D 2024

Chain of Trust: Unraveling References Among Common Criteria Certified Products

JANOVSKÝ, Adam, Lukasz Michal CHMIELEWSKI, Petr ŠVENDA, Ján JANČÁR, Václav MATYÁŠ et al.

Basic information

Original name

Chain of Trust: Unraveling References Among Common Criteria Certified Products

Authors

JANOVSKÝ, Adam (203 Czech Republic, guarantor, belonging to the institution), Lukasz Michal CHMIELEWSKI (616 Poland, belonging to the institution), Petr ŠVENDA (203 Czech Republic, belonging to the institution), Ján JANČÁR (703 Slovakia, belonging to the institution) and Václav MATYÁŠ (203 Czech Republic, belonging to the institution)

Edition

Cham, ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, volume 710, p. 191-205, 15 pp. 2024

Publisher

Springer Nature Switzerland

Other information

Language

English

Type of outcome

Paper in proceedings

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Switzerland

Confidentiality degree

not subject to state or trade secrecy

Publication form

electronic version available online

Organization unit

Faculty of Informatics

ISBN

978-3-031-65175-5

Keywords in English

security certification; Common Criteria; FIPS 140; security evaluation

Tags

International impact, Reviewed
Changed: 7/10/2024 08:30, doc. RNDr. Petr Švenda, Ph.D.

Abstract

In the original

With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
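The reference-graph analysis the abstract outlines, as an added example in Python that is not code from the paper or its authors: it extracts certificate references from constructed certificate texts (hypothetical IDs of the form EX-CC-NNNN-YYYY that denote no real certificate), labels the context of each reference with a keyword heuristic standing in for the paper's supervised classifier, keeps only the references that are genuine dependencies, and then computes which components at least 10% of the ecosystem relies on, directly or transitively, and which dependencies point at archived products. The sentence splitting, the cue phrases and the "archived" flag are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed certificate records (hypothetical data for this example). The IDs
# mimic the shape of Common Criteria certificate IDs but denote no real product.
CERTS = {
    "EX-CC-0001-2016": {"text": "Secure microcontroller hardware platform.", "archived": True},
    "EX-CC-0002-2018": {"text": "Java Card operating system built on EX-CC-0001-2016.", "archived": False},
    "EX-CC-0003-2019": {"text": "Successor of EX-CC-0002-2018; based on the hardware platform EX-CC-0001-2016.", "archived": False},
    "EX-CC-0004-2020": {"text": "ePassport applet running on EX-CC-0003-2019.", "archived": False},
    "EX-CC-0005-2020": {"text": "Payment applet running on EX-CC-0003-2019. Re-certification of EX-CC-0005-2018.", "archived": False},
    "EX-CC-0006-2021": {"text": "Qualified signature creation device built on EX-CC-0002-2018.", "archived": False},
    "EX-CC-0007-2021": {"text": "Network firewall appliance.", "archived": False},
    "EX-CC-0008-2021": {"text": "Database server evaluated under the same scheme as EX-CC-0007-2021.", "archived": False},
    "EX-CC-0009-2022": {"text": "Mobile device management suite.", "archived": False},
    "EX-CC-0010-2022": {"text": "Hardware security module firmware running on EX-CC-0001-2016.", "archived": False},
    "EX-CC-0011-2023": {"text": "National identity applet running on EX-CC-0003-2019.", "archived": False},
    "EX-CC-0012-2023": {"text": "Successor of EX-CC-0011-2023.", "archived": False},
}

CERT_ID = re.compile(r"EX-CC-\d{4}-\d{4}")

# Keyword cues standing in for the paper's supervised classifier (assumption:
# real certificate texts are far noisier than these phrases).
DEPENDENCY_CUES = ("built on", "running on", "based on", "relies on")
PREDECESSOR_CUES = ("successor of", "re-certification of", "previous version of")


def classify_reference(sentence):
    """Label the context in which a sentence references another certificate."""
    s = sentence.lower()
    if any(cue in s for cue in PREDECESSOR_CUES):
        return "predecessor"      # same product line, not a runtime dependency
    if any(cue in s for cue in DEPENDENCY_CUES):
        return "dependency"       # the referenced product is a component relied on
    return "other"                # e.g. shared evaluation scheme, comparison


def build_graph(certs):
    """Directed edges (referrer, referenced, context), extracted per sentence."""
    edges = []
    for cid, rec in certs.items():
        for sentence in re.split(r"(?<=[.;])\s+", rec["text"]):
            ctx = classify_reference(sentence)
            for target in CERT_ID.findall(sentence):
                if target != cid:
                    edges.append((cid, target, ctx))
    return edges


def transitive_dependents(certs, edges):
    """Map each certificate to every certificate that depends on it, directly
    or through a chain of dependency edges; other contexts are ignored."""
    reverse = defaultdict(set)
    for src, dst, ctx in edges:
        if ctx == "dependency":
            reverse[dst].add(src)
    result = {}
    for cid in certs:
        seen, stack = set(), [cid]
        while stack:
            for dep in reverse[stack.pop()]:
                if dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
        result[cid] = seen
    return result


def critical_components(certs, edges, min_share=0.10):
    """Certificates relied on by at least min_share of the whole ecosystem,
    as (id, share) pairs, most relied-on first."""
    deps = transitive_dependents(certs, edges)
    total = len(certs)
    hits = [(cid, len(d) / total) for cid, d in deps.items() if len(d) / total >= min_share]
    return sorted(hits, key=lambda item: -item[1])


def dependencies_on_archived(certs, edges):
    """Dependency edges pointing at a product whose certificate is archived."""
    return [(src, dst) for src, dst, ctx in edges
            if ctx == "dependency" and certs.get(dst, {}).get("archived", False)]


if __name__ == "__main__":
    graph = build_graph(CERTS)
    for cid, share in critical_components(CERTS, graph):
        print(f"{cid}: relied on by {share:.0%} of the ecosystem")
    for src, dst in dependencies_on_archived(CERTS, graph):
        print(f"{src} depends on archived {dst}")
```

The transitive closure is what makes a platform certificate look critical: in the sample, the archived hardware platform is referenced directly by only three products but relied on by seven of the twelve, because the operating systems built on it carry their own dependents with them. With real certificate texts the classification step is the hard part; the graph step is unchanged.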

Links

MUNI/A/1586/2023, MU internal code
Name: Applied research at FI: Forensic aspects of critical infrastructures, applied cryptography, cybersecurity training, scheduling algorithms in logistics and for processing data from physical sensors
Investor: Masaryk University, Applied research at FI: Forensic aspects of critical infrastructures, applied cryptography, cybersecurity trainings, scheduling algorithms in logistics and algorithms for physical sensors
101087529, MU internal code
Name: Cyber-security Excellence Hub in Estonia and South Moravia (CHESS)
Investor: European Union, Cyber-security Excellence Hub in Estonia and South Moravia (CHESS), Widening participation and strengthening the European Research Area
90254, large research infrastructures
Name: e-INFRA CZ II