ID Motion V1 Security Target ST Applicable on: Page : 1 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto ID Motion V1 Security Target UPDATES Date Author Modification 12 July 12 Gemalto Creating from evaluated ST (V1.7.2) ID Motion V1 Security Target ST Applicable on: Page : 2 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto CONTENT 1. INTRODUCTION ....................................................................................................................................................5 1.1 SECURITY TARGET IDENTIFICATION ....................................................................................................................5 1.2 SECURITY TARGET OVERVIEW ............................................................................................................................5 1.3 TARGET OF EVALUATION DESCRIPTION...............................................................................................................6 1.3.1 Product Description....................................................................................................................................6 1.3.2 Intended Method of Use..............................................................................................................................9 1.3.3 Smartcard Product Life Cycle ....................................................................................................................9 1.3.4 Target of Evaluation Location and Usage................................................................................................10 1.3.5 Supporting Firmware................................................................................................................................10 1.3.6 Supporting Security Infrastructure ...........................................................................................................11 1.3.7 Application Load Units (ALU)..................................................................................................................12 1.3.8 Key Transformation Unit (KTU)...............................................................................................................13 1.3.9 Application Load and Delete Certificates (ALCs & ADCs)......................................................................13 1.3.10 Keys ..........................................................................................................................................................13 1.3.11 MULTOS Initialisation Security Data ......................................................................................................15 1.3.12 MSM Controls Data..................................................................................................................................16 1.3.13 Loading Applications................................................................................................................................17 2. CONFORMANCE CLAIMS.................................................................................................................................19 2.1 COMMON CRITERIA CONFORMANCE CLAIMS ....................................................................................................19 2.2 PROTECTION PROFILE CLAIM AND PACKAGE CLAIM .........................................................................................19 3. SECURITY PROBLEM DEFINITION ...............................................................................................................20 3.1 ASSETS ..............................................................................................................................................................20 3.2 THREATS ...........................................................................................................................................................20 3.2.1 Unauthorised Full or Partial Cloning of the Target of Evaluation..........................................................21 3.2.2 Threats on Phase 1 ...................................................................................................................................21 3.2.3 Threats on Delivery for/from Phase 1 to Phases 4 to 6............................................................................22 3.2.4 Threats on Phases 4 to 7...........................................................................................................................22 3.2.5 Threats on Phases 6 to 7...........................................................................................................................23 3.2.6 Threats on Phase 7 ...................................................................................................................................24 3.3 ORGANISATIONAL SECURITY POLICIES..............................................................................................................26 3.4 ASSUMPTIONS....................................................................................................................................................26 3.4.1 Assumptions on the Target of Evaluation Delivery Process (Phases 4 to 7)...........................................26 3.4.2 Assumptions on Phases 4 to 6...................................................................................................................26 3.4.3 Assumption on Phase 7.............................................................................................................................26 3.4.4 Assumption on Loaded-Application Development (Phase A1).................................................................27 3.5 COMPOSITION TASKS.........................................................................................................................................27 3.5.1 Statement of Compatibility – Threats .......................................................................................................27 3.5.2 Statement of Compatibility – OSPs...........................................................................................................29 3.5.3 Statement of Compatibility – Assumptions ...............................................................................................30 3.5.4 Statement of Compatibility – Security Objectives.....................................................................................31 3.5.5 Statement of Compatibility – SFRs ...........................................................................................................33 4. SECURITY OBJECTIVES ...................................................................................................................................34 4.1 SECURITY OBJECTIVES FOR THE TARGET OF EVALUATION................................................................................34 4.1.1 Objectives on Phase 1...............................................................................................................................35 4.1.2 Objectives on the Target of Evaluation Delivery Process (Phases 4 to 7) ...............................................37 4.1.3 Objectives on Delivery from Phase 1 to Phases 4, 5 and 6 ......................................................................37 4.1.4 Objectives on Phases 4 to 6......................................................................................................................38 4.1.5 Objectives on Phase 7...............................................................................................................................38 4.1.6 Objectives on Loaded-Application Development and Loading (Phases A1 and A2)................................38 5. EXTENDED COMPONENTS DEFINITION .....................................................................................................39 6. SECURITY REQUIREMENTS............................................................................................................................40 ID Motion V1 Security Target ST Applicable on: Page : 3 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.1 SUPPORTING SECURITY INFRASTRUCTURE ........................................................................................................40 6.2 SECURITY FUNCTIONAL REQUIREMENTS (SFRS)...............................................................................................41 6.2.1 Security Audit Automatic Response (FAU_ARP)......................................................................................41 6.2.1.1 FAU_ARP.1 Security alarms..................................................................................................................................41 6.2.2 Security audit analysis (FAU_SAA)..........................................................................................................41 6.2.2.1 Potential violation analysis.....................................................................................................................................41 6.2.3 Cryptographic key management (FCS_CKM)..........................................................................................42 6.2.3.1 FCS_CKM.3 Cryptographic key access .................................................................................................................42 6.2.3.2 FCS_CKM.4 Cryptographic key destruction..........................................................................................................42 6.2.4 FCS_COP Cryptographic operations.......................................................................................................42 6.2.4.1 FCS_COP.1 Cryptographic operations...................................................................................................................42 6.2.5 Access control policy FDP_ACC..............................................................................................................42 6.2.5.1 FDP_ACC.2 Complete access control....................................................................................................................42 6.2.6 Access control functions FDP_ACF.........................................................................................................43 6.2.6.1 FDP_ACF.1 Security attribute based access control ..............................................................................................43 6.2.7 Data authentication FDP_DAU ...............................................................................................................44 6.2.7.1 FDP_DAU.1 Basic data authentication ..................................................................................................................44 6.2.8 Import from outside TSF control FDP_ITC .............................................................................................44 6.2.8.1 FDP_ITC.1 Import of user data without security attributes....................................................................................44 6.2.9 Residual information protection FDP_RIP ..............................................................................................44 6.2.9.1 FDP_RIP.1 Subset residual information protection................................................................................................44 6.2.10 Rollback (FDP_ROL) ...............................................................................................................................44 6.2.10.1 FDP_ROL.1 Basic rollback................................................................................................................................44 6.2.11 Stored data integrity (FDP_SDI)..............................................................................................................45 6.2.11.1 FDP_SDI.2 Stored data integrity monitoring and action....................................................................................45 6.2.12 Authentication failures (FIA_AFL)...........................................................................................................45 6.2.12.1 FIA_AFL.1 Authentication failure handling ......................................................................................................45 6.2.13 User attribute definition (FIA_ATD) ........................................................................................................45 6.2.13.1 FIA_ATD.1 User attribute definition .................................................................................................................45 6.2.14 User Authentication (FIA_UAU)..............................................................................................................45 6.2.14.1 FIA_UAU.1 Timing of authentication ...............................................................................................................45 6.2.14.2 FIA_UAU.4 Single-use Authentication Mechanisms.........................................................................................45 6.2.15 User identification (FIA_UID) .................................................................................................................46 6.2.15.1 FIA_UID.1 Timing of identification ..................................................................................................................46 6.2.16 User-subject Binding (FIA_USB) .............................................................................................................46 6.2.16.1 FIA_USB.1 User-subject binding.......................................................................................................................46 6.2.17 Management of function in the TSF (FMT_MOF) ...................................................................................46 6.2.17.1 FMT_MOF.1 Management of security functions behaviour..............................................................................46 6.2.18 Management of security attributes (FMT_MSA) ......................................................................................46 6.2.18.1 FMT_MSA.1 Management of security attributes...............................................................................................46 6.2.18.2 FMT_MSA.2 Secure security attributes.............................................................................................................47 6.2.18.3 FMT_MSA.3 Static attribute initialisation.........................................................................................................47 6.2.19 Management of TSF data (FMT_MTD)....................................................................................................47 6.2.19.1 FMT_MTD.1 Management of TSF data ............................................................................................................47 6.2.19.2 FMT_MTD.2 Management of limits on TSF data .............................................................................................47 6.2.20 Security management roles (FMT_SMR)..................................................................................................47 6.2.20.1 FMT_SMR.1 Security roles ...............................................................................................................................47 6.2.21 Unobservability (FPR_UNO) ...................................................................................................................47 6.2.21.1 FPR_UNO.1 Unobservability.............................................................................................................................47 6.2.22 Fail secure (FPT_FLS).............................................................................................................................48 6.2.22.1 FPT_FLS.1 Failure with preservation of secure state.........................................................................................48 6.2.23 TSF Physical protection (FPT_PHP).......................................................................................................48 6.2.23.1 FPT_PHP.3 Resistance to physical attack..........................................................................................................48 6.2.24 Trusted recovery (FPT_RCV)...................................................................................................................48 6.2.24.1 FPT_RCV.4 Function recovery..........................................................................................................................48 6.2.25 Inter-TSF TSF data consistency (FPT_TDC)...........................................................................................49 6.2.25.1 FPT_TDC.1 Inter-TSF basic TSF data consistency ...........................................................................................49 6.2.26 TSF self test (FPT_TST) ...........................................................................................................................49 6.2.26.1 FPT_TST.1 TSF Testing ....................................................................................................................................49 6.2.27 Resource allocation (FRU_RSA)..............................................................................................................49 ID Motion V1 Security Target ST Applicable on: Page : 4 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.2.27.1 FRU_RSA.1 Maximum quotas...........................................................................................................................49 6.3 SECURITY ASSURANCE REQUIREMENTS (SARS) ...............................................................................................50 6.3.1 ALC_DVS.2: Sufficiency of Security Measures ........................................................................................50 6.3.2 AVA_VAN.5: Advanced Methodical Vulnerability Analysis.....................................................................50 6.4 SECURITY FUNCTIONAL REQUIREMENTS DEPENDENCIES ..................................................................................51 7. TARGET OF EVALUATION SUMMARY SPECIFICATION........................................................................53 7.1 SECURITY FUNCTIONALITY ...............................................................................................................................53 7.1.1 Application Load Certificate Control SF (SF1)........................................................................................53 7.1.2 Application Delete Certificate Control SF (SF2) .....................................................................................53 7.1.3 Unprotected/Protected Application Load Unit SF (SF3) .........................................................................53 7.1.4 Confidential Application Load Unit SF (SF4)..........................................................................................54 7.1.5 MSM Controls Data Load Management SF (SF5) ...................................................................................54 7.1.6 Application Execution Management SF (SF6) .........................................................................................55 7.1.7 Critical Data Overwrite SF (SF7) ............................................................................................................56 7.1.8 Reset Protection SF (SF8) ........................................................................................................................57 7.1.9 