EURUSD
Your shopping cart is empty.
CEN

prEN 419111-2

(Main)

Protection profiles for signature creation and verification application - Signature creation application - Part 2: Core PP

Protection profiles for signature creation and verification application - Signature creation application - Part 2: Core PP

This document is a Protection Profile that defines the security requirements for a Signature Creation Application. This is the core document, which means that only the security functions that are mandatory are included. The ST writer can include other security functions in his TOE. For this purpose, he can include some of those described in prEN 419111-3:2013.

Schutzprofile für eine Anwendung zum Erzeugen und Prüfen von Signaturen - Signatur Kreation Anwendung - Teil 2: Core PP

Profils de protection pour application de création et de vérification de signature - Application de création de signature - Partie 2: Profils PP de base

Le présent document est un profil de protection (PP) qui définit les exigences de sécurité applicables à une application de création de signature (ou SCA, pour Signature Creation Application). Il s’agit d’un document de base, ce qui signifie qu’il n’inclut que les fonctions de sécurité obligatoires. Le rédacteur de la cible de sécurité (ou ST, pour Security Target) peut inclure d’autres fonctions dans sa cible d’évaluation (ou TOE, pour Target Of Évaluation). A cette fin, il peut inclure certaines extensions parmi celles décrites dans le prEN 419111 3:2013 [2].

Zaščitni profili za uporabo pri oblikovanju in preverjanju podpisov - Aplikacija oblikovanja podpisa - 2. del: Jedrni PP

General Information

Status
Not Published
Publication Date
07-Dec-2014
Withdrawal Date
07-Jun-2015
ICS
35.240.15 - Identification cards. Chip cards. Biometrics
Technical Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Drafting Committee
CEN/TC 224/WG 17 - Protection Profiles in the context of SSCD
Current Stage
4098 - Decision to abandon - Enquiry
Start Date
24-Jan-2018
Completion Date
14-Apr-2025
Mandate
M/460 - Standardisation Mandate to the European Standardisation Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Electronic Signatures
Ref Project
oSIST prEN 419111-2:2013 - Protection profiles for signature creation and verification application - Signature creation application - Part 2: Core PP
prEN 419111-2:2013prEN 419111-2:2013
PreviousNext
Draft
prEN 419111-2:2013
English language
42 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-julij-2013
=DãþLWQLSURILOL]DXSRUDERSULREOLNRYDQMXLQSUHYHUMDQMXSRGSLVRY$SOLNDFLMD
REOLNRYDQMDSRGSLVDGHO-HGUQL33
Protection profiles for signature creation and verification application - Signature creation
application - Part 2: Core PP
Schutzprofile für eine Anwendung zum Erzeugen und Prüfen von Signaturen - Signatur
Kreation Anwendung - Teil 2: Core PP
Profils de protection pour application de création et de vérification de signature -
Application de création de signature - Partie 2: Profils PP de base
Ta slovenski standard je istoveten z: prEN 419111-2
ICS:
35.240.15 Identifikacijske kartice in Identification cards and
sorodne naprave related devices
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2013
ICS 35.240.15 Will supersede CWA 14170:2004
English Version
Protection profiles for signature creation and verification
application - Signature creation application - Part 2: Core PP
Profils de protection pour application de création et de Schutzprofile für eine Anwendung zum Erzeugen und
vérification de signature - Application de création de Prüfen von Signaturen - Signatur Kreation Anwendung -
signature - Partie 2: Profils PP de base Teil 2: Core PP
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 224.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations which
stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other language
made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a European Standard.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN 419111-2:2013: E
worldwide for CEN national Members.

Contents Page
Foreword .5
1 Scope .6
2 Normative references .6
3 Terms and definitions .6
4 Symbols and abbreviations .6
5 TOE overview .7
5.1 TOE Type .7
5.2 TOE Usage .7
5.3 TOE Environment.7
5.3.1 Overview .7
5.3.2 External entities .8
5.3.3 Other Entities .8
5.4 TOE operations .8
5.4.1 Introduction .8
5.4.2 Pre-signature operations .8
5.4.3 Signature computation .8
5.5 TOE-environment operations .9
6 Conformance claims .9
6.1 CC Conformance Claim .9
6.2 PP Claim .9
6.3 Package Claim .9
6.4 Conformance Rationale .9
6.5 Conformance Statement .9
7 Security problem definition . 10
7.1 Assets . 10
7.1.1 Document . 10
7.1.2 Certificate . 10
7.1.3 Certificate path . 10
7.1.4 Signature policy . 10
7.1.5 Signature attribute . 10
7.2 Threats . 10
7.2.1 T.Document . 10
7.2.2 T.Signature_Policy. 10
7.2.3 T.Certificate . 11
7.2.4 T.Signer_consent . 11
7.2.5 T.Digital_Signature . 11
7.3 Organisational security policies . 11
7.4 Assumptions . 11
7.4.1 A.Platform . 11
7.4.2 A.SSCD . 12
7.4.3 A.Signer . 12
7.4.4 A.CSP . 12
8 Security objectives . 12
8.1 Security objectives for the TOE . 12
8.1.1 OT.Signer_Control . 12
8.1.2 OT.Document . 12
8.1.3 OT.Certificate . 12
8.1.4 OT.Signature_Attributes . 13
8.1.5 OT.Signature_Policy . 13
8.1.6 OT.Crypto . 13
8.1.7 OT.Sig_Verify . 13
8.2 Security objectives for the operational environment . 13
8.2.1 OE.Platform . 13
8.2.2 OE.SSCD. 14
8.2.3 OE.SSCD_communication_protected . 14
8.2.4 OE.Signer_Presence . 14
8.2.5 OE.Output_Device . 14
8.2.6 OE.Checker . 14
8.2.7 OE.Signer . 14
8.2.8 OE.CSP . 15
8.3 Rationale for Security objectives . 15
9 Extended component definition . 16
10 Security requirements . 16
10.1 General . 16
10.2 Security requirements for the TOE . 17
10.2.1 Introduction . 17
10.3 Security assurance requirements for the TOE . 35
10.4 Security Requirement rationales . 36
10.4.1 Security Functional Requirement rationale . 36
10.4.2 Rationale for SFR Dependencies . 38
10.4.3 Security Assurance Requirements Rationale . 40
10.4.4 Security requirements – internal consistency . 40
Bibliography . 41
Index . 42

