Requesting an ASD Cryptographic Evaluation
To request an ASD Cryptographic Evaluation, please complete the sponsorship letter. We will work with you and the vendor to understand the evaluation aims, expectations and timeframes.
Frequently asked questions
What tests are performed during an evaluation?
We conduct a combination of open source and in-house tests to ensure the correct implementation of cryptographic algorithms and protocols as well as assessing the quality of the surrounding cryptographic architecture.
Depending on the type of product undergoing evaluation, testing might include packet sniffing, black box testing, source code review, key management analysis and Random Number Generation (RNG) evaluation.
Are there particular cryptographic algorithms or protocols that should be implemented in a product for Australian use?
Yes. All products implementing cryptography must use ASD Approved Cryptographic Algorithms and ASD Approved Cryptographic Protocols.
Why do you need source code to perform an evaluation?
We need to independently review the source code to be confident in the implementation and architecture of the cryptographic security. Providing source code usually expedites the evaluation.
When can you begin an evaluation?
An evaluation can only be performed on Common Criteria certified products, and their Security Target and Certification Report must be publicly available before we can begin our evaluation.
When we start the evaluation will also depend on priorities, when information is provided by the vendor and the type of product itself (hardware vs software).
We will advise vendors when we are starting the evaluation.
What is a Consumer Guide?
Consumer Guides are found on the Evaluated Products List. We publish a Consumer Guide for all products for which we have performed a cryptographic or high assurance evaluation.
Consumer Guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure product usage.
What information and support should vendors provide for an evaluation?
Vendors should provide a technical and/or engineering contact within the company (preferably located in Australia) to answer questions; technical documentation including descriptions of protocols, key management, algorithms and data formats; and offline access to the full source code.
How long does an evaluation take?
The evaluation process generally takes several months. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the evaluation depends on the implementation of a suitable fix.
Does obtaining FIPS-140 accreditation mean that the product does not need to go through an evaluation?
No. In accordance with the ISM, FIPS-140 accreditation does not replace an evaluation. However, providing all relevant FIPS accreditation documentation may assist with the evaluation.
Do you charge for evaluations?
No. We do not charge fees for conducting an evaluation. However, the vendor is responsible for arranging delivery of information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.
Do vendors need a non-disclosure agreement (NDA) in place when the evaluation starts?
No. However, if requested, we can negotiate a NDA with the vendor. This can be a lengthy process that will postpone the start of the evaluation. To reduce delays, we have a standard NDA template which is available upon request.