23-25 March, 2027 | Steigenberger Wiltcher's, Brussels

Is There Something Wrong With Cryptography in Certified Products? (A21a)

Investigate systemic issues in cryptographic implementations within certified products.
26 Mar 2026
11:00 am
Ballroom A

Is There Something Wrong With Cryptography in Certified Products? (A21a)

What is known about the usage of cryptographic libraries in certified software and devices? Who uses what library? What additional information can the speakers discover without having to sign an NDA? Security certification schemes like Common Criteria (CC) and FIPS 140 help users trust that IT products are secure, especially since they usually depend on cryptographic libraries for their main security features. However, a significant information gap exists regarding these libraries utilized in these certified products.

There is a gap between the formal certification documents publicly available and the actual makeup of the product ecosystem. the speakers’ study offers an extensive data-driven analysis to address this deficiency.

Using the speakers’ sec-certs framework (https://sec-certs.org/), the speakers systematically parse and analyze publicly available CC and FIPS 140 certification-related documents.

the speakers’ study transcends anecdotal evidence by utilizing these documents as a substantial data source to construct an empirical model of the cryptographic ecosystem within certified products. the speakers’ analysis measures the frequency and usage of the most commonly used cryptographic libraries. Approximately 23-25% of all new certificates issued in the last ten years mention OpenSSL, making it a major player. Followed by Network Security Services (NSS), BoringSSL, and Libgcrypt.

This heavy reliance on a small number of libraries suggests a possible cryptographic monoculture, where a flaw in one widely used library could have a disproportionately large effect on the whole certified landscape. The results indicate a systemic issue: the certification process does not ensure that the software supply chain is transparent, making it challenging to manage risks effectively. the speakers’ research establishes a fundamental quantitative baseline that underscores the necessity for more comprehensive and organized reporting of software components in security certifications.