Hardware Security Modules (HSMs) are used in all card payment systems (as well as various other applications that require strong security) to protect business transactions and sensitive information. HSMs allow authentication, encryption/decryption and management of cryptographic keys to occur with the highest level of security. The globally-recognized HSM certification, Common Criteria (CC), guarantees the assurance level of an HSM. This article explores how CC helps in choosing the right HSM for your business needs.
Origin of Common Criteria
The goal in developing CC was to provide global recognition and acceptance so that products sold in the international market would not require re-evaluation by each purchasing country. The CCRA (Common Criteria Recognition Agreement), signed in 2000, standardizes the mutual recognition of CC certifications across different countries. Contributors committed to rigorous and standardized evaluation processes to support the highest level of confidence in certified products.
CC is a joint venture of six countries, including the U.S., U.K., Canada, France, Germany and the Netherlands. It also incorporates the progress made individually by these countries on the following standards:
- TCSEC (Trusted Computer System Evaluation Criteria). A U.S. Department of Defense (DoD) standard, also referred to as the “Orange Book”, that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.
- ITSEC (Information Technology Security Evaluation Criteria). A European standard created in the early 1990s by Germany, France, the Netherlands and the U.K.
- CTCPEC (Canadian Trusted Computer Product Evaluation Criteria). First published in May 1993, it is a subset of the U.S. DoD standard. It was used jointly by evaluators from both Canada and the U.S.
Common Criteria Security Evaluation
Common Criteria is an international standard (ISO/IEC 15408) for IT Security Evaluation. The latest version, CC 3.1 Revision 5, was released in April 2017.
Common Criteria has 3 parts:
- “Introduction and General Model” – contains definitions of the terminology used in the evaluation process
- “Security Functional Components” – elaborates the security requirements
- “Security Assurance Components” – used to rate the effectiveness of security controls
CC enables an objective evaluation to confirm that a specific HSM fulfills a defined set of security requirements.
Key concepts of CC are:
- Target of Evaluation (TOE). The HSM/product to be evaluated.
- Protection Profile (PP). Defines a standard set of security requirements for a particular HSM. PPs are written from a template and cover a product line or a broad range of related products.
- Security Target (ST). An explicit set of security requirements that incorporates comprehensive product-specific information and can be stated as a refinement of the PP. The ST forms the basis for agreement between the TOE developers, consumers, and evaluators on the security a TOE offers.
- Evaluation Assurance Level (EAL). Provides an overall characterization of the HSM’s evaluation and is the final grade assigned to it. EALs range from 1 to 7, with one being the minimal level and seven being the maximum level of assessment. A higher EAL is not an assurance of an elevated level of security; instead, it signifies that the HSM has undergone more testing.
EALs are as follows:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested, and reviewed
- EAL5: Semi-formally designed and tested
- EAL6: Semi-formally verified design and tested
- EAL7: Formally verified design and tested
Using the CC Rating and Protection Profile to Choose the Right HSMs
Common Criteria-certified HSMs are widely deployed by government/enterprise organizations across the globe for the defense of their core security infrastructures. In many sectors, it is mandatory that HSMs being procured are CC-certified according to a specific EAL rating and Protection Profile (PP). CC certification EAL ratings range from 1 to 7.
The EAL rating can be checked on the CC website, which lists all the certified HSMs and crypto modules.
The selection of an HSM is based on the usage and deployment requirements and the corresponding HSM PP. The website also shows the PP categories that are related to crypto modules and HSMs, including:
- Key Management Systems (KMS)
- Digital Signatures Products
- ICs, Smart Cards, Smart Card-Related Devices and Systems
- Data Protection Products
- Network and Network related Devices and Systems
The following table shows some examples of the Protection Profiles for Common Criteria certified HSMs and crypto modules and their corresponding issued EALs.
Product Protection Profile
When choosing CC-certified HSMs and crypto modules, it is generally recommended (if not required) to select products that have an EAL rating equal to or higher than 4, and to ensure that the HSM is certified against a specific protection profile, according to what it is used for, e.g. Qualified Electronic Signatures or EMV transaction authorization. Common Criteria certification thereby delivers the guarantee that an HSM’s process of specification, implementation and evaluation has been properly tested in a rigorous manner, and that it is suitable for the intended use.