ISO/IEC 17825: Mitigation Methods for Classes of Non-Intrusive Attack against Cryptographic Modules
The world of security standards is constantly being updated and revised to keep up with technological advances. One of the major players in this field is ISO, or the International Organization for Standardization. ISO refers at the same time to the name of the information technology standard but also this international committee that decides on processes and techniques that will then be applicable to any company that wishes to be certified to a specific standard.
ISO/IEC 19790:2012 is a standard that was published in 2012 that addresses requirements specifically intended to maintain the security provided by cryptographic modules. It an important standard that companies working in the security and safety fields must strive to follow. ISO/IEC 19790:2012 is also the technical requirements for FIPS 140-3.
Another important standard in the cybersecurity field is ISO/IEC 17825 which specifies non-invasive attack mitigation test metrics to determine compliance with the requirements specified in ISO/IEC 19790:2012. The test metrics are associated with the security functions specified in ISO/IEC 19790:2012.
ISO/IEC 17825 was originally published in 2016 and is a part of the larger ISO/IEC 19790:2012 standard on security techniques for cryptographic modules; which is itself part of FIPS-140-3. The standard follows methods for mitigating classes of non-intrusive attack against cryptographic modules; it has 60 requirements divided into 11 clauses. In order to obtain this security standard, a series of tests such as timing analysis, simple analysis and differential analysis must be followed. If these requirements are not met, ISO/IEC 17825 is not complied with.
For the first time since its publication in 2012, ISO/IEC 19790:2012 is undergoing a revision in 2022. As part of this review, some of its component standards are also being revised. One of them being ISO/IEC 17825. This standard will become a requirement in the FIPS 140-3 technical requirements standards ISO/IEC 19790, and henceforth it shall be mandatory to follow the ISO/IEC 17825 for non-invasive attacks mitigation for Cryptographic Module Validation Program test after the new updates which will come into effect with the revision currently being made.
Secure-IC on ISO/IEC 17825
Secure-IC always strives to follow the highest security standards in order to provide the most secure solutions possible.
Indeed, Sylvain Guilley, CTO of Secure-IC, is senior editor of international standards, among which the standards for cryptographic module testing. That implies that Secure-IC was already implementing ISO/IEC 17825 even before its revision.
Secure-IC’s AnalyzrTM which is a powerful post-silicon security evaluation platform, enables security evaluation on real physical chip/boards after foundry tape-out. It includes all the necessary equipment to perform efficiently SCA measurements and fault injections (FIA). AnalyzrTM allows to certify for FIPS 140-3 and is today the only tool available today to certify for ISO/IEC 17825; meaning that as of yet, the only tool that will be able to certify your device for ISO/IEC 17825 and for FIPS-140 in general will be Secure-IC’s AnalyzrTM tool.
Do you have questions on this topic and on our protection solutions? We are here to help.