Search examples#
The goal is to provide a curated catalog of search strings over Common Criteria and FIPS-140 certification artifacts executed on the sec-certs webpage.
You are encouraged to contribute: please create a pull request and insert an entry into a suitable section in lexicographic order. Thank you!
The sec-certs project started in 2019 with the goal of automatically processing certification artifacts. An extensive collection of keyword-search regular expressions is already included in the project's rules.yml file. Custom full-text and title-only searches are additionally possible via the web interface. This document provides a list of ready-to-use aggregated search strings for different domains, written in the Whoosh query language. If you find this list helpful, please consider citing our work as:
@article{sec-certs,
title = {sec-certs: Examining the security certification practice for better vulnerability mitigation},
journal = {Computers & Security},
volume = {143},
year = {2024},
issn = {0167-4048},
doi = {10.1016/j.cose.2024.103895},
url = {https://www.sciencedirect.com/science/article/pii/S0167404824001974},
author = {Adam Janovsky and Jan Jancar and Petr Svenda and Łukasz Chmielewski and Jiri Michalik and Vashek Matyas},
keywords = {Security certification, Common criteria, Vulnerability assessment, Data analysis, Smartcards}
}
Format and notation#
Search string goal: Common Criteria ( ) ( ), FIPS-140 ( )
whole search string
(for manual cut&paste)
Short description of the domain targeted by the search string, the expected results and their interpretation.
Each empty pair of parentheses is a placeholder for a link: the first one after Common Criteria runs the search on the sec-certs.org page, the second shows the result visualized as a graph of references, and the one after FIPS-140 runs the same search over the FIPS-140 certificates. The search string on the line below the goal is the part to copy.
Warning
False positives may be present; always check the actual certification document, since a search hit may still be "out of ToE scope", have "no security functionality claimed", etc.
Cryptographic capabilities#
Multi-party security#
Multi-party security use: Common Criteria (), FIPS-140 ()
"multiparty" OR "SMPC" OR "Multi-Party" OR "FROST"
Certificates that mention any form of multi-party execution, hopefully in a security or even cryptographic context.
Post-quantum cryptography#
Post-quantum algorithms support: Common Criteria (), FIPS-140 ()
"post quantum" OR "post-quantum" OR "PQC" OR "KYBER" OR "SPHINCS" OR "NTRU" OR "XMSS" OR "LWE" OR "CSIDH" OR "BLISS" OR "RLCE" OR "McEliece" OR "CRYSTALS" OR "Dilithium"
Certificates mentioning support for post-quantum cryptographic algorithms.
Vulnerability assessment#
ROCA vulnerability#
ROCA (CVE-2017-15361) is a private-key recovery vulnerability in the Infineon RSALib library used in smartcard and TPM devices manufactured between roughly 2004 and 2017: the RSA primes produced by the library have a special structure that makes the public modulus both recognizable (fingerprintable) and factorizable. More details are available here.
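The fingerprint that makes ROCA-affected keys recognizable, as an added example that is not taken from the sec-certs page or project: a stdlib-only Python check of whether an RSA modulus has the structure produced by the affected RSALib (for every small prime p up to 167, N mod p lies in the subgroup generated by 65537). The two sample moduli are constructed for the demonstration and are not real keys; `parse_openssl_modulus` is a helper of this example for the `Modulus=` line printed by `openssl rsa -pubin -noout -modulus`.

```python
"""ROCA (CVE-2017-15361) modulus fingerprint, pure Python (stdlib only).

Added example, not part of the sec-certs page or project.  An RSA modulus N
produced by the affected Infineon RSALib satisfies  N mod p  in the cyclic
subgroup <65537> of Z_p*  for every small prime p up to 167, because the
library builds its primes as  k*M + (65537^a mod M)  with M the product of
those primes.  A random modulus lands in all 38 subgroups with negligible
probability, so the test is a practical detector.
"""

GENERATOR = 65537

# Odd primes up to 167 (the prime 2 carries no information for an odd N).
# Their product divides the generator modulus M for every affected key size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]


def subgroup_residues(p: int) -> frozenset:
    """All residues 65537^k mod p, i.e. the subgroup <65537> of Z_p*."""
    seen = set()
    x = 1
    while x not in seen:          # stops once the cycle returns to 1
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


# Precomputed once; the reference roca-detect tool ships the same sets as
# per-prime bitmasks.
FINGERPRINT = {p: subgroup_residues(p) for p in SMALL_PRIMES}


def failing_primes(modulus: int) -> list:
    """Primes p for which N mod p is NOT in <65537>; empty means the fingerprint matches."""
    return [p for p in SMALL_PRIMES if modulus % p not in FINGERPRINT[p]]


def has_roca_fingerprint(modulus: int) -> bool:
    """True when N passes the subgroup test for every small prime."""
    return not failing_primes(modulus)


def parse_openssl_modulus(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by
    `openssl rsa -pubin -in key.pem -noout -modulus` (helper of this example)."""
    key, _, hexdigits = line.strip().partition("=")
    if key != "Modulus" or not hexdigits:
        raise ValueError("expected a line of the form Modulus=<hex>")
    return int(hexdigits, 16)


# --- constructed sample moduli (not real keys) ---------------------------
M_ODD = 1
for _p in SMALL_PRIMES:
    M_ODD *= _p

# Mimics the affected generator: N = 65537^a (mod M), so every small-prime
# residue lies in the subgroup.  Padded with a multiple of M to look key-sized.
ROCA_LIKE_MODULUS = (1 << 500) * M_ODD + pow(GENERATOR, 123456, M_ODD)

# An ordinary odd number chosen so that N mod 11 == 2, which is outside
# <65537> mod 11 = {1, 10}; the fingerprint must reject it.
CLEAN_MODULUS = 11 * (1 << 1000) + 35

if __name__ == "__main__":
    for name, n in (("ROCA-like", ROCA_LIKE_MODULUS), ("clean", CLEAN_MODULUS)):
        print(f"{name:9s} bits={n.bit_length():5d} "
              f"fingerprint={has_roca_fingerprint(n)} "
              f"first failing prime={failing_primes(n)[:1]}")
    # The openssl glue on a constructed line (not a real modulus):
    print(has_roca_fingerprint(parse_openssl_modulus("Modulus=C0FFEE")))
```

The search strings in this section find certificates that mention a vulnerable library version; this check is the complementary test on a product's actual public keys, which is what decides whether a given deployment is affected.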
ROCA-vulnerable Infineon RSALib library v1.02.013: Common Criteria (), no FIPS-140
"v1.02.013"
Certificates mentioning the confirmed-vulnerable version 1.02.013 of the Infineon RSALib library.
ROCA-vulnerable Infineon RSALib library and similar versions (wildcard) v1.02.0??: Common Criteria (), no FIPS-140
v1.02.0*
Certificates mentioning Infineon RSALib 1.02.013 and other library versions with the same prefix. Versions v1.02.008, v1.02.010 and v1.02.014 are possibly also vulnerable.
ROCA-vulnerable (likely) Infineon RSALib libraries other than v1.02.013: Common Criteria (), no FIPS-140
v1.02.0* NOT "v1.02.013"
Certificates mentioning a possibly vulnerable RSALib version other than v1.02.013. Versions v1.02.008, v1.02.010 and v1.02.014 are possibly also vulnerable.
Certificate IDs from the Austrian report 163484: Common Criteria (), no FIPS-140
"BSI-DSZ-CC-0833-2013" OR "BSI-DSZ-CC-0921-2014" OR "BSI-DSZ-CC-0782-2012" OR "BSI-DSZ-CC-0758-2012" OR "ANSSI-CC-2013/55"
Certificates mentioning the certificate IDs that are directly or indirectly referenced in the Austrian report 163484 on the Estonian eID platform (ANSSI-CC-2013/55).