General Business Use Security Target Lite On the AT90SC Family of Devices Atmel Toolbox 00.03.01.07 Important notice to readers… Atmel makes no warranty for the use of its products, other than those expressly contained in the Company’s standard warranty which is detailed in Atmel’s Terms and Conditions located on the Company’s web site. The Company assumes no responsibility for any errors which may appear in this document, reserves the right to change devices or specifications detailed herein at any time without notice, and does not make any commitment to update the information contained herein. No licenses to patents or other intellectual property of Atmel are granted by the Company in connection with the sale of Atmel products, expressly or by implication. Atmel’s products are not authorized for use as critical components in life support devices or systems. The security of any system in which the product is used will depend on the system’s security as a whole. Where security or cryptography features are mentioned in this document this refers to features which are intended to increase the security of the product under normal use and in normal circumstances. All products are sold subject to Atmel’s Terms & Conditions of Supply and the provisions of any agreements made between Atmel and the Customer. In ordering a product covered by this document the Customer agrees to be bound by those Terms & Conditions and agreements and nothing contained in this document constitutes or forms part of a contract (with the exception of the contents of this Notice). A copy of Atmel’s Terms & Conditions of Supply is available on request.  Atmel Corporation 2007 (05 Oct 07) General Business Use 3 of 56 TPG0159A Contents Section 1 Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite .... 9 1.1 Identification................................................................................................. 9 1.2 Overview...................................................................................................... 9 1.3 Common Criteria Conformance Claim....................................................... 12 1.4 Document Objective .................................................................................. 12 1.5 Document Structure................................................................................... 12 1.6 Scope and Terminology............................................................................. 13 1.7 References ................................................................................................ 13 1.8 Revision History......................................................................................... 14 Section 2 Target of Evaluation Description................................................................ 15 2.1 TOE Definition ........................................................................................... 15 2.2 TOE Life-cycle ........................................................................................... 19 2.3 TOE Environment ...................................................................................... 21 2.4 TOE Intended Usage ................................................................................. 22 Section 3 TOE Security Environment ........................................................................ 25 3.1 Assets ........................................................................................................ 25 3.2 Assumptions .............................................................................................. 27 3.3 Threats....................................................................................................... 29 3.4 Organizational Security Policies ................................................................ 31 Section 4 Security Objectives.................................................................................... 33 4.1 Security Objectives for the TOE................................................................. 33 4.2 Security Objectives for the Environment.................................................... 36 Section 5 TOE Security Functional Requirements .................................................... 37 Security Target Lite 4 of 56 General Business Use (05 Oct 07) TPG0159A 5.1 The TOE Functional Requirements ...........................................................38 5.2 Security Requirements for the Environment ..............................................41 5.3 TOE Security Assurance Requirements ....................................................44 Section 6 TOE Summary Specification...................................................................... 47 6.1 TOE Security Functions.............................................................................47 6.2 TOE Assurance Measures.........................................................................49 Section 7 PP Claims.................................................................................................. 53 7.1 PP Reference.............................................................................................53 7.2 PP Refinements.........................................................................................53 7.3 PP Additions ..............................................................................................53 Appendix A Glossary..................................................................................................... 55 (05 Oct 07) General Business Use 5 of 56 TPG0159A Figures Figure 2-1 Complete Smartcard Device .............................................................................15 Figure 2-2 Smartcard Embedded Software........................................................................16 Figure 2-3 Smartcard Product Life Cycle ...........................................................................20 Figure 3-1 Assumptions......................................................................................................27 Figure 3-2 Standard Threats ..............................................................................................29 Figure 3-3 Attack Model for the TOE..................................................................................30 Figure 3-4 Organizational Security Policies........................................................................32 Figure 4-1 Standard Security Objectives............................................................................34 Figure 4-2 Security Objectives Related to Specific Functionality .......................................34 Figure 5-1 Standard Security Functional Requirements.....................................................38 Figure 5-2 Security Functional Requirements related to Specific Functionality .................38 Security Target Lite 6 of 56 General Business Use (05 Oct 07) TPG0159A (05 Oct 07) General Business Use 7 of 56 TPG0159A Tables Table 2-1 Smartcard Product Life-cycle...................................................................... 19 Table 2-2 Toolbox Product Life-cycle.......................................................................... 21 Table 5-1 EAL5 Package and Augmentation .............................................................. 44 Table 6-1 Relationship Between Assurance Requirements and Measures ................ 49 Security Target Lite 8 of 56 General Business Use (05 Oct 07) TPG0159A (05 Oct 07) General Business Use 9 of 56 TPG0159A Section 1 Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite 1.1 Identification 1 Title: Atmel Toolbox 00.03.01.07 on the Atmel AT90SC Family Security Target Lite 2 Version: TPG0159A_(05 Oct 07) 3 This Security Target Lite has been constructed with Common Criteria (CC) Version 2.3. 