Security assessment of cryptographic solutions
The objective of evaluating cryptographic solutions is to build a risk model of the application assets and the application itself when faced with the threat of a quantum computer. A fundamental problem for existing solutions consists in using asymmetric encryption algorithms and obtaining secret keys. These algorithms are vulnerable for a quantum computer because it is able to effectively solve their underlying mathematical problems which cannot be solved by classical computers within the foreseeable time frame.
Objectives of the assessment
Analysis of the current product, search for vulnerabilities caused by the incorrect implementation of existing cryptographic algorithms, and integration of third-party solutions.
Analysis of threats posed by a quantum computer to the used algorithms and assets.
Report preparation based on the results of the analysis, including recommendations on the problems found in the current implementation.
Support of the project and provision of technical and scientific expertise.
Assessment result
Based on the results of the assessment, the team provides the client with a report that reflects the details of the technical work, the project goals, a description of the product and its architecture, as well as problems and vulnerabilities and recommendations for their correction. The client may request clarification in the final report regarding the information provided and ask for additional iterations of reviewing the document and making corrections to it.
- Project architecture review
- Listing of assets and methods of their protection
- Cryptographic algorithms and materials included in the project
- General remarks on the protection mechanisms included in the project
- Project functionality description
- List of vulnerabilities
- The attacker's model and its scenarios
- Evaluation of the provided results by time
- Provided and used materials
The team of specialists makes an assessment in open testing format.
The assessment includes the following tasks:
Based on the results of the completed assessment of the current implementation, the client may request additional iterations of the evaluation in order to verify the changes made, taking into account our recommendations.
The proposed testing focuses on the applied cryptographic algorithms, their implementation, the data protection model, as well as threats to the application's assets in the event of a quantum computer attack. The assessment is based on existing recommendations regarding the algorithms and cryptographic materials used.
The assessment includes the following tasks:
- Project design and architecture analysis;
- Project documentation analysis;
- Studying the product source code;
- Preparing the final report and obtaining approval from the customer.
Based on the results of the completed assessment of the current implementation, the client may request additional iterations of the evaluation in order to verify the changes made, taking into account our recommendations.
The proposed testing focuses on the applied cryptographic algorithms, their implementation, the data protection model, as well as threats to the application's assets in the event of a quantum computer attack. The assessment is based on existing recommendations regarding the algorithms and cryptographic materials used.
Our experts assess the safety of cryptographic solutions, taking into account the standards and recommendations of the local and global institutions like NIST.
We do not provide certification in accordance with the requirements of the listed organizations. However, our assessment provides the opportunity to minimize the resources needed to prepare for this certification.
We do not provide certification in accordance with the requirements of the listed organizations. However, our assessment provides the opportunity to minimize the resources needed to prepare for this certification.
During the assessment, our team reviews the current implementation and source code of the project, focusing on the following aspects:
- Used algorithms; their final implementation and operating mode;
- Data protection at end nodes and during transmission;
- Integration quality of third-party solutions and security mechanisms;
- Assessment of the quantum computer threat.
To evaluate the project in the open testing format, our specialists need the following:
- The source code of the project. Access to the control system version is optional;
- Technical and project documentation;
- Communication with specialists from the client side to clarify the technical details of the project.
For effective assessment, there are general conditions that come down to a well-established interaction between clients and our team. Before starting the project, it is necessary to provide the contacts of the client's technical specialists who are able to support the provided solution during working hours.
The tasks of our group do not include functional testing of cryptographic solutions, but information about any deviations from the expected behavior in the operation of the solution will be provided in full.
Among other things, it should be emphasized once again that the information about vulnerabilities provided at the testing stage is not a reason to eliminate them at the testing stage. Our team evaluates a specific version. Small edits are acceptable, but it is expected that they will not go beyond the minimum necessary:
Repeated iterations of the assessment should be agreed upon before the project is carried out. The format of interim reports, as well as their frequency, must also be agreed upon in advance.
The tasks of our group do not include functional testing of cryptographic solutions, but information about any deviations from the expected behavior in the operation of the solution will be provided in full.
Among other things, it should be emphasized once again that the information about vulnerabilities provided at the testing stage is not a reason to eliminate them at the testing stage. Our team evaluates a specific version. Small edits are acceptable, but it is expected that they will not go beyond the minimum necessary:
- Refactoring excluded;
- Code formatting;
- Making changes to the functional aspects of the project that are not related to performance and security.
Repeated iterations of the assessment should be agreed upon before the project is carried out. The format of interim reports, as well as their frequency, must also be agreed upon in advance.
Depending on the project type, the timing for the activity of our analysts may vary.
The key activities within the framework of the project are:
The key activities within the framework of the project are:
- Studying the documentation/structure of the project;
- Functional testing of the project; installation and configuration of the solution;
- Project source code analysis;
- Search for vulnerabilities in the solution;
- Preparation and approval of the final report.
Related services and products