Version: 1.0
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved
Smartcard reader
Leo V2
Security Target Lite
Common Criteria EAL3+
Document reference: XRD-2012-1626
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 2/18
Table of content
1 ST INTRODUCTION........................................................................................................... 3
1.1 ST REFERENCE ...........................................................................................................................3
1.2 TOE REFERENCE........................................................................................................................3
1.3 TOE INTRODUCTION ...................................................................................................................3
1.4 TOE OVERVIEW ..........................................................................................................................4
1.5 TOE DESCRIPTION......................................................................................................................4
2 LIFECYCLE........................................................................................................................ 5
3 CONFORMANCE CLAIMS ................................................................................................ 6
4 SECURITY PROBLEM DEFINITION ................................................................................. 7
4.1 SUBJECTS....................................................................................................................................7
4.2 ASSETS........................................................................................................................................7
4.2.1 Sensitive assets protected by the TOE.....................................................................................7
4.2.2 Sensitive assets of the TOE .....................................................................................................8
4.3 THREATS .....................................................................................................................................8
4.3.1 Threat agents...........................................................................................................................8
4.3.2 Attack potential .......................................................................................................................8
4.3.3 The threats to the TOE by an attacker are: ............................................................................9
4.4 ORGANISATIONAL SECURITY POLICIES .......................................................................................9
4.5 ASSUMPTIONS .............................................................................................................................9
5 SECURITY OBJECTIVES................................................................................................ 10
5.1 SECURITY OBJECTIVES FOR THE TOE......................................................................................10
5.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ......................................................................10
5.3 SECURITY OBJECTIVES RATIONALE...........................................................................................10
6 EXTENDED COMPONENTS DEFINITION ...................................................................... 11
7 SECURITY REQUIREMENTS.......................................................................................... 12
7.1 SECURITY FUNCTIONAL REQUIREMENTS...................................................................................12
7.2 FUNCTIONAL REQUIREMENT DEPENDENCIES............................................................................16
7.3 SECURITY ASSURANCE REQUIREMENTS ...................................................................................16
7.4 SECURITY REQUIREMENTS RATIONALE.....................................................................................17
8 ACRONYMS..................................................................................................................... 18
9 BIBLIOGRAPHY .............................................................................................................. 18
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 3/18
1 ST introduction
This security target describes the functional and organisational security requirements and
procedures for the TOE, a “secure pin entry device” (also known as “the Device”), and its
operational environment.
The target of evaluation is the Leo V2 smart card reader.
1.1 ST reference
Title of the Security Target Smartcard reader Leo V2 Security Target
Common Criteria EAL3+
Version 1.0
Issue date 11/07/2012
Document ID XRD-2012-1626
Author Damien COCHET, Claude MEGGLÉ
Evaluation level EAL3 +
Protection Profile Secure Smartcard Reader with Human Interface Protection
Profile v1.6
1.2 TOE reference
Target of evaluation Leo V2 (id 633)
Version PPD001-003-AXY* where X and Y are minor revisions
numbers not related to the security features of the TOE.
Issue date
Firmware version PK08.12
Issue date
*where X and Y are minor revisions numbers that are not related to the security features of the TOE.
1.3 TOE introduction
A smartcard is a piece of plastic, with an electronic component embedded in it. It has no
human interface but only a physical connector (ISO 7816 type ) to link to a smartcard reader,
and the smartcard reader has normally a serial type connector, to link to a Personal Computer
(PC), or Workstation. The PC may be a Microsoft Windows, Mac or Linux OS powered. The
security of the PC is out of scope of the TOE.
As a Personal Identification Number (also known and referred as ‘PIN’) is required for some
smartcard applications, this PIN is usually keyed on the PC keyboard and forwarded to the
smartcard through PC/SC [3] and ISO 7816 / EMV commands [4, 10]. As the security of the
PC cannot be guaranteed, a malware (virus, Trojan, worm, key logger…) could intercept the
PIN, record it to replay it or forward it to a remote attacker. Such a malware can also use the
security mechanisms of the smartcard to block the smartcard application (denial of service
attack type), by providing the smartcard with a modified (and false) personal data (example:
PIN).
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 4/18
As the smartcard may be used to sign some critical information, the display a Device may be
used to provide the user with a mean to check this information, even partially, or to approve
explicitly the operation before signing it.
