NXP JCOP 4 Security Target Lite v3.4 6
Threats | ||||||||
5.3.1. | Confidentiality | |||||||
T.CONFID-APPLI-DATA | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing correct identification of applets. | |||||||
OT.FIREWALL | Counters this threat by providing the Java Card Virtual Machine Firewall as specified in [39]. | |||||||
Counters this threat by preventing the disclosure of the informa-tion stored in the APDU buffer. | ||||||||
OT.OPERATE | Counters the threat by ensuring that the firewall, which is dynam-ically enforced, shall never stop operating. | |||||||
OT.REALLOCATION | Counters this threat by preventing any attempt to read a piece of information that was previously used by an application but has been logically deleted. It states that any information that was formerly stored in a memory block shall be cleared before the block is reused. | |||||||
OT.ALARM | Counters this threat by obtaining clear warning and error mes-sages from the firewall, which is a software tool automating crit-ical controls, so that the appropriate countermeasure can be taken. | |||||||
OT.CIPHER | Contributes to counter this threat by protecting the data shared or information communicated between applets and the CAD using cryptographic functions. | |||||||
Counters this threat by providing appropriate management of keys, PIN’s which are particular cases of an application’s sen- sitive data. | ||||||||
Counters this threat by providing appropriate management of keys, PIN’s which are particular cases of an application’s sen- | ||||||||
Counters this threat by providing appropriate management of keys, PIN’s which are particular cases of an application’s sen- sitive data. | ||||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecode. | |||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
OT.RNG | Counters this threat by providing appropriate management of keys, PIN’s which are particular cases of an application’s sen- sitive data. | |||||||
T.CONFID-JCS-CODE | ||||||||
Objective | Rationale | |||||||
OT.NATIVE | Counters this threat by ensuring that no native applications can be run to modify a piece of code. | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecode. | |||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
T.CONFID-JCS-DATA | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing correct identification of applets. | |||||||
OT.FIREWALL | Contributes to counter this threat by providing means of separat- ing data. | |||||||
OT.OPERATE | Counters the threat by ensuring that the firewall, which is dynam- ically enforced, shall never stop operating. | |||||||
Contributes to counter this threat by obtaining clear warning and error messages from the firewall, which is a software tool au- tomating critical controls, so that the appropriate countermeasure can be taken. | ||||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecode. | |||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
Counters this threat by providing correct identification of applets. | ||||||||
5.3.1.2 Integrity | ||||||||
T.INTEG-APPLI-CODE | ||||||||
Objective | Rationale | |||||||
OT.NATIVE | Counters this threat by ensuring that no native code can be run to modify a piece of code. | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecode. Byte- code verification ensures that each of the instructions used on the Java Card platform is used for its intended purpose and in the intended scope of accessibility. As none of these instruc- tions enables modifying a piece of code, no Java Card applet can therefore be executed to modify a piece of code. | |||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
The objective OE.CODE-EVIDENCE contributes to counter this threat by ensuring that integrity and authenticity evidences exist for the application code loaded into the platform. | ||||||||
T.INTEG-APPLI-CODE.LOAD | ||||||||
Contributes to counter this threat by controlling the access to card management functions such as the installation, update or dele- tion of applets. | ||||||||
Contributes to counter this threat by ensuring that the application code loaded into the platform has not been changed after code verification, which ensures code integrity and authenticity. | ||||||||
Counters this threat by ensuring that the loading of packages is done securely and thus preserves the integrity of packages code. | ||||||||
T.INTEG-APPLI-DATA[REFINED] | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing correct identification of applets. | |||||||
OT.FIREWALL | Contributes to counter this threat by providing means of separat-ing data. | |||||||
Counters this threat by ensuring the integrity of the information stored in the APDU buffer. Application data that is sent to the ap- plet as clear text arrives in the APDU buffer, which is a resource shared by all applications. | ||||||||
OT.OPERATE | Counters the threat by ensuring that the firewall, which is dynam- ically enforced, shall never stop operating. | |||||||
OT.REALLOCATION | Counters the threat by preventing any attempt to read a piece of information that was previously used by an application but has been logically deleted. It states that any information that was formerly stored in a memory block shall be cleared before the block is reused. | |||||||
