EN 50436-6:2015

SLOVENSKI STANDARD
01-september-2015
Alkoholne zapore - Preskusne metode in zahtevane lastnosti - 6. del: Varnost
podatkov
Alcohol interlocks - Test methods and performance requirements - Part 6: Data security
Alkohol-Interlocks - Prüfverfahren und Anforderungen an das Betriebsverhalten - Teil 6:
Datensicherheit
Ethylotests anti-démarrage - Méthodes d’essai et exigences de performance - Partie 6:
Sécurité des données
Ta slovenski standard je istoveten z: EN 50436-6:2015
ICS:
43.040.10 (OHNWULþQDLQHOHNWURQVND Electrical and electronic
RSUHPD equipment
71.040.40 Kemijska analiza Chemical analysis
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 50436-6
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2015
ICS 43.040.10; 71.040.40
English Version
Alcohol interlocks - Test methods and performance requirements
- Part 6: Data security
Éthylotests antidémarrage - Méthodes d'essai et exigences Alkohol-Interlocks - Prüfverfahren und Anforderungen an
de performance - Partie 6: Sécurité des données das Betriebsverhalten - Teil 6: Datensicherheit
This European Standard was approved by CENELEC on 2014-12-29. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2015 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 50436-6:2015 E
Contents Page
Foreword . 5
Introduction . 6
1 Scope . 7
1.1 General . 7
1.2 Conformance claim . 8
2 Normative references . 8
3 Terms and definitions . 9
4 General . 11
4.1 Use of the alcohol interlock . 11
4.2 Major security features . 11
4.3 Hardware, software and firmware not being part of the alcohol interlock and the
service application . 12
5 Alcohol interlock classes . 12
5.1 General . 12
5.2 Class A: transparent service application without broker . 12
5.3 Class B: transparent service application with broker . 13
5.4 Class C: opaque service application . 14
5.5 Class D: service application without broker and without register . 15
6 Security objectives . 15
6.1 General . 15
6.2 Security objectives for the alcohol interlock and the service application. 16
6.3 Security objectives for the operational environment (informative) . 18
6.3.1 Overview . 18
6.3.2 General security objectives for the operational environment . 19
6.3.3 Security objectives for the register . 19
6.3.4 Security objectives for the broker . 20
7 Security requirements. 21
7.1 Terms . 21
7.2 Security Functional Requirements . 22
7.2.1 General . 22
7.2.2 FAU_GEN.1 Audit event records generation . 23
7.2.3 FAU_STG.1 Protected data memory . 24
7.2.4 FAU_STG.3 Action in case of possible event records loss . 24
7.2.5 FAU_STG.4 Prevention of event records loss . 24
7.2.6 FCS_COP.1(1) Cryptographic operation . 24
7.2.7 FCS_COP.1(2) Cryptographic operation . 25
7.2.8 FCS_COP.1(3) Cryptographic operation . 25
7.2.9 FDP_ACC.1 Subset access control . 25
7.2.10 FDP_ACF.1 Security attribute based access control . 25

-3- EN 50436-6:2015
7.2.11 FDP_ITT.1 Basic internal transfer protection . 26
7.2.12 FDP_ITT.3 Integrity monitoring . 27
7.2.13 FDP_RIP.1 Subset residual information protection . 27
7.2.14 FIA_UAU.2 User authentication before any action (not applicable if the authentication is
done in the operational environment) . 27
7.2.15 FIA_UID.2 User identification before any action (not applicable if the authentication is done
in the operational environment) . 27
7.2.16 FPT_PHP.1(1) Passive detection of physical attack . 28
7.2.17 FPT_PHP.1(2) Passive detection of physical attack . 28
7.2.18 FPT_STM.1 Reliable time stamps . 28
7.3 Cryptographic algorithms . 28
7.4 Security assurance requirements . 29
Annex A (informative) Security problem definition . 30
A.1 General . 30
A.2 Assets . 30
A.3 Threat agents . 30
A.4 Threat overview . 30
A.5 Threats . 32
A.5.1 Interfering with the sensors and the signals to the vehicle (I) . 32
A.5.2 Prevention of detection of events (II) . 33
A.5.3 Prevention of generation of event records or generation of undesirable event records
(III) . 33
A.5.4 Failure to correctly store event records in the alcohol interlock (IV) . 33
A.5.5 Failure to correctly transfer event records between alcohol interlock and service
application (V) . 34
A.5.6 Failure to correctly handle the event records in the service application (VI) . 34
A.5.7 Failure to correctly transfer event records between service application and register
(VII) . 35
A.5.8 Failure to correctly register event records at the register (VIII). 35
A.5.9 Failure to correctly transfer event records between service application and broker
(IX) . 35
A.5.10 Failure to correctly convert event records at the broker (X) . 36
A.5.11 Failure to correctly transfer event records between broker and register (XI) . 36
Annex B (informative) Rationales . 37
B.1 General . 37
B.2 Security objectives rationale . 37
B.2.1 Interfering with the sensors and the signals to the vehicle (I) . 37
B.2.2 Prevention of detection of events (II) . 38
B.2.3 Prevention of generation of event records or generation of undesirable event records
(III) . 38
B.2.4 Failure to correctly store event records in the alcohol interlock (IV) . 39
B.2.5 Failure to correctly transfer event records between alcohol interlock and service
application (V) . 40
B.2.6 Failure to correctly handle the event records in the service application (VI) . 41
B.2.7 Failure to correctly transfer event records between service application and register
(VII) . 42
B.2.8 Failure to correctly register event records at the register (VIII). 44

