
Smartcard Evaluation

Smartcard Evaluation. TM8104 – IT Security Evaluation. 2008-11-13. Linda Ariani Gunawan. Document. CCDB-2006-04-001 Version 1.3 Revision 1, March 2006 Type: guidance document Intended for evaluation sponsor and smartcard developers


Presentation Transcript


  1. Smartcard Evaluation TM8104 – IT Security Evaluation 2008-11-13 Linda Ariani Gunawan

  2. Document • CCDB-2006-04-001 • Version 1.3 Revision 1, March 2006 • Type: guidance document • Intended for evaluation sponsor and smartcard developers • Field of special use: smartcards and similar devices

  3. Smartcard Overview

  4. Smartcard • Plastic card embedded with a computer chip that stores and transacts data between users • Usage: • Telecommunication: SIM card, pay phone • Banking: debit/credit cards • Transportation: pay toll, bus/tram/train card • E-passport, ID card, health card, access card and many more

  5. Smartcard Types • Contact cards • Contactless cards • Dual interface cards

  6. Smartcards Related Standards • ISO 7816 “Identification cards – Integrated circuit cards with contacts” • EMV – Europay, MasterCard, Visa • ETSI – GSM • FIPS 140 (1-3) and 201 • OCF – Open Card Framework • PC/SC – Interoperability Specification for ICCs and Personal Computer Systems

  7. The Guidance Document

  8. Definition – IC • Integrated Circuit (IC)

  9. Definition – Software • IC Dedicated Software: IC firmware; proprietary, embedded; developed by IC Developer; 2 parts: IC Dedicated Test Software (only used to test IC) and IC Dedicated Support Software (provides functions after IC manufacturing & testing process) • Smartcard Embedded Software (ES): embedded; NOT developed by IC Designer but by embedded software developer; 2 types: Basic Software (BS), in charge of generic functions of smartcard IC (OS, general routines, interpreters), and Application Software (AS), dedicated to applications

  10. Definitions – Data • Identification data: defined by IC manufacturer; injected into non-volatile memory during manufacturing process; usage: traceability • IC Pre-personalization data: supplied by software developer; injected into non-volatile memory during manufacturing process; customer data

  11. Definitions – Personalization • IC Pre-personalization: process at IC manufacturer site; load customer data onto IC; then IC is irreversibly set into “issuer mode” • Smartcard Personalization: process at card issuer; smartcard is configured, security parameters loaded, secret key set; then smartcard is irreversibly set into “user mode”

  12. Definitions – Product • IC platform: smartcard component; not an end-user product; may undergo evaluation; e.g. without AS • Smartcard product: fully operational smartcard; both IC+ES including AS

  13. Smartcard Architectures • Closed architecture • Open architecture

  14. Smartcard Product Life-Cycle • Phase 1: Smartcard embedded software development (Smartcard Embedded Software Developer) • Phase 2: IC development (IC Designer) • Diagram labels: smartcard embedded software; IC dedicated software; specification of IC pre-personalization requirements; support; IC design; smartcard IC database for IC photomask fabrication

  15. Smartcard Product Life-Cycle • Phase 3: IC manufacturing and testing (IC Manufacturer): IC manufacturing, IC testing, IC pre-personalization • Phase 4: IC packaging and testing (IC Packaging Manufacturer) • Phase 5: Smartcard product finishing process (Smartcard Product Manufacturer) • Diagram labels: IC product; IC packaging and testing; smartcard product finishing and testing

  16. Smartcard Product Life-Cycle • Phase 6: Smartcard personalization (Personalizer) • Phase 7: Smartcard end-usage (Smartcard Issuer, Smartcard End-User) • Diagram labels: smartcard personalization and final test; smartcard product delivery

  17. Roles in Evaluation Process • Sponsor: requesting evaluation and financing it; may be developer of TOE, card issuer or independent • Evaluator: laboratory performs the evaluation • Certification Body: issues certificate • Other roles shown: Developer, IC Manufacturer, ES/AS Developer, Card Issuer, Card Manufacturer

  18. Evaluation Preparation Steps

  19. Roles Contributions • IC Manufacturer • Evaluation scope: include IC • Provides ST for IC to sponsor • Provides evaluation deliverable to evaluation lab • ES/AS Developer • Evaluation scope: include ES/AS • (Assist) write ST • Provides evaluation deliverable to evaluation lab • Provides IC pre-personalization data

  20. Roles Contributions • Card Issuer • Approve ST • Define Smartcard personalization data • Write smartcard product guidance documentation • Sponsor • Write and/or approve ST • Ensure every required evaluation deliverable available for evaluator

  21. Roles Contributions • Evaluator • Analyses evidence • Evaluation process: • Conformance and penetration testing on TOE • Site visit to development premises • Site visit to production premises (evaluation incl. IC) • Write evaluation reports

  22. Roles Contributions • Certification body • Approve evaluation scope in ST before evaluation process starts • Give advice • Monitor evaluation work • Issue certificate and certification report

  23. Common Targeted EAL • EAL1+ • EAL1 augmented with AVA_VLA.2 • EAL4+ • EAL4 augmented with ADV_IMP.2, ALC_DVS.2 and AVA_VLA.4 • Role contributions are specified in detail for both EALs • According to CC v2

  24. Theoretical Planning for EAL4+ Evaluation • Assumption: • Evaluation phase only • IC is certified • Infinite # of evaluators with good knowledge • No delay • No iteration, developers are well trained • 6 months is achievable

  25. Theoretical Planning for EAL4+ Evaluation

  26. Smartcard Sub-processes for EAL4+ • software development for smartcard only, not application development • 4 sub processes: • Development environment • Security Target • Guidance documentation • Development/Test • Reusability through training and document template

  27. Testing Methodology • Used by security evaluation laboratory • Define attack and strategies list
