Java Cards

NXP JCOP 4 Security Target Lite v3.4 10

2020-07-14 16:10:36 M&W SmartCard 4

7.3   Security Assurance Requirements

The assurance requirements of this evaluation are EAL6 augmented by ASE_TSS.2 and ALC_FLR.1. The assur-ance requirements ensure, among others, the security of the TOE during its development and production.


ADV_SPM.                           Formal TOE security policy model

Hierarchical-To                       No other components.

Dependencies                        ADV_FSP.4 Complete functional specification

ADV_SPM.1.1D                      The developer shall provide a formal security policy model for the [assignment:FIREWALL

access control SFP (FDP_ACC.2[FIREWALL])].

7.4   Security Requirements Rationale for the TOE

7.4.1 Identification

OT.SID

SFR

Rationale

FIA_UID.2[AID]

Subjects’ identity is AID-based (applets, packages) and is met by the SFR. Installation procedures ensure protectionagainst forgery (the AID of an applet is under the controlof the TSFs) or re-use of identities and is met by the SFR.


FIA_USB.1[AID]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR. Installation procedures ensure protectionagainst forgery (the AID of an applet is under the controlof the TSFs) or re-use of identities and is met by the SFR.


FMT_MSA.1[JCRE]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.1[JCVM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.1[ADEL]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.3[FIREWALL]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.3[JCVM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.3[ADEL]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MTD.1[JCRE]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MTD.3[JCRE]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_SMF.1[ADEL]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.3[EXT-MEM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.1[EXT-MEM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_SMF.1[EXT-MEM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FIA_ATD.1[AID]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FDP_ITC.2[CCM]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.1[SC]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_MSA.3[SC]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

FMT_SMF.1[SC]

Subjects’ identity is AID-based (applets, packages) and ismet by the SFR.

OT.SID_MODULE



SFR

Rationale

FDP_IFC.1[MODULAR-DESIGN]

The modular design information flow control policy contributes to meet this objective.

FDP_IFF.1[MODULAR-DESIGN]

The modular design information flow control policy contributes to meet this objective.

FIA_ATD.1[MODULAR-DESIGN]

Subject’s identity is AID-based and is met by the SFR.

FIA_USB.1[MODULAR-DESIGN]

Subject’s identity is AID-based and is met by the SFR.(Re-) loading of a previously deleted Module or Modulereplacement are not possible, protecting against identityforgery.


FMT_MSA.1[MODULAR-DESIGN]

Contributes indirectly to meet this objective.

FMT_MSA.3[MODULAR-DESIGN]

Contributes indirectly to meet this objective.

FMT_SMF.1[MODULAR-DESIGN]

Contributes indirectly to meet this objective.

FMT_SMR.1[MODULAR-DESIGN]

Contributes indirectly to meet this objective.

FPT_FLS.1[MODULAR-DESIGN]

Contributes indirectly to meet this objective.

FIA_UID.1[MODULAR-DESIGN]

Contributes to meet the objective by only allowing invocation of Modules if they are present.

7.4.2 Execution

OT.FIREWALL



SFR

Rationale

FDP_ACC.2[FIREWALL]

The FIREWALL access control policy contributes to meetthis objective.

FDP_ACF.1[FIREWALL]

The FIREWALL access control policy contributes to meetthis objective.

FDP_IFC.1[JCVM]

The JCVM information flow control policy contributes tomeet this objective.

FDP_IFF.1[JCVM]

The JCVM information flow control policy contributes tomeet this objective.

FMT_MSA.1[JCRE]

Contributes indirectly to meet this objective.

FMT_MSA.1[JCVM]

Contributes indirectly to meet this objective.

FMT_MSA.1[ADEL]

Contributes indirectly to meet this objective.

FMT_MSA.2[FIREWALL-JCVM]

Contributes indirectly to meet this objective.

FMT_MSA.3[FIREWALL]

Contributes indirectly to meet this objective.

FMT_MSA.3[JCVM]

Contributes indirectly to meet this objective.

FMT_MSA.3[ADEL]

Contributes indirectly to meet this objective.

FMT_MTD.1[JCRE]

Contributes indirectly to meet this objective.

FMT_MTD.3[JCRE]

Contributes indirectly to meet this objective.

FMT_SMF.1

Contributes indirectly to meet this objective.

