General Business Use
Security Target Lite
On the AT90SC Family of Devices
Atmel Toolbox 00.03.01.07
Important notice to readers…
Atmel makes no warranty for the use of its products, other than those expressly contained in the Company’s standard warranty which
is detailed in Atmel’s Terms and Conditions located on the Company’s web site. The Company assumes no responsibility for any errors
which may appear in this document, reserves the right to change devices or specifications detailed herein at any time without notice,
and does not make any commitment to update the information contained herein. No licenses to patents or other intellectual property
of Atmel are granted by the Company in connection with the sale of Atmel products, expressly or by implication. Atmel’s products are
not authorized for use as critical components in life support devices or systems.
The security of any system in which the product is used will depend on the system’s security as a whole. Where security or
cryptography features are mentioned in this document this refers to features which are intended to increase the security of the product
under normal use and in normal circumstances.
All products are sold subject to Atmel’s Terms & Conditions of Supply and the provisions of any agreements made between Atmel and
the Customer. In ordering a product covered by this document the Customer agrees to be bound by those Terms & Conditions and
agreements and nothing contained in this document constitutes or forms part of a contract (with the exception of the contents of this
Notice). A copy of Atmel’s Terms & Conditions of Supply is available on request.
 Atmel Corporation 2007
(05 Oct 07) General Business Use 3 of 56
TPG0159A
Contents
Section 1 Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite .... 9
1.1 Identification................................................................................................. 9
1.2 Overview...................................................................................................... 9
1.3 Common Criteria Conformance Claim....................................................... 12
1.4 Document Objective .................................................................................. 12
1.5 Document Structure................................................................................... 12
1.6 Scope and Terminology............................................................................. 13
1.7 References ................................................................................................ 13
1.8 Revision History......................................................................................... 14
Section 2 Target of Evaluation Description................................................................ 15
2.1 TOE Definition ........................................................................................... 15
2.2 TOE Life-cycle ........................................................................................... 19
2.3 TOE Environment ...................................................................................... 21
2.4 TOE Intended Usage ................................................................................. 22
Section 3 TOE Security Environment ........................................................................ 25
3.1 Assets ........................................................................................................ 25
3.2 Assumptions .............................................................................................. 27
3.3 Threats....................................................................................................... 29
3.4 Organizational Security Policies ................................................................ 31
Section 4 Security Objectives.................................................................................... 33
4.1 Security Objectives for the TOE................................................................. 33
4.2 Security Objectives for the Environment.................................................... 36
Section 5 TOE Security Functional Requirements .................................................... 37
Security Target Lite
4 of 56 General Business Use (05 Oct 07)
TPG0159A
5.1 The TOE Functional Requirements ...........................................................38
5.2 Security Requirements for the Environment ..............................................41
5.3 TOE Security Assurance Requirements ....................................................44
Section 6 TOE Summary Specification...................................................................... 47
6.1 TOE Security Functions.............................................................................47
6.2 TOE Assurance Measures.........................................................................49
Section 7 PP Claims.................................................................................................. 53
7.1 PP Reference.............................................................................................53
7.2 PP Refinements.........................................................................................53
7.3 PP Additions ..............................................................................................53
Appendix A Glossary..................................................................................................... 55
(05 Oct 07) General Business Use 5 of 56
TPG0159A
Figures
Figure 2-1 Complete Smartcard Device .............................................................................15
Figure 2-2 Smartcard Embedded Software........................................................................16
Figure 2-3 Smartcard Product Life Cycle ...........................................................................20
Figure 3-1 Assumptions......................................................................................................27
Figure 3-2 Standard Threats ..............................................................................................29
Figure 3-3 Attack Model for the TOE..................................................................................30
Figure 3-4 Organizational Security Policies........................................................................32
Figure 4-1 Standard Security Objectives............................................................................34
Figure 4-2 Security Objectives Related to Specific Functionality .......................................34
Figure 5-1 Standard Security Functional Requirements.....................................................38
Figure 5-2 Security Functional Requirements related to Specific Functionality .................38
Security Target Lite
6 of 56 General Business Use (05 Oct 07)
TPG0159A
(05 Oct 07) General Business Use 7 of 56
TPG0159A
Tables
Table 2-1 Smartcard Product Life-cycle...................................................................... 19
Table 2-2 Toolbox Product Life-cycle.......................................................................... 21
Table 5-1 EAL5 Package and Augmentation .............................................................. 44
Table 6-1 Relationship Between Assurance Requirements and Measures ................ 49
Security Target Lite
8 of 56 General Business Use (05 Oct 07)
TPG0159A
(05 Oct 07) General Business Use 9 of 56
TPG0159A
Section 1
Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite
1.1 Identification
1 Title: Atmel Toolbox 00.03.01.07 on the Atmel AT90SC Family Security Target Lite
2 Version: TPG0159A_(05 Oct 07)
3 This Security Target Lite has been constructed with Common Criteria (CC) Version 2.3.
1.2 Overview
Protection Profile Claims
4 This Security Target Lite (ST-Lite) is based on the Protection Profile BSI-PP-002-2001,
with additions taken from the Smartcard Integrated Circuit Augmentations BSI-AUG-
2002:
AT90SC Family Project Derivation
5 The AT90SC family of devices consists of a microcontroller (MCU) device with security
features. The device is a member of a family of single chip MCU devices which are
intended for use within Smartcard products. The family codename is AT90SC ASL4 and
the ‘parent’ device of the family, the initial device in the family was the VEGA2 project,
part number AT90SC19264RC, certified under the French CC scheme, Ref. 2002/04.
Document Title Date
BSI-PP-002-2001 Smartcard IC Platform Protection Profile V1.0 July 2001
BSI-AUG-2002 Smartcard Integrated Circuit Platform Augmentations March 2002
Note
The complete Hardware and Software part that is the AT90SC product and
the Atmel Cryptographic Toolbox is complaint to the BSI-PP-002-2001, this
Security Target Lite details only the software part of the completed AT90SC
part therefore this ST-Lite is based on the PP rather than fully compliant.
Security Target
10 of 56 General Business Use (05 Oct 07)
TPG0159A
Cryptographic Toolbox
6 The IC dedicated Support Software defined in this Security Target Lite, is a
Cryptographic Toolbox that provides a set of cryptographic functions that can be used
by the Smartcard embedded Software on the AT90SC hardware device. The AT90SC
family provides a Cryptographic Accelerator and MCU to provide hardware support to
the cryptographic toolbox functions. The crypto library is stored in the ROM* of the
AT90SC family and is linked to the Smartcard Embedded Software.
TOE Information:
Assurance Level
7 The TOE is being evaluated against the CC Smartcard IC Platform Protection Profile
(BSI-PP-002-2001) to Evaluation Assurance Level 5 (EAL5) augmented with
AVA_VLA.4, ALC_DVS.2 and AVA_MSU.3 under the Common Criteria scheme.
Sponsor
8 Atmel Smart Card ICs, a division of ATMEL Corporation, is the developer and the
sponsor for the AT90SC ASL4 evaluations.
Note
* The AT90SC may also feature FLASH parts the crypto Toolbox and
Smartcard Embedded Software would therefore be stored in FLASH, this
Security Target Lite will refer to ROM as the storage area for the Crpyto
Toolbox, the Smartcard Embedded Software Developer should refer to the
AT90SC device Security Target for details of the FLASH memory map.
