• 日本語
• 한국어
• 简体中文
• English

Certification

The Elliptic team has extensive experience in all aspects of security design. To help customers meet their goals from a cost and schedule point of view, Elliptic offers security consulting services that include NIST CMVP, FIPS 140-2, FIPS 140-3 and EAL validation.

FIPS-140

Elliptic recommends that customers who are considering a FIPS validation under the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP), start as early as possible in the product design cycle. A CMVP validation must be done by a third party, NIST accredited lab. During the validation program, Elliptic will assist customers with the security design of the product being considered for certification, help to create the documentation required by the third party lab and NIST and work to resolve questions as they arise during the process. A FIPS validation process will take several months to complete.

The following list outlines the typical steps in a FIPS certification process:

• The manufacturer submits the product and accompanying documentation to the accredited lab for certification and testing.
• The third party test lab reviews and tests the product against the FIPS 140-2 Derived Test Requirements.
• The third party test lab prepares and submits a draft certification report to NIST for review.
• NIST provides the third party test lab with questions/comments on the certification report.
• Once these questions have been resolved with NIST, a FIPS 140 certificate is issued by NIST.
• The certificate and descriptive information are posted to the CMVP web site on the NIST FIPS 140-1 and FIPS 140-2 Cryptographic Modules Certification List web page.

Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. The current release, version 3.1, is supported by 26 countries including most EU member states, Japan, Australia, Canada and the United States among others.

Common Criteria is a framework through which vendors of computer systems can implement designs that are expected to achieve a pre-determined security level. Testing laboratories can evaluate the products to confirm that they meet the criteria. System integrators use these unbiased test results to evaluate a vendor’s products to ensure that they can achieve their security objectives. The metric used in Common Criteria is known as an Evaluation Assurance Level (EAL) with higher security levels being equated with an increasing number. The following list outlines the EAL requirements at each level:

• EAL1: Functionally Tested
• EAL2: Structurally Tested
• EAL3: Methodically Tested and Checked
• EAL4: Methodically Designed, Tested, and Reviewed
• EAL5: Semi-formally Designed and Tested
• EAL6: Semi-formally Verified, Design and Tested
• EAL7: Formally Verified, Designed and Tested

Most companies considering certification of an existing product using Common Criteria aim for an EAL4 level. When submitting a new design for consideration, companies should aim for level EAL5 or EAL6. Similar to a FIPS validation, an approved, independent laboratory performs the certification.

Elliptic can help customers achieve CC certification. Engagement should begin early in the product life cycle to ensure a smooth and cost-effective certification process. Like FIPS, a Common Criteria certification will take several months and require dedicated resources to work through the process.