Ministero dello Sviluppo Economico
Direzione generale per le tecnologie delle comunicazioni ela sicurezza informatica
Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Schema nazionale per la valutazione e certificazione della sicurezza di sistemi e prodotti ICT
(DPCM del 30 ottobre 2003 - G.U. n. 93 del 27 aprile 2004)
Certificato n. 11/20
(Certification No.)
Prodotto: IDentity Applet v3.4/QSCD on NXP JCOP 4 P71
(Product)
Sviluppato da: ID&Trust Ltd.
(Developed by)
Il prodotto indicato in questo certificato è risultato conforme ai requisiti dello standard
ISO/IEC 15408 (Common Criteria) v. 3.1 per il livello di garanzia:
The product identified in this certificate complies with the requirements of the standard
ISO/IEC 15408 (Common Criteria) v. 3.1 for the assurance level:
EAL4+
(AVA_VAN.5)
Il Direttore
(Dott.ssa Eva Spina)
Roma, 28 ottobre 2020
Fino a EAL2 (Up to EAL2) Fino a EAL4 (Up to EAL4)
[ORIGINAL DIGITALLY SIGNED]
Page 2 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
This page is intentionally left blank
Page 3 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
Ministero dello Sviluppo Economico
Direzione generale per le tecnologie delle comunicazioni e la sicurezza informatica
Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Certification Report
IDentity Applet v3.4/QSCD
on NXP JCOP 4 P71
OCSI/CERT/SYS/07/2016/RC
Version 1.0
28 October 2020
Page 4 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
Courtesy translation
Disclaimer: this translation in English language is provided for informational purposes
only; it is not a substitute for the official document and has no legal value. The original
Italian language version of the document is the only approved and official version.
Page 5 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
1 Document revisions
Version Author Information Date
1.0 OCSI First issue 28/10/2020
Page 6 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
2 Table of contents
1 Document revisions........................................................................................................5
2 Table of contents............................................................................................................6
3 Acronyms........................................................................................................................8
4 References....................................................................................................................10
4.1 Criteria and regulations........................................................................................10
4.2 Technical documents ...........................................................................................11
5 Recognition of the certificate........................................................................................12
5.1 European Recognition of CC Certificates (SOGIS-MRA)...................................12
5.2 International Recognition of CC Certificates (CCRA) .........................................12
6 Statement of Certification.............................................................................................13
7 Summary of the evaluation ..........................................................................................15
7.1 Introduction...........................................................................................................15
7.2 Executive summary..............................................................................................15
7.3 Evaluated product ................................................................................................15
7.3.1 TOE Architecture.............................................................................................17
7.3.2 TOE security features......................................................................................18
7.4 Documentation .....................................................................................................20
7.5 Protection Profile conformance claims ................................................................20
7.6 Functional and assurance requirements .............................................................20
7.7 Evaluation conduct...............................................................................................20
7.8 General considerations about the certification validity........................................21
8 Evaluation outcome......................................................................................................22
8.1 Evaluation results.................................................................................................22
8.2 Additional assurance activities.............................................................................23
8.3 Recommendations ...............................................................................................24
9 Annex A – Guidelines for the secure usage of the product.........................................25
9.1 TOE Delivery ........................................................................................................25
9.2 Installation, initialization and secure usage of the TOE ......................................25
10 Annex B – Evaluated configuration..............................................................................27
11 Annex C – Test activity.................................................................................................28
Page 7 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
11.1 Test configuration.................................................................................................28
11.2 Functional tests performed by the Developer......................................................28
11.2.1 Testing approach.............................................................................................28
11.2.2 Test coverage..................................................................................................29
11.2.3 Test results ......................................................................................................29
11.3 Functional and independent tests performed by the Evaluators ........................29
11.4 Vulnerability analysis and penetration tests ........................................................29
Page 8 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
3 Acronyms
AES Advanced Encryption Standard
API Application Programming Interface
CC Common Criteria
CCRA Common Criteria Recognition Arrangement
