NXP JCOP 4 Security Target Lite v3.4 11

2020-07-14 16:10:53 M&W SmartCard 63

7.5 SFR Dependencies

Requirements	CC Dependencies	Satisfied Dependencies
FAU_ARP.1	FAU_SAA.1 Potential violation analys is	see §7.3.3.1 of [13]
FAU_SAS.1[SCP]	No other components.
FCO_NRO.2[SC]	FIA_UID.1 Timing of identification.	FIA_UID.1[SC]

FCS_CKM.1	[FCS_CKM.2 Cryptographic key distri bution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction	see §7.3.3.1 of [13]

FCS_CKM.2	[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction	see §7.3.3.1 of [13]

FCS_CKM.3	[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction	see §7.3.3.1 of [13]

FCS_CKM.4	[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]	see §7.3.3.1 of [13]

FCS_COP.1	[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction.	see §7.3.3.1 of [13]

FCS_RNG.1	No dependencies
FCS_RNG.1[HDT]	No dependencies
FDP_ACC.1[EXT-MEM]	FDP_ACF.1 Security attribute based access control	FDP_ACF.1[EXTMEM]

FDP_ACC.1[SD]	FDP_ACF.1 Security attribute based access control	FDP_ACF.1[SD]
FDP_ACC.2[FIREWALL]	FDP_ACF.1 Security attribute based access control	see §7.3.3.1 of [13]
FDP_ACC.2[ADEL]	FDP_ACF.1 Security attribute based access control	see §7.3.3.1 of [13]
FDP_ACC.2[SecureBox]	FDP_ACF.1 Security attribute based access control	FDP_ACF.1[SecureBox]

FDP_ACC.2[RM]	FDP_ACF.1 Security attribute based access control	FDP_ACF.1[RM]
FDP_ACF.1[FIREWALL]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	see §7.3.3.1 of [13]

FDP_ACF.1[ADEL]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	see §7.3.3.1 of [13]

FDP_ACF.1[EXT-MEM]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	FDP_ACC.1[EXTMEM]
		FDP_ACC.1[EXTMEM]
		FMT_MSA.3[EXTMEM]

FDP_ACF.1[SecureBox]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	FDP_ACC.2[SecureBox]
		FDP_ACC.2[SecureBox]
		FMT_MSA.3[SecureBox]

FDP_ACF.1[SD]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	FDP_ACC.1[SD]
		FMT_MSA.3[SD]
FDP_ACF.1[RM]	FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation	FDP_ACC.2[RM]
		FMT_MSA.3[RM]
FDP_IFC.1[JCVM]	FDP_IFF.1 Simple security attributes	see §7.3.3.1 of [13]
FDP_IFC.2[SC]	FDP_IFF.1 Simple security attributes	FDP_IFF.1[SC]

FDP_IFC.2[CFG]	FDP_IFF.1 Simple security attributes	FDP_IFF.1[CFG]

FDP_IFC.1[MODULAR-	FDP_IFF.1 Simple security attributes	see §7.3.3.1 of [13]
DESIGN]	FDP_IFF.1 Simple security attributes	see §7.3.3.1 of [13]
FDP_IFF.1[JCVM]	FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialisation	see §7.3.3.1 of [13]
		see §7.3.3.1 of [13]
FDP_IFF.1[SC]	FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialisation	FDP_IFC.2[SC]
		FMT_MSA.3[SC]
FDP_IFF.1[CFG]	FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialisation	FDP_IFC.2[CFG]
		FMT_MSA.3[CFG]
FDP_IFF.1[MODULAR-	FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation	FDP_ IFC.1[MODULARDESIGN]
DESIGN]

		FMT_ MSA.3[MODULARDESIGN]

