The importance of certification
What is security certification?
Generally speaking, certification is used to show that a product has undergone assessment by a third party and has reached a certain standard. When speaking about security technology, certification is used to show that a specific hardware or software has undergone extensive testing and meets a certain security standard.
Our Ledger hardware wallets use state-of-the-art Secure Element chips , which are used for high-end security solutions for protecting critical data such as credit cards, passports and sim cards. These chips are certified for their high security level. For these applications, having this level of security is a third-party requirement. For hardware wallets, no such requirement exists. At Ledger, we believe it is our responsibility to provide the highest level of security.
The Secure Elements used in Ledger devices have passed a Common Criteria security evaluation – an international standard for banking cards and state requirements – and have obtained an EAL5+ certificate.
What are the EAL certification levels?
There are seven different levels of EAL, which is the abbreviation for Evaluation Assurance Level.
As mentioned, the EAL level of the Secure Elements we use is 5+. In this framework, the threat model considers remote and physical access for the attacker. During the EAL evaluation process, there are several elements taken into consideration such as:
– Life cycle / supply chain
– Development procedure
– Functional test
– Penetration test
Reaching EAL 5+ ensures having the highest level of security against penetration tests. Going beyond EAL 5+ does not provide a higher assurance against attacks anymore.
There are many types of certifications. The EAL is an internationally recognized, most renowned certificate, but national and even local certificates may exist.
Why is certification important?
Anyone can claim to have a secure device, but it is difficult to trust this claim. Through certificates, an independent third party has assessed the claim.
At Ledger, we believe security is paramount, and while anyone can claim to have a secure product, it means much more coming from a trusted third party. This is an important milestone for Ledger in our effort to certify all our B2C and B2B products.
What does Ledger do regarding certification?
Today, both Ledger Nano X and Ledger Nano S are the only hardware wallets to be independently certified, according to the security requirements specified in the CSPN (First Level Security Certification) security certification scheme.
This certification serves as an external, third-party confirmation that Ledger’s security is industry-leading. This external and independent assessment further validates the company’s commitment to industry-leading security.Ledger constantly looks to enhance the security of its products, leveraging both external security researchers in its Bounty Program, as well as its industry-leading, in-house Attack Lab, the Ledger Donjon. Ledger has developed a robust custom Operating System, namely BOLOS and crypto-asset apps run on top of this secure hardware. It’s this combination of software and hardware that brings the highest level of security to each of the company’s products.