[F1 [F2ANNEX I B U.K. REQUIREMENTS FOR CONSTRUCTION, TESTING, INSTALLATION AND INSPECTION
Textual Amendments
Appendix 10 GENERIC SECURITY TARGETS
VEHICLE UNIT GENERIC SECURITY TARGET U.K.
1. Introduction U.K.
This document contains a description of the vehicle unit, of the threats it must be able to counteract and of the security objectives it must achieve. It specifies the required security enforcing functions. It states the claimed minimum strength of security mechanisms and the required level of assurance for the development and the evaluation.
Requirements referred to in the document, are those of the body of Annex I B. For clarity of reading, duplication sometimes arises between Annex I B body requirements and security target requirements. In case of ambiguity between a security target requirement and the Annex I B body requirement referred by this security target requirement, the Annex I B body requirement shall prevail.
Annex I B body requirements not referred by security targets are not the subject of security enforcing functions.
Unique labels have been assigned to threats, objectives, procedural means and SEF specifications for the purpose of traceability to development and evaluation documentation.
2. Abbreviations, definitions and references U.K.
2.1. Abbreviations U.K.
Personal identification number
Read only memory
Security enforcing function
To be defined
Target of evaluation
Vehicle Unit.
2.2. Definitions U.K.
Recording equipment
The data exchanged with the motion sensor, representative of speed and distance travelled
Physical components of the VU that are distributed in the vehicle as opposed to physical components gathered into the VU casing
The specific data needed to support security enforcing functions (e.g. crypto keys)
Equipment, people or organisations, involved in any way with the recording equipment
Users are to be understood as human user of the equipment. Normal users of the VU comprise drivers, controllers, workshops and companies
Any data, other than security data, recorded or stored by the VU, required by Chapter III.12.
2.3. References U.K.
ITSEC Information Technology Security Evaluation Criteria 1991.
3. Product rationale U.K.
3.1. Vehicle unit description and method of use U.K.
The VU is intended to be installed in road transport vehicles. Its purpose is to record, store, display, print and output data related to driver activities.
It is connected to a motion sensor with which it exchanges vehicle's motion data.
Users identify themselves to the VU using tachograph cards.
The VU records and stores user activities data in its data memory, it also records user activities data in tachograph cards.
The VU outputs data to display, printer and external devices.
The vehicle unit's operational environment while installed in a vehicle is described in the following figure:
The VU general characteristics, functions and mode of operations are described in Chapter II of Annex I B.
The VU functional requirements are specified in Chapter III of Annex I B.
The typical VU is described in the following figure:
It must be noted that although the printer mechanism is part of the TOE, the paper document once produced is not.
3.2. Vehicle unit life cycle U.K.
The typical life cycle of the VU is described in the following figure:
3.3. Threats U.K.
This paragraph describes the threats the VU may face.
3.3.1. Threats to identification and access control policies U.K.
Users could try to access functions not allowed to them (e.g. drivers gaining access to calibration function)
Users could try to use several identifications or no identification.
3.3.2. Design related threats U.K.
Faults in hardware, software, communication procedures could place the VU in unforeseen conditions compromising its security
The use of non invalidated test modes or of existing back doors could compromise the VU security
Users could try to gain illicit knowledge of design either from manufacturer's material (through theft, bribery, …) or from reverse engineering
3.3.3. Operation oriented threats U.K.
Users could try to use mis-calibrated equipment (through calibration data modification, or through organisational weaknesses)
Users could try to modify data while exchanged between VU and tachograph cards (addition, modification, deletion, replay of signal)
Users could try to modify internal clock
Users could compromise the VU security through environmental attacks (thermal, electromagnetic, optical, chemical, mechanical, …)
Users could try to connect fake devices (motion sensor, smart cards) to the VU
Users could try to modify VU hardware
Users could try to modify the vehicle's motion data (addition, modification, deletion, replay of signal)
Users could use non activated equipment
Users could try to modify data output (print, display or download)
Users could try to defeat the VU security objectives by modifying (cutting, reducing, increasing) its power supply
Users could try to gain illicit knowledge of security data during security data generation or transport or storage in the equipment
Users could try to modify VU software
Users could try to modify stored data (security or user data).