B.2.9 Failure to correctly transfer event records between service application and broker
(IX) . 44
B.2.10 Failure to correctly convert event records at the broker (X) . 46
B.2.11 Failure to correctly transfer event records between broker and register (XI) . 46
B.3 Security requirements rationale . 47
B.4 Dependencies . 51
Annex C (informative) Security testing . 52
Annex D (informative) Use of this standard . 53
D.1 Additional information required to use this standard . 53
D.2 Additional requirements for the data handling process. 53
Blibliography . 55

-5- EN 50436-6:2015
Foreword
This document (EN 50436-6:2015) has been prepared by CLC/BTTF 116-2 "Alcohol interlocks".
The following dates are fixed:
• latest date by which this document has (dop) 2015-12-29
to be implemented at national level by
publication of an identical national
standard or by endorsement
• latest date by which the national (dow) 2017-12-29
standards conflicting with this
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such
patent rights.
Introduction
The series of European Standards EN 50436 specifies test methods and essential performance
requirements for alcohol interlocks and gives guidance for decision makers, purchasers and users.
The content and requirements of the European Standard EN 50436-1 "Alcohol interlocks – Test
methods and performance requirements, Part 1: Instruments for drink-driving-offender programs" are
based on the experience and necessities of drink driving offender programmes in different countries
over several decades.
The present document should be used in conjunction with the European Standard EN 50436-1 and
optionally with EN 50436-2. It defines additional requirements for the security of event records which
are stored in the data memory of the alcohol interlock and which may be downloaded, processed and
transferred to supervising persons or organizations.
The security objectives describing how the threats are addressed are divided into security objectives
for the alcohol interlock with the service application and for the operational environment.
The security objectives for the alcohol interlock and the service application describe what is necessary
for the alcohol interlock and the service application to do to address the threats. In the context of this
European Standard, the combination of alcohol interlock and service application are to meet all listed
security objectives, and this is to be assessed as part of determining compliance with this European
Standard.
The security objectives for the operational environment describe what other entities should do to
address the threats. In the context of this European Standard, whether these entities actually achieve
these objectives are not to be assessed as part of determining compliance with this European
Standard. Therefore, in this European Standard these security objectives are informative only.
This European Standard is intended also to be listed as a Protection Profile for alcohol interlocks under
the Common Criteria Recognition Arrangement and the Senior Officials Group - Information Systems
Security (SOG-IS). For the purpose of being a Protection Profile, all sections (including also the
operational environment) are considered normative.