Figures
Figure 1 — TOE environment . 7

Tables
Table 1 — Rationale for security objectives . 15
Table 2 — Subject security attributes . 17
Table 3 — Object security attributes . 17
Table 4 — Operations - attributes conditions and modifications . 18
Table 5 — Protection of sensitive data . 21
Table 6 — Signature SFP – Objects and Operations . 23
Table 7 — Signature SFP – subjects, objects and attributes . 24
Table 8 — Signature operation rules . 24
Table 9 — SSCD IFF Operations . 25
Table 10 — Driving Application IFF Operations . 25
Table 11 — Checker IFF Operations . 26
Table 12 — Input device IFF Operations . 26
Table 13 — Output device IFF Operations . 26
Table 14 — SSCD IFF Operations & attributes . 27
Table 15 — SSCD IFF Operations & conditions . 27
Table 16 — Driving Application IFF Operations & attributes . 27
Table 17 — Driving Application IFF Operations & conditions . 28
Table 18 — Checker IFF Operations & attributes . 28
Table 19 — Checker IFF Operations & conditions . 28
Table 20 — Input device IFF Operations & attributes . 29
Table 21 — Input device IFF Operations & conditions . 29
Table 22 — Output device IFF Operations & attributes . 30
Table 23 — Output device IFF Operations & conditions . 30
Table 24 — TOE SAR . 35
Table 25 — SFR vs Objectives on the TOE . 36
Table 26 — SFR dependencies . 38

