Page 2 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
This page is intentionally left blank
Page 3 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
Ministero dello Sviluppo Economico
Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Certification Report
ASapp-eID-BAC v1.0
OCSI/CERT/SYS/09/2016/RC
Version 1.0
20 September 2017
Page 4 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
Disclaimer: this translation in English language is provided for informational purposes
only; it is not a substitute for the official document and has no legal value. The original
Italian language version of the document is the only approved and official version.
Courtesy translation
Page 5 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
1 Document revisions
Version Author Information Date
1.0 OCSI First issue 20/09/2017
Page 6 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
2 Index
1 Document revisions.....................................................................................................5
2 Index ...........................................................................................................................6
3 Acronyms ....................................................................................................................8
4 Bibliography.................................................................................................................9
5 Recognition of the certificate .....................................................................................11
5.1 European Recognition of CC Certificates (SOGIS-MRA) ..................................11
5.2 International Recognition of CC Certificates (CCRA) ........................................11
6 Statement of Certification ..........................................................................................12
7 Summary of the evaluation........................................................................................13
7.1 Introduction........................................................................................................13
7.2 Executive summary ...........................................................................................13
7.3 Evaluated product..............................................................................................13
7.3.1 TOE Architecture ..........................................................................................14
7.3.2 TOE security features...................................................................................14
7.4 Documentation ..................................................................................................15
7.5 Protection Profile (PP) claim..............................................................................15
7.6 Functional and assurance requirements............................................................16
7.7 Evaluation conduct ............................................................................................16
7.8 General considerations on the validity of the certification..................................16
8 Evaluation outcome...................................................................................................18
8.1 Evaluation results ..............................................................................................18
8.2 Recommendations.............................................................................................19
9 Annex A – Guidelines for the safe use of the product ...............................................20
9.1 Delivery .............................................................................................................20
9.2 Initialization and secure use of the TOE............................................................20
10 Annex B – Evaluated configuration ...........................................................................21
11 Annex C – Test activity..............................................................................................22
11.1 Test configuration..............................................................................................22
11.2 Functional tests performed by the developer.....................................................22
11.2.1 Test coverage...............................................................................................22
Page 7 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
11.2.2 Test results ...................................................................................................23
11.3 Functional and independent tests performed by the evaluators ........................23
11.4 Vulnerability analysis and penetration tests.......................................................23
Page 8 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
3 Acronyms
BAC Basic Access Control
CC Common Criteria
CCRA Common Criteria Recognition Arrangement
CEM Common Evaluation Methodology
DPCM Decreto del Presidente del Consiglio dei Ministri