-7- EN 50436-6:2015
1 Scope
1.1 General
This European Standard specifies security requirements for the protection and handling of event
records which are stored in the data memory of breath alcohol controlled alcohol interlocks and which
may be downloaded, processed and transferred to supervising persons or organizations.
This European Standard is a supplement to EN 50436-1. It is to be decided by the respective
jurisdiction whether the present standard has to be applied in addition to EN 50436-1.
This European standard may also be used as a supplement to EN 50436-2 if a jurisdiction or a vehicle
fleet operator decides that the data security in his preventive application has to have the same high
level of requirements as for alcohol interlocks used in drink-driving-offender programmes.
This European Standard is mainly directed to test houses, manufacturers of alcohol interlocks,
legislating authorities and organizations which handle and use the alcohol interlock event records.
In this European Standard, the alcohol interlock consists basically of handset and control unit. Optional
accessory devices (e.g. cameras or GPS systems generating data related to event data of the alcohol
interlock, as well as accessory devices handling or transferring data for a drink-driving-offender
programme) authorized by the manufacturer as being part of the alcohol interlock system and which
are intended to be used in the vehicle during operation are also to be considered part of the alcohol
interlock, where applicable.
The service application communicates with the alcohol interlock and sends out the event records to a
register, either directly or alternatively indirectly through a broker.
The scheme is depicted in Figure 1. It also shows which parts are within the scope of this European
Standard and which are outside of the scope.

Figure 1 – Alcohol interlock, service application, broker and register
NOTE In this, and all other figures, the direction of the arrows indicates the flow of event records.
This European Standard applies to
– the alcohol interlock,
– the service application.
This European Standard does not apply to
– data security of the broker,
– data security of the register,
– storage of downloaded data,
– requirements for organizational processes, for example defining rights of access to the data.
1.2 Conformance claim
This European Standard conforms according to the Common Criteria for Information Technology
Security Evaluation as Protection Profile to:
– Common Criteria, Version 3.1, Revision 4, as defined by CCp1, CCp2, CCp3 and CEMe,
– Common Criteria - Part 2 as Common Criteria - Part 2 conformant,
– Common Criteria - Part 3 as Common Criteria - Part 3 conformant.
NOTE 1 An earlier revision of CCp1 is published as ISO/IEC 15408-1.
NOTE 2 An earlier revision of CCp2 is published as ISO/IEC 15408-2.
NOTE 3 An earlier revision of CCp3 is published as ISO/IEC 15408-3.
NOTE 4 An earlier revision of CEMe is published as ISO/IEC 18045.
This European Standard is not based on any other Protection Profile.
This European Standard conforms to the evaluation assurance level EAL3 + ALC_FLR.2 (for
explanation see 7.4).
Protection profiles or security targets that conform to this Protection Profile shall apply "Strict
Protection-Profile-Conformance".
For more information, see CCp1, Annex B5.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
EN 50436-1:2014, Alcohol interlocks – Test methods and performance requirements –
Part 1: Instruments for drink-driving-offender programs
EN 50436-2:2014, Alcohol interlocks – Test methods and performance requirements –
Part 2: Instruments having a mouthpiece and measuring breath alcohol for general preventive use

-9- EN 50436-6:2015
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
alcohol interlock
device which is normally in the blocking state when installed to prevent the starting of a vehicle engine,
and which can be brought into the not-blocking state only after the presentation and analysis of an
accepted breath sample with an alcohol concentration below a limit value
Note 1 to entry: In this European Standard the expression “starting of the vehicle engine” includes provision
of an output signal from the alcohol interlock to the vehicle to enable the starting or operation of the vehicle.
Note 2 to entry: In this European Standard, the alcohol interlock consists of the following parts: handset,
control unit and optional accessory devices.
Note 3 to entry: According to the Common Criteria the alcohol interlock and the service application are the
Target of Evaluation (TOE).
3.2
handset
part of the alcohol interlock which is usually located inside the driver compartment of the vehicle, which
contains an alcohol measuring system, may store event records in a data memory, is connected to the
control unit and is able to interact with the driver
3.3
control unit
part of the alcohol interlock which is usually located under the dashboard of the vehicle, which is
electrically connected to the vehicle to prevent or to allow the starting of the vehicle engine, and which
may store event records in a data memory
Note 1 to entry: The electrical connections to the vehicle are considered to be part of the control unit.
3.4
accessory device
optional supplementary device being part of the alcohol interlock intended to be used in the vehicle
during operation
Note 1 to entry: Accessory devices may for example be a camera or a module for data transmission.
Note 2 to entry: The use of certain accessory devices may be required by national regulations.
3.5
event records
record of breath test results, other events and supporting data with date and time generated by the
alcohol interlock
Note 1 to entry: For this European Standard it is assumed that the event records are stored in the data
memory of the control unit and/or of the handset and optionally of the accessory devices.
Note 2 to entry: This European Standard uses the term “event records" instead of the Common Criteria
term “audit records”.
3.6
service application
computer programme being used for functions such as adjustment of the alcohol interlock,
downloading and optionally viewing the event records and other data of the alcohol interlock, as well as
for uploading event records from the alcohol interlock to a register or broker
Note 1 to entry: A service application may have some or all of these functions, depending on its
implementation and the alcohol interlock class (see Clause 5).
Note 2 to entry: The service application is usually located inside a service centre.
Note 3 to entry: The service application may be used by a technician or an automatic system.
Note 4 to entry: The service application may be either transparent or opaque.
3.7
transparent service application
service application which is not able to decrypt the event records
Note 1 to entry: The functionality of the transparent service application for uploading event records from the
alcohol interlock to a register or broker may be incorporated into the alcohol interlock. In this case the alcohol
interlock uploads the event records to the register or boker.
3.8
opaque service application
service application that is able to decrypt the event records and performs the required conversion of
event records
3.9
adjustment
operation that calibrates and/or adjusts the sensor systems, sets parameters and/or changes the
firmware of the alcohol interlock
3.10
register
central register of event records, which stores the event records for future use
Note 1 to entry: The register is usually operated by the alcohol interlock manufacturer and/or the
authorities.
3.11
broker
processing centre which converts the records into a required format and then sends them to the
register or the service application
Note 1 to entry: The broker is usually operated by the service provider of the alcohol interlock.
3.12
security target
description and analysis of the assets, the threats to those assets, the countermeasures (in the form of
security objectives) and a demonstration that the countermeasures are sufficient to counter the threats
Note 1 to entry: For details see CCp1, clause 7.1.1.
3.13
security objective
concise statement of the intended solution to the problem defined by the security problem definition
Note 1 to entry: For details see CCp1, clause A.7.

