Council Regulation (EEC) No 3821/85Show full title

[F1 [F2TACHOGRAPH CARD GENERIC SECURITY TARGET U.K.

1. Introduction U.K.

This document contains a description of the tachograph card, of the threats it must be able to counteract and of the security objectives it must achieve. It specifies the required security enforcing functions. It states the claimed minimum strength of security mechanisms, and the required level of assurance for the development and the evaluation.

Requirements referred to in the document, are those of the body of Annex I B. For clarity of reading, duplication sometimes arises between Annex I B body requirements and security target requirements. In case of ambiguity between a security target requirement and the Annex I B requirement referred by this security target requirement, the Annex I B body requirement shall prevail.

Annex I B body requirements not referred by security targets are not the subject of security enforcing functions.

A tachograph card is a standard smart card carrying a dedicated tachograph application, and shall comply with up-to-date functional and assurance security requirements applicable to smart cards. This security target therefore incorporates only the extra security requirements needed by the tachograph application.

Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for the purpose of traceability to development and evaluation documentation.

2. Abbreviations, definitions and references U.K.

2.1. Abbreviations U.K.

2.2. Definitions U.K.

2.3. References U.K.

3. Product Rationale U.K.

3.1. Tachograph card description and method of use U.K.

A tachograph card is a smart card, as described in (IC PP) and (ES PP), carrying an application intended for its use with the recording equipment.

The basic functions of the tachograph card are:

• to store card identification and card holder identification data. These data are used by the vehicle unit to identify the cardholder, provide accordingly functions and data access rights, and ensure cardholder accountability for his activities,

• to store cardholder activities data, events and faults data and control activities data, related to the cardholder.

A tachograph card is therefore intended to be used by a card interface device of a vehicle unit. It may also be used by any card reader (e.g. of a personal computer) which shall have full read access right on any user data.

During the end-usage phase of a tachograph card life cycle (phase 7 of life-cycle as described in (ES PP)), vehicle units only may write user data to the card.

The functional requirements for a tachograph card are specified in Annex I B body text and Appendix 2.

3.2. Tachograph card life cycle U.K.

The tachograph card life cycle conforms to smart card life cycle described in (ES PP).

3.3. Threats U.K.

In addition to the smart card general threats listed in (ES PP) and (IC PP), the tachograph card may face the following threats:

3.3.1. Final aims U.K.

The final aim of attackers will be to modify user data stored within the TOE.

3.3.2. Attack paths U.K.

TOE's assets may be attacked by:

• trying to gain illicit knowledge of TOE's hardware and software design and especially of its security functions or security data. Illicit knowledge may be gained though attacks to designer or manufacturer material (theft, bribery, …) or through direct examination of the TOE (physical probing, inference analysis, …),

• taking advantage of weaknesses in TOE design or realisation (exploit errors in hardware, errors in software, transmission faults, errors induced in TOE by environmental stress, exploit weaknesses of security functions such as authentication procedures, data access control, cryptographic operations, …),

• modifying the TOE or its security functions through physical, electrical or logical attacks or combination of these.

3.4. Security Objectives U.K.

The main security objective of the entire digital tachograph system is the following:

Therefore the main security objectives of the TOE, contributing to this global security objective are the following:

3.5. Information technology security objectives U.K.

In addition to the smart card general security objectives listed in (ES PP) and (IC PP), the specific IT security objectives of the TOE that contributes to its main security objectives during its end-usage life-cycle phase are the following:

3.6. Physical, personnel or procedural means U.K.

The physical, personnel or procedural requirements that contribute to the security of the TOE are listed in (ES PP) and (IC PP) (chapters security objectives for the environment).

4. Security enforcing functions U.K.

This paragraph refines some of the permitted operations such as assignment or selection of (ES PP) and provides additional SEF functional requirements.

4.1. Compliance to protection profiles U.K.

[CPP_301] The TOE shall comply with (IC PP).

[CPP_302] The TOE shall comply with (ES PP) as refined further.

4.2. User identification and authentication U.K.

The card must identify the entity in which it is inserted and know whether it is an authenticated vehicle unit or not. The card may export any user data whatever the entity it is connected to, except the control [F3and the company card] which may export card holder identification data to authenticated vehicle units only (such that a controller is ensured that the vehicle unit is not a fake one by seeing his name on display or printouts).

4.2.1. User identification U.K.

Assignment (FIA_UID.1.1) List of TSF mediated actions : none.

[X1Assignment (FIA_ATD.1.1) List of security attributes :

4.2.2. User authentication U.K.

Assignment (FIA_UAU.1.1) List of TSF mediated actions :

• Driver and Workshop cards: export user data with security attributes (card data download function),

• Control card: export user data without security attributes except cardholder identification data.

[UIA_301] Authentication of a vehicle unit shall be performed by means of proving that it possesses security data that only the system could distribute.

Selection (FIA_UAU.3.1 and FIA_UAU.3.2): prevent.

Assignment (FIA_UAU.4.1) Identified authentication mechanism(s) : any authentication mechanism.

[UIA_302] The Workshop card shall provide an additional authentication mechanism by checking a PIN code (This mechanism is intended for the vehicle unit to ensure the identity of the card holder, it is not intended to protect workshop card content).