3.4. Security objectives U.K.
The main security objective of the digital tachograph system is the following:
The data to be checked by control authorities must be available and reflect fully and accurately the activities of controlled drivers and vehicles in terms of driving, work, availability and rest periods and in terms of vehicle speed
Therefore the security objectives of the VU, contributing to the global security objective, are the following:
The data to be measured and recorded and then to be checked by control authorities must be available and reflect accurately the activities of controlled drivers and vehicles in terms of driving, work, availability and rest periods and in terms of vehicle speed
The VU must be able to export data to external storage media in such a way as to allow for verification of their integrity and authenticity.
3.5. Information technology security objectives U.K.
The specific IT security objectives of the VU contributing to its main security objectives, are the following:
The VU must control user access to functions and data
The VU must collect accurate accountability data
The VU must audit attempts to undermine system security and should trace them to associated users
The VU should authenticate users and connected entities (when a trusted path needs to be established between entities)
The VU must maintain stored data integrity
The VU must ensure that data output reflects accurately data measured or stored
The VU must ensure that processing of inputs to derive user data is accurate
The VU must provide a reliable service
The VU must secure data exchanges with the motion sensor and with tachograph cards.
3.6. Physical, personnel or procedural means U.K.
This paragraph describes physical, personnel or procedural requirements that contribute to the security of the VU.
3.6.1. Equipment design U.K.
VU developers must ensure that the assignment of responsibilities during development is done in a manner which maintains IT security
VU manufacturers must ensure that the assignment of responsibilities during manufacturing is done in a manner which maintains IT security, and that during the manufacturing process the VU is protected from physical attacks which might compromise IT security.
3.6.2. Equipment delivery and activation U.K.
VU manufacturers, vehicle manufacturers and fitters or workshops must ensure that handling of non activated VUs is done in a manner which maintains VU security
Vehicle manufacturers and fitters or workshops must activate the VU after its installation before the vehicle leaves the premises where installation took place.
3.6.3. Security data generation and delivery U.K.
Security data generation algorithms must be accessible to authorised and trusted persons only
Security data must be generated, transported, and inserted into the VU, in such a way to preserve its appropriate confidentiality and integrity.
3.6.4. Cards delivery U.K.
Tachograph cards must be available and delivered to authorised persons only
Drivers must possess, at one time, one valid driver card only
Card delivery must be traceable (white lists, black lists), and black lists must be used during security audits.
3.6.5. Recording equipment installation, calibration, and inspection U.K.
Installation, calibration and repair of recording equipment must be carried by trusted and approved fitters or workshops
Recording equipment must be periodically inspected and calibrated
Approved fitters and workshops must enter proper vehicle parameters in recording equipment during calibration.
3.6.6. Equipment operation U.K.
Drivers must play by the rules and act responsibly (e.g. use their driver cards, properly select their activity for those that are manually selected, …).
3.6.7. Law enforcement control U.K.
Law enforcement controls must be performed regularly and randomly, and must include security audits.
3.6.8. Software upgrades U.K.
Software revisions must be granted security certification before they can be implemented in a VU.
4. Security enforcing functions U.K.
4.1. Identification and authentication U.K.
4.1.1. Motion sensor identification and authentication U.K.
[UIA_201] The VU shall be able to establish, for every interaction, the identity of the motion sensor it is connected to.
[UIA_202] The identity of the motion sensor shall consist of the sensor approval number and the sensor serial number.
[UIA_203] The VU shall authenticate the motion sensor it is connected to:
at motion sensor connection,
at each calibration of the recording equipment,
at power supply recovery.
Authentication shall be mutual and triggered by the VU.
[UIA_204] The VU shall periodically (period TBD by manufacturer and more frequently than once per hour) re-identify and re-authenticate the motion sensor it is connected to, and ensure that the motion sensor identified during the last calibration of the recording equipment has not been changed.
[UIA_205] The VU shall detect and prevent use of authentication data that has been copied and replayed.
[UIA_206] After (TBD by manufacturer and not more than 20) consecutive unsuccessful authentication attempts have been detected, and/or after detecting that the identity of the motion sensor has changed while not authorised (i.e. while not during a calibration of the recording equipment), the SEF shall:
generate an audit record of the event,
warn the user,
continue to accept and use non secured motion data sent by the motion sensor.
