ATMEL AT90SC6404RT

General Business Use
AT90SC6404RT Security Target Lite
General Business Use
TPG0053A (24 Nov 04)
Atmel makes no warranty for the use of its products, other than those expressly contained in the Company’s standard warranty which
is detailed in Atmel’s Terms and Conditions located on the Company’s web site. The Company assumes no responsibility for any errors
which may appear in this document, reserves the right to change devices or specifications detailed herein at any time without notice,
and does not make any commitment to update the information contained herein. No licenses to patents or other intellectual property
of Atmel are granted by the Company in connection with the sale of Atmel products, expressly or by implication. Atmel’s products are
not authorized for use as critical components in life support devices or systems.
The security of any system in which the product is used will depend on the system’s security as a whole. Where security or
cryptography features are mentioned in this document this refers to features which are intended to increase the security of the product
under normal use and in normal circumstances.
All products are sold subject to Atmel’s Terms & Conditions of Supply and the provisions of any agreements made between Atmel and
the Customer. In ordering a product covered by this document the Customer agrees to be bound by those Terms & Conditions and
agreements and nothing contained in this document constitutes or forms part of a contract (with the exception of the contents of this
Notice). A copy of Atmel’s Terms & Conditions of Supply is available on request.
 Atmel Corporation 2004
Contents
Section 1
AT90SC6404RT Security Target Lite .......................................................... 9
1.1 Identification................................................................................................. 9
1.2 Overview ...................................................................................................... 9
1.3 Common Criteria Conformance Claim ....................................................... 10
1.4 Document Objective .................................................................................. 10
1.5 Document Structure ................................................................................... 10
1.6 Scope and Terminology ............................................................................. 11
1.7 References ................................................................................................ 11
1.8 Revision History ......................................................................................... 12
Section 2
Target of Evaluation Description................................................................ 13
2.1 Product Type ............................................................................................. 13
2.2 Smartcard Product Life-cycle..................................................................... 15
2.3 TOE Environment ...................................................................................... 17
2.4 TOE Logical Phases .................................................................................. 18
2.5 TOE Intended Usage ................................................................................. 19
2.6 General IT Features of the TOE ................................................................ 21
Section 3
TOE Security Environment ........................................................................ 23
3.1 Assets ........................................................................................................ 23
3.2 Assumptions .............................................................................................. 23
3.3 Threats....................................................................................................... 26
3.4 Organizational Security Policies ................................................................ 30
Section 4
Security Objectives .................................................................................... 31
4.1 Security Objectives for the TOE................................................................. 31
4.2 Security Objectives for the Environment.................................................... 34
TPG0053A (24 Nov 04)
General Business Use
3 of 64
AT90SC6404RT Security Target Lite
Section 5
TOE Security Functional Requirements .................................................... 39
5.1 Functional Requirements Applicable to Phase 3 Only
(Testing Phase) ......................................................................................... 39
5.2 Functional Requirements Applicable to Phases 3 to 7 .............................. 41
5.3 TOE Security Assurance Requirements .................................................... 47
Section 6
TOE Summary Specification...................................................................... 51
6.1 TOE Security Functions ............................................................................. 51
6.2 TOE Assurance Measures ......................................................................... 57
Section 7
Protection Profile Claims ........................................................................... 61
7.1 Protection Profile Reference ...................................................................... 61
7.2 Protection Profile Refinements .................................................................. 61
7.3 Protection Profile Additions........................................................................ 61
Appendix A
4 of 64
Glossary..................................................................................................... 62
General Business Use
TPG0053A (24 Nov 04)
Figures
Figure 2-1
TPG0053A (24 Nov 04)
Smartcard Product Life Cycle ........................................................................... 16
General Business Use
5 of 64
AT90SC6404RT Security Target Lite
6 of 64
General Business Use
TPG0053A (24 Nov 04)
Tables
Table 2-1
Smartcard Product Life-cycle ...................................................................... 15
Table 2-2
Phases 4 to 7 Product Users ...................................................................... 20
Table 3-1
Threats and Phases .................................................................................... 29
Table 5-1
IFCSF-Policy ............................................................................................... 45
Table 6-1
Relationship Between Security Requirements and Security Functions ...... 56
Table 6-2
Relationship Between Assurance Requirements and Measures ................ 59
TPG0053A (24 Nov 04)
General Business Use
7 of 64
AT90SC6404RT Security Target Lite
8 of 64
General Business Use
TPG0053A (24 Nov 04)
Section 1
AT90SC6404RT Security Target Lite
1.1
Identification
1
Title: AT90SC6404RT Security Target Lite [ST_Lite]
2
This Security Target Lite has been constructed with Common Criteria (CC) Version 2.1.
1.2
Overview
3
This Security Target Lite [ST_Lite] is for a microcontroller (MCU) device with security
features. The device is a member of a family of single chip MCU devices which are
intended for use within Smartcard products. The family codename is AVR ASL4 and the
‘parent’ device of the family, from which other family members will be derived, is the
AT90SC19264RC.
4
The AT90SC6404RT MCU device (AT58810) is being evaluated against the CC
Smartcard Integrated Circuit Protection Profile PP/9806 to Evaluation Assurance Level
4 (EAL4) augmented of AVA_VLA.4, ADV_IMP.2 , ALC_DVS.2 under the Common
Criteria maintenance scheme. Atmel Smart Card ICs, a division of ATMEL Corporation,
is the developer and the sponsor for the AVR ASL4 evaluations.
5
The devices in the AVR ASL4 family are based on the AVR RISC family of single-chip
microcontroller devices. The AVR RISC family, with designed-in security features, is
based on the industry-standard AVR low-power HCMOS core and gives access to the
powerful instruction set of this widely used device. AVR ASL4 devices are equipped
with Flash, RAM, ROM and EEPROM, cryptographic coprocessors, and a host of
security features to protect device assets, making them suitable for a wide range of
smartcard applications.
TPG0053A (24 Nov 04)
General Business Use
9 of 64
AT90SC6404RT Security Target Lite
1.3
6
This Security Target Lite is conformant to parts 2 and 3 of the Common Criteria, V2.1,
as follows:
Part 2 conformant: the security functional requirements are based on those
identified in part 2 of the Common Criteria.
Part 3 augmented conformant: the security assurance requirements, including
those used in the augmentation, are based on those in part 3 of the Common
Criteria.
1.4
7
Common Criteria Conformance Claim
Document Objective
The purpose of this document is to satisfy the Common Criteria (CC) requirements for
a Security Target Lite; in particular, to specify the security requirements and functions,
and the assurance requirements and measures, in accordance with Protection Profile
PP/9806, Smartcard Integrated Circuit V2.0, against which the AVR ASL4 devices will
be evaluated.
1.5
Document Structure
8
Section 1 introduces the Security Target Lite, and includes sections on terminology and
references.
9
Section 2 contains the product description and describes the TOE as an aid to the
understanding of its security requirements and addresses the product type, the
intended usage and the general features of the TOE.
10
Section 3 describes the TOE security environment.
11
Section 4 describes the required security objectives.
12
Section 5 describes the TOE security functional requirements and the security
assurance requirements.
13
Section 6 describes the TOE security functions.
14
Section 7 describes the Protection Profile (PP) claims.
15
Appendix A provides a glossary of the terms and abbreviations.
10 of 64
General Business Use
TPG0053A (24 Nov 04)
AT90SC6404RT Security Target Lite
1.6
Scope and Terminology
16
This document is based on the TOE Technical Data Sheet [TD].
17
The term Target of Evaluation (TOE) is standard CC terminology and refers to the
product being evaluated, the AT90SC6404RT MCU device in this case. The TOE is
subject to hardware evaluation only. Downloaded test software will be used for
evaluation purposes but is outside the scope of the TOE. Description of how to use the
security features can be found in [TD].
18
Security objectives are defined herein with labels in the form O.xx_xx. These labels are
used elsewhere for reference. Similarly, threats, assumptions and organizational
security policy are defined with labels of the form T.xx_xx, A.xx_xx, and P.xx_xx
respectively.
19
Hexadecimal numbers are prefixed by $, e.g. $FF is 255 decimal. Binary numbers are
prefixed by %, e.g. %0001 1011 is decimal 27. An integer value may be expressed as
a hexadecimal, binary or decimal number, whichever form is the most convenient.
1.7
20
References
This document refers to the latest issues of the following Atmel documents:
[STI] AT90SC6404RT Test Hardware Specification
[ROMA] AT90SC6404RT Test Software Specification (ROM A)
[RE2D] AT90SC6404RT Test Software Specification (related E2 data)
[TMRE2] AT90SC6404RT Test Software Specification (testmoderun E2 data)
[TD] AT90SC6404RT Technical Data (TPR0125)
[SOF] TOE Strength of Security Functions Analysis
TPG0053A (24 Nov 04)
General Business Use
11 of 64
AT90SC6404RT Security Target Lite
1.8
12 of 64
Revision History
Rev
Date
Description
Originator
A
24 Nov 04
Initial release
Atmel, RFO
General Business Use
TPG0053A (24 Nov 04)
Section 2
Target of Evaluation Description
21
This part of the Security Target Lite [ST_Lite] describes the Target of Evaluation (TOE)
as an aid to the understanding of its security requirements and address the product
type, the intended usage and the general features of the TOE.
2.1
Product Type
22
The TOE is the single chip microcontroller unit to be used in a smartcard product,
independent of the physical interface and the way it is packaged. Specifically, the TOE
is the AT90SC6404RT device from the AVR ASL4 family of smartcard devices.
