MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 1 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
REF: 2013-1-INF-1215 v1
Target: Expediente
Date: 30.07.2013
Created by: CERT8
Revised by: CALIDAD
Approved by: TECNICO
CERTIFICATION REPORT
File: 2013-1 WISE WASTE RFID
Applicant: PT500272492 SOMA - Sociedade de Montagem de Automóveis S.A.
References:
[EXT-2002] Certification Request
[EXT-2200] Evaluation Technical Report
The product documentation referenced in the above documents.
Certification report of the product WISE WASTE® RFID SYSTEM version 3.0.0, as
requested in [EXT-2002] dated 15-01-2013, and evaluated by the laboratory
EPOCHE AND ESPRI, as detailed in the Evaluation Technical Report [EXT-2200]
received on 30/05/2013.
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 2 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
TABLE OF CONTENTS
EXECUTIVE SUMMARY ..................................................................................................................................3
TOE SUMMARY ..............................................................................................................................................3
SECURITY ASSURANCE REQUIREMENTS................................................................................................5
SECURITY FUNCTIONAL REQUIREMENTS ..............................................................................................6
IDENTIFICATION..............................................................................................................................................6
SECURITY POLICIES .......................................................................................................................................6
ASSUMPTIONS AND OPERATIONAL ENVIRONMENT............................................................................6
CLARIFICATIONS ON NON-COVERED THREATS....................................................................................7
OPERATIONAL ENVIRONMENT FUNCTIONALITY.................................................................................8
ARCHITECTURE................................................................................................................................................8
DOCUMENTS ......................................................................................................................................................9
PRODUCT TESTING..........................................................................................................................................9
EVALUATED CONFIGURATION ...................................................................................................................9
EVALUATION RESULTS................................................................................................................................10
COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM.......................................10
CERTIFIER RECOMMENDATIONS ............................................................................................................11
GLOSSARY........................................................................................................................................................11
BIBLIOGRAPHY...............................................................................................................................................11
SECURITY TARGET........................................................................................................................................11
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 3 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
EXECUTIVE SUMMARY
This document constitutes the Certification Report for the certification file of the
product WISE WASTE® RFID SYSTEM version 3.0.0.
WISE WASTE® RFID SYSTEM is classified as a "Waste Bin Identification System
(WBIS)" as defined in the protection profile [WBIS-PP]. The TOE parts are:
- The ID-Tag.
- The vehicle software.
- The security module.
Developer/manufacturer: SOMA – Sociedade de Montagem de Automóveis S.A.
Sponsor: SOMA – Sociedade de Montagem de Automóveis S.A.
Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de
Inteligencia (CNI).
ITSEF:EPOCHE AND ESPRI.
Protection Profile: Protection Profile Waste Bin Identification Systems WBIS-PP
Version 1.04.
Evaluation Level: Common Criteria version 3.1 revision 4, EAL1+ ASE_SPD.1,
ASE_OBJ.2 and ASE_REQ.2.
Evaluation end date: 30/05/2013.
All the assurance components required by the evaluation level EAL1 (augmented
with ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2) have been assigned a “PASS”
verdict. Consequently, the laboratory EPOCHE AND ESPRI assigns the “PASS”
VERDICT to the whole evaluation due all the evaluator actions are satisfied for the
EAL1+ ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2, as defined by the Common
Criteria version 3.1 revision 4 and the Common Methodology for Information
Technology Security Evaluation version 3.1 revision 4.
Considering the obtained evidences during the instruction of the certification request
of the product WISE WASTE® RFID SYSTEM v3.0.0, a positive resolution is
proposed.
TOE SUMMARY
The TOE is the WISE WASTE® RFID SYSTEM, which is a "Waste Bin Identification
System" as defined in the protection profile [WBIS-PP]. This is a system that aims
the operational and fleet management of waste collection companies and it is
designed to implement billing methods based on how many times one's waste bin is
collected.
The full system consists of the following components:
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 4 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
- An ID-Tag, containing the identification data of a waste bin.
