Council Regulation (EEC) No 3821/85Dangos y teitl llawn

[F1 [F2Appendix 10 GENERIC SECURITY TARGETS

This appendix specifies the minimum required content of motion sensor, vehicle unit and tachograph card security targets. U.K.

In order to form the security targets against which they may seek security certification, manufacturers shall refine and complete the documents as necessary, without amending nor deleting existing threats, objectives, procedural means and security enforcing functions specifications.

MOTION SENSOR GENERIC SECURITY TARGET U.K.

1. Introduction U.K.

This document contains a description of the motion sensor, of the threats it must be able to counteract and of the security objectives it must achieve. It specifies the required security enforcing functions. It states the claimed minimum strength of security mechanisms and the required level of assurance for the development and the evaluation.

Requirements referred to in the document, are those of the body of Annex I B. For clarity of reading, duplication sometimes arises between Annex I B body requirements and security target requirements. In case of ambiguity between a security target requirement and the Annex I B body requirement referred by this security target requirement, the Annex I B body requirement shall prevail.

Annex I B body requirements not referred by security targets are not the subject of security enforcing functions.

Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for the purpose of traceability to development and evaluation documentation.

2. Abbreviations, definitions and references U.K.

2.1. Abbreviations U.K.

2.2. Definitions U.K.

2.3. References U.K.

3. Product rationale U.K.

3.1. Motion sensor description and method of use U.K.

The motion sensor is intended to be installed in road transport vehicles. Its purpose is to provide a VU with secured motion data representative of vehicle's speed and distance travelled.

The motion sensor is mechanically interfaced to a moving part of the vehicle, which movement can be representative of vehicle's speed or distance travelled. It may be located in the vehicle's gear box or in any other part of the vehicle.

In its operational mode, the motion sensor is connected to a VU.

It may also be connected to specific equipment for management purposes (TBD by manufacturer).

The typical motion sensor is described in the following figure:

3.2. Motion sensor life cycle U.K.

The typical life cycle of the motion sensor is described in the following figure:

3.3. Threats U.K.

This paragraph describes the threats the motion sensor may face.

3.3.1. Threats to access control policies U.K.

3.3.2. Design related threats U.K.

3.3.3. Operation oriented threats U.K.

3.4. Security objectives U.K.

The main security objective of the digital tachograph system is the following:

Therefore the security objective of the motion sensor, contributing to the global security objective, is:

3.5. Information technology security objectives U.K.

The specific IT security objectives of the motion sensor contributing to its main security objective, are the following:

3.6. Physical, personnel or procedural means U.K.

This paragraph describes physical, personnel or procedural requirements that contribute to the security of the motion sensor.

3.6.1. Equipment design U.K.

3.6.2. Equipment delivery U.K.

3.6.3. Security data generation and delivery U.K.

3.6.4. Recording equipment installation, calibration, and inspection U.K.

3.6.5. Law enforcement control U.K.

3.6.6. Software upgrades U.K.

4. Security enforcing functions U.K.

4.1. Identification and authentication U.K.

[UIA_101] The motion sensor shall be able to establish, for every interaction, the identity of any entity it is connected to.

[UIA_102] The identity of a connected entity shall consist of:

• an entity group:

  • VU,

  • Management device,

  • Other,

• an entity ID (VU only).

[UIA_103] The entity ID of a connected VU shall consist of the VU approval number and the VU serial number.

[UIA_104] The motion sensor shall be able to authenticate any VU or management device it is connected to:

• at entity connection,

• at power supply recovery.

[UIA_105] The motion sensor shall be able to periodically re-authenticate the VU it is connected to.

[UIA_106] The motion sensor shall detect and prevent use of authentication data that has been copied and replayed.

[UIA_107] After (TBD by manufacturer and not more than 20) consecutive unsuccessful authentication attempts have been detected, the SEF shall:

• generate an audit record of the event,

• warn the entity,

• continue to export motion data in a non secured mode.

4.2. Access control U.K.

Access controls ensure that information is read from, created in, or modified into the TOE only by those authorised to do so.

4.2.1. Access control policy U.K.

[ACC_101] The motion sensor shall control access rights to function and data.

4.2.2. Data access rights U.K.

[ACC_102] The motion sensor shall ensure that motion sensor identification data can be written once only (requirement 078).

[ACC_103] The motion sensor shall accept and/or store user data from authenticated entities only.

[ACC_104] The motion sensor shall enforce appropriate read and write access rights to security data.

4.2.3. File structure and access conditions U.K.

[ACC_105] Application and data files structure and access conditions shall be created during the manufacturing process, and then locked from any future modification or deletion.