Generally, a smartcard product may include other optional elements (such as specific
hardware components, batteries, capacitors, antennae) but these are not in the scope
of this Security Target Lite.
23
The devices in the AVR ASL4 family are based on ATMEL's AVR RISC family of
single-chip microcontroller devices. The AVR RISC family, with designed-in security
features, is based on the industry-standard AVR RISC low-power HCMOS core and
gives access to the powerful instruction set of this widely used device. Different AVR
ASL4 family members offer various options. The AVR ASL4 family of devices are
designed in accordance with the ISO standard for integrated circuit cards (ISO 7816),
where appropriate.
24
Although the TOE evaluation is hardware only, the TOE requires embedded software
to test the device and demonstrate certain security characteristics during the
development phase. In the end-usage phase there will be no embedded test software
in the TOE. Test software will be downloaded into the device EEPROM and be fully
erased before devices leave the test environment. This test software is only used for
the testing phase of the TOE life cycle and is outwith the scope of the evaluation. Test
mode is disabled by wafer saw.
25
The TOE widely uses ATMEL high density non volatile memories: it features 64K bytes
of AVR ROM program memory, 4K bytes of EEPROM program/data memory, 2K bytes
of static RAM memory.
26
The EEPROM includes 64 bytes of One Time Programmable (OTP) memory (32 bytes
are byte-addressable; 32 bytes are bit-addressable) and a 192-byte bit-addressable
area.
27
The EEPROM contains both ATMEL and customer specific data.
TPG0053A (24 Nov 04)
General Business Use
13 of 64
AT90SC6404RT Security Target Lite
28
The TOE also includes a 32bit Checksum Accelerator, a CRC-16 peripheral, a Random
Number Generator, and a fast hardware DES/3DES peripheral.
29
The TOE includes security logic comprising detectors which monitor voltage, frequency
temperature and UV light.
30
The TOE is equipped with logic peripherals including 2 timers, 1 serial port, an ISO7816
interface and an ISO7816 controller.
31
The TOE includes a powerful Firewall that protects all memories, peripheral and IO
register accesses. This Firewall defines the 3 user modes and many different address
spaces.
14 of 64
General Business Use
TPG0053A (24 Nov 04)
Target of Evaluation Description
2.2
32
Smartcard Product Life-cycle
The smartcard product life-cycle consists of 7 phases where the following authorities
are involved.
Table 2-1
Smartcard Product Life-cycle
Phase 1
Smartcard software
development
The smartcard software developer is in charge of the
smartcard embedded software development and the
specification of IC pre-personalization requirements,
Phase 2
IC Development
The IC designer designs the IC, develops IC dedicated
software, provides information, software or tools to the
smartcard software developer, and receives the software
from the developer, through trusted delivery and
verification procedures. From the IC design, IC dedicated
software and smartcard embedded software, the IC
designer constructs the smartcard IC database,
necessary for the IC photomask fabrication.
Phase 3
IC manufacturing and
testing
The IC manufacturer is responsible for producing the IC
through three main steps:
IC manufacturing
IC testing
IC pre-personalization
Phase 4
IC packaging and
testing
The IC packaging manufacturer is responsible for the IC
packaging and testing.
Phase 5
Smartcard product
finishing process
The smartcard product manufacturer is responsible for the
smartcard product finishing process and testing.
Phase 6
Smartcard
personalization
The personalizer is responsible for the smartcard
personalization and final tests. Other application software
may be loaded onto the chip at the personalization
process.
Phase 7
Smartcard end-usage
The smartcard issuer is responsible for the smartcard
product delivery to the smartcard end-user, and the end of
life process.
33
The limits of the evaluation correspond to phases 2 and 3, including the phase 1
delivery and verification procedures and the TOE delivery to the IC packaging
manufacturer ; procedures corresponding to phases 4, 5, 6 and 7 are outside the scope
of this document.
34
Nevertheless, in certain cases, it would be of great interest to include the phase 4 (IC
packaging and testing), within the limits of the TOE. However, for the time being, this
option remains outside the scope of this document.
TPG0053A (24 Nov 04)
General Business Use
15 of 64
AT90SC6404RT Security Target Lite
Figure 2-1 describes the Smartcard product life-cycle.
35
Phase 1
Development Phase
IC Personalization requirements
Embedded software
Pre-personalization data
(not applicable hardware only)
Smartcard embedded software (not applicable) hardware only
IC sensitive information
software, tools (not
applicable hardware only)
Phase 2
IC Design
Test Libraries
IC Personalization requirements
Product Construction
Smartcard IC Database Construction
Production Phase
IC Dedicated Software
Atmel Design Center
IC Photomask Fabrication
Phase 3
IC Manufacturing
IC Personalization requirements
IC Testing and Security Encoding
IC Packaging
Phase 4
Testing
Phase 5
Testing
Phase 6
Personalization
Testing
Phase 7
Legend
Limits of the
development cycle
Trusted delivery and
verification procedures
Figure 2-1
16 of 64
Smartcard Product End-Usage
End of Life Process
Smartcard Product Life Cycle
General Business Use
TPG0053A (24 Nov 04)
Product Usage
User Phase
Smartcard Product Finishing Process
Target of Evaluation Description
36
37
These different phases may be performed at different sites; procedures on the delivery
process of the TOE shall exist and be applied for every delivery within a phase or
between phases. This includes any kind of delivery performed from phase 1 to phase
7, including:
Intermediate delivery of the TOE or the TOE under construction within a phase
Delivery of the TOE or the TOE under construction from one phase to the next
These procedures shall be compliant with the assumptions [A_DLV] developed in
Section 3.2.2.
2.3
38
TOE Environment
Considering the TOE, three types of environments are defined:
Development environment corresponding to phase 2
Production environment corresponding to phase 3
User environment, from phase 4 to phase 7
2.3.1
TOE Development Environment
39
To assure security, the environment in which the development takes place is made
secure with controllable accesses having traceability. Access to the development
building is strictly monitored by a security person. Visitors must sign a log book and
record the time of arrival and time of departure to the building. All visitors are escorted
by authorized personnel at all times. All authorized personnel involved fully understand
the importance and the rigid implementation of the defined security procedures.
40
The development begins with the TOE's specification. All parties in contact with
sensitive information are required to abide by Non-Disclosure Agreements.
41
Reticles and photomasks are generated from the verified IC database. The reticles and
photomasks are then shipped in a secure manner to the wafer fab processing facilities.
2.3.2
TOE Production Environment
42
Production starts within the ATMEL Wafer Fabrication plant; here the silicon wafers
undergo diffusion processing in 25-wafer lots. Computer tracking at wafer level
throughout the process is achieved by the batch tracking system.
43
The batch tracking system system is an on-line manufacturing tracking system which
monitors the progress of the wafers through the fabrication cycle. After fabrication the
wafers are sent to ATMEL Test Fab where they are thinned to a pre-specified thickness
and tested. ATMEL Test Fab tests the TOE to assure conformance with the device
specification. During the IC testing, security encoding is performed where some of the
TPG0053A (24 Nov 04)
General Business Use
17 of 64
AT90SC6404RT Security Target Lite
EEPROM bytes are programmed with the unique traceability information, and the
customer software is loaded in the EEPROM if required.
44
The wafers are inked to separate the functional ICs from the non-functional ICs. Finally,
the wafers are sawn and then shipped to the customer. Unsawn wafers may be shipped
to the customer if requested.
2.3.3
TOE User Environment
45
The TOE user environment is the environment of phases 4 to 7.
46
At phases 4, 5, and 6, the TOE user environment is a controlled environment.
47
Following the sawing step, the wafers are split into individual dies. The good ICs are
assembled into modules in a module assembly plant.
48
Further testing is carried out followed by the shipment of the modules to the smartcard
product manufacturer (embedder) by means of a secure carrier.
49
Additional testing occurs followed by smartcard personalization, retesting and then
delivery to the smartcard issuer.
End-user environment (Phase 7)
50
Smartcards are used in a wide range of applications to assure authorized conditional
access. Examples of such are Pay-TV, Banking Cards, Portable communication SIM
cards, Health cards, Transportation cards.
51
Therefore, the user environment covers a wide spectrum of very different functions,
thus making it difficult to avoid or monitor any abuse of the TOE.
2.4
52
18 of 64
TOE Logical Phases
During its construction usage, the TOE may be under several life logical phases. These
phases are sorted under a logical controlled sequence. The change from one phase to
the next shall be under the TOE control.
General Business Use
TPG0053A (24 Nov 04)
Target of Evaluation Description
2.5
53
54
TOE Intended Usage
The TOE can be incorporated in several applications such as:
Banking and finance market for credit/debit cards, electronic purse (stored value
cards) and electronic commerce.
Network based transaction processing such as mobile phones (GSM SIM cards),
pay-TV (subscriber and pay-per-view cards), communication highways (Internet
access and transaction processing).
Transport and ticketing market (access control cards).
Governmental cards (ID-cards, healthcards, driver license etc).
Multimedia commerce and Intellectual Property Rights protection.
During the phases 1, 2, 3, the product is being developed and produced. The
administrators are the following:
The IC designer:
Authorized staff who work for the developer, and who design the MCU (such
development staff are trusted and privileged users).
The IC manufacturer:
Authorized staff who work for the developer and who manufacture and test the
MCU (such manufacturing staff are trusted and priviliged users).