1.2 Overview Protection Profile Claims 4 This Security Target Lite (ST-Lite) is based on the Protection Profile BSI-PP-002-2001, with additions taken from the Smartcard Integrated Circuit Augmentations BSI-AUG- 2002: AT90SC Family Project Derivation 5 The AT90SC family of devices consists of a microcontroller (MCU) device with security features. The device is a member of a family of single chip MCU devices which are intended for use within Smartcard products. The family codename is AT90SC ASL4 and the ‘parent’ device of the family, the initial device in the family was the VEGA2 project, part number AT90SC19264RC, certified under the French CC scheme, Ref. 2002/04. Document Title Date BSI-PP-002-2001 Smartcard IC Platform Protection Profile V1.0 July 2001 BSI-AUG-2002 Smartcard Integrated Circuit Platform Augmentations March 2002 Note The complete Hardware and Software part that is the AT90SC product and the Atmel Cryptographic Toolbox is complaint to the BSI-PP-002-2001, this Security Target Lite details only the software part of the completed AT90SC part therefore this ST-Lite is based on the PP rather than fully compliant. Security Target 10 of 56 General Business Use (05 Oct 07) TPG0159A Cryptographic Toolbox 6 The IC dedicated Support Software defined in this Security Target Lite, is a Cryptographic Toolbox that provides a set of cryptographic functions that can be used by the Smartcard embedded Software on the AT90SC hardware device. The AT90SC family provides a Cryptographic Accelerator and MCU to provide hardware support to the cryptographic toolbox functions. The crypto library is stored in the ROM* of the AT90SC family and is linked to the Smartcard Embedded Software. TOE Information: Assurance Level 7 The TOE is being evaluated against the CC Smartcard IC Platform Protection Profile (BSI-PP-002-2001) to Evaluation Assurance Level 5 (EAL5) augmented with AVA_VLA.4, ALC_DVS.2 and AVA_MSU.3 under the Common Criteria scheme. Sponsor 8 Atmel Smart Card ICs, a division of ATMEL Corporation, is the developer and the sponsor for the AT90SC ASL4 evaluations. Note * The AT90SC may also feature FLASH parts the crypto Toolbox and Smartcard Embedded Software would therefore be stored in FLASH, this Security Target Lite will refer to ROM as the storage area for the Crpyto Toolbox, the Smartcard Embedded Software Developer should refer to the AT90SC device Security Target for details of the FLASH memory map. TOE Name Atmel Toolbox 00.03.01.xx Latest Toolbox Revision Number 00.03.01.07 Atmel Toolbox Certified Part Numbers 00.03.01.03 Certified with hardware Evaluation 00.03.01.04 M-2005/06 Atmel Corporation 3235 Orchard Parkway San Jose CA95131 USA Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite (05 Oct 07) General Business Use 11 of 56 TPG0159A Evaluation Scheme 9 The TOE is evaluated under the French CC Scheme Evaluator 10 The TOE is independently verified by the following Test facility (ITSEF), registered with the French CC Scheme. Brief TOE Description 11 The TOE is the Atmel Cryptograhic Toolbox 00.03.01.07, stored in ROM, on the AT90SC family of smartcards with cryptographic accelerator. The Atmel toolbox allows the smartcard embedded software the ability to perform the following cryptographic functions. ! SHA-1 algorithm ! RSA without CRT algorithm ! RSA with CRT algorithm ! Miller Rabin algorithm ! EC-DSA ! ECDH Centre De Certification Direction centrale de la securite des systemes d’information 51 bouleverard de la Tour-maubourg 75700 Paris France Thalès Security Systems - CEACI BPI 1414 18 avenue Edouard Belin Toulouse France Security Target 12 of 56 General Business Use (05 Oct 07) TPG0159A 1.3 Common Criteria Conformance Claim 12 This Security Target Lite is conformant to parts 2 and 3 of the Common Criteria, V2.3, as follows: ! Part 2 extended: the security functional requirements are based on those identified in part 2 of the Common Criteria, the additional security functional requirement is defined in BSI-PP-002-2001 Protection Profile. ! Part 3 conformant: the security assurance requirements are in the form of an EAL (assurance package) that is based upon assurance components in part 3 of the Common Criteria (CC).The augmentations used are also taken from part 3 of the Common Criteria. 1.4 Document Objective 13 The purpose of this document is to satisfy the Common Criteria (CC) requirements for a Security Target Lite; in particular, to specify the security requirements and functions, and the assurance requirements and measures, where applicable from the BSI-PP- 002-2001, Smartcard IC Platform Protection Profile. 1.5 Document Structure Section 1 introduces the Security Target Lite, and includes sections on terminology, references and main actors. Section 2 contains the product description and describes the TOE as an aid to the understanding of its security requirements and addresses the product type, the intended usage and the general features of the TOE. Section 3 describes the TOE security environment. Section 4 describes the required security objectives. Section 5 describes the TOE security functional requirements. Section 6 describes the TOE security functions. Section 7 describes the Protection Profile (PP) claims. Appendix A provides a glossary of the terms and abbreviations. Atmel Toolbox 00.03.01.07 on the AT90SC Family Security Target Lite (05 Oct 07) General Business Use 13 of 56 TPG0159A 1.6 Scope and Terminology 14 Parts of this document are based on the AT90SC Technical Data Sheet [TD], and the Toolbox 3.x on AT90SCxxxxC Family with AdvX [TBX] application note. 15 The term Target of Evaluation (TOE) is standard CC terminology and refers to the software being evaluated, that is the Atmel Toolbox 00.03.01.07 on the AT90SC Family.The stated toolbox commands form the main part of the evaluation. 16 Security objectives are defined herein with labels in the form O.xx_xx. These labels are used elsewhere for reference. Similarly, modes, assets, subjects, threats, assumptions and organizational security policy are defined with labels of the form M.xx_xx, D.xx_xx, S.xx_xx, T.xx_xx, A.xx_xx, and P.xx_xx respectively. 17 Hexadecimal numbers are prefixed by $, e.g. $FF is 255 decimal. Binary numbers are prefixed by%, e.g.%0001 1011 is decimal 27. An integer value may be expressed as a hexadecimal, binary or decimal number, whichever form is the most convenient. 1.7 References 18 The Toolbox 00.03.01.07 Deliverables List (EDL) identifies the latest revision of the following documents, the EDL list details all the deliverables sent as evidence, as part of the TOE evaluation. Within this Security Target Lite the above are referred to with the use of [ ] brackets, for example [TD] refers to the document AT90SC Technical Datasheet, the ST user should refer to the this document for further information. Some documents listed above are only available to an ITSEF, the Composite product developer should refer to their ITSEF for guidance on what they require. [ESOF] AT90SC Strength of Security Functions Analysis [AM_IS] AT90SC Address and Instruction Set [TD_GEN] AT90SC Technical Data (TPR0160) [TBX] Toolbox 3.x on AT90SCxxxxC Family with AdvX (TPR0133) [APP_AdvX] AdvX for AT90SC Family (TPR0116) [APP_SCRY] Securing Cryptographic Operations on AT90SC products with the Toolbox 3.x (TPR0141) [APP_CRYPT] Efficient use of AdvX for Implementing Cryptographic Operations (TPR0142) Security Target 14 of 56 General Business Use (05 Oct 07) TPG0159A 1.8 Revision History Rev Date Description Originator A 05 Oct 07 Initial release for 00.03.01.07 Revision John Boggie (05 Oct 07) General Business Use 15 of 56 TPG0159A Section 2 Target of Evaluation Description 19 This part of the Security Target Lite (ST-Lite) describes the Target of Evaluation (TOE) as an aid to the understanding of its security requirements and address the product type, the intended usage and the general features of the TOE. 2.1 TOE Definition 20 The Target of Evaluation is the Cryptographic Software part of a AT90SC smartcard. The TOE can be as support software for cryptographic functions on an already certified Hardware Platform (AT90SC device).Figure 2-1 defines a complete Smart card device this includes both the Hardware and Software parts of the device. Figure 2-1 Complete Smartcard Device Note The Smartcard Embedded Software Developer must take into consideration