EAL Evaluation Assurance Level
eMRTD electronic Machine Readable Travel Document
HW Hardware
ICAO International Civil Aviation Organization
LGP Linea Guida Provvisoria
LVS Laboratorio per la Valutazione della Sicurezza
NIS Nota Informativa dello Schema
OCSI Organismo di Certificazione della Sicurezza Informatica
PP Profilo di Protezione
RFV Rapporto Finale di Valutazione
SAR Security Assurance Requirement
SFR Security Functional Requirement
SW Software
TDS Traguardo di Sicurezza
TOE Target of Evaluation
TSF TOE Security Functionality
TSFI TOE Security Functionality Interface
Page 9 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
4 Bibliography
[CC1] CCMB-2012-09-001, “Common Criteria for Information Technology Security
Evaluation, Part 1 – Introduction and general model”, Version 3.1, Revision
4, September 2012
[CC2] CCMB-2012-09-002, “Common Criteria for Information Technology Security
Evaluation, Part 2 – Security functional components”, Version 3.1, Revision
4, September 2012
[CC3] CCMB-2012-09-003, “Common Criteria for Information Technology Security
Evaluation, Part 3 – Security assurance components”, Version 3.1, Revision
4, September 2012
[CCRA] “Arrangement on the Recognition of Common Criteria Certificates In the
field of Information Technology Security”, July 2014
[CEM] CCMB-2012-09-004, “Common Methodology for Information Technology
Security Evaluation – Evaluation methodology”, Version 3.1, Revision 4,
September 2012
[LGP1] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione - Descrizione
Generale dello Schema Nazionale - Linee Guida Provvisorie - parte 1 –
LGP1 versione 1.0, Dicembre 2004
[LGP2] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione -
Accreditamento degli LVS e abilitazione degli Assistenti - Linee Guida
Provvisorie - parte 2 – LGP2 versione 1.0, Dicembre 2004
[LGP3] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione - Procedure
di valutazione - Linee Guida Provvisorie - parte 3 – LGP3, versione 1.0,
Dicembre 2004
[NIS1] Organismo di Certificazione della Sicurezza Informatica, Nota Informativa
dello Schema N. 1/13 – Modifiche alla LGP1, versione 1.0, Novembre 2013
[NIS2] Organismo di Certificazione della Sicurezza Informatica, Nota Informativa
dello Schema N. 2/13 – Modifiche alla LGP2, versione 1.0, Novembre 2013
[NIS3] Organismo di Certificazione della Sicurezza Informatica, Nota Informativa
dello Schema N. 3/13 – Modifiche alla LGP3, versione 1.0, Novembre 2013
[SOGIS] “Mutual Recognition Agreement of Information Technology Security
Evaluation Certificates”, Version 3, January 2010
Page 10 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
[BSI-55] BSI-CC-PP-0055-2009, Machine Readable Travel Document with ”ICAO
Application”, Basic Access Control, Version 1.10, 25 March 2009
[BSI-TR] BSI TR-03105 Part 3.2: Advanced Security Mechanisms for Machine
Readable Travel Documents – Extended Access Control (EACv1) Tests for
security implementation, version 1.4.1, April 2014
[CCDB] CCDB-2015-12-001, Supporting Document, Mandatory Technical
Document, Composite product evaluation for Smart Cards and similar
devices, Version 1.4, December 2015
[ETR-COMP] ETR for Composite Evaluation NXP JCOP 3 SECID P60 (OSA) – PL 2/5 –
EAL5+, Brightsight, v1.0, 21 December 2016
[ICAO-P10] ICAO Doc 9303, Machine Readable Travel Documents, Seventh Edition,
2015, Part 10: Logical Data Structure (LDS) for Storage of Biometrics and
Other Data in the Contactless Integrated Circuit (IC)
[ICAO-P11] ICAO Doc 9303, Machine Readable Travel Documents, Seventh Edition,
2015, Part 11: Security Mechanisms for MRTDs
[ICAO-TR] ICAO: Machine Readable Travel Documents – Technical Report – RF
Protocol and Application Test Standard for EMRTD – Part 3: Tests for
Application Pro-tocol and Logical Data Structure, version 2.10, July 2016
[INI] ASapp-eID Applet Initialization Guidance Version 1.0, 14 March 2017,
reference TCAE160083
[NSCIB] Certification Report for “NXP JCOP 3 SECID P60 (OSA) PL2/5”, 21
December 2016, ref. NSCIB-CC-16-99111-CR2
[PER] ASapp-eID Applet Personalization Guidance Version 1.0, 14 March 2017,
reference TCAE160084
[RFV] “ASapp-eID Machine Readable Electronic Document - Basic Access
Control” Evaluation Technical Report, v3.0, 17 August 2017
[TDS] “ASapp-eID Machine Readable Electronic Document - Basic Access
Control” Security Target, v7, 15 August 2017, reference TCAE160088
[USR] ASapp-eID Applet Operational User Guidance Version 1.2, 7 July 2017,
reference TCAE160075
Page 11 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
5 Recognition of the certificate
5.1 European Recognition of CC Certificates (SOGIS-MRA)
The European SOGIS-Mutual Recognition Agreement (SOGIS-MRA, version 3 [SOGIS])
became effective in April 2010 and provides mutual recognition of certificates based on the
Common Criteria (CC) Evaluation Assurance Level up to and including EAL4 for all IT-
Products. A higher recognition level for evaluations beyond EAL4 is provided for IT-
Products related to specific Technical Domains only.
