

**1 Security Target Lite**

**2 M9905 with optional ACL Software Libraries**

**3 According to Common Criteria CCEAL5 augmented (EAL5+)**

**4**

**5**

**6 Version: 6.2**

**7 Date: 2025-07-18**

## Table of Content

|          |                                                                                                |           |
|----------|------------------------------------------------------------------------------------------------|-----------|
| <b>1</b> | <b>Security Target Introduction (ASE_INT) .....</b>                                            | <b>4</b>  |
| 1.1      | Security Target and Target of Evaluation Reference .....                                       | 4         |
| 1.2      | Target of Evaluation overview .....                                                            | 5         |
| <b>2</b> | <b>Target of Evaluation Introduction.....</b>                                                  | <b>9</b>  |
| 2.1      | Definition of the TOE.....                                                                     | 9         |
| 2.1.1    | Major security functions of the TOE.....                                                       | 10        |
| 2.1.2    | Not part of the TOE Security Functionality .....                                               | 10        |
| 2.2      | Hardware of the TOE.....                                                                       | 10        |
| 2.3      | Firmware of the TOE .....                                                                      | 14        |
| 2.4      | Optional software of the TOE .....                                                             | 14        |
| 2.5      | Interfaces of the TOE.....                                                                     | 15        |
| 2.6      | Guidance documentation .....                                                                   | 15        |
| 2.7      | Forms of delivery.....                                                                         | 15        |
| 2.8      | Production sites .....                                                                         | 16        |
| 2.9      | TOE Configuration.....                                                                         | 17        |
| 2.10     | TOE initialization with Customer Software.....                                                 | 17        |
| <b>3</b> | <b>Conformance Claims (ASE_CCL) .....</b>                                                      | <b>19</b> |
| 3.1      | CC Conformance Claim .....                                                                     | 19        |
| 3.2      | PP Claim.....                                                                                  | 19        |
| 3.3      | Package Claim .....                                                                            | 19        |
| 3.4      | Conformance Rationale.....                                                                     | 20        |
| <b>4</b> | <b>Security Problem Definition (ASE_SPD).....</b>                                              | <b>23</b> |
| 4.1      | Threats .....                                                                                  | 23        |
| 4.1.1    | Additional Threat due to TOE specific Functionality .....                                      | 23        |
| 4.1.2    | Assets regarding the Threats.....                                                              | 24        |
| 4.2      | Organizational Security Policies.....                                                          | 25        |
| 4.2.1    | Augmented Organizational Security Policy.....                                                  | 25        |
| 4.3      | Assumptions .....                                                                              | 25        |
| 4.3.1    | Augmented Assumptions .....                                                                    | 27        |
| <b>5</b> | <b>Security objectives (ASE_OBJ).....</b>                                                      | <b>28</b> |
| 5.1      | Security objectives for the TOE.....                                                           | 28        |
| 5.2      | Security Objectives for the development and operational Environment.....                       | 29        |
| 5.2.1    | Clarification of "Usage of Hardware Platform (OE.Plat-App)" .....                              | 30        |
| 5.2.2    | Clarification of "Treatment of User Data (OE.Resp-App)" .....                                  | 30        |
| 5.2.3    | Clarification of "Protection during Composite product manufacturing (OE.Process-Sec-IC)" ..... | 30        |
| 5.3      | Security Objectives Rationale .....                                                            | 30        |
| <b>6</b> | <b>Extended Component Definition (ASE_ECD) .....</b>                                           | <b>33</b> |
| 6.1      | "Subset TOE security testing (FPT_TST)".....                                                   | 33        |
| 6.2      | Definition of FPT_TST.2 .....                                                                  | 33        |
| 6.3      | TSF self test (FPT_TST) .....                                                                  | 34        |
| <b>7</b> | <b>Security Requirements (ASE_REQ).....</b>                                                    | <b>35</b> |
| 7.1      | FAU_SAS.....                                                                                   | 36        |
| 7.2      | FPT_TST.2 .....                                                                                | 36        |
| 7.3      | FCS_RNG .....                                                                                  | 37        |
| 7.4      | Limited Capabilities and Limited Availability.....                                             | 38        |
| 7.5      | Memory access control.....                                                                     | 38        |
| 7.6      | Support of Cipher Schemes .....                                                                | 42        |
| 7.6.1    | Triple-DES Operation .....                                                                     | 42        |
| 7.6.2    | AES Operation.....                                                                             | 42        |
| 7.6.3    | Elliptic Curve DSA (ECDSA) operation .....                                                     | 43        |
| 7.6.4    | Elliptic Curve (EC) key generation.....                                                        | 44        |

|           |                                                                                      |           |
|-----------|--------------------------------------------------------------------------------------|-----------|
| 7.6.5     | Elliptic Curve Diffie-Hellman (ECDH) key agreement .....                             | 44        |
| 7.7       | Data Integrity .....                                                                 | 45        |
| 7.8       | TOE Security Assurance Requirements .....                                            | 46        |
| 7.8.1     | Refinements .....                                                                    | 47        |
| 7.9       | Security Requirements Rationale .....                                                | 47        |
| 7.9.1     | Rationale for the Security Functional Requirements .....                             | 47        |
| 7.9.1.1   | Dependencies of Security Functional Requirements .....                               | 49        |
| 7.9.2     | Rationale of the Assurance Requirements .....                                        | 51        |
| <b>8</b>  | <b>TOE Summary Specification (ASE_TSS) .....</b>                                     | <b>53</b> |
| 8.1       | SF_DPM: Device Phase Management .....                                                | 53        |
| 8.2       | SF_PS: Protection against Snooping .....                                             | 54        |
| 8.3       | SF_PMA: Protection against Modifying Attacks .....                                   | 55        |
| 8.4       | SF_PLA: Protection against Logical Attacks .....                                     | 56        |
| 8.5       | SF_CS: Cryptographic Support .....                                                   | 56        |
| 8.5.1     | 3DES encryption .....                                                                | 57        |
| 8.5.2     | AES encryption .....                                                                 | 57        |
| 8.5.1.1   | Elliptic Curves .....                                                                | 57        |
| 8.5.1.2   | Signature Generation .....                                                           | 57        |
| 8.5.1.3   | Asymmetric Key Generation .....                                                      | 57        |
| 8.5.2     | Asymmetric Key Agreement .....                                                       | 58        |
| 8.5.3     | Asymmetric Base Library .....                                                        | 58        |
| 8.6       | TRNG .....                                                                           | 58        |
| 8.7       | Assignment of Security Functional Requirements to TOE's Security Functionality ..... | 58        |
| 8.7       | Security Requirements are internally Consistent .....                                | 59        |
| <b>9</b>  | <b>References .....</b>                                                              | <b>61</b> |
| <b>10</b> | <b>Hash values .....</b>                                                             | <b>62</b> |
| <b>11</b> | <b>List of Abbreviations .....</b>                                                   | <b>63</b> |
| <b>12</b> | <b>Glossary .....</b>                                                                | <b>65</b> |
|           | <b>Revision History .....</b>                                                        | <b>66</b> |

## 1 1 Security Target Introduction (ASE\_INT)

### 2 1.1 Security Target and Target of Evaluation Reference

3 The title of this document is: Security Target Lite M9905 with optional ACL Software Libraries

4 The name of the TOE on the CC certificate is:

5 "Infineon Technologies Security Controller M9905 A11 with optional ACL v2.07.003 and v2.09.002"

6 The Target of Evaluation (TOE) comprises the Infineon Technologies Smart Card IC (Security  
7 Controller) M9905 A11 with optional ACL v2.07.003 and v2.09.002

8 The Security Target is based on the Protection Profile "Smartcard IC Platform Protection Profile"  
9 [PP].

10 The ST built in compliance to CC:2022.

11 Table 1 Identification

| Type                                                                                           | Version                                 | Date       | Title/Registration/Explanation                                     |
|------------------------------------------------------------------------------------------------|-----------------------------------------|------------|--------------------------------------------------------------------|
| Security Target<br>Method of identification is done by version, date and title                 |                                         |            |                                                                    |
| Security Target                                                                                | 6.2                                     | 2025-07-18 | Security Target Lite<br>M9905 with optional ACL Software Libraries |
| TOE Hardware<br>Method of identification is done by reading of GCIM                            |                                         |            |                                                                    |
| M9905                                                                                          | A11                                     |            | M9905 with Firmware Identifier 80001151                            |
| Libraries (optional)<br>Method of identification is done by hash values                        |                                         |            |                                                                    |
| NRG Management                                                                                 | 01.03.0927                              |            | Management of NRG cards                                            |
| NRG Reader                                                                                     | 01.02.0800                              |            | NRG reader mode support                                            |
| ACL                                                                                            | 2.07.003                                |            | Cl97-LIB-base.lib<br>Cl97-LIB-ecc.lib                              |
|                                                                                                | 2.09.002                                |            | ACL97-Crypto2304T-L90-base.lib<br>ACL97-Crypto2304T-L90-ecc.lib    |
| Hardware Guidance Documentation<br>Method of identification is done by version, date and title |                                         |            |                                                                    |
| General Guidance                                                                               | Revision 3.0                            | 2019-08-28 | 32-bit Security Controller M9900 Hardware Reference Manual         |
|                                                                                                | Edition 2020-04-15<br>Update 2025-06-06 | 2020-04-15 | M9900 Security Guidelines User's Manual                            |

| Type                                                        | Version             | Date       | Title/Registration/Explanation                                                                                                                                  |
|-------------------------------------------------------------|---------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                             | DDI 0403E.e         | 2021       | ARMv7-M Architecture Reference Manual, ARM DDI ARM DDI 0403E.e N (ID021621), ARM Limited, 2021                                                                  |
|                                                             | 5.9                 | 2024-11-25 | SLE97 security controllers Programmer's Reference Manual SLCx7_DFP Document release reference: Z8F80731571-A                                                    |
|                                                             | Edition 2014-08-10a | 2014-08-10 | SLE97 / SLC14 Family Production and Personalization User's Manual                                                                                               |
| M9905 Guidance                                              | 3.1                 | 2019-09-05 | M9905 M9906 Errata Sheet                                                                                                                                        |
| Library Guidance Documentation (optional)                   |                     |            |                                                                                                                                                                 |
| Method of identification is done by version, date and title |                     |            |                                                                                                                                                                 |
| ACL Guidance                                                | 2.07.003            | 2024-08-26 | CL97 Asymmetric Crypto Library for Crypto@2304T RSA / ECC / Toolbox, User Interface                                                                             |
|                                                             | 2.09.002            | 2024-06-27 | ACL97-Crypto2304T-L90 Asymmetric Crypto Library for Crypto@2304T RSA / ECC / Toolbox, User interface manual                                                     |
| CC documents                                                |                     |            |                                                                                                                                                                 |
| Method of identification is done by version, date and title |                     |            |                                                                                                                                                                 |
| PP                                                          | 1.0                 | 2007-06-15 | Security IC Platform Protection Profile BSI-PP-0035<br>The cert-id BSI-CC-PP-0035-2007 refers to the corresponding certification report.                        |
| CC                                                          | CC:2022 Revision 1  | 2022-11    | Security Evaluation<br>Part 1: CCMB-2022-11-001<br>Part 2: CCMB-2022-11-002<br>Part 3: CCMB-2022-11-003<br>Part 4: CCMB-2022-11-004<br>Part 5: CCMB-2022-11-005 |

1

2 The TOE can be identified with the Generic Chip Identification Mode (GCIM). The M-number  
 3 hardware is identified by the bytes 05 and 06, which are the first two bytes of the chip  
 4 identification number, having for the M9905 the value 0x0010. The design step, firmware identifier,  
 5 mask identifier, temperature range and system frequency are also included in the GCIM.  
 6 Additionally the customer can read the configuration area as defined in the SLE97 Programmer's  
 7 Reference Manual [11].

## 8 1.2 Target of Evaluation overview

9 The TOE comprises the Infineon Technologies AG security controller M9905 with optional ACL  
 10 Software Libraries .

11 The Toolbox libraries are additionally supporting software which is out of scope of this  
 12 certification.

1 The Toolbox libraries do not provide cryptographic support or additional security functionality as  
2 they provide only the following basic long integer arithmetic and modular functions in software,  
3 supported by the cryptographic coprocessor: Addition, subtraction, division, multiplication,  
4 comparison, reduction, modular addition, modular subtraction, modular multiplication, modular  
5 inversion and modular exponentiation. No security relevant policy, mechanism or function is  
6 supported. The toolbox library is deemed for software developers as support for simplified  
7 implementation of long integer and modular arithmetic operations.

8 The TOE is a member of the Infineon Technologies AG security controller family SLE97 meeting  
9 high requirements in terms of performance and security. The SLE97 family has been developed  
10 with a modular concept and different memory configurations, sets of peripherals and interfaces as  
11 well as different security features to satisfy market requirements. A summary product description  
12 is given in this Security Target (ST).

13 The TOE offers all functions that are both required and useful in security systems, and integrated  
14 peripherals that are typically needed in chipcard applications, such as information security,  
15 identification, access control, GSM and UMTS projects, electronic banking, digital signature and  
16 multi-application cards, ID cards, transportation and e-purse applications.

17 The TOE implements a dedicated security 32-bit RISC CPU designed on the basis of the ARMv7M  
18 architecture designed in 90 nm CMOS technology. The integrated peripherals combine enhanced  
19 performance and optimized power consumption for a minimized die size to make the SLE97  
20 controllers ideal for chipcard applications. The TOE offers a wide range of peripherals, including a  
21 UART (using the ISO interface), four timers, two watchdogs, a CRC module, a true RNG (TRNG),  
22 coprocessors for symmetric (e.g. DES, AES) and asymmetric (e.g. EC) cryptographic algorithms.  
23 Additionally, a range of communication interfaces, such as GPIO, I2C, SWP, USB, SSC/SPI and NRG  
24 interface are offered to provide maximum flexibility in terms of simultaneous communication  
25 ability.

26 The TOE provides a real 32-bit CPU-architecture and is compatible to the ARMv7-M instruction set  
27 architecture. The major components of the core system are the 32-bit CPU as a variant of the ARM  
28 Secure Core SC300, the Cache system, the Memory Protection Unit and the Memory  
29 Encryption/Decryption Unit. The TOE implements a full 32-bit addressing with up to 4 GByte linear  
30 addressable memory space, a simple scalable memory management concept and a scalable stack  
31 size. The flexible memory concept is built on the non volatile memory, respectively SOLID FLASH™  
32 NVM<sup>1</sup>. For the SOLID FLASH™ NVM the Unified Channel Programming (UCP) memory technology is  
33 used.

34 The TOE provides the low-level firmware components Boot Software (BOS) and Resource  
35 Management System (RMS) and the high-level firmware Flash Loader (FL) and NRG software.

36 The NRG software includes the NRG operating system and additionally the optional library  
37 Management of NRG cards (version 01.03.0927) and the optional library NRG Reader Mode  
38 Support (01.02.0800). The Management of NRG cards provides an API for the management and  
39 generation of NRG cards. The optional NRG reader mode support library (01.02.0800) enables an  
40 access to external NRG cards.

41 NRG software is not part of the TSF and does not implement any Security Functional Requirement.

---

<sup>1</sup> SOLID FLASH™ is an Infineon Trade Mark and stands for the Infineon EEPROM working as Flash memory. The abbreviation NVM is short for Non Volatile Memory.

1 The RMS firmware providing some functionality via an API to the Smartcard Embedded Software  
2 contains for example SOLID FLASH™ NVM service routines and functionality for the tearing save  
3 write into the SOLID FLASH™ NVM. The BOS firmware is used for test purposes during start-up and  
4 the FL allows downloading of user software to the NVM during the manufacturing process. The BOS  
5 is implemented in a separate Test-ROM being part of the TOE. The BOS executes the UMSLC test  
6 during the startup phase. It also includes the features "hardening" and the "Burn-In Test". The  
7 feature "hardening" analyzing a random SOLID FLASH™ NVM page after every regular program  
8 operation for written bits that are losing their charge, and, in this very unlikely case, the page is  
9 rewritten. The "Burn-In Test" during production is used to stress the chip in a high temperature,  
10 high internal voltage and active operation for a certain time and filtering out defect parts to get a  
11 low failure rate. The M9905 is qualified for an extended temperature range from -40°C to +105°C.

12 The two cryptographic co-processors serve the need of modern cryptography: The symmetric co-  
13 processor (SCP) combines both AES and Triple-DES with dual-key or triple-key hardware  
14 acceleration. The Asymmetric Crypto Co-processor, called Crypto2304T in the following, supports  
15 Elliptic Curve (EC) cryptography with high performance.

16 A True Random Number Generator (TRNG) specially designed for smart card applications is  
17 implemented. The TRNG fulfils the requirements from the functionality class PTG.2 of the AIS31  
18 and produces genuine random numbers which then can be used internally or by the user software.

19 The software part of the TOE consists of the cryptographic libraries for EC and asymmetric the Base  
20 libraries. If an EC library is part of the shipment, the corresponding asymmetric Base library is  
21 automatically included.

22 The EC library is used to provide a high-level interface to Elliptic Curve cryptography implemented  
23 on the hardware component Crypto2304T and includes countermeasures against SPA, DPA and  
24 DFA attacks. The routines are used for ECDSA signature generation, ECDSA signature verification,  
25 ECDSA key generation and Elliptic Curve Diffie-Hellman key agreement. The EC library is delivered  
26 as object code. The certification covers the standard NIST [DSS] and Brainpool [ECC] Elliptic Curves  
27 with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits. Note that  
28 there are numerous other curve types, being also secure in terms of side channel attacks on this  
29 TOE, which can the user optionally add in the composition certification process.

30 The asymmetric Base library provides the low-level interface to the asymmetric cryptographic  
31 coprocessor and has no user available interface. The asymmetric Base library does not provide any  
32 security functionality, implements no security mechanisms and does not contribute to a security  
33 functional requirement.

1 To fulfill the high security standards for smartcards today and also in the future, this TOE utilizes an  
2 integral security concept comprising countermeasure mechanisms specially designed against  
3 possible attack scenarios. The TOE provides a robust set of sensors for the purpose of monitoring  
4 proper chip operating conditions and detecting fault attack scenarios. The sensors are  
5 complemented with digital error detection mechanisms such as parities, error detection codes and  
6 instruction stream signatures. Probing and forcing attacks will be counteracted by the security  
7 optimized wiring approach, implemented by an Infineon-specific shielding combined with secure  
8 wiring of security critical signals, partly masking of security critical signals and by encryption of all  
9 memories inside the chip (RAM, ROM, NVM). A decentralized alarm propagation and system  
10 deactivation principle is implemented, further decreasing the risk of manipulating and tampering.  
11 Additionally, an online check of the security mechanisms is available by using the User Mode  
12 Security Life Control (UMSLC). Side-channel attacks (e.g. Timing Attack, SPA, DPA, EMA) are  
13 typically defeated using a combination of hardware and software mechanisms, for this the TOE  
14 provides several supporting features e.g. trash register writes and instruction interrupt prevention.  
15 The Instruction Stream Signature Checking (ISS) is a powerful countermeasure against fault attacks  
16 that try to manipulate the execution sequence of the instruction stream. All executed instructions  
17 are hashed in the CPUs signature register and the hardware automatically checks the fitting of the  
18 values.

19 In this security target the TOE is described and a summary specification is given. The security  
20 environment of the TOE during its different phases of the lifecycle is defined. The assets are  
21 identified which have to be protected through the security policy. The threats against these assets  
22 are described. The security objectives and the security policy are defined, as well as the security  
23 requirements. These security requirements are built up of the security functional requirements as  
24 part of the security policy and the security assurance requirements. These are the steps during the  
25 evaluation and certification showing that the TOE meets the targeted requirements. In addition, the  
26 functionality of the TOE matching the requirements is described.