FDP_ITC.2[CCM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path] FPT_TDC.1 Inter-TSF basic TSF data consistency	FDP_ACC.1[SD]
		FTP_ITC.1[SC]
FDP_RIP.1[OBJECTS]	No dependencies.
FDP_RIP.1[ABORT]	No dependencies.
FDP_RIP.1[APDU]	No dependencies.
FDP_RIP.1[bArray]	No dependencies.
FDP_RIP.1[GlobalArray_ Refined]	No dependencies.
FDP_RIP.1[KEYS]	No dependencies.
FDP_RIP.1[TRANSIENT]	No dependencies.
FDP_RIP.1[ADEL]	No dependencies.
FDP_RIP.1[ODEL]	No dependencies.
FDP_ROL.1[FIREWALL]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]	see §7.3.3.1 of [13]

FDP_ROL.1[CCM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]	FDP_ACC.1[SD]

FDP_SDI.2[DATA]	No dependencies.
FDP_SDI.2[SENSITIVE_ RESULT]	No dependencies.
FDP_UIT.1[CCM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]	FDP_ACC.1[SD]
		FTP_ITC.1[SC]

FIA_AFL.1[PIN]	FIA_UAU.1 Timing of authentication.	see AppNote in FIA_ AFL.1[PIN]
FIA_ATD.1[AID]	No dependencies.
FIA_ATD.1[MODULAR- DESIGN]	No dependencies.
FIA_UID.1[SC]	No dependencies.
FIA_UID.1[CFG]	No dependencies.
FIA_UID.1[RM]	No dependencies.
FIA_UID.2[AID]	No dependencies.
FIA_UID.1[MODULAR- DESIGN]	No dependencies.
FIA_USB.1[AID]	FIA_ATD.1 User attribute definition	see §7.3.3.1 of [13]
FIA_USB.1[MODULAR-	FIA_ATD.1 User attribute definition	FIA_ ATD.1[MODULARDESIGN]
DESIGN]	FIA_ATD.1 User attribute definition	FIA_ ATD.1[MODULARDESIGN]

FIA_UAU.1[SC]	FIA_UID.1 Timing of identification	FIA_UID.1[SC]

FIA_UAU.1[RM]	FIA_UID.1 Timing of identification	FIA_UID.1[RM]

FIA_UAU.4[SC]	No dependencies.
FMT_MSA.1[JCRE]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	see §7.3.3.1 of [13]

FMT_MSA.1[JCVM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	see §7.3.3.1 of [13]

FMT_MSA.1[ADEL]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	see §7.3.3.1 of [13]

FMT_MSA.1[SC]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_ACC.1[SD]
		FMT_SMR.1[SD]
		FMT_SMF.1[SC]
FMT_MSA.1[EXT-MEM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_ACC.1[EXTMEM]
		FDP_ACC.1[EXTMEM]
		FMT_SMF.1[EXTMEM]
FMT_MSA.1[SecureBox]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_ACC.2[SecureBox] FMT_SMR.1
		FDP_ACC.2[SecureBox] FMT_SMR.1
		FMT_SMF.1[SecureBox]
FMT_MSA.1[CFG]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_IFC.2[CFG]
		FMT_SMR.1[CFG]
		FMT_SMF.1[CFG]
FMT_MSA.1[SD]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_ACC.1[SD]
		FMT_SMR.1[SD]
		FMT_SMF.1[SD]
FMT_MSA.1[RM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	FDP_ACC.2[RM]
		FMT_SMF.1[RM]

FMT_MSA.1[MODULAR- DESIGN]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions	FDP_ IFC.1[MODULARDESIGN]
		FDP_ IFC.1[MODULARDESIGN]
		FMT_ SMR.1[MODULARDESIGN]
		FMT_ SMF.1[MODULARDESIGN]

FMT_MSA.2[FIREWALL- JCVM]	[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions	see §7.3.3.1 of [13]
FMT_MSA.2[FIREWALL- JCVM]

FMT_MSA.3[FIREWALL]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	see §7.3.3.1 of [13]
FMT_MSA.3[JCVM]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	see §7.3.3.1 of [13]
FMT_MSA.3[ADEL]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	see §7.3.3.1 of [13]
FMT_MSA.3[EXT-MEM]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[EXTMEM]