the AT90SC Security Target as well as this Security Target Lite when using this document. Complete Smart Card Device Certified Hardware Platform (AT90SCxxxxx) Smartcard Embedded Software Security Target 16 of 56 General Business Use (05 Oct 07) TPG0159A Hardware Definition 21 The hardware part is the physical IC. This part of the Smartcard system is evaluated independently and may be used as the basis for many composite products (that is it may be used with various software applications). Software Definition 22 The software is embedded in the hardware and is designed to operate the hardware. The software consists of a smartcard embedded software provided by a customer (Smartcard Embedded Software Developer), and a Cryptographic Toolbox (TBX) provided by Atmel, the TBX is merged with the Smartcard embedded software in Phase 2 of the life cycle. Figure 2-2 shows a further breakdown of the Smartcard Embedded Software. Figure 2-2 Smartcard Embedded Software 23 The TOE boundary is the Atmel Cryptographic Software as shown in Figure 2-2. As defined above this Crypto toolbox (TBX), forms part of a complete Smartcard application. The TOE can only be thought of as a part of the complete application. The TOE offers support to the Smartcard Embedded Software to allow cryptographic functions to be performed by the Hardware certified AT90SC device, at the request of the Smartcard Embedded Software. 00.03.01.xx Atmel Toolbox 24 The Atmel Toolbox [TBX], software library allows fast cryptographic algorithm implementations (RSA, SHA-1, Prime Generation,...) on the hardware AT90SC. The TOE shall also provide software cryptographic primitives to ease the customer proprietary software implementation of these algorithms (full multiply, square, partial multiply, division,...) as well as DSA and EC-DSA data signature. The primitives listed Complete Smartcard Embedded Software Customer Embedded Software Atmel Cryptographic Toolbox 00.03.01.xx Software Target of Evaluation Description (05 Oct 07) General Business Use 17 of 56 TPG0159A as well as DSA and EC-DSA. The cryptographic library is stored in the ROM of the AT90SC device. 25 The Smartcard Embedded Software when wishing to run a cryptographic function, calls a set command as listed in [TBX], this command will call a function to perform one of the following cryptograhic functions. ! SHA-1 algorithm ! RSA without CRT algorithm ! RSA with CRT algorithm ! Miller Rabin algorithm ! EC-DSA ! ECDH TOE Interfaces 26 The TOE interfaces consist of: ! Interface between the Smartcard Embedded Software and the Atmel Toolbox ! The interface between the AT90SC CPU and the Atmel Toolbox ! The Interface between the AT90SC Crypto RAM and the Atmel Toolbox TOE Development 27 As the TOE is developed to be part of the complete Smartcard device, the following documents are used by the TOE developer during the TOE development phase. Note Please note that storage of the software Toolbox and the access rights applied are not discussed in this ST, the certified AT90SC Hardware ST gives full details of the Access Control and Firewall rules defined for the Hardware TOE. [AM_IS] AT90SC Address and Instruction Set [TD_GEN] AT90SC Technical Data (TPR0160) [APP_AdvX] AdvX for AT90SC Family (TPR0116) [APP_CRYPT] Efficient use of AdvX for Implementing Cryptographic Operations (TPR0142) Security Target 18 of 56 General Business Use (05 Oct 07) TPG0159A Customer Software Guidance Documents 28 The guidance documents applicable for the development of the smartcard embedded software for this TOE are: 29 The software developer should refer to the Certification report issued by DCSSI for the correct revisions of the documents stated above. 2.1.1 Scope of Evaluation Summary Part of the TOE ! Atmel Security User Guidance as detailed on page 18 ! The TOE interfaces as detailed in Section 26 ! Phases 2-3 of the Life Cycle ! The complete Atmel Toolbox 00.03.01.07 software ! Atmel Toolbox Cryptographic functions Outwith the TOE ! Strength of Cryptographic Functions ! Phases 1 and 4-7 of the Life Cycle [TBX] Toolbox 3.x on AT90SCxxxxC Family with AdvX (TPR0133) [APP_AdvX] AdvX for AT90SC Family (TPR0116) [APP_SCRY] Securing Cryptographic Operations on AT90SC products with the Toolbox 3.x (TPR0141) [] [APP_RNG] Generation of Random Numbers with a Controlled Entropy on AT90SC Family (TPR0166) Target of Evaluation Description (05 Oct 07) General Business Use 19 of 56 TPG0159A 2.2 TOE Life-cycle 30 To understand the Life Cycle of the TOE, it must be included in the overall Smartcard Life Cycle first. 2.2.1 Smartcard Life Cycle 31 The standard smartcard product life-cycle consisting of 7 phases where the following authorities are involved . Table 2-1 Smartcard Product Life-cycle Phase 1 Smartcard software development The smartcard software developer is in charge of the smartcard embedded software development and the specification of IC pre-personalization requirements, Phase 2 IC Development The IC designer designs the IC, develops IC dedicated software, provides information, software or tools to the smartcard software developer, and receives the software from the developer, through trusted delivery and verification procedures. From the IC design, IC dedicated software and smartcard embedded software, the IC designer constructs the smartcard IC database, necessary for the IC photomask fabrication. Phase 3 IC manufacturing and testing The IC manufacturer is responsible for producing the IC through three main steps: ! IC manufacturing ! IC testing ! IC pre-personalization Phase 4 IC packaging and testing The IC packaging manufacturer is responsible for the IC packaging and testing. Phase 5 Smartcard product finishing process The smartcard product manufacturer is responsible for the smartcard product finishing process and testing. Phase 6 Smartcard personalization The personalizer is responsible for the smartcard personalization and final tests. Other application software may be loaded onto the chip at the personalization process. Phase 7 Smartcard end-usage The smartcard issuer is responsible for the smartcard product delivery to the smartcard end-user, and the end of life process. Security Target 20 of 56 General Business Use (05 Oct 07) TPG0159A Figure 2-3 Smartcard Product Life Cycle Legend Limits of the development cycle Trusted delivery and verification procedures Smartcard Embedded software Pre-personalization data and Atmel Toolbox data, or customer Toolbox where applicable IC sensitive information software, tools (not applicable) Test Libraries, Atmel Crypto Library Design Center; MaskPrep Maskshop Wafer Fab Test Center . Production Phase See Hardware ST User Phase Development Phase Smartcard IC Database Construction IC Photomask Fabrication IC Testing and Security Encoding IC Manufacturing IC Packaging Smartcard Product Finishing Process Testing (1) Personalization Testing (1) Smartcard Product End-Usage (1) End of Life Process IC Design IC Dedicated Software IC Personalization requirements Smartcard embedded software IC Personalization requirements Testing (1) Phase 7 Phase 6 Phase 5 Phase 3 Phase 2 Phase 1 Phase 4 See Hardware ST IC Personalization requirements Product Construction Product Usage (1) Any faulty AT90SC devices would be returned to the Testing Centre to perform failure analysis. Target of Evaluation Description (05 Oct 07) General Business Use 21 of 56 TPG0159A 2.2.2 Atmel Toolbox Life Cycle 32 The Atmel Toolbox integrates into the smartcard life cycle in phase 2 development phase, before this in phase 1 and after this in phases 4-7 the toolbox must be considered as part of the smartcard is protected by the smartcard delivery procedures. 33 The applicable phase to the toolbox is phase 2 of the smartcard, to show the life of the TOE this phase requires to be refined, as detailed in Table 2-2. 