The smartcard dedicated software developer:
Authorized staff who work for the developer and who develop the dedicated
test software and crypto libraries (such development staff are trusted and
priviliged users).
TPG0053A (24 Nov 04)
General Business Use
19 of 64
AT90SC6404RT Security Target Lite
55
Table 2-2 lists the users of the product during phases 4 to 7.
Table 2-2
Phase 4
Phase 5
Phase 6
Phase 7
Phases 4 to 7 Product Users
Packaging manufacturer (administrator)
Smartcard embedded software developer
System integrator, such as the terminal software developer
Smartcard product manufacturer (administrator)
Smartcard embedded software developer
System integrator, such as the terminal software developer
Personalizer (administrator)
Customers who, before manufacture, determine the MCU’s mask
options and the initial memory contents (i.e. the application
program), and who, after manufacture, incorporate the MCU into
devices. Customers are trusted and privileged users.
Smartcard issuer (administrator).
Smartcard embedded software developer.
System integrator, such as the terminal software developer.
Smartcard issuer (administrator)
Smartcard end-user, who use devices incorporating the MCU.
End-users are not trusted and may attempt to attack the MCU.
Smartcard software developer.
System integrator, such as the terminal software developer.
Note
56
The IC manufacturer and the smartcard product
manufacturer may also receive ICs for analysis, should
problems occur during the smartcard usage.
The MCU may be used in the following modes:
a) Test mode, in which the MCU runs under the control of dedicated test software
written to EEPROM via a test interface, and in conjunction with stimulus provided
by an external test system. This mode is intended to be used solely by authorized
development staff.
b) User mode, in which the MCU runs under control of the smartcard embedded
software. It is intended that customers and end-users will always use the MCU in
user mode.
20 of 64
General Business Use
TPG0053A (24 Nov 04)
Target of Evaluation Description
57
During the initial part of the manufacturing process, the MCU is set to test mode.
Authorized development staff then test the MCU. After testing, test mode is
permanently disabled and the MCU is set to user mode.
58
If a faulty MCU is returned from the field then analysis can only be done in user mode
because test mode is inhibited by sawing off the critical wires, prior to devices going to
the field.
59
There is no intermediate mode for fault analysis. The only modes of operation are those
stated in paragraph 56.
60
Once manufactured, the MCU operates by executing the smartcard embedded
software, which is stored in AVR ROM. The contents of the AVR ROM cannot be
modified, whereas the contents of the EEPROM can, in general, be written to or erased,
under the control of the smartcard embedded software.
61
The EEPROM includes OTP bytes, which can be used to store security-related
information such as cryptographic keys. The OTP bytes cannot be erased in user
mode.
62
The FireWall (Memories and Peripherals Protection Unit) allows the smartcard
embedded software to prevent read/write/execute access to (parts of) AVR ROM,
EEPROM, RAM and peripherals from EEPROM.
63
After an MCU reset, the contents of the RAM are initialized to a random value (except
32 bytes of protected RAM).
64
The ISO7816 compliant I/O port can be used to pass data to or from the MCU. The
application program determines how to interpret the data.
2.6
65
General IT Features of the TOE
The TOE IT functionalities consist of data storage and processing such as:
Arithmetic functions (e.g. incrementing counters in electronic purses, calculating
currency conversion in electronic purses)
Data communication
Cryptographic operations (e.g. data encryption, digital signature verification)
TPG0053A (24 Nov 04)
General Business Use
21 of 64
AT90SC6404RT Security Target Lite
22 of 64
General Business Use
TPG0053A (24 Nov 04)
TOE Security Environment
Section 3
TOE Security Environment
66
This section describes the security aspects of the environment in which the TOE is
intended to be used, and addresses the description of the assumptions, the assets to
be protected, the threats, and the organizational security policies.
3.1
67
Assets
Assets are security relevant elements of the TOE that include the:
Application data of the TOE comprising the IC pre-personalization requirements,
such as the AVR ROM, EEPROM and OTP contents.
Smartcard embedded software
IC specification, design, development tools and technology
68
Therefore, the TOE itself is an asset.
69
Assets must be protected in terms of confidentiality, integrity and availability.
3.2
70
71
Assumptions
It is assumed that this section concerns the following items:
Due to the definition of the TOE limits, any assumption for the smartcard software
development (phase 1 is outside the scope of the TOE)
Any assumption from phases 4 to 7 for the secure usage of the TOE, including the
TOE trusted delivery procedures
Security is always dependent on the whole system: the weakest element of the chain
determines the total system security. Assumptions described hereafter must be
considered for a secure system using smartcard products:
Assumptions on phase 1
Assumptions on the TOE delivery process (phases 4 to 7)
Assumptions on phases 4-5-6
Assumptions on phase 7
TPG0053A (24 Nov 04)
General Business Use
23 of 64
AT90SC6404RT Security Target Lite
3.2.1
A.SOFT_ARCHI
The smartcard embedded software shall be designed in a
secure manner, that is focusing on integrity of program and
data.
A.DEV_ORG
Procedures dealing with physical, personnel,
organizational, technical measures for the confidentiality
and integrity of smartcard embedded software (e.g. source
code and any associated documents) and IC designer
proprietary information (tools, software, documentation.)
shall exist and be applied in software development.
3.2.2
72
24 of 64
Assumptions on Phase 1
Assumptions on the TOE Delivery Process (Phases 4 to 7)
Procedures shall guarantee the control of the TOE delivery and storage process and
conformance to its objectives as described in the following assumptions.
A.DLV_PROTECT
Procedures shall ensure protection of TOE material and
information under delivery and storage. A procedure shall
ensure protection of the TOE for unsawn wafer delivery.
A.DLV_AUDIT
Procedures shall ensure that corrective actions are taken in
case of improper operation in the delivery process and
storage.
A.DLV_RESP
Procedures shall ensure that people dealing with the
procedure for delivery have got the required skill.
General Business Use
TPG0053A (24 Nov 04)
3.2.3
Assumptions on Phases 4 to 6
A.USE_TEST
It is assumed that appropriate functionality testing of the IC
is used in phases 4, 5 and 6.
A.USE_PROD
It is assumed that security procedures are used during all
manufacturing and test operations through phases 4, 5, 6 to
maintain confidentiality and integrity of the TOE and of its
manufacturing and test data (to prevent any possible copy,
modification, retention, theft or unauthorized use). In the
case when unsawn wafers are delivered, appropriate
guidance on sawing will be known and used by the
customer.
3.2.4
Assumptions on Phase 7
A.USE_DIAG
It is assumed that secure communication protocols and
procedures are used between smartcard and terminal.
A.USE_SYS
It is assumed that the integrity and confidentiality of
sensitive data stored/handled by the system (terminals,
communications...) is maintained.
TPG0053A (24 Nov 04)
General Business Use
25 of 64
AT90SC6404RT Security Target Lite
3.3
Threats
73
The TOE as defined in Section 2 is required to counter the threats described hereafter;
a threat agent wishes to abuse the assets either by functional attacks, environmental
manipulations, specific hardware manipulations or by any other types of attacks.
74
Threats have to be split in:
Threats against which specific protection within the TOE is required (class I),
Threats against which specific protection within the environment is required (class
II).
3.3.1
Unauthorized Full or Partial Cloning of the TOE
T.CLON
Functional cloning of the TOE (full or partial) appears to be
relevant to any phases of the TOE life-cycle, from phase 1
to phase 7.
Generally, this threat is derived from specific threats
combining unauthorized disclosure, modification or theft of
assets at different phases.
3.3.2
75
Threats on Phase 1 (Delivery and Verification Procedures)
During phase 1, three types of threats have to be considered:
a) Threats on the smartcard’s embedded software and its environment of
development, such as:
76
Unauthorized disclosure
Modification or theft of the smartcard embedded software and any additional
data at phase 1.
Considering the limits of the TOE, these previous threats are outside the scope of this
document.
a) Threats on the assets transmitted from the IC designer to the smartcard software
developer during the smartcard development.
b) Threats on the smartcard embedded software and any additional application data
transmitted during the delivery process from the smartcard embedded software
developer to the IC designer.
26 of 64
General Business Use
TPG0053A (24 Nov 04)
TOE Security Environment
77
The previous types b and c threats are described hereafter.
T.DIS_INFO
Unauthorized disclosure of the assets delivered by the IC
designer to the smartcard software developer such as
sensitive information on IC specification, design and
technology, software and tools if applicable.
T.DIS_DEL
Unauthorized disclosure of the smartcard embedded
software and any additional application data (such as IC
pre-personalization requirements) during the delivery
process to the IC designer.
T.MOD_DEL
Unauthorized modification of the smartcard embedded
software and any additional application data (such as IC
pre-personalization requirements) during the delivery
process to the IC designer.
T.T_DEL
Theft of the smartcard embedded software and any
additional application data (such as IC pre-personalization
requirements) during the delivery process to the IC
designer.
3.3.3
78
Threats on Phases 2 to 7
During these phases, the assumed threats could be described in three types:
Unauthorized disclosure of assets
Theft or unauthorized use of assets
Unauthorized modification of assets
Unauthorized disclosure of assets
79
This type of threats covers unauthorized disclosure of assets by attackers who may
possess a wide range of technical skills, resources and motivation. Such attackers may
also have technical awareness of the product.
T.DIS_DESIGN
Unauthorized disclosure of IC design.
