Who is certifying security products of our type, and what were the requirements in the past? What processor architectures are commonly used in security certifications and given products of interest? How do we compare with our competitors and their security-certified products? How long do security evaluations take for certain labs, types of products, etc.? Are we under-/or over-certifying with respect to competition? What do we know about the usage of cryptographic libraries in certified software and devices? What additional information can we discover without having to sign an NDA? 

Security certification schemes like Common Criteria (CC) and FIPS 140 help users trust that IT products are secure. However, a significant information gap exists regarding particular security/cryptographic techniques utilized in these certified products.

There is a gap between the formal certification documents publicly available and the actual makeup of the product ecosystem. Our tool sec-certs enables an extensive data-driven analysis to address this deficiency, and also to answer questions like those above. The sec-certs framework (https://sec-certs.org/) systematically parses and supports analyses of publicly available CC, EUCC, and FIPS 140 certification-related documents.

Our work transcends anecdotal evidence by utilizing these documents as a substantial data source to construct empirical models of the various ecosystems (e.g., cryptographic libraries, products utilizing certain sub-components) within security-certified products. E.g., we can show a heavy reliance on a small number of cryptographic libraries, indicating a possible monoculture, where a flaw in one widely used library could have a disproportionately large effect on the whole certified landscape. The results suggest a systemic issue: the current certification process does not ensure that the software supply chain is transparent, making it challenging to manage risks effectively. Our work establishes a fundamental quantitative baseline that underscores the necessity for more comprehensive and organized reporting of components in security certifications.

Vashek (Václav) Matyáš is a Professor at Masaryk University, Brno, heading its Centre for Research on Cryptography and Security. His research interests relate to applied cryptography and security; with over 200 peer-reviewed papers and articles. He worked also with Cybernetica, Red Hat Czech, CyLab at Carnegie Mellon University, as a Fulbright-Masaryk Visiting Scholar at Harvard University, Microsoft Research Cambridge, University College Dublin, Ubilab at UBS AG, and as a Royal Society Postdoctoral Fellow with the Cambridge University Computer Lab. Vashek also worked on the Common Criteria and in ISO/IEC JTC1 SC27. He can be contacted at matyas AT fi.muni.cz.

Petr Švenda is an associate professor at Masaryk University, Brno. He first touched the domain of security certifications in 2002 while working on the side-channel analysis of cryptographic devices and has kept his passion for cryptographic smartcards ever since. The Common Criteria and FIPS 140 security certification artifacts proved to be an essential source of information during a responsible disclosure of ROCA and Minerva vulnerabilities his team found. If only the documents would be automatically processable at that time.