COMMON CRITERIA PROTECTION PROFILE
for
NEW GENERATION CASH REGISTER FISCAL APPLICATON SOFTWARE
(NGCRFAS PP)
TSE-CCCS/PP-007
Revision No 2.0
Revision Date 06.05.2015
Document Code TSE-CCCS/PP-007
File Name NGCRFAS PROTECTION PROFILE
Prepared by Oğuz DEMİROĞLU
Approved by Salih SARI
2
Revision History
Revision
No Revision Reason
Date of
Revision
0.1 First Draft 04.05.2012
1.0 SFRs update 17.10.2012
1.1 "Gözlem raporu_1" update 17.12.2012
1.2 "Gözlem raporu_2" update 29.01.2013
1.3 "Gözlem raporu_3" update 01.04.2013
1.4 "Gözlem raporu_4" update 14.06.2013
1.5 "Gözlem raporu_5" update 02.08.2013
1.6 "Gözlem kararı 3" update 27.08.2013
1.7 "Gözlem kararı 3" update 28.08.2013
1.8 Maintanance update 18.12.2014
1.9 Maintenance update 29.04.2015
2.0 Maintenance update 06.05.2015
3
CONTENTS
1. PP INTRODUCTION.................................................................................................................. 4
1.1 PP Reference ................................................................................................................................ 4
1.2 TOE Overview ............................................................................................................................. 5
2. CONFORMANCE CLAIMS..................................................................................................... 11
2.1 CC Conformance Claim............................................................................................................. 11
2.2 PP Claim..................................................................................................................................... 11
2.3 Package Claim............................................................................................................................ 11
2.4 Conformance Claim Rationale................................................................................................... 11
2.5 Conformance Statement ............................................................................................................. 11
3. SECURITY PROBLEM DEFINITION................................................................................... 12
3.1 Introduction................................................................................................................................ 12
3.2 Threats........................................................................................................................................ 15
3.3 OSP ............................................................................................................................................ 18
3.4 Assumptions............................................................................................................................... 20
4. SECURITY OBJECTIVES....................................................................................................... 21
4.1 Security Objectives for the TOE ................................................................................................ 21
4.2 Security Objectives for the Operational Environment ............................................................... 21
4.3 Security Objective Rationale...................................................................................................... 23
5. EXTENDED COMPONENTS DEFINITION......................................................................... 28
6. SECURITY REQUIREMENTS ............................................................................................... 29
6.1 Security Functional Requirements for the TOE......................................................................... 29
6.2 Security Assurance Requirements for the TOE.......................................................................... 54
6.3 Security Requirements Rationale ............................................................................................... 54
7. ACRONYMS .............................................................................................................................. 72
8. BIBLIOGRAPHY ...................................................................................................................... 74
4
1. PP INTRODUCTION
This Protection Profile (PP) describes the following items:
 The Target of Evaluation (TOE) as a product and its position in production life cycle,
 The security environment of the TOE includes: the assets to be protected, the threats to
be encountered by the TOE , the development environment and production utilization
phases,
 The security objectives of the TOE and its supporting environment in terms of integrity
and confidentiality of application data and programs,
 Protection of the TOE and associated documentation during the development and
production phases,
 The Information Technology (IT) security requirements which include the TOE
functional requirements and the TOE assurance requirements.
1.1 PP Reference
Title: Common Criteria Protection Profile for New Generation Cash Register Fiscal
Application Software (NGCRFAS PP)
Sponsor: Presidency of Revenue Administration (PRA)
Editor(s):
Prepared by Oğuz DEMİROĞLU
Approved by Salih SARI
CC Version: 3.1 (Revision 4)
Assurance Level: Minimum assurance level for this PP is EAL 2.
General Status: Final
Version Number: 2.0as of 6th
May 2015
Registration : TSE-CCCS/PP-007
Key words: New Generation Cash Register, EMV, EFT-POS, SMART PINPAD, PRA,
Electronic Registration Unit.
Note: A glossary of terms used in the Protection Profile is given in ACRONYMS section of
the document (Section 7).
5
1.2 TOE Overview
The TOE addressed by this Protection Profile (PP) is an application software and crypto library
which is the main items of a Fiscal Cash Register (FCR). TOE is used to process the
transaction amount of purchases which can be viewed by both seller and buyer. Since
transaction amount is used to determine tax revenues; secure processing, storing and
transmission of this data is very important.
The FCR is mandatory for first-and second-class traders and is not mandatory for sellers who
sell the goods back to their previous seller as completely the same as the purchased good.
In addition to TOE, which is the main item of FCR, FCR may consist of several other hardware
and software components as described in Section 1.2.1, 1.2.2 for full functionality. TOE and
related components are given in Figure 1. Usage and major security features of TOE are
described in section 1.2.3.
1.2.1 General overview of the TOE and related components
Figure 1 shows the general overview of the TOE and its related components as regarded in this
PP. The green part of Figure 1 is the TOE. Yellow parts; that are given as input/output
interface, fiscal memory, daily memory, database, ERU, fiscal certificate memory; are TOE’s
environmental components which are crucial for functionality and security. Connections
between the TOE and its environment are also subject to evaluation since these connections are
made over the interfaces of the TOE.
6
Figure 1TOE and related components
1.2.2 Required Non-TOE Hardware/Software
Software and hardware environment of the TOE are described below.
1.2.2.1 Software environment of TOE
Application runs at the top of an operating system’s kernel, file-system as in a typical software
environment. This structure is shown in Table 1.
Table 1Typical software environment of TOE
File System
Operating System Kernel
In addition to TOE, following software components are also necessary for security and
functionality of the FCR:
7
 FCR operating system which supports following features
o at least 32-bit data processing capacity
o multi-processing
o IPv4 and IPv6
o NTP (Network Time Protocol)
 Database, which is used to store sales data, has the following features;
i. Database has data recording, organizing, querying, reporting features
ii. Database stores sales records for main product groups (food, clothing, electronics,
glassware etc.) and sub-product groups (milk, cigarette, fruit, trousers etc.) in order
to track detailed statistics
iii. Database has an indexing mechanism
1.2.2.2 Hardware Environment of TOE
In addition to TOE, following hardware components are also necessary for security and
functionality of the FCR:
 Fiscal memory
i. Fiscal memory has following features;
a. Fiscal memory has the capacity to store at least 10 years (3650 days) of data,
b. Fiscal memory keeps data at least 5 years after the capacity specified in (a)
has been reached,
c. Fiscal memory has to be fixed within FCR in a way that it cannot be
removed without damaging the chassis.
d. Fiscal memory is protected by mesh cover,
e. Fiscal memory has the ability to be protected against magnetic and
electronic threats,
When the connection between fiscal memory and main processor is broken,
FCR enters in maintenance mode,
f. The data stored in the fiscal memory is not be lost in case of power off,
g. Fiscal memory accepts only positive amounts from the application and the
peripherals,
h. FCR checks "Z" reports from fiscal memory during device start-up. In case
where there are days for which Z report was not generated, FCR will be able
to run in normal mode only after it generates Z report for the missing days.
Seasonal firms can take cumulative Z report by specifying date and time
range.
8
ii. Fiscal Memory includes following data;
a. Fiscal symbol, company code and identification number of the device,
b. Cumulative sum of the total sales and Value Added Tax (VAT) amounts for
all sales receipts, starting from the device activation time (i.e. first use),
c. Date and number of "Z" reports with total sales and VAT per day,
d. The number of receipts per day.
 Daily memory has following features;
i. Receipt total and total VAT amount for each receipt are to be stored in the daily
memory instantly. This data can be transmitted to PRA-IS, instantly or daily
depending on demand.
ii. Data in the daily memory which is not already transmitted to fiscal memory, cannot
be modified in an uncontrolled way.
iii. Data transmitted from daily memory to fiscal memory is to be kept in daily memory
for at least 10 days.
iv. Z reports, taken at the end of the day; and X reports, taken within the current day
are produced by using the data in the daily memory.
v. Following values are stored in the daily memory
a. total VAT amount per day,
b. total daily sales values per day grouped by payment type
c. payment type (Cash, credit card etc.)
d. number of receipts.
 FCR supports X.509 formatted digital certificate generated by Authorized Certificate
Authority. This Public Key Infrastructure(PKI) compatible digital certificate is
called fiscal certificate and is used for authentication and secure communication
between PRA-IS and FCR through Trusted Service Manager (TSM). For physical
security, FCR is protected by electronic and mechanic systems called electronic seal.
FCR uses cryptographic library for secure communication with PRA-IS and TSM
 Electronic Record Unit(ERU)is used to keep second copy of the receipt and has
following features;
i. ERU stores information about receipts and FCR reports (except ERU reports) in a
retrievable form.
ii. ERU has at least 1.2 million row capacity. ERU may be included in the sealed part
of the FCR. In this case ERU must have at least 40 million row capacity.
iii. Data stored in ERU cannot be modified
9
iv. ERU also supports features specified in “Fiscal Cash Register General
Communique Serial Number: 67, Part A” which is about Law No: 3100 except item
(ii) above.
 FCR devices support at least one of the internal ETHERNET, PSTN or mobile
communication technology (GPRS etc.) interfaces and EFTPOS-integrated FCR
devices support at least two of these interfaces for communication with PRA-IS (for
data transfer) and TSM system (for parameter management and software update).
External ETHERNET may be accepted as internal in case the data is encrypted in fiscal
unit.
 Incoming and outgoing data traffic for FCR passes over a firewall.
 FCR supports the use of EFT-POS/SMART PINPAD.
 FCR has a printer to print sales receipt.
 FCR needs some input/output devices for functionalities listed below;
i. FCR has a keyboard unit. It may optionally use a touch screen additionally
ii. FCR has separate displays for cashier and buyer.
iii. FCR has an internal battery to keep time information.
1.2.3 Major security and functional features
The major functional and security features of the TOE are described below.
1.2.3.1 TOE functional features
The TOE is a part of a FCR which is an electronic device for calculating and recording sales
transactions and for printing receipts. TOE provides the following services;
i. TOE stores sales data in fiscal memory.
ii. TOE stores total receipt and total VAT amount for each receipt in daily memory.
iii. TOE is able to generate reports (X report, Z report etc.).
iv. TOE is able to transmit Z reports, receipt information, sale statistics and other
information determined by PRA to PRA-IS in PRA Messaging Protocol format.
v. TOE stores records of important events as stated in PRA Messaging Protocol
Document [6] and transmits to PRA-IS in PRA Messaging Protocol format in a secure
way.
vi. TOE is able to be used by users in secure state mode or maintenance mode. Roles and
modes of operation are described in 3.1.2 and 3.1.3 respectively.