The current list of signatory nations and of technical domains for which the higher
recognition applies and other details can be found on http://www.sogisportal.eu.
The SOGIS-MRA logo printed on the certificate indicates that it is recognised under the
terms of this agreement by signatory nations.
This certificate is recognized under SOGIS-MRA up to EAL4.
5.2 International Recognition of CC Certificates (CCRA)
The current version of the international arrangement on the mutual recognition of
certificates based on the CC (Common Criteria Recognition Arrangement, [CCRA] has
been ratified on 08 September 2014. It covers CC certificates compliant with collaborative
Protection Profiles (cPP), up to and including EAL4, or certificates based on assurance
components up to and including EAL 2, with the possible augmentation of Flaw
Remediation family (ALC_FLR).
The current list of signatory nations and of collaborative Protection Profiles (cPP) and
other details can be found on http://www.commoncriteriaportal.org.
The CCRA logo printed on the certificate indicates that it is recognised under the terms of
this agreement by signatory nations.
This certificate is recognized under CCRA up to EAL2.
Page 12 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
6 Statement of Certification
The Target of Evaluation (TOE) is the product “ASapp-eID Machine Readable Electronic
Document - Basic Access Control”, short name “ASapp-eID-BAC v1.0”, developed by HID
Global / Arjo Systems.
The TOE is a composite product and comprises:
 the Platform “NXP JCOP 3 SECID P60 (OSA) – PL 2/5”, short name “JCOP3
SECID P60”, certified under The Netherland CC Scheme at EAL5+ (augmented
with AVA_VAN.5, ALC_DVS.2, ASE_TSS.2 and ALC_FLR.1) [NSCIB];
 the Application Part of the TOE, an ICAO applet compliant with ICAO Doc 9303
([ICAO-P10] and [ICAO-P11]);
 the associated guidance documentation ([INI], [PER] and [USR]).
Therefore, the evaluation has been conducted using the results of the Platform CC
evaluation [NSCIB] and following the recommendations contained in the document
“Composite product evaluation for Smart Cards and similar devices” [CCDB], as required
by the international agreements CCRA and SOGIS.
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guidelines [LGP1,
LGP2, LGP3] and Scheme Information Notes [NIS1, NIS2, NIS3]. The Scheme is operated
by the Italian Certification Body “Organismo di Certificazione della Sicurezza Informatica
(OCSI)”, established by the Prime Minister Decree (DPCM) of 30 October 2003 (O.J. n.98
of 27 April 2004).
The objective of the evaluation is to provide assurance that the product complies with the
security requirements specified in the associated Security Target [TDS]; the potential
consumers of the product should review also the Security Target, in addition to the present
Certification Report, in order to gain a complete understanding of the security problem
addressed. The evaluation activities have been carried out in accordance with the
Common Criteria Part 3 [CC3] and the Common Evaluation Methodology [CEM].
The TOE resulted compliant with the requirements of Part 3 of the CC v 3.1 for the
assurance level EAL4, augmented with ALC_DVS.2, according to the information provided
in the Security Target [TDS] and in the configuration shown in Annex B of this Certification
Report.
The publication of the Certification Report is the confirmation that the evaluation process
has been conducted in accordance with the requirements of the evaluation criteria
Common Criteria - ISO/IEC 15408 ([CC1], [CC2], [CC3]) and the procedures indicated by
the Common Criteria Recognition Arrangement [CCRA] and that no exploitable
vulnerability was found. However the Certification Body with such a document does not
express any kind of support or promotion of the TOE.
Page 13 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
7 Summary of the evaluation
7.1 Introduction
This Certification Report states the outcome of the Common Criteria evaluation of the
product “ASapp-eID-BAC v1.0” to provide assurance to the potential consumers that TOE
security features comply with its security requirements.
In addition to the present Certification Report, the potential consumers of the product
should review also the Security Target [TDS], specifying the functional and assurance
requirements and the intended operational environment.