27 The assets, threats, security objectives and the security functional requirements are defined in this  
28 Security Target and in [PP] and are referenced here. These requirements build up a minimal  
29 standard common for all Smartcards.

30 The security functions are defined here in the security target as property of this specific TOE. Here  
31 it is shown how this specific TOE fulfills the requirements for the standard defined in the Protection  
32 Profile [PP].

33 The TOE uses also Special Function Registers SFR. These SFR registers are used for general  
34 purposes and chip configuration. These registers are located in the SOLID FLASH™ NVM as  
35 configuration area page.  
36 A shielding algorithm finishes the upper layers above security critical signals and wires, finally  
37 providing the so called "security optimized wiring".  
38 The TOE with its integrated security features meets the requirements of all smart card applications  
39 such as information integrity, access control, mobile telephone and identification, as well as uses in  
40 electronic funds transfer and healthcare systems.  
41 To sum up, the TOE is a powerful smart card IC with a large amount of memory and special  
42 peripheral devices with improved performance, optimized power consumption, at minimal chip  
43 size while implementing high security.

## 1 2 Target of Evaluation Introduction

2 The TOE description helps to understand the specific security environment and the security policy.  
3 In this context the assets, threats, security objectives and security functional requirements can be  
4 employed. The following is a more detailed description of the TOE than in [PP] as it belongs to the  
5 specific TOE.

6

### 7 2.1 Definition of the TOE

8 The TOE comprises three parts:

9 • Hardware of the smart card security controller including all configurations and derivatives  
10 • Associated firmware, software and optional software  
11 • Guidance Documents.

12 The hardware configuration options and configuration methods are described in the chapters 1.1  
13 and 2.9. The second part of this TOE includes the associated firmware and software required for  
14 operation. The TOE can be delivered in various configurations, achieved by means of blocking and  
15 depending on the customer order.

16 The documents as described in section 2.6 and listed in Table 1, are supplied as user guidance. All  
17 product derivatives of this TOE, including all configuration possibilities differentiated by the GCIM  
18 data and the configuration information output, are manufactured by Infineon Technologies AG. In  
19 the following descriptions, the term "manufacturer" stands short for Infineon Technologies AG, the  
20 manufacturer of the TOE. The Smartcard Embedded Software respectively user software is not part  
21 of the TOE. In any case the user is able to clearly identify the TOE hardware, its configuration and  
22 proof the validity of the certificate independently, meaning without involving the manufacturer.  
23 The various blocking options, as well as the means used for the blocking, are done during the  
24 manufacturing process or at user premises. Entirely all means of blocking and the blocking of the  
25 involved firmware respectively software parts, used at Infineon Technologies AG and/or the user  
26 premises, are subject of the evaluation. All resulting configurations of a TOE derivative are subject  
27 of the certificate. All resulting configurations are either at the predefined limits or within the  
28 predefined configuration ranges.

29 One or more additional metal layer may be added on top of one of the TOE mask sets. These  
30 additional metal layer(s) just reroute the pads. Therefore, this last rerouting on top does not  
31 change the function of the TOE itself; it depends on the package only, and is not relevant for the  
32 security of the TOE. For these reasons, the metal layers are out of the scope of the certification and  
33 do not belong to the TOE. Of course, in all cases passivation and isolation coating is applied on top  
34 of the last layers carrying wires.

35 A shielding algorithm finishes the upper layers above security critical signals and wires, finally  
36 providing the so called "security optimized wiring".

37 The firmware used for the TOE internal testing and TOE operation and the cryptographic EC and  
38 base libraries are part of the TOE and therefore part of the certification. The documents as  
39 described in chapter 2.6 are supplied as user guidance. BPU functionality is part of the TOE but is  
40 not in the certification scope.

41 The term Smartcard Embedded Software is used in the following for all operating systems and  
42 applications stored and executed on the TOE. The TOE is the platform for the Smartcard Embedded  
43 Software. The Smartcard Embedded Software itself is not part of the TOE. The TOE does not require  
44 any non-TOE hardware/software/firmware.

### 2.1.1 Major security functions of the TOE

2 The major security functions of the TOE are:

- 3 • Memory Protection Unit
- 4 • Memory Encryption/Decryption Unit
- 5 • Sensors for the purpose of monitoring proper chip operating conditions and detecting fault
- 6 attack scenarios complemented with digital error detection mechanisms such as parities, error
- 7 detection codes and instruction stream signatures
- 8 • Security optimized wiring for protection of security critical signals
- 9 • Instruction Stream Signature Checking (ISS) as a countermeasure against fault attacks that try
- 10 to manipulate the execution sequence of the instruction stream
- 11 • Symmetric cryptographic coprocessor supporting AES and 3DES
- 12 • Crypto2304T, an asymmetric crypto coprocessor together with the libraries supporting EC
- 13 (optional)
- 14 • Cryptographic libraries for EC computations (optional)
- 15 • A true random number generator, which can be used as a security service to the user and for
- 16 internal purposes
- 17 •

### 2.1.2 Not part of the TOE Security Functionality

19 Not part of the certification are

- 20 • the Smartcard Embedded Software respectively user software (not part of the TOE),
- 21 • the piece of software running at user premises and collecting the BPU receipts coming from the
- 22 TOE. This BPU software part is the commercially deemed part of the BPU software, not running
- 23 on the TOE, but allowing refunding the customer, based on the collected user blocking
- 24 information. The receipt from each blocked TOE is collected by this software – chip by chip.

26 Not part of the TSF are

- 27 • The NRG software
- 28 • The CRC module
- 29 • The parts Toolbox and RSA of the ACL libraries
- 30 • All other delivered libraries which do not have a security claim in this ST.

## 31 2.2 Hardware of the TOE

32 The hardware part of the TOE (see Figure 2) as defined in [PP] is comprised of:

33 Core System

- 34 • 32-bit CPU implementation of ARM Secure Core SC300 based on ARMv7-M Instruction set
- 35 architecture including the Instruction Stream Signature Checking (ISS)
- 36 • CACHE for code and data buffering
- 37 • Memory Encryption/Decryption Unit (MED) and Error Detection Unit
- 38 • Memory Protection Unit (MPU)
- 39 • Nested Vectored Interrupt Controller (NVIC)

41 Interfaces

- 42 • Universal Asynchronous Receiver/Transmitter (UART)

1   • Single-Wire Protocol (SWP) with NRG interface  
2   • Inter Integrated Circuit (I2C) interface  
3   • General Purpose Input Output (GPIO)  
4   • Synchronous Serial Communication (SSC) which provides the  
5    Serial Peripheral Interface (SPI)  
6   • Universal Serial Bus (USB) interface  
7   • Standard ISO Interface (PAD)

8

9   **Memories**

10   • Read-Only Memory (ROM, for internal firmware)  
11   • Random Access Memory (RAM)  
12   • SOLID FLASH™ NVM memory (NVM)

13   Note that the TOE has implemented a SOLID FLASH™ NVM memory module. Parts of this memory  
14   module are configured to work as an EEPROM.

15

16   **Peripherals**

17   • True Random Number Generator (TRNG)  
18   • System Module (SYS)  
19   • Clock Unit (CLK)

20

21   **Coprocessors**

22   • Crypto2304T co-processor for asymmetric algorithms (Crypto, optional)  
23   • Symmetric Crypto co-processor for 3DES and AES  
24   •

25   **Analog Module (ANA)**

26   • Glitch Sensor  
27   • Temperature Sensor  
28   • Backside Light Detector  
29   • User Mode Security Life Control (UMSLC)

30

31   **Buses**

32   • Memory Bus  
33   • Peripheral Bus

34

35

1 **Figure 1**

|          |                                       |      |                              |
|----------|---------------------------------------|------|------------------------------|
| 2 Core   | Core System                           | ROM  | Read Only Memory             |
| 3 NVM    | SOLID FLASH™ NVM                      | RAM  | Random Access Memory         |
| 4 CLK    | Clock Unit                            | SYS  | System Module                |
| 5 Crypto | Crypto2304T                           | SCP  | Symmetric Crypto Processor   |
| 6 CRC    | Cyclic Redundancy Check               | TRNG | True Random Number Generator |
| 7 T&W    | Timer and Watchdog                    | UART | UART                         |
| 8 I2C    | Inter Integrated Circuit              | GPIO | General Purpose IO           |
| 9 SSC    | Synchronous Serial Communication      | SWP  | Single Wire Protocol         |
| 10 USB   | Universal Serial Bus                  | ANA  | Analog Units                 |
| 11 ISO   | Standard Interface                    | ISO  | Standard ISO Interface       |
| 12 EXF   | External Flash-memory (not available) |      |                              |

14 **Figure 2 Block diagram of the M9905 products (TOE parts are filled with light green, interface parts are filled in light blue)**

16  
17 The TOE consists of smart card ICs (Security Controllers) meeting high requirements in terms of  
18 performance and security. They are manufactured by Infineon Technologies AG in a 90 nm CMOS-  
19 technology (L90). This TOE is intended to be used in smart cards for particularly security-relevant  
20 applications and for its previous use as developing platform for smart card operating systems  
21 according to the lifecycle model from [PP]

22 The term Smartcard Embedded Software is used in the following for all operating systems and  
23 applications stored and executed on the TOE. The TOE is the platform for the Smartcard Embedded  
24 Software. The Smartcard Embedded Software itself is not part of the TOE.

1 The TOE consists of a core system, memories, co-processors, security peripherals, control logic and  
2 peripherals. The major components of the core system are the 32-bit CPU (Central Processing Unit),  
3 the MPU (Memory Protection Unit), the MED (Memory Encryption/Decryption Unit), the Nested  
4 Vectored Interrupt Controller (NVIC), the Instruction Stream Signature Checking (ISS) and the  
5 Cache system. The TOE contains the co-processors for EC (Crypto2304T) and DES/AES (SCP)  
6 processing, a CRC module and the true random number generator, four timers and two watchdog  
7 timers and several external interface services. All data of the memory block is encrypted, RAM and  
8 ROM are equipped with an error detection code (EDC) and the SOLID FLASH™ NVM is equipped in  
9 addition with an error correction code (ECC).

10 The memories are connected to the Core with the Memory Bus and the peripherals are connected  
11 with the Peripheral Bus.

12 The Analog Modules (ANA) serve for operation within the specified range and manage the alarms.  
13 A set of sensors (temperature sensor, backside light detector, glitch sensor) is used to detect  
14 excessive deviations from the specified operational range and serve for robustness of the TOE and  
15 the UMSLC function can be used to test the alarm lines.

16 The CPU is compatible with the instruction set of the ARMv7\_M architecture. Despite its  
17 compatibility the CPU implementation is entirely proprietary and not standard.

18 The CPU accesses the memory via the integrated Memory Encryption and Decryption unit (MED).  
19 The memory model of the TOE provides two distinct, independent levels. Additionally, up to eight  
20 regions can be defined with different access rights controlled by the Memory Protection Unit  
21 (MPU). Errors in RAM and ROM are automatically detected (EDC, Error Detection Code), in terms of  
22 the SOLID FLASH™ NVM errors are detected and 1-Bit-errors are also corrected (ECC, Error  
23 Correction Code).

24 The controller of this TOE stores both code and data in a linear 4-GByte memory space, allowing  
25 direct access without the need to swap memory segments in and out of memory using a memory  
26 protection unit.

27 The CACHE is a high-speed memory-buffer located between the CPU and the main memories  
28 holding a copy of some of the memory contents to enable access, which is considerably faster than  
29 retrieving the information from the main memory. In addition to its fast access speed, the CACHE  
30 also consumes less power than the main memories. The CACHE is equipped with an integrity check  
31 to verify the contents of the cache memories.

32 A True Random Number Generator (TRNG) specially designed for smart card applications is  
33 implemented. The TRNG fulfils the requirements from the functionality class PTG.2 of the AIS31  
34 and produces genuine random numbers which then can be used internally or by the user software.

35 The implemented sleep mode logic (clock stop mode per ISO/IEC 7816-3) is used to reduce the  
36 overall power consumption. The timers permit easy implementation of communication protocols  
37 such as T=1 and all other time-critical operations. The UART-controlled I/O interface allows the  
38 smart card controller and the terminal interface to be operated independently.

39 The Clock Unit (CLKU) supplies the clocks for all components of the TOE. It generates the system  
40 clock and an approximately 1MHz clock for the timers. The 1MHz clock is derived from an internal  
41 oscillator, while the system clock may either be based on the internal oscillator clock (internal clock  
42 mode) or on an external clock (external clock mode). Additionally, a sleep mode is available. When  
43 operating in the internal clock mode the system frequency can be configured by the user software  
44 combined with the current limitation functionality. In the external clock mode, the clock is derived  
45 from the external clock and a parameter with the range of 1 to 8. The system frequency may be 1 up  
46 to 8 times the externally applied frequency but is of course limited to the maximum system  
47 frequency and can be combined with the current limitation function.

1 Two co-processors for cryptographic operations are implemented on the TOE. The Crypto2304T  
2 for calculation of asymmetric algorithms and the Symmetric Cryptographic Processor (SCP) for  
3 dual-key or triple-key triple-DES and AES calculations. These co-processors are especially designed  
4 for smart card applications with respect to the security and power consumption. The SCP module  
5 computes the complete DES algorithm within a few clock cycles and is especially designed to  
6 counter attacks like DPA, EMA and DFA. The Crypto2304T module provides basic functions for the  
7 implementation of EC cryptographic libraries.

8 Note that this TOE can be delivered with Crypto2304T co-processor accessible or blocked. The  
9 blocking depends on the customer demands prior to the production of the hardware. No  
10 accessibility of the deselected cryptographic co-processors is without impact on any other security  
11 policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the  
12 cryptographic co-processors.

13 The cyclic redundancy check (CRC) module is a 16-bit checksum generator, which is not part of the  
14 TSF and therefore shall not be used for security-critical data. The TOE includes two timer modules  
15 each with two 16-bit general purpose timers. The timer module can be used also as watchdog timer  
16 to monitor system operation for possible timeouts and to check the correct order of operation.

17 An Interface Management module, located in the System Module (SYS), provides the TOE with the  
18 possibility to maintain two or more data interfaces simultaneously. The TOE is provided with,  
19 dependent on the configuration, different peripherals and interfaces as the Universal Serial Bus  
20 (USB), the SWP Slave Peripheral (SWP), the Synchronous Serial Communication (SSC), which  
21 provides the serial Peripheral Interface (SPI), the GPIO module (GPIO), the Inter-Integrated Circuit  
22 Module (I2C) and the Standard ISO Interface (PAD) to satisfy the different market requirements.

23

## 24 2.3 Firmware of the TOE

25 The entire firmware of the TOE consists of different parts:

26 The BOS (Boot Software) and the RMS (Resource Management System) compose the TOE firmware  
27 stored in the ROM and the patches hereof in the SOLID FLASH™ NVM. All mandatory functions for  
28 start-up and internal testing (BOS) are protected by a dedicated hardware firewall. Additionally  
29 two levels are provided, the privileged level and the non-privilege level, both are protected by a  
30 hardwired Memory Protection Unit (MPU) setting.

31 The firmware executes the UMSLC test during the startup phase and includes the features  
32 "hardening" and the "Burn-In Test". The feature "hardening" analyzing a random SOLID FLASH™  
33 NVM page after every regular program operation for written bits that are losing their charge, and,  
34 in this very unlikely case, the page is rewritten. The "Burn-In Test" during production is used to  
35 stress the chip in a high temperature, high internal voltage and active operation for a certain time  
36 and filtering out defect parts to get a low failure rate. The TOE is qualified for an extended  
37 temperature range from -40°C to +105°C.

38 The RMS is accessible in privileged level only. The FL (Flash Loader) allows downloading of user  
39 software to the NVM during the manufacturing process and can be completely deactivated.

40

## 41 2.4 Optional software of the TOE

42 The optional software part of the TOE consists of the cryptographic libraries EC and asymmetric  
43 Base libraries.

44 The EC library is used to provide a high level interface to Elliptic Curve cryptography and includes  
45 countermeasures against SPA, DPA and DFA attacks. The routines are used for ECDSA signature  
46 generation, ECDSA key generation and Elliptic Curve Diffie-Hellman key agreement. The EC library  
47

1 is delivered as object code and integrated in this way into the user software. The certification  
 2 covers the standard NIST [DSS] and Brainpool [ECC] Elliptic Curves with key lengths of 160, 163,  
 3 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits. Note that there are numerous other curve  
 4 types, being also secure in terms of side channel attacks on this TOE, which can be user optionally  
 5 add in the composition certification process.

6 The Asymmetric Base library provides the low level interface to the asymmetric cryptographic  
 7 coprocessor for the ECC cryptographic libraries and has no user available interface. It does not  
 8 support any security relevant policy or function. The Base and ECC library can optionally be  
 9 delivered in the alternative versions:

- 10 • The version v2.07.003
- 11 • The version v2.09.002

## 13 2.5 Interfaces of the TOE

- 14 • The physical interface of the TOE to the external environment is the entire surface of the IC.
- 15 • The electrical interface of the TOE to the external environment is constituted by the pads of the  
 16 chip:
  - 17 – The five ISO 7816 pads consist particularly of the contacted RES, I/O, CLK lines and supply  
 18 lines VCC and GND. The contact based communication is according to ISO 7816/ETSI/EMV.  
 19 The I2C communication can be driven via the ISO 7816 pads. In this case no other  
 20 communication using the ISO 7816 pads is possible.
  - 21 – The GPIO interface consists of 4 pads which can be individually configured and combined.
  - 22
  - 23 – Also the I2C and the SSC/SPI communication can be exclusively driven via the GPIO pads. In  
 24 this case no other communication using the GPIO pads is possible.
  - 25 – The USB interface is built out of two dedicated pads for data communication and two pads  
 26 used from the ISO 7816 interface supplying power and ground.
  - 27 – The SWP interface is built out of one pad to support the SWP slave functionality.
  - 28 • The data-oriented I/O interface to the TOE is formed by the I/O pad.
  - 29 • The interface to the firmware is constituted by special registers used for hardware configuration  
 30 and control (Special Function Registers, SFR).
  - 31 • The interface of the TOE to the operating system is constituted on one hand by the RMS routine  
 32 calls and on the other by the instruction set of the TOE.
  - 33 • The interface of the TOE to the test routines is formed by the BOS test routine call, i.e. entry to  
 34 test mode (OS-TM entry).
  - 35 • The interface to the EC calculations is defined by the EC library (optionally).

## 36 2.6 Guidance documentation

37 The guidance documentation is listed in Table 1

## 38 2.7 Forms of delivery

39 The TOE can be delivered in form of bare dies, in form of plain wafers, in form of complete modules  
 40 (wire bond module M4.x, provided as single chip wire bond or as stacked wire bond), or in one of  
 41 the following an IC cases: MFC5.8 (FCOS), PG-VQFN-8-1, PG-VQFN-32-13 (SMD) and P-M2M4.7-8-  
 42 1. In any case the testing of the TOE is finished and the extended test features are removed. From a  
 43 security policy point of view the different forms of delivery do not have any impact.

44 The delivery can therefore be at the end of phase 3 or at the end of phase 4 which can also include  
 45 pre-personalization steps according to PP [PP].

1 The delivery to the software developer (phase 2 → phase 1) is handled by downloading via  
 2 SecureX portal. It contains the documentation as described above and the development and  
 3 debugging tools.  
 4 Part of the software delivery could also be the Flash Loader program, provided by Infineon  
 5 Technologies, running on the TOE and receiving via the UART interface the transmitted information  
 6 of the user software to be loaded into the SOLID FLASH™ NVM memory. The download is only  
 7 possible after successful authentication. In addition, the user can permanently block further use of  
 8 the Flash Loader. Whether the Flash Loader program is present or not depends on the procurement  
 9 order.

