ICCC 2012, September 18-20, Paris, France. © atsec information security, 2012

IT Security Evaluation in China

Yi Mao, Ph.D., CISSP
atsec information security corporation, Austin, TX, USA
www.atsec.com
[email protected]


Agenda

• Motivation and Objectives

• Certification and Accreditation Administration of the People’s Republic of China (CNCA)

• China Information Security Certification Center (ISCCC)

• China Information Technology Security Evaluation Center (CNITSEC)

• Conclusions

Disclaimer: I’m employed by atsec information security corporation in Austin, TX, USA, an independent lab specializing in IT security evaluations. I do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, despite the fact that most of it is in Chinese.


atsec’s Vision and Mission

• Promote the effort of establishing a set of well-thought-out, consistent standards for IT security evaluation worldwide.

• Prevent re-inventing the wheel or making the same kind of mistakes repeatedly.

• Enable western clients to deliver their products to the Chinese market by facilitating compliance with the Chinese certification requirements.

• Help Chinese vendors to enter the global market by achieving internationally recognized certificates (e.g. CC, FIPS 140-2).


From China

• The Chinese IT community closely follows international standards

- A Chinese delegation attends each annual International CC Conference

• Chinese vendors have already achieved CC certification

- ZTE

- Huawei

• Chinese vendors have already achieved FIPS 140-2 certification

- ZTE

- Pierson

- Watchdata

• Chinese organizations have received CC and FIPS 140-2 training

- ISCCC

- Vendors pursuing CC and/or FIPS 140-2 certifications


To China

When a western vendor wants to sell their IT security products in China (for example, for Chinese government procurement), and needs to get the required certificates using Chinese evaluation schemes, they often wonder where to start.

This is especially true for those vendors who do not have local branches in China, because information provided by the following authorities is mostly in Chinese:

• Certification and Accreditation Administration of the People’s Republic of China (CNCA)

• China Information Security Certification Center (ISCCC)

• China Information Technology Security Evaluation Center (CNITSEC)


CNCA (Chinese Web Page)


CNCA (English Web Page)


ISCCC (Chinese Web Page)


ISCCC (English Web Page)


CNITSEC (Chinese Web Page)


CNITSEC (English Web Page)


Problem: It’s in Chinese!

• Chinese web pages for CNCA, ISCCC, and CNITSEC have much richer content.

• The English version of their webpages only contains a brief introduction.

• It is impossible for non-Chinese speakers to get a basic understanding of what’s going on in China.


What will be covered?

This presentation will provide a brief sketch of the current state of IT security product evaluation in China,

• not via a word-to-word translation of the Chinese webpages

• but by connecting the dots to give a high-level view that is:

o objective

o up-to-date

o based solely on publicly available information

o as coherent as possible


The Chain of Command


CNCA and CCC

CNCA: The China National Certification and Accreditation Administration is set up and authorized by the State Council to perform administrative functions, and provide unified management, supervision, and nationwide coordination of all certification and accreditation-related organizations.

One of its responsibilities was to establish, develop, implement, and maintain the China Compulsory Certification (CCC) scheme.

The CCC Mark is a compulsory safety mark for both domestically manufactured products and any products imported into China.


Catalogue of CCC-products (1)

• Electrical wires and cables

• Switches for circuits, installation protective and connection devices

• Low-voltage Electrical Apparatus

• Small Power motors

• Electric tools

• Welding machines

• Household and similar electrical appliances


Catalogue of CCC-products (2)

• Audio and video apparatus

• Information technology equipment

• Lighting apparatus

• Motor vehicles and Safety

• Motor vehicle tires

• Safety Glasses

• Agricultural Machinery

• Latex Products

Catalogue of CCC-products (3)

• Telecommunication terminal equipment

• Medical Devices

• Fire Fighting Equipment

• Detectors for Intruder Alarm Systems

• Wireless Local Area Network (WLAN) systems

• Home Renovation Materials

• Toys

• Information Security Products


IS Products Subject to CCC (Notice No. 7 of 2008)

This notice was given on January 28, 2008. It announced the first batch of 13 types of IS products to be included in the mandatory certification catalogue. It was to be enforced on May 1, 2009.


