Five months after the official release of LINCE by the Centro Criptológico Nacional (CCN), we have the opportunity to present the new Spanish certification standard at the CCN-CERT event in Madrid. In this talk, we will address the situation of certifications in our country that led to the creation of a new scheme able to adapt to the needs of both the administration and private companies.
The Esquema Nacional de Seguridad (ENS) demands the use of certified products in certain situations and recommends their use at all times. In particular, it relies on the Catálogo de Productos de Seguridad de las Tecnologías de la Información y Comunicación (CPSTIC) as a list of products whose security has been verified. To gain access to this catalogue, a manufacturer must certify their product in accordance with the Common Criteria or pass a series of tests that the CCN may establish in particular cases.
Common Criteria certifications follow a strict and meticulous scheme of requirements that forces the manufacturer to invest large amounts of time and money to reach their goal. Nonetheless, in the Spanish landscape, where most companies are small or medium-sized, a Common Criteria certification is out of reach for many manufacturers, especially for products that are updated often or that need to be released as quickly as possible. Under these circumstances, the need for a new certification scheme that assures the security of products in a fast, cheap and attainable way is clear.
This is not a new problem; over the years many countries have created so-called light certifications. These schemes, such as the French Certification de Sécurité de Premier Niveau (CSPN), build on the Common Criteria principles to create certification procedures that are manageable for manufacturers while preserving the security assurance of the products. In the case of Spain, the light certification developed to this end is the Certificación Nacional Esencial de Seguridad (LINCE).
LINCE is an evaluation methodology for IT products based on the Common Criteria principles and oriented towards vulnerability analysis and penetration testing. Its main advantages over heavier certifications are lower effort, duration and cost for the manufacturer. Nevertheless, because of the way it is applied, it also allows more attention to be paid to the critical parts of each product, concentrating the effort on specific tests that help mitigate real threats instead of on exhaustive tests or dense documentation.
Besides the core LINCE content, there are two additional modules that may be used to complete the certification process and carry out a more detailed analysis of certain parts of a product. On the one hand, the Source Code Revision Module (MCF) consists of analysing the source code in search of vulnerabilities. On the other hand, the Cryptographic Evaluation Module (MEC) consists of evaluating the functionality of the cryptographic mechanisms implemented by the product. These modules entail additional work and time that are added to the total of the evaluation.
LINCE is therefore not a substitute for Common Criteria; its goal is to offer a security assurance to manufacturers and consumers at the most affordable level in terms of time, effort and money. A LINCE certificate allows the product to be incorporated into the CPSTIC, which brings two main advantages: national-level visibility of the product as safe to use, and the possibility of selling the product to the administration.
Summing up, the new LINCE methodology offers a cybersecurity certification procedure that allows manufacturers to take care of the documentation and all the other requirements of the procedure by themselves, that covers all the relevant attack vectors adapted to the particular characteristics of each product, and that guarantees the security of a product within a bounded time.
Article written with the invaluable help of Alberto del Río.