10 **Table 2 TOE deliveries: forms and methods**

| TOE Component               | Delivered Format               | Delivery Method                                                                                                            | Comment                           |
|-----------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
| M9905 A11                   | See text above                 | Customer chooses delivery method. This ST describes under which circumstances transport protection is provided by the TOE. |                                   |
| All Firmware                | –                              | –                                                                                                                          | Stored on the delivered hardware. |
| All software libraries      | ARM Library File (object code) | Secured download <sup>1</sup>                                                                                              | –                                 |
| All User Guidance documents | Personalized PDF               | Secured download                                                                                                           | –                                 |

11  
12 The TOE is identified by the components as described in the physical scope in chapter 2.2.

13

- 14 The Hardware version, design step and Firmware version shall be read out from the chip by the
- 15 Generic Chip Identification Mode (GCIM) and compared against the correct versions. The
- 16 procedure how to read that data is described in the Programmers Reference Manual. The
- 17 correct versions are listed in chapter 2.3
- 18
- 19 The correct library versions shall be verified by the corresponding hash values as defined in
- 20 chapter 10.
- 21 The user guidance documents shall be compared to the versions listed in chapter 2.6

22

## 23 2.8 Production sites

24 The silicon of the design is produced in Dresden.

The delivery measures are described in the ALC\_DVS aspect.

25 **Table 3 Production site in chip identification**

| Production Site  | Chip Identification                          |
|------------------|----------------------------------------------|
| Dresden, Germany | byte number 13 (Fab number): 02 <sub>H</sub> |

26  
27 <sup>1</sup> Secured download is a way of delivery of documentation and TOE related software using a secure iShare connected to  
Infineon customer portal. The TOE user needs a DMZ Account to login (authenticate) via the Internet.

## 1 2.9 TOE Configuration

2 The TOE hardware offers different configuration options, which a customer can choose. The  
3 mechanism to choose a configuration can be done by the following methods:

- 4 1. by product selection or dialog-based in Tools,
- 5 2. via Bill-per-Use (BpU) and Flash Loader (FL),

6 The degree of freedom for configuring the TOE is predefined by Infineon Technologies AG. The list  
7 of TOE configurations is given in the confidential ST.

8 Besides fix TOE configurations, which can be ordered as usual, this TOE implements optionally the  
9 so called Bill-Per-Use (BPU) ability. This solution enables the customer to tailor the product on his  
10 own to the required configuration by blocking parts of the chip on demand into the final  
11 configuration at his own premises, without further delivery or involving support by Infineon  
12 Technology AG. Customers, who are intended to use this feature receive the TOE in a predefined  
13 configuration including the Flash Loader software, enhanced with the BPU blocking software. The  
14 blocking information is part of a chip configuration area and can be modified by customers using  
15 specific APDUs. Once a final blocking is done, further modifications are disabled.

16 The BPU software part is only present on the products which have been ordered with the BPU  
17 option. In all other cases this software is not present on the product.

18 Additionally the user can choose between different optional software libraries.

19 The user can choose the management of NRG libraries (version 01.03.0927) and/or the NRG reader  
20 mode support library (01.02.0800). Please note that the NRG libraries are not part of this  
21 certification.

23 The hardware of this TOE can be delivered with the following configuration options:

- 24 • both crypto co-processors accessible
- 25 • with a blocked Crypto2304T

26 In the case the Crypto2304T is blocked, no EC computation supported by hardware is possible. No  
27 accessibility of the deselected cryptographic co-processors is without impact on any other security  
28 policy of the TOE; it is exactly equivalent to the situation where the user decides just not to use the  
29 cryptographic co-processors.

30 The TOE can be delivered with the following optional libraries

- 31 • ECC
- 32 • Asymmetric Base library for ECC

34 In case of deselecting one or several of these libraries the TOE does not provide the respective  
35 functionality.

36

## 37 2.10 TOE initialization with Customer Software

38 Beside the various TOE configurations further possibilities of how the user inputs his software on  
39 the TOE are in place. This provides a maximum of flexibility and for this an overview is given in the  
40 following table:

42 Table 4 Options to implement user software at Infineon production premises

|   |                                                                                                                                                                                                    |                                                                                                                                        |
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| 1 | The user or/and a subcontractor downloads the software into the SOLID FLASH™ NVM memory on his own. Infineon Technologies AG has not received user software and there are no user data in the ROM. | The Flash Loader can be activated or reactivated by the user or subcontractor to download his software in the SOLID FLASH™ NVM memory. |
| 2 | The user provides software for the download into the SOLID FLASH™ NVM memory to                                                                                                                    | The Flash Loader is deactivated.                                                                                                       |

|   |                                                                                                                                                                                                                               |                                                                                                                                                                                                                                                                                                             |
|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|   | Infineon Technologies AG. The software is downloaded to the SOLID FLASH™ NVM memory during chip production. There are no user data in the ROM.                                                                                |                                                                                                                                                                                                                                                                                                             |
| 3 | The user provides software for the download into the SOLID FLASH™ NVM memory to Infineon Technologies AG. The software is downloaded to the SOLID FLASH™ NVM memory during chip production. There are no user data in the ROM | The Flash Loader is blocked afterwards but can be activated or reactivated by the user or subcontractor to download his software in the SOLID FLASH™ NVM memory. Precondition is that the user has provided an own reactivation procedure in software prior to chip production to Infineon Technologies AG. |

1

2 The Generic Chip Identification Mode (GCIM) data of the TOE allows a unique identification of each  
 3 TOE and provides several detailed production information. The Chip Identification Mode data is  
 4 accessible by a non-ISO reset or can be read directly from the configuration area located at the NVM  
 5 by the user operating system. The SLE97 Hardware Reference Manual [HRM] gives a detailed  
 6 description of the GCIM data.

1    3            **Conformance Claims (ASE\_CCL)**

2    3.1        **CC Conformance Claim**

3    This Security Target (ST) and the TOE claim conformance to Common Criteria version CC:2022,  
4    part 1 [CC-1], part 2 [CC-2], part 3 [CC-3] part 4 [CC-4]and part 5 [CC-5].

5    Conformance of this ST is claimed for:  
6    Common Criteria part 2 extended and Common Criteria part 3 conformant.

7    3.2        **PP Claim**

8    This Security Target is in **strict conformance** to the  
9    Security IC Platform Protection Profile [PP].

10   The Security IC Platform Protection Profile is registered and certified by the Bundesamt für  
11   Sicherheit in der Informationstechnik<sup>1</sup> (BSI) under the reference BSI-PP-0035, Version 1.0, dated  
12   15.06.2007.

13   The security assurance requirements of the TOE are according to the Security IC Platform  
14   Protection Profile [PP]. They are all drawn from [CC-3].

15   The augmentations of the PP [PP] are listed below.

16

17   **Table 5      Augmentations of the assurance level of the TOE**

| Assurance Class          | Assurance components | Description                                |
|--------------------------|----------------------|--------------------------------------------|
| Lifecycle support        | ALC_DVS.2            | Sufficiency of security measures           |
| Vulnerability assessment | AVA_VAN.5            | Advanced methodical vulnerability analysis |

18

19   3.3        **Package Claim**

20   This Security Target does not claim conformance to a package of the PP [PP].

21   The assurance level for the TOE is EAL5 augmented with the components ALC\_DVS.2 and  
22   AVA\_VAN.5.

23

24

---

<sup>1</sup> Bundesamt für Sicherheit in der Informationstechnik (BSI) is the German Federal Office for Information Security

### 1 3.4 Conformance Rationale

2 This security target claims strict conformance only to one PP, the PP [PP].

3 The Target of Evaluation (TOE) is a typical security IC as defined in PP chapter 1.2.2 comprising:

4 • the circuitry of the IC (hardware including the physical memories),  
5 • configuration data, initialisation data related to the IC Dedicated Software and the behaviour of  
6 the security functionality  
7 • the IC Dedicated Software with the parts  
8 • the IC Dedicated Test Software,  
9 • the IC Dedicated Support Software.

10 The TOE is designed, produced and/or generated by the TOE Manufacturer.

11 Security Problem Definition:

12 Following the PP [PP], the security problem definition is enhanced by adding two additional  
13 threats, an organization security policy and an augmented assumption. Including these add-ons, the  
14 security problem definition of this security target is consistent with the statement of the security  
15 problem definition in the PP [PP], as the security target claimed strict conformance to the PP [PP].

16 Conformance Rationale:

17 The augmented organizational security policy P.Add-Functions, coming from the additional security  
18 functionality of the cryptographic libraries, the augmented assumption A.Key-Function, related to  
19 the usage of key-depending function, the threat T-Masquerade.TOE and the threat memory access  
20 violation, due to specific TOE memory access control functionality, have been added. These add-ons  
21 have no impact on the conformance statements regarding CC [CC-1] and PP [PP], with following  
22 rationale:

23 The security target remains conformant to CC part 2 [CC-2], as the possibility to introduce  
24 additional restrictions is given.

25 The security target fulfils the strict conformance claim of the PP [PP] due to the application notes 5,  
26 6 and 7 which apply here. By those notes the addition of further security functions and security  
27 services are covered, even without deriving particular security functionality from a threat but from  
28 a policy.

29 Due to additional security functionality, one coming from the cryptographic libraries - O.Add-  
30 Functions, the memory access control - O.Mem-Access, and the hash additional security objectives  
31 have been introduced. These add-ons have no impact on the conformance statements regarding CC  
32 [CC-1] and PP [PP], with following rational:

33 The security target remains conformant to CC part 2 [CC-2], as the possibility to introduce  
34 additional restrictions is given.

35 The security target fulfils the strict conformance of the PP [PP] due to the application note 9  
36 applying here. This note allows the definition of high-level security goals due to further functions or  
37 services provided to the Security IC Embedded Software.

38 Therefore, the security objectives of this security target are consistent with the statement of the  
39 security objectives in the PP [PP], as the security target claimed strict conformance to the PP [PP].

40

41 All security functional requirements defined in the PP [PP] are included and completely defined in  
42 this ST. The security functional requirements listed in the following are all taken from Common  
43 Criteria part 2 [CC-2] and additionally included and completely defined in this ST:

1     • FDP\_ACC.1 "Subset access control"  
 2     • FDP\_ACF.1 "Security attribute based access control"  
 3     • FMT\_MSA.1 "Management of security attributes"  
 4     • FMT\_MSA.3 "Static attribute initialisation"  
 5     • FMT\_SMF.1 "Specification of Management functions"  
 6     • FCS\_COP.1 "Cryptographic support"  
 7     • FCS\_CKM.1 "Cryptographic key generation"  
 8     • FDP\_SDI.1 "Stored data integrity monitoring"  
 9     • FDP\_SDI.2 "Stored data integrity monitoring and action"

10   The security functional requirement  
 11   • FPT\_TST.2 "Subset TOE security testing" (Requirement from [CC-2])  
 12   is included and completely defined in this ST, section 6.  
 13   All assignments and selections of the security functional requirements are done in the PP [PP] and  
 14   in this security target in section 7.8.  
 15   The Assurance Requirements of the TOE obtain the Evaluation Assurance Level 5 augmented with  
 16   the assurance components ALC\_DVS.2 and AVA\_VAN.5 for the TOE.  
 17   •  
 18   • With CC:2022 several SFR changes are introduced. Due to this ST claiming conformance to  
 19   CC:2022 and PP0035 [PP], rationales are provided that these changes do not affect the  
 20   conformance claim to PP0035:  
 21   • FCS\_COP.1: for this SFR dependencies are changed in CC:2022. FCS\_CKM.4 is removed and  
 22   instead FCS\_CKM.6 added. Further FCS\_CKM.5 is added for key derivation as an alternative.  
 23   • FCS\_CKM.1: for this SFR dependencies are changed in CC:2022. Additionally, to FCS\_CKM.2 and  
 24   FCS\_COP.1, one further SFR is introduced as alternative: FCS\_CKM.5. This SFR targets key  
 25   derivation, subsequent to FCS\_CKM.1. In CC:2022 key derivation would have been part of  
 26   FCS\_CKM.1 and thus conformance to [PP] can still be claimed. FCS\_CKM.4 is removed and  
 27   instead FCS\_CKM.6 added. All other dependencies (i.e. FCS\_RNG.1 or FCS\_RBG.1) are in addition  
 28   to the already existing ones, i.e. add stricter requirements.  
 29   • FCS\_CKM.6 replaces FCS\_CKM.4 and adds further requirements on the timing of key  
 30   destruction. As an alternative dependency to FCS\_CKM.1, FCS\_CKM.5 (key derivation) can be  
 31   used. As FCS\_CKM.5 is neither used within [PP] nor within this ST, it has no relevance in this  
 32   context.  
 33   • FCS\_RNG.1: this SFR is taken from [CC-2] rather than [PP].  
 34   • FMT\_LIM.1 and FMT\_LIM.2 are taken from [CC-2] rather than [PP]. There is a slightly different  
 35   phrasing (i.e. removing redundancy from FMT\_LIM.1) and availability and capability policy  
 36   mentioned in both SFR's. The meaning though is the same and therefore conformance can still  
 37   be claimed.  
 38   Further with CC:2022 some SAR changes were introduced. Rationales are provided that these  
 39   changes do not affect the conformance claim to [PP]:  
 40   • ASE\_CCL.1: for CC:2022 several extensions were introduced (e.g. exact conformance to PP),  
 41   which add to the already existing assurance requirements. No relaxation was introduced.  
 42   • ASE\_INT.1: introduction of multi-assurance in combination with PP-configuration: not relevant  
 43   for [PP]  
 44   • ASE\_REQ.2: extended for multi assurance: not relevant for [PP]  
 45   • AVA\_VAN.5: extension about third party components introduced. No relaxation was introduced.

<sup>1</sup> • ALC\_TAT.1: extension with guidance on the minimum content for an implementation standards description and rules with ADV\_COMP.1. No relaxation was introduced.

<sup>2</sup>

<sup>3</sup>

## 4 Security Problem Definition (ASE\_SPD)

2 The content of the PP [PP] applies to this chapter completely.

### 3 4.1 Threats

4 The threats are directed against the assets and/or the security functions of the TOE. For example,  
5 certain attacks are only one step towards a disclosure of assets while others may directly lead to a  
6 compromise of the application security. The more detailed description of specific attacks is given  
7 later on in the process of evaluation and certification. An overview on attacks is given in PP [PP]  
8 section 3.2.

9 The threats to security are defined and described in PP [PP] section 3.2.

10 **Table 6 Threats according PP [PP]**

| Threat              | Description                             |
|---------------------|-----------------------------------------|
| T.Phys-Manipulation | Physical Manipulation                   |
| T.Phys-Probing      | Physical Probing                        |
| T.Malfunction       | Malfunction due to Environmental Stress |
| T.Leak-Inherent     | Inherent Information Leakage            |
| T.Leak-Forced       | Forced Information Leakage              |
| T.Abuse-Func        | Abuse of Functionality                  |
| T.RND               | Deficiency of Random Numbers            |

#### 11 4.1.1 Additional Threat due to TOE specific Functionality

12 The additional functionality of introducing sophisticated privilege levels and access control allows  
13 the secure separation between the operation system(s) and applications, the secure downloading  
14 of applications after personalization and enables multitasking by separating memory areas and  
15 performing access controls between different applications. Due to this additional functionality  
16 “area based memory access control” a new threat is introduced.

17 The Smartcard Embedded Software is responsible for its User Data according to the assumption  
18 “Treatment of User Data (A.Resp-Appl)”. However, the Smartcard Embedded Software may  
19 comprise different parts, for instance an operating system and one or more applications. In this  
20 case, such parts may accidentally or deliberately access data (including code) of other parts, which  
21 may result in a security violation.

22 The TOE shall avert the threat “Memory Access Violation (T.Mem-Access)” as specified below.

23 T.Mem-Access      Memory Access Violation

24 Parts of the Smartcard Embedded Software may cause security violations by accidentally or  
25 deliberately accessing restricted data (which may include code) or privilege levels. Any restrictions  
26 are defined by the security policy of the specific application context and must be implemented by  
27 the Smartcard Embedded Software.

28 T.Masquerade\_TOE      Masquerade of the TOE

29 An attacker may threaten the property being a genuine TOE by producing a chip which is not a  
30 genuine TOE but wrongly identifying itself as genuine TOE sample. This threat has been  
31 additionally introduced because the chip can be delivered without an User OS doing the  
32 identification.

1 **Table 7 Additional threats due to TOE specific functions and augmentations**

|                  |                         |
|------------------|-------------------------|
| T.Mem-Access     | Memory Access Violation |
| T.Masquerade_TOE | Masquerade of the TOE   |

2  
3 **4.1.2 Assets regarding the Threats**

4 The primary assets concern the User Data which includes the user data as well as program code  
5 (Security IC Embedded Software) stored and in operation and the provided security services. These  
6 assets have to be protected while being executed and or processed and on the other hand, when the  
7 TOE is not in operation.

8 This leads to four primary assets with its related security concerns:

9

- 10 SC1 Integrity of User Data and of the Security IC Embedded Software (while being  
executed/processed and while being stored in the TOE's memories),
- 11 SC2 Confidentiality of User Data and of the Security IC Embedded Software (while being  
processed and while being stored in the TOE's memories)
- 12 SC3 Correct operation of the security services provided by the TOE for the Security IC  
Embedded Software.
- 13 SC4 Continuous availability of random numbers

14 SC4 is an additional security service provided by this TOE which is the availability of random  
15 numbers. These random numbers are generated either by a true random number or a deterministic  
16 random number generator or by both, when a true random number is used as seed for the  
17 deterministic random number generator. Note that the generation of random numbers is a  
18 requirement of the PP [PP].

19 To be able to protect the listed assets the TOE shall protect its security functionality as well.  
20 Therefore critical information about the TOE shall be protected. Critical information includes:

21

- 22 logical design data, physical design data, IC Dedicated Software, and configuration data
- 23 Initialisation Data and Pre-personalisation Data, specific development aids, test and  
characterisation related data, material for software development support, and reticles.

24 The information and material produced and/or processed by the TOE Manufacturer in the TOE  
25 development and production environment (Phases 2 up to TOE Delivery) can be grouped as  
26 follows:

27

- 28 logical design data,
- 29 physical design data,
- 30 IC Dedicated Software, Security IC Embedded Software, Initialisation Data and Pre-  
personalisation Data,
- 31 specific development aids,
- 32 test and characterisation related data,
- 33 material for software development support, and
- 34 reticles and products in any form

35 as long as they are generated, stored, or processed by the TOE Manufacturer.

36 For details see PP [PP] section 3.1.

## 1 4.2 Organizational Security Policies

2 The TOE has to be protected during the first phases of their lifecycle (phases 2 up to TOE delivery  
3 which can be after phase 3 or phase 4). Later on each variant of the TOE has to protect itself. The  
4 organizational security policy covers this aspect.

5 P.Process-TOE Protection during TOE Development and Production

6 An accurate identification must be established for the TOE. This requires that each instantiation of  
7 the TOE carries this unique identification.

8 The organizational security policies are defined and described in PP [PP] section 3.3. Due to the  
9 augmentations of PP [PP] an additional policy is introduced and described in the next chapter.

10 **Table 8 Organizational Security Policies according PP [PP]**

|               |                                                  |
|---------------|--------------------------------------------------|
| P.Process-TOE | Protection during TOE Development and Production |
|---------------|--------------------------------------------------|

### 11 4.2.1 Augmented Organizational Security Policy

12 Due to the augmentations of the PP [PP] an additional policy is introduced.

13 The TOE provides specific security functionality, which can be used by the Smartcard Embedded  
14 Software. In the following specific security functionality is listed which is not derived from threats  
15 identified for the TOE's environment because it can only be decided in the context of the smartcard  
16 application, against which threats the Smartcard Embedded Software will use the specific security  
17 functionality.