4.3. Accountability U.K.

[ACT_101] The motion sensor shall hold in its memory motion sensor identification data (requirement 077).

[ACT_102] The motion sensor shall store in its memory installation data (requirement 099).

[ACT_103] The motion sensor shall have a capability to output accountability data to authenticated entities at their request.

4.4. Audit U.K.

[AUD_101] The motion sensor shall, for events impairing its security, generate audit records of the events.

[AUD_102] The events affecting the security of the motion sensor are the following:

• security breach attempts,

  • authentication failure,

  • stored data integrity error,

  • internal data transfer error,

  • unauthorised case opening,

  • hardware sabotage.

• sensor fault.

[AUD_103] Audit records shall include the following data:

• date and time of the event,

• type of event,

• connected entity identity.

when required data is not available, an appropriate default indication shall be given (TBD by manufacturer).

[AUD_104] The motion sensor shall send the generated audit records to the VU at the moment of their generation, and may also store them in its memory.

[AUD_105] In the case where the motion sensor stores audit records, it shall ensure that 20 audit records will be maintained independent of audit storage exhaustion, and shall have a capability to output stored audit records to authenticated entities at their request.

4.5. Accuracy U.K.

4.5.1. Information flow control policy U.K.

[ACR_101] The motion sensor shall ensure that motion data may only been processed and derived from sensor mechanical input.

4.5.2. Internal data transfers U.K.

The requirements of this paragraph apply only if the motion sensor makes use of physically separated parts.

[ACR_102] If data are transferred between physically separated parts of the motion sensor, the data shall be protected from modification.

[ACR_103] Upon detection of a data transfer error during an internal transfer, transmission shall be repeated and the SEF shall generate an audit record of the event.

4.5.3. Stored data integrity U.K.

[ACR_104] The motion sensor shall check user data stored in its memory for integrity errors.

[ACR_105] Upon detection of a stored user data integrity error, the SEF shall generate an audit record.

4.6. Reliability of service U.K.

4.6.1 Tests U.K.

[RLB_101] All commands, actions, or test points, specific to the testing needs of the manufacturing phase shall be disabled or removed before the end of the manufacturing phase. It shall not be possible to restore them for later use.

[RLB_102] The motion sensor shall run self-tests, during initial start-up, and during normal operation to verify its correct operation. The motion sensor self-tests shall include a verification of the integrity of security data and a verification of the integrity of stored executable code (if not in ROM).

[RLB_103] Upon detection of an internal fault during self-test, the SEF shall generate an audit record (sensor fault).

4.6.2. Software U.K.

[RLB_104] There shall be no way to analyse or debug the motion sensor software in the field.

[RLB_105] Inputs from external sources shall not be accepted as executable code.

4.6.3. Physical protection U.K.

[RLB_106] If the motion sensor is designed so that it can be opened, the motion sensor shall detect any case opening, even without external power supply for a minimum of 6 months. In such a case, the SEF shall generate an audit record of the event (It is acceptable that the audit record is generated and stored after power supply reconnection).

If the motion sensor is designed so that it cannot be opened, it shall be designed such that physical tampering attempts can be easily detected (e.g. through visual inspection).

[RLB_107] The motion sensor shall detect specified (TBD by manufacturer) hardware sabotage.

[RLB_108] In the case described above, the SEF shall generate an audit record and the motion sensor shall: (TBD by manufacturer).

4.6.4. Power supply interruptions U.K.

[RLB_109] The motion sensor shall preserve a secure state during power supply cut-off or variations.

4.6.5. Reset conditions U.K.

[RLB_110] In case of a power supply interruption, or if a transaction is stopped before completion, or on any other reset conditions, the motion sensor shall be reset cleanly.

4.6.6. Data availability U.K.

[RLB_111] The motion sensor shall ensure that access to resources is obtained when required and that resources are not requested nor retained unnecessarily.

4.6.7. Multiple applications U.K.

[RLB_112] If the motion sensor provides applications other than the tachograph application, all applications shall be physically and/or logically separated from each other. These applications shall not share security data. Only one task shall be active at a time.

4.7. Data exchange U.K.

[DEX_101] The motion sensor shall export motion data to the VU with associated security attributes, such that the VU will be able to verify its integrity and authenticity.

4.8. Cryptographic support U.K.

The requirements of this paragraph are applicable only where needed, depending upon security mechanisms used and upon the manufacturer's solutions.

[CSP_101] Any cryptographic operation performed by the motion sensor shall be in accordance with a specified algorithm and a specified key size.

[CSP_102] If the motion sensor generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes.

[CSP_103] If the motion sensor distributes cryptographic keys, it shall be in accordance with specified key distribution methods.