-11- EN 50436-6:2015
3.14
security problem definition
statement which in a formal manner defines the nature and scope of the security that the alcohol
interlock and the service application are intended to address, consisting of a combination of threats to
be countered by the alcohol interlock and the service application, the organizational security policies
enforced by the alcohol interlock and the service application, and the assumptions that are upheld for
the alcohol interlock and the service application and their operational environment
Note 1 to entry: For details see CCp1, clause A.6.
3.15
operational environment
environment in which the alcohol interlock and the service application are operated, containing all
entities that the alcohol interlock and the service application interact with, such as broker, register
service centre, vehicle, driver
4 General
4.1 Use of the alcohol interlock
Before the engine of the vehicle can start, the driver has to deliver an accepted breath sample into the
handset. If the measured alcohol concentration is equal to or above the limit value, the control unit
does not allow the vehicle engine to start.
At random intervals while driving, the driver may have to deliver an additional accepted breath sample
into the handset. Passing or failing a breath alcohol test generates event records. Additionally, other
events may generate event records (e.g. interruption of power to the control unit, or vehicle motion
without starting of the motor, indicating bypass of the alcohol interlock).
At set intervals, when the memory of the alcohol interlock fills up, or after certain events the handset
instructs the driver to go to a service centre. These service centres (which are for drink-driving-
offender programmes normally certified by the government) possess a service application. Service
centre personnel can use the service application to read out (download) the encrypted event records
from the alcohol interlock.
NOTE The service application may or may not decrypt these event records (see Clause 5).
The service application sends out the event records:
– directly to the register, or
– to the broker which sends the event records to the register, or
– to the broker which sends the event records back to the service application and which then sends
it to the register.
The service application requires a confirmation from the register and/or broker that it has received the
event records. Upon reception of this confirmation, the service centre personnel may use the service
application to delete the event records by erasing the data memory in the alcohol interlock.
4.2 Major security features
The alcohol interlock has the following major security features:
– The alcohol interlock is able to detect events (for example starting the vehicle engine or failed
breath test) and store these events;