CEM Common Evaluation Methodology
CGA Certificate Generation Application
CRS Certificate Request Signature
CSP Certification Service Provider
DES Data Encryption Standard
DPCM Decreto del Presidente del Consiglio dei Ministri
DTBS/R Data To Be Signed / Representation
EAL Evaluation Assurance Level
ECC Elliptic Curve Cryptography
ECDSA Elliptic Curve Digital Signature Algorithm
eIDAS electronic IDentification Authentication and Signature
eMRTD Electronic Machine Readable Travel Document
ETR Evaluation Technical Report
GP Global Platform
HW Hardware
ICAO International Civil Aviation Organization
IC Integrated Circuit
IT Information Technology
JCOP Java Card Open Platform
JCRE Java Card Runtime Environment
JCVM Java Card Virtual Machine
Page 9 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
LGP Linea Guida Provvisoria
LVS Laboratorio per la Valutazione della Sicurezza
MMU Memory Management Unit
NIS Nota Informativa dello Schema
OCSI Organismo di Certificazione della Sicurezza Informatica
OS Operating System
PIN Personal Identification Number
PKCC Public Key Crypto Coprocessor
PP Protection Profile
QSCD Qualified Signature Creation Device
QTSP Qualified Trust Service Provider
RAD Reference Authentication Data
RAM Random Access Memory
RSA Rivest, Shamir, Adleman
SAR Security Assurance Requirement
SCA Signature Creation Application
SCD Signature Creation Data
SFR Security Functional Requirement
SOGIS Senior Officials Group Information Systems Security
ST Security Target
SVD Signature Verification Data
SW Software
TOE Target of Evaluation
TSF TOE Security Functionality
TSFI TSF Interface
Page 10 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
4 References
4.1 Criteria and regulations
[CC1] CCMB-2017-04-001, “Common Criteria for Information Technology Security
Evaluation, Part 1 – Introduction and general model”, Version 3.1, Revision 5,
April 2017
[CC2] CCMB-2017-04-002, “Common Criteria for Information Technology Security
Evaluation, Part 2 – Security functional components”, Version 3.1, Revision
5, April 2017
[CC3] CCMB-2017-04-003, “Common Criteria for Information Technology Security
Evaluation, Part 3 – Security assurance components”, Version 3.1, Revision
5, April 2017
[CCRA] “Arrangement on the Recognition of Common Criteria Certificates In the field
of Information Technology Security”, July 2014
[CEM] CCMB-2017-04-004, “Common Methodology for Information Technology
Security Evaluation – Evaluation methodology”, Version 3.1, Revision 5, April
2017
[eIDAS] Regulation (EU) No. 910/2014 of the European Parliament and of the Council
of 23 July 2014 on electronic identification and trust services for electronic
transactions in the internal market and repealing Directive 1999/93/EC,
Official Journal of the European Union L 257, 28 August 2014
[LGP1] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione - Descrizione
Generale dello Schema Nazionale - Linee Guida Provvisorie - parte 1 –
LGP1 versione 1.0, Dicembre 2004
[LGP2] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione -
Accreditamento degli LVS e abilitazione degli Assistenti - Linee Guida
Provvisorie - parte 2 – LGP2 versione 1.0, Dicembre 2004
[LGP3] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione - Procedure di
valutazione - Linee Guida Provvisorie - parte 3 – LGP3, versione 1.0,
Dicembre 2004
[NIS1] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 1/13 – Modifiche alla LGP1, versione 1.0, Novembre 2013
[NIS2] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 2/13 – Modifiche alla LGP2, versione 1.0, Novembre 2013
Page 11 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
[NIS3] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 3/13 – Modifiche alla LGP3, versione 1.0, Novembre 2013
[SOGIS] “Mutual Recognition Agreement of Information Technology Security
Evaluation Certificates”, Version 3, January 2010
4.2 Technical documents
[ADM] ID&Trust Identity Applet Suite Administrator’s Guide, Version 3.4.1, 31 July
2020
[BSI-TR] BSI Technical Guideline TR-03105 Part 3.4: Test plan for eID-Cards with
eSign-application acc. to BSI TR-03117, Version 1.0, 01 April 2010
[DEL] ID&Trust Documents, Common Criteria Evaluation, IDentity Applet V3.4
Delivery Documentation, V0.02, 10 February 2020
[ETR] “ID&Trust IDentity Applet v3.4 /QSCD” Evaluation Technical Report, v4,
CCLab Software Laboratory, 14 October 2020
[ETR-COMP] Evaluation Technical Report for Composition NXP JCOP 4 P71 - EAL6+,
19-RPT-177, Version 7.0, 19 March 2020
[ICAO-TR] International Civil Aviation Organization (ICAO) Technical Report, Radio
Frequency Protocol and Application Test Standard for eMRTD Part 3 –
Tests for Application Protocol and Logical Data Structure, Version 2.10, 7
July 2016
[JIL-COMP] Joint Interpretation Library, Composite product evaluation for Smart Cards
and similar devices, Version 1.5.1, May 2018
[NXP-CR1] Certification Report “NXP JCOP 4 P71”, NSCIB-CC-180212-CR2, TÜV
Rheinland Nederland B.V., 20 March 2020
[NXP-CR2] Certification Report “NXP Secure Smart Card Controller N7121 with IC
Dedicated Software and Crypto Library”, BSI-DSZ-CC-1040-2019-MA-01,
BSI - Bundesamt für Sicherheit in der Informationstechnik, 4 March 2020
[PPQSCD1] EN 419211-2:2013, Protection profiles for secure signature creation device
- Part 2: Device with key generation
[PPQSCD2] EN 419211-4:2013, Protection profiles for Secure signature creation device
- Part 4: Device with key generation and trusted communication with
certificate generation application
[ST] “Security Target IDentity Applet v3.4/QSCD - Qualified electronic signature
compliant with IAS ECCv2 and eIDAS”, Version 1.02, ID&Trust Ltd., 13
October 2020
[USR] ID&Trust Identity Applet Suite User’s Guide, Version 3.4.1, 4 August 2020
Page 12 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
5 Recognition of the certificate
5.1 European Recognition of CC Certificates (SOGIS-MRA)
The European SOGIS-Mutual Recognition Agreement (SOGIS-MRA, version 3 [SOGIS])
became effective in April 2010 and provides mutual recognition of certificates based on the
Common Criteria (CC) Evaluation Assurance Level up to and including EAL4 for all IT-
Products. A higher recognition level for evaluations beyond EAL4 is provided for IT-
Products related to specific Technical Domains only.
The current list of signatory nations and of technical domains for which the higher
recognition applies and other details can be found on https://www.sogis.eu/.
The SOGIS-MRA logo printed on the certificate indicates that it is recognized under the
terms of this agreement by signatory nations.