18 The IC Developer / Manufacturer must apply the policy "Additional Specific Security Functionality  
19 (P.Add-Functions)" as specified below.

|                 |                                            |
|-----------------|--------------------------------------------|
| P.Add-Functions | Additional Specific Security Functionality |
|-----------------|--------------------------------------------|

20

21 The TOE shall provide the following specific security functionality to the Smartcard Embedded  
22 Software:

23 • Advanced Encryption Standard (AES)  
24 • Triple Data Encryption Standard (3DES)  
25 • Elliptic Curve Cryptography (EC)

26

27 *Note: This TOE can be delivered with the Crypto2304T coprocessor accessible or blocked. In case  
28 the Crypto2304T is blocked, no ECC computation supported by hardware is possible. The  
29 ECC functionality has then to be removed from this policy.*

30 *Note: The TOE can also be delivered with the optional ECC library. The optional ECC library needs  
31 an accessible Crypto2304T. If the optional ECC library is not delivered then ECC functionality  
32 has to be removed from this policy.*

## 33 4.3 Assumptions

34 The TOE assumptions on the operational environment are defined and described in PP [PP] section  
35 3.4.

36 The assumptions concern the phases where the TOE has left the chip manufacturer.

1

2 A.Process-Sec-IC Protection during Packaging, Finishing and Personalization:  
3 It is assumed that security procedures are used after delivery of the TOE by the TOE Manufacturer  
4 up to delivery to the end-consumer to maintain confidentiality and integrity of the TOE and of its  
5 manufacturing and test data (to prevent any possible copy, modification, retention, theft or  
6 unauthorised use).

7 A.Plat-Appl Usage of Hardware Platform:  
8 The Security IC Embedded Software is designed so that the requirements from the following  
9 documents are met: (i) TOE guidance documents (refer to the Common Criteria assurance class  
10 AGD) such as the hardware data sheet, and the hardware application notes, and (ii) findings of the  
11 TOE evaluation reports relevant for the Security IC Embedded Software as documented in the  
12 certification report.

13 A.Resp-Appl Treatment of User Data:  
14 All User Data are owned by Security IC Embedded Software. Therefore, it must be assumed that  
15 security relevant User Data (especially cryptographic keys) are treated by the Security IC  
16 Embedded Software as defined for its specific application context.

17 The support of cipher schemas needs to make an additional assumption.

18 **Table 9 Assumption according PP [PP]**

|                  |                                                            |
|------------------|------------------------------------------------------------|
| A.Process-Sec-IC | Protection during Packaging, Finishing and Personalization |
| A.Plat-Appl      | Usage of Hardware Platform                                 |
| A.Resp-Appl      | Treatment of User Data                                     |

19

20

### 1 4.3.1 Augmented Assumptions

2 The developer of the Smartcard Embedded Software must ensure the appropriate “Usage of Key-  
3 dependent Functions (A.Key-Function)” while developing this software in Phase 1 as specified  
4 below.

| A.Key-Function | Usage of Key-dependent Functions |
|----------------|----------------------------------|
|----------------|----------------------------------|

5  
6 Key-dependent functions (if any) shall be implemented in the Smartcard Embedded Software in a  
7 way that they are not susceptible to leakage attacks (as described under T.Leak-Inherent and  
8 T.Leak-Forced).

9 Note, that here the routines which may compromise keys when being executed are part of the  
10 Smartcard Embedded Software. In contrast to this, the threats T.Leak-Inherent and T.Leak-Forced  
11 address (i) the cryptographic routines which are part of the TOE (For details see PP [PP] section  
12 3.4.).

## 1 5 Security objectives (ASE\_OBJ)

2 This section shows the subjects and objects where are relevant to the TOE.

3 A short overview is given in the following.

4 The user has the following standard high-level security goals related to the assets:

- 5 SG1 maintain the integrity of User Data and of the Security IC Embedded Software
- 6 SG2 maintain the confidentiality of User Data and of the Security IC Embedded Software
- 7 SG3 maintain the correct operation of the security services provided by the TOE for the Security
- 8 IC Embedded Software
- 9 SG4 provision of random numbers.

### 10 5.1 Security objectives for the TOE

11 The security objectives of the TOE are defined and described in PP [PP] section 4.1.

13 **Table 10 Objectives for the TOE according to PP [PP]**

|                     |                                                 |
|---------------------|-------------------------------------------------|
| O.Phys-Manipulation | Protection against Physical Manipulation        |
| O.Phys-Probing      | Protection against Physical Probing             |
| O.Malfunction       | Protection against Malfunction                  |
| O.Leak-Inherent     | Protection against Inherent Information Leakage |
| O.Leak-Forced       | Protection against Forced Information Leakage   |
| O.Abuse-Func        | Protection against Abuse of Functionality       |
| O.Identification    | TOE Identification                              |
| O.RND               | Random Numbers                                  |

14  
15 The TOE provides “Additional Specific Security Functionality (O.Add-Functions)” as specified  
16 below.

#### 17 **O.Add-Functions : Additional Specific Security Functionality**

18 The TOE must provide the following specific security functionality to the Smartcard Embedded  
19 Software:

- 20 Advanced Encryption Standard (AES)
- 21 Triple Data Encryption Standard (3DES)
- 22 Elliptic Curve Cryptography (EC) (optional)

23 The hardware of this TOE can be delivered with the following configuration options:

- 24 both crypto co-processors accessible
- 25 with a blocked Crypto2304T

26 In the case the Crypto2304T is blocked, no EC computations supported by hardware are possible.

27 The optional security relevant software part of the TOE consists of the following optional libraries:

- 28 EC Cryptographic Library

29  
30 The TOE shall provide “Area based Memory Access Control (O.Mem-Access)” as specified below.

1 **0.Mem-Access: Area based Memory Access Control**

2 The TOE must provide the Smartcard Embedded Software with the capability to define restricted  
3 access memory areas. The TOE must then enforce the partitioning of such memory areas so that  
4 access of software to memory areas and privilege levels is controlled as required, for example, in a  
5 multi-application environment.

6 **Table 11 Additional objectives due to TOE specific functions and augmentations**

|                 |                                            |
|-----------------|--------------------------------------------|
| O.Add-Functions | Additional specific security functionality |
| O.Mem-Access    | Area based Memory Access Control           |

7 **5.2 Security Objectives for the development and operational  
8 Environment**

9 The security objectives of the TOE are defined and described in PP [PP] section 4.1.

10 **Table 12 Objectives for the TOE according to PP [PP]**

|                   |                                                   |
|-------------------|---------------------------------------------------|
| OE.Plat-Appl      | Usage of Hardware Platform                        |
| OE.Resp-Appl      | Treatment of User Data                            |
| OE.Process-Sec-IC | Protection during composite product manufacturing |

11  
12 This ST further defines the objectives for the environment OE.Secure\_Delivery as specified below.

13 **OE.Secure\_Delivery:**

14 The TOE does not provide transport protection. Therefore, technical and / or organisational  
15 security procedures (e.g. a custom mutual authentication mechanism or a security transport)  
16 should be put in place by the customer to secure the personalized TOE during delivery as required  
17 by the security needs of the loaded IC Embedded Software.

18  
19 The table below lists the security objectives for the environment in the life cycle phases.

20 **Table 13 Security objectives for the environment**

|                                 |                                             |                                                                                                                                                                                                                                                                                                                                                                                      |
|---------------------------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Phase 1                         | OE.Plat-Appl                                | Usage of Hardware Platform                                                                                                                                                                                                                                                                                                                                                           |
|                                 | OE.Resp-Appl                                | Treatment of User Data                                                                                                                                                                                                                                                                                                                                                               |
| Phase 5 – 6<br>optional Phase 4 | OE.Process-Sec-IC                           | Protection during composite<br>product manufacturing                                                                                                                                                                                                                                                                                                                                 |
| Phase 3, 4                      | OE.Secure_Delivery<br>OE.Prevent-Masquerade | The TOE does not provide<br>transport protection. Therefore,<br>technical and / or organisational<br>security procedures (e.g. a<br>custom mutual authentication<br>mechanism or a security<br>transport) should be put in place<br>by the customer to secure the<br>personalized TOE during<br>delivery as required by the<br>security needs of the loaded IC<br>Embedded Software. |

### 1 5.2.1 Clarification of “Usage of Hardware Platform (OE.Plat-App)”

2 Regarding the cryptographic services this objective of the environment has to be clarified. The TOE  
 3 supports cipher schemes as additional specific security functionality. If required the Smartcard  
 4 Embedded Software shall use these cryptographic services of the TOE and their interface as  
 5 specified. When key-dependent functions implemented in the Smartcard Embedded Software are  
 6 just being executed, the Smartcard Embedded Software must provide protection against disclosure  
 7 of confidential data (User Data) stored and/or processed in the TOE by using the methods  
 8 described under “Inherent Information Leakage (T.Leak-Inherent)” and “Forced Information  
 9 Leakage (T.Leak-Forced)“.

10 The objectives of the environment regarding the memory, software and firmware protection and  
 11 the SFR and peripheral-access-rights-handling have to be clarified. For the separation of different  
 12 applications the Smartcard Embedded Software (Operating System) may implement a memory  
 13 management scheme based upon security functions of the TOE.

### 14 5.2.2 Clarification of “Treatment of User Data (OE.Resp-App)”

15 Regarding the cryptographic services this objective of the environment has to be clarified. By  
 16 definition cipher or plain text data and cryptographic keys are User Data. The Smartcard Embedded  
 17 Software shall treat these data appropriately, use only proper secret keys (chosen from a large key  
 18 space) as input for the cryptographic function of the TOE and use keys and functions appropriately  
 19 in order to ensure the strength of cryptographic operation.

20 This means that keys are treated as confidential as soon as they are generated. The keys must be  
 21 unique with a very high probability, as well as cryptographically strong. For example, it must be  
 22 ensured that it is beyond practicality to derive the private key from a public key if asymmetric  
 23 algorithms are used. If keys are imported into the TOE and/or derived from other keys, quality and  
 24 confidentiality must be maintained. This implies that appropriate key management has to be  
 25 realized in the environment.

26 Regarding the memory, software and firmware protection and the SFR and peripheral access rights  
 27 handling these objectives of the environment has to be clarified. The treatment of User Data is also  
 28 required when a multi-application operating system is implemented as part of the Smartcard  
 29 Embedded Software on the TOE. In this case the multi-application operating system should not  
 30 disclose security relevant user data of one application to another application when it is processed  
 31 or stored on the TOE.

### 32 5.2.3 Clarification of “Protection during Composite product 33 manufacturing (OE.Process-Sec-IC)”

34 The protection during packaging, finishing and personalization includes also the personalization  
 35 process (Flash Loader software) and the personalization data (TOE software components) during  
 36 Phase 4, Phase 5 and Phase 6.

## 37 5.3 Security Objectives Rationale

38 The security objectives rationale of the TOE are defined and described in PP [PP] section 4.4. For  
 39 organizational security policy P.Add-Functions, OE.Plat-App and OE.Resp-App the rationale is  
 40 given in the following description.

41 **Table 14 Security Objective Rationale**

| Assumption, Threat or Organisational Security Policy | Security Objective |
|------------------------------------------------------|--------------------|
| P.Add-Functions                                      | O.Add-Functions    |

|                  |                              |
|------------------|------------------------------|
| A.Key-Function   | OE.Plat-Appl<br>OE.Resp-Appl |
| T.Mem-Access     | O.Mem-Access                 |
| T.Masquerade_TOE | OE.Secure_Delivery           |

1

2 The justification related to the security objective "Additional Specific Security Functionality  
 3 (O.Add-Functions)" is as follows: Since O.Add-Functions requires the TOE to implement exactly the  
 4 same specific security functionality as required by P.Add-Functions; the organizational security  
 5 policy is covered by the objective.

6 Nevertheless the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-  
 7 Manipulation and O.Leak-Forced define how to implement the specific security functionality  
 8 required by P.Add-Functions. (Note that these objectives support that the specific security  
 9 functionality is provided in a secure way as expected from P.Add-Functions.) Especially O.Leak-  
 10 Inherent and O.Leak-Forced refer to the protection of confidential data (User Data or TSF data) in  
 11 general. User Data are also processed by the specific security functionality required by  
 12 P.Add-Functions.

13

14

15

16

17

18

19

20 Compared to PP [PP] clarification has been made for the security objective "Usage of Hardware  
 21 Platform (OE.Plat-Appl)": If required the Smartcard Embedded Software shall use these  
 22 cryptographic services of the TOE and their interface as specified. In addition, the Smartcard  
 23 Embedded Software must implement functions which perform operations on keys (if any) in such a  
 24 manner that they do not disclose information about confidential data. The non disclosure due to  
 25 leakage A.Key-Function attacks is included in this objective OE.Plat-Appl. This addition ensures that  
 26 the assumption A.Plat-Appl is still covered by the objective OE.Plat-Appl although additional  
 27 functions are being supported according to O.Add-Functions.

28 Compared to the PP [PP] a clarification has been made for the security objective "Treatment of User  
 29 Data (OE.Resp-Appl)": By definition cipher or plain text data and cryptographic keys are User Data.  
 30 So, the Smartcard Embedded Software will protect such data if required and use keys and functions  
 31 appropriately in order to ensure the strength of cryptographic operation. Quality and  
 32 confidentiality must be maintained for keys that are imported and/or derived from other keys. This  
 33 implies that appropriate key management has to be realized in the environment. That is expressed  
 34 by the assumption A.Key-Function which is covered from OE.Resp-Appl. These measures make sure  
 35 that the assumption A.Resp-Appl is still covered by the security objective OE.Resp-Appl although  
 36 additional functions are being supported according to P.Add-Functions.

37 Compared to the PP [PP] an enhancement regarding memory area protection has been established.  
 38 The clear definition of privilege levels for operated software establishes the clear separation of  
 39 different restricted memory areas for running the firmware, downloading and/or running the  
 40 operating system and to establish a clear separation between different applications. Nevertheless, it  
 41 is also possible to define a shared memory section where separated applications may exchange  
 42 defined data. The privilege levels clearly define by using a hierarchical model the access right from  
 43 one level to the other. These measures ensure that the threat T.Mem-Access is clearly covered by  
 44 the security objective O.Mem-Access.

- 1 The justification of the additional policy and the additional assumption show that they do not contradict to the rationale already given in the Protection Profile for the assumptions, policy and threats defined there.
- 2
- 3
- 4 The objective OE.Secure\_Delivery is defined to require transport protection by the environment ias
- 5 the TOE does not provide this objective.
- 6

## 1 6 Extended Component Definition (ASE\_ECD)

2 There are four extended components defined and described for the TOE:

3 • the family **FAU\_SAS** at the class FAU Security Audit  
4 • the component **FPT\_TST.2** at the class FPT Protection of the TSF

5 The extended component FAU\_SAS is defined and described in PP [PP] section 5. The component  
6 FPT\_TST.2 is defined in the following sections.

### 7 6.1 "Subset TOE security testing (FPT\_TST)"

8 The security is strongly dependent on the correct operation of the security functions. Therefore, the  
9 TOE shall support that particular security functions or mechanisms are tested in the operational  
10 phase (Phase 7). The tests can be initiated by the Smartcard Embedded Software and/or by the  
11 TOE or is done automatically and continuously.

12 Part 2 of the Common Criteria provides the security functional component "TSF testing  
13 (FPT\_TST.1)". The component FPT\_TST.1 provides the ability to test the TSF's correct operation.

14 For the user it is important to know which security functions or mechanisms can be tested. The  
15 functional component FPT\_TST.1 does not mandate to explicitly specify the security functions being  
16 tested. In addition, FPT\_TST.1 requires verification of the integrity of TSF data and of the stored TSF  
17 executable code which might violate the security policy. Therefore, the functional component  
18 "**Subset TOE security testing (FPT\_TST.2)**" of the family TSF self test has been newly created. This  
19 component allows that particular parts of the security mechanisms and functions provided by the  
20 TOE are tested.

### 21 6.2 Definition of FPT\_TST.2

22 The functional component "Subset TOE security testing (FPT\_TST.2)" has been newly created  
23 (Common Criteria Part 2 extended). This component allows that particular parts of the security  
24 mechanisms and functions provided by the TOE can be tested after TOE Delivery or are tested  
25 automatically and continuously during normal operation transparent for the user.  
26 This security functional component is used instead of the functional component FPT\_TST.1 from  
27 Common Criteria Part 2. For the user it is important to know which security functions or  
28 mechanisms can be tested. The functional component FPT\_TST.1 does not mandate to explicitly  
29 specify the security functions being tested. In addition, FPT\_TST.1 requires verifying the integrity of  
30 TSF data and stored TSF executable code which might violate the security policy.

31 The functional component "Subset TOE testing (FPT\_TST.2)" is specified as follows (Common  
32 Criteria Part 2 extended).

33

## 6.3 TSF self test (FPT\_TST)

2 Family Behavior The Family Behavior is defined in [CC-2] section 15.17.1.

### 3 Component leveling



5 FPT TST.1 The component FPT TST.1 is defined in [CC-2] section 15.17.1.

6 FPT\_TST.2 Subset TOE security testing, provides the ability to test the correct operation of  
7 particular security functions or mechanisms. These tests may be performed at start-  
8 up, periodically, at the request of the authorized user, or when other  
9 conditions are met. It also provides the ability to verify the integrity of TSF data and  
10 executable code.

## 11 Management: FPT\_TST.2

The following actions could be considered for the management functions in FMT: management of the conditions under which subset TSF self testing occurs, such as during initial start-up, regular interval or under specified conditions management of the time of the interval appropriate.

L6 Audit: FPT\_TST.2

17 There are no auditable events foreseen.

## 18 FPT\_TST.2 Subset TOE testing

Hierarchical to: No other components.

20 Dependencies: No dependencies

21 FPT\_TST.2.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically  
22 during normal operation, at the request of the authorized user, and/or at the  
23 conditions [assignment: conditions under which self test should occur]] to  
24 demonstrate the correct operation of [assignment: functions and/or mechanisms].

## 1 7 Security Requirements (ASE\_REQ)

2 For this section the PP [PP] section 6 can be applied completely.

3 The security functional requirements (SFR) for the TOE are defined and described in the PP [PP]  
4 section 6.1 and in the following description.

5 The Table 15 provides an overview of the functional security requirements of the TOE, defined in  
6 PP [PP] section 6.1. In the last column it is marked if the requirement is refined. The refinements  
7 are also valid for this ST.

8 **Table 15 Security functional requirements defined in PP [PP]**

| Security Functional Requirement | Refined in PP [PP] |
|---------------------------------|--------------------|
| FRU_FLT.2                       | Yes                |
| FPT_FLS.1                       | Yes                |
| FAU_SAS.1                       | No                 |
| FPT_PHP.3                       | Yes                |
| FDP_ITT.1                       | Yes                |
| FPT_ITT.1                       | Yes                |
| FDP_IFC.1                       | No                 |

9  
10 Table 16 provides an overview of all SFRs which are taken from the CC standard [CC-2]. They  
11 replace the corresponding SFRs from PP [PP].

