CAPS (CESG Assisted Products Service) is a certification scheme exclusive to the UK Government market. CAPS offers Government and MoD users the assurance that their security products have been tested to the highest standards. Further information on CESG can be found at http://www.cesg.gov.uk/. The MoD has an additional certification scheme operated by the Defence Infosec Product Co-operation Group (DIPCOG), which offers extra guidance and assurance for MoD staff on the suitability of CAPS products for particular applications.
During product development, Thales provides design information to CESG which describes how the product in question meets the security criteria for the target market. The formal explanation of compliance is published in a restricted document called the ‘security target’. At the end of a successful evaluation, CESG issue a CAPS certificate for the specific version of the product being assessed. Modifications to the product, whether to provide bug fixes or new functionality, require a reassessment by CESG before the revised product can be released. Depending on the complexity of the change, this can take several months because of the amount of testing needed to ensure the changes do not introduce any security vulnerabilities.
In all CAPS-approved products the cryptographic key material is generated by CESG and supplied in a secure manner to the end customer, sometimes through a trusted third party. All products under the CAPS scheme therefore employ key material controlled explicitly by CESG. This differs from the commercial market, where in most cases the end-user community generates and manages its own key material using a management system supplied by the vendor.
Each product is classified by category and according to its cryptographic grade. Currently CESG recognise products in Baseline Grade (securing up to RESTRICTED information), Enhanced Grade (typically securing up to short term SECRET) and High Grade (SECRET & TOP SECRET) categories. The amount of documentation required, the strength of the security design, and the algorithms and key lengths used vary for each category. Thales concentrates on the Enhanced Grade standard but has a number of offerings in both the Baseline Grade and High Grade markets. The precise specifications on levels of classified data that a product can protect are summarised on the CAPS certificate. They are also confirmed during the ‘authorisation to purchase’ phase that the end user undertakes before Thales is permitted to supply the product.
Datacryptor AP and Datacryptor 2000 have been certified under the CAPS scheme. The Thales CAPS entries can be viewed on the CESG website.