Common Criteria for Information Technology Security Evaluation PROTECTION PROFILE


PROTECTION PROFILE
Smartcard Personalisation Sites without Mailer Handling
Version 1.0
Issue July 2000
Registered at the French Certification Body under the number PPnc/0008

For any kind of request for comments, please at
This document is paginated from i to iv and from 1 to 60.

Table of contents

Chapter 1 Protection Profile introduction
  Identification of the Protection Profile
  General presentation
    PP overview
    Process model
  References
Chapter 2 TOE Description
  Introduction
  TOE definition
    Customer order reception and processing
    Customer tools reception and acceptance
    Customer data reception and acceptance
    Technical personalisation process
    Delivery of supplies
  Scope of the PP
  Environment of the TOE
  Use of the TOE
Chapter 3 TOE Security Environment
  Introduction
  Assets
    Assets managed by the TOE
    Assets included in the TOE
  Personnel
  Assumptions
  Threats
    Threats concerning assets managed by the TOE
    Threats concerning assets included in the TOE
  Organisational security policies
    Security organisation
    Personnel management
    Classification
    Storage
    Access control
Chapter 4 Security objectives
  Security objectives for the TOE
  4.2 Security objectives for the environment
Chapter 5 Security functional requirements
  TOE security functional requirements
    List of the selected functional requirements
    Functional requirements applicable to the customer order
    Functional requirements applicable to the customer data
    Functional requirements applicable to the personalisation data
    Functional requirements applicable to the traceability information
    Functional requirements applicable to the manufacturer programmes
    Functional requirements applicable to the data reporting
  Non IT security requirements for the TOE
Chapter 6 TOE security assurance requirements
Chapter 7 Application notes
  Cryptographic functional requirements
  FDP_ITT.1_CO requirement
  FDP_ITT.1_CD requirement
Chapter 8 Rationale
  Introduction
  Security objectives rationale
    Assumptions
    Threats
    Organisational security policies
  Security requirements rationale
    Security functional requirements rationale
    Security functional requirements dependencies
    Strength of function level rationale
    Evaluation assurance level rationale
    Security assurance requirements dependencies
    Security requirements are mutually supportive and internally consistent
Annex A Glossary

List of figures

Fig. 1.1 Smartcard product life-cycle
Fig. 1.2 Description of the personalisation process

List of tables

Tab. 5.1 Actions to be considered for the management functions in FMT management class
Tab. 5.2 Actions to be considered for the management functions in FMT management class
Tab. 5.3 Actions to be considered for the management functions in FMT management class
Tab. 5.4 Actions to be considered for the management functions in FMT management class
Tab. 5.5 Actions to be considered for the management functions in FMT management class
Tab. 5.6 Actions to be considered for the management functions in FMT management class
Tab. 8.1 Mapping between assumptions, threats, OSPs and security objectives
Tab. 8.2 Mapping assumptions and security objectives
Tab. 8.3 Threats and Security objectives
Tab. 8.4 Organisational security policies and security objectives
Tab. 8.5 Mapping of security requirements and TOE security objectives
Tab. 8.6 Functional dependencies analysis
Tab. 8.7 Assurance dependencies analysis

Chapter 1 Protection Profile introduction

1.1 Identification of the Protection Profile

Title: Protection Profile for Smartcard Personalisation Sites without Mailer Handling, Version 1.0, July 2000
Registration: PPnc/

A glossary of terms used in the Protection Profile [PP] is given in annex A.

2 A personalisation site conforming to this PP may also offer additional security services, depending on the application involved.

3 This document has been drawn up pursuant to version 2.1 of the Common Criteria for Information Technology Security Evaluation.

4 This document is complementary to the Smartcard Integrated Circuit Protection Profile, registered in France under reference PP/9806, and to the Smartcard Embedding Sites Protection Profile, registered in France under reference PPnc/0007. The PP/9806 document was used with the aim of achieving overall coherence, particularly in the description of the activities linked to the life cycle of the smartcard, the associated security services and the vocabulary used.

1.2 General presentation

PP overview

5 This Protection Profile was drawn up under the French IT Security Evaluation and Certification Scheme. Work was performed under the supervision of a working group containing representatives of the following smartcard issuers:
- GIE Cartes Bancaires,
- GIE Sesam Vitale,
- GIP Carte de Professionnel de Santé,
- Société Européenne du Porte-Monnaie Electronique,

6 and AFPC [Association des Fabricants et des Personnalisateurs de Carte].

7 This PP is intended to specify the functional and assurance requirements applicable to smartcard personalisation sites without mailer handling.

8 The smartcards produced by such personalisation sites are used in applications that do not require the user to own a personal number (e.g. a PIN code) which he or she may be asked to provide in order to access specific operations allowed by the smartcard.

9 For the purposes of this PP, the Target of Evaluation [TOE] is defined as all smartcard personalisation processes, notably:
1) the customer order reception and processing,
2) the customer tools reception and acceptance,
3) the customer data reception and acceptance,
4) the technical personalisation process,
5) the delivery of supplies.

10 In this Protection Profile, a smartcard is defined as a plastic card indissociably integrating an identifiable electronic circuit, containing a non-volatile memory and a processing unit, in compliance with the specifications of ISO standards , -2, -4 and also possibly in compliance with the specifications of ISO standards , and communicating via an interface with contacts.

Process model

11 The smartcard product life-cycle is described in figure 1.1 and can be broken down into 7 phases:
1) the smartcard software development phase: basic software and operating system development, integration and validation;
2) the IC design phase: IC development, firmware development, reticule development, initialisation and test programme development, integration and validation, initialisation of identification information and delivery keys;
3) the IC manufacturing phase: IC manufacturing, testing, preparation and transfer to the embedding site;
4, 5) the card printing and the embedding process: IC, card and customer tools (used in the context of pre-personalisation of smartcards) reception and acceptance, module manufacturing and smartcard product finishing; the embedding phase is addressed by PPnc/0007;
6) the personalisation phase, during which individual information regarding the holder and the future use of the smartcard is recorded in a secure way in the IC memory and on the card body; the personalisation phase includes the following:
- customer order reception and processing;
- customer tools reception and acceptance;
- customer data reception and acceptance;
- smartcard reception and acceptance;
- customer data processing;
- smartcard personalisation;
- printing of documents;
- packaging of the smartcard with the associated paper documents;
- data reporting;
- delivery of supplies;
In the context of this PP, personalisation is defined as the initial personalisation of a smartcard; it is the last step before end-usage of the smartcard and finishes with the delivery of the smartcard to the future holder;
7) the end-use phase: smartcard delivery to the end-user, use phase and end of life process.

12 In addition to these 7 phases, a key management activity should be mentioned, which is carried out in parallel with all phases. It includes in particular the management of all secrets imported in the 7 phases of this life-cycle and used to protect the smartcard throughout the process.

13 It should be noted that the embedding process includes a pre-personalisation step which is different from, and independent of, the personalisation phase and should not be confused with it.

14 It should also be noted that the different development and manufacturing phases of a smartcard are listed above in their theoretical order. The real sequence of phases depends on the industrial process within a given site. This has no influence on the use of this PP.

[Fig. 1.1 Smartcard product life-cycle: figure showing the development phase (phase 1), the production phase (phases 2 to 5), the personalisation phase (phase 6) and the user phase (phase 7), with key management running in parallel with all phases. Legend: optional components, limits of the TOE, trusted delivery and verification procedures.]

15 This PP covers the phase corresponding to the personalisation process, which includes the following steps:
- customer order reception and processing;
- customer tools reception and acceptance;
- customer data reception and acceptance;
- smartcard reception and acceptance;
- customer data processing;
- smartcard personalisation;
- printing of documents;
- packaging of the smartcard with the associated paper documents;
- data reporting;
- delivery of supplies.

16 The personalisation process is described in figure 1.2. The scope of the PP is limited to the operational part of the personalisation process: the development of personalisation tools and industrialisation are out of the scope of this PP. As these two processes are also important to maintain the security of the smartcard, specific PPs may be developed to cover these aspects.

[Fig. 1.2 Description of the personalisation process: figure showing customer order reception and processing, customer tools reception and acceptance, customer data reception and acceptance, smartcard reception and acceptance, customer data processing, smartcard personalisation, printing of documents, packaging and delivery of supplies.]

17 The assets to be protected include the assets managed by the TOE (e.g. smartcards and customer data). The assets included in the TOE (e.g. traceability information) are also to be protected.

18 The security objectives of the personalisation sites are designed to protect their customers, employees and service providers against the main risks to the security of persons, products, materials and information, in particular:
- attacks on people, be they accidental or with criminal intent;
- theft of smartcards;
- unauthorised use of the TOE.

19 The envisaged environment is a site, or several sites, having a high level of physical security.

20 Current smartcard applications involve applications and users requiring a high level of security.

21 The main objectives of this PP are:
- to describe the TOE, and to define it in the context of the smartcard life cycle,
- to describe the TOE security environment, including the assets to be protected and the threats to be countered by the TOE or its operational environment, the assumptions that are made and the organisational security policies that are used,
- to describe the security objectives for the TOE and its supporting environment in terms of programme and data integrity and confidentiality, TOE protection and associated documentation,
- to specify the security requirements, which include the TOE security functional requirements and the TOE security assurance requirements,
- to give a rationale for this PP.

22 The level of assurance for this PP is specific. It is defined in Chapter 6, TOE security assurance requirements.

1.3 References

23 This PP has been built on the following references:
- [CC-1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, CCIMB , version 2.1, August 1999,
- [CC-2] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements, CCIMB , version 2.1, August 1999,
- [CC-3] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements, CCIMB , version 2.1, August 1999,
- [PP/9806] Smartcard Integrated Circuit Protection Profile, Version 2.0, Issue September 1998, registered PP/9806,
- [PPnc/0007] Smartcard Embedding Sites, Version 1.0, Issue June 2000, registered PPnc/0007.


Chapter 2 TOE Description

2.1 Introduction

24 This part of the PP describes the TOE and its environment and constitutes an aid in approaching the associated security requirements. It describes the functions of the security target, its operating mode and its general characteristics.

2.2 TOE definition

25 The complete smartcard production model is presented in Chapter 1 (Process model). Within this cycle, the smartcard personalisation includes the following steps:
1) the customer order reception and processing;
2) the customer tools reception and acceptance;
3) the customer data reception and acceptance;
4) the technical personalisation process, which includes the following:
- smartcard reception and acceptance;
- customer data processing;
- smartcard personalisation;
- printing of documents;
- packaging of the smartcard with the associated paper documents;
- data reporting;
5) the delivery of supplies.

27 These processes correspond to phase 6 of the process model presented in Chapter 1. All the steps corresponding to the smartcard personalisation constitute the TOE covered in the current PP.

29 It is also important to note that each of the steps covered by the current PP is autonomous. Each can be performed in different sites or by different manufacturers, and materials, data and programmes can be stored in the meantime and delivered.

30 In addition, the steps included in this PP depend on the manufactured product.

Customer order reception and processing

31 Customer order reception and processing involves the following services:
- identification and authentication of the customer order;
- identification of the product being ordered;
- determination of quantities and deadlines;
- definition of customer conditions (e.g. delivery requirements).

32 In most cases, the reception of the customer order does not immediately launch production. It is the transfer of the customer data by the customer to the manufacturer that is generally considered as constituting a valid order, and that actually launches the production of smartcards.

33 A separate order (e.g. a facsimile or a voucher) may in some cases be sent in addition to the customer data. This separate order has the same level of sensitivity as the customer order itself. In the following, the customer order includes this separate order.

Customer tools reception and acceptance

34 Customer tools (e.g. lot cards, applets, programme devices) are delivered to the manufacturer according to the specifications of the customers. Reception of customer tools by the manufacturer implies acceptance of its responsibility regarding the protection of these tools.

Customer data reception and acceptance

35 Customer data reception and acceptance involves the following services:
- reception of the customer data, consisting of a file (or a few files) generally transferred through a telecommunication network;
- acceptance of the customer data, including the recognition of customer data and initial checks (integrity, ).

36 Acceptance of customer data by the site implies the actual transfer of responsibilities regarding the order or the corresponding assets.

Technical personalisation process

Smartcard reception and acceptance

37 The cards come from the embedding process, during which they may have been pre-personalised.

38 Smartcard acceptance corresponds to the transfer of responsibility, and the acceptance by the manufacturer of its responsibility, for all events occurring at a later stage which may have any effect whatsoever on smartcard security. This step may lead to the refusal of cards and their return to suppliers.

Customer data processing

39 Processing of customer data includes the translation of the data received from the customer into data that can be used directly by the various pieces of software carrying out the different stages of the technical personalisation process.

40 It also includes their destruction, according to the requirements of the customer.

Smartcard personalisation

41 The smartcard personalisation process includes electrical and mechanical tests or visual checks on the cards. These tests or checks may require the manufacturer to take samples of cards.

42 This stage includes:
- electrical and, optionally, magnetic personalisation of the smartcard, which consists in the writing of end-user, applicative and security data:
  - in the chip (electrical personalisation);
  - and optionally, on the magnetic strip (magnetic personalisation);
- visual personalisation, which implies the transfer of the data relative to the end-user, and optionally of applicative data, onto the body of the smartcard; this transfer can be achieved through any combination of embossing and printing.

43 This stage may also include the generation of personalisation data files, upon request from the customer.

Printing of documents

44 This step consists in the printing of paper documents to be transmitted to the end-user, such as the insert for smartcard expedition, and optionally of information used for the final control of finished products.

Packaging

45 This step consists in matching the smartcard with the associated paper documents and putting the personalised smartcard and the associated documents together in envelopes.

46 The matching operation is considered as a quality aspect of the personalisation process. During the packaging phase, only the traceability of smartcards is considered in the context of this PP.

Data reporting

47 Data reporting corresponds to the collection, processing, storage and transmission within the TOE of data to provide evidence of correct execution of the order, and to constitute trails for future audits and investigations.

Delivery of supplies

48 The delivery of supplies includes the following services:
- the forwarding of products, according to procedures specified by the customer;
- the production of the execution report;
- where applicable, prior information to the customer concerning the processing of the order;
- where applicable, the forwarding of personalisation data files, according to procedures specified by the customer;
- processing of the delivery order and information regarding delivery,
- a final counting of personalised smartcards that may optionally be performed at this stage.

49 If non-delivered supplies are sent back to the personalisation site, then the manufacturer shall process these supplies according to the customer requirements.

2.3 Scope of the PP

50 The scope of the PP is limited to the following services offered by smartcard personalisation processes:
a) the authentication and the processing of the customer order;
b) the reception and acceptance of smartcards, customer tools and customer data;
c) the traceability of smartcards and customer tools, and the integrity and/or confidentiality of the assets to be protected;
d) the integrity of supplies to be delivered.

51 The traceability of smartcards consists in defining, for each step of the personalisation process and for each type of smartcard (e.g. good smartcards or rejects), the quantity of smartcards, their status and their location.

52 The traceability of customer tools consists in defining, for each step of the personalisation process, the quantity of customer tools, their status and their location.
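The traceability information just defined (quantity, status and location of the cards at each step) is what a site would reconcile to notice a missing card, and what an insider would have to edit to hide one. The following Python is an added example written for this page; it is not part of the Protection Profile nor the tooling of any personalisation site. It keeps one traceability record per step in a hash-chained ledger and runs two checks: a count reconciliation against the quantity accepted at reception, and a chain verification that flags a record whose content or back-link was altered after the fact. Step names, statuses, locations and all quantities are constructed for the example.

```python
"""Traceability ledger checks for one batch of smartcards (added example)."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # back-link of the first record of a ledger


@dataclass
class TraceRecord:
    step: str                    # personalisation step, e.g. "packaging" (constructed names)
    location: str                # where the cards are held at that step
    quantities: dict[str, int]   # status -> number of cards, e.g. {"good": 97, "reject": 2}
    prev_hash: str               # digest of the previous record
    digest: str = field(default="", init=False)

    def __post_init__(self) -> None:
        self.digest = self.compute_digest()

    def compute_digest(self) -> str:
        """SHA-256 over the record content and its back-link (canonical JSON)."""
        payload = json.dumps(
            {"step": self.step, "location": self.location,
             "quantities": self.quantities, "prev": self.prev_hash},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class TraceLedger:
    """Append-only sequence of TraceRecords for one batch."""

    def __init__(self) -> None:
        self.records: list[TraceRecord] = []

    def append(self, step: str, location: str, quantities: dict[str, int]) -> TraceRecord:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = TraceRecord(step, location, dict(quantities), prev)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Digest of the last record; a copy kept in the data reporting anchors the chain."""
        return self.records[-1].digest if self.records else GENESIS

    def verify_chain(self) -> list[int]:
        """Indexes of records whose stored digest or back-link no longer matches."""
        bad, prev = [], GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev or rec.compute_digest() != rec.digest:
                bad.append(i)
            prev = rec.digest
        return bad

    def reconcile(self) -> list[tuple[str, int]]:
        """(step, shortfall) for every step whose counted cards differ from the
        quantity accepted at reception; a negative shortfall is a surplus."""
        accepted = self.records[0].quantities["accepted"]
        return [(rec.step, accepted - sum(rec.quantities.values()))
                for rec in self.records[1:]
                if sum(rec.quantities.values()) != accepted]


def build_sample_ledger() -> TraceLedger:
    """Constructed batch: 103 cards delivered, 3 refused at reception,
    one card unaccounted for from the packaging step onwards."""
    ledger = TraceLedger()
    ledger.append("reception", "goods-in", {"accepted": 100, "refused": 3})
    ledger.append("electrical_perso", "line-1", {"good": 98, "reject": 2})
    ledger.append("visual_perso", "line-1", {"good": 97, "reject": 2, "sample": 1})
    ledger.append("packaging", "packing-room", {"good": 96, "reject": 2, "sample": 1})
    ledger.append("delivery", "dispatch-safe", {"good": 96, "reject": 2, "sample": 1})
    return ledger


def compensated_loss(ledger: TraceLedger) -> TraceLedger:
    """Model an edit that hides the shortfall at packaging and recomputes that
    record's digest; only the chain check (next record's back-link) catches it."""
    rec = ledger.records[3]
    rec.quantities["good"] = 97
    rec.digest = rec.compute_digest()
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("shortfalls:", ledger.reconcile())            # [('packaging', 1), ('delivery', 1)]
    print("chain intact:", ledger.verify_chain() == [])  # True
    compensated_loss(ledger)
    print("shortfalls after edit:", ledger.reconcile())  # [('delivery', 1)]
    print("broken records:", ledger.verify_chain())      # [4]
```

The reconciliation catches a loss at the first step where the count drops; the chain catches a later correction of that count, because the following record still carries the digest of the original content. Rewriting the whole tail of the ledger would defeat the chain alone, which is why the head digest belongs in the data reporting that leaves the line.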

2.4 Environment of the TOE

53 As the TOE is a process, its environment of use is defined and will have to be described in the related ST.

54 The organisational security policies that are to be satisfied by the environment will be verified through a site inspection in the context of the TOE evaluation, to check whether they are actually applied.

55 The site inspection will constitute an important part of the evaluation.

56 The environment of the TOE always includes:
- the physical security of the site and of the premises in which the personalisation process is performed; this involves:
  - the systems for protection against natural events;
  - the physical access control systems;
  - the surveillance systems,
  - the safes, strong-rooms,
  - the electrical systems supplying the security equipment,
- the personnel management procedures, including accreditation and checks, temporary staff, subcontractors and permanent subcontractors, and training;
- the physical management of products and materials;
- arrival and exit of cards, and particularly reception and forwarding procedures;
- means of transport, where they are under the responsibility of the site(s).

2.5 Use of the TOE

57 The TOE is used to manufacture smartcards. The smartcards produced by the use of the TOE involve applications and users requiring a high level of security.

58 The applications of the smartcard are diverse; the following is a non-exhaustive list:
- payment through debit, credit or electronic purse applications,
- physical access control,
- logical access control to IT systems including equipment, applications, data bases, and the protection of transmitted information,
- network based transaction processing such as mobile phones or communication highways,
- remote transactions on electronic commerce, pay TV,
- transport and ticketing market,
- administrative documents (identity card, social insurance card, medical record),
- intellectual and industrial proprietary rights protection,
- storage and transfer of secrets.

Chapter 3 TOE Security Environment

3.1 Introduction

59 This section describes the aspects of the security environment in which the TOE is intended to be used and addresses the description of the assets to be protected, the personnel, the assumptions, the threats and the organisational security policies.

3.2 Assets

Assets managed by the TOE

60 Based on the scope of the PP, the assets managed by the TOE are the following:
- A.CUSTOMER_ORDER: the customer order;
- A.CUSTOMER_DATA: the customer data provided by smartcard issuers regarding the end-user or related to the configuration of the smartcard; these data may be stored on the chip or printed on documents;
- A.CUSTOMER_TOOLS: the customer tools (e.g. lot cards, mother cards, applets, programme devices, hardware security modules) delivered by the customer to the manufacturer and used within the personalisation process;
- A.CARDS: the smartcards, whatever their status (good products or rejects);
- A.PERSO_DATA: the personalisation data, which is split into two types of data:
  - A.PERSO_DATA_CONF: confidential personalisation data, e.g. manufacturing keys, end-user information (e.g. end-user keys);
  - A.PERSO_DATA_NONCONF: non-confidential personalisation data, e.g. lot numbers;
Personalisation data is intended to be stored in smartcards; however, some may be provided by the card, or may also be stored by the manufacturer in separate files in case the customer requests access to it.

61 These assets are considered as user data for the TOE.

62 The TOE shall guarantee the integrity of the customer order during its processing. Moreover, the TOE shall ensure that the customer order has been transmitted by an authorised customer.

63 The TOE shall guarantee the integrity of the customer data.

64 At all steps of the personalisation process, including the reception phase, the TOE shall guarantee the traceability of smartcards and customer tools. These materials will be in different forms, depending on the step of the personalisation process.

65 The manufacturer shall be able to achieve a precise count of the number of smartcards.

66 The TOE shall guarantee the integrity of the personalisation data. The TOE shall also guarantee the confidentiality of the personalisation data for which confidentiality is required. The way these data are protected by the card operating system is out of the scope of this PP.

Assets included in the TOE

67 Based on the scope of the PP, the assets belonging to the TOE are the following:
- A.TRACE: the traceability information;
- A.MANUF_PROG: the manufacturer programmes, consisting of generation and personalisation programmes;
- A.GENE_REPORT: the data reporting, which consists of traceability information regarding the management of batches of smartcards or single smartcards.

68 These assets are considered as TSF data for the TOE.

69 The TOE shall guarantee the integrity of the traceability information. The traceability information contains, for each step of the personalisation process and for smartcards and customer tools, their quantity, their status and their location.

70 The TOE shall guarantee the integrity and the confidentiality of the manufacturer programmes. The development and industrialisation of manufacturer programmes are out of the scope of this PP, and may be the subject of other protection profiles.

71 The TOE shall guarantee the integrity of data reporting.

3.3 Personnel

72 The different personnel are:
- internal personnel, permanently employed in the production process and the reception of the customer's information,
- internal personnel, occasionally employed in the production process, for example:
  - internal auditors,
  - maintenance staff,
  - development engineers and technicians,
  - trainees,
  - temporary staff,
- external persons, for example:
  - permanent subcontractors (involved in maintenance, security, transport, ),
  - suppliers,
  - external auditors,
  - maintenance staff,
  - visitors,
  - customers.

3.4 Assumptions

73 The following general assumptions are made concerning the TOE:

H.NAT The TOE is run in a physical environment protected against natural events, such as fire (detection, extinction), explosions, floods, lightning, pollution by gas or chemical products, and dust.

H.ELE The TOE is run in a physical environment including emergency installations for supplying electricity to security equipment.

H.M_PROG Outside the frame of their use by the TOE, the manufacturer programmes are protected with an appropriate level of security.

3.5 Threats

Threats concerning assets managed by the TOE

Threat concerning the customer order

74 The threats concern the falsification of a customer order and the modification of the customer order between its reception and its processing.

T.CUSTOM_FALSE Falsification of a customer order. A false customer order may be received by the manufacturer. This leads to the issuing of smartcards that will be delivered to a fraudulent customer.

T.CUSTOM_MOD Modification of the customer order between its reception and its processing. The manufactured supplies will not meet the requirements of the customer, or they will be delivered to an unauthorised customer.

Technical personalisation process

75 The following threats apply to the technical personalisation process:

T.CARD_LOSS Loss of smartcards. The loss of smartcards may be due to different factors, for example theft of smartcards by a malicious agent (employees or external people).

T.C_TOOLS_LOSS Loss of customer tools. The loss of customer tools may be due to different factors, for example theft of customer tools by a malicious agent (employees or external people).

T.C_TOOLS_MISAPP Misappropriation of customer tools. A malicious agent may use customer tools for personalisation outside the scope of the intended manufacturing process.

T.C_DATA_MOD Modification of customer data. Customer data may be modified between its reception and its processing. It may also be modified during the personalisation operation itself. This threat results from the operation of a malicious agent or from misuse of the TOE.

T.C_DATA_REPLAY Unauthorised replay of customer data. The threat consists in the storage of a single customer data record in two or more different smartcards, while it should only be stored in one. This threat results from the operation of a malicious agent or from misuse of the TOE.

T.P_DATA_DIS Disclosure of personalisation data that requires confidentiality. This threat results from the operation of a malicious agent or from misuse of the TOE.

T.P_DATA_MOD Modification of personalisation data. This threat results from the operation of a malicious agent or from misuse of the TOE.

Threats concerning assets included in the TOE

76 The threats concern the modification of traceability data, the modification or disclosure of manufacturer programmes, and the modification of data reporting.

T.TRACE_MOD Modification of traceability information. This threat may be performed by a malicious agent (employee or external) or result from misuse of the TOE. The intent may be to compensate for the loss of smartcards and customer tools so that the loss is not detected.

T.M_PROG_DIS Disclosure of manufacturer programmes. This threat may be performed by a malicious agent (employee or external) or result from misuse of the TOE. Through this, the attacker may facilitate the replay of personalisation data, load fraudulent information in smartcards, or read sensitive information stored in smartcards.

T.M_PROG_MOD Modification of manufacturer programmes. This threat may be performed by a malicious agent (employee or external) or result from misuse of the TOE. Through this, the attacker may facilitate the replay of personalisation data, load fraudulent information in smartcards, or read sensitive information stored in smartcards.

T.REPORT_MOD Modification of data reporting. This threat may be performed by a malicious agent (employee or external) or result from misuse of the TOE. Through this, future investigations may not lead to accurate results.

3.6 Organisational security policies

Security organisation

77 The following organisational security policies are mandatory for the TOE:

P.ORG A security policy exists and defines the security objectives, the rules and procedures relating to the security of the TOE and the assets included in or managed by the TOE. The security manager shall be independent from the operational board and shall report directly to the management board. This policy shall also describe the specific measures to be followed where exceptional events occur; in this case, the safeguarding of human life is given priority.

P.ORG_SEC_MANAG A site security manager, responsible for the issues relating to the security of the TOE, is appointed.

P.AUDIT The application of the security policy shall be checked at least once a year. Each audit gives rise to a record.

Personnel management

78 The following organisational security policies are mandatory for the TOE:

P.PERSO_SENSIB The personnel who run the TOE are trained and kept informed about the security policy of the site. In particular, personnel shall not disclose sensitive information they may have access to outside the context of professional purposes.

P.PERSO_SELECT The personnel who run the TOE are selected based on hiring procedures appropriate to the sensitivity of the assets they will handle.

Classification

79 The following organisational security policy is mandatory for the TOE:

P.CLASSIF Assets are classified in accordance with the level of risk involved. Depending on the manufacturing phase, the sensitivity of assets has to be defined.

Storage

80 The following organisational security policy is mandatory for the TOE:

P.STORAGE The manufacturer shall store all the data relating to the operation of, or access to, the TOE and its environment for a duration to be defined by its customer. This includes the following as a minimum:
- the trace of access to the TOE,
- traceability information,
- audit data generated by the TOE.

Access control

81 The following organisational security policies are mandatory for the TOE:

P.ACCESS An access control policy is defined for the TOE and for its environment of use.

P.ACCESS_REGIS Access to the TOE and its environment results in the registration of a reliable trace.

P.ACCESS_ENVIR The TOE is run in an environment with physical access control and a surveillance system that help to implement the access control policy. These controls help in preventing the theft of smartcards or customer tools.

Assets management

82 The following organisational security policies are mandatory for the TOE:

P.SUPPLIES A policy for the flow of smartcards is defined for the TOE. This policy includes the reception, storage, forwarding, delivery and destruction of these supplies. At their reception, the authenticity and the quantity of smartcards shall be verified. This policy shall anticipate the processing of non-delivered supplies.

P.C_TOOLS A policy for the flow of customer tools is defined for the TOE. This policy includes the reception, storage, usage and possibly the destruction of these tools. At their reception, the authenticity and the quantity of customer tools shall be verified.

P.DESTROY The manufacturer shall destroy printed documents that are not used.

P.CUSTOM The procedure employed upon reception of a customer order includes the customer authentication.

Chapter 4 Security objectives

83 Smartcard personalisation sites handle assets whose security must be protected. In addition, the possibility of attacks against these assets also puts the staff handling them at risk.

84 The objectives of the personalisation sites are to provide security for staff, smartcards, customer order, customer data, customer tools, personalisation data, traceability information and manufacturer programmes.

4.1 Security objectives for the TOE

85 The TOE must achieve the following security objectives:

O.LAUNCH The TOE must ensure that the launch of production corresponds to the customer order and to the customer data.

O.TRACE The TOE must ensure the traceability of smartcards and customer tools.

O.INT_TRACE The TOE must ensure the integrity of the traceability information.

O.INT_C_DATA The TOE must ensure the integrity of the customer data.

O.NO_REPLAY The TOE must ensure that a customer data item is used more than once only if this operation is explicitly authorised by the manufacturer.

O.INT_P_DATA The TOE must ensure the integrity of the personalisation data.

O.CONF_P_DATA The TOE must ensure the confidentiality of the personalisation data that requires confidentiality.

O.INT_M_PROG The TOE must ensure the integrity of the manufacturer programmes.

O.CONF_M_PROG The TOE must ensure the confidentiality of the manufacturer programmes.

O.INT_REPORT The TOE must ensure the integrity of the data reporting.

O.AUTH The TOE must authenticate the customer order, customer data, smartcards and customer tools.

O.INT_TOE The TOE must be protected against unauthorised modification.

O.ACCESS Only authorised people have access to the TOE.

O.ACCESS_REGIS The TOE must ensure the registration of a reliable trace of its use.

O.FLOW_CARD A policy for the flow of smartcards is defined for the TOE.

O.FLOW_C_TOOLS A policy for the flow of customer tools is defined for the TOE.

O.FLOW_CUSTOM A policy for the flow of customer orders is defined for the TOE.

O.FLOW_C_DATA A policy for the flow of customer data is defined for the TOE.

4.2 Security objectives for the environment

OE.POL The environment of the TOE must satisfy the organisational security policies defined in Chapter 3 that are expected to be implemented by the TOE environment.

OE.NAT The TOE is run in a physical environment protected against natural events.

OE.ELE The TOE is run in a physical environment including emergency installations for supplying electricity to security equipment.

OE.M_PROG Outside the frame of their use by the TOE (during their development and industrialisation), the manufacturer programmes are protected with an appropriate level of security.

Chapter 5 Security functional requirements

5.1 TOE security functional requirements

86 The TOE security functional requirements define the functional requirements for the TOE using only functional requirement components drawn from the Common Criteria Part 2.

87 Moreover, some selection and assignment operations have been performed in the context of this PP in order to make the functional requirements consistent with the security objectives they have to cover (see the rationale for clarification). The items inside an operation that do not need to be selected are struck through, and the ones that are selected are bold.

88 The minimum strength of function level for the TOE security requirements is SOF-low.

List of the selected functional requirements

89 The following table provides an overview of the functional requirements that are expected to be satisfied by the TSF.

90 The functional components have been iterated according to the different types of assets to be protected. This operation has been performed to help the manufacturer when it defines its security target. Indeed, depending on the type of assets, different IT systems may be implemented.

91 The suffixes _CO, _CD, _P, _TR, _MP and _DR are added at the end of the name of a functional requirement when it applies respectively to the customer order, the customer data, the personalisation data, the traceability information, the manufacturer programmes and the data reporting.

Asset: Customer order
  FAU_ARP.1_CO  Security alarms
  FAU_GEN.1_CO  Audit data generation
  FAU_SAA.1_CO  Potential violation analysis
  FDP_IFC.1_CO  Subset information flow control
  FDP_IFF.1_CO  Simple security attributes

Asset: Customer order (continued)
  FIA_UAU.1_CO  Timing of authentication
  FIA_UID.1_CO  Timing of identification
  FMT_SMR.1_CO  Security roles
  FPT_STM.1_CO  Reliable time stamps

Asset: Customer data
  FAU_ARP.1_CD  Security alarms
  FAU_GEN.1_CD  Audit data generation
  FAU_SAA.1_CD  Potential violation analysis
  FDP_IFC.1_CD  Subset information flow control
  FDP_IFF.1_CD  Simple security attributes
  FIA_UAU.1_CD  Timing of authentication
  FIA_UID.1_CD  Timing of identification
  FMT_SMR.1_CD  Security roles
  FPT_STM.1_CD  Reliable time stamps

Asset: Personalisation data
  FAU_ARP.1_P   Security alarms
  FAU_GEN.1_P   Audit data generation
  FAU_SAA.1_P   Potential violation analysis
  FIA_UAU.1_P   Timing of authentication
  FIA_UID.1_P   Timing of identification
  FMT_SMR.1_P   Security roles
  FPT_STM.1_P   Reliable time stamps

Asset: Traceability information
  FAU_ARP.1_TR  Security alarms
  FAU_GEN.1_TR  Audit data generation
  FAU_SAA.1_TR  Potential violation analysis
  FIA_UAU.1_TR  Timing of authentication

Asset: Traceability information (continued)
  FIA_UID.1_TR  Timing of identification
  FMT_MTD.1_TR  Management of TSF data
  FMT_SMR.1_TR  Security roles
  FPT_STM.1_TR  Reliable time stamps

Asset: Manufacturer programmes
  FAU_ARP.1_MP  Security alarms
  FAU_GEN.1_MP  Audit data generation
  FAU_SAA.1_MP  Potential violation analysis
  FIA_UAU.1_MP  Timing of authentication
  FIA_UID.1_MP  Timing of identification
  FMT_MTD.1_MP  Management of TSF data
  FMT_SMR.1_MP  Security roles
  FPT_ITT.1_MP  Basic internal TSF data transfer protection
  FPT_RPL.1_MP  Replay detection
  FPT_STM.1_MP  Reliable time stamps

Asset: Data reporting
  FAU_ARP.1_DR  Security alarms
  FAU_GEN.1_DR  Audit data generation
  FAU_SAA.1_DR  Potential violation analysis
  FIA_UAU.1_DR  Timing of authentication
  FIA_UID.1_DR  Timing of identification
  FMT_MTD.1_DR  Management of TSF data
  FMT_SMR.1_DR  Security roles
  FPT_ITI.1_DR  Inter-TSF detection of modification

Asset: Data reporting (continued)
  FPT_ITT.1_DR  Basic internal TSF data transfer protection
  FPT_STM.1_DR  Reliable time stamps

Functional requirements applicable to the customer order

FAU_ARP.1_CO Security alarms

FAU_ARP.1.1 The TSF shall take [assignment: list of the least disruptive actions] upon detection of a potential security violation.

FAU_GEN.1_CO Audit data generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: minimum, basic, detailed, not specified] level of audit; and
c) [assignment: other specifically defined auditable events].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: other audit relevant information].

FAU_SAA.1_CO Potential violation analysis

FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP.

FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [assignment: subset of defined auditable events] known to indicate a potential security violation;
b) [assignment: any other rules].

FDP_IFC.1_CO Subset information flow control

FDP_IFC.1.1 The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP].

FDP_IFF.1_CO Simple security attributes

FDP_IFF.1.1 The TSF shall enforce the [assignment: information flow control SFP] based on the following types of subject and information security attributes: [assignment: the minimum number and type of security attributes].

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: for each operation, the security attribute-based relationship that must hold between subject and information security attributes].

FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow control SFP rules].

FDP_IFF.1.4 The TSF shall provide the following [assignment: list of additional SFP capabilities].

FDP_IFF.1.5 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly authorise information flows].

FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly deny information flows].

FIA_UAU.1_CO Timing of authentication

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is authenticated.

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UID.1_CO Timing of identification

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is identified.

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FMT_SMR.1_CO Security roles

FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorised identified roles].
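The three audit requirements above (FAU_GEN.1 audit data generation, FAU_SAA.1 potential violation analysis, FAU_ARP.1 security alarms) together with the replay threat T.C_DATA_REPLAY and objective O.NO_REPLAY from Chapters 3 and 4, worked as an added Python example. This is not part of the Protection Profile nor any personalisation site's code: the event names, the failure threshold and window, the "hold batch" and "lock operator account" actions, and the set of customer data explicitly authorised for reuse are all assumed placeholders for the assignments the PP leaves open to the security target, and the event trail is constructed.

```python
"""Audit record generation (FAU_GEN.1), rule-based violation analysis
(FAU_SAA.1) and the resulting alarms (FAU_ARP.1) over constructed
personalisation-site events.  Hypothetical illustration, not PP text."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class AuditRecord:
    # FAU_GEN.1.2 a): date/time, type of event, subject identity, outcome.
    time: datetime
    event: str
    subject: str
    outcome: str                      # "success" or "failure"
    # FAU_GEN.1.2 b): other audit-relevant information (assumed fields).
    card_id: Optional[str] = None
    customer_data_id: Optional[str] = None


@dataclass
class Alarm:
    # FAU_ARP.1.1: the "least disruptive action" is an assumed placeholder.
    rule: str
    subject: str
    action: str
    detail: str


class AuditTrail:
    """FAU_GEN.1.1: holds start-up/shutdown and the defined auditable events."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def record(self, rec: AuditRecord) -> None:
        self.records.append(rec)


class ViolationAnalyser:
    """FAU_SAA.1: applies monitoring rules to audited events."""

    def __init__(self, max_auth_failures: int = 3,
                 window: timedelta = timedelta(minutes=10),
                 authorised_reuse: Optional[Set[str]] = None) -> None:
        self.max_auth_failures = max_auth_failures   # assumed threshold
        self.window = window                         # assumed sliding window
        # Customer data the manufacturer explicitly allows to be used more
        # than once (O.NO_REPLAY); anything else used twice is a replay.
        self.authorised_reuse = authorised_reuse or set()

    def analyse(self, records: List[AuditRecord]) -> List[Alarm]:
        ordered = sorted(records, key=lambda r: r.time)
        return self._auth_failure_accumulation(ordered) + self._replay(ordered)

    def _auth_failure_accumulation(self, records: List[AuditRecord]) -> List[Alarm]:
        # FAU_SAA.1.2 a): accumulation of failed authentications by one subject.
        alarms: List[Alarm] = []
        failures: Dict[str, List[datetime]] = {}
        alarmed: Set[str] = set()
        for r in records:
            if r.event != "authentication" or r.outcome != "failure":
                continue
            times = failures.setdefault(r.subject, [])
            times.append(r.time)
            times[:] = [t for t in times if r.time - t <= self.window]
            if len(times) >= self.max_auth_failures and r.subject not in alarmed:
                alarmed.add(r.subject)
                alarms.append(Alarm("auth_failure_accumulation", r.subject,
                                    "lock_operator_account",
                                    f"{len(times)} failures within {self.window}"))
        return alarms

    def _replay(self, records: List[AuditRecord]) -> List[Alarm]:
        # FAU_SAA.1.2 b): the same customer data successfully written to two
        # different smartcards without authorisation (T.C_DATA_REPLAY).
        alarms: List[Alarm] = []
        first_card: Dict[str, str] = {}
        flagged: Set[str] = set()
        for r in records:
            if r.event != "personalise" or r.outcome != "success":
                continue
            if r.customer_data_id is None or r.card_id is None:
                continue
            first = first_card.setdefault(r.customer_data_id, r.card_id)
            if (first != r.card_id and r.customer_data_id not in self.authorised_reuse
                    and r.customer_data_id not in flagged):
                flagged.add(r.customer_data_id)
                alarms.append(Alarm("customer_data_replay", r.subject, "hold_batch",
                                    f"{r.customer_data_id} on {first} and {r.card_id}"))
        return alarms


def build_sample_trail() -> AuditTrail:
    """Constructed events for illustration; not from any real site."""
    t0 = datetime(2000, 7, 3, 9, 0, 0)
    trail = AuditTrail()
    trail.record(AuditRecord(t0, "audit_startup", "TSF", "success"))
    trail.record(AuditRecord(t0 + timedelta(minutes=1), "personalise", "op1", "success", "CARD-0001", "CD-100"))
    trail.record(AuditRecord(t0 + timedelta(minutes=2), "personalise", "op1", "success", "CARD-0002", "CD-101"))
    # CD-200 is released twice by the manufacturer: authorised reuse, no alarm.
    trail.record(AuditRecord(t0 + timedelta(minutes=3), "personalise", "op1", "success", "CARD-0003", "CD-200"))
    trail.record(AuditRecord(t0 + timedelta(minutes=4), "personalise", "op1", "success", "CARD-0004", "CD-200"))
    # CD-100 written to a second card without authorisation: replay alarm.
    trail.record(AuditRecord(t0 + timedelta(minutes=5), "personalise", "op2", "success", "CARD-0005", "CD-100"))
    # A failed write of CD-101 to another card is not a completed replay.
    trail.record(AuditRecord(t0 + timedelta(minutes=6), "personalise", "op2", "failure", "CARD-0006", "CD-101"))
    for i in range(3):   # three failed authentications by op3 within the window
        trail.record(AuditRecord(t0 + timedelta(minutes=7 + i), "authentication", "op3", "failure"))
    trail.record(AuditRecord(t0 + timedelta(minutes=30), "audit_shutdown", "TSF", "success"))
    return trail


def run_analysis(trail: Optional[AuditTrail] = None) -> List[Alarm]:
    trail = trail or build_sample_trail()
    return ViolationAnalyser(authorised_reuse={"CD-200"}).analyse(trail.records)


if __name__ == "__main__":
    for alarm in run_analysis():
        print(alarm)
```

The replay rule only counts successful personalisation events, so a failed or aborted write does not by itself raise an alarm; the trace of the failure is still in the audit record, which is what FAU_GEN.1 requires and what P.STORAGE keeps for later investigation. The authorised-reuse set models the explicit manufacturer authorisation that O.NO_REPLAY demands.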


More information

IT Security Evaluation and Certification Scheme Document

IT Security Evaluation and Certification Scheme Document IT Security Evaluation and Certification Scheme Document June 2015 CCS-01 Information-technology Promotion Agency, Japan (IPA) IT Security Evaluation and Certification Scheme (CCS-01) i / ii Table of Contents

More information

Employee Express Security Module (EmplX Security Module) Security Target

Employee Express Security Module (EmplX Security Module) Security Target Employee Express Security Module (EmplX Security Module) Security Target Common Criteria: EAL2 Version 1.0 09 AUG 11 Document management Document identification Document ID Document title Document date/version

More information

Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017

Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017 Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017 1 Introduction These errata apply to the Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 (hereinafter referred to

More information

PIN ENTRY DEVICE PROTECTION PROFILE

PIN ENTRY DEVICE PROTECTION PROFILE APACS PIN ENTRY DEVICE PROTECTION PROFILE Association for Payment Clearing Services Mercury House, Triton Court, 14, Finsbury Square LONDON. EC2A. 1LQ Telephone 020 7711 6200 Facsimile 020 7628 0924 Website

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27002 Manager www.pecb.com The objective of the PECB Certified ISO/IEC 27002 Manager examination is to ensure that the candidate has

More information

An Experiment with CC Version 3.0 Migration

An Experiment with CC Version 3.0 Migration An Experiment with CC Version 3.0 Migration Thuy D. Nguyen, Cynthia E. Irvine Department of Computer Science, Naval Postgraduate School Richard M. Harkins Department of Physics, Naval Postgraduate School

More information

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to:

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to: PRIVACY NOTICE This Privacy Notice is issued by BGR FOODSERVICE SDN. BHD. (445653-K) ( the Company or BFSB ) and/or its related companies, as defined in the Companies Act, 1965 (collectively Group ) pursuant

More information

PROCEDURE Cryptographic Security. Number: G 0806 Date Published: 6 July 2010

PROCEDURE Cryptographic Security. Number: G 0806 Date Published: 6 July 2010 1.0 About this procedure This procedure explains the specific requirements that staff handling cryptographic material must follow. Cryptographic material is the medium by which we will configure any computer

More information

Security Target. Document Attributes. Stefan Schäfer File name: Author: Security Target trucos tacho v1.1.pdf Status:

Security Target. Document Attributes. Stefan Schäfer File name: Author: Security Target trucos tacho v1.1.pdf Status: tru//cos tacho v1..1 Security Target Document Attributes Author: Stefan Schäfer File name: Security Target trucos tacho v1.1.pdf Status: Release Save date: 24. June 2013 Version: 1.13 Further attributes:

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

THALES COMMUNICATIONS S. A. INTERNAL COMMUNICATIONS MANAGEMENT SYSTEM

THALES COMMUNICATIONS S. A. INTERNAL COMMUNICATIONS MANAGEMENT SYSTEM THALES COMMUNICATIONS S. A. SECURITY TARGET INTERNAL COMMUNICATIONS MANAGEMENT SYSTEM Prepared by: IBM Global Services CLEF IBM UK Ltd Meudon House Meudon Avenue Farnborough Hampshire GU14 7NB Date: 23

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Sterling Commerce, Inc. Connect:Direct with Secure+ Option. v4.5 on IBM OS/390 and z/os

Sterling Commerce, Inc. Connect:Direct with Secure+ Option. v4.5 on IBM OS/390 and z/os Connect:Direct with Secure+ Option v4.5 on IBM OS/390 and z/os Document Version 0.1 Prepared for: 750 W. John Carpenter Freeway Irving, TX 75039 Prepared by: Corsec Security, Inc. 10340 Democracy Lane,

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate

More information

Certification Report

Certification Report Certification Report Buheita Fujiwara, Chairman Information-technology Promotion Agency, Japan Target of Evaluation Application date/id Certification No. Sponsor Name of TOE Version of TOE PP Conformance

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

Fuji Xerox ApeosPort-II 5010/4000/3000 Series Controller Software for Asia Pacific. Security Target

Fuji Xerox ApeosPort-II 5010/4000/3000 Series Controller Software for Asia Pacific. Security Target Fuji Xerox ApeosPort-II 5010/4000/3000 Series Controller Software for Asia Pacific Security Target Version 1.0.5 This document is a translation of the evaluated and certified security target written in

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report TM QRadar V5.1.2 Report Number: Dated: January 26, 2007 Version: 1.1 National Institute of

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

THALES COMMUNICATIONS S. A. EXTERNAL COMMUNICATIONS MANAGEMENT SYSTEM

THALES COMMUNICATIONS S. A. EXTERNAL COMMUNICATIONS MANAGEMENT SYSTEM THALES COMMUNICATIONS S. A. SECURITY TARGET ETERNAL COMMUNICATIONS MANAGEMENT SYSTEM Prepared by: IBM Global Services CLEF IBM UK Ltd Meudon House Meudon Avenue Farnborough Hampshire GU14 7NB Date: 15

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Delta Security Technologies Sentinel Model III Computer Security System Report Number: CCEVS-VR-02-0023

More information

Common Criteria Protection Profile

Common Criteria Protection Profile Common Criteria Protection Profile Machine-Readable Electronic Documents based on BSI TR-03110 for Official Use [MR.ED-PP] BSI-CC-PP-0087 Document history Version 1.01, May 20th, 2015 Federal Office for

More information

Common Criteria Protection Profile

Common Criteria Protection Profile Common Criteria Protection Profile Machine-Readable Electronic Documents based on BSI TR-03110 for Official Use [MR.ED-PP] BSI-CC-PP-0087-V2 Version 2.0.2 Document history Version 2.0.2, April 4th, 2016

More information

XPORTALNET HS SECURITY TARGET VERSION FEB-18

XPORTALNET HS SECURITY TARGET VERSION FEB-18 XPORTALNET HS SECURITY TARGET VERSION 1.0 10-FEB-18 Document management Document identification Document ID Document title Document Version/Date MicroEngine_EAL2_ST xportalnet HS Security Target Version

More information

Trusted Security Filter TSF 201. Security Target

Trusted Security Filter TSF 201. Security Target Trusted Security Filter TSF 201 Security Target 2 377 [EN] N4244 0026 1 of 56 DOCUMENT CHANGE HISTORY Revision Date Description 001 23 Jun 2015 First approved version. 002 14 Sep 2015 Changed classification

More information

Xerox WorkCentre 5030/5050 Multifunction Systems. Security Target

Xerox WorkCentre 5030/5050 Multifunction Systems. Security Target Multifunction Systems Security Target Version 1.0 Prepared by: Xerox Corporation Computer Sciences Corporation (US) 1350 Jefferson Road 7231 Parkway Drive Rochester, New York 14623 Hanover, Maryland 21076

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Joint Interpretation Library. Certification of "open" smart card products

Joint Interpretation Library. Certification of open smart card products Joint Interpretation Library Certification of "open" smart card products Version 1.1 (for trial use) 4 February 2013 Certification of "open" smart card products Joint Interpretation Library Acknowledgments:

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (1 st Week) Outline Course Information and Policies Course Syllabus 1. Overview Course Information Instructor: Prof. Dr. Hasan H. BALIK, balik@yildiz.edu.tr,

More information

Security Target. EMC ScaleIO v Evaluation Assurance Level (EAL): EAL2+ Doc No: D102 Version: February 2016.

Security Target. EMC ScaleIO v Evaluation Assurance Level (EAL): EAL2+ Doc No: D102 Version: February 2016. EMC ScaleIO v1.32.3 Security Target Evaluation Assurance Level (EAL): EAL2+ Doc No: 1903-000-D102 8 February 2016 Prepared For: EMC Corporation 176 South Street Hopkinton, MA, USA 01748 Prepared by: EWA-Canada

More information

MIFARE Plus MF1PLUSx0y1 Security Target Lite

MIFARE Plus MF1PLUSx0y1 Security Target Lite Rev. 1.4 14 May 2010 Evaluation Documentation BSI-DSZ-CC-0586 Document information Info Keywords Abstract Content, MF1PLUSx0y1 Evaluation of the NXP Secure Smart Card Controller developed and provided

More information

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION ASSET MANAGEMENT POLICY INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives

More information

Data Processing Agreement

Data Processing Agreement In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal

More information

SERTIT-058 CR Certification Report Issue March 2014

SERTIT-058 CR Certification Report Issue March 2014 Sertifiseringsmyndigheten for IT-sikkerhet Norwegian Certification Authority for IT Security SERTIT-058 CR Certification Report Issue 1.0 A10 Networks Thunder 3030S and 1030S Application Delivery Controllers

More information

Sterling Commerce, Inc. Connect:Direct with Secure+ Option. v3.7 running on UNIX and v4.2 on Windows

Sterling Commerce, Inc. Connect:Direct with Secure+ Option. v3.7 running on UNIX and v4.2 on Windows Connect:Direct with Secure+ Option v3.7 running on UNIX and v4.2 on Windows Document Version 0.6 Prepared for: 750 W. John Carpenter Freeway Irving, TX 75039 Prepared by: Corsec Security, Inc. 10340 Democracy

More information

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo. Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third

More information

Multi-Functional Printer (Digital Copier) 7145 Series Security Target Version 13

Multi-Functional Printer (Digital Copier) 7145 Series Security Target Version 13 Multi-Functional Printer (Digital Copier) 7145 Series Security Target Version 13 This document is a translation of the security target written in Japanese which has been evaluated and certified. The Japan

More information

IOGEAR Secure KVM Switch Series. Security Target

IOGEAR Secure KVM Switch Series. Security Target IOGEAR Secure KVM Switch Series Security Target Version 1.0 January 19, 2018 Prepared for: 15365 Barranca Pkwy, Irvine, CA 92618 Prepared by: Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive,

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO 50001 Lead Auditor The objective of the PECB Certified ISO 50001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan

More information

Security Target. Symantec Brightmail Gateway Document Version 1.4. December 23, Security Target: Symantec Brightmail Gateway 9.0.

Security Target. Symantec Brightmail Gateway Document Version 1.4. December 23, Security Target: Symantec Brightmail Gateway 9.0. Security Target Symantec Brightmail Gateway 9.0.1 Document Version 1.4 December 23, 2010 Document Version 1.4 Symantec Page 1 of 36 Prepared For: Prepared By: Symantec Corporation 350 Ellis Street Mountain

More information