2.3 TOE Environment 34 Considering the TOE, two types of environments are defined: ! Software development environment corresponding to Phase 2 (a,b,c) ! Code Entry environment corresponding to Phase 2 (e,f) 2.3.1 Software Development Environment 35 The Software Development Environment pertains to: ! Specification (a) ! Conception (b) ! Coding (c) ! Validation (d) 36 To assure security, the environment in which the development takes place is made secure with controllable accesses having traceability. Access to the development building is strictly monitored by a security person. Visitors must sign a log book and record the time of arrival and time of departure to the building. All visitors are escorted by authorized personnel at all times. All authorized personnel involved fully understand the importance and the rigid implementation of the defined security procedures. Table 2-2 Toolbox Product Life-cycle Phase 2 TOE Development (a) Specification (b) Conception (c) Coding (d) Validation (e) Code Entry (f) ROMGEN Security Target 22 of 56 General Business Use (05 Oct 07) TPG0159A 37 Specification and Conception of the TOE is performed by the Software Developer. Specification and conception documentation is stored using a file management system. The software development engineer uses appropriate software tools to make his code, the TOE data is secure and only available to authenticated engineers. Sensitive documents, databases on tapes, diskettes are stored in appropriate locked cupboards and safes. Disposal of unwanted confidential data is carried out by shredding (paper documents) or complete electronic erasures (electronic documents, databases, etc.). 2.3.2 TOE Code Entry Environment 38 The Code Entry Environment pertains to: ! Code Entry ! ROMGEN 39 As with the Software development environment, to assure security, the environment in which the Code Entry takes place is made secure with controllable accesses having traceability. Access to the development building is strictly monitored by a security person. Visitors must sign a log book and record the time of arrival and time of departure to the building. All visitors are escorted by authorized personnel at all times. All authorized personnel involved fully understand the importance and the rigid implementation of the defined security procedures. 40 The Software Developer releases the final Toolbox code to the Code Entry team. The processing of the Toolbox data by the Code Entry and ROMGEN teams is performed on a secure network accessible to authenticated engineers with password controls to ensure that the data is protected at all times. As with the Development environment sensitive documents, databases on tapes, diskettes are stored in appropriate locked cupboards and safes. Disposal of unwanted confidential data is carried out by shredding (paper documents) or complete electronic erasures (electronic documents, databases, etc.). 2.3.3 TOE User Environment 41 From after ROMGEN the TOE must be considered as part of the AT90SC hardware TOE, the user of the TOE must refer to the AT90SC Security Target for information on, the secure handling and delivery processes, from this stage onwards. 2.4 TOE Intended Usage 42 The TOE can be incorporated in several applications such as: ! Banking and finance market for credit/debit cards, electronic purse (stored value cards) and electronic commerce. ! Network based transaction processing such as mobile phones (GSM SIM cards), pay-TV (subscriber and pay-per-view cards), communication highways (Internet access and transaction processing). Target of Evaluation Description (05 Oct 07) General Business Use 23 of 56 TPG0159A ! Transport and ticketing market (access control cards). ! Governmental cards (ID-cards, healthcards, driver license etc). ! Multimedia commerce and Intellectual Property Rights protection. 43 During the phase 2 of the AT90SC life cycle the TOE is being developed and produced. The administrators are the following: ! The smartcard embedded software developer ! The Atmel Code Entry Team ! The Atmel ROMGEN Team Security Target 24 of 56 General Business Use (05 Oct 07) TPG0159A (05 Oct 07) General Business Use 25 of 56 TPG0159A Section 3 TOE Security Environment 44 This Security Target Lite is based on the BSI-PP-002-2001 protection profile. 45 This section describes the security aspects of the environment in which the certified AT90SC device is intended to be used, and addresses the description of the assets to be protected, the assumptions, the threats, and the organizational security policies. 46 Section 3 and 4 are taken directly from the BSI-PP-002-2001 Protection Profile to fully comply with the Protection Profile the complete system AT90SC Certified Hardware platform and the TOE must be taken into account, section 3 and 4 deal only with the parts of the PP that deal specifically with the Software Toolbox. 3.1 Assets 3.1.1 Assets regarding the Threats 47 Assets are security relevant elements of the TOE that include the Primary and Secondary assets. Primary Assets ! User application data (D.xxx_DATA) of the TOE comprising the IC pre- personalization requirements, located in: ! Crypto ROM (D.CRYPTO_ROM_DATA) The User data can be subject to manipulation and disclosure while being stored or processed by the TOE. ! Smartcard embedded software (D.xxx_SOFT) located in: ! Crypto ROM (D.CRYPTO_ROM_SOFT) Smartcard Embedded software needs to be protected to prevent manipulation and disclosure. ! IC dedicated software (D.xxx_DSOFT) located in: Note The Smartcard Embedded Software developer should refer to this document and also the specific AT90SC family member Security Target. Section 3 onwards can be though of as a building block that fits directly into the appropriate AT90SC Security Target. Security Target 26 of 56 General Business Use (05 Oct 07) TPG0159A ! Crypto ROM (D.CRYPTO_ROM_DSOFT)) 48 Therefore, the complete TOE itself is an asset. Secondary Assets 49 There are many ways to manipulate or disclose the User Data: 1. An attacker may manipulate the smartcard Embedded Software or the TOE (Primary assets) Such attacks usually require design information of the TOE to be obtained. Therefore, the design information is a secondary asset. ! IC specification (D.IC_SPEC) ! Design (D.DESIGN) ! Development tools (D.DEV_TOOLS) ! Technology (D.TECHNO) ! Photomasks (D.MASK) 50 The above secondary assets disclose the following information to an attacker and therefore need to be protected. 1. The IC dedicated Software with the parts IC Dedicated Test software, and IC dedicated support software 2. The TSF data 51 Assets must be protected in terms of confidentiality and integrity. Grouping of Assets / Object Definition 52 These assets can be grouped to define objects that must be protected, which is useful for the following sections of this document. ! O3: Crypto ROM: covering D.CRYPTO_ROM_DATA, D.CRYPTO_ROM_SOFT, D.CRYPTO_ROM_DSOFT TOE Security Environment (05 Oct 07) General Business Use 27 of 56 TPG0159A 3.2 Assumptions 53 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform Protection Profile”, the assumptions defined in section 3.2 of the PP (where applicable) are valid for this Security Target Lite and are listed below. Figure 3-1 Assumptions A.Plat-Appl A.Resp-Appl Scope of Protection Profile PP-BSI-002 Outwith the Protection Profile PP-BSI-002 A.Platform Security Security Target 28 of 56 General Business Use (05 Oct 07) TPG0159A A.Plaform Security Hardware Platform Security The security of the Hardware Platform on which the TOE is loaded, shall have sufficient security to fully protect the TOE and its assets. The random numbers generated by the Platform shall not be predictable and have sufficient entropy. The platform will ensure that no information about produced random numbers is available to an attacker, as this information may be used to generate cryptographic keys. A.Plat-Appl Usage of Platform The Smartcard Embedded Software shall be designed according to the latest TOE user guidance as stated in Section 28. The Smartcard Embedded Software designer should also take into account the findings of the TOE evaluation report. Applies to Phase 1 A.Resp-Appl Treatment of User Data User data is owned by the Smartcard Embedded Software. Therefore, is assumed that