ebook img

Security Target EFAS-4.5 PDF

121 Pages·2017·3.86 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security Target EFAS-4.5

EFAS-4 Security Target EFAS-4.5 c o d h. sc lig n e n atio Security Target EFAS-4.5 k zifi e p S 5 1 name of project: EFAS-4 2. -7 B F file name: 1030-100-SEC-EN31_APPR_SecurityTargetEFAS-4.doc g: n nu version: 31 h c ei z number of document: 1030-100-SEC-EN31 e B 0 rlaesntd eedreitde db by/ya/ta:t : DDrr.. HHoorrsstt KKiieeßßlliinngg // 1253..0081..22001107 n 1. status: APPR o si er location: project folder V 09 0 2 7. 0 29. Name date: signature: B: (in block letters): F -M prepared by: Dr. Horst Kießling 13.01.2017 Q d. reviewed by: Bernd Hoeppener 13.01.2017 n Ä e zt approved by: Simon Veselsky 13.01.2017 et h l c s eli hi T e/ b er C n: o v ellt st er nt e m u o d e b a g or V -M Q Important notice: This document is the property of intellic Germany GmbH and should not be copied or distributed without permission. EFAS-4 Security Target EFAS-4.5 Release notes: number version date page chapter changes, notes modified by of pages Dr. Horst 00 2010-08-25 all all Initial version 43 Kießling Adapted suggestions from Bernd Dr. Horst 2010-08-25 all all 42 Hoeppener and Dr. Bernd Rose Kießling added reasoning for SFR-TSF Dr. Horst 2010-08-26 all 9.3.1 49 mapping Kießling 2010-08-27 all - formal corrections Dr. B. Rose 49 integrated all pp SFSs with ST, enhanced rationale by SW- Dr. Horst 01 2010-08-31 all all 71 Update TSFs, amended Kießling reasoning Made corrections with respect to Dr. Horst 02 2010-09-01 all all 72 review comments Kießling Editorial changes, added tables Dr. Horst 03 2010-10-28 all all and sections from the PP, added 101 Kießling additional assets for SW-update Some formal corrections after 04 2010-11-04 all all Dr. Bernd Rose 101 review Editorial changes and formal Dr. Horst 05 2010-11-09 all all 102 amendments Kießling Added reference to SW-Update, Dr. Horst 06 2010-11-23 all all 102 editorial changes Kießling SFR operations, Added Dr. Horst 10 2010-12-02 all all 110 Statement of Compatibility Kießling Changes on requests of Dr. Horst 11 2011-02-24 all all certification body and evaluation 127 Kießling facility Software Update mechanism Dr. Horst 12 2011-03-01 all all 117 (AES) Kießling Integrity Mechanism MAC- Dr. Horst 13 2011-05-24 88 9.1.8 118 storage-location Kießling Dr. Horst 14 2011-10-06 all all Changes due to BSI comments 117 Kießling SC-Processor more precisely Dr. Horst 15 2011-10-24 all all 117 specified Kießling Minor corrections on SFR Dr. Horst 16 2011-11-07 all all operations 117 Kießling Minor corrections on SF.UPDATE SFRs FDP_ACC.1/SW-Upgrade, 49, Dr. Horst 17 2011-11-07 8.1.5.1 FDP_ACF.1/SW-Upgrade 117 52 Kießling corrected Dr. Horst 18 2011-11-10 14 3.2 Bluetooth interface does not exist 118 Kießling all all Changed TOE name Dr. Horst 19 2014-11-21 117 105ff 10 Adapted Compatibility Statement Kießling Changed TOE name to 4.5 Dr. Horst 20 2015-02-10 all all 117 Added SC configuration details Kießling 2015-04-27 all all Extended Life Cycle Drawing Dr. Horst 21 Extended Parameter Update 117 Kießling 2015-05-06 all all Description 22 2015-05-13 all all Updated CC revision number Dr. Horst 118 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 2 of 121 EFAS-4 Security Target EFAS-4.5 Corrected date format in footer Kießling Added rationale for extension of life cycle as compared to PP Explained abbreviations in life cycle drawing Added reference to SC certificate section 2.2 Corrected description in table 2: no “other SW components” other than MC-SW-parameters Editorial changes Removed refurbishment from 2.3.3 Life Cycle Drawing 2015-06-26 11 Figure 2 Dr. Horst 23 Removed rationale for 119 4.4 Kießling depersonalisation 86 9.1.3 Removed confidentiality requirement for communication Dr. Horst 24 2016-06-14 119 with remote company Kießling 19 4.1 Amended CEM Revision in 4.1 13 2.3.4 Dr. Horst 25 2016-07-11 16 3.2 Removed acceleration sensor 119 Kießling 14 Figure 4 Dr. Horst 26 2016-07-12 14 Figure 4 Removed header in image 119 Kießling Amended chip ID version after Dr. Horst 27 2016-07-13 8 2.2 119 Infineon reassessment Kießling Dr. Horst 2016-08-05 96 9.1.13 Modified integrity check functions 119 Kießling 22 5.1 40ff 8.1.1 54 8.1.5.2 56 8.1.5.4 Dr. Horst 28 2016-10-31 Unified Software Update Process 64 8.1.8.4 Kießling 79 8.3.1 88 9.1.4 95ff 9.1.13 K-Parameter removed, external device at SF.EX_CONF removed SFR FCS_COP.1/SHA-256 dependencies and hierarchy 95ff 9.1.13 added, mapping of all all Dr. Horst 29 2016-11-15 FCS_COP.1/SHA-256 to 120 99 9.3.1 Kießling SF.DATA_INT removed 49 8.1.4.1 SFR FCS_CKM.4 key destruction methods updated Additional key for loading outside operational phase described Removed colours and Dr. Horst 30 2016-12-01 all all cancellations for marking 120 Kießling changes Adaption of “Statement of Compatibility” to G12 processor Dr. Horst 31 2017-01-13 all all 121 variant, update of SC-ST- Kießling reference and SC-identification document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 3 of 121 EFAS-4 Security Target EFAS-4.5 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 4 of 121 EFAS-4 Security Target EFAS-4.5 Table of Contents 1 SCOPE ................................................................................................................................................................ 9 2 ST INTRODUCTION (ASE_INT) ................................................................................................................... 9 2.1 ST REFERENCE ................................................................................................................................................ 9 2.2 TOE REFERENCE ............................................................................................................................................. 9 2.3 TOE OVERVIEW .............................................................................................................................................. 