Blog Post Archive

If you’re looking for an older post and can’t find it here, it can likely be found on our old blog.

Below are our blog posts, from newest to oldest.


  • Written by Rasma Mozuraite Araby. We are thrilled to announce that atsec’s Certification Body (CB) officially issued its first cybersecurity certificates for Common Criteria. This achievement represents atsec’s readiness for the upcoming European Cybersecurity Certification Scheme (EUCC), positioning our Certification Body at the forefront of cybersecurity compliance in the European Union. The EUCC is an…

  • Written by Stephan Mueller. NIST published the final version of FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024, making the first post-quantum cryptographic (PQC) algorithms official and wrapping up an eight-year effort to prepare us for a future where quantum cyberattacks are a more common threat. NIST enabled the…

  • Written by Yan Liu. atsec (Beijing) Information Technology Co., Ltd (short for “atsec”) is pleased to announce that atsec has become one of the PCI Global Executive Assessor Roundtable (GEAR) members for the 2024 – 2026 term. The PCI Security Standards Council (SSC) GEAR is a direct communication channel between senior leadership of payment security…

  • Written by Yan Liu. Now listed by Swift as an assessment provider in the directory of Swift Customer Security Programme (CSP) Certified Assessors, atsec information security assessors can help global financial institutes assess their level of compliance with the CSP mandatory and advisory controls. In the financial industry, Swift requires that financial institutes using its…

  • Roughly every five years, we refresh our website with a new appearance. As a precursor to our 25th anniversary in January 2025, we are thrilled to show the world our stylish, modern look. It is atsec’s firm belief that effective security assurance can only truly be accomplished when the product developers proactively incorporate security requirements…

  • On July 11th, 2024, the first three FIPS 140-3 certificates for NIST’s SP800-140Br1 pilot program were posted on the NIST website. atsec information security was one of the labs that took part in the pilot program. SP 800-140Br1 specifies modifications of the methods to be used by a Cryptographic and Security Testing Laboratory (CSTL) to…

  • atsec has become an official GSMA member. The GSMA represents the interests of mobile operators worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and internet companies, as well as organizations in adjacent industry sectors. atsec is a GSMA appointed…

  • “What do you say to a room full of DRBGs standing around you? Everyone, please be seeded.” -Quin, atsec tester. When things change, it can help to approach that change with a light heart like this. Recently, NIAP announced that Entropy Assessment Reports (EARs) must include a NIST Entropy Source Validation (ESV) certificate starting at the…

  • We’d like to inform our customers and partners that the German Federal Office for Information Security (BSI) recently published new documents approving the use of additional Security Assurance Specifications (SCAS) under the BSI 5G NESAS Certification and Evaluation Scheme (BSI NESAS CCS-GI). We encourage our customers to fully review the newly published documents and explore…

  • Please enjoy our quick primer on CMVP, CAVP and ESV testing.

  • The European Union Agency for Cybersecurity (ENISA) hosted a cybersecurity certification conference on April 18, 2024, in Brussels, Belgium. The conference very much focused on the implementation of the EUCC – European Cybersecurity Certification Scheme. This scheme, based on the established Common Criteria (CC), aims to harmonize cybersecurity assessments for Information and Communication Technology (ICT)…

  • atsec information security (branded as “atsec”) has been qualified by the FIDO Alliance as one of the FIDO Accredited Security Laboratories to evaluate the authenticator products.

  • atsec AB Stockholm, Sweden is thrilled to announce:  We are the first IEEE Authorized Testing Facility! We’ve officially been approved as an IEEE Authorized Testing Facility, making atsec AB Stockholm, Sweden the first company able to provide testing of medical devices according to the IEEE 2621 standard. Additional locations include atsec corporation Austin TX, USA…

  • Austin, TX: In a groundbreaking announcement today, c@tsec information security, a subsidiary of atsec information security, and the leader in quantum computing technology, proudly unveils its latest innovation: the Quantum PurrProcessor™. The Quantum PurrProcessor™ operates on a revolutionary principle, harnessing the power of Schrödinger’s Cat to perform computations beyond the limitations of classical computers. By…

  • Resulting from a joint collaboration between John Kelsey (NIST), Stefan Lucks (Bauhaus-Universität Weimar, Germany) and Stephan Müller (atsec information security), a new deterministic random bit generator (DRBG) is published. The XDRBG was publicly presented at the 30th Fast Software Encryption Conference 2024 in Leuven, Belgium. The XDRBG uses an extensible output function (XOF) as primitive…

  • atsec information security hosted a free day-long hybrid event on the Concordia University campus in Austin, TX, with 330 registered attendees, both in-person and remote.

  • Happy Valentine’s Day to our customers, our partners, colleagues and communities around the world that we work with.

  • As always on the 11th of January atsec celebrates its birthday. This year it is the 24th! As they say: time flies when you’re doing IT security! Our best wishes and thanks to all of the contributors: our customers, our partners, and our colleagues.

  • We invite you to take a look at our current newsletter that contains information on algorithm transitions, updates to the FIPS IG and announcements for FIPS 140-2 and FIPS 140-3.

  • In addition to the sole use of Kyber KEM, a hybrid mechanism using X25519 can be devised that acts as a drop-in replacement for Kyber KEM.