13 types of IS Products on CCC Catalogue

1. Firewall products

2. Network security separation cards and line selectors

3. Security isolation and information exchange products

4. Secure routers

5. Smart card chip operating systems

6. Data backup and recovery products

7. Secure operating systems

8. Secure database systems

9. Anti-spam products

10. Intrusion detection systems

11. Network vulnerability scanning products

12. Security audit products

13. Website recovery products


IS Products Subject to CCC (Notice No. 33 of 2009)

A revised notice was given on April 27, 2009 to adjust the statement of CCC for IS products announced in the previous notice (No. 7 of 2008):

• The CCC for IS products would not be enforced until May 1, 2010.

• It is mandatory for government procurement only.


IS Products Subject to CCC (Notice No. 26 of 2010)

This notice was given on July 14, 2010. It announced:

• the official name of the certification scheme (i.e. national information security product certification system)

• the official name of the certificate (i.e. China's national information security products certification)

• the official certificate mark

• the official certificate template


IS Products Certificate Template

The template shows that the certificate will have the following information:

• Certification logo

• Certificate name

• Certificate number

• Official certificate mark

• Information about the applicant

• Information about the manufacturer

• Information about the factory

• Information about the product

• Referenced standards and technical requirements

• Referenced CNCA implementation rule

• Issuance date

• Expiration date

• Condition of validity

• Name and stamp of certification body


Safety vs. Security

Safety: The state of being free from the occurrence or risk of injury, damage, or loss.

Security: The process or means of protecting against defects, dangers, loss, and crime. “Security” denotes a separation between the assets and the threat.

• In English, the terms “safety” and “security” are related, but each has a distinct and unique meaning.

• In Chinese, there is only ONE term “安全” which means both safety and security.

This explains why the CCC safety mark, originally intended to ensure a product’s quality and harmless operation, has been stretched to cover IT security products.


Organizations Tasked by CNCA

• China Quality Certification Center (CQC)

o Processes most CCC mark applications other than those for IS products (safety concerns)

• China Information Security Certification Center (ISCCC)

o Processes CCC mark applications for IS products (known as CC-IS) and WLAN products (security concerns)

• China National Accreditation Service for Conformity (CNAS)

o Accredits certification bodies

o Accredits laboratories

o Accredits inspection bodies


CNCA-Designated Labs for CC-IS

• CNCA Notice No. 3 of 2008: ISCCC is the designated certification body for CC-IS. There are seven CNCA-designated labs for CC-IS, including:

- China Information Technology Security Evaluation Center (CNITSEC)

• CNCA Notice No. 25 of 2009: defines the business scope for each designated lab


China Compulsory Certification Process

The CCC process consists of the following steps:

1. Submission of an application and supporting materials to a certification body (e.g. ISCCC for CC-IS)

2. Documentation review for the acceptance of the application

3. Type testing on product samples by a CNCA-designated lab (e.g. the seven CC-IS labs)

4. Factory inspection by certification body representatives

5. Evaluation of the test results (may involve re-testing for failed tests) and certificate approval

6. Certification maintenance via annual surveillance inspection


How long does CCC certification take?

Article 15 in “Mandatory product certification regulations” (effective as of May 1, 2002, http://www.cnca.gov.cn/cnca/rdht/qzxcprz/flfg/72303.shtml) specifies:

Under normal circumstances, a designated certification body shall complete the certification process and notify the applicant about the certification result within 90 days after an application is accepted.


How much does CCC certification cost?

CNCA regulates mandatory product certification fees (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/default.shtml):

• Certification application fee

• Fees for a designated lab to conduct type testing on sample products, for each type of product listed on the CCC catalog

• Daily rate for a certification body representative to conduct factory inspections

• Ranges of person-days needed for the initial factory inspection, for each type of product listed on the CCC catalog

• Ranges of person-days needed for the follow-up surveillance factory inspection, for each type of product listed on the CCC catalog

• Annual certification maintenance fee

• Prices of CCC marks to be printed

Fees may be adjusted as product types are added or deleted from the CCC catalog. To reduce the vendors’ financial cost for CCC, CNCA announced a 10%~30% fee reduction on May 1, 2009.


