Sorry, you need to enable JavaScript to visit this website.
Skip to main content

Cryptographic evaluation

Frequently asked question icon

Are there particular cryptographic algorithms or protocols that should be implemented in the ICT security product for Australian Government use?

Feb 1, 2019 - Yes. All ICT security products implementing cryptography destined for use by Australian Government agencies must use ACSC-approved cryptographic algorithms and ACSC-approved cryptographic protocols. Further information is in the ISM.
Frequently asked question icon

Why do you need source code to perform the evaluation?

Jul 1, 2018 - We need to independently review the source code to be confident in the implementation and architecture of the cryptographic security. Providing source code usually expedites the evaluation.

When can you begin the Cryptographic evaluation?

Jul 1, 2018 - An ACSC Cryptographic evaluation can only be performed on products which have been certified via a recognised Common Criteria (CC) scheme, in Australia or overseas. The CC Security Target and Certification Report must be published/publicly available before we can begin our evaluation. The evaluation start date is also subject to information provided by the vendor.

What tests are performed during a Cryptographic evaluation?

Jul 1, 2018 - We conduct a combination of open source and in-house tests to ensure the correct implementation of encryption algorithms as well as assessing the quality of the surrounding cryptographic architecture. Depending on the type and technology of ICT security product undergoing evaluation, testing might include packet sniffing, black box testing, source code review, key management analysis and Random Number Generation (RNG) evaluation.
Cryptographic image

Cryptographic evaluations

Jul 1, 2018 - We analyse products intended to be used by Australian and New Zealand government agencies to determine whether the security architecture and cryptographic algorithms they use have been implemented correctly and are strong enough for the products intended use.

What is a consumer guide?

Jul 1, 2018 - Consumer guides are found on the EPL and are for the benefit of Australian Government agencies. We publish a consumer guide for all ICT security products for which we have performed a Cryptographic evaluation and sometimes where we deem clarification of use for Australian Government is necessary. Consumer guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure cryptographic usage. They also specify the classification of data that the product can be used to protect.

What information and support should vendors provide for an ACSC Cryptographic evaluation?

Jul 1, 2018 - Vendors should provide: a technical and/or engineering contact within the company (preferably located in Australia) to answer questions technical documentation including descriptions of protocols, key management, algorithms and data formats offline access to the full source code.

How long does a Cryptographic evaluation take?

Jul 1, 2018 - The Cryptographic evaluation process generally takes several months. This timeframe is separate to the time taken for the AISEP evaluation. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the Cryptographic evaluation depends on the implementation of a suitable fix. If the recommending Australian Government agency withdraws its recommendation, we will usually halt the Cryptographic evaluation.

Does obtaining FIPS-140 accreditation mean that the ICT product does not need to go through an ACSC Cryptographic evaluation?

Jul 1, 2018 - No. In accordance with the ISM, FIPS-140 accreditation does not replace an ACSC Cryptographic evaluation. However, providing all relevant FIPS accreditation documentation may assist the process.

Do you charge for Cryptographic evaluations?

Jul 1, 2018 - No. We do not charge evaluation fees for conducting a Cryptographic evaluation or producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.