4.1.2. User identification and authentication U.K.
[UIA_207] The VU shall permanently and selectively track the identity of two users, by monitoring the tachograph cards inserted in respectively the driver slot and the co-driver slot of the equipment.
[UIA_208] The user identity shall consist of:
a user group:
DRIVER (driver card),
CONTROLLER (control card),
WORKSHOP (workshop card),
COMPANY (company card),
UNKNOWN (no card inserted),
a user ID, composed of:
the card issuing Member State code and of the card number,
UNKNOWN if user group is UNKNOWN.
UNKNOWN identities may be implicitly or explicitly known.
[UIA_209] The VU shall authenticate its users at card insertion.
[UIA_210] The VU shall re-authenticate its users:
at power supply recovery,
periodically or after occurrence of specific events (TBD by manufacturers and more frequently than once per day).
[UIA_211] Authentication shall be performed by means of proving that the card inserted is a valid tachograph card, possessing security data that only the system could distribute. Authentication shall be mutual and triggered by the VU.
[UIA_212] In addition to the above, workshops shall be required to be successfully authenticated through a PIN check. PINs shall be at least 4 characters long.
Note: In the case the PIN is transferred to the VU from an outside equipment located in the vicinity of the VU, PIN confidentiality need not be protected during the transfer. U.K.
[UIA_213] The VU shall detect and prevent use of authentication data that has been copied and replayed.
[UIA_214] After 5 consecutive unsuccessful authentication attempts have been detected, the SEF shall:
generate an audit record of the event,
warn the user,
assume the user as UNKNOWN, and the card as non valid (definition z) and requirement 007).
4.1.3. Remotely connected company identification and authentication U.K.
Company remote connection capability is optional. This paragraph therefore applies only if this feature is implemented.
[UIA_215] For every interaction with a remotely connected company, the VU shall be able to establish the company's identity.
[UIA_216] The remotely connected company's identity shall consist of its company card issuing Member State code and of its company card number.
[UIA_217] The VU shall successfully authenticate the remotely connected company before allowing any data export to it.
[UIA_218] Authentication shall be performed by means of proving that the company owns a valid company card, possessing security data that only the system could distribute.
[UIA_219] The VU shall detect and prevent use of authentication data that has been copied and replayed.
[UIA_220] After 5 consecutive unsuccessful authentication attempts have been detected, the VU shall:
warn the remotely connected company.
4.1.4. Management device identification and authentication U.K.
VU manufacturers may foresee dedicated devices for additional VU management functions (e.g. Software upgrading, security data reloading, …). This paragraph therefore applies only if this feature is implemented.
[UIA_221] For every interaction with a management device, the VU shall be able to establish the device identity.
[UIA_222] Before allowing any further interaction, the VU shall successfully authenticate the management device.
[UIA_223] The VU shall detect and prevent use of authentication data that has been copied and replayed.
4.2. Access control U.K.
Access controls ensure that information is read from, created in, or modified into the TOE only by those authorised to do so.
It must be noted that the user data recorded by the VU, although presenting privacy or commercial sensitivity aspects, are not of a confidential nature. Therefore, the functional requirement related to data read access rights (requirement 011) is not the subject of a security enforcing function.
4.2.1. Access control policy U.K.
[ACC_201] The VU shall manage and check access control rights to functions and to data.
4.2.2. Access rights to functions U.K.
[ACC_202] The VU shall enforce the mode of operation selection rules (requirements 006 to 009).
[ACC_203] The VU shall use the mode of operation to enforce the functions access control rules (requirement 010).
4.2.3. Access rights to data U.K.
[ACC_204] The VU shall enforce the VU identification data write access rules (requirement 076)
[ACC_205] The VU shall enforce the paired motion sensor identification data write access rules (requirements 079 and 155)
[ACC_206] After the VU activation, the VU shall ensure that only in calibration mode, may calibration data be input into the VU and stored into its data memory (requirements 154 and 156).
[ACC_207] After the VU activation, the VU shall enforce calibration data write and delete access rules (requirement 097).
[ACC_208] After the VU activation, the VU shall ensure that only in calibration mode, may time adjustment data be input into the VU and stored into its data memory (This requirement does not apply to small time adjustments allowed by requirements 157 and 158).