FMT_MSA.3[SecureBox]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[SecureBox]
		FMT_MSA.1[SecureBox]
		FMT_SMR.1

FMT_MSA.3[CFG]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[CFG]
FMT_MSA.3[CFG]		FMT_SMR.1[CFG]

FMT_MSA.3[SD]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[SD]
FMT_MSA.3[SD]		FMT_SMR.1[SD]

FMT_MSA.3[SC]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[SC]
FMT_MSA.3[SC]		FMT_SMR.1[SD]

FMT_MSA.3[RM]	FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles	FMT_MSA.1[RM]
FMT_MSA.3[MODULAR- DESIGN]	FMT_MSA.1 Management of security attributes, FMT_SMR.1 Security roles	FMT_ MSA.1[MODULARDESIGN]
		FMT_ MSA.1[MODULARDESIGN]
		FMT_ SMR.1[MODULARDESIGN]

FMT_MTD.1[JCRE]	FMT_SMR.1 Security roles FMT_ SMF.1 Specification of Management Functions	see §7.3.3.1 of [13]

FMT_MTD.3[JCRE]	FMT_MTD.1 Management of TSF data	see §7.3.3.1 of [13]
FMT_SMF.1	No dependencies.
FMT_SMF.1[ADEL]	No dependencies.
FMT_SMF.1[EXT-MEM]	No dependencies.
FMT_SMF.1[SecureBox]	No dependencies.
FMT_SMF.1[CFG]	No dependencies.
FMT_SMF.1[SD]	No dependencies.
FMT_SMF.1[SC]	No dependencies.
FMT_SMF.1[RM]	No dependencies.
FMT_SMF.1[MODULAR- DESIGN]	No dependencies.
FMT_SMR.1	FIA_UID.1 Timing of identification	see §7.3.3.1 of [13]
FMT_SMR.1[INSTALLER]	FIA_UID.1 Timing of identification	see §7.3.3.1 of [13]
FMT_SMR.1[ADEL]	FIA_UID.1 Timing of identification	see §7.3.3.1 of [13]
FMT_SMR.1[CFG]	FIA_UID.1 Timing of identification	FIA_UID.1[CFG]

FMT_SMR.1[SD]	FIA_UID.1 Timing of identification	FIA_UID.1[SC]

FMT_SMR.1[MODULAR- DESIGN]	FIA_UID.1 Timing of identification	FIA_ UID.1[MODULARDESIGN]

FPR_UNO.1	No dependencies.
FPT_EMSEC.1	No dependencies.
FPT_FLS.1	No dependencies.
FPT_FLS.1[INSTALLER]	No dependencies.
FPT_FLS.1[ADEL]	No dependencies.
FPT_FLS.1[ODEL]	No dependencies.
FPT_FLS.1[CCM]	No dependencies.
FPT_FLS.1[MODULAR- DESIGN]	No dependencies.
FPT_TDC.1	No dependencies.
FPT_RCV.3[INSTALLER]	AGD_OPE.1 Operational user guidance	see §7.3.3.1 of [13]
FPT_PHP.3	No dependencies.
FTP_ITC.1[SC]	No dependencies.
ADV_SPM.1	ADV_FSP.4 Complete functional specification	see §7.3.3.1 of [13]
	Tab. 7.40: SFRs Dependencies

7.5.1 Rationale for Exclusion of Dependencies

The dependency FIA_UID.1 of FMT_SMR.1[INSTALLER] is unsupported. This ST does not require the iden-

tification of the "Installer" since it can be considered as part of the TSF.

The dependency FIA_UID.1 of FMT_SMR.1[ADEL] is unsupported. This ST does not require the identificationof the "applet deletion manager"since it can be considered as part of the TSF.

