
FAQs ASD Cryptographic Evaluations Program

What tests are performed during an ASD Cryptographic Evaluation?

We conduct a combination of open source and in-house tests to ensure the correct implementation of cryptographic algorithms and protocols, and to assess the quality of the surrounding cryptographic architecture.

Depending on the type of product undergoing evaluation, testing might include packet sniffing, black box testing, source code review, key management analysis and Random Number Generation (RNG) evaluation.

Are there particular cryptographic algorithms or protocols that should be implemented in a product for Australian use?

Yes. All products implementing cryptography must use ASD Approved Cryptographic Algorithms and ASD Approved Cryptographic Protocols.

Why do you need source code to perform the evaluation?

We need to independently review the source code to be confident in the implementation and architecture of the cryptographic security. Providing source code usually expedites the evaluation.

When can you begin the Cryptographic evaluation?

An ACSC Cryptographic evaluation can only be performed on products which have been certified via a recognised Common Criteria (CC) scheme, in Australia or overseas. The CC Security Target and Certification Report must be published and publicly available before we can begin our evaluation. The evaluation start date is also subject to the information provided by the vendor.

For products undergoing CC evaluation in the AISEP, when we start the Cryptographic evaluation will depend on when information is provided and on the nature of the ICT product itself (hardware versus software). The letter of recommendation for evaluation also determines the priority of the evaluation.

We will advise vendors when we are starting the Cryptographic evaluation.

We encourage vendors to be proactive in seeking advice and to cooperate by providing information to facilitate our evaluation process.

What is a consumer guide?

Consumer guides are found on the EPL. We publish a consumer guide for all products for which we have performed a cryptographic or high assurance evaluation.

Consumer guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure product usage.

What information and support should vendors provide for an ACSC Cryptographic evaluation?

Vendors should provide:

  • a technical and/or engineering contact within the company (preferably located in Australia) to answer questions
  • technical documentation including descriptions of protocols, key management, algorithms and data formats
  • offline access to the full source code.

How long does a Cryptographic evaluation take?

The Cryptographic evaluation process generally takes several months. This timeframe is separate from the time taken for the AISEP evaluation.

The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the Cryptographic evaluation depends on the implementation of a suitable fix.

If the recommending Australian Government agency withdraws its recommendation, we will usually halt the Cryptographic evaluation.

Does obtaining FIPS-140 accreditation mean that the ICT product does not need to go through an ACSC Cryptographic evaluation?

No. In accordance with the ISM, FIPS-140 accreditation does not replace an ACSC Cryptographic evaluation. However, providing all relevant FIPS accreditation documentation may assist the process.

Do you charge for Cryptographic evaluations?

No. We do not charge evaluation fees for conducting a Cryptographic evaluation or producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to us (if secure electronic means are not a viable option) and for providing any licences we need to conduct the evaluation.

Do vendors need a non-disclosure agreement (NDA) in place when the Cryptographic evaluation starts?

No.

If requested, we can negotiate an NDA with the vendor. This can be a lengthy process that will postpone the start of the Cryptographic evaluation.

To reduce delays, we have a standard NDA template, which is available upon request.

Date: August 27th, 2019