[ACC_209] After the VU activation, the VU shall enforce time adjustment data write and delete access rules (requirement 100).
[ACC_210] The VU shall enforce appropriate read and write access rights to security data (requirement 080).
4.2.4. File structure and access conditions U.K.
[ACC_211] Application and data files structure and access conditions shall be created during the manufacturing process, and then locked from any future modification or deletion.
4.3. Accountability U.K.
[ACT_201] The VU shall ensure that drivers are accountable for their activities (requirements 081, 084, 087, 105a, 105b, 109 and 109a).
[ACT_202] The VU shall hold permanent identification data (requirement 075).
[ACT_203] The VU shall ensure that workshops are accountable for their activities (requirements 098, 101 and 109).
[ACT_204] The VU shall ensure that controllers are accountable for their activities (requirements 102, 103 and 109).
[ACT_205] The VU shall record odometer data (requirement 090) and detailed speed data (requirement 093).
[ACT_206] The VU shall ensure that user data related to requirements 081 to 093 and 102 to 105b inclusive are not modified once recorded, except when becoming oldest stored data to be replaced by new data.
[ACT_207] The VU shall ensure that it does not modify data already stored in a tachograph card (requirements 109 and 109a) except for replacing oldest data by new data (requirement 110) or in the case described in Appendix 1 Paragraph 2.1 Note.
4.4. Audit U.K.
Audit capabilities are required only for events that may indicate a manipulation or a security breach attempt. It is not required for the normal exercising of rights even if relevant to security.
[AUD_201] The VU shall, for events impairing the security of the VU, record those events with associated data (requirements 094, 096 and 109).
[AUD_202] The events affecting the security of the VU are the following:
Security breach attempts,
motion sensor authentication failure,
tachograph card authentication failure,
unauthorised change of motion sensor,
card data input integrity error,
stored user data integrity error,
internal data transfer error,
unauthorised case opening,
hardware sabotage,
last card session not correctly closed,
motion data error event,
power supply interruption event,
VU internal fault.
[AUD_203] The VU shall enforce audit records storage rules (requirement 094 and 096).
[AUD_204] The VU shall store audit records generated by the motion sensor in its data memory.
[AUD_205] It shall be possible to print, display and download audit records.
4.5. Object re-use U.K.
[REU_201] The VU shall ensure that temporary storage objects can be re-used without this involving inadmissible information flow.
4.6. Accuracy U.K.
4.6.1. Information flow control policy U.K.
[ACR_201] The VU shall ensure that user data related to requirements 081, 084, 087, 090, 093, 102, 104, 105, 105a and 109 may only be processed from the right input sources:
vehicle motion data,
VU's real time clock,
recording equipment calibration parameters,
tachograph cards,
user's inputs.
[ACR_201a] The VU shall ensure that user data related to requirement 109a may only be entered for the period last card withdrawal — current insertion (requirement 050a).
4.6.2. Internal data transfers U.K.
The requirements of this paragraph apply only if the VU makes use of physically separated parts.
[ACR_202] If data are transferred between physically separated parts of the VU, the data shall be protected from modification.
[ACR_203] Upon detection of a data transfer error during an internal transfer, transmission shall be repeated and the SEF shall generate an audit record of the event.
4.6.3. Stored data integrity U.K.
[ACR_204] The VU shall check user data stored in the data memory for integrity errors.
[ACR_205] Upon detection of a stored user data integrity error, the SEF shall generate an audit record.
4.7. Reliability of service U.K.
4.7.1. Tests U.K.
[RLB_201] All commands, actions or test points, specific to the testing needs of the manufacturing phase of the VU shall be disabled or removed before the VU activation. It shall not be possible to restore them for later use.
[RLB_202] The VU shall run self tests, during initial start-up, and during normal operation to verify its correct operation. The VU self tests shall include a verification of the integrity of security data and a verification of the integrity of stored executable code (if not in ROM).
[RLB_203] Upon detection of an internal fault during self test, the SEF shall:
generate an audit record (except in calibration mode) (VU internal fault),
Preserve the stored data integrity.
4.7.2. Software U.K.
[RLB_204] There shall be no way to analyse or debug software in the field after the VU activation.
[RLB_205] Inputs from external sources shall not be accepted as executable code.
