Some Thoughts on Auxiliary Tools for Cryptography Evaluation

To give a simple example:

At present, at the physical and environmental level, the evaluation objects of a commercial cryptography application security evaluation are generally the computer room where the system is located, important areas, and other content that requires people to judge objective facts subjectively (computer room electronic access control products and related technical documents, video monitoring equipment and related technical documents).
What the related technical detection tools have to cover is nothing more than the cryptographic algorithms used in identity authentication and data integrity protection. For the objective evidence collected subjectively by technical personnel, a cryptography evaluation tool can assist by automatically identifying the cryptographic technology used for identity authentication and data integrity protection, and by intelligently performing the relevant integrity checks (algorithm verification, data comparison, etc.) on the collected data that needs integrity protection.

For current Class III security systems, the main points of commercial cryptography application security evaluation at the network and communication level are generally channels.
A good network topology map and professional operation and maintenance personnel can better assist us in carrying out and implementing the cryptography evaluation work.
From the network topology diagram and the descriptions given by the system's operation and maintenance personnel (and don't forget the cryptography application scheme), we can better filter out how many channels are in scope for this evaluation. In this situation, our evaluators can only make subjective judgments about the channels based on the relevant information about the system.
(Ideally, the cryptography evaluation auxiliary tool would automatically recognize the imported network topology map or system-related data and automatically analyze its channels. That is a bit unrealistic. It may be realized in the next few years, but its development and form at the current stage (classified protection tools are an example) are still open to discussion. Basically, these are semi-automatic tools: humans make the subjective judgment and then enter it into the system.)
Based on the evaluation content at this level, let's think about the cryptography evaluation auxiliary tool:
Setting aside the subjective judgment of the channels of the system under test, the auxiliary tool can automatically identify and analyze the data traffic packets obtained by the evaluators through their evaluation tools (capturing the traffic packets is a step that humans carry out subjectively).
Through corresponding filter commands (also a subjective human input, for example: ip.addr == XX.XX.XX.XX and/&& tls), the tool can automatically analyze whether the digital certificate (identity authentication) and the cryptographic algorithm suite (integrity of communication data and confidentiality of important data in transit) used in the communication channel are compliant, correct, valid, and so on.
......................

Having said that, it is still necessary to distinguish what a cryptography evaluation aid specifically refers to: is it a tool that assists evaluators in writing reports, or a tool that assists evaluators in conducting assessments?
Of course, both of these must be available, but in view of the current market environment, I have seen such tools, but some functions are still a bit unsatisfactory. There is no qualification testing report for the relevant cryptography evaluation auxiliary tools, yet we directly conduct testing and issue the relevant system reports. Isn't that self-contradictory, and is it convincing?
In short, I personally feel that it is theoretically possible to use tools to completely replace manual labor to carry out assessments and issue corresponding reports, but it is currently unfeasible to completely replace manual labor with automated tools.

Next, based on the current technical level and evaluation capability, the following requirements are listed for cryptography evaluation auxiliary tools:

Technical level
*******************************************************************
Data traffic:
① Automatic capture of data traffic packets: through certain technical means (network cable access, port mirroring, etc.), the tool can capture the data traffic packets of a given process.
② Automatic filtering of the target data traffic through commands: through filtering methods and similar techniques, the tool can obtain the data traffic packets we want.
③ Automatic analysis of the target data traffic: for the acquired target data traffic packets, the tool can automatically identify the cryptographic algorithm or cryptographic technology used in the handshake phase or the communication phase (for example: automatically identify the algorithm suite).
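As an added illustration of requirement ③ (not code from the original post), the sketch below reads the negotiated algorithm suite out of a captured ServerHello record and checks it against an allow-list. The function names and sample records are constructed for this example, and the allow-list is an assumption: the post does not say which suites count as compliant, so the SM-based suite IDs from RFC 8998 and GB/T 38636 are used as a stand-in.

```python
import struct

# Assumed allow-list for illustration only: suite IDs from RFC 8998 (TLS 1.3)
# and GB/T 38636 (TLCP). The real policy comes from the evaluator's standards.
APPROVED_SUITES = {
    0x00C6: "TLS_SM4_GCM_SM3",
    0x00C7: "TLS_SM4_CCM_SM3",
    0xE011: "ECDHE_SM4_CBC_SM3",
    0xE013: "ECC_SM4_CBC_SM3",
    0xE051: "ECDHE_SM4_GCM_SM3",
    0xE053: "ECC_SM4_GCM_SM3",
}

def negotiated_suite(record: bytes) -> int:
    """Return the suite ID from a record whose first message is ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("first handshake message is not ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed prefix: server_version(2) + random(32) + session_id_len(1)
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]            # skip the variable-length session id
    if len(hello) < off + 3:        # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def assess(record: bytes) -> dict:
    suite = negotiated_suite(record)
    name = APPROVED_SUITES.get(suite)
    return {"suite": f"0x{suite:04X}", "name": name, "approved": name is not None}

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample record (zeroed random, empty session id)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

SAMPLE_TLCP = build_server_hello(0x0101, 0xE013)   # constructed sample
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC02F)  # constructed sample
```

A ServerHello split across several records would need reassembly before this parser is applied.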

Digital certificate:
① Automatic certificate export: building on the previous stage, the certificate can be automatically identified and exported while the target data traffic is being analyzed, and the encryption certificate and the signature certificate can be clearly distinguished.
② Automatic analysis of whether the certificate is compliant: through certain technical means, the exported digital certificate can be automatically analyzed and checked (for example: automatically analyze its signature algorithm, issuer, validity period, certificate format, etc.), and the validity and legality of the certificate verified.
③ Automatic identification of the upper-level certificate: for an imported digital certificate, the tool can automatically identify its upper-level certificate or its root certificate through technical means, and verify it.

Signature verification:
① Automatic signature verification: the tool can automatically verify the signed documents (such as medical seal documents, red-header stamped documents, etc.) produced by the target system, and then automatically analyze whether the digital certificate is compliant, as in the previous stage.

Data protection:
① Integrity protection: able to automatically identify files or data that are under integrity protection (at present these also have to be imported manually), including but not limited to logs and structured data (important data) in the database. It can automatically identify the cryptographic algorithm and cryptographic technology used by the system under test for data integrity protection, and further verify it.
② Confidentiality protection: similarly, able to automatically identify files or data that are under confidentiality protection (at present these have to be imported manually), including but not limited to logs and structured data (important data) in the database. It can automatically identify the cryptographic algorithm and cryptographic technology used by the system under test for data confidentiality protection, and further verify it.
*******************************************************************

Report level
*******************************************************************
Actually, I don't want to describe too much about this aspect. In fact, the goal is to save manpower and time and obtain greater profit space.
However, regarding the current development of security assessment for commercial cryptography applications at this stage, taking the security as an example, the following considerations are made:
① It can automatically identify important information about Party A in the project, and automatically export the process documents of the project (risk notice, confidentiality agreement, on-site evaluation authorization letter, etc.).
② It can automatically enter the system information we collected in the early stage, and complete the preparation of the corresponding evaluation plan.
③ A report can be automatically generated from the on-site evaluation record sheets sorted out by the evaluation personnel.

*******************************************************************

Origin blog.csdn.net/weixin_46849758/article/details/128312698