10
1.2.3.2 TOE major security features
The TOE provides following security features;
i. TOE supports access control.
ii. TOE is able to detect disconnection between main processor and fiscal memory and
enter into the maintenance mode.
iii. TOE supports usage of ITU X509 v3 formatted certificate and its protected private key
for authentication and secure communication with PRA- IS and TSM.
iv. TOE supports secure communication between FCR-PRA-IS and FCR–TSM.
v. TOE supports secure communication with EFT-POS/SMART PINPAD
vi. TOE ensures the integrity of event data, sales data, authentication data, characterization
data and FCR parameters.
vii. TOE records important events defined in PRA Messaging Protocol Document [6] and
send urgent event data immediately to PRA-IS in a secure way.
viii. TOE detects physical attacks to FCR and enters into the maintenance mode in such
cases.
1.2.4 TOE type
TOE is a embedded software application and hardware or software crypto library within FCR.
11
2. CONFORMANCE CLAIMS
2.1 CC Conformance Claim
This protection profile claims conformance to:
 Common Criteria for Information Technology Security Evaluation, Part 1: Introduction
and General Model; CCMB-2012-09-001, Version 3.1, Revision 4, September 2012
[1]
 Common Criteria for Information Technology Security Evaluation, Part 2: Security
Functional Components; CCMB-2012-09-002, Version 3.1, Revision 4, September
2012 [2]
 Common Criteria for Information Technology Security Evaluation, Part 3: Security
Assurance Requirements; CCMB-2012-09-003, Version 3.1, Revision 4, September
2012 [3]
As follows
 Part 2 conformant,
 Part 3 conformant.
The
 Common Methodology for Information Technology Security Evaluation, Evaluation
Methodology; CCMB-2012-09-004, Version 3.1, Revision 4, September 2012 [4]
has to be taken into account.
2.2 PP Claim
This PP does not claim conformance to any protection profile.
2.3 Package Claim
The current PP is conformant to the following security requirements package:
 Assurance package EAL2 conformant to CC, part 3.
2.4 Conformance Claim Rationale
Since this PP does not claim conformance to any protection profile, this section is not
applicable.
2.5 Conformance Statement
This PP requires demonstrable conformance of any ST or PP claiming conformance to this PP.
12
3. SECURITY PROBLEM DEFINITION
3.1 Introduction
3.1.1 External Entities
PRA-IS
PRA-IS takes sales data and event data from FCR by sending query with parameters to FCR
through TSM.
Trusted Service Manager
TSM is the system which is used to load parameters, update software and manage FCR.
Attacker
Attacker tries to manipulate the TOE in order to change its expected behavior and
functionality. Attacker tries to breach confidentiality, integrity and availability of the FCR.
PRA On-site Auditor
PRA On-site Auditor is an employee of PRA who performs on site audits onsite to control the
existence of expected FCR functionalities by using the rights of FCR Authorised User.
Certificate storage
The certificate storage holds certificates and private key used for authentication and secure
communication. Certificate storage is protected inside physical and logical tampering system.
Time Information
FCR gets time information from trusted server. Time information is used during receipt, event,
fiscal memory record, daily memory record and ERU record creation and is also used to send
information to PRA-IS according to FCR Parameters.
Audit storage
Audit storage can be any appropriate memory unit in FCR. Audit storage stores important
events according to their criticality level (urgent, high, warning and information). List of events
can be found in PRA Messaging Protocol Document [6].
Storage unit
Storage units of FCR are database, fiscal memory, daily memory and ERU.
Input interface
Input interfaces provide necessary input data from input devices to the TOE. Input devices for
FCR may be keyboard, barcode reader, QR code (matrix barcode) reader, order tracking device
and global positioning devices.
13
External Device
External Device is the device which is used to communicate with FCR by using secure channel
according to External Device Communication Protocol Document [7]
Output interface
Output interfaces deliver outputs of the TOE to the output devices. Output devices for FCR
may be printer, display etc.
3.1.2 Roles
FCR Authorised User
FCR Authorised User is the user who uses the functions of FCR and operates FCR by
accessing the device over an authentication mechanism.
Authorised Manufacturer User
Authorised Manufacturer User works for FCR manufacturer and conducts maintenance works
on FCR.
3.1.3 Modes of FCR
Maintenance Mode: Maintenance Mode is the mode that allows only Authorised
Manufacturer User;
to fix FCR in case of any technical problem,
 to change date and time information,
 to change IP/Port information of TSM,
 to review event data,
 to start update operation of TOE.
FCR does not allow any fiscal transaction in maintenance mode. FCR enters this mode when
the following occur;
 FCR Certificate check fails,
 Mesh cover monitoring check fails,
 A disconnection between fiscal memory and main processor occurs,
 Electronic seal is opened, or forced by un authorised persons,
 A technical problem is determined by FCR Manufacturer.
Secure State Mode: Secure State Mode is the mode that allows;
 FCR Authorised User;
 to configure FCR,
14
 to take fiscal reports.
Secure State Mode is also allows;
 Unauthenticated Users;
 to do fiscal sales,
 to get FCR reports (except fiscal reports).
3.1.4 Assets
Sensitive data
Sensitive data is used for secure communication with PRA-IS and TSM. Confidentiality and
integrity of this asset needs to be protected.
Application Note 1: Sensitive data may consist of symmetric keys (TREK, TRAK, TRMK and
SSL session keys).
 TREK is used to provide confidentiality of data transfer to PRA-IS,
 TRAK is used to integrity control of data transferred to the PRA-IS,
 TRMK is used for key transportation from PRA-IS to TOE,
 SSL session keys are used for secure communication with the TSM.
Event data
Event data is used to obtain information about important events saved in audit storage. The
integrity of this asset is crucial while stored in FCR and both integrity and confidentiality of
this asset are important while it is transferred from TOE to PRA-IS. Event data is categorized
in PRA Messaging Protocol Document [6].
Sales data
Sales data is stored in storage unit. Sales data is required by PRA-IS to calculate tax amount
and to provide detailed statistics about sales. The integrity of this asset has to be protected
while stored in FCR; and both integrity and confidentiality have to be protected while it is
transferred from TOE to PRA-IS.
Characterization data (Identification data for devices)
Characterization data is a unique number assigned to each FCR given by the manufacturer.
PRA-IS uses characterization data for system calls to acquire sales data or event data of an
FCR. Integrity of this asset has to be protected.
15
Authentication data
Authentication data contains authentication information which is required for FCR Authorised
User and Authorised Manufacturer User to gain access to FCR functionalities. Both integrity
and confidentiality of this asset have to be protected.
Time Information
Time information is stored in FCR and synchronized with trusted server. Time information is
important when logging important events and sending reports to the PRA-IS. The integrity of
this asset has to be protected.
Server Certificates
Server certificates contain PRA-IS certificates (PPRA and PPRA-SIGN)PPRA and PPRA-SIGN
certificates are used for encryption and sign verification process during key transportation
between TOE and PRA-IS.
FCR Parameters
FCR parameters stored in FCR are updated by TSM after Z report is printed.
FCR parameters set;
 Sales and event data transferring time
 Criticality level of event data sent to the PRA-IS
 Maximum number of days that FCR will work without communicating with PRA-IS
3.2 Threats
Threats averted by TOE and its environment are described in this section. Threats described
below results from assets which are protected or stored by TOE or from usage of TOE with its
environment.
T.AccessControl
Adverse action: Authenticated users could try to use functions which are not allowed.
(e.g. FCRAuthorised User gainingaccess to Authorised ManufacturerUser functions)
Threat agent:An attackerwho has basic attack potential, has physical and logical access to
FCR.
Asset:Event data, sales data, time information.
T.Authentication
Adverse action: Unauthenticated users could try to use FCR functions except doing fiscal sales
and taking reports which are not fiscal.
16
Threat agent: An attacker who has basic attack potential, has logical and physical access to the
FCR
Asset: Sales data, event data, time information
T.MDData - Manipulation and disclosure of data
Adverse action: This threat deals with five types of data: event data, sales data, characterization
data, authentication data and FCR parameters.
 An attacker could try to manipulate the event data to hide its actions and unauthorised
access to the FCR, failure reports, and deletion of logs. An attacker also could try to
disclose important events while transmitted between PRA-IS and FCR.
 An attacker could try to manipulate or delete the sales data generated by TOE which may
result in tax fraud. In addition, an attacker also could try to disclose sales data while
transmitted between PRA-IS and FCR. Manipulation and deletion of sales data located in
FCR may be caused by magnetic and electronic reasons.
 An attacker could try to manipulate the characterization data to cover information about
taxfraud; to masqueradethe user identity.
 An attacker could try to manipulate the FCR parameters to use FCR in undesired
condition.
 An attacker also could try to disclose and modify authentication data in FCR to gain access
to functions which are not allowed to his/her.
Threat agent: An attacker who has basic attack potential, has physical and logical access to the
FCR.
Asset: Event data, sales data, characterizationdata, FCR parameters and authentication data.
T.Eavesdrop - Eavesdropping on event data, sales data and characterization data
Adverse action: An attacker could try to eavesdrop event data, sales data and characterization
data transmitted between the TOE and the PRA-IS and also between the TOE and the
distributed memory units (Fiscal Memory, Database, Daily Memory and ERU).
Threat agent: An attacker who has basic attack potential, physical and logical access to the
FCR.
Asset: Characterization data, sales data, and event data.
T.Skimming - Skimming the event data, sales data and characterization data
Adverseaction:An attacker could try to imitate TSM to set parameters to FCR via the
communication channel.
17
Threat agent: An attacker who has basic attack potential and logical access to the FCR.
Asset :FCR parameters
T.Counterfeit - FCR counterfeiting
Adverse action: An attacker could try to imitate FCR by using sensitive data while
communicating with PRA-IS and TSM to cover information about tax fraud.
Threat agent: An attacker who has basic attack potential,has physical and logical access to the
FCR.
Asset: Sensitive data
T. Server counterfeiting
Adverse action: An attacker could try to imitate PRA-IS by changing server certificates (PPRA
and PPRA-SIGN) in FCR. In this way,the attacker could try to receive information from FCR.
Threat agent: An attacker who has basic attack potential,has physical and logical access to the
FCR.
Asset: Server Certificates
T.Malfunction - Cause malfunction in FCR
Adverse action: An attacker may try to use FCR out of its normal operational conditions to
cause malfunction without the knowledge of TOE.