Integrity Checks SF (SF9).........................................................................................................................57 7.1.10 Start-up Validity Checks and Initialisation SF (SF10).............................................................................57 7.1.11 Tamper Resistant Software Behaviours SF (SF11) ..................................................................................58 7.1.12 Smartcard Authentication SF (SF12) .......................................................................................................59 7.1.13 Mapping between Security Functions and Security Functional Requirements ........................................59 ABBREVIATIONS AND ACRONYMS.......................................................................................................................61 VOCABULARY .............................................................................................................................................................62 REFERENCES ...............................................................................................................................................................62 FIGURES Figure 2: Smartcard IC with Multi-Application Platform Life Cycle....................................................................................................10 Figure 3: MULTOS Infrastructure Context Diagram ............................................................................................................................11 Figure 4: MULTOS Initialisation Security Data Information Flow ......................................................................................................16 Figure 5: MSM Controls Data Information Flow..................................................................................................................................16 Figure 6 : Principal Key and Data Exchanges in Loading MCD Applications......................................................................................17 TABLES Table 1: MULTOS Security Infrastructure Keys ..................................................................................................................................15 Table 2: Relationship between phases and threats.................................................................................................................................25 Table 9: Functional dependencies in Multi-Application environment ..................................................................................................52 Table 11: Mapping between security functions and security functional requirements..........................................................................60 ID Motion V1 Security Target ST Applicable on: Page : 5 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 1. INTRODUCTION 1.1 SECURITY TARGET IDENTIFICATION Security Target Title: ID Motion V1 Security target Security Target Version Number: 1.7.2 Identity of the Target of Evaluation (TOE): The Target of Evaluation is ID Motion V1 platform mask on SLE78 family component. This Multos OS MULTOS V4.3.1 product masked on an Infineon device. Mask on the SLE78CLX1600PM and on SLE78CLX1600P ML3-74: MULTOS M3 masked on the Infineon SLE78CLX1600PM with patch 0122v001 (chip should be SLE78CLX1600PM, SLE78CLX1440PM, SLE78CLX800PM, SLE78CLX480PM, SLE78CLX360PM) ML3-75: MULTOS M3 masked on the Infineon SLE78CLX1600P with patch 0122v001 ((chip should be SLE78CLX1600P, SLE78CLX1440P, SLE78CLX1280P, SLE78CLX800P, SLE78CLX480P, SLE78CLX360P) The specific chips, SLE78CLXxxxPM/M7820 A11 Smartcard Integrated Circuit are identified in the BSI reports BSI-DSZ-CC-0813-2012 There chips will be referred to as SLE78CLXxxxP(M)devices in the remainder of the document. Version of the TOE: Each mask reference is identified by having an ic_type field. G230M mask on SLE78CLX1600PM (ML3-74) is identified by having an ic-type field value is: 0x74 and AMDID field of 0122v001 G230 mask on SLE78CLX1600P (ML3-75) is identified by having an ic-type field value is: 0x75 and AMDID field of 0122v001 The ic_type field is returned as part of the response to the “Get Manufacturer Data” command, and the AMDID is returned as part of the response to the “Get Configuration Data” Command. Common Criteria: Version 3.1, Revision 3, July 2009 1.2 SECURITY TARGET OVERVIEW The integrated circuit card (ICC), or smartcard, is an ideal tool for the delivery of distributed, secure information processing at low cost. However, an application developed for one smartcard is usually not portable to another. Furthermore, many current smartcard operating systems allow only one application per card, meaning end users must carry a multitude of cards, one for each function or service required. Multos International, in its role as a member of the MULTOS Consortium (also known as MAOSCO), is developing an open, high-security multi-application operating system to address the current shortcomings of smartcard operating systems. This operating system is called MULTOS. In order to satisfy the objectives set for it, MULTOS should be able to: Execute an application written for MULTOS - application execution should be independent of the underlying smartcard hardware. Load many applications - applications should be able to co-exist on the smartcard. Ensure that applications are securely loaded and segregated - they should not be able to interfere with each other or with MULTOS. In summary, MULTOS provides a common development and operating platform for smartcard applications. It allows multiple applications to be loaded onto a single smartcard and execute without interfering with or being interfered with by other applications. It also allows applications written for MULTOS to execute on different types of smartcard independent of the underlying smartcard hardware ID Motion V1 Security Target ST Applicable on: Page : 6 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 1.3 TARGET OF EVALUATION DESCRIPTION This part of the Security Target describes the Target of Evaluation as an aid to the understanding of its security requirements and addresses the product type, the intended usage and the general IT features of the TOE. 1.3.1 Product Description MULTOS is an operating system for integrated circuit cards (also known as smartcards). It is designed to allow multiple smartcard applications to be securely loaded and executed on a smartcard. The MULTOS operating system is decomposed into ten (10) modules (equivalent to the term “subsystems” used by Common Criteria). The following diagram shows these using a layered model, with the MULTOS operating system modules shaded. Each layer requests services from lower layers and provides services to higher layers. Each module is designed to encapsulate and hide the data that it owns. Beside the TOE, the product also contain native applications and native modules used by ICAO application (out of scope of the TOE) • Mel applications and modules ROMed: • MPCOS V3.7 • Pin Server Application (PSA) v1.0 • Etravel EAC v1.4 • IAS Classic v3.5 • Mel applications in EEPROM: • MOCA client v1.0 ID Motion V1 Security Target ST Applicable on: Page : 7 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Figure 1: Layered Structure of MULTOS Software SLE78C(L)XxxxPE(M) Smartcard Controller and RMS RF Lib HW Crypto Libs IO UF CF SS MM CR SD MULTOS API Native Libs AM MULTOS Applications IM CH Initialisation Mode Subsystem MULTOS-Specific Subsystems MULTOS- Independent Subsystems Hardware- Dependent Subsystems MULTOS Codelets Inside TOE & Covered by IC evaluation TOE ID Motion V1 Security Target ST Applicable on: Page : 8 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto The hardware-dependent subsystems consist of the following. • RF Lib : RF Library • HW: Hardware Services subsystem • Crypto Libs: Cryptographic Libraries The MULTOS-independent subsystems consist of the following • SS: Startup Shutdown subsystem • IO: I/O Communications subsystem • CF: Cryptographic Functions subsystem • UF: Utility Functions subsystem The Initialisation Mode subsystem consists of the following. • IM: Initialisation Mode subsystem The MULTOS-specific subsystems consist of the following • CR: Command Router subsystem • CH: Command Handlers subsystem • MM: Application Memory Manager subsystem • SD: System Data subsystem • MULTOS API: MULTOS API subsystem • Native Libs: Native Libraries • AM: Application Abstract Machine subsystem The user of the smartcard accesses the applications loaded on the MULTOS operating system via an Interface Device (IFD), which could be a Point-of-Sale terminal, Automatic Teller Machine, or some other device which supports ISO 7816 smartcard protocols. Communications across the IFD-MULTOS interface comprise a message transmitted by the smartcard when it is reset (the Answer-to-Reset or ATR message), followed by command-response pairs, where a command is a message from the IFD to MULTOS and a response is a message from MULTOS to the IFD. By means of these command-response pairs, MULTOS allows: a) Applications to be loaded onto and deleted from the smartcard. b) An IFD to access data and applications which are loaded on the card. c) Information specific to the card to be retrieved by an IFD. MULTOS is a single-threaded operating system. Only one application can be executing at any given time. MULTOS does not provide mechanisms for concurrency or multi-tasking. Following power-on of the smartcard and initialization, the basic execution sequence for MULTOS is as follows: a) Wait for input from the IFD. b) Parse the input. c) If the input is a MULTOS command, process the command and write a response to the IFD. d) Otherwise, execute the currently selected application and write to the IFD any output created by the application. e) Loop back to a). Applications to be loaded on MULTOS-based smartcards are written in a hardware-independent language called MULTOS Executable Language (MEL). MEL applications are interpreted by MULTOS, rather than being compiled and executed directly on the smartcard processor. MULTOS also provides for shared code routines, called Codelets, which can be called by an executing application. Codelets can be loaded into MULTOS during IC manufacture or at smartcard personalization time. A codelet has its own code address space but executes in the context of the calling application, so has access to the application’s data. MULTOS is targeted to operate on the Infineon Technologies SLE78CLXxxxP(M) Smartcard Integrated Circuits (ICs). The IC provides the microprocessor to execute the instructions comprising the executable code of MULTOS. ID Motion V1 Security Target ST Applicable on: Page : 9 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto The Infineon Technologies SLE78CLXxxxP(M) is a dual interface integrated circuit see Hardware reference manual for details [HW-Manual]. 1.3.2 Intended Method of Use MULTOS is intended to provide a hardware-independent environment for the execution of multiple applications that provide a variety of functions and services to the holder of the smartcard. Applications may be developed and supplied by different organizations from different industries, and consequently may provide many different services e.g., financial, communication or access control. The security requirements of different applications may also vary (i.e., some applications may require a high level of security while others may only have a low level or no security requirements). A user of a MULTOS-equipped smartcard will be able to select any of the loaded applications and execute them. The user will access the facilities of the smartcard via an appropriate IFD. MULTOS implements a command interface for handling commands received from the IFD. MULTOS provides a number of system calls (called primitives) which allow the currently executing application to request particular services from MULTOS. MULTOS provides the following features: • MULTOS will ensure all requests to load applications are appropriately authorized. MULTOS will support a capability to ensure the authenticity and integrity of an application when loading the application onto the smartcard. MULTOS will also ensure all requests to delete applications are appropriately authorized. Reasons for wishing to delete applications may be because they are found to contain errors, because an updated application is available, or to make room on the smartcard for a more desirable application. • MULTOS will support a capability to load encrypted applications onto the smartcard, decrypt such applications and make them available to the smartcard user for execution • MULTOS will ensure no application loaded on the smartcard can interfere with the operation of any other loaded application or with MULTOS. MULTOS will also ensure that an application’s code and data will not be available to other applications after it has been deleted. MULTOS will provide the capability to authenticate a card as a valid MULTOS equipped smartcard. • MULTOS will provide the capability to restrict the use of regulated features of the smartcard (e.g., strong cryptography) to authorised applications. • MULTOS defines certain functions (installing keys, loading applications and deleting applications) as sensitive functions. For each of these functions, if the number of failed attempts to execute the function reaches a pre-defined limit over the life of the smartcard, MULTOS will permanently disable the function. In the case of installing keys, this means the card is unusable, as no applications can be loaded until keys have been installed. In the cases of application loading and deleting, other functions of the card remain available. It is assumed that authorised applications which are loaded and executed by MULTOS are responsible for the secure processing of their own information. MULTOS provides an environment for secure loading and execution of smartcard applications. The MULTOS access control policy maintains separate storage and execution space for applications loaded onto an MCD. The application execution management mechanism ensures each application, including its code and data areas, is kept separate from every other application loaded on the MCD. Each application that is restricted to its own code and data space cannot gain access to the code or data of another loaded application. Note that cryptographic primitives are out of scope. 1.3.3 Smartcard Product Life Cycle The Smartcard product life-cycle is decomposed into seven phases, according to the “Smartcard Integrated Circuit Protection Profile”. ID Motion V1 Security Target ST Applicable on: Page : 10 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Silicon Manufacturer IC production manufacturer Silicon Manufacturer or Card Manufacturer Silicon Manufacturer or Card Manufacturer Card Manufacturer End User Figure 2: Smartcard IC with Multi-Application Platform Life Cycle 1.3.4 Target of Evaluation Location and Usage MULTOS will initially be developed in software. Following successful implementation and testing, the MULTOS executable will be masked in Read Only Memory (ROM) and embedded on smartcards. Once the MULTOS chip has been embedded on a target smartcard, interaction with it will be via commands issued to the card from an IFD or service requests (i.e., MULTOS system calls, known as primitives) made by an executing application. 1.3.5 Supporting Firmware MULTOS requires firmware run-time libraries to support writing data to EEPROM. These libraries are supplied by Infineon Technologies. They provide low-level routines to support writing data to EEPROM, which is used on the target smartcard for the storage of applications. MULTOS requires the run-time libraries to execute correctly according to specification, to ensure data is written to the correct address within EEPROM. & Gemalto ID Motion V1 Security Target ST Applicable on: Page : 11 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 1.3.6 Supporting Security Infrastructure It is assumed MULTOS-equipped smartcards and MULTOS applications will be manufactured and distributed within a commercial framework providing a procedural security infrastructure. Figure 3 provides a simplified context diagram of the MULTOS commercial framework and security infrastructure. Figure 3: MULTOS Infrastructure Context Diagram In Figure 3, the box labeled “MSM” includes MAOSCO in addition to the MSM role. In this product version including Gemalto the role of the IC Manufacturer is split. • The founder (Infineon) manufactures the chips and performs limited EEPROM injection including a diversified transport key (used by Initialisation Mode). • Gemalto then performs the final manufacturing step by injecting the iKMA keys and data into the EEPROM. . The following roles and responsibilities are assumed within the infrastructure: a) MULTOS Security Manager (MSM): defines and polices the MULTOS security infrastructure and provides criteria and services necessary for MULTOS participants to operate within the infrastructure. It acts as Certification Authority for the security infrastructure. It is assumed only one MSM exists. The MSM must be trusted by all participants in the infrastructure b) MULTOS Implementor: the organisation that implements a MULTOS version. The MULTOS Implementor is licensed by MAOSCO and provides its MULTOS version to the IC Manufacturer. The MULTOS Implementor requests the MSM to provide MSM Controls Data, although this may be delivered to the MCD Manufacturer or MCD Issuer. c) Integrated Circuit (IC) Manufacturer: manufacturer of silicon from which chips and smartcards are made. It is assumed the IC Manufacturer is trusted to perform its tasks correctly: This includes: ID Motion V1 Security Target ST Applicable on: Page : 12 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto • To perform limited EEPROM injection, • • The injection of diversified transport key (used by Initialisation Mode). d) Gemalto: is included in the new scheme in order to perform the final manufacturing step by injecting the iKMA keys and data into the EEPROM; The initialised ICs are provided to MCD Manufacturers: e) MULTOS Carrier Device (MCD) Manufacturer: responsible for embedding the IC in its plastic carrier and for background printing on the card. The result is an initialised MCD. This operation is assumed not to be security sensitive. The MCD Manufacturer may also receive MSM Controls Data from the MSM and enable the MCDs. Initialised and enabled MCDs are provided to MCD Issuers. f) MCD Issuer: responsible for issuing to users the MCD itself. The MCD Issuer may also enable initialised MCDs, by loading MSM Controls Data received from the MSM onto the MCDs. MCD Issuers retain the ultimate authority over what applications are loaded on their MCDs. MCD Issuers register applications with the MSM, provide information related to the applications and receive application load and delete certificates from the MSM. g) Application Writer: licensed by MAOSCO to produce applications for MULTOS. Supplies applications under contract to Application Issuers. h) Application Issuer: an organisation that wishes to offer an application to MCD Users. The Application Issuer agrees with an MCD Issuer that the application can be loaded onto MCDs belonging to the MCD Issuer. i) Application Provider: the organisation that takes responsibility for an application, by certifying it with the organisation’s public key and encrypting it where necessary. The Application Provider is a role that can be performed by an Application Writer, Application Issuer or MCD Issuer, rather than necessarily, being an organisation in its own right. j) Application Loader: responsible for performing the technical operation of loading applications onto MCDs. The Application Loader enters into an agreement with one or more Application Issuers and MCD Issuers for loading applications supplied by one or more Application Providers. k) MCD User: final user of the MCD. The MSM authorises potential MULTOS platforms (known as MA-cards). To receive MSM authorisation, a platform must comply with criteria covering attributes of the platform itself and the procedures associated with its manufacture. MA-cards are assumed to satisfy the following requirements: a) They are manufactured in a controlled environment conforming to MSM rules. b) They are subject to type approval by the MSM. c) They possess a level of tamper resistance. 