This threat covers the unauthorized disclosure of proprietary
elements such as IC specification, IC design, IC technology
detailed information, IC hardware security mechanisms
specifications.
T.DIS_SOFT
TPG0053A (24 Nov 04)
Unauthorized disclosure of smartcard embedded software
and data such as access control, authentication system,
data protection system, memory partitioning, cryptographic
programs.
General Business Use
27 of 64
AT90SC6404RT Security Target Lite
T.DIS_DSOFT
Unauthorized disclosure of IC dedicated software.
This threat covers the unauthorized disclosure of IC
dedicated software including security mechanisms
specifications and implementation.
T.DIS_TEST
Unauthorized disclosure of test information such as full
results of IC testing including interpretations.
T.DIS_TOOLS
Unauthorized disclosure of development tools.
This threat covers potential disclosure of IC development
tools and testing tools (analysis tools, microprobing tools).
T.DIS_PHOTOMASK
Unauthorized disclosure of photomask information, used for
photoengraving during the silicon fabrication process.
Theft or unauthorized use of assets
80
Potential attackers may gain access to the TOE and perform operations for which they
are not authorized. For example, such attackers may personalize the product in an
unauthorized manner, or try to gain fraudulous access to the smartcard system.
T.T_SAMPLE
Theft or unauthorized use of TOE silicon samples, for
example, bond out chips.
T.T_PHOTOMASK
Theft or unauthorized use of TOE photomasks.
T.T_PRODUCT
Theft or unauthorized use of smartcard products.
Unauthorized modification of assets
81
The TOE may be subjected to different types of logical or physical attacks which may
compromise security. Due to the intended usage of the TOE (the TOE environment may
be hostile), the TOE security parts may be bypassed or compromised reducing the
integrity of the TOE security mechanisms and disabling their ability to manage the TOE
security. This type of threat includes the implementation of malicious trojan horses.
T.MOD_DESIGN
Unauthorized modification of IC design.
This threat covers the unauthorized modification of IC
specification, IC design including IC hardware security
mechanisms specifications and realization.
28 of 64
T.MOD_PHOTOMASK
Unauthorized modification of TOE photomasks.
T.MOD_DSOFT
Unauthorized modification of IC dedicated software
including modification of security mechanisms.
T.MOD_SOFT
Unauthorized modification of smartcard embedded
software and data.
General Business Use
TPG0053A (24 Nov 04)
TOE Security Environment
82
Table 3-1 indicates the relationships between the smartcard phases and the threats.
Table 3-1
Threats and Phases
Threats
Phase 1
Phase 2 Phase 3
Phase 4 Phase 5 Phase 6 Phase 7
Class II
Class II
Class I/II Class I
Class I
Class I
Class I
T.DIS_SOFT
Class II
Class I/II Class I
Class I
Class I
Class I
T.DIS_DSOFT
Class II
Class I/II Class I
Class I
Class I
Class I
T.DIS_DESIGN
Class II
Class I/II Class I
Class I
Class I
Class I
Class I/II Class I
Class I
Class I
Class I
Functional cloning
T.CLON
Unauthorized disclosure of assets
T.DIS_INFO
Class II
T.DIS_DEL
Class II
T.DIS_TOOLS
Class II
Class II
T.DIS_PHOTOMASK
Class II
Class II
T.DIS_TEST
Theft or unauthorized use of assets
T.T_DEL
Class II
T.T_SAMPLE
Class II
Class I/II Class I
T.T_PHOTOMASK
Class II
Class II
T.T_PRODUCT
Class I/II Class I
Class I
Class I
Class I
Unauthorized modification threats
T.MOD_DEL
Class II
T.MOD_SOFT
Class II
Class I/II Class I
Class I
Class I
Class I
T.MOD_DSOFT
Class II
Class I/II Class I
Class I
Class I
Class I
Class I
Class I
Class I
T.MOD_DESIGN
Class II
Class I/II Class I
T.MOD_PHOTOMASK
Class II
Class II
TPG0053A (24 Nov 04)
General Business Use
29 of 64
AT90SC6404RT Security Target Lite
3.4
Organizational Security Policies
83
An organizational security policy is mandatory for the smartcard product usage. The
specifications of organizational security policies essentially depend on the applications
in which the TOE is incorporated.
84
However, it was found relevant to address the following organizational security policy
with the TOE because most of the actual Smart Card secure applications make use of
cryptographic standards.
P.CRYPTO
Cryptographic entities, data authentication, and
approval functions must be in accordance with ISO,
associated industry, or organizational standards or
requirements.
Various cryptographic algorithms and mechanisms, such as
triple DES, AES, RSA, MACs, and Digital Signatures, are
accepted international standards. These, or others in
accordance with industry or organizational standards of
similar maturity and definition, should be used for all
cryptographic operations in the TOE.
These cryptographic operations are used for instance to
support establishment and control of a trusted channel
between the TOE and the outside environment.
To support these cryptographic functions, the TOE should
supply Random Number Generation (RNG) with sufficient
unpredictability and entropy. The TOE shall ensure that no
information about the produced random numbers is
available to an attacker since they might be used for
instance to generate cryptographic keys.
30 of 64
General Business Use
TPG0053A (24 Nov 04)
Security Objectives
Section 4
Security Objectives
85
The security objectives of the TOE cover principally the following aspects:
Integrity and confidentiality of assets
Protection of the TOE and associated documentation during development and
production phases
4.1
86
Security Objectives for the TOE
The TOE shall use state of art technology to achieve the following IT security
objectives:
O.TAMPER
The TOE must prevent physical tampering with its
security critical parts.
The TOE must provide protection against disclosure of User
data, against disclosure/reconstruction of the Smartcard
Embedded Software or against disclosure of other critical
operational information.
This includes protection against direct micro-probing of
signals not connected to bonding pads, but also other
contact or contactless probing techniques such as laser
probing or electromagnetic sensing. Most of these
techniques require a prior reverse engineering of parts of
the device to understand its architecture and its security
functions.
This also includes protection against inherent information
leakage (for example shape of signals, power consumption)
on the device external interfaces (for example clock, supply,
I/O lines) that could be used to disclose confidential data, as
well as forced information leakage caused by induced
malfunction or physical manipulation
TPG0053A (24 Nov 04)
General Business Use
31 of 64
AT90SC6404RT Security Target Lite
O.CLON
The TOE functionality needs to be protected from
cloning.
The TOE must include means to prevent an attacker from
reproducing the smartcard functionality. Most of these
techniques require a prior reverse engineering of parts of
the device to understand its architecture and its security
functions.
O.OPERATE
The TOE must ensure the continued correct operation
of its security functions.
The TOE must include protection against the use of stolen
silicon samples or products that would ease an attacker
gaining fraudulous access to the smartcard system.
The TOE must also provide mechanisms to avoid the
unauthorized modification of the security functions or
software and data, by using the device test commands for
instance, or by using uncontrolled/unauthentified software
access to memories.
The TOE must prevent its operation outside the normal
operating conditions where reliability and secure operation
has not been proven or tested. This is to prevent errors. The
environmental conditions may include voltage, clock
frequency, temperature, or external energy fields
O.FLAW
The TOE must not contain flaws in design,
implementation or operation.
The TOE design must include protection against
modification of its security mechanisms (for example
detectors or memory protections) that would lead to bypass
or reduce their integrity, and therefore open security holes
that could be used to access embedded software and data.
The TOE design must also provide protection against
modification of its embedded software that would lead to
bypass or reduce the integrity of some software controlled
security mechanisms (for example memory areas
definition), and therefore open security holes that could be
used to access embedded software and data.
O.DIS_MECHANISM
The TOE shall ensure that the hardware security
mechanisms are protected against unauthorized
disclosure.
The TOE must be designed and fabricated so that it requires
a high combination of complex equipment, knowledge, skill
and time to derive detailed designed information or other
information which could be used to compromise security
through physical attacks.
32 of 64
General Business Use
TPG0053A (24 Nov 04)
O.DIS_MEMORY
The TOE shall ensure that sensitive information stored
in memories is protected against unauthorized access.
The TOE must provide protection against unauthorized
access to embedded software and data stored in memories,
either using test commands, or by some embedded
software (for instance a non-supervisor user application)
that would try to dump the memories protected by the
Firewall programmation (for instance the supervisor
program and/or data), or even by some physical attacks.
O.MOD_MEMORY
The TOE shall ensure that sensitive information stored
in memories is protected against any corruption or
unauthorized modification.
The TOE must provide protection against unauthorized
access to embedded software and data stored in memories,
either using test commands, or by some embedded
software (for instance a non-supervisor user application)
that would try to modify the memories protected by the
Firewall programmation (for instance the supervisor
program and/or data), or even by some physical attacks.
O.CRYPTO
Cryptographic capability shall be available for users to
maintain integrity and confidentiality of sensitive data.
The TOE must provide hardware implementation of some
cryptographic algorithms that can be used by the embedded
software in conjunction with appropriate counter-measure to
achieve cryptographic operations (for instance encryption,
decryption, integrity checking, signature, key generation, for
algorithms such as DES, TDES, RSA, SHA-1, DSA, Elliptic
Curves, ...).
These cryptographic operations are used for instance to
support establishment and control of a trusted channel
between the TOE and the outside environment, or protect
confidential data stored in the TOE memories.
The TOE must also provide random number generation and
ensure the cryptographic quality of random number
generation. For example, random numbers shall not be
predictable and shall have a sufficient entropy.