FMT_SMF.1[ADEL]

Contributes indirectly to meet this objective.

FMT_SMR.1

Contributes indirectly to meet this objective.

FMT_SMR.1[INSTALLER]

Contributes indirectly to meet this objective.

FMT_SMR.1[ADEL]

Contributes indirectly to meet this objective.

FMT_MSA.3[EXT-MEM]

Contributes indirectly to meet this objective.

FMT_MSA.1[EXT-MEM]

Contributes indirectly to meet this objective.

FMT_SMF.1[EXT-MEM]

Contributes indirectly to meet this objective.

FDP_ITC.2[CCM]

Contributes indirectly to meet this objective.

FMT_SMR.1[SD]

Contributes indirectly to meet this objective.

FMT_MSA.1[SC]

Contributes indirectly to meet this objective.

FMT_MSA.3[SC]

Contributes indirectly to meet this objective.

FMT_SMF.1[SC]

Contributes indirectly to meet this objective.

OT.GLOBAL_ARRAYS_CONFID

FDP_IFC.1[JCVM]

The JCVM information flow control policy meets the objective by preventing an application from keeping a pointer toa shared buffer, which could be used to read its contentswhen the buffer is being used by another application.


FDP_IFF.1[JCVM]

The JCVM information flow control policy meets this objective by preventing an application from keeping a pointerto a shared buffer, which could be used to read its contents when the buffer is being used by another application.


FDP_RIP.1[OBJECTS]

Contributes to meet the objective by protecting the array parameters of remotely invoked methods, which areglobal as well, through the general initialization of methodparameters.


FDP_RIP.1[ABORT]

Contributes to meet the objective by protecting the array parameters of remotely invoked methods, which areglobal as well, through the general initialization of methodparameters.


FDP_RIP.1[APDU]

Only arrays can be designated as global, and the onlyglobal arrays required in the Java Card API are the APDUbuffer and the global byte array input parameter (bArray)to an applet’s install method. Contributes to meet this objective by fulfilling the clearing requirement of these arrays.


FDP_RIP.1[bArray]

Only arrays can be designated as global, and the onlyglobal arrays required in the Java Card API are the APDUbuffer and the global byte array input parameter (bArray)to an applet’s install method. Contributes to meet this objective by fulfilling the clearing requirement of these arrays.


FDP_RIP.1[KEYS]

Contributes to meet the objective by protecting the arrayparameters of invoked methods, which are global as well,through the general initialization of method parameters.


FDP_RIP.1[TRANSIENT]

Contributes to meet the objective by protecting the arrayparameters of invoked methods, which are global as well,through the general initialization of method parameters.


FDP_RIP.1[ADEL]

Contributes to meet the objective by protecting the arrayparameters of invoked methods, which are global as well,through the general initialization of method parameters.


FDP_RIP.1[ODEL]

Contributes to meet the objective by protecting the arrayparameters of invoked methods, which are global as well,through the general initialization of method parameters.


FDP_RIP.1[GlobalArray_Refined]

Only arrays can be designated as global, and the onlyglobal arrays required in the Java Card API are the APDUbuffer, the global byte array input parameter (bArray) to anapplet’s install method and the global arrays created bythe JCSystem.makeGlobalArray(...) method. Contributesto meet this objective by fulfilling the clearing requirementof these arrays.


OT.GLOBAL_ARRAYS_INTEG



SFR

Rationale

FDP_IFC.1[JCVM]

Contributes to meet the objective by preventing an application from keeping a pointer to the APDU buffer ofthe card or to the global byte array of the applet’s installmethod. Such a pointer could be used to access andmodify it when the buffer is being used by another application.


FDP_IFF.1[JCVM]

Contributes to meet the objective by preventing an application from keeping a pointer to the APDU buffer ofthe card or to the global byte array of the applet’s installmethod. Such a pointer could be used to access andmodify it when the buffer is being used by another application.


OT.NATIVE



SFR

Rationale

FDP_ACF.1[FIREWALL]

Covers this objective by ensuring that the only means toexecute native code is the invocation of a Java Card APImethod. This objective mainly relies on the environmental objective OE.APPLET, which uphold the assumption

A.APPLET.


OT.OPERATE



SFR

Rationale

FAU_ARP.1

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


FDP_ACC.2[FIREWALL]

Contributes to meet this objective by protecting the TOEthrough the FIREWALL access control policy.

