Public Security Target
Common Criteria EAL6 augmented / EAL6+

M7892 Design Steps D11 and G12

Author: Oleg Rudakov

Revision 1.7 as of 2016-11-16
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Target Introduction (ASE_INT)

1 Security Target Introduction (ASE_INT) ................................................................. 4
  1.1 Security Target and Target of Evaluation Reference ................................... 4
  1.2 Target of Evaluation overview ................................................................. 13

2 Target of Evaluation Description .................................................................. 18
  2.1 TOE Definition .......................................................................................... 18
  2.2 Scope of the TOE ........................................................................................ 24
  2.2.1 Hardware of the TOE ........................................................................... 24
  2.2.2 Firmware and software of the TOE ...................................................... 25
  2.2.3 Interfaces of the TOE ......................................................................... 27
  2.2.4 Guidance documentation ..................................................................... 28
  2.2.5 Forms of delivery ................................................................................ 29
  2.2.6 Production sites ................................................................................... 29

3 Conformance Claims (ASE_CCL) .................................................................. 30
  3.1 CC Conformance Claim ............................................................................. 30
  3.2 PP Claim .................................................................................................... 30
  3.3 Package Claim ........................................................................................... 30
  3.4 Conformance Rationale ............................................................................ 31
  3.4.1 Security Problem Definition ................................................................. 31
  3.4.2 Conformance Rationale ....................................................................... 31
  3.4.3 Adding Objective ................................................................................ 31
  3.4.4 AES and TDES ..................................................................................... 32
  3.4.5 Loader .................................................................................................. 32
  3.4.6 SHA ..................................................................................................... 32
  3.4.7 Summary .............................................................................................. 32
  3.5 Application Notes ...................................................................................... 33

4 Security Problem Definition (ASE_SPD) ......................................................... 34
  4.1 Threats ........................................................................................................ 34
  4.1.1 Additional Threat due to TOE specific Functionality ............................ 34
  4.1.2 Assets regarding the Threats ................................................................. 35
  4.2 Organizational Security Policies ................................................................. 35
  4.2.1 Augmented Organizational Security Policy ....................................... 36
  4.3 Assumptions ............................................................................................... 37
  4.3.1 Augmented Assumptions ................................................................... 38

5 Security Objectives (ASE_OBJ) .................................................................... 39
  5.1 Security objectives for the TOE ................................................................. 39
  5.2 Security Objectives for the development and operational Environment .... 40
  5.2.1 Clarification of “Protection during Composite product manufacturing (OE.Process-Sec-IC)” ... 41
  5.2.2 Clarification of “Treatment of User Data (OE.Resp-Appl)” ……………… 41
  5.3 Security Objectives Rationale ................................................................... 42

6 Extended Component Definition (ASE_ECD) ............................................... 44
  6.1 Component “Subset TOE security testing (FPT_TST.2)” ............................ 44
  6.2 Definition of FPT_TST.2 .......................................................................... 44
  6.3 TSF self-test (FPT_TST) ........................................................................... 44

7 Security Requirements (ASE_REQ) ................................................................. 46
  7.1 TOE Security Functional Requirements .................................................... 46
  7.1.1 Extended Components FCS_RNG.1 and FAU_SAS.1 ............................. 47
  7.1.2 Subset of TOE testing .......................................................................... 49
  7.1.3 Memory access control ....................................................................... 49
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

7.1.4 Support of Cipher Schemes ..................................................................................52
7.1.5 Data Integrity ...........................................................................................................65
7.1.6 Support of the Flash Loader ....................................................................................65
7.2 TOE Security Assurance Requirements .................................................................66
7.2.1 Refinements ............................................................................................................67
7.2.2 ADV_SPM Formal Security Policy Model ..............................................................69
7.3 Security Requirements Rationale ...........................................................................70
7.3.1 Rationale for the Security Functional Requirements ...........................................70
7.3.2 Rationale of the Assurance Requirements ............................................................76

8 TOE Summary Specification (ASE_TSS) ..................................................................77
8.1 SF_DPM: Device Phase Management ......................................................................77
8.2 SF_PS: Protection against Snooping ..........................................................................78
8.3 SF_PMA: Protection against Modifying Attacks .......................................................80
8.4 SF_PLA: Protection against Logical Attacks ...........................................................81
8.5 SF_CS: Cryptographic Support ..................................................................................82
8.5.1 Triple DES ..............................................................................................................82
8.5.2 AES ..........................................................................................................................84
8.5.3 RSA ..........................................................................................................................84
8.5.4 Elliptic Curves EC ....................................................................................................87
8.5.5 SHA-2 .......................................................................................................................88
8.5.6 SCL ............................................................................................................................89
8.5.7 Toolbox Library ......................................................................................................89
8.5.8 Base Library ...........................................................................................................89
8.5.9 PTRNG respectively TRNG .....................................................................................89
8.6 Assignment of Security Functional Requirements to TOE’s Security Functionality ..........................................................90
8.7 Security Requirements are internally consistent .......................................................91

9 Literature .......................................................................................................................92

10 Appendix ......................................................................................................................94

11 List of Abbreviations .....................................................................................................96

12 Glossary ..........................................................................................................................99
1 Security Target Introduction (ASE_INT)

1.1 Security Target and Target of Evaluation Reference

The title of this document is Public Security Target Common Criteria EAL6 augmented / EAL6+ M7892 Design Steps D11 and G12.

This document comprises the Infineon Technologies AG Security Controller (Integrated Circuit IC). M7892 Design Steps D11 and G12, with specific IC dedicated firmware and optional software:

- RSA v2.03.008
- EC v2.03.008
- SHA-2 v1.01
- Toolbox v2.03.008
- Symmetric Crypto Library v2.02.010

In addition, the TOE is available with alternative firmware packages as versioned in Table 1 – Identification.

The target of evaluation (TOE) M7892 Design Steps D11 and G12 is described in the following.

This confidential Security Target has the Revision 1.7 and is dated 2016-11-16.

The Target of Evaluation (TOE) is the Infineon Security Controller, M7892 Design Steps D11 and G12, with optional RSA2048/4096 v2.03.008, EC v2.03.008, SHA-2 v1.01 and Toolbox v2.03.008 libraries, symmetric crypto library v2.02.010 and with specific IC dedicated software (firmware).

The design steps of this TOE are D11 and G12.


The Protection Profile and the Security Target are built in compliance with Common Criteria v3.1.

The Security Target takes into account all relevant current final interpretations.

This TOE concept is based on the architecture, family concept and principles of the Integrity Guard implemented in the controllers by Infineon Technologies AG deemed for high security requiring applications.

This TOE is based and built from the equal design sources as already certified in the process BSI-DSZ-CC-0891-2015 and has seen further improvements.

The certification body of this process is the German BSI, whereas the abbreviation stands for Federal Office for Information Security, in German language Bundesamt für Sicherheit in der Informationstechnik.
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Target Introduction (ASE_INT)

Table 1

<table>
<thead>
<tr>
<th>Object</th>
<th>Version</th>
<th>Date</th>
<th>Registration</th>
</tr>
</thead>
<tbody>
<tr>
<td>Security Target Lite</td>
<td>Revision 1.7</td>
<td>2016-11-16</td>
<td>M7892 Design Steps D11 and G12</td>
</tr>
<tr>
<td>Target of Evaluation</td>
<td></td>
<td></td>
<td>M7892 Design Steps D11 and G12 With FW-Identifier 78.015.14.0 or alternatively with 78.015.14.1 or alternatively with 78.015.14.2 or alternatively with 78.015.18.2</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>And following optional alternative SW - libraries:</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>RSA2048 v2.03.008</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>RSA4096 v2.03.008</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>EC v2.03.008</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>and belonging User Guidance documentation (1). And further optional software:</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>SHA-2 v1.01</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>Toolbox v2.03.008</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>SCL v2.02.010</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>and belonging User Guidance documentation (1).</td>
</tr>
<tr>
<td>Protection Profile</td>
<td>1.0</td>
<td>2014-01-13</td>
<td>Security IC Platform Protection Profile with Augmentation Packages BSI-CC-PP-0084-2014</td>
</tr>
<tr>
<td>Common Criteria</td>
<td>3.1</td>
<td>2012-09</td>
<td>Common Criteria for Information Technology Security Evaluation</td>
</tr>
<tr>
<td></td>
<td>Revision 4</td>
<td></td>
<td>Part 1: Introduction and general model CCMB-2012-09-001</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>Part 2: Security functional requirements CCMB-2012-09-002</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>Part 3: Security Assurance Components CCMB-2012-09-003</td>
</tr>
</tbody>
</table>

1) Chapter 2.2.4 describes briefly the contents of the individual documents of the User Guidance Documentation, while the individual documents are versioned and entitled in chapter 9 literature and references. The listed set of user guidance documents belongs to the TOE.

The differences in the firmware package versions are not security relevant and from functional perspective transparent for the user. But, the later firmware package versions serve for improved robustness and timing improvements. Note also that the ROM contains no user data and the user has no access. The user has the free choice for combinations of firmware packages and optional cryptographic libraries (asymmetric v2.03.008 and symmetric v2.02.010). The TOE can be identified with the Generic Chip Identification Mode (GCIM). The M7892 hardware is identified by the bytes 05 and 06, which are the first two bytes of the chip identification number, having always the hexadecimal values: 0x0 0x1. Or, in other words, the binary value 0001 represents the hardware platform M7892. This together with the other output data of design step, production side and firmware identifier clearly describes this unique TOE. This TOE is represented by various products, differentiated by various configuration possibilities, done either by Infineon settings during production or, after delivery, by means of blocking at customer premises.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

Despite these configuration possibilities, all products are derived from the equal hardware design results, the M7892 Design Steps D11 and G12. The GCIM mode is explained and detailed in the user guidance document hardware reference manual HRM [1]. All product derivatives are identically from module design, layout and footprint, but are made different in their possibilities to connect to different types of antennas or to a contact based interface only. Therefore, the TOE is represented and made out of different mask sets:

The main difference between the mask sets of the TOE is on one metal mask (M1) to implement different input capacitances in the analogue part of the radio frequency interface (RFI). This differentiation in the input capacitances allows the connection to a wider range of various antenna types, or respectively, to a contact based interface only. Note that external antennas or interfaces are not part of the TOE.

An overview upon the different mask sets is given in Table 2.

To each of the capacitances related mask sets belonging to the TOE, an individual value is assigned, which is part of the data output of the Generic Chip Identification Mode (GCIM). This number is located in the GCIM part individual length byte to clearly differentiate between the mask sets related to the different input capacitances. Thereby, the clear identification of the silicon design step is given.

There are no other differences between the mask sets the TOE is produced with. Details are explained in the user guidance hardware reference manual HRM [1].

Overview of the mask sets and their combinations:

Table 2  

<table>
<thead>
<tr>
<th>Comb.</th>
<th>Type of Mask Set Difference</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>Mask set 1: 0pF</td>
</tr>
<tr>
<td>2</td>
<td>Mask set 2: 27pF</td>
</tr>
<tr>
<td>3</td>
<td>Mask set 4: 56pF</td>
</tr>
<tr>
<td>4</td>
<td>Mask set 5: 78pF</td>
</tr>
</tbody>
</table>

The M7892 Design Steps D11 and G12 allows for a maximum of configuration possibilities defined by the customer order or his blocking following the market needs. For example, a M7892 Design Steps D11 and G12 product can come in one project with the fully available SOLID FLASH™ NVM1 or in another project with any other SOLID FLASH™ NVM -size below the physical implementation size, or with a different RAM size. And more, the user has the free choice, whether he needs the symmetric co-processor SCP, or the asymmetric co-processor Crypto2304T, or both, or none of them. In addition, the user decides, whether the TOE comes with a free combination of software libraries or without any. And, to be even more flexible, various interface options can be chosen as well. To sum up the major selections, the user defines by his order:

---

1 Infineon® SOLID FLASH™ is an Infineon Trade Mark and stands for the Infineon EEPROM working as Flash memory. The abbreviation NVM is short for Non Volatile Memory.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

- The available memory sizes of the SOLID FLASH™ NVM and RAM. Note that there is no user available ROM on the TOE.
- The availability of the cryptographic coprocessors.
- The availability of the cryptographic library version.
- The availability of the Flash Loader for available interfaces like ISO-7816, contactless ISO-14443.
- The availability of various interface options.
- The possibility to tailor the product by blocking on his own premises.
- And, which of the firmware packages as versioned in Table 1 the TOE contains.
- The degree of freedom of the chip configuration is predefined by Infineon Technologies AG and made available via the order tool.

Beside fix TOE configurations, which can be ordered as usual, this TOE implements optionally the so called Bill-Per-Use (BPU) ability. This solution enables our customer to tailor the product on his own to the required configuration – project by project. By that BPU allows for significant reduction of logistic cost at all participating parties and serves for acceleration of delivery of tailored product to the end-user.

BPU enables our customers to block the chip on demand into the final configuration at his own premises, without further delivery or involving support by Infineon Technology.

The realization of it requires the presence of the Flash Loader software, enhanced with the BPU blocking software part. The presence of the BPU ability defines the customer with his order.

The user then receives this TOE in a predefined starting configuration, for example entirely unblocked. Again, the delivered starting configuration depends on the purchasing contract. After delivery, the user can put the TOE in volume on his stock and can block it down to the required sizes and features, whenever a certain configuration is required by a certain project.

Depending on the number of TOE products delivered, and their individual final blocked configuration, the customer receives a balancing payment. By that our customers are charged only for the true configurations required in their projects.

As written above, the software realizing the user allowed blocking, is implemented and delivered in the TOE – depending on the order - and is part of the evaluation and certificate. This software is an additional part of the Flash Loader software, but also the other firmware has seen a small enhancement to enable for BPU.

On the user production side, the blocking is done by the user; usually by taking an enhancement of the user own personalization flow and applying the according APDUs. These APDUs are predefined by Infineon Technologies and can also depend on the customer order. Only these APDUs can block the chip according to the user demands.

Infineon Technologies AG provides special software, running in parallel when doing the blocking. This software summarizes all devices and final configurations allowing for the later commercial balancing. The balancing depends on the number of chips and their individual final blockings the user has made over a defined time span. This special software can be used only for the commercial balancing, is not present on the TOE, not security relevant and therefore not part of this certificate.

All blockings are done by setting the according value in the chip configuration page, where certain parts are left available to the blocking software. Of course, strong means of authentication are in place. The blocking software is an additional part of the Flash Loader software and the only piece of software, able to manage the blocking APDUs. Therefore, the presence of the Flash Loader software is essential for the BPU ability. Anyhow, also the presence of the Flash Loader is an option and belongs to the user order.

The user can only apply a predefined and checksum protected set of allowed APDU configuration commands provided by Infineon Technologies AG. For this, the Flash Loader BPU software part, together with the
firmware, executes one of those APDUs. After the final blocking is done and the user additionally may have downloaded his software, the entire Flash Loader including the BPU software part is permanently deactivated.

Of course, exclusively all security relevant settings are contained in the IFX-only part. The Flash Loader BPU software does not access and has no access to the IFX-only part.

Once the user blocking by applying the APDU has been finalized and the Flash Loader was locked, the configuration page is no more accessible for changes. After the final deactivation of the Flash Loader the product is permanently fixed regarding its configurations and software. A reactivation of the Flash Loader is not possible. At the next start-up, the STS apply the settings, and, if called, a RMS-function can output the finally made chip configuration for verification and information purposes.

The entire configuration storage area is protected against manipulation, perturbation and false access. Note that the IFX-only part of the configuration page is already access protected prior delivery to the user and the TOE leaves the Infineon Technology premises only locked into User Mode.

The Flash Loader BPU software part is only present on the products which have been ordered with the BPU option. In all other cases this software is not present on the product. If a product is ordered without Flash Loader, also the Flash Loader software is not present and the BPU configuration changes are blocked in the IFX-configuration, which renders BPU functionality unusable. Various delivery combinations are given and for example, a product can come with a fix configuration and with Flash Loader, to enable the user to download software, but without BPU option. Following cases can occur:

- Order in fixed configuration, without Flash Loader: no download of user software and no blocking possibility after delivery
- Order in fixed configuration with Flash Loader but without BPU option: download of user software but no blocking possibility after delivery
- Order with Flash Loader and Bill-per-Use option in starting configuration: final chip configuration by the user and download of user software

Beside the various TOE configurations further possibilities of how the user inputs his software on the TOE, i.e. the operating system and applications, are in place. This provides a maximum of flexibility and for this an overview is given in the following table:
Table 3  Options to implement user software at Infineon production premises

<table>
<thead>
<tr>
<th></th>
<th>Options</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr>
<td>1.</td>
<td>The user or/and a subcontractor downloads the software into the SOLID FLASH™ NVM on his own. Infineon Technologies has not received user software and there are no user data in the ROM.</td>
<td>The Flash Loader can be activated by the user or subcontractor to download his software in the SOLID FLASH™ NVM – until the Flash Loader is finally deactivated by the user.</td>
</tr>
<tr>
<td>2.</td>
<td>The user provides software for the download into the SOLID FLASH™ NVM to Infineon Technologies AG. The software is downloaded to the SOLID FLASH™ NVM during chip production. I.e. there are no user data in the ROM.</td>
<td>There is no Flash Loader present.</td>
</tr>
<tr>
<td>3.</td>
<td>The user provides software for the download into the SOLID FLASH™ NVM to Infineon Technologies AG. The software is downloaded to the SOLID FLASH™ NVM during chip production. I.e. there are no user data in the ROM.</td>
<td>The Flash Loader is blocked afterwards but can be activated or reactivated by the user or subcontractor to download his software in the SOLID FLASH™ NVM. Precondition is that the user has provided an own reactivation procedure in software prior chip production to Infineon Technologies AG.</td>
</tr>
</tbody>
</table>

For the cases with Flash Loader on board and whenever the user has finalized his SW-download, respectively the TOE is in the final state and about to be delivered to the end-user, the user is obligated to lock the Flash Loader. The locking is the final step and results in a permanent deactivation of the Flash Loader. This means that once being in the locked status, the Flash Loader cannot be reactivated anymore.

Note that wherever a TOE comes without the Flash Loader, BPU is not possible.

The following listing contains the memory size ranges and other blocking options, focusing on the maximum respectively minimum user available limitations. Within those limitations the TOE configurations can vary under only one identical IC-hardware, regardless whether the configurations are set by Infineon or within further limitations by the user. All configurations the TOE is made off and all thereof resulting derivatives have no impact on security and are covered by the certificate.

Wherever user blocking is stated in the table below, the user can block the chip within the therein defined limitations, but only if the product was ordered with the BPU option.

The below given configuration possibilities are valid unchanged throughout the mentioned different mask sets. Wherever user blocking is stated below, the user can block the chip within the defined limitations, but only if the product was ordered with the user configuration capability.
### Configuration ranges and blocking options for the user

<table>
<thead>
<tr>
<th>Module / Feature (User view)</th>
<th>Max-Value (User view)</th>
<th>Min-Value (User view)</th>
<th>User Blocking</th>
<th>User Blocking Step</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Memories</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>SOLID FLASH™ NVM</td>
<td>Max. 404 kBytes</td>
<td>Min. 0 kBytes</td>
<td>Yes</td>
<td>1 kBytes</td>
</tr>
<tr>
<td>RAM for the user</td>
<td>8 kBytes</td>
<td>1 kBytes</td>
<td>Yes</td>
<td>1kBytes</td>
</tr>
<tr>
<td><strong>Modules</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Crypto2304T</td>
<td>Available</td>
<td>Not available</td>
<td>Yes</td>
<td>On/off</td>
</tr>
<tr>
<td>SCP</td>
<td>Available</td>
<td>Not available</td>
<td>Yes</td>
<td>On/off</td>
</tr>
<tr>
<td><strong>Interfaces</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>ISO 7816-3 slave</td>
<td>Available</td>
<td>Not available</td>
<td>Yes</td>
<td>On/off</td>
</tr>
<tr>
<td>RFI – ISO 14443 generally</td>
<td>Available</td>
<td>Not available</td>
<td>Yes</td>
<td>On/off</td>
</tr>
<tr>
<td>ISO 14443 Type A card mode</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
<tr>
<td>ISO 14443 Type B card mode</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
<tr>
<td>ISO 18092 NFC passive mode</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
<tr>
<td>Mifare hardware support for card mode</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
<tr>
<td>SW support for Mifare compatible 4k cards (3)</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
<tr>
<td>SW support for Mifare compatible 1k cards (3)</td>
<td>Available</td>
<td>Not available</td>
<td>By order only</td>
<td>None</td>
</tr>
</tbody>
</table>

The ST-Lite and the certification report are publicly available for download at https://www.bsi.bund.de.

All possible TOE configurations equal and/or within the below specified ranges are covered by the certificate.

The hardware reference manual HRM [1] provides an overview about the configuration options respectively ranges.

Note that there is no user available on-chip ROM module anymore. The user software and data are now located in a dedicated and protected part of the SOLID FLASH™ NVM. The long life storage endurance, the automatic management of often used memory pages, together with the means for error detection and correction serves for comparable respectively equal reliability and endurance, compared to a conventional ROM.

Beside the above listed flexible ranges, the user guidance contains a number of predefined configurations for those customers not making use of the BPU option. All of these configurations belong to the TOE as well and are of course made of the equal hardware and are inside the above declared ranges.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

Today’s predefined configurations of the TOE are listed in the hardware reference HRM [1]. These predefined products come with the most requested configurations and allow to produce volumes on stock in order to simplify logistic processes.

According to the BPU option, a non-limited number of configurations of the TOE may occur in the field. The number of various configurations depends on the user and purchase contact only.

Note that the TOE answers to the Non-ISO-ATR with the Generic Chip Identification Mode (GCIM) answer. This GCIM outputs a coded clear identifier for the chip type, the design step and further configuration information such as the firmware version. The user guidance document hardware reference manual HRM [1] enables for clear interpretation of the read out GCIM data.

These GCIM data enable the user for clear identification of the TOE and also of one of the different mask sets and therewith for checking the validity of the certificate.

In addition, a dedicated RMS function allows reading out the present configuration in detail. Again, together with the hardware reference manual HRM [1], this allows for clear identification of a product and its configuration.

All these steps for gathering identification and detailed configuration information can be done by the user himself, without involving Infineon Technologies AG.

The TOE consists of the hardware part, the firmware parts and the optional software parts. The Smartcard Embedded Software, i.e. the operating system and applications are not part of the TOE.

The firmware parts are the RMS library, the Service Algorithm Minimal (SA) and the STS firmware for test purpose (see chapter 2.2.2), located in IFX ROM and providing some functionality via an API to the Smartcard Embedded Software as well as the Flash Loader for downloading user software to the SOLID FLASH™ NVM. The Mifare compatible software interface and firmware patches are stored in the SOLID FLASH™ NVM. The TOE has no user ROM. IFX ROM contains no user data.

The software parts are differentiated into the cryptographic libraries RSA\(^1\), EC\(^2\) and SHA-2\(^3\), symmetric cryptographic library and the supporting libraries Toolbox and Base. In the descriptive context of the Security Target, it is regardless which version of the cryptographic libraries is addressed. For this the following documentation refers only to the cryptographic libraries.

RSA, EC, SHA-2, Toolbox and SCL provide certain functionality via an API to the Smartcard Embedded Software. The Base Library is only used internally by the RSA, EC and Toolbox libraries and has no user interface. If none of the three libraries RSA, EC and Toolbox is delivered, also the Base Library is not on board. The SHA-2 library does not use the Base Library.

The TOE can be delivered including - in free combinations - or not including any of the functionality of the cryptographic libraries SCL, EC, RSA, SHA-2 and the supporting Toolbox library. If RSA or EC or Toolbox is delivered, automatically the Base Library is part of the shipment too.

If the user decides not to use one or all of the crypto library(s), the specific library(s) is (are) not delivered to the user and the accompanying “Additional Specific Security Functionality (O.Add-Functions)” \(^{\text{Rivest-Shamir-Adleman (RSA) and/or EC and/or SHA-2 and/or Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) is/are not provided by the TOE.}}\)

---

1 Rivest-Shamir-Adleman asymmetric cryptographic algorithm
2 The Elliptic Curve Cryptography is abbreviated with EC only in the further, in order to avoid conflicts with the abbreviation for the Error Correction Code ECC.
3 SHA Secure Hash Algorithm
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

The Toolbox library provides the user optionally basic arithmetic and modular arithmetic operations, in order to support user software development using long integer operations. These basic arithmetic operations do not provide any security functionality, implement no security mechanism, and do not proved additional specific security functionality - as defined for the cryptographic libraries.

The user developed software using the Toolbox basic operations is not part of the TOE.

The Base Library provides the low level interface to the asymmetric cryptographic coprocessor and has no user available interface. The Base Library does not provide any security functionality, implements no security mechanism, and does not provide additional specific security functionality.

Deselecting one of the libraries does not include the code implementing functionality, which the user decided not to use. Not including the code of the deselected functionality has no impact of any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the functionality.

The SCL, RSA, EC, SHA-2 and Toolbox libraries can be loaded, together with the Smartcard Embedded software, into the SOLID FLASH™ NVM. This holds also for the Base Library, if the RSA, EC or Toolbox or combinations hereof is/are part of the shipment.

All other Smartcard Embedded Software does not belong to the TOE and is not subject of the evaluation.
1.2 Target of Evaluation overview

The TOE comprises the Infineon Technologies Dual Interface Security Controller M7892 Design Steps D11 and G12 with specific IC dedicated software and optional SCL, RSA, EC, SHA-2 and Toolbox libraries.

The TOE is a member of the Infineon Technologies AG high security controller family meeting the highest requirements in terms of performance and security. A summary product description is given in this Security Target (ST).

This TOE is intended to be used in any application and device requiring the highest level of security, and can be used for example not only as a secure smart card, but also as a secure element on a printed circuit board or similar. The capabilities of this TOE can be used almost everywhere, where highly secure applications are in use and of course in any other application as well. This TOE is deemed for governmental, corporate, transport and payment markets, or wherever a secure root of trust is required. Various types of applications can use this TOE in almost any device or form factor, for example in closed loop logical access controls, physical access controls, secure internet access control and internet authentication, or as multi-application token or simply as encrypted storage.

This member of the high security controller family features a security philosophy focusing on data integrity instead of numerous sensors. By that two main principles combined in close synergy are utilized in the security concept called the “Integrity Guard”. These main principles are the comprehensive error detection, including the dual CPU, and the full encrypted data path, leaving no plain data on the chip. These principles proved that they provide excellent protection against invasive and non-invasive attacks known today.

The intelligent shielding algorithm finishes the layers, finally providing the so called intelligent implicit active shielding “I²-shield”. This provides physical protection against probing and forcing.

This dual interface controller is able to communicate using either the contact based or the contactless interface. The implemented dual interface provides a maximum flexibility in using following communication protocols respectively methods:

Contact based interfaces

- ISO 7816, The ISO defined standard contact based communication protocol, using the pads.
- Analogue Contactless Bridge mode (ACLB) The ACLB mode provides the possibility to leave the analogue communication to the external device. The connection is done via the Lₐ and Lₜ pads to the external device or external contactless reader chip directly. Therefore, an external antenna cannot be connected, if the user decides to use this interface option.

Contactless interfaces

- ISO 14443 Type A and Type B These are ISO defined proximity contactless protocols using an external antenna and the TOE implemented analogue and digital radio frequency interface.
- ISO/IEC 18092 passive mode, The ISO defined proximity contactless protocol using an external antenna and the TOE implemented analogue and digital radio frequency interface.
- Mifare compatible software interface, The proprietary proximity contactless protocol using an external antenna and the TOE implemented analogue and digital radio frequency interface, as well as the memory part reserved for Mifare use.
- And various further communication modes.
All interfaces and protocols can be made available sequentially. How the interfaces are used or combined depends exclusively on the user software. Independently from the used contactless protocol, the RFI provides also the option for Buffered Data Transfer (BDT) or Direct Data Transfer (DDT). Using the BDT mode the CPU is in sleep or halt mode and in DDT the CPU is active during data transfer. The difference between the modes is the power consumption and the time required.

The off chip modulation (OCM) enables using just the demodulator and modulator of the RFI to act as an “intelligent analogue interface” for an FPGA bondout. If activated, the OCM passes the demodulated data stream to the IO pad. Parallel to this data path, the demodulated data is also fed to the decoder of the RFI allowing for the protocol handling. The OCM is not available to users and for emulation purposes by Infineon only. Therefore, it is not displayed in the table below.

