SN100 Series - Secure Element with Crypto Library
Security Target Lite
Rev. 3.5 — 21 April 2021

Document information

<table>
<thead>
<tr>
<th>Information</th>
<th>Content</th>
</tr>
</thead>
<tbody>
<tr>
<td>Keywords</td>
<td>NXP, SN100 Series, SN100x Single Chip Secure Element and NFC Controller, Crypto Library, Common Criteria, Security Target Lite, SN100_SE B2.1 C25 / C48 / C58</td>
</tr>
<tr>
<td>Abstract</td>
<td>This document is the Security Target Lite of the Secure Element of the SN100x Single Chip Secure Element and NFC Controller Series with IC Dedicated Software, developed and provided by NXP Semiconductors. The Secure Element complies with Evaluation Assurance Level 6 of the Common Criteria for Information Technology Security Evaluation Version 3.1 with augmentations.</td>
</tr>
</tbody>
</table>
## Revision history

<table>
<thead>
<tr>
<th>Revision number</th>
<th>Date</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.5</td>
<td>21.04.2021</td>
<td>Derived from full Security Target v3.5</td>
</tr>
</tbody>
</table>
1 ST Introduction

1.1 ST Reference


1.2 TOE Reference

The TOE is named "SN100 Series - Secure Element with Crypto Library". It consists of

• the Secure Element subsystem of the IC hardware platform SN100x ¹,
• IC Dedicated Software (Crypto Library, Services Software and IC Dedicated Support Software), and
• documentation describing the usage of the TOE.

The TOE is available in three configuration named

• B2.1 C25
• B2.1 C48
• B2.1 C58

In this document the TOE is abbreviated to "SN100_SE" ².

1.3 TOE Overview

1.3.1 Usage and major security functionality

The SN100x Single Chip Secure Element and NFC Controller Series combines on a single die an Embedded Secure Element and a NFC Controller. The two subsystems are called "SN100_SE" and "SN100_NFC". The NFC Controller ist not part of the TOE.

The Embedded Secure Element SN100_SE is based on a Flash-based secure microcontroller platform. A high frequency clocked ARM SC300 core along with state of the art cryptographic hardware coprocessors brings secured applications to a new level in performances and security (see Section 1.3.1.1). The TOE includes Security Software, composed of Services Software and a Crypto Library, that can be used by the Security IC Embedded Software (see Section 1.3.1.2).

The TOE is integral part of the SN100x IC. Note that SN100x without any Security IC Embedded Software for the TOE is available for NXP internal use only.

1.3.1.1 IC Hardware

The hardware part of the SN100_SE incorporates an high frequency clocked ARM SC300 processor, a Public-Key Cryptography (PKC) coprocessor and a Direct Memory Access (DMA) controller, which are all connected over a Memory Management Unit (MMU) to a bus system. This bus system gives access to memories, hardware peripherals and communication interfaces.

---

¹ The "x" in SN100x indicates the type of the SN100 series (representing e.g. the NFC Controller configuration)
² Both notations SN100_SE and SN100x_SE are used throughout TOE documentation. Both terms shall be considered as synonym.
The ARM SC300 processor is a security enhanced variant of the ARM Cortex M3. It includes the SC300 core and the Nested Vector Interrupt Controller (NVIC). The core implements the ARMv7-M architecture, which supports a subset of the Thumb instruction set. The PKC coprocessor provides large integer arithmetic operations, which can be used by Security IC Embedded Software for asymmetric-key cryptography. Hardware peripherals include coprocessors for symmetric-key cryptography and for calculation of error-detecting codes, and also a random number generator. The DMA controller manages data transfers over communication interfaces like ISO/IEC 7816 compliant interface, Serial Peripheral Interface (SPI), I2C interface and the Secure Mailbox Interface. On-chip memories are Flash memory, ROM and RAMs. The Flash memory can be used to store data and code of Security IC Embedded Software. It is designed for reliable non-volatile storage.

SN100_SE is offered with the NXP Trust Provisioning Service, which involves secure reception, generation, treatment and insertion of customer data and code at NXP.

The documentation of SN100_SE includes a product data sheet, several product data sheet addenda, a user guidance and operation manual, and service documentation. This documentation describes secure configuration and secure use of SN100_SE as well as the services provided with it.

The security functionality of SN100_SE is designed to act as an integral part of a security system composed of SN100_SE and Security IC Embedded Software to strengthen it as a whole. Several security mechanisms of SN100_SE are completely implemented in and controlled by SN100_SE. Other security mechanisms must be treated by Security IC Embedded Software. All security functionality is targeted for use in a potential insecure environment, in which SN100_SE maintains

- correct operation of the security functionality,
- integrity and confidentiality of data and code stored to its memories and processed in the device,
- controlled access to memories and hardware components supporting separation of different applications.

This is ensured by the construction of SN100_SE and its security functionality.

SN100_SE basically provides

- hardware to perform computations on multiprecision integers, which are suitable for public-key cryptography,
- hardware to calculate the Data Encryption Standard with up to three keys,
- hardware to calculate the Advanced Encryption Standard (AES) with different key lengths,
- hardware to support Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR) modes of operation for symmetric-key cryptographic block ciphers,
- hardware to support Galois/Counter Mode (GCM) of operation and Galois Message Authentication Code (GMAC) for symmetric-key cryptographic block ciphers,
- hardware to calculate Cyclic Redundancy Checks (CRC),
- hardware to serve with True Random Numbers,
- hardware and service software to control access to memories and hardware components.

In addition, SN100_SE embeds sensors, which ensure proper operating conditions of the device. Integrity protection of data and code involves error correction and error detection codes, light sensing and other security functionality. Encryption and masking
mechanisms are implemented to preserve confidentiality of data and code. The IC hardware is shielded against physical attacks.

Note that the SN100_SE also implements PUF functionality. However this hardware functionality is not in the scope of evaluation.

1.3.1.2 Security Software

The IC Dedicated Software provides Security Software that can be used by the Security IC Embedded Software. The Security Software is composed of Services Software and Crypto Library.

The Services Software consists of Flash Services Software, Services Framework Software and the part of the Services HAL (Hardware Abstraction Layer) that is not stored to ROM. The Flash Services Software manages technical demands of the Flash memory and serves the Security IC Embedded Software with an interface for Flash erase and/or programming. The Services Framework Software represents a collection of different abstractions and utility functions that provide a runtime environment to the individual Services. The Services HAL provides an interface for the Services Software to the hardware that controls the Flash memory.

The Services Software is considered part of the Service Code and is stored in the Flash memory of the TOE.

The Crypto Library consists of several binary packages that are pre-loaded to the Flash memory of the TOE for usage by the Security IC Embedded Software. The Crypto Library provides:

- AES
- Triple-DES (3DES)
- RSA
- RSA key generation
- RSA public key computation
- ECDSA (ECC over GF(p)) signature generation and verification
- ECC over GF(p) key generation
- ECDH (ECC Diffie-Hellmann) key exchange
- MontDH (Diffie Hellman key exchange on Montgomery Curves over GF(p)) key generation
- MontDH (Diffie Hellman key exchange on Montgomery Curves over GF(p)) key exchange
- EdDSA (Edwards-curve Digital Signature Algorithm) signature generation and verification
- EdDSA (Edwards-curve Digital Signature Algorithm) key generation
- ECDAA related functions
- Full point addition (ECC over GF(p))
- HMAC algorithms
- eUICC authentication functions (MILENAGE, TUAK and CAVE)
In addition, the Crypto Library implements a software (pseudo) random number generator which is initialized (seeded) by the hardware random number generator of the TOE. The Crypto Library also provides a secure copy routine, a secure memory compare routine, cyclic redundancy check (CRC) routines, and includes internal security measures for residual information protection.

Note that the Crypto Library v1.0.0 also implements
- KoreanSeed
- OSCCA SM2, OSCCA SM3 and OSCCA SM4
- Felica

However these library elements are not in the scope of evaluation.

The Crypto Library is considered part of the Shared Library functions and is stored in the Flash memory of the TOE.

1.3.2 TOE Type

The TOE is a Security Integrated Circuit Platform for various operating systems and applications with high security requirements.

1.3.3 Security During Development and Production

The Security IC product life cycle is scheduled in phases, which are defined in the Protection Profile [5].

Phase 2 IC Development, phase 3 IC Manufacturing as well as phase 4 IC Packaging of this life cycle are part of this Security Target. The TOE Delivery is at the end of phase 4.

The development environment of SN100_SE always ranges from phase 2 IC Development to TOE Delivery. All other phases are part of the operational environment. This addresses Application Note 1 in in the Protection Profile [5].

In phase 2 IC Development of SN100_SE access to sensitive design data of SN100_SE is restricted to people, who are involved in the development of the product.

In phase 3 IC Manufacturing the TOE as integral part of SN100x IC are produced and tested on wafers. In this phase NXP also serves as Composite Product Manufacturer by optionally storing Security IC Embedded Software to the Flash of SN100_SE. The NXP Trust Provisioning Service ensures confidentiality and integrity of any customer data in this phase. This incudes secure treatment and insertion of data and code received from the customer as well as random or derived data, which are generated by NXP.

In phase 4 IC Packaging SN100x ICs including the TOE are embedded into packages.

The delivery processes between all involved sites provide accountability and traceability of the dies. Authentic delivery of the TOE is supported by its NXP Trust Provisioning Service as described in [39].

1.3.4 Required non-TOE Hardware/Software/Firmware

Besides the SN100_SE the SN100x Single Chip Secure Element and NFC Controller comprises a NFC controller (SN100_NFC) and a shared Power Management Unit (SN100_PMU).

For operation the SN100_SE requires full function of the SN100_PMU subsystem, that is controlled by software of the SN100_NFC subsystem (see Figure 1).
The TOE does not include communication drivers in the IC Dedicated Support Software. Those need to be part of the Security IC Embedded Software.

1.4 TOE Description

1.4.1 Physical Scope of TOE

The SN100x IC is built upon two subsystems: "SN100_SE" and "SN100_NFC". Both subsystem use a shared Power Management Unit ("SN100_PMU"). The toplevel block diagram of SN100x is depicted in Figure 1.

![Toplevel block diagram of SN100x](image)

**Figure 1. Toplevel block diagram of SN100x**

The SN100_SE subsystem is built of IC hardware and IC Dedicated Software, and includes documentation. A block diagram of the TOE and its interfaces is depicted in Figure 2.
Figure 2. Block diagram of SN100_SE with Interfaces

The IC Dedicated Software of SN100_SE comprises
- IC Dedicated Support Software, composed of
  - Test software named Factory OS
  - Boot software named Boot OS
  - Memory Driver software named Flash Driver Software
- Security Software, composed
  - Services Software named Services Software
  - Library Software named Crypto Library

All other software is called Security IC Embedded Software and is not part of the TOE.
1.4.2 Evaluated Configurations

Each configuration of the TOE consists of a physical configuration (i.e. hardware component incl. ROM code and related documentation) and a logical configuration (i.e. Software components and configuration data stored to Flash memory).

The definition of the configuration identifiers of SN100_SE is detailed in Table 1.

Table 1. Configuration identifiers of the TOE

<table>
<thead>
<tr>
<th>Name</th>
<th>Symbol</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Series</td>
<td>srs</td>
<td>Series identifier in NXP product family</td>
</tr>
<tr>
<td>IC version</td>
<td>xy.z</td>
<td>x: base layer identifier of the development type</td>
</tr>
<tr>
<td></td>
<td></td>
<td>y: fixed metal masks identifier of the development type</td>
</tr>
<tr>
<td></td>
<td></td>
<td>z: customizable metal masks identifier of the development type, includes</td>
</tr>
<tr>
<td></td>
<td></td>
<td>the IC Dedicated Software stored to ROM</td>
</tr>
<tr>
<td>NXP software</td>
<td>wn</td>
<td>w: NXP software combination identifier of the development type, identifies</td>
</tr>
<tr>
<td></td>
<td></td>
<td>the IC Dedicated Software stored to ROM</td>
</tr>
<tr>
<td></td>
<td></td>
<td>n: version identifier of the NXP software combination, identifies software</td>
</tr>
<tr>
<td></td>
<td></td>
<td>version data stored to Flash</td>
</tr>
<tr>
<td>NXP hardware</td>
<td>v</td>
<td>Version identifier of the NXP hardware configuration, identifies the</td>
</tr>
<tr>
<td>configuration</td>
<td></td>
<td>version of configuration data stored to Flash</td>
</tr>
</tbody>
</table>

The symbols in the second column in Table 1 build the product name of a physical configuration according to the following rule:

$srs \ xy.z \ wn\ v$

Evaluated physical configuration of the TOE is

• SN100_SE B2.1

This subsystem in integral part of any variant of the SN100x Single Chip Secure Element and NFC Controller Series IC version B2.1. ³

All components of SN100_SE B2.1 that are common for all logical configurations are listed in Table 2 with their respective version numbers.

Evaluated logical configurations of the TOE stored to flash memory are

• SN100_SE B2.1 C25
• SN100_SE B2.1 C48
• SN100_SE B2.1 C58

All components that are specific for a certain configuration are given in Table 3 (for SN100_SE B2.1 C25), Table 4 (for SN100_SE B2.1 C48) and Table 5 (for SN100_SE B2.1 C58).

Table 2. Components common for all SN100_SE B2.1

<table>
<thead>
<tr>
<th>Category</th>
<th>Component</th>
<th>Identification</th>
<th>Delivery form</th>
</tr>
</thead>
<tbody>
<tr>
<td>IC Hardware</td>
<td>base layer and fixed metal masks</td>
<td>B2.1</td>
<td>Package</td>
</tr>
<tr>
<td>IC Dedicated Support Software</td>
<td>Factory OS</td>
<td>4.2.0</td>
<td>On-chip software. Stored to the ROM of the TOE</td>
</tr>
<tr>
<td></td>
<td>Boot OS</td>
<td>4.2.0</td>
<td>On-chip software. Stored to the ROM of the TOE</td>
</tr>
</tbody>
</table>

³ The "x" in SN100x indicates the type of the SN100 series (representing the NFC Controller configuration)
### Table 3. Components of SN100_SE B2.1 specific for C25

<table>
<thead>
<tr>
<th>Category</th>
<th>Component</th>
<th>Identification</th>
<th>Delivery form</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Configuration Data</strong></td>
<td>Factory Page</td>
<td>18218</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>System Page Common</td>
<td>18468</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>BootOS Patch</td>
<td>4.2.0 PL3 v4</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td><strong>Security Software</strong></td>
<td>Services Software</td>
<td>4.13.3.0</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>Crypto Library</td>
<td>1.0.0</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td><strong>Documentation, User Guidance and Operation Manual</strong></td>
<td>SN100_SE Information on Guidance and Operation</td>
<td>[10]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100 Services Addendum - Additional API and Operational Guidance</td>
<td>[12]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100x Crypto Library Information on Guidance and Operation</td>
<td>[13]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: Utils</td>
<td>[34]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: ECC over GF(p)</td>
<td>[29]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
</tbody>
</table>
Table 4. Components of SN100_SE B2.1 specific for C48

<table>
<thead>
<tr>
<th>Category</th>
<th>Component</th>
<th>Identification</th>
<th>Delivery form</th>
</tr>
</thead>
<tbody>
<tr>
<td>Configuration Data</td>
<td>Factory Page</td>
<td>18652</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>System Page Common</td>
<td>18468</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>BootOS Patch</td>
<td>4.2.0 PL5 v16</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td>Security Software</td>
<td>Services Software</td>
<td>4.13.7.1</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>Crypto Library</td>
<td>1.0.0</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>SN100 Services Addendum - Additional API and Operational Guidance</td>
<td>[12]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100x Crypto Library Information on Guidance and Operation</td>
<td>[13]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: Util</td>
<td>[34]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: ECC over GF(p)</td>
<td>[29]</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
</tbody>
</table>
Table 5. Components of SN100_SE B2.1 specific for C58

<table>
<thead>
<tr>
<th>Category</th>
<th>Component</th>
<th>Identification</th>
<th>Delivery form</th>
</tr>
</thead>
<tbody>
<tr>
<td>Configuration Data</td>
<td>Factory Page</td>
<td>18652</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>System Page Common</td>
<td>18468</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>BootOS Patch</td>
<td>4.2.0 PL5 v16</td>
<td>On-chip configuration page. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td>Security Software</td>
<td>Services Software</td>
<td>4.14.0.1</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td></td>
<td>Crypto Library</td>
<td>2.0.0</td>
<td>On-chip software. Stored to the FLASH area of the TOE</td>
</tr>
<tr>
<td>Documentation, User Guidance and Operation Manual</td>
<td>SN100_SE Information on Guidance and Operation</td>
<td>10</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100 Services User Manual - API and Operational Guidance</td>
<td>11</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100 Services Addendum - Additional API and Operational Guidance</td>
<td>12</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>SN100x Crypto Library Information on Guidance and Operation</td>
<td>13</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: SymCfG</td>
<td>33</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: RSA</td>
<td>27</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: RSA Key Generation</td>
<td>28</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: ECC over GF(p)</td>
<td>29</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: ECDAA</td>
<td>30</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: SHA</td>
<td>22</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: SecSHA</td>
<td>23</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: SHA3</td>
<td>24</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: SecSHA3</td>
<td>25</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: HMAC</td>
<td>26</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: HASH</td>
<td>21</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: eUICC</td>
<td>32</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>User Manual: KDF</td>
<td>36</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
<tr>
<td></td>
<td>Errata Sheet</td>
<td>37</td>
<td>Electronic Document (PDF via NXP Docstore)</td>
</tr>
</tbody>
</table>

Logical configuration options are provided for each physical configuration of SN100_SE, which do not modify the physical scope described in Section 1.4.1. Evaluated logical
configuration options are all or a subset of the order entry options available in the electronic Order Entry Form [38].

Table 6 identifies these evaluated logical configuration options. These options are detailed in [14].

Table 6. Evaluated logical configuration options

<table>
<thead>
<tr>
<th>Name of order entry option</th>
<th>Evaluated values</th>
</tr>
</thead>
<tbody>
<tr>
<td>SNSE_HWOPT_ENABLE_ISORESET</td>
<td>YES/NO</td>
</tr>
<tr>
<td>SNSE_SWOPT_ENABLE_CHMODE</td>
<td>YES/NO</td>
</tr>
<tr>
<td>SNSE_SWOPT_REENABLE_TESTMODE</td>
<td>YES/NO</td>
</tr>
<tr>
<td>SNSE_SWOPT_ENABLE_APPDISABLE</td>
<td>YES/NO</td>
</tr>
<tr>
<td>SNSE_SWOPT_SELECT_MODE</td>
<td>AAP</td>
</tr>
<tr>
<td>SNSE_HWOPT_SELECT_RAM_HS_START</td>
<td>[0..0xFF]</td>
</tr>
<tr>
<td>SNSE_HWOPT_SELECT_RAM_HS_END</td>
<td>[0..0xFF]</td>
</tr>
</tbody>
</table>

The logical configuration options given in Table 6 are complemented with additional evaluated logical configuration options. These are not selectable by the customer via electronic Order Entry Form, but are exclusively under control of NXP.

The TOE as integral part of SN100x IC is delivered as a packaged device. The security of the TOE does not rely on the way the pads are connected to the package. Therefore the security functionality of SN100_SE is not affected by the delivered package type.

The only available package type is "Wafer Level Chip Scale Package" (WLCSP). This package is a thin fine-pitch ball grid array package.

The commercial type name of the SN100x IC reflects package type in the name. It is assigned according to the following format:

SN100 b pp(p) / x y zz ff

The commercial type name of a physical configuration is built by replacing the symbols in the above format with the values identified in Table 7.

Table 7. Values of symbols in commercial type name

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>srs</td>
<td>SN100</td>
<td>Series in NXP product family</td>
</tr>
<tr>
<td>b</td>
<td>x</td>
<td>Basic type in the series of NXP product family, defining e.g. the NFC host interface</td>
</tr>
<tr>
<td>pp(p)</td>
<td>UK</td>
<td>Package type</td>
</tr>
<tr>
<td></td>
<td></td>
<td>UK = Wafer Level Chip Scale Package (WLCSP)</td>
</tr>
<tr>
<td>x</td>
<td>B</td>
<td>Base layer identifier</td>
</tr>
<tr>
<td>y</td>
<td>2</td>
<td>Fixed metal masks identifier</td>
</tr>
<tr>
<td>zz</td>
<td>1</td>
<td>ROM Mask reference</td>
</tr>
<tr>
<td>ff</td>
<td>Two characters (each either a letter or a number)</td>
<td>FabKey Number (FKN), which identifies the contents in AP-Flash at TOE Delivery, and the selection of logical configuration options, processed by Order Entry Form Tool individually for each OEF</td>
</tr>
</tbody>
</table>
Information on how to order SN100x and how to identify the logical configuration options of the SN100_SE after TOE Delivery is described in [14].

The TOE is integral part of the SN100x IC. Note that SN100x without any Security IC Embedded Software for the TOE is available for NXP internal use only.

The manufacturing process of SN100x allows options that can be selected by NXP in the electronic Order Entry Form [38]. The evaluated options are given in Table 8.

Table 8. Evaluated options of manufacturing process (NXP internal only)

<table>
<thead>
<tr>
<th>Name of order entry option</th>
<th>Evaluated values</th>
</tr>
</thead>
<tbody>
<tr>
<td>Diffusion Fab</td>
<td>GF7 / GF1 / SMIC[1]</td>
</tr>
</tbody>
</table>

[1] Wafers from sites GF1 and SMIC will be used for logical configurations C48/C58 only

The delivery method used for SN100x and information on how to identify the selected manufacturing options are described in [15].

1.4.3 Logical Scope of TOE

1.4.3.1 Hardware Description

The hardware of SN100_SE facilitates seven types of software components, which are depicted in Figure 3.

The hardware always starts-up with executing the Boot OS. The Boot OS finally jumps to a start address in either Factory OS, Customer OS or Bootloader OS. The hardware provides no other way to start these operating systems but via power-up or reset of the device. Not more than one operating system out of Factory OS, Customer OS and Bootloader OS can be executed per start-up cycle. Each of the operating systems may
interact with and with Library Software according to the programming interface they respectively provide.

The Factory OS implements security functionality against unauthorized access in the field. Startup into Bootloader OS is blocked by the TOE with order entry option = AAP until Customer OS explicitly unblocks this with next startup by changing the logical configuration to = BOR. Then Bootloader OS can reactivate this blockage with changing back to = AAP. Instead, order entry option = BOR causes the TOE to start-up into Bootloader OS when a special sequence is applied to a pad.

Jumps between types of software components imply transformations in system operation modes, which are under control of the hardware. The hardware distinguishes among five such system operation modes. These are named NXP Mode (NXP), Application Mode (AP), Bootloader Mode (BL), Service Mode (SV) and Shared Mode (SH). Figure 3 gives the basic assignment of system operation modes to the seven types of software components.

Transformations among NXP Mode, Bootloader Mode, Application Mode and Service Mode are usually transitions from one to another system operation mode. Exceptions are with logical configurations EN_SV_AP=YES, EN_SV_BL=YES and/or EN_BL_FOR_AP=YES. Logical configuration EN_SV_AP=YES resp. EN_SV_BL=YES enable Bootloader OS to also activate Application Mode resp. Bootloader Mode when it jumps to Services Software. These configurations fit to the needs of update functionality in a Bootloader OS provided by NXP for secure updates of Security IC Embedded Software. Such Bootloader OS itself is not in scope of this TOE. In logical configuration EN_BL_FOR_AP=YES the TOE always sets both, Application Mode and Bootloader Mode when jumping to Customer OS. This configuration is appropriate for NXP operating systems with integrated update functionality in the field. Such NXP operating systems themselves are not in scope of this TOE.

Shared Mode is always activated in addition to the system operation mode(s) of the software component type that jumps to Library Software. This allows to share Library Software among different types of software components.

System operation modes are used by the hardware to control access to memories and hardware components. The software component types are stored to different areas in the Flash memory, which are assigned with access rights that fit to their related software component type.

Furthermore, the ARM SC300 processor supports two CPU modes named "thread" and "handler", and also two CPU privilege levels named privileged and unprivileged (of which the latter one is also called "user" by ARM). These choices are combined to three valid CPU operation modes, which are privileged thread, unprivileged thread and privileged handler. The SC300 processor implements these CPU operation modes to control access to some of its configuration registers and instructions. Use of the two modes thread and handler is limited to the SC300 processor whereas the privilege levels are also used in the system to control access to memories and hardware components.

SN100_SE implements 64 Kbytes ROM, 2 Mbytes Flash, 52 Kbytes System RAM, 5 Kbytes PKC RAM and a Buffer RAM for Flash erase/programming and for Flash read caching. All these memories are accessible over the bus system on data/address busses, and the PKC RAM can also be directly accessed by the PKC coprocessor on a separate data/address bus. PKC RAM accesses are arbitrated in the RAM Controller. The hardware controls access to the memories over the bus system. Direct access to the PKC RAM is controlled by way of access control to the hardware component PKC coprocessor. Access to the PKC RAM by the CPU and the PKC coprocessor over the bus system is adjusted accordingly.
The hardware controls write, read and execute access to the memories over the bus system against system operation modes. This is done based on segments in the logical address space. In this context the whole ROM address space is reserved for NXP.