- A vehicle with an ID-Tag reader (consisting in antennas, a multiplexer and reader
module), lifter sensors, a button box and a vehicle computer. The vehicle
computer consists on a processing unit and a modem. The vehicle software is
installed in the vehicle computer, hence, in the module containing the processing
unit and the modem. The interface with the driver is done through a tactile
display.
- The office computer, installed in a remote location. The security module and the
server software are in this office computer.
Of the above described components, only the following are part of the TOE:
- The ID-Tag.
- The vehicle software.
- The security module.
With this system, waste containers equipped with an ID-Tag are identified and their
associated clearance data is recorded and time stamped by the vehicle software.
This data contains the identification number of the container. The recorded and time
stamped information is then sent to the office computer to be used for billing
purposes by city councils or waste collection private companies. It should be noted
that this system identifies waste containers and not the actual waste.
The WISE WASTE® RFID SYSTEM is capable of protecting the billing data for
manipulation and loss, providing a reliable structure for data transmission and
backup. The collection records are backed up in the vehicle computer, pre-validated
by the vehicle software and then sent to the office computer of the city council or
disposal company. After strict validation and scrutiny in the security module located
in the office computer, the clearance data can then be used to generate billing
invoices.
Not only clearance data is exchanged between the vehicle software and the office
computer. As WISE WASTE® RFID is an operational and fleet management system,
all the information regarding the work performed by the collection teams is
processed and sent to the office computer.
There, through accessing the server software, TOE costumers such as city councils
or private waste collection companies may not only manage the work performed by
their employees but also charge their own costumers based on the clearance
records. They can generate reports, billing invoices and monitor, in real time, the
work being performed by the waste collection teams.
The access to the vehicle software is granted to authorized personnel only, due to
physical and organizational measures. The office computer may only be accessed
by anyone who has valid credentials for it.
The TOE consists solely on the ID-Tag, the vehicle software and the security
module. All other components are part of the TOE environment, not the TOE.
Therefore, the TOE environment consists in elements such as the lifter sensors, the
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 5 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
button box, the ID-Tag reader (antennas, reader and multiplexer), the tactile display
and the physical channels from the ID-Tag to the vehicle software, from the vehicle
software to the tactile display and from the vehicle software to the security module.
All additional interfaces, as well as the tactile display software and the office software
are also not part of this TOE.
In terms of security features, the TOE is capable of:
- Generate and guarantee the validity of records of clearance data AT and
clearance data blocks AT+.
- Prevent the modification of user data when it is transmitted between physically
separated parts of the TOE.
- Monitor stored data for random manipulation.
- Implement fault tolerance when loss of user data in the primary memory of the
vehicle software occurs.
SECURITY ASSURANCE REQUIREMENTS
The product was evaluated with all the evidence required to fulfil the evaluation level
EAL1 and the evidences required by the additional component ASE_SPD.1,
ASE_OBJ.2 and ASE_REQ.2, according to Common Criteria version 3.1 revision 4.
Assurance Class Assurance components
ADV: Development
ADV_FSP.1 Basic functional
specification
AGD_OPE.1 Operational user guidance
AGD: Guidance documents
AGD_PRE.1 Preparative procedures
ALC_CMC.1 Labelling of the TOE
ALC: Life-cycle support
ALC_CMS.1 TOE CM coverage
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components
definitions
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security
requirements
ASE_SPD.1 Security problem
definition
ASE: Security Target evaluation
ASE_TSS.1 TOE summary specification
ATE: Tests
ATE_IND.1 Independent testing –
conformance
AVA: Vulnerability assessment AVA_VAN.1 Vulnerability survey
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 6 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
SECURITY FUNCTIONAL REQUIREMENTS
The product security functionality satisfies the following functional requirements,
according to the Common Criteria version 3.1 revision 4:
Class Components
FDP_DAU.1 Basic Data Authentication
FDP_ITT.5 Internal transfer integrity
protection
FDP: User Data Protection
FDP_SDI.1 Stored data integrity monitoring
FRU: Resource utilisation FRU_FLT.1 Degraded fault tolerance
IDENTIFICATION
Product: WISE WASTE® RFID SYSTEM v3.0.0
Security Target: SOMA - WISE WASTE® RFID SYSTEM Security target, v5.0.
