Bundesamt für Sicherheit in der Informationstechnik
Certification Report
BSI-PP-0020-V2-2007
Protection Profile
for
electronic Health Card (eHC) –
elektronische Gesundheitskarte (eGK),
Version 2.0
developed on behalf of the
Federal Ministry of Health, Germany
BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn
Telefon +49 (0)3018 9582-0, Infoline +49 (0)3018 9582-111, Telefax +49 (0)3018 9582-455
Bundesamt für Sicherheit in der Informationstechnik
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185 - 189 – D-53175 Bonn – Postfach 20 03 63 – D-53133 Bonn
Telefon +49 (0)3018 9582-0, Infoline +49 (0)3018 9582-111, Telefax +49 (0)3018 9582-455
Certificate BSI-PP-0020-V2-2007
Protection Profile
for
electronic Health Card (eHC) –
elektronische Gesundheitskarte
(eGK), Version 2.0
developed on behalf of the
Federal Ministry of Health, Germany
Assurance Package: EAL 4 augmented with
ADV_IMP.2, AVA_MSU.3 and AVA_VLA.4
Common Criteria Arrangement
Bonn, 15. February 2007 The President of the Federal
Office for Information Security
Dr. Helmbrecht L.S.
The Protection Profile mentioned above was evaluated at an accredited and licenced/approved evaluation facility on the
basis of the Common Criteria for Information Technology Security Evaluation (CC), Version 2.3 (ISO/IEC 15408)
applying the Common Methodology for Information Technology Security Evaluation (CEM), Version 2.3.
This certificate applies only to the specific version and release of the Protection Profile and in conjunction with the
complete Certification Report.
The evaluation has been conducted in accordance with the provisions of the certification scheme of the the Bundesamt
für Sicherheit in der Informationstechnik. The conclusions of the evaluation facility in the evaluation technical report are
consistent with the evidence adduced.
This certificate is not an endorsement of the Protection Profile by the the Bundesamt für Sicherheit in der
Informationstechnik or any other organisation that recognises or gives effect to this certificate, and no warranty of the
Protection Profile by the the Bundesamt für Sicherheit in der Informationstechnik or any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
This page is intentionally left blank.
BSI-PP-0020-V2-2007 Certification Report
Preliminary Remarks
Under the BSIG1
Act, the Bundesamt für Sicherheit in der Informationstechnik
(BSI) has the task of issuing certificates for information technology products as
well as for Protection Profiles (PP).
A PP defines an implementation-independent set of IT security requirements for
a category of TOEs which are intended to meet common consumer needs for IT
security. The development and certification of a PP or the reference to an
existent one gives consumers the possibility to express their IT security needs
without referring to a special product. Product or system certifications can be
based on Protection Profiles. For products which have been certified based on
a Protection Profile an individual certificate will be issued.
Certification of a Protection Profile is carried out on the instigation of the author,
hereinafter called the sponsor.
A part of the procedure is the technical examination (evaluation) of the
Protection Profile according to Common Criteria [1].
The evaluation is carried out by an evaluation facility recognised by the BSI or
by the BSI itself.
The result of the certification procedure is the present Certification Report. This
report contains among others the certificate (summarised assessment) and the
detailed Certification Results.
1
Act setting up the the Bundesamt für Sicherheit in der Informationstechnik (BSI-
Errichtungsgesetz, BSIG) of 17 December 1990, Bundesgesetzblatt I p. 2834
V
Certification Report BSI-PP-0020-V2-2007
Contents
Part A: Certification
Part B: Certification Results
Annex: Protection Profile
VI
BSI-PP-0020-V2-2007 Certification Report
A Certification
1 Specifications of the Certification Procedure
The certification body conducts the procedure according to the criteria laid down
in the following:
• BSIG2
• BSI Certification Ordinance3
• BSI Schedule of Costs4
• Special decrees issued by the Bundesministerium des Innern (Federal
Ministry of the Interior)
• DIN EN 45011
• BSI Certification - Description of the Procedure [3]
• Procedure for the Issuance of a PP certificate by the BSI
• Common Criteria for Information Technology Security Evaluation,
Version 2.35
[1]
• Common Methodology for IT Security Evaluation, Version 2.3 [2]
• BSI certification: Application Notes and Interpretation of the Scheme
(AIS) [4]
2
Act setting up the the Bundesamt für Sicherheit in der Informationstechnik (BSI-
Errichtungsgesetz, BSIG) of 17 December 1990, Bundesgesetzblatt I p. 2834
3
Ordinance on the Procedure for Issuance of a Certificate by the the Bundesamt für Sicherheit
in der Informationstechnik (BSI-Zertifizierungsverordnung, BSIZertV) of 07 July 1992,
Bundesgesetzblatt I p. 1230
4
Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der
Informationstechnik (BSI-Kostenverordnung, BSI-KostV) of 03 March 2005,
Bundesgesetzblatt I p. 519
5
Proclamation of the Bundesministerium des Innern of 10 May 2006 in the Bundesanzeiger
dated 19 May 2006, p. 3730
A-1
Certification Report BSI-PP-0020-V2-2007
2 Recognition Agreements
In order to avoid multiple certification of the same Protection Profile in different
countries a mutual recognition of Protection Profile certificates under certain
conditions was agreed.
