Are you really sure that your security solution is ready to cope with the real world? Are you certain that your in-house design will survive the scrutiny of expert cryptographers?
CryptoExperts offers externalized R&D and consulting services in a wide variety of security areas. We can perform an in-depth design and security analysis of your application, spot the cryptographic misconceptions, propose appropriate alternatives and help you to achieve a successful security certification.
Give us the instruction set of your microcontroller and we do the rest.
We have more than 20 years of experience in developing and delivering cycle-accurate optimized cryptographic libraries. Our software is available on a variety of hardware platforms and supports standard and advanced cryptographic algorithms.
A fresh pair of eyes on your design.
The development of a cryptographic product, from a whiteboard protocol to an industrial grade implementation, is a long and complex process. Our experts will help you avoid common (and less common) pitfalls at any stage of the development.
Verifying side-channel countermeasures with automatic tools.
The VERISICC project aims to build automatic tools to verify and generate proven masked cryptographic implementations. These tools will allow industrial people to develop secure and efficient implementations and to certification bodies to quickly and accurately verify the implementations submitted to an evaluation.
Formally proving that your crypto libs are side-channel resistant.
The PRINCE research project addresses the challenge of building leakage-resilient primitives and leakage-resilient implementations for standard algorithms. Through an appropriate security modelling, the embedded security industry has never been closer to fill in the gap between empirically secure cryptographic implementations and built-in, provably perfect resistance against side-channels.
Common Criteria (CC) is the international standard (ISO 15408) for evaluating the security of information technology products. The certification process involves the testing of a product by an accredited third-party IT security evaluation facility (ITSEF) lab to ensure that it meets a set of security requirements. Products that pass the evaluation receive a Common Criteria certification, which is recognized by governments and organizations around the world as evidence of the product’s security. The certification can be used to help organizations comply with security regulations and to make more informed decisions when purchasing IT products.
The French information security agency (ANSSI) developed the CSPN certification as a lightweight alternative to CC certifications. One specificity of CSPN certifications is that the evaluation is time-constrained, thus limiting its delays and cost, but still offering a guarantee that some experts have spent some time analyzing the product. The typical CSPN evaluation consists of 25 days dedicated to software security (protocol fuzzing, port scanning, etc.) and 10 days dedicated to cryptographic analysis (algorithm choices and key sizes, protocol analysis, etc.).
Whether your company plans to go through a CC or CSPN certification, CryptoExperts can help you put together the appropriate security arguments as a source for your certification and support your team during the overall certification process.
CryptoExperts offers consulting services to evaluate the security of random number generators (RNG). You have your own RNG legacy and need to undergo a AIS20/31 or FIPS 140-3 certification process? We can help!
Physical True Random Number Generators (PTRNGs) are based on a hardware noise source which is digitized and possibly composed with a post-processing mechanism. Getting an AIS20/31 certificate for a PTRNG (PTG.1/2/3 classes) requires to provide a stochastic model of the source and to demonstrate evidence on the quality of its entropy. CryptoExperts proposes a methodology that performs a statistical evaluation of the noise source, derives a relevant stochastic model, and assesses the entropy of the generated (post-processed) random numbers.
A post-processing mechanism can be of two different natures:
Assessing the quality of the former kind of post-processing consists in proving that it acts as a good entropy extractor. In other words, given some statistical property about the noise source, the post-processing must produce a high-entropy output. Cryptographic post-processing/DRNG on the other hand must satisfy advanced mathematical properties such as (strong) forward and/or backward secrecy. You can trust CryptoExperts to evaluate your post-processing mechanism, in the TRNG, DRNG, or hybrid setting. If the need be, we will come back to you with a set of recommendations, and finally provide you with a formal security proof of your design.
Our offer is not limited to evaluation, stochastic modeling, and formal security proofs, we further help our customers meet all AIS20/31 requirements (PTG.1/2/3, DRG.1/2/3/4) and support them during the overall certification process. Involve CryptoExperts and leave no room to randomness in getting your certificate!