[CSP_104] If the motion sensor accesses cryptographic keys, it shall be in accordance with specified cryptographic keys access methods.

[CSP_105] If the motion sensor destroys cryptographic keys, it shall be in accordance with specified cryptographic keys destruction methods.

5. Definition of security mechanisms U.K.

The security mechanisms, fulfilling the motion sensor security enforcing functions, are defined by the motion sensor manufacturers.

6. Minimum strength of security mechanisms U.K.

The minimum strength of the motion sensor security mechanisms is High, as defined in (ITSEC).

7. Level of assurance U.K.

The target level of assurance for the motion sensor is ITSEC level E3, as defined in (ITSEC).

8. Rationale U.K.

The following matrixes give a rationale for the SEFs by showing:

• which SEFs or means counteract which threats,

• which SEFs fulfil which IT security objectives.

VEHICLE UNIT GENERIC SECURITY TARGET U.K.

1. Introduction U.K.

This document contains a description of the vehicle unit, of the threats it must be able to counteract and of the security objectives it must achieve. It specifies the required security enforcing functions. It states the claimed minimum strength of security mechanisms and the required level of assurance for the development and the evaluation.

Requirements referred to in the document, are those of the body of Annex I B. For clarity of reading, duplication sometimes arises between Annex I B body requirements and security target requirements. In case of ambiguity between a security target requirement and the Annex I B body requirement referred by this security target requirement, the Annex I B body requirement shall prevail.

Annex I B body requirements not referred by security targets are not the subject of security enforcing functions.

Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for the purpose of traceability to development and evaluation documentation.

2. Abbreviations, definitions and references U.K.

2.1. Abbreviations U.K.

2.2. Definitions U.K.

2.3. References U.K.

3. Product rationale U.K.

3.1. Vehicle unit description and method of use U.K.

The VU is intended to be installed in road transport vehicles. Its purpose is to record, store, display, print and output data related to driver activities.

It is connected to a motion sensor with which it exchanges vehicle's motion data.

Users identify themselves to the VU using tachograph cards.

The VU records and stores user activities data in its data memory, it also records user activities data in tachograph cards.

The VU outputs data to display, printer and external devices.

The vehicle unit's operational environment while installed in a vehicle is described in the following figure:

The VU general characteristics, functions and mode of operations are described in Chapter II of Annex I B.

The VU functional requirements are specified in Chapter III of Annex I B.

The typical VU is described in the following figure:

It must be noted that although the printer mechanism is part of the TOE, the paper document once produced is not.

3.2. Vehicle unit life cycle U.K.

The typical life cycle of the VU is described in the following figure:

3.3. Threats U.K.

This paragraph describes the threats the VU may face.

3.3.1. Threats to identification and access control policies U.K.

3.3.2. Design related threats U.K.

3.3.3. Operation oriented threats U.K.

3.4. Security objectives U.K.

The main security objective of the digital tachograph system is the following:

Therefore the security objectives of the VU, contributing to the global security objective, are the following:

3.5. Information technology security objectives U.K.

The specific IT security objectives of the VU contributing to its main security objectives, are the following:

3.6. Physical, personnel or procedural means U.K.

This paragraph describes physical, personnel or procedural requirements that contribute to the security of the VU.

3.6.1. Equipment design U.K.

3.6.2. Equipment delivery and activation U.K.

3.6.3. Security data generation and delivery U.K.

3.6.4. Cards delivery U.K.

3.6.5. Recording equipment installation, calibration, and inspection U.K.

3.6.6. Equipment operation U.K.

3.6.7. Law enforcement control U.K.

3.6.8. Software upgrades U.K.

4. Security enforcing functions U.K.

4.1. Identification and authentication U.K.

4.1.1. Motion sensor identification and authentication U.K.

[UIA_201] The VU shall be able to establish, for every interaction, the identity of the motion sensor it is connected to.

[UIA_202] The identity of the motion sensor shall consist of the sensor approval number and the sensor serial number.

[UIA_203] The VU shall authenticate the motion sensor it is connected to:

• at motion sensor connection,

• at each calibration of the recording equipment,

• at power supply recovery.

Authentication shall be mutual and triggered by the VU.

[UIA_204] The VU shall periodically (period TBD by manufacturer and more frequently than once per hour) re-identify and re-authenticate the motion sensor it is connected to, and ensure that the motion sensor identified during the last calibration of the recording equipment has not been changed.

[UIA_205] The VU shall detect and prevent use of authentication data that has been copied and replayed.

