Vendor's guide to ASD cryptographic evaluations
1. What is an ASD Cryptographic Evaluation and why is it required?
An ASD Cryptographic Evaluation is an unconstrained search and test for cryptographic vulnerabilities. The Australian Signals Directorate (ASD) performs this search so Australian and New Zealand government agencies can rely on the strength and quality of the cryptographic security they use to protect official information and systems.
The result of an ASD Cryptographic Evaluation is a published consumer guide on the Evaluated Product List (EPL) that provides guidance to Australian government agencies on the security classification of information that can be stored or transmitted in accordance with the Information Security Manual (ISM).
In Australia, ICT security products may be evaluated for use by Australian government agencies through the Australasian Information Security Evaluation Program (AISEP), ASD High Assurance evaluation program or a discrete ASD evaluation.
An ASD Cryptographic Evaluation is required if:
- an ICT security product enters the AISEP containing cryptographic functionality in the Target of Evaluation (TOE), and an Australian government agency will rely on this cryptographic functionality for reducing the storage and physical transfer and/or electronic transit encryption requirements of PROTECTED information or higher, or
- an Australian government agency selects a product on the EPL that is not AISEP-evaluated (including products from the Common Criteria Portal) and the ICT security product contains cryptographic functionality that will be used to reduce the storage and physical transfer and/or electronic transit encryption requirements of PROTECTED information.
Examples of where an ASD Cryptographic Evaluation would and would not be required on a product containing cryptography are:
- if an Australian government agency wanted to use a hard disk encryption product to reduce the storage and physical transfer requirements of PROTECTED information on a laptop to those of UNCLASSIFIED, an ASD Cryptographic Evaluation would be required
- if an Australian government agency wanted to use an ICT security product that provided file-based encryption, auditing and access control features, but only wished to use the access control features, an ASD Cryptographic Evaluation would not be required.
Examples of cryptographic evaluations conducted in other nations include the UK's CAPS scheme, the USA's FIPS-140 and the USA and Canadian Cryptographic Module Validation Program (CMVP). The results and certification/validation of these cryptographic evaluations are not a replacement for an ASD Cryptographic Evaluation for Australian government agencies.
2. What is the purpose of an ASD Cryptographic Evaluation?
The purpose of an ASD Cryptographic Evaluation is to analyse a product to determine whether the security architecture and cryptographic algorithms used have been implemented correctly and are appropriately strong for the product’s intended use by the recommending government agency.
3. What is the relationship between an AISEP evaluation and an ASD Cryptographic Evaluation?
ASD performs cryptographic evaluations independently of the AISEP. However, the depth of testing in the ASD Cryptographic Evaluation is determined by the risks associated with the use of the product, which are dependent on the planned deployment of the product and the classification handling involved. These details should be specified in the letter of recommendation for evaluation to determine resourcing and effort involved. Information on the AISEP can be found at the AISEP FAQs.
4. If a vendor’s ICT security product has been evaluated under a Common Criteria scheme other than the AISEP, how do I have it listed on the EPL?
An Australian government agency must request and require that an ICT security product undergo an ASD Cryptographic Evaluation. An ASD Cryptographic Evaluation request is submitted to ASD through a letter of recommendation for evaluation in accordance with the recommendation process.
ASD Cryptographic Evaluation requests are actioned on the basis of Australian government need and priority. It is recommended that Australian government agencies first consider the use of a certified product that has completed the ACE process for suitability to their requirements in accordance with the ISM.
5. What tests are performed during an ASD Cryptographic Evaluation?
ASD Cryptographic Evaluation testing involves a combination of open source and in-house tests to ensure the correct implementation of encryption algorithms as well as assessing the quality of the surrounding cryptographic architecture.
Depending on the type and technology of ICT security product undergoing an ASD Cryptographic Evaluation, areas of testing may include packet sniffing, black box testing, source code review, key management analysis and Random Number Generation (RNG) evaluation.
6. Are there particular cryptographic algorithms or protocols that should be implemented in the ICT security product for Australian government use?
Yes. All ICT security products implementing cryptography destined for use by Australian government agencies must use ASD-approved cryptographic algorithms and ASD-approved cryptographic protocols. Further information is in the ISM.
7. What information and support should vendors provide in assisting an ASD Cryptographic Evaluation?
- A technical and/or engineering contact within the company (preferably located in Australia) to answer any questions that may arise during the ASD Cryptographic Evaluation.
- Technical documentation including descriptions of protocols, key management, algorithms and data formats.
- Offline access to the full source code of the ICT security product.