Lab Testing Fees for IS Products (1)

CNCA announced the lab testing fees on May 22, 2009 (http://www.cnca.gov.cn/cnca/rdht/qzxcprz/rzsf/images/2009/06/22/0CC0B946123A4FE5B9E4A265B17488FB.doc). Each row gives the product type, the fees in CNY per evaluated level, and the fees in USD:

1. Firewall products: L1 18500, L2 35500, L3 51500 CNY (< 8,200 USD)

2. Network security separation cards and line selectors: Basic 20000, Enhanced 34000 CNY (< 5,400 USD)

3. Security isolation and information exchange products: L1 21000, L2 37000, L3 49000 CNY (< 7,800 USD)

4. Secure routers: L1 20500, L2 42000, L3 51000 CNY (< 8,100 USD)

5. Smart card chip operating systems: 77500 CNY (< 12,300 USD)

6. Data backup and recovery products: Basic 30000, Enhanced 40000 CNY (< 6,400 USD)


Lab Testing Fees for IS Products (2)

Each row gives the product type, the fees in CNY per evaluated level, and the fees in USD:

7. Secure operating systems: L3 43000, L4 64000, L5 85000 CNY (< 13,500 USD)

8. Secure database systems: L3 43000, L4 69500, L5 84000 CNY (< 13,300 USD)

9. Anti-spam products: 19000 CNY (< 3,000 USD)

10. Intrusion detection systems: L1 (host/net) 20000/23000, L2 (host/net) 32000/43000, L3 (host/net) 69000/88000 CNY (< 13,900 USD)

11. Network vulnerability scanning products: Basic 22500, Enhanced 37500 CNY (< 6,000 USD)

12. Security audit products: Basic 19100, Enhanced 33800 CNY (< 5,400 USD)

13. Website recovery products: Basic 22000, Enhanced 34000 CNY (< 5,400 USD)


Factory Inspection Fee for IS Products

CNCA announced ranges of person-days (PD) for initial and follow-up factory inspections for all 13 types of IS products on May 22, 2009 (2,500 CNY per person-day):

Initial: 2-4 PD / Follow-up: 1-3 PD (< 1,600 USD / 1,200 USD):

1. Firewall products

2. Network security separation cards and line selectors

3. Security isolation and information exchange products

6. Data backup and recovery products

9. Anti-spam products

10. Intrusion detection systems

11. Network vulnerability scanning products

Initial: 4-6 PD / Follow-up: 2-4 PD (< 2,400 USD / 1,600 USD):

4. Secure routers

5. Smart card chip operating systems

7. Secure operating systems

8. Secure database systems

12. Security audit products

13. Website recovery products


The Chain of Command

China Information Security Certification Center (ISCCC)

ISCCC was established in 2006. It is a nonprofit organization that provides the following services:

• Product Certification

o National information security product certification

o Wireless LAN product certification

o IT Information Security Certification

o Technical certification of payment service equipment for non-financial facilities

• Information Security Management System (ISMS) Certification

• Certification of Service Qualification

• Training and Certification of Information Security Professionals

Chinese Standards Used for Information Security Product Certification

• The mandatory certification for the 13 types of IS products uses product-type-specific standards that are derived from three basic information security standards in China:

o GB 17859-1999, “Classified Criteria for Security Protection of Computer Information System”

o GB/T 20271-2006, “Information Security Technology - Common Security Technology Requirements for Information Systems”

o GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008, which are the Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3

• The voluntary certification for other types of IS products uses GB/T 18336.1-2008, GB/T 18336.2-2008, GB/T 18336.3-2008 (i.e. Chinese translations of Common Criteria v2.3 Part 1, Part 2, and Part 3).

ISCCC Certification Procedures

• There are two slightly different certification procedures:

o A centralized procedure, which requires the vendor to submit their application to the ISCCC and get acceptance prior to choosing a lab for type testing.

o A staged procedure, which allows the vendor to work with a lab to pass the type testing before submitting their application to the ISCCC.