This certificate is recognized under SOGIS-MRA up to EAL4.
5.2 International Recognition of CC Certificates (CCRA)
The current version of the international arrangement on the mutual recognition of
certificates based on the CC (Common Criteria Recognition Arrangement, [CCRA] has
been ratified on 08 September 2014. It covers CC certificates compliant with collaborative
Protection Profiles (cPP), up to and including EAL4, or certificates based on assurance
components up to and including EAL2, with the possible augmentation of Flaw
Remediation family (ALC_FLR).
The current list of signatory nations and of collaborative Protection Profiles (cPP) and
other details can be found on https://www.commoncriteriaportal.org/.
The CCRA logo printed on the certificate indicates that it is recognised under the terms of
this agreement by signatory nations.
This certificate is recognised under CCRA up to EAL2.
Page 13 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
6 Statement of Certification
The Target of Evaluation (TOE) is the product “IDentity Applet v3.4/QSCD on NXP JCOP
4 P71”, short name “IDentity Applet v3.4/QSCD”, developed by ID&Trust Ltd.
The TOE is a Qualified Signature Creation Device (QSCD) representing a contact or
contactless smart card which is able to generate Signature Creation Data (SCD) and
create qualified electronic signatures. The TOE protects the SCD and ensures that only an
authorized signatory can use it.
The TOE is a composite product and comprises:
• The underlying Platform of the TOE: “NXP JCOP 4 P71”, developed by NXP
Semiconductors Germany GmbH;
• the Application Part of the TOE: “IDentity Applet v3.4/QSCD”;
• the associated guidance documentation.
Therefore, the evaluation has been conducted using the results of the Platform CC
evaluation [NXP-CR1], and following the recommendations contained in the mandatory
supporting document “Composite product evaluation for Smart Cards and similar devices”
[JIL-COMP], as required by the international agreements CCRA and SOGIS.
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guidelines [LGP1,
LGP2, LGP3] and Scheme Information Notes [NIS1, NIS2, NIS3]. The Scheme is operated
by the Italian Certification Body “Organismo di Certificazione della Sicurezza Informatica
(OCSI)”, established by the Prime Minister Decree (DPCM) of 30 October 2003 (O.J. n.98
of 27 April 2004).
The evaluation actually started in 2016 on a TOE named “IDentity Applet v3.3/SSCD on
NXP JCOP 3 SECID P60 OSB Smart Card”, based on the JCOP 3 platform. During the
evaluation, the Sponsor decided to update the TOE to use the JCOP 4 platform. The new
TOE “IDentity Applet v3.4/QSCD” has exactly the same functionality of v3.3 but on the
updated platform. Therefore, the LVS CCLab Software Laboratory used the results of the
v3.3 ongoing evaluation as a base.
The objective of the evaluation is to provide assurance that the product complies with the
security requirements specified in the associated Security Target [ST]; the potential
consumers of the product should review also the Security Target, in addition to the present
Certification Report, in order to gain a complete understanding of the security problem
addressed. The evaluation activities have been carried out in accordance with the
Common Criteria Part 3 [CC3] and the Common Evaluation Methodology [CEM].
The TOE resulted compliant with the requirements of Part 3 of the CC v 3.1 for the
assurance level EAL4, augmented with AVA_VAN.5, according to the information provided
Page 14 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
in the Security Target [ST] and in the configuration shown in Annex B – Evaluated
configuration of this Certification Report.
The publication of the Certification Report is the confirmation that the evaluation process
has been conducted in accordance with the requirements of the evaluation criteria
Common Criteria - ISO/IEC 15408 ([CC1], [CC2], [CC3]) and the procedures indicated by
the Common Criteria Recognition Arrangement [CCRA] and that no exploitable
vulnerability was found. However, the Certification Body with such a document does not
express any kind of support or promotion of the TOE.
Page 15 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
7 Summary of the evaluation
7.1 Introduction
This Certification Report states the outcome of the Common Criteria evaluation of the
product “IDentity Applet v3.4/QSCD” to provide assurance to the potential consumers that
TOE security features comply with its security requirements.
In addition to the present Certification Report, the potential consumers of the product
should review also the Security Target [ST], specifying the functional and assurance
requirements and the intended operational environment.
7.2 Executive summary
TOE name IDentity Applet v3.4/QSCD on NXP JCOP 4 P71
Security Target “Security Target IDentity Applet v3.4/QSCD - Qualified
electronic signature compliant with IAS ECCv2 and
eIDAS”, Version 1.02 [ST]
Evaluation Assurance Level EAL4 augmented with AVA_VAN.5
Developer ID&Trust Ltd.
Sponsor NXP Semiconductors Netherlands B.V.
LVS CCLab Software Laboratory
CC version 3.1 Rev. 5
PP conformance claim EN 419 211-2:2013 [PPQSCD1]
EN 419 211-4:2013 [PPQSCD2]
Evaluation starting date 6 September 2016
Evaluation ending date 14 October 2020
The certification results apply only to the version of the product shown in this Certification
Report and only if the operational environment assumptions described in the Security
Target [ST] are fulfilled.
7.3 Evaluated product
This section summarizes the main functional and security requirements of the TOE. For a
detailed description, please refer to the Security Target [ST].
The TOE “IDentity Applet v3.4/QSCD” is a combination of a smart card and an applet
programmed for implementing a Qualified Signature Creation Device (QSCD) compliant
with Regulation (EU) No. 910/2014 [eIDAS].