An arrangement (Common Criteria Arrangement) on the mutual recognition of
certificates based on the CC evaluation assurance levels up to and including
EAL 4 was signed in May 2000. It includes also the recognition of Protection
Profiles based on the CC. The arrangement was signed by the national bodies
of Australia, Canada, Finland, France, Germany, Greece, Italy, The
Netherlands, New Zealand, Norway, Spain, United Kingdom and the United
States. Israel joined the arrangement in November 2000, Sweden in February
2002, Austria in November 2002, Hungary and Turkey in September 2003,
Japan in November 2003, the Czech Republic in September 2004, the Republic
of Singapore in March 2005 and India in April 2005.
A-2
BSI-PP-0020-V2-2007 Certification Report
3 Performance of Evaluation and Certification
The certification body monitors each individual evaluation to ensure a uniform
procedure, a uniform interpretation of the criteria and uniform ratings.
The Protection Profile for electronic Health Card (eHC) – elektronische
Gesundheitskarte (eGK), Version 2.0 has undergone the certification procedure
at the BSI.
The evaluation of the Protection Profile for electronic Health Card (eHC) –
elektronische Gesundheitskarte (eGK), Version 2.0 was conducted by
T-Systems GEI GmbH, Prüfstelle IT-Sicherheit. The evaluation facility of
T-Systems GEI GmbH, Prüfstelle IT-Sicherheit is an evaluation facility (ITSEF)6
recognised by BSI.
Developer is the ‘SRC Security Research & Consulting GmbH‘ on behalf of the
‘Federal Ministry of Health, Germany’.
The certification was concluded with
• the comparability check and
• the preparation of this Certification Report.
This work was completed by the BSI on 15. February 2007.
6
Information Technology Security Evaluation Facility
A-3
Certification Report BSI-PP-0020-V2-2007
4 Publication
The following Certification Results contain pages B-1 to B-10.
The Protection Profile for electronic Health Card (eHC) – elektronische
Gesundheitskarte (eGK), Version 2.0 has been included in the BSI list of
certified and registered Protection Profiles, which is published regularly (see
also Internet: http:// www.bsi.bund.de). Further information can be obtained via
the BSI-Infoline +49 (0)3018 9582-111.
Further copies of this Certification Report may be ordered from the BSI7
. The
Certification Report may also be obtained in electronic form at the internet
address stated above.
7
BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn
Telefon +49 (0)3018 9582-0, Infoline +49 (0)3018 9582-111, Telefax +49 (0)3018 9582-455
A-4
BSI-PP-0020-V2-2007 Certification Report
B Certification Results
Content of the Certification Results
1 PP Overview................................................................................................ 2
2 Security Functional Requirements............................................................... 4
3 Assurance Package .................................................................................... 6
4 Strength of Functions .................................................................................. 6
5 Results of the Evaluation............................................................................. 7
6 Obligation for ST writer................................................................................ 7
7 Definitions.................................................................................................... 8
8 Bibliography................................................................................................. 9
B-1
Certification Report BSI-PP-0020-V2-2007
1 PP Overview
The Protection Profile (PP) [7] defines the security objectives and requirements
for the electronic Health Card (German: “elektronische Gesundheitskarte”)
based on the regulations for the German health care system. It addresses the
security services provided by this card, mainly:
•
•
•
•
•
•
•
•
•
•
Mutual Authentication between the eHC and a Health Professional Card
(HPC) or a Security Module Card (SMC),
Mutual Authentication between the eHC and a security device (e.g. for
online update of contract data in the card),
Authentication of the card holder by use of a PIN, the eHC-PIN,
Note: This eHC-PIN is used for general functions of the eHC. The electronic
signature application requires a separate PIN for its exclusive purposes.
Secure storage of contractual and medical data, with respect to
confidentiality, integrity and authenticity of these data,
Authentication of the card using a private key and a X.509 certificate and
Document content key decipherment using a private key.