security relevant User Data for example Cryptographic keys, are treated by the Smartcard Embedded Software according to the requirements of the specific end application. Applies to Phase 1 TOE Security Environment (05 Oct 07) General Business Use 29 of 56 TPG0159A 3.3 Threats 54 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform Protection Profile”, the threats defined in section 3.3 of the PP (where applicable) are valid for this Security Target Lite and are listed below According to BSI-PP-002-2001, there are the following standard high-level security concerns 55 The security concerns 1 and 2 give rise to the following threats: Figure 3-2 Standard Threats 56 The complete AT90SC device is exposed to different types of influences or interactions with it’s outside world. Some of them may result from just using the TOE, others may SC1 Manipulation of User Data and of the Smartcard Embedded Software (while being executed/processed and while being stored in the TOE’s memories) SC2 Disclosure of User Data and of the Smartcard Embedded Software (while being processed and while being stored in the TOE’s memories) T.Leak-Inherent Scope of Protection Profile PP-BSI-002 Outwith the Protection Profile PP-BSI-002 Security Target 30 of 56 General Business Use (05 Oct 07) TPG0159A also indicate an attack. The different types of influences or interactions are shown in Figure 3-3. Figure 3-3 Attack Model for the TOE 57 An interaction with the TOE can be done through the ISO interfaces (number 7-9 in Figure 3-3) which are realized using contacts. Influences or interactions with the TOE also occurs through the chip surface (number 1-6 in Figure 3-3). In number 1and 6 galvanic contacts are used. In number 2 and 5 the influence (arrow directed to the chip) does not require a contact. Number 3 and 4 refer to specific situations where the TOE and it’s functional behaviour is not only influenced but definite changes are made by applying mechanical, chemical and other methods (such as 1 and 2). Many attacks require a prior inspection and some reverse-engineering (number 3). 1 2 Electrical Stimulation Energy and Particle Exposure (e.g. temperature) 3 4 Inspection and Reverse-engineering Physical Manipulation 9 8 7 6 5 Electrical Simulation (glitches etc.) Communication Electrical Measurement and Analysis (Also for unbonded pads) Electrical Measurement and Analysis Electro-magnetic Interaction/radiation and Analysis TOE Security Environment (05 Oct 07) General Business Use 31 of 56 TPG0159A 58 The Smartcard Embedded Software must contribute to averting the threats: At least it must not undermine the security provided by the TOE. For details refer to the assumptions regarding the Smartcard Embedded Software, specified in Section 3.2. Standard Threats (referring to SC1 and SC2). 59 From the threats stated in Figure 3-3, the TOE shall avert the applicable threats listed below: 3.4 Organizational Security Policies 60 This Security Target Lite is based on the BSI-PP-002-2001 “Smartcard IC Platform Protection Profile”, the Security Policy defined in section 3.4 of the PP (where applicable) are valid for this Security Target Lite and are listed below. 61 The TOE may provide specific security functionality which can be used by the Smartcard Embedded Software. Particular specific security functionality may not necessarily be derived from threats identified for the TOE's environment because it can only be decided in the context of the smartcard application, against which threats the Smartcard Embedded Software will use the specific security functionality. Therefore, T.Leak-Inherent Inherent Information Leakage An attacker may exploit information which is leaked from the TOE during usage of the complete smartcard system in order to disclose confidential data (User Data or TSF data). No direct contact with the smartcard internal is required here. Leakage may occur through emanations, variations in power consumption, I/O characteristics, clock frequency, or by changes in processing time requirements. One example is the Differential Power Analysis (DPA). This leakage may be interpreted as a covert channel transmission but is more closely related to measurement of operating parameters, which may be derived either from direct (contact) measurements (numbers 6 and 7 Figure 3-3) or measurement of emanations (number 5) and can be related to the specific operation being performed. Security Target 32 of 56 General Business Use (05 Oct 07) TPG0159A the necessity of some specific functionality may not derived from a threat. The Security organizational policies are shown in Figure 3-4. Figure 3-4 Organizational Security Policies 62 The IC developer must apply the policy “Additional Specific Security Functionality” (P.Add-Functions) as specified below. P.Add-Functions Additional Specific Security Functionality The TOE must provide the following specific security functionality to the Smartcard Embedded Software, according to accepted international standard: ! Secure Hash Algorithm (SHA)) ! Rivest-Shamir-Adleman (RSA) With CRT ! Rivest-Shamir-Adleman (RSA) Without CRT ! Elliptical Curve Computation (ECC) ! RSA Key Generation The TOE must provide means to identify the correct revision of the TOE on request by the TOE user. P.Add-Functions Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002 (05 Oct 07) General Business Use 33 of 56 TPG0159A Section 4 Security Objectives 63 This Security Target Lite is based on the BSI-PP-002-2001 protection profile. 64 The security objectives of the TOE contains the following sections: ! Security Objectives for the TOE ! Security Objectives for the Environment 4.1 Security Objectives for the TOE According to this Security Target Lite, there are the following standard high level security goals: 65 Though the Smartcard Embedded Software stored in the AT90SC ROM, will in many cases not contain secret data or algorithms, it must be protected from being disclosed, since for instance knowledge of specific implementation details may assist an attacker. 66 These standard high-level security goals are refined below by defining security objectives as required by the Common Criteria (Figure 4-1). Note that the integrity of the TOE is a means to reach these objectives. SG1 Maintain the integrity of User Data and of the Smartcard Embedded Software (when executing TOE functions). SG2 maintain the confidentiality of User Data and of the Smartcard Embedded Software (when executing TOE functions). Security Target 34 of 56 General Business Use (05 Oct 07) TPG0159A Figure 4-1 Standard Security Objectives 67 According to this Security Target Lite there are the following high level security goals related to specific functionality: 68 The additional high level security considerations are refined below by defining security objectives as required by the Common Criteria. Figure 4-2 Security Objectives Related to Specific Functionality SG4 Provide additional security functionality. O.Leak-Inherent O.Identification Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002 O.Add-Functions Within scope of PP-BSI-0002 Outwith scope of PP-BSI-0002 Security Objectives (05 Oct 07) General Business Use 35 of 56 TPG0159A Standard Security Objectives (referring to SG1 and SG2) 69 The TOE shall provide protection on each of the Standard Security Objectives as listed below: Security Objectives Relating to Specific Functionality (referring to SG3 and SG4) 70 The TOE shall provide protection on each of the Specific Functionality Security Objectives as listed below: O.Leak-Inherent Protection Against Inherent Information Leakage The TOE must provide protection against disclosure of confidential data (User Data or TSF data) stored and/or processed in the smartcard IC ! By measurement and analysis of the shape and amplitude of signals (for example on the power, clock, or I/O lines) and ! By measurement and analysis of the time between events found by measuring signals (for instance on the power, clock, or I/O lines). This objective pertains to measurements with subsequent complex signal