Certification Report: PP0017a

Bundesamt für Sicherheit in der Informationstechnik

BSI-PP-0017-2005

Protection Profile

for

Machine Readable Travel Document with „ICAO Application", Basic Access Control

Version 1.0

developed on behalf of the

Federal Ministry of the Interior, Germany

Certification Report

- Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn

Telefon +49 228 9582-0, Infoline +49 228 9582-111, Telefax +49 228 9582-455

Bundesamt für Sicherheit in der Informationstechnik

Certificate BSI-PP-0017-2005

Protection Profile

for

Machine Readable Travel Document with „ICAO Application", Basic

Access Control, Version 1.0

Common Criteria Arrangement

developed on behalf of the Federal Ministry of the Interior, Germany

Assurance Package: EAL 4 augmented with ADV_IMP.2 and ALC_DVS.2

Bonn, 26. October 2005

The Vice President of the Federal Office for Information Security

Hange L.S.

The Protection Profile mentioned above was evaluated at an accredited and licenced/approved evaluation facility on the basis of the Common Criteria for Information Technology Security Evaluation (CC), Version 2.1 (ISO/IEC 15408) applying the Common Methodology for Information Technology Security Evaluation (CEM), Part 1 Version 0.6, Part 2 Version 1.0 and including final interpretations for compliance with Common Criteria Version 2.2 and Common Methodology Part 2, Version 2.2.

This certificate applies only to the specific version and release of the Protection Profile and in conjunction with the complete Certification Report.

The evaluation has been conducted in accordance with the provisions of the certification scheme of the Federal Office for Information Security. The conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced.

This certificate is not an endorsement of the Protection Profile by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, and no warranty of the Protection Profile by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, is either expressed or implied.


Preliminary Remarks

Under the BSIG¹ Act, the Bundesamt für Sicherheit in der Informationstechnik (BSI) has the task of issuing certificates for information technology products as well as for Protection Profiles (PP).

A PP defines an implementation-independent set of IT security requirements for a category of TOEs which are intended to meet common consumer needs for IT security. The development and certification of a PP or the reference to an existent one gives consumers the possibility to express their IT security needs without referring to a special product. Product or system certifications can be based on Protection Profiles. For products which have been certified based on a Protection Profile an individual certificate will be issued.

Certification of a Protection Profile is carried out on the instigation of the author, hereinafter called the sponsor.

A part of the procedure is the technical examination (evaluation) of the Protection Profile according to Common Criteria [1].

The evaluation is carried out by an evaluation facility recognised by the BSI or by the BSI itself.

The result of the certification procedure is the present Certification Report. This report contains among others the certificate (summarised assessment) and the detailed Certification Results.

¹ Act setting up the Bundesamt für Sicherheit in der Informationstechnik (BSI-Errichtungsgesetz, BSIG) of 17 December 1990, Bundesgesetzblatt I p. 2834


Contents

Part A: Certification

Part B: Certification Results

Annex: Protection Profile BSI-PP-0017-2005


A Certification

1 Specifications of the Certification Procedure

The certification body conducts the procedure according to the criteria laid down in the following:

• BSIG²

• BSI Certification Ordinance³

• BSI Schedule of Costs⁴

• Special decrees issued by the Bundesministerium des Innern (Federal Ministry of the Interior)

• DIN EN 45011

• BSI Certification - Description of the Procedure (BSI 7125)

• Procedure for the Issuance of a PP certificate by the BSI

• Common Criteria for Information Technology Security Evaluation, Version 2.1⁵

• Common Methodology for IT Security Evaluation, Part 1 Version 0.6, Part 2 Version 1.0

2002

• BSI certification: Application Notes and Interpretation of the Scheme (AIS)

The use of Common Criteria Version 2.1, Common Methodology, Part 2, Version 1.0 and final interpretations as part of AIS 32 results in compliance of the certification results with Common Criteria Version 2.2 and Common Methodology Part 2, Version 2.2 as endorsed by the Common Criteria recognition arrangement committees.

² Act setting up the Bundesamt für Sicherheit in der Informationstechnik (BSI-Errichtungsgesetz, BSIG) of 17 December 1990, Bundesgesetzblatt I p. 2834

³ Ordinance on the Procedure for Issuance of a Certificate by the Bundesamt für Sicherheit in der Informationstechnik (BSI-Zertifizierungsverordnung, BSIZertV) of 7 July 1992, Bundesgesetzblatt I p. 1230

⁴ Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der Informationstechnik (BSI-Kostenverordnung, BSI-KostV) of 03 March 2005, Bundesgesetzblatt I p. 519

⁵ Proclamation of the Bundesministerium des Innern of 22 September 2000


In order to avoid multiple certification of the same Protection Profile in different countries, a mutual recognition of Protection Profile certificates under certain conditions was agreed.

An arrangement (Common Criteria Arrangement) on the mutual recognition of certificates based on the CC evaluation assurance levels up to and including EAL 4 was signed in May 2000. It also includes the recognition of Protection Profiles based on the CC. The arrangement was signed by the national bodies of Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, United Kingdom and the United States. Israel joined the arrangement in November 2000, Sweden in February 2002, Austria in November 2002, Hungary and Turkey in September 2003, Japan in November 2003, the Czech Republic in September 2004, the Republic of Singapore in March 2005 and India in April 2005.


3 Performance of Evaluation and Certification

The certification body monitors each individual evaluation to ensure a uniform procedure, a uniform interpretation of the criteria and uniform ratings.

The Protection Profile for Machine Readable Travel Document with „ICAO Application", Basic Access Control, Version 1.0 has undergone the certification procedure at the BSI.

The evaluation of the Protection Profile for Machine Readable Travel Document with „ICAO Application", Basic Access Control, Version 1.0 was conducted by SRC Security Research & Consulting GmbH. The evaluation facility of SRC Security Research & Consulting GmbH is an evaluation facility (ITSEF)⁶ recognised by BSI.

The developer is the ‘Federal Office for Information Security (BSI)’ on behalf of the ‘Federal Ministry of the Interior, Germany’.

The certification was concluded with

• the comparability check and the preparation of this Certification Report.

This work was completed by the BSI on 26. October 2005.

⁶ Information Technology Security Evaluation Facility


4 Publication

The following Certification Results contain pages B-1 to B-10.

The Protection Profile for Machine Readable Travel Document with „ICAO Application", Basic Access Control, Version 1.0 has been included in the BSI list of certified and registered Protection Profiles, which is published regularly (see also Internet: http://www.bsi.bund.de). Further information can be obtained via the BSI-Infoline +49 228 9582-111.

Further copies of this Certification Report may be ordered from the BSI⁷. The Certification Report may also be obtained in electronic form at the internet address stated above.

⁷ Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn, Telefon +49 228 9582-0, Infoline +49 228 9582-111, Telefax +49 228 9582-455


Content of the Certification Results

4 Strength of Functions          6
5 Results of the Evaluation      6
6 Definitions                    7
7 Bibliography                   8

The Protection Profile (PP) [7] defines the security objectives and requirements for the contactless chip of machine readable travel documents (MRTD) based on the requirements and recommendations of the International Civil Aviation Organisation (ICAO). It addresses the security method Basic Access Control in the Technical Reports of the ICAO New Technology Working Group.

The Target of Evaluation (TOE) defined in the PP is the contactless integrated circuit chip of machine readable travel documents (MRTD’s chip) programmed according to the Logical Data Structure (LDS) [8] and providing the Basic Access Control according to the ICAO document [9].

The TOE comprises the circuitry of the MRTD’s chip (the integrated circuit, IC) with hardware for the contactless interface, e.g. antennae, capacitors, the IC Dedicated Software with the parts IC Dedicated Test Software and IC Dedicated Support Software, the IC Embedded Software (operating system), the MRTD application and the associated guidance documentation. The TOE is usually integrated into a passport book of an MRTD holder for whom the issuing state or organisation has personalised the MRTD.

The TOE life cycle is described in terms of four life cycle phases: Phase 1 “Development”, Phase 2 “Manufacturing”, Phase 3 “Personalization of the MRTD”, Phase 4 “Operational Use”. The intention of the PP is to consider at least phases 1 and 2 as part of the evaluation and therefore to define TOE delivery according to CC after phase 2 or later.

The PP defines the following Security Objectives for the TOE:

Identifier for Sec. Objective   Issue addressed by the Security Objective
OT.AC_Pers                      Access Control for Personalization of logical MRTD
OT.Data_Int                     Integrity of personal data
OT.Data_Conf                    Confidentiality of personal data
OT.Prot_Abuse-Func              Protection against Abuse of Functionality
OT.Prot_Inf_Leak                Protection against Information Leakage
OT.Prot_Phys-Tamper             Protection against Physical Tampering
OT.Prot_Malfunction             Protection against Malfunctions

Table 1: Security Objectives for the TOE

The PP defines the Security Objectives for the environment of the TOE divided into several categories:


Identifier for Sec. Objective   Issue addressed by the Security Objective

Security Objectives for the Development and Manufacturing Environment
OD.Assurance                    Assurance Security Measures in Development and Manufacturing Environment
OD.Material                     Control over MRTD Material

Security Objectives for the Operational Environment
For the Issuing State or Organisation:
OE.Personalization              Personalization of logical MRTD
For the Receiving State or Organisation:
OE.Exam_MRTD                    Examination of the MRTD passport book
OE.Passive_Auth_Verif           Verification by Passive Authentication
OE.Prot_Logical_MRTD            Protection of data of the logical MRTD
For the MRTD Holder:
OE.Secure_Handling              Secure handling of the MRTD by MRTD holder

Table 2: Security Objectives for the environment of the TOE

For details and application notes refer to the PP chapter 3.5. Security Functional Requirements for the TOE and for the IT-Environment are derived from these Security Objectives as outlined in the following chapter.

2 Security Functional Requirements

This section contains the functional requirements that must be satisfied by a TOE which is compliant to the Protection Profile. The TOE Security Functional Requirements (SFR) selected in the Security Target are Common Criteria Part 2 extended as shown in the following tables.

The following SFRs are taken from CC part 2:

Security Functional Requirement   Identifier and addressed issue
FCS_CKM.1/BAC_MRTD                Cryptographic key generation – Generation of Document Basic Access Keys by the TOE
FCS_CKM.4                         Cryptographic key destruction - MRTD
FCS_COP.1/SHA_MRTD                Cryptographic operation – Hash for Key Derivation by MRTD
FCS_COP.1/TDES_MRTD               Cryptographic operation – Encryption / Decryption Triple DES
FCS_COP.1/MAC_MRTD                Cryptographic operation – Retail MAC
FDP                               User data protection
FDP_ACC.1 (PRIM)                  Subset access control – Primary Access Control
FDP_ACC.1 (BASIC)                 Subset access control – Basic Access Control
FDP_ACF.1 (PRIM)                  Security attribute based access control – Primary Access Control
FDP_ACF.1 (Basic)                 Security attribute based access control – Basic Access Control
FDP_UCT.1/MRTD                    Basic data exchange confidentiality - MRTD
FDP_UIT.1/MRTD                    Data exchange integrity - MRTD
FIA                               Identification and authentication
FIA_UID.1                         Timing of identification
FIA_UAU.1                         Timing of authentication
FIA_UAU.4                         Single-use authentication of the Terminal by the TOE
FIA_UAU.5                         Multiple authentication mechanisms
FIA_UAU.6/MRTD                    Re-authenticating – Re-authenticating of Terminal by the TOE
FMT_MOF.1                         Management of functions in TSF
FMT_SMF.1                         Specification of Management Functions
FMT_MTD.1/INI_ENA                 Management of TSF data – Writing of Initialization Data and Pre-personalization Data
FMT_MTD.1/INI_DIS                 Management of TSF data – Disabling of Read Access to Initialization Data and Pre-personalization Data
FMT_MTD.1/KEY_WRITE               Management of TSF data – Key Write
FMT_MTD.1/KEY_READ                Management of TSF data – Key Read
FPT                               Protection of the TOE Security Functions
FPT_FLS.1                         Failure with preservation of secure state
FPT_PHP.3                         Resistance to physical attack
FPT_RVM.1                         Non-bypassability of the TSP

Table 3: SFRs for the TOE taken from CC Part 2


The following CC part 2 extended SFRs are defined:

Security Functional Requirement   Identifier and addressed issue
FCS_RND.1/MRTD                    Quality metric for random numbers
FPT                               Protection of the TOE Security Functions

Table 4: SFRs for the TOE, CC part 2 extended

Note: only the titles of the Security Functional Requirements are provided. For more details and application notes please refer to the PP chapter 5.

The following Security Functional Requirements are defined for the IT-Environment of the TOE:

Security Functional Requirement   Identifier and addressed issue
FCS_CKM.1/BAC_BT                  Cryptographic key generation – Generation of Document Basic Access Keys by the Basic Terminal
FCS_CKM.4/BT                      Cryptographic key destruction – BT
FCS_COP.1/SHA_BT                  Cryptographic operation – Hash Function by the Basic Terminal
FCS_COP.1/ENC_BT                  Cryptographic operation – Secure Messaging Encryption / Decryption by the Basic Terminal
FCS_COP.1/MAC_BT                  Cryptographic operation – Secure Messaging Message Authentication Code by the Basic Terminal
FCS_RND.1/BT                      Quality metric for random numbers - Basic Terminal
FDP                               User data protection
FDP_DAU.1/DS                      Basic data authentication – Passive Authentication
FDP_UCT.1/BT                      Basic data exchange confidentiality - Basic Terminal
FDP_UIT.1/BT                      Data exchange integrity - Basic Terminal
FIA                               Identification and authentication
                                  Basic Terminal
FIA_UAU.6/BT                      Re-authentication - Basic Terminal
FIA_API.1/SYM_PT                  Authentication Proof of Identity - Personalization Terminal Authentication with Symmetric Key

Table 5: SFRs for the IT-Environment

Note: only the titles of the Security Functional Requirements are provided. For more details and application notes please refer to the PP chapter 5.

The security assurance requirements are based entirely on the assurance components defined in Part 3 of the Common Criteria. The assurance requirements comply with assurance level EAL 4 augmented (Evaluation Assurance Level 4 augmented).

The following table shows the augmented assurance components.

Requirement Identifier

EAL4 TOE evaluation: Methodically designed and tested

+: ADV_IMP.2 Implementation of the TSF

+: ALC_DVS.2 Sufficiency of security measures

Table 6: Assurance components (EAL 4 augmented)

4 Strength of Functions

The minimum strength of function level is claimed SOF-high and covers, but is not limited to, the TSF required by the SFRs FIA_UAU.4, FCS_RND.1 and FPT_FLS.1 as far as probabilistic or permutational mechanisms are involved.

A TOE’s implemented security functions shall meet this claimed strength from the design and construction point of view. The strength of function available in a specific system context where the TOE is used depends on the selection of the data used to set up the communication to the TOE. Therefore the issuing state or organisation is responsible for the strength of function that can be achieved in a specific system context. This has to be assessed in the specific system context.

5 Results of the Evaluation

The Evaluation Technical Report (ETR), [6] was provided by the ITSEF according to the Common Criteria [1], the Methodology [2], the requirements of the Scheme [3] and all interpretations and guidelines of the Scheme (AIS) [4] as relevant for the TOE.


The verdict for the CC Part 3 assurance components (according to the class APE for the Protection Profile evaluation) is summarised in the following table.

CC Aspect       Result
CC Class APE    PASS
APE_DES.1       PASS
APE_ENV.1       PASS
APE_INT.1       PASS
APE_OBJ.1       PASS
APE_REQ.1       PASS
APE_SRE.1       PASS

Table 7: Assurance class

The Protection Profile for Machine Readable Travel Document with „ICAO Application", Basic Access Control, Version 1.0 meets the requirements for Protection Profiles as specified in class APE of the CC.

6 Definitions

6.1 Acronyms

CC      Common Criteria for IT Security Evaluation
ICAO    International Civil Aviation Organisation
ITSEF   Information Technology Security Evaluation Facility
MRTD    Machine readable travel document
MRZ     Machine readable zone
SFP     Security Function Policy
SOF     Strength of Function
TOE     Target of Evaluation
TSC     TSF Scope of Control
TSF     TOE Security Functions
TSP     TOE Security Policy


6.2 Glossary

Augmentation - The addition of one or more assurance component(s) from Part 3 to an EAL or assurance package.

Extension - The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC.

Protection Profile - An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.

Security Function - A part or parts of the TOE that have to be relied upon for enforcing a closely related subset of the rules from the TSP.

Security Target - A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

Strength of Function - A qualification of a TOE security function expressing the minimum efforts assumed necessary to defeat its expected security behaviour by directly attacking its underlying security mechanisms.

SOF-basic - A level of the TOE strength of function where analysis shows that the function provides adequate protection against casual breach of TOE security by attackers possessing a low attack potential.

SOF-medium - A level of the TOE strength of function where analysis shows that the function provides adequate protection against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential.

SOF-high - A level of the TOE strength of function where analysis shows that the function provides adequate protection against deliberately planned or organised breach of TOE security by attackers possessing a high attack potential.

Target of Evaluation - An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.

TOE Security Functions - A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.

TOE Security Policy - A set of rules that regulate how assets are managed, protected and distributed within a TOE.

TSF Scope of Control - The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.

7 Bibliography

[1] Common Criteria for Information Technology Security Evaluation, Version 2.1, August 1999


[2] Common Methodology for Information Technology Security Evaluation (CEM), Part 1, Version 0.6; Part 2: Evaluation Methodology, Version 1.0, August 1999

[3] BSI certification: Procedural Description (BSI 7125)

[4] Application Notes and Interpretations of the Scheme (AIS) as relevant for the TOE.

[5] German IT Security Certificates (BSI 7148, BSI 7149), periodically updated list published also on the BSI Web-site

[6] Evaluation Technical Report for a PP evaluation, Version 1.1, 26. August 2005, Common Criteria Protection Profile Machine Readable Travel Document with „ICAO Application", Basic Access Control, SRC (confidential document)

[7] Common Criteria Protection Profile Machine Readable Travel Document with „ICAO Application", Basic Access Control, BSI-PP-0017, Version 1.0, 18. August 2005, BSI

[8] Machine Readable Travel Documents Technical Report, Development of a Logical Data Structure – LDS, For Optional Capacity Expansion Technologies, Revision 1.7, published by authority of the Secretary General, International Civil Aviation Organization, LDS 1.7, 2004-05-18

[9] Machine Readable Travel Documents Technical Report, PKI for Machine Readable Travel Documents Offering ICC Read-Only Access, Version 1.1, October 01, 2004, published by authority of the Secretary General, International Civil Aviation Organization


The Protection Profile (PP) [7] is provided within a separate document.