4.2.3. Authentication failures U.K.

[F4Additionally the following assignments describe the card reaction for each single user authentication failure.

Assignment (FIA_AFL.1.1) Number : 1, list of authentication events : authentication of a card interface device.

Assignment (FIA_AFL.1.2) List of actions :

• warn the entity connected,

• assume the user as NON_VEHICLE_UNIT.

Additionally the following assignments] describe the card reaction in the case of failure of the additional authentication mechanism required in UIA_302.

Assignment (FIA_AFL.1.1) Number : 5, list of authentication events : PIN checks (workshop card).

Assignment (FIA_AFL.1.2) List of actions :

• warn the entity connected,

• block the PIN check procedure such that any subsequent PIN check attempt will fail,

• be able to indicate to subsequent users the reason of the blocking.

4.3. Access control U.K.

4.3.1. Access control policy U.K.

During end-usage phase of its life cycle, the tachograph card is the subject of one single access control security function policy (SFP) named AC_SFP.

Assignment (FDP_ACC.2.1) Access control SFP : AC_SFP.

4.3.2. Access control functions U.K.

Assignment (FDP_ACF.1.1) Access control SFP : AC_SFP.

Assignment (FDP_ACF.1.1) Named group of security attributes : USER_GROUP.

Assignment (FDP_ACF.1.2) Rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects :

4.4. Accountability U.K.

[ACT_301] The TOE shall hold permanent identification data.

[ACT_302] There shall be an indication of the time and date of the TOE's personalisation. This indication shall remain unalterable.

4.5. Audit U.K.

The TOE must monitor events that indicate a potential violation of its security.

Assignment (FAU_SAA.1.2) Subset of defined auditable events:

• cardholder authentication failure (5 consecutive unsuccessful PIN checks),

• self test error,

• stored data integrity error,

• activity data input integrity error.

4.6. Accuracy U.K.

4.6.1. Stored data integrity U.K.

Assignment (FDP_SDI.2.2) Actions to be taken : warn the entity connected,

4.6.2. Basic data authentication U.K.

Assignment (FDP_DAU.1.1) List of objects or information types : activity data.

Assignment (FDP_DAU.1.2) List of subjects : any.

4.7. Reliability of service U.K.

4.7.1. Tests U.K.

Selection (FPT_TST.1.1): during initial start-up, periodically during normal operation.

Note: during initial start-up means before code is executed (and not necessarily during Answer To Reset procedure). U.K.

[RLB_301] The TOE's self tests shall include the verification of the integrity of any software code not stored in ROM.

[RLB_302] Upon detection of a self test error the TSF shall warn the entity connected.

[RLB_303] After OS testing is completed, all testing-specific commands and actions shall be disabled or removed. It shall not be possible to override these controls and restore them for use. Command associated exclusively with one life cycle state shall never be accessed during another state.

4.7.2. Software U.K.

[RLB_304] There shall be no way to analyse, debug or modify TOE's software in the field.

[RLB_305] Inputs from external sources shall not be accepted as executable code.

4.7.3. Power supply U.K.

[RLB_306] The TOE shall preserve a secure state during power supply cut-off or variations.

4.7.4. Reset conditions U.K.

[RLB_307] If power is cut (or if power variations occur) from the TOE, or if a transaction is stopped before completion, or on any other reset conditions, the TOE shall be reset cleanly.

4.8. Data exchange U.K.

4.8.1. Data exchange with a vehicle unit U.K.

[DEX_301] The TOE shall verify the integrity and authenticity of data imported from a vehicle unit.

[DEX_302] Upon detection of an imported data integrity error, the TOE shall:

• warn the entity sending the data,

• not use the data.

[DEX_303] The TOE shall export user data to the vehicle unit with associated security attributes, such that the vehicle unit will be able to verify the integrity and authenticity of data received.

4.8.2. Export of data to a non-vehicle unit (download function) U.K.

[DEX_304] The TOE shall be able to generate an evidence of origin for data downloaded to external media.

[DEX_305] The TOE shall be able to provide a capability to verify the evidence of origin of downloaded data to the recipient.

[DEX_306] The TOE shall be able to download data to external storage media with associated security attributes such that downloaded data integrity can be verified.

4.9. Cryptographic support U.K.

[CSP_301] If the TSF generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes. Generated cryptographic session keys shall have a limited (TBD by manufacturer and not more than 240) number of possible use.

[CSP_302] If the TSF distributes cryptographic keys, it shall be in accordance with specified cryptographic key distribution methods.

5. Definition of security mechanisms U.K.

Required security mechanisms are specified in Appendix 11.

All other security mechanisms are to be defined by the TOE manufacturer.

6. Claimed minimum strength of mechanisms U.K.

The minimum strength of mechanisms for the Tachograph Card is High as defined in (ITSEC).

7. Level of Assurance U.K.

The target level of assurance for the Tachograph Card is ITSEC level E3 , as defined in (ITSEC).

8. Rationale U.K.

The following matrixes give a rationale for the additional SEFs by showing:

• which SEFs counteract which threats,

• which SEFs fulfil which IT security objectives.