Ask Our Experts (AOE): What is JIL for Secure Elements?
Microchip expert Todd Slack explains the JIL rating in Common Criteria (CC) methodology and what it means for secure key storage devices.
Watch the video or read the transcript below:
Hi everyone, Ulises here for Microchip Technology. Welcome to Ask Our Experts, a series of videos where we answer some Frequently Asked Questions (FAQs) on a diverse set of topics. Today's topic is about secure elements. To help answer our question, we welcome back Todd Slack. So let's get started! Todd, JIL is a term used by Microchip Technology when we promote our secure key storage solutions; it's also a term used by Common Criteria, but what does it mean?
JIL stands for Joint Interpretation Library. It is a globally recognized scoring system in the security community, focused on basically determining how well you protect your keys in a secure element. In our case, we submit devices like [Microchip Technology] Trust Anchor 100 and ECC608, for evaluation [to our third-party] Accredited Security Lab.
Before [the Third-Party Accredited Security Lab] ever starts trying to attack the device and extract keys, we provide them access to our design databases, they get access to our data sheets, user guides, programming specs—you name it—and then they figure out the best path on how they're going to try to attack our device. Now we get a set of scores when the clock starts, which is when they actually start trying to attack the device. The first set would be on how long it takes them to extract a key from a device if, in fact, they can extract it. There's a score where if it's less than a day you would get zero points, but it would increment as you go to a week, a month, and so on. Ultimately, after three person-months of trying to extract the key from a device, if they cannot extract that key then they consider it impractical to extract the key from that device, and you would end up ultimately with a score of JIL High. Now along the way, there are other things that you can get a score if, in fact, they can extract a key—say, after a month—where you involve things like: what was the expertise of the person that attacked the device, was this a recent college graduate or one of only a handful of people in the world that can perform the attack?
Another set of points would be associated with the cost of the attack: was this a $250 Differential Power Analysis (DPA) Board or a $500,000 piece of equipment that it took to extract the keys? How much were they dependent on documentation that's publicly available, versus what was provided, say, under Non-Disclosure Agreement (NDA)? Then a number of different scores will add up ultimately from zero to thirty-one (31), 31 being the highest. You can have basic, enhanced basic, moderate and ultimately high. Devices like the [Microchip Technology] Trust Anchor and ECC608 where they were unable to extract a key after three person-months achieved a score of JIL High, and that explains the JIL Scoring Assessment System.
Thanks, Todd always nice to have you! Viewers, to learn more about [Microchip Technology] Trust Anchor make sure to check out our CryptoAutomotive™ technology web page linked in the description below. Don't forget to subscribe to our YouTube channel to be the first to know when we have more insights from our experts. We'll see you next time!