MICARDO V3.5 R1.0 eHC V1.0 1 / 73 ST-Lite Document Administration 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Document Administration Recipient Department Name DE-HID Joachim Schumacher Karsten Klohs For the attention of Department Name Summary The following document comprises the Security Target for a TOE evaluated according to Common Criteria Version 2.3. The TOE being subject of the evaluation is the smart- card product MICARDO V3.5 R1.0 eHC V1.0 from Sagem Orga GmbH. The IT product under consideration shall be evaluated ac- cording to CC EAL 4 augmented with a minimum strength level for the TOE security functions of SOF-high. Keywords Target of Evaluation (TOE), Common Criteria, IC, Dedicated Software, Smartcard Em- bedded Software, Basic Software, Application Software, Security Objectives, Assump- tions, Threats, TOE Security Function (TSF), TOE Security Enforcing Function (SEF), Level of Assurance, Strength of Functions (SOF), Security Functional Requirement (SFR), Security Assurance Requirement (SAR), Security Function Policy (SFP) Responsibility for updating the document Karsten Klohs karsten.klohs@sagem-orga.com Sagem ORGA GmbH MICARDO V3.5 R1.0 eHC V1.0 ST-Lite Document Id: 3MIC3EVAL.CSL.0004 Archive: 3 Product/project/subject: MIC3EVAL (Micardo V3 Evaluierung) Category of document: CSL (ST-Lite) Consecutive number: 0004 Version: V1.02 Date: 16 October 2009 Author: Karsten Klohs Confidentiality: Checked report: not applicable Authorized (Date/Signature): not applicable Accepted (Date/Signature): not applicable ©Sagem ORGA GmbH, Paderborn, 2009 MICARDO V3.5 R1.0 eHC V1.0 3 / 73 ST-Lite Document Organisation 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Document Organisation i Notation None of the notations used in this document need extra explanation. ii Official Documents and Standards See Bibliography. iii Revision History Version Type of change Author / team V1.00 First edition, the consolidated security target as approved by the evaluator. Karsten Klohs V1.01 Minor editorial changes as requested by the certification body Karsten Klohs V1.02 Reference fix Karsten Klohs MICARDO V3.5 R1.0 eHC V1.0 4 / 73 ST-Lite Table of Contents 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Table of Contents Document Organisation ...................................................................................3 i Notation...............................................................................................................3 ii Official Documents and Standards .....................................................................3 iii Revision History..................................................................................................3 Table of Contents..............................................................................................4 1 ST Introduction...........................................................................................6 1.1 ST Identification............................................................................................6 1.2 ST Overview.................................................................................................6 1.3 CC Conformance..........................................................................................8 2 TOE Description .......................................................................................10 2.1 TOE Definition ............................................................................................10 2.1.1 Overview.....................................................................................................10 2.1.2 TOE Product Scope....................................................................................11 2.1.3 Integrated Circuit (IC) with its Dedicated Software.....................................12 2.1.4 Smartcard Embedded Software .................................................................12 2.1.4.1 Basic Software............................................................................................13 2.1.4.2 Application Software...................................................................................14 2.2 TOE Life-Cycle ...........................................................................................14 2.3 TOE Environment.......................................................................................18 2.3.1 Development Environment .........................................................................18 2.3.2 Production Environment .............................................................................19 2.3.3 Personalisation Environment......................................................................20 2.3.4 End-User Environment ...............................................................................21 2.4 TOE Intended Usage..................................................................................22 3 TOE Security Environment......................................................................24 3.1 Assets.........................................................................................................24 3.1.1 Assets for the TOE .....................................................................................24 3.2 Assumptions...............................................................................................24 3.2.1 Assumptions for the TOE ...........................................................................24 3.3 Threats .......................................................................................................24 3.3.1 Threats on the TOE....................................................................................24 3.4 Organisational Security Policies.................................................................24 4 Security Objectives ..................................................................................25 4.1 Security Objectives for the TOE .................................................................25 4.2 Security Objectives for the Environment of the TOE ..................................25 5 IT Security Requirements ........................................................................25 5.1 TOE Security Requirements.......................................................................25 5.1.1 TOE Security Functional Requirements .....................................................25 5.1.1.1 Security Functional Requirements for the TOE..........................................26 5.1.2 SOF Claim for TOE Security Functional Requirements .............................45 5.1.3 TOE Security Assurance Requirements.....................................................45 5.1.4 Refinements of the TOE Security Assurance Requirements......................47 MICARDO V3.5 R1.0 eHC V1.0 5 / 73 ST-Lite Table of Contents 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 6 TOE Summary Specification ...................................................................47 6.1 TOE Security Functions..............................................................................47 6.1.1 TOE Security Functions / TOE-IC ..............................................................47 6.1.2 TOE Security Functions / TOE-ES .............................................................47 6.2 SOF Claim for TOE Security Functions......................................................59 6.3 Assurance Measures..................................................................................62 7 PP Claims..................................................................................................65 7.1 TOE´s eHC Application ..............................................................................65 7.1.1 PP References ...........................................................................................65 8 Rationale ...................................................................................................65 Reference.........................................................................................................66 I Bibliography ......................................................................................................66 II Summary of abbreviations ................................................................................72 III Glossary............................................................................................................73 MICARDO V3.5 R1.0 eHC V1.0 6 / 73 ST-Lite 0BST Introduction 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 1 ST Introduction 1.1 ST Identification This Security Target refers to the smartcard product “MICARDO V3.5 R1.0 eHC V1.0” (TOE) provided by Sagem Orga GmbH for a Common Criteria evaluation. Title: Security Target - MICARDO V3.5 R1.0 eHC V1.0 Document Category: Security Target for a CC Evaluation Document ID: Refer to Document Administration Version: Refer to Document Administration Publisher: Sagem Orga GmbH Confidentiality: confidential TOE: “MICARDO V3.5 R1.0 eHC V1.0” (Smartcard Product containing IC with Smartcard Embedded Software, including eHC Application, intended to be used within the German Health Care System) Certification ID: BSI-DSZ-CC-0602 IT Evaluation Scheme: German CC Evaluation Scheme Evaluation Body: SRC Security Research & Consulting GmbH Certification Body: Bundesamt für Sicherheit in der Informationstechnik (BSI) This Security Target has been built in conformance with Common Criteria V2.3. 1.2 ST Overview Target of Evaluation (TOE) and subject of this Security Target (ST) is the smartcard product “MICARDO V3.5 R1.0 eHC V1.0” developed by Sagem Orga GmbH. The TOE is realised as Smartcard Integrated Circuit (IC with contacts) with Smartcard Em- bedded Software, consisting of the MICARDO V3.5 Operating System platform and the dedicated electronic Health Card Application (eHC Application) as intended to be used for the German Health Care System. The TOE`s eHC Application is based on the MICARDO V3.5 Operating System platform. MICARDO V3.5 R1.0 eHC V1.0 7 / 73 ST-Lite 0BST Introduction 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs In particular, the TOE´s platform and its technical functionality and inherently integrated se- curity features are designed and developed under consideration of the following specifica- tions, standards and requirements: • Functional and security requirements defined in the specification /eHC1/ and /eHC2/ for the electronic Health Card (eHC) as employed within the German Health Care System • Requirements from the Protection Profiles/PP9911/, /PP-eHC/ • Technical requirements defined in /ISO 7816/, Parts 1, 2, 3, 4, 8, 9, 15 The TOE is intended to be used as electronic Health Card (eHC) within the German Health Care System. More detailed: The eHC Application running on the underlying MICARDO V3.5 Operating System platform is implemented according to the requirements in /eHC1/ and /eHC2/. The eHC Application in the sense of this ST covers all elementary files at the MF-level, the DF.HCA, the DF.ESIGN, the DF.CIA.ESIGN as defined in /eHC2/ and further Sagem Orga specific files. Under technical view, the TOE comprises the following components: • Integrated Circuit (IC) with Crypto Library "NXP SmartMX P5CC080V0B Secure Smart Card Controller with Cryptographic Library as IC Dedicated Support Soft- ware" provided by NXP Semiconductors GmbH • Smartcard Embedded Software comprising the MICARDO V3.5 Operating Sys- tem platform (designed as native implementation) and the dedicated eHC Applica- tion for the German Health Care System provided by Sagem Orga GmbH The configuration of the TOE as eHC will be done by Sagem Orga GmbH prior to the deliv- ery of the product. In any case, the TOE contains the dedicated eHC Application. The TOE contains at its delivery unalterable identification information on the delivered con- figuration. Furthermore, the TOE provides authenticity information which allow for an authen- ticity proof of the product. The TOE will be delivered from Sagem Orga GmbH in the following variants: • Delivery as not-initialised module or smartcard: The delivery of the modules resp. smartcards will be combined with the delivery of the customer specific initialisation file (in particular containing the evaluated eHC Application) developed by Sagem Orga GmbH. The initialisation file is sent (by a secured transfer way) to the Initialiser for loading the EEPROM initialisation data into the TOE during its initialisation phase whereat the production requirements defined in the Guidance for the Initialiser (as well delivered by Sagem Orga GmbH) have to be considered. In the case of the delivery of modules, the last part of the smartcard finishing pro- cess, i.e. the embedding of the delivered modules and final (card) tests, is task of the customer. • Delivery as initialised module or smartcard: MICARDO V3.5 R1.0 eHC V1.0 8 / 73 ST-Lite 0BST Introduction 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The initialisation of the modules resp. smartcards will be performed by Sagem Orga GmbH prior to the delivery of the TOE to the customer. In the case of the delivery of modules, the last part of the smartcard finishing pro- cess, i.e. the embedding of the delivered modules and final (card) tests, is task of the customer. The form of the delivery of the TOE does not influence the security features of the TOE in any way. However, in the case of the delivery of the product in initialised form, the initialisa- tion process at Sagem Orga GmbH will be considered in the framework of the TOE´s CC evaluation. As the manner of the delivery of the TOE does not affect the security of the TOE in any way the TOE will be named in the following with “eHC” for short, independently of its form of delivery. In order to be compliant with the requirements from the German Health Care System the TOE will be evaluated according to CC EAL 4 augmented with a minimum strength level for the TOE security functions of SOF-high. The CC evaluation and certification of the TOE implies the proof for compliance of the TOE´s eHC Application with the corresponding specifications /eHC1/ and /eHC2/ and their require- ments. The main objectives of this ST are • to describe the TOE as a smartcard product intended to be used as eHC • to define the limits of the TOE • to describe the assumptions, threats and security objectives for the TOE • to describe the security requirements for the TOE • to define the TOE security functions 1.3 CC Conformance The CC evaluation of the TOE is based upon • Common Criteria for Information Technology Security Evaluation, Part 1: Introduc- tion and General Model, Version 2.3, August 2005 (/CC 2.3 Part1/) • Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements, Version 2.3, August 2005 (/CC 2.3 Part2/) • Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements, Version 2.3, August 2005 (/CC 2.3 Part3/) For the evaluation the following methodology will be used: • Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Version 2.3, August 2005 (/CEM 2.3 Part2/) MICARDO V3.5 R1.0 eHC V1.0 9 / 73 ST-Lite 0BST Introduction 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs This Security Target is written in accordance with the above mentioned Common Criteria Version 2.3 and claims the following CC conformances: • Part 2 extended • Part 3 conformant • conformant to the Protection Profile “electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK)” registered under BSI-PP-0020-V2 (/PP-eHC/) The chosen level of assurance for the TOE is EAL 4 augmented. The augmentation in- cludes the assurance components ADV_IMP.2, ATE_DPT.2, AVA_MSU.3 and AVA_VLA.4. The minimum strength level for the TOE security functions is SOF-high. In order to avoid redundancy and to minimize the evaluation efforts, the evaluation of the TOE will be conducted as a composite evaluation and will make use of the evaluation results of the CC evaluation of the underlying semiconductor "NXP SmartMX P5CC080V0B Secure Smart Card Controller with Cryptographic Library as IC Dedicated Support Software" pro- vided by NXP Semiconductors GmbH. The IC incl. its IC Dedicated Software is evaluated according to Common Criteria EAL 5 augmented with a minimum strength level for its secu- rity functions of SOF-high and is covered by the certification reports /BSI-CC-IC/ (IC family) and /BSI-CC-ICCL/ (Crypto-Library). The evaluation of the IC is based on the Protection Pro- file /BSI-PP-0002/. MICARDO V3.5 R1.0 eHC V1.0 10 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 2 TOE Description 2.1 TOE Definition 2.1.1 Overview The Target of Evaluation (TOE) is the smartcard product “MICARDO V3.5 R1.0 eHC V1.0” (eHC for short in the following) intended to be used as electronic Health Card (eHC) in the German Health Care System. In technical view the eHC is realised as a proprietary operating system with an Application Layer directly set-up on this operating system layer. The eHC is based on the microcontroller with Crypto Library "NXP SmartMX P5CC080V0B Secure Smart Card Controller with Cryptographic Library as IC Dedicated Support Software" provided by NXP Semiconductors GmbH. The IC incl. its Dedicated Software is evaluated according to Common Criteria EAL 5 augmented with a minimum strength level for its secu- rity functions of SOF-high (refer to /BSI-CC-IC/ and /BSI-CC-ICCL/). Roughly spoken, the TOE is composed from the following parts: • Integrated Circuit (IC) with its proprietary IC Dedicated Software (TOE-IC) • Smartcard Embedded Software (TOE-ES) consisting of - Basic Software (TOE-ES/BS) - Application Software (TOE-ES/AS) While the Basic Software consists of the MICARDO V3.5 Operating System platform of the TOE (realised as native implementation), the Application Software covers the Application Layer which is directly set-up on the MICARDO V3.5 Operating System platform and imple- ments the specific eHC Application. The pre-defined application belonging to the TOE com- prise own dedicated file and data systems with dedicated security structures, i.e. with appli- cation specific access rights for the access of subjects to objects and with application specific security mechanisms and PIN and key management. The design and implementation of the TOE´s dedicated eHC Application and their security structure follow the requirements in the specifications /eHC1/ and /eHC2/. The eHC Application in the sense of this ST covers all elementary files at the MF-level, the DF.HCA, the DF.ESIGN, the DF.CIA.ESIGN as defined in /eHC2/ and further Sagem Orga specific files. Furthermore, the eHC itself offers the possibility to check its authenticity. For this purpose, the eHC contains the private part of a dedicated authentication key pair which depends on the configuration of the TOE and may be chosen customer specific (for more details see chap. 2.1.4.2). The following figure shows the global architecture of the TOE and its components: MICARDO V3.5 R1.0 eHC V1.0 11 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The different components of the TOE depicted in the figure above will be described more detailed in the following sections. 