The Flash address space is sectioned into an AP-Flash segment, a BL-Flash segment, an SV-Flash segment, an SH-Flash segment and a CFG-Flash segment. The AP-Flash segment is accessible in Application Mode without restrictions and blocked in Bootloader Mode for read and execute. The BL-Flash segment is accessible in Bootloader Mode without restrictions and completely blocked in Application Mode. Both segments are also blocked in Service Mode. The SV-Flash segment is accessible to Service Mode without restrictions. It is blocked in Application Mode and blocked in Bootloader Mode for read and execute. The SH-Flash segment is accessible for execute in Application Mode, Bootloader Mode and Service Mode, but blocked in all these system operation modes for read and write, except Bootloader Mode, which has write access when Shared Mode isn't also active. Library Software always has the same access rights like the software component from which it is executed and on top of that also has read access to the SH-Flash segment.

The CFG-Flash segment consists of several NXP areas, three System Pages and an area of the Buffer RAM for Flash erase/programming (PBRAM area), which are all under specific access control. The NXP areas are reserved for NXP. The three System Pages are combined of a System Page Application, which is blocked in Bootloader Mode and can be read in Application Mode, a System Page Bootloader, which is blocked in Application Mode and can be read in Bootloader Mode, and a System Page Common, which can be read in both, Bootloader Mode and Application Mode. All three pages are accessible in read and write in Service Mode so that write access to these in Application Mode and Bootloader Mode can be put under the control of service software. The PBRAM area isn't accessible in Application Mode, Bootloader Mode and Service Mode as long as it is unlocked. In this state, any allowed write access to an address in the Flash address space outside the PBRAM area immediately locks the PBRAM area to the accessing mode. In this context, Application Mode and Bootloader Mode are not distinguished, and they are overruled by Service Mode in case it is active together with one of these. In case the PBRAM area is locked to Application Mode and Bootloader Mode, and Service Mode is active together with one of these, the locking state is updated to Service Mode with any allowed write access to an address in the Flash address area inside or outside the PBRAM area.

The System RAM address space is composed of an AP-RAM segment, an SV-RAM segment and a PUF-RAM segment. The AP-RAM segment is available for use in Application Mode and in Bootloader Mode whereas SV-RAM segment and PUF-RAM segment are reserved for NXP.

The above described restrictions are valid by default for memory access over the bus system by the CPU. Such access by the PKC coprocessor and DMA controller is blocked completely by default, except for PKC coprocessor access to the PUF-RAM segment, which is reserved for NXP, and to the PKC RAM, which is accessible like for the CPU.

The Memory Management Unit can be utilized by software running in privileged level to open access windows over the bus system for PKC coprocessor and DMA controller to areas, which are blocked by default. Such windows for the PKC coprocessor are restricted to AP-Flash segment, BL-Flash segment, SV-Flash segment, SH-Flash segment and AP-RAM segment and for the DMA controller to the AP-RAM segment. The Memory Management Unit can also be utilized by software running in privileged level to open access windows over the bus system for the CPU. Such windows must be inside segments that are accessible to the software which then can block access to the underlying segments and by this restrict access beyond its default. Access rights to
all windows can be defined for system operation modes and CPU privilege levels. The Memory Management Unit therewith allows the software to protect its operating system and to implement an access control policy among its different applications.

SN100_SE implements a wide range of hardware components. It embeds the Fast Accelerator for Modular Exponentiation of 3rd Generation (Fame3), which can be utilized by the software to accelerate computations required for public-key cryptography like such related to RSA, Elliptic Curve Cryptography (ECC), and Secure Hash Function (SHA).

Hardware component Symmetric Block Cipher (SBC) serves the IC Security Embedded Software with interfacing to a DES coprocessor, an AES coprocessor and a GCM coprocessor. The DES coprocessor provides Triple-DES calculation in 2-key or 3-key operation with a length of 56 bits for each key. The AES coprocessor performs AES encryption and decryption calculations with key lengths of 128, 192 or 256 bits. The GCM coprocessor implements a Galois Field Multiplier to support Galois/Counter Mode (GCM) of operation and GMAC performed by the Crypto Library. Besides ECB mode the SBC hardware supports Cipher Block Chaining Mode (CBC), Cipher Feedback Mode, (CFB) Output Feedback Mode (OFB) and Counter Mode (CTR).

Two CRC coprocessors each serve with checksum computation based on CRC generation polynomials CRC-8, CRC-16 and CRC-32. The Random Number Generator generates true random numbers, which are compliant to AIS31 and FIPS 140-2.

SN100_SE also implements a watchdog counter with time-out mechanism that can be utilized by the software to abort irregular program executions, and provides a CPU Guard with several security functionality, which can be utilized by the software to secure its execution.

Hardware components of SN100_SE can be controlled by the IC Security Embedded Software via Special Function Registers, which are accessible over the bus system on two separate busses. The peripheral control bus is provided for communication and thus gives access to the Special Function Registers of the DMA controller, the communication interfaces, the I/O switch matrix and a component for checksum computations over data streams of the communication interfaces. The Special Function Registers of all other hardware components are accessed on the control bus.

The hardware controls write and read access to its Special Function Registers to the point of single bits and this against Application Mode/Bootloader Mode, Service Mode, NXP Mode and against both privilege levels. This control does not distinguish between Bootloader Mode and Application Mode since these are separated via different start-up cycles in which Special Function Registers are reset to their default values. Also, this control does not consider Shared Mode since it is never stand-alone active. This is valid for accesses from the SC300 processor, whereas accesses from the PKC coprocessor are completely blocked for both busses and accesses from the DMA controller are completely blocked for the control bus.

Based on the above conditions the bus system can be utilized by software running in privileged level to further manage access to hardware components among Application Mode/Bootloader Mode and Service Mode as well as among the CPU privilege levels, which is then enforced by the hardware.

SN100_SE implements complex security functionality to protect code and data during processing and while stored to the device. This includes appropriate memory encryptions and masking schemes to preserve confidentiality. This also includes error detection codes, the Flash Secure Fetch Plus and manifold light sensing to protect integrity. Active and passive shielding is present and operating conditions are monitored by sensors on temperature, power supplies and frequencies.
The TOE hardware operates with an power supply provided by the shared Power Management Unit ("SN100_PMU"). Normal operation is done in power mode ACTIVE, in which all hardware components are in operative condition. The device can be set into power modes SLEEP, DEEP SLEEP and DEEP POWER DOWN, which have different levels of reduced availability of hardware components with appropriately reduced power consumption.

1.4.3.2 IC Dedicated Support Software Description

The IC Dedicated Support Software of SN100_SE consists of the Factory OS, the Boot OS and the Flash Driver Software.

Boot OS, Factory OS and Flash Driver Software are stored to ROM. Patches to the Boot OS are stored to Flash.

The Factory OS provides controlled access to different levels of testing capabilities of SN100_SE. Full testing capabilities are under restricted access to NXP for production testing of SN100_SE and also for in-depth analysis of field returns from particular utilizations of SN100_SE with Customer OS. In addition, limited testing capabilities are accessible to NXP for basic analysis of field returns, which target to preserve the composite product in its original condition. Beyond that, the Factory OS provides the Composite Product Manufacturer with some basic functional testing of SN100_SE and also with a readout of the identification flags of SN100_SE from System Page Common.

The Factory OS implements security functionality to protect from unauthorized access and measures that also authorized access cannot compromise confidentiality of content stored to AP-Flash, BL-Flash, SH-Flash and SV-Flash windows as well as System Page Application, System Page Bootloader and System Page Common.

The Boot OS is executed during start-up after power-on or reset of SN100_SE. It sets up the device and its configuration, and finally jumps to Customer OS, Bootloader OS or Factory OS.

The Flash Driver Software consists of the part of the Services HAL (Hardware Abstraction Layer) that is stored to ROM. The Services HAL provides an interface for the Services Software to the hardware that controls the Flash memory.

1.4.3.3 Services Software Description

The Services Software comprises the Flash Services Software, the Services Framework Software and the part of the Services HAL (Hardware Abstraction Layer) that is not stored to ROM.

Flash Services Software
- The Flash Services Software manages technical demands of the Flash memory and serves the Security IC Embedded Software with an interface for Flash erase and/or programming.
- The Flash Services Software maintains the Flash with re-freshing, tearing-safe updates of Flash contents and wear leveling techniques to ensure integrity and consistency of its content and optimize its endurance.
- For more details, see [11].

Services Framework Software
- The Services Framework Software provides the utility functionality and interface for actual services. This comprises the control of services related functionality such as the resource management, patch handling, service and system configurations functionality.
1.4.3.4 Crypto Library Description

The Crypto Library (or parts thereof\(^4\)) comprises a set of cryptographic functions.

**AES**
- The AES algorithm is intended to provide encryption and decryption functionality.
- The Crypto Library implements AES algorithm with different security configurations. For more details on those different configurations please refer the user guidance documentation of the Crypto Library [13].
- The following modes of operation are supported for AES: ECB, CBC, CFB, CTR, GCM, CBC-MAC, CCM, CMAC and OFB (Crypto Library v2.0.0 only).

**TDES**
- The Triple-DES (TDES) algorithm is intended to provide encryption and decryption functionality.
- The Crypto Library implements Triple-DES algorithm with different security configurations. For more details on those different configurations please refer the user guidance documentation of the Crypto Library [13].
- The following modes of operation are supported for Triple-DES: ECB, CBC, CFB, CTR, CBC-MAC, RetailMAC, CMAC and OFB (Crypto Library v2.0.0 only).
- To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards).

**RSA**
- The RSA algorithm can be used for encryption and decryption as well as for signature generation, signature verification, message encoding and signature encoding.
- The RSA key generation can be used to generate RSA key pairs.
- The RSA public key generation computation can be used to compute the public key that belongs to a given private CRT key.

The TOE supports various key sizes for RSA from 512 to 4096 bits.

**ECC over GF(p)**
- The ECDSA (ECC over GF(p)) algorithm can be used for signature generation and signature verification.
- The ECC over GF(p) key generation algorithm can be used to generate key pairs for ECDSA and ECDH.
- The ECDH (ECC Diffie-Hellman) key exchange algorithm can be used to establish cryptographic keys. It can be also used as secure point multiplication.
- Provide secure point addition for Elliptic Curves over GF(p).

The TOE supports various key sizes for ECC over GF(p) from 128 to 640 bits for signature generation, key pair generation and key exchange. For signature verification the TOE supports key sizes up to a limit of 640 bits.

**ECDAA**

---

\(^4\) Crypto functions are supplied as a library rather than as a monolithic program, and hence a user of the library may include only those functions that are actually required – it is not necessary to include all cryptographic functions of the library in every Security IC Embedded Software. For example, it is possible to omit the RSA or the SHA-1 components. However, some dependencies exist; details are described in the User Manual [10].
• The ECDAA library component can be used for ECDAA signature generation as specified in the TPM 2.0 [72] specification.

**EdDSA & MontDH**

• The EdDSA and MontDH over GF(p) library component implements the EdDSA and MontDH over GF(p) related functions:
  – EdDSA key generation, signature generation and signature verification (generalization of Ed25519 and Ed448), support for filling of EdDSA domain parameters
  – MontDH key generation and key exchange for the DH key exchange scheme MontDH (generalization of Curve25519 and Curve448).

**eUICC**

• The eUICC library component implements the following MILENAGE and TUAK USIM modes: 3G authentication mode, 3G resynchronization mode, Virtual 2G mode, 3G + Kc mode, Anonymity keys for the 3G modes
• Support of the following CAVE operations: SSD generation, Authentication signature generation, CMEA Key and VPM generation

**SHA**

• The SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 algorithms can be used for different purposes such as computing hash values in the course of digital signature creation or key derivation.
• The Crypto Library implements two versions of each SHA algorithm with different security level: standard and high. The difference between the standard and high security level of the SHA implementations is that the high security level SHA is protected against more side-channel attacks.

To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that SHA-1 shall not be used.

**HMAC**

• The HMAC algorithm can be used to calculate Keyed-Hash Authentication code. The TOE supports the calculation of HMAC authentication code with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 or SHA-3/512 hash algorithms. The HMAC algorithm can use either the high security level or standard security level version of SHA, depending on required security level.

To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that HMAC with SHA-1 shall not be used.

The TOE supports various key sizes for HMAC. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards).

**Resistance of cryptographic algorithms against attacks**

The cryptographic algorithms are resistant against attacks as described in JIL [9], which include Side Channel Attacks, Perturbation attacks, Differential Fault Analysis (DFA) and timing attacks, except for standard/high security level SHA and HMAC, which are only resistant against Side Channel Attacks and timing attacks.
More details about conditions and restrictions for resistance against attacks are given in the user documentation of the Crypto Library [13].

Random number generation

• Library component to access random numbers generated by a software (pseudo) random number generator and to perform a test of the hardware (true) random number generator at initialisation.

Further security functionality of the Crypto Library

• Internal security measures for residual information protection
• Secure Memory Copy routine
• Secure Memory Boolean Compare routine
• CRC16 & CRC32 routines for cyclic redundancy check calculation

Further security functionality of the Crypto Library v2.0.0

• KDF hash-based key derivation
• Routines for secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition

Note that the TOE does not restrict access to the functions provided by the hardware: these functions are still directly accessible to the Security IC Embedded Software.

1.4.4 Interfaces of the TOE

Electrical interface

The electrical interface of SN100_SE are the 11 lines between the I/O subsystem and the communication pads, that are exclusively used by the SN100_SE subsystem. The interface can be configured to establish communication with the TOE via the following interfaces:

• Serial Peripheral Interface (SPI)
• I²C interface
• ISO/IEC 7816 compliant interface by use of ISO/IEC 7816 UART
• GPIO interface by use of Special Function Registers

The TOE also provides an electrical interface to the SN100_PMU subsystem, which connects power supply voltage input and ground as reference voltage.

Additional dedicated control interface is:

• Control Interface between Analog Control Block and Power-Clock-Reset Module of the SN100_NFC subsystem

Logical interface

Figure 4 illustrates the logical interface to the Security IC Embedded Software (internal interfaces not drawn, refer to Figure 2 instead).
The logical interface of SN100_SE is composed of the following:

- SC300 Instruction set and Register interface acc. to [40], which is accessible to Security IC Embedded Software as well as Library Software and Services Software running on SN100_SE
- Special Function Registers interface acc. to [14], which is accessible to Security IC Embedded Software as well as Library Software
- Special Function Registers interface acc. to [14], which is accessible to Security IC Embedded Software as well as Services Software
- Crypto Library API, which is accessible to Security IC Embedded Software
- Services Software API, which is accessible to Security IC Embedded Software
- Secure System Mailbox interface for data exchange with SN100_NFC subsystem, which is accessible to Security IC Embedded Software

All logical interfaces other than the Secure System Mailbox interface are accessible via the electrical interfaces SPI, I²C, UART and GPIO.

**Physical interface**

The chip surface must be considered as an interface of the TOE as well. This interface could be exposed to environmental stress or physically manipulated by an attacker.

### 1.4.5 TOE Documentation Overview

- The documentation of the components of the SN100_SE that are common for all logical configurations are identified with their respective version numbers in Table 2 of Section 1.4.2. All components that are specific for SN100_SE B2.1 C25 are listed in Table 3. All components that are specific for SN100_SE B2.1 C48 are listed in Table 4.
- The interfaces of SN100_SE are linked to the documentation in Section 1.4.4.
- Proper use and operation of the hardware is described in [14], with details on some particular hardware components in [16] and [17].
- Particular information on secure use and operation for the hardware is provided in [10].
• Operational guidance for the Services Software is given in [11] and [12].
• The Crypto Library has a separate user guidance documentation [13] and associated user manuals per library component. The user guidance document contains guidelines on the secure usage of the Crypto Library, including the requirements on the environment (the Security IC Embedded Software calling the Crypto Library is considered to be part of the environment). The user manuals contain the specification of the functions provided by the Crypto Library and details of the parameters and options required to call the Crypto Library by the Security IC Embedded Software.
• Information on packaging and delivery of the TOE is given in [15]. This document also describes method for identification of the selected manufacturing option.
2 Conformance Claims

2.1 Conformance Claim

This Security Target and SN100_SE claim conformance to version 3.1 of Common Criteria for Information Technology Security Evaluation, which comprises:


SN100_SE is evaluated against this Security Target in consideration of the methodology in


This Security Target claims to be CC Part 2 extended and CC Part 3 conformant. Section 5 of this Security Target defines the security functional components, which are extended beyond CC Part 2, and also demonstrates that they are consistent with the above conformance claim.

This Security Target also claims strict conformance to Protection Profile


This claim includes conformance to packages defined in the Protection Profile [5]:
- Package "TDES" (with augmentations)
- Package "AES" (with augmentations)

The minimum assurance level for the Protection Profile [5] is EAL4 augmented with AVA_VAN.5 and ALC_DVS.2.

This Security Target claims conformance to assurance package EAL6 augmented with ALC_FLR.1 and ASE_TSS.2.

This claim includes and exceeds the minimum assurance level for the Protection Profile [5] as demonstrated in Section 6.2 of this Security Target.

2.2 Conformance Claim Rationale

SN100_SE is the type of TOE defined in Section 1.3.2 of this Security Target. Its components are detailed in Section 1.4.1 of this Security Target. These descriptions are consistent with the TOE definition in section 1.2.2 of the Protection Profile [5].

The security problem definition in Section 3 of this Security Target includes all threats, organizational security policies and assumptions, which are identified in the Protection Profile [5], and this without any restrictions or modifications. In addition, this Security Target contains new threats, organizational security policies and assumptions. The new assumptions neither mitigate any threat (or a part of it) nor fulfill any organizational security policy (or part of it). This is demonstrated in Section 3.4 of this Security Target.
This Security Target claim package-augmented conformance to the packages for Cryptographic Services "TDES" and "AES", as the selections in the Security Functional Requirements FCS_COP.1 are augmented by additional list of standards.
3 Security Problem Definition

3.1 Description of Assets

The assets and emanating high-level security concerns in section 3.1 of the Protection Profile [5] entirely apply to this Security Target. In compliance with Application Note 8 in the Protection Profile [5] this Security Target identifies the access restrictions of the TOE to its memories and hardware as a further asset. The high-level security concerns of this Security Target are summarized below.

- SC1 Integrity of user data of the Composite TOE and of Security IC Embedded Software, while being executed/processed and while being stored in the TOE’s protected memories
- SC2 Confidentiality of user data of the Composite TOE and of Security IC Embedded Software, while being executed/processed and while being stored in the TOE’s protected memories
- SC3 Correct operation of the security services provided by the TOE for Security IC Embedded Software
- SC4 Deficiency of Random Numbers
- SC5 Correct operation of access restrictions to memories and hardware as provided by the TOE for Security IC Embedded Software

To be able to protect the assets the TOE shall protect its TOE security functionality. Critical information about the TOE security functionality shall be protected by the development environment and the operational environment. Critical information includes the following.

- Logical design data
- Physical design data
- IC Dedicated Software
- Configuration data
- Initialization data and pre-personalization data
- Specific development aids
- Test and characterization related data
- Material for software development support
- Photomasks

3.2 Threats

The threats defined in section 3.2 of the Protection Profile [5] are listed in Table 9. They entirely apply to this Security Target.

Table 9. Threats defined in the Protection Profile

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>T.Malfunction</td>
<td>Malfunction due to Environmental Stress</td>
</tr>
<tr>
<td>T.Abuse-Func</td>
<td>Abuse of Functionality</td>
</tr>
<tr>
<td>T.Phys-Probing</td>
<td>Physical Probing</td>
</tr>
<tr>
<td>T.Phys-Manipulation</td>
<td>Physical Manipulation</td>
</tr>
<tr>
<td>T.Leak-Inherent</td>
<td>Inherent Information Leakage</td>
</tr>
<tr>
<td>T.Leak-Forced</td>
<td>Forced Information Leakage</td>
</tr>
</tbody>
</table>
The threat T.RND explicitly includes both deficiencies of hardware (true) random numbers as well as deficiency of software (pseudo) random numbers provided by the Crypto Library.

In compliance with Application Note 4 of the Protection Profile [5] the TOE provides security functionality that protects against the additional threat listed in Table 10.

### Table 10. Threats added in this Security Target

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>T.Unauthorized-Access</td>
<td>Unauthorized Memory or Hardware Access</td>
</tr>
</tbody>
</table>

The threat in Table 10 is defined below.

**T.Unauthorized-Access**

**Adverse action:**

An attacker may try to read, modify or execute code or data stored to restricted memory areas. An attacker may try to access or operate restricted hardware components by executing code that accidentally or deliberately accesses these restricted hardware components.

- Any code executed or data used in a system operation mode, with and without Shared Mode, may accidentally or deliberately access code or data or hardware components restricted to other system operation modes.
- Any code executed or data used in unprivileged level may accidentally or deliberately access code or data or hardware components restricted to privileged level.
- Any code executed or data used in unprivileged level, which is assigned to a certain application, may accidentally or deliberately access code or data or hardware components restricted to unprivileged level of the same system operation mode but assigned to another application.

**Threat agent:**

Attacker with high attack potential and access to the TOE.

**Asset:**

Code and data belonging to Security IC Embedded Software as well as code and data belonging to IC Dedicated Software.

The TOE provides security functionality for control of access to its memories and hardware components. This control targets to prevent

- Boot OS and Factory OS from being compromised by other software component types,
- Flash Driver Software and Services Software from being compromised by other Security IC Embedded Software - and vice versa,
- Customer OS from being compromised by Bootloader OS - and vice versa,
- Security IC Embedded Software assigned to privileged level from being compromised by Security IC Embedded Software assigned to unprivileged level,
3.3 Organizational Security Policies

The organizational security policies defined in section 3.3 and section 7.4 of the Protection Profile [5] are listed in Table 11. They entirely apply to this Security Target.

Table 11. Organizational security policies defined in the Protection Profile

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>P.Process-TOE</td>
<td>Identification during TOE Development and Production</td>
</tr>
<tr>
<td>P.Crypto-Service</td>
<td>Cryptographic services of the TOE</td>
</tr>
</tbody>
</table>

In compliance with Application Note 5 of the Protection Profile [5] the TOE provides security components and security functionality, which require additional organizational security policies that are listed in Table 12.

Table 12. Organizational security policies added in this Security Target

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>P.Add-Components</td>
<td>Additional Specific Hardware Security Components</td>
</tr>
<tr>
<td>P.Add-Func</td>
<td>Additional Specific Security Functionality of Crypto Library</td>
</tr>
</tbody>
</table>

The organizational security policies in Table 12 are defined as follows.

**P.Add-Components**  
*Additional Specific Hardware Security Components*  
The TOE shall provide the following additional security functionality to the Security IC Embedded Software:

- Integrity support of content stored to Flash memory
- Computation of Cyclic Redundancy Checks
- Support for Galois/Counter Mode (GCM) and GMAC

The security policies of the TOE include specific security policies for the Crypto Library. The Crypto Library part of the TOE uses the AES co-processor hardware to provide AES security functionality, and the DES co-processor hardware to provide Triple-DES security functionality. The following security functionality is provided by the Crypto Library for use by the Security IC Embedded Software:

**P.Add-Func**  
*Additional Specific Security Functionality of Crypto Library*  
The TOE shall provide the following additional security functionality to the Security IC Embedded Software:

- AES encryption and decryption
- Triple-DES encryption and decryption
- RSA encryption, decryption, signature generation, signature verification, message encoding and signature encoding
- RSA public key computation
- RSA key generation
• ECDSA (ECC over GF(p)) signature generation and verification
• ECC over GF(p) key generation
• ECDH (ECC Diffie-Hellman) key exchange
• ECC over GF(p) point addition
• TPM 2.0 ECDAA (ECC-based Direct Anonymous Attestation) signature generation
• MontDH (Montgomery Curves over GF(p)) key generation
• MontDH (Diffie Hellman on Montgomery Curves) key exchange
• EdDSA (Edwards-curve Digital Signature Algorithm) signature generation and verification
• EdDSA (Edwards-curve Digital Signature Algorithm) key generation
• eUICC authentication functions
• HMAC algorithm
• access to the RNG (implementation of a software RNG)
• secure memory copy routine
• secure memory compare routine
• Cyclic Redundancy Checks routine

Crypto Library v2.0.0 only:
• KDF hash-based key derivation
• routines for secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition

In addition, for this functionality the TOE shall provide protection of residual information, and resistance against attacks as described in Note 4 and in Section 7.2.2.

3.4 Assumptions

The assumptions defined in section 3.4 of the Protection Profile [5] are listed in Table 13. They entirely apply to this Security Target.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>A.Process-Sec-IC</td>
<td>Protection during Packaging, Finishing and Personalisation</td>
</tr>
<tr>
<td>A.Resp-Appl</td>
<td>Treatment of user data of the Composite TOE</td>
</tr>
</tbody>
</table>

In compliance with Application Notes 6 and 7 of the Protection Profile [5] the TOE provides security functionality, which requires an additional assumption that is listed in Table 14.
Table 14. Assumptions added in this Security Target

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>A.Check-Init</td>
<td>Check of TOE identification data</td>
</tr>
</tbody>
</table>

The assumption in Table 14 is defined below.

