October 2013 | SafeLogic

Archive for October, 2013

31 Oct 2013

New White Paper: Addressing the Common Criteria Protection Profiles for Mobility

Last week, the US Government’s Common Criteria Evaluation and Validation Scheme (CCEVS) announced Protection Profiles for Mobile Devices (MD) and Mobile Device Management (MDM) systems.  The Common Criteria is an international standard for the evaluation of security features within IT products.  It is also widely recognized as a crucial certification needed for products seeking addition to the Unified Capabilities Approved Products List (UC APL), administered by the U.S. Defense Information Systems Agency (DISA).  Products which successfully earn addition to the UC APL become eligible for procurement and deployment by the various agencies of the United States Department of Defense.

These new Protection Profiles embody the requirements that are to be met by a specific technology type in Common Criteria evaluations.  The Mobile Device Protection Profile (MDPP) contains the security functional requirements for mobile devices such as smartphones and tablets.  The Mobile Device Management Protection Profile (MDMPP) includes the security functions to be evaluated including key protection, protected communications, mobile device configuration, and administration.

Cryptographic support functions are critical requirements in these new Protection Profiles, as anticipated.  It is important to note that while many vendors pursue both Common Criteria certification and FIPS 140-2 validation, the latter does not automatically satisfy the former.  The encryption requirements in these new Protection Profiles reflect certain standards imposed by NIST for FIPS 140-2, but they are not interchangeable.

We are proud to present a white paper explaining the cryptographic elements of these new Protection Profiles, available for immediate download.  This paper also presents information on how CryptoComply, our drop-in module, addresses and meets each encryption requirement for the MDPP and MDMPP and discusses the benefits of leveraging the crypto module.  CryptoComply integration is streamlined, designed to eliminate the several engineer-years it would take to build and implement these functions.

For a real-life scenario, please refer to SafeLogic’s Case Study with API Technologies, also available for immediate download.  API Technologies was seeking an updated listing on the UC APL, and they were able to accelerate the process by integrating CryptoComply.  In tandem with SafeLogic’s RapidCert, API Technologies satisfied all requirements and proceeded directly to the JITC testing phase.

For SafeLogic customers who integrate CryptoComply, drop-in compliance is just the first advantage.  RapidCert is a huge differentiator for those who seek FIPS 140-2 validation, while CryptoComply Professional Services brings SafeLogic’s expertise to the table, whether that entails custom software development, Common Criteria consulting, or something else altogether.  Our goal is to make these processes as easy as possible.

22 Oct 2013

The Post-Shutdown FIPS Validation Queue

I’m glad that’s over.

I’m not going to start spouting my political viewpoints, but I think we can all agree that the government shutdown was not ideal for anyone involved… and that it unfortunately involved all of us.

For the folks in encryption, it was unsettling to learn that NIST was considered non-essential for government operation, and the result was that the CAVP and CMVP processes were hobbled.  Without NIST representation, the CSEC’s hands were tied and it could not issue any validations.

According to Mark Minnoch on his excellent blog, CMVP was reviewing FIPS submissions from January 2013 on their last day open before the shutdown.  This represents a 10 month queue.  Back in May, Minnoch had blogged that the queue length was 7.5 months long.  This means that CMVP fell behind an additional 2.5 months of work in only 5 active months!

Mark’s latest post highlighted that only three new submissions appeared on the In Process list after NIST resumed operations, but three more have been added on today’s list update.  I hate to be pessimistic, but over the last six months, submissions outpaced the CMVP efficiency rate by 50%.  This means that the two week shutdown should represent three weeks worth of work, and I anticipate that it will soon be tacked onto the queue.  Meanwhile, submissions from January are still being finalized.  Forget the projections – that is an actual timeline of ten months.  Even if the expected rush of submissions never materializes, the CMVP will need to work significantly faster in order to reduce the queue length, not just keep up.

We haven’t made it to Thanksgiving yet, but let’s talk turkey.  You’re destined for pain if you’re planning a traditional validation path.  The CAVP is going to be impacted by the shutdown as well, meaning that ten months is really just the beginning.  If you’re beginning from scratch, you’re probably pushing a full year, start to finish, once you factor in the document preparation and the algorithm validations.  Many buyers can be patient, but that’s asking an awful lot.  By this time next year, your point of contact might not even be with the company!

