IBM chip achieves security standard
- By Dan Caterinicchia, Dan Caterinicchia
- Nov 08, 2001
Common Criteria home page
IBM Corp. announced this week that its Cryptographic Security Chip, used
in its NetVista desktop computers and ThinkPad notebooks, has received Common
Criteria certification, a security standard recognized by the United States
and 13 other countries.
Common Criteria (ISO/IEC 15408) is an international standard for evaluating
information technology security products to be certified at a defined assurance
level.
The U.S. National Information Assurance Partnership (NIAP), an alliance
of the National Institute of Standards and Technology and the National Security
Agency, awarded the certification after a two-year process, said Peter Hortensius,
vice president of development for IBM's personal computing devices group.
"This is very important because it provides a benchmark against which both
our customers and our competitors can be measured ... in terms of security
claims and security capabilities," Hortensius said. "It's all about [products]
doing what they say they will do."
The Cryptographic Security Chip for PC Clients uses encryption keys
and processes to help secure data, communications and identity. It stores
encrypted keys and supports public key infrastructure operations such as
encryption for privacy and digital signatures for authentication.
And because all of the functionality takes place within the protected
environment of the chip not in the computer's main memory the system
is more secure than software-only solutions, Hortensius said, adding that
IBM would seek the certification for more products in the future.
"As we roll forward, we look to Common Criteria as a demonstrable way
of systems proving their capabilities," he said. "We'll likely head down
the path again."
The Common Criteria evaluation was performed by CygnaCom Solutions Inc.,
an Entrust Inc. laboratory based in McLean, Va., that is accredited for
the NIAP Common Criteria and Validation Scheme, said Ernie Ovies, senior
engineer in IBM's personal computing devices group.
The security chip, developed by IBM, is manufactured by Atmel Corp.,
which assisted IBM in obtaining Common Criteria certification.
Ovies said the two-year process was normal for obtaining Common Criteria
certification, which can sometimes take even longer.
The validation report and related material will be published on the
NIAP Common Criteria Evaluation and Validation Scheme Web site for use by prospective government
agency and enterprise security customers.
The 13 other countries that recognize and use Common Criteria for the
evaluation of information technology security products are Australia, Canada,
Finland, France, Germany, Greece, Israel, Italy, the Netherlands, New Zealand,
Norway, Spain and the United Kingdom.