ICMC Conference

May 8-11
Ottawa, Ontario, Canada

The International Cryptographic Module Conference is the leading annual event for global expertise in commercial cryptography. At the sixth annual edition of the conference in May 8-11 in Ottawa, Ontario, Canada, over 400 industry leaders from over 22 countries will convene to address the unique challenges faced by those who develop, produce, test, specify, and use cryptographic modules, with a strong focus on standards such as FIPS 140-2, ISO/IEC 19790, and Common Criteria. The conference helps to foster a focused, organized community of users. ICMC reviews technical issues underlying cryptographic implementation including physical security, key management, side-channel analysis, open-source development, algorithm testing, quantum threats, embedded applications, standardization, validation programs, government policy, professional ethics, and more.


PrimeKey speakers

Martin Oczko: Traditional Hardware Security Models vs. Real World Requirements. Is There A Gap?

10 May, 15:30-16:00

Hardware based security (like HSMs, TPMs, smart cards etc) is a well established concept and there is a variety of hardware security modules of different flavours available on the market. However the HSM technology hasn’t changed during the last 10+ years although the systems, deployment concepts and applications which are to protect changed massively. Cloud or outsourced deployments require a new level of integrity protection for the applications, IoT is bringing a new level of scalability requirements into the game and new technology stacks for critical applications redefine the need for a secure execution environment which goes beyond the protection of the cryptography part of the application.

This session will look at “the state of the nation“ regarding hardware security and related technologies like cryptographic APIs or management schemes in the context of todays cloud computing, Industrial IoT, and critical applications. It will analyze current requirements and put the state of technology and certification schemes on a test bench based on practical experience from the last years. Also, the session will ask and try to answer questions like: Is PKCS#11 really best suited for cloud and Industrial IoT use cases? Is it really sufficient to protect only cryptographic keys in a hardware security module? Do we have a gap when it comes to certification schemas?

Last but not least the presentation will try to answer the question: Is the current state of the hardware security technology with it’s deployments models, APIs and management concepts sufficient to address the requirements coming with latest technology stacks, cloud technologies and IoT use-cases?


Tomas Gustavsson: Case study on certification and audit of open source security software

11 May, 10:45-11:15
Ottawa salon 212

EJBCA project started in 2001. Now it its 6th major version, it is used worldwide for variety of use-cases. We share experiences of Common Criteria EAL4+ certification of an open source software, and look at value of CC certification in practice, putting in broader context of audit standards such as eIDAS/ETSI, CA/B forum or WebTrust. We look also at integration with FIPS-140-2 certified HSMs using PKCS#11, and discuss some examples where static nature of certifications is insufficient in practice.



Read more about ICMC