Page 16 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
The TOE supports the generation of Signature Creation Data (SCD) and the creation of
qualified electronic signatures. Additionally, the TOE supports its authentication as QSCD
by the Certificate Generation Application (CGA) of the Certification Service Provider (CSP)
and a trusted communication with the CGA for protection of Signature Verification Data
(SVD) generated and exported by the TOE and imported by CGA.
The TOE stores SCD and Reference Authentication Data (RAD). The TOE may store
multiple instances of SCD. In this case the TOE provides a function to identify each SCD
and the Signature Creation Application (SCA) can provide an interface to the signer to
select an SCD for use in the signature creation function of the QSCD.
The TOE protects the confidentiality and integrity of the SCD and restricts its use in
signature creation to its signatory. The TOE comprises all IT security functionality
necessary to ensure the secrecy of the SCD and the security of the electronic signature.
The digital signature created by the TOE may be used to create a qualified electronic
signature as defined in [eIDAS].
The TOE supports Certificate Request Signature (CRS) to provide evidence about the
validity of the SVD for the CGA. The CRS also proves that the SVD belongs to the TOE.
The CRS key pair is generated separately from the SCD/SVD key pair on the TOE, but in
case of the generation of the SCD/SVD key pair, the TOE signs the SVD with the private
CRS key. So, the CGA is able to verify the validity of the SVD by checking the CRS.
The TOE may implement additional functions and security requirements, e.g., for editing
and displaying the DTBS/R, but these additional functions and security requirements are
outside of the security policy defined by the Security Target [ST], and are not covered by
the evaluated configuration of the TOE.
The TOE is a composite product and comprises:
• The underlying Platform of the TOE: “NXP JCOP 4 P71”, developed by NXP
Semiconductors Germany GmbH, certified at EAL6 augmented with ASE_TSS.2
and ALC_FLR.1 [NXP-CR1]; it consists of:
a) Micro Controller (a secure smart card controller from NXP from the
SmartMX3 family);
b) IC Dedicated Software (Micro Controller Firmware and Crypto Library);
c) IC Embedded Software JCOP 4 (Java Card Virtual Machine, Runtime
Environment, Java Card API);
d) Global Platform (GP) Framework;
• the Application Part of the TOE: “IDentity Applet v3.4/QSCD”;
• the associated guidance documentation.
The intended customer of the product is the QSCD provisioning service, who prepares the
TOE as QSCD for its users, personalizes the TOE with the identity of the legitimate user
as Signatory and delivers it to the Signatory itself.
Page 17 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
After preparation, the SCD shall be in a non-operational state. Upon receiving a TOE, the
Signatory shall verify its non-operational state and change the SCD state to operational.
7.3.1 TOE Architecture
Figure 1 shows the logical scope of the TOE and TOE boundaries.
Figure 1 - TOE logical scope and boundaries
The TOE is a composite TOE and the dashed line denotes the whole TOE. The underlying
certified hardware platform and JCOP 4 OS are marked with purple and green. The blue
box marks the application layer. The ID&Trust IDentity Applet Suite v3.4 could be loaded
in the Flash. During the creation phase an instance is created in the Flash and after
several configuration steps it will be personalized as IDentity Applet v3.4/QSCD.
For a detailed description of the TOE, consult the Security Target [ST], and in particular:
• the physical and logical parts of the TOE are described in sect. 1.4.2 of [ST];
• the TOE life cycle is described in sect. 1.4.5 of [ST] in terms of the Development,
Preparation and Operational Use stages;
• the TOE security features are summarized in sect. 1.4.6 of [ST].
Page 18 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
7.3.2 TOE security features
7.3.2.1 Platform compatibility
Some aspects related to security features of the TOE, including security objectives,
assumptions, threats and organizational security policies, defined in the Security Target,
are covered directly by the Platform. For details see sect. 2.4 of the Security Target [ST].
7.3.2.2 QSCD functionality
The TOE as a qualified signature creation device (QSCD) has the following distinct
operational environments:
• The preparation environment, where it interacts with a certification service provider
through a Certificate Generation Application (CGA) to obtain a certificate for the
Signature Verification Data (SVD) corresponding to the Signature Creation Data
(SCD) the TOE has generated. The TOE can export the SVD through a trusted
channel allowing the CGA to check the authenticity of the SVD. The initialization
environment interacts further with the TOE to personalize it with the initial value of
the Reference Authentication Data (RAD).
• The signing environment, where it interacts with a signer through a Signature
Creation Application (SCA) to sign data after authenticating the signer as its
signatory. The SCA provides the unique representation of data to be signed
(DTBS/R) as input to the TOE signature-creation function and obtains the resulting
digital signature.
• The management environment, where it interacts with the user or a QTSP to
perform management operations, e.g., for the signatory to reset a blocked RAD. A
single device, e.g., a smart card terminal, may provide the required secure
environment for management and signing.
The TOE is a combination of hardware and software configured to securely create, use
and manage Signature Creation Data (SCD). The QSCD protects the SCD during its
whole life cycle as to be used in a signature-creation process solely by its signatory. It
comprises all IT security functionality necessary to ensure the secrecy of the SCD and the
security of the electronic signature, providing the following functions:
• generate an SCD/SVD pair in accordance with specified cryptographic key
generation algorithms:
o RSA with cryptographic key sizes 1024-4096 bits;
o ECC with cryptographic key sizes 160-521 bits.