Threat agent: An attacker who has basic attack potential, has physical access to the FCR.
Asset: Sales data, event data.
T.ChangingTime
Adverse action: An attacker may try to change time to invalidate the information about logged
events and reports in FCR.
Threat agent: An attacker who has basic attack potential, has physical and logical access to the
FCR.
Asset: Time Information.
18
3.3 OSP
This section describes organizational security policies that must be satisfied.
P.Certificate
It has to be assured that certificates which are installed at initialization step, are compatible
with ITU X.509 v3 format. FCR contains;
 FCR certificate,
 Certification Authority root and sub-root (subordinate) certificates that are used for
verification of all certificates that are produced by Certification Authority,
 PPRA certificate that is used for key transport process between FCR and PRA-IS,
 PPRA-SIGN certificate that is used by TOE for signature verification,
 Update Control certificate that is used to verify the signature of the TOE.
P.Certificates Installation
It has to be assured that environment of TOE provides secure installation of certificates
(PPRAPPRA-SIGN, Certification Authority root and sub-root certificates, Update Control
certificate, FCR certificates if handled as soft ) into the FCR at initialization phase. Before the
installation of certificates, it has to be assured that asymmetric key pair is generated in a
manner which maintains security posture.
P.Comm_EXT -Communication betweenTOEand External Device
It has to be assured that communication between TOEand External Devices is used to
encrypted using AESalgorithm with 256 bits according to External Device Communication
Protocol Document[7].
P.InformationLeakage-Informationleakage fromFCR
It has to be assured that TOE’s environment provides a secure mechanism which prevents
attacker to obtain sensitive information (privatekey) whenFCR performs signature operation;
i.e by side channel attacks like SPA(Simple Power Analysis), SEMA (Simple Electromagnetic
Analysis), DPA (Differential Power Analysis), DEMA(Differential Electromagnetic Analysis).
P.SecureEnvironment
It has to be assured that environment of TOE senses disconnection between fiscal memory and
main processor. Then TOE enters into the maintenance mode and logs urgent event.
It has to be assured that fiscal memory doesn't accept transactions with negative amounts
which results in a decrease of total tax value.
19
It has to be assured that environment of TOE provides a mechanism that sales data in daily
memory which is not reflected to the fiscal memory cannot be deleted and modified in an
uncontrolled way.
It has to be assured that sales data in ERU cannot be deleted and modified.
P.PhysicalTamper
It has to be assured that TOE environment and TOE provide a tamper respondent system which
is formed by electromechanical seals.
It has to be assured that physical tampering protection system protects the keys (asymmetric
key, symmetric key),the certificates, event data, characterization data, FCR parameters and
sales data in FCR.
It has to be assured that TOE logs this type of events and enters into the maintenance mode
when physical tampering protection system detect unauthorised access.
It has to be assured that authorised access such as maintenance work or service works are
logged.
It has to be also assured that physical tampering protection system (mesh cover) protects fiscal
memory.
P.PKI - Public key infrastructure
It has to be assured that IT environment of the TOE provides public key infrastructure for
encryption, signing and key agreement.
P.UpdateControl
TOE is allowed to be updated by onlyTSM or Authorised Manufacturer User to avoid possible
threats during this operation, FCR shall verify the signature of the new version of TOE to
ensure that the TOE to be updated is signed by the correct organisation. Thus, the TOE to be
updated is ensured to be the correct certified version because only the certified versions will be
signed. In addition, FCR shall check version of TOE to ensure that it is the latest version.
20
3.4 Assumptions
This section describes assumptions that must be satisfied by the TOE's operational
environment.
A. TrustedManufacturer
It is assumed that manufacturing is done by trusted manufacturers. They process manufacturing
step in a manner which maintains IT security.
A.Control
It is assumed that PRA-IS personnel performs random controls on FCR. During these controls
PRA-IS personnel should check that if tax amount and total amount printed values on receipt
and sent to PRA-IS are the same. In addition to this, a similar check should be made for events
as well.
A.Initialisation
It is assumed that environment of TOE provides secure initialization steps. Initialization step is
consist of secure boot of operating system, and integrity check for TSF data. Moreover, if
certificate is handled as soft (not in the smartcard) it is assumed that environment of TOE
provides secure installation of it to the FCR in initialization phase. Before certificate
installation it is assumed that asymmetric key pair generated in a manner which maintains
security posture.
A. TrustedUser
User is assumed to be trusted. It is assumed that for each sale a sales receipt is provided to the
buyer.
A.Activation
It is assumed that environment of TOE provides secure activation steps at the beginning of the
TOE operation phase and after each maintenance process.
A.AuthorisedService
It is assumed that repairing is done by trusted authorised services. The repairing step is
processed in a manner which maintains legal limits.
A.Ext_Key
It is assumed that External Device (EFT-POS/SMART PINPAD) generates strong key for
communicating with TOE and stores it in a secure way.
A.Ext_Device Pairing
It is assumed that External Device and TOE are paired by Authorised Service.
21
4. SECURITY OBJECTIVES
This chapter describes security objectives for the TOE and its operational environment.
4.1 Security Objectives for the TOE
This part describes security objectives provided by the TOE.
O.AccessControl
TOE must control authenticated user’s access to functions and data by using authorization
mechanism.
O.Event
TOE must record important events stated as in PRA Messaging Protocol Document [6].
O.Integrity
TOE must provide integrity for sales data, event data, characterization data, authentication
data, sensitive data, server certificates and FCR parameters located in the FCR and between the
distributed memory units.
O.Authentication
TOE must run authentication mechanismforusers and systems.
O.Function
TOE must ensure that processing of inputs to derive sales data and event data is accurate.
TOE must ensure that time information is accurate by doing anomaly detection.
TOE must enter a maintenance mode when maintenance mode events occur in section 3.1.3
O.Transfer
TOE must provide confidentiality,integrity and authenticity for sales data, event data,
characterization data transferred to the PRA-IS and FCR parameters transferred from
TSM.TOE must provide confidentiality, integrity and authenticity for information send/received
during external device communication.
4.2 Security Objectives for the Operational Environment
This part describes security objectives provided by the operational environment.
OE.Manufacturing
Manufacturer should ensure that FCR is protected against physical attacks during
manufacturing.
OE.Delivery
22
Authorised Manufacturer User must ensure that delivery and activation of theTOE done by a
secure way.
OE.KeyGeneration
Asymmetric key and certificate generation mechanism shall be compatible with ITU X.509
format and accessible only by trusted persons.
OE.SecureStorage
Asymmetric private key shall be stored within smartcard or Secure-IC’s.
Sensitive Data, all certificates, event data, characterization data and sales data shall be stored
within secure environment protected by electronic seal.
OE.KeyTransportation
Transportation and installation of asymmetric private key to the FCR must be done by
protecting their confidentiality and integrity. In addition to this, transportation and installation
of server certificates, Certification Authority root and sub-root certificates, FCR certificates
and update control certificates must be done by protecting their integrity.
OE.TestEnvironment
Before FCR activation; test interfaces (functions, parameters) inserted in TOE shall be disabled
or removed.
OE.StrongAlgorithm
Environment of TOE shall use asymmetric private keys for signature operation by using
libraries of smartcard and Secure-IC’s. These libraries used in FCR shall be strong. They
should also have protection against side channel analysis (SPA, DPA, SEMA, DEMA).
OE.UpgradeSoftware
FCR software updates should be get passed verdict from Common Criteria maintenance or
reevaluation procedures (according to update type) before installed to the FCR. This will be
validated by the FCR, using the cryptographic signature control methods.
OE.TrustedUser
Usersshall act responsibly.
OE.Control
PRA Onsite Auditor must check FCR functionality by controlling tax amount on the receipt
and tax amount sent to the PRA-IS.
OE.External Device
23
External Device should generate strong key for communicating with TOE and should store it in
a secure way.
OE.Ext_Pairing
External Device should be paired with TOE by only Authorised Service.
OE.SecureEnvironment
Fiscal memory shall not accept transactions with negative amounts which results in a decrease
of total tax value.
Tampering protection system shall protect fiscal memory with mesh cover.
Environment of TOE provides secure initialization steps. Initialization step is consist of secure
boot of operating system, and integrity check for TSF data.
4.3 Security Objective Rationale
Table 2 provides security problem definition covered by security objectives. Threats and OSPs
are addressed by security objectives for the TOE and its operational environment. Assumptions
are addressed by only security objectives for the operational environment.
Table 2Security Objective Rationale
Threats OSPs Assumptions
T.AccessControl
T.
Authentication
T.MDData
T.Eavesdropping
T.Server
Counterfeiting
T.Skimming
T.Counterfeit
T.Malfunction
T.ChangingTime
P.Certificate
P.Certificates
Installation
P.SecureEnvironment
P.PhysicalTamper
P.PKI
P.InformationLeakage
P.Comm_EXT
P.UpdateControl
A.Ext_Key
A.TrustedManufacturer
A.Control
A.AuthorisedService
A.Initialisation
A.Activation
A.Ext_Device
Pairing
A.TrustedUser
O.AccessControl X X X X
O.Event X X X X X X X X X X
O.Integrity X X X X X X
O.Authentication X X
O.Function X X X
O.Transfer X X X
OE.External Device X
OE.Manufacturing X
OE.Delivery X X
25
OE.KeyGeneration X X
OE.SecureStorage X X X X X X
OE.KeyTransportation X X X
OE.TestEnvironment X
OE.StrongAlgorithm X
OE.UpgradeSoftware X
OE.TrustedUser X X
OE.Control X
OE.SecureEnvironment X X X
OE.Ext_Pairing X
26
Justification about Table 2 is given below;
T.AccessControl is addressed by O.AccessControl to control user access to functions and
data; O.Event to log all access attempts.
T.Authentication is addressed by O.Authentication to ensure that if user is authenticated to the
FCR; O.Event to log successful/unsuccessful authentication attempts.
T.MDDatais addressed by O.Integrity to ensure integrity of sales data,event data,
characterization data, authentication data and FCR parameters in FCR with logical and
physical security features; O.Transfer to ensure integrity, confidentiality and authenticity of
sales data, event data and characterization data during transferring to PRA-IS and parameters
during transfering from TSM to FCR ; O.Event to log unexpected behavior of these
memories and unexpected behavior in transferring data; OE.SecureStorage to provide secure
environment for Sensitive Data, all certificates, event data, characterization data and sales data.