It’s not all bad news though.  RapidCert is still available, only from SafeLogic, and we will continue to blow away timeline projections.  In fact, we might need to change our tag line to “You needed SafeLogic twelve months ago”.  Time savings during validation cycles just got even more valuable, and SafeLogic is the only company that can offer you a truly accelerated timetable.


15 Oct 2013

Announcing CryptoCompact

Somewhere, Sasquatch is crying.  Apologies to the hairy fella.  Bigfoot just isn’t welcome here.


Or here.


Wearables have arrived, but their space and processing constraints have made it extremely challenging to integrate the relatively large footprint of cryptographic modules.  This dilemma has perplexed many, generally resulting in shrugs and lack of action.  ‘Until these devices are more popular, hackers won’t bother.’

Unfortunately, the ostrich approach just isn’t going to work.   The capacity of Wearables is tiny, but the data itself is extremely significant.  Consider all of the highly personal information that is gathered by Wearables – not just location and time, but physical habits.  Some are designed specifically to archive heart rates and diagnostic data.  The sky is the limit here, both for altruistic goals and malicious.  It’s like a 007 movie come to life, and you can bet that the villains will surface now that the technology exists in the mainstream.  We can’t sit and wait for the bad guys to strike first.

Seeing these devices catch traction is very, very cool.  It’s always amazing to watch new tech develop and be embraced by the masses.  But more importantly, it’s an opportunity and we have a responsibility to ensure that it doesn’t become a nightmare.  Developers are already working on enterprise applications and concepts for mass deployment of these devices.  The data must be secured, and our first challenge is to address the dilemma presented by the device capacity.  Encryption modules carry weight that isn’t factored into the design specifications for these constrained devices, hence the need for a module with a tiny footprint.  The trick is that it still needs to pack enough punch to power the apps and the security solutions that are sure to follow.

Today, I’m speaking at the Silicon Valley Telecom Council’s Wearables event at the CTIA MobileCON 2013, and I’m proud to announce CryptoCompact, only from SafeLogic.

The premise is simple.  We started with the same goals as CryptoComply – unrivaled cryptographic performance with the easiest implementation and best support in the business.  Then, we took out the bells and whistles and streamlined the module to run as fast as possible with the smallest footprint possible, but without sacrificing features needed today and for the future. And rest assured, CryptoCompact will uphold our standards for world class encryption by earning its own FIPS 140-2 validation.

I’m extremely excited about this new product and I can’t wait to share more details.  Check out the CryptoCompact page, including information about our pilot program.  If you’re developing apps for Wearables, definitely send us a submission.  We’ll be providing the CryptoCompact module to select developers during the testing period.  Stay tuned for more details!


10 Oct 2013

NIST and the Federal Shutdown

If you’ve been to the NIST site lately, you saw this.


Two weeks into the federal government shutdown, the debt ceiling is looming and your guess is as good as mine what will happen next.  It doesn’t matter which side of the aisle you’re on, because we are all annoyed, aggravated, and disappointed.  What we do know is that the shutdown has already furloughed NIST employees and all of us are going to suffer the consequences.

Apparently national data security is non-essential.  NIST employees were sent home and both the CAVP and CMVP have suspended validation activity.  Employees are legally barred from using government-issued devices to check e-mail or do any work while on furlough, so if you need anything, your only option is to contact CSEC, NIST’s Canadian counterpart and cooperating partner in the CAVP and CMVP programs.  The bad news?  CSEC cannot complete any validations without a NIST representative present.

Others have illustrated this shutdown as a mild inconvenience, or a minor pain because you cannot access the In Process List on the website or download a form.  I’m sorry to say that it is much, much more than that.

For those of you who are about to begin the process, you’ll quickly find out that without validation of your encryption algorithms, you won’t get very far.  Good luck with that, since CAVP workers are furloughed.  Once NIST re-opens, you can bet that the rush to submit to the CAVP queue will be significant.  It’s going to be a total crapshoot where you land in the queue, and you’re as likely to have to wait a couple months as a few weeks.

Then, and only then, can you submit your complete documentation to the CMVP.  You can forget about competing with the Black Friday-style rush of submissions on their first day open, because you’re still twiddling your thumbs and waiting for the CAVP.  No, you can be sure that you’ll be buried at the bottom of the pile, behind the incredibly long queue that was already in process on September 30th.  You can add all the folks who will complete their lab testing and submit on the first day open.  It’s going to be ugly.

