Page 1 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
REF: 2012-32-INF-2355 v1
Target: Público
Date: 09.05.2018
Created by: CERT10
Revised by: CALIDAD
Approved by: TECNICO
CERTIFICATION REPORT
File: 2012-32 Aselsan STC-8250A v1.1
Applicant: 0860042250 Aselsan A.S.
References:
[EXT-1930] Certification request of Aselsan STC-8250A v1.1
[EXT-3787] Evaluation Technical Report of Aselsan STC-8250A v1.1.
The product documentation referenced in the above documents.
Certification report of the product Aselsan STC-8250A v1.1, as requested in [EXT-
1930] dated 19/10/2012, and evaluated by the laboratory Epoche & Espri S.L.U., as
detailed in the Evaluation Technical Report [EXT-3787] received on 28/02/2018.
Page 2 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
TABLE OF CONTENTS
EXECUTIVE SUMMARY. .................................................................................................................................3
TOE SUMMARY ..............................................................................................................................................3
SECURITY ASSURANCE REQUIREMENTS................................................................................................4
SECURITY FUNCTIONAL REQUIREMENTS ..............................................................................................5
IDENTIFICATION..............................................................................................................................................6
SECURITY POLICIES .......................................................................................................................................7
ASSUMPTIONS AND OPERATIONAL ENVIRONMENT ...........................................................................7
CLARIFICATIONS ON NON-COVERED THREATS....................................................................................7
OPERATIONAL ENVIRONMENT FUNCTIONALITY.................................................................................8
ARCHITECTURE................................................................................................................................................8
LOGICAL ARCHITECTURE...........................................................................................................................8
PHYSICAL ARCHITECTURE.........................................................................................................................8
DOCUMENTS ......................................................................................................................................................8
PRODUCT TESTING..........................................................................................................................................9
EVALUATED CONFIGURATION ...................................................................................................................9
EVALUATION RESULTS................................................................................................................................10
COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM.......................................10
CERTIFIER RECOMMENDATIONS ............................................................................................................10
GLOSSARY ........................................................................................................................................................10
BIBLIOGRAPHY...............................................................................................................................................11
SECURITY TARGET........................................................................................................................................11
RECOGNITION AGREEMENTS....................................................................................................................12
EUROPEAN RECOGNITION OF ITSEC/CC – CERTIFICATES (SOGIS-MRA) ......................................................12
INTERNATIONAL RECOGNITION OF CC – CERTIFICATES (CCRA).....................................................................12
Page 3 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
EXECUTIVE SUMMARY.
This document constitutes the Certification Report for the certification dossier of the
product Aselsan STC-8250A v1.1, a digital tachograph which purpose is record,
store, display, print and output data related to driver activities
Developer/manufacturer: Aselsan A.Ş.
Sponsor: Aselsan A.Ş.
Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de
Inteligencia (CNI).
ITSEF: Epoche & Espri S.L.U.
Protection Profile: Protection Profile Digital Tachograph-Vehicle Unit (VU-PP), BSI-
CC-PP-0057, Version 1.0, 13th July 2010, Bundesamt für Sicherheit in der
Informationstechnik.
Evaluation Level: EAL4 + ATE_DPT.2, AVA_VAN.5.
Evaluation end date: 28/02/2018.
All the assurance components required by the evaluation level EAL4 (augmented
with ATE_DPT.2 and AVA_VAN.5) have been assigned a “PASS” verdict.
Consequently, the laboratory Epoche & Espri S.L.U. assigns the “PASS” VERDICT
to the whole evaluation due all the evaluator actions are satisfied for the EAL4+, as
defined by the Common Criteria for Information Technology Security Evaluation
version 3.1 R4 and the Common Methodology for Information Technology Security
Evaluation version 3.1 R4.
Considering the obtained evidences during the instruction of the certification request
of the product Aselsan STC-8250A v1.1, a positive resolution is proposed.
TOE SUMMARY
The Target of Evaluation (TOE) is a vehicle unit (VU) in the sense of Annex I B of
Commission Regulation (EC) No. 1360/2002 ‘Requirements for construction, testing,
installation and inspection’ dated 05.08.2002 and amended by Commission
Regulation (EC) No 432/2004 of 5 March 2004 Council Regulation (EC) No
1791/2006 of 20 November 2006, Commission Regulation (EC) No 68/2009 of 23
January 2009 and Commission Regulation (EU) No 1266/2009 of 16 December
2009.