T.Eavesdropping is addressed by O.Transfer to ensure confidentiality of sales data, event data
and characterization data during communication with PRA-IS; O.Integrity to ensure the
integrity of event data, sales data and characterization data; O.Event to log physical tamper; by
OE.SecureStorage to provide secure environment for event data, characterization data and sales
data
T.Server Counterfeiting is addressed by O.Integritytoensure the integrity of server certificates
(PPRA, PPRA-SIGN); O.Eventto log physical tamper; OE.SecureStorage to provide secure
environment for server certificates.
T.Skimming is addressed by O.Authentication to establish communication only with permitted
systems.
T.Counterfeitis addressed by O.Integrity to ensure the integrity of sensitive data; O.Event to
log physical tamper; OE.SecureStorage to provide secure environment for sensitive data.
T.Malfunctionis addressed by O.Function to ensure functions processing accurately; O.Event
to log unexpected behavior of functions.
T.ChangingTime is addressed byO.Event to log unexpected changes in time information; by
O.Access Control to control user access to time information;by O.Function to ensure accuracy
of time information.
P.Certificate is fulfilled by OE.KeyGeneration.
27
P.CertificateInstallation is fulfilled OE.KeyTransportation and OE.SecureStorage
P.SecureEnvironmentis fulfilled by OE.SecureEnvironment,O.Event,O.Integrityand
O.Function.
P.PhysicalTamper is fulfilled by OE.SecureEnvironment, O.AccessControl, O.Event,
O.Integrity and OE.SecureStorage.
P.PKI is fulfilled by OE.KeyTransportation
P.InformationLeakage is fulfilled by OE.StrongAlgorithmto ensure that cryptographic
algorithms used by FCR haveside channel protection.
P.Comm_EXT is fulfilled by O.Transfer.
P. UpdateControlis upheld by OE.UpgradeSoftware and O.AccessControl.
A.Ext_Key is upheld OE.External Device.
A.TrustedManufacturer is upheld by OE.Manufacturing and OE.TestEnvironment.
A.Control is upheld by OE.Control.
A. AuthorisedService is upheld by OE.TrustedUser.
A.Initialisation is upheld by OE.KeyGeneration, OE.SecureEnvironment and
OE.KeyTransportation.
A.Activation is upheld by OE.Delivery.
A.TrustedUser is upheld by OE.TrustedUser.
A.Ext_Device Pairing is upheld byOE.Ext_Pairing.
28
5. EXTENDED COMPONENTS DEFINITION
This protection profile does not use any components defined as extensions to CC part 2.
29
6. SECURITY REQUIREMENTS
This chapter describes the security functional and the assurance requirements which have to be
fulfilled by the TOE. Those requirements comprise functional components from CC part 2 and
the assurance components as defined for the Evaluation Assurance Level 2 from CC part 3.
The following notations are used:
Refinement operation (denoted in such a way that added words are in bold text and changed
words are crossed out): is used to add details to a requirement, and thus further restricts a
requirement.
Selection operation (denoted by italicised bold text and placed in square bracket): is used to
select one or more options provided by the CC in stating a requirement.
Assignment operation (denoted by underlined text and placed in square bracket): is used to
assign a specific value to an unspecified parameter, such as the length of a password. Showing
the value in square brackets indicates assignment.
Iteration operation are identified with a slash (e.g. “(/)”)
6.1 Security Functional Requirements for the TOE
This chapter defines the security functional requirements for the TOE according to the
functional requirements components drawn from the CC part 2 version 3.1 revision 4.
6.1.1 Class FAU Security Audit
6.1.1.1 FAU_GEN Security audit data generation
FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following
auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [the audi table security events specified in PRA Messaging Protocol
Document[6]].
30
FAU_GEN.1.2 The TSF shall record within each audit record at least the following
information:
a) Date and time of the event, type of event, subject identity (if
applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of
the functional components included in the PP/ST, [none].
6.1.1.2 FAU_SAR Security audit review
FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation.
FAU_SAR.1.1 The TSF shall provide [Authorised Manufacturer User] with the
capability to read [all event data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the
user to interpret the information.
6.1.1.3 FAU_STG Security audit event storage
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from
unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [prevent]unauthorised modifications to the
stored audit records in the audit trail.
FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [overwrite the oldest stored audit records] and [none] if
the audit trail is full.
31
6.1.2 Class FCO Communication
6.1.2.1 FCO_NRO Non-repudiation of origin
FCO_NRO.2 Enforced proof of origin
Hierarchical to: FCO_NRO.1 Selective proof of origin
Dependencies: FIA_UID.1 Timing of identification
FCO_NRO.2.1 The TSF shall enforce the generation of evidence of origin for
transmitted [sales data and event data] at all times.
FCO_NRO.2.2 The TSF shall be able to relate the [originator identity, time of origin]
of the originator of the information, and the [body of the message] of
the information to which the evidence applies.
FCO_NRO.2.3 The TSF shall provide a capability to verify the evidence of origin of
Information to [recipient] given [immediately].
6.1.3 Class FCS Cryptographic Support
6.1.3.1 FCS_CKM Cryptographic key management
FCS_CKM.1/ TRMK Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [RNG] and specified cryptographic key sizes [256 bits]
that meet the following: [assignment: list of standards].
FCS_CKM.2 Cryptographic key distribution
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
32
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified
cryptographic key distribution method [according to PRA Messaging Protocol Document [6] ]
that meets the following: [assignment: list of standards].
FCS_CKM.1/TLS_AES Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [AES:128
bits and/or AES:256 bits] that meet the following: [RFC 5246].
FCS_CKM.1/TLS_HMAC Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [256 bits]
that meet the following: [RFC 5246].
FCS_CKM.1/DHE-KEY Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [RNG] and specified cryptographic key sizes [2048
bits] that meet the following: [assignment: list of standards].
FCS_CKM.1/EXT-DEV KHMAC Cryptographic key generation
33
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [PRF] and specified cryptographic key sizes [256 bits]
that meet the following: [RFC 5246].
FCS_CKM.1/EXT-DEVKENC Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a
specified cryptographic key generation algorithm [PRF] and specified
cryptographic key sizes [AES:256 bits] that meet the following: [RFC
5246].
FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified
cryptographic key destruction method [assignment: cryptographic keydestruction method] that
meets the following: [assignment: list of standards].
Application Note 2: Keys shall be deleted according to below Table 3.
Table 3Key Management Table
Keys When
TREK  The usage number that is specified PRA Messaging Protocol
Document [6]is exceeded
 Electronic seal is opened by authorized/unauthorized user
TRAK  The usage number that is specified PRA Messaging Protocol
34
Document [6] is exceeded
 Electronic seal is opened by authorized/unauthorized user
TRMK After key transport from PRA-IS to TOE for TREK and TRAK
KENC  Conditions specified in External Device Communication Protocol
Document [7] occur
 The usage number that is specified External Device Communication
Protocol Document[7] is exceeded
KHMAC  Conditions specified in External Device Communication Protocol
Document [7] occur
 The number that is specified External Device Communication
Protocol Document[7]is exceeded
DHE-KEY After key agrement between TOE and External Device
6.1.3.2 FCS_COP/ ENC - DEC Cryptographic operation
FCS_COP.1/TREK Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption] in accordance with a specified
cryptographic algorithm [AES in CBC mode] and cryptographic key sizes [AES:256 bits ] that
meet the following: [NIST SP800-38A (CBC.AES256)].
FCS_COP.1/TRAK Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
35
FCS_COP.1.1 The TSF shall perform [encryption and decryption for integrity protection] in
accordance with a specified cryptographic algorithm [AES in CBC mode] and cryptographic
key sizes [AES:256 bits ] that meet the following: [NIST SP800-38A (CBC.AES256)].
FCS_COP.1/TRMK-DEC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [decryption] in accordance with a specified
cryptographic algorithm [AES in CBC mode] and cryptographic key
sizes [256 bits] that meet the following: [NIST SP800-38A
(CBC.AES256)].
FCS_COP.1/PUB-ENC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption] in accordance with a specified
cryptographic algorithm [RSA] and cryptographic key sizes [2048 bits]
that meet the following: [PKCS#1 v2.1 (RSAES-PKCS1-v1_5) ].
FCS_COP.1/SIGN-VER Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
36
FCS_COP.1.1 The TSF shall perform [signature verification] in accordance with a
specified cryptographic algorithm [RSA] and cryptographic key sizes
[2048 bits] that meet the following: [PKCS#1 v1.5, SHA256 Type 2
(random padding)].
FCS_COP.1/ENC-DEC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption] in accordance with a
specified cryptographic algorithm [AES] and cryptographic key sizes [AES:128 bits and
AES:256bits] that meet the following: [assignment: list of standards].
Application Note3: TOE shall use one of the AES mode of operation listed below;
 CBC mode according to NIST SP800-38A standart
 GCM mode according to NIST SP 800-38Dstandart
FCS_COP.1/INT-AUTH Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [authentication and integrity protection] in accordance
with a specified cryptographic algorithm [HMAC-SHA256] and cryptographic key sizes [256
bits] that meet the following: [FIPS 198-1 and NIST FIPS PUB 180-2].
FCS_COP.1/HASHING Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
37
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [hashing] in accordance with a specified
cryptographic algorithm [SHA2] and cryptographic key sizes [none]
that meet the following: [NIST FIPS PUB 180-2].
FCS_COP.1/ EXT-DEV KEYEXCHANGE Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [key agreement] in accordance with a specified
cryptographic algorithm [DHE]and cryptographic key sizes [2048 bits]
that meet the following: [NIST SP 800-56A].
FCS_COP.1/EXT-DEV KENC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption] in accordance with a
specified cryptographic algorithm [AES with CBC] and cryptographic
key sizes [256bits] that meet the following:[NIST SP800-38A
(CBC.AES256)].
FCS_COP.1/ EXT-DEV KHMAC Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [encryption and decryption for integrity protection] in
accordance with a specified cryptographic algorithm [HMAC-SHA256] and cryptographic key
sizes [256 bits] that meet the following: [FIPS 198-1 and NIST FIPS PUB 180-2].
38
6.1.4 Class FDP User Data Protection
6.1.4.1 FDP_ACC Access control policy
FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 The TSF shall enforce the [Administrative Access Control SFP] on
[Subjects: FCR Authorised User and Authorized Manufacturer User
Objects: Sales and event data, exchange rates, time information.
Operations: Secure state mode and maintenance mode
actions],[assignment: list of subjects, objects, and operations among
subjects and objects covered by the SFP].
