TACHOGRAPH CARD ISSUING GROUP SWG 3

European Digital tachograph Common

Security Guideline

Version 1.0

5 November 2002

European Digital Tachograph Common Security Guideline – v1.0p 1 / 63

Contents

1. Introduction
1.1 Background
1.2 Scope
1.3 Document content
1.4 Origin of the document
1.5 Holder of the document
1.6 Revision
1.7 Abbreviations
1.8 Definitions
1.9 References
2. Tachograph system security requirements
3. Tachograph system security architecture
3.1 Tachograph system entities definition and role
3.2 Sensitive information and communication between entities
4. General security principle
4.1 Security policy application field
4.1.1 European level
4.1.2 Member State level
4.2 Security organisation
4.3 Sensitive assets classification
4.3.1 Sensitive assets identification
4.3.2 Sensitive assets exchange
4.4 Compliance
4.4.1 Compliance with regulation
4.4.2 Security review of IT systems
5. Security policy for each entity of the system
5.1 Security policy for ERCA
5.1.1 Specific security requirements
5.1.2 Role of ERCA
5.1.3 Communication between ERCA and the other entities
5.1.4 Recommendations framework
5.2 Security policy for MSCA
5.2.1 Specific security requirements
5.2.2 Role of MSCA
5.2.3 Communication between MSCA and the other entities
5.2.4 Recommendations framework
5.3 Security policy for Card Manufacturers
5.3.1 Specific security requirements
5.3.2 Role of Card Manufacturers
5.3.3 Communication between Card Manufacturers and the other entities
5.3.4 Recommendations framework
5.4 Security policy for Card Key Generation
5.4.1 Specific security requirements
5.4.2 Role of Card Key Generation
5.4.3 Communication between Card Key Generation and the other entities
5.4.4 Recommendations framework
5.5 Security policy for Card Personalisers
5.5.1 Specific security requirements
5.5.2 Role of Card Personalisers
5.5.3 Communication between Card Personalisers and the other entities
5.5.4 Recommendations framework
5.6 Security policy for Card Issuing Authorities
5.6.1 Specific security requirements
5.6.2 Role of Card Issuing Authorities
5.6.3 Communication between Card Issuing Authorities and the other entities
5.6.4 Recommendations framework
5.7 Security policy for Motion Sensor Manufacturers
5.7.1 Specific security requirements
5.7.2 Role of Motion Sensor Manufacturers
5.7.3 Communication between Motion Sensor Manufacturers and the other entities
5.7.4 Recommendations framework
5.8 Security policy for Key Pairing Generation
5.8.1 Specific security requirements
5.8.2 Role of Key Pairing Generation
5.8.3 Communication between Key Pairing Generation and the other entities
5.8.4 Recommendations framework
5.9 Security policy for Vehicle Unit Manufacturers
5.9.1 Specific security requirements
5.9.2 Role of Vehicle Unit Manufacturers
5.9.3 Communication between Vehicle Unit Manufacturers and the other entities
5.9.4 Recommendations framework
5.10 Security policy for Vehicle Unit Key Generation
5.10.1 Specific security requirements
5.10.2 Role of Vehicle Unit Key Generation
5.10.3 Communication between Vehicle Unit Key Generation and the other entities
5.10.4 Recommendations framework
5.11 Security policy for Workshops
5.11.1 Specific security requirements
5.11.2 Role of Workshops
5.11.3 Communication between Workshops and the other entities
5.11.4 Recommendations framework
5.12 Security policy for Road Haulage Companies
5.12.1 Specific security requirements
5.12.2 Role of Road Haulage Companies
5.12.3 Communication between Road Haulage Companies and the other entities
5.12.4 Recommendations framework
5.13 Security policy for Vehicle Drivers
5.13.1 Specific security requirements
5.13.2 Role of Vehicle Drivers
5.13.3 Communication between Vehicle Drivers and the other entities
5.13.4 Recommendations framework
5.14 Security policy for Control Bodies
5.14.1 Specific security requirements
5.14.2 Role of Control Bodies
5.14.3 Communication between Control Bodies and the other entities
5.14.4 Recommendations framework
Annex A Sensitive Assets Inventory
Annex B Security Requirements and entities
Annex C Main items of ISO 17799
Annex D Main items of ETSI 178 T2

1. Introduction

1.1 Background

Regulation CCE n° 3820/85 harmonises the social regulations applicable to road transport at European level, placing a focus upon drivers’ working hours.

Controls applied by the regulation are based mainly on requirements to record and store data about driver and vehicle activities.

European regulation 3821/85, in its technical annex 1B, defines tachograph equipment i.e. equipment that records and stores driving data.

It recognises that any large-scale fraud or falsification perpetrated on this equipment would enable drivers or enterprises to circumvent directive 3820/85.

European regulation [2135/98] introduces a new concept of tachograph based upon the electronic recording of driving data, and utilising three components:

  • Tachograph cards
  • Vehicle Unit
  • Motion Sensor

The introduction of the new tachograph needs to include security features that dissuade and protect against fraudulent activity and thereby give positive support for:

  • social regulations,
  • road safety,
  • harmonious compliance between enterprises.

Security is therefore an important factor for the system.

1.2 Scope

It is the responsibility of each Member State to set up the means of guaranteeing the security of this new system. Each Member State is therefore required to define its own tachograph organisation and to establish its own national security policy containing the security requirements for each entity involved within its organisation.

This document is a framework to which Member States are advised to refer when defining their organisation and developing their security policies. The Member States and the Commission consider compliance with this document to be acceptable proof of conformity with the regulation when a Member State asks the European Root Certification Authority to certify its Member State keys.

This compliance underpins the need for consistency across Member States if confidence in all tachograph systems is to be inspired.

This security guideline is inspired by the standard ISO 17799 “Information technology – code of practice for information security management” and ETSI 102 042 “Policy requirements for certification authorities issuing public key certificates”.

The system security architecture defined in this document must be understood as a generic and modular scheme that allows compliance with the different implementations and organisations that will be chosen by Member States.

1.3 Document content

The security requirements defined in annex 1B, with a focus on the environment of the system products (Tachograph Card, Vehicle Unit, Motion Sensor), together with the legal requirements (European directive 95/46), are presented in chapter 2.

The system security architecture is described in chapter 3 and focuses upon the different entities of the system, their inter-relationships and the sensitive information exchanged.

The general security principle is presented in chapter 4 as a set of recommendations derived from the ISO 17799 standard and presented in the context of the Tachograph system.

The specific security requirements, security architecture and the recommendations framework for the security policy of each entity are presented in chapter 5.

The annexes list the sensitive assets inventory, the rationale linking the security requirements to the entities, and the main items of the ISO 17799 and ETSI standards.

1.4 Origin of the document

This document has been produced by the EU Member State representatives in the framework of the card issuing working group, partly funded by the Commission and coordinated by Urba 2000.

1.5 Holder of the document

The Commission holds this document.

1.6 Revision

Member States can submit proposals for modifications to the Commission. The Commission will inform the other Member States of the proposed modifications. If necessary, the Commission shall arrange a meeting of Member States representatives to consider revisions of the document.

1.7 Abbreviations

CA / Certification Authority
CB / Control Body
CBC / Control Body card
CIA / Card Issuing Authorities
CID / CardHolder Identification Data
CKG / Card Key Generation
CM / Card manufacturers
CP / Card Personalisers
CR ID / Certificate Request identification
DC / Driver Card
EQT.C / Equipment Certificate (for card or vehicle unit)
EQT.PK / Equipment Public Key (for card or vehicle unit)
EQT.SK / Equipment Secret Key (for card or vehicle unit)
ERCA / European Root Certification Authority
EUR.PK / European Public Key
EUR.SK / European Secret Key
IDE / Intelligent Dedicated Equipment
IT / Information Technology
KPG / Kp Generation (pairing key)
MO / MOtion sensor
MOM / MOtion sensor Manufacturers
MS / MemberState
MSA / MemberState Authority
MS.C / MemberState Certificate
MS.PK / MemberState Public Key
MS.SK / MemberState Secret Key
MSCA / MemberState Certification Authority
PKI / Public Key Infrastructure
RE / Recording Equipment
RHC / Road Haulage Companies
RHCC / Road Haulage Companies Card
RSA / Rivest, Shamir, Adleman (asymmetric encryption scheme)
TC / Tachograph Card
TDES / Triple DES (Data Encryption Standard)
TS / Tachograph System
VU / Vehicle Unit
VUKG / Vehicle Unit Key Generation
VUM / Vehicle Unit Manufacturers
W / vehicle manufacturers, fitters or Workshops
WC / Workshops card

1.8 Definitions

Control Body / Control authorities who take charge of checking the driver activities data
Card Issuing Authorities / Entities which manage card holders and issue Tachograph cards (in annex 1B the term “card issuing MemberState code” is used)
Card Key Generation / Entities which generate the RSA key pair for the card (Card.SK and Card.PK)
Card Manufacturers / Entities which manufacture Tachograph cards with the integrated circuit and the embedded software
Card Personalisers / Entities which personalise Tachograph cards with card holder identification data, keys and certificates (in annex 1B the term “card Personalisers ID” is used)
Drivers / Vehicle drivers whose activity must be checked
Driver Activities Data / Data regarding driver activities recorded for checking purposes (including vehicle data)
European Root Certification Authority / The authority designated by the Commission for European key creation (management), for certifying the Member State keys and for distributing the certificates
KP Generation / Entities which generate the TDES pairing key (Kp) for the motion sensor (description in ISO/CD 16844-3.8 motion sensor interface)
MemberState Authority / The authority designated by a Member State to have responsibility for the tachograph system security within its jurisdiction
MemberState Certification Authority / The authority designated by the Member State Authority for Member State key creation (management), for certifying the equipment and card keys and for distributing the certificates (CSM_008)
Motion sensor / The part of the recording equipment that provides the signal representing speed and distance travelled
Motion sensor manufacturers / Entities which manufacture/repair motion sensor equipment and “personalise” them with data
Security Label / An attribute given to a sensitive asset to allow “partitioning” of information, such that relevant “partitions” may be accessed only by those who need such access to carry out their work
Sensitive assets / Information or products which, if their confidentiality, availability or integrity is infringed, will result in a compromise of tachograph system security
Recording Equipment / The recording equipment defined in [annex 1B] and consisting of the vehicle unit and motion sensor
Road Haulage Companies / Entities that operate vehicles (MS, VU) and whose activity must be checked
Smart card / Credit card sized plastic card which has a non-volatile memory and a processing unit embedded within it
Tachograph Card / A smart card carrying the application intended for use with the recording equipment, and defined in [annex 1B]
Tachograph System / The equipment, people and organisations involved in any way with the recording equipment and tachograph card
Vehicle manufacturers, fitters or Workshops / Entities that provide installation and calibration of the equipment (MS, VU) in the vehicle
Vehicle Unit / The recording equipment unit consisting of all the relevant hardware and software except the sensor and the cables
Vehicle Unit Key Generation / Entities which generate the RSA key pair for the vehicle unit (VU.SK and VU.PK)
Vehicle Unit Manufacturers / Entities which manufacture/repair vehicle unit equipment and “personalise” them with keys and certificates

1.9 References

ITSEC / ITSEC Information Technology Security Evaluation Criteria 1991
IC PP / Smartcard Integrated Circuit Protection Profile – version 2.0 – issued September 1998. Registered at the French certification body under the number PP/9806
ES PP / Smartcard Integrated Circuit With Embedded Software Protection Profile – version 2.0 – issued June 1999. Registered at the French certification body under the number PP/9911
Annex 1B / Annex 1B of Council Regulation (EEC) n° 3821/85
2135/98 / Council Regulation (EEC) n° 3821/85 of 20 November 1985, as modified, on the control system in the road transport domain
95/46/CE / Directive 95/46/CE of the European Council and Parliament on the protection of individuals with regard to the processing of personal data and on the free movement of such data
ISO 17799 / Information technology – code of practice for information security management, first edition 2000-12-01
ISO/CD 16844-3.8 / WD 16844-3.8 “Road vehicles – Tachograph systems – part 3: Motion Sensor Interface”
ETSI 102 042 V1.1.1 / Policy requirements for certification authorities issuing public key certificates

2. Tachograph system security requirements

These security requirements, derived from European legislation, concern all organisations and people involved in the Tachograph system. Part of these requirements, derived from regulation 2135/98 (see point three), have been defined after a risk analysis stated in the security targets of the Tachograph card, Vehicle Unit and Motion Sensor.

1) Member States must ensure that organisations in their jurisdiction satisfy the security requirements defined in:

  • European directive [95/46/CE] relating to the protection of persons in respect to treatment of their personal data, and the transmission of these data,
  • European regulation [2135/98] of 20 December 1985 modified, about control systems in the road transport domain.

2) In accordance with European regulation [2135/98] and with agreed standards and interpretations for implementation, security measures set up by the different organisations involved in the tachograph system must comply with the following requirements:

  • Article 5 (extract): The system’s security must comply with the technical requirements laid down in annex IB.
    The Commission, acting in accordance with the procedure laid down in article 18, shall ensure that the said Annex stipulates that recording equipment may not be granted EC component type-approval until the whole system (the recording equipment itself, driver card and electrical gearbox connections) has demonstrated its capacity to resist attempts to tamper with or alter the data on driving times. The tests necessary to establish this shall be carried out by experts familiar with up-to-date tampering techniques.
  • Article 12 (extract): Member States shall take any measure necessary to prevent the cards distributed to approved fitters and workshops from being falsified.
  • Article 14 point 4f: Member States take all necessary measures to prevent any possibility of driver cards being falsified.
  • Requirement 182 of Annex 1B: In order to achieve the system security, the tachograph cards shall meet the security requirements defined in the tachograph cards generic security target (Appendix 10).
  • Requirement 012 of Annex 1B: In order to achieve the requisite system security, the recording equipment shall meet the security requirements specified in the motion sensor and vehicle unit generic security targets (Appendix 10).
  • Requirement 270 of Annex 1B: Type approval of MS, VU and TC shall include security related tests, functional tests and interoperability tests. Positive results to each of these tests are stated by an appropriate certificate.
  • Requirement 288 of Annex 1B: The type approval authority of the Member State may deliver the type approval certificate as soon as it holds the three required certificates.

3) In compliance with appendix 10 of Annex 1B, security measures set up by the different organisations involved in tachograph systems must comply with the following requirements:

M.Activation: Vehicle manufacturers and fitters or workshops must activate the VU after its installation and before the vehicle leaves the premises where installation took place.

M.Approved_Workshops: Installation, calibration and repair of recording equipment must be carried out by trusted and approved fitters or workshops.

M.Card_Availability: Tachograph cards must be available and delivered to authorised persons only.

M.Card_Traceability: Card delivery must be traceable (white lists, black lists), and black lists must be used during security audits.

M.Controls: Law enforcement controls must be performed regularly and randomly, and must include security audits.

M.Delivery: Motion sensor (resp. VU) manufacturers, vehicle manufacturers and fitters or workshops must ensure that handling of the motion sensor (resp. VU) is done in a manner which maintains IT security.

M.Development: Motion sensor (resp. VU) developers must ensure that the assignment of responsibilities during development is done in a manner which maintains IT security.

M.Driver_Card_Uniqueness: Drivers must possess, at one time, only one valid driver card.

M.Faithful_Calibration: Approved fitters and workshops must enter proper vehicle parameters in recording equipment during calibration.

M.Faithful_Drivers: Drivers must play by the rules and act responsibly (e.g. use their driver cards, properly select their activity for those that are manually selected, …).

M.Manufacturing: Motion sensor (resp. VU) manufacturers must ensure that the assignment of responsibilities during manufacturing is done in a manner which maintains IT security, and that during the manufacturing process the motion sensor (resp. VU) is protected from physical attacks which might compromise IT security.

M.Mechanical_Interface: Means of detecting physical tampering with the mechanical interface must be provided (e.g. seals).

M.Regular_Inspections: Recording equipment must be periodically inspected and calibrated.

M.Sec_Data_Generation: Security data generation algorithms must be accessible only to authorised and trusted persons.

M.Sec_Data_Transport: Security data must be generated, transported, and inserted into the motion sensor (resp. VU) in such a way as to preserve its appropriate confidentiality and integrity.

M.Software_Upgrade: Software revisions must be granted security certification before they can be implemented in a motion sensor (resp. VU).

O.DLV_DATA: The Application Data must be delivered from the smart card embedded software developer (phase 1) either to the IC packaging manufacturer, the finishing process manufacturer or the Personalisers through a trusted delivery and verification procedure that shall be able to maintain the integrity and confidentiality of the Application Data.

O.TEST_OPERATE: Appropriate functionality testing of the TOE shall be used in phases 4 to 6. During all manufacturing and test operations, security procedures shall be used through phases 4, 5 and 6 to maintain confidentiality and integrity of the TOE and its manufacturing and test data.

O.USE_DIAG: Secure communication protocols and procedures shall be used between the Tachograph card and the card reader terminal.

O.USE_SYS: The integrity and the confidentiality of sensitive data stored / handled by the system (terminals, communications, ...) shall be maintained.

O.EnvICESPP_CM: The other physical, personnel or procedural requirements upon the environment that contribute to the security of the tachograph card, which are listed in [IC PP] and [ES PP] (chapters on security objectives for the environment) and concern the card manufacturers. See annex B of this document for more detail.

3. Tachograph system security architecture

The security functions and mechanisms specified in Appendices 10 and 11 of Annex 1B for this system need an environment mainly made up of:

  • a three-level Public Key Infrastructure (PKI): a European level, a Member State level and an equipment level. The last two levels are under the supervision of the respective Member State;
  • Member State centres for card management and issue;
  • Member State workshops for installation and calibration of the recording equipment;
  • Member State control systems for driver activities data.
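To make the three-level hierarchy concrete, the following Go program (an added example, not code from the guideline or from any Member State implementation) models the trust relationship the abbreviations list describes: EUR.SK certifies a Member State key (producing MS.C), MS.SK certifies an equipment key (producing EQT.C), and a verifier that trusts only EUR.PK must walk EQT.C to MS.C to EUR.PK before accepting an equipment key. The certificate structure, the RSA PKCS#1 v1.5/SHA-256 signature, the key size and the names "MS:A", "MS:B" and "EQT:card-0001" are assumptions of the example; the real certificate format is the one defined in Appendix 11 of Annex 1B and is not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Level marks the tier of the three-level PKI described in chapter 3.
type Level string

const (
	LevelEuropean    Level = "EUR" // root: EUR.SK / EUR.PK, held by ERCA
	LevelMemberState Level = "MS"  // MS.SK / MS.PK, certified by ERCA
	LevelEquipment   Level = "EQT" // EQT.SK / EQT.PK, certified by the MSCA
)

// Certificate is a simplified stand-in (an assumption of this example, not the
// Annex 1B Appendix 11 format): it binds a subject name, a level and an RSA
// public key to its issuer under an RSA PKCS#1 v1.5 / SHA-256 signature.
type Certificate struct {
	Subject   string
	Level     Level
	Issuer    string
	PublicKey *rsa.PublicKey
	Signature []byte
}

// tbs returns the "to be signed" bytes, i.e. every field the signature covers.
func tbs(c *Certificate) []byte {
	out := []byte(c.Subject + "|" + string(c.Level) + "|" + c.Issuer + "|")
	return append(out, x509.MarshalPKCS1PublicKey(c.PublicKey)...)
}

// Issue signs the subject's public key with the issuer's secret key.
func Issue(issuer string, issuerSK *rsa.PrivateKey, subject string, level Level, pk *rsa.PublicKey) (*Certificate, error) {
	c := &Certificate{Subject: subject, Level: level, Issuer: issuer, PublicKey: pk}
	digest := sha256.Sum256(tbs(c))
	sig, err := rsa.SignPKCS1v15(rand.Reader, issuerSK, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	c.Signature = sig
	return c, nil
}

// verifyWith checks c's signature against a candidate issuer public key.
func verifyWith(c *Certificate, issuerPK *rsa.PublicKey) error {
	digest := sha256.Sum256(tbs(c))
	return rsa.VerifyPKCS1v15(issuerPK, crypto.SHA256, digest[:], c.Signature)
}

// VerifyChain walks EQT.C -> MS.C -> EUR.PK. Only EUR.PK is trusted a priori;
// every other key must be vouched for by a signature from the level above it.
func VerifyChain(eqt, ms *Certificate, eurPK *rsa.PublicKey) error {
	if ms.Level != LevelMemberState || eqt.Level != LevelEquipment {
		return errors.New("certificate levels do not match the hierarchy")
	}
	if ms.Issuer != string(LevelEuropean) {
		return errors.New("MS.C does not name ERCA as its issuer")
	}
	if err := verifyWith(ms, eurPK); err != nil {
		return fmt.Errorf("MS.C not signed by EUR.SK: %w", err)
	}
	if eqt.Issuer != ms.Subject {
		return fmt.Errorf("EQT.C issuer %q is not the presented MSCA %q", eqt.Issuer, ms.Subject)
	}
	if err := verifyWith(eqt, ms.PublicKey); err != nil {
		return fmt.Errorf("EQT.C not signed by MS.SK: %w", err)
	}
	return nil
}

func mustKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

func mustIssue(c *Certificate, err error) *Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

// Demo builds a constructed hierarchy (all names are made up for the example)
// and returns the outcome of verifying a card certificate against its own
// Member State chain (expected nil) and against a different Member State's
// certificate (expected error): a valid MS.C from another state does not
// make the card's EQT.C trustworthy.
func Demo() (sameMS error, otherMS error) {
	const bits = 2048 // key size chosen for the example only
	eurSK, msASK, msBSK, cardSK := mustKey(bits), mustKey(bits), mustKey(bits), mustKey(bits)

	msAC := mustIssue(Issue("EUR", eurSK, "MS:A", LevelMemberState, &msASK.PublicKey))
	msBC := mustIssue(Issue("EUR", eurSK, "MS:B", LevelMemberState, &msBSK.PublicKey))
	cardC := mustIssue(Issue("MS:A", msASK, "EQT:card-0001", LevelEquipment, &cardSK.PublicKey))

	sameMS = VerifyChain(cardC, msAC, &eurSK.PublicKey)
	otherMS = VerifyChain(cardC, msBC, &eurSK.PublicKey)
	return sameMS, otherMS
}

func main() {
	ok, bad := Demo()
	fmt.Println("card under its own MSCA:", ok)
	fmt.Println("card checked against another MSCA:", bad)
}
```

The point for a verifier (a VU authenticating a card, or a control body tool checking a VU) is that the only key it needs to hold is EUR.PK: both MS.C and EQT.C travel with the equipment, and a forged or mis-issued equipment certificate fails at whichever link of the chain lacks a genuine signature from the level above.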

3.1 Tachograph system entities definition and role