Security assessment of cryptographic solutions
The objective of evaluating cryptographic solutions is to build a risk model of the application and its assets when faced with the threat of a quantum computer. A fundamental weakness of existing solutions is their reliance on asymmetric algorithms for encryption and for establishing secret keys. These algorithms are vulnerable to a quantum computer because it can efficiently solve their underlying mathematical problems, which classical computers cannot solve within any foreseeable time frame.
Objectives of the assessment
• Analysis of the current product, searching for vulnerabilities caused by incorrect implementation of existing cryptographic algorithms and by the integration of third-party solutions;
• Analysis of the threats posed by a quantum computer to the algorithms and assets in use;
• Preparation of a report based on the results of the analysis, including recommendations on the problems found in the current implementation;
• Support of the project and provision of technical and scientific expertise.
Assessment result
Based on the results of the assessment, the team provides the client with a report that reflects the details of the technical work, the project goals, a description of the product and its architecture, the problems and vulnerabilities found, and recommendations for their correction. The client may request clarification of the information provided in the final report and ask for additional iterations of reviewing and correcting the document.
The report covers the following sections:
• Project architecture review;
• Listing of assets and the methods used to protect them;
• Cryptographic algorithms and key material included in the project;
• General remarks on the protection mechanisms included in the project;
• Project functionality description;
• List of vulnerabilities;
• Attacker model and attack scenarios;
• Evaluation of the provided results over time;
• Materials provided and used.
The Scope of the Assessment
The team of specialists conducts the assessment in an open (white-box) testing format.
The assessment includes the following tasks:
• Project design and architecture analysis;
• Project documentation analysis;
• Studying the product source code;
• Preparing the final report and obtaining approval from the customer.
In addition, the assessment team may, by agreement with the client, provide weekly reports on the current status of the work in written or verbal form.

Based on the results of the completed assessment of the current implementation, the client may request additional iterations of the evaluation in order to verify the changes made in response to our recommendations.

The proposed testing focuses on the applied cryptographic algorithms, their implementation, the data protection model, and the threats to the application's assets in the event of an attack by a quantum computer. The assessment is based on existing recommendations regarding the algorithms and cryptographic materials used.
Assessment Certification and Standards
Our experts assess the security of cryptographic solutions, taking into account the standards and recommendations of national and international institutions such as NIST.

We do not provide certification in accordance with the requirements of the listed organizations. However, our assessment makes it possible to minimize the resources needed to prepare for such certification.
Coverage of the Project's Technical Component
During the assessment, our team reviews the current implementation and source code of the project, focusing on the following aspects:
• The algorithms used, their final implementation, and their mode of operation;
• Data protection at end nodes and during transmission;
• Integration quality of third-party solutions and security mechanisms;
• Assessment of the quantum computer threat.
Our team performs only open (white-box) testing, which includes full access to the project documentation and source code.
Preliminary Assessment Conditions
To evaluate the project in the open testing format, our specialists need the following:
• The source code of the project (access to the version control system is optional);
• Technical and project documentation;
• Communication with specialists on the client side to clarify the technical details of the project.
Note that the assessment is carried out for a specific version of the code as of the time it is provided. Changes to the evaluated version should be made in consultation with our team, as they may affect the timing of the assessment. It is recommended to limit changes to the security issues identified during the assessment.
General Terms and Conditions
Effective assessment depends on well-established interaction between the client and our team. Before the project starts, the client must provide contacts for technical specialists who are able to support the provided solution during working hours.

The tasks of our group do not include functional testing of cryptographic solutions, but information about any deviations from the expected behavior observed in the operation of the solution will be provided in full.

It should be emphasized once again that vulnerabilities reported during the testing stage are not a reason to fix them while testing is still in progress: our team evaluates a specific version. Small edits are acceptable, but they are expected to stay within the minimum necessary:
• Refactoring is excluded;
• Code formatting;
• Changes to functional aspects of the project that are not related to performance or security.

Repeated iterations of the assessment should be agreed upon before the project is carried out. The format of interim reports, as well as their frequency, must also be agreed upon in advance.
Assessment Format
Depending on the project type, the time required for our analysts' work may vary.

The key activities within the framework of the project are:
• Studying the documentation and structure of the project;
• Functional testing of the project, including installation and configuration of the solution;
• Project source code analysis;
• Searching for vulnerabilities in the solution;
• Preparation and approval of the final report.
Since searching for vulnerabilities and problems is the key task of our team, and their subsequent correction is the intended final result of this activity, we evaluate and rate each identified vulnerability according to its impact on the project.