The dependency FIA_UID.1 of FMT_SMR.1[MODULAR-DESIGN] is unsupported. This ST does not requirethe identification of the "Module Invoker" since it can be considered as part of the TSF.

The dependency FMT_SMF.1 of FMT_MSA.1[JCRE]is unsupported. The dependency between FMT_MSA.1[JCRE]and FMT_SMF.1 is not satisfied because no management functions are required for the Java Card RE.

The dependency FAU_SAA.1 of FAU_ARP.1 is unsupported. The dependency of FAU_ARP.1onFAU_SAA.1assumes that a "potential security violation" generates an audit event. On the contrary, the events listed in FAU_ ARP.1 are self-contained (arithmetic exception, ill-formed bytecodes, access failure) and ask for a straightforward reaction of the TSFs on their occurrence at runtime. The JCVM or other components of the TOE detect these events during their usual working order. Thus, there is no mandatory audit recording in this ST.

The dependency FIA_UAU.1 of FIA_AFL.1[PIN] is unsupported. The TOE implements the firewall accesscontrol SFP, based on which access to the object Implementing FIA_AFL.1[PIN]is organized.

The dependencies FMT_SMR.1 of FMT_MSA.1[SecureBox] and FMT_MSA.3[SecureBox]are unsupported.

Only S.JCRE is allowed to modify security attributes for the Secure Box before S.SBNativeCode is executed. Furthermore does the TOE not allow to specify alternative initial values for the security attributes of the Secure Box.

7.6 Security Assurance Requirements Rationale

The selection of assurance components is based on the underlying PP [13]. The Security Target uses the aug-mentations from the PP, chooses EAL6 and adds the components ASE_TSS.2 and ALC_FLR.1.

The rationale for the augmentations is the same as in the PP.

The assurance level EAL6 is an elaborated pre-defined level of the CC, part 3 [4]. The assurance components in an EAL level are chosen in a way that they build a mutually supportive and complete set of components.

The additional requirements chosen for augmentation do not add any dependencies, which are not already fulfilled for the corresponding requirements contained in EAL6. Therefore, the components ASE_TSS.2 and ALC_FLR.1 add additional assurance to EAL6, but the mutual support of the requirements is still guaranteed.