The TOE must ensure that no information about the
produced random numbers is available to an attacker since
they might be used for instance to generate cryptographic
keys.
TPG0053A (24 Nov 04)
General Business Use
33 of 64
AT90SC6404RT Security Target Lite
4.2
4.2.1
Security Objectives for the Environment
Objectives on Phase 1
O.DEV_DIS
The smartcard IC designer must have procedures to control
the sales, distribution, storage and usage of the software and
hardware development tools and classified documents,
suitable to maintain the integrity and the confidentiality of the
assets of the TOE.
It must be ensured that:
34 of 64
Tools are only delivered to the parties authorized
personnel.
Confidential information such as data sheets and
general information on defined assets are only delivered
to the parties authorized personnel on the basis of
need-to-know.
O.SOFT_DLV
The smartcard embedded software must be delivered from
the smartcard embedded software developer (Phase 1) to
the IC designer through a trusted delivery and verification
procedure that shall be able to maintain the integrity of the
software and its confidentiality, if applicable.
O.SOFT_MECH
To achieve the level of security required by this Security
Target Lite, the smartcard embedded software shall use IC
security features and security mechanisms (for example,
sensors) as specified in the smartcard IC documentation
[TD].
O.DEV_TOOLS
The smartcard embedded software shall be designed in a
secure manner, by using exclusively software development
tools (compilers, assemblers, linkers, simulators etc.) and
software-hardware integration testing tools (emulators) that
will grant the integrity of program and data.
General Business Use
TPG0053A (24 Nov 04)
Security Objectives
4.2.2
Objectives on Phase 2 (Development Phase)
O.SOFT_ACS
Embedded software shall be accessible only by authorized
personnel within the IC designer on the basis of
need-to-know.
O.DESIGN_ACS
IC specifications, detailed design, IC databases,
schematics/layout or any further design information shall be
accessible only by authorized personnel within the IC
designer on the basis of need-to-know (physical, personnel,
organizational, technical procedures).
O.DSOFT_ACS
Any IC dedicated software specification, detailed design,
source code or any further information shall be accessible
only by authorized personnel within the IC designer on the
basis of need-to-know.
O.MASK_FAB
Physical, personnel, organizational, technical procedures
during photomask fabrication (including deliveries between
photomasks manufacturer and IC manufacturer) shall
ensure the integrity and confidentiality of the TOE.
O.MECH_ACS
Details of hardware security mechanisms shall be
accessible only by authorized personnel within the IC
designer on the basis of need-to-know.
O.TI_ACS
Security relevant technology information shall be accessible
only by authorized personnel within the IC designer on the
basis of need-to-know.
TPG0053A (24 Nov 04)
General Business Use
35 of 64
AT90SC6404RT Security Target Lite
4.2.3
Objectives on Phase 3 (Manufacturing Phase)
O.TOE_PRT
The manufacturing process shall ensure that protection of
the TOE from any kind of unauthorized use such as
tampering or theft.
During the IC manufacturing and test operations, security
procedures shall ensure the confidentiality and integrity of:
TOE manufacturing data (to prevent any possible copy,
modification, retention, theft or unauthorized use).
TOE security relevant test programs, test data,
databases and specific analysis methods and tools.
These procedures shall define a security system applicable
during the manufacturing and test operations to maintain
confidentiality and integrity of the TOE by control of:
O.IC_DLV
36 of 64
Packaging and storage.
Traceability.
Storage and protection of manufacturing process
specific assets (such as manufacturing process
documentation, further data, or samples)
Access control and audit to tests, analysis tools,
laboratories, and databases.
Change/modification in the manufacturing equipment,
management of rejects.
The delivery procedures from the IC manufacturer shall
maintain the integrity and confidentiality of the TOE and its
assets.
General Business Use
TPG0053A (24 Nov 04)
Security Objectives
4.2.4
Objectives on the TOE Delivery Process (Phases 4 to 7)
O.DLV_PROTECT
Procedures shall ensure protection of TOE material
(including sawn and unsawn wafers) and information under
delivery, including the following objectives:
Non-disclosure of any security relevant information.
Identification of the elements under delivery.
Meet confidentiality rules (confidentiality level,
transmittal form, reception acknowledgement).
Physical protection to prevent external damage.
Secure storage and handling procedures are
applicable for all TOEs (including rejected TOEs).
Traceability of TOE during delivery including the
following parameters:
Origin and shipment details.
Reception, reception acknowledgement.
Location material and information.
O.DLV_AUDIT
Procedures shall ensure that corrective actions are taken in
the event of improper operation in the delivery process
(including, if applicable any non-conformance to the
confidentiality convention) and highlight all non
conformance to this process.
O.DLV_RESP
Procedures shall ensure that people (shipping department,
carrier, reception department) dealing with the procedure for
delivery get the required skill, training and knowledge to
meet the procedure requirements, and to act in full
accordance with the above expectations.
4.2.5
Objectives on Phase 4 to 6
O.TEST_OPERATE
Appropriate functionality testing of the IC shall be used in
phases 4 to 6.
During all manufacturing and test operations, security
procedures shall be used through phases 4, 5, 6, to maintain
confidentiality and integrity of the TOE and of its
manufacturing and test data. This objective applies to both
sawn and unsawn wafers.
TPG0053A (24 Nov 04)
General Business Use
37 of 64
AT90SC6404RT Security Target Lite
4.2.6
38 of 64
Objectives on Phase 7
O.USE_DIAG
Secure communication protocols and procedures shall be
used between smartcard and terminal.
O.USE_SYS
The integrity and the confidentiality of sensitive data stored
or handled by the system (terminals, communications....)
shall be maintained.
General Business Use
TPG0053A (24 Nov 04)
TOE Security Functional Requirements
Section 5
TOE Security Functional Requirements
87
The TOE security functional requirements define the functional requirements for the
TOE using only functional requirements components drawn from the Common Criteria
part 2.
88
The minimum strength of function level for the TOE security requirements is SOF-high.
5.1
Functional Requirements Applicable to Phase 3 Only
(Testing Phase)
5.1.1
89
The TOE security functions shall require each user to be successfully authenticated
before allowing any other TOE security functions-mediated actions on behalf of that
user.
5.1.2
90
User Identification Before any Action (FIA_UID.2)
The TOE security functions shall require each user to identify itself before allowing any
other TOE security functions mediated actions on behalf of that user.
5.1.3
91
User Authentication Before any Action (FIA_UAU.2)
User Attribute Definition (FIA_ATD.1)
The TOE security functions shall maintain the following list of security attributes
belonging to individual users:
Test mode access right
Read AVR ROM access right
Write AVR ROM access right
Execute AVR ROM access right
Read EEPROM access right
Write EEPROM access right
Execute EEPROM access right
Read RAM access right
Write RAM access right
TPG0053A (24 Nov 04)
General Business Use
39 of 64
AT90SC6404RT Security Target Lite
Execute RAM access right
Read access right to peripherals and IO registers
Write access right to peripherals and IO registers
Execute access right to peripherals and IO registers
5.1.4
92
The TOE security functions shall:
Run a suite of self tests at the request of the authorized user to demonstrate the
correct operation of the TOE security functions.
Provide authorized users with the capability to verify the integrity of TOE security
functions data.
Provide authorized users with the capability to verify the integrity of stored TOE
security functions executable code.
5.1.5
93
40 of 64
TOE Security Functions Testing (FPT_TST.1)
Stored Data Integrity Monitoring (FDP_SDI.1)
The TOE security functions shall monitor user data stored within the TOE scope of
control for integrity errors on all objects, based on the following attributes:
Test signatures from AVR ROM
Test signatures from AVR RAM
Test signatures from EEPROM
General Business Use
TPG0053A (24 Nov 04)
5.2
Functional Requirements Applicable to Phases 3 to 7
5.2.1
Management of Security Functions Behaviour (FMT_MOF.1)
94
The TOE security functions shall restrict the ability to enable the functions available in
Test Mode to the Test Mode Entry (TME) administrator.
95
The TOE security functions shall restrict the ability to disable the functions available in
Test Mode to the Test Mode Entry (TME) administrator.
5.2.2
96
Management of Security Attributes (FMT_MSA.1)
The TOE security functions shall enforce the ACSF_Policy (Access Control Security
Functions Policy) and IFCSF_Policy (Information Flow Control Security Functions
Policy) to restrict the ability to access the security attributes to TME administrator and
Firewall supervisor/non-supervisor modes.
The ACSF_Policy is not described in this document. See Table 5-1 for further
information on the IFCSF_Policy.
Note
5.2.3
97
98
Security Roles (FMT_SMR.1)
The TOE security functions shall maintain the role of:
TME administrator
Firewall supervisor/non-supervisor modes
The TOE security functions shall be able to associate users with roles.
TPG0053A (24 Nov 04)
General Business Use
41 of 64
AT90SC6404RT Security Target Lite
5.2.4
Specification of Management Functions (FMT_SMF.1)
The TOE security functions shall be capable of performing the following security
management functions:
Control entry into and disabling of test mode, and entry into user mode.
Define the user modes, (Firewall supervisor/non-supervisor modes) address
space parameters. Which controls the software access between each program
user regions, but also between the program user and the data user regions.