**A.Check-Init**

Check of TOE identification data

It is assumed that either the Security IC Embedded Software implements a function, which checks the TOE identification data, or the Composite Product Manufacturer uses the command interface to the Factory OS of the TOE to check the TOE identification data. The TOE identification data are part of the initialization data. They are defined with the order entry of the TOE from the Composite Product Manufacturer and are injected by the TOE Manufacturer into the Flash memory of the TOE. TOE identification data can be used to identify and to trace a certain instantiation of the TOE.
4 Security Objectives

4.1 Security Objectives for the TOE

The security objectives for the TOE defined in section 4.1, section 7.2.1 and section 7.4 of the Protection Profile [5] are listed in Table 15. They entirely apply to this Security Target.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.Malfunction</td>
<td>Protection against Malfunctions</td>
</tr>
<tr>
<td>O.Abuse-Func</td>
<td>Protection against Abuse of Functionality</td>
</tr>
<tr>
<td>O.Phys-Probing</td>
<td>Protection against Physical Probing</td>
</tr>
<tr>
<td>O.Phys-Manipulation</td>
<td>Protection against Physical Manipulation</td>
</tr>
<tr>
<td>O.Leak-Inherent</td>
<td>Protection against Inherent Information Leakage</td>
</tr>
<tr>
<td>O.Leak-Forced</td>
<td>Protection against Forced Information Leakage</td>
</tr>
<tr>
<td>O.RND</td>
<td>Random Numbers</td>
</tr>
<tr>
<td>O.Identification</td>
<td>TOE Identification</td>
</tr>
<tr>
<td>O.TDES</td>
<td>Cryptographic service Triple-DES</td>
</tr>
<tr>
<td>O.AES</td>
<td>Cryptographic service AES</td>
</tr>
</tbody>
</table>

In compliance with Application Note 9 of the Protection Profile [5] the TOE provides security functionality that results in the additional security objectives for the TOE listed in Table 16.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.MEM-ACCESS</td>
<td>Memory Access Control</td>
</tr>
<tr>
<td>O.SFR-ACCESS</td>
<td>Special Function Register Access Control</td>
</tr>
<tr>
<td>O.FLASH-INTEGRITY</td>
<td>Integrity support of data stored to Flash memory</td>
</tr>
<tr>
<td>O.GCM-SUPPORT</td>
<td>Support for NIST Galois/Counter Mode and GMAC</td>
</tr>
<tr>
<td>O.CRC</td>
<td>Cyclic Redundancy Checks</td>
</tr>
</tbody>
</table>

In addition, the Crypto Library provides security functionality that results in the additional security objectives for the TOE listed in Table 17.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.SW_AES</td>
<td>Software AES</td>
</tr>
<tr>
<td>O.SW_DES</td>
<td>Software DES</td>
</tr>
<tr>
<td>O.RSA</td>
<td>RSA</td>
</tr>
<tr>
<td>O.RSA_PubExp</td>
<td>RSA public key</td>
</tr>
<tr>
<td>O.RSA_KeyGen</td>
<td>RSA key pairs generation</td>
</tr>
<tr>
<td>Name</td>
<td>Title</td>
</tr>
<tr>
<td>------------------</td>
<td>-----------------------------------------------</td>
</tr>
<tr>
<td>O.ECDSA</td>
<td>ECCSA signature generation &amp; verification</td>
</tr>
<tr>
<td>O.ECC_DHKE</td>
<td>ECC Diffie-Hellman key exchange</td>
</tr>
<tr>
<td>O.ECC_KeyGen</td>
<td>ECC key pairs generation</td>
</tr>
<tr>
<td>O.ECC_Add</td>
<td>ECC point addition</td>
</tr>
<tr>
<td>O.ECDAA</td>
<td>TPM 2.0 functions</td>
</tr>
<tr>
<td>O.SHA</td>
<td>SHA algorithms</td>
</tr>
<tr>
<td>O.HMAC</td>
<td>HMAC algorithm</td>
</tr>
<tr>
<td><strong>for Crypto Library v2.0.0:</strong></td>
<td><strong>KDF</strong></td>
</tr>
<tr>
<td>O.KDF</td>
<td>KDF hash-based key derivation</td>
</tr>
<tr>
<td>O.EDDSA</td>
<td>EdDSA signature generation &amp; verification</td>
</tr>
<tr>
<td>O.EDDSA_KeyGen</td>
<td>EdDSA key generation</td>
</tr>
<tr>
<td>O.MONT_KeyGen</td>
<td>MontDH key generation</td>
</tr>
<tr>
<td>O.MONT_DHKE</td>
<td>MontDH Diffie-Hellman key exchange</td>
</tr>
<tr>
<td>O.EUICC</td>
<td>eUICC</td>
</tr>
<tr>
<td>O.SW_CRC</td>
<td>Software CRC</td>
</tr>
<tr>
<td>O.COPY</td>
<td>Memory copy</td>
</tr>
<tr>
<td>O.COMpare</td>
<td>Memory compare</td>
</tr>
<tr>
<td>O.REUSE</td>
<td>Memory clear for reuse</td>
</tr>
<tr>
<td><strong>for Crypto Library v2.0.0:</strong></td>
<td><strong>Arithmetic operations</strong></td>
</tr>
<tr>
<td>O.ARITH_OP</td>
<td>Arithmetic operations</td>
</tr>
</tbody>
</table>

The security objectives in Table 16 and Table 17 are defined as follows:

**O.MEM-ACCESS**  
Memory Access Control  
The TOE controls access of the SC300 processor, the DMA Controller and the PKC coprocessor over the bus system to ROM, Flash address space, System RAM and PKC RAM. The TOE also controls access of the PKC coprocessor over its Direct Memory Access (DMA) channel to PKC RAM. Control of access is enforced on these ports by generic limitations as well as restrictions based on system operation modes and CPU privilege levels.

**O.SFR-ACCESS**  
Special Function Register Access Control  
The TOE controls access of the SC300 processor, the DMA Controller and the PKC coprocessor over the bus system to the Special Function Registers of the hardware components. Control of access is enforced on these ports by generic limitations as well as restrictions based on system operation modes and CPU privilege levels.
<table>
<thead>
<tr>
<th>Feature</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.FLASH-INTTEGRITY</td>
<td>Integrity support of data stored to Flash memory. The TOE preserves integrity of content stored to its Flash memory with wearout detection capabilities.</td>
</tr>
<tr>
<td>O.GCM-SUPPORT</td>
<td>Support for Galois/Counter Mode and GMAC. The TOE provides secure hardware based multiplication operation on blocks and incrementing function for the Galois/Counter Mode (GCM) and GMAC.</td>
</tr>
<tr>
<td>O.CRC</td>
<td>Cyclic Redundancy Checks. The TOE provides secure hardware based computation of Cyclic Redundancy Checks (CRC).</td>
</tr>
<tr>
<td>O.SW_AES</td>
<td>Software AES. The TOE includes functionality to provide encryption and decryption facilities of the AES algorithm, see Note 4.</td>
</tr>
<tr>
<td>O.SW_DES</td>
<td>Software DES. The TOE includes functionality to provide encryption and decryption facilities of the Triple-DES algorithm, see Note 4.</td>
</tr>
<tr>
<td>O.RSA</td>
<td>RSA. The TOE includes functionality to provide encryption, decryption, signature creation, signature verification, message encoding and signature encoding using the RSA algorithm, see Note 4.</td>
</tr>
<tr>
<td>O.RSA_PubExp</td>
<td>RSA public key. The TOE includes functionality to compute an RSA public key from an RSA private key, see Note 4.</td>
</tr>
<tr>
<td>O.RSA_KeyGen</td>
<td>RSA key pairs generation. The TOE includes functionality to generate RSA key pairs, see Note 4.</td>
</tr>
<tr>
<td>O.ECDSA</td>
<td>ECCSA signature generation &amp; verification. The TOE includes functionality to provide signature generation and signature verification using the ECC over GF(p) algorithm, see Note 4.</td>
</tr>
<tr>
<td>O.ECC_DHKE</td>
<td>ECC Diffie-Hellman key exchange. The TOE includes functionality to provide Diffie-Hellman key exchange based on ECC over GF(p), see Note 4.</td>
</tr>
<tr>
<td>O.ECC_KeyGen</td>
<td>ECC key pairs generation. The TOE includes functionality to generate ECC over GF(p) key pairs, see Note 4.</td>
</tr>
<tr>
<td>O.ECC_Add</td>
<td>ECC point addition. The TOE includes functionality to provide a point addition based on ECC over GF(p), see Note 4.</td>
</tr>
<tr>
<td>O.ECDAA</td>
<td>ECDAA TPM 2.0 functions. The TOE includes functionality to support the TPM 2.0 ECDAA signature generation, see Note 4.</td>
</tr>
<tr>
<td>Function</td>
<td>Description</td>
</tr>
<tr>
<td>----------</td>
<td>-------------</td>
</tr>
<tr>
<td>O.SHA</td>
<td>SHA algorithms&lt;br&gt;The TOE includes functionality to provide electronic hashing facilities using the SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 algorithms.</td>
</tr>
<tr>
<td>O.HMAC</td>
<td>HMAC algorithm&lt;br&gt;The TOE includes the functionality to provide keyed hash message authentication facilities using the HMAC algorithm.</td>
</tr>
<tr>
<td>O.KDF</td>
<td>KDF hash-based key derivation&lt;br&gt;The TOE includes the functionality to perform hash-based key derivation calculations using any of the SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 or SHA-3/512 hash algorithms. (For Crypto Library v2.0.0 only).</td>
</tr>
<tr>
<td>O.SW_CRC</td>
<td>Software CRC&lt;br&gt;The TOE includes functionality to provide Cyclic Redundancy Checks.</td>
</tr>
<tr>
<td>O.EDDSA</td>
<td>EdDSA signature generation &amp; verification&lt;br&gt;The TOE includes functionality to provide signature generation and signature verification using the EdDSA algorithm, see Note 4.</td>
</tr>
<tr>
<td>O.EDDSA_KeyGen</td>
<td>EdDSA key generation&lt;br&gt;The TOE includes functionality to generate EdDSA key pairs, see Note 4.</td>
</tr>
<tr>
<td>O.MONT_KeyGen</td>
<td>MontDH key generation&lt;br&gt;The TOE includes functionality to generate key pairs for the DH key exchange scheme MontDH which generalizes Curve25519 to a wider class of Montgomery curves over GF(p), see Note 4.</td>
</tr>
<tr>
<td>O.MONT_DHKE</td>
<td>MontDH Diffie-Hellman key exchange&lt;br&gt;The TOE includes functionality to provide Diffie-Hellman key exchange for the DH key exchange scheme MontDH which generalizes Curve25519 to a wider class of Montgomery curves over GF(p), see Note 4.</td>
</tr>
<tr>
<td>O.EUICC</td>
<td>eUICC&lt;br&gt;The TOE includes functionality to perform eUICC authentication functions using the cryptographic algorithms MILENAGE, CAVE and TUAK, see Note 4.</td>
</tr>
<tr>
<td>O.COPY</td>
<td>Memory copy&lt;br&gt;The TOE includes functionality to copy memory content, see Note 4.</td>
</tr>
<tr>
<td>O.COMPARE</td>
<td>Memory compare&lt;br&gt;The TOE includes functionality to compare memory content, see Note 4.</td>
</tr>
</tbody>
</table>
O.REUSE Memory flush for reuse
The TOE includes measures to ensure that the memory resources being used by the TOE cannot be disclosed to subsequent users of the same memory resource.

O.ARITH_OP Arithmetic operations
The TOE includes functionality for secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition, see Note 4. (For Crypto Library v2.0.0 only).

Note 4. All introduced security objectives claiming cryptographic functionality and the security objectives for copy and compare are protected against attacks as described in the JIL, Attack Methods for smartcards and Similar Devices [9], which include Side Channel Attacks, Perturbation attacks, Differential Fault Analysis (DFA) and timing attack. The following exceptions apply:

1. SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 are provided by the TOE with two implementations with different level of security:
   • One implementation that protects against non-differential side channel attacks (e.g. non-differential template attacks)
   • The second implementation protects against differential and non-differential side channel attacks
2. HMAC implementation do not contain protective measures against DFA.
3. The security objectives for copy, compare and arithmetic operations (secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition) are secured against fault attacks and non-differential side channel attacks. Please note that non-differential side channel attacks also include profiled non-differential attacks like standard template attacks.

More details about conditions and restrictions for resistance against attacks are given in the user documentation of the Crypto Library.

To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards).

4.2 Security Objectives for the Security IC Embedded Software
The security objectives for the Security IC Embedded Software defined in section 4.2 of the Protection Profile [5] are listed in Table 18. They entirely apply to this Security Target.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>OE.Resp-Appl</td>
<td>Treatment of user data of the Composite TOE</td>
</tr>
</tbody>
</table>

This Security Target does not add security objectives for the Security IC Embedded Software.

4.3 Security Objectives for the Operational Environment
The security objectives for the operational environment in section 4.3 of the Protection Profile [5] are listed in Table 19. They entirely apply to this Security Target.
Table 19. Security objectives for the operational environment defined in the Protection Profile

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>OE.Process-Sec-IC</td>
<td>Protection during composite product manufacturing</td>
</tr>
</tbody>
</table>

This Security Target adds the security objectives for the operational environment listed in Table 20.

Table 20. Security Objectives for the operational environment added in this Security Target

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>OE.Check-Init</td>
<td>Check of TOE identification data</td>
</tr>
</tbody>
</table>

The security objectives in Table 20 are defined below.

**OE.Check-Init**

**Check of TOE identification data**

To ensure the receipt of the correct TOE, the Security IC Embedded Software or the Composite Product Manufacturer shall check the TOE identification data. The TOE identification data are stored to System Page Common of the Flash. They can be used to identify and to trace a certain instantiation of the TOE.

4.4 Security Objectives Rationale

Table 21 traces the security objectives for the TOE in Section 4.1 back to the threats countered by them and the organisational security policies enforced by them. The table also traces the security objectives for the Security IC Embedded Software and for the operational environment in Section 4.2 and Section 4.3 back to the assumptions they uphold.

Table 21. Tracing of security objectives

<table>
<thead>
<tr>
<th>Name of threat, org. security policy or assumption</th>
<th>Name of security objective</th>
<th>Applied to life cycle phases</th>
</tr>
</thead>
<tbody>
<tr>
<td>T.Malfunction</td>
<td>O.Malfunction</td>
<td></td>
</tr>
<tr>
<td>T.Abuse-Func</td>
<td>O.Abuse-Func</td>
<td></td>
</tr>
<tr>
<td>T.Phys-Probing</td>
<td>O.Phys-Probing</td>
<td></td>
</tr>
<tr>
<td>T.Phys-Manipulation</td>
<td>O.Phys-Manipulation</td>
<td></td>
</tr>
<tr>
<td>T.Leak-Inherent</td>
<td>O.Leak-Inherent</td>
<td></td>
</tr>
<tr>
<td>T.Leak-Forced</td>
<td>O.Leak-Forced</td>
<td></td>
</tr>
<tr>
<td>T.RND</td>
<td>O.RND</td>
<td></td>
</tr>
<tr>
<td>T.Unauthorized-Access</td>
<td>O.MEM-ACCESS</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.SFR-ACCESS</td>
<td></td>
</tr>
<tr>
<td>P.Process-TOE</td>
<td>O.Identification</td>
<td>phases 2 to phase 4</td>
</tr>
<tr>
<td>P.Crypto-Service</td>
<td>O.TDES</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.AES</td>
<td></td>
</tr>
<tr>
<td>P.Add-Components</td>
<td>O.FLASH-INTEGRITY</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.GCM-SUPPORT</td>
<td></td>
</tr>
<tr>
<td>Name of threat, org. security policy or assumption</td>
<td>Name of security objective</td>
<td>Applied to life cycle phases</td>
</tr>
<tr>
<td>-------------------------------------------------</td>
<td>-----------------------------</td>
<td>-------------------------------</td>
</tr>
<tr>
<td>P.Add-Func</td>
<td>O.CRC</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.SW_AES</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.SW_DES</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.RSA</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.RSA_PubExp</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.RSA_KeyGen</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ECDSA</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ECC_DHKE</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ECC_KeyGen</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ECC_Add</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ECDAA</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.SHA</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.HMAC</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.EDDSA</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.EDDSA_KeyGen</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.MONT_KeyGen</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.MONT_DHKE</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.EUICC</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.COPY</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.COMPARE</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.REUSE</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.SW_CRC</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.RND</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.KDF</td>
<td></td>
</tr>
<tr>
<td></td>
<td>O.ARITH_OP</td>
<td></td>
</tr>
</tbody>
</table>

*for Crypto Library v2.0.0:*

<p>| | |</p>
<table>
<thead>
<tr>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The green and blue colored cells in Table 18 show how the Protection Profile [5] traces its security objectives back to its threats, organizational security policies and assumptions, see section 4.4. Green marks this for the mandatory security requirements of the protection profile, blue marks this for the augmentations including package "TDES" and "AES". Section 4.4 of the Protection Profile [5] also gives the security objective rationale for the tracings colored in green.
Security objectives O.TDES and O.AES together enforce organizational security policy P.Crypto-Service since they target such kind of cryptographic services defined in P.Crypto-Service.

O.MEM-ACCESS and O.SFR-ACCESS counter threat T.Unauthorized-Access for two reasons. First, O.MEM-ACCESS targets to control all access ports available in the TOE to its memories and O.SFR-ACCESS targets to control all access ports available in the TOE to the Special Function Registers of its hardware components. Secondly, both objectives target to control accesses via these ports based on system operation modes, which are used to separate software component types from each other and based on CPU privilege levels, which can be used by a software component type to separate its operating system from the applications it may implement and also to separate its applications from each other.

Security objectives O.FLASH-INTEGRITY, O.GCM-SUPPORT and O.CRC together enforce organizational security policy P.Add-Components since they target at the components defined in P.Add-Components.

The objectives O.SW_AES, O.SW_DES, O.RSA, O.RSA_PubExp, O.RSA_KeyGen, O.ECDSA, O.ECC_DHKE, O.ECC_KeyGen, O.ECC_Add, O.ECDAA, O.SHA, O.HMAC, O.KDF, O.EDDSA, O.EDDSA_KeyGen, O.MONT_KeyGen, O.MONT_DHKE, O.EUICC, O.COPY, O.COMPARE, O.ARITH_OP, O.SW_CRC and O.REUSE require the TOE to implement exactly the same specific security functionality as required by P.Add-Func, therefore the organizational security policy P.Add-Func is covered by the security objectives.

The security objective for the operational environment OE.Check-Init derives from assumption A.Check-Init. It requires the operational environment to implement the measure assumed in assumption A.Check-Init.
5 Extended Components Definition

The extended components defined in chapter 5 of the Protection Profile [5] are listed in Table 22. They entirely apply to this Security Target.

Table 22. Extended components defined in the Protection Profile

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>FCS_RNG</td>
<td>Generation of random numbers</td>
</tr>
<tr>
<td>FMT_LIM</td>
<td>Limited capabilities and availability</td>
</tr>
<tr>
<td>FAU_SAS</td>
<td>FAU_SAS Audit data storage</td>
</tr>
<tr>
<td>FDP_SDC</td>
<td>Stored data confidentiality</td>
</tr>
</tbody>
</table>

To define the IT Security Functional Requirements of the TOE an additional family (FDP_SOP) of the Class FDP (user data protection) is defined here. This family describes the functional requirements for basic operations on data in the TOE.

As defined in CC Part 2, FDP class addresses user data protection. Secure basic operations (FDP_SOP) address protection of user data when it is processed by Copy or Compare function, respectively. Therefore, it is judged that FDP class is suitable for FDP_SOP family.

The reason for adding an extra family to FDP class is that existing families do not address protection of user data against all relevant attacks.

5.1 Secure basic operations (FDP_SOP)

Family Behaviour

This family defines requirements addressing the protection of data during security relevant basic operations inside the TSF. The data can comprise user data as well as TSF data. Appropriate separation between user data or TSF data shall be ensured by sequential, atomic processing of either TSF data or user data. The integrity and confidentiality of the data shall be protected during the processing of the basic operation against attacks. Each influence or interaction of the TOE that is not intended and/or specified is considered as attack.

Component levelling

| FDP_SOP secure basic operations | 1 |

FDP_SOP.1 requires the TOE to provide the possibility to perform basic secure operations on data

Management: FDP_SOP.1

There are no management activities foreseen.

Audit: FDP_SOP.1

There are no actions defined to be auditable.
FDP_SOP.1 | Secure Basic Operations
---|---
Hierarchical to: | No other components.
Dependencies: | No dependencies.
FDP_SOP.1.1 | The TSF shall provide basic operations [selection: Copy, Compare, Arithmetic operations (secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition)] on objects stored in the TOE. The basic operation is applied between objects stored in [assignment: list of memory locations] and [assignment: list of memory locations].
FDP_SOP.1.2 | The TSF shall protect the data against attacks from [selection: disclosure, modification] that can be inherently applied during the processing of the basic operations.

Application Notes:
The different memories are seen as possible objects.
The attacks addressed by disclosure and modification comprise side-channel attacks including timing attacks, fault injection attacks including manipulation of the basic operation result and attacks trying to violate the data separation based on the sequential operation.
6 Security Requirements

6.1 Security Functional Requirements for the TOE

6.1.1 General


6.1.2 Security Functional Requirements from Protection Profile

Table 23 lists the security functional requirements for the TOE, which are defined in section 6.1 and in sections 7.4.1 and 7.4.2 of the Protection Profile [5]. They entirely apply to this Security Target.

Table 23. Security Functional Requirements from the Protection Profile

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>FRUFLT.2</td>
<td>Limited fault tolerance</td>
</tr>
<tr>
<td>FPTFLS.1</td>
<td>Failure with preservation of secure state</td>
</tr>
<tr>
<td>FMTLIM.1</td>
<td>Limited capabilities</td>
</tr>
<tr>
<td>FMTLIM.2</td>
<td>Limited availability</td>
</tr>
<tr>
<td>FPTPHP.3</td>
<td>Resistance to physical attack</td>
</tr>
<tr>
<td>FDPITT.1</td>
<td>Basic internal transfer protection</td>
</tr>
<tr>
<td>FPTITT.1</td>
<td>Basic internal TSF data transfer protection</td>
</tr>
<tr>
<td>FDPIFC.1</td>
<td>Subset information flow control</td>
</tr>
</tbody>
</table>

On some further Security Functional Requirements from the Protection Profile [5] operations are made. Table 23 gives an overview on the Security Functional Requirement that were subject to refinement, selection, assignment and/or iteration operations in this Security Target.

Table 24. Security Functional Requirements from the Protection Profile with operations done in this Security Target

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>FAUSAS.1</td>
<td>Audit storage</td>
</tr>
<tr>
<td>FDPSDC.1</td>
<td>Stored data confidentiality</td>
</tr>
<tr>
<td>FDPSDI.2</td>
<td>Stored data integrity monitoring and action</td>
</tr>
<tr>
<td>FCSRNG.1</td>
<td>Random number generation</td>
</tr>
<tr>
<td>FSCOP.1</td>
<td>Cryptographic operation</td>
</tr>
<tr>
<td>FSCOP.1/AE</td>
<td></td>
</tr>
<tr>
<td>FCSRNG.1/AGE</td>
<td></td>
</tr>
<tr>
<td>FCSRNG.1/FLT</td>
<td></td>
</tr>
</tbody>
</table>
FPT_FLS.1 requests the TSF to preserve a secure state when the TOE is exposed to operating conditions which may not be tolerated according to FRU_FLT.2. The TOE detects such operating conditions and forces itself into a secure state as long as these conditions are valid. This secure state is enforced by security feature SF.OPC as described in Section 7.1.3. This addresses Application Note 14 in the Protection Profile [5].

The TOE does not generate audit data for FRU_FLT.2 and/or FPT_FLS.1. This addresses Application Note 15 in the Protection Profile [5].

FPT_PHP.3 requests the TSF to resist physical manipulation and physical probing by responding automatically such that the security functional requirements are always enforced. The TOE implements two types of such automatic responses. One type of response is permanent and implicitly hampers exploitability or already incidence of physical attacks. The other type of response is conditional upon a failed check and explicitly detects physical attacks. Such type of response stops operation of the TOE or the attacked parts of it. These responses are enforced by security feature SF.PHY as described in Section 7.1.3. This addresses Application Note 19 in the Protection Profile [5].

Refinement, selection, assignment and iteration operations on the security functional requirements in Table 23 are performed in this Security Target as detailed below. Iteration operations are notified by a slash, which is appended to the name of the security functional requirement and followed by an identifier. Selection and assignment operations are denoted in italics. Refinements are denoted just as described in the Protection Profile [5].

This Security Target performs one selection and two assignment operations on FAU_SAS.1 according to Application Note 17 in the Protection Profile [5].

