NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite Rev. 1.1 — 29 March 2019 Product evaluation document COMPANY PUBLIC Document information Information Content Keywords Security Target, Crypto Library, Services Software, NCJ38AC B0.2CB Abstract This document is the Security Target of NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive. The TOE is a composite TOE, consisting of the hardware “NCJ38A0 High-performance secure microcontroller for Automotive” which is used as evaluated platform, and the “Security Software on NCJ38A0”, which is built upon this platform. Both parts are developed and provided by NXP Semiconductors. NCJ38AC complies with Evaluation Assurance Level 5 of the Common Criteria for Information Technology Security Evaluation Version 3.1 with augmentations. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 2 / 67 Revision history Revision number Date Description 1.1 2019-03-29 Adapt from full Security Target v1.1 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 3 / 67 Glossary AES Advanced Encryption Standard API Application Programming Interface CBC Cipher Block Chaining (a block cipher mode of operation) CBC-MAC Cipher Block Chaining Message Authentication Code CC Common Criteria Version 3.1 CRC Cyclic Redundancy Check DES Data Encryption Standard ECB Electronic Code Book (a block cipher mode of operation) ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman Key Exchange FLASH A type of Non-Volatile Memory that can be electrically erased and reprogrammed GCM Galois/Counter mode HMAC Keyed-Hashing for Message Authentication according to FIPS PUB 198-1 IT Information Technology KDF Key Derivation Function OSCCA Office of the State Commercial Cryptography Administration (PRC) PKC Public Key Cryptography PKCS#1 Public Key Cryptography Standard #1 for RSA Algorithms PP Protection Profile RAM Random Access Memory ROM Read Only Memory RNG Random Number Generator RSA Rivest-Shamir-Adelman Public Key Algorithms SFR Security Functional Requirement (CC context) SHA Secure Hash Algorithm ECDSA Elliptic Curve Digital Signature Algorithm ECDAA Elliptic Curve Direct Anonymous Attestation TDES Triple DES Algorithm (using 2 or 3 keys) TOE Target of Evaluation TPM 2.0 Trusted Platform Module v2.0 TSF Part of the TOE that realises the security functionality V2X Vehicle to Everything Communication NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 4 / 67 1 ST Introduction This chapter is divided into the following sections: "ST Identification", "TOE Overview" and "TOE Description". 1.1 ST Reference “NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive, Security Target, Revision 1.1, NXP Semiconductors, 29 March 2019" 1.2 TOE Reference The TOE is named "NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive". The TOE is a composite TOE, consisting of: • The hardware “NCJ38A0 High-performance secure microcontroller for Automotive” which is used as evaluated platform. • The software “Security Software on NCJ38A0” which is built upon this platform. This Security Target builds on the Hardware Security Target [35], which refers to the “NCJ38A0”, provided by NXP Semiconductors. This is not a composite evaluation in a sense that the software part is evaluated together with the hardware part. Therefore, both Security Targets shall be considered together. The NCJ38A0 High-performance secure microcontroller for Automotive is named "NCJ38A0" in short. The Security Software on NCJ38A0 is named "Security Software" in short. The TOE is delivered in two physical configurations NCJ38AC B0.2CB and B0.2C8. 1.3 TOE Overview 1.3.1 Introduction The Hardware Security Target [35] contains, in Section 1.3 “TOE Overview”, an introduction about the NCJ38A0 hardware TOE that is considered in the evaluation. The Hardware Security Target includes the NCJ38A0 hardware platform provided with IC Dedicated Software. The Security Software provides software that can be used by the Security IC Embedded Software. It consists of Services Software and Crypto Library. Services Software The Services Software consists of Flash Services Software and Services Framework Software. The Flash Services Software manages technical demands of the Flash memory and serves the Security IC Embedded Software with an interface for Flash erase and/or programming. The Services Framework Software represents a collection of different abstractions and utility functions that provide a runtime environment to the individual Services. Crypto Library NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 5 / 67 The Crypto Library consists of several binary packages that are intended to be linked to the Security IC Embedded Software. The Security IC Embedded Software developer links the binary packages that he needs to his Embedded Software and the whole is subsequently implemented in arbitrary memory (Flash) of the hardware platform. The NCJ38A0 provides the computing platform and cryptographic support by means of co- processors for the Crypto Library. The Security Software of NCJ38AC provides the security functionality described below in addition to the functionality described in the Hardware Security Target [35] for the hardware platform. The Security Software uses hardware functionality that is covered by the scope of the platform evaluation like the PKC coprocessor. The Crypto Library provides AES 1 , DES 1 , Triple-DES (3DES) 1 , RSA, RSA key generation, RSA public key computation, ECDSA (ECC over GF(p)) signature generation and verification, ECDH (ECC Diffie-Hellmann) key-exchange, full point addition (ECC over GF(p)), ECDAA, standard security level SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384, SHA-3/512 algorithms, high security level SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384, SHA-3/512 algorithms, and HMAC algorithms. 2 Dedicated cryptographic operations for Automotive are supported by V2X library elements: low-latency ECDSA signature generation and ECC key derivation. In addition, the Crypto Library implements a software (pseudo) random number generator which is initialized (seeded) by the hardware random number generator of the P73. The Crypto Library also provides a secure copy routine, a secure memory move routine, a secure memory compare routine, cyclic redundancy check (CRC) routines, and includes internal security measures for residual information protection. Note that the Crypto Library also implements KoreanSeed, Felica, OSCCA SM2, OSCCA SM3 and OSCCA SM4. However, KoreanSeed, Felica, OSCCA SM2, OSCCA SM3 and OSCCA SM4 are not in the scope of evaluation. Two versions of Crypto Library are within the scope of evaluation of the TOE NCJ38AC as follows: • B0.2CB: Crypto Library 2.6.1 (plus Services Software 1.13.3) • B0.2C8: Crypto Library 2.5.1 (plus Services Software 1.13.3) 1.3.2 Life-Cycle The Security Software is delivered in Phase 1 3 as a software package (a set of binary files) to the developer of Security IC Embedded Software, to support its development process and to ensure compatibility when using the Security Software on the product. The life cycle of the hardware platform as part of the TOE is described in Section 1.4.4 "Security During Development and Production" of the Hardware Security Target [35]. The Security Software uses the delivery process of the hardware platform, as the Security Software is preloaded to the Flash memory area of the IC. The Security Software is stored separately from the Security IC Embedded Software to the Flash memory area under control of NXP. 1 AES, DES, and Triple-DES can be used in ECB, CBC, CTR, CBC-MAC, or CMAC mode. In addition, AES can be used in GCM mode. 2 To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). 3 For a definition of the Phases refer to Section 1.2.3 'TOE life cycle’ of the Protection Profile [5] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 6 / 67 Security during Development and Production The development process of the TOE is part of the evaluation. The access to the implementation documentation, test bench and the source code is restricted to the development team of the TOE. The security measures installed within NXP, including a secure delivery process, ensure the integrity and quality of the delivered Security Software binary files. 1.3.3 Specific Issues of Hardware and the Common Criteria Regarding the Application Note 2 of the Protection Profile [5] the TOE provides additional functionality which is not covered in the Protection profile [5] and the Hardware Security Target [35]. This additional functionality is added this Security Target (see Section 3.3). 1.4 TOE Description The Target of Evaluation (TOE) consists of a hardware part (incl. IC Dedicated Software) and a software part: • The hardware part "NCJ38A0" consists of the NCJ38A0 with IC Dedicated Software. The IC Dedicated Software of NCJ38A0 comprises IC Dedicated Support Software. The IC Dedicated Support Software is composed of test software named Factory OS, boot software named Boot OS and memory driver software named Flash Driver Software. The NCJ38A0 provides a programming interface (PI) for NXP, which gives access to the Flash Driver Software. For details, see [35]. The hardware part of the TOE includes dedicated guidance documentation [37]. • The software part "Security Software" is an extension of IC Dedicated Software that provides Services Software and Crypto Library (either version 2.6.1 or 2.5.1), that can be operated on the hardware platform as described in this Security Target. The IC hardware and the IC Dedicated Support Software components of "NCJ38A0" are listed in Table 1. These parts of the TOE are not described in this document, please refer to the Hardware Security Target [35]. This latter document will be cited wherever appropriate. Table 1. IC Hardware and IC Dedicated Support Software components of NCJ38A0 common for any logical configuration Category Component Identificatio n Delivery form IC Hardware base layer and fixed metal masks B0.2 Package Factory OS 1.4.4 On-chip software. Stored to the ROM of the TOE Boot OS 1.2.3 PL4 v16 On-chip software. Stored to the ROM of the TOE. Boot OS patch stored to the System page in the FLASH area of the TOE IC Dedicated Support Software Flash Driver Software 1.5.2 On-chip software. Stored to the ROM of the TOE The TOE consists of all TOE components listed in Table 1 (also in Table 1 of the Hardware Security Target [35]) plus all components listed in Table 2 and either all components listed in Table 3 or Table 4. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 7 / 67 Table 2. Components of the TOE related to the Services Software Type Name Release Form of Delivery Flash Services Software Services Software Services Framework Software 1.13.3 Binary Services NVM image file encoded in Intel HEX format, stored to the Service Flash memory area of the die Documents Services User Manual, API and Operational Guidance [38] PDF document Table 3. Components of the TOE related to the Crypto Library 2.6.1 Type Name Release (Version or SHA-256 hash) Form of Delivery The Crypto Library consists of an entire set of individual Library Components, each providing an individual release version given below, that can be identified as decribed in [12] Crypto Library 2.6.1 Components are: 2.6.1 Binary Crypto Library NVM image file encoded in Intel HEX format, stored to the Shared Flash memory area of the die libphClEccGfpV2x.a 1.0 libphClUtilsV2x.a 2.0 libphClUtilsMathV2x.a bf4e249317cbef05590a65 4308ad30ae58c16a886e6 dc7d4fe31b36b5bd08e43 libphClRsa.a 1.0 libphClRsaKg.a 1.7 libphClEccGfp.a 0.16 libphClEcdaa.a 0.4 libphClSha.a 0.0 libphClSecSha.a 0.0 libphClSha3.a 0.0 libphClSecSha3.a 0.0 libphClRng.a 1.1 phClRngHealthTest.a 1.1 libphClUtils.a 1.0 phClUtilsAsym.a 1.0 libphClSymCfg.a 1.0 libphClHmac.a 0.0 Crypto Library libphClKoreanSeed.a [1] 0.0 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 8 / 67 Type Name Release (Version or SHA-256 hash) Form of Delivery libphClFelica.a [1] 0.5 libphClOscca.a [1] SM2: 0.3 SM3: 0.0 SM4: 0.0 User Guidance Manual [12] PDF document User Manual: ECC over GF(p) V2X [24] PDF document User Manual: Utils V2X [25] PDF document User Manual: Utils Math V2X [26] PDF document User Manual: RSA [21] PDF document User Manual: RSA Key Generation [22] PDF document User Manual: ECC over GF(p) [23] PDF document User Manual: ECDAA [27] PDF document User Manual: SHA [15] PDF document User Manual: SecSHA [16] PDF document User Manual: SHA3 [17] PDF document User Manual: SecSHA3 [18] PDF document User Manual: Hash [19] PDF document User Manual: RNG [13] PDF document User Manual: Utils [28] PDF document User Manual: SymCfg [29] PDF document User Manual: HMAC [20] PDF document User Manual: KoreanSeed [1] [30] PDF document User Manual: Felica [1] [31] PDF document User Manual: SM2 [1] [32] PDF document User Manual: SM3 [1] [33] PDF document Documents User Manual: SM4 [1] [34] PDF document [1] However, KoreanSeed, Felica, OSCCA SM2, OSCCA SM3 and OSCCA SM4 are not in the scope of evaluation. Table 4. Components of the TOE related to the Crypto Library 2.5.1 Type Name Release (Version or SHA-256 hash) Form of Delivery Crypto Library The Crypto Library consists of an entire set of individual Library Components, each providing an individual release version given below, that can be identified as decribed in [12] Crypto Library 2.5.1 Components are: 2.5.1 Binary Crypto Library NVM image file encoded in Intel HEX format, stored to the Shared Flash memory area of the die NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 9 / 67 Type Name Release (Version or SHA-256 hash) Form of Delivery libphClEccGfpV2x.a 1.0 libphClUtilsV2x.a 2.0 libphClUtilsMathV2x.a 68d8cb0ebb4bd4f7db11f 7b3df733fe257a3267c07c 27505e99f957ca61269dd libphClRsa.a 1.0 libphClRsaKg.a 1.7 libphClEccGfp.a 0.16 libphClEcdaa.a 0.4 libphClSha.a 0.0 libphClSecSha.a 0.0 libphClSha3.a 0.0 libphClSecSha3.a 0.0 libphClRng.a 1.0 phClRngHealthTest.a 1.1 libphClUtils.a 1.0 phClUtilsAsym.a 1.0 libphClSymCfg.a 1.0 libphClHmac.a 0.0 libphClKoreanSeed.a [1] 0.0 libphClFelica.a [1] 0.5 libphClOscca.a [1] SM2: 0.3 SM3: 0.0 SM4: 0.0 User Guidance Manual [12] PDF document User Manual: ECC over GF(p) V2X [24] PDF document User Manual: Utils V2X [25] PDF document User Manual: Utils Math V2X [26] PDF document User Manual: RSA [21] PDF document User Manual: RSA Key Generation [22] PDF document User Manual: ECC over GF(p) [23] PDF document User Manual: ECDAA [27] PDF document User Manual: SHA [15] PDF document User Manual: SecSHA [16] PDF document User Manual: SHA3 [17] PDF document User Manual: SecSHA3 [18] PDF document User Manual: Hash [19] PDF document Documents User Manual: RNG [14] PDF document NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 10 / 67 Type Name Release (Version or SHA-256 hash) Form of Delivery User Manual: Utils [28] PDF document User Manual: SymCfg [29] PDF document User Manual: HMAC [20] PDF document User Manual: KoreanSeed [1] [30] PDF document User Manual: Felica [1] [31] PDF document User Manual: SM2 [1] [32] PDF document User Manual: SM3 [1] [33] PDF document User Manual: SM4 [1] [34] PDF document [1] However, KoreanSeed, Felica, OSCCA SM2, OSCCA SM3 and OSCCA SM4 are not in the scope of evaluation. 1.4.1 Hardware description The NXP NCJ38A0 hardware is described in Section 1.4.3.1 “Hardware Description” of the Hardware Security Target [35]. The IC Dedicated Software delivered with the hardware platform is described in Section 1.4.3.2 “Software Description” of the Hardware Security Target [35]. 1.4.2 Software description The Security Software consists of Services Software and Crypto Library. 1.4.2.1 Services Software The Services Software comprises of the Flash Services Software and Services Framework Software. Flash Services Software • The Flash Services Software manages technical demands of the Flash memory and serves the Security IC Embedded Software with an interface for Flash erase and/or programming. • The Flash Services Software maintains the Flash with re-freshing, tearing-safe updates of Flash contents and wear leveling techniques to ensure integrity and consistency of its content and optimize its endurance. • For more details, see [38]. Services Framework Software • The Services Framework Software provides the utility functionality and interface for actual services. This comprises the control of services related functionality such as the resource management, patch handling, service and system configurations functionality. • For more details, see [38]. 1.4.2.2 Crypto Library Both Crypto Library 2.6.1 and 2.5.1 (or parts thereof 4 ) comprises a same set of cryptographic functions described as follows. 4 Crypto functions are supplied as a library rather than as a monolithic program, and hence a user of the library may include only those functions that are actually required – it is not necessary to include all NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 11 / 67 AES • The AES algorithm is intended to provide encryption and decryption functionality. • The Crypto Library implements AES algorithm with different security configurations. For more details on those different configurations please refer the user guidance documentation of the Crypto Library [12]. • The following modes of operation are supported for AES: ECB, CBC, CTR, GCM, CBC- MAC and CMAC. DES and TDES • The DES and Triple-DES (TDES) algorithm are intended to provide encryption and decryption functionality. • The Crypto Library implements DES algorithm with different security configurations. For more details on those different configurations please refer the user guidance documentation of the Crypto Library [12]. • The following modes of operation are supported for DES and Triple-DES: ECB, CBC, CTR, CBC-MAC and CMAC. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that Single-DES shall not be used. RSA • The RSA algorithm can be used for encryption and decryption as well as for signature generation, signature verification, message encoding and signature encoding. • The RSA key generation can be used to generate RSA key pairs. • The RSA public key generation computation can be used to compute the public key that belongs to a given private CRT key. The TOE supports various key sizes for RSA up to a limit of 4096 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). ECC (ECC over GF(p)) • The ECDSA (ECC over GF(p)) algorithm can be used for signature generation and signature verification. • The ECDSA V2X (ECC over GF(p)) algorithm can be used for signature generation for automotive applications. • The ECC (ECC over GF(p)) key derivation algorithm can be used for key derivation for automotive applications. • The ECDSA (ECC over GF(p)) key generation algorithm can be used to generate ECC over GF(p) key pairs for ECDSA. • The ECDH (ECC Diffie-Hellman) key exchange algorithm can be used to establish cryptographic keys. It can be also used as secure point multiplication. • Provide secure point addition for Elliptic Curves over GF(p). The TOE supports various key sizes for ECC over GF(p) up to a limit of 640 bits for signature generation, key pair generation and key exchange. For signature verification the TOE supports key sizes up to a limit of 640 bits. To fend off attackers with high attack cryptographic functions of the library in every Security IC Embedded Software. For example, it is possible to omit the RSA or the SHA-1 components. However, some dependencies exist; details are described in the User Guidance [12]. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 12 / 67 potential an adequate key length must be used (references can be found in national and international documents and standards). ECDAA • The ECDAA library component implements the ECDAA signature generation function as specified in TPM2.0 [9] specification. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). SHA • The SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 algorithms can be used for different purposes such as computing hash values in the course of digital signature creation or key derivation. • The Crypto Library implements two versions of each SHA algorithm with different security level: standard and high. The difference between the standard and high security level of the SHA implementations is that the high security level SHA is protected against more side-channel attacks. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that SHA-1 shall not be used. HMAC • The HMAC algorithm can be used to calculate Keyed-Hash Authentication code. The TOE supports the calculation of HMAC authentication code with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 or SHA-3/512 hash algorithms. The HMAC algorithm can use either the high security level or standard security level version of SHA, depending on required security level. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that HMAC with SHA-1 shall not be used. The TOE supports various key sizes for HMAC. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). KoreanSeed • The KoreanSeed library component implements the Korean SEED symmetric cipher. It supports 128 bit and 256 bit keys as well as ECB, CBC, CTR, and CBC_MAC operating modes. Note that KoreanSeed is not in the scope of evaluation. Felica • The Felica library component implements the Felica DES and Felica AES symmetric cipher. Note that Felica is not in the scope of evaluation. OSCCA SM2 • The OSCCA SM2 library component can be used for signature generation and signature verification. Note that OSCCA SM2 is not in the scope of evaluation. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 13 / 67 OSCCA SM3 • The OSCCA SM3 library component can be used to compute hash values in the course of digital signature creation or key derivation. Note that OSCCA SM3 is not in the scope of evaluation. OSCCA SM4 • The OSCCA SM4 library component implements the OSCCA SM4 symmetric cipher. Note that OSCCA SM4 is not in the scope of evaluation. Resistance of cryptographic algorithms against attacks The cryptographic algorithms are resistant against attacks as described in JIL, JIL- ATT-SC: Attack Methods for Smartcards and Similar Devices [54], which include Side Channel Attacks, Perturbation attacks, Differential Fault Analysis (DFA) and timing attacks, except for standard/high security level SHA and HMAC, which are only resistant against Side Channel Attacks and timing attacks. More details about conditions and restrictions for resistance against attacks are given in the user documentation of the Crypto Library [12]. Random number generation • Library component to access random numbers generated by a software (pseudo) random number generator and to perform a test of the hardware (true) random number generator at initialisation. Further security functionality of the Crypto Library 2.6.1 and 2.5.1 • Internal security measures for residual information protection • Secure Memory Copy routine • Secure Memory Move routine • Secure Memory Boolean Compare routine • CRC16 & CRC32 routines for cyclic redundancy check calculation Note that the TOE does not restrict access to the functions provided by the hardware: these functions are still directly accessible to the Security IC Embedded Software. 1.4.3 Documentation The documentation for the NXP NCJ38A0 hardware is listed in Section 1.4.3.3 “Documentation” of the Hardware Security Target [35]. The documentation for the Security Software is listed in the following sub-sections. 1.4.3.1 Services Software The use and operation of Flash Services Software is documented in [38]. 1.4.3.2 Crypto Library Both the Crypto Library 2.6.1 and 2.5.1 have associated user manuals and one user guidance documentation (see [12]). The user manuals contain: • the specification of the functions provided by the Crypto Library, • details of the parameters and options required to call the Crypto Library by the Security IC Embedded Software NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 14 / 67 and the user guidance document contains: • Guidelines on the secure usage of the Crypto Library, including the requirements on the environment (the Security IC Embedded Software calling the Crypto Library is considered to be part of the environment). 1.4.4 Interface of the TOE The interface to the NXP NCJ38A0 hardware is described in Section 1.4.5 “Interface of the TOE” of the Hardware Security Target [35]. The use of this interface is not restricted by the use of the Security Software. The interface to the NCJ38AC additionally consists of software function calls, as detailed in the “User Manual” documents of the Security Software. The developer of the Security IC Embedded Software will link the required functionality of the Security Software into the Security IC Embedded Software as required for his Application. 1.4.5 Life Cycle and Delivery of the TOE The life cycle of the hardware platform as part of the TOE is described in Section 1.4.4 "Security During Development and Production" of the Hardware Security Target [35]. The Security Software uses the delivery process of the hardware platform, as the Security Software is preloaded to the Flash memory area of the IC: • The Services Software is stored separately from the Security IC Embedded Software in the "Service Window" RAM area of the NCJ38A0 (see [36]). The content is defined via electronic Order Entry Form under control of NXP. • The Crypto Library is stored separately from the Security IC Embedded Software in the Shared Flash memory area of the NCJ38A0 (see [36]). The content is defined via electronic Order Entry Form under control of NXP. Additionally, the Security Software is delivered as part of Phase 1 5 as a software package (a set of binary files) to the developer of Security IC Embedded Software, to support its development process and to ensure compatibility when using the Security Software on the product. To protect the Security Software during the delivery process, the Security Software is encrypted and digitally signed. An overview of the sites involved during development and manufacturing of the TOE is given in Section 1.4.4 "Security During Development and Production" of the Hardware Security Target [35]. 1.4.6 TOE Type and TOE intended usage The TOE is an IC hardware platform for various operating systems and applications with high security requirements. The intended use cases are described in the Hardware Security Target [35], section 1.3.2 “Usage and major security functionality”, extended by the functionality as described in this Security Target in Section 1.3. Regarding to Phase 7 (for a definition of the Phases refer to Section ‘1.2.3 TOE life cycle’ of the Protection Profile [5]), the combination of the hardware and the Security IC Embedded Software is used by the end-user. The method of use of the product in this phase depends on the application. The TOE is intended to be used in an unsecured 5 For a definition of the Phases refer to Section 1.2.3 'TOE life cycle’ of the Protection Profile [5] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 15 / 67 environment, that is, the TOE does not rely on the Phase 7 environment to counter any threat. The Security Software is intended to support the development of the Security IC Embedded Software since the Security Software include countermeasures against the threats described in this Security Target. The used modules of the Security Software are implemented as an extention of the Security IC Dedicated Software in the memory of the hardware platform. 1.4.7 TOE User Environment The user environment for the NCJ38AC is the Security IC Embedded Software, developed by customers of NXP, to run on the NXP NCJ38A0 hardware. 1.4.8 General IT features of the TOE The general features of the NXP NCJ38A0 hardware are described in Section 1.3 “TOE overview” of the Hardware Security Target [35]. These are supplemented for the TOE by the functions listed in Introduction of this Security Target. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 16 / 67 2 Conformance Claims 2.1 Conformance Claim This Security Target and NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive claim conformance to version 3.1 of Common Criteria for Information Technology Security Evaluation, which comprises • "Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1, Revision 5, April 2017, CCMB-2017-04-001" [1] • "Common Criteria for Information Technology Security Evaluation Part 2: Security functional compo-nents, Version 3.1, Revision 5, April 2017, CCMB-2017-04-002" [2] • "Common Criteria for Information Technology Security Evaluation Part 3: Security assurance compo-nents, Version 3.1, Revision 5, April 2017, CCMB-2017-04-003" [3] The TOE is evaluated against this Security Target in consideration of the methodology in • "Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, Version 3.1, Revision 5, April 2017, CCMB-2017-04-004" [4] This Security Target claims to be CC Part 2 extended and CC Part 3 conformant. Section 5 of this Security Target defines the security functional components, which are extended beyond CC Part 2, and also demonstrates that they are consistent with the above conformance claim. This Security Target also claims strict conformance to Protection Profile • "Security IC Platform Protection Profile with Augmentation Packages, Version 1.0, registered and certified by Bundesamt fuer Sicherheit in der Informationstechnik (BSI) under the reference BSI-PP-0084-2014" [5] This conformance claim includes the following packages of security requirements out of those for Cryptographic Services defined in the Protection Profile [5]. • Package "TDES" • Package "AES" The minimum assurance level for the Protection Profile [5] is EAL4 augmented with AVA_VAN.5 and ALC_DVS.2. This Security Target claims conformance to assurance package EAL5 augmented with ADV_IMP.2, ADV_INT.3, ADV_TDS.5, ALC_CMC.5, ALC_DVS.2, ALC_TAT.3, ALC_FLR.1, ATE_FUN.2, ASE_TSS.2 and AVA_VAN.5.. This claim includes and exceeds the minimum assurance level for the Protection Profile [5] as demonstrated in Security Assurance Requirements of this Security Target. The assurance level for evaluation and the functionality of the TOE are chosen in order to allow the confirmation that the TOE is suitable for use within devices compliant with the German Digital Signature Law. 2.2 Conformance Claim Rationale According to chapter 2 this Security Target claims strict conformance to the Protection Profile [5]. As shown in 1.3 the composed TOE consists of hardware (Secure Controller IC) and software (IC Dedicated Software). This is identical to the TOE as defined in [5] and therefore the TOE type is consistent. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 17 / 67 The Security Problem Definition in Section Section 3 of this Security Target includes all threats, organizational security policies and assumptions, which are identified in the Protection Profile [5], and this without any restrictions or modifications. In addition, this Security Target contains additional threats, organizational security policies and assumptions. The additional assumptions neither mitigate any threat (or a part of it) nor fulfil any organizational security policy (or part of it). This is demonstrated in Section Section 3.4 of this Security Target. The Security Objectives Rationale presented in Section Section 4.4 clearly identifies and justifies modifications and additions made to the rationale presented in the Protection Profile [5]. The Security Requirements Rationale presented in Section Section 6.3 has been updated with respect to the Protection Profile [5]. All PP requirements have been shown to be satisfied in the extended set of requirements whose completeness, consistency and soundness have been argued in the rationale sections of this Security Target. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 18 / 67 3 Security Problem Definition This Security Target claims strict conformance to the Security IC Platform protection profile [5]. The Assets, Assumptions, Threats and Organizational Security Policies of the Protection Profile are assumed here, together with extensions defined in chapter 3 “Security Problem Definition” of the Hardware Security Target [35]. In the following sub-sections the complete set of Assets, Assumptions, Threats and Organizational Security Policies will be listed. 3.1 Description of Assets Since this Security Target claims strict conformance to the PP [5], the assets defined in Section 3.1 of the Protection Profile apply to this Security Target. User Data and TSF data are mentioned as assets in the Hardware Securtiy Target [35]. Since the data computed by the Security Software contains keys, plain text and cipher text that are considered as User Data and e.g. blinding vectors that are considered as TSF data, the assets are considered as complete for this Security Target. 3.2 Threats Since this Security Target claims strict conformance to the PP [5], the threats defined in Section 3.2 of the Protection Profile, and described in Section 3.2 “Threats” of the Hardware Security Target [35] are entirely valid for this Security Target. All threats defined in section 3.2 of the Protection Profile [5], and threat T.Masquerade_TOE taken from package “Authentication of the Security IC” of the Protection Profile [5], as introduced in Hardware Security Target [35], are listed in Table 5. Table 5. Threats defined in the Protection Profile Name Title T.Malfunction Malfunction due to Environmental Stress T.Abuse-Func Abuse of Functionality T.Phys-Probing Physical Probing T.Phys-Manipulation Physical Manipulation T.Leak-Inherent Inherent Information Leakage T.Leak-Forced Forced Information Leakage T.RND Deficiency of Random Numbers T.Masquerade_TOE Masquerade the TOE Note 2. Within the Hardware Security Target [35], the threat T.RND has been used in a context where the hardware (true) random number generator is threatened. The NCJ38AC consists of both hardware (NXP NCJ38A0) and software (Services Software and Crypto Library). The Crypto Library provides random numbers generated by a software (pseudo) random number generator. Therefore the threat T.RND explicitly includes both deficiencies of hardware random numbers as well as deficiency of software random numbers. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 19 / 67 In compliance with Application Note 4 of the Protection Profile [5] the TOE provides security functionality that protects against the additional Threat introduced in Hardware Security Target [35], which is listed in Table 6. The definition and justification for that Threat are defined in the Hardware Security Target [35]. Table 6. Threats added in Hardware Security Target Name Title T.Unauthorized-Access Unauthorized Memory or Hardware Access 3.3 Organizational Security Policies 3.3.1 Security Policies from Protection Profile and Hardware Security Target The organizational Security Policies defined in section 3.3, section 7.3.2 and section 7.4 of the Protection Profile [5] are listed in Table 7. They entirely apply to this Security Target. Table 7. Organizational Security Policies defined in the Protection Profile Name Title P.Process-TOE Identification during TOE Development and Production P.Crypto-Service Cryptographic services of the TOE In compliance with Application Note 5 of the Protection Profile [5] the Hardware Security Target [35] introduces security functionality, which requires an additional organizational Security Policy 6 that is listed in Table 8. Table 8. Organizational Security Policies added in Hardware Security Target Name Title P.Add-Components Additional Specific Security Components 3.3.2 Security Policies specific to Crypto Library The Crypto Library part of the TOE uses the AES co-processor hardware to provide AES security functionality, and the DES co-processor hardware to provide DES security functionality. In addition to the security functionality provided by the hardware and defined in the Hardware Security Target [35] the following additional security functionality is provided by the Crypto Library for use by the Security IC Embedded Software: P.Add-Func Additional Specific Security Functionality The TOE provides the following additional security functionality to the Security IC Embedded Software: • AES encryption and decryption, • DES and Triple-DES encryption and decryption, • RSA encryption, decryption, signature generation, signature verification, message encoding and signature encoding. 6 This Security Policy provides the following additional security functionality to the Security IC Embedded Software: Integrity support of content stored to Flash memory, computation of Cyclic Redundancy Checks, and support for Galois/Counter Mode (GCM) and GMAC NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 20 / 67 • RSA public key computation • RSA key generation, • ECDSA (ECC over GF(p)) signature generation and verification, • ECDSA V2X (ECC over GF(p)) signature generation for automotive applications, • ECC (ECC over GF(p)) key derivation for automotive applications, • ECC over GF(p) key generation, • ECDH (ECC Diffie-Hellman) key exchange, • ECC over GF(p) point addition, • ECDAA (ECC Direct Anonymous Attestation), • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 Hash Algorithms, • HMAC algorithm, • access to the RNG (implementation of a software RNG), • secure memory copy routine, • secure memory move routine, • secure memory compare routine, • CRC16 and CRC32 routines, In addition, the TOE shall • provide protection of residual information, and • provide resistance against attacks as described in Note 4 and in Security Architectural Information. Regarding the Application Note 5 of the Protection Profile [5] there are no other additional policies defined in this Security Target. 3.4 Assumptions Since this Security Target claims strict conformance to the PP [5], the assumptions defined in Section 3.4 of the Protection Profile (see Table 9), and defined in Section 3.4 “Assumptions” of the Hardware Security Target [35] (see Table 10) are entirely valid for this Security Target. Table 9. Assumptions defined in the Protection Profile Name Title A.Process-Sec-IC Protection during Packaging, Finishing and Personalisation A.Resp-Appl Treatment of user data of the Composite TOE Table 10. Assumptions defined in Hardware Security Target Name Title A.Check-Init Check of TOE identification data NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 21 / 67 4 Security Objectives This chapter contains the following sections: “Security Objectives for the TOE”, “Security Objectives for the Security IC Embedded Software”, “Security Objectives for the Operational Environment”, and “Security Objectives Rationale”. 4.1 Security Objectives for the TOE 4.1.1 Security Objectives from the Protection Profile and the Hardware Security Target The security objectives for the TOE defined in section 4.1, section 7.3.2 and section 7.4 of the Protection Profile [5] are listed in Table 11. They entirely apply to this Security Target. Table 11. Security objectives for the TOE defined in the Protection Profile Name Title O.Malfunction Protection against Malfunctions O.Abuse-Func Protection against Abuse of Functionality O.Phys-Probing Protection against Physical Probing O.Phys-Manipulation Protection against Physical Manipulation O.Leak-Inherent Protection against Inherent Information Leakage O.Leak-Forced Protection against Forced Information Leakage O.RND Random Numbers O.Identification TOE Identification O.TDES Cryptographic service Triple-DES O.AES Cryptographic service AES In compliance with Application Note 9 of the Protection Profile [5] the TOE provides security functionality that results in the additional security objectives for the TOE as listed in Table 12. The security objectives in Table 12 are defined in the Hardware Security Target [35]. They entirely apply to this Security Target. Table 12. Security Objectives for the TOE added in the Hardware Security Target Name Title O.MEM-ACCESS Memory Access Control O.SFR-ACCESS Special Function Register Access Control O.FLASH-INTEGRITY Integrity support of data stored to Flash memory O.GCM-SUPPORT Support for NIST Galois/Counter Mode and GMAC O.CRC Cyclic Redundancy Checks 4.1.2 Security Objectives specific to Crypto Library Note 3. Within the Hardware Security Target [35], the objective O.RND has been used in context with the hardware (true) random number generator (RNG). In addition to this, the NCJ38AC also provides a software (pseudo) RNG. Therefore the objective O.RND NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 22 / 67 is extended to comprise also the quality of random numbers generated by the software (pseudo) RNG. See also Note 2 in Section 3.2, which extends T.RND in a similar way. The O.RND defined in the HW ST is modified as follows: O.RND The TOE will ensure the cryptographic quality of random number generation. For instance, random numbers shall not be predictable and shall have sufficient entropy. The TOE will ensure that no information about the generated random numbers is available to an attacker since they might be used, for instance, to generate cryptographic keys. This objective is applicable for both hardware (true) random number generator and software (pseudo) random number generator. The following additional security objectives for the Crypto Library are defined by this ST, and are provided by the software part of the TOE: O.SW_AES The TOE includes functionality to provide encryption and decryption facilities of the AES algorithm, see Note 4 O.SW_DES The TOE includes functionality to provide encryption and decryption facilities of the DES & Triple-DES algorithm, see Note 4 O.RSA The TOE includes functionality to provide encryption, decryption, signature creation, signature verification, message encoding and signature encoding using the RSA algorithm, see Note 4. O.RSA_PubExp The TOE includes functionality to compute an RSA public key from an RSA private key, see Note 4. O.RSA_KeyGen The TOE includes functionality to generate RSA key pairs, see Note 4. O.ECDSA The TOE includes functionality to provide signature creation and signature verification using the ECC over GF(p) algorithm, see Note 4. O.ECDSA_V2X The TOE includes functionality to provide signature generation using the ECC over GF(p) algorithm, see Note 4. O.ECCV2X_KeyDerivation The TOE includes functionality to provide V2X key derivation using the ECC over GF(p) algorithm, see Note 4. O.ECC_DHKE The TOE includes functionality to provide Diffie-Hellman key exchange based on ECC over GF(p), see Note 4. O.ECC_KeyGen The TOE includes functionality to generate ECC over GF(p) key pairs, see Note 4. O.ECC_Add The TOE includes functionality to provide a point addition based on ECC over GF(p) , see Note 4. O.ECDAA The TOE includes functionality to provide the TPM 2.0 EcDaa signature generation function, see Note 4. O.SHA The TOE includes functionality to provide electronic hashing facilities using the SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 algorithms. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 23 / 67 O.HMAC The TOE includes the functionality to provide keyed- hash message authentication facilities using the HMAC algorithm. O.COPY The TOE includes functionality to copy memory content, see Note 4. O.MOVE The TOE includes functionality to move memory content, see Note 4. O.COMPARE The TOE includes functionality to compare memory content, see Note 4. O.SW_CRC The TOE includes functionality to calculate Cyclic Redundancy Checksums. O.REUSE The TOE includes measures to ensure that the memory resources being used by the TOE cannot be disclosed to subsequent users of the same memory resource. Note 4. All introduced security objectives claiming cryptographic functionality and the security objectives for copy, move and compare are protected against attacks as described in the JIL, Attack Methods for Smartcards and Similar Devices [54], which include Side Channel Attacks, Perturbation Attacks (e.g., Differential Power Analysis or DPA), Differential Fault Analysis (DFA) and Timing Attacks. The following exceptions apply: 1. SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 are provided by the TOE with two implementations with different level of security: • One implementation does not contain protective measures against DPA and DFA • The other implementation does not contain protective measures against DFA but does contains protective measure against DPA 2. HMAC implementation does not contain protective measures against DFA. This does not mean that the implementation is insecure; rather at the time of this security target no promising attack has been found. More details about conditions and restrictions for resistance against attacks are given in the user documentation of the Crypto Library. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). 4.2 Security Objectives for the Security IC Embedded Software The security objectives for the Security IC Embedded Software defined in section 4.2 of the Protection Profile [5] are listed in Table 13. They entirely apply to this Security Target. Table 13. Security objectives for the Security IC Embedded Software defined in the Protection Profile Name Title OE.Resp-Appl Treatment of user data of the Composite TOE This Security Target does not add security objectives for the Security IC Embedded Software. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 24 / 67 4.3 Security Objectives for the Operational Environment The security objectives for the operational environment in section 4.3 of the Protection Profile [5] are listed in Table 14. They entirely apply to this Security Target. Table 14. Security objectives for the operational environment defined in the Protection Profile Name Title OE.Process-Sec-IC Protection during composite product manufacturing The Hardware Security Target [35] adds the security objectives for the operational environment listed in Table 15. The security objectives in Table 15 are defined in the Hardware Security Target [35]. They entirely apply to this Security Target. Table 15. Security Objectives for the operational environment added in the Hardware Security Target Name Title OE.Check-Init Check of TOE identification data 4.4 Security Objectives Rationale 4.4.1 Rationale for Security Objectives from Protection Profile and Hardware Security Target Section 4.4 of the Protection Profile [5] and Section 4.4 of the Hardware Security Target [35] provide a rationale how the threats, organisational security policies and assumptions are addressed by the objectives that are subject of the PP. They entirely apply to this Security Target. 4.4.2 Rationale for Security Objectives specific to Crypto Library The justification for the additional security objectives for Crypto Library are listed in Table 16 below. They are in line with the security objectives of the Protection Profile and supplement these according to the additional assumptions and organisational security policy. Table 16. Additional Security Objectives versus threats, assumptions or policies for Crypto Library Threat, Assumption/ Policy Security Objective Note T.RND O.RND T.RND and O.RND address the modifications for software (pseudo) random number generation made in Section 3.3.2 and Section 4.1.2. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 25 / 67 Threat, Assumption/ Policy Security Objective Note P.Add-Func O.RND O.SW_AES O.SW_DES O.RSA O.RSA_PubExp O.RSA_KeyGen O.ECDSA O.ECDSA_V2X O.ECCV2X_KeyDerivation O.ECC_DHKE O.ECC_KeyGen O.ECC_Add O.ECDAA O.SHA O.HMAC O.REUSE O.COPY O.MOVE O.COMPARE O.SW_CRC O.RND addresses the modification for software (pseudo) random number generation made in Section 4.1.2. Since the objectives O.SW_AES, O.SW_DES, O.RSA, O.RSA_PubExp, O.RSA_KeyGen, O.ECDSA, O.ECDSA_V2X, O.ECCV2X_KeyDerivation, O.ECC_DHKE, O.ECC_KeyGen, O.ECC_Add, O.SHA, O.HMAC, O.COPY, O.MOVE, O.COMPARE, O.SW_CRC and O.REUSE require the TOE to implement exactly the same specific security functionality as required by P.Add-Func, the organizational security policy P.Add-Func is covered by the security objectives. Since the extended definition of the objective O.RND require the TOE to implement a software RNG as required by P.Add-Func, the organizational security policy P.Add-Func is covered by the security objectives. In addition O.RNG addresses T.RNG in the same generic way as the Protection Profile [5]. Additionally, the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced define how to implement the specific security functionality required by P.Add-Func and therefore support P.Add-Func. These security objectives are also valid for the additional specific security functionality since they must also avert the related threats for the components added to the organisational security policy. The justification of the additional policy and the additional assumptions show that they do not contradict with the rationale already given in the Protection Profile [5] for the assumptions, policy and threats defined there. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 26 / 67 5 Extended Components Definition The extended components defined in chapter 5 of the Protection Profile [5] are listed in Table 17. They entirely apply to this Security Target. Table 17. Extended components defined in the Protection Profile Name Title FCS_RNG Generation of random numbers FMT_LIM Limited capabilities and availability FAU_SAS FAU_SAS Audit data storage FDP_SDC Stored data confidentiality To define the IT Security Functional Requirements of the TOE an additional family (FDP_SOP) of the Class FDP (user data protection) is defined here. This family describes the functional requirements for basic operations on data in the TOE. Note that the PP “Security IC Platform Protection Profile [5] also defines extended security functional requirements in chapter 5, which are included in this Security Target. As defined in CC Part 2, FDP class addresses user data protection. Secure basic operations (FDP_SOP) address protection of user data when it is processed by Copy or Compare function, respectively. Therefore, it is judged that FDP class is suitable for FDP_SOP family. The reason for adding an extra family to FDP class is that existing families do not address protection of user data against all relevant attacks. 5.1 Secure basic operations (FDP_SOP) Family Behaviour This family defines requirements addressing the protection of data during security relevant basic operations inside the TSF. The data can comprise user data as well as TSF data. Appropriate separation between user data or TSF data shall be ensured by sequential, atomic processing of either TSF data or user data. The integrity and confidentiality of the data shall be protected during the processing of the basic operation against attacks. Each influence or interaction of the TOE that is not intended and/or specified is considered as attack. Component levelling FDP_SOP secure basic operations 1 FDP_SOP.1 requires the TOE to provide the possibility to perform basic secure operations on data Management: FDP_SOP.1 There are no management activities foreseen. Audit: FDP_SOP.1 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 27 / 67 There are no actions defined to be auditable. FDP_SOP.1 Secure Basic Operations Hierarchical to: No other components. Dependencies: No dependencies. FDP_SOP.1.1 The TSF shall provide basic operations [selection: Copy, Move, Compare, ModMultiply, ModAddSub] on objects stored in the TOE. The basic operation is applied between objects stored in [Selection: memory location] 7 and [Selection: memory location] 8 . FDP_SOP.1.2 The TSF shall protect the data against attacks from [selection: disclosure, modification] that can be inherently applied during the processing of the basic operations. Application Notes: The different memories are seen as possible objects. The attacks addressed by disclosure and modification comprise side-channel attacks including timing attacks, fault injection attacks including manipulation of the basic operation result and attacks trying to violate the data separation based on the sequential operation. 