
BS EN 50436-6:2015

$198.66

Alcohol interlocks. Test methods and performance requirements – Data security

Published by: BSI
Publication date: 2015
Number of pages: 60

1.1 General

This European Standard specifies security requirements for the protection and handling of event records which are stored in the data memory of breath alcohol controlled alcohol interlocks and which may be downloaded, processed and transferred to supervising persons or organizations.

This European Standard is a supplement to EN 50436‑1. It is to be decided by the respective jurisdiction whether the present standard has to be applied in addition to EN 50436‑1.

This European Standard may also be used as a supplement to EN 50436‑2 if a jurisdiction or a vehicle fleet operator decides that the data security in his preventive application has to have the same high level of requirements as for alcohol interlocks used in drink-driving-offender programmes.

This European Standard is mainly directed to test houses, manufacturers of alcohol interlocks, legislating authorities and organizations which handle and use the alcohol interlock event records.

In this European Standard, the alcohol interlock consists basically of handset and control unit. Optional accessory devices (e.g. cameras or GPS systems generating data related to event data of the alcohol interlock, as well as accessory devices handling or transferring data for a drink-driving-offender programme) authorized by the manufacturer as being part of the alcohol interlock system and which are intended to be used in the vehicle during operation are also to be considered part of the alcohol interlock, where applicable.

The service application communicates with the alcohol interlock and sends out the event records to a register, either directly or alternatively indirectly through a broker.

The scheme is depicted in Figure 1. It also shows which parts are within the scope of this European Standard and which are outside of the scope.

[Image removed.]

NOTE

In this, and all other figures, the direction of the arrows indicates the flow of event records.

This European Standard applies to

  • the alcohol interlock,

  • the service application.

This European Standard does not apply to

  • data security of the broker,

  • data security of the register,

  • storage of downloaded data,

  • requirements for organizational processes, for example defining rights of access to the data.

1.2 Conformance claim

This European Standard conforms according to the Common Criteria for Information Technology Security Evaluation as Protection Profile to:

  • Common Criteria, Version 3.1, Revision 4, as defined by CCp1, CCp2, CCp3 and CEMe,

  • Common Criteria – Part 2 as Common Criteria – Part 2 conformant,

  • Common Criteria – Part 3 as Common Criteria – Part 3 conformant.

NOTE 1

An earlier revision of CCp1 is published as ISO/IEC 15408‑1.

NOTE 2

An earlier revision of CCp2 is published as ISO/IEC 15408‑2.

NOTE 3

An earlier revision of CCp3 is published as ISO/IEC 15408‑3.

NOTE 4

An earlier revision of CEMe is published as ISO/IEC 18045.

This European Standard is not based on any other Protection Profile.

This European Standard conforms to the evaluation assurance level EAL3 + ALC_FLR.2 (for explanation see 7.4).

Protection profiles or security targets that conform to this Protection Profile shall apply “Strict Protection-Profile-Conformance”.

For more information, see CCp1, Annex B5.