FAU_SAS.1
Audit storage
Hierarchical to: No other components.
Dependencies: No dependencies.
FAU_SAS.1.1
The TSF shall provide the test process before TOE Delivery with the capability to store the Initialisation Data, Pre-personalisation Data and other user data in the Flash memory.

This Security Target performs one assignment operation on FDP_SDC.1 according to Application Note 18 in the Protection Profile [5].

FDP_SDC.1
Stored data confidentiality
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_SDI.1.1
The TSF shall ensure the confidentiality of the information of the user data while it is stored in the Flash memory.
This Security Target performs two iteration operations on FDP_SDI.2, which comply with section 8.1 in CC Part 1 [1], and also performs two assignment operations on each iteration according to Application Note 18 in the Protection Profile [5].

**FDP_SDI.2/AGE**

**Stored data integrity monitoring and action - Ageing**

Hierarchical to: FDP_SDI.1 Stored data integrity monitoring

Dependencies: No dependencies.

The TSF shall monitor user data stored in containers controlled by the TSF for **integrity violations due to ageing** on all objects, based on the following attributes: **ageing check information associated with the data including code stored to the Flash memory**.

**FDP_SDI.2/FLT**

**Stored data integrity monitoring and action - Faults**

Hierarchical to: FDP_SDI.1 Stored data integrity monitoring

Dependencies: No dependencies.

The TSF shall monitor user data stored in containers controlled by the TSF for **modification, deletion, repetition or loss of data** on all objects, based on the following attributes: **integrity check information associated with the data including code stored to the Flash memory, the ROM, the System RAM, the PKC RAM and the Buffer RAM**.

**FDP_SDI.2/FCS**

**Random number generation - FCS.2**

Hierarchical to: No other components.

Dependencies: No dependencies.

This Security Target performs an iteration operation on FCS_RNG.1, which complies with section 8.1 in CC Part 1 [1]. It also performs two assignment operations on each iteration of FCS_RNG.1 according to Application Note 21 in the Protection Profile [5]. The operations follow the example and its Application Note 44 in section 7.5.1 of the Protection Profile in consideration of the updated documents [7] and [6].

**FCS_RNG.1/PTG.2**

**Random number generation - PTG.2**

Hierarchical to: No other components.

Dependencies: No dependencies.

Note: This security functional requirement complies with PTG.2 in [6].
FCS_RNG.1.1/PTG.2

The TSF shall provide a physical\(^\text{14}\) random number generator that implements:

**(PTG.2.1)** A total failure test detects a total failure of entropy source immediately when the RNG has started. When a total failure is detected, no random numbers will be output.

**(PTG.2.2)** If a total failure of the entropy source occurs while the RNG is being operated, the RNG prevents the output of any internal random number that depends on some raw random numbers that have been generated after the total failure of the entropy source.

**(PTG.2.3)** The online test shall detect non-tolerable statistical defects of the raw random number sequence (i) immediately when the RNG has started, and (ii) while the RNG is being operated. The TSF must not output any random numbers before the power-up online test has finished successfully or when a defect has been detected.

**(PTG.2.4)** The online test procedure shall be effective to detect non-tolerable weaknesses of the random numbers soon.

**(PTG.2.5)** The online test procedure checks the quality of the raw random number sequence. It is triggered continuously. The online test is suitable for detecting non-tolerable statistical defects of the statistical properties of the raw random numbers within an acceptable period of time.\(^\text{15}\)

FCS_RNG.1.2/PTG.2

The TSF shall provide octets of bits or packages of 32 bits\(^\text{16}\) that meet

**(PTG.2.6)** Test procedure A does not distinguish the internal random numbers from output sequences of an ideal RNG.

**(PTG.2.7)** The average Shannon entropy per internal random bit exceeds 0.997.\(^\text{17}\)

Sections 7.4.1 and 7.4.2 of the Protection Profile [5] perform operations on two iterations of each, FCS_COP.1 and FCS_CKM.4 for package "TDES" and for package "AES". This Security Target completes these operations in compliance with section 8.1 in CC Part 1 [1]: On the iterations of FCS_COP.1 selection and refinement operations are performed. On the iterations of FCS_CKM.4 assignments are made.

FCS_COP.1/TDES

**Cryptographic operation - TDES**

Hierarchical to: No other components.

Dependencies:

[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction.

---

\(^{14}\) [selection: physical, hybrid physical, hybrid deterministic]

\(^{15}\) [assignment: list of security capabilities]

\(^{16}\) [selection: bits, octets of bits, numbers [assignment: format of the numbers]]

\(^{17}\) [assignment: a defined quality metric]
The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm. 

**FCS_COP.1.1/TDES**

**Hierarchical to:** No other components.

**Dependencies:** 
[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]

The TSF shall encrypt and decrypt data in accordance with a specified cryptographic algorithm.

**FCS_CKM.4/TDES**

**Cryptographic key destruction - TDES**

**Hierarchical to:** No other components.

**Dependencies:** 
[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]

The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method.

**FCS_CKM.4.1/TDES**

The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting the internally stored key that meets the following: none.

**FCS_COP.1/AES**

**Cryptographic operation - AES**

**Hierarchical to:** No other components.

**Dependencies:** 
[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]

The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm.

**FCS_COP.1.1/AES**

**Hierarchical to:** No other components.

**Dependencies:** 
[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]

FCS_CKM.4.1/AES

The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting the internally stored key that meets the following: none.

---

18 [assignment: list of cryptographic operations]
19 [assignment: list of cryptographic algorithm]
20 [assignment: cryptographic key sizes]
21 [assignment: list of standards]
22 [assignment: cryptographic key destruction method]
23 [assignment: list of standards]
24 [assignment: list of cryptographic operations]
25 [assignment: list of cryptographic algorithm]
26 [assignment: cryptographic key sizes]
27 [assignment: list of standards]
28 [assignment: list of cryptographic key destruction method]
6.1.3 Security Functional Requirements added in this Security Target

Table 25 lists the Security Functional Requirements for the TOE, which are added in this Security Target. These Security Functional Requirements are taken from CC Part 2 [2]. They are subject to refinement, selection, assignment and/or iteration operations in this Security Target. The Security Functional Requirement based on the definition in Section 5.1 is listed here as well.

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>FDP_ACC.1:</td>
<td>Subset access control</td>
</tr>
<tr>
<td>• FDP_ACC.1/MEM</td>
<td></td>
</tr>
<tr>
<td>• FDP_ACC.1/SFR</td>
<td></td>
</tr>
<tr>
<td>FDP_ACF.1:</td>
<td>Security attribute based access control</td>
</tr>
<tr>
<td>• FDP_ACF.1/MEM</td>
<td></td>
</tr>
<tr>
<td>• FDP_ACF.1/SFR</td>
<td></td>
</tr>
<tr>
<td>FMT_MSA.1:</td>
<td>Management of security attributes</td>
</tr>
<tr>
<td>• FMT_MSA.1/MEM</td>
<td></td>
</tr>
<tr>
<td>• FMT_MSA.1/SFR</td>
<td></td>
</tr>
<tr>
<td>FMT_MSA.3:</td>
<td>Static attribute initialisation</td>
</tr>
<tr>
<td>• FMT_MSA.3/MEM</td>
<td></td>
</tr>
<tr>
<td>• FMT_MSA.3/SFR</td>
<td></td>
</tr>
<tr>
<td>FMT_SMF.1</td>
<td>Management of TSF data</td>
</tr>
<tr>
<td>FCS_COP.1:</td>
<td>Cryptographic operation</td>
</tr>
<tr>
<td>• FCS_COP.1/GCM</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/CRC</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/SW_AES</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/SW_DES</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/RSA</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/RSA_PAD</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/RSA_PubExp</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/ECDSA</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/ECC_DHKE</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/ECC_Add</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/ECDAA</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/SHA</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/HMAC</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/EDDSA</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/MONT_DHKE</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/EUICC</td>
<td></td>
</tr>
<tr>
<td>• FCS_COP.1/SW_CRC</td>
<td></td>
</tr>
<tr>
<td>FCS_CKM.1:</td>
<td>Cryptographic key generation</td>
</tr>
<tr>
<td>• FCS_CKM.1/RSA</td>
<td></td>
</tr>
<tr>
<td>• FCS_CKM.1/ECC</td>
<td></td>
</tr>
<tr>
<td>• FCS_CKM.1/EDDSA</td>
<td></td>
</tr>
<tr>
<td>• FCS_CKM.1/MONT</td>
<td></td>
</tr>
</tbody>
</table>
### Evaluation document

**COMPANY PUBLIC**

**SN100 Series - Secure Element with Crypto Library**

**Security Target Lite**

---

The security functional requirements in Table 25 address the Access Control Policy of the TOE. This Access Control Policy is applied to the memories and hardware components. It is enforced on the following access ports, which are:

- **CPU_ovBSY**: CPU access over the bus system
- **DMA_ovBSY**: DMA controller access over the bus system
- **PKC_ovBSY**: PKC coprocessor access over the bus system
- **PKC_ovDMA**: PKC coprocessor access over the DMA channel

by generic limitations as well as restrictions based on the following system operation modes (SOMs):

- **AP**: Application Mode
- **BL**: Bootloader Mode
- **SV**: Service Mode
- **SH**: Shared Mode
- **NXP**: NXP Mode

and the following CPU privilege levels:

- **P**: privileged
- **U**: unprivileged

The Access Control Policy controls access to two groups of objects, which are objects for access control to memories and objects for access control to hardware components. The objects of each group are detailed below.

**Objects for access control to memories** are as follows.

- **DWINs**: default address windows, which do not overlap in their address ranges with each other. All address ranges are fixed in hardware, except for one window, which can be configured by software as an option.

- **SWWINs**: software-controlled address windows, which must overlap with DWINs. They can be configured by software as an option.

**Objects for access control to hardware components** are as follows.

- **GSFR_ALL**: The Special Function Registers (SFRs) of all hardware components as composed of
  - **GSFR_PCBUS**: All SFRs of the hardware components connected to the peripheral control bus as composed of
    - **GSFR_DMAC**: SFRs of the DMA controller
    - **GSFR_IOSM**: SFRs of the IO Switch Matrix

---

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
</tr>
</thead>
<tbody>
<tr>
<td>FCS_CKM.4:</td>
<td>Cryptographic Key Destruction</td>
</tr>
<tr>
<td>• FCS_CKM.4/CL</td>
<td></td>
</tr>
<tr>
<td>FDP_RIP.1</td>
<td>Subset Residual Information Protection</td>
</tr>
<tr>
<td>FCS_RNG.1</td>
<td>Random number generation</td>
</tr>
<tr>
<td>• FCS_RNG.1/HYB-DET</td>
<td></td>
</tr>
<tr>
<td>• FCS_RNG.1/HYB-PHY</td>
<td></td>
</tr>
<tr>
<td>FDP_SOP.1</td>
<td>Secure basic operations</td>
</tr>
<tr>
<td>• FDP_SOP.1/Copy</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
</tr>
</tbody>
</table>

---

© NXP B.V. 2021. All rights reserved.
– GSFR_IOCC: SFRs of the IO-CRC/LRC
– GSFR_SMB: SFRs of the Secure Mailbox communication interface
– GSFR_GPIO: SFRs of the Port IO communication interface
– GSFR_UART: SFRs of the ISO7816 UART communication interface
– GSFR_I2C: SFRs of the I2C communication interface
– GSFR_SPI0: SFRs of the SPI communication interface
– GSFR_CBUS: All SFRs of the hardware components connected to the control bus as composed of
  – GSFR_GRD: SFRs of the CPU Guard
  – GSFR_PKC: SFRs of the PKC coprocessor
  – GSFR_SBC: SFRs of the SBC interface to AES and DES coprocessors
  – GSFR_PCR: SFRs of the PCR
  – GSFR_CRCi: SFRs of CRC coprocessor i=0,1
  – GSFR_TMRi: SFRs of Timer i=0,1,2,3
  – GSFR_WDG: SFRs of the Watchdog Timer
  – GSFR_PUF: SFRs of the PUF
  – GSFR_RNG: SFRs of the Random Number Generator
  – GSFR_OTHERS: SFRs of all other hardware components on the control bus

The objects for access control to memories are controlled against access rights in read (r) and write (w) and for CPU_ovBSY access also against access rights in execute (x). The objects for access control to hardware components are controlled against access rights in read (r) and write (w).

The Access Control Policy is applied to the following subjects of access control to memories and hardware components.

Subjects of access control to memories and hardware components are these:

• CPU_ovBSY: accesses via 7 types of software component types as follows
  – BOS_ovBSY: Boot OS, stored to DWIN_ROM, executed in NXP
  – FOS_ovBSY: Factory OS, stored to DWIN_ROM, executed in NXP
  – COS_ovBSY: Customer OS, stored to DWIN_AP-FLH, executed in AP or (AP and BL)
  – BLOS_ovBSY: Bootloader OS, stored to DWIN_BL-FLH, executed in BL
  – FDSW_ovBSY: Flash Driver Software, stored to DWIN_ROM, executed like ssw_ovBSYS
  – ssw_ovBSY: services software, stored to DWIN_SV-FLH, executed in
    – SV when called by software in AP, in BL or in AP + BL
    – SV + AP when called by software in BL or in AP + BL
    – SV + BL when called by software in BL or in AP + BL
    – SV + AP + BL when called by software in AP + BL
  – LSW_ovBSY: Library Software, stored to DWIN_SH-FLH, executed in SH and the
    SOM(s) of the software from which it is executed
  – DMA_ovBSY: accesses in the SOM(s) in which the actual CPU_ovBSY access runs, but
    SV and SH are masked out
  – PKC_ovBSY: accesses in the SOM(s) in which the PKC coprocessor was recently started
  – PKC_ovDMA: accesses w/o SOM(s)

The Access Control Policy of the above subjects to the above objects is defined in the following security functional requirements. The rules there are given for each port
accessing in a single SOM. In case a port accesses in more than one SOM the access rights of this port are the sum of its granted access rights in each single SOM except in cases where rules are explicitly stated for combinations of SOM(s). This occurs to some extent for combinations with SV+AP, SV+BL and BL+SH.

This Security Target performs two iteration operations on FDP_ACC.1 and also two assignment operations on each iteration, which comply with section 8.1 of CC Part 1 [1].

**FDP_ACC.1/MEM**  
**Subset access control - Memories**

Hierarchical to: No other components.

Dependencies: FDP_ACF.1 Security attribute based access control

**FDP_ACC.1.1/MEM**  
The TSF shall enforce the Access Control Policy[^30] on all subjects, all objects for access control to memories and all operations on the objects for access control to memories[^31].

---

**FDP_ACC.1/SFR**  
**Subset access control - Hardware components**

Hierarchical to: No other components.

Dependencies: FDP_ACF.1 Security attribute based access control

**FDP_ACC.1.1/SFR**  
The TSF shall enforce the Access Control Policy[^32] on all subjects, all objects for access control to Special Function Registers and all operations on the objects for access control to Special Function Registers[^33].

---

This Security Target performs two iteration operations on FDP_ACF.1 and also five assignment operations on each iteration, which comply with section 8.1 in CC Part 1 [1].

**FDP_ACF.1/MEM**  
**Security attribute based access control - Memories**

Hierarchical to: No other components

Dependencies: FDP_ACC.1 Subset access control  
FMT_MSA.3 Static attribute initialisation

**FDP_ACF.1.1/MEM**  
The TSF shall enforce the Access Control Policy[^34] to objects based on the following: all subjects and all objects for access control to memories and security attributes for memories[^35].

**Application Note:**  
List of all subjects and all objects for access control to memories and security attributes for memories is given in the full Security Target.

**FDP_ACF1.2/MEM**  
The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed

[^30]: [assignment: access control SFP]
[^31]: [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]
[^32]: [assignment: access control SFP]
[^33]: [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]
[^34]: [assignment: access control SFP]
[^35]: [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes]
for CPU_ovBSY access to DWINs, DMA_ovBSY access to DWINs, PKC_ovBSY access to DWINs and PKC_ovDMA access to DWINs \(^{36}\).

**Application Note:** List of rules to determine if an operation among controlled subjects and controlled objects is allowed for CPU_ovBSY access to DWINs, DMA_ovBSY access to DWINs, PKC_ovBSY access to DWINs and PKC_ovDMA access to DWINs is given in the full Security Target.

**FDP_ACF1.3/MEM**

The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:

rules to explicitly authorise DMA_ovBSY access to DMAWIN, PKC_ovBSY access to PKCWIN0 and PKC_ovBSY access to PKCWIN1 \(^{37}\).

**Application Note:** List of rules to explicitly authorise DMA_ovBSY access to DMAWIN, PKC_ovBSY access to PKCWIN0 and PKC_ovBSY access to PKCWIN1 is given in the full Security Target.

**FDP_ACF1.4/MEM**

The TSF shall explicitly deny access of subjects to objects based on the following additional rules:

CPU_ovBSY access to DWINs, CPU_ovBSY access to IDWINn and CPU_ovBSY access to SWINn \(^{38}\).

**Application Note:** List of rules to explicitly deny CPU_ovBSY access to DWINs, CPU_ovBSY access to IDWINn and CPU_ovBSY access to SWINn is given in the full Security Target.

**FDP_ACF.1/SFR**

Security attribute based access control - Hardware components

Hierarchical to: No other components.

Dependencies: FDP_ACC.1 Subset access control

FMT_MSA.3 Static attribute initialisation

**FDP_ACF.1.1/SFR**

The TSF shall enforce the Access Control Policy \(^{39}\) to objects based on the following: all subjects and all objects for access control to Special Function Registers and security attributes S2A_APACTRL, S2A_SVACTRL, S2S_APACTRL, S2S_SVACTRL \(^{40}\).

**FDP_ACF1.2/SFR**

The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:

\(^{36}\) [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects]

\(^{37}\) [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]

\(^{38}\) [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]

\(^{39}\) [assignment: access control SFP]

\(^{40}\) [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes]
rules for CPU_ovBSY, DMA_ovBSY, PKC_ovBSY and
PKC_ovDMA access to SFR_PCBUS and SFR_CBUS.\footnote{41}

**Application Note:**

List of rules for CPU_ovBSY, DMA_ovBSY, PKC_ovBSY
and PKC_ovDMA access to SFR_PCBUS and
SFR_CBUS is given in the full Security Target.

**FDP_ACF1.3/SFR**

The TSF shall explicitly authorise access of subjects to
objects based on the following additional rules:

- CPU_ovBSY, DMA_ovBSY access to each group
  out of GSFR_DMAC, GSFR_IOSM, GSFR_IOCC,
  GSFR_SMB, GSFR_GPIO, GSFR_UART, GSFR_I2C,
  GSFR_SPI0 can be:
  - in AP for U: allowed in rw acc. to the rules for
each bit in GSFR_ALL for a group by setting its
corresponding bit in S2A_APUCTRL
  - in SV for U: allowed in rw acc. to the rules for
each bit in GSFR_ALL for a group by setting its
corresponding bit in S2A_SVUCTRL

- CPU_ovBSY access to each group out of GSFR_-
  GRD, GSFR_PKC, GSFR_SBC, GSFR_PCR, GSFR_
  CRCi, GSFR_TMRi, GSFR_WDG, GSFR_PUF,
  GSFR_RNG can be:
  - in AP for U: allowed acc. to the rules for each
  bit in GSFR_ALL in for a group by setting its
corresponding bit in S2S_APUCTRL
  - in SV for U: allowed acc. to the rules for each
  bit in GSFR_ALL in for a group by setting its
corresponding bit in S2S_SVUCTRL

**FDP_ACF1.4/SFR**

The TSF shall explicitly deny access of subjects to
objects based on the following additional rules:

- CPU_ovBSY, DMA_ovBSY access to each group
  out of GSFR_DMAC, GSFR_IOSM, GSFR_IOCC,
  GSFR_SMB, GSFR_GPIO, GSFR_UART, GSFR_I2C,
  GSFR_SPI0 can be:
  - in AP for P: denied in rw for a group by clearing its
corresponding bit in S2A_APACTRL
  - in SV for P: denied in rw for a group by clearing its
corresponding bit in S2A_SVACTRL

- CPU_ovBSY access to each group out of GSFR_-
  GRD, GSFR_PKC, GSFR_SBC, GSFR_PCR, GSFR_
  CRCi, GSFR_TMRi, GSFR_WDG, GSFR_PUF,
  GSFR_RNG can be:
  - in AP for P: denied in rw for a group by clearing its
corresponding bit in S2S_APACTRL

41 [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects]

42 [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
This Security Target performs two iteration operations on FMT_MSA.1 and also one selection and four assignment operations on each iteration, which comply with section 8.1 of CC Part 1.

**FMT_MSA.1/MEM**

**Management of security attributes - Memories**

**Hierarchical to:**
No other components

**Dependencies:**
- [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
- FMT_SMR.1 Security roles
- FMT_SMF.1 Specification of Management Functions

**FMT_MSA.1.1/MEM**

The TSF shall enforce the Access Control Policy to restrict the ability to modify security attributes for memories to the authorised identified roles.

**Application Note:**
List of security attributes for memories and authorised identified roles is given in the full Security Target.

**FMT_MSA.1/SFR**

**Management of security attributes - Hardware components**

**Hierarchical to:**
No other components

**Dependencies:**
- [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
- FMT_SMR.1 Security roles
- FMT_SMF.1 Specification of Management Functions

**FMT_MSA.1.1/SFR**

The TSF shall enforce the Access control Policy to restrict the ability to modify the security attributes S2S_APACTRL, S2S_APUCTRL, S2S_SVACTRL, S2S_SVUCTRL to the authorised identified roles.

This Security Target performs two iteration operations on FMT_MSA.3 and also one selection and two assignment operations on each iteration, which comply with section 8.1 of CC Part 1.

**FMT_MSA.3/MEM**

**Static attribute initialisation - Memories**

**Hierarchical to:**
No other components

**Dependencies:**
- FMT_MSA.1 Management of security attributes
- FMT_SMR.1 Security roles
The TSF shall enforce the Access Control Policy\(^{52}\) to provide restrictive\(^{53}\) default values for security attributes that are used to enforce the SFP.

**Application Note:** Restrictive default values of security attributes for memories are given in the full Security Target.

The TSF shall allow the no subject\(^ {54}\) to specify alternative initial values to override the default values when an object or information is created.

**FMT_MSA.3/SFR** Static attribute initialisation - Hardware components

**Hierarchical to:** No other components

**Dependencies:** FMT_MSA.1 Management of security attributes

The TSF shall enforce the Access Control Policy\(^{55}\) to provide restrictive\(^{56}\) default values for security attributes that are used to enforce the SFP.

**Application Note:** Restrictive default values of security attributes S2S_APACTRL, S2S_APUCTRL, S2S_SVACTRL, S2S_SVUCTRL are given in the full Security Target.

The TSF shall allow the no subject\(^ {57}\) to specify alternative initial values to override the default values when an object or information is created.

This Security Target performs two assignment operations on FMT_SMF.1, which comply with section 8.1 of CC Part 1 [1].

**FMT_SMF.1** Specification of Management Functions

**Hierarchical to:** No other components.

**Dependencies:** No dependencies.

**FMT_SMF.1.1** The TSF shall be capable of performing the following management functions:

- Transformations in system operation modes for subjects CPU_ovBSY, DMA_ovBSY and PKC_ovBSY
- Change in the CPU privilege level for subject(s) CPU_\(^ {58}\) ovBSY

**Application Note:** The conditions for the management functions are given in the full Security Target.

**Additional SFR regarding cryptographic functionality**

---

52 [assignment: access control SFP, information flow control SFP]
53 [selection, choose one of: restrictive, permissive, [assignment: other property]]
54 [assignment: the authorised identified roles]
55 [assignment: access control SFP, information flow control SFP]
56 [selection, choose one of: restrictive, permissive, [assignment: other property]]
57 [assignment: the authorised identified roles]
58 [assignment: list of management functions to be provided by the TSF]
This Security Target performs the following iterations on FCS_COP.1, which are in addition to those already done in sections 7.4.1 and 7.4.2 of the Protection Profile [5].

**FCS_COP.1/GCM**
- **Cryptographic operation - GCM support**
- **Hierarchical to:** No other components.
- **Dependencies:**
  - [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction.

**FCS_COP.1.1/GCM**
- The TSF shall perform *multiplication operation on blocks and incrementing function*[^59] in accordance with a specified cryptographic algorithm *Galois/Counter Mode (GCM)*[^60] and *GMAC*[^61] and cryptographic key sizes none[^62] that meet the following: *NIST SP 800-38D*[^46] 62.

**FCS_COP.1/CRC**
- **Cryptographic operation - CRC**
- **Hierarchical to:** No other components.
- **Dependencies:**
  - [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction.

