Electronic fee collection — Guidelines for security protection profiles
Perception de télépéage — Lignes directrices concernant les profils de protection de la sécurité
Third edition
2017
COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 EFC security architecture and protection profile processes
5.1 General
5.2 EFC security architecture
5.3 Protection profile preparatory steps
5.4 Relationship between actors
6 Outlines of Protection Profile
6.1 Structure
6.2 Context
Annex A (informative) Procedures for preparing documents
Annex B (informative) Example of threat analysis evaluation method
Annex C (informative) Relevant security standards in the context of the EFC
Annex D (informative) Common Criteria Recognition Arrangement (CCRA)
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 204, Intelligent transport systems.
This third edition cancels and replaces the second edition (ISO/TS 17574:2009), which has been technically revised. This edition includes the following significant changes with respect to the previous edition:
— requirements updated as to reflect the latest version of the ISO/IEC 15408 series;
— a new Clause 5 has been added, comprising much of the text from the Scope of the previous edition.
Introduction
Electronic fee collection (EFC) systems are subject to several ways of fraud, both by users and operators but also from people outside the system. These security threats have to be met by different types of security measures, including security requirement specifications.
It is recommended that EFC operators or national organizations, e.g. highway authorities or transport ministries, use the guideline provided by this document to prepare their own EFC/Protection Profile (PP), as security requirements should be described from the standpoint of the operators and/or operators' organizations.
It should be noted that this document is of a more informative than normative nature and it is intended to be read in conjunction with the underlying international standards ISO/IEC 15408 (all parts).
Most of the content of this document is an example shown in Annex A on how to prepare the security requirements for EFC equipment, in this case, a DSRC-based OBE with an IC card loaded with crucial data needed for the EFC. The example refers to a Japanese national EFC system and should only be regarded as an example.
After an EFC/PP is prepared, it can be internationally registered by the organization that prepared the EFC/PP so that other operators or countries that want to develop their EFC system security services can refer to an already registered EFC/PP.
This EFC-related document on security service framework and EFC/PP is based on ISO/IEC 15408 (all parts). ISO/IEC 15408 (all parts) includes a set of requirements for the security functions and assurance of IT-relevant products and systems. Operators, organizations or authorities defining their own EFC/PP can use these requirements. This will be similar to the different PPs registered by several financial institutions, e.g. for payment instruments like IC cards.
The products and systems that were developed in accordance with ISO/IEC 15408 (all parts) can be publicly assured by the authentication of the government or designated private evaluation agencies.
Electronic fee collection — Guidelines for security protection profiles
1 Scope
This document provides guidelines for preparation and evaluation of security requirement specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in ISO/IEC TR 15446.
By Protection Profile (PP), it means a set of security requirements for a category of products or systems that meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) to be used in an EFC system. However, the guidelines in this document are superseded if a Protection Profile already exists for the subsystem in consideration.
The target of evaluation (TOE) for EFC is limited to EFC-specific roles and interfaces as shown in Figure 1.
roles and interfaces, they are assumed to be outside the scope of the TOE for EFC.
Figure 1 — Scope of TOE for EFC
The security evaluation is performed by assessing the security-related properties of roles, entities and interfaces defined in security targets (STs), as opposed to assessing complete processes, which often are distributed over more entities and interfaces than those covered by the TOE of this document.
NOTE Assessing security issues for complete processes is a complementary approach, which may well be beneficial to apply when evaluating the security of a system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
assurance requirement
security requirement to assure confidence in the implementation of functional requirements
3.2
audit
independent review and examination in order to ensure compliance with established policy and operational procedures and to recommend associated changes
3.3
availability
property of being accessible and usable upon demand by an authorized entity
rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information
[ SOURCE:ISO/TS1 2 9:2 1 , 3.3 ]
3.7
Evaluation Assurance Level
EAL
set of assurance requirements, usually involving documentation, analysis and testing, representing a point on a predefined assurance scale, that form an assurance package
3.8
functional requirement
requirement for a function that a system or system component is able to perform
3.9
integrity
key management
generation, distribution, storage, application and revocation of encryption keys
process determining that a product of each phase of the system life cycle development process fulfils all the requirements specified in the previous phase
3.1
reliability
ability of a device or a system to perform its intended function under given conditions of use for a specified period of time or number of cycles
entity which levies toll for the use of vehicles in a toll domain
Note 1 to entry: In other documents, the terms operator or toll operator can be used.
[ SOURCE:ISO 1 5 3:2 1 , 3.1 , modified]
3.24
toll service provider
TSP
entity providing toll services in one or more toll domains
Note 1 to entry: In other documents, the terms issuer or contract issuer might be used.
Note 2 to entry: The toll service provider can provide the OBE or might provide only a magnetic card or a smart card to be used with an OBE provided by a third party (like a mobile telephone and a SIM card can be obtained from different parties).
Note 3 to entry: The toll service provider is responsible for the operation (functioning) of the OBE.
[ SOURCE:ISO 1 5 3:2 1 , 3.2 , modif ied]
4 Abbreviated terms
CCRA Common Criteria Recognition Arrangement
CN cellular networks
DSRC dedicated short-range communication
EAL Evaluation Assurance Level
EFC electronic fee collection
GNSS global navigation satellite systems
HMI human machine interface
ICC integrated circuit(s) card
IT information technology
OBE On-Board Equipment
PP Protection Profile
SFP security function policy
SOF strength of function
ST security target
TOE target of evaluation
TSF TOE security functions
5 EFC security architecture and protection profile processes
5.1 General
This clause gives an overview of the context and use of this document in terms of the EFC security architecture and protection profile processes.
This document is intended to be read in conjunction with the underlying standards ISO/IEC 15408 (all parts) and ISO/IEC TR 15446. Although a layman could read the first part of the document to have an overview on how to prepare a Protection Profile for EFC equipment, the annexes, particularly A.4 and
an integrated circuit(s) card (ICC) as an example to describe both the structure of the PP, as well as the proposed content.
product. The communication link (between the OBE and the RSE) is based on DSRC.
Annex B gives an example of how a threat analysis can be done, while Annex C provides an overview of the relevant security standards in the context of the EFC, which provides the background of EFC roles and interfaces.
5.2 EFC security architecture
boxes are the aspects mostly related to the preparation of PPs for EFC systems.
Figure 2 — Overall view of security architecture
5.3 Protection profile preparatory steps
The main purpose of a PP is to analyse the security environment of a subject and then to specify the requirements meeting the threats that are the output of the security environment analysis. The subject studied is called the target of evaluation (TOE). In this document, an OBE with an ICC is used as an example of the TOE.
The preparatory work of EFC/PP consists of the steps shown in Figure 3 (in line with the content described in Clause 6).
Figure 3 — Process of preparing a Protection Profile for EFC equipment
A PP may be registered publicly by the entity preparing the PP in order to make it known and available to other parties that may use the same PP for their own EFC systems.
5.4 Relationship between actors
By security target (ST), it means a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE. While the PP could be looked upon as the EFC toll service providers' requirements, the ST could be looked upon as the documentation of a supplier as for the compliance with and fulfilment of the PP for the TOE, e.g. an OBE.
the EFC equipment supplier and an evaluator. For an international registry organization, i.e. Common Criteria Recognition Arrangement (CCRA), and currently registered PPs, refer to Annex D.
Figure 4 — Relationships between operator, supplier and evaluator
The ST is similar to the PP, except that it contains additional implementation-specific information detailing how the security requirements are realized in a particular product or system. Hence, the ST includes the following parts not found in a PP:
— a TOE summary specification that presents the TOE-specific security functions and assurance measures;
— an optional PP claims, the portion that explains PPs with which the ST is claimed to be conformant (if any);
— a rationale containing additional evidence establishing that the TOE summary specifications ensure satisfaction of the implementation-independent requirements and that claims about PP conformance are satisfied;
— actual security functions of EFC products will be designed based on this ST (see example in Figure 5).
Figure 5 — Example of design based on a PP
6 Outlines of Protection Profile
6.1 Structure
The content of a Protection Profile for a part or interface of an EFC system is shown in Figure 6.
Figure 6 — Content of a Protection Profile
6.2 Context
Guidelines for preparing PPs are as follows:
a) Overview (see A.1)
b) Target of evaluation (TOE, see A.2)
The scope of the TOE shall be specified.
c) Security environment (see A.3)
Development, operation and control methods of the TOE are described in order to clarify the working operation requirements. Regarding these requirements, IT assets, for which the TOE must be protected, and the security threats to which the TOE is exposed, shall be specified.
d) Security objectives (see A.4)
Security policies for threats to the TOE are determined. The policies are divided into technical policy and operational/control policy.
Security objectives should be consistent with the operational aim or product purpose of the TOE.
Operational/control policy is defined as personnel and physical objectives in the status for which the TOE is used or operated. The operational/control policy includes control and operational rules for operators.
e) Security requirements (see A.5)
In accordance with the security objectives defined in A.4, concrete security requirements for security threats stated in A.3 are specified. The security requirements consist of functional requirements (technical requirements) and assurance requirements for security quality.
Functional requirements are provided, selecting necessary requirements from ISO/IEC 15408-2 and determining parameters.
Regarding assurance requirements, assurance requirements designated in ISO/IEC 15408-3 are adopted by determining evaluation levels for assurance requirements, which are provided in ISO/IEC 15408-2 and ISO/IEC 15408-3.
f) Rationale of justification/effectiveness (see A.6)
The contents of PPs are checked when necessary and cover security requirements for the TOE. The checked items are as follows:
1) all security environments needed are covered;
2) security objectives should completely meet the security environment;
3) security requirements should implement security objectives.
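The three rationale checks listed under f) amount to a traceability check over the PP's own mappings (resources to threats, threats to objectives, objectives to requirements). The following is an added example, not text or code from this document or from ISO/IEC 15408: a small checker run over a PP constructed from the Annex A OBE example; the threat and objective identifiers and their mapping to ISO/IEC 15408-2 functional components are assumptions made for the illustration.

```python
"""Traceability check for a protection profile (PP) rationale.

Implements the three checks of 6.2 f):
  1) every element of the security environment (target resource for
     protection) is covered by at least one identified threat;
  2) every threat is met by at least one security objective;
  3) every security objective is implemented by at least one requirement.
It also reports references to names that were never defined, the usual
residue of a hand-edited rationale table.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PPRationale:
    # target resource for protection -> evaluation level (A.3.2.1 b), 1..3)
    resources: dict[str, int]
    # threat -> resources it affects (A.3.2.2)
    threats: dict[str, set[str]]
    # security objective -> threats it counters (A.4)
    objectives: dict[str, set[str]]
    # security requirement -> objectives it implements (A.5)
    requirements: dict[str, set[str]]

    def uncovered_resources(self) -> list[str]:
        """Check 1: resources that no threat refers to."""
        threatened = set().union(*self.threats.values())
        return sorted(r for r in self.resources if r not in threatened)

    def unmet_threats(self) -> list[str]:
        """Check 2: threats that no objective counters."""
        countered = set().union(*self.objectives.values())
        return sorted(t for t in self.threats if t not in countered)

    def unimplemented_objectives(self) -> list[str]:
        """Check 3: objectives that no requirement implements."""
        implemented = set().union(*self.requirements.values())
        return sorted(o for o in self.objectives if o not in implemented)

    def unknown_references(self) -> list[str]:
        """Mappings that point at a name never defined (typo or stale row)."""
        bad: list[str] = []
        for t, res in self.threats.items():
            bad += [f"{t} -> {r}" for r in sorted(res - set(self.resources))]
        for o, ths in self.objectives.items():
            bad += [f"{o} -> {t}" for t in sorted(ths - set(self.threats))]
        for q, objs in self.requirements.items():
            bad += [f"{q} -> {o}" for o in sorted(objs - set(self.objectives))]
        return bad

    def report(self) -> dict[str, list[str]]:
        return {
            "uncovered_resources": self.uncovered_resources(),
            "unmet_threats": self.unmet_threats(),
            "unimplemented_objectives": self.unimplemented_objectives(),
            "unknown_references": self.unknown_references(),
        }

    def is_consistent(self) -> bool:
        return not any(self.report().values())


def annex_a_example() -> PPRationale:
    """Constructed from the Annex A OBE example; identifiers are assumptions."""
    return PPRationale(
        resources={
            "ETC member contract information": 2,  # Level 2 in A.3.2.1 EXAMPLE 2
            "vehicle information": 3,
            "toll gate information": 3,
            "toll information": 3,
        },
        threats={
            "T.Disclosure": {"ETC member contract information"},
            "T.Forgery": {"vehicle information", "ETC member contract information"},
            "T.CommTamper": {"toll gate information", "toll information"},
            "T.Outage": {"toll gate information"},  # deliberately left unmet
        },
        objectives={
            "O.Control": {"T.Forgery"},          # tamper-protected ICC/SAM storage
            "O.Prevention": {"T.Disclosure"},    # encrypted radio communication
            "O.Detection": {"T.CommTamper", "T.Forgery"},  # message authentication code
            "O.Recovery": {"T.Forgery", "T.CardLoss"},     # T.CardLoss is never defined
        },
        requirements={  # ISO/IEC 15408-2 components; mapping is an assumption
            "FCS_COP.1": {"O.Prevention", "O.Detection"},
            "FDP_ACC.1": {"O.Control"},
            "FDP_UIT.1": {"O.Detection"},
            "FAU_GEN.1": {"O.Recovery"},
        },
    )


def close_gaps(pp: PPRationale) -> PPRationale:
    """Add the damage-control objective of A.4 a) 2) and drop the stale reference."""
    pp.objectives["O.DamageControl"] = {"T.Outage"}
    pp.requirements["FPT_FLS.1"] = {"O.DamageControl"}
    pp.objectives["O.Recovery"].discard("T.CardLoss")
    return pp


if __name__ == "__main__":
    pp = annex_a_example()
    for item, findings in pp.report().items():
        print(f"{item}: {findings}")
    print("consistent after closing gaps:", close_gaps(pp).is_consistent())
```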
Annex A (informative) Procedures for preparing documents
A.1 Overview
A general outline of the document for Protection Profile (PP) is described.
It should be noted that this clause is informative in nature. Most of the content is an example on how to prepare the security requirements for EFC equipment, in this case, an OBE with a smart card (ICC) loaded with crucial data needed for the electronic fee collection.
A.1.2 Identification information
Identification information for the document is as follows:
a) document title;
b) version/release number;
c) preparation date;
d) prepared by.
EXAMPLE Identification information:
1) document title: ETC On-Board Equipment Security Protection Profile;
2) reference/version number: 1.0;
3) preparation date: 2 0 -1 -2 ;
4) prepared by: ABC Association.
A.1.3 Target of evaluation (TOE) description
TOE is identified as follows:
a) product;
b) version/release number;
c) developer.
EXAMPLE TOE description:
1) product: ETC On-Board Equipment;
2) version/release number: 1.0;
3) developer: ABC Co. Ltd.
A.1.4 In accordance with ISO/IEC 15408 (all parts)
The prepared "Protection Profile" in accordance with ISO/IEC 15408 (all parts) is stated explicitly. The version and preparation data of referenced ISO/IEC 15408 (all parts) are also stated.
EXAMPLE ISO/IEC 15408 (all parts) conformance statement according to:
— ISO/IEC 15408-1 Third Edition 2009-12-15;
— ISO/IEC 15408-2 Third Edition 2008-08-15;
— ISO/IEC 15408-3 Third Edition 2008-08-15.
For users of security "Protection Profile", the types of devices described in "Protection Profile" are described explicitly to help them determine the application.
EXAMPLE
1.4.2 TOE functional outline (OBE for ETC system)
The functional outline is as follows.
a) ETC function:
1) mutual authentication with IC card;
2) transcription (caching) of IC card data to OBE;
3) encryption of radio communication with RSE;
4) assurance of message integrity;
5) mutual authentication with RSE;
6) storage of secured information (encryption key) used in OBE during ETC transaction.
b) Set-up function:
1) authentication of set-up card;
2) caching of vehicle information from IC card to OBE.
c) HMI function:
1) report of ETC billing results to users;
2) guidance of ETC lane.
A.1.5.3 Evaluation Assurance Level (EAL)
Evaluation Assurance Levels for objectives are selected. Each EAL defines a package consisting of assurance components and determines the degree of assurance requirements on security systems. The justification for the selected EAL is stated.
EXAMPLE
A.1.5.3 ETC OBE (EAL is 5)
OBE functions as equipment for e-Commerce in ETC transactions. The security systems of ETC OBE are vulnerable to attack under the control of individual users. Therefore, a high assurance level (EAL) will be required for ETC OBE.
A.2 Target of evaluation (TOE)
A.2.1 TOE objectives and methodology
A.2.1.1 TOE use objectives
The following indicates objectives for TOE use and the type of environment in which it is used.
EXAMPLE ETC members (users) use the ETC system at toll gates by inserting the IC card with ETC member contract information for settlement. Vehicle information such as an automobile inspection certification is stored in OBE beforehand. For storing vehicle information, a personalization card for initialization is used. The OBE (TOE), which reads/writes data to IC cards for set-ups/settlements and transmits/receives data to road side equipment for toll collection transactions, protects interface and internal data from external threats.
A.2.1.2 TOE use methodology
Users request an operator to install an OBE and set up vehicle information such as automobile inspection certification to OBE. In addition, users receive the ICC with ETC member contract information.
b) Operator preparations:
Operator issues set-up information in response to users' requests.
c) Operation procedures:
When users are passing through toll gates, the tolls are billed to the IC cards for settlement with ETC member contract information, which is inserted in the installed On-Board Equipment with vehicle information. When a legitimate IC card for settlement is inserted in the OBE with correct vehicle information, the toll fee is calculated in the communication zone of RSE at toll gates.
For a change or update of ETC member contract information, such as vehicle information, set-up cards and ICCs are updated (reissued/reregistered).
d) Use procedures:
Users use the ETC system by inserting IC cards with ETC member contract information at toll gates according to the ETC member contract or OBE manuals.
e) Limitations of use:
In general, 24 h use is available, as long as ETC lanes are open at toll gates.
A.2.2 TOE functions
A.2.2.1 Functions provided by TOE
Functions, which are provided by the TOE, are described. All functions for data transactions, which shall be protected, are listed.
EXAMPLE
a) ETC transactions:
1) ETC communication control function;
2) non-secure data record function;
3) HMI input/output control function;
4) IC card insert status detect function;
5) On-Board Equipment self-check function.
b) Security module:
1) data storage or protection function;
2) user access control function;
3) authentication function (DSRC, ICC);
4) encryption/decryption function;
5) ICC interface function;
6) ETC transaction interface function;
7) set-up card read function.
A.2.2.2 Functions not provided by TOE
When the TOE function is a part of the functions of an entire system, the scope of the TOE in the whole system should be shown as in Figure A.1, which shows an example where the OBE is the scope of the TOE. For the purpose of reference, Figure A.2 showing the overall security policy scope should be included.
EXAMPLE
Figure A.1 — Example where the TOE is shown in its context
Figure A.2 — Overall security policy scope
A.2.2.3 Missing functions
When functions, which usually should be provided by the TOE in this section, are not included in the TOE, the function content and reasoning for exclusion should be described.
A.2.3 TOE structure
A.2.3.1 Hardware structure
The structure with related hardware units on TOE operation is described. The scope of TOE in the
EXAMPLE
Figure A.3 — Example of TOE hardware structure
Figure A.4 — ETC system model of the ETC Security Framework
A.2.3.2 Software structure
The structure with related software in the operation of the TOE is described. In the structure, the scope of the TOE in the structure should be stated. Especially, when the operation of the TOE depends on operating system (OS) and data control programs, the distribution of functions should be described.
A.2.3.3 Rationale
It should be verified that the described items are consistent.
a) Absence of inconsistent provision items.
b) Absence of undefined or unclear sections of provided content in this subclause.
A.3 Security environment
A.3.1 Operation/operational environment of TOE
A.3.1.1 General
Security requirements to determine security objectives for the TOE operation are provided.
A.3.1.2 Operational environments
The methodology of the use of the TOE such as the operational environment, operational time, operational site, use procedure and location of use is described. The described contents of A.2.1.2 are described in detail from the aspect of functionality.
a) Operational procedures
Regarding the operational procedures of the TOE, the operation of an integrated EFC system including the related vehicles and ICC for payment are described.
b) Operational time
The operational time zone of the TOE is described.
EXAMPLE The operational time is any time that ETC vehicles use on ETC toll roads.
c) Operational sites
Operational sites of the TOE are described.
d) Use procedures
The procedures from the purchase (obtain) to the disposal of the TOE by users are described, including installation of the TOE, set-up of the TOE and operation at toll roads.
EXAMPLE 1 Users purchase ETC OBE at OBE dealers (car dealers, car shops). An OBE is installed in a vehicle. In addition, the on-board information needed for the ETC operation such as vehicle information is stored as on-board information.
EXAMPLE 2 After an ETC member contract is established, users get an ICC, which is issued by credit card companies.
EXAMPLE 3 Users will be able to use the ETC system by inserting an ICC in an OBE installed in a vehicle. The vehicles, which are capable of using ETC systems, are called ETC vehicles.
EXAMPLE 4 Users use toll roads with the ICC inserted in an OBE in an ETC vehicle and pass through the toll gates without stopping.
e) Use sites
Sites, where users are able to use TOE, are described.
EXAMPLE Toll roads, along which ETC RSE are installed.
f) Limits and requirements in use such as available numbers of TOE are described.
EXAMPLE 1 The number of OBE installed per vehicle is limited to one.
EXAMPLE 2 OBE is fixed (built-in) in a vehicle.
EXAMPLE 3 OBE can be used 24 h a day as long as ETC lanes are open for operation.
A.3.1.3 Physical control
Physical control related to the operation of the TOE is described.
a) Installation sites and control
Installation sites and physical control of the TOE are described.
EXAMPLE 1 OBE is fixed (built-in) in a vehicle.
The personnel requirements for the responsibility and confidence of the TOE operations are described. In addition, the requirements for potential uses, motivations, methods and expertise of attacks are provided.
a) TOE-related agents
The following items regarding the manufacturers, operators and users of TOE are stated.
EXAMPLE 1 Personnel requirements:
Type: Manufacturer of On-Board Equipment
Risk of illicit use: There are risks of illicit use since the responsibility for security control is absent.
Expertise: No need of expertise for security.
Trail: Negative list check is implemented while ETC vehicles are passing through toll gates.
b) Attackers
The following items are described for illicit use requirements against which countermeasures are taken by the TOE.
Type: Illicit third party among ETC users
Purpose of illicit use: OBE data forgery, manipulation, obtaining of personal information. Forgery and illicit modification of OBE medium.
Motivation: To reduce toll fees or avoid toll fee claims by illicit use of information. Sale of forged OBE.
Means: Forgery of vehicle information on On-Board Equipment. Forgery of I/F data between OBE and ICC to counterfeit someone's card. Forgery of ETC OBE by analysing OBE internally.
Expertise: Comprehend the internal transaction by analysing ETC On-Board Equipment internally.
A.3.1.5 Connectivity/operational environments
The environment for TOE connectivity and operation is provided. Only the structure, which is provided in this subclause, shall be TOE.
a) Connectivity
Transactions for RSE at toll gates and ICC needed for the operation of the TOE are described.
EXAMPLE
— OBE exchanges information via radio communication (5,8 GHz) with RSE at toll gates.
— OBE reads IC card data (card number, ETC member contract information) before vehicles pass through toll gates. When vehicles pass through toll gates, OBE sends applicable IC card internal data to RSE to transmit billing and transaction record data.
b) Operational requirements
Hardware/software requirements (CPU implementation speed, required memory, input/output devices) needed for operation of the TOE are described.
A.3.1.6 Rationale
It is verified that the described items are consistent.
a) Absence of inconsistent provision items.
A.3.2 Security threats
A.3.2.1 Determination of target resources for protection
a) Selection of target resources for protection
Target resources for protection, to be protected by the TOE, are determined. Resources, which negatively impact services of the TOE by falsification, alteration and loss, are targeted for protection. Regarding determined individual targeted resources for protection, the life cycle such as generation, transaction, storage and disposal are clearly described. If there are indirect resources for a TOE transaction, the indirect resources are determined as well.
EXAMPLE 1
1) Target protection resources to be protected by the TOE:
— ETC member contract information: ICC internal data (i.e. IC card number);
— vehicle information: OBE internal data such as vehicle classification codes;
— toll gate information: exit/enter information, barrier information and transaction record information;
— information stated above, transmitted by radio communication through OBE between road side units at toll gates and ICC;
— toll information: storage in ICC such as billing information.
2) Target resources for protection such as lifecycle:
— OBE installation in a vehicle;
— transcription of vehicle information into OBE;
— OBE operation at toll roads;
— OBE disposal.
b) Evaluation of target resources for protection
The values of determined target resources for protection are evaluated. The evaluation is divided into three levels as follows:
Level 1: security problems' impact on the entire system for the TOE, e.g. the system might be malfunctioning or down.
Level 2: security problems drastically compromise the value of the system for the TOE, e.g. the social responsibility for the systems is impaired; however, restoration of systems is attainable.
Level 3: security problems hinder the operation of the TOE, e.g. operation of the system is temporarily interrupted, resulting in serious impact on the users.
EXAMPLE 2
Evaluation of target resources for protection:
Level 1: None (no target resource for protection, which impacts systems such as destroying ETC systems);
Level 2: ETC member contract information;
Level 3: Vehicle information, toll gate information, toll information.
how (counterfeiting, tapping, destruction), means (available resources, interface, expertise), threats (falsification, exposure, service interruption) and reasons
major threats are as follows:
1) lack of confidentiality;
2) lack of protection;
3) lack of availability;
4) lack of responsibility;
5) lack of integrity;
security weaknesses are stated.
Threat analysis for life cycle of target data for protection is shown in Table A.1.
Table A.1 — Threat analysis for lifecycle of ETC On-Board Equipment data for protection — information
A.3.2.3 Rationale
It is verified that the described items are consistent.
a) Absence of inconsistent provision items.
b) Absence of undefined or unclear sections of provided content in this subclause.
A.3.3 Security policy of operational entity
A.3.3.1 General
Security items for operational entities for the TOE are provided in accordance with the rules and policies. The document names describing concrete rules are described.
A.3.3.2 Identification of security policies of operational entities
a) Use policy of target resource for protection
Use policy (to whom, what capability, when, where) of target resource for protection is provided.
b) Maintenance policy (update, disposal) of target resource for protection
c) Operational rules and applicable laws for security
i.e. security policy based on "Law for prohibiting illicit access" is provided.
d) System and responsibility duty for security policy
A.3.3.3 Rationale
Among security policy items of each operational entity, it is checked that there is no contradiction in the provision content with the methodology and result being described.
a) Absence of inconsistent provision items.
b) Absence of undefined or unclear sections of provided content in this subclause.
A.4 Security objectives
A.4.1 General
Regarding security threats listed in A.3.2, security objectives are determined from both aspects of technical objectives, which are provided by EFC systems or the operational environment of the EFC system, and operation control objectives.
A.4.2 Technical security objectives
Technical security objectives provide security objectives, which are implemented by security functions such as encryption of data and control of access authentication.
a) For determination of security objectives, technical security objectives against threats are clearly described.
b) Security objectives are determined from the aspects of "control", "prevention", "detection" and "recovery".
Control: the generation of security threats is controlled.
EXAMPLE 1 Billing resource information such as ETC contract information is stored so securely in ICC and SAM installed in OBE for caching that it is protected from tampering.
Prevention: prevent security destruction when security threats are generated.
EXAMPLE 2 Data are protected by encrypted data of radio communication information.
Detection: security threats are detected.
EXAMPLE 3 Data falsification is detected by adding an authentication code to the message data.
Recovery: when security threats are detected, the original secure status will be restored.
EXAMPLE 4 When a forgery of OBE or ICC is detected, negative information is recorded and the use is terminated. For legitimate users, a new OBE or ICC is reissued.
The following are some of the basic elements of security objectives.
a) Availability
Information transaction resource is effectively used anytime anywhere, when needed. Major security objectives are as follows.
1) Term of validity: setting the term of validity for IC cards, IC cards need to be changed periodically.
2) Damage control: equipment at toll gates controlling toll billing information should have dual configuration to avoid being damaged.
3) Automation: personnel intervention for preparation of bills is eliminated.
b) Confidentiality
Information is protected from illegal access.
1) Access control:
— operation capability of equipment is checked;
— communication paths are checked.
2) Confidentiality of data: data of EFC member contract information/billing information are encrypted.
3) Encryption key management: generation of cryptographic key, distribution and storage are managed.
c) Protection
Information is protected from illicit alteration or facilitation.
1) Access control: usage capability of data and program library are checked.
2) Data flow control: logic spec for data flow is provided; between internal networks and external networks, telecommunication data are filtered.
3) Data protection: data falsification and illegal addition of data insertion of forwarding blocks are detected.
d) Legitimacy
Original information is verified. Communication document is verified to be the same original document. In addition, the records for resource use are verified.
1) Trace/audit: information for radio telecommunication is recorded as log data to be used to detect problems and for security objectives.
2) Detection of security intervention: illicit interventions are detected in advance.
e) Traceability
Use status of target resource for protection is analysed and any unusual status is detected.
1) Identification/authentication: toll fees are charged to actual EFC users through identification/authentication.
2) Session control: radio communication paths are protected from illicit intervention.
3) Privacy: EFC contract information and use information are protected from exposure.
4) Security entity protection: security entities are checked for bypass or interference.
f) Common requirements
Common requirements for security objectives are as follows.
1) Digital signature: E-signature is required for verification for EFC contract information.