The TOE is intended to be installed in road transport vehicles. Its purpose is to
record, store, display, print and output data related to driver activities. The VU
records and stores user activities data in its internal data memory, it also records
user activities data in tachograph cards. The VU outputs data to display, printer and
Page 4 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
external devices. It is connected to a motion sensor with which it exchanges
vehicle’s motion data. Users identify themselves to the VU using tachograph cards.
The TOE receives motion data from the motion sensor and activity data via the
facilities for entry of user’s. It stores all these user data internally and can export
them to the tachograph cards inserted, to the display, to the printer, and to electrical
interfaces.
The block diagram of the TOE is depicted in Figure 1 (it is noted that although the
printer mechanism is part of the TOE, the paper document once produced is not).
SECURITY ASSURANCE REQUIREMENTS
The product was evaluated with all the evidence required to fulfil the evaluation level
EAL4 and the evidences required by the additional components ATE_DPT.2 and
AVA_VAN.5, according to Common Criteria v3.1 R4.
Class Family/Component
ASE: Security Target
Evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ADV: Development
ADV_ARC.1 Security architecture description
ADV_FSP.4 Complete functional specification
ADV.IMP.1 Implementation representation of the TSF
ADV_TDS.3 Basic Modular Design
AGD: Guidance
documents
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC: Life cycle support ALC_CMC.4 Production support, acceptance procedures and
Page 5 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
automation
ALC_CMS.4 Problem tracking CM coverage
ALC_DVS.1 Identification of security measures
ALC_TAT.1 Well-defined development tools
ALC_DEL.1 Delivery procedures
ALC_LCD.1 Developer defined life-cycle model
ATE: Tests
ATE_COV.2 Analysis of coverage
ATE_DPT.2 Testing: security enforcing modules
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample
AVA: Vulnerability
assessment
AVA_VAN.5 Advanced methodical vulnerability analysis
SECURITY FUNCTIONAL REQUIREMENTS
The product security functionality satisfies the following functional requirements,
according to the Common Criteria v3.1 R4:
Class Component
FAU: Security audit
GEN.1 Audit data generation
SAR.1 Audit review
STG.1 Protected audit trail storage
FCO: Communication NRO.1 Selective proof of origin
FCS: Cryptographic Support
CKM.1/TDES Cryptographic key generation
CKM.1/AES Cryptographic key generation
CKM.2 Cryptographic key distribution
CKM.3 Cryptographic key access
CKM.4 Cryptographic key destruction
COP.1/TDES Cryptographic operation
COP.1/RSA Cryptographic operation
COP.1/AES Cryptographic operation
COP.1/ECDSA Cryptographic operation
FDP: User data protection
ACC.1/FIL Subset access control
ACC.1/FUN Subset access control
ACC.1/DAT Subset access control
ACC.1/UDE Subset access control
ACC.1/IS Subset access control
ACC.1/SW-Upgrade Subset access control
ACF.1/FIL Security attribute based access control
ACF.1/FUN Security attribute based access control
ACF.1/DAT Security attribute based access control
ACF.1/UDE Security attribute based access control
ACF.1/IS Security attribute based access control
ACF.1/SW-Upgrade Security attribute based access
control
ETC.2 Export of user data with security attributes
ITC.1 Import of user data without security attributes
ITC.2//IS Import of user data with security attributes
ITC.2//SW-Upgrade Import of user data with security
attributes
RIP.1 Subset residual information protection
SDI.2 Stored data integrity
FIA: Identification and authentication AFL.1/MS Authentication failure handling
Page 6 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
AFL.1/TC Authentication failure handling
ATD.1//TC User attribute definition
UAU.1/TC Timing of authentication
UAU.1/PIN Timing of authentication
UAU.1/MD Timing of authentication
UAU.2//MS User authentication before any action
UAU.3/MS Unforgeable authentication
UAU.3/TC Unforgeable authentication
UAU.3/MD Unforgeable authentication
UAU.5//TC Multiple authentication mechanisms
UAU.6/MS Re-authenticating
UAU.6/TC Re-authenticating
UID.2/MS User identification before any action
UID.2/TC User identification before any action
UID.2/MD User identification before any action
FMT: Security management
MSA.1 Management of security attributes
MSA.3/FUN Static attribute initialisation
MSA.3/FIL Static attribute initialisation
MSA.3/DAT Static attribute initialisation
MSA.3/UDE Static attribute initialisation
MSA.3/IS Static attribute initialisation
MSA.3/SW-Upgrade Static attribute initialisation
MOF.1 Management of security functions behaviour
SMF.1 Specification of Management Functions
SMR.1//TC Security roles
FPR: Privacy UNO.1 Unobservability
FPT: Protection of the TSF
FLS.1 Failure with preservation of secure state
PHP.2//Power_Deviation Notification of physical
attack
PHP.2//HW_sabotage Notification of physical attack
PHP.3 Resistance to physical attack
STM.1 Reliable time stamps
TDC.1//IS Inter-TSF basic TSF data consistency
TDC.1/SW-Upgrade Inter-TSF basic TSF data
consistency
TST.1 TSF testing
FRU: Resource Utilization PRS.1 Limited priority of service
IDENTIFICATION
Product: Aselsan STC-8250A v1.1 (more details in Table 1)
Security Target: Aselsan STC-8250A Security Target v2.5, 18.10.2017.
Protection Profile: Protection Profile Digital Tachograph-Vehicle Unit (VU-PP), BSI-
CC-PP-0057, Version 1.0, 13th July 2010, Bundesamt für Sicherheit in der
Informationstechnik.
Evaluation Level: Common Criteria v.3.1 R4 - EAL4 + ATE_DPT.2, AVA_VAN.5.
Page 7 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
TOE Identification Aselsan STC-8250A
TOE Version v1.1
TOE SW Version 0.8.3
OMAP SW file name avu-omap-0_8_3_0dpl-0_0_102_signed
ARM SW file name avu-arm-0_8_3_0dpl-svn2746-20171018
DSP SW file name AVU_DSP_0_0_102
MSP SP SW file name avu-msp-0_0_195_63_rls
MSP PP SW Version avu-msp_pp-0_5_0
TOE HW Version 5820-8250-0001S_RevA
Base Card (TBK) 5999-9945-9002S_RevA
Processor Card (MPK_PRD) 5999-9945-9001_RevB
Processor Card Covers(CR TOP) 5999-0045-9004_RevB
Processor Card Covers(CR BOTTOM) 5999-0045-9005_RevB
Processor Frame Top (FRMT) 5999-0045-9006_RevB
Processor Card Frame Bottom (FRMB) 5999-0045-9007_RevB
Front Panel Card (OPK) 5999-9945-9003S_RevA
Mechanics (MEC) 6009-0045-9006_RevB (Front cover)
5999-9045-9008_RevB (Bottom cover)
5999-9045-9009_RevB (Top cover)
Table 1
SECURITY POLICIES
The use of the product Aselsan STC-8250A v1.1 shall implement a set of security
policies assuring the fulfilment of different standards and security demands.
The detail of these policies is documented in the Security Target, section 4.5.
ASSUMPTIONS AND OPERATIONAL ENVIRONMENT
The assumptions are constraints to the conditions used to assure the security
properties and functionalities compiled by the security target. These assumptions
have been applied during the evaluation in order to determine if the identified
vulnerabilities can be exploited.
In order to assure the secure use of the TOE, it is necessary to start from these
assumptions for its operational environment. If this is not possible and any of them
could not be assumed, it would not be possible to assure the secure operation of the
TOE.
The detail of these assumptions is documented in the Security Target, section 4.6.
CLARIFICATIONS ON NON-COVERED THREATS
The following threats do not suppose a risk for the product Aselsan STC-8250A v1.1,
although the agents implementing attacks have the attack potential according to the
HIGH of EAL 4 + AVA_VAN.5 and always fulfilling the usage assumptions and the
proper security policies satisfaction.
Page 8 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
For any other threat not included in this list, the evaluation results of the product
security properties and the associated certificate, do not guarantee any resistance.
The detail of these threats is documented in the Security Target, section 4.4.
OPERATIONAL ENVIRONMENT FUNCTIONALITY
The product requires the cooperation from its operational environment to fulfil some
of the objectives of the defined security problem.
The detail of these security objectives for the TOE operational environment is
documented in the Security Target, section 5.2.