7.2 Executive summary
Name of TOE ASapp-eID-BAC v1.0
Security Target ASapp-eID-BAC v1.0 Security Target, v7, 15 August
2017, reference TCAE160088
Evaluation Assurance Level EAL4 augmented with ALC_DVS.2
Developer HID Global / Arjo Systems
Sponsor HID Global / Arjo Systems
LVS Systrans Software Laboratory - CCLAB
CC version 3.1 Rev. 4
PP claim BSI-CC-PP-0055-2009 [BSI-55]
Kickoff date 20 September 2016
Completion date 2 August 2017
The certification results apply only to the version of the product shown in this Certification
Report and only if the operational environment assumptions described in the Security
Target [TDS] are fulfilled.
7.3 Evaluated product
This section summarizes the main functional and security requirements of TOE; for a
detailed description, please refer to the Security Target [TDS].
The TOE “ASapp-eID-BAC v1.0” is an electronic document representing a smart card
programmed according to the requirements and recommendations established by the
International Civil Aviation Organization in ICAO Doc 9303 [ICAO-P10].
The communication between terminal and chip shall be protected by Basic Access Control
(BAC) according to the Protection Profile “Machine Readable Travel Document with ICAO
Applet Basic Access Control” (BAC PP), BSI-CC-PP-0055 [BSI- 55].
Page 14 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
The TOE is a composite product and comprises:
 the Platform "NXP JCOP 3 SECID P60 (OSA) - PL 2/5", short name "JCOP3
SECID P60", certified under The Netherland CC Scheme at EAL5+ (augmented
with AVA_VAN.5, ALC_DVS.2, ASE_TSS.2 and ALC_FLR.1) [NSCIB];
 the Application Part of the TOE, an ICAO applet compliant with ICAO Doc 9303
([ICAO-P10] and [ICAO-P11]);
 the associated guidance documentation:
 Initialization Guidance for ASapp-eID Applet [INI];
 Personalization Guidance for ASapp-eID Applet [PER];
 Operational User Guidance for ASapp-eID Applet [USR].
The intended customer of the product is the issuing State or Organization, who is in
charge of delivering the electronic document to the holders, after storing their personal
data, such as biographical data, printed portrait, etc.
The electronic document is viewed as unit of the “physical” part (in form of paper and/or
plastic and chip), which presents visual readable data, and the “logical” part, where data
are stored according to a Logical Data Structure (LDS) as specified by ICAO [ICAO-P10].
The issuing State or Organization implements security features of the electronic document
to maintain the authenticity and integrity of the document and their data. The physical part
is identified by the document number and protected by physical security measures, while
the logical part is protected in authenticity and integrity by a digital signature created by the
issuing State or Organization.
7.3.1 TOE Architecture
For a detailed description of the TOE, consult the Security Target [TDS], and in particular:
 the physical and logical parts of the TOE are described in par. 1.4.2;
 the TOE life cycle is described in terms of four life cycle phases: development,
manufacturing, personalization and operational use, described in par. 1.5, together
with the operations allowed to users and administrators for each of them.
7.3.2 TOE security features
7.3.2.1 Platform compatibility
Some aspects related to security features of the TOE, including security objectives,
assumptions, threats and organizational security policies, defined in the Security Target,
are covered directly by the Platform. For details see Appendix A of [TDS].
7.3.2.2 Security features
The TOE security features are organized in security services, described in detail in par. 7.1
of [TDS], the most significant aspects are below informally summarized:
Page 15 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
 Agents Identification & Authentication: Access to functions and data of the TOE
is only allowed to authenticated users. The authentication mechanism applied
depends on the system used for operations.
 Data exchange with Secure Messaging: This security service concerns the
creation and the management of a secure communication channel for the sensitive
data exchange between the TOE and the Inspection System. On this channel, the
data will be encrypted and authenticated with session keys such that the TOE is
able to verify the integrity and authenticity of received data.