1.3.7 Application Load Units (ALU) An Application Load Unit (ALU) is generated by an Application Provider to load applications. An ALU may be uncertified or certified. An uncertified ALU simply contains a clear text copy of the application. A certified ALU contains, in addition to the application, an application signature, which authenticates the application. The Application Provider may also encrypt parts of the application, in which case a Key Transformation Unit is included in the certified ALU. ID Motion V1 Security Target ST Applicable on: Page : 13 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 1.3.8 Key Transformation Unit (KTU) An Application Provider wishing to utilise application confidentiality will generate a Key Transformation Unit (KTU). The KTU contains descriptors for the areas of the application’s code and data that have been encrypted. Each descriptor contains the start address of the protected area, the length of the protected area, an indicator of the algorithm used and the key used to encrypt the contents of the area. The descriptors and some header information (including application identifier and target MCD number) are then encrypted, using the target MCD’s public transport key, and included in the KTU. 1.3.9 Application Load and Delete Certificates (ALCs & ADCs) Application Load Certificates (ALCs) and Application Delete Certificates (ADCs) are generated by the MSM to respectively load and delete an application on to and from an MCD. Each ALC contains the unique Application ID of the application for which it is created. Each ALC refers to a particular domain, which defines the set of MCDs that the application may be loaded on to and deleted from. The domain is defined by a set of load permissions and may be: a) A specific MCD. b) A subset of the cards issued by an MCD Issuer. c) All cards issued by an MCD Issuer. d) Limited to a subset of cards enabled on specific dates. e) A combination of the above. An ALC contains load controls that define exactly what load operations are allowed. The load controls specify: a) If application certification has been used. b) If application confidentiality has been used. c) If reloading a deleted application is permitted. The ALC also contains feature permissions, which define what regulated features the application may use. For the initial version of MULTOS, the only regulated features are strong cryptography functions. The ADC for an application is created at the same time as the ALC. It contains the same unique Application ID and the same set of load permissions as the corresponding ALC. 1.3.10 Keys The following table lists each of the various cryptographic keys required to support the MULTOS security infrastructure. Each key is identified by a name. The key type (symmetric or asymmetric) and its role within the MULTOS security infrastructure are also listed. Asymmetric keys have two components: a secret key and a public key. In the following table, secret components of asymmetric keys are identified by a “_sk” suffix, while public components are identified by the suffix “_pk”. Key Name Type Role kck kck_sk asymmetric Global Key Certification Key Held securely by MSM ; used by MSM to certify ADCs and ALCs (and indirectly through these, Application Provider public keys (ack_pk)) Held in EEPROM of every MCD ; used by MULTOS to verify ALCs, ADCs and ID Motion V1 Security Target ST Applicable on: Page : 14 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Key Name Type Role kck_pk Application Provider public keys. ack ack_sk ack_pk asymmetric Application Provider’s asymmetric key; generated by Application Provider Held by Application Provider; used by Application Provider to sign application certificate. Provided to MCD Issuer, who gets it certified by the MSM when ALCs and ADCs are requested. tkck tkck_sk tkck_pk asymmetric Transport Key Certification Key Held securely by MSM; used by MSM to certify MCD-specific public transport keys (mkd_pk). Held by MSM; copy provided to Application Providers; used by Application Providers to verify and retrieve certified MCD-specific public transport keys (mkd_pk_c). tkv symmetric MCD-specific transport key; generated by MSM; stored in non-volatile memory of target MCD; used by MSM to encrypt MCD-specific MSM Controls Data and also by MULTOS to decrypt the MSM Controls Data. mkd mkd_sk mkd_pk mkd_pk_c asymmetric MCD-specific asymmetric transport key. Held in non-volatile memory of target MCD; used by MULTOS to decrypt KTU. Held by MSM; stored in non-volatile memory of target MCD; copy provided to Application Providers; used by Application Providers to encrypt KTU for target MCD. mkd_pk, certified by MSM using tkck_sk to indicate it’s authenticity. By decrypting this with tkck_pk the mkd_pk can be recovered for use. tkf symmetric Fixed part of MCD-specific transport key; generated by MSM; stored in non- volatile memory of MCD; used by MSM, MCD Issuer and Application Loader to check authenticity of target MCD; tkf is fixed for all MCDs. misa_mk symmetric MISA Master Key; generated by MSM; used by MSM to generate misa_bk. misa_bk symmetric MISA Base Key (each key value is unique to a given MISA). Used by MISA and MSM to determine tkv for a specific MCD. hm asymmetric While not strictly a key as such, this RSA public key is used as an input the MULTOS proprietary Asymmetric Hash algorithm which is based on RSA. This is used during the verification of ALC/ADCs, msm controls and application signatures. ID Motion V1 Security Target ST Applicable on: Page : 15 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Table 1: MULTOS Security Infrastructure Keys The critical keys, which are managed by the MSM and support the MULTOS security infrastructure, are: a) Global Key Certification Key (GKCK) (identified above as kck). b) Transport Key Certification Key (TKCK) (identified above as tkck). The GKCK supports the authentication of MULTOS applications and the authorisation of requests by MCD Issuers to load and delete applications. The secret GKCK (kck_sk) is held securely by the MSM and is used to sign ALCs and ADCs. ALCs and ADCs contain the Application Provider’s public key (ack_pk), so signing the ALC/ADC also certifies ack_pk for use with MCDs. The public GKCK (kck_pk) is installed in the ROM Mask of each instance of MULTOS (i.e., it is available on every MCD). The TKCK supports the provision of application confidentiality and MCD authentication. An asymmetric transport key is created for each MCD (this is mkd). The public part of mkd (mkd_pk) is certified by the MSM using the secret part of the TKCK (tkck_sk). Application Providers wishing to utilise application confidentiality when loading applications onto an MCD obtain from the MCD Issuer the public part of mkd, certified by the MSM (i.e., mkd_pk_c). The Application Provider uses the public part of the TKCK (tkck_pk) to authenticate mkd_pk and uses mkd_pk to encrypt the KTU for the target MCD. 1.3.11 MULTOS Initialisation Security Data MULTOS Initialisation Security Data is generated by the MSM and supplied to Gemalto for incorporation into MULTOS. MULTOS Initialisation Security Data comprises two elements: a) The public GKCK (kck_pk) and Hash Modulus (hm), which is included in MULTOS EEPROM. b) Security data, which is injected into non-volatile memory. The MULTOS security data is injected into non-volatile memory during MULTOS initialisation. This is performed using a device called a MULTOS Injection Security Application (MISA). The MSM constructs data for each MISA, including a unique MISA identifier. The MISA then constructs the data to be injected into the MCD. The MULTOS security data includes: a) A unique identifier based on the MISA identifier and ICC serial number. b) MCD-specific symmetric transport keys (tkf and tkv), which are used in loading the MCD-specific asymmetric transport key (mkd) as a component of the MSM Controls Data. c) Initialisation date, indicating when the security data was injected into the MCD. d) A security flag indicating MSM Controls Data has not been loaded. Figure 4 depicts the information flow from the MSM to the Gemalto. MSM kck_sk tkck_sk,tkck_pk mkd_pk, tkf, tkv Gemalto kck_pk, tkf,tkv, unique MSD identifier (mcd_id), initialisation date, security flag ID Motion V1 Security Target ST Applicable on: Page : 16 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Figure 4: MULTOS Initialisation Security Data Information Flow 1.3.12 MSM Controls Data The MCD must be loaded with its permissions and asymmetric transport key set (i.e., mkd) before application loading can be supported. The transport key (comprising the private key, and certified public key) and permissions are provided by the MSM to the MCD Manufacturer or MCD Issuer in MSM Controls Data. This data also includes the MCD’s unique identifier and is protected by the MCD-specific symmetric transport key (tkv). Once the transport keys have been generated and encrypted, MSM destroys the copy of mkd_sk it generated, in order to ensure the confidentiality of this key. Figure 5 depicts the information flow from the MSM to the MCD Manufacturer or MCD Issuer. Figure 5: MSM Controls Data Information Flow ID Motion V1 Security Target ST Applicable on: Page : 17 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 1.3.13 Loading Applications The principal key and data exchanges involved in loading applications onto MCDs are depicted in Figure 5. Figure 6 : Principal Key and Data Exchanges in Loading MCD Applications The Application Provider provides its public key (ack_pk) and details of the application to be loaded to the MCD Issuer. The MCD Issuer forwards ack_pk and the application details to the MSM. The MSM creates an ALC, which contains the application details in the Key Header. ID Motion V1 Security Target ST Applicable on: Page : 18 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto MSM creates the Key Certificate over the information in the Key Header, concatenated with ack_pk, and signs it with the secret GKCK (kck_sk). The MSM provides the ALC to the MCD Issuer. If the Application Provider has requested use of application confidentiality, the MSM also provides the MCD Issuer with the target MCD’s certified public transport key (mkd_pk_c) and the public TKCK (tkck_pk). The MSM Issuer provides mkd_pk_c and tkck_pk to the Application Provider and the ALC to the Application Loader. The Application Provider creates an ALU for the application to be loaded onto the MCD. The ALU comprises the following components: a) Application unit, containing the application’s code and data. b) application signature (optional). c) KTU (optional). If the Application Provider requires application authentication, it includes an application signature in the ALU. The application signature is created over the application unit and signed with the Application Provider’s secret key (ack_sk). If the Application Provider requires application confidentiality, it includes a KTU. The KTU is signed using the target MCD’s public key (mkd_pk), retrieved from mkd_pk_c using tkck_pk. The Application Provider provides the ALU to the Application Loader. The Application Loader loads the ALU on the target MCD, using the ALC to demonstrate the load has been authorised by the MSM. ID Motion V1 Security Target ST Applicable on: Page : 19 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 2. CONFORMANCE CLAIMS This section describes how the ST claims conformance with Common Criteria for Information Technology Security Evaluation v3.1, revision 3. 2.1 COMMON CRITERIA CONFORMANCE CLAIMS This ST has been built with Common Criteria for Information Technology Security Evaluation, Version 3.1, revision 3, as the following: • Part 2 conformant. • Part 3 conformant with EAL5 level augmented. The EAL5 level from CC Part 3 is augmented with the assurance components ALC_DVS.2 and AVA_VAN.5. 2.2 PROTECTION PROFILE CLAIM AND PACKAGE CLAIM This ST is based on PP/0010 Version 2.0, Issue November 2000, registered at the French Certification Body. Please note that the PP/0010 is upwardly compatible with the PP/9806 and PP/9911. Therefore, this ST is also based on Smartcard IC Protection Profile PP/9806, Version 2.0, Issue September 1998 and Smartcard IC with Embedded Software Protection Profile PP/9911, Version 2.0, Issue June 1999. Note: Items which are common to PP/9806 and PP/0010 are indicated by a “*” in this Security Target. ID Motion V1 Security Target ST Applicable on: Page : 20 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3. SECURITY PROBLEM DEFINITION This section describes the security problem to be addressed by the TOE and the operational environment in which the TOE is intended to be used. It provides a description of the assets to be protected, the threats, the organisational security policies and the assumptions about the operational environment of the TOE. 3.1 ASSETS Assets are security relevant elements of the TOE that include: Assets linked to the IC with Multi-Application Secure Platform itself: • The IC specifications, design, development tools. • The IC Dedicated software. • The integrity of the Multi-Application Platform Software. • Multi-Application Platform specifications, implementation, test programs and related documentation. • The confidential TSF data (tkf, tkv and mkd_sk). Assets are also linked to Loaded-Applications on the platform: • Application provider User Data: − Loaded-Application software loaded on the platform . − Confidential Loaded-Application SF data. (Encrypted SF data for the eventual Loaded Application Security Functions). • The TOE resources: − Card resources: memory space and computation power made available to a Loaded-Application and its security functions. Assets are also linked to end user, card holder and application provider: • End User Data for users of Native Applications. • End User Data for users of Loaded Applications. NOTE: even if the PP scope does not include the applications, the TOE must provide security mechanisms such that Loaded Applications can protect the End User data when required. Assets have to be protected in terms of confidentiality, authenticity and control of their origin. 3.2 THREATS The TOE and its operational environment as defined in chapter 2 are required to counter the threats described hereafter. A threat agent (an attacker) wishes to abuse the assets either by functional attacks or by environmental manipulation, by specific hardware manipulation, by a combination of hardware and software manipulations or by any other type of attacks. Threats have to be split in: • Threats against which specific protection within the TOE is required (class I). • Threats against which specific protection within the environment is required (class II). ID Motion V1 Security Target ST Applicable on: Page : 21 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3.2.1 Unauthorised Full or Partial Cloning of the Target of Evaluation T.CLON* Functional cloning by attackers of the TOE (full or partial) appears to be relevant to all phases of the TOE life-cycle, from phase 1 to phase 7, but only phases 1 and 4 to 7 are considered here, since functional cloning in phases 2 and 3 are purely in the scope of Smartcard IC PP. Generally, this threat is derived from specific threats by attackers, addressing User Data and potentially TSF data, combining unauthorised disclosure, modification or theft of assets at different phases. 3.2.2 Threats on Phase 1 Common Criteria v3 does not require threats for the development environment so these threats (and any references to them) should be ignored for this version of Common Criteria. Instead, Common Criteria v3 requires that the development environment is evaluated in the ALC assurance class of the evaluation. During phase 1, three types of threats by attackers have to be considered: a) Threats on the Smartcard Embedded Software (ES) and its development environment, such as unauthorised disclosure, modification or theft of the Smartcard Embedded Software and/or initialisation data. b) Threats on the assets transmitted from the IC designer to the Smartcard software developer during the Smartcard ES development. c) Threats on the Smartcard Embedded Software and initialisation data transmitted during the delivery process from the Smartcard software developer to the IC designer. Unauthorised disclosure of assets This type of threat covers unauthorised disclosure of assets by attackers who may possess a wide range of technical skills, resources and motivation. Such attackers may also have technical awareness of the product. T.DIS_INFO* (type b) An attacker may cause unauthorised disclosure of the assets delivered by the IC designer to the Smartcard Embedded Software developer, such as sensitive information on IC specification, design and technology, software and tools if applicable. T.DIS_DEL* (type c) An attacker may cause unauthorised disclosure of the Asset Smartcard Embedded Software and any additional application data (such as IC pre-personalisation requirements) during the delivery to the IC designer. NOTE application data means TSF data. T.DIS_ES1 (type a) An attacker may cause unauthorised disclosure of ES (technical or detailed specifications, implementation code) and/or TSF data (such as secrets, or control parameters for protection system, specification and implementation for security mechanisms). T.DIS_TEST_ES (type a and c) An attacker may cause unauthorised disclosure of the Smartcard ES test programs or any related information. Theft or unauthorised use of assets Potential attackers may gain access to the TOE and perform operations for which they are not authorised. For example, such an attacker may personalise, modify or influence the product in order to gain access to the Smartcard application system. T.T_DEL* (type c) An attacker may target theft of the Smartcard Embedded Software and any additional application data (such as pre-personalisation requirements) during the delivery process to the IC designer. ID Motion V1 Security Target ST Applicable on: Page : 22 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto NOTE application data means TSF data. T.T_TOOLS (type a and b) An attacker may target theft or unauthorised use of the Smartcard ES development tools (such as PC, development software, databases). T.T_SAMPLE2 (type a) An attacker may target theft or unauthorised use of TOE samples (e.g. bond-out chips with the Embedded Software). Unauthorised modification of assets The TOE may be subjected by attackers to different types of logical or physical attacks, which may compromise security. Due to the intended usage of the TOE (the TOE environment may be hostile), the TOE security may be bypassed or compromised reducing the integrity of the TOE security mechanisms and disabling their ability to manage the TOE security. This type of threats includes the implementation of malicious Trojan horses. T_MOD_DEL* (type c) An attacker may cause unauthorised modification of the Smartcard Embedded Software and any additional application data (such as IC pre-personalisation requirements) during the delivery process to the IC designer. Note: Application data means TSF data. T.MOD (type a) An attacker may cause unauthorised modification of ES and/or TSF data or any related information (technical specifications). 