Validation of Cryptographic Protocols with Common Criteria (N13b)
Verification of cryptographic protocols is a necessary step in the certification strategy. Part 3 of the Common Criteria (CC) efficiently segments the evaluation into several levels that can be extended to the verification of cryptographic modules. To this end, new Parts 2 and 3 are proposed as an update to the existing ISO/IEC 29128 standard. ISO/IEC 29128 Part 3 provides a generic framework that can be followed to evaluate any type of cryptographic protocol. The evaluation of a protocol can leverage a preliminary evaluation of the underlying algorithms, as in a composite evaluation. Even once the individual algorithms have been validated, bugs can remain at the protocol level due to an inconsistent combination of algorithms, an improper set of parameters (e.g. nonce reuse), vulnerable modes of operation, etc. It explains how to conduct an evaluation of cryptographic protocols, based on the methodology provided in Part 3 of the CC for developers and in the CEM for evaluators, as applied specifically to cryptographic protocols. It is relevant to both developers and evaluators, for the design of secure cryptographic protocols and the evaluation of the security level respectively. It also provides conformance parameters, assurance levels, assurance classes, and vulnerability assessment and analysis for cryptographic protocols. In addition, the appendix is supplemented with examples of real-time vulnerabilities and attack cases.