Revisiting the analysis of references among Common Criteria
certified products

J 2025

Revisiting the analysis of references among Common Criteria certified products

JANOVSKÝ, Adam; Lukasz Michal CHMIELEWSKI; Petr ŠVENDA; Ján JANČÁR; Václav MATYÁŠ et al.

Základní údaje

Originální název

Revisiting the analysis of references among Common Criteria certified products

Autoři

JANOVSKÝ, Adam; Lukasz Michal CHMIELEWSKI; Petr ŠVENDA; Ján JANČÁR a Václav MATYÁŠ

Vydání

Computers & Security, 2025, 0167-4048

Další údaje

Jazyk

angličtina

Typ výsledku

Článek v odborném periodiku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Velká Británie a Severní Irsko

Utajení

není předmětem státního či obchodního tajemství

Odkazy

URL

Impakt faktor

Impact factor: 5.400 v roce 2024

Označené pro přenos do RIV

Ano

Kód RIV

RIV/00216224:14330/25:00140579

Organizační jednotka

Fakulta informatiky

Klíčová slova anglicky

Security certification; Common Criteria; Vulnerability assessment; Data analysis; References

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 1. 4. 2026 10:48, RNDr. Pavel Šmerk, Ph.D.

Anotace

V originále

With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.

Návaznosti

MUNI/A/1586/2023, interní kód MU

Název: Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů

Investor: Masarykova univerzita, Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů

101087529, interní kód MU

Název: Cyber-security Excellence Hub in Estonia and South Moravia (CHESS)

Investor: Evropská unie, Cyber-security Excellence Hub in Estonia and South Moravia (CHESS), Rozšiřování účasti a posílení ERA

90254, velká výzkumná infrastruktura

Název: e-INFRA CZ II

Citovat

JANOVSKÝ, Adam; Lukasz Michal CHMIELEWSKI; Petr ŠVENDA; Ján JANČÁR a Václav MATYÁŠ. Revisiting the analysis of references among Common Criteria certified products. Computers & Security. 2025, roč. 152, č. 104362, s. 1-10. ISSN 0167-4048. Dostupné z: https://doi.org/10.1016/j.cose.2025.104362.

@article{2474337,
   author = {Janovský, Adam and Chmielewski, Lukasz Michal and Švenda, Petr and Jančár, Ján and Matyáš, Václav},
   article_number = {104362},
   doi = {https://doi.org/10.1016/j.cose.2025.104362},
   keywords = {Security certification; Common Criteria; Vulnerability assessment; Data analysis; References},
   language = {eng},
   issn = {0167-4048},
   journal = {Computers & Security},
   title = {Revisiting the analysis of references among Common Criteria certified products},
   url = {https://www.sciencedirect.com/science/article/pii/S0167404825000513},
   volume = {152},
   year = {2025}
}

TY  - JOUR
ID  - 2474337
AU  - Janovský, Adam - Chmielewski, Lukasz Michal - Švenda, Petr - Jančár, Ján - Matyáš, Václav
PY  - 2025
TI  - Revisiting the analysis of references among Common Criteria certified products
JF  - Computers & Security
VL  - 152
IS  - 104362
SP  - 1-10
EP  - 1-10
SN  - 01674048
KW  - Security certification
KW  - Common Criteria
KW  - Vulnerability assessment
KW  - Data analysis
KW  - References
UR  - https://www.sciencedirect.com/science/article/pii/S0167404825000513
N2  - With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.
ER  -

JANOVSKÝ, Adam; Lukasz Michal CHMIELEWSKI; Petr ŠVENDA; Ján JANČÁR a Václav MATYÁŠ. Revisiting the analysis of references among Common Criteria certified products. \textit{Computers \&{} Security}. 2025, roč.~152, č.~104362, s.~1-10. ISSN~0167-4048. Dostupné z: https://doi.org/10.1016/j.cose.2025.104362.

Přehled o publikaci