FDP_ACF.1[FIREWALL]

Contributes to meet this objective by protecting the TOEthrough the FIREWALL access control policy.

FDP_ROL.1[FIREWALL]

Contributes to meet this objective by providing support forcleanly abort applets’ installation, which belongs to thecategory security-critical parts and procedures protection.


FIA_AFL.1[PIN]

Contributes to meet the objective by protecting the authentication.

FIA_USB.1[AID]

Contributes to meet this objective by controlling the communication with external users and their internal subjectsto prevent alteration of TSF data.


FPT_TDC.1

Contributes to meet this objective by protection in variousways against applets’ actions.

FPT_RCV.3[INSTALLER]

Contributes to meet this objective by providing safe recovery from failure, which belongs to the category of securitycritical parts and procedures protection.


FIA_ATD.1[AID]

Contributes to meet this objective by controlling the communication with external users and their internal subjectsto prevent alteration of TSF data.


FPT_FLS.1

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


FPT_FLS.1[INSTALLER]

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


FPT_FLS.1[ADEL]

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


FPT_FLS.1[ODEL]

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


FDP_ITC.2[CCM]

Contributes to meet this objective by detecting and blocking various failures or security violations during usualworking.


OT.REALLOCATION



SFR

Rationale

FDP_RIP.1[OBJECTS]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[ABORT]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[APDU]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[bArray]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[KEYS]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[TRANSIENT]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[ADEL]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[ODEL]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


FDP_RIP.1[GlobalArray_Refined]

Contributes to meet the objective by imposing that thecontents of the re-allocated block shall always be clearedbefore delivering the block.


OT.RESOURCES



SFR

Rationale

FAU_ARP.1

Contributes to meet this objective by detecting stack/memory overflows during execution of applications

FDP_ROL.1[FIREWALL]

Contributes to meet this objective by preventing that failedinstallations create memory leaks

FMT_MTD.1[JCRE]

Contributes to meet this objective since the TSF controlsthe memory management

FMT_MTD.3[JCRE]

Contributes to meet this objective since the TSF controlsthe memory management

FMT_SMF.1

Contributes to meet this objective since the TSF controlsthe memory management

FMT_SMF.1[ADEL]

Contributes to meet this objective since the TSF controlsthe memory management

FMT_SMR.1

Contributes to meet this objective since the TSF controlsthe memory management

FMT_SMR.1[INSTALLER]

Contributes to meet this objective since the TSF controlsthe memory management

FMT_SMR.1[ADEL]

Contributes to meet this objective since the TSF controlsthe memory management

FPT_RCV.3[INSTALLER]

Contributes to meet this objective by preventing that failedinstallations create memory leaks

FPT_FLS.1

Contributes to meet this objective by detecting stack/memory overflows during execution of applications

FPT_FLS.1[INSTALLER]

Contributes to meet this objective by detecting stack/memory overflows during execution of applications


FPT_FLS.1[ADEL]

Contributes to meet this objective by detecting stack/memory overflows during execution of applications


FPT_FLS.1[ODEL]

Contributes to meet this objective by detecting stack/memory overflows during execution of applications


FMT_SMR.1[SD]

Contributes to meet this objective since the TSF controlsthe memory management


FMT_SMF.1[SC]

Contributes to meet this objective since the TSF controlsthe memory management

OT.SENSITIVE_RESULTS_INTEG



SFR

Rationale

FDP_SDI.2[SENSITIVE_RESULT]

Directly contributes to meet the objective by ensuring thatintegrity errors related to the sensitive API result are detected by the TOE.


7.4.3 Services

OT.ALARM



SFR

Rationale

FAU_ARP.1

Contributes to meet this objective by defining TSF reaction upon detection of a potential security violation

FPT_FLS.1

Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF whenfailures occur


FPT_FLS.1[INSTALLER]

Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF whenfailures occur



FPT_FLS.1[ADEL]

Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF whenfailures occur


FPT_FLS.1[ODEL]

Contributes to meet the objective by providing the guarantee that a secure state is preserved by the TSF whenfailures occur