**FCS_COP.1.1/CRC**
- The TSF shall perform *calculation of cyclic redundancy checks*[^63] in accordance with a specified cryptographic algorithm *CRC-8, CRC-16 and CRC-32*[^64] and cryptographic key sizes none[^65] that meet the following:
  - *ITU-T I.432.1*[^59] (for CRC-8)
  - *ITU-T V.42*[^60] and *ITU-T X.25*[^61] (for CRC-16)
  - *ITU-T V.42*[^60] and *IEEE 802.3*[^62] (for CRC-32)

The TSF provides cryptographic functionality to help satisfy several high-level security objectives. In order for a cryptographic operation to function correctly, the operation must be performed in accordance with a specified algorithm and with a cryptographic key of a specified size. The following Functional Requirements to the TOE can be derived from this CC component:

**FCS_COP.1/SW_AES**
- **Cryptographic operation - AES**
- **Hierarchical to:** No other components.
- **FCS_COP.1.1/SW_AES**
  - The TSF shall perform *decryption and encryption*[^67] in accordance with a specified cryptographic algorithm *AES in ECB, CBC, CFB, CTR, GCM, CBC-MAC, CCM and CMAC (for Crypto Library v1.0.0)* or ECB, CBC,
CFB, CTR, GCM, CBC-MAC, CCM, CMAC and OFB (for Crypto Library v2.0.0) \(^{68}\) and cryptographic key sizes 128, 192 and 256 bit \(^{69}\) that meet the following FIPS 197 \([53]\), NIST SP 800-38A (ECB, CBC, CFB, OFB and CTR mode) \([42]\), NIST SP 800-38B (CMAC mode) \([44]\), NIST SP 800-38C (CCM mode) \([45]\), NIST SP 800-38D (GCM mode), and \([46]\), ISO 9797-1, Algorithm 1 (CBC-MAC mode) \([48]\) \(^{70}\).

**Application Notes:**
The security functionality is resistant against side channel analysis and other attacks described in \([9]\).

**Dependencies:**
[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

**FCS_COP.1/SW_DES**
Cryptographic operation - TDES

Hierarchical to: No other components.

**FCS_COP.1.1/SW_DES**
The TSF shall perform encryption and decryption \(^{71}\) in accordance with a specified cryptographic algorithm Triple-DES in ECB, CBC, CFB, CTR, CBC-MAC, RetailMAC and CMAC (for Crypto Library v1.0.0) or ECB, CBC, CFB, CTR, CBC-MAC, RetailMAC, CMAC and OFB (for Crypto Library v2.0.0) \(^{72}\) and cryptographic key sizes 2-key TDES (112 bit) and 3-key TDES (168 bit) \(^{73}\) that meet the following NIST SP 800-67 \([74]\), NIST Special Publication 800-38A, 2001 (ECB, CBC, CFB, OFB and CTR mode) \([42]\), ISO 9797-1, Algorithm 1 (CBC-MAC mode) \([48]\), ISO 9797-1 Algorithm 3 (RetailMAC) \([48]\), and NIST Special Publication 800-38B (CMAC mode) \([44]\) \(^{74}\).

**Application Notes:**
The security functionality is resistant against side channel analysis and other attacks described in \([9]\). To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards).

**Dependencies:**
[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

**FCS_COP.1/RSA**
Cryptographic operation

Hierarchical to: No other components.
FCS_COP.1.1/RSA

The TSF shall perform encryption, decryption, signature and verification\(^{75}\) in accordance with the specified cryptographic algorithm RSA\(^{76}\) and cryptographic key sizes 512 bits to 4096 bits\(^{77}\) that meet the following:

- PKCS #1, v2.2: RSAEP, RSADP, RSASP1, RSAVP1
- FIPS PUB 186-4-2013 \(^{52}\)\(^{10}\)

**Application Notes:**
The security functionality is resistant against side channel analysis and other attacks described in \[^{9}\].

**Dependencies:**
[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/RSA_PAD

Cryptographic operation

Hierarchical to:
No other components.

FCS_COP.1/RSA_PAD

The TSF shall perform message and signature encoding methods\(^{79}\) in accordance with the specified cryptographic algorithm EME-OAEP and EMSA-PSS\(^{80}\) and cryptographic key sizes 512 bits to 4096 bits\(^{81}\) that meet the following:

- PKCS #1, v2.2: EME-OAEP, EMSA-PSS \[^{64}\]\[^{82}\]
- PKCS #1 Padding v1.5: \[^{65}\]\[^{82}\]

**Application Notes:**
The security functionality is resistant against side channel analysis and other attacks described in \[^{9}\].

**Dependencies:**
[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/RSA_PubExp

Cryptographic operation

Hierarchical to:
No other components.

FCS_COP.1/RSA_PubExp

The TSF shall perform public key computation from a RSA CRT private key\(^{83}\) in accordance with the specified cryptographic algorithm RSA\(^{84}\) and cryptographic key sizes 512 bits to 4096 bits\(^{85}\) that meet the following:

- PKCS #1, v2.2 \[^{64}\]\[^{86}\]and FIPS PUB 186-4-2013 \[^{52}\]\[^{86}\]

**Application Notes:**
1. The security functionality is resistant against side channel analysis and other attacks described in \[^{9}\].
2. The computation will result in the generation of a public RSA key from the private key (in CRT format). As

\(^{75}\) [assignment: list of cryptographic operations]
\(^{76}\) [assignment: cryptographic algorithm]
\(^{77}\) [assignment: cryptographic key sizes]
\(^{78}\) [assignment: list of standards]
\(^{79}\) [assignment: list of cryptographic operations]
\(^{80}\) [assignment: cryptographic algorithm]
\(^{81}\) [assignment: cryptographic key sizes]
\(^{82}\) [assignment: list of standards]
\(^{83}\) [assignment: list of cryptographic operations]
\(^{84}\) [assignment: cryptographic algorithm]
\(^{85}\) [assignment: cryptographic key sizes]
\(^{86}\) [assignment: list of standards]
this key is implied by the private key, this is not true key
generation, and, to prevent duplication in this ST, this
has not been included as a separate FCS_CKM.1 SFR.

Dependencies: [FDP_ITC.1 Import of user data without security
attributes or FDP_ITC.2 Import of user data with
security attributes, or FCS_CKM.1 Cryptographic key
generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/ECDSA
Cryptographic operation
Hierarchical to: No other components.

FCS_COP.1.1/ECDSA
The TSF shall perform signature generation and
verification\(^{87}\) in accordance with the specified
cryptographic algorithm ECDSA and ECC over GF(p)\(^{88}\)
and cryptographic key sizes 128 to 640 bits\(^{89}\) that
meet the following: ISO/IEC 14888-3-2015\(^{56}\), ANSI
X9.62-1998\(^{63}\), and FIPS PUB 186-4-2013\(^{52}\)\(^{90}\).

Application Notes: The security functionality is resistant against side
channel analysis and other attacks described in [9].

Dependencies: [FDP_ITC.1 Import of user data without security
attributes or FDP_ITC.2 Import of user data with
security attributes, or FCS_CKM.1 Cryptographic key
generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/ECC_DHKE
Cryptographic operation
Hierarchical to: No other components.

FCS_COP.1.1/ECC_DHKE
The TSF shall perform Diffie-Hellman Key Exchange\(^{91}\)
in accordance with the specified cryptographic algorithm
ECC over GF(p)\(^{92}\) and cryptographic key sizes
128 to 640 bits\(^{93}\) that meet the following: ISO/IEC
11770-3-2015\(^{57}\), and ANSI X9.63\(^{75}\)\(^{94}\).

Application Notes: (1) The security functionality is resistant against side
channel analysis and other attacks described in [9].
(2) The security functionality does not provide the
complete key exchange procedure, but only the point
multiplication which is used for the multiplication of
the private key with the communication partner’s public key.
Therefore this function can be used as part of a Diffie-
Hellman key exchange as well pure point multiplication.

Dependencies: [FDP_ITC.1 Import of user data without security
attributes or FDP_ITC.2 Import of user data with
...
security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/ECC_Add
Cryptographic operation
Hierarchical to: No other components.
FCS_COP.1.1/ECC_Add
The TSF shall perform a full point addition\textsuperscript{95} in accordance with a specified cryptographic algorithm ECC over GF(p)\textsuperscript{96} and cryptographic key sizes 128 to 640 bits\textsuperscript{97} that meet the following: ISO/IEC 15946-1-2008\textsuperscript{[58]}\textsuperscript{98}

Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/ECDAA
Cryptographic operation
Hierarchical to: No other components.
FCS_COP.1.1/ECDAA
The TSF shall perform the TPM 2.0 ECDAA signature function\textsuperscript{99} in accordance with the specified cryptographic algorithm ECC over GF(p)\textsuperscript{100} and cryptographic key sizes 128 to 640 bits\textsuperscript{101} that meet the following: TPM Rev. 2.0 [72]

Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/SHA
Cryptographic operation
Hierarchical to: No other components.
FCS_COP.1.1/SHA
The TSF shall perform hashing\textsuperscript{102} in accordance with a specified cryptographic algorithm SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512\textsuperscript{103} and cryptographic

\textsuperscript{95} [assignment: list of cryptographic operations]
\textsuperscript{96} [assignment: cryptographic algorithm]
\textsuperscript{97} [assignment: cryptographic key sizes]
\textsuperscript{98} [assignment: list of standards]
\textsuperscript{99} [assignment: list of cryptographic operations]
\textsuperscript{100} [assignment: cryptographic algorithm]
\textsuperscript{101} [assignment: cryptographic key sizes]
\textsuperscript{102} [assignment: list of cryptographic operations]
\textsuperscript{103} [assignment: cryptographic algorithm]
Application Notes:

1) The security functionality is resistant against side channel analysis and timing attacks as described in [9].

2) The length of the data to hash has to be a multiple of one byte. Arbitrary bit lengths are not supported.

Dependencies:

[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/HMAC Cryptographic operation
Hierarchical to:
No other components.

FCS_COP.1.1/HMAC

The TSF shall perform keyed-hash message authentication code calculation\(^{106}\) in accordance with a specified cryptographic algorithm SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512\(^{107}\) and cryptographic key sizes none\(^{108}\) that meet the following: FIPS PUB 198-1-2008 \([54]\) and FIPS PUB 202-2015 \([55]\)\(^{109}\).

Application Notes:
The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies:

[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

FCS_COP.1/EDDSA Cryptographic operation
Hierarchical to:
No other components.

FCS_COP.1.1/EDDSA

The TSF shall perform signature generation and verification\(^{110}\) in accordance with the specified cryptographic algorithm EdDSA for twisted Edwards curves over GF(p) including the cryptographic algorithms Ed25519 and Ed448\(^{111}\) and cryptographic key sizes 128 to 640 bits\(^{112}\) that meet the following: IETF RFC 8032 \([66]\) and IETF RFC 8032 \([66]\) except for the scalar calculation\(^{113}\).

---

104 [assignment: cryptographic key sizes]
105 [assignment: list of standards]
106 [assignment: list of cryptographic operations]
107 [assignment: cryptographic algorithm]
108 [assignment: cryptographic key sizes]
109 [assignment: list of standards]
110 [assignment: list of cryptographic operations]
111 [assignment: cryptographic algorithm]
112 [assignment: cryptographic key sizes]
113 [assignment: list of standards]
### Application Notes:

1. The cryptographic key size refers to the bit length of the prime \( p \).
2. The security functionality is resistant against side channel analysis and other attacks described in [9].
3. For signature generation according to IETF RFC 8032 except for the scalar calculation, the scalar used for the point multiplication is chosen randomly and not computed from the private key. The generated signature is non-deterministic. The verification of the generated signature will pass successfully.

### Dependencies:

[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

### FCS_COP.1/MONT_DHKE

#### Cryptographic operation

The TSF shall perform **Diffie-Hellman Key Exchange**\(^{114}\) in accordance with the specified cryptographic algorithms **Curve25519** and **Curve448** and **generalizations thereof for a wider class Montgomery curves over GF(p)**\(^{115}\) and cryptographic key sizes \( 128 \) to \( 640 \text{ bits}^{116} \) that meet the following: **IETF RFC 7748**\(^{67}\).

### Application Notes:

1. The cryptographic key size refers to the bit length of the prime \( p \).
2. The security functionality is resistant against side channel analysis and other attacks described in [9].
3. The security functionality does not provide the complete key exchange procedure, but only an x-only point multiplication of a secret scalar derived from the passed private key with the communication partner's passed public key. Therefore this function can be used as part of a Diffie-Hellman key exchange as well pure point multiplication.

### Dependencies:

[FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

### FCS_COP.1/EUICC

#### Cryptographic operation

No other components.

---

114 [assignment: list of cryptographic operations]  
115 [assignment: cryptographic algorithm]  
116 [assignment: cryptographic key sizes]  
117 [assignment: list of standards]
The TSF shall perform eUICC authentication functions in accordance with the specified cryptographic algorithms MILENAGE, TUAK and CAVE and cryptographic key sizes none that meet the following: 3GPP TS 35.205/35.206 (MILENAGE) [68], 3GPP TS 35.231 (TUAK) [70], 3GPP2 S.S0053-0 (CAVE) [71].

Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

The TSF shall perform calculation of cyclic redundancy checks in accordance with a specified cryptographic algorithm CRC-16 and CRC-32 and cryptographic key sizes none that meet the following: ITU-T X.25 [61] (for CRC-16) and IEEE 802.3 [62] (for CRC-32).

 Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction.

The TSF provides functionality to generate a variety of key pairs. In order for the key generation to function correctly, the operation must be performed in accordance with a specified standard and with cryptographic key sizes out of a specified range. The following Security Functional Requirements to the TOE can be derived from this CC component:

The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm RSA and specified cryptographic key sizes 512-4096 bits that meet the following: PKCS #1, v2.2, FIPS PUB 186-4-2013.

[assignment: list of cryptographic operations]
[assignment: cryptographic algorithm]
[assignment: cryptographic key sizes]
[assignment: list of standards]
[assignment: list of cryptographic operations]
[assignment: cryptographic algorithm]
[assignment: cryptographic key sizes]
[assignment: list of standards]
[assignment: cryptographic key generation algorithm]
[assignment: cryptographic key sizes]
[assignment: list of standards]
Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1/ECC Cryptographic Key Generation
Hierarchical to: No other components.
FCS_CKM.1.1/ECC

The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm ECDSA (ECC over GF(p)) (for Crypto Library v1.0.0) or ECDSA and ECDH (ECC over GF(p)) (for Crypto Library v2.0.0)129, and specified cryptographic key sizes 128 to 640bits130 that meet the following: ISO/IEC 15946-1-2008 [58], ANSI X9.62-1998 [63] and FIPS PUB 186-4-2013 [62] and BSI TR-03111 [76].

Application Notes: The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1/EDDSA Cryptographic Key Generation
Hierarchical to: No other components.
FCS_CKM.1.1/EDDSA

The TSF shall generate keys pairs in accordance with a specified cryptographic algorithm EdDSA for twisted Edwards curves over GF(p), including the cryptographic algorithms Ed25519 and Ed448132 and specified cryptographic key sizes 128 to 640 bits133 that meet the following: IETF RFC 8032 [66].

Application Notes:
(1) The cryptographic key size refers to the bit length of the prime p.
(2) The security functionality is resistant against side channel analysis and other attacks described in [9].

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction

129 [assignment: cryptographic algorithm]
130 [assignment: cryptographic key sizes]
131 [assignment: list of standards]
132 [assignment: cryptographic key generation algorithm]
133 [assignment: cryptographic key sizes]
134 [assignment: list of standards]
FCS_CKM.1/MONT  Cryptographic Key Generation
Hierarchical to:  No other components.
FCS_CKM.1.1/MONT  The TSF shall generate key pairs for Diffie-Hellman Key Exchange in accordance with a specified cryptographic algorithm Curve25519 and Curve448 and generalizations thereof for a wider class Montgomery curves over GF(p)\(^{135}\) and specified cryptographic key sizes 128 to 640 bits\(^{136}\) that meet the following: IETF RFC 7748 \([66]\)\(^{137}\).

Application Notes:  The security functionality is resistant against side channel analysis and other attacks described in \([9]\).

Dependencies:  [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction

The Residual information protection addresses the need to ensure that information in a resource is no longer accessible when the resource is deallocated, and that therefore newly created objects do not contain information that was accidentally left behind in the resources used to create the objects. The following Functional Requirement to the TOE can be derived from the CC component FDP_RIP.1:

FDP_RIP.1  Subset Residual Information Protection
Hierarchical to:  No other components.
FDP_RIP.1.1  The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from\(^{138}\) the following objects: any memory resources used by the Crypto Library that contained temporary or secret values\(^{139}\).

Dependencies:  No dependencies.

Note 6. The TSF ensures that, upon exit from each function, with the exception of input parameters, return values or locations where it is explicitly documented that values remain at specific addresses, any memory resources used by that function that contained temporary or secret values are cleared.

FCS_CKM.4/CL  Cryptographic Key Destruction - Crypto Library
Hierarchical to:  No other components.
FCS_CKM.4.1  The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method \textit{o overwrite}\(^{140}\) that meets the following: ISO 11568-4-2007 \([49]\)\(^{141}\).

Application Notes:  The TOE provides the Security IC Embedded Software with library calls to perform various cryptographic

135 [assignment: cryptographic key generation algorithm]
136 [assignment: cryptographic key sizes]
137 [assignment: list of standards]
138 [selection: allocation of the resource to, deallocation of the resource from]
139 [assignment: list of objects]
140 [assignment: cryptographic key destruction method]
141 [assignment: list of standards]
algorithms that involve keys (e.g., AES, DES, RSA, etc.). Through the parameters of the library calls the Security IC Embedded Software provides keys for the cryptographic algorithms. To perform its cryptographic algorithms the library copies these keys, or a transformation thereof, to the working-buffer (supplied by the Security IC Embedded Software) and/or the memory/special function registers of the TOE. Depending upon the algorithm the library either overwrites these keys before returning control to the Security IC Embedded Software or provides a library call to through which the Security IC Embedded Software can clear these keys. In the case of a separate library call to clear keys the guidance instructs the Security IC Embedded Software when/how this call should be used.

Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]

Note:
Clearing of keys that are provided by the Security IC Embedded Software to the Crypto Library is the responsibility of the Security IC Embedded Software.

The TOE shall meet the requirements “Random number generation” as specified below.
The hardware part of the TOE provides a physical random number generator (RNG) that fulfils FCS_RNG.1/PTG.2 as defined in Section 6.1.2. The additional software part of the TOE (Crypto Library) implements a software (pseudo) RNG that fulfils FCS_RNG.1/HYB-DET (see below). This software RNG obtains its seed from the hardware RNG, after the TOE (Crypto Library) has performed a self test of the hardware RNG.

FCS_RNG.1/HYB-DET Random number generation
Hierarchical to:
FCS_RNG.1.1/HYB-DET

The TSF shall provide a hybrid deterministic random number generator that implements:
(K.4.1) a chi-squared test on the seed generator.
(DRG.4.1) The internal state of the RNG shall use PTRNG of class PTG.2 (as defined in [6]) as random source.
(DRG.4.2) The RNG provides forward secrecy (as defined in [6]).
(DRG.4.3) The RNG provides backward secrecy even if the current internal state is known (as defined in [6]).
(DRG.4.4) The RNG provides enhanced forward secrecy on demand (as defined in [6]).
The internal state of the RNG is seeded by an PTRNG of class PTG.2 (as defined in [6]).

**FCS_RNG.1.2/HYB-DET**

The TSF shall provide random numbers that meet:

(K.4.2) class K.4 of AIS20 [8].

(DRG.4.6) The RNG generates output for which $2^{48}$ strings of bit length 128 are mutually different with probability at least $1 - 2^{-24}$.

(DRG.4.7) Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG. The random numbers must pass test procedure A (as defined in [6]).

**Application Notes:**

1. The security functionality is resistant against side channel analysis and similar techniques.

2. The TOE provides the Security IC Embedded Software with separate library calls to initialise the random number generator (which includes the chi-squared test) and to generate random data. The user can call an initialisation function upon use of the random number generator.

**Dependencies:**

No dependencies.

**Note:**

Only if the chi-squared test succeeds the hardware RNG seeds the software RNG implemented as part of the Crypto Library (as part of security functionality SS.SW\_RNG ).

The Crypto Library does not prevent the operating system from accessing the hardware RNG. If the hardware RNG is used by the operating system directly, it has to be decided based on the Security IC Embedded Software's security needs, what kind of test has to be performed and what requirements will have to be applied for this test. In this case the developer of the Security IC Embedded Software must ensure that the conditions prescribed in the Guidance, Delivery and Operation Manual for the TOE are met.

The software (pseudo) RNG, which is implemented in the software part of the TOE (Crypto Library), fulfils FCS\_RNG.1/HYB-PHY (see below) with a certain limitation. This limitation can be given by the Security IC Embedded Software. For details on the limitation please refer the user guidance documentation of the Crypto Library [13].

**FCS_RNG.1/HYB-PHY**

Random number generation

Hierarchical to: No other components.

---

143 [assignment: list of security capabilities]

144 [selection: bits, octets of bits, numbers [assignment: format of the numbers]]

145 [assignment: assignment: a defined quality metric]
FCS_RNG.1.1/HYB-PHY

The TSF shall provide a hybrid physical\textsuperscript{146} random number generator that implements:

(PTG.3.1) A total failure test detects a total failure of entropy source immediately when the RNG has started. When a total failure has been detected no random numbers will be output.

(PTG.3.2) If a total failure of the entropy source occurs while the RNG is being operated, the RNG prevents the output of any internal random number that depends on some raw random numbers that have been generated after the total failure of the entropy source.

(PTG.3.3) The online test shall detect non-tolerable statistical defects of the raw random number sequence (i) immediately when the RNG is started, and (ii) while the RNG is being operated. The TSF must not output any random numbers before the power-up online test and the seeding of the DRG.3 postprocessing algorithm have been finished successfully or when a defect has been detected.

(PTG.3.4) The online test procedure shall be effective to detect non-tolerable weaknesses of the random numbers soon.

(PTG.3.5) The online test procedure checks the raw random number sequence. It is triggered continuously\textsuperscript{147}. The online test is suitable for detecting nontolerable statistical defects of the statistical properties of the raw random numbers within an acceptable period of time.

(PTG.3.6) The algorithmic post-processing algorithm belongs to Class DRG.3 with cryptographic state transition function and cryptographic output function, and the output data rate of the post-processing algorithm shall not exceed its input data rate.

FCS_RNG.1.2/HYB-PHY

The TSF shall provide numbers\textsuperscript{148} that meet:

(PTG.3.7) Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG. The random numbers must pass test procedure A (as defined in [6]).

(PTG.3.8) The internal random numbers shall use PTRNG of class PTG.2 as random source for the post-processing\textsuperscript{149, 150}

\textsuperscript{146} [selection: physical, hybrid physical, hybrid deterministic]
\textsuperscript{147} [selection: externally, at regular intervals, continuously, upon specified internal events]
\textsuperscript{148} [selection: bits, octets of bits, numbers [assignment: format of the numbers]]
\textsuperscript{149} [selection: use PTRNG of class PTG.2 as random source for the post-processing, have [assignment: work factor], require [assignment: guess work]]
\textsuperscript{150} [assignment: a defined quality metric]
6.2 Security Assurance Requirements for the TOE

Table 26 lists the security assurance requirements for the TOE. These security functional requirements are either copied from the Protection Profile [5] without modifications, or augmented from there, or newly added in this Security Target as indicated in column three of the table. This partly addresses Application Note 22.

