TÜV Rheinland Nederland B.V.

Head office Apeldoorn: Boogschutterstraat 11A, P.O. Box 541, 7300 AM Apeldoorn, The Netherlands. Tel. +31 (0)88 888 7 888, Fax +31 (0)88 888 7 879
Location Apeldoorn: Vissenstraat 6, P.O. Box 541, 7300 AM Apeldoorn, The Netherlands. Tel. +31 (0)88 888 7 888, Fax +31 (0)88 888 7 879
Location Enschede: Josink Esweg 10, P.O. Box 337, 7500 AH Enschede, The Netherlands. Tel. +31 (0)88 888 7 888, Fax +31 (0)88 888 7 859

TÜV Rheinland Nederland B.V. is a registered company with the Amsterdam Chamber of Commerce under number 27288788
info@nl.tuv.com
www.tuv.com/nl
Version 20101101
® TÜV, TUEV and TUV are registered trademarks. Any use or application requires prior approval.

Certification Report

Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015

Sponsor and developer: Ministerie van Infrastructuur en Milieu, P.O. Box 20901, 2500 EX Den Haag, The Netherlands
Evaluation facility: Brightsight, Delftechpark 1, 2628 XJ Delft, The Netherlands

Report number: NSCIB-PP-08-10381-CR3
Report version: 3
Project number: NSCIB-PP-08-10381
Author(s): NLNCSA
Date: 11 March 2015
Number of pages: 9
Number of appendices: 0

Reproduction of this report is authorized provided the report is reproduced in its entirety.

CONTENTS:

Foreword
Recognition of the certificate
    International recognition
    European recognition
1 Executive Summary
    1.1 Introduction
    1.2 Evaluation and Certification details
    1.3 Protection Profile Identification
2 Certification Results
    2.1 Protection Profile Overview
    2.2 Security Functional Requirements
    2.3 Assurance Requirements
    2.4 Results of the PP Evaluation
    2.5 Comments/Recommendations
3 Protection Profile
4 Definitions
5 Bibliography

Foreword

The Netherlands Scheme for Certification in the Area of IT Security (NSCIB) provides a third-party evaluation and certification service for determining the trustworthiness of Information Technology (IT) security products. Under this NSCIB, TÜV Rheinland Nederland B.V. has the task of issuing certificates for IT security products as well as for protection profiles and sites.

A part of the procedure is the technical examination (evaluation) of the product, protection profile or site according to the Common Criteria assessment guidelines published by the NSCIB. Evaluations are performed by an IT Security Evaluation Facility (ITSEF) under the oversight of the NSCIB Certification Body, which is operated by TÜV Rheinland Nederland B.V. in cooperation with the Ministry of the Interior and Kingdom Relations.

An ITSEF in the Netherlands is a commercial facility that has been licensed by TÜV Rheinland Nederland B.V. to perform Common Criteria evaluations; a significant requirement for such a license is accreditation to the requirements of ISO Standard 17025, General requirements for the accreditation of calibration and testing laboratories.

By awarding a Common Criteria certificate, TÜV Rheinland Nederland B.V. asserts that the product or site complies with the security requirements specified in the associated (site) security target, or that the protection profile (PP) complies with the requirements for PP evaluation specified in the Common Criteria for Information Security Evaluation. A (site) security target is a requirements specification document that defines the scope of the evaluation activities.
The consumer should review the security target or protection profile, in addition to this certification report, in order to gain an understanding of any assumptions made during the evaluation, the IT product's intended environment, its security requirements, and the level of confidence (i.e., the evaluation assurance level) that the product satisfies the security requirements stated in the (site) security target.

Reproduction of this report is authorized provided the report is reproduced in its entirety.

Recognition of the certificate

The presence of the Common Criteria Recognition Arrangement and SOG-IS logos on the certificate indicates that this certificate is issued in accordance with the provisions of the CCRA and the SOG-IS agreement and will be recognised by the participating nations.

International recognition

The CCRA was signed by the Netherlands in May 2000 and provides mutual recognition of certificates based on the CC. Starting 8 September 2014, the CCRA has been updated to provide mutual recognition of certificates based on cPPs (exact use) or STs with evaluation assurance components up to and including EAL2+ALC_FLR. The current list of signatory nations and approved certification schemes can be found on: http://www.commoncriteriaportal.org.

