ICCC 2012 September 18-20, Paris, France © atsec information security, 2012
IT Security Evaluation in China
Yi Mao, Ph.D., CISSP
atsec information security corporation, Austin, TX - [email protected]
Agenda
• Motivation and Objectives
• Certification and Accreditation Administration of the People’s Republic of China (CNCA)
• China Information Security Certification Center (ISCCC)
• China Information Technology Security Evaluation Center (CNITSEC)
• Conclusions
Disclaimer: I’m employed by atsec information security corporation in Austin TX, USA, an independent lab specializing in IT security evaluations. I do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, despite the fact that most of it is in Chinese.
atsec’s Vision and Mission
• Promote the effort of establishing a set of well-thought out, consistent standards for IT security evaluation worldwide.
• Prevent re-inventing the wheel or making the same kind of mistakes repeatedly.
• Enable western clients to deliver their products to the Chinese market by facilitating compliance to the Chinese certification requirements.
• Help Chinese vendors to enter the global market by achieving internationally recognized certificates (e.g. CC, FIPS 140-2).
From China
• The Chinese IT community closely follows international standards
  - A Chinese delegation attends each annual International CC Conference
• Chinese vendors have already achieved CC certification
  - ZTE
  - Huawei
• Chinese vendors have already achieved FIPS 140-2 certification
  - ZTE
  - Pierson
  - Watchdata
• Chinese organizations have received CC and FIPS 140-2 training
  - ISCCC
  - Vendors pursuing CC and/or FIPS 140-2 certifications
To China
When a western vendor wants to sell their IT security products in China (for example, for Chinese government procurement), and needs to get the required certificates using Chinese evaluation schemes, they often wonder where to start.
This is especially true for those vendors who do not have local branches in China, because information provided by the following authorities is mostly in Chinese:
• Certification and Accreditation Administration of the People’s Republic of China (CNCA)
• China Information Security Certification Center (ISCCC)
• China Information Technology Security Evaluation Center (CNITSEC)
CNCA (Chinese Web Page)
CNCA (English Web Page)
ISCCC (Chinese Web Page)
ISCCC (English Web Page)
CNITSEC (Chinese Web Page)
CNITSEC (English Web Page)
Problem: It’s in Chinese!
• Chinese web pages for CNCA, ISCCC, and CNITSEC have much richer content.
• The English version of their webpages only contains a brief introduction.
• It is impossible for non-Chinese speakers to get a basic understanding of what's going on in China.
What will be covered?
This presentation will provide a brief sketch of the current state of IT security product evaluation in China,
• not via a word-to-word translation of the Chinese webpages
• but by connecting the dots to give a high-level view that is:
o objective
o up-to-date
o based solely on publicly available information
o as coherent as possible
The Chain of Command
CNCA and CCC
CNCA: The China National Certification and Accreditation Administration is set up and authorized by the State Council to perform administrative functions, and provide unified management, supervision, and nationwide coordination of all certification and accreditation-related organizations.
One of its responsibilities was to establish, develop, implement, and maintain the China Compulsory Certification (CCC) scheme.
The CCC Mark is a compulsory safety mark for both domestically manufactured products and any products imported into China.
Catalogue of CCC-products (1)
• Electrical wires and cables
• Switches for circuits, installation protective and connection devices
• Low-voltage Electrical Apparatus
• Small Power motors
• Electric tools
• Welding machines
• Household and similar electrical appliances
Catalogue of CCC-products (2)
• Audio and video apparatus
• Information technology equipment
• Lighting apparatus
• Motor vehicles and Safety
• Motor vehicle tires
• Safety Glasses
• Agricultural Machinery
• Latex Products
Catalogue of CCC-products (3)
• Telecommunication terminal equipment
• Medical Devices
• Fire Fighting Equipment
• Detectors for Intruder Alarm Systems
• Wireless Local Area Network (WLAN) systems
• Home Renovation Materials
• Toys
• Information Security Products
IS Products Subject to CCC (Notice No. 7 of 2008)
This notice was given on January 28, 2008. It announced the first batch of 13 types of IS products to be included in the mandatory certification catalogue. It was to be enforced on May 1, 2009.