151 [selection: Copy, Compare, Arithmetic operations (secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition)]
152 [assignment: list of memory locations]
153 [assignment: list of memory locations]
154 [selection: disclosure, modification]
155 [selection: Copy, Compare, Arithmetic operations (secure modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition)]
156 [assignment: list of memory locations]
157 [assignment: list of memory locations]
158 [selection: disclosure, modification]
Table 26. Security assurance requirements for the TOE

<table>
<thead>
<tr>
<th>Name</th>
<th>Title</th>
<th>compared to PP</th>
</tr>
</thead>
<tbody>
<tr>
<td>ADV_ARC.1</td>
<td>Security architectural description</td>
<td>as in PP</td>
</tr>
<tr>
<td>ADV_FSP.5</td>
<td>Complete semi-formal functional specification with additional error information</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ADV_IMP.2</td>
<td>Complete mapping of the implementation representation of the TSF</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ADV_INT.3</td>
<td>Minimally complex internals</td>
<td>added for EAL6</td>
</tr>
<tr>
<td>ADV_SPM.1</td>
<td>Formal TOE security policy model</td>
<td>added for EAL6</td>
</tr>
<tr>
<td>ADV_TDS.5</td>
<td>Complete semiformal modular design</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>AGD_OPE.1</td>
<td>Operational user guidance</td>
<td>as in PP</td>
</tr>
<tr>
<td>AGD_PRE.1</td>
<td>Preparative procedures</td>
<td>as in PP</td>
</tr>
<tr>
<td>ALC_CMC.5</td>
<td>Advanced support</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ALC_CMPS.5</td>
<td>Development tools CM coverage</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ALC_DEL.1</td>
<td>Delivery procedures</td>
<td>as in PP</td>
</tr>
<tr>
<td>ALC_DVS.2</td>
<td>Sufficiency of security measures</td>
<td>as in PP</td>
</tr>
<tr>
<td>ALC_FLR.1</td>
<td>Basic flaw remediation</td>
<td>not in PP, added for EAL6+</td>
</tr>
<tr>
<td>ALC_LCD.1</td>
<td>Developer defined life-cycle model</td>
<td>as in PP</td>
</tr>
<tr>
<td>ALC_TAT.3</td>
<td>Compliance with implementation standards - all parts</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ASE_CCL.1</td>
<td>Conformance claims</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_ECD.1</td>
<td>Extended components definition</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_INT.1</td>
<td>ST introduction</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_OBJ.2</td>
<td>Security objectives</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_REQ.2</td>
<td>Derived security requirements</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_SPD.1</td>
<td>Security problem definition</td>
<td>as in PP</td>
</tr>
<tr>
<td>ASE_TSS.2</td>
<td>TOE summary specification with architectural design summary</td>
<td>augmented from PP to EAL6+</td>
</tr>
<tr>
<td>ATE_COV.3</td>
<td>Rigorous analysis of coverage</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ATE_DPT.3</td>
<td>Testing: modular design</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ATE_FUN.2</td>
<td>Ordered functional testing</td>
<td>augmented from PP to EAL6</td>
</tr>
<tr>
<td>ATE_IND.2</td>
<td>Independent testing - sample</td>
<td>as in PP</td>
</tr>
<tr>
<td>AVE_VAN.5</td>
<td>Advanced methodical vulnerability analysis</td>
<td>as in PP</td>
</tr>
</tbody>
</table>

This Security Target performs an assignment operation on ADV_SPM.1 as follows.
ADV_SPM.1
ADV_SPM.1.1D: The developer shall provide a formal security policy model for the

- Access Control Policy of the TOE according to FDP_ACC.1/MEM, FDP_ACF.1/MEM, FMT_MSA.1/MEM, FMT_MSA.3/MEM as well as FDP_ACC.1/SFR, FDP_ACF.1/SFR, FMT_MSA.1/SFR, FMT_MSA.3/SFR and also FMT_SMF.1

All refinements in section 6.2.1 of the Protection Profile [5] to security assurance requirements in Table 26, which are copied from the Protection Profile without modifications, entirely apply to this Security Target.

All refinements in section 6.2.1 of the Protection Profile [5] to security assurance requirements in Table 26, which are augmented from the Protection Profile, are discussed below in their applicability to this Security Target. This addresses Application Note 23 in the Protection Profile [5].

Refinements regarding ADV_FSP

Refinement no. 215 to ADV_FSP.4 in the Protection Profile [5] is not relevant for this Security Target since the TOE does not embed IC Dedicated Test Software.

The Factory OS is not considered as IC Dedicated Test Software but instead as IC Dedicated Support Software since it is not only used to support testing of the TOE during production and does provide security functionality to be used after TOE delivery, which both contradicts to abstract 12 on page 8 of the Protection Profile [5]. However, the Factory OS provides testing capabilities for production testing and analysis of field returns, which is under restricted access to NXP and not for usage by the Composite Product Manufacturer. Therefore, these testing capabilities are considered as "test tool", which don't have to be described in the Functional Specification, but only be evaluated against their abuse after TOE delivery. Apart from that the Factory OS provides the Composite Product Manufacturer with some basic functional testing of SN100_SE and also with a readout of the identification flags of SN100_SE from System Page Common, which must be described in the Functional Specification.

Refinements no. 216, no. 217 and no. 218 to ADV_FSP.4 in the Protection Profile [5] are entirely applicable to ADV_FSP.5 since the refinements clarify the scope of the functional specification, and ADV_FSP.5 adds to this scope in accordance with the refinements.

Refinements regarding ADV_IMP

Refinement no. 223 to ADV_IMP.1 in the Protection Profile [5] is redundant since it is implicitly covered by the augmentation to ADV_IMP.2. First, ADV_IMP.2 requires the developer to provide the mapping between the TOE design description and the entire implementation representation instead of a sample of it only as in ADV_IMP.1. Second, ADV_IMP.2 requires the evaluator to confirm that, for the entire implementation representation and not only for a sample of it as in ADV_IMP.1, the information provided meets all requirements for content and presentation of evidence.

Refinements regarding ALC_CMC

Refinement no. 205 to ALC_CMC.4 in the Protection Profile [5] is entirely applicable to ALC_CMC.5 since the refinement clarifies the scope of configuration items in ALC_CMC.4, and ALC_CMC.5 does not touch this scope.

159 [assignment: list of policies that are formally modelled]
Refinement no. 206 to ALC_CMC.4 in the Protection Profile [5] is entirely applicable to ADV_CMC.5 since the refinement details requirements on configuration management of the TOE for ALC_CMC.4, which are not subverted in ADV_CMC.5.

**Refinements regarding ALC_CMS**

Refinement no. 199 to ALC_CMS.4 in the Protection Profile [5] is a clarification of the configuration item “TOE implementation representation”. Although NXP as the TOE manufacturer is providing the Security IC Embedded Software, this item is not relevant for the configuration list, as the Security IC Embedded Software is developed independently from the TOE.

Compared to ALC_CMS.4 component ALC_CMS.5 only adds the requirement for a new configuration items to be included in the configuration list. (ALC_CMS.5.1C). Therefore the refinement in the PP regarding ADV_CMS.4 can be applied without changes and is valid for ADV_CMS.5.

**Refinements regarding ATE_COV**

Refinements no. 226 and no. 227 to ATE_COV.2 in the Protection Profile [5] are entirely applicable to ATE_COV.3 since they define some particular requirements on the test coverage for ATE_COV.2, which are not subverted in ATE_COV.3.

### 6.3 Security Requirements Rationale

#### 6.3.1 Rationale for the Security Functional Requirements

*Table 27* maps the Security Objectives for the TOE to the Security Functional Requirements for the TOE.

<table>
<thead>
<tr>
<th>Security Objective for the TOE</th>
<th>Security Functional Requirement of the TOE</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.Malfunction</td>
<td>FRU_FLT.2, FPT_FLS.1</td>
</tr>
<tr>
<td>O.Abuse-Func</td>
<td>FMT_LIM.1, FMT_LIM.2</td>
</tr>
<tr>
<td></td>
<td>FRU_FLT.2, FTP_FLS.1</td>
</tr>
<tr>
<td></td>
<td>FPT_PHP.3</td>
</tr>
<tr>
<td></td>
<td>FDP_ITT.1, FPT_ITT.1, FDP_IFC.1</td>
</tr>
<tr>
<td>O.Phys-Probing</td>
<td>FPT_PHP.3</td>
</tr>
<tr>
<td>O.Phys-Manipulation</td>
<td>FDP_SDC.1</td>
</tr>
<tr>
<td></td>
<td>FDP_SDI.2/FLT</td>
</tr>
<tr>
<td>O.Leak-Inherent</td>
<td>FDP_ITT.1, FPT_ITT.1, FDP_IFC.1</td>
</tr>
<tr>
<td>O.Leak-Forced</td>
<td>FRU_FLT.2, FPT_FLS.1</td>
</tr>
<tr>
<td>O.RND</td>
<td>FPT_PHP.3</td>
</tr>
<tr>
<td></td>
<td>FCS_RNG.1/PTG.2</td>
</tr>
<tr>
<td></td>
<td>FRS_FLT.2, FPT_FLS.1</td>
</tr>
<tr>
<td>Security Objective for the TOE</td>
<td>Security Functional Requirement of the TOE</td>
</tr>
<tr>
<td>--------------------------------</td>
<td>-------------------------------------------</td>
</tr>
<tr>
<td></td>
<td>FPT_PHP.3</td>
</tr>
<tr>
<td></td>
<td>FDP_ITT.1, FPT_ITT.1, FDP_IFC.1</td>
</tr>
<tr>
<td>O.Identification</td>
<td>FAU_SAS.1</td>
</tr>
<tr>
<td>O.TDES</td>
<td>FCS_COP.1/TDES</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4/TDES</td>
</tr>
<tr>
<td>O.AES</td>
<td>FCS_COP.1/AES</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4/AES</td>
</tr>
<tr>
<td>O.FLASH-INTEGRITY</td>
<td>FDP_SD.1/AGE</td>
</tr>
<tr>
<td>O.GCM-SUPPORT</td>
<td>FCS_COP.1/GCM</td>
</tr>
<tr>
<td>O.CRC</td>
<td>FCS_COP.1/CRC</td>
</tr>
<tr>
<td>O.MEM-ACCESS</td>
<td>FDP_ACC.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FDP_ACF.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.3/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_SMF.1</td>
</tr>
<tr>
<td>O.SFR-ACCESS</td>
<td>FDP_ACC.1/SFR</td>
</tr>
<tr>
<td></td>
<td>FDP_ACF.1/SFR</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.1/SFR</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.3/SFR</td>
</tr>
<tr>
<td></td>
<td>FMT_SMF.1</td>
</tr>
</tbody>
</table>

The green and blue colored cells in Table 27 show how the Protection Profile [5] maps its security objectives for the TOE to the Security Functional Requirements for the TOE, see section 6.3.1 and section 7.4.2. of the Protection Profile [5]. Green marks this for the mandatory security requirements of the protection profile, blue marks this for the augmentations. Section 6.3.1 of the Protection Profile [5] also gives the rationale for the mappings colored in green.

The justification related to security objective O.TDES is as follows:
O.TDES is met by FCS_COP.1/TDES and FCS_CKM.4/TDES since FCS_COP.1/TDES requests the TOE to implement the cryptographic service targeted in O.TDES according to approved public standards and FCS_CKM.4/TDES requests the TOE to implement a secure destruction method for its cryptographic key.

The justification related to security objective O.AES is as follows:
O.AES is met by FCS_COP.1/AES and FCS_CKM.4/AES since FCS_COP.1/AES requests the TOE to implement the cryptographic service targeted in O.AES according to approved public standards and FCS_CKM.4/AES requests the TOE to implement a secure destruction method for its cryptographic key.

The justification related to security objective O.MEM-ACCESS is as follows:
O.MEM-ACCESS is met by FDP_ACC.1/MEM, FDP_ACF.1/MEM, FMT_MSA.1/MEM, FMT_MSA.3/MEM and FMT_SMF.1 together.
FDP_ACC.1/MEM requests the TOE to enforce the Access Control Policy to its memories. FDP_ACF.1/MEM gives the rules for all access ports of the TOE versus system operation modes and CPU privilege levels, which must be applied to the objects, and also the dependencies of these rules on security attributes. FMT_MSA.1/MEM and FMT_MSA.3/MEM give the restrictions required on these security attributes. FMT_SMF.1 finally lists the rules for all access ports that make the TOE changing their system operation modes and CPU privilege levels.

The justification related to security objective O.SFR-ACCESS is as follows:
O.SFR-ACCESS is met by FDP_ACC.1/SFR, FDP_ACF.1/SFR, FMT_MSA.1/SFR, FMT_MSA.3/SFR and FMT_SMF.1 together.

FDP_ACC.1/SFR requests the TOE to enforce the Access Control Policy to its hardware components. FDP_ACF.1/SFR gives the rules for all access ports of the TOE versus system operation modes and CPU privilege levels, which must be applied to the objects, and also the dependencies of these rules on security attributes. FMT_MSA.1/MEM and FMT_MSA.3/MEM give the restrictions required on these security attributes. FMT_SMF.1 finally lists the rules for all access ports that make the TOE changing their system operation modes and CPU privilege levels.

The justification related to security objective O.FLASH-INTEGRITY is as follows:
O.FLASH-INTEGRITY is met by FDP_SDI.2/AGE for the following reason. O.FLASH-INTEGRITY targets to preserve integrity over life-time and FDP_SDI.2/AGE addresses this with a request to monitor integrity and either correct violations or indicate a wearout failure.

The justification related to security objective O.GCM-SUPPORT is as follows:
O.GCM-SUPPORT is met by FCS_COP.1/GCM since FCS_COP.1/GCM requests the TOE to implement the support for cryptographic services targeted in O.GCM-SUPPORT according to an approved public standard. No keys are used by the support for the cryptographic services.

The justification related to security objective O.CRC is as follows:
O.CRC is met by FCS_COP.1/CRC since FCS_COP.1/CRC requests the TOE to implement the cryptographic service targeted in O.CRC according approved public standards. No keys are used by the cryptographic service.

The rationale for the Security Functional Requirements for Crypto Library which are additional to the PP is described below.

Note 7. O.RND taken from the PP [5] is considered to be generic and therefore covers both hardware RNG and software RNG. For O.RND additional requirements (FCS_RNG.1/HYB-DET, and FCS_RNG.1/HYB-PHY) have been added. The explanation following Table 28 describes this in detail.

Table 28. Mapping of SFRs to Security Objectives for Crypto Library in this ST

<table>
<thead>
<tr>
<th>Objective</th>
<th>TOE Security Functional Requirements</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.SW_AES</td>
<td>FCS_COP.1/SW AES</td>
</tr>
<tr>
<td>O.SW_DES</td>
<td>FCS_COP.1/SW DES</td>
</tr>
<tr>
<td>O.RSA</td>
<td>FCS_COP.1/RSA</td>
</tr>
<tr>
<td></td>
<td>FCS_COP.1/RSA_Pad</td>
</tr>
<tr>
<td>O.RSA_PubExp</td>
<td>FCS_COP.1/RSA_PubExp</td>
</tr>
</tbody>
</table>
## Objective  TOE Security Functional Requirements

<table>
<thead>
<tr>
<th>Objective</th>
<th>TOE Security Functional Requirements</th>
</tr>
</thead>
<tbody>
<tr>
<td>O.RSA_KeyGen</td>
<td>FCS_CKM.1/RSA</td>
</tr>
<tr>
<td>O.ECDSA</td>
<td>FCS_COP.1/ECDSA</td>
</tr>
<tr>
<td>O.ECC_DHKE</td>
<td>FCS_COP.1/ECC_DHKE</td>
</tr>
<tr>
<td>O.ECC_Add</td>
<td>FCS_COP.1/ECC_Add</td>
</tr>
<tr>
<td>O.ECC_KeyGen</td>
<td>FCS_CKM.1/ECC</td>
</tr>
<tr>
<td>O.ECDAA</td>
<td>FCS_COP.1/ECDAA</td>
</tr>
<tr>
<td>O.SHA</td>
<td>FCS_COP.1/SHA</td>
</tr>
<tr>
<td>O.HMAC</td>
<td>FCS_COP.1/HMAC</td>
</tr>
<tr>
<td>O.KDF (#Crypto Library v2.0.0 only)</td>
<td>FCS_COP.1/KDF</td>
</tr>
<tr>
<td>O.EDDSA</td>
<td>FCS_COP.1/EDDSA</td>
</tr>
<tr>
<td>O.EDDSA_KeyGen</td>
<td>FCS_CKM.1/EDDSA</td>
</tr>
<tr>
<td>O.MONT_KeyGen</td>
<td>FCS_CKM.1/MONT</td>
</tr>
<tr>
<td>O.MONT_DHKE</td>
<td>FCS_COP.1/MONT_DHKE</td>
</tr>
<tr>
<td>O.EUICC</td>
<td>FCS_COP.1/EUICC</td>
</tr>
<tr>
<td>O.SW_CRC</td>
<td>FCS_COP.1/SW_CRC</td>
</tr>
<tr>
<td>O.COPY</td>
<td>FDP_SOP.1/Copy</td>
</tr>
<tr>
<td>O.COMPARE</td>
<td>FDP_SOP.1/Compare</td>
</tr>
<tr>
<td>O.ARITH_OP (#Crypto Library v2.0.0 only)</td>
<td>FDP_SOP.1/Arith_op</td>
</tr>
<tr>
<td>O.REUSE</td>
<td>FDP_RIP.1</td>
</tr>
<tr>
<td>O.RND</td>
<td>FCS_RNG.1/HYB-DET</td>
</tr>
<tr>
<td></td>
<td>FCS_RNG.1/HYB-PHY</td>
</tr>
</tbody>
</table>

The justification of the security objectives O.SW_AES, O.SW_DES, O.RSA, O.RSA_PubExp, O.RSA_KeyGen, O.ECDSA, O.ECC_DHKE, O.ECC_Add, O.ECC_KeyGen, O.ECDAA, O.SHA, O.HMAC, O.KDF, O.EDDSA, O.EDDSA_KeyGen, O.MONT_KeyGen, O.MONT_DHKE, O.EUICC, O.COPY, O.COMPARE, O.ARITH_OP and O.SW_CRC are all as follows:

- Each objective is directly implemented by a single SFR specifying the (cryptographic) service that the objective wishes to achieve (see the above table for the mapping).
- The requirements and architectural measures that originally were taken from the Protection Profile [5] support the objective:
  - ADV.ARC.1 (and underlying platform SFRs) supports the objective by ensuring that the TOE works correctly (i.e., all of the TOE’s capabilities are ensured) within the specified operating conditions and maintains a secure state when the TOE is outside the specified operating conditions. A secure state is also entered when perturbation or DFA attacks are detected.
  - ADV.ARC.1 (and underlying platform SFRs) ensures that no User Data (plain text data, keys) or TSF Data is disclosed when they are transmitted between different functional units of the TOE (i.e., the different memories, the CPU, cryptographic co-processors), thereby supporting the objective in keeping confidential data secret.
• ADV.ARC.1 (and underlying platform SFRs) by ensuring that User Data and TSF Data are not accessible from the TOE except when the Security IC Embedded Software decides to communicate them via an external interface.

The justification of the security objective O.REUSE is as follows:

• O.REUSE requires the TOE to provide procedural measures to prevent disclosure of memory contents that was used by the TOE. This applies to the SN100 Series - Secure Element with Crypto Library and is met by the SFR FDP_RIP.1 and FCS_CKM.4/CL, which requires the library to make unavailable all memory contents that has been used by it. Note that the requirement for residual information protection applies to all functionality of the Cryptographic Library.

The justification of the security objective O.RND is as follows:

• O.RND requires the TOE to generate random numbers with (a) ensured cryptographic quality (i.e. not predictable and with sufficient entropy) such that (b) information about the generated random numbers is not available to an attacker.

1. Ensured cryptographic quality (sufficient entropy part) of generated random numbers is met by FCS_RNG.1.1/HYB-DET through the characteristic ‘hybrid deterministic’, by FCS_RNG.1.1/HYB-PHY through the characteristic ‘hybrid physical’, and by the random number generator meeting NIST SP 800-90A. Ensured cryptographic quality (not predictable part) of generated random numbers is met by FCS_RNG.1/HYB-DET through the characteristic ‘chi-squared test of the seed generator’, by FCS_RNG.1/HYB-PHY through the characteristic ‘cryptographic post-processing algorithm’, and FCS_RNG.1 from the certified hardware platform.

2. Information about the generated random numbers is not available to an attacker is met through ADV.ARC.1, which prevent physical manipulation and malfunction of the TOE and support this objective because they prevent attackers from manipulating or otherwise affecting the random number generator.

6.3.2 Dependencies of Security Functional Requirements

The dependencies of the Security Functional Requirements for the TOE are given in Table 29.

<table>
<thead>
<tr>
<th>SFR of the TOE</th>
<th>Dependencies</th>
<th>Fulfilled by SFRs</th>
</tr>
</thead>
<tbody>
<tr>
<td>FRU_FLT.2</td>
<td>FPT_FLS.1</td>
<td>FPT_FLS.1</td>
</tr>
<tr>
<td>FPT_FLS.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FMT_LIM.1</td>
<td>FMT_LIM.2</td>
<td>FMT_LIM.2</td>
</tr>
<tr>
<td>FMT_LIM.2</td>
<td>FMT_LIM.1</td>
<td>FMT_LIM.1</td>
</tr>
<tr>
<td>FPT_PHP.3</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_ITT.1</td>
<td>FDP_ACC.1 or FDP_IFC.1</td>
<td>FDP_IFC.1</td>
</tr>
<tr>
<td>FPT_ITT.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_JFC.1</td>
<td>FDP_IFF.1</td>
<td>N/A, see sec. 6.3.2 in PP [5]</td>
</tr>
<tr>
<td>FAU_SAS.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SDC.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SDI.2/AGE</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SDI.2/FLT</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FCS_RNG.1/PTG.2</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>SFR of the TOE</td>
<td>Dependencies</td>
<td>Fulfilled by SFRs</td>
</tr>
<tr>
<td>--------------------------------</td>
<td>--------------------------------</td>
<td>---------------------------------------</td>
</tr>
<tr>
<td>FCS_COP.1/TDES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/TDES</td>
</tr>
<tr>
<td>FCS_COP.1/AES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/AES</td>
</tr>
<tr>
<td>FCS_COP.1/GCM</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_COP.1/CRC</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_CKM.4/TDES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_CKM.4/AES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FDP_ACC.1/MEM</td>
<td>FDP_ACF.1</td>
<td>FDP_ACF.1/MEM</td>
</tr>
<tr>
<td>FDP_ACC.1/SFR</td>
<td>FDP_ACF.1</td>
<td>FDP_ACF.1/SFR</td>
</tr>
<tr>
<td>FDP_ACF.1/MEM</td>
<td>FDP_ACC.1</td>
<td>FDP_ACC.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.3</td>
<td>FMT_MSA.3/MEM</td>
</tr>
<tr>
<td>FDP_ACF.1/SFR</td>
<td>FDP_ACC.1</td>
<td>FDP_ACC.1/SFR</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.3</td>
<td>FMT_MSA.3/SFR</td>
</tr>
<tr>
<td>FMT_MSA.1/MEM</td>
<td>FDP_ACC.1 or FDP_IFC.1</td>
<td>FDP_ACC.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_SMR.1</td>
<td>see item 3 below</td>
</tr>
<tr>
<td></td>
<td>FMT_SMF.1</td>
<td>FMT_SMF.1</td>
</tr>
<tr>
<td>FMT_MSA.1/SFR</td>
<td>FDP_ACC.1 or FDP_IFC.1</td>
<td>FDP_ACC.1/SFR</td>
</tr>
<tr>
<td></td>
<td>FMT_SMR.1</td>
<td>see item 3 below</td>
</tr>
<tr>
<td></td>
<td>FMT_SMF.1</td>
<td>FMT_SMF.1</td>
</tr>
<tr>
<td>FMT_MSA.3/MEM</td>
<td>FMT_MSA.1</td>
<td>FMT_MSA.1/MEM</td>
</tr>
<tr>
<td></td>
<td>FMT_SMR.1</td>
<td>see item 3 below</td>
</tr>
<tr>
<td></td>
<td>FMT_MSA.1</td>
<td>FMT_MSA.1/SFR</td>
</tr>
<tr>
<td>FMT_SMF.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FCS_COP.1/SW_AES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/SW_DES</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/RSA</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>FCS_CKM.1/RSA (for keys if generated by this SFR) otherwise see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/RSA_PAD</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/RSA_PubExp</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/ECDSA</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>FCS_CKM.1/ECC (for keys if generated by this SFR) otherwise see item 1 below</td>
</tr>
<tr>
<td></td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>SFR of the TOE</td>
<td>Dependencies</td>
<td>Fulfilled by SFRs</td>
</tr>
<tr>
<td>---------------</td>
<td>--------------</td>
<td>------------------</td>
</tr>
<tr>
<td>FCS_COP.1/ECC_DHKE</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/ECC_DHKE</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/ECC_DHKE</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/ECC_Add</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/ECC_Add</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/ECDSA</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/SHA</td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_COP.1/HMAC</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/KDF (Crypto Library v2.0.0 only)</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/KDF (Crypto Library v2.0.0 only)</td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_COP.1/EDDSA</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/MONT_DHKE</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>FCS_CKM.1/MONT (for keys if generated by this SFR) otherwise see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/MONT_DHKE</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_COP.1/EUICC</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/EUICC</td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_COP.1/SW_CRC</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>see item 1 below</td>
</tr>
<tr>
<td>FCS_COP.1/SW_CRC</td>
<td>FCS_CKM.4</td>
<td>N/R, see item 2 below</td>
</tr>
<tr>
<td>FCS_CKM.1/RSA</td>
<td>FCS_CKM.2 or FCS_COP.1</td>
<td>FCS_COP.1/RSA</td>
</tr>
<tr>
<td>FCS_CKM.1/RSA</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_CKM.1/ECC</td>
<td>FCS_CKM.2 or FCS_COP.1</td>
<td>FCS_COP.1/ECCDHKE</td>
</tr>
<tr>
<td>FCS_CKM.1/ECC</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_CKM.1/EDDSA</td>
<td>FCS_CKM.2 or FCS_COP.1</td>
<td>FCS_COP.1/EDDSA</td>
</tr>
<tr>
<td>FCS_CKM.1/EDDSA</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_CKM.1/MONT</td>
<td>FCS_CKM.2 or FCS_COP.1</td>
<td>FCS_COP.1/MONT_DHKE</td>
</tr>
<tr>
<td>FCS_CKM.1/MONT</td>
<td>FCS_CKM.4</td>
<td>FCS_CKM.4/CL</td>
</tr>
<tr>
<td>FCS_CKM.4/CL</td>
<td>FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1</td>
<td>FCS_CKM.1/RSA, FCS_CKM.1/ECC, FCS_CKM.1/EDDSA, FCS_CKM.1/MONT</td>
</tr>
<tr>
<td>FDP_RIP.1</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FCS_RNG.1/HYB-DET</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FCS_RNG.1/HYB-PHY</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SOP.1/Copy</td>
<td>none</td>
<td>N/A</td>
</tr>
<tr>
<td>FDP_SOP.1/Compare</td>
<td>none</td>
<td>N/A</td>
</tr>
</tbody>
</table>
6.3.3 Rationale for the Security Assurance Requirements

The Protection Profile [5] targets EAL4 augmented with ALC_DVS.2, and AVA_VAN.5 and also gives a rationale for this choice, which is entirely applicable to this Security Target.