6.1.4.2 FDP_ACF Access control functions
FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 The TSF shall enforce the [Administrative Access Control SFP] to
objects based on the following [Subjects: FCR Authorised User and
Authorized Manufacturer User
Subject Attributes: Privileges
Objects: Sales and event data, exchange rates, time information
Object Attributes: Access Control List (Secure State Mode and
Maintenance Mode access rights)
Operations: Secure State Mode and Maintenance Mode actions describe
in 3.1.3],[assignment: list of subjects and objects controlled under the
indicated SFP, and for each, the SFP-relevant security attributes, or
named groups of SFP-relevant security attributes].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: [verify the
operator’s privileges].
39
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: [none].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the
following additional rules: [none].
6.1.4.3 FDP_ETC Export from the TOE
FDP_ETC.2/TSM Export of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FDP_ETC.2.1 The TSF shall enforce the [Information Flow Control SFP with TSM and
PRA-IS] when exporting user data, controlled under the SFP(s), outside
of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated
security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside
the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported
from the TOE: [Communication with secure messaging according to
PRA Messaging Protocol Document[6]].
Application Note 4: User data (sales data, event data and TRMK) are exported from FCR to
the PRA-IS via TSM.
FDP_ETC.2 /EFT-POS/SMART PINPAD Export of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FDP_ETC.2.1 The TSF shall enforce the [Information Flow Control SFP with EFT-
POS/SMART PINPAD Device] when exporting user data, controlled
under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated
security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside
the TOE, are unambiguously associated with the exported user data.
40
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported
from the TOE: [Communication with secure messaging according to
External Device Communication Protocol Document[7]].
6.1.4.4 FDP_IFC Information flow control policy
FDP_IFC.1/TSMCOMMUNICATION Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM
and PRA- IS] on [subjects (TSM and PRA-IS) and objects(sales data,
event data reports, FCR parameters, TREK, TRAK and TRMK) as
specified in PRA Messaging Protocol Document [6]].
FDP_IFC.1/EFT-POS/SMART PINPADCOMMUNICATION Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-
POS/SMART PINPAD Device] on [subjects (EFT-POS/SMART
PINPAD) and objects (amount information in sales data and outcome of
the operation) as specified in External Device Communication Protocol
Document[7]].
6.1.4.5 FDP_IFF Information flow control functions
FDP_IFF.1/TSMCOMMUNICATION Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
41
FDP_IFF.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM
and PRA-IS] based on the following types of subject and information
security attributes: [TOE has ability to send reports related to sales data
and event data and TRMK to PRA-IS by using subject identifier
(IP/Port information) and object identifier (file name);TOE has ability
to receive TREK and TRAK from PRA-IS by using subject identifier
(IP/Port information) and object identifier (information label)according
to PRA Messaging Protocol Document [6];TOE has ability to receive
FCR parameters from TSM by using subject identifier (IP/Port
information) and object identifier (information label) according to PRA
Messaging Protocol Document[6]].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject
and controlled information via a controlled operation if the following
rules hold: [Communication with secure messaging according to PRA
Messaging Protocol Document [6]].
FDP_IFF.1.3 The TSF shall enforce the [none].
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the
following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the
following rules: [none].
FDP_IFF.1/EFT-POS/SMART PINPADCOMMUNICATION Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization
FDP_IFF.1.1 The TSF shall enforce the [Information Flow Control SFP with EFT-
POS/SMART PINPAD Device] based on the following types of subject
and information security attributes: [TOE has ability to send amount
information to EFT-POS/SMART PINPAD Device by using subject
identifier (EFT-POS/SMART PINPAD label and source port).TOE has
ability to receive outcome of the operation conducted by the EFT-
POS/SMART PINPAD Device by using subject identifier (source port)].
42
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject
and controlled information via a controlled operation if the following
rules hold: [Communication with secure messaging according to
External Device Communication Protocol Document[7]].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the
following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the
following rules: [none].
6.1.4.6 FDP_ITC Import from the outside of the TOE
FDP_ITC.2/TSM Import of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
[FTP_ITC.1 Inter-TSD trusted channel, or
FTP_TRP.1 Trusted Path]
FPT_TDC.1 Inter-TSF basic TSF data consistency
FDP_ITC.2.1 The TSF shall enforce the [Information Flow Control SFP with TSM
and PRA-IS] when importing user data, controlled under the SFP, from
outside of the TOE.
FDP_ITC.2.2 The TSF shall use the security attributes associated with the imported
user data.
FDP_ITC.2.3 The TSF shall ensure that the protocol used provides for the
unambiguous association between the security attributes and the user
data received.
FDP_ITC.2.4 The TSF shall ensure that interpretation of the security attributes of the
imported user data is as intended by the source of the user data.
FDP_ITC.2.5 The TSF shall enforce the following rules when importing user data
controlled under the SFP from outside the TOE: [Communication with
secure messaging according to PRA Messaging Protocol Document
[6]].
Application Note5: FCR parameters are imported from TSM to TOE. TREK and TRAK are
imported from PRA-IS to TOE
43
FDP_ITC.2/EFT-POS/SMART PINPAD Import of user data with security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
[FTP_ITC.1 Inter-TSD trusted channel, or
FTP_TRP.1 Trusted Path]
FPT_TDC.1 Inter-TSF basic TSF data consistency
FDP_ITC.2.1 The TSF shall enforce the [Information Flow Control SFP with EFT-
POS/SMART PINPAD Device] when importing user data, controlled
under the SFP, from outside of the TOE.
FDP_ITC.2.2 The TSF shall use the security attributes associated with the imported
user data
FDP_ITC.2.3 The TSF shall ensure that the protocol used provides for the
unambiguous association between the security attributes and the user
data received.
FDP_ITC.2.4 The TSF shall ensure that interpretation of the security attributes of the
imported user data is as intended by the source of the user data.
FDP_ITC.2.5 The TSF shall enforce the following rules when importing user data
controlled under the SFP from outside the TOE: [Communication with
secure messaging according to External Device Communication Protocol
Document[7]].
6.1.4.7 FDP_SDI Stored data integrity
FDP_SDI.2/MEMORY Stored data integrity monitoring and action
Hierarchical to: FDP_SDI.1 Stored data integrity monitoring
Dependencies: No dependencies.
FDP_SDI.2.1 The TSF shall monitor user data sales data stored in fiscal memory
and ERU; event data and characterization data stored in containers
controlled by the TSF for [integrity errors]on all objects, based on the
following attributes: [assignment: user data attributes].
FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [generate an
audit event and then enter into the maintenance mode].
FDP_SDI.2/DAILY and PRMTR Stored data integrity monitoring and action
44
Hierarchical to: FDP_SDI.1 Stored data integrity monitoring
Dependencies: No dependencies.
FDP_SDI.2.1 The TSF shall monitor user data sales data stored in containers daily
memory and FCR parameters stored in containers controlled by the
TSF for [integrity errors]on all objects, based on the following
attributes: [assignment: user data attributes].
FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [generate an
audit event and print Z report automatically].
6.1.5 Class FIA Identification and Authentication
6.1.5.1 FIA_AFL Authentication failures
FIA_AFL.1/MANUFACTURER Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer
number], an administrator configurable positive integer within
[assignment: range of acceptable values]] unsuccessful authentication
attempts occur related to [Authorized Manufacturer User
authentication].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has
been [met], the TSF shall [assignment: list of actions].
FIA_AFL.1/AUTHORISED Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer
number], an administrator configurable positive integer
within[assignment: range of acceptable values]] unsuccessful
authentication attempts occur related to [FCR Authorised User].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has
been [met], the TSF shall [assignment: list of actions].
6.1.5.2 FIA_UAU User authentication
FIA_UAU.1 Timing of authentication
45
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 The TSF shall allow [to do fiscal sales and to get FCR reports (except
fiscal reports)] on behalfof the user to be performed before the user is
authenticated.
FIA_UAU.1.2The TSF shall require each user to be successfully authenticated before
allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.4 Single-use authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to[the
authentication mechanism employed to authenticate Authorized
Manufacturer User].
6.1.5.3 FIA_UID User Identification
FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 The TSF shall allow [to do fiscal sales and to get FCR report (except
fiscal reports)] on behalfof the user to be performed before the user is
identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before
allowing any other TSF-mediated actions on behalf of that user.
6.1.6 Class FMT Security Management
6.1.6.1 FMT_MOF Management of security functions behaviour
FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
46
FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behaviour of] the
functions [New Generation Cash Register Application Software normal
operation functions]to[assignment: the authorised identified
roles]nobody.
Application Note6: No auhtorised user makes the changes on the behaviour of the functions.
The TSF itself makes the behavioral changes according to the FCR parameters received from
TSM.
Application Note7:Ability to Modification of behaviour shall be used according to PRA
directives.Normal operation functions includes all FCR parameters that are sent to FCR by
TSM.
6.1.6.2 FMT_MSA Management of security attributes
FMT_MSA.1/PRIVILEGES Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Administrative Access Control SFP] to
restrict the ability to [modify] the security attributes [Privileges and
Access Control List] to [none].
FMT_MSA.1/ IP:PORTINFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM and
PRA-IS] to restrict the ability to [modify] the security attributes [IP:Port
Information] to [Authorised Manufacturer User].
FMT_MSA.1/FILE NAME and INFO-LABEL Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
47
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with TSM
and PRA-IS] to restrict the ability to [modify] the security attributes [file
name and information label] to [none].
FMT_MSA.1/EFT-POS/SMART PINPAD SOURCE PORT INFO Management of security
attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with
EFT_POS/SMART PINPAD Device] to restrict the ability to [modify]
the security attributes [Source Port] to [none].
FMT_MSA.1/ EFT-POS/SMART PINPAD LABEL INFO Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Information Flow Control SFP with
EFT_POS/SMART PINPAD Device] to restrict the ability to [modify]
the security attributes [EFT-POS/SMART PINPAD Label] to [none].
FMT_MSA.3/USERS and SYSTEMS Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
48
FMT_MSA.3.1 The TSF shall enforce the [Administrative Access Control SFP,
Information Flow Control SFP with TSM and PRA-IS] to provide
[restrictive]default values for security attributes that are used to enforce
the SFP.
FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to
override the default values when an object or information is created.
FMT_MSA.3/EFT-POS/SMART PINPAD Static attribute initialization
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Information Flow Control SFP with EFT-
POS/SMART PINPAD Device] to provide [permissive]default values for
security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to
override the default values when an object or information is created.
6.1.6.3 FMT_MTD Management of TSF data
FMT_MTD.1/ FCR AUTHORİSED USER Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query,
modify, delete, clear, [assignment: other operations]] the [FCR
Authorised User’s authentication data] to [assignment: the authorised
identified roles].
