Category

Auditoría

Trust services training

By #eIdAS, Acreditación, Auditoría, Certificación de auditores EIDAS, Conformity Assessment Body (CAB), eIDAS, EIDAS Auditor certification, Electronic Trust Service Providers, Evaluación de conformidad, Servicios de Confianza DigitalNo Comments

New dates for training on trust services:

  • Level 1 (2 days): Training for advanced users of electronic trust services (25 and 26 October 2022). Fee price: €1,000 +VAT.
  • Level 2 (2 days): Training for Trusted e-Services providers’ staff (15 and 17 November 2022). Fee: 1.000 € +VAT
  • Level 3 (2 days): Training for EIDAS Trusted e-Services Auditor candidates (29 November and 1 December 2022). Fee: 2.500 € +VAT. It includes accompaniment as a trainee auditor in 4 EIDAS audits.

Online training, held from 16:00 to 20:00 (Central European Time, UTC + 1h).
On this occasion, a special price has been defined to thank the people who have contacted us, following the announcement we made a few months ago: EIDAS specialist training and auditor certification.

  • Level 1 (2 days). Promotion: 450 € +VAT
  • Level 1 + Level 2 (4 days). Promotion: 1.000 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days). Promotion: 2.500 € + VAT

In addition to the training, it is possible to obtain the associated professional certification by passing a level exam:

  • Professional certification “Trusted e-Services Specialist”. Level 1. Examination fees 200 € +VAT
  • Professional certification “Trusted e-Services Company Professional”. Level 2. Examination fees: 400 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Professional certification “Evaluator of digital trust services companies”. Level 3. Examination fee: 600 € +VAT. Level 2 exam must be passed or pending evaluation. 4 EIDAS audits must be carried out as “trainee auditor” to become a fully qualified auditor.

Registration Form: Formulario_formacion-EIDAS-TCAB-2022

Download the full brochure: Brochure_training-EIDAS-TCAB-2022

Sunday September 4th, 2022

Remote identification component for EIDAS certificate issuance services

By #eIdAS, Auditoría, Certificados cualificados, Conformity Assessment, Electronic Trust Services, EN 319 411-1, EN 319 411-2, Remote identification, SEPBLAC, TS 119 461, Video onboardingNo Comments

Identity proofing is not an eIDAS trusted service by itself, but a component of other trusted services. A remote identity proofing service component can be used by many different trust services.

Providers of remote identification services based on video and audio transmission systems from the applicant’s equipment can be audited according to ETSI EN 319 403-1 so that this audit can subsequently be used by a qualified certificate issuing service provider without this part of the service having to be audited again.

The standard used to assess providers of remote identification services is the recently published standard ETSI TS 119 461. This standard has been developed taking into account the following aspects:

  • It is based on ETSI EN 319 401 which contains common requirements for all trust services.
  • It includes specific requirements for the verification of the identity of natural persons.
  1.  It compiles best practice requirements on how to use certain means to implement the three tasks of “collection of attributes and electronic evidence”, “verification of electronic attributes and evidence’, and ‘binding the requested action (e.g. issuing a certificate) to the identity of the applicant’.
  2. It specifies how identity proofing processes can be constructed by combining means to achieve the basic desired outcome of the identity proofing process.
  • It links to the requirements of section 6.2 of EN 319 411-1 and EN 319 411-2 by indicating ways to fulfil these requirements by remote identification.
  • Although it lays down specific requirements for providing qualified trust services, e.g. issuing of qualified certificates of natural persons, the identity verification service is not a qualified service by itself.

The security requirements of ETSI TS 119 461 cover the most common risks, which fall into two main categories:

  • Forged evidence: An applicant falsely claims an identity using forged means of evidence.
  • Impersonation: An applicant uses valid means of evidence associated with another person.

Potential operational risks and social engineering risks are also taken into account.

Saturday November 13th, 2021

Electronic notices and registered e-mail are essential in long-distance relationships.

By #eIdAS, Auditoría, Conformity Assessment, Conformity Assessment Body, electronic delivery, Electronic Trust Services, Entrega certificada, notificacionesNo Comments

As streets, businesses, and public buildings emptied, other places took center stage. Electronic notifications were already doing so, but they are another of the protagonists of this period of State of Alarm due to the COVID-19 pandemic.

An electronic system of notifications allows any type of natural or legal person to receive the different notices and documents that the Public Administrations have issued in digital format.

The Tax Agency, the Directorate General of Traffic, and the Social Security are the main issuing bodies of this type of notification that allow public entities to make significant savings in terms of messaging and users to save travel time as they no longer have to be present when the notification is delivered.

The private sector has also developed reliable notification systems, which can now be adapted to the requirements of EU Regulation 910/2014 (EIDAS) and can thus be converted into certified delivery systems. This is provided for in Articles 43 and 44 of the EIDAS Regulation:

Article 43 – Legal effect of an electronic registered delivery service

1.   Data sent and received using an electronic registered delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic registered delivery service.

2.   Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.

Article 44 – Requirements for qualified electronic registered delivery services

1.   Qualified electronic registered delivery services shall meet the following requirements:

(a)

they are provided by one or more qualified trust service provider(s);

(b)

they ensure with a high level of confidence the identification of the sender;

(c)

they ensure the identification of the addressee before the delivery of the data;

(d)

the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;

(e)

any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;

(f)

the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.

In the event of the data being transferred between two or more qualified trust service providers, the requirements in points (a) to (f) shall apply to all the qualified trust service providers.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Although the Commission has not published standards that provide a presumption of compliance, ETSI has published the following evaluation standards:

  • EN 319 521 – Policy & security requirements for electronic registered delivery service providers
  • EN 319 531 – Policy & security requirements for registered electronic mail (REM) service providers

At TCAB, we are in a position to assess trustworthy registered electronic delivery service providers. according to EIDAS and ETS Standards. Call us at +34 91 388 0789 to clarify your doubts.

 

Tuesday May 19th, 2020

TCAB participates in the event on the Cybersecurity Regulation organized by AMETIC

By Acreditación, AMETIC, Auditoría, Centro Criptológico Nacional, Cyber-security, Cybersecurity, ENISA, EU CybersecurityNo Comments

AMETIC, the Spanish ICT Business Association has organized an informative event on the new European regulation “Cybersecurity Act”, which from June 2019 will regulate the implementation of a common European framework for the certification of “Cybersecure” ICT products and services to promote cybersecurity of online services and consumer devices.

This European regulation not only seeks to increase the confidence of users in relation to the use of connected devices, but also to strengthen the European cybersecurity industry and the European Single Market, positioning it as a reference worldwide, in line with other markets such as the United States or China. The European Union Agency for Network and Information Security (ENISA), which through this regulation will be named as the new European Agency for Cybersecurity, will coordinate and harmonize policies at European level, and will support Member States in the implementation of plans and national strategies in the fight against threats and cybersecurity attacks.

Antonio Cimorra, director of Information Technologies and Digital Agenda of AMETIC, highlighted during the opening of the session the advances that the digital transformation has introduced in society, as well as the importance of ensuring cybersecurity. He also commented on the measures that, from AMETIC, and particularly from the Cybersecurity Commission where important suppliers of this technology meet, are being developed in this field. Cimorra also highlighted the association’s support for the new European initiative.

Later, Ignacio Pina, Technical Director of the National Accreditation Entity (ENAC), explained that, “although the regulation will not be mandatory at the beginning, as far as certification is concerned, it is spected that the market will regulate itself fostering its adoption “. Pina added that “certification in itself does not generate security, but rather seeks to build trust among consumers”. In this regard, he commented that “the transition between current national certification schemes in force and the new common European framework will be gradual”. On the other hand, he stressed that “the role of the industry in defining the certification schemes that derive from this regulation, is essential for them to be aligned with market needs.”

Implications of “Cybersecurity Act”

Next, Cybersecutity focused round table was held witht the motto “How does the Cybersecurity Act impact on companies in the digital sector ?”.

Round table was presented by David González, president of the AMETIC Cybersecurity Commission and Head of Sales for Europe and North Africa of G & D. The participants were Mariano José Benito, CISO of GMV; Jesús María Alonso, Head of Consulting Spain of ATOS; Ainhoa ​​Inza, CEO of TCAB (Trust Conformity Assessment Body), and Miguel Bañón, CEO of EPOCHE & ESPRI.

They discussed the implications of the certification regulation for the activity of companies in the digital sector, and the following steps to address in this new scenario.

In general, the participants commented that it is a very positive initiative since, despite being a voluntary regulation for the time being, it is expected that its impact on the market will increase the number of certified secure ICT products in a significant way. They also highlighted that, for Spain, it is an opportunity for consolidation at the European level in terms of cybersecurity, taking advantage of the fact that the Spanish certification ecosystem is among the best considered in Europe.

On the other hand, it has been highlighted that, since there is no penalties framework within the regulation, it is important for companies to detect the benefit of certification, such as the impact on the consumer in terms of trustworthiness. They have also commented that the objective of this initiative is that consumers “get used” to verify that those ICT products or services that they buy or consume, carry the seal of safety certification.

Finally, the presentation by the expert representative of the National Cryptological Center (CCN), an entity that currently coordinates the work of certification in cybersecurity at the national level, addressed how the new Scheme will be adopted in Spain. CCN has coincided with other speakers in the great opportunity that “Cybersecurity Act” supposes for the European and Spanish cybersecurity industry when it comes to positioning Europe in line with other markets.

Monday June 3rd, 2019

Security audits for projects with Blockchain and SmartContracts

By Auditoría, Blockchain, Conformity AssessmentNo Comments

According to some estimates, blockchain technology companies can expect business volumes of 6 billion euros by 2020. However, they must first deal with blockchain security vulnerabilities, which, despite their relevance, continue to be underestimated when It deals with the so-called “distributed accounting” technology (or DLT).

A comment here, to clarify the “distributed ledger” (DLT) widespread term that in my opinion should be renamed as “distributed accounting”, or better, “RJT Replicated Journal Technology” since it really registers entries in the log as they are produced, not reflecting the accounting itself.

Security vulnerabilities in block chains

Some aspects of security have to do with the use of cryptography, and given that cryptography is used intensively in blockchain contexts, there is a widespread belief that blockchain systems are inherently safe.

However, in complex systems, different attack vectors appear that must be identified and remedied, so that excessive confidence in the technology can be dangerous.

In fact, the technology called DLT is subject to a series of problems that centralized databases do not have.

The security risks of Blockchain exist, and must be recognized and mitigated so that Blockchain fulfills its promise to transform the way in which data is stored and how it affects the projects that use it.

As more government, industrial and commercial sectors adopt technology, the need to address these problems sooner rather than later becomes paramount.

Blockchain Vulnerabilities

Vulnerabilities of the interface system

One of the most likely vulnerabilities with DLT originates outside of the blockchain itself.

The interface system is the equipment that a user uses to access services based on blockchain.

In this system credentials are introduced, enough reason to attract attackers who exploit vulnerabilities. Other times, manipulating the “clipboard” the memory area used for copy and paste functions can allow an attacker to change the destination account of a transaction.

Malware detection is a desirable feature in tools that anticipate minimizing attacks on the interface system.

Security of public key cryptography

Those who propose transactions to form part of the chain (for example, value transfers in the case of crypto-assets and cryptocurrencies) sign them with a private key and give information about their public key. The private key is filed with the portfolio or equivalent mechanism. The protection of the equipment is again essential. But there are certain risks (for example, based on quantum computing) that in the future could allow obtaining the private key from the public one. To minimize risk, there are techniques associated with single-use portfolios that can be adopted.

Key backups should not be kept on the system that is used daily. And even less without encrypting.

Third party platforms

As cyber-currencies and applications using related technologies (such as DLT) become popular, the third-party solutions market will experience growth. Some possible services to be offered by third parties are:

  • Blockchain integration platforms
  • Payment processors
  • Wallets
  • Fintech entities
  • Cryptocurrency payment platforms
  • Smart contracts

These platforms use different vulnerable technologies, in addition to blockchain-specific ones. They are true Providers of Digital Trust Services and should comply with the standard EN 319 401 that the EIDAS Regulation imposes on Qualified Providers.

Control of  deployment

When a project starts or evolves within it, exhaustive tests must be carried out to detect vulnerabilities in the code before it passes to the final execution environment. This is especially relevant in smartcontracts. In the smarcontracts languages ​​such as Solidity are frequently used, with “defects” similar to those of Javascript. A case of special relevance may be to include the addresses of the portfolios in quotes. If not, the addresses are truncated and the amounts remitted can end up in an irrecoverable limbo.

Size of the block chain

Depending on the type of cryptoactive and how its transaction management system has been designed for its annotation in the block chain, it may be necessary to preserve the entire chain of blocks from its origins. Some variants allow converting the transaction history into a “status photo” from which the previous history can be discarded. Be that as it may, the more transactions are made, the more the chain grows, which can create sizing problems in the equipment in which they are managed.

51% attacks

Some cryptoactive systems with different block confirmation philosophies (PoW, Proof of Work, PoS, Proof of Stake, …) could be attacked by groups that exceed the 51% participation in the consensus mechanism. Therefore, it would be advisable to anticipate the need for reversion mechanisms and the responsibility for the execution of such mechanisms.

There have been real cases of this type of attack on Pow mechanism (theoretical until recently) that is understood knowing that a large number of mining equipment accumulation centers are built in countries where electricity is cheap and supervision is scarce

Lack of maturity of blockchain technology

In all technologies, essential lessons are learned as they are adopted and generalized. Problems are discovered and reselled. Blockchain technology is still in the early stages of development and all risks and their effects are not understood.

Risks due to insufficient standardization

Many of the blockchain systems are deployed with a “Whitepaper” and source code of the project available on Github. Although it is an exercise in transparency, it is often revealed that the promoters of such projects have little interest in knowing the standards or adopting them.

It is particularly striking in the field of electronic signature, whose main market has matured over the years giving rise to various laws and technical standards that create legal presumptions for those who adopt technology and that define the standards that facilitate their interoperability.

In contrast, the use of electronic signature technology in blockchain projects seems to come from undergraduate students who have read the basics of electronic signature theory and who ignore the advance of the standards. They look like academic exercises, instead of responding to market demands that require systems to interoperate and that their developers know the laws and standards.

Fortunately UNE and ISO (among other standardization bodies) are beginning to propose standards for the blockchain world, which should not ignore the advances made in common technologies with a certain level of maturity.

It should be remembered that standardization, against what its critics affirm, does not limit innovation but opens up new possibilities for it. And leaves solved problems that were undertaken in the past minimizing the risk of reinventing the wheel each time.

Subtle vulnerabilities

There are vulnerabilities difficult to detect that are visible after incidents of a certain magnitude. It is advisable to provide for reversion mechanisms before deployment in order to manage problems that have not been previously identified.

An example is shown by the case of “The DAO”

A “DAO” (Distributed Autonomous Organization) is a Decentralized Autonomous Organization built on some types of blockchain, with code execution functionality for intelligent contracts associated with investments in the capital of markedly digital companies. You could say that a DAO is a crowdsourcing venture capital fund that is managed on the basis of embedded smartcontracts in a chain of blocks. There are many DAOs, each created to host and execute smart contracts for specific organizations.

One of those DAO, known as “The DAO”, was founded in 2016 by members of the Ethereum team. During its creation period, The DAO made history in the field of crowdfunding by raising 150 million dollars. Shortly after, The DAO made history, once again, by being the first DAO to be pirated.

During the crowdsale, many members of the Ethereum community expressed concern that the DAO code could be attacked. Subsequently, a member of the DAO team found a “recursive error” but erroneously believed that there were no DAO funds at risk. A hacker proved he was wrong.

The attack occurred when the attacker exploited two vulnerabilities in the DAO code. The hacker knew that the code was designed to allow both a split and a transfer of tokens between accounts. The hacker also realized that the code would not update account balances fast enough to prevent the transfer of the same tokens more than once.

The hacker executed a spinoff function, creating a “child DAO” account and made repeated transfer requests from his first account in quick succession. Since the code did not decrease the original account balances after each transfer, there was nothing to prevent the same tokens being repeated about 40 times each, without destroying the original tokens.

After transferring $ 55 million in Ether, the hacker terminated the attack and some additional events happened, so I invite you to investigate this issue from which great lessons are drawn.

Call us if you need us

When serious blockchain projects are proposed, their promoters invest in technology developments that help define transaction types, identity management models, block confirmation mechanisms, block production rates and transaction limits. per block. There are many aspects that make each project different.

One that should begin to be taken into account is that of the project audit. Maybe he does not detect all the problems, but he will discover the main ones. We must begin to value what is already known and avoid making mistakes that have already been committed.

Contact the Trust Conformity Assessment Body (TCAB) if you need to audit a blockchain project.

Wednesday July 11th, 2018