OT.CIPHER



SFR

Rationale

FCS_CKM.1

Covers the objective directly

FCS_CKM.2

Covers the objective directly

FCS_CKM.3

Covers the objective directly

FCS_CKM.4

Covers the objective directly

FCS_COP.1

Covers the objective directly

FPR_UNO.1

Contributes to meet the objective by controlling the observation of the cryptographic operations which may be usedto disclose the keys


OT.RNG



SFR

Rationale

FCS_RNG.1

Covers the objective directly

FCS_RNG.1[HDT]

Covers the objective directly

OT.KEY-MNGT




SFR

Rationale

FCS_CKM.1

Covers the objective directly

FCS_CKM.2

Covers the objective directly

FCS_CKM.3

Covers the objective directly

FCS_CKM.4

Covers the objective directly

FCS_COP.1

Covers the objective directly

FDP_RIP.1[OBJECTS]

Covers the objective directly

FDP_RIP.1[ABORT]

Covers the objective directly

FDP_RIP.1[APDU]

Covers the objective directly

FDP_RIP.1[bArray]

Covers the objective directly

FDP_RIP.1[KEYS]

Covers the objective directly

FDP_RIP.1[TRANSIENT]

Covers the objective directly

FDP_RIP.1[ADEL]

Covers the objective directly

FDP_RIP.1[ODEL]

Covers the objective directly

FPR_UNO.1

Contributes to meet objective by controlling the observation of the cryptographic operations which may be used todisclose the keys


FDP_RIP.1[GlobalArray_Refined]

Covers the objective directly

FDP_SDI.2[DATA]

Covers the objective directly

OT.PIN-MNGT



SFR

Rationale

FDP_ACC.2[FIREWALL]

Contributes to meet the objective by protecting the accessto private and internal data of the objects

FDP_ACF.1[FIREWALL]

Contributes to meet the objective by protecting the accessto private and internal data of the objects

FDP_RIP.1[OBJECTS]

Contributes to meet the objective

FDP_RIP.1[ABORT]

Contributes to meet the objective

FDP_RIP.1[APDU]

Contributes to meet the objective

FDP_RIP.1[bArray]

Contributes to meet the objective

FDP_RIP.1[KEYS]

Contributes to meet the objective

FDP_RIP.1[TRANSIENT]

Contributes to meet the objective

FDP_RIP.1[ADEL]

Contributes to meet the objective

FDP_RIP.1[ODEL]

Contributes to meet the objective

FDP_ROL.1[FIREWALL]

Contributes to meet the objective

FPR_UNO.1

Contributes to meet the objective

FDP_RIP.1[GlobalArray_Refined]

Contributes to meet the objective

FDP_SDI.2[DATA]

Contributes to meet the objective

OT.TRANSACTION




SFR

Rationale

FDP_RIP.1[OBJECTS]

Covers the objective directly

FDP_RIP.1[ABORT]

Covers the objective directly

FDP_RIP.1[APDU]

Covers the objective directly

FDP_RIP.1[bArray]

Covers the objective directly

FDP_RIP.1[KEYS]

Covers the objective directly

FDP_RIP.1[TRANSIENT]

Covers the objective directly

FDP_RIP.1[ADEL]

Covers the objective directly

FDP_RIP.1[ODEL]

Covers the objective directly

FDP_ROL.1[FIREWALL]

Covers the objective directly

FDP_RIP.1[GlobalArray_Refined]

Covers the objective directly

7.4.Object Deletion

OT.OBJ-DELETION



SFR

Rationale

FDP_RIP.1[ODEL]

Contributes to meet the objective

FPT_FLS.1[ODEL]

Contributes to meet the objective

7.4.Applet Management

OT.APPLI-AUTH



SFR

Rationale

FCS_COP.1

Refinement: applies to FCS_COP.1[DAP]. Contributes tomeet the security objective by ensuring that the loadedExecutable Application is legitimate by specifying the algorithm to be used in order to verify the DAP signature ofthe Verification Authority.


FDP_ROL.1[CCM]

Contributes to meet this security objective by ensures thatcard management operations may be cleanly aborted.

FPT_FLS.1[CCM]

Contributes to meet the security objective by preserving asecure state when failures occur.

OT.DOMAIN-RIGHTS



SFR

Rationale

FDP_ACC.1[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FDP_ACF.1[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_MSA.1[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_MSA.3[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_SMF.1[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_SMR.1[SD]

Contributes to cover this security objective by enforcing aSecurity Domain access control policy (rules and restrictions) that ensures a secure card content management.


