VDO DTCO 1381 REL. 1.3 - Specifications

The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Protection marks for restricting the use of documents and products
(DIN 34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
Security Target
DTCO 1381, Release 1.3v
Digital Tachograph - Vehicle Unit
Author:
Winfried Rogenz, I CV AM TTS LRH
Revision:
Siemens VDO Automotive AG
Heinrich-Hertz-Straße 45
D-78052 Villingen-Schwenningen
Postfach1640
D-78006 Villingen-Schwenningen
Tel:
+49 7721 / 67 - 2147
Fax:
+49 7721 / 67 – 79 2147
winfried.rogenz@continental-corporation.com
E-Mail:
1.15.1.0
Status:
Final
File:
Security Target_V.doc
Release
DTCO 1381 Release 1.3v
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
1 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Protection marks for restricting the use of documents and products
(DIN 34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
1 History of changes
Version
Date
1.0
2.0
3.0
4.0
4.1
30.03.2000 Rogenz, Winfried, LM/ZU
11.10.2000 Rogenz, Winfried, LM/ZU
24.11.2000 Rogenz, Winfried, LM/ZU
Lindinger, Andreas, LE/FF
Näther Horst, LE/FF
01.12.2000 Rogenz, Winfried LM/ZU
23.03.2001 Rogenz, Winfried LM/ZU
4.2
09.10.2002 Rogenz, Winfried LBDZU
4.3
03.06.2004 Rogenz, Winfried
0403.01 Rev. 1.6)
0403.01 Rev. 1.7)
10.06.2005 Rogenz, Winfried TCO H
07.07.2005 Rogenz, Winfried TCO H
0403.01 Rev. 1.8)
08.07.2005 Rogenz, Winfried TCO H
0403.01 Rev. 1.9)
02.08.2005 Rogenz, Winfried TCO H
0403.01 (Rev. 1.10)
03.05.2006 Winfried Rogenz TCO H
Rev. 1.11
08.06.2006 Zalan Szilagyi
1.11.1.0
1.11.1.1
1.11.1.2
1.11.1.3
2007-02-16 Adrian Farcas
Rogenz
2007-03-01 Müller F.
2007-03-02 Rogenz, Winfried, SV CV Div
TCO H
2007-03-02 Rogenz, Winfried, SV CV Div
TCO H
2007-06-13 Friedrich Müller
2007-06-13 Friedrich Müller
2007-10-25 Rogenz Winfried
2007-11-14 Rogenz Winfried
2012-04-25 Rogenz Winfried
1.11.1.4
1.11.1.5
1.13
1.14
1.15
1.15.1.0
Designed by
Date
Author, editor
Department
reason
rough draft
draft
revision together with LE/FF
completion for evaluation
revision after evaluation
Final release
revision after publication of
Annex I(B) (CR (EC) No.
1360/2002
Final release
Revision after publication of
amendment of 3821/85 by CR
(EC) No. 432/2004
Adaptation for Release 1.2
Revision after evaluation
Final release
Revision after evaluation
Final release
Revision for certification
Final release
2. Revision for certification
Final release
Accept all changes for
Release_1.2_DocFinish
Update for Release 1.2a
No changes
New PDM Number
completion for evaluation
Editorial corrections
Accept all changes for Rel1.2a
Prepare document for Rel1.3
Update for Release 1.3
Correction after review
Update for Release 1.3v
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
2 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
2 List of contents
1 History of changes .............................................................................................................. 2
2 List of contents.................................................................................................................... 3
3 Introduction ......................................................................................................................... 4
4 Abbreviations and definitions ............................................................................................ 5
4.1
Abbreviations ................................................................................................................... 5
4.2
Definitions ........................................................................................................................ 5
5 Product rationale ................................................................................................................. 7
5.1
Vehicle Unit description and method of use ..................................................................... 7
5.2
Vehicle Unit life cycle ..................................................................................................... 14
5.3
Subjects, objects, and access rights .............................................................................. 16
5.4
Threats .......................................................................................................................... 21
5.5
Security objectives ......................................................................................................... 22
5.6
Information Technology Security Objectives .................................................................. 22
5.7
Physical, personnel or procedural means ...................................................................... 23
6 Security enforcing functions ............................................................................................ 25
6.1
Identification and authentication..................................................................................... 26
6.2
Access control ............................................................................................................... 29
6.3
Accountability ................................................................................................................ 33
6.4
Audit .............................................................................................................................. 37
6.5
Object reuse .................................................................................................................. 39
6.6
Accuracy ........................................................................................................................ 40
6.7
Reliability of service ....................................................................................................... 42
6.8
Data exchange .............................................................................................................. 44
6.9
Cryptographic support.................................................................................................... 45
7 Definition of security mechanisms .................................................................................. 46
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
8 Minimum strength of security mechanisms .................................................................... 46
9 Level of assurance ............................................................................................................ 46
10 Rationale .......................................................................................................................... 47
11 References ....................................................................................................................... 52
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
3 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
3 Introduction
This document contains a description of the vehicle unit DTCO 1381, Release 1.3v ( the TOE), of the
threats it must be able to counteract and of the security objectives it must achieve. It specifies the
required security enforcing functions. It states the claimed minimum strength of security mechanisms
and the required level of assurance for the development and the evaluation.
This document is based on the Vehicle Unit Generic Security Target, which is described in Appendix
10 1 of Annex 1B 2 of the European Regulation (EEC) No 3821/85 3 amended by the European Regulation (EEC) No 2135/98 4 and last amended by CR (EC) No.561/2006 and CR (EC) No. 1791/2006
.The document states the security functions and assumptions on the environment and describes how
they are implemented in the vehicle unit DTCO 1381. . Wherever it is referred to DTCO 1381, it deals
with the current TOE DTCO 1381, Release 1.3.v
Requirements referred to in the document, are those of the body of Annex 1B. For clarity of reading,
duplication sometimes arises between Annex 1B body requirements and security target requirements.
In case of ambiguity between a security target requirement and the Annex 1B body requirement referred by this security target requirement, the Annex 1B body requirement shall prevail.
Annex 1B body requirements not referred by security targets are not the subject of security enforcing
functions.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for
the purpose of traceability to development and evaluation documentation.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
4 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
4 Abbreviations and definitions
4.1 Abbreviations
CAN
Controller Area Network
DTCO
Digital Tachograph
EQTj.C
equipment certificate
EQTj.SK
equipment private key
EQTj.PK
equipment public key
EUR.PK
European public key
Km
Master key
Kmvu
Part of the Master key, will manage the pairing between a motion
sensor and the vehicle unit
Kid
Individual device key for protection of the session key between
motion sensor and vehicle unit
Ksm
Session key between motion sensor and vehicle unit
Kst
Session key between tachograph cards and vehicle unit
MSi.C
Member State certificate
PIN
Personal Identification Number
ROM
Read Only Memory
SEF
Security Enforcing Function
TBD
To Be Defined
TOE
Target Of Evaluation
VU
Vehicle Unit
4.2 Definitions
Digital Tachograph
Recording Equipment.
Entity
A device connected to the VU (specific definition see S1).
Management Device
A dedicated device for software upgrade of theTOE
Motion data
The data exchanged with the VU, representative of speed and
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
5 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
distance travelled (specific definition see O17).
Motion Sensor
Part of the recording equipment, providing a signal representative
of vehicle speed and/or distance travelled.
Physically separated
parts
Physical components of the vehicle unit that are distributed in the
vehicle as opposed to physical components gathered into the vehicle unit casing.
Security data
The specific data needed to support security enforcing functions
(e.g. crypto keys) (specific definition see O2, O3).
SW-Upgrade
SW-Upgrade installs a new version of software in the TOE.
SW-Upgrade Modul
(SWUM)
A component of software in the TOE which is responsible for the
realization and control of the software upgrade
System
Equipment, people or organisations, involved in any way with the
recording equipment.
Tachograph cards
Smart cards intended for use with the recording equipment.
Tachograph cards allow for identification by the recording equipment of the identity (or identity group) of the cardholder and allow
for data transfer and storage. A tachograph card may be of the
following types:
- driver card,
- control card,
- workshop card,
- company card.
User
Users are to be understood as human user of the equipment.
Normal users of the VU comprise drivers, controllers, workshops
and companies (specific definition see S2).
User data
Any data, other than security data, recorded or stored by the VU,
required by Chapter III.12. (specific definition see O1, O4 to O16).
Vehicle Unit
The recording equipment excluding the motion sensor and the
cables connecting the motion sensor. The vehicle unit may either
be a single unit or be several units distributed in the vehicle, as
long as it complies with the security requirements of this regulation.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
6 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
5 Product rationale
5.1 Vehicle Unit description and method of use
The VU is intended to be installed in road transport vehicles. Its purpose is to record, store, display,
print and output data related to driver activities. It is connected to a motion sensor with which it exchanges vehicle’s motion data.