• export the SVD for certification through a trusted channel to the CGA;
• prove the identity as QSCD to external entities;
• optionally, receive and store certificate info;
• switch the TOE from a non-operational state to an operational state, and
Page 19 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
• if in an operational state, create digital signatures for data in accordance with the
following cryptographic algorithms:
o RSA according to RSASSA-PKCS1-v1_5 or RSASSA-PSS with key sizes
2048-4096 bits;
o ECDSA with key sizes 160-521 bits.
Using the following steps:
o select an SCD if multiple SCDs are present in the QSCD;
o authenticate the signatory and determine its intent to sign;
o receive the DTBS/R;
o apply an appropriate cryptographic signature-creation function using the
selected SCD to the DTBS/R.
7.3.2.3 Security functions
The TOE security functions are described in detail in sect. 7.1 of the Security Target [ST].
The most significant aspects are summarized below:
• AccessControl: This function provides the access controls to data in the file
system, initialization, personalization and pre-personalization data. During earlier
life phases, when the applet may not be present yet, the Platform is responsible for
managing the accesses correctly. The TOE provides access control mechanisms
that allow the maintenance of different security roles (Signatory and Administrator)
and the access control policies and functions.
• Authenticate: This function manages the identification and authentication of the
Signatory and Administrator and enforces role separation. After activation or reset
of the TOE no user is authenticated. TSF-mediated actions on behalf of a user
require the user’s prior successful identification and authentication.
• SecureManagement: all security attributes are modified in a secure way so that no
unauthorised modifications are possible. This function is responsible for the secure
management of the security attributes, data and functions.
• TrustedChannel: this function is responsible for the command and response
exchanges between the TOE and the external entities (e.g., CGA) and maintains
data confidentiality, integrity and authenticity.
• CryptoKey: this function is responsible for providing cryptographic support to the
TSF, including secure key generation (SCD/SVD key pair) and digital signature
creation. It also provides a secure key destruction method.
• AppletParametersSign: certain configuration and control parameters are signed,
and this signature is verified before closing the Initialization phase. Only the
unsigned parameters can be changed by the Initializer. This way only those
Application Profiles can be applied which are validated by the Developer and
conform to the requirements. The Initialization state cannot be finished by reaching
the INITIALIZED state, and the personalization phase cannot be started without
successful signature verification. These signatures can be verified during the whole
Page 20 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
IDentity Applet life-cycle, thus the non-authorized changed become detectable by
applying this security functionality.
• Platform: covers the security functionalities based on the security functionalities of
the certified cryptographic library and the certified IC Platform.
7.4 Documentation
The guidance documentation specified in Annex A – Guidelines for the secure usage of
the product is delivered to the customer together with the product.
The guidance documentation contains all the information for secure initialization,
configuration and secure usage the TOE in accordance with the requirements of the
Security Target [ST].
Customers should also follow the recommendations for the secure usage of the TOE
contained in sect. 8.3 of this report.
7.5 Protection Profile conformance claims
The Security Target [ST] claims strict conformance to the following Protection Profiles:
• EN 419211-2:2013, Protection profiles for secure signature creation device - Part 2:
Device with key generation [PPQSCD1]
• EN 419211-4:2013, Protection profiles for Secure signature creation device - Part 4:
Device with key generation and trusted communication with certificate generation
application [PPQSCD2]
7.6 Functional and assurance requirements
All Security Assurance Requirements (SAR) have been selected from CC Part 3 [CC3].
All the SFRs have been selected or derived by extension from CC Part 2 [CC2].
Considering that the Security Target claims strict conformance to the Protection Profiles
EN 419211-2:2013 [PPQSCD1] and EN 419211-4:2013 [PPQSCD2], the ST also includes
the following extended functional requirements from these PPs:
• FIA_API.1 from the family FIA_API: Authentication Proof of Identity
• FPT_EMS.1 from the family FPT_EMS: TOE Emanation
Please refer to the Security Target [ST] for the complete description of all security
objectives, the threats that these objectives should address, the Security Functional
Requirements (SFR) and the security functions that realize the same objectives.
7.7 Evaluation conduct
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guideline [LGP3] and
Page 21 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
the Scheme Information Note [NIS3] and in accordance with the requirements of the
Common Criteria Recognition Arrangement [CCRA].
Since the TOE is a composite product, the evaluation has been conducted following the
recommendations contained in the document “Composite product evaluation for Smart
Cards and similar devices” [JIL-COMP], as required by the international agreements
CCRA and SOGIS. In this regard, it should be noted that the penetration tests have been
completed on August 2020, within 18 months from the Platform vulnerability analysis (31
May 2019, the date of the oldest ETR for Composition indicated in the Platform
certifications [NXP-CR1] and [NXP-CR2]).
The purpose of the evaluation is to provide assurance on the effectiveness of the TOE to
meet the requirements stated in the relevant Security Target [ST]. Initially the Security
Target has been evaluated to ensure that constitutes a solid basis for an evaluation in
accordance with the requirements expressed by the standard CC. Then, the TOE has
been evaluated on the basis of the statements contained in such a Security Target. Both
phases of the evaluation have been conducted in accordance with the CC Part 3 [CC3]
and the Common Evaluation Methodology [CEM].
The Certification Body OCSI has supervised the conduct of the evaluation performed by
the evaluation facility (LVS) CCLab Software Laboratory.