12 **Table 16 Security functional requirements defined in CC [CC-2]**

| Security Functional Requirement |
|---------------------------------|
| FMT_LIM.1                       |
| FMT_LIM.2                       |
| FCS_RNG.1                       |

13  
14  
15 The Table 17 provides an overview about the augmented security functional requirements, which  
16 are added additional to the TOE and defined in this ST. All requirements are taken from Common  
17 Criteria Part 2 [CC-2], with the exception of the requirement FPT\_TST.2, which is defined in this ST  
18 completely.  
19

20 **Table 17 Augmented security functional requirements**

| Security Functional Requirement |
|---------------------------------|
| FPT_TST.2                       |
| FDP_ACC.1                       |
| FDP_ACF.1                       |
| FMT_MSA.1                       |
| FMT_MSA.3                       |
| FMT_SMF.1                       |
| FCS_COP.1                       |
| FCS_CKM.1                       |
| FDP_SDI.1                       |

---

|           |                                             |
|-----------|---------------------------------------------|
| FDP_SDI.2 | Stored data integrity monitoring and action |
|-----------|---------------------------------------------|

1  
2 All assignments and selections of the security functional requirements of the TOE are done in PP  
3 [PP] and in the following description.  
4 The above marked extended components FMT\_LIM.1 and FMT\_LIM.2 are introduced in PP [PP] to  
5 define the IT security functional requirements of the TOE as an additional family (FMT\_LIM) of the  
6 Class FMT (Security Management). This family describes the functional requirements for the Test  
7 Features of the TOE. The new functional requirements were defined in the class FMT because this  
8 class addresses the management of functions of the TSF.  
9 The additional component FAU.SAS is introduced to define the security functional requirements of  
10 the TOE of the Class FAU (Security Audit). This family describes the functional requirements for the  
11 storage of audit data and is described in the next chapter.  
12 The requirement FPT\_TST.2 is the subset of TOE testing and originated in [CC-2]. This requirement  
13 is given as the correct operation of the security functions is essential. The TOE provides  
14 mechanisms to cover this requirement by the smartcard embedded software and/or by the TOE  
15 itself.

## 16 7.1 FAU\_SAS

17 To define the security functional requirements of the TOE an additional family (FAU\_SAS) of the  
18 Class FAU (Security Audit) is defined here. This family describes the functional requirements for  
19 the storage of audit data. It has a more general approach than FAU\_GEN, because it does not  
20 necessarily require the data to be generated by the TOE itself and because it does not give specific  
21 details of the content of the audit records.

22 The TOE shall meet the requirement "Audit storage (FAU\_SAS.1)" as specified below (Common  
23 Criteria Part 2 extended).

24  
25 FAU\_SAS.1 Audit Storage

26 Hierarchical to: No other components

27 Dependencies: No dependencies.

28 FAU\_SAS.1.1 The TSF shall provide the test process before TOE Delivery with the  
29 capability to store the Initialization Data and/or Pre-personalization Data  
30 and/or supplements of the Security IC Embedded Software in the not  
31 changeable configuration page area and non-volatile memory.

## 32 7.2 FPT\_TST.2

33 The security is strongly dependent on the correct operation of the security functions. Therefore, the  
34 TOE shall support that particular security functions or mechanisms are tested in the operational  
35 phase (Phase 7). The tests can be initiated by the Smartcard Embedded Software and/or by the  
36 TOE.

37 The TOE shall meet the requirement "Subset TOE testing (FPT\_TST.2)" as specified below  
38 (Common Criteria Part 2 extended).

39  
40 FPT\_TST.2 Subset TOE testing

41 Hierarchical to: No other components

42 Dependencies: No dependencies

1 FPT\_TST.2.1 The TSF shall run a suite of self tests at the request of the authorized user to  
2 demonstrate the correct operation of the alarm lines and/or the  
3 environmental sensor mechanisms

4 **7.3 FCS\_RNG**

5 To define the IT security functional requirements of the TOE an additional family (FCS\_RNG) of the  
6 class FCS (cryptographic support) is defined in [CC-2].

7  
8 **FCS\_RNG.1 Random Number Generation**

9 Hierarchical to: No other components

10 Dependencies: No dependencies

11 FCS\_RNG.1 Random numbers generation Class PTG.2 according to [CC-2]

12 FCS\_RNG.1.1 The TSF shall provide a physical<sup>1</sup> random number generator that  
13 implements:

14 PTG.2.1 A: total failure test detects a total failure of entropy source  
15 immediately when the RNG has started. When a total failure is detected, no  
16 random numbers will be output.

17 PTG.2.2 : If a total failure of the entropy source occurs while the RNG  
18 is being operated, the RNG prevents the output of any internal random  
19 number that depends on some raw random numbers that have been  
20 generated after the total failure of the entropy source.

21  
22 PTG.2.3: The online test shall detect non-tolerable statistical defects of the  
23 raw random number sequence (i) immediately when the RNG has started,  
24 and (ii) while the RNG is being operated. The TSF must not output any  
25 random numbers before the power-up online test has finished successfully  
26 or when a defect has been detected.

27 PTG.2.4 :The online test procedure shall be effective to detect non-  
28 tolerable weaknesses of the random numbers soon.

29  
30 PTG.2.5 :The online test procedure checks the quality of the raw random  
31 number sequence. It is triggered continuously. The online test is suitable for  
32 detecting non-tolerable statistical defects of the statistical properties of the  
33 raw random numbers within an acceptable period of time.<sup>2</sup>

34  
35 FCS\_RNG.1.2 The TSF shall provide numbers in the format 8- or 16-bit<sup>3</sup> that meet

36  
37 PTG.2.6: Test procedure A, as defined in [RNG] does not distinguish the  
internal random numbers from output sequences of an ideal RNG.

<sup>1</sup> [selection: physical, non-physical true, deterministic, hybrid physical, hybrid deterministic]

<sup>2</sup> [assignment: list of security capabilities]

<sup>3</sup> [selection: bits, octets of bits, numbers [assignment: format of the numbers]]

PTG.2.7: The average Shannon entropy per internal random bit exceeds 0.997.<sup>1</sup>

## 3 7.4 Limited Capabilities and Limited Availability

<sup>4</sup> The SFR's FMT\_LIM.1 and FMT\_LIM.2 from [PP] are adapted due to CC:2022.

|                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>FMT_LIM.1</b> | <b>Limited Capabilities</b>                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Hierarchical to: | No other components.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Dependencies:    | FMT_LIM.2: Limited availability                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| FMT_LIM.1.1      | The TSF shall limit its capabilities so that in conjunction with “Limited availability (FMT_LIM.2)” the following policy is enforced: <u>Deploying Test Features after TOE Delivery does not allow user data of the Composite TOE to be disclosed or manipulated, TSF data to be disclosed or manipulated, software to be reconstructed and no substantial information about construction of TSF to be gathered which may enable other attacks</u> <sup>2</sup> . |

5

| FMT_LIM.2        | Limited availability                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Hierarchical to: | No other components.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Dependencies:    | FMT_LIM.1 Limited capabilities.                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| FMT_LIM.2.1      | The TSF shall be designed in a manner that limits its availability so that in conjunction with “Limited capabilities (FMT_LIM.1)” the following policy is enforced: <u>Deploying Test Features after TOE Delivery does not allow user data of the Composite TOE to be disclosed or manipulated, TSF data to be disclosed or manipulated, software to be reconstructed and no substantial information about construction of TSF to be gathered which may enable other attacks<sup>3</sup>.</u> |

6 7.5 Memory access control

7 Usage of multiple applications in one Smartcard often requires code and data separation in order to  
8 prevent that one application can access code and/or data of another application. For this reason the  
9 TOE provides Area based Memory Access Control. The underlying Memory Protection Unit (MPU)  
0 is documented in section 4 of the [HRM].

1 The security service being provided is described in the Security Function Policy (SFP) Memory  
2 Access Control Policy. The security functional requirement “Subset access control (FDP\_ACC.1)”  
3 requires that this policy is in place and defines the scope where it applies. The security functional  
4 requirement “Security attribute based access control (FDP\_ACF.1)” defines security attribute usage  
5 and characteristics of policies. It describes the rules for the function that implements the Security  
6 Function Policy (SFP) as identified in FDP\_ACC.1. The decision whether an access is permitted or  
7 not is taken based upon attributes allocated to the software. The Smartcard Embedded Software  
8 defines the attributes and memory areas. The corresponding permission control information is  
9 evaluated “on-the-fly” by the hardware so that access is granted/effective or denied/inoperable.

---

<sup>1</sup> [assignment: a defined quality metric]

<sup>2</sup> [assignment: Limited capability and availability policy]

<sup>3</sup> [assignment: Limited capability and availability policy]

1 The security functional requirement "Static attribute initialisation (FMT\_MSA.3)" ensures that the  
2 default values of security attributes are appropriately either permissive or restrictive in nature.  
3 Alternative values can be specified by any subject provided that the Memory Access Control Policy  
4 allows that. This is described by the security functional requirement "Management of security  
5 attributes (FMT\_MSA.1)". The attributes are determined during TOE manufacturing (FMT\_MSA.3)  
6 or set at run-time (FMT\_MSA.1).

7 From TOE's point of view the different roles in the Smartcard Embedded Software can be  
8 distinguished according to the memory based access control. However the definition of the roles  
9 belongs to the user software.

10 The following Security Function Policy (SFP) Memory Access Control Policy is defined for the  
11 requirement "Security attribute based access control (FDP\_ACF.1)":

12

### 13 Memory Access Control Policy

14 The TOE shall support the standard ARMv7 Protected Memory System Architecture model.

15 The MPU provides full support for:

- 16 • Protection regions.
- 17 • Overlapping protection regions, with ascending region priority:
  - 18 - Region 7 = highest priority.
  - 19 - Region 0 = lowest priority.
- 20 • Access permissions.
- 21 • MPU mismatches and permission violations invoke the programmable-priority MemManage  
22 fault handler.

23 The MPU can be used to:

- 24 • Enforce privilege rules, preventing user applications from corrupting operating system data.
- 25 • Separate processes, blocking the active task from accessing other tasks' data.
- 26 • Enforce access rules, allowing memory regions to be defined as read-only or detecting  
27 unexpected memory accesses.

### 28 Subjects, Objects and Operations of the policy

- 29 • Subjects: privilege or non-privilege level of the ARM processor
- 30 • Objects: memory/code addresses
- 31 • Operations: Read a/o write a/o execute access

### 33 Attributes of the policy:

- 34 • MPU enable/disable bit.
- 35 • 8 regions with the following attributes
  - 36 - A unique priority
  - 37 - The enable bit
  - 38 - the start address and size
  - 39 - an access matrix which defines if an Operation of a Subject to an Object lying in the region is  
40 allowed or denied
- 41 • The default region with the following security attribute:
  - 42 - A bit which defines if an Operation for the Subject (privilege level) is allowed or if no  
43 Operation is allowed for any Subject.

### 45 Roles of the policy:

**1** The roles correspond 1-1 to the subjects.

### 3 Properties of the policy:

- If an address is contained in multiple enabled regions, then the region with the highest priority defines the access rights.
- If an address is contained in no region then the default region defines the access rights.
- The region defining the access rights checks in the access matrix if the Subject has access to the Object with respect to the desired Operation. In case the access is denied the MPU throws an access violation exception.

The TOE shall meet the requirement "Subset access control (FDP\_ACC.1)" as specified below.

## FDP\_ACC.1 Subset access control

Hierarchical to: No other components.

Dependencies: FDP\_ACF.1 Security attribute based access control

FDP\_ACC.1.1 The TSF shall enforce the Memory Access Control Policy on all Subjects, all Objects and all Operations.

The TOE shall meet the requirement "Security attribute based access control (FDP\_ACF.1)" as specified below.

FDP\_ACF.1 Security attribute based access control

Hierarchical to: No other components.

Dependencies: FDP\_ACC.1 Subset access control

FMT\_MSA.3 Static attribute

FDP\_ACF.1.1 The TSF shall enforce the Memory Access Control Policy to objects based on the following: As specified in the definition of the memory access control policy.

FDP\_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:  
As specified in the definition of the memory access control policy.

FDP\_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: none

FDP\_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: none

The TOE shall meet the requirement “Static attribute initialisation (FMT\_MSA.3)” as specified below.

FMT MSA.3 Static attribute initialization

Winnipeg skyline from North - 1960s

Dependencies: FMT\_MSA.1 Management of security attributes  
FMT\_SMP.1 security roles

1 FMT\_MSA.3.1 The TSF shall enforce the Memory Access Control Policy to provide  
2 restrictive<sup>1</sup> default values for security attributes that are used to enforce the  
3 SFP.  
4  
5 FMT\_MSA.3.2 The TSF shall allow the privilege level to specify alternative initial values to  
6 override the default values when an object or information is created.  
7  
8  
9  
10 The TOE shall meet the requirement “Management of security attributes (FMT\_MSA.1)” as specified  
11 below:  
12  
13 **FMT\_MSA.1** Management of security attributes  
14  
15 Hierarchical to: No other components.  
16  
17 Dependencies: [FDP\_ACC.1 Subset access control or FDP\_IFC.1 Subset information flow  
18 control]  
19 FMT\_SMF.1 Specification of management functions  
20 FMT\_SMR.1 Security roles  
21  
22 FMT\_MSA.1.1 The TSF shall enforce the Memory Access Control Policy to restrict the ability  
23 to modify<sup>2</sup> the security attributes which are defined in the Memory Access  
24 Control Policy<sup>3</sup> to the privilege level<sup>4</sup>.  
25 The TOE shall meet the requirement “Specification of management functions (FMT\_SMF.1)” as  
26 specified below:  
27  
28 **FMT\_SMF.1** Specification of management functions  
29  
30 Hierarchical to: No other components  
31  
32 Dependencies: No dependencies  
33  
34 FMT\_SMF.1.1 The TSF shall be capable of performing the following security management  
35 functions: The privilege level shall be able to access the configuration  
36 registers of the MPU.  
37

<sup>1</sup> The static definition of the access rules is documented in [HRM]

<sup>2</sup> [selection: change\_default, query, modify, delete, [assignment: other operations]]

<sup>3</sup> [assignment: list of security attributes]

<sup>4</sup> [assignment: list of security attributes]

## 1 7.6 Support of Cipher Schemes

2 The following additional specific security functionality is implemented in the TOE:

3 FCS\_COP.1 Cryptographic operation requires a cryptographic operation to be performed in  
4 accordance with a specified algorithm and with a cryptographic key of specified sizes. The specified  
5 algorithm and cryptographic key sizes can be based on an assigned standard; dependencies are  
6 discussed in Section 7.9.1.1.

7 The following additional specific security functionality is implemented in the TOE:

8

- Advanced Encryption Standard (AES)
- Triple Data Encryption Standard (3DES)
- Elliptic Curve Cryptography (EC)<sup>1</sup>

### 12 General statements with regard to Elliptic Curves:

13 The EC library is delivered as object code and in this way integrated in the user software. The  
14 certification covers the standard NIST [DSS] and Brainpool [ECC] Elliptic Curves with key lengths of  
15 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits. Note that there are numerous  
16 other curve types, being also secure in terms of side channel attacks on this TOE, which the user can  
17 optionally add in the composition certification process.

18

### 19 7.6.1 Triple-DES Operation

20 The DES Operation of the TOE shall meet the requirement “Cryptographic operation (FCS\_COP.1)”  
21 as specified below.

22 FCS\_COP.1/DES      Cryptographic operation

23 Hierarchical to:      No other components.

24 Dependencies:      [FDP\_ITC.1 Import of user data without security attributes, or  
25 FDP\_ITC.2 Import of user data with security attributes, or  
26 FCS\_CKM.1 Cryptographic key generation, or  
27 FCS\_CKM.5 Cryptographic key derivation]  
28 FCS\_CKM.6 Timing and event of cryptographic key destruction

29

30 FCS\_COP.1.1/DES      The TSF shall perform encryption and decryption in accordance with a  
31 specified cryptographic algorithm Triple Data Encryption Standard (3DES)  
32 in Electronic Codebook Mode (ECB) and in the Cipher Block Chaining Mode  
33 (CBC) and cryptographic key sizes of 2 x 56 or 3 x 56 bit that meet the  
34 following: [N38A], [N867]

### 37 7.6.2 AES Operation

38 The AES Operation of the TOE shall meet the requirement “Cryptographic operation (FCS\_COP.1)”  
39 as specified below.

---

<sup>1</sup> In case a user deselects the EC library, the TOE provides basic HW-related routines for EC calculations.  
For a secure library implementation the user has to implement additional countermeasures.

|    |                        |                                                                                                                                                                                                                                                                                                                                                          |
|----|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1  |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 2  | <b>FCS_COP.1/AES</b>   | Cryptographic operation                                                                                                                                                                                                                                                                                                                                  |
| 3  | Hierarchical to:       | No other components.                                                                                                                                                                                                                                                                                                                                     |
| 4  | Dependencies:          | [FDP_ITC.1 Import of user data without security attributes, or<br>FDP_ITC.2 Import of user data with security attributes, or<br>FCS_CKM.1 Cryptographic key generation or<br>FCS_CKM.5 Cryptographic key derivation]<br>FCS_CKM.6 Timing and event of cryptographic key destruction                                                                      |
| 5  |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 6  |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 7  |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 8  |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 9  | <b>FCS_COP.1.1/AES</b> | The TSF shall perform <u>encryption</u> and <u>decryption</u> in accordance with a specified cryptographic algorithm: <u>Advanced Encryption Standard (AES)</u> in <u>Electronic Codebook Mode (ECB)</u> and in the <u>Cipher Block Chaining</u> and cryptographic key sizes of <u>128 bit or 192 bit or 256 bit</u> that meet following: [N197], [N38A] |
| 10 |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 11 |                        |                                                                                                                                                                                                                                                                                                                                                          |
| 12 | <u>Mode (CBC)</u>      |                                                                                                                                                                                                                                                                                                                                                          |
| 13 | the                    |                                                                                                                                                                                                                                                                                                                                                          |

### 15 7.6.3 Elliptic Curve DSA (ECDSA) operation

**16** The Modular Arithmetic Operation of the TOE shall meet the requirement “Cryptographic operation (FCS\_COP.1)” as specified below.  
**17**

|    |                          |                                                                                         |
|----|--------------------------|-----------------------------------------------------------------------------------------|
| 19 | <b>FCS_COP.1/ECDSA</b>   | Cryptographic operation                                                                 |
| 20 | Hierarchical to:         | No other components.                                                                    |
| 21 | Dependencies:            | [FDP_ITC.1 Import of user data without security attributes, or                          |
| 22 |                          | FDP_ITC.2 Import of user data with security attributes, or                              |
| 23 |                          | FCS_CKM.1 Cryptographic key generation or                                               |
| 24 |                          | FCS_CKM.5 Cryptographic key derivation]                                                 |
| 25 |                          | FCS_CKM.6 Timing and event of cryptographic key destruction                             |
| 26 | <b>FCS_COP.1.1/ECDSA</b> | The TSF shall perform <u>signature generation</u> in                                    |
| 27 |                          | accordance with a specified cryptographic algorithm <u>ECDSA</u> and cryptographic      |
| 28 |                          | key sizes <u>160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521</u> bits that |
| 29 |                          | meet the following standard:                                                            |

30  
31 Signature Generation:  
32 According to section 7.3 in ANSI X9.62 – 2005  
33 Not implemented is step d) and e) thereof.  
34 The output of step e) has to be provided as input to our function by  
35 the caller.  
36 Deviation of step c) and f):  
37 The jumps to step a) were substituted by a return of  
38 the function with an error code, the jumps are emulated by another  
39 call to our function.

42 Note: This TOE can be delivered with the Crypto2304T coprocessor accessible or blocked. In case  
43 the Crypto2304T is blocked, no ECC computation supported by hardware is possible and this  
44 SFR is not applicable.

1 Note: The TOE can be delivered with an optional ECC library. Any optional ECC library contains the  
2 ECC algorithms stated above. If no optional ECC library is available then this SFR is not  
3 applicable.

4

#### 5 7.6.4 Elliptic Curve (EC) key generation

6 The key generation for the EC shall meet the requirement "Cryptographic key generation  
7 (FCS\_CKM.1)"

8 FCS\_CKM.1/EC      Cryptographic key generation

9

10 Hierarchical to:      No other components.

11 Dependencies:      [FCS\_CKM.2 Cryptographic key distribution, or

12 FCS\_CKM.5 Cryptographic key derivation, or

13 FCS\_COP.1 Cryptographic operation]

14 [FCS\_RBG.1 Random bit generation, or

15 FCS\_RNG.1 Generation of random numbers]

16 FCS\_CKM.6 Timing and event of cryptographic key destruction

17 FCS\_CKM.1.1/EC      The TSF shall generate cryptographic keys in accordance with a specified  
18 cryptographic key generation algorithm Elliptic Curve EC specified in ANSI  
19 X9.62-2005 and specified cryptographic key sizes 160, 163, 192, 224, 233,  
20 256, 283, 320, 384, 409, 512 or 521 bits that meet the following:

21      ECDSA Key Generation:

22      According to the appendix A4.3 in ANSI X9.62-2005

23      the cofactor h is not supported.