Users identify themselves to the VU using tachograph cards.
The VU records and stores user activities data in its data memory, it also records user activities data in
tachograph cards. The VU outputs data to display, printer and external devices.
The vehicle unit’s operational environment while installed in a vehicle is described in the following
figure:
Driver slot
Other inputs / outputs
Co-driver slot
Motion
sensor
motion
data
downloading &
calibration
connector
Card Interface
Card Interface
Display
VU
user's inputs
printer
Calibration
Data
download
calibration
device
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
(Remote
data download)
External
storage
media
External
storage
media
Other
devices
Figure 1 VU operational environment
The VU general characteristics, functions and mode of operations are described in Chapter II of Annex
1B. The VU functional requirements are specified in Chapter III of Annex IB.
The typical VU is described in the following figure. It must be noted that although the printer mechanism is part of the TOE, the paper document once produced is not.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
7 / 52
TOE
(Other
Connectors)
Display &
Visual
warning
Co-Driver Card
reader
Printer
Downloading & Calibration
Connector
Driver Card reader
(Buzzer)
Sensor
Connector
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
Processor
Security Components
Operator inputs
Paper
printout
Power supply
Data memory
Power supply
Connector
Figure 2 Typical VU
5.1.1
(…) optional
Implementation in the TOE
The DTCO 1381 fulfils the description and method of use as described in section 5.1. The following
figure shows the basic architecture of the actual TOE, the DTCO 1381:
VehicleConnectors
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
VehicleInterface
CANInterface
Operator
key buttons
Display
DriverChipcardInterface
Motion
SensorInterface
K-LineDiagnostic
microcontroller
with firmware
security components
Co-DriverChipcardInterface
InfoInterface
Power
Supply
RTC
Battery
External data
memory
Calibration-/DownloadingInterface
Printer
Calibration-/DownloadingConnetocr
Figure 3 Basic architecture TOE DTCO 1381
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
8 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
The Scope of supply of the TOE includes the DTCO 1381 and the appropriate manuals.
The following description shows the general functions implemented in the TOE.
5.1.2
General functions in the TOE:
(1) monitoring tachograph cards insertions and withdrawals
The TOE monitors two chip card interfaces ( for a driver and a co-driver) to detect tachograph card
insertions and withdrawals.
Upon tachograph card insertion the TOE detects:
whether the card inserted is a valid tachograph card;
and in such a case identifies the card type.
(2) speed and distance measurement
Vehicle speed and distance are recorded using the real-time signal of the motion sensor.
The current speed value is stored every second in the data memory over a driving time of 24 hours.
The speed resolution value is 1 km/h, the speed range is 0 km/h up to 220 km/h.
The distance resolution value is 0,1 km, the distance range is 0 km up to 9 999 999,9 km.
The TOE records speed profiles as an optional feature.
(3) time measurement
The TOE incorporates a real-time clock buffered by a battery. The basis for the measurement is the
required UTC-format. The time resolution value is 1 sec.
(4) monitoring driver activities
The TOE permanently and separately monitors the activities of one driver and one co-driver as
DRIVING, WORK, AVAILABILITY, or BREAK/REST.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
With the operator key buttons the driver and/or the co-driver can manually select WORK,
AVAILABILITY, or BREAK/REST.
When the vehicle is moving, the TOE selects automatically DRIVING for the driver and AVAILABILITY
for the co-driver.
(5) monitoring driving status
The TOE selects the driving status CREW when two valid driver cards are inserted in the equipment,
the driving status SINGLE is selected in any other case.
(6) drivers manual entries
With the operator key buttons on the front panel of the TOE the driver and/or the co-driver have the
possibility to manually enter the places where the daily work periods begin and/or end.
After card insertion the cardholder can manually enter activities, with their dates and times of beginning
and end, among WORK or AVAILABILITY or BREAK/REST only, strictly included within the period last
card withdrawal – current insertion only.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
9 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
The driver can enter, in real time, the following two specific conditions: “OUT OF SCOPE” (begin, end)
and “FERRY / TRAIN CROSSING”.
(7) company locks management
This function of the TOE manages the locks placed by a company to restrict data access in company
mode to itself. Locking-in is possible at the insertion of a company card.
Locking-out is only possible for the company whose lock is “in” or if another company locks in. A previous locked-in company will then be automatically locked-out.
(8) monitoring control activities
This function of the TOE monitors DISPLAYING, PRINTING, VU and card DOWNLOADING activities
carried out while in control mode. This function also monitors OVER SPEEDING CONTROL activities
while in control mode.
(9) detection of events and/or faults
The following events and faults are detected and stored:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
"Insertion of a non valid card" event
"Card conflict" event
"Time overlap" event
"Driving without an appropriate card" event
"Card insertion while driving" event
"Last card session not correctly closed" event
"Over speeding" event
"Power supply interruption" event
"Motion data error" event
"Security breach attempt" event
"Card" fault
"Recording equipment" fault includes
internal fault
Printer fault
Display fault
Downloading fault
motion sensor fault
Additional specific faults (e.g. CAN-transmission-fault) are also detected and stored in the TOE.
(10) built-in and self tests
The TOE is provided with the capacity to detect automatically system malfunctions related to firmware,
external data memory, chipcard interfaces, downloading and the motion sensor.
(11) reading from data memory
The TOE is able to read any data stored in its external data memory.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
10 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
(12) recording and storing in data memory
The external data memory is used for recording all activities of both drivers (1 and 2) and the vehicle
over a period of 365 calendar days under the assumptions of Annex I (B) 2.
The TOE is able to record and store the following data: (see O1 to O18).
(13) reading from tachograph cards
The TOE is able to read from tachograph cards the necessary data related to the functional requirements.
(14) recording and storing in tachograph cards
The TOE is able to record and store in tachograph cards the necessary data related to the functional
requirements.
(15) displaying
The display is a LC display. There may be shown on the display different display menus and data.
(16) printing
The TOE incorporates a thermo-printer. The paper roll can be changed. The printouts can be selected
and activated by use of display and operator keys.
(17) warning
The TOE warns the user when detecting any event and/or fault. It also warns the driver 15 minutes
before and at the time of exceeding 4 h:30 min. continuous driving time. The warnings are visualised
by the use of pictograms combined with text announcement and by the use of the display.
(18) data downloading to external media
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The calibration-/downloading connector on the front is used for the downloading of the external data
memory or a driver card contents during control, calibration and company mode. The TOE provides
the downloading through its calibration-/ downloading interface.
(19) output data to additional external devices
The TOE is able to output data ( e.g. speed and distance) to instrument clusters and to the vehicle.
Other data can be output to other components via the vehicle connectors. The TOE is able to output
data (e.g. driver activities) via a separated info-interface (external interface).
(20) calibration
The front calibration-/downloading connector is used for the calibration of the necessary parameters
(w-factor, odometer, VIN etc. ). The TOE provides the calibration through its calibration-/ downloading
interface.
Furthermore, the functions of the equipment and the measuring of the signals are checked during periodic inspection (every 2 years) via this connector.
For calibration and measuring via this connector approved tools (e.g. the MTC mobile test computer)
will be available.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
11 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
The calibration in calibration mode is also possible via K-line-diagnostic and CAN interface.
(21) time adjustment
The time adjustment function in the TOE allows the user to adjust the current time in amounts of 1 minute maximum at intervals of not less than 7 days. Only in calibration mode this function is without
limitation.
(22) Software upgrade
The software upgrade is only possible in the calibration mode of the TOE. The TOE application
transfers the control to the software upgrade modul (SWUM). The SWUM controls all resources of the
TOE and manages the whole cycle. After the software upgrade the SWUM gives back the control to
the TOE. application.
(23) Remote Download
It is possible to authenticate a company card via external interfaces (CAN-Diagnostic, K-LineDiagnostic over the front calibration-/downloading connector). This company card is inserted in a
personal computer connected with a dedicated application (with a card reader) in the company office.
A remote download is carried out according to the following procedure:
•
Identification and Authentication of a company card over the above mentioned external
interfaces.
•
Transfer of a download list (including all required download data blocks)
•
Download of the data blocks of the download list in a specified period
5.1.3
Power saving mode of the TOE
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
A power saving mode is implemented as an additional, optional feature. It is only used by vehicle
manufacturers, which need this feature. In this case the TOE is programmed at the Vehicle Unit
manufacturer site to enable the power saving mode.