The Target of Evaluation (TOE) defined in the PP is a smart card, the electronic
Health Card (eHC), which is conformant to the specification documents [8] and
[9]. The size of the card is type ID-1 according to ISO 7810 (the usual credit-
card-size).
The Health Card is a card with contacts according to ISO 7816-1 to –3. If it has
an additional contactless interface, none of the eHC functions shall be
accessible via this interface.
The overall system including the TOE and its environment are intended to
comply to the relevant German legal regulations, in particular the “Gesetz zur
Modernisierung der Gesetzlichen Krankenversicherung” (GKV-Moderni-
sierungsgesetz – GMG), the “Sozialgesetzbuch” (SGB) and the privacy
legislation (“Datenschutzgesetze des Bundes und der Länder”).
The TOE comprises the following parts:
TOE_IC, consisting of :
- the circuitry of the eHC’s chip (the integrated circuit, IC) and
- the IC Dedicated Software with the parts "IC Dedicated Test Software"
and "IC Dedicated Support Software"
TOE_ES
- the IC Embedded Software (operating system)
TOE_APP
- the eHC applications (data structures and their content)
and
guidance documentation delivered together with the TOE.
B-2
BSI-PP-0020-V2-2007 Certification Report
German health insurance companies issue electronic Health Cards to patients
insured by them. The card is used by the card holders when they use health
care services, which are covered by the insurance. A picture of the patient is
printed on the card in order to support identification. The eHC contains data for
•
•
•
card holder identification,
contractual and financial information to be exchanged between card holder
and health care provider and/or the health insurance company and
medical data, including electronic prescriptions.
(For a more detailed definition of the assets see PP [7] chapter 3.1.)
The TOE life cycle is described in terms of seven life cycle phases: Phase 1
“Smartcard Embedded Software Development”, Phase 2 “IC Development”,
Phase 3 “IC Manufacturing and Testing”, Phase 4 “IC Packaging and Testing“,
Phase 5 “ Smartcard Product Finishing Process”, Phase 6 “Smartcard
Personalization” and Phase 7 “Smartcard End-usage”. For the evaluation of the
HPC the phases 1 up to 4 as defined in Table 1 are part of the TOE
development in the sense of the CC. Phases 6 and 7 are part of the operational
use in the sense of the CC. Phase 5 may be part of one of these CC phases or
may be split between them depending on the specific model used by the TOE
developer. The writer of the ST shall define the exact boundary.
The PP defines the following Security Objectives for the TOE:
Identifier for Sec.Objective Issue addressed by the Security Objective
Sec.Objectives, which are
mainly TOE_APP oriented
OT.Access_rights Access Control Policy for Data in the TOE
Sec.Objectives, which are
mainly TOE_ES oriented
OT.AC_Pers Access control for Personalisation
OT.Additional_Applications Protection of additional Applications
OT.Services Services provided by the Card
OT.Cryptography Implementation of cryptographic Algorithms
Sec.Objectives, which are
mainly TOE_IC oriented
OT.Prot_Inf_Leak Protection against Information Leakage
OT.Prot_Phys_Tamper Protection against Physical Tampering
OT.Prot_Malfunction Protection against Malfunctions
OT.Prot_Abuse_Func Protection against Abuse of Functionality
Table 1: Security Objectives for the TOE
The PP defines the Security Objectives for the environment of the TOE divided
into two categories:
B-3
Certification Report BSI-PP-0020-V2-2007
Identifier for Sec.Objective Issue addressed by the Security Objective
Security Objectives for the Development
and Manufacturing Environment
OD.Assurance Assurance Security Measures in Development and
Manufacturing Environment
OD.Material Control over Smart Card Material
Security Objectives for the Operational
Environment
OE.Users Adequate Usage of TOE and IT-Systems in the
Environment
OE.Legal_Decisions Legal Responsibility of authorised Persons
OE.Data_Protection Protection of sensitive Data outside the eHC
OE.User_information Information about secure Usage
OE.Perso Secure Handling of Data during Personalisation
and additional Personalisation
Table 2: Security Objectives for the environment of the TOE
For details and application notes refer to the PP [7] chapter 4. Security
Functional Requirements for the TOE and for the IT-Environment are derived
from these Security Objectives as outlined in the following chapter.
2 Security Functional Requirements
This section contains the functional requirements that must be satisfied by a
TOE which is compliant to the Protection Profile. The TOE Security Functional
Requirements (SFR) selected in the Security Target are Common Criteria Part
2 extended as shown in the following tables.
