Case type: 6. Registration number: 14FMV7878-71:1. Document ID: CB-015. Uncontrolled copy when printed. Template: CSEC_mall_doc.dot, 7.0. SECRET/ in accordance with the Public Access to Information and Secrecy Act (2009:400). 2017-06-16. Country of origin: Sweden.

Försvarets materielverk (Swedish Defence Materiel Administration)
Swedish Certification Body for IT Security

Certification Report - Kapsch SAM 5000
Issue: 1.0, 2017-06-16
Authorisation: Jerry Johansson, Lead Certifier, CSEC

Table of Contents

1 Executive Summary
2 Identification
3 Security Policy
3.1 Cryptographic Support
3.2 User Data Protection
3.3 Identification and Authentication
3.4 Security Management
3.5 Protection of the TSF
4 Assumptions and Clarification of Scope
4.1 Usage Assumptions
4.2 Environmental Assumptions
4.3 Clarification of Scope
5 Architectural Information
6 Documentation
7 IT Product Testing
7.1 Developer Testing
7.2 Evaluator Testing
7.3 Penetration Testing
8 Evaluated Configuration
9 Results of the Evaluation
10 Evaluator Comments and Recommendations
11 Bibliography
Appendix A Scheme Versions
A.1 Scheme/Quality Management System
A.2 Scheme Notes

1 Executive Summary

The TOE is SAM 5000, a smartcard/VQFN chip used for cryptographic operations and secure storage of cryptographic keys. The TOE is used in several roles as part of a road-toll system.

The TOE is a composition of an application software and a certified platform consisting of a hardware chip, a firmware and a software library. The application software version is SAM 5000 build 4.9. The hardware chip is the Infineon Technologies Smart Card IC Security Controller M9900, design step A22 and G11, of the SLE97 family (smart card) or the SLI97 family (VQFN chip).
The firmware has identifier 80001141, and the software library is SLE97 Asymmetric Crypto Library for Crypto@2304T RSA/ECC/Toolbox v1.03.006. The TOE is delivered in batches to customers who operate a road-toll system, who in turn deliver single TOEs to end users of the road-toll system.

The certified platform is compliant with the Security IC Platform Protection Profile, BSI-PP-0035 [PP], and was certified by BSI on 2016-11-23 with certificate identifier BSI-DSZ-CC-0827-V4-2016.

Four assumptions are made in the ST regarding the secure usage and environment of the TOE. The TOE relies on these to counter the fourteen threats and to comply with the five organisational security policies (OSPs) in the ST. The assumptions, threats and OSPs are described in chapter 4, Assumptions and Clarification of Scope.

The evaluation has been performed by Combitech AB in Växjö, Sweden. The site visit and parts of the testing were performed in Vienna, Austria. The evaluation was completed on 2017-06-08. The evaluation was conducted in accordance with the requirements of Common Criteria (CC), version 3.1 release 4. Combitech AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. Combitech AB is also accredited by the Swedish accreditation body according to ISO/IEC 17025 for Common Criteria.

The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports, and by observing the site visit and testing. The certifier determined that the evaluation results confirm the security claims in the Security Target (ST) and the Common Methodology for evaluation assurance level EAL 5. The technical information in this report is based on the Security Target (ST) and the Final Evaluation Report (FER) produced by Combitech AB.
The certification results only apply to the version of the product indicated in the certificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied.

2 Identification

Certification Identification

  Certification ID:          CSEC2014007

  Name and version of the certified IT product:
                             SAM 5000 build 4.9,
                             SLE97 Asymmetric Crypto Library for Crypto@2304T RSA/ECC/Toolbox v1.03.006,
                             BOS-V1 and RMS firmware with ID 80001141,
                             Infineon Technologies Smart Card IC Security Controller M9900, design step A22 and G11,
                             of the SLE97 family (smart card) or the SLI97 family (VQFN chip)

  Security Target Identification:
                             Security Target for Kapsch SAM 5000, Kapsch TrafficCom AB, 2017-06-13, document version G
                             Security Target Lite for Kapsch SAM 5000, Kapsch TrafficCom, 8633 902-390, revision A

  EAL:                       EAL 5
  Sponsor:                   Kapsch TrafficCom AB
  Developer:                 Kapsch TrafficCom AB
  ITSEF:                     Combitech AB
  Common Criteria version:   3.1 release 4
  CEM version:               3.1 release 4
  QMS version:               1.20.4
  Recognition Scope:         CCRA, SOGIS and EA/MLA. Within CCRA the certificate is recognised as EAL 2,
                             and within SOGIS the certificate is recognised as EAL 4.
  Certification date:        2017-06-16

3 Security Policy

• Cryptographic Support
• User Data Protection
• Identification and Authentication
• Security Management
• Protection of the TSF

3.1 Cryptographic Support

The TOE provides cryptographic support to the user and for the protection of the TSF.
The cryptographic support includes encryption and decryption of data and keys using the AES, DES, RSA and ECC algorithms. Authentication of data is provided as AES and DES MAC calculation and verification, as well as digital signatures using RSA or ECC. Cryptographic keys are generated for AES, DES, RSA and ECC, and can also be established using an EC DH scheme. Cryptographic keys can be backed up, and keys are destroyed in a secure way.

Algorithms:
• Data Encryption Standard (DES)
• Triple Data Encryption Standard (3DES)
• Rivest-Shamir-Adleman (RSA)
• Advanced Encryption Standard (AES)
• Secure Hash Algorithm (SHA-1, SHA-256) as part of signature calculation/verification
• Random Number Generator (RNG)
• Elliptic Curve Cryptography (ECC)

3.2 User Data Protection

Access to sensitive assets is restricted by an access control policy, the Access Condition Policy, which requires authentication according to configurable access conditions.

Import and export of sensitive assets are restricted by an information flow control policy, the Import/Export Key Policy, which requires authentication before import or export can take place and ensures that the assets are protected for confidentiality, integrity and authenticity.

3.3 Identification and Authentication

Authentication is required according to the access conditions set for each asset. The authentication can be performed by PIN, by a challenge-response scheme, by a Diffie-Hellman key exchange scheme, or by a calculated MAC authentication code. Re-authentication is required according to configurable conditions. PIN secrets shall be of a certain minimum length, and unsuccessful authentication attempts shall block the PIN. Unsuccessful attempts to unblock the PIN shall block the unblocking function.
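The rules in 3.3 describe a retry-limited PIN, an unblocking function that itself blocks after repeated failures, a challenge-response scheme, and re-authentication under configurable conditions. The Python model below is an added illustration of how those rules interact; it is not Kapsch code and is not derived from the TOE's implementation or the [API]. The retry budgets, the minimum PIN length, the HMAC-SHA-256 response computation, the single-use challenge that rejects replays, and the 20000-command limit (borrowing the figure quoted in assumption A.Counter in section 4.1) are all assumptions made for the illustration.

```python
"""Model of the section 3.3 authentication rules (PIN with blocking,
challenge-response, forced re-authentication) and the replay check they
imply. Added illustration, not Kapsch code; retry budgets, PIN length,
the HMAC-SHA-256 response and the 20000 limit (the figure quoted in
A.Counter) are assumptions."""
import hashlib
import hmac
import secrets

MIN_PIN_LEN = 4        # assumption for "PIN secrets shall be of a certain length"
MAX_PIN_TRIES = 3      # assumption: wrong PINs before the PIN blocks
MAX_UNBLOCK_TRIES = 3  # assumption: wrong unblock codes before unblocking blocks
USAGE_LIMIT = 20000    # assumption, mirroring "e.g. 20000" in A.Counter


class AuthError(Exception):
    """Operation refused for authentication reasons."""


class SamAuthModel:
    def __init__(self, pin: bytes, unblock_code: bytes, auth_key: bytes):
        if len(pin) < MIN_PIN_LEN:
            raise ValueError("PIN shorter than the configured minimum")
        self._pin = pin
        self._unblock_code = unblock_code
        self._auth_key = auth_key        # MAC key shared with the host
        self.pin_tries_left = MAX_PIN_TRIES
        self.unblock_tries_left = MAX_UNBLOCK_TRIES
        self.authenticated = False
        self.usage_counter = 0           # security-critical commands since auth
        self._challenge = None           # at most one outstanding challenge

    def _open_session(self) -> None:
        self.authenticated = True
        self.usage_counter = 0

    # PIN: each wrong guess consumes the retry budget; at zero the PIN blocks.
    def verify_pin(self, candidate: bytes) -> bool:
        if self.pin_tries_left == 0:
            raise AuthError("PIN blocked; unblocking required")
        if hmac.compare_digest(candidate, self._pin):
            self.pin_tries_left = MAX_PIN_TRIES
            self._open_session()
            return True
        self.pin_tries_left -= 1
        return False

    # Unblocking is rate-limited too; once it blocks, no recovery path is left.
    def unblock_pin(self, unblock_candidate: bytes, new_pin: bytes) -> bool:
        if self.unblock_tries_left == 0:
            raise AuthError("unblocking function blocked")
        if not hmac.compare_digest(unblock_candidate, self._unblock_code):
            self.unblock_tries_left -= 1
            return False
        if len(new_pin) < MIN_PIN_LEN:
            raise ValueError("new PIN shorter than the configured minimum")
        self._pin = new_pin
        self.pin_tries_left = MAX_PIN_TRIES
        self.unblock_tries_left = MAX_UNBLOCK_TRIES
        return True

    # Challenge-response: the host MACs a fresh random challenge. The
    # challenge is consumed on first use, so a replayed response fails.
    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def verify_response(self, response: bytes) -> bool:
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            raise AuthError("no outstanding challenge (stale or replayed)")
        expected = hmac.new(self._auth_key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self._open_session()
            return True
        return False

    # Usage counter: reaching the limit ends the session, forcing re-auth.
    def security_critical_command(self) -> int:
        if not self.authenticated:
            raise AuthError("authentication required")
        self.usage_counter += 1
        if self.usage_counter >= USAGE_LIMIT:
            self.authenticated = False
        return self.usage_counter


def host_response(auth_key: bytes, challenge: bytes) -> bytes:
    """Host side of the exchange: the same HMAC over the challenge."""
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


def replay_is_rejected(key: bytes) -> bool:
    """Run one genuine exchange, then replay the identical response."""
    sam = SamAuthModel(b"1234", b"87654321", key)
    response = host_response(key, sam.get_challenge())
    first = sam.verify_response(response)
    try:
        sam.verify_response(response)
        return False
    except AuthError:
        return first
```

Two points in this model matter for a practitioner. A consumed challenge cannot be answered twice, so a captured response is refused on replay even though its MAC is valid; this is the same property 3.5 describes for key import and export. And because the unblocking function has its own budget, the sequence of too many wrong PINs followed by too many wrong unblock codes ends in a state the model never recovers from, which is the price the rule in 3.3 accepts for bounding the number of guesses at either secret. In the ST, the duty of acting on the usage counter is placed on the operational environment (A.Counter); here the SAM model drops the session itself so the effect of the counter is visible in one place.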
3.4 Security Management

Certain management functions can be performed, and the access condition security attributes shall have restricted default values.

3.5 Protection of the TSF

Measures are applied to detect replay attempts at export and import of keys, as well as at reading and updating of binary file contents within the TOE. Memory provided by the operational environment is functionally tested at start-up, and the result can be read by the user.

4 Assumptions and Clarification of Scope

4.1 Usage Assumptions

The Security Target [ST] makes three assumptions on the usage of the TOE.

A.Deployment – The TOE operational environment is assumed to react to faulty deployment performed by the authorised service personnel.

A.No_Evil – Authorised administrators and service personnel are assumed to be security screened as non-hostile, sufficiently trained, and willing to follow their instructions before being authorised to interact with the TOE.

A.Counter – The TOE operational environment is assumed to use the Security Critical Commands Usage Counter to request a new authentication before e.g. 20000 Triple-DES or AES operations have been performed.

4.2 Environmental Assumptions

The Security Target [ST] makes one assumption on the operational environment of the TOE.

A.OBU_Protection – The operational environment of the TOE, when deployed as TR-SAM in an OBU, is assumed to be equipped with tamper protection.

4.3 Clarification of Scope

The Security Target contains six threats that have been considered during the evaluation.

T.Logical_Leak – A threat agent may logically attack the TOE in order to reveal sensitive assets. The disclosure may be achieved through deficiencies in the TOE external communication protocols or in the TOE internal asset handling.
T.Logical_Manipulation – A threat agent may logically attack the TOE in order to modify or remove sensitive assets. The attack may be achieved through deficiencies in the TOE external communication protocols or in the TOE internal asset handling.

T.Eavesdropping – A threat agent may listen to and successfully interpret sensitive assets sent or received over the TOE external interface.

T.Spoofing – A threat agent may try to disguise itself as an authorised user in order to disclose, manipulate or remove sensitive assets.

T.Replay – A threat agent may gain access to sensitive information by replaying TOE external communication.

T.Unint_Corruption – An authorised user may by mistake override or bypass security features of the TOE, or enable opportunities for others to do so.

The Security Target also contains eight threats that have been considered both during the evaluation and certification of the underlying platform and during the evaluation of the current TOE.

T.Phys-Manipulation – Physical Manipulation – see [PP] section 3.2.
T.Phys-Probing – Physical Probing – see [PP] section 3.2.
T.Malfunction – Malfunction due to Environmental Stress – see [PP] section 3.2.
T.Leak-Inherent – Inherent Information Leakage – see [PP] section 3.2.
T.Leak-Forced – Forced Information Leakage – see [PP] section 3.2.
T.Abuse-Func – Abuse of Functionality – see [PP] section 3.2.
T.RND – Deficiency of Random Numbers – see [PP] section 3.2.
T.Mem-Access – Memory Access Violation – see [PlatformST] section 3.3.

The Security Target contains five Organisational Security Policies (OSPs) that have been considered during the evaluation.
P.Crypto – The TOE shall provide cryptographic mechanisms, including mechanisms to encrypt and decrypt user data, calculate and verify message authentication codes over user data, calculate and verify digital signatures over user data, derive keys, encrypt and decrypt keys, and generate random data for key and challenge generation.

P.Keys – The TOE shall provide secure key mechanisms, including mechanisms to generate, derive, import, export and back up keys. The TOE (P-SAM) shall increment a derivation counter monotonically every time a key is derived. The derivation counter shall start at zero and shall not be possible to reset after SAM production until the key is deleted.

P.Memory_Test – The TOE shall detect memory deficiencies in the operational environment at initial start-up.

P.Process-TOE – Protection during TOE Development and Production – see [PP] section 3.3.

P.Add-Functions – Additional Specific Security Functionality – see [PlatformST] section 3.4.

5 Architectural Information

The TOE physical scope is illustrated in a figure in the report (not reproduced in this text). In that figure, the external calling application represents components in the road-toll system where the TOE is used.

The TOE SW is SAM 5000 build 4.9. The certified platform consists of:
- the software library SLE97 Asymmetric Crypto Library for Crypto@2304T RSA/ECC/Toolbox
- the firmware, including the boot software (BOS-V1) and the resource management system (RMS)
- the hardware Infineon Technologies Smart Card IC Security Controller M9900, design step A22 and G11, of the SLE97 family (smart card) or the SLI97 family (VQFN chip).

6 Documentation

The end users of the TOE do not interact directly with the TOE. All interaction takes place through components of the road-toll system.
Therefore, the relevant guidance is the API description used by the developer of the road-toll system, Kapsch TrafficCom AB, who is also the developer of the TOE: Interface specification for Kapsch SAM 5000 [API].

7 IT Product Testing

7.1 Developer Testing

All external interfaces were tested thoroughly by the developer using a proprietary programmable test tool. Both positive and negative tests were performed. The internal interfaces were tested indirectly, through the external interfaces. The SFRs were completely covered, and both form factors were covered.

7.2 Evaluator Testing

The evaluators tested the TOE in their own premises in Växjö, Sweden. The developer's test tool was used to verify a subset of the developer's tests, as well as to run some complementary tests. All versions of the TOE were tested. The internal interfaces were also investigated by means of code review.

7.3 Penetration Testing

The evaluators performed negative tests, verifying the handling of various parameter values and lengths. The penetration testing was also supported by code review.

8 Evaluated Configuration

The TOE comprises the card application SAM 5000 build 4.9 and the certified platform. The configurations of the certified platform used in the TOE are:
- the software library SLE97 Asymmetric Crypto Library for Crypto@2304T RSA/ECC/Toolbox, version 1.03.006
- the firmware, including the boot software (BOS-V1) and the resource management system (RMS), firmware ID 80001141
- the hardware Infineon Technologies Smart Card IC Security Controller M9900, design step A22 and G11, of the SLE97 family (smart card) or the SLI97 family (VQFN chip).
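P.Keys (section 4.3) requires the P-SAM, the role that personalises On Board Units, to increment a derivation counter monotonically on every key derivation, starting at zero and not resettable after SAM production until the key is deleted. The Python model below is an added illustration of that rule; it is not Kapsch code and is not taken from the [API]. The HMAC-SHA-256 counter-mode derivation, the dictionary standing in for the SAM's non-volatile memory, and all names are assumptions made for the illustration.

```python
"""Model of the P.Keys derivation-counter rule for the P-SAM role: the
counter starts at zero, increments on every key derivation, cannot be
reset while the key exists, and is cleared only when the key is deleted.
Added illustration, not Kapsch code; the HMAC-SHA-256 counter-mode KDF,
the persistence layout and all names are assumptions."""
import hashlib
import hmac
from typing import Dict, List, Optional


class KeyDeleted(Exception):
    """Derivation requested against a slot whose key has been deleted."""


class ResetRefused(Exception):
    """Counter reset attempted while the key is still present."""


class PSamKeySlot:
    """One master-key slot with its monotonic derivation counter.

    `store` stands in for the SAM's non-volatile memory: the counter is
    updated there before the derived key is released, so a power cycle
    between two derivations cannot roll it back.
    """

    def __init__(self, store: Dict[str, dict], slot_id: str,
                 master_key: Optional[bytes] = None):
        self._store = store
        self._slot = slot_id
        if master_key is not None:                  # SAM production: load key
            store[slot_id] = {"key": master_key, "counter": 0}

    @property
    def counter(self) -> int:
        return self._store[self._slot]["counter"]

    def derive(self, context: bytes) -> bytes:
        """Derive a key bound to the current counter value and a context label."""
        entry = self._store[self._slot]
        if entry["key"] is None:
            raise KeyDeleted(self._slot)
        entry["counter"] += 1                       # monotonic, never decremented
        ctr = entry["counter"].to_bytes(4, "big")
        return hmac.new(entry["key"], ctr + b"|" + context, hashlib.sha256).digest()

    def reset_counter(self) -> None:
        """P.Keys: no reset path exists while the key is present."""
        raise ResetRefused(self._slot)

    def delete_key(self) -> None:
        entry = self._store[self._slot]
        entry["key"] = None
        entry["counter"] = 0                        # reset is tied to deletion


def derive_obu_keys(slot: PSamKeySlot, obu_ids: List[bytes]) -> Dict[bytes, bytes]:
    """Personalise a batch of OBUs; each receives its own derived key."""
    return {obu: slot.derive(obu) for obu in obu_ids}
```

Because the counter value is part of the KDF input, two derivations for the same OBU identifier yield different keys, and the counter doubles as an audit record of how many personalisation keys the P-SAM has issued. Advancing the stored counter before the derived key leaves the slot is what makes the counter trustworthy across power cycles; a host that could reset it would also be able to make the P-SAM re-issue an earlier key.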
The TOE is used by a road-toll system in one of five different roles:
- Communication Point SAM (CP-SAM): installed in a Road Side System.
- Central Services SAM (CS-SAM): installed centrally in a security server in the Toll Charger Central Services.
- Master SAM (M-SAM): installed in a secure environment in a Key Initialization Facility.
- OBU Personalisation SAM (P-SAM): used for programming of On Board Units, e.g. in On Board Unit production.
- Trusted Recorder SAM (TR-SAM): installed in an On Board Unit in a vehicle.

9 Results of the Evaluation

The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Moderate, the level addressed by the AVA_VAN.4 component claimed at EAL 5.

The certifier reviewed the work of the evaluator and determined that the evaluation was conducted in accordance with the Common Criteria [CC].

The evaluators' overall verdict is PASS.
The verdicts for the assurance classes and components are summarised in the following table:

Assurance class / family               Component    Verdict
Development                            ADV          PASS
  Security Architecture                ADV_ARC.1    PASS
  Functional Specification             ADV_FSP.5    PASS
  Implementation Representation        ADV_IMP.1    PASS
  TSF Internals                        ADV_INT.2    PASS
  TOE Design                           ADV_TDS.5    PASS
Guidance Documents                     AGD          PASS
  Operational User Guidance            AGD_OPE.1    PASS
  Preparative Procedures               AGD_PRE.1    PASS
Life-cycle Support                     ALC          PASS
  CM Capabilities                      ALC_CMC.4    PASS
  CM Scope                             ALC_CMS.5    PASS
  Delivery                             ALC_DEL.1    PASS
  Development Security                 ALC_DVS.1    PASS
  Life-cycle Definition                ALC_LCD.1    PASS
  Tools and Techniques                 ALC_TAT.2    PASS
Security Target Evaluation             ASE          PASS
  ST Introduction                      ASE_INT.1    PASS
  Conformance Claims                   ASE_CCL.1    PASS
  Security Problem Definition          ASE_SPD.1    PASS
  Security Objectives                  ASE_OBJ.2    PASS
  Extended Components Definition       ASE_ECD.1    PASS
  Security Requirements                ASE_REQ.2    PASS
  TOE Summary Specification            ASE_TSS.1    PASS
Tests                                  ATE          PASS
  Coverage                             ATE_COV.2    PASS
  Depth                                ATE_DPT.3    PASS
  Functional Tests                     ATE_FUN.1    PASS
  Independent Testing                  ATE_IND.2    PASS
Vulnerability Assessment               AVA          PASS
  Vulnerability Analysis               AVA_VAN.4    PASS

10 Evaluator Comments and Recommendations

DES has been included as a security mechanism in the TOE for compatibility with legacy systems. Single DES offers only a 56-bit effective key, which no longer withstands exhaustive key search. Whenever possible, it is recommended to use Triple-DES or AES instead.
11 Bibliography

[ST]          Security Target for Kapsch SAM 5000, Kapsch TrafficCom, 2017-06-13, revision G, Confidential
[STLite]      Security Target Lite for Kapsch SAM 5000, Kapsch TrafficCom, 8633 902-390, revision A
[PP]          Security IC Platform Protection Profile, BSI-PP-0035, 2007-06-15, version 1.0
[PlatformST]  Security Target Lite M9900, M9905, M9906 including optional Software Libraries RSA-EC-SCL-PSL, Infineon, 2016-10-11, version 2.6
[API]         Interface Specification for Kapsch 5000, Kapsch TrafficCom, 2016-08-16, revision G
[CC]          Common Criteria for Information Technology Security Evaluation, Part 1-3, CCMB-2017-04-001 through 003, version 3.1, revision 5
[CEM]         Common Methodology for Information Technology Security Evaluation, CCMB-2017-04-004, version 3.1, revision 5
[SP-002]      Evaluation and Certification, CSEC, 2017-04-04, version 25.0
[SP-188]      Scheme Crypto Policy, CSEC, 2017-04-04, version 7.0
[JIL]         Composite product evaluation for Smart Cards and similar devices, JIL, version 1.4, August 2015
[SITE REQ]    Minimum site security requirements, JIL, version 1.1, July 2013
[ARC]         Security Architecture requirements (ADV_ARC) for Smart Cards and similar devices, CCRA, CCDB-2014-04-001, version 2.1, April 2014

Appendix A Scheme Versions

During the certification, the following versions of the Swedish Common Criteria Evaluation and Certification Scheme have been used.
A.1 Scheme/Quality Management System

During the certification project, the following versions of the quality management system (QMS) have been applicable since the certification application was received:

QMS 1.19.3  valid from 2016-06-02
QMS 1.20    valid from 2016-10-20
QMS 1.20.1  valid from 2017-01-12
QMS 1.20.2  valid from 2017-02-27
QMS 1.20.3  valid from 2017-04-24
QMS 1.20.4  valid from 2017-05-11

In order to ensure consistency in the outcome of the certification, the certifier has examined the changes introduced in each update of the quality management system. The changes between consecutive versions are outlined in the change list "Ändringslista CSEC QMS 1.20.4". The certifier concluded that, from QMS 1.19.3 to the current QMS 1.20.4, there are no changes with impact on the result of the certification.

A.2 Scheme Notes

The following Scheme interpretations have been considered during the certification:

Scheme Note 11 - Methodology for AVA_VAN 4 and 5
Scheme Note 15 - Demonstration of test coverage
Scheme Note 16 - Additional planning requirements
Scheme Note 18 - Highlighted Requirements on the Security Target