Foreword
This document (prEN 419111-2:2013) has been prepared by Technical Committee CEN/TC 224 “Personal
identification, electronic signature and cards and their related systems and operations”, the secretariat of
which is held by AFNOR.
This document is currently submitted to the CEN Enquiry.
This document, together with prEN 419111-1:2013 and prEN 419111-3:2013, will supersede
CWA 14170:2004.
EN 419111 consists of the following parts under the general title "Protection profiles for signature creation and
verification application":
 Part 1: Introduction.
This part is an introduction to EN 419111;
 Part 2: Signature creation application – Core PP.
This part is a PP for the SCA, specifying only the core security functions;
 Part 3: Signature creation application – Possible extensions.
This part specifies possible additional security functions that can be added to the core SCA PP;
 Part 4: Signature verification application – Core PP.
This part is a PP for the SVA, specifying only the core security functions;
 Part 5: Signature verification application – Possible extensions.
This part specifies possible additional security functions that can be added to the core SVA PP.
1 Scope
This document is a Protection Profile that defines the security requirements for a Signature Creation
Application. This is the core document, which means that only the security functions that are mandatory are
included. The ST writer can include other security functions in his TOE. For this purpose, he can include some
of those described in prEN 419111-3:2013 [2].
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
prEN 419111-1:2013, Protection profiles for signature creation and verification application – Part 1:
Introduction
prEN 14169-1:2011, Protection profiles for secure signature creation device – Part 1: Overview
FprEN 14169-2:2013, Protection profiles for secure signature creation device – Part 2: Device with key
generation
prEN 14169-3:2010, Protection profiles for secure signature creation device – Part 3: Device with key import
prEN 14169-4:2010, Protection profiles for secure signature creation device – Part 4: Extension for device
with key generation and trusted communication with certificate generation application
prEN 14169-5:2010, Protection profiles for secure signature creation device – Part 5: Device with key
generation and trusted communication with signature-creation application
prEN 14169-6:2010, Protection profiles for secure signature creation device – Part 6: Device with key import
and trusted communication with signature-creation application
[NR1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general
model – July 2009 – Version 3.1 Rev. 3 CCMB-2009-07-001
[NR2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional
components – July 2009 – Version 3.1 Rev. 3 CCMB-2009-07-002
[NR3] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance
components – July 2009 – Version 3.1 Rev. 3 CCMB-2009-07-003
[NR4] Common Criteria for Information Technology Security Evaluation – Evaluation methodology – July
2009 – Version 3.1 Rev. 3 CCMB-2009-07-004
3 Terms and definitions
For the purposes of this document, the terms and definitions given in prEN 419111-1:2013 apply.
4 Symbols and abbreviations
For the purposes of this document, the symbols and abbreviations given in prEN 419111-1:2013 apply.
5 TOE overview
5.1 TOE Type
This PP aims at defining security requirements that an SCA shall conform to in the perspective of a security
evaluation. The Target of Evaluation (TOE) considered in this PP corresponds to software, running on an
operating system and hardware, the SCP. The TOE, using services provided by the SCP and by an SSCD
allows the signatory to generate an electronic signature.
This TOE is the minimum configuration for an SCA. Many features that belong to the environment in this TOE
could be added inside the TOE as suggested in prEN 419111-1:2013.
5.2 TOE Usage
The TOE, connected to an SSCD, enables to create electronic signature conformant to Directive 1999/93/EC
[1].
5.3 TOE Environment
5.3.1 Overview
Figure 1 — TOE environment
The environment displayed in Figure 1 — TOE environment is given as an example.
5.3.2 External entities
The following entities are external entities of the TOE. They are connected to the TOE.
 SSCD
 Driving Application
 OS
 Input device
 Output device
A brief description of these external entities is given in prEN 419111-1:2013, 5.6.2.
5.3.3 Other Entities
The following entities are not directly external entities of the TOE, because they are not connected to the TOE,
but to external entities of the TOE.
 CSP
 PIN pad or Bio pad
 Interface device
A brief description of these entities is given in prEN 419111-1:2013, 5.6.3.
5.4 TOE operations
5.4.1 Introduction
This section describes operations that are performed in the TOE.
5.4.2 Pre-signature operations
These operations include:
 SD Selection and import
 Invoking SD checker
 Signatory's intent to sign
 Collection of other information
They are described in prEN 419111-1:2013, 5.7.2.2.
5.4.3 Signature computation
Signature computation includes:
 DTBSR Composer
 Management of SSCD interface
 Digital Signature integrity verification
 SDO composer
These operations are described in prEN 419111-1:2013, 5.7.2.3.
5.5 TOE-environment operations
These operations include:
 Checker
 Certificate management
 Signature Policy management
 Sensitive data exchange with SSCD
They are described in prEN 419111-1:2013, 5.7.3.
TOE-environment operations also include:
• Get information/commands from input device
• Send SD / attributes to output device
They are described in prEN 419111-1:2013, 5.7.4.
6 Conformance claims
6.1 CC Conformance Claim
This Protection Profile (PP) is CC Part 2 extended and CC Part 3 conformant and written according to the
Common Criteria version 3.1R3 ([NR1], [NR2], [NR3], and [NR4]).
6.2 PP Claim
This PP does not claim conformance to any other Protection Profile.
6.3 Package Claim
The evaluation assurance level for this PP is EAL4 augmented with the assurance component ALC_FLR.1.
CEN/TC 224 note: Different countries currently use different levels of EAL. So national bodies are requested
to explicitly comment on this choice.
6.4 Conformance Rationale
Since this PP is not claiming conformance to any other protection profile, no rationale is necessary here.
6.5 Conformance Statement
The conformance required by this PP is the demonstrable-PP conformance. This will facilitate conformance
claim to both this PP and other PP for Security Target (ST) authors.
7 Security problem definition
7.1 Assets
7.1.1 Document
The document that is to be signed is one asset that has to be protected in integrity. It is present in the TOE
under the following forms:
 SD Signer’s Document
 DTBS Data To Be Signed
 DTBSR Data To Be Signed Representation
 DTBSR_DS Data To Be Signed Representation Digital Signature
 SDO Signed Data Object, computed according to the SP and other data selected by the signer.
7.1.2 Certificate
The certificate needs to be protected in integrity.
7.1.3 Certificate path
The certificate path needs to be protected in integrity.
7.1.4 Signature policy
The signature policy needs to be protected in integrity.
7.1.5 Signature attribute
The signature attributes need to be protected in integrity.
7.2 Threats
7.2.1 T.Document
Any data originally intended by the End-User to be signed are modified by an attacker after they are under
TOE control. This manipulation can be done on the document under different forms: SD, DTBS, DTBSR, and
DTBSR_DS.
The document may be in a format allowing ambiguous interpretations.
It may contain information that the signer is not aware of.
The document may differ from what the signer expects.
7.2.2 T.Signature_Policy
The Signature Policy can be modified by an attacker, e.g. by removing or modifying a signature attribute.
The signer can mistakenly select a security policy after being fooled by an attacker.
This threatens the SDO as it will be computed according to a wrong SP.
7.2.3 T.Certificate
An attacker may modify the certificate reference selected by the signer, such that the DTBSR does not contain
the right reference.
This threatens the SDO as it will be computed using a wrong certificate.
7.2.4 T.Signer_consent
An attacker may try to bypass the signer’s consent.
This threatens the SDO as it will be computed using data not selected by the legitimate signer.
7.2.5 T.Digital_Signature
An attacker may try to modify the DTBSR_DS, during its import from the SSCD or when it is in the TOE.
This threatens the SDO as it will be computed using data not selected by the legitimate signer.
7.3 Organisational security policies
OSP.Crypto
The cryptographic algorithms used on the TOE shall conform to the rules established by the relevant CC
certification body.
7.4 Assumptions
7.4.1 A.Platform
The TOE is installed on a personal computer located in an admission restricted area ensuring that those
resources the TOE is relying on cannot be manipulated without user notification.
It is assumed that the host platform on which the TOE is installed is either directly under the responsibility of
the signer or under the control of the organisation to which the signer belongs or of which he is the customer.
The operation system of the host platform is supposed to provide low-level communication interface to the
following external interfaces:
 SSCD
 Input device
 Output device.
The operation system of the host platform is supposed to provide separate execution contexts for the various
processes executed.
In addition, it is assumed that the following security measures are implemented:
• the host platform is protected from the viruses;
• the data exchange between the host platform and other IT elements via an open network are controlled by
a firewall;
• the access to the administration functions of the host platform is restricted to the administrators of the
platform (thereinafter the “Host administrator”). The user account is different from the host administrator
account;
• the installation and the update of the software of the host platform is under the control of the host
administrator;
• the operating system of the host platform does not allow the execution of untrusted applications.
7.4.2 A.SSCD
It is assumed that the SSCD is certified as an SSCD according to one PP defined in prEN 14169-1:2011,
FprEN 14169-2:2013, prEN 14169-3:2010, prEN 14169-4:2010, prEN 14169-5:2010 and prEN 14169-6:2010.
7.4.3 A.Signer
It is assumed that Signers, the end-users of the TOE are trustworthy and follow the instructions of the
guidance delivered with the TOE.
7.4.4 A.CSP
It is assumed that the SCA uses only qualified certificates (see Directive 1999/93/EC, Article 2:9 and
Annexes I & II [1]) or non-qualified certificates issued by trustworthy CSP.
8 Security objectives
8.1 Security objectives for the TOE
8.1.1 OT.Signer_Control
The TOE shall provide the signer with means to explicitly express (i.e., in a voluntary and non-ambiguous
way) its agreement to select documents, certificate, signature policy, and to start the process of signature.
The TOE shall provide the signer with means to cancel the signature process at any step until the validation of
the SDO by the signer. If the signer cancels the signature process, the TOE shall provide means to prevent
the use of the DTBSR_DS.
8.1.2 OT.Document
The TOE shall protect user data from undetected manipulation as long as these data are under control of the
TOE itself.
After the signer’s agreement for signature, the TOE shall guarantee that the actually processed documents
correspond exactly to the documents selected to be signed.
8.1.3 OT.Certificate
The TOE shall check that the certificate selected by the signer is compliant with the signature policy to be
applied.
The TOE shall control that the certificate selected by the signer is used during its validity period.
The TOE shall transfer the necessary information to the SSCD so that it can activate the private key
corresponding to the selected certificate.
8.1.4 OT.Signature_Attributes
The TOE shall present to the signer an exact representation of the attributes that will be signed.
The TOE shall control the presence and the compliance of the signature attributes selected by the signer with
the signature policy to be applied.
If the signer gives his agreement for several documents, the signature attributes used for the signature of
each document shall be identical.
8.1.5 OT.Signature_Policy
The TOE shall compute the SDO according to the SP.
The TOE shall protect SP from undetected manipulation as long as it is under control of the TOE itself.
8.1.6 OT.Crypto
The TOE shall implement cryptographic algorithms having the following properties:
The hash algorithms shall not allow the creation of two documents producing the same hash.
The algorithms shall conform to the relevant Certification Body cryptography requirements.
8.1.7 OT.Sig_Verify
The TOE shall be capable to state whether the DTBSR_DS provided by the SSCD is valid or not.
8.2 Security objectives for the operational environment
8.2.1 OE.Platform
The host platform, on which the TOE is installed, shall be located in an admission restricted area ensuring that
those resources the TOE is relying on cannot be manipulated without user notification.
The host platform, on which the TOE is installed, shall be either directly under the responsibility of the signer
or under the control of the organisation to which the signer belongs or of which he is the customer.
The operation system of the host platform shall provide low-level communication interface to the following
external interfaces:
 SSCD
 Input device
 Output device.
The operation system of the host platform shall provide separate execution contexts for the various processes
executed.
In addition, the following security measures shall be implemented:
• the host platform shall be protected from the viruses;
• the data exchange between the host platform and other IT elements via an open network shall be
controlled by a firewall;
• the access to the administration functions of the host platform shall be restricted to the administrators of
the platform (thereinafter the “Host administrator”). The user account shall be different from the host
administrator account;
• the installation and the update of the software of the host platform shall be under the control of the host
administrator;
• the operating system of the host platform shall not allow the execution of untrusted applications.
8.2.2 OE.SSCD
The SSCD shall be a certified SSCD, according to prEN 14169-1:2011, FprEN 14169-2:2013,
prEN 14169-3:2010, prEN 14169-4:2010, prEN 14169-5:2010 and prEN 14169-6:2010.
It shall contain at least one SCD.
If several SCD are available, the SSCD shall provide a means to select one, and to link it to the certificate
selected by the Signer.
8.2.3 OE.SSCD_communication_protected
The environment between the SCA and SSCD shall be protected so that no sensitive data can be leaked or
be corrupted by an attacker during it transfer between SCA and SSCD.
8.2.4 OE.Signer_Presence
The signer shall remain present between the moments when he agrees to sign the documents and when he
enters his authentication data to activate the key of signature.
Application note
If for any reason the signer cannot remain present, he shall start again the process from the beginning:
selection of the documents to be signed, selection of the attributes, etc.
8.2.5 OE.Output_Device
The host platform on which the TOE is installed shall have output device applications which:
 either accurately display the document to be signed,
 or warn the signer of possible problems of incompatibilities between the output device application and the
characteristics of the document.
In case the document to be signed already contains signatures, the signer shall have a means to know the
identity of previous signers and to verify these signatures.
8.2.6 OE.Checker
The environment of the TOE shall provide a module able to determine if the semantics of the document to be
signed is conformant to the rules defined for the determined format.
8.2.7 OE.Signer
The Signers, the end-users of the TOE shall be trustworthy and follow the instructions of the guidance
delivered with the TOE.
8.2.8 OE.CSP
The certificates, whether qualified or non-qualified shall be issued by trustworthy CSP.
8.3 Rationale for Security objectives
Table 1 — Rationale for security objectives