5.2.5
99
The TOE security functions shall:
Enforce the ACSF_Policy and IFCSF_Policy to provide restrictive default values
for security attributes that are used to enforce the security functions policy
Allow the TME administrator to specify alternate initial values to override the
default values when an object or information is created
5.2.6
100
101
42 of 64
Complete Access Control (FDP_ACC.2)
The TOE security functions shall enforce the ACSF_Policy on:
TME administrator, Firewall supervisor, non-supervisor modes.
AVR ROM, EEPROM, RAM, peripheral and IO registers.
And all operations among subjects and objects covered by the security functions
policy.
The TOE security functions shall ensure that all operations between any subject in the
TOE scope of control and any object within the TOE scope of control are covered by an
access control security functions policy.
5.2.7
102
Static Attribute Initialization (FMT_MSA.3)
Security Attribute Based Access Control (FDP_ACF.1)
The TOE security functions shall enforce the ACSF_Policy to objects based on:
Read AVR ROM access right
Write AVR ROM access right
Execute AVR ROM access right
Read EEPROM access right
Write EEPROM access right
Execute EEPROM access right
Read RAM access right
Write RAM access right
General Business Use
TPG0053A (24 Nov 04)
TOE Security Functional Requirements
Execute RAM access right
Read peripheral and IO registers access right
Write peripheral and IO registers access right
Execute peripheral and IO registers access right
103
The TOE security functions shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed.
104
Firewall rules, that are not disclosed in this ST-Lite document.
105
The TOE security functions shall explicitly authorize access of subjects to objects
based on the following additional rules: no additional rules.
TPG0053A (24 Nov 04)
General Business Use
43 of 64
AT90SC6404RT Security Target Lite
5.2.8
106
Subset Information Flow Control (FDP_IFC.1)
The TOE security functions will enforce the IFCSF_Policy on TME administrator, test
commands and test operations that cause controlled information to flow between the:
AVR ROM and the Test Mode Entry administrator
EEPROM and the Test Mode Entry administrator
RAM and the Test Mode Entry administrator
Peripheral and IO registers and the Test Mode administrator
5.2.9
Simple Security Attributes (FDP_IFF.1)
107
The TOE security functions shall enforce the IFCSF_Policy based on the following
types of subject and information security attributes: test command syntax.
108
The TOE security functions will:
Permit an information flow between a controlled subject and controlled information
via a controlled operation if the following rules hold: test command syntax rules.
Provide no additional information flow control security functions policy rules.
Enforce no additional security functions policy capabilities.
109
The TOE security functions shall explicitly authorize an information flow based on the
following rules:
110
Test command syntax rules, based on test command syntax, that explicitly authorize
information flows between TME administrator and:
AVR ROM
EEPROM
RAM
Peripheral and IO registers
111
The TOE security functions shall explicitly deny an information flow based on the
following rules:
112
Test command syntax rules, based on test command syntax, that explicitly deny
information flows between TME administrator and:
44 of 64
AVR ROM
EEPROM
RAM
Peripheral and IO registers
General Business Use
TPG0053A (24 Nov 04)
TOE Security Functional Requirements
IFCSF-Policy
Table 5-1
IFCSF-Policy
Rules
Test command syntax rules
Attribute
Test command syntax
TME Administrator
Data flow (1)
(1)
5.2.10
All information about possible data flow and Test command
syntax can be found in [STI], [ROMA], [RE2D] and [TMRE2].
Potential Violation Analysis (FAU_SAA.1)
113
The TOE Security Functions shall be able to apply a set of rules in monitoring the
audited events and based upon these rules indicate a potential violation of the TOE
Security Policy.
114
The TOE security functions shall enforce the following rules for monitoring audited
events:
a) Accumulation or combination of abnormal environmental conditions (Supply
voltage, clock input frequency, temperature, UV light) known to indicate a potential
security violation,
b) Accumulation or combination of physical tampering (Micro-probing, critical FIB
modification) known to indicate a potential security violation,
c) Accumulation or combination of Firewall violations (user trying to illegally access
controlled memories or objects, user trying to execute illegal opcodes) known to
indicate a potential security violation.
d) Accumulation of watchdog violations known to indicate a potential security
violation.
e) No other rules.
5.2.11
115
Unobservability (FPR_UNO.1)
The TOE security functions shall ensure that any users are unable to observe the
operation of TOE internal activity on TOE objects by authorized users or subjects.
TPG0053A (24 Nov 04)
General Business Use
45 of 64
AT90SC6404RT Security Target Lite
5.2.12
116
117
The TOE security functions shall:
Provide unambiguous detection of physical tampering that might compromise the
TOE security functions.
Provide the capability to determine whether physical tampering with the TOE
security functions’s devices or TOE security functions’s elements has occurred.
For values of voltage, clock input frequency, temperature and UV light which go outside
acceptable bounds, for micro-probing and critical FIB modification, for Firewall rules
violations (including illegal opcodes), and for watchdog violations, the TOE security
functions shall monitor the devices and elements and notify the supervisor mode when
physical tampering with the TOE security functions’ devices or TOE security functions’
elements has occurred.
5.2.13
118
46 of 64
Resistance to Physical Attack (FPT_PHP.3)
The TOE security functions shall resist tampering of voltage, clock input frequency,
temperature, UV light, micro-probing, critical FIB modification, Firewall rules violations
(including illegal opcodes), and watchdog violations to the TOE and its security
functions by responding automatically such that the TOE security policy is not violated.
5.2.14
119
Notification of Physical Attack (FPT_PHP.2)
Cryptographic Operation (FCS_COP.1)
The TSF shall perform hardware data encryption and decryption in accordance with
the:
DES cryptographic algorithm using 56-bit cryptographic key sizes that meets the
Data Encryption Standard (DES), FIPS PUB 46-3, 25th October, 1999.
Triple Data Encryption Standard (TDES) cryptographic algorithm using 112-bit
cryptographic key sizes that meets the E-D-E two-key triple-encryption
implementation of the Data Encryption Standard, FIPS PUB 46-3, 25th October,
1999.
General Business Use
TPG0053A (24 Nov 04)
TOE Security Functional Requirements
5.3
TOE Security Assurance Requirements
120
The assurance requirement is EAL4 augmented of additional assurance components
listed in the following sections.
121
Some of these components are hierarchical ones to the components specified in EAL4.
122
All the components are drawn from Common Criteria Part 3, V2.1.
5.3.1
ADV_IMP.2 Implementation of the TSF
Developer actions elements
123
The developer shall provide the implementation representation for the entire TOE
security functions.
Content and presentation of evidence elements
124
The implementation representation shall:
Unambiguously define the TOE security functions to a level of detail such that the
TOE security functions can be generated without further design decisions
Be internally consistent
Describe the relationships between all portions of the implementation
Evaluator actions elements
125
The evaluator shall:
Confirm that the information provided meets all requirements for content and
presentation of evidence.
Determine that the implementation representation is an accurate and complete
instantiation of the TOE security functional requirements.
TPG0053A (24 Nov 04)
General Business Use
47 of 64
AT90SC6404RT Security Target Lite
5.3.2
ALC_DVS.2 Sufficiency of Security Measures
Developer actions elements
126
The developer shall produce development security documentation.
Content and presentation of evidence elements
127
128
The development security documentation shall:
Describe all the physical, procedural, personnel, and other security measures that
are necessary to protect the confidentiality and integrity of the TOE design and
implementation in its development environment.
Provide evidence that these security measures are followed during the
development and maintenance of the TOE.
The evidence shall justify that the security measures provide the necessary level of
protection to maintain the confidentiality and integrity of the TOE.
Evaluator actions elements
129
48 of 64
The evaluator shall confirm that the:
Information provided meets all requirements for content and presentation of
evidence
Security measures are being applied
General Business Use
TPG0053A (24 Nov 04)
TOE Security Functional Requirements
5.3.3
AVA_VLA.4 Highly Resistant
Developer actions elements
130
The developer shall:
Perform a vulnerability analysis
Provide vulnerability analysis documentation
Content and presentation of evidence elements
131
The vulnerability analysis documentation shall:
describe the analysis of the TOE deliverables performed to search for ways in
which a user can violate the TSP.
describe the disposition of identified vulnerabilities.
show, for all identified vulnerabilities, that the vulnerability cannot be exploited in
the intended environment for the TOE.
justify that the TOE, with the identified vulnerabilities, is resistant to obvious
penetration attacks.
show that the search for vulnerabilities is systematic.
provide a justification that the analysis completely addresses the TOE
deliverables.
Evaluator actions elements
132
The evaluator shall:
Confirm that the information provided meets all requirements for content and
presentation of evidence
Conduct penetration testing, building on the developer vulnerability analysis, to
ensure the identified vulnerabilities have been addressed.
Perform independent vulnerability analysis
Perform independent penetration testing, based on the independent vulnerability
analysis, to determine the exploitability of additional identified vulnerabilities in the
intended environment.
Determine that the TOE is resistant to penetration attacks performed by an
attacker possessing a high attack potential.
TPG0053A (24 Nov 04)
General Business Use
49 of 64
AT90SC6404RT Security Target Lite
50 of 64
General Business Use
TPG0053A (24 Nov 04)
TOE Summary Specification
Section 6
TOE Summary Specification
133
This section defines the TOE security functions, and Figure 6-1 on page 56 specifies
how they satisfy the TOE security functional requirements.
6.1
6.1.1
TOE Security Functions
Test Mode Entry (SF1)
134
SF1 shall ensure that only authorized users will be permitted to enter Test Mode. This
is provided by Test Mode Entry conditions that are required to enable the TOE to enter
Test Mode.