OT.ALARM | Contributes to counter this threat by obtaining clear warning and error messages from the firewall, which is a software tool au- tomating critical controls, so that the appropriate countermeasure can be taken. | |||||||
OT.CIPHER | Contributes to counter this threat by protecting the data shared or information communicated between applets and the CAD using cryptographic functions. | |||||||
Counters this threat by providing appropriate management of keys, PINs which are particular cases of an application’s sen- sitive data. | ||||||||
Counters this threat by providing appropriate management of keys, PINs which are particular cases of an application’s sen- sitive data. | ||||||||
Counters this threat by providing appropriate management of keys, PINs which are particular cases of an application’s sen- sitive data. | ||||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecode. | |||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
Contributes to counter this threat by ensuring that the application code loaded into the platform has not been changed after code verification, which ensures code integrity and authenticity. | ||||||||
Contributes to counter this threat by ensuring that personaliza- tion of the application by its associated security domain is only performed by the authorized AP. | ||||||||
OT.RNG | Counters this threat by providing appropriate management of keys, PINs which are particular cases of an application’s sen- sitive data. | |||||||
T.INTEG-APPLI-DATA.LOAD | ||||||||
Objective | Rationale | |||||||
Contributes to counter this threat by controlling the access to card management functions such as the installation, update or dele- tion of applets. | ||||||||
Contributes to counter this threat by ensuring that the application code loaded into the platform has not been changed after code verification, which ensures code integrity and authenticity. | ||||||||
Counters this threat by ensuring that the loading of packages is done securely and thus preserves the integrity of packages code. | ||||||||
T.INTEG-JCS-CODE | ||||||||
Objective | Rationale | |||||||
OT.NATIVE | Counters this threat by ensuring that no native code can be run to modify a piece of code. | |||||||
Contributes to counter the threat by checking the bytecode. Byte- code verification ensures that each of the instructions used on the Java Card platform is used for its intended purpose and in the intended scope of accessibility. As none of these instruc- tions enables modifying a piece of code, no Java Card applet can therefore be executed to modify a piece of code. | ||||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
Contributes to counter this threat by ensuring that the application code loaded into the platform has not been changed after code verification, which ensures code integrity and authenticity. | ||||||||
T.INTEG-JCS-DATA | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing correct identification of applets. | |||||||
OT.FIREWALL | Contributes to counter this threat by providing means of separa- tion. | |||||||
OT.OPERATE | Counters the threat by ensuring that the firewall shall never stop operating. | |||||||
OT.ALARM | Contributes to counter this threat by obtaining clear warning and error messages from the firewall so that the appropriate counter- measure can be taken. | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecodes. | |||||||
Contributes to counter this threat by controlling the access to ex- ternal memory areas. | ||||||||
Contributes to counter this threat by controlling the access to card management functions. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.ALARMobjectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
Contributes to counter this threat by ensuring that the application code loaded into the platform has not been changed after code verification, which ensures code integrity and authenticity. Counters this threat by providing correct identification of applets. | ||||||||
T.SID. | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing unique subject identification. | |||||||
OT.FIREWALL | Counters the threat by providing separation of application data (like PINs). | |||||||
Counters this threat by preventing the disclosure of the installa- tion parameters of an applet (like its name). These parameters are loaded into a global array that is also shared by all the ap- plications. The disclosure of those parameters could be used to impersonate the applet. | ||||||||
Counters this threat by preventing the disclosure of the installa- tion parameters of an applet (like its name). These parameters are loaded into a global array that is also shared by all the ap- plications. The disclosure of those parameters could be used to impersonate the applet. | ||||||||
Contributes to counter this threat by preventing usurpation of identity resulting from a malicious installation of an applet on the card. | ||||||||
Counters this threat by providing unique subject identification. | ||||||||
T.SID. | ||||||||
Objective | Rationale | |||||||
OT.SID | Counters this threat by providing unique subject identification. | |||||||
OT.FIREWALL | Contributes to counter this threat by providing means of separa- tion. | |||||||
OT.OPERATE | Counters the threat by ensuring that the firewall shall never stop operating. | |||||||