T.Document X X  X X X X
T.Signature_Policy  X X X   X
T.Certificate X     X
T.Digital_Signature    X  X  X X
T.Signer_consent   X X X  X
OSP.Crypto X
A.CSP     X
A.Platform      X
A.Signer      X
A.SSCD       X
T.Document is countered by the following objectives:
The modification of the document is countered by
• OT.Document that ensures the integrity of the document, and
• OE.Platform that ensures the integrity of data and applications stored on the SCP and that provide
cryptographic algorithms support this integrity protection.
Ambiguous interpretations and hidden information are countered by
• OE.Checker that checks the semantic of the SDO, and
• OE.Output_Device that displays the SDO with the result of the checker to the signer.
Signing a different the document than the signer wants to sign is countered by
• OT.Signer_Control that requires approval of selected SP by the signer, and
• OT.Crypto that prevents an attacker from generating a document that would accept the same
signature.
T.Signature_Policy is countered by the following objectives:
The modification of the SP is countered by
• OT.Signature_Policy that ensures the integrity of the SP, and
• OT.Signature_Attributes that ensures the integrity of the attributes,
• OE.Platform that ensures the integrity of data and applications stored on the SCP and that provide
cryptographic algorithms support this integrity protection.
Using a different SP than the signer wants to use is countered by
OT.Certificate
OT.Crypto
OT.Document
OT.Signature_Attributes
OT.Signature_Policy
OT.Signer_Control
OT.Sig_Verify
OE.Checker
OE.CSP
OE.Output_Device
OE.Platform
OE.Signer
OE.Signer_Presence
OE.SSCD
OE.SSCD_communication_protected