In the power saving mode the microcontroller changes its state between normal running and the so
called interruptible power down mode in which nearly the whole microcontroller is switched off and only
some interrupts remain enabled, to wake up the microcontroller.
By one of this interrupt-inputs the controller is cyclically waked up by a signal, generated by the real
time clock RTC. It then works out all of its normal functions and afterwards enters the power down
mode again.
When the TOE is in the power saving mode, the display is switched off.
The power saving mode is only entered, when specific conditions are fulfilled.
The power saving mode is ended and the display is switched on, if one of these specific conditions for
the entrance into this mode is no more fulfilled.
Some events make it necessary respectively useful to wake up the microcontroller directly by an interrupt and not to wait for the cyclic interrupt of the RTC.
These interrupt sources are separate inputs of the controller. So the reason for the wake up can be
detected in the program.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
12 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
All of the functions of the program of the TOE are performed too in the power saving mode with some
exceptions.
5.1.4
Manuals
For the TOE exist the following manuals:
Operating instructions:
for drivers /co-drivers and
haulage company
as a specification which gives the operating instructions for the driver/codriver for normal usage and informs the driver/co-driver about the behaviour of the TOE
as a specification to inform the staff of the haulage company about the
behaviour of the TOE and gives the operating instructions for the staff of
the haulage company for normal usage of the TOE by the company
(company lock, data downloading, etc.).
for control officers
as a specification to inform the control officers about the behaviour of the
TOE and gives the operating instructions for the national control authorities for normal usage of the TOE by control officers (data downloading,
over speeding control, etc.).
Technical product manual
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
This manual contains a description of the process to
-
install the TOE into the vehicle,
-
activate the TOE,
-
pair the TOE with the motion sensor,
-
calibrate the TOE (with the description of default parameters) and
-
carry out the periodic inspection of the TOE.
Technical description "software upgrade"
-
upgrade of the software in the TOE,
These manuals are the guidance documents for authorised workshop staff, fitters and vehicle
manufacturers.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
13 / 52
5.2 Vehicle Unit life cycle
Components
design and
development
Software
development
Security data
generation
Manufacturing
Components
manufacturing
Assembly
Components
supply
Security data
insertion
Storage
Distribution
Repair
Storage
New
Installation
2nd hand
Activation
Calibration
Repair
Periodic
inspection
End user
environment
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Sensor
pairing
Manufacturing environment
Design /
Development
Design phase
The typical life cycle of the VU is described in the following figure:
Fitters and Workshops environment
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
Operation
End of life
Figure 4 VU typical life cycle
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
14 / 52
Implementation in the TOE
Design /
Development
Components
design and
development
Software
development
Security data
generation
Manufacturing
Components
manufacturing
Assembly
Components
supply
Security data
insertion
Storage
Distribution
Design phase
5.2.1
Manufacturing environment
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
Repair
New
IInstallation
2nd hand
Activation
Sensor
pairing
Calibration
Softwareupgrade
End user
environment
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Periodic
Inspection
Fitters and Workshops environment
Storage
Operation
End of life
Recycling
Figure 5 Life Cycle of the TOE DTCO 1381
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
15 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
For the TOE a repair in the fitters and workshop environments isn't planned. Fitters or workshops can
only change elements of the TOE as e.g. front covers, printer....
* Note: The security data generation is performed in a trusted environment in the production and the
keys will be certified by the National Certification Authority.
5.3 Subjects, objects, and access rights
5.3.1
Subjects
For the TOE the following types of subjects exist:
S1
entities:
S1.1 installation device in the manufacturing process for storing objects O1, O2, O18 in the external
data memory of the TOE
S1.2 motion sensor in pairing and operational mode
S1.3 calibration device (programming tools)
S1.4 intelligent dedicated equipment for downloading (e.g. personal computer)
S1.5 tachograph cards
S1.6 management device
S2
users:
S2.1 drivers and co-drivers (in operational mode)
S2.2 workshop staff , fitters and staff of vehicle manufacturers (in calibration mode)
S2.3 control officers from national control authorities (in control mode)
S2.4 staff of the respective haulage company (in company mode)
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
S2.5 unknown
Note: The human users S2.1 to S2.4 of the recording equipment in road transport vehicles identify
themselves to the TOE using tachograph cards. Authentication and access control for those users is
performed by TOE unit by identifying the type of tachograph cards.
5.3.2
Objects
For the specification of the security functions of the TOE the following objects are relevant. Definitions
5
of data objects are provided in the Appendix 1 of Annex IB.
O1
equipment identification data
O1.1 vehicle unit identification data
O1.2 motion sensor identification data
O2
security elements to be stored in the TOE
O2.1 european public key EUR.PK
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
16 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
O2.2 member State certificate MSi.C
O2.3 equipment certificate EQTj.C includes equipment public key EQTj.PK
O2.4 equipment private key EQTj.SK
O2.5 part of the Master key Kmvu
O2.6 security device public key SECDEV.PK
O3
security elements to generate and to be stored in the TOE
O3.1 session key between motion sensor and vehicle unit Ksm
O3.2 session key between tachograph cards and vehicle unit Kst
O4
driver card insertion and withdrawal data
O5
driver activity data
O6
places where daily work periods start and/or end
O7
odometer data
O8
detailed speed data
O9
events data
O9.1 card conflict
O9.2 driving without an appropriate card
O9.3 card insertion while driving
O9.4 last card session not correctly closed
O9.5 over speeding
O9.6 power supply interruption
O9.7 motion data error
O9.8 security breach attempt
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
O10 faults data
O10.1
card fault
O10.2
recording equipment faults
O11 calibration data
O12 time adjustment data
O13 control activity data
O14 company locks data
O15 download activity data
O16 specific conditions data
O17 motion data representative of vehicle's speed and distance travelled
O18 individual device key Kid
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2007-11-14
SV CV Div TCO LRH
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Version
Pages
17 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
Department
2007-11-14
Date
SV CV Div TCO LRH
Department
Pages
18 / 52
Released by
Version
Winfried Rogenz
SECURITY TARGET DTCO 1381, Release 1.3v
Date
O19 PIN from workshop card
Designed by
Designation
Security Target DTCO 1381, Release 1.3
Document
40225345 SPE 000 AA
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381,Release 1.3v
5.3.3
Access rights
The Table 1 describes the access rights under the rules as described in chapter 6.2.
O1.1 O1.2 O2
S1.1
O3
O4
O5
O6
O7
O8
O9
O10
O11
O12
O13
O14
O16
O17
O18
O19
w
w
w
(once)
(once)
(once)
S1.2
W
g/u
w/r
S1.3
w/r
u
w/r
S1.4
r
S1.5
S1.6
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
O15
r
R
r
r
r
r
r
r
r
r
u
u
S2.1
r
R
u
g/u
w/r
w/r
w/r
w/r
w/r
w/r
w/r
r
r
r
r
S2.2
r
R
u
g/u
w/r
w/r
w/r
w/r
w/r
w/r
w/r
w/r
w/r
r
r
w/r
w/r
S2.3
r
R
u
g/u
w/r
r
R
r
r
r
r
r
r
w/r
r
w/r
r
S2.4
r
R
u
g/u
w/r
r
R
r
r
r
r
r
r
r
w/r
w/r
r
w
W
w
w
w
w
S2.5
w/r
u
w
r = read; w = write; g = generate, u = use
Table 1 Access rights
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
20 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
5.4 Threats
This paragraph describes the threats the VU may face.
5.4.1
T.Access
Users could try to access functions not allowed to them (e.g.
drivers gaining access to calibration function).
T.Identification
Users could try to use several identifications or no identification.
5.4.2
Design related threats
T.Faults
Faults in hardware, software, communication procedures could
place the VU in unforeseen conditions compromising its security.
T.Tests
The use of non invalidated test modes or of existing back doors
could compromise the VU security.
T.Design
Users could try to gain illicit knowledge of design either from
manufacturer’s material (through theft, bribery, …) or from reverse engineering.
5.4.3
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Threats to identification and access control policies
Operation oriented threats
T.Calibration_Parameters
Users could try to use mis-calibrated equipment (through calibration data modification, or through organisational weaknesses).
T.Card_Data_Exchange
Users could try to modify data while exchanged between VU and
tachograph cards (addition, modification, deletion, replay of signal).
T.Clock
Users could try to modify internal clock.
T.Environment
Users could compromise the VU security through environmental
attacks (thermal, electromagnetic, optical, chemical, mechanical,…).
T.Fake_Devices
Users could try to connect fake devices (motion sensor, smart
cards) to the VU.
T.Hardware
Users could try to modify VU hardware.
T.Motion_Data
Users could try to modify the vehicle’s motion data (addition,
modification, deletion, replay of signal).