9 2.3.1 TOE Definition and Operational Usage................................................................................................ 9 2.3.2 TOE Major Security Features for Operational Use ............................................................................ 10 2.3.3 TOE Type ............................................................................................................................................ 12 2.3.4 Non-TOE hardware/software/firmware .............................................................................................. 13 3 TOE DESCRIPTION ...................................................................................................................................... 15 3.1 ARCHITECTURE OVERVIEW ........................................................................................................................... 15 3.2 TOE HARDWARE ........................................................................................................................................... 15 3.3 TOE SOFTWARE ............................................................................................................................................ 17 3.4 DETAILS OF SECURITY MECHANISMS ............................................................................................................ 17 3.5 TOE PRODUCT SCOPE ................................................................................................................................... 18 3.6 TOE ENVIRONMENT ...................................................................................................................................... 18 3.6.1 Development Environment .................................................................................................................. 18 3.6.2 Manufacturing Environment ............................................................................................................... 18 3.6.3 Fitters and Workshop Environment .................................................................................................... 18 3.6.4 End User Environment ........................................................................................................................ 19 4 CONFORMANCE CLAIMS .......................................................................................................................... 20 4.1 CC CONFORMANCE CLAIMS .......................................................................................................................... 20 4.2 PP CLAIM ...................................................................................................................................................... 20 4.3 PACKAGE CLAIM ........................................................................................................................................... 20 4.4 CONFORMANCE RATIONALE .......................................................................................................................... 20 5 SECURITY PROBLEM DEFINITION ........................................................................................................ 21 5.1 INTRODUCTION .............................................................................................................................................. 21 5.2 THREATS ....................................................................................................................................................... 25 5.3 ORGANISATIONAL SECURITY POLICIES ......................................................................................................... 27 5.4 ASSUMPTIONS ............................................................................................................................................... 29 6 SECURITY OBJECTIVES ............................................................................................................................ 30 6.1 SECURITY OBJECTIVES FOR THE TOE ............................................................................................................ 30 6.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT .................................................................... 31 6.3 SECURITY OBJECTIVE RATIONALE ................................................................................................................ 34 7 EXTENDED COMPONENTS DEFINITION .............................................................................................. 38 8 SECURITY REQUIREMENTS ..................................................................................................................... 39 8.1 SECURITY FUNCTIONAL REQUIREMENTS ....................................................................................................... 39 8.1.1 Overview ............................................................................................................................................. 40 8.1.2 Class FAU Security Audit ................................................................................................................... 44 8.1.2.1 FAU_GEN Security audit data generation ....................................................................................................... 44 8.1.2.2 FAU_SAR Security audit review..................................................................................................................... 45 8.1.2.3 FAU_STG Security audit event storage........................................................................................................... 45 8.1.3 Class FCO Communication ................................................................................................................ 45 8.1.3.1 FCO_NRO Non-repudiation of origin ............................................................................................................. 45 8.1.4 Class FCS Cryptographic Support ...................................................................................................... 