Smart Card Handbook

Third Edition

WILEY

Ex.1008
Page 1 of 13

GARMIN /

First published under the title Handbuch der Chipkarten by Carl Hanser Verlag
© Carl Hanser Verlag, Munich/FRG, 2002
All rights reserved.
Authorized translation from the 4th edition in the original German language
published by Carl Hanser Verlag, Munich/FRG.

Copyright © 2003 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester
West Sussex, PO19 8SQ, England

National 01243 779777
International (+44) 1243 779777

Email (for orders and customer service enquiries): cs-books@wiley.co.uk
Visit our Home Page on www.wileyeurope.com or www.wiley.com

Reprinted March 2006

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs
and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road,
London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the
Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to
permreq@wiley.co.uk, or faxed to (+44) 1243 770571.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the
understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is
required, the services of a competent professional should be sought.

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA

Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA

Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany

John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia

John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809

John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic
books.

Library of Congress Cataloging-in-Publication Data
Rankl, W. (Wolfgang)
[Handbuch der Chipkarten. English]
Smart card handbook / Wolfgang Rankl and Wolfgang Effing. — 3rd ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-470-85668-8 (alk. paper)
1. Smart cards—Handbooks, manuals, etc. I. Effing, W. (Wolfgang) II. Title.
TK7895.S62R3613 2003
006—dc22
2003062750

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN-10: 0-470-85668-8 (H/B)
ISBN-13: 978-0-470-85668-0 (H/B)

Typeset in 10/12pt Times by TechBooks, New Delhi, India
Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham Wiltshire
This book is printed on acid-free paper responsibly manufactured from sustainable forestry
in which at least two trees are planted for each one used for paper production.

Preface to the Third Edition

The English version of the Smart Card Handbook has now reached its third edition. In
comparison with the previous edition, it has been considerably expanded and thoroughly updated
to represent the current state of the technology. In this book, we attempt to cover all aspects
of smart card technology, with the term 'technology' intentionally being understood in a very
broad sense.

As in previous editions, we have remained true to our motto, 'better one sentence too many
than one word too few'. We have described this ever-expanding subject in as much detail as
possible. Even more examples, drawings and photographs have been added to make it easier
to understand complicated relationships. The glossary has been enlarged to include many new
terms covering all essential concepts related to smart cards, and it has been enhanced with
cross-references. In many cases, it can provide a quick introduction to a particular subject.
Altogether, these additions, extensions and improvements have resulted in a book that is more
than three times as large as the first edition.

Here we can make a small comparison. Modern smart card operating systems currently
comprise 120,000 lines of source code, which roughly corresponds to two books the size of
the present edition. Even if you are not familiar with programming, you can readily appreciate
how sophisticated these operating systems have become.

These small, colorful plastic cards with their semiconductor chips continue to spread from
their original countries, Germany and France, throughout the world. In the coming years, this
technology can be expected to outstrip all others, especially since it is still in its infancy and
there is no end or consolidation in sight.

Smart card technology progresses in leaps and bounds, and we attempt to keep pace by
publishing a new edition of the Smart Card Handbook every two to three years. The Smart
Card Handbook represents the present state of technical knowledge, and in areas that are
presently undergoing rapid change, we indicate possible paths of evolution. If certain things
come to be seen differently at a later date, we can only remark that no one knows what the
future will bring. Despite this, or perhaps just because of this, we welcome all comments,
suggestions and proposed improvements, so that this book can continue to cover the subject of
smart cards as completely as possible. Here we would like to explicitly thank the many attentive
and interested readers who have pointed out unclear or ambiguous passages and errors. Once
again, an errata list for this edition will be made available at www.wiley.co.uk/commstech/.

We would also like to thank our many friends and colleagues who have repeatedly offered
valuable (and occasionally somewhat uncomfortable) suggestions for making this book better
and more complete. We would particularly like to thank Hermann Altschafl, Peter van Elst,
Klaus Finkenzeller, Thomas Graßl, Michael Schnellinger, Harald Vater and Dieter Weiß, as
well as Kathryn Sharples at Wiley for her helpful support and Kenneth Cox for the translation.

Munich, June 2002

Wolfgang Rankl
[Rankl@gmx.net], [www.wiley.co.uk/commstech/]

Wolfgang Effing
[WEffing@gmx.net]

1 Introduction

This book has been written for students, engineers and technically minded persons who want
to learn more about smart cards. It attempts to cover this broad topic as completely as possible,
in order to provide the reader with a general understanding of the fundamentals and the current
state of the technology.

We have put great emphasis on a practical approach. The wealth of pictures, tables and
references to real applications is intended to help the reader become familiar with the subject rather
more quickly than would be possible with a strictly technical presentation. This book is thus
intended to be useful in practice, rather than technically complete. For this reason, descriptions
have been kept as concrete as possible. In places where we were faced with a choice between
technical accuracy and ease of understanding, we have tried to strike a happy medium.
Whenever this proved to be impossible, we have always given preference to ease of understanding.

The book has been written so that it can be read in the usual way, from front to back.
We have tried to avoid forward references as much as possible. The designs of the individual
chapters, in terms of structure and content, allow them to be read individually without any loss
of understanding. The comprehensive index and the glossary allow this book to be used as a
reference work. If you want to know more about a specific topic, the references in the text and
the annotated directory of standards will help you find the relevant documents.

Unfortunately, a large number of abbreviations have become established in smart card
technology, as in so many other areas of technology and everyday life. This makes it particularly
difficult for newcomers to become familiar with the subject. We have tried to minimize the
use of these cryptic and frequently illogical abbreviations. Nevertheless, we have often had
to choose a middle way between internationally accepted smart card terminology used by
specialists and common terms more easily understood by laypersons. If we have not always
succeeded, the extensive list of abbreviations at the front of the book should at least help
overcome any barriers to understanding, which we hope will be short-lived. An extensive
glossary in the final chapter of the book explains the most important technical concepts and
supplements the list of abbreviations.

An important feature of smart cards is that their properties are strongly based on
international standards. This is fundamentally important with regard to the usually compulsory need
for interoperability. Unfortunately, these standards are often difficult to understand, and in

Smart Card Handbook, Third Edition. W. Rankl and W. Effing
© 2004 John Wiley & Sons, Ltd ISBN: 0-470-85668-8

486

Smart Card Commands

7.14 COMMANDS FOR ELECTRONIC PURSES

Part 3 of the European standard for universal electronic purses, EN 1546, defines six commands
for electronic purses and 12 commands for the security module in the terminal, which itself
may be a smart card. The basic structures of the four most important commands used with
smart card electronic purses⁸ are described here. These commands can be utilized to run an
application in a smart card for making 'cashless' payments from a prepaid purse and refilling
the purse. The commands for error recovery, currency conversion, parameter modification and
canceling a payment are not described here, nor are those for the security module. The Common
European Purse System (CEPS) specification for electronic purses defines commands that are
very similar to those defined by EN 1546.

The commands described here would fit just as well under 'Application-Specific Commands'
(Section 7.16), since they are defined specifically for this one application. They can never be
used for any other purpose than electronic purses, since they have been optimized for this
application. However, we dedicate a section to them because electronic purses are one of the
main future applications for smart cards, besides telecommunications.

All electronic purse transactions are divided into three steps according to EN 1546. In the
first step, the card is initialized using the command INITIALIZE IEP for Load / for Purchase.
In the second step, a command is executed to perform the actual transaction, such as filling
the purse or paying with the purse. In the optional third step, the transaction just performed
is confirmed. All purse commands directly access files in the purse application of the smart
card for both writing and reading. These files hold the purse balance, log entries and various
parameters.

The individual steps of a purse transaction are executed using the commands described
below. The EN 1546 standard precisely defines the internal processes of each command with
regard to functionality and the sequence of the individual steps. All implementations thus have
at least the same general processes.

The INITIALIZE IEP command can be used for several purposes. A parameter is used to
select initialization of a purse loading transaction, a purchase transaction or another type of
transaction.

Loading (crediting) the purse in the smart card is initiated by the command INITIALIZE
IEP for Load. The transferred data, such as a currency code and amount to be loaded, are
checked in the card to see whether they match prescribed values in the parameter files. Freely
definable data (user-determined data) can also be stored in a log file. Next, a transaction counter
is incremented and a signature S1 is generated for various data (such as the current balance
and expiry date), so that this information can be transferred to the terminal without risk of
manipulation.

In the second step of the load transaction, the card essentially receives information about
the keys to be used and a signature S2 via the CREDIT IEP command. This information
comes from the security module in the terminal, and besides protecting the data, it allows
the card to authenticate the security module. The smart card has already been authenticated
with respect to the security module in the terminal by the previous INITIALIZE IEP for Load

⁸ Command sequences and general system structures of electronic purse systems are described in detail in Section
12.3.1, 'The CEN EN 1546 standard'
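
The load transaction described above (INITIALIZE IEP for Load followed by CREDIT IEP), sketched as an added example that is not taken from the book or from EN 1546. The class and field names, the key, the limits, the exact data covered by S1 and S2, and the use of truncated HMAC-SHA256 in place of the standard's signature algorithm are all assumptions; the point is how S1 authenticates the card to the security module and how S2, bound to the transaction counter, authenticates the security module to the card and makes a replayed credit fail.

```python
import hashlib
import hmac
import struct


class PurseError(Exception):
    """Raised when the card or the security module refuses a step."""


def _mac(key: bytes, label: bytes, *values: int) -> bytes:
    # Stand-in MAC (assumption): HMAC-SHA256 truncated to 8 bytes over
    # fixed-width fields. The real EN 1546 algorithm is not reproduced here.
    data = label + b"".join(struct.pack(">Q", v) for v in values)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class PurseCard:
    """Hypothetical card-side purse application."""

    def __init__(self, key, balance, expiry, currency, max_load):
        self.key, self.balance, self.expiry = key, balance, expiry
        self.currency, self.max_load = currency, max_load  # "parameter file"
        self.counter = 0      # transaction counter
        self.pending = None   # (amount, counter) of the open transaction
        self.log = []         # log file for user-determined data

    def initialize_iep_for_load(self, currency, amount, user_data=b""):
        # Step 1: check the transferred data against the prescribed parameters.
        if currency != self.currency:
            raise PurseError("currency code not allowed")
        if not 0 < amount <= self.max_load:
            raise PurseError("amount outside permitted range")
        self.log.append(user_data)
        self.counter += 1
        self.pending = (amount, self.counter)
        # Assumed coverage of S1: balance, expiry date, counter and amount.
        s1 = _mac(self.key, b"S1", self.balance, self.expiry, self.counter, amount)
        return {"balance": self.balance, "expiry": self.expiry,
                "counter": self.counter, "s1": s1}

    def credit_iep(self, s2):
        # Step 2: S2 authenticates the security module and protects the amount.
        if self.pending is None:
            raise PurseError("no initialized load transaction")
        amount, counter = self.pending
        self.pending = None   # one CREDIT attempt per initialization
        if not hmac.compare_digest(s2, _mac(self.key, b"S2", amount, counter)):
            raise PurseError("S2 invalid")
        self.balance += amount
        return self.balance


class SecurityModule:
    """Hypothetical terminal-side security module sharing the purse key."""

    def __init__(self, key):
        self.key = key

    def authorize_load(self, response, amount):
        expected = _mac(self.key, b"S1", response["balance"], response["expiry"],
                        response["counter"], amount)
        if not hmac.compare_digest(response["s1"], expected):
            raise PurseError("S1 invalid")  # card not authentic or data altered
        return _mac(self.key, b"S2", amount, response["counter"])


def run_demo():
    key = b"constructed-demo-key"  # constructed sample value
    card = PurseCard(key, balance=500, expiry=20051231, currency=978, max_load=20000)
    sam = SecurityModule(key)
    results = {}

    # Normal load of 1000 units.
    resp = card.initialize_iep_for_load(978, 1000, b"terminal 42")
    old_s2 = sam.authorize_load(resp, 1000)
    results["balance_after_load"] = card.credit_iep(old_s2)

    # Replaying the old S2 in a new transaction fails: the counter has moved on.
    card.initialize_iep_for_load(978, 1000)
    try:
        card.credit_iep(old_s2)
        results["replay"] = "accepted"
    except PurseError as exc:
        results["replay"] = str(exc)

    # A balance altered between card and security module breaks S1.
    resp = card.initialize_iep_for_load(978, 1000)
    resp["balance"] = 0
    try:
        sam.authorize_load(resp, 1000)
        results["tamper"] = "accepted"
    except PurseError as exc:
        results["tamper"] = str(exc)

    results["final_balance"] = card.balance
    results["counter"] = card.counter
    return results


if __name__ == "__main__":
    print(run_demo())
```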

576

Quality Assurance and Testing

a limited degree, since the provider usually does not have all the necessary technical expertise
and capabilities. The second option, which is assigning the tests to another party, is currently
regarded by all concerned as an acceptable solution.

This same problem has existed for many years with software and systems developed for
military use. It is thus not something that is new in the smart card world. In order to establish
metrics for the trustworthiness of software products, which means to make it objectively
measurable, the US National Computer Security Center (NCSC) issued a catalog of criteria
for evaluating the trustworthiness of information technology systems in 1983. NCSC was
founded in 1981 by the American Department of Defense (DoD). The publication of 'Trusted
Computer System Evaluation Criteria' (TCSEC) followed in 1985. This book had an orange
binding, so it has come to be generally known as the 'Orange Book'. These criteria serve as
guidelines to the NCSC for the certification of information technology systems.

The TCSEC has become an international model for practically all criteria catalogs in the
information technology field. In Europe, specifically European criteria have been defined,
although they are based on the TCSEC. They were first published in 1990 as the
'Information Technique System Evaluation Criteria' (ITSEC), and a revised version was issued in
1991.

The Common Criteria (CC) were created in order to provide a uniform standard for testing
the correctness of software. They can be regarded as representing the essential elements of the
TCSEC and the ITSEC. The Common Criteria are also better organized for the evaluation of
software than the TCSEC or the ITSEC. Although the first version of the Common Criteria was
published as early as 1996, it has not yet supplanted the TCSEC or the ITSEC.² The Common
Criteria have also been published as an international standard (ISO 15408). In contrast to the
ITSEC, which has six levels, the Common Criteria have seven levels of trustworthiness. It is
relatively easy to make the transition from an evaluation based on the TCSEC or the ITSEC to
one based on the Common Criteria, since all of these catalogs have many features in common.
However, since in the smart card field in particular the ITSEC is still used as the essential basis
for software evaluation, we refer only to this catalog in the following description.

Occasionally, the requirements of the FIPS 140-2 standard are taken into account in
performing evaluations, in addition to the ITSEC and the CC. This standard specifies four possible
security levels for security modules, which can be considered to include smart cards, and
provides detailed descriptions of seven requirement areas related to security. The contents of this
standard are very practically oriented and also deal with details of technical implementation,
such as criteria for the quality of random-number generators.

Regardless of the method used, an evaluation process has four characteristics. First, it must
be unbiased, which means that the evaluator must not have any preconceived ideas regarding
the item to be evaluated or its producer. The second characteristic is that the evaluation process
must be objective and structured to minimize the significance of personal opini