Contributes to counter this threat by ensuring that installing an applet has no effect on the state of other applets and thus can’t change the TOE’s attribution of privileged roles. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and objectives of the TOE, thus indirectly related to the threats that these objectives con- tribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and objectives of the TOE, thus indirectly related to the threats that these latter objectives contribute to counter. | |||||||
T.EXE-CODE. | ||||||||
Objective | Rationale | |||||||
OT.FIREWALL | Counters the threat by preventing the execution of non-shareable methods of a class instance by any subject apart from the class instance owner. | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecodes. Bytecode verification ensures that each of the instructions used on the Java Card platform is used for its intended purpose and in the intended scope of accessibility. As none of these instruc- tions enables modifying a piece of code, no Java Card applet can therefore be executed to modify a piece of code. | |||||||
T.EXE-CODE. | ||||||||
Objective | Rationale | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecodes. Bytecode verification ensures that each of the instructions used on the Java Card platform is used for its intended purpose and in the intended scope of accessibility. Especially the control flow confinement and the validity of the method references used in the bytecodes are guaranteed. | |||||||
T.NATIVE | ||||||||
Objective | Rationale | |||||||
OT.NATIVE | Counters this threat by ensuring that a Java Card applet can only access native methods indirectly that is, through an API. | |||||||
OE.APPLET | Contributes to counter this threat by ensuring that no native ap- plets shall be loaded in post-issuance. | |||||||
OE.VERIFICATION | Contributes to counter the threat by checking the bytecodes. Bytecode verification also prevents the program counter of an applet to jump into a piece of native code by confining the control flow to the currently executed method. | |||||||
T.MODULE_EXEC | ||||||||
Objective | Rationale | |||||||
OT.OPERATE | Counters the threat by ensuring correct working order. | |||||||
OT.ALARM | Counters this threat by obtaining clear warning and error mes- sages when the TOE internal interface of a ”not present” Module shall be invoked. | |||||||
OE.APPLET | Contributes to counter this threat by ensuring that no native ap- plets shall be loaded in post-issuance. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.ALARM objectives of the TOE, thus indirectly related to the threats that these objec- tives contribute to counter. | |||||||
Counters this threat by providing correct identification of Modules. | ||||||||
5.3.1. | ||||||||
T.RESOURCES | ||||||||
Objective | Rationale | |||||||
OT.OPERATE | Counters the threat by ensuring correct working order. | |||||||
OT.RESOURCES | Counteres ; the threat directly by objectives on resource- management. | |||||||
Counters this threat by controlling the consumption of resources during installation and other card management operations. | ||||||||
OT.SCP.RECOVERY | Intended to support the OT.OPERATE and OT.RESOURCESob- jectives of the TOE, thus indirectly related to the threats that these objectives contribute to counter. | |||||||
OT.SCP.SUPPORT | Intended to support the OT.OPERATE and OT.RESOURCESob- jectives of the TOE, thus indirectly related to the threats that these objectives contribute to counter. | |||||||
5.3.1. | Card Management | |||||||
T.UNAUTHORIZED_CARD_MNGT | ||||||||
Objective | Rationale | |||||||
Contributes to counter this threat by controlling the access to card management functions such as the loading, installation, extradi- tion or deletion of applets. | ||||||||
Contributes to counter this threat by restricting the modification of an AP security domain keyset to the AP who owns it. | ||||||||
Contributes to counter this threat by preventing unauthorized users from initiating a malicious card management operation. | ||||||||
Contributes to counter this threat by protecting the integrity of the card management data while it is in transit to the TOE. | ||||||||
Counters this threat by ensuring that the loading of a package is safe. | ||||||||
Objective | Rationale | |||||||
Contributes to counter this threat by preventing unauthorized users from initiating a malicious card management operation. | ||||||||
Contributes to counter this threat by protecting the integrity of the card management data while it is in transit to the TOE | ||||||||
Contributes to counter this threat by preventing from disclosing encrypted data transiting to the TOE | ||||||||
T.LIFE_CYCLE | ||||||||
Objective | Rationale | |||||||
Contributes to counter this threat by controlling the access to card management functions such as the loading, installation, extradi- tion or deletion of applets | ||||||||
Contributes to counter this threat by restricting the use of an AP security domain keysets, and thus the management of the appli- cations related to this SD, to the AP who owns it | ||||||||
5.3.1. | Services | |||||||
T.OBJ-DELETION | ||||||||
Objective | Rationale | |||||||
Counters this threat by ensuring that object deletion shall not break references to objects. | ||||||||
5.3.1. | Miscellaneous | |||||||
T.PHYSICAL | ||||||||
Objective | Rationale | |||||||
OT.SCP.IC | Counters phyiscal attacks. Physical protections rely on the un- derlying platform and are therefore an environmental issue. | |||||||