3.2.3 Threats on Delivery for/from Phase 1 to Phases 4 to 6 Threats by attackers on data transmitted during the delivery process from the Smartcard developer to the IC packaging manufacturer, the Finishing process manufacturer or the Personaliser. These threats are described hereafter: T.DIS_DEL1 An attacker may cause unauthorised disclosure of and ES personalisation Data during delivery to the IC Packaging manufacturer, the Finishing process manufacturer or the Personaliser. T.DIS_DEL2 An attacker may cause unauthorised disclosure of ES personalisation Data delivered to the IC Packaging manufacturer, the Finishing process manufacturer or the Personaliser T.MOD_DEL1 An attacker may cause unauthorised modification of ES personalisation Data during delivery to the IC Packaging manufacturer, the Finishing process manufacturer or the Personaliser. T.MOD_DEL2 An attacker may cause unauthorised modification of and ES personalization Data delivered to the IC Packaging manufacturer, the Finishing process manufacturer or the Personaliser. 3.2.4 Threats on Phases 4 to 7 During these phases, the assumed threats could be described in four types: • Unauthorized disclosure of assets. • Theft or unauthorised use of assets. • UnauthorisedUnauthorized modification of assets. • Threats on Loaded-Applications. ID Motion V1 Security Target ST Applicable on: Page : 23 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Unauthorised disclosure of assets This type of threat covers unauthorised disclosure of assets by attackers who may possess a wide range of technical skills, resources and motivation. Such attackers may also have technical awareness of the product. T. DIS_ES2 An attacker may cause unauthorised disclosure of ES, Native-Application, and Loaded-Application TSF Data (such as data protection system, memory partitioning, cryptographic programs and keys). Theft or unauthorised use of assets Potential attackers may gain access to the TOE and perform operation for which they are not allowed. For example, such attackers may personalize the product in an unauthorised manner, or try to gain fraudulently access to the Smartcard system. T.T_ES An attacker may cause unauthorised use of TOE. (e.g. bond out chips with embedded software). T.T_CMD An attacker may cause unauthorised use of instructions or commands or sequence of commands sent to the TOE. Unauthorised modification of assets The TOE may be subjected by attackers to different types of logical or physical attacks, which may compromise security. Due to the intended usage of the TOE (the TOE environment may be hostile), the TOE security parts may be bypassed or compromised reducing the integrity of the TOE security mechanisms and disabling their ability to manage the TOE security. This type of threat includes the implementation of malicious Trojan horses, Trapdoors, downloading of viruses or unauthorised programs. T.MOD_TSF An attacker may cause unauthorised modification or destruction of TOE Security Function Data. (By any mean including probing, electronic perturbation etc.) T.MOD_LOAD An attacker may cause unauthorised loading of Native Applications. This includes also illegal modification of eventual Native Applications. As the TOE described in a Security Target claiming this PP must include eventual Native Applications, their loading or modification must be blocked during the usage phase. The threat includes bypassing this blocking. T.MOD_EXE An attacker may cause unauthorised execution of Platform or application software. T.MOD_SHARE An attacker may cause unauthorised modification of Platform or application behavior by interaction of different programs. T.MOD_SOFT* An attacker may cause unauthorised modification of Smartcard Embedded Software and data. 3.2.5 Threats on Phases 6 to 7 Threats on assets linked to Loaded-Applications These threats by attackers are specific to the Multi-Application Platform. They are centered on threats by attackers to loading/unloading of Loaded-Applications and to threats using a Loaded-Application to attack another. T.LOAD_MAN ID Motion V1 Security Target ST Applicable on: Page : 24 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Attackers loading an application on the platform bypassing the Administrator. This threat could lead to undue usage of card resources, and for unverified application to attack on other Loaded-Application TSF or User data. T.LOAD_APP Attackers loading an application that purports to be another Loaded-Application. This attacks card resources and end user data. T.LOAD_OTHER Attackers loading the software representation of a Loaded-Application intended for a specific platform domain onto other platform domains, thus taking from the Loaded-Application representation the security feature of being confined to a specific domain. This is an attack on Loaded-Application User Data. T.LOAD_MOD Attackers intercepting application load units and altering code or data without the permission of the Loaded- Application Provider. This attacks application provider user data. T.APP_DISC Attackers intercepting application load units and gaining access to confidential code or data. This is an attack on application provider user data’s confidentiality and knowledge. T.APP_CORR Attackers loading an application that partially or completely overwrites other Loaded-Applications, either corrupting or gaining access to code or data. This is an attack on Application Provider user data. T.APP_REMOVE Attackers removing a Loaded -Application without the involvement of the Administrator. This is an attack on Application Provider user data. T.ERR_REMOVE Attackers removing a Loaded-Application leaving confidential data and/or code in memory which can be examined This is an attack on Application Provider user data. T.DEL_REMOVE Attackers removing a Loaded-Application at the same time deleting part or all of another Loaded-Application. This is an attack on Application Provider user data. T.APP_READ Attackers using a loaded application to read confidential data or code belonging to another Loaded- Application. This attacks the confidentiality of User Data. T.APP_MOD Attackers using a Loaded-Application to modify data or code belonging to another Loaded-Application without its authorisation. This is an attack on Application Provider user data (and also End User data). T.RESOURCES Attackers targeting total or partial destruction of card resources delivered by the platform. NOTE: T.APP_DISC is also present during phase A1. 3.2.6 Threats on Phase 7 Unauthorised disclosure of assets T.DIS_DATA Attackers may cause unauthorised disclosure of User (application provider and end user) data and TSF data. Unauthorised modification of assets ID Motion V1 Security Target ST Applicable on: Page : 25 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto T.MOD_DATA Attackers may cause unauthorised modification or destruction of User (application provider and end user) Data and TSF data. Table 2 given below indicates the relationship between the phases of the Smartcard life cycle, the threats and the type of the threats: Threats Phase 1 Phase A1 Phase 4 Phase 5 Phase 6 Phase 7 T.CLON* Class II Class I Class I Class I Class I T.DIS_INFO* Class II T.DIS_DEL* Class II T.DIS_DEL1 Class II Class II Class II Class II T.DIS_DEL2 Class II Class II Class II T.DIS_ES1 Class II T.DIS_TEST_ES Class II T.DIS_ES2 Class I Class I Class I Class I T.T_DEL* Class II T.T_TOOLS Class II T.T_SAMPLE2 Class II T.T_ES Class I Class I Class I Class I T.T_CMD Class I Class I Class I Class I T.MOD_DEL* Class II T.MOD_DEL1 Class II Class II Class II Class II T.MOD_DEL2 Class II Class II Class II T.MOD Class II T.MOD_TSF Class I Class I Class I Class I T.MOD_SOFT* Class I Class I Class I Class I T.MOD_LOAD Class I Class I Class I Class I T.MOD_EXE Class I Class I Class I Class I T.MOD_SHARE Class I Class I Class I Class I T.DIS_DATA Class I T.MOD_DATA Class I T.LOAD_MAN Class I Class I T.LOAD_APP Class I Class I T.LOAD_OTHER Class I Class I T.LOAD_MOD Class I/II Class I/II T.APP_DISC Class II Class I/II Class I/II T.APP_CORR Class I Class I T.APP_REMOVE Class I Class I T.ERR_REMOVE Class I Class I T.DEL_REMOVE Class I Class I T.APP_READ Class I Class I T.APP_MOD Class I Class I T.RESOURCES Class I Class I Table 2: Relationship between phases and threats ID Motion V1 Security Target ST Applicable on: Page : 26 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Note: Phases 2 and 3 are covered in the scope of Smartcard IC PP. 3.3 ORGANISATIONAL SECURITY POLICIES OSP.CIPHER The TOE must contribute and provide cryptographic functions are required to actually protect the exchanged information. These cryptographic algorithms need to be consistent with cryptographic usage policies and standards. Remark that even if the TOE shall provide access to the appropriate TSFs, it is still the responsibility of the applets to use them. OSP.CONF-ALU The confidential ALU includes a KTU (key transformation unit) used to encrypt sensitive sections of the ALU (or the entire ALU). KTU itself is encrypted off-card using the card’s public asymmetric transport key (MKD-PK). MULTOS decrypts it using its private asymmetric transport key (MKD-SK). 3.4 ASSUMPTIONS Security always concerns the whole operational environment of the TOE. The weakest element of the chain determines the total system security. Assumptions described hereafter must be considered for a secure system using Smartcard products. 3.4.1 Assumptions on the Target of Evaluation Delivery Process (Phases 4 to 7) Procedures shall guarantee the control of the TOE delivery and storage process and conformance to its objectives as described in the following assumptions: A.DLV_PROTECT* Procedures shall ensure protection of TOE material/information under delivery and storage. A.DLV_AUDIT* Procedures shall ensure that corrective actions are taken in case of improper operation in the delivery process and storage. A.DLV_RESP* Procedures shall ensure that people dealing with the procedure for delivery have got the required skill. 3.4.2 Assumptions on Phases 4 to 6 A.USE_TEST* It is assumed that appropriate functionality testing of the TOE is used in phases 4, 5 and 6. A.USE_PROD* It is assumed that security procedures are used during all manufacturing and test operations through phases 4, 5, 6 to maintain confidentiality and integrity of the TOE and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft or unauthorised use). 3.4.3 Assumption on Phase 7 A.USE_DIAG* It is assumed that secure communication protocols and procedures are used between Smartcard and terminal. ID Motion V1 Security Target ST Applicable on: Page : 27 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3.4.4 Assumption on Loaded-Application Development (Phase A1) A.APPLI_CONT Whenever a Loaded-Application is to be loaded on the platform, it is assumed that its development and production follow the Administrator Guidance. 3.5 COMPOSITION TASKS 3.5.1 Statement of Compatibility – Threats The following table lists the relevant threats of the SLE78CLXxxxPM and Derivates Security Target-lite relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012 provides the link to the threats related to the composite product, showing that there is no contradiction between the two. IC Relevant Threat Label IC Relevant Threat Title IC Relevant Threat Content Link to the composite- product threats T.Phys-Manipulation Physical Manipulation An attacker may physically modify the Security IC in order to(i)modify User Data (ii) modify the Security IC Embedded Software (iii) modify or deactivate security services of the TOE, or (iv) modify security mechanisms of the TOE to enable attacks disclosing or manipulating the User Data or the Security IC Embedded Software. T.DIS_ES2 T.T_CMD T.MOD_TSF T.MOD_EXE T.LOAD_MAN T.LOAD_APP T.APP_CORR T.APP_REMOVE T.ERR_REMOVE T.DEL_REMOVE T.APP_READ T.APP_MOD T.DIS_DATA T.MOD_DATA T.Phys-Probing Physical Probing An attacker may perform physical probing of the TOE in order: (i) to disclose User Data (ii) to disclose/reconstruct the Security IC Embedded Software or (iii) to disclose other critical information about the operation of the TOE to enable attacks disclosing or manipulating the User Data or the Security IC Embedded Software. T.DIS_ES2 T.MOD_TSF T.MOD_SOFT* T.DIS_DATA T.Malfunction Malfunction due to Environmental Stress An attacker may cause a malfunction of TSF or of the Security IC Embedded Software by applying environmental stress in order to (i) modify security services of the TOE or (ii) modify functions of the Security IC Embedded Software (iii) deactivate or affect security mechanisms of the TOE to enable attacks disclosing or manipulating the User Data or the Security IC Embedded Software. This may be achieved by operating the Security IC outside the normal operating conditions. T.DIS_ES2 T.T_CMD T.MOD_TSF T.MOD_EXE T.LOAD_MAN T.LOAD_APP T.APP_CORR T.APP_REMOVE T.ERR_REMOVE T.DEL_REMOVE T.APP_READ T.APP_MOD T.DIS_DATA T.MOD_DATA T.Leak-Inherent Inherent Information Leakage An attacker may exploit information which is leaked from the TOE during usage of the Security IC in order to disclose confidential User Data as part of T.DIS_ES2 T.DIS_DATA ID Motion V1 Security Target ST Applicable on: Page : 28 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto IC Relevant Threat Label IC Relevant Threat Title IC Relevant Threat Content Link to the composite- product threats the assets. No direct contact with the Security IC internals is required here. Leakage may occur through emanations, variations in power consumption, I/O characteristics, clock frequency, or by changes in processing time requirements. T.Leak-Forced Forced Information Leakage An attacker may exploit information which is leaked from the TOE during usage of the Security IC in order to disclose confidential User Data as part of the assets even if the information leakage is not inherent but caused by the attacker. T.DIS_ES2 T.DIS_DATA T.Abuse-Func Abuse of Functionality An attacker may use functions of the TOE which may not be used after TOE Delivery (e.g. test features) in order to: (i) disclose or manipulate User Data (ii) manipulate (explore, bypass, deactivate or change) security services of the TOE or (iii) manipulate (explore, bypass, deactivate or change) functions of the Security IC Embedded Software or (iv) enable an attack disclosing or manipulating the User Data or the Security IC Embedded Software. T.DIS_ES2 T.MOD_SOFT* T.APP_CORR T.APP_REMOVE T.ERR_REMOVE T.DEL_REMOVE T.APP_READ T.APP_MOD T.DIS_DATA T.MOD_DATA Note. Both T.DIS_ES1 and T.CLON* relate to Phase 1 which is before the existence of the IC product and T.RND is irrelevant to the composite product. Therefore, for this evaluation, all three of these threats are considered outside the scope of the TOE. ID Motion V1 Security Target ST Applicable on: Page : 29 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3.5.2 Statement of Compatibility – OSPs The following table lists the relevant OSPs of the SLE78CLXxxxPM and Derivates Security Target-lite relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012 and provides the link to the OSPs related to the composite product, showing that there is no contradiction between the two. IC OSP Label IC OSP Content Link to the composite-product P.Process-TOE Protection during TOE Development and Production: An accurate identification is established for the TOE. This requires that each instantiation of the TOE carries this unique identification. No contradiction with the present evaluation OSPs. Current evaluation has objectives related to delivery to IC manufacturer such as O.DLV_DATA, O.SOFT_DLV* and O.DLV_PROTECT* P.Add-Functions Additional Specific Security Functionality: The TOE shall provide the following specific security functionality to the Security IC Embedded Software: Data Encryptions Standard (DES) Triple Data Encryptions Standard (3DES). No contradiction with the present evaluation. Present evaluation makes use of DES and RSA functions. ID Motion V1 Security Target ST Applicable on: Page : 30 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3.5.3 Statement of Compatibility – Assumptions The following table lists the relevant assumptions of the SLE78CLXxxxPM and Derivates Security Target-lite relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012 and provides the link to the assumptions related to the composite product, showing that there is no contradiction between the two. IC assumption label IC assumption title IC assumption content IrP A CfPA SgPA Link to the composite product A.Process- Sec-IC Protection during Packaging, Finishing and Personalisation It is assumed that security procedures are used after delivery of the TOE by the TOE Manufacturer up to delivery to the end consumer to maintain confidentiality and integrity of the TOE and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft or unauthorized use). This means that the Phases after TOE Delivery are assumed to be protected appropriately. X A.DLV_PROTECT* A.DLV_AUDIT* A.DLV_RESP* A.USE-TEST* A.USE_PROD* A.USE-DIAG* The assumptions are the same. A.Plat-Appl Usage of Hardware Platform The Security IC Embedded Software is designed so that the requirements from the following documents are met: (i) TOE guidance documents (refer to the Common Criteria assurance class AGD) such as the hardware data sheet, and the hardware application notes, and (ii) findings of the TOE evaluation reports relevant for the Security IC Embedded Software as documented in the certification report. X Fulfilled by the composite-SAR ADV_COMP.1 The Smartcard ES is designed so that the requirements are met. A.Resp-Appl Treatment of User Data All User Data are owned by Security IC Embedded Software. Therefore, it must be assumed that security relevant User Data (especially cryptographic keys) are treated by the Security IC Embedded Software as defined for its specific application context. X Assets have to be protected in terms of confidentiality, authenticity and control of their origin. Assets linked to: • IC and MAP specific data • MULTOS Initialisation Security Data • MSM Controls Data • NA TSF data := keys and identification data • Users of Loaded Applications • Loaded Application software • Loaded Application SF data ID Motion V1 Security Target ST Applicable on: Page : 31 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto IC assumption label IC assumption title IC assumption content IrP A CfPA SgPA Link to the composite product The OS owns security relevant User Data. O.DIS_MEMORY* O.MOD_MEMORY* O.LOAD O.REMOVE O.SECURITY O.SEGREGATE A.Key- Function Usage of Key- dependent Functions Key-dependent functions, if any, shall be implemented in the Security IC Embedded Software in a way that they are not susceptible to leakage attacks (as described under BSI.T.Leak-Inherent and BSI.T.Leak-Forced). Note that here the routines that may compromise keys when being executed are part of the Security IC Embedded Software. In contrast to this the threats BSI.T.Leak- Inherent and BSI.T.Leak- Forced address (i) the cryptographic routines which are part of the TOE and (ii) the processing of User Data including cryptographic keys. X O.TAMPER_ES O.SIDE O.DEV_DIS_ES O.INIT_ACS 3.5.4 Statement of Compatibility – Security Objectives The following table lists the relevant security objectives of the SLE78CLXxxxPM and Derivates Security Target-lite relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012 and provides the link to the security objectives related to the composite product, showing that there is no contradiction between the two. IC objective label IC objective title Link to the composite-product O.Phys-Manipulation Protection against Physical Manipulation O.TAMPER_ES O.SIDE O.CLON* O.FLAW* O.DIS_MECHANISM2 O.DIS_MEMORY* O.Phys-Probing Protection against Physical Probing O.TAMPER_ES O.SIDE O.CLON* O.Malfunction Protection against Malfunction due to Environmental Stress O.TAMPER_ES O.SIDE O.Leak-Inherent Protection against Inherent Information Leakage O.MOD_MEMORY* O.SIDE O.Leak-Forced Protection against Forced Information Leakage O.DIS_MEMORY* O.SIDE ID Motion V1 Security Target ST Applicable on: Page : 32 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto IC objective label IC objective title Link to the composite-product O.Abuse-Func Protection against Abuse of Functionality O.TAMPER_ES O.SIDE O.OPERATE* O.DIS_MECHANISM2 O.Identification TOE Identification No contradiction with the present evaluation. O.RND Random Numbers No contradiction with the present evaluation. O.Add-Functions Additional specific security functionality No contradiction with the present evaluation. Present evaluation makes use of DES and RSA functions. OE.Plat-Appl Usage of Hardware Platform The Smartcard ES is designed so that the requirements are met. No contradiction. OE.Resp-Appl Treatment of User Data The OS owns security relevant User Data. O.DIS_MECHANISM2 O.DIS_MEMORY* O.MOD_MEMORY* O. RESOURCE O.LOAD O.SECURITY O.EFFECT_L O.REMOVE O.EFFECT_R O.SEGREGATE OE.Process-TOE Protection during TOE Development and Production No contradiction with the present evaluation. O.DEV_TOOLS* O.DEV_DIS_ES O.SOFT_DLV* O.INIT_ACS O.SAMPLE_ACS O.DLV_PROTECT* O.DLV_AUDIT* O.DLV_RESP* O.DLV_DATA O.TEST_OPERATE* O.USE_DIAG* O.APPLI_DEV OE.Process- Sec-IC Protection during Packaging, Finishing and Personalisation No contradiction with the present evaluation. O.DEV_TOOLS* O.DEV_DIS_ES O.SOFT_DLV* O.INIT_ACS O.SAMPLE_ACS O.DLV_PROTECT* O.DLV_AUDIT* O.DLV_RESP* O.DLV_DATA O.TEST_OPERATE* O.USE_DIAG* O.APPLI_DEV ID Motion V1 Security Target ST Applicable on: Page : 33 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 3.5.5 Statement of Compatibility – SFRs The following table lists the relevant SFRs of the SLE78CLXxxxPM and Derivates Security Target-lite relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012 (and BSI-DSZ-CC-0606- 2010)and provides the link to the SFRs related to the composite product, showing that there is no contradiction between the two. Security Functional Requirement Refined in [PP] Link to the composite-product FRU_FLT.2 “Limited fault tolerance“ Yes No conflict. FPT_FLS.1 “Failure with preservation of secure state” Yes SF6,SF8, SF9, SF11 FMT_LIM.1 “Limited capabilities” No conflict. FMT_LIM.2 “Limited availability” No conflict. FAU_SAS.1 “Audit storage” No conflict. FPT_PHP.3 “Resistance to physical attack” Yes SF11 FDP_ITT.1 “Basic internal transfer protection” Yes No conflict. FDP_IFC.1 “Subset information flow control” No conflict. FPT_ITT.1 “Basic internal TSF data transfer protection” Yes No conflict. FCS_RND.1 “Quality metric for random numbers” No conflict. FPT_TST.2 “Subset TOE security testing“ SF9, SF10 FDP_ACC.1 “Subset access control” SF1, SF2 FDP_ACF.1 “Security attribute based access control” SF1, SF2 FMT_MSA.3 “Static attribute initialisation” SF5 FMT_MSA.1 “Management of security attributes” SF5 FMT_SMF.1 “Specification of Management functions” No conflict. FCS_COP.1 (3DES) “Cryptographic operation” SF4, SF5, FCS_COP.1 (RSA) “Cryptographic operation” SF1, SF2, SF3, SF4 FDP_SDI.1 “Stored data integrity monitoring” SF9 FDP_SDI.2 “Stored data integrity monitoring and action” SF9 ID Motion V1 Security Target ST Applicable on: Page : 34 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 4. SECURITY OBJECTIVES 4.1 SECURITY OBJECTIVES FOR THE TARGET OF EVALUATION The TOE shall achieve the following IT security objectives, and for that purpose, when IC physical security features are used, the specification of those IC physical security features shall be respected. When IC physical security features are not used, the Security Objectives shall be achieved in other ways: O.TAMPER_ES The TOE must prevent tampering with its security critical parts. In particular, the security mechanisms must prevent the unauthorised change of functional parameters, security attributes and secrets such as the life cycle sequence flags and cryptographic keys. O.SIDE The ES must be designed to avoid interpretations of electrical signals from the hardware part of the TOE. O.CLON* The TOE functionality must be protected from cloning. O.OPERATE* The TOE must ensure continued correct operation of its security functions. O.FLAW* The TOE must not contain flaws in design, implementation or operation. O.DIS_MECHANISM2 The TOE shall ensure that the ES security mechanisms are protected against unauthorised disclosure. O.DIS_MEMORY* The TOE shall ensure that sensitive information stored in memories is protected against unauthorised disclosure. NOTE sensitive information means User Data and TSF data. O.MOD_MEMORY* The TOE shall ensure that sensitive information stored in memories is protected against any corruption or unauthorised modification. NOTE sensitive information means User Data and TSF data. The following security objectives are necessary to meet the new threats specific to Multi-Application Platforms. This is why these objectives are new and not present in PP/9911. . O.ROLLBACK The TOE must be in a well-defined valid state before the loading of an application, even in case of failure of the previous loading or removal. A failure must not hinder the resources that the TOE can deliver. A rollback operation can be achieved either through specific commands or automatically. O.RESOURCE The TOE must provide the means of controlling the use of resources by its users and subjects so as to prevent permanent unauthorised denial of service. (For example it must prevent a Loaded-Application from taking control of the whole permanent memory (EEPROM) thus prohibiting other Loaded-Applications from using it). O.LOAD Loaded-Applications are only to be loaded onto a platform with the permission of the administrator. ID Motion V1 Security Target ST Applicable on: Page : 35 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto O.SECURITY The application load process must be able to guarantee, when required, the integrity, confidentiality, and to verify the claimed origin of the Loaded-Application code and data. O.EFFECT_L Loading an application must have no effect on the code and data of existing Loaded-Applications. O.REMOVE Removal of a Loaded-Application and consequent reuse of the Loaded-Application space is only to be performed with the authorisation of the administrator. The space must not hold any information relative to data or code linked to the removed Loaded-Application. O.EFFECT_R Removal of a Loaded-Application must have no effect on the code and data of the remaining independent Loaded-Applications. O.SEGREGATE Loaded-Applications are to be segregated from other Loaded-Applications. A Loaded-Application may not read from or write to another Loaded-Application’s code or data without its authorisation. Detailed information could be found in the MULTOS Architecture Specification - Application Abstract Machine [AAM] TEC-MAO-101-004/v4.3.1 O.CIPHER The TOE shall provide a means to cipher sensitive data for applications in a secure way. In particular, the TOE must support cryptographic algorithms consistent with cryptographic usage policies and standards. Security Objectives for the Operational Environment O.DECIPHER MULTOS CARD decrypts the KTU 4.1.1 Objectives on Phase 1 Note that these objectives for phase 1 are described to maintain compatibility with PP/0010 which is compliant to Common Criteria v2.1. Common Criteria v3 does not require objectives for the development environment so these objectives (and any references to them) should be ignored for this version of Common Criteria. Instead, Common Criteria v3 requires that the development environment is evaluated in the ALC assurance class of the evaluation. O.DEV_TOOLS* The Smartcard ES shall be designed in a secure manner, by using exclusively software development tools (compilers assemblers, linkers, simulators, etc.) and software-hardware integration testing tools (emulators) that will result in the integrity of program and data. O.DEV_DIS_ES The Embedded Software developer shall use established procedures to control storage and usage of the classified development tools and documentation, suitable to maintain the integrity and the confidentiality of the assets of the TOE. It must be ensured that tools are only delivered and accessible to the parties authorised personnel. It must be ensured that confidential information on defined assets is only delivered to the parties’ authorised personnel on a need-to-know basis. O.SOFT_DLV* The Embedded Software must be delivered from the Smartcard software developer (Phase I) to the IC designer through a trusted delivery and verification procedure that shall be able to maintain the integrity of the software and its confidentiality, if applicable. ID Motion V1 Security Target ST Applicable on: Page : 36 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto NOTE: In PP00/10 it will be always considered applicable. O.INIT_ACS Initialisation Data shall be accessible only by authorised personnel (physical, personnel, organisational, technical procedures). O.SAMPLE_ACS Samples used to run tests shall be accessible only by authorised personnel. ID Motion V1 Security Target ST Applicable on: Page : 37 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 4.1.2 Objectives on the Target of Evaluation Delivery Process (Phases 4 to 7) O.DLV_PROTECT* Procedures shall ensure protection of TOE material/information under delivery including the following objectives: • Non-disclosure of any security relevant information. • Identification of the element under delivery. • Meet confidentiality rules (confidentiality level, transmittal form, reception acknowledgement). • Physical protection to prevent external damage. • Secure storage and handling procedures (including rejected TOEs). • Traceability of TOE during delivery including the following parameters: • Origin and shipment details. • Reception, reception acknowledgement. • Location material/information. O.DLV_AUDIT* Procedures shall ensure that corrective actions are taken in case of improper operation in the delivery process (including if applicable any non-conformance to the confidentiality convention) and highlight all non- conformance to this process. O.DLV_RESP* Procedures shall ensure that people (shipping department, carrier, reception department) dealing with the procedure for delivery have got the required skill, training and knowledge to meet the procedure requirements and be able to act fully in accordance with the above expectations. 4.1.3 Objectives on Delivery from Phase 1 to Phases 4, 5 and 6 O.DLV_DATA Native-Application and ES data must be delivered from the Smartcard embedded software developer (phase 1) either to the IC Packaging manufacturer, the Finishing Process manufacturer or the Personaliser through a trusted delivery and verification procedure that shall be able to maintain the integrity and confidentiality of the ES(Note: some application data are not required for embedding and are then delivered directly to phases 4 to 6). ID Motion V1 Security Target ST Applicable on: Page : 38 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 4.1.4 Objectives on Phases 4 to 6 O.TEST_OPERATE* Appropriate functionality testing of the TOE shall be used in phases 4 to 6. During all manufacturing and test operations, security procedures shall be used through phases 4, 5 and 6 to maintain confidentiality and integrity of the TOE and its manufacturing and test data. 4.1.5 Objectives on Phase 7 O.USE_DIAG* Secure communication protocols and procedures shall be used between the Smartcard and the terminal. 4.1.6 Objectives on Loaded-Application Development and Loading (Phases A1 and A2) This Objective is specific to Loaded-Application development in the Smartcard IC with Multi-Application Platform environment. O.APPLI_DEV The Loaded-Application provider must: • Follow the Administrator Guidance and ensure that the applications are compliant with the Security Guidance for Application Developers. Amongst other topics application should ensure that sensitive assets are suitable protected (i.e encrypted) • Provide trusted delivery channel so that the integrity and origin of the Loaded-Application can be verified and that its confidentiality can be maintained. ID Motion V1 Security Target ST Applicable on: Page : 39 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 5. EXTENDED COMPONENTS DEFINITION None. ID Motion V1 Security Target ST Applicable on: Page : 40 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6. SECURITY REQUIREMENTS This chapter describes the security functional requirements for the TOE and the security assurance requirements for the TOE. To define the functional requirements, the supporting security infrastructure of the TOE is identified in the first section. 6.1 SUPPORTING SECURITY INFRASTRUCTURE The following roles and responsibilities are assumed within the MULTOS security infrastructure a) MULTOS Security Manager (MSM): defines and polices the MULTOS security infrastructure and provides criteria and services necessary for MULTOS participants to operate within the infrastructure. It acts as Certification Authority for the security infrastructure. It is assumed only one MSM exists. The MSM must be trusted by all participants in the the infrastructure b) MULTOS Implementor: the organisation that implements a MULTOS version. The MULTOS Implementor is licensed by MAOSCO and provides its MULTOS version to the IC Manufacturer. The MULTOS Implementor requests the MSM to provide MSM Controls Data, although this may be delivered to the MCD Manufacturer or MCD Issuer. c) Integrated Circuit (IC) Manufacturer: manufacturer of silicon from which chips and smartcards are made. It is assumed the IC Manufacturer is trusted to perform its tasks correctly: This includes: • To perform limited EEPROM injection, • The injection of diversified transport key (used by Initialisation Mode). Security keys and data are provided by the MSM. d) Gemalto: is included in the new scheme in order to perform the final manufacturing step by injecting the iKMA keys and data into the EEPROM The initialised ICs are provided to MCD Manufacturers: e) MULTOS Carrier Device (MCD) Manufacturer: responsible for embedding the IC in its plastic carrier and for background printing on the card. The result is an initialised MCD. This operation is assumed not to be security sensitive. The MCD Manufacturer may also receive MSM Controls Data from the MSM and enable the MCDs. Initialised and enabled MCDs are provided to MCD Issuers. c) MCD Issuer: responsible for issuing to users the MCD itself. The MCD Issuer may also enable initialised MCDs, by loading MSM Controls Data received from the MSM onto the MCDs. MCD Issuers retain the ultimate authority over what applications are loaded on their MCDs. MCD Issuers register applications with the MSM, provide information related to the applications and receive application load and delete certificates from the MSM. d) Application Writer: licensed by MAOSCO to produce applications for MULTOS. Supplies applications under contract to Application Issuers. e) Application Issuer: an organisation that wishes to offer an application to MCD Users. The Application Issuer agrees with an MCD Issuer that the application can be loaded onto MCDs belonging to the MCD Issuer. f) Application Provider: the organisation that takes responsibility for an application, by certifying it with the organisation’s public key and encrypting it where necessary. The Application Provider is a role that can be performed by an Application Writer, Application Issuer or MCD Issuer, rather than necessarily, being an organisation in its own right. g) Application Loader: responsible for performing the technical operation of loading applications onto MCDs. The Application Loader enters into an agreement with one or more Application Issuers and MCD Issuers for loading applications supplied by one or more Application Providers. ID Motion V1 Security Target ST Applicable on: Page : 41 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto h) MCD User: final user of the MCD. The MSM authorises potential MULTOS platforms (known as MA-cards). To receive MSM authorisation, a platform must comply with criteria covering attributes of the platform itself and the procedures associated with its manufacture. 6.2 SECURITY FUNCTIONAL REQUIREMENTS (SFRS) This section defines the functional requirements for the TOE using only functional requirement components drawn from the CC part 2. The assignment and selection operations are written in bold style for a better readability. 6.2.1 Security Audit Automatic Response (FAU_ARP) 6.2.1.1 FAU_ARP.1 Security alarms FAU_ARP.1.1 Abend Iteration. The TSF shall take action to cause the MCD to abend and become mute upon detection of a potential security violation. FAU_ARP.1.1 Shutdown Iteration. The TSF shall take action to cause the MCD to enter Shutdown mode upon detection of a potential security violation. 