FMT_MTD.1/ AUTHORİZED MANUFACTURER USER Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [create] the [Authorized
Manufacturer User’s authentication data] to [assignment: the authorised
identified roles]nobody.
49
Application Note8: No authorised identified roles make the changes on Authorized
Manufacturer User’s authentication data but TSM creates it.
6.1.6.4 FMT_SMF Specification of Management Functions
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management
functions: [Authorized Manufacturer User modifies IP: Port
Information], [assignment: list of management functions to be provided
by the TSF].
6.1.6.5 FMT_SMR Security management roles
FMT_SMR.2 Restrictions on security roles
Hierarchical to: FMT_SMR.1 Security roles
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.2.1 The TSF shall maintain the roles:[FCR Authorised User,Authorised
Manufacturer User]
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions [Authorised Manufacturer
User shall take action in maintenance works and FCR Authorised User
take action in secure state works] are satisfied.
6.1.7 Class FPT Protection of the TSF
6.1.7.1 FPT_FLS Fail secure
FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of
failures occur:[except maintenance mode events that specified in
Section3.1.3]
50
6.1.7.2 FPT_PHP TSF physical protection
FPT_PHP.2 Notification of physical attack
Hierarchical to: FPT_PHP.1 Passive detection of physical attack
Dependencies: FMT_MOF.1 Management of security functions behaviour
FPT_PHP.2.1 The TSF shall provide unambiguous detection of physical tampering
that might compromise the TSF.
FPT_PHP.2.2 The TSF shall provide the capability to determine whether physical
tampering with the TSF's devices or TSF's elements has occurred.
FPT_PHP.2.3 For [the devices/elements for which active detection is required in
Technical Guidance Document [5]], the TSF shall monitor the devices
and elements and notify [all users]when physical tampering with the
TSF's devices or TSF's elements has occurred.
6.1.7.3 FPT_RCV Trusted recovery
FPT_RCV.1 Manual recovery
Hierarchical to: No other components.
Dependencies: AGD_OPE.1 Operational user guidance
FPT_RCV.1.1 After[maintenance mode events which expressed in section 3.1.3
occur] the TSF shall enter a maintenance mode where the ability
to return to a secure state is provided.
FPT_RCV.4 Function recovery
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_RCV.4.1 The TSF shall ensure that [except maintenance mode events that
specified in section 3.1.3] have the property that the function either
completes successfully, or for the indicated failure scenarios, recovers
to a consistent and secure state.
6.1.7.4 FPT_STM Time stamps
FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
51
6.1.7.5 FPT_TDC Inter-TSF TSF data consistency
FPT_TDC.1/TSM Inter-TSF basic TSF data consistency
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TDC.1.1 The TSF shall provide the capability to consistently interpret
[CheckSum] when shared between the TSF and another trusted IT
product.
FPT_TDC.1.2 The TSF shall use [Communication with secure messaging according to
PRA Messaging Protocol Document [6]] when interpreting the TSF data
from another trusted IT product.
FPT_TDC.1/EFT-POS/SMART PINPAD Inter-TSF basic TSF data consistency
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TDC.1.1 The TSF shall provide the capability to consistently interpret
[CheckSum] when shared between the TSF and another trusted IT
product.
FPT_TDC.1.2 The TSF shall use [Communication with secure messaging according to
External Device Communication Protocol Document[7]] when
interpreting the TSF data from another trusted IT product.
6.1.7.6 FPT_TEE Testing of external entities
FPT_TEE.1/EXT Testing of external entities
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TEE.1.1 The TSF shall run a suite of tests [during initialstart-up and during
fiscal transactions] to check the fulfillment of [proper working of
external entities].
FPT_TEE.1.2 If the test fails, the TSF shall [generate an audit event according to PRA
Messaging Protocol Document [6]].
Application Note9: External entities areERU, Fiscal Memory, Daily Memory, Mesh Cover and
Electronic Seal.
FPT_TEE.1/TIME Testing of external entities
Hierarchical to: No other components.
52
Dependencies: No dependencies.
FPT_TEE.1.1 The TSF shall run a suite of tests [during time synchronization with
NTP] to check the fulfillment of [accuracy of time information].
FPT_TEE.1.2 If the test fails, the TSF shall [assignment: action(s)].
6.1.8 Class FTP Trusted Patch/Channels
6.1.8.1 FTP_ITC Inter-TSF trusted channel
FTP_ITC.1/TSM Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and
another trusted IT product that is logically distinct from other
communication channels and provides assured identification of its end
points and protection of the channel data from modification or
disclosure.
FTP_ITC.1.2 The TSF shall permit [theTSF] to initiate communication via the
trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for
[sending user data (sales, event data and TRMK) to PRA-IS; receiveing
user data (TREK and TRAK) from PRA-IS and receiveing user data
(FCR parameters and exchange rates) from TSM].
FTP_ITC.1/EFT-POS/SMART PINPAD Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and
another trusted IT product that is logically distinct from other
communication channels and provides assured identification of its end
points and protection of the channel data from modification or
disclosure.
FTP_ITC.1.2 The TSF shall permit [theTSF] to initiate communication via the
trusted channel.
53
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel
for[sending amount information to EFT-POS/SMART PINPAD and
receiving outcome of the operation from EFT-POS/SMART PINPAD].
54
6.2 Security Assurance Requirements for the TOE
The assurance requirements for the evaluation of the TOE and for its development and
operating environment are chosen as the predefined assurance package EAL2.
6.3 Security Requirements Rationale
6.3.1 Security Functional Requirements Rationale
Table 4 provides an overview for security functional requirements coverage and also giving an
evidence for sufficiency and necessity of the SFRs chosen.
Table 4Coverage of security objectives by SFRs for TOE
O.AccessControl
O.Event
O.Integrity
O.Authentication
O.Function
O.Transfer
FAU_GEN.1 Audit data generation X
FAU_SAR.1 Audit review X
FAU_STG.1 Protected audit trail
storage
X
FAU_STG.4 Prevention of audit data
loss
X
FCO_NRO.2 Enforced proof of origin X
FCS_CKM.1/TRMK Cryptographic key
generation
X
FCS_CKM.2 Cryptographic key
distribution
X
FCS_CKM.1/TLS_AES Cryptographic key
generation
X
FCS_CKM.1/TLS_HMAC Cryptographic key
generation
X
FCS_CKM.1/DHE-KEY Cryptographic key
generation
X
55
FCS_CKM.1/EXT-DEV
KENC
Cryptographic key
generation
X
FCS_CKM.1/EXT-DEV
KHMAC
Cryptographic key
generation
X
FCS_CKM.4 Cryptographic key
destruction
X
FCS_COP.1/TREK Cryptographic operation X
FCS_COP.1/TRAK Cryptographic operation X
FCS_COP.1/ENC-DEC Cryptographic operation X
FCS_COP.1/INT-AUTH Cryptographic operation X
FCS_COP.1/HASHING Cryptographic operation X
FCS_COP.1/TRMK-DEC Cryptographic operation X
FCS_COP.1/PUB-ENC Cryptographic operation X
FCS_COP.1/SIGN-VER Cryptographic operation X
FCS_COP.1/EXT-DEV
KENC
Cryptographic operation X
FCS_COP.1/EXT-DEV
KHMAC
Cryptographic operation X
FCS_COP.1/EXT-DEV
KEYEXCHANGE
Cryptographic operation X
FDP_ACC.1 Subset access control X
FDP_ACF.1 Security attribute based
access control
X
FDP_ETC.2/TSM Export of user data with
security attributes
X
FDP_ETC.2 /EFT-
POS/SMART PINPAD
Export of user data with
security attributes
X
FDP_IFC.1/TSMCOMMU
NICATION
Subset information flow
control
X
56
FDP_IFC.1/EFT-
POS/SMART
PINPADCOMMUNICATI
ON
Subset information flow
control
X
FDP_IFF.1/TSMCOMMUN
ICATION
Simple security attributes X
FDP_IFF.1/EFT-
POS/SMART
PINPADCOMMUNICATI
ON
Simple security attributes X
FDP_ITC.2/TSM Import of user data with
security attributes
X
FDP_ITC.2/EFT-
POS/SMART PINPAD
Import of user data with
security attributes
X
FDP_SDI.2/ MEMORY Storeddata integrity
monitoring and action
X
FDP_SDI.2/DAILY and
PRMTR
Stored data integrity
monitoring and action
X
FIA_AFL.1/MANUFACTU
RER
Authentication failure
handling
X
FIA_AFL.1/AUTHORISED Authentication failure
handling
X
FIA_UAU.1 Timing of authentication X
FIA_UAU.4 Single-use authentication
mechanisms
X
FIA_UID.1 Timing of identification X
FMT_MOF.1 Management of security
functions behaviour
X
FMT_MSA.1/PRIVILEGES Management of security
attributes
X
57
FMT_MSA.1/IP:PORTINF
O
Management of security
attributes
X
FMT_MSA.1/FILE NAME
and INFO-LABEL
Management of security
attributes
X
FMT_MSA.1/EFT-
POS/SMART PINPAD
SOURCE PORT INFO
Management of security
attributes
X
FMT_MSA.1/EFT-
POS/SMART PINPAD
LABEL INFO
Management of security
attributes
X
FMT_MSA.3/USERS and
SYSTEMS
Static attribute
initialisation
X X
FMT_MSA.3/EFT-
POS/SMART PINPAD
Static attribute
initialisation
X
FMT_MTD.1/FCR
AUTHORİSED USER
Management of TSF data X X
FMT_MTD.1/
AUTHORİZED
MANUFACTURER USER
Management of TSF data X
FMT_SMF.1 Specification of
Management Functions
X
FMT_SMR.2 Restrictions on security
roles
X
FPT_FLS.1 Failure with preservation
of secure state
X
FPT_PHP.2 Notification of physical
attack
X X
FPT_RCV.1 Manual recovery X
FPT_RCV.4 Function recovery X
FPT_STM.1 Reliable time stamps X
58
FPT_TDC.1/TSM Inter-TSF basic TSF data
consistency
X
FPT_TDC.1/ EFT-
POS/SMART PINPAD
Inter-TSF basic TSF data
consistency
X
FPT_TEE.1/EXT Testing of external entities X
FPT_TEE.1/TIME Testing of external entities X
FTP_ITC.1/TSM Inter-TSF trusted channel X
FTP_ITC.1/EFT-
POS/SMART PINPAD
Inter-TSF trusted channel X
59
A detailed justification of required for suitability of the security functional requirements to
achieve the security objectives is given in Table 5
Table 5Suitability of the SFRs
Security
Objective
SecurityFunctionalRequirement
O.AccessControl
FDP_ACC.1
Provides security functional
policy for functions and
data
FDP_ACF.1
Defines security attributes
for functions and data
FAU_SAR.1
Allowsusers to readaudit
records
FMT_MSA.1/PRIVILEGES
Provides the functions to
restrict the ability to modify
the security attributes
(privileges) to nobody.
