged: Security Target, deliverables, preparation, Evaluation Technical Report (ETR), EAL4+ certificate, certificate survey.]
Gemalto evaluation strategy
 Capitalize by working with the same evaluation laboratory for each banking product type: native, Java, contactless, ...
 Advantages:
 Parallelize product design and evaluation as much as possible
 Capitalize on the laboratory's knowledge of the product
 Better chance of getting productive feedback from the lab
 Reusability of assurance deliverables
 Quicker and less expensive security evaluation
Development and Evaluation processes
[Diagram: the generic development process (specification, development, emulator testing, card ROMing, card testing) runs in parallel with the evaluation process (analysis of the Security Target and development specifications; development method, environment, implementation and code; card testing & VLA; end of evaluation). The evaluation ends 2 to 3 months after the first cards are available.]
Synchronizes design and evaluation
 First step of the evaluation: ASE and ADV deliveries, to reach the source code review
 A card emulator and associated tools are given to the laboratory
 Goal => get as many comments as possible before ROMing
 Second step: other deliveries (ACM, ADO, ATE)
 During ROMing most deliveries are updated
 Last step: AVA deliveries and penetration testing
 Duration: 2-3 months after the delivery of the first cards
 Card characteristics:
– With & without “coating” to gain time in preparation
– With known & unknown data
Security: Ever moving target
 What do we learn from the evaluations:
 All code reviews gave feedback that was taken into account before ROMing.
 Most penetration tests reveal investigation tracks that can be enhanced in future products to make those tracks even less accessible
 Certification is a GOOD... starting point...
 Annual survey: required by French banking organizations
 Each year the same laboratory re-assesses the product's resistance
 A second evaluation derives from the existing certified product
=> 50% less cost and duration.
SmartCard Security: Still keeping ahead
 THE ONLY WAY TO IMPLEMENT EFFICIENT SECURITY MECHANISMS
=> Internal Gemalto laboratory:
 Equivalent technical level to an external ITSEF
 State of the art in attack techniques
 More than 10 experts investigating S/W and H/W attacks
 Efficiency of new security mechanisms:
 Privately evaluated to assess robustness
 Internally and externally evaluated
Conclusion of our CC evaluation experiences
 Effective CC evaluations
 Operational way of practicing CC evaluation
 Efficient CC evaluations
 All CC evaluated products get certified at once.
 All our banking customers are confident in the security level of the products.
 Our experience in security proved that our products do resist over time.
The end...
Contact: [email protected]
Tel: 33(1) 01 55 01 59 25
Questions ?
Effective Smartcard Evaluations Process
Jean-Pierre KRIMM
Technical Manager of CESTI-LETI
[email protected]
8th ICCC, Rome, September 26th, 2007.
© CEA 2007. All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent of CEA
11
Effective smartcard evaluations process - JeanPierre KRIMM
Context
 Smartcard evaluations
– In the French Scheme of Certification
– Using a composition scheme with CC v2
– Based on the experience of a developer (Gemalto) and an evaluator (CESTI-LETI)
 The goal is
– To reduce the time and cost of an evaluation
– While keeping the same efficiency as usual
 This part presents the evaluator's point of view
Presentation Outline
 Smartcard evaluations
– General presentation of the composition scheme
– Description of the standard evaluation tasks sequencing
 How to save time: 4 recipes
– Adaptation of the standard tasks sequencing
– The entire source code is provided
– An IC emulator is kept available
– The scheme is deeply involved in the evaluation
 Conclusion
Smartcard Evaluation Process
 A typical smartcard architecture (closed), from top to bottom:
– Applications
– OS
– Integrated Circuit (IC)
 The composition scheme
– First, the IC is evaluated and certified
– Then, the whole product is evaluated, using the results of the IC evaluation
– These steps are not necessarily performed by the same lab.
Standard evaluation tasks sequencing
 The path in red is the critical one
 In practice
– Conformity tasks are performed first, to acquire knowledge of the TOE, i.e. ADV, ACM, ALC, ADO, AGD
– Efficiency tasks are performed last, i.e. AVA
– Some of them shall be performed on the TOE suitable for testing, i.e. ATE_IND, AVA_VLA, ADO_IGS, ACM_CAP, AVA_MSU
How to save time in the evaluation
 Identifying vulnerabilities or anomalies earlier, to correct them as soon as possible
 Penetration testing will be divided into two sub-sets
– A standard one, made of state-of-the-art attacks related to a well-known application
– A specific one, which refines the standard one and adds new attacks strongly dependent on the implementation and the IC vulnerabilities
 To achieve this goal, 4 recipes:
1. Adaptation of the standard tasks sequencing: a code review and standard attacks will be performed in advance
2. The entire source code is provided
3. An IC emulator is kept available
4. The scheme is deeply involved in the evaluation
1 - Adaptation of the standard tasks sequencing
 Context reminder: applications are well known
– French banking applications: legacy, EMV, e-purse
 Some evaluation tasks can be performed in advance
– A partial code review can be performed on its final version.
=> a first feedback on the quality of the implementation can be provided to the developer
– The standard sub-set of attacks can be performed in advance on each banking application, as soon as samples are available
=> a first feedback on the resistance of the product can be provided to the developer
– This leads to identifying common vulnerabilities earlier and thus allows earlier corrections
 The standard evaluation tasks sequencing will then be completed, performing the complete code analysis (ADV_IMP) and the specific sub-set of attacks
2 - The entire source code is provided
 The entire application source code is provided
– To the lab's premises
– Including cryptographic implementations
– Including the generated assembler
 Benefits
– The evaluator always has the source code available
– Guarantees the independence of the evaluator
– Both levels of language are necessary for attacks, i.e. the high level to identify a vulnerability, and the low level for its exploitation
3 - An IC emulator is kept available
 An IC emulator is kept available
– In case the evaluator needs it
– Helpful to understand both H/W and S/W behaviours
– To save time by simulating the feasibility of attacks
 Due to the composition scheme
– The IC is usually not well known by the lab.
– Some H/W countermeasures are not fully explained
– The IC is seen as a "grey box"
4 - The scheme is deeply involved in the evaluation
 The French Scheme is deeply involved in each evaluation
 Benefits
– It allows earlier detection of evaluation anomalies, which are taken into consideration as soon as they appear
– It allows a solution to be found quickly when a problem occurs
– It guarantees the level of the evaluation in real time, for a specific way of working
Conclusion
 It is possible to improve an evaluation process
– in terms of time (and cost)
– for a well-known specific domain, i.e. smartcard
– experience driven, for both developer and evaluator
– through a specific scheme
– without a specific interpretation of the CEM
– keeping the same level of evaluation
Thank you for your attention
Contact: [email protected]
Tel: +33 (0)4 38 78 49 13