Feb 1, 2019 - Yes. All ICT security products implementing cryptography destined for use by Australian Government agencies must use ACSC-approved cryptographic algorithms and ACSC-approved cryptographic protocols. Further information is in the ISM.
Jul 1, 2018 - We need to independently review the source code to be confident in the implementation and architecture of the cryptographic security. Providing source code usually expedites the evaluation.
Jul 1, 2018 - An ACSC Cryptographic evaluation can only be performed on products which have been certified via a recognised Common Criteria (CC) scheme, in Australia or overseas. The CC Security Target and Certification Report must be published/publicly available before we can begin our evaluation. The evaluation start date is also subject to information provided by the vendor.
Jul 1, 2018 - We conduct a combination of open source and in-house tests to ensure the correct implementation of encryption algorithms as well as assessing the quality of the surrounding cryptographic architecture. Depending on the type and technology of ICT security product undergoing evaluation, testing might include packet sniffing, black box testing, source code review, key management analysis and Random Number Generation (RNG) evaluation.
Jul 1, 2018 - We analyse products intended to be used by Australian and New Zealand government agencies to determine whether the security architecture and cryptographic algorithms they use have been implemented correctly and are strong enough for the products' intended use.
Jul 1, 2018 - Consumer guides are found on the EPL and are for the benefit of Australian Government agencies. We publish a consumer guide for all ICT security products for which we have performed a Cryptographic evaluation and sometimes where we deem clarification of use for Australian Government is necessary. Consumer guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure cryptographic usage. They also specify the classification of data that the product can be used to protect.
Jul 1, 2018 - Vendors should provide: a technical and/or engineering contact within the company (preferably located in Australia) to answer questions; technical documentation including descriptions of protocols, key management, algorithms and data formats; and offline access to the full source code.
Jul 1, 2018 - The Cryptographic evaluation process generally takes several months. This timeframe is separate to the time taken for the AISEP evaluation. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the Cryptographic evaluation depends on the implementation of a suitable fix. If the recommending Australian Government agency withdraws its recommendation, we will usually halt the Cryptographic evaluation.
Jul 1, 2018 - No. In accordance with the ISM, FIPS-140 accreditation does not replace an ACSC Cryptographic evaluation. However, providing all relevant FIPS accreditation documentation may assist the process.
Jul 1, 2018 - No. We do not charge evaluation fees for conducting a Cryptographic evaluation or producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.