Thursday, November 5, 2015

ICMC15: The Next Steps Toward A Scalable International Cryptographic Evaluation Process

Clint Winebrenner, Technical Lead, Product Certifications Security & Trust Organization, Cisco

How can we work together to eliminate time we're spending doing different validations for different companies. It's not just money to validate against different government standards, but also developer's time.

Is there a reference recommended list of cryptographic algorithms, covering encryption, decryption, etc?

Customers have to trust their vendor to do the right thing, to build software to be secure, safe and comply with RFCs and other standards.  The vendor has to trust the 3rd party test lab.

Trust, but verify. Need to verify that the evidence provided really verifies the algorithms. The testing should be repeatable across all bodies and processes.  It should be scalable, too.

What can we do about remediation? Engage experts from the industry and academia. We need to critically anlyze design from both a security and  performance perspective. Working with academia, industry and government to propose effective and scalable alternatives.

What if you trust the algorithm, but not the validation process?  We can modify existing process for algorithm validation, with methods to verify a sub-set of the effort.  Can we share more evidence?  Why not publish detailed algorithm validation results?

Could this get more complicated?  Yes - we can trust the vendor and the validation process, but not how the algorithm is used. So, we have to look at the protocol's too. Can we share protocol details for all systems under test?

If we can come up with an acceptable international evaluation process, we can have significant savings on time and more reliability.