2.1.2 TOE Product Scope The following table contains an overview of all deliverables associated to the TOE: TOE component Description / Additional Information Type Transfer Form TOE-IC NXP SmartMX P5CC080V0B Secure Smart Card Controller (incl. its IC Dedicated Software, covering in particular the Crypto Library) HW / SW TOE-ES/BS Smartcard Embedded Software / Part Basic Software (implemented in ROM/EEPROM of the microcontroller) SW TOE-ES/AS Smartcard Embedded Software / Part Applica- tion Software (containing the eHC Application implemented in the EEPROM of the microcon- troller) SW Delivery of not- initialised / initialised modules or smart- cards Delivery of initialisa- tion files in elec- tronic form (if appli- cable) Note: The TOE will be delivered from Sagem Orga GmbH as not-initialised or initialised product (module / smartcard). To finalize the TOE as not-initialised product, the initialisation file developed by Sagem Orga GmbH must be loaded during the initialisation phase by the Initialiser (Sagem Orga GmbH or other initialisation facility). User Guide / User of the MI- CARDO platform User guidance for the User of the MICARDO Operating System platform DOC Document in paper / electronic form User Guide / Initialiser of the eHC Card User guidance for the Initialiser of the eHC Card DOC Document in paper / electronic form User Guide / Personaliser of User guidance for the Personaliser of the eHC Card (in particular the eHC Application) DOC Document in paper / electronic form TOE-IC TOE-ES/AS Application Layer eHC Application TOE-ES/BS IC P5CC080V0B Native Platform Memory Management, I/O, Security Features, Transaction Facilities MICARDO Layer Initialisation Module Personalisation Module Crypto- Lib MICARDO V3.5 R1.0 eHC V1.0 12 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs TOE component Description / Additional Information Type Transfer Form the eHC Card Identification Data Sheet of the eHC Card Data Sheet with information on the actual iden- tification data and configuration of the eHC Card delivered to the customer DOC Document in paper / electronic form Aut-Key of the eHC Card Public part of the authentication key pair rele- vant for the authenticity of the eHC Card Note: The card´s authentication key pair is gen- erated by Sagem Orga GmbH and depends on the TOE´s configuration delivered to the cus- tomer. Furthermore, the key pair may be cho- sen customer specific. KEY Document in paper form / electronic file Pers-Key of the eHC Card Personalisation key (pair of keys used for en- cryption and MAC respectively) relevant for the personalisation of the eHC Card Note: The card´s personalisation key pair is generated by Sagem Orga GmbH and depends on the TOE´s configuration delivered to the customer. Furthermore, the key may be chosen customer specific. KEY Document in paper form / electronic file Note: Deliverables in paper form require a personal passing on or a procedure of at least the same security. For deliverables in electronic form an integrity and authenticity attribute will be attached. 2.1.3 Integrated Circuit (IC) with its Dedicated Software Basis for the TOE´s Smartcard Embedded Software is the microcontroller with Crypto Library "NXP SmartMX P5CC080V0B Secure Smart Card Controller with Cryptographic Library as IC Dedicated Support Software". The microcontroller and its Dedicated Software are devel- oped and produced by NXP Semiconductors GmbH (within phase 2 and 3 of the smartcard product life-cycle, see chap. 2.2). Detailed information on the IC Hardware, the IC Dedicated Software (in particular the Crypto Library) and the IC interfaces can be found in /ST-IC/ and /ST-IC+CL/. 2.1.4 Smartcard Embedded Software The Smartcard Embedded Software of the TOE comprises the MICARDO V3.5 Operating System platform and applications running on this platform and is therefore divided into two parts with specific contents: • Basic Software (MICARDO V3.5 Operating System platform) • Application Software (Application Layer with dedicated eHC Application) Each part of the Smartcard Embedded Software is designed and developed by Sagem Orga GmbH in phase 1 of the smartcard product life-cycle (see chap. 2.2). Embedding of the Smartcard Embedded Software into the TOE is performed in the later phases 3 and 5. MICARDO V3.5 R1.0 eHC V1.0 13 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The main parts of the Basic Software are brought into the card by the IC manufacturer in form of the ROM mask and stored in the User-ROM of the IC (phase 3). The Application Software, and perhaps additional parts of the Basic Software, are located in the EEPROM area and are lateron loaded by specific initialisation routines of the TOE (phase 5). Hereby, the loading requires an encrypted and with a cryptographic checksum secured initialisation file. The necessary keys for securing the initialisation process are stored inside the IC during production time. 2.1.4.1 Basic Software The Basic Software of the Smartcard Embedded Software comprises the MICARDO V3.5 Operating System platform of the TOE. Its main and security related parts are stored in the User-ROM of the underlying IC and are brought into the smartcard in form of the so-called ROM mask during the production process of the IC within phase 3 of the smartcard product life-cycle (see chap. 2.2). The MICARDO V3.5 Operating System platform of the TOE is designed as proprietary soft- ware consisting of two layers. In detail, the integral parts of the TOE´s operating system con- sist of the MICARDO Layer and the Initialisation Module. Both are based on a Native Plat- form which serves as an abstraction layer towards the IC. On the other side, the MICARDO Layer and the Initialisation Module provide an interface between the operating system and the overlying Application Layer with the dedicated eHC Application. The MICARDO Layer implements the executable code for the card commands and all gen- eral technical and security functionality of the MICARDO V3.5 Operating System platform as data objects and structures, file and object handling, security environments, security resp. cryptographic algorithms, key and PIN management, security states, access rules, secure messaging etc. As mentioned, the Native Platform of the TOE´s operating system serves as an abstraction layer between the MICARDO Layer resp. the Initialisation Module and the IC. For this task, it provides essential operating system components and low level routines concerning memory management, I/O handling, transaction facilities, system management, security features and cryptographic mechanisms. For the cryptographic features, the Native Platform makes use of a specific module, the Crypto Library, which supports and implements the TOE´s core cryptographic functionality. The Crypto Library is provided as IC Dedicated Support Software by the underlying IC. In view of the Smartcard Embedded Software, the Crypto Library is accessible only via the Na- tive Platform. For the initialisation process of the TOE conducted within phase 5 of the smartcard product life-cycle (see chap. 2.2) the operating system of the TOE puts dedicated initialisation rou- tines at disposal which are solely accessible during the initialisation phase and which are realised within the Initialisation Module. After the initialisation has been successfully com- pleted these commands are no longer available. Furthermore, the functionality of deleting the complete initialisation file after the initialisation (deletion of the whole EEPROM area) is dis- abled for the TOE. The Initialisation Module puts the following features at disposal: MICARDO V3.5 R1.0 eHC V1.0 14 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs • specific initialisation routines • specific test routines for the EEPROM area Loading of an initialisation file is only possible by use of the TOE´s specific initialisation rou- tines. Hereby, the initialisation file to be loaded has to be secured before with an encryption and a cryptographic checksum, both done with dedicated keys of the TOE. The test routines for the EEPROM area can be used for a check of the correct functioning of the memory. Furthermore, the Initialisation Module manages the specific states of the TOE´s operating system according to specified and unalterable rules. In order to support the personalisation process the MICARDO V3.5 Operating System con- tains a personalisation module. This module provides a dedicated set of personalisation commands. These commands are only available after successful authentication with the per- sonalisation key and are restricted to modify data intended for personalisation. Furthermore, the personalisation modules allows for the establishment of a trusted channel to secure the transfer of confidential data to the card. The personalisation commands are permanently disabled after successful personalisation. 2.1.4.2 Application Software The Application Software part of the TOE´s Smartcard Embedded Software comprises the Application Layer and is directly set-up on the TOE´s Basic Software. It consists of the TOE´s dedicated eHC Application which is implemented according to the requirements in /eHC1/ and /eHC2/. The Application Software will be brought into the smartcard in cryptographically secured form during the initialisation process within phase 5 of the smartcard product life-cycle (see chap. 2.2). The initialisation process uses the specific initialisation routines of the TOE´s operating system, and the Application Software will be stored in the EEPROM area of the IC. The eHC offers the capability to check its authenticity. For this purpose, the TOE contains the private part of a dedicated RSA authentication key pair over which by an internal authen- tication procedure the authenticity of the eHC can be proven. The authentication key pair depends on the Initialisation File (containing the Application Software to be initialised) and its configuration and may be chosen customer specific. The corresponding public part of the authentication key pair is delivered through a trusted way to the external world. Furthermore, the TOE contains a data area for storing identification data of the TOE and its configuration. The data area will be filled in the framework of the initialisation of the TOE with a specific operating system command and can be read out with a further specific operating system command. Once the identification data have been written, there is afterwards no change possible. 2.2 TOE Life-Cycle MICARDO V3.5 R1.0 eHC V1.0 15 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The smartcard product life-cycle of the TOE is decomposed into seven phases. In each of these phases different authorities with specific responsibilities and tasks are involved: Phase Description Phase 1 Smartcard Embedded Software Develop- ment The Smartcard Embedded Software Developer (Sagem Orga GmbH) is in charge of • the development of the Smartcard Embedded Software (Basic Software, Application Software) and • the specification of the IC initialisation and pre-persona- lisation requirements (though the actual data for the IC initialisation and pre-personalisation come from Phase 4, 5 resp. 6). The purpose of the Smartcard Embedded Software designed dur- ing phase 1 is to control and protect the TOE during phases 4 to 7 (product usage).The global security requirements of the TOE are such that it is mandatory during the development phase to antici- pate the security threats of the other phases. Phase 2 IC Development The IC Designer (NXP Semiconductors GmbH) • designs the IC, • develops the IC Dedicated Software, • provides information, software or tools to the Smartcard Embedded Software Developer, and • receives the Smartcard Embedded Software (only Basic Software) from the developer through trusted delivery and verification procedures. From the IC design, IC Dedicated Software and Smartcard Em- bedded Software, the IC Designer (NXP Semiconductors GmbH) • constructs the smartcard IC database, necessary for the IC photomask fabrication. Phase 3 IC Manufacturing and Testing The IC Manufacturer (NXP Semiconductors GmbH) is respon- sible for • producing the IC through three main steps: - IC manufacturing, - IC testing, and - IC pre-personalisation. The IC Mask Manufacturer (NXP Semiconductors GmbH) • generates the masks for the IC manufacturing based upon an output from the smartcard IC database. Phase 4 IC Packaging and Testing The IC Packaging Manufacturer (Sagem Orga GmbH) is re- sponsible for • the IC packaging (production of modules) and • testing. Phase 5 Smartcard Product Finishing Process The Smartcard Product Manufacturer (Sagem Orga GmbH or MICARDO V3.5 R1.0 eHC V1.0 16 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs other initialisation facility) is responsible for • the initialisation of the TOE (in form of the initialisation of the modules of phase 4 or complete smartcards) and • its testing. The smartcard product finishing process comprises the embed- ding of the (initialised) modules for the TOE and the card produc- tion what is done alternatively by Sagem Orga GmbH or by the customer. Final card tests only aim at checking the quality of the card pro- duction, in particular concerning the bonding and implantation of the modules. Phase 6 Smartcard Personalisation The Personaliser / Card Management System is responsible for • the smartcard personalisation and • final tests. The personalisation of the smartcard includes the printing of the (card holder specific) visual readable data onto the physical smartcard, and the writing of (card holder specific) TOE User Data and TSF Data into the smartcard. Phase 7 Smartcard End-Usage The Smartcard Issuer is responsible for • the smartcard product delivery to the smartcard end- user (card holder), and the end of life process. The authorized personalisation agents (card management sys- tems) are allowed • to add data for a new application, modify or delete an eHC application, but not to load additional executable code. Functions used for this are specifically secured func- tions for this usage phase (for example the require card-to-card authentication and secure messaging). This functionality doesn’t imply that the card can be switched back to an earlier life cycle stage. The TOE is used as eHC by the smart card holder in the opera- tional use phase. Appropriate procedures for a secure delivery process of the TOE or parts of the TOE under construction from one development resp. production site to another site within the smartcard product life-cycle are established. This concerns any kind of delivery performed from phase 1 to 5, including: - intermediate delivery of the TOE or parts of the TOE under construction within a phase, - delivery of the TOE or parts of the TOE under construction from one phase to the next. In particular, the delivery of the Crypto Library from NXP Semiconductors GmbH to Sagem Orga GmbH follows the dedicated secured delivery process defined in /ST-IC+CL/. The de- livery of the ROM mask and the EEPROM pre-personalisation data from Sagem Orga GmbH to NXP Semiconductors GmbH is done by using the dedicated secured delivery procedure MICARDO V3.5 R1.0 eHC V1.0 17 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs specified by NXP Semiconductors GmbH following the so-called NXP Order Entry Form P5CC080V0B . The IC manufacturer NXP Semiconductors GmbH delivers the IC with its IC Dedicated Soft- ware and the ROM mask supplied by Sagem Orga GmbH at the end of phase 3 in form of wafers according to /UG-IC/, chap. 2.1, Delivery Method 2, bullet point 1. The IC Dedicated Test Software stored in the Test-ROM is disabled before the delivery of the IC and cannot be used in the following phases. The FabKey procedure described in /UG-IC/, chap. 2.1, Delivery Method 2, bullet point 2 is replaced by the following procedure which provides at least equivalent security: The TOE´s operating system puts in the non-initialised status the command “Verify ROM” at disposal, with which a SHA-1 hash value over the complete ROM and data freely chosen by the exter- nal world can be generated. Prior to the initialisation of the IC, the authenticity of the IC with its ROM mask will be proven by using the functionality “Verify ROM” and comparing the new generated hash value over the ROM data and the data freely chosen with a corresponding external reference value which is accessible only for Sagem Orga GmbH . With regard to the smartcard product life-cycle of the TOE described above, the different development and production phases of the TOE with its IC incl. its IC Dedicated Software and with its Smartcard Embedded Software (Basic Software, Application Software) are part of the evaluation of the TOE. Different ways for the delivery of the TOE are established: • Delivery as initialised product: - The TOE is delivered at the end of phase 5 in form of complete cards, i.e. after the initialisation process of the TOE has been successfully finished, final card tests have been successfully conducted and the card production has been ful- filled. - Alternatively, the TOE is delivered within phase 5 in form of initialised and tested modules. In this case, the smartcard finishing process (embedding of the deliv- ered initialised modules, final (card) tests) is task of the customer. • Delivery as not-initialised product: - The TOE is delivered within phase 5 in form of not-initialised cards, i.e. the initiali- sation of the product and final (card) tests have to be performed by the Initialiser. - Alternatively, the TOE is delivered at the end of phase 4 in form of not-initialised modules. In this case, the product´s initialisation and the smartcard finishing proc- ess (embedding of the modules, final (card) tests) are task of the customer. MICARDO V3.5 R1.0 eHC V1.0 18 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 2.3 TOE Environment Considering the TOE and its life-cycle described above, four types of environments can be distinguished: - development environment corresponding to phase 1 and 2, - production environment corresponding to phase 3 to phase 5, - personalisation environment corresponding to phase 6, - end-user environment corresponding to phase 7. 