sec-certs Python API demo

In this demo, we will:

  1. Fetch the fully processed dataset from our web

  2. Turn the dataset into a pandas dataframe – a data structure suitable for further data analysis.

  3. Filter the dataset to certificates of our interest

  4. Explore various attributes of a dataset and its individual certificate

  5. Learn how to go from a single vulnerability to all certificates that may suffer from the vulnerability

  6. Plot various characteristics of the dataset

1. Fetch the fully processed dataset from our web

# First, import the necessary libraries
from sec_certs.dataset import CCDataset
import pandas as pd
# Download the dataset and see how many certificates it contains
dataset = CCDataset.from_web_latest()
print(f"The downloaded CCDataset contains {len(dataset)} certificates")
Downloading CC Dataset: 100%|██████████| 144M/144M [00:14<00:00, 10.6MB/s] 
The downloaded CCDataset contains 5330 certificates
# # Don't run this! This creates a new empty dataset, crawls commoncriteriaportal.org and processes all certificates.
# dset = CCDataset()
# dset.get_certs_from_web()
# dset.process_auxillary_datasets()
# dset.download_all_artifacts()
# dset.convert_all_pdfs()
# dset.analyze_certificates()

2. Turn the dataset into a pandas dataframe – a data structure suitable for further data analysis.

df = dataset.to_pandas()
# print columns of the dataset
df.columns
Index(['cert_id', 'name', 'status', 'category', 'manufacturer', 'scheme',
       'security_level', 'eal', 'not_valid_before', 'not_valid_after',
       'report_link', 'st_link', 'cert_link', 'manufacturer_web',
       'extracted_versions', 'cpe_matches', 'verified_cpe_matches',
       'related_cves', 'directly_referenced_by', 'indirectly_referenced_by',
       'directly_referencing', 'indirectly_referencing', 'extracted_sars',
       'protection_profiles', 'cert_lab', 'year_from'],
      dtype='object')
# Select a single column
df_vulns = df.related_cves
df_vulns.head()
dgst
8298c7814b3b2860    NaN
9a1c767d358eee50    NaN
979e00ac7d3e229c    NaN
a6015339aa4434cf    NaN
a89ee15539d006d1    NaN
Name: related_cves, dtype: object
# Save the dataset as json (might not work from browser)
dataset.to_json("cc_dataset.json")

3. Filter the dataset to certificates of our interest

# Select only certificates that have some related cves
vulnerable_certificates = df.loc[df.related_cves.notnull()]

# Select only certificates from BSI
bsi_certs = df.loc[df.cert_lab == "BSI"]

# Select only certificates certified in 2017 or later
certs_2017_and_newer = df.loc[df.not_valid_before.dt.year >= 2017]

# select only active certificates
active_certificates = df.loc[df.status == "active"]

# Select only certificates that reference some other certificate
reference_rich_certificates = df.loc[df.directly_referencing.notnull()]

# Select only certificates with EAL6 and higher
eal6_or_more = df.loc[df.eal >= "EAL6"]
# Show arbitrary subset that we've defined earlier 
eal6_or_more.head()
cert_id name status category manufacturer scheme security_level eal not_valid_before not_valid_after ... verified_cpe_matches related_cves directly_referenced_by indirectly_referenced_by directly_referencing indirectly_referencing extracted_sars protection_profiles cert_lab year_from
dgst
ef1fba0df82eb56e BSI-DSZ-CC-1096-2021 Arbit Data Diode 10 GbE v1.00 active Boundary Protection Devices and Systems Arbit Cyber Defence Systems ApS DE {EAL7+, ALC_FLR.1} EAL7+ 2021-04-07 2026-04-07 ... NaN NaN NaN NaN NaN NaN {SAR(family='ALC_FLR', level=1), SAR(family='A... NaN BSI 2021
167ed26aa5bc8193 NSCIB-CC-163925-CR Fort Fox Hardware Data Diode FFHDD3_1/10 active Boundary Protection Devices and Systems Fox-IT B.V. NL {ALC_FLR.3, ASE_TSS.2, EAL7+} EAL7+ 2018-07-11 2023-07-11 ... NaN NaN NaN NaN NaN NaN {SAR(family='ASE_CCL', level=1), SAR(family='A... NaN NaN 2018
6cd7a7a1cffaa67e NSCIB-CC-0095534-CR3 NXP JCOP 4.7 SE051 active ICs, Smart Cards and Smart Card-Related Device... NXP Semiconductors NL {ASE_TSS.2, EAL6+, ALC_FLR.1} EAL6+ 2023-03-27 2028-03-27 ... NaN NaN NaN NaN {BSI-DSZ-CC-1136-V3-2022, NSCIB-CC-180212-CR5} {BSI-DSZ-CC-1136-2021, BSI-DSZ-CC-1136-V3-2022... {SAR(family='ALC_FLR', level=1), SAR(family='A... [Java Card Protection Profile - Open Configura... NaN 2023
51e4fcdced4053b0 ANSSI-CC-2023/14 S3D384C/S3D352C/S3D300C/S3D264C/S3D232C/S3K384... active ICs, Smart Cards and Smart Card-Related Device... Samsung Electronics Co., Ltd. FR {ASE_TSS.2, EAL6+} EAL6+ 2023-03-02 2028-03-02 ... NaN NaN NaN NaN {ANSSI-CC-2021/56} {ANSSI-CC-2021/56} {SAR(family='ASE_CCL', level=1), SAR(family='A... [Security IC Platform Protection Profile with ... NaN 2023
1116a6b1b0edbf8d NSCIB-CC-66030-CR6 NXP Crypto Library V3.1.x on P6021y VB active ICs, Smart Cards and Smart Card-Related Device... NXP Semiconductors Germany GmbH, Business Unit... NL {ASE_TSS.2, EAL6+, ALC_FLR.1} EAL6+ 2023-02-16 2028-02-16 ... NaN NaN NaN NaN {BSI-DSZ-CC-1072-V5-2022} {BSI-DSZ-CC-1072-V2-2019, BSI-DSZ-CC-1072-V5-2... {SAR(family='ASE_CCL', level=1), SAR(family='A... [Security IC Platform Protection Profile with ... NaN 2023

5 rows × 26 columns

4. Explore various attributes of a dataset and its individual certificate

# Select a single certificate by its digest
cert = dataset["15d68159595eae09"]
print(cert)
Infineon Technologies AG Infineon Security Controller M7892 B11 with optional RSA2048/4096 v1.02.013 or v2.07.003, EC v1.02.013 or v2.07.003, SHA-2 v1.01, SCL v2.02.012, Base v1.02.013 or v2.07.003, and Toolbox v1.02.013 or v2.07.003 libraries and with specific IC dedicated software (firmware) dgst: 15d68159595eae09
# Display attributes of this certificate
vars(cert)
# Focus on extracted heuristics
vars(cert.heuristics)
{'extracted_versions': {'1.01', '1.02.013', '2.02.012', '2.07.003'},
 'cpe_matches': {'cpe:2.3:a:infineon:rsa_library:1.02.013:*:*:*:*:*:*:*'},
 'verified_cpe_matches': None,
 'related_cves': {'CVE-2017-15361'},
 'cert_lab': ['BSI'],
 'cert_id': 'BSI-DSZ-CC-0782-V5-2020',
 'st_references': References(directly_referenced_by={'BSI-DSZ-CC-1088-2022', 'KECS-ISIS-1139-2021', 'KECS-ISIS-1113-2021', 'KECS-ISIS-1140-2021'}, indirectly_referenced_by={'BSI-DSZ-CC-1088-2022', 'KECS-ISIS-1139-2021', 'KECS-ISIS-1113-2021', 'KECS-ISIS-1140-2021'}, directly_referencing=None, indirectly_referencing=None),
 'report_references': References(directly_referenced_by={'KECS-ISIS-1139-2021', 'KECS-ISIS-1113-2021', 'KECS-ISIS-1140-2021'}, indirectly_referenced_by={'KECS-ISIS-1139-2021', 'KECS-ISIS-1113-2021', 'KECS-ISIS-1140-2021'}, directly_referencing={'BSI-DSZ-CC-0782-V4-2018'}, indirectly_referencing={'BSI-DSZ-CC-0782-V3-2017', 'BSI-DSZ-CC-0782-V4-2018', 'BSI-DSZ-CC-0782-V2-2015', 'BSI-DSZ-CC-0782-2012'}),
 'extracted_sars': {SAR(family='ADV_ARC', level=1),
  SAR(family='ADV_FSP', level=5),
  SAR(family='ADV_IMP', level=2),
  SAR(family='ADV_INT', level=3),
  SAR(family='ADV_SPM', level=1),
  SAR(family='ADV_TDS', level=5),
  SAR(family='AGD_OPE', level=1),
  SAR(family='AGD_PRE', level=1),
  SAR(family='ALC_CMC', level=5),
  SAR(family='ALC_CMS', level=5),
  SAR(family='ALC_DEL', level=1),
  SAR(family='ALC_DVS', level=2),
  SAR(family='ALC_FLR', level=1),
  SAR(family='ALC_LCD', level=1),
  SAR(family='ALC_TAT', level=3),
  SAR(family='ASE_CCL', level=1),
  SAR(family='ASE_ECD', level=1),
  SAR(family='ASE_INT', level=1),
  SAR(family='ASE_OBJ', level=2),
  SAR(family='ASE_REQ', level=2),
  SAR(family='ASE_SPD', level=1),
  SAR(family='ASE_TSS', level=1),
  SAR(family='ATE_COV', level=3),
  SAR(family='ATE_DPT', level=3),
  SAR(family='ATE_FUN', level=2),
  SAR(family='ATE_IND', level=2),
  SAR(family='AVA_VAN', level=5)},
 'direct_transitive_cves': None,
 'indirect_transitive_cves': None,
 'scheme_data': {'cert_id': 'BSI-DSZ-CC-0879-V5-2022',
  'product': 'Infineon Security Controller M7893 B11 with optional RSA2048 v2.03.008, SHA-2 V1.01, Toolbox v2.03.008 and with specific IC …',
  'vendor': 'Infineon Technologies AG',
  'certification_date': '19.10.2022',
  'category': 'Smart Cards and similar devices',
  'url': 'https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/CC/SmartCards_IC_Cryptolib/0879_0879V2_0879V3_0879V4_0879V5.html',
  'enhanced': {'product': 'Infineon Security Controller M7893 B11 with optional RSA2048 v2.03.008, SHA-2 V1.01, Toolbox v2.03.008 and with specific IC dedicated software (firmware)',
   'applicant': 'Infineon Technologies AG\nAm Campeon 1-12\n85579 Neubiberg',
   'evaluation_facility': 'TÜV Informationstechnik GmbH',
   'assurance_level': 'EAL6+,ALC_FLR.1',
   'protection_profile': 'Security IC Platform Protection Profile, Version 1.0, 15 June 2007, BSI-CC-PP-0035-2007',
   'certification_date': '19.10.2022',
   'expiration_date': '18.10.2027',
   'entries': [{'id': 'BSI-DSZ-CC-0879-V5-2022',
     'description': 'and RSA4096 cryptographic library. Beside that the certified scope has been limited: the keygeneration is out of the certified scope.'},
    {'id': 'BSI-DSZ-CC-0879-V4-2020', 'description': ') v1.03.006.'},
    {'id': 'BSI-DSZ-CC-0879-V3-2018', 'description': 'Certificate'},
    {'id': 'BSI-DSZ-CC-0879-V2-2015', 'description': 'Security Target'},
    {'id': 'BSI-DSZ-CC-0879-2014-MA-01 (04.12.2014)\nMaintenancereport / Maintenance Report',
     'description': '.'},
    {'id': 'BSI', 'description': 'Security Target'}],
   'report_link': 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte/Reporte08/0879V5c_pdf.pdf?__blob=publicationFile&v=2',
   'target_link': 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte/Reporte08/0879V5b_pdf.pdf?__blob=publicationFile&v=2',
   'description': 'The Target of Evaluation (TOE) is Infineon smart card IC (Security Controller) M7893 B11 with optional Software Libraries RSA2048/4096 v1.03.006, EC v1.03.006, SHA-2 v1.01 and Toolbox v1.03.006 and with specific IC dedicated software. The TOE provides a real 16-bit CPU-architecture and is compatible to the Intel 80251 architecture. The major components of the core system are the two CPUs (Central Processing Units), the MMU (Memory Management Unit) and MED (Memory Encryption/Decryption Unit). The dual interface controller is able to communicate using either the contact based or the contactless interface.\nThe TOE consists of the hardware part, the firmware parts and the software parts. The software parts are differentiated into: the cryptographic libraries RSA, EC and SHA-2 and the supporting libraries Toolbox and Base. RSA, EC, SHA-2 and Toolbox provide certain functionality to the Smartcard Embedded Software.'},
  'subcategory': 'ICs, Cryptolib'}}

5. Learn how to go from a single vulnerability to all certificates that may suffer from the vulnerability

# Search for certificate IDs of certs vulnerable to RoCA CVE (CVE-2017-15361)
roca_cve_id = 'CVE-2017-15361'
df["is_vulnerable_to_roca"] = df.related_cves.map(lambda x: False if pd.isnull(x) else roca_cve_id in x)
df.loc[df.is_vulnerable_to_roca, "cert_id"].to_list()
['BSI-DSZ-CC-0782-V5-2020',
 'BSI-DSZ-CC-0964-V4-2019',
 'BSI-DSZ-CC-0782-V4-2018',
 'BSI-DSZ-CC-0964-V3-2017',
 'BSI-DSZ-CC-0782-V3-2017',
 'BSI-DSZ-CC-0926-V2-2017',
 'BSI-DSZ-CC-0782-V2-2015',
 'BSI-DSZ-CC-0829-V2-2015',
 'BSI-DSZ-CC-0891-2015',
 'BSI-DSZ-CC-0964-2015',
 'BSI-DSZ-CC-0926-2014',
 'BSI-DSZ-CC-0917-2014',
 'BSI-DSZ-CC-0907-2013',
 'BSI-DSZ-CC-0782-2012',
 'BSI-DSZ-CC-0829-2012',
 'BSI-DSZ-CC-0758-2012']
# Inspect individual certificate that might suffer from RoCA vuln.
print(dataset["15d68159595eae09"])
Infineon Technologies AG Infineon Security Controller M7892 B11 with optional RSA2048/4096 v1.02.013 or v2.07.003, EC v1.02.013 or v2.07.003, SHA-2 v1.01, SCL v2.02.012, Base v1.02.013 or v2.07.003, and Toolbox v1.02.013 or v2.07.003 libraries and with specific IC dedicated software (firmware) dgst: 15d68159595eae09
# Given certificates that suffer from ROCA, which certified products reference them?
roca_vulnerable_cert_ids = df.loc[df.is_vulnerable_to_roca, "cert_id"].to_list()
df["references_roca"] = df.indirectly_referencing.map(lambda x: False if pd.isnull(x) else any(y in x for y in roca_vulnerable_cert_ids))

df_roca_affected = df.loc[df.references_roca]

🎉 The df_roca_affected dataframe now holds certified products that reference certified products directly affected by the RoCA vulnerability. Let's take a look.

df_roca_affected.head()
cert_id name status category manufacturer scheme security_level eal not_valid_before not_valid_after ... directly_referenced_by indirectly_referenced_by directly_referencing indirectly_referencing extracted_sars protection_profiles cert_lab year_from is_vulnerable_to_roca references_roca
dgst
6a07be907f66f5d1 BSI-DSZ-CC-1147-V2-2023 MTCOS Pro 2.5 EAC with PACE / P71D352 (N7121) active ICs, Smart Cards and Smart Card-Related Device... MaskTech International GmbH DE {EAL5+, ALC_DVS.2, AVA_VAN.5} EAL5+ 2023-02-22 2028-02-22 ... {BSI-DSZ-CC-1148-V2-2023} {BSI-DSZ-CC-1148-V2-2023} {BSI-DSZ-CC-1136-V3-2022, BSI-DSZ-CC-1147-2020... {BSI-DSZ-CC-0891-2015, BSI-DSZ-CC-1136-V3-2022... {SAR(family='ASE_CCL', level=1), SAR(family='A... [Machine Readable Travel Document with ICAO Ap... BSI 2023 False True
49bcce8117e22c62 BSI-DSZ-CC-1148-V2-2023 MTCOS Pro 2.5 EAC with PACE / P71D352 (N7121) ... active ICs, Smart Cards and Smart Card-Related Device... MaskTech International GmbH DE {ALC_DVS.2, EAL4+} EAL4+ 2023-02-22 2028-02-22 ... NaN NaN {BSI-DSZ-CC-1147-V2-2023, BSI-DSZ-CC-1136-V3-2... {BSI-DSZ-CC-0891-2015, BSI-DSZ-CC-1136-V3-2022... {SAR(family='ASE_CCL', level=1), SAR(family='A... [Protection Profile for Machine Readable Trave... BSI 2023 False True
01cb2ad202b5df12 ANSSI-CC-2022/68 ACOS-IDv2.1 eMRTD (A) BAC Configuration(Versio... active ICs, Smart Cards and Smart Card-Related Device... Austria Card plastikkarten und Ausweissysteme ... FR {ALC_TAT.2, ALC_FLR.1, EAL4+, ALC_CMS.5, ADV_T... EAL4+ 2022-12-15 2027-12-15 ... NaN NaN {ANSSI-CC-2022/08, BSI-DSZ-CC-1110-V5-2022} {BSI-DSZ-CC-1110-V4-2021, BSI-DSZ-CC-0945-2017... {SAR(family='ALC_FLR', level=1), SAR(family='A... [Protection Profile for Machine Readable Trave... NaN 2022 False True
37739e3954762bc2 ANSSI-CC-2022/64 ACOS-IDv2.1 SSCD (A) CB-Comm (Version 2.1 SSCD... active ICs, Smart Cards and Smart Card-Related Device... Austria Card plastikkarten und Ausweissysteme ... FR {EAL5+, ALC_DVS.2, ALC_FLR.1, AVA_VAN.5} EAL5+ 2022-12-15 2027-12-15 ... NaN NaN {ANSSI-CC-2022/19, BSI-DSZ-CC-1110-V5-2022} {ANSSI-CC-2022/19, BSI-DSZ-CC-0945-2017, BSI-D... {SAR(family='ALC_FLR', level=1), SAR(family='A... [Protection profiles for secure signature crea... NaN 2022 False True
a4b7ab85878030d7 ANSSI-CC-2022/65 ACOS-IDv2.1 SSCD (A) CL-TC-Comm (Version 2.1 S... active ICs, Smart Cards and Smart Card-Related Device... Austria Card plastikkarten und Ausweissysteme ... FR {EAL5+, ALC_DVS.2, ALC_FLR.1, AVA_VAN.5} EAL5+ 2022-12-15 2027-12-15 ... NaN NaN {ANSSI-CC-2022/20, BSI-DSZ-CC-1110-V5-2022} {BSI-DSZ-CC-1110-V4-2021, BSI-DSZ-CC-0945-2017... {SAR(family='ALC_FLR', level=1), SAR(family='A... [Protection profiles for secure signature crea... NaN 2022 False True

5 rows × 28 columns

# Say that you're interested in `ANSSI-CC-2013/55`, which was deployed in Estonia. Is it affected? Let's find out.
df_roca_affected.loc[df_roca_affected.cert_id == "ANSSI-CC-2013/55"]
cert_id name status category manufacturer scheme security_level eal not_valid_before not_valid_after ... directly_referenced_by indirectly_referenced_by directly_referencing indirectly_referencing extracted_sars protection_profiles cert_lab year_from is_vulnerable_to_roca references_roca
dgst
350581534e265186 ANSSI-CC-2013/55 Plateforme jTOP INFv#46 masquée sur composants... archived ICs, Smart Cards and Smart Card-Related Device... Trusted Logic / Infineon FR {EAL5+, ALC_DVS.2, AVA_VAN.5} EAL5+ 2013-08-07 2019-09-01 ... {ANSSI-CC-2015/25, ANSSI-CC-2013/64} {ANSSI-CC-2015/25, ANSSI-CC-2013/64} {BSI-DSZ-CC-0829-2012} {BSI-DSZ-CC-0829-2012, BSI-DSZ-CC-0728-2011, B... {SAR(family='ALC_DVS', level=2), SAR(family='A... [Java Card™ System Protection Profile Open Con... SERMA 2013 False True

1 rows × 28 columns
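
The reference lookup above yields one boolean per certificate. The following added example (not part of the sec-certs demo or library) goes one step further on constructed sample rows: it walks `directly_referencing` transitively, tolerates reference cycles and references to IDs missing from the dataset, and returns the shortest reference chain to a CVE-matched certificate so each hit can be reviewed. The `EX-CC-*` IDs, `CVE-0000-00000` and all function names are assumptions made for illustration; it also assumes `indirectly_referencing` is the transitive closure of `directly_referencing`.

```python
from collections import deque

# Constructed sample rows (not real certificates). The keys mirror the
# dataframe columns used above: cert_id, related_cves, directly_referencing.
SAMPLE_CERTS = [
    {"cert_id": "EX-CC-0001", "related_cves": {"CVE-2017-15361"},
     "directly_referencing": None},
    {"cert_id": "EX-CC-0002", "related_cves": None,
     "directly_referencing": {"EX-CC-0001"}},
    # 0003 and 0004 reference each other (a cycle in the reference graph)
    {"cert_id": "EX-CC-0003", "related_cves": None,
     "directly_referencing": {"EX-CC-0002", "EX-CC-0004"}},
    {"cert_id": "EX-CC-0004", "related_cves": None,
     "directly_referencing": {"EX-CC-0003"}},
    # 0005 references an ID that is not in the dataset (dangling reference);
    # CVE-0000-00000 is a placeholder, not a real CVE
    {"cert_id": "EX-CC-0005", "related_cves": {"CVE-0000-00000"},
     "directly_referencing": {"EX-CC-9999"}},
    {"cert_id": "EX-CC-0006", "related_cves": None,
     "directly_referencing": None},
]


def build_reference_graph(certs):
    """Map cert_id -> set of directly referenced cert_ids (None becomes empty)."""
    return {c["cert_id"]: set(c["directly_referencing"] or ()) for c in certs}


def directly_matched(certs, cve_id):
    """IDs of certificates whose related_cves contains cve_id."""
    return {c["cert_id"] for c in certs
            if c["related_cves"] and cve_id in c["related_cves"]}


def unresolved_references(certs):
    """Referenced IDs that have no row in the dataset; these edges lead nowhere."""
    graph = build_reference_graph(certs)
    referenced = set().union(*graph.values()) if graph else set()
    return referenced - set(graph)


def reference_chains(certs, cve_id):
    """Shortest reference chain [cert, ..., matched_cert] for every certificate
    that transitively references a certificate matched to cve_id."""
    graph = build_reference_graph(certs)
    matched = directly_matched(certs, cve_id)

    # Reverse the edges so the search can start at the matched certificates.
    referenced_by = {}
    for src, targets in graph.items():
        for dst in targets:
            referenced_by.setdefault(dst, set()).add(src)

    # Multi-source BFS; next_hop doubles as the visited set, so cycles end.
    next_hop = {m: None for m in matched}
    queue = deque(sorted(matched))
    while queue:
        current = queue.popleft()
        for src in sorted(referenced_by.get(current, ())):
            if src not in next_hop:
                next_hop[src] = current
                queue.append(src)

    chains = {}
    for cert_id in next_hop:
        if cert_id in matched:
            continue  # directly matched certificates are reported separately
        chain = [cert_id]
        while next_hop[chain[-1]] is not None:
            chain.append(next_hop[chain[-1]])
        chains[cert_id] = chain
    return chains


if __name__ == "__main__":
    cve = "CVE-2017-15361"
    print("directly matched:", sorted(directly_matched(SAMPLE_CERTS, cve)))
    for cert_id, chain in sorted(reference_chains(SAMPLE_CERTS, cve).items()):
        print(f"{cert_id}: {' -> '.join(chain)}")
    print("unresolved references:", sorted(unresolved_references(SAMPLE_CERTS)))
```

`related_cves` is stored among the certificate's heuristics, and `verified_cpe_matches` is `None` in the output above, so treat each chain as a lead to check against the certificate's security target rather than a confirmed finding.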

6. Plot various characteristics of the dataset

# Different categories
df.category.value_counts().plot.bar()
<AxesSubplot: >
[Figure: bar plot of the number of certificates per category]
# Different EAL levels
df.eal.value_counts().plot.bar()
<AxesSubplot: >
[Figure: bar plot of the number of certificates per EAL level]
# Number of referenced certificates
df["n_referencing"] = df.directly_referencing.map(lambda x: 0 if pd.isnull(x) else len(x))
df.n_referencing.plot.box()
<AxesSubplot: >
[Figure: box plot of the number of directly referenced certificates]
# Take a look at the columns and try to plot an attribute of your interest.

Showcase of complicated plots that can be produced with our dataframe

[Figures: two example plots]