Joint Interpretation Library. ETR-lite for composition : Annex A Composite smartcard evaluation : Recommended best practice. IC and ES composition



Similar documents
Joint Interpretation Library. Guidance for smartcard evaluation

Joint Interpretation Library. Security Evaluation and Certification of Digital Tachographs

Smartcard IC Platform Protection Profile

Supporting Document Guidance. Smartcard Evaluation. February Version 2.0 CCDB

Supporting Document Guidance. ETR template for composite evaluation of Smart Cards and similar devices. September Version 1.

Joint Interpretation Library

Security IC Platform Protection Profile

Certification Report. NXP Secure Smart Card Controller P40C012/040/072 VD

Details for the structure and content of the ETR for Site Certification. Version 1.0

Supporting Document Guidance. Security Architecture requirements (ADV_ARC) for smart cards and similar devices. April Version 2.

Security Standards BS7799 and ISO17799

Certification Report

Courtesy Translation

Build a CC assurance package dedicated to your risk assessment. Francois GUERIN Security Program Manager francois.guerin@gemalto.

Certification Report

Certification Report BSI-DSZ-CC for. Renesas AE45C1 (HD65145C1) Smartcard Integrated Circuit Version 01. from. Renesas Technology Corp.

Joint Interpretation Library

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Certification Report on REDOWL SecuOS V4.0 for RHEL4 of TSonNet Co., Ltd.

BSI-DSZ-CC-S for. Dream Chip Technologies GmbH Germany. Dream Chip Technologies GmbH

On Security Evaluation Testing

CERTIFICATION REPORT

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk) BSI-PP-0020-V MA01

Common Methodology for Information Technology Security Evaluation. Evaluation methodology. September Version 3.1 Revision 4 CCMB

Credit Card Processing Overview

Certification Report StoneGate FW/VPN 5.2.5

CardControl. Credit Card Processing 101. Overview. Contents

Common Criteria v3.1 Vulnerability Assessment: What is new?

BSI-DSZ-CC for. tru/cos tacho v1.1. from. Trueb AG

BSI-DSZ-CC-S for. GLOBALFOUNDRIES Singapore Pte. Ltd. GLOBALFOUNDRIES Singapore Pte. Ltd.

Document ID: JIL-Security-Event-Management-Processs-V1-0 Subject: Security Event Management Process. Introduction

Certification Report

Software Modularisation and the Common Criteria

DataPower XS40 XML Security Gateway and DataPower XI50 Integration Appliance Version 3.6. Security Target Version 0.75

Common Criteria for Information Technology Security Evaluation. Part 3: Security assurance components. September Version 3.

Certification Report

Guidelines for Developer Documentation

Common Criteria for Information Technology Security Evaluation. Part 1: Introduction and general model. September Version 3.

Developing a new Protection Profile for (U)SIM UICC platforms. ICCC 2008, Korea, Jiju Septembre 2008 JP.Wary/M.Eznack/C.Loiseaux/R.

Java Card Protection Profile Open Configuration

Protection Profile for UK Dual-Interface Authentication Card

Security Target for PalmSecure

Certification Report. NXP J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, and J2E082_M65 Secure Smart Card Controller Revision 3

TRUSTED SECURITY FILTER SECURITY TARGET

C033 Certification Report

A Study on Smart Card Security Evaluation Criteria for Side Channel Attacks

CERTIFICATION REPORT

Chapter 12. Development Tools for Microcontroller Applications

Supporting Document Mandatory Technical Document. Application of Attack Potential to Smartcards. March Version 2.7 Revision 1 CCDB

Certification Report

Intrusion Detection System System Protection Profile

National Information Assurance Partnership

Compucat Research Pty Limited 14 Wales St, Belconnen ACT 2617 ABN

C015 Certification Report

Canon ir6570/ir5570 Series ir Security Kit-B3. Security Target

Common Criteria V3.1. Evaluation of IT products and IT systems

Oracle Business Intelligence Enterprise Edition (OBIEE) Version with Quick Fix running on Oracle Enterprise Linux 4 update 5 x86_64

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Certification Report

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

Certification Report

Certification Report

C038 Certification Report

General Requirements for Accreditation of ASNITE. Testing Laboratories of Information Technology. (The 12th Edition) November 1, 2014

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

How To Protect Your Computer From Being Hacked

Common Criteria Protection Profile. electronic Health Card (ehc) elektronische Gesundheitskarte (egk)

- Table of Contents -

ETSI ETR 278 TECHNICAL March 1996 REPORT

TEST PLAN Issue Date: <dd/mm/yyyy> Revision Date: <dd/mm/yyyy>

Teradata Database Version 2 Release (V2R6.1.0) Security Target

Certification Report

Certification Report

Certification Report

Information Technology Security Evaluation Criteria. ITSEC Joint Interpretation Library (ITSEC JIL)