FTP_ITC.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FCO_NRO.2[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FDP_IFC.2[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FDP_IFF.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FMT_MSA.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FMT_MSA.3[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FMT_SMF.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FIA_UID.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FIA_UAU.1[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


FIA_UAU.4[SC]

Contributes to cover this security objective by enforcingSecure Channel Protocol information flow control policythat ensures the integrity and the authenticity of card management operations.


OT.COMM_AUTH



SFR

Rationale

FCS_COP.1

Contributes to meet the security objective by specifyingsecure cryptographic algorithm that shall be used to determine the origin of the card management commands.


FMT_SMR.1[SD]

Contributes to meet the security objective by specifyingthe authorized identified roles enabling to send and authenticate card management commands.


FTP_ITC.1[SC]

Contributes to meet the security objective by ensuring theorigin of card administration commands.

FDP_IFC.2[SC]

Contributes to meet the security objective by specifyingthe authorized identified roles enabling to send and authenticate card management commands.


FDP_IFF.1[SC]

Contributes to meet the security objective by specifyingthe authorized identified roles enabling to send and authenticate card management commands.


FMT_MSA.1[SC]

Contributes to meet the security objective by specifyingsecurity attributes enabling to authenticate card management requests.


FMT_MSA.3[SC]

Contributes to meet the security objective by specifyingsecurity attributes enabling to authenticate card management requests.


FIA_UID.1[SC]

Contributes to meet the security objective by specifyingthe actions that can be performed before authenticatingthe origin of the APDU commands that the TOE receives.


FIA_UAU.1[SC]

Contributes to meet the security objective by specifyingthe actions that can be performed before authenticatingthe origin of the APDU commands that the TOE receives.


OT.COMM_INTEGRITY

FCS_COP.1

Contributes to meet the security objective by by specifying secure cryptographic algorithm that shall be used toensure the integrity of the card management commands.


FMT_SMR.1[SD]

Contributes to cover this security objective by defining theroles enabling to send and authenticate the card management requests for which the integrity has to be ensured.


FTP_ITC.1[SC]

Contributes to meet the security objective by ensuring theintegrity of card management commands.

FDP_IFC.2[SC]

Contributes to cover the security objective by enforcingthe Secure Channel Protocol information flow control policy to guarantee the integrity of administration requests.


FDP_IFF.1[SC]

Contributes to cover the security objective by enforcingthe Secure Channel Protocol information flow control policy to guarantee the integrity of administration requests.


FMT_MSA.1[SC]

Contributes to cover the security objective by specifyingsecurity attributes enabling to guarantee the integrity ofcard management requests.


FMT_MSA.3[SC]

Contributes to cover the security objective by specifyingsecurity attributes enabling to guarantee the integrity ofcard management requests.


FMT_SMF.1[SC]

Contributes to meet the security objective by specifyingthe actions activating the integrity check on the card management commands.


OT.COMM_CONFIDENTIALITY



SFR

Rationale

FCS_COP.1

Contributes to meet this objective by specifying securecryptographic algorithm that shall be used to ensure theconfidentiality of the card management commands.


FMT_SMR.1[SD]

Contributes to cover the security objective by defining theroles enabling to send and authenticate the card management requests for which the confidentiality has to be ensured.


FTP_ITC.1[SC]

Contributes to cover the security objective by ensuring theconfidentiality of card management commands.

FDP_IFC.2[SC]

Contributes to cover the security objective by enforcingthe Secure Channel Protocol information flow control policy to guarantee the confidentiality of administration requests.



FDP_IFF.1[SC]

Contributes to cover the security objective by enforcingthe Secure Channel Protocol information flow control policy to guarantee the confidentiality of administration requests.


FMT_MSA.1[SC]

Contributes to cover the security objective by specifyingsecurity attributes enabling to guarantee the confidentiality of card management requests by decrypting those requests and imposing management conditions on that attributes.


FMT_MSA.3[SC]

Contributes to cover the security objective by specifyingsecurity attributes enabling to guarantee the confidentiality of card management requests by decrypting those requests and imposing management conditions on that attributes.


FMT_SMF.1[SC]

Contributes to cover the security objective by specifyingthe actions ensuring the confidentiality of the card management commands.