46 8.1.4.1 FCS_CKM Cryptographic key management ................................................................................................... 46 8.1.4.2 FCS_COP Cryptographic operation ................................................................................................................ 49 8.1.5 Class FDP User Data Protection ........................................................................................................ 51 8.1.5.1 FDP_ACC Access control policy .................................................................................................................... 51 8.1.5.2 FDP_ACF Access control functions ................................................................................................................ 53 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 5 of 121 EFAS-4 Security Target EFAS-4.5 8.1.5.3 FDP_ETC Export from the TOE ..................................................................................................................... 56 8.1.5.4 FDP_ITC Import from outside of the TOE ...................................................................................................... 56 8.1.5.5 FDP_RIP Residual information protection ...................................................................................................... 58 8.1.5.6 FDP_SDI Stored data integrity ........................................................................................................................ 59 8.1.6 Class FIA Identification and Authentication ....................................................................................... 59 8.1.6.1 FIA_AFL Authentication failures .................................................................................................................... 59 8.1.6.2 FIA_ATD User attribute definition ................................................................................................................. 60 8.1.6.3 FIA_UAU User authentication ........................................................................................................................ 61 8.1.6.4 FIA_UID User identification ........................................................................................................................... 63 8.1.7 Class FPR Privacy .............................................................................................................................. 63 8.1.7.1 FPR_UNO Unobservability ............................................................................................................................. 63 8.1.8 Class FPT Protection of the TSF ........................................................................................................ 63 8.1.8.1 FPT_FLS Fail secure ....................................................................................................................................... 63 8.1.8.2 FPT_PHP TSF physical protection .................................................................................................................. 64 8.1.8.3 FPT_STM Time stamps ................................................................................................................................... 64 8.1.8.4 FPT_TDC Inter-TSF TSF Data Consistency ................................................................................................... 65 8.1.8.5 FPT_TST TSF self test .................................................................................................................................... 65 8.1.9 Class FRU Resource Utilisation ......................................................................................................... 66 8.1.9.1 FRU_PRS Priority of service ........................................................................................................................... 66 8.1.10 Class FMT Security Management .................................................................................................. 66 8.1.10.1 FMT_MSA Management of security attributes .......................................................................................... 66 8.1.10.2 FMT_MOF Management of functions in TSF............................................................................................ 68 8.1.10.3 FMT_SMF Specification of Management Functions ................................................................................. 68 8.1.10.4 FMT_SMR Security management roles ..................................................................................................... 68 8.2 SECURITY ASSURANCE REQUIREMENTS ........................................................................................................ 69 8.3 SECURITY REQUIREMENTS RATIONALE ......................................................................................................... 70 8.3.1 Security Functional Requirements Rationale ...................................................................................... 70 8.3.2 Rationale for SFR’s Dependencies ...................................................................................................... 80 8.3.3 Security Assurance Requirements Rationale ....................................................................................... 81 8.3.4 Security Requirements – Internal Consistency .................................................................................... 82 8.3.4.1 SFRs ................................................................................................................................................................ 82 8.3.4.2 SARs ................................................................................................................................................................ 82 9 TOE SUMMARY SPECIFICATION ............................................................................................................ 84 9.1 TOE SECURITY FUNCTIONS ........................................................................................................................... 