TOE Name Atmel Toolbox 00.03.01.xx
Latest Toolbox Revision Number 00.03.01.07
Atmel Toolbox Certified Part
Numbers
00.03.01.03 Certified with hardware
Evaluation
00.03.01.04 M-2005/06
Atmel Corporation
3235 Orchard Parkway
San Jose
CA95131
USA
Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite
(05 Oct 07) General Business Use 11 of 56
TPG0159A
Evaluation Scheme
9 The TOE is evaluated under the French CC Scheme
Evaluator
10 The TOE is independently verified by the following Test facility (ITSEF), registered with
the French CC Scheme.
Brief TOE Description
11 The TOE is the Atmel Cryptograhic Toolbox 00.03.01.07, stored in ROM, on the
AT90SC family of smartcards with cryptographic accelerator. The Atmel toolbox allows
the smartcard embedded software the ability to perform the following cryptographic
functions.
! SHA-1 algorithm
! RSA without CRT algorithm
! RSA with CRT algorithm
! Miller Rabin algorithm
! EC-DSA
! ECDH
Centre De Certification
Direction centrale de la securite des systemes
d’information
51 bouleverard de la Tour-maubourg
75700 Paris
France
Thalès Security Systems - CEACI
BPI 1414
18 avenue Edouard Belin
Toulouse
France
Security Target
12 of 56 General Business Use (05 Oct 07)
TPG0159A
1.3 Common Criteria Conformance Claim
12 This Security Target Lite is conformant to parts 2 and 3 of the Common Criteria, V2.3,
as follows:
! Part 2 extended: the security functional requirements are based on those
identified in part 2 of the Common Criteria, the additional security functional
requirement is defined in BSI-PP-002-2001 Protection Profile.
! Part 3 conformant: the security assurance requirements are in the form of an EAL
(assurance package) that is based upon assurance components in part 3 of the
Common Criteria (CC).The augmentations used are also taken from part 3 of the
Common Criteria.
1.4 Document Objective
13 The purpose of this document is to satisfy the Common Criteria (CC) requirements for
a Security Target Lite; in particular, to specify the security requirements and functions,
and the assurance requirements and measures, where applicable from the BSI-PP-
002-2001, Smartcard IC Platform Protection Profile.
1.5 Document Structure
Section 1 introduces the Security Target Lite, and includes sections on terminology,
references and main actors.
Section 2 contains the product description and describes the TOE as an aid to the
understanding of its security requirements and addresses the product type, the
intended usage and the general features of the TOE.
Section 3 describes the TOE security environment.
Section 4 describes the required security objectives.
Section 5 describes the TOE security functional requirements.
Section 6 describes the TOE security functions.
Section 7 describes the Protection Profile (PP) claims.
Appendix A provides a glossary of the terms and abbreviations.
Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite
(05 Oct 07) General Business Use 13 of 56
TPG0159A
1.6 Scope and Terminology
14 Parts of this document are based on the AT90SC Technical Data Sheet [TD], and the
Toolbox 3.x on AT90SCxxxxC Family with AdvX [TBX] application note.
15 The term Target of Evaluation (TOE) is standard CC terminology and refers to the
software being evaluated, that is the Atmel Toolbox 00.03.01.07 on the AT90SC
Family.The stated toolbox commands form the main part of the evaluation.
16 Security objectives are defined herein with labels in the form O.xx_xx. These labels are
used elsewhere for reference. Similarly, modes, assets, subjects, threats, assumptions
and organizational security policy are defined with labels of the form M.xx_xx, D.xx_xx,
S.xx_xx, T.xx_xx, A.xx_xx, and P.xx_xx respectively.
17 Hexadecimal numbers are prefixed by $, e.g. $FF is 255 decimal. Binary numbers are
prefixed by%, e.g.%0001 1011 is decimal 27. An integer value may be expressed as a
hexadecimal, binary or decimal number, whichever form is the most convenient.
1.7 References
18 The Toolbox 00.03.01.07 Deliverables List (EDL) identifies the latest revision of the
following documents, the EDL list details all the deliverables sent as evidence, as part
of the TOE evaluation.
Within this Security Target Lite the above are referred to with the use of [ ] brackets, for
example [TD] refers to the document AT90SC Technical Datasheet, the ST user should
refer to the this document for further information. Some documents listed above are
only available to an ITSEF, the Composite product developer should refer to their
ITSEF for guidance on what they require.
[ESOF] AT90SC Strength of Security Functions Analysis
[AM_IS] AT90SC Address and Instruction Set
[TD_GEN] AT90SC Technical Data (TPR0160)
[TBX] Toolbox 3.x on AT90SCxxxxC Family with AdvX (TPR0133)
[APP_AdvX] AdvX for AT90SC Family (TPR0116)
[APP_SCRY] Securing Cryptographic Operations on AT90SC products with
the Toolbox 3.x (TPR0141)
[APP_CRYPT] Efficient use of AdvX for Implementing Cryptographic
Operations (TPR0142)
Security Target
14 of 56 General Business Use (05 Oct 07)
TPG0159A
1.8 Revision History
Rev Date Description Originator
A 05 Oct 07 Initial release for 00.03.01.07 Revision John Boggie
(05 Oct 07) General Business Use 15 of 56
TPG0159A
Section 2
Target of Evaluation Description
19 This part of the Security Target Lite (ST-Lite) describes the Target of Evaluation (TOE)
as an aid to the understanding of its security requirements and address the product
type, the intended usage and the general features of the TOE.
2.1 TOE Definition
20 The Target of Evaluation is the Cryptographic Software part of a AT90SC smartcard.
The TOE can be as support software for cryptographic functions on an already certified
Hardware Platform (AT90SC device).Figure 2-1 defines a complete Smart card device
this includes both the Hardware and Software parts of the device.
Figure 2-1 Complete Smartcard Device
Note
The Smartcard Embedded Software Developer must take into consideration
the AT90SC Security Target as well as this Security Target Lite when using
this document.
Complete Smart Card Device
Certified Hardware Platform
(AT90SCxxxxx)
Smartcard Embedded
Software
Security Target
16 of 56 General Business Use (05 Oct 07)
TPG0159A
Hardware Definition
21 The hardware part is the physical IC. This part of the Smartcard system is evaluated
independently and may be used as the basis for many composite products (that is it
may be used with various software applications).
Software Definition
22 The software is embedded in the hardware and is designed to operate the hardware.
The software consists of a smartcard embedded software provided by a customer
(Smartcard Embedded Software Developer), and a Cryptographic Toolbox (TBX)
provided by Atmel, the TBX is merged with the Smartcard embedded software in Phase
2 of the life cycle. Figure 2-2 shows a further breakdown of the Smartcard Embedded
Software.
Figure 2-2 Smartcard Embedded Software
23 The TOE boundary is the Atmel Cryptographic Software as shown in Figure 2-2. As
defined above this Crypto toolbox (TBX), forms part of a complete Smartcard
application. The TOE can only be thought of as a part of the complete application. The
TOE offers support to the Smartcard Embedded Software to allow cryptographic
functions to be performed by the Hardware certified AT90SC device, at the request of
the Smartcard Embedded Software.
00.03.01.xx Atmel Toolbox
24 The Atmel Toolbox [TBX], software library allows fast cryptographic algorithm
implementations (RSA, SHA-1, Prime Generation,...) on the hardware AT90SC. The
TOE shall also provide software cryptographic primitives to ease the customer
proprietary software implementation of these algorithms (full multiply, square, partial
multiply, division,...) as well as DSA and EC-DSA data signature. The primitives listed
Complete Smartcard Embedded Software
Customer Embedded Software
Atmel Cryptographic
Toolbox 00.03.01.xx
Software
Target of Evaluation Description
(05 Oct 07) General Business Use 17 of 56
TPG0159A
as well as DSA and EC-DSA. The cryptographic library is stored in the ROM of the
AT90SC device.