• OT.Signer_Control that requires approval of selected SP by the signer.

T.Certificate is countered by:
The modification of the certificate is countered by
• OT.Certificate that ensures the integrity of the certificate,
• OE.Platform that ensures the integrity of data and applications stored on the SCP and that provide
cryptographic algorithms support this integrity protection.

T.Digital_Signature is countered by:
The modification of the DTBSR_DS is countered by
• OT.Sig_Verify that ensures the signature was generated with the private key corresponding to the
signing certificate,
• OE.Platform that ensures the integrity of data and applications stored on the SCP and that provide
cryptographic algorithms support this integrity protection.
• OE.SSCD that ensures that the SSCD is a certified one.
• OE.SSCD_communication_protected that ensures the integrity of data transferred between the
TOE and the SSCD
T.Signer_consent is countered by:
• OT.Signer_Control, OE.Output_Device, and OE.Checker that ensure that the signer can correctly
see what he signs
• OE.Signer_Presence that prevents the signing process without the attendance of the signer

OSP.Crypto is enforced by:
• OT.Crypto that requires the use cryptographic algorithms that resist high potential attacks

A.CSP is covered by:
• OE.CSP that fully covers this assumption.

A.Platform is covered by:
• OE.Platform that fully covers this assumption.

A.Signer is covered by:
• OE.Signer that fully covers this assumption.

A.SSCD is covered by:
• OE.SSCD that fully covers this assumption.

