October 18, 2021

Common Criteria smartphone certification: How Samsung Knox is leading the way

Brian Wood

If you’re not an IT leader in federal government, chances are you may never have heard of Common Criteria. But whoever you are, Common Criteria has a big effect on the security of the products you buy. Everyone who sells information technology solutions to security-sensitive public sector organizations must build their products based on the requirements in Common Criteria. And in today’s world of proliferating cyber security threats, it’s increasingly viewed as benchmark all enterprises look to in evaluating their mobile technology.

Over the past decade, Samsung has committed to Common Criteria’s process of continuous mobile security elevation — not just by building our devices and Knox security platform to align with Common Criteria, but by participating in the process and contributing our expertise. Here’s an overview of Common Criteria, why it’s important for the security of mobile devices and how Samsung has supported its evolution.

 

What is Common Criteria?

Let’s skip all the buzzwords and get to the point: With Common Criteria, experts get together — typically coordinated by a government agency — to define what it means for a particular type of product to be “secure.” Then, anyone who wants to sell a product can go to an independent testing lab and say, “My product X is secure. Please verify this.” The result is good for the customer, as it provides a “third-party validation” of the vendor claims.

This process — the setting of requirements, independent review of vendor devices and validation of conformance — lets buyers trust that evaluated products are secure independent of any vendor claims. The level of trust in the Common Criteria process is so high that 30 governments around the world have agreed to accept Common Criteria evaluations as valid, regardless of where the evaluation was done. While Common Criteria is especially popular in the public sector, it has knock-on effects for everyone who buys a product.

Here’s an example of how the process works. In Common Criteria, a set of defined security requirements is called a Protection Profile. Many of these Protection Profiles have been created, but an essential one for Samsung is called the Protection Profile for Mobile Device Fundamentals (PP_MD), which covers things like smartphones and tablets. The requirements for Mobile Devices under Common Criteria add up to 241 pages.

On just one of those pages, there are requirements about how smartphones must generate cryptographic keys using a random number generator. It’s not a big section, just three points — a short but sweet list of requirements for making high-quality cryptographic keys. But it is essential, because if you aren’t making your cryptographic keys from truly random numbers, you may have a huge security flaw: All your encryption could be useless if the keys are easy to guess. (Don’t laugh — this has happened many times in the past.) If a programmer writing smartphone software calls just any random number function they find, you could end up with weak keys, and poor security. Common Criteria gets rid of the trust element (“We trust that Samsung will do a good job”) and replaces it with independently defined criteria and independent testing.

For general-purpose smartphones, we focus on the three most applicable Common Criteria Protection Profiles. The basis for all our validations is Mobile Device Fundamentals, which takes a holistic look at a mobile device and how it will be used. In addition, we also validate our products against the VPN Client and File Encryption Protection Profiles.

 

Samsung and Common Criteria

Samsung has been an active, leading participant in the Common Criteria process in the U.S. (through the U.S. National Information Assurance Partnership) and within the international community. When it comes to security for mobile devices, we’ve helped to define the requirements and write the standards.

But Samsung’s participation and input isn’t limited to mobile. We were also an active participant in defining Common Criteria specifications for Data-at-Rest, which applies to all sorts of devices. Samsung actively participates in more than 10 Common Criteria technical communities in the United States and abroad.

Thanks to our early participation in the mobile device technical community more than eight years ago, Samsung was the first mobile device vendor to be certified under Common Criteria for Mobile Device Fundamentals, starting with the Galaxy S4 and Android 4.4. Since then, Samsung has garnered more Common Criteria certifications than any other mobile vendor.

In addition to certifying Samsung devices, Samsung has worked with Google and the open source community to enhance the Android Open Source Project (AOSP) to meet Common Criteria requirements for security. Our contribution of the intellectual property around Mandatory Access Controls, for example, helps Android phones meet Common Criteria requirements.

Why are we so involved in Common Criteria, when most of our consumer end users haven’t even heard of the program? Because we believe Common Criteria sets a high bar for security — not just for government customers, but for everyone. And everyone deserves a secure device.

By working to provide consumer devices with defense-grade security, we make everyone more secure.

 

Additional security measures from Samsung

Common Criteria serves as a common base for defining security capabilities, but our security-focused smartphones go far beyond the basic requirements. For example, with the hardware encryption capabilities built into Samsung Knox, devices can support longer encryption keys for higher security while still maintaining a high level of user performance.

Another example is Samsung Knox Vault, a security component that goes beyond TrustZone to help protect your most critical data. While Common Criteria allows the possibility of something like Knox Vault, it is not a mandatory requirement. But because we believe the security functionality provided by Knox Vault is so important, Samsung independently certifies Knox Vault under Common Criteria. The security of Knox Vault in our newest hardware has been tested and certified by an independent, third-party under Common Criteria.

IT managers who need Common Criteria certification can rely on Samsung’s full commitment to keep delivering secure, fully certified devices. Samsung continues to build on top of the components of our smartphones and tablets — hardware and software — to create a holistic security posture, enhancing our overall security for all our customers.

 

If you’re not quite sure which mobile tools are right for your agency, browse Samsung’s versatile, reliable range of defense-grade mobile solutions protected by government-ready security.