Contributes to counter the threat by ensuring that if the limit of the Attack Counter is reached only limited functionality is available. | ||||||||
If the sensitive result is supported by the TOE, this threat is partially covered by the security objective OT.SENSITIVE_RE- SULTS_INTEG which ensures that sensitive results are protected against unauthorized modification by physical attacks. | ||||||||
Operating System | ||
T.OS_OPERATE | ||
Objective | Rationale | |
OT.OPERATE | Contributes to counter the threat by ensuring the correct continu- ation of operation of the TOE’s logical security functions. Security mechanisms have to be implemented to avoid fraudulent usage of the TOE, usage of certain memory regions, or usage of in- correct or unauthorized instructions or commands or sequence of commands. The security mechanisms must be designed to always put the TOE in a known and secure state. | |
5.3.1. | Random Numbers | |
T.RND | ||
Objective | Rationale | |
OT.RND | Counters the threat by ensuring the cryptographic quality of ran- dom number generation. For instance random numbers shall not be predictable and shall have sufficient entropy. Furthermore, the TOE ensures that no information about the produced random numbers is available to an attacker. | |
5.3.1.1 | Configuration Module | |
T.CONFIG | ||
Objective | Rationale | |
Counters the threat by ensuring that the customer can only read and write customer configuration items using the Customer Con- Figuration Token and NXP can read and write configuration items using the NXP Configuration Token. If access is disabled config- uration items can not be read or written. | ||
5.3.1.2 | ||
T.MODULE_REPLACEMENT | ||
Objective | Rationale | |
OT.OPERATE | Counters the threat by ensuring correct working order. | |
OE.APPLET | Contributes to counter this threat by ensuring that no native ap-plets shall be loaded in post-issuance. | |
OT.SCP.SUPPORT | Intended to support the OT.OPERATE objective of the TOE, thusindirectly related to the threats that these objectives contribute tocounter. | |
Counters this threat by providing correct identification of Modules. | ||
5.3.1.1 | Restricted Mode | |
Objective | Rationale | |
Counters the threat by ensuring that the Attack Counter can onlybe modified according to specified rules. | ||
Counters the threat by ensuring that the Attack Counter can onlybe modified according to the specified conditions. | ||
5.3. | Organisational Security Policies | |
OSP.VERIFICATION | ||
Objective | Rationale | |
OE.VERIFICATION | Enforces the OSP by guaranteeing that all the bytecodes shall beverified at least once, before the loading, before the installationor before the execution in order to ensure that each bytecode isvalid at execution time. | |
Contributing to enforce the OSP by ensuring that the loading of apackage into the card is safe. | ||
This policy is enforced by the security objective of the environ-ment OE.CODE-EVIDENCE which ensures that evidences existthat the application code has been verified and not changed afterverification. | ||
Contributing to enforce the OSP by ensuring that the loading of apackage into the card is safe. | ||
OSP.PROCESS-TOE | ||
Objective | Rationale | |
OT.IDENTIFICATION | Enforces this organisational security policy by ensuring that theTOE can be uniquely identified. |
OSP.KEY-CHANGE
Objective | Rationale |
Enforces the OSP by ensuring that the initial keys of the secu- rity domain are changed before any operation on them are per- formed. |
OSP.SECURITY-DOMAINS
Objective | Rationale |
Enforces the OSP by dynamically create, delete, and block the security domain during usage phase in post-issuance mode. |
OSP.SECURE-BOX
Objective | Rationale |
Addresses directly this organizational security policy by ensuring that the native code and data in Secure Box is separated from the rest of the TOE. Due to this separation the native code in the Secure Box cannot harm the code and data outside the Secure Box. |
5.3.3 Assumptions
A.APPLET
Objective | Rationale |
OE.APPLET | Upholds the assumption by ensuring that no applet loaded post- issuance shall contain native methods. |
A.VERIFICATION
Objective | Rationale |
OE.VERIFICATION | Upholds the assumption by guaranteeing that all the bytecodes shall be verified at least once, before the loading, before the in- stallation or before the execution in order to ensure that each bytecode is valid at execution time. |
This assumption is also upheld by the security objective of the en- vironment OE.CODE-EVIDENCE which ensures that evidences exist that the application code has been verified and not changed after verification. |
A.USE_DIAG
Objective | Rationale |
Directly upholds this assumption. |
A.USE_KEYS
Objective | Rationale |
Directly upholds this assumption. |
A.PROCESS-SEC-IC
Objective | Rationale |
Directly upholds this assumption. |
A.APPS-PROVIDER
Objective | Rationale |
Directly upholds this assumption. |
A.VERIFICATION-AUTHORITY
Objective | Rationale |
Directly upholds this assumption. |
9 Contents
1 ST Introduction (ASE_INT) | |||
1.2.3 Required non-TOE Hardware/Software/Firmware | |||
2 Conformance Claims (ASE_CCL) | |||
3 Security Aspects | |||
4 Security Problem Definition (ASE_SPD) | |||
6 Extended Components Definition (ASE_ECD) | |||
7 Security Requirements (ASE_REQ) | |||
8 TOE summary specification (ASE_TSS) | |||
13 Legal information | |||