Evaluating Cryptography in a Common Criteria context (K32a)
Cryptography is present in almost all IT products that provide security. As such, evaluating the cryptographic code is part of a Common Criteria evaluation. On the other hand, in the spirit of crypto agility, cryptographic code needs to be updated regularly, but this step is not always performed by cryptographers. This may result in code that is no longer coherent, or even in vulnerable code that is forgotten in the implementation and continues to be used even though more robust cryptography is already implemented. This presentation will cover the usual process for evaluating cryptographic code from an evaluator's point of view. To better illustrate the different steps, the presenters will also cover some common mistakes that can be encountered, as well as a (non-exhaustive) panorama of tools that can be used to analyze the given code and identify potential vulnerabilities.