6.2.2 Security audit analysis (FAU_SAA) 6.2.2.1 Potential violation analysis FAU_SAA.1.1 Abend Iteration. The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs. FAU_SAA.1.2 Abend Iteration. The TSF shall enforce the following rules for monitoring audited events: a) Accumulation or combination of: • An apparent corruption of the MSM Controls Data or security data held within the EEPROM of MULTOS. • An unexpected hardware event occurred. • An apparent corruption of an application’s code space held within the Application Pool Block in the EEPROM of MULTOS. • An EEPROM write fails. known to indicate a potential security violation. b) none. FAU_SAA.1.1 Shutdown Iteration. The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP. FAU_SAA.1.2 Shutdown Iteration. The TSF shall enforce the following rules for monitoring audited events: a) Accumulation or combination of: • A critical process is interrupted. • There have been too many failed attempts to load MSM Controls Data. known to indicate a potential security violation. b) none. ID Motion V1 Security Target ST Applicable on: Page : 42 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.2.3 Cryptographic key management (FCS_CKM) 6.2.3.1 FCS_CKM.3 Cryptographic key access FCS_CKM.3.1. The TSF shall perform a read of cryptographic key in accordance with a specified cryptographic key access method, a temporary copy key in RAM that meets the following: none. 6.2.3.2 FCS_CKM.4 Cryptographic key destruction FCS_CKM.4.1. The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method, erasure of a temporary copy key present in RAM that meets the following: none. 6.2.4 FCS_COP Cryptographic operations 6.2.4.1 FCS_COP.1 Cryptographic operations FCS_COP.1.1 Iteration 1. The TSF shall perform digital signature verification in accordance with a specified cryptographic algorithm RSA decryption algorithm and cryptographic key sizes of 1024 bits for modulus and 3 for public exponent that meet the following: ANSI X9.31, PKCS # 1, PKCS#2 and IEEE- P13-63. FCS_COP.1.1 Iteration 2. The TSF shall perform MCD authentication in accordance with a specified cryptographic algorithm asymmetric hash algorithm and cryptographic key sizes of 576 bits for hash modulus and 3 for public exponent that meet the following: none. FCS_COP.1.1 Iteration 3. The TSF shall perform recovering of protected code or data segments of an application and recovering of MSM Controls Data in accordance with a specified cryptographic algorithm DES decryption and cryptographic key sizes of 8 byte (single key) or 16 byte (double key) that meet the following: FIPS-PUB 46-3. Note. For this evaluation single DES is considered outside the scope of the TOE. FCS_COP.1.1/RSA. The TSF shall perform decryption in accordance with a specified cryptographic algorithm RSA and cryptographic key sizes 1024 bits that meet the following: [ISO9796-2]. 6.2.5 Access control policy FDP_ACC 6.2.5.1 FDP_ACC.2 Complete access control FDP_ACC.2.1 Load Application SFP Iteration. The TSF shall enforce the Load Application SFP on MULTOS ES and Application Load Certificate, and all operations among subjects and objects covered by the SFP. FDP_ACC.2.1 Delete Application SFP Iteration. The TSF shall enforce the Delete Application SFP on MULTOS ES and Application Delete Certificate, and all operations among subjects and objects covered by the SFP. FDP_ACC.2.2. The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP. ID Motion V1 Security Target ST Applicable on: Page : 43 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.2.6 Access control functions FDP_ACF 6.2.6.1 FDP_ACF.1 Security attribute based access control FDP_ACF.1.1 Load Application SFP Iteration. The TSF shall enforce the Load Application SFP to objects based on Unique Application Identifier present in the ALC, Unique Application Identifier of loaded-applications, MCD Enabled Flag, Application Load Permissions, MCD Load Permissions, History List. FDP_ACF.1.2 Load Application SFP Iteration. The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed. See the table below. FDP_ACF.1.3 Load Application SFP Iteration. The TSF shall explicitly authorize access of subjects to objects based on the following additional rules. See the table below. FDP_ACF.1.4 Load Application SFP Iteration. The TSF shall explicitly deny access of subjects to objects based on the table below. Security attributes Governing access rules Authorizing access rules Denying access rules Unique Application Identifier present in the ALC and Unique Application Identifier of loaded-applications Verify there is other application currently loaded on this MCD with the same Application Identifier. Establish that there is no other application currently loaded on this MCD with the same Application Identifier. Application load process continues. Establish that there is another application currently loaded on this MCD with the same Application Identifier. Application load process is aborted. MCD enabled flag Verify the MCD is enabled (ie that the MSM Controls Data for this MCD has been installed) Establish that the MCD is enabled (ie that the MSM Controls Data for this MCD has been installed). Application load process continues. Establish that the MCD is not enabled (ie that the MSM Controls Data for this MCD has not been installed). Application load process is aborted. Application Load Permissions and MCD Load Permissions Verify the application load permissions are compatible with the MCD permissions which were installed when the card was enabled Establish that the application load permissions are compatible with the MCD permissions which were installed when the card was enabled. Application load process continues. Establish that the application load permissions are not compatible with the MCD permissions which were installed when the card was enabled. Application load process is aborted. History list Determine if the application is being re-load a second time on to this MCD, and whether that is permitted If the application is being re- load a second time on to this MCD, and that is permitted. Application load process continues. If the application is being re- load a second time on to this MCD, and that is not permitted. Application load process is aborted. FDP_ACF.1.1 Delete Application SFP Iteration. The TSF shall enforce the Delete application SFP to objects based on Unique Application Identifier present in the ADC, Unique Application Identifier of loaded-applications, Application Load Permissions, MCD Load Permissions. FDP_ACF.1.2 Delete Application SFP Iteration. The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed. See the table below. FDP_ACF.1.3 Delete Application SFP Iteration. The TSF shall explicitly authorize access of subjects to objects based on the following additional rules. See the table below. FDP_ACF.1.4 Delete Application SFP Iteration. The TSF shall explicitly deny access of subjects to objects based on the table below. ID Motion V1 Security Target ST Applicable on: Page : 44 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Security attributes Governing access rules Authorizing access rules Denying access rules Unique Application Identifier present in the ADC and Unique Application Identifier of loaded-applications Verify an application with the Application Identifier specified in the ADC is loaded on this MCD Establish that an application with the Application Identifier specified in the ADC is loaded on this MCD. Application deletion process continues. Establish that no application with the Application Identifier specified in the ADC is loaded on this MCD. Application deletion process is aborted. Application Load Permissions and MCD Load Permissions Verify the application permissions are compatible with the MCD permissions which were installed when the card was enabled Establish that the application permissions are compatible with the MCD permissions, which were installed when the card was enabled. Application deletion process continues. Establish that the application permissions are not compatible with the MCD permissions, which were installed when the card was enabled. Application deletion process is aborted. 6.2.7 Data authentication FDP_DAU 6.2.7.1 FDP_DAU.1 Basic data authentication FDP_DAU.1.1. The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of application’s code spaces. FDP_DAU.1.2. The TSF shall provide MULTOS with the ability to verify evidence of the validity of the indicated information. 6.2.8 Import from outside TSF control FDP_ITC 6.2.8.1 FDP_ITC.1 Import of user data without security attributes FDP_ITC.1.1. The TSF shall enforce the Load Application SFP when importing user data, controlled under the SFP, from outside of the TSC. FDP_ITC.1.2. The TSF shall ignore any security attributes associated with the user data when imported from outside the TSC. FDP_ITC.1.3. The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC: none. 6.2.9 Residual information protection FDP_RIP 6.2.9.1 FDP_RIP.1 Subset residual information protection FDP_RIP.1.1. The TSF shall ensure that any previous information content of a resource is made unavailable upon the de-allocation of the resource from the following objects: application’s code and data spaces. 6.2.10 Rollback (FDP_ROL) 6.2.10.1 FDP_ROL.1 Basic rollback FDP_ROL.1.1. The TSF shall enforce Load Application SFP to permit the rollback of the load of an application on the application’s code and data. FDP_ROL.1.2. The TSF shall permit operations to be rolled back within a failure occurs during loading of an application. ID Motion V1 Security Target ST Applicable on: Page : 45 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.2.11 Stored data integrity (FDP_SDI) 6.2.11.1 FDP_SDI.2 Stored data integrity monitoring and action FDP_SDI.2.1. The TSF shall monitor user data stored in container controlled by TSF for memory corruption on all objects, based on the following attributes: four-byte check sum. FDP_SDI.2.2. Upon detection of a data integrity error, the TSF shall abend the current session. 6.2.12 Authentication failures (FIA_AFL) 6.2.12.1 FIA_AFL.1 Authentication failure handling FIA_AFL.1.1. The TSF shall detect when 20 unsuccessful authentication attempts occur related to execution of SetMSMControls command, DeleteMELApplication command and CreateMELApplication command. FIA_AFL.1.2. When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall permanently disable the incriminated command. 6.2.13 User attribute definition (FIA_ATD) 6.2.13.1 FIA_ATD.1 User attribute definition FIA_ATD.1.1. The TSF shall maintain the following list of security attributes belonging to individual users: See the table below. MULTOS Security Manager MCD Enabled Flag History List Entry MCD Issuer MCD Issuer Identifier Unique Application Identifier Application Load Permission MCD Permissions 6.2.14 User Authentication (FIA_UAU) 6.2.14.1 FIA_UAU.1 Timing of authentication FIA_UAU.1.1. The TSF shall allow processing of Check Data command on behalf of the user to be performed before the user is authenticated. FIA_UAU.1.2. The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 6.2.14.2 FIA_UAU.4 Single-use Authentication Mechanisms FIA_UAU.4.1. The TSF shall prevent reuse of authentication data related to application’s load and delete authentication mechanisms. ID Motion V1 Security Target ST Applicable on: Page : 46 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.2.15 User identification (FIA_UID) 6.2.15.1 FIA_UID.1 Timing of identification FIA_UID.1.1. The TSF shall allow processing of Check Data command on behalf of the user to be performed before the user is identified. FIA_UID.1.2. The TSF shall require each user to be successfully identified before allowing any other TSF- mediated actions on behalf of that user. 6.2.16 User-subject Binding (FIA_USB) 6.2.16.1 FIA_USB.1 User-subject binding MULTOS Security Manager MCD Enabled Flag History List Entry MCD Issuer MCD Issuer Identifier Unique Application Identifier Application Load Permission MCD Permissions FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: See table in section 6.2.6.1 (FDP_ACF.1) FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: See table in section 6.2.13 (FIA_ATD.1.1) FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: No changes are permitted. 6.2.17 Management of function in the TSF (FMT_MOF) 6.2.17.1 FMT_MOF.1 Management of security functions behaviour FMT_MOF.1.1. The TSF shall restrict the ability to determine the behaviour of the functions Application Load Certificate Control SF and Application Deletion Certificate Control SF to MSM. FMT_MOF.1.1. The TSF shall restrict the ability to enable the functions Application Load Certificate Control SF and Application Deletion Certificate Control SF to MSM. 6.2.18 Management of security attributes (FMT_MSA) 6.2.18.1 FMT_MSA.1 Management of security attributes FMT_MSA.1.1. The TSF shall enforce the Load Application SFP and Delete Application SFP to restrict the ability to load the following security attributes to the MSM: • MCD Issuer Product Identifier. • MCD Issuer Identifier. • MCD Batch Number. ID Motion V1 Security Target ST Applicable on: Page : 47 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto • RFU 2 (Reserved for Future Use). • RFU 4. • RFU 5. • RFU 6. • MCD-unique Identifier. • asymmetric transport key set (mkd). 6.2.18.2 FMT_MSA.2 Secure security attributes FMT_MSA.2.1. The TSF shall ensure that only secure values are accepted for security attributes. 6.2.18.3 FMT_MSA.3 Static attribute initialisation FMT_MSA.3.1. The TSF shall enforce the Load Application SFP and Delete Application SFP to provide MSM Controls Data default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2. The TSF shall allow the MSM to specify alternative initial values to override the default values when an object or information is created. 6.2.19 Management of TSF data (FMT_MTD) 6.2.19.1 FMT_MTD.1 Management of TSF data FMT_MTD.1.1. The TSF shall restrict the ability to load the MSM Controls Data to MSM. 6.2.19.2 FMT_MTD.2 Management of limits on TSF data FMT_MTD.2.1. The TSF shall restrict the specification of the limits for MSM Controls Data to MSM. FMT_MTD.2.2. The TSF shall take the following actions, if the TSF data are at, or exceed, the indicated limits: MCD becomes mute. 6.2.20 Security management roles (FMT_SMR) 6.2.20.1 FMT_SMR.1 Security roles FMT_SMR.1.1. The TSF shall maintain the roles: MULTOS Security Manager (MSM) MCD Issuer Application Provider FMT_SMR.1.2. The TSF shall be able to associate users with roles. 6.2.21 Unobservability (FPR_UNO) 6.2.21.1 FPR_UNO.1 Unobservability FPR_UNO.1.1. The TSF shall ensure that any users are unable to observe the cryptographic operations on Application Load Certificate, Application Delete Certificate, Application Load Unit, MSM Controls Data and hash digest of the contents of a selected area of MCD’s memory by MULTOS. ID Motion V1 Security Target ST Applicable on: Page : 48 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto The functional requirement must be understood in the sense of protection against observation of the mechanisms and TSF data used and of User data manipulated during the operation. The intent is to protect against side channel attacks. 6.2.22 Fail secure (FPT_FLS) 6.2.22.1 FPT_FLS.1 Failure with preservation of secure state FPT_FLS.1.1. The TSF shall preserve a secure state when the following types of failures occur: a) An apparent corruption of the MSM Controls Data or security data held within the EEPROM of MULTOS b) An unexpected hardware event occurred c) MULTOS determines that it has executed an invalid sequence of instructions (possibly due to electromagnetic or mechanical interference) d) A critical process is interrupted e) There have been too many failed attempts to load MSM Controls Data. 6.2.23 TSF Physical protection (FPT_PHP) 6.2.23.1 FPT_PHP.3 Resistance to physical attack FPT_PHP.3.1. The TSF shall resist the following physical tampering scenarios to the following list of TSF devices/elements by responding automatically such that the TSP is not violated. Physical tampering scenarios TSP devices/elements Abnormal use of reset signal All TSF devices/elements Abnormal use of power signal All TSF devices/elements Clock rate variations The processor Dynamic power analysis Cryptographic operations 6.2.24 Trusted recovery (FPT_RCV) 6.2.24.1 FPT_RCV.4 Function recovery FPT_RCV.4.1. The TSF shall ensure that the following list of functions and failure scenarios have the property that the SF either completes successfully, or for the indicated failure scenarios, recovers to a consistent and secure state. Security functions Failure scenarios Application Load Certificate Control SF Reset/power down during command processing Application Delete Certificate Control SF Reset/power down during command processing Too many failed Delete Command Unprotected/Protected Application Load Unit SF Reset/power down during command processing Too many failed Create Command Confidential Application Load Unit SF Reset/power down during command processing Too many failed Create Command ID Motion V1 Security Target ST Applicable on: Page : 49 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Security functions Failure scenarios MSM Controls Data Load Management SF Reset/power down during command processing Too many failed Set MSM Controls Command Critical Data Overwrite SF Reset/power down during command processing or application execution Reset Protection SF Reset/power down during command processing or application execution Integrity Checks SF Reset/power down during command processing or application execution Start-up Validity Checks and Initialisation SF Reset/power down during command processing or application execution All Security Functions EEPROM write failure Power loss Integrity failure 6.2.25 Inter-TSF TSF data consistency (FPT_TDC) 6.2.25.1 FPT_TDC.1 Inter-TSF basic TSF data consistency FPT_TDC.1.1. The TSF shall provide the capability to consistently interpret Application Load Certificate, Application Delete Certificate, Key Transformation Unit, Application Provider Signature and MSM Controls Data when shared between the TSF and another trusted IT product. FPT_TDC.1.2. The TSF shall use signatures format on the certificates, the Application Load Unit, the Key Transformation Unit and MSM Controls Data when interpreting the TSF data from another trusted IT product. 6.2.26 TSF self test (FPT_TST) 6.2.26.1 FPT_TST.1 TSF Testing FPT_TST.1.1. The TSF shall run a suite of self tests at the conditions when MULTOS is powered-up or reset to demonstrate the correct operation of some parts of the TSF. These self tests include checks that EEPROM memory is writable, that the chip’s active shield is operational and that the chip-level sensor self tests pass. FPT_TST.1.2. The TSF shall provide authorised users with the capability to verify the integrity of TSF data. FPT_TST.1.3. The TSF shall provide authorised users with the capability to verify the integrity of the stored TSF executable code. 6.2.27 Resource allocation (FRU_RSA) 6.2.27.1 FRU_RSA.1 Maximum quotas FRU_RSA.1.1. The TSF shall enforce maximum quotas of the following resources: EEPROM and X-RAM that applications, functions, codelets and primitives can use simultaneously. ID Motion V1 Security Target ST Applicable on: Page : 50 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.3 SECURITY ASSURANCE REQUIREMENTS (SARS) This section describes the SARs. The Assurance requirement is EAL5 augmented with additional assurance components listed in the following section. These components are hierarchical ones to the components specified in EAL5. 6.3.1 ALC_DVS.2: Sufficiency of Security Measures Developer action elements: ALC_DVS.2.1D. The developer shall produce development security documentation. Content and presentation of evidence elements: ALC_DVS.2.1C. The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment. ALC_DVS.2.2C. The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE. ALC_DVS.2.3C. The evidence shall justify that the security measures provide the necessary level of protection to maintain the confidentiality and integrity of the TOE. Evaluator action elements: ALC_DVS.2.1E. The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ALC_DVS.2.2E. The evaluator shall confirm that the security measures are being applied. Dependencies: No dependencies. 