
ALTARES S.R.L. Via S. Andrea 53 – I 38062 ARCO (TN) Tel. +39 0464 512085 Fax +39 0464 515532 [email protected] - www.altares.it

Security Target

RFID Identification and Geolocation system for waste collection - Arco40 evo v. 1.0

Pag. 2 of 29 - RFID Identification and Geolocation system for waste collection - Arco40 evo v. 1.0 - ver 1.4


DOCUMENT VERSIONS

Version  Date        Author              Amendments
1.0      06/16/2017  Adriano Coldebella  First issue
1.1      07/17/2017  Adriano Coldebella  Conformance claim has been reviewed
1.2      09/14/2017  Adriano Coldebella  Document version has been reviewed
1.3      10/05/2017  Adriano Coldebella  Conformance claim has been reviewed
1.4      14/12/2017  Adriano Coldebella  Minor document revision and bug fix

Table 1 – Document version


Summary

0 Document Introduction  5
0.1 Document structure  5
0.2 Acronyms  5
0.3 Definitions  6
0.4 Reference  6
1 Security Target introduction (ASE_INT)  7
1.1 Security Target reference  7
1.2 TOE reference  7
1.3 TOE overview  7
1.3.1 Usage and major security features of a TOE  7
1.3.2 TOE type  8
1.3.3 Required not-TOE hardware/software/firmware  8
1.4 TOE description  8
1.4.1 Limits of the TOE  10
1.4.2 Physical scope  10
1.4.3 Logical scope  11
2 CONFORMANCE CLAIM (ASE_CCL)  13
2.1 CC conformance claim  13
2.2 PP claim  13
2.3 Package claim  13
2.4 Conformance rationale  13
3 Security Problem Definition (ASE_SPD)  14
3.1 Assets  14
3.2 Threats  14
3.3 Organizational Security Policies  15
3.4 Assumptions  15
4 Security Objectives  17
4.1 Security Objectives for the TOE  17
4.2 Security Objectives for the operational environment  17
4.3 Security objectives rationale  18
4.3.1 Security objectives coverage  18
4.3.2 Security objectives sufficiency  18
5 Extended component definition  21
6 Security Requirements  22
6.1 Extended Component Definition  22
6.2 Security Functional Requirements  22
6.2.1 Data authentication (FDP_DAU)  22
6.2.2 Internal TOE transfer (FDP_ITT)  23
6.2.3 Stored data integrity (FDP_SDI)  23
6.2.4 Fault tolerance (FRU_FLT)  23
6.2.5 Dependency Analysis  23
6.3 Security Assurance Requirements  24
6.3.1 Security Assurance Requirements Rationale  26
6.4 Security requirements rationale  26
6.4.1 Security Requirement Coverage  26
6.4.2 Security Requirements Sufficiency  26
7 TOE Summary Specification  28

Index Images

Figure 1 - Waste Bin Identification System  9
Figure 2 – TOE's physical scope  10
Figure 3 – Message structure  11
Figure 4 – TOE's logical scope  11

Index tables

Table 1 – Document version  2
Table 2 - Acronyms  5
Table 3 - Definitions  6
Table 4 – Required not-TOE components  8
Table 5 - Security Objectives Mapping  18
Table 6 – Dependencies of the functional requirements  23
Table 7 - Security Assurance Requirements (SAR)  24
Table 8 - Security Functional Requirement to TOE Security Objective Mapping  26


0 Document Introduction

0.1 Document structure

The Security Target contains the following additional sections:

• Security Target Introduction [Rif. §1]: this section gives an overview of the TOE, describes the TOE in terms of its physical and logical boundaries, and states the scope of the TOE.
• Conformance claim [Rif. §2]: this section states the Conformance Claims to Common Criteria.
• Security problem definition [Rif. §3]: this section details the assets, the threats that are countered by the TOE and the environment, the organizational policy that the TOE must fulfill and the assumptions.
• Security objectives [Rif. §4]: this section details the security objectives of the TOE and of its environment.
• Extended Components Definition [Rif. §5]: this section defines the extended components utilized in this ST.
• Security requirements [Rif. §6]: this section presents the security functional requirements (SFR) for the TOE, and details the assurance requirements (SAR).
• TOE summary specification [Rif. §7]: this section describes the security functions represented in the TOE that satisfy the security requirements.

0.2 Acronyms

Acronym  Description
CC       Common Criteria
EAL      Evaluation Assurance Level
GPRS     General Packet Radio Service
GPS      Global Positioning System
IT       Information Technology
PP       Protection Profile
RFID     Radio Frequency IDentification
SAR      Security Assurance Requirement
SF       Security Function
SFP      Security Function Policy
SFR      Security Functional Requirement
ST       Security Target
TOE      Target of Evaluation
TSF      TOE Security Function
WBIS     Waste Bin Identification Systems

Table 2 - Acronyms


0.3 Definitions

Terms                             Definition
WASTE BIN                         The container used by householders to put their own waste in. Includes: bags, bins and wheelie bins with an ID-TAG.
ID-TAG                            An RFID (radio-frequency identification) chip installed on a WASTE BIN for its unique identification.
READER                            Device connected with the vehicle computer (by wire or wireless) used to decode and transmit to the vehicle software the information stored on an ID-TAG.
VEHICLE SOFTWARE                  Software installed on the vehicle computer, distributed with each Arco40 Evo device.
CLEARANCE DATA MANAGEMENT MODULE  Part of the vehicle software responsible for the composition, secure storage and transmission of CLEARANCE DATA RECORDS.
CLEARANCE DATA RECORD             Data structure representing a WASTE BIN clearance.
SECURITY MODULE                   The part of the server-side software that receives information (as CLEARANCE DATA RECORDS) from the Arco40 Evo device.
APPLICATION SERVER                The server that contains the security module application.

Table 3 - Definitions

0.4 Reference

[RIF.1] WBISPP104 - Protection Profile Waste Bin Identification Systems WBIS-PP, Version 1.04, BSI-PP-0010-2004

[RIF.2] Common Criteria for Information Technology Security Evaluation, Part 1-3, April 2017, Version 3.1 Revision 5.


1 Security Target introduction (ASE_INT)

1.1 Security Target reference

Title: Security Target for "Identification and Geolocation system for waste collection Arco40 evo v. 1.0" ver. 1.4

Date: 14/12/2017

Author: Adriano Coldebella

1.2 TOE reference

Product name: Arco40 evo v. 1.0

Developer: Altares s.r.l.

1.3 TOE overview

1.3.1 Usage and major security features of a TOE

The TOE allows identifying waste bins (or other urban furniture) by an ID-TAG (e.g. an electronic chip which is referred to as a transponder) in order to determine how often a specific waste bin has been cleared, washed, etc. Note that this type of system does not identify the waste directly but the waste bin, which contains the waste for disposal.

The purpose of this type of system is to count how often the waste bins have been cleared, in order to allow an originator-related billing of waste fees.

The TOE allows certifying that the flow of data from the RFID tag to the Vehicle Software and to the Application server is secure during its whole process.

In a general way, the described process is applicable to every urban furniture and action performed.

A waste bin identification system implements an originator-related billing and assessment of fees for waste management. Aside from the use of these systems by town councils, other areas of application in billing scenarios in the private domain and business areas are possible.

The WASTE BIN is equipped with a data carrier (ID-TAG). The ID-TAG stores identification data, which are used for the identification of the waste bin. These data are unique and not confidential. Usually there is a one-to-one correspondence between a set of identification data and the person (or business company or organisation) who is subject to charge. The identification data are read during (or before/after) clearance of the WASTE BIN by the READER. Possible malfunctions during transfer and manipulations are detected. The identification data is then transmitted to the vehicle software. The vehicle software supplements these data by adding:

• Date and time of ID-TAG reading (obtained from the vehicle computer clock synchronized with the GPS receiver);
• GPS position of the vehicle during ID-TAG reading;
• Vehicle ID unique identifier;
• Clearance identification number (a counter of valid readings done for the vehicle ID);

and then forms a CLEARANCE DATA RECORD from all these data.

The records are transmitted by the CLEARANCE DATA MANAGEMENT MODULE to the SECURITY MODULE in the application Server. The CLEARANCE DATA MANAGEMENT MODULE ensures by means of adequate measures (e.g. backup of data) that the transfer is still possible after a loss of data in the primary memory.


The SECURITY MODULE ensures that possible malfunctions during transfer are detected and that the failed records are retransmitted until the transmission succeeds.

The clearance records are transmitted to external systems (e.g. of the town council authorities) for the billing process. Such external systems can provide additional functionality (e.g. detection of possible misuse in replayed clearance data records etc.) aside from the billing functionality, to supplement the security functionality of the TOE.

1.3.2 TOE type

The RFID Identification and Geolocation system for waste collection - Arco40 evo v. 1.0 is a "Waste Bin Identification System (WBIS)" as defined in the WBIS-PP. WBIS are systems which allow the identification of the clearance of a WASTE BIN with an ID-TAG, in order to determine how often a specific WASTE BIN has been cleared.

The purpose of this type of system is to count how often the waste bins have been cleared, in order to allow an originator-related billing of waste fees.

1.3.3 Required not-TOE hardware/software/firmware

The TOE is a product that follows the Common Criteria WBIS-PP. The TOE consists of an ID-TAG, the CLEARANCE DATA MANAGEMENT MODULE in the vehicle software, and the SECURITY MODULE in the APPLICATION SERVER. All other components are not part of the TOE but of the TOE environment.

The following table describes all the non-TOE system components. See figure 2 for further details.

Name            Type    Version  Description
READER          Hw      various  Device that reads and decodes an ID-TAG
SOLARIS         Hw      1.0      Arco40 Evo main board based on an Arm A5 processor
SOLARIS kernel  Sw      1.0      Altares operating system kernel based on Linux 4.4.x
SOLARIS bsp     Sw      1.0      Solaris board support package. It integrates all device drivers for the Solaris board, the mosquitto broker for data communication and the bootloader.
EVOWD           SW      1.0      EVO watchdog application
EVOUI           SW      1.0      EVO user interface manager
Evo.json        Config  1.0      Configuration file for the EVOFSM
EVOFSM          SW      1.0      EVO Finite State Machine. It is the main application program in the vehicle computer

Table 4 – Required not-TOE components

1.4 TOE description

Waste bin identification systems (WBIS) consist of the following components:

• ID-TAG containing the identification data of the WASTE BIN
• Vehicle with READER, vehicle computer with GPS/GPRS and optional sensors. The vehicle software is installed on the vehicle computer and the CLEARANCE DATA MANAGEMENT MODULE is a part of it.
• APPLICATION SERVER in the Data center. The security module is installed on the application server.

The following figure shows an overview of a waste bin identification system.


Figure 1 - Waste Bin Identification System

A waste bin identification system implements an originator-related billing and assessment of fees for waste management. Aside from the use of these systems by town councils, other areas of application in billing scenarios in the private domain and business areas are possible.

The system allows billing scenarios according to the number of clearances of a specific waste bin. Also, in the phase of reading the tag, the system provides the possibility of assigning "anomalies", for example: wrong conferment, broken bin, etc.

The waste bins are equipped with a data carrier (ID-TAG). The ID-TAG stores identification data, which are used for the identification of the waste bin. These data are unique and not confidential. Usually there is a one-to-one correspondence between a set of identification data and the person who is subject to charge. The identification data are read by the READER during (or before/after) clearance of the waste bin. Possible malfunctions during transfer and manipulations are detected. The identification data is then transmitted to the vehicle software. The vehicle software supplements these data by adding:

• Date and time of ID-TAG reading (obtained from the vehicle computer clock synchronized with the GPS receiver);
• GPS position of the vehicle during ID-TAG reading;
• Vehicle ID unique identifier;
• Clearance identification number (a counter of valid readings done for the vehicle ID).

One or more records of clearance can be combined. In this way all clearance records of a tour can be combined to a clearance data set of the entire tour.

Each CLEARANCE DATA RECORD is transmitted by the CLEARANCE DATA MANAGEMENT MODULE to the application Server and received by the SECURITY MODULE. The CLEARANCE DATA MANAGEMENT MODULE ensures by means of adequate measures (e.g. backup of data) that the transfer is still possible after a loss of data in the primary memory. The SECURITY MODULE ensures that during transfer of clearance data records to the Application server only those data records which were created in a clearance vehicle are accepted as valid data. In addition, possible malfunctions during transfer are detected.

The clearance data records can be stored on a server computer by the application server software. Optionally the data records can be analyzed further in order to defeat additional possible attacks (invalid or copied identification data, etc.). The clearance records contained in the application server can be exported to external systems (e.g. of the town council authorities) for the billing process. Such external systems can provide additional functionality (e.g. detection of possible misuse in replayed clearance data records etc.) aside from the billing functionality, to supplement the security functionality of the TOE.

The ID-TAG and the data transfer between the ID-TAG and the vehicle software, the data stored in the vehicle, as well as the transfer between the vehicle software and the security module are subject to potential attacks. When considering the attack potential one must take into account the potential value of the data to be protected. This value can be regarded as low. Therefore a low attack potential can be assumed. Only authorized personnel has access to the vehicle software and the security module, due to suitable physical and organizational measures. This protection is implemented by the vehicle with its components and in the Data center with the server computer.

1.4.1 Limits of the TOE

The TOE consists of an ID-TAG, the CLEARANCE DATA MANAGEMENT MODULE included in the vehicle software and the SECURITY MODULE. All other components (see also Fig. 1) are not part of the TOE but of the TOE environment. The TOE has an external interface to the memories of the vehicle computer, a logical internal interface between the ID-TAG and the vehicle software, a logical internal interface between the vehicle software and the security module, and an external interface between the security module and the server software. The physical channels from the ID-TAG to the vehicle software and from the vehicle software to the SECURITY MODULE are not part of the TOE. Additional interfaces, especially to the accounting centers, are not part of the evaluation. The DB and the Presentation module in the application software are also not part of the TOE.

1.4.2 Physical scope

Figure 2 shows the physical scope of the TOE.

Figure 2 – TOE’s physical scope

The physical RFID tag can be one of the following:

• UHF EPC Class 1 Gen 2, ISO 18000-6;
• HF 13,56 MHz, ISO 18000-3, 15693;
• LF 125 kHz (EM4100, EM4200) or LF 124,2 kHz (HDX, FDXb), ISO 11784, 11785.

Each kind of RFID tag requires a specific READER. The vehicle computer is based on the Altares Solaris Board, designed and produced by Altares srl, who also provides the operating system based on Linux kernel 4.4.x and the BSP (board support package). The BSP level, named Solaris BSP, integrates the device drivers and the software ALTSND, used to guarantee a secure communication layer between the vehicle computer and the remote server. The CDMM application in the application level implements the CLEARANCE DATA MANAGEMENT MODULE.

At the server side, the security module is realized by two daemons (a daemon is a type of program on Unix-like operating systems that runs unobtrusively in the background, rather than under the direct control of a user, waiting to be activated by the occurrence of a specific event or condition):

• ALTLIST, that implements the security level in communication (QoS 1);
• ALTSYNC, that provides the synchronization between the data received and the application central database.

Figure 3 – Message structure

1.4.3 Logical scope

This ST is strictly conformant with [WBISPP104] as shown in figure 1, and therefore its logical scope is fully applicable (TOE scope marked yellow).

Figure 4 – TOE’s logical scope

The previous logical scope is instantiated for the actual TOE as shown in figure 2 (TOE scope marked yellow).

The main security features available are the following:

• Recognition of invalid identification data: the TOE will recognize manipulation of identification data (AT1) stored in the ID-TAG or during transfer between the ID-TAG and the READER in the vehicle.


• Recognition of invalid clearance data records: the TOE will recognize any attempt to transfer arbitrary (i.e. invalid) clearance data records (AT+) to the security module. The TOE will recognize manipulations of clearance records (AT) during processing and storage within the vehicle, and manipulations of the clearance data records (AT+) by random jam during transfer from the vehicle software to the security module.

• Fault tolerance: the vehicle software, as a part of the TOE, will ensure that the data of the clearance data records (AT+) is secured by a redundant saving of the data in a secondary memory, in such a way that the transfer of the clearance data records (AT+) from the vehicle software to the security module is possible in case the clearance data records (AT+) are lost in the primary memory of the vehicle software.

• Automatic retransmission: the TOE will identify if data has not been adequately received by the security module and it will recover by repeating the data transmission.


2 CONFORMANCE CLAIM (ASE_CCL)

2.1 CC conformance claim

ST and TOE are conformant to version 3.1 (Revision 5) of the Common Criteria for Information Technology Security Evaluation.

The following conformance claims are made for the TOE and ST:

• Common Criteria for Information Technology Security Evaluation, Part 1, Version 3.1 Rev. 5, April 2017
• Common Criteria for Information Technology Security Evaluation, Part 2: Security functional requirements, Version 3.1 Rev. 5, April 2017
• Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance requirements, Version 3.1 Rev. 5, April 2017

2.2 PP claim

This Security Target is strictly conformant with the Protection Profile Waste Bin Identification Systems WBIS-PP Version 1.04 BSI-PP-0010-2004.

2.3 Package claim

The claimed assurance package is EAL1, augmented with ASE_SPD.1, ASE_OBJ.2, ASE_REQ.2. These augmentations are necessary for the conformance to the PP, which is certified against version 2.1 of the CC.

2.4 Conformance rationale

The following rationales are provided:

The TOE Type in the ST is the same as the TOE type in the referenced PP, that is, a waste bin identification system.

Although [WBISPP104] was certified against Common Criteria 2.1, this ST claims conformance with Common Criteria version 3.1 R5, which provides the same or greater guarantees.

The Security Problem Definition in the ST is strictly conformant with the Security Problem Definition in the PP, because:

• the threats in the ST are identical to the threats in the PP
• the assumptions in the ST are identical to the assumptions in the PP
• the OSPs in the ST are identical to the OSPs in the PP.

The Security Objectives for the TOE in the ST are identical to the Security Objectives in the PP.

The Security Objectives for the operational environment in the ST are identical to the Security Objectives in the PP.

The Security Requirements are the same as those stated in the PP.

Moreover, as the assurance level of the PP contains different requirements from those provided by the current version of the Common Criteria, we have chosen an EAL1 assurance level augmented with ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2, which allows verification that the security problem is really addressed by the TOE and its operational environment.


3 Security Problem Definition (ASE_SPD)

The purpose of this section is to define the nature and scope of the "security needs" to be addressed by the TOE. Therefore this section will involve any assumptions that are made regarding the TOE environment, the assets requiring protection, the identified threat agents and the threats they pose to the assets, and the organizational security policies or rules with which the TOE must comply in addressing the security needs.

In the following, the assets, subjects and threat agents will be defined first.

3.1 Assets

AT  A record of clearance AT corresponding to a clearance of a waste bin is an asset in the WBIS. The record of clearance AT consists of the following data fields:

• AT1 Identification data of the waste bin
• AT2 Date and time of the clearance
• AT3 GPS position
• AT4 Vehicle ID
• AT5 Clearance ID (counter) for the vehicle
• AT6 Additional information

The record of clearance AT will be created within the vehicle computer. The identification data AT1 is stored in the ID-TAG and it is the asset itself until the creation of the record of clearance AT. AT2 is retrieved from the internal clock of the vehicle computer, synchronized with GPS global time. AT3 is retrieved from the GPS subsystem and AT4 is retrieved from the internal configuration file (evo.json). AT5 is a clearance index stored in the secure/non-volatile memory of the Solaris board and updated at each new clearance. AT6 is retrieved from the sensors subsystem and contains additional information about the clearance.

AT+  The records of clearance AT will be combined to clearance data blocks AT+ before transfer from the vehicle software to the security module. The clearance data block AT+ is an asset in the WBIS during transfer between the vehicle software and the security module.
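As an added illustration (not part of the Altares Security Target or its software) of the assets AT1..AT6 and AT+ defined above and of the security features listed in section 1.4.3 (rejection of arbitrary or jammed AT+ blocks, redundant saving in a secondary memory, retransmission until the security module acknowledges), the following Python model puts the pieces together. The HMAC-SHA256 tag, the JSON encoding, the field and class names and the sample records are all assumptions; the ST does not disclose the message format of Figure 3 or the authentication mechanism used by ALTSND/ALTLIST.

```python
"""Added example, not part of the Altares Security Target or its software.
Models the record of clearance AT (AT1..AT6), the block AT+, and the checks the
ST assigns to the SECURITY MODULE and the CLEARANCE DATA MANAGEMENT MODULE.
HMAC-SHA256, the JSON encoding and all names here are assumptions."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed demo key, assumed to be shared by vehicle and SECURITY MODULE.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

@dataclass(frozen=True)
class ClearanceRecord:
    """One record of clearance AT, fields as listed in ST section 3.1."""
    at1_tag_id: str        # AT1 identification data read from the ID-TAG
    at2_timestamp: str     # AT2 date/time from the GPS-synchronised clock
    at3_gps: tuple         # AT3 (latitude, longitude)
    at4_vehicle_id: str    # AT4 vehicle ID (from evo.json)
    at5_clearance_id: int  # AT5 per-vehicle clearance counter
    at6_extra: str         # AT6 additional information, e.g. an anomaly

def make_block(records, key=SHARED_KEY):
    """Combine records into a clearance data block AT+ and authenticate it."""
    payload = json.dumps([asdict(r) for r in records], sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload, tag

class SecurityModule:
    """Server side: accept only blocks made in a vehicle (T.Create) and detect
    random corruption during transfer (T.Jam#2) by checking the tag."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.accepted = []

    def receive(self, payload, tag):
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # no acknowledgement: forged or jammed block
        self.accepted.append(json.loads(payload))
        return True  # acknowledgement back to the vehicle

class JammedChannel:
    """Constructed transfer channel that corrupts the first jam_count sends."""

    def __init__(self, receiver, jam_count):
        self.receiver = receiver
        self.jam_count = jam_count
        self.attempts = 0

    def send(self, payload, tag):
        self.attempts += 1
        if self.attempts <= self.jam_count:
            # flip one bit of the payload: a purely random jam as in T.Jam#2
            payload = payload[:5] + bytes([payload[5] ^ 0x01]) + payload[6:]
        return self.receiver.receive(payload, tag)

class ClearanceDataManagementModule:
    """Vehicle side: redundant saving (P.Safe) and retransmission until ack."""

    def __init__(self, channel):
        self.channel = channel
        self.primary = []    # primary memory holding unsent blocks
        self.secondary = []  # redundant copy kept in secondary memory

    def store(self, block):
        self.primary.append(block)
        self.secondary.append(block)

    def transmit_all(self, max_attempts=10):
        """Return how many blocks the SECURITY MODULE acknowledged."""
        if not self.primary and self.secondary:
            self.primary = list(self.secondary)  # primary lost: use the copy
        delivered = 0
        for block in list(self.primary):
            for _ in range(max_attempts):
                if self.channel.send(*block):
                    delivered += 1
                    self.primary.remove(block)
                    self.secondary.remove(block)
                    break
        return delivered

def demo():
    """One tour: two records, lost primary memory, three jammed transfers."""
    records = [
        ClearanceRecord("E2001234", "2017-12-14T08:01:02Z", (45.92, 10.89), "V-17", 1, ""),
        ClearanceRecord("E2005678", "2017-12-14T08:03:40Z", (45.93, 10.90), "V-17", 2, "broken bin"),
    ]
    server = SecurityModule()
    cdmm = ClearanceDataManagementModule(JammedChannel(server, jam_count=3))
    cdmm.store(make_block(records))
    cdmm.primary.clear()  # simulated loss of the primary memory
    delivered = cdmm.transmit_all()
    # a block forged outside the vehicle (T.Create) cannot carry a valid tag
    forged_ok = server.receive(b'[{"at1_tag_id": "FORGED"}]', b"\x00" * 32)
    return delivered, len(server.accepted), cdmm.channel.attempts, forged_ok
```

Running `demo()` returns `(1, 1, 4, False)`: the block survives the loss of the primary memory, is delivered on the fourth attempt after three jammed transfers, and the forged block is refused.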

Subjects

S.Trusted  Trustworthy User

The crew of the collection vehicle and the users of the office computer. Personnel for installation and maintenance of the system. Furthermore, personnel responsible for the security of the environment.

Threat agents

S.Attack  Attacker

A human or a process acting on his behalf, located outside the TOE. The main goal of the S.Attack attacker is to modify or corrupt application sensitive information. The attacker has at most a knowledge of obvious vulnerabilities.

3.2 Threats

An attacker interacts with the TOE interfaces to exploit vulnerabilities, resulting in arbitrary security compromises. The threats address all assets.

T.Man  Manipulated identification data


An attacker (S.Attack) manipulates the identification data (AT1) within an ID-TAG by means of e.g. mechanical impact, which corrupts the identification data (AT1) only in a purely random way.

T.Jam#1 Disturbed identification data

An attacker (S.Attack) disturbs the transfer of the identification data (AT1) from the ID-TAG to the READER in the vehicle by means of e.g. electromagnetic radiation, which corrupts the identification data (AT1) only in a purely random way.

T.Create Invalid records of clearance

An attacker (S.Attack) creates arbitrary clearance data blocks (AT+) and transmits them to the security module.

T.Jam#2 Corrupted record of clearance

An attacker (S.Attack) corrupts records of clearance (AT) during processing and storage within the vehicle, or disturbs the transfer of clearance data records (AT+) from the vehicle software to the security module by means of e.g. electromagnetic radiation, which corrupts the data of the clearance data records (AT+) only in a purely random way.

3.3 Organizational Security Policies

The following rule is stated for the TOE:

P.Safe Fault tolerance

The vehicle software part of the TOE shall ensure that the data of the clearance data records (AT+) is secured by redundant saving of the data in a secondary memory, in such a way that the transfer of the clearance data records (AT+) from the vehicle software to the security module is possible in case the clearance data records (AT+) are lost in the primary memory of the vehicle software.

3.4 Assumptions

A.Id ID-TAG

The ID-TAG is fastened to the waste bin. The identification data (AT1) of the waste bin are saved in the ID-TAG. Only ID-TAGs with unique identification data are in use. The correct correspondence of this data to the chargeable person is to be provided by organisational means which are out of the scope of the TOE.

A.Trusted Trustworthy personnel

The crew of the collection vehicle and the user of the office computer (S.Trusted) are authorised and trustworthy. All persons who install and maintain the system are authorised and trustworthy (S.Trusted). All persons responsible for the security of the TOE environment (S.Trusted) are authorised and trustworthy.

A.Access Access protection

The environment ensures by appropriate means (closure, access control by passwords etc.) that only user or service staff (S.Trusted) can directly access the components of the TOE except the ID-TAG. The manipulation of the internal communication channels by a potential attacker (S.Attack) within the IT structure of the server computer is excluded by sufficient measures.

A.Check Check of completeness

The user (S.Trusted) checks at regular intervals whether the data transported from the vehicle software to the security module in the office is complete. Identified loss of data is recovered by repeated transport of the data. The intervals are consistent with the capacity of the corresponding memory of the vehicle computer.

A.Backup Data backup

The user (S.Trusted) makes backup copies of the data created by the TOE at regular intervals.


4 Security Objectives

This section identifies and defines the security objectives for the TOE and its environment. Security objectives reflect the stated intent and counter the identified threats, as well as comply with the identified organisational security policies and assumptions.

4.1 Security Objectives for the TOE

The security objectives for the TOE must determine (to the desired extent) the responsibility of the TOE in countering the threats and in supporting the OSPs. Each objective must be traced back to aspects of identified threats to be countered by the TOE and to aspects of OSPs to be met by the TOE. The security objectives may be viewed as providing the reader a link from the identified security needs to the security IT requirements.

OT.Inv#1 Recognition of invalid identification data

The TOE shall recognise manipulation of identification data (AT1) stored in the ID-TAG or during transfer between the ID-TAG and the READER in the vehicle.

OT.Inv#2 Recognition of invalid clearance data records

The TOE shall recognise any attempt to transfer arbitrary (i.e. invalid) clearance data records (AT+) to the security module. The TOE shall recognise manipulations of records of clearance (AT) during processing and storage within the vehicle and manipulations of the clearance data blocks (AT+) by random jamming during transfer from the vehicle software to the security module.

OT.Safe Fault tolerance

The vehicle software as a part of the TOE shall ensure that the data of the clearance data records (AT+) is secured by redundant saving of the data in a secondary memory, in such a way that the transfer of the clearance data records (AT+) from the vehicle software to the security module is possible in case the clearance data records (AT+) are lost in the primary memory of the vehicle software.

4.2 Security Objectives for the operational environment

OE.Id ID-TAG

The ID-TAG is fastened to the waste bin. The identification data (AT1) of the waste bin are saved in the ID-TAG. There shall be only ID-TAGs with unique identification data in use. The correct correspondence of this data to the chargeable person is to be provided by organisational means which are out of the scope of the TOE.

OE.Trusted Trustworthy personnel

It shall be ensured by organisational means that the crew of the collection vehicle and the user of the office computer (S.Trusted) are authorised and trustworthy. All persons who install and maintain the system shall be authorised and trustworthy (S.Trusted). All persons responsible for the security of the TOE environment (S.Trusted) shall be authorised and trustworthy.

OE.Access Access protection

The environment shall ensure by appropriate means (closure, access control by passwords etc.) that only user or service staff (S.Trusted) can directly access the components of the TOE except the ID-TAG. The manipulation of the internal communication channels by potential attackers (S.Attack) within the IT structure of the office computer shall be excluded by sufficient measures.

OE.Check Check of completeness

It shall be ensured that the user (S.Trusted) checks at regular intervals whether the data transported from the vehicle software to the security module in the office is complete. Identified loss of data shall be recovered by repeated transport of the data. The intervals shall be consistent with the capacity of the corresponding memory of the vehicle computer.

OE.Backup Data backup

It shall be ensured that the user (S.Trusted) makes backup copies of the data created by the TOE at regular intervals.

4.3 Security objectives rationale

4.3.1 Security objectives coverage

The following table provides a mapping of security objectives to the environment defined by the threats, policies and assumptions, illustrating that each security objective covers at least one threat and that each threat is countered by at least one objective, assumption or policy.

            TOE                              Environment
            OT.Inv#1   OT.Inv#2   OT.Safe    OE.Id      OE.Trusted OE.Access  OE.Check   OE.Backup
T.Man          X
T.Jam#1        X
T.Create                  X
T.Jam#2                   X
P.Safe                               X
A.Check                                                                          X
A.Id                                            X
A.Trusted                                                  X
A.Access                                                              X
A.Backup                                                                                    X

Table 5 - Security Objectives Mapping

4.3.2 Security objectives sufficiency

The following rationale provides justification that the security objectives are suitable to counter each individual threat and that each security objective tracing back to a threat, when achieved, actually contributes to the removal, diminishing or mitigation of that threat.

4.3.2.1 Threats and Security Objectives Sufficiency

T.Man (Manipulated identification data)

deals with attacks in which identification data (AT1) is manipulated within the identification unit. According to OT.Inv#1 the identification data (AT1) which is corrupted (as seen after being read by the reader) will be recognised by the TOE, which counters directly the threat T.Man.

T.Jam#1 (Disturbed identification data)

deals with attacks in which disturbed identification data (AT1) (by random disturbance) is presented to the reader. According to OT.Inv#1 the identification data which is corrupted (as seen after the read by the reader) will be recognised by the TOE, which counters directly the threat T.Jam#1.

T.Create (Invalid records of clearance)

deals with attacks in which arbitrary records of clearance are created and then transported to the security module. According to OT.Inv#2 any attempt to transport arbitrary (i.e. invalid) records of clearance blocks to the security module will be recognised, which counters directly the threat T.Create.

T.Jam#2 (Corrupted records of clearance)

addresses attacks in which records of clearance (AT) are corrupted during processing and storage within the vehicle or the transfer of the clearance data blocks to the security module is disturbed. According to OT.Inv#2 corruptions of the records of clearance during processing and storage within the vehicle and the clearance data blocks which are corrupted during transfer to the security module will be recognised by the TOE, which counters directly the threat T.Jam#2.

4.3.2.2 Policies and Security Objectives Sufficiency

P.Safe (Fault tolerance)

establishes the availability of the relevant data for the transfer of the clearance data records (AT+) from the vehicle software to the security module also in case of the loss of these data in a primary memory of the vehicle software, by keeping the data in a secondary memory. This is exactly repeated by the objective OT.Safe, so this objective is sufficient for P.Safe.

4.3.2.3 Assumptions and Security Objectives Sufficiency

A.Id (Identification unit)

ensures that the identification unit is fastened to the waste bin which it identifies and that the data of installed identification units is unique. The correspondence between the identification data and the chargeable customer is established by organisational means. Since the objective OE.Id states exactly the same, it is sufficient for A.Id.

A.Trusted (Trustworthy personnel)

ensures that all subjects (except the attacker) are trustworthy. The objective OE.Trusted states exactly the same, so it is sufficient for A.Trusted.

A.Access (Access protection)

ensures that the access to the TOE, except for the identification unit, is limited to trustworthy personnel only. It also excludes the ability of the attacker to influence the internal communication channels within the IT structure of the office computer. The objective OE.Access states exactly the same, so it is sufficient for A.Access.

A.Check (Check of completeness)

ensures that every clearance data record sent by a vehicle is correctly received in the right sequence and is requested again from the vehicle software in case of a gap. This is exactly repeated by the objective OE.Check, so this objective is sufficient for A.Check.

A.Backup (Data backup)

ensures that the user makes backup copies of the data created by the TOE at regular intervals, as the TOE does not provide a corresponding functionality. The objective OE.Backup states exactly the same, so it is sufficient for A.Backup.


5 Extended component definition

The extended components used are those that are defined in the [WBISPP104] Protection Profile claimed in this Security Target. These components are used methodologically as they are defined in the PP.

It was chosen to define FDP_ITT.5 explicitly, because Part 2 of the Common Criteria does not contain a generic security functional requirement for integrity protection of user data when it is transmitted between physically-separated parts of the TOE. Furthermore, FDP_ITT.5 has a narrower approach than FDP_ITT.1, because it does not necessarily require that the TOE implements an access control SFP and/or an information flow control SFP, and it addresses only manipulations of data.


6 Security Requirements

This section defines the security requirements satisfied by the TOE. Each requirement has been extracted from version 3.1 of the Common Criteria, part 2 providing functional requirements and part 3 providing assurance requirements.

Part 2 of the Common Criteria defines an approved set of operations that may be applied to security functional requirements. Following are the approved operations and the document conventions that are used within this ST to depict their application:

Assignment: The assignment operation provides the ability to specify an identified parameter within a requirement. Assignments are depicted using bolded text and are surrounded by square brackets as follows: [assignment].

Refinement: The refinement operation allows the addition of extra detail to a requirement. Refinements are indicated using bolded text for additions and strike-through for deletions.

6.1 Extended Component Definition

The extended components used are those that are defined in the [WBISPP104] Protection Profile claimed in this Security Target. These components are used methodologically as they are defined in the PP.

FDP_ITT.5 Internal transfer integrity protection

Hierarchical to: No other components.

Dependencies: No dependencies.

FDP_ITT.5.1

The TSF shall enforce the [integrity SFP] to prevent the modification of user data when it is transmitted between physically-separated parts of the TOE.

6.2 Security Functional Requirements

6.2.1 Data authentication (FDP_DAU)

6.2.1.1 Basic data authentication (FDP_DAU.1)

FDP_DAU.1.1

The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of [records of clearance AT and clearance data records AT+].

FDP_DAU.1.2

The TSF shall provide [user (S.Trusted)] with the ability to verify evidence of the validity of the indicated information.

Application Note: It is considered that the above requirements can be fulfilled at the targeted assurance level of the evaluation without usage of secrets.


6.2.2 Internal TOE transfer (FDP_ITT)

6.2.2.1 Internal transfer integrity protection (FDP_ITT.5) (Common Criteria Part 2 extended)

FDP_ITT.5.1

The TSF shall enforce the [Data Integrity Policy] to prevent the modification of user data when it is transmitted between physically-separated parts of the TOE.

NOTE: The following Security Function Policy (SFP) Data Integrity Policy is defined for the requirement “Internal transfer integrity protection (FDP_ITT.5)”: The User Data (AT1 and AT+) shall be protected in order to maintain its integrity.

6.2.3 Stored data integrity (FDP_SDI)

6.2.3.1 Stored data integrity monitoring (FDP_SDI.1)

FDP_SDI.1.1

The TSF shall monitor user data stored within the TSC in containers controlled by the TSF for [random manipulation] on all objects, based on the following attributes: [identification data AT1 within the identification unit and records of clearance AT during storage within the vehicle].

6.2.4 Fault tolerance (FRU_FLT)

6.2.4.1 Degraded fault tolerance (FRU_FLT.1)

FRU_FLT.1.1

The TSF shall ensure the operation of [the transfer of clearance data blocks (AT+) from the vehicle software to the security module with the aid of the data stored in secondary memory] when the following failures occur: [loss of user data in the primary memory of the vehicle software].

6.2.5 Dependency Analysis

The functional requirements dependencies for the TOE and for the environment are not completely fulfilled. The following table gives an overview of the dependencies and shows how they are fulfilled.

Functional Requirements   CC Required Dependencies   Satisfied Dependencies
FDP_DAU.1                 none                       fulfilled
FDP_ITT.5                 none                       fulfilled
FDP_SDI.1                 none                       fulfilled
FRU_FLT.1                 FPT_FLS.1                  See note 1

Table 6 – Dependencies of the functional requirements

Note 1 - FRU_FLT.1 requires the TOE to ensure the operation of the data transfer from the vehicle software to the security module even if the data is lost within the vehicle software. This requirement is driven by the organisational security policy, which relates more to the availability of the data than to the correct functionality of the software, and it does not relate to a secure state of the TOE in terms of the threats the TOE is countering. As the dependency component FPT_FLS.1 relates merely to such a secure state of the TOE (i.e. the software), it is not applicable for the TOE.


6.3 Security Assurance Requirements

The security assurance requirements are those corresponding to EAL1 components as described in Common Criteria 3.1 R5 Part 3, augmented with ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2.

Assurance Class                 Assurance components
ADV: Development                ADV_FSP.1 Basic functional specification
AGD: Guidance documents         AGD_OPE.1 Operational user guidance
                                AGD_PRE.1 Preparative procedures
ALC: Life-cycle support         ALC_CMC.1 Labelling of the TOE
                                ALC_CMS.1 TOE CM coverage
ASE: Security Target Evaluation ASE_CCL.1 Conformance claims
                                ASE_ECD.1 Extended components definition
                                ASE_INT.1 ST introduction
                                ASE_OBJ.2 Security objectives
                                ASE_REQ.2 Stated security requirements
                                ASE_SPD.1 Security Problem Definition
                                ASE_TSS.1 TOE summary specification
ATE: Tests                      ATE_IND.1 Independent testing - conformance
AVA: Vulnerability assessment   AVA_VAN.1 Vulnerability survey

Table 7 - Security Assurance Requirements (SAR)

ADV_FSP.1 Basic functional specification
Dependencies: None
Developer action elements:
ADV_FSP.1.1D The developer shall provide a functional specification.
ADV_FSP.1.2D The developer shall provide a tracing from the functional specification to the SFRs.

AGD_OPE.1 Operational user guidance
Dependencies: ADV_FSP.1 Basic functional specification
Developer action elements:
AGD_OPE.1.1D The developer shall provide operational user guidance.

AGD_PRE.1 Preparative procedures
Dependencies: None
Developer action elements:
AGD_PRE.1.1D The developer shall provide the TOE including its preparative procedures.

ALC_CMC.1 Labelling of the TOE
Dependencies: ALC_CMS.1 TOE CM coverage
Developer action elements:
ALC_CMC.1.1D The developer shall provide the TOE and a reference for the TOE.

ALC_CMS.1 TOE CM coverage
Dependencies: None
Developer action elements:
ALC_CMS.1.1D The developer shall provide a configuration list for the TOE.

ASE_INT.1 ST introduction
Dependencies: None
Developer action elements:
ASE_INT.1.1D The developer shall provide an ST introduction.

ASE_CCL.1 Conformance claims
Dependencies: ASE_INT.1 ST introduction, ASE_ECD.1 Extended components definition, ASE_REQ.1 Stated security requirements
Developer action elements:
ASE_CCL.1.1D The developer shall provide a conformance claim.
ASE_CCL.1.2D The developer shall provide a conformance claim rationale.

ASE_OBJ.2 Security objectives
Dependencies: ASE_SPD.1 Security problem definition
Developer action elements:
ASE_OBJ.2.1D The developer shall provide a statement of security objectives.
ASE_OBJ.2.2D The developer shall provide a security objectives rationale.

ASE_ECD.1 Extended components definition
Dependencies: None
Developer action elements:
ASE_ECD.1.1D The developer shall provide a statement of security requirements.
ASE_ECD.1.2D The developer shall provide an extended components definition.

ASE_REQ.2 Derived security requirements
Dependencies: ASE_ECD.1 Extended components definition, ASE_OBJ.2 Security objectives
Developer action elements:
ASE_REQ.2.1D The developer shall provide a statement of security requirements.
ASE_REQ.2.2D The developer shall provide a security requirements rationale.

ASE_SPD.1 Security Problem Definition
Dependencies: None
Developer action elements:
ASE_SPD.1.1D The developer shall provide a security problem definition.

ASE_TSS.1 TOE summary specification
Dependencies: ASE_INT.1 ST introduction, ASE_REQ.1 Stated security requirements, ADV_FSP.1 Basic functional specification
Developer action elements:
ASE_TSS.1.1D The developer shall provide a TOE summary specification.

ATE_IND.1 Independent testing – conformance
Dependencies: ADV_FSP.1 Basic functional specification, AGD_OPE.1 Operational user guidance, AGD_PRE.1 Preparative procedures
Developer action elements:
ATE_IND.1.1D The developer shall provide the TOE for testing.

AVA_VAN.1 Vulnerability survey
Dependencies: ADV_FSP.1 Basic functional specification, AGD_OPE.1 Operational user guidance, AGD_PRE.1 Preparative procedures
Developer action elements:
AVA_VAN.1.1D The developer shall provide the TOE for testing.


6.3.1 Security Assurance Requirements Rationale

The assurance level for this security target is EAL1+. This EAL provides a meaningful increase in assurance over an unevaluated IT product or system by providing confidence in correct operation, while the threats to security are not viewed as serious, which relates directly to the rather low value of the TOE's assets. EAL1 provides independent assurance to support the contention that due care has been exercised with respect to the protection of information contained in records of clearance and that the TOE provides useful protection against identified threats as required by the customer. EAL1 provides an evaluation of the TOE as made available to the customer, including independent testing against a specification and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal outlay. This enables the required flexibility in composing the system of modules taken from the current market, while keeping the associated costs for the evaluation at a reasonably low level. The ASE_SPD.1, ASE_OBJ.2 and ASE_REQ.2 augmentation allows verification that the security problem is really addressed by the TOE and its operational environment.

6.4 Security requirements rationale

6.4.1 Security Requirement Coverage

The following table provides a mapping of SFRs to the security objectives, showing that each security functional requirement addresses at least one security objective.

            OT.Inv#1   OT.Inv#2   OT.Safe
FDP_DAU.1              X
FDP_ITT.5   X          X
FDP_SDI.1   X          X
FRU_FLT.1                         X

Table 8 - Security Functional Requirement to TOE Security Objective Mapping

6.4.2 Security Requirements Sufficiency

OT.Inv#1 (Recognition of disturbed identification data)

addresses the recognition of manipulation of identification data (AT1) of records of clearance (AT) within the identification unit and while being transferred between the identification unit and the vehicle software, which are separated parts of the TOE. The protection of the integrity of the identification data (AT1) which is stored in the identification unit is required by FDP_SDI.1 and counters directly random manipulations of this data. The protection of the User Data AT1 to ensure its integrity is required by FDP_ITT.5 for the transfer between physically-separated parts of the TOE. Ensuring the data integrity protects directly against manipulations of the data during the transfer.

OT.Inv#2 (Recognition of invalid data blocks)

addresses the recognition of manipulation of clearance data blocks (AT+), which are transferred between the vehicle software and the security module, which are physically separated parts of the TOE. The protection of the User Data AT+ to ensure its integrity is required by FDP_ITT.5 for the transfer between physically separated parts of the TOE. Ensuring the data integrity protects directly against manipulations of the data. OT.Inv#2 also addresses the recognition of invalid records of clearance AT during processing and storage in the vehicle and manipulations of clearance data blocks AT+ transferred to the security module. The TOE provides, according to FDP_DAU.1, a capability to create evidence which can be used by the user to verify the validity of the data. The protection of the integrity of the user data (AT) which is stored in the vehicle is required by FDP_SDI.1 and counters directly random manipulations of this data. The requirements FDP_ITT.5, FDP_DAU.1 and FDP_SDI.1 are mutually supportive for the data authenticity and integrity. Therefore the requirements FDP_ITT.5, FDP_DAU.1 and FDP_SDI.1 cover sufficiently the security objective OT.Inv#2.

OT.Safe (Fault tolerance)

addresses the availability of the relevant data for transfer of the clearance data blocks (AT+) from the vehicle software to the security module even in the case of data loss within the primary memory of the vehicle software. The operation of this data transfer with the aid of a secondary memory after the loss of the data in primary memory is realised by the TOE according to FRU_FLT.1.


7 TOE Summary Specification

This section describes how the TOE meets each SFR, providing, for each SFR from the statement of security requirements, a description of how the SFR is met, and giving potential consumers of the TOE a high-level view of how each SFR is satisfied.

OT.Inv#1 Recognition of invalid identification data

The TOE shall recognise manipulation of identification data (AT1) stored in the ID-TAG or during transfer between the ID-TAG and the reader in the vehicle.

The objective is met with the SFRs FDP_ITT.5 and FDP_SDI.1.

OT.Inv#2 Recognition of invalid clearance data blocks

The TOE shall recognise any attempt to transfer arbitrary (i.e. invalid) clearance data blocks (AT+) to the security module. The TOE shall recognise manipulations of records of clearance (AT) during processing and storage within the vehicle and manipulations of the clearance data blocks (AT+) by random jamming during transfer from the vehicle software to the security module.

The objective is met with the SFRs FDP_ITT.5, FDP_SDI.1 and FDP_DAU.1.

OT.Safe Fault tolerance

The vehicle software as a part of the TOE shall ensure that the data of the clearance data blocks (AT+) is secured by redundant saving of the data in a secondary memory, in such a way that the transfer of the clearance data blocks (AT+) from the vehicle software to the security module is possible in case the clearance data blocks (AT+) are lost in the primary memory of the vehicle software.

The objective is met with the SFR FRU_FLT.1.

FDP_DAU.1 Basic data authentication

This SFR requires the TOE to provide a capability to generate evidence that can be used as a guarantee of the validity of the records. This is satisfied with the implementation of a secure mechanism over each stored record. This secure mechanism is generated by the TOE in the vehicle software. Another secure mechanism is used for the communication sent to the security module, along with the rest of the record. This data is finally saved in the database.

FDP_ITT.5 Internal transfer integrity protection

This SFR requires the TOE to protect the integrity of AT1 and AT during transmission between physically separated parts of the TOE.

The implementation of this requirement has two different parts:

Protection of the integrity of AT1 during transmission from the ID-TAG to the vehicle software: this is achieved by providing a checksum inside AT1 itself, which is verified by the vehicle software.

Protection of the integrity of AT during transmission from the vehicle software to the security module: as stated in the previous SFR, a checksum is also generated by the vehicle software over the contents of AT and is transmitted for verification to the security module in the office software.


FDP_SDI.1 Stored data integrity monitoring

FDP_SDI.1 requires the TSF to monitor the stored data for random manipulation. This requirement also has two different parts:

Monitoring of AT1 integrity within the identification unit: as stated in the summary specification of FDP_ITT.5, this is achieved with the verification of the checksum in AT1 performed by the vehicle software.

Monitoring of AT integrity during storage within the vehicle: when a record is created it is automatically saved to the secondary storage along with its checksum. When the record is recovered for transmission to the security module, this checksum is also recovered and verified before sending to the security module.

FRU_FLT.1 Degraded fault tolerance

This requirement requires the TOE to ensure that each data block is transferred to the security module even in case of loss of user data from the primary memory. This is achieved by saving each data block in secondary memory (flash/SD) after reading it.
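As an added example (not ALTARES code; the ST names a checksum and a secondary memory but specifies neither the algorithm nor the data layouts), the following Python model puts the mechanisms of this chapter together: AT1 carrying its own checksum, records of clearance mirrored with their checksum to a secondary memory, verification before transmission, and rejection of invalid blocks on the security module side. CRC-32, the 8-byte tag-id layout, the JSON record encoding and all function names are assumptions.

```python
"""Model of the Arco40 evo integrity and fault-tolerance mechanisms from the
TOE summary specification (FDP_ITT.5, FDP_SDI.1, FDP_DAU.1, FRU_FLT.1).
Added example, not ALTARES code. Assumed details: CRC-32 as the "checksum",
AT1 = 8-byte tag id || 4-byte big-endian CRC-32, AT serialised as JSON."""
from __future__ import annotations

import json
import zlib
from typing import Optional

TAG_ID_LEN = 8  # assumed size of the identification data proper
CRC_LEN = 4     # CRC-32 appended to AT1 and to every clearance data block


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def make_tag(tag_id: bytes) -> bytes:
    """AT1 as written into an ID-TAG: id || CRC-32(id)."""
    if len(tag_id) != TAG_ID_LEN:
        raise ValueError("tag id must be %d bytes" % TAG_ID_LEN)
    return tag_id + crc(tag_id).to_bytes(CRC_LEN, "big")


def read_tag(at1: bytes) -> Optional[bytes]:
    """Vehicle-software check of AT1 (OT.Inv#1): the tag id if the embedded
    checksum matches, None for a corrupted tag (T.Man, T.Jam#1)."""
    if len(at1) != TAG_ID_LEN + CRC_LEN:
        return None
    tag_id = at1[:TAG_ID_LEN]
    stored = int.from_bytes(at1[TAG_ID_LEN:], "big")
    return tag_id if crc(tag_id) == stored else None


def verify_block(block: bytes) -> Optional[dict]:
    """Check of a clearance data block AT+ (OT.Inv#2): the record AT if its
    checksum verifies, None for an arbitrary or corrupted block."""
    if len(block) <= CRC_LEN:
        return None
    body = block[:-CRC_LEN]
    if crc(body) != int.from_bytes(block[-CRC_LEN:], "big"):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


class VehicleSoftware:
    """Keeps records of clearance in primary memory and mirrors each one,
    with its checksum, to a secondary memory (P.Safe / FRU_FLT.1)."""

    def __init__(self) -> None:
        self.primary: list[bytes] = []    # volatile RAM (constructed)
        self.secondary: list[bytes] = []  # flash/SD mirror (constructed)
        self.seq = 0

    def record_emptying(self, at1: bytes, lat: float, lon: float, ts: str) -> bool:
        """Build AT from a read tag plus geolocation and time; reject bad AT1."""
        tag_id = read_tag(at1)
        if tag_id is None:
            return False
        self.seq += 1
        body = json.dumps({"seq": self.seq, "tag": tag_id.hex(), "lat": lat,
                           "lon": lon, "ts": ts}, sort_keys=True).encode()
        block = body + crc(body).to_bytes(CRC_LEN, "big")  # AT+ = AT || CRC
        self.primary.append(block)
        self.secondary.append(block)  # redundant saving right after reading
        return True

    def blocks_to_send(self) -> list[bytes]:
        """Fall back to the secondary memory when the primary is lost and
        verify every block's checksum before transmission (FDP_SDI.1)."""
        source = self.primary or self.secondary
        return [b for b in source if verify_block(b) is not None]


def security_module_receive(blocks: list[bytes]) -> tuple[list[dict], int]:
    """Office side: keep blocks whose evidence verifies (FDP_DAU.1) and count
    the rejected ones (T.Create / T.Jam#2 detected)."""
    accepted, rejected = [], 0
    for b in blocks:
        rec = verify_block(b)
        if rec is None:
            rejected += 1
        else:
            accepted.append(rec)
    return accepted, rejected
```

Clearing `primary` on a `VehicleSoftware` instance and then calling `blocks_to_send()` reproduces the FRU_FLT.1 case: the same blocks come back from the secondary memory, each re-verified before transmission.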