  • The whole atsec team wishes our colleagues, customers, partners and suppliers a Merry Christmas and a Happy New Year.

  • On August 24 2023 NIST published the first drafts of: On November 15 2023 NIST announced that the three algorithms will be available for testing at the ACVP Demo service. During the course of the development of both Kyber and Dilithium reference implementations, NIST developers reached out to atsec to compare intermediate results of both…

  • atsec participated in the PCI (Payment Card Industry) Security Standards Council 2023 Asia-Pacific Community Meeting held in Kuala Lumpur, Malaysia, on 15 and 16 November and hosted a booth. atsec’s principal consultant Di Li provided a presentation on “Our ‘Key’ Experience in PIN Security / P2PE / FIPS 140-3.” A short summary of the presentation…

  • As in previous years, atsec is attending the International Common Criteria Conference, this time in Washington DC from October 31st to November 2nd 2023. We invite you to come and talk to us at our booth (#10) or attend our colleagues’ contributions to the conference:

  • On September 26, 2023, The Food and Drug Administration (FDA) released their finalized Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions guidance document. This document provides general principles for device cybersecurity relevant to device manufacturers. It seeks to emphasize the importance of safeguarding medical devices throughout a product’s life cycle. The…

  • The 11th International Cryptographic Module Conference (ICMC) started today. This year the conference is held from September 20th to 22nd 2023 at the Shaw Center in Ottawa Canada. The conference itself kicked off with Yi Mao, CEO of atsec US, giving the opening speech. It featured our latest animation, which has become somewhat of a…

  • Everybody seems to jump on the AI bandwagon these days, “enhancing” their products and services with “AI.” It sounds, however, a bit like the IoT hype from the last decade when your coffee machine desperately needed Internet access. This time, though, there’s also some Armageddon undertone, claiming that AI would make our jobs obsolete and…

  • Recently the CMVP has granted ESV certificate #E57 to the Intel DRNG entropy source. The testing and submission was done by atsec and it marks the first ESV certificate granted to the Intel DRNG. The Intel DRNG (Digital Random Number Generator) is a hardware Random Bit Generator (RBG) integrated into a multitude of Intel processors,…

  • On July 14, atsec obtained the first validation certificate for a post-quantum cryptographic algorithm: A4204. We used the Automated Cryptographic Validation Protocol (ACVP) to verify the correctness of the LMS (Leighton-Micali Signature) key pair generation, signature generation, and signature verification implementations in the QASM Hardware Security Module, developed by Crypto4A Technologies. This milestone represents an…

  • In today’s interconnected world, the Internet of Things (IoT) has become an integral part of our daily lives. From smart homes to industrial automation, IoT devices are revolutionizing various industries. However, with this increased connectivity comes the need for robust security measures to protect sensitive data and ensure the integrity of these devices. The Importance…

  • Following the news published in early 2022, atsec would like to proudly announce a successful completion of the CEST (Confidential Evaluation of Software Trustworthiness) project – a Swedish research project funded by Vinnova. The CEST project provides a confidential software security assurance environment enabling software supply chains to be compliant with regulations, standards, and corporate…

  • Like last year, three representatives of atsec Germany attended the Omnisecure conference from May 22 through 24, 2023, in Berlin. The Omnisecure conference has a clear focus on the German market and, in particular, national approvals of IT security products – one of the main business domains for atsec Germany. Therefore, there has been a…

  • An alleged Russian-linked ransomware gang has exploited a vulnerability in a popular file transfer tool called MOVEit to attack both commercial and government targets world-wide. This attack appears to include data theft as well as the deployment of ransomware. Since we have been asked by one of our customers if this attack had any effect…

  • atsec recently attended two conferences that focused on cybersecurity certification: the International Conference on the EU Cybersecurity Act and Crypto Module Day Conferences in Brussels, Belgium, from March 28 to March 30, 2023. Both conferences focused on the upcoming regulations in the EU and discussed cybersecurity certification schemes drafted by ENISA (the European Union Agency…

  • atsec information security is proud to be on the forefront of developments in the world of IT security and strives to be a step ahead of the challenges in our area of expertise. So, it was a logical step to embrace the recent advances in AI technology and turn over the operations of our company…

  • After years of video conferences, the Security Summit was finally back in person in Milan, Italy, from March 14 to 16, 2023. atsec couldn’t miss the opportunity to participate as gold sponsor in one of the most important cyber security events held in Italy and to meet our customers, partners, and people involved in the…

  • CC:2022 is HERE!

    Update: We greatly appreciate all the feedback we received on this blog article. For new updates, please see our revised handy overview to the new CC:2022 at the end of the blog article. It all started with Trusted Computer System Evaluation Criteria (TCSEC or Orange Book) in 1983; the German Security Evaluation Criteria (Green Book)…

  • We are pleased to announce that atsec information security AB has been accredited as a certification body by SWEDAC, the national accreditation body in Sweden, to provide Common Criteria (CC) certifications of IT products. With over 20 years of experience as a CC evaluation lab,  atsec has taken the step to become a CC certification…

  • atsec information security wishes all women – colleagues, customers, suppliers, and partners – a wonderful International Women’s Day. atsec highly values your contribution and praises your outstanding achievements in information security.

