N-PosCore v.1.1.0.0 Security Target
EnPOS Bilişim
Version Number 1.3

Table of Contents
1. ST INTRODUCTION ... 6
1.1. ST Reference and TOE Reference ... 6
1.1.1. Document Conventions, Terminology & Acronyms ... 6
1.1.2. Conventions ... 6
1.1.3. Acronyms ... 7
1.2. TOE Overview ... 8
1.2.1. General overview of the TOE and related components ... 9
1.2.2. Required non-TOE hardware/software/firmware ... 11
1.2.3. Major security and functional features ... 14
1.3. TOE Type ... 15
1.4. TOE Description ... 15
1.4.1. Physical Scope ... 15
1.4.2. Logical Scope ... 16
2. CONFORMANCE CLAIM ... 18
2.1. CC Conformance Claim ... 18
2.2. PP and Package Claim ... 18
2.2.1. Protection Profile (PP) Claim ... 18
2.2.2. Package Claim ... 18
2.3. Conformance Claim Rationale ... 18
3. SECURITY PROBLEM DEFINITION ... 19
3.1. TOE Security Policy ... 19
3.1.1. External Entities ... 19
3.1.2. Roles ... 20
3.1.3. Modes of FCR ... 21
3.1.4. Assets ... 21
3.2. Threats ... 23
3.3. OSP ... 25
3.4. Assumptions ... 27
4. SECURITY OBJECTIVES ... 29
4.1. Security Objectives for the TOE ... 29
4.2. Security Objectives for the Operational Environment ... 30
4.3. Security Objective Rationale ... 31
5. EXTENDED COMPONENT DEFINITION ... 36
6. SECURITY REQUIREMENTS ... 37
6.1. Security Functional Requirements for the TOE ... 37
6.1.1. Class FAU Security Audit ... 37
6.1.2. Class FCO Communication ... 38
6.1.3. Class FCS Cryptographic Support ... 39
6.1.4. Class FDP User Data Protection ... 43
6.1.5. Class FIA Identification and Authentication ... 50
6.1.6. Class FMT Security Management ... 52
6.1.7. Class FPT Protection of the TSF ... 57
6.1.8. Class FTP Trusted Path/Channels ... 61
6.2. Security Assurance Requirements for the TOE ... 62
6.3. Security Requirements Rationale ... 62
6.3.1. Security Functional Requirements Rationale ... 62
6.3.2. Rationale for Security Functional Requirements dependencies ... 76
6.3.3. Security Assurance Requirements Rationale ... 80
6.3.4. Security Requirements - Internal Consistency ... 81
7. TOE SUMMARY SPECIFICATIONS ... 82
7.1. Event Log Function ... 82
7.2. Cryptographic Operation ... 82
7.3. Identification and Authentication Function ... 83
7.4. Access Control Function ... 83
7.5. Data Integrity Function ... 84
7.6. Import/Export Function ... 84
7.7. TSF Protection ... 84
7.8. TOE Self-Testing Function ... 85
7.9. TSF Management Function ... 85
Version History

Version No   Reason for Change                                                  Release Date
0.1          First Release                                                      11/12/2013
0.2          Prepared for Evaluation Application                                15/04/2014
0.3          Updated according to the remarks of the evaluation facility        03/06/2014
0.4          EFT-POS Communication requirements introduced                      13/08/2014
0.5          Updated according to the Protection Profile                        25/11/2014
0.6          Updated according to the Protection Profile                        16/12/2014
0.7          Updated according to the Protection Profile v1.8                   31/12/2014
0.8          Updated according to the remarks from the evaluation facility      05/12/2014
0.9          Updated according to the remarks from the evaluation facility      09/01/2015
1.0          Updated according to the remarks from the evaluation facility      14/01/2015
1.1          Updated according to the changes in TDS                            19/01/2015
1.2          Application Note added to TSF self tests                           20/01/2015
1.3          Updated according to the remarks from the evaluation facility      23/03/2015

Approvals

Name            Role                              Date
Mehmet ÇAKIR    ST Author (BEAM Teknoloji)        23.03.2015
Emre ÇAKIR      ST Author (BEAM Teknoloji)        23.03.2015
Yalçın TAMA     ST Author (EnPOS Bilişim)         23.03.2015

1. ST INTRODUCTION
This section presents the following information:
- Identifies the Security Target (ST) and Target of Evaluation (TOE);
- Specifies the ST conventions;
- Defines the terminology and acronyms used in the ST;
- Gives the TOE overview and TOE description.

1.1. ST Reference and TOE Reference
ST Title: N-PosCore v.1.1 Security Target
ST Version: v 1.3
TOE Identification: N-PosCore v.1.1
CC Identification: Common Criteria for Information Technology Security Evaluations, version 3.1R4
Technical References:
[5] Technical Guidance, version 1.0, October 2012
[6] PRA Messaging protocol, version 1.0, October 2012
[7] External Device Communication Protocol Document, version 1.0
Keywords: Revenue Administration, Fiscal Application Software, New Generation Cash Register, EMV, EFT-POS, PRA, Electronic Registration Unit.
Table 1 ST and TOE References

1.1.1. Document Conventions, Terminology & Acronyms
This section specifies the formatting information used in the ST.

1.1.2. Conventions
In this Security Target, some notations and conventions taken from the Common Criteria v3.1R3 are used to guide the reader. During the specification of the functional requirements under Section 4, the functional components are interpreted according to the “assignment” and “selection” operations.
The outcome of an assignment operation is shown underlined and enclosed in “[brackets]”. The outcome of a selection operation is shown in bold italic and enclosed in “[brackets]”. Iterated functional requirement components, i.e. components used more than once with varying operations, are marked with a “/IDENTIFIER” suffix. Refinement operations are used in the ST; removed parts of a requirement are shown with strikethrough. Under the heading “Application Note”, an informal explanation is added below some of the functional requirements to highlight or describe the component in detail.

1.1.3. Acronyms
AES : Advanced Encryption Standard
CC : Common Criteria
CCMB : Common Criteria Management Board
DEMA : Differential Electromagnetic Analysis
DFA : Differential Fault Analysis
DPA : Differential Power Analysis
EAL : Evaluation Assurance Level (defined in CC)
EFTPOS : Electronic Funds Transfer at Point of Sale
ERU : Electronic Recording Unit
FCR : Fiscal Cash Register
FCRAS : Fiscal Cash Register Application Software
IT : Information Technology
ITU : International Telecommunication Union
OSP : Organizational Security Policy
PP : Protection Profile
PKI : Public Key Infrastructure
PRA : Presidency of Revenue Administration
PRA-IS : Presidency of Revenue Administration Information Systems
SAR : Security Assurance Requirements
SEMA : Simple Electromagnetic Analysis
SFR : Security Functional Requirements
SHA : Secure Hash Algorithm
SPA : Simple Power Analysis
SSL - CA : Secure Sockets Layer - Client Authentication
TOE : Target of Evaluation
TSF : TOE Security Functionality (defined in CC)
TSE : Türk Standartları Enstitüsü
TSM : Trusted Service Manager
VAT : Value Added Tax
FMC : Peripheral’s control card of TOE

1.2. TOE Overview
The TOE addressed by this Security Target (ST) is an application which is the main item of a Fiscal Cash Register (FCR). The TOE is used to process the transaction amounts of purchases, which can be viewed by both seller and buyer. Since transaction amounts are used to determine tax revenues, secure processing, storage and transmission of this data is very important.
The FCR is mandatory for first- and second-class traders. The FCR is not mandatory for sellers who sell goods back to their previous seller in exactly the form in which they were purchased.
An FCR consists of several parts. The TOE, named N-PosCore, is the main item of the FCR; the additional components needed for a fully functional FCR are described in Section 1.2.2. The components related to the TOE are shown in Figure 1.
Usage and major security features of the TOE are described in Section 1.2.3.
N-PosCore v.1.1 (TOE) is used as the fiscal application software for FCR devices that satisfy the operational environment requirements and component properties defined in this Security Target. In addition to the security functions stated in this document, the TOE provides the following functionality:
- Dynamic promotion support
- Detailed product description for the goods on sale
- User-friendly interface designed with the user experience in mind
- Single-click sales via touch screen
- On-line and off-line execution
- Receipt upon completion of transaction
- Customizable user screen and receipt templates
- Additional fields at the end of receipts
- Alerting of users in defined circumstances
- Advanced product search capabilities supporting single-click sales
- N-PosCore aided Z-Reports at the end of the day
- Unlimited definition of cash in/out process types
- Sales in 6 different foreign currencies
- Exporting a receipt to an invoice
- Automated preparation of expense invoices
- Unlimited number of authorized users
- Follow-up of incentives for authorized users based on sales
- Exporting sales reports per authorized user
- Detailed reporting for the data in Daily Memory, Fiscal Memory and ERU.

1.2.1. General overview of the TOE and related components
Figure 1 shows the general overview of the TOE and its related components as regarded in this ST. The orange part of Figure 1, marked as Fiscal Application Software, is the TOE. The figure also shows the input/output interface, fiscal memory, daily memory, database, ERU and fiscal certificate memory; these are the TOE’s environmental components and are crucial for functionality and security. Connections between the TOE and its environment are also subject to evaluation, since these connections are made over the interfaces of the TOE.
Figure 1 General Architecture of the TOE

1.2.2. Required non-TOE hardware/software/firmware
The software and hardware environment of the TOE are described below.

1.2.2.1. Software Environment of TOE
The TOE runs on top of an operating system’s kernel and its file system, as in a typical software environment. This structure is shown in Table 1.

Table 1 Typical Software Environment of the TOE
  File System
  Operating System Kernel

In addition to the TOE, the following software components are necessary for the security and functionality of the FCR:
- The application runs on Windows 7 or higher, which supports the following features:
  - at least 32-bit data processing capacity
  - multi-processing
  - IPv4 and IPv6 support
  - NTP (Network Time Protocol)
- An MSSQL 2008 Express or higher database, used to store sales data, with the following features:
  i. The database has data recording, organizing, querying and reporting features
  ii. The database stores sales records for main product groups (food, clothing, electronics, glassware etc.) and sub-product groups (milk, cigarettes, fruit, trousers etc.) in order to track detailed statistics
  iii. The database has an indexing mechanism

1.2.2.2. Hardware Environment of TOE
In addition to the TOE, the following hardware components are necessary for the security and functionality of the FCR:
- Fiscal memory
  i. Fiscal memory has the following features:
    a. Fiscal memory has the capacity to store at least 10 years (3650 days) of data,
    b. Fiscal memory keeps data for at least 5 years after the capacity specified in (a) has been reached,
    c. Fiscal memory has to be fixed within the FCR in a way that it cannot be removed without damaging the chassis,
    d. Fiscal memory is protected by a mesh cover,
    e. Fiscal memory has the ability to be protected against magnetic and electronic threats. When the connection between fiscal memory and main processor is broken, the FCR enters maintenance mode,
    f. The data stored in the fiscal memory is not lost in case of power off,
    g. Fiscal memory accepts only positive amounts from the application and the peripherals,
    h. The FCR checks "Z" reports in fiscal memory during device start-up. If there are days for which a Z report was not generated, the FCR is able to run in normal mode only after it generates Z reports for the missing days. Seasonal firms can take a cumulative Z report by specifying a date and time range.
  ii. Fiscal memory includes the following data:
    a. Fiscal symbol, company code and identification number of the device,
    b. Cumulative sum of the total sales and Value Added Tax (VAT) amounts for all sales receipts, starting from the device activation time (i.e. first use),
    c. Date and number of "Z" reports with total sales and VAT per day,
    d. The number of receipts per day.
- Daily memory has the following features:
  i. Receipt total and total VAT amount for each receipt are stored in the daily memory instantly. This data can be transmitted to PRA information systems (PRA-IS) instantly or daily, depending on demand.
  ii. Data in the daily memory which has not yet been transmitted to fiscal memory cannot be modified in an uncontrolled way.
  iii. Data transmitted from daily memory to fiscal memory is kept in daily memory for at least 10 days.
  iv. Z reports, taken at the end of the day, and X reports, taken within the current day, are produced using the data in the daily memory.
  v. The following values are stored in the daily memory:
    a. total VAT amount per day,
    b. total daily sales values per day, grouped by payment type,
    c. payment type (cash, credit card etc.),
    d. number of receipts.
- The FCR supports X.509 formatted digital certificates generated by an Authorized Certificate Authority. This Public Key Infrastructure (PKI) compatible digital certificate is called the fiscal certificate and is used for authentication and secure communication between PRA-IS and the FCR through the Trusted Service Manager (TSM). For physical security, the FCR is protected by electronic and mechanical systems called the electronic seal. The FCR uses a cryptographic library for secure communication with PRA-IS and TSM.
- The Electronic Record Unit (ERU) is used to keep a second copy of the receipt and has the following features:
  i. The ERU stores information about receipts and reports (X, Z) in a retrievable form.
  ii. The ERU has at least 1.2 million row capacity. Our ERU has a minimum capacity of 3.187.297 rows.
  iii. Data stored in the ERU cannot be modified.
  iv. The ERU also supports the features specified in “Fiscal Cash Register General Communique Serial Number: 67, Part A”, which concerns Law No. 3100, except item (ii) above.
- FCR devices have an Ethernet interface.
- The FCR has a Windows firewall to control incoming and outgoing data traffic.
- The FCR supports the use of EFTPOS.
- The FCR has a printer to print sales receipts.
- The FCR needs some input/output devices for the functionalities listed below:
  i. The FCR has a keyboard unit. It may optionally use a touch screen in addition.
  ii. The FCR has separate displays for cashier and buyer.
  iii. The FCR has an internal battery to keep time information.

1.2.3. Major security and functional features
The functional and major security features of the TOE are described below.

1.2.3.1. TOE functional features
The TOE is used as part of an FCR, which is an electronic device for calculating and recording sales transactions and for printing receipts. The TOE provides the following services:
i. The TOE stores sales data in fiscal memory.
ii. The TOE stores the total receipt and total VAT amount for each receipt in daily memory.
iii. The TOE is able to generate reports (X report, Z report etc.).
iv. The TOE is able to transmit Z reports, receipt information, sales statistics and other information determined by PRA to PRA-IS in PRA Messaging Protocol format.
v. The TOE is able to start communication with PRA-IS and to respond instantly to requests originated by PRA-IS.
vi. The TOE stores records of important events as stated in the PRA Messaging Protocol Document [6] and transmits them to PRA-IS in PRA Messaging Protocol format in a secure way.
vii. The TOE is able to be used by users in secure state mode or maintenance mode. Roles and modes of operation are described in Sections 3.1.2 and 3.1.3 respectively.

1.2.3.2. TOE major security features
The TOE provides the following security features:
i. The TOE supports access control.
ii. The TOE supports secure communication between main processor and fiscal memory. However, in cases where the main processor and the fiscal memory are included within the same electronic seal, secure communication is not mandatory. The TOE is able to detect disconnection between main processor and fiscal memory and to enter maintenance mode.
iii. The TOE supports the use of ITU X.509 v3 formatted certificates and their protected private keys for authentication and secure communication with PRA-IS and TSM.
iv. The TOE supports secure communication between FCR and PRA-IS and between FCR and TSM.
v. The TOE ensures the integrity of event data, sales data, authentication data, characterization data and FCR parameters.
vi. The TOE records important events defined in the PRA Messaging Protocol Document [6] and sends urgent event data immediately to PRA-IS in a secure way.
vii. The TOE detects physical attacks on the FCR and enters maintenance mode in such cases.

1.3. TOE Type
The TOE is a software application embedded within the FCR.

1.4. TOE Description

1.4.1. Physical Scope
The following functional components of the TOE are within the scope of this evaluation:
- User Management
- CORE FCRAS Functionalities
- AKIS Integration
- Event Logging
- Fiscal Memory, ERU, Main Unit and Daily Memory Communication via FMC
- Entity Framework
- TSM and PRA-IS Communication according to GMP
- Printer Management
The connections between the control cards in the fiscal unit and the CPU and memories on those cards are shown in the diagram below.

1.4.2. Logical Scope
The logical scope of the TOE consists of the security functional features of the fiscal application software which are subject to the Common Criteria evaluation. The following security functions are in the logical scope of the TOE:
- Audit/Event Log: The function which generates and stores event data according to the PRA Messaging Protocol and the SFRs stated in this Security Target.
- Cryptography: The cryptographic libraries used by the TSF for cryptographic operations such as encryption and decryption of imported and exported data. This function also covers key generation and destruction.
- Identification and Authentication: The TOE has various user roles and access rights during normal operation, and an identification and authentication function controls user identification and authentication securely.
- Access Control: Access rights in the TOE are controlled by access control policies and functions. This function is enforced during authentication and data export. The TOE also enforces an information flow control policy for EFTPOS and TSM.
- Data Integrity: The TOE protects the integrity of stored and exported data with the support of the TSF.
- Import/Export: Data import and export are handled securely according to an enforced policy under the control of the TSF.
- TSF Protection: The TSF protects secure operation, and in any of the defined cases of corruption the TOE switches to maintenance mode to continue protecting its core functionality.
- TOE Self Testing: The TOE conducts self tests of its functionality during initial start-up.
- Security Management: The TSF provides the security functions and restricts access to these functions to the specific capabilities defined in this Security Target.

2. CONFORMANCE CLAIM

2.1. CC Conformance Claim
This Security Target and TOE claim conformance to:
- Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1, Revision 4, September 2012,
- Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1, Revision 4, September 2012,
- Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1, Revision 4, September 2012,
as follows:
- Part 2 conformant,
- Part 3 conformant.
The Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, CCMB-2012-09-004, Version 3.1, Revision 4, September 2012 has to be taken into account.

2.2. PP and Package Claim

2.2.1. Protection Profile (PP) Claim
This Security Target claims conformance to the New Generation Fiscal Application Software Protection Profile TSE-CCCS/PP-006.

2.2.2. Package Claim
The current ST is conformant to the following security requirements package:
- Assurance package EAL2, conformant to CC Part 3.

2.3. Conformance Claim Rationale
The type of TOE defined in this ST is consistent with the TOE type defined in the PP claimed in Section 2.2.1.

3. SECURITY PROBLEM DEFINITION

3.1. TOE Security Policy

3.1.1. External Entities

PRA-IS
PRA-IS takes sales data and event data from the FCR by sending queries with parameters to the FCR through TSM.

Trusted Service Manager
TSM is the system used to load parameters, update software and manage the FCR.

Attacker
An attacker tries to manipulate the TOE in order to change its expected behaviour and functionality. An attacker tries to breach the confidentiality, integrity and availability of the FCR.

PRA On-site Auditor
The PRA On-site Auditor is an employee of PRA who performs on-site audits to check the existence of expected FCR functionalities by using the rights of the FCR Authorized User.

Certificate storage
The certificate storage holds the certificates and private key used for authentication and secure communication. Certificate storage is protected inside the physical and logical tampering system.

Time Information
The FCR gets time information from a trusted server. Time information is used during receipt, event, fiscal memory record, daily memory record and ERU record creation, and is also used when sending information to PRA-IS according to the FCR Parameters.

Audit storage
Audit storage can be any appropriate memory unit in the FCR. Audit storage stores important events according to their criticality level (urgent, high, warning and information). The list of events can be found in the PRA Messaging Protocol Document [6].

Storage unit
The storage units of the FCR are the database, fiscal memory, daily memory and ERU.

Input interface
Input interfaces provide the necessary input data from input devices to the TOE. Input devices for the FCR may be a keyboard, barcode reader, QR code (matrix barcode) reader, order tracking device and global positioning device.
External Device
An external device is a device used to communicate with the FCR over a secure channel according to the External Device Communication Protocol Document [7].

Main Unit
The Main Unit is an external device used for the following actions:
- Provides a visual interface for fiscal transactions,
- Provides an input interface for fiscal transactions,
- Provides secure communication with the TOE according to the External Device Communication Protocol Document [7].

Output interface
Output interfaces deliver the outputs of the TOE to the output devices. Output devices for the FCR may be a printer, display etc.

3.1.2. Roles

FCR Authorised User
The FCR Authorised User is the user who uses the functions of the FCR and operates the FCR by accessing the device through an authentication mechanism.

Authorised Manufacturer User
The Authorised Manufacturer User works for the FCR manufacturer and conducts maintenance work on the FCR.

3.1.3. Modes of FCR

Maintenance Mode: Maintenance Mode is the mode that allows only the Authorized Manufacturer User to fix the FCR in case of any technical problem, to change date and time information, to review event data and to start the update operation of the TOE. The FCR does not allow any fiscal transaction in maintenance mode. The FCR enters this mode when any of the following occurs:
- FCR Certificate check fails,
- Mesh cover monitoring check fails,
- A disconnection between fiscal memory and main processor occurs,
- The electronic seal is opened or forced by unauthorized persons,
- A technical problem is determined by the FCR Manufacturer.

Secure State Mode: Secure State Mode is the mode that allows the FCR Authorized User:
- to configure the FCR,
- to take fiscal and FCR reports.

3.1.4. Assets

Sensitive data
Sensitive data is used for secure communication with PRA-IS and TSM. The confidentiality and integrity of this asset need to be protected.
Application Note 1: Sensitive data may consist of symmetric keys.
Event data
Event data is used to obtain information about important events saved in audit storage. The integrity of this asset is crucial while it is stored in the FCR, and both integrity and confidentiality of this asset are important while it is transferred from the TOE to PRA-IS. Event data is categorized in the PRA Messaging Protocol Document [6].

Sales data
Sales data is stored in the storage unit. Sales data is required by PRA-IS to calculate the tax amount and to provide detailed statistics about sales. The integrity of this asset has to be protected while it is stored in the FCR, and both integrity and confidentiality have to be protected while it is transferred from the TOE to PRA-IS.

Characterization data (Identification data for devices)
Characterization data is a unique number assigned to each FCR by the manufacturer. PRA-IS uses characterization data in system calls to acquire the sales data or event data of an FCR. The integrity of this asset has to be protected.

Authentication data
Authentication data contains the authentication information required for the FCR Authorized User and the Authorized Manufacturer User to gain access to FCR functionalities. Both integrity and confidentiality of this asset have to be protected.

Time Information
Time information is stored in the FCR and synchronized with a trusted server. Time information is important when logging important events and sending reports to PRA-IS. The integrity of this asset has to be protected.

FCR Parameters
FCR parameters stored in the FCR are updated by TSM after a Z report is printed. FCR parameters set:
- Sales and event data transfer time
- Criticality level of event data sent to PRA-IS
- Maximum number of days that the FCR will work without communicating with PRA-IS

3.2. Threats
Threats averted by the TOE and its environment are described in this section.
The threats described below result from the assets protected or stored by the TOE, or from the usage of the TOE with its environment.

T.AccessControl
Adverse action: Authenticated users could try to use functions which are not allowed to them (e.g. FCR Authorized Users accessing FCR Manufacturer User management functions).
Threat agent: An attacker who has basic attack potential and has physical and logical access to the FCR.
Asset: Event data, sales data, time information.

T.Authentication
Adverse action: Unauthorized users could try to use FCR functions.
Threat agent: An attacker who has basic attack potential and has logical and physical access to the FCR.
Asset: Sales data, event data, time information.

T.MDData - Manipulation and disclosure of data
Adverse action: This threat deals with four types of data: event data, sales data, characterization data and FCR parameters.
- An attacker could try to manipulate the event data to hide their actions, unauthorized access to the FCR, failure reports and deletion of logs. An attacker could also try to disclose important events while they are transmitted between PRA-IS and the FCR.
- An attacker could try to manipulate or delete the sales data generated by the TOE, which may result in tax fraud. In addition, an attacker could also try to disclose sales data while it is transmitted between PRA-IS and the FCR. Manipulation and deletion of sales data may also be caused by magnetic and electronic reasons.
- An attacker could try to manipulate the characterization data to cover information about tax fraud or to masquerade the user identity.
- An attacker could try to manipulate the FCR parameters to use the FCR in an undesired condition.
Threat agent: An attacker who has basic attack potential and has physical and logical access to the FCR.
Asset: Event data, sales data, characterization data, FCR parameters.
T.Eavesdrop - Eavesdropping on event data, sales data and characterization data
Adverse action: An attacker could try to eavesdrop on event data, sales data and characterization data transmitted between the TOE and the PRA-IS, and also between the TOE and the distributed memory units (Fiscal memory, Database, Daily memory, ERU).
Threat agent: An attacker who has basic attack potential and has physical and logical access to the FCR.
Asset: Characterization data, sales data, and event data.

T.Skimming - Skimming the event data, sales data and characterization data
Adverse action: An attacker could try to imitate PRA-IS to receive information from FCR, and to imitate TSM to set parameters on FCR via the communication channel.
Threat agent: An attacker who has basic attack potential and has logical access to the FCR.
Asset: Sales data, event data, FCR parameters.

T.Counterfeit - FCR counterfeiting
Adverse action: An attacker could try to imitate FCR by using sensitive data (session keys) while communicating with PRA-IS and TSM, in order to cover information about tax fraud.
Threat agent: An attacker who has basic attack potential and has physical and logical access to the FCR.
Asset: Sensitive data (session keys).

T.Malfunction - Cause malfunction in FCR
Adverse action: An attacker may try to use FCR outside its normal operational conditions to cause a malfunction without the knowledge of TOE.
Threat agent: An attacker who has basic attack potential and has physical access to the FCR.
Asset: Sales data, event data.

T.ChangingTime
Adverse action: An attacker may try to change the time to invalidate the information about logged events and reports in FCR.
Threat agent: An attacker who has basic attack potential and has physical and logical access to the FCR.
Asset: Time Information.

3.3. OSP
This section describes organizational security policies that must be satisfied.
P.Certificate
It has to be assured that certificates which are installed at the initialization step are compatible with the ITU X.509 v3 format. FCR contains the FCR certificate, the Certification Authority root certificate, the Certification Authority sub-root (subordinate) certificate and the UpdateControl certificate. The UpdateControl certificate is used to verify the signature of the TOE.

P.Comm_EXT - Communication between TOE and External Device
It has to be assured that communication between TOE and external devices is encrypted using the AES algorithm with 256-bit keys according to External Device Communication Protocol Document [7].

P.InformationLeakage - Information leakage from FCR
It has to be assured that TOE's environment provides a secure mechanism which prevents an attacker from obtaining sensitive information (secret key) when FCR performs encryption operations, i.e. by side channel attacks like SPA (Simple Power Analysis), SEMA (Simple Electromagnetic Analysis), DPA (Differential Power Analysis) and DEMA (Differential Electromagnetic Analysis).

P.SecureEnvironment
It has to be assured that the environment of TOE senses disconnection between fiscal memory and main processor. The TOE then enters the maintenance mode and logs an urgent event. Moreover, it has to be assured that fiscal memory doesn't accept transactions with negative amounts, which would result in a decrease of the total tax value. Also it has to be assured that the environment of TOE provides a mechanism so that sales data in daily memory which is not yet reflected to the fiscal memory cannot be deleted or modified in an uncontrolled way. In addition to this, it has to be assured that sales data in ERU cannot be deleted or modified.

P.PhysicalTamper
It has to be assured that the TOE environment and TOE provide a tamper respondent system which is formed by electromechanical seals.
It has to be assured that the physical tampering protection system protects the keys (asymmetric key, symmetric key), the certificates, event data, characterization data, FCR parameters and sales data in FCR. It has to be assured that TOE logs this type of event and enters the maintenance mode when the physical tampering protection system detects unauthorized access. On the other hand, it has to be assured that authorized access such as maintenance work or service work is logged. It also has to be assured that the physical tampering protection system (mesh cover) protects fiscal memory.

P.PKI - Public key infrastructure
It has to be assured that the IT environment of the TOE provides a public key infrastructure for encryption, signing and key agreement.

P.UpdateControl
TOE is allowed to be updated only by TSM or Authorized Manufacturer User. To avoid possible threats during this operation, FCR shall verify the signature of the new version of TOE to ensure that the TOE to be updated is signed by the correct organization. Thus, the TOE to be updated is ensured to be the correct certified version, because only the certified versions will be signed. In addition, FCR shall check the version of TOE to ensure that it is the latest version.

3.4. Assumptions
This section describes assumptions that must be satisfied by the TOE's operational environment.

A.TrustedManufacturer
It is assumed that manufacturing is done by trusted manufacturers. They process the manufacturing step in a manner which maintains IT security.

A.Control
It is assumed that PRA-IS personnel perform random controls on FCR. During these controls PRA-IS personnel should check whether the tax amount and total amount printed on the receipt and sent to PRA-IS are the same. In addition to this, a similar check should be made for events as well.

A.Initialisation
It is assumed that the environment of TOE provides secure initialization steps.
The initialization step consists of secure boot of the operating system and an integrity check of TSF data. Moreover, it is assumed that the environment of TOE provides secure installation of certificates to the FCR in the initialization phase. Before certificate installation, it is assumed that the asymmetric key pair is generated in a manner which maintains the security posture.

A.TrustedUser
The user is assumed to be trusted. It is assumed that for each sale a sales receipt is provided to the buyer.

A.Activation
It is assumed that the environment of TOE provides secure activation steps at the beginning of the TOE operation phase and after each maintenance process.

A.AuthorisedService
It is assumed that repairing is done by trusted authorized services. The repairing step is processed in a manner which maintains legal limits.

A.Ext_Key
It is assumed that the External Device (EFT-POS, Main Unit) generates a strong key for communicating with TOE.

4. SECURITY OBJECTIVES
This chapter describes security objectives for the TOE and its environment.

4.1. Security Objectives for the TOE
This part describes security objectives provided by the TOE.

O.AccessControl
TOE must control authenticated users' access to functions and data by using an authorization mechanism.

O.Event
TOE must record important events as stated in PRA Messaging Protocol Document [6].

O.Integrity
TOE must provide integrity for sales data, event data, characterization data, authentication data, sensitive data (session keys) and FCR parameters.

O.Authentication
TOE must run an authentication mechanism for users and systems.

O.Function
TOE must ensure that processing of inputs to derive sales data and event data is accurate. TOE must ensure that time information is accurate by doing anomaly detection.
TOE must enter a maintenance mode when the maintenance mode events of section 3.1.3 occur.

O.Transfer
TOE must provide confidentiality, integrity and authenticity for sales data, event data and characterization data transferred to the PRA-IS, and for FCR parameters transferred from TSM. TOE also provides integrity for sales data and event data transferred from one memory to another. TOE must provide confidentiality, integrity and authenticity for information sent/received during external device communication.

4.2. Security Objectives for the Operational Environment
This part describes security objectives provided by the operational environment.

OE.Manufacturing
The manufacturer should ensure that FCR is protected against physical attacks during manufacturing.

OE.Delivery
The Authorised Manufacturer User must ensure that delivery and activation of the TOE are done in a secure way.

OE.KeyGeneration
The asymmetric key generation mechanism shall be accessible only by trusted persons.

OE.SecureStorage
The asymmetric private key shall be stored within a smartcard or Secure-IC. Keys (asymmetric key, symmetric key), certificates, event data, characterization data and sales data shall be stored within a secure environment protected by an electronic seal.

OE.KeyTransportation
Transportation and installation of the asymmetric private key and certificates to the FCR must be done while protecting their confidentiality and integrity.

OE.TestEnvironment
Before FCR activation, test interfaces (functions, parameters) inserted in TOE shall be disabled or removed.

OE.StrongAlgorithm
The environment of TOE shall use asymmetric private keys for signature operations by using the libraries of the smartcard and Secure-IC. These libraries used in FCR shall be strong. They should also have protection against side channel analysis (SPA, DPA, SEMA, DEMA, and DFA).
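P.UpdateControl above and OE.UpgradeSoftware below require the FCR to verify the signature on a new TOE version under the UpdateControl certificate and to check its version number before installing it. The Go program below is an added example for this page, not code from N-PosCore; it shows the two checks in the order a verifier should apply them. Its assumptions: an ECDSA P-256 key pair stands in for the UpdateControl key (X.509 parsing, chain validation and the signature algorithm actually used by the product are not taken from the page and are left out), the version is a monotonically increasing integer and "latest" is read as "newer than the installed one", the image is a constructed byte string, and the manufacturer-side signing function is included only so the example runs on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a signed TOE image. The version
// number is part of the signed data, so an old image cannot simply be relabelled.
type UpdatePackage struct {
	Version uint32
	Image   []byte
	Sig     []byte // ASN.1 DER ECDSA signature over digest(Version, Image)
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the UpdateControl key")
	ErrNotNewer     = errors.New("update rejected: version is not newer than the installed TOE")
)

// digest binds version and image together under one SHA-256 hash.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// NewSigningKey stands in for the manufacturer's UpdateControl key pair; in the
// ST the FCR holds only the certificate, and the private key never reaches it.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignUpdate models the manufacturer side (not something the FCR does).
func SignUpdate(priv *ecdsa.PrivateKey, version uint32, image []byte) (UpdatePackage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(version, image))
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{Version: version, Image: image, Sig: sig}, nil
}

// VerifyUpdate is the FCR-side check: signature first, then the version
// comparison, so even a validly signed older image is refused (anti-rollback).
func VerifyUpdate(updateControlPub *ecdsa.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ecdsa.VerifyASN1(updateControlPub, digest(pkg.Version, pkg.Image), pkg.Sig) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrNotNewer
	}
	return nil
}

func main() {
	priv, _ := NewSigningKey()
	installed := uint32(1)
	image := []byte("constructed TOE image bytes") // constructed sample, not a real image

	good, _ := SignUpdate(priv, 2, image)
	fmt.Println("signed v2:", VerifyUpdate(&priv.PublicKey, installed, good))

	tampered := good
	tampered.Image = append([]byte{}, image...) // copy so the original stays intact
	tampered.Image[0] ^= 0xff
	fmt.Println("modified image:", VerifyUpdate(&priv.PublicKey, installed, tampered))

	relabelled := good
	relabelled.Version = 3 // version changed after signing: the digest no longer matches
	fmt.Println("relabelled version:", VerifyUpdate(&priv.PublicKey, installed, relabelled))

	old, _ := SignUpdate(priv, 1, image)
	fmt.Println("signed but not newer:", VerifyUpdate(&priv.PublicKey, installed, old))

	other, _ := NewSigningKey()
	foreign, _ := SignUpdate(other, 2, image)
	fmt.Println("signed by another key:", VerifyUpdate(&priv.PublicKey, installed, foreign))
}
```

Two details carry the policy: the version is inside the signed digest, so the "latest version" check cannot be defeated by editing a header field, and the signature is checked before the version, so the FCR never acts on an unsigned version claim.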
OE.UpgradeSoftware
FCR software updates shall have received a pass verdict from the Common Criteria maintenance or re-evaluation procedures (according to the update type) before being installed to the FCR. This will be validated by the FCR using the cryptographic signature control methods.

OE.TrustedUser
Users shall act responsibly.

OE.Control
The PRA Onsite Auditor must check FCR functionality by comparing the tax amount on the receipt with the tax amount sent to the PRA-IS.

OE.External Device
The External Device should generate a strong key for communicating with TOE.

OE.SecureEnvironment
Fiscal memory shall not accept transactions with negative amounts, which would result in a decrease of the total tax value. The tampering protection system shall protect fiscal memory with a mesh cover. The environment of TOE provides secure initialization steps. The initialization step consists of secure boot of the operating system and an integrity check of TSF data.

4.3. Security Objective Rationale
Table 2 shows how the security problem definition is covered by the security objectives. Threats and OSPs are addressed by security objectives of the TOE and its environment. Assumptions are addressed only by security objectives of the operational environment.

Table 2 Security Objectives Rationale (for each security objective, the threats, OSPs and assumptions it covers)

Security objective      Threats / OSPs / Assumptions covered
O.AccessControl         T.AccessControl, T.ChangingTime, P.PhysicalTamper
O.Event                 T.AccessControl, T.Authentication, T.MDData, T.Eavesdropping, T.Counterfeit, T.Malfunction, T.ChangingTime, P.SecureEnvironment, P.PhysicalTamper
O.Integrity             T.MDData, T.Eavesdropping, T.Counterfeit, P.SecureEnvironment, P.PhysicalTamper
O.Authentication        T.AccessControl, T.Authentication, T.Skimming, P.UpdateControl
O.Function              T.Malfunction, T.ChangingTime, P.SecureEnvironment
O.Transfer              T.MDData, T.Eavesdropping, P.Comm_EXT
OE.External Device      A.Ext_Key
OE.Manufacturing        A.TrustedManufacturer
OE.Delivery             P.PKI, A.Activation
OE.KeyGeneration        P.Certificate, A.Initialisation
OE.SecureStorage        P.PhysicalTamper
OE.KeyTransportation    P.PKI, A.Initialisation
OE.TestEnvironment      A.TrustedManufacturer
OE.StrongAlgorithm      P.InformationLeakage
OE.UpgradeSoftware      P.UpdateControl
OE.TrustedUser          A.AuthorisedService, A.TrustedUser
OE.Control              A.Control
OE.SecureEnvironment    T.MDData, T.Eavesdropping, T.Counterfeit, P.SecureEnvironment, P.PhysicalTamper, A.Initialisation

Justification about Table 2 is given below.

T.AccessControl is addressed by O.AccessControl to control user access to functions and data; O.Authentication to provide an authentication mechanism for users; O.Event to log all access attempts.
T.Authentication is addressed by O.Authentication to ensure that the user is authenticated to the FCR; O.Event to log successful/unsuccessful authentication attempts.
T.MDData is addressed by O.Integrity to ensure integrity of sales data, event data, characterization data and FCR parameters in FCR with logical and physical security features; O.Transfer to ensure integrity, confidentiality and authenticity of sales data, event data and characterization data while being transferred to PRA-IS, and of parameters while being transferred from TSM to FCR; O.Event to log unexpected behavior of these memories and unexpected behavior in transferring data; OE.SecureEnvironment to provide the electronic seal.
T.Eavesdropping is addressed by O.Transfer to ensure confidentiality of sales data, event data and characterization data during communication with PRA-IS; O.Integrity to ensure the integrity of event data, sales data and characterization data; O.Event to log physical tamper; OE.SecureEnvironment to provide the electronic seal.
T.Skimming is addressed by O.Authentication to establish communication only with permitted systems.
T.Counterfeit is addressed by O.Integrity to ensure the integrity of sensitive data (session keys); O.Event to log physical tamper; OE.SecureEnvironment to provide the electronic seal.
T.Malfunction is addressed by O.Function to ensure that functions process accurately; O.Event to log unexpected behavior of functions.
T.ChangingTime is addressed by O.Event to log unexpected changes in time information; by O.AccessControl to control user access to time information; by O.Function to ensure accuracy of time information.
P.Certificate is fulfilled by OE.KeyGeneration.
P.SecureEnvironment is fulfilled by OE.SecureEnvironment, O.Event, O.Integrity and O.Function.
P.PhysicalTamper is fulfilled by OE.SecureEnvironment, O.AccessControl, O.Event, O.Integrity and OE.SecureStorage.
P.PKI is fulfilled by OE.Delivery and OE.KeyTransportation.
P.InformationLeakage is fulfilled by OE.StrongAlgorithm to ensure that cryptographic algorithms used by FCR have side channel protection.
P.Comm_EXT is fulfilled by O.Transfer.
P.UpdateControl is upheld by OE.UpgradeSoftware and O.Authentication.
A.Ext_Key is upheld by OE.External Device.
A.TrustedManufacturer is upheld by OE.Manufacturing and OE.TestEnvironment.
A.Control is upheld by OE.Control.
A.AuthorisedService is upheld by OE.TrustedUser.
A.Initialisation is upheld by OE.KeyGeneration, OE.SecureEnvironment and OE.KeyTransportation.
A.Activation is upheld by OE.Delivery.
A.TrustedUser is upheld by OE.TrustedUser.

5. EXTENDED COMPONENT DEFINITION
This Security Target does not use any components defined as extensions to CC part 2.

6. SECURITY REQUIREMENTS

6.1. Security Functional Requirements for the TOE
This chapter defines the security functional requirements for the TOE according to the functional requirement components drawn from CC part 2 version 3.1 revision 4.

6.1.1. Class FAU Security Audit

6.1.1.1. FAU_GEN Security audit data generation

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [the auditable events specified in PRA Messaging Protocol Document [6]].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [none].

6.1.1.2. FAU_SAR Security audit review

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation.
FAU_SAR.1.1 The TSF shall provide [Authorized Manufacturer User] with the capability to read [all event data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.3. FAU_STG Security audit event storage

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to [prevent] unauthorized modifications to the stored audit records in the audit trail.

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [overwrite the oldest stored audit records] and [none] if the audit trail is full.

6.1.2. Class FCO Communication

6.1.2.1. FCO_NRO Non-repudiation of origin

FCO_NRO.2 Enforced proof of origin
Hierarchical to: FCO_NRO.1 Selective proof of origin
Dependencies: FIA_UID.1 Timing of identification
FCO_NRO.2.1 The TSF shall enforce the generation of evidence of origin for transmitted [Sales data and event data] at all times.
FCO_NRO.2.2 The TSF shall be able to relate the [originator identity, time of origin] of the originator of the information, and the [body of the message] of the information to which the evidence applies.
FCO_NRO.2.3 The TSF shall provide a capability to verify the evidence of origin of information to [recipient] given [immediately].

6.1.3. Class FCS Cryptographic Support

6.1.3.1. FCS_CKM Cryptographic key management

FCS_CKM.1/TLS_AES Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [AES: 128 bit] that meet the following: [RFC 5246].

FCS_CKM.1/TLS_HMAC Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [256 bit] that meet the following: [RFC 5246].

FCS_CKM.1/DHE-KEY Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [RNG] and specified cryptographic key sizes [2048 bits] that meet the following: [none].

FCS_CKM.1/EXT-DEV KHMAC Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [256 bits] that meet the following: [RFC 5246].

FCS_CKM.1/EXT-DEV KENC Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [AES: 256 bits] that meet the following: [RFC 5246].

FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [overwrite the previous key] that meets the following: [none].

6.1.3.2. FCS_COP Cryptographic operation

FCS_COP.1/ENC-DEC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption] in accordance with a specified cryptographic algorithm [AES] and cryptographic key sizes [AES: 128 bits and AES: 256 bits] that meet the following: [NIST SP800-38A].

FCS_COP.1/INT-AUTH Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [authentication and integrity protection] in accordance with a specified cryptographic algorithm [HMAC-SHA256] and cryptographic key sizes [256 bits] that meet the following: [FIPS 198-1 and NIST FIPS PUB 180-2].

FCS_COP.1/HASHING Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [hashing] in accordance with a specified cryptographic algorithm [SHA2] and cryptographic key sizes [none] that meet the following: [NIST FIPS PUB 180-2].

FCS_COP.1/EXT-DEV KEYEXCHANGE Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [key agreement] in accordance with a specified cryptographic algorithm [DHE] and cryptographic key sizes [2048 bit] that meet the following: [NIST SP 800-56A].

FCS_COP.1/EXT-DEV KENC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption] in accordance with a specified cryptographic algorithm [AES with CBC] and cryptographic key sizes [256 bits] that meet the following: [NIST SP 800-38A (CBC AES256)].

FCS_COP.1/EXT-DEV KHMAC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption for integrity protection] in accordance with a specified cryptographic algorithm [HMAC-SHA256] and cryptographic key sizes [256 bits] that meet the following: [FIPS 198-1 and NIST FIPS PUB 180-2].

6.1.4. Class FDP User Data Protection

6.1.4.1. FDP_ACC Access control policy

FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 The TSF shall enforce the [Administrative Access Control SFP] on [
Subjects: FCR Authorized User and Authorized Manufacturer User
Objects: Sales and event data, exchange rates, time information
Operations: Secure state mode and maintenance mode actions].

6.1.4.2. FDP_ACF Access control functions

FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1 The TSF shall enforce the [Administrative Access Control SFP] to objects based on the following: [
Subjects: FCR Authorized User and Authorized Manufacturer User
Subject Attributes: User Identity, Privileges
Objects: Sales and event data, exchange rates, time information
Object Attributes: Access Control List (Secure State Mode and maintenance mode access rights)
Operations: Secure State Mode and Maintenance Mode actions described in Error! Reference source not found.].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [verify the operator's user identity and privileges].
FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none].

6.1.4.3. FDP_ETC Export from the TOE

FDP_ETC.2/TSM Export of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FDP_ETC.2.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported from the TOE: [secure communication with SSL CA].

FDP_ETC.2/EFTPOS Export of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FDP_ETC.2.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported from the TOE: [Communication with secure messaging according to External Device Communication Protocol Document [7]].

FDP_ETC.2/MAIN UNIT Export of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FDP_ETC.2.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported from the TOE: [Communication with secure messaging according to External Device Communication Protocol Document [7]].

6.1.4.4. FDP_IFC Information flow control policy

FDP_IFC.1/TSMCOMMUNICATION Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] on [subjects (TSM and PRA-IS) and objects (sales data, event data reports, FCR parameters) as specified in PRA Messaging Protocol Document [6]].

FDP_IFC.1/EFTPOSCOMMUNICATION Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] on [subjects (EFT-POS) and objects (amount information in sales data) as specified in External Device Communication Protocol Document [7]].

FDP_IFC.1/MAIN UNIT Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] on [subjects (Main Unit) and objects (department information of purchased good, amount of purchased good, unit price of purchased good) as specified in External Device Communication Protocol Document [7]].

FDP_IFF Information flow control functions

FDP_IFF.1/TSMCOMMUNICATION Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] based on the following types of subject and information security attributes: [TOE has the ability to send reports related to sales data and event data to PRA-IS by using the subject identifier (IP/Port information) and object identifier (file name); TOE has the ability to receive FCR parameters from TSM by using the subject identifier (IP/Port information) and object identifier (information label) according to PRA Messaging Protocol Document [6]].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [secure communication with SSL CA].
FDP_IFF.1.3 The TSF shall enforce the [none].
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [none].

FDP_IFF.1/EFT-POSCOMMUNICATION Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization
FDP_IFF.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] based on the following types of subject and information security attributes: [TOE has the ability to send amount information to the EFT-POS Device by using the subject identifier (EFT-POS label and source port); TOE has the ability to receive the outcome of the operation conducted by the EFT-POS Device by using the subject identifier (source port)].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [Communication with secure messaging according to External Device Communication Protocol Document [7]].
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [none].

FDP_IFF.1/MAIN UNIT Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization
FDP_IFF.1.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] based on the following types of subject and information security attributes: [TOE has the ability to receive department information of purchased good, amount of purchased good and unit price of purchased good by using the subject identifier (source port) and object identifier (information label)].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [Communication with secure messaging according to External Device Communication Protocol Document [7]].
FDP_IFF.1.3 The TSF shall enforce the [none].
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [none].

6.1.4.5. FDP_ITC Import from outside of the TOE
FDP_ITC.2/TSM Import of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]
              FPT_TDC.1 Inter-TSF basic TSF data consistency
FDP_ITC.2.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.2.2 The TSF shall use the security attributes associated with the imported user data.
FDP_ITC.2.3 The TSF shall ensure that the protocol used provides for the unambiguous association between the security attributes and the user data received.
FDP_ITC.2.4 The TSF shall ensure that interpretation of the security attributes of the imported user data is as intended by the source of the user data.
FDP_ITC.2.5 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [secure communication with SSL CA].
Application Note 2: User data (FCR parameters) is imported from TSM.

FDP_ITC.2/EFTPOS Import of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]
              FPT_TDC.1 Inter-TSF basic TSF data consistency
FDP_ITC.2.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.2.2 The TSF shall use the security attributes associated with the imported user data.
FDP_ITC.2.3 The TSF shall ensure that the protocol used provides for the unambiguous association between the security attributes and the user data received.
FDP_ITC.2.4 The TSF shall ensure that interpretation of the security attributes of the imported user data is as intended by the source of the user data.
FDP_ITC.2.5 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [Communication with secure messaging according to External Device Communication Protocol Document [7]].

FDP_ITC.2/MAIN UNIT Import of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]
              FPT_TDC.1 Inter-TSF basic TSF data consistency
FDP_ITC.2.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.2.2 The TSF shall use the security attributes associated with the imported user data.
FDP_ITC.2.3 The TSF shall ensure that the protocol used provides for the unambiguous association between the security attributes and the user data received.
FDP_ITC.2.4 The TSF shall ensure that interpretation of the security attributes of the imported user data is as intended by the source of the user data.
FDP_ITC.2.5 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [Communication with secure messaging according to External Device Communication Protocol Document [7]].

FDP_SDI Stored data integrity
FDP_SDI.2/MEMORY Stored data integrity monitoring and action
Hierarchical to: FDP_SDI.1 Stored data integrity monitoring
Dependencies: No dependencies.
FDP_SDI.2.1 The TSF shall monitor user data (sales data stored in fiscal memory and ERU, event data, authentication data, characterization data) stored in containers controlled by the TSF for [integrity errors] on all objects, based on the following attributes: [assignment: user data attributes].
FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [generate an audit event and transmit it to the PRA-IS according to PRA messaging protocol document [6] and then enter into the maintenance mode].

FDP_SDI.2/DAILY and PRMTR Stored data integrity monitoring and action
Hierarchical to: FDP_SDI.1 Stored data integrity monitoring
Dependencies: No dependencies.
FDP_SDI.2.1 The TSF shall monitor user data (sales data stored in daily memory and FCR parameters) stored in containers controlled by the TSF for [integrity errors] on all objects, based on the following attributes: [assignment: user data attributes].
FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [generate an audit event and transmit it to the PRA-IS according to PRA messaging protocol document [6] and print Z report automatically].

6.1.5. Class FIA Identification and Authentication
6.1.5.1. FIA_AFL Authentication failures
FIA_AFL.1/MANUFACTURER Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [[3]] unsuccessful authentication attempts occur related to [Authorized Manufacturer User authentication].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [lock authorized manufacturer user account for 30 min].

FIA_AFL.1/AUTHORISED Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [[3]] unsuccessful authentication attempts occur related to [FCR Authorized User].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [disable authorized user account].

6.1.5.2. FIA_UAU User authentication
FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 The TSF shall allow [to do fiscal sales, to get X report] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.4 Single-use authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to [the authentication mechanism employed to authenticate Authorized Manufacturer User].

6.1.5.3. FIA_UID User identification
FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 The TSF shall allow [to do fiscal sales, to get X report] on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

6.1.6. Class FMT Security Management
6.1.6.1. FMT_MOF Management of security functions behavior
FMT_MOF.1 Management of security functions behavior
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behavior of] the functions [new generation cash register fiscal application software normal operation functions] to [assignment: the authorised identified roles] [nobody].
Application Note 3: No authorized user changes the behavior of the functions.
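The identification and authentication behaviour the FIA class above specifies (FIA_UID.1/FIA_UAU.1 actions allowed before identification, FIA_AFL.1 failure handling for both roles, FIA_UAU.4 single-use manufacturer credentials), modelled in Python as an added example that is not N-PosCore code. The PBKDF2 storage of authentication data, the one-time-code form of the manufacturer credential, the action names and the account names are assumptions of the example.

```python
"""Model of the FIA behaviour stated in the ST above (FIA_AFL.1 both iterations,
FIA_UAU.1, FIA_UAU.4, FIA_UID.1).  Added example, not N-PosCore code."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3                      # FIA_AFL.1.1: [[3]] attempts, both roles
MANUFACTURER_LOCK_SECONDS = 30 * 60   # FIA_AFL.1.2/MANUFACTURER: 30 min lock
# FIA_UAU.1.1 / FIA_UID.1.1: the only actions allowed before identification and
# authentication.  The action names are assumed by this example.
PRE_AUTH_ACTIONS = frozenset({"fiscal_sale", "x_report"})

ROLE_FCR_USER = "FCR Authorized User"
ROLE_MANUFACTURER = "Authorized Manufacturer User"


def _derive(secret: str, salt: bytes) -> bytes:
    """Assumed storage form for authentication data (the ST does not specify
    one): PBKDF2-HMAC-SHA256, so the stored value never reveals the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Account:
    def __init__(self, role: str) -> None:
        self.role = role
        self.salt = os.urandom(16)
        self.digests: set[bytes] = set()  # FCR user: one; manufacturer: one per code
        self.failures = 0
        self.locked_until = 0.0           # manufacturer: temporary lock (FIA_AFL.1.2)
        self.disabled = False             # FCR user: account disabled (FIA_AFL.1.2)


class ManualClock:
    """Injectable clock so the 30-minute lock can be exercised without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class Authenticator:
    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def add_fcr_user(self, name: str, password: str) -> None:
        acct = Account(ROLE_FCR_USER)
        acct.digests.add(_derive(password, acct.salt))
        self.accounts[name] = acct

    def add_manufacturer_user(self, name: str, one_time_codes) -> None:
        # FIA_UAU.4: manufacturer authentication data is single-use.  Modelled
        # here (an assumption) as a set of one-time codes, each usable once.
        acct = Account(ROLE_MANUFACTURER)
        for code in one_time_codes:
            acct.digests.add(_derive(code, acct.salt))
        self.accounts[name] = acct

    @staticmethod
    def permitted_before_auth(action: str) -> bool:
        """FIA_UAU.1 / FIA_UID.1: fiscal sales and the X report are the only
        TSF-mediated actions allowed for an unidentified user."""
        return action in PRE_AUTH_ACTIONS

    def authenticate(self, name: str, credential: str) -> str:
        """Returns one of: ok, unknown, disabled, locked, bad-credential."""
        acct = self.accounts.get(name)
        if acct is None:
            _derive(credential, b"\x00" * 16)  # same cost as a real check
            return "unknown"
        if acct.disabled:
            return "disabled"
        if acct.role == ROLE_MANUFACTURER and self.clock() < acct.locked_until:
            return "locked"
        presented = _derive(credential, acct.salt)
        match = next((d for d in acct.digests if hmac.compare_digest(d, presented)), None)
        if match is None:
            return self._record_failure(acct)
        acct.failures = 0
        if acct.role == ROLE_MANUFACTURER:
            acct.digests.discard(match)  # consumed: a replay now fails (FIA_UAU.4)
        return "ok"

    def _record_failure(self, acct: Account) -> str:
        """FIA_AFL.1: count failures; on the third, lock the manufacturer
        account for 30 min or disable the FCR Authorized User account."""
        acct.failures += 1
        if acct.failures < MAX_FAILURES:
            return "bad-credential"
        acct.failures = 0
        if acct.role == ROLE_MANUFACTURER:
            acct.locked_until = self.clock() + MANUFACTURER_LOCK_SECONDS
            return "locked"
        acct.disabled = True
        return "disabled"
```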
The TSF itself makes the behavioral changes according to the FCR parameters received from TSM.
Application Note 4: The ability to modify behavior shall be used according to PRA directives. Normal operation functions include all FCR parameters that are sent to the FCR by TSM.

6.1.6.2. FMT_MSA Management of security attributes
FMT_MSA.1/USER IDENTITY Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Administrative Access Control SFP] to restrict the ability to [modify] the security attributes [User Identity] to [FCR Authorized User].

FMT_MSA.1/PRIVILEGES Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Administrative Access Control SFP] to restrict the ability to [modify] the security attributes [Privileges] to [none].

FMT_MSA.1/IP:PORT INFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] to restrict the ability to [modify] the security attributes [IP:Port Information] to [Authorised Manufacturer User].

FMT_MSA.1/FILE NAME and INFO-LABEL Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM and PRA-IS] to restrict the ability to [modify] the security attributes [file name and information label] to [none].

FMT_MSA.1/INFO-LABEL Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] to restrict the ability to [modify] the security attributes [information label] to [none].

FMT_MSA.1/MAIN UNIT SOURCE PORT INFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] to restrict the ability to [modify] the security attributes [Source Port] to [none].

FMT_MSA.1/EFTPOS SOURCE PORT INFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] to restrict the ability to [modify] the security attributes [Source Port] to [none].

FMT_MSA.1/EFT-POS LABEL INFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] to restrict the ability to [modify] the security attributes [EFT-POS Label] to [none].

FMT_MSA.3/USERS and SYSTEMS Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Administrative Access Control SFP, Information Flow Control SFP with TSM and PRA-IS] to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.3/EFTPOS Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Information Flow Control SFP with EFT-POS Device] to provide [permissive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.3/MAIN UNIT Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Information Flow Control SFP with Main Unit] to provide [permissive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created.

6.1.6.3. FMT_MTD Management of TSF data
FMT_MTD.1/FCR AUTHORISED USER Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [FCR Authorized User's authentication data] to [FCR Authorized User, Authorized Manufacturer User].

FMT_MTD.1/AUTHORIZED MANUFACTURER USER Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [create] the [Authorized Manufacturer User's authentication data] to [assignment: the authorized identified roles] [nobody].
Application Note 5: No authorized identified role changes the Authorized Manufacturer User's authentication data; TSM creates it.

6.1.6.4. FMT_SMF Specification of Management Functions
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [Authorized Manufacturer User modifies IP:Port Information, FCR Authorized User modifies User Identity] [none].

6.1.6.5. FMT_SMR Security management roles
FMT_SMR.2 Restrictions on security roles
Hierarchical to: FMT_SMR.1 Security roles
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.2.1 The TSF shall maintain the roles: [FCR Authorized User, Authorized Manufacturer User].
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions [Authorized Manufacturer User shall take action in maintenance works and FCR Authorized User shall take action in secure state works] are satisfied.

6.1.7. Class FPT Protection of the TSF
6.1.7.1. FPT_FLS Fail secure
FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [except maintenance mode events that are specified in section Error! Reference source not found.].

6.1.7.2. FPT_PHP TSF physical protection
FPT_PHP.2 Notification of physical attack
Hierarchical to: FPT_PHP.1 Passive detection of physical attack
Dependencies: FMT_MOF.1 Management of security functions behavior
FPT_PHP.2.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.
FPT_PHP.2.2 The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred.
FPT_PHP.2.3 For [the devices/elements for which active detection is required in technical guidance document [5]], the TSF shall monitor the devices and elements and notify [FCR Authorized User] when physical tampering with the TSF's devices or TSF's elements has occurred.

6.1.7.3. FPT_RCV Trusted recovery
FPT_RCV.1 Manual recovery
Hierarchical to: No other components.
Dependencies: AGD_OPE.1 Operational user guidance
FPT_RCV.1.1 After [maintenance mode events which are expressed in section 3.1.3 occur] the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.

FPT_RCV.4 Function recovery
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_RCV.4.1 The TSF shall ensure that [except maintenance mode events that are specified in section 3.1.3] have the property that the function either completes successfully, or for the indicated failure scenarios, recovers to a consistent and secure state.

6.1.7.4. FPT_STM Time stamps
FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

6.1.7.5. FPT_TDC Inter-TSF TSF data consistency
FPT_TDC.1 Inter-TSF basic TSF data consistency
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TDC.1.1 The TSF shall provide the capability to consistently interpret [CheckSum] when shared between the TSF and another trusted IT product.
FPT_TDC.1.2 The TSF shall use [SSL client authentication] when interpreting the TSF data from another trusted IT product.

6.1.7.6. FPT_TEE Testing of external entities
FPT_TEE.1/EXT Testing of external entities
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TEE.1.1 The TSF shall run a suite of tests [during initial start-up and during fiscal transactions] to check the fulfillment of [proper working of external entities].
FPT_TEE.1.2 If the test fails, the TSF shall [generate an audit event according to Technical Guidance [5]].
Application Note 6: External entities are ERU, fiscal memory, daily memory, mesh cover and electronic seal.

FPT_TEE.1/TIME Testing of external entities
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TEE.1.1 The TSF shall run a suite of tests [during time synchronization with NTP] to check the fulfillment of [accuracy of time information].
FPT_TEE.1.2 If the test fails, the TSF shall [assignment: action(s)].

6.1.7.7. FPT_TST TSF self test
FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self-tests [during initial start-up and periodically during normal operation] to demonstrate the correct operation of [parts of the TSF].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [parts of the TSF data].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [part of the TSF].
Application Note: The TSF conducts the following tests on the parts of the TSF during start-up:
- Fiscal Memory
- Daily Memory
- Certificate
- Time update by NTP
- Integrity of Event Records
- Operating Mode of device
- Incomplete receipt or slip document
- Electronic seal
- Software update from TSM
The TSF conducts the following tests on the parts of the TSF periodically:
- Time Information
- Time Update by NTP, before preparing Z Report
- Controlling New parameters, after preparing
- Controlling ERU, before printing each row on receipt printer
- Checking event records integrity, when a new event occurred
- Electronic seal
Authorized users can verify the integrity of the following parts of the TSF:
- Fiscal Memory records integrity
- Daily Memory records integrity
- Event records integrity
Authorized users can verify the integrity of the following parts of the TSF data. The user (whether authorized user or ordinary user) shall be warned automatically when the integrity of the following parts cannot be verified:
- Event data
- Fiscal memory records
- Daily memory records
- Sales data base

6.1.8. Class FTP Trusted Path/Channels
6.1.8.1. FTP_ITC Inter-TSF trusted channel
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [the TSF] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [sending user data (sales and event data) to PRA-IS and receiving user data (FCR parameters and exchange rates) from TSM].

6.2.
Security Assurance Requirements for the TOE
The assurance requirements for the evaluation of the TOE and for its development and operating environment are chosen as the predefined assurance package EAL2.

6.3. Security Requirements Rationale
6.3.1. Security Functional Requirements Rationale
Error! Reference source not found. provides an overview of security functional requirements coverage and also gives evidence for the sufficiency and necessity of the SFRs chosen.

Table 3 Coverage of security objectives by SFRs for TOE
Objectives (columns): O.AccessControl | O.Event | O.Integrity | O.Authentication | O.Function | O.Transfer
FAU_GEN.1 Audit data generation | X
FAU_SAR.1 Audit review | X
FAU_STG.1 Protected audit trail storage | X
FAU_STG.4 Prevention of audit data loss | X
FCO_NRO.2 Enforced proof of origin | X
FCS_CKM.1/TLS_AES Cryptographic key generation | X
FCS_CKM.1/TLS_HMAC Cryptographic key generation | X
FCS_CKM.1/DHE-KEY Cryptographic key generation | X
FCS_CKM.1/EXT-DEV KENC Cryptographic key generation | X
FCS_CKM.1/EXT-DEV KHMAC Cryptographic key generation | X
FCS_CKM.4 Cryptographic key destruction | X
FCS_COP.1/ENC-DEC Cryptographic operation | X
FCS_COP.1/INT-AUTH Cryptographic operation | X
FCS_COP.1/HASHING Cryptographic operation | X
FCS_COP.1/EXT-DEV KENC Cryptographic operation | X
FCS_COP.1/EXT-DEV KHMAC Cryptographic operation | X
FCS_COP.1/EXT-DEV KEYEXCHANGE Cryptographic operation | X
FDP_ACC.1 Subset access control | X
FDP_ACF.1 Security attribute based access control | X
FDP_ETC.2/TSM Export of user data with security attributes | X
FDP_ETC.2/EFTPOS Export of user data with security attributes | X
FDP_ETC.2/MAIN UNIT Export of user data with security attributes | X
FDP_IFC.1/TSMCOMMUNICATION Subset information flow control | X
FDP_IFC.1/EFTPOSCOMMUNICATION Subset information flow control | X
FDP_IFC.1/MAIN UNIT Subset information flow control | X
FDP_IFF.1/TSMCOMMUNICATION Simple security attributes | X
FDP_IFF.1/EFT-POSCOMMUNICATION Simple security attributes | X
FDP_IFF.1/MAIN UNIT Simple security attributes | X
FDP_ITC.2/TSM Import of user data with security attributes | X
FDP_ITC.2/EFTPOS Import of user data with security attributes | X
FDP_ITC.2/MAIN UNIT Import of user data with security attributes | X
FDP_SDI.2/MEMORY Stored data integrity monitoring and action | X
FDP_SDI.2/DAILY and PRMTR Stored data integrity monitoring and action | X
FIA_AFL.1/MANUFACTURER Authentication failure handling | X
FIA_AFL.1/AUTHORISED Authentication failure handling | X
FIA_UAU.1 Timing of authentication | X
FIA_UAU.4 Single-use authentication mechanisms | X
FIA_UID.1 Timing of identification | X
FMT_MOF.1 Management of security functions behaviour | X
FMT_MSA.1/USER IDENTITY Management of security attributes | X
FMT_MSA.1/PRIVILEGES Management of security attributes | X
FMT_MSA.1/IP:PORT INFO Management of security attributes | X
FMT_MSA.1/FILE NAME and INFO-LABEL Management of security attributes | X
FMT_MSA.1/INFO-LABEL Management of security attributes | X
FMT_MSA.1/MAIN UNIT SOURCE PORT INFO Management of security attributes | X
FMT_MSA.1/EFTPOS SOURCE PORT INFO Management of security attributes | X
FMT_MSA.1/EFT-POS LABEL INFO Management of security attributes | X
FMT_MSA.3/USERS and SYSTEMS Static attribute initialisation | X X
FMT_MSA.3/EFTPOS Static attribute initialisation | X
FMT_MSA.3/MAIN UNIT Static attribute initialisation | X
FMT_MTD.1/FCR AUTHORISED USER Management of TSF data | X
FMT_MTD.1/AUTHORIZED MANUFACTURER USER Management of TSF data | X
FMT_SMF.1 Specification of Management Functions | X
FMT_SMR.2 Restrictions on security roles | X
FPT_FLS.1 Failure with preservation of secure state | X
FPT_PHP.2 Notification of physical attack | X X
FPT_RCV.1 Manual recovery | X
FPT_RCV.4 Function recovery | X
FPT_STM.1 Reliable time stamps | X
FPT_TDC.1 Inter-TSF basic TSF data consistency | X
FPT_TEE.1/EXT Testing of external entities | X
FPT_TEE.1/TIME Testing of external entities | X
FPT_TST.1 TSF testing | X X
FTP_ITC.1 Inter-TSF trusted channel | X

A detailed justification of the suitability of the security functional requirements to achieve the security objectives is given in Error! Reference source not found.

Table 4 Suitability of the SFRs
Security Objective | Security Functional Requirement | Rationale

O.AccessControl
FDP_ACC.1 | Provides security functional policy for functions and data
FDP_ACF.1 | Defines security attributes for functions and data
FAU_SAR.1 | Allows users to read audit records
FMT_MSA.1/USER IDENTITY | Provides the functions to restrict the ability to modify the security attribute (User Identity) to FCR Authorised User
FMT_MSA.1/PRIVILEGES | Provides the functions to restrict the ability to modify the security attributes (privileges) to nobody
FMT_MSA.3/USERS and SYSTEMS | Provides the functions to provide restrictive default values for security attributes that are used to enforce the SFP and allows nobody to specify alternative initial values to override the default values when an object or information is created
FMT_SMF.1 | Describes the specification of the management functions allowed to be used in maintenance mode and secure state mode
FMT_SMR.2 | Maintains the roles with restrictions
FMT_MTD.1/FCR AUTHORISED USER | Provides authorised processing of FCR Authorised User's authentication data
FMT_MTD.1/AUTHORIZED MANUFACTURER USER | Provides authorised processing of Authorized Manufacturer User's authentication data

O.Event
FAU_GEN.1 | Generates correct audit events
FPT_STM.1 | Provides accurate time for logging events

O.Integrity
FAU_STG.1 | Protects the integrity of stored audit data from unauthorised deletion
FAU_STG.4 | Prevents loss of audit data
FPT_PHP.2 | Generates an audit event on detection of physical tampering
FDP_SDI.2/MEMORY | Monitors stored user data for integrity errors
FDP_SDI.2/DAILY and PRMTR | Monitors stored user data for integrity errors
FPT_TST.1 | Ensures the accuracy of its functions by conducting self-tests
FPT_TDC.1 | Provides the capability to consistently interpret TSF data (checksum)

O.Authentication
FIA_AFL.1/MANUFACTURER | Detects and records authentication failure events for Authorised Manufacturer User
FIA_AFL.1/AUTHORISED | Detects and records authentication failure events for FCR Authorised User
FIA_UAU.1 | Defines user authentication before allowing fiscal sales
FIA_UAU.4 | Provides a single-use authentication mechanism for Authorised Manufacturer User
FIA_UID.1 | Defines user identification before allowing fiscal sales
FMT_MTD.1/FCR AUTHORISED USER | Provides authorised processing of FCR Authorised User's authentication data
FCS_COP.1/HASHING | Provides authentication operation for PRA-IS and TSM

O.Function
FMT_MOF.1 | Restricts the ability to enable the functions to nobody and thus prevents unintended access to data in the operational phase
FPT_FLS.1 | Failure types which let the new generation cash register fiscal application software continue working in a secure state
FPT_RCV.1 | Provides for the new generation cash register fiscal application software to start working in maintenance mode on failure (has ability to switch to the secure state manually)
FPT_RCV.4 | Provides for the new generation cash register fiscal application software to start working in maintenance mode on failure (has ability to switch to the secure state automatically with functions)
FPT_TEE.1/EXT | Provides tests of the IT environment for accurate functioning
FPT_TEE.1/TIME | Provides tests of time information for accuracy
FPT_TST.1 | Ensures the accuracy of its functions by conducting self-tests

O.Transfer
FCS_CKM.1/TLS_AES | Generates session keys for communication between FCR-PRA-IS and FCR-TSM
FCS_CKM.1/TLS_HMAC | Generates session keys for communication between FCR-PRA-IS and FCR-TSM
FMT_MSA.1/EFT-POS LABEL INFO | Provides the functions to restrict the ability to modify the security attribute (EFT-POS label) to nobody
FMT_MSA.1/FILE NAME and INFO-LABEL | Provides the functions to restrict the ability to modify the security attribute (file name) to nobody
FMT_MSA.1/IP:PORT INFO | Provides the functions to restrict the ability to modify the security attribute (IP/Port) to Authorized Manufacturer User
FMT_MSA.1/EFTPOS SOURCE PORT INFO | Provides the functions to restrict the ability to modify the security attribute (EFT-POS source port) to nobody
FMT_MSA.1/INFO-LABEL | Provides the functions to restrict the ability to modify the security attribute (information label) to nobody
FMT_MSA.1/MAIN UNIT SOURCE PORT INFO | Provides the functions to restrict the ability to modify the security attribute (source port) to nobody
FMT_MSA.3/USERS and SYSTEMS | Provides the functions to provide restrictive default values for security attributes that are used to enforce the SFP and allows nobody to specify alternative initial values to override the default values when an object or information is created
FMT_MSA.3/EFTPOS | Provides the functions to provide permissive default values for security attributes that are used to enforce the SFP and allows nobody to specify alternative initial values to override the default values when an object or information is created
FMT_MSA.3/MAIN UNIT | Provides the functions to provide permissive default values for security attributes that are used to enforce the SFP and allows nobody to specify alternative initial values to override the default values when an object or information is created
FCS_CKM.4 | Destroys cryptographic keys in the TOE
FCS_COP.1/ENC-DEC | Provides the cryptographic operation for secure communication between PRA-IS and the new generation cash register fiscal application software, and between TSM and the new generation cash register fiscal application software
FCS_COP.1/INT-AUTH | Provides authentication and integrity protection for communication between FCR-PRA-IS and FCR-TSM
FPT_PHP.2 | Generates an audit event on detection of physical tampering
FCO_NRO.2 | Generates evidence of origin of the data to be transferred to the PRA-IS
FCS_CKM.1/DHE-KEY | Generates the private key for DHE key agreement
FCS_COP.1/EXT-DEV KENC | Provides symmetric encryption in order to establish secure communication with External Devices
FCS_COP.1/EXT-DEV KHMAC | Provides authentication and integrity protection for communication with External Devices
FCS_CKM.1/EXT-DEV KENC | Generates keys for communication between TOE and External Devices
FCS_CKM.1/EXT-DEV KHMAC | Generates keys for communication between TOE and External Devices
FCS_COP.1/EXT-DEV KEYEXCHANGE | Provides the key agreement operation with External Devices
FDP_ETC.2/TSM | Provides export of sales data and event data from the TOE to the PRA-IS using the information flow control SFP with TSM and PRA-IS
FDP_ETC.2/EFTPOS | Provides export of amount information in sales data from the TOE to the EFT-POS using the information flow control SFP with EFT-POS Devices
FDP_ETC.2/MAIN UNIT | Provides export of amount information in sales data from the TOE to the Main Unit using the information flow control SFP with Main Unit
FDP_IFC.1/TSMCOMMUNICATION | Provides information flow control policy for TSM and PRA-IS communication
FDP_IFC.1/EFTPOSCOMMUNICATION | Provides information flow control policy for EFT-POS communication
FDP_IFC.1/MAIN UNIT | Provides information flow control policy for Main Unit communication
FDP_IFF.1/TSMCOMMUNICATION | Provides information flow control policy rules for TSM and PRA-IS communication
FDP_IFF.1/EFTPOSCOMMUNICATION | Provides information flow control policy rules for EFT-POS communication
FDP_IFF.1/MAIN UNIT | Provides information flow control policy rules for Main Unit communication
FDP_ITC.2/TSM | Provides protection of FCR Parameters confidentiality and integrity during import from TSM
FDP_ITC.2/EFTPOS | Provides protection of the confidentiality and integrity of the outcome of the operation conducted by the EFT-POS device and of the AES keys (KENC and KHMAC) during import from the EFT-POS device
FDP_ITC.2/MAIN UNIT | Provides protection of confidentiality and integrity of communication with Main Unit
FTP_ITC.1 | Provides protection of sales data and event data (confidentiality and integrity) during communication with PRA-IS by means of a secure channel

6.3.2. Rationale for Security Functional Requirements dependencies
Selected security functional requirements include related dependencies. Error! Reference source not found. below provides a summary of the security functional requirements dependency analysis.

Table 5 Security Functional Requirements dependencies
SFR | Dependencies | Included / not included
FAU_GEN.1 | FPT_STM.1 | included
FAU_SAR.1 | FAU_GEN.1 | included
FAU_STG.1 | FAU_GEN.1 | included
FAU_STG.4 | FAU_STG.1 | included
FCO_NRO.2 | FIA_UID.1 | included
FCS_CKM.1/TLS_AES | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | FCS_COP.1/ENC-DEC and FCS_CKM.4 included
FCS_CKM.1/TLS_HMAC | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | FCS_COP.1/INT-AUTH and FCS_CKM.4 included
FCS_CKM.1/EXT-DEV KENC | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | FCS_COP.1/EXT-DEV KENC and FCS_CKM.4 included
FCS_CKM.1/EXT-DEV KHMAC | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | FCS_COP.1/EXT-DEV KHMAC and FCS_CKM.4 included
FCS_CKM.4 | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | FCS_CKM.1 (FCS_CKM.1/EXT-DEV KENC, FCS_CKM.1/EXT-DEV KHMAC, FCS_CKM.1/TLS_HMAC, FCS_CKM.1/TLS_AES and FCS_COP.1/EXT-DEV KEYEXCHANGE) included
FCS_COP.1/ENC-DEC | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | FCS_CKM.1/TLS_AES and FCS_CKM.4 included
FCS_COP.1/INT-AUTH | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | FCS_CKM.1/TLS_HMAC and FCS_CKM.4 included
FCS_COP.1/HASHING | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | No need to include any dependencies because there is no need to use any key for HASHING
FCS_CKM.1/DHE-KEY | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | FCS_COP.1/EXT-DEV KEYEXCHANGE and FCS_CKM.4
FCS_COP.1/EXT-DEV KENC | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | FCS_CKM.1/EXT-DEV KENC; FCS_CKM.4 included
FCS_COP.1/EXT-DEV KHMAC | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | FCS_CKM.1/EXT-DEV KHMAC; FCS_CKM.4 included
FCS_COP.1/EXT-DEV KEYEXCHANGE | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1; FCS_CKM.4 | FCS_CKM.1/DHE-KEY and FCS_CKM.4 included
FDP_ACC.1 | FDP_ACF.1 | included
FDP_ACF.1 | FDP_ACC.1; FMT_MSA.3 | FDP_ACC.1; FMT_MSA.3/USERS and SYSTEMS included
FDP_ETC.2/TSM | FDP_ACC.1 or FDP_IFC.1 | FDP_ACC.1; FDP_IFC.1/TSMCOMMUNICATION included
FDP_ETC.2/EFTPOS | FDP_ACC.1 or FDP_IFC.1 | FDP_ACC.1; FDP_IFC.1/EFTPOSCOMMUNICATION included
FDP_ETC.2/MAIN UNIT | FDP_ACC.1 or FDP_IFC.1 | FDP_ACC.1; FDP_IFC.1/MAIN UNIT
FDP_IFC.1/TSMCOMMUNICATION | FDP_IFF.1 | FDP_IFF.1/TSMCOMMUNICATION included
FDP_IFC.1/EFTPOSCOMMUNICATION | FDP_IFF.1 | FDP_IFF.1/EFT-POSCOMMUNICATION included
FDP_IFC.1/MAIN UNIT | FDP_IFF.1 | FDP_IFF.1/MAIN UNIT included
FDP_IFF.1/TSMCOMMUNICATION | FDP_IFC.1; FMT_MSA.3 | FDP_IFC.1/TSMCOMMUNICATION; FMT_MSA.3/USERS and SYSTEMS included
FDP_IFF.1/EFT-POSCOMMUNICATION | FDP_IFC.1; FMT_MSA.3 | FDP_IFC.1/EFTPOSCOMMUNICATION; FMT_MSA.3/EFTPOS included
FDP_IFF.1/MAIN UNIT | FDP_IFC.1; FMT_MSA.3 | FDP_IFC.1/MAIN UNIT; FMT_MSA.3/MAIN UNIT
FDP_ITC.2/TSM | FDP_ACC.1 or FDP_IFC.1; FTP_ITC.1 or FTP_TRP.1; FPT_TDC.1 | FDP_IFC.1/TSMCOMMUNICATION; FTP_ITC.1; FPT_TDC.1 included
FDP_ITC.2/EFTPOS | FDP_ACC.1 or FDP_IFC.1; FTP_ITC.1 or FTP_TRP.1; FPT_TDC.1 | FDP_IFC.1/EFTPOSCOMMUNICATION; FTP_ITC.1; FPT_TDC.1 included
FDP_ITC.2/MAIN UNIT | FDP_ACC.1 or FDP_IFC.1; FTP_ITC.1 or FTP_TRP.1; FPT_TDC.1 | FDP_IFC.1/MAIN UNIT; FTP_ITC.1; FPT_TDC.1 included
FDP_SDI.2/MEMORY | No dependencies. | -
FDP_SDI.2/DAILY and PRMTR | No dependencies. |
- FIA_AFL.1/MANU FACTURER FIA_UAU.1 included FIA_AFL.1/AUTH ORISED FIA_UAU.1 included FIA_UAU.1 FIA_UID.1 included FIA_UAU.4 No dependencies - FIA_UID.1 No dependencies - FMT_MOF.1 FMT_SMR.1; FMT_SMF.1 FMT_SMR.2 is hierarchical to FMT_SMR.1; FMT_SMF.1 FMT_MSA.1/USER IDENTITY FDP_ACC.1 or FDP_IFC.1 FDP_ACC.1 included FMT_MSA.1/PRIVI LEGES FDP_ACC.1 or FDP_IFC.1 FDP_ACC.1 included FMT_MSA.1/ IP:PORT INFO FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/TSMCOMMU NICATION included FMT_MSA.1/FILE NAME and INFO- LABEL FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/TSMCOMMU NICATION included FMT_MSA.1/ INFO-LABEL FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/MAIN UNIT included FMT_MSA.1/MAI N UNIT SOURCE PORT INFO FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/MAIN UNIT included FMT_MSA.1/EFTP OS SOURCE PORT INFO FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/EFTPOSCOM MUNICATION included FMT_MSA.1/ EFT- POS LABEL INFO FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1/EFTPOSCOM MUNICATION included FMT_MSA.3/USER S and SYSTEMS FMT_MSA.1 ; FMT_SMR.1 FMT_MSA.1 ( FMT_MSA.1/USER IDENTITY, FMT_MSA.1/PRIVILEGE S, FMT_MSA.1/IP:PORT INFO, FMT_MSA.1/FILE NAME and INFO- LABEL) ; FMT_SMR.1 is hierarchical to FMT_SMR.1 included FMT_MSA.3/EFTP OS FMT_MSA.1 ; FMT_SMR.1 FMT_MSA.1/ EFT-POS LABEL INFO ) ; FMT_SMR.2 is hierarchical to N-PosCore v.1.1.0.0 Version Number 1.2 Page 80 FMT_SMR.1 included FMT_MSA.3/MAI N UNIT FMT_MSA.1 ; FMT_SMR.1 FMT_MSA.1(FMT_MSA. 1/ INFO-LABEL, FMT_MSA.1/MAIN UNIT SOURCE PORT INFO) ; FMT_SMR.2 is hierarchical to FMT_SMR.1 included FMT_MTD.1/ FCR AUTHORİSED USER FMT_SMR.1 ; FMT_SMF.1 FMT_SMR.2 is hierarchical to FMT_SMR.1 ; FMT_SMF.1 included FMT_MTD.1/ AUTHORİZED MANUFACTURER USER FMT_SMR.1 ; FMT_SMF.1 FMT_SMR.2 is hierarchical to FMT_SMR.1 ; FMT_SMF.1 included FMT_SMF.1 No dependencies. 
- FMT_SMR.2 FIA_UID.1 FIA_UID.2 is hierarchical to FIA_UID.1 included FPT_FLS.1 No dependencies - FPT_PHP.2 FMT_MOF.1 included FPT_RCV.1 AGD_OPE.1 included (assurance component) FPT_RCV.4 No dependencies - FPT_STM.1 No dependencies - FPT_TDC.1 No dependencies - FPT_TEE.1/EXT No dependencies - FPT_TEE.1/TIME No dependencies - FPT_TST.1 No dependencies - FTP_ITC.1 No dependencies - 6.3.3. Security Assurance Requirements Rationale The current assurance package was chosen based on the pre-defined assurance packet EAL2. EAL2 is chosen because the threats that were chosen are consistent with an attacker of basic attack potential. N-PosCore v.1.1.0.0 Version Number 1.2 Page 81 6.3.4. Security Requirements - Internal Consistency The following part of the security requirements rationale shows that the set of security requirements for the TOE consisting of the security functional requirements (SFRs) and the security assurance requirements (SARs) together forms an internally consistent whole. The dependency analysis in Hata! Başvuru kaynağı bulunamadı. shows that the basis for internal consistency between all defined functional requirements is satisfied. The assurance package EAL2 is a pre-defined set of internally consistent assurance requirements. The assurance requirements are internally consistent as all (additional) dependencies are satisfied and no inconsistency appears. Inconsistency between functional and assurance requirements could only arise, if there are functional-assurance dependencies being not met. So, there are no inconsistencies between the goals of these two groups of security requirements. N-PosCore v.1.1.0.0 Version Number 1.2 Page 82 7. TOE SUMMARY SPECIFICATIONS The following security functions are implemented in order to satisfy the Security Functional Requirements in Section 6.1 of this Security Target. 
7.1. Event Log Function

The Audit/Event Function generates logs for the events listed in the auditable event list table, which contains the events specified in the PRA Messaging Protocol Document [6]. For each auditable event in the list the TSF adds the date and time of the event and the identity of the subject to the stored event. Since the list of events defined in the Messaging Protocol already encodes by definition whether an event is successful or unsuccessful, the TOE does not explicitly label the outcome of the event. The events are exported to the PRA-IS according to the requirements of the messaging protocol and can only be reviewed by the Authorized Manufacturer User. The TOE provides the confidentiality and integrity of the event logs and stores them for at least 90 days. When the audit trail is full, the TOE starts to overwrite the oldest log entries in order to continue its function.

This Security Function satisfies the following SFRs: FAU_GEN.1, FAU_SAR.1, FAU_STG.1, FAU_STG.4, FDP_SDI.2, FDP_SDI.2/DAILY and PRMTR, FPT_STM.1

7.2. Cryptographic Operation

The TOE uses the cryptographic libraries of the operating system for key generation, in accordance with AES with a key length of 256 bits, in order to encrypt and decrypt user data. The Cryptography Function is also responsible for successful SSL authentication with the PRA-IS, and exported files are signed with a private key held in the smart card of the FCR. Session keys are destroyed securely upon completion of the communication with the PRA-IS, and during the communication the TOE uses hashing. The TOE also establishes secure communication with third-party devices such as the EFT-POS and the Main Unit. In order to install a device on the TOE, an AES key generated by the device must first be sent securely to the TOE, encrypted with the public key of the TOE. The TOE also provides proof of origin for the event and sales data sent to the TSM.
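The authentication and integrity protection of messages exchanged with an External Device under a shared KHMAC (FCS_COP.1/EXT-DEV KHMAC) together with destruction of the session key afterwards (FCS_CKM.4), as an added example; this is not code from the N-PosCore TOE or EnPOS, and the frame layout (sequence number, payload, HMAC-SHA256 tag), the key length and the constructed EFT-POS message are assumptions made for illustration.

```python
"""Added example (not N-PosCore/EnPOS code): HMAC-SHA256 message
authentication with a shared KHMAC, replay rejection by sequence number,
and zeroisation of the key when the session closes. Frame layout and
sample payload are constructed for this illustration."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # SHA-256 output length


class ChannelClosed(Exception):
    """Raised when a channel is used after its session key was destroyed."""


class AuthenticationFailure(Exception):
    """Raised when a frame's tag or sequence number does not verify."""


class AuthenticatedChannel:
    """Seals and opens frames laid out as: 4-byte sequence || payload || tag."""

    def __init__(self, khmac: bytes):
        self._key = bytearray(khmac)   # bytearray so it can be overwritten in place
        self._send_seq = 0
        self._recv_seq = 0
        self._open = True

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The sequence number is covered by the tag, so it cannot be altered either.
        msg = struct.pack(">I", seq) + payload
        return hmac.new(bytes(self._key), msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        if not self._open:
            raise ChannelClosed("session key has been destroyed")
        frame = struct.pack(">I", self._send_seq) + payload + self._tag(self._send_seq, payload)
        self._send_seq += 1
        return frame

    def open(self, frame: bytes) -> bytes:
        if not self._open:
            raise ChannelClosed("session key has been destroyed")
        if len(frame) < 4 + TAG_LEN:
            raise AuthenticationFailure("frame too short")
        (seq,) = struct.unpack(">I", frame[:4])
        payload, tag = frame[4:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison; the expected sequence number rejects replayed frames.
        if not hmac.compare_digest(tag, self._tag(seq, payload)) or seq != self._recv_seq:
            raise AuthenticationFailure("tag or sequence number mismatch")
        self._recv_seq += 1
        return payload

    def close(self) -> None:
        # Key destruction in the spirit of FCS_CKM.4: overwrite, then refuse further use.
        for i in range(len(self._key)):
            self._key[i] = 0
        self._open = False

    def key_is_zeroised(self) -> bool:
        return all(b == 0 for b in self._key)


def demo() -> dict:
    """Round trip, a modified frame, a replayed frame, and use after close."""
    khmac = secrets.token_bytes(32)  # constructed per-session key shared by both ends
    device, toe = AuthenticatedChannel(khmac), AuthenticatedChannel(khmac)
    out = {}
    frame = device.seal(b"AMOUNT=12.50;RESULT=APPROVED")  # constructed EFT-POS outcome
    out["received"] = toe.open(frame)
    modified = bytearray(frame)
    modified[10] ^= 0x01  # one flipped payload bit must fail the tag check
    try:
        toe.open(bytes(modified))
        out["modified_rejected"] = False
    except AuthenticationFailure:
        out["modified_rejected"] = True
    try:
        toe.open(frame)  # same valid frame again: tag is fine, sequence is stale
        out["replay_rejected"] = False
    except AuthenticationFailure:
        out["replay_rejected"] = True
    toe.close()
    device.close()
    out["key_zeroised"] = toe.key_is_zeroised()
    try:
        device.seal(b"late message")
        out["closed_refuses"] = False
    except ChannelClosed:
        out["closed_refuses"] = True
    return out
```

The zeroisation is best effort in Python, since `hmac.new` receives a copy of the key; in the native code the ST describes, the same pattern (overwrite the buffer, then invalidate the handle) is what FCS_CKM.4 expects, and the point to carry over is that a closed channel must refuse to seal or open anything.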
This Security Function satisfies the following SFRs: FCS_CKM.1/TLS_AES, FCS_CKM.1/TLS_HMAC, FCS_CKM.1/EXT-DEV KENC, FCS_CKM.1/EXT-DEV KHMAC, FCS_CKM.1/DHE-KEY, FCS_CKM.4, FCS_COP.1/ENC-DEC, FCS_COP.1/INT-AUTH, FCS_COP.1/EXT-DEV KENC, FCS_COP.1/EXT-DEV KHMAC, FCS_COP.1/HASHING, FCS_COP.1/EXT-DEV KEYEXCHANGE, FDP_ITC.2/EFTPOS, FDP_ITC.2/TSM, FDP_ITC.2/MAIN UNIT, FTP_ITC.1, FCO_NRO.2, FDP_ETC.2/TSM, FDP_ETC.2/EFTPOS, FDP_ETC.2/MAIN UNIT

7.3. Identification and Authentication Function

The Identification and Authentication Function supports the following features:
- Authentication failure handling after 3 consecutive unsuccessful authentication attempts
- Enforcement of an identification and authentication mechanism for the following users:
  - FCR Authorised User – Manager
  - Authorized Manufacturer User
- Enforcement of an identification and authentication mechanism for the following systems:
  - PRA-IS
  - TSM

This Security Function satisfies the following SFRs: FIA_AFL.1/MANUFACTURER, FIA_AFL.1/AUTHORISED, FIA_UAU.1, FIA_UAU.4, FIA_UID.1, FDP_ITC.2/TSM, FDP_ETC.2/TSM

7.4. Access Control Function

The TOE enforces an access control policy for FCR Authorised Users and Authorized Manufacturer Users. The TOE is accessible to Manufacturer Users only in Maintenance Mode, and FCR Authorised Users can use the system only in Secure State Mode.

This Security Function satisfies the following SFRs: FDP_ACC.1, FDP_ACF.1, FDP_IFF.1/TSMCOMMUNICATION, FDP_IFC.1/TSMCOMMUNICATION, FDP_IFF.1/EFTPOSCOMMUNICATION, FDP_IFC.1/EFTPOSCOMMUNICATION, FDP_IFC.1/MAIN UNIT, FDP_IFF.1/MAIN UNIT

7.5. Data Integrity Function

The memory space for Sales Data and Event Data is subject to an integrity check in order to protect the integrity of the data. The hash value is checked before and after writing a new field to the designated memory space, and at initialization.
An audit event is generated in case of integrity corruption, and an event is transmitted to the PRA-IS if the type of the event is "Urgent".

This Security Function satisfies the following SFRs: FDP_SDI.2, FDP_SDI.2/DAILY and PRMTR

7.6. Import/Export Function

The TOE imports and exports files from/to trusted third parties via a Parameter Block and Communication Tables imported from the TSM. The Import Function controls the import of the following files:
- Parameter File
- Communication Tables
- Change Rates

The imported files are written to the related memory block and, according to the parameter file and communication tables, the TOE exports the event and sales data securely to the PRA-IS. The following messages are exported to the PRA-IS:
- Receipt Message
- Receipt Void Message
- Z Report Message
- Event Record Message
- Statistic Message

This Security Function satisfies the following SFRs: FDP_ETC.2/TSM, FDP_ETC.2/EFTPOS, FDP_ETC.2/MAIN UNIT, FDP_ITC.2/TSM, FDP_ITC.2/EFTPOS, FDP_ITC.2/MAIN UNIT

7.7. TSF Protection

The TSF protects the secure operation of the TOE by providing the following functionality:
- Support for the recovery and secure operation of all functions in case of events with the event type "Warning" or "Information"
- In case of an event with the event type "Urgent", the function or module causes the TOE to switch to "Maintenance Mode".
- FCR Authorised Users cannot access the system in "Maintenance Mode".
- Only the Authorized Manufacturer User can access the device in "Maintenance Mode".
- The device is automatically restarted upon switching from Maintenance Mode to Secure Mode.
- With the support of the Electronic Seal, the TOE Security Functions check the external switches frequently for possible tampering.
- In case of internal tampering the TOE switches to Maintenance Mode.
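The hash-protected memory block of 7.5 (check before and after each write and at initialization, audit event on corruption, immediate export only for "Urgent" events) and the bounded audit trail of 7.1 (oldest entry overwritten when full), as one added example. This is not code from the N-PosCore TOE or EnPOS; the class names, the severity labels, the use of SHA-256 and the sample field values are assumptions made for illustration.

```python
"""Added example (not N-PosCore/EnPOS code): a SHA-256 sealed record store
whose seal is verified before and after every write, plus a bounded audit
trail that overwrites its oldest entry when full. Names and data are
constructed for this illustration."""
import hashlib
import hmac
from collections import deque
from datetime import datetime, timezone


class IntegrityError(Exception):
    """Raised when the stored digest does not match the protected memory block."""


class AuditTrail:
    """Bounded trail: when capacity is reached the oldest entry is dropped (FAU_STG.4 style)."""

    def __init__(self, capacity: int):
        self._entries = deque(maxlen=capacity)  # deque discards the oldest entry when full
        self.exported_urgent = []               # stand-in for events pushed to the PRA-IS

    def record(self, event_type: str, subject: str, severity: str = "information") -> dict:
        # Every entry carries date/time and the identity of the subject (FAU_GEN.1).
        entry = {"time": datetime.now(timezone.utc).isoformat(), "subject": subject,
                 "event": event_type, "severity": severity}
        self._entries.append(entry)
        if severity == "urgent":  # only urgent events are transmitted right away
            self.exported_urgent.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)


class ProtectedBlock:
    """Memory block covered by a SHA-256 digest that is checked on every access."""

    def __init__(self, trail: AuditTrail, subject: str = "TSF"):
        self._fields = {}
        self._trail = trail
        self._subject = subject
        self._digest = self._compute()  # initialization seals the (empty) block

    def _compute(self) -> str:
        # Canonical serialization so the digest does not depend on insertion order.
        canon = "\x1f".join(f"{k}={self._fields[k]}" for k in sorted(self._fields))
        return hashlib.sha256(canon.encode()).hexdigest()

    def verify(self) -> bool:
        if not hmac.compare_digest(self._digest, self._compute()):
            self._trail.record("integrity corruption", self._subject, severity="urgent")
            raise IntegrityError("stored digest does not match memory block")
        return True

    def write(self, key: str, value) -> None:
        self.verify()                  # check before writing the new field
        self._fields[key] = value
        self._digest = self._compute()
        self.verify()                  # and again after the seal is updated
        self._trail.record(f"write {key}", self._subject)

    def read(self, key: str):
        self.verify()
        return self._fields[key]

    def simulate_memory_fault(self, key: str, value) -> None:
        # Test fixture only: alters the underlying storage without updating the seal,
        # the way a hardware fault or silent corruption would.
        self._fields[key] = value


def demo():
    """Two writes, then a silent corruption that the next read must detect."""
    trail = AuditTrail(capacity=2)  # tiny capacity so the overwrite behaviour is visible
    block = ProtectedBlock(trail)
    block.write("daily_total", 1250)  # constructed sales data
    block.write("receipt_no", 42)
    block.simulate_memory_fault("daily_total", 9999)
    try:
        block.read("daily_total")
        corrupted = False
    except IntegrityError:
        corrupted = True
    return corrupted, trail
```

With capacity 2 the trail ends up holding only the second write and the corruption event; the first write has been overwritten, which is the FAU_STG.4 behaviour 7.1 describes, while the corruption event is also present in `exported_urgent` because its severity is "urgent".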
This Security Function satisfies the following SFRs: FPT_FLS.1, FPT_PHP.2, FPT_RCV.1, FPT_RCV.4, FPT_TDC.1

7.8. TOE Self-Testing Function

The TOE conducts self-testing during initial start-up and performs the following tests:
- Testing external entities and components during start-up.
- Testing TOE functions at each start-up.
- Updating time information at each start-up and every time before a Z Report is taken.

Upon unsuccessful test results, the TSF generates an event log and takes the necessary actions.

This Security Function satisfies the following SFRs: FPT_TST.1, FPT_TEE.1/EXT, FPT_TEE.1/TIME

7.9. TSF Management Function

The TOE provides the following management functions to the FCR Authorised User - Manager:
- User Management
- Configuration of the FCR
- Reporting

The TOE provides the following management functions to the Authorized Manufacturer User:
- Maintenance Mode Operations

This Security Function satisfies the following SFRs: FMT_MOF.1, FMT_MSA.1/USER IDENTITY, FMT_MSA.1/PRIVILEGES, FMT_MSA.1/IP:PORT INFO, FMT_MSA.1/FILE NAME and INFO-LABEL, FMT_MSA.1/INFO-LABEL, FMT_MSA.1/MAIN UNIT SOURCE PORT INFO, FMT_MSA.1/EFTPOS SOURCE PORT INFO, FMT_MSA.1/EFT-POS LABEL INFO, FMT_MSA.3/USERS and SYSTEMS, FMT_MSA.3/EFTPOS, FMT_MSA.3/MAIN UNIT, FMT_MTD.1/FCR AUTHORISED USER, FMT_MTD.1/AUTHORIZED MANUFACTURER USER, FMT_SMF.1, FMT_SMR.2
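The authentication failure limit of 7.3 (three consecutive unsuccessful attempts), the mode-dependent access rule of 7.4 and the mode switching of 7.7 (an "Urgent" event forces Maintenance Mode, leaving it restarts the device), combined into one small state machine as an added example. This is not code from the N-PosCore TOE or EnPOS; the user names, passwords, PBKDF2 credential storage, lock-out action and event names are assumptions made for illustration.

```python
"""Added example (not N-PosCore/EnPOS code): consecutive-failure lock-out,
role/mode access control and Urgent-event mode switching in one state
machine. Users, passwords and event names are constructed."""
import hashlib
import hmac
import os
from enum import Enum


class Mode(Enum):
    SECURE = "Secure State Mode"
    MAINTENANCE = "Maintenance Mode"


class Role(Enum):
    MANAGER = "FCR Authorised User - Manager"
    MANUFACTURER = "Authorized Manufacturer User"


MAX_FAILURES = 3  # 7.3: three consecutive unsuccessful authentication attempts

# Which role may operate the TOE in which mode (7.4 and 7.7).
ALLOWED_IN = {Mode.SECURE: {Role.MANAGER}, Mode.MAINTENANCE: {Role.MANUFACTURER}}


def _derive(password: str, salt: bytes) -> bytes:
    # Assumed credential storage: salted PBKDF2, compared in constant time below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Fcr:
    def __init__(self):
        self._users = {}      # name -> (role, salt, derived key)
        self._failures = {}   # consecutive failure counter per user
        self._locked = set()
        self.mode = Mode.SECURE
        self.restarts = 0
        self.events = []

    def add_user(self, name: str, role: Role, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (role, salt, _derive(password, salt))
        self._failures[name] = 0

    def raise_event(self, name: str, severity: str) -> None:
        """Warning/Information events are only logged; an Urgent event forces Maintenance Mode."""
        self.events.append((name, severity))
        if severity == "Urgent":
            self.mode = Mode.MAINTENANCE

    def leave_maintenance(self) -> None:
        """Back to Secure State Mode; the device restarts on this transition (7.7)."""
        if self.mode is Mode.MAINTENANCE:
            self.mode = Mode.SECURE
            self.restarts += 1

    def login(self, name: str, password: str):
        """Returns (granted, reason): identification, then authentication, then the mode rule."""
        if name not in self._users:
            return False, "unknown user"
        if name in self._locked:
            return False, "locked"
        role, salt, stored = self._users[name]
        if not hmac.compare_digest(stored, _derive(password, salt)):
            self._failures[name] += 1
            if self._failures[name] >= MAX_FAILURES:
                self._locked.add(name)  # assumed action once the limit is reached
                self.raise_event(f"authentication failure limit reached for {name}", "Warning")
                return False, "locked"
            return False, "bad credentials"
        self._failures[name] = 0  # a success resets the consecutive counter
        if role not in ALLOWED_IN[self.mode]:
            return False, f"{role.value} not permitted in {self.mode.value}"
        return True, "ok"


def demo() -> dict:
    fcr = Fcr()
    fcr.add_user("manager", Role.MANAGER, "m-pass")      # constructed credentials
    fcr.add_user("service", Role.MANUFACTURER, "s-pass")
    out = {}
    out["secure_manager"] = fcr.login("manager", "m-pass")[0]
    out["secure_service"] = fcr.login("service", "s-pass")[0]
    fcr.raise_event("physical tampering detected", "Urgent")  # constructed event
    out["maint_manager"] = fcr.login("manager", "m-pass")[0]
    out["maint_service"] = fcr.login("service", "s-pass")[0]
    fcr.leave_maintenance()
    for _ in range(MAX_FAILURES):
        fcr.login("manager", "wrong")
    out["after_lockout"] = fcr.login("manager", "m-pass")[1]
    out["restarts"] = fcr.restarts
    out["mode"] = fcr.mode
    return out
```

The two rules are deliberately evaluated in this order: a user who is locked out, or who presents wrong credentials, is refused before the mode check, so the response never reveals which mode the device is in to an unauthenticated caller.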