2.3.1 Development Environment Phase 1 - Smartcard Embedded Software Development To assure security of the development process of the Smartcard Embedded Software, a se- cure development environment with appropriate personnel, organisational and technical se- curity measures at Sagem Orga GmbH is established. Only authorized and experienced personnel which understands the importance and the rigid implementation of the defined security procedures is involved in the development activities. The development process comprises the specification, the design, the coding and the testing of the Smartcard Embedded Software. For design, implementation and test purposes secure computer systems preventing unauthorized access are used. For security reasons the coding and testing activities will be done independently of each other. All sensitive documentation, data and material concerning the development process of the Smartcard Embedded Software are handled in an appropriately and sufficiently secure way. This concerns both the transfer as well as the storing of all related sensitive documents, data and material. Furthermore, all development activities run under a configuration control sys- tem which guarantees for an appropriate traceability and accountability. The Smartcard Embedded Software of the developer, more precise the Basic Software part dedicated for the ROM of the IC, is delivered to the IC manufacturer through trusted delivery and verification procedures. The Application Software and additional parts of the Basic Soft- ware are delivered in form of a cryptographically secured initialisation file as well through trusted delivery and verification procedures to the initialisation centre. Phase 2 – IC Development During the design and layout process only people involved in the specific development pro- ject for the IC have access to sensitive data. Different people are responsible for the design data of the IC and for customer related data. The security measures installed at NXP Semi- conductors GmbH ensure a secure computer system and provide appropriate equipment for the different development tasks. MICARDO V3.5 R1.0 eHC V1.0 19 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 2.3.2 Production Environment Phase 3 - IC Manufacturing and Testing The verified layout data are provided by the developers of NXP Semiconductors GmbH di- rectly to the wafer fab. The wafer fab generates and forwards the layout data related to the relevant photomask to the IC mask manufacturer (NXP Semiconductors GmbH). The photomask is generated off-site and verified against the design data of the development before usage. The accountability and traceability is ensured among the wafer fab and the photomask provider. The production of the wafers includes two different steps regarding the production flow. In the first step the wafers are produced with the fixed mask independent of the customer. After that step the wafers are completed with the customer specific mask and the remaining mask. The computer tracking ensures the control of the complete process including the storage of the semifinished wafers. The test process of every die is performed by a test centre of NXP Semiconductors GmbH. Delivery processes between the involved NXP Semiconductors GmbH sites provide ac- countability and traceability of the produced wafers. The delivery of the ICs from NXP Semi- conductors GmbH to Sagem Orga GmbH is made in form of wafers whereby non-functional ICs are marked on the wafer. Phase 4 – IC Packaging and Testing For security reasons the processes of IC packaging and testing at Sagem Orga GmbH are done in a secure environment with adequate personnel, organisational and technical security measures. Only authorized and experienced personnel which understands the importance and the rigid implementation of the defined security procedures is involved in these activities. All sensitive material and documentation concerning the production process of the TOE is handled in an appropriately and sufficiently secure way. This concerns both the transfer as well as the storing of all related sensitive material and documentation. All operations are done in such a way that appropriate traceability and accountability exist. Phase 5 - Smartcard Product Finishing Process To assure security of the initialisation process of the TOE, a secure environment with ade- quate personnel, organisational and technical security measures at the Initialiser is estab- lished. Only authorized and experienced personnel which understands the importance and the rigid implementation of the defined security procedures is involved in the initialisation and test activities. The initialisation process of the TOE comprises the loading of the TOE´s Application Soft- ware and the remaining EEPROM-parts of the TOE´s Basic Software which have been MICARDO V3.5 R1.0 eHC V1.0 20 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs specified, coded, tested and cryptographically secured in phase 1 of the product life-cycle. The TOE allows only the initialisation of the intended initialisation file with its Application Software and its parts of the Basic Software. For security reasons, secure systems within a separate network and preventing unauthorized access are used for the initialisation process. The smartcard finishing process comprises the embedding of the modules and final card tests. All sensitive documentation, data and material concerning the production processes of the TOE at Sagem Orga GmbH within phase 5 are handled in an appropriately and sufficiently secure way. This concerns both the transfer as well as the storing of all related sensitive documents, data and material. Furthermore, all operations run under a control system which supplies appropriate traceability and accountability. At the end of this phase, the TOE is complete as smartcard and can be supplied for delivery to the personalisation centre for personalisation. 2.3.3 Personalisation Environment Note: The phases from the end of phase 5 up to phase 7 in the smartcard product life-cycle are not part of the TOE development and production process in the sense of this Security Target. Information about the phases 6 and 7 are just included to describe how the TOE is used after its development and production. Phase 6 - Smartcard Personalisation Central task for the personaliser is the personalisation of the initialised product, i.e the load- ing of card resp. card holder specific data into the dedicated eHC Application already existing on the initialised card. The personalisation process and its security depends directly on the access rules which have been initialised and which are explicitly enforced by the personalisation commands. Further- more, the use of this commands requires a mutual authentification between the card and the personalisation unit. Additionally, this authentification establishes a trusted channel for the secured transfer of confidential personalisation data. . However, the establishment of a secure environment for the personalisation process with adequate personnel, organisational and technical security measures is in the responsibility of the personalisation centre itself. In particular, the personaliser is responsible for the set-up of a secure personalisation process and for taking into account the requirements and recom- mendations given in the TOE´s user guidance for the personaliser. The secure key man- agement and handling of the cryptographic keys for securing the data transfer within the per- sonalisation process (if applicable) and the secure handling of the personalisation data itself is task of the personalisation centre. MICARDO V3.5 R1.0 eHC V1.0 21 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 2.3.4 End-User Environment Phase 7 – Smartcard End-usage In the end-usage phase, the TOE is under control of the card holder, and the eHC Applica- tion with their file systems, objects and data residing on the card are used in their intended way in the German Health Care System. However, according to the card structure and the access rules set for the different objects, further card management activities (as e.g. deleting or adding applications, inserting further personalisation data) may be possible for authorised users. MICARDO V3.5 R1.0 eHC V1.0 22 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 2.4 TOE Intended Usage Introducing information on the intended usage of the TOE is given within chap. 1.2. The pre- sent chapter will provide additional and more detailed information on the Operating System platform and on the eHC Application residing on the card at delivery time point. In general, the MICARDO V3.5 Operating System platform is designed as multifunctional platform for high security applications. Therefore, the TOE provides an Operating System platform with a wide range of technical functionality and an adequate set of inherently inte- grated security features. The MICARDO V3.5 Operating System platform supports the following services: • Oncard-generation of RSA key pairs of high quality (with appropriate key lengths) • Different signature schemes (based on RSA with appropriate key lengths and padding schemes) • Different encryption schemes (based on DES and RSA with appropriate key lengths and padding schemes) • Key derivation schemes • PIN based authentication scheme • Different key based authentication schemes (based on DES and RSA, with / with- out session key agreement) • Hash value calculation • Random number generation of high quality • Calculation and verification of cryptographic checksums • Verification of CV certificates • Protection of the communication between the TOE and the external world against disclosure and manipulation (Secure Messaging) • Protection of files and data by access control functionality • Life-cycle state information related to the Operating System itself as well as to all objects processed by the card • Confidentiality of cryptographic keys, PINs and further security critical data • Integrity of cryptographic keys, PINs and further security critical data • Confidentiality of operating system code and its internal data • Integrity of operating system code and its internal data (self test functionality) • Resistance of crypto functionality against Side Channel Analysis (SPA, DPA, TA, DFA) • Card management functionality • Channel management (with separation of channel related objects) MICARDO V3.5 R1.0 eHC V1.0 23 / 73 ST-Lite 1BTOE Description 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs To support the security of the above mentioned features of the TOE, the MICARDO V3.5 Operating System platform provides appropriate countermeasures for resistance especially against the following attacks: • Cloning of the product • Unauthorised disclosure of confidential data (during generation, storage and processing) • Unauthorised manipulation of data (during generation, storage and processing) • Identity usurpation • Forgery of data to be processed • Derivation of information on the private key from the related public part for oncard- generated RSA key pairs • Side Channel Attacks The resistance of the TOE against such attack scenarios is reached by usage of appropriate security features already integrated in the underlying IC as well as by implementing addi- tional appropriate software countermeasures. The specific eHC Application of the TOE comprises a file system with objects, access rules and data according to the requirements in /eHC1/ and /eHC2/. The eHC and its dedicated eHC Application provide the following main security services: • Mutual Authentication between the eHC and a HPC or an SMC • Mutual Authentication between the eHC and a security device (e. g. for online up- date of contract data in the card) • Authentication of the card holder by use of one of two PINs, called PIN.CH and PIN.home (Note: Both of these PINs are used for general functions of the eHC.) • Secure storage of contractual and medical data, with respect to confidentiality, in- tegrity and authenticity of these data • Authentication of the card using a private key and an X.509 certificate • Document content key decipherment using a private key Additional detailed information on the intended usage of the TOE and its functionality is given within the chapters 1.2 and 2.1.2. MICARDO V3.5 R1.0 eHC V1.0 24 / 73 ST-Lite 2BTOE Security Environment 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 3 TOE Security Environment 3.1 Assets Assets are security–relevant elements to be directly protected by the TOE whereby assets have to be protected in terms of confidentiality and integrity. Confidentiality of assets is al- ways intended with respect to untrusted users of the TOE and its security-critical compo- nents, whereas the integrity of assets is relevant for the correct operation of the TOE and its security-critical components. The confidentiality of the code of the TOE is included in this ST for several reasons. First, the confidentiality is needed for the protection of intellectual/industrial property on security or effectiveness mechanisms. Second, though protection shall not rely exclusively on code con- fidentiality, disclosure of the code may weaken the security of the involved application. For instance, knowledge about the implementation of the operating system or the applications running on the operaing system may benefit an attacker. This also applies to internal data of the TOE, which may similarly provide leaks for further attacks. 3.1.1 Assets for the TOE For a detailed description of the TOE´s assets related to the refer to /PP-eHC/, chap. 3.1.1. 3.2 Assumptions 3.2.1 Assumptions for the TOE For a detailed description of the assumptions related to the TOE refer to /PP-eHC/, chap. 3.3. 3.3 Threats The TOE is required to counter different type of attacks against its specific assets. A threat agent could try to threaten these assets either by functional attacks or by environmental ma- nipulation, by specific hardware manipulation, by a combination of hardware and software manipulations or by any other type of attacks. 3.3.1 Threats on the TOE For a detailed description of the threats related to the TOE refer to /PP-eHC/, chap. 3.2. 3.4 Organisational Security Policies MICARDO V3.5 R1.0 eHC V1.0 25 / 73 ST-Lite 3BSecurity Objectives 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs For a detailed description of the organisational security policies related to the TOE´s dedi- cated eHC Application refer to /PP-eHC/, chap. 3.1. 4 Security Objectives 4.1 Security Objectives for the TOE The security objectives for the TOE cover principally the following aspects: • integrity and confidentiality of the TOE´s assets • protection of the TOE and its associated documentation and environment during the development and production phases. For a detailed description of the specific security objectives related to the TOE´s dedicated eHC Application refer to /PP-eHC/, chap. 4.1. 4.2 Security Objectives for the Environment of the TOE For a detailed description of the specific security objectives related to the environment of the TOE´s dedicated eHC Application refer to /PP-eHC/, chap. 4.2 and 4.3. 5 IT Security Requirements 5.1 TOE Security Requirements This section covers the subsections “TOE Security Functional Requirements” and ”TOE Se- curity Assurance Requirements”. 5.1.1 TOE Security Functional Requirements The TOE Security Functional Requirements (SFRs) define the functional requirements for the TOE using functional requirement components drawn directly from /CC 2.3 Part2/, func- tional requirement components of /CC 2.3 Part2/ with extension as well as self-defined func- tional requirement components. This chapter considers the SFRs concerning the IC (TOE- IC) as well as the SFRs concerning the Smartcard Embedded Software (TOE-ES). Notes: The SFRs for the TOE are listed in the following chapters within tables. Thereby, the tables contain in the left column the original definition of the respective SFR and its elements, de- MICARDO V3.5 R1.0 eHC V1.0 26 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs pendencies, hierarchical information, management and audit functions. The right column supplies the iterations, selections, assignments and refinements chosen for the TOE. Operations in the SFRs already carried out within the Protection Profiles are highlighted in bold face, further operations carried out in this ST are written in bold and italic face. In general, the SFRs can be categorized as follows: cryptographic support, user data protec- tion, identification and authentication, security management, protection of the TSF, trusted paths/channels. 5.1.1.1 Security Functional Requirements for the TOE The following section gives a survey of the SFRs related to the TOE as specified in the Pro- tection Profile /PP-eHC/, chap. 5.1. The SFRs of the Protection Profile have been supple- mented appropriately. For the TOE´s dedicated eHC Application, the TOE maintains the SFP_access_rules as de- fined in /PP-eHC/, chap. 4.1.1. FCS Cryptographic Support FCS_CKM Cryptographic Key Management FCS_CKM.1 Cryptographic Key Generation PP eHC FCS_CKM.1.1 The TSF shall generate cryptographic keys in accor- dance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [as- signment: cryptographic key sizes] that meet the following: [assignment: list of standards]. Hierarchical to: No other components Dependencies: - [FCS_CKM.2 Cryptographic key distribution or FCS_COP.1 Cryptographic operation] - FCS_CKM.4 Cryptographic key destruction - FMT_MSA.2 Secure security attributes Management: a) the management of changes to cryptographic key attributes. Examples of key attributes include user, key type (e.g. public, private, secret), validity period, and use (e.g. digital signature, key encryption, key agreement, data encryption) FCS_CKM.1/SM FCS_CKM.1.1/SM The TSF shall generate cryptographic keys in accor- dance with a specified cryptographic key generation algorithm [card-to-card authentication with secure messaging] and specified cryptographic key sizes [192bit (resp 168 bit, if parity bits are used)] that meet the following: [ - /eHC1/ (7.2) ]. MICARDO V3.5 R1.0 eHC V1.0 27 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Audit: a) Minimal: Success and failure of the activity b) Basic: The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys) FCS_CKM.1/RSA FCS_CKM.1.1/RSA The TSF shall generate cryptographic keys in accor- dance with a specified cryptographic key generation algorithm [RSA Key Generation] and specified cryp- tographic key sizes [2048 bit modulus length] that meet the following: [/ALGCAT/, chap. 1.3, 3.1, 4]. FCS_CKM.4 Cryptographic Key Destruction PP eHC FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accor- dance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards]. Hierarchical to: No other components Dependencies: - [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security at- tributes or FCS_CKM.1 Cryptographic key generation] - FMT_MSA.2 Secure security attributes Management: a) the management of changes to cryptographic key attributes. Examples of key attributes include user, key type (e.g. public, private, secret), validity period, and use (e.g. digital signature, key encryption, key agreement, data encryption) Audit: a) Minimal: Success and failure of the activity b) Basic: The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys) FCS_CKM.4 FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accor- dance with a specified cryptographic key destruction method [erasure of a 3TDES session key] that meets the following: [physical erasure of the key]. Application Note The TOE shall destroy the Triple-DES encryption ses- sion key and the Retail-MAC message authentication session keys for secure messaging after reset or ter- mination of secure messaging session or reaching fail secure state according to FPT_FLS.1. FCS_COP Cryptographic Operation FCS_COP.1 Cryptographic Operation PP eHC MICARDO V3.5 R1.0 eHC V1.0 28 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FCS_COP.1.1 The TSF shall perform [assignment: list of crypto- graphic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [as- signment: list of standards]. Hierarchical to: No other components Dependencies: - [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security at- tributes or FCS_CKM.1 Cryptographic key generation] - FCS_CKM.4 Cryptographic key destruction - FMT_MSA.2 Secure security attributes Management: --- Audit: a) Minimal: Success and failure, and the type of cryp- tographic operation b) Basic: Any applicable cryptographic mode(s) of operation, subject attributes and object attributes FCS_COP.1/CSA FCS_COP.1.1/CSA The TSF shall perform [digital signature-creation] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key sizes [of 2048 bit modulus length] that meet the following: [ /PKCS1/ ]. FCS_COP.1/CCA_SIGN FCS_COP.1.1/CCA_SIGN The TSF shall perform [digital signature-creation] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key sizes [of 2048 bit modulus length] that meet the following: [ - /ISO 9796-2/(DS scheme 1) ]. FCS_COP.1/ASYM_DEC FCS_COP.1.1/ ASYM_DEC The TSF shall perform [decryption] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key sizes [of 2048 bit modulus length] that meet the following: [ - /PKCS1/ ]. FCS_COP.1/CCA_VERIF FCS_COP.1.1/ CCA_VERIF The TSF shall perform [digital signature- MICARDO V3.5 R1.0 eHC V1.0 29 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs verification] in accordance with a specified crypto- graphic algorithm [RSA] and cryptographic key sizes [of 2048 bit modulus length] that meet the following: [ - /ISO 9796-2/(DS scheme 1) ]. FCS_COP.1/SYM FCS_COP.1.1/SYM The TSF shall perform [encryption and decryption] in accordance with a specified cryptographic algorithm [3DES in CBC mode] and cryptographic key sizes [168 bit] that meet the following: [ - /FIPS 46-3/ ]. FCS_COP.1/MAC FCS_COP.1.1/MAC The TSF shall perform [generation and verification of message authentication code] in accordance with a specified cryptographic algorithm [Retail MAC] and cryptographic key sizes [192 bit (resp. 168 bit if par- ity bits are used)] that meet the following: [ - /ANSI X9.19/with DES ]. FCS_COP.1/Hash FCS_COP.1.1/Hash The TSF shall perform [hashing] in accordance with the specified cryptographic algorithm [SHA-256] and cryptographic key sizes [none] that meet the follow- ing: [ - /SHA/ ]. FCS_RND Generation of Random Numbers FCS_RND.1 Quality Metric for Random Numbers PP eHC FCS_RND.1.1 The TSF shall provide a mechanism to generate ran- dom numbers that meet [assignment: a defined qual- ity metric]. Hierarchical to: No other components Dependencies: No dependencies FCS_RND.1 FCS_RND.1.1 The TSF shall provide a mechanism to generate ran- dom numbers that meet [deterministic RNG of qual- ity class K4]. MICARDO V3.5 R1.0 eHC V1.0 30 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Management: --- Audit: --- FDP User Data Protection FDP_ACC Access Control Policy FDP_ACC.2 Complete Access Control PP eHC FDP_ACC.2.1 The TSF shall enforce the [assignment: access con- trol SFP] on [assignment: list of subjects and objects] and all operations among subjects and objects cov- ered by the SFP. FDP_ACC.2.2 The TSF shall ensure that all operations between any subject in the TSC and any object within the TSC are covered by an access control SFP. Hierarchical to: FDP_ACC.1 Dependencies: - FDP_ACF.1 Security attribute based access control Management: --- Audit: --- FDP_ACC.2 FDP_ACC.2.1 The TSF shall enforce the [SFP_access_rules] on [all subjects and objects defined by SFP_access_rules] and all operations among sub- jects and objects covered by the SFP. FDP_ACC.2.2 The TSF shall ensure that all operations between any subject in the TSC and any object within the TSC are covered by an access control SFP. FDP_ACF Access Control Functions FDP_ACF.1 Security Attribute Based Access Control PP eHC FDP_ACF.1.1 The TSF shall enforce the [assignment: access con- trol SFP] to objects based on the following: [assign- ment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant secu- rity attributes, or named groups of SFP-relevant se- curity attributes]. FDP_ACF.1 FDP_ACF.1.1 The TSF shall enforce the [SFP_access_rules] to objects based on the following: [all subjects and objects together with their respective security attributes as defined in SFP_access_rules]. MICARDO V3.5 R1.0 eHC V1.0 31 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FDP_ACF.1.2 The TSF shall enforce the following rules to deter- mine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules gov- erning access among controlled subjects and con- trolled objects using controlled operations on con- trolled objects]. FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of sub- jects to objects]. Hierarchical to: No other components Dependencies: - FDP_ACC.1 Subset access control - FMT_MSA.3 Static attribute initialisation Management: a) Managing the attributes used to make explicit ac- cess or denial based decisions Audit: a) Minimal: Successful requests to perform an opera- tion on an object covered by the SFP b) Basic: All requests to perform an operation on an object covered by the SFP c) Detailed: The specific security attributes used in making an access check FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and con- trolled objects is allowed: [rules for all access meth- ods and the access rules defined in SFP_access_rules]. FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [rules for all access methods and the access rules defined in SFP_access_rules]. FDP_RIP Residual Information Protection FDP_RIP.1 Subset Residual Information Protection PP eHC FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: [assign- ment: list of objects]. Hierarchical to: No other components Dependencies: No dependencies FDP_RIP.1 FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [deallocation of the resource from] the following objects: [security relevant material (as secret and private cryptographic keys, PINs, PUCs, data in all files which are not freely accessible, ...)]. MICARDO V3.5 R1.0 eHC V1.0 32 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Management: a) The choice of when to perform residual information protection (i.e. upon allocation or deallocation) could be made configurable within the TOE Audit: --- FDP_SDI Stored Data Integrity FDP_SDI.2 Stored Data Integrity Monitoring and Action PP eHC FDP_SDI.2.1 The TSF shall monitor user data stored within the TSC for [assignment: integrity errors] on all objects, based on the following attributes: [assignment: user data attributes]. FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [assignment: action to be taken]. Hierarchical to: FDP_SDI.1 Dependencies: No dependencies Management: a) The actions to be taken upon the detection of an integrity error could be configurable Audit: a) Minimal: Successful attempts to check the integrity of user data, including an indication of the results of the check b) Basic: All attempts to check the integrity of user data, including an indication of the results of the check, if performed c) Detailed: The type of integrity error that occurred d) Detailed: The action taken upon detection of an integrity error FDP_SDI.2/Int-PersData FDP_SDI.2.1/Int-PersData The TSF shall monitor user data and specific TSF data stored within the TSC for [integrity errors] on all objects, based on the following attributes: [checksum secured persistently stored data]. Application Note The following data persistently stored by the TOE have the attribute „checksum secured persistently stored data“: - User / application data (e.g. in files on the card) - Keys (incl. attributes) - PINs / PUCs (incl. attributes) - File and object management information (as e.g. access rules, object life cycle states) - Card life cycle status information Refinement The check for integrity errors shall be done before usage resp. processing of the data. The checksum securing shall concern the data objects as well as the data values themselves. FDP_SDI.2.2/Int-PersData Upon detection of a data integrity error, the TSF shall [ - prohibit the use of the altered data - inform the connected entity about integrity error ]. FDP_SDI.2/Int-TempData FDP_SDI.2.1/Int-TempData The TSF shall monitor user data and specific TSF data stored within the TSC for [integrity errors] on all objects, based on the following attributes: [checksum secured temporarily stored data]. Application Note MICARDO V3.5 R1.0 eHC V1.0 33 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The following data temporarily stored by the TOE have the attribute „checksum secured temporarily stored data“: - User / application data (as hash values, ...) - Keys (incl. attributes) - Card Context including different Channel Contexts (actual Security Environment, status information as the actual security status for Key and PIN based authentication, information on the availabil- ity of session keys, ...) - Input data for electronic signatures Refinement The check for integrity errors shall be done before usage resp. processing of the data. The checksum securing shall concern the data objects as well as the data values themselves. FDP_SDI.2.2/Int-TempData Upon detection of a data integrity error, the TSF shall [ - prohibit the use of the altered data - inform the connected entity about integrity error ]. FDP_UCT Inter-TSF User Data Confidentiality Transfer Pro- tection FDP_UCT.1 Basic Data Exchange Integrity PP eHC FDP_UCT.1.1 The TSF shall enforce the [assignment: access con- trol SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] objects in a manner protected from unauthorised disclosure. Hierarchical to: No other components Dependencies: - [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path] - [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] Management: --- Audit: a) Minimal: The identity of any user or subject using the data exchange mechanisms b) Basic: The identity of any unauthorised user or FDP_UCT.1 FDP_UCT.1.1 The TSF shall enforce the [SFP_access_rules] to be able to [transmit and receive] objects in a manner protected from unauthorised disclosure. MICARDO V3.5 R1.0 eHC V1.0 34 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs subject attempting to use the data exchange mecha- nisms c) Basic: A reference to the names or other indexing information useful in identifying the user data that was transmitted or received. This could include secu- rity attributes associated with the information FDP_UIT Inter-TSF User Data Integrity Transfer Protection FDP_UIT.1 Data Exchange Integrity PP eHC FDP_UIT.1.1 The TSF shall enforce the [assignment: access con- trol SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from [selection: modification, dele- tion, insertion, replay] errors. FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether [selection: modification, deletion, inser- tion, replay] has occurred. Hierarchical to: No other components Dependencies: - [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control] - [FTP_ITC.1 Inter-TSF trusted channel or FTP_TRP.1 Trusted path] Management: --- Audit: a) Minimal: The identity of any user or subject using the data exchange mechanisms b) Basic: The identity of any user or subject attempt- ing to use the user data exchange mechanisms, but who is unauthorised to do so c) Basic: A reference to the names or other indexing information useful in identifying the user data that was transmitted or received; this could include security attributes associated with the user data d) Basic: Any identified attempts to block transmis- sion of user data e) Detailed: The types and/or effects of any detected modifications of transmitted user data FDP UIT.1 FDP_UIT.1.1 The TSF shall enforce the [SFP_access_rules] to be able to [transmit and receive] user data in a manner protected from [modification, deletion, insertion and replay] errors. FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether [modification, deletion, insertion and replay] has occurred. MICARDO V3.5 R1.0 eHC V1.0 35 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FIA Identification and Authentication FIA_AFL Authentication Failures FIA_AFL.1 Authentication Failure Handling PP eHC FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], “an administrator configur- able positive integer within [assignment: range of acceptable values]“] unsuccessful authentication attempts occur related to [assignment: list of authen- tication events]. FIA_AFL.1.2 When the defined number of unsuccessful authenti- cation attempts has been met or surpassed, the TSF shall [assignment: list of actions]. Hierarchical to: No other components Dependencies: - FIA_UAU.1 Timing of authentication Management: a) management of the threshold for unsuccessful authentication attempts b) management of actions to be taken in the event of an authentication failure Audit: a) Minimal: the reaching of the threshold for the un- successful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subse- quent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal) FIA_AFL.1/PIN FIA_AFL.1.1/PIN The TSF shall detect when [3] unsuccessful authenti- cation attempts occur related to [consecutive failed human user authentication for the health care application]. FIA_AFL.1.2/PIN When the defined number of unsuccessful authentica- tion attempts has been met or surpassed, the TSF shall [ - block the PIN for authentication until suc- cessful unblock with resetting code ]. FIA_AFL.1/PUC FIA_AFL.1.1/PUC The TSF shall detect when [10] successful or unsuc- cessful authentication attempts occur related to [us- age of the eHC-PIN unblocking code]. FIA_AFL.1.2/PUC When the defined number of successful or unsuc- cessful authentication attempts has been met or sur- passed, the TSF shall [ - warn the entity connected - not unblock the referenced blocked PIN - block the PUC resp. the verification mechanism for this PUC such that any subsequent authentication attempt with MICARDO V3.5 R1.0 eHC V1.0 36 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs this PUC will fail and an unblocking of all blocked PINs related to this PUC is no longer possible - be able to indicate to subsequent users the reason for the blocking of the PUC ]. FIA_ATD User Attribute Definition FIA_ATD.1 User Attribute Definition PP eHC FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes]. Hierarchical to: No other components Dependencies: No dependencies Management: a) if so indicated in the assignment, the authorised administrator might be able to define additional secu- rity attributes for users Audit: --- FIA_ATD.1 FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [identity and role]. FIA_UAU User Authentication FIA_UAU.1 Timing of Authentication PP eHC FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF medi- ated actions] on behalf of the user to be performed before the user is authenticated. FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF- medi- ated actions on behalf of that user. Hierarchical to: No other components Dependencies: - FIA_UID.1 Timing of identification Management: a) management of the authentication data by an ad- FIA_UAU.1 FIA_UAU.1.1 The TSF shall allow [reading the ATR, reading the Card Verifiable Authentication Certificate, reading the Certificate Service Provider self-signed Cer- tificate, Identification by providing the users eHC- PIN, identification by providing the users certifi- cate, execution of commands allowed without preceding successful authentication due to the access rules set] on behalf of the user to be per- formed before the user is authenticated. FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF- medi- ated actions on behalf of that user. MICARDO V3.5 R1.0 eHC V1.0 37 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs ministrator b) management of the authentication data by the associated user c) managing the list of actions that can be taken be- fore the user is authenticated Audit: a) Minimal: Unsuccessful use of the authentication mechanism b) Basic: All use of the authentication mechanism c) Detailed: All TSF mediated actions performed be- fore authentication of the user FIA_UAU.4 Single-use Authentication Mechanisms PP eHC FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)]. Hierarchical to: No other components Dependencies: No dependencies Management: --- Audit: a) Minimal: Attempts to reuse authentication data FIA_UAU.4 FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to [Card-to-Card Authentication Mecha- nism]. FIA_UID User Identification FIA_UID.1 Timing of Identification PP eHC FIA_UID.1.1 The TSF shall allow [assignment: list of TSF- mediated actions] on behalf of the user to be per- formed before the user is identified. FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. Hierarchical to: No other components Dependencies: No dependencies Management: a) the management of the user identities FIA_UID.1 FIA_UID.1.1 The TSF shall allow [reading the ATR, reading the Card Verifiable Authentication Certificate, reading the Certificate Service Provider Certificate, execu- tion of commands allowed without preceding suc- cessful authentication due to the access rules set] on behalf of the user to be performed before the user is identified. FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. MICARDO V3.5 R1.0 eHC V1.0 38 