TNO CERTIFICATION
Laan van Westenenk 501, P.O. Box 541, 7300 AM Apeldoorn, The Netherlands
Phone +31 55 5493468, Fax +31 55 5493288, E-mail: Certification@certi.tno.nl
TNO Certification is an independent body with access to the expertise of the entire TNO organization. TNO Certification is a registered company with the Delft Chamber of Commerce under number 27241271.

Date: September 6, 2010
Reference: NSCIB-PP-09-25642-CR
Project number: 25642
Subject: NSCIB-PP-09-25642 Certification Report, Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010

Reproduction of this report is authorized provided the report is reproduced in its entirety.

TNO CERTIFICATION HEREBY DECLARES THAT EVALUATION HAS DEMONSTRATED THAT THE PRODUCT

Product and version: Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010; Assurance Package: EAL3 augmented with ALC_FLR.2
Sponsor's name and address: Ministry of Transport, Public Works and Water Management, located in Den Haag, Netherlands
Complies with (certification guidelines or standards): Common Criteria for Information Technology Security Evaluation (CC), Version 3.1 Revision 3
Evaluation performed by (testing laboratory): Brightsight BV, located in Delft, Netherlands
Applying: Common Methodology for Information Technology Security Evaluation (CEM), Version 3.1 Revision 3
Certification Report number: NSCIB-PP-09-25642-CR
Certificate issued on: September 6, 2010
Expiry date: September 6, 2015
Issued in: Apeldoorn, Netherlands
Director TNO Certification

The protection profile identified in this certificate has been evaluated at an accredited and licensed/approved evaluation facility using the Common Methodology for IT Security Evaluation version 3.1 Revision 3 for conformance to the Common Criteria for IT Security Evaluation version 3.1 Revision 3. This certificate applies only to the specific version of the protection profile listed in this certificate and in conjunction with the complete Certification Report. The evaluation has been conducted in accordance with the provisions of the Netherlands Scheme for Certification in the area of IT security [NSCIB], and the conclusions of the evaluation facility in the Evaluation Technical Report are consistent with the evidence adduced. This certificate is not an endorsement of the protection profile by TNO Certification or by any other organisation that recognises or gives effect to this certificate, and no warranty of the profile by TNO Certification or by any other organisation that recognises or gives effect to this certificate is either expressed or implied.

Certificate number: C09-25642
Accredited by the Council for Accreditation

Table of contents

Table of contents
Document Information
Foreword
1 Executive Summary
1.1 Introduction
1.2 Evaluation and Certification Details
1.3 Protection Profile Identification
2 Certification Results
2.1 Protection Profile Overview
2.2 Security Functional Requirements
2.3 Assurance Requirements
2.4 Results of the PP Evaluation
2.5 Evaluator Comments/Recommendations
3 Protection Profile
4 Definitions
5 Bibliography

Document Information

Date of issue: 6 September 2010
Author: R.T.M. Huisman
Version of report: 1.0
Certification ID: NSCIB-PP-09-25642
Sponsor: Ministerie van Verkeer en Waterstaat
Evaluation Lab: Brightsight BV
TOE name: Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010
Report title: Certification Report
Report reference name: NSCIB-PP-09-25642-CR

Foreword

The Netherlands Scheme for Certification in the Area of IT Security (NSCIB) provides a third-party evaluation and certification service for determining the trustworthiness of Information Technology (IT) security products. Under this NSCIB, TNO Certification has the task of issuing certificates for IT security products as well as protection profiles. A part of the procedure is the technical examination (evaluation) of the product or protection profile according to the Common Criteria assessment guidelines published by the NSCIB. Evaluations are performed by an IT Security Evaluation Facility (ITSEF) under the oversight of the NSCIB Certification Body, which is operated by TNO Certification in cooperation with the Ministry of the Interior and Kingdom Relations.

An ITSEF in the Netherlands is a commercial facility that has been licensed by TNO Certification to perform Common Criteria evaluations; a significant requirement for such a license is accreditation to the requirements of ISO Standard 17025, General requirements for the competence of testing and calibration laboratories.

By awarding a Common Criteria certificate, TNO Certification asserts that the protection profile complies with the requirements for protection profile (PP) evaluation specified in the Common Criteria for Information Technology Security Evaluation. A protection profile is an implementation-independent set of security requirements for a category of IT that meets specific consumer needs.
The objective of a protection profile evaluation is to ensure that the protection profile is complete, consistent, technically sound and, therefore, suitable for use as the basis of security requirements for the relevant category of IT.

Recognition of the certificate

The Common Criteria Recognition Arrangement and SOG-IS logos are printed on the certificate to indicate that this certificate is issued in accordance with the provisions of the CCRA and the SOG-IS agreement.

The CCRA was signed by the Netherlands in May 2000 and provides mutual recognition of certificates based on the CC evaluation assurance levels up to and including EAL4. The current list of signatory nations and approved certification schemes can be found at: http://www.commoncriteriaportal.org.

The European SOGIS Mutual Recognition Agreement (SOGIS-MRA) version 3 of April 2010 provides mutual recognition of Common Criteria and ITSEC certificates at a basic evaluation level for all products. A higher recognition level, for evaluation levels beyond EAL4 (resp. E3-basic), is provided for products in the technical domain of smart cards and similar devices. This agreement was initially signed by Finland, France, Germany, the Netherlands, Norway, Spain, Sweden and the United Kingdom.

1 Executive Summary

1.1 Introduction

This Certification Report states the outcome of the Common Criteria security evaluation of the Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010 [PP]. It is intended to assist prospective consumers when judging the suitability of the Protection Profile for their particular requirements.
1.2 Evaluation and Certification Details

The Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010 was developed by the Dutch Ministry of Transport, Public Works and Water Management (Ministerie van Verkeer en Waterstaat), which also acts as the sponsor of the evaluation and certification. The protection profile was evaluated by Brightsight B.V., located in Delft, the Netherlands; the evaluation was completed on September 1, 2010. The certification procedure has been conducted in accordance with the provisions of the Netherlands Scheme for Certification in the Area of IT Security [NSCIB]. The certification was completed on September 6, 2010 with the preparation of this Certification Report.

The results documented in the Evaluation Technical Report [ETR] (see footnote 1) for this protection profile provide sufficient evidence that it meets the requirements for protection profile (PP) evaluations specified in the Common Criteria for Information Technology Security Evaluation. The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3 [CEM], for conformance to the Common Criteria for Information Technology Security Evaluation, version 3.1 Revision 3 [CC].

TNO Certification, as the NSCIB Certification Body, declares that the evaluation of the Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010 meets all the conditions for international recognition of Common Criteria certificates and that the protection profile will be listed on the NSCIB Certified Protection Profile list. It should be noted that the certification results only apply to the specific version of the protection profile as evaluated.
1.3 Protection Profile Identification

Title: Alcohol Interlock PP
Version: 1.0, August 31, 2010
CC Version: 3.1 Revision 3 (July 2009)
CC Conformance Claim: Part 2 conformant, Part 3 conformant, EAL 3 augmented with ALC_FLR.2
Required conformance: Conformance claims to this protection profile require strict conformance

1 The Evaluation Technical Report contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.

2 Certification Results

2.1 Protection Profile Overview

This Protection Profile, "Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010", was developed by the Dutch Ministry of Transport, Public Works and Water Management (Ministerie van Verkeer en Waterstaat) as a basis for the development of Security Targets, in order to certify an IT product (the TOE).

An Alcohol Interlock is a device that seeks to ensure that drivers are unable to use their car when they are intoxicated: before they are able to start the car they have to breathe into the Interlock, and when this breath contains more than the allowed amount of alcohol, the car will not start.

The Alcohol Interlock (the TOE) consists of three parts:

- A Handset: located inside the driver compartment of the car, it contains an alcohol sensor and is able to interact with the driver.
- An Onboard Unit (OBU): usually located inside the engine compartment of the car, it stores audit records and prevents the car from being started without a successful alcohol test having been carried out. The OBU is connected to the car; these connections are considered part of the OBU.
- A Readout Application: located inside a Garage (one Garage can serve thousands of cars fitted with interlocks).
The Readout Application is used for functions such as calibration, adjustment and readout of the alcohol interlock, for uploading settings to and recording data and observations in the alcohol interlock, and for uploading data from the alcohol interlock to a Register or Broker.

The TOE has the following major security features:

- The Handset and OBU parts of the TOE are able to detect events (starting the car, failed breath test, etc.) and store these events.
- Authenticated users can use the Readout Application of the TOE to read out these events and send them onwards. These users can also use the Readout Application to delete the events/erase the memory.
- All parts of the TOE protect the events against unauthorized modification, deletion, insertion and disclosure.

The Protection Profile defines five different classes of TOEs (A, B1, B2, C1 and C2), each of which has slightly different requirements and objectives. The classes differ because:

- The Register has a strictly defined format in which it wishes to store data. As there is no standard for this format yet, each country or organization will tend to use its own proprietary format.
- The Handset/OBU may not be able to support all of these formats.

If the Handset/OBU does not support the required format, the files have to be converted somewhere:

- either in the Readout Application,
- or at the Broker.

The assets to be protected by a TOE claiming conformance to this PP are defined in the Protection Profile [PP], section 3.1. Based on these assets, the security problem is defined only in terms of threats; this is outlined in the Protection Profile [PP], section 3.3. These threats are countered by security objectives to be fulfilled by a TOE claiming conformance to this PP and by security objectives to be fulfilled by the operational environment of such a TOE.
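The PP states which properties a conformant Handset/OBU must provide for stored events (protection against unauthorized modification, deletion and insertion) but, being implementation-independent, it prescribes no mechanism. The following Python sketch is an added illustration written for this report, not code from the PP, the sponsor or any interlock vendor: it shows one way an event store can be made tamper-evident by chaining each record to the previous one with an HMAC under a device key, so that a Readout Application can detect modified, deleted or inserted records. The device key, the record layout, the event names and the separately kept "head" tag are all assumptions made for the example; the fourth property, protection against disclosure, is not addressed here.

```python
"""Tamper-evident event store (added example; not the PP's mechanism).

Each record carries an HMAC-SHA256 tag over its own fields and the tag of the
record before it, so modifying, deleting or inserting a record anywhere in the
store breaks the chain when it is verified at readout.  Key, record layout and
event names are assumptions made for this example.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption for the example: a per-device secret shared by the OBU and the
# Readout Application (a real device would keep this in protected storage).
DEVICE_KEY = b"example-device-key-not-for-production"

GENESIS_TAG = "00" * 32  # the "previous tag" of the very first record


def _tag(key: bytes, seq: int, event: str, detail: str, prev_tag: str) -> str:
    """HMAC-SHA256 over a canonical encoding of the record fields and the previous tag."""
    msg = json.dumps([seq, event, detail, prev_tag], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(store: List[Dict], event: str, detail: str = "",
                 key: bytes = DEVICE_KEY) -> Dict:
    """Append one event record, chained to the tag of the record before it."""
    seq = len(store)
    prev_tag = store[-1]["tag"] if store else GENESIS_TAG
    record = {"seq": seq, "event": event, "detail": detail, "prev_tag": prev_tag,
              "tag": _tag(key, seq, event, detail, prev_tag)}
    store.append(record)
    return record


def verify_store(store: List[Dict], key: bytes = DEVICE_KEY,
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain at readout.

    Returns (True, -1) if every record is authentic and correctly linked,
    otherwise (False, index) where index is the first record that fails.
    If the device also reports its latest tag (expected_head), a chain that is
    internally consistent but shorter than that head is flagged as truncated,
    with index == len(store).
    """
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(store):
        expected = _tag(key, rec["seq"], rec["event"], rec["detail"], rec["prev_tag"])
        if (rec["seq"] != i or rec["prev_tag"] != prev_tag
                or not hmac.compare_digest(expected, rec["tag"])):
            return False, i
        prev_tag = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(store)
    return True, -1


def tamper_demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: four events, then each kind of tampering in turn."""
    store: List[Dict] = []
    for event, detail in [("power_on", ""), ("breath_test", "fail:0.6mg/l"),
                          ("breath_test", "pass:0.0mg/l"), ("engine_start", "")]:
        append_event(store, event, detail)
    head = store[-1]["tag"]  # assumed to be kept by the device outside the log itself

    results = {"intact": verify_store(store, expected_head=head)}

    modified = json.loads(json.dumps(store))   # deep copy
    modified[1]["detail"] = "pass:0.0mg/l"      # rewrite the failed test as a pass
    results["modified"] = verify_store(modified, expected_head=head)

    deleted_mid = store[:1] + store[2:]         # drop the failed test from the middle
    results["deleted_mid"] = verify_store(deleted_mid, expected_head=head)

    truncated = store[:3]                       # drop the most recent record
    results["truncated_no_head"] = verify_store(truncated)
    results["truncated_with_head"] = verify_store(truncated, expected_head=head)

    inserted = json.loads(json.dumps(store))
    forged = {"seq": 2, "event": "breath_test", "detail": "pass:0.0mg/l",
              "prev_tag": inserted[1]["tag"], "tag": "ff" * 32}  # no key, so no valid tag
    inserted.insert(2, forged)
    results["inserted"] = verify_store(inserted, expected_head=head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_demo().items():
        print(f"{name:20s} ok={ok} first_bad_index={idx}")
```

The truncation case is the one worth noting when reviewing a Security Target against this PP: a bare hash or MAC chain detects records altered, removed or inserted in the middle, but removal of the most recent records leaves a chain that still verifies. That is why the verifier above also takes the latest tag the device reports separately, and why a conformant OBU needs some state outside the log itself (a counter or latest-tag register) for the "deletion" property to hold at the tail.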
2.2 Security Functional Requirements

Based on the security objectives to be fulfilled by a TOE claiming conformance to this PP, the security policy is expressed by the set of Security Functional Requirements (SFRs) to be implemented by a TOE. The TOE SFRs are outlined in the [PP], section 5.2. They are all selected from Common Criteria Part 2; the SFR claim is therefore "Common Criteria Part 2 conformant".

2.3 Assurance Requirements

The TOE security assurance requirements claimed in the Protection Profile are based entirely on the assurance components defined in Part 3 of the Common Criteria. The SAR claim is therefore "Common Criteria Part 3 conformant, EAL 3 augmented with ALC_FLR.2" (for the definition and scope of assurance packages according to the CC, see [CC], Part 3).

2.4 Results of the PP Evaluation

The evaluation lab determined that the claims made in the Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010 are in conformance with the requirements for Protection Profiles as specified in class APE of the CC. The evaluation lab has performed all APE work units in accordance with the APE section of the CEM and recorded its findings in an Evaluation Technical Report [ETR] (see footnote 1).

2.5 Evaluator Comments/Recommendations

There are no specific Evaluator Comments or Recommendations.

3 Protection Profile

The Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010 is included here by reference.
4 Definitions

This list of acronyms and glossary of terms contains elements that are not already defined by the CC or CEM:

CC: Common Criteria
ITSEF: IT Security Evaluation Facility
NSCIB: Nederlands Schema voor Certificatie op het gebied van IT-Beveiliging
PP: Protection Profile
TNO: Netherlands Organization for Applied Scientific Research
TOE: Target of Evaluation

5 Bibliography

This section lists all referenced documentation used as source material in the compilation of this report:

[CC] Common Criteria for Information Technology Security Evaluation, Parts 1, 2 and 3, version 3.1 Revision 3, July 2009.
[CEM] Common Methodology for Information Technology Security Evaluation, version 3.1 Revision 3, July 2009.
[ETR] Evaluation Technical Report Alcohol Interlock Protection Profile version 1.0, September 1, 2010 (10-RPT-176 v1.0, ETR APE-Alcohol-Interlock PP).
[NSCIB] Netherlands Scheme for Certification in the Area of IT Security / Nederlands schema voor certificatie op het gebied van IT-beveiliging, Version 1.2, 9 December 2004.
[PP] Alcohol Interlock Protection Profile, version 1.0, dated August 31, 2010.