ARCHITECTURE
LOGICAL ARCHITECTURE
The section 2.3.2 Logical Scope of the Security Target describes the main security
functionality implemented by the TOE:
 Security Audit
 Cryptographic Support
 User Data Protection
 Identification & Authentication of Motion Sensor and Tachograph Cards
 Security Management
 Protection of the TSF
 Communication
 Privacy
 Resource utilization
PHYSICAL ARCHITECTURE
The physical scope of the TOE is Aselsan Digital Tachograph Vehicle Unit (Aselsan
STC-8250A v1.1) which is a device to be installed in a vehicle. The TOE consists of
a hardware box (includes a processing unit, a data memory, a real time clock, two
smart card interface devices (driver and co-driver), a printer, a display, a visual
warning, a calibration/downloading connector, facilities for entry of user’s inputs,
embedded software and of related manuals.
More details can be found in section 2.3.1 of the Security Target.
DOCUMENTS
The product includes the following documents that shall be distributed and made
available together to the users of the evaluated version.
Page 9 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
The following guides are required reading and part of the TOE:
 Quick User Guide. (AVU-QUI-RevA with stamp.pdf)
 Preparation Manual. AVU-AGD-PRE, Rev 0.8, 19.10.2017. (AVU-AGD-
PRE_v0.8.pdf)
 Operation Manual. AVU-AGD-OPE, Rev 0.7, 19.10.2017. (AVU-AGD-OPE-
v0.7.pdf)
PRODUCT TESTING
The developer has executed test for all the security functions. All the tests have been
performed by the developer in its premises, with a satisfactory result.
During the evaluation process it has been verified each unit test checking that the
security functionality that covers is been identified and also that the kind of test is
appropriate to the function that is intended to test.
All the tests have been developed using the testing scenario appropriate to the
established architecture in the security target. It has also been checked that the
obtained results during the tests fit or correspond to the previously estimated results.
To verify the results of the developer tests, the evaluator has repeated all the
developer functional tests in the developer premises. Likewise, he has selected and
repeated all the developer functional tests in the testing platform implemented in the
evaluation laboratory.
In addition, the lab has devised a test for each of the security functions of the product
verifying that the obtained results are consistent with the results obtained by the
developer.
It has been checked that the obtained results conform to the expected results and in
the cases where a deviation, in respect to the expected results, was present, the
evaluator has confirmed that this variation neither represents any security problem
nor a decrease in the functional capacity of the product.
EVALUATED CONFIGURATION
The evaluator has performed an installation and configuration of the TOE using the
information provided in the preparation manual and the operational manual.
The evaluator has followed the security measures described both in preparation
manual and the operational manual in order to fulfil the security objectives for the
operational environment described in the security target.
The TOE configuration used to execute the independent tests is consistent with the
evaluated configuration according to security target.
The following software version has been used:
 MSP SW v 0.195.63 (filename: avu-msp_0_0_195_63_rls.txt).
Page 10 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
 OMAP SW v 0.8.3 Deployment version (filename: avu-omap-0_8_3dpl-
0_0_102_signed.bin), composed by:
o DSP SW v. 0.0.102 (filename: AVU_DSP_0_0_102.out).
o ARM SW v. 0.8.3 Deployment version (filename: avuarm-0_8_3dpl-
svn2746-20171018.out).
 Personalization file (filename: keyVAluesVU4_signed.bin).
In addition to this, a production version of OMAP software has been used for specific
testing purpose (composed by the same DSP SW version and ARM SW v0.8.3
Production version).
EVALUATION RESULTS
The product Aselsan STC-8250A v1.1 has been evaluated against the Security
Target “Aselsan STC-8250A Security Target v2.5, 18.10.2017”.
All the assurance components required by the evaluation level EAL4 + ATE_DPT.2,
AVA_VAN.5 have been assigned a “PASS” verdict. Consequently, the laboratory
Epoche & Espri S.L.U assigns the “PASS” VERDICT to the whole evaluation due all
the evaluator actions are satisfied for the evaluation level EAL4 + ATE_DPT.2,
AVA_VAN.5, as defined by Common Criteria v3.1 R4 and the CEM v3.1 R4.
COMMENTS & RECOMMENDATIONS FROM THE
EVALUATION TEAM
The TOE usage is recommended as there are not exploitable vulnerabilities for the
TOE under its operational environment.
The following usage recommendations are given:
 The user guidance must be read and understood in order to operate the TOE
in an adequate manner according to the security target.
CERTIFIER RECOMMENDATIONS
Considering the obtained evidences during the instruction of the certification request
of the product Aselsan STC-8250A v1.1, a positive resolution is proposed.