The following SFRs are taken from CC part 2:
Security Functional Requirement Identifier and addressed issue
FCS Cryptographic support
FCS_CKM.1/SM Cryptographic Key Generation – Secure
Messaging Keys
FCS_CKM.4 Cryptographic Key Destruction
FCS_COP.1/SHA Cryptographic Operation – Hash Algorithm
FCS_COP.1/CCA_SIGN Cryptographic Operation – Digital Signature-
Creation for Card-to-Card Authentication
FCS_COP.1/CCA_VERIF Cryptographic Operation – Digital Signature-
Verification for Card-to-Card Authentication
FCS_COP.1/CSA Cryptographic Operation – Digital Signature-
Creation for Client-Server Authentication
FCS_COP.1/RSA_DEC Cryptographic Operation – RSA Decryption
FCS_COP.1/TDES Cryptographic Operation – Triple DES
Encryption / Decryption
B-4
BSI-PP-0020-V2-2007 Certification Report
Security Functional Requirement Identifier and addressed issue
FCS_COP.1/MAC Cryptographic operation – Retail MAC
FDP User data protection
FDP_ACC.2 Complete access control
FDP_ACF.1 Security attribute based access control
FDP_RIP.1 Residual Information Protection
FDP_SDI.2 Stored Data Integrity
FDP_UCT.1 Basic data exchange confidentiality
FDP_UIT.1 Data exchange integrity
FIA Identification and authentication
FIA_AFL.1/PIN Authentication failure handling – eHC-PIN
FIA_AFL.1/PUC Authentication failure handling – eHC-PIN-
unblocking code
FIA_ATD.1 User attribute definition
FIA_UID.1 Timing of identification
FIA_UAU.1 Timing of authentication
FIA_UAU.4 Single-use authentication mechanisms
FMT Security Management
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FMT_MTD.1/Ini Management of TSF data – Initialisation
FMT_MTD.1/Pers Management of TSF data – Personalization
FMT_MTD.1/CMS Management of TSF data – Card
Management
FMT_MTD.1/PIN Management of TSF data – Human user
authentication data
FMT_MTD.1/KEY_MOD Management of TSF data – Key
Management
FPT Protection of the TOE Security Functions
FPT_FLS.1 Failure with preservation of secure state
FPT_PHP.3 Resistance to physical attack
FPT_TST.1 TSF testing
FPT_RVM.1 Non-bypassability of the TSP
FPT_SEP.1 TSF domain separation
FTP Trusted Path/Channel
FTP_ITC.1 Inter-TSF Trusted Channel
Table 3: SFRs for the TOE taken from CC Part 2
B-5
Certification Report BSI-PP-0020-V2-2007
The following CC part 2 extended SFRs are defined:
Security Functional Requirement Identifier and addressed issue
FCS Cryptographic support
FCS_RND.1 Quality metric for random numbers
FMT Security management
FMT_LIM.1 Limited capabilities
FMT_LIM.2 Limited availability
FPT Protection of the TOE Security Functions
FPT_EMSEC.1 TOE Emanation
Table 4: SFRs for the TOE, CC part 2 extended
Note: Only the titles of the Security Functional Requirements are provided. For
more details and application notes please refer to the PP [7] chapter 5.
3 Assurance Package
The Security Assurance Requirements are based entirely on the assurance
components defined in Part 3 of the Common Criteria. The Assurance
Requirements comply with assurance level EAL 4 augmented (Evaluation
Assurance Level 4 augmented).
The following table shows the augmented assurance components:
Requirement Identifier
EAL4 TOE evaluation: Methodically designed, tested and
reviewed
+: ADV_IMP.2 Implementation of the TSF
+: AVA_MSU.3 Analysis and testing for insecure states
+: AVA_VLA.4 Highly resistant
Table 5: Augmented assurance components
4 Strength of Functions
The minimum strength of function level is claimed SOF-high This Protection
Profile does not contain any security functional requirement for which an explicit
strength of function claim is required.
B-6
BSI-PP-0020-V2-2007 Certification Report
5 Results of the Evaluation
The Evaluation Technical Report (ETR), [6] was provided by the ITSEF
according to the Common Criteria [1], the Methodology [2], the requirements of
the Scheme [3] and all interpretations and guidelines of the Scheme (AIS) [4] as
relevant for the TOE.
The verdict for the CC, Part 3 assurance component (according the class APE
for the Protection Profile evaluation) is summarised in the following table:
CC Aspect Result
CC Class APE PASS
APE_DES.1 PASS
APE_ENV.1 PASS
APE_INT.1 PASS
APE_OBJ.1 PASS
APE_REQ.1 PASS
APE_SRE.1 PASS
Table 6: Verdict for assurance class
The Protection Profile for electronic Health Card (eHC) – elektronische
Gesundheitskarte (eGK), Version 2.0 meets the requirements for Protection
Profiles as specified in class APE of the CC.