FMT_MSA.3/USERS and SYSTEMS
Provides the functions to
provide restrictive default
values for security
attributes that are used to
enforce the SFP and allows
nobody to specify
alternative initial values to
override the default values
when an object or
information is created.
FMT_SMF.1
Descripe the specification
of management functions
beingallowed to use in
maintenance mode and
secure state mode.
FMT_SMR.2
Maintainsthe roles with
restrictions
FMT_MTD.1/ FCR AUTHORİSED
USER
Provides authorised
processing of FCR
Authorised User’s
authentication data
FMT_MTD.1/ AUTHORİZED
MANUFACTURER USER
Provides authorised
processing of FCR
Manufacturer User’s
authentication data
O.Event
FAU_GEN.1
Generates correct audit
events
FPT_STM.1
Provides accurate time for
loggingevents
60
O.Integrity
FAU_STG.1
Protects stored audit data
integrity from unauthorised
deletion
FAU_STG.4
Prevents loss of auditdata
loss
FPT_PHP.2
Generation of audit event
detection of physical
tampering
FDP_SDI.2/MEMORY
Monitors user data stored
for integrity errors
FDP_SDI.2/DAILY and PRMTR
Monitors user data stored
forintegrity errors
FPT_TDC.1/TSM
Provides the capability to
consistently interpret TSF
data (checksum)
FPT_TDC.1/EFT-POS/SMART
PINPAD
Provides the capability to
consistently interpret TSF
data (checksum)
O.Authentication
FIA_AFL.1/MANUFACTURER
Detects and records
authentication failure
events for Autharised
Manufacturer User
FIA_AFL.1/AUTHORISED
Detects and records
authentication failure
events for FCR Authorised
User
FIA_UAU.1
Defines user authentication
before allowing to do fiscal
sales
FIA_UAU.4
Provides single use
authentication mechanism
for Autharised
Manufacturer User
FIA_UID.1
Defines user identification
before allowing to do fiscal
sales
FMT_MTD.1/ FCR AUTHORİSED
USER
Provides authorised
processing of FCR
Authorised User’s
authentication data
FMT_MTD.1/ AUTHORİZED
MANUFACTURER USER
Provides processing of
Authorised Manufacturer
User’s authentication data
FCS_COP.1/HASHING Provides authentication
operation for PRA-IS and
61
TSM
O.Function
FMT_MOF.1
Restricts the ability to
enable the functions to
nobody and, thus,
prevents an unintended
access to data in the
operational phase.
FPT_FLS.1
Failure types which makes
new generation cash
register fiscal application
software continue working
in secure state
FPT_RCV.1
Provides new generation
cash register fiscal
application software start
working in maintenance
mode in failure. (has ability
to switch to the secure state
manually)
FPT_RCV.4
Provides new generation
cash register
fiscal application software
start working
in maintenance mode in
failure. (has
ability to switch to the
secure state
automatically with
functions)
FPT_TEE.1/EXT
Provides test for IT
environment for
functioning accurately
FPT_TEE.1/TIME
Provides test for time
information for accuracy
O.Transfer
FCS_CKM.1/TLS_AES
Generates session keys
for communication between
FCR-PRA-IS and FCR–
TSM
FCS_CKM.1/TRMK
Generates session keys
for communication between
FCR-PRA-IS and FCR–
TSM
62
FCS_CKM.2
Provides cryptographic key
distribution to genarate
keys
FCS_CKM.1/TLS_HMAC
Generates session keys
for communication between
FCR-PRA-IS and FCR–
TSM
FMT_MSA.1/ EFT-POS/SMART
PINPAD LABEL INFO
Provides the functions to
restrict the ability to
modify the security
attribute (EFT-
POS/SMART PINPAD
label) to nobody
FMT_MSA.1/FILE NAME and INFO-
LABEL
Provides the functions to
restrict the abilityto modify
the security attribute (file
name) to nobody
FMT_MSA.1/ IP:PORT INFO
Provides the functions to
restrict the ability to modify
the security attribute
(IP/Port) to Authorized
Manufacturer User
FMT_MSA.1/EFT-POS/SMART
PINPAD SOURCE PORT INFO
Provides the functions to
restrict the ability to
modify the security
attribute (EFT-
POS/SMART PINPAD
source port) to nobody
FMT_MSA.3/USERS and SYSTEMS
Provides the functions to
provide restrictive default
values for security
attributes that are used to
enforce the SFP and allows
nobody to specify
alternative initialvalues too
verride the default values
when an object or
information is created
FMT_MSA.3/EFT-POS/SMART
PINPAD
Provides the functions to
provide permissive default
values for security attributes
that are used to enforce the
SFP and allows nobody
to specify alternative
initial values to override
the default values when an
63
object or information is
created
FCS_CKM.4
Destroys cryptographic
keys in the TOE
FCS_COP.1/ENC-DEC
Provides the cryptographic
operation for secure
communication between
PRA-IS and new generation
cash register fiscal
application software, and
between TSM and new
generation cash register
fiscal application software
FCS_COP.1/INT-AUTH
Provides authentication and
integrity protection for
comminication between
FCR-PRA-IS and FCR–
TSM
FCS_COP.1/TREK
Provides the cryptographic
operation for secure
communication between
PRA-IS and TOE
FCS_COP.1/TRAK
Provides authentication and
integrity protection for
comminication between
PRA-IS and TOE
FCS_COP.1/TRMK-DEC
Provides the cryptographic
operation for secure
communication between
PRA-IS and TOE
FCS_COP.1/PUB-ENC
Provides the cryptographic
operation for secure
communication between
PRA-IS-TOE
FCS_COP.1/SIGN-VER
Provides non-repuduation
for TREK and TRAK
sharing between PRA-IS
and TOE.
FCS_COP.1/HASHING
Provides the cryptographic
operation (hashing) for
communication with TSM
and PRA-IS
communication
FPT_PHP.2 Generation of audit event
detection of physical
64
tampering
FCO_NRO.2
Generates evidence of
origin of the data to be
transferred to thePRA-IS
FCS_CKM.1/DHE-KEY
Generates private key for
DHE key agreement
FCS_COP.1/EXT-DEV KENC
Provides symmetric
encryption in order to
establish secure
communication with
External Devices.
FCS_COP.1/ EXT-DEV KHMAC
Provides authentication and
integrity protection for
comminication with
External Devices.
FCS_CKM.1/EXT-DEV KENC
Generates keys for
communication between
TOE and External Devices
FCS_CKM.1/EXT-DEV KHMAC
Generates keys for
communication between
TOE and External Devices
FCS_COP.1/ EXT-DEV
KEYEXCHANGE
Provides
agreementoperation with
External Devices
FDP_ETC.2/TSM
Provides export of sales
data and event data from
the TOE to the PRA-IS
using the information flow
control SFP with TSM and
PRA-IS
FDP_ETC.2/EFT-POS/SMART
PINPAD
Provides export of amount
information in sales data
from the TOE to the EFT-
POS/SMART PINPAD
using the information flow
control SFP with EFT-
POS/SMART PINPAD
Devices
FDP_IFC.1/TSMCOMMUNICATION
Provides information flow
control policy for TSM and
PRA-IS communication
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION
Provides information flow
control policy for EFT-
POS/SMART PINPAD
communication
FDP_IFF.1/TSMCOMMUNICATION Provides information flow
control policy rules for
65
TSM and PRA-IS
communication
FDP_IFF.1/EFT-POS/SMART
PINPADCOMMUNICATION
Provides information flow
control policy rules for
EFT-POS/SMART
PINPAD communication
FDT_ITC.2/TSM
Provides protection of FCR
Parameters confidentiality
and integrity during import
from TSM
FDT_ITC.2/EFT-POS/SMART
PINPAD
Provides protection of
confidentiality and
integrity of outcome of the
operation conducted by the
EFT-POS/SMART
PINPAD device and AES
keys (KENC and
KHMAC)during import from
EFT-POS/SMART
PINPAD device
FTP_ITC.1/EFT-POS/SMART
PINPAD
Provides protection of data
(confidentiality+integrity)
during communication with
EFT-POS/SMART
PINPAD by the help of
secure channel
FTP_ITC.1/TSM
Provides protection of sales
data and event data
(confidentiality+integrity)
during communication with
PRA-IS by the help of
secure channel
66
6.3.2 Rationale for Security Functional Requirements dependencies
Selected security functional requirements include related dependencies. Table 6 below provides
a summary of the security functional requirements dependency analysis.
Table 6Security Functional Requirements dependencies
Dependencies: Included / not included
FAU_GEN.1 FPT_STM.1 included
FAU_SAR.1 FAU_GEN.1 included
FAU_STG.1 FAU_GEN.1 included
FAU_STG.4 FAU_STG.1 included
FCO_NRO.2 FIA_UID.1 Non-repudiation of the origin
satisfied for the event and sales data
send from FCR not on behalf of
each user but FCR itself.
Requirement satisfied but the
dependency is not fulfilled because
of the operational requirement.
FCS_CKM.1/TRMK FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_CKM.2; FCS_COP.1TRMK-
DEC; FCS_CKM.4 included
FCS_CKM.2 [FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1];
FCS_CKM.4
FCS_CKM.1/TRMK; FCS_CKM.4
FCS_CKM.1/TLS_AES FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_COP.1/ENC-DEC and
FCS_CKM.4 included
FCS_CKM.1/TLS_HMA
C
FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_COP.1/INT-AUTH and
FCS_CKM.4 included
FCS_CKM.1/EXT-DEV
KENC
FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_COP.1/EXT-DEV KENC and
FCS_CKM.4 included
.
FCS_CKM.1/EXT-DEV
KHMAC
FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_COP.1/ EXT-DEV KHMAC
and
FCS_CKM.4 included
67
FCS_CKM.4 FDP_ITC.1 or FDP_ITC.2
or FCS_CKM.1
FCS_CKM.1(FCS_CKM.1/EXT-
DEV KENC, FCS_CKM.1/EXT-
DEV KHMAC,
FCS_CKM.1/TLS_HMAC,
FCS_CKM.1/TLS_AES,
FCS_CKM.1/TRMK,
FCS_CKM.1/DHE-KEY) included
FCS_COP.1/TRAK FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FDP_ITC.2/TSM and
FCS_CKM.4 included
FCS_COP.1/TREK FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FDP_ITC.2/TSM and
FCS_CKM.4 included
FCS_COP.1/TRMK-
DEC
FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FCS_CKM.1/TRMK; FCS_CKM.4
FCS_COP.1/PUB-ENC FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
According to PRA messaging
protocol, there is no need to import
key for this SFR. Key is imported
during initialization.