T.Non_Activated
Users could use non activated equipment.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
21 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
T.Output_Data
Users could try to modify data output (print, display or download).
T.Power_Supply
Users could try to defeat the VU security objectives by modifying
(cutting, reducing, increasing) its power supply.
T.Security_Data
Users could try to gain illicit knowledge of security data during
security data generation or transport or storage in the equipment.
T.Software
Users could try to modify VU software.
T.Stored_Data
Users could try to modify stored data (security or user data).
5.5 Security objectives
The main security objective of the digital tachograph system is the following:
O.Main
The data to be checked by control authorities must be available
and reflect fully and accurately the activities of controlled drivers
and vehicles in terms of driving, work, availability and rest periods and in terms of vehicle speed.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Therefore the security objectives of the VU, contributing to the global security objective, are the following:
O.VU_Main
The data to be measured and recorded and then to be checked
by control authorities must be available and reflect accurately
the activities of controlled drivers and vehicles in terms of driving, work, availability and rest periods and in terms of vehicle
speed.
O.VU_Export
The VU must be able to export data to external storage media in
such a way as to allow for verification of their integrity and
authenticity.
5.6 Information Technology Security Objectives
The specific IT security objectives of the VU contributing to its main security objective, are the following:
O.Access
The VU must control user access to functions and data.
O.Accountability
The VU must collect accurate accountability data.
O.Audit
The VU must audit attempts to undermine system security and
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
22 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
should trace them to associated users.
O.Authentication
The VU should authenticate users and connected entities (when
a trusted path needs to be established between entities).
O.Integrity
The VU must maintain stored data integrity.
O.Output
The VU must ensure that data output reflects accurately data
measured or stored.
O.Processing
The VU must ensure that processing of inputs to derive user
data is accurate.
O.Reliability
The VU must provide a reliable service.
O.Secured_Data_Exchange
The VU must secure data exchanges with the motion sensor
and with tachograph cards.
5.7 Physical, personnel or procedural means
This paragraph describes physical, personnel or procedural requirements that contribute to the security
of the VU.
5.7.1
M.Development
VU developers must ensure that the assignment of responsibilities during development is done in a manner which maintains IT
security.
M.Manufacturing
VU manufacturers must ensure that the assignment of responsibilities during manufacturing is done in a manner which maintains IT security, and that during the manufacturing process the
VU is protected from physical attacks which might compromise
IT security.
5.7.2
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Equipment design
Equipment delivery and activation
M.Delivery
VU manufacturers, vehicle manufacturers and fitters or workshops must ensure that handling of the VU is done in a manner
which maintains IT security.
M.Activation
Vehicle manufacturers and fitters or workshops must activate
the VU after its installation before the vehicle leaves the premises where installation took place.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
23 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
5.7.3
M.Sec_Data_Generation
Security data generation algorithms must be accessible to
authorised and trusted persons only. They must be cryptographic strong.
M.Sec_Data_Transport
Security data must be generated, transported, and inserted into
the VU, in such a way to preserve its appropriate confidentiality
and integrity.
M.Sec_Data_Crypt
Security data inserted into the VU must be cryptographic strong.
5.7.4
Cards delivery
M.Card_Availability
Tachograph cards must be available and delivered to authorised
persons only.
M.Driver_Card_Uniqueness
Drivers must possess, at one time, one valid driver card only.
M.Card_Traceability
Card delivery must be traceable (white lists, black lists) , and
black lists must be used during security audits.
5.7.5
Recording equipment installation, calibration, and inspection
M.Approved_Workshops
Installation, calibration and repair of recording equipment must
be carried by trusted and approved fitters or workshops.
M.Regular_Inpections
Recording equipment must be periodically inspected and calibrated.
M.Faithful_Calibration
Approved fitters and workshops must enter proper vehicle parameters in recording equipment during calibration.
5.7.6
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Security data generation and delivery
Equipment operation
M.Faithful_Drivers
5.7.7
Drivers must play by the rules and act responsibly (e.g. use their
driver cards, properly select their activity for those that are
manually selected, …).
Law enforcement control
M.Controls
5.7.8
Law enforcement controls must be performed regularly and randomly, and must include security audits.
Software upgrades
M.Software_Upgrade
Designed by
Software revisions must be granted security certification before
they can be implemented in a VU.
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
24 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
•
The Management Device (MD) is installed in the approved workshops according to
M.Approved_Workshops.
•
The software update data and necessary key data (for the software update) are imported into
the MD by the approved workshops according to M.Approved_Workshops.
•
The Management Device supports the appropriate communication interface with the Digital
Tachograph and secures the relevant secrets inside the MD as appropriate.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
25 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6 Security enforcing functions
6.1 Identification and authentication
<SEF1>
The TOE provides this security enforcing function of identification and authentication of
entities and human users.
This SEF includes the following features:
6.1.1
Motion sensor identification and authentication
UIA_201
The VU shall be able to establish, for every interaction, the identity of the motion sensor
it is connected to.
UIA_202
The identity of the motion sensor shall consist of the sensor approval number and the
sensor serial number.
UIA_203
The VU shall authenticate the motion sensor it is connected to:
-
At motion sensor connection,
At each calibration of the recording equipment,
At power supply recovery.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Authentication shall be mutual and triggered by the VU.
UIA_204
The VU shall periodically (period TBD by manufacturer: every 10 seconds, in calibration
mode up to 45 minutes and more frequently than once per hour) re-identify and reauthenticate the motion sensor it is connected to, and ensure that the motion sensor
identified during the last calibration of the recording equipment has not been changed.
UIA_205
The VU shall detect and prevent use of authentication data that has been copied and
replayed.
UIA_206
After (TBD by manufacturer: 2 and not more than 20) consecutive unsuccessful authentication attempts have been detected, and/or after detecting that the identity of the motion
sensor has changed while not authorised (i.e. while not during a calibration of the recording equipment), the SEF shall:
-
Designed by
generate an audit record of the event,
warn the user,
continue to accept and use non secured motion data sent by the motion sensor.
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
26 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.1.2
User identification and authentication
UIA_207
The VU shall permanently and selectively track the identity of two users, by monitoring
the tachograph cards inserted in respectively the driver slot and the co-driver slot of the
equipment.
UIA_208
The user identity shall consist of:
a user group:
DRIVER (driver card),
CONTROLLER (control card),
WORKSHOP (workshop card),
COMPANY (company card),
UNKNOWN (no card inserted),
a user ID, composed of :
the card issuing Member State code and of the card number,
UNKNOWN if user group is UNKNOWN.
UNKNOWN identities may be implicitly or explicitly known.
-
UIA_209
The VU shall authenticate its users at card insertion.
UIA_210
The VU shall re-authenticate its users:
-
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
-
At power supply recovery,
periodically or after occurrence of specific events (TBD by manufacturers: every 12
hours and more frequently than once per day).
UIA_211
Authentication shall be performed by means of proving that the card inserted is a valid
tachograph card, possessing security data that only the system could distribute. Authentication shall be mutual and triggered by the VU.
UIA_212
In addition to the above, workshops shall be required to be successfully authenticated
through a PIN check. PIN's shall be at least 4 characters long.
Note: In the case the PIN is transferred to the VU from an outside equipment located in
the vicinity of the VU, PIN confidentiality need not be protected during the transfer.
UIA_213
The VU shall detect and prevent use of authentication data that has been copied and
replayed.
UIA_214
After 5 consecutive unsuccessful authentication attempts have been detected, the SEF
shall:
-
Designed by
generate an audit record of the event,
warn the user,
assume the user as UNKNOWN, and the card as non valid (definition z) and requirement 007).
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
27 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
definition z in
2
“non valid card” means:
a card detected as faulty, or which initial authentication failed, or which start of validity date is not
yet reached, or which expiry date has passed.
requirement 007/008 in
2
The recording equipment shall switch to the following mode of operation according to the valid
tachograph cards inserted into the card interface devices:
Co-driver slot
Mode of
operation
Driver slot
No card
Driver card
Control card
Workshop card
Company card
No card
Operational
Operational
Control
Calibration
Company
Driver card
Operational
Operational
Control
Calibration
Company
Operational
Operational
Control card
Control
Control
Control
(*)
(*)
Workshop card
Calibration
Calibration
Operational
Calibration
Company card
Company
Company
Operational
Operational
Operational
Company (*)
(*)
In these situations the recording equipment shall use only the tachograph card inserted in the driver
slot.
6.1.3
Remotely connected company identification and authentication
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Company remote connection capability is implemented.
UIA_215
For every interaction with a remotely connected company, the VU shall be able to establish the company’s identity.
UIA_216
The remotely connected company’s identity shall consist of its company card issuing
Member State code and of its company card number.