25 The Smartcard Embedded Software when wishing to run a cryptographic function, calls
a set command as listed in [TBX], this command will call a function to perform one of
the following cryptograhic functions.
! SHA-1 algorithm
! RSA without CRT algorithm
! RSA with CRT algorithm
! Miller Rabin algorithm
! EC-DSA
! ECDH
TOE Interfaces
26 The TOE interfaces consist of:
! Interface between the Smartcard Embedded Software and the Atmel Toolbox
! The interface between the AT90SC CPU and the Atmel Toolbox
! The Interface between the AT90SC Crypto RAM and the Atmel Toolbox
TOE Development
27 As the TOE is developed to be part of the complete Smartcard device, the following
documents are used by the TOE developer during the TOE development phase.
Note
Please note that storage of the software Toolbox and the access rights
applied are not discussed in this ST, the certified AT90SC Hardware ST gives
full details of the Access Control and Firewall rules defined for the Hardware
TOE.
[AM_IS] AT90SC Address and Instruction Set
[TD_GEN] AT90SC Technical Data (TPR0160)
[APP_AdvX] AdvX for AT90SC Family (TPR0116)
[APP_CRYPT] Efficient use of AdvX for Implementing Cryptographic
Operations (TPR0142)
Security Target
18 of 56 General Business Use (05 Oct 07)
TPG0159A
Customer Software Guidance Documents
28 The guidance documents applicable for the development of the smartcard embedded
software for this TOE are:
29 The software developer should refer to the Certification report issued by DCSSI for the
correct revisions of the documents stated above.
2.1.1 Scope of Evaluation Summary
Part of the TOE
! Atmel Security User Guidance as detailed on page 18
! The TOE interfaces as detailed in Section 26
! Phases 2-3 of the Life Cycle
! The complete Atmel Toolbox 00.03.01.07 software
! Atmel Toolbox Cryptographic functions
Outwith the TOE
! Strength of Cryptographic Functions
! Phases 1 and 4-7 of the Life Cycle
[TBX] Toolbox 3.x on AT90SCxxxxC Family with AdvX (TPR0133)
[APP_AdvX] AdvX for AT90SC Family (TPR0116)
[APP_SCRY] Securing Cryptographic Operations on AT90SC products with
the Toolbox 3.x (TPR0141)
[]
[APP_RNG] Generation of Random Numbers with a Controlled Entropy on
AT90SC Family (TPR0166)
Target of Evaluation Description
(05 Oct 07) General Business Use 19 of 56
TPG0159A
2.2 TOE Life-cycle
30 To understand the Life Cycle of the TOE, it must be included in the overall Smartcard
Life Cycle first.
2.2.1 Smartcard Life Cycle
31 The standard smartcard product life-cycle consisting of 7 phases where the following
authorities are involved
.
Table 2-1 Smartcard Product Life-cycle
Phase 1 Smartcard software
development
The smartcard software developer is in charge of the
smartcard embedded software development and the
specification of IC pre-personalization requirements,
Phase 2 IC Development The IC designer designs the IC, develops IC dedicated
software, provides information, software or tools to the
smartcard software developer, and receives the software
from the developer, through trusted delivery and
verification procedures. From the IC design, IC dedicated
software and smartcard embedded software, the IC
designer constructs the smartcard IC database,
necessary for the IC photomask fabrication.
Phase 3 IC manufacturing and
testing
The IC manufacturer is responsible for producing the IC
through three main steps:
! IC manufacturing
! IC testing
! IC pre-personalization
Phase 4 IC packaging and
testing
The IC packaging manufacturer is responsible for the IC
packaging and testing.
Phase 5 Smartcard product
finishing process
The smartcard product manufacturer is responsible for the
smartcard product finishing process and testing.
Phase 6 Smartcard
personalization
The personalizer is responsible for the smartcard
personalization and final tests. Other application software
may be loaded onto the chip at the personalization
process.
Phase 7 Smartcard end-usage The smartcard issuer is responsible for the smartcard
product delivery to the smartcard end-user, and the end of
life process.
Security Target
20 of 56 General Business Use (05 Oct 07)
TPG0159A
Figure 2-3 Smartcard Product Life Cycle
Legend
Limits of the
development cycle
Trusted delivery and
verification procedures
Smartcard Embedded software
Pre-personalization data
and Atmel Toolbox data, or
customer Toolbox where
applicable
IC sensitive information
software, tools (not
applicable)
Test Libraries, Atmel Crypto
Library
Design Center; MaskPrep
Maskshop
Wafer Fab
Test Center
.
Production
Phase
See Hardware ST
User
Phase
Development
Phase
Smartcard IC Database Construction
IC Photomask Fabrication
IC Testing and Security Encoding
IC Manufacturing
IC Packaging
Smartcard Product Finishing Process
Testing (1)
Personalization
Testing (1)
Smartcard Product End-Usage (1)
End of Life Process
IC Design IC Dedicated Software
IC Personalization requirements Smartcard embedded software
IC Personalization requirements
Testing (1)
Phase 7
Phase 6
Phase 5
Phase 3
Phase 2
Phase 1
Phase 4
See Hardware ST
IC Personalization requirements
Product
Construction
Product
Usage
(1) Any faulty AT90SC
devices would be returned
to the Testing Centre to
perform failure analysis.
Target of Evaluation Description
(05 Oct 07) General Business Use 21 of 56
TPG0159A
2.2.2 Atmel Toolbox Life Cycle
32 The Atmel Toolbox integrates into the smartcard life cycle in phase 2 development
phase, before this in phase 1 and after this in phases 4-7 the toolbox must be
considered as part of the smartcard is protected by the smartcard delivery procedures.
33 The applicable phase to the toolbox is phase 2 of the smartcard, to show the life of the
TOE this phase requires to be refined, as detailed in Table 2-2.
2.3 TOE Environment
34 Considering the TOE, two types of environments are defined:
! Software development environment corresponding to Phase 2 (a,b,c)
! Code Entry environment corresponding to Phase 2 (e,f)
2.3.1 Software Development Environment
35 The Software Development Environment pertains to:
! Specification (a)
! Conception (b)
! Coding (c)
! Validation (d)
36 To assure security, the environment in which the development takes place is made
secure with controllable accesses having traceability. Access to the development
building is strictly monitored by a security person. Visitors must sign a log book and
record the time of arrival and time of departure to the building. All visitors are escorted
by authorized personnel at all times. All authorized personnel involved fully understand
the importance and the rigid implementation of the defined security procedures.
Table 2-2 Toolbox Product Life-cycle
Phase 2 TOE Development (a) Specification
(b) Conception
(c) Coding
(d) Validation
(e) Code Entry
(f) ROMGEN
Security Target
22 of 56 General Business Use (05 Oct 07)
TPG0159A
37 Specification and Conception of the TOE is performed by the Software Developer.
Specification and conception documentation is stored using a file management system.
The software development engineer uses appropriate software tools to make his code,
the TOE data is secure and only available to authenticated engineers. Sensitive
documents, databases on tapes, diskettes are stored in appropriate locked cupboards
and safes. Disposal of unwanted confidential data is carried out by shredding (paper
documents) or complete electronic erasures (electronic documents, databases, etc.).