 Access Control of stored Data Objects: The assets (user data and TSF data) can
only be accessed as defined by the access right written during the personalization
process and allows the access to the TOE identification data in the Personalization
phase. Furthermore, the access conditions allow to differentiate the roles based on
the knowledge of secret keys. Any access not explicitly allowed is denied.
 Life cycle management: It ensures that the TOE life cycle status is set in an
irreversible way to mark the following phases in the given order: manufacturing,
personalization and operational use. The only role allowed to set the life cycle
status is the Personalization Agent.
 Software integrity check of TOE’s assets: The TOE doesn’t allow to analyze,
debug or modify TOE’s software during the operational use. In phase 3 and 4 no
comands are allowed to load executable code.
 Security features provided by the hardware: The TOE benefits of a set of
features provided by the certified IC Platform.
7.4 Documentation
The guidance documentation specified in Annex A is delivered to the customer together
with the product. The intended customer of the product is the issuing State or
Organization, who is in charge of delivering the electronic document to the holders.
The guidance documentation contains all the information for secure initialization,
configuration and secure use the TOE in accordance with the requirements of the Security
Target [TDS].
Customers should also follow the recommendations for the safe use of the TOE contained
in par. 8.2 of this report.
7.5 Protection Profile (PP) claim
The TOE claims strict conformance to the following Protection Profile:
 BSI-CC-PP-0055-2009 [BSI-55], which defines the security objectives and
requirements for the contactless chip of machine readable travel documents
(MRTD) protected by Basic Access Control (BAC).
Being the TOE a general purpose electronic document, in ST all references in the PP to
the use of the TOE for travel have been removed. For the same reason, with respect to the
PP, the acronym “MRTD” has been replaced by the term “e-Document”, the term "travel
Page 16 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
document" has been replaced by the terms "e-Document" or "electronic document", and
the term "traveler" has been replaced by the terms "user" or "presenter".
7.6 Functional and assurance requirements
All Security Assurance Requirements (SAR) have been selected from CC Part 3 [CC3].
Please refer to the Security Target [TDS] for the complete description of all security
objectives, the threats that these objectives should address, the Security Functional
Requirements (SFR) and the security functions that realize the same objectives.
All the Security Functional Requirements (SFR) have been selected or derived by
extension from CC Part 2 [CC2]. In particular, considering that the Security Target claims
strict conformance to the PP [BSI-55], all extended components from such a PP are
included: FAU_SAS, FCS_RND, FMT_LIM and FPT_EMSEC.
7.7 Evaluation conduct
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guideline [LGP3] and
the Scheme Information Note [NIS3] and in accordance with the requirements of the
Common Criteria Recognition Arrangement [CCRA].
Therefore, considering that the TOE is a composite product, the evaluation has been
conducted following the recommendations contained in the document “Composite product
evaluation for Smart Cards and similar devices” [CCDB], as required by the international
agreements CCRA and SOGIS. In particular, the penetration tests have been completed in
July 2017, within 18 months from the Platform vulnerability analysis (December 2016, the
reference date indicated in the relevant evaluation [ETR-COMP]).
The purpose of the evaluation is to provide assurance on the effectiveness of the TOE to
meet the requirements stated in the relevant Security Target [TDS]. Initially the Security
Target has been evaluated to ensure that constitutes a solid basis for an evaluation in
accordance with the requirements expressed by the standard CC. Then, the TOE has
been evaluated on the basis of the statements contained in such a Security Target. Both
phases of the evaluation have been conducted in accordance with the CC Part 3 [CC3]
and the Common Evaluation Methodology [CEM].
The Certification Body OCSI has supervised the conduct of the evaluation performed by
the evaluation facility (LVS) Systrans CCLAB.
The evaluation was completed on 2 August 2017 with the issuance by LVS of the
Evaluation Technical Report [RFV], which was approved by the Certification Body on
August 30, 2017. Then, the Certification Body issued this Certification Report.
7.8 General considerations on the validity of the certification
The evaluation focused on the security features declared in the Security Target [TDS], with
reference to the operating environment specified therein. The evaluation has been
performed on the TOE configured as described in Annex B. Potential customers are
Page 17 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
advised to check that this corresponds to their own requirements and to pay attention to
the recommendations contained in this Certification Report.