According to PRA mesaging
protocol, PPRA and PTSM public key
should not be deleted. Tamper
system of the TOE protects keys
from misuse, disclosure or
modification.
FCS_COP.1/SIGN-VER FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
According to PRA messaging
protocol, there is no need to import
key for this SFR. Key is imported
during initialization.
According to PRA messaging
protocol, PPRA-SIGN public key
should not be deleted. Tamper
system of the TOE protects keys
from misuse, disclosure or
modification.
FCS_COP.1/ENC-DEC FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FCS_CKM.1/TLS_AES and
FCS_CKM.4 included
FCS_COP.1/INT-AUTH FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
FCS_CKM.1/TLS_HMAC and
FCS_CKM.4 included
68
;FCS_CKM.4
FCS_COP.1/HASHING FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
No need to include any
dependencies because there is no
need to use any key for HASHING
FCS_CKM.1/DHE-KEY
FCS_CKM.2 or
FCS_COP.1;
FCS_CKM.4
FCS_COP.1/ EXT-DEV
KEYEXCHANGE and
FCS_CKM.4
FCS_COP.1/EXT-DEV
KENC
FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FCS_CKM.1/EXT-DEV KENC;
FCS_CKM.4included
FCS_COP.1/ EXT-DEV
KHMAC
FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FCS_CKM.1/EXT-DEV KHMAC;
FCS_CKM.4included
FCS_COP.1/ EXT-DEV
KEYEXCHANGE
FDP_ITC.1 or
FDP_ITC.2 or
FCS_CKM.1
;FCS_CKM.4
FCS_CKM.1/DHE-
KEYandFCS_CKM.4 included
FDP_ACC.1 FDP_ACF.1 included
FDP_ACF.1 FDP_ACC.1;
FMT_MSA.3
FDP_ACC.1;
FMT_MSA.3/USERS and
SYSTEMS included
FDP_ETC.2/TSM FDP_ACC.1 or
FDP_IFC.1
FDP_ACC.1;
FDP_IFC.1/TSMCOMMUNICATI
ON included
FDP_ETC.2 /EFT-
POS/SMART PINPAD
FDP_ACC.1 or
FDP_IFC.1
FDP_ACC.1;
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION
included
FDP_IFC.1/TSMCOMM
UNICATION
FDP_IFF.1 FDP_IFF.1/TSMCOMMUNICATI
ON included
FDP_IFC.1/EFT-
POS/SMART
PINPADCOMMUNICA
TION
FDP_IFF.1 FDP_IFF.1/EFT-POS/SMART
PINPADCOMMUNICATION
included
FDP_IFF.1/TSMCOMM
UNICATION
FDP_IFC.1;
FMT_MSA.3
FDP_IFC.1/TSMCOMMUNICATI
ON; FMT_MSA.3/USERS and
SYSTEMS included
FDP_IFF.1/EFT-
POS/SMART
PINPADCOMMUNICA
TION
FDP_IFC.1;
FMT_MSA.3
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION;
FMT_MSA.3/EFT-POS/SMART
PINPADincluded
69
FDP_ITC.2/TSM FDP_ACC.1 or
FDP_IFC.1 ;
FTP_ITC.1 or
FTP_TRP.1 ;
FPT_TDC.1
FDP_IFC.1/TSMCOMMUNICATI
ON; FTP_ITC.1/TSM;
FPT_TDC.1/TSM included
FDP_ITC.2/EFT-
POS/SMART PINPAD
FDP_ACC.1 or
FDP_IFC.1 ;
FTP_ITC.1 or
FTP_TRP.1 ;
FPT_TDC.1
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION;
FTP_ITC.1/EFT-POS/SMART
PINPAD; FPT_TDC.1/EFT-
POS/SMART PINPADincluded
FDP_SDI.2/MEMORY No dependencies. -
FDP_SDI.2/DAILY and
PRMTR
No dependencies. -
FIA_AFL.1/MANUFAC
TURER
FIA_UAU.1 included
FIA_AFL.1/AUTHORIS
ED
FIA_UAU.1 included
FIA_UAU.1 FIA_UID.1 included
FIA_UAU.4 No dependencies -
FIA_UID.1 No dependencies -
FMT_MOF.1 FMT_SMR.1;
FMT_SMF.1
FMT_SMR.2 is hierarchical to
FMT_SMR.1;
FMT_SMF.1
FMT_MSA.1/PRIVILE
GES
FDP_ACC.1 or
FDP_IFC.1
FDP_ACC.1 included
FMT_MSA.1/
IP:PORTINFO
FDP_ACC.1 or
FDP_IFC.1
FDP_IFC.1/TSMCOMMUNICATI
ON included
FMT_MSA.1/FILE
NAME and INFO-
LABEL
FDP_ACC.1 or
FDP_IFC.1
FDP_IFC.1/TSMCOMMUNICATI
ON included
FMT_MSA.1/EFT-
POS/SMART PINPAD
SOURCE PORT INFO
FDP_ACC.1 or
FDP_IFC.1
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION
included
FMT_MSA.1/ EFT-
POS/SMART PINPAD
LABEL INFO
FDP_ACC.1 or
FDP_IFC.1
FDP_IFC.1/EFT-POS/SMART
PINPADCOMMUNICATION
included
FMT_MSA.3/USERS
and SYSTEMS
FMT_MSA.1 ;
FMT_SMR.1
FMT_MSA.1
(FMT_MSA.1/PRIVILEGES,
FMT_MSA.1/IP:PORTINFO and
FMT_MSA.1/FILE NAME and
INFO-LABEL) ;
FMT_SMR.2 is hierarchical to
70
FMT_SMR.1 included
FMT_MSA.3/EFT-
POS/SMART PINPAD
FMT_MSA.1 ;
FMT_SMR.1
FMT_MSA.1/ EFT-POS/SMART
PINPAD LABEL INFO ) ;
FMT_SMR.2 is hierarchical to
FMT_SMR.1 included
FMT_MTD.1/ FCR
AUTHORİSED USER
FMT_SMR.1 ;
FMT_SMF.1
FMT_SMR.2 is hierarchical to
FMT_SMR.1 ; FMT_SMF.1
included
FMT_MTD.1/
AUTHORİZED
MANUFACTURER
USER
FMT_SMR.1 ;
FMT_SMF.1
FMT_SMR.2 is hierarchical to
FMT_SMR.1 ; FMT_SMF.1
included
FMT_SMF.1 No dependencies. -
FMT_SMR.2 FIA_UID.1 included
FPT_FLS.1 No dependencies -
FPT_PHP.2 FMT_MOF.1 included
FPT_RCV.1 AGD_OPE.1 included (assurance component)
FPT_RCV.4 No dependencies -
FPT_STM.1 No dependencies -
FPT_TDC.1/TSM No dependencies -
FPT_TDC.1/EFT-
POS/SMART PINPAD
No dependencies -
FPT_TEE.1/EXT No dependencies -
FPT_TEE.1/TIME No dependencies -
FTP_ITC.1/TSM No dependencies -
FTP_ITC.1/EFT-
POS/SMART PINPAD
No dependencies -
71
6.3.3 Security Assurance Requirements Rationale
The current assurance package was chosen based on the pre-defined assurance packet EAL2.
EAL2 is chosen because the threats that were chosen are consistent with an attacker of basic
attack potential.
6.3.4 Security Requirements - Internal Consistency
The following part of the security requirements rationale shows that the set of security
requirements for the TOE consisting of the security functional requirements (SFRs) and the
security assurance requirements (SARs) together forms an internally consistent whole.
The dependency analysis inTable 6 shows that the basis for internal consistency between all
defined functional requirements is satisfied.
The assurance package EAL2 is a pre-defined set of internally consistent assurance
requirements. The assurance requirements are internally consistent as all (additional)
dependencies are satisfied and no inconsistency appears.
Inconsistency between functional and assurance requirements could only arise, if there are
functional-assurance dependencies being not met. So, there are no inconsistencies between the
goals of these two groups of security requirements.
72
7. ACRONYMS
AES : Advanced Encryption Standard
CC : Common Criteria
CCMB : Common Criteria Management Board
DEMA : Differential Electromagnetic Analysis
DES : Data Encryption Standard
DFA : Differential Fault Analysis
DPA : Differential Power Analysis
EAL : Evaluation Assurance Level (defined in CC)
EFTPOS : Electronic Funds Transfer at Point of Sale
EMV : Europay, MasterCard and Visa
ERU : Electronic Recording Unit
FCR : Fiscal Cash Register
GPRS : General Packet Radio Service
GPS : Global Positioning System
IT : Information Technology
ITU : International Telecommunication Union
OSP : Organizational Security Policy
PP : Protection Profile
PKI : Public Key Infrastructure
PRA : Presidency ofRevenue Administration
PRA-IS : Presidency ofRevenue Administration Information Systems
SAR : Security Assurance Requirements
SEMA : Simple Electromagnetic Analysis
SFR : Security Functional Requirements
SHA : Secure Hash Algorithm
73
SPA : Simple Power Analysis
SSL : Secure Sockets Layer
TOE : Target of Evaluation
TSF : TOE Security Functionality (defined in CC)
TSE : Turkish Standards Institute
TSM : Trusted Service Manager
VAT : Value Added Tax
74
8. BIBLIOGRAPHY
Common Criteria
[1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and
General Model; CCMB-2012-09-001, Version 3.1, Revision 4, September 2012
[2] Common Criteria for Information Technology Security Evaluation, Part 2: Security
Functional Components; CCMB-2012-09-002, Version 3.1, Revision 4, September 2012
[3] Common Criteria for Information Technology Security Evaluation, Part 3: Security
Assurance Requirements; CCMB-2012-09-003, Version 3.1, Revision 4, September 2012
[4] Common Methodology for Information Technology Security Evaluation, Evaluation
Methodology; CCMB-2012-09-004, Version 3.1, Revision 4, September 2012
New Generation Cash Register Directives
[5] Technical Guidance (TK1) Document, current version
[6] PRA Messaging Protocol (for TK1) Document, current version
[7] External Device Communication Protocol Document, current version