The evaluation was completed on 14 October 2020 with the issuance by LVS of the
Evaluation Technical Report [ETR], which was approved by the Certification Body on 16
October 2020. Then, the Certification Body issued this Certification Report.
7.8 General considerations about the certification validity
The evaluation focused on the security features declared in the Security Target [ST], with
reference to the operational environment specified therein. The evaluation has been
performed on the TOE configured as described in Annex B – Evaluated configuration.
Potential customers are advised to check that this corresponds to their own requirements
and to pay attention to the recommendations contained in this Certification Report.
The certification is not a guarantee that no vulnerabilities exist; it remains a probability (the
smaller, the higher the assurance level) that exploitable vulnerabilities can be discovered
after the issuance of the certificate. This Certification Report reflects the conclusions of the
certification at the time of issuance. Potential customers are invited to check regularly the
arising of any new vulnerability after the issuance of this Certification Report, and if the
vulnerability can be exploited in the operational environment of the TOE, check with the
Developer if security updates have been developed and if those updates have been
evaluated and certified.
Page 22 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
8 Evaluation outcome
8.1 Evaluation results
Following the analysis of the Evaluation Technical Report [ETR] issued by the LVS CCLab
Software Laboratory and documents required for the certification, and considering the
evaluation activities carried out, the Certification Body OCSI concluded that TOE “IDentity
Applet v3.4/QSCD” meets the requirements of Part 3 of the Common Criteria [CC3]
provided for the evaluation assurance level EAL4, augmented with AVA_VAN.5, with
respect to the security features described in the Security Target [ST] and the evaluated
configuration, shown in Annex B – Evaluated configuration.
Table 1 summarizes the final verdict of each activity carried out by the LVS in accordance
with the assurance requirements established in [CC3] for the evaluation assurance level
EAL4, augmented with AVA_VAN.5.
Assurance classes and components Verdict
Security Target evaluation Class ASE Pass
Conformance claims ASE_CCL.1 Pass
Extended components definition ASE_ECD.1 Pass
ST introduction ASE_INT.1 Pass
Security objectives ASE_OBJ.2 Pass
Derived security requirements ASE_REQ.2 Pass
Security problem definition ASE_SPD.1 Pass
TOE summary specification ASE_TSS.1 Pass
Development Class ADV Pass
Security architecture description ADV_ARC.1 Pass
Complete functional specification ADV_FSP.4 Pass
Implementation representation of the TSF ADV_IMP.1 Pass
Basic modular design ADV_TDS.3 Pass
Guidance documents Class AGD Pass
Operational user guidance AGD_OPE.1 Pass
Preparative procedures AGD_PRE.1 Pass
Life cycle support Class ALC Pass
Production support, acceptance procedures and
automation
ALC_CMC.4 Pass
Problem tracking CM coverage ALC_CMS.4 Pass
Delivery procedures ALC_DEL.1 Pass
Page 23 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
Assurance classes and components Verdict
Identification of security measures ALC_DVS.1 Pass
Developer defined life-cycle model ALC_LCD.1 Pass
Well-defined development tools ALC_TAT.1 Pass
Test Class ATE Pass
Analysis of coverage ATE_COV.2 Pass
Testing: basic design ATE_DPT.1 Pass
Functional testing ATE_FUN.1 Pass
Independent testing - sample ATE_IND.2 Pass
Vulnerability assessment Class AVA Pass
Advanced methodical vulnerability analysis AVA_VAN.5 Pass
Table 1 - Final verdicts for assurance requirements
8.2 Additional assurance activities
The mandatory supporting document “Composite product evaluation for Smart Cards and
similar devices” [JIL-COMP] includes additional assurance requirements that are specific
to the composite TOE type.
The document defines refinements to existing assurance requirements for a composite
product evaluation. The objective of these sub-activities is to precisely define the Evaluator
tasks for the different parts of the composite TOE evaluation.
Table 2 summarizes the final verdict of the composition-specific assurance activities
required by [JIL-COMP] carried out by the LVS.
Composition-specific assurance activities Verdict
ASE_COMP: Consistency of composite product
Security Target
ASE_COMP.1 Pass
ALC_COMP: Integration of composition parts and
consistency check of delivery procedures
ALC_COMP.1 Pass
ADV_COMP: Composite design compliance ADV_COMP.1 Pass
ATE_COMP: Composite functional testing ATE_COMP.1 Pass
AVA_COMP: Composite vulnerability assessment AVA_COMP.1 Pass
Table 2 - Final verdicts for composition-specific assurance activities
Page 24 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
8.3 Recommendations
The conclusions of the Certification Body (OCSI) are summarized in sect. 6 (Statement of
Certification).
Potential customers of the product “IDentity Applet v3.4/QSCD” are suggested to properly
understand the specific purpose of certification reading this Certification Report together
with the Security Target [ST].
The TOE must be used according to the Security Objectives for the operational
environment specified in sect. 4.2 of the Security Target [ST]. It is assumed that, in the
operational environment of the TOE, all the Organizational Security Policies and the
Assumptions described, respectively, in sect. 3.3 and 3.4 of the Security Target [ST] are
respected, particularly those compatible with the Platform (see [ST] sect. 2.4).