Protection Profile: Protection Profile Waste Bin Identification Systems WBIS-PP
Version 1.04.
Evaluation Level: Common Criteria version 3.1 revision 4. EAL1+ (ASE_SPD.1,
ASE_OBJ.2 and ASE_REQ.2).
SECURITY POLICIES
The use of the product WISE WASTE® RFID SYSTEM v3.0.0 shall implement a set
of security policies assuring the fulfilment of different standards and security
demands.
The detail of these policies is documented in the Security Target. In short, it
establishes the need of implementing organisational policies related to the following
aspects.
Policy 01: P.Safe Fault tolerance
This security policy is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 15).
ASSUMPTIONS AND OPERATIONAL ENVIRONMENT
The following assumptions are constraints to the conditions used to assure the
security properties and functionalities compiled by the security target. These
assumptions have been applied during the evaluation in order to determine if the
identified vulnerabilities can be exploited.
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 7 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
In order to assure the secure use of the TOE, it is necessary to start from these
assumptions for its operational environment. If this is not possible and any of them
could not be assumed, it would not be possible to assure the secure operation of the
TOE.
Assumption 01: A.Id ID-Tag
This assumption is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 34).
Assumption 02: A.Trusted Trustworthy personnel
This assumption is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 34).
Assumption 03: A.Access Access protection
This assumption is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 34).
Assumption 04: A.Check Check of completeness
This assumption is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 34).
Assumption 05: A.Backup Data backup
This assumption is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 34).
CLARIFICATIONS ON NON-COVERED THREATS
The following threats do not suppose a risk for the product WISE WASTE® RFID
SYSTEM v3.0.0, although the agents implementing attacks have the attack potential
according to the basic attack potential of EAL1+ (ASE_SPD.1, ASE_OBJ.2 and
ASE_REQ.2) and always fulfilling the usage assumptions and the proper security
policies satisfaction.
For any other threat not included in this list, the evaluation results of the product
security properties and the associated certificate, do not guarantee any resistance.
The threats covered by the security properties of the TOE are categorized below.
Threat 01: T.Man Manipulated identification data
This threat is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 14).
Threat 02: T.Jam#1 Disturbed identification data
This threat is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 15).
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 8 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
Threat 03: T.Create Invalid records of clearance
This threat is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 15).
Threat 04: T.Jam#2 Corrupted record of clearance
This threat is included in the ST and it is described in the [WBIS-PP] Protection
Profile (page 15).
OPERATIONAL ENVIRONMENT FUNCTIONALITY
The product requires the cooperation from its operational environment to fulfil some
of the objectives of the defined security problem.
The security objectives declared for the TOE operational environment are
categorized below.
Environment objective 01: OE.Id ID-Tag
This environment objective is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 16).
Environment objective 02: OE.Trusted Trustworthy personnel
This environment objective is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 16).
Environment objective 03: OE.Access Access protection
This environment objective is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 17).
Environment objective 04: OE.Check Check of completeness
This environment objective is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 17).
Environment objective 05: OE.Backup Data backup
This environment objective is included in the ST and it is described in the [WBIS-PP]
Protection Profile (page 17).
The details of the product operational environment (assumptions, threats and
organisational security policies) and the TOE security requirements are included in
the associated security target.
ARCHITECTURE
The Target of Evaluation (TOE) is a "Waste Bin Identification System (WBIS)" and
consists of the following components:
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 9 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
- An ID-Tag containing the identification of the waste container (the waste is not
identified).
- A vehicle computer with a processing unit and a modem. The vehicle software is
the one installed in the vehicle computer considering no add-on features, namely,
the software of the processing unit and the modem.
- A security module installed in a remote location that interfaces the refuse
collection vehicle with the office computer.