84 9.1.1 SF.ACS Security Attribute Based Access Control ............................................................................... 84 9.1.2 SF.SECAUDIT Audit ........................................................................................................................... 85 9.1.3 SF.EX_CONF Confidentiality of Data Exchange ............................................................................... 87 9.1.4 SF.EX_INT Integrity and Authenticity of Data Exchange ................................................................... 88 9.1.5 SF.GEN_SKEYS Generation of Session Keys ..................................................................................... 89 9.1.6 SF.GEN_DIGSIG Generation of Digital Signatures optionally with Encryption ............................... 90 9.1.7 SF.VER_DIGSIG Verification of Digital Signatures optionally with Decryption ............................... 90 9.1.8 SF.DATA_INT Stored Data Integrity Monitoring and Action ............................................................ 91 9.1.9 SF.IA_KEY Key Based User / TOE Authentication ............................................................................. 92 9.1.10 SF.INF_PROT Residual Information Protection........................................................................... 95 9.1.11 SF.FAIL_PROT Failure and Tampering Protection ...................................................................... 95 9.1.12 SF.SELFTEST Self Test .................................................................................................................. 96 9.1.13 SF.UPDATE VU Software Upgrade ............................................................................................... 97 9.2 ASSURANCE MEASURES ................................................................................................................................ 98 9.3 TOE SUMMARY SPECIFICATION RATIONALE ................................................................................................. 99 9.3.1 Security Functions Rationale .............................................................................................................. 99 9.3.2 Assurance Measures Rationale ......................................................................................................... 106 10 STATEMENT OF COMPATIBILITY ....................................................................................................... 107 10.1 RELEVANCE OF SECURITY CONTROLLER TSF ........................................................................................ 107 10.2 SECURITY REQUIREMENTS...................................................................................................................... 107 10.2.1 Security Functional Requirements ................................................................................................ 107 10.2.2 Security Assurance Requirements ................................................................................................ 110 10.3 SECURITY OBJECTIVES ........................................................................................................................... 110 10.4 COMPATIBILITY: TOE SECURITY ENVIRONMENT .................................................................................... 112 10.4.1 Assumptions .................................................................................................................................. 112 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 6 of 121 EFAS-4 Security Target EFAS-4.5 10.4.2 Threats .......................................................................................................................................... 113 10.4.3 Organisational Security Policies .................................................................................................. 114 10.5 CONCLUSION .......................................................................................................................................... 115 11 ANNEX ........................................................................................................................................................... 117 11.1 GLOSSARY AND LIST OF ACRONYMS ....................................................................................................... 117 11.2 BIBLIOGRAPHY ....................................................................................................................................... 119 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 7 of 121 EFAS-4 Security Target EFAS-4.5 Table of Figures FIGURE 1: SIMPLIFIED DRAWING OF THE VU ............................................................................................................... 10 FIGURE 2: EFAS-4.5 LIFE-CYCLE ................................................................................................................................ 12 FIGURE 3: VU OPERATIONAL ENVIRONMENT .............................................................................................................. 13 FIGURE 4: EFAS-4.5 V03.00 WITH INTERFACES .......................................................................................................... 15 Table of Tables TABLE 1: PRIMARY ASSETS ......................................................................................................................................... 21 TABLE 2: SECONDARY ASSETS ..................................................................................................................................... 23 TABLE 3: SUBJECTS AND EXTERNAL ENTITIES ............................................................................................................. 25 TABLE 4: SECURITY OBJECTIVES FOR THE TOE........................................................................................................... 30 TABLE 5: SECURITY OBJECTIVE RATIONALE ............................................................................................................... 