Protection Profile
EUROSMART members developed their first Protection Profile (PP) related to smart cards in 1997. The EUROSMART Security Working Group is dealing with smart card related Protection Profile development since than. Until today about 10 certified and about the same number of known attempts for smart card related Protection Profile exists.
Targets of Evaluation, TOE
A PP defines an implementation-independent set of IT security requirements for a category of Target of Evaluation (TOE). Such TOEs are intended to meet common consumer needs for IT security. Consumers can therefore construct or cite a PP to express their IT security needs without reference to any specific TOE.
Smartcard Integrated Circuit
The TOE is a smartcard integrated circuit which is composed of a processing unit, security components, I/O ports (contact and/or contactless) and volatile and non-volatile memories (hardware). The TOE also includes any IC Designer/Manufacturer proprietary IC Dedicated Software as long as it physically exists in the smartcard integrated circuit after being delivered by the IC manufacturer.
List of certified smartcard related Protection Profiles: Protection Profile Smart Card Integrated Circuit Platform PP-002, Version 1.0 July 2001; Protection Profile Smart Card Integrated Circuit With Embedded Software CPP9911, Version 2.0 July 1999; Protection Profile Smart Card Integrated Circuit CPP9806, Version 2.0 September 1998; Intersector Electronic Purse and Purchase Device Version for Pilot Schemes Only CPP9808, Version 1.2 February 1999; Intersector Electronic Purse and Purchase Device CPP9909, Version 1.2 February 1999.
The increase in the number and complexity of applications in the smartcard market is reflected in the increase of the level of data security required. The security needs for a smart card can be summarised as being able to counter those who want to defraud, gain unauthorised access to data and control a system using a smart card. Therefore it is mandatory to:
- maintain the integrity and the confidentiality of the content of the smartcard memory as required by the application(s) the smartcard is built for
- maintain the correct execution of the software residing on the card
This requires that the smartcard integrated circuit especially maintains the integrity and the confidentiality of its security enforcing and security relevant architectural components. Protected information is in general secret data such as Personal Identification Numbers, Balance Value (Stored Value Cards), and Personal Data Files. Other protected information includes data representing the access rights such as any cryptographic algorithms and keys needed for accessing and using the services provided by the system through use of the smartcard.
The intended environment is very large; and generally once issued the smartcard can be stored and used anywhere in the world, at any time, and no control can be applied to the smartcard and the card operational environment.
IC Dedicated Software (also known as IC firmware) is often used for testing purposes only during production but may also provide additional services to facilitate usage of the hardware and/or to provide additional services (for instance in the form of a library). In addition to the IC Dedicated Software, the Smartcard Integrated Circuit may also comprise hardware to perform testing. Other software is called Smartcard Embedded Software and is not part of the TOE.
The typical smart card integrated circuit product such as the TOE is composed of a processing unit, security components, I/O ports and volatile and non-volatile memories.
The smartcard integrated circuit is a platform to be used by the Smartcard Embedded Software. The smartcard integrated circuit itself may not possess any asset (such as critical data). All assets are those of the Smartcard Embedded Software. However, the hardware platform must
- maintain the integrity and the confidentiality of the content of the smartcard memory as required by the context of the Smartcard Embedded Software
- maintain the correct execution of the Smartcard Embedded Software
This requires that the smartcard integrated circuit especially maintains the integrity and the confidentiality of its security enforcing and security relevant architectural components. The TOE security mechanisms need to work together in different combinations to counter attacks. Owing to complex dependencies, these combinations are only apparent in the context of a specific attack scenario. Often the composition of a security function only becomes clear when considering a specific attack path during vulnerability analysis. A security mechanism may be needed in different security functions depending on the attack path. This has to be considered during the TOE evaluation.