27 Note: This TOE can be delivered with the Crypto2304T coprocessor accessible or blocked. In case  
28 the Crypto2304T is blocked, no ECC computation supported by hardware is possible and this  
29 SFR is not applicable.

30 Note: The TOE can be delivered with an optional ECC library. Any optional ECC library contains the  
31 ECC algorithms stated above. If no optional ECC library is available then this SFR is not  
32 applicable.

33

#### 34 7.6.5 Elliptic Curve Diffie-Hellman (ECDH) key agreement

35 The Modular Arithmetic Operation of the TOE shall meet the requirement "Cryptographic  
36 operation(FCS\_COP.1)" as specified below.

37 FCS\_COP.1/ECDH      Cryptographic operation

38 Hierarchical to:      No other components.

39

40

41

|    |                  |                                                                                     |
|----|------------------|-------------------------------------------------------------------------------------|
| 1  | Dependencies:    | [FDP_ITC.1 Import of user data without security attributes, or                      |
| 2  |                  | FDP_ITC.2 Import of user data with security attributes, or                          |
| 3  |                  | FCS_CKM.1 Cryptographic key generation, or                                          |
| 4  |                  | FCS_CKM.5 Cryptographic key derivation]                                             |
| 5  |                  | FCS_CKM.6 Timing and event of cryptographic key destruction                         |
| 6  |                  |                                                                                     |
| 7  | FCS_COP.1.1/ECDH | The TSF shall perform <u>elliptic curve Diffie-Hellman key agreement</u> in         |
| 8  |                  | accordance with a specified cryptographic algorithm <u>ECDH</u> and                 |
| 9  |                  | cryptographic key sizes of <u>160, 163, 192, 224, 233, 256, 283, 320, 384, 409,</u> |
| 10 |                  | <u>512 or 521 bits</u> that meet the following:                                     |
| 11 |                  | <u>According to section 5.4.1 in ANSI X9.63 – 2001: Unlike section 5.4.1.3 our,</u> |
| 12 |                  | <u>implementation not only returns the x-coordinate of the shared secret, but</u>   |
| 13 |                  | <u>rather the x-coordinate and y-coordinate.</u>                                    |
| 14 |                  |                                                                                     |

*Note: The certification covers the standard NIST [DSS] and Brainpool [ECC] Elliptic Curves with key lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits. Other types of elliptic curves can be added by the user during a composite certification process.*

*Note: This TOE can be delivered with the Crypto2304T coprocessor accessible or blocked. In case the Crypto2304T is blocked, no ECC computation supported by hardware is possible and this SFR is not applicable.*

*Note: The TOE can be delivered with an optional ECC library. Any optional ECC library contains the ECC algorithms stated above. If no optional ECC library is available then this SFR is not applicable.*

## Data Integrity

The TOE shall meet the requirement "Stored data integrity monitoring (FDP\_SDI.1)" as specified below:

## **FDP\_SDI.1** Stored data integrity monitoring

Hierarchical to: No other components

Dependencies: No dependencies

FDP\_SDI.1.1 The TSF shall monitor user data stored in containers controlled by the TSF for inconsistencies between stored data and corresponding EDC on all objects, based on the following attributes: EDC value for RAM and ROM and ECC value for the SOLID FLASH™ NVM and verification of stored data in the SOLID FLASH™ NVM.

The TOE shall meet the requirement "Stored data integrity monitoring and action (FDP\_SDI.2)" as specified below:

**FDP SDI.2** Stored data integrity monitoring and action

Hierarchical to: FDP SDI.1 stored data integrity monitoring

Dependencies: No dependencies

1 FDP\_SDI.2.1 The TSF shall monitor user data stored in containers controlled by the TSF  
 2 for data integrity and one- and/or more-bit-errors on all objects, based on  
 3 the following attributes: corresponding EDC value for RAM and ROM and  
 4 error correction ECC for the SOLID FLASH™ NVM.  
 5

6 FDP\_SDI.2.2 Upon detection of a data integrity error, the TSF shall correct 1 bit errors in  
 7 the SOLID FLASH™ NVM automatically and inform the user about more bit  
 8 errors.  
 9

10

## 7.8 TOE Security Assurance Requirements

12 The evaluation assurance level is EAL5 augmented with ALC\_DVS.2 and AVA\_VAN.5. In the  
 13 following table, the security assurance requirements are given. The augmentation of the  
 14 assurance components compared to the Protection Profile [PP] is expressed with bold letters.

15 Table 18 Assurance components

| Aspect                     | Acronym          | Description                                                                           | Refinement |
|----------------------------|------------------|---------------------------------------------------------------------------------------|------------|
| Development                | ADV_ARC.1        | Security Architecture Description                                                     | in PP [PP] |
|                            | <b>ADV_FSP.5</b> | <b>Complete semiformal functional specification with additional error information</b> | in ST      |
|                            | ADV_IMP.1        | Implementation representation of the TSF                                              | in PP [PP] |
|                            | <b>ADV_INT.2</b> | <b>Well-structured internals</b>                                                      | in ST      |
|                            | <b>ADV_TDS.4</b> | <b>Semi-formal modular design</b>                                                     | in ST      |
| Guidance Documents         | AGD_OPE.1        | Operational user guidance                                                             | in PP [PP] |
|                            | AGD_PRE.1        | Preparative procedures                                                                | in PP [PP] |
| Life-Cycle Support         | ALC_CMC.4        | Production support, acceptance procedures and automation                              | in PP [PP] |
|                            | <b>ALC_CMS.5</b> | <b>Development tools CM coverage</b>                                                  | in ST      |
|                            | ALC_DEL.1        | Delivery procedures                                                                   | in PP [PP] |
|                            | ALC_DVS.2        | Sufficiency of security controls                                                      | in PP [PP] |
|                            | ALC_LCD.1        | Developer defined life-cycle process                                                  | in PP [PP] |
|                            | <b>ALC_TAT.2</b> | <b>Compliance with implementation standards</b>                                       | in ST      |
| Security Target Evaluation | ASE_CCL.1        | Conformance claims                                                                    | in PP [PP] |
|                            | ASE_ECD.1        | Extended components definition                                                        | in PP [PP] |
|                            | ASE_INT.1        | ST introduction                                                                       | in PP [PP] |
|                            | ASE_OBJ.2        | Security objectives                                                                   | in PP [PP] |
|                            | ASE_REQ.2        | Derived security requirements                                                         | in PP [PP] |

|                          |           |                                            |            |
|--------------------------|-----------|--------------------------------------------|------------|
|                          | ASE_SPD.1 | Security problem definition                | in PP [PP] |
|                          | ASE_TSS.1 | TOE summary specification                  | in PP [PP] |
| Tests                    | ATE_COV.2 | Analysis of coverage                       | in PP [PP] |
|                          | ATE_DPT.3 | <b>Testing: modular design</b>             | in ST      |
|                          | ATE_FUN.1 | Functional testing                         | in PP [PP] |
|                          | ATE_IND.2 | Independent testing - sample               | in PP [PP] |
| Vulnerability Assessment | AVA_VAN.5 | Advanced methodical vulnerability analysis | in PP [PP] |

## 1 7.8.1 Refinements

2 Some refinements are taken unchanged from the PP [PP]. In some cases a clarification is necessary.  
 3 In Table 18 an overview is given where the refinement is done.

4 Refinements from the PP [PP] have to be discussed here in the Security Target, as the assurance  
 5 level is increased.

6 Life cycle support (ALC\_CMS, ALC\_TAT)

7 The refinement from the PP [PP] can be applied even at the chosen assurance level EAL 5  
 8 augmented with ALC\_CMS.5 and ALC\_TAT.2. The assurance package ALC\_CMS.4 is extended to  
 9 ALC\_CMS.5 with aspects regarding the configuration control system for the TOE. The assurance  
 10 package ALC\_TAT.1 is extended to ALC\_TAT.2 with aspects regarding the implementation standards  
 11 for the TOE.

12 Development (ADV\_FSP)

13 The refinement from the PP [PP] can be applied even at the chosen assurance level EAL 5  
 14 augmented with ADV\_FSP.5, ADV\_TDS.4 and ADV\_INT.2.

15 For details of the refinement see PP [PP].

16 Tests (ATE\_DPT.3)

17 The refinement from the PP [PP] can be applied even at the chosen assurance level EAL 5  
 18 augmented with ATE\_DPT.3. The assurance package ATE\_DPT.2 is augmented to ATE\_DPT.3  
 19 relating to the requirements of the assurance level EAL 5. The refinement is not touched.

20

## 21 7.9 Security Requirements Rationale

### 22 7.9.1 Rationale for the Security Functional Requirements

23 The security functional requirements rationale of the TOE are defined and described in PP [PP]  
 24 section 6.3 for the following security functional requirements: FDP\_ITT.1, FDP\_IFC.1, FPT\_ITT.1,  
 25 FPT\_PHP.3, FPT\_FLS.1, FRU\_FLT.2, FMT\_LIM.1, FMT\_LIM.2, FCS\_RNG.1 and FAU\_SAS.1.

26 The security functional requirements FPT\_TST.2, FDP\_ACC.1, FDP\_ACF.1, FMT\_MSA.1, FMT\_MSA.3,  
 27 FMT\_SMF.1, FCS\_COP.1, FCS\_CKM.1, FDP\_SDI.1 and FDP\_SDI.2 are defined in the following  
 28 description:

29

1 **Table 19 Rational for additional SFR in the ST**

| Objective           | TOE Security Functional Requirements                                                                                 |
|---------------------|----------------------------------------------------------------------------------------------------------------------|
| O.Add-Functions     | FCS_COP.1/DES<br>FCS_COP.1/AES<br>FCS_COP.1/ECDSA (optional)<br>FCS_COP.1/ECDH (optional)<br>FCS_CKM.1/EC (optional) |
| O.Phys-Manipulation | FPT_TST.2                                                                                                            |
| O.Mem-Access        | FDP_ACC.1<br>FDP_ACF.1<br>FMT_MSA.3<br>FMT_MSA.1<br>FMT_SMF.1                                                        |
| O.Malfunction       | FDP_SDI.1<br>FDP_SDI.2                                                                                               |

2

3 The table above gives an overview, how the security functional requirements are combined to meet  
4 the security objectives. The detailed justification is given in the following:

5 The justification related to the security objective “Additional Specific Security Functionality  
6 (O.Add-Functions)” is as follows:

7 The security functional requirement(s) “Cryptographic operation (FCS\_COP.1)” exactly requires  
8 those functions to be implemented which are demanded by O.Add-Functions. FCS\_CKM.1/EC  
9 supports the generation of EC keys needed for these cryptographic operations. Therefore,  
10 FCS\_COP.1/ECDSA, FCS\_COP.1/ECDH and FCS\_CKM/EC are suitable to meet the security objective.  
11 The use of the supporting Base library has no impact on any security functional requirement nor  
12 does its use generate additional requirements.

13 The security functional requirements required to meet the security objectives O.Leak-Inherent,  
14 O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-Forced define how to implement  
15 the specific security functionality. However, key-dependent functions could be implemented in the  
16 Smartcard Embedded Software.

17 The usage of cryptographic algorithms requires the use of appropriate keys. Otherwise, these  
18 cryptographic functions do not provide security. The keys have to be unique with a very high  
19 probability, and must have a certain cryptographic strength etc. In case of a key import into the TOE  
20 (which is usually after TOE delivery) it has to be ensured that quality and confidentiality are  
21 maintained. Keys for 3DES and AES are provided by the environment, the keys for EC algorithms  
22 can be provided either by the TOE or the environment.

23 In this ST the objectives for the environment OE.Plat-Appl and OE.Resp-Appl have been clarified.  
24 The Smartcard Embedded Software defines the use of the cryptographic functions FCS\_COP.1  
25 provided by the TOE. The requirements for the environment FDP\_ITC.1, FDP\_ITC.2, FCS\_CKM.1 and  
26 FCS\_CKM.6 support an appropriate key management. These security requirements are suitable to  
27 meet OE.Resp-Appl.

28 The justification of the security objective and the additional requirements (both for the TOE and its  
29 environment) show that they do not contradict the rationale already given in the Protection Profile  
30 for the assumptions, policy and threats defined there.

1 The security functional component Subset TOE security testing (FPT\_TST.2) has been newly  
 2 created (Common Criteria Part 2 extended). This component allows that particular parts of the  
 3 security mechanisms and functions provided by the TOE can be tested after TOE Delivery. This  
 4 security functional component is used instead of the functional component FPT\_TST.1 from  
 5 Common Criteria Part 2. For the user it is important to know which security functions or  
 6 mechanisms can be tested. The functional component FPT\_TST.1 does not mandate to explicitly  
 7 specify the security functions being tested. In addition, FPT\_TST.1 requires verification of the  
 8 integrity of TSF data and stored TSF executable code which might violate the security policy.

9 The tested security enforcing functions are SF\_DPM Device Phase Management and SF\_PMA  
 10 Protection against modifying attacks.

11 The security functional requirement FPT\_TST.2 will detect attempts to conduct a physical  
 12 manipulation on the monitoring functions of the TOE. The objective of FPT\_TST.2 is O.Phys-  
 13 Manipulation. The physical manipulation will be tried to overcome security enforcing functions.

14 The security functional requirement "Subset access control (FDP\_ACC.1)" with the related Security  
 15 Function Policy (SFP) "Memory Access Control Policy" exactly require the implementation of an  
 16 area based memory access control as required by O.Mem-Access. The related TOE security  
 17 functional requirements FDP\_ACC.1, FDP\_ACF.1, FMT\_MSA.3, FMT\_MSA.1 and FMT\_SMF.1 cover this  
 18 security objective. The implementation of these functional requirements is represented by the  
 19 dedicated privilege level concept.

20 The justification of the security objective and the additional requirements show that they do not  
 21 contradict to the rationale already given in the Protection Profile for the assumptions, policy and  
 22 threats defined there. Moreover, these additional security functional requirements cover the  
 23 requirements by [CC-2] user data protection of chapter 11 which are not refined by the PP [PP].

24 Nevertheless, the developer of the Smartcard Embedded Software must ensure that the additional  
 25 functions are used as specified and that the User Data processed by these functions are protected as  
 26 defined for the application context. The TOE only provides the tool to implement the policy defined  
 27 in the context of the application.

28 The justification related to the security objective "Protection against Malfunction due to  
 29 Environmental Stress (O.Malfunction)" is as follows:

30 The security functional requirement "Stored data integrity monitoring (FDP\_SDI.1)" requires the  
 31 implementation of an Error Detection (EDC) algorithm which detects integrity errors of the data  
 32 stored in RAM, ROM and SOLID FLASH™ NVM (in the SOLID FLASH™ NVM more bit errors are  
 33 detected). By this the malfunction of the TOE using corrupt data is prevented. Therefore FDP\_SDI.1  
 34 is suitable to meet the security objective.

35 The security functional requirement "Stored data integrity monitoring and action (FDP\_SDI.2)"  
 36 requires the implementation of an integrity observation and correction which is implemented by  
 37 the Error Detection (EDC) and Error Correction (ECC) measures. The EDC is present in RAM and  
 38 ROM of the TOE while the ECC is realized in the SOLID FLASH™ NVM. These measures detect and  
 39 inform about one and more bit errors. In case of the SOLID FLASH™ NVM 1-bit errors of the data  
 40 are corrected automatically. By the ECC mechanisms it is prevented that the TOE uses corrupt data.  
 41 Therefore FDP\_SDI.2 is suitable to meet the security objective.

### 42 43 7.9.1.1 Dependencies of Security Functional Requirements

44 The dependencies of security functional requirements are defined and described in PP [PP] section  
 45 6.3.2 for the following security functional requirements: FDP\_ITT.1, FDP\_IFC.1, FPT\_ITT.1,  
 46 FPT\_PHP.3, FPT\_FLS.1, FRU\_FLT.2, FMT\_LIM.1, FMT\_LIM.2, FCS\_RNG.1 and FAU\_SAS.1.

1 The dependence of security functional requirements for the security functional requirements  
 2 FPT\_TST.2, FDP\_ACC.1, FDP\_ACF.1, FMT\_MSA.1, FMT\_MSA.3, FMT\_SMF.1, FCS\_COP.1, FCS\_CKM.1,  
 3 FDP\_SDI.1 and FDP\_SDI.2 are defined in the following description.

4

5 Table 20 Dependency for cryptographic operation requirement

| Security Functional Requirement | Dependencies                                     | Fulfilled by security requirements  |
|---------------------------------|--------------------------------------------------|-------------------------------------|
| FCS_COP.1/DES                   | FCS_CKM.1 or FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.5 | See comment                         |
|                                 | FCS_CKM.6                                        | See comment                         |
| FCS_COP.1/AES                   | FCS_CKM.1 or FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.5 | See comment                         |
|                                 | FCS_CKM.6                                        | See comment                         |
| FCS_COP.1/ECDSA                 | FCS_CKM.1 or FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.5 | FCS_CKM.1/EC                        |
|                                 | FCS_CKM.6                                        | See comment                         |
| FCS_CKM.1/EC                    | FCS_CKM.2 or FCS_CKM.5 or FCS_COP.1              | FCS_COP.1/ECDH<br>FCS_COP.1/ECDSA   |
|                                 | FCS_RBG.1 or FCS_RNG.1                           | FCS_RNG.1                           |
|                                 | FCS_CKM.6                                        | See comment                         |
| FCS_COP.1/ECDH                  | FCS_CKM.1 or FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.5 | FCS_CKM.1/EC                        |
|                                 | FCS_CKM.6                                        | See comment                         |
| FPT_TST.2                       | None                                             | See comment                         |
| FDP_ACC.1                       | FDP_ACF.1                                        | Yes                                 |
| FDP_ACF.1                       | FDP_ACC.1<br>FMT_MSA.3                           | Yes<br>Yes                          |
| FMT_MSA.3                       | FMT_MSA.1<br>FMT_SMR.1                           | Yes<br>Not required,<br>see comment |
| FMT_MSA.1                       | FDP_ACC.1 or FDP_IFC.1<br>FMT_SMR.1<br>FMT_SMF.1 | Yes<br>See comment<br>Yes           |
| FMT_SMF.1                       | None                                             | N/A                                 |
| FDP_SDI.1                       | None                                             | N/A                                 |
| FDP_SDI.2                       | None                                             | N/A                                 |

6

7 Comment:

8 The security functional requirement "Cryptographic operation (FCS\_COP.1)" met by the TOE, has  
 9 the following dependencies:

1    • FCS\_CKM.1 or FDP\_ITC.1 or FDP\_ITC.2 or FCS\_CKM.5  
 2    • FCS\_CKM.6

3    The security functional requirement "Cryptographic key management (FCS\_CKM.1)" met by TOE,  
 4    has the following dependencies:

5    • FCS\_CKM.2 or FCS\_CKM.5 or FCS\_COP.1  
 6    • FCS\_RBG.1 or FCS\_RNG.1  
 7    • FCS\_CKM.6

8    These requirements all address the appropriate management of cryptographic keys used by the  
 9    specified cryptographic function and are not part of the PP [PP]. Most requirements concerning key  
 10   management shall be fulfilled by the environment since the Smartcard Embedded Software is  
 11   designed for a specific application context and uses the cryptographic functions provided by the  
 12   TOE.

