Chain of Trust: Unraveling References Among Common Criteria Certified Products

JANOVSKÝ, Adam, Lukasz Michal CHMIELEWSKI, Petr ŠVENDA, Ján JANČÁR and Václav MATYÁŠ. Chain of Trust: Unraveling References Among Common Criteria Certified Products. Online. In Nikolaos Pitropakis, Sokratis Katsikas, Steven Furnell, Konstantinos Markantonakis. ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology. volume 710. Cham: Springer Nature Switzerland, 2024, p. 191-205. ISBN 978-3-031-65175-5. Available from: https://dx.doi.org/10.1007/978-3-031-65175-5_14.

Basic information

Original name

Chain of Trust: Unraveling References Among Common Criteria Certified Products

Authors

JANOVSKÝ, Adam (203 Czech Republic, guarantor, belonging to the institution), Lukasz Michal CHMIELEWSKI (616 Poland, belonging to the institution), Petr ŠVENDA (203 Czech Republic, belonging to the institution), Ján JANČÁR ORCID (703 Slovakia, belonging to the institution) and Václav MATYÁŠ ORCID (203 Czech Republic, belonging to the institution)

Edition

volume 710. Cham, ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, p. 191-205, 15 pp. 2024

Publisher

Springer Nature Switzerland

---

Other information

Language

English

Type of outcome

Proceedings paper

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Switzerland

Confidentiality degree

is not subject to a state or trade secret

Publication form

electronic version available online

References:

URL

Organization unit

Faculty of Informatics

ISBN

978-3-031-65175-5

DOI

http://dx.doi.org/10.1007/978-3-031-65175-5_14

UT WoS

001299944000014

Keywords in English

security certification; Common Criteria; FIPS 140; security evaluation

Tags

International impact, Reviewed

---

Abstract

V originále

With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.

---

Links

MUNI/A/1586/2023, interní kód MU	Name: Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů Investor: Masaryk University, Applied research at FI: Forensic aspects of critical infrastructures, applied cryptography, cybersecurity trainings, scheduling algorithms logistics and algorithms for physical sensors
101087529, interní kód MU	Name: Cyber-security Excellence Hub in Estonia and South Moravia (CHESS) Investor: European Union, Cyber-security Excellence Hub in Estonia and South Moravia (CHESS), Widening participation and strengthening the European Research Area
90254, large research infrastructures	Name: e-INFRA CZ II