4 Security Objectives
4.2 Security Objectives for the Environment
Security objectives for the environment should trace back to aspects of identified threats that are not completely countered by the TOE and/or organizational security policies or assumptions not completely met by the TOE. Security objectives for the environment may be a reiteration of the assumptions portion of the TOE security environment. Thus, environmental security objectives are statements about aspects of the TOE's environment that need to be addressed by mechanisms outside of the TOE. They assist in completely countering the threats and supporting the policies and assumptions for the TOE by specifying objectives that should be addressed in the TOE's environment. Assurance requirements address the environmental objectives. These security objectives also levy additional requirements on the environment that are outside the scope of this PP.
Each environmental objective is stated in bold type font. Most objectives are followed by an explanation, in normal font, that supplies additional information and interpretation.
OE.Con_Cont: Code Configuration Control
The TOE will be labeled with a unique instance identifier that establishes its composition, and controls will be provided to ensure that the components have not been modified.
OE.Con_Des: Control of Design
Those responsible for the TOE must ensure that design information, details of hardware security mechanisms, IC specifications, IC databases, schematics/layouts, software specifications, detailed designs, source code, or any other information are accessible only by authorized personnel.
Information that could lead to a compromise in security during TOE operation is routinely available during the design and manufacture of the TOE. This information must be protected to prevent its availability to hostile parties.
OE.Con_Prod: Control of Product
The manufacturing process shall ensure the protection of the TOE from any kind of unauthorized use such as tampering or theft.
During various stages of manufacture and preparation for use, the TOE may exist in a variety of incomplete through finished forms. These instantiations of the TOE must be protected to prevent their becoming available to hostile parties.
OE.Con_Tools: Control of Tools
The TOE development process shall ensure the protection of the development tools from any kind of unauthorized use such as tampering or theft.
A variety of tools are routinely used during the development and test of the TOE.
These tools could provide significant information to a hostile party regarding the functionality of the TOE security systems and, thus, must be protected to prevent them from becoming available to hostile parties.
OE.Dlv_Aud: Delivery Audit
Procedures shall ensure that all nonconformances to mandated delivery processes are detected and that corrective actions are taken in case of improper operation.
OE.Dlv_Proc: Delivery Procedures
Procedures such as validation of code signatures shall ensure protection of TOE material/information during delivery.
Numerous IC manufacturers, chip embedders, smart card personalizers, issuers, and others may have access to the TOE and its various support information prior to issuance. This information may be particularly vulnerable during transport between the various representatives. This objective should prevent this information from becoming available to hostile parties. Prevention includes checking the verification of signed code that is downloaded prior to execution. A well-known example is checking digital signatures on signed Java applets.
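The two controls described above, a unique instance identifier that fixes the composition of the TOE (OE.Con_Cont) and verification of a code signature before any delivered code is executed (OE.Dlv_Proc), can be realized together with one signed manifest. The following Go program is an added illustration, not part of this protection profile or of any product evaluated against it. The PP does not prescribe a signature scheme, a manifest format or an identifier layout; Ed25519, the SHA-256 per-component digests, the line-oriented manifest encoding, and the instance identifier `TOE-EXAMPLE-0001` are all assumptions chosen for this example, and the component bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest describes one TOE instance: a unique instance identifier plus the
// raw bytes of every component (ROM image, applets, ...) that makes it up.
type Manifest struct {
	InstanceID string
	Components map[string][]byte // component name -> component bytes
}

// canonical renders the manifest deterministically (sorted component names,
// SHA-256 digest per component) so signer and verifier hash identical bytes.
// The encoding is an assumption of this example, not a format from the PP.
func canonical(m Manifest) []byte {
	names := make([]string, 0, len(m.Components))
	for n := range m.Components {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "instance=%s\n", m.InstanceID)
	for _, n := range names {
		sum := sha256.Sum256(m.Components[n])
		fmt.Fprintf(&b, "%s=%s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// Sign is performed by the authorized release authority before delivery.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyBeforeLoad is performed by the receiving party (embedder,
// personalizer, issuer) before any delivered code is executed or loaded.
// A changed instance identifier, a modified component, or a signature from an
// untrusted key all cause the delivery to be rejected.
func VerifyBeforeLoad(pub ed25519.PublicKey, m Manifest, sig []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("delivery rejected: manifest or component modified, or signer not trusted")
	}
	return nil
}

// DemoDelivery signs a constructed sample manifest, then checks that the
// unmodified delivery is accepted and that a delivery with one altered
// component byte is rejected. It returns both outcomes.
func DemoDelivery() (genuineOK bool, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	m := Manifest{
		InstanceID: "TOE-EXAMPLE-0001", // constructed placeholder identifier
		Components: map[string][]byte{
			"rom_mask":   []byte("constructed ROM image bytes"),
			"applet.cap": []byte("constructed applet bytes"),
		},
	}
	sig := Sign(priv, m)
	genuineOK = VerifyBeforeLoad(pub, m, sig) == nil

	// Simulate modification in transit: copy the manifest and flip one bit
	// of one component while keeping the original signature.
	tampered := Manifest{InstanceID: m.InstanceID, Components: map[string][]byte{}}
	for k, v := range m.Components {
		tampered.Components[k] = append([]byte(nil), v...)
	}
	tampered.Components["applet.cap"][0] ^= 0x01
	tamperedRejected = VerifyBeforeLoad(pub, tampered, sig) != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	g, t, err := DemoDelivery()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine delivery accepted: %v\ntampered delivery rejected: %v\n", g, t)
}
```

The point of signing a manifest of digests rather than each component separately is that the signature also binds the composition: a delivery that drops, swaps or adds a component, or that carries another instance's identifier, fails verification just as a modified component does. In practice the verifier's trusted public key would itself be established through the certificate policy referenced under OE.Key_Gen rather than generated in the same process, as this self-contained example does.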
OE.Dlv_Trn: Delivery Training
Procedures shall ensure that people dealing with the procedures for delivery (shipping department, carriers, reception department) have the required skill, training, and knowledge to meet the procedure requirements and to act fully in accordance with the above expectations.
Numerous IC manufacturers, chip embedders, smart card personalizers, issuers, and others may have access to the TOE and its various support information prior to issuance. This information may be particularly vulnerable during transport between the various representatives. This objective should prevent this information from becoming available to hostile parties.
OE.Ident: TOE Identification
Procedures must support the recording and preservation of TOE identification information on the TOE prior to being issued to the user.
The TOE consists of hardware and software elements. The software may be stored in a hard mask (through incorporation in the ROM photomask) or in nonvolatile memory. The hardware could have optional features that might or might not be enabled. It is therefore essential that an accurate identification be established for the exact instantiation of the final product compliant to this protection profile.
OE.Key_Gen: Key Generation
Key exchange keys are generated in a secure manner in accordance with X.509 Certificate Policy.
OE.Mask_Prot: Photomask Protection
The photomask fabrication management process shall ensure the protection of the mask from any kind of unauthorized use such as tampering or theft.
The photomask represents the instantiation of the hardware elements of the TOE and may contain ROM code. Information about secure functions and mask-programmed software and codes is included in the TOE photomasks.
Furthermore, availability of the photomasks could significantly reduce the effort required to clone all or part of the TOE. The photomasks must therefore be protected to prevent them from becoming available to hostile parties.
OE.Personnel: Personnel
Personnel working as administrators or in other privileged positions shall be carefully selected and trained for reliability.
OE.SW_Develop: Software Development Process
All code to be used for the TOE will be developed using a software development process that is standard and consistent across the organization.
OE.Sample_Acs: Sample Access
Samples used to run tests shall be accessible only by authorized personnel.
The preparation of samples, sometimes in large quantities, is routine during the development of a fully operational TOE. These samples represent the TOE in a variety of incomplete through finished forms. These instantiations must be protected to prevent them from becoming available to hostile parties.
OE.Sec_Com: Secure Communication
Only a trusted host [2] can establish a secure connection with the TOE.
The secure connection implies that the TOE is in a DoD authenticated state and that the host can be trusted.
OE.Train: User Training
Users will be trained on the usage policy of the TOE in accordance with proper security procedures.
[2] Device to which a token authenticates to establish a secure communication path.