9 Extended component definition
There is none.
10 Security requirements
10.1 General
This section describes the operations and requirements that a TOE shall fulfil in order to be compliant to this
PP.
10.2 Security requirements for the TOE
10.2.1 Introduction
10.2.1.1 Subjects Objects and security attributes
10.2.1.1.1 Subjects
Table 2 — Subject security attributes
Subject Security attribute Possible Values Initial Value
AT.Authenticated Yes, No No
S.Signer
AT.Crediential Null, CredentialValue Null

10.2.1.1.2 Objects / Information
Table 3 — Object security attributes
Objects Attribute Possible Values default
O.SVD AT.Status Null, Extracted Null
AT.Status Null, Imported, OnCheck, Checked, Displayed, Null
SignerDecided
AT.CheckerStatus Null, OK, NOK Null
AT.SignerDecision Null, Approved, Rejected Null
O.SD
AT.CheckerOptional Boolean No
AT.OutputOptional Boolean No
AT.Digest Null, digest value Null
AT.Status Null, Imported, Verified, Displayed, SignerDecided, Null
AT.Validity Null, Valid, OutOfDate, Revocated, Inconclusive Null
AT.CompatibleSP Null, Compatible, Incompatible Null
O.Certificate AT.SignerDecision Null, Approved, Rejected Null
AT.Identifier Null, Identifier value Null
AT.Signing Null, Yes, No Null
AT.Root Null, Yes, No Null
AT.Status Null, Imported, Verified, Displayed, SignerDecided Null
O.SP AT.Validity Null, Valid, Invalid Null
AT.SignerDecision Null, Approved, Rejected Null
O.DTBS AT.Status Null, Computed Null
AT.Status Null, Computed, Displayed, SignerDecided, Exported Null
O.DTBSR
AT.SignerDecision Null, Approved, Rejected Null
AT.Status Null, Imported, Verified Null
O.DTBSR_DS
AT.VerifyStatus Null, OK, NOK Null
AT.Status Null, Computed, Displayed, SignerDecided, Exported Null
O.SDO
AT.SignerDecision Null, Approved, Rejected Null

10.2.1.2 Operations
10.2.1.2.1 Summary
Table 4 — Operations - attributes conditions and modifications summarises the operations performed by the TOE. It gives the pre-conditions and the post
conditions defined with attribute values.
Table 4 — Operations - attributes conditions and modifications
Object/ Operations Conditions Attribute modification
Row
Information
1. AT.Crediential[S.Signer] Import Credential from Input AT.Authenticated[S.Signer] == No AND AT.Crediential [S.Signer] = CredentialValue
device
AT.Crediential[S.Signer] == Null
2. AT.Crediential[S.Signer] Check Credential AT.Authenticated[S.Signer] == No AND AT.Authenticated[S.Signer] = Yes/No
AT.Crediential[S.Signer] == CredentialValue AT.Crediential[S.Signer] = Null
3. O.Certificate Import from Driving Application AT.Authenticated[S.Signer] == true AT.Status[O.Certificate] = Imported
OR AT.Validity[O.Certificate] = Null
Import from SSCD AT.CompatibleSP[O.Certificate] = Null
AT.Identifier[O.Certificate] = Null
AT.SignerDecision[O.Certificate] = Null
AT.Signing[O.Certificate] = Null
AT.Root[O.Certificate] = Null
4. O.Certificate Verify validity AT.Status[O.Certificate] == Imported AT.Status[O.Certificate] = Verified
AT.Validity[O.Certificate] =
Valid/OutOfDate/Inconclusive
AT.Root[O.Certificate] = Yes/No
5. O.Certificate Verify compatibility O.Certificate AT.Status[O.Certificate] == Imported AND AT.CompatibleSP[O.Certificate] =
vs. O.SP Compatible/Incompatible
AT.Status[O.SP] == Imported
6. O.Certificate Export to Output device AT.Status[O.Certificate] == Verified AT.Status[O.Certificate] = Displayed
Object/ Operations Conditions Attribute modification
Row
Information
7. O.Certificate Import Approval from Input device AT.Status[O.Certificate] == Displayed AT.Status[O.
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
CEN/TS 17489-5:2025(Main)
Personal identification - Secure and interoperable European breeder documents - Part 5: Trust establishment and management processes
SIST-TS CEN/TS 17489-5:2025