2.3.2 TOE Code Entry Environment
38 The Code Entry Environment pertains to:
! Code Entry
! ROMGEN
39 As with the Software development environment, to assure security, the environment in
which the Code Entry takes place is made secure with controllable accesses having
traceability. Access to the development building is strictly monitored by a security
person. Visitors must sign a log book and record the time of arrival and time of
departure to the building. All visitors are escorted by authorized personnel at all times.
All authorized personnel involved fully understand the importance and the rigid
implementation of the defined security procedures.
40 The Software Developer releases the final Toolbox code to the Code Entry team. The
processing of the Toolbox data by the Code Entry and ROMGEN teams is performed
on a secure network accessible to authenticated engineers with password controls to
ensure that the data is protected at all times. As with the Development environment
sensitive documents, databases on tapes, diskettes are stored in appropriate locked
cupboards and safes. Disposal of unwanted confidential data is carried out by
shredding (paper documents) or complete electronic erasures (electronic documents,
databases, etc.).
2.3.3 TOE User Environment
41 From after ROMGEN the TOE must be considered as part of the AT90SC hardware
TOE, the user of the TOE must refer to the AT90SC Security Target for information on,
the secure handling and delivery processes, from this stage onwards.
2.4 TOE Intended Usage
42 The TOE can be incorporated in several applications such as:
! Banking and finance market for credit/debit cards, electronic purse (stored value
cards) and electronic commerce.
! Network based transaction processing such as mobile phones (GSM SIM cards),
pay-TV (subscriber and pay-per-view cards), communication highways (Internet
access and transaction processing).
Target of Evaluation Description
(05 Oct 07) General Business Use 23 of 56
TPG0159A
! Transport and ticketing market (access control cards).
! Governmental cards (ID-cards, healthcards, driver license etc).
! Multimedia commerce and Intellectual Property Rights protection.
43 During the phase 2 of the AT90SC life cycle the TOE is being developed and produced.
The administrators are the following:
! The smartcard embedded software developer
! The Atmel Code Entry Team
! The Atmel ROMGEN Team
Security Target
24 of 56 General Business Use (05 Oct 07)
TPG0159A
(05 Oct 07) General Business Use 25 of 56
TPG0159A
Section 3
TOE Security Environment
44 This Security Target Lite is based on the BSI-PP-002-2001 protection profile.
45 This section describes the security aspects of the environment in which the certified
AT90SC device is intended to be used, and addresses the description of the assets to
be protected, the assumptions, the threats, and the organizational security policies.
46 Section 3 and 4 are taken directly from the BSI-PP-002-2001 Protection Profile to fully
comply with the Protection Profile the complete system AT90SC Certified Hardware
platform and the TOE must be taken into account, section 3 and 4 deal only with the
parts of the PP that deal specifically with the Software Toolbox.
3.1 Assets
3.1.1 Assets regarding the Threats
47 Assets are security relevant elements of the TOE that include the Primary and
Secondary assets.
Primary Assets
! User application data (D.xxx_DATA) of the TOE comprising the IC pre-
personalization requirements, located in:
! Crypto ROM (D.CRYPTO_ROM_DATA)
The User data can be subject to manipulation and disclosure while being stored or
processed by the TOE.
! Smartcard embedded software (D.xxx_SOFT) located in:
! Crypto ROM (D.CRYPTO_ROM_SOFT)
Smartcard Embedded software needs to be protected to prevent manipulation and
disclosure.
! IC dedicated software (D.xxx_DSOFT) located in:
Note
The Smartcard Embedded Software developer should refer to this document
and also the specific AT90SC family member Security Target. Section 3
onwards can be though of as a building block that fits directly into the
appropriate AT90SC Security Target.
Security Target
26 of 56 General Business Use (05 Oct 07)
TPG0159A
! Crypto ROM (D.CRYPTO_ROM_DSOFT))
48 Therefore, the complete TOE itself is an asset.
Secondary Assets
49 There are many ways to manipulate or disclose the User Data:
1. An attacker may manipulate the smartcard Embedded Software or the TOE
(Primary assets)
Such attacks usually require design information of the TOE to be obtained. Therefore,
the design information is a secondary asset.
! IC specification (D.IC_SPEC)
! Design (D.DESIGN)
! Development tools (D.DEV_TOOLS)
! Technology (D.TECHNO)
! Photomasks (D.MASK)
50 The above secondary assets disclose the following information to an attacker and
therefore need to be protected.
1. The IC dedicated Software with the parts IC Dedicated Test software, and IC
dedicated support software
2. The TSF data
51 Assets must be protected in terms of confidentiality and integrity.
Grouping of Assets / Object Definition
52 These assets can be grouped to define objects that must be protected, which is useful
for the following sections of this document.
! O3: Crypto ROM: covering D.CRYPTO_ROM_DATA, D.CRYPTO_ROM_SOFT,
D.CRYPTO_ROM_DSOFT
TOE Security Environment
(05 Oct 07) General Business Use 27 of 56
TPG0159A
3.2 Assumptions
53 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform
Protection Profile”, the assumptions defined in section 3.2 of the PP (where applicable)
are valid for this Security Target Lite and are listed below.
Figure 3-1 Assumptions
A.Plat-Appl
A.Resp-Appl
Scope of Protection Profile PP-BSI-002 Outwith the Protection Profile PP-BSI-002
A.Platform Security
Security Target
28 of 56 General Business Use (05 Oct 07)
TPG0159A
A.Plaform Security Hardware Platform Security
The security of the Hardware Platform on which the TOE is
loaded, shall have sufficient security to fully protect the TOE
and its assets.
The random numbers generated by the Platform shall not be
predictable and have sufficient entropy. The platform will
ensure that no information about produced random
numbers is available to an attacker, as this information may
be used to generate cryptographic keys.
A.Plat-Appl Usage of Platform
The Smartcard Embedded Software shall be designed
according to the latest TOE user guidance as stated in
Section 28. The Smartcard Embedded Software designer
should also take into account the findings of the TOE
evaluation report.
Applies to Phase 1
A.Resp-Appl Treatment of User Data
User data is owned by the Smartcard Embedded Software.
Therefore, is assumed that security relevant User Data for
example Cryptographic keys, are treated by the Smartcard
Embedded Software according to the requirements of the
specific end application.
Applies to Phase 1
TOE Security Environment
(05 Oct 07) General Business Use 29 of 56
TPG0159A
3.3 Threats
54 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform
Protection Profile”, the threats defined in section 3.3 of the PP (where applicable) are
valid for this Security Target Lite and are listed below
According to BSI-PP-002-2001, there are the following standard high-level security
concerns
55 The security concerns 1 and 2 give rise to the following threats:
Figure 3-2 Standard Threats
56 The complete AT90SC device is exposed to different types of influences or interactions
with it’s outside world. Some of them may result from just using the TOE, others may
SC1 Manipulation of User Data and of the Smartcard Embedded Software
(while being executed/processed and while being stored in the TOE’s
memories)
SC2 Disclosure of User Data and of the Smartcard Embedded Software (while
being processed and while being stored in the TOE’s memories)
T.Leak-Inherent
Scope of Protection Profile PP-BSI-002 Outwith the Protection Profile
PP-BSI-002
Security Target
30 of 56 General Business Use (05 Oct 07)
TPG0159A
also indicate an attack. The different types of influences or interactions are shown in
Figure 3-3.
Figure 3-3 Attack Model for the TOE
57 An interaction with the TOE can be done through the ISO interfaces (number 7-9 in
Figure 3-3) which are realized using contacts. Influences or interactions with the TOE
also occurs through the chip surface (number 1-6 in Figure 3-3). In number 1and 6
galvanic contacts are used. In number 2 and 5 the influence (arrow directed to the chip)
does not require a contact. Number 3 and 4 refer to specific situations where the TOE
and it’s functional behaviour is not only influenced but definite changes are made by
applying mechanical, chemical and other methods (such as 1 and 2). Many attacks
require a prior inspection and some reverse-engineering (number 3).