[UIA_206] After (TBD by manufacturer and not more than 20) consecutive unsuccessful authentication attempts have been detected, and/or after detecting that the identity of the motion sensor has changed while not authorised (i.e. while not during a calibration of the recording equipment), the SEF shall:

• generate an audit record of the event,

• warn the user,

• continue to accept and use non secured motion data sent by the motion sensor.

4.1.2. User identification and authentication U.K.

[UIA_207] The VU shall permanently and selectively track the identity of two users, by monitoring the tachograph cards inserted in respectively the driver slot and the co-driver slot of the equipment.

[UIA_208] The user identity shall consist of:

• a user group:

  • DRIVER (driver card),

  • CONTROLLER (control card),

  • WORKSHOP (workshop card),

  • COMPANY (company card),

  • UNKNOWN (no card inserted),

• a user ID, composed of:

  • the card issuing Member State code and of the card number,

  • UNKNOWN if user group is UNKNOWN.

UNKNOWN identities may be implicitly or explicitly known.

[UIA_209] The VU shall authenticate its users at card insertion.

[UIA_210] The VU shall re-authenticate its users:

• at power supply recovery,

• periodically or after occurrence of specific events (TBD by manufacturers and more frequently than once per day).

[UIA_211] Authentication shall be performed by means of proving that the card inserted is a valid tachograph card, possessing security data that only the system could distribute. Authentication shall be mutual and triggered by the VU.

[UIA_212] In addition to the above, workshops shall be required to be successfully authenticated through a PIN check. PINs shall be at least 4 characters long.

Note: In the case the PIN is transferred to the VU from an outside equipment located in the vicinity of the VU, PIN confidentiality need not be protected during the transfer. U.K.

[UIA_213] The VU shall detect and prevent use of authentication data that has been copied and replayed.

[UIA_214] After 5 consecutive unsuccessful authentication attempts have been detected, the SEF shall:

• generate an audit record of the event,

• warn the user,

• assume the user as UNKNOWN, and the card as non valid (definition z) and requirement 007).

4.1.3. Remotely connected company identification and authentication U.K.

Company remote connection capability is optional. This paragraph therefore applies only if this feature is implemented.

[UIA_215] For every interaction with a remotely connected company, the VU shall be able to establish the company's identity.

[UIA_216] The remotely connected company's identity shall consist of its company card issuing Member State code and of its company card number.

[UIA_217] The VU shall successfully authenticate the remotely connected company before allowing any data export to it.

[UIA_218] Authentication shall be performed by means of proving that the company owns a valid company card, possessing security data that only the system could distribute.

[UIA_219] The VU shall detect and prevent use of authentication data that has been copied and replayed.

[UIA_220] After 5 consecutive unsuccessful authentication attempts have been detected, the VU shall:

• warn the remotely connected company.

4.1.4. Management device identification and authentication U.K.

VU manufacturers may foresee dedicated devices for additional VU management functions (e.g. Software upgrading, security data reloading, …). This paragraph therefore applies only if this feature is implemented.

[UIA_221] For every interaction with a management device, the VU shall be able to establish the device identity.

[UIA_222] Before allowing any further interaction, the VU shall successfully authenticate the management device.

[UIA_223] The VU shall detect and prevent use of authentication data that has been copied and replayed.

4.2. Access control U.K.

Access controls ensure that information is read from, created in, or modified into the TOE only by those authorised to do so.

It must be noted that the user data recorded by the VU, although presenting privacy or commercial sensitivity aspects, are not of a confidential nature. Therefore, the functional requirement related to data read access rights (requirement 011) is not the subject of a security enforcing function.

4.2.1. Access control policy U.K.

[ACC_201] The VU shall manage and check access control rights to functions and to data.

4.2.2. Access rights to functions U.K.

[ACC_202] The VU shall enforce the mode of operation selection rules (requirements 006 to 009).

[ACC_203] The VU shall use the mode of operation to enforce the functions access control rules (requirement 010).

4.2.3. Access rights to data U.K.

[ACC_204] The VU shall enforce the VU identification data write access rules (requirement 076)

[ACC_205] The VU shall enforce the paired motion sensor identification data write access rules (requirements 079 and 155)

[ACC_206] After the VU activation, the VU shall ensure that only in calibration mode, may calibration data be input into the VU and stored into its data memory (requirements 154 and 156).

[ACC_207] After the VU activation, the VU shall enforce calibration data write and delete access rules (requirement 097).

[ACC_208] After the VU activation, the VU shall ensure that only in calibration mode, may time adjustment data be input into the VU and stored into its data memory (This requirement does not apply to small time adjustments allowed by requirements 157 and 158).

[ACC_209] After the VU activation, the VU shall enforce time adjustment data write and delete access rules (requirement 100).