  • The National Security Agency (NSA) has released the Commercial National Security Algorithm (CNSA) Suite 2.0 and Frequently Asked Questions detailing future quantum resistant (QR) algorithm requirements for National Security Systems (NSS). CNSA 1.0 was published in 2016 to replace NSA Suite B and standardized the use of the AES, SHA, RSA, DH, ECDH, and ECDSA…

  • atsec information security wishes all colleagues, customers, suppliers, and partners a Happy Valentine’s Day filled with joy, happiness, and security!

  • Our Swedish colleagues unveiled the atsec sign on the front of the office building. Talk about enhanced visibility. The other atsec offices around the world are only a little bit jealous… 😀

  • After 40+ years of working, I am officially retired and can say that I saved the best for last. Four plus years ago, after working for IBM for over 29 years, I was hired by atsec information security corp., a small Austin company of approximately 25 people. Coming from Big Blue, I really had a…

  • We wish all our colleagues from atsec China as well as all our customers, partners, and suppliers celebrating the new lunar year, a Happy Chinese New Year. The year of the Rabbit is important since atsec was born under that zodiac sign. Tradition suggests wearing something red during the year of your sign, which is not…

  • Our best wishes and thanks to all of the contributors: our customers, our partners, and our colleagues.

  • The CMVP published four FIPS 140-3 certificates today, marking the first modules to go through testing and validation under the new version of the FIPS 140 standard. FIPS 140-3 became effective on September 22, 2019, and testing began on September 22, 2020. FIPS 140-3 has been mandatory for new modules since September 22, 2021. The…

  • After two years of virtualized conferences, the ICCC was back in person once again. The ICCC 2022 was held from November 15-17 in Toledo, Spain. It was a welcoming feeling to meet face-to-face with our customers, certification bodies, and peers alike. We reconnected with familiar faces and made new friends. The biggest highlights of the…

  • Happy Halloween!

  • We want to draw your attention to the following publication issued by the German Federal Office for Information Security (BSI): https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/221005_Apple_Sicherheitsfunktionen.html  In a nutshell for the non-German readers, the article states that Apple has agreed to an independent evaluation of the core security functions of iOS and iPadOS by BSI. This evaluation has been conducted according…

  • The 21st International Common Criteria Conference (ICCC 2022) will be held from November 15 to 17, 2022, in Toledo, Spain. As always, atsec information security looks forward to opportunities for networking and exchanging ideas with our peers in Common Criteria and in the IT security community alike. After two years of virtual conferences, we are…

  • As one of the first companies in Germany, atsec has become a certified evaluation laboratory in the German Network Equipment Security Assurance Scheme Cybersecurity Certification Scheme – German Implementation (NESAS CCS-GI) scheme maintained by BSI (Bundesamt für Sicherheit in der Informationstechnik). This certification scheme is based on the Groupe Speciale Mobile Association (GSMA) NESAS, in…

  • On September 15, 2022, the EU Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. This EU legislation introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle. The EU legislation will impose: The proposed regulation will apply to all…

  • The 10th International Cryptographic Module Conference (ICMC) was held from September 14th to 16th 2022, at the Westin Arlington Gateway in the Washington, D.C. area. Yi Mao, Managing Director for atsec information security, wrote the welcome letter in this year’s program: “Dear ICMC 2022 Participants, A very warm welcome to the tenth annual ICMC! In…

  • Stephan Müller’s presentation at the 2022 ICMC.

  • Sal La Pietra, the President and co-founder of atsec information security (atsec), opened the tenth annual International Cryptographic Module Conference this morning at Westin Arlington Gateway in the Washington D.C. area.

  • All components comprising a software product are ultimately the responsibility of the developer of that product, even if one or more of those components is supplied by a third party. This is especially true when the product is evaluated for Common Criteria (CC) certification. Recently, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security…

  • atsec China is pleased to announce that atsec has become one of the PCI Global Executive Assessor Roundtable (GEAR) members for the 2022-2024 term. atsec China has been part of PCI GEAR since its initial establishment in 2018. In 2022, atsec China is one of 27 organizations to join the PCI GEAR in its efforts to…

  • It is a different kind of blog entry, not about technical expertise or atsec’s latest achievement. It is a 32-minute clip ending with atsec as a sponsor and detailing Clarice Assad’s Residence Workshop with Austin Classical Guitar Society (ACGS): https://www.youtube.com/watch?v=aeaNM-bIh-M I had the opportunity to meet with Matthew Hinsley, Executive Director, and Joe Williams, Artistic Director of…

  • atsec China (“atsec” for short in this article) has completed the training and examination on “PCI DSS QSA Version 4 Transition” provided by the Payment Card Industry Security Standards Council (PCI SSC) and became one of the first Qualified Security Assessors (QSA) companies globally to perform the assessment according to the new version of the…

  • Many of us who have been in the evaluation and certification (validation) business  have seen the development, not only of security requirements and schemes, but also how the “security echo system” works. A few weeks ago, I was generously given the opportunity to share some ideas at the EU CSA conference in Brussels. Here is…

  • (“Information Security and Cryptography” in Chinese Calligraphy) In this article, we provide an up-to-date overview regarding IT security standards as well as the current situation of IT security testing and certification in China. It also covers the topics related to security assessment and compliance in the financial industry. Security standards are established to support organizations…