This Security Target augments from EAL4 to EAL6 in order to meet increasing assurance expectations of digital signature applications and electronic payment systems on the resistance to attackers with high attack potential. The augmentations to EAL4 in the Protection Profile [5] are mandatory for EAL6.

This Security Target augments EAL6 with ALC_FLR.1 and ASE_TSS.2 for the following reasons.

ALC_FLR.1 is added to cover policies and procedures that are applied to track and correct flaws and to support surveillance of the TOE.

ASE_TSS.2 is chosen to give architectural information on the security functionality of the TOE, which enhances comprehensibility.

6.3.4 Dependencies of Security Assurance Requirements

The dependencies of the Security Assurance Requirements are given in Table 30. They are derived from Appendix C of CC [3] . The table indicates whether the SAR is directly or indirectly required. Only applicable dependencies from the highest level assurance components are considered.
### Table 30. Dependencies of the Security assurance requirements

<table>
<thead>
<tr>
<th>Name</th>
<th>Directly required</th>
<th>Indirectly required</th>
</tr>
</thead>
<tbody>
<tr>
<td>ADV_ARC.1</td>
<td>ADV_FSP.1, ADV_TDS.1</td>
<td>ADV_FSP.2</td>
</tr>
<tr>
<td>ADV_FSP.5</td>
<td>ADV_IMP.1, ADV_TDS.1</td>
<td>ADV_TDS.3, ALC_TAT.1</td>
</tr>
<tr>
<td>ADV_IMP.2</td>
<td>ADV_TDS.3, ALC_CMC.5, ALC_TAT.1</td>
<td>ADV_FSP.4, ALC_CMS.1, ALC_DVS.2, ALC_LCD.1</td>
</tr>
<tr>
<td>ADV_INT.3</td>
<td>ADV_IMP.1, ADV_TDS.3, ALC_TAT.1</td>
<td>ADV_FSP.4</td>
</tr>
<tr>
<td>ADV_SPM.1</td>
<td>ADV_FSP.4</td>
<td>ADV_TDS.1</td>
</tr>
<tr>
<td>ADV_TDS.5</td>
<td>ADV_FSP.5</td>
<td>ADV_IMP.1, ADV_TDS.3, ALC_TAT.1</td>
</tr>
<tr>
<td>AGD_OPE.1</td>
<td>ADV_FSP.1</td>
<td>none</td>
</tr>
<tr>
<td>AGD_PRE.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_CMC.5</td>
<td>ALC_CMS.1, ALC_DVS.2, ALC_LCD.1</td>
<td>none</td>
</tr>
<tr>
<td>ALC_CMS.5</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_DEL.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_DVS.2</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_FLR.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_LCD.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ALC_TAT.3</td>
<td>ADV_IMP.1</td>
<td>ADV_FSP.4, ADV_TDS.3</td>
</tr>
<tr>
<td>ASE_CCL.1</td>
<td>ASE_ECD.1, ASE_INT.1, ASE_REQ.1</td>
<td>none</td>
</tr>
<tr>
<td>ASE_ECD.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ASE_INT.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ASE_OBJ.2</td>
<td>ASE_SPD.1</td>
<td>none</td>
</tr>
<tr>
<td>ASE_REQ.2</td>
<td>ASE_ECD.1, ASE_OBJ.2</td>
<td>ASE_SPD.1</td>
</tr>
<tr>
<td>ASE_SPD.1</td>
<td>none</td>
<td>none</td>
</tr>
<tr>
<td>ASE_TSS.2</td>
<td>ADV_ARC.1, ADV_INT.1, ASE_REQ.1</td>
<td>ADV_FSP.2, ADV_TDS.1, ASE_ECD.1</td>
</tr>
<tr>
<td>ATE_COV.3</td>
<td>ADV_FSP.2, ATE_FUN.1</td>
<td>ADV_TDS.1, ATE_COV.1</td>
</tr>
<tr>
<td>ATE_DPT.3</td>
<td>ADV_ARC.1, ADV_TDS.4, ATE_FUN.1</td>
<td>ADV_FSP.5, ADV_IMP.1, ALC_TAT.1, ARE_COV.1</td>
</tr>
<tr>
<td>ATE_FUN.2</td>
<td>ATE_COV.1</td>
<td>ADV_FSP.2, ADV_TDS.1, ATE_FUN.1</td>
</tr>
<tr>
<td>ATE_IND.2</td>
<td>ADV_FSP.2, AGD_OPE.1, ATE_PRE.1, ATE_FUN.1</td>
<td>ADV_TDS.1</td>
</tr>
</tbody>
</table>
| AVA_VAN.5       | ADV_ARC.1, ADV_FSP4, ADV_IMP.1, ADV_TDS.3, AGD_OPE.1, ATE_PRE.1, ATE_DPT.1 | ALC_TAT.1, ATE_COV.1, ATE_FUN.1

### 6.3.5 Security Requirements are Internally Consistent

The statement on internal consistency of security requirements in section 6.3.4 of the Protection Profile [5] entirely applies to this Security Target.

Security functional requirements FRU_FLT.2, FPT_FLS.1, FPT_PHP.3, FDP_SDC.1, FDP_SDI.2/FLT, FDP_ITT.1, FPT_ITT.1, FDP_IFC.1, which meet security objectives
O.Malfunction, O.Phys-Probing, O.Phys-Manipulation, O.Leak-Inherent and O.Leak-Forced, protect the whole security functionality of the TOE and with this also the cryptographic operations requested in all iterations on FCS_COP.1, related operations on keys as requested in the iterations on FCS_CKM.4 as well as the access control policy according to FMT_SMF.1 and both iterations on each of FDP_ACC.1, FDP_ACF.1, FMT_MAS.1 and FMT_MSA.3.

The iterations FDP_SDI.2/FLT and FDP_SDI.2/AGE on FCS_SDI.2 complement each other in protecting integrity since they both request security functionality that detects integrity violations. Therefore FDP_SDI.2/AGE also adds to O.Phys-Manipulation.

The iterations on FCS_COP and FCS_CKM do not conflict since they address different operations with different keys.

The two iterations on each FDP_ACC.1, FDP_ACF.1, FMT_MSA.1 and FMT_MSA.3 do not contradict as they are related to different objects and their requests on shared security attributes fit together.
7 TOE Summary Specification

7.1 Portions of the TOE Security Functionality

7.1.1 Security Functionality of the TOE

The TOE Security Functionality (TSF) is composed of Security Services (SS) and Security Features (SF). They together fulfill the security functional requirements for the TOE, which are identified in Section 6.1.

The Security Services of the TOE are summarized in Table 31 and described in Section 7.1.2.

The Security Features of the TOE are summarized in Table 32 and described in Section 7.1.3.

The TOE also implements security functionality, which is not part of its Security Services and Security Features like the PKC coprocessor. Such security functionality isn't required to meet the security functional requirements for the TOE. Instead, it can be used by Security IC Embedded Software to implement further Security Services and Security Features.

Table 31. Security Services of the Hardware Security Target

<table>
<thead>
<tr>
<th>Security Services</th>
<th>Name</th>
</tr>
</thead>
<tbody>
<tr>
<td>SS.RNG</td>
<td>Random Number Generator</td>
</tr>
<tr>
<td>SS.TDES</td>
<td>Triple-DES coprocessor</td>
</tr>
<tr>
<td>SS.AES</td>
<td>AES coprocessor</td>
</tr>
<tr>
<td>SS.GCM</td>
<td>GCM coprocessor</td>
</tr>
<tr>
<td>SS.SBC</td>
<td>SBC interface functions</td>
</tr>
<tr>
<td>SS.CRC</td>
<td>CRC coprocessor</td>
</tr>
<tr>
<td>SS.SW_AES</td>
<td>Software AES</td>
</tr>
<tr>
<td>SS.SW_DES</td>
<td>Software DES</td>
</tr>
<tr>
<td>SS.RSA</td>
<td>RSA</td>
</tr>
<tr>
<td>SS.RSA_Pad</td>
<td>RSA Padding</td>
</tr>
<tr>
<td>SS.RSA_PublicExp</td>
<td>RSA Public Exponentiation</td>
</tr>
<tr>
<td>SS.ECDSA</td>
<td>Elliptic Curve Digital Signature Algorithm (ECDSA)</td>
</tr>
<tr>
<td>SS.ECC_DHKE</td>
<td>ECC Diffie Hellman Key Exchange</td>
</tr>
<tr>
<td>SS.ECC_Add</td>
<td>Full ECC Point Addition</td>
</tr>
<tr>
<td>SS.ECDAA</td>
<td>Elliptic Curve Direct Anonymous Attestation (ECDAA)</td>
</tr>
<tr>
<td>SS.RSA_KeyGen</td>
<td>RSA Key Generator</td>
</tr>
<tr>
<td>SS.ECC_KeyGen</td>
<td>ECC Key Generator</td>
</tr>
<tr>
<td>SS.SHA</td>
<td>Secure Hash Algorithms</td>
</tr>
<tr>
<td>SS.HMAC</td>
<td>HMAC</td>
</tr>
<tr>
<td>SS.KDF (Crypto Library v2.0.0 only)</td>
<td>KDF</td>
</tr>
</tbody>
</table>
### Security Services of the TOE

#### 7.1.2 SS.RNG : Random Number Generator

SS.RNG serves Security IC Embedded Software with random numbers.

For this purpose SS.RNG implements a physical hardware Random Number Generator, which claims functionality class PTG2 of the pre-defined RNG classes in [6]. With this it is suitable for generation of signature key pairs, generation of session keys for symmetric encryption mechanisms, random padding bits, zero-knowledge proofs, generation of seeds for Digital Random Number Generation (DRNG).

The Random Number Generator fulfills the online test requirements defined in [6] and embeds hardware test functionality to detect hardware defects and quality issues of the random numbers.

This security functionality covers:
- FPT_PHP.3
- FCS_RNG.1/PTG.2
7.1.2.2 SS.TDES: Triple-DES coprocessor

SS.TDES serves Security IC Embedded Software with calculation of the Triple Data Encryption Algorithm (TDEA) based on the Data Encryption Standard (DES) as defined in [74].

For this purpose SS.TDES implements a Triple-DES coprocessor in hardware, which can be configured by the Security IC Embedded Software to calculate the Triple DES algorithm or the Triple DES inverse algorithm on blocks of 64 bits with selectable keying option 1 of two 56-bit keys or keying option 2 of three 56-bit keys according to [74]. The keys shall be provided by the Security IC Embedded Software.

This security functionality covers:
- FCS_COP.1/TDES

7.1.2.3 SS.AES: AES coprocessor

SS.AES serves Security IC Embedded Software with calculation of the Advanced Encryption Standard (AES) algorithm as defined in [53].

For this purpose SS.AES implements an AES coprocessor in hardware, which can be configured by the Security IC Embedded Software to calculate the AES algorithm or the inverse AES algorithm on blocks of 128 bits with a selectable key length of 128, 192 or 256 bits. The keys shall be provided by the Security IC Embedded Software.

This security functionality covers:
- FCS_COP.1/AES

7.1.2.4 SS.GCM: GCM coprocessor

SS.GCM serves Security IC Embedded Software with support of Galois/Counter Mode (GCM) of operation for symmetric-key cryptographic block ciphers and Galois Message Authentication Code (GMAC) as defined in [46].

For this purpose SS.GCM implements a GCM coprocessor in hardware, which can be configured by the Security IC Embedded Software to perform Galois field multiplication of two 128-bits input values according to section 6.3 of [46].

This security functionality covers:
- FCS_COP.1/GCM

7.1.2.5 SS.SBC: SBC interface functions

SS.SBC serves the Security IC Embedded Software with support of Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR) modes of operation for symmetric block ciphers as defined in “NIST SP 800-38A” [42], “Addendum to NIST SP 800-38A” [43] and with support of Galois/Counter Mode (GCM) of operation for symmetric block ciphers and Galois Message Authentication Code (GMAC) as defined in “NIST SP 800-38D” [46].

For this purpose SS.SBC implements XOR operations in hardware and also implements an increment function in hardware according to section 6.2 of “NIST SP 800-38D” [46] with \( s = 32 \). In addition, the TOE implements a register bank that handles input and output data of SS.TDES, SS.AES, SS.GCM as well as their pre- and post-processing with XOR operations and increment function.
This security functionality covers:

- FCS_COP.1/TDES
- FCS_CKM.4/TDES
- FCS_COP.1/AES
- FCS_CKM.4/AES
- FCS_COP.1/GCM

### 7.1.2.6 SS.CRC : CRC coprocessor

SS.CRC serves the Security IC Embedded Software with calculation of cyclic redundancy checks as defined in [59] for 8 bits, in [61] for 16 bits and in [62] for 32 bits.

For this purpose SS.CRC implements two CRC coprocessors in hardware. Each CRC coprocessor can be configured by Security IC Embedded software to calculate a cyclic redundancy check over a data stream of selectable number of one, two, three or four input bytes. The Security IC embedded Software can choose the cyclic redundancy check out of an 8-bits value based on the polynomial in [59], a 16-bits value based on the polynomial in [61] and a 32-bits value based on the polynomial in [62].

This security functionality covers:

- FCS_COP.1/CRC

### 7.1.2.7 SS.SW_AES : Software AES

The TOE uses the AES coprocessor to provide AES encryption and decryption facility using 128, 192 and 256 bit keys.

The TOE implements additional countermeasures that are configurable at runtime and provides functionality for handling checksums over loaded keys.

The supported modes are ECB, CBC, CFB, CTR, GCM, CBC-MAC, CCM, OFB (Crypto Library v2.0.0 only) and CMAC (i.e. the CBC mode applied to the block cipher algorithm AES).

The CBC-MAC mode of operation is rather similar to the CBC mode of operation, but returns only the last cipher text (see also ISO/IEC 9797-1 [48], Algorithm 1).

SS.SW_AES is a basic cryptographic function which provides the AES algorithm as defined by the standard “FIPS PUB 197-2001” [53].

The interface to SS.SW_AES allows AES operations independent from prior key loading. The user has to take care that adequate keys of the correct size are loaded before the cryptographic operation is performed. Details are described in the user guidance [13] and the user manual [33].

This security functionality covers:

- FCS_COP.1/SW_AES

### 7.1.2.8 SS.SW_DES : Software DES

The TOE uses the Triple-DES hardware coprocessor to provide a Triple-DES encryption and decryption. The Triple-DES function uses double-length or triple-length keys with sizes of 112 or 168 bits respectively.

The TOE implements additional counter measures that are configurable at runtime and provides functionality for handling checksums over loaded keys.
The supported modes are ECB, CBC, CFB, CTR, CBC-MAC, RetailMAC, OFB (Crypto Library v2.0.0 only) and CMAC (i.e. the CBC mode applied to the block cipher algorithm TDES).

The CBC-MAC mode of operation is rather similar to the CBC mode of operation, but returns only the last cipher text (see also “ISO/IEC 9797-1” [48], Algorithm 1, or “FIPS PUB 81-1980” [50], Appendix F).

To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that Single-DES shall not be used.

SS.SW_DES is a modular basic cryptographic function which provides the Triple-DES algorithm (with two and three keys) as defined by the standard NIST SP 800-67 [74].

The interface to SS.SW_DES allows performing 2-key and 3-key Triple-DES operations independent from prior key loading. The user has to take care that adequate keys of the correct size are loaded before the cryptographic operation is performed. Details are described in the user manual [33]. All modes of operation (ECB, CBC, CTR, CBC MAC) can be applied to two-key TDES and three-key TDES.

This security functionality covers:

- FCS_COP.1/SW_DES

### 7.1.2.9 SS.RSA

The TOE provides functions that implement the RSA algorithm and the RSA-CRT algorithm for data encryption, decryption, signature and verification. All algorithms are defined in PKCS #1, v2.2 (RSAEP, RSADP, RSAP1, RSAVP1) and FIPS PUB 186-4-2013 [52].

This routine supports various key lengths from 512 bits to 4096 bits. To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards).

The TOE contains modular exponentiation functions, which, together with other functions in the TOE, perform the operations required for RSA encryption or decryption. Two different RSA algorithms are supported by the TOE, namely the “Simple Straight Forward Method” (called RSA “straight forward”, the key consists of the pair n and d) and RSA using the “Chinese Remainder Theorem” (RSA CRT, the key consists of the quintuple p, q, dp, dq, qInv).

This security functionality covers:

- FCS_COP.1/RSA

### 7.1.2.10 SS.RSA_Pad : RSA Padding

The TOE provides functions that implement the RSA algorithm and the RSA-CRT algorithm for message and signature encoding. This IT security functionality supports the EME-OAEP and EMSA-PSS signature scheme. All algorithms are defined in PKCS#1 v2.2 (EME-OAEP, EMSA-PSS) [64] and PKCS#1 v1.5 [65].

This routine supports various key lengths from 512 bits to 4096 bits.

This security functionality covers:

- FCS_COP.1/RSA_PAD
7.1.2.11 SS.RSA_PublicExp : RSA Public Exponentiation

The TOE provides functions that implement computation of an RSA plain public key from a private CRT key. All algorithms are defined in PKCS #1, v2.2. and FIPS PUB 186-4-2013 [52].

This routine supports various key lengths from 512 bits to 4096 bits (CRT).

This security functionality covers:
  • FCS_COP.1/RSA_PubExp

7.1.2.12 SS.ECDSA : Elliptic Curve Digital Signature Algorithm (ECDSA)

The TOE provides functions to perform ECDSA Signature Generation and Signature Verification according to ISO/IEC 14888-3 [56], ANSI X9.62-1998 [63] and FIPS PUB 186-4-2013 [52].

Note that hashing of the message must be done beforehand and is not provided by this security functionality, but could be provided by SS.SHA.

The supported key length is 128 to 640 bits for both signature generation and for signature verification.

This security functionality covers:
  • FCS_COP.1/ECDSA

7.1.2.13 SS.ECC_DHKE : ECC Diffie Hellman Key Exchange

The TOE provides functions to perform Diffie-Hellman Key Exchange according to ISO/IEC 11770-3-2015 [57] and ANSI X9.63 [75]. It can also be used as secure point multiplication.

The supported key length is 128 to 640 bits.

This security functionality covers:
  • FCS_COP.1/ECC_DHKE

7.1.2.14 SS.ECC_Add : Full ECC Point Addition

The TOE provides functions to perform a full ECC point addition according to ISO/IEC 15946-1-2008 [58].

The supported key length is 128 to 640 bits.

This security functionality covers:
  • FCS_COP.1/ECC_Add

7.1.2.15 SS.ECDAA : Elliptic Curve Direct Anonymous Attestation (ECDAA)

The TOE provides the ECDAA related function to perform an ECDAA signature calculation as specified in the TPM 2.0 [72].

This security functionality covers:
  • FCS_COP.1/ECDAA
7.1.2.16 **SS.RSA_KEYGEN : RSA Key Generator**

The TOE provides functions to generate RSA key pairs as described in PKCS #1, v2.2, FIPS PUB 186-4-2013 [52]. With this the TOE complies to the content of SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms [73].

It supports various key lengths from 512 bits to 4096 bits.

Two different output formats for the key parameters are supported by the TOE, namely the "Simple Straight Forward Method" (RSA "straight forward") and RSA using the "Chinese Remainder Theorem" (RSA CRT).

This security functionality covers:
- FCS_CKM.1/RSA

7.1.2.17 **SS.ECC_KEYGEN : ECC Key Generator**

The TOE provides functions to perform ECC over GF(p) Key Generation according to ISO/IEC 15946-1 [58], ANSI X9.62-1998 [63] and FIPS PUB 186-4-2013 [52]. With this the TOE complies to the content of SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms [73].

It supports key length from 128 to 640 bits.

This security functionality covers:
- FCS_CKM.1/ECC

7.1.2.18 **SS.SHA : Secure Hash Algorithms**

The TOE implements functions to compute the Secure Hash Algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 according to the standard FIPS PUB 180-4-2011 [51] and SHA-3/224, SHA-3/256, SHA-3/384 and SHA-3/512 according to the standard and FIPS PUB 180-4-2011 [51] and FIPS PUB 202-2015 [55].

To fend off attackers with high attack potential an adequate security level must be used (references can be found in national and international documents and standards). In particular this means that SHA-1 shall not be used.

This security functionality covers:
- FCS_COP.1/SHA

7.1.2.19 **SS.HMAC**

The TOE provides functions to perform HMAC Keyed-hash Message Authentication algorithm according to FIPS 198-1 [54] and FIPS 202 [55].

The TOE supports the calculation of HMAC authentication code with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 or SHA-3/512 hash algorithms. The HMAC algorithm can use either the high security level or standard security level version of SHA, depending on required security level.

There is no limitation on the supported key length except that it must be a multiple of 8 bits.

To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). In particular this means that HMAC with SHA-1 shall not be used.
This security functionality covers:

• FCS_COP.1/HMAC

7.1.2.20 SS.KDF

The TOE provides a function to perform hash-based key derivation according to ANSI X9.63 [75].

The TOE supports the calculation of KDF with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-3/224, SHA-3/256, SHA-3/384 or SHA-3/512 hash algorithms. The KDF algorithm can use either the high security level or standard security level version of SHA, depending on required security level.

To fend off attackers with high attack potential an adequate key length must be used (references can be found in national and international documents and standards). In particular this means that HMAC with SHA-1 shall not be used.

This security functionality covers:

• FCS_COP.1/KDF

7.1.2.21 SS.EDDSA : Edwards-curve Digital Signature Algorithm (EdDSA)

This TSF performs EdDSA signature generation and verification for cryptographic key sizes 128 to 640 bits. It meets IETF RFC 8032 [66] as well as IETF RFC 8032 [66] except for the scalar calculation (where the scalar used for the point multiplication is chosen randomly and not computed from the private key).

This security functionality covers:

• FCS_COP.1/EDDSA

7.1.2.22 SS.EDDSA_KeyGen : EdDSA Key Generation

The TSF generates private/public key pairs for the EdDSA signature scheme for key sizes from 128 to 640 bits that meets the IETF RFC 8032 [66].

This security functionality covers:

• FCS_CKM.1/EDDSA

7.1.2.23 SS.MONT_KeyGen : MontDH Key Generation

The TSF generates key pairs for Diffie-Hellman Key Exchange in accordance with the Curve25519 and Curve448 and generalizations thereof for a wider class Montgomery curves over GF(p) with key sizes from 128 to 640 bits. It meets IETF RFC 7748 [67].

This security functionality covers:

• FCS_CKM.1/MONT

7.1.2.24 SS.MONT_DHKE : MontDH Key Exchange

The TSF performs Diffie-Hellman Key Exchange in accordance with Curve25519 and Curve448 and generalizations thereof for a wider class Montgomery curves over GF(p) with key sizes from 128 to 640 bits. It meets IETF RFC 7748 [67].

This security functionality covers:
7.1.2.25 **SS.EUICC : eUICC Authentication**

The TSF provides services for authentication for eUICC applications. It implements the cryptographic algorithms MILENAGE, TUAK and CAVE.

This security functionality covers:
- FCS_COP.1/EUICC

7.1.2.26 **SS.COPY : Secure Copy**

The security service SS.COPY implements functionality to copy memory content in a secure manner protected against attacks.

This security functionality covers:
- FDP_SOP.1/Copy

7.1.2.27 **SS.COMPARE : Secure Compare**

The security service SS.COMPARE implements functionality to compare different blocks of memory content in a manner protected against attacks.

This security functionality covers:
- FDP_SOP.1/Compare

7.1.2.28 **SS.ARITH_OP : Secure arithmetic operations**

The security service SS.ARITH_OP provides a function to do arithmetic operations (modular addition, modular subtraction, modular multiplication, modular inversion, arithmetic comparison and exact addition) in a side channel resistant way.

This security functionality covers:
- FDP_SOP.1/Arith_op

7.1.2.29 **SS.SW_CRC : Software CRC**

SS.SW_CRC serves the Security IC Embedded Software with calculation of of cyclic redundancy checks as defined in [61] for 16 bits and in [62] for 32 bits.

This security functionality covers:
- FCS_COP.1/SW_CRC

7.1.2.30 **SS.SW_RNG : Software RNG**

SS.SW_RNG consists of a software (pseudo) RNG that can be used as a general purpose random source, and of appropriate online tests for the hardware RNG (SS.RNG):

- The Crypto Library implements a software RNG that complies to class PTG.3 for Hybrid-physical RNG and class DRG.4 for Hybrid-deterministic RNG according to [6].
  - The software RNG is seeded by random numbers taken from the hardware RNG. The implementation of the software RNG is based on the standard NIST SP 800-90A as described in [47].
• The Crypto Library implements appropriate online tests according to the Hardware User Guidance Manual [10] for the hardware RNG, to complete PTG.2 as required by FCS_RNG.1/PTG.2. The interface of SS.SW_RNG allows to test the hardware RNG and to seed the software RNG after successful testing.