4.7.3. Physical protection U.K.
[RLB_206] If the VU is designed so that it can be opened, the VU shall detect any case opening, except in calibration mode, even without external power supply for a minimum of six months. In such a case, the SEF shall generate an audit record (It is acceptable that the audit record is generated and stored after power supply reconnection).
If the VU is designed so that it cannot be opened, it shall be designed such that physical tampering attempts can be easily detected (e.g. through visual inspection).
[RLB_207] After its activation, the VU shall detect specified (TBD by manufacturer) hardware sabotage.
[RLB_208] In the case described above, the SEF shall generate an audit record and the VU shall: (TBD by manufacturer).
4.7.4. Power supply interruptions U.K.
[RLB_209] The VU shall detect deviations from the specified values of the power supply, including cut-off.
[RLB_210] In the case described above, the SEF shall:
generate an audit record (except in calibration mode),
preserve the secure state of the VU,
maintain the security functions, related to components or processes still operational,
preserve the stored data integrity.
4.7.5. Reset conditions U.K.
[RLB_211] In case of a power supply interruption, or if a transaction is stopped before completion, or on any other reset conditions, the VU shall be reset cleanly.
4.7.6. Data availability U.K.
[RLB_212] The VU shall ensure that access to resources is obtained when required and that resources are not requested nor retained unnecessarily.
[RLB_213] The VU must ensure that cards cannot be released before relevant data have been stored to them (requirements 015 and 016)
[RLB_214] In the case described above, the SEF shall generate an audit record of the event.
4.7.7. Multiple applications U.K.
[RLB_215] If the VU provides applications other than the tachograph application, all applications shall be physically and/or logically separated from each other. These applications shall not share security data. Only one task shall be active at a time.
4.8. Data exchange U.K.
This paragraph addresses data exchange between the VU and connected devices.
4.8.1. Data exchange with motion sensor U.K.
[DEX_201] The VU shall verify the integrity and authenticity of motion data imported from the motion sensor
[DEX_202] Upon detection of a motion data integrity or authenticity error, the SEF shall:
generate an audit record,
continue to use imported data.
4.8.2. Data exchange with tachograph cards U.K.
[DEX_203] The VU shall verify the integrity and authenticity of data imported from tachograph cards.
[DEX_204] Upon detection of card data integrity or authenticity error, the VU shall:
generate an audit record,
not use the data.
[DEX_205] The VU shall export data to tachograph smart cards with associated security attributes such that the card will be able to verify its integrity and authenticity.
4.8.3. Data exchange with external storage media (downloading function) U.K.
[DEX_206] The VU shall generate an evidence of origin for data downloaded to external media.
[DEX_207] The VU shall provide a capability to verify the evidence of origin of downloaded data to the recipient.
[DEX_208] The VU shall download data to external storage media with associated security attributes such that downloaded data integrity and authenticity can be verified.
4.9. Cryptographic support U.K.
The requirements of this paragraph are applicable only where needed, depending upon security mechanisms used and upon the manufacturer's solutions.
[CSP_201] Any cryptographic operation performed by the VU shall be in accordance with a specified algorithm and a specified key size.
[CSP_202] If the VU generates cryptographic keys, it shall be in accordance with specified cryptographic key generation algorithms and specified cryptographic key sizes.
[CSP_203] If the VU distributes cryptographic keys, it shall be in accordance with specified key distribution methods.
[CSP_204] If the VU accesses cryptographic keys, it shall be in accordance with specified cryptographic keys access methods.
[CSP_205] If the VU destroys cryptographic keys, it shall be in accordance with specified cryptographic keys destruction methods.
5. Definition of security mechanisms U.K.
Required security mechanisms are specified in Appendix 11.
All other security mechanisms are to be defined by manufacturers.
6. Minimum strength of security mechanisms U.K.
The minimum strength of the Vehicle Unit security mechanisms is High , as defined in (ITSEC).
7. Level of assurance U.K.
The target level of assurance for the Vehicle Unit is ITSEC level E3, as defined in (ITSEC).
8. Rationale U.K.
The following matrixes give a rationale for the SEFs by showing:
which SEFs or means counteract which threats,
which SEFs fulfil which IT security objectives.
[X1 
Editorial Information