135
All test entry requirements occur while the TOE is held in reset and failure in any one
will prevent Test Mode Entry. It is required that the TOE satisfies the test entry
conditions during any internal reset condition.
136
It is not possible to move from User Mode to Test Mode. Any attempt to do this, for
example, by forcing internal nodes will be detected and the security functions will
disable the ability to enter Test Mode.
137
The Strength of Function claimed for the Test Mode Entry security function is high.
TPG0053A (24 Nov 04)
General Business Use
51 of 64
AT90SC6404RT Security Target Lite
6.1.2
Protected Test Memory Access (SF2)
138
SF2 shall ensure that, although authenticated users can have access to memories
using commands in test mode, they cannot access directly their contents.
139
Only authorized design and production engineers running test on the TOE have access
to the TME conditions.
140
The Strength of Function claimed for the Protected Test Memory Access security
function is high.
6.1.3
141
Test Mode Disable (SF3)
SF3 shall make provision for wafer sawing which, once done, shall ensure that none of
the test features are available, not even to authenticated users in test mode.
6.1.4
TOE Testing (SF4)
142
SF4 shall provide embedded hardware test circuitry with high fault coverage to prevent
faulty devices being released in the field. Devices with manufacturing problems (short
circuits, open nets, ...) could lead to a poor level of security by disabling some security
functions.
143
Testing of security functions is dependent on a fault free and fully functional TOE. The
RAM, ROM, and standard cell logic (including the MCU) is tested by functional tests
under the control of the test interface circuit. EEPROM is tested through the test
interface circuit by external stimulus. CPU to EEPROM data flow will also be tested by
functional tests, run from the EEPROM, using test software loaded under the control of
the test interface circuit.
144
To conform with ISO 7816 standards the TOE embedded software will always return an
Answer-To-Reset command via the serial I/O port. This contains messages with
information on the integrity and identification of the device. An ATR also verifies
significant portions of device hardware (CPU, ROM, EEPROM and logic).
6.1.5
Data Error Detection (SF5)
145
SF5 shall provide means for performing data error detection.
146
Means of performing checksum error detection and parity error detection is provided.
The 32-bit Checksum Accelerator or the CRC-16 hardware peripheral can be used by
the embedded software to compute fast data error detection on the program and/or
data memories before starting any operation.
52 of 64
General Business Use
TPG0053A (24 Nov 04)
TOE Summary Specification
6.1.6
147
FireWall (SF6)
SF6 shall enforce access control based on the FireWall rules as defined in the
ACSF_Policy.
Memory protection
148
The FireWall defines different modes to execute embedded software (supervisor/nonsupervisor).
149
The different modes provide restricted access privilege to the memories, and to the
MCU peripheral registers. In case of illegal accesses performed by the embedded
software, a security action is invoked.
Illegal address
150
If an illegal address is accessed, then a security action is invoked.
Illegal opcode
151
If an attempt is made to execute any opcode that is not implemented in the instruction
set, a security action is invoked.
6.1.7
Event Audit (SF7)
152
The TOE shall provide an Event Audit security function (SF7) to enforce the following
rules for monitoring audited events.
153
Accumulation or combination of the following auditable events would indicate a
potential security violation.
1. The external voltage supply goes outside acceptable bounds.
2. The external clock signal goes outside acceptable bounds.
3. The ambient temperature goes outside acceptable bounds.
4. Application program abnormal runaway.
5. Attempts to physically probe the device.
6. Attempts to gain illegal access to reserved RAM memory locations.
7. Attempts to gain illegal access to reserved EEPROM memory locations.
8. Attempts to gain illegal access to reserved peripheral or IO register locations.
9. Attempts to execute instruction to read the program memory from the nonsupervisor program location.
10. Attempts to move the RAM stack to an illegal RAM memory location.
TPG0053A (24 Nov 04)
General Business Use
53 of 64
AT90SC6404RT Security Target Lite
11. Attempts to execute an AVR opcode that is not implemented.
12. Attempts to illegally write access the device’s EEPROM.
13. Attempts to gain illegal access to supervisor modes.
14. The exposure to UV light goes outside acceptable bounds.
154
The Strength of Function claimed for the Event audit security function is high.
6.1.8
155
156
SF8 shall provide an Event Action security function to register occurrences of audited
events and take appropriate action. Detection of such occurrences will cause an
information flag to be set, and may cause one of the following to occur if warranted by
the violation:
Memory wiping actions
Different levels of immediate resets
Different levels of security interrupt
Event Action depends on the type of Event (see [TD] for more information).
6.1.9
157
Event Action (SF8)
Unobservability (SF9)
SF9 shall ensure that users/third parties will have difficulty observing the following
operations on the TOE by the described means.
1. Extracting information, relating to any specific resource or service being used, by
monitoring power consumption
2. Extracting information, relating to any specific resource or service being used, by
carrying out timing analyses on cryptographic functions
3. Extracting information, relating to any specific resource or service being used, by
using mechanical, electrical or optical means, in order to examine the topology of
the TOE, including address and data buses and regular structures
158
54 of 64
The Strength of Function claimed for the Unobservability security function is high.
General Business Use
TPG0053A (24 Nov 04)
TOE Summary Specification
6.1.10
159
Cryptography (SF10)
The TSF shall provide:
A cryptographic algorithm to be able to transmit and receive objects in a manner
protected from data retrieval or modification.
Hardware DES, TDES data encryption/decryption capability.
160
Those may be used by the smartcard embedded software to support data encryption
and decryption for maintaining data integrity, and protect against sensitive data
unauthorized disclosure.
161
The TSF shall provide a Random Number Generator (RNG) to support security
operations performed by cryptographic applications. This RNG shall not be predictable,
have sufficient entropy, and not leaking information related to the value of the
generated random numbers as this leakage could be used to retrieve cryptographic
keys for instance.
162
The Strength of Function claimed for the cryptography security function is high.
163
An assessment of the strength of the following algorithms does not form part of the
evaluation:
DES algorithm
TDES algorithm
6.1.11
Security Functions Based on Permutations/combinations
164
The description of security functions using permutation and/or combination properties
is not disclosed in this document.
165
Further details on these mechanisms and on the Strength of Function Analysis
performed by ATMEL can be found in [SOF].
TPG0053A (24 Nov 04)
General Business Use
55 of 64
AT90SC6404RT Security Target Lite
Table 6-1
Relationship Between Security Requirements and Security Functions
56 of 64
Test Mode Disable
TOE Testing
Data Error Detection
FireWall
Event Audit
Event Action
Unobservability
SF3
SF4
SF5
SF6
SF7
SF8
SF9
x
O1
x
FIA_UID.2
O2
x
FIA_ATD.1
O3
x
FPT_TST.1
O4
x
x
x
FDP_SDI.1
O5
FMT_MOF.1
O6
x
FMT_MSA.1
O7
x
FMT_SMR.1
O8
x
x
x
FMT_SMF.1
O9
x
x
x
FMT_MSA.3
O10
x
x
x
FDP_ACC.2
O11
x
x
FDP_ACF.1
O12
x
x
FDP_IFC.1
O13
x
x
FDP_IFF.1
O14
x
x
FAU_SAA.1
O15
FPR_UNO.1
O16
FPT_PHP.2
O17
x
x
FPT_PHP.3
O18
x
x
FCS_COP.1
O19
General Business Use
Cryptography
Protected Test Memory Access
SF2
x
FIA_UAU.2
SF10
Test Mode Entry
Security
Requirement
SF1
Security Functions
x
x
x
x
x
x
x
x
x
x
x
x
TPG0053A (24 Nov 04)
6.2
166
This section defines the TOE assurance measures and Figure 6-2 on page 59 specifies
how they satisfy the TOE security assurance requirements.
6.2.1
167
Life Cycle Support (SA6)
SA6 shall provide the “AT90SC6404RT CC Life Cycle Support (ALC)” interface
document plus its references.
6.2.7
173
Guidance (SA5)
SA5 shall provide the “AT90SC6404RT CC Guidance (AGD)” interface document plus
its references.
6.2.6
172
Development Activity (SA4)
SA4 shall provide the “AT90SC6404RT CC Development Activity (ADV)” interface
document plus its references.
6.2.5
171
Delivery and Operation (SA3)
SA3 shall provide the “AT90SC6404RT CC Delivery and Operation (ADO)” interface
document plus its references.
6.2.4
170
Configuration Management (SA2)
SA2 shall provide the “AT90SC6404RT CC Configuration Management (ACM)”
interface document plus its references.
6.2.3
169
Security Target (SA1)
SA1 shall provide the “AT90SC6404RT Security Target” document plus its references.
6.2.2
168
TOE Assurance Measures
Test Activity (SA7)
SA7 shall provide the “AT90SC6404RT CC Test Activity (ATE)” interface document
plus its references, and undertaking of testing described therein.
TPG0053A (24 Nov 04)
General Business Use
57 of 64
AT90SC6404RT Security Target Lite
6.2.8
174
SA8 shall provide the “AT90SC6404RT CC Vulnerability Assessment (AVA)” interface
document plus its references, and undertaking of vulnerability assessment described
therein.
6.2.9
175
58 of 64
Manufacturing Site (SA12)
SA12 shall provide access to the manufacturing site.
6.2.13
179
Test Site (SA11)
SA11 shall provide access to the test sites.
6.2.12
178
Development Site (SA10)
SA10 shall provide access to the development site.
