The French information security agency (ANSSI) developed the CSPN certification as a lightweight alternative to CC certifications. If CC/EMVco certification is too long or too expensive for your product, CSPN might be just what you are looking for.
Who can I contact?
Matthieu Finiasz, PhD
Senior Security Expert
As many of you are probably aware, CC or EMVCo certification is a long and expensive process that is not suitable for every product. A distinguishing feature of CSPN certification is that the evaluation is time-boxed, which limits both its duration and its cost while still guaranteeing that experts have spent a fixed amount of time analysing the product without finding any security flaws. The typical CSPN evaluation consists of 25 days dedicated to software security (protocol fuzzing, port scanning, etc.) and 10 days dedicated to the cryptographic analysis (algorithm choices and key sizes, protocol analysis, etc.).
The range of products that can receive CSPN certificates is very wide, including of course security software (VPN, hard drive encryption, password manager, etc.), but also mobile applications (e-Health, access control, secure messaging, etc.), connected devices (NAS, smart meters, smart home, etc.) or even open-source software and libraries.
Timeline of a CSPN evaluation
The typical timeline of a CSPN evaluation follows these steps:
- Definition and drafting of a security target precisely describing the scope of the evaluation (when needed, some parts of the product can be excluded from the evaluation). This step is done jointly by the developers and the evaluator.
- Validation of the security target by the ANSSI.
- The developers then hand over all the evaluation material to the evaluator. This material may or may not include source code, but it must at least include a fully functional version of the product and, for the cryptographic analysis, a precise description of the cryptographic protocols implemented.
- Time-constrained evaluation of the product. During this step, further exchanges between the evaluator and the developers are still possible: the developers may provide additional material to the evaluator, or simply answer any questions the evaluator may have. This time-constrained step also includes the writing of a detailed evaluation report listing all the tests performed during the evaluation and their results, together with a list of all the security issues uncovered.
- Validation of the conclusions of the report by the ANSSI.
- Delivery of the CSPN certificate by the ANSSI.
For CSPN evaluations, CryptoExperts works in partnership with Trusted Labs. CryptoExperts is in charge of the cryptographic analysis while Trusted Labs handles the other security aspects.