  • At atsec, quality and security are more than just words – they encompass everything we do and are deeply embedded in our four principles: We know the business. We act with integrity. We stay focused. We are independent. Management is committed to the implementation and improvement of an integrated Management System. Every atsec colleague is committed to providing…

  • Last week, employees from atsec Germany and atsec Italy attended the 20th International Conference on Applied Cryptography and Network Security (ACNS) in Rome, Italy. As the name implies, ACNS highlights academic and industry research in the areas of applied cryptography and network security. Accepted papers are published in Springer’s Lecture Notes in Computer Science series,…

  • atsec has recently participated in two conferences that focused on cybersecurity certification: the 2022 International Conference on the EU Cybersecurity Act in Brussels, Belgium, and ENISA Cybersecurity Certification Conference 2022 in Athens, Greece. atsec contributed with two presentations at the EU Cybersecurity Conference “Successful cPP Certification under the CSA,” presented by Rasma Araby, and “A…

  • After two years of video conferences, we were finally able to meet stakeholders of our community again in person as three representatives of atsec Germany attended the Omnisecure conference from June 21st through 23rd 2022 in Berlin. The Omnisecure conference has a clear focus on the German market with a strong presence of the Bundesamt…

  • atsec is excited to have been invited to the virtual kick-off meeting for the “Automation of the NIST Cryptographic Module Validation Program” at the National Cybersecurity Center of Excellence (NCCoE). The National Institute for Standards and Technology (NIST) organized the kick-off meeting on June 1st, 2022. It started with an introduction by NIST, followed…

  • atsec wishes all mothers and grandmothers a wonderful and happy Mother’s Day!

  • NIST plans to offer a separate validation program apart from FIPS 140 to cover entropy sources: the ESV (Entropy Source Validation) program (hereafter ESVP). As part of the new validation effort, NIST recently launched an automated system to upload the required information in a structured manner: the Entropy Source Validation (ESV) server. The protocol to…

  • We are excited to announce that atsec information security has become the first IT Security Lab that has been accredited as a testing lab for the Metaverse. IT Security in virtual environments is as important as in the real world. While in the real world there are a lot of security mechanisms already in place…

  • Happy Pi Day

    From Archimedes to the bright minds of our time, atsec would like to thank all the mathematicians contributing to making our world more secure.

  • atsec information security wishes all women – colleagues, customers, suppliers, and partners – a wonderful International Women’s Day. atsec highly values your contribution and praises your outstanding achievements in information security.

  • FIPS 140-3 has a more detailed set of submission scenarios than FIPS 140-2. It can be daunting to find the right scenario for your situation. The flow diagram below provides an overview and helps to explain the different scenarios. More information can be found in the FIPS 140-3 Management Manual. The Management Manual is currently…

  • atsec information security wishes all colleagues, customers, suppliers, and partners a Happy Valentine’s Day filled with joy, happiness, and security!

  • Our colleague Quentin Gouchet, together with Eric Järpe, authored an article on distinguishing encrypted from non-encrypted data. We invite you to read the article here. Introduction: The discrimination of encrypted data from other kinds of data is of interest in many areas of application. For instance for making other applications work for the communication traffic in…

  • A big hug to you all. Happy Birthday! “atsec is a big hug to the whole team represented in the at-sign @ of our logo!” audaces fortuna juvat “An idea is nothing more or less than a new combination of old elements,” James Webb. atsec, is: “A new idea based on old concepts.” When atsec…

  • This year the motto for our Holiday greeting is “Bridges”, as it symbolizes much of what we do in our daily work. We bridge the difficult terrain of international and national standards between vendors and government agencies, so both parties can reach their respective goals. We bridge the gaps in knowledge by constantly training our…

  • I’ve been with atsec for more than two years, and I am happy to be on board. But when I joined, I had some concerns. Coming from companies with thousands of employees and revenues in the billions, joining a company with less than one hundred employees worldwide and a few digits less in revenue felt…

  • atsec participated in ICCC 2021 from October 19th to 20th, which was held as a fully virtualized conference the second year in a row due to the worldwide pandemic. While we appreciate having the opportunity to exchange new information as well as give and receive presentations in our domain, we cannot deny that we…

  • A few days ago, I returned from my first business trip in months. I didn’t travel because I had to, but because I decided that it would be better to be on-site instead of handling the project remotely. And we are handling a lot of projects remotely at the moment. But for this project it…

  • Please enjoy this year’s animation from Yi Mao’s opening presentation at the 2021 International Cryptographic Module Conference (ICMC). We also invite you to watch a recording of Yi Mao’s welcome address for the ICMC:

  • We invite you to watch this presentation by Richard Fant on Sample Size in SP800-90B.

