SMART CARD PROTECTION PROFILE DRAFT 1'0

1
SMART CARD PROTECTION PROFILE DRAFT 1.0

• Smart Card Security Users Group
• SCPP Workshop
• Cartes 99 Paris France
• 16 November 1999

2
A Protection Profile is Intended to ...

• permit the implementation independent expression
  of security requirements for a set of TOEs that
  will comply fully with a set of security
  objectives
• define TOE requirements that are known to be
  useful and effective in meeting the identified
  objectives, both for functions and assurance
• contain the rationale for security objectives and
  security requirements

3
Common Criteria for Information Technology
Security Evaluation Smart Card Security
User Group Smart Card Protection
Profile Draft Draft Version 1.0 November 1,
1999
4
Protection Profile Overview
This PP describes the IT security requirements
for a smart card to be used in connection with
highly sensitive applications, such as banking
industry financial payment systems. The security
requirements in this PP apply to the card as
issued to the cardholder. The requirements cover
the smart card's integrated circuit and operating
software, but do not include specific
applications. This PP is applicable to both
contact and contactless smart cards, without
special regard for form factor or physical card
security features. This PP does not cover
security requirements for card terminals or
networks interfacing with them. It is anticipated
that application-specific PPs or Security Targets
could be developed that incorporate the
requirements in this PP as their foundation.
Available at http//csrc.nist.gov/cc/sc/sclist.htm
5
1 Introduction
1.1 Identification 1.2 PP Overview 1.3 Smart
Card Overview 1.3 Assurance Level 1.4 Related
Standards and Documents 1.5 Related Protection
Profiles and Documents 1.6 PP Organization

• provides a summary of the PP in narrative form
• intended primarily consumer reference

6
1.3 Assurance level

• assurance level EAL 4 augmented
• AVA_VLA.3 Vulnerability Analysis, Moderately
  resistant
• ADV_INT.1 TSF Internals, Modularity
• Strength of Function is High

(rationale for these is presented in Section 7)
7
2 TOE Description
2.1 Overview 2.2 Definition of TOE 2.3
Technology 2.4 Applications 2.5
Cryptography 2.6 Environments 2.7 Reader 2.8
Attacker Capabilities 2.9 TOE Identification

• general information about the TOE
• serves as an aid to understanding its security
  requirements
• provides context for the PPs evaluation
• intended primarily for consumer reference

8
2.2 Overview

• Target of Evaluation is smart card
• integrated circuit
• operating software
• excludes
• printing
• magnetic stripe
• holograms
• does not address
• card accepting device
• data interface network
• application(s)

9
3 TOE Security environment
3.1 Assets 3.2 Assumptions 3.3 Threats 3.4
Organizational Security Policies

• describes security aspects of the environment in
  which the TOE is to be used
• describes the manner in which the TOE is to be
  employed
• the TOE security environment includes
• assumptions regarding the TOEs intended usage
  and environment of use
• threats relevant to secure TOE operation
• organizational security policies with which the
  TOE must comply
• intended primarily for consumer reference

10
3.1 Assets

• primary is the user data representing information
  to be protected
• secondary are the resources necessary to preserve
  security
• the application data contained in the TOE (such
  as IC and system specific data, initialization
  data, IC pre-personalization requirements and
  personalization data)
• the various cryptographic keys which are used in
  the security processes of the TOE
• the IC design and specifications
• the software design and specifications,
  implementation and related documentation
• the IC and software development tools and
  technology

Assets Information or resources to be protected
by the countermeasures of a TOE
11
3.2 Assumptions

• SCSUG-SCPP identifies 4 assumptions

Assumptions - A statement of assumptions which
are to be met by the environment of the TOE in
order for the TOE to be considered secure. This
statement can be accepted as axiomatic for the
TOE evaluation.
12
3.3 Threats

• SCSUG-SCPP identifies 39 threats

• Threats - A statement of threats to security of
  the assets would identify all the threats
  perceived by the security analysis as relevant to
  the TOE. The CC characterizes a threat in terms
  of
• a threat agent
• a presumed attack method
• any vulnerabilities that are the foundation for
  the attack
• identification of the asset under attack

13
3.3 Threats

• Threats Addressed by the TOE
• Threats addressed by the TOE in the Operational
  Environment
• Threats Associated with Physical Attack on the
  TOE
• Threats Associated with Logical Attack on the TOE
• Threats Associated with Inadequate Specification
• Threats Associated with Unanticipated
  Interactions
• Threats Regarding Cryptographic Functions
• Threats which Monitor Information
• Miscellaneous Threats
• Threats addressed by the TOE in the Development
  Environment
• Threats Associated with Disclosure of Information
• Threats Associated with Theft of Objects
• Threats Associated with Modification of
  Information
• Threats addressed by the Operating Environment

