Introduction for EAL5+ Smartcard OS Evaluating Experience

2010. 7. 22

IT Security Evaluation facility

Hyun, Jin Su (jshyun@kisa.or.kr)

AISEC 2010

Statistics of Over EAL5 Evaluation

Other Devices and Systems (10%)

Operating System (7%)

Boundary Protection Devices and Systems (1%)

Network and Network related Devices and Systems (1%)

ICs, Smart Cards and Smart Card related Devices and Systems (81%)

Smart Card IC (64%)

MCU (12%)

COS (5%)

Card Reader (2%)

(CC Portal, 2010.7.6)

Statistics of E-Passport Evaluation

[Figure: chart of e-passport evaluations by year, 2005 to 2010, with series EAL4+ and EAL5+; axis range 0 to 20.]

IC Chip/COS Evaluation in Korea

• 2006
– MULTOS SM10 (EAL4+, Samsung SDS)

• 2008
– S3FS91J / S3FS91H / S3FS91V (EAL4+, Samsung)
– KCOS e-Passport V1.0 (EAL4+, KOMSCO)
– XSmart e-Passport V1.0 (EAL4+, LG CNS)
– Samsung SDS SPass V1.0 (EAL4+, Samsung SDS)

• 2009
– XSmart OpenPlatform V1.0 (EAL4+, LG CNS)
– S3FS91J / S3FS91H / S3FS91V / S3FS93I with SWP (EAL4+, Samsung)

• 2010
– KCOS e-Passport V1.1 (EAL4+, KOMSCO)
– Samsung SDS SPass V1.1 (EAL4+, Samsung SDS)
– SK e-Pass V1.0 (EAL4+, SK C&C)
– XSmart e-Passport V1.1 (EAL5+, LG CNS)

Target of Evaluation

TOE: XSmart e-Passport V1.1
Level: EAL5+ (ADV_IMP.2)
PP: E-Passport Protection Profile V2.1
Sponsor: LG CNS

EAL4 vs EAL5+(1)

| Class | EAL4 | EAL5+ (e-passport) | Description |
|---|---|---|---|
| ADV | ADV_ARC.1 | ADV_ARC.1 | Same, but the level of description is related to ADV_TDS and ADV_IMP |
| ADV | ADV_FSP.4 | ADV_FSP.5 | EAL5 requirement; semi-formal; all error messages from TSFI/non-TSFI |
| ADV | ADV_IMP.1 | ADV_IMP.2 | e-Passport PP requirement; EAL6 requirement |
| ADV | ADV_TDS.3 | ADV_TDS.4 | EAL5 requirement; semi-formal |
| ADV | - | ADV_INT.2 | EAL5 requirement; well-structured modularity |
| AGD | AGD_OPE.1 | AGD_OPE.1 | Same |
| AGD | AGD_PRE.1 | AGD_PRE.1 | Same |

EAL4 vs EAL5+(2)

| Class | EAL4 | EAL5+ (e-passport) | Description |
|---|---|---|---|
| ALC | ALC_CMC.4 | ALC_CMC.4 | Same |
| ALC | ALC_CMS.4 | ALC_CMS.5 | EAL5 requirement; add development tools to the configuration items |
| ALC | ALC_DEL.1 | ALC_DEL.1 | Same |
| ALC | ALC_DVS.1 | ALC_DVS.1 | Same |
| ALC | ALC_LCD.1 | ALC_LCD.1 | Same |
| ALC | ALC_TAT.1 | ALC_TAT.2 | EAL5 requirement; well-defined development tools |
| ATE | ATE_COV.2 | ATE_COV.2 | Same |
| ATE | ATE_DPT.2 | ATE_DPT.3 | e-Passport PP requirement; EAL5 requirement; testing for all TSF subsystems and modules |
| ATE | ATE_FUN.1 | ATE_FUN.1 | Same |
| ATE | ATE_IND.2 | ATE_IND.2 | Same |
| AVA | AVA_VAN.3 | AVA_VAN.4 | e-Passport PP requirement; EAL5 requirement; moderate attack potential |

Semi-Formal Method(1)

What is Semi Formal?

Semi-Formal Method(2)

• Definition
– Restricted syntax language with defined semantics [AIS34]
• Data Flow
• State-Transition
• Entity-Relationship
• Data or Process or Program Structure
• UML (Unified Modeling Language)

AIS34: Evaluation Methodology for CC Assurance Classes for EAL5+ (CC v2.3 & v3.1) and EAL6 (CC v3.1)

Semi-Formal Method(3)

State Diagram

UML

Data Flow

Well Structured Modularity(1)

Modularity

Well Structured Modularity(2)

Is it well structured?

Well Structured Modularity(3)

Is it well structured?

Well Structured Modularity(4)

• Coding Standards
• Modular Decomposition Principle
– Coupling / Cohesion

[Figure: two diagrams, Cohesion and Coupling, each marked with a "Well Structured" label.]

Cohesion: Coincidental, Logical, Communicational, Sequential, Functional, Temporal

Coupling: Data, Stamp, External, Common, Content, Control

Attack Potential(1)

| Range of Values | Range of Values For Smartcard | TOE Resistant to Attackers with Attack Potential | Maximum Assurance Component |
|---|---|---|---|
| 0 ~ 9 | 0 ~ 15 | No rating | - |
| 10 ~ 13 | 16 ~ 20 | Basic | AVA_VAN.2 |
| 14 ~ 19 | 21 ~ 24 | Enhanced-Basic | AVA_VAN.3 |
| 20 ~ 24 | 25 ~ 30 | Moderate | AVA_VAN.4 |
| 25 ~ | 31 ~ | High | AVA_VAN.5 |

Attack Potential(2)

• Attack Methods for COS
– SPA/DPA
– Fault Analysis
– EMA
– Perturbation Attack
– Other attack methods listed in Guidance for Smartcard Evaluation v2.0 and the Korea Scheme

• Korea Scheme
– The Korea CB requires additional vulnerability testing for cryptographic algorithms evaluated in the IC chip (AVA_VAN.4 or AVA_VAN.5)
  • HW masked block cipher: DES/TDES or AES algorithm
  • Library for public-key cryptographic algorithms: RSA, ECC

Effort for EAL5

• Level of Effort for preparing EAL5

| Keyword | Developer | Evaluator |
|---|---|---|
| Semi Formal Method | High | High |
| Well Structured Modularity | High | High |
| Well Defined Development Tool | Low | Low |
| Module Testing | Medium | Low |
| Attack Potential | Medium | High |

Conclusion

Thank you