EN 419251-2:2013
Security requirements for device for authentication - Part 2: Protection profile for extension for trusted channel to certificate generation application
This European Standard is a Protection Profile that defines the security requirements for an authentication device.
Sicherheitsanforderungen für Geräte zur Authentisierung - Teil 2: Schutzprofil für Erweiterung für vertrauenswürdigen Kanal zur Zertifikaterzeugungsanwendung
Profils de protection pour dispositif d'authentification - Partie 2: Dispositf avec import de clé, génération de clé et administration; Communication sécurisée vers l'application de génération de certificats et l'application d'administration
Varnostne zahteve naprav za overjanje - 2. del: Profil zaščite za razširitev zaupnega kanala za aplikacijo, ki generira certifikat
General Information
- Status: Published
- Publication Date: 05-Mar-2013
- Withdrawal Date: 29-Sep-2013
- Drafting Committee: CEN/TC 224/WG 17 - Protection Profiles in the context of SSCD
- Current Stage: 9093 - Decision to confirm - Review Enquiry
- Start Date: 27-Jun-2024
- Completion Date: 14-Apr-2025
Overview
SIST EN 419251-2:2013 (identical to EN 419251-2:2013) is a European Protection Profile that specifies security requirements for authentication devices where a trusted channel to a certificate generation application is required. Published through CEN and adopted by SIST, this standard targets devices used for identification cards and related devices (ICS 35.240.15). It defines the Target of Evaluation (TOE), life‑cycle phases, threat model, security objectives and Security Functional Requirements (SFRs) needed to protect key import, key generation, administration and secure communications to certificate generation and administration applications.
Key topics and technical requirements
- Protection Profile scope and conformance: Includes Common Criteria (CC) conformance claims, PP/package claims and rationale for conformance.
- TOE description and usage: Defines TOE types, security features and example application environments (personalisation, administration, authentication, verifier, key generator, certification authority).
- Trusted channel requirements: Security controls for secure communications between the authentication device and external certificate generation/administration applications.
- Key management: Requirements covering key import, key generation, key attributes, operational rules and authorised roles for key lifecycle management.
- Random number generation: Extended family definition for FCS_RNG to ensure cryptographic entropy appropriate to key generation and protocols.
- Life‑cycle and provisioning: Security controls for pre‑personalisation, personalisation, usage and decommissioning phases.
- Threats, assets and security objectives: Detailed threat analysis, identification of sensitive assets (keys, credentials) and mapped security objectives for TOE and operational environment.
- Security assurance: Defined assurance requirements and rationale to support evaluation and certification.
Practical applications - who uses this standard
- Smart card and authentication device manufacturers designing devices with certificate-based authentication and on‑board key generation/import.
- System integrators and solution architects implementing e‑government, identity management or multi‑application card systems requiring a trusted channel to Certificate Authorities (CAs).
- Certification Authorities and key management operators that interact with authentication devices for certificate issuance.
- Security evaluators and conformity assessment bodies performing Common Criteria evaluations against a recognised Protection Profile.
- Procurement and risk teams specifying security requirements for identity tokens, citizen eID, corporate PKI deployment or other certificate-enabled authentication systems.
Related standards (if applicable)
- EN 419251-2 is part of the EN 419251 family addressing security requirements for authentication devices. It refers to Common Criteria evaluation principles and cryptographic component best practices (e.g., RNG families). For procurement and compliance, reference to national implementations of CEN standards and CC guidance is recommended.
Keywords: EN 419251-2:2013, EN 419251-2, protection profile, trusted channel, certificate generation, authentication device, smart card security, key generation, personalisation, Common Criteria.
Frequently Asked Questions
EN 419251-2:2013 is a standard published by the European Committee for Standardization (CEN). Its full title is "Security requirements for device for authentication - Part 2: Protection profile for extension for trusted channel to certificate generation application". This standard covers: This European Standard is a Protection Profile that defines the security requirements for an authentication device.
