Your Creative Solutions Services Products Research and other fun About YCS Contact information
Home
Although we have an extensive library of presentations, we prefer to adapt these or create new ones to customize the whole course to your situation. We appreciate the difficulty of knowing what courses you want, so we list some repeating sets below.

As with all our services, should your needs not be listed explicitly below, please contact us, most likely we can provide you with a custom workshop.

Introduction of evaluation and certification methods (Common Criteria, FIPS-140, PCI, ...) in 1-4 hours

Want the short and simple version? Tell us how long you have and in that time we will explain to you:

  • how product and process evaluation methods are constructed,
  • how they work in practice,
  • how to use them,
  • how to operate in them, and
  • how to get the most out of it.

The limits of product evaluations, or how to hack certified products (1-2 hours + discussion time)

Evaluation methodologies like Common Criteria play by certain rules. Hackers breaking the rules will go outside the safe boundaries of the evaluation, potentially breaking the security of the product.

How to hack certified-secure products

This course teaches in a fun, accessible way just how to look at evaluated products and how not.

Common Criteria introduction in 2 days

This course provides the participants with the necessary knowledge and understanding to decide whether Common Criteria is suitable for their situation. It also describes what impact a Common Criteria evaluation process will have on the product, its documentation and the processes of development and production. The course covers all aspects of the CC at the industry standard level EAL4+ from beginning to end, including protection profiles (PPs), security targets (STs), the actual evaluation and surrounding process aspects. These aspects are described from the views of
  • the requirement setters (such as government organizations and credit card companies),
  • the product developers,
  • the evaluators (and behind them: the certifiers), and
  • the end-users.
The main focus of course will be on the practical implementation aspects for the developer, using examples from the smartcard domain (unless you have preferences for another area).

Subjects covered

The following subjects are covered by this course:
  • Common Criteria positioned amongst alternative, discussing relevancy and applicability for your product.
  • The benefits and costs of Common Criteria evaluations, with comparison to alternatives like EMVco and FIPS-140 evaluations .
  • The history, current state and developments for the near future of the Common Criteria standard.
  • The essence of the most frequently used protection profiles.
  • The process of a Common Criteria evaluation project, including management information such as project outline.
  • Common Criteria terminology such as PP, ST, SFR, SAR, FCS_COP, and many more.

Common Criteria for developers

We generally provide Common Criteria training in combination with consultancy activities for you as a developer, both helping you understand what is required and together with you achieving it.

These courses are adapted so that together with the consultancy, the total learning effect is optimal and has the least impact on the developer's time. As such, a general schedule is hard to give.

Common Criteria for evaluators and certifiers

Whereas many courses focus on the literal description of the requirements of the CC as how they should be read, they still leave out how an evaluator can perform the evaluation in a practical manner.

This course shows the full complexity of an EAL4 Common Criteria evaluation project. From Security Target evaluation (ASE) to the Vulnerability Analysis (AVA), the practical aspects of the evaluator tasks will be discussed, including the pitfalls leading to difficulties and the valid short-cuts reducing the efforts and complexities.

As evaluations are not stand-alone activities, the interaction with the developer and with the certifiers is also included as topics.

A typical course is 4-5 days long with after care via email for a few weeks. Course certificates will be isssued, of attendance or passing of the exam.

Common Criteria as requirements setting methods

Security officers, product acquirers, risk managers, law and procedure drafters, many people have the need to improve the security in the organization. Improvements of the processes are often implemented with the ISO 2700x range and similar local approaches.

Common Criteria offers an excellent method for improving the product security. The Common Criteria evaluation and certification processes already solve the difficult aspects of how to test the security quality of products, how to ensure the testing is done accurately, and how to verify the expertise of the companies doing the testing. Verification of all this is very simple: check for the CC certificate. Big organizations, including organizations in the financial, telecom, government and defense domains are finding this a very convenient and effective way to improve overall security.

All that is left, is to specify what security properties the product should show. In a workshop of a day, together we can make or select such a set of security properties (called "Protection Profile" in Common Criteria).

Selection of an existing Protection Profile is best done in a 4 to 8 hours workshop. Creation of the Protection profile is best done in an 8 hour workshop, with several days of after care via email.

Evaluation methods

Certain product types, technologies and evaluation levels require a specific evaluation approach. Many years of experience allows us to offer training in specialized evaluation methods. The below methods are commonly requested (more available on request):

Formal methods

At high evaluation assurance levels (in Common Criteria: EAL6 and higher), formal methods are required. Formal methods use mathematical proofs to show that a product meets its requirements. The logical proof methods to use are, as the mathematicians like to say, "non-trivial" (meaning: complex).

Random number generators

Random number generators are notoriously hard to verify. As always, the good thing is that there are multiple standards to choose from, which is exactly the bad thing also.
  • The FIPS-140 standard is of limited use for the generic evaluation of any generic random number generator. It essentially mandates the use of one of its defined deterministic random number generators (DRNGs, generators that are unpredictable from the output, but given the same input always generate the same output).
  • The German CC certification body has for a long time had a more generic evaluation standard for such DRNGs AIS 20.
  • The German CC certification body also had a very succesfull standard for the evaluation of true, physical random number generators AIS 31. This is the standard used for nearly all smartcards evaluated. It provides very, very high quality random numbers at the cost of very high evaluation complexity. If you are considering making a product for your first AIS31 evaluation, I strongly suggest that you get help as early as possible to prevent very costly mistakes in the beginning.

Both blackbox testing and whitebox analysis of random number generators is a fascinating but complex field. Note that we are also working on a complementary tool to facilitate the testing.

Other methodology and technology?

It is hard for us to list all evaluation methodology and technology we can offer training in. If you are missing one, please contact us.
Author: Wouter Slegers - Copyright Your Creative Solutions 2009 - All rights reserved