6.3.2 AVA_VAN.5: Advanced Methodical Vulnerability Analysis Developer action elements: AVA_VAN.5.1D The developer shall provide the TOE for testing. Content and presentation elements: AVA_VAN.5.1C The TOE shall be suitable for testing. Evaluator action elements: AVA_VAN.5.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AVA_VAN.5.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE. AVA_VAN.5.3E The evaluator shall perform an independent, methodical vulnerability analysis of the TOE using the guidance documentation, functional specification, TOE design, security architecture description and implementation representation to identify potential vulnerabilities in the TOE. AVA_VAN.5.4E The evaluator shall conduct penetration testing based on the identified potential vulnerabilities to determine that the TOE is resistant to attacks performed by an attacker possessing High attack potential. Dependencies: ADV_ARC.1 Security architecture description. ADV_FSP.2 Security-enforcing functional specification. ADV_TDS.3 Basic modular design. ADV_IMP.1 Implementation representation of the TSF. AGD_OPE.1 Operational user guidance. AGD_PRE.1 Preparative procedures. ID Motion V1 Security Target ST Applicable on: Page : 51 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 6.4 SECURITY FUNCTIONAL REQUIREMENTS DEPENDENCIES This section demonstrates that all dependencies between components of security functional requirements included in this PP are satisfied. Table 9 lists all functional components including security requirements in the IT environment. For each component, the dependencies specified in Common Criteria are listed, and a reference to the component number is given. Number Security functional requirements Dependencies Line N° 1 FAU_SAA.1: Potential Violation Analysis FAU_GEN.1 * 2 FCS_CKM.3: Cryptographic Key Access FDP_ITC.1, FCS_CKM.4, FMT_MSA.2 9, 3, 20 3 FCS_CKM.4: Cryptographic Key Destruction FDP_ITC.1 , FMT_MSA.2 9, 20 4 FCS_COP.1: Cryptographic Operation FDP_ITC.1, FCS_CKM.4, FMT_MSA.2 9, 3, 20 5 FDP_ACC.2: Complete Access Control FDP_ACF.1 6 6 FDP_ACF.1: security attributes based Access Control FDP_ACC.1, FMT_MSA.3 H(5), 21 7 FDP_DAU.1: basic Data Authentication none 9 FDP_ITC.1: Import of user data without security attributes FDP_ACC.1,FMT_MSA.3 H(5), 21 10 FDP_RIP.1: subset residual information protection none 11 FDP_SDI.2: stored data integrity monitoring and action none 12 FIA_AFL.1: Authentication failure handling FIA_UAU.1 14 13 FIA_ATD.1: User attribute definition None 14 FIA_UAU.1: Timing of authentication FIA_UID.1 16 15 FIA_UAU.4: Single-use authentication mechanisms none 16 FIA_UID.1: timing of identification none 17 FIA_USB.1: user-subject binding FIA_ATD.1 13 18 FMT_MOF.1: management of security functions behaviour FMT_SMR.1 23 19 FMT_MSA.1: management of security attributes FDP_ACC.1, FMT_SMR.1 H(5), 23 20 FMT_MSA.2: Secure security attributes ADV_SPM.1, FSP_ACC.1, FMT_MSA.1, FMT_SMR.1 by EAL5 H(5), 19, 23 21 FMT_MSA.3: Secure attributes initialisation FMT_MSA.1, FMT_SMR.1 19, 23 22 FMT_MTD.1: management of TSF data FMT_SMR.1 23 23 FMT_SMR.1: security roles FIA_UID.1 16 24 FPR_UNO.1: Unobservability none 25 FPT_FLS.1: failure with preservation of secure state ADV_SPM.1 by EAL5 ID Motion V1 Security Target ST Applicable on: Page : 52 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Number Security functional requirements Dependencies Line N° 26 FPT_PHP.3: Resistance to physical attack none 28 FPT_TDC.1: inter-TSF basic TSF data consistency none 29 FPT_TST.1: TSF testing none 30 FAU_ARP.1: Security Alarms FAU_SAA.1 1 31 FDP_ROL.1: Basic Rollback FDP_ACC.1 H(5) 32 FMT_MTD.2: Management of limits on TSF data FMT_MTD.1, FMT_SMR.1 22, 23 33 (not used) 34 (not used) 35 FRU_RSA.1: Maximum quotas none Table 3: Functional dependencies in Multi-Application environment *: Dependencies are not met for the reasons given below. H(5) means that the dependency is satisfied by a higher hierarchical component. Table 9 shows that the functional component dependencies are satisfied by all functional components of the PP except for the components stated in bold characters, as explained as follows: The dependency of FAU_SAA.1 with FAU_GEN.1 is not applicable to the TOE; the FAU_GEN.1 component forces many security relevant events to be recorded (due to dependencies with other functional security components) and this is not achievable in a smartcard since many of these events result in card being in an insecure state where recording of the event itself could cause a security breach. It is then assumed that the function FAU_SAA.1 may still be used and the specific audited events will have to be defined in the ST independently with FAU_GEN.1. ID Motion V1 Security Target ST Applicable on: Page : 53 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 7. TARGET OF EVALUATION SUMMARY SPECIFICATION The TOE summary specification describes how the TOE meets each SFR. 7.1 SECURITY FUNCTIONALITY This following defines the TOE security functions. The italic paragraph parts correspond to actions provided by the security functions whereas the normal paragraph parts correspond to the context in which the security functions take place. Note that cryptographic primitives are out of scope. Table 3 shows how these security functions satisfy the TOE security functional requirements. 7.1.1 Application Load Certificate Control SF (SF1) SF1 ensures that the MSM Controls Data has been loaded before loading any application. SF5 maintains a flag to indicate whether or not MSM Controls Data has been loaded successfully onto the MCD. This flag is contained in MULTOS security data. SF1 authenticates an application load certificate as having been authorised by the MSM, using the MSM’s GKCK (kck_pk), prior to validating the loaded-application. SF1 calculates an asymmetric hash of the key header and compares it with the deciphered Key Certificate, using a RSA algorithm and kck_pk. SF1 ensures an authorised application has appropriate permissions (MCD Issuer product identifier, MCD Issuer identifier, MCD enables dates, MCD number, four permissions field reserved for future use) before load is validated. In this way, SF1 checks the eight application’s permissions against the eight MCD’s permissions. SF1 checks if an application, which has been previously loaded and then, deleted, is authorised by the MSM to be reloaded. The ALC contains a value that indicates if reloads of the application onto the same MCD are authorised. The value can be zero or a random number generated by the MSM. A value of zero means that the MSM has authorised multiple reloads of the application. SF1 ensures the application is not already loaded on the MCD. When an attempt is made to load the application, the AID (unique Application Identifier) contained in the ALC is checked against the AID associated with each application already loaded on the MCD. If a match is found, this indicates the application has already been loaded onto the MCD and the load attempt will fail. When loading the ALU components in the Application Pool Block in EEPROM, SF1 checks if there is enough space available. If it is not the case, SF1 returns an error. If load application fails, SF1 ensures that the temporary loaded-application is erased on the next reset. Permutational/probabilistic/cryptographic mechanisms used in this security function: RSA and asymmetric hash algorithms. 7.1.2 Application Delete Certificate Control SF (SF2) SF2 authenticates the Application Delete Certificate with the key kck_pk that is stored in the MCD’s ROM. The authentication is done through an asymmetric hash of the ADC and a comparison with the signature provided. SF2 delete an application only after receiving and authenticating a valid application delete certificate. SF2 checks that the Application ID extracted from the certificate matches to a loaded application and that the permissions are correct (the delete process uses the same interpretation of permissions as the load process). Only after all these checks have passed will SF2 delete the application. Permutational/probabilistic/cryptographic mechanisms used in this security function: RSA algorithm, asymmetric hash algorithm. 7.1.3 Unprotected/Protected Application Load Unit SF (SF3) SF3 manages the Unprotected/Protected Application Load Unit which is composed of the Application Code (clear text copy of the application) and the Application Signature (for the protected ALU). The protected ALU is used for application authentication. ID Motion V1 Security Target ST Applicable on: Page : 54 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto If the ALC indicates that application authentication is required (it is optional), the application is authenticated by its application signature. When application authentication is invoked, SF3 verifies the authenticity of the application. Once the application has been loaded onto the MCD, SF3 creates a digest of the application using the one-way hash function. SF3 then decrypts the application signature using the Application Provider’s public key (ack_pk), which is contained within the ALC. ack_pk is certified by the MSM. The MSM signs ack_pk using the secret GKCK (kck_sk). SF1 can verify the authenticity of ack_pk by decrypting it with the public GKCK (kck_pk). The hash digest from within decrypted signature is compared with the application digest generated by SF3. If they are equal, then the authenticity of the application is confirmed, since only the Application Provider could create the application signature and the Application Provider’s public key is certified by the MSM. If the decrypted signature does not match the application digest generated by SF3, application authentication fails and SF3 aborts the loading of this application.. Permutational/probabilistic/cryptographic mechanisms used in this security function: RSA algorithm, asymmetric hash algorithm. 7.1.4 Confidential Application Load Unit SF (SF4) SF4 manages the Confidential Application Load Unit which is composed of the Application Code (clear text copy of the application), the Application Signature (for application authentication) and the Key Transformation Unit (for application confidentiality). If application confidentiality is required (it is optional) SF4 allows to load applications which have protected areas of code or data. In order to protect the confidentiality of an application, the Application Provider is able to encrypt the relevant areas of the application using DES CBC or Triple DES CBC. The DES or Triple DES encryption key and descriptors for each of the encrypted areas are then encrypted using the public transport key (mkd_pk) of the MCD onto which the application is to be loaded. This information is placed into a KTU. The KTU is appended to the ALU. This ensures the confidentiality of sensitive parts of an application before it is loaded onto an MCD. Once the application is loaded, SF4 allows the decryption of the protected areas of the application so that the application can be securely executed on the MCD. Once SF1 has authenticated the Application Load Certificate, SF4 decrypts the KTU using the MCD-specific secret transport key (mkd_sk). SF4 uses the DES or Triple DES key recovered from the decrypted KTU to decrypt the protected application areas and complete the process of loading the application. This ensures that the protected application can be executed once it is safely loaded onto the MCD (where its confidentiality is protected by the Application Execution Management SF). After decrypting the KTU, SF4 checks that the msm_cotnrols_data_dates and MCD Number specified in the KTU matches the target MCD. SF4 also checks that the application id specified in the KTU matches the application id in the ALC for this application before proceeding. If these details do not match, the application load attempt fails. This ensures that the presented KTU is intended for this application loading on to the MCD in question. SF4 ensures only an authentic MCD is able to load and execute a protected application. Since the MCD-specific secret transport key is required in order to decrypt the protected application areas, only the target MCD can gain access to those areas. By successfully decrypting the KTU and recovering the DES or Triple DES key to decrypt the protected application areas, SF4 also authenticates the MCD as a valid MCD. This ensures the confidentiality of the protected application in the event it is loaded onto a smartcard that is not an authentic MCD. Permutational/probabilistic/cryptographic mechanisms used in this security function: RSA algorithm, DES algorithm. 7.1.5 MSM Controls Data Load Management SF (SF5) During implementation of MULTOS in silicon for the target processor, MULTOS security data is injected into non-volatile memory. The MULTOS security data includes an MCD-unique identifier (the MCD id), an MCD- unique symmetric transport key (tkv) and a security flag. MSM Controls Data for a specific MCD includes the MCD-unique identifier, the MCD’s permissions and the MCD-unique transport key (mkd). MSM Controls Data is encrypted by the MSM using the MCD-unique ID Motion V1 Security Target ST Applicable on: Page : 55 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto symmetric transport key (tkv). MSM Controls Data is provided to the MCD Issuer for loading on the target MCD. SF5 ensures the MCD only allow MSM Controls Data to be loaded once. The MCD Issuer presents the MSM Controls Data to the target MCD. This is done by submitting the Set MSM Controls command to MULTOS via an IFD. Before loading, SF5 checks the security data flag to verify if the MSM Controls Data has not already been installed. If the MSM Controls Data have already been loaded, the attempt to load is denied. SF5 ensures encrypted MSM Controls Data is able to be loaded on target MCD. Since MSM Controls Data is encrypted using a symmetric key specific to the target MCD, only the target MCD is able to decrypt the data and load it successfully. Furthermore, the MCD is able to load only its own MSM Controls Data, since it will not be able to decrypt any other MCD’s MSM Controls Data. This ensures an MCD cannot load MSM Controls Data intended for another MCD and therefore cannot masquerade as another MCD (e.g., in order to load applications not intended for it). SF5 verifies the integrity of the MSM Controls Data. SF5 generates a hash digest of the MSM Controls Data (less the last 16 bytes) and compares it with the attached hash digest (last 16 bytes of the decrypted data). If the two digests match, the MSM Controls Data has been received without corruption or tampering. SF5 ensures the MCD only loads its own unique MSM Controls Data. If the decrypted MCD-unique identifier does not match the MCD-unique identifier stored in non-volatile memory of the targeted MCD, the MSM Controls Data is rejected. If the MSM Controls Data is loaded successfully, SF5 sets the security flag to ‘0x5A’ in MULTOS security data to indicate this has occurred. This ensures that once the MCD Issuer has enabled and issued the MCD, bogus MSM Controls Data cannot be created and loaded onto the MCD. SF5 maintains a count of the number of failed (or incorrect) attempts to load the MSM Controls Data. SF10 monitors the value of this counter, and when the pre-determined limit is reached, the MCD shall be permanently shutdown from the next power on. Permutational/ probabilistic/cryptographic mechanisms used in this security function: DES algorithm, asymmetric hash algorithm. 7.1.6 Application Execution Management SF (SF6) SF6 ensures each application is restricted to accessing its own code and data. The only exceptions to the restriction on an application’s code and data access are as follows: a) Accessing data in the Public Data Area. b) Application delegation. c) Accessing Codelets. d) Accessing data via MULTOS primitives. SF6 also allows strong cryptography provided by the MCD to be regulated so that only authorised applications can access them. SF6 maintains separate storage and execution space for applications loaded onto an MCD. SF6 manages a pool of loaded applications. SF6 ensures each application, including its code and data areas, is kept separate from every other application loaded on the MCD. This ensures an application that is restricted to its own code and data space cannot gain access to the code or data of another loaded application. Each application is allocated to its own Application Pool Block within the Application Pool. Each Application Pool Block contains a unique identifier of the application loaded into the block. The intent of this mechanism is to allocate a portion of EEPROM memory to an application where that portion does not overlap regions allocated to any other applications and to tag these regions of memory with the application ID of that application. An application is able to read code for execution only from its own code space or from a pool of common routines controlled by SF6. SF6 executes only applications written in the MULTOS Execution Language (MEL). MEL is an interpreted language. MEL applications are executed on an Application Abstract Machine, which enables memory accesses by applications to be checked at the time of interpretation. SF6 ensures any attempt by an application to access code for execution is restricted to its own code space or to Codelets, which are controlled by SF6. This ensures an application is unable to compromise the integrity or confidentiality of the code of other applications loaded on the MCD. ID Motion V1 Security Target ST Applicable on: Page : 56 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto SF6 ensures no application is able to write to the code space of any application, including itself. SF6 ensures any attempt by an application to write data is restricted to the application’s own data space or to the Public data area. Any attempt by the application to write data outside these areas, including to its own or another applications code space, is blocked by SF6 and the application is terminated. SF6 ensures no application is able to read from or write to the data space of another application except via a mechanism provided and controlled by SF6. SF6 ensures any attempt by an application to read or write data is restricted to the application’s data space or to the Public data area. The Public data area is available for reading and writing by all applications and provides the mechanism for applications to communicate information with each other. This ensures an application is unable to compromise the integrity or confidentiality of the data of other applications loaded on the MCD. No application is able to cause the execution of another application except via a mechanism provided and controlled by SF6. SF6 also provides a mechanism for an application to delegate execution to another application. On delegation, a full context switch occurs, so the only information from the delegating application which is available to the delegated application is whatever might be held in the Public data area. (“Full context switch” means that SF6 writes all information related to the execution