Bakalářská práce

Analysis and search for problematic certificates in Common Criteria

Lyubov Laurenyuk
Anotace

Tato bakalářská práce analyzuje certifikace Common Criteria (CC) a vybrané certifikace FIPS 140 s cílem identifikovat případy, kdy jejich veřejně dostupná dokumentace naznačuje bezpečnostně relevantní omezení nebo nejednoznačnosti. S využitím ekosystému sec-certs, open-source frameworku pro sběr a analýzu artefaktů bezpečnostních certifikací, práce kombinuje automatizované vyhledávání v certifikačních …více

Abstract

This thesis analyzes Common Criteria (CC) and selected FIPS 140 certificates with the goal of identifying cases where their public documentation suggests security-relevant limitations or ambiguities. Using the sec-certs ecosystem, an open-source framework for collecting and analyzing security certification artifacts, it combines automated search in certification artifacts with manual analysis of selected …více

Zadání práce
The sec-certs project (sec-certs.org) aims to be the one-stop shop for exploring the security certification ecosystem (specifically, the Common Criteria and FIPS 140 schemes). The project aggregates and annotates certification data, enabling unified search, vulnerability investigation, trend analysis, side-by-side comparisons, notifications, and more. The project is a long-term research focus of the Centre for Research on Cryptography and Security (CRoCS) at FI MUNI in cooperation with an industrial partner, Red Hat.

The main goal for the student in this project is to identify so-called problematic certificates, primarily in the Common Criteria scheme but potentially in FIPS 140 as well. As problematic certificates, we consider those that suggest there may be underlying common-sense security issues in the certified products, even though they are certified. 

There were several problematic certificates even before the work on this thesis started. For example, consider the following two certificates : 
  • Hikvision Network Camera Series: https://www.commoncriteriaportal.org/files/epfiles/SERTIT-115 Hikvision CR v1.0.pdf
    Problem: A secure IP camera is evaluated as secure under the assumption that the network interface is secure. That suggests the network certificate may be insecure. 
  • Samsung IC (ANSSI-CC-2022/09, certificate in French) with potentially misconfigured memory protection rights.
    Problem: The certificate contains the following text: "The evaluation is based on the evaluation results of this same product certified on October 8, 2021, under the reference ANSSI-CC-2021/47, see [CER]. It corresponds to an evaluation with scope reduction following the identification of vulnerability.". This suggests that the product covered by the previous certificate may contain a vulnerability. 
The student's goal is to analyze the existing problematic certificates and search for new ones using the search tooling from the sec-certs project. The project's outcome would also include a description of how the problematic certificates were identified (e.g., queries to the sec-certs database/portal). 

In particular, the following tasks should be executed within the project:
  • Analyze existing problematic certificates and the root issues of their problems. 
  • Search for new problematic certificates using the search tooling developed within the sec-certs project. For all newly identified problematic certificates, assess the nature of the issues, their potential practical impact, and speculate on their root causes.
  • Moreover, for all problematic certificates, classify them into distinct issue categories (i.e., certificates affected by similar security issue shoudl be grouped together). 
  • Optionally, the student will search for problematic certificates by analyzing unexpected modifications in them over time. 
Práce zkontrolována:
25. 5. 2026 10:47, Lukasz Michal Chmielewski, PhD, učo 247858
Plný text práce
429,9 KB / soubor PDF
Jazyk práce
angličtina angličtina
Termín obhajoby
24. 6. 2026
Práce byla úspěšně obhájena

Vedoucí

Lukasz Michal Chmielewski, PhD, učo 247858
KPSK FI MU

Oponent

RNDr. Martin Ukrop, Ph.D., učo 374297
KPSK FI MU

  • Přidání souboru

    Soubor nebo složku lze nahrát pomocí tlačítka Přidat.
  • Další operace se soubory

    Podrobnosti lze zjistit označením příslušného řádku.
  • Pohled pro experty

    Pro častou práci je možné zvolit režim Více možností.
  • Vyhledávání souborů

    Vyhledávaný výraz můžete zadat přímo do adresního řádku.
  • Rychlý přístup k souborům

    Pomocí funkce Nedávné je možné se rychle vrátit k právě prohlíženým souborům. Oblíbené soubory je také možné označit Hvězdičkou.