This Certification Report is valid for the TOE in its evaluated configuration; in particular,
Annex A – Guidelines for the secure usage of the product includes a number of
recommendations relating to delivery, initialization, configuration and secure usage of the
product, according to the guidance documentation provided together with the TOE ([ADM],
[USR]).
Page 25 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
9 Annex A – Guidelines for the secure usage of the product
This annex provides considerations particularly relevant to the potential customers of the
product.
9.1 TOE Delivery
Since the TOE is a composite product, the delivery procedures entail interactions between
the application Developer (ID&Trust Ltd.) and the Platform manufacturer (NXP).
The delivery procedures between ID&Trust and NXP is the following:
1. The Developer (ID&Trust) develops a new version of the IDentity Applet v3.4.
2. After the new version is tested by ID&Trust a new release is issued and stored in
configuration management system of ID&Trust.
3. The new version of the IDentity Applet v3.4 is sent to NXP.
4. NXP loads the applet into the Platform’s chip.
The underlying Platform itself provides several security functions to protect IDentity Applet
v3.4 during the transportation between several possible entities.
NXP offers two ways of delivery of the product:
1. The customer collects the product at the NXP site (“Collection”).
2. The product is sent by NXP to the customer (“Shipment”). To guarantee that the
product is not manipulated during the delivery, the product is delivered in parcels
sealed with special tape. The tape is printed with consecutive numbers and has
special adhesive features which make any manipulation visible. NXP encloses a
form in the parcel which the customer is asked to return. By this NXP is informed
that the customer has received the undamaged parcel.
Both methods guarantee that the customer gets authentic products. Additionally, the
customer can use a special Transport Key to authenticate the chip.
More details on such procedures are contained in ID&Trust’s IDentity Applet V3.4 Delivery
Documentation [DEL].
9.2 Installation, initialization and secure usage of the TOE
TOE installation, configuration and operation should be done following the instructions in
the appropriate sections of the guidance documentation provided with the product to the
customer.
In particular, the following documents contain detailed information for the secure
initialization of the TOE, the preparation of its operational environment and the secure
Page 26 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
operation of the TOE in accordance with the security objectives specified in the Security
Target [ST]:
• ID&Trust Identity Applet Suite User’s Guide [ADM];
• ID&Trust Identity Applet Suite Administrator’s Guide [USR].
Page 27 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
10 Annex B – Evaluated configuration
The Target of Evaluation (TOE) is the product “IDentity Applet v3.4/QSCD on NXP JCOP
4 P71”, short name “IDentity Applet v3.4/QSCD”, developed by ID&Trust Ltd.
The TOE is a composite product and comprises the following HW/SW components,
representing the evaluated configuration of the TOE, as reported in [ST], to which the
evaluation results apply:
• The Platform “NXP JCOP 4 P71”, developed by NXP Semiconductors Germany
GmbH, certified at EAL6 augmented with ASE_TSS.2 and ALC_FLR.1 [NXP-CR1];
it consists of:
a) Micro Controller (a secure smart card controller from NXP from the
SmartMX3 family);
b) IC Dedicated Software (Micro Controller Firmware and Crypto Library);
c) IC Embedded Software JCOP 4 (Java Card Virtual Machine, Runtime
Environment, Java Card API);
d) Global Platform (GP) Framework;
• the Application Part of the TOE: “IDentity Applet v3.4/QSCD” configured as an
eMRTD application;
• the associated guidance documentation:
o ID&Trust Identity Applet Suite User’s Guide [ADM];
o ID&Trust Identity Applet Suite Administrator’s Guide [USR].
The Platform Micro Controller Firmware and IC Dedicated Software are covered by the
following certification: “NXP Secure Smart Card Controller N7121 with IC Dedicated
Software and Crypto Library” [NXP-CR2].
For more details, please refer to sect. 1.4 of the Security Target [ST].
Page 28 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
11 Annex C – Test activity
This annex describes the task of both the Evaluators and the Developer in testing
activities. For the assurance level EAL4, augmented with AVA_VAN.5, such activities
include the following three steps:
• evaluation of the tests performed by the Developer in terms of coverage and level of
detail;
• execution of independent functional tests by the Evaluators;
• execution of penetration tests by the Evaluators.
11.1 Test configuration
For the execution of these activities a test environment was set up at the LVS site. The
Developer provided all the resources needed for testing except the test tool and the card
reader.
In particular, the Evaluators test configuration consisted of:
• the sample card identified as IDentity Applet v3.4.7470/QSCD;
• the test card reader HID Omnikey 5x21 CL0;
• the test tool OpenSCDP with Eclipse 2018-12.
Before the tests, the software application has been initialized and configured in
accordance with the guidance documentation [ADM] and [USR], as indicated in sect. 9.2.
The Developer provided a personalization script for the installation of the TOE. The
Evaluators were able to install the TOE to the underlying Platform correctly. The
Evaluators successfully selected the QSCD applet which is a proof that the card was
installed properly and in a known state.
11.2 Functional tests performed by the Developer
11.2.1 Testing approach
The test plan presented by the Developer was largely based on the following industry
standard technical documents:
• ICAO Technical Report, Radio Frequency Protocol and Application Test Standard
for eMRTD Part 3 - Tests for Application Protocol and Logical Data Structure,
Version 2.10 [ICAO-TR];
• BSI Technical Guideline TR-03105 Part 3.4: Test plan for eID-Cards with eSign-
application acc. to BSI TR-03117, Version 1.0, 01 April 2010 [BSI-TR].