A further option is the Advanced Mode for Mifare (AMM) allowing for very high transfer bit rates: In order to increase the contactless interface performance even more, the RFI can be configured in terms of baud rates for reception and transmission and the setting of the sub-carrier frequency used for the load modulation at very high bit rates for equal and more than 848kBit/s.

The following table depicts the configurable interfaces and communication possibilities. Note the possibility of a contactless communication while also the ISO7816 interface is active and can be used. If a contactless protocol is chosen, it can be used exclusively only, or in combination with the ISO7816 interface.

### Table 5  
**Interface combination of the TOE**

<table>
<thead>
<tr>
<th>Contactless Interface</th>
<th>Pads</th>
<th>La / Lb (connected to the external antenna)</th>
</tr>
</thead>
<tbody>
<tr>
<td>Protocol</td>
<td></td>
<td></td>
</tr>
<tr>
<td>ISO14443 A</td>
<td>ISO 14443 B</td>
<td>ISO 18092 NFC passive mode</td>
</tr>
<tr>
<td>ISO - CB</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Contact-based Interface</th>
<th>Pads</th>
<th>ISO - CB</th>
</tr>
</thead>
<tbody>
<tr>
<td>Interface</td>
<td></td>
<td></td>
</tr>
<tr>
<td>ISO 7816</td>
<td>ISO14443 A</td>
<td>ISO 14443 B</td>
</tr>
</tbody>
</table>

The TOE provides a real 16-bit CPU-architecture and is compatible to the MCS®251 instruction set with an execution time faster than a standard MCS®251 microcontroller at the same clock frequency. The major components of the core system are the dual CPU (Central Processing Units), acting as one, the MMU (Memory Management Unit) and MED (Memory Encryption/Decryption Unit). The dual CPU controls each other in order to detect faults and serve by this for data integrity. The TOE implements a full 16 MByte linear addressable memory space for each privilege level, a simple scalable Memory Management concept and a scalable stack size. The flexible memory concept consists of ROM- and Flash-memory as part of the nonvolatile memory (NVM), respectively SOLID FLASH™ NVM. For the SOLID FLASH™ NVM the Unified Channel Programming (UCP) memory technology is used.

The RMS library providing some functionality via an API to the Smartcard Embedded Software contains for example SOLID FLASH™ NVM service routines. The Service Algorithm provides functionality for the tearing save write into the SOLID FLASH™ NVM. The STS firmware is used for test purposes during start-up and the Flash Loader allows downloading user software to the SOLID FLASH™ NVM during the manufacturing process. The firmware parts are implemented in the ROM and in access protected areas of the SOLID FLASH™ NVM.

The BSI has changed names and abbreviations for Random Number Generators, which is clarified as follows:

The Physical True Random Number Generator (PTRG), also named True Random Number Generator (TRNG) is a
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

physical random number generator and meets the requirements of the functionality class AIS31 PTG.2, see [16]. It is used for provision of random number generation as a security service to the user and for internal purposes. The produced genuine random numbers can be used directly or as seed for the Deterministic Random Number Generator (DRNG), former named as Pseudo Random Number Generator (PRNG). The DRNG respectively PRNG is not in the scope of the evaluation. The TRNG respectively PTRNG is specially designed for smart cards, but can also be used in any other application where excellent physical random data are required.

The two cryptographic co-processors serve the need of modern cryptography: The symmetric co-processor (SCP) combines both AES and Triple-DES with dual-key or triple-key hardware acceleration. The Asymmetric Crypto Co-processor, called Crypto2304T in the following, is an optimized version of the Crypto@1408 used in the SLE88-family with performance improvements for RSA-2048 bit (4096-bit with CRT) and Elliptic Curve (EC) cryptography.

The software part of the TOE consists of the cryptographic SCL, RSA-, EC- and the SHA-2 libraries and the supporting Toolbox and Base Libraries. If RSA or EC or Toolbox or combinations hereof are part of the shipment, automatically the Base Library is included.

The RSA library is used to provide a high level interface to RSA (Rivest, Shamir, Adleman) cryptography implemented on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for the generation of RSA Key Pairs, the RSA signature verification, the RSA signature generation and the RSA modulus recalculation. The hardware Crypto2304T unit provides the basic long number calculations (add, subtract, multiply, square with 1100 bit numbers) with high performance. The RSA library is delivered as object code and in this way integrated in the user software. The RSA library can perform RSA operations from 512 to 4096 bits. Following the BSI recommendations, key lengths below 1976 bit are not included in the certificate.

The EC library is used to provide a high level interface to Elliptic Curve cryptography implemented on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for ECDSA signature generation, ECDSA signature verification, ECDSA key generation and Elliptic Curve Diffie-Hellman key agreement. In addition, the EC library provides an additional function for calculating primitive elliptic curve operations like ECC Add and ECC Double. EC curves over prime field $F_p$, as well as over $GF(2^n)$ finite field are supported too. Note that the according user guidance the Elliptic Curve cryptographic functions are abbreviated using ECC.

The EC library is delivered as object code and in this way integrated in the user software. The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Numerous other curve types, being also secure in terms of side channel attacks on this TOE, exist, which the user optionally can add in the composition certification process.

The SHA-library provides the calculation of a hash value of freely chosen data input in the CPU. The SHA-library is delivered as object code and is in this way available for the user software. This secure hash-algorithm SHA-2 is intended to be used for hashing any type of user data. Further essential information about the usage is given in the confidential user guidance.

This secure hash-algorithm SHA-2 is intended to be used for signature generation, verification and generic data integrity checks. The use for keyed hash operations like HMAC or similar security critical operations involving keys, is not subject of this TOE and requires specific security improvements and DPA analysis including the operating system, which is not part of this TOE.

The Toolbox library does not provide cryptographic support or additional security functionality as it provides only the following basic long integer arithmetic and modular functions in software, supported by the

---

1 BSI Bundesamt für Sicherheit in der Informationstechnik – Federal Office for Information Security
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

cryptographic coprocessor: Addition, subtraction, division, multiplication, comparison, reduction, modular addition, modular subtraction, modular multiplication, modular inversion and modular exponentiation. No security relevant policy, mechanism or function is supported. The Toolbox library is deemed for software developers as support for simplified implementation of long integer and modular arithmetic operations.

The Base Library provides the low level interface to the asymmetric cryptographic coprocessor and has no user available interface. The Base Library does not provide any security functionality, implements no security mechanism, and does not provide additional specific security functionality.

The SCL Library offers a high-level interface for performing symmetric cryptography algorithms using SCP co-processor. The SCL has implemented block repetitions, dummy calculations, backward calculation rounds and known-answer test security functions using 128, 192 and 256 AES algorithm, and DES3 or DES algorithms. The SCL also supports ECB, CBC, CTR, CFB and PCBC block cipher modes, however the PCBC mode is not a part of this evaluation. The SCL provides public API [125] containing cipher block management functions (Cipher*), block cipher mode encryption/decryption functions (BCM*), cipher block instantiation helper functions CipAlg_*.Sec1 and CipAlg_*.Sec2, however the CipAlg_*.Sec1 functions are not a part of this evaluation.

Note that this TOE can come with both cryptographic co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both cryptographic co-processors blocked. The blocking depends on the user’s choice. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors. The TOE can also be delivered without a specific optional software library. In this case the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) or/and Elliptic Curve Cryptography (EC) or/and SHA-2 or/and SCL.

To fulfill the highest security standards for smartcards today and also in the future, this TOE implements a progressive digital security concept, which already has been certified in various forerunner processes and which has proven its resistance against attackers with high attack potential. This TOE utilizes digital security features to include customer friendly security, combined with a robust design overcoming the disadvantages on analogue protection technologies. The TOE provides full on-chip encryption of the data path, covering the core including the ALUs of the CPUs, busses, memories and cryptographic co-processors leaving no plaintext on the chip. Therefore the attractiveness for attackers is extremely reduced as encrypted signals are of no use for the attacker – neither for manipulation nor for eavesdropping.

In addition, the TOE is equipped with a full error detection capability for the complete data path. The dual CPU approach allows error detection even while processing. A comparator detects whether a calculation was performed without errors. This approach does not leave any parts of the core circuitry unprotected. The concept allows that the relevant attack scenarios are detected, whereas other conditions that would not lead to an error would mainly be ignored. That renders the TOE robust against environmental influences.

Subsequently, the TOE implements what we call intelligent implicit shielding (I2S). These measures constitute a shield on sensitive and security relevant signals which is not recognizable as a shield. This provides excellent protection against invasive physical attacks, such as probing, forcing or similar.

In this security target the TOE is described and a summary specification is given. The security environment of the TOE during its different phases of the lifecycle is defined. The assets are identified which have to be protected through the security policy. The threats against these assets are described. The security objectives and the security policy are defined, as well as the security requirements. These security requirements are built up of the security functional requirements as part of the security policy and the security assurance requirements. These are the steps during the evaluation and certification showing that the TOE meets the targeted requirements. In addition, the functionality of the TOE matching the requirements is described.

The assets, threats, security objectives and the security functional requirements are defined in this Security Target and in the Protection Profile [12] and are referenced here. These requirements build up a minimal standard common for all Smartcards.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Target Introduction (ASE_INT)

The security functions are defined here in the security target as property of this specific TOE. Here it is shown how this specific TOE fulfills the requirements for the common standard defined in the Common Criteria documents [13], [14], [15] and in the Security IC Platform Protection Profile [12].
2 Target of Evaluation Description

The TOE description helps to understand the specific security environment and the security policy. In this context the assets, threats, security objectives and security functional requirements can be employed. The following is a more detailed description of the TOE than in the Security IC Platform Protection Profile [12] as it belongs to the specific TOE. The Security IC Platform Protection Profile is in general often abbreviated with ‘PP’ and its version number.

2.1 TOE Definition

This TOE consists of a Security Dual Interface Controllers as integrated circuits (IC), meeting the highest requirements in terms of performance and security. The TOE products are manufactured by Infineon Technologies AG in a 90 nm CMOS-technology (L90).

This TOE is intended to be used in smart cards and any other form factor for particularly applications requiring highest levels of security and for its previous use as developing platform for smart card operating systems according to the lifecycle model from Protection Profile [12].

The term Smartcard Embedded Software is used in the following for all operating systems and applications stored and executed on the TOE. The TOE is the platform for the Smartcard Embedded Software. The Smartcard Embedded Software itself is not part of the TOE.

The TOE consists of a core system, memories, co-processors, peripherals, security modules and analogue peripherals.

Following diagram provides a simplified overview upon the hardware subsystems which are briefly described below:
The major components of the core system are the dual CPU (Central Processing Units) including the internal encryption leaving no plain data anywhere, the MMU (Memory Management Unit), the MED (Memory Encryption/Decryption Unit) and the CACHE memory.

The CPU – here the two processor parts (CPU1 and CPU2) are seen from functional perspective as one - is compatible with the instruction set of the forerunner family 66-PE and is therefore also compatible to the SAB 80251 instruction set (8051 is a subset hereof) and to the MCS® 251 instruction set which is enhanced. Anyhow, the dual-CPU is faster than the standard processor at the equal clock frequency. It provides additional powerful instructions for smart card or other applications. It thus meets the requirements for the new generation of operating systems. Despite its compatibility the CPU implementation is entirely proprietary and not standard.

The two processor parts of the CPU control each other in order to detect faults and maintain by this the data integrity. A comparator detects whether a calculation was performed without errors and allows error detection even while processing. Therefore the TOE is equipped with a comprehensive error detection capability, which is designed to leave no relevant parts of the circuitry unprotected.

The CPU accesses the memory via the integrated Memory Encryption and Decryption unit (MED), which transfer the data from the memory encryption schema to the CPU encryption schema without decrypting into intermediate plain data. The error detection unit (EDU) automatically manages the error detection of the individual memories and detects incorrect transfer of data between the memories by means of error code comparison.

The access rights of the firmware, user operating system and application to the memories are controlled and enforced by the memory management unit (MMU).
The CACHE memory – or simply, the CACHE – is a high-speed memory-buffer located between the CPU and the (external) main memories holding a copy of some of the memory contents to enable access to the copy, which is considerably faster than retrieving the information from the main memory. In addition to its fast access speed, the CACHE also consumes less power than the main memories. All CACHE systems own their usefulness to the principle of locality, meaning that programs are inclined to utilize a particular section of the address space for their processing over a short period of time. By including most or all of such a specific area in the CACHE, system performance can be dramatically enhanced. The implemented post failure detection identifies and manages errors if appeared during storage.

The controllers of this TOE store both code and data in a linear 16-MByte memory space, allowing direct access without the need to swap memory segments in and out of memory using a memory management unit.

The memory block contains the ROM, RAM and the SOLID FLASH™ NVM. All data of the memory block is encrypted and all memory types are equipped with an error detection code (EDC), the SOLID FLASH™ NVM in addition with an error correction code (ECC). Errors in the memories are automatically detected (EDC) and in terms of the SOLID FLASH™ NVM 1-Bit-errors are also corrected (ECC). The TOE uses also Special Function Registers SFR. These SFR registers are used for general purposes and chip configuration. These registers are located in the SOLID FLASH™ NVM as configuration area page.

The non-volatile ROM contains the firmware parts and is accessible for Infineon only, while the RAM is a volatile memory and used by the core.

The coprocessor block contains the two co-processors for cryptographic operations are implemented on the TOE: The Crypto2304T for calculation of asymmetric algorithms like RSA and Elliptic Curve (EC) and the Symmetric Cryptographic Processor (SCP) for dual-key or triple-key triple-DES and AES calculations. These co-processors are especially designed for smart card applications with respect to the security and power consumption, but can of course be used in any other application of form factor where suitable. The SCP module computes the complete DES algorithm within a few clock cycles and is especially designed to counter attacks like DPA, EMA and DFA.

Note that this TOE can come with both crypto co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both crypto co-processors blocked. The blocking depends on the customer demands prior to the production of the hardware. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors.

The security peripherals block contains the small remaining set of sensors and filters. This small set of sensors is left in order to detect excessive deviations from the specified operational range, while not being over-sensitive. These features do not need adjustment or calibration and makes the chip even more robust. Conditions that would not be harmful for the operation would in most cases not influence the proper function. The small set of sensors is not necessary for the chip security but serve for robustness. Having the integrity guard concept in place, the sensors - except a single one - are no more required for the TOE security. The only sensor left, contributing to a security mechanism, is the frequency sensor. All other sensors are assigned to be security supporting only.

The filters are on board to make the TOE more robust against perturbations on the supply lines.

The block control is constituted out of the modules Interrupt Controller (ITP) and Peripheral Event Channel controller (PEC), the modules supplying clock (ICO) and Power Management / Voltage regulator, the Interface Management Module combined with the UmSLC. The UmSLC enables for checking the proper functions of modules and subsystems and checks the correct operation of the TOE.

The implemented clock management is optimized to reduce the overall power consumption. Contactless products provide a low-power halt mode for operation with reduced power consumption. The Clock Unit (CLKU) supplies the clocks for all components of the TOE. The Clock Unit can work in an internal and external
clock mode. The system frequency can be configured and this enables a programmer to choose the best-fitting frequency for an application in consideration of a potential current limit and a demanded application performance.

The peripherals block is constituted out of PTRNG, DRNG, CRC, Timer & WDT, the RFI and the UART. The modules are briefly described in the following:

The TRNG respectively PTRNG is specially designed for smart cards, but can also be used in any other application where excellent physical random data are required. The TRNG respectively PTRNG fulfills the requirements from the functionality class PTG.2 of the AIS31 and produces genuine random numbers which then can be used directly or as seed for the Deterministic Random Number Generator (DRNG), former named as Pseudo Random Number Generator (PRNG). The DRNG respectively PRNG is not in the scope of the evaluation.

The cyclic redundancy check (CRC) module is a checksum generator. The checksum is a unique number associated with a message or another block of data consisting of several bytes. The idea of the CRC method is to treat the input data as a binary bit stream and divide that stream by a fixed binary number. The remainder of that division is the CRC checksum.

The timer enables for easy implementation of communication protocols such as T=1 and all other time-critical operations. The timer can be programmed for particular applications, such as measuring the timing behavior of an event. Timer events can generate interrupt requests to be used for peripheral event channel data transfers. The watchdog is implemented to provide the user some additional control of the program flow. More details are given in the hardware reference module HRM [1].

This dual interface controller is able to communicate using either the contact based or the contactless interface. The implemented dual interface provides a maximum flexibility in using following communication protocols respectively methods:

**Contact based interfaces**

- ISO 7816
  The ISO defined standard contact based communication protocol, using the pads.
- Analogue Contactless Bridge mode (ACLB)
  The ACLB mode provides the possibility to leave the analogue communication to the external device. The connection is done via the \(L_a\) and \(L_b\) pads to the external device or external contactless reader chip directly. Therefore, an external antenna cannot be connected, if the user decides to use this interface option.

**Contactless interfaces**

- ISO 14443 Type A and Type B
  The ISO defined proximity contactless protocols using an external antenna and the TOE implemented analogue and digital radio frequency interface.
- ISO/IEC 18092 passive mode
  The ISO defined proximity contactless protocol using an external antenna and the TOE implemented analogue and digital radio frequency interface.
- Mifare compatible software interface
  The proprietary proximity contactless protocol using an external antenna and the TOE implemented analogue and digital radio frequency interface, as well as the memory part reserved for Mifare use.

This flexibility enables for example also for bypassing the coding/decoding of the RFI and leaves its interpretation up to the software. By that further and also proprietary protocols can be implemented by the user software. Note that anything contacting from outside the chip and also any user software managing the communication are not part of this TOE.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Target of Evaluation Description

The availability of the ACLB modes is configured during TOE production and depends on the customer order. The individual combinations of the interface options are depicted in the table below.

This TOE offers the so called Analogue Contactless Bridge (ACLB) communication possibility. The ACLB mode provides the possibility to leave the analogue communication to the external device connect directly to an external contactless reader chip using the L_a and L_b pads. Therefore, an external antenna cannot be connected, if the user decides to use this mode.

The individual combinations of the interface options are depicted in the table above.

Supporting a Mifare compatible software interface application requires a dedicated small space of memory. In this context and depending on user’s choice, various memory sections each of 1 up to 4 kBytes can be defined. The number and location of these memory sections is simply limited by the available SOLID FLASH™ NVM space. Also these memory sections are read/write protected and are defined and generated by the user.

This TOE offers also the order option for the so called Advanced Mode for Mifare Technology (AMM), enabling the user software to directly access the Mifare cryptographic functions. If ordered, the TOE provides the related configured register interfaces to the user software. Note that the entire software required for using the AMM, such as the functional calls, data transfer and program flow etc., have to be implemented by the user software. This software is not part of the TOE.

A further option is the advanced communication mode ACM allowing for very high bit rates.

The bus system comprises two separate bus entities: a memory bus supporting high-speed communication between the Core and Memories, and a peripheral bus for high-speed communication with the peripherals.

Subsequently, an intelligent shielding algorithm finishes the layers, finally providing the so called intelligent implicit active shielding “I²-shield”. This provides physical protection against probing and forcing.

The STS (self-test software), RMS (Resource Management System), Service Algorithm Minimal (SA) and Flash Loader together compose the TOE firmware stored in the ROM and the patches hereof in the SOLID FLASH™ NVM. All mandatory functions for internal testing, production usage and start-up behavior (STS), and also the RMS and SA functions are grouped together in a common privilege level. These privilege levels are protected by a hardwired Memory Management Unit (MMU) setting.

The user software can be implemented in various options depending on the user’s choice as described in chapter 1.1. Thereby the user software, or parts of it, can be downloaded into the SOLID FLASH™ NVM, either during production of the TOE or at customer side. In the latter case, the user downloads his software or the final parts of it at his own premises, using the Flash Loader software.

The SHA-library provides the calculation of a hash value of freely chosen data input in the CPU. The SHA-library is delivered as object code and is in this way available for the user software. This secure hash-algorithm SHA-2 is intended to be used for signature generation, verification and generic data integrity checks. This secure hash-algorithm SHA-2 is intended to be used for hashing any type of user data. Further essential information about the usage is given in the confidential user guidance.

The toolbox library does not provide cryptographic support or additional security functionality as it provides only the following basic long integer arithmetic and modular functions in software, supported by the cryptographic coprocessor: Addition, subtraction, division, multiplication, comparison, reduction, modular addition, modular subtraction, modular multiplication, modular inversion and modular exponentiation. No security relevant policy, mechanism or function is supported. The toolbox library is deemed for software developers as support for simplified implementation of long integer and modular arithmetic operations.

The Base Library provides the low level interface to the asymmetric cryptographic coprocessor and has no user available interface. The base library does not provide any security functionality, implements no security mechanism, and does not provide additional specific security functionality.
Target of Evaluation Description

The RSA library is used to provide a high level interface to RSA (Rivest, Shamir, Adleman) cryptography implemented on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for the generation of RSA Key Pairs, the RSA signature verification, the RSA signature generation and the RSA modulus recalculation. The hardware Crypto2304T unit provides the basic long number calculations (add, subtract, multiply, square with 1100 bit numbers) with high performance. The RSA library is delivered as object code and in this way integrated in the user software. The RSA library can perform RSA operations from 512 to 4096 bits.

Following the BSI recommendations, key lengths below 1976 bit are not included in the certificate.

The EC library is used to provide a high level interface to Elliptic Curve cryptography implemented on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for ECDSA signature generation, ECDSA signature verification, ECDSA key generation and Elliptic Curve Diffie-Hellman key agreement. In addition, the EC library provides an additional function for calculating primitive elliptic curve operations like ECC Add and ECC Double. EC curves over prime field Fp, as well as over GF(2^n) finite field are supported too. Note that the according user guidance the Elliptic Curve cryptographic functions are abbreviated using ECC.

The EC library is delivered as object code and in this way integrated in the user software. The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Numerous other curve types, being also secure in terms of side channel attacks on this TOE, exist, which the user optionally can add in the composition certification process.

The SCL library provides public cipher API for user application. The Cipher API contains functionality on operation with the SCL: configuration of runtime settings, encryption and decryption of multiple data blocks using one of the built-in Block Cipher Modes: ECB, CBC, CTR, CFB and PCBC. The SCL also provides functionality of adding custom BCMs. Public AES API provides encryption and decryption of a 128-bit block using AES standard. The flowing key sizes are supported: 128 bits, 192 bits, 256 bits. Public DES API provides encryption and decryption of a 64-bit block using the following algorithms: DES and 3DES with an effective key size of 56 bits (+ 8 parity bits) as well as 112 and 168 bits.

Note that this TOE can come with both cryptographic co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both cryptographic co-processors blocked. The blocking depends on the user’s choice. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors. The TOE can be delivered without a specific library. In this case the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) or/and Elliptic Curve Cryptography (EC) or/and SHA-2 and /or Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES).

The TOE sets a new, improved standard of integrated security features, thereby meeting the requirements of all smart card and other related applications or form factors, such as information integrity, access control, mobile telephone and identification, as well as uses in electronic funds transfer and healthcare systems.

To sum up, the TOE is a powerful dual interface security controller with a large amount of memory and special peripheral devices with improved performance, optimized power consumption, free to choose contact based or contactless operation, at minimal chip size while implementing high security. It therefore constitutes the basis for future smart card and other related applications or form factors.

---

1 BSI Bundesamt für Sicherheit in der Informationstechnik – Federal office for information security
2.2 Scope of the TOE

The TOE comprises several types of hardware each differing by slight mask set changes to allow for maximum flexibility in terms of connection to antennas and implementation into different package and module types. All these changes have no influence on the security or any security policy related to the TOE.

Therefore, this TOE includes:

- The silicon die, respectively the Integrated Circuit (IC) respectively the hardware of this TOE.
- The TOE is also delivered in various configurations, achieved by means of blocking by the customer and/or depending on the customer order.
- The according equal firmware on all derivatives, and with or without
- Optional equal software in various combinations for all TOE derivatives.
- User’s guidance documentation including hardware, software, cryptolibrary, Flash Loader, secure coding, and other reference manuals.

All product derivatives of this TOE, including all configuration possibilities differentiated by the GCIM data and the configuration information output, are manufactured by Infineon Technologies AG. In the following descriptions, the term “manufacturer” stands short for Infineon Technologies AG, the manufacturer of the TOE.

New configurations can occur at any time depending on the user blocking or by different configurations applied by the manufacturer. In any case the user is able to clearly identify the TOE hardware, its configuration and proof the validity of the certificate independently, meaning without involving the manufacturer.

The various blocking options, as well as the means used for the blocking, are done during the manufacturing process or at user premises. Entirely all means of blocking and the, for the blocking involved firmware respectively software parts, used at Infineon and/or the user premises, are subject of the evaluation. All resulting configurations of a TOE derivative are subject of the certificate. All resulting configurations are either at the predefined limits or within the predefined configuration ranges.

The firmware used for the TOE internal testing and TOE operation, the firmware and software parts exclusively used for the blocking, the parts of the firmware and software required for cryptographic support are part of the TOE and therefore part of the certification. The documents as described in section 2.2.4 and listed in Table 1, are supplied as user guidance.

Not part of the TOE and not part of the certification are:

- The Smartcard Embedded Software respectively user software, and
- The piece of software running at user premises and collecting the BPU receipts coming from the TOE. This BPU software part is the commercially deemed part of the BPU software, not running on the TOE, but allowing refunding the customer, based on the collected user blocking information. The receipt from each blocked TOE is collected by this software – chip by chip.

2.2.1 Hardware of the TOE

The hardware part of the TOE as defined in the Protection Profile [12] is comprised of:

Core System

Proprietary dual CPU implementation being comparable to the 80251 microcontroller architecture from functional perspective and with enhanced MCS® 251 instruction set

CACHE with Post Failure Detection
Memory Encryption/Decryption Unit (MED) and Error Detection Unit (EDU)
Memory Management Unit (MMU)
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Target of Evaluation Description

Memories
SOLID FLASH™ NVM, the Electrically Erasable and Programmable Read Only Memory (EEPROM) implementing the Unified Channel Programming concept (UCP)
Read-Only Memory (ROM), not available for the user
Random Access Memory (RAM)

Peripherals
True Random Number Generator (TRNG) respectively
Physical True Random Number Generator (PTRNG)
Deterministic Random Number Generator (DRNG) respectively
Pseudo Random Number Generator (PRNG)
Watchdog and Timers
Universal Asynchronous Receiver/Transmitter (UART)
Checksum module (CRC)
RF interface (radio frequency power and signal interface)

Control
Dynamic Power Management
Internal Clock Oscillator (ICO)
Interrupt and Peripheral Event Channel Controller (ITP and PEC)
Interface Management Module (IMM)
User mode Security Life Control (UmSLC)
Voltage Regulator

Coprocessors
Crypto2304T for asymmetric algorithms like RSA and EC (optionally blocked)
Symmetric Crypto Co-processor for DES and AES Standards (optionally blocked)

Security Peripherals
Filters
Sensors

Buses
Memory Bus
Peripheral Bus

2.2.2 Firmware and software of the TOE
For this TOE, the user can chose between different alternative firmware packages and can also chose the optional cryptographic library. The exact versions of firmware respectively software alternatives are given in Table 1.

As the differences between the various versions are transparent to the user from functional and interface perspective, the descriptions for the firmware and cryptographic library pieces hold true.

The entire firmware of the TOE consists of different parts:

One part comprises the RMS and SA routines used for providing the chip resource management interface for the user. The routines are used for tearing save handling of the SOLID FLASH™ NVM, user testing of the security functions and error correction (Resource Management System, IC Dedicated Support Software in PP [12]).
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Target of Evaluation Description

These routines are stored in a reserved area of the IFX ROM, while belonging patches (if any) are located in the SOLID FLASH™ NVM. There is no ROM available for the user.

The second part is the STS, consisting of test and initialization routines (Self-Test Software, IC Dedicated Test Software in PP [12]). The STS routines are stored in the ROM and the belonging patch is located in the access protected SOLID FLASH™ NVM area. The STS is not accessible for the user software.

The third part is the Flash Loader. This piece of software enables the download of the user software or parts of it to the SOLID FLASH™ NVM. The Flash Loader routines are stored in the especially protected test ROM but parts of it are also stored in the SOLID FLASH™ NVM. Depending on the order, the Flash Loader comes with the BPU-software enabling for TOE configuration at user premises. After completion of the download and/or final configuration of the TOE, and prior delivery to the end user, the user is obligated to lock the Flash Loader. Locking is the permanent deactivation of the Flash Loader meaning that if once locked it can no more be reactivated and used. Note that the Flash Loader routines are always present, but are deactivated in case of the derivatives ordered without the software download option. Thus the user interface is identically in both cases – with and without Flash Loader on board - and consequently the related interface routines can be called in each of the derivatives. Already the MMU blocks calls of the Flash Loader software at derivatives coming without Flash Loader. In derivatives with Flash Loader the related function is performed.