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs b) if an authorised administrator can change the ac- tions allowed before identification, the managing of the action lists Audit: a) Minimal: Unsuccessful use of the user identifica- tion mechanism, including the user identity provided b) Basic: All use of the user identification mechanism, including the user identity provided FMT Security Management FMT_LIM Limited capabilities and availability FMT_LIM.1 Limited capabilities PP eHC FMT_LIM.1.1 The TSF shall be designed in a manner that limits their capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced [assignment: Limited capability and avail- ability policy]. Hierarchical to: No other components Dependencies: - FMT_LIM.2 Limited availability Management: --- Audit: --- FMT_LIM.1 FMT_LIM.1.1 The TSF shall be designed in a manner that limits their capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is en- forced [Deploying Test Features after TOE Delivery does not allow User Data to be disclosed or ma- nipulated, TSF data to be disclosed or manipu- lated, software to be reconstructed and no sub- stantial information about construction of TSF to be gathered which may enable other attacks]. FMT_LIM.2 Limited availability PP eHC FMT_LIM.2.1 The TSF shall be designed in a manner that limits their availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is en- forced [assignment: Limited capability and availability policy]. Hierarchical to: No other components Dependencies: - FMT_LIM.1 Limited capability FMT_LIM.2 FMT_LIM.2.1 The TSF shall be designed in a manner that limits their availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is en- forced [Deploying Test Features after TOE Delivery does not allow User Data to be disclosed or ma- nipulated, TSF data to be disclosed or manipu- lated, software to be reconstructed and no sub- stantial information about construction of TSF to be gathered which may enable other attacks]. MICARDO V3.5 R1.0 eHC V1.0 39 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Management: --- Audit: --- FMT_MTD Management of TSF Data FMT_MTD.1 Management of TSF Data PP eHC FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [as- signment: other operations]] the [assignment: list of TSF data] to [assignment: the authorised identified roles]. Hierarchical to: No other components Dependencies: - FMT_SMF.1 Specification of management func- tions - FMT_SMR.1 Security roles Management: a) managing the group of roles that can interact with the TSF data Audit: a) Basic: All modifications to the values of TSF data FMT_MTD.1/Ini FMT_MTD.1.1/Ini The TSF shall restrict the ability to [write] the [initiali- sation data] to [the TOE Manufacturer]. FMT_MTD.1/Pers FMT_MTD.1.1/Pers The TSF shall restrict the ability to [write] the [per- sonalisation data] to [the Personalisation Service Provider]. FMT_MTD.1/CMS FMT_MTD.1.1/CMS The TSF shall restrict the ability to [write] the [file structures for additional applications, crypto- graphic keys for additional applications, PINs and other user authentication reference data for addi- tional applications, access rights for additional applications] to [the Download Service Provider]. FMT_MTD.1/PIN FMT_MTD.1.1/PIN The TSF shall restrict the ability to [modify, unblock] the [PIN] to [the Card Holder]. MICARDO V3.5 R1.0 eHC V1.0 40 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FMT_MTD.1/KEY_MOD FMT_MTD.1.1/KEY_MOD The TSF shall restrict the ability to [modify] the [pub- lic key for CV certification verification] to [none]. FMT_SMF Specification of Management Functions FMT_SMF.1 Specification of Management Functions PP eHC FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [assignment: list of security management functions to be provided by the TSF]. Hierarchical to: No other components Dependencies: No dependencies Management: --- Audit: a) Minimal: Use of the management functions. FMT_SMF.1 FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [initialisation, per- sonalisation, service card management, modifica- tion of the PIN]. FMT_SMR Security Management Roles FMT_SMR.1 Security Roles PP eHC FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorised identified roles]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. Hierarchical to: No other components Dependencies: - FIA_UID.1 Timing of identification Management: a) managing the group of users that are part of a role Audit: a) Minimal: modifications to the group of users that are part of a role b) Detailed: every use of the rights of a role FMT_SMR.1 FMT_SMR.1.1 The TSF shall maintain the roles [Health Profes- sional, Medical Assistant, Security Module Card (health care), Self Service Terminal, Health Insur- ance Agency Service Provider, Combined Ser- vices Provider, Card Holder, Download Service Provider, Personalisation Service Provider, TOE Manufacturer]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. MICARDO V3.5 R1.0 eHC V1.0 41 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FPT Protection of the TSF FPT_EMSEC TOE Emanation FPT_EMSEC.1 TOE Emanation PP eHC FPT_EMSEC.1.1 The TOE shall not emit [assignment: types of emis- sions] in excess of [assignment: specified limits] ena- bling access to [assignment: list of types of TSF data] and [assignment: list of types of user data]. FPT_EMSEC.1.2 The TSF shall ensure [assignment: type of users] are unable to use the following interface [assignment: type of connection] to gain access to [assignment: list of types of TSF data] and [assignment: list of types of user data]. Hierarchical to: No other components Dependencies: No dependencies Management: --- Audit: --- FPT_EMSEC.1 FPT_EMSEC.1.1 The TOE shall not emit [information on IC power consumption, information on command execution time, information on electromagnetic emanations] in excess of [non useful information] enabling ac- cess to [PIN and PUC] and [Card Authentication Private Key, Client Server Authentication Private Key, Document Cipher Key Decipher Key, secure messaging keys]. FPT_EMSEC.1.2 The TSF shall ensure [any user] are unable to use the following interface [smart card circuit contacts] to gain access to [PIN and PUC] and [Card Authen- tication Private Key, Client Server Authentication Private Key, Document Cipher Key Decipher Key, secure messaging keys]. Application Note The TOE shall prevent attacks against the listed se- cret data where the attack is based on external ob- servable physical phenomena of the TOE. Such at- tacks may be observable at the interfaces of the TOE or may origin from internal operation of the TOE or may origin by an attacker that varies the physical envi- ronment under which the TOE operates. The set of measurable physical phenomena is influenced by the technology employed to implement the smart card. The TOE has to provide a smart card interface with contacts according to ISO/IEC 7816-2 but the inte- grated circuit may have additional contacts or a con- tact less interface as well. Examples of measurable phenomena include, but are not limited to variations in the power consumption, the timing of signals and the electromagnetic radiation due to internal operations or data transmissions. FPT_FLS Fail Secure FPT_FLS.1 PP eHC MICARDO V3.5 R1.0 eHC V1.0 42 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Failure with Preservation of Secure State FPT_FLS.1.1 The TSF shall preserve a secure state when the fol- lowing types of failures occur: [assignment: list of types of failures in the TSF]. Hierarchical to: No other components Dependencies: - ADV_SPM.1 Informal TOE security policy model Management: --- Audit: a) Basic: Failure of the TSF FPT_FLS.1 FPT_FLS.1.1 The TSF shall preserve a secure state when the fol- lowing types of failures occur: [ - Exposure to operating conditions where therefore a malfunction could occur - Failure detected by TSF according to FPT_TST.1 ]. FPT_PHP Physical Protection FPT_PHP.3 Resistance to Physical Attack PP eHC FPT_PHP.3.1 The TSF shall resist [assignment: physical tampering scenarios] to the [assignment: list of TSF devices / elements] by responding automatically such that the TSP is not violated. Hierarchical to: No other components Dependencies: No dependencies Management: a) management of the automatic responses to physi- cal tampering Audit: --- FPT_PHP.3 FPT_PHP.3.1 The TSF shall resist [physical manipulation and physical probing] to the [TSF] by responding auto- matically such that the TSP is not violated. Application Note The TOE will implement appropriate measures to continuously counter physical manipulation and physi- cal probing. Due to the nature of these attacks (espe- cially manipulation) the TOE can by no means detect attacks on all of its elements. Therefore, permanent protection against these attacks is required ensuring that the TSP could not be violated at any time. Hence, “automatic response” means here (i) assuming that there might be an attack at any time and (ii) countermeasures are provided at any time. FPT_RVM Reference Mediation FPT_RVM.1 Non-Bypassability of the TSP PP eHC FPT_RVM.1.1 The TSF shall ensure that TSP enforcement func- tions are invoked and succeed before each function within the TSC is allowed to proceed. Hierarchical to: FPT_RVM.1 FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. MICARDO V3.5 R1.0 eHC V1.0 43 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs No other components Dependencies: No dependencies Management: --- Audit: --- FPT_SEP Domain Separation FPT_SEP.1 TSF Domain Separation PP eHC FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tam- pering by untrusted subjects. FPT_SEP.1.2 The TSF shall enforce separation between the secu- rity domains of subjects in the TSC. Hierarchical to: No other components Dependencies: No dependencies Management: --- Audit: --- FPT_SEP.1 FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tam- pering by untrusted subjects. FPT_SEP.1.2 The TSF shall enforce separation between the secu- rity domains of subjects in the TSC. FPT_TST TSF Self Test FPT_TST.1 TSF Testing PP eHC FPT_TST.1.1 The TSF shall run a suite of self tests [selection: dur- ing initial start-up, periodically during normal opera- tion, at the request of the authorised user, at the con- ditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF]. FPT_TST.1.2 The TSF shall provide authorised users with the ca- pability to verify the integrity of [selection: [assign- ment: parts of TSF data], TSF data]. FPT_TST.1 FPT_TST.1.1 The TSF shall run a suite of self tests [during initial start-up, periodically during normal operation] to demonstrate the correct operation of [the TSF]. Note During initial start-up means before code execution. Refinements The TOE's self tests shall include the verification of the integrity of any software code (incl. patches) MICARDO V3.5 R1.0 eHC V1.0 44 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs FPT_TST.1.3 The TSF shall provide authorised users with the ca- pability to verify the integrity of stored TSF executa- ble code. Hierarchical to: No other components Dependencies: - FPT_AMT.1 Abstract machine testing Management: a) management of the conditions under which TSF self testing occurs, such as during initial start-up, regular interval, or under specified conditions b) management of the time interval if appropriate Audit: a) Basic: Execution of the TSF self tests and the re- sults of the tests stored outside of the ROM. Upon detection of a self test error the TSF shall warn the entity connected. After OS testing is completed, all testing-specific commands and actions shall be disabled or removed. It shall not be possible to override these controls and restore them for use. Command associated exclu- sively with one life cycle state shall never be accessed during another state. FPT_TST.1.2 The TSF shall provide authorised users with the ca- pability to verify the integrity of [TSF data]. Refinement In this framework, the OS (i.e. the Smartcard Embed- ded Software of the TOE (TOE-ES)) itself is under- stood as „authorised user“. FPT_TST.1.3 The TSF shall provide authorised users with the ca- pability to verify the integrity of stored TSF executable code. Refinement The integrity check over the executable code stored outside the ROM area is covered by FPT_TST.1.1 and the related refinement. The requirement for checking the integrity of the ROM-code shall concern only the production phase, more precise the initialisation phase of the TOE´s life- cycle. Prior to the initialisation of the TOE, the ROM- code of the TOE shall be verifiable by authorised us- ers as the OS developer. The integrity of the ROM- code shall be provable only during the initialisation process. FTP Trusted Path/Channels FTP_ITC Inter-TSF Trusted Channel FTP_ITC.1 Inter-TSF Trusted Channel PP eHC .1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.2 FTP_ITC.1 FTP_ITC.1.1 The TSF shall provide a communication channel be- tween itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. MICARDO V3.5 R1.0 eHC V1.0 45 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The TSF shall permit [selection: the TSF, the remote trusted IT product] to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: list of functions for which a trusted channel is required]. Hierarchical to: No other components Dependencies: No dependencies Management: a) Configuring the actions that require trusted chan- nel, if supported Audit: a) Minimal: Failure of the trusted channel functions b) Minimal: Identification of the initiator and target of failed trusted channel functions c) Basic: All attempted uses of the trusted channel functions d) Basic: Identification of the initiator and target of all trusted channel functions FTP_ITC.1.2 The TSF shall permit [the remote trusted IT product] to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [all functions requiring a trusted chan- nel as defined by SFP_access_rules]. 5.1.2 SOF Claim for TOE Security Functional Requirements The required level for the Strength of Function of the TOE security functional requirements listed in the preceding chap. 5.1.1 is “SOF-high”. This correlates to the claimed assurance level with its augmentation by the assurance component AVA_VLA.4 (refer to the following chap. 5.1.3). 5.1.3 TOE Security Assurance Requirements The TOE security assurance level is fixed as EAL4 augmented by ADV_IMP.2, ATE_DPT.2, AVA_MSU.3 and AVA_VLA.4. The assurance level with its augmentations is chosen in view of the requirements in the Pro- tection Profiles /PP-eHC/ The following table lists the security assurance requirements (SARs) for the TOE: SAR MICARDO V3.5 R1.0 eHC V1.0 46 / 73 ST-Lite 4BIT Security Requirements 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs ACM_AUT.1 Partial CM Automation ACM_CAP.4 Generation Support and Acceptance Procedures Class ACM Configuration Management ACM_SCP.2 Problem Tracking CM Coverage ADO_DEL.2 Detection of Modification Class ADO Delivery and Operation ADO_IGS.1 Installation, Generation, and Start-up Procedures ADV_FSP.2 Fully Defined External Interfaces ADV_HLD.2 Security Enforcing High-Level Design ADV_IMP.2 Implementation of the TSF ADV_LLD.1 Descriptive Low-Level Design ADV_RCR.1 Informal Correspondence Demonstration Class ADV Development ADV_SPM.1 Informal TOE Security Policy Model AGD_ADM.1 Administrator Guidance Class AGD Guidance Documents AGD_USR.1 User Guidance ALC_DVS.1 Identification of Security Measures ALC_LCD.1 Developer Defined Life-Cycle Model Class ALC Life Cycle Support ALC_TAT.1 Well-defined Development Tools ATE_COV.2 Analysis of Coverage ATE_DPT.2 Testing: Low-Level Design Class ATE Tests ATE_FUN.1 Functional Testing MICARDO V3.5 R1.0 eHC V1.0 47 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs ATE_IND.2 Independent Testing – Sample AVA_MSU.3 Analysis and Testing for Insecure States AVA_SOF.1 Strength of TOE Security Function Evaluation Class AVA Vulnerability Assessment AVA_VLA.4 Highly Resistant 5.1.4 Refinements of the TOE Security Assurance Requirements All assurance components given in the table of chap. 5.1.3 are used as defined in /CC 2.3 Part3/ and /CEM 2.3 Part2/. 