processing. Details correspond to an analysis of attack scenarios which is not given here. O.Identification TOE Identification The TOE must provide means to store Initialisation Data and Pre-personalisation Data in its non-volatile memory. The Initialisation Data (or parts of them) are used for TOE identification. O.Add-Function Additional Specific Security Functionality The TOE must provide the following specific security functionality to the Smartcard Embedded Software: ! Secure Hash Algorithm (SHA) ! Rivest-Shamir-Adleman (RSA) With CRT ! Rivest-Shamir-Adleman (RSA) Without CRT ! Elliptical Curve Computation (ECC) ! RSA Key Generation Security Target 36 of 56 General Business Use (05 Oct 07) TPG0159A 4.2 Security Objectives for the Environment Phase 1 71 The Smartcard Embedded Software shall provide for each of the Security Objectives for the Environment as stated below. Phase 2 72 The hardware Platform shall provide for the Security Objective for the environment as stated below.. OE.Plat-Appl Usage of TOE Platform To ensure that the TOE is used in a secure manner the Smartcard Embedded Software shall be designed so that the requirements from the following documents are met: ! TOE application notes ! Findings of the TOE evaluation reports relevant for the Smartcard Embedded Software OE.Resp-Appl Treatment of User Data Security relevant User Data (especially cryptographic keys) are treated by the Smartcard Embedded Software as required by the security needs of the specific application context. For example the Smartcard Embedded Software will not disclose security relevant user data to unauthorised users or processes when communicating with a terminal. OE.Platform security Hardware Platform Security The security of the Hardware Platform on which the TOE is loaded, must be of a sufficient quality to fully protect the TOE and its assets. The security of the hardware platform is especially relevant when taking into account the RNG used in conjuction with the TOE to produce cryptographic keys. The hardware platform RNG must be tested against a recognised quality metric. (05 Oct 07) General Business Use 37 of 56 TPG0159A Section 5 TOE Security Functional Requirements 73 This Security Target Lite is based on the BSI-PP-002-2001 protection profile. 74 The TOE security functional requirements define the functional requirements for the TOE using functional requirements components drawn from the Common Criteria part 2, and extended functional requirements defined in BSI-PP-002-2001. 75 The minimum strength of function level for the TOE security requirements is SOF-high. Note The Smartcard Embedded Software Developer must consider the whole product, to comply with the BSI-PP-002-2001 Protection Profile, the full AT90SC system SFRs must be considered, the developer should refer to both security targets. Security Target 38 of 56 General Business Use (05 Oct 07) TPG0159A 5.1 The TOE Functional Requirements Standard Security Functional Requirements 76 The Standard TOE Security Functional Requirements (where applicable to the TOE) as listed within the BSI-PP-002-2001 are shown in Figure 5-1 Figure 5-1 Standard Security Functional Requirements 77 The Security Functional Requirements related to specific Functionality are shown in Figure 5-2. Figure 5-2 Security Functional Requirements related to Specific Functionality Leakage Basic Internal Transfer Protection (FDP_ITT.1) Basic Internal TSF data Transfer (FPT_ITT.1) Protection Subset Information Flow Control (FDP_IFC.1) Audit Storage (FAU_SAS.1) Identification SFRs related to Specific Functionality - Cryptography Cryptograhic Operations (FCS_COP.1) Cryptography TOE Security Functional Requirements (05 Oct 07) General Business Use 39 of 56 TPG0159A 5.1.1 Functional Requirements Relating to Leakage Basic Internal Transfer Protection (FDP_ITT.1) 78 The TOE shall meet the requirement “Basic internal transfer protection” as specified below: Basic Internal TSF data transfer protection (FPT_ITT.1) 79 The TOE shall meet the requirement “Basic internal TSF data transfer protection” as specified below: FDP_ITT.1 Basic internal transfer protection Hierarchical to No other components FDP_ITT.1.1 The TSF shall enforce the Data Processing Policy to prevent the disclosure of user data when it is transmitted between physically-separated parts of the TOE. Dependencies FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control Refinement The different memories, the CPU and other functional units of the Smartcard device (e.g. a cryptographic co-processor) are seen as physically-separated parts of the Smartcard device. FPT_ITT.1 Basic internal TSF data transfer protection Hierarchical to No other components FPT_ITT.1.1 The TSF shall protect TSF data from disclosure when it is transmitted between separate parts of the TOE. Dependencies No dependencies Refinement The different memories, the CPU and other functional units of the smartcard device (e.g. a cryptographic co-processor) are seen as separated parts of the Smartcard device. This requirement is equivalent to FDP_ITT.1 above but refers to TSF data instead of User Data. Therefore, it should be understood as to refer to the same Data Processing Policy defined under FDP_IFC.1. Security Target 40 of 56 General Business Use (05 Oct 07) TPG0159A Subset Information Flow Control (FDP_IFC.1) 80 The TOE shall meet the requirement “Subset information flow control” as specified below: 81 The following Security Functional Policy (SFP) Data Processing Policy is defined for the requirement “Subset information flow control”: ! User Data and TSF data shall not be accessible from the TOE except when the Smartcard Embedded Software decides to communicate the User Data via an external interface. The protection shall be applied to confidential data only but without the distinction of attributes controlled by the Smartcard Embedded Software. 5.1.2 Functional Requirements Relating to Identification Audit Storage (FAU_SAS.1) 82 The TOE shall meet the requirement “Audit storage” as specified below: Cryptographic operation (FCS_COP.1) 83 The TOE shall meet the requirement “Cryptographic operation” on cryptographic operations as specified below: FDP_IFC.1 Subset information flow control Hierarchical to No other components FDP_IFC.1.1 The TSF shall enforce the Data Processing Policy on all confidential data when they are processed or transferred by the TOE or by the Smartcard Embedded Software. Dependencies FDP_IFF.1 Simple security attributes FAU_SAS.1 Audit storage Hierarchical to No other components FAU_SAS.1.1 The TSF shall provide test personnel before TOE Delivery with the capability to store the Initialisation Data and/or Pre- personalisation Data and/or supplements of the Smartcard Embedded Software in the audit records. Dependencies No dependencies FCS_COP.1 Cryptographic operation Hierarchical to No other components FCS_COP.1.1 The TSF shall perform software: TOE Security Functional Requirements (05 Oct 07) General Business Use 41 of 56 TPG0159A 5.2 Security Requirements for the Environment 5.2.1 Security Requirements for the IT-Environment 84 The environment shall meet the requirement “Quality metric for random numbers” as detailed below:: ! data encryption and decryption in accordance with a specified cryptographic algorithm: SHA-1, and cryptographic key size: (not disclosed in ST-Lite) that meet the following Secure Hash Standard, FIPS PUB 180-1, 17th April 1995 ! data encryption and decryption in accordance with a specified cryptographic algorithm: RSA without CRT data, and cryptographic key size: (not disclosed in ST- Lite) that meet the following, PKCS#1 V2.0, 1st October, 1998. ! data encryption and decryption in accordance with a specified cryptographic algorithm: RSA with CRT data, and cryptographic key size: (not disclosed in ST-Lite) bits that meet the following PKCS#1 V2.0, 1st October, 1998. ! data encryption and decryption in accordance with a specified cryptographic algorithm: EC-DSA, and cryptographic key size: (not disclosed in ST-Lite) that meet the following, FIPS 186-2, 27th January, 2007 for Digital Signatures. ! data encryption and decryption in accordance with a specified cryptographic algorithm: ECDH, and cryptographic key size: (not disclosed in ST-Lite) that meet the following ISO 15946-3:2002 for ECDH standard. Dependencies (FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation) FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes FCS_RND.1 Quality metric for random numbers Hierarchical to No other components FCS_RND.1.1 The TSF shall provide a mechanism to generate random numbers that meet [assignment: a defined quality metric]. Dependencies No dependencies Security Target 42 of 56 General Business Use (05 Oct 07) TPG0159A 5.2.2 Security Requirements for the NON-IT-Environment 85 In the following, security requirements for the Non-IT-Environment are defined. 