[ACC_210] The VU shall enforce appropriate read and write access rights to security data (requirement 080).

4.2.4. File structure and access conditions U.K.

[ACC_211] Application and data files structure and access conditions shall be created during the manufacturing process, and then locked from any future modification or deletion.

4.3. Accountability U.K.

[ACT_201] The VU shall ensure that drivers are accountable for their activities (requirements 081, 084, 087, 105a, 105b, 109 and 109a).

[ACT_202] The VU shall hold permanent identification data (requirement 075).

[ACT_203] The VU shall ensure that workshops are accountable for their activities (requirements 098, 101 and 109).

[ACT_204] The VU shall ensure that controllers are accountable for their activities (requirements 102, 103 and 109).

[ACT_205] The VU shall record odometer data (requirement 090) and detailed speed data (requirement 093).

[ACT_206] The VU shall ensure that user data related to requirements 081 to 093 and 102 to 105b inclusive are not modified once recorded, except when becoming oldest stored data to be replaced by new data.

[ACT_207] The VU shall ensure that it does not modify data already stored in a tachograph card (requirements 109 and 109a) except for replacing oldest data by new data (requirement 110) or in the case described in Appendix 1 Paragraph 2.1 Note.

4.4. Audit U.K.

Audit capabilities are required only for events that may indicate a manipulation or a security breach attempt. It is not required for the normal exercising of rights even if relevant to security.

[AUD_201] The VU shall, for events impairing the security of the VU, record those events with associated data (requirements 094, 096 and 109).

[AUD_202] The events affecting the security of the VU are the following:

• Security breach attempts,

  • motion sensor authentication failure,

  • tachograph card authentication failure,

  • unauthorised change of motion sensor,

  • card data input integrity error,

  • stored user data integrity error,

  • internal data transfer error,

  • unauthorised case opening,

  • hardware sabotage,

• last card session not correctly closed,

• motion data error event,

• power supply interruption event,

• VU internal fault.

[AUD_203] The VU shall enforce audit records storage rules (requirement 094 and 096).

[AUD_204] The VU shall store audit records generated by the motion sensor in its data memory.

[AUD_205] It shall be possible to print, display and download audit records.

4.5. Object re-use U.K.

[REU_201] The VU shall ensure that temporary storage objects can be re-used without this involving inadmissible information flow.

4.6. Accuracy U.K.

4.6.1. Information flow control policy U.K.

[ACR_201] The VU shall ensure that user data related to requirements 081, 084, 087, 090, 093, 102, 104, 105, 105a and 109 may only be processed from the right input sources:

• vehicle motion data,

• VU's real time clock,

• recording equipment calibration parameters,

• tachograph cards,

• user's inputs.

[ACR_201a] The VU shall ensure that user data related to requirement 109a may only be entered for the period last card withdrawal — current insertion (requirement 050a).

4.6.2. Internal data transfers U.K.

The requirements of this paragraph apply only if the VU makes use of physically separated parts.

[ACR_202] If data are transferred between physically separated parts of the VU, the data shall be protected from modification.

[ACR_203] Upon detection of a data transfer error during an internal transfer, transmission shall be repeated and the SEF shall generate an audit record of the event.

4.6.3. Stored data integrity U.K.

[ACR_204] The VU shall check user data stored in the data memory for integrity errors.

[ACR_205] Upon detection of a stored user data integrity error, the SEF shall generate an audit record.

4.7. Reliability of service U.K.

4.7.1. Tests U.K.

[RLB_201] All commands, actions or test points, specific to the testing needs of the manufacturing phase of the VU shall be disabled or removed before the VU activation. It shall not be possible to restore them for later use.

[RLB_202] The VU shall run self tests, during initial start-up, and during normal operation to verify its correct operation. The VU self tests shall include a verification of the integrity of security data and a verification of the integrity of stored executable code (if not in ROM).

[RLB_203] Upon detection of an internal fault during self test, the SEF shall:

• generate an audit record (except in calibration mode) (VU internal fault),

• Preserve the stored data integrity.

4.7.2. Software U.K.

[RLB_204] There shall be no way to analyse or debug software in the field after the VU activation.

[RLB_205] Inputs from external sources shall not be accepted as executable code.

4.7.3. Physical protection U.K.

[RLB_206] If the VU is designed so that it can be opened, the VU shall detect any case opening, except in calibration mode, even without external power supply for a minimum of six months. In such a case, the SEF shall generate an audit record (It is acceptable that the audit record is generated and stored after power supply reconnection).

If the VU is designed so that it cannot be opened, it shall be designed such that physical tampering attempts can be easily detected (e.g. through visual inspection).

