IBM chip achieves security standard

• By Dan Caterinicchia, Dan Caterinicchia
• Nov 08, 2001

Common Criteria home page

IBM Corp. announced this week that its Cryptographic Security Chip, used in its NetVista desktop computers and ThinkPad notebooks, has received Common Criteria certification, a security standard recognized by the United States and 13 other countries.

Common Criteria (ISO/IEC 15408) is an international standard for evaluating information technology security products to be certified at a defined assurance level.

The U.S. National Information Assurance Partnership (NIAP), an alliance of the National Institute of Standards and Technology and the National Security Agency, awarded the certification after a two-year process, said Peter Hortensius, vice president of development for IBM's personal computing devices group. "This is very important because it provides a benchmark against which both our customers and our competitors can be measured ... in terms of security claims and security capabilities," Hortensius said. "It's all about [products] doing what they say they will do."

The Cryptographic Security Chip for PC Clients uses encryption keys and processes to help secure data, communications and identity. It stores encrypted keys and supports public key infrastructure operations such as encryption for privacy and digital signatures for authentication.

And because all of the functionality takes place within the protected environment of the chip — not in the computer's main memory — the system is more secure than software-only solutions, Hortensius said, adding that IBM would seek the certification for more products in the future.

"As we roll forward, we look to Common Criteria as a demonstrable way of systems proving their capabilities," he said. "We'll likely head down the path again."

The Common Criteria evaluation was performed by CygnaCom Solutions Inc., an Entrust Inc. laboratory based in McLean, Va., that is accredited for the NIAP Common Criteria and Validation Scheme, said Ernie Ovies, senior engineer in IBM's personal computing devices group.

The security chip, developed by IBM, is manufactured by Atmel Corp., which assisted IBM in obtaining Common Criteria certification.

Ovies said the two-year process was normal for obtaining Common Criteria certification, which can sometimes take even longer.

The validation report and related material will be published on the NIAP Common Criteria Evaluation and Validation Scheme Web site for use by prospective government agency and enterprise security customers.

The 13 other countries that recognize and use Common Criteria for the evaluation of information technology security products are Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, the Netherlands, New Zealand, Norway, Spain and the United Kingdom.