of the delegating application to an area under its control, then commences execution of the delegated application. When the delegated application ends its execution, the execution context of the delegating application is restored and it is able to continue execution from the point of delegation.) occurs, so the only information from the delegating application which is available to the delegated application is whatever might be held in the Public data area. This ensures an application cannot make use of another application to compromise the integrity or confidentiality of other applications. Applications execute only within their own environment and cannot be made to execute in another application’s environment. SF6 ensures no application is able to write to the code space of MULTOS and no application is able to read from or write to the data space of MULTOS except via a mechanism provided and controlled by SF6. SF6 provides system primitives that can be invoked by applications, which return to the application specific system data values and allow specific system data values to be updated. Any other attempt by an application to access MULTOS code or data is blocked by SF6. This ensures no application is able to compromise the integrity of MULTOS or the confidentiality of its sensitive information. SF6 ensures only applications specifically authorised by the MSM can access strong cryptography primitives. The ALC contains a flag indicating whether or not the application is authorised to use MULTOS’s strong cryptography primitives. This information is stored with the application when it is loaded onto the MCD. Every time an application attempts to call a strong cryptography primitive, SF6 checks the control flag to determine if the application is allowed to make the call. If it is, SF6 will process the call. If the flag indicates access is not authorised, SF6 will return an error condition to the application. The MSM wishes to control which applications can access strong cryptography. This is necessary to comply with government restrictions on the use by Application Writers of strong cryptography. An Application Writer must obtain appropriate documentation (e.g., an export license) from the appropriate government body before the MSM will authorise the application’s use of strong cryptography. The MSM authorises an application to use strong cryptography by digitally signing its ALC with the cryptography access flag set to allowed. SF6 ensures a series of functions that allow MULTOS to address all required X-RAM and EEPROM it needs as follows: MULTOS needs to be able to access data held in up to 64K of EEPROM/X-RAM. 7.1.7 Critical Data Overwrite SF (SF7) SF7 ensures that no part of an application’s code or data, excluding data the application has placed into the Public data area, can be accessed after the application has been deleted. When SF7 deletes an application from the MCD, it overwrites the application’s code and data spaces with a fixed pattern of bytes. In this way, any other application subsequently loaded into the same space will be unable to determine any information relating to the deleted application. Data that the application has written to the Public data area is not overwritten, since this provides the means for the application to communicate with other applications. By placing data in the Public data area, an application is effectively deciding the data can be accessed by any application. ID Motion V1 Security Target ST Applicable on: Page : 57 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto 7.1.8 Reset Protection SF (SF8) When allocating memory to an application, a number of pointers must be manipulated. These pointers are held in EEPROM memory and are susceptible to corruption if the MCD should loose power while being updated. To protect against this, SF8 establishes a critical region around the operations that update these pointers. If the MCD is powered down or reset while in this critical region, SF8 will permanently shutdown the MCD. In this way, SF8 ensures that critical memory allocation operations occur as an atomic operation (i.e., they are either not initiated or are guaranteed to complete). 7.1.9 Integrity Checks SF (SF9) SF9 protects MULTOS critical data by applying an integrity check to the following information: a) MISA injected security data. b) MSM Controls Data. c) Application code spaces. SF9 calculates a four-byte check sum over the MISA (MULTOS Injection Security Application) injected security data and the MSM controls data when the MSM controls have been successfully set. This check sum is re-calculated and verified by SF9 before sending out a response to any command. A failure of the check sum causes SF9 to abend the session. This integrity check hence ensures that the smartcard will not attempt to send any response that may be based on corrupted data. In addition, when an application is loaded onto the MCD (by successful execution of the Create MEL Application command), SF9 calculates a four-byte check sum over the application’s code space. SF9 stores this check sum in the application pool block for the application. When an application is selected as the current file, SF9 calculates the check sum over its code space and compares it with the stored check sum to confirm the continued integrity of the application. If the calculated and stored check sums do not match, SF9 abends the session. A full integrity check verifies the checksum of the full MSM Controls data whereas a partial integrity check excludes the verification of the codelets within the MSM Controls data. A full integrity check is performed at startup and a partial integrity check is performed just prior to sending a response to every command in order to make sure that security data and MSM Controls data remain unchanged. Therefore, MULTOS is not vulnerable to attempts to corrupt its memory. Permutational/probabilistic/cryptographic mechanisms used in this security function: 4-byte checksum. 7.1.10 Start-up Validity Checks and Initialisation SF (SF10) If the MCD is reset or loses power while MULTOS is processing a command or executing an application, SF10 will perform the usual validity checks and initialisation when MULTOS is restarted: a) The MCD validity check allows SF10 to determine that MULTOS is still in a valid state (if it is not, SF10 will shutdown permanently). b) SF10 erases the Public data area (to protect any sensitive information placed there by an application executing at the time of reset/power loss). c) SF10 erases from the Application Pool any application in the Application Pool that is in the “opened” state (since the application load process has been interrupted). d) SF10 initialises the Active Application Block to the shell application if any is present, or otherwise to a null value to indicate that no application is currently selected. e) SF10 rolls back any uncommitted writes in the Data Item Buffer. The validity check can fail for the following reasons: a) A check of the integrity of the security data (comprising Initialisation Security Data and MSM Controls Data) fails, the MCD can no longer function correctly and SF10 abends. A change to the MCD’s security data could indicate an attempt to attack the MCD or a failure of the MCD memory. ID Motion V1 Security Target ST Applicable on: Page : 58 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto b) The Application Memory Manager module detects it was in the middle of a critical operation when the system was reset. SF10 permanently shuts down the MCD in this circumstance. The Memory Manager Software Module’s data will be inconsistent, with no means to recover it to a consistent state. Critical operations involve the manipulation of memory addresses associated with an application and cannot be recovered. c) The maximum number of failed attempts to execute the Set MSM Controls command has been reached; since MSM Controls Data cannot be successfully loaded, it is not possible to load applications, so SF10 permanently shuts down the MCD. The decrementing of the counter forms part of SF5. The Data Item Buffer or Data Item Stack holds a “stack” of data item copies. Each data item copy held in this stack contains a copy of a particular Static data item which MULTOS has, or is in the process of, updated as the result of executing an application MEL instruction or primitive. This data item stack also contains information that allows SF10 to determine, for each data item copy in the stack, whether the source data item has been successfully and completely updated. The data item copy contains the following items. These items are located within the data item copy in the order given, with the first item at the lowest address: • Flags and byte counts that allow navigation through the data item stack to find the most recent data item copy, to create a new data item copy, or to determine whether the most recent data item copy is a copy of an item which is in the process of being updated. • A pointer to the start of the data item which the data item copy refers to. • A copy of the data item. When a data item copy is created SF10 marks it as ACTIVE and when the source data item is successfully and completely updated SF10 marks the data item copy as USED. If the card is reset and SF10 founds an ACTIVE block on the stack, SF10 will copy it back to its original location and mark it as USED. At the end of initialisation, MULTOS is in the Ready state, waiting to process commands from the IFD. It therefore returns to a known secure state following a reset or power-down/power-up. Permutational/probabilistic/cryptographic mechanisms used in this security function: 4-byte checksum. 7.1.11 Tamper Resistant Software Behaviours SF (SF11) MisExecution Detection When required, SF11 detects possible mis-executions of the operating system due to unexpected external electro-magnetic or mechanical interference. SF11 calculates a parameter in two independent ways. SF11 then compares the two results. If the two results do not match, SF11 will make the MCD become mute. By doing this, SF11 will always trap a single mis-execution of the code which causes one of the parameters to contain an incorrect value. Failed Command Counter This counter is a software counter-measure against power analysis. To limit the number of allowed failed attacks; SF11 maintains a count of the number of unsuccessful attempts to perform critical operations that rely on cryptographic mechanism. It makes infeasible attacks on these operations that rely on brute force attacks on the underlying cryptographic mechanism that supports it. SF11 uses this to protect the RSA decryption mechanism used when loading and deleting applications as well as to protect the DES decryption mechanism used during the loading of the MSM Controls data. If a sufficient number (20 attempts) of unsuccessful commands is presented for any of these operations, SF11 will take appropriate action for the operation in question. SF11 uses a down count that is initialised to its full value during manufacturing. SF11 decrements the counter before beginning the cryptographic mechanism that is being protected and re-increments it if the operation is successful. Hardware Sensor Checks. SF11 shall also perform any software checks of security sensors or features provided by the hardware. TheInfineon platform includes an Active Shield that can detect attempts to physically probe the chip. SF11 shall check the shield at regular intervals and cause the termination of the current session if the shield has been disturbed. The Infineon platform includes a Current Scrambling Engine (CURSE) which attempts to mask the power consumption of the chip to external observation. SF11 shall initialise the CURSE on power up. ID Motion V1 Security Target ST Applicable on: Page : 59 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto SF11 shall include a software check of the correct operation of the hardware Random Number Generator. The current session shall be ended if this check should fail. 7.1.12 Smartcard Authentication SF (SF12) SF12 provides a means for MCD Issuers to determine that an MCD is an authentic initialised MCD prior to loading it with MSM Controls Data. On request, SF12 provides a digest of the contents of a selected area of memory within an initialised MCD. For that, SF12 uses the Check Data Command. This digest can be used for comparison with the results of the same request applied to a known authentic initialised MCD, in order to verify the authenticity of the target MCD. The digest had to be representative of the contents of the memory which is subject to authentication (i.e., the selected area of memory together with a fixed portion of MULTOS data). So SF12incorporates a portion of fixed MULTOS data in the digest. SF12 requires as input: The start address of the memory area to be checked The length of the memory area to be checked A random challenge value. SF12 performs a bit-wise exclusive OR function on the random challenge value and the first part of the fixed transport key (tkf). The result of this operation is concatenated, by SF12, with the second part of tkf and a one way hash algorithm applied to it. Using this hash as an initial value, SF12 computes a hash digest over the contents of the indicated memory area. The inclusion in the digest of fixed MULTOS data (in the form of tkf) enables the authenticity of the MCD to be checked by comparing the digest with the result produced from the same request applied to the same area of memory on a known authentic initialised MCD. The random challenge value ensures the returned digest cannot be spoofed. SF12 ensures it is not possible to infer from the digest any information regarding the contents of the memory area checked. The digest is formed using a one-way hash function over the specified memory area and random challenge value. This acts to prevent any useful information being returned in the digest and therefore prevents any potential compromise of sensitive MULTOS information. SF12 is only available on initialised MCDs (i.e., which have not yet been enabled). This function is only useful for authenticating MCDs before they are enabled. Allowing its use after the MCD is enabled could provide a means for probing for information related to applications loaded on the MCD. As it serves no useful purpose once the MCD is enabled and, despite the way in which the digest is constructed, could be used to attack the MCD, it is prudent to disable this function after loading MSM Controls Data. If this function is called on an enabled MCD, an error condition is returned. No digest is calculated. Permutational/probabilistic/cryptographic mechanisms used in this security function: RSA algorithm. 7.1.13 Mapping between Security Functions and Security Functional Requirements Table below shows which functions satisfy which requirements and that all requirements are met. Note that each security function contributes to the satisfaction of at least one TOE security functional requirement. Functional requirements/ Security functions SF1 SF2 SF3 SF4 SF5 SF6 SF7 SF8 SF9 SF10 SF11 SF12 FAU_ARP.1 X X X X X FAU_SAA.1 X X X X X FCS_CKM.3 X X X X X X FCS_CKM.4 X X X X X X FCS_COP.1 X X X X X X ID Motion V1 Security Target ST Applicable on: Page : 60 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Functional requirements/ Security functions SF1 SF2 SF3 SF4 SF5 SF6 SF7 SF8 SF9 SF10 SF11 SF12 FDP_ACC.2 X X FDP_ACF.1 X X FDP_DAU.1 X FDP_ITC.1 X X FDP_RIP.1 X FDP_ROL.1 X FDP_SDI.2 X FIA_AFL.1 X FIA_ATD.1 X X X X X FIA_UAU.1 X FIA_UAU.4 X X FIA_UID.1 X FIA_USB.1 X X X X X FMT_MOF.1 X FMT_MSA.1 X FMT_MSA.2 X FMT_MSA.3 X FMT_MTD.1 X FMT_MTD.2 X FMT_SMR.1 X X X X X X FPR_UNO.1 X FPT_FLS.1 X X X X FPT_PHP.3 X FPT_RCV.4 X FPT_TDC.1 X X X X X FPT_TST.1 X X FRU_RSA.1 X X Table 4: Mapping between security functions and security functional requirements ID Motion V1 Security Target ST Applicable on: Page : 61 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Glossary Abbreviations and Acronyms Term Description ABEND Abnormal End (of MEL application execution). ADC Application Delete Certificate. ALC Application Load Certificate. ALU Application Load Unit. APB Application Pool Block. ATR Answer To Reset. CC Common Criteria (for Information Technology Security Evaluation, Version 2.1). CM Configuration Management. DES Data Encryption Standard (algorithm). EAL Evaluation Assurance Level. EEPROM Electronically Erasable Programmable Read Only Memory. ES Embedded Software IC Integrated Circuit. IFD Interface Device (to smartcard). IT Information Technology. KTU Key Transform Unit. MAOSCO MAOSCO refers to the MULTOS Consortium. The MULTOS Consortium controls the MULTOS specification and is responsible for advancing the MULTOS OS in all smartcard related markets. MCD MULTOS Carrier Device. MEL MULTOS Executable Language (application language). MSM MULTOS Security Manager. OSP Organisational Security Policies. PP Protection Profile. RAM Random Access Memory. ROM Read Only Memory. RSA Rivest-Shamir-Aldeman (algorithm). SAR Security Assurance Requirement. SFR Security Functional Requirement. SFP Security Function Policy. ST Security Target. TOE Target Of Evaluation. ID Motion V1 Security Target ST Applicable on: Page : 62 / 62 ⌧ Gemalto Public Gemalto Private Gemalto Restricted Gemalto Confidential Gemalto Secret . No disclosure to a third party without prior written consent of Gemalto Term Description TSC TSF Scope of Control. TSF TOE Security Functions. TSFI TSF Interface. TSP TOE Security Policy. Vocabulary Term Description Embedded software Software embedded in a smartcard IC. Embedded software may be in any part of the non-volatile memory of the IC. Integrated circuit (IC) Electronic component(s) designed to perform processing and/or memory functions. Phases Refers to the seven phases of the smartcard product lifecycle, as outlined in the “Smartcard Integrated Circuit Protection Profile.” I/O peripherals Material components of the TOE that manage its inputs/outputs. Smartcard A card according to ISO 7816 requirements, which has a non- volatile, memory and a processing unit embedded within it. Smartcard embedded software Composed of embedded software in charge of generic functions of the smartcard IC such as operating system, general routines and interpreters (smartcard basic software) and embedded software dedicated to the applications (smartcard application software). References [1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1, Revision 3, July 2009. [2] Common Criteria for Information Technology Security Evaluation, Part 2: Security functional requirements, Version 3.1, Revision “, July 2009. [3] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance requirements, Version 3.1, Revision ”, July 2009. [4] Common Criteria for Information Technology Security Evaluation, Protection Profile, Smartcard Integrated Circuit with Multi-Application Secure Platform, Version 2.0, November 2000, registered by French Certification Board under number PP/0010. [5] BSI reports BSI-DSZ-CC-0813-2012 [6] Infineon Technologies SLE78CLXxxxPM and Derivates Security Target-lite (relating to the IC product certified by the BSI under BSI-DSZ-CC-0813-2012). [AAM] MULTOS Architecture Specification - Application Abstract Machine - TEC-MAO- 101-004/v4.3.1 [HW-Manual] Hardware Reference Manual May 2012