[RLB_207] After its activation, the VU shall detect specified (TBD by manufacturer) hardware sabotage.

[RLB_208] In the case described above, the SEF shall generate an audit record and the VU shall: (TBD by manufacturer).

4.7.4. Power supply interruptions U.K.

[RLB_209] The VU shall detect deviations from the specified values of the power supply, including cut-off.

[RLB_210] In the case described above, the SEF shall:

• generate an audit record (except in calibration mode),

• preserve the secure state of the VU,

• maintain the security functions, related to components or processes still operational,

• preserve the stored data integrity.

4.7.5. Reset conditions U.K.

[RLB_211] In case of a power supply interruption, or if a transaction is stopped before completion, or on any other reset conditions, the VU shall be reset cleanly.

4.7.6. Data availability U.K.

[RLB_212] The VU shall ensure that access to resources is obtained when required and that resources are not requested nor retained unnecessarily.

[RLB_213] The VU must ensure that cards cannot be released before relevant data have been stored to them (requirements 015 and 016)

[RLB_214] In the case described above, the SEF shall generate an audit record of the event.

4.7.7. Multiple applications U.K.

[RLB_215] If the VU provides applications other than the tachograph application, all applications shall be physically and/or logically separated from each other. These applications shall not share security data. Only one task shall be active at a time.

4.8. Data exchange U.K.

This paragraph addresses data exchange between the VU and connected devices.

4.8.1. Data exchange with motion sensor U.K.

[DEX_201] The VU shall verify the integrity and authenticity of motion data imported from the motion sensor

[DEX_202] Upon detection of a motion data integrity or authenticity error, the SEF shall:

• generate an audit record,

• continue to use imported data.

4.8.2. Data exchange with tachograph cards U.K.

[DEX_203] The VU shall verify the integrity and authenticity of data imported from tachograph cards.

[DEX_204] Upon detection of card data integrity or authenticity error, the VU shall:

• generate an audit record,

• not use the data.

[DEX_205] The VU shall export data to tachograph smart cards with associated security attributes such that the card will be able to verify its integrity and authenticity.

4.8.3. Data exchange with external storage media (downloading function) U.K.

[DEX_206] The VU shall generate an evidence of origin for data downloaded to external media.

[DEX_207] The VU shall provide a capability to verify the evidence of origin of downloaded data to the recipient.

[DEX_208] The VU shall download data to external storage media with associated security attributes such that downloaded data integrity and authenticity can be verified.

4.9. Cryptographic support U.K.

The requirements of this paragraph are applicable only where needed, depending upon security mechanisms used and upon the manufacturer's solutions.

[CSP_201] Any cryptographic operation performed by the VU shall be in accordance with a specified algorithm and a specified key size.

[CSP_202] If the VU generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes.

[CSP_203] If the VU distributes cryptographic keys, it shall be in accordance with specified key distribution methods.

[CSP_204] If the VU accesses cryptographic keys, it shall be in accordance with specified cryptographic keys access methods.

[CSP_205] If the VU destroys cryptographic keys, it shall be in accordance with specified cryptographic keys destruction methods.

5. Definition of security mechanisms U.K.

Required security mechanisms are specified in Appendix 11.

All other security mechanisms are to be defined by manufacturers.

6. Minimum strength of security mechanisms U.K.

The minimum strength of the Vehicle Unit security mechanisms is High , as defined in (ITSEC).

7. Level of assurance U.K.

The target level of assurance for the Vehicle Unit is ITSEC level E3, as defined in (ITSEC).

8. Rationale U.K.

The following matrixes give a rationale for the SEFs by showing:

• which SEFs or means counteract which threats,

• which SEFs fulfil which IT security objectives.

[X1

]

TACHOGRAPH CARD GENERIC SECURITY TARGET U.K.

1. Introduction U.K.

This document contains a description of the tachograph card, of the threats it must be able to counteract and of the security objectives it must achieve. It specifies the required security enforcing functions. It states the claimed minimum strength of security mechanisms, and the required level of assurance for the development and the evaluation.

Requirements referred to in the document, are those of the body of Annex I B. For clarity of reading, duplication sometimes arises between Annex I B body requirements and security target requirements. In case of ambiguity between a security target requirement and the Annex I B requirement referred by this security target requirement, the Annex I B body requirement shall prevail.

Annex I B body requirements not referred by security targets are not the subject of security enforcing functions.

A tachograph card is a standard smart card carrying a dedicated tachograph application, and shall comply with up-to-date functional and assurance security requirements applicable to smart cards. This security target therefore incorporates only the extra security requirements needed by the tachograph application.

Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for the purpose of traceability to development and evaluation documentation.