7.4.External Memory

OT.EXT-MEM



SFR

Rationale

FDP_ACC.1[EXT-MEM]

Contributes to meet the objective by the EXTERNAL MEMORY access control policy which protects the Java Card system memory against applet’s attempts of unauthorized access through the external memory facilities.


FDP_ACF.1[EXT-MEM]

Contributes to meet the objective by the EXTERNAL MEMORY access control policy which protects the Java Card system memory against applet’s attempts of unauthorized access through the external memory facilities.


FMT_SMF.1[EXT-MEM]

Contributes to meet the objective by controlling the external memory management

7.4.Card Management

OT.CARD-MANAGEMENT

SFR

Rationale

FDP_ACC.2[ADEL]

Contributes to meet the objective by the ADEL access control policy which ensures the non-introduction of security holes. The integrity and confidentiality of data that does not belong to the deleted applet or package is a byproduct of this policy as well


FDP_ACF.1[ADEL]

Contributes to meet the objective by the ADEL access control policy which ensures the non-introduction of security holes. The integrity and confidentiality of data that does not belong to the deleted applet or package is a byproduct of this policy as well


FDP_RIP.1[ADEL]

Contributes to meet the objective by ensuring the nonaccessibility of deleted data

FMT_MSA.1[ADEL]

Contributes to meet the objective by enforcing the ADEL access control SFP

FMT_MSA.3[ADEL]

Contributes to meet the objective by enforcing the ADEL access control SFP

FMT_SMR.1[ADEL]

Contributes to meet the objective by maintaing the role applet deletion manager

FPT_RCV.3[INSTALLER]

Contributes to meet the objective by protecting the TSFs against possible failures of the deletion procedures

FPT_FLS.1[INSTALLER]

Contributes to meet the objective by protecting the TSFs against possible failures of the installer

FPT_FLS.1[ADEL]

Contributes to meet the objective by protecting the TSFs against possible failures of the deletion procedures

FDP_UIT.1[CCM]

Contributes to meet the objective by enforcing the Secure Channel Protocol information flow control policy and the Security Domain access control policy which controls the integrity of the corresponding data


FDP_ROL.1[CCM]

Contributes to meet this security objective by ensures that card management operations may be cleanly aborted.

FDP_ITC.2[CCM]

Contributes to meet the security objective by enforcing the Firewall access control policy and the Secure Channel Protocol information flow policy when importing card management data.


FPT_FLS.1[CCM]

Contributes to meet the security objective by preserving a secure state when failures occur.

FDP_ACC.1[SD]

Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.


FDP_ACF.1[SD]

Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_MSA.1[SD]

Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_MSA.3[SD]

Contributes to cover this security objective by enforcing a


Security Domain access control policy (rules and restrictions) that ensures a secure card content management.

FMT_SMF.1[SD]

Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.


FMT_SMR.1[SD]

Contributes to cover this security objective by enforcing a Security Domain access control policy (rules and restrictions) that ensures a secure card content management.


FTP_ITC.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FCO_NRO.2[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FDP_IFC.2[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FDP_IFF.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FMT_MSA.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FMT_MSA.3[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FMT_SMF.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FIA_UID.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FIA_UAU.1[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FIA_UAU.4[SC]

Contributes to meet this security objective by enforcing Secure Channel Protocol information flow control policy that ensures the integrity and the authenticity of card management operations.


FMT_SMR.1[ADEL]


7.4.8 Smart Card Platform

OT.SCP.IC


SFR

Rationale

FAU_ARP.1

Contributes to the coverage of the objective by resetting the card session or terminating the card in case of physical tampering.


FPR_UNO.1

Contributes to the coverage of the objective by ensuring leakage resistant implementations of the unobservable operations


FPT_EMSEC.1

Contributes to meet the objective

FPT_PHP.3

Contributes to the coverage of the objective by preventing bypassing, deactivation or changing of other security features.