1.1   Objective
This document is intended for the use of breeder document issuing authorities both policymakers and technical, for having uniform formats that conform to printed as well as digital requirements of CEN member and associated states (including EU member states).
The objectives are:
a)   provision of a common set of formats of breeder documents – printed and digital to be implemented by CEN member and associated states (including EU member states), with the extended objective of their acceptance internationally;
b)   the focus is on having common recognizable formats as well as prevention of identity fraud, particularly related to the use of breeder documents to obtain national and international ID documents, such as passports, and residence permits.
1.2   Human dimension of identity management
Each country’s identity management system also provides a framework for observing and protecting many of the human rights embodied in international declarations and conventions. Depending on the provisions in place, the system can ensure that citizens can exercise a wide range of rights, such as rights to property, privacy, freedom of movement and free choice of place of residence, as well as access to social services such as education, healthcare and social security. In states with more advanced technological infrastructure, population registration provides the basis for the establishment of a number of citizen-oriented computerized services, also known as e-services and e-government. Identity management is also central to prevention of discrimination in exercising guaranteed rights.
The identity management infrastructure provides the backbone for a functioning and viable state by securing civil, population and tax registers, as well other systems such as healthcare benefits, voter lists and the issuance of travel and identity documents based on verifiable identities. Such flaws may become visible during elections, where shortcomings in voter lists can affect confidence in the election process. In essence, a secure identity management system can be seen as the foundation, a root level, that is able to then feed into and help numerous other branches of key state services function effectively and accurately (OSCE, 2017, p.13) [27].
1.3   Security dimension of identity management
One of the key elements of a secure environment for cross-border travel is that the travel documents used by visitors meet international standards in terms of security of the document itself and security in that the document reflects the genuine identity of its holder. Similarly, the systems for issuing travel documents need to be linked to identity management systems to streamline decision-making processes, preferably through modernized systems that reflect developments in document security technology. As entries in registers or officially issued identification documents provide access to specific services, criminal networks are constantly looking for possible gaps in identity management systems to obtain genuine documents under fabricated or stolen identities. Documents obtained as result of gaps in identity management have enabled criminals to target business entities and cause significant financial losses through the use of genuine documents issued to non-existent identities (OSCE, 2017, p.14) [27].
Both legal and illegal immigration breeder docs are regularly used to determine an identity if no MRTD or eMRTD is presented. An identity which will be printed on an eRP, Foreigners ppt, Refugees travel doc etc. unless other supportive evidence of identity is provided.
Organized crime has not overlooked this and fraudulently obtained or falsified travel documents are regularly presented to hide the true identity.
Since a significant portion of the world’s population cannot reliably prove their identity, they rely on verbally presented identities and/or supportive breeder documents when registering in another country.
Asylum applicants who...

  • Technical specification
    69 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18139:2025(Main)
Personal identification - European guide for biometric recognition applications based on ID documents (ERG)
SIST-TS CEN/TS 18139:2025

This document defines requirements and provides guidance on:
•   capturing of facial images to be used for verification or identification purposes in applications based on reference images in identity or similar documents and traveller or visa databases;
•   capturing of fingerprint images to be used for verification or identification purposes in applications based on reference images in identity or similar documents and traveller or visa databases;
•   data quality maintenance for biometric data captured by/for verification or identification applications;
•   data authenticity maintenance for biometric data captured by/for verification or identification ap-plications.
This document addresses the following aspects which are specific for biometric data capturing:
•   biometric data quality and interoperability assurance;
•   data authenticity assurance;
•   morphing and other presentation attacks and biometric data injection attacks;
•   accessibility and usability;
•   recognition algorithms and their evaluation;
•   privacy and data protection;
•   optimal process design.
The following aspects are out of scope:
•   other aspects of IT security;
•   data capturing for ID document enrolment purposes, e.g. passport or ID card enrolment.

  • Technical specification
    30 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17489-2:2024(Main)
Secure and interoperable European Breeder Documents — Part 2: Data model
SIST-TS CEN/TS 17489-2:2025

This document specifies the abstract data model for breeder document data and the specific encodings of this abstract data model used in the CEN breeder document framework.
The abstract data model is a semantic description of the birth, marriage / partnership, and death certificate data, independently from their specific encoding. This abstract data model is extensible for further standardized and proprietary data of birth, marriage / partnership, and death certificates as well as for other types of breeder documents.
This abstract data model is technology agnostic, i.e. it is applicable for paper-based, server-based, and hardware-based breeder documents as well as further breeder document designs and technologies.
The specific encodings of this abstract data model comprise the encodings to be used for the machine readable technologies specified in part 3 of the framework as well as the encoding of human readable breeder document data. These encodings are used in the birth, marriage / partnership, and death certificate profiles specified in part 4 of the framework.

  • Technical specification
    25 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18099:2024(Main)
Biometric data injection attack detection
SIST-TS CEN/TS 18099:2025

This document provides an overview on:
-   Definitions on Biometric Data Injection Attack,
-   Biometric Data Injection Attack use case on main biometric system hardware for enrolment and verification,
-   Injection Attack Instruments on systems using one or several biometric modalities.
This document provides guidance on:
-   System for the detection of Injection Attack Instruments (defined in 3.12),
-   Appropriate mitigation risk of Injection Attack Instruments,
-   Creation of test plan for the evaluation of Injection Attack Detection system (defined in 3.9).
If presentation attacks testing is out of scope of this document, note that these two characteristics are in the scope of this document:
-   Presentation Attack Detection systems which can be used as injection attack instrument defence mechanism and/or injection attack method defence mechanism. Yet, no presentation attack testing will be performed by the laboratory to be compliant with this document (out of scope).
-   Bona Fide Presentation testing in order to test the ability of the Target Of Evaluation to correctly classify legitimate users.
The following aspects are out of scope:
-   Presentation Attack testing (as they are covered in ISO/IEC 30107 standards),
-   Biometric attacks which are not classified as Type 2 attacks (see Figure 1),
-   Evaluation of implementation of cryptographic mechanisms like secure elements,
-   Injection Attack Instruments rejected due to quality issues.