13 types of IS Products on CCC Catalogue
1. Firewall products
2. Network security separation cards and line selectors
3. Security isolation and information exchange products
4. Secure routers
5. Smart card chip operating systems
6. Data backup and recovery products
7. Secure operating systems
8. Secure database systems
9. Anti-spam products
10. Intrusion detection systems
11. Network vulnerability scanning products
12. Security audit products
13. Website recovery products
IS Products Subject to CCC (Notice No. 33 of 2009)
A revised notice was given on April 27, 2009 to adjust the statement of CCC for IS products announced in the previous notice (No. 7 of 2008):
• The CCC for IS products would not be enforced until May 1, 2010.
• It is mandatory for government procurement only.
IS Products Subject to CCC (Notice No. 26 of 2010)
This notice was given on July 14, 2010. It announced:
• the official name of the certification scheme (i.e. national information security product certification system)
• the official name of the certificate (i.e. China's national information security products certification)
• the official certificate mark
• the official certificate template
IS Products Certificate Template
The template shows that the certificate will have the following information:
• Certification logo
• Certificate name
• Certificate number
• Official certificate mark
• Information about the applicant
• Information about the manufacturer
• Information about the factory
• Information about the product
• Referenced standards and technical requirements
• Referenced CNCA implementation rule
• Issuance date
• Expiration date
• Condition of validity
• Name and stamp of certification body
Safety vs. Security
Safety: The state of being free from the occurrence or risk of injury, damage, or loss.
Security: The process or means of protecting against defects, dangers, loss, and crime. “Security” denotes a separation between the assets and the threat.
• In English, the terms “safety” and “security” are related, but each has a distinct and unique meaning.
• In Chinese, there is only ONE term “安全” which means both safety and security.
This explains why the CCC safety mark, originally intended to ensure a product's quality and harmless operation, has been stretched to cover IT security products.
Organizations Tasked by CNCA
• China Quality Certification Center (CQC)
  o Processes most CCC mark applications other than those for IS products (for safety concerns)
• China Information Security Certification Center (ISCCC)
  o Processes CCC mark applications for IS products (known as CC-IS) and WLAN products (for security concerns)
• China National Accreditation Service for Conformity (CNAS)
  o Processes accreditations of certification bodies
  o Processes accreditations of laboratories
  o Processes accreditations of inspection bodies
CNCA – Designated Labs for CC-IS
• CNCA Notice No. 3 of 2008: ISCCC is the designated certification body for CC-IS. There are seven CNCA-designated labs for CC-IS.
  - China Information Technology Security Evaluation Center (CNITSEC)
• CNCA Notice No. 25 of 2009: Defines the business scope for each designated lab
China Compulsory Certification Process
The CCC process consists of the following steps:
1. Submission of an application and supporting materials to a certification body (e.g. ISCCC for CC-IS)
2. Documentation review for the acceptance of the application
3. Type testing on product samples by a CNCA-designated lab (e.g. the seven CC-IS labs)
4. Factory inspection by certification body representatives
5. Evaluation of the test results (may involve re-testing for failed tests) and certificate approval
6. Certification maintenance via annual surveillance inspection
How long does CCC certification take?
Article 15 in “Mandatory product certification regulations” (effective as of May 1, 2002, http://www.cnca.gov.cn/cnca/rdht/qzxcprz/flfg/72303.shtml) specifies:
Under normal circumstances, a designated certification body shall complete the certification process and notify the applicant about the certification result within 90 days after an application is accepted.
How much does CCC certification cost?
CNCA regulates mandatory product certification fees (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/default.shtml):
• Certification application fee
• Fees for a designated lab to conduct type testing on sample products for each type of product listed on the CCC catalog
• Daily rate for a certification body representative to conduct factory inspections
• Ranges of Person-Days needed for the initial factory inspection for each type of product listed on the CCC catalog
• Ranges of Person-Days needed for the follow-up surveillance factory inspection for each type of product listed on the CCC catalog
• Annual certification maintenance fee
• Prices of CCC marks to be printed
Fees may be adjusted as product types are added or deleted from the CCC catalog. To reduce the vendors’ financial cost for CCC, CNCA announced a 10%~30% fee reduction on May 1, 2009.
