NXP JCOP 4 Security Target Lite v3.4
7.3 Security Assurance Requirements
The assurance requirements of this evaluation are EAL6 augmented by ASE_TSS.2 and ALC_FLR.1. The assurance requirements ensure, among other things, the security of the TOE during its development and production.
ADV_SPM.1 Formal TOE security policy model
Hierarchical to: No other components.
Dependencies: ADV_FSP.4 Complete functional specification
ADV_SPM.1.1D The developer shall provide a formal security policy model for the [assignment: FIREWALL access control SFP (FDP_ACC.2[FIREWALL])].
7.4 Security Requirements Rationale for the TOE
7.4.1 Identification
OT.SID
SFR | Rationale
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR. Installation procedures ensure protection against forgery (the AID of an applet is under the control of the TSFs) or re-use of identities and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR. Installation procedures ensure protection against forgery (the AID of an applet is under the control of the TSFs) or re-use of identities and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
 | Subjects’ identity is AID-based (applets, packages) and is met by the SFR.
OT.SID_MODULE
SFR | Rationale
 | The modular design information flow control policy contributes to meet this objective.
 | The modular design information flow control policy contributes to meet this objective.
 | Subject’s identity is AID-based and is met by the SFR.
 | Subject’s identity is AID-based and is met by the SFR. (Re-)loading of a previously deleted Module or Module replacement is not possible, protecting against identity forgery.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes to meet the objective by only allowing invocation of Modules if they are present.
7.4.2 Execution
OT.FIREWALL
SFR | Rationale
 | The FIREWALL access control policy contributes to meet this objective.
 | The FIREWALL access control policy contributes to meet this objective.
 | The JCVM information flow control policy contributes to meet this objective.
 | The JCVM information flow control policy contributes to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
 | Contributes indirectly to meet this objective.
OT.GLOBAL_ARRAYS_CONFID
SFR | Rationale
 | The JCVM information flow control policy meets the objective by preventing an application from keeping a pointer to a shared buffer, which could be used to read its contents when the buffer is being used by another application.
 | The JCVM information flow control policy meets this objective by preventing an application from keeping a pointer to a shared buffer, which could be used to read its contents when the buffer is being used by another application.
 | Contributes to meet the objective by protecting the array parameters of remotely invoked methods, which are global as well, through the general initialization of method parameters.
 | Contributes to meet the objective by protecting the array parameters of remotely invoked methods, which are global as well, through the general initialization of method parameters.
 | Only arrays can be designated as global, and the only global arrays required in the Java Card API are the APDU buffer and the global byte array input parameter (bArray) to an applet’s install method. Contributes to meet this objective by fulfilling the clearing requirement of these arrays.
 | Only arrays can be designated as global, and the only global arrays required in the Java Card API are the APDU buffer and the global byte array input parameter (bArray) to an applet’s install method. Contributes to meet this objective by fulfilling the clearing requirement of these arrays.
 | Contributes to meet the objective by protecting the array parameters of invoked methods, which are global as well, through the general initialization of method parameters.
 | Contributes to meet the objective by protecting the array parameters of invoked methods, which are global as well, through the general initialization of method parameters.
 | Contributes to meet the objective by protecting the array parameters of invoked methods, which are global as well, through the general initialization of method parameters.
 | Contributes to meet the objective by protecting the array parameters of invoked methods, which are global as well, through the general initialization of method parameters.
 | Only arrays can be designated as global, and the only global arrays required in the Java Card API are the APDU buffer, the global byte array input parameter (bArray) to an applet’s install method and the global arrays created by the JCSystem.makeGlobalArray(...) method. Contributes to meet this objective by fulfilling the clearing requirement of these arrays.
OT.GLOBAL_ARRAYS_INTEG
SFR | Rationale
 | Contributes to meet the objective by preventing an application from keeping a pointer to the APDU buffer of the card or to the global byte array of the applet’s install method. Such a pointer could be used to access and modify it when the buffer is being used by another application.
 | Contributes to meet the objective by preventing an application from keeping a pointer to the APDU buffer of the card or to the global byte array of the applet’s install method. Such a pointer could be used to access and modify it when the buffer is being used by another application.
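The JCVM rule behind OT.GLOBAL_ARRAYS_CONFID and OT.GLOBAL_ARRAYS_INTEG, shown from the applet side as an added Java Card example (not code from the Security Target or from NXP): data arriving in the global APDU buffer or install bArray is copied into applet-owned memory and never retained by reference. The package and class names, the instruction code and the 32-byte limit are assumptions of the example.

```java
// Added example, not from the Security Target; package, class and INS value are assumptions.
package example.globalarrays;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.Util;

public class GlobalArrayDemo extends Applet {

    private static final byte INS_STORE = (byte) 0x10;
    private static final short MAX_LEN = (short) 32;

    // Applet-owned persistent buffers: the only place where data taken from a
    // global array may live once install() or process() has returned.
    private byte[] installParams;
    private byte[] stored;
    private short storedLen;

    // Rejected pattern: a field like this can never legitimately hold the APDU
    // buffer or bArray. The JCRE firewall refuses to store a reference to a global
    // array in a class or instance field and throws SecurityException on the attempt;
    // that refusal is what the two objectives above rely on.
    // private byte[] retainedGlobalRef;   // e.g. retainedGlobalRef = apdu.getBuffer();

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new GlobalArrayDemo(bArray, bOffset, bLength);
    }

    private GlobalArrayDemo(byte[] bArray, short bOffset, byte bLength) {
        stored = new byte[MAX_LEN];
        storedLen = 0;

        // Standard install-parameter layout: [AID len][AID][ctrl len][ctrl][data len][data].
        // Walk past the AID and the control information to the applet-specific data.
        short off = bOffset;
        short aidLen = (short) (bArray[off] & 0xFF);
        off += (short) (1 + aidLen);
        short ctrlLen = (short) (bArray[off] & 0xFF);
        off += (short) (1 + ctrlLen);
        short dataLen = (short) (bArray[off] & 0xFF);
        off += 1;
        if (dataLen > MAX_LEN) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Copy out of the global bArray before install() returns. Clearing the
        // global array afterwards is the platform's job (the clearing requirement
        // named in the rationale), not the applet's.
        installParams = new byte[dataLen];
        Util.arrayCopy(bArray, off, installParams, (short) 0, dataLen);

        register(bArray, (short) (bOffset + 1), (byte) aidLen);
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        // The APDU buffer is global: it is usable only within this process() call.
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_STORE: {
                short len = apdu.setIncomingAndReceive();
                if (len > MAX_LEN) {
                    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
                }
                // Defensive copy into applet-owned memory; no reference to buf escapes.
                Util.arrayCopy(buf, ISO7816.OFFSET_CDATA, stored, (short) 0, len);
                storedLen = len;
                break;
            }
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```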
OT.NATIVE
SFR | Rationale
 | Covers this objective by ensuring that the only means to execute native code is the invocation of a Java Card API method. This objective mainly relies on the environmental objective OE.APPLET, which upholds the assumption A.APPLET.
OT.OPERATE
SFR | Rationale
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
 | Contributes to meet this objective by protecting the TOE through the FIREWALL access control policy.
 | Contributes to meet this objective by protecting the TOE through the FIREWALL access control policy.
 | Contributes to meet this objective by providing support for cleanly aborting applets’ installation, which belongs to the category of security-critical parts and procedures protection.
 | Contributes to meet the objective by protecting the authentication.
 | Contributes to meet this objective by controlling the communication with external users and their internal subjects to prevent alteration of TSF data.
 | Contributes to meet this objective by protecting in various ways against applets’ actions.
 | Contributes to meet this objective by providing safe recovery from failure, which belongs to the category of security-critical parts and procedures protection.
 | Contributes to meet this objective by controlling the communication with external users and their internal subjects to prevent alteration of TSF data.
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
 | Contributes to meet this objective by detecting and blocking various failures or security violations during normal operation.
OT.REALLOCATION
SFR | Rationale
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
 | Contributes to meet the objective by imposing that the contents of the re-allocated block shall always be cleared before delivering the block.
OT.RESOURCES
SFR | Rationale
 | Contributes to meet this objective by detecting stack/memory overflows during execution of applications.
 | Contributes to meet this objective by preventing failed installations from creating memory leaks.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective by preventing failed installations from creating memory leaks.
 | Contributes to meet this objective by detecting stack/memory overflows during execution of applications.
 | Contributes to meet this objective by detecting stack/memory overflows during execution of applications.
 | Contributes to meet this objective by detecting stack/memory overflows during execution of applications.
 | Contributes to meet this objective by detecting stack/memory overflows during execution of applications.
 | Contributes to meet this objective since the TSF controls the memory management.
 | Contributes to meet this objective since the TSF controls the memory management.
OT.SENSITIVE_RESULTS_INTEG
SFR | Rationale
 | Directly contributes to meet the objective by ensuring that integrity errors related to the sensitive API result are detected by the TOE.
7.4.3 Services | |
OT.ALARM
SFR | Rationale
 | Contributes to meet this objective by defining the TSF reaction upon detection of a potential security violation.
 | Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF when failures occur.
 | Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF when failures occur.
 | Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF when failures occur.
 | Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF when failures occur.
OT.CIPHER
SFR | Rationale
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Contributes to meet the objective by controlling the observation of the cryptographic operations, which may be used to disclose the keys.
OT.RNG
SFR | Rationale
 | Covers the objective directly.
 | Covers the objective directly.
OT.KEY-MNGT
SFR | Rationale
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Contributes to meet the objective by controlling the observation of the cryptographic operations, which may be used to disclose the keys.
 | Covers the objective directly.
 | Covers the objective directly.
OT.PIN-MNGT
SFR | Rationale
 | Contributes to meet the objective by protecting the access to private and internal data of the objects.
 | Contributes to meet the objective by protecting the access to private and internal data of the objects.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
OT.TRANSACTION
SFR | Rationale
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
 | Covers the objective directly.
OT.OBJ-DELETION
SFR | Rationale
 | Contributes to meet the objective.
 | Contributes to meet the objective.
7.4. Applet Management
OT.APPLI-AUTH
SFR | Rationale
 | Refinement: applies to FCS_COP.1[DAP]. Contributes to meet the security objective by ensuring that the loaded Executable Application is legitimate, by specifying the algorithm to be used in order to verify the DAP signature of the Verification Authority.
 | Contributes to meet this security objective by ensuring that card management operations may be cleanly aborted.
 | Contributes to meet the security objective by preserving a secure state when failures occur.
OT.DOMAIN-RIGHTS
SFR | Rationale
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to cover this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
OT.COMM_AUTH
SFR | Rationale
 | Contributes to meet the security objective by specifying the secure cryptographic algorithm that shall be used to determine the origin of the card management commands.
 | Contributes to meet the security objective by specifying the authorized identified roles that may send and authenticate card management commands.
 | Contributes to meet the security objective by ensuring the origin of card administration commands.
 | Contributes to meet the security objective by specifying the authorized identified roles that may send and authenticate card management commands.
 | Contributes to meet the security objective by specifying the authorized identified roles that may send and authenticate card management commands.
 | Contributes to meet the security objective by specifying security attributes that make it possible to authenticate card management requests.
 | Contributes to meet the security objective by specifying security attributes that make it possible to authenticate card management requests.
 | Contributes to meet the security objective by specifying the actions that can be performed before authenticating the origin of the APDU commands that the TOE receives.
 | Contributes to meet the security objective by specifying the actions that can be performed before authenticating the origin of the APDU commands that the TOE receives.
OT.COMM_INTEGRITY
SFR | Rationale
 | Contributes to meet the security objective by specifying the secure cryptographic algorithm that shall be used to ensure the integrity of the card management commands.
 | Contributes to cover this security objective by defining the roles that may send and authenticate the card management requests for which the integrity has to be ensured.
 | Contributes to meet the security objective by ensuring the integrity of card management commands.
 | Contributes to cover the security objective by enforcing the Secure Channel Protocol information flow control policy to guarantee the integrity of administration requests.
 | Contributes to cover the security objective by enforcing the Secure Channel Protocol information flow control policy to guarantee the integrity of administration requests.
 | Contributes to cover the security objective by specifying security attributes that make it possible to guarantee the integrity of card management requests.
 | Contributes to cover the security objective by specifying security attributes that make it possible to guarantee the integrity of card management requests.
 | Contributes to meet the security objective by specifying the actions activating the integrity check on the card management commands.
OT.COMM_CONFIDENTIALITY
SFR | Rationale
 | Contributes to meet this objective by specifying the secure cryptographic algorithm that shall be used to ensure the confidentiality of the card management commands.
 | Contributes to cover the security objective by defining the roles that may send and authenticate the card management requests for which the confidentiality has to be ensured.
 | Contributes to cover the security objective by ensuring the confidentiality of card management commands.
 | Contributes to cover the security objective by enforcing the Secure Channel Protocol information flow control policy to guarantee the confidentiality of administration requests.
 | Contributes to cover the security objective by enforcing the Secure Channel Protocol information flow control policy to guarantee the confidentiality of administration requests.
 | Contributes to cover the security objective by specifying security attributes that make it possible to guarantee the confidentiality of card management requests, by decrypting those requests and imposing management conditions on those attributes.
 | Contributes to cover the security objective by specifying security attributes that make it possible to guarantee the confidentiality of card management requests, by decrypting those requests and imposing management conditions on those attributes.
 | Contributes to cover the security objective by specifying the actions ensuring the confidentiality of the card management commands.
7.4. External Memory
OT.EXT-MEM
SFR | Rationale
 | Contributes to meet the objective by the EXTERNAL MEMORY access control policy, which protects the Java Card system memory against applets’ attempts at unauthorized access through the external memory facilities.
 | Contributes to meet the objective by the EXTERNAL MEMORY access control policy, which protects the Java Card system memory against applets’ attempts at unauthorized access through the external memory facilities.
 | Contributes to meet the objective by controlling the external memory management.
OT.CARD-MANAGEMENT
SFR | Rationale
 | Contributes to meet the objective by the ADEL access control policy, which ensures the non-introduction of security holes. The integrity and confidentiality of data that does not belong to the deleted applet or package is a by-product of this policy as well.
 | Contributes to meet the objective by the ADEL access control policy, which ensures the non-introduction of security holes. The integrity and confidentiality of data that does not belong to the deleted applet or package is a by-product of this policy as well.
 | Contributes to meet the objective by ensuring the non-accessibility of deleted data.
 | Contributes to meet the objective by enforcing the ADEL access control SFP.
 | Contributes to meet the objective by enforcing the ADEL access control SFP.
 | Contributes to meet the objective by maintaining the role applet deletion manager.
 | Contributes to meet the objective by protecting the TSFs against possible failures of the deletion procedures.
 | Contributes to meet the objective by protecting the TSFs against possible failures of the installer.
 | Contributes to meet the objective by protecting the TSFs against possible failures of the deletion procedures.
 | Contributes to meet the objective by enforcing the Secure Channel Protocol information flow control policy and the Security Domain access control policy, which control the integrity of the corresponding data.
 | Contributes to meet this security objective by ensuring that card management operations may be cleanly aborted.
 | Contributes to meet the security objective by enforcing the Firewall access control policy and the Secure Channel Protocol information flow policy when importing card management data.
 | Contributes to meet the security objective by preserving a secure state when failures occur.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
 | Contributes to meet this security objective by enforcing the Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.
7.4.8 Smart Card Platform | |
OT.SCP.IC
SFR | Rationale
 | Contributes to the coverage of the objective by resetting the card session or terminating the card in case of physical tampering.
 | Contributes to the coverage of the objective by ensuring leakage-resistant implementations of the unobservable operations.
 | Contributes to meet the objective.
 | Contributes to the coverage of the objective by preventing bypassing, deactivation or changing of other security features.
OT.SCP.RECOVERY
SFR | Rationale
 | Contributes to the coverage of the objective by ensuring re-initialization of the Java Card System and its data after card tearing and power failure.
 | Contributes to the coverage of the objective by preserving a secure state after failure.
SFR | Rationale
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
 | Contributes to meet the objective.
OT.IDENTIFICATION
SFR | Rationale
 | Covers the objective. The Initialisation Data (or parts of them) are used for TOE identification.
7.4. Random Numbers
SFR | Rationale
 | Counters the threat by ensuring the cryptographic quality of random number generation. For instance, random numbers shall not be predictable and shall have sufficient entropy. Furthermore, the TOE ensures that no information about the produced random numbers is available to an attacker.
 | Counters the threat by ensuring the cryptographic quality of random number generation. For instance, random numbers shall not be predictable and shall have sufficient entropy. Furthermore, the TOE ensures that no information about the produced random numbers is available to an attacker.
7.4. Configuration Module
OT.CARD-CONFIGURATION
SFR | Rationale
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by controlling the ability to modify configuration items.
 | Contributes to meet the objective by requiring identification before modifying configuration items.
7.4.1 Secure Box | |
OT.SEC_BOX_FW
SFR | Rationale
 | Contributes to meet the objective by applying access control rules.
 | Contributes to meet the objective by applying access control rules.
 | Contributes to meet the objective by enforcing the SecureBox access control SFP.
 | Contributes to meet the objective by enforcing the SecureBox access control SFP.
 | Contributes to cover this security objective by enforcing the SecureBox access control policy, which ensures a separation of the Secure Box from the rest of the TOE.
7.4.1 Restricted Mode | |
OT.ATTACK-COUNTER
SFR | Rationale
 | Contributes to cover the objective by defining the security role ISD.
 | Contributes to cover the objective by restricting the initial value of the Attack Counter and allowing nobody to change the initial value.
 | Contributes to cover the objective by only allowing the ISD to modify the Attack Counter.
 | Contributes to cover the objective by requiring authentication before resetting the Attack Counter.
 | Contributes to cover the objective by requiring identification before resetting the Attack Counter.
OT.RESTRICTED-MODE
SFR | Rationale
 | Contributes to cover the objective by defining the security role ISD.
 | Contributes to the coverage of the objective by defining the subject of the Restricted Mode access control SFP.
 | Contributes to cover the objective by controlling access to objects for all operations.
 | Contributes to cover the objective by defining the management functions of the restricted mode.
 | Contributes to cover the objective by requiring authentication before resetting the Attack Counter.
 | Contributes to cover the objective by requiring identification before resetting the Attack Counter.