– Authenticated service personnel can use the service application to read out these event records
and send them onwards. The service personnel can also use the service application to delete the
event records and erase the data memory;
– All parts of the alcohol interlock protect the event records against unauthorized modification,
deletion, insertion and disclosure.
4.3 Hardware, software and firmware not being part of the alcohol interlock and the
service application
The alcohol interlock requires installation in a vehicle.
The service application may require an operating system and computer or similar setup in order to
function. The security target shall clarify the required hardware, software or firmware (if applicable)
required for the service application.
NOTE This depends on the class of the alcohol interlock (see Clause 5).
5 Alcohol interlock classes
5.1 General
This European Standard defines different classes of alcohol interlocks with their service application
(A, B1, B2, C1, C2 and D), each of which has slightly different requirements and objectives.
The security target shall define the class of the alcohol interlock (as part of the alcohol interlock
overview).
This difference in classes is caused by the following facts.
– The register has a strictly defined format in which it wishes to store event records. As there is no
standard for this format yet, each country or organization tends to use its own proprietary format.
– The alcohol interlock may not be able to support all of these formats.
If the alcohol interlock does not support the required format, the files have to be converted somewhere:
– either in the service application, or
– at the broker.
As event records can only be converted when they are not encrypted, they are very vulnerable to
unauthorized reading or modification at that point, so special care shall be taken to prevent this.
There may also be alcohol interlocks only using the service application, but not using a register and/or
broker, or alcohol interlocks not storing event records at all.
5.2 Class A: transparent service application without broker
Transparent refers to the fact that the service application is not able to decrypt the event records.
This class of alcohol interlocks is characterized by end-to-end encryption between the alcohol interlock
and the register. The alcohol interlock already generates the event records in the correct format
required by the register. This is depicted in Figure 2.

-13- EN 50436-6:2015
Figure 2 – Class A alcohol interlock:
the alcohol interlock generates the correct format for the register
In class A alcohol interlocks:
– the service application never gets access to the unencrypted event records and therefore the
service application itself requires relatively little protection;
– there is no broker, so threats for the broker are not relevant and there are no security objectives
for the broker.
5.3 Class B: transparent service application with broker
Transparent refers to the fact that the service application is not able to decrypt the event records.
For this class of alcohol interlocks, the broker performs the required conversion. This means that the
broker has access to unencrypted event records, and should therefore protect them.
Two subclasses of class B alcohol interlocks are to be distinguished:
– Class B1 alcohol interlocks:
The service application sends the event records to the broker. The broker converts the event
records, and sends the converted event records onwards to the register. This is depicted in
Figure 3.
Figure 3 – Class B1 alcohol interlock:
the broker converts and sends to the register
– Class B2 alcohol interlocks:
The service application sends the event records to the broker. The broker converts the event
records, and sends the converted event records back to the service application. The service
application then sends the converted event records onwards to the register. This is depicted in
Figure 4.
Figure 4 – Class B2 alcohol interlock:
the broker converts and sends to the service application
In class B alcohol interlocks:
– the service application never gets access to the unencrypted event records and therefore the
service application itself requires relatively little protection;
– a broker is required, so there are threats and objectives for the broker.
5.4 Class C: opaque service application
Opaque refers to the fact that the service application performs the required conversion.
This means that the service application has access to unencrypted event records, and shall therefore
be able to protect them.
It is distinguished between two subclasses of alcohol interlocks:
Two subclasses of class C alcohol interlocks are to be distinguished:
– Class C1 alcohol interlocks:
The service application itself shall provide the protection. This means that the service application
shall partly consist of some sort of tamper-evident and/or tamper-responsive hardware.
– Class C2 alcohol interlocks:
The environment of the service application shall provide the protection. The service application
may then be a simple software application running on a non-alcohol interlock workstation, but the
environment of that workstation shall meet stringent requirements to be able to protect the event
records.
This is depicted in Figure 5.
Figure 5 – Class C1 and C2 alcohol interlock:
the service application converts the event records
In class C alcohol interlocks:
– there is no broker utilized;

-15- EN 50436-6:2015
– so threats for the broker are not relevant and there are no security objectives for the broker.
5.5 Class D: service application without broker and without register
This class of alcohol interlocks uses only a service application.
There are no broker and no register involved. The event records may be stored in and seen with the
service application. This is depicted in Figure 6.

Figure 6 – Class D alcohol interlock:
the event records are transferred to the service application
In class D alcohol interlocks:
– there is no broker and no register utilized;
– so threats for the broker and register are not relevant and there are no security objectives for the
broker and the register.
6 Security objectives
6.1 General
These security objectives describe how the threats described in Annex A are addressed. It is divided
into (see Figure 7):
– The security objectives for the alcohol interlock and the service application ("O"), describing what
the alcohol interlock and the service application shall do to address the threats. In the context of
this European Standard, the combination of alcohol interlock and service application shall meet all
security objectives that are listed for their class, and this shall be assessed as part of determining
compliance with this European Standard.
– The security objectives for the operational environment ("OE"), describing what other entities
should do to address the threats. In the context of this European Standard, whether these entities
actually achieve these objectives are not to be assessed as part of determining compliance with
this European Standard. Therefore, these security objectives are informative only.
A rationale that the combination of all of these security objectives indeed addresses the threats is
found in Annex B of this standard.