Lab Testing Fees for IS Products (1)
CNCA announced the lab testing fees on May 22, 2009 (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/images/2009/06/22/0CC0B946123A4FE5B9E4A265B17488FB.doc):
Product type | Fees in CNY | Fees in USD
1. Firewall products | L1: 18500; L2: 35500; L3: 51500 | < 8,200
2. Network security separation cards and line selectors | Basic: 20000; Enhanced: 34000 | < 5,400
3. Security isolation and information exchange products | L1: 21000; L2: 37000; L3: 49000 | < 7,800
4. Secure routers | L1: 20500; L2: 42000; L3: 51000 | < 8,100
5. Smart card chip operating systems | 77500 | < 12,300
6. Data backup and recovery products | Basic: 30000; Enhanced: 40000 | < 6,400
Lab Testing Fees for IS Products (2)
Product type | Fees in CNY | Fees in USD
7. Secure operating systems | L3: 43000; L4: 64000; L5: 85000 | < 13,500
8. Secure database systems | L3: 43000; L4: 69500; L5: 84000 | < 13,300
9. Anti-spam products | 19000 | < 3,000
10. Intrusion detection systems | L1 (host/net): 20000/23000; L2 (host/net): 32000/43000; L3 (host/net): 69000/88000 | < 13,900
11. Network vulnerability scanning products | Basic: 22500; Enhanced: 37500 | < 6,000
12. Security audit products | Basic: 19100; Enhanced: 33800 | < 5,400
13. Website recovery products | Basic: 22000; Enhanced: 34000 | < 5,400
Factory Inspection Fee for IS Products
CNCA announced ranges of Person-Days (PD) for initial and follow-up factory inspections for all 13 types of IS products on May 22, 2009 (2,500 CNY per Person-Day):
Initial: 2-4 PD / Follow-up: 1-3 PD (< 1,600 USD / 1,200 USD):
• 1. Firewall products
• 2. Network security separation cards and line selectors
• 3. Security isolation and information exchange products
• 6. Data backup and recovery products
• 9. Anti-spam products
• 10. Intrusion detection systems
• 11. Network vulnerability scanning products
Initial: 4-6 PD / Follow-up: 2-4 PD (< 2,400 USD / 1,600 USD):
• 4. Secure routers
• 5. Smart card chip operating systems
• 7. Secure operating systems
• 8. Secure database systems
• 12. Security audit products
• 13. Website recovery products
The Chain of Command
China Information Security Certification Center (ISCCC)
ISCCC was established in 2006. It is a nonprofit organization that provides the following services:
• Product Certification
  - National information security product certification
  - Wireless LAN product certification
  - IT Information Security Certification
  - Technical certification of payment service equipment for non-financial facilities
• Information Security Management System (ISMS) Certification
• Certification of Service Qualification
• Training and Certification of Information Security Professionals
Chinese Standards Used for Information Security Product Certification
• The mandatory certification for the 13 types of IS products uses product-type-specific standards that are derived from three basic information security standards in China:
  - GB 17859-1999, “Classified Criteria for Security Protection of Computer Information System”
  - GB/T 20271-2006, “Information Security Technology - Common Security Technology Requirements for Information Systems”
  - GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008, which are the Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3
• The voluntary certification for other types of IS products uses GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008 (i.e. Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3).
ISCCC Certification Procedures
• There are two slightly different certification procedures:
  - A centralized procedure, which requires the vendor to submit their application to the ISCCC and get acceptance prior to choosing a lab for type testing.
  - A staged procedure, which allows the vendor to work with a lab to pass the type testing before submitting their application to the ISCCC.
• Certification time varies depending on the product type:
  - CC-IS Firewall: 30 days lab test, 2-4 PD initial on-site / 1-3 PD annual re-visit
  - CC-IS Secure OS: 90 days lab test, 4-6 PD initial on-site / 1-3 PD annual re-visit
  - Voluntary IS products: normally 90 days for overall certification, maximum 150 days
• Certificate validity varies depending on the product type:
  - CC-IS products: no set expiration date, contingent on surveillance
  - Voluntary IS products: 3 years, contingent on surveillance
Certificates Issued to IS Products by ISCCC
As of August 23, 2012:
• There are 263 certificates issued to IS products under the compulsory certification program. The certificate list contains:
  - certificate number (e.g. 2012162305000263)
  - product name and version
  - evaluated level (e.g. L1/L2/L3/L4, or Basic/Enhanced, or EAL for COS)
  - vendor name (e.g. Amaranten (Asia) Network Co., Ltd. for a firewall)
  - issue date
  - certificate status (e.g. valid / revoked)
• There are 73 certificates issued to IS products under the voluntary certification program. The certificate list contains:
  - certificate number (e.g. ISCCC-2012-VP-073)
  - product name and version
  - vendor name
    - Axalto Beijing certified their Axalto_Alto Smart card (V2.0)
    - Gemplus Tianjin certified their Gemplus_Gem Smart Card (V1.0)
  - issuance date
  - certificate status (e.g. valid / revoked)
The Chain of Command
China Information Technology Security Evaluation Center (CNITSEC)
CNITSEC was founded in 1997. It is a leading CNCA-designated information security evaluation center. It provides the following services:
• Information Security Product Evaluation
  o GB/T 18336-2008 (i.e. Chinese translation of CC V2.3)
  o Chinese PPs for Firewalls, Smart Cards, Switches and Routers, etc.
• Information Management System Certification
  o ISO/IEC 17799-2000
  o ISO/IEC 21827-2002
  o Chinese management system regulations
• Certification of Service Qualification
• Training and Certification of Information Security Professionals
CNITSEC Authorized Labs
CNITSEC has its own authorized laboratories. Currently, there are 9 CNITSEC authorized labs.
The list on the left contains the following information for each authorized lab:
• organization name
• status of authorization
• authorized scope
• authorization validity period
• corporate representative
• address
• contact number
CNITSEC IS Product Evaluation (FAQ)
• The main standards used are GB/T 18336-2008 (Chinese translation of CC V2.3) and the CEM
• Eligible products are those that have IT security functionality
• Possible assurance levels to achieve are: EAL1 – EAL5
• Eligible applicants are:
  1. Government agencies, research institutes or independent legal business entities
  2. Foreign companies can apply for the product evaluation at CNITSEC through their agencies in China, who must be eligible applicants under condition 1.
• Within 10 days of the application submission, CNITSEC will provide an acceptance or rejection notice.
• Within 10 days of the evaluation completion, the certification number will be announced and registered.
• Evaluation time frame: EAL1: 20 business days; EAL2: 30 business days; EAL3: 60 business days; EAL4: 90 business days; EAL5: 120 business days
CNITSEC Evaluation Process
The entire process consists of four steps:
1. application and acceptance
2. pre-evaluation
3. evaluation
   o documentation review
   o security functionality test
     - independent test
       - Requires at least two sample products
       - Samples should be made available no later than halfway (50%) through the evaluation
     - penetration test (not required for EAL1)
4. on-site inspection (required for EAL 3 and above)
   o performed when the evaluation is about 70% complete
   o verifies and confirms that the configuration management, delivery and operation, and development environment security are implemented as claimed
CNITSEC IS Product Certificates
As of June 2012, 186 certs have been issued. There are foreign products (e.g. Samsung IC card) listed under their local branch's name (e.g. Samsung Shanghai). The certificate list contains the following information:
• vendor name
• product name and version
• certificate number (e.g. CNITSEC2012PRD0186)
• assurance level (e.g. EAL1, EAL3)
• issuance date
• expiration date (3 years after issuance date)
Conclusions
• IS product evaluation in China has its unique aspects, but CC is very much alive in China. It is
• directly used for ISCCC voluntary IS product certification
• directly used for CNITSEC IS product evaluation (voluntary)
• blended into standards for Compulsory Certification for IS products (CC-IS)
• It is possible for a foreign-branded IS product to be certified by ISCCC (either compulsorily or voluntarily) or evaluated by CNITSEC, but the application for that product is expected to be submitted to them via a local (Chinese) agent/branch.
• The certification/evaluation-related information is publicly available, though most information is published only in Chinese.
Thank you for your attention!