2. Abbreviations, definitions and references U.K.

2.1. Abbreviations U.K.

2.2. Definitions U.K.

2.3. References U.K.

3. Product Rationale U.K.

3.1. Tachograph card description and method of use U.K.

A tachograph card is a smart card, as described in (IC PP) and (ES PP), carrying an application intended for its use with the recording equipment.

The basic functions of the tachograph card are:

• to store card identification and card holder identification data. These data are used by the vehicle unit to identify the cardholder, provide accordingly functions and data access rights, and ensure cardholder accountability for his activities,

• to store cardholder activities data, events and faults data and control activities data, related to the cardholder.

A tachograph card is therefore intended to be used by a card interface device of a vehicle unit. It may also be used by any card reader (e.g. of a personal computer) which shall have full read access right on any user data.

During the end-usage phase of a tachograph card life cycle (phase 7 of life-cycle as described in (ES PP)), vehicle units only may write user data to the card.

The functional requirements for a tachograph card are specified in Annex I B body text and Appendix 2.

3.2. Tachograph card life cycle U.K.

The tachograph card life cycle conforms to smart card life cycle described in (ES PP).

3.3. Threats U.K.

In addition to the smart card general threats listed in (ES PP) and (IC PP), the tachograph card may face the following threats:

3.3.1. Final aims U.K.

The final aim of attackers will be to modify user data stored within the TOE.

3.3.2. Attack paths U.K.

TOE's assets may be attacked by:

• trying to gain illicit knowledge of TOE's hardware and software design and especially of its security functions or security data. Illicit knowledge may be gained though attacks to designer or manufacturer material (theft, bribery, …) or through direct examination of the TOE (physical probing, inference analysis, …),

• taking advantage of weaknesses in TOE design or realisation (exploit errors in hardware, errors in software, transmission faults, errors induced in TOE by environmental stress, exploit weaknesses of security functions such as authentication procedures, data access control, cryptographic operations, …),

• modifying the TOE or its security functions through physical, electrical or logical attacks or combination of these.

3.4. Security Objectives U.K.

The main security objective of the entire digital tachograph system is the following:

Therefore the main security objectives of the TOE, contributing to this global security objective are the following:

3.5. Information technology security objectives U.K.

In addition to the smart card general security objectives listed in (ES PP) and (IC PP), the specific IT security objectives of the TOE that contributes to its main security objectives during its end-usage life-cycle phase are the following:

3.6. Physical, personnel or procedural means U.K.

The physical, personnel or procedural requirements that contribute to the security of the TOE are listed in (ES PP) and (IC PP) (chapters security objectives for the environment).

4. Security enforcing functions U.K.

This paragraph refines some of the permitted operations such as assignment or selection of (ES PP) and provides additional SEF functional requirements.

4.1. Compliance to protection profiles U.K.

[CPP_301] The TOE shall comply with (IC PP).

[CPP_302] The TOE shall comply with (ES PP) as refined further.

4.2. User identification and authentication U.K.

The card must identify the entity in which it is inserted and know whether it is an authenticated vehicle unit or not. The card may export any user data whatever the entity it is connected to, except the control [F3and the company card] which may export card holder identification data to authenticated vehicle units only (such that a controller is ensured that the vehicle unit is not a fake one by seeing his name on display or printouts).

4.2.1. User identification U.K.

Assignment (FIA_UID.1.1) List of TSF mediated actions : none.

[X1Assignment (FIA_ATD.1.1) List of security attributes :

4.2.2. User authentication U.K.

Assignment (FIA_UAU.1.1) List of TSF mediated actions :

• Driver and Workshop cards: export user data with security attributes (card data download function),

• Control card: export user data without security attributes except cardholder identification data.

[UIA_301] Authentication of a vehicle unit shall be performed by means of proving that it possesses security data that only the system could distribute.

Selection (FIA_UAU.3.1 and FIA_UAU.3.2): prevent.

Assignment (FIA_UAU.4.1) Identified authentication mechanism(s) : any authentication mechanism.

[UIA_302] The Workshop card shall provide an additional authentication mechanism by checking a PIN code (This mechanism is intended for the vehicle unit to ensure the identity of the card holder, it is not intended to protect workshop card content).

4.2.3. Authentication failures U.K.

[F4Additionally the following assignments describe the card reaction for each single user authentication failure.

Assignment (FIA_AFL.1.1) Number : 1, list of authentication events : authentication of a card interface device.

Assignment (FIA_AFL.1.2) List of actions :

• warn the entity connected,

• assume the user as NON_VEHICLE_UNIT.

Additionally the following assignments] describe the card reaction in the case of failure of the additional authentication mechanism required in UIA_302.

