Common Criteria

Common Criteria

Common Criteria (CC) is an international framework for evaluating the security of IT products, standardized as ISO/IEC 15408 and ISO/IEC 18045. It provides a structured methodology for defining security requirements, implementing security functions, and having an independent laboratory verify that the product meets those requirements. In the smart card industry, Common Criteria certification is a prerequisite for deploying cards in government identity, payment, and telecom applications.

Evaluation Process

A Common Criteria evaluation involves three parties:

1. Sponsor/Developer — the smart card vendor who submits the product for evaluation
2. ITSEF — an accredited IT Security Evaluation Facility that performs the technical assessment
3. Certification Body — a national authority (BSI in Germany, ANSSI in France, NIAP in the US) that validates the evaluation results and issues the certificate

The developer writes a Security Target (ST) document describing the product's security claims. The ST references a Protection Profile (PP) that defines the baseline requirements for the product category. The ITSEF evaluates the product against the ST at the requested EAL level.

EAL Levels in Smart Cards

The "+" suffix indicates augmentation with additional assurance components beyond the base EAL, typically AVA_VAN.5 (vulnerability analysis) for smart card chips.

Smart Card Protection Profiles

The smart card industry uses well-known Protection Profiles maintained by certification bodies:

• BSI-PP-0084 — Security IC Platform (chip hardware)
• BSI-PP-0075 — JavaCard System (OS + runtime)
• PP-0035 — UICC/SIM platform
• BSI-PP-0056 — ePassport application

These profiles define mandatory security functional requirements including cryptographic key management, access control, and resistance to side-channel attacks and fault injection. Mutual recognition agreements (CCRA and SOGIS-MRA) allow certificates issued in one country to be accepted in other member nations.