The fourth part is the Mifare compatible software interface routines. Note that these routines are always present, but deactivated, in case of the derivatives come without RF interface. Thus the user software interface is identical in both cases and consequently the related Mifare compatible interface routines can be called in each of the derivatives. In case the related Mifare compatible software interface routines are called in derivatives without RF interface, an error code is returned. In the other case the related function is performed.

All parts of the firmware above are combined together by the TOE generation process to a single file and stored then in the data files, the TOE is produced from. This comprises the firmware files for the ROM, where only Infineon Technologies AG has access, as well as the data to be flashed in the SOLID FLASH™ NVM.

The optional software part of the TOE consists of the SCL, RSA-, the EC-, the SHA-2 and the Toolbox libraries.

The SCL library is used to provide a high-level interface to DES/3DES and AES symmetric cryptographic operation. It uses the SCP of the underlying hardware but implementes also countermeasures against all known weaknesses of the SCP v3 (e.g. dummy calculations and block repetitions). The SCL libinary consists of three C-library files: Cipher.lib, AES.lib, and DES.lib. These files are not distributed separately, and, therefore, all these files are called together Symmetric Cryptographic Library.

The RSA library is used to provide a high level interface to the RSA cryptography implemented on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for the generation of RSA Key Pairs, the RSA signature verification, the RSA signature generation and the RSA modulus recalculation. The module provides the basic long number calculations (add, subtract, multiply, square with 1100 bit numbers) with high performance.

The RSA library is delivered as object code and in this way integrated in the user software. The RSA library can perform RSA operations from 512 to 4096 bits. Depending on the customer’s choice, the TOE can be delivered with the 4096 code portion or with the 2048 code portion only. The 2048 code portion is included in both.

Parts of the evaluation are the RSA straight operations with key length from 1976 bits to 2048 bits, and the RSA CRT¹ operations with key lengths of 1976 Bits to 4096 Bits.

The EC library is used to provide a high level interface to Elliptic Curve cryptography and includes countermeasures against SPA, DPA and DFA attacks. The routines are used for ECDSA signature generation,

¹ CRT: Chinese Remainder Theorem
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Target of Evaluation Description

ECDSA signature verification, ECDSA key generation and Elliptic Curve Diffie-Hellman key agreement. In addition, the EC library provides an interface to an addition function for primitive elliptic curve operations like ECC Add and ECC Double. ECC curves over prime field $\mathbb{F}_p$, as well as over GF($2^n$) finite field are supported too. Note that the according user guidance abbreviates the Elliptic Curve cryptographic functions with ECC.

The EC library is delivered as object code and in this way integrated in the user software. The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Numerous other curve types, being also secure in terms of side channel attacks on this TOE, exist, which the user optionally can add in the composition certification process.

The SHA-library provides the calculation of a hash value of freely chosen data input in the CPU. The SHA-library is delivered as object code and is in this way available for the user software. This secure hash-algorithm SHA-2 is intended to be used for hashing any type of user data. Further essential information about the usage is given in the confidential user guidance.

The Toolbox library does not provide cryptographic support or additional security functionality as it provides only the following basic long integer arithmetic and modular functions in software, supported by the cryptographic coprocessor: Addition, subtraction, division, multiplication, comparison, reduction, modular addition, modular subtraction, modular multiplication, modular inversion and modular exponentiation. No security relevant policy, mechanism or function is supported. The Toolbox library is deemed for software developers as support for simplified implementation of long integer and modular arithmetic operations.

The Base Library provides the low level interface to the asymmetric cryptographic coprocessor and has no user available interface. The Base Library does not provide any security functionality, implements no security mechanism, and does not provide additional specific security functionality.

Note: The cryptographic libraries SCL, RSA-, EC- and SHA-2 are delivery options. Therefore the TOE may come with free combinations of or without these libraries. In the case of coming without one or any combination of these libraries the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) and/or Elliptic Curve Cryptography (EC) and/or SHA-2 and/or Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). The Toolbox and Base Library are no cryptographic libraries and provide no additional specific security functionality.

2.2.3 Interfaces of the TOE

- The physical interface of the TOE to the external environment is the entire surface of the IC.
- The electrical interface of the TOE to the external environment is constituted by the pads of the chip, particularly the contacted RES, I/O, CLK lines and supply lines VCC and GND, as well as by the contactless RF interface. The contact based communication is according to ISO 7816/ETSI/EMV. A further electrical interface is constituted by the La and Lb pads used for the antenna connection and alternatively for the ACLB communication mode connecting an external reader chip which is not part of the TOE.
- The RF interface (radio frequency power and signal interface) enables contactless communication between a PICC (proximity integration chip card, PICC) and a PCD reader/writer (proximity coupling device, PCD). Power supply is received and data are received or transmitted by an antenna which consists of a coil with a few turns directly connected to the IC. Depending on customer orders the contactless interface options are set by means of blocking either at Infineon premises or at the premises of the user.
- The data-oriented I/O interface to the TOE is formed by the I/O pad and by the various RF options.
- The interface to the firmware is constituted by special registers used for hardware configuration and control (Special Function Registers, SFR).
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Target of Evaluation Description

- The interface of the TOE to the operating system is constituted on one hand by the RMS routine calls and on the other by the instruction set of the TOE.
- The interface of the TOE to the test routines is formed by the STS test routine call, i.e. entry to test mode (STS-TM entry).
- The interface to the RSA calculations is defined from the RSA library interface.
- The interface to the EC calculations is defined from the EC library interface.
- The interface to the SHA-2 calculation is defined from the SHA-2 library interface.
- The interface to the symmetric crypto-operations DES/3DES/AES is defined from the SCL library interface.

Note that the interfaces to the cryptographic libraries (SCL, RSA, EC and SHA-2) are optionally depending on the customer order.

2.2.4 Guidance documentation

The guidance documentation consists of the listing given in the chapter 9. The exact versions of these documents are also given there, as well as the document number referenced here. The documents provide guidance as follows:

- The document [4] Asymmetric Cryptographic Library Crypto@2304T contain all interfaces of the RSA, EC and Toolbox library and are only delivered to the user in case the RSA library and/or the EC library is/are part of the delivered TOE.
- The document Secure Hash Algorithm (SHA-2) [6] contains all interfaces of the SHA-2 library and is only delivered to the user in case the SHA-2 library is part of the delivered TOE. The security guidelines contain all hints and recommendations for a secure programming of the TOE.
- The document Crypto@2304T User Manual [7] describes the architecture of cryptographic coprocessor on register level. It also provides a functional description of the register architecture, instruction set and gives programming guidance.
- The document Errata sheet [9] contains the description of all interfaces of the software to the hardware relevant for programming the TOE. The SLE70 Family Errata Sheet can be changed during the life cycle of the TOE. This is reported in a monthly updated list provided from Infineon Technologies AG to the user.
- The document Advanced Mode for Mifare Technology (AMM) [11] describes how to apply this type of communication. This documentation is provisioned to the user if the AMM option has been ordered and is an addendum to the Hardware Reference Manual HRM [1].

Finally the certification report may contain an overview of the recommendations to the software developer regarding the secure use of the TOE. These recommendations are also included in the ordinary documentation.
2.2.5 Forms of delivery

The TOE can be delivered in form of complete modules, with or without inlay mounting, in form of plain wafers or in any IC case (for example TSSOP28, VQFN32, VQFN40, CCS-modules, etc.) or in bare dies or whatever type of package or even in no package. The form of delivery does not affect the TOE security and it can be delivered in any type, as long as the processes applied and sites involved have been audited as compliant to the Common Criteria scheme.

The delivery can therefore be at the end of phase 3 or at the end of phase 4 which can also include pre-personalization steps according to PP [12]. Nevertheless in both cases the TOE is finished and the extended test features are removed. In this document are always both cases mentioned to avoid incorrectness but from the security policy point of view the two cases are identical.

The delivery to the software developer (phase 2 → phase 1) contains the development package and is delivered in form of documentation as described above, data carriers containing the tools and emulators as development and debugging tool. Part of the software delivery could also be the Flash Loader program, provided by Infineon Technologies AG, running on the TOE and receiving the transmitted information of the user software to be loaded into the SOLID FLASH™ NVM. The download is only possible after successful authentication and the user software can also be downloaded in an encrypted way. In addition, the user is after he finalized the download and prior deliver to third party obligated to permanently lock further use of the Flash Loader. Note that it depends on the procurement order, whether the Flash Loader program is present or not.

2.2.6 Production sites

The TOE may be handled in different production sites but the silicon of this TOE is produced in two dedicated production sites. To distinguish the different production sites of various products in the field, the production site is coded into the Generic Chip Ident Mode (GCIM) data. The exact coding of the generic chip identification data is given in the confidential Security Target [10].
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Conformance Claims (ASE_CCL)

3 Conformance Claims (ASE_CCL)

3.1 CC Conformance Claim

This Security Target (ST) and the TOE claim conformance to Common Criteria version v3.1 part 1 [13], part 2 [14] and part 3 [15].

Conformance of this ST is claimed for:

Common Criteria part 2 extended and Common Criteria part 3 conformant

3.2 PP Claim

The Security IC Platform Protection Profile with Augmentation Packages is registered and certified by the Bundesamt für Sicherheit in der Informationstechnik (BSI) under the reference:


The security assurance requirements of the TOE are according to the Security IC Platform Protection Profile [12]. They are all drawn from Part 3 of the Common Criteria version v3.1.

3.3 Package Claim

This Security Target is in strict conformance to the Security IC Platform Protection Profile with Augmentation Packages [12]:

- Package “Loader”, Package 1: Loader dedicated for usage in secured environment only, section 7.3.1. This package is optional and fulfilled only by TOE products coming with Flash Loader.
- Package “TDES”; section 7.4.1
- Package “AES”; section 7.4.2
- Package “Hash-functions”, section 7.4.3

The assurance level for the TOE is:

EAL6 augmented (EAL6+) with the component ALC_FLR.1.

The augmentation goes beyond the PP [12] and is achieved - with regard to CCv3.1 Part 3: Security assurance components – as follows:

<table>
<thead>
<tr>
<th>Assurance Class</th>
<th>Assurance components</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Life-cycle support</td>
<td>ALC_FLR.1</td>
<td>Basic flaw remediation</td>
</tr>
</tbody>
</table>

The targeted EAL6+ level includes already the augmentations of the PP [12] AVA_VAN.5 and ALC_DVS.2.

The Security IC Platform Protection Profile with Augmentation Packages is registered and certified by the Bundesamt für Sicherheit in der Informationstechnik (BSI) under the reference:


---

1 Bundesamt für Sicherheit in der Informationstechnik (BSI) is the German Federal Office for Information Security
2 Bundesamt für Sicherheit in der Informationstechnik (BSI) is the German Federal Office for Information Security
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Conformance Claims (ASE_CCL)

The security assurance requirements of the TOE are according to the Security IC Platform Protection Profile [12]. They are all drawn from Part 3 of the Common Criteria version v3.1.

3.4 Conformance Rationale

This security target claims strict conformance to the PP [12].

The Target of Evaluation (TOE) is a typical security IC as defined in PP chapter 1.2.2 comprising:

- The circuitry of the IC (hardware including the physical memories)
- Configuration data, initialization data related to the IC Dedicated Software and the behavior of the security functionality
- The IC Dedicated Software with the parts
- The IC Dedicated Test Software,
- The IC Dedicated Support Software.
- The associated user’s guidance documentation.

The TOE is designed, produced and/or generated by the TOE Manufacturer.

3.4.1 Security Problem Definition

Following the PP [12], the security problem definition is enhanced by adding an additional threat, an organization security policy and an augmented assumption. Including these add-ons, the security problem definition of this security target is consistent with the statement of the security problem definition in the PP [12], as the security target claimed strict conformance to the PP [12].

3.4.2 Conformance Rationale

The augmented organizational security policy P.Add-Functions, coming from the additional security functionality of the cryptographic libraries, the augmented assumption A.Key-Function, related to the usage of key-depending function, and the threat memory access violation T.Mem-Access, due to specific TOE memory access control functionality, have been added. These add-ons have no impact on the conformance statements regarding CC [13] and PP [12], with following rational:

- The security target remains conformant to CC [13], claim 482 as the possibility to introduce additional restrictions is given.
- The security target fulfills the strict conformance claim of the PP [12] due to the application notes 4, 5 and 6 which apply here. By those notes the addition of further security functions and security services are covered, even without deriving particular security functionality from a threat but from a policy.

3.4.3 Adding Objective

Due to additional security functionality, one coming from the cryptographic libraries - O.Add-Functions and due to the memory access control - O.Mem-Access additional security objectives have been introduced. These add-ons have no impact on the conformance statements regarding CC [13] and PP [12], with following rational:

- The security target remains conformant to CC [13], claim 482 as the possibility to introduce additional restrictions is given.
- The security target fulfills the strict conformance of the PP [12] due to the application note 8 applying here. This note allows the definition of high-level security goals due to further functions or services provided to the Security IC Embedded Software.
3.4.4 AES and TDES

The PP [12] implements the optional policy cryptographic services P.Crypto_Service with its packages “TDES” and “AES”. This TOE provides these optional packages requiring secure hardware based cryptographic services for the IC Embedded Software as outlined in chapter 7.1.4.

Due to these optional additional security functionalities the security objectives O.TDES and O.AES have been introduced. These add-ons have no impact on the conformance statements regarding CC [14] and PP [12], with following rational:

- The security target fulfills the strict conformance claim of the PP [12] due to the application notes applying here. By these notes the addition of further security functions and security services are covered, even without deriving particular security functionality from a threat or a policy.

3.4.5 Loader

The PP [12] implements the optional policy for applying a Loader. The Loader is used to load data into the SOLID FLASH™ NVM. The Loader policy defines the Package 1 P.LIM_Block_Loader where the Loader is dedicated for usage in secure environment only. This TOE provides a Loader complying with this optional package 1 as outlined in chapter 4.2 and 5.2. Due to these optional additional security functionalities the security objectives O.Cap_Avail_Loader, Capability and availability of the Loader, and for the environment OE.Lim_Block_Loader, Limitation of capability and blocking the Loader, have been introduced. These add-ons have no impact on the conformance statements regarding CC [14] and PP [12], with following rational:

- The security target fulfills the strict conformance claim of the PP [12] due to the application notes applying here. By this note the addition of further security functions and security services are covered, even without deriving particular security functionality from a threat or a policy.

3.4.6 SHA

The PP [12] covers the optional objective Cryptographic service Hash function (O.SHA) and enforces the organizational security policy P.Crypto-Service and meets the related functional requirements as outlined in chapter 7.1.4.10. These add-ons have no impact on the conformance statements regarding CC [14] and PP [12], with following rational:

- The security target fulfills the strict conformance claim of the PP [12] due to the application notes applying here. By this note the addition of further security functions and security services are covered, even without deriving particular security functionality from a threat or a policy.

3.4.7 Summary

Due to the above rational, the security objectives of this security target are consistent with the statement of the security objectives in the PP [12]. The security target augments the required assurance package EAL4+ augmented with AVA_VAN.5 and ALC_DVS.2 of the PP[12] to EAL6+ augmented with ALC_FLR.1. All assurance components required for the PP[12] are also contained or a hierarchically higher assurance component used in this ST.

All security functional requirements defined in the PP [12] are included and completely defined in this ST. Additionally the security functional requirements as listed in Table 16 were added.

The following security functional requirements are included and completely defined in this ST, section 6.

- FPT_TST.2 “Subset TOE security testing” (Requirement from [12])
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Conformance Claims (ASE_CCL)

All assignments and selections of the security functional requirements are done in the PP [12] and in this Security Target.

3.5 Application Notes

The functional requirement FCS_RNG.1 is defined in the Protection Profile [12] and complete in this ST according to “Anwendungshinweise und Interpretationen zum Schema (AIS)” respectively “Functionality classes and evaluation methodology for physical random number generators”, AIS31 [16].
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Problem Definition (ASE_SPD)

4 Security Problem Definition (ASE_SPD)

The content of the PP [12] applies to this chapter completely.

4.1 Threats

The threats are directed against the assets and/or the security functions of the TOE. For example, certain attacks are only one step towards a disclosure of assets while others may directly lead to a compromise of the application security. The more detailed description of specific attacks is given later on in the process of evaluation and certification.

The threats to security are defined and described in PP [12] section 3.2.

Table 7 Threats according PP [12]

| T.Phys-Manipulation | Physical Manipulation |
| T.Phys-Probing | Physical Probing |
| T.Malfunction | Malfunction due to Environmental Stress |
| T.Leak-Inherent | Inherent Information Leakage |
| T.Leak-Forced | Forced Information Leakage |
| T.Abuse-Func | Abuse of Functionality |
| T.RND | Deficiency of Random Numbers |

4.1.1 Additional Threat due to TOE specific Functionality

The additional functionality of introducing sophisticated privilege levels and access control allows the secure separation between the operation system(s) and applications, the secure downloading of applications after personalization and enables multitasking by separating memory areas and performing access controls between different applications. Due to this additional functionality “area based memory access control” a new threat is introduced.

The Smartcard Embedded Software is responsible for its User Data according to the assumption “Treatment of User Data of the Composite TOE (A.Resp-Appl)”. However, the Smartcard Embedded Software may comprise different parts, for instance an operating system and one or more applications. In this case, such parts may accidentally or deliberately access data (including code) of other parts, which may result in a security violation.

The TOE shall avert the threat “Memory Access Violation (T.Mem-Access)” as specified below.

Table 8 Additional threats due to TOE specific functions and augmentations

| T.Mem-Access | Memory Access Violation |
| Parts of the Smartcard Embedded Software may cause security violations by accidentally or deliberately accessing restricted data (which may include code) or privilege levels. Any restrictions are defined by the security policy of the specific application context and must be implemented by the Smartcard Embedded Software.
4.1.2 Assets regarding the Threats

The primary assets concern the User Data which includes the user data of the Composite TOE as well as program code (Security IC Embedded Software) stored and in operation and the provided security services. These assets have to be protected while being executed and or processed and on the other hand, when the TOE is not in operation.

This leads to four primary assets with its related security concerns:

- SC1 integrity of User data of the Composite TOE
- SC2 confidentiality of user data of the Composite TOE being stored in the TOE's protected memory areas
- SC3 correct operation of the security services provided by the TOE for the Security IC Embedded Software
- SC4 deficiency of random numbers

SC4 is covered by an additional security service provided by this TOE which is the availability of random numbers. These random numbers are generated either by a physical true random number (PTRNG) or a deterministic random number (DRNG) generator or by both, if the true random number output is used as source for the seed input of the deterministic random number generator. Note that the generation of random numbers is a requirement of the PP [12].

To be able to protect the listed assets the TOE shall protect its security functionality as well. Therefore critical information about the TOE shall be protected. Critical information includes:

- logical design data, physical design data, IC Dedicated Software, and configuration data
- Initialization Data and Pre-personalization Data, specific development aids, test and characterization related data, material for software development support, and photomasks.

The information and material produced and/or processed by the TOE Manufacturer in the TOE development and production environment (Phases 2 up to TOE Delivery) can be grouped as follows:

- logical design data,
- physical design data,
- IC Dedicated Software, Security IC Embedded Software, Initialization Data and Pre-personalization Data,
- specific development aids,
- test and characterization related data,
- material for software development support, and
- photomasks and products in any form,

as long as they are generated, stored, or processed by the TOE Manufacturer.

For details see PP [12] section 3.1.

4.2 Organizational Security Policies

The TOE has to be protected during the first phases of their lifecycle (phases 2 up to TOE delivery which can be after phase 3 or phase 4). Later on each variant of the TOE has to protect itself. The organizational security policy covers this aspect.

P.Process-TOE Identification during TOE Development and Production

An accurate identification must be established for the TOE. This requires
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Problem Definition (ASE_SPD)

that each instantiation of the TOE carries this unique identification.

Due to the augmentations of PP [12] and the chosen packages additional policies are introduced and described in the next chapter.

Table 9  Organizational Security Policies according PP [12]

<table>
<thead>
<tr>
<th>P.Process-TOE</th>
<th>Identification during TOE Development and Production</th>
</tr>
</thead>
</table>

4.2.1 Augmented Organizational Security Policy

Due to the augmentations of the PP [12] and the chosen packages additional policies are introduced.

The TOE provides specific security functionality, which can be used by the Smartcard Embedded Software. In the following specific security functionality is listed which is not derived from threats identified for the TOE’s environment because it can only be decided in the context of the smartcard application, against which threats the Smartcard Embedded Software will use the specific security functionality.

The IC Developer / Manufacturer must apply the policy “Additional Specific Security Functionality (P.Add-Functions)” as specified below.

<table>
<thead>
<tr>
<th>P.Add-Functions</th>
<th>Additional Specific Security Functionality</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The TOE shall provide the following specific security functionality to the Smartcard Embedded Software:</td>
</tr>
<tr>
<td></td>
<td>Rivest-Shamir-Adleman Cryptography (RSA)</td>
</tr>
<tr>
<td></td>
<td>Elliptic Curve Cryptography (EC)</td>
</tr>
<tr>
<td></td>
<td>Advanced Encryption Standard (AES)</td>
</tr>
<tr>
<td></td>
<td>Triple Data Encryption Standard (TDES)</td>
</tr>
</tbody>
</table>

Note: The cryptographic libraries RSA, EC, SHA-2 and the Toolbox library are delivery options. Therefore the TOE may come with free combinations of or even without these libraries. In the case of coming without one or any combination of the cryptographic libraries RSA, EC and SHA-2, the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) and/or Elliptic Curve Cryptography (EC) and/or SHA-2. The Toolbox library is no cryptographic library and provides no additional specific security functionality. If RSA, EC or Toolbox libraries are part of the shipment, the Base Library is automatically included. The Base Library does not proved additional specific functionality. If RSA, EC or Toolbox libraries are part of the shipment, the Base Library is automatically included. The Base Library does not proved additional specific functionality. The TOE can also be delivered with optional SCL, containing AES and 3DES algorithms with additional security countermeasures. The optional SCL needs an accessible SCP.

The IC Developer / Manufacturer must apply the organizational security policy “Cryptographic services of the TOE (P.Crypto-Service)” as specified below:

<table>
<thead>
<tr>
<th>P.Crypto-Service</th>
<th>Cryptographic services of the TOE</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The TOE provides secure hardware based cryptographic services for the IC Embedded Software:</td>
</tr>
<tr>
<td></td>
<td>• Triple Data Encryption Standard (TDES)</td>
</tr>
<tr>
<td></td>
<td>• Advanced Encryption Standard (AES)</td>
</tr>
<tr>
<td></td>
<td>• Hash function SHA</td>
</tr>
</tbody>
</table>

This TOE can come with both cryptographic co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both cryptographic co-processors blocked. The blocking depends on the customer...
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Problem Definition (ASE_SPD)

demands prior to the production of the hardware. In case the SCP is blocked, no AES and DES computation supported by hardware is possible. In case the Crypto2304T is blocked, no RSA and EC computation supported by hardware is possible. The use of the SHA-2 library is also possible with both cryptographic coprocessors blocked. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors.

The organizational security policy P.Lim_Block_Loader applies only at TOE product coming with activated Flash Loader as specified below:

<table>
<thead>
<tr>
<th>P.Lim_Block_Loader</th>
<th>Limiting and Blocking the Loader Functionality</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The composite manufacturer uses the Loader for loading of Security IC Embedded Software, user data of the Composite Product or IC Dedicated Support Software in charge of the IC Manufacturer. He limits the capability and blocks the availability of the Loader in order to protect stored data from disclosure and manipulation.</td>
</tr>
</tbody>
</table>

4.3 Assumptions

The TOE assumptions on the operational environment are defined and described in PP [12] section 3.4.

The assumptions concern the phases where the TOE has left the chip manufacturer.

<table>
<thead>
<tr>
<th>A.Process-Sec-IC</th>
<th>Protection during Packaging, Finishing and Personalization</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>It is assumed that security procedures are used after delivery of the TOE by the TOE Manufacturer up to delivery to the end-consumer to maintain confidentiality and integrity of the TOE and of its manufacturing and test data (to prevent any possible copy, modification, retention, theft or unauthorized use).</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>A.Resp-Appl</th>
<th>Treatment of User data of the Composite TOE</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>All User data of the Composite TOE are owned by Security IC Embedded Software. Therefore, it must be assumed that security relevant User data of the Composite TOE (especially cryptographic keys) are treated by the Security IC Embedded Software as defined for its specific application context.</td>
</tr>
</tbody>
</table>

The support of cipher schemas needs to make an additional assumption.

Table 10 Assumptions according PP [12]

<table>
<thead>
<tr>
<th>A.Process-Sec-IC</th>
<th>Protection during Packaging, Finishing and Personalization</th>
</tr>
</thead>
<tbody>
<tr>
<td>A.Resp-Appl</td>
<td>Treatment of User Data of the Composite TOE</td>
</tr>
</tbody>
</table>
4.3.1 Augmented Assumptions

Usage of Key-dependent Functions

The developer of the Smartcard Embedded Software must ensure the appropriate “Usage of Key-dependent Functions (A.Key-Function)” while developing this software in Phase 1 as specified below.

<table>
<thead>
<tr>
<th>A.Key-Function</th>
<th>Usage of Key-dependent Functions</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>Key-dependent functions (if any) shall be implemented in the Smartcard Embedded Software in a way that they are not susceptible to leakage attacks (as described under T.Leak-Inherent and T.Leak-Forced).</td>
</tr>
</tbody>
</table>

Note that here the routines which may compromise keys when being executed are part of the Smartcard Embedded Software. In contrast to this the threats T.Leak-Inherent and T.Leak-Forced address (i) the cryptographic routines which are part of the TOE. For details see PP [12] section 3.4.
5 Security objectives (ASE_OBJ)

This section shows the subjects and objects where are relevant to the TOE. A short overview is given in the following.

The user has the following standard high-level security goals related to the assets:

- SG1 maintain the integrity of user data (when being executed/processed and when being stored in the TOE’s memories) as well as
- SG2 maintain the confidentiality of user data (when being processed and when being stored in the TOE’s protected memories).
- SG3 maintain the correct operation of the security services provided by the TOE for the Security IC Embedded Software.
- SG4 provide true random numbers.

5.1 Security objectives for the TOE

The security objectives of the TOE are defined and described in PP [12] sections 4.1, 7.3.1, 7.4

Table 11 Objectives for the TOE according to PP [12]

<table>
<thead>
<tr>
<th>Subject</th>
<th>Objective</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.Phys-Manipulation</td>
<td>Protection against Physical Manipulation</td>
</tr>
<tr>
<td>O.Phys-Probing</td>
<td>Protection against Physical Probing</td>
</tr>
<tr>
<td>O.Malfunction</td>
<td>Protection against Malfunction</td>
</tr>
<tr>
<td>O.Leak-Inherent</td>
<td>Protection against Inherent Information Leakage</td>
</tr>
<tr>
<td>O.Leak-Forced</td>
<td>Protection against Forced Information Leakage</td>
</tr>
<tr>
<td>O.Abuse-Func</td>
<td>Protection against Abuse of Functionality</td>
</tr>
<tr>
<td>O.Identification</td>
<td>TOE Identification</td>
</tr>
<tr>
<td>O.RND</td>
<td>Random Numbers</td>
</tr>
<tr>
<td>O.Cap_Avail_Loader</td>
<td>Capability and availability of the Loader Valid only for the TOE derivatives delivered with activated Flash Loader.</td>
</tr>
<tr>
<td>O.TDES</td>
<td>Cryptographic service Triple-DES</td>
</tr>
<tr>
<td>O.AES</td>
<td>Cryptographic service AES</td>
</tr>
<tr>
<td>O.SHA</td>
<td>Cryptographic service Hash function</td>
</tr>
</tbody>
</table>

Note: The objective O.Cap_Avail_Loader applies only at TOE products coming with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these objectives may then reoccur as subject of the composite TOE.
The TOE provides “Additional Specific Security Functionality (O.Add-Functions)” as specified below.

<table>
<thead>
<tr>
<th>O.Add-Functions</th>
<th>Additional Specific Security Functionality</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The TOE must provide the following specific security functionality to the Smartcard Embedded Software:</td>
</tr>
<tr>
<td></td>
<td>• Rivest-Shamir-Adleman Cryptography (RSA)</td>
</tr>
<tr>
<td></td>
<td>• Elliptic Curve Cryptography (EC)</td>
</tr>
<tr>
<td></td>
<td>• Advanced Encryption Standard (AES)</td>
</tr>
<tr>
<td></td>
<td>• Triple Data Encryption Standard (TDES)</td>
</tr>
</tbody>
</table>

Note: The cryptographic libraries RSA, EC, SHA-2 and the Toolbox library are delivery options. If one of the libraries RSA, EC and Toolbox or combination hereof are delivered, the Base Lib is automatically part of it. Therefore the TOE may come with free combinations of or even without these libraries. In the case of coming without one or any combination of the cryptographic libraries RSA, EC and SHA-2, the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) and/or Elliptic Curve Cryptography (EC) and/or SHA-2. The Toolbox and Base Library are no cryptographic libraries and provide no additional specific security functionality. The TOE can also be delivered with optional SCL, containing AES and 3DES algorithms with additional security countermeasures. The optional SCL needs an accessible SCP.

Note: This TOE can come with both cryptographic co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both cryptographic co-processors blocked. The blocking depends on the customer demands prior to the production of the hardware. In case the SCP is blocked, no AES and DES computation supported by hardware is possible. In case the Crypto2304T is blocked, no RSA and EC computation supported by hardware is possible. The use of the SHA-2 library is also possible with both cryptographic coprocessors blocked. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors. The TOE can also be delivered with optional SCL, containing AES and 3DES algorithms with additional security countermeasures. The optional SCL needs an accessible SCP.

The TOE shall provide “Area based Memory Access Control (O.Mem-Access)” as specified below.

<table>
<thead>
<tr>
<th>O.Mem-Access</th>
<th>Area based Memory Access Control</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The TOE must provide the Smartcard Embedded Software with the capability to define restricted access memory areas. The TOE must then enforce the partitioning of such memory areas so that access of software to memory areas and privilege levels is controlled as required, for example, in a multi-application environment.</td>
</tr>
</tbody>
</table>

Table 12 Additional objectives due to TOE specific functions and augmentations

<table>
<thead>
<tr>
<th>O.Add-Functions</th>
<th>Additional specific security functionality</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.Mem-Access</td>
<td>Area based Memory Access Control</td>
</tr>
</tbody>
</table>

5.2 Security Objectives for the development and operational Environment

The security objectives for the security IC embedded software development environment and the operational environment are defined in PP [12] section 4.2, 4.3 and 7.2.1. The optional package valid if the Flash Loader is present on the TOE is defined in PP [12] section 7.3.1.
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security objectives (ASE_OBJ)

The operational environment of the TOE shall provide “Limitation of capability and blocking the Loader (OE.Lim_Block_Loader)” as specified below:

<table>
<thead>
<tr>
<th>OE.Lim_Block_Loader</th>
<th>Limitation of capability and blocking the Loader</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>The Composite Product Manufacturer will protect the Loader functionality against misuse, limit the capability of the Loader and terminate irreversibly the Loader after intended usage of the Loader.</td>
</tr>
</tbody>
</table>

Note: Both objectives OE.Lim_Block_Loader for the development and operation environment apply only at TOE products coming with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software this objective may then reoccur as subject of the composite TOE.

The table below lists the security objectives.

<table>
<thead>
<tr>
<th>Phase 1</th>
<th>Phase 5 – 6 optional Phase 4</th>
<th>Phase 5 – 6 optional Phase 4</th>
</tr>
</thead>
<tbody>
<tr>
<td>OE.Resp-Appl</td>
<td>OE.Process-Sec-IC</td>
<td>OE.Lim_Block_Loader</td>
</tr>
<tr>
<td>Treatment of User data of the Composite TOE</td>
<td>Protection during composite product manufacturing</td>
<td>Limitation of capability and blocking the loader. Valid only for the TOE derivatives delivered with activated Flash Loader.</td>
</tr>
</tbody>
</table>

5.2.1 Clarification of “Protection during Composite product manufacturing (OE.Process-Sec-IC)”

The protection during packaging, finishing and personalization includes also the personalization process (Flash Loader software) and the personalization data (TOE software components) during Phase 4, Phase 5 and Phase 6.

5.2.2 Clarification of “Treatment of User Data (OE.Resp-Appl)”

Regarding the cryptographic services this objective of the environment has to be clarified. By definition cipher plain text data and cryptographic keys are user data of the Composite TOE. The Smartcard Embedded Software shall treat these data appropriately, use only proper secret keys (chosen from a large key space) as input for the cryptographic function of the TOE and use keys and functions appropriately in order to ensure the strength of cryptographic operation.

This means that keys are treated as confidential as soon as they are generated. The keys must be unique with a very high probability, as well as cryptographically strong. For example, it must be ensured that it is beyond practicality to derive the private key from a public key if asymmetric algorithms are used. If keys are imported into the TOE and/or derived from other keys, quality and confidentiality must be maintained. This implies that appropriate key management has to be realized in the environment.

Regarding the memory, software and firmware protection and the SFR and peripheral access rights handling these objectives of the environment have to be clarified. The treatment of user data of the Composite TOE is also required when a multi-application operating system is implemented as a part of the Smartcard Embedded Software on the TOE. In this case the multi-application operating system should not disclose security relevant user data of one application to another application when it is processed or stored on the TOE.
5.3 Security Objectives Rationale

The security objectives rationale of the TOE are defined and described in PP [12] section 4.4. For the additional objectives of this ST a rational is provided below.

Table 14 Security Objective Rationale

<table>
<thead>
<tr>
<th>Assumption, Threat or Organizational Security Policy</th>
<th>Security Objective</th>
</tr>
</thead>
<tbody>
<tr>
<td>P.Add-Functions</td>
<td>O.Add-Functions</td>
</tr>
<tr>
<td>A.Key-Function</td>
<td>OE.Resp-Appl</td>
</tr>
<tr>
<td>T.Mem-Access</td>
<td>O.Mem-Access</td>
</tr>
<tr>
<td>P.Crypto-Service</td>
<td>O.TDES</td>
</tr>
<tr>
<td>P.Crypto-Service</td>
<td>O.AES</td>
</tr>
<tr>
<td>P.Crypto-Service</td>
<td>O.SHA</td>
</tr>
<tr>
<td>P.Lim_Block_Loader</td>
<td>O.Cap_Avail_Loader</td>
</tr>
<tr>
<td></td>
<td>OE.Lim_Block_Loader</td>
</tr>
</tbody>
</table>

The justification related to the security objective “Additional Specific Security Functionality (O.Add-Functions)” is as follows: Since O.Add-Functions requires the TOE to implement exactly the same specific security functionality as required by P.Add-Functions; the organizational security policy is covered by the objective.

Nevertheless the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced define how to implement the specific security functionality required by P.Add-Functions. (Note that these objectives support that the specific security functionality is provided in a secure way as expected from P.Add-Functions.) Especially O.Leak-Inherent and O.Leak-Forced refer to the protection of confidential data (User data of the composite TOE or TSF data) in general. User data of the composite TOE are also processed by the specific security functionality required by P.Add-Functions.

Compared to the PP [12] a further clarification has been made for the security objective “Treatment of user data of the Composite TOE (OE.Resp-Appl)”: By definition cipher or plain text data and cryptographic keys are user data of the Composite TOE. So, the Smartcard Embedded Software will protect such data if required and use keys and functions appropriately in order to ensure the strength of cryptographic operation. The user has appropriate means to generate a key in a safe environment and import it to the TOE. Quality and confidentiality must be maintained for keys that are imported and/or derived from other keys. This implies that appropriate key management has to be realized in the environment. That is expressed by the assumption A.Key—Function which is covered from OE.Resp-Appl. These measures make sure that the assumption A.Resp-Appl is still covered by the security objective OE.Resp-Appl although additional functions are being supported according to P.Add-Functions.

Compared to the PP [12] an enhancement regarding memory area protection has been established. The clear definition of privilege levels for operated software establishes the clear separation of different restricted memory areas for running the firmware, downloading and/or running the operating system and to establish a clear separation between different applications. Nevertheless, it is also possible to define a shared memory section where separated applications may exchange defined data. The privilege levels clearly define by using a hierarchical model the access right from one level to the other. These measures ensure that the threat T.Mem-Access is clearly covered by the security objective O.Mem-Access.

The PP [12] chapter 7.3.1 considers the life cycle phases of the TOE also with the organizational policy P.Lim_Block_Loader as the TOE must be protected against download of hazardous software before the user downloads his software and also after the user has completed his download. This is formalized with the
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security objectives (ASE_OBJ)

objective O.Cap_Avail_Loader requiring limited capability of the Loader functionality and irreversible termination of the Loader. Both requirements are fulfilled by the Flash Loader due the strong authentication means enabling only the allowed user for the download and due to final locking command to be applied by the user before delivery. As a consequence the operational environment objective OE.Lim_Block_Loader obligates the composite manufacturer to protect the Loader functionality against misuse, limit the capability of the Loader and terminate irreversibly the Loader after intended usage of the Loader. The Flash Loader provides the required functionality to be applied by the composite manufacturer for covering this objective.

The objective O.Cap_Avail_Loader as well as OE.Lim_Block_Loader and the organizational policy P.Lim_Block_Loader as discussed in PP [12] chapter 7.3.1 apply only at TOE products at the life cycle phase delivery, if the these products come with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these objectives may then reoccur as subject of the composite TOE.

The PP [12] includes the organizational security policy P.Crypto-Service Cryptographic services of the TOE in a different extend as it formalizes the objectives O.TDES, O.AES and O.SHA.
For the objective O.TDES a concrete standard reference (NIST) with operational modes is given the implementation must follow and also the cryptographic key destruction is regulated. The implementation complies to the given security functional requirements and the objective O.TDES is met.

For the objective O.AES a concrete standard reference (NIST) with a selection of key lengths is given the implementation must follow and also the cryptographic key destruction is regulated. The implementation complies to the given security functional requirements and the objective O.AES is met.

For the objective O.SHA a concrete standard reference (FIPS) with an algorithm selection is given the implementation must follow. The implementation complies to the given security functional requirements and the objective O.AES is met.

The justification of the additional policy and the additional assumption show that they do not contradict to the rationale already given in the Protection Profile for the assumptions, policy and threats defined there.
6 Extended Component Definition (ASE_ECD)

The following extended components are defined and described for the TOE:

- the family FCS_RNG at the class FCS Cryptographic Support
- the family FMT_LIM at the class FMT Security Management
- the family FAU_SAS at the class FAU Security Audit
- the family FDP_SDC at the class FDP User Data Protection
- the component FPT_TST.2 at the class FPT Protection of the TSF

The extended components FCS_RNG, FMT_LIM, FAU_SAS and FDP_SDC are defined and described in PP [12] section 5. The component FPT_TST.2 is defined in the following.

6.1 Component “Subset TOE security testing (FPT_TST.2)”

The security is strongly dependent on the correct operation of the security functions. Therefore, the TOE shall support that particular security functions or mechanisms are tested in the operational phase (Phase 7). The tests can be initiated by the Smartcard Embedded Software and/or by the TOE or is done automatically and continuously.

Part 2 of the Common Criteria provides the security functional component “TSF testing (FPT_TST.1)”. The component FPT_TST.1 provides the ability to test the TSF’s correct operation.

For the user it is important to know which security functions or mechanisms can be tested. The functional component FPT_TST.1 does not mandate to explicitly specify the security functions being tested. In addition, FPT_TST.1 requires verification of the integrity of TSF data and of the stored TSF executable code which might violate the security policy. Therefore, the functional component “Subset TOE security testing (FPT_TST.2)” of the family TSF self-test has been newly created. This component allows that particular parts of the security mechanisms and functions provided by the TOE are tested.

6.2 Definition of FPT_TST.2

The functional component “Subset TOE security testing (FPT_TST.2)” has been newly created (Common Criteria Part 2 extended). This component allows that particular parts of the security mechanisms and functions provided by the TOE can be tested after TOE Delivery or are tested automatically and continuously during normal operation transparent for the user.

This security functional component is used instead of the functional component FPT_TST.1 from Common Criteria Part 2. For the user it is important to know which security functions or mechanisms can be tested. The functional component FPT_TST.1 does not mandate to explicitly specify the security functions being tested. In addition, FPT_TST.1 requires verifying the integrity of TSF data and stored TSF executable code which might violate the security policy.

The functional component “Subset TOE testing (FPT_TST.2)” is specified as follows (Common Criteria Part 2 extended).

6.3 TSF self-test (FPT_TST)


Component leveling
FPT_TST.1: The component FPT_TST.1 is defined in [14] section 15.14 (444, 445, 446).

FPT_TST.2: Subset TOE security testing, provides the ability to test the correct operation of particular security functions or mechanisms. These tests may be performed at start-up, periodically, at the request of the authorized user, or when other conditions are met. It also provides the ability to verify the integrity of TSF data and executable code.

Management: FPT_TST.2

The following actions could be considered for the management functions in FMT:

- Management of the conditions under which subset TSF self-testing occurs, such as during initial start-up, regular interval or under specified conditions
- Management of the time of the interval appropriate.

Audit: FPT_TST.2

There are no auditable events foreseen.

<table>
<thead>
<tr>
<th>FPT_TST.2</th>
<th>Subset TOE testing</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies to other components.</td>
</tr>
</tbody>
</table>

**FPT_TST.2.1**

The TSF shall run a suite of self-tests [selection: during initial start-up, periodically during normal operation, at the request of the authorized user, and/or at the conditions [assignment: conditions under which self-test should occur]] to demonstrate the correct operation of [assignment: functions and/or mechanisms].
7  Security Requirements (ASE_REQ)

For this section the PP [12] section 6 can be applied completely.

7.1  TOE Security Functional Requirements

The security functional requirements (SFR) for the TOE are defined and described in the PP [12] section 6.1 and in the following description.

Following table provides an overview of the functional security requirements of the TOE, defined in the PP [12] section 6.1. In the last column it is marked if the requirement is refined. The refinements are also valid for this ST.

<table>
<thead>
<tr>
<th>Security Functional Requirement</th>
<th>Refined y/n or Defined in PP [12]</th>
</tr>
</thead>
<tbody>
<tr>
<td>FRUFLT.2 “Limited fault tolerance”</td>
<td>Yes</td>
</tr>
<tr>
<td>FPT_FLS.1 “Failure with preservation of secure state”</td>
<td>Yes</td>
</tr>
<tr>
<td>FMT_LIM.1 “Limited capabilities”</td>
<td>No</td>
</tr>
<tr>
<td>FMT_LIM.2 “Limited availability”</td>
<td>No</td>
</tr>
<tr>
<td>FAU_SAS.1 “Audit storage”</td>
<td>Defined</td>
</tr>
<tr>
<td>FDP_SDC.1 “Stored data confidentiality”</td>
<td>Defined</td>
</tr>
<tr>
<td>FDP_SDI.2 “Stored data integrity monitoring and action”</td>
<td>No</td>
</tr>
<tr>
<td>FPT_PHP.3 “Resistance to physical attack”</td>
<td>Yes</td>
</tr>
<tr>
<td>FDP_ITT.1 “Basic internal transfer protection”</td>
<td>Yes</td>
</tr>
<tr>
<td>FPT_ITT.1 “Basic internal TSF data transfer protection”</td>
<td>Yes</td>
</tr>
<tr>
<td>FDP_IFC.1 “Subset information flow control”</td>
<td>No</td>
</tr>
<tr>
<td>FCS_RNG.1 “Random number generation”</td>
<td>Defined</td>
</tr>
<tr>
<td>FMT_LIM.1/Loader “Limited Capabilities”</td>
<td>Defined</td>
</tr>
<tr>
<td>FMT_LIM.2/Loader “Limited Availability”</td>
<td>Defined</td>
</tr>
<tr>
<td>FCS_COP.1/TDES “Cryptographic operation – TDES”</td>
<td>No</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES “Cryptographic key destruction – TDES”</td>
<td>No</td>
</tr>
<tr>
<td>FCS_COP.1/AES “Cryptographic operation – AES”</td>
<td>No</td>
</tr>
<tr>
<td>FCS_CKM.4/AES “Cryptographic key destruction – AES”</td>
<td>No</td>
</tr>
<tr>
<td>FCS_COP.1/SHA “Cryptographic operation – SHA”</td>
<td>No</td>
</tr>
</tbody>
</table>

Following table provides an overview about the augmented security functional requirements, which are added additional to the TOE and defined in this ST. All requirements are taken from Common Criteria Part 2 [14], with the exception of the requirement FPT_TST.2 which is defined in this ST completely.
Table 16  Augmented security functional requirements

<table>
<thead>
<tr>
<th>Security Functional Requirement</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FPT_TST.2</td>
<td>“Subset TOE security testing“</td>
</tr>
<tr>
<td>FDP_ACC.1</td>
<td>“Subset access control“</td>
</tr>
<tr>
<td>FDP_ACF.1</td>
<td>“Security attribute based access control“</td>
</tr>
<tr>
<td>FMT_MSA.1</td>
<td>“Management of security attributes“</td>
</tr>
<tr>
<td>FMT_MSA.3</td>
<td>“Static attribute initialization“</td>
</tr>
<tr>
<td>FMT_SMF.1</td>
<td>“Specification of Management functions“</td>
</tr>
<tr>
<td>FDP_SDI.1</td>
<td>“Stored data integrity monitoring“</td>
</tr>
<tr>
<td>FCS_COP.1/RSA-v2.03.008</td>
<td>“Cryptographic Operation – RSA“</td>
</tr>
<tr>
<td>FCS_CKM.1/RSA-v2.03.008</td>
<td>“Cryptographic key management - RSA“</td>
</tr>
<tr>
<td>FCS_COP.1/ECDSA-v2.03.008</td>
<td>“Cryptographic Operation – ECDSA“</td>
</tr>
<tr>
<td>FCS_CKM.1/EC-v2.03.008</td>
<td>“Cryptographic key management - EC“</td>
</tr>
<tr>
<td>FCS_COP.1/ECDH-v2.03.008</td>
<td>“Cryptographic Operation – ECDH“</td>
</tr>
<tr>
<td>FCS_COP.1/AES_SCL</td>
<td>“Cryptographic operation – AES - SCL“</td>
</tr>
<tr>
<td>FCS_CKM.4/AES_SCL</td>
<td>“Cryptographic key destruction – AES - SCL“</td>
</tr>
<tr>
<td>FCS_COP.1/TDES_SCL</td>
<td>“Cryptographic operation – TDES - SCL“</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES_SCL</td>
<td>“Cryptographic key destruction – TDES - SCL“</td>
</tr>
</tbody>
</table>

All assignments and selections of the security functional requirements of the TOE are done in PP [12] and in the following description.

The security functional requirements FMT_LIM.1/Loader and FMT_LIM.2/Loader apply only at TOE products coming with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these security functional requirements may then reoccur as subject of the composite TOE.

7.1.1  Extended Components FCS_RNG.1 and FAU_SAS.1

7.1.1.1  FCS_RNG

To define the IT security functional requirements of the TOE an additional family (FCS_RNG) of the Class FCS (cryptographic support) is defined in the PP [12]. This family describes the functional requirements for random number generation used for cryptographic purposes.

Please note that the national regulation are outlined in PP [12] chapter 7.5.1 and in AIS31 [16]. These regulations apply for this TOE.

The functional requirement FCS_RNG.1 is fulfilled for FCS_RNG.1 as follows and is defined in the Protection Profile [12] according to “AIS31 Anwendungshinweise und Interpretationen zum Schema (AIS)” respectively in English language “A proposal for: Functionality classes for random number generators” [16].

<table>
<thead>
<tr>
<th>FCS_RNG.1</th>
<th>Random Number Generation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies</td>
</tr>
</tbody>
</table>

| FCS_RNG.1 | Random numbers generation Class PTG.2 according to [16] |
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

FCS_RNG.1.1 The TSF shall provide a physical random number generator that implements:

PTG.2.1 A total failure test detects a total failure of entropy source immediately when the RNG has started. When a total failure is detected, no random numbers will be output.

PTG.2.2 If a total failure of the entropy source occurs while the RNG is being operated, the RNG prevents the output of any internal random number that depends on some raw random numbers that have been generated after the total failure of the entropy source.

PTG.2.3 The online test shall detect non-tolerable statistical defects of the raw random number sequence (i) immediately when the RNG has started, and (ii) while the RNG is being operated. The TSF must not output any random numbers before the power-up online test has finished successfully or when a defect has been detected.

PTG.2.4 The online test procedure shall be effective to detect non-tolerable weaknesses of the random numbers soon.

PTG.2.5 The online test procedure checks the quality of the raw random number sequence. It is triggered continuously. The online test is suitable for detecting non-tolerable statistical defects of the statistical properties of the raw random numbers within an acceptable period of time.

FCS_RNG.1.2 The TSF shall provide numbers in the format 8- or 16-bit that meet

PTG.2.6 Test procedure A, as defined in [16] does not distinguish the internal random numbers from output sequences of an ideal RNG.

PTG.2.7 The average Shannon entropy per internal random bit exceeds 0.997.

Note: The physical random number generator implements total failure testing of the random source data and a continuous random number generator test according to:

7.1.1.2 FAU_SAS

The PP [12] defines additional security functional requirements with the family FAU_SAS of the class FAU (Security Audit). This family describes the functional requirements for the storage of audit data. It has a more general approach than FAU_GEN, because it does not necessarily require the data to be generated by the TOE itself and because it does not give specific details of the content of the audit records.

The TOE shall meet the requirement “Audit storage (FAU_SAS.1)” as specified below (Common Criteria Part 2 extended).

FAU_SAS.1 Audit Storage
Hierarchical to: No other components
Dependencies: No dependencies.

FAU_SAS.1.1 The TSF shall provide the test process before TOE Delivery with the capability to store the Initialization Data and/or Pre-personalization Data and/or supplements of the Security IC Embedded Software in the not changeable configuration page area and non-volatile memory.
**7.1.2 Subset of TOE testing**

The security is strongly dependent on the correct operation of the security functions. Therefore, the TOE shall support that particular security functions or mechanisms are tested in the operational phase (Phase 7). The tests can be initiated by the Smartcard Embedded Software and/or by the TOE.

The TOE shall meet the requirement “Subset TOE testing (FPT_TST.2)” as specified below (Common Criteria Part 2 extended).

<table>
<thead>
<tr>
<th>FPT_TST.2</th>
<th>Subset TOE testing</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies.</td>
</tr>
</tbody>
</table>

The TOE shall run a suite of self-tests at the request of the authorized user to demonstrate the correct operation of the alarm lines and/or following environmental sensor mechanisms:

- PFD - Post Failure Detection
- CORE – CPU related alarms
- SCP - Symmetric Cryptographic Co-Processor
- Temperature alarm
- Memory Bus
- EDC – Error Detection Code
- FSE – Internal Frequency Sensor alarm
- Light – Light sensitive alarm
- WDT - Watch Dog Timer related alarms
- SW – Software triggered alarm
- PTRNG respectively TRNG – Physical True Random Number Generator

**7.1.3 Memory access control**

Usage of multiple applications in one Smartcard often requires code and data separation in order to prevent that one application can access code and/or data of another application. For this reason the TOE provides Area based Memory Access Control. The underlying memory management unit (MMU) is documented in section 4 in the hardware reference manual HRM [1].

The security service being provided is described in the Security Function Policy (SFP) Memory Access Control Policy. The security functional requirement “Subset access control (FDP_ACC.1)” requires that this policy is in place and defines the scope it applies. The security functional requirement “Security attribute based access control (FDP_ACF.1)” defines security attribute usage and characteristics of policies. It describes the rules for the function that implements the Security Function Policy (SFP) as identified in FDP_ACC.1. The decision whether an access is permitted or not is taken based upon attributes allocated to the software. The Smartcard Embedded Software defines the attributes and memory areas. The corresponding permission control information is evaluated “on-the-fly” by the hardware so that access is granted/effective or denied/inoperable.

The security functional requirement “Static attribute initialization (FMT_MSA.3)” ensures that the default values of security attributes are appropriately either permissive or restrictive in nature. Alternative values can be specified by any subject provided that the Memory Access Control Policy allows that. This is described by the security functional requirement “Management of security attributes (FMT_MSA.1)”. The attributes are determined during TOE manufacturing (FMT_MSA.3) or set at run-time (FMT_MSA.1).
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Requirements (ASE_REQ)

From TOE’s point of view the different roles in the Smartcard Embedded Software can be distinguished according to the memory based access control. However the definition of the roles belongs to the user software.

The following Security Function Policy (SFP) **Memory Access Control Policy** is defined for the requirement “Security attribute based access control (FDP_ACF.1)”:

**Memory Access Control Policy**

The TOE shall control read, write, delete and execute accesses of software running at the privilege levels as defined below. Any access is controlled, regardless whether the access is on code or data or a jump on any other privilege level outside the current one.

The memory model provides distinct, independent privilege levels separated from each other in the virtual address space. These levels are referred to as the Infineon Technologies (IFX) level, operating system 1 and 2 levels (OS1, OS2), shared application level, and application 1 and 2 levels. A pseudo-level is the “current” level, which is simply the level on which code is currently being executed. The access rights are controlled by the MMU and related to the privilege level as depicted in following diagram:

**Table 17  Privilege levels of the TOE**

<table>
<thead>
<tr>
<th>Current level</th>
<th>0</th>
</tr>
</thead>
<tbody>
<tr>
<td>Reserved</td>
<td>1</td>
</tr>
<tr>
<td>IFX level</td>
<td>2</td>
</tr>
<tr>
<td>Operating System 1</td>
<td>3</td>
</tr>
<tr>
<td>Operating System 2</td>
<td>4</td>
</tr>
<tr>
<td>Shared Application</td>
<td>5</td>
</tr>
<tr>
<td>Application 1</td>
<td>6</td>
</tr>
<tr>
<td>Application 2</td>
<td>7</td>
</tr>
</tbody>
</table>

The TOE shall meet the requirement “Subset access control (FDP_ACC.1)” as specified below.

<table>
<thead>
<tr>
<th>FDP_ACC.1</th>
<th>Subset access control</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>FDP_ACF.1 Security attribute based access control</td>
</tr>
<tr>
<td>FDP_ACC.1.1</td>
<td>The TSF shall enforce the <strong>Memory Access Control Policy</strong> on all subjects (software running at the defined and assigned privilege levels), all objects (data including code stored in memories) and all the operations defined in the <strong>Memory Access Control Policy</strong>, i.e. privilege levels.</td>
</tr>
</tbody>
</table>

The TOE shall meet the requirement “Security attribute based access control (FDP_ACF.1)” as specified below.

<table>
<thead>
<tr>
<th>FDP_ACF.1</th>
<th>Security attribute based access control</th>
</tr>
</thead>
</table>
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

Hierarchical to: No other components.

Dependencies:
- FDP_ACC.1 Subset access control
- FMT_MSA.3 Static attribute initialization

**FDP_ACF.1.1**
The TSF shall enforce the Memory Access Control Policy to objects based on the following:

- **Subject:**
  - Software running at the IFX, OS1 and OS2 privilege levels required to securely operate the chip. This includes also privilege levels running interrupt routines.
  - Software running at the privilege levels containing the application software

- **Object:**
  - Data including code stored in memories

- **Attributes:**
  - The memory area where the access is performed to and/or
  - The operation to be performed.

**FDP_ACF.1.2**
The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:

evaluate the corresponding permission control information of the relevant memory range before, during or after the access so that accesses to be denied cannot be utilized by the subject attempting to perform the operation.

**FDP_ACF.1.3**
The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: none.

**FDP_ACF.1.4**
The TSF shall explicitly deny access of subjects to objects based on the following additional rules: none.

The TOE shall meet the requirement “Static attribute initialisation (FMT_MSA.3)” as specified below.

---

**FMT_MSA.3** Static attribute initialisation

Hierarchical to: No other components.

Dependencies:
- FMT_MSA.1 Management of security attributes
- FMT_SMR.1 Security roles

**FMT_MSA.3.1**
The TSF shall enforce the Memory Access Control Policy to provide well defined 1 default values for security attributes that are used to enforce the SFP.

**FMT_MSA.3.2**
The TSF shall allow any subject, provided that the Memory Access Control Policy is enforced and the necessary access is therefore allowed 2, to specify alternative initial values to override the default values when an object or information is created.

---

1 The static definition of the access rules is documented in the hardware reference manual as listed in chapter 1.1.
The TOE shall meet the requirement “Management of security attributes (FMT_MSA.1)” as specified below:

<table>
<thead>
<tr>
<th>FMT_MSA.1 Management of security attributes</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
</tr>
<tr>
<td>- FDP_ACC.1 Subset access control or</td>
</tr>
<tr>
<td>FDP_IFC.1 Subset information flow control</td>
</tr>
<tr>
<td>- FMT_SMF.1 Specification of management functions</td>
</tr>
<tr>
<td>- FMT_SMR.1 Security roles</td>
</tr>
<tr>
<td>FMT_MSA.1.1 The TSF shall enforce the Memory Access Control Policy to restrict the ability to change default, modify or delete the security attributes permission control information to the software running on the privilege levels.</td>
</tr>
</tbody>
</table>

The TOE shall meet the requirement “Specification of management functions (FMT_SMF.1)” as specified below:

<table>
<thead>
<tr>
<th>FMT_SMF.1 Specification of management functions</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to: No other components</td>
</tr>
<tr>
<td>Dependencies:</td>
</tr>
<tr>
<td>No dependencies</td>
</tr>
<tr>
<td>FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: access the configuration registers of the MMU.</td>
</tr>
</tbody>
</table>

7.1.4 **Support of Cipher Schemes**

The following additional specific security functionality is implemented in the TOE:

FCS_COP.1 Cryptographic operation requires a cryptographic operation to be performed in accordance with a specified algorithm and with a cryptographic key of specified sizes. The specified algorithm and cryptographic key sizes can be based on an assigned standard; dependencies are discussed in Section 7.3.1.1 “Dependencies of Security Functional Requirements”.

The following additional specific security functionality is implemented in the TOE:

- Advanced Encryption Standard (AES)
- Triple Data Encryption Standard (3DES)
- Elliptic Curve Cryptography (EC)
- Rivest-Shamir-Adleman (RSA)²
- Secure Hash Algorithm (SHA-2)

Note that the additional function of the EC library, providing the primitive elliptic curve operations, does not add specific security functionality.

*Note: This TOE can come with both crypto co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both crypto co-processors blocked. The blocking depends on the customer demands prior to the production of the hardware. In case the SCP is blocked, no AES and DES computation supported by hardware is possible. In case the Crypto2304T is blocked, no RSA and EC computation supported by hardware is possible.*

¹ The Smartcard Embedded Software is intended to set the memory access control policy.

² For the case the TOE comes without RSA and/or EC library, the TOE provides basic HW-related routines for RSA and/or EC calculations. For a secure library implementation the user has to implement additional countermeasures himself.
hardware is possible. In case of a blocked Crypto2304T the optionally delivered cryptographic and the supporting Toolbox and Base Library cannot be used in that TOE product. The use of the SHA-2 library is also possible with both crypto coprocessors blocked. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors. The TOE can also be delivered with optional SCL, containing AES and TDES algorithms with additional security countermeasures. The optional SCL needs an accessible SCP.

7.1.4.1 Preface regarding Security Level related to Cryptography

The strength of the cryptographic algorithms was not rated in the course of the product certification (see [33] Section 9, Para.4, Clause 2). But cryptographic functionalities with a security level of lower than 100 bits can no longer be regarded as secure without considering the application context. Therefore, for these functions it shall be checked whether the related cryptographic operations are appropriate for the intended system. Some further hints and guidelines can be derived from the “Technische Richtlinie BSI TR-02102”, [www.bsi.bund.de](http://www.bsi.bund.de).

Any cryptographic functionality that is marked in the column “Security level above 100 Bits” of the following table with a “no” achieves a security level of lower than 100 Bits (in general context).

### Table 18 Cryptographic TOE functionality

<table>
<thead>
<tr>
<th>Cryptographic Mechanism</th>
<th>Standard of Implementation</th>
<th>Key Size in Bits</th>
<th>Security Level above 100 Bits</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Cryptographic Primitive</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Triple DES</td>
<td>[20], [21], [32]</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[20], [21], [32]</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>proprietary</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[20], [21]</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[21], [29], [30], [31]</td>
<td></td>
<td></td>
</tr>
<tr>
<td>AES</td>
<td>[21], [29], [30], [31]</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Cryptographic Mechanism</td>
<td>Standard of Implementation</td>
<td>Key Size in Bits</td>
<td>Security Level above 100 Bits</td>
</tr>
<tr>
<td>------------------------------------------------</td>
<td>----------------------------</td>
<td>------------------------------------------------------</td>
<td>-------------------------------</td>
</tr>
<tr>
<td>RSA encryption / decryption / signature generation / verification (only modular exponentiation part)</td>
<td>Version v2.03.008: [22], [28]</td>
<td>Modulus length = 1976 - 4096</td>
<td>Yes</td>
</tr>
<tr>
<td>Physical True RNG PTG.2</td>
<td>[16]</td>
<td>N/A</td>
<td>N/A</td>
</tr>
<tr>
<td>ECDH</td>
<td>[18], [19], [24], [27], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-{224, 256, 384, 521}, K-{233, 409}, B-{233, 283, 409} [18], brainpoolP[224,256,320,384,512]r1, brainpoolP[224,256,320,384,512]t1 [19]</td>
<td>Yes</td>
</tr>
<tr>
<td>ECDH</td>
<td>[18], [19], [24], [27], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-192, K-163 [18] and brainpoolP[160, 192]r1, brainpoolP[160, 192]t1 [19]</td>
<td>No</td>
</tr>
<tr>
<td>ECDSA key generation</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-{224, 256, 384, 521}, K-{233, 409}, B-{233, 283, 409} [18], brainpoolP[224,256,320,384,512]r1, brainpoolP[224,256,320,384,512]t1 [19]</td>
<td>Yes</td>
</tr>
<tr>
<td>ECDSA key generation</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-192, K-163 [18] and brainpoolP[160, 192]r1, brainpoolP[160, 192]t1 [19]</td>
<td>No</td>
</tr>
<tr>
<td>ECDSA signature generation</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-{224, 256, 384, 521}, K-{233, 409}, B-{233, 283, 409} [18], brainpoolP[224,256,320,384,512]r1, brainpoolP[224,256,320,384,512]t1 [19]); According to sections 7.3 [23]</td>
<td>Yes</td>
</tr>
<tr>
<td>ECDSA signature generation</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-192, K-163 [18] and brainpoolP[160, 192]r1, brainpoolP[160, 192]t1 [19]; According to sections 7.3 [23]</td>
<td>No</td>
</tr>
<tr>
<td>Cryptographic Mechanism</td>
<td>Standard of Implementation</td>
<td>Key Size in Bits</td>
<td>Security Level above 100 Bits</td>
</tr>
<tr>
<td>-----------------------------------------</td>
<td>----------------------------</td>
<td>---------------------------------------------------------------------------------</td>
<td>------------------------------</td>
</tr>
<tr>
<td>EDCSA signature verification</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-{224, 256, 384, 521}, K-{233, 409}, B-{233, 283, 409} [18], brainpoolP{224,256,320,384,512}r1, brainpoolP{224,256,320,384,512}t1 [19]; According to sections 7.3 [23]</td>
<td>Yes</td>
</tr>
<tr>
<td>EDCSA signature verification</td>
<td>[18], [19], [23], [26], [28]</td>
<td>Key sizes corresponding to the used elliptic curves P-192, K-163 [18] and brainpoolP{160, 192}r1, brainpoolP{160, 192}t1 [19]; According to sections 7.3 [23]</td>
<td>No</td>
</tr>
</tbody>
</table>
### 7.1.4.2 Triple-DES Operation

The DES Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below.

<table>
<thead>
<tr>
<th>FCS_COP.1/TDES</th>
<th>Cryptographic operation – TDES</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES</td>
<td>Cryptographic key destruction – TDES</td>
</tr>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
</tbody>
</table>

The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm TDES in the Electronic Codebook Mode (ECB), in the Cipher Block Chaining Mode (CBC), in the Blinding Feedback Mode (BLD), in the Cipher Block Chaining Mode (CBC-MAC), in the CBC-MAC- encrypt-last-block (CBC-MAC-ELB) and in the Recrypt Mode and cryptographic key sizes of 112 bit and 168 bit that meet the following standards:

- **ECB, CBC, BLD:**
  
  National Institute of Standards and Technology (NIST) SP 800-67 Rev. 1 [20]

- **ECB, CBC, BLD:**
  
  National Institute of Standards and Technology (NIST) SP 800-38A [21]

- **CBC-MAC, CBC-MAC-ELB:**
  
  ISO/IEC 9797-1 Mac Algorithm 1 [32]

- **Recrypt Mode**
  
  Proprietary, description given in the hardware reference manual HRM [1]

**Note:** The BLD and Recrypt operation modes are described in the hardware reference manual HRM [1] while the implementations of the other modes follow the referenced standards. Also the BLD is compliant to the referenced standards but is operated in a masked way.

<table>
<thead>
<tr>
<th>FCS_CKM.4.1/TDES</th>
<th>Cryptographic key destruction – TDES</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
</tbody>
</table>

The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting or zeroing that meets the following:

None

**Note:** The key destruction can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP key registers.
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

**FCS_COP.1/TDES_SCL**  Cryptographic operation

Hierarchical to: No other components.

Dependencies:
- [FDP_ITC.1 Import of user data without security attributes, or
- FDP_ITC.2 Import of user data with security attributes, or
- FCS_CKM.1 Cryptographic key generation]

**FCS_COP.1.1/TDES_SCL**  The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm DES/3DES in the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB) and Counter (CTR) Modes and with cryptographic key sizes of 112 bit and 168 bit that meet the following standards:

- **ECB, CBC, CFB, CTR:**
  National Institute of Standards and Technology (NIST) SP 800-67 Rev. 1 [20]

- **ECB, CBC, CFB, CTR:**
  National Institute of Standards and Technology (NIST) SP 800-38A [21]

**Note:** This SFR refers to the DES interface provided by the SCL. This TOE can be delivered with SCP accessible or blocked. In case the SCP is blocked, no 3DES computation supported by hardware is possible and this SFR is not applicable. The TOE can be delivered with the optional SCL library. If the SCL is not available then the SFR is not applicable.

**FCS_CKM.4/TDES_SCL**  Cryptographic key destruction – TDES - SCL

Hierarchical to: No other components.

Dependencies:
- [FDP_ITC.1 Import of user data without security attributes, or
- FDP_ITC.2 Import of user data with security attributes, or
- FCS_CKM.1 Cryptographic key generation]

**FCS_CKM.4.1/TDES_SCL**  The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method *overwriting or zeroing* that meets the following:

None

**Note:** The key destruction can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP key registers.

### 7.1.4.3 AES Operation

The AES Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” and “Cryptographic key destruction” as specified below.

**FCS_COP.1/AES**  Cryptographic operation – AES

Hierarchical to: No other components.

Dependencies:
- [FDP_ITC.1 Import of user data without security attributes, or
- FDP_ITC.2 Import of user data with security attributes, or
- FCS_CKM.1 Cryptographic key generation]
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Requirements (ASE_REQ)

<table>
<thead>
<tr>
<th>FCS_COP.1.1/AES</th>
<th>Cryptographic operation – AES</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation</td>
</tr>
</tbody>
</table>

FCS_COP.1.1/AES_SCL

| Hierarchical to:| No other components.         |
| Dependencies:   | FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation |

FCS_CKM.4/AES

<table>
<thead>
<tr>
<th>Cryptographic key destruction – AES</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
</tbody>
</table>

FCS_CKM4.1/AES_SCL

<table>
<thead>
<tr>
<th>Cryptographic key destruction – AES - SCL</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
</tbody>
</table>

FCS_CKM.4

<table>
<thead>
<tr>
<th>Cryptographic key destruction</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
</tbody>
</table>

FCS_CKM4.1

<table>
<thead>
<tr>
<th>The TSF shall perform decryption and encryption in accordance with a specified cryptographic algorithm AES in ECB, CBC, CTR and CFB mode and cryptographic key sizes of 128 bit, 192 bit and 256 bit that meet the following standards:</th>
</tr>
</thead>
<tbody>
<tr>
<td>• National Institute of Standards and Technology (NIST) SP 800-38A [21]</td>
</tr>
<tr>
<td>• ISO/IEC 10118-3 [29]</td>
</tr>
<tr>
<td>• ISO/IEC 18033-3 [30]</td>
</tr>
<tr>
<td>• FIPS 197 [31]</td>
</tr>
</tbody>
</table>

Note: The key destruction can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP key registers.
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

| cryptographic key destruction method overwriting or zeroing that meets the following: |
| Dependencies: None |

Note: This SFR refers to the AES interface provided by the SCL. This TOE can be delivered with SCP accessible or blocked. In case the SCP is blocked, no AES computation supported by hardware is possible and this SFR is not applicable. The TOE can be delivered with the optional SCL library. If the SCL is not available then the SFR is not applicable.

7.1.4.4  Rivest-Shamir-Adleman (RSA) operation

The Modular Arithmetic Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below.

Please consider also the statement of chapter 7.1.4.1.

Valid for cryptographic library version v2.03.008:

| FCS_COP.1/RSA-v2.03.008 |
| Cryptographic operation |
| Hierarchical to: No other components. |
| Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction |

FCS_COP.1.1/RSA-v2.03.008

The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm Rivest-Shamir-Adleman (RSA) and cryptographic key sizes 1976-4096 bits that meet the following standards:

**Encryption:**

1. According to section 5.1.1 RSAEP in PKCS [22]:
   - Supported for \( n < 2^{2048+128} \)
   - 5.1.1(1) not supported

2. According to section 8.2.2 IFEP-RSA in IEEE [28]:

Supported for \( n < 2^{4096+128} \)

**Decryption (with or without CRT):**

1. According to section 5.1.2 RSADP in PKCS [22]:

   for \( u = 2, \) i.e., without any \( (r_i, d_i, t_i), i > 2 \)
   - 5.1.2(1) not supported
   - 5.1.2(2.a) not supported for \( n < 2^{2048+64} \)
   - 5.1.2(2.b) supported for \( p \times q < 2^{4096+128} \)
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

- 5.1.2(2.b) (ii)&(v) not applicable due to u = 2

2. According to section 8.2.3 IEEE [28]:
- 8.2.1(I) supported for \( n < 2^{2048 + 64} \)
- 8.2.1(II) supported for \( p \times q < 2^{4096 + 128} \)

8.2.1(III) not supported

**Signature Generation (with or without CRT):**
1. According to section 5.2.1 RSASP1 in PKCS [22]:
   - for \( u = 2 \), i.e., without any \( (r_i, d_i, t_i), i > 2 \)
     - 5.2.1(1) not supported
     - 5.2.1(2.a) supported for \( n < 2^{2048 + 64} \)
     - 5.2.1(2b) supported for \( p \times q < 2^{4096 + 128} \)
     - 5.2.1(2b) (ii)&(v) not applicable due to \( u = 2 \)

2. According to section 8.2.4 IFSP-RSA1 in IEEE [28]:
   - 8.2.1(I) supported for \( n < 2^{2048 + 64} \)
   - 8.2.1(II) supported for \( p \times q < 2^{4096 + 128} \)

8.2.1(III) not supported

**Signature Verification:**
1. According to section 5.2.2 RSAVP1 in PKCS [22]:
   - supported for \( n < 2^{4096 +128} \)
     - 5.2.2(1) not supported

2. According to section 8.2.5 IEEE [28]:
   - Supported for \( n < 2^{4096 +128} \)

8.2.5(1) not supported

7.1.4.5 **Rivest-Shamir-Adleman (RSA) key generation**

The key generation for the RSA shall meet the requirement “Cryptographic key generation (FCS_CKM.1)”

<table>
<thead>
<tr>
<th>Valid for cryptographic library version v2.03.008:</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>FCS_CKM.1/RSA-v2.03.008</strong></td>
</tr>
</tbody>
</table>

Hierarchical to: No other components.

Dependencies: FCS_CKM.2 Cryptographic key distribution, or
              FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm \textit{rsagen1} and specified cryptographic key sizes of $1976 - 4096$ bits that meet the following standard:

1. According to section 3.1 and 3.2 in PKCS [22]:
   
   for $u=2$, i.e., without any $(r_i, d_i, t_i)$, $i > 2$
   
   - 3.1 supported for $n < 2^{4096 + 128}$
   - 3.2(1) supported for $n < 2^{2048 + 64}$
   - 3.2(2) supported for $p \times q < 2^{4096 + 128}$

2. According to section 8.1.3.1 in IEEE [28]:
   
   - 8.1.3.1(1) supported for $n < 2^{2048 + 64}$
   - 8.1.3.1(2) supported for $p \times q < 2^{4096 + 128}$
   - 8.1.3.1(3) supported for $p \times q < 2^{2048 + 64}$

Note: For easy integration of RSA functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required

Please consider also the statement of chapter 7.1.4.1.

Note: The TOE can be delivered with or without the RSA library. If the TOE comes with, automatically the Base Library is part of the shipment. In the case of coming without the RSA library the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) realized with the security functional requirements FCS_COP.1/RSA-v2.03.008 and FCS_CKM.1/RSA-v2.03.008. In case of a blocked Crypto2304T the optionally delivered cryptographic and the supporting Toolbox and Base Library cannot be used in that TOE product.

### 7.1.4.6 General Preface regarding Elliptic Curve Cryptography

The EC library is delivered as object code and in this way integrated in the user software. The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Numerous other curve types, being also secure in terms of side channel attacks on this TOE, exist, which the user optionally can add in the composition certification process.

All curves are based on finite field GF(p) with size $p \in \left[ 2^{n-1}, 2^{521} \right]$ as well as curves based on a finite field GF($2^n$) with size $n \in [1; 41]$ are supported.

### 7.1.4.7 Elliptic Curve DSA (ECDSA) Signature Generation and Verification

The Modular Arithmetic Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below.

<table>
<thead>
<tr>
<th>FCS_COP.1/ECDSA- v2.03.008</th>
<th>Cryptographic operation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
</tbody>
</table>
Public Security Target
Common Criteria EAL6 augmented / EAL6+
Security Requirements (ASE_REQ)

Dependences: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction

FCS_COP.1.1/ECDSA-v2.03.008

The TSF shall perform signature generation and signature verification in accordance with a
specified cryptographic algorithm ECDSA and cryptographic key sizes 160, 163, 192, 224, 233,
256, 283, 320, 384, 409, 512 or 521 bits that meet the following standard:

For v2.03.008

**ECDSA Signature Generation:**

1. According to section "7.3 Signing Process" in ANSI X9.62 - 2005:
   o Step d) and e) not supported.
   o The output of step e) has to be provided as input to our function by the caller.
   o Deviation of step c) and f):
     ▪ The jumps to step a) were substituted by a return of the function with an error code, the jumps are emulated by another call to our function.

2. According to section "6.4.3 Signature process" in ISO/IEC 14888-3:2006:
   o 6.4.3.3 not supported.
   o 6.4.3.5 not supported:
     ▪ the hash-code H of the message has to be provided by the caller as input to our function.
   o 6.4.3.7 not supported.
   o 6.4.3.8 not supported.

3. According to section "7.2.7 ECSP-DSA" in IEEE Std 1363-2000:
   o Deviation of step (3) and (4):
     ▪ The jumps to step 1, were substituted by a return of the function with an error code, the jumps are emulated by another call to our function.

**ECDSA Signature Verification:**

1. According to section "7.4.1 Verification with the Public Key" in ANSI X9.62 - 2005:
   o Step b) and c) not supported.
   o The output of step c) has to be provided as input to our function by the caller.
   o Deviation of step d):
     ▪ Beside noted calculation, our algorithm adds a random multiple of BasepointOrder n to the calculated values \( u_1 \) and \( u_2 \).

2. According to section "6.4.4 Signature Verification Process" in ISO/IEC 14888-3:2006:
   o 6.4.4.2 not supported.
   o 6.4.4.3 not supported:
     ▪ the hash-code H of the message has to be provided by the caller as input to our function.


**Note:** The former ISO/IEC standard 15946 has been withdrawn.

For easy integration of EC functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required.
7.1.4.8 **Elliptic Curve (EC) key generation**

The key generation for the EC shall meet the requirement “Cryptographic key generation (FCS_CKM.1)”.

<table>
<thead>
<tr>
<th>FCS_CKM.1/EC-</th>
<th>Cryptographic key generation</th>
</tr>
</thead>
<tbody>
<tr>
<td>v2.03.008</td>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>FCS_CKM.2 Cryptographic key distribution, or</td>
</tr>
<tr>
<td></td>
<td>FCS_COP.1 Cryptographic operation</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4 Cryptographic key destruction</td>
</tr>
<tr>
<td>FCS_CKM.1.1/EC-</td>
<td>The TSF shall generate cryptographic keys in accordance with a specified cryptographic key</td>
</tr>
<tr>
<td>v2.03.008</td>
<td>generation algorithm <em>Elliptic Curve EC specified in [21] and ISO/IEC 15946-1:2002</em> and specified</td>
</tr>
<tr>
<td></td>
<td>cryptographic key sizes 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 bits that</td>
</tr>
<tr>
<td></td>
<td>meet the following standard:</td>
</tr>
<tr>
<td></td>
<td><strong>For v2.03.008</strong></td>
</tr>
<tr>
<td></td>
<td>ECDSA Key Generation:</td>
</tr>
<tr>
<td></td>
<td>1. According to the appendix A4.3 Elliptic Curve Key Pair Generation in ANSI X9.62 [23]: The optional cofactor ( h ) is not supported.</td>
</tr>
<tr>
<td></td>
<td>2. According to section 6.4.2 Generation of signature key and verification key in ISO/IEC 14888-3 [26]</td>
</tr>
</tbody>
</table>

Note: The former ISO/IEC standard 15946 has been withdrawn.

Note: For easy integration of EC functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required.

### 7.1.4.9 **Elliptic Curve Diffie-Hellman (ECDH) key agreement**

The Modular Arithmetic Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below. The following statements hold true for both cryptographic library versions.

<table>
<thead>
<tr>
<th>FCS_COP.1/ECDH-</th>
<th>Cryptographic operation</th>
</tr>
</thead>
<tbody>
<tr>
<td>v2.03.008</td>
<td>Hierarchical to: No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>[FDP_ITC.1 Import of user data without security attributes, or</td>
</tr>
<tr>
<td></td>
<td>FDP_ITC.2 Import of user data with security attributes, or</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.1 Cryptographic key generation]</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4 Cryptographic key destruction</td>
</tr>
<tr>
<td>FCS_COP.1.1/ECDH-</td>
<td>The TSF shall perform elliptic curve Diffie-Hellman key agreement in accordance with a</td>
</tr>
</tbody>
</table>
Note: The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Numerous other curve types, being also secure in terms of side channel attacks on this TOE, exist, which the user optionally can add in the composition certification process.

Note: For easy integration of EC functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required.

Note: The TOE can be delivered with or without the EC library. If the TOE comes with, automatically the Base Library is part of the shipment. In the case the TOE comes without, it does not provide the Additional Specific Security Functionality Elliptic Curve Cryptography realized with the security functional requirements FCS_COP.1/ECSA-v2.03.008, FCS_COP.1/ECDH-v2.03.008 and FCS_CKM.1/EC-v2.03.008. In case of a blocked Crypto2304T, the RSA and EC cryptographic library cannot be used. In case of a blocked Crypto2304T the optionally delivered cryptographic RSA and EC, as well as the supporting Toolbox and Base Library cannot be used in that TOE product.

The EC primitives allow the selection of various curves. The selection of the curves depends to the user.

7.1.4.10 SHA-2 Operation

The SHA-2 Operation of the TOE shall meet the requirement “Cryptographic operation (FCS_COP.1)” as specified below.

<table>
<thead>
<tr>
<th>FCS_COP.1/SHA</th>
<th>Cryptographic operation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]</td>
</tr>
<tr>
<td>FCS_CKM.4 Cryptographic key destruction</td>
<td></td>
</tr>
</tbody>
</table>

FCS_COP.1/SHA The TSF shall perform hashing in accordance with a specified cryptographic algorithm SHA-256 and SHA-512 and cryptographic key sizes none that meet the following FIPS 180-4:


Note that the SHA-2 cryptographic operation is a keyless operation.

In case of a blocked Crypto2304T, the cryptographic libraries RSA, EC and Toolbox are not delivered, but the SHA library still can be part of the TOE.
Public Security Target  
Common Criteria EAL6 augmented / EAL6+  

Security Requirements (ASE_REQ)  

Note: The TOE can be delivered without the SHA-2 library. In this case the TOE does not provide the Additional Specific Security Functionality SHA-2 library, realized with the security functional requirements FCS_COP.1/SHA.

Note: The secure hash-algorithm SHA-2 is intended to be used for signature generation, verification and generic data integrity checks. The SHA-library provides the calculation of a hash value of freely chosen data input in the CPU. The SHA-library is delivered as object code and is in this way available for the user software. Further essential information about the usage is given in the confidential user guidance.

7.1.5 Data Integrity

The TOE shall meet the requirement “Stored data integrity monitoring (FDP_SDI.1)” as specified below:

<table>
<thead>
<tr>
<th>FDP_SDI.1</th>
<th>Stored data integrity monitoring</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies</td>
</tr>
<tr>
<td>FDP_SDI.1.1</td>
<td>The TSF shall monitor user data stored in containers controlled by the TSF for inconsistencies between stored data and corresponding EDC on all objects, based on the following attributes: EDC values for RAM, ROM and the SOLID FLASH™ NVM.</td>
</tr>
</tbody>
</table>

The TOE shall meet the requirement “Stored data integrity monitoring and action (FDP_SDI.2)” as specified below:

<table>
<thead>
<tr>
<th>FDP_SDI.2</th>
<th>Stored data integrity monitoring and action</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>FDP_SDI.1 stored data integrity monitoring</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies</td>
</tr>
<tr>
<td>FDP_SDI.2.1</td>
<td>The TSF shall monitor user data stored in containers controlled by the TSF for data integrity and one- and/or more-bit-errors on all objects, based on the following attributes: corresponding EDC value for the memories and error correction for the SOLID FLASH™ NVM.</td>
</tr>
<tr>
<td>FDP_SDI.2.2</td>
<td>Upon detection of a data integrity error, the TSF shall correct 1 bit errors in the SOLID FLASH™ NVM automatically and inform the user about more bit errors.</td>
</tr>
</tbody>
</table>

The TOE shall meet the requirement “Stored data confidentiality (FDP_SDC.1)” as specified below:

<table>
<thead>
<tr>
<th>FDP_SDC.1</th>
<th>Stored data confidentiality</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies</td>
</tr>
<tr>
<td>FDP_SDC.1.1</td>
<td>The TSF shall ensure the confidentiality of the information of the user data while it is stored in the RAM, ROM, Cache and SOLID FLASH™ NVM.</td>
</tr>
</tbody>
</table>

7.1.6 Support of the Flash Loader

The usage of the Flash Loader is only allowed in secured environment during the production phase. For this reason the TOE shall meet the requirements “Limited capabilities (FMT_LIM.1/Loader)” as specified below:

<table>
<thead>
<tr>
<th>FMT_LIM.1/Loader</th>
<th>Limited capabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>FMT_LIM.2 Limited availability.</td>
</tr>
<tr>
<td>FMT_LIM.1.1/Loader</td>
<td>The TSF shall be designed and implemented in a manner that limits its capabilities</td>
</tr>
</tbody>
</table>
so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced: Deploying Loader functionality after permanent deactivation does not allow stored user data to be disclosed or manipulated by unauthorized user.

The TOE shall meet the requirement “Limited availability – Loader (FMT_LIM.2/Loader)” as specified below:

**FMT_LIM.2/Loader**  
**Limited availability - Loader**

- **Hierarchical to:** No other components.
- **Dependencies:** FMT_LIM.1 Limited capabilities.
- **FMT_LIM.2/Loader**

The TSF shall be designed in a manner that limits its availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is enforced: The TSF prevents deploying the Loader functionality after permanent deactivation.

The security functional requirements FMT_LIM.1/Loader and FMT_LIM.2/Loader apply only at TOE products coming with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these security functional requirements may then reoccur as subject of the composite TOE.

### 7.2 TOE Security Assurance Requirements

The evaluation assurance level is EAL6 augmented with ALC_FLR.1.

In the following table, the security assurance requirements are given. The augmentation of the assurance components compared to the Protection Profile [12] is expressed with bold letters.

**Table 19**  
**Assurance Components**

<table>
<thead>
<tr>
<th>Aspect</th>
<th>Acronym</th>
<th>Description</th>
<th>Refinement</th>
</tr>
</thead>
<tbody>
<tr>
<td>Development</td>
<td>ADV_ARC.1</td>
<td>Security Architecture Description</td>
<td>In PP [12]</td>
</tr>
<tr>
<td></td>
<td>ADV_FSP.5</td>
<td>Complete semi-formal functional specification with additional error information</td>
<td>in ST</td>
</tr>
<tr>
<td></td>
<td>ADV_IMP.2</td>
<td>Complete mapping of the implementation representation of the TSF</td>
<td>in ST</td>
</tr>
<tr>
<td></td>
<td>ADV_INT.3</td>
<td>Minimally complex internals</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ADV_TDS.5</td>
<td>Complete semi-formal modular design</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ADV_SPM.1</td>
<td>Formal TOE security policy model</td>
<td></td>
</tr>
<tr>
<td>Guidance Documents</td>
<td>AGD_OPE.1</td>
<td>Operational user guidance</td>
<td>In PP [12]</td>
</tr>
<tr>
<td></td>
<td>AGD_PRE.1</td>
<td>Preparative procedures</td>
<td>In PP [12]</td>
</tr>
<tr>
<td>Life-Cycle Support</td>
<td>ALC_CMC.5</td>
<td>Advanced support</td>
<td>In ST</td>
</tr>
<tr>
<td></td>
<td>ALC_CMS.5</td>
<td>Development tools CM coverage</td>
<td>In ST</td>
</tr>
<tr>
<td></td>
<td>ALC_DEL.1</td>
<td>Delivery procedures</td>
<td>In PP [12]</td>
</tr>
<tr>
<td></td>
<td>ALC_DVS.2</td>
<td>Sufficiency of security measures</td>
<td>In PP [12]</td>
</tr>
<tr>
<td></td>
<td>ALC_LCD.1</td>
<td>Developer defined life-cycle model</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ALC_TAT.3</td>
<td>Compliance with implementation standards – all parts</td>
<td></td>
</tr>
</tbody>
</table>
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Requirements (ASE_REQ)

<table>
<thead>
<tr>
<th>Aspect</th>
<th>Acronym</th>
<th>Description</th>
<th>Refinement</th>
</tr>
</thead>
<tbody>
<tr>
<td>Security Target Evaluation</td>
<td>ALC_FLR.1</td>
<td>Basic Flaw Remediation</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_CCL.1</td>
<td>Conformance claims</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_ECD.1</td>
<td>Extended components definition</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_INT.1</td>
<td>ST introduction</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_OBJ.2</td>
<td>Security objectives</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_REQ.2</td>
<td>Derived security requirements</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_SPD.1</td>
<td>Security problem definition</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ASE_TSS.1</td>
<td>TOE summary specification</td>
<td></td>
</tr>
<tr>
<td>Tests</td>
<td>ATE_COV.3</td>
<td>Rigorous analysis of coverage</td>
<td>In ST</td>
</tr>
<tr>
<td></td>
<td>ATE_DPT.3</td>
<td>Testing: modular design</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ATE_FUN.2</td>
<td>Ordered functional testing</td>
<td></td>
</tr>
<tr>
<td></td>
<td>ATE_IND.2</td>
<td>Independent testing - sample</td>
<td></td>
</tr>
<tr>
<td>Vulnerability Assessment</td>
<td>AVA_VAN.5</td>
<td>Advanced methodical vulnerability analysis</td>
<td>in PP [12]</td>
</tr>
</tbody>
</table>

### 7.2.1  Refinements

Some refinements are taken unchanged from the PP [12]. In some cases a clarification is necessary. In the table above an overview is given where the refinement is done.

The refinements from the PP [12] have to be discussed here in the Security Target, as the assurance level is increased. The refinements from the PP [12] are included in the chosen assurance level EAL 6 augmented with ALC_FLR.1.

### 7.2.1.1  Development (ADV)

**ADV_IMP Implementation Representation:**

The refined assurance package ADV_IMP.1 implementation representation of the TSF requires the availability of the entire implementation representation, a mapping of the design description to the implementation representation with a level of detail that the TSF can be generated without further design decisions. In addition, the correspondence of design description and implementation representation shall be demonstrated.

The covered higher assurance package ADV_IMP.2 requires a complete and not curtailed mapping of the implementation representation of the TSF, and the mapping of the design description to the entire implementation representation. In addition, the correspondence of design description and the implementation representation shall be demonstrated. The ADV_IMP.1 aspect and refinement remains therefore valid. The enhancement underlines the refinement in the PP [12] and by that the entirely complete design i.e. not curtailed representation with according mapping was provided, demonstrated and reviewed.

**ADV_FSP Functional Specification:**

The ADV_FSP.4 package requires a functional description of the TSFIs and there assignment to SFR-enforcing, SFR-supporting, SFR-non-interfering, including related error messages, the assurance package. The enhancement of ADV_FSP.5 requires additionally a complete semi-formal functional specification with additional error information. In addition the package includes a tracing from the functional specification to the SFRs, as well as the TSFIs descriptions including error messages not resulting from an invocation of a TSFI. These aspects from ADV_FSP.5 are independent from the ADV_FSP.4 refinements from the PP [12] but
constitute an enhancement of it. By that the aspects of ADV_FSP.4 and its refinement in the PP [12] apply also here. The assurance and evidence was provided accordingly.

### 7.2.1.2 Life-cycle Support (ALC)

**ALC_CMS Configuration Management Scope:**

The Security IC embedded firmware and the optional software are part of TOE and delivered together with the TOE as the firmware and optional software are stored in the ROM and/or SOLID FLASH™ NVM. The presence of the optional parts belongs to the user order. Both, the firmware and software delivered with the TOE are controlled entirely by Infineon Technologies. In addition, the TOE offers the possibility that the user can download his software at his own premises. These parts of the software are user controlled only and are not part of this TOE. The download of this solely user controlled software into the SOLID FLASH™ NVM is protected by strong authentication means. In addition, the download itself could also be encrypted. By the augmentation of ALC_CMS.4 to ALC_CMS.5 the configuration list includes additional the development tools. The package ALC_CMS.5 is therefore an enhancement to ACL_CMS.4 and the package with its refinement in the PP [12] remains valid. The assurance and evidence was provided accordingly.

**ALC_CMC Configuration Management Capabilities:**

The PP refinement from the assurance package ALC_CMC.4 Production support, acceptance procedures and automation points out that the configuration items comprise all items defined under ALC_CMS to be tracked under configuration management. In addition a production control system is required guaranteeing the traceability and completeness of different charges and lots. Also the number of wafers, dies and chips must be tracked by this system as well as procedures applied for managing wafers, dies or complete chips being removed from the production process in order to verify and to control predefined quality standards and production parameters. It has to be controlled that these wafers, dies or assembled devices are returned to the same production stage from which they are taken or they have to be securely stored or destroyed otherwise.

The additionally covered extended package of ALC_CMC.5 Advance Support requires advanced support considering the automatisms configuration management systems, acceptance and documentation procedures of changes, role separation with regard to functional roles of personnel, automatisms for tracking and version controlling in those systems, and includes also production control systems. The additional aspects of ALC_CMC.5 constitute an enhancement of ACL_CMC.4 and therefore the aspects and ACL_CMC.4 refinements in the PP [12] remain valid. The assurance and evidence was provided.

### 7.2.1.3 Tests (ATE)

**ATE_COV Test Coverage:**

The PP refined assurance package ATE_COV.2 Analysis of coverage addresses the extent to which the TSF is tested, and whether or not the testing is sufficiently extensive to demonstrate that the TSF operates as specified. It includes the test documentation of the TSFIs in the functional specification. In particular the refinement requires that The TOE must be tested under different operating conditions within the specified ranges. In addition, the existence and effectiveness of mechanisms against physical attacks should be covered by evidence that the TOE has the particular physical characteristics. This is furthermore detailed in the PP [12].

This assurance package ATE_COV.2 has been enhanced to ATE_COV.3 to cover the rigorous analysis of coverage. This requires the presence of evidence that exhaustive testing on rigorous entirely all interfaces as documented in the functional specification was conducted. By that ATE_COV.2 and refinements as given in the PP [12] are enhanced by ATE_COV.3 and remain as well. The TSFIs were completely tested according to ATE_COV.3 and the assurance and evidence was provided.
7.2.2 ADV_SPM Formal Security Policy Model

It is the objective of this family to provide additional assurance from the development of a formal security policy model of the TSF, and establishing a correspondence between the functional specification and this security policy model. Preserving internal consistency the security policy model is expected to formally establish the security principles from its characteristics by means of a mathematical proof.

| ADV_SPM.1 | Formal TOE security policy model |
| Hierarchical to: | No other components |
| Dependencies: | ADV_FSP.4 Complete function description |

**ADV_SPM.1.1D**

The developer shall provide a formal security policy model for the *Memory Access Control Policy and the corresponding SFRs*

- *FDP_ACC.1 Subset Access Control*
- *FDP_ACF.1 Security attribute based access control*
- *FMT_MSA.1 Management of Security Attributes*
- *FMT_MSA.3 Static Attribute Initialization.*

Moreover, the following *SFRs shall be addressed by the formal security policy model*:

- *FDP_SDl.1 Stored data integrity monitoring*
- *FDP_SDl.2 Stored data integrity monitoring and action*
- *FDP_SDC Stored data confidentiality*
- *FDP_ITT.1 Basic Internal Transfer Protection*
- *FDP_IFC.1 Information Flow Control*
- *FPT_ITT.1 Basic internal TSF data transfer protection*
- *FPT_PHP.3 Resistance to physical attack*
- *FPT_FLS.1 Failure with preservation of secure state*
- *FRU_FLT.2 Limited fault tolerance*
- *FMT_LIM.1 Limited capabilities*
- *FMT_LIM.2 Limited availability*
- *FAU_SAS.1 Audit storage*
- *FMT_SMF.1 Specification of Management Functions*

**ADV_SPM.1.2D**

For each policy covered by the formal security policy model, the model shall identify the relevant portions of the statement of SFRs that make up that policy.

**ADV_SPM.1.3D**

The developer shall provide a formal proof of correspondence between the model and any formal functional specification.

**ADV_SPM.1.4D**

The developer shall provide a demonstration of correspondence between the model and the functional specification.
7.3 Security Requirements Rationale

7.3.1 Rationale for the Security Functional Requirements

The rational for the security functional requirements are given in the PP [12] chapter 6.3.1 with a mapping of the SFRs to their objectives. The SFRs and rational for the loader are given in PP [12] chapter 7.3.1 and the rational for the cryptographic services is given in chapter 7.4.

PP [12] chapter 6.1 includes also the definition of FDP_SDI.2 „Stored data integrity monitoring and action“.

The additional introduced SFRs are discussed below:

Table 20 Rational for additional SFR in the ST

<table>
<thead>
<tr>
<th>Objective</th>
<th>TOE Security Functional Requirements</th>
</tr>
</thead>
</table>
| O.Add-Functions| FCS_COP.1/RSA-v2.03.008 „Cryptographic operation“  
|                | FCS_COP.1/ECDSA-v2.03.008 „Cryptographic operation“  
|                | FCS_COP.1/ECDH-v2.03.008 „Cryptographic operation“  
|                | FCS_CKM.1/RSA-v2.03.008 „Cryptographic key generation “  
|                | FCS_CKM.1/EC-v2.03.008 „Cryptographic key generation“  
|                | FCS_COP.1/AES_SCL „Cryptographic operation“  
|                | FCS_COP.1/TDES_SCL „Cryptographic operation“  
|                | FCS_CKM.4/AES_SCL „Cryptographic key destruction“  
|                | FCS_CKM.4/TDES_SCL „Cryptographic key destruction“  
| O.Phys-Manipulation | FPT_TST.2 „Subset TOE security testing“  
|                | FDP_SDI.1 „Stored data integrity monitoring“  
| O.Mem-Access   | FDP_ACC.1 „Subset access control“  
|                | FDP_ACF.1 „Security attribute based access control“  
|                | FMT_MSA.3 „Static attribute initialization“  
|                | FMT_MSA.1 „Management of security attributes“  
|                | FMT_SMF.1 „Specification of Management Functions“  

The table above gives an overview, how the security functional requirements are combined to meet the security objectives. The justification related to the security objective “Additional Specific Security Functionality (O.Add-Functions)” is as follows:

The security functional requirement(s) “Cryptographic operation (FCS_COP.1)” exactly requires those functions to be implemented which are demanded by O.Add-Functions. FCS_CKM.1/RSA-v2.03.008 supports the generation of RSA keys, the FCS_CKM.1/EC-v2.03.008 supports the generation of EC keys needed for this cryptographic operations. Therefore, FCS_COP.1/RSA-v2.03.008, FCS_COP.1/ECDSA-v2.03.008, FCS_COP.1/ECDH-v2.03.008, FCS_CKM.1/RSA-v2.03.008, and FCS_CKM.1/EC-v2.03.008 are suitable to meet the security objective. The same objective applies also to the keys management functions of the SCL: FCS_COP.1/AES_SCL, FCS_COP.1/TDES_SCL, FCS_CKM.4/AES_SCL, and FCS_CKM.4/TDES_SCL.

The use of the supporting libraries Toolbox and Base has no impact on any security functional requirement nor does the use generate additional requirements.

Nevertheless, the developer of the Smartcard Embedded Software must ensure that the additional functions are used as specified and that the User data processed by these functions are protected as defined for the application context. These issues are addressed by the specific security functional requirements:
Public Security Target
Common Criteria EAL6 augmented / EAL6+

Security Requirements (ASE_REQ)

- [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation],
- FCS_CKM.4 Cryptographic key destruction.

All these requirements have to be fulfilled to support OE.Resp-Appl for FCS_COP.1/TDES (DES algorithm) and for FCS_COP.1/AES (AES algorithm).

The security functional requirements required to meet the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced define how to implement the specific security functionality. However, key-dependent functions could be implemented in the Smartcard Embedded Software.

The usage of cryptographic algorithms requires the use of appropriate keys. Otherwise these cryptographic functions do not provide security. The keys have to be unique with a very high probability, and must have a certain cryptographic strength etc. In case of a key import into the TOE (which is usually after TOE delivery) it has to be ensured that quality and confidentiality are maintained. Keys for DES and AES are provided by the environment. Keys for RSA and EC algorithms can be provided either by the TOE or the environment.

The justification of the security objective and the additional requirements (both for the TOE and its environment) show that they do not contradict to the rationale already given in the Protection Profile for the assumptions, policy and threats defined there.

The security functional component Subset TOE security testing (FPT_TST.2) has been newly created (Common Criteria Part 2 extended). This component allows that particular parts of the security mechanisms and functions provided by the TOE can be tested after TOE Delivery. This security functional component is used instead of the functional component FPT_TST.1 from Common Criteria Part 2. For the user it is important to know which security functions or mechanisms can be tested. The functional component FPT_TST.1 does not mandate to explicitly specify the security functions being tested. In addition, FPT_TST.1 requires verification of the integrity of TSF data and stored TSF executable code which might violate the security policy.

The tested security enforcing functions are SF_DPM Device Phase Management, SF_CS Cryptographic Support and SF_PMA Protection against modifying attacks.

The security functional requirement FPT_TST.2 will detect attempts to conduct a physical manipulation on the monitoring functions of the TOE. The objective of FPT_TST.2 is O.Phys-Manipulation. The physical manipulation will be tried to overcome security enforcing functions.

The security functional requirement “Subset access control (FDP_ACC.1)” with the related Security Function Policy (SFP) “Memory Access Control Policy” exactly require the implementation of an area based memory access control as required by O.Mem-Access. The related TOE security functional requirements FDP_ACC.1, FDP_ACF.1, FMT_MSA.3, FMT_MSA.1 and FMT_SMF.1 cover this security objective. The implementation of these functional requirements is represented by the dedicated privilege level concept.

The justification of the security objective and the additional requirements show that they do not contradict to the rationale already given in the Protection Profile for the assumptions, policy and threats defined there. Moreover, these additional security functional requirements cover the requirements by the PP [12] user data protection of the composite TOE protection of chapter 1.2.5 claim 35 and 36 which are not refined by the PP [12].

Nevertheless, the developer of the Smartcard Embedded Software must ensure that the additional functions are used as specified and that the User data processed by these functions are protected as defined for the application context. The TOE only provides the tool to implement the policy defined in the context of the application.

The security functional requirement “Stored data integrity monitoring (FDP_SDI.1)” requires the implementation of an Error Detection (EDC) algorithm which detects integrity errors of the data stored in all
memories. By this the manipulation of the TOE using corrupt data is prevented. Therefore FDP_SDI.1 is suitable to meet the security objective O. Phys-Manipulation.

The security functional requirement “Stored data integrity monitoring and action (FDP_SDI.2)” requires the implementation of an integrity observation and correction which is implemented by the Error Detection (EDC) and Error Correction (ECC) measures. The EDC is present throughout all memories of the TOE while the ECC is realized in the SOLID FLASH™ NVM. These measures detect and inform about one and more bit errors. In case of the SOLID FLASH™ NVM 1 bit errors of the data are corrected automatically. By the ECC mechanisms it is prevented that the TOE uses corrupt data. The security reset performs an action to prevent the TOE to operate with manipulated data. Therefore FDP_SDI.2 is suitable to meet the security objective O. Phys-Manipulation.

The objective O.Cap_Avail_Loader requires limited capabilities of the Loader functionality and irreversible termination of the Loader. First, this is covered by the functional requirement FMT_LIM.1/Loader which implements protection against data manipulation and disclosure by unauthorized users after permanent deactivation of the Flash Loader. Second, the functional requirement FMT_LIM.2/Loader limits the Flash Loader availability after the download has been finished by the user. The Flash Loader provides a final locking command which irreversibly terminates the Flash Loader availability. This command execution must be applied after user has finalized his download. As the functional requirements are met by the Flash Loader the objective is covered.

The above named objective O.Cap_Avail_Loader and the security functional requirements FMT_LIM.1/Loader and FMT_LIM.2/Loader apply only at TOE products coming with activated Flash Loader enabled for software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these security functional requirements may then reoccur as subject of the composite TOE.

The presence of true random numbers is the security goal 4 (SG4) which is formalized in the objective O.RND Random Numbers. This objective must be covered by fulfillment of the security functional requirement FCS_RNG. This is defined in the PP [12] chapter 5.1. The requirement implements a quality metric which is defined by national regulations. The implemented random number generation fulfills the definitions of ASI31 [14] in the quality classes as outlined in chapter 7.1.1.1. Therefore the SFR FCS_RNG and the objective O.RND are covered.

The CC part 2 defines the component FIA_SOS.2, which is similar to FCS_RNG.1, as follows:

<table>
<thead>
<tr>
<th>FIA_SOS.2</th>
<th>TSF Generation of secrets</th>
</tr>
</thead>
<tbody>
<tr>
<td>Hierarchical to:</td>
<td>No other components.</td>
</tr>
<tr>
<td>Dependencies:</td>
<td>No dependencies.</td>
</tr>
</tbody>
</table>

**FIA_SOS.2.1**  The TSF shall provide a mechanism to generate secrets that meet [assignment: a defined quality metric].

**FIA_SOS.2.2**  The TSF shall be able to enforce the use of TSF generated secrets for [assignment: list of TSF functions].

The rational for the functional requirement FCS_RNG is discussed in the PP [12], chapter 6.3.1.

### 7.3.1.1 Dependencies of Security Functional Requirements

The dependence of security functional requirements are defined and described in PP [12] section 6.3.2 for the following security functional requirements:

<table>
<thead>
<tr>
<th>FDP_ITT.1</th>
<th>FDP_IFC.1</th>
<th>FPT_ITT.1</th>
<th>FPT_PHP.3</th>
<th>FPT_FLS.1</th>
</tr>
</thead>
<tbody>
<tr>
<td>FRU_FLT.2</td>
<td>FMT_LIM.1</td>
<td>FMT_LIM.2</td>
<td>FCS_RNG.1</td>
<td>FAU_SAS.1</td>
</tr>
</tbody>
</table>
The dependencies of FMT_LIM.1/Loader and FMT_LIM.2/Loader apply only at TOE products which are delivered with activated Flash Loader.

Further dependencies of security functional requirements are given in following table:

Table 21  Dependencies for the cryptographic operation requirements
<table>
<thead>
<tr>
<th>Security Functional Requirement</th>
<th>Dependencies</th>
<th>Fulfilled by security requirements</th>
</tr>
</thead>
<tbody>
<tr>
<td>FCS_COP.1/RSA-v2.03.008</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM1], FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_CKM.1/RSA-v2.03.008</td>
<td>FCS_CKM.2 or FCS_COP.1, FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_COP.1/ECDSA-v2.03.008</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_CKM.1/EC-v2.03.008</td>
<td>FCS_CKM.2 or FCS_COP.1, FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_COP.1/ECDH-v2.03.008</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_COP.1/SHA</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4</td>
<td>Yes, see comment 3</td>
</tr>
<tr>
<td>FCS_COP.1/TDES</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1]</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_COP.1/AES</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_CKM.4/AES</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1]</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES</td>
<td>[FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1]</td>
<td>Yes, see comment 2</td>
</tr>
<tr>
<td>FPT_TST.2</td>
<td>No dependencies</td>
<td>Yes</td>
</tr>
<tr>
<td>FDP_ACC.1</td>
<td>FDP_ACF.1</td>
<td>Yes</td>
</tr>
<tr>
<td>FDP_ACF.1</td>
<td>FMT_MSA.3, FDP_ACC.1</td>
<td>Yes</td>
</tr>
<tr>
<td>FMT_MSA.3</td>
<td>FMT_MSA.1, FMT_SMR.1</td>
<td>Yes, Not required, see comment 1</td>
</tr>
<tr>
<td>FMT_MSA.1</td>
<td>FDP_ACC.1, FDP_IFC.1, FMT_SMR.1</td>
<td>Yes, see comment 1</td>
</tr>
<tr>
<td>FMT_SMF.1</td>
<td>None</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SDI.1</td>
<td>None</td>
<td>N/A</td>
</tr>
<tr>
<td>FMT_LIM.1/Loader</td>
<td>FMT_LIM.2/Loader</td>
<td>Yes</td>
</tr>
<tr>
<td>FMT_LIM.2/Loader</td>
<td>FMT_LIM.1/Loader</td>
<td>Yes</td>
</tr>
</tbody>
</table>

Note: FDP_SDI.2 is discussed in the PP [12].

Comment 1:
The dependency FMT_SMR.1 introduced by the two components FMT_MSA.1 and FMT_MSA.3 is considered to be satisfied because the access control specified for the intended TOE is not role-based but enforced for each subject. Therefore, there is no need to identify roles in form of a security functional requirement FMT_SMR.1.
Comment 2:
These requirements all address the appropriate management of cryptographic keys used by the specified cryptographic function and are not part of the PP [12]. Most requirements concerning key management shall be fulfilled by the environment since the Smartcard Embedded Software is designed for a specific application context and uses the cryptographic functions provided by the TOE.

For the security functional requirement FCS_COP.1/TDES, FCS_COP.1/TDES_SCL, FCS_COP.1/AES, FCS_COP.1/AES_SCL, FCS_CKM.4/TDES, FCS_CKM.4/TDES_SCL, FCS_CKM.4/AES and FCS_CKM.4/AES_SCL the respective dependencies FCS_CKM.1 and FDP_ITC.1 or FDP_ITC.2 have to be fulfilled by the environment. The meaning is that the environment shall meet the requirement FCS_CKM.1 as defined in [14], section 10.1 and shall meet the requirements FDP_ITC.1 or FDP_ITC.2 as defined in [14], section 11.7. For the security functional requirement FCS_COP.1/TDES, FCS_COP.1/TDES_SCL, FCS_COP.1/AES and FCS_COP.1/AES_SCL the respective dependencies FCS_CKM.4 is fulfilled by the TOE. The cryptographic key destruction can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP hardware key registers. The SCL software also destroys dynamic cipher block code object in the memory, which leads to the memory clearance and keys destruction. Please refer also to the application notes 41 and 42 in the PP [12].

For the security functional requirement FCS_COP.1/RSA-v2.03.008, FCS_COP.1/ECDSA-v2.03.008 and FCS_COP.1/EC-v2.03.008 the respective dependencies FCS_CKM.4 and FDP_ITC.1 or FDP_ITC.2 have to be fulfilled by the environment. The meaning is that the environment shall meet the requirements FDP_ITC.1 or FDP_ITC.2 as defined in [14], section 11.7. The respective dependency FCS_CKM.1 has to be fulfilled by the TOE with the security functional requirement FCS_CKM.1/RSA-v2.03.008 (for FCS_COP.1/RSA-v2.03.008) and FCS_CKM.1/EC-v2.03.008 (for FCS_COP.1/ECDSA-v2.03.008 and FCS_COP.1/EC-v2.03.008) as defined in section 7.3.1.1. Additionally the requirement FCS_CKM.1 can be fulfilled by the environment as defined in [14], section 10.1.

For the security functional requirement FCS_CKM.1/RSA-v2.03.008 and FCS_CKM.1/EC-v2.03.008 the respective dependency FCS_COP.1 is fulfilled by the TOE. The environment covers the respective dependency FCS_CKM.4. That mean, that the environment shall meet the requirement FCS_CKM.4 as defined in [14], section 10.1.

The cryptographic libraries SCL, RSA, EC, SHA-2 and the Toolbox library are delivery options. If one of the libraries RSA, EC and Toolbox or combination hereof are delivered, the Base Lib is automatically part of it. Therefore the TOE may come with free combinations of or even without these libraries. In the case of coming without one or any combination of the cryptographic libraries RSA, EC and SHA-2, the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) and/or Elliptic Curve Cryptography (EC) and/or SHA-2 and/or Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). The Toolbox and Base Library are no cryptographic libraries and provide no additional specific security functionality. The TOE can be delivered with the optional SCL library. If the SCL is not available then the SFR is not applicable.

In case of a blocked Crypto2304T the optionally delivered cryptographic libraries and the supporting Toolbox and Base Libraries cannot be used in that specific TOE product. The SHA-2 library is computed in the CPUs. Therefore the IT environment has to fulfill the requirements of this chapter depending if the TOE comes with or without a/the library/ies. In case of a blocked Crypto2304T no cryptographic libraries are delivered.

Comment 3
The dependencies FCS_CKM.1 and FMT_CKM.4 are not required for the SHA-2 algorithm, because the SHA-2 algorithm is a keyless operation. So the environment is not obligated to meet certain requirements for key management.
Public Security Target  
Common Criteria EAL6 augmented / EAL6+ 
Security Requirements (ASE_REQ)

7.3.2 Rationale of the Assurance Requirements

The chosen assurance level EAL6 is augmentation with the requirements coming from ALC_FLR.1. In chapter (7.2) the different assurance levels are shown as well as the augmentations. The augmentations are in compliance with the Protection Profile [12].

An assurance level EAL6 with the augmentations ALC_FLR.1 is required for this type of TOE since it is intended to defend against highly sophisticated attacks without protective environment over a targeted long life time. Thereby, the TOE must withstand attackers with high attack potential, which is achieved by fulfilling the assurance class AVA_VAN.5.

In order to provide a meaningful level of assurance and that the TOE provides an adequate level of defense against such high potential attacks, the evaluators have access to all information regarding the TOE including the TSF internals, the low level design and source code including the testing of the modular design. Additionally the mandatory technical document “Application of Attack Potential to Smartcards” [17] shall be taken as a basis for the vulnerability analysis of the TOE.

Due to the targeted long life time of the Infineon Technologies products, a comprehensive flaw remediation process and database is in place to maintain the TOE also in future. Reported flaws of any kind, meaning, regardless whether the flaws reported have a more directed towards quality, functional or security, are tracked by a dedicated database and related processes.

And more, in order to continuously improve also future products reported flaws are analyzed whether they could affect also future products. Due to its overall importance for future development, the assurance class ALC_FLR.1 is included in this certification process.

This evaluation assurance package was selected to permit a developer gaining maximum assurance from positive security engineering based on good commercial practices as well as the assurance that the TOE is maintained during its targeted life time. The evaluation assurance package follows the EAL6 assurance classes as given in [15].

7.3.2.1 ALC_FLR.1 Basic Flaw Remediation

Flaws of any kind are entered into a dedicated database with related processes to solve those.

At the point in time where a flaw is entered, it is automatically logged who entered a flaw and who is responsible for solving it. In addition, it is also documented if, when and how an individual flaw has been solved.

Flaws are prioritized and assigned to a responsibility.

The assurance class ALC_FLR.1 has no dependencies.
8 TOE Summary Specification (ASE_TSS)

The product overview is given in section 2.1. In the following the Security Features are described and the relation to the security functional requirements is shown.

The TOE is equipped with following Security Features to meet the security functional requirements:

- SF_DPM  Device Phase Management
- SF_PS   Protection against Snooping
- SF_PMA  Protection against Modification Attacks
- SF_PLA  Protection against Logical Attacks
- SF_CS   Cryptographic Support

The following description of the Security Features is a complete representation of the TSF.

8.1 SF_DPM: Device Phase Management

The life cycle of the TOE is split-up in several phases. Chip development and production (phase 2, 3, 4) and final use (phase 4-7) is a rough split-up from TOE point of view. These phases are implemented in the TOE as test mode (phase 3) and user mode (phase 4-7).

In addition, a chip identification mode exists which is active in all phases. The chip identification data (O.Identification) is stored in a not-changeable configuration page area and non-volatile memory. In the same area further TOE configuration data is stored. In addition, user initialization data can be stored in the non-volatile memory during the production phase as well. During this first data programming, the TOE is still in the secure environment and in Test Mode.

The covered security functional requirement is FAU_SAS.1 “Audit storage”.

During start-up of the TOE the decision for one of the various operation modes is taken dependent on phase identifiers. The decision of accessing a certain mode is defined as phase entry protection. The phases follow also a defined and protected sequence. The sequence of the phases is protected by means of authentication.

The covered security functional requirements are FMT_LIM.1 “Limited Capabilities” and FMT_LIM.2 “Limited availability”.

During the production phase (phase 3 and 4) or after the delivery to the user (phase 5 or phase 6), the TOE provides the possibility to download, after a successful authentication process, a user specific encryption key, user code and data into the empty (erased) SOLID FLASH™ NVM area as specified by the associated control information of the Flash Loader software.

In case the user has ordered TOE derivatives without Flash Loader, the software download by the user (phase 5 or phase 6) is disabled and all user data of the Composite TOE is stored on the TOE at Infineon premises. In both cases the integrity of the loaded data is checked with a signature process after the download is completed. The data to be loaded may be transferred optionally in encrypted form. After finishing the load operation, the Flash Loader can be permanently deactivated, so that no further load operation with the Flash Loader is possible. These procedures are defined as phase operation limitation. If the TOE has been finalized by the user (phase 5 or phase 5) the user is obligated to lock the Flash Loader which results in a permanent disabling of the Flash Loader. A later reactivation possibility, i.e. after delivery to the end user, is after locking no more given.

The covered security functional requirement are FPT_LIM.1./Loader “Limited capabilities” and FPT_LIM.2/Loader “Limited availability – Loader”.

The above named functional requirements FPT_LIM.1./Loader “Limited capabilities” and FPT_LIM.2/Loader “Limited availability – Loader” apply only at TOE products coming with activated Flash Loader enabled for
software or data download by the user. In other cases the Flash Loader is not available anymore and the user software or data download is completed. Depending on the capabilities of the user software these security functional requirements may then reoccur as subject of the composite TOE.

During operation within a selected life cycle phase the accesses to memories are granted by the MMU controlled access rights and related privilege levels. The TOE operates always in a dedicated life cycle phase.

The covered security functional requirements are FDP_ACC.1 “Subset access control”, FDP_ACF.1 “Security attribute based access control” and FMT_MSA.1 “Management of security attributes”.

In addition, during each start-up of the TOE the address ranges and access rights are initialized by the STS with predefined values. The covered security functional requirement is FMT_MSA.3 “Static attribute initialization”.

The TOE clearly defines access rights and privilege levels in conjunction with the appropriate key management in dependency of the firmware or software to be executed. By this clearly defined management functions are implemented, enforced by the MMU, and the covered security functional requirement is FMT_SMF.1 “Specification of Management Functions”.

During the testing phase in production within the secure environment the entire SOLID FLASH™ NVM is deleted. The covered security functional requirement is FPT_PHP.3 “Resistance to physical attack”.

Each operation phase is protected by means of authentication and encryption. The covered security functional requirements are FDP_ITT.1 “Basic internal transfer protection” and FPT_ITT.1 “Basic internal TSF data transfer protection”.

The SF_DPM “Device Phase Management” covers the security functional requirements FAU_SAS.1, FMT_LIM.1, FMT_LIM.2, FMT_LIM.1/Loader, FMT_LIM.2/Loader, FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FPT_PHP.3, FDP_ITT.1 and FPT_ITT.1.

8.2 SF_PS: Protection against Snooping

All contents of all memories of the TOE are encrypted on chip to protect against data analysis on stored data as well as on internally transmitted data. There is no plain data on the chip. In addition the data transferred over the memory bus to and from (bi-directional encryption) the CPU, Co-processor (Crypto2304T and SCP), the special SFRs and the peripheral devices (CRC, RNG and Timer) are encrypted automatically with a dynamic key change. All security relevant transfer of addresses or data via the peripheral bus is dynamically masked and thus protected against readout and analysis.

The memory content and bus encryption is done by the MED using a complex key management. This means that the SOLID FLASH™ NVM, RAM, CACHE and the bus are encrypted with module dedicated and dynamic keys. The only key remaining static over the product life cycle is the specific ROM key, changing in case of a mask change only. Note that the ROM contains the firmware only and no user data.

Data are transferred, handled and computed only encrypted or masked anywhere on the TOE, and also the dual CPU computes entirely masked. Also the register files are masked.

The symmetric cryptographic co-processor is entirely masked at any time and also here the masks change dynamically. The encryption and masking means covers the data processing policy and FDP_IFC.1 “Subset information flow control”.

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FDP_IFC.1 “Subset information flow control”, FPT_ITT.1 “Basic internal TSF data transfer protection”, FDP_ITT.1 “Basic internal transfer protection” and FDP_SDC.1 “stored data confidentiality”.

The user can define his own key for an SOLID FLASH™ NVM area to protect his data. This user individually chosen key is then delivered by the operating system and included in the dynamic SOLID FLASH™ NVM encryption. The user specified SOLID FLASH™ NVM area is then encrypted with his key and a dynamic
component. The encryption of the memories is performed by the MED with a proprietary cryptographic algorithm and with a complex and dynamic key management providing protection against cryptographic analysis attacks. The few keys which have to be stored on the chip, for example the user chosen key and the chip specific ROM key, are protected against read out.

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FDP_IFC.1 “Subset information flow control”, FPT_ITT.1 “Basic internal TSF data transfer protection”, and FDP_ITT.1 “Basic internal transfer protection”.

The proprietary implementation of the dual CPU has no standard command set and discloses therefore no possibility for deeper analysis. The covered security functional requirement is FPT_PHP.3 “Resistance to physical attack”.

The entire design is kept in a non-standard way to complicate attacks using standard analysis methods to an almost not practical condition. A proprietary CPU implementation with a non-public bus protocol is used which renders analysis very complicated and time consuming. Besides the proprietary structures also the internal timing behavior is proprietary and by this aggravating significantly the analysis in addition. Important parts of the chip are especially designed to counter leakage or side channel attacks like DPA/SPA or EMA/DEMA.

Therefore, even the physical data gaining is difficult to perform, since timing and current consumption is almost independent of the dynamically encrypted, respectively masked and/or randomized data. In the design a number of components are automatically synthesized and mixed up to disguise and complicate analysis.

A further protective design method used is secure wiring. All security critical wires have been identified and protected by special routing measures against probing. Additionally, artificial shield lines are implemented and mixed up with normal signal lines required for chip operation, which renders probing attacks with high feasibility to not practical. This provides the so called intelligent implicit active shielding “I2-shield”.

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FPT_ITT.1 “Basic internal TSF data transfer protection” and FDP_ITT.1 “Basic internal transfer protection”.

In addition to their protection during processing of code and data their storage in the SOLID FLASH™ NVM is protected against side channel attacks too: Even if users operate with direct and static addressing for storing their secrets, the addresses are always translated to virtual addresses - if the address call is in the correct privilege level which is monitored by the MMU.

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FPT_ITT.1 “Basic internal TSF data transfer protection” and FDP_ITT.1 “Basic internal transfer protection”.

In contrast to the linear virtual address range the physical SOLID FLASH™ NVM pages are transparently and dynamically scrambled on every page modification. This scrambling is entirely independent from the user software and the MMU. In addition a software controlled refreshing of memory pages is implemented which exchanges the physical location of a memory page by reprogramming it to another location in dependency of the performed write cycles but also including randomness. The link between the physical address and the virtual address is stored internally and is not accessible by the operating system. This measurement causes that the physical location of data is different from chip to chip even the same software may use the same virtual addresses.

A low system frequency sensor FSE is implemented to prevent the TOE from single stepping. The sensor is tested by the user mode security life control UMSLC and connected to the clock pad.

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack” and FPT_FLS.1 “Failure with preservation of secure state”.

An induced error which cannot be corrected will be recognized by the Integrity Guard and leads to an alarm. In case of security critical detections a security alarm and reset is generated. The covered security functional requirement is FPT_FLS.1 “Failure with preservation of secure state”.
The **SF_PS** “Protection against Snooping” covers the security functional requirements FPT_PHP.3, FDP_IFC.1, FPT_ITT.1, FDP_ITT.1, FDP_SDC.1 and FPT_FLS.1.

### 8.3 SF_PMA: Protection against Modifying Attacks

First of all we can say that all security mechanisms effective against snooping **SF_PS** apply also here since a reasonable modification of data is almost impossible on dynamically encrypted, masked, scrambled, transparently relocated, randomized and topologically protected hardware. Due to this the covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FDP_IFC.1 “Subset information flow control”, FPT_ITT.1 “Basic internal TSF data transfer protection”, FDP_ITT.1 “Basic internal transfer protection”, FDP_SDC.1 “Store d data confidentiality” and FPT_FLS.1 “Failure with preservation of secure state”.

The TOE is equipped with an error detection code (EDC) which covers the memory system of RAM, ROM and SOLID FLASH™ NVM and includes also the MED and MMU. Thus introduced failures can be detected and in terms of single bit errors in the SOLID FLASH™ NVM also automatically corrected (FDP_SDI.2 “Stored data integrity monitoring and action”).

In order to prevent accidental bit faults during production in the ROM, over the data stored in ROM an EDC value is calculated (FDP_SDI.1 “Stored data integrity monitoring”).

The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FDP_SDI.1 “Stored data integrity monitoring” and FDP_SDI.2 “Stored data integrity monitoring and action”.

If a user tears the card resulting in a power off situation during a SOLID FLASH™ NVM programming operation or if other perturbation is applied, no data or content loss occurs and the TOE restarts power on. The SOLID FLASH™ NVM tearing save write functionality covers FPT_FLS.1 “Failure with preservation of secure state” since if the programming was not successful, the old data are still present and valid, which ensures a secure state although a programming failure occurred. This action includes also FDP_SDI.1 “Stored data integrity monitoring” as the new data to be programmed are checked for integrity and correct programming before the page with the old data becomes the new physical page for the next new data.

The covered security functional requirement is also FPT_PHP.3 “Resistance to physical attack“, since these measures make it difficult to manipulate the write process of the SOLID FLASH™ NVM. The covered security functional requirements are FPT_FLS.1 “Failure with preservation of secure state”, FPT_PHP.3 “Resistance to physical attack” and FDP_SDI.1 “Stored data integrity monitoring”.

The above mentioned error management in the memories and the tearing protection of the SOLID FLASH™ NVM contribute also to the security functional requirement FRUFLT.2 “Limited fault tolerance” as induced faults are detected with high probability and the correct operation is continued by taking the appropriate action.

The TOE is protected against fault and modifying attacks. The core provides the functionality of double-computing and e.g. result comparison of all tasks to detect incorrect calculations. The detection of an incorrect calculation is stored and the TOE enters a defined secure state which causes the chip internal reset process.

The implementation of the dual CPU computing on the same data is by this one of the most important security features of this platform. As also the results of both CPU parts are compared at the end, a fault induction of modifying attacks would have to be done on both CPU parts at the correct place with the correct timing – despite all other countermeasures like dynamic masking, encryption and others. As the comparison and the register files are also protected by various measures successful manipulative attacks are seen as being not practical.

During start up, the STS performs various configurations and subsystem tests. After the STS has finished, the operating system or application can call the User Mode Security Life Control (UMSLC) test. The UMSLC checks the alarm lines and/or functions and sensors for correct operation as given in the HRM [1]. This test can also be released actively by the user software during normal chip operation by calling an RMS function. As attempts to
modify the security features will be detected from the test, the covered security functional requirement is FPT_TST.2 “Subset TOE security testing”.

In the case that a physical manipulation or a physical probing attack is detected, the processing of the TOE is immediately stopped and the TOE enters a secure state called security reset. By release of a security reset all logic and memory of the co-processors (SCP and Crypto) immediately reset with their respectful reset values. The stored keys are overwritten with the default reset values and memory data structures are overwritten with random values. The covered security functional requirements are FCS_CKM.4 “Cryptographic key destruction”, FPT_FLS.1 “Failure with preservation of secure state”, FPT_PHP.3 “Resistance to physical attack”, and FPT_TST.2 “Subset TOE security testing”.

As physical effects or manipulative attacks may also address the program flow of the user software, a watchdog timer and a check point register are implemented. These features enable the user for checking the correct processing time and the integrity of the program flow of the user software. Another measure against modifying and perturbation respectively differential fault attacks (DFA) is the implementation of backward calculation in the SCP. By this induced errors are discovered. The covered security functional requirements are FPT_FLS.1 “Failure with preservation of secure state”, FDP_IFC.1 “Subset information flow control”, FPT_ITT.1 “Basic internal TSF data transfer protection”, FDP_ITT.1 “Basic internal transfer protection” and FPT_PHP.3 “Resistance to physical attack”.

All communication via the busses is in addition protected by a monitored hardware handshake. If the handshake was not successful an alarm can be generated. The covered security functional requirements are FPT_FLS.1 “Failure with preservation of secure state” and FPT_PHP.3 “Resistance to physical attack”.

The virtual memory system and privilege level model are enforced by the MMU. This controls the access rights throughout the TOE. There is a clear differentiation within the privilege levels defined. The covered security functional requirements are FDP_ACC.1 “Subset access control”, FDP_ACF.1 “Security attribute based access control”, FMT_MSA.1 “Management of security attributes”, FMT_MSA.3 “Static attribute initialization” and FMT_SMF1 “Specification of Management Functions”.

The SF_PMA “Protection against Modifying Attacks” covers the security functional requirements FCS_CKM.4, FPT_PHP.3, FDP_IFC.1, FPT_ITT.1, FDP_ITT.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FDP_ACC.1, FDP_ACF.1, FRU_FLT.2, FPT_TST.2, FDP_SDC.1, FDP_SDI.1, FDP_SDI.2 and FPT_FLS.1.

8.4 SF_PLA: Protection against Logical Attacks

The memory access control of the TOE uses a memory management unit (MMU) to control the access to the available physical memory by using virtual memory addresses and to segregate the code and data to a privilege level model. The MMU controls the address permissions of up seven privileged levels and gives the software the possibility to define different access rights for the privileged levels 3 to 7. The address permissions of the privilege levels are controlled by the MMU. In case of an access violation the MMU will trigger a reset and then a trap service routine can react on the access violation. The policy of setting up the MMU and specifying the memory ranges for the privilege levels – with the exception of the IFX level - is defined from the user software (OS). The privilege levels 0, 1 and 2 are reserved for TOE internal operations. The privilege levels 3 and 4 are reserved for operation systems and the privilege levels 5, 6 and 7 are reserved for applications.

As the TOE provides support for separation of memory areas the covered security functional requirements are FDP_ACC.1 “Subset access control”, FDP_ACF.1 “Security attribute based access control”, FMT_MSA.1 “Static attribute initialisation”, FMT_MSA.1 “Management of security attributes” and FMT_SMF.1 “Specification of Management functions”. 
The TOE provides the possibility to protect the property rights of user code and data by the encryption of the SOLID FLASH™ NVM areas with a specific key defined by the user. Due to this key management FDP_ACF.1 is fulfilled. In addition, each memory present on the TOE is encrypted using either mask specific or chip individual or even session depending keys, assigned by a complex key management. Induced errors are recognized by the Integrity Guard concept and lead to an alarm with high feasibility. In case of security critical errors a security alarm is generated and the TOE ends up in a secure state. The covered security functional requirements are FPT_PHP.3 “Resistance to physical attack”, FDP_ITT.1 “Basic internal transfer protection”, FDP_IFC.1 “Subset information flow control” and FPT_FLS.1 “Failure with preservation of secure state”.

Beside the access protection and key management, also the use of illegal operation code is detected and will release a security reset.

The SF_PLA “Protection against Logical Attacks” covers the security functional requirements FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FPT_ITT.1, FDP_ITT.1, FDP_IFC.1, FPT_PHP.3, FPT_FLS.1 and FMT_SMF.1.

### 8.5 SF_CS: Cryptographic Support

The TOE is equipped with several hardware accelerators and software modules to support the standard symmetric and asymmetric cryptographic operations. This security function is introduced to include the cryptographic operation in the scope of the evaluation as the cryptographic function respectively mathematic algorithm itself is not used from the TOE security policy. On the other hand these functions are of special interest for the use of the hardware as platform for the software. The components are a co-processor supporting the DES and AES algorithms and a combination of a co-processor and software modules to support RSA cryptography, RSA key generation, ECDSA signature generation and verification, ECDH key agreement and EC public key calculation and public key testing.

Note that the additional function of the EC library, ECC_ADD, providing the primitive elliptic curve operations, does not add specific security functionality and that the according user guidance abbreviates the Elliptic Curve cryptographic functions with ECC.

**Note:** The cryptographic libraries SCL, RSA, EC, SHA-2 and the Toolbox library are delivery options. If one of the libraries RSA, EC and Toolbox or combination hereof are delivered, the Base Lib is automatically part of it. Therefore the TOE may come with free combinations of or even without these libraries. In the case of coming without one or any combination of the cryptographic libraries RSA, EC and SHA-2, the TOE does not provide the Additional Specific Security Functionality Rivest-Shamir-Adleman Cryptography (RSA) and/or Elliptic Curve Cryptography (EC) and/or SHA-2 and/or Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). The Toolbox and Base Library are no cryptographic libraries and provide no additional specific security functionality. The TOE can be delivered with the optional SCL library. If the SCL is not available then the SFR is not applicable.

**Note:** This TOE can come with both crypto co-processors accessible, or with a blocked SCP or with a blocked Crypto2304T, or with both crypto co-processors blocked. The blocking depends on the customer demands prior to the production of the hardware. In case the SCP is blocked, no AES and DES computation supported by hardware is possible. In case the Crypto2304T is blocked, no RSA and EC computation supported by hardware is possible. The use of the SHA-2 library is also possible with both crypto coprocessors blocked. No accessibility of the deselected cryptographic co-processors is without impact on any other security policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the cryptographic co-processors.

### 8.5.1 Triple DES

**Hardware-Implemented TDES**
Public Security Target
Common Criteria EAL6 augmented / EAL6+

TOE Summary Specification (ASE_TSS)

The TOE supports the encryption and decryption in accordance with the specified cryptographic algorithm Triple Data Encryption Standard (3DES) with cryptographic key sizes of 112 bit or 168 bit meeting the standard: National Institute of Standards and Technology (NIST), SP 800-67 [20]

The TOE implements the following alternative block cipher modes for the user:

- Electronic Codebook Mode (ECB)
- Cipher Block Chaining Mode (CBC)
- Blinding Feedback Mode (BLD)
- Cipher Block Chaining Mode Message Authentication Code (CBC-MAC)
- CBC-MAC- encrypt-last-block (CBC-MAC-ELB)
- Recrypt Mode.

The CBC-MAC and CBC-MAC-ELB complies with the standard:

ISO/IEC 9797-1 Mac Algorithm 1 [32]

The Recrypt Mode and the BLD are described in the hardware reference manual HRM [1], while the implementation of ECB, CBC and CFB follow the standard:

National Institute of Standards and Technology (NIST), SP 800-38A [21]

Note that the BLD follows also the standard, but in a masked way.

The key destruction as required by FCS_CKM.4 can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP key registers (FCS_CKM.4/TDES).

Please consider also the statement of chapter 7.1.4.1.

The covered security functional requirements are FCS_COP.1/TDES and FCS_CKM.4/TDES.

Software-Implemented TDES

The SCL78-SCP-v3 symmetric crypto library supports the ECB, CBC, CTR and CFB block cipher modes, defined by "NIST FIPS PUB 800-38A" and published in December 2001:

- Electronic Code-Book (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Counter (CTR)

The SCL 3DES complies with the standard:

DES Data Encryption defined by "NIST FIPS 46-3" and published in October 1999.

To implement FCS_CKM.4/TDES_SCL, SCL software performs reset triggering at the end of the kernel function (Des3Green_EnDecryption) by writing the “trigger reset” value 0xFFFF to the SCP_CTRL register (hardware). As a result, the key store register is overwritten with the reset value. The second step is a removal of the complete DES data object from RAM by overwriting it by random value.

Please consider also the statement of chapter 7.1.4.1.
Public Security Target
Common Criteria EAL6 augmented / EAL6+
TOE Summary Specification (ASE_TSS)

The covered security functional requirements are FCS_COP.1/TDES_SCL and FCS_CKM.4/TDES_SCL.

8.5.2 AES

Hardware-Implemented AES

The TOE supports the encryption and decryption in accordance with the specified cryptographic algorithm Advanced Encryption Standard (AES) and cryptographic key sizes of 128 bit or 192 bit or 256 bit that meet the standard:

- National Institute of Standards and Technology (NIST) SP 800-38A [21]
- ISO/IEC 10118-3 [29]
- ISO/IEC 18033-3 [30]
- FIPS 197 [31]

The key destruction as required by FCS_CKM.4 can be done by overwriting the key register interfaces or by software reset of the SCP which provides immediate zeroing of all SCP key registers (FCS_CKM.4/AES).

Please consider also the statement of chapter 7.1.4.1.

The covered security functional requirements are FCS_COP.1/AES and FCS_CKM.4/AES.

Software-Implemented AES

The SCL AES complies with the standard:


To implement FCS_CKM.4/AES_SCL, SCL software performs reset triggering at the end of the kernel function (Des3Green_EnDecryption) by writing the “trigger reset” value 0xFFFF to the SCP_CTRL register (hardware). As a result, the key store register is overwritten with the reset value. The second step is a removal of the complete AES data object from RAM by overwriting it by random value.

Please consider also the statement of chapter 7.1.4.1.

The covered security functional requirements are FCS_COP.1/AES_SCL and FCS_CKM.4/AES_SCL.

8.5.3 RSA

8.5.3.1 Encryption, Decryption, Signature Generation and Verification

The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm Rivest-Shamir-Adleman (RSA) and cryptographic key sizes 1976 - 4096 bits that meet the following standards:
**Encryption:**

1. According to section 5.1.1 RSAEP in PKCS [22]:
   - Supported for $n < 2^{4096+128}$
   - 5.1.1(1) not supported

2. According to section 8.2.2 IFEP-RSA in IEEE [28]:
   - Supported for $n < 2^{4096+128}$

**Decryption (with or without CRT):**

1. According to section 5.1.2 RSADP in PKCS [22]:
   
   for $u = 2$, i.e., without any $(r_i, d_i, t_i)$, $i > 2$
   
   - 5.1.2(1) not supported
   - 5.1.2(2.a) not supported for $n < 2^{2048+64}$
   - 5.1.2(2.b) supported for $p \times q < 2^{4096+128}$
   - 5.1.2(2.b) (ii)&(v) not applicable due to $u = 2$

2. According to section 8.2.3 IEEE [28]:
   - 8.2.1(I) supported for $n < 2^{2048+64}$
   - 8.2.1(II) supported for $p \times q < 2^{4096+128}$
   - 8.2.1(III) not supported

**Signature Generation (with or without CRT):**

1. According to section 5.2.1 RSASP1 in PKCS [22]:
   
   for $u = 2$, i.e., without any $(r_i, d_i, t_i)$, $i > 2$
   
   - 5.2.1(1) not supported
   - 5.2.1(2.a) supported for $n < 2^{2048+64}$
   - 5.2.1(2b) supported for $p \times q < 2^{4096+128}$
   - 5.2.1(2b) (ii)&(v) not applicable due to $u = 2$

2. According to section 8.2.4 IFSP-RSA1 in IEEE [28]:
   - 8.2.1(I) supported for $n < 2^{2048+64}$
   - 8.2.1(II) supported for $p \times q < 2^{4096+128}$
   - 8.2.1(III) not supported

**Signature Verification:**

1. According to section 5.2.2 RSAVP1 in PKCS [22]:
   
   supported for $n < 2^{4096+128}$
   - 5.2.2(1) not supported
According to section 8.2.5 IEEE [28]:

- Supported for $n < 2^{4096+128}$
- 8.2.5(1) not supported

Please consider also the statement of chapter 7.1.4.1

8.5.3.2 Asymmetric Key Generation

The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm RSA specified in PKCS#1 [22] and specified cryptographic key sizes of 1976 – 4096 bits that meet the following standard:

FCS_CKM.1/RSA-v2.03.008 is covered by:

1. According to section 3.1 and 3.2 in PKCS [22]:
   for $u=2$, i.e., without any $(r_i, d_i, t_i)$, $i > 2$
   - 3.1 supported for $n < 2^{4096+128}$
   - 3.2(1) supported for $n< 2^{2048+64}$
   - 3.2(2) supported for $p \times q < 2^{4096+128}$

2. According to section 8.1.3.1 in IEEE [28]:
   - 8.1.3.1(1) supported for $n < 2^{2048+64}$
   - 8.1.3.1(2) supported for $p \times q < 2^{4096+128}$
   - 8.1.3.1(3) supported for $p \times q < 2^{2048+64}$

Note: For easy integration of RSA functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required.

Please consider also the statement of chapter 7.1.4.1.

The covered security functional requirement is FCS_COP.1/RSA-v2.03.008 and FCS_CKM.1/RSA-v2.03.008.
8.5.4 Elliptic Curves EC

The certification covers the standard NIST [18] and Brainpool [19] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits, due to national AIS32 regulations by the BSI. Note that numerous other side channel attack resistant curve types exist, which the user optionally can add in the composition certification process.

All curves are based on finite field \( \text{GF}(p) \) with size \( p \in \left[2^{41} - 1, 2^{521}\right] \) as well as curves based on a finite field \( \text{GF}(2^n) \) with size \( n \in \left[41 - 1, 521\right] \) are supported.

8.5.4.1 Signature Generation and Verification

The TSF shall perform signature generation and signature verification in accordance with a specified cryptographic algorithm ECDSA and cryptographic key sizes 192 - 521 bits that meet the following standard:

FCS_COP.1/ECDSA-v2.03.008 is covered by:

**ECDSA Signature Generation:**

1. According to section "7.3 Signing Process" in ANSI X9.62 - 2005:
   - Step d) and e) not supported.
   - The output of step e) has to be provided as input to our function by the caller.
   - Deviation of step c) and f):
     - The jumps to step a) were substituted by a return of the function with an error code, the jumps are emulated by another call to our function.

2. According to section "6.4.3 Signature process" in ISO/IEC 14888-3:2006:
   - 6.4.3.3 not supported.
   - 6.4.3.5 not supported:
     - the hash-code \( H \) of the message has to be provided by the caller as input to our function.
   - 6.4.3.7 not supported.
   - 6.4.3.8 not supported.

3. According to section "7.2.7 ECSP-DSA" in IEEE Std 1363-2000:
   - Deviation of step (3) and (4):
     - The jumps to step 1, were substituted by a return of the function with an error code, the jumps are emulated by another call to our function.

**ECDSA Signature Verification:**

1. According to section "7.4.1 Verification with the Public Key" in ANSI X9.62 - 2005:
   - Step b) and c) not supported.
   - The output of step c) has to be provided as input to our function by the caller.
   - Deviation of step d):
     - Beside noted calculation, our algorithm adds a random multiple of BasepointOrder \( n \) to the calculated values \( u_1 \) and \( u_2 \).

2. According to section "6.4.4 Signature Verification Process" in ISO/IEC 14888-3:2006:
   - 6.4.4.2 not supported.
   - 6.4.4.3 not supported:
     - the hash-code \( H \) of the message has to be provided by the caller as input to our function.