The purpose of the Device is to avoid compromising the PIN or modifying the critical
information to be signed by such a malware: the PIN is never keyed on the PC keyboard, but
on the Device keypad, and forwarded directly to the smartcard and never transmitted to the
PC. There is no way for a malware to ask for a PIN to the Device and to receive this PIN.
There is also no way for a malware to ask for a PIN on the PC keyboard and forward it to the
smartcard.
The Device is supposed to be used in a private environment. That is to say that the Device is
to be used by an individual, or a small group of persons (limited to a well defined group
persons), in a place under control of this individual, or group of persons, so it can be used at
home, or at the office. The Device is not intended to be used in a public area.
The Device embeds a « smartcard reader ».
1.4 TOE overview
The Leo V2 smart card reader is a secure PIN entry device, a universal smart card reader with
keypad, display and a connecting cable with USB connector. The Leo V2 smart card reader
cannot be used in standalone mode. It must be plugged in a Personal Computer USB plug to
offer capability for secure PIN entry. The Personal Computer can be a PC with a Windows OS,
Linux or Mac OS. The secure PIN entry functionality can be activated from a software
application loaded in the PC (not provided and out of scope of this TOE), and used in
conjunction with a secure smartcard (not provided and out of scope of this TOE).
1.5 TOE description
The Leo V2 smart card reader is a universal smart card reader devices, which can
communicate with ISO 7816 and EMV2004 compliant processor cards through the PC/SC [3]
application interface. The devices work with any smart card transmission protocol compliant
with ISO 7816 [4] (T=0, T=1).
Leo V2 reader has a keypad with silicone keys, to enter a digital PIN. The numeric keys “0” to
“9” as well as the keys “Clear” (yellow), “OK” (green) and “Cancel” (red) are present. The
reader complies with PC/SC part 10 [3] and CCID secure command specifications [8].
Therefore, within the frame of a Secure Pin Entry session, the device inserts the digits keyed
on the keypad as a PIN in the PIN field of the command to the smart card. The PIN is
formatted according to external parameters transmitted through the accurate CCID
PC_RDR_Secure commands as described in [8]. The firmware in the TOE manages the
security functions.
The reader can be connected to all USB equipped host systems, like PC computers, running
Microsoft Windows, Linux or Mac OS.
It is used as peripherals in the PC surrounding field. The reader is provided with power supply
through the USB interface. It cannot be used in standalone mode.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 5/18
PC applications communicate with the reader through PC/SC [3] interfaces. The reader is
declared and recognized as a PC/SC [3] device by its PC host driver. All functions at the
interfaces are illustrated for PC/SC in accordance with [3].
DISPLAY
Smart
card
interface
USB
interface
Microcontroller
RAM
Flash
(FW)
KEYPAD
Details on available host software such as drivers are available in the user manual of the Leo
V2.
The driver software is not included in this evaluation. The TOE ends at the USB interface to
the host computer. Installation software including drivers, manual and tools can be
downloaded from:
http://www.xiring.com/XIRING-support_leo_by_XIRING.asp
The Leo V2 reader is able to enter identification data (PIN) and convey it securely to a smart
card, for instance a secure signature creation device. It can be used also to allow authorise
access to some applications or to the computer itself, if the appropriate software has been
installed, and the firmware of the TOE adapted.
The firmware is filtering the commands sent to the reader for secure PIN input, and allows only
PC/SC commands which involved data identification (PIN). Therefore there is no way to
address directly the pinpad or the display.
The housing is sealed by means of falsification secure security stickers, which will be
destroyed when someone attempt to open it. Stickers can be used only once.
2 Lifecycle
The firmware is part of the TOE. It is integrated in the TOE at the end of the fabrication
process by flashing an EEPROM memory (and destroying a fuse thus disabling the possibility
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 6/18
of flashing another firmware). Security stickers are put in place at the end of the fabrication
process.
The fabrication process is outsourced to a partner factory/manufacturer. Security policies,
defined by XIRING, enforcing confidence in firmware integrity management from delivery
through flashing operation on the production chain have been transmitted to the manufacturer.
A specific policy for security sticker management at the factory site was also defined for the
manufacturer.
Figure 1: Lifecycle of the TOE.
Grey blocks are in the scope of the TOE. The delivery point is located at the XIRING partner
factory where goods are passed to a forwarder for delivery.
3 Conformance Claims
The security target with its functional requirements claims a demonstrable conformance to the
“Secure Smartcard Reader with Human Interface” Protection Profile [12].
Therefore, this security target is conformant to the Common Criteria, Version 3.1, Release 3,
dated July 2009 as follow:
- Part 2 of the Common Criteria, Version 3.1, Release 3, dated July 2009,
- Part 3 of the Common Criteria, Version 3.1, Release 3, dated July 2009
The claimed assurance level is EAL3 augmented with AVA.VAN.3, ADV_FSP.4, ADV_TDS.3,
ADV_IMP.1, ALC_TAT.1 and ALC_FLR.3.
Hardware
development
Hardware
development
Hardware
assembly / fabrication
Firmware
insertion / flashing
Use phase
Delivery
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 7/18
4 Security problem definition
PPrivate environment
Untrusted
PC
TOE Secure
Smartcard
Secure physical path
Figure 2: The TOE and its environment.
4.1 Subjects
S.PC: A personal computer that can communicate with the pinpad via a USB connection.
S.INTERFACE: represents a logical or physical communication interface that can be used by
any type of users.
S.USER: A user of the TOE.
S.ICC: A smartcard that can be used with the TOE.
4.2 Assets
4.2.1 Sensitive assets protected by the TOE
The assets that have to be protected are identification data (B.PIN) of the user and critical
information to be displayed before signing (B.DIS).
B.PIN
The identification data (B.PIN) is an external asset which passes through the Device. The
Device has been designed to protect this external asset, in confidentiality (this data must be
passed uniquely to the smartcard), and in integrity (a modified identification data can block the
smartcard application).
Sensitivity: confidentiality, integrity
B.DIS
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 8/18
The critical information to be approved (B.DIS) is an internal (message in the firmware for
example) or external asset. The Device has been designed to protect this asset against
modification inside the TOE.
Examples of external assets:
An external asset may be a piece of data received from the PC in a command, displayed on
the display of the device and checked by the user before validating the command. An external
asset may be also a piece of data received from the smartcard, displayed on the display of the
device and checked by the user before validating the command.
Sensitivity: integrity
4.2.2 Sensitive assets of the TOE
The assets of the TOE which can be attacked are:
B.FIRM The Firmware of the TOE
B.HARD The Hardware of the TOE
B.FIRM The firmware .This sensitive asset corresponds to all TOE programs. These programs
are held in memory of the TOE.
Sensitivity: integrity.
B.HARD The hardware. This sensitive asset corresponds to the hardware casing of the TOE,
in the use stage, just after firmware download.
Sensitivity: integrity.
4.3 Threats
4.3.1 Threat agents
During the use stage, a threat agent can be:
U_agressor: an aggressor: this is a person who has not received a product in an authorised
way or otherwise gains illicit access to the TOE. The aggressor may gain access to the TOE
through the PC, or have temporary access to the TOE when not in use, and modify it.
As the TOE is to be used in a private environment, the legitimate user is not considered
hostile.
4.3.2 Attack potential
Individuals performing attacks have an Enhanced Basic attack potential. They correspond to
malicious persons possessing the computing skills of a well-informed user having gained
access to some restricted information about the TOE.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 9/18
4.3.3 The threats to the TOE by an attacker are:
The assets that have to be protected are identification data (B.PIN) of the user, and critical
information to be displayed before signing (B.DIS) as well as the firmware (B.FIRM) and
hardware (B.HARD) of the smart card reader itself. The reader itself has no secret.
T.PIN_DISCLOSE: An attacker can try to access the pin B.PIN, and transmit it out of the TOE,
by gaining access to the firmware B.FIRM or the hardware B.HARD of the TOE.
T.PIN_MODIFY: An attacker can try to modify the pin B.PIN in the TOE and block the
smartcard application (false Pin counter), by modifying the firmware B.FIRM or inserting a
hardware bug in the hardware B.HARD.
T.DIS: An attacker modifies the information to be displayed and/or signed by the Device
(B.DIS), before sending it to the Device. Or an attacker can try to modify the critical information
to be approved (B.DIS), by modifying the firmware B.FIRM or inserting a bug in the hardware
B.HARD.
4.4 Organisational security policies
OSP.USER: A written procedure or manual is given to the user by the smartcard provider, (or
by the company if the TOE is to be used in company premises) to inform the user how to use
the reader, how to store securely his smartcard (or smartcards), how to use securely his or
one of his smartcards with the reader, and how to store and use securely his PIN, and how to
check that the reader has not been tampered.
4.5 Assumptions
LEO V2 smart card readers are suitable both for the office and for private use.
Readers can support additional uses beyond those described in the Security Target. The end
user is informed about his or her responsibility during the use of the TOE.
A.USER.UNOBSERV: The user must enter his or her identification data unobserved.
A.USER.PIN: It is assumed that the user stores his or her identification data using
recommendations of the smartcard provider.
A.USER.KEYPAD: It is assumed that the user enters his or her identification data using the
keypad of the TOE.
A.USER.DIS: It is assumed that the user verifies the information displayed on the display
before approving it.
A.USER.USAGE: The TOE is designed for use in private environments or office environments.
That means that only a limited number of persons have access to the TOE.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 10/18
5 Security Objectives
The Device is used to get the identification data (B.PIN) from the User, and transfer it only to
the smartcard. The Device has been designed to protect the critical information to be approved
(B.DIS) against modification inside the TOE.
5.1 Security objectives for the TOE
The Leo V2 smart card reader is used to get the identification data (B.PIN) from the user. The
basic security objectives for the TOE are:
O.REVEAL: The TOE does not reveal any identification data. An identification data, as a
personal identification code (B.PIN) is not externalized from the TOE, except to the smartcard.
O.HARD_EVIDENT: The hardware casing cannot be opened easily and this opening should
be visible to the user (tamper evidence). The integrity of the hardware B.HARD can be
checked by the user.
O.SIGNAL: The TOE guarantees that the secure PIN entry mode is clearly signified to the
user.
5.2 Security objectives for the environment
The security objectives for the environment correspond in a general manner to those under 4.1
specified:
OE.PRIVATE: The TOE is to be used in private environments. In an office environment, the
TOE should be managed to prevent access to unauthorized users. That means that the smart
card reader is linked to a PC which is usable by a limited number of people only.
OE.MANUAL: The user is provided with a user manual explaining the rules or, refers to the
smartcard provider information for storing securely his PIN, verifies the data displayed before
entering his PIN, keys his PIN unobserved on the keypad of the TOE. The manual also
explains how to check TOE’s integrity, stop using it if tampered with and how to replace it.
5.3 Security objectives rationale
T.PIN_DISCLOSE: is countered by O.REVEAL (Protection).
Detection: O.HARD_EVIDENT should warn the user that T.PIN_DISCLOSE is possible.
Response: The user does not use the TOE anymore (replace it with a new one).
T.PIN_MODIFY: is countered by O.HARD_EVIDENT (Protection).
Detection: O.HARD_EVIDENT should warn the user that T.PIN_MODIFY is possible.
Response: The user does not use the TOE anymore (replace it with a new one).
T.DIS: is countered by: O.HARD_EVIDENT (should warn the user that T.DIS is possible) and
O.SIGNAL.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 11/18
Response: The user does not use the TOE anymore (replace it with a new one).
A.USER_UNOBSERVED , A.USER_KEYPAD , A.USER_DIS, A.USER_PIN are fulfilled by
OE.MANUAL
A.USER_USAGE is fulfilled by OE.PRIVATE
OSP.USER is fulfilled by O.HARD_EVIDENT and OE.MANUAL
T.PIN_DISCLOSEE
T.DIS
T.PIN_MODIFY
A.USER_UNOBSERVED
A.USER_KEYPAD
A.USER_DIS
A.USER_USAGE
A.USER_PIN
OSP.USER
O.REVEAL X
O.HARD_EVIDENT X X X X
O.SIGNAL X X X X X
OE.PRIVATE X
OE.MANUAL X X X X X X
6 Extended components definition
This security target does not contain any extended components.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 12/18
7 Security Requirements
7.1 Security functional requirements
FDP_IFC.1 Subset information flow control
FDP_IFC.1.1 The TSF shall enforce the Information Flow Control SFP on:
Subjects:
• S.INTERFACE:
Informations:
• B.PIN: Identification data
and the operations covered by the SFP:
• OP.P_ENTRY: PIN entry
FDP_IFF.1 Simple security attributes
FDP_IFF.1.1 The TSF shall enforce the Information Flow Control SFP based on the
following types of subject and information security attributes:
Subjects:
• S.INTERFACE:
Attribute values:
USER through the keypad interface,
PC through the serial interface,
ICC Smart card through the card reader interface,
Informations:
• B.PIN: Identification data,
Attribute values:
USER through the keypad interface,
PC through the serial interface,
ICC Smart card through the card reader interface,
and the operations covered by the SFP:
• OP.P_ENTRY: PIN entry
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and
controlled information via a controlled operation if the following rules hold:
• OP.P_ENTRY receives OB.PIN only from S.INTERFACE attribute USER, and
transmits it only to S.INTERFACE attribute ICC
FDP_IFF.1.3 The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed:
The PC (S.PC) sends commands on behalf of the application to the reader, which
causes the TOE to then only cause the display (OB.DIS) to display the secure
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 13/18
PIN entry mode message “ENTRER CODE” (OP.D_CONTROL) and to pass the entered
PIN (OB.PIN) to the smart card (S_ICC), if both following conditions are met :
1.) The command sent is a CCID PC_To_RDR_Secure [8] command
2.) This PC_To_RDR_Secure command requests one of the following Secure
Entry command:
- Verify PIN.
- Change PIN.
The PIN (OB.PIN) must be entered by the user (S.USER) at the keypad of the TOE
(OP.P_ENTRY).
The PIN (OB.PIN) may be sent only over the card reader interface to the smart card
(S.ICC) for verification of the PIN (OP.P_VERIFY).
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following
rules:
The TOE must rejects the commands coming from the PC (S.PC) if the command sent is
a CCID PC_To_RDR_Xfr_Block and if this command carry an identification data (PIN).
It also rejects commands coming from the PC (S.PC) if the command sent is a CCID
PC_to RDR_Secure and this PC_to_RDR_Secure does not involve data identification
(PIN).
The reader informs the application running on the PC (S.PC) that the command has
been rejected by the appropriate return code.
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules:
B.PIN is not transmitted to S.INTERFACE attribute PC
SFR.FDP_RIP.2: Full residual information protection
SFR.FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is
made unavailable upon the deallocation of the resource from all objects.
A memory rework of the buffer for the transmission of the PIN from the keypad to the
smart card is realized immediately after:
 Sending the PIN to the smartcard,
 extracting the card,
 abort by the user,
 timeout during the PIN input
TOE access
SFR.FTA_TAB.1: Default TOE access banners
SFR.FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory
warning message regarding unauthorised use of the TOE.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 14/18
Note: During execution of the function “Secure PIN entry” a green lock icon must be lit. The
message “ENTRER CODE” (French translation of “Enter PIN” ) is displayed before the entry.
After transmission of the PIN to the signature component (smart card) and confirmation by the
smart card with the status byte SW1=0x90 the display shows “CODE CORRECT” (French
translation of “PIN OK”).
If the entered PIN is not correct, the message “CODE INCORRECT” (French translation of
“Wrong PIN” ) is displayed. The green lock icon is not lit anymore.
A disturbance of the card reader caused intentionally or due to a technical failure is indicated
to the user by displaying “ERREUR” (French translation of “ERROR).
Invalid data are rejected. An error message is transferred to the host.
TOE physical protection
FPT_PHP.1: Passive detection of physical attack
FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might
compromise the TSF.
The casing is sealed by means of falsification secure security stickers, which will be
destroyed during removal and thus can be used only once.
FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering
with the TSF’s devices or TSF’s elements has occurred.
The casing is sealed by means of falsification secure security stickers, which will be
destroyed during removal and thus can be used only once. Thus the user can recognize
by the condition of the safety seal that no manipulations at the hardware were made. If
the safety seal has been tampered, then the user is at risk that his PIN can be
compromised, by an electronic bug inserted in the device, or a logical bug inserted in
the firmware.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 15/18
Security seals
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 16/18
7.2 Functional requirement dependencies
Security
requirement
Dependencies Comments
FDP_IFC.1
FDP_IFF.1
FTA_TAB.1.1
FDP_RIP.2
FDP_PHP.1
FDP_IFF.1
FDP_IFC.1,
FMT_MSA.3
None
None
None
This component is a selected component
This components is a selected component
N/A (there are no initial values)
7.3 Security assurance requirements
The requirements for the aimed evaluation assurance level 3 are listed in table 4 Common
Criteria part 3 as follows. The augmentation AVA.VAN.3 and its dependencies are required for
this type of product in regard of potential attackers (enhanced basic) considering that the
usage is in private environment. ALC_FLR.3 with dependencies are listed in red. ALC_FLR3 is
required to provide TOE users with confidence in the product they are using. The ADV
components shall be refined to cope with the hardware acceptance process. The ST writer
shall specify the procedures to be applied by the TOE developer to check the integrity of the
hardware.
Assurance class Assurance component
ADV: Development
ADV_ARC.1 Security architecture description
ADV_FSP.4 Complete Functional Specification
ADV_TDS.3 Basic modular design
ADV_IMP.1 Implementation representation of the TSF
AGD: Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative Procedures
ALC: Life cycle support ALC_CMC.3 Authorisation controls
ALC_CMS.3 Implementation representation CM
coverage
ALC_DEL.1 Delivery procedures
ALC_DVS.1 Identification of security measures
ALC_LCD.1 Developer defined life cycle model
ALC_FLR.3 Systematic flaw remediation
ALC_TAT.1 Well-defined development tools
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 17/18
ASE: security target evaluation ASE_INT.1 ST Introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ATE: Tests
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: basic design
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing: sample
AVA: Vulnerability assessment AVA.VAN.3 Focused vulnerability analysis
7.4 Security requirements rationale
Security requirements / Security objectives:
O.REVEAL O.HARD_EVIDENT O.SIGNAL
FDP_IFC.1.1 X
FDP_IFF.1.1 X
FDP_IFF.1.2 X
FDP_IFF.1.4 X
FDP_IFF.1.5 X
FTA_TAB.1.1 X
FDP_RIP.2.1 X
FDP_PHP.1.1 X
FDP_PHP.1.2 X
O.REVEAL is covered by FDP_IFC.1.1 and FDP_IFF.1.1, FDP_IFF.1.4 , FDP_IFF.1.5 as the
flow control is managed inside the TOE.
O.REVEAL is covered also by FDP_RIP.2.1, as the critical information B.PIN is not stored.
O.HARD_EVIDENT is covered by FDP_PHP.1.1 and FDP_PHP.1.2, which give the user the
ability to detect tampering of the TOE.
Security target lite/ Leo V2 / EAL3+ XRD-2012-1626
© XIRING. Communication, reproduction et utilisation interdites - Copyright and all other rights reserved 18/18
8 Acronyms
CC Common Criteria
CCID Integrated Circuit Cards Interface Devices
CT-API Card terminal Application Programming Interface
EMV Eurocard Mastercard Visa
ID Identifier
PC Personal Computer
PC/SC Personal Computer / Smart Card
PIN Personal Identification Number
SPR Secure Pin Pad Reader
USB Universal Serial Bus
9 Bibliography
[1] Decret 2001-
272
Decret du 30/03/2001 chapitre 1 : Des dispositifs sécurisés de création
de signature électronique
[2] 1999/99/CE European Community Directive on electronic signature
[3] PC-SC V 2.0 Interoperability Specification for ICCs and Personal
Computer Systems, Revision 2.02.6, April 2009
http://www.pcscworkgroup.com/specifications/files/pcsc10_v2.02.06.pdf
[4] ISO/IEC 7816 Integrated circuit(s) cards with contacts
http://www.iso.org/iso/catalogue_detail.htm?csnumber=29257
[8] CCID Chip/Smart Card Interface Devices, Revision 1.1, April 22rd 2005
http://www.usb.org/developers/devclass_docs/DWG_Smart-
Card_CCID_Rev110.pdf
[9] Common
Criteria
Common Criteria for Information Technology Security Evaluation
Part 1-3, September 2006
[10] EMV 2004 Integrated Circuit Card Terminal Specifications for Payment Systems,
version 4.1
[11] CC 1316-4 Article 1316-4 du Code Civil relatif à la signature électronique
[12] PP SSR Secure Smartcard Reader with Human Interface Protection Profile v1.6