DOCUMENTS
The product includes the following documents that shall be distributed and made
available together to the users of the evaluated version:
- SOMA-WISE WASTE RFID SYSTEM Security target, version 5.0, May 2013
- Manual Ww Rfid Toe Parts-V4 May 2013
- System Manual SOMA® Wise Waste® V4.0 RFID-V03 February 2013
PRODUCT TESTING
The evaluator has tested all the SFRs defined through the TOE TSFIs. It has been
checked that the obtained results conform to the expected results.
EVALUATED CONFIGURATION
The full system consists of the following components:
- An ID-Tag, containing the identification data of a waste bin.
- A vehicle with an ID-Tag reader (consisting in antennas, a multiplexer and
reader module), lifter sensors, a button box and a vehicle computer. The
vehicle computer consists on a processing unit and a modem. The vehicle
software is installed in the vehicle computer, hence, in the module containing
the processing unit and the modem. The interface with the driver is done
through a tactile display.
- The office computer, installed in a remote location. The security module and
the server software are in this office computer.
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 10 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
Of the above described components, only the following are part of the TOE:
- The ID-Tag.
- The vehicle software.
- The security module.
The system is delivered to the client fully installed, configured and validated. Upon
delivery of the vehicle, there is a document both SOMA, SA and the employer must
sign, listing the vehicle's characteristics, as well as the description and quantity of
system components installed. Upon delivery of the manual, the employer is able to
check whether the product version is the expected one.
EVALUATION RESULTS
The product WISE WASTE® RFID SYSTEM v3.0.0 has been evaluated against the
Security Target “SOMA - WISE WASTE® RFID SYSTEM Security target, v5.0”.
All the assurance components required by the evaluation level EAL1+ ASE_SPD.1,
ASE_OBJ.2 and ASE_REQ.2 have been assigned a “PASS” verdict. Consequently,
the laboratory EPOCHE AND ESPRI assigns the “PASS” VERDICT to the whole
evaluation due all the evaluator actions are satisfied for the evaluation level EAL1+
ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2, as defined by the Common Criteria
version 3.1 revision 4 and the Common Methodology for Information Technology
Security Evaluation version 3.1 revision 4.
COMMENTS & RECOMMENDATIONS FROM THE
EVALUATION TEAM
Next, recommendations regarding the secure usage of the TOE are provided. These
have been collected along the evaluation process and are detailed to be considered
when using the product.
The TOE usage is recommended given that there are not exploitable vulnerabilities
in the intended operational environment.
The following usage recommendations are given:
- The physical access to the TOE must be controlled to ensure that only authorized
personnel have access.
- The crew of the collection vehicle and the user of the office computer are
authorized and trustworthy.
- The operator should check at regular intervals if the transported data from the
vehicle software to the security module in office is complete. Identified loss of
data should be analyzed.
MINISTERIO DE LA PRESIDENCIA
CENTRO NACIONAL DE INTELIGENCIA
CENTRO CRIPTOLÓGICO NACIONAL
ORGANISMO DE CERTIFICACIÓN
Página 11 de 11
C/ Argentona nº 20
Fax: + 34 91 372 58 08
Email: organismo.certificacion@cni.es
CERTIFIER RECOMMENDATIONS
Considering the obtained evidences during the instruction of the certification request
of the product WISE WASTE® RFID SYSTEM v3.0.0, a positive resolution is
proposed.
GLOSSARY
CCN Centro Criptológico Nacional (National Criptologic Centre)
CNI Centro Nacional de Inteligencia (National Intelligence Centre)
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
OC Organismo de Certificación (Certification Body)
TOE Target Of Evaluation
BIBLIOGRAPHY
The following standards and documents have been used for the evaluation of the
product:
[CC_P1] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1, R4, September 2012.
[CC_P2] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1, R4, September 2012.
[CC_P3] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1, R4, September 2012.
[CEM] Common Methodology for Information Technology Security Evaluation:
Version 3.1, R4, September 2012.
[WBIS-PP] Protection Profile Waste Bin Identification Systems Version 1.04
SECURITY TARGET
Along with this certification report, the complete security target of the evaluation is
available in the Certification Body and CCRA websites: SOMA - WISE WASTE®
RFID SYSTEM Security target, v5.0.