6 TOE Summary Specification 6.1 TOE Security Functions 6.1.1 TOE Security Functions / TOE-IC For the definition of the TOE Security Functions (TSF) related to the TOE-IC refer to the Se- curity Targets /ST-IC/, chap. 6.1 and /eHC2/, chap. 6.1. The TSFs defined for the TOE-IC cover the following functions which are relevant for the TOE: F.RNG, F.HW_DES, F.OPC, F.PHY, F.LOG, F.COMP, F.MEM_ACC, F.SFR_ACC, F.DES, F.RSA_encrypt, F.RSA_sign, F.RSA_public, F.RSA_KeyGen, F.SHA, F.RNG_- Access, F.Object_Reuse, F.COPY. 6.1.2 TOE Security Functions / TOE-ES The following section gives a survey of the TSFs of the TOE´s Smartcard Embedded Soft- ware. TOE Security Functions / TOE-ES Access Control F.ACS_SFP Security Attribute Based Access Control The TSF enforces the SFPs SFP_access_rules as defined in chap. 5. MICARDO V3.5 R1.0 eHC V1.0 48 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The TSF controls the access to data stored in the TOE and to functionality provided by the TOE. The access control is realised by usage of access rules as security attributes. Access to a DF, an EF, a key, a PIN or other user data is only possible if the related access rule is fulfilled. In particular, the TSF checks prior to command execution if the command spe- cific requirements concerning user authentication and secure communication are satis- fied. Identification and Authentication F.IA_AKEY Key Based User / TOE Authentication Based on Asymmetric Cryptography The TSF provides the functionality of a key based external and internal authentication on the base of asymmetric cryptography. By an external authentication, users of the TOE can be authenticated with regard to the TOE. Vice versa, by an internal authentication, the TOE itself can be authenticated with regard to the external world. Both authentication mechanisms base on a challenge- response procedure using random numbers. The TSF enforces the following different internal and external authentication mecha- nisms: - Internal authentication without session key agreement according to /PKCS1/, /eHC1/, chap. 7 and 15 - External authentication without session key agreement according to /PKCS1/, /eHC1/, chap. 7 and 15 - Internal authentication including one step of session key and send sequence counter agreement according to /PKCS1/, /eHC1/, chap. 7 and 15 - External authentication including one step of session key and send sequence counter agreement according to /PKCS1/, chap. 7 and 15 - Internal authentication according to /eHC1/, chap. 7 and 15 Note: Each external authentication process requires a preceding Get Challenge – opera- tion. The private and public keys necessary on the card´s side for authentication purposes are either generated on-card (with support by the TSF F.RSA_KEYGEN) or imported during the initialisation, personalisation or end-usage phase of the TOE. In particular, the import of public keys can be performed in the form of CV certificates what is connected with the verification of the respective CV certificate under usage of the TSF F.VER_DIGSIG. In each case, the keys involved on the card´s side in the authentication processes have to be explicitly referenced prior to their usage. The access to the keys necessary for the authentication processes is controlled by the specific SFP which is defined for the respective application using the authentication keys. The execution of the specific SFP is task of the TSF F.ACS_SFP for access control. In the case of a successful external authentication attempt the TSF sets a corresponding actual security state for key based user authentication. The TSF makes use of asymmetric cryptography with generation and verification of RSA digital signatures resp. RSA encryption and decryption and is therefore directly connected with the TSF F.CRYPTO. MICARDO V3.5 R1.0 eHC V1.0 49 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Depending on the type of authentication mechanism, the combination of a successful internal and external authentication process can include the generation of session keys (incl. send sequence counter). Depending on the type of authentication mechanism, the TSF stores the generated session keys volatile and on demand as well persistently on the card. The generated keys can be used for securing the following data exchange between the TOE and the external world (in the current or a later session) with the objective of data confidentiality and data integrity and authenticity (Secure Messaging). In addition, as well depending on the type of authentication mechanism, the generated keys can be used further on for authentication processes based on symmetric cryptography. F.IA_SKEY Key Based User / TOE Authentication Based on Symmetric Cryptography The TSF provides the functionality of a key based external and internal authentication on the base of symmetric cryptography. By an external authentication, users of the TOE can be authenticated with regard to the TOE. Vice versa, by an internal authentication, the TOE itself can be authenticated with regard to the external world. Both authentication mechanisms base on a challenge- response procedure using random numbers. The TSF enforces the following different internal and external authentication mecha- nisms: - Internal authentication with / without individual key derivation and without session key generation according to /eHC1/, chap. 7 and 15, /PKCS1/ - External authentication with / without individual key derivation and without session key generation according to /eHC1/, chap. 7 and 15, /PKCS1/ - Mutual authentication with / without individual key derivation and without session key generation according /eHC1/, chap. 7 and 15, /PKCS1/ - Internal authentication with / without individual key derivation and including the first step of session key and send sequence counter generation according to /eHC1/, chap. 7 and 15, /ANSI X9.63/, /PKCS1/ - External authentication with / without individual key derivation and including the last step of session key and send sequence counter generation according to /eHC1/, chap. 7 and 15, /ANSI X9.63/, /PKCS1/ - Mutual authentication with / without individual key derivation and including session key and send sequence counter generation according to /eHC1/, chap. 7 and 15, /ANSI X9.63/, /PKCS1/ Note: Each external authentication process requires a preceding Get Challenge – opera- tion. The symmetric keys necessary on the card´s side for the authentication mechanisms can either be generated on-card by a derivation process for deriving individual keys before the main authentication process starts. This key derivation process is performed by the TSF F.CRYPTO. Alternatively, symmetric keys imported during the initialisation, personalisa- tion or end-usage phase of the TOE or agreed within a preceding authentication process can be used. The access to the keys necessary for the authentication processes is controlled by the specific SFP which is defined for the respective application using the authentication keys. The execution of the specific SFP is task of the TSF F.ACS_SFP for access control. In the case of a successful external authentication attempt the TSF sets a corresponding actual security state for key based user authentication. MICARDO V3.5 R1.0 eHC V1.0 50 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The TSF makes use of symmetric cryptography with DES based encryption, decryption, MAC generation resp. MAC verification. Hence, the TSF F.IA_SKEY is directly connected with the TSF F.CRYPTO. Depending on the type of authentication mechanism, the combination of a successful internal and external authentication process can include the generation of session keys (incl. send sequence counter). Depending on the type of authentication mechanism, the TSF stores the generated session keys volatile and on demand as well persistently on the card. The generated keys can be used for securing the following data exchange between the TOE and the external world (in the current or a later session) with the objective of data confidentiality and data integrity and authenticity (Secure Messaging). In addition, as well depending on the type of authentication mechanism, the generated keys can be used further on for authentication processes based on symmetric cryptography. F.IA_PWD Password Based User Authentication Users of the TOE can be authenticated (towards the TOE) by means of a card holder authentication process. For the card holder authentication process, the TSF compares the card holder verification information, here a password (PIN), provided by a subject with a corresponding secret reference value stored permanently on the card. The TSF uses for the authentication process the password referenced by the external world. The access to the relevant password resp. its reference value is controlled by the specific SFP which is defined for the respective application using the password. The execution of the specific SFP is task of the TSF F.ACS_SFP for access control. The card holder authentication process can be performed by usage of the command Ver- ify or Change Reference Data (whereat the latter command makes a password change possible). Each password used for authentication purposes is connected with an own error usage counter and an own usage counter. Furthermore, each password is connected with an own resetting code (PUK) whereat the resetting code itself is connected with an own us- age counter (but no error usage counter). The number of applications of a password for authentication purposes with the command Verify is limited by its usage counter. The TSF allows at maximum for a number of au- thentication attempts with a password as restricted by its usage counter. The value for the usage counter can be predefined as infinite, i.e. the password can be used without any limit. A password with an expired usage counter cannot be longer used for authentication purposes with the command Verify (but with the command Change Reference Data). In the case of a password with a finite usage counter, each authentication attempt with the command Verify decrements the usage counter of the password, independently whether the authentication attempt succeeds or fails. A successful authentication attempt with the command Change Reference Data re-initialises the usage counter to its prede- fined initial value. The TSF detects for a password when a predefined number of consecutive unsuccessful authentication attempts occurs related to the card holder authentication process. Each consecutive unsuccessful comparison of the presented password with the reference value stored on the card is recorded by the TSF in order to limit the number of further authentication attempts with this password. In the case of a successful authentication attempt a corresponding actual security state for the password is set and the error usage counter of the password is re-initialised to its predefined initial value. MICARDO V3.5 R1.0 eHC V1.0 51 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs If an authentication attempt with the password fails, the corresponding actual security state is reset and the error usage counter of the password is decreased. When the de- fined maximum number of unsuccessful authentication attempts has been met or sur- passed, the TSF blocks the corresponding password for any further authentication at- tempt. A password with an expired error usage counter can be unblocked by usage of the re- lated resetting code, provided that the usage counters of the password and of the reset- ting code are not expired. Otherwise, there is no way to unblock the password so that this password is invalid for each further authentication attempt. The unblocking of a blocked password can be performed by usage of the command Re- set Retry Counter only. In the case of a successful authentication attempt with the reset- ting code related to the blocked password, the expired error usage counter is re-initialised to its initial value (as well as for the usage counter of the password) and hence, the password can be used further on for authentication attempts. The number of applications of a resetting code for authentication purposes is limited by its usage counter. The TSF allows at maximum for a number of authentication attempts with the resetting code as restricted by its usage counter. Each unblocking attempt with the command Reset Retry Counter decrements the usage counter of the resetting code, in- dependently whether the authentication attempt with the resetting code succeeds or fails. The unblocking process for a blocked password can be combined with a change of this password. However, even if the command Reset Retry Counter resp. the authentication with the resetting code succeeds, the actual security state for the password will not be set. For security reasons, a password shall be connected with an error usage counter with a sufficiently small value as initial value. Furthermore, the usage of the related resetting code itself shall be limited by an usage counter with a sufficiently small initial value. In general, a security state set due to a successful authentication attempt can be valid for several following TOE commands. However, as well, it is possible to restrict the validity of such an authentication state to one single following TOE command, i.e. after the next command has accessed this security state it will be reset by the TSF. The TSF does not check the quality of passwords or resetting codes used. The sufficient quality of passwords and resetting codes lies in the responsibility of the external world only. The transfer of passwords and resetting codes to the TOE can be executed in unsecured mode, i.e. without usage of Secure Messaging, or alternatively in secured mode, i.e. with usage of Secure Messaging. In the latter case, the TSFs F.EX_CONF and F.EX_INT are involved. For the TOE´s eHC Application, the concrete usage of PIN and PUK, in particular the definition of error usage counters and usage counters and their initial values, the (mini- mal) lengths of PIN and PUK and the access to the commands Verify, Change Reference Data and Reset Retry Counter is regulated by the specification /eHC2/. Integrity of Stored Data F.DATA_INT Stored Data Integrity Monitoring and Action The TSF monitors data stored within the TOE for integrity errors. This concerns all - DFs MICARDO V3.5 R1.0 eHC V1.0 52 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs - EFs - Passwords incl. related attributes - Cryptographic keys incl. related attributes - Security critical data stored within the card and channel context (session keys incl. attributes, status information as actual security states for key and password based authentication, hash values, further security relevant card and channel information) The monitoring is based on the following attributes: - Checksum (CRC) attached to the header of a file - Checksum (CRC) attached to the data body of a file - Checksums (CRC) attached to each secret (password, cryptographic key) and its related attributes stored in the EEPROM - Checksums (CRC) attached to card and channel context related security critical in- formation Each access of the TOE to a DF, to an EF, to a secret (password or cryptographic key incl. its related attributes) or to security critical card resp. channel context data the TSF is secured with an integrity check on base of the mentioned attributes. Upon detection of a data integrity error, the TSF informs the user about this fault (output of a warning). If the checksum of the header of a file has been detected as corrupted, the data con- tained in the affected file are no longer accessible. If the data contained in a file are not of integrity, the affected data will be treated in the following way: - For the Read access, the affected data will be exported, but the data export will be connected with a warning. - For the Update access, the integrity error of the affected data will be ignored, and the data imported by the command will be stored and a new checksum will be computed. - For all remaining access modes, the affected data will not be used for data proc- essing. If a secret (password, cryptographic key) and its related attributes are corrupted, the se- cret and its related data will not be processed. If security critical card or channel context data are not of integrity, the Smartcard Embed- ded Software immediately jumps into an endless-loop (re-activation by reset possible). Data Exchange F.EX_CONF Confidentiality of Data Exchange The TSF provides the capability to ensure that secret data which is exchanged between the TOE and the external world remains confidential during transmission. For this pur- pose, encryption based on symmetric cryptography is applied to the secret data. The TSF ensures that the user and the user data's access condition have indicated confi- dentiality for the data exchange. Securing the data transfer with regard to data confidentiality is done by Secure Messag- ing according to the standard ISO/IEC 7816-4. MICARDO V3.5 R1.0 eHC V1.0 53 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The cryptographic key used for securing the data transfer is either a symmetric session or static key. In case of a session key, the key is negotiated during a preceding mutual au- thentication process (based on a random challenge and response procedure) between the TOE and the external world (realised by the TSFs F.IA_SKEY, F.IA_AKEY, F.CRYPTO). For encryption and decryption, the TSF makes use of the TSF F.CRYPTO for DES func- tionality. F.EX_INT Integrity and Authenticity of Data Exchange The TSF provides the capability to ensure that data which is exchanged between the TOE and the external world remains integer and authentic during transmission. For this purpose, cryptographic checksums based on symmetric cryptography are applied to the data. The TSF ensures that the user and the user data's access condition have indicated integ- rity and authenticity for the data exchange. Securing the data transfer with regard to data integrity and authenticity is done by Secure Messaging according to the standard /ISO 7816-4/. The cryptographic key used for securing the data transfer is either a symmetric session or static key. In case of a session key, the key is negotiated during a preceding mutual au- thentication process (based on a random challenge and response procedure) between the TOE and the external world (realised by the TSFs F.IA_SKEY, F.IA_AKEY, F.CRYPTO). For checksum securing and verification, the TSF makes use of the TSF F.CRYPTO for DES functionality. Object Reuse F.RIP Residual Information Protection The TSF ensures that any previous information content of a resource is explicitly erased upon the deallocation of the resource used for any of the following components: - All volatile and non-volatile memory areas used for operations in which security relevant material (as e.g. cryptographic data, passwords or other security critical data) is involved. Explicit erasure is defined as physical erasure. The TSF is supported by the TSF F.Object_Reuse of the underlying IC and its Dedicated Support Software. Protection F.FAIL_PROT Hardware and Software Failure Protection The TSF preserves a secure operation state of the TOE when the following types of fail- ures and attacks occur: - HW and/or SW induced reset - Power supply cut-off MICARDO V3.5 R1.0 eHC V1.0 54 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs - Power supply variations - Unexpected abortion of the execution of the TSF due to external or internal events (in particular, break of a transaction before completion) - System breakdown - Internal HW and/or SW failure - Manipulation of executable code - Corruption of status information (as e.g. card status information, object life cycle state, actual security state related to key and password based authentication, ...) - Environmental stress - Input of inconsistent or improper data - Tampering - Manipulation resp. insufficient quality of the HW-RNG The TSF makes use of HW and SW based security features and corresponding mecha- nisms to monitor and detect induced HW and SW failures and tampering attacks. In par- ticular, the TSF is supported by the IC specific TSFs F.OPC and F.PHY. Upon the detection of a failure of the above mentioned type the TSF reacts in such a way that the TSP is not violated. The TOE changes immediately to a locked state and cannot be used any longer within the actual session. Depending on the type of the detected at- tack to the underlying IC (incl. its Dedicated Software) or to the Smartcard Embedded Software code the TOE will be irreversible locked resp. can be reactivated by a reset. F.SIDE_CHAN Side Channel Analysis Control The TSF provides suitable HW and SW based mechanisms to prevent attacks by side channel analysis like Simple Power Analysis (SPA), Differential Power Analysis (DPA), Differential Fault Analysis (DFA) and Timing analysis (TA). The TSF ensures that all countermeasures available are used in such a way that they support each other. In particular, the TSF is supported by the TSF F.LOG of the underly- ing IC and its Dedicated Support Software. The TSF acts in such a manner that all security critical operations of the TOE, in