What is Common Criteria and why is it important?
From the Cloud Signature Consortium to eIDAS, international standards form the bedrock of Ascertia’s digital trust solutions. Common Criteria (CC) is another such example, an international standard for certifying computer security software and hardware.
At its core, Common Criteria uses a protection profile, a document used as input to the certification process. It defines precisely the security requirements that must be fulfilled to counter the threats assumed in the environment where the solution will be used.
CC-based evaluations also carry an Evaluation Assurance Level, or "EAL", rating. The EAL rating defines the degree of trust one can have that the product or solution being evaluated complies with the requirements in the protection profile, and it depends directly on the depth to which the independent evaluators examine the product during the evaluation process.
The ultimate goal of Common Criteria is to independently validate a vendor's claims about its product's security features. Only accredited laboratories can perform Common Criteria evaluations.
How common is the Common Criteria?
Established by governments around the world, the Common Criteria Recognition Arrangement has been signed by 31 countries, each of which recognises the others' certifications and certification schemes.
In the United States, the National Information Assurance Partnership (NIAP) is responsible for implementing the Common Criteria. This includes management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body.
Other countries have their own Common Criteria authorities. Each authority certifies a Common Criteria lab, which evaluates products. Once certified by the authority, based on the evidence from the lab and the vendor, that certification is recognised globally.
Evaluations are performed to a particular assurance level, which represents the rigour of the evaluation. Products evaluated to a higher assurance level, say Evaluation Assurance Level 4 (EAL 4), require far greater testing and scrutiny than a product evaluated to EAL 1 or EAL 2.
Greater attention is usually given to the assurance level than to what, specifically, is being assured, which is documented in the protection profile. In reality, would-be customers of a secure system should analyse both aspects of the evaluation.
Furthermore, a Common Criteria certification represents a very specific configuration of software and hardware. Software versions and hardware models matter and are documented as part of the certification; any difference from or change to these versions invalidates the certification.
Why is Common Criteria important?
Common Criteria (ISO/IEC 15408) provides formal, global recognition that a software vendor's claims about the security features of its product are valid and have been independently evaluated against a formal protection profile. This independence is essential for building digital trust. Because the approach is standardised, certification results should be consistent no matter which lab performs the evaluation.
How does Common Criteria apply to Ascertia products?
Historically, Certification Authority (CA) products have been certified against the "Certificate Issuing and Management Components (CIMC)" protection profile, which defined the requirements for components that issue, revoke and manage X.509 public key certificates.
However, this CIMC protection profile dates back to 2011 and is not being maintained, so many consider it obsolete.
In 2017, the National Information Assurance Partnership (NIAP) created the "U.S. Government Approved Protection Profile - Protection Profile for Certification Authorities", an up-to-date and maintained profile that describes the security requirements for a Certification Authority and its supporting infrastructure, including Online Certificate Status Protocol (OCSP) services.
Ascertia is committed to performing Common Criteria evaluations of its relevant products against the latest protection profiles and at the higher assurance levels. This is evidenced by Ascertia being the first company globally to achieve CC certification of its ADSS Server SAM Appliance against the 419 241-2 Common Criteria protection profile at EAL 4+, in support of remote signing requirements, including qualified (remote) signatures.
Ascertia recently refreshed this certification to include the latest features of the ADSS Server SAM Appliance 7.0.2 feature set.
Importantly, Ascertia has just completed Common Criteria certification of ADSS PKI Server, covering the Ascertia Certification Authority (CA) and Online Certificate Status Protocol (OCSP) Server. The certification was conducted against the latest protection profile from the National Information Assurance Partnership (NIAP). By using NIAP we have chosen not only the latest Common Criteria protection profile for the evaluation of our CA and OCSP product but, unlike others, we also decided to evaluate at EAL 4 for the highest assurance, and therefore the highest trust, for this evaluation. Others in the industry have evaluated against NIAP at only EAL 1 or EAL 2.
Are ADSS Server Patches Certified?
This is a common question for any provider that has invested in product certification.
With any minor release or patch, customers expect updates to apply to their chosen systems so they can take advantage of new features or resolve bugs or security issues.
Unfortunately, applying any update to a Common Criteria certified system immediately invalidates the Common Criteria certification. This is because Common Criteria certifies a specific version in a specific configuration, and that is exactly why Common Criteria is such an important standard.
At Ascertia, we believe that, where system auditors permit, Common Criteria should be used as the baseline for a product's deployment, with patching and upgrades planned in consultation with the customer's auditor.
Common Criteria does offer a maintenance procedure that allows a product's certification to be periodically refreshed, and Ascertia is committed to undergoing this maintenance procedure for its certified products periodically, as shown by our ADSS SAM Appliance re-certifications.
Who is Common Criteria ultimately for?
Common Criteria is often mandatory for software used within Government deployments, such as National ID, ePassport, Government Enterprise and other projects where high trust in the system solution components is required.
These highly regulated environments, such as WebTrust-certified Trust Service Providers, Remote Signing Service Providers and enterprises where third-party validation of a product's trustworthiness is mandatory, rely on Common Criteria.
Common Criteria is a signal of trust and should always be sought when considering new products that underpin the security of your company’s digital estate.
Ascertia's new Common Criteria certificate will be published to the CC portal in April. Speak to the Ascertia team to learn more about Common Criteria’s role in our products.