If you’ve already received your CAVP validations, then congrats!  You only have to deal with one swarm of submissions, instead of two.  Since we don’t know when NIST will re-open, the pressure is on.  Every day that the CMVP is closed, the number of prepared submissions rises, and you better believe that you’ll want to be among those accepted by CMVP on their first day back.  If you’re not, prepare for an extra long wait.  The queue will be particularly impacted.

I hope you’re not completely discouraged, because we’ve got plenty of good news for you.  For example, CryptoComply offers immediate drop-in compliance.  For many enterprise buyers, a letter of confirmation that you are leveraging our validated module will satisfy their internal FIPS mandate.

Instant compliance – that’s tough to beat, especially when things at NIST are as far as possible from instant.  Give us a call.


3 Oct 2013

The 3 Biggest Issues Discussed at ICMC 2013



Last week we were at the first International Cryptographic Module Conference, and I’m only just now getting my thoughts down. Remember what we said in this post:

Life at SafeLogic moves pretty fast.  We look at every day as a week, and every week as a month.

It’s been a crazy, busy, and excellent month since the conference last week.  Not just here at SafeLogic, but in the world around us.  A few days ago, I wished that we had more time for Q&A with the folks from CMVP.  As I’m writing this now, I suppose we should be happy that they could be in attendance at all, considering the furloughs this week.  The current status of the federal shutdown only exacerbates the issue of the long validation queue.  I’ll address that more below.

For the most comprehensive summary of the conference, check out Fiona Pattinson’s summary here.  My talk on FIPS and FUD went well.  I had a lot of fun, and I got good feedback from attendees, so it wasn’t just me.  It was refreshing to talk to the community as a vendor again and not as a consultant.  Incidentally, Valerie Fenwick of Oracle live-blogged my talk and captured the right points. Check out her summary here.  Very cool.  Thanks Valerie!

Upon arriving at ICMC, I was initially a bit stressed by some of the issues we face as a community.  Then as I began to process the signals from the noise, it hit me.  SafeLogic customers are shielded from these issues!  If a product vendor or end user attended a conference such as this, they would be overwhelmed.  The sheer volume of information being shared and discussed was staggering.  Without my background in cryptography, I would have never been able to identify the topics that were relevant to SafeLogic.  This is absolutely part of our role here.  SafeLogic customers can tune out and focus on what they do best, while we assess and address the issues of encryption and deliver a finished product.  Now more than ever, I realize that our method shelters customers from a great deal of anxiety, and that’s priceless.

There were three major issues discussed at ICMC that had potential to affect our position.  I’m proud to report that all three are well under control.  Let me explain:

1. New Implementation Guidance for software modules (IG 9.10). This poses a problem for many of the vendors pursuing narrowly-defined cryptographic boundaries and requires a great deal of attention.

What makes me happy: CryptoComply meets this IG.  Anyone who uses our module meets this IG.  So while a lot of time was spent talking about the technical details and the impacts to vendors, I just smiled knowing that  our customers are unaffected.  This is a great example of how SafeLogic leverages our expertise to address changes immediately and our customers sit back, relax, and enjoy the updates.


2. Entropy. Current validations received a reprieve from the draft guidance that imposes hefty technical and documentation challenges for sources of entropy.  However, the impending requirements are a nightmare and everyone in the space will be scrambling.

What makes me happy: SafeLogic has this problem solved. That’s all I can say for now. Stay tuned for more.


3. The length of the validation queue.  It’s getting longer and longer, with no real fix in sight.  The CMVP validation department furloughs are only going to make this worse, too.

What makes me happy: SafeLogic customers get through the queue more quickly.  RapidCert was established when the queue length was at six months.  This advantage becomes even more valuable as the queue length grows.


With these issues, all the hallway rants er, conversations, and everything else in discussion, attending ICMC was a great opportunity to network and check the temperature of the industry.  We already tackled those issues and there will be more on the way.  I’m proud to report that SafeLogic’s commitment to aggressively update and innovate has already shown proven results.  We will continue to lead the way, so that our customers remain insulated from the headaches of encryption.  And we’ll accomplish that by developing more cool solutions.  I’m looking forward to sharing that with you!