7 [assignment: list of memory locations] 8 [assignment: list of memory locations] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 28 / 67 6 Security Requirements 6.1 Security Functional Requirements To support a better understanding of the combination Protection Profile and Security Target of the hardware platform (NCJ38A0) vs. this Security Target (NCJ38AC High- performance secure microcontroller with Crypto Library for Automotive), the TOE SFRs are presented in the following sections. 6.1.1 SFRs from the Protection Profile and the Hardware Security Target The Security Functional Requirements (SFRs) for the TOE are specified in section 6.1 and in sections 7.4.1 and 7.4.2 of the Protection Profile [5]. They are defined in the Common Criteria [2] or in the Protection Profile [5]. Note 5. The requirements in Table 18 and Table 19 have been stated in the Hardware Security Target [35] and are fulfilled by the chip hardware, if not indicated otherwise in this section. Table 18. Security functional requirements from the Hardware Security Target taken from Protection Profile Name Title FRU_FLT.2 Limited fault tolerance FPT_FLS.1 Failure with preservation of secure state FMT_LIM.1 Limited capabilities FMT_LIM.2 Limited availability FAU_SAS.1 Audit storage FDP_SDC.1 Stored data confidentiality FDP_SDI.2/AGE Stored data integrity monitoring and action - Ageing FDP_SDI.2/FLT Stored data integrity monitoring and action - Faults FPT_PHP.3 Resistance to physical attack FDP_ITT.1 Basic internal transfer protection FPT_ITT.1 Basic internal TSF data transfer protection FDP_IFC.1 Subset information flow control FCS_RNG.1/PTG.2 Random number generation - PTG.2 FCS_COP.1/TDES Cryptographic operation - TDES FCS_COP.1/AES Cryptographic operation - AES FCS_COP.1/GCM Cryptographic operation - GCM FCS_COP.1/CRC Cryptographic operation - CRC FCS_CKM.4/TDES Cryptographic key destruction -TDES FCS_CKM.4/AES Cryptographic key destruction - AES NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 29 / 67 Table 19. Security functional requirements from the Hardware Security Target based on CC Part 2 Name Title FDP_ACC.1/MEM Subset access control - Memories FDP_ACC.1/SFR Subset access control - Hardware components FDP_ACF.1/MEM Security attribute based access control - Memories FDP_ACF.1/SFR Security attribute based access control - Hardware components FMT_MSA.1/MEM Management of security attributes - Memories FMT_MSA.1/SFR Management of security attributes - Hardware components FMT_MSA.3/MEM Static attribute initialisation - Memories FMT_MSA.3/SFR Static attribute initialisation - Hardware components FMT_SMF.1 Specification of Management Functions 6.1.2 Security Functional Requirements added in this Security Target 6.1.2.1 Crypto Library The SFRs specific for Crypto Library are described in Table 20. Table 20. SFRs defined in this Security Target for Crypto Library Name Title Defined in FCS_COP.1/SW_AES Cryptographic operation - AES CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/SW_DES Cryptographic operation - DES and TDES CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/RSA Cryptographic operation - RSA (RSA encryption, decryption, signature generation and verification) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/RSA_PAD Cryptographic operation - RSA PKCS#1 Padding (RSA message and signature encoding) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/RSA_PubExp Cryptographic operation - RSA PubKey (RSA public key computation)RSA CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECDSA Cryptographic operation - ECDSA (ECC over GF(p) signature generation and verification) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECDSA_V2X Cryptographic operation - ECDSA V2X (ECC over GF(p) signature generation) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECCV2X_ KeyDerivation Cryptographic operation - ECC V2X KDF (ECC over GF(p) key derivation) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECC_DHKE Cryptographic operation - ECDH (ECC Diffie- Hellman key exchange) CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECC_Additional Cryptographic operation - ECC Point Addition CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/ECDAA Cryptographic operation - TPM 2.0 ECDAA CC Part 2 [2]; specified in this ST, see below. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 30 / 67 Name Title Defined in FCS_COP.1/SHA Cryptographic operation (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512) [1] CC Part 2 [2]; specified in this ST, see below. FCS_COP.1/HMAC Cryptographic operation - HMAC CC Part 2 [2]; specified in this ST, see below. FCS_CKM.1/RSA Cryptographic key generation (RSA key generation) CC Part 2 [2]; specified in this ST, see below. FCS_CKM.1/ECC ECC Cryptographic key generation (ECC over GF(p) key generation) CC Part 2 [2]; specified in this ST, see below. FCS_CKM.4 Cryptographic Key Destruction CC Part 2 [2]; specified in this ST, see below. FDP_RIP.1 Subset Residual Information Protection CC Part 2 [2]; specified in this ST, see below. FCS_RNG.1/HYB-DET Random number generation PP Section 5.1 [5]; specified in this ST, see below. FCS_RNG.1/HYB-PHY Random number generation PP Section 5.1 [5]; specified in this ST, see below. FCS_COP.1/SW_CRC Cryptographic operation - CRC CC Part 2 [2]; specified in this ST, see below. [1] Due to the AVA_VAN.5 requirement SHA-1 shall not be used. The requirements listed in Table 20 are detailed in the following sub-sections. Additional SFR regarding cryptographic functionality The TSF provides cryptographic functionality to help satisfy several high-level security objectives. In order for a cryptographic operation to function correctly, the operation must be performed in accordance with a specified algorithm and with a cryptographic key of a specified size. The following Functional Requirements to the TOE TOE can be derived from this CC CC component: FCS_COP.1/SW_AES Cryptographic operation - AES Hierarchical to: No other components. FCS_COP.1.1/SW_AES The TSF shall perform encryption and decryption 9 in accordance with a specified cryptographic algorithm AES in ECB, CBC, CTR, GCM, CBC-MAC or CMAC 10 and cryptographic key sizes 128, 192 or 256 bit 11 that meet the following FIPS PUB 197 [47], NIST SP 800-38A (ECB, CBC and CTR mode) [50], NIST SP 800-38D (GCM mode) [52], ISO 9797-1, Algorithm 1 ( CBC-MAC mode) [53], and NIST SP 800-38B (CMAC mode) [51] 12 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. 9 [assignment: list of cryptographic operations] 10 [assignment: cryptographic algorithm] 11 [assignment: cryptographic key sizes] 12 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 31 / 67 Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/SW_DES Cryptographic operation - DES and TDES Hierarchical to: No other components. FCS_COP.1.1/SW_DES The TSF shall perform encryption and decryption 13 in accordance with a specified cryptographic algorithm and Triple-DES in ECB, CBC, CTR, CBC-MAC or CMAC 14 and cryptographic key sizes 1-key DES (56 bit), 2-key TDES (112 bit) or 3-key TDES (168 bit) 15 that meet the following FIPS Publication 46-3 (DES and TDES) [46] and NIST Special Publication 800-38A, 2001 (ECB, CBC and CTR mode) [50], ISO 9797-1, Algorithm 1 (CBC- MAC mode) [53], and NIST Special Publication 800-38B (CMAC mode) [51] 16 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/RSA Cryptographic operation - RSA Hierarchical to: No other components. FCS_COP.1.1/RSA The TSF shall perform encryption, decryption, signature generation and verification 17 in accordance with a specified cryptographic algorithm RSA 18 and cryptographic key sizes 512 bits to 4096 bits 19 that meet the following: PKCS #1, v2.2: RSAEP, RSADP, RSASP1, RSAVP1 [56] 20 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. 13 [assignment: list of cryptographic operations] 14 [assignment: cryptographic algorithm] 15 [assignment: cryptographic key sizes] 16 [assignment: list of standards] 17 [assignment: list of cryptographic operations] 18 [assignment: cryptographic algorithm] 19 [assignment: cryptographic key sizes] 20 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 32 / 67 FCS_COP.1/RSA_PAD Cryptographic operation - RSA PKCS#1 Padding Hierarchical to: No other components. FCS_COP.1.1/RSA_PAD The TSF shall perform message and signature encoding methods 21 in accordance with a specified cryptographic algorithm EME-OAEP and EMSA-PSS 22 and cryptographic key sizes 512 bits to 4096 bits 23 that meet the following: PKCS #1, v2.2: EME-OAEP and EMSA-PSS [56] 24 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/RSA_PubExp Cryptographic operation - RSA PubKey Hierarchical to: No other components. FCS_COP.1.1/RSA_PubExp The TSF shall perform public key computation 25 in accordance with a specified cryptographic algorithm RS A 26 and cryptographic key sizes 512 bits to 4096 bits 27 that meet the following: PKCS #1, v2.2 [56] 28 . Application Notes: (1) The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). (2) The computation will result in the generation of a public RSA key from the private key (in CRT format). As this key is implied by the private key, this is not true key generation, and, to prevent duplication in this ST, this has not been included as a separate FCS_CKM.1 SFR. Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ECDSA Cryptographic operation - ECDSA Hierarchical to: No other components. FCS_COP.1.1/ECDSA The TSF shall perform signature generation and verification 29 in accordance with a specified 21 [assignment: list of cryptographic operations] 22 [assignment: cryptographic algorithm] 23 [assignment: cryptographic key sizes] 24 [assignment: list of standards] 25 [assignment: list of cryptographic operations] 26 [assignment: cryptographic algorithm] 27 [assignment: cryptographic key sizes] 28 [assignment: list of standards] 29 [assignment: list of cryptographic operations] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 33 / 67 cryptographic algorithm ECDSA / ECC over GF(p) 30 and cryptographic key sizes 128 to 640 bits 31 that meet the following: ISO/IEC 15946-2 [40], FIPS PUB 186-4 [48] and ANSI X9.62 [55] 32 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ECDSA_V2X Cryptographic operation - ECDSA V2X Hierarchical to: No other components. FCS_COP.1.1/ECDSA_V2X The TSF shall perform signature generation 33 in accordance with a specified cryptographic algorithm ECDSA / ECC over GF(p) 34 and cryptographic key sizes 128 to 640 bits 35 that meet the following: ISO/IEC 15946-2 [40], FIPS PUB 186-4 [48] and ANSI X9.62 [55] 36 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ ECCV2X_KeyDerivation Cryptographic operation - ECC V2X KDF Hierarchical to: No other components. FCS_COP.1.1/ ECCV2X_KeyDerivation The TSF shall perform ECC key derivation of ECC keys 37 in accordance with a specified cryptographic algorithm ECC Key Derivation / ECC over GF(p) 38 and cryptographic key sizes 128 to 640 bits 39 that meet the following: ISO/IEC 15946-1 [39] 40 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate 30 [assignment: cryptographic algorithm] 31 [assignment: cryptographic key sizes] 32 [assignment: list of standards] 33 [assignment: list of cryptographic operations] 34 [assignment: cryptographic algorithm] 35 [assignment: cryptographic key sizes] 36 [assignment: list of standards] 37 [assignment: list of cryptographic operations] 38 [assignment: cryptographic algorithm] 39 [assignment: cryptographic key sizes] 40 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 34 / 67 key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ECC_DHKE Cryptographic operation - ECDH Hierarchical to: No other components. FCS_COP.1.1/ECC_DHKE The TSF shall perform Diffie-Hellman Key Exchange 41 in accordance with a specified cryptographic algorithm ECC over GF(p) 42 and cryptographic key sizes 128 to 640 bits 43 that meet the following: ISO/IEC 15946-3 [41] 44 . Application Notes: (1) The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). (2) The security functionality does not provide the complete key exchange procedure, but only the point multiplication which is used for the multiplication of the private key with the communication partner’s public key. Therefore this function can be used as part of a Diffie- Hellman key exchange as well pure point multiplication. Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ECC_Add itional Cryptographic operation - ECC Point Addition Hierarchical to: No other components. FCS_COP.1.1/ECC_Additio- nal The TSF shall perform a full point addition 45 in accordance with a specified cryptographic algorithm ECC over GF(p) 46 and cryptographic key sizes 128 to 640 bits 47 that meet the following: ISO/IEC 15946-1 [39] 48 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). 41 [assignment: list of cryptographic operations] 42 [assignment: cryptographic algorithm] 43 [assignment: cryptographic key sizes] 44 [assignment: list of standards] 45 [assignment: list of cryptographic operations] 46 [assignment: cryptographic algorithm] 47 [assignment: cryptographic key sizes] 48 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 35 / 67 Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/ECDAA Cryptographic operation - TPM 2.0 ECDAA Hierarchical to: No other components. FCS_COP.1.1/ECDAA The TSF shall perform the TPM 2.0 ECDAA signature generation function 49 in accordance with a specified cryptographic algorithm ECC over GF(p) 50 and cryptographic key sizes 128 to 640 bits 51 that meet the following: TPM Rev. 2.0 [9] Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. FCS_COP.1/SHA Cryptographic operation Hierarchical to: No other components. FCS_COP.1.1/SHA The TSF shall perform hashing 52 in accordance with a specified cryptographic algorithm SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 53 and cryptographic key size none 54 that meet the following: FIPS 180-4 [44] and FIPS 202 [45] 55 . Application Notes: 1) The security functionality is resistant against side channel analysis and timing attacks as described in [54]. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards).. (2) The length of the data to hash has to be a multiple of one byte. Arbitrary bit lengths are not supported. Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. 49 [assignment: list of cryptographic operations] 50 [assignment: cryptographic algorithm] 51 [assignment: cryptographic key sizes] 52 [assignment: list of cryptographic operations] 53 [assignment: cryptographic algorithm] 54 [assignment: cryptographic key sizes] 55 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 36 / 67 FCS_COP.1/HMAC Cryptographic operation - HMAC Hierarchical to: No other components. FCS_COP.1.1/HMAC The TSF shall perform keyed-hash message authentication code calculation 56 in accordance with a specified cryptographic algorithm SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 57 and cryptographic key sizes multiple of 8 bits 58 that meet the following: FIPS PUB 198-1 [43] and FIPS 202 [45] 59 Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards).. Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. The TSF provides functionality to generate a variety of key pairs. In order for the key generation to function correctly, the operation must be performed in accordance with a specified standard and with cryptographic key sizes out of a specified range. The following Security Functional Requirements to the TOE can be derived from this CC component: FCS_CKM.1/RSA Cryptographic Key Generation Hierarchical to: No other components. FCS_CKM.1.1/RSA The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm RSA 60 and specified cryptographic key sizes 512 to 4096 bits 61 that meet the following: PKCS #1, v2.2 [56] and FIPS PUB 186-4 [48] 62 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction FCS_CKM.1/ECC Cryptographic Key Generation Hierarchical to: No other components. 56 [assignment: list of cryptographic operations] 57 [assignment: cryptographic algorithm] 58 [assignment: cryptographic key sizes] 59 [assignment: list of standards] 60 [assignment: cryptographic key generation algorithm] 61 [assignment: cryptographic key sizes] 62 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 37 / 67 FCS_CKM.1.1/ECC The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm ECDSA ( ECC over GF(p)) 63 and specified cryptographic key sizes 128 to 640 bits 64 that meet the following: ISO/IEC 15946-1 [39] , ANSI X9.62 [55] and FIPS PUB 186-4 [48]. 65 . Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction FDP_RIP.1 Subset Residual Information Protection Hierarchical to: No other components. This family addresses the need to ensure that information in a resource is no longer accessible when the resource is deallocated, and that therefore newly created objects do not contain information that was accidentally left behind in the resources used to create the objects. The following Functional Requirement to the TOE can be derived from the CC component FDP_RIP.1: FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from 66 the following objects: all objects (variables) used by the Crypto Library as specified in the user guidance documentation 67 . Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] Note 6. The TSF ensures that, upon exit from each function, with the exception of input parameters, return values or locations where it is explicitly documented that values remain at specific addresses, any memory resources used by that function that contained temporary or secret values are cleared FCS_CKM.4 Cryptographic Key Destruction Hierarchical to: No other components. FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method ov erwrite 68 that meets the following: ISO11568 69 Application Notes: The NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive provides the smartcard embedded software with library calls to perform various cryptographic algorithms that 63 [assignment: cryptographic algorithm] 64 [assignment: cryptographic key sizes] 65 [assignment: list of standards] 66 [selection: allocation of the resource to, deallocation of the resource from] 67 [assignment: list of objects] 68 [assignment: cryptographic key destruction method] 69 [assignment: list of standards] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 38 / 67 involve keys (e.g., AES, DES, RSA, etc.). Through the parameters of the library calls the smartcard embedded software provides keys for the cryptographic algorithms. To perform its cryptographic algorithms the library copies these keys, or a transformation thereof, to the working- buffer (supplied by the smartcard embedded software) and/or the memory/special function registers of the NC J38A. Depending upon the algorithm the library either overwrites these keys before returning control to the smartcard embedded software or provides a library call to through which the smartcard embedded software can clear these keys. In the case of a separate library call to clear keys the guidance instructs the smartcard embedded software when/how this call should be used. Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] Note: Clearing of keys that are provided by the smartcard embedded software to the Crypto Library is the responsibility of the smartcard embedded software. The TOE shall meet the requirements “Random number generation” as specified below. The hardware part of the TOE (NXP NCJ38A0) provides a physical random number generator (RNG) that fulfils FCS_RNG.1 as already mentioned above in Section 6.1.1. The additional software part of the TOE (Crypto Library) implements a software (pseudo) RNG that fulfils FCS_RNG.1/HYB-DET (see below). This software RNG obtains its seed from the hardware RNG, after the TOE (Crypto Library) has performed a self test of the hardware RNG. FCS_RNG.1/HYB-DET Random number generation Hierarchical to: No other components. FCS_RNG.1.1/HYB-DET The TSF shall provide a hybrid deterministic 70 random number generator that implements: (K.4.1) a chi-squared test on the seed generator. (DRG.4.1) The internal state of the RNG shall use PTRNG of class PTG.2 (as defined in [7]) as random source. (DRG.4.2) The RNG provides forward secrecy (as defined in [7]). (DRG.4.3) The RNG provides backward secrecy even if the current internal state is known (as defined in [7]). (DRG.4.4) The RNG provides enhanced forward secrecy on demand (as defined in [7]). (DRG.4.5) The internal state of the RNG is seeded by an PTRNG of class PTG.2 71 (as defined in [7]). 70 [selection: physical, non-physical true, deterministic, hybrid physical, hybrid deterministic] 71 [assignment: list of security capabilities] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 39 / 67 FCS_RNG.1.2/HYB-DET The TSF shall provide random numbers that meet: (K.4.2) class K.4 of AIS20 [8]. (DRG.4.6) The RNG generates output for which 2 48 strings of bit length 128 are mutually different with probability at least 1 – 2 -24 . (DRG.4.7) Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG. The random numbers must pass test procedure A (as defined in [7]). Application Notes: (1) The security functionality is resistant against side channel analysis and similar techniques. (2) The NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive provides the smartcard embedded software with separate library calls to initialise the random number generator (which includes the chi-squared test) and to generate random data. The user can call an initialisation function upon use of the random number generator. Dependencies: No dependencies. Note: Only if the chi-squared test succeeds the hardware RNG seeds the software RNG implemented as part of the Crypto Library on P73 (as part of security functionality SS.SW_RNG). Note: The Crypto Library does not prevent the operating system from accessing the hardware RNG. If the hardware RNG is used by the operating system directly, it has to be decided based on the Smartcard Embedded Software's security needs, what kind of test has to be performed and what requirements will have to be applied for this test. In this case the developer of the Smartcard Embedded Software must ensure that the conditions prescribed in the Guidance, Delivery and Operation Manual for the NCJ38A0 High-performance secure microcontroller for Automotive are met. The software (pseudo) RNG, which is implemented in the software part of the TOE (Crypto Library), fulfils FCS_RNG.1/HYB-PHY (see below) with a certain limitation. This limitation can be given by the Security IC Embedded Software. For details on the limitation please refer the user guidance documentation of the Crypto Library [12]. FCS_RNG.1/HYB-PHY Random number generation Hierarchical to: No other components. FCS_RNG.1.1/HYB-PHY The TSF shall provide a hybrid physical 72 random number generator that implements: (PTG.3.1) A total failure test detects a total failure of entropy source immediately when the RNG has started. 72 [selection: physical, non-physical true, deterministic, hybrid physical, hybrid deterministic] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 40 / 67 When a total failure has been detected no random numbers will be output. (PTG.3.2) If a total failure of the entropy source occurs while the RNG is being operated, the RNG prevents the output of any internal random number that depends on some raw random numbers that have been generated after the total failure of the entropy source. (PTG.3.3) The online test shall detect non-tolerable statistical defects of the raw random number sequence (i) immediately when the RNG is started, and (ii) while the RNG is being operated. The TSF must not output any random numbers before the power-up online test and the seeding of the DRG.3 postprocessing algorithm have been finished successfully or when a defect has been detected. (PTG.3.4) The online test procedure shall be effective to detect non-tolerable weaknesses of the random numbers soon. (PTG.3.5) The online test procedure checks the raw random number sequence. It is triggered continuously 73 . The online test is suitable for detecting nontolerable statistical defects of the statistical properties of the raw random numbers within an acceptable period of time. (PTG.3.6) The algorithmic post-processing algorithm belongs to Class DRG.3 with cryptographic state transition function and cryptographic output function, and the output data rate of the post-processing algorithm shall not exceed its input data rate. FCS_RNG.1.2/HYB-PHY The TSF shall provide numbers 74 that meet: (PTG.3.7) Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG. The random numbers must pass test procedure A (as defined in [7]). (PTG.3.8) The internal random numbers shall use PTRNG of class PTG.2 as random source for the post- processing 75 . FCS_COP.1/SW_CRC Cryptographic operation - CRC Hierarchical to: No other components. FCS_COP.1.1/SW_CRC The TSF shall perform calculation of cyclic redundancy checks 76 in accordance with a specified cryptographic algorithm CRC-16 resp. CRC-32 77 and cryptographic 73 [selection: externally, at regular intervals, continuously, upon specified internal events] 74 [selection: bits, octets of bits, numbers [assignment: format of the numbers]] 75 [selection: use PTRNG of class PTG.2 as random source for the post-processing, have [assignment: work factor], require [assignment: guess work]] 76 [assignment: list of cryptographic operations] 77 [assignment: cryptographic algorithm] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 41 / 67 key sizes none 78 that meet the following: CRC-CCITT [10] resp. IEEE 802.3 [11] 79 . Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction. 6.1.2.1.1 Extended Security Functional Requirements for Crypto Library The SFRs in Section 6.1.2.1 are further supplemented by the following iterations of an extended SFR, as listed in Table 21. Table 21. Extended SFRs defined for Crypto Library Name Title Defined in FDP_SOP.1/Copy Secure Basic operations (secure copy) Specified in this ST, see below. FDP_SOP.1/Move Secure Basic operations (secure move) Specified in this ST, see below. FDP_SOP.1/Compare Secure Basic operations (secure compare) Specified in this ST, see below. The FDP_SOP.1 (secure basic operations) is introduced as a new component within a new family FDP_SOP consisting only of that new component. The secure basic operations involve memory operations. The subjects of these operations are: • Code stored in memories (ROM, RAM and FLASH) And the objects of these operations are: • Data stored in memories (ROM, RAM and FLASH) And finally, the operations themselves are: • Copy objects stored in memories (ROM, RAM and FLASH) to RAMRAM. • Move objects stored in RAM to another place in RAM. • Compare two objects stored in memories (ROM, RAM and FLASH). FDP_SOP.1/Copy Secure Basic Operations Hierarchical to: No other components. FDP_SOP.1.1/Copy The TSF shall provide basic operations Copy on objects stored in the TOE. The basic operation is applied between objects stored in ROM, RAM and Flash 80 and R AM 81 . FDP_SOP.1.2/Copy The TSF shall protect the data against attacks from disclosure and modification that can be inherently applied during the processing of the basic operations. Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. FDP_SOP.1/Move Secure Basic Operations Hierarchical to: No other components. 78 [assignment: cryptographic key sizes] 79 [assignment: list of standards] 80 [assignment: list of memory locations] 81 [assignment: list of memory locations] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 42 / 67 FDP_SOP.1.1/Move The TSF shall provide basic operations Move on objects stored in the TOE. The basic operation is applied between objects stored in RAM 82 and RAM 83 . FDP_SOP.1.2/Move The TSF shall protect the data against attacks from disclosure and modification that can be inherently applied during the processing of the basic operations. Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. FDP_SOP.1/Compare Secure Basic Operations Hierarchical to: No other components. FDP_SOP.1.1/Compare The TSF shall provide basic operations Compare on objects stored in the TOE. The basic operation is applied between objects stored in ROM, RAM and Flash 84 and ROM, RAM and Flash 85 . FDP_SOP.1.2/Compare The TSF shall protect the data against attacks from disclosure and modification that can be inherently applied during the processing of the basic operations. Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [54]. Dependencies: No dependencies. 6.2 Security Assurance Requirements Table 22 lists the security assurance requirements for the TOE. These security functional requirements are either copied from the Protection Profile [5] without modifications, or augmented from there, or newly added in this Security Target as indicated in column three of the table. This partly addresses Application Note 22. Table 22. Security assurance requirements for the TOE Name Title compared to PP ADV_ARC.1 Security architectural description as in PP ADV_FSP.5 Complete semi-formal functional specification with additional error information augmented from PP ADV_IMP.2 Complete mapping of the implementation representation of the TSF augmented from PP ADV_INT.3 Minimally complex internals added for EAL5 ADV_TDS.5 Complete semiformal modular design augmented from PP AGD_OPE.1 Operational user guidance as in PP AGD_PRE.1 Preparative procedures as in PP ALC_CMC.5 Advanced support augmented from PP 82 [assignment: list of memory locations] 83 [assignment: list of memory locations] 84 [assignment: list of memory locations] 85 [assignment: list of memory locations] NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 43 / 67 Name Title compared to PP ALC_CMS.5 Development tools CM coverage augmented from PP ALC_DEL.1 Delivery procedures as in PP ALC_DVS.2 Sufficiency of security measures as in PP ALC_FLR.1 Basic flaw remediation not in PP, added for EAL5+ ALC_LCD.1 Developer defined life-cycle model as in PP ALC_TAT.3 Compliance with implementation standards - all parts augmented from PP ASE_CCL.1 Conformance claims as in PP ASE_ECD.1 Extended components definition as in PP ASE_INT.1 ST introduction as in PP ASE_OBJ.2 Security objectives as in PP ASE_REQ.2 Derived security requirements as in PP ASE_SPD.1 Security problem definition as in PP ASE_TSS.2 TOE summary specification with architectural design summary augmented from PP ATE_COV.2 Analysis of coverage as in PP ATE_DPT.3 Testing: modular design augmented from PP ATE_FUN.2 Ordered functional testing augmented from PP ATE_IND.2 Independent testing - sample as in PP AVA_VAN.5 Advanced methodical vulnerability analysis as in PP All refinements in section 6.2.1 of the Protection Profile [5] to security assurance requirements in Table 22, which are copied from the Protection Profile without modifications, entirely apply to this Security Target. All refinements in section 6.2.1 of the Protection Profile [5] to security assurance requirements in Table 22, which are augmented from the Protection Profile, are discussed below in their applicability to this Security Target. This addresses Application Note 23 in the Protection Profile [5]. Refinements regarding ADV_FSP Refinement no. 215 to ADV_FSP.4 in the Protection Profile [5] is not relevant for this Security Target since the TOE does not embed IC Dedicated Test Software. The Factory OS is not considered as IC Dedicated Test Software but instead as IC Dedicated Support Software since it is not only used to support testing of the TOE during production and does provide security functionality to be used after TOE delivery, which both contradicts to abstract 12 on page 8 of the Protection Profile [5]. However, the Factory OS provides testing capabilities for production testing and analysis of field returns, which is under restricted access to NXP and not for usage by the Composite Product Manufacturer. Therefore, these testing capabilities are considered as "test tool", which don't have to be described in the Functional Specification, but only be evaluated against their abuse after TOE delivery. Apart from that the Factory OS provides the Composite Product Manufacturer with some basic functional testing of the TOE and also with a readout of the identification flags of the TOE from System Page Common, which must be described in the Functional Specification. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 44 / 67 Refinements no. 216, no. 217 and no. 218 to ADV_FSP.4 in the Protection Profile [5] are entirely applicable to ADV_FSP.5 since the refinements clarify the scope of the functional specification, and ADV_FSP.5 adds to this scope in accordance with the refinements. Refinements regarding ADV_IMP Refinement no. 223 to ADV_IMP.1 in the Protection Profile [5] is redundant since it is implicitly covered by the augmentation to ADV_IMP.2. First, ADV_IMP.2 requires the developer to provide the mapping between the TOE design description and the entire implementation representation instead of a sample of it only as in ADV_IMP.1. Second, ADV_IMP.2 requires the evaluator to confirm that, for the entire implementation representation and not only for a sample of it as in ADV_IMP.1, the information provided meets all requirements for content and presentation of evidence. Refinements regarding ALC_CMC Refinement no. 205 to ALC_CMC.4 in the Protection Profile [5] is entirely applicable to ALC_CMC.5 since the refinement clarifies the scope of configuration items in ALC_CMC.4, and ALC_CMC.5 does not touch this scope. Refinement no. 206 to ALC_CMC.4 in the Protection Profile [5] is entirely applicable to ADV_CMC.5 since the refinement details requirements on configuration management of the TOE for ALC_CMC.4, which are not subverted in ADV_CMC.5. Refinements regarding ALC_CMS Refinement no. 199 to ALC_CMS.4 in the Protection Profile [5] is entirely applicable to ALC_CMS.5 since the refinement clarifies the scope of the configuration item "TOE implementation representation" on the configuration list of ALC_CMS.4, and ALC_CMS.5 adds new configuration items to the configuration list. 6.3 Security Requirements Rationale 6.3.1 Rationale for the Security Functional Requirements 6.3.1.1 SFRs from the Hardware Security Target Table 23 list the mapping of the security objectives to the security functional requirements from the Hardware Security Target [35]. This mapping entirely applies to this Security Target. Table 23. Mapping of the security objectives to the security functional requirements of the Hardware Security Target Security objective for the TOE Security functional requirement of the TOE O.Malfunction FRU_FLT.2, FPT_FLS.1 FMT_LIM.1, FMT_LIM.2 FRU_FLT.2, FTP_FLS.1 FPT_PHP.3 O.Abuse-Func FDP_ITT.1, FPT_ITT.1, FDP_IFC.1 FPT_PHP.3 O.Phys-Probing FDP_SDC.1 O.Phys-Manipulation FDP_SDI.2/FLT NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 45 / 67 Security objective for the TOE Security functional requirement of the TOE FPT_PHP.3 O.Leak-Inherent FDP_ITT.1, FPT_ITT.1 , FDP_IFC.1 FRU_FLT.2, FPT_FLS.1 FPT_PHP.3 O.Leak-Forced FDP_ITT.1, FPT_ITT.1, FDP_IFC.1 FCS_RNG.1/PTG.2 FRU_FLT.2, FPT_FLS.1 FPT_PHP.3 O.RND FDP_ITT.1, FPT_ITT.1 , FDP_IFC.1 O.Identification FAU_SAS.1 FCS_COP.1/TDES O.TDES FCS_CKM.4/TDES FCS_COP.1/AES O.AES FCS_CKM.4/AES O.FLASH-INTEGRITY FDP_SDI.2/AGE O.GCM-SUPPORT FCS_COP.1/GCM O.CRC FCS_COP.1/CRC FDP_ACC.1/MEM FDP_ACF.1/MEM FMT_MSA.1/MEM FMT_MSA.3/MEM O.MEM-ACCESS FMT_SMF.1 FDP_ACC.1/SFR FDP_ACF.1/SFR FMT_MSA.1/SFR FMT_MSA.3/SFR O.SFR-ACCESS FMT_SMF.1 6.3.1.2 SFRs specific to Crypto Library The rationale for the security functional requirements that are specific for Crypto Library is described below. Note 7. O.RND has been extended if compared to the one in PP [5] to include also a software RNG (see also Note 3). The rationale given in the PP only covers the part of O.RND dealing with the hardware RNG. For O.RND additional functionality (software RNG) and additional requirements (FCS_RNG.1/HYB-DET, and FCS_RNG.1/HYB-PHY) have been added. The explanation following Table 24 describes this in detail. This ST lists a number of security objectives and SFRs for NCJ38AC, which are additional to both the PP and the Hardware ST. These are listed in the following table. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 46 / 67 Table 24. Mapping of SFRs to Security Objectives for Crypto Library in this ST Objective TOE Security Functional Requirements O.SW_AES FCS_COP.1/SW AES ADV.ARC.1 (and underlying platform SFRs) O.SW_DES FCS_COP.1/SW DES ADV.ARC.1 (and underlying platform SFRs) O.RSA FCS_COP.1/RSA FCS_COP.1/RSA_Pad ADV.ARC.1 (and underlying platform SFRs) O.RSA_PubExp FCS_COP.1/RSA_PubExp ADV.ARC.1 (and underlying platform SFRs) O.RSA_KeyGen FCS_CKM.1/RSA ADV.ARC.1 (and underlying platform SFRs) O.ECDSA FCS_COP.1/ECDSA ADV.ARC.1 (and underlying platform SFRs) O.ECDSA_V2X FCS_COP.1/ECDSA_V2X ADV.ARC.1 (and underlying platform SFRs) O.ECCV2X_KeyDerivation FCS_COP.1/ECCV2X_KeyDerivation ADV.ARC.1 (and underlying platform SFRs) O.ECC_DHKE FCS_COP.1/ECC_DHKE ADV.ARC.1 (and underlying platform SFRs) O.ECC_Add FCS_COP.1/ECC_Additional ADV.ARC.1 (and underlying platform SFRs) O.ECC_KeyGen FCS_CKM.1/ECC ADV.ARC.1 (and underlying platform SFRs) O.ECDAA FCS_COP.1/ECDAA ADV.ARC.1 (and underlying platform SFRs) O.SHA FCS_COP.1/SHA ADV.ARC.1 (and underlying platform SFRs) O.HMAC FCS_COP.1/HMAC ADV.ARC.1 (and underlying platform SFRs) O.COPY FDP_SOP.1/Copy ADV.ARC.1 (and underlying platform SFRs) O.MOVE FDP_SOP.1/Move ADV.ARC.1 (and underlying platform SFRs) O.COMPARE FDP_SOP.1/Compare ADV.ARC.1 (and underlying platform SFRs) O.SW_CRC FCS_COP.1/SW_CRC ADV.ARC.1 (and underlying platform SFRs) O.REUSE FDP_RIP.1 FCS_CKM.4 O.RND FCS_RNG.1/HYB-DET FCS_RNG.1/HYB-PHY ADV.ARC.1 (and underlying platform SFRs) NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 47 / 67 The justification of the security objectives O.SW_AES, O.SW_DES, O.RSA, O.RSA_PubExp, O.RSA_KeyGen, O.ECDSA, O.ECDSA_V2X, O.ECCV2X_KeyDerivation, O.ECC_DHKE, O.ECC_Add, O.ECC_KeyGen, O.ECDAA, O.SHA, O.HMAC, O.COPY, O.MOVE, O.COMPARE and O.SW_CRC are all as follows: • Each objective is directly implemented by a single SFR specifying the (cryptographic) service that the objective wishes to achieve (see the above table for the mapping). • The requirements and architectural measures that originally were taken from the Protection Profile [5] and thus were also part of the Security Target of the hardware (chip) evaluation support the objective: – ADV.ARC.1 (and underlying platform SFRs) supports the objective by ensuring that the TOE works correctly (i.e., all of the TOE’s capabilities are ensured) within the specified operating conditions and maintains a secure state when the TOE is outside the specified operating conditions. A secure state is also entered when perturbation or DFA attacks are detected. – ADV.ARC.1 (and underlying platform SFRs) ensures that no User Data (plain text data, keys) or TSF Data is disclosed when they are transmitted between different functional units of the TOE (i.e., the different memories, the CPU, cryptographic co- processors), thereby supporting the objective in keeping confidential data secret. • ADV.ARC.1 (and underlying platform SFRs) by ensuring that User Data and TSF Data are not accessible from the TOE except when the Security IC Embedded Software decides to communicate them via an external interface. The justification of the security objective O.REUSE is as follows: • O.REUSE requires the TOE to provide procedural measures to prevent disclosure of memory contents that was used by the TOE. This applies to the NCJ38AC High- performance secure microcontroller with Crypto Library for Automotive and is met by the SFR FDP_RIP.1 and FCS_CKM.4, which requires the library to make unavailable all memory contents that has been used by it. Note that the requirement for residual information protection applies to all functionality of the Cryptographic Library. The justification of the security objective O.RND is as follows: • O.RND requires the TOE to generate random numbers with (a) ensured cryptographic quality (i.e. not predictable and with sufficient entropy) such that (b) information about the generated random numbers is not available to an attacker. 1. Ensured cryptographic quality (sufficient entropy part) of generated random numbers is met by FCS_RNG.1.1/HYB-DET through the characteristic ‘hybrid deterministic’, by FCS_RNG.1.1/HYB-PHY through the characteristic ‘hybrid physical’, and by the random number generator meeting NIST SP 800-90A. Ensured cryptographic quality (not predictable part) of generated random numbers is met by FCS_RNG.1/HYB-DET through the characteristic ‘chi-squared test of the seed generator’, by FCS_RNG.1/HYB-PHY through the characteristic ‘cryptographic post-processing algorithm’, and FCS_RNG.1 from the certified hardware platform. 2. Information about the generated random numbers is not available to an attacker is met through ADV.ARC.1, which prevent physical manipulation and malfunction of the TOE and support this objective because they prevent attackers from manipulating or otherwise affecting the random number generator. 6.3.2 Dependencies of security requirements Table 25 shows all dependencies of the security functional requirements for the SFRs from the Hardware Security Target. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 48 / 67 Table 25. Dependencies of the security functional requirements for the Hardware TOE SFR of the TOE Dependencies Fullfilled by SFRs FRU_FLT.2 FPT_FLS.1 FPT_FLS.1 FPT_FLS.1 none N/A FMT_LIM.1 FMT_LIM.2 FMT_LIM.2 FMT_LIM.2 FMT_LIM.1 FMT_LIM.1 FPT_PHP.3 none N/A FDP_SDC.1 none N/A FDP_SDI.2/FLT none N/A FDP_ITT.1 FDP_ACC.1 or FDP_IFC.1 FDP_IFC.1 FPT_ITT.1 none N/A FDP_IFC.1 FDP_IFF.1 N/R, see sec. 6.3.2 in PP [5] FCS_RNG.1/PTG.2 none N/A FAU_SAS.1 none N/A FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FCS_COP.1/TDES FCS_CKM.4 FCS_CKM.4/TDES FCS_CKM.4/TDES FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FCS_COP.1/AES FCS_CKM.4 FCS_CKM.4/AES FCS_CKM.4/AES FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FDP_SDI.2/AGE none N/A FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FCS_COP.1/CRC FCS_CKM.4 N/R, see item 2 below FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 see item 1 below FCS_COP.1/GCM FCS_CKM.4 N/R, see item 2 below FDP_ACC.1/MEM FDP_ACF.1 FDP_ACF.1/MEM FDP_ACC.1 FDP_ACC.1/MEM FDP_ACF.1/MEM FMT_MSA.3 FMT_MSA.3/MEM FDP_ACC.1 or FDP_IFC.1 FDP_ACC.1/MEM FMT_SMR.1 see item 3 below FMT_MSA.1/MEM FMT_SMF.1 FMT_SMF.1 FMT_MSA.1 FMT_MSA.1/MEM FMT_MSA.3/MEM FMT_SMR.1 see item 3 below FDP_ACC.1/SFR FDP_ACF.1 FDP_ACF.1/SFR FDP_ACC.1 FDP_ACC.1/SFR FDP_ACF.1/SFR FMT_MSA.3 FMT_MSA.3/SFR FDP_ACC.1 or FDP_IFC.1 FDP_ACC.1/SFR FMT_MSA.1/SFR FMT_SMR.1 see item 3 below NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 49 / 67 SFR of the TOE Dependencies Fullfilled by SFRs FMT_SMF.1 FMT_SMF.1 FMT_MSA.1 FMT_MSA.1/SFR FMT_MSA.3/SFR FMT_SMR.1 see item 3 below FMT_SMF.1 none N/A 1. The dependencies of security functional requirements FCS_COP.1/TDES, FCS_COP.1/AES, FCS_COP.1/CRC and FCS_COP.1/GCM on FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 are not considered in this Security Target. This is because the decision on how to import user data and how to generate the keys shall be left to the Security IC Embedded Software. 2. The dependencies of security functional requirements FCS_COP.1/CRC and FCS_COP.1/GCM on FCS_CKM.4 don't have to be considered in this Security Target since their operations do not need any cryptographic keys. 3. The dependencies of security functional requirements FMT_MSA.1/MEM, FMT_MSA.3/MEM, FMT_MSA.1/SFR and FMT_MSA.3/SFR on FMT_SMR.1 are not considered in this Security Target. This is because the security attributes shall be managed by Security IC Embedded Software based on which the Security IC Embedded Software shall be capable to maintain roles and assign users to roles appropriate to its needs. SFRs [FDP_ITC.1, or FDP_ITC.2 or FCS_CKM.1] are not included in this Security Target for FCS_COP.1/SW_AES, FCS_COP.1/SW_DES, FCS_COP.1/SHA and FCS_COP.1/ HMAC since the TOE only provides a pure engine for these algorithms without additional features like the handling of keys or importing data from outside the TOE. Therefore, the Security IC Embedded Software must fulfil these requirements related to the needs of the realized application. Note that the requirement for residual information protection applies to all functionality of the Cryptographic Library. Therefore SFR FCS_CKM.4 fulfills dependencies of FCS_COP.1 for all its iterations SW_AES, SW_DES, RSA, RSA_PAD, RSA_PubExp, ECDSA, ECDSA_V2X, ECCV2X_KeyDrivation, ECC_DHKE, ECC_Additional, ECDAA, SHA, HMAC and SW_CRC. 6.3.3 Rationale for the Security Assurance Requirements The Protection Profile [5] targets EAL4 augmented with ALC_DVS.2, and AVA_VAN.5 and also gives a rationale for this choice, which is entirely applicable to this Security Target. This Security Target augments from EAL4 to EAL5 in order to meet increasing assurance expectations of digital signature applications and electronic payment systems on the resistance to attackers with high attack potential. The augmentations to EAL4 in the Protection Profile [5] are mandatory for EAL5. This Security Target augments EAL5 with ALC_FLR.1 and ASE_TSS.2 for the following reasons. ALC_FLR.1 is added to cover policies and procedures that are applied to track and correct flaws and to support surveillance of the TOE. ASE_TSS.2 is chosen to give architectural information on the security functionality of the TOE, which enhances comprehensibility. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 50 / 67 In addition, this Security Target also augments EAL5 with ADV_IMP.2, ADV_INT.3, ADV_TDS.5, ALC_CMC.5, ALC_TAT.3, and ATE_FUN.2 for the following reasons. ADV_TDS.5 is added to provide a complete semiformal modular design of the TOE. ADV_IMP.2 is added to provide a complete mapping of the implementation representation of the TSF. ADV_INT.3 is added to provide justification of the complexity of the TOE. ALC_CMC.5 is added to fulfill ADV_IMP.2. ALC_TAT.3 is added to adapt a complete compliance to relevant implementation standards. ATE_FUN.2 is added to provide well-structured and well-documented tests. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 51 / 67 7 TOE Summary Specification This chapter describes the “IT Security Functionality”. 7.1 IT Security Functionality The evaluation of this NCJ38AC is performed as an evaluation, where the TOE comprises both the underlying hardware and the embedded software (Services Software and Crypto Library. The TOE of this evaluation therefore extends the security functionality already available in the chip platform (see Section 7.1 “Portions of the TOE Security Functionality” of the Hardware Security [35]). Note 8. The security functionality SS.RNG implements the hardware RNG. The NCJ38AC also implements software RNG as part of security functionality SS.SW_RNG; for details see Section 7.1.1.2.15. The hardware RNG is not externally visible through the interfaces of the Crypto Library; instead users of the Crypto Library are intended to use the software RNG (SS.SW_RNG). Note 9. The security functionality SF.LOG is extended by the NCJ38AC as described in Security Architectural Information. The additional security functionality provided by the TOE is described in the following sub-sections. The IT security functionalities directly correspond to the TOE security functional requirements defined in Section 6.1. The definitions of the IT security functionalities refer to the corresponding security functional requirements. 7.1.1 Security Services 7.1.1.1 Security Services of the hardware platform The Security Services of the hardware platform NCJ38A0 are described in the the Hardware Security Target [35] and are listed in Table 26. These Security Services entirely apply to the TOE. Table 26. Security Services of the Hardware Security Target Security Services Name SS.RNG Random Number Generator SS.TDES Triple-DES coprocessor SS.AES AES coprocessor SS.GCM GCM coprocessor SS.SBC SBC interface functions SS.CRC CRC coprocessor 7.1.1.2 Security Services specific to Crypto Library The security services for NCJ38AC include the security services for the hardware platform and, in addition, the following security services for Crypto Library. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 52 / 67 7.1.1.2.1 SS.SW_AES The TOE uses the P73 AES hardware coprocessor to provide AES encryption and decryption facility using 128, 192 or 256 bit keys. The TOE implements additional countermeasures that are configurable at runtime and provides functionality for handling checksums over loaded keys. The supported modes are ECB, CBC, CTR, GCM, CBC-MAC and CMACECB, CBC, CBC-MAC and CMAC (i.e. the CBC mode applied to the block cipher algorithm AES). In addition, the TOE provides the ability to compute a CBC-MAC. The CBC-MAC mode of operation is rather similar to the CBC mode of operation, but returns only the last cipher text (see also [53], Algorithm 1). SS.SW_AES is a basic cryptographic function which provides the AES algorithm as defined by the standard [47]. The interface to SS.SW_AES allows AES operations independent from prior key loading. The user has to take care that adequate keys of the correct size are loaded before the cryptographic operation is performed. Details are described in the user guidance [12] and the user manual [29]. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/SW_AES 7.1.1.2.2 SS.SW_DES The TOE uses the P73 Triple-DES hardware coprocessor to provide a DES encryption and decryption facility using 56-bit keys, and to provide Triple-DES encryption and decryption. The Triple-DES function uses double-length or triple-length keys with sizes of 112 or 168 bits respectively. The TOE implements additional countermeasures that are configurable at runtime and provides functionality for handling checksums over loaded keys. The supported modes are ECB, CBC, CTR, CBC-MAC and CMAC ECB, CBC, CBC- MAC and CMAC(i.e. the CBC mode applied to the block cipher algorithm TDES or DES). In addition, the TOE provides the ability to compute a CBC-MAC. The CBC-MAC mode of operation is rather similar to the CBC mode of operation, but returns only the last cipher text (see also [53], Algorithm 1, or [49], Appendix F). Like ECB, CBC, and CTR, the CBC-MAC mode of operation can also be applied to both DES and TDES as underlying block cipher algorithm. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that Single-DES shall not be used. SS.SW_DES is a modular basic cryptographic function which provides the DES and Triple-DES algorithm (with two and three keys) as defined by the standard [46]. The interface to SS.SW_DES allows performing Single-DES or 2-key and 3-key Triple- DES operations independent from prior key loading. The user has to take care that adequate keys of the correct size are loaded before the cryptographic operation is performed. Details are described in the user manual [29]. All modes of operation (ECB, NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 53 / 67 CBC, CTR, CBC MAC) can be applied to DES, two-key TDES and three-key TDES for a total of nine possible combinations. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/SW_DES 7.1.1.2.3 SS.RSA The TOE provides functions that implement the RSA algorithm and the RSA-CRT algorithm for data encryption, decryption, signature and verification. All algorithms are defined in PKCS #1, v2.2 (RSAEP, RSADP, RSAP1, RSAVP1) [56]. This routine supports various key lengths from 512 bits to 4096 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). The TOE contains modular exponentiation functions, which, together with other functions in the TOE, perform the operations required for RSA encryption or decryption. Two different RSA algorithms are supported by the TOE, namely the "Simple Straight Forward Method" (called RSA "straight forward", the key consists of the pair n and d) and RSA using the "Chinese Remainder Theorem" (RSA CRT, the key consists of the quintuple p, q, dp, dq, qInv). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/RSA 7.1.1.2.4 SS.RSA_Pad The TOE provides functions that implement the RSA algorithm and the RSA-CRT algorithm for message and signature encoding. This IT security functionality supports the EME-OAEP and EMSA-PSS signature scheme. All algorithms are defined in PKCS #1, v2.2 (EME-OAEP, EMSA-PSS) [56]. This routine supports various key lengths from 512 bits to 4096 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/RSA_PAD 7.1.1.2.5 SS.RSA_PublicExp The TOE provides functions that implement computation of an RSA public key from a private CRT key. All algorithms are defined in PKCS #1, v2.2 [56]. This routine supports various key lengths from 512 bits to 4096 bits (CRT). To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 54 / 67 Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/RSA_PubExp 7.1.1.2.6 SS.ECDSA The TOE provides functions to perform ECDSA Signature Generation and Signature Verification according to ISO/IEC 15946-2 [40], FIPS PUB 186-4 [48] and ANSI X9.62 [55]. Note that hashing of the message must be done beforehand and is not provided by this security functionality, but could be provided by SS.SHA. The supported key length is 128 to 640 bits for signature generation and 128 to 640 bits for signature verification. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/ECDSA 7.1.1.2.7 SS.ECCV2X The TOE provides functions to perform ECDSA Signature Generation according to ISO/IEC 15946-2 [40], FIPS PUB 186-4 [48] and ANSI X9.62 [55] as well as EC key derivation according to ISO/IEC 15946-1 [39]. Note that hashing of the message must be done beforehand and is not provided by this security functionality, but could be provided by SS.SHA. The supported key length is 128 to 640 bits for signature generation and 128 to 640 bits for signature verification. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/ECDSA_V2X • FCS_COP.1/ECCV2X_KeyDerivation 7.1.1.2.8 SS.ECC_DHKE The TOE provides functions to perform Diffie-Hellman Key Exchange according to ISO/ IEC 15946-3 [41]. The supported key length is 128 to 640 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 55 / 67 This security functionality covers: • FCS_COP.1/ECC_DHKE 7.1.1.2.9 SS.ECC_Additional The TOE provides functions to perform a full ECC point addition according to ISO/IEC 15946-1 [39] . The supported key length is 128 to 640 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/ECC_Additional 7.1.1.2.10 SS.ECDAA The TOE provides the ECDAA related functions as specified in the TPM2.0 [9] specification: EcDaa signature generation (see Part 4 of [9]). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/ECDAA 7.1.1.2.11 SS.RSA_KeyGen The TOE provides functions to generate RSA key pairs as described in PKCS #1, v2.2 [56] and FIPS PUB 186-4 [48] (Algorithm acc. Appendix B.3.3). With this the TOE complies to the content of SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms [57]. It supports various key lengths from 512 bits to 4096 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Two different output formats for the key parameters are supported by the TOE, namely the "Simple Straight Forward Method" (RSA "straight forward") and RSA using the "Chinese Remainder Theorem" (RSA CRT). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_CKM.1/RSA 7.1.1.2.12 SS.ECC_KeyGen The TOE provides functions to perform ECC over GF(p) Key Generation according to ISO/IEC 15946-1 section 6.1 [39], “ANSI X9.62 [55] and FIPS PUB 186-4 [48]. With this the TOE complies to the content of SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms [57]. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 56 / 67 It supports key length from 128 to 640 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_CKM.1/ECC 7.1.1.2.13 SS.SHA The TOE implements functions to compute the Secure Hash Algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 according to the standard FIPS 180-4 [44] and SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 according to the standard FIPS 202 [45]. The TOE implements functions to compute the Secure Hash Algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 according to the standard FIPS 180-4 [44] and SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 according to the standard FIPS 202 [45]. To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that SHA-1 shall not be used. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/SHA 7.1.1.2.14 SS.HMAC The TOE provides functions to perform HMAC Keyed-hash Message Authentication algorithm according to FIPS 198-1 [43]. There is no limitation on the supported key length except that it must be a multiple of 8 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). In particular this means that HMAC with SHA-1 shall not be used. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FCS_COP.1/HMAC 7.1.1.2.15 SS.SW_RNG The TOE contains both a hardware Random Number Generator (RNG) and a software RNG; for the hardware RNG (SS.RNG) see the Note 8. SS.SW_RNG consists of the implementation of the software RNG and of appropriate online tests for the hardware RNG (as required for FCS_RNG.1/HYB-DET and FCS_RNG.1/HYB-PHY taken from the Protection Profile [5] and the proposal for AIS20/31 [7]): The Crypto Library implements a software (pseudo) RNG that can be used as a general purpose random source. This software RNG has to be seeded by random numbers taken NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 57 / 67 from the hardware RNG implemented in the P73 processor. The implementation of the software RNG is based on the standard NIST SP 800-90A as described in [42]. In addition, the Crypto Library implements appropriate online tests according to the Hardware User Guidance Manual [37] for the hardware RNG, which fulfils the functionality class P2 defined by the AIS31 [6] and class PTG.2 defined by the proposal for AIS20/31 [7], as required by SFR FCS_RNG.1/HYB-DET and SFR FCS_RNG.1/HYB- PHY. The interface of SS.SW_RNG allows to test the hardware RNG and to seed the software RNG after successful testing. This security functionality covers: • FCS_RNG.1/HYB-DET • FCS_RNG.1/HYB-PHY 7.1.1.2.16 SS.COPY The security service SS.COPY implements functionality to copy memory content in a secure manner protected against attacks. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FDP_SOP.1/Copy 7.1.1.2.17 SS.MOVE The security service SS.MOVE implements functionality to move memory content in a secure manner protected against attacks. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FDP_SOP.1/Move 7.1.1.2.18 SS.COMPARE The security service SS.COMPARE implements functionality to compare different blocks of memory content in a manner protected against attacks. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: • FDP_SOP.1/Compare 7.1.1.2.19 SS.SW_CRC SS.SW_CRC serves the Security IC Embedded Software with calculation of of cyclic redundancy checks as defined in [10] for 16 bits and in [11] for 32 bits. Attack resistance for this security functionality is discussed in Security Architectural Information. This security functionality covers: NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 58 / 67 • FCS_COP.1/SW_CRC 7.1.2 Security Features 7.1.2.1 Security Features from the hardware platform The Security Features of the hardware platform NCJ38A0 are described in the the Hardware Security Target [35] and are listed in Table 27. These Security Services entirely apply to the TOE. Table 27. Security Features of the Hardware Security Target Security Features Name SF.OPC Control of Operating Conditions SF.PHY Protection against Physical Manipulation SF.LOG Logical Protection SF.FOS-USE Factory OS use restrictions SF.MEM-ACC Memory Access Control SF.SFR-ACC Special Function Register Access Control SF.FLSV-SUP Flash Services Software support 7.1.2.2 Crypto Library The security features for NCJ38AC include the security features for the hardware platform and, in addition, the following security features for Crypto Library. 7.1.2.2.1 SF.Object_Reuse The TOE provides internal security measures which clear memory areas used by the Crypto Library after usage. This functionality is required by the security functional component FDP_RIP.1 and FCS_CKM.4, taken from the Common Criteria Part 2 [2]. These measures ensure that a subsequent process may not gain access to cryptographic assets stored temporarily in memory used by the TOE. This security functionality covers: • FDP_RIP.1 • FCS_CKM.4 7.2 Security Architectural Information Details deleted here, available only in the full version of the Security Target. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 59 / 67 8 Annexes 8.1 Further Information contained in the PP The Annex of the Protection Profile ([5], chapter 7) provides further information. Section 7.1 of the PP describes the development and production process of smartcards, containing a detailed life-cycle description and a description of the assets of the Integrated Circuits Designer/Manufacturer. Section 7.6 of the PP gives examples of Attack Scenarios. 8.2 Glossary and Vocabulary Note: To ease understanding of the used terms the glossary of the Protection Profile [5] is included here. Application Data All data managed by the Security IC Embedded Software in the application context. Application data comprise all data in the final Security IC. Authentication reference data Data used to verify the claimed identity in an authentication procedure. Authentication verification data Data used to prove the claimed identity in an authentication procedure. Composite Product Integrator Role installing or finalizing the IC Security IC Embedded Software and the applications on platform transforming the TOE into the unpersonalized Composite Product after TOE delivery. The TOE Manufacturer may implement IC Security IC Embedded Software delivered by the Security IC Embedded Software Developer before TOE delivery (e.g. if the IC Security IC Embedded Software is implemented in ROM or is stored in the non-volatile memory as service provided by the IC Manufacturer or IC Packaging Manufacturer). Composite Product Manufacturer The Composite Product Manufacturer has the following roles (i) the Security IC Embedded Software Developer (Phase 1), (ii) the Composite Product Integrator (Phase 5) and (iii) the Personalizer (Phase 6). If the TOE is delivered after Phase 3 in form of wafers or sawn wafers (dice) he has the role of the IC Packaging Manufacturer (Phase 4) in addition. The customer of the TOE Manufacturer who receives the TOE during TOE Delivery. The Composite Product Manufacturer includes the Security IC Embedded Software developer and all roles after TOE Delivery up to Phase 6 (refer to Figure 2 on page 10 and Section 7.1.1). End-consumer User of the Composite Product in Phase 7. IC Dedicated Software IC proprietary software embedded in a Security IC (also known as IC firmware) and developed by the IC Developer. Such software is required for testing purpose (IC Dedicated Test Software) but may provide additional NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 60 / 67 services to facilitate usage of the hardware and/or to provide additional services (IC Dedicated Support Software). IC Dedicated Test Software That part of the IC Dedicated Software (refer to above) which is used to test the TOE before TOE Delivery but which does not provide any functionality thereafter. IC Dedicated Support Software That part of the IC Dedicated Software (refer to above) which provides functions after TOE Delivery. The usage of parts of the IC Dedicated Software might be restricted to certain phases. Initialization Data Initialization Data defined by the TOE Manufacturer to identify the TOE and to keep track of the Security IC’s production and further life-cycle phases are considered as belonging to the TSF data. These data are for instance used for traceability and for TOE identification (identification data). Integrated Circuit (IC) Electronic component(s) designed to perform processing and/or memory functions. Key Generation An act of securely generate a key or a key pair (public and private) for cryptographic purposes. Memory The memory comprises of the RAM, ROM and the Flash of the TOE. Memory Management Unit The MMU maps the virtual addresses used by the CPU into the physical addresses of RAM, ROM and Flash. This mapping is done based on memory partitioning. Memory partitioning is fixed. MIFARE Contact-less smart card interface standard, complying with ISO14443A. Pre-personalization Data Any data supplied by the Card Manufacturer that is injected into the non-volatile memory by the Integrated Circuits manufacturer (Phase 3). These data are for instance used for traceability and/or to secure shipment between phases. Security IC (as used in this Protection Profile) Composition of the TOE, the Security IC Embedded Software, user data of the Composite TOE and the package (the Security IC carrier). Security IC Embedded Software Software embedded in a Security IC and normally not being developed by the IC Designer. The Security IC Embedded Software is designed in Phase 1 and embedded into the Security IC in Phase 3 or in later phases of the Security IC product life-cycle. Some part of that software may actually implement a Security IC application others may provide standard services. Nevertheless, this distinction doesn’t matter here so that the Security IC Embedded Software can be NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 61 / 67 considered as being application dependent whereas the IC Dedicated Software is definitely not. Security IC Product Composite product which includes the Security Integrated Circuit (i.e. the TOE) and the Security IC Embedded Software and is evaluated as composite target of evaluation in the sense of the Supporting Document Secured Environment Operational environment maintains the confidentiality and integrity of the TOE as addressed by OE.Process- Sec-IC and the confidentiality and integrity of the IC Security IC Embedded Software, TSF data or user data associated with the product by security procedures of the product manufacturer, personaliser and other actors before delivery to the end-user depending on the life- cycle. Test Features All features and functions (implemented by the IC Dedicated Test Software and/or hardware) which are designed to be used before TOE Delivery only and delivered as part of the TOE. TOE Delivery The period when the TOE is delivered which is (refer to Figure 2 on page 10) either (i) after Phase 3 (or before Phase 4) if the TOE is delivered in form of wafers or sawn wafers (dice) or (ii) after Phase 4 (or before Phase 5) if the TOE is delivered in form of packaged products. TOE Manufacturer The TOE Manufacturer must ensure that all requirements for the TOE (as defined in Section 1.2.2) and its development and production environment are fulfilled (refer to Figure 2 on page 10). The TOE Manufacturer has the following roles: (i) IC Developer (Phase 2) and (ii) IC Manufacturer (Phase 3). If the TOE is delivered after Phase 4 in form of packaged products, he has the role of the (iii) IC Packaging Manufacturer (Phase 4) in addition. TSF data Data for the operation of the TOE upon which the enforcement of the SFR relies. They are created by and for the TOE, that might affect the operation of the TOE. This includes information about the TOE’s configuration, if any is coded in non-volatile non-programmable memories (ROM), in non-volatile programmable memories (for instance E2PROM or flash memory), in specific circuitry or a combination thereof. User data of the Composite TOE All data managed by the Security IC Embedded Software in the application context. User data of the TOE Data for the user of the TOE, that does not affect the operation of the TSF. From the point of view of TOE defined in this PP the user data comprises the Security IC Embedded Software and the user data of the Composite TOE. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 62 / 67 9 Bibliography 9.1 Evaluation documents [1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1, Revision 5, April 2017, CCMB-2017-04-001 [2] Common Criteria for Information Technology Security Evaluation Part 2: Security functional compo-nents, Version 3.1, Revision 5, April 2017, CCMB-2017-04-002 [3] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance compo-nents, Version 3.1, Revision 5, April 2017, CCMB-2017-04-003 [4] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, Version 3.1, Revision 5, April 2017, CCMB-2017-04-004 [5] Security IC Platform Protection Profile with Augmentation Packages, Version 1.0, registered and certified by Bundesamt fuer Sicherheit in der Informationstechnik (BSI) under the reference BSI-PP-0084-2014 [6] Anwendungshinweise und Interpretationen zum Schema, AIS31: Funktionalitaetsklassen und Evaluationsmethodologie fuer physikalische Zufallszahlengeneratoren, Version 2.1, 02.12.2011, Bundesamt fuer Sicherheit in der Informationstechnik [7] A proposal for: Functionality classes for random number generators, Version 2.0, 18 September 2011 [8] AIS20: Anwendungshinweise und Interpretationen zum Schema (AIS), Funktionalitätsklassen und Evaluationsmethodologie für deterministische Zufallszahlengeneratoren, Bundesamt für Sicherheit in der Informationstechnik (BSI), Version 1, December 2nd, 1999 [9] TPM Rev. 2.0: Trusted Platform Module Library Specification, Family "2.0", Level 00, Revision 01.07- March 2014 [10] "SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATION Public data networks – Interfaces, Interface between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE) for terminals operating in the packet mode and connected to public data networks by dedicated circuit", International Telecommunication Union, ITU-T Recommendation X.25, October 1996 [11] "IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements Part 3: Carrier sense multiple access with collision detection (CSMA/ CD) access method and physical layer specifications", IEEE Computer Society, IEEE Std 802.3™ -2005, Dec-12, 2005 9.2 Developer documents [12] NCJ38A Crypto Library: Information on Guidance and Operation, Rev. 1.4, 29 March 2019, DocID: 508714 [13] P73N2M0 Crypto Library: User Manual – RNG Library, Rev. 1.0, 12 October 2016, DocID: 401410 [14] P73N2M0 Crypto Library: User Manual – RNG Library, Rev. 1.1, 19 February 2019, DocID: 401411 [15] P73N2M0 Crypto Library: User Manual – SHA Library, Rev. 1.0, 12 October 2016, DocID: 401710 [16] P73N2M0 Crypto Library: User Manual – Secure SHA Library, Rev. 1.0, 12 October 2016, DocID: 401810 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 63 / 67 [17] P73N2M0 Crypto Library: User Manual – SHA-3 Library, Rev. 1.0, 12 October 2016, DocID: 402010 [18] P73N2M0 Crypto Library: User Manual – Secure SHA-3 Library, Rev. 1.0, 12 October 2016, DocID: 402110 [19] P73N2M0 Crypto Library: User Manual – HASH Library, Rev. 1.0, 12 October 2016, DocID: 403810 [20] P73N2M0 Crypto Library: User Manual – HMAC Library, Rev. 1.0, 12 October 2016, DocID: 401310 [21] P73N2M0 Crypto Library: User Manual – Rsa Library (Rsa), Rev. 1.0, 11 October 2016, DocID: 401510 [22] P73N2M0 Crypto Library: User Manual – RSA Key Generation Library (RsaKg), Rev. 1.0, 11 October 2016, DocID: 401610 [23] P73N2M0 Crypto Library: User Manual – ECC over GF(p) Library, Rev. 1.0, 10 October 2016, DocID: 401210 [24] NCJ38A Crypto Library: User Manual – ECC over GF(p) V2X Library, Rev. 1.0, 31 October 2018, DocID: 508810 [25] NCJ38A Crypto Library: User Manual – Utils V2X Library, Rev. 1.0, 31 October 2018, DocID: 508910 [26] NCJ38A Crypto Library: User Manual – Utils Math V2X Library,Rev. 1.0, 24 October 2018, DocID: 509010 [27] P73N2M0 Crypto Library: User Manual – ECDAA, Rev. 1.0, 10 October 2016, DocID: 402410 [28] P73N2M0 Crypto Library: User Manual – Utils Library, Rev. 1.0, 11 October 2016, DocID: 402210 [29] P73N2M0 Crypto Library: User Manual – Symmetric Cipher Library (SymCfg), Rev. 1.0, 10 October 2016, DocID: 401110 [30] P73N2M0 Crypto Library: User Manual – Korean SEED Library, Rev. 1.0, 12 October 2016, DocID: 402310 [31] P73N2M0 Crypto Library: User Manual – FELICA, Rev. 1.0, 2 November 2016, DocID: 401910 [32] P73N2M0 Crypto Library: User Manual – OSCCA-SM2 over GF(p) Library, Rev. 1.1, 15 December 2016, DocID: 402511 [33] P73N2M0 Crypto Library: User Manual – OSCCA-SM3 Library, Rev. 1.0, 12 October 2016, DocID: 402610 [34] P73N2M0 Crypto Library: User Manual – OSCCA-SM4 Library, Rev. 1.0, 12 October 2016, DocID: 402710 [35] NCJ38A0 High-performance secure microcontroller for Automotive - Security Target, NXP Semiconductors, Version 1.2, 2 November 2018 [36] NCJ38A0HN, High-performance secure micro-controller for Automotive, Product data sheet, NXP Semiconductors, Rev. 3.0, DocID: 396330 [37] NCJ38A0, Information on User Guidance and Operation, User manual, NXP Semiconductors, Version 1.0, 05 February 2018 [38] P73 Services User Manual, API and Operational Guidance, Revision 2.4, 07.08.2018, NXP Semiconductors 9.3 Standards [39] ISO/IEC 15946-1: Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 1: General, 2008 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 64 / 67 [40] ISO/IEC 15946-2: Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 2: Digital Signatures, 2003 [41] ISO/IEC 15946-3-2006: Information technology – Security techniques – Cryptographic techniques based on elliptic curves – Part 3: Key Establishment, 2006 [42] NIST Special Publication 800-90A, Revision 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015, Elaine Barker and John Kelsey, National Institute of Standards and Technology [43] FIPS PUB 198-1: The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication, July 2008, US Department of Commerce/National Institute of Standards and Technology [44] FIPS PUB 180-4: Secure Hash Standard, Federal Information Processing Standards Publication, February 2011, US Department of Commerce/National Institute of Standards and Technology [45] FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, Federal Information Processing Standards Publication, August 2015, US Department of Commerce/National Institute of Standards and Technology [46] FIPS PUB 46-3 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION DATA ENCRYPTION STANDARD (DES) Reaffirmed 1999 October 25 [47] FIPS PUB 197: Advanced Encryption Standard (AES), Federal Information Pro- cessing Standards Publication 197, November 26th, 2001, US Department of Com- merce/National Institute of Standards and Technology [48] FIPS PUB 186-4: Digital Signature Standard, Federal Information Processing Standards Publication, 2013, July, National Institute of Standards and Technology [49] FIPS PUB 81: DES modes of operation, Federal Information Processing Standards Publication, December 2nd, 1980, US Department of Commerce/National Institute of Standards and Technology [50] NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques, December 2001, Morris Dworkin, National Institute of Standards and Technology [51] NIST Special Publication 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005, Morris Dworkin, National Institute of Standards and Technology [52] NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007, Morris Dworkin, National Institute of Standards and Technology [53] ISO/IEC 9797-1: 2011 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher [54] JIL-ATT-SC: Attack Methods for Smartcards and Similar Devices, Joint Interpretation Library, Version 1.5, February 2009 [55] ANSI X9.62: Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Standard (ECDSA), American National Standard, November 16th, 2005 [56] PKCS #1, v2.2: RSA Cryptography Standard, RSA Laboratories, October 2012 9.4 Other documents [57] SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms, SOG-IS Crypto Working Group, Version 1.0, May 2016 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 65 / 67 10 Legal information 10.1 Disclaimers Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors. In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory. Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors’ aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors. Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof. Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk. Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification. Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities. 10.2 Trademarks Notice: All referenced brands, product names, service names and trademarks are the property of their respective owners. Adelante, Bitport, Bitsound, CoolFlux, CoReUse, DESFire, EZ-HV, FabKey, GreenChip, HiPerSmart, HITAG, I²C-bus logo, ICODE, I-CODE, ITEC, Labelution, MIFARE, MIFARE Plus, MIFARE Ultralight, MoReUse, QLPAK, Silicon Tuner, SiliconMAX, SmartXA, STARplug, TOPFET, TrenchMOS, TriMedia and UCODE — are trademarks of NXP B.V. HD Radio and HD Radio logo — are trademarks of iBiquity Digital Corporation. NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved. Product evaluation document Rev. 1.1 — 29 March 2019 COMPANY PUBLIC 66 / 67 Tables Tab. 1. IC Hardware and IC Dedicated Support Software components of NCJ38A0 common for any logical configuration .............................. 6 Tab. 2. Components of the TOE related to the Services Software ............................................. 7 Tab. 3. Components of the TOE related to the Crypto Library 2.6.1 .......................................... 7 Tab. 4. Components of the TOE related to the Crypto Library 2.5.1 .......................................... 8 Tab. 5. Threats defined in the Protection Profile ......... 18 Tab. 6. Threats added in Hardware Security Target ....19 Tab. 7. Organizational Security Policies defined in the Protection Profile .......................................19 Tab. 8. Organizational Security Policies added in Hardware Security Target ............................... 19 Tab. 9. Assumptions defined in the Protection Profile .............................................................. 20 Tab. 10. Assumptions defined in Hardware Security Target .............................................................. 20 Tab. 11. Security objectives for the TOE defined in the Protection Profile .......................................21 Tab. 12. Security Objectives for the TOE added in the Hardware Security Target ............................... 21 Tab. 13. Security objectives for the Security IC Embedded Software defined in the Protection Profile .............................................23 Tab. 14. Security objectives for the operational environment defined in the Protection Profile ...24 Tab. 15. Security Objectives for the operational environment added in the Hardware Security Target ................................................24 Tab. 16. Additional Security Objectives versus threats, assumptions or policies for Crypto Library ..............................................................24 Tab. 17. Extended components defined in the Protection Profile .............................................26 Tab. 18. Security functional requirements from the Hardware Security Target taken from Protection Profile .............................................28 Tab. 19. Security functional requirements from the Hardware Security Target based on CC Part 2 ...................................................................... 29 Tab. 20. SFRs defined in this Security Target for Crypto Library ..................................................29 Tab. 21. Extended SFRs defined for Crypto Library ......41 Tab. 22. Security assurance requirements for the TOE ................................................................. 42 Tab. 23. Mapping of the security objectives to the security functional requirements of the Hardware Security Target ............................... 44 Tab. 24. Mapping of SFRs to Security Objectives for Crypto Library in this ST ................................. 46 Tab. 25. Dependencies of the security functional requirements for the Hardware TOE ............... 48 Tab. 26. Security Services of the Hardware Security Target .............................................................. 51 Tab. 27. Security Features of the Hardware Security Target .............................................................. 58 NXP Semiconductors NCJ38AC High-performance secure microcontroller with Crypto Library for Automotive Security Target Lite © NXP B.V. 2019. All rights reserved. For more information, please visit: http://www.nxp.com For sales office addresses, please send an email to: salesaddresses@nxp.com Date of release: 29 March 2019 Contents 1 ST Introduction ................................................... 4 1.1 ST Reference .................................................... 4 1.2 TOE Reference ..................................................4 1.3 TOE Overview ................................................... 4 1.3.1 Introduction ........................................................ 4 1.3.2 Life-Cycle ...........................................................5 1.3.3 Specific Issues of Hardware and the Common Criteria ............................................... 6 1.4 TOE Description ................................................ 6 1.4.1 Hardware description .......................................10 1.4.2 Software description ........................................ 10 1.4.2.1 Services Software ............................................10 1.4.2.2 Crypto Library ..................................................10 1.4.3 Documentation .................................................13 1.4.3.1 Services Software ............................................13 1.4.3.2 Crypto Library ..................................................13 1.4.4 Interface of the TOE ........................................14 1.4.5 Life Cycle and Delivery of the TOE ................. 14 1.4.6 TOE Type and TOE intended usage ............... 14 1.4.7 TOE User Environment ................................... 15 1.4.8 General IT features of the TOE .......................15 2 Conformance Claims ........................................ 16 2.1 Conformance Claim .........................................16 2.2 Conformance Claim Rationale .........................16 3 Security Problem Definition .............................18 3.1 Description of Assets .......................................18 3.2 Threats .............................................................18 3.3 Organizational Security Policies ...................... 19 3.3.1 Security Policies from Protection Profile and Hardware Security Target ................................19 3.3.2 Security Policies specific to Crypto Library ...... 19 3.4 Assumptions .................................................... 20 4 Security Objectives ...........................................21 4.1 Security Objectives for the TOE ...................... 21 4.1.1 Security Objectives from the Protection Profile and the Hardware Security Target ........21 4.1.2 Security Objectives specific to Crypto Library ...21 4.2 Security Objectives for the Security IC Embedded Software ........................................ 23 4.3 Security Objectives for the Operational Environment .....................................................24 4.4 Security Objectives Rationale ..........................24 4.4.1 Rationale for Security Objectives from Protection Profile and Hardware Security Target ...............................................................24 4.4.2 Rationale for Security Objectives specific to Crypto Library ..................................................24 5 Extended Components Definition ....................26 5.1 Secure basic operations (FDP_SOP) .............. 26 6 Security Requirements .....................................28 6.1 Security Functional Requirements ...................28 6.1.1 SFRs from the Protection Profile and the Hardware Security Target ................................28 6.1.2 Security Functional Requirements added in this Security Target ......................................... 29 6.1.2.1 Crypto Library ..................................................29 6.2 Security Assurance Requirements ...................42 6.3 Security Requirements Rationale .................... 44 6.3.1 Rationale for the Security Functional Requirements ...................................................44 6.3.1.1 SFRs from the Hardware Security Target ........44 6.3.1.2 SFRs specific to Crypto Library .......................45 6.3.2 Dependencies of security requirements ...........47 6.3.3 Rationale for the Security Assurance Requirements ...................................................49 7 TOE Summary Specification ............................51 7.1 IT Security Functionality .................................. 51 7.1.1 Security Services .............................................51 7.1.1.1 Security Services of the hardware platform ..... 51 7.1.1.2 Security Services specific to Crypto Library .....51 7.1.2 Security Features .............................................58 7.1.2.1 Security Features from the hardware platform ............................................................58 7.1.2.2 Crypto Library ..................................................58 7.2 Security Architectural Information ....................58 8 Annexes ............................................................. 59 8.1 Further Information contained in the PP .......... 59 8.2 Glossary and Vocabulary ................................ 59 9 Bibliography ...................................................... 62 9.1 Evaluation documents ..................................... 62 9.2 Developer documents ......................................62 9.3 Standards .........................................................63 9.4 Other documents ............................................. 64 10 Legal information ..............................................65 10.1 Disclaimers ...................................................... 65 10.2 Trademarks ......................................................65