Product certificates issued before 08 September 2014 are still under recognition according to the rules of the previous CCRA (i.e. recognition based on assurance components up to and including EAL4+ALC_FLR). Certification procedures started before 8 September 2014 and Assurance Continuity (maintenance and re-certification) of old certificates also remain recognised according to the rules of the previous CCRA.

This protection profile certificate falls under the recognition rules of both the previous and the current CCRA.
European recognition

The European SOGIS-Mutual Recognition Agreement (SOGIS-MRA) version 3, effective from April 2010, provides mutual recognition of Common Criteria and ITSEC certificates at a basic evaluation level for all products. A higher recognition level for evaluation levels beyond EAL4 (resp. E3-basic) is provided for products related to specific technical domains. This agreement was initially signed by Finland, France, Germany, The Netherlands, Norway, Spain, Sweden and the United Kingdom. Italy joined the SOGIS-MRA in December 2010. The current list of signatory nations, approved certification schemes and the list of technical domains for which the higher recognition applies can be found on: http://www.sogis.eu.

1 Executive Summary

1.1 Introduction

This Certification Report states the outcome of the Common Criteria security evaluation of the Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015 [PP]. This Certification Report is intended to assist prospective consumers when judging the suitability of the Protection Profile for their particular requirements.

1.2 Evaluation and Certification details

The Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015 [PP] was developed by the Ministerie van Infrastructuur en Milieu, located in Den Haag, Netherlands, which also acts as the sponsor of the evaluation and certification.

This version 1.8 of the PP-BCT is an update of the previously certified version 1.3 from 1 February 2010, which in turn was an update to the original certified version 1.0 from 13 October 2008. The change to the previously certified protection profile is at the level of changes/additions to the scope and functionality of the defined TOE.
The identification of the updated protection profile is indicated by a new version number compared to the original protection profile, as Configuration Management procedures required a change in the version number from v1.3 to v1.8.

The original protection profile was evaluated by Brightsight B.V., located in Delft, The Netherlands, and the evaluation was completed on 17 October 2008. The re-assessment of the updated protection profile was completed on 11 March 2015 with the approval of the evaluation technical report [ETR] (1).

The certification procedure has been conducted in accordance with the provisions of the Netherlands Scheme for Certification in the Area of IT Security [NSCIB]. The results documented in the ETR for this protection profile provide sufficient evidence that it meets the requirements for protection profile (PP) evaluations specified in the Common Criteria for Information Security Evaluation.

The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4 [CEM], for conformance to the Common Criteria for Information Technology Security Evaluation, version 3.1 Revision 4 [CC].

TÜV Rheinland Nederland B.V., as the NSCIB Certification Body, declares that evaluation of the Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015 meets all the conditions for international recognition of Common Criteria Certificates and that the protection profile will be listed on the NSCIB Certified Products list. It should be noted that the certification results only apply to the specific version of the protection profile as evaluated.

1.3 Protection Profile Identification

Title: Beveiligingsprofiel Boordcomputer Taxi (PP-BCT)
PP Version: versie 1.8, 6 februari 2015
CC Version: 3.1 Revision 4 (September 2012)
CC Conformance Claim: Part 2 conformant, Part 3 conformant, EAL 3
Required conformance: Conformance claims to this protection profile require strict conformance

(1) The Evaluation Technical Report contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.

2 Certification Results

2.1 Protection Profile Overview

This Protection Profile “Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015” [PP] is developed by the Dutch Ministry of Infrastructure and Environment (Ministerie van Infrastructuur en Milieu) as a basis for the development of Security Targets in order to perform a certification of an IT product (TOE).

The “Boordcomputer Taxi” (BCT) is a control device intended for installation in cars that are used for taxi transportation. Its purpose is to aid enforcement processes by electronic registration of the ride administration and the working, drive and rest times and to make this information available on request to authorized persons for verification.

The TOE has four modes of operation: operational mode, control mode, activation/inspection mode and working mode. The operational mode has three operating levels: basic, working time and taxi transport. When taxi transport is being offered or working time takes place, the driver manually selects the corresponding operating level.