  • Technical specification
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 18108:2024(Main)
Personal identification - Usage of biometrics in breeder documents
SIST-TP CEN/TR 18108:2025

This document provides guidance on usage of biometrics in breeder documents, in particular regarding
-   encoding of biometric reference data;
-   data quality maintenance for biometric reference data;
-   data authenticity maintenance for biometric reference data; and
-   privacy preservation of biometric reference data.
This document addresses advantages and disadvantages of biometric modes, in particular regarding
-   verification performance;
-   privacy impact;
-   feasibility of biometric acquisition considering the age of the capture subjects;
-   limits of validity and need for updating biometric reference data.
The following aspects are out of scope:
-   format and structure of breeder documents;
-   general security aspects, which are covered in CEN/TS 17489-1 [1].

  • Technical report
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 18030:2023(Main)
Personal identification - Biometrics - Overview of biometric verification systems implemented across Europe
SIST-TP CEN/TR 18030:2024

This Technical Report provides an overview of the current deployment of biometric systems within Europe. It addresses the challenges that are being faced, in order to detect the current needs for improving the specifications for the implementation and deployment of biometric systems. This Technical Report considers all kind of deployments, from border control to ad-hoc services. As most of the deployed systems are based on the use of fingerprints or face recognition, this Technical Report will focus on these two biometric modalities, from the system integrator and interoperability points of view.
Identity documents, in terms of production, structure, interoperability, etc., are out of the scope of this TR. The TR is focused on the performance at system level.
The current European legislative initiatives around this topic (e.g., Entry/Exit System, framework for interoperability between EU information systems, etc.) need a robust framework study about the availability of standard technologies to improve interoperability in biometric products around the European Union.
By showing these needs, a set of recommendations for future standardization works is provided.
From a methodological perspective, the report gathers information of different entities with this classification:
- Capture/enrolment of biometrics including the quality assurance and the generation of feature or biometric models from the images.
- Best practices and guidelines to use biometrics in Europe.
- Data Quality environment using biometrics in European networks.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 17982:2023(Main)
European Digital Identity Wallets standards Gap Analysis
SIST-TP CEN/TR 17982:2024

This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.

  • Technical report
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 2382-37:2023(Main)
Information technology - Vocabulary - Part 37: Biometrics (ISO/IEC 2382-37:2022)
SIST EN ISO/IEC 2382-37:2024

This document establishes a systematic description of the concepts in the field of biometrics pertaining to recognition of human beings. This document also reconciles variant terms in use in pre-existing International Standards on biometrics against the preferred terms, thereby clarifying the use of terms in this field.
This document does not cover concepts (represented by terms) from information technology, pattern recognition, biology, mathematics, etc. Biometrics uses such fields of knowledge as a basis.
In principle, mode-specific terms are outside of scope of this document.

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17661:2021(Main)
Personal identification – European enrolment guide for biometric ID documents (EEG)
SIST-TS CEN/TS 17661:2022

This document consolidates information relating to successful and high quality biometric enrolment processes of facial and fingerprint systems, while indicating risk factors and providing appropriate mitigations. This information supports decisions regarding procurement, design, deployment and operation of these biometric systems.
This document provides guidance on:
—   capturing of facial images to be used as reference images in identity and secure documents;
—   capturing of fingerprint images to be used as reference images in identity and secure documents;
—   data quality maintenance for biometric reference data;
—   data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
—   biometric data quality and interoperability ensurance;
—   data authenticity ensurance;
—   morphing and other presentation attack detection as well as other unauthorized changes;
—   accessibility and usability;
—   privacy and data protection;
—   optimal enrolment design.
The following aspects are out of scope:
—   IT security;
—   data capturing for verification purposes, e.g. in ABC gates;
—   capturing biometric data for enrolment in other systems different from data enrolment for integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates the enrolment from the authentication, while mentioning key factors of the enrolment process that are feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection, identification or verification purposes without the required step of creating an identity document using the captured data.

  • Technical specification
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17631:2021(Main)
Personal identification - Biometric group access control
SIST-TS CEN/TS 17631:2021

This document provides guidance on providing access:
— to areas with physical access control, e.g. entertainment facilities, train stations, shops, libraries, banks, or border control,
— for small groups of persons, e.g. families with small children or seniors, or other accompanied persons in need of support,
— by means of biometric authentication technologies, e.g. facial, fingerprint, or vein recognition,
— in the European regulatory context.
The document addresses the following aspects, which are specific for biometric and group access:
— accessibility and usability,
— user guidance including group guidance and interaction control,
— privacy including data set content,
— presentation attack detection,
— applicable biometric technologies,
— storage of reference data,
— biometric process integration,
— specific needs considering biometrics for groups,
— biometric performance and error rates, and
— group internal linkage.
The following aspects which reflect on generic access control issues are out of scope:
— IT security,
— application specific physical security,
— policy definition,
— processes not related to biometric authentication, and
— specific performance requirements of identification (1:N) and verification (1:1) applications.

  • Technical specification
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day