particu- lar the TOE´s cryptographic operations, are suitably secured by these HW and SW coun- termeasures. The TSF guarantees that information on IC power consumption, information on command execution time and information on electromagnetic emanations do not lead to useful in- formation on processed security critical data as secret cryptographic keys or passwords. In particular, the IC contacts as Vcc, I/O and GND or the IC surface do not make it possi- ble for an attacker to gain access to security critical data as secret cryptographic keys or passwords. The TSF enforces the installation of a secure session before any cryptographic operation is started. In particular, the installation of a secure session does not only concern the core cryptographic operation itself. All preparing security relevant actions performed prior to the core cryptographic operation as e.g. the generation of session keys, the process of loading keys into the dedicated IC cryptographic modules and the data preparation as re- formatting or padding are involved as well. Furthermore, the secure session covers all security relevant actions which follow the core cryptographic operation as e.g. the post- processing of the output data. MICARDO V3.5 R1.0 eHC V1.0 55 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs F.SELFTEST Self Test The TSF covers different types of self tests whereat each self test consists of a check of a dedicated integrity attribute related to (parts of) the TOE´s code resp. data. The TSF inte- grates self tests with the following objectives: The TSF provides the capability of conducting a self test during initial start-up, i.e. after each reset, to demonstrate the correct operation of its TSFs. This self test is performed automatically by the TOE and consists of the verification of the integrity of any software code stored in the EEPROM area. Furthermore, the TSF provides authorised users - here the Smartcard Embedded Soft- ware of the TOE (TOE-ES) itself - with the capability to verify the integrity of TSF data during run-time. The self test is performed automatically by the TOE and is supported by the TSF F.DATA_INT. Additionally, the TSF provides authorised users with the capability to verify the integrity of stored TSF executable code. This concerns only the production phase, more precise the initialisation phase of the TOE (phase 5 of the product´s life cycle). Prior to the initialisa- tion of the TOE, the ROM-code of the TOE can be verified on demand by the Smartcard Embedded Software developer. The integrity of the whole EEPROM-code is checked automatically by the TOE during the storage of the initialisation file in the framework of the TOE´s initialisation. These self tests are supported by the TSF F.CRYPTO (SHA-1 hash value calculation, MAC verification). The TSF supports all other TSFs defined for the Smartcard Embedded Software (TOE- ES). Cryptographic Operations F.CRYPTO Cryptographic Support The TSF provides cryptographic support for the other TSFs using cryptographic mecha- nisms. The TSF supports: - DES/3DES algorithm according to the standard /FIPS 46-3/ resp. /ANSI X9.52/ with a key length of 168 bit (used for encryption, decryption, MAC generation and verification according to /FIPS 46-3/, /ANSI X9.52/, /ANSI X9.19/, /eHC1/, chap. 7) - RSA core algorithm according to the standard /PKCS1/ with key lengths of 2048 bit modulus lengths (used for RSA encryption, decryption, signature generation and verification, see other TSFs related to RSA based mechanisms) - Random number generation by a pseudo RNG. The generator is seeded by the hardware random number generator (see /UG-CL/, /UG-CL-RND/) - SHA-256 hash value calculation according to /ALGCAT/, chap. 2 - Negotiation of 3DES session keys The resistance of the TSF against SPA, DPA, DFA and TA is part of the TSF F.SIDE_CHAN. The random number generation is in particular used for RSA and DES key generation and authentication mechanisms. The mechanism for the generation of session keys is directly connected with the TSFs MICARDO V3.5 R1.0 eHC V1.0 56 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs F.IA_AKEY and F.IA_SKEY which realise internal and external authentication processes. Furthermore, the generation of random numbers of high quality, and depending on the authentication type, the SHA-256 hash value calculation of TSF F.CRYPTO are involved. The TSF is directly supported by the TSFs of the underlying IC and its Cryptographic Library which supply cryptographic functionality. In particular, the TSFs F.RNG, F.HW_DES, F.DES, F.RSA_encrypt, F.RSA_sign, F.RSA_public, F.RSA_KeyGen, F.SHA and F.RNG_Access are involved. F.RSA_KEYGEN RSA Key Pair Generation The TSF generates RSA key pairs with key lengths of 2048 bit modulus length for asymmetric cryptography which can be used later on e.g. for digital signatures or authen- tication purposes. The TSF enforces the key pair generation process and the related key material to meet the following requirements: - The RSA key pair generation process follows a well-designed key generation algo- rithm of sufficient quality; in particular, the requirements for RSA keys and their generation in /ALGCAT/, chap. 3.1 and 4 as well as in the corresponding European algorithm paper, chap. 4.5.2, 4.6, Annex C.2 and C.3 are taken into account. - Random numbers used in the key pair generation process for the generation of the primes are of high quality to ensure that the new key pair is unpredictable and unique with a high probability. - The generation of the random numbers necessary for the primes is performed by usage of a deterministic RNG running on the TOE. - Prime numbers produced in the key pair generation process are unique with a high probability and satisfy the requirements in /ALGCAT/, chap. 3.1 and 4. In particu- lar, the so-called epsilon-condition is considered. - The primes are independently generated. - Sufficiently good primality tests with convincing limits are implemented to guaran- tee with a high probability for the property of the generated prime candidates to be prime. In particular, the actual version of the significance limit for primality tests is considered. - In the key pair generation process, for the public exponent given by the external world the corresponding private exponent is calculated and converted into its CRT parameters. - For each key length, the generated key pairs show a “good” distribution within the key range; in particular, the generated new key pair is unique with a high probabil- ity. - Only cryptographically strong key pairs with the intended key length are generated. In particular, for any generated key pair, the private key cannot be derived from the corresponding public key. - The key pair generation process includes a dedicated check if the generated pri- vate and public key match; only valid key pairs are issued. - During the key pair generation process, it is not possible to gain information about the chosen random numbers, about the calculated primes, about other secret val- ues which will be used for the key pair to be generated or about the generated key pair and its parts itself. - During the key pair generation process, it is not possible to gain information about the design of the routines realising the key pair generation. - The key pair generation process includes a physical destruction of the old private MICARDO V3.5 R1.0 eHC V1.0 57 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs key part before the new key pair is generated. The resistance of the TSF against SPA, DPA, DFA and TA is part of the TSF F.SIDE_CHAN. The TSF makes use of the TSF F.CRYPTO for random number generation and RSA signature generation and verification. The public part of the generated key pair can be exported with an authentication attribute which either can be a MAC (generation supported by the TSF F.CRYPTO) or a digital signature (generation supported by the TSF F.GEN_DIGSIG) over the public key data. F.GEN_DIGSIG RSA Generation of Digital Signatures The TSF provides a digital signature functionality based on asymmetric cryptography, particularly based on the RSA algorithm with key lengths of 2048 bit modulus length. The TSF digital signature function will be used for several purposes with different formats for the digital signature input: - Explicit generation of digital signatures using the signature scheme with appendix according to the standard /PKCS1/, chap. 8.2.1 and with hash algorithm SHA-2 (256 bit), see /eHC1/, chap. 7 - Explicit generation of digital signatures using the signature scheme with appendix according to the standard /PKCS1/ with random number based on the hash algo- rithm SHA-2 (224, 256, 384 resp. 512 bit) resp. RIPEMD160 (external hash value calculation), see /eHC1/, chap. 7 - Implicit generation of digital signatures within authentication mechanisms for the creation of authentication tokens using the signature scheme with message recov- ery according to the standard /PKCS1/ based on the hash algorithm SHA-256, see /eHC1/, chap. 7 and 16 - Implicit generation of digital signatures within authentication mechanisms for the creation of authentication tokens using the signature scheme with message recov- ery according to the standard /ALGCAT/, chap. 8.2.1 without hash and OID, but with an additional limitation of the length of the input message, see /eHC1/, chap. 7 and 16 The TSF function for generation of a digital signature uses the private key which has been referenced before. The random numbers necessary for the padding of the data within the signature process are generated by using the TSF F.CRYPTO for random number generation. Furthermore, for the signature calculation itself, the TSF makes use of the TSF F.CRYPTO, and the computation of hash values is as well based on the TSF F.CRYPTO. Each private key used for the signature generation function is either generated on-card by usage of the TSF F.RSA_KEYGEN or is generated by the external world and loaded onto the card during the initialisation, personalisation or end-usage phase of the TOE. In the latter case, it is in the responsibility of the external world to guarantee for a sufficient cryp- tographic strength of the private key and to handle the private key outside the card in a sufficient secure manner. The resistance of the TSF against SPA, DPA, DFA and TA is part of the TSFs F.Log and F.SIDE_CHAN. For each private key - generated on-card or imported with the assump- tion that the external world meets the requirements on the key handling as defined before - the TSF digital signature function works in such a manner that the private key cannot be MICARDO V3.5 R1.0 eHC V1.0 58 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs derived from the signature and the signature cannot be generated by other individuals not possessing that secret. Furthermore, the TSF digital signature function works in such a manner that no information about the private key can be disclosed during the generation of the digital signature. F.VER_DIGSIG RSA Verification of Digital Signatures The TSF provides a functionality to verify digital signatures based on asymmetric cryptog- raphy, particularly based on the RSA algorithm with key lengths of 2048 bit modulus length. The TSF function to verify a digital signature will be used for several purposes with differ- ent formats for the digital signature input: - Implicit verification of digital signatures within authentication mechanisms for the verification of authentication tokens using the signature scheme with message re- covery according to the standard /PKCS1/ based on the hash algorithm SHA-256, /eHC1/, chap. 7 and 16 - Implicit verification of digital signatures within the verification and unwrapping of imported CV certificates using the signature scheme with message recovery ac- cording to the standard /PKCS1/based on the hash algorithm SHA-256, see /eHC1/, chap. 7, 8 and 16 The TSF function to verify a digital signature uses the public key which has been refer- enced before. For the verification mechanism itself, the TSF makes directly use of the TSF F.CRYPTO, and the computation of hash values is as well based on the TSF F.CRYPTO. Each public key used for the function to verify a digital signature is either generated on- card by usage of the TSF F.RSA_KEYGEN or is generated by the external world and loaded onto the card during the initialisation, personalisation or end-usage phase of the TOE. In particular, loading via a CV certificate by a suitable preceding operation is possi- ble. F.RSA_ENC RSA Encryption The TSF provides a functionality to encrypt data based on asymmetric cryptography, particularly based on the RSA algorithm with key lengths of 2048 bit modulus length. The TSF encryption function will be used for several purposes with different formats for the encryption input: - Explicit encryption of a plain text using the “encryption scheme” with formatted plain message according to the standard /PKCS1/, chap. 7.2.1 and with hash al- gorithm SHA-256, see /eHC1/, chap. 7 - Implicit encryption within authentication mechanisms for the generation of authenti- cation tokens using the “encryption primitive” according to the standard /PKCS1/, chap. 5.1.1 The TSF encryption function uses the public key which has been referenced before. For the encryption mechanism itself, the TSF makes directly use of the TSF F.CRYPTO. Each public key used for the encryption function is either generated on-card by usage of the TSF F.RSA_KEYGEN or is generated by the external world and loaded onto the card during the initialisation, personalisation or end-usage phase of the TOE. In particular, loading via a CV certificate by a suitable preceding operation is possible. MICARDO V3.5 R1.0 eHC V1.0 59 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs F.RSA_DEC RSA Decryption The TSF provides a functionality to decrypt data based on asymmetric cryptography, particularly based on the RSA algorithm with key lengths of 2048 bit modulus length. The TSF decryption function will be used for several purposes with different formats for the data supplied within the cryptogram: - Explicit decryption of a cryptogram using the “decryption scheme” with formatted input according to the standard /PKCS1/, chap. 7.2.2 and with hash algorithm SHA-256, see /eHC1/, chap. 7 - Implicit decryption within authentication mechanisms for the verification of authenti- cation tokens using the “decryption primitive” according to the standard /PKCS1/, chap. 5.1.2 The TSF decryption function uses the private key which has been referenced before. For the decryption mechanism itself, the TSF makes directly use of the TSF F.CRYPTO. Each private key used for the decryption function is either generated on-card by usage of the TSF F.RSA_KEYGEN or is generated by the external world and loaded onto the card during the initialisation, personalisation or end-usage phase of the TOE. In the latter case, it is in the responsibility of the external world to guarantee for a sufficient cryptographic strength of the private key and to handle the private key outside the card in a sufficient secure manner. The resistance of the TSF against SPA, DPA, DFA and TA is part of the TSFs F.Log and F.SIDE_CHAN. For each private key - generated on-card or imported with the assump- tion that the external world meets the requirements on the key handling as defined before - the TSF decryption function works in such a manner that the private key cannot be de- rived from the cryptogram and the cryptogram cannot be deciphered by other individuals not possessing that secret. Furthermore, the TSF decryption function works in such a manner that no information about the private key may be disclosed during the decipher- ment of the cryptogram. 6.2 SOF Claim for TOE Security Functions According to Common Criteria, /CC 2.3 Part1/ and /CC 2.3 Part3/, all TOE Security Func- tions (TSF) which are relevant for the assurance requirement AVA_SOF.1 are identified in this section. For the TSFs explicitly defined for the underlying IC, information on the SOF claim can be found in /ST-IC/ and /ST-IC+CL/. The TSFs related to the complete product using mechanisms which can be analysed for their permutational or probabilistic properties and which contribute to AVA_SOF.1 are the follow- ing: TOE Security Function SOF Claim Description / Explanation MICARDO V3.5 R1.0 eHC V1.0 60 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs F.ACS_SFP Not applicable The TSF is not realised by permutational or probabilistic mechanisms. F.IA_AKEY SOF high The TSF implements under usage of the TSFs F.CRYPTO, parts for RSA operations, hash value calculation and random number generation, and of the TSFs F.GEN_DIGSIG, F.VER_DIGSIG, F.ENC and F.DEC cryptographic mechanisms for authentication. The TSF is realised by permutational and probabilistic mecha- nisms. F.IA_SKEY SOF-high The TSF implements under usage of the TSFs F.CRYPTO, parts for DES operations and random number generation, cryp- tographic mechanisms for authentication. The TSF is realised by permutational and probabilistic mecha- nisms. F.IA_PWD SOF high The TSF includes a probabilistic password mechanism for the authentication of the user. F.DATA_INT Not applicable In general, the mechanisms for generating and checking CRC- checksums can be analysed with permutational or probabilistic methods. But these mechanisms are not relevant for AVA_SOF.1 as the securing of data areas by CRC-checksums is only intended to secure against accidental data modification. F.EX_CONF Not applicable The TSF includes cryptographic mechanisms using DES func- tionality from the TSF F.CRYPTO. Refer to the explanations for F.CRYPTO concerning the SOF claim resp. valuation of DES based encryption / decryption functions. F.EX_INT Not applicable The TSF includes cryptographic mechanisms using DES func- tionality from the TSF F.CRYPTO. Refer to the explanations for F.CRYPTO concerning the SOF claim resp. valuation of DES based MAC generation / MAC verification functions. F.RIP Not applicable The TSF is not realised by permutational or probabilistic mechanisms. F.FAIL_PROT Not applicable The TSF is not realised by permutational or probabilistic mechanisms. F.SIDE_CHAN Not applicable The TSF is not realised by permutational or probabilistic mechanisms. F.SELFTEST Not applicable The TSF is not realised by permutational or probabilistic mechanisms, except for the functionality supported by the TSFs F.DATA_INT and F.CRYPTO (→ refer to the SOF claim for these TSFs). F.CRYPTO SOF high The TSF includes cryptographic algorithms SHA-256, RSA with key lengths 2048 bit modulus length as well as random number generation by usage of a