UIA_217
The VU shall successfully authenticate the remotely connected company before allowing
any data export to it.
UIA_218
Authentication shall be performed by means of proving that the company owns a valid
company card, possessing security data that only the system could distribute.
UIA_219
The VU shall detect and prevent use of authentication data that has been copied and
replayed.
UIA_220
After 5 consecutive unsuccessful authentication attempts have been detected, the VU
shall:
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
28 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
-
6.1.4
warn the remotely connected company.
Management device identification and authentication
VU manufacturers may foresee dedicated devices for additional VU management functions (e.g. Software upgrading, security data reloading, …). This paragraph therefore applies only if this feature is
implemented.
A dedicated management device is foreseen for the software upgrade of the TOE.
UIA_221
For every interaction with a management device, the VU shall be able to establish the
device identity.
UIA_222
Before allowing any further interaction, the VU shall successfully authenticate the
management device.
UIA_223
The VU shall detect and prevent use of authentication data that has been copied and
replayed.
6.2 Access control
Access controls ensure that information is read from, created in, or modified into the TOE only by those
authorised to do so.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
It must be noted that the user data recorded by the VU, although presenting privacy or commercial
sensitivity aspects, are not of a confidential nature. Therefore, the functional requirement related to
data read access rights (requirement 011) is not the subject of a security enforcing function.
Requirement 011 of Annex 1B:
The recording equipment can output any data to display, printer or external interfaces with the following exceptions:
-
-
in the operational mode, any personal identification (surname and first name(s)) not corresponding to a
tachograph card inserted shall be blanked and any card number not corresponding to a tachograph card inserted shall be partially blanked (every odd character shall be blanked),
in the company mode, driver related data can be output only for periods not locked by another company (as
identified by the first 13 digits of the company card number),
when no card is inserted in the recording equipment, driver related data can be output only for the current
and 8 previous calendar days.
<SEF2>
Designed by
The TOE provides this security enforcing function of access control for access to function
and data of the TOE.
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
29 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
This SEF includes the following features:
6.2.1
Access control policy
ACC_201
6.2.2
The VU shall manage and check access control rights to functions and to data.
Access rights to functions
ACC_202
The VU shall enforce the mode of operation selection rules (requirements 006 to 009).
requirement 006 in 2 :
The recording equipment shall possess four modes of operation:
-
operational mode,
control mode,
calibration mode,
company mode.
requirement 007/008 in 2 :
see chapter 6.1.2 security enforcing function UIA_214
requirement 009 in 2 :
The recording equipment shall ignore non valid cards inserted, except displaying, printing or
downloading data held on an expired card which shall be possible.
ACC_203
The VU shall use the mode of operation to enforce the functions access control rules
(requirement 010).
requirement 010 in 2 (the functions in the TOE as described in 5.1.2 are the same as
listed in II.2):
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
All functions listed in II.2. shall work in any mode of operation with the following exceptions:
-
−
6.2.3
the calibration function is accessible in the calibration mode only,
the time adjustment function is limited when not in the calibration mode,
the driver manual entries function are accessible in operational or calibration modes only,
the company locks management function is accessible in the company mode only,
the monitoring of control activities function is operational in the control mode only,
the downloading function is not accessible in the operational mode.
Access rights to data
ACC_204
The VU shall enforce the VU identification data write access rules (requirement 076)
requirement 076 in 2:
Vehicle unit identification data are recorded and stored once and for all by the vehicle unit manu-
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
30 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
facturer, except the software related data and the approval number which may be changed in
case of software upgrade.
ACC_205
The VU shall enforce the paired motion sensor identification data write access rules (requirements 079 and 155)
2
requirement 079 in :
The vehicle unit shall be able to record and store in its data memory the following currently paired
motion sensor identification data:
-
serial number,
approval number,
first pairing date,
requirement 155 in 2:
Pairing the motion sensor to the VU shall consist, at least, in:
-
ACC_206
updating motion sensor installation data held by the motion sensor (as needed),
copying from the motion sensor to the VU data memory necessary motion sensor identification data.
After the VU activation, the VU shall ensure that only in calibration mode, may calibration
data be input into the VU and stored into its data memory (requirements 154 and 156).
requirement 154 in 2:
The calibration function shall allow:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
-
-
to automatically pair the motion sensor with the VU,
to digitally adapt the constant of the recording equipment (k) to the characteristic coefficient of
the vehicle (w) (vehicles with two or more axle ratios shall be fitted with a switch device
whereby these various ratios will automatically be brought into line with the ratio for which the
equipment has been adapted to the vehicle),
to adjust (without limitation) the current time,
to adjust the current odometer value,
to update motion sensor identification data stored in the data memory,
to update or confirm other parameters known to the recording equipment: vehicle identification, w, l, tyre type and speed limiting device setting if applicable.
requirement 156 in 2:
The calibration function shall be able to input necessary data through the calibration/downloading
connector in accordance with the calibration protocol defined in Appendix 8. The calibration
function may also input necessary data through other connectors.
ACC_207
After the VU activation, the VU shall enforce calibration data write and delete access
rules (requirement 097).
requirement 097 in 2:
The recording equipment shall record and store in its data memory data relevant to:
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
31 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
-
ACC_208
known calibration parameters at the moment of activation,
its very first calibration following its activation,
its first calibration in the current vehicle (as identified by its VIN),
the 5 most recent calibrations (If several calibrations happen within one calendar day, only
the last one of the day shall be stored).
After the VU activation, the VU shall ensure that only in calibration mode, may time adjustment data be input into the VU and stored into its data memory (This requirement
does not apply to small time adjustments allowed by requirements 157 and 158).
requirement 157 in 2:
The time adjustment function shall allow for adjusting the current time in amounts of 1 minute
maximum at intervals of not less than 7 days.
2
requirement 158 in :
The time adjustment function shall allow for adjusting the current time without limitation, in calibration mode.
ACC_209
After the VU activation, the VU shall enforce time adjustment data write and delete access rules (requirement 100).
2
requirement 100 in :
The recording equipment shall record and store in its data memory data relevant to:
the most recent time adjustment,
the 5 largest time adjustments, since last calibration,
performed in calibration mode outside the frame of a full calibration.
-
ACC_210
The VU shall enforce appropriate read and write access rights to security data (requirement 080).
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
2
requirement 080 in :
The recording equipment shall be able to store the following security elements:
-
European public key,
Member State certificate,
Equipment certificate,
Equipment private key.
Recording equipment security elements are inserted in the equipment by the vehicle unit manufacturer.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
32 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.2.4
File structure and access conditions
ACC_211
Application and data files structure and access conditions shall be created during the
manufacturing process, and then locked from any future modification or deletion.
6.3 Accountability
<SEF3>
The TOE provides this security enforcing function of accountability for collection of accurate data in the TOE.
This SEF includes the following features:
ACT_201
The VU shall ensure that drivers are accountable for their activities (requirements 081,
084, 087 105a, 105b 109 and 109a).
requirement 081 in 2:
For each insertion and withdrawal cycle of a driver or workshop card in the equipment, the recording equipment shall record and store in its data memory:
-
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
-
the card holder’s name and first names as stored in the card,
the card’s number, issuing Member State and expiry date as stored in the card,
the insertion date and time,
the vehicle odometer value at card insertion,
the slot in which the card is inserted,
the withdrawal date and time,
the vehicle odometer value at card withdrawal,
the following information about the previous vehicle used by the driver, as stored in the card:
- VRN and registering Member State,
- card withdrawal date and time;
a flag indicating whether, at card insertion, the card holder has manually entered activities or
not.
requirement 084 in 2:
The recording equipment shall record and store in its data memory whenever there is a change of
activity for the driver and/or the co-driver, and/or whenever there is a change of driving status,
and/or whenever there is an insertion or withdrawal of a driver or workshop card:
-
the driving status (CREW, SINGLE)
the slot (DRIVER, CO-DRIVER),
the card status in the relevant slot (INSERTED, NOT INSERTED)(See Note),
the activity (DRIVING, AVAILABILITY, WORK, BREAK/REST).
the date and time of the change,
Note: INSERTED means that a valid driver or workshop card is inserted in the slot. NOT
INSERTED means the opposite i.e. no valid driver or workshop card is inserted in the slot (e.g.
a company card is inserted or no card is inserted)
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
33 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
2
requirement 087 in :
The recording equipment shall record and store in its data memory whenever a (co-) driver enters
the place where a daily work period begins and/or ends:
-
If applicable, the (co-)driver card number and card issuing Member State,
the date and time of the entry,
the type of entry (begin or end),
the country and region entered,
the vehicle odometer value.