EN 419251-2:2013 is classified under the following ICS (International Classification for Standards) categories: 35.240.15 - Identification cards. Chip cards. Biometrics. The ICS classification helps identify the subject area and facilitates finding related standards.
EN 419251-2:2013 is associated with the following European legislation: EU Directives/Regulations: 910/2014; Standardization Mandates: M/460. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST EN 419251-2:2013 (en), 01 May 2013
ICS 35.240.15: Identification cards and related devices
This Slovenian standard is identical to: EN 419251-2:2013
Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN 419251-2
March 2013
ICS 35.240.15
English Version
Security requirements for device for authentication - Part 2: Protection profile for extension for trusted channel to certificate generation application
Profils de protection pour dispositif d'authentification - Partie 2: Dispositf avec import de clé, génération de clé et administration; Communication sécurisée vers l'application de génération de certificats et l'application d'administration
Sicherheitsanforderungen für Geräte zur Authentisierung - Teil 2: Schutzprofil für Erweiterung für vertrauenswürdigen Kanal zur Zertifikaterzeugungsanwendung
This European Standard was approved by CEN on 7 December 2012.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 419251-2:2013: E
Figures
- Figure 1 — TOE Security Features
- Figure 2 — Personalisation application environment
- Figure 3 — Administration application environment
- Figure 4 — Authentication application environment
- Figure 5 — TOE Life Cycle
- ISO/IEC 15408-2 (see footnote 1), Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
- ISO/IEC 15408-3 (see footnote 1), Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
- ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation
3 Conformance
3.1 CC Conformance Claim
This Protection Profile (PP) is CC Part 2 extended and CC Part 3 conformant and written according to ISO/IEC 15408-1, -2, -3 and ISO/IEC 18045.
3.2 PP Claim
This PP does not claim conformance to any other Protection Profile.
3.3 Package Claim
The evaluation assurance level for this PP is EAL4-augmented with the assurance components AVA_VAN.5 and ALC_DVS.2.
3.4 Conformance Rationale
Since this PP is not claiming conformance to any other protection profile, no rationale is necessary here.
3.5 Conformance Statement
The conformance required by this PP is the demonstrable-PP conformance. This would facilitate conformance claim to both the PP “Authentication device” and other PPs for Security Target (ST) authors.
Footnote 1: ISO/IEC 15408-1, -2 and -3 respectively correspond to Common Criteria for Information Technology Security Evaluation, Parts 1, 2 and 3.
Authentication Protocol sensitive data
data used in the process of authentication of the TOE by the external entity
Note 1 to entry: These data are linked to the Authentication private key, e.g. Authentication Certificate or APuK.
Note 2 to entry: Authentication Protocol sensitive data may be empty if the environment is trusted, and the holder public key known to the system.
4.3 Certificate
electronic attestation, which links the APuK to a person and confirms the identity of that person (as defined in Directive [8], article 2, Clause 9)
4.4 Certificate Info
information associated with an Authentication key pair that consists of either:
- a signer's public key certificate; or
- one or more hash values of a signer's public key certificate together with the identifier of the hash function used to compute these hash values, and some information which allows the signer to disambiguate between several signer's certificates
4.5 Configuration
set of groups
Note 1 to entry: Each configuration corresponds to one PP. It has its own rationale. See [2].
4.6 Group
set of Assets, threats, objectives, and Requirements, addressing a specific function
Note 1 to entry: See [2].
4.7 Holder
legitimate holder of the authentication device
Note 1 to entry: See 9.2 for more details.
4.8 Issuer
user of the authentication device during personalisation
Note 1 to entry: See 9.2 for more details.
6 Overview of the target of evaluation
6.1 TOE Type
The objective is to define the security requirements that an authentication device shall conform to for the purposes of a security evaluation. The Target of Evaluation (TOE, see footnote 2) considered in this PP corresponds to a hardware device (such as, for example, a smart card or USB token) allowing its legitimate holder to authenticate himself when accessing an on-line service or to guarantee the origin authentication of data sent by the User to a distant agent (see footnote 3). This PP has been constructed so as to make it possible for an ST writer to claim conformance to both this PP and PP-SSCD [3], [4], [5], [6], [7], and easily merge these PPs into one ST.
