What does hardware certification in EU mean?
Spanish media reported that the CNI certifies Huawei products for use in critical sectors such as defense. The original article^1 is quite accurate, but it has been picked up on social media and turned into a blanket statement to the effect that "Spain has proven Huawei devices are secure", which is neither true nor accurate, so I wanted to clarify what the certification actually means.
The article doesn't include a link to the original reports, but they can be found at the Spanish National Cryptological Center (CNC)^2, and most EU countries maintain such repositories as a "single source of truth" for legal compliance with national classified information protection laws. I don't know Huawei products, but anyone with network security experience will find many familiar brands there. For a start I recommend the Network Firewalls category.^3
Firstly, a word about methodology. Such certifications are carried out according to the Common Criteria^4, whereby the manufacturer and the applicant organisation (the government agency wishing to use the device in question) submit the device along with its documentation, firmware, etc., and state, for example, "we wish to use this up to the RESTRICTED level". The applicant puts forward specific claims (e.g. "the product uses AES-256 in accordance with the requirements for this level") and the certification body confirms them or not based on the presented evidence. There are seven levels of Common Criteria, from EAL1 to EAL7, with increasing scope and complexity of assessment. While EAL1 might be limited to a simple gray box vulnerability assessment and a check of the documentation against the presented claims, EAL7 involves physical examination of the device down to the lowest layers of hardware and firmware, and very thorough analysis of the management software. Not surprisingly, only products with a relatively simple architecture, such as data diodes, are certified at the highest level, while most products target somewhere in the middle.
With great pleasure I've found out that my favourite firewall platform, OPNsense, is one of the certified products^5. This is the general description from the certification report; please pay attention to the wording:
OPNsense Business Edition is a software-based state firewall. It is responsible for interconnecting two or more networks, channeling all communications between them through itself to examine each message and block those that do not meet the specified security criteria. The TOE includes both the firewall application and the platform/operating system on which it operates. The underlying operating system, based on FreeBSD, is an essential component of the TOE, providing the capabilities necessary for the secure execution of the TOE. Thus, the TOE is considered an integrated solution comprising:
Under EAL7 that would probably include a full audit of the underlying FreeBSD, the hardware and any custom management software installed, which is naturally impractical. Therefore, in addition to the EAL, the certification specifies the TOE (Target of Evaluation), which states precisely what is the subject of the certification:
TOE is considered an integrated solution comprising: 1) Firewall application: Implements traffic filtering and security policy management functionality, 2) Platform/Operating System: FreeBSD, specifically configured to support the security operations required by the TOE. 3) Management interface: Includes both the command line interface (CLI) and the graphical user interface (GUI), through which TOE administration is carried out. Although the TOE offers a wide range of additional functionality, such as VPN, proxy, intrusion detection, among others, the scope of the assessment focuses on firewall functionality (traffic filtering and policy management).
And the detailed OPNsense Business Edition Security Target v0.8^6 document is actually the most interesting one here. You can clearly see some unique Common Criteria certification features:
- The target of the certification is not a general line of products, but a very specific product model with a precisely stated version and feature set. The consequence is that a version change or a change in features requires recertification, which is quite obvious once you realise that a certified version 1 could easily be backdoored by an uncertified version 1.2.
- The certification sponsor does not apply for a "general security posture" analysis, but for a very specific set of features required by the sponsor's business or legal requirements.
In the document we see some unique Common Criteria jargon, such as Security Functions, one of them being, for example, SF.Cryptography: "The TOE supports only cryptographic algorithms and functions accepted for ENS MEDIUM category of CCN-STIC-807 guide."
There's more: Operational Environment Assumptions, for example A.PHYSICAL PROTECTION: "The product shall be physically protected by its environment and not subject to physical attacks that could compromise its security or interfere with its proper operation." These limit the scope of the certification, excluding a whole range of possible attacks, which would need to be countered by other Security Functions, such as chassis intrusion detection etc. The TOE also defines exactly what is protected in the Assets to Protect section, for example AS.PSC: "Credentials and private keys. Confidentiality and Integrity."
These are now confronted against defined Threats, for example:
T.CRYPTO - WEAK CRYPTOGRAPHIC MECHANISMS: Use of cryptographic mechanisms or weak key lengths in the product that allow an attacker to compromise it, primarily through brute force attacks.
This threat would impact the following Assets to Protect (I've only decoded the AS.PSC example above, but the others are self-explanatory):
- AS.PSC
- AS.COMMUNICATIONS
- AS.UPDATES
- AS.ADMINISTRATION
The whole TOE is an exercise in building a matrix of protected assets, threatened by defined threats, which are countered by security functions, which are in turn implemented by very specific Security Functional Requirements (SFRs). For example, trusted administration mechanisms (ADM group), user identification and authentication (IAU group), trusted communication channels (COM group) and others. And this matrix is ultimately the subject of practical validation by the certifying body.
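To make that matrix concrete, here is an added Python sketch (mine, not from the post or the OPNsense Security Target) that models the rationale as sets and reports the gaps an evaluator looks for: threats no security function counters, assets no threat refers to, security functions with no SFR behind them, and threats that are only "handled" by an operational environment assumption and therefore fall outside the evaluation. The identifiers are the ones quoted above; T.PHYSICAL, SF.Administration and the mapping itself are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class SecurityTarget:
    """Rationale matrix of a Common Criteria Security Target (constructed model)."""
    assets: set[str]                  # AS.*  what the TOE protects
    threats: dict[str, set[str]]      # T.*   -> assets the threat impacts
    assumptions: dict[str, set[str]]  # A.*   -> threats the environment is assumed to remove
    functions: dict[str, set[str]]    # SF.*  -> threats the function counters
    sfrs: dict[str, set[str]]         # SF.*  -> SFR groups implementing it (ADM, IAU, COM, ...)

    def out_of_scope(self) -> set[str]:
        """Threats handled only by an assumption: not evaluated, must be covered elsewhere."""
        return {t for ts in self.assumptions.values() for t in ts}

    def uncountered_threats(self) -> set[str]:
        """Declared threats with neither a security function nor an assumption against them."""
        countered = {t for ts in self.functions.values() for t in ts}
        return set(self.threats) - countered - self.out_of_scope()

    def unprotected_assets(self) -> set[str]:
        """Assets no threat refers to: an incomplete threat list or a dangling asset."""
        return self.assets - {a for aset in self.threats.values() for a in aset}

    def unimplemented_functions(self) -> set[str]:
        """Security functions that no SFR backs, so nothing concrete can be evaluated."""
        return {sf for sf in self.functions if not self.sfrs.get(sf)}

    def dangling_references(self) -> set[str]:
        """Names used in a mapping that the ST never declares."""
        used_assets = {a for aset in self.threats.values() for a in aset}
        used_threats = {t for ts in self.functions.values() for t in ts} | self.out_of_scope()
        return (used_assets - self.assets) | (used_threats - set(self.threats))

    def findings(self) -> dict[str, set[str]]:
        """Everything a reviewer of the ST rationale would flag, keyed by finding type."""
        return {
            "out_of_scope": self.out_of_scope(),
            "uncountered_threats": self.uncountered_threats(),
            "unprotected_assets": self.unprotected_assets(),
            "unimplemented_functions": self.unimplemented_functions(),
            "dangling_references": self.dangling_references(),
        }


# Constructed instance using the identifiers quoted in the post; T.PHYSICAL and
# SF.Administration are placeholders, not names taken from the real OPNsense ST.
EXAMPLE_ST = SecurityTarget(
    assets={"AS.PSC", "AS.COMMUNICATIONS", "AS.UPDATES", "AS.ADMINISTRATION"},
    threats={
        "T.CRYPTO": {"AS.PSC", "AS.COMMUNICATIONS", "AS.UPDATES", "AS.ADMINISTRATION"},
        "T.PHYSICAL": {"AS.PSC"},  # countered by the environment, not by the TOE
    },
    assumptions={"A.PHYSICAL_PROTECTION": {"T.PHYSICAL"}},
    functions={"SF.Cryptography": {"T.CRYPTO"}, "SF.Administration": set()},
    sfrs={"SF.Cryptography": {"COM"}},  # SF.Administration deliberately has no SFR
)
```

Running `EXAMPLE_ST.findings()` shows T.PHYSICAL as out of scope (exactly the effect of A.PHYSICAL PROTECTION described above) and SF.Administration as a function the evaluator could not validate.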
Ultimately, the CNC issued a certificate that states the following:
This certificate covers the functionality declared in the [ST] of the TOE in the version specified in the TOE Identification section of this report, specifically: OPNsense Business Edition 23.10.2
Please especially make note of the last bit, the exact version, because it's important.
Conclusions
The key point is that the certification applies to a specific firmware version on a specific device and in a specific configuration. The only thing the CNI can therefore confirm is similar to “the Huawei router model XYZ-123 with firmware Z.456, brought in for testing with source code, does not contain any backdoors”.
However, simply loading a new firmware version Z.457 or using model XYZ-124 usually invalidates the certificate (it’s more complicated than that, but that’s the general rule), which makes sense because a backdoor could be present in the update.
So, in theory, the claim that there is no backdoor is true; in practice, this means that the user cannot install updates when new vulnerabilities appear in the firmware without recertification of the patched version.
To sum up, what the Spanish CNC have done makes perfect sense: there is no reason to suspect the CNI of having done a poor job in the certification process. Above all, they forced Huawei to undergo the certification process in the EU, which involves providing a vast amount of technical information and, presumably, source code (again, this depends on the EAL)... and this has, in a sense, always been the aim of the European NIS2 Directive: not to buy a pig in a poke, but to force foreign manufacturers to certify critical products within the EU.
At the same time, one must be aware that this is part of Huawei’s and the Chinese government’s PR campaign, and a clear line must be drawn between what this certification has proven and what it has not.
These certificates mean exactly what is written in them and not a word more – so if a certificate states that “model XYZ-123 with firmware Z.456 has no backdoor”, that is its only PROVEN conclusion, full stop.
In particular, the certificates do not mean that all Huawei products are secure as a matter of principle, that other Huawei products do not have backdoors, or that a backdoor cannot appear in them after a new version is installed. I recommend bearing this detail in mind, especially to all colleagues who will have to deal with eloquent company representatives on parliamentary committees or in tenders 😉
A general note: if anyone is interested in how backdoors are installed in networks with a truly high level of security, please read up on the Tailored Access Operations carried out by the NSA and the like for decades.^7 At the end of the day, you end up with a batch of 50 identical routers where 49 had no backdoor, whilst one does, as that particular one was destined for installation exactly where it was needed (hence "tailored"). There are procedures for all this, but again, for that level of assurance you need to control the whole supply chain.