OT.SCP.RECOVERY


SFR

Rationale

FAU_ARP.1

Contributes to the coverage of the objective by ensuring reinitialization of the Java Card System and its data after card tearing and power failure


FPT_FLS.1

Contributes to the coverage of the objective by preserving a secure state after failure

OT.SCP.SUPPORT



SFR

Rationale

FCS_CKM.1

Contributes to meet the objective

FCS_CKM.4

Contributes to meet the objective

FCS_COP.1

Contributes to meet the objective

FDP_ROL.1[FIREWALL]

Contributes to meet the objective

OT.IDENTIFICATION



SFR

Rationale

FAU_SAS.1[SCP]

Covers the objective.The Initialisation Data (or parts of them) are used for TOE identification

7.4. Random Numbers





SFR

Rationale

FCS_RNG.1

Counters the threat by ensuring the cryptographic quality of random number generation. For instance random numbers shall not be predictable and shall have sufficient entropy. Furthermore, the TOE ensures that no information about the produced random numbers is available to an attacker.


FCS_RNG.1[HDT]

Counters the threat by ensuring the cryptographic quality of random number generation. For instance random numbers shall not be predictable and shall have sufficient entropy. Furthermore, the TOE ensures that no information about the produced random numbers is available to an attacker.


7.4. Configuration Module

OT.CARD-CONFIGURATION

SFR

Rationale

FDP_IFC.2[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FDP_IFF.1[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FMT_MSA.3[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FMT_MSA.1[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FMT_SMR.1[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FMT_SMF.1[CFG]

Contributes to meet the objective by controlling the ability to modify configuration items.

FIA_UID.1[CFG]

Contributes to meet the objective by requiring identification before modifying configuration items.

7.4.1 Secure Box

OT.SEC_BOX_FW




SFR

Rationale

FDP_ACC.2[SecureBox]

Contributes to meet the objective by applying access control rules.

FDP_ACF.1[SecureBox]

Contributes to meet the objective by applying access control rules.

FMT_MSA.3[SecureBox]

Contributes to meet the objective by enforcing the SecureBox access control SFP.

FMT_MSA.1[SecureBox]

Contributes to meet the objective by enforcing the SecureBox access control SFP.

FMT_SMF.1[SecureBox]

Contributes to cover this security objective by enforcing the SecureBox access control policy which ensures a separation of the Secure Box from the rest of the TOE.


7.4.1 Restricted Mode

OT.ATTACK-COUNTER



SFR

Rationale

FMT_SMR.1[SD]

Contributes to cover the objective by defining the security role ISD.

FMT_MSA.3[RM]

Contributes to cover the objective by restricting the initial value of the Attack Counter and allowing nobody to change the initial value.


FMT_MSA.1[RM]

Contributes to cover the objective by only allowing the ISD to modify the Attack Counter.

FIA_UAU.1[RM]

Contributes to cover the objective by requiring authentication before resetting the Attack Counter.

FIA_UID.1[RM]

Contributes to cover the objective by requiring identification before resetting the Attack Counter.

OT.RESTRICTED-MODE



SFR

Rationale

FMT_SMR.1[SD]

Contributes to cover the objective by defining the security role ISD.

FDP_ACC.2[RM]

Contributes to the coverage of the objective by defining the subject of the Restricted Mode access control SFP.

FDP_ACF.1[RM]

Contributes to cover the objective by controlling access to objects for all operations.

FMT_SMF.1[RM]

Contributes to cover the objective by defining the management functions of the restricted mode.

FIA_UAU.1[RM]

Contributes to cover the objective by requiring authentication before resetting the Attack Counter.

FIA_UID.1[RM]

Contributes to cover the objective by requiring identification before resetting the Attack Counter.