1 2
Electrical
Stimulation
Energy and
Particle Exposure
(e.g. temperature)
3
4
Inspection and
Reverse-engineering
Physical
Manipulation
9
8
7
6 5
Electrical
Simulation
(glitches etc.)
Communication
Electrical
Measurement
and Analysis
(Also for
unbonded pads)
Electrical
Measurement
and Analysis
Electro-magnetic
Interaction/radiation
and Analysis
TOE Security Environment
(05 Oct 07) General Business Use 31 of 56
TPG0159A
58 The Smartcard Embedded Software must contribute to averting the threats: At least it
must not undermine the security provided by the TOE. For details refer to the
assumptions regarding the Smartcard Embedded Software, specified in Section 3.2.
Standard Threats (referring to SC1 and SC2).
59 From the threats stated in Figure 3-3, the TOE shall avert the applicable threats listed
below:
3.4 Organizational Security Policies
60 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform
Protection Profile”, the Security Policy defined in section 3.4 of the PP (where
applicable) are valid for this Security Target Lite and are listed below.
61 The TOE may provide specific security functionality which can be used by the
Smartcard Embedded Software. Particular specific security functionality may not
necessarily be derived from threats identified for the TOE's environment because it can
only be decided in the context of the smartcard application, against which threats the
Smartcard Embedded Software will use the specific security functionality. Therefore,
T.Leak-Inherent Inherent Information Leakage
An attacker may exploit information which is leaked from the
TOE during usage of the complete smartcard system in
order to disclose confidential data (User Data or TSF data).
No direct contact with the smartcard internal is required
here. Leakage may occur through emanations, variations in
power consumption, I/O characteristics, clock frequency, or
by changes in processing time requirements. One example
is the Differential Power Analysis (DPA). This leakage may
be interpreted as a covert channel transmission but is more
closely related to measurement of operating parameters,
which may be derived either from direct (contact)
measurements (numbers 6 and 7 Figure 3-3) or
measurement of emanations (number 5) and can be related
to the specific operation being performed.
Security Target
32 of 56 General Business Use (05 Oct 07)
TPG0159A
the necessity of some specific functionality may not derived from a threat. The Security
organizational policies are shown in Figure 3-4.
Figure 3-4 Organizational Security Policies
62 The IC developer must apply the policy “Additional Specific Security Functionality”
(P.Add-Functions) as specified below.
P.Add-Functions Additional Specific Security Functionality
The TOE must provide the following specific security
functionality to the Smartcard Embedded Software,
according to accepted international standard:
! Secure Hash Algorithm (SHA))
! Rivest-Shamir-Adleman (RSA) With CRT
! Rivest-Shamir-Adleman (RSA) Without CRT
! Elliptical Curve Computation (ECC)
! RSA Key Generation
The TOE must provide means to identify the correct revision
of the TOE on request by the TOE user.
P.Add-Functions
Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002
(05 Oct 07) General Business Use 33 of 56
TPG0159A
Section 4
Security Objectives
63 This Security Target Lite is based on the BSI-PP-002-2001 protection profile.
64 The security objectives of the TOE contains the following sections:
! Security Objectives for the TOE
! Security Objectives for the Environment
4.1 Security Objectives for the TOE
According to this Security Target Lite, there are the following standard high level
security goals:
65 Though the Smartcard Embedded Software stored in the AT90SC ROM, will in many
cases not contain secret data or algorithms, it must be protected from being disclosed,
since for instance knowledge of specific implementation details may assist an attacker.
66 These standard high-level security goals are refined below by defining security
objectives as required by the Common Criteria (Figure 4-1). Note that the integrity of
the TOE is a means to reach these objectives.
SG1 Maintain the integrity of User Data and of the Smartcard Embedded
Software (when executing TOE functions).
SG2 maintain the confidentiality of User Data and of the Smartcard Embedded
Software (when executing TOE functions).
Security Target
34 of 56 General Business Use (05 Oct 07)
TPG0159A
Figure 4-1 Standard Security Objectives
67 According to this Security Target Lite there are the following high level security goals
related to specific functionality:
68 The additional high level security considerations are refined below by defining security
objectives as required by the Common Criteria.
Figure 4-2 Security Objectives Related to Specific Functionality
SG4 Provide additional security functionality.
O.Leak-Inherent
O.Identification
Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002
O.Add-Functions
Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002
Security Objectives
(05 Oct 07) General Business Use 35 of 56
TPG0159A
Standard Security Objectives (referring to SG1 and SG2)
69 The TOE shall provide protection on each of the Standard Security Objectives as listed
below:
Security Objectives Relating to Specific Functionality (referring to SG3 and SG4)
70 The TOE shall provide protection on each of the Specific Functionality Security
Objectives as listed below:
O.Leak-Inherent Protection Against Inherent Information Leakage
The TOE must provide protection against disclosure of
confidential data (User Data or TSF data) stored and/or
processed in the smartcard IC
! By measurement and analysis of the shape and
amplitude of signals (for example on the power, clock,
or I/O lines) and
! By measurement and analysis of the time between
events found by measuring signals (for instance on the
power, clock, or I/O lines).
This objective pertains to measurements with subsequent
complex signal processing. Details correspond to an
analysis of attack scenarios which is not given here.
O.Identification TOE Identification
The TOE must provide means to store Initialisation Data and
Pre-personalisation Data in its non-volatile memory. The
Initialisation Data (or parts of them) are used for TOE
identification.
O.Add-Function Additional Specific Security Functionality
The TOE must provide the following specific security
functionality to the Smartcard Embedded Software:
! Secure Hash Algorithm (SHA)
! Rivest-Shamir-Adleman (RSA) With CRT
! Rivest-Shamir-Adleman (RSA) Without CRT
! Elliptical Curve Computation (ECC)
! RSA Key Generation
Security Target
36 of 56 General Business Use (05 Oct 07)
TPG0159A
4.2 Security Objectives for the Environment
Phase 1
71 The Smartcard Embedded Software shall provide for each of the Security Objectives
for the Environment as stated below.
Phase 2
72 The hardware Platform shall provide for the Security Objective for the environment as
stated below..
OE.Plat-Appl Usage of TOE Platform
To ensure that the TOE is used in a secure manner the
Smartcard Embedded Software shall be designed so that
the requirements from the following documents are met:
! TOE application notes
! Findings of the TOE evaluation reports relevant for the
Smartcard Embedded Software
OE.Resp-Appl Treatment of User Data
Security relevant User Data (especially cryptographic keys)
are treated by the Smartcard Embedded Software as
required by the security needs of the specific application
context.
For example the Smartcard Embedded Software will not
disclose security relevant user data to unauthorised users or
processes when communicating with a terminal.
OE.Platform security Hardware Platform Security
The security of the Hardware Platform on which the TOE is
loaded, must be of a sufficient quality to fully protect the
TOE and its assets.
The security of the hardware platform is especially relevant
when taking into account the RNG used in conjuction with
the TOE to produce cryptographic keys. The hardware
platform RNG must be tested against a recognised quality
metric.
(05 Oct 07) General Business Use 37 of 56
TPG0159A
Section 5
TOE Security Functional Requirements
73 This Security Target Lite is based on the BSI-PP-002-2001 protection profile.
74 The TOE security functional requirements define the functional requirements for the
TOE using functional requirements components drawn from the Common Criteria part
2, and extended functional requirements defined in BSI-PP-002-2001.