8. Why does ASD require source code in order to perform an ASD Cryptographic Evaluation?
To achieve a higher level of confidence in the implementation and architecture of the cryptographic security, greater scrutiny must be applied through an independent review of the source code. The provision of source code usually expedites the cryptographic evaluation as fewer assumptions are made about the ICT product, given that evaluators can view the full implementation as they require it.
9. When can ASD begin the ASD Cryptographic Evaluation?
Outside of Australia, an ASD Cryptographic Evaluation can only be performed on Common Criteria certified products. This includes all Common Criteria recognised certification schemes. The CC Security Target (ST) and Certification Report (CR) must be published/publicly available before the ASD Cryptographic Evaluation can begin. The commencement is also subject to information provided by the vendor.
For products undergoing CC evaluation in the AISEP, the commencement date of a product’s ASD Cryptographic Evaluation will depend on the provision of the information provided, in addition to the ICT product itself (hardware, software). The government letter of recommendation for evaluation for the ASD Cryptographic Evaluation also determines the priority of the evaluation.
Vendors are encouraged to be proactive in seeking advice and to be cooperative in providing information to facilitate the ASD Cryptographic Evaluation process.
10. How long does an ASD Cryptographic Evaluation take?
The ASD Cryptographic Evaluation process generally takes several months. This is an estimate from the ASD Cryptographic Evaluation commencement date, which is separate to an AISEP evaluation commencement date. The vendor will be formally advised of the ASD Cryptographic Evaluation commencement date by ASD. The time taken is greatly dependent on and influenced by the level of cooperation from the vendor and whether any security vulnerabilities are found during the ASD Cryptographic Evaluation. If security vulnerabilities are detected, continuation of the ASD Cryptographic Evaluation will depend on the implementation of a suitable fix.
If the recommending Australian government agency withdraws its recommendation, the ASD Cryptographic Evaluation will usually halt.
11. Do vendors need a Non-Disclosure Agreement in place with ASD before commencing an ASD Cryptographic Evaluation?
ASD does not require a Non-Disclosure Agreement (NDA) be in place prior to starting an ASD Cryptographic Evaluation.
If one is requested, an NDA can be negotiated between ASD and the vendor. It should be noted that this can be a lengthy process that will postpone the ASD Cryptographic Evaluation commencement until the NDA is finalised.
To reduce delays caused by an NDA, vendors may use the standard ASD NDA template, which is available upon request.
12. Does obtaining FIPS-140 accreditation mean that the ICT product does not need to go through an ASD Cryptographic Evaluation?
In accordance with the ISM, FIPS-140 accreditation does not replace an ASD Cryptographic Evaluation. However, providing all relevant FIPS accreditation documentation may assist the process.
13. What is the outcome of an ASD Cryptographic Evaluation?
The completion of an ASD Cryptographic Evaluation results in a published consumer guide for the product’s use by Australian government agencies. The consumer guide is listed with the ICT security product’s completed AISEP or CC evaluation result on the EPL. For the benefit of Australian government agencies, consumer guides specify the security classification of information that the evaluated ICT product can be used to protect.
14. What is a consumer guide?
Consumer guides are found on the EPL and are for the benefit of Australian government agencies. A consumer guide is published for ICT security products that have completed an ASD Cryptographic Evaluation and sometimes where clarification of use for Australian government was deemed necessary. Consumer guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure cryptographic usage. Consumer guides also specify the classification of data that the product can be used to protect.
Products on the EPL that do not have a consumer guide include those that have not been recommended for the use of cryptographic security or products that do not contain cryptographic security.
15. What is the Evaluated Products List and where can I find it?
The Evaluated Products List (EPL) provides a comprehensive list of ASD-evaluated ICT security products that meet the needs of Australian government agencies in securing official information. ICT products that are progressing through or have completed an ASD Cryptographic Evaluation are listed on the EPL.
16. Are there any costs incurred by the vendor for an ASD Cryptographic Evaluation?
ASD does not charge evaluation fees to the vendor for conducting an ASD Cryptographic Evaluation or for producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to ASD (if secure electronic means is not a viable option) and the provision of licences required by ASD in order to conduct the evaluation.
17. Acronym guide
- ASD Cryptographic Evaluation
- Australasian Information Security Evaluation Program
- Australian Signals Directorate
- Certification Report
- Evaluation Assurance Level
- Evaluated Products List
- Information and Communications Technology
- (Australian Government) Information Security Manual
- Non-Disclosure Agreement
- Security Target
- Target of Evaluation