Published by Julius Sherman. Modified over 9 years ago.
1
Smartcard Evaluation
TM8104 – IT Security Evaluation
2008-11-13
Linda Ariani Gunawan
2
Document
– CCDB-2006-04-001 Version 1.3 Revision 1, March 2006
– Type: guidance document
– Intended for evaluation sponsor and smartcard developers
– Field of special use: smartcards and similar devices
3
SMARTCARD OVERVIEW
4
Smartcard
Plastic card embedded with a computer chip that stores and transacts data between users
Usage:
– Telecommunication: SIM card, pay phone
– Banking: debit/credit cards
– Transportation: pay toll, bus/tram/train card
– E-passport, ID card, health card, access card and many more
5
Smartcard Types
– Contact cards
– Contactless cards
– Dual interface cards
6
Smartcards Related Standards
– ISO 7816 “Identification cards – Integrated circuit cards with contacts”
– EMV – Europay, MasterCard, Visa
– ETSI – GSM
– FIPS 140 (1-3) and 201
– OCF – Open Card Framework
– PC/SC – Interoperability Specification for ICCs and Personal Computer Systems
7
THE GUIDANCE DOCUMENT
8
Definition – IC Integrated Circuit (IC)
9
Definition – Software
IC Dedicated Software
– IC Firmware
– proprietary, embedded
– developed by IC Developer
– 2 parts:
  – IC Dedicated Test Software: only used to test IC
  – IC Dedicated Support Software: provides functions after IC manufacturing & testing process
Smartcard Embedded Software (ES)
– embedded
– NOT developed by IC Designer, but by embedded software developer
– 2 types:
  – Basic Software (BS): in charge of generic functions of smart card IC (OS, general routines, interpreters)
  – Application Software (AS): dedicated to applications
10
Definitions – Data
Identification data
– defined by IC manufacturer
– injected into non-volatile memory during manufacturing process
– usage: traceability
IC Pre-personalization data
– supplied by software developer
– injected into non-volatile memory during manufacturing process
– customer data
11
Definitions – Personalization
IC Pre-personalization
– process at IC manufacturer site
– load customer data onto IC
– then IC is irreversibly set into “issuer mode”
Smartcard Personalization
– process at card issuer
– smartcard is configured, security parameters loaded, secret key set
– then smartcard is irreversibly set into “user mode”
12
Definitions – Product
IC platform
– smartcard component
– not an end-user product
– may undergo evaluation, e.g. without AS
Smartcard product
– fully operational smartcard
– both IC+ES including AS
13
Smartcard Architectures
– Closed architecture
– Open architecture
14
Smartcard Product Life-Cycle
Ph 1. Smartcard embedded software development
– Smartcard Embedded Software Developer
– Smartcard embedded software
– Specification of IC pre-personalization requirements
Ph 2. IC development
– IC Designer
– IC design
– IC dedicated software support
– Smartcard IC database for IC photomask fabrication
15
Smartcard Product Life-Cycle
Ph 3. IC manufacturing and testing
– IC Manufacturer
– IC product
– IC manufacturing
– IC testing
– IC pre-personalization
Ph 4. IC packaging and testing
– IC Packaging Manufacturer
– IC packaging and testing
Ph 5. Smartcard product finishing process
– Smartcard Product Manufacturer
– Smartcard product finishing and testing
16
Smartcard Product Life-Cycle
Ph 6. Smartcard personalization
– Personalizer
– Smartcard personalization and final test
Ph 7. Smartcard end-usage
– Smartcard Issuer
– Smartcard End-User
– Smartcard product delivery
17
Roles in Evaluation Process
Developer
– IC Manufacturer
– ES/AS Developer
– Card Manufacturer
Card Issuer
Sponsor
– Requesting evaluation and financing it
– May be developer of TOE, card issuer or independent
Evaluator
– Laboratory performs the evaluation
Certification Body
– Issue certificate
18
Evaluation Preparation Steps
19
Roles Contributions
IC Manufacturer
– Evaluation scope: include IC
– Provides ST for IC to sponsor
– Provides evaluation deliverable to evaluation lab
ES/AS Developer
– Evaluation scope: include ES/AS
– (Assist) write ST
– Provides evaluation deliverable to evaluation lab
– Provides IC pre-personalization data
20
Roles Contributions
Card Issuer
– Approve ST
– Define Smartcard personalization data
– Write smartcard product guidance documentation
Sponsor
– Write and/or approve ST
– Ensure every required evaluation deliverable available for evaluator
21
Roles Contributions
Evaluator
– Analyses evidence
– Evaluation process:
  – Conformance and penetration testing on TOE
  – Site visit to development premises
  – Site visit to production premises (evaluation incl. IC)
  – Write evaluation reports
22
Roles Contributions
Certification body
– Approve evaluation scope in ST before evaluation process starts
– Give advice
– Monitor evaluation work
– Issue certificate and certification report
23
Common Targeted EAL
– EAL1+ – EAL1 augmented with AVA_VLA.2
– EAL4+ – EAL4 augmented with ADV_IMP.2, ALC_DVS.2 and AVA_VLA.4
– Role contributions are specified in detail for both EALs
– According to CC v2
24
Theoretical Planning for EAL4+ Evaluation
Assumption:
– Evaluation phase only
– IC is certified
– Infinite # of evaluators with good knowledge
– No delay
– No iteration, developers are well trained
6 months is achievable
25
Theoretical Planning for EAL4+ Evaluation
26
Smartcard Sub-processes for EAL4+
– software development for smartcard only, not application development
– 4 sub-processes:
  – Development environment
  – Security Target
  – Guidance documentation
  – Development/Test
– Reusability through training and document template
27
Testing Methodology
– Used by security evaluation laboratory
– Define attack and strategies list