GLOSSARY
CCN Centro Criptológico Nacional
CNI Centro Nacional de Inteligencia
EAL Evaluation Assurance Level
Page 11 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
ETR Evaluation Technical Report
OC Organismo de Certificación
TOE Target Of Evaluation
BIBLIOGRAPHY
The following standards and documents have been used for the evaluation of the
product:
[CC_P1] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1, R4 Final, September 2012.
[CC_P2] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1, R4 Final, September 2012.
[CC_P3] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1, R4 Final, September 2012.
[CEM] Common Methodology for Information Technology Security Evaluation:
Version 3.1, R4 Final, September 2012.
SECURITY TARGET
Along with this certification report, the complete security target of the evaluation is
stored and protected in the Certification Body premises. This document is identified
as:
- Aselsan STC-8250A Security Target. Version 2.5. 18.10.2017.
The public version of this document constitutes the ST Lite. The ST Lite has also
been reviewed for the needs of publication according to [CCDB-2006-04-004], and it
is published along with this certification report in the Certification Body and CCRA
websites. The ST Lite identifier is:
- Aselsan Digital Tachograph Vehicle Unit (v1.1) Security Target (Lite Version).
Version 2.6. 26/04/2018.
Page 12 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
RECOGNITION AGREEMENTS
In order to avoid multiple certification of the same product in different countries a
mutual recognition of IT security certificates - as far as such certificates are based on
ITSEC or CC - under certain conditions was agreed.
European Recognition of ITSEC/CC – Certificates (SOGIS-MRA)
The SOGIS-Mutual Recognition Agreement (SOGIS-MRA) Version 3 became
effective in April 2010. It defines the recognition of certificates for IT-Products at a
basic recognition level and, in addition, at higher recognition levels for IT-Products
related to certain SOGIS Technical Domains only.
The basic recognition level includes Common Criteria (CC) Evaluation Assurance
Levels EAL 1 to EAL 4 and ITSEC Evaluation Assurance Levels E1 to E3 (basic).
For "Smartcards and similar devices" a SOGIS Technical Domain is in place. For
"HW Devices with Security Boxes" a SOGIS Technical Domains is in place, too. In
addition, certificates issued for Protection Profiles based on Common Criteria are
part of the recognition agreement.
The new agreement has been signed by the national bodies of Austria, Finland,
France, Germany, Italy, The Netherlands, Norway, Spain, Sweden and the United
Kingdom. The current list of signatory nations and approved certification schemes,
details on recognition, and the history of the agreement can be seen on the website
at https://www.sogis.org.
The SOGIS-MRA logo printed on the certificate indicates that it is recognised under
the terms of this agreement by the nations listed above.
The certificate of this TOE is recognized under SOGIS-MRA for assurance
components up to EAL4.
International Recognition of CC – Certificates (CCRA)
The international arrangement on the mutual recognition of certificates based on the
CC (Common Criteria Recognition Arrangement, CCRA-2014) has been ratified on
08 September 2014. It covers CC certificates based on collaborative Protection
Profiles (cPP) (exact use), CC certificates based on assurance components up to
and including EAL 2 or the assurance family Flaw Remediation (ALC_FLR) and CC
certificates for Protection Profiles and for collaborative Protection Profiles (cPP).
The CCRA-2014 replaces the old CCRA signed in May 2000 (CCRA-2000).
Certificates based on CCRA-2000, issued before 08 September 2014 are still under
recognition according to the rules of CCRA-2000. For on 08 September 2014
ongoing certification procedures and for Assurance Continuity (maintenance and re-
certification)of old certificates a transition period on the recognition of certificates
according to the rules of CCRA-2000 (i.e. assurance components up to and including
Page 13 of 13
https://oc.ccn.cni.es
Email: certificacion.ccn@cni.es
MINISTERIO
DE LA PRESIDENCIA
Y PARA LAS ADMINISTRACIONES TERRITORIALES
EAL 4 or the assurance family Flaw Remediation (ALC_FLR)) is defined until 08
September 2017.
As of September 2014 the signatories of the new CCRA-2014 are government
representatives from the following nations: Australia, Austria, Canada, Czech
Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy,
Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of
Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States.
The current list of signatory nations and approved certification schemes can be seen
on the website: http://www.commoncriteriaportal.org.
The Common Criteria Recognition Arrangement logo printed on the certificate
indicates that this certification is recognised under the terms of this agreement by the
nations listed above.
The certificate of this TOE is recognized under CCRA for all assurance components
up to EAL2 and ALC_FLR.