In the operational mode, operating level working time or taxi transport, data is registered on the performed taxi rides and the working, drive and rest times of the driver. The start and end of a ride is made known to the TOE by an active operating action by the driver.
In addition, the loading condition (loaded/unloaded) shall be indicated. Furthermore, the TOE takes care of providing the basic data (time and travelled distance) and the position of the vehicle in all modes.

In the operating level basic, the registration of events is also maintained. The operating level basic is a distinct operating level in the operational mode. In the other modes, the TOE integrates the basic functionality with the other functionality of the concerned mode.

The assets to be protected by a TOE claiming conformance to this PP are defined in the Protection Profile [PP], article 3.3.3. Based on these assets, the security problem is defined in terms of Security Policies and Assumptions. This is outlined in the Protection Profile [PP], article 4.

These Security Policies and Assumptions are split into Security Objectives to be fulfilled by a TOE claiming conformance to this PP and Security Objectives to be fulfilled by the Environment of a TOE claiming conformance to this PP.

2.2 Security Functional Requirements

Based on the Security Objectives to be fulfilled by a TOE claiming conformance to this PP, the security policy is expressed by the set of Security Functional Requirements to be implemented by a TOE.

The security functional requirements are divided into a number of functional groups. Every group contains one or more mutually coherent requirements. These groups are:

- Security roles: These define the different roles and modes of the TOE, and how these roles are adopted.
- Identification and Authentication: These define how BCT-cards and other peripherals are identified and, where necessary, authenticated.
- BCT-access policy: Here it is defined what needs to be recorded, and who is allowed to do what with it.
- Signatures: Here it is defined how signatures are being requested from the System card and BCT-card.
- Security audit: Here it is defined which system events are recorded and how these are protected.
- Protection of the BCT: Here it is defined how the physical protection of the BCT functions and how the integrity is guaranteed.

The TOE Security Functional Requirements (SFR) are outlined in the [PP], article 6. They are all selected from Common Criteria Part 2. Thus the SFR claim is called: Common Criteria Part 2 conformant.

2.3 Assurance Requirements

The TOE security assurance requirements claimed in the Protection Profile are based entirely on the assurance components defined in Part 3 of the Common Criteria for the Evaluation Assurance Level 3 package. Thus the SAR claim is called: Common Criteria Part 3 conformant, EAL 3 conformant. (For the definition and scope of assurance packages according to the CC, see [CC], Part 3.)

2.4 Results of the PP Evaluation

The evaluation lab determined that the claims as made in the Protection Profile “Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015” are in conformance with the requirements for Protection Profiles as specified in class APE of the CC. The evaluation was performed as a delta evaluation in which only the changes to the PP were assessed to verify that the evaluation results of the previously certified PP can be reused.

The certifier concluded that the evaluation lab has performed all APE work units in accordance with the APE section of the CEM. The findings are recorded in an Evaluation Technical Report [ETR].

2.5 Comments/Recommendations

There are no specific Evaluator Comments or Recommendations.

3 Protection Profile

The Protection Profile “Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015” [PP] is included here by reference.

4 Definitions

This list of acronyms and the glossary of terms contain elements that are not already defined by the CC or CEM:

BCT     Boordcomputer Taxi
IT      Information Technology
ITSEF   IT Security Evaluation Facility
NSCIB   Nederlands Schema voor Certificatie op het gebied van IT-Beveiliging
PP      Protection Profile
TOE     Target of Evaluation

5 Bibliography

This section lists all referenced documentation used as source material in the compilation of this report:

[CC]    Common Criteria for Information Technology Security Evaluation, Part I version 3.1 revision 1, and Part II and III, version 3.1, revision 4, September 2012.
[CEM]   Common Methodology for Information Technology Security Evaluation, version 3.1, Revision 4, September 2012.
[ETR]   (2) Brightsight, Evaluation Technical Report Boordcomputer Taxi Platform Protection Profile version 2.0, 6 March 2015.
[NSCIB] Netherlands Scheme for Certification in the Area of IT Security, Version 2.1, August 1st, 2011.
[PP]    Beveiligingsprofiel Boordcomputer Taxi (PP-BCT), versie 1.8, 6 februari 2015.

(This is the end of this report).

(2) The Evaluation Technical Report contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.