Common Criteria Evaluation Process
Practical guide to obtaining Common Criteria certification for smart card products: protection profiles, evaluation steps, and timelines.
Common Criteria (CC), formally ISO/IEC 15408, is the international framework for evaluating the security of IT products and systems. For smart card chips, operating systems, and applets, CC evaluation provides independent assurance that a product meets its claimed security functions under adversarial conditions. The resulting Common Criteria certificate is recognised by 31 member nations under the CCRA (Common Criteria Recognition Arrangement).
Use the EAL Comparator to compare assurance levels and understand what each level means for procurement and certification requirements.
Evaluation Assurance Levels (EAL1–7)
The EAL scale describes the rigor of the evaluation, not the strength of the security functions:
| EAL | Name | Description | Typical Use |
|---|---|---|---|
| EAL1 | Functionally tested | Vendor testing, basic documentation | Low-assurance commercial |
| EAL2 | Structurally tested | Vulnerability analysis, independent testing | Simple network devices |
| EAL3 | Methodically tested and checked | Development environment controls | Access control devices |
| EAL4 | Methodically designed, tested and reviewed | Full design documentation, penetration testing | Bank cards, passports |
| EAL5 | Semiformally designed and tested | Formal security policy model | Smart card OSes, HSMs |
| EAL6 | Semiformally verified design and tested | Structured representation, flaw remediation | High-security chips |
| EAL7 | Formally verified design and tested | Full formal verification | Military/classified systems |
Smart card chips routinely target EAL5+ (augmented). JavaCard and MULTOS operating systems typically achieve EAL4+ to EAL5+. The "+" suffix indicates augmentation with components from a higher level (e.g., AVA_VAN.5 vulnerability analysis).
Protection Profiles and Security Targets
Two key documents anchor every CC evaluation:
Protection Profile (PP): A template defining security requirements for a class of products (e.g., "Java Card System" PP, "Security IC Platform" PP). PPs are developed by communities (e.g., BSI, ANSSI) and allow purchasers to specify minimum requirements without naming a specific product.
Security Target (ST): The vendor's product-specific document that maps the product's security functions to PP requirements or defines them independently. The ST is the evaluation's primary reference.
| Document | Author | Purpose |
|---|---|---|
| Protection Profile (PP) | Community / certifying body | Generic requirements for product category |
| Security Target (ST) | Vendor | Product-specific claims against PP or custom TOE |
| Evaluation Technical Report (ETR) | Lab | Lab's findings, methodology, results |
| Certification Report | Certifying body | Public summary of evaluation outcome |
The Protection Profile for smart cards is maintained jointly by the Smart Card Security Users Group (SCSG) and national bodies.
Evaluation Laboratories and Certifying Bodies
| Country | Certifying Body | Scheme Name |
|---|---|---|
| Germany | BSI | CC Evaluation Scheme |
| France | ANSSI | CSPN / CC Scheme |
| USA | NIAP | CCEVS |
| UK | NCSC | UKCA |
| Netherlands | NLNCSA | NSCIB |
| Japan | IPA | JISEC |
Laboratories must be licensed by the national certifying body. For smart card hardware evaluations, laboratories with specific smart card expertise (e.g., TÜV Informationstechnik, Brightsight, Serma Technologies) handle the embedded hardware penetration testing.
The completed evaluation produces a certificate listed on the Common Criteria Portal — the authoritative public registry.
Evaluation Timeline and Cost
| Phase | Duration | Notes |
|---|---|---|
| Vendor preparation (ST, design docs, test cases) | 3–9 months | Longest phase for first-time vendors |
| Laboratory contract and kick-off | 1–2 months | Includes NDA, price negotiation |
| Laboratory evaluation | 6–18 months | Scales with EAL and product complexity |
| Certifying body review | 1–3 months | BSI typically faster than NIAP queue |
| Certificate issuance | 1 month | Public listing on CC portal |
| Total (EAL4+) | 12–24 months | |
| Total (EAL5+) | 18–36 months | |
Laboratory fees for a smart card chip evaluation at EAL5+ typically range from €300,000 to €800,000 depending on complexity and augmentation requirements.
Vulnerability Assessment (AVA_VAN)
The AVA_VAN component is the heart of smart card CC evaluation. It rates the lab's penetration testing effort:
| AVA_VAN Level | Attack Potential Required | Typical EAL |
|---|---|---|
| AVA_VAN.2 | Low | EAL2 |
| AVA_VAN.3 | Moderate | EAL3 |
| AVA_VAN.4 | High | EAL4+ |
| AVA_VAN.5 | Beyond High | EAL5+, EAL6+ |
AVA_VAN.5 requires the lab to attempt side-channel attacks (SPA/DPA), fault injection, and invasive probing under conditions that a sophisticated attacker with chip lab equipment could mount.
See the FIPS 140 Guide for the parallel U.S. cryptographic module validation framework, and the PCI PTS Guide for payment terminal certification requirements.
Frequently Asked Questions
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.