Protection Profile for Server Virtualization

Certification Report

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Transcription:

ETR-lite for composition : Annex A Composite smartcard evaluation : Recommended best practice IC and ES composition Version 1.2 March 2002

ETR-lite for Composition Annex A Table of Contents 1. Foreword... 4 2. Objective... 4 3. Evaluation of a composite smartcard product... 4 3.1 Introduction... 4 3.2 Composition activities... 5 4. Use of a certified integrated circuit... 7 4.1 Objective... 7 4.2 Case 1: Maintenance... 7 4.3 Case 2: No maintenance... 8 5 References... 9 March 2002 Version 1.2 Page 3 / 9

ETR-lite for Composition Annex A Joint Interpretation Library 1. Foreword 1 This document constitutes one of the annexes of the document Joint Interpretation Library, ETR-lite for composition and is concerned with smartcard technology. 2. Objective 2 The objective of this document is to define the deliverables as output of an integrated circuit evaluation in order to perform a composite smart card evaluation. These deliverables can be part of the ETR-lite for composition document. 3 In this annex, a composite smartcard is considered as an integrated circuit with its embedded software. The embedded software is defined as the software embedded on the integrated circuit such as an operating system, general routines and interpreters (smartcard basic software) or a software dedicated to an application. 3. Evaluation of a composite smartcard product 3.1 Introduction 4 The evaluation of a composite smartcard product requires the evaluation of the integrated circuit and the evaluation of its embedded software. During the embedded software evaluation, additional evaluation activities called composition activities have to be done. The composition activities are required to verify that weaknesses are not introduced by the integration of the composite product. 5 All evaluation activities required to certify a composite smartcard product are stated in the following table : Assurance Requirements Integrated Circuit Evaluation Activities Composite Smartcard Evaluation Activities Embedded Software Dedicated Activities Composition Activities ASE: Security Target Evaluation of the composite product Security Target ACM: Configuration management [CEM] Integration of the embedded software in the IC manufacturer configuration management system ADO: Delivery and operation [CEM] Consistency check for delivery and prepersonalisation procedures ADV: Development [CEM] Compliance with the Page 4 / 9 Version 1.2 March 2002

ETR-lite for Composition Annex A Assurance Requirements AGD: Guidancedocuments ALC: Life cycle support Integrated Circuit Evaluation Activities Composite Smartcard Evaluation Activities Embedded Software Dedicated Activities [CEM] [CEM] Composition Activities IC user guidance ATE: Tests [CEM] Composite product functional testing AVA: Vulnerability assessment [CEM] Composite product vulnerability analysis 6 Therefore the evaluators of subsequent composite product evaluations will need to have access to detailed results of the integrated circuit evaluation in order to validate the effectiveness of the security requirements which are implemented by a combination of hardware and software [IC-HW-Meth]. These detailed results have to be included in the ETR-lite for composition document. 7 The evaluator in charge of the composition activities needs sufficient skills in integrated circuit and embedded software evaluation. He has to rely on the information/deliverables from the integrated circuit evaluation in order to re-use the results. Therefore if different parties perform the evaluation, the composite product evaluator is not liable for the integrated circuit evaluation. 3.2 Composition activities Evaluation of the composite product Security Target 8 A Security Target for the composite product has to be written and evaluated. The evaluator has to examine for any conflicting assumptions, conflicting non-it requirements, compatibility of objectives and requirements and functionality needed by the embedded software but not part of the integrated circuit evaluation. 9 If the match between the integrated circuit security target and the composite product security target has been done at the level of the protection profiles they claim, the check is no more required. 10 The sponsor of the composite product evaluation must ensure that the following the security target or its public version (see concept of ST-lite) of the integrated circuit. March 2002 Version 1.2 Page 5 / 9

ETR-lite for Composition Annex A Joint Interpretation Library Integration of the embedded software in the integrated circuit manufacturer configuration management system 11 The evaluator of the composite product shall verify that the evaluated configuration management system of the integrated circuit manufacturer is actually used for the embedded software. 12 The sponsor of the composite product evaluation must ensure that the following the element of evidence for the use of the evaluated configuration management system of the integrated circuit manufacturer for the software to be embedded (e.g. configuration list). Consistency check for delivery and prepersonalisation procedures 13 The composite product evaluator shall verify that delivery procedures of the embedded software are consistent with the acceptance procedures used by the integrated circuit manufacturer. 14 The composite product evaluator shall verify that prepersonalisation parameters defined by the embedded software developer are used by the integrated circuit manufacturer. 15 The sponsor of the composite product evaluation must ensure that the following the element of evidence for the embedded software reception and acceptance by the integrated circuit manufacturer, the element of evidence for the parameter acceptance and use. Compliance with the integrated circuit user guidance 16 The composite product evaluator shall verify that recommendations for software developer (integrated circuit user guidance) have been taken into account in the embedded software development. 17 The sponsor of the composite product evaluation must ensure that the following the integrated circuit user guidance. Product functional testing 18 The functional testing of the composite product shall be performed on samples. 19 The sponsor of the composite product evaluation must ensure that the following samples with the embedded software to be evaluated. Page 6 / 9 Version 1.2 March 2002

