Security Evaluations for Cryptographic Modules: FIPS 140-3, ISO/IEC 19790, MEMeC, and Common Criteria


What Are Cryptography Evaluations?

Cryptographic evaluations are essential processes to ensure the security and reliability of cryptographic modules used in various applications. These modules are fundamental for protecting sensitive information in communication and electronic systems, ensuring that the confidentiality and integrity of data are preserved.

What Cryptography Evaluation Do We Offer?

Applus+ Laboratories offers cryptographic evaluation services under various internationally recognised standards and methodologies. These services are designed to assess the implementation and management of cryptographic mechanisms in products, ensuring they meet the necessary security requirements for certification.

FIPS 140-3 Certification

Applus+ Laboratories offers FIPS 140-3 certification, a standard recognised by the governments of the U.S. and Canada. This service ensures the security of cryptographic modules in hardware, software, and firmware solutions. The validation process includes validating the cryptographic algorithms and defining the cryptographic module boundaries.

ISO/IEC 19790 Evaluation

Our ISO/IEC 19790 evaluation service involves assessing cryptographic modules according to the ISO/IEC 19790:2012 standard. This standard is used for protecting sensitive information in communication or electronic systems and defines four certification levels (SL1, SL2, SL3, and SL4), each with specific requirements in 11 security areas.

MEMeC Evaluation

The MEMeC evaluation focuses on assessing cryptographic mechanisms implemented in products whose primary functionality is based on the use of cryptography. The MEMeC certification defines three levels of incremental assurance (CL1, CL2, and CL3) and focuses on key areas such as cryptographic implementation, cryptographic management, conformance testing, and avoiding common implementation errors.

Common Criteria Evaluation

Cryptographic testing is crucial in Common Criteria (CC) evaluations to ensure the security and reliability of cryptographic mechanisms in IT products. While the CC framework itself does not specify detailed cryptographic requirements, it incorporates cryptographic evaluation through various means, including verifying that cryptographic mechanisms meet Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs).

Different national bodies approach cryptographic evaluation in various ways. For instance, the United States (NIAP) only accepts products that conform to an approved Protection Profile (PP), while Spain's Centro Criptológico Nacional (CCN) has developed a specific methodology for evaluating cryptographic mechanisms (MEMeC), defining three security levels and including procedures for both classical and post-quantum algorithms.

Key components of cryptographic evaluation include conformance testing, self-testing, and checking for common implementation errors. Evaluators verify that the cryptographic mechanisms comply with approved algorithms and parameterisations specific to each national scheme.

The Common Criteria Recognition Arrangement (CCRA) facilitates international collaboration, with countries working together to standardise evaluation methodologies and criteria, including those for cryptographic mechanisms. This ensures that certified products meet stringent security requirements across different national contexts, providing confidence in their cryptographic implementations.

Certifications for Market Access of Cryptographic Products and Mechanisms

With these cryptographic evaluation services, Applus+ Laboratories ensures that its clients' products meet the highest security standards, providing access to key markets. FIPS 140-3 certification is essential for the U.S. and Canadian markets, while ISO/IEC 19790 evaluation is internationally recognised and facilitates entry into various global markets. MEMeC evaluation is particularly relevant in Spain, ensuring compliance with local standards.
