Ref. : SSE-0000076322-01

COMMON CRITERIA SECURITY TARGET
Machine Readable Travel Document – Basic Access Control – CC IDeal Pass

Reference : SSE-0000076322-01
Date : 2009-03-27

TABLE OF CONTENTS

1 INTRODUCTION
1.1 SECURITY TARGET AND TOE REFERENCE
1.2 GENERAL OVERVIEW OF THE TARGET OF EVALUATION (TOE)
1.2.1 TOE type
1.2.2 Usage and major security features of the TOE
1.3 TOE DESCRIPTION
1.3.1 TOE Boundary
1.3.2 TOE architecture
1.3.3 TOE life cycle
2 CONFORMANCE CLAIMS
2.1 CONFORMANCE WITH THE COMMON CRITERIA
2.2 CONFORMANCE WITH AN ASSURANCE PACKAGE
2.3 CONFORMANCE WITH A PROTECTION PROFILE
2.3.1 Protection Profile reference
2.3.2 Protection Profile Refinements
2.3.3 Protection Profile Additions
2.3.4 Application notes
2.3.5 Protection Profile Claims rationale
2.4 CONFORMANCE WITH THE CC SUPPORTING DOCUMENTS
2.4.1 Application of Attack Potential to Smartcards
2.4.2 Composite product evaluation for Smartcards and similar devices
3 SECURITY PROBLEM DEFINITION
3.1 ASSETS
    Authenticity of the MRTD’s chip
3.2 SUBJECTS
3.3 THREATS
3.4 ORGANISATIONAL SECURITY POLICIES (OSP)
3.5 ASSUMPTIONS
4 SECURITY OBJECTIVES
4.1 SECURITY OBJECTIVES FOR THE TOE
4.2 SECURITY OBJECTIVES FOR THE DEVELOPMENT AND PRODUCTION ENVIRONMENT
4.3 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT
    Issuing State or Organization
    Receiving State or Organization
4.4 RATIONALE
4.4.1 Coverage matrix
4.4.2 Coverage of threats in the operational environment
4.4.3 Coverage of organisational security policies
4.4.4 Coverage of assumptions
5 EXTENDED COMPONENTS DEFINITION
5.1 DEFINITION OF THE FAMILY FAU_SAS
5.2 DEFINITION OF THE FAMILY FMT_LIM
5.3 DEFINITION OF THE FAMILY FCS_RND
5.4 DEFINITION OF THE FAMILY FPT_EMSEC
6 IT SECURITY REQUIREMENTS
6.1 INTRODUCTION
6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS
6.2.1 Class FAU Security Audit
6.2.2 Class Cryptographic Support (FCS)
6.2.3 Class FIA Identification and Authentication
6.2.4 Class FDP User Data Protection
6.2.5 Class FMT Security Management
6.2.6 Class FPT Protection of the Security Functions
6.3 SECURITY ASSURANCE REQUIREMENTS FOR THE TOE
7 TOE SUMMARY SPECIFICATION
7.1 STATEMENT OF TOE SECURITY FUNCTIONALITY
7.1.1 Chip security functionalities
7.1.2 Low level security functionalities
7.1.3 Operating system security functionalities
7.1.4 Application manager security functionalities
7.1.5 Application security functionalities
8 DEFINITIONS, GLOSSARY AND ACRONYMS
8.1 ACRONYMS
8.2 CONVENTIONS USED
8.3 DEFINITIONS
9 REFERENCE AND APPLICABLE DOCUMENTS
9.1 REFERENCE DOCUMENTS
9.2 APPLICABLE DOCUMENTS

List of tables
Table 1: Security problem definition / Security objectives
Table 2: Overview on authentication SFR

List of figures
Figure 1: Architecture of the CC IDeal Pass
Figure 2: TOE life cycle

1 INTRODUCTION

1.1 SECURITY TARGET AND TOE REFERENCE

Title : MACHINE READABLE TRAVEL DOCUMENT – BASIC ACCESS CONTROL – CC IDEAL PASS
ST reference : Security target identifier : SSE-0000076322-01
Version : 1.3.3
TOE reference : Chip identifier ST23YR80 Revision A ; TOE Identifier IDEAL/ST23YR80/1.3.3
Administration guidance : 0000074722 - IDeal - AGD - Pre-Personalization Manual ; 0000074723 - IDeal - AGD - Personalization Manual
User guidance : 0000074862 - IDeal - AGD - ICAO User Manual
CC compliance : Version : 3.1 ; Assurance level : EAL4 augmented with ALC_DVS.2
Chip and cryptolibrary certificate reference : DCSSI-2009/28
Protection Profile : BSI-CC-PP-0055, VERSION 1.10 [R5]

1.2 GENERAL OVERVIEW OF THE TARGET OF EVALUATION (TOE)

1.2.1 TOE type

The Target of Evaluation (TOE) is a contactless chip programmed according to the Logical Data Structure (LDS) [R9] (i.e. the MRTD’s chip) and providing the advanced security method Basic Access Control (BAC) as defined in the Technical Reports of “ICAO Doc 9303” [R9]. The MRTD’s chip allows the authenticity of the travel document and the identity of its holder to be checked during a border control, with the support of an inspection system.

The MRTD’s chips are intended to be inserted into the cover page of traditional passport booklets. They can be integrated into modules, inlays or datapages. The final product can be a passport, a plastic card etc.

The Chip Authentication prevents the data traces described in [R9] informative appendix 7, A7.3.3. The Chip Authentication is provided by the following steps:
− the inspection system communicates by means of secure messaging established by Basic Access Control,
− the inspection system reads and verifies by means of the Passive Authentication the authenticity of the MRTD’s Chip Authentication Public Key using the Document Security Object,
− the inspection system generates an ephemeral key pair,
− the TOE and the inspection system agree on two session keys for secure messaging in ENC_MAC mode according to the Diffie-Hellman Primitive,
− the inspection system verifies by means of the received message authentication codes whether the MRTD’s chip was able or not to run this protocol properly (i.e. the TOE proves to be in possession of the Chip Authentication Private Key corresponding to the Chip Authentication Public Key used for derivation of the session keys).

The Chip Authentication requires collaboration of the TOE and the TOE environment.

1.2.2 Usage and major security features of the TOE

The MRTD’s chip enables:
− protection of integrity of the holder’s stored data: issuing state or organization, travel document number, expiration date, holder’s name, nationality, birth date, sex, holder’s face portrait, other optional data, additional biometric data and several other pieces of data for managing the security of the document,
− authentication between the travel document holder and the inspection system prior to any border control by the Basic Access Control mechanism,
− protection of integrity and confidentiality of data read by secure messaging.

In addition to the protection provided by the chip, the logical MRTD is protected in authenticity and integrity by a digital signature created by the document signer acting for the issuing State or Organization and by the security features of the MRTD’s chip.

The physical MRTD is protected by physical security measures (e.g. watermark on paper, security printing), logical measures (e.g. authentication keys of the MRTD’s chip) and organizational security measures (e.g. control of materials, personalization procedures) [R9]. These security measures include the binding of the MRTD’s chip to the passport book. The details of these features are specified in [R9].

1.3 TOE DESCRIPTION

1.3.1 TOE Boundary

The Target Of Evaluation (TOE) is the contactless integrated circuit chip of machine readable travel documents (MRTD’s chip) programmed according to the Logical Data Structure (LDS) [R9] and providing Basic Access Control according to the ICAO Doc 9303 [R9]. Only the BAC feature is covered by this ST. The EAC feature is covered by another ST.

The TOE boundary encompasses:
− The ICAO application
− The Operating System
− The ST embedded crypto library
− The ST chip

The TOE does not allow any additional applets loading during its operational use.

1.3.2 TOE architecture

The TOE embeds two applications:
− the AIP Application, compliant with [R19], which performs the pre-personalization and the personalization operations of the CC IDeal Pass. This application is not accessible once in the Operational Use phase.
− the ICAO application, which is compliant with [R9]. The ICAO application may be instantiated several times.

The TOE does not allow any additional applets loading during its operational use. The architecture of the CC IDeal Pass is given in Figure 1.

Figure 1: Architecture of the CC IDeal Pass (block diagram; blocks shown: Operating System, HAL, ICAO application with ICAO instance and ICAO Data, AIP application with AIP Instance and AIP Data, the AIP application being deactivated in user phase)
1.3.3 TOE life cycle

The product’s life cycle is organised as follows:

Figure 2: TOE life cycle (diagram; contents: Phase 1 Development, Step 1 IC design and dedicated software development, Step 2 Embedded software development, Integration, Photomask fabrication; Phase 2 Manufacturing, Step 3 IC manufacturing, test and possible pre-personalization, Step 4 IC packaging and initialization, Step 5 IC pre-personalization: Create application / Create LDS File System; Phase 3 Personalization, Step 6; Phase 4 Usage, Step 7, End of life. Legend: trusted delivery and verification procedures; delivery supposed to be done within secure environment; TOE considered under construction for the evaluation, covered by assurance class ALC; TOE considered as operational for the evaluation, covered by assurance class AGD.)

This figure represents two views of the life-cycle:

(1) an “end-user” view made of 4 phases, focusing on the main logical phases as defined in a protection profile like [R5]:
a. Development phase: IC design, and embedded software development;
b. Manufacturing phase: from IC manufacturing to booklet manufacturing, including patch loading, application creation and pre-personalization (loading the authentication key for the personalization agent);
c. Personalization phase: loading of all data related to the MRTD holder;
d. Operational use phase: MRTD used by the traveler at the border control. The user data can be read according to the security policy of the issuing State or Organization and can be used according to the security policy of the issuing State, but they can never be modified.

(2) a business view made of 7 steps, focusing more on the different trades and actors involved in the smartcard business, and commonly used in protection profiles related to smartcards such as [R7]. For example, the company in charge of IC manufacturing may be different from the one in charge of IC packaging, as well as from the one in charge of packaging, initialisation and pre-personalization, not considering all other actors involved in this phase: antenna supplier, booklet supplier. The definition of the content of each step and the associated supply chain vary from one provider to another and the picture is just indicative.

Referring to the life-cycle, the evaluated product is the product that comes out of the IC manufacturing, test and possible pre-personalization operations (step 3). At this step, the product is already self-protected before delivery to step 4 and all steps after.

If a patch is necessary, it will be developed under the same conditions as the whole embedded software and will be included in the chip during manufacturing (phase 3 of the smart card life cycle) or during pre-personalization (phase 5 of the smart card life cycle).

2 CONFORMANCE CLAIMS

2.1 CONFORMANCE WITH THE COMMON CRITERIA

This Security Target claims conformance to:
− Part 1 of the Common Criteria, Version 3.1, Release 1, dated September 2006 (see [R1]),
− Part 2 of the Common Criteria, Version 3.1, Release 2, dated September 2007 (see [R2]),
− Part 3 of the Common Criteria, Version 3.1, Release 2, dated September 2007 (see [R3]),
as follows:
− Part 2 extended,
− Part 3 conformant.

2.2 CONFORMANCE WITH AN ASSURANCE PACKAGE

The level of assurance targeted by this Security Target is EAL4, augmented by the following component defined in CC part 3 [R3]:
− ALC_DVS.2.

2.3 CONFORMANCE WITH A PROTECTION PROFILE

2.3.1 Protection Profile reference

This Security Target claims strict conformance to the Protection Profile MRTD BAC [R5].

2.3.2 Protection Profile Refinements

No specific refinement was performed to the Protection Profile MRTD BAC [R5].

2.3.3 Protection Profile Additions

There is no addition to the protection profile in this security target.

2.3.4 Application notes

Application notes from the PP MRTD BAC [R5] have been copied in this ST when relevant.

2.3.5 Protection Profile Claims rationale

The TOE type defined in this security target is exactly the same as the one defined in the PP MRTD BAC [R5]: a contactless chip with embedded software, and the MRTD application conformant to ICAO [R9]. In the following, the statements of the security problem definition, the security objectives, and the security requirements are identical to those of the PP MRTD BAC [R5]. There is neither addition nor refinement or augmentation performed in this security target compared to the PP [R5]. All PP requirements have been shown to be satisfied in the present document, including the extended set of requirements whose completeness, consistency and soundness has been argued in the rationale sections of the PP.

2.4 CONFORMANCE WITH THE CC SUPPORTING DOCUMENTS

This security target addresses a smartcard TOE and therefore the associated evaluation shall be performed in compliance with all CC mandatory supporting documents related to smartcard evaluations:

2.4.1 Application of Attack Potential to Smartcards

This document [R11] shall be used instead of the CEM [R4] when calculating the attack potential of the successful attacks performed during the AVA_VAN analysis. This document impacts only the vulnerability analysis performed by the ITSEF, and is not detailed here.

2.4.2 Composite product evaluation for Smartcards and similar devices

This document [R12] shall be used in addition to the CC part 3 [R3] and to the CEM [R4]. This document specifies the additional information to be provided by a developer, and the additional checks to be performed by the ITSEF when performing a “composite evaluation”. This is the case for the current TOE as the underlying IC ST23YR80 revision A is already evaluated and certified under the reference 2009/28. Therefore, the following additional assurance requirements apply for this TOE:
− ASE_COMP.1 for the security target ;
− ALC_COMP.1 for the life cycle support ;
− ADV_COMP.1 for the development activity ;
− ATE_COMP.1 for the tests activity ;
− AVA_COMP.1 for the vulnerability assessment.

3 SECURITY PROBLEM DEFINITION

3.1 ASSETS

The logical MRTD data consists of the EF.COM, EF.DG1 to EF.DG16 (with different security needs) and the Document Security Object EF.SOD according to LDS [R9]. These data are user data of the TOE. The EF.COM lists the existing elementary files (EF) with the user data. EF.DG1 to EF.DG13 and EF.DG16 contain personal data of the MRTD holder. The Chip Authentication Public Key (EF.DG14) is used by the inspection system for the Chip Authentication. The EF.SOD is used by the inspection system for Passive Authentication of the logical MRTD.

For interoperability reasons, as in the ‘ICAO Doc 9303’ [R9], the TOE described in this security target specifies only the BAC mechanisms, with resistance against enhanced basic attack potential, granting access to
− Logical MRTD standard User Data (i.e. Personal Data) of the MRTD holder (EF.DG1, EF.DG2, EF.DG5 to EF.DG13, EF.DG16),
− Chip Authentication Public Key in EF.DG14,
− Active Authentication Public Key in EF.DG15,
− Document Security Object (SOD) in EF.SOD,
− Common data in EF.COM.

The TOE prevents read access to sensitive User Data
− Sensitive biometric reference data (EF.DG3, EF.DG4) (1).

A sensitive asset is the following more general one.

Authenticity of the MRTD’s chip

The authenticity of the MRTD’s chip personalized by the issuing State or Organization for the MRTD holder is used by the traveler to prove his possession of a genuine MRTD.

(1) Cf. [R10] for details on how to access these User Data under EAC protection.

3.2 SUBJECTS

The following individuals and IT systems have access to the TOE:

Manufacturer

“Manufacturer” is the generic term for the IC Manufacturer producing the integrated circuit as well as for the MRTD Manufacturer completing the IC to the MRTD’s chip. The Manufacturer is the default user of the TOE during the Phase 2 Manufacturing (step 3 to step 5). In this Security Target, the TOE does not distinguish between the users “IC Manufacturer” and “MRTD Manufacturer” using this role Manufacturer.

Personalization Agent

The agent is acting on behalf of the issuing State or Organization to personalize the MRTD for the holder by:
− establishing the identity of the holder for the biographic data in the MRTD,
− enrolling the biometric reference data of the MRTD holder, i.e. the portrait, the encoded finger image(s) and/or the encoded iris image(s),
− writing these data on the physical and logical MRTD for the holder as defined for global, international and national interoperability,
− writing the initial TSF data and
− signing the Document Security Object defined in [R9].

Terminal

A terminal is any technical system communicating with the TOE through its contactless interface.

Inspection system (IS)

A technical system used by the border control officer of the receiving State:
− examining an MRTD presented by the traveler and verifying its authenticity,
− verifying the traveler as the MRTD holder.

The Basic Inspection System (BIS):
− contains a terminal for the contactless communication with the MRTD’s chip,
− implements the terminal’s part of the Basic Access Control Mechanism,
− gets the authorization to read the logical MRTD under the Basic Access Control by optically reading the MRTD or other parts of the passport book providing this information.

The General Inspection System (GIS) is a Basic Inspection System which additionally implements the Chip Authentication Mechanism.

The Extended Inspection System (EIS), in addition to the General Inspection System:
− implements the Terminal Authentication Protocol,
− is authorized by the issuing State or Organization through the Document Verifier of the receiving State to read the sensitive biometric reference data.
The security attributes of the EIS are defined by the Inspection System Certificates.

Application note 1: This security target does not distinguish between the BIS, GIS and EIS because the Chip Authentication Mechanism and the Extended Access Control are outside the scope.

MRTD Holder

The rightful holder of the MRTD for whom the issuing State or Organization personalized the MRTD.

Traveler

Person presenting the MRTD to the inspection system and claiming the identity of the MRTD holder.

Attacker

A threat agent trying:
− to identify and to trace the movement of the MRTD’s chip remotely (i.e. without knowing or optically reading the printed MRZ data),
− to read or to manipulate the logical MRTD without authorization, or
− to forge a genuine MRTD.

Application note 2: An impostor is attacking the inspection system as TOE IT environment, independent of using a genuine, counterfeit or forged MRTD. Therefore the impostor may use results of successful attacks against the TOE, but the attack itself is not relevant for the TOE.

3.3 THREATS

T.Chip_ID Identification of MRTD’s chip

An attacker trying to trace the movement of the MRTD by identifying remotely the MRTD’s chip by establishing or listening to communications through the contactless communication interface. The attacker cannot read and does not know the MRZ data printed on the MRTD data page in advance.

T.Skimming Skimming the logical MRTD

An attacker imitates the inspection system to read the logical MRTD or parts of it via the contactless communication channel of the TOE. The attacker cannot read and does not know the MRZ data printed on the MRTD data page in advance.

T.Eavesdropping Eavesdropping on the communication between TOE and inspection system

An attacker is listening to the communication between the MRTD’s chip and an inspection system to gain the logical MRTD or parts of it. The inspection system uses the MRZ data printed on the MRTD data page but the attacker does not know these data in advance.

Note: in case of T.Skimming the attacker is establishing a communication with the MRTD’s chip without knowing the MRZ data printed on the MRTD data page and without the help of the inspection system which knows these data. In case of T.Eavesdropping the attacker uses the communication of the inspection system.

T.Forgery Forgery of data on MRTD’s chip

An attacker alters fraudulently the complete stored logical MRTD or any part of it, including its security related data, in order to deceive an inspection system by means of the changed MRTD holder’s identity or biometric reference data. This threat comprises several attack scenarios of MRTD forgery. The attacker may alter the biographical data on the biographical data page of the passport book, in the printed MRZ and in the digital MRZ to claim another identity of the traveler. The attacker may alter the printed portrait and the digitized portrait to overcome the visual inspection of the inspection officer and the automated biometric authentication mechanism by face recognition. The attacker may alter the biometric reference data to defeat the automated biometric authentication mechanism of the inspection system. The attacker may combine data groups of different logical MRTDs to create a new forged MRTD, e.g. the attacker writes the digitized portrait and optional biometric reference finger data read from the logical MRTD of a traveler into another MRTD’s chip, leaving their digital MRZ unchanged, to claim the identity of the holder of this MRTD. The attacker may also copy the complete unchanged logical MRTD to another contactless chip.

The TOE shall also avert the threats as specified below:

T.Abuse-Func Abuse of Functionality

An attacker may use functions of the TOE which shall not be used in the “TOE operational Use” phase in order
− to manipulate User Data,
− to manipulate (explore, bypass, deactivate or change) security features or functions of the TOE or
− to disclose or to manipulate TSF Data.
This threat addresses the misuse of the functions for the initialization and the personalization in the operational state after delivery to the MRTD holder.

T.Information_Leakage Information Leakage from MRTD’s chip

An attacker may exploit information which is leaked from the TOE during its usage in order to disclose confidential TSF data. The information leakage may be inherent in the normal operation or caused by the attacker. Leakage may occur through emanations, variations in power consumption, I/O characteristics, clock frequency, or by changes in processing time requirements. This leakage may be interpreted as a covert channel transmission but is more closely related to measurement of operating parameters, which may be derived either from measurements of the contactless interface (emanation) or direct measurements (by contact to the chip, still available even for a contactless chip) and can then be related to the specific operation being performed. Examples are the Differential Electromagnetic Analysis (DEMA) and the Differential Power Analysis (DPA). Moreover the attacker may try actively to enforce information leakage by fault injection (e.g. Differential Fault Analysis).

T.Phys-Tamper Physical Tampering

An attacker may perform physical probing of the MRTD’s chip in order
− to disclose TSF Data, or
− to disclose/reconstruct the MRTD’s chip Embedded Software.
An attacker may physically modify the MRTD’s chip in order to
− modify security features or functions of the MRTD’s chip,
− modify security functions of the MRTD’s chip Embedded Software,
− modify User Data or
− modify TSF data.
The physical tampering may be focused directly on the disclosure or manipulation of TOE User Data (e.g. the biometric reference data for the inspection system) or TSF Data (e.g. authentication key of the MRTD’s chip), or indirectly by preparation of the TOE for following attack methods by modification of security features (e.g. to enable information leakage through power analysis). Physical tampering requires direct interaction with the MRTD’s chip internals. Techniques commonly employed in IC failure analysis and IC reverse engineering efforts may be used. Before that, the hardware security mechanisms and layout characteristics need to be identified. Determination of software design, including treatment of User Data and TSF Data, may also be a pre-requisite. The modification may result in the deactivation of a security function. Changes of circuitry or data can be permanent or temporary.

T.Malfunction Malfunction due to Environmental Stress

An attacker may cause a malfunction of TSF or of the MRTD’s chip Embedded Software by applying environmental stress in order to
− deactivate or modify security features or functions of the TOE or
− circumvent, deactivate or modify security functions of the MRTD’s chip Embedded Software.
This may be achieved e.g. by operating the MRTD’s chip outside the normal operating conditions, exploiting errors in the MRTD’s chip Embedded Software or misusing administration functions. To exploit these vulnerabilities an attacker needs information about the functional operation.

3.4 ORGANISATIONAL SECURITY POLICIES (OSP)

The TOE shall comply with the following Organizational Security Policies (OSP) as security rules, procedures, practices, or guidelines imposed by an organization upon its operations.

P.Manufact Manufacturing of the MRTD’s chip

The Initialization Data are written by the IC Manufacturer to identify the IC uniquely. The MRTD Manufacturer writes the Pre-personalization Data, which contain at least the Personalization Agent Key.

P.Personalization Personalization of the MRTD by issuing State or Organization only

The issuing State or Organization guarantees the correctness of the biographical data, the printed portrait and the digitized portrait, the biometric reference data and other data of the logical MRTD with respect to the MRTD holder. The personalization of the MRTD for the holder is performed by an agent authorized by the issuing State or Organization only.

P.Personal_Data Personal data protection policy

The biographical data and their summary printed in the MRZ and stored on the MRTD’s chip (EF.DG1), the printed portrait and the digitized portrait (EF.DG2), the biometric reference data of finger(s) (EF.DG3), the biometric reference data of iris image(s) (EF.DG4) (2) and data according to LDS (EF.DG5 to EF.DG13, EF.DG16) stored on the MRTD’s chip are personal data of the MRTD holder. These data groups are intended to be used only with agreement of the MRTD holder by inspection systems to which the MRTD is presented. The MRTD’s chip shall provide the possibility for the Basic Access Control to allow read access to these data only for terminals successfully authenticated based on knowledge of the Document Basic Access Keys as defined in [R9].

Application note 3: The organizational security policy P.Personal_Data is drawn from the ‘ICAO Doc 9303’ [R9]. Note that the Document Basic Access Key is defined by the TOE environment and loaded to the TOE by the Personalization Agent.

(2) Note that EF.DG3 and EF.DG4 are only readable after successful EAC authentication, which is not covered by this Protection Profile.

3.5 ASSUMPTIONS

The assumptions describe the security aspects of the environment in which the TOE will be used or is intended to be used.

A.MRTD_Manuf MRTD manufacturing on step 4 to 6

It is assumed that appropriate functionality testing of the MRTD is used. It is assumed that security procedures are used during all manufacturing and test operations to maintain confidentiality and integrity of the MRTD and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft or unauthorized use).

A.MRTD_Delivery MRTD delivery during step 4 to 6

Procedures shall guarantee the control of the TOE delivery and storage process and conformance to its objectives:
− Procedures shall ensure protection of TOE material/information under delivery and storage.
− Procedures shall ensure that corrective actions are taken in case of improper operation in the delivery process and storage.
− Procedures shall ensure that people dealing with the procedure for delivery have got the required skill.

A.Pers_Agent Personalization of the MRTD’s chip

The Personalization Agent ensures the correctness of
− the logical MRTD with respect to the MRTD holder,
− the Document Basic Access Keys,
− the Chip Authentication Public Key (EF.DG14) if stored on the MRTD’s chip, and
− the Document Signer Public Key Certificate (if stored on the MRTD’s chip).
The Personalization Agent signs the Document Security Object. The Personalization Agent bears the

(The remaining text of this section survives only in fragments; the recoverable parts follow.)

− implements the terminal part of the Basic Access Control [R9].
The Basic Inspection System reads the logical MRTD under Basic Access Control and performs the

Application note 4: According to [R9] the support of the Passive Authentication mechanism is [...] does not address Primary Inspection [...]

[Cryptographic qualit]y of Basic Access Control Keys

[...] and imported by the issuing State or Organization have to provide sufficient cryptographic strength. As a consequence of the “ICAO Doc [9303]” [...] printed MRZ data. It has to be ensured that these data provide sufficient entropy to withstand [... gue]ssing the MRZ data resp. the BAC keys [...] entropy potential [...] account. E.g.
there might be a direct dependency between the Document Number when tive Personalization Agent Authentication to authenticate himself to the TOE by symmetric cryptographic mechanisms. A.Insp_Sys Inspection Systems for global interoperability The Inspection System is used by the border control officer of the receiving State − Examining an MRTD presented by the traveler and verifying its authenticity and − verifying the traveler as MRTD holder. The Basic Inspection System for global interoperability − includes the Country Signing CA Public Key and the Document Signer Public Key of each issuing State or Organization, and Passive Authentication to verify the logical MRTD. mandatory whereas t c Access Control is optional. This ST d Systems therefore the BAC is mandatory within this ST. A.BAC-Keys Cryptographic qualit The Document Bas ss Control Keys being generated a 9303” [R9], the Document Basic Access Control Keys are derived from a defined subset of the individual pr any attack based on the decision that the inspection system has to derive Document Access Keys the printed MRZ data with enhanced basic attack potential. Application note 5: When asse dependencies between these data (especially single items of the MRZ) have to be considered and taken into chosen consecu ly and the issuing date. Ref. : SSE-0000076322-01 Page 19/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 19/68 4 SECURITY OBJECTIVES he security objectives for the TOE environment are separated into security objectives for ent and produc erational environment. 4.1 ed threats al security policies to be met by the TOE. alization of logical MRTD rized Personalization Agents ta may be written only during and a groups EF.DG 3 to EF.DG16 are added. ersonalization, − the Personalization Agents may : • add (fill) data into the LDS data gro update and si rt for adding data . to terminals successfully authenticated as Personalization Agent. 
Read access to EF.DG1, EF.DG2 and EF.DG5 to EF.DG16 is granted to terminals successfully authenticated as Basic Inspection System. The Basic Inspection System shall authenticate itself by means of the Basic Access Control based on knowledge of the Document Basic Access Key. The TOE must ensure the confidentiality of the logical MRTD data during their transmission to the Basic Inspection System. Application note 7: The traveler grants the authorization for reading the personal data in EF.DG1, EF.DG2 and EF.DG5 to EF.DG16 to the inspection system by presenting the MRTD. The MRTD’s chip shall provide read access to these data for terminals successfully authenticated by means of the Basic This chapter describes the security objectives for the TOE and the security objectives for the TOE environment. T the developm tion environment and security objectives for the op SECURITY OBJECTIVES FOR THE TOE This section describes the security objectives for the TOE addressing the aspects of identifi to be countered by the TOE and organization OT.AC_Pers Access Control for Person The TOE must ensure that the logical MRTD data in EF.DG1 to EF.DG16, the Document security object according to LDS [R9] and the TSF data can be written by autho only. The logical MRTD data in EF.DG1 to EF.DG16 and the TSF da cannot be changed after its personalization. The Document security object can be updated by authorized Personalization Agents if data in the dat Application note 6: The OT.AC_Pers implies that − the data of the LDS groups written during personalization for MRTD holder (at least EF.DG1 and EF.DG2) can not be changed by write access after p ups not written yet, and • gn the Document Security Object accordingly. The suppo in the “Operational Use” phase is optional. OT.Data_Int Integrity of personal data The TOE must ensure the integrity of the logical MRTD stored on the MRTD’s chip against physical manipulation and unauthorized writing. 
The TOE must ensure that the inspection system is able to detect any modification of the transmitted logical MRTD data OT. Data_Conf Confidentiality of personal data The TOE must ensure the confidentiality of the logical MRTD data groups EF.DG1 to EF.DG16. Read access to EF.DG1 to EF.DG16 is granted Ref. : SSE-0000076322-01 Page 20/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 20/68 Access Control ba y objective OT.Data_Conf requi function Basic Access Control Authentication. The Document Basic Access Keys are derived from the MRZ data defined by the TOE - Keys. Note that the authorization for reading the biometric data in EF.DG3 and EF.DG4 is only granted t covered by this security target. Thus the read access provide mea in its non-volatile T.Identification addresses security features of the TOE to support the life cycle security in the manufacturing and personalization phases. The IC ase 3 “Personalization of the es security features of the TOE to be used by the TOE manufa the Document Number as part of integrate identifier through the contactless interface before successful authentication as Basic Inspection System or as Personalization Agent. The following TOE security objectives address the protection provided by the MRTD’s chip independent nctionality the TOE to prevent the abuse of test and support dicated Test Software which are not specified here. sed on knowledge of the Document Basic Access Keys. The securit res the TOE to ensure the strength of the security environment and are loaded into the TOE by the Personalization Agent. Therefore the sufficient quality of these keys has to result from the MRZ data’s entropy. Any attack based on decision of the “ICAO Doc 9303” [R9] that the inspection system derives Document Basic Access is ensured by OE.BAC after successful Enhanced Access Control no must be prevented even in case of a successful BAC Authentication. 
OT.Identification Identification and Authentication of the TOE The TOE must ns to store IC Identification and Pre-Personalization Data memory. The IC Identification Data must provide a unique identification of the IC during Phase 2 “Manufacturing” and Phase 3 “Personalization of the MRTD”. The storage of the Pre-Personalization data includes writing of the Personalization Agent Authentication key(s). ). In Phase 4 “Operational Use” the TOE shall identify itself only to a successful authenticated Basic Inspection System or Personalization Agent. Application note 8: The TOE security objective O Identification Data are used for TOE identification in Phase 2 “Manufacturing” and for traceability and/or to secure shipment of the TOE from Phase 2 “Manufacturing” into the Ph MRTD”. The OT.Identification address cturing. In the Phase 4 “Operational Use” the TOE is identified by the printed and digital MRZ. The OT.Identification forbids the output of any other IC (e.g. d circuit card serial number ICCSN) or MRTD of the TOE environment. OT.Prot_Abuse-Func Protection against Abuse of Fu After delivery of the MRTD Holder, the TOE must functions that may be maliciously used to − disclose critical User Data, − manipulate critical User Data of the IC Embedded Software, − manipulate Soft-coded IC Embedded Software or − bypass, deactivate, change or explore security features or functions of the TOE. Details of the relevant attack scenarios depend, for instance, on the capabilities of the Test Features provided by the IC De OT.Prot_Inf_Leak Protection against Information Leakage Ref. 
: SSE-0000076322-01 Page 21/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 21/68 The TOE must provide protection against disclosure of confidential TSF data stored and/or processed per ded (using standard tools for measuring voltage and current) or − measuring not using galvanic contacts but other types of physical interaction between charges he normal nmental conditions may include external energy (esp. electromagnetic) fields, ed knowledge about the TOE’s internals. 4.2 in the MRTD’s chip − by measurement and analysis of the shape and amplitude of signals or the time between events found by measuring signals on the electromagnetic field, power consumption, clock, or I/O lines and − by forcing a malfunction of the TOE and/or − by a physical manipulation of the TOE. Application note 9: This objective pertains to measurements with subsequent complex signal processing due to normal operation of the TOE or operations enforced by an attacker. Details correspond to an analysis of attack scenarios which is not given here. OT.Prot_Phys-Tam Protection against Physical Tampering The TOE must provide protection of the confidentiality and integrity of the User Data, the TSF Data, and the MRTD’s chip Embedded Software. This includes protection against attacks with enhanced basic attack potential by means of − measuring through galvanic contacts which is direct physical probing on the chips surface except on pads being bon (using tools used in solid-state physics research and IC failure analysis) − manipulation of the hardware and its security features, as well as − controlled manipulation of memory contents (User Data, TSF Data) with a prior − reverse-engineering to understand the design and its properties and functions. OT.Prot_Malfunction Protection against Malfunctions The TOE must ensure its correct operation. 
The TOE must prevent its operation outside t operating conditions where reliability and secure operation has not been proven or tested. This is to prevent errors. The enviro voltage (on any contacts), clock frequency, or temperature. Application note 10: A malfunction of the TOE may also be caused using a direct interaction with elements on the chip surface. This is considered as being a manipulation (refer to the objective OT.Prot_Phys-Tamper) provided that detail SECURITY OBJECTIVES FOR THE DEVELOPMENT AND PRODUCTION ENVIRONMENT OE.MRTD_Manufact Protection of the MRTD Manufacturing Appropriate functionality testing of the TOE shall be used in step 4 to 6. Ref. : SSE-0000076322-01 Page 22/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 22/68 During all manufactu d test operations, security procedures shall and 6 to maintain confid the TOE and its manufac ring an be used through phases 4, 5 entiality and integrity of turing and test data. isclosure of any security relevant information, level, transmittal form, reception acknowledgment), rs: ip • tive actions are taken in case of improper operation in the delivery e to meet the procedure ctations. Y OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ing security objectives of the TOE environment. − personalize the MRTD for the holder together with the defined physical and logical security measures to protect the confidentiality and integrity of these data. 
ganiz OE.MRTD_ Delivery Protection of the MRTD delivery Procedures shall ensure protection of TOE material/information under delivery including the following objectives: − non-d − identification of the element under delivery, − meet confidentiality rules (confidentiality − physical protection to prevent external damage, − secure storage and handling procedures (including rejected TOE’s), − traceability of TOE during delivery including the following paramete • origin and sh ment details, reception, reception acknowledgement, • location material/information. Procedures shall ensure that correc process (including if applicable any non-conformance to the confidentiality convention) and highlight all non-conformance to this process. Procedures shall ensure that people (shipping department, carrier, reception department) dealing with the procedure for delivery have got the required skill, training and knowledg requirements and be able to act fully in accordance with the above expe 4.3 SECURIT Issuing State or Organization The issuing State or Organization will implement the follow OE.Personalization Personalization of logical MRTD The issuing State or Organization must ensure that the Personalization Agents acting on behalf of the issuing State or Organization − establish the correct identity of the holder and create biographical data for the MRTD, − enroll the biometric reference data of the MRTD holder i.e. the portrait, the encoded finger image(s) and/or the encoded iris image(s) and OE.Pass_Auth_Sign Authentication of logical MRTD by Signature The issuing State or Or ation must Ref. : SSE-0000076322-01 Page 23/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 23/68 − generate a cryptographic secure Country Signing CA Key Pair, Document Signer Certificates ates and te a cryptographic secure Document Signer Key Pair and ensure the secrecy of the in a secure operational environment only and ons. 
EF.SOD relates to all data in the data in EF.DG1 rol Keys ys being generated and imported by the issuing State or gth. As a consequence of the ‘ICAO Doc l Keys are derived from a defined subset of the individual printed MRZ data. It has to be ensured that these data provide sufficient entropy to withstand any Receiving State or Organization The inspection system of the receiving State or Organization must examine the MRTD presented by icity by means of the physical security measures and to detect any the Country Signing Public Key and the Document Signer Public Key of each issuing tion, a − implements the terminal part of the Basic Access Control [R9]. rification by Passive Authentication traveler as the logical MRTD before they are used. The ty in all inspection systems. − ensure the secrecy of the Country Signing CA Private Key and sign in a secure operational environment, and − distribute the Certificate of the Country Signing CA Public Key to receiving St Organizations maintaining its authenticity and integrity. The issuing State or Organization must − genera Document Signer Private Keys, − sign Document Security Objects of genuine MRTD − distribute the Certificate of the Document Signer Public Key to receiving States and Organizati The digital signature in the Document Security Object to EF.DG16 if stored in the LDS according to [R9]. OE.BAC-Keys Cryptographic quality of Basic Access Cont The Document Basic Access Control Ke Organization have to provide sufficient cryptographic stren 9303’ [R9] the Document Basic Access Contro attack based on the decision that the inspection system has to derive Document Basic Access Keys from the printed MRZ data with enhanced basic attack potential. The receiving State or Organization will implement the following security objectives of the TOE environment. OE.Exam_MRTD Examination of the MRTD passport book the traveler to verify its authent manipulation of the physical MRTD. 
The Basic Inspection System for global interoperability − includes State or Organiza nd OE.Passive_Auth_Verif Ve The border control officer of the receiving State uses the inspection system to verify the MRTD holder. The inspection systems must have successfully verified the signature of Document Security Objects and the integrity data elements of receiving States and Organizations must manage the Country Signing CA Public Key and the Document Signer Public Key maintaining their authenticity and availabili Ref. : SSE-0000076322-01 Page 24/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 24/68 OE.Prot_Logical_MRTD Protection of data from the logical MRTD The inspection system of the receiving State or Organization ensures the confidentiality and integrity of he receiving State examining the logical MRTD being under t the terminal part of the Basic . 4.4 o e Leak -Tam lfunc i nuf zation th_Sign RTD Auth_Verif ical_MRTD the data read from the logical MRTD. T Basic Access Control will use inspection systems which implemen Access Control and use the secure messaging with fresh generated keys for the protection of the transmitted data (i.e. Basic Inspection Systems) RATIONALE 4.4.1 Coverage matrix The following table provides an overview for security objectives coverage: OT.AC_Pers OT.Data_In OT.Data_ OT.Identific OT.Prot_ OT.Prot_In OT.Prot_Ph OT.Prot_M OE.MRT OE.MRT OE.Personal OE.Pass_ OE.BAC-K OE.Exam_ OE.Passive_ OE.Prot_Log t Conf at Abus f_ ys a D_Ma D_ Delivery i Au eys M i n -Func per t on act T.Chip-ID X X T.Skimming X X T.Eavesdropping X T.Forgery X X X X X X T.Abuse-Func X X T.Information_Leakage X T.Phys-tamper X T.Malfunction X P.Manufact X P.Personalization X X X P.Personal_Data X X A.MRTD_Manufact X A.MRTD_Delivery X A.Pers_Agent X A.Insp_Sys X X A.BAC_Keys X Table 1: Security problem definition / Security objectives 4.4.2 Coverage of threats in the operational environment T.Chip_ID Ref. 
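A.BAC-Keys, OE.BAC-Keys and Application note 5 reason about the strength of keys that are derived from MRZ data, and OE.Prot_Logical_MRTD requires secure messaging with freshly generated keys. The following is an added example, written for this page and not code from this security target or the evaluated product: it derives the Document Basic Access Keys from the MRZ fields as ICAO Doc 9303 [R9] specifies (check digits, SHA-1 of the MRZ information, parity-adjusted two-key 3DES keys), which makes visible that their strength is bounded by the entropy of the document number, date of birth and expiry date; and it derives the per-session keys from K.IFD xor K.ICC after mutual authentication, which is what makes them fresh. The MRZ fields are the worked example from Doc 9303; the K.IFD, K.ICC and RND values in the session-key part are constructed placeholders.

```python
"""Document Basic Access Keys and BAC session keys per ICAO Doc 9303.
Added illustration for this page; not the evaluated product's code."""
from __future__ import annotations

import hashlib

# MRZ check-digit weights repeat 7, 3, 1 over the field's characters.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Check-digit value of an MRZ character: digits as-is, A..Z = 10..35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted sum of character values modulo 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """MRZ_information = document number, birth date and expiry date, each with its check digit."""
    return "".join(f + str(mrz_check_digit(f)) for f in (doc_number, birth, expiry))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high_ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if high_ones % 2 else 1))
    return bytes(out)


def derive_keys(kseed: bytes) -> tuple[bytes, bytes]:
    """Doc 9303 key derivation: K = first 16 bytes of SHA-1(Kseed || c), c = 1 (KENC), 2 (KMAC)."""
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_parity(digest[:16]))
    return keys[0], keys[1]


def document_basic_access_keys(doc_number: str, birth: str, expiry: str):
    """Kseed = first 16 bytes of SHA-1(MRZ_information); returns (Kseed, (KENC, KMAC)).

    Everything here is a deterministic function of three printed MRZ fields, which is
    why A.BAC-Keys / OE.BAC-Keys require those fields to carry enough entropy."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    kseed = hashlib.sha1(info).digest()[:16]
    return kseed, derive_keys(kseed)


def session_keys(k_ifd: bytes, k_icc: bytes, rnd_ifd: bytes, rnd_icc: bytes):
    """Session keys after BAC mutual authentication: Kseed = K.IFD xor K.ICC, and the
    send sequence counter SSC = last 4 bytes of RND.ICC || last 4 bytes of RND.IFD."""
    if len(k_ifd) != 16 or len(k_icc) != 16 or len(rnd_ifd) != 8 or len(rnd_icc) != 8:
        raise ValueError("K.IFD/K.ICC must be 16 bytes, RND.IFD/RND.ICC 8 bytes")
    kseed = bytes(a ^ b for a, b in zip(k_ifd, k_icc))
    ks_enc, ks_mac = derive_keys(kseed)
    ssc = rnd_icc[4:] + rnd_ifd[4:]
    return ks_enc, ks_mac, ssc


if __name__ == "__main__":
    # MRZ fields of the ICAO Doc 9303 worked example.
    kseed, (kenc, kmac) = document_basic_access_keys("L898902C<", "690806", "940623")
    print("Kseed", kseed.hex(), "KENC", kenc.hex(), "KMAC", kmac.hex())
    # Constructed placeholder nonces and key contributions (not real protocol values).
    ks_enc, ks_mac, ssc = session_keys(bytes(range(16)), bytes(range(16, 32)),
                                       b"\x01" * 8, b"\x02" * 8)
    print("KSenc", ks_enc.hex(), "KSmac", ks_mac.hex(), "SSC", ssc.hex())
```

The Document Basic Access Keys are fixed for the lifetime of the document, so their quality is an issuance-policy question (OE.BAC-Keys): a document number issued consecutively with the issuing date, as Application note 5 warns, lets one field predict part of another and lowers the effective entropy of the MRZ information below its nominal size. The session keys, by contrast, change with every authentication because K.ICC and RND.ICC are chosen afresh by the chip (FCS_RND), which is the property OE.Prot_Logical_MRTD relies on for secure messaging.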
: SSE-0000076322-01 Page 25/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 25/68 The threat T.Chip_ID “Identification of MRTD’s chip” addresses the trace of the MRTD movement by ing k r the environment OE.BAC- Keys. istening the communication between the MRTD’s chip and a terminal. This threat is countered by the security objective OT.Data_Conf “Confidentiality of sic Access Control using sufficiently strong derived keys as required by the security objective for the environment OE.BAC-Keys. T.Forgery The threat T.Forgery “Forgery of data on MRTD’s chip” addresses the fraudulent alteration of the complete stored logical MRTD or any part of it. The security objective OT.AC_Pers “Access Control for Personalization of logical MRTD“ requires the TOE to limit the write access for the logical MRTD to the trustworthy Personalization Agent (cf. OE.Personalizat e TOE will protect grity of the stored logical MRTD according the security ob ve ity of l data” and OT.Prot_Phys-Tamper “Protection against in e presented MRTD passport book according to book” shall ensure that passport book does present the complete unchanged logical MRTD MRTD data by means of digital signature which thentication of logical y Signatur cording to OE.Pas erif “Verification by a s A th nt at n T.Abus The th nc “Abuse of n tio a ” d e a ing the MRTD’s chip as product and is se f u tions fo perso l the operational state a lde o di ose or to manipul te the logical RT . This threat is counter Abuse-Fun “Protection again of Functionality”. Additionally this objectiv y the security objective for the environme t: ation “Person RTD” e r g a h E ec rity func ns o h in al ation and the persona and the e r f c n o r io a a er e ry to MRTD holder a to the i e e us o th T E T.Inform Phys-Tamper, M lfu c on The th ation_Leakag “Informatio Leakage from MRT ’s c ”, T.Phys-Tamper “Physic and T.Malfun tion “Malfunction due to En ro m t S es ” re typical for integrated circuits like sm l. 
The protection of the identifying remotely the MRTD’s chip through the contactless communication interface. This threat is countered as described by the security objective OT.Identification by Basic Access Control us sufficiently strong derived eys as required by the security objective fo T.Skimming The threat T.Skimming “Skimming digital MRZ data or the digital portrait” and T.Eavesdropping “Eavesdropping to the communication between TOE and inspection system” address the reading of the logical MRTD trough the contactless interface or l personal data” through Ba ion). Th OT amp xam tive ent rdi by the pers n o ass m log ign m inte ona f th port ay ical “Au ac jecti ica TD se viro d a ified .Da ering”. ina co will ng t the ta_ tio nta de o O Int Th n o ctle tect E.P insp “In e e f th ss pa as ec tegr xam e M chip rtly s_A tion Phys _MR n a en eate ver l T “E nsi nm cco atio D p hich ed _S yste OE. not . Th wil e” Ex con e T l be an am tai OE cr d RT w forg uth s MRTD sive_Auth_ b V P s ive u e ic io ”. e-Func reat T.Abuse-Fu Fu c n lity a dr sses ttacks s u ion material for the MRTD RTD ho m u o the f nc r na ization in fter delivery to M _ r t scl a M D ed by OT.Prot ed b c st Abuse e is support TOE n OE.Personaliz alization of logical M d nsu in th t t u e TO s u tio f r t e iti iz lization are disable s cu ity n tio s for the pe at nal st te ft d live re enabled according nt nd d e f e O . ation_Leakage, T. T. a n ti reats T.Inform e n D hip al Tampering” c vi n en al tr s a art cards under direct attack with high attack potentia Ref. : SSE-0000076322-01 Page 26/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 26/68 TOE against these threats is addressed by the directly relate “Protection against Information Leakage”, OT.Prot_Phys d security objectives OT.Prot_Inf_Leak -Tamper “Protection against Physical d OT.Prot_Malfunction “Protection against Malfunctions”. 
4.4.3 P P.Manufact “Manufacturing of the MRTD’s chip” requires a unique identification of the IC by means of the Initialization Data and the writing of the Prepersonalization Data as being fulfilled by ion. ation “Personalization of logical MRTD”, and cess control for the user data and TSF data as described by the security objective “Access Control for Personalization of logical MRTD”. a_Int “Integrity of personal data” describing the unconditional protection of the integrity of the stored data and during transmission. The e OT.Data_Conf “Confidentiality of personal data” describes the protection of the 4.4.4 tection of the MRTD Manufacturing” that steps. Tampering” an Coverage of organisational security policies P.Manufact The OS OT.Identificat P.Personalization The OSP P.Personalization “Personalization of the MRTD by issuing State or Organization only” addresses the: − the enrolment of the logical MRTD by the Personalization Agent as described in the security objective for the TOE environment OE.Personaliz − the ac OT.AC_Pers Note the manufacturer equips the TOE with the Personalization Agent Authentication key(s) according to OT.Identification “Identification and Authentication of the TOE”. The security objective OT.AC_Pers limits the management of TSF data and the management of TSF to the Personalization Agent. P.Personal_Data The OSP P.Personal_Data “Personal data protection policy” requires the TOE : − to support the protection of the confidentiality of the logical MRTD by means of the Basic Access Control and − enforce the access control for reading as decided by the issuing State or Organization. This policy is implemented by the security objectives OT.Dat security objectiv confidentiality. Coverage of assumptions A.MRTD_Manufact The assumption A.MRTD_Manufact “MRTD manufacturing on step 4 to 6” is covered by the security objective for the TOE environment OE.MRTD_Manufact “Pro requires to use security procedures during all manufacturing Ref. 
: SSE-0000076322-01 Page 27/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 27/68 A.MRTD_ Delivery The assumption A.Pers_Agent “Personalization of the MRTD’s chip” is covered by the security “Personalization of logical MRTD” including the the MRTD holder personal data. nation of the MRTD passport book”. The security objectives for the TOE t_Logical_MRTD “Protection of data from the logical MRTD” will require the Basic trol Keys” is directly covered for the TOE environment OE.BAC-Keys “Cryptographic quality of Basic The assumption A.MRTD_ Delivery “MRTD delivery during step 4 to 6” is covered by the security objective for the TOE environment OE.MRTD_ Delivery “Protection of the MRTD delivery” that requires to use security procedures during delivery steps of the MRTD. A.Pers_Agent objective for the TOE environment OE.Personalization enrolment, the protection with digital signature and the storage of A.Insp_Sys The examination of the MRTD passport book addressed by the assumption A.Insp_Sys “Inspection Systems for global interoperability” is covered by the security objectives for the TOE environment OE.Exam_MRTD “Exami environment OE.Pro Inspection System to implement the Basic Access Control and to protect the logical MRTD data during the transmission and the internal handling. A.BAC-Keys The assumption A.BAC-Keys “Cryptographic quality of Basic Access Con by the security objective Access Control Keys” ensuring the sufficient key quality to be provided by the issuing State or Organization. Ref. : SSE-0000076322-01 Page 28/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass 5 EXTENDED COMPONENTS DEFINITION le MRTD BAC [R5]. 5.1 DEFINITION OF THE FAMILY FAU_SAS functional requirements for the storage of audit data. 
It has a more general approach than FAU_GEN, because it does not necessarily require enerated by the TOE itself and because it does not give specific details of the content FAU_SAS Audit data storage Family behaviour There are no management activities foreseen. Audit: FAU_SAS.1 There are no actions defined to be auditable. FAU_SAS.1 Audit storage Hierarchical to: No other components. Dependencies: No dependencies. FAU_SAS.1.1 The TSF shall provide [assignment: authorized users] with the capability to store [assignment: list of audit information] in the audit records. This security target uses components defined as extensions to CC part 2. Some of these components are defined in [R7], other components are defined in protection profi To define the security functional requirements of the TOE a sensitive family (FAU_SAS) of the Class FAU (Security Audit) is defined here. This family describes the the data to be g of the audit records. The family “Audit data storage (FAU_SAS)” is specified as follows. This family defines functional requirements for the storage of audit data. Component levelling FAU_SAS.1 Requires the TOE to provide the possibility to store audit data. Management: FAU_SAS.1 FAU_SAS Audit data storage 1 Page 28/68 Ref. : SSE-0000076322-01 Page 29/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass 5.2 DEFINITION OF THE FAMILY FCS_RND To define th y (FCS_RND) of the r component uality requirements for the generation of random numbers which are intended to FCS_RND.1 Generation of random numbers requires that random numbers meet a defined quality metric. Management: FCS_RND.1 There are no management activities foreseen. FCS_ There are n s defined to be auditable. FCS_RND.1 Quality metric for rand cal to: No othe nts. Dependencies: No de The TSF sh mechanism to generate random numbers that meet uality metric]. 5.3 DEFINITION OF THE FAMILY FMT_LIM The family FMT_L tures of the TOE. 
To define the IT security functional requirements of the TOE an additional family (FCS_RND) of the Class FCS (cryptographic support) is defined here. This family describes the functional requirements for random number generation used for cryptographic purposes. The component FCS_RND is not limited to generation of cryptographic keys unlike the component FCS_CKM.1. The similar component FIA_SOS.2 is intended for non-cryptographic use. The family “Generation of random numbers (FCS_RND)” is specified as follows.

FCS_RND Generation of random numbers

Family behaviour: This family defines quality requirements for the generation of random numbers which are intended to be used for cryptographic purposes.

Component leveling: FCS_RND Generation of random numbers: 1

FCS_RND.1 Generation of random numbers requires that random numbers meet a defined quality metric.

Management: FCS_RND.1: There are no management activities foreseen.
Audit: FCS_RND.1: There are no actions defined to be auditable.

FCS_RND.1 Quality metric for random numbers
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RND.1.1 The TSF shall provide a mechanism to generate random numbers that meet [assignment: a defined quality metric].

To define the IT security functional requirements of the TOE a sensitive family (FMT_LIM) of the Class FMT (Security Management) is defined here. This family describes the functional requirements for the Test Features of the TOE. The new functional requirements were defined in the class FMT because this class addresses the management of functions of the TSF. The examples of the technical mechanism used in the TOE show that no other class is appropriate to address the specific issues of preventing the abuse of functions by limiting the capabilities of the functions and by limiting their availability. The family “Limited capabilities and availability (FMT_LIM)” is specified as follows.

FMT_LIM Limited capabilities and availability

Family behaviour: This family defines requirements that limit the capabilities and availability of functions in a combined manner. Note that FDP_ACF restricts the access to functions whereas the Limited capability of this family requires the functions themselves to be designed in a specific manner.

Component levelling: FMT_LIM Limited capabilities and availability: 1, 2

FMT_LIM.1 Limited capabilities requires that the TSF is built to provide only the capabilities (perform action, gather information) necessary for its genuine purpose.
FMT_LIM.2 Limited availability requires that the TSF restrict the use of functions (refer to Limited capabilities (FMT_LIM.1)). This can be achieved, for instance, by removing or by disabling functions in a specific phase of the TOE’s life-cycle.

Management: FMT_LIM.1, FMT_LIM.2: There are no management activities foreseen.
Audit: FMT_LIM.1, FMT_LIM.2: There are no actions defined to be auditable.

The TOE Functional Requirement “Limited capabilities (FMT_LIM.1)” is specified as follows.
FMT_LIM.1 Limited capabilities
Hierarchical to: No other components.
Dependencies: FMT_LIM.2 Limited availability.
FMT_LIM.1.1 The TSF shall be designed and implemented in a manner that limits its capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced [assignment: Limited capability and availability policy].

The TOE Functional Requirement “Limited availability (FMT_LIM.2)” is specified as follows.
FMT_LIM.2 Limited availability
Hierarchical to: No other components.
Dependencies: FMT_LIM.1 Limited capabilities.
FMT_LIM.2.1 The TSF shall be designed in a manner that limits its availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is enforced [assignment: Limited capability and availability policy].

Application note 11: The functional requirements FMT_LIM.1 and FMT_LIM.2 assume that there are two types of mechanisms (limited capabilities and limited availability) which together shall provide protection in order to enforce the policy. This also allows that
− the TSF is provided without restrictions in the product in its user environment but its capabilities are so limited that the policy is enforced,
or conversely
− the TSF is designed with test and support functionality that is removed from, or disabled in, the product prior to the Operational Use Phase.
The combination of both requirements shall enforce the policy.

5.4 DEFINITION OF THE FAMILY FPT_EMSEC

The sensitive family FPT_EMSEC (TOE Emanation) of the Class FPT (Protection of the TSF) is defined here to describe the IT security functional requirements of the TOE. The TOE shall prevent attacks against the TOE and other secret data where the attack is based on external observable physical phenomena of the TOE. Examples of such attacks are evaluation of TOE’s electromagnetic radiation, simple power analysis (SPA), differential power analysis (DPA), timing attacks, etc. This family describes the functional requirements for the limitation of intelligible emanations which are not directly addressed by any other component of CC part 2 [R2]. The family “TOE Emanation (FPT_EMSEC)” is specified as follows.

FPT_EMSEC TOE Emanation

Family behaviour: This family defines requirements to mitigate intelligible emanations.
Component leveling: FPT_EMSEC TOE emanation: 1

FPT_EMSEC.1 TOE emanation has two constituents:
FPT_EMSEC.1.1 Limit of Emissions requires to not emit intelligible emissions enabling access to TSF data or user data.
FPT_EMSEC.1.2 Interface Emanation requires to not emit interface emanation enabling access to TSF data or user data.

Management: FPT_EMSEC.1: There are no management activities foreseen.
Audit: FPT_EMSEC.1: There are no actions defined to be auditable.

FPT_EMSEC.1 TOE emanation
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_EMSEC.1.1 The TOE shall not emit [assignment: types of emissions] in excess of [assignment: specified limits] enabling access to [assignment: list of types of TSF data] and [assignment: list of types of user data].
FPT_EMSEC.1.2 The TSF shall ensure [assignment: type of users] are unable to use the following interface [assignment: type of connection] to gain access to [assignment: list of types of TSF data] and [assignment: list of types of user data].

6 IT SECURITY REQUIREMENTS

6.1 INTRODUCTION

This section identifies the security functional requirements for the TOE. Some refinement/selection/assignment operations in the SFRs are determined by the PP MRTD BAC [R5], some are left with unspecified values. Assignments made by the PP MRTD BAC [R5] authors are marked as bold text, while assignments made by the ST author are marked as bold text and in italics. The iteration operation is used when a component is repeated with varying operations. Iteration is denoted by showing a slash “/” and the iteration indicator after the component identifier.

6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS

6.2.1 Class FAU Security Audit

The TOE shall meet the requirement « Audit storage (FAU_SAS.1) » as specified below (Common Criteria Part 2 extended).

FAU_SAS.1 Audit storage
FAU_SAS.1.1 The TSF shall provide [assignment: authorized users] with the capability to store [assignment: list of audit information] in the audit records.
Assignment:
Authorized users: the Manufacturer
List of Audit Information: the IC Identification Data

Application note 12: The Manufacturer role is the default user identity assumed by the TOE in the Phase 2 “Manufacturing”. The IC manufacturer and the MRTD manufacturer in the Manufacturer role write the Initialization Data and/or Pre-personalization Data as TSF Data of the TOE. The audit records are write-only-once data of the MRTD’s chip (see FMT_MTD.1/INI_DIS).

6.2.2 Class Cryptographic Support (FCS)

6.2.2.1 CRYPTOGRAPHIC KEY MANAGEMENT (FCS_CKM)

The TOE shall meet the requirement “Cryptographic key generation (FCS_CKM.1)” as specified below (Common Criteria Part 2).

FCS_CKM.1 Cryptographic key generation – Generation of Document Basic Access Keys by the TOE
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Assignment:
Cryptographic key generation algorithm: Document Basic Access Key Derivation Algorithm
Cryptographic key sizes: 112 bit
List of standards: [R9], normative appendix 5

Application note 13: The TOE is equipped with the Document Basic Access Key generated and downloaded by the Personalization Agent. The Basic Access Control Authentication Protocol described in [R9], normative appendix 5, A5.2, produces agreed parameters to generate the Triple-DES key and the Retail-MAC message authentication keys for secure messaging by the algorithm in [R9], normative appendix A5.1. The algorithm uses the random number RND.ICC generated by the TSF as required by FCS_RND.1.

The TOE shall meet the requirement “Cryptographic key destruction (FCS_CKM.4)” as specified below (Common Criteria Part 2).

FCS_CKM.4 Cryptographic key destruction – MRTD cryptographic key destruction
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards].
Assignment:
Cryptographic key destruction method: Overwriting of data
List of standards: none

Application note 14: The TOE shall destroy the Triple-DES encryption key and the Retail-MAC message authentication keys for secure messaging.

6.2.2.2 CRYPTOGRAPHIC OPERATION (FCS_COP)

The TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below (Common Criteria Part 2). The iterations are caused by different cryptographic algorithms to be implemented by the TOE.

FCS_COP.1/SHA Cryptographic operation – Hash for Key Derivation
FCS_COP.1.1/SHA The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Assignment:
List of cryptographic operations: hashing
Cryptographic algorithm: SHA-1, SHA-224, SHA-256
Cryptographic key sizes: none
List of standards: FIPS 180-2

Application note 15: This SFR requires the TOE to implement the hash function SHA-1 for the cryptographic primitive of the Basic Access Control Authentication Mechanism (see also FIA_UAU.4) according to [R9].

FCS_COP.1/ENC Cryptographic operation – Encryption / Decryption Triple DES
FCS_COP.1.1/SYM The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Assignment:
List of cryptographic operations: secure messaging (BAC) – encryption and decryption
Cryptographic algorithm: Triple-DES
Cryptographic key sizes: 112 bits
List of standards: FIPS 46-3 [R14] and [R9], normative appendix 5, A5.3

Application note 16: This SFR requires the TOE to implement the cryptographic primitive for secure messaging with encryption of the transmitted data. The keys are agreed between the TOE and the terminal as part of the Basic Access Control Authentication Mechanism according to FCS_CKM.1 and FIA_UAU.4.
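As an added illustration, not the TOE's or the PP's code, of the Document Basic Access Key derivation that FCS_CKM.1, FCS_COP.1/SHA and application notes 13 to 16 refer to ([R9], normative appendix 5, A5.1), the following Python derives K_ENC and K_MAC from the MRZ information (SHA-1 of the seed concatenated with the counter values 1 and 2, truncated to 16 bytes, DES odd parity adjusted) and the session keys from the agreed K_ICC/K_IFD material. The check-digit routine, the function names and the MRZ values are the example's own assumptions.

```python
import hashlib

# Illustrative implementation (not the TOE's code) of the key derivation of
# ICAO Doc 9303 ([R9]) normative appendix 5, A5.1, as this example assumes it.

def mrz_check_digit(field: str) -> str:
    """MRZ check digit: weights 7,3,1 over digits, letters (A=10..Z=35) and '<' (0)."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number, date of birth and date of expiry, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")          # field is 9 characters, '<' padded
    return (doc_number + mrz_check_digit(doc_number)
            + birth_date + mrz_check_digit(birth_date)
            + expiry_date + mrz_check_digit(expiry_date))

def adjust_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so that each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(out)

def derive_key(k_seed: bytes, counter: int) -> bytes:
    """Two-key Triple-DES key (112 bit) = parity-adjusted first 16 bytes of SHA-1(K_seed || counter)."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])

def document_basic_access_keys(mrz_info: str) -> tuple:
    """K_seed is the first 16 bytes of SHA-1(MRZ information); counter 1 -> K_ENC, counter 2 -> K_MAC."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

def session_keys(k_icc: bytes, k_ifd: bytes) -> tuple:
    """Secure messaging keys KS_ENC, KS_MAC from the key material exchanged in the BAC protocol (A5.2)."""
    if len(k_icc) != 16 or len(k_ifd) != 16:
        raise ValueError("K.ICC and K.IFD must be 16 bytes each")
    k_seed = bytes(a ^ b for a, b in zip(k_icc, k_ifd))
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

if __name__ == "__main__":
    # Constructed sample MRZ data (document number, birth date, expiry date)
    info = mrz_information("L898902C", "690806", "940623")
    k_enc, k_mac = document_basic_access_keys(info)
    print("MRZ_information:", info)
    print("K_ENC:", k_enc.hex().upper())
    print("K_MAC:", k_mac.hex().upper())
```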
FCS_COP.1/AUTH Cryptographic operation – Authentication
FCS_COP.1.1/SYM The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Assignment:
List of cryptographic operations: symmetric authentication – encryption and decryption
Cryptographic algorithm: Triple-DES in CBC mode
Cryptographic key sizes: 112 bits
List of standards: FIPS 46-3 [R14]

Application note 17: This SFR requires the TOE to implement the cryptographic primitive for the authentication attempt of a terminal as Personalization Agent by means of the symmetric authentication mechanism (cf. FIA_UAU.4).

FCS_COP.1/MAC Cryptographic operation – Retail MAC
FCS_COP.1.1/MAC The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Assignment:
List of cryptographic operations: secure messaging – message authentication code
Cryptographic algorithm: Retail MAC
Cryptographic key sizes: 112 bits
List of standards: ISO 9797 (MAC algorithm 3, block cipher DES, Sequence Message Counter, padding mode 2)

Application note 18: This SFR requires the TOE to implement the cryptographic primitive for secure messaging with encryption and message authentication code over the transmitted data. The key is agreed between the TSF and the terminal by the Basic Access Control Authentication Mechanism according to FCS_CKM.1 and FIA_UAU.4.

6.2.2.3 RANDOM NUMBER GENERATION (FCS_RND)

The TOE shall meet the requirement “Quality metric for random numbers (FCS_RND.1)” as specified below (Common Criteria Part 2 extended).

FCS_RND.1 Quality metric for random numbers
FCS_RND.1.1 The TSF shall provide a mechanism to generate random numbers that meet [assignment: a defined quality metric].
Assignment:
A defined quality metric: AIS31 Class P2 quality metric

Application note 19: This SFR requires the TOE to generate random numbers used for the authentication protocols as required by FIA_UAU.4.

6.2.3 Class FIA Identification and Authentication

The following table provides an overview on the authentication mechanisms used:

Name | SFR for the TOE | Algorithms and key sizes according to [R9], normative appendix 5
Basic Access Control Authentication Mechanism | FIA_UAU.4 and FIA_UAU.6 | Triple-DES, 112 bit keys (cf. FCS_COP.1/ENC) and Retail-MAC, 112 bit keys (cf. FCS_COP.1/MAC)
Symmetric Authentication Mechanism for Personalization Agents | FIA_UAU.4 | Triple-DES with 112 bit keys
Table 2: Overview on authentication SFR

6.2.3.1 USER IDENTIFICATION (FIA_UID)

The TOE shall meet the requirement “Timing of identification (FIA_UID.1)” as specified below (Common Criteria Part 2).

FIA_UID.1 Timing of identification
FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is identified.
Assignment:
List of TSF-mediated actions:
(1) to read the Initialization Data in Phase 2 “Manufacturing”,
(2) to read the random identifier in Phase 3 “Personalization of the MRTD”,
(3) to read the random identifier in Phase 4 “Operational Use”.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

Application note 20: The IC manufacturer and the MRTD manufacturer write the Initialization Data and/or Pre-personalization Data in the audit records of the IC during the Phase 2 “Manufacturing”. The audit records can be written only in the Phase 2 “Manufacturing” of the TOE. At this time the Manufacturer is the only user role available for the TOE. The MRTD manufacturer may create the user role Personalization Agent for transition from Phase 2 to Phase 3 “Personalization of the MRTD”. The users in role Personalization Agent identify themselves by means of selecting the authentication key. After personalization in the Phase 3 (i.e. writing the digital MRZ and the Document Basic Access Keys) the user role Basic Inspection System is created by writing the Document Basic Access Keys. The Basic Inspection System is identified as default user after power up or reset of the TOE, i.e. the TOE will use the Document Basic Access Key to authenticate the user as Basic Inspection System.

Application note 21: In the “Operational Use” phase the MRTD must not allow anybody to read the ICCSN, the MRTD identifier or any other unique identification before the user is authenticated as Basic Inspection System (cf. T.Chip_ID). Note that the terminal and the MRTD’s chip use a (randomly chosen) identifier for the communication channel to allow the terminal to communicate with more than one RFID. If this identifier is randomly selected it will not violate OT.Identification.

6.2.3.2 USER AUTHENTICATION (FIA_UAU)

The TOE shall meet the requirement “Timing of authentication (FIA_UAU.1)” as specified below (Common Criteria Part 2).

FIA_UAU.1 Timing of authentication
FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is authenticated.
Assignment:
List of TSF-mediated actions:
(1) to read the Initialization Data in Phase 2 “Manufacturing”,
(2) to read the random identifier in Phase 3 “Personalization of the MRTD”,
(3) to identify themselves by selection of the authentication key.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

Application note 22: The Basic Inspection System and the Personalization Agent authenticate themselves.

The TOE shall meet the requirements of “Single-use authentication mechanisms (FIA_UAU.4)” as specified below (Common Criteria Part 2).

FIA_UAU.4 Single-use authentication mechanism – Single-use authentication of the Terminal by the TOE
FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)].
Assignment:
Identified authentication mechanism(s):
(2) Basic Access Control Authentication Mechanism,
(3) Authentication Mechanism based on Triple-DES.

Application note 23: The authentication mechanisms may use either a challenge freshly and randomly generated by the TOE to prevent reuse of a response generated by a terminal in a successful authentication attempt. However, the authentication of the Personalisation Agent may rely on other mechanisms ensuring protection against replay attacks, such as the use of an internal counter as a diversifier.

Application note 24: The Basic Access Control Mechanism is a mutual device authentication mechanism defined in [R9]. In the first step the terminal authenticates itself to the MRTD’s chip and the MRTD’s chip authenticates to the terminal in the second step. In this second step the MRTD’s chip provides the terminal with a challenge-response-pair which allows a unique identification of the MRTD’s chip with some probability depending on the entropy of the Document Basic Access Keys. Therefore the TOE shall stop further communications if the terminal is not successfully authenticated in the first step of the protocol to fulfill the security objective OT.Identification and to prevent T.Chip_ID.

The TOE shall meet the requirement “Multiple authentication mechanisms (FIA_UAU.5)” as specified below (Common Criteria Part 2).

FIA_UAU.5 Multiple authentication mechanisms
FIA_UAU.5.1 The TSF shall provide [assignment: list of multiple authentication mechanisms] to support user authentication.
Assignment:
List of multiple authentication mechanisms:
(1) Basic Access Control Authentication Mechanism,
(2) Symmetric Authentication Mechanism based on Triple-DES.
FIA_UAU.5.2 The TSF shall authenticate any user’s claimed identity according to the [assignment: rules describing how the multiple authentication mechanisms provide authentication].
Assignment:
Rules describing how the multiple authentication mechanisms provide authentication:
(1) The TOE accepts the authentication attempt as Personalization Agent by the Symmetric Authentication Mechanism with the Personalization Agent Key during the personalization phase of the product's life cycle (phase 3),
(2) the TOE accepts the authentication attempt as Basic Inspection System only by means of the Basic Access Control Authentication Mechanism with the Document Basic Access Keys.

Application note 25: In case the ‘Common Criteria Protection Profile Machine Readable Travel Document with „ICAO Application", Extended Access Control’ [R6] should also be fulfilled, the Personalization Agent should not be authenticated by using the BAC or the symmetric authentication mechanism as they are based on the two-key Triple-DES. The authentication of the Personalization Agent is only possible during phase 3 of the life-cycle, using the symmetric authentication mechanism. This can be considered as a refinement of the SFR FIA_UAU.5 of the PP. However, this refinement is more restrictive than the PP, increases the level of security and therefore does not impact the conformity to the PP.

Application note 26: The Basic Access Control Mechanism includes the secure messaging for all commands exchanged after successful authentication of the inspection system. The Personalization Agent may use the Symmetric Authentication Mechanism without secure messaging mechanism as well if the personalization environment prevents eavesdropping on the communication between TOE and personalization terminal. The Basic Inspection System may use the Basic Access Control Authentication Mechanism with the Document Basic Access Keys.

The TOE shall meet the requirement “Re-authenticating (FIA_UAU.6)” as specified below (Common Criteria Part 2).

FIA_UAU.6 Re-authenticating – Re-authenticating of Terminal by the TOE
FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required].
Assignment:
List of conditions under which re-authentication is required:
(1) each command sent to the TOE during a BAC mechanism based communication after successful authentication of the terminal with the Basic Access Control Authentication Mechanism.

Application note 27: The Basic Access Control Mechanism specified in [R9] includes the secure messaging for all commands exchanged after successful authentication of the Inspection System. The TOE checks by secure messaging in MAC_ENC mode each command based on Retail-MAC whether it was sent by the successfully authenticated terminal (see FCS_COP.1/MAC for further details). The TOE does not execute any command with an incorrect message authentication code. Therefore the TOE re-authenticates the user for each received command and accepts only those commands received from the previously authenticated BAC user.

Application note 28: Note that in case the TOE should also fulfill [R6] the BAC communication might be followed by a Chip Authentication mechanism establishing a new secure messaging that is distinct from the BAC based communication. In this case the condition in FIA_UAU.6 above should not contradict the option that commands are sent to the TOE that are no longer meeting the BAC communication but are protected by a more secure communication channel established after a more advanced authentication process.

The TOE shall meet the requirement « Authentication failure handling (FIA_AFL.1) » as specified below (Common Criteria Part 2).

FIA_AFL.1 Authentication failure handling
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
Selection: 32 successive
Assignment:
List of authentication events: Failure of a TDES based Authentication attempt
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [assignment: met or surpassed], the TSF shall [assignment: list of actions].
Assignment: met
List of actions: Blocking the cryptographic key related to the authentication

6.2.4 Class FDP User Data Protection

6.2.4.1 ACCESS CONTROL POLICY (FDP_ACC)

The TOE shall meet the requirement “Subset access control (FDP_ACC.1)” as specified below (Common Criteria Part 2).

FDP_ACC.1 Subset access control – Basic Access control
FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects and operations among subjects and objects covered by the SFP].
Assignment:
Access control SFP: Basic Access Control SFP
List of subjects, objects and operations among subjects and objects covered by the SFP: terminals gaining write, read and modification access to data in the EF.COM, EF.SOD, EF.DG1 to EF.DG16 of the logical MRTD

6.2.4.2 ACCESS CONTROL FUNCTIONS (FDP_ACF)

The TOE shall meet the requirement “Security attribute based access control (FDP_ACF.1)” as specified below (Common Criteria Part 2).

FDP_ACF.1 Basic Security attribute based access control – Basic Access Control
FDP_ACF.1.1 The TSF shall enforce the [assignment: access control SFP] to objects based on the following: [assignment: list of subjects and objects controlled under the indicated SFP, and, for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes].
Assignment:
Access control SFP: Basic Access Control SFP
List of subjects and objects controlled under the indicated SFP, and, for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes:
(3) Subjects: a) Personalization Agent, b) Basic Inspection System, c) Terminal,
(4) Objects: d) data EF.DG1 to EF.DG16 of the logical MRTD, e) Data in EF.COM, f) Data in EF.SOD,
(5) Security attributes: g) Authentication status of terminals.
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects].
Assignment:
Rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects:
(1) the successfully authenticated Personalization Agent is allowed to write and to read the data of the EF.COM, EF.SOD, EF.DG1 to EF.DG16 of the logical MRTD,
(2) the successfully authenticated Basic Inspection System is allowed to read the data in EF.COM, EF.SOD, EF.DG1, EF.DG2 and EF.DG5 to EF.DG16 of the logical MRTD.
FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorize access of subjects to objects].
Assignment:
Rules, based on security attributes, that explicitly authorize access of subjects to objects: none
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the rule: [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
Assignment:
Rules, based on security attributes, that explicitly deny access of subjects to objects:
(1) Any terminal is not allowed to modify any of the EF.DG1 to EF.DG16 of the logical MRTD,
(2) Any terminal is not allowed to read any of the EF.DG1 to EF.DG16 of the logical MRTD,
(3) The Basic Inspection System is not allowed to read the data in EF.DG3 and EF.DG4.

Application note 29: The inspection system needs special authentication and authorization for read access to DG3 and DG4 not defined in this security target (cf. [R6] for details).
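The following Python is an added model, not the TOE's implementation, of how the Basic Access Control SFP rules of FDP_ACF.1.2 and FDP_ACF.1.4 and the authentication failure handling of FIA_AFL.1 (32 successive failed TDES-based attempts block the key) combine at the point where a command is evaluated: deny rules are checked first, then the grant rules for the authenticated role. Role names follow this security target; the function and class names and the representation of files as strings are the example's own assumptions.

```python
# Illustrative model (not the TOE's code) of the Basic Access Control SFP
# (FDP_ACF.1.2 grant rules, FDP_ACF.1.4 deny rules) and FIA_AFL.1 from this ST.

MAX_SUCCESSIVE_FAILURES = 32   # FIA_AFL.1.1 selection: "32 successive"

PERSONALIZATION_AGENT = "Personalization Agent"
BASIC_INSPECTION_SYSTEM = "Basic Inspection System"
TERMINAL = "Terminal"          # any terminal that is not authenticated in a role

DATA_GROUPS = frozenset(f"EF.DG{i}" for i in range(1, 17))
CONTROLLED_FILES = DATA_GROUPS | {"EF.COM", "EF.SOD"}   # objects of FDP_ACC.1


def access_allowed(subject: str, authenticated: bool, operation: str, obj: str) -> bool:
    """True only if no FDP_ACF.1.4 deny rule applies and an FDP_ACF.1.2 rule grants access."""
    if obj not in CONTROLLED_FILES or operation not in ("read", "write"):
        return False
    # FDP_ACF.1.4 explicit deny rules (evaluated before any grant)
    if subject == TERMINAL and obj in DATA_GROUPS:
        return False    # rules (1) and (2): a terminal may neither modify nor read DG1..DG16
    if subject == BASIC_INSPECTION_SYSTEM and obj in ("EF.DG3", "EF.DG4"):
        return False    # rule (3): DG3/DG4 need the authorization of [R6], not defined here
    # FDP_ACF.1.2 grant rules, both require successful authentication
    if not authenticated:
        return False
    if subject == PERSONALIZATION_AGENT:
        return True     # rule (1): read and write of EF.COM, EF.SOD, DG1..DG16
    if subject == BASIC_INSPECTION_SYSTEM:
        return operation == "read"   # rule (2): read only (DG3/DG4 already denied above)
    return False        # FDP_ACF.1.3: no additional explicit authorization rules


class AuthenticationKey:
    """FIA_AFL.1 state for one TDES-based authentication key (BAC or Personalization Agent key)."""

    def __init__(self) -> None:
        self.successive_failures = 0
        self.blocked = False

    def record_attempt(self, success: bool) -> bool:
        """Record the outcome of one authentication attempt; return whether the TOE accepts it."""
        if self.blocked:
            return False                      # FIA_AFL.1.2 action: key blocked, nothing is accepted
        if success:
            self.successive_failures = 0      # "successive": a success restarts the count
            return True
        self.successive_failures += 1
        if self.successive_failures >= MAX_SUCCESSIVE_FAILURES:   # assignment "met"
            self.blocked = True               # block the cryptographic key related to the authentication
        return False


def evaluate_command(key: AuthenticationKey, role: str, auth_ok: bool,
                     operation: str, obj: str) -> bool:
    """Authenticate with `key` for `role`, then decide the requested operation under the SFP."""
    authenticated = key.record_attempt(auth_ok)
    subject = role if authenticated else TERMINAL
    return access_allowed(subject, authenticated, operation, obj)


if __name__ == "__main__":
    k = AuthenticationKey()
    print(evaluate_command(k, BASIC_INSPECTION_SYSTEM, True, "read", "EF.DG2"))   # True
    print(evaluate_command(k, BASIC_INSPECTION_SYSTEM, True, "read", "EF.DG3"))   # False
```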
6.2.4.3 INTER-TSF USER DATA CONFIDENTIALITY TRANSFER PROTECTION (FDP_UCT)

The TOE shall meet the requirement “Basic data exchange confidentiality (FDP_UCT.1)” as specified below (Common Criteria Part 2).

FDP_UCT.1 Basic data exchange confidentiality - MRTD
FDP_UCT.1.1 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorized disclosure.
Assignment:
Access control SFP(s) and/or information flow control SFP(s): Basic Access Control SFP
Selection: transmit and receive

6.2.4.4 INTER-TSF USER DATA INTEGRITY TRANSFER PROTECTION (FDP_UIT)

The TOE shall meet the requirement “Data exchange integrity (FDP_UIT.1)” as specified below (Common Criteria Part 2).

FDP_UIT.1 Basic data exchange integrity - MRTD
FDP_UIT.1.1 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from [selection: modification, deletion, insertion, replay] errors.
Assignment:
Access control SFP(s) and/or information flow control SFP(s): Basic Access Control SFP
Selection: transmit and receive
Selection: modification, deletion, insertion and replay
FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether [selection: modification, deletion, insertion, replay] has occurred.
Selection: modification, deletion, insertion and replay

6.2.5 Class FMT Security Management

Application note 30: The SFR FMT_SMF.1 and FMT_SMR.1 provide basic requirements to the management of the TSF data.

6.2.5.1 SPECIFICATION OF MANAGEMENT FUNCTIONS (FMT_SMF)

The TOE shall meet the requirement “Specification of Management Functions (FMT_SMF.1)” as specified below (Common Criteria Part 2).

FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions [assignment: list of security management functions to be provided by the TSF].
Assignment:
List of security management functions to be provided by the TSF: (1) Initialization, (2) Personalization, (3) Configuration.

Application note 31: The configuration capabilities of the TOE are available during the pre-personalization (initialization) and personalization phases.

6.2.5.2 SECURITY MANAGEMENT ROLES (FMT_SMR)

The TOE shall meet the requirement “Security roles (FMT_SMR.1)” as specified below (Common Criteria Part 2).

FMT_SMR.1 Security roles
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorized identified roles].
Assignment:
The authorized identified roles: (1) Manufacturer, (2) Personalization Agent, (3) Basic Inspection System.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.2.5.3 LIMITED CAPABILITIES AND AVAILABILITY (FMT_LIM)

Application note 32: The SFR FMT_LIM.1 and FMT_LIM.2 address the management of the TSF and TSF data to prevent misuse of test features of the TOE over the life cycle phases.

The TOE shall meet the requirement “Limited capabilities (FMT_LIM.1)” as specified below (Common Criteria Part 2 extended).

FMT_LIM.1 Limited capabilities
FMT_LIM.1.1 The TSF shall be designed in a manner that limits their capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced: [assignment: Limited capability and availability policy].
Assignment:
Limited capability and availability policy: Deploying Test Features after TOE Delivery does not allow: (1) User Data to be disclosed or manipulated, (2) TSF data to be disclosed or manipulated, (3) Software to be reconstructed and (4) Substantial information about construction of TSF to be gathered which may enable other attacks.

The TOE shall meet the requirement “Limited availability (FMT_LIM.2)” as specified below (Common Criteria Part 2 extended).

FMT_LIM.2 Limited availability
FMT_LIM.2.1 The TSF shall be designed in a manner that limits their availability so that in conjunction with “Limited capability (FMT_LIM.1)” the following policy is enforced: [assignment: Limited capability and availability policy].
Assignment:
Limited capability and availability policy: Deploying Test Features after TOE Delivery does not allow: (1) User Data to be disclosed or manipulated, (2) TSF data to be disclosed or manipulated, (3) software to be reconstructed and (4) substantial information about construction of TSF to be gathered which may enable other attacks.

Application note 33: The formulation of “Deploying Test Features …” in FMT_LIM.2.1 might be a little bit misleading since the addressed features are no longer available (e.g. by disabling or removing the respective functionality). Nevertheless the combination of FMT_LIM.1 and FMT_LIM.2 is introduced to provide an optional approach to enforce the same policy. Note that the term “software” in item 3 of FMT_LIM.1.1 and FMT_LIM.2.1 refers to both IC Dedicated and IC Embedded Software.

6.2.5.4 MANAGEMENT OF TSF DATA (FMT_MTD)

Application note 34: The following SFR are iterations of the component Management of TSF data (FMT_MTD.1). The TSF data include but are not limited to those identified below.

The TOE shall meet the requirement “Management of TSF data (FMT_MTD.1)” as specified below (Common Criteria Part 2). The iterations address different management functions and different TSF data.

FMT_MTD.1/INI_ENA Management of TSF data – Writing of Initialization Data and Pre-personalization data
FMT_MTD.1.1/INI_ENA The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
Selection: Assignment: write
Assignment:
List of TSF data: Initialization Data and Pre-Personalization Data
The authorized identified roles: the Manufacturer

Application note 35: The Pre-personalization Data includes but is not limited to the authentication reference data for the Personalization Agent, which is the symmetric cryptographic Personalization Agent Authentication Key.

FMT_MTD.1/INI_DIS Management of TSF data – Disabling of Read Access to Initialization Data and Pre-personalization Data
FMT_MTD.1.1/INI_DIS The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
Selection: Assignment: disable read access for users to
Assignment:
List of TSF data: Initialization Data
The authorized identified roles: the Personalization Agent

Application note 36: According to P.Manufact the IC Manufacturer and the MRTD Manufacturer are the default users assumed by the TOE in the role Manufacturer during the Phase 2 “Manufacturing”, but the TOE is not requested to distinguish between these users within the role Manufacturer. The TOE may restrict the ability to write the Initialization Data and the Pre-personalization Data by
− allowing to write these data only once and
− blocking the role Manufacturer at the end of the Phase 2.
The IC Manufacturer may write the Initialization Data, which includes but is not limited to the IC Identifier as required by FAU_SAS.1. The Initialization Data provides a unique identification of the IC which is used to trace the IC in the Phase 2 and 3 “personalization” but is not needed and may be misused in the Phase 4 “Operational Use”. Therefore the external read access shall be blocked. The MRTD Manufacturer will write the Pre-personalization Data.

FMT_MTD.1/KEY_WRITE Management of TSF data – Key Write
FMT_MTD.1.1/KEY_WRITE The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
Selection: Assignment: write
Assignment:
List of TSF data: Document Basic Access Keys
The authorized identified roles: the Personalization Agent

FMT_MTD.1/KEY_READ Management of TSF data – Key Read
FMT_MTD.1.1/KEY_READ The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
Selection: Assignment: read
Assignment:
List of TSF data: (1) Document Basic Access Keys, (2) Personalization Agent Keys.
The authorized identified roles: none.

Application note 37: The Personalization Agent generates, stores and ensures the correctness of the Document Basic Access Keys.

6.2.6 Class FPT Protection of the Security Functions

The TOE shall prevent inherent and forced illicit information leakage for User Data and TSF Data. The security functional requirement FPT_EMSEC.1 addresses the inherent leakage. With respect to the forced leakage they have to be considered in combination with the security functional requirements “Failure with preservation of secure state (FPT_FLS.1)” and “TSF testing (FPT_TST.1)” on the one hand and “Resistance to physical attack (FPT_PHP.3)” on the other. The SFRs “Limited capabilities (FMT_LIM.1)”, “Limited availability (FMT_LIM.2)” and “Resistance to physical attack (FPT_PHP.3)” together with the SAR “Security architecture description” (ADV_ARC.1) prevent bypassing, deactivation and manipulation of the security features or misuse of TOE functions.

6.2.6.1 TOE EMANATION (FPT_EMSEC)

The TOE shall meet the requirement “TOE Emanation (FPT_EMSEC.1)” as specified below (Common Criteria Part 2 extended).

FPT_EMSEC.1 TOE Emanation
FPT_EMSEC.1.1 The TOE shall not emit [assignment: types of emissions] in excess of [assignment: specified limits] enabling access to [assignment: list of types of TSF data] and [assignment: list of types of user data].
Assignment:
Types of emissions: side channel
Specified limits: limits of the state of the art
List of types of TSF data: Personalization Agent Authentication Keys
List of types of user data: none
FPT_EMSEC.1.2 The TSF shall ensure [assignment: types of users] are unable to use the following interface [assignment: types of connection] to gain access to [assignment: list of types of TSF data] and [assignment: list of types of user data].
Assignment:
Types of users: any unauthorized users
Types of connection: smart card circuit contacts
List of types of TSF data: Personalization Agent Authentication Keys
List of types of user data: none

Application note 38: The TOE shall prevent attacks against the listed secret data where the attack is based on external observable physical phenomena of the TOE. Such attacks may be observable at the interfaces of the TOE, may originate from internal operation of the TOE, or may be caused by an attacker that varies the physical environment under which the TOE operates. The set of measurable physical phenomena is influenced by the technology employed to implement the smart card. The MRTD’s chip has to provide a contactless interface but may have also (not used by the terminal but maybe by an attacker) sensitive contacts according to ISO/IEC 7816-2 as well. Examples of measurable phenomena include, but are not limited to, variations in the power consumption, the timing of signals and the electromagnetic radiation due to internal operations or data transmissions.

6.2.6.2 FAIL SECURE (FPT_FLS)

The following security functional requirements address the protection against forced illicit information leakage.

The TOE shall meet the requirement “Failure with preservation of secure state (FPT_FLS.1)” as
Such attacks may be observable at the ay be originated from internal operation of the TOE or may be caused by an hysical environment under which the TOE operates. The set of meas RTD’s chi ide a smart card co f measurable ph a include, but are ectromagnetic radiation due to internal op FPT_FLS) leakage including physical manipulation. specified below (Common Criteria Part 2). FPT_FLS.1 Failure with preservation of secure state FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur : [assignment: list of types of failures in the TSF]. Assignment List of types of failures in the TSF : (1) Exposure to out-of-range operating conditions where therefore a malfunction could occur, (2) Failure detected by TSF according to FPT_TST.1 6.2.6 quirement “Resistance to physical attack (FPT_PHP.3)” as specified below 2). .3 TSF PHYSICAL PROTECTION (FPT_PHP) The TOE shall meet the re (Common Criteria Part Ref. : SSE-0000076322-01 Page 50/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 50/68 FPT_PHP.3 Resistance to physical attack FPT_PHP.3.1 The TSF shall resist ysical tampering scenarios] to the by responding automatically [assignment: ph [assignment: list of TSF devices/elements] such that the SFRs are always enforced. Assignment physical manipulation and physical probing Physical tampering scenarios : List of TSF devices/elements : TSF Application note 39: The easures to continuously counter physical manipulation and physical probing. Due to the nature of these attacks (especially manipulation) the T o means de re, permanent protection against these attacks is required ensuring that the TSP could not be violated at any time. Hence, “automatic response” means here − assuming that there m − countermeasures are 6.2.6 est should occur]] to demonstrate the correct operation of the TSF. TOE will implement appropriate m OE can by n tect attacks on all of its elements. 
Therefo ight be an attack at any time and provided at any time. .4 TSF SELF TEST (FPT_TST) The TOE shall meet the requirement “TSF testing (FPT_TST.1)” as specified below (Common Criteria Part 2). FPT_TST.1 TSF testing FPT_TST.1.1 The TSF shall run a suite of self tests [selection : during initial start-up, periodically during normal operation, at the request of the authorized user, at the conditions [assignment : conditions under which self t Selection During initial start-up FPT_TST.2.1 The TSF shall provide authorized users with the capability to verify the integrity of TSF data. FPT_TST.3.1 The TSF shall provide authorized users with the capability to verify the integrity of stored TSF executable code. A te 40: the Operational Use phases. he chip security target and have been evaluated during the chip evaluation. pplication no FPT_TST.1 requirement describes requirement for the Personalization and Self-tests during the Manufacturing phase are described in t Ref. : SSE-0000076322-01 Page 51/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 51/68 6.3 SECURITY ASSURANCE REQUIREMENTS FOR THE TOE The TOE shall be evaluated according to Evaluation Assurance Level 4 (EAL4) And augmented by the following components: − ALC_DVS.2, Ref. : SSE-0000076322-01 Page 52/68 Machine Readable Travel Document – Basic Access Control – CC IDeal Pass Page 52/68 7 TOE SUMMARY SPECIFICATION 7.1 STATEMENT OF TOE 7.1.1 ssed by the chip. The complete list the chip security functionality can be check in the chip Security Target [R8]. tion on each NVM byte, CPU usage, − checking integrity loss when accessing NVM, ROM or RAM, − providing a sign engine to check code and/or data integrity loss, − monitoring various manifestations of fault injection attempts, − providing a security timeout feature (watchdog timer), − providing the embedded software developer with the traceability information of the TOE. 
TSF_PHYSICAL_TAMPERING This security functionality ensures that:
− The TOE detects clock and voltage supply operating changes by the environment,
− The TOE detects attempts to violate its physical integrity, and glitch attacks,
− The TOE is always clocked with shape and timing within specified operating conditions.

TSF_SECURITY_ADMIN This security functionality ensures the management of the following security violation attempts:
− Incorrect CPU usage,
− Integrity loss in NVM, ROM or RAM,
− Code signature alarm,
− Fault injection attempt,
− Access attempt to unavailable or reserved memory areas,
− MPU errors,
− Clock and voltage supply operating changes,
− TOE physical integrity abuse.

TSF_UNOBSERVABILITY This security functionality prevents the disclosure of user data and of TSF data when it is transmitted between separate parts of the TOE (the different memories, the CPU and other functional units of the TOE such as a cryptographic co-processor are seen as separated parts of the TOE). This functionality provides additional support mechanisms to the embedded software developer contributing to avoid information leakage.

TSF_SYM_CRYPTO This security functionality provides DES and TDES data encryption / decryption capability, in order to compute Message Authentication Codes (MAC) or the encrypted data.

TSF_ASYM_CRYPTO This security functionality provides:
− SHA-1 hash function chaining blocks of 512 bits to get a 160-bit result,
− SHA-224 hash function chaining blocks of 512 bits to get a 224-bit result,
− SHA-256 hash function chaining blocks of 512 bits to get a 256-bit result.

TSF_ALEAS This security functionality provides a hardware Random Number Generator (RNG) to support security operations performed by cryptographic applications. The RNG complies with the AIS31 Class P2 quality metric.

7.1.2 Low level security functionalities

TSF_PHYS This security functionality provides protection mechanisms of the TOE towards observation and physical tampering, such as random delay and desynchronization capability. This security functionality may call TSF_UNOBSERVABILITY.

7.1.3 Operating system security functionalities

TSF_ACCESS This security function manages the access to objects (files, directories, data and secrets) stored in E²PROM.

TSF_INIT This security function performs TOE testing and initialization after each reset of the TOE.

TSF_MEMORY This security function manages E²PROM and RAM erasure.

TSF_OTP This security function manages the OTP area in E²PROM and in particular the « life cycle parameter », enforcing non-reversibility of the life cycle.

TSF_CPLC This security function manages the CPLC area. The CPLC area contains Manufacturing data, Pre-personalization data and Personalization data. The CPLC area is a write-only-once area and write access is subject to Manufacturer or Personalization Agent authentication. Read access to the CPLC area is allowed during the Personalization phase. During the Operational Use phase, CPLC area read access is only possible after BAC authentication.

TSF_CHECK This security function performs data integrity checks.

TSF_TEST This security function performs self-tests at start-up and monitors code integrity during execution.

TSF_AUDIT This security function reacts when a fault or an anomaly is detected.

7.1.4 Application manager security functionalities

TSF_GESTION This security function manages:
− Management of the secure state of the TOE.
− Application selection.
− Application separation.

7.1.5 Application security functionalities

TSF_SECRET This security function ensures secure management of secrets such as cryptographic keys.

TSF_CRYPTO This security function performs high level cryptographic operations.

TSF_BAC_AUTH This security functionality manages the authentication of the Inspection System to the TOE, based on the Document Basic Access Keys. TSF_BAC_AUTH performs the Basic Access Control mechanism, as described in [R9], in order to authenticate the Inspection System. TSF_BAC_AUTH calls TSF_CRYPTO in order to perform the related cryptographic operations.

TSF_TDES_AUTH TSF_TDES_AUTH performs an authentication mechanism based on TDES.

TSF_RATIF A counter may be associated to an authentication secret, which is used to count the number of successive unsuccessful authentication attempts.

8 DEFINITIONS, GLOSSARY AND ACRONYMS

8.1 ACRONYMS

BIS – Basic Inspection System
CC – Common Criteria
EAL – Evaluation Assurance Level
EF – Elementary File
EIS – Extended Inspection System
GIS – General Inspection System
IAS – Identité Authentification Signature
ICAO – International Civil Aviation Organization
ICCSN – Integrated Circuit Card Serial Number
IT – Information Technology
JCRE – Java Card Runtime Environment
JVM – Java Virtual Machine
MF – Master File
MRTD – Machine Readable Travel Document
n.a. – Not applicable
OSP – Organizational security policy
PP – Protection Profile
RAD – Reference Authentication Data
RNG – Random Number Generator
SAR – Security assurance requirements
SDO – Signed Data Object
SFP – Security Function Policy
SFR – Security functional requirement
ST – Security Target
TOE – Target of Evaluation
TSF – TOE Security Functions
TSP – TOE Security Policy
VAD – Verification Authentication Data
VGP – Visa Global Platform

8.2 CONVENTIONS USED

The following list shows the roots used for the various elements.

Root    Elements described by this root
T.      Threats relative to the TOE and the TOE operational environment
A.      Assumption
OSP.    Organisational security policy
OT.     Security objectives for the TOE
OE.     Security objectives for the operational environment

8.3 DEFINITIONS

Active Authentication – Security mechanism defined in [5] by which means the MRTD's chip proves and the inspection system verifies the identity and authenticity of the MRTD's chip as part of a genuine MRTD issued by a known State or Organization.

Application note – Optional informative part of the PP containing sensitive supporting information that is considered relevant or useful for the construction, evaluation, or use of the TOE.

Audit records – Write-only-once non-volatile memory area of the MRTD's chip to store the Initialization Data and Pre-personalization Data.

Authenticity – Ability to confirm the MRTD and its data elements on the MRTD's chip were created by the issuing State or Organization.

Basic Access Control (BAC) – Security mechanism defined in [R9] by which means the MRTD's chip proves and the inspection system protects their communication by means of secure messaging with Document Basic Access Keys (see there).
Basic Inspection System (BIS) – An inspection system which implements the terminal's part of the Basic Access Control Mechanism and authenticates itself to the MRTD's chip using the Document Basic Access Keys derived from the printed MRZ data for reading the logical MRTD.

Biographical data (biodata) – The personalized details of the MRTD holder appearing as text in the visual and machine readable zones on the biographical data page of a passport book or on a travel card or visa. [R9]

Biometric reference data – Data stored for biometric authentication of the MRTD holder in the MRTD's chip as (i) digital portrait and (ii) optional biometric reference data.

Certificate chain – Hierarchical sequence of Inspection System Certificate (lowest level), Document Verifier Certificate and Country Verifying Certification Authority Certificates (highest level), where the certificate of a lower level is signed with the private key corresponding to the public key in the certificate of the next higher level. The Country Verifying Certification Authority Certificate is signed with the private key corresponding to the public key it contains (self-signed certificate).

Chip – An integrated circuit and its embedded software as it comes out of the IC manufacturing step.

Counterfeit – An unauthorized copy or reproduction of a genuine security document made by whatever means. [R9]

Country Signing CA Certificate (CCSCA) – Certificate of the Country Signing Certification Authority Public Key (KPuCSCA) issued by the Country Signing Certification Authority and stored in the inspection system.

Country Verifying Certification Authority – The country specific root of the PKI of Inspection Systems; it creates the Document Verifier Certificates within this PKI. It enforces the privacy policy of the issuing State or Organization in respect to the protection of sensitive biometric reference data stored in the MRTD.

Current date – The maximum of the effective dates of valid CVCA, DV and domestic Inspection System certificates known to the TOE. It is used to validate card verifiable certificates.

CVCA link Certificate – Certificate of the new public key of the Country Verifying Certification Authority signed with the old public key of the Country Verifying Certification Authority, where the certificate effective date for the new key is before the certificate expiration date of the certificate for the old key.

Document Basic Access Key Derivation Algorithm – [R9], normative appendix 5, A5.1 describes the Document Basic Access Key Derivation Algorithm, i.e. how terminals may derive the Document Basic Access Keys from the second line of the printed MRZ data.

Document Basic Access Keys – Pair of symmetric (two-key) Triple-DES keys used for secure messaging with encryption (key KENC) and message authentication (key KMAC) of data transmitted between the MRTD's chip and the inspection system [R9]. It is drawn from the printed MRZ of the passport book to authenticate an entity able to read the printed MRZ of the passport book.

Document Security Object (SOD) – A RFC3369 CMS Signed Data Structure, signed by the Document Signer (DS). Carries the hash values of the LDS Data Groups. It is stored in the MRTD's chip. It may carry the Document Signer Certificate (CDS). [R9]
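The derivation described in the two entries above, written out as an added worked example in Go. It is not part of this Security Target and not the TOE's code; the function names are this example's own. The input fields are those of the worked example in appendix 5 of [R9]; everything else follows the algorithm: a check digit over the document number, the date of birth and the date of expiry, KSeed = the first 16 bytes of SHA-1(MRZ_information), and KEnc, KMAC = the first 16 bytes of SHA-1(KSeed || c) for c = 1, 2, with every byte adjusted to odd DES parity.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
	"strings"
)

// mrzValue is the check-digit value of an MRZ character: digits count their
// own value, the filler '<' counts 0 and the letters A-Z count 10..35.
func mrzValue(c byte) int {
	v := strings.IndexByte("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ", c)
	if v < 0 {
		return 0
	}
	return v
}

// CheckDigit computes the ICAO 9303 check digit of an MRZ field: the weights
// 7, 3, 1 repeat over the characters and the weighted sum is taken modulo 10.
func CheckDigit(field string) int {
	sum := 0
	for i := 0; i < len(field); i++ {
		sum += mrzValue(field[i]) * []int{7, 3, 1}[i%3]
	}
	return sum % 10
}

// MRZInformation is the key-seed input taken from the second MRZ line:
// document number (padded with '<' to 9 characters), date of birth and date
// of expiry (both YYMMDD), each immediately followed by its check digit.
func MRZInformation(docNo, dob, expiry string) string {
	return fmt.Sprintf("%s%d%s%d%s%d", docNo, CheckDigit(docNo),
		dob, CheckDigit(dob), expiry, CheckDigit(expiry))
}

// DeriveKey is the ICAO key derivation function: SHA-1(seed || c) with c a
// 32-bit big-endian counter, truncated to 16 bytes, then every byte adjusted
// to odd parity so that both halves are valid single-DES keys.
// c = 1 yields the encryption key, c = 2 the MAC key.
func DeriveKey(seed []byte, c uint32) []byte {
	h := sha1.New()
	h.Write(seed)
	binary.Write(h, binary.BigEndian, c)
	key := h.Sum(nil)[:16]
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			key[i] ^= 1 // flip the parity bit (least significant bit)
		}
	}
	return key
}

// KSeed is the first 16 bytes of SHA-1(MRZ_information).
func KSeed(docNo, dob, expiry string) []byte {
	sum := sha1.Sum([]byte(MRZInformation(docNo, dob, expiry)))
	return sum[:16]
}

// DocumentBasicAccessKeys returns KEnc and KMAC for the given MRZ fields.
func DocumentBasicAccessKeys(docNo, dob, expiry string) (kEnc, kMAC []byte) {
	seed := KSeed(docNo, dob, expiry)
	return DeriveKey(seed, 1), DeriveKey(seed, 2)
}

func main() {
	// MRZ fields of the worked example in appendix 5 of [R9]: document number
	// L898902C<, date of birth 1969-08-06, date of expiry 1994-06-23.
	docNo, dob, expiry := "L898902C<", "690806", "940623"
	kEnc, kMAC := DocumentBasicAccessKeys(docNo, dob, expiry)
	fmt.Printf("MRZ_information %s\nKSeed %X\nKEnc  %X\nKMAC  %X\n",
		MRZInformation(docNo, dob, expiry), KSeed(docNo, dob, expiry), kEnc, kMAC)
}
```

Because the keys are computable by anyone who can read the printed MRZ, BAC authenticates a terminal's access to the data page rather than an inspection system as such; that is exactly the boundary the Skimming and Eavesdropper definitions in this glossary draw.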
Document Verifier – Certification authority creating the Inspection System Certificates and managing the authorization of the Extended Inspection Systems for the sensitive data of the MRTD within the limits provided by the issuing States or Organizations.

Eavesdropper – A threat agent with Enhanced-Basic attack potential reading the communication between the MRTD's chip and the inspection system to gain the data on the MRTD's chip.

Enrolment – The process of collecting biometric samples from a person and the subsequent preparation and storage of biometric reference templates representing that person's identity. [R9]

Extended Access Control – Security mechanism identified in [R9] by which means the MRTD's chip (i) verifies the authentication of the inspection systems authorized to read the optional biometric reference data, (ii) controls the access to the optional biometric reference data and (iii) protects the confidentiality and integrity of the optional biometric reference data during their transmission to the inspection system by secure messaging. The Personalization Agent may use the same mechanism to authenticate themselves with the Personalization Agent Authentication Private Key and to get write and read access to the logical MRTD and TSF data.

Extended Inspection System – A General Inspection System which (i) implements the Chip Authentication Mechanism, (ii) implements the Terminal Authentication Protocol and (iii) is authorized by the issuing State or Organization through the Document Verifier of the receiving State to read the sensitive biometric reference data.

Extended Inspection System (EIS) – A role of a terminal as part of an inspection system which is, in addition to a Basic Inspection System, authorized by the issuing State or Organization to read the optional biometric reference data and supports the terminal's part of the Extended Access Control Authentication Mechanism.

Forgery – Fraudulent alteration of any part of the genuine document, e.g. changes to the biographical data or the portrait. [R9]

General Inspection System – A Basic Inspection System which implements sensitively the Chip Authentication Mechanism.

Global Interoperability – The capability of inspection systems (either manual or automated) in different States throughout the world to exchange data, to process data received from systems in other States, and to utilize that data in inspection operations in their respective States. Global interoperability is a major objective of the standardized specifications for placement of both eye-readable and machine readable data in all MRTDs. [R9]

IC Dedicated Support Software – That part of the IC Dedicated Software (refer to above) which provides functions after TOE Delivery. The usage of parts of the IC Dedicated Software might be restricted to certain phases.

IC Dedicated Test Software – That part of the IC Dedicated Software (refer to above) which is used to test the TOE before TOE Delivery but which does not provide any functionality thereafter.

Initialisation Data – Any data defined by the TOE Manufacturer and injected into the non-volatile memory by the Integrated Circuits manufacturer (Phase 2). These data are for instance used for traceability and for IC identification as MRTD's material (IC identification data).

Inspection – The act of a State examining an MRTD presented to it by a traveler (the MRTD holder) and verifying its authenticity. [R9]

Inspection system (IS) – A technical system used by the border control officer of the receiving State (i) examining an MRTD presented by the traveler and verifying its authenticity and (ii) verifying the traveler as MRTD holder.

Integrated circuit (IC) – Electronic component(s) designed to perform processing and/or memory functions. The MRTD's chip is built on an integrated circuit.

Integrity – Ability to confirm the MRTD and its data elements on the MRTD's chip have not been altered from that created by the issuing State or Organization.

Issuing Organization – Organization authorized to issue an official travel document (e.g. the United Nations Organization, issuer of the Laissez-passer). [R9]

Issuing State – The Country issuing the MRTD. [R9]

Logical Data Structure (LDS) – The collection of groupings of Data Elements stored in the optional capacity expansion technology [R9]. The capacity expansion technology used is the MRTD's chip.

Logical MRTD – Data of the MRTD holder stored according to the Logical Data Structure [R9] as specified by ICAO on the MRTD's chip. It presents readable data including (but not limited to) (1) personal data of the MRTD holder, (2) the digital Machine Readable Zone Data (digital MRZ data, EF.DG1), (3) the digitized portraits (EF.DG2), (4) the biometric reference data of finger(s) (EF.DG3) or iris image(s) (EF.DG4) or both, (5) the other data according to LDS (EF.DG5 to EF.DG16) and (6) EF.COM and EF.SOD.

Logical travel document – Data stored according to the Logical Data Structure as specified by ICAO in the integrated circuit including (but not limited to) (1) data contained in the machine-readable zone (mandatory), (2) digitized photographic image (mandatory) and (3) fingerprint image(s) and/or iris image(s) (optional).

Machine readable travel document (MRTD) – Official document issued by a State or Organization which is used by the holder for international travel (e.g. passport, visa, official document of identity) and which contains mandatory visual (eye readable) data and a separate mandatory data summary, intended for global use, reflecting essential data elements capable of being machine read. [R9]

Machine readable zone (MRZ) – Fixed dimensional area located on the front of the MRTD or MRP Data Page or, in the case of the TD1, the back of the MRTD, containing mandatory and optional data for machine reading using OCR methods. [R9]

MRTD application – Non-executable data defining the functionality of the operating system on the IC as the MRTD's chip. It includes
− the file structure implementing the LDS [R9],
− the definition of the User Data, but does not include the User Data itself (i.e. content of EF.DG1 to EF.DG13 and EF.DG16, EF.COM and EF.SOD) and
− the TSF Data including the definition of the authentication data but not the authentication data itself.

MRTD Basic Access Control – Mutual authentication protocol followed by secure messaging between the inspection system and the MRTD's chip based on MRZ information as key seed and access condition to data stored on the MRTD's chip according to LDS.

MRTD holder – The rightful holder of the MRTD for whom the issuing State or Organization personalized the MRTD.

MRTD's Chip – A chip programmed according to the Logical Data Structure as specified by [R9] and ready for personalisation.

MRTD's chip Embedded Software – Software embedded in a MRTD's chip and not being developed by the IC Designer. The MRTD's chip Embedded Software is designed in Step 1 and embedded into the MRTD's chip in Step 3 of the TOE life-cycle.

Optional biometric reference data – Data stored for biometric authentication of the MRTD holder in the MRTD's chip as (i) encoded finger image(s) (EF.DG3) or (ii) encoded iris image(s) (EF.DG4) or (iii) both. Note that the European Commission decided to use only fingerprint and not to use iris images as optional biometric reference data.

Patch – Additional executable code loaded in EEPROM of a chip after the IC manufacturing step, in order to fix a bug or a problem encountered with the embedded software execution. A patch can fix
− a functional problem, e.g. missing arguments in an APDU, bad timing in the protocol management...
− a security problem: typically, a patch that corrects a weakness discovered on a security function.
Note that a patch that fixes a functional problem can have an impact on the security of the chip if it affects the behaviour of a security function.
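The MRTD Basic Access Control entry above and TSF_BAC_AUTH in section 7.1.5 describe the mutual authentication that precedes secure messaging. As an added example (not the TOE's code; the function names are this example's own), here are both halves of that exchange in Go: the terminal's MUTUAL AUTHENTICATE cryptogram, the chip's checks and reply, the terminal's verification of that reply, and the resulting KSseed. Fixed values from the worked example in appendix 5 of [R9] stand in for the Document Basic Access Keys and for the random numbers each side draws; in a real exchange RND.ICC comes from GET CHALLENGE and the terminal derives KEnc and KMAC from the MRZ.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tdesCBC: two-key Triple-DES (K1, K2, K1) in CBC mode with a zero IV, as BAC
// prescribes. BAC cryptograms are whole 8-byte blocks, so nothing is padded.
func tdesCBC(key, in []byte, encrypt bool) []byte {
	block, _ := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, make([]byte, 8)).CryptBlocks(out, in)
	}
	return out
}

// RetailMAC is ISO/IEC 9797-1 MAC algorithm 3 with padding method 2: append 0x80
// and zeros to a block boundary, DES-CBC under K1, then D(K2) and E(K1) on the last block.
func RetailMAC(key, msg []byte) []byte {
	k1, _ := des.NewCipher(key[:8])
	k2, _ := des.NewCipher(key[8:16])
	padded := append(append([]byte{}, msg...), 0x80)
	padded = append(padded, make([]byte, (8-len(padded)%8)%8)...)
	mac := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range mac {
			mac[j] ^= padded[i+j]
		}
		k1.Encrypt(mac, mac)
	}
	k2.Decrypt(mac, mac)
	k1.Encrypt(mac, mac)
	return mac
}

// TerminalCommand is the inspection system's half of MUTUAL AUTHENTICATE:
// S = RND.IFD || RND.ICC || K.IFD, E_IFD = 3DES-CBC(KEnc, S), M_IFD = MAC(KMAC, E_IFD).
func TerminalCommand(kEnc, kMAC, rndIFD, rndICC, kIFD []byte) (eIFD, mIFD []byte) {
	eIFD = tdesCBC(kEnc, bytes.Join([][]byte{rndIFD, rndICC, kIFD}, nil), true)
	return eIFD, RetailMAC(kMAC, eIFD)
}

// ChipResponse is the MRTD chip's half: the MAC is checked before anything is
// decrypted, the plaintext must echo the RND.ICC issued in GET CHALLENGE, and only
// then does the chip answer with R = RND.ICC || RND.IFD || K.ICC under the same keys.
func ChipResponse(kEnc, kMAC, rndICC, kICC, eIFD, mIFD []byte) (eICC, mICC []byte, err error) {
	if len(eIFD) != 32 || !bytes.Equal(RetailMAC(kMAC, eIFD), mIFD) {
		return nil, nil, fmt.Errorf("M_IFD verification failed")
	}
	s := tdesCBC(kEnc, eIFD, false)
	if !bytes.Equal(s[8:16], rndICC) {
		return nil, nil, fmt.Errorf("RND.ICC mismatch: terminal does not hold the MRZ-derived keys")
	}
	eICC = tdesCBC(kEnc, bytes.Join([][]byte{rndICC, s[:8], kICC}, nil), true)
	return eICC, RetailMAC(kMAC, eICC), nil
}

// TerminalVerify applies the same checks to the chip's reply and returns K.ICC.
func TerminalVerify(kEnc, kMAC, rndIFD, eICC, mICC []byte) ([]byte, error) {
	if len(eICC) != 32 || !bytes.Equal(RetailMAC(kMAC, eICC), mICC) {
		return nil, fmt.Errorf("M_ICC verification failed")
	}
	r := tdesCBC(kEnc, eICC, false)
	if !bytes.Equal(r[8:16], rndIFD) {
		return nil, fmt.Errorf("RND.IFD mismatch")
	}
	return r[16:], nil
}

// SessionSeed is KSseed = K.IFD xor K.ICC; KSEnc and KSMAC follow from it by the
// same SHA-1 derivation that produces the Document Basic Access Keys.
func SessionSeed(kIFD, kICC []byte) []byte {
	seed := make([]byte, 16)
	for i := range seed {
		seed[i] = kIFD[i] ^ kICC[i]
	}
	return seed
}

func mustHex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// Fixed values from the worked example in appendix 5 of [R9], in place of each side's random numbers.
var KEnc, KMAC = mustHex("AB94FDECF2674FDFB9B391F85D7F76F2"), mustHex("7962D9ECE03D1ACD4C76089DCE131543")
var RndICC, RndIFD = mustHex("4608F91988702212"), mustHex("781723860C06C226")
var KIFD, KICC = mustHex("0B795240CB7049B01C19B33E32804F0B"), mustHex("0B4F80323EB3191CB04970CB4052790B")

func main() {
	eIFD, mIFD := TerminalCommand(KEnc, KMAC, RndIFD, RndICC, KIFD)
	eICC, mICC, err := ChipResponse(KEnc, KMAC, RndICC, KICC, eIFD, mIFD)
	if err != nil {
		panic(err)
	}
	kICC, err := TerminalVerify(KEnc, KMAC, RndIFD, eICC, mICC)
	if err != nil {
		panic(err)
	}
	fmt.Printf("E_IFD %X\nM_IFD %X\nE_ICC %X\nM_ICC %X\nKSseed %X\n", eIFD, mIFD, eICC, mICC, SessionSeed(KIFD, kICC))
}
```

The order of checks on the chip side is the point: the Retail MAC is verified before any decryption, and the decrypted RND.ICC must equal the challenge the chip just issued, so a cryptogram replayed from an earlier session or built with keys from a different MRZ is rejected before K.ICC is released. Each such rejection is the kind of unsuccessful authentication attempt that the TSF_RATIF counter counts.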
Passive authentication – (i) Verification of the digital signature of the Document Security Object and (ii) comparing the hash values of the read LDS data fields with the hash values contained in the Document Security Object.

Personalization – The process by which the portrait, signature and biographical data are applied to the document. This may also include the optional biometric data collected during the "Enrolment". [R9]

Personalization Agent – The agent acting on the behalf of the issuing State or Organization to personalize the MRTD for the holder by (i) establishing the identity of the holder for the biographic data in the MRTD, (ii) enrolling the biometric reference data of the MRTD holder, i.e. the portrait, the encoded finger image(s) or the encoded iris image(s), and (iii) writing these data on the physical and logical MRTD for the holder.

Personalization Agent Authentication Information – TSF data used for authentication proof and verification of the Personalization Agent.

Personalization Agent Authentication Key – Symmetric cryptographic key used (i) by the Personalization Agent to prove their identity and get access to the logical MRTD and (ii) by the MRTD's chip to verify the authentication attempt of a terminal as Personalization Agent.

Physical travel document – Travel document in form of paper, plastic and chip using secure printing to present data including (but not limited to) (1) biographical data, (2) data of the machine-readable zone, (3) photographic image and (4) other data.

Pre-personalization Data – Any data that is injected into the non-volatile memory of the TOE by the MRTD Manufacturer (Phase 2) for traceability of non-personalized MRTD's and/or to secure shipment within or between life cycle phases 2 and 3. It contains (but is not limited to) the Active Authentication Key Pair and the Personalization Agent Key Pair.

Pre-personalized MRTD's chip – MRTD's chip equipped with a unique identifier and a unique asymmetric Active Authentication Key Pair of the chip.

Receiving State – The Country to which the Traveler is applying for entry. [R9]

Reference data – Data enrolled for a known identity and used by the verifier to check the verification data provided by an entity to prove this identity in an authentication attempt.

Secure messaging in encrypted mode – Secure messaging using encryption and message authentication code according to ISO/IEC 7816-4.

Skimming – Imitation of the inspection system to read the logical MRTD or parts of it via the contactless communication channel of the TOE without knowledge of the printed MRZ data.

Security Target (ST) – Reference document for the TOE evaluation: the certificate awarded by the DCSSI will attest conformity of the product and its documentation with the (functional and assurance) requirements formulated in the security target.

Target of Evaluation (TOE) – The product to be evaluated and its associated documentation.

Terminal Authorization – Intersection of the Certificate Holder Authorizations defined by the Inspection System Certificate, the Document Verifier Certificate and the Country Verifying Certification Authority Certificate, which shall all be valid for the Current Date.

TOE Security Functionality (TSF) – A set consisting of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.

TOE Security Policy (TSP) – Set of rules stipulating how to manage, protect and distribute assets within a TOE.

Travel document – A passport or other official document of identity issued by a State or Organization which may be used by the rightful holder for international travel. [R9]

Traveler – Person presenting the MRTD to the inspection system and claiming the identity of the MRTD holder.

TSF data – Data created by and for the TOE that might affect the operation of the TOE (CC part 1 [R1]).

Unpersonalized MRTD – The MRTD that contains the MRTD Chip holding only Initialization Data and Pre-personalization Data, as delivered to the Personalisation Agent from the Manufacturer.

User data – Data created by and for the user that does not affect the operation of the TSF (CC part 1 [R1]).

Verification – The process of comparing a submitted biometric sample against the biometric reference template of a single enrollee whose identity is being claimed, to determine whether it matches the enrollee's template. [R9]

Verification data – Data provided by an entity in an authentication attempt to prove their identity to the verifier. The verifier checks whether the verification data match the reference data known for the claimed identity.
9 REFERENCE AND APPLICABLE DOCUMENTS

9.1 REFERENCE DOCUMENTS

Common Criteria
[R1] CCMB-2006-09-001, Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1, Revision 1, September 2006
[R2] CCMB-2007-09-002, Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, Version 3.1, Revision 2, September 2007
[R3] CCMB-2007-09-003, Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, Version 3.1, Revision 2, September 2007
[R4] CCMB-2007-09-004, Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 2, September 2007

Protection Profiles and Security Target
[R5] BSI-PP-0055, Common Criteria Protection Profile – Machine Readable Travel Document with "ICAO Application", Basic Access Control, Version 1.10, March 2009
[R6] BSI-PP-0056, Common Criteria Protection Profile – Machine Readable Travel Document with "ICAO Application", Extended Access Control, Version 1.10, March 2009
[R7] BSI-PP-0002-2001, Protection Profile, Security IC Platform Protection Profile. Certified by BSI (Bundesamt für Sicherheit in der Informationstechnik), Version 1.0, July 2001
[R8] SMD_SB23YR80_ST_09_001, SB23YR80A Security Target – Public Version, Rev 01.00, March 2009

E-passport specifications
[R9] ICAO Doc 9303, part 1 volume 1, Sixth edition, 2006, Passports with Machine Readable Data Stored in Optical Character Recognition Format; part 1 volume 2, Sixth edition, 2006, Specifications for Electronically Enabled Passports with Biometric Identification Capability
[R10] TR-03110, Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC), Version 1.11

CC supporting documents
[R11] CCDB-2008-04-001, Supporting Document – Mandatory Technical Document – Application of Attack Potential to Smartcards, V2.5, R1, April 2008
[R12] CCDB-2007-09-001, Supporting Document – Mandatory Technical Document – Composite product evaluation for Smartcards and similar devices, V1.0, R1, September 2007

9.2 APPLICABLE DOCUMENTS

Cryptography
[R11] PKCS#3: Diffie-Hellman Key-Agreement Standard, An RSA Laboratories Technical Note, Version 1.4, Revised November 1, 1993
[R12] ISO/IEC 15946: Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 3: Key establishment, 2002
[R13] TR-ECC, BSI, Technical Guideline: Elliptic Curve Cryptography according to ISO 15946, 2006
[R14] FIPS PUB 46-3, Federal Information Processing Standards Publication, Data Encryption Standard (DES), U.S. Department of Commerce / National Institute of Standards and Technology, Reaffirmed 1999 October 25
[R15] ANSI X9.31-1998, American Bankers Association, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), Appendix A.2.4, 1998
[R16] FIPS PUB 180-2, Federal Information Processing Standards Publication, Secure Hash Standard (+ Change Notice to include SHA-224), U.S. Department of Commerce / National Institute of Standards and Technology, 2002 August 1

Other
[R17] VISA global platform requirements, configuration 3 – compact, v2.1.1, May 2003
[R18] Plate-forme commune pour l'eAdministration – Spécification technique (Common platform for eAdministration – Technical specification), Version 1.01
[R19] EMV CPS 1.0, Final, 16 June 2003