86 For the Hardware Platform the requirement “ Hardware Platform Security (RE.Hardware Platform)” is valid.. 87 For the development of the Smartcard Embedded Software (in Phase 1) the requirement “Design and implementation of the Smartcard Embedded Software (RE.Phase-1)” is valid. RE.Platform Security Hardware Platform Security The TOE user must ensure that the security of the Hardware Platform on which the TOE is loaded, must be of a sufficiently quality to fully protect the TOE and its assets. The security of the hardware platform is especially relevant when taking into account the RNG used in conjuction with the TOE to produce cryptographic keys. The hardware platform RNG must be tested against a recognised quality metric. RE.Phase-1 Design and Implementation of the Smartcard Embedded Software The developers shall design and implement the Smartcard Embedded Software in such a way that it meets the requirements from the following documents (i) data sheet for the TOE, (ii) TOE application notes, and (iii) findings of the TOE evaluation reports relevant for the Smartcard Embedded Software. (See section 2.1 Customer Software Guidance) The developers shall implement the Smartcard Embedded Software in a way that it protects security relevant User Data (especially cryptographic keys) as required by the security needs of the specific application context. TOE Security Functional Requirements (05 Oct 07) General Business Use 43 of 56 TPG0159A 88 The Smartcard Embedded Software shall meet the requirements RE.Cipher. RE.Cipher Cipher Schemas The developers of Smartcard Embedded Software must not implement routines in a way which may compromise keys when the routines are executed as part of the Smartcard Embedded Software. Performing functions which access cryptographic keys could allow an attacker to misuse these functions to gather information about the key which is used in the computation of the function. Keys must be kept confidential as soon as they are generated. The keys must be unique with a very high probability, as well as cryptographically strong. For example, it must be ensured that it is not possible to derive the private key from a public key if asymmetric algorithms are used. This implies that an appropriate key management has to be realized in the environment. Security Target 44 of 56 General Business Use (05 Oct 07) TPG0159A 5.3 TOE Security Assurance Requirements 89 The assurance requirement is EAL5 augmented of additional assurance components listed in Table 5-1. 90 Some of the augmentation components are hierarchical ones to the components specified in EAL5. 91 All the components are drawn from Common Criteria Part 3. Table 5-1 EAL5 Package and Augmentation Assurance Class EAL5 Package TBX_00.03.01.xx EAL5+ Package Augmented From EAL5 ACM_AUT 1 1 No ACM_CAP 4 4 No ACM_SCP 3 3 No ADO_DEL 2 2 No ADO_IGS 1 1 No ADV_FSP 3 3 No ADV_HLD 3 3 No ADV_IMP 2 2 No ADV_INT 1 1 No ADV_LLD 1 1 No ADV_RCR 2 2 No ADV_SPM 3 3 No AGD_ADM 1 1 No AGD_USR 1 1 No ALC_DVS 1 2 Yes ALC_FLR N/A N/A No ALC_LCD 2 2 No ALC_TAT 2 2 No ATE_COV 2 2 No ATE_DPT 2 2 No ATE_FUN 1 1 No ATE_IND 2 2 No AVA_CCA 1 1 No AVA_MSU 2 3 Yes AVA_SOF 1 1 No AVA_VLA 3 4 Yes (05 Oct 07) General Business Use 45 of 56 TPG0159A 92 The refinements to the assurance requirements as stated within the Protection Profile BSI-PP002-2001 have been taken into account. Security Target 46 of 56 General Business Use (05 Oct 07) TPG0159A (05 Oct 07) General Business Use 47 of 56 TPG0159A Section 6 TOE Summary Specification 93 This section defines the TOE security functions that implement the security functional requirements defined in Section 5.1, and the TOE assurance measures that implement the security assurance requirements defined in Section 5.3. 6.1 TOE Security Functions 6.1.1 Cryptography (SF10) 94 The TSF shall provide a cryptographic algorithm to be able to transmit and receive objects in a manner protected from data retrieval or modification. 95 The TSF shall provide software ! M10.2 SHA-1 data signing capability. ! M10.3 RSA without CRT data encryption/ decryption capability ! M10.4 RSA with CRT data encryption/decryption. 96 Those may be used by the smartcard embedded software to support data encryption and decryption for maintaining data integrity, and protect against sensitive data unauthorized disclosure. 97 M10.6 the TSF shall provide software RSA cryptographic key generation capability using Miller Rabin algorithm. 98 M10.7 the TSF shall provide software sign and verify signatures with ECC, conforming to EC-DSA standard. Note The TSF and Security Mechanism (Mx.x) are numbered in a way to allow the Smartcard Embedded Software Developer to see how the TSF detailed fits into the equivalent TSFs for the certified AT90SC ST. Note The Atmel Toolbox must be considered as a whole Security Target 48 of 56 General Business Use (05 Oct 07) TPG0159A 99 M10.8 the TSF shall provide software point multiplication on an elliptical curve, conforming to EC-DSA standard. 100 M10.9 the TSF shall provide software point addition on an elliptical curve, conforming to EC-DSA standard. 101 M10.10 the TSF shall provide software point doubling on an elliptical curve, conforming to EC-DSA standard. 102 M10.11 the TSF shall provide software ECDH cryptographic capability using Elliptic Curve point operations. 103 M10.12 the TSF shall provide a software function that performs a selftest operation of the TOE, at the end of the selftest function the TOE will output a Version number. 104 The Strength of Function claimed for the cryptography security function is high. 105 An assessment of the strength of the following algorithms does not form part of the evaluation: ! SHA-1 algorithm ! RSA without CRT algorithm ! RSA with CRT algorithm ! Miller Rabin algorithm ! EC-DSA ! ECDH. 6.1.2 Security Functions Based on Permutations/combinations 106 Not applicable. TOE Summary Specification (05 Oct 07) General Business Use 49 of 56 TPG0159A 6.2 TOE Assurance Measures 107 Table 6-1 specifies how they satisfy the TOE security assurance requirements. Security Target Lite (SA1) 108 SA1 shall provide the “TOE Security Target Lite” document plus its references. Table 6-1 Relationship Between Assurance Requirements and Measures Security Target Lite Configuration Management Delivery and Operation Development Activity Guidance Life Cycle Support Test Activity Vulnerability assessment Smartcard Devices Development Site Test Site Manufacturing Site Sub-contractor Site Assurance Requirement SA1 SA2 SA3 SA4 SA5 SA6 SA7 SA8 SA9 SA10 SA11 SA12 SA13 ASE_xxx x ACM_AUT.1 x x x x x ACM_CAP.4 x x x x x ACM_SCP.3 x x x x x ADO_DEL.2 x x x x x ADO_IGS.1 x x x x x ADV_FSP.3 x ADV_HLD.3 x ADV_IMP.2 x ADV_LLD.1 x ADV_RCR.2 x ADV_SPM.3 x AGD_ADM.1 x AGD_USR.1 x ALC_DVS.2 x x x x x ALC_LCD.2 x x x x x ALC_TAT.2 x x x x x ATE_COV.2 x x x ATE_DPT.2 x x x ATE_FUN.1 x x x ATE_IND.2 x x x AVA_CCA.1 x x AVA_MSU.3 x x AVA_SOF.1 x x AVA_VLA.4 x x Security Target 50 of 56 General Business Use (05 Oct 07) TPG0159A Configuration Management (SA2) 109 SA2 shall provide the “CC Configuration Management (ACM)” interface document plus its references. Delivery and Operation (SA3) 110 SA3 shall provide the “CC Delivery and Operation (ADO)” interface document plus its references. Development Activity (SA4) 111 SA4 shall provide the “CC Development Activity (ADV)” interface document plus its references. Guidance (SA5) 112 SA5 shall provide the “CC Guidance (AGD)” interface document plus its references. Life Cycle Support (SA6) 113 SA6 shall provide the “CC Life Cycle Support (ALC)” interface document plus its references. Test Activity (SA7) 114 SA7 shall provide the “CC Test Activity (ATE)” interface document plus its references, and undertaking of testing described therein. Vulnerability Assessment (SA8) 115 SA8 shall provide the “CC Vulnerability Assessment (AVA)” interface document plus its references, and undertaking of vulnerability assessment described therein. Smart Card Devices (SA9) 116 SA9 shall provide functional AT90SC smart card devices with TBX 3.x loaded and an engineering ROM to allow TOE testing. Development Site (SA10) 117 SA10 shall provide access to the development site. Test Site (SA11) 118 SA11 shall provide access to the test site. Manufacturing Site (SA12) 119 SA12 shall provide access to the manufacturing site. TOE Summary Specification (05 Oct 07) General Business Use 51 of 56 TPG0159A Sub-contractor Sites (SA13) 120 SA13 shall provide access to the sub-contractor sites. Security Target 52 of 56 General Business Use (05 Oct 07) TPG0159A (05 Oct 07) General Business Use 53 of 56 TPG0159A Section 7 PP Claims 7.1 PP Reference 121 This Security Target Lite is based on the Protection Profile “Smartcard IC Platform Protection Profile” V1.0 July 2001,and has been registered under the German Certification Scheme (BSI) under the reference BSI-PP-002-2001. 7.2 PP Refinements 122 For clarification of this Security Target Lite, modes, assets, subjects, threats, assumptions and organizational security policy are defined with labels of the form M.xx_xx, D.xx_xx, S.xx_xx, T.xx_xx, A.xx_xx, and P.xx_xx respectively. 7.3 PP Additions 123 The PP additions fall into the following categories, the additions: ! taken directly from Common Criteria V2.3 ! assumption and security objective for environment, defined in Section 3.2 of this Security Target Lite 7.3.1 Additions from BSI-AUG-2002 124 Additions include Assumptions, Threats, Organisational security Policies, Security Objectives and Security Functional Requirements. 7.3.1.1 Assumptions 125 This Security Target Lite specifies the additional Assumption, A.Platform Security. This assumption relates to the Hardware Platform security. 7.3.1.2 Organizational Security Policies 126 This Security Target Lite specifies the additional organizational security policies, P.Add- Functions this policy relates to the cryptographic functions provided by the TOE. Security Target 54 of 56 General Business Use (05 Oct 07) TPG0159A 7.3.1.3 Security Objectives 127 This Security Target Lite specifies the additional security objective, O.Add-Functions this objective relates to the cryptographic functions provided by the TOE. 7.3.1.4 Security Functional Requirements 128 This Security Target Lite specifies the additional security functional requirements: ! FCS_COP.1 relating to the cryptographic functions provided by the TOE 7.3.1.5 Security Functional Requirements for the NON-IT-Environment 129 This Security Target Lite specifies the additional security functional requirement for the NON-IT-Environment: ! RE.Cipher relating to the Smartcard Embedded Software development 7.3.2 Additions Defined in this Security Target Lite 7.3.2.1 Security Functional Requirements for the NON-IT-Environment 130 This Security Target Lite defines the additional security functional requirement for the NON-IT-Environment: ! RE.Platform Security relating to the Security of the Hardware Platform the TOE is loaded onto. (05 Oct 07) General Business Use 55 of 56 TPG0159A Appendix A Glossary A.1 Terms HASH Transformation of a string of characters into a usually shorter fixed length value or key that represents the original string. IC Dedicated Software IC Proprietary software which is required for testing purposes and to implement special functions. For Roper this includes the embedded test software and additional test programmes which are run from outside of the IC. The Crypto libraries also form part of the IC dedicated software. IC Designer Institution (or its agent) responsible for the IC Development. Atmel is the institution in respect of the TOE. IC Manufacturer Institution (or its agent) responsible for the IC manufacturing, testing and pre-personalization. Atmel is the institution in respect of the TOE. IC Packaging Manufacturer Institution (or its agent) responsible for the IC packaging and testing. IC Pre-personalization Data Required information to enable the smartcard IC to be configured by means of ROM options and to enable programming of the EEPROM with customer specified data. Integrated Circuit (IC) Electronic component(s) designed to perform processing and/or memory functions. Personalizer Institution (or its agent) responsible for the smartcard personalization and final testing. Smartcard A credit sized plastic card which has a non volatile memory and a processing unit embedded within it. Security Target 56 of 56 General Business Use (05 Oct 07) TPG0159A Smartcard Embedded Software Software embedded in the smartcard application (smartcard application software). This software is provided by smartcard embedded software developer (customer). Embedded software may be in any part of User ROM or EEPROM. Smartcard Embedded Software Developer Institution (or its agent) responsible for the smartcard embedded software development and the specification of pre-personalization requirements. Smartcard Issuer Institution (or its agent) responsible for the smartcard product delivery to the smartcard end-user. Smartcard Product Manufacturer Institution (or its agent) responsible for the smartcard product finishing process and testing. Printed on recycled paper. General Business Use TPG0159A–SMIC–05Oct07 © Atmel Corporation 2007. All rights reserved. Atmel® , logo and combinations thereof, Everywhere You Are® and others, are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others. Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL’S TERMS AND CONDI- TIONS OF SALE LOCATED ON ATMEL’S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDEN- TAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’s products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life. Atmel Corporation Atmel Operations 2325 Orchard Parkway San Jose, CA 95131, USA Tel: 1(408) 441-0311 Fax: 1(408) 487-2600 Regional Headquarters Europe Atmel Sarl Route des Arsenaux 41 Case Postale 80 CH-1705 Fribourg Switzerland Tel: (41) 26-426-5555 Fax: (41) 26-426-5500 Asia Room 1219 Chinachem Golden Plaza 77 Mody Road Tsimshatsui East Kowloon Hong Kong Tel: (852) 2721-9778 Fax: (852) 2722-1369 Japan 9F, Tonetsu Shinkawa Bldg. 1-24-8 Shinkawa Chuo-ku, Tokyo 104-0033 Japan Tel: (81) 3-3523-3551 Fax: (81) 3-3523-7581 Memory 2325 Orchard Parkway San Jose, CA 95131, USA Tel: 1(408) 441-0311 Fax: 1(408) 436-4314 Microcontrollers 2325 Orchard Parkway San Jose, CA 95131, USA Tel: 1(408) 441-0311 Fax: 1(408) 436-4314 La Chantrerie BP 70602 44306 Nantes Cedex 3, France Tel: (33) 2-40-18-18-18 Fax: (33) 2-40-18-19-60 ASIC/ASSP/Smart Cards Zone Industrielle 13106 Rousset Cedex, France Tel: (33) 4-42-53-60-00 Fax: (33) 4-42-53-60-01 1150 East Cheyenne Mtn. Blvd. Colorado Springs, CO 80906, USA Tel: 1(719) 576-3300 Fax: 1(719) 540-1759 Scottish Enterprise Technology Park Maxwell Building East Kilbride G75 0QR, Scotland Tel: (44) 1355-803-000 Fax: (44) 1355-242-743 RF/Automotive Theresienstrasse 2 Postfach 3535 74025 Heilbronn, Germany Tel: (49) 71-31-67-0 Fax: (49) 71-31-67-2340 1150 East Cheyenne Mtn. Blvd. Colorado Springs, CO 80906, USA Tel: 1(719) 576-3300 Fax: 1(719) 540-1759 Biometrics/Imaging/Hi-Rel MPU/ High Speed Converters/RF Datacom Avenue de Rochepleine BP 123 38521 Saint-Egreve Cedex, France Tel: (33) 4-76-58-30-00 Fax: (33) 4-76-58-34-80 Literature Requests www.atmel.com/literature