The certification is not a guarantee that no vulnerabilities exist; it remains a probability (the
smaller the higher the assurance level) that exploitable vulnerabilities can be discovered
after the issuance of the certificate. This Certification Report reflects the conclusions of the
certification at the time of issuance. Potential customers are invited to check regularly the
arising of any new vulnerability after the issuance of this Certification Report, if the
vulnerability can be exploited in the operational environment of the TOE, check with the
developer if security updates have been developed and if those updates have been
evaluated and certified.
Page 18 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
8 Evaluation outcome
8.1 Evaluation results
Following the analysis of the Evaluation Technical Report [RFV] issued by the LVS
Systrans CCLAB and documents required for the certification, and considering the
evaluation activities carried out, the Certification Body OCSI concluded that TOE “ASapp-
eID-BAC v1.0" meets the requirements of Part 3 of the Common Criteria [CC3] provided
for the evaluation assurance level EAL4, augmented with ALC_DVS.2, with respect to the
security features described in the Security Target [TDS] and the evaluated configuration,
shown in Annex B.
Table 1 summarizes the final verdict of each activity carried out by the LVS in accordance
with the assurance requirements established in [CC3] for the evaluation assurance level
EAL4, augmented with ALC_DVS.2.
Assurance classes and components Verdict
Security Target evaluation Classe ASE Pass
Conformance claims ASE_CCL.1 Pass
Extended components definition ASE_ECD.1 Pass
ST introduction ASE_INT.1 Pass
Security objectives ASE_OBJ.2 Pass
Derived security requirements ASE_REQ.2 Pass
Security problem definition ASE_SPD.1 Pass
TOE summary specification ASE_TSS.1 Pass
Development Classe ADV Pass
Security architecture description ADV_ARC.1 Pass
Complete functional specification ADV_FSP.4 Pass
Implementation representation of the TSF ADV_IMP.1 Pass
Basic modular design ADV_TDS.3 Pass
Guidance documents Classe AGD Pass
Operational user guidance AGD_OPE.1 Pass
Preparative procedures AGD_PRE.1 Pass
Life cycle support Classe ALC Pass
Production support, acceptance procedures and
automation
ALC_CMC.4 Pass
Problem tracking CM coverage ALC_CMS.4 Pass
Page 19 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
Assurance classes and components Verdict
Delivery procedures ALC_DEL.1 Pass
Sufficiency of security measures ALC_DVS.2 Pass
Developer defined life-cycle model ALC_LCD.1 Pass
Well-defined development tools ALC_TAT.1 Pass
Test Classe ATE Pass
Analysis of coverage ATE_COV.2 Pass
Testing: basic design ATE_DPT.1 Pass
Functional testing ATE_FUN.1 Pass
Independent testing - sample ATE_IND.2 Pass
Vulnerability assessment Classe AVA Pass
Focused vulnerability analysis AVA_VAN.3 Pass
Table 1 – Final verdicts for assurance requirements
8.2 Recommendations
The conclusions of the Certification Body OCSI are summarized in Section 6 – Statement
of certification.
Potential customers of the product "ASapp-eID-BAC v1.0" are suggested to properly
understand the specific purpose of certification reading this Certification Report together
with the Security Target [TDS].
The TOE must be used according to the Security Objectives for the operational
environment specified in par. 4.2 of the Security Target [TDS]. It is assumed that, in the
operating environment of the TOE, all the assumptions and the organizational security
policies described in the TDS are respected, particularly those compatible with the
Platform HW (see [TDS] Appendix A).
This Certification Report is valid for the TOE in the evaluated configuration; in particular,
Annex A includes a number of recommendations relating to delivery, initialization,
configuration and safe use of the product, according to the guidance documentation
provided together with the TOE ([INI], [PER] and [USR]).