• Certification time varies depending on the product type:

o CC-IS Firewall: 30 days lab test, 2-4 PD initial on-site / 1-3 PD annual re-visit

o CC-IS Secure OS: 90 days lab test, 4-6 PD initial on-site / 1-3 PD annual re-visit

o Voluntary IS products: normally 90 days for overall certification, maximum 150 days

• Certificate validity varies depending on the product type:

o CC-IS products: no set expiration date, contingent on surveillance

o Voluntary IS products: 3 years, contingent on surveillance

Certificates Issued to IS Products by ISCCC

As of August 23, 2012:

• There are 263 certificates issued to IS products under the compulsory certification program. The certificate list contains:

o certificate number (e.g. 2012162305000263)

o product name and version

o evaluated level (e.g. L1/L2/L3/L4, or Basic/Enhanced, or EAL for COS)

o vendor name (e.g. Amaranten (Asia) Network Co., Ltd. for a firewall)

o issue date

o certificate status (e.g. valid / revoked)

• There are 73 certificates issued to IS products under the voluntary certification program. The certificate list contains:

o certificate number (e.g. ISCCC-2012-VP-073)

o product name and version

o vendor name

- Axalto Beijing certified their Axalto_Alto Smart card (V2.0)

- Gemplus Tianjin certified their Gemplus_Gem Smart Card (V1.0)

o issuance date

o certificate status (e.g. valid / revoked)


The Chain of Command


China Information Technology Security Evaluation Center (CNITSEC)

CNITSEC was founded in 1997. It is a CNCA-designated, leading information security evaluation center. It provides the following services:

• Information Security Product Evaluation

o GB/T 18336-2008 (i.e. Chinese translation of CC V2.3)

o Chinese PPs for Firewalls, Smart Cards, Switches and Routers, etc.

• Information Management System Certification

o ISO/IEC 17799-2000

o ISO/IEC 21827-2002

o Chinese management system regulations

• Certification of Service Qualification

• Training and Certification of Information Security Professionals


CNITSEC Authorized Labs

CNITSEC has its own authorized laboratories. Currently, there are 9 CNITSEC-authorized labs.

The list on the slide contains the following information for each authorized lab:

• organization name

• status of authorization

• authorized scope

• authorization validity period

• corporate representative

• address

• contact number


CNITSEC IS Product Evaluation (FAQ)

• The main standards used are GB/T 18336-2008 (Chinese translation of CC V2.3) and the CEM

• Eligible products are those that have IT security functionality

• Possible assurance levels to achieve are: EAL1 – EAL5

• Eligible applicants are:

1. Government agencies, research institutes or independent legal business entities

2. Foreign companies, which can apply for product evaluation at CNITSEC through their agencies in China; those agencies must be eligible applicants under condition 1.

• Within 10 days of the application submission, CNITSEC will provide an acceptance or rejection notice.

• Within 10 days of the evaluation completion, the certification number will be announced and registered.

• Evaluation time frame: EAL1: 20 business days; EAL2: 30 business days; EAL3: 60 business days; EAL4: 90 business days; EAL5: 120 business days


CNITSEC Evaluation Process

The entire process consists of four steps:

1. Application and acceptance

2. Pre-evaluation

3. Evaluation

o documentation review

o security functionality test

o independent test

- Requires at least two sample products

- Samples should be made available no later than halfway (50%) through the evaluation

o penetration test (not required for EAL1)

4. On-site inspection (required for EAL 3 and above)

o performed when the evaluation is about 70% complete

o verifies and confirms that the configuration management, delivery and operation, and development environment security are implemented as claimed


CNITSEC IS Product Certificates

As of June 2012, 186 certs have been issued. There are foreign products (e.g. Samsung IC card) listed under their local branch’s name (e.g. Samsung Shanghai). The certificate list contains the following information:

• vendor name

• product name and version

• certificate number (e.g. CNITSEC2012PRD0186)

• assurance level (e.g. EAL1, EAL3)

• issuance date

• expiration date (3 years after issuance date)


Conclusions

• IS product evaluation in China has its unique aspects, but CC is very much alive in China. It is:

o directly used for ISCCC voluntary IS product certification

o directly used for CNITSEC IS product evaluation (voluntary)

o blended into standards for Compulsory Certification for IS products (CC-IS)

• It is possible for a foreign-branded IS product to be certified by ISCCC (either compulsorily or voluntarily) or evaluated by CNITSEC, but the application for that product is expected to be submitted to them via a local (Chinese) agent/branch.

• The certification/evaluation-related information is publicly available, though most of it is published only in Chinese.


Thank you for your attention!