9 Contents

1 ST Introduction (ASE_INT)
	1.1 ST Reference and TOE Reference
	1.2 TOE Overview
		1.2.1 Usage and Major Security Features of the TOE	1.2.2 TOE Type
		1.2.3 Required non-TOE Hardware/Software/Firmware
	1.3 TOE Description
		1.3.1 TOE Components and Composite Certi fication	1.3.2 Optional TOE Functionality
		1.3.3 TOE Life Cycle	1.3.4 TOE Identification
		1.3.5 Evaluated Package Types
2 Conformance Claims (ASE_CCL)
	2.1 CC Conformance Claim
	2.2 Package Claim
	2.3 PP Claim
	2.4 Conformance Claim Rationale
		2.4.1 TOE Type	2.4.2 SPD Statement
		2.4.3 Security Objectives Statement	2.4.4 Security Functional Requirements State ment
3 Security Aspects
	3.1 Confidentiality
	3.2 Integrity
	3.3 Unauthorized Executions
	3.4 Bytecode Verification
	3.5 Card Management
	3.6 Services
	3.7 External Memory
	3.8 Configuration Module
	3.9 Modular Design
	3.10 Restricted Mode
4 Security Problem Definition (ASE_SPD)
	4.1 Assets
		4.1.1 User Data	4.1.2 TSF Data
	4.2 Threats
		4.2.1 Confidentiality	4.2.2 Integrity
		4.2.3 Identity Usurpation	4.2.4 Unauthorized Execution
		4.2.5 Denial of Service	4.2.6 Card Management
		4.2.7 Services	4.2.8 Miscellaneous
		4.2.9 Operating System	4.2.10 Random Numbers
		4.2.11 Configuration Module	4.2.12 Secure Box
		4.2.13 Module replacement	4.2.14 Restricted Mode
	4.3 Organisational Security Policies
	4.4 Assumptions
5 Security Objectives
	5.1 Security Objectives for the TOE
		5.1.1 Identification	5.1.2 Execution
		5.1.3 Services	5.1.4 Object Deletion
		5.1.5 Applet Management	5.1.6 External Memory
		5.1.7 Card Management	5.1.8 Smart Card Platform
		5.1.9 Secure Box	5.1.10 Random Numbers
		5.1.11 Configuration Module	5.1.12 Restricted Mode
	5.2 Security Objectives for the Operational Environment
	5.3 Security Objectives Rationale
		5.3.1 Threats	5.3.2 Organisational Security Policies
		5.3.3 Assumptions
6 Extended Components Definition (ASE_ECD)
	6.1 Definition of Family ”Audit Data Storage (FAU_SAS)”
	6.2 Definition of Family ”TOE emanation (FPT_EMSEC)”
7 Security Requirements (ASE_REQ)
	7.1 Definitions
		7.1.1 Groups	7.1.2 Subjects
		7.1.3 Objects	7.1.4 Informations
		7.1.5 Security Attributes	7.1.6 Operations
	7.2 Security Functional Requirements
		7.2.1 COREG_LC Security Functional Requirements	7.2.2 INSTG Security Functional Requirements
		7.2.3 ADELG Security Functional Requirements	7.2.4 RMIG Security Functional Requirements
		7.2.5 ODELG Security Functional Requirements	7.2.6 CarG Security Functional Requirements .
		7.2.7 EMG Security Functional Requirements .	7.2.8 ConfG Security Functional Requirements
		7.2.9 SecBoxG Security Functional Requirements	7.2.10 ModDesG Security Functional Requirements
		7.2.11 RMG Security Functional Requirements .	7.2.12 Further Security Functional Requirements
	7.3 Security Assurance Requirements
	7.4 Security Requirements Rationale for the TOE
		7.4.1 Identification	7.4.2 Execution
		7.4.3 Services	7.4.4 Object Deletion
		7.4.5 Applet Management	7.4.6 External Memory
		7.4.7 Card Management	7.4.8 Smart Card Platform
		7.4.9 Random Numbers	7.4.10 Configuration Module
		7.4.11 Secure Box	7.4.12 Restricted Mode
	7.5 SFR Dependencies
		7.5.1 Rationale for Exclusion of Dependencies
	7.6 Security Assurance Requirements Rationale
8 TOE summary specification (ASE_TSS)
	8.1 Introduction
	8.2 Security Functionality
	8.3 Protection against Interference and Logical Tampering
	8.4 Protection against Bypass of Security Related Actions
9 Contents
10 Glossary
11 Acronyms
12 Bibliography
13 Legal information
	13.1 Definitions
	13.2 Disclaimers
	13.3 Licenses
	13.4 Patents
	13.5 Trademarks

Java Card is an open standard from Sun Microsystems for a smart card developmentplatform. Smart cards created using the Java Card platform have Java applets stored on them. The applets can be added to or changed after the card is issued.

There are two basic types of smart cards. The memory smart card is the familiar removable memory device; it usually features read and write capabilities and perhaps security features. The more complex version, the processor smart card, is a very small and extremely portable computing device that could be carried in your wallet. Java-based smart cards belong to the latter category. They store data on an integrated microprocessor chip. Applets are loaded into the memory of the microprocessor and run by the Java Virtual Machine. Similarly to MULTOS, another smart card development technology, Java Card enables multiple application programs to be installed and coexist independently. Individual applets are protected by a firewall to preserve their integrity and prevent tampering. Applications can be updated dynamically.

In the United States, the Department of Defense, Visa, and American Express are among the organizations creating Java Card-based applications.

Java Cards

NXP JCOP 4 Security Target Lite v3.4 11

Service & News

Java Cards

NXP JCOP 4 Security Target Lite v3.4 11

Service & News

Recommended content