Page 20 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
9 Annex A – Guidelines for the safe use of the product
This annex provides considerations particularly relevant to the potential customers of the
product.
9.1 Delivery
Since the TOE is a composite product, the delivery procedures entail interactions between
the application developer (HID Global / Arjo Systems) and the Platform manufacturer
(NXP).
In particular, the platform manufacturer implements the application in the integrated circuit
and activates the process of initialization and customization, with the cooperation of the
application developer. The document just created, encrypted with a special transport key,
is delivered to the customer, i.e. the Card Issuer (State or other Organization) of the
electronic document, by a trusted express courier. If the document is lost, however, it
cannot be altered, since, after the application is loaded and configured, it becomes read-
only. Finally, the Card Issuer delivers the individual documents to the holders personally at
the official issuer site, or sending by post, according to the local regulations.
The application developer HID Global / Arjo Systems is responsible for the maintenance of
the security aspects (integrity, confidentiality, availability).
More detail on such a procedure are contained in:
 Initialization Guidance for ASapp-eID Applet [INI];
 Personalization Guidance for ASapp-eID Applet [PER].
9.2 Initialization and secure use of the TOE
The secure initialization of the TOE and the safe preparation of its operational environment
in accordance with the security objectives specified in [TDS], should be done by following
the instructions in the appropriate sections of the guidance documentation:
 Initialization Guidance for ASapp-eID Applet [INI];
 Personalization Guidance for ASapp-eID Applet [PER];
 Operational User Guidance for ASapp-eID Applet [USR].
Page 21 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
10 Annex B – Evaluated configuration
The Target of Evaluation (TOE) is the product “ASapp-eID Machine Readable Electronic
Document - Basic Access Control”, short name “ASapp-eID-BAC v1.0”, developed by HID
Global / Arjo Systems.
The TOE is a composite product and comprises the following HW/SW components,
representing the evaluated configuration of the TOE, as reported in [TDS], to which the
evaluation results apply.
 the Platform “NXP JCOP 3 SECID P60 (OSA) – PL 2/5”, short name “JCOP3
SECID P60”, certified under The Netherland CC Scheme at EAL5+ (augmented
with AVA_VAN.5, ALC_DVS.2, ASE_TSS.2 and ALC_FLR.1) [NSCIB], which in
turn consists of:
 the circuitry of the e-Document’s chip NXP P6022J VB;
 the IC Dedicated Software with the parts IC Dedicated Test Software and IC
Dedicated Support Software;
 the IC Embedded Software (JCOP3 OSA).
 the Application Part of the TOE, an ICAO applet compliant with ICAO Doc 9303
([ICAO-P10] and [ICAO-P11]);
 the associated guidance documentation:
 Initialization Guidance for ASapp-eID Applet [INI];
 Personalization Guidance for ASapp-eID Applet [PER];
 Operational User Guidance for ASapp-eID Applet [USR].
Page 22 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
11 Annex C – Test activity
This annex describes the task of both the evaluators and the developer in testing activities.
For the assurance level EAL4, augmented with ALC_DVS.2, such activities include the
following three steps:
 evaluation of the tests performed by the developer in terms of coverage and level of
detail;
 execution of independent functional tests by the evaluators;
 execution of penetration tests by the evaluators.
11.1 Test configuration
For the execution of these activities a test environment has been placed at the LVS site
with the support of the developer, which provided the necessary resources. In particular,
the test configuration consists of the test card, a test card reader connected to the test PC,
running the test cases, developed for KEOLABS SCRIPTIS environment.
Before the tests, the software application has been initialized and configured in
accordance with the guidance documentation ([INI], [PER] and [USR]), as indicated in par
9.2.
Moreover, considering that the TOE is a composite product, the recommendations
contained in the document [CCDB] have been followed. In particular, the hardware
platform has already been certified and the results were reused from LVS, who was able to
directly evaluate the software application.