6.2.11
177
Smart Card Devices (SA9)
SA9 shall provide functional AT90SC6404RT smart card devices.
6.2.10
176
Vulnerability Assessment (SA8)
Sub-contractor Sites (SA13)
SA13 shall provide access to the sub-contractor sites.
General Business Use
TPG0053A (24 Nov 04)
TOE Summary Specification
Sub-contractor Site
Smartcard Devices
SA9
SA13
Vulnerability assessment
SA8
Manufacturing Site
Test Activity
SA7
SA12
Life Cycle Support
SA6
Test Sites
Guidance
SA5
SA11
Development Activity
SA4
Development Site
Delivery and Operation
SA3
ACM_AUT.1
x
x
x
x
x
ACM_CAP.4
x
x
x
x
x
ACM_SCP.2
x
x
x
x
x
ASE_xxx
SA1
SA10
Configuration Management
Assurance
Requirement
SA2
Relationship Between Assurance Requirements and Measures
Security Target
Table 6-2
x
ADO_DEL.2
x
x
x
x
x
ADO_IGS.1
x
x
x
x
x
ADV_FSP.2
x
ADV_HLD.2
x
ADV_IMP.2
x
ADV_LLD.1
x
ADV_RCR.1
x
ADV_SPM.1
x
AGD_ADM.1
x
AGD_USR.1
x
ALC_DVS.2
x
x
x
x
x
ALC_LCD.1
x
x
x
x
x
ALC_TAT.1
x
x
x
x
x
ATE_COV.2
x
x
x
ATE_DPT.1
x
x
x
ATE_FUN.1
x
x
x
ATE_IND.2
x
x
x
AVA_MSU.2
x
x
AVA_SOF.1
x
x
AVA_VLA.4
x
x
TPG0053A (24 Nov 04)
General Business Use
59 of 64
AT90SC6404RT Security Target Lite
60 of 64
General Business Use
TPG0053A (24 Nov 04)
Protection Profile Claims
Section 7
Protection Profile Claims
7.1
180
This Security Target Lite is compliant with CC Smartcard Integrated Circuit Protection
Profile PP/9806, Version 2.0, Issue September 1998, and has been registered at the
French Certification Body.
7.2
181
Protection Profile Reference
Protection Profile Refinements
Refinements to assumptions A.DLV_PROTECT, A.USE_PROD and objectives
O.DLV_PROTECT, O.TEST_OPERATE relate to unsawn wafers and corresponding
procedures and guidance.
7.3
7.3.1
Protection Profile Additions
Cryptographic Capability
182
In addition to conforming to PP/9806, this Security Target Lite specifies an additional
Organizational Security Policy P.CRYPTO in Section 3.4, and an additional Security
Objective O.CRYPTO in Section 4.1.
183
The CC security functional requirement to meet this Organizational Security Policy is
Cryptographic Operation (FCS_COP.1) , which is specified in Section 5.
184
The security function to satisfy the FCS_COP.1 requirements is SF10 and is specified
in Section 6.
7.3.2
Specification of Security Management Functions
This is an addition to the Security Management Class (FMT).
The security functions that satisfy the FMT_SMF.1 requirements are SF1, SF3, and
SF6. These security functions are described in Section 6.
TPG0053A (24 Nov 04)
General Business Use
61 of 64
AT90SC6404RT Security Target Lite
Appendix A
Glossary
A.1
Terms
Control Bytes
Reserved bytes of EEPROM which can be
programmed with traceability information.
CRC-16
Algorithm used to compute powerful checksum on
memory blocks
HASH
Transformation of a string of characters into a usually
shorter fixed length value or key that represents the
original string.
IC Dedicated Software
IC Proprietary software which is required for testing
purposes and to implement special functions. For
AT90SC6404RT this includes the embedded test
software and additional test programmes which are
run from outside of the IC.
The Crypto libraries also form part of the IC dedicated
software.
62 of 64
IC Designer
Institution (or its agent) responsible for the IC
Development. Atmel is the institution in respect of the
TOE.
IC Manufacturer
Institution (or its agent) responsible for the IC
manufacturing, testing and pre-personalization. Atmel
is the institution in respect of the TOE.
IC Packaging
Manufacturer
Institution (or its agent) responsible for the IC
packaging and testing.
IC Pre-personalization
Data
Required information to enable the smartcard IC to be
configured by means of ROM options and to enable
programming of the EEPROM with customer specified
data.
Integrated Circuit (IC)
Electronic component(s) designed to perform
processing and/or memory functions.
General Business Use
TPG0053A (24 Nov 04)
Glossary
Personalizer
Institution (or its agent) responsible for the smartcard
personalization and final testing.
Smartcard
A credit sized plastic card which has a non volatile
memory and a processing unit embedded within it.
Smartcard Embedded
Software
Software embedded in the smartcard application
(smartcard application software). This software is
provided by smartcard embedded software developer
(customer). Embedded software may be in any part of
User ROM or EEPROM.
Smartcard Embedded software is not applicable in the
case of the TOE since it is a hardware evaluation only.
Smartcard Embedded
Software Developer
Institution (or its agent) responsible for the smartcard
embedded software development and the
specification of pre-personalization requirements.
Smartcard Issuer
Institution (or its agent) responsible for the smartcard
product delivery to the smartcard end-user.
Smartcard Product
Manufacturer
Institution (or its agent) responsible for the smartcard
product finishing process and testing.
UNIX
Interactive Time Sharing Operating System.
TPG0053A (24 Nov 04)
General Business Use
63 of 64
AT90SC6404RT Security Target Lite
A.2
64 of 64
Abbreviations
ACSF
Access Control Security Functions
AVR
8-bit RISC processor developed and produced by Atmel
CC
Common Criteria
CPU
Central Processing Unit
CRC
Cyclic Redundancy Check
DES
Data Encryption Standard
DPA
Differential Power Analysis
EEPROM
Electrically Erasable Programmable ROM
EKB
East Kilbride
HCMOS
High Speed Complementary Metal Oxide Semiconductor
I/O
Input/Output
IC
Integrated Circuit
IFCSF
Information Flow Control Security Functions
ISO
International Standards Organization
LFSR
Linear Feedback Shift Register
MAC
Master Authentication Key
MCU
Microcontroller
NTS
North Tyneside
NVM
Non Volatile Memory
OTP
One Time Programmable
PP
Protection Profile
RAM
Random-Access Memory
RFO
Rousset France Operations
RISC
Reduced Instruction Set Core
RNG
Random Number Generator
ROM
Read-Only Memory
SPA
Simple Power Analysis
TD
Technical Data
TME
Test Mode Entry
TOE
Target of Evaluation
VFO
Variable Frequency Oscillator
General Business Use
TPG0053A (24 Nov 04)
General Business Use
Atmel Corporation
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 487-2600
Regional Headquarters
Europe
Atmel Sarl
Route des Arsenaux 41
Case Postale 80
CH-1705 Fribourg
Switzerland
Tel: (41) 26-426-5555
Fax: (41) 26-426-5500
Asia
Room 1219
Chinachem Golden Plaza
77 Mody Road Tsimshatsui
East Kowloon
Hong Kong
Tel: (852) 2721-9778
Fax: (852) 2722-1369
Japan
9F, Tonetsu Shinkawa Bldg.
1-24-8 Shinkawa
Chuo-ku, Tokyo 104-0033
Japan
Tel: (81) 3-3523-3551
Fax: (81) 3-3523-7581
Atmel Operations
Memory
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 436-4314
RF/Automotive
Theresienstrasse 2
Postfach 3535
74025 Heilbronn, Germany
Tel: (49) 71-31-67-0
Fax: (49) 71-31-67-2340
Microcontrollers
2325 Orchard Parkway
San Jose, CA 95131, USA
Tel: 1(408) 441-0311
Fax: 1(408) 436-4314
La Chantrerie
BP 70602
44306 Nantes Cedex 3, France
Tel: (33) 2-40-18-18-18
Fax: (33) 2-40-18-19-60
ASIC/ASSP/Smart Cards
1150 East Cheyenne Mtn. Blvd.
Colorado Springs, CO 80906, USA
Tel: 1(719) 576-3300
Fax: 1(719) 540-1759
Biometrics/Imaging/Hi-Rel MPU/
High Speed Converters/RF Datacom
Avenue de Rochepleine
BP 123
38521 Saint-Egreve Cedex, France
Tel: (33) 4-76-58-30-00
Fax: (33) 4-76-58-34-80
Zone Industrielle
13106 Rousset Cedex, France
Tel: (33) 4-42-53-60-00
Fax: (33) 4-42-53-60-01
1150 East Cheyenne Mtn. Blvd.
Colorado Springs, CO 80906, USA
Tel: 1(719) 576-3300
Fax: 1(719) 540-1759
Scottish Enterprise Technology Park
Maxwell Building
East Kilbride G75 0QR, Scotland
Tel: (44) 1355-803-000
Fax: (44) 1355-242-743
Literature Requests
www.atmel.com/literature
Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any
intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL’S TERMS AND CONDITIONS OF SALE LOCATED ON ATMEL’S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY
WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT
OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Atmel makes no
representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications
and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided
otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’s products are not intended, authorized, or warranted for use
as components in applications intended to support or sustain life.
© Atmel Corporation 2004. All rights reserved. Atmel®, logo and combinations thereof, Everywhere You Are ® and others, are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others.
Printed on recycled paper.
TPG0053A–SMIC–24Nov04