Assignment (FIA_AFL.1.1) Number : 5, list of authentication events : PIN checks (workshop card).

Assignment (FIA_AFL.1.2) List of actions :

• warn the entity connected,

• block the PIN check procedure such that any subsequent PIN check attempt will fail,

• be able to indicate to subsequent users the reason of the blocking.

4.3. Access control U.K.

4.3.1. Access control policy U.K.

During end-usage phase of its life cycle, the tachograph card is the subject of one single access control security function policy (SFP) named AC_SFP.

Assignment (FDP_ACC.2.1) Access control SFP : AC_SFP.

4.3.2. Access control functions U.K.

Assignment (FDP_ACF.1.1) Access control SFP : AC_SFP.

Assignment (FDP_ACF.1.1) Named group of security attributes : USER_GROUP.

Assignment (FDP_ACF.1.2) Rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects :

4.4. Accountability U.K.

[ACT_301] The TOE shall hold permanent identification data.

[ACT_302] There shall be an indication of the time and date of the TOE's personalisation. This indication shall remain unalterable.

4.5. Audit U.K.

The TOE must monitor events that indicate a potential violation of its security.

Assignment (FAU_SAA.1.2) Subset of defined auditable events:

• cardholder authentication failure (5 consecutive unsuccessful PIN checks),

• self test error,

• stored data integrity error,

• activity data input integrity error.

4.6. Accuracy U.K.

4.6.1. Stored data integrity U.K.

Assignment (FDP_SDI.2.2) Actions to be taken : warn the entity connected,

4.6.2. Basic data authentication U.K.

Assignment (FDP_DAU.1.1) List of objects or information types : activity data.

Assignment (FDP_DAU.1.2) List of subjects : any.

4.7. Reliability of service U.K.

4.7.1. Tests U.K.

Selection (FPT_TST.1.1): during initial start-up, periodically during normal operation.

Note: during initial start-up means before code is executed (and not necessarily during Answer To Reset procedure). U.K.

[RLB_301] The TOE's self tests shall include the verification of the integrity of any software code not stored in ROM.

[RLB_302] Upon detection of a self test error the TSF shall warn the entity connected.

[RLB_303] After OS testing is completed, all testing-specific commands and actions shall be disabled or removed. It shall not be possible to override these controls and restore them for use. Command associated exclusively with one life cycle state shall never be accessed during another state.

4.7.2. Software U.K.

[RLB_304] There shall be no way to analyse, debug or modify TOE's software in the field.

[RLB_305] Inputs from external sources shall not be accepted as executable code.

4.7.3. Power supply U.K.

[RLB_306] The TOE shall preserve a secure state during power supply cut-off or variations.

4.7.4. Reset conditions U.K.

[RLB_307] If power is cut (or if power variations occur) from the TOE, or if a transaction is stopped before completion, or on any other reset conditions, the TOE shall be reset cleanly.

4.8. Data exchange U.K.

4.8.1. Data exchange with a vehicle unit U.K.

[DEX_301] The TOE shall verify the integrity and authenticity of data imported from a vehicle unit.

[DEX_302] Upon detection of an imported data integrity error, the TOE shall:

• warn the entity sending the data,

• not use the data.

[DEX_303] The TOE shall export user data to the vehicle unit with associated security attributes, such that the vehicle unit will be able to verify the integrity and authenticity of data received.

4.8.2. Export of data to a non-vehicle unit (download function) U.K.

[DEX_304] The TOE shall be able to generate an evidence of origin for data downloaded to external media.

[DEX_305] The TOE shall be able to provide a capability to verify the evidence of origin of downloaded data to the recipient.

[DEX_306] The TOE shall be able to download data to external storage media with associated security attributes such that downloaded data integrity can be verified.

4.9. Cryptographic support U.K.

[CSP_301] If the TSF generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes. Generated cryptographic session keys shall have a limited (TBD by manufacturer and not more than 240) number of possible use.

[CSP_302] If the TSF distributes cryptographic keys, it shall be in accordance with specified cryptographic key distribution methods.

5. Definition of security mechanisms U.K.

Required security mechanisms are specified in Appendix 11.

All other security mechanisms are to be defined by the TOE manufacturer.

6. Claimed minimum strength of mechanisms U.K.

The minimum strength of mechanisms for the Tachograph Card is High as defined in (ITSEC).

7. Level of Assurance U.K.

The target level of assurance for the Tachograph Card is ITSEC level E3 , as defined in (ITSEC).

8. Rationale U.K.

The following matrixes give a rationale for the additional SEFs by showing:

• which SEFs counteract which threats,

• which SEFs fulfil which IT security objectives.