Java Cards

NXP JCOP 4 Security Target Lite v3.4 11

2020-07-14 16:10:53 M&W SmartCard 2

7.5   SFR Dependencies

| Requirements | CC Dependencies | Satisfied Dependencies |
|---|---|---|
| FAU_ARP.1 | FAU_SAA.1 Potential violation analysis | see §7.3.3.1 of [13] |
| FAU_SAS.1[SCP] | No other components. | |
| FCO_NRO.2[SC] | FIA_UID.1 Timing of identification | FIA_UID.1[SC] |
| FCS_CKM.1 | [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation], FCS_CKM.4 Cryptographic key destruction | see §7.3.3.1 of [13] |
| FCS_CKM.2 | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction | see §7.3.3.1 of [13] |
| FCS_CKM.3 | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction | see §7.3.3.1 of [13] |
| FCS_CKM.4 | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] | see §7.3.3.1 of [13] |
| FCS_COP.1 | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction | see §7.3.3.1 of [13] |
| FCS_RNG.1 | No dependencies. | |
| FCS_RNG.1[HDT] | No dependencies. | |
| FDP_ACC.1[EXT-MEM] | FDP_ACF.1 Security attribute based access control | FDP_ACF.1[EXT-MEM] |
| FDP_ACC.1[SD] | FDP_ACF.1 Security attribute based access control | FDP_ACF.1[SD] |
| FDP_ACC.2[FIREWALL] | FDP_ACF.1 Security attribute based access control | see §7.3.3.1 of [13] |
| FDP_ACC.2[ADEL] | FDP_ACF.1 Security attribute based access control | see §7.3.3.1 of [13] |
| FDP_ACC.2[SecureBox] | FDP_ACF.1 Security attribute based access control | FDP_ACF.1[SecureBox] |
| FDP_ACC.2[RM] | FDP_ACF.1 Security attribute based access control | FDP_ACF.1[RM] |
| FDP_ACF.1[FIREWALL] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | see §7.3.3.1 of [13] |
| FDP_ACF.1[ADEL] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | see §7.3.3.1 of [13] |
| FDP_ACF.1[EXT-MEM] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | FDP_ACC.1[EXT-MEM], FMT_MSA.3[EXT-MEM] |
| FDP_ACF.1[SecureBox] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | FDP_ACC.2[SecureBox], FMT_MSA.3[SecureBox] |
| FDP_ACF.1[SD] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | FDP_ACC.1[SD], FMT_MSA.3[SD] |
| FDP_ACF.1[RM] | FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation | FDP_ACC.2[RM], FMT_MSA.3[RM] |
| FDP_IFC.1[JCVM] | FDP_IFF.1 Simple security attributes | see §7.3.3.1 of [13] |
| FDP_IFC.2[SC] | FDP_IFF.1 Simple security attributes | FDP_IFF.1[SC] |
| FDP_IFC.2[CFG] | FDP_IFF.1 Simple security attributes | FDP_IFF.1[CFG] |
| FDP_IFC.1[MODULAR-DESIGN] | FDP_IFF.1 Simple security attributes | see §7.3.3.1 of [13] |
| FDP_IFF.1[JCVM] | FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation | see §7.3.3.1 of [13] |
| FDP_IFF.1[SC] | FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation | FDP_IFC.2[SC], FMT_MSA.3[SC] |
| FDP_IFF.1[CFG] | FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation | FDP_IFC.2[CFG], FMT_MSA.3[CFG] |
| FDP_IFF.1[MODULAR-DESIGN] | FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation | FDP_IFC.1[MODULAR-DESIGN], FMT_MSA.3[MODULAR-DESIGN] |
| FDP_ITC.2[CCM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path], FPT_TDC.1 Inter-TSF basic TSF data consistency | FDP_ACC.1[SD], FTP_ITC.1[SC] |
| FDP_RIP.1[OBJECTS] | No dependencies. | |
| FDP_RIP.1[ABORT] | No dependencies. | |
| FDP_RIP.1[APDU] | No dependencies. | |
| FDP_RIP.1[bArray] | No dependencies. | |
| FDP_RIP.1[GlobalArray_Refined] | No dependencies. | |
| FDP_RIP.1[KEYS] | No dependencies. | |
| FDP_RIP.1[TRANSIENT] | No dependencies. | |
| FDP_RIP.1[ADEL] | No dependencies. | |
| FDP_RIP.1[ODEL] | No dependencies. | |
| FDP_ROL.1[FIREWALL] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] | see §7.3.3.1 of [13] |
| FDP_ROL.1[CCM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] | FDP_ACC.1[SD] |
| FDP_SDI.2[DATA] | No dependencies. | |
| FDP_SDI.2[SENSITIVE_RESULT] | No dependencies. | |
| FDP_UIT.1[CCM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path] | FDP_ACC.1[SD], FTP_ITC.1[SC] |
| FIA_AFL.1[PIN] | FIA_UAU.1 Timing of authentication | see AppNote in FIA_AFL.1[PIN] |
| FIA_ATD.1[AID] | No dependencies. | |
| FIA_ATD.1[MODULAR-DESIGN] | No dependencies. | |
| FIA_UID.1[SC] | No dependencies. | |
| FIA_UID.1[CFG] | No dependencies. | |
| FIA_UID.1[RM] | No dependencies. | |
| FIA_UID.2[AID] | No dependencies. | |
| FIA_UID.1[MODULAR-DESIGN] | No dependencies. | |
| FIA_USB.1[AID] | FIA_ATD.1 User attribute definition | see §7.3.3.1 of [13] |
| FIA_USB.1[MODULAR-DESIGN] | FIA_ATD.1 User attribute definition | FIA_ATD.1[MODULAR-DESIGN] |
| FIA_UAU.1[SC] | FIA_UID.1 Timing of identification | FIA_UID.1[SC] |
| FIA_UAU.1[RM] | FIA_UID.1 Timing of identification | FIA_UID.1[RM] |
| FIA_UAU.4[SC] | No dependencies. | |
| FMT_MSA.1[JCRE] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | see §7.3.3.1 of [13] |
| FMT_MSA.1[JCVM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | see §7.3.3.1 of [13] |
| FMT_MSA.1[ADEL] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | see §7.3.3.1 of [13] |
| FMT_MSA.1[SC] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_ACC.1[SD], FMT_SMR.1[SD], FMT_SMF.1[SC] |
| FMT_MSA.1[EXT-MEM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_ACC.1[EXT-MEM], FMT_SMF.1[EXT-MEM] |
| FMT_MSA.1[SecureBox] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_ACC.2[SecureBox], FMT_SMR.1, FMT_SMF.1[SecureBox] |
| FMT_MSA.1[CFG] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_IFC.2[CFG], FMT_SMR.1[CFG], FMT_SMF.1[CFG] |
| FMT_MSA.1[SD] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_ACC.1[SD], FMT_SMR.1[SD], FMT_SMF.1[SD] |
| FMT_MSA.1[RM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_ACC.2[RM], FMT_SMF.1[RM] |
| FMT_MSA.1[MODULAR-DESIGN] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | FDP_IFC.1[MODULAR-DESIGN], FMT_SMR.1[MODULAR-DESIGN], FMT_SMF.1[MODULAR-DESIGN] |
| FMT_MSA.2[FIREWALL-JCVM] | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | see §7.3.3.1 of [13] |
| FMT_MSA.3[FIREWALL] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | see §7.3.3.1 of [13] |
| FMT_MSA.3[JCVM] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | see §7.3.3.1 of [13] |
| FMT_MSA.3[ADEL] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | see §7.3.3.1 of [13] |
| FMT_MSA.3[EXT-MEM] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[EXT-MEM] |
| FMT_MSA.3[SecureBox] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[SecureBox], FMT_SMR.1 |
| FMT_MSA.3[CFG] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[CFG], FMT_SMR.1[CFG] |
| FMT_MSA.3[SD] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[SD], FMT_SMR.1[SD] |
| FMT_MSA.3[SC] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[SC], FMT_SMR.1[SD] |
| FMT_MSA.3[RM] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[RM] |
| FMT_MSA.3[MODULAR-DESIGN] | FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles | FMT_MSA.1[MODULAR-DESIGN], FMT_SMR.1[MODULAR-DESIGN] |
| FMT_MTD.1[JCRE] | FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions | see §7.3.3.1 of [13] |
| FMT_MTD.3[JCRE] | FMT_MTD.1 Management of TSF data | see §7.3.3.1 of [13] |
| FMT_SMF.1 | No dependencies. | |
| FMT_SMF.1[ADEL] | No dependencies. | |
| FMT_SMF.1[EXT-MEM] | No dependencies. | |
| FMT_SMF.1[SecureBox] | No dependencies. | |
| FMT_SMF.1[CFG] | No dependencies. | |
| FMT_SMF.1[SD] | No dependencies. | |
| FMT_SMF.1[SC] | No dependencies. | |
| FMT_SMF.1[RM] | No dependencies. | |
| FMT_SMF.1[MODULAR-DESIGN] | No dependencies. | |
| FMT_SMR.1 | FIA_UID.1 Timing of identification | see §7.3.3.1 of [13] |
| FMT_SMR.1[INSTALLER] | FIA_UID.1 Timing of identification | see §7.3.3.1 of [13] |
| FMT_SMR.1[ADEL] | FIA_UID.1 Timing of identification | see §7.3.3.1 of [13] |
| FMT_SMR.1[CFG] | FIA_UID.1 Timing of identification | FIA_UID.1[CFG] |
| FMT_SMR.1[SD] | FIA_UID.1 Timing of identification | FIA_UID.1[SC] |
| FMT_SMR.1[MODULAR-DESIGN] | FIA_UID.1 Timing of identification | FIA_UID.1[MODULAR-DESIGN] |
| FPR_UNO.1 | No dependencies. | |
| FPT_EMSEC.1 | No dependencies. | |
| FPT_FLS.1 | No dependencies. | |
| FPT_FLS.1[INSTALLER] | No dependencies. | |
| FPT_FLS.1[ADEL] | No dependencies. | |
| FPT_FLS.1[ODEL] | No dependencies. | |
| FPT_FLS.1[CCM] | No dependencies. | |
| FPT_FLS.1[MODULAR-DESIGN] | No dependencies. | |
| FPT_TDC.1 | No dependencies. | |
| FPT_RCV.3[INSTALLER] | AGD_OPE.1 Operational user guidance | see §7.3.3.1 of [13] |
| FPT_PHP.3 | No dependencies. | |
| FTP_ITC.1[SC] | No dependencies. | |
| ADV_SPM.1 | ADV_FSP.4 Complete functional specification | see §7.3.3.1 of [13] |

Tab. 7.40: SFRs Dependencies


7.5.1 Rationale for Exclusion of Dependencies

The dependency FIA_UID.1 of FMT_SMR.1[INSTALLER] is unsupported. This ST does not require the identification of the "Installer" since it can be considered as part of the TSF.

The dependency FIA_UID.1 of FMT_SMR.1[ADEL] is unsupported. This ST does not require the identification of the "applet deletion manager" since it can be considered as part of the TSF.

The dependency FIA_UID.1 of FMT_SMR.1[MODULAR-DESIGN] is unsupported. This ST does not require the identification of the "Module Invoker" since it can be considered as part of the TSF.

The dependency FMT_SMF.1 of FMT_MSA.1[JCRE] is unsupported. The dependency between FMT_MSA.1[JCRE] and FMT_SMF.1 is not satisfied because no management functions are required for the Java Card RE.

The dependency FAU_SAA.1 of FAU_ARP.1 is unsupported. The dependency of FAU_ARP.1 on FAU_SAA.1 assumes that a "potential security violation" generates an audit event. On the contrary, the events listed in FAU_ARP.1 are self-contained (arithmetic exception, ill-formed bytecodes, access failure) and ask for a straightforward reaction of the TSFs on their occurrence at runtime. The JCVM or other components of the TOE detect these events during their usual working order. Thus, there is no mandatory audit recording in this ST.

The dependency FIA_UAU.1 of FIA_AFL.1[PIN] is unsupported. The TOE implements the firewall access control SFP, based on which access to the object implementing FIA_AFL.1[PIN] is organized.

The dependencies FMT_SMR.1 of FMT_MSA.1[SecureBox] and FMT_MSA.3[SecureBox] are unsupported. Only S.JCRE is allowed to modify security attributes for the Secure Box before S.SBNativeCode is executed. Furthermore, the TOE does not allow alternative initial values to be specified for the security attributes of the Secure Box.
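The check an evaluator performs on a table like Tab. 7.40 together with the rationale above can be mechanised: every dependency group of every SFR must either be met by a listed iteration of the ST (a hierarchical component such as FDP_ACC.2 also meets FDP_ACC.1), be delegated to the claimed PP, or have an exclusion rationale. The following is an added example, not NXP's or any evaluator's tool; ROWS is a constructed excerpt in the table's format, and the [EXAMPLE] iteration is hypothetical.

```python
"""Consistency check of an SFR dependency table in the shape of Tab. 7.40.
Added example, not NXP's or an evaluator's tool. ROWS is a constructed excerpt in
the table's format (the [EXAMPLE] iteration is hypothetical), not a copy of it."""
import re

COMP = re.compile(r"[A-Z]{3}_[A-Z]{3}\.\d+")
# A hierarchical component also satisfies the lower one it refines (CC Part 2).
HIERARCHY = {"FDP_ACC.2": "FDP_ACC.1", "FDP_IFC.2": "FDP_IFC.1",
             "FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}
PP_REF = "see §7.3.3.1 of [13]"  # row delegated to the claimed PP's own analysis

def base(sfr):
    """'FDP_ACC.1[SD]' -> 'FDP_ACC.1' (drop the iteration label)."""
    return sfr.split("[")[0]

def parse_deps(text):
    """CC dependency text -> alternative groups: '[A, or B] C' -> [{A, B}, {C}]."""
    groups = [set(COMP.findall(g)) for g in re.findall(r"\[([^\]]*)\]", text)]
    return groups + [{c} for c in COMP.findall(re.sub(r"\[[^\]]*\]", " ", text))]

def covers(satisfier, needed):
    """Does the listed iteration (or its hierarchical parent) meet the dependency?"""
    return base(satisfier) == needed or HIERARCHY.get(base(satisfier)) == needed

def check_row(sfr, deps, satisfied_by, st_sfrs, excluded):
    """Findings for one row; [] means every dependency is met or justified."""
    if PP_REF in satisfied_by:
        return []
    findings = []
    for group in parse_deps(deps):
        if any(s in st_sfrs and covers(s, n) for s in satisfied_by for n in group):
            continue
        if any((sfr, n) in excluded for n in group):
            continue  # unsupported, but argued in a 7.5.1-style rationale
        findings.append(f"{sfr}: {sorted(group)} neither satisfied nor justified")
    findings += [f"{sfr}: claimed satisfier {s} is not an SFR of this ST"
                 for s in satisfied_by if s not in st_sfrs]
    return findings

def check_table(rows, st_sfrs, excluded):
    return [f for sfr, deps, sat in rows for f in check_row(sfr, deps, sat, st_sfrs, excluded)]

ROWS = [  # (SFR, CC dependencies as written in the table, satisfied by)
    ("FCO_NRO.2[SC]", "FIA_UID.1 Timing of identification", ["FIA_UID.1[SC]"]),
    ("FDP_ACF.1[SecureBox]", "FDP_ACC.1 Subset access control FMT_MSA.3 Static "
     "attribute initialisation", ["FDP_ACC.2[SecureBox]", "FMT_MSA.3[SecureBox]"]),
    ("FMT_SMR.1[INSTALLER]", "FIA_UID.1 Timing of identification", []),
    ("FMT_MSA.1[EXAMPLE]", "[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset "
     "information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification "
     "of Management Functions", ["FDP_ACC.1[SD]", "FMT_SMF.1[SD]"]),
]
ST_SFRS = {"FCO_NRO.2[SC]", "FIA_UID.1[SC]", "FDP_ACF.1[SecureBox]", "FDP_ACC.2[SecureBox]",
           "FMT_MSA.3[SecureBox]", "FMT_SMR.1[INSTALLER]", "FDP_ACC.1[SD]", "FMT_SMF.1[SD]"}
EXCLUDED = {("FMT_SMR.1[INSTALLER]", "FIA_UID.1")}  # pairs justified as in 7.5.1
```

Running `check_table(ROWS, ST_SFRS, EXCLUDED)` reports only the hypothetical [EXAMPLE] row, whose FMT_SMR.1 dependency is neither listed as satisfied nor covered by a rationale.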

7.6   Security Assurance Requirements Rationale

The selection of assurance components is based on the underlying PP [13]. The Security Target uses the augmentations from the PP, chooses EAL6 and adds the components ASE_TSS.2 and ALC_FLR.1.

The rationale for the augmentations is the same as in the PP.

The assurance level EAL6 is an elaborated pre-defined level of the CC, part 3 [4]. The assurance components in an EAL level are chosen in a way that they build a mutually supportive and complete set of components.

The additional requirements chosen for augmentation do not add any dependencies that are not already fulfilled by the corresponding requirements contained in EAL6. Therefore, the components ASE_TSS.2 and ALC_FLR.1 add assurance to EAL6 while the mutual support of the requirements is still guaranteed.

9    Contents

1 ST Introduction (ASE_INT)

1.1 ST Reference and TOE Reference

1.2 TOE Overview


1.2.1 Usage and Major Security Features of the TOE

1.2.2 TOE Type

1.2.3 Required non-TOE Hardware/Software/Firmware

1.3 TOE Description


1.3.1 TOE Components and Composite Certification

1.3.2 Optional TOE Functionality

1.3.3 TOE Life Cycle

1.3.4 TOE Identification

1.3.5 Evaluated Package Types


2 Conformance Claims (ASE_CCL)


2.1 CC Conformance Claim

2.2 Package Claim

2.3 PP Claim

2.4 Conformance Claim Rationale


2.4.1 TOE Type

2.4.2 SPD Statement

2.4.3 Security Objectives Statement

2.4.4 Security Functional Requirements Statement

3 Security Aspects


3.1 Confidentiality

3.2 Integrity

3.3 Unauthorized Executions

3.4 Bytecode Verification

3.5 Card Management

3.6 Services

3.7 External Memory

3.8 Configuration Module

3.9 Modular Design

3.10 Restricted Mode

4 Security Problem Definition (ASE_SPD)


4.1 Assets


4.1.1 User Data

4.1.2 TSF Data

4.2 Threats


4.2.1 Confidentiality

4.2.2 Integrity

4.2.3 Identity Usurpation

4.2.4 Unauthorized Execution

4.2.5 Denial of Service

4.2.6 Card Management

4.2.7 Services

4.2.8 Miscellaneous

4.2.9 Operating System

4.2.10 Random Numbers

4.2.11 Configuration Module

4.2.12 Secure Box

4.2.13 Module replacement

4.2.14 Restricted Mode

4.3 Organisational Security Policies

4.4 Assumptions

5 Security Objectives


5.1 Security Objectives for the TOE


5.1.1 Identification

5.1.2 Execution

5.1.3 Services

5.1.4 Object Deletion

5.1.5 Applet Management

5.1.6 External Memory

5.1.7 Card Management

5.1.8 Smart Card Platform

5.1.9 Secure Box

5.1.10 Random Numbers

5.1.11 Configuration Module

5.1.12 Restricted Mode

5.2 Security Objectives for the Operational Environment

5.3 Security Objectives Rationale


5.3.1 Threats

5.3.2 Organisational Security Policies

5.3.3 Assumptions


6 Extended Components Definition (ASE_ECD)


6.1 Definition of Family "Audit Data Storage (FAU_SAS)"

6.2 Definition of Family "TOE emanation (FPT_EMSEC)"

7 Security Requirements (ASE_REQ)


7.1 Definitions


7.1.1 Groups

7.1.2 Subjects

7.1.3 Objects

7.1.4 Informations

7.1.5 Security Attributes

7.1.6 Operations

7.2 Security Functional Requirements


7.2.1 COREG_LC Security Functional Requirements

7.2.2 INSTG Security Functional Requirements

7.2.3 ADELG Security Functional Requirements

7.2.4 RMIG Security Functional Requirements

7.2.5 ODELG Security Functional Requirements

7.2.6 CarG Security Functional Requirements

7.2.7 EMG Security Functional Requirements

7.2.8 ConfG Security Functional Requirements

7.2.9 SecBoxG Security Functional Requirements

7.2.10 ModDesG Security Functional Requirements

7.2.11 RMG Security Functional Requirements

7.2.12 Further Security Functional Requirements

7.3 Security Assurance Requirements

7.4 Security Requirements Rationale for the TOE


7.4.1 Identification

7.4.2 Execution

7.4.3 Services

7.4.4 Object Deletion

7.4.5 Applet Management

7.4.6 External Memory

7.4.7 Card Management

7.4.8 Smart Card Platform

7.4.9 Random Numbers

7.4.10 Configuration Module

7.4.11 Secure Box

7.4.12 Restricted Mode

7.5 SFR Dependencies


7.5.1 Rationale for Exclusion of Dependencies


7.6 Security Assurance Requirements Rationale

8 TOE summary specification (ASE_TSS)


8.1 Introduction

8.2 Security Functionality

8.3 Protection against Interference and Logical Tampering

8.4 Protection against Bypass of Security Related Actions

9 Contents

10 Glossary

11 Acronyms

12 Bibliography

13 Legal information


13.1 Definitions

13.2 Disclaimers

13.3 Licenses

13.4 Patents

13.5 Trademarks

Java Card is an open standard from Sun Microsystems for a smart card development platform. Smart cards created using the Java Card platform have Java applets stored on them. The applets can be added to or changed after the card is issued.

There are two basic types of smart cards. The memory smart card is the familiar removable memory device; it usually features read and write capabilities and perhaps security features. The more complex version, the processor smart card, is a very small and extremely portable computing device that could be carried in your wallet. Java-based smart cards belong to the latter category. They store data on an integrated microprocessor chip. Applets are loaded into the memory of the microprocessor and run by the Java Virtual Machine. Similarly to MULTOS, another smart card development technology, Java Card enables multiple application programs to be installed and coexist independently. Individual applets are protected by a firewall to preserve their integrity and prevent tampering. Applications can be updated dynamically.

In the United States, the Department of Defense, Visa, and American Express are among the organizations creating Java Card-based applications.