6 Obligation for ST writer
In case that phase 5 “Smart Card Product Finishing Process“ of the PP is not
part of the CC phase “TOE Development“ (see PP [7], chapter 2.3) the ST
writer has to add an assumption for a secure Smart Card Product Finishing
environment (see PP [7], table 1) and an according objective for the
environment.
B-7
Certification Report BSI-PP-0020-V2-2007
7 Definitions
7.1 Acronyms
CC Common Criteria for IT Security Evaluation
EAL Evaluation Assurance Level
eHC electronic Health Card
IT Information Technology
ITSEF Information Technology Security Evaluation Facility
HPC Health Professional Card
PP Protection Profile
SF Security Function
SFP Security Function Policy
SMC Security Module Card
SOF Strength of Function
SSCD-PP Protection Profile Secure Signature Creation Device
ST Security Target
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSP TOE Security Policy
7.2 Glossary
Augmentation - The addition of one or more assurance component(s) from
Part 3 to an EAL or assurance package.
Extension - The addition to an ST or PP of functional requirements not
contained in Part 2 and/or assurance requirements not contained in Part 3 of
the CC.
Protection Profile - An implementation-independent set of security require-
ments for a category of TOEs that meet specific consumer needs.
Security Function - A part or parts of the TOE that have to be relied upon for
enforcing a closely related subset of the rules from the TSP.
Security Target - A set of security requirements and specifications to be used
as the basis for evaluation of an identified TOE.
Strength of Function - A qualification of a TOE security function expressing
the minimum efforts assumed necessary to defeat its expected security
behaviour by directly attacking its underlying security mechanisms.
B-8
BSI-PP-0020-V2-2007 Certification Report
SOF-basic - A level of the TOE strength of function where analysis shows that
the function provides adequate protection against casual breach of TOE secu-
rity by attackers possessing a low attack potential.
SOF-medium - A level of the TOE strength of function where analysis shows
that the function provides adequate protection against straightforward or inten-
tional breach of TOE security by attackers possessing a moderate attack poten-
tial.
SOF-high - A level of the TOE strength of function where analysis shows that
the function provides adequate protection against deliberately planned or
organised breach of TOE security by attackers possessing a high attack poten-
tial.
Target of Evaluation - An IT product or system and its associated
administrator and user guidance documentation that is the subject of an evalua-
tion.
TOE Security Functions - A set consisting of all hardware, software, and firm-
ware of the TOE that must be relied upon for the correct enforcement of the
TSP.
TOE Security Policy - A set of rules that regulate how assets are managed,
protected and distributed within a TOE.
TSF Scope of Control - The set of interactions that can occur with or within a
TOE and are subject to the rules of the TSP.
8 Bibliography
[1] Common Criteria for Information Technology Security Evaluation,
Version 2.3
[2] Common Methodology for Information Technology Security Evaluation
(CEM), Version 2.3
[3] BSI certification: Procedural Description (BSI 7125)
[4] Application Notes and Interpretations of the Scheme (AIS) as relevant for
the TOE.
[5] German IT Security Certificates (BSI 7148, BSI 7149)
[6] Evaluation Technical Report for a PP evaluation, Version 2.01, 30.
January 2007, Common Criteria Protection Profile electronic Health Card
(eHC) – elektronische Gesundheitskarte (eGK), BSI-PP-0020-V2-2007,
T-Systems GEI GmbH (confidential document)
[7] Common Criteria Protection Profile electronic Health Card (eHC) –
elektronische Gesundheitskarte (eGK), BSI-PP-0020-V2-2007, Version
2.0, 29. January 2007, BSI
[8] Die Spezifikation der elektronischen Gesundheitskarte, Teil 1:
Kommandos, Algorithmen und Funktionen der Betriebssystem-Plattform,
Version 1.1.0, 07. Februar 2006, gematik
B-9
Certification Report BSI-PP-0020-V2-2007
[9] Die Spezifikation der elektronischen Gesundheitskarte, Teil 2:
Anwendungen und anwendungsspezifische Strukturen, Version 1.2.1,
07. September 2006, gematik
[10] Protection Profile Secure Signature Creation Device Type 2 resp. Type
3, registered and certified by Bundesamt für Sicherheit in der
Informationstechnik (BSI) under the reference BSI-PP-0005-2002T resp.
BSI-PP-0006-2002T
B-10
BSI-PP-0020-2005 Certification Report
C Annex: Protection Profile
The Protection Profile (PP) [7] is provided within a separate document.
C-1