9    Contents

1 ST Introduction (ASE_INT)

1.1 ST Reference and TOE Reference

1.2 TOE Overview


1.2.1 Usage and Major Security Features of the TOE

1.2.2 TOE Type

1.2.3 Required non-TOE Hardware/Software/Firmware

1.3 TOE Description


1.3.1 TOE Components and Composite Certi fication

1.3.2 Optional TOE Functionality

1.3.3 TOE Life Cycle

1.3.4 TOE Identification

1.3.5 Evaluated Package Types


2 Conformance Claims (ASE_CCL)


2.1 CC Conformance Claim

2.2 Package Claim

2.3 PP Claim

2.4 Conformance Claim Rationale


2.4.1 TOE Type

2.4.2 SPD Statement

2.4.3 Security Objectives Statement

2.4.4 Security Functional Requirements State ment

3 Security Aspects


3.1 Confidentiality

3.2 Integrity

3.3 Unauthorized Executions

3.4 Bytecode Verification

3.5 Card Management

3.6 Services

3.7 External Memory

3.8 Configuration Module

3.9 Modular Design

3.10 Restricted Mode

4 Security Problem Definition (ASE_SPD)


4.1 Assets


4.1.1 User Data

4.1.2 TSF Data

4.2 Threats


4.2.1 Confidentiality

4.2.2 Integrity

4.2.3 Identity Usurpation

4.2.4 Unauthorized Execution

4.2.5 Denial of Service

4.2.6 Card Management

4.2.7 Services

4.2.8 Miscellaneous

4.2.9 Operating System

4.2.10 Random Numbers

4.2.11 Configuration Module

4.2.12 Secure Box

4.2.13 Module replacement

4.2.14 Restricted Mode

4.3 Organisational Security Policies

4.4 Assumptions

5 Security Objectives


5.1 Security Objectives for the TOE


5.1.1 Identification

5.1.2 Execution

5.1.3 Services

5.1.4 Object Deletion

5.1.5 Applet Management

5.1.6 External Memory

5.1.7 Card Management

5.1.8 Smart Card Platform

5.1.9 Secure Box

5.1.10 Random Numbers

5.1.11 Configuration Module

5.1.12 Restricted Mode

5.2 Security Objectives for the Operational Environment

5.3 Security Objectives Rationale


5.3.1 Threats

5.3.2 Organisational Security Policies

5.3.3 Assumptions


6 Extended Components Definition (ASE_ECD)


6.1 Definition of Family ”Audit Data Storage (FAU_SAS)”

6.2 Definition of Family ”TOE emanation (FPT_EMSEC)”

7 Security Requirements (ASE_REQ)


7.1 Definitions


7.1.1 Groups

7.1.2 Subjects

7.1.3 Objects

7.1.4 Informations

7.1.5 Security Attributes

7.1.6 Operations

7.2 Security Functional Requirements


7.2.1 COREG_LC Security Functional Requirements

7.2.2 INSTG Security Functional Requirements

7.2.3 ADELG Security Functional Requirements

7.2.4 RMIG Security Functional Requirements

7.2.5 ODELG Security Functional Requirements

7.2.6 CarG Security Functional Requirements .

7.2.7 EMG Security Functional Requirements .

7.2.8 ConfG Security Functional Requirements

7.2.9 SecBoxG Security Functional Requirements

7.2.10 ModDesG Security Functional Requirements

7.2.11 RMG Security Functional Requirements .

7.2.12 Further Security Functional Requirements

7.3 Security Assurance Requirements

7.4 Security Requirements Rationale for the TOE


7.4.1 Identification

7.4.2 Execution

7.4.3 Services

7.4.4 Object Deletion

7.4.5 Applet Management

7.4.6 External Memory

7.4.7 Card Management

7.4.8 Smart Card Platform

7.4.9 Random Numbers

7.4.10 Configuration Module

7.4.11 Secure Box

7.4.12 Restricted Mode

7.5 SFR Dependencies


7.5.1 Rationale for Exclusion of Dependencies


7.6 Security Assurance Requirements Rationale

8 TOE summary specification (ASE_TSS)


8.1 Introduction

8.2 Security Functionality

8.3 Protection against Interference and Logical Tampering

8.4 Protection against Bypass of Security Related Actions

9 Contents

10 Glossary

11 Acronyms

12 Bibliography

13 Legal information


13.1 Definitions

13.2 Disclaimers

13.3 Licenses

13.4 Patents

13.5 Trademarks

Java Card is an open standard from Sun Microsystems for a smart card developmentplatform. Smart cards created using the Java Card platform have Java applets stored on them. The applets can be added to or changed after the card is issued.

There are two basic types of smart cards. The memory smart card is the familiar removable memory device; it usually features read and write capabilities and perhaps security features. The more complex version, the processor smart card, is a very small and extremely portable computing device that could be carried in your wallet. Java-based smart cards belong to the latter category. They store data on an integrated microprocessor chip. Applets are loaded into the memory of the microprocessor and run by the Java Virtual Machine. Similarly to MULTOS, another smart card development technology, Java Card enables multiple application programs to be installed and coexist independently. Individual applets are protected by a firewall to preserve their integrity and prevent tampering. Applications can be updated dynamically.

In the United States, the Department of Defense, Visa, and American Express are among the organizations creating Java Card-based applications.


Home
Product
News
Contact us