Page 29 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
In addition, the Developer designed independently additional proprietary tests in order to
demonstrate the complete coverage of the functional requirements (SFRs) and of the
security functions.
11.2.2 Test coverage
The Evaluators have examined the test plan presented by the Developer and verified the
complete coverage of the functional requirements (SFRs) and the TSFIs described in the
functional specification.
11.2.3 Test results
The Evaluators executed a sample of tests from the developer test plan to analyze the
repeatability and reproducibility of the industry standard and proprietary tests. The
Evaluators compared the actual results of these tests with the expected results defined in
the test specification and found that all tests produced the same actual results as the
expected results.
11.3 Functional and independent tests performed by the Evaluators
Therefore, the Evaluators have designed independent testing to verify the correctness of
the TSFI.
The TSF includes a large number of interfaces, making it impractical to rigorously test all
of them. So, the Evaluators decided to focus on testing the immutability of essential data
on the TOE, using a sampling strategy to test the following interfaces:
• PUT DATA
• Comprehensive testing for all possible undocumented TSFIs
The Evaluators verified the actual test results and found that they were consistent with the
expected test results.
Moreover, considering that the TOE is a composite product, the Evaluators verified the
behavior of the TOE as a whole, carrying out the additional activities specified in the
ATE_COMP family, according to the document [JIL-COMP], also taking into
considerations the obligations and recommendations for the Applet evaluator in the
Platform’s ETR for Composition [ETR-COMP].
11.4 Vulnerability analysis and penetration tests
For the execution of these activities, the Evaluators worked on the same TOE sample
already used for the functional test activities, verifying that the test configuration was
consistent with the version of the TOE under evaluation.
Since the TOE is a composite product, the Evaluators carried out the additional activities
specified in the AVA_COMP family, according to the document [JIL-COMP], and examined
the results of the vulnerability assessment in the Platform’s ETR for Composition [ETR-
COMP] to determine that they can be reused for the composite evaluation of the Applet.
Page 30 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
The Evaluators used two approaches: a sampling strategy was employed to test the
functionality of a subset of the TSFIs instead of testing all of the interfaces, and a brute
force attack was implemented and executed to discover any undocumented APIs. The
Evaluators verified the behaviour of IDentity Applet v3.4/QSCD as a whole, considering
that it is a composite product.
The early phase of the vulnerability assessment was the information gathering about the
TOE. As the initial step, multiple public searches were conducted with different keyword
combinations (e.g., “Qualified Signature Creation Device vulnerabilities”, “tampering with
electronic signature devices”, “QSCD”) to identify the publicly available bugs and
vulnerabilities for the TOE. For this phase public vulnerability databases and research
papers were reviewed as well. Publicly known vulnerabilities are either outdated or only
relevant for the underlying platform, which is not in the scope of the evaluation. The
conclusion of this first phase was that the smart card technology is well documented and a
potential attacker can get deep understanding of how an electronic signature device works
based on industry standards and publicly available information on smart cards. The
documentation of the TOE is not publicly available (i.e., not on the manufacturer’s
website). This is a relevant information for the attack potential calculations. According to
the publicly available information, no relevant public vulnerability was found for the TOE.
As a second step, the manufacturer documentation was reviewed to achieve familiarity
with the TOE, its electronic signature functionalities, and to identify the possible attack
surfaces. As mentioned before, there is no publicly available documentation on the
manufacturer’s website. The Evaluators reviewed the functionalities of the TOE based on
the documentation and by using tools provided by the manufacturer of the underlying
platform to interact with the interfaces of the TOE. During this step the Evaluators
identified possible attack vectors related to possible undocumented interfaces. Due to the
product type of the TOE and the strict standardization in the industry of smart cards, the
Evaluators focused on potential vulnerabilities and testing related to the implementation of
the electronic signature functionality. The Evaluators gained insight based on the
information gathering that authentication related potential vulnerabilities should be
investigated.
With all the gathered intelligence about the TOE and the potential vulnerabilities, the
Evaluators created an attack plan with different attack scenarios to meet the requirements
of AVA_VAN.5. For the attack scenarios, exact attack potentials were calculated,
considering that publicly available information about smart cards are very detailed, rich,
and relatively easy to learn.
With the defined attack scenarios, the Evaluators conducted penetration tests against the
TOE to identify any existing vulnerabilities.
The Evaluators defined the following attack scenarios:
• The attacker attempts to unblock a previously blocked PIN of the eSIGN application
bypassing the required authentication for such operation.
• The attacker attempts to modify sensitive data that belongs to the eSIGN
application and is required for safe and correct functionality.
• The attacker discovers undocumented interfaces, which can be used as attack
surface for further escalation.
Page 31 of 31 OCSI/CERT/SYS/07/2016/RC Ver. 1.0
Then the Evaluators tried to penetrate the protection of the TOE with the tests designed
according to the above attack scenarios.
The results of the tests were documented with enough details for their repeatability, and
the results were also gathered in a table for the sake of clarity.
The executed penetration tests could not identify existing vulnerabilities in the TOE
exploitable with a High attack potential.
During the site visits the Evaluators performed source code analysis with an enhanced
focus on the implementation of authentication functionalities and the applied
countermeasures against side channel and fault injection attacks.
Based on the available information, the Evaluators did not identify residual vulnerabilities,
i.e., vulnerabilities that could be exploited only by an attacker with attack potential beyond
High.