75 The minimum strength of function level for the TOE security requirements is SOF-high.
Note
The Smartcard Embedded Software Developer must consider the whole
product, to comply with the BSI-PP-002-2001 Protection Profile, the full
AT90SC system SFRs must be considered, the developer should refer to
both security targets.
Security Target
38 of 56 General Business Use (05 Oct 07)
TPG0159A
5.1 The TOE Functional Requirements
Standard Security Functional Requirements
76 The Standard TOE Security Functional Requirements (where applicable to the TOE) as
listed within the BSI-PP-002-2001 are shown in Figure 5-1
Figure 5-1 Standard Security Functional Requirements
77 The Security Functional Requirements related to specific Functionality are shown in
Figure 5-2.
Figure 5-2 Security Functional Requirements related to Specific Functionality
Leakage
Basic Internal
Transfer Protection
(FDP_ITT.1)
Basic Internal
TSF data Transfer
(FPT_ITT.1)
Protection
Subset
Information Flow
Control
(FDP_IFC.1)
Audit Storage
(FAU_SAS.1)
Identification
SFRs related to Specific Functionality
- Cryptography
Cryptograhic
Operations
(FCS_COP.1)
Cryptography
TOE Security Functional Requirements
(05 Oct 07) General Business Use 39 of 56
TPG0159A
5.1.1 Functional Requirements Relating to Leakage
Basic Internal Transfer Protection (FDP_ITT.1)
78 The TOE shall meet the requirement “Basic internal transfer protection” as specified
below:
Basic Internal TSF data transfer protection (FPT_ITT.1)
79 The TOE shall meet the requirement “Basic internal TSF data transfer protection” as
specified below:
FDP_ITT.1 Basic internal transfer protection
Hierarchical to No other components
FDP_ITT.1.1 The TSF shall enforce the Data Processing Policy to
prevent the disclosure of user data when it is transmitted
between physically-separated parts of the TOE.
Dependencies FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset
information flow control
Refinement The different memories, the CPU and other functional units of
the Smartcard device (e.g. a cryptographic co-processor) are
seen as physically-separated parts of the Smartcard device.
FPT_ITT.1 Basic internal TSF data transfer protection
Hierarchical to No other components
FPT_ITT.1.1 The TSF shall protect TSF data from disclosure when it is
transmitted between separate parts of the TOE.
Dependencies No dependencies
Refinement The different memories, the CPU and other functional units of
the smartcard device (e.g. a cryptographic co-processor) are
seen as separated parts of the Smartcard device.
This requirement is equivalent to FDP_ITT.1 above but refers
to TSF data instead of User Data. Therefore, it should be
understood as to refer to the same Data Processing Policy
defined under FDP_IFC.1.
Security Target
40 of 56 General Business Use (05 Oct 07)
TPG0159A
Subset Information Flow Control (FDP_IFC.1)
80 The TOE shall meet the requirement “Subset information flow control” as specified
below:
81 The following Security Functional Policy (SFP) Data Processing Policy is defined for the
requirement “Subset information flow control”:
! User Data and TSF data shall not be accessible from the TOE except when the
Smartcard Embedded Software decides to communicate the User Data via an
external interface. The protection shall be applied to confidential data only but
without the distinction of attributes controlled by the Smartcard Embedded
Software.
5.1.2 Functional Requirements Relating to Identification
Audit Storage (FAU_SAS.1)
82 The TOE shall meet the requirement “Audit storage” as specified below:
Cryptographic operation (FCS_COP.1)
83 The TOE shall meet the requirement “Cryptographic operation” on cryptographic
operations as specified below:
FDP_IFC.1 Subset information flow control
Hierarchical to No other components
FDP_IFC.1.1 The TSF shall enforce the Data Processing Policy on all
confidential data when they are processed or transferred
by the TOE or by the Smartcard Embedded Software.
Dependencies FDP_IFF.1 Simple security attributes
FAU_SAS.1 Audit storage
Hierarchical to No other components
FAU_SAS.1.1 The TSF shall provide test personnel before TOE Delivery
with the capability to store the Initialisation Data and/or Pre-
personalisation Data and/or supplements of the
Smartcard Embedded Software in the audit records.
Dependencies No dependencies
FCS_COP.1 Cryptographic operation
Hierarchical to No other components
FCS_COP.1.1 The TSF shall perform software:
TOE Security Functional Requirements
(05 Oct 07) General Business Use 41 of 56
TPG0159A
5.2 Security Requirements for the Environment
5.2.1 Security Requirements for the IT-Environment
84 The environment shall meet the requirement “Quality metric for random numbers” as
detailed below::
! data encryption and decryption in accordance with a
specified cryptographic algorithm: SHA-1, and
cryptographic key size: (not disclosed in ST-Lite) that
meet the following Secure Hash Standard, FIPS PUB
180-1, 17th April 1995
! data encryption and decryption in accordance with a
specified cryptographic algorithm: RSA without CRT
data, and cryptographic key size: (not disclosed in ST-
Lite) that meet the following, PKCS#1 V2.0, 1st
October, 1998.
! data encryption and decryption in accordance with a
specified cryptographic algorithm: RSA with CRT data,
and cryptographic key size: (not disclosed in ST-Lite)
bits that meet the following PKCS#1 V2.0, 1st October,
1998.
! data encryption and decryption in accordance with a
specified cryptographic algorithm: EC-DSA, and
cryptographic key size: (not disclosed in ST-Lite) that
meet the following, FIPS 186-2, 27th January, 2007 for
Digital Signatures.
! data encryption and decryption in accordance with a
specified cryptographic algorithm: ECDH, and
cryptographic key size: (not disclosed in ST-Lite) that
meet the following ISO 15946-3:2002 for ECDH
standard.
Dependencies (FDP_ITC.1 Import of user data without security attributes or
FDP_ITC.2 Import of user data with security attributes or
FCS_CKM.1 Cryptographic key generation)
FCS_CKM.4 Cryptographic key destruction
FMT_MSA.2 Secure security attributes
FCS_RND.1 Quality metric for random numbers
Hierarchical to No other components
FCS_RND.1.1 The TSF shall provide a mechanism to generate random
numbers that meet [assignment: a defined quality metric].
Dependencies No dependencies
Security Target
42 of 56 General Business Use (05 Oct 07)
TPG0159A
5.2.2 Security Requirements for the NON-IT-Environment
85 In the following, security requirements for the Non-IT-Environment are defined.
86 For the Hardware Platform the requirement “ Hardware Platform Security
(RE.Hardware Platform)” is valid..
87 For the development of the Smartcard Embedded Software (in Phase 1) the
requirement “Design and implementation of the Smartcard Embedded Software
(RE.Phase-1)” is valid.
RE.Platform
Security
Hardware Platform Security
The TOE user must ensure that the security of the Hardware Platform
on which the TOE is loaded, must be of a sufficiently quality to fully
protect the TOE and its assets.
The security of the hardware platform is especially relevant when
taking into account the RNG used in conjuction with the TOE to
produce cryptographic keys. The hardware platform RNG must be
tested against a recognised quality metric.
RE.Phase-1 Design and Implementation of the Smartcard Embedded Software
The developers shall design and implement the Smartcard Embedded
Software in such a way that it meets the requirements from the
following documents (i) data sheet for the TOE, (ii) TOE application
notes, and (iii) findings of the TOE evaluation reports relevant for the
Smartcard Embedded Software. (See section 2.1 Customer Software
Guidance)
The developers shall implement the Smartcard Embedded Software in
a way that it protects security relevant User Data (especially
cryptographic keys) as required by the security needs of the specific
application context.