This security functionality covers:
• FCS_RNG.1/HYB-DET
• FCS_RNG.1/HYB-PHY

7.1.3 Security Features of the TOE

7.1.3.1 SF.OPC : Control of Operating Conditions

SF.OPC controls operating conditions of the TOE. These are explicitly controlled by security functionality that simply hampers feeding certain electrical stimulations into the device. Such security functionality is composed of frequency filters and voltage limiters. Operating conditions of the device are explicitly controlled also by security functionality that actively monitors certain electrical parameters. These parameters are voltage levels of external supply from pad and internal supplies, frequencies of internal clocks and on-chip temperature. Such security functionality raises an error message whenever a monitored parameter drops out of its valid range. In addition, exposure of the device to light is explicitly controlled by security functionality that senses abnormal light over its whole surface, raising an error message when detected.

SF.OPC also controls operating conditions implicitly. This is done by security functionality that detects faults in code and data stored to memories and while processed in the device. Such faults might be inserted by electrical stimulations or by exposure of the device to energy or particles. Error detection codes are used to protect the memories as well as the access channels over the bus system to memories and to hardware peripherals on the control bus, the direct access channel to PKC RAM and security-relevant storage and processing in CPU coprocessor and hardware peripherals on the control bus including SBC interface with Triple-DES, AES, GCM coprocessors and CRC coprocessor. Watchdogs on error detection codes run over code and data stored to System RAM and PKC RAM, and the Secure Fetch Plus on code and data read from Flash memory can be configured and enabled by Security IC Embedded Software.

Further on, Security IC Embedded Software can configure and enable a Secure Fetch on CPU code and/or data accesses over the bus system and also range checks on values in general purpose, stack pointers and link registers of the CPU as well as checks on predefined CPU instructions for zero values in their operands or in the addresses of their resulting data accesses to memory. In addition, Security IC Embedded Software may protect its program flow by use of a signature watchdog on CPU code accesses over the bus system, by use of a secure counter and by use of a watchdog timer.

SF.OPC also provides the Security IC Embedded Software with multiple calculation modes for the Triple-DES, AES and GCM coprocessors. Triple-DES and AES coprocessors each is equipped with a fault detection mechanism on its key schedule that must be enabled by Security IC Embedded Software.

In case an error message is raised the TOE either (i) aborts code execution and forces a reset or (ii) raises an exception, which interrupts code execution and jumps to an exception vector on which the Security IC Embedded Software can react with an appropriate exception handler. In case of reset the TOE returns to its initial state and provides information on the reset source to the Security IC Embedded Software. In case
of an exception the TOE provides information on the exception source to the Security IC Embedded Software.

SF.OPC also implements security functionality that corrects errors in Flash memory. This security functionality covers:

- FRUFLT.2
- FPT_FLS.1
- FPT_PHP.3
- FDP_SDI.2/FLT

7.1.3.2 SF.PHY : Protection against Physical Manipulation

SF.PHY protects the TOE from physical probing and physical manipulation of its hardware, its IC Dedicated Software, its TSF data and Security IC Embedded Software stored to its Flash memory including user data of the Composite TOE. This is achieved by appropriate shielding techniques for all elements in the physical design of the TOE, as well as redundant routing of sensitive signals and layout constraints on particular placements and routings.

Selected security functionality in analog design parts of the TOE is additionally checked for its basic operability by a built-in selftests that run during startup of the device.

Memories and their interfaces are additionally protected against probing by appropriate encryption of stored content and address scrambling mechanisms.

This security functionality covers:

- FRUFLT.2
- FPT_FLS.1
- FPT_PHP.3
- FDP_SDC.1
- FDP_ITT.1
- FPT_ITT.1
- FDP_IFC.1

7.1.3.3 SF.LOG : Logical Protection

SF.LOG provides logical protection of the TOE that fights disclosure of confidential data stored to and processed in the TOE through tracing of power consumption or emanation and subsequent complex signal analysis.

Triple-DES, AES, GCM and CRC coprocessors each implements security functionality that eliminates exploitable side channel leakage. Such security functionality in Triple-DES and AES coprocessors uses masking techniques in data processing, inserts diverse dummy activity that can partly be configured by Security Embedded Software, and randomizations. GCM coprocessor and CRC coprocessor implement masking schemes on their data processing.

Input and output data of Triple-DES, AES and GCM coprocessors are handled via the register bank in the SBC interface that implements masking. XOR operations in the SBC interface are embedded in this masking.

The PKC coprocessor implements security functionality that effectively reduces side channel leakage by adding noise, inserting dummy activity and randomizations.
Code and data are masked on their transfer via the access channels over the bus system to memories and hardware peripherals on the control bus like SBC interface, CRC coprocessor and PKC coprocessor. The CPU embeds masking schemes for storage and processing of data and code.

SF.LOG also serves the Security IC Embedded Software with security functionality for additional protection for loading of data into the register bank of the SBC interface and into the input register of the CRC coprocessor.

This security functionality covers:
- FDP_ITT.1
- FPT_ITT.1
- FDP_IFC.1

7.1.3.4 SF.FOS-USE: Factory OS use restrictions

SF.FOS-USE restricts use of the Factory OS among three levels of testing capabilities of the TOE. Access to the lower level of testing capabilities is not blocked. Instead, its testing capabilities are very limited so that they cannot be exploited. The medium level of testing capabilities is blocked by an authentication procedure. After successful authentication to this level the TOE serves with testing capabilities to the extent that confidentiality of content stored to its memories cannot be compromised.

The upper level of testing capabilities is blocked by two authentication checks, of which the latter one also forces an erase of AP-Flash, BL-Flash, SH-Flash and SV-Flash windows as well as System Page Application, System Page Bootloader and System Page Common before full testing capabilities are provided.

Commands of the Factory OS are conditionally installed in stages and commands with test functionality are cut to tests of basic functionality only.

This security functionality covers:
- FMT_LIM.1
- FMT_LIM.2
- FAU_SAS.1

7.1.3.5 SF.MEM-ACC: Memory Access Control

SF.MEM-ACC controls access to the memories of the TOE. This is done based on physical restrictions in the bus system that block certain access ports for particular memories, and also direct memory access to PKC RAM is physically restricted to the PKC coprocessor.

In addition, security functionality is implemented that checks every single access over the bus system to the memories against predefined and/or configurable access rights for each of the following combinations of system operations modes and CPU privilege levels:
- NXP Mode
- Service Mode privileged
- Service Mode unprivileged
- Shared Mode
- Bootloader Mode privileged
- Bootloader Mode unprivileged
- Application Mode privileged
• Application Mode unprivileged

Every access over the bus system to a memory address is checked against access rights in read, write and execute. Access rights are set for predefined default address windows in ROM, Flash memory, System RAM and PKC RAM and also for configurable software-controlled address windows within these default address windows. Configurations are accessible to Security IC Embedded Software.

System operation modes and CPU privilege levels are assigned to each access port on the bus system and are transmitted over the bus system into the memory controllers. System operation modes and CPU privilege levels are also transmitted into the mode controller, which implements appropriate rules for transformations in system operation modes that dynamically update those assigned to CPU and DMA controller access ports, whereat Service Mode is permanently masked out for the DMA controller access port. CPU privilege levels are updated by the CPU. The PKC controller access port is assigned with system operation modes that are dynamically updated to the access rights actually valid for direct memory access to PKC RAM.

This security functionality covers:
• FMT_LIM.2
• FDP_ACC.1/MEM
• FDP_ACF.1/MEM
• FMT_MSA.1/MEM
• FMT_MSA.3/MEM
• FMT_SMF.1

7.1.3.6 SF.SFR-ACC : Special Function Register Access Control

SF.SFR-ACC controls access to the Special Function Registers of the TOE. This is done based on physical restrictions in the bus system that block DMA controller access to hardware components on the control bus and also PKC coprocessor access to hardware components on both, control bus and peripheral control bus.

In addition, security functionality is implemented that checks every single access over the bus system on the control bus and on the peripheral control bus to a Special Function Register against predefined and/or configurable access rights for the following combinations of system operation modes and CPU privilege levels:
• NXP Mode
• Service Mode privileged
• Service Mode unprivileged
• Bootloader Mode privileged or Application Mode privileged
• Bootloader Mode unprivileged or Application Mode unprivileged

Control of access to the Special Function Registers is done in two layers of security functionality. The first layer of security functionality is implemented in every hardware component that is connected to the control bus or to the peripheral control bus and checks each access to a Special Function Register per bit against predefined and partly configurable access rights in read and write. Such access rights cannot be enlarged in the second layer but only be further restricted. The second layer of security functionality is implemented in the bus system and can be configured to either completely block access to the group of Special Function Registers belonging to a hardware component or completely unblock it to the extent provided in the first layer. Configurations of access rights are accessible to Security IC Embedded Software.
Relevant combinations of system operation modes and CPU privilege levels are assigned to every access port on the bus system and are transmitted over the bus system into the hardware components on the control bus and on the peripheral control bus. System operation modes and CPU privilege levels are also transmitted into the mode controller, which implements appropriate rules for transformations in system operation modes that dynamically update those assigned to CPU and DMA controller access ports, whereat Service Mode is permanently masked out for the DMA controller access port. CPU privilege levels are updated by the CPU.

This security functionality covers:

- FMT_LIM.2
- FDP_ACC.1/SFR
- FDP_ACF.1/SFR
- FMT_MSA.1/SFR
- FMT_MSA.3/SFR
- FMT_SMF.1

7.1.3.7 SF.FLASH-SVC : Flash Services

SF.FLASH-SVC provides a Flash Services Software application programming interface (API), which serves Security IC Embedded Software with operations that update content in Flash memory (Flash erase and/or programming). These operations are tearing-save and verify the updated content in Flash memory.

SF.FLASH-SVC implements dynamic wear-leveling for Flash memory and serves a Flash Services Software application programming interface (API) that provides Security IC Embedded Software with functionality for static wear-leveling and Flash memory refreshing, and with wearout indication for Flash memory.

In addition, the Flash Services Software application programming interface (API) provides Security IC Embedded Software with write access control to certain System Pages depending on the System Operation Mode.

This security functionality covers:

- FRU_FLT.2
- FPT_FLS.1
- FDP_SDI.2/AGE
- FDP_ACC.1/MEM
- FDP_ACF.1/MEM

7.1.3.8 SF.Object_Reuse

The TOE provides internal security measures which clear memory areas used by the Crypto Library after usage. This functionality is required by the security functional component FDP_RIP.1 and FCS_CKM.4, taken from the Common Criteria Part 2 [2].

These measures ensure that a subsequent process may not gain access to cryptographic assets stored temporarily in memory used by the TOE.

This security functionality covers:

- FDP_RIP.1
- FCS_CKM.4
7.2 TOE Summary Specification Rationale

7.2.1 Rationale for the Portions of the TOE Security Functionality

Deleted here, only available in the full version of the Security Target.

7.2.2 Security Architectural Information

Deleted here, only available in the full version of the Security Target.
8 Bibliography

8.1 Evaluation documents


[7] Evaluation of random number generators, Bundesamt für Sicherheit in der Informationstechnik, Version 0.10


8.2 Developer documents

[10] SN100_SE Information on Guidance and Operation, Version 1.4, 13.08.2019, NXP Semiconductors

   For v4.13.x: Version 4.12, 31.08.2018
   For v4.14.0: Version 4.13, 05.04.2019

[12] SN100 Services Addendum - Additional API and Operational Guidance, NXP Semiconductors
   For v4.13.x: Version 0.4, 28.08.2018
   For v4.14.0: Version 0.5, 05.04.2019

[13] SN100x Crypto Library Information on Guidance and Operation, NXP Semiconductors
   For v1.0.0: Version 1.10, 30.07.2019
   For v2.0.0: Version 2.4, 30.07.2019

[14] SN100x_SE High-performance secure element subsystem, Product data sheet, DocID 412010, NXP Semiconductors


8.3 Standards


[43] Addendum to NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode, National Nationale Institute of Standards and Technology, October 2010

[44] NIST SP 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005, Morris Dworkin, National Institute of Standards and Technology
[45] NIST SP 800-38C: Recommendation for Block Cipher Modes of Operation: The
CCM Mode for Authentication and Confidentiality, July 2007, Morris Dworkin,
National Institute of Standards and Technology

[46] NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/
Counter Mode (GCM) and GMAC, November 2007, Morris Dworkin, National
Institute of Standards and Technology

[47] NIST SP 800-90A, Revision 1: Recommendation for Random Number Generation
Using Deterministic Random Bit Generators, June 2015, Elaine Barker and John
Kelsey, National Institute of Standards and Technology

Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher

cryptosystems – Key management and life cycle, 2007

National Institute of Standards and Technology

Standards Publication, February 2011, US Department of Commerce/National
Institute of Standards and Technology

[52] FIPS PUB 186-4-2013: Digital Signature Standard, Federal Information Processing
Standards Publication, 2013, July, National Institute of Standards and Technology

[53] FIPS PUB 197-2001: ADVANCED ENCRYPTION STANDARD (AES), Federal
Information Processing Standards Publication 197, November 26, 2001, U.S.
Department of Commerce/National Institute of Standards and Technology

of Commerce/National Institute of Standards and Technology

[55] FIPS PUB 202-2015: SHA-3 Standard: Permutation-Based Hash and Extendable-
Output Functions, Federal Information Processing Standards Publication, August
2015, US Department of Commerce/National Institute of Standards and Technology

signatures with appendix -- Part 3: Discrete logarithm based mechanisms, 2016


Cryptographic techniques based on elliptic curves – Part 1: General, 2008

[59] "SERIES I: INTEGRATED SERVICES DIGITAL NETWORK, ISDN user-network
interfaces – Layer 1 Recommendations", International Telecommunication Union,
ITU-T Recommendation I.432.1, Februar 1999

[60] "SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK, Error
control", International Telecommunication Union, ITU-T Recommendation V.42,
March 2002

[61] "SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATION,
Public data networks – Interfaces", International Telecommunication Union, ITU-T
Recommendation X.25, October 1996

[62] "IEEE Standard for Information technology — Telecommunications and information
exchange between systems — Local and metropolitan area networks — Specific
requirements Part 3: Carrier sense multiple access with collision detection (CSMA/
CD) access method and physical layer specifications", IEEE Computer Society,
IEEE Std 802.3™-2005, Dec-12, 2005

[64] PKCS#1 v2.2: RSA Cryptography Standard, October 2012, RSA Laboratories

[65] PKCS#1 v1.5: RSA Encryption, March 1998, RSA Laboratories


[68] 3GPP TS 35.205: 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General, v14.0.0, March 2017

[69] 3GPP TS 35.206: 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification, v14.0.0, March 2017

[70] 3GPP TS 35.231: 3G Security; Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification, v 13.0.0, January 2016

[71] 3GPP2 S.S0053-0: Common Cryptographic Algorithms, v2.0, May 2009

[72] TPM Rev. 2.0: Trusted Platform Module Library Specification, Family "2.0", Level 00, Revision 01.38 – September 2016 and ISO/IEC 11889:2015, Parts 1-4


[74] NIST SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, National Nationale Institute of Standards and Technology, Revised January 2012


[76] BSI TR-03111: Elliptic Curve Cryptography, Version 2.10, registered and certified by Bundesamt fuer Sicherheit in der Informationstechnik (BSI) under the reference BSI TR-03111
9 Legal information

9.1 Definitions

Draft — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

9.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors. In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory. Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk.

Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification. Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer’s sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer’s applications and products planned, as well as for the planned application and use of customer’s third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products. NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer’s applications or products, or the application or use by customer’s third party customer(s). Customer is responsible for doing all necessary testing for the customer’s applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer’s third party customer(s). NXP does not accept any liability in this respect.

Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

9.3 Trademarks

Notice: All referenced brands, product names, service names and trademarks are the property of their respective owners.
## Tables

| Tab. 1. | Configuration identifiers of the TOE .................. 9 |
| Tab. 2. | Components common for all SN100_SE B2.1 ................................. 9 |
| Tab. 3. | Components of SN100_SE B2.1 specific for C25 ........................................... 10 |
| Tab. 4. | Components of SN100_SE B2.1 specific for C48 ........................................... 11 |
| Tab. 5. | Components of SN100_SE B2.1 specific for C58 ........................................... 12 |
| Tab. 6. | Evaluated logical configuration options .......... 13 |
| Tab. 7. | Values of symbols in commercial type name ... 13 |
| Tab. 8. | Evaluated options of manufacturing process (NXP internal only) .......................... 14 |
| Tab. 9. | Threats defined in the Protection Profile ........ 26 |
| Tab. 10. | Threats added in this Security Target .............. 27 |
| Tab. 11. | Organizational security policies defined in the Protection Profile ............................ 28 |
| Tab. 12. | Organizational security policies added in this Security Target ............................ 28 |
| Tab. 13. | Assumptions defined in the Protection Profile .................. 29 |
| Tab. 14. | Assumptions added in this Security Target ....... 30 |
| Tab. 15. | Security objectives for the TOE defined in the Protection Profile .......................... 31 |
| Tab. 16. | Security Objectives for the TOE added in this Security Target .......................... 31 |
| Tab. 17. | Security Objectives for the TOE related to Crypto Library added in this Security Target ....31 |
| Tab. 19. | Security objectives for the operational environment defined in the Protection Profile ...36 |
| Tab. 20. | Security Objectives for the operational environment added in this Security Target ..... 36 |
| Tab. 21. | Tracing of security objectives ........................... 36 |
| Tab. 22. | Extended components defined in the Protection Profile ........................................... 39 |
| Tab. 23. | Security Functional Requirements from the Protection Profile .................................... 41 |
| Tab. 24. | Security Functional Requirements from the Protection Profile with operations done in this Security Target ........................................... 41 |
| Tab. 25. | Security functional requirements added in this Security Target ........................................... 46 |
| Tab. 26. | Security assurance requirements for the TOE .................................................................. 68 |
| Tab. 27. | Mapping of the Security Objectives for the TOE to the Security Functional Requirements for the TOE ........................................... 70 |
| Tab. 28. | Mapping of SFRs to Security Objectives for Crypto Library in this ST ........................................... 72 |
| Tab. 29. | Dependencies of the Security Functional Requirements for the TOE .............................. 74 |
| Tab. 30. | Dependencies of the Security assurance requirements ................................................. 78 |
| Tab. 31. | Security Services of the Hardware Security Target .................................................. 80 |
| Tab. 32. | Security Features of the TOE .................................................................. 81 |
Figures

Fig. 1. Toplevel block diagram of SN100x .................... 7
Fig. 2. Block diagram of SN100_SE with Interfaces .... 8
Fig. 3. Types of software components and system operation modes facilitated by the hardware ... 14
Fig. 4. Logical interface of SN100_SE ......................... 22
## Contents

1 **ST Introduction** .................................................. 3  
1.1 ST Reference .................................................. 3  
1.2 TOE Reference ................................................ 3  
1.3 TOE Overview ................................................. 3  
1.3.1 Usage and major security functionality .......... 3  
1.3.1.1 IC Hardware ........................................ 3  
1.3.1.2 Security Software ................................ 5  
1.3.2 TOE Type .................................................. 6  
1.3.3 Security During Development and Production .... 6  
1.3.4 Required non-TOE Hardware/Software/Firmware .... 6  
1.4 TOE Description ............................................... 6  
1.4.1 Physical Scope of TOE ................................... 7  
1.4.2 Evaluated Configurations ............................... 9  
1.4.3 Logical Scope of TOE .................................... 14  
1.4.3.1 Hardware Description ................................ 14  
1.4.3.2 IC Dedicated Support Software Description .... 18  
1.4.3.3 Services Software Description .................... 18  
1.4.3.4 Crypto Library Description ....................... 19  
1.4.4 Interfaces of the TOE ..................................... 21  
1.4.5 TOE Documentation Overview ......................... 22  

2 **Conformance Claims** ............................................. 24  
2.1 Conformance Claim ........................................... 24  
2.2 Conformance Claim Rationale .............................. 24  

3 **Security Problem Definition** ................................ 26  
3.1 Description of Assets ....................................... 26  
3.2 Threats ................................................................... 26  
3.3 Organizational Security Policies ......................... 28  
3.4 Assumptions ..................................................... 29  

4 **Security Objectives** ............................................. 31  
4.1 Security Objectives for the TOE ......................... 31  
4.2 Security Objectives for the Security IC Embedded Software ............................................. 35  
4.3 Security Objectives for the Operational Environment ..................................................... 35  
4.4 Security Objectives Rationale .............................. 36  

5 **Extended Components Definition** ......................... 39  
5.1 Secure basic operations (FDP_SOP) ..................... 39  

6 **Security Requirements** ......................................... 41  
6.1 Security Functional Requirements for the TOE ........ 41  
6.1.1 General ..................................................... 41  
6.1.2 Security Functional Requirements from Protection Profile ........................................ 41  
6.1.3 Security Functional Requirements added in this Security Target .................................. 46  
6.2 Security Assurance Requirements for the TOE ........ 46  
6.3 Security Requirements Rationale .......................... 70  
6.3.1 Rationale for the Security Functional Requirements ................................................. 70  
6.3.2 Dependencies of Security Functional Requirements .................................................... 74  
6.3.3 Rationale for the Security Assurance Requirements .................................................... 77  

7 **TOE Summary Specification** ................................. 80  
7.1 Portions of the TOE Security Functionality ........ 80  
7.1.1 Security Functionality of the TOE ................. 80  
7.1.2 Security Services of the TOE ......................... 81  
7.1.2.1 SS.RNG : Random Number Generator ........ 81  
7.1.2.2 SS.TDES : Triple-DES coprocessor ............. 82  
7.1.2.3 SS.AES : AES coprocessor ....................... 82  
7.1.2.4 SS.GCM : GCM coprocessor .................... 82  
7.1.2.5 SS.SBC : SBC interface functions ............. 82  
7.1.2.6 SS.CRC : CRC coprocessor ...................... 83  
7.1.2.7 SS.SW_AES : Software AES ...................... 83  
7.1.2.8 SS.SW_DES : Software DES ..................... 83  
7.1.2.9 SS.RSA .................................................. 84  
7.1.2.10 SS.RSA_Pad : RSA Padding ...................... 84  
7.1.2.11 SS.RSA_PublicExp : RSA Public Exponentiation .................................................. 85  
7.1.2.12 SS.ECDSA : Elliptic Curve Digital Signature Algorithm (ECDSA) ......................... 85  
7.1.2.13 SS.ECC_DHKE : ECC Diffie Hellman Key Exchange ................................................. 85  
7.1.2.14 SS.ECC_Add : Full ECC Point Addition ...... 85  
7.1.2.15 SS.ECDSA : Elliptic Curve Direct Anonymous Attestation (ECDAA) ....................... 85  
7.1.2.16 SS.RSA_KeyGen : RSA Key Generator ........ 86  
7.1.2.17 SS.ECC_KeyGen : ECC Key Generator ....... 86  
7.1.2.18 SS.SHA : Secure Hash Algorithms ............ 86  
7.1.2.19 SS.HMAC .............................................. 86  
7.1.2.20 SS.KDF ................................................. 87  
7.1.2.21 SS.EDDSA : Edwards-curve Digital Signature Algorithm (EdDSA) ......................... 87  
7.1.2.22 SS.EDDSA_KeyGen : EdDSA Key Generation ..................................................... 87  
7.1.2.23 SS.MONT_KeyGen : MontDH Key Generation ..................................................... 87  
7.1.2.24 SS.MONT_DHKE : MontDH Key Exchange .... 87  
7.1.2.25 SS.EUICC : eUICC Authentication ............ 88  
7.1.2.26 SS.COPY : Secure Copy ......................... 88  
7.1.2.27 SS.COMpare : Secure Compare ............... 88  
7.1.2.28 SS.ARITH_OP : Secure arithmetic operations ..................................................... 88  
7.1.2.29 SS.SW_CRC : Software CRC ................. 88  
7.1.2.30 SS.SW_RNG : Software RNG ................. 88  
7.1.3 Security Features of the TOE ............................ 89  
7.1.3.1 SF.OPC : Control of Operating Conditions .... 89  
7.1.3.2 SF.PHY : Protection against Physical Manipulation .................................................. 90  
7.1.3.3 SF.LOG : Logical Protection ...................... 90  
7.1.3.4 SF.FOS-USE : Factory OS use restrictions .... 91  
7.1.3.5 SF.MEM-ACC : Memory Access Control .... 91  
7.1.3.6 SF.SFR-ACC : Special Function Register Access Control ........................................ 92  
7.1.3.7 SF.FLASH-SVC : Flash Services ................. 93

Dependencies of Security Assurance Requirements ................................................. 77  
Security Requirements are Internally Consistent .................................................. 78  

SN100 Series - Secure Element with Crypto Library  
Security Target Lite  

SN100 Series - Secure Element with Crypto Library  
All information provided in this document is subject to legal disclaimers.