PDF Catalog

PDF Pages PDF Title
8 Introduction
9 1 Scope
1.1 General
Figure 1 – Alcohol interlock, service application, broker and register
10 1.2 Conformance claim
2 Normative references
11 3 Terms and definitions
13 4 General
4.1 Use of the alcohol interlock
4.2 Major security features
14 4.3 Hardware, software and firmware not being part of the alcohol interlock and the service application
5 Alcohol interlock classes
5.1 General
5.2 Class A: transparent service application without broker
15 Figure 2 – Class A alcohol interlock: the alcohol interlock generates the correct format for the register
5.3 Class B: transparent service application with broker
Figure 3 – Class B1 alcohol interlock: the broker converts and sends to the register
16 Figure 4 – Class B2 alcohol interlock: the broker converts and sends to the service application
5.4 Class C: opaque service application
Figure 5 – Class C1 and C2 alcohol interlock: the service application converts the event records
17 5.5 Class D: service application without broker and without register
Figure 6 – Class D alcohol interlock: the event records are transferred to the service application
6 Security objectives
6.1 General
18 Figure 7 – Relations between threats and security objectives
6.2 Security objectives for the alcohol interlock and the service application
Table 1 – Objectives for different classes of alcohol interlocks
20 6.3 Security objectives for the operational environment (informative)
6.3.1 Overview
21 Table 2 – Objectives for different classes of alcohol interlocks
6.3.2 General security objectives for the operational environment
6.3.3 Security objectives for the register
22 6.3.4 Security objectives for the broker
23 7 Security requirements
7.1 Terms
24 7.2 Security Functional Requirements
7.2.1 General
Figure 8 – Relations between threats, security objectives and security functional requirements
25 Table 3 – Security requirements for different classes of alcohol interlocks
7.2.2 FAU_GEN.1 Audit event records generation
26 7.2.3 FAU_STG.1 Protected data memory
7.2.4 FAU_STG.3 Action in case of possible event records loss
7.2.5 FAU_STG.4 Prevention of event records loss
7.2.6 FCS_COP.1(1) Cryptographic operation
27 7.2.7 FCS_COP.1(2) Cryptographic operation
7.2.8 FCS_COP.1(3) Cryptographic operation
7.2.9 FDP_ACC.1 Subset access control
7.2.10 FDP_ACF.1 Security attribute based access control
28 7.2.11 FDP_ITT.1 Basic internal transfer protection
29 7.2.12 FDP_ITT.3 Integrity monitoring
7.2.13 FDP_RIP.1 Subset residual information protection
7.2.14 FIA_UAU.2 User authentication before any action (not applicable if the authentication is done in the operational environment)
7.2.15 FIA_UID.2 User identification before any action (not applicable if the authentication is done in the operational environment)
30 7.2.16 FPT_PHP.1(1) Passive detection of physical attack
7.2.17 FPT_PHP.1(2) Passive detection of physical attack
7.2.18 FPT_STM.1 Reliable time stamps
7.3 Cryptographic algorithms
31 7.4 Security assurance requirements
32 Annex A (informative) Security problem definition
A.1 General
A.2 Assets
A.3 Threat agents
A.4 Threat overview
33 Figure A.1 – Threats to the alcohol interlock, the service application and the environment
34 Table A.1 – Threats for different classes of alcohol interlocks
A.5 Threats
A.5.1 Interfering with the sensors and the signals to the vehicle (I)
35 A.5.2 Prevention of detection of events (II)
A.5.3 Prevention of generation of event records or generation of undesirable event records (III)
A.5.4 Failure to correctly store event records in the alcohol interlock (IV)
36 A.5.5 Failure to correctly transfer event records between alcohol interlock and service application (V)
A.5.6 Failure to correctly handle the event records in the service application (VI)
37 A.5.7 Failure to correctly transfer event records between service application and register (VII)
A.5.8 Failure to correctly register event records at the register (VIII)
A.5.9 Failure to correctly transfer event records between service application and broker (IX)
38 A.5.10 Failure to correctly convert event records at the broker (X)
A.5.11 Failure to correctly transfer event records between broker and register (XI)
39 Annex B (informative) Rationales
B.1 General
B.2 Security objectives rationale
B.2.1 Interfering with the sensors and the signals to the vehicle (I)
40 B.2.2 Prevention of detection of events (II)
B.2.3 Prevention of generation of event records or generation of undesirable event records (III)
41 B.2.4 Failure to correctly store event records in the alcohol interlock (IV)
42 B.2.5 Failure to correctly transfer event records between alcohol interlock and service application (V)
43 B.2.6 Failure to correctly handle the event records in the service application (VI)
44 B.2.7 Failure to correctly transfer event records between service application and register (VII)
46 B.2.8 Failure to correctly register event records at the register (VIII)
B.2.9 Failure to correctly transfer event records between service application and broker (IX)
48 B.2.10 Failure to correctly convert event records at the broker (X)
B.2.11 Failure to correctly transfer event records between broker and register (XI)
49 B.3 Security requirements rationale
53 B.4 Dependencies
54 Annex C (informative) Security testing
55 Annex D (informative) Use of this standard
D.1 Additional information required to use this standard
D.2 Additional requirements for the data handling process
57 Bibliography