11.2 Functional tests performed by the developer
11.2.1 Test coverage
The test plan presented by the developer has been largely based on the following
reference documents, normally used for products such as electronic passports and similar:
 ICAO: Machine Readable Travel Documents – Technical Report – RF Protocol and
Application Test Standard for EMRTD – Part 3: Tests for Application Pro-tocol and
Logical Data Structure, version 2.10, July 2016 [ICAO-TR];
 BSI TR-03105 Part 3.2: Advanced Security Mechanisms for Machine Readable
Travel Documents – Extended Access Control (EACv1) Tests for security
implementation, version 1.4.1, April 2014 [BSI-TR].
In addition, the developer designed independently other additional tests in order to
demonstrate the complete coverage of the functional requirements SFR and of the security
functions.
Page 23 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
11.2.2 Test results
The evaluators executed a series of tests, a sample chosen from those described in the
test plan presented by the developer, positively verifying the correct behavior of the TSFI
and correspondence between expected results and achieved results for each test.
11.3 Functional and independent tests performed by the evaluators
Therefore, the evaluators have designed independent testing to verify the correctness of
the TSFI.
They did not used testing tools in addition to the specific components of the TOE that
allowed to check all TSFI selected for independent testing.
In the design of independent tests, the evaluators have considered aspects that in the
developer test plan were not present or ambiguous or inserted in more complex tests,
which covered a mix of interfaces but with a level of detail not adequate.
The evaluators also designed and executed some tests independently from similar tests of
the developer, based only on the evaluation documentation.
Finally, considering that the TOE is a composite product, the behavior of the TOE as a
whole has been verified, carrying out the additional activities specified in the family
ATE_COMP, according to the document [CCDB].
All tests performed by independent evaluators generated positive results.
11.4 Vulnerability analysis and penetration tests
For the execution of these activities the same test environment already used for the
activities of the functional tests has been used (see. par. 11.1).
The evaluators have first verified that the test configurations were consistent with the
version of the TOE under evaluation, that is indicated in the [TDS], par. 1.4.
In a first phase, the evaluators have conducted researches using various sources in the
public domain, such as Internet, books, publications, conference proceedings, including
the various editions of ICCC, JIL and CCDB documents, etc., in order to identify known
vulnerabilities applicable to types of products similar to the TOE, i.e. electronic documents
eMRTD. They identified several potential vulnerabilities, most of which, however, refer to
the hardware platform already certified EAL5+, and therefore not exploitable with the
Enhanced-Basic potential attack belongs to AVA_VAN.3.
In a second step, the evaluators examined the evaluation documentation (Security Target,
functional specification, TOE design, security architecture and operational documentation,
including the Platform) to identify any additional potential vulnerabilities of the TOE. From
this analysis, together with the source code examination, the evaluators have actually
determined the presence of other potential vulnerabilities; however, also in this case, most
of them have already been considered during the evaluation of the Platform, as
documented in the relevant Final Report [ETR-COMP].
Page 24 of 24 OCSI/CERT/SYS/09/2016/RC Vers. 1.0
Then, the evaluators have analyzed in detail the potential vulnerabilities identified in the
two previous steps, to ensure their effective exploitability in the TOE operating
environment. This analysis led to identify some actual potential vulnerabilities.
Therefore, the evaluators have designed some possible attack scenarios, with Enhanced-
Basic attack potential, and penetration tests to verify the exploitability of the vulnerabilities
potential candidates. The penetration tests have been described with sufficient detail for
their repeatability using for this purpose test sheets, also used, appropriately compiled with
the results, as the report of the tests themselves.
Moreover, considering that the TOE is a composite product, the behavior of the TOE as a
whole has been verified, carrying out the additional activities specified in the family
AVA_COMP, according to the document [CCDB].
On the basis of the penetration tests, the evaluators have actually found that no attack
scenario with potential Enhanced-Basic can be completed successfully in the operating
environment of the TOE as a whole. Therefore, none of the previously identified potential
vulnerabilities can be exploited effectively. They have not identified residual vulnerabilities,
i.e. vulnerabilities that, although not exploitable in the operating environment of the TOE,
could only be exploited by an attacker with attack potential higher than Enhanced-Basic.