2
requirement 105a in :
The recording equipment shall record in its data memory the following data relevant to specific
conditions:
-
Date and time of the entry,
Type of specific condition.
2
requirement 105b in :
The data memory shall be able to hold specific conditions data for at least 365 days (with the
assumption that on average, 1 condition is opened and closed per day). When storage capacity is
exhausted, new data shall replace oldest data.
2
requirement 109 in :
The recording equipment shall update data stored on valid driver, workshop and/or control cards
with all necessary data relevant to the period while the card is inserted and relevant to the card
holder. Data stored on these cards are specified in Chapter IV.
requirement 109a in 2:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The recording equipment shall update driver activity data (as specified in Chapter IV paragraph
5.2.5), stored on valid driver and/or workshop cards, with activity data manually entered by the
cardholder.
ACT_202
The VU shall hold permanent identification data (requirement 075).
2
requirement 075 in :
The recording equipment shall be able to store in its data memory the following vehicle unit identification data:
Designed by
name of the manufacturer,
address of the manufacturer,
part number,
serial number,
software version number,
software version installation date,
year of equipment manufacture,
approval number,
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
34 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
ACT_203
The VU shall ensure that workshops are accountable for their activities (requirements
098, 101 and 109).
requirement 098 in 2:
The following data shall be recorded for each of these calibrations:
-
Purpose of calibration (activation, first installation, installation, periodic inspection, other)
workshop name and address,
workshop card number, card issuing Member State and card expiry date,
vehicle identification,
parameters updated or confirmed: w, k, l, tyre type, speed limiting device setting, odometer
(old and new values), date and time (old and new values).
requirement 101 in 2:
The following data shall be recorded for each of these time adjustments:
-
date and time, old value,
date and time, new value,
workshop name and address,
workshop card number, card issuing Member State and card expiry date.
requirement 109 in 2:
The recording equipment shall update data stored on valid driver, workshop and/or control cards
with all necessary data relevant to the period while the card is inserted and relevant to the card
holder. Data stored on these cards are specified in Chapter IV.
ACT_204
The VU shall ensure that controllers are accountable for their activities (requirements
102, 103 and 109).
requirement 102 in 2:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The recording equipment shall record and store in its data memory the following data relevant to
the 20 most recent control activities:
-
date and time of the control,
control card number and card issuing Member State,
type of the control (displaying and/or printing and/or VU downloading and/or card downloading).
requirement 103 in 2:
In case of downloading, the dates of the oldest and of the most recent days downloaded shall
also be recorded.
2
requirement 109 in :
The recording equipment shall update data stored on valid driver, workshop and/or control cards
with all necessary data relevant to the period while the card is inserted and relevant to the card
holder. Data stored on these cards are specified in Chapter IV.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
35 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
ACT_205
The VU shall record odometer data (requirement 090) and detailed speed data (requirement 093).
requirement 090 in 2:
The data memory shall be able to store midnight odometer values for at least 365 calendar days.
requirement 093 in 2:
The recording equipment shall record and store in its data memory the instantaneous speed of
the vehicle and the corresponding date and time for every second of at least the last 24 hours
that the vehicle has been moving.
ACT_206
The VU shall ensure that user data related to requirements 081 to 093 and 102 to 105b
inclusive are not modified once recorded, except when becoming oldest stored data to
be replaced by new data.
requirement 081 to 083 in 2:
Driver card insertion and withdrawal data
requirement 084 to 086 in 2:
Driver activity data
2
requirement 087to 089 in :
2
requirement 090 to 092 in :
2
requirement 093 in :
Odometer data
Detailed speed data
2
requirement 102 to 103 in :
2
ACT_207
Places where daily work periods start and/or end
Control activity data
requirement 104 in :
Company locks data
requirement 105 in 2:
Download activity data
The VU shall ensure that it does not modify data already stored in a tachograph card
(requirement 109 and 109a) except for replacing oldest data by new data (requirement
110) or in the case described in Appendix 1 Paragraph 2.1.Note.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
requirement 109 in 2:
The recording equipment shall update data stored on valid driver, workshop and/or control cards
with all necessary data relevant to the period while the card is inserted and relevant to the card
holder. Data stored on these cards are specified in Chapter IV.
requirement 109a in 2:
see ACT_201
requirement 110 in 2:
Tachograph cards data update shall be such that, when needed and taking into account card
actual storage capacity, most recent data replace oldest data.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
36 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.4 Audit
Audit capabilities are required only for events that may indicate a manipulation or a security breach
attempt. It is not required for the normal exercising of rights even if relevant to security.
<SEF4>
The TOE provides this security enforcing function of audit related to attempts to undermine the security of the TOE and provides the traceability to associated users.
This SEF includes the following features:
Note: The security breach attempt "internal data transfer" does not apply to the TOE, because it does not make use of physically separated parts (see 6.6.2.).
AUD_201
The VU shall, for events impairing the security of the VU, record those events with associated data (requirements 094, 096 and 109).
requirement 094 in 2:
The recording equipment shall record and store in its data memory the following data for each
event detected according to the following storage rules:
Event
Card
conflict
Storage rules
- the 10 most recent events.
-
Driving
without
an appropriate card
the longest event for each of
the 10 last days of occurrence,
- the 5 longest events over the last
365 days.
Card
insertion
while
driving
Last
card
session
not correctly
closed
- the last event for each of the 10
last days of occurrence,
-
-
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
-
Designed by
-
- the 10 most recent events.
-
Date
Department
Data to be recorded per event
date and time of beginning of event,
date and time of end of event,
cards’ type, number and issuing Member
State of the two cards creating the conflict.
date and time of beginning of event,
date and time of end of event,
cards’ type, number and issuing Member
State of any card inserted at beginning
and/or end of the event,
number of similar events that day.
date and time of the event,
card’s type, number and issuing Member
State,
number of similar events that day
date and time of card insertion,
card’s type, number and issuing Member
State,
last session data as read from the card:
date and time of card insertion,
- VRN and Member State of registration.
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
37 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
Over
speeding (1)
the most serious event for each
of the 10 last days of occurrence (i.e. the one with the
highest average speed),
the 5 most serious events over
the last 365 days.
- the first event having occurred
after the last calibration
-
-
Power
supply
interruption (2)
the longest event for each of
the 10 last days of occurrence,
- the 5 longest events over the last
365 days.
Motion
data
error
the longest event for each of
the 10 last days of occurrence,
- the 5 longest events over the last
365 days.
Security
breach
attempt
- the 10 most recent events per
type of event.
-
-
-
-
-
-
date and time of beginning of event,
date and time of end of event,
maximum speed measured during the
event,
arithmetic average speed measured during
the event,
card’s type, number and issuing Member
State of the driver (if applicable),
number of similar events that day.
date and time of beginning of event,
date and time of end of event,
cards’ type, number and issuing Member
State of any card inserted at beginning
and/or end of the event,
number of similar events that day.
date and time of beginning of event,
date and time of end of event,
cards’ type, number and issuing Member
State of any card inserted at beginning
and/or end of the event,
number of similar events that day.
date and time of beginning of event,
date and time of end of event (if relevant),
cards’ type, number and issuing Member
State of any card inserted at beginning
and/or end of the event,
type of event.
2
requirement 096 in :
The recording equipment shall attempt to record and store in its data memory the following data
for each fault detected according to the following storage rules:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Fault
Card
fault
Storage rules
- the 10 most recent driver card
faults.
-
Recording
equipment
faults
the 10 most recent faults for
each type of fault,
- the first fault after the last calibration.
-
-
-
Data to be recorded per fault
date and time of beginning of fault,
date and time of end of fault,
card’s type number and issuing Member
State.
date and time of beginning of fault,
date and time of end of fault,
type of fault,
cards’ type, number and issuing Member
State of any card inserted at beginning
and/or end of the fault.
requirement 109 in 2:
The recording equipment shall update data stored on valid driver, workshop and/or control cards
with all necessary data relevant to the period while the card is inserted and relevant to the card
holder. Data stored on these cards are specified in Chapter IV.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
38 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
AUD_202
AUD_203
The events affecting the security of the VU are the following:
−
Security breach attempts:
− motion sensor authentication failure,
− tachograph card authentication failure,
− unauthorised change of motion sensor,
− card data input integrity error,
− stored user data integrity error,
− internal data transfer error,
− unauthorised case opening,
− hardware sabotage,
−
Last card session not correctly closed,
−
Motion data error event,
−
Power supply interruption event,
−
VU internal fault.
The VU shall enforce audit records storage rules (requirement 094 and 096).
requirement 094 in 2:
see security enforcing function AUD_201
requirement 096 in 2:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
see security enforcing function AUD_201
AUD_204
The VU shall store audit records generated by the motion sensor in its data memory.
AUD_205
It shall be possible to print, display and download audit records.
6.5 Object re-use
<SEF5>
The TOE provides this security enforcing function of object reuse.
This SEF includes the following features:
REU_201
Designed by
The VU shall ensure that temporary storage objects can be reused without this involving
inadmissible information flow.
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
39 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.6 Accuracy
<SEF6>
The TOE provides this security enforcing function of accuracy of stored data in the TOE.
This SEF includes the following features:
6.6.1
Information flow control policy
ACR_201
The VU shall ensure that user data related to requirements 081, 084, 087, 090, 093,
102, 104, 105, 105a and 109 may only be processed from the right input sources:
− vehicle motion data,
− VU’s real time clock,
− recording equipment calibration parameters,
− tachograph cards,
− user’s inputs.
requirement 081, 084, 087, 105, 105a, 109 in 2:
see chapter 6.3 security enforcing function ACT_201
2
requirement 102 in :
see chapter 6.3 security enforcing function ACT_204
requirement 090, 093 in 2:
see chapter 6.3 security enforcing function ACT_205
requirement 104 in 2:
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The recording equipment shall record and store in its data memory the following data relevant to
the 20 most recent company locks:
-
ACR_201a
lock-in date and time,
lock-out date and time,
company card number and card issuing Member State,
company name and address.
The VU shall ensure that user data related to requirement 109a may only be entered for
the period last card withdrawal – current insertion (requirement 050a).
requirement 109a in 2:
see chapter 6.3 security enforcing function ACT_201
2
requirement 50a in :
Upon driver (or workshop) card insertion, and only at this time, the recording equipment shall
remind to the cardholder the date and time of his last card withdrawal and the activity selected at
that time, and shall prompt the cardholder for a “Declaration ?”. If the prompt is negatively anDesigned by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
40 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
swered, the recording equipment shall require the cardholder to confirm his answer. If the prompt
is positively answered, the recording equipment shall:
-
-
allow the cardholder to manually enter activities, with their dates and times of beginning and
end, among WORK or AVAILABILITY or BREAK/REST only, strictly included within the period last card withdrawal – current insertion only,
allow the cardholder to modify or delete any such activities manually entered, until validation
by selection of a specific command, and then forbid any such modification,
not allow entry of activities that overlap activities already entered.
A positive answer to the prompt followed by no activity entries, shall be interpreted by the recording equipment as a negative answer to the prompt.
During this process, the recording equipment shall wait for entries no longer than the following
time-outs:
if no interaction with the equipment’s human machine interface is happening during 1 minute
(with an audible or visual warning after 30 seconds) or,
if the card is withdrawn or another driver (or workshop) card is inserted or,
as soon as the vehicle is moving,
in this case the recording equipment shall validate any entries already made.
-
6.6.2
Internal data transfers
The requirements of this paragraph apply only if the VU makes use of physically separated parts.
ACR_202
If data are transferred between physically separated parts of the VU, the data shall be
protected from modification.
ACR_203
Upon detection of a data transfer error during an internal transfer, transmission shall be
repeated and the SEF shall generate an audit record of the event.
Since the TOE is a single protected entity, this requirement does not apply for the TOE.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
6.6.3
Stored data integrity
ACR_204
The VU shall check user data stored in the data memory for integrity errors.
ACR_205
Upon detection of a stored user data integrity error, the SEF shall generate an audit record.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
41 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.7 Reliability of service
<SEF7>
The TOE provides this security enforcing function of reliability of service
This SEF includes the following features:
6.7.1
Tests
RLB_201
All commands, actions or test points, specific to the testing needs of the manufacturing
phase of the VU shall be disabled or removed before the VU activation. It shall not be
possible to restore them for later use.
RLB_202
The VU shall run self tests, during initial start-up, and during normal operation to verify its
correct operation. The VU self tests shall include a verification of the integrity of security
data and a verification of the integrity of stored executable code (if not in ROM).
RLB_203
Upon detection of an internal fault during self test, the SEF shall:
−
−
6.7.2
Software
RBL_204
There shall be no way to analyse or debug software in the field after the VU activation.
RLB_205
Inputs from external sources shall not be accepted as executable code.
6.7.3
Physical protection
RLB_206
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
generate an audit record (except in calibration mode) (VU internal fault),
preserve the stored data integrity.
If the VU is designed so that it can be opened, the VU shall detect any case opening,
except in calibration mode, even without external power supply for a minimum of 6
months. In such a case, the SEF shall generate an audit record (It is acceptable that the
audit record is generated and stored after power supply reconnection).
If the VU is designed so that it cannot be opened, it shall be designed such that physical
tampering attempts can be easily detected (e.g. through visual inspection).
RLB_207
After its activation, the VU shall detect specified (TBD by manufacturer) hardware sabotage:.
•
RLB_208
Manipulation of the mechanisms for the cart reader
In the case described above, the SEF shall generate an audit record and the VU shall:
(TBD by manufacturer).
For the mechanisms of the cart reader
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
42 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
The audit record is displayed and stored in the memory for event and faults. If possible
the data will be stored on the tachograph card and than the tachograph card
withdrawals.
6.7.4
Power supply interruptions
RLB_209
The VU shall detect deviations from the specified values of the power supply, including
cut-off.
RLB_210
In the case described above, the SEF shall:
− generate an audit record (except in calibration mode),
− preserve the secure state of the VU,
− maintain the security functions, related to components or processes still operational,
− preserve the stored data integrity.
6.7.5
Reset conditions
RLB_211
6.7.6
In case of a power supply interruption, or if a transaction is stopped before completion,
or on any other reset conditions, the VU shall be reset cleanly.
Data availability
RLB_212
The VU shall ensure that access to resources is obtained when required and that resources are not requested nor retained unnecessarily.
RLB_213
The VU must ensure that cards cannot be released before relevant data have been
stored to them (requirements 015 and 016).
requirement 015 in 2:
The recording equipment shall be so designed that the tachograph cards are locked in position on
their proper insertion into the card interface devices.
2
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
requirement 016 in :
The release of tachograph cards may function only when the vehicle is stopped and after the
relevant data have been stored on the cards. The release of the card shall require positive action
on behalf of the release.
RLB_214
6.7.7
In the case described above, the SEF shall generate an audit record of the event.
Multiple applications
The VU provides only the tachograph application.
RLB_215
Designed by
If the VU provides applications other than the tachograph application, all applications
shall be physically and/or logically separated from each other. These applications shall
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
43 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
not share security data. Only one task shall be active at a time.
6.8 Data exchange
This paragraph addresses data exchange between the VU and connected devices.
<SEF8>
This SEF includes the following features:
6.8.1
Data exchange with motion sensor
DEX_201
The VU shall verify the integrity and authenticity of motion data imported from the motion
sensor.
DEX_202
Upon detection of a motion data integrity or authenticity error, the SEF shall:
− generate an audit record,
− continue to use imported data.
6.8.2
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The TOE provides this security enforcing function of data exchange with connected entities.
Data exchange with tachograph cards
DEX_203
The VU shall verify the integrity and authenticity of data imported from tachograph cards.
DEX_204
Upon detection of a card data integrity or authenticity error, the SEF shall:
− generate an audit record,
− not use the data.
DEX_205
The VU shall export data to tachograph smart cards with associated security attributes
such that the card will be able to verify its integrity and authenticity.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
44 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
6.8.3
Data exchange with external storage media (downloading function))
DEX_206
The VU shall generate an evidence of origin for data downloaded to external media.
DEX_207
The VU shall provide a capability to verify the evidence of origin of downloaded data to
the recipient.
DEX_208
The VU shall download data to external storage media with associated security attributes
such that downloaded data integrity and authenticity can be verified.
6.9 Cryptographic support
The requirements of this paragraph are applicable only where needed, depending upon security
mechanisms used and upon the manufacturer’s solutions.
<SEF9>
The TOE provides this security enforcing function of cryptographic support.
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
This SEF includes the following features:
CSP_201
Any cryptographic operation performed by the VU shall be in accordance with a specified
algorithm and a specified key size.
CSP_202
If the VU generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes
CSP_203
If the VU distributes cryptographic keys, it shall be in accordance with specified key distribution methods.
CSP_204
If the VU accesses cryptographic keys, it shall be in accordance with specified cryptographic keys access methods.
CSP_205
If the VU destroys cryptographic keys, it shall be in accordance with specified cryptographic keys destruction methods.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
45 / 52
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
7 Definition of security mechanisms
Required security mechanisms are specified in Appendix 11 6.
All other security mechanisms are to be defined by manufacturers.
The TOE provides the security mechanisms as described in the documents for the detailed design to
its users and entities.
8 Minimum strength of security mechanisms
The minimum strength of the Vehicle Unit security mechanisms is High, as defined in ITSEC 7.
9 Level of assurance
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
The target level of assurance for the Vehicle Unit is ITSEC level E3, as defined in ITSEC 7.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
46 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
-
-
Delivery
Activation
Security Data Generation
Security Data Transport
Security Data Crypt
Card Availability
One Driver Card
Card Traceability
Approved Workshops
Regular Inspection Calibration
Faithful workshops
Faithful drivers
Law enforcement controls
Software Upgrade
Designed by
x
x
x
Date
Department
Document
40225345 SPE 000 AB
Security_Data
Software
Stored_Data
Access
Accountability
Audit
Authentication
Integrity
Output
Processing
Reliability
Secured_Data_Exchange
Access
Identification
Faults
Tests
Design
Calibration_Parameters
Card_Data_Exchange
Clock
Environment
Fake_Devices
Hardware
Motion_Data
Non_Activated
Output_Data
Power_Supply
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
10 Rationale
The following matrixes give a rationale for the SEFs by showing:
which SEFs or means counteract which threats,
which SEFs fulfil IT security objectives.
Threats
IT Objectives
Physical Personnel Procedural Means
Development
x x x
Manufacturing
x x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x x
x
x
x x x x x
x
x
x
Released by
Date
Department
Winfried Rogenz
2012-04-25
Designation
I CV AM TTS LRH
Security Target DTCO 1381, Release 1.3v
Version
Pages
47 / 52
Security Enforcing Functions
<SEF1> Identification and Authentication
UIA_201
UIA_202
UIA_203
UIA_204
UIA_205
UIA_206
UIA_207
UIA_208
UIA_209
UIA_210
UIA_211
UIA_212
UIA_213
UIA_214
UIA_215
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
IT Objectives
Security_Data
Software
Stored_Data
Access
Accountability
Audit
Authentication
Integrity
Output
Processing
Reliability
Secured_Data_Exchange
Threats
Access
Identification
Faults
Tests
Design
Calibration_Parameters
Card_Data_Exchange
Clock
Environment
Fake_Devices
Hardware
Motion_Data
Non_Activated
Output_Data
Power_Supply
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
UIA_216
UIA_217
UIA_218
UIA_219
UIA_220
UIA_221
UIA_222
UIA_223
Designed by
Sensor identification
Sensor identity
Sensor authentication
Sensor re-identification
and re-authentication
Unforgeable authentication
Authentication failure
Users identification
User identity
User authentication
User re-authentication
Authentication means
PIN checks
Unforgeable authentication
Authentication failure
Remote user identification
Remote user identity
Remote user authentication
Authentication means
Unforgeable authentication
Authentication failure
Management device
Identification
Management device
Authentication
Unforgeable authentication
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x x
x x
x
x
x
x
x
x x
x x
x
x
x
x
x x
x x
x
x
x x
x
x
x x
x
x
x
x
x
x x
x x
Date
x
x
x
x
x
x
x
x
Department
x
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
48 / 52
IT Objectives
Security_Data
Software
Stored_Data
Access
Accountability
Audit
Authentication
Integrity
Output
Processing
Reliability
Secured_Data_Exchange
Threats
Access
Identification
Faults
Tests
Design
Calibration_Parameters
Card_Data_Exchange
Clock
Environment
Fake_Devices
Hardware
Motion_Data
Non_Activated
Output_Data
Power_Supply
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
<SEF2> Access Control
ACC_201 Access control policy
ACC_202 Access rights to functions
ACC_203 Access rights to functions
ACC_204 VU ID
ACC_205 Connected sensor ID
ACC_206 Calibration data
ACC_207 Calibration data
ACC_208 Time adjustment data
ACC_209 Time adjustment data
ACC_210 Security Data
ACC_211 File structure and access conditions
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
X
x
x x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
<SEF3> Accountability
ACT_201 Drivers accountability
ACT_202 VU ID data
ACT_203 Workshops accountability
ACT_204 Controllers accountability
ACT_205 Vehicle movement
accountability
ACT_206 Accountability data
modification
ACT_207 Accountability data
modification
x
x x
x
x
x
x
x
x
x
x
x
<SEF4> Audit
AUD_201 Audit records
AUD_202 Audit events list
AUD_203 Audit records storage
rules
AUD_204 Sensor audit records
AUD_205 Audit tools
x
x
x x
x x
x
x
x
x
x
x
<SEF5> Re-use
REU_201 Re-use
Designed by
x
Date
Department
x x
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
49 / 52
IT Objectives
Security_Data
Software
Stored_Data
Access
Accountability
Audit
Authentication
Integrity
Output
Processing
Reliability
Secured_Data_Exchange
Threats
Access
Identification
Faults
Tests
Design
Calibration_Parameters
Card_Data_Exchange
Clock
Environment
Fake_Devices
Hardware
Motion_Data
Non_Activated
Output_Data
Power_Supply
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
<SEF6> Accuracy
ACR_201 Information flow control
policy
ACR_201a Information flow control
policy
ACR_202 Internal transfers
ACR_203 Internal transfers
ACR_204 Stored data integrity
ACR_205 Stored data integrity
x
x
x
x x
x
x
x
x x
x
x
x x x
x
x
x
x
x
x
<SEF7> Reliability
RLB_201
RLB_202
RLB_203
RLB_204
RLB_205
RLB_206
RLB_207
RLB_208
RLB_209
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
RLB_210
RLB_211
RLB_212
RLB_213
RLB_214
RLB_215
Designed by
Manufacturing tests
Self tests
Self tests
Software analysis
Software input
Case opening
Hardware sabotage
Hardware sabotage
Power supply interruptions
Power supply interruptions
Reset
Data Availability
Card release
card session not correctly closed
Multiple Applications
Date
x x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x x x
x
x
x
x
x x x
x
x
x
x
x
x
x
x
x
x
x x
x
x
x
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
50 / 52
IT Objectives
Security_Data
Software
Stored_Data
Access
Accountability
Audit
Authentication
Integrity
Output
Processing
Reliability
Secured_Data_Exchange
Threats
Access
Identification
Faults
Tests
Design
Calibration_Parameters
Card_Data_Exchange
Clock
Environment
Fake_Devices
Hardware
Motion_Data
Non_Activated
Output_Data
Power_Supply
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
<SEF8> Data exchange
DEX_201 Secured motion data
import
DEX_202 Secured motion data
import
DEX_203 Secured card data
import
DEX_204 Secured card data
import
DEX_205 Secured data export to
cards
DEX_206 Evidence of origin
DEX_207 Evidence of origin
DEX_208 Secured export to external media
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
<SEF9> Cryptographic support
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
CSP_201
CSP_202
CSP_203
CSP_204
CSP_205
Algorithms
key generation
key distribution
key access
key destruction
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
This table conplies to the corrigendum dated from 13.03.2004 published in the Official Journal of the
EU No. L 77.
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
51 / 52
The copying, distribution and utilization of this document as well as the
communication of its contents to others without expressed authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or
ornamental design registration.
Observe
Observe
Protection
marks
for restricting
the use
of documents
products
Protection
marks
for restricting
the use
of documents
and and
products
(DIN(DIN
34: 1998-01)
34: 1998-01)
SECURITY TARGET DTCO 1381, Release 1.3v
11 References
1
Appendix 10 of Annex 1B of Council Regulation (EEC) No. 3821/85 - Generic Security Targets
2
Annex 1B of Council Regulation (EEC) No. 3821/85 amended by CR (EC) No. 1360/2002, CR (EC)
No. 432/2004 and corrigendum dated from 13.03.2004 (OJ L 77) and last amended by CR (EC)
No.561/2006 and CR (EC) No. 1791/2006
3
Council Regulation (EEC) No. 3821/85 of the 20 December 1985 on recording equipment in road
transport.
4
Council REGULATION (EC) No 2135/98 of 24 September 1998 amending Regulation (EEC) No
3821/85 on recording equipment in road transport and Directive 88/599/EEC concerning the
application of Regulations (EEC) No 3820/84 and (EEC) No 3821/85
5
Appendix 1 of Annex 1B of Council Regulation (EEC) No. 3821/85 - Data Dictionary
6
Appendix 11 of Annex 1B of Council Regulation (EEC) No. 3821/85 - Common Security Mechanisms
7
ITSEC Information Technology Security Evaluation Criteria 1991
Designed by
Date
Department
Released by
Date
Department
Winfried Rogenz
2012-04-25
I CV AM TTS LRH
Designation
Security Target DTCO 1381, Release 1.3v
Document
40225345 SPE 000 AB
Version
Pages
52 / 52