So far, this series has addressed how Cybersecurity works in an e-passport scheme and the verification mechanisms used to detect potential Cyber fraud. Next, the authors explain the role of Common Criteria for Information Technology Security Evaluation, an international standard for computer security certification, in evaluating the security of software embedded in an ePassport.
Multiple security frameworks can be used when evaluating the security of an ePassport secure embedded software. As an example, banking cards are ruled by the EMVCo scheme (EMVCo is a global technical body, industry-wide collaboration, to facilitate the worldwide interoperability of secure payment transactions by developing and publishing the EMV® Specifications and their related testing processes. EMV stands for “Europay, Mastercard, and Visa,” the three companies that created the standard).
A similar environment has been adopted as the reference for most identity documents: the Common Criteria evaluations (which was defined before EMVCo). The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification with international and mutual recognition agreement. Over the last 25 years, CC has been the undisputed reference Cybersecurity framework for the IT and Security industries.
Common Criteria provides assurance that IT security products have been specified and evaluated in a rigorous and repeatable manner and at a level commensurate with the target environment for use.
Originally developed to unify and supersede national IT security certification schemes from several different countries, including the US, Canada, Germany, the UK, France, Australia and New Zealand, Common Criteria is now the widest available mutual recognition scheme for secure IT products and is often a pre-requisite for qualified digital signatures under the European Union digital signature laws. This applies to EU ID documents such as Passports, Identity cards, Resident Permits, Social Security cards.
The Common Criteria standard provides an assurance on different aspects of the product security covering areas such as:
- Development of the product and related functional specification, high-level design, security architecture and/or implementation design.
- Guidance of the product and related manual for the secure preparation and deployment of the product
- Lifecycle of the product and all related processes applicable during its creation such as configuration management or secure development process and tools used to the deployment and retirement of the product with the lifecycle design and delivery process.
- Supporting security policy documentation
- Tests of the product and particularly coverage of the functional security requirement
- Vulnerability assessments.
More information is available on the Common Criteria portal
Certification is performed according to specific Cybersecurity guidance tailored to the application at stake – guidance called Protection Profile (PP). The depth of the certification is ruled by a scale (Evaluation Assurance Level) ranging from 1 to 7. Evaluation is always extremely demanding in terms of Cybersecurity reliability – typically 3 months of white box penetration testing by skilled, independent evaluators. White-box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (black box testing).
The security challenges attached to these evaluation schemes are extremely demanding and the state of the art is continuously evolving. The industry is also innovating, looking for new methods and new algorithms to cope with this evolution. The industry is constantly coping with this evolution, as cryptographic algorithms are also evolving. For this reason, as it comes to embedded operating systems, the evaluations eventually end-up being a superstructure made of multiple layers:
- Common criteria certification of the electronic chip, where security of the chip is assessed and aligned with the latest findings related to hardware security.
- Certification of the secure embedded software, focused on the analysis of the implementation, ensuring that it demonstrates resistance to the latest software security threats.
- Often there is a third certification, typically an application (such as e-Identity, e-Passport, e-Healthcare) dealing with the software implementation of practical applicative services inside the product.
Such multi-layered certifications are commonly referred to as “composite” certifications where one can see that an ultimately challenging task in terms of security has been divided into multiple layers in order to be executed through a safe and efficient methodological approach. Such certifications are aligned with international standards to allow interoperability.
Next, we’ll wrap up this forward-thinking series with an article about moving toward protection that stays ahead of Cyber threats.
Common Criteria Portal
The Secure Identity Alliance (SIA) is an expert and globally recognised not-for-profit organisation. We bring together public, private and non-government organisations to foster international collaboration, help shape policy, provide technical guidance and share best practice in the implementation of identity programmes. Underpinning our work is the belief that unlocking the full power of identity is critical to enable people, economy and society to thrive.