6.2 TOE Usage
In order to connect to an on-line service with restricted access or send data whose origin should be authenticated, the Holder shall use his personal authentication device. The service provided by the device requires the prior input of authentication data by the Holder on a terminal device (as specified in 6.5). The authentication service included in the TOE relies solely on public-key cryptography mechanisms to allow the Holder to authenticate himself and access the on-line service with restricted access or to enable the origin authentication of data sent by the Holder. Note that authentication devices implementing shared key (i.e. symmetric-key) mechanisms for authentication purposes are therefore not considered in this PP.
6.3 Security Features of the TOE
The primary functionality of the TOE is to enable the Holder to authenticate himself in order to access an on-line service or guarantee the origin authentication of data sent by the Holder to a distant agent.
Footnote 2: In the document the terms authentication device, device and TOE are equivalent.
Footnote 3: He is a physical person that receives some authenticated data from the users.
Figure 1 — TOE Security Features
Figure 1 shows all the security features of the TOE, in the Personalisation, Usage and Administration environments. The legend explains how different colours identify the security features of the different groups: Core, KeyImp, KeyGen, and Admin. Further details on groups can be found in [2].
Figure 2 — Personalisation application environment
7.2.2 Functionalities
The Personalisation application interfaces the TOE at the Personalisation facility. These operations take place before the issuance of the TOE. After the issuance of the TOE, when the TOE is in Usage phase, an Administrator can perform Administration operations, using an Administration application, see 7.3. This application initialises all data specific to the end user. These data can include:
- APrK;
- User RAD;
- Administrator RAD.
If the TOE generates the APrK, the application retrieves the APuK and sends it to the CA that will generate the certificate. If the TOE imports the APrK, the application retrieves the APuK and sends it to the TOE. The application also ensures that the APuK is securely (protected in integrity) sent from the key pair generator to the CA that generates the certificate.
7.2.3 Communication
As the environment is trusted, transfer of sensitive data is protected by the environment.
Figure 3 — Administration application environment
7.3.2 Functionalities
The Administration application interfaces the TOE at the Administration facility. The connection to the facility can be online. This application performs the administration operations of the TOE. These operations are:
- Retrieving authentication logs;
- Reset User RAD Retry counter.
Before performing these operations, the administrator shall authenticate himself to the TOE, using the administrator RAD.
7.3.3 Communication
As the environment is untrusted, transfer of sensitive data is protected by a trusted channel.
Figure 4 — Authentication application environment
7.4.2 Functionalities
The Authentication application interfaces the TOE when the holder needs to be authenticated by the Verifier. It can run on several devices:
- a PC at home to access online services (e-administration, e-commerce…);
- a specific device to identify and authenticate a card holder (police control…).
The TOE may contain several Authentication keys. It may also contain Signature keys. Therefore the Authentication application shall ensure a clear and secure human interface to prevent any confusion, when selecting the Verifier and the authentication key. The VAD can also be entered via a separate Human Interface.
7.4.3 Communication
The Authentication application is in a Trusted environment. The TOE and the Authentication application exchange the following sensitive data:
- Import of Holder VAD for authentication;
- Import of Holder RAD for update;
- Request for authentication from a specific Verifier.
7.6 Key Generator
7.6.1 Functionalities
The Key Generator generates a public key pair. The private key is securely transmitted to the TOE. The environment shall make sure that the public key is securely transmitted to the CA for the generation of the certificate.
7.6.2 Communication
Communication between the Key generator and the TOE shall be secured. During the personalisation phase, which takes place in a trusted environment, this communication can be split in two phases:
- Transfer from the Key Generator to the Personalisation application; then
- Transfer from the Personalisation application to the TOE.
...
The article discusses EN 419251-2:2013, a European Standard that specifies the security requirements for an authentication device. It is referred to as a Protection Profile.