35 TABLE 6: SECURITY FUNCTIONAL GROUPS VS. SECURITY FUNCTIONAL REQUIREMENTS ............................................ 44 TABLE 7: COVERAGE OF SECURITY OBJECTIVES FOR THE TOE BY SFR ...................................................................... 72 TABLE 8: SUITABILITY OF THE SFRS ........................................................................................................................... 80 TABLE 9: SAR DEPENDENCIES .................................................................................................................................... 82 TABLE 10:OVERVIEW OF DEVELOPERS’ TOE RELATED DOCUMENTS .......................................................................... 99 TABLE 11: COVERAGE OF SECURITY FUNCTIONAL REQUIREMENTS BY TOE SECURITY FUNCTIONALITY ................. 101 TABLE 12: RELEVANCE OF SECURITY CONTROLLER TSF FOR COMPOSITE ST .......................................................... 107 TABLE 13: MAPPING OF SECURITY CONTROLLER OBJECTIVES TO TOE OBJECTIVES .................................................. 112 TABLE 14: MAPPING OF SECURITY CONTROLLER ASSUMPTIONS TO TOE OBJECTIVES .............................................. 113 TABLE 15: MAPPING OF SECURITY CONTROLLER THREATS TO TOE THREATS .......................................................... 114 TABLE 16: MAPPING OF SECURITY CONTROLLER OSPS TO TOE OSPS ..................................................................... 115 document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 8 of 121 EFAS-4 Security Target EFAS-4.5 1 Scope This document specifies the Security Target (ST) for the intellic EFAS-4.5 digital tachograph. 2 ST Introduction (ASE_INT) 2.1 ST Reference This document is the Security Target (ST) of the EFAS-4.5 (the TOE) provided by intellic Germany GmbH for a Common Criteria evaluation. Document Title: Security Target - EFAS-4.5 Document Date: 13.01.2017 Document Version: 31 Editor: Dr. Horst Kießling Publisher: intellic Germany GmbH CC-Version: 3.1 (Revision 4) Assurance Level: The minimum assurance level for this ST is EAL4 augmented. General Status: Released TOE: EFAS-4.5 TOE Developer: intellic Germany GmbH TOE Sponsor: intellic GmbH (Austria) Certification ID: BSI-DSZ-CC-0980 IT Evaluation Scheme:German CC Evaluation Scheme Evaluation Body: SRC Security Research & Consulting GmbH (SRC) 2.2 TOE Reference The target of evaluation (TOE) is the EFAS-4.5 digital tachograph with SW version 03.00 as developed by intellic Germany GmbH, based on INFINEON M7892 G12 (see [SCST]). The INFINEON SC is used with the following configuration (Sales name SLE78CFX3000P ):  M7892 Design Step G12 with FW-Identifier 78.015.18.2  and following optional alternative SW - libraries: RSA2048 v2.03.008 and belonging User Guidance documentation.  and further optional software: SHA-2 v1.01 and belonging User Guidance documentation. 2.3 TOE Overview 2.3.1 TOE Definition and Operational Usage The Target of Evaluation (TOE) addressed by the current security target is a vehicle unit (VU) in the sense of Annex I B [EU1B] intended to be installed in road transport vehicles. Its purpose is to record, store, display, print and output data related to driver activities. The VU records and stores user activities data in its internal data memory, it also document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 9 of 121 EFAS-4 Security Target EFAS-4.5 records user activities data in tachograph cards. The VU outputs data to display, printer and external devices. It is connected to a motion sensor with which it exchanges vehicle’s motion data. Users identify themselves to the VU using tachograph cards. The physical scope of the TOE is a device to be installed in a vehicle. The TOE consists of a hardware box (includes processing units, data memory, a real time clock, two smart card interface devices (driver and co-driver), a printer, a display, a visual warning, a calibration/ downloading connector, facilities for entry of user's inputs, embedded software and of related user manuals. It must be connected to a motion sensor (MS) and to a power supply unit; it can temporarily be connected with other devices used for calibration, data export, software upgrade and diagnostics. The TOE receives motion data from the motion sensor and activity data via the facilities for entry of user's. It stores all these user data internally and can export them to the tachograph cards inserted, to the display, to the printer, and to electrical interfaces for download purpose inclusive remote download after corresponding identification and authentication of the company (by means of the company card). Furthermore, the TOE contains the functionality for secure update of the defined parts of the TOE software. A simplified drawing of the VU is depicted in the following figure (it shall be noted that although the printer mechanism is part of the TOE, the paper document once produced is not): Figure 1: Simplified Drawing of the VU 2.3.2 TOE Major Security Features for Operational Use The main security feature of the TOE is as specified in [EU1B] (O.VU_Main): The data to be measured (the physical data measurement is performed by the motion sensor which is not part of this TOE) and recorded and then to be checked by control authorities must be available and reflect fully and accurately the activities of controlled drivers and vehicles in terms of driving, work, availability and rest periods and in terms of vehicle speed. document number version last change author status page 1030-100-SEC-EN31 31 2017-01-13 Dr. Horst Kießling APPR 10 of 121

Description:
EFAS-4. Security Target EFAS-4.5 document number version last change author status page. 1030-100-SEC-EN31. 31. 2017-01-13. Dr. Horst Kießling. APPR. 2 of 121. Release notes: version date page chapter changes, notes modified by number of pages. 00. 2010-08-25 all all. Initial version. Dr. Horst.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.