deterministic RNG of quality class K4. These algorithms and key lengths defined for the TSF comply with the requirements in /ALGCAT/, chap. 2, 3.1, 4 for qualified electronic signatures and fulfill therefore the requirements for MICARDO V3.5 R1.0 eHC V1.0 61 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs SOF high. The TSF part concerning DES functionality (used for encryption, decryption, MAC generation and MAC verification) are as well assigned to the SOF claim as permutational and probabilistic mechanisms are involved. The negotiation of session keys and the derivation of individual keys is not considered to part for the SOF analysis. F.RSA_KEYGEN SOF high The TSF includes permutational and probabilistic mechanisms for the key generation process itself as well as for the integrated random number generation and key check. In particular, func- tionality from the TSF F.CRYPTO (random number generation, RSA signature generation and verification) is used by this TSF. F.GEN_DIGSIG SOF high The TSF implements under usage of the TSF F.CRYPTO, parts for RSA operations and random number generation, crypto- graphic mechanisms for signature generation. The TSF is realised by permutational and probabilistic mecha- nisms, in particular the quality of the implemented security mechanisms against leakage can be analysed using permuta- tional or probabilistic methods. F.VER_DIGSIG Not applicable The implementation of the TSF uses only public keys and needs not to be considered with regard to high attack potential so that securing of the implementations against Simple Power Analysis (SPA), Differential Power Analysis (DPA), Differential Fault Analysis (DFA) and Timing Attacks (TA) is not necessary. Because of this fact, the TSF – although it can be analysed with permutational or probabilistic methods - is not relevant for AVA_SOF.1. Nevertheless, this TSF is secured by appropriate hardware security features. F.RSA_ENC Not applicable The implementation of the TSF uses only public keys and needs not to be considered with regard to high attack potential so that securing of the implementations against Simple Power Analysis (SPA), Differential Power Analysis (DPA), Differential Fault Analysis (DFA) and Timing Attacks (TA) is not necessary. Because of this fact, the TSF – although it can be analysed with permutational or probabilistic methods - is not relevant for AVA_SOF.1. Nevertheless, this TSF is secured by appropriate hardware security features. F.RSA_DEC SOF high The TSF implements under usage of the TSF F.CRYPTO, part for RSA operations, cryptographic mechanisms for decryption. The TSF is realised by permutational and probabilistic mecha- nisms, in particular the quality of the implemented security mechanisms against leakage can be analysed using permuta- tional or probabilistic methods. For each of the TOE Security Functions given in the preceding list an explicit claim of “SOF- high” is made. MICARDO V3.5 R1.0 eHC V1.0 62 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs The TOE´s cryptographic algorithms themselves can also be analysed with permutational or probabilistic methods but this is not in the scope of CC evaluations. 6.3 Assurance Measures Appropriate assurance measures will be employed by the developer of the TOE to satisfy the security assurance requirements defined in chap. 5.1.3. For the evaluation of the TOE, the developer will provide appropriate documents describing these measures and containing further information supporting the check of the conformance of these measures against the claimed assurance requirements. For the Smartcard Embedded Software part of the TOE (TOE-ES), the following table gives a mapping between the assurance requirements and the documents containing the relevant information for the respective requirement. All these documents concerning the TOE-ES are provided by the developer of the TOE-ES. The table below contains only the directly related documents, references to further documentation can be taken from the mentioned docu- ments. Overview of Developer´s TOE-ES related Documents Assurance Class Family Document containing the relevant information ACM_AUT - Document Configuration Control System ACM_CAP - Document Life-Cycle Model - Document Configuration Control System ACM Configuration Management ACM_SCP - Document Configuration Control System - Document Life-Cycle Model ADO_DEL - Document Life-Cycle Model ADO Delivery and Operation ADO_IGS - Document Installation, Generation and Start-Up Procedures ADV_FSP - Document Functional Specification ADV_HLD - Document High-Level Design - Detailed development documents as system specifications, design specifications, etc. ADV_LLD - Document Low-Level Design - Detailed development documents as system specifications, design specifications, etc. ADV_IMP - Source Code - Detailed development documents as system specifications, design specifications, etc. ADV Development ADV_RCR - Document Functional Specification - Document High-Level Design - Document Low-Level Design MICARDO V3.5 R1.0 eHC V1.0 63 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs ADV_SPM - Document TOE Security Policy Model AGD Guidance Documents AGD_ADM, AGD_USR - User Guidance for the Initialiser of the TOE - User Guidance for the Personaliser of the TOE - User Guidance for the User of the TOE´s MICARDO OS plat- form - User Guidance for the User of the TOE´s eHC ALC_DVS - Document Security of the Development Environment ALC_LCD - Document Life-Cycle Model ALC Life Cycle Sup- port ALC_TAT - Configuration List ATE_COV - Document Test Documentation - Detailed test documentation as system test specifications, test protocols, etc. ATE_DPT - Document Test Documentation - Detailed test documentation as system test specifications, test protocols, etc. ATE_FUN - Document Test Documentation - Detailed test documentation as system test specifications, test protocols, etc. ATE Tests ATE_IND - Samples of the TOE - Source Code AVA_MSU - Document Analysis of the Guidance Documents AVA_SOF - Document TOE Security Function Evaluation AVA Vulnerability Assessment AVA_VLA - Document Vulnerability Analysis As mentioned, the evaluation of the TOE will re-use evaluation results of the CC evaluation of the underlying IC with Crypto Library "NXP SmartMX P5CC080V0B Secure Smart Card Controller with Cryptographic Library as IC Dedicated Support Software" provided by NXP Semiconductors GmbH. Therefore, for the TOE-IC the following documents will be at least provided by the IC developer: Overview of Developer´s TOE-IC related Documents Class Documents Security Target Lite of the IC evaluation, /ST-IC/ Security Target Security Target Lite of the IC evaluation incl. Crypto Library, /ST-IC+CL/ MICARDO V3.5 R1.0 eHC V1.0 64 / 73 ST-Lite 5BTOE Summary Specification 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs User Guidance for the IC, /UG-IC/ Data Sheet for the IC, /DS-IC/ User Guidances User Guidances for the Crypto Library, /UG-CL/, /UG-CL-DES/, /UG-CL- RSA/, /UG-CL-RND/, /UG-CL-SHA/, /UG-CL-RSAKeyGen/, /UG-CL- Util/ MICARDO V3.5 R1.0 eHC V1.0 65 / 73 ST-Lite 6BPP Claims 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs 7 PP Claims The Security Target claims conformance to the Protection Profile /PP-eHC/. 7.1 TOE´s eHC Application 7.1.1 PP References The Security Target for the TOE and its eHC Application is based on the Protection Profile /PP-eHC/. 8 Rationale The following chapters cover the security objectives rationale, the security requirements ra- tionale and the TOE summary specification rationale. Furthermore, the chapter contains a statement of compatibility between the platform security target and this composite security target according to the requirements of /AIS36/. The chapter is not disclosed in the ST-Lite. MICARDO V3.5 R1.0 eHC V1.0 66 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Reference I Bibliography /CC 2.3 Part1/ Title: Common Criteria for Information Technology Security Evalua- tion, Part 1: Introduction and General Model Identification: CCIMB-2005-08-001 Version: Version 2.3 Date: August 2005 Author: CC Project Sponsoring Organisations CSE, SCSSI, BSI, NLNCSA, CESG, NIST, NSA /CC 2.3 Part2/ Title: Common Criteria for Information Technology Security Evalua- tion, Part 2: Security Functional Requirements Identification: CCIMB-2005-08-002 Version: Version 2.3 Date: August 2005 Author: CC Project Sponsoring Organisations CSE, SCSSI, BSI, NLNCSA, CESG, NIST, NSA /CC 2.3 Part3/ Title: Common Criteria for Information Technology Security Evalua- tion, Part 3: Security Assurance Requirements Identification: CCIMB-2005-08-003 Version: Version 2.3 Date: August 2005 Author: CC Project Sponsoring Organisations CSE, SCSSI, BSI, NLNCSA, CESG, NIST, NSA /CEM 2.3 Part2/ Title: Common Methodology for Information Technology Security Evaluation Identification: CCIMB-2005-08-004 Version: Version 2.3 Date: August 2005 Author: CC Project Sponsoring Organisations CSE, SCSSI, BSI, NLNCSA, CESG, NIST, NSA /AIS32/ Title: Übernahme international abgestimmter CC Interpretationen Identification: AIS 32 Date: 02.07.2001 Publisher: Bundesamt für Sicherheit in der Informationstechnik MICARDO V3.5 R1.0 eHC V1.0 67 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs /AIS36/ Title: Kompositionsevaluierung Identification: AIS 36, Version 2 Date: 12.11.2007 Publisher: Bundesamt für Sicherheit in der Informationstechnik /PP9911/ Title: Protection Profile - Smartcard Integrated Circuit with Embedded Software Identification: Registered at the French Certification Body (DCSSI) under the number PP/9911 Version: Version 2.0 Date: June 1999 Author: Atmel Smart Card ICs, Bull-SC&T, De la Rue – Card Systems, Eurosmart, Gemplus, Giesecke & Devrient GmbH, Hitachi Europe Ltd, Infineon Technologies AG, Microelectronica Es- pana, Motorola SPS, NEC Electronics, Oberthur Smart Card, ODS, ORGA Kartensysteme GmbH, Philips Semiconductors Hamburg, Schlumberger Cards Devision, Service Central de la Securite des Systemes d´Information, ST Microelectronics /BSI-PP-0002/ Title: Smartcard IC Platform Protection Profile Identification: Registered and Certified by Bundesamt für Sicherheit in der In- formationstechnik (BSI) under the reference BSI-PP-0002 Version: Version 1.0 Date: July 2001 Author: Atmel Smart Card ICs, Hitachi Europe Ltd, Infineon Technolo- gies AG, Philips Semiconductors /DS-IC/ Title: Product Data Sheet: P5Cx02x/040/073/080/144 family – Secure dual interface and contact PKI smart card controller Version: Revision 3.4 Date: 7st Nov. 2007 Publisher: NXP Semiconductors GmbH /UG-IC/ Title: Guidance, Delivery and Operation Manual for the P5Cx012/02x/040/073/080/144 V0B family Version: Revision 1.7 Date: 25th Feb. 2008 Publisher: NXP Semiconductors GmbH /UG-CL/ Title: Secured Crypto Library on the P5Cx02x/040/080/144 Family, User guidance manual: Overview Version: Revision 3.4 Date: 11th Aug. 2008 MICARDO V3.5 R1.0 eHC V1.0 68 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Publisher: NXP Semiconductors GmbH /UG-CL-DES/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: DES Library Version: Revision 3.0 Date: 24th Aug. 2007 Publisher: NXP Semiconductors GmbH /UG-CL-RSA/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: RSA Library Version: Revision 4.0 Date: 24th Aug. 2007 Publisher: NXP Semiconductors GmbH /UG-CL-RND/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: Random Number Generator Version: Revision 5.0 Date: 24nd Aug. 2007 Publisher: NXP Semiconductors GmbH /UG-CL-SHA/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: SHA-1, SHA-224 and SHA-256 Lib Version: Revision 4.1 Date: 24th Aug. 2007 Publisher: NXP Semiconductors GmbH /UG-CL-RSAKeyGen/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: RSA Key Generation Version: Revision 4.1 Date: 10th March 2008 Publisher: NXP Semiconductors GmbH /UG-CL-Util/ Title: Secured Crypto Library on the SmartMX, User guidance man- ual: Utility Library Version: Revision 1.0 Date: 24th Aug. 2007 Publisher: NXP Semiconductors GmbH Publisher: NXP Semiconductors GmbH /ST-IC/ MICARDO V3.5 R1.0 eHC V1.0 69 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Title: Security Target Lite –P5CC080V0B Identification: BSI-DSZ-CC-0410-2007(-MA-3b)4 Version: Revision 1.4 Date: th Feb 2008 Publisher: NXP Semiconductors GmbH /ST-IC+CL/ Title: Security Target Lite – Secured Crypto Library on the P5CC080V0B Identification: BSI-DSZ-CC-0417-2008(-MA-1b) Version: Revision 1.3 Date: 11th Aug 2008 Publisher: NXP Semiconductors GmbH /ISO 9796-2/ Title: Information Technology – Security Techniques – Digital Signa- ture Schemes Giving Message Recovery – Part 2: Integer Fac- torization Based Mechanisms Identification: ISO/IEC 9796-2 Version: Second Edition Date: 2002 Publisher: ISO / IEC /ISO 9798-3/ Title: Information Technology – Security Techniques – Entity Authen- tication Mechanisms – Part 3: Entity Authentication Using a public key algorithm Identification: ISO/IEC 9798-3 Version: Second Edition Date: 1998 Publisher: ISO / IEC /ISO 7816-4/ Title: Integrated circuit(s) cards with contacts. Part 4: Interindustry commands for interchange Identification: ISO/IEC 7816-4 Version: First edition Date: September 1.1995 Publisher: International Organization for Standardization/International Electrotechnical Commission /ISO 7816-8/ Title: Integrated circuit(s) cards with contacts. Part 8: Interindustry commands for interchange MICARDO V3.5 R1.0 eHC V1.0 70 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Identification: ISO/IEC FDIS 7816-8 Date: June 1998 Publisher: International Organization for Standardization/International Electrotechnical Commission /ISO 7816-9/ Title: Integrated circuit(s) cards with contacts. Part 9: Enhanced inter- industry commands Identification: ISO/IEC 7816-9 Version: First Edition Date: Sept. 2000 Publisher: International Organization for Standardization/International Electrotechnical Commission /SHA/ Title: Secure Hash Standard (SHS) Identification: FIPS Publication 180-2 Date: August 2002 Publisher: National Institute of Standards and Technology (NIST) /FIPS 46-3/ Title: Data Encryption Standard (DES) Identification: FIPS Publication 46-3 Date: October 1999 Publisher: National Institute of Standards and Technology (NIST) /ANSI X9.52/ Title: Triple Data Encryption Algorithm Modes of Operation Identification: ANSI X9.52 Date: 1998 Publisher: American National Standards Institute (ANSI) /PKCS1/ Title: PKCS #1 v2.1: RSA Cryptography Standard Date: June 2002 Publisher: RSA Laboratories /ISO 11770-3/ Title: Information Technology – Security Techniques – Key Manage- ment – Part 3: Mechanisms Using Asymmetric Techniques Identification: ISO/IEC 11770-3 Date: 1996 Publisher: ISO/IEC /ANSI X9.19/ Title: Financial Institution Retail Message Authentication MICARDO V3.5 R1.0 eHC V1.0 71 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Identification: ANSI X9.19 Date: 1996 Publisher: American National Standards Institute (ANSI) /ANSI X9.63/ Title: Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryp- tography Identification: ANSI X9.63 Date: 2001 Publisher: American National Standards Institute (ANSI) /eHC1/ Title: Spezifikation der elektronischen Gesundheitskarte, Teil 1: Spe- zifikation der elektrischen Schnittstelle Version: Version 2.2.2 Date: 16.09.2008 Publisher: gematik mbH /eHC2/ Title: Die Spezifikation der elektronischen Gesundheitskarte, Teil 2: Anwendungen und anwendungsspezifische Strukturen Version: Version 2.2.1 Date: 19.06.2008 Publisher: gematik mbH /ALGCAT/ Title: Geeignete Algorithmen zur Erfüllung der Anforderungen nach §17 Abs.1 bis 3 SigG vom 22. Mai 2001 in Verbindung mit An- lage 1 Anschnitt I Nr. 2 SigV vom 22. Nov. 2001 Identification: Bundesanzeiger (to be published) Date: 17.11.2008 Publisher: Bundesnetzagentur /PP-eHC/ Title: Protection Profile – electronic Health Card (eHC) – elektroni- sche Gesundheitskarte (eGK) Identification: BSI-PP-0020-V2-20007-MA02 Version: 2.60 Date: Juli 29th 2008 Publisher: Bundesamt für Sicherheit in der Informationstechnik (BSI) /BSI-CC-ICCL/ Title: Assurance Continuity Maintainance Report: NXP Smart Card Controller P5CD080V0B with IC dedicated software - Secured Crypto Library Release 2.1 MICARDO V3.5 R1.0 eHC V1.0 72 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs Identification: BSI-DSZ-CC-0417-2008-MA-01a Author: Bundesamt für Sicherheit in der Informationstechnik (BSI) Publisher: Bundesamt für Sicherheit in der Informationstechnik (BSI) /BSI-CC-IC/ Title: Assurance Continuity Maintenance Report: NXP Secure Smart Card ControllerP5CD080V0B, P5CC080V0B, P5CN080V0B and P5CC073V0B with specific IC Dedicated Software Identification: BSI-DSZ-CC-0410-2007-MA-04a Author: Bundesamt für Sicherheit in der Informationstechnik (BSI) Publisher: Bundesamt für Sicherheit in der Informationstechnik (BSI) II Summary of abbreviations A.x Assumption AC Access Condition AID Application Identifier ALW Always AM Access Mode AR Access Rule AS Application Software ATR Answer To Reset AUT Key Based Authentication BS Basic Software CC Common Criteria CGA Certification Generation Application CH Card Holder CHV Cardholder Verification CSP Certification Service Provider DES Data Encryption Standard DF Dedicated File DFA Differential Fault Analysis DPA Differential Power Analysis DTBS Data to be signed EAL Evaluation Assurance Level EF Elementary File EHC Electronic Health Card ES Embedded Software HPC Health Professional Card IC Integrated Circuit IFD Interface Device MAC Message Authentication Code MF Master File O.x Security Objective OS Operating System PAR Partial Access Rule P.x Organisational Security Policy PIN Personal Identification Number PP Protection Profile PUC PIN Unblocking Code MICARDO V3.5 R1.0 eHC V1.0 73 / 73 ST-Lite Reference 3MIC3EVAL.CSL.0004 V1.02 16 October 2009 Sagem ORGA GmbH Karsten Klohs PW Password PWD Password Based Authentication RAD Reference Authentication Data RSA Rivest-Shamir-Adleman Algorithm SAR Security Assurance Requirement SCA Signature Creation Application SCD Signature Creation Data SCS Signature Creation System SDO Signed Data Object SFP Security Function Policy SFR Security Functional Requirement SM Secure Messaging SMC Security Module Card SOF Strength of Functions SPA Simple Power Analysis SPM TOE Security Policy Model SSC Send Sequence Counter SSCD Secure Signature Creation Device ST Security Target SVD Signature Verification Data TA Timing Analysis T.x Threat TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Function TSP TOE Security Policy VAD Verification Authentication Data III Glossary For explanation of technical terms refer to the following documents: /PP9911/, Annex A /BSI-PP-0002/, Chap. 8.7