TOE Security Functional Requirements
(05 Oct 07) General Business Use 43 of 56
TPG0159A
88 The Smartcard Embedded Software shall meet the requirements RE.Cipher.
RE.Cipher Cipher Schemas
The developers of Smartcard Embedded Software must not
implement routines in a way which may compromise keys when the
routines are executed as part of the Smartcard Embedded Software.
Performing functions which access cryptographic keys could allow an
attacker to misuse these functions to gather information about the key
which is used in the computation of the function.
Keys must be kept confidential as soon as they are generated. The
keys must be unique with a very high probability, as well as
cryptographically strong. For example, it must be ensured that it is not
possible to derive the private key from a public key if asymmetric
algorithms are used. This implies that an appropriate key management
has to be realized in the environment.
Security Target
44 of 56 General Business Use (05 Oct 07)
TPG0159A
5.3 TOE Security Assurance Requirements
89 The assurance requirement is EAL5 augmented of additional assurance components
listed in Table 5-1.
90 Some of the augmentation components are hierarchical ones to the components
specified in EAL5.
91 All the components are drawn from Common Criteria Part 3.
Table 5-1 EAL5 Package and Augmentation
Assurance Class EAL5 Package
TBX_00.03.01.xx
EAL5+ Package
Augmented From
EAL5
ACM_AUT 1 1 No
ACM_CAP 4 4 No
ACM_SCP 3 3 No
ADO_DEL 2 2 No
ADO_IGS 1 1 No
ADV_FSP 3 3 No
ADV_HLD 3 3 No
ADV_IMP 2 2 No
ADV_INT 1 1 No
ADV_LLD 1 1 No
ADV_RCR 2 2 No
ADV_SPM 3 3 No
AGD_ADM 1 1 No
AGD_USR 1 1 No
ALC_DVS 1 2 Yes
ALC_FLR N/A N/A No
ALC_LCD 2 2 No
ALC_TAT 2 2 No
ATE_COV 2 2 No
ATE_DPT 2 2 No
ATE_FUN 1 1 No
ATE_IND 2 2 No
AVA_CCA 1 1 No
AVA_MSU 2 3 Yes
AVA_SOF 1 1 No
AVA_VLA 3 4 Yes
(05 Oct 07) General Business Use 45 of 56
TPG0159A
92 The refinements to the assurance requirements as stated within the Protection Profile
BSI-PP002-2001 have been taken into account.
Security Target
46 of 56 General Business Use (05 Oct 07)
TPG0159A
(05 Oct 07) General Business Use 47 of 56
TPG0159A
Section 6
TOE Summary Specification
93 This section defines the TOE security functions that implement the security functional
requirements defined in Section 5.1, and the TOE assurance measures that implement
the security assurance requirements defined in Section 5.3.
6.1 TOE Security Functions
6.1.1 Cryptography (SF10)
94 The TSF shall provide a cryptographic algorithm to be able to transmit and receive
objects in a manner protected from data retrieval or modification.
95 The TSF shall provide software
! M10.2 SHA-1 data signing capability.
! M10.3 RSA without CRT data encryption/ decryption capability
! M10.4 RSA with CRT data encryption/decryption.
96 Those may be used by the smartcard embedded software to support data encryption
and decryption for maintaining data integrity, and protect against sensitive data
unauthorized disclosure.
97 M10.6 the TSF shall provide software RSA cryptographic key generation capability
using Miller Rabin algorithm.
98 M10.7 the TSF shall provide software sign and verify signatures with ECC, conforming
to EC-DSA standard.
Note
The TSF and Security Mechanism (Mx.x) are numbered in a way to allow the
Smartcard Embedded Software Developer to see how the TSF detailed fits
into the equivalent TSFs for the certified AT90SC ST.
Note
The Atmel Toolbox must be considered as a whole
Security Target
48 of 56 General Business Use (05 Oct 07)
TPG0159A
99 M10.8 the TSF shall provide software point multiplication on an elliptical curve,
conforming to EC-DSA standard.
100 M10.9 the TSF shall provide software point addition on an elliptical curve, conforming
to EC-DSA standard.
101 M10.10 the TSF shall provide software point doubling on an elliptical curve, conforming
to EC-DSA standard.
102 M10.11 the TSF shall provide software ECDH cryptographic capability using Elliptic
Curve point operations.
103 M10.12 the TSF shall provide a software function that performs a selftest operation of
the TOE, at the end of the selftest function the TOE will output a Version number.
104 The Strength of Function claimed for the cryptography security function is high.
105 An assessment of the strength of the following algorithms does not form part of the
evaluation:
! SHA-1 algorithm
! RSA without CRT algorithm
! RSA with CRT algorithm
! Miller Rabin algorithm
! EC-DSA
! ECDH.
6.1.2 Security Functions Based on Permutations/combinations
106 Not applicable.
TOE Summary Specification
(05 Oct 07) General Business Use 49 of 56
TPG0159A
6.2 TOE Assurance Measures
107 Table 6-1 specifies how they satisfy the TOE security assurance requirements.
Security Target Lite (SA1)
108 SA1 shall provide the “TOE Security Target Lite” document plus its references.
Table 6-1 Relationship Between Assurance Requirements and Measures
Security
Target
Lite
Configuration
Management
Delivery
and
Operation
Development
Activity
Guidance
Life
Cycle
Support
Test
Activity
Vulnerability
assessment
Smartcard
Devices
Development
Site
Test
Site
Manufacturing
Site
Sub-contractor
Site
Assurance
Requirement
SA1
SA2
SA3
SA4
SA5
SA6
SA7
SA8
SA9
SA10
SA11
SA12
SA13
ASE_xxx x
ACM_AUT.1 x x x x x
ACM_CAP.4 x x x x x
ACM_SCP.3 x x x x x
ADO_DEL.2 x x x x x
ADO_IGS.1 x x x x x
ADV_FSP.3 x
ADV_HLD.3 x
ADV_IMP.2 x
ADV_LLD.1 x
ADV_RCR.2 x
ADV_SPM.3 x
AGD_ADM.1 x
AGD_USR.1 x
ALC_DVS.2 x x x x x
ALC_LCD.2 x x x x x
ALC_TAT.2 x x x x x
ATE_COV.2 x x x
ATE_DPT.2 x x x
ATE_FUN.1 x x x
ATE_IND.2 x x x
AVA_CCA.1 x x
AVA_MSU.3 x x
AVA_SOF.1 x x
AVA_VLA.4 x x
Security Target
50 of 56 General Business Use (05 Oct 07)
TPG0159A
Configuration Management (SA2)
109 SA2 shall provide the “CC Configuration Management (ACM)” interface document plus
its references.
Delivery and Operation (SA3)
110 SA3 shall provide the “CC Delivery and Operation (ADO)” interface document plus its
references.
Development Activity (SA4)
111 SA4 shall provide the “CC Development Activity (ADV)” interface document plus its
references.
Guidance (SA5)
112 SA5 shall provide the “CC Guidance (AGD)” interface document plus its references.
Life Cycle Support (SA6)
113 SA6 shall provide the “CC Life Cycle Support (ALC)” interface document plus its
references.
Test Activity (SA7)
114 SA7 shall provide the “CC Test Activity (ATE)” interface document plus its references,
and undertaking of testing described therein.
Vulnerability Assessment (SA8)
115 SA8 shall provide the “CC Vulnerability Assessment (AVA)” interface document plus its
references, and undertaking of vulnerability assessment described therein.