8.5.4.2 Asymmetric Key Generation

The TSF shall generate cryptographic keys in accordance with a specific cryptographic key generation algorithm Elliptic Curve EC specified in ANSI X9.62-1998 and ISO/IEC 15946-1:2002 and specified cryptographic key sizes 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 bits that meet the following standard:

FCS_CKM.1/EC-v2.03.008 is covered by:

<table>
<thead>
<tr>
<th>ECDSA Key Generation:</th>
</tr>
</thead>
<tbody>
<tr>
<td>4. According to the appendix A4.3 Elliptic Curve Key Pair Generation in ANSI X9.62 [23]: The optional cofactor h is not supported.</td>
</tr>
<tr>
<td>5. According to section 6.4.2 Generation of signature key and verification key in ISO/IEC 14888-3 [26]</td>
</tr>
</tbody>
</table>

8.5.4.3 Asymmetric Key Agreement

The TSF shall perform elliptic curve Diffie-Hellman key agreement in accordance with a specified cryptographic algorithm ECDH and cryptographic key sizes 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 bits that meet the following standard:

FCS_COP.1/ECDH-v2.03.008 is covered by:

   Unlike section 5.4.1(3) our implementation not only returns the x-coordinate of the shared secret, but rather the x-coordinate and the y-coordinate.
2. According to section Appendix D.6 Key agreement of Diffie-Hellman type in ISO/IEC 11770-3 [27] the function enables the operations described in appendix D.6
3. According to section 7.2.1 ECSVHDP in IEEE Std. 1363:2000 [28].
   Unlike section 7.2.1 our implementation not only returns the x-coordinate of the shared secret, but rather the x-coordinate and the y-coordinate.

Note: For easy integration of EC functions into the user’s operating system and/or application, the library contains single cryptographic functions respectively primitives which are compliant to the standard. The primitives are referenced above. Therefore, the library supports the user to develop an application representing the standard if required.

8.5.5 SHA-2

The TOE comes optionally with the SHA-2 library for hash value calculation. The SHA-library provides the calculation of a hash value of freely chosen data input in the CPU. The SHA-library is delivered as object code and is in this way available for the user software. This secure hash-algorithm SHA-2 is intended to be used for hashing any type of user data. Further essential information about the usage is given in the confidential user guidance. Following requirement and standard is valid:

The TSF shall perform hash-value calculation of user chosen data in accordance with a specified cryptographic algorithm SHA-2 and with cryptographic key sizes of none that meet the following standards:
Public Security Target
Common Criteria EAL6 augmented / EAL6+
TOE Summary Specification (ASE_TSS)


The covered security functional requirement is FCS_COP.1/SHA.

8.5.6 SCL

The SCL78-SCP-v3 symmetric crypto library is delivered as a binary code and is in this way available for the user software. The API of the SCL includes security functions:

“Cipher_*” for operations with cipher’s software object;

“BCM_*” for Block Cipher Mode operations

“CipAlg_AES*_SEC2” for AES-calculations on Cipher Block

“CipAlg_DES*_SEC2” for DES/DES3 calculations on Cipher Block

For details on the provided security functionality of the SCL please refer to the “software implementation” section of the chapters 8.5.1 and 8.5.2.

8.5.7 Toolbox Library

The Toolbox provides the following basic long integer arithmetic and modular functions in software, supported by the cryptographic coprocessor: Addition, subtraction, division, multiplication, comparison, reduction, modular addition, modular subtraction, modular multiplication, modular inversion and modular exponentiation. No security relevant policy, mechanism or function is supported. The Toolbox library is deemed for software developers as support for simplified implementation of long integer and modular arithmetic operations.

The Toolbox does not cover security functional requirements.

8.5.8 Base Library

The Base Library provides the low level interface to the asymmetric cryptographic coprocessor and has no user available interface. The Base Library does not provide any security functionality, implements no security mechanism, and does not provide additional specific security functionality.

The Base Library does not cover security functional requirements and has no user interface.

8.5.9 PTRNG respectively TRNG

Random data is essential for cryptography as well as for security mechanisms. The TOE is equipped with a physical True Random Number Generator (PTRNG respectively TRNG, FCS_RNG.1). The random data can be used from the Smartcard Embedded Software and is also used from the security features of the TOE, like masking. The PTRNG respectively TRNG implements also self-testing features. The PTRNG respectively TRNG is compliant to the requirements of the functionality class PTG.2 of AIS31, please refer to [16].

The covered security functional requirements are FCS_RNG.1, FPT_PHP.3, FDP_ITT.1, FPT_ITT.1, FDP_IFC.1, FPT_TST.2 and FPT_FLS.1.

The SF_CS “Cryptographic Support” covers the security functional requirements FCS_COP.1/TDES, FCS_CKM.4/TDES, FCS_COP.1/TDES_SCL, FCS_CKM.4/TDES_SCL, FCS_COP.1/AES, FCS_CKM.4/AES, FCS_COP.1/AES_SCL, FCS_CKM.4/AES_SCL, FCS_COP.1/RSA-v2.03.008, FCS_CKM.1/RSA-v2.03.008, FCS_COP.1/ECDSA-v2.03.008, FCS_CKM.1/ECDSA-v2.03.008, FCS_COP.1/ECDH-v2.03.008, FCS_CKM.1/SHA, FPT_PHP.3, FDP_ITT.1, FPT_ITT.1, FDP_IFC.1, FPT_TST.2, FPT_FLS.1 and FCS_RNG.1.
8.6 Assignment of Security Functional Requirements to TOE’s Security Functionality

The justification and overview of the mapping between security functional requirements (SFR) and the TOE’s security functionality (SF) is given in the sections above. The results are shown in the table below. The security functional requirements are addressed by at least one relating security feature.

The various functional requirements are often covered manifold. As described above the requirements ensure that the TOE is checked for correct operating conditions and if a not correctable failure occurs that a stored secure state is achieved, accompanied by data integrity monitoring and actions to maintain the integrity although failures occurred. An overview is given in the table below.

Table 22 Mapping of SFR and SF

<table>
<thead>
<tr>
<th>Security Functional Requirement</th>
<th>SF_DPM</th>
<th>SF_PS</th>
<th>SF_PMA</th>
<th>SF_PLA</th>
<th>SF_CS</th>
</tr>
</thead>
<tbody>
<tr>
<td>FAU_SAS.1</td>
<td>X</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_LIM.1</td>
<td>X</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_LIM.2</td>
<td>X</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_LIM.1/Loader</td>
<td>X</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_LIM.2/Loader</td>
<td>X</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_ACC.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
</tr>
<tr>
<td>FDP_ACF.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
</tr>
<tr>
<td>FPT_PHP.3</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_ITT.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_SDC.1</td>
<td></td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_SDI.1</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_SDI.2</td>
<td></td>
<td>X</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FDP_IFC.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
</tr>
<tr>
<td>FMT_MSA.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_MSA.3</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FMT_SMF.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
<td></td>
</tr>
<tr>
<td>FRU_FLT.2</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FPT_ITT.1</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
</tr>
<tr>
<td>FPT_TST.2</td>
<td></td>
<td>X</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FPT_FLS.1</td>
<td></td>
<td>X</td>
<td>X</td>
<td>X</td>
<td></td>
</tr>
<tr>
<td>FCS_RNG.1</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_COP.1/TDES</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_CKM.4/TDES</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_COP.1/AES</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_CKM.4/AES</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_COP.1/TDES_SCL</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
## 8.7 Security Requirements are internally consistent

For this chapter the PP [12] section 6.3.4 can be applied completely.

In addition to the discussion in section 6.3 of PP [12] the security functional requirement FCS_COP.1 is introduced. The security functional requirements required to meet the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced also protect the cryptographic algorithms implemented according to the security functional requirement FCS_COP.1. Therefore, these security functional requirements support the secure implementation and operation of FCS_COP.1.

As disturbing, manipulating during or forcing the results of the test checking the security functions after TOE delivery, this security functional requirement FPT_TST.2 has to be protected. An attacker could aim to switch off or disturb certain sensors or filters and preserve the detection of his manipulation by blocking the correct operation of FPT_TST.2. The security functional requirements required to meet the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced also protect the security functional requirement FPT_TST.2. Therefore, the related security functional requirements support the secure implementation and operation of FPT_TST.2.

The requirement FPT_TST.2 allows testing of some security mechanisms by the Smartcard Embedded Software after delivery. In addition, the TOE provides an automated continuous user transparent testing of certain functions.

The implemented privilege level concept represents the area based memory access protection enforced by the MMU. As an attacker could attempt to manipulate the privilege level definition as defined and present in the TOE, the functional requirement FDP_ACC.1 and the related other requirements have to be protected themselves. The security functional requirements required to meet the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced also protect the area based memory access control function implemented according to the security functional requirement described in the security functional requirement FDP_ACF.1 with reference to the Memory Access Control Policy and details given in FDP_ACF.1. Therefore, those security functional requirements support the secure implementation and operation of FDP_ACF.1 with its dependent security functional requirements.

<table>
<thead>
<tr>
<th>Security Functional Requirement</th>
<th>SF_DPM</th>
<th>SF_PS</th>
<th>SF_PMA</th>
<th>SF_PLA</th>
<th>SF_CS</th>
</tr>
</thead>
<tbody>
<tr>
<td>FCS_CKM.4/TDES_SCL</td>
<td></td>
<td>X</td>
<td></td>
<td></td>
<td>X</td>
</tr>
<tr>
<td>FCS_COP.1/AES_SCL</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_CKM.4/AES_SCL</td>
<td></td>
<td>X</td>
<td></td>
<td></td>
<td>X</td>
</tr>
<tr>
<td>FCS_COP.1/RSA-v2.03.008</td>
<td></td>
<td>X</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>FCS_CKM.1/RSA-v2.03.008</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>X</td>
</tr>
<tr>
<td>FCS_COP.1/ECDSA-v2.03.008</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>X</td>
</tr>
<tr>
<td>FCS_COP.1/EC-v2.03.008</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>X</td>
</tr>
<tr>
<td>FCS_COP.1/SHA</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
### Literature

<table>
<thead>
<tr>
<th>Ref. No.</th>
<th>Version</th>
<th>As of</th>
<th>Document</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>v1.7.1</td>
<td>2015-09-21</td>
<td>M7892 Controller Family for Security Applications, Family Hardware Reference Manual, called HRM</td>
</tr>
<tr>
<td>3</td>
<td>v9.1</td>
<td>2016-02-11</td>
<td>16-bit Controller Family, SLE 70, Programmer's Reference Manual</td>
</tr>
<tr>
<td>4</td>
<td>v2.03.008</td>
<td>2014-07-31</td>
<td>SLE70 Asymmetric Crypto Library Crypto@2304T, RSA / EC / Toolbox, User Interface</td>
</tr>
<tr>
<td>5</td>
<td>v2.02.010</td>
<td>2016-10-14</td>
<td>SCL78 Symmetric Crypto Library for SCP v3 DES/AES 16-bit Security Controller User Interface</td>
</tr>
<tr>
<td>6</td>
<td>2009-11</td>
<td>Chipcard and Security ICs, Slx70 Family, Secure Hash Algorithm SHA-2, (SHA 256/224, SHA 512/384) (optional)</td>
<td></td>
</tr>
<tr>
<td>7</td>
<td>2010-03-23</td>
<td>SLE70 Crypto@2304T User Manual</td>
<td></td>
</tr>
<tr>
<td>8</td>
<td>2016-10-12</td>
<td>M7892 Security Guidelines</td>
<td></td>
</tr>
<tr>
<td>9</td>
<td>1.9</td>
<td>2015-03-26</td>
<td>M7892 16-bit Security Controller Family, confidential Errata Sheet</td>
</tr>
<tr>
<td>10</td>
<td>1.7</td>
<td>2016-11-16</td>
<td>Confidential Security Target for this TOE</td>
</tr>
<tr>
<td>11</td>
<td>1.1</td>
<td>2013-09-24</td>
<td>AMM Advanced Mode for Mifare-Compatible Technology, M7892_HRM_Addendum_AMM</td>
</tr>
<tr>
<td>13</td>
<td>3.1 Rev. 4</td>
<td>2012-09</td>
<td>Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model; Version 3.1 Revision 4 September 2012, CCMB-2012-09-001</td>
</tr>
<tr>
<td>14</td>
<td>3.1 Rev. 4</td>
<td>2012-09</td>
<td>Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements; Version 3.1 Revision 4 September 2012, CCMB-2012-09-002</td>
</tr>
<tr>
<td>15</td>
<td>3.1 Rev. 4</td>
<td>2012-09</td>
<td>Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements; Version 3.1 Revision 4 September 2012, CCMB-2012-09-003</td>
</tr>
</tbody>
</table>

The table is continued on next page regarding the referenced standards and other references.
# Literature

<table>
<thead>
<tr>
<th>Ref. No.</th>
<th>Version</th>
<th>As of</th>
<th>Document</th>
</tr>
</thead>
<tbody>
<tr>
<td>20</td>
<td>SP 800-67 Rev. 1</td>
<td>2012-01</td>
<td>National Institute of Standards and Technology (NIST), Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Revised January 2012, Technology Administration, U.S. Department of Commerce</td>
</tr>
<tr>
<td>21</td>
<td>SP 800-38A</td>
<td>2001-12</td>
<td>National Institute of Standards and Technology(NIST), Technology Administration, US Department of Commerce, NIST Special Publication SP 800-38A (for AES and DES)</td>
</tr>
<tr>
<td>22</td>
<td>v2.1 RFC3447</td>
<td>2002-06-14</td>
<td>PKCS #1: RSA Cryptography Standard, RSA Laboratories</td>
</tr>
<tr>
<td>33</td>
<td>I</td>
<td>2009-08-14</td>
<td>Act on the Federal Office for Information Security (BSI-Gesetz - BSiG), Bundesgesetzbblatt I p. 2821.</td>
</tr>
</tbody>
</table>
## Appendix

Following tables document the hash signatures of the respective optional cryptographic library software version. For convenience purpose several hash algorithms were used.

### Table 23: Reference of Hash Values of the optional Cryptographic Libraries

<table>
<thead>
<tr>
<th>RSA, EC, Toolbox Version v2.03.008:</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>C170-LIB-base-XSMALL-HUGE.lib:</strong></td>
<td></td>
</tr>
<tr>
<td>MD5=00503528859c293140fe231265c1cdba</td>
<td></td>
</tr>
<tr>
<td>SHA1=7723660ac9222527f429c94ce015dac1ab2a2ff6</td>
<td></td>
</tr>
<tr>
<td>SHA256=77d5f9f0d03e38d7c0d0a3b33a9ae6bf2192748573e01fcad29a418998dad724</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th><strong>C170-LIB-ecc-XSMALL-HUGE.lib:</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5=b189b6ecb0435c91797e8b9bdce7edd8</td>
<td></td>
</tr>
<tr>
<td>SHA1=b94a7a3a4af019febeb3236fff5f1bc36af2c8b</td>
<td></td>
</tr>
<tr>
<td>SHA256=aaec91f8b273efdf3a7510be5cf2e2d825e01be9e2d9caf7c5dc595bd79c4b870</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th><strong>C170-LIB-2k-XSMALL-HUGE.lib:</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5=4820f7af7ead4b76b53ec9498505c715</td>
<td></td>
</tr>
<tr>
<td>SHA1=d1c8df9a2b9b29ae7395a3ab0bf13a965a0957d2</td>
<td></td>
</tr>
<tr>
<td>SHA256=e6b3a3b31c339f18806e6838674cda16f1eecc7f536c55034217a6f958874c130</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th><strong>C170-LIB-4k-XSMALL-HUGE.lib:</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5=0d18984da350fae0b080999fa8ce60541</td>
<td></td>
</tr>
<tr>
<td>SHA1=3d2dc9c7f4992f1883ae3bf498b9dac460f309</td>
<td></td>
</tr>
<tr>
<td>SHA256=6ec924a46a729df061826fd4ab1fd8a9f3aeb54e745be5e7ca69665dc6f94</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th><strong>C170-LIB-toolbox-XSMALL-HUGE.lib:</strong></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5=eda24cea852510b37dea323719362d8</td>
<td></td>
</tr>
<tr>
<td>SHA1=1d86a3b26a8000b80e727b8c98fd6a1172ece91</td>
<td></td>
</tr>
<tr>
<td>SHA256=b03c32463922bb2d4312bf8c62e747cd48f0752d02e90129042fedefa36bf092</td>
<td></td>
</tr>
</tbody>
</table>

### SHA-2 Library Version 1.01:

<table>
<thead>
<tr>
<th>SHA-2 values computed from: SLE70-SHA2-Lib_RE_1v01_2009-06-29.LIB</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5=70d2df490185b419fb820d597d82d117</td>
<td></td>
</tr>
<tr>
<td>SHA1= df15ff79b5f5ab70bbad0ee031953e1877cabd47</td>
<td></td>
</tr>
<tr>
<td>SHA256=765fc5d47cf8274833476406b24010a56ebcf4b0972704ddd27e2d3e3e086f8</td>
<td></td>
</tr>
</tbody>
</table>

### SCL Library Version v2.02.010
Scl78-SCP-v3-LIB-cipher-XSMALL-HUGE.lib:
MD5=fda1638129910ae1b67e0eafe46856ff
SHA1=745411582d5f1af4b6f1771e921b1935d57b82a6
SHA256=b758150725a310d4269de566426a70e7114d6af13a25ff712e16144ba1a9b5e4

Scl78-SCP-v3-LIB-des-XSMALL-HUGE.lib:
MD5=714000373a23db40fe94424ed2e7bbe04
SHA1=f4c1f11055166000238ef23b4e4841051d1f4983
SHA256=beacd54f096f9967b9223764c6e09189ab743b2009956df187c5dbe8e2ef4d1d

Scl78-SCP-v3-LIB-aes-XSMALL-HUGE.lib:
MD5=964432c8339a8e3432a5a52a6888e1f8
SHA1=5f104d9ea356d29622d46fb7c0fdecde595a0b7d
SHA256=592c1c0fe7d4dfa5b68b09c6092542cbe3a07bb6fb2c0029b44a8bc4b0bca48
## 11 List of Abbreviations

<table>
<thead>
<tr>
<th>Abbreviation</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AES</td>
<td>Advanced Encryption Standard</td>
</tr>
<tr>
<td>AIS31</td>
<td>“Anwendungshinweise und Interpretationen zu ITSEC und CC Funktionalitätsklassen und Evaluationsmethodologie für physikalische Zufallszahlengeneratoren”</td>
</tr>
<tr>
<td>APB</td>
<td>Advanced Peripheral Bus</td>
</tr>
<tr>
<td>API</td>
<td>Application Programming Interface</td>
</tr>
<tr>
<td>AXI</td>
<td>Advanced eXtensible Interface Bus Protocol</td>
</tr>
<tr>
<td>BPU</td>
<td>Bill Per Use</td>
</tr>
<tr>
<td>CC</td>
<td>Common Criteria</td>
</tr>
<tr>
<td>CI</td>
<td>Chip Identification Mode (STS-CI)</td>
</tr>
<tr>
<td>CIM</td>
<td>Chip Identification Mode (STS-CI), same as CI</td>
</tr>
<tr>
<td>CPU</td>
<td>Central Processing Unit</td>
</tr>
<tr>
<td>CRC</td>
<td>Cyclic Redundancy Check</td>
</tr>
<tr>
<td>Crypto2304T</td>
<td>Asymmetric Cryptographic Processor</td>
</tr>
<tr>
<td>CRT</td>
<td>Chinese Reminder Theorem</td>
</tr>
<tr>
<td>DES</td>
<td>Data Encryption Standard</td>
</tr>
<tr>
<td>DPA</td>
<td>Differential Power Analysis</td>
</tr>
<tr>
<td>DFA</td>
<td>Differential Failure Analysis</td>
</tr>
<tr>
<td>DTRNG</td>
<td>Deterministic Random Number Generator</td>
</tr>
<tr>
<td>EC</td>
<td>Elliptic Curve Cryptography</td>
</tr>
<tr>
<td>ECC</td>
<td>Error Correction Code and Elliptic Curve Cryptography depending on the context</td>
</tr>
<tr>
<td>EDC</td>
<td>Error Detection Code</td>
</tr>
<tr>
<td>EDU</td>
<td>Error Detection Unit</td>
</tr>
<tr>
<td>SOLID FLASH™ NVM</td>
<td>Electrically Erasable and Programmable Read Only Memory</td>
</tr>
<tr>
<td>EMA</td>
<td>Electromagnetic analysis</td>
</tr>
<tr>
<td>FL</td>
<td>Flash Loader</td>
</tr>
<tr>
<td>Flash</td>
<td>Infineon® SOLID FLASH™ Memory</td>
</tr>
<tr>
<td>HW</td>
<td>Hardware</td>
</tr>
<tr>
<td>IC</td>
<td>Integrated Circuit</td>
</tr>
<tr>
<td>ICO</td>
<td>Internal Clock Oscillator</td>
</tr>
<tr>
<td>ID</td>
<td>Identification</td>
</tr>
<tr>
<td>IMM</td>
<td>Interface Management Module</td>
</tr>
</tbody>
</table>
Public Security Target
Common Criteria EAL6 augmented / EAL6+

List of Abbreviations

ITP  Interrupt and Peripheral Event Channel Controller
I/O  Input/Output
IRAM Internal Random Access Memory
ITSEC Information Technology Security Evaluation Criteria
M Mechanism
MED Memory Encryption and Decryption
MMU Memory Management Unit
NVM Non Volatile Memory
O Object
OS Operating system
PEC Peripheral Event Channel
PRNG Pseudo Random Number Generator
PROM Programmable Read Only Memory
PTRNG Physical Random Number Generator
RAM Random Access Memory
RFI Radio Frequency Interface
RMS Resource Management System
RNG Random Number Generator
ROM Read Only Memory
RSA Rives-Shamir-Adleman Algorithm
SA Service Algorithm Minimal
SCL Symmetric Cryptographic Library
SCP Symmetric Cryptographic Processor
SF Security Feature
SFR Special Function Register, as well as Security Functional Requirement
The specific meaning is given in the context
SPA Simple power analysis
STS Self-Test Software
SW Software
SO Security objective
T Threat
TM Test Mode (STS)
TOE Target of Evaluation
### List of Abbreviations

<table>
<thead>
<tr>
<th>Abbreviation</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>TRNG</td>
<td>True Random Number Generator</td>
</tr>
<tr>
<td>TSC</td>
<td>TOE Security Functions Control</td>
</tr>
<tr>
<td>TSF</td>
<td>TOE Security Functionality</td>
</tr>
<tr>
<td>UART</td>
<td>Universal Asynchronous Receiver/Transmitter</td>
</tr>
<tr>
<td>UM</td>
<td>User Mode (STS)</td>
</tr>
<tr>
<td>UmSLC</td>
<td>User mode Security Life Control</td>
</tr>
<tr>
<td>WDT</td>
<td>Watch Dog Timer</td>
</tr>
<tr>
<td>XRAM</td>
<td>eXtended Random Access Memory</td>
</tr>
<tr>
<td>3DES</td>
<td>Triple DES Encryption Standard</td>
</tr>
<tr>
<td>Glossary</td>
<td>Definition</td>
</tr>
<tr>
<td>----------------------------------------------</td>
<td>----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</td>
</tr>
<tr>
<td>Application Program/Data</td>
<td>Software which implements the actual TOE functionality provided for the user or the data required for that purpose</td>
</tr>
<tr>
<td>Bill-Per-Use</td>
<td>Bill-Per-Use concept allowing the user to configure the chips</td>
</tr>
<tr>
<td>Central Processing Unit</td>
<td>Logic circuitry for digital information processing</td>
</tr>
<tr>
<td>Chip Identification Data</td>
<td>Data stored in the SOLID FLASH™ NVM containing the chip type, lot number (including the production site), die position on wafer and production week and data stored in the ROM containing the STS version number</td>
</tr>
<tr>
<td>Chip Identification Mode</td>
<td>Operational status phase of the TOE, in which actions for identifying the individual chip by transmitting the Chip Identification Data take place</td>
</tr>
<tr>
<td>Controller</td>
<td>IC with integrated memory, CPU and peripheral devices</td>
</tr>
<tr>
<td>Crypto2304T</td>
<td>Cryptographic coprocessor for asymmetric cryptographic operations (RSA, Elliptic Curves)</td>
</tr>
<tr>
<td>Cyclic Redundancy Check</td>
<td>Process for calculating checksums for error detection</td>
</tr>
<tr>
<td>Electrically Erasable and Programmable Read Only Memory (SOLID FLASH™ NVM)</td>
<td>Non-volatile memory permitting electrical read and write operations</td>
</tr>
<tr>
<td>End User</td>
<td>Person in contact with a TOE who makes use of its operational capability</td>
</tr>
<tr>
<td>Firmware</td>
<td>Is software essential to put the chip into operation. The firmware is located in the ROM and parts of it in the SOLID FLASH™ NVM</td>
</tr>
<tr>
<td>Flash Loader</td>
<td>Software enabling to download software after delivery</td>
</tr>
<tr>
<td>Hardware</td>
<td>Physically present part of a functional system (item)</td>
</tr>
<tr>
<td>Integrated Circuit</td>
<td>Component comprising several electronic circuits implemented in a highly miniaturized device using semiconductor technology</td>
</tr>
<tr>
<td>Internal Random Access Memory</td>
<td>RAM integrated in the CPU</td>
</tr>
<tr>
<td>Mechanism</td>
<td>Logic or algorithm which implements a specific security function in hardware or software</td>
</tr>
<tr>
<td>Memory Encryption and Decryption</td>
<td>Method of encoding/decoding data transfer between CPU and memory</td>
</tr>
<tr>
<td>Memory</td>
<td>Hardware part containing digital information (binary data)</td>
</tr>
<tr>
<td>Microprocessor</td>
<td>CPU with peripherals</td>
</tr>
<tr>
<td>Object</td>
<td>Physical or non-physical part of a system which contains information and is acted upon by subjects</td>
</tr>
</tbody>
</table>
### Glossary

<table>
<thead>
<tr>
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Operating System</strong></td>
<td>Software which implements the basic TOE actions necessary to run the user application</td>
</tr>
<tr>
<td><strong>Programmable Read Only Memory</strong></td>
<td>Non-volatile memory which can be written once and then only permits read operations</td>
</tr>
<tr>
<td><strong>Random Access Memory</strong></td>
<td>Volatile memory which permits write and read operations</td>
</tr>
<tr>
<td><strong>Random Number Generator</strong></td>
<td>Hardware part for generating random numbers</td>
</tr>
<tr>
<td><strong>Read Only Memory</strong></td>
<td>Non-volatile memory which permits read operations only</td>
</tr>
<tr>
<td><strong>Resource Management System</strong></td>
<td>Part of the firmware containing SOLID FLASH™ NVM programming routines, AIS31 test bench etc.</td>
</tr>
<tr>
<td><strong>SCP</strong></td>
<td>Is the symmetric cryptographic coprocessor for symmetric cryptographic operations (3DES, AES).</td>
</tr>
<tr>
<td><strong>Self-Test Software</strong></td>
<td>Part of the firmware with routines for controlling the operating state and testing the TOE hardware</td>
</tr>
<tr>
<td><strong>Security Function</strong></td>
<td>Part(s) of the TOE used to implement part(s) of the security objectives</td>
</tr>
<tr>
<td><strong>Security Target</strong></td>
<td>Description of the intended state for countering threats</td>
</tr>
<tr>
<td><strong>Smart Card</strong></td>
<td>Is a plastic card in credit card format with built-in chip. Other form factors are also possible, i.e. if integrated into mobile devices</td>
</tr>
<tr>
<td><strong>Software</strong></td>
<td>Information (non-physical part of the system) which is required to implement functionality in conjunction with the hardware (program code)</td>
</tr>
<tr>
<td><strong>Subject</strong></td>
<td>Entity, generally in the form of a person, who performs actions</td>
</tr>
<tr>
<td><strong>Target of Evaluation</strong></td>
<td>Product or system which is being subjected to an evaluation</td>
</tr>
<tr>
<td><strong>Test Mode</strong></td>
<td>Operational status phase of the TOE in which actions to test the TOE hardware take place</td>
</tr>
<tr>
<td><strong>Threat</strong></td>
<td>Action or event that might prejudice security</td>
</tr>
<tr>
<td><strong>User Mode</strong></td>
<td>Operational status phase of the TOE in which actions intended for the user takes place</td>
</tr>
</tbody>
</table>