13   For the security functional requirement FCS\_COP.1/DES, FCS\_COP.1/AES, the respective  
 14   dependencies FCS\_CKM.6 and FCS\_CKM.1, FCS\_CKM.5 or FDP\_ITC.1 or FDP\_ITC.2 have to be fulfilled  
 15   by the environment.

16   For the security functional requirement FCS\_COP.1/ECDSA, and FCS\_COP.1/ECDH, the respective  
 17   dependency FCS\_CKM.6 has to be fulfilled by the environment.

18   The security functional requirement FCS\_CKM.6 has to be fulfilled by the environment.

19   The dependency FMT\_SMR.1 introduced by the two components FMT\_MSA.1 and FMT\_MSA.3 is  
 20   considered to be satisfied because the access control specified for the intended TOE is not role-  
 21   based but enforced for each subject. Therefore, there is no need to identify roles in form of a  
 22   security functional requirement FMT\_SMR.1.

23   End of comment.

24

## 25    7.9.2    Rationale of the Assurance Requirements

26   The chosen assurance level EAL5 and the augmentation with the requirements ALC\_DVS.2 and  
 27   AVA\_VAN.5 were chosen in order to meet the assurance expectations explained in the following  
 28   paragraphs. In Table 18 the different assurance levels are shown as well as the augmentations. The  
 29   augmentations are in compliance with the Protection Profile.

30   An assurance level EAL5 with the augmentations ALC\_DVS.2 and AVA\_VAN.5 are required for this  
 31   type of TOE since it is intended to defend against **highly sophisticated attacks** without protective  
 32   environment. This evaluation assurance package was selected to permit a developer to gain  
 33   maximum assurance from positive security engineering based on good commercial practices. In  
 34   order to provide a meaningful level of assurance that the TOE provides an adequate level of defence  
 35   against such attacks, the evaluators should have access to all information regarding the TOE  
 36   including the TSF internals, the low level design and source code including the testing of the  
 37   modular design. Additionally the mandatory technical document "Application of Attack Potential to  
 38   Smartcards" [JIL] shall be taken as a basis for the vulnerability analysis of the TOE.

## 39    40    ALC\_DVS.2 Sufficiency of security measures

41   Development security is concerned with physical, procedural, personnel and other technical  
 42   measures that may be used in the development environment to protect the TOE.

1 In the particular case of a Security IC the TOE is developed and produced within a complex and  
2 distributed industrial process which must especially be protected. Details about the  
3 implementation, (e.g. from design, test and development tools as well as Initialization Data) may  
4 make such attacks easier. Therefore, in the case of a Security IC, maintaining the confidentiality of  
5 the design is very important.

6 This assurance component is a higher hierarchical component to EAL5 (which only requires  
7 ALC\_DVS.1). ALC\_DVS.2 has no dependencies.

8

9 AVA\_VAN.5 Advanced methodical vulnerability analysis

10 Due to the intended use of the TOE, it must be shown to be highly resistant to penetration attacks.  
11 This assurance requirement is achieved by the AVA\_VAN.5 component.

12 Independent vulnerability analysis is based on highly detailed technical information. The main  
13 intent of the evaluator analysis is to determine that the TOE is resistant to penetration attacks  
14 performed by an attacker possessing high attack potential.

15 AVA\_VAN.5 has dependencies to ADV\_ARC.1 "Security architecture description", ADV\_FSP.4  
16 "Complete functional specification", ADV\_TDS.3 "Basic modular design", ADV\_IMP.1  
17 "Implementation representation of the TSF", AGD\_OPE.1 "Operational user guidance", and  
18 ATE\_DPT.1 "Testing: basic design.

19 All these dependencies are satisfied by EAL5.

20 It has to be assumed that attackers with high attack potential try to attack Security ICs like smart  
21 cards used for digital signature applications or payment systems. Therefore, specifically AVA\_VAN.5  
22 was chosen in order to assure that even these attackers cannot successfully attack the TOE.

23

## 1 8 TOE Summary Specification (ASE\_TSS)

2 The product overview is given in section 2.1. In the following the Security Features are described  
3 and the relation to the security functional requirements is shown.

4 The TOE is equipped with the following Security Features to meet the security functional  
5 requirements:

- 6 • SF\_DPM Device Phase Management
- 7 • SF\_PS Protection against Snooping
- 8 • SF\_PMA Protection against Modification Attacks
- 9 • SF\_PLA Protection against Logical Attacks
- 10 • SF\_CS Cryptographic Support

11 The following description of the Security Features is a complete representation of the TSF.

### 13 8.1 SF\_DPM: Device Phase Management

14 The life cycle of the TOE is split-up in several phases. Chip development and production (phase 2, 3,  
15 4) and final use (phase 4-7) is a rough split-up from TOE point of view. These phases are  
16 implemented in the TOE as test mode (phase 3) and user mode (phase 4-7).

17 In addition, a chip identification mode exists which is active in all phases. The chip identification  
18 data (0.Identification) is stored in a in the not changeable configuration page area and non-volatile  
19 memory. In the same area further TOE configuration data is stored. In addition, user initialization  
20 data can be stored in the non-volatile memory during the production phase as well. During this first  
21 data programming, the TOE is still in the secure environment and in Test Mode.

22 The covered security functional requirement is FAU\_SAS.1 "Audit storage".

23 During start-up of the TOE the decision for one of the operation modes is taken dependent on phase  
24 identifiers. The decision of accessing a certain mode is defined as phase entry protection. The  
25 phases follow also a defined and protected sequence. The sequence of the phases is protected by  
26 means of authentication.

27 The covered security functional requirements are FMT\_LIM.1 "Limited capabilities" and FMT\_LIM.2  
28 "Limited availability".

29 During the production phase (phase 3 and 4) or after the delivery to the customer (phase 5 or  
30 phase 6), the TOE provides the possibility to download a user specific encryption key and user code  
31 and data into the empty (erased) SOLID FLASH™ NVM memory area as specified by the associated  
32 control information of the Flash Loader software. After finishing the load operation, the Flash  
33 Loader can be permanently deactivated, so that no further load operation with the Flash Loader is  
34 possible. These procedures are defined as phase operation limitation.

35 The covered security functional requirement is FMT\_LIM.2 "Limited availability".

36 During operation within a phase the accesses to memories are granted by the MPU controlled  
37 access rights and related levels.

38 The covered security functional requirements are FDP\_ACC.1 "Subset access control", FDP\_ACF.1  
39 "Security attribute-based access control" and FMT\_MSA.1 "Management of security attributes".

40 In addition, during each start-up of the TOE the address ranges and access rights are initialized by  
41 the Boot Software (BOS) with predefined values.

42 The covered security functional requirement is FMT\_MSA.3 "Static attribute initialisation".

1 The TOE clearly defines access rights and levels in conjunction with the appropriate key  
 2 management in dependency of the firmware or software to be executed.  
 3 The covered security functional requirement is FMT\_SMF.1 "Specification of Management  
 4 functions".  
 5 Each operation phase is protected by means of authentication and encryption.  
 6 The covered security functional requirements are FPT\_ITT.1 "Basic internal TSF data transfer  
 7 protection" and FDP\_IFC.1 "Subset information flow control". If any comparison of the  
 8 authentication code fails a direct security reset is performed. The covered security functional  
 9 requirements is FPT\_FLS.1 ("Failure with preservation of secure state").  
 10 The **SF\_DPM** "Device Phase Management" covers the security functional requirements FPT\_FLS.1,  
 11 FAU\_SAS.1, FMT\_LIM.1, FMT\_LIM.2, FDP\_ACC.1, FDP\_ACF.1, FMT\_MSA.1, FMT\_MSA.3, FMT\_SMF.1,  
 12 FPT\_ITT.1 and FDP\_IFC.1.

13

## 14 8.2 SF\_PS: Protection against Snooping

15 Several mechanisms protect the TOE against snooping the design or the user data during operation  
 16 and even if it is out of operation (power down).

17 The entire design is kept in a non standard way to prevent attacks using standard analysis methods.  
 18 Important parts of the chip are especially designed to counter leakage or side channel attacks like  
 19 DPA/SPA or EMA/DEMA. Therefore, even the physical data gaining is difficult to perform, since  
 20 timing and current consumption is independent of the processed data. In the design a number of  
 21 components are automatically synthesized and mixed up to disguise an attacker and to make an  
 22 analysis more difficult.

23 The covered security functional requirement is FPT\_PHP.3 "Resistance to physical attack".

24 A further protective design method used is secure wiring. All security critical wires have been  
 25 identified and protected by special routing measures against probing. Additionally the wires are  
 26 embedded into shield lines and used as normal signal lines for operation of the chip to prevent  
 27 successful probing. This measurement is called "security optimized wiring".

28 The covered security functional requirements are FPT\_PHP.3 "Resistance to physical attack",  
 29 FPT\_ITT.1 "Basic internal TSF data transfer protection", FPT\_FLS.1 "Failure with preservation of  
 30 secure state" and FDP\_ITT.1 "Basic internal transfer protection".

31 All contents of the memories RAM, ROM and SOLID FLASH™ NVM of the TOE are encrypted on chip  
 32 to protect them against data analysis. In addition the data transferred over the memory bus to and  
 33 from (bi-directional encryption) the CPU, Co-processor (Crypto2304T and SCP), the special SFRs  
 34 and the peripheral devices (RNG and Timer) are transported encrypted with an automatically  
 35 dynamic key change.

36 The encryption of the memory content is done by the MED using a proprietary cryptographic  
 37 algorithm and a complex key management providing protection against cryptographic analysis  
 38 attacks. This means that the SOLID FLASH™ NVM, RAM, ROM and the bus are encrypted with  
 39 module dedicated and dynamic keys. The only key remaining static over the product life cycle is the  
 40 specific ROM key changing from mask to mask.

41 All security relevant transfer of addresses or data via the peripheral bus is dynamically masked and  
 42 thus protected against readout and analysis.

43 The function Trash Register Writes can be activated by the user to hide the fact if a register has  
 44 been written.

45 The covered security functional requirements are FDP\_IFC.1 "Subset information flow control",  
 46 FPT\_PHP.3 "Resistance to physical attack", FPT\_ITT.1 "Basic internal TSF data transfer protection",  
 47 FPT\_FLS.1 "Failure with preservation of secure state" and FDP\_ITT.1 "Basic internal transfer  
 48 protection".

1

2 The **SF\_PS** "Protection against Snooping" covers the security functional requirements FPT\_PHP.3,  
3 FDP\_IFC.1, FPT\_ITT.1, FPT\_FLS.1 and FDP\_ITT.1.

#### 4 **8.3 SF\_PMA: Protection against Modifying Attacks**

5 The TOE is equipped with an error detection code (EDC) for protecting RAM and ROM and an ECC,  
6 which is realized in the SOLID FLASH™ NVM. Thus introduced failures are securely detected and, in  
7 terms of single bit errors in the SOLID FLASH™ NVM also automatically corrected (FDP\_SDI.2). For  
8 SOLID FLASH™ NVM in case of more than one bit errors and for RAM in case of any bit errors  
9 detected, a security alarm is triggered.

10 In order to prevent accidental bit faults during production in the ROM, over the data stored in ROM  
11 an EDC value is calculated (FDP\_SDI.1).

12 The covered security functional requirements are FRU\_FLT.2 "Limited fault tolerance", FDP\_PHP.3  
13 "Resistance to physical attack", FDP\_SDI.1 "Stored data integrity monitoring" and FDP\_SDI.2 "Stored  
14 data integrity monitoring and action".

15 If a user tears the card resulting in a power off situation during an SOLID FLASH™ NVM  
16 programming operation or if other perturbation is applied, no data or content loss occurs and the  
17 TOE restarts power on. The NVM tearing save write functionality covers FDP\_SDI.1 "Stored data  
18 integrity monitoring" as the new data to be programmed are checked for integrity and correct  
19 programming before the page with the old data becomes valid.

20  
21 The covered security functional requirement are FPT\_PHP.3 "Resistance to physical attack", since  
22 these measures make it difficult to manipulate the write process of the NVM, FPT\_FLS.1 "Failure  
23 with preservation of secure state" and FDP\_SDI.1 "Stored data integrity monitoring".

24 In the case that a physical manipulation or a physical probing attack is detected, the processing of  
25 the TOE is immediately stopped and the TOE enters a secure state called security reset.

26 A shielding algorithm finishes the upper layers above security critical signals and wires, finally  
27 providing the so called "security optimized wiring".

28  
29 The covered security functional requirements are FPT\_FLS.1 "Failure with preservation of secure  
30 state", FPT\_PHP.3 "Resistance to physical attack" and FPT\_TST.2 "Subset TOE security testing".

31 As physical effects or manipulative attacks may also address the program flow of the user software,  
32 two watchdog timers each with a check point register function are implemented. This feature  
33 allows the user to check the correct processing time and the integrity of the program flow of the  
34 user software.

35 The Instruction Stream Signature Checking (ISS) calculates a hash about all executed instructions  
36 and automatically checks the correctness of this hash value. If the code execution follows an illegal  
37 path an alarm is triggered.

38 Another measure against modifying and perturbation respectively differential fault attacks (DFA) is  
39 the implementation of backward calculation in the SCP. By this induced errors are discovered.

40 The covered security functional requirements are FPT\_FLS.1 "Failure with preservation of secure  
41 state", FDP\_IFC.1 "Subset information flow control", FPT\_ITT.1 "Basic internal transfer protection",  
42 FDP\_ITT.1 "Basic internal transfer protection" and FPT\_PHP.3 "Resistance to physical attack".

1 During start up, the TOE performs various configurations and subsystem tests. After the TOE  
 2 startup has finished, the operating system or application can call the User Mode Security Life  
 3 Control (UMSLC) test provided by the Resource Management System. The UMSLC checks the alarm  
 4 lines and/or the different security functions and sensors for correct operation. The test can be  
 5 triggered by user software during normal operation. As attempts to modify the security features  
 6 will be detected from the test, the covered security functional requirement is FPT\_TST.2 "Subset  
 7 TOE security testing".

8 The correct function of the TOE is only given in the specified range of the environmental operating  
 9 parameters. To prevent an attack exploiting that circumstance the TOE is equipped with a  
 10 temperature sensor, glitch sensor and backside light detection. The TOE falls into the defined  
 11 secure state in case of a specified range violation. The defined secure state causes the chip internal  
 12 reset process. Note that the specified range checking can only work when the TOE is running and  
 13 can not prevent reverse engineering.

14 The covered security functional requirements are FRU\_FLT.2 "Limited fault tolerance" and  
 15 FPT\_FLS.1 "Failure with preservation of secure state".

16 The **SF\_PMA** "Protection against Modifying Attacks" covers the security functional requirements  
 17 FPT\_PHP.3, FDP\_IFC.1, FPT\_ITT.1, FDP\_ITT.1, FPT\_TST.2, FDP\_SDI.1, FDP\_SDI.2, FRU\_FLT.2 and  
 18 FPT\_FLS.1.

19

## 20 8.4 SF\_PLA: Protection against Logical Attacks

21 The memory model of the TOE provides two distinct, independent levels called the privileged and  
 22 non-privilege level and the possibility to define up to eight memory regions with different access  
 23 rights enforced by the Management Protection Unit (MPU). This gives the user software the  
 24 possibility to define different access rights for the regions 0 to 7 for privilege or non-privilege level.  
 25 In the case of an access violation the MPU will trigger a trap. The policy of setting up the MPU and  
 26 specifying the memory ranges for the regions (0 to 7) is defined from the user software.

27 The covered security functional requirements are FDP\_ACC.1 "Subset access control", FDP\_ACF.1  
 28 "Security attribute based access control", FMT\_MSA.1 "Management of security attributes",  
 29 FMT\_MSA.3 "Static attribute initialisation" and FMT\_SMF.1 "Specification of Management  
 30 functions".

31 All memories present on the TOE (NVM, ROM, RAM) are encrypted using individual keys assigned  
 32 by complex key management. In case of security critical error a security alarm is generated and the  
 33 TOE ends up in a secure state.

34 The covered security functional requirements are FDP\_ACF.1 "Security attribute based access  
 35 control" and FPT\_FLS.1 "Failure with preservation of secure state".

36 The **SF\_PLA** "Protection against Logical Attacks" covers the security functional requirements  
 37 FDP\_ACC.1, FDP\_ACF.1, FMT\_MSA.1, FMT\_MSA.3, FPT\_FLS.1 and FMT\_SMF.1.

38

## 39 8.5 SF\_CS: Cryptographic Support

40 The TOE is equipped an asymmetric and a symmetric hardware accelerators to support the  
 41 standard symmetric and asymmetric cryptographic operations. This security function is introduced  
 42 to include the cryptographic operation in the scope of the evaluation as the cryptographic function  
 43 respectively mathematic algorithm itself is not used from the TOE security policy. The components  
 44 are a co-processor supporting the DES and AES algorithms and a co-processor and software  
 45 modules to support EC signature generation, ECDH key agreement and EC public key calculation  
 46 and testing. Additionally the TOE is equipped with a True Random Number Generator for the  
 47 generation of random numbers.

### 1 8.5.1 3DES encryption

2 The TOE supports the encryption and decryption in accordance with the specified cryptographic  
3 algorithm Triple Data Encryption Standard (3DES) in the Electronic Codebook Mode (ECB), Cipher  
4 Block Chaining Mode (CBC) and with cryptographic key sizes of 112 and 168 bit meeting the  
5 standard: [N867], [N38A], [N38B].

6 The covered security functional requirements are FCS\_COP.1/DES.  
7

### 8 8.5.2 AES encryption

9 The TSF supports the encryption and decryption in accordance with the specified cryptographic  
10 algorithm Advanced Encryption Standard (AES) ) in the Electronic Codebook Mode (ECB), Cipher  
11 Block Chaining Mode (CBC) and cryptographic key sizes of 128 bit or 192 bit or 256 bit according  
12 to the standard: [N197], [N38A], [N38B].

13 The covered security functional requirement is FCS\_COP.1/AES.

### 14 8.5.1 Elliptic Curves

15 The certification covers the standard NIST [DSS] and Brainpool [ECC] Elliptic Curves with key  
16 lengths of 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 Bits. Note that there exist  
17 numerous other curve types, being also secure in terms of side channel attacks on this TOE,  
18 which can the user optionally add in the composition certification process.  
19

#### 20 8.5.1.1 Signature Generation

21 The TSF shall perform signature generation in accordance with a specified cryptographic algorithm  
22 ECDSA and cryptographic key sizes 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521  
23 bits that meet the following standard:  
24

- 25 • According to section 7.3 in ANSI X9.62 – 2005:
- 26 • Not implemented is step d) and e) thereof.
- 27 • The output of step e) has to be provided as input to our function by the caller.
- 28 • Deviation of step c) and f):  
29 The jumps to step a) were substituted by a return of the function with an error code, the  
30 jumps are emulated by another call to our function.  
31

32 The covered security functional requirement is FCS\_COP.1/ECDSA.

#### 33 8.5.1.2 Asymmetric Key Generation

34 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key  
35 generation algorithm Elliptic Curve EC specified in ANSI X9.62-1998 and specified cryptographic  
36 key sizes 160, 163, 192, 224, 233, 256, 283, 320, 384, 409, 512 or 521 bits that meet the following  
37 standard:  
38

39 ECDSA Key Generation:

- 40 • According to the appendix A4.3 in ANSI X9.62-2005 the cofactor h is not supported.  
41

1 The covered security functional requirement is FCS\_CKM.1/EC.

### 2 8.5.1.3 Asymmetric Key Agreement

3 The TSF shall perform elliptic curve Diffie-Hellman key agreement in accordance with a specified  
4 cryptographic algorithm ECDH and cryptographic key sizes 160, 163, 192, 224, 233, 256, 283, 320,  
5 384, 409, 512 or 521 bits that meet the following standard:

6 • According to section 5.4.1 in ANSI X9.63 -2001 Unlike section 5.4.1.3 our implementation not  
7 only returns the x-coordinate of the shared secret, but rather the x-coordinate and y-  
8 coordinate.

