Effective banking products CC evaluations.
8th I.C.C.C. Rome, September 26th, 2007.
CHIOCCA Martine, Banking products Security Risk Manager
Gemalto Public
Context of efficient CC evaluations
French banking products have required a security evaluation since 1995, together with an annual certificate survey:
1995-2000: ITSEC xxxxx; 2000-now: CC EAL 4+ (VLA.4, ...)
Scope of the evaluation: all payment applications on the card: national & international EMV payment, legacy payment, national purse Monéo
Protection profiles: PP/9911 (payment) & PP/0101 (purse); new European CAS Security Target
Evaluation & Certification processes
[Diagram of the evaluation and certification processes; labels: Security Target, Certificate Survey, Deliverables (FOURNITURES), EAL4+ certificate, Smart Card S/W developer, IC manufacturer, Sponsor or Observer, Preparation, DCSSI, CESTI, Evaluation Technical Report (ETR)]
Gemalto evaluation strategy
Capitalize on working with the same evaluation laboratory for each banking product type: native, Java, contactless, ...
Advantages: parallelize product design and evaluation as much as possible
Capitalize on the laboratory's knowledge of the product
Better chance of getting productive feedback from the lab
Reusability of assurance deliverables
Quicker and less expensive security evaluation
Development and Evaluation processes
[Diagram of the generic development and evaluation processes (2 to 3 months); labels: Development Process: Target & Development specifications, Development Method & Environment, Specification, Analysis, Implementation, Code, Emulator Testing, Card Testing, Card ROMing; Evaluation Process: Card Testing & VLA, End of Evaluation]
Synchronizes design and evaluation
First step of the evaluation: ASE and ADV deliveries, leading up to the source code review
A card emulator and associated tools are given to the laboratory
Goal => get as many comments as possible before ROMing
Second step: the other deliveries (ACM, ADO, ATE); during ROMing most deliveries are updated
Last step: AVA deliveries and penetration testing. Duration: 2-3 months after delivery of the first cards
Card characteristics:
– With & without "coating", to gain time in preparation
– With known & unknown data
Security : Ever moving target
What we learn from the evaluations: every code review gave feedback that was taken into account before ROMing.
Most penetration tests reveal investigation tracks that can be enhanced in future products to make those tracks even less accessible
Certification is a GOOD... starting point...
Annual survey: required by French banking organizations. Each year the same laboratory re-assesses the product's resistance
A second evaluation derived from an existing certified product => 50% less cost and duration.
SmartCard Security : Still keep ahead
THE ONLY WAY TO IMPLEMENT EFFICIENT SECURITY MECHANISMS
=> Internal Gemalto laboratory: technical level equivalent to an external ITSEF
State of the art in attack techniques
More than 10 experts investigating S/W and H/W attacks
Efficiency of new security mechanisms: privately evaluated to assess robustness, then evaluated internally and externally
Conclusion of our CC evaluation experiences
Effective CC evaluations: an operational way of practicing CC evaluation
Efficient CC evaluations: all CC-evaluated products get certified at the first attempt.
All our banking customers are confident in the security level of the products.
Our experience in security has proved that our products resist over time.
Effective smartcard evaluations process - Jean-Pierre KRIMM
© CEA 2007. All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent of CEA
Effective Smartcard Evaluations Process
Jean-Pierre KRIMM, Technical Manager of CESTI-LETI
8th ICCC, Rome, September 26th, 2007.
Context
Smartcard evaluations in the French Certification Scheme, using a composition scheme with CC v2, based on the experience of a developer (Gemalto) and an evaluator (CESTI-LETI)
The goal is to reduce the time and cost of an evaluation while keeping the same efficiency as usual
This part presents the evaluator point of view
Presentation Outline
Smartcard evaluations: general presentation of the composition scheme; description of the standard evaluation tasks sequencing
How to save time: 4 recipes:
1. Adaptation of the standard tasks sequencing
2. The entire source code is provided
3. An IC emulator is kept available
4. The scheme is deeply involved in the evaluation
Conclusion
Smartcard Evaluation Process
A typical (closed) smartcard architecture [Diagram: Applications, OS and Integrated Circuit (IC) layers]
The composition scheme: first, the IC is evaluated and certified; then the whole product is evaluated, using the results of the IC evaluation. These steps are not necessarily performed by the same lab.
Standard evaluation tasks sequencing
[Diagram of the standard tasks sequencing; the path in red is the critical one]
In practice, conformity tasks are performed first, to acquire knowledge of the TOE, i.e. ADV, ACM, ALC, ADO, AGD
Efficiency tasks are performed last, i.e. AVA. Some of them shall be performed on the TOE suitable for testing, i.e. ATE_IND, AVA_VLA, ADO_IGS, ACM_CAP, AVA_MSU
How to save time in the evaluation
Identifying vulnerabilities or anomalies earlier to correct them as soon as possible
Penetration testing will be divided into two sub-sets: a standard one, made of state-of-the-art attacks related to a well-known application, and a specific one, which refines the standard one and adds new attacks strongly dependent on the implementation and on the IC vulnerabilities
To achieve this goal, 4 recipes:
1. Adaptation of the standard tasks sequencing: a code review and the standard attacks will be performed in advance
2. The entire source code is provided
3. An IC emulator is kept available
4. The scheme is deeply involved in the evaluation
1 - Adaptation of the standard tasks sequencing
Context reminder: the applications are well-known French banking applications: legacy, EMV, e-purse
Some evaluation tasks can be performed in advance. A partial code review can be performed on the final version of the code.
=> a first feedback on the quality of the implementation can be provided to the developer
The standard sub-set of attacks can be performed in advance, on each banking application, as soon as samples are available => a first feedback on the resistance of the product can be provided to the developer
This leads to identifying common vulnerabilities earlier and thus allows earlier corrections
The standard evaluation tasks sequencing will be completed, performing the complete code analysis (ADV_IMP) and the specific sub-set of attacks
2- The entire source code is provided
The entire application source code is provided to the lab's premises, including the cryptographic implementations and the generated assembler
Benefits: the evaluator always has the source code available; this guarantees the independence of the evaluator; both levels of language are necessary for attacks, i.e. the high level to identify a vulnerability and the low level for its exploitation
3 - An IC emulator is kept available
An IC emulator is kept available in case the evaluator needs it: helpful to understand both H/W and S/W behaviours, and to save time by simulating the feasibility of attacks
Due to the composition scheme, the IC is usually not well known by the lab: some H/W countermeasures are not fully explained, so the IC is seen as a "grey box"
4 - The scheme is deeply involved in the evaluation
The French Scheme is deeply involved in each evaluation
Benefits: it allows earlier detection of evaluation anomalies, which are taken into consideration as soon as they appear; it allows a solution to be found quickly when a problem occurs; it guarantees the level of the evaluation in real time, for a specific way of working
Conclusion
It is possible to improve an evaluation process in terms of time (and cost) for a well-known specific domain, i.e. smartcards: experience driven, for both developer and evaluator; through a specific scheme; without a specific interpretation of the CEM; keeping the same level of evaluation
Thank you for your attention
Contact : [email protected]
Tel: +33 (0)4 38 78 49 13