Figure 7 – Relations between threats and security objectives
6.2 Security objectives for the alcohol interlock and the service application
Clause 5 defines several classes of alcohol interlocks, which differ from each other in various aspects.
This chapter describes a number of security objectives, but not all security objectives are valid for all
classes. This is indicated in Table 1.
Table 1 - Objectives for different classes of alcohol interlocks
Objective A B1 B2 C1 C2 D
O.DETECT_EVENTS
X X X X X X
O.PROTECT_EVENTS_BETWEEN_HANDSET_AND_
X X X X X X
CONTROL_UNIT_AND_ACCESSORY_DEVICE
O.RECORD_AND_ENCRYPT_EVENTS_IN_ALCOHOL_I
X X X X X X
NTERLOCK
O.TAMPER_EVIDENT_HANDSET_AND_CONTROL_UNI
X X X X X X
T_AND_ACCESSORY_DEVICE
O.TAMPER_EVIDENT_SERVICE_APPLICATION
X
O.NO_OVERFLOW_IN_DATA_MEMORY X X X X X X
O.ALCOHOL_INTERLOCK_AND_SERVICE_APPLICATI
X X X X X X
ON
O.SERVICE_APPLICATION_AUTHENTICATION
X X X X X X
O.SERVICE_APPLICATION_PROTECT_EVENT_RECO
X X X X X X
RDS
O.SEND_TO_CORRECT_PARTY X X X X X
O.DETECT_EVENTS
The alcohol interlock shall detect:
– all events required by the applicable laws and regulations,
– adjustment of the alcohol interlock,
– other events and supporting data,
– deletion of event records.
-17- EN 50436-6:2015
O.PROTECT_EVENTS_BETWEEN_HANDSET_AND_CONTROL_UNIT_AND_
ACCESSORY_DEVICE
The handset, control unit and accessory devices shall protect information about detected events as this
is exchanged between them against insertion, deletion and modification.
O.RECORD_AND_ENCRYPT_EVENTS_IN_ALCOHOL_INTERLOCK
The alcohol interlock shall store all required information for each event in event records in the data
memory of the alcohol interlock.
Each event record shall contain at least:
– the information required by the applicable laws and regulations,
– a unique consecutive number for each event record.
The alcohol interlock shall not store event records on events that are not allowed to be recorded.
The alcohol interlock shall store all event records in such a way that they cannot be read or modified by
unauthorized entities.
The alcohol interlock shall encrypt all event records before allowing them to be read out in such a way
that they cannot be read or modified by unauthorized entities.
NOTE 1 The consecutive numbers may solve part of the protection against modification, but other measures
(for example MAC, CRC inside the encryption or CBC-mode) may also be necessary, depending on the
implementation.
The event records shall be encrypted before storing them.
O.TAMPER_EVIDENT_HANDSET_AND_CONTROL_UNIT_AND_ACCESSORY_DEVICE
The handset, control unit, accessory devices and connections from the control unit to the vehicle shall
be tamper-evident. Evidence of tampering shall be field-detectable under close scrutiny of a trained
person.
O.TAMPER_EVIDENT_SERVICE_APPLICATION
The service application shall be tamper-evident. Evidence of tampering shall be field-detectable under
close scrutiny of a trained person.
O.NO_OVERFLOW_IN_DATA_MEMORY
When the memory of the alcohol interlock is filled with event records for:
– 90 %, the alcohol interlock shall issue an early recall warning to the driver,
– 100 %, the alcohol interlock shall no longer allow the vehicle engine to start.
O.ALCOHOL_INTERLOCK_AND_SERVICE_APPLICATION
The alcohol interlock shall only allow the service application to:
– read out event records from the alcohol interlock,
– delete event records from the alcohol interlock,
– adjust the alcohol interlock.

NOTE 2 This does not preclude the access to the alcohol interlock by specific programmes used for example
during production and/or maintenance of the alcohol interlock by the manufacturer on his premises or during
verification.
O.SERVICE_APPLICATION_AUTHENTICATION
Before service personnel can use the service application, this service personnel shall first be identified
and authenticated.
NOTE 3 “Be identified and authenticated” does not mandate that the service application shall perform
identