The resistance of cryptographic modules to non-invasive attacks—such as side-channel analysis (SCA) and fault injection (FI)—is no longer solely a matter of academic research. It has become a formalized and auditable requirement for high-assurance security evaluations in commercial and government sectors.
In 2018, the Canadian Standards Association (CSA) adopted the international benchmark ISO/IEC 17825 as CAN/CSA ISO IEC 17825-18, providing a comprehensive, standardized testing methodology for the mitigation of non-invasive attack classes against cryptographic modules. This standard harmonizes the evaluation approach across global frameworks including FIPS 140-3, Common Criteria, and various national cybersecurity schemes.
This article provides a detailed technical breakdown of the scope, core technical requirements, practical implementation strategies for testing laboratories, and the compliance landscape surrounding this critical standard.
Scope and Purpose of CAN/CSA ISO IEC 17825-18
The standard specifically addresses testing methods for non-invasive attacks. Unlike invasive attacks (which require depackaging the chip) or semi-invasive attacks (which use chemical etching or focused ion beams), non-invasive attacks exploit observable physical phenomena generated by the module during normal operation.
Standard Scope
- Attack Classes Covered: Simple Power Analysis (SPA), Differential Power Analysis (DPA), Electromagnetic Analysis (EMA/DEMA), Timing Analysis, and Injection of Transient Faults (clock, voltage, EM, or optical).
- Module Types: Hardware cryptographic modules (ASICs, FPGAs, Smart Cards) and software cryptographic modules (running on general-purpose CPUs or secure enclaves).
- Relationship to Other Standards: It works in direct support of the security requirements defined in ISO/IEC 19790 (the international equivalent of FIPS 140-3) and the test requirements defined in ISO/IEC 24759. It provides the rigorous test methodologies required to validate compliance with the non-invasive attack mitigation mandates found in those higher-level standards.
The purpose is to remove ambiguity from side-channel evaluations. Instead of relying on a lab’s subjective interpretation of what constitutes an effective attack, the standard defines specific test metrics, pass/fail criteria, and reporting requirements. This ensures that a module passing evaluation in one accredited laboratory will achieve the same result in another.
Core Technical Requirements and Test Metrics
The standard does not simply state that a module must be secure; it demands quantifiable demonstration of resistance. The testing is structured around specific attacks, each with associated metrics.
Test Methodology Framework
Implementation of the standard requires a rigorous test setup that can reliably stimulate the Device Under Test (DUT) and capture leakage with high fidelity. Testing is typically divided into “Generic” and “Specific” attack stages.
| Attack Class | Primary Observable | Key Test Metric | Documentation Requirement |
|---|---|---|---|
| Simple Power Analysis (SPA) | Power Trace Instruction Patterns | SNR (Signal-to-Noise Ratio) of Data/Key Dependent Signal | Execution path analysis & alignment correlation |
| Differential Power Analysis (DPA) | Statistical Power Correlation | MTD (Maximum Traces to Disclosure) | Success rate vs. number of traces graph |
| Timing Analysis | Execution Time Variance | Time Variance Analysis (Mean & Variance) | Algorithm runtime distribution histogram |
| Fault Injection (FI) | Transient Output Errors / Glitches | Fault Coverage / Error Detection Rate | Device sensitivity map & fault model analysis |
Critical Technical Definitions
- MTD (Maximum Traces to Disclosure): The minimum number of side-channel traces required to successfully distinguish the correct cryptographic key from all candidates with a specified success probability. Higher MTD indicates stronger resistance.
- Test Yield: The ratio of successful attack runs to total attempts under identical conditions. A lower yield suggests effective countermeasure implementation, though standard pass/fail criteria are strictly defined.
- Leakage Assessment: The standard outlines specific statistical tests (e.g., Welch’s t-test for TVLA—Test Vector Leakage Assessment) to detect the presence of key-dependent leakage pre-emptively, before a full DPA attack is attempted.
Implementation and Lab Testing Highlights
Planning for Evaluations: Testing labs should establish a baseline using the standard’s required leakage assessment (TVLA). A static t-test score below the defined threshold (typically |t| < 4.5) often indicates that a full DPA attack will be unsuccessful, dramatically reducing overall test time for robust modules.
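The pointwise Welch's t-test behind the leakage assessment defined above and the screening step in this paragraph, as an added example that is not taken from the standard or the original article. The traces are simulated (constructed Gaussian noise plus a Hamming-weight term at one sample point); the function names, the fixed value 0xFF, the trace counts and the leak position are assumptions of the example.

```python
import math
import random

T_THRESHOLD = 4.5  # |t| limit quoted in the text above


def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def tvla(fixed_traces, random_traces):
    """Test every sample point; return (max |t|, indices above the threshold)."""
    columns = zip(zip(*fixed_traces), zip(*random_traces))
    t = [welch_t(f, r) for f, r in columns]
    return max(abs(v) for v in t), [i for i, v in enumerate(t) if abs(v) > T_THRESHOLD]


def simulate(n, leak_scale, fixed, rng, points=16, leak_point=7):
    """Constructed traces: unit Gaussian noise plus a Hamming-weight term at one point."""
    traces = []
    for _ in range(n):
        # Fixed set always processes 0xFF (HW 8); random set has mean HW 4.
        value = 0xFF if fixed else rng.randrange(256)
        trace = [rng.gauss(0.0, 1.0) for _ in range(points)]
        trace[leak_point] += leak_scale * bin(value).count("1")
        traces.append(trace)
    return traces


def evaluate(leak_scale, n=2000, seed=1):
    """Acquire both sets from the simulated DUT and run the screening test."""
    rng = random.Random(seed)
    fixed = simulate(n, leak_scale, True, rng)
    rand = simulate(n, leak_scale, False, rng)
    return tvla(fixed, rand)


if __name__ == "__main__":
    for label, scale in (("unprotected", 0.5), ("no first-order leak", 0.0)):
        max_t, leaks = evaluate(scale)
        verdict = "leakage detected" if leaks else "below threshold"
        print(f"{label}: max|t|={max_t:.1f} points={leaks} -> {verdict}")
```

In this model a fixed value with Hamming weight 4 would have the same mean as the random set at the leaking point, so the first-order test would not flag it; the choice of fixed input affects what the screening step can see.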
Strict Configuration Control: Non-invasive testing is highly sensitive to the DUT’s operational state. The module must be executing the exact cryptographic algorithm (e.g., AES-256 encryption or ECDSA signing) in the loop required by the test plan. System interrupts, memory bus activity, or varying clock speeds can completely mask or skew the leakage signal. The standard enforces strict monitoring of the DUT during acquisition.
Synergistic Security Gain: When combined with ISO/IEC 19790 Annex B requirements, compliance with CAN/CSA ISO IEC 17825-18 provides the strongest possible evidence for non-invasive attack mitigation. Successfully completing the standard’s test sequences creates a defensible, repeatable security evaluation report that satisfies the strictest Common Criteria Protection Profiles.
Common Pitfalls in Documentation: The standard is exceptionally strict regarding the reproducibility of the test environment. Failing to precisely document probe placement (coordinates and angle), oscilloscope sample rate, and power supply filtering characteristics can lead to an immediate “Fail” due to a lack of reproducibility. Ensure your Test Configuration Report is accurate to within at least 0.1 mm for physical probes.
Required Lab Infrastructure
To perform evaluations compliant with the standard, a laboratory must invest in specific equipment, including:
- High-speed digital oscilloscope (typically ≥ 2 GHz bandwidth, ≥ 10 GS/s).
- Low-noise power probes and current probes.
- Electromagnetic (EM) near-field probes (e.g., H-field and E-field probes).
- Programmable fault injection equipment (clock glitcher, voltage glitcher, EM pulse generator).
- Advanced statistical analysis software for MTD calculation and TVLA.
Compliance, Certification, and Global Landscape
Canadian Adoption Context
CAN/CSA ISO IEC 17825-18 is the identical adoption of the international standard ISO/IEC 17825 by the Standards Council of Canada. Organizations seeking Canadian federal government security approvals for cryptographic modules (e.g., within the Canadian Centre for Cyber Security’s Cryptographic Module Verification Program) must demonstrate compliance with this specific standard.
Global Harmonization
The standard plays a crucial role in international mutual recognition. A security evaluation conducted per ISO/IEC 17825 is largely accepted across jurisdictions that adhere to the Common Criteria Recognition Arrangement (CCRA) and the SOG-IS Smartcard Evaluation Framework. Furthermore, the test metrics align closely with the requirements for FIPS 140-3 Level 2, 3, and 4.
Maintaining Compliance
Compliance is not a one-time event. Any modification to the cryptographic algorithm implementation, the underlying hardware architecture, compilers, or manufacturing process node can alter the leakage profile of the module. The standard, and the certifying bodies that enforce it, typically require a re-evaluation or a delta evaluation when such changes occur. The standard itself provides clear guidelines for the scope of re-testing.
—
Copyright © 2026 — International Standards Application. This document provides a technical summary of the standard described and is for informational purposes only. Consult the official text of CAN/CSA ISO IEC 17825-18 for authoritative requirements.
Frequently Asked Questions (FAQ)
Q: How does CAN/CSA ISO IEC 17825-18 differ from FIPS 140-3 testing requirements?
A: FIPS 140-3 (ISO/IEC 19790) defines the what—the high-level security requirements for non-invasive attack mitigation (e.g., Level 3 requires “attack mitigation”). CAN/CSA ISO IEC 17825-18 defines the how—the detailed, repeatable test methods and metrics to verify those requirements, such as calculating the MTD and performing TVLA.
Q: Is this standard applicable to pure software cryptographic libraries (e.g., OpenSSL, BouncyCastle)?
A: Yes. The scope specifically includes software cryptographic modules. For software, testing requires either physical power/EM measurements on the actual execution platform or robust simulation environments. The standard provides specific guidance on adapting the test methods for software running on high-noise general-purpose platforms, typically focusing on trace alignment and precise trigger setup.
Q: What is “TVLA” and why is it important in this standard?
A: Test Vector Leakage Assessment (TVLA) is a pre-qualification test method specified in the standard. It uses a fixed vs. random key Welch’s t-test to detect if a module leaks any key-dependent correlation. It is extremely powerful because it does not require a full attack; instead, it quickly determines whether a module is “worth” attacking, functioning as a critical quality gate in the evaluation process.
Q: Are there specific pass/fail criteria defined in the standard for DPA resistance?
A: Yes, the standard defines strict criteria. A common criterion is the Maximum Traces to Disclosure (MTD). The module is deemed to have passed if the number of traces required to recover a key, or a significant portion of a key, exceeds a defined threshold. This threshold is partially based on the security strength of the algorithm (e.g., requiring > 10 million traces for a 128-bit AES key).