9 3.

10 The covered security functional requirement is FCS\_COP.1/ECDH.

### 11 8.5.2 Asymmetric Base Library

12 The asymmetric Base library provides the low level interface to the asymmetric cryptographic  
13 coprocessor and has no user available interface. The asymmetric Base library does not provide  
14 any security functionality, implements no security mechanism, and does not provide additional  
15 specific security functionality. The asymmetric Base library does not cover security functional  
16 requirements.

17

### 18 8.5.3 TRNG

19 Random data is essential for cryptography as well as for security mechanisms. The TOE is equipped  
20 with a physical True Random Number Generator (TRNG, FCS\_RNG.1). The random data can be used  
21 from the Smartcard Embedded Software and is also used from the security features of the TOE, like  
22 masking. The TRNG implements also self testing features. The TRNG fulfills the requirements from  
23 the functionality class PTG.2 of [6].

24 The covered security functional requirement is FCS\_RNG.1 "Quality metric for random numbers",  
25 FPT\_PHP.3 "Resistance to physical attack", FDP\_ITT.1 "Basic internal transfer protection",  
26 FPT\_ITT.1 "Basic internal TSF data transfer protection, FDP\_IFC.1 "Subset information flow  
27 control", FPT\_TST.2 "Subset TOE security testing" and FPT\_FLS.1 "Failure with preservation of  
28 secure state".

29  
30 The SF\_CS "Cryptographic Support" covers the security functional requirements FCS\_COP.1/DES,  
31 FCS\_COP.1/AES, FCS\_COP.1/ECDSA, FCS\_COP.1/ECDH, FCS\_CKM.1/EC, FPT\_PHP.3, FDP\_ITT.1,  
32 FPT\_ITT.1, FPT\_FLS.1, FCS\_RNG.1 and FDP\_IFC.1.

## 33 8.6 Assignment of Security Functional Requirements to TOE's Security 34 Functionality

35 The justification and overview of the mapping between security functional requirements (SFR) and  
36 the TOE's security functionality (SF) is given in sections the sections above. The results are shown  
37 in Table 21. The security functional requirements are addressed by at least one relating security  
38 feature.

39 The various functional requirements are often covered manifold. As described above the  
40 requirements ensure that the TOE is checked for correct operating conditions and if a not  
41 correctable failure occurs that a stored secure state is achieved, accompanied by data integrity  
42 monitoring and actions to maintain the integrity although failures occurred. An overview is given in  
43 following table:

1

Table 21 Mapping of SFR and SF

| SFR             | SF_DPM | SF_PS | SF_PMA | SF_PLA | SF_CS |
|-----------------|--------|-------|--------|--------|-------|
| FAU_SAS.1       | X      |       |        |        |       |
| FMT_LIM.1       | X      |       |        |        |       |
| FMT_LIM.2       | X      |       |        |        |       |
| FDP_ACC.1       | X      |       |        | X      |       |
| FDP_ACF.1       | X      |       |        | X      |       |
| FPT_PHP.3       |        | X     | X      |        | X     |
| FDP_ITT.1       |        | X     | X      |        | X     |
| FDP_SDI.1       |        |       | X      |        |       |
| FDP_SDI.2       |        |       | X      |        |       |
| FDP_IFC.1       | X      | X     | X      |        | X     |
| FMT_MSA.1       | X      |       |        | X      |       |
| FMT_MSA.3       | X      |       |        | X      |       |
| FMT_SMF.1       | X      |       |        | X      |       |
| FRU_FLT.2       |        |       | X      |        |       |
| FPT_ITT.1       | X      | X     | X      |        | X     |
| FPT_TST.2       |        |       | X      |        |       |
| FPT_FLS.1       | X      | X     | X      | X      | X     |
| FCS_RNG.1       |        |       |        |        | X     |
| FCS_COP.1/DES   |        |       |        |        | X     |
| FCS_COP.1/AES   |        |       |        |        | X     |
| FCS_COP.1/ECDSA |        |       |        |        | X     |
| FCS_COP.1/ECDH  |        |       |        |        | X     |
| FCS_CKM.1/EC    |        |       |        |        | X     |

2

3

## 4 8.7 Security Requirements are internally Consistent

5 For this chapter the PP [PP] section 6.3.4 can be applied completely.

6 In addition to the discussion in section 6.3 of PP [PP] the security functional requirement  
 7 FCS\_COP.1 is introduced. The security functional requirements required to meet the security  
 8 objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-  
 9 Forced also protect the cryptographic algorithms implemented according to the security functional  
 10 requirement FCS\_COP.1. Therefore, these security functional requirements support the secure  
 11 implementation and operation of FCS\_COP.1.

12 As disturbing, manipulating during or forcing the results of the test checking the security functions  
 13 after TOE delivery, this security functional requirement FPT\_TST.2 has to be protected. An attacker  
 14 could aim to switch off or disturb certain sensors or filters and preserve the detection of his  
 15 manipulation by blocking the correct operation of FPT\_TST.2. The security functional requirements  
 16 required to meet the security objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-  
 17 Manipulation and O.Leak-Forced also protect the security functional requirement FPT\_TST.2.  
 18 Therefore, the related security functional requirements support the secure implementation and  
 19 operation of FPT\_TST.2.

1 The requirement FPT\_TST.2 allows testing of some security mechanisms by the Smartcard  
2 Embedded Software after delivery. In addition, the TOE provides an automated continuous user  
3 transparent testing of certain functions.

4 The implemented level concept represents the area based memory access protection enforced by  
5 the MPU. As an attacker could attempt to manipulate the privilege level definition as defined and  
6 present in the TOE, the functional requirement FDP\_ACC.1 and the related other requirements have  
7 to be protected themselves. The security functional requirements required to meet the security  
8 objectives O.Leak-Inherent, O.Phys-Probing, O.Malfunction, O.Phys-Manipulation and O.Leak-  
9 Forced also protect the area based memory access control function implemented according to the  
10 security functional requirement described in the security functional requirement FDP\_ACC.1 with  
11 reference to the Memory Access Control Policy and details given in FDP\_ACF.1. Therefore, those  
12 security functional requirements support the secure implementation and operation of FDP\_ACF.1  
13 with its dependent security functional requirements.

14 The requirement FDP\_SDI.2.1 allows detection of integrity errors of data stored in memory.  
15 FDP\_SDI.2.2 in addition allows correction of one-bit errors or taking further action. Both meet the  
16 security objective O.Malfunction. The requirements FRU\_FLT.2, FPT\_FLS.1, and FDP\_ACC.1 which  
17 also meet this objective are independent from FDP\_SDI.2 since they deal with the observation of the  
18 correct operation of the TOE and not with the memory content directly.

## 9 References

- [PP] Security IC Platform Protection Profile, Version 1.0, 15.06.2007, BSI-PP-0035
- [CC-1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model; CC:2022 Revision 1, November 2022, CCMB-2022-11-001
- [CC-2] Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements; CC:2022 Revision 1, November 2022, CCMB-2022-11-002
- [CC-3] Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements; CC:2022 Revision 1, November 2022, CCMB-2022-11-003
- [CC-4] Common Criteria for Information Technology Security Evaluation Part 4: Framework for the specification of evaluation methods and activities; CC:2022 Revision 1, November 2022, CCMB-2022-11-004
- [CC-5] Common Criteria for Information Technology Security Evaluation Part 5: Pre-defined packages of security requirements; CC:2022 Revision 1, November 2022, CCMB-2022-11-005
- [ARM] ARMv7-M Architecture Reference Manual, ARM DDI ARM DDI 0403E.e N (ID021621), ARM Limited, 2021
- [RNG] A proposal for: Functionality classes for random number generators, Version 2.0, 18. September 2011
- [HRM] SLE97 M9900 Hardware Reference Manual, Revision 3.0, 2019-08-28
- [JIL] Joint Interpretation Library, Application of Attack Potential to Smartcards, Version 3.2.1, February 2024
- [ERR] M9905 M9906 Errata Sheet, Rev.3.1, 2019-06-05
- [AIS31] Anwendungshinweise und Interpretationen zum Schema (AIS), AIS31, Version 3, 2013-05-15, Bundesamt für Sicherheit in der Informationstechnik
- [DSS] NIST: FIPS publication 186-4: Digital Signature Standard (DSS), July 2013
- [ECC] IETF: RFC 5639, Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, March 2010, <http://www.ietf.org/rfc/rfc5639.txt>
- [N867] National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Revised January 2012, Revision 1
- [N197] U.S. Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory (ITL), Advanced Encryption Standard (AES), FIPS PUB 197
- [N38A] National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Data Encryption Standard, NIST Special Publication 800-38A, Edition 2001
- [X962] American National Standard for Financial Services ANS X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), November 16, 2005, American National Standards Institute
- [X963] American National Standard for Financial Services X9.63-2001, Public Key Cryptograph for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, November 20, 2001, American National Standards Institute

## 1 10 Hash values

2 In the following tables, the hash signatures of the respective CL97 Crypto Library files are  
3 documented. For convenience purposes several hash values are referenced.

4  
5

| Library       | Hash                                                                                                                                                                                                                            |
|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ACL v2.07.003 | CI97-LIB-base.lib:<br>SHA256=02009f6c7b84b6e3d148dfa761143052720361c14babccc265aa8ce5a22a947a<br>CI97-LIB-ecc.lib:<br>SHA256=8f72c8ebdad3c99c59e9d115b284e6245122bb9ab38bd93da247c282c152638<br>3                               |
| ACL v2.09.002 | ACL97-Crypto2304T-L90-base.lib:<br>SHA256=1b93e84247402e585683564ba42859e5f386e9fc4758300946797832300f95c<br>d<br>ACL97-Crypto2304T-L90-ecc.lib:<br>SHA256=6354bada8cd0f395bf212bd56ade39675653a8c2d409673d377da5c150abc13<br>4 |
| NRG           | NRGManagement-01.03.0927-M9900.lib<br>SHA256=95f2ed5f6a3001146c9fef36c539ac2844839af0bacb92e44a2da474e6d5aa8e<br>NRGReader-01.02.0800-M9900.lib<br>SHA256=16848631a68b3094e29790ee34bbb95af208a9985c8e111f46849fffc4ef3385      |

6

## 1 11 List of Abbreviations

|    |             |                                                                      |
|----|-------------|----------------------------------------------------------------------|
| 2  | AES         | Advanced Encryption Standard                                         |
| 3  | AIS31       | “Anwendungshinweise und Interpretationen zu ITSEC und CC             |
| 4  |             | Funktionalitätsklassen und Evaluationsmethodologie für physikalische |
| 5  |             | Zufallszahlengeneratoren”                                            |
| 6  |             |                                                                      |
| 7  | API         | Application Programming Interface                                    |
| 8  | BOS         | Boot Software                                                        |
| 9  | CC          | Common Criteria                                                      |
| 10 | CPU         | Central Processing Unit                                              |
| 11 | CRC         | Cyclic Redundancy Check                                              |
| 12 | Crypto2304T | Asymmetric Cryptographic Processor                                   |
| 13 | CRT         | Chinese Reminder Theorem                                             |
| 14 | DPA         | Differential Power Analysis                                          |
| 15 | DFA         | Differential Failure Analysis                                        |
| 16 | EC          | Elliptic Curve                                                       |
| 17 | ECC         | Error Correction Code                                                |
| 18 | EDC         | Error Detection Code                                                 |
| 19 | EDU         | Error Detection Unit                                                 |
| 20 | GCIM        | Generic Chip Identification Mode (BOS-CIM)                           |
| 21 | EEPROM      | Electrically Erasable and Programmable Read Only Memory              |
| 22 | EMA         | Electro magnetic analysis                                            |
| 23 | HW          | Hardware                                                             |
| 24 | IC          | Integrated Circuit                                                   |
| 25 | ID          | Identification                                                       |
| 26 | IMM         | Interface Management Module                                          |
| 27 | I/O         | Input/Output                                                         |
| 28 | MED         | Memory Encryption and Decryption                                     |
| 29 | MPU         | Memory Protection Unit                                               |
| 30 | NRG         | ISO/IEC14443-3 Type A with CRYPTO1                                   |
| 31 | O           | Objective                                                            |
| 32 | OS          | Operating system                                                     |
| 33 | RAM         | Random Access Memory                                                 |
| 34 | RMS         | Resource Management System                                           |
| 35 | RNG         | Random Number Generator                                              |
| 36 | ROM         | Read Only Memory                                                     |
| 37 | RSA         | Rives-Shamir-Adleman Algorithm                                       |
| 38 | SCL         | Symmetric Crypto Library                                             |
| 39 | SCP         | Symmetric Cryptographic Processor                                    |

|    |       |                                                                       |
|----|-------|-----------------------------------------------------------------------|
| 1  | SF    | Security Feature                                                      |
| 2  | SFR   | Special Function Register, as well as Security Functional Requirement |
| 3  | SPA   | Simple power analysis                                                 |
| 4  | SW    | Software                                                              |
| 5  | T     | Threat                                                                |
| 6  | TM    | Test Mode (BOS)                                                       |
| 7  | TOE   | Target of Evaluation                                                  |
| 8  | TRNG  | True Random Number Generator                                          |
| 9  | TSF   | TOE Security Functionality                                            |
| 10 | UART  | Universal Asynchronous Receiver/Transmitter                           |
| 11 | UM    | User Mode (BOS)                                                       |
| 12 | UMSLC | User Mode Security Life Control                                       |
| 13 | 3DES  | Triple DES Encryption Standard                                        |

## 12 Glossary

|    |    |                                                                            |                                                                                                                                                                                                                  |
|----|----|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2  | 3  | Boot System                                                                | Part of the firmware with routines for controlling the operating state and testing the TOE hardware                                                                                                              |
| 4  | 5  | Central Processing Unit                                                    | Logic circuitry for digital information processing                                                                                                                                                               |
| 6  | 7  | Chip                                                                       | Integrated Circuit]                                                                                                                                                                                              |
| 8  | 9  | Chip Identification Mode data                                              | Data stored in the SOLID FLASH™ NVM containing the chip type, lot number (including the production site), die position on wafer and production week and data stored in the ROM containing the BOS version number |
| 10 | 11 | Chip Identification Mode                                                   | Operational status phase of the TOE, in which actions for identifying the individual chip by transmitting the Chip Identification Mode data take place                                                           |
| 12 | 13 | Controller                                                                 | IC with integrated memory, CPU and peripheral devices                                                                                                                                                            |
| 14 | 15 | Crypto2304T                                                                | Cryptographic coprocessor for asymmetric cryptographic operations                                                                                                                                                |
| 16 | 17 | Cyclic Redundancy Check                                                    | Process for calculating checksums for error detection                                                                                                                                                            |
| 18 | 19 | Electrically Erasable and Programmable Read Only Memory (SOLID FLASH™ NVM) | Non-volatile memory permitting electrical read and write operations                                                                                                                                              |
| 20 | 21 | Firmware                                                                   | Part of the software implemented as hardware                                                                                                                                                                     |
| 22 | 23 | Hardware                                                                   | Physically present part of a functional system (item)                                                                                                                                                            |
| 24 | 25 | Integrated Circuit                                                         | Component comprising several electronic circuits implemented in a highly miniaturized device using semiconductor technology                                                                                      |
| 26 | 27 | Memory Encryption and Decryption                                           | Method of encoding/decoding data transfer between CPU and memory                                                                                                                                                 |
| 28 | 29 | Memory                                                                     | Hardware part containing digital information (binary data)                                                                                                                                                       |
| 30 | 31 | Microprocessor                                                             | CPU with peripherals                                                                                                                                                                                             |
| 32 | 33 | Non-privilege level                                                        | Restricted (non Supervisor) mode of the CPU                                                                                                                                                                      |
| 34 | 35 | Object                                                                     | Physical or non-physical part of a system which contains information and is acted upon by subjects                                                                                                               |
| 36 | 37 | Operating System                                                           | Software which implements the basic TOE actions necessary for operation                                                                                                                                          |
| 38 | 39 | Privilege level                                                            | Supervisor mode of the CPU                                                                                                                                                                                       |
| 40 | 41 | Programmable Read Only Memory                                              | Non-volatile memory which can be written once and then only permits read operations                                                                                                                              |
| 40 | 41 | Random Access Memory                                                       | Volatile memory which permits write and read operations                                                                                                                                                          |
| 41 |    | Random Number Generator                                                    | Hardware part for generating random numbers                                                                                                                                                                      |

|    |                            |                                                                                                                                            |
|----|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| 1  | Read Only Memory           | Non-volatile memory which permits read operations only                                                                                     |
| 2  | Resource Management System | Part of the firmware containing SOLID FLASH™ NVM programming routines, AIS31 testbench etc.                                                |
| 3  | Security Mechanism         | Logic or algorithm which implements a specific security function in hardware or software                                                   |
| 4  | SCP                        | Symmetric cryptographic coprocessor for symmetric cryptographic operations (3DES, AES).                                                    |
| 5  | Security Function          | Part(s) of the TOE used to implement part(s) of the security objectives                                                                    |
| 6  | Security Target            | Description of the intended state for countering threats                                                                                   |
| 7  | Smart Card                 | Plastic card in credit card format with built-in chip                                                                                      |
| 8  | Software                   | Information (non-physical part of the system) which is required to implement functionality in conjunction with the hardware (program code) |
| 9  | Subject                    | Entity, generally in the form of a person, who performs actions                                                                            |
| 10 | Target of Evaluation       | Product or system which is being subjected to an evaluation                                                                                |
| 11 | Test Mode                  | Operational status phase of the TOE in which actions to test the TOE hardware take place                                                   |
| 12 | Threat                     | Action or event that might prejudice security                                                                                              |
| 13 | User                       | Person in contact with a TOE who makes use of its operational capability                                                                   |
| 14 | User Mode                  | Operational status phase of the TOE in which actions intended for the user takes place                                                     |
| 15 | WLB                        | Wafer Level Ballgrid Array                                                                                                                 |
| 16 | WLP                        | Wafer Level Package                                                                                                                        |
| 17 |                            |                                                                                                                                            |
| 18 |                            |                                                                                                                                            |
| 19 |                            |                                                                                                                                            |
| 20 |                            |                                                                                                                                            |
| 21 |                            |                                                                                                                                            |
| 22 |                            |                                                                                                                                            |
| 23 |                            |                                                                                                                                            |
| 24 |                            |                                                                                                                                            |
| 25 |                            |                                                                                                                                            |
| 26 |                            |                                                                                                                                            |
| 27 |                            |                                                                                                                                            |

## 28 Revision History

### 29 Major changes since the last revision

| Page or Reference | Description                     |
|-------------------|---------------------------------|
| 4.9               | Version of last recertification |
| 6.2               | Final version                   |

#### **Other Trademarks**

All referenced product or service names and trademarks are the property of their respective owners.

**Edition 2025-07-18**

**Published by**

**Infineon Technologies AG  
81726 Munich, Germany**

**© 2025 Infineon Technologies AG.  
All Rights Reserved.**

**Do you have a question about this  
document?**

**Email: [csscustomerservice@infineon.com](mailto:csscustomerservice@infineon.com)**

#### **IMPORTANT NOTICE**

The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics ("Beschaffenheitsgarantie").

With respect to any examples, hints or any typical values stated herein and/or any information regarding the application of the product, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non-infringement of intellectual property rights of any third party.

In addition, any information given in this document is subject to customer's compliance with its obligations stated in this document and any applicable legal requirements, norms and standards concerning customer's products and any use of the product of Infineon Technologies in customer's applications.

The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer's technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.

For further information on the product, technology delivery terms and conditions and prices please contact your nearest Infineon Technologies office ([www.infineon.com](http://www.infineon.com)).

#### **WARNINGS**

Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office.

Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies' products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.