  • While the home office has become a normality for many IT companies and operations during the pandemic, the requirements for security evaluation, certifications, accreditations, and other approvals have remained constant. Site visits at the development sites are required to achieve the approval of certification and accreditation. How could this be accomplished when developers, auditors, and…

  • atsec China has been qualified by PCI SSC (Payment Card Industry Security Standards Council) as a Card Production Security Assessor (CPSA) Company to validate an entity’s adherence to the PCI Card Production and Provisioning Logical Security and  Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical…

  • Some reflections on security assurance, how it can be achieved and verified, from the view of an evaluation lab. Security assurance is usually hard to grasp, and we have sometimes seen misconceptions about how it can be achieved. One of the early milestones in understanding assurance came with the vulnerability analysis of Multics…

  • When atsec was about to be founded, one of the first questions the founders (a German, an Italian, and a Swede) had was which name would best represent the company’s approach to information security, but more importantly, whether the domain would be available.  Here is the list of all the available domain names in December…

  • The two most repeated terms at the NIST Entropy Workshop held on April 27-29 are “mathematical model” and “justification.” That brought me back to my college days at Peking University where I first studied Mathematical Logic. Logic is all about valid rules of inference. Mathematical logic applies the techniques of formal logic to mathematics and mathematical reasoning, and applies…

  • Washington, DC—A new cybersecurity initiative dubbed PAWS (Puppy Assisted Warning Systems) has been introduced today by the US Department of Defense (DoD) to combat and deter the rising threat of cybersecurity attacks from countries who have vested interests to undermine US IT infrastructure and businesses. The 1.7 trillion dollar program will be entirely self-funded through…

  • Choose to Challenge

    Celebrating International Women’s Day 2021!

  • by Marcos Portnoi, Stephan Mueller, and Viktoria Meyerhoff. In 2018, the Internet Engineering Task Force (IETF) published RFC 8446, “Transport Layer Security (TLS) Protocol Version 1.3”, a new standard for the latest version of TLS. TLS is the successor of SSL (Secure Sockets Layer), which was developed by Netscape in 1995. In 2020, the Cryptographic…

  • by King Ables. The attack on the SolarWinds network management platform Orion allowed a bad actor to inject malware into the product prior to it being signed and deployed to customers during a regular software update. This highlights a largely underappreciated but universal truth of the Internet age–almost all businesses depend on a software supply…

  • The GSMA (Global System for Mobile Communications) organization recognizes atsec’s ISO/IEC 17025 accreditation that now allows network product evaluations against NESAS Security Assurance Specifications (SCAS). The NESAS scheme is a collaboration jointly led by 3GPP and the GSMA, and is open to all vendors of network equipment products that support 3GPP defined functions. NESAS…

  • Today atsec celebrates its 21st Birthday! We can finally get a pilot license, gamble at the casino and we won’t be mad when we get carded at the ICMC! We are happy to look back on more than two interesting decades and would like to thank our customers, the government agencies, our colleagues and friends…

  • Our colleagues from around the world wish you Happy and Healthy Holidays and a good start into 2021.

  • by Richard Fant. Figure 1: e-Passports issued by different countries. In today’s climate of COVID-19, domestic travel has become difficult, and international travel almost impossible. Many US airlines now require their passengers to submit to a COVID-19 test within 24-48 hours prior to travel to prove the traveler is not currently infected. Some countries have…

  • atsec participated in ICCC 2020 from November 16th through 18th, which for the first time had to be held fully virtualized due to the worldwide pandemic. The ICCC used the same conference platform as for the ICMC 2020. In addition to attending the ICCC 2020, a number of atsec consultants joined the virtual CCUF Workshop…

  • It has become an atsec tradition to produce an animation with a FIPS-relevant topic for the ICMC. This year it has the transition from FIPS 140-2 to FIPS 140-3 as the subject – with a personal touch. Yi Mao presented the animation during her opening speech at the virtual ICMC 2020.

  • We invite you to take a look at our current newsletter that contains information on algorithm transitions, updates to the FIPS IG and announcements for FIPS 140-2 and FIPS 140-3.

  • by Swapneela Unkule. NIST SP 800-56A provides recommendations for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. Diffie-Hellman (DH), Elliptic Curve DH (ECDH) and Menezes-Qu-Vanstone (MQV) key-agreement schemes are specified in this standard. These Key-Agreement Schemes (KAS) are widely used in network protocols such as TLS. The SP 800-56A has been revised twice since its initial…

  • It was the beginning of January when I first heard about the new virus causing severe flu-like symptoms, such as upper respiratory infection, spreading throughout China.  I started to worry about our China team. Nevertheless, we continued to plan for the global celebration of atsec’s  20th anniversary, assuming the virus would go away by Spring.…

  • With the sunset of the Cryptographic Algorithm Validation System (CAVS) at end of June 2020, algorithm testing for NIST and NIAP validations and evaluations must now be performed using the Automated Cryptographic Validation Testing System (ACVTS). The list of issued CAVP certificates using ACVTS (i.e. the certificates prefixed with “A”) illustrates that atsec is clearly…

  • Dear CAVS Tool, We want to congratulate you on years and years of dedicated service. Without you, algorithm testing would not have been what it is today, and we salute you for staying with us for so long. On June 30th you will finally get your well-deserved retirement. Rumors are you will relocate to a…

  • We invite you to take a look at our current newsletter that contains information on algorithm transitions, updates to the FIPS IG and a breakdown of the changes in TEs from FIPS 140-2 to FIPS 140-3.

