The Common Criteria for Information Technology Security Evaluation (Common Criteria, CC) is an internationally recognized certification standard for the security of IT products and systems. It was developed by Canada, France, Germany, the Netherlands, the UK, and the U.S. in the mid-90s.
The aim of these governments was to unify three major security evaluation standards and their criteria: the European ITSEC, the U.S. TCSEC and the Canadian CTCPEC. This way, products sold into international markets would no longer need to be re-evaluated beforehand.
The Common Criteria Recognition Agreement (CCRA), signed in 2000, regulates mutually recognized CC certifications across different countries. Participants commit to rigorous and standardized evaluation processes to support the high level of confidence in certified products. They strive to reduce the need for multiple evaluations and thereby reduce the cost and effort invested in certification processes. The number of evaluated IT products has been increasing since then.
Governments and private-sector enterprises often require Common Criteria evaluations. By relying on certified, high-quality products they can ensure they are implementing the most secure solutions possible. As a result, they can secure IT infrastructures in the most effective way possible and protect business-critical data.
The U.S. government often relies on products that are listed by the National Information Assurance Partnership (NIAP). Being listed requires a Common Criteria certification. Similarly, the European eIDAS regulation requires a CC evaluation for electronic signatures to qualify as “qualified digital signatures”.
Regulation N°910/2014 (the eIDAS regulation) of the European Parliament and of the Council has triggered the definition of a new Protection Profile. The PP “Cryptographic Module for Trust Services” will be published as official standard EN 419221-5 and defines security requirements at assurance level EAL4+.
Applications such as authentication, electronic signatures and encryption require strong and securely managed cryptographic keys. HSMs offer the highest level of security when generating, storing, managing and decommissioning high-quality cryptographic keys.
The Utimaco CryptoServer Se-Series Gen2 is currently being evaluated based on Protection Profile EN 419221-5. The certification registration with TUV Nederland can be found here. With this evaluation, we are aiming to make sure that trust service providers (TSP) can offer eIDAS-compliant solutions to their customers.
Does your application require a CC-certified HSM? Get in touch with us at firstname.lastname@example.org. We look forward to understanding your requirements and finding the appropriate solution.
Common Criteria key concepts and abbreviations you should be familiar with
- The target of evaluation (TOE) is the product or system evaluated against CC requirements.
- The general functionality and especially the security functional requirements (SFR) of the TOE are described in a security target (ST). This security target is preferably based on a recognized Protection Profile (PP), or may alternatively be freely defined by the TOE manufacturer.
- PPs summarize functional and security requirements for a certain type of product, e.g. a smartcard or a Hardware Security Module (HSM), or alternatively for a device with use-case-specific functionality, e.g. a postal security device. The purpose of this is to make multiple products and their certifications comparable with each other.
A CC evaluation verifies the target’s security features in order to confirm claims made about the target of evaluation in the security target.
To qualify and assess the confidence one can place in a product’s security features:
- Security assurance requirements (SARs) describe the measures taken to ensure compliance of an IT product with the claimed security features or level.
- Evaluation assurance levels (EALs) correspond to a group of SARs. They range from EAL 1 to EAL 7 and give insight into how extensively and rigorously an evaluation has been executed.
  - EAL 1 is the most basic level and the cheapest to implement.
  - EAL 7 is the strictest and most demanding level, associated with higher cost and greater required input.
Among other things, the CCRA determines that evaluations with an evaluation assurance level up to EAL4 are mutually recognized across participating countries. More often than not, higher EALs will necessitate the inclusion of the national government’s specific requirements.