Smart Card Devices (SA9)
116 SA9 shall provide functional AT90SC smart card devices with TBX 3.x loaded and an
engineering ROM to allow TOE testing.
Development Site (SA10)
117 SA10 shall provide access to the development site.
Test Site (SA11)
118 SA11 shall provide access to the test site.
Manufacturing Site (SA12)
119 SA12 shall provide access to the manufacturing site.
TOE Summary Specification
(05 Oct 07) General Business Use 51 of 56
TPG0159A
Sub-contractor Sites (SA13)
120 SA13 shall provide access to the sub-contractor sites.
Security Target
52 of 56 General Business Use (05 Oct 07)
TPG0159A
(05 Oct 07) General Business Use 53 of 56
TPG0159A
Section 7
PP Claims
7.1 PP Reference
121 This Security Target Lite is based on the Protection Profile “Smartcard IC Platform
Protection Profile” V1.0 July 2001,and has been registered under the German
Certification Scheme (BSI) under the reference BSI-PP-002-2001.
7.2 PP Refinements
122 For clarification of this Security Target Lite, modes, assets, subjects, threats,
assumptions and organizational security policy are defined with labels of the form
M.xx_xx, D.xx_xx, S.xx_xx, T.xx_xx, A.xx_xx, and P.xx_xx respectively.
7.3 PP Additions
123 The PP additions fall into the following categories, the additions:
! taken directly from Common Criteria V2.3
! assumption and security objective for environment, defined in Section 3.2 of this
Security Target Lite
7.3.1 Additions from BSI-AUG-2002
124 Additions include Assumptions, Threats, Organisational security Policies, Security
Objectives and Security Functional Requirements.
7.3.1.1 Assumptions
125 This Security Target Lite specifies the additional Assumption, A.Platform Security. This
assumption relates to the Hardware Platform security.
7.3.1.2 Organizational Security Policies
126 This Security Target Lite specifies the additional organizational security policies, P.Add-
Functions this policy relates to the cryptographic functions provided by the TOE.
Security Target
54 of 56 General Business Use (05 Oct 07)
TPG0159A
7.3.1.3 Security Objectives
127 This Security Target Lite specifies the additional security objective, O.Add-Functions
this objective relates to the cryptographic functions provided by the TOE.
7.3.1.4 Security Functional Requirements
128 This Security Target Lite specifies the additional security functional requirements:
! FCS_COP.1 relating to the cryptographic functions provided by the TOE
7.3.1.5 Security Functional Requirements for the NON-IT-Environment
129 This Security Target Lite specifies the additional security functional requirement for the
NON-IT-Environment:
! RE.Cipher relating to the Smartcard Embedded Software development
7.3.2 Additions Defined in this Security Target Lite
7.3.2.1 Security Functional Requirements for the NON-IT-Environment
130 This Security Target Lite defines the additional security functional requirement for the
NON-IT-Environment:
! RE.Platform Security relating to the Security of the Hardware Platform the TOE is
loaded onto.
(05 Oct 07) General Business Use 55 of 56
TPG0159A
Appendix A
Glossary
A.1 Terms
HASH Transformation of a string of characters into a usually
shorter fixed length value or key that represents the
original string.
IC Dedicated Software IC Proprietary software which is required for testing
purposes and to implement special functions. For
Roper this includes the embedded test software and
additional test programmes which are run from outside
of the IC.
The Crypto libraries also form part of the IC dedicated
software.
IC Designer Institution (or its agent) responsible for the IC
Development. Atmel is the institution in respect of the
TOE.
IC Manufacturer Institution (or its agent) responsible for the IC
manufacturing, testing and pre-personalization. Atmel
is the institution in respect of the TOE.
IC Packaging
Manufacturer
Institution (or its agent) responsible for the IC
packaging and testing.
IC Pre-personalization
Data
Required information to enable the smartcard IC to be
configured by means of ROM options and to enable
programming of the EEPROM with customer specified
data.
Integrated Circuit (IC) Electronic component(s) designed to perform
processing and/or memory functions.
Personalizer Institution (or its agent) responsible for the smartcard
personalization and final testing.
Smartcard A credit sized plastic card which has a non volatile
memory and a processing unit embedded within it.
Security Target
56 of 56 General Business Use (05 Oct 07)
TPG0159A
Smartcard Embedded
Software
Software embedded in the smartcard application
(smartcard application software). This software is
provided by smartcard embedded software developer
(customer). Embedded software may be in any part of
User ROM or EEPROM.
Smartcard Embedded
Software Developer
Institution (or its agent) responsible for the smartcard
embedded software development and the
specification of pre-personalization requirements.
Smartcard Issuer Institution (or its agent) responsible for the smartcard
product delivery to the smartcard end-user.
Smartcard Product
Manufacturer
Institution (or its agent) responsible for the smartcard
product finishing process and testing.
Printed on recycled paper.
General Business Use
TPG0159A–SMIC–05Oct07
© Atmel Corporation 2007. All rights reserved. Atmel®
, logo and combinations thereof, Everywhere You Are®
and others, are registered
trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others.
Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any
intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL’S TERMS AND CONDI-
TIONS OF SALE LOCATED ON ATMEL’S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY
WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDEN-
TAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT
OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no
representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications
and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided
otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’s products are not intended, authorized, or warranted for use
as components in applications intended to support or sustain life.
Atmel Corporation Atmel Operations
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 487-2600
Regional Headquarters
Europe
Atmel Sarl
Route des Arsenaux 41
Case Postale 80
CH-1705 Fribourg
Switzerland
Tel: (41) 26-426-5555
Fax: (41) 26-426-5500
Asia
Room 1219
Chinachem Golden Plaza
77 Mody Road Tsimshatsui
East Kowloon
Hong Kong
Tel: (852) 2721-9778
Fax: (852) 2722-1369
Japan
9F, Tonetsu Shinkawa Bldg.
1-24-8 Shinkawa
Chuo-ku, Tokyo 104-0033
Japan
Tel: (81) 3-3523-3551
Fax: (81) 3-3523-7581
Memory
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 436-4314
Microcontrollers
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 436-4314
La Chantrerie
BP 70602
44306 Nantes Cedex 3, France
Tel: (33) 2-40-18-18-18
Fax: (33) 2-40-18-19-60
ASIC/ASSP/Smart Cards
Zone Industrielle
13106 Rousset Cedex, France
Tel: (33) 4-42-53-60-00
Fax: (33) 4-42-53-60-01
1150 East Cheyenne Mtn. Blvd.
Colorado Springs, CO 80906, USA
Tel: 1(719) 576-3300
Fax: 1(719) 540-1759
Scottish Enterprise Technology Park
Maxwell Building
East Kilbride G75 0QR, Scotland
Tel: (44) 1355-803-000
Fax: (44) 1355-242-743
RF/Automotive
Theresienstrasse 2
Postfach 3535
74025 Heilbronn, Germany
Tel: (49) 71-31-67-0
Fax: (49) 71-31-67-2340
1150 East Cheyenne Mtn. Blvd.
Colorado Springs, CO 80906, USA
Tel: 1(719) 576-3300
Fax: 1(719) 540-1759
Biometrics/Imaging/Hi-Rel MPU/
High Speed Converters/RF Datacom
Avenue de Rochepleine
BP 123
38521 Saint-Egreve Cedex, France
Tel: (33) 4-76-58-30-00
Fax: (33) 4-76-58-34-80
Literature Requests
www.atmel.com/literature