ETR-lite for Composition Annex A Composite product vulnerability analysis 20 The composite product evaluator shall perform a vulnerability analysis for the composite product using the results of the integrated circuit evaluation. This vulnerability analysis shall be confirmed by penetration testing. 21 During the composite product vulnerability analysis, the composite product evaluator has to investigate if the deactivation of an hardware security mechanism can be used to perform an attack on the composite product. If the analysis shows that an attack could be practicable, the composite product evaluator has to perform penetration tests on prepared samples. 22 Prepared samples are integrated circuits with the embedded software to be evaluated where an hardware security mechanism is deactivated by chip modification tools. These samples are used to perform the attack identified during the composite product vulnerability analysis. 23 The sponsor of the composite product evaluation must ensure that the following, as part of the ETR-lite for Composition document, are made available to the composite product evaluator : the list of the integrated circuit security mechanisms. For each mechanism, the generic type of the attack which have been performed during the integrated circuit evaluation and the effort needed to achieve the attack shall be provided (see [AP-SC] for the calculation of the effort). if required, information for deactivating the integrated circuit mechanisms or already prepared samples. 4. Use of a certified integrated circuit 4.1 Objective 24 The objective is to use efficiently the results of the evaluation of an integrated circuit for the evaluation of a composite smartcard product. 4.2 Case 1: Maintenance 25 The results of the evaluation of the integrated circuit can be integrally re-used if the integrated circuit is certified and covered by a maintenance programme. This maintenance programme has to be consistent with the CC approach with, in addition for smartcard, independent penetration testing as part of each maintenance step, where necessary. March 2002 Version 1.2 Page 7 / 9

ETR-lite for Composition Annex A Joint Interpretation Library IC Evaluation Maintenance ES Evaluation IC Certificate Composite Product Certificate 4.3 Case 2: No maintenance 26 If the certified integrated circuit is not covered by a maintenance programme, the results of the following evaluation tasks have to be reviewed by the certification bodies and where necessary updated : Strength of functions and vulnerability analysis to verify that : new vulnerabilities or new attacks have not been discovered, vulnerabilities found in the previous evaluation did not become exploitable now due to the increase of performance of tools available, integrated circuit development and production environment evaluation to verify that the configuration management system, the organisational security measures and the delivery procedures are still applied. Case 2a: Re-certification 27 By the re-certification process, the certification body certifies that the previous integrated circuit evaluation results remain valid or that results have been updated by the integrated circuit evaluator. 28 With an integrated circuit re-certification, the results of the integrated circuit evaluation can be integrally re-used for the composite product evaluation. Case 2b: Updating as part of the composite product evaluation 29 In case the integrated circuit is neither covered by a maintenance programme nor re-certified, the composite product evaluator has to verify that the previous integrated circuit evaluation results remain valid or, if necessary, he has to update the results. 30 The sponsor of the composite product evaluation must ensure that the following are made available to the composite product evaluator : ACM, ALC_DVS and ADO_DEL deliveries, Page 8 / 9 Version 1.2 March 2002

ETR-lite for Composition Annex A AVA_SOF and AVA_VLA deliveries. 31 If available by the integrated circuit manufacturer, the associated evaluation reports or a part of the reports can be provided to the composite product evaluator in order to limit the activities to be performed. 5 References 32 These references are correct in march 2002 but may be updated subsequently. [CC] [CEM] [IC-HW-Meth] [CC-IC [AP-SC] Common Criteria for Information Technology Security Evaluation, Version 2.1, August 1999. Common Methodology for Information Security Evaluation (CEM), Part 2, Version 1.0, August 1999. Joint Interpretation Library, Integrated Circuit Hardware Evaluation Methodology, Vulnerability Assessment, Version 1.3, April 2000. Joint Interpretation Library, The Application of CC to Integrated Circuits, version 1.0, January 2000. Joint Interpretation Library, Application of Attack Potential to Smartcards, version 1.0, March 2002. March 2002 Version 1.2 Page 9 / 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information