  • One of the rewards of working in the evaluation and testing business is to see our customers succeed and show the results of their efforts. We are always happy to work with organizations who are committed to IT security and want to improve their products and processes for the benefit of their customers. In that…

  • Rise & Fall of MD5

    by Richard Fant The Rise: MD5 (message digest version 5) was developed in 1991 and is still very popular today, with a wide range of commercial and government applications. MD5 is used to generate hash values of passwords stored on a system as opposed to storing the passwords in plain text. This password protection method was used…

  • atsec China has been qualified by the PCI SSC (Payment Card Industry Security Standards Council) as a Secure Software Lifecycle (SLC) Assessor and Secure Software Assessor company under the PCI Software Security Framework (SSF) program to evaluate a vendor’s software lifecycle and/or validate a vendor’s payment software. The PCI SSF is a collection of standards…

  • According to sources in the DPA (Data Protection Agency) new guidelines will be issued soon that will make digital trash separation mandatory. Every year an estimated 240 zettabytes of re-usable bits are thrown into desktop trash cans. The new guidelines require operating system manufacturers to implement a recycling bin next to the trash can on…

  • by Richard Fant Meltdown Attack: 2 years later. In February 2017, independent security researchers discovered a catastrophic security flaw in the cache design for processors developed by Intel Corporation. After embargoing the information for almost a year while working on a fix, Intel publicly announced in January 2018 the security flaw known as the Meltdown Attack.…

  • Happy International Women’s Day to all our wonderful atsec colleagues in Europe, US and Asia.

  • by Andreas Fabis When we talk to our customers about FIPS 140-2 testing some questions regarding certificate maintenance frequently come up: There are many factors that can lead to module or platform changes: technical, business and marketing, to name a few. Navigating the rules and options of FIPS 140-2 re-certification can be challenging, and currently…

  • During the period of the novel coronavirus (COVID-19) outbreak in China, I, and many others, have cancelled parties with family, friends and colleagues—even during the traditional Chinese Lunar New Year. We have also decided to work remotely with atsec colleagues, customers, and partners. This gave me more time to think and learn, and I wanted…

  • atsec is happy to announce that we are now a licensed Conformity Assessment Body (CAB) under Electronic Identification, Authentication and Trust Services (eIDAS). eIDAS is an EU regulation on electronic identification and trust services for electronic transactions that applies as law within the whole of the EU. Trust services include electronic signatures, electronic seals, time…

  • During my almost 20 years with the company (first as a freelancer, then as an employee) I have seen atsec grow from a small, determined group of IT professionals in a crammed room full of computers into an international company with a well-earned, excellent reputation in the IT security world. Growing from the first baby…

  • To all of our valued customers, colleagues, friends and family we wish Happy Holidays and a Safe and Secure New Year. We are looking forward to working with you in the coming year. Regards, your atsec team

  • November 21, 2019, Melbourne, Australia atsec China participated in the PCI Security Standards Council’s 2019 Asia-Pacific Community Meeting held in Melbourne, Australia from the 20th to 21st of November, and also hosted a booth. atsec’s principal consultants provided a presentation on “a PCI Walk in the Clouds.” atsec shared their experience in Payment Card Industry…

  • atsec US Corporate Vice President and Lab Director, Yi Mao, presented “Crypto Testing Leading to Better Security” at InnoTech Austin 2019. Through many examples, Dr. Mao showed the audience that cryptography is the hard core providing data confidentiality, integrity and authenticity. Cryptographic algorithms are used to encrypt sensitive data (e.g. password files), to authenticate users…

  • by Stephan Mueller The OpenSSL project outlined the development strategy pertaining to the Federal Information Processing Standard (FIPS) 140-2 code in the November 7th, 2019 OpenSSL blog titled “Update on 3.0 Development, FIPS and 1.0.2 EOL.”[1] As a summary, the following relevant aspects for FIPS 140-2 are communicated. · The standard OpenSSL 1.0.2 will be End of…

  • Stephan Mueller With the enforcement of SP800-90B starting in November 2020, the noise sources behind the Linux /dev/random, /dev/urandom and the getrandom system call interfaces must comply with all requirements stipulated by SP800-90B. If this compliance is not achieved, all modules using Linux random number generator as entropy source from its operational environment will likely…

  • The atsec Automated Cryptographic Validation Protocol (ACVP) tool set demonstrated that ACVT is fully production-ready with the completion of the ACVP test run of 3,529 test vector sets managed by 329 test sessions. The testing marks the first successful production test run of ACVT with the three-party approach commonly used during FIPS 140-2 testing. The…

  • atsec China (with the official name – atsec (Beijing) Information Technology Co., Ltd) has been qualified by the PCI SSC (Payment Card Industry Security Standards Council) as a QPA (Qualified PIN Assessor) company to perform the PCI personal identification number (PIN) security assessments according to the PCI PIN Security standard. The recent version of the…

  • NIST’s Special Publication 800-90B “Recommendation for the Entropy Sources Used for Random Bit Generation” (SP800-90B) lays out the testing requirements for random bit generators. According to Implementation Guidance 7.18, compliance to SP800-90B will be mandatory for FIPS 140-2 validations starting November 8th 2020. Our colleague Stephan Mueller recently published an updated, SP800-90B compliant version of…

  • atsec participated in ICCC 2019 held in Singapore from October 1st to 3rd in conjunction with Singapore International Cyber Week (SICW). It was the perfect venue to celebrate the 20th anniversary of the Common Criteria standard with an increase of the Common Criteria Recognition Arrangement (CCRA) membership from 27 to 31 with the addition of…

  • We invite you to take a look at our CST Newsletter. This newsletter is intended to inform our customers about recent changes within the Implementation Guidance and NIST’s Cryptographic Module Validation Program (CMVP). We also included a high-level summary of changes to the testing and documentation that FIPS 140-3 will introduce.