14
3.4 Organizational Security Policies

• SCSUG-SCPP identifies 8 Policies

A statement of applicable organizational security
policies would identify relevant policies and
rules
15
4 Security Objectives
4.1 TOE Security Objectives 4.2 Environment
Security Objectives

• reflects the stated intent of the PP
• pertains to how the TOE will counter identified
  threats
• pertains to how the TOE will cover identified
  policies and assumptions
• categorizes objectives as being for the TOE or
  for the environment
• intended primarily for consumer reference

16
4 Security Objectives

• SCSUG-SCPP identifies
• 31 TOE IT Security Objectives
• 5 Environment Security Objectives

• counter the identified threats
• address identified organizational security
  policies and assumptions
• address all of the security concerns
• declare which security aspects are either
  addressed directly by the TOE or by its
  environment
• The security objectives for the environment
  would be implemented within the IT domain, and by
  non-technical or procedural means
• Only the security objectives for the TOE and its
  IT environment are addressed by IT security
  requirements

17
5 IT Security Requirements
5.1 TOE IT Security Requirements 5.1.1 TOE IT
Security Functional Requirements 5.1.2 TOE IT
Security Assurance Requirements 5.2 Security
Requirements for the IT Environment

• provides detailed requirements for the TOE
• provides detailed requirements for the TOE
  environment
• IT security requirements are subdivided into
• TOE Security Functional Requirements
• TOE Security Assurance Requirements
• intended primarily for developer reference

18
5.1.1 TOE IT Security Functional Requirements

• SCSUG-SCPP contains components from the families
• Class FAU Security audit
• Class FCS Cryptographic support
• Class FDP User data protection
• Class FIA Identification and authentication
• Class FMT Security management
• Class FPT Protection of the TOE Security
  Functions
• Class FTP Trusted path/channels

• refinement of the security objectives into a set
  of security requirements for the TOE and security
  requirements for the environment
• requirements ensure that the TOE can meet its
  security objectives

19
5.1.1 SFR Special Considerations

• FAU_GEN.3 - Audit sequence generation
• defined new SFR to provide audit without
  time/date requirement
• FDP_ACF.1 - Security attribute based access
  control
• refined to add Smart Card Access Control Policy
• FDP_IFF.1 - Simple security attributes
• refined to add Smart Card Information Flow
  Control Policy
• FMT_MOF.1 - Management of security functions
  behavior
• refined to add listing of functions to be managed

20
5.1.2 TOE IT Security Assurance Requirements

• SCSUG-SCPP contains components from the families
• Class ACM Configuration management
• Class ADO Delivery and operation
• Class ADV Development
• Class AGD Guidance documents
• Class ALC Life cycle support
• Class ATE Tests
• Class AVA Vulnerability assessment

• refinement of the security objectives into a set
  of security requirements for the TOE and security
  requirements for the environment
• requirements ensure that the TOE can meet its
  security objectives

21
5.1.2 SAR Special Considerations

• ADV_IMP.1 - Subset of the implementation of the
  TSF
• refined by adding specific subsets to be
  evaluated
• AVA_VLA.3 - Moderately resistant
• refined by adding specific guidelines for
  evaluation

22
6 PP Application Notes
6.1 Issues Unique to Smart Cards 6.2 Security
Audit Generation 6.3 Management of Functions in
TSF 6.4 Functional Component Operations 6.5 PP
Packages

• additional supporting relevant or useful for
• the construction of the TOE
• evaluation of the TOE
• use of the TOE

23
6.5 Packages

• SCSUG-SCPP proposes packages for
• integrated circuit
• operating software

• Definition
• an intermediate combination of components
• permits the expression of a set of functional or
  assurance requirements that meet an identifiable
  subset of security objectives
• intended to be reusable and to define
  requirements that are known to be useful and
  effective in meeting the identified objectives
• may be used in the construction of larger
  packages, PPs, and STs

24
SCSUG-SCPP
Single, Complete Evaluation
Integrated Platform
IC Package
OS Package
Composite TOE
Security Target

• claims compliance with SCSUG-SCPP
• describes Integrated Platform (containing IC
  Package OS Package)

Evaluation Evidence
Product Evaluation
25
SCSUG-SCPP
Integrated Platform
IC Package Use
IC Package
OS Package
IC TOE
IC Security Target

• references SCSUG-SCPP
• contains (at least) all elements of SCSUG-SCPP
  IC Package

IC Evaluation Evidence
IC Evaluation
26
SCSUG-SCPP
Integrated Platform
OS Package Use
IC Package
OS Package
OS TOE
OS Security Target

• references SCSUG-SCPP
• contains (at least) all elements of SCSUG-SCPP
  OS Package

OS Evaluation Evidence
OS Evaluation
27
Composite Evaluation
SCSUG-SCPP
Composite TOE
Integrated Platform
IC Package

• including
• evaluated IC
• evaluated OS
• composite (operational) TOE

OS Package
Evaluation Evidence

• IC product evaluation
• OS product evaluation
• demonstration of applicability of IC OS
  packages
• Integrated Platform evidence

Security Target

• claims compliance with SCSUG-SCPP
• describes Integrated Platform (containing IC
  Package OS Package)

Product Evaluation
28
7 Rationale
7.1 TOE Description Rationale 7.2 Security
Objectives Rationale 7.3 Security Requirements
Rationale 7.4 Internal Consistency and Mutual
Support 7.5 Rationale for Explicitly stated IT
security requirements 7.6 Rationale for
Refinement of IT Security Requirements 7.7
Rationale for Strength of Function High 7.8
Rationale for Assurance Level EAL4 Augmented

• presents evidence that the PP is a complete and
  cohesive set of requirements
• presents evidence that a conformant TOE would
  provide an effective set of IT security
  countermeasures within the security environment
• intended for evaluator reference

29
7.5 Rationale For Explicitly Stated IT Security
Requirements

• FAU_GEN.3 - Audit Sequence generation
• identical to FAU_GEN.1 - Audit data generation
  except
• deletes reference to date and time of event
• deletes dependency on FPT_STM.1 Reliable time
  stamps
• can be applied to smart cards

30
7.6 Rationale For Strength Of Function High

• operational environment includes
• control of TOE may rest with attacker
• exposure over prolonged periods of time
• attractive target
• statistical and probabilistic mechanisms may be
  vulnerable to prolonged repetitive probing
• SOF - High justified on basis of
• practicality
• cost effectiveness
• efficiency

31
7.7 Rationale For EAL4 Augmented

• EAL4
• reasonably high assurance
• does not require highly specialized processes and
  practices
• can be applied to existing products without undue
  expense and complexity
• Augmented with
• ADV_INT.1 - Modularity
• multiple developers/suppliers
• varied (and variable) interactions
• modularity is necessary to counter conflicts
• AVA_VLA.3 - Moderately resistant
• systematic search for vulnerabilities documented
  and presented
• consistent with present CEM definitions of attack
  potential
• higher levels may not be possible under present
  definitions

32
SCSUG-SCPP Sources

• CC definition
• CC support
• Guide for Production of Protection Profiles and
  Security Targets
• CCToolBox
• user input
• Visa International
• MasterCard International
• Mondex International
• Europay International

33
SCSUG-SCPP Reference PPs

• Visa Smart Card Protection Profile
• PP/9806 - Smartcard Integrated Circuit Protection
  Profile
• PPnc/9809 - Smartcard Integrated Circuit with
  Embedded Software
• PP/9810 - Smartcard Embedded Software
• PP9911 - Smartcard Integrated Circuit with
  Embedded Software
• CS2 - Protection Profile Guidance for Near-Term
  COTS
• Draft U.S. Government Traffic-Filter Firewall
  Protection Profile for Low-Risk Environments
• Draft U.S. Government Application-Level Firewall
  Protection Profile for Low-Risk Environments

34
SCSUG-SCPP Reviews

• SCSUG-PP review at NIST, 17-18 August 1999
• 178 PP Observation Reports (PPORs) addressed
• PPORs from users, developers, test labs, CC
  support organizations
• SCSUG-SCPP Vendor Meeting at NIST, September 1999
• 36 PPORs addressed
• PPORs from users, developers, CC support
  organizations
• SCSUG-SCPP Open Review
• PPORs welcomed from any source
• 90 day review period (1 November 1999 - 31
  January 2000)

35
Protection Profile Observation Report

• 1 Originators name
• 2 Originator organization
• 3 Return address
• 4 Date
• 5 Originators PPOR identifier
• 6 Observation type
• Editorial/Typo
• Minor Technical/Structural
• Major Technical/Structural
• Approach.
• 7 Title of the PPOR
• 8 PP document reference
• 9 Statement of observation
• 10 Suggested solution(s) and expected impact
• End of PPOR

submit to SCSUG technical editor
demcgovern_at_aol.com
36
Questions?