  • atsec is pleased to announce that it has been licensed by CSA to be a Common Criteria Testing lab (CCTL) under the Singapore Common Criteria Scheme (SCCS). Please check the Common Criteria Portal: https://www.commoncriteriaportal.org/labs/index.cfm as well as the Singapore Common Criteria Scheme: https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/singapore-common-criteria-scheme/approved-labs atsec is already operating Common Criteria labs under BSI Germany, US NIAP, CSEC Sweden and…

  • by Trang Huynh I had the privilege of being on a discussion panel at the NIAP Validator Workshop this past June. The topic for the panel was “Continuous Software Update,” and the issue we were trying to tackle was Common Criteria (CC) evaluations for products with a high frequency of software updates, such as those…

  • atsec is proud to announce that the Automated Cryptographic Validation Testing (ACVT) service is operational. The atsec Cryptographic Security Testing (CST) laboratory is the first ever to achieve operational status with the Automated Cryptographic Validation Protocol (ACVP) production server operated by NIST. atsec’s ACVP tools are fully implemented and functional. After the test results for…

  • atsec is pleased to announce that the atsec Rome office has been accredited by the Italian scheme, OCSI, for performing Common Criteria evaluations. This is in addition to the accreditations by the Italian security agency, OCSI, of our atsec laboratories in the U.S., Germany and Sweden. Garibaldi Conte: Managing Director, atsec Italy, 2019: “I am…

  • atsec congratulates Qualcomm on the successful evaluation of their Snapdragon 855 system on a chip (SOC) processor. The evaluation was performed jointly by atsec information security laboratory GmbH and T-Systems International GmbH laboratory; with the software evaluation being performed by atsec, and the hardware evaluation performed by T-Systems. atsec is proud to have contributed to the…

  • China, Shanghai—From June 19th to 20th, Visa held the Asia Pacific Security Summit in Shanghai, China. During the “Ecosystem Data Security Workshop” on the 19th, Diana Greenhaw, VISA’s Vice President of Global Payment System Risk, gave a speech on “Ecosystem Risk Updates—A Global Perspective”. As one of the signature sponsors, atsec draws attention from industry…

  • After a day of pre-conference workshops, the 7th International Cryptographic Module Conference (ICMC) was kicked off this morning with a welcome address from atsec’s VP and Lab Director Yi Mao. (from left to right: Renaudt Nunez, Stephan Mueller, Fiona Pattinson, Swapneela Unkule, Yi Mao) Yi Mao’s Opening Speech for the ICMC 2019: “Good morning everyone!…

  • Green Entropy

    White Paper international Think-tank Community (iTC) April 1st, 2019 Green Entropy Tasked with consideration of ways and means to reduce the carbon footprint of IT security; after a year of deliberation the iTC have produced the following summary of their report. The full report is available on request to itc@green-entropy.org Research has shown that much effort has recently…

  • Happy International Women’s Day to all our wonderful atsec colleagues in Europe, US and Asia.

  • For several years the value of conformance testing against the FIPS 140-2 specification has been well accepted, and the assurance gained through validated conformance has been specified in several other markets.

  • As many of our customers will be aware, the current U.S. government shutdown can affect their projects with atsec. This time, the partial shutdown includes the U.S. Department of Commerce, and hence NIST’s Computer Security Resource Center. This affects our customers with FIPS 140-2 conformance validations (CMVP), and cryptographic algorithm validations (CAVP/ACVP). The U.S. Common…

  • atsec is proud to present support for the NIST ACVP testing framework which replaces the legacy NIST CAVS testing. Cryptographic algorithm validation program (CAVP) testing is required for cryptographic modules undergoing conformance testing and validation according to the FIPS 140-2 specification. It is also required for Common Criteria evaluations performed in accordance with the NIAP Common Criteria Evaluation…

  • The Network International Technical Community (iTC) published the Network Device Collaborative Protection Profile (NDcPP) version 2.1. This is the latest update to the NDcPP series of cPPs. Vendors looking to perform a NIAP evaluation using this cPP will need to wait until NIAP approves the new version. In the past, NIAP has taken about one…

  • After a day of pre-conference workshops, the International Cryptographic Module Conference (ICMC) 2018 was kicked off this morning with a welcome address from atsec’s VP and Lab Director Yi Mao. The welcome was followed by keynote speeches from Jason Hart, CTO of Data Protection for Gemalto UK and Scott Jones, Assistant Deputy Minister of Information…

  • Near the end of 2017, NIAP issued and later retracted Labgram #106. This Labgram warned that RSAES-PKCS1-v1.5 would be disallowed by NIST after 2017 which meant that it would also be disallowed by NIAP after 2017 in CC evaluations. The reason for the retraction was because NIST delayed the publication of their update to NIST…

  • In a major announcement, atsec information security announces the establishment of partnerships with major retail outlets around the world, in a bid to provide more convenient provision of security assurance to users of commercial IT products. Users of commercial off the shelf products purchased through major retail outlets can set default profile options such as…

  • Oh boy!!! Yet another year has gone by and we are celebrating International Women’s Day again. This year the theme is “Time is Now: Rural and urban activists transforming women’s lives”. I must say that working in atsec has always been free of the worries about gender inequality that I’ve been reading such a lot about…

  • It is 18 years since atsec was founded on January 11th, 2000. Since then atsec has made a very significant contribution to information security. As one of the only truly independent labs atsec is still self-funded, owned by professionals in the security assurance business and a key player in the technologies and geographies in which…

  • What is eIDAS? Evaluation and certification of trustworthy systems and signature and seal creation devices becomes increasingly important due to the new eIDAS regulation (EU Regulation No. 910/2014) that entered into force in the 28 EU Member States in July 2016. eIDAS is an EU regulation on electronic identification (eID) and trust services (AS), which…

  • As You Like It!

    Over the last few years we have seen some maturation in the processes of providing information security assurance. This is good. First let’s roll back into history, to the days in the ‘70’s and ‘80’s, when it could not be safely assumed that the operating systems in use implemented access control correctly. “The Birth and…

  • “Dear Community, It is the second time that I have had the honor and pleasure to open the International Cryptographic Module Conference. This year is very special since it is the fifth anniversary of the conference. I’d like to welcome you all with an image from the end of the 1st ICMC. Many of you…

  • Mea Culpa

    Unfortunately, atsec has been accused of distributing fake news. Here at atsec we take such an accusation seriously. We have performed a thorough internal investigation and have determined that the accusation is true. atsec has been guilty of disseminating fake news on an annual basis for the last fifteen years. We have followed our internal…

  • atsec customers who have projects for testing, validating, and certifying cryptographic modules for the US government market are intimately familiar with the FIPS 140-2 standard. This standard and its associated supporting documents are produced and published by NIST. Together, the suite of documents define the specification and testing requirements for a cryptographic module that is…

  • The votes have been counted and Zippa Futura and ISO/IEC 19790 win by a large margin:

  • Recognizing the need for secure IT products in all regions of the world, and in support of an internationally agreed Arrangement allowing for the mutual recognition of independently evaluated and validated information technology (IT) products, the Vatican has decided to sign the ISO/IEC 15408 International Recognition Arrangement (I2RA) and has started to validate the security…

  • Cryptographic Algorithm Validations The Cryptographic Algorithm Validation Program (CAVP) is an organization that is managed solely by the National Institute of Standards and Technology (NIST). Information about the CAVP scheme, including the official validation lists, can be found at NIST’s web page for the CAVP. The CAVP certifies that certain algorithms and related security functions…

  • The 2015 International Cryptographic Module Conference (ICMC) started yesterday with a day of pre-conference workshops on FIPS 140 Projects, Breaking into Embedded Devices, and Addressing Unique Security Challenges through Standardization. The main conference was opened today by Yi Mao, Ph.D., CST Lab Manager of atsec, followed by keynote speakers Phil Zimmermann (Creator of PGP, Co-founder,…

  • The 2014 ICMC started with a day of workshops on FIPS 140-2 and ISO/IEC 19790, followed today by keynote speakers Helmut Kurth (atsec information security) and Mary Ann Davidson (Oracle). Almost 200 attendees from around the world came to this year’s conference to discuss topics ranging from high-level policy to advanced technical subjects. One of…

  • This past September was my conference month. I first went to the 14th International Common Criteria Conference (ICCC) in Orlando, Florida and then a week later I was at the 1st International Cryptographic Module Conference (ICMC) in Gaithersburg, Maryland. The theme of the ICCC this year was a collaborative approach. The conference directed the CC…

  • The first ICMC is over. It was a wonderful event and thanks are due to all of the 171 participants for making it so. Participant Quote: “This conference is Win Win Win!” These attendees represented developers, governments, laboratories, consultants, and academics from the cryptographic module community. It turned out to be a truly international affair with people…

  • This first ICMC aims to bring together experts from around the world to confer on the topic of cryptographic modules, with emphasis on their secure design, implementation, assurance, and use, referencing both new and established standards such as FIPS 140-2 and ISO/IEC 19790. We are focused on attracting participants from the engineering and research community,…

  • 1. Starting without the standard in mind: Probably the biggest problem causing issue in a FIPS 140-2 validation project is when the developer decides to ‘back into’ the standard after the fact. Trying to validate a product that was developed without being mapped to the standard is more difficult at the very least and has a…

  • Galactic Emperor pleased about timely completion GAMMA DELPHI, Phnil’krq-Nebula – Stardate 2454191.50001 atsec information security is pleased to announce Cosmic Criteria certification of the Mark VII Transporter Beam Control Software (Update 3.1, Fix Pack 2) at Stellar Assurance Level 9 augmented with flaw remediation (SAL9+) in compliance with the Particle Transmission Protocol Protection Profile (PTPPP). PTPPP…

  • Evaluation of Färist VPN and Firewall marks pioneering effort for Tutus AB, atsec AB, and CSEC Stockholm, Danderyd, Sweden – atsec information security AB is performing an EAL4+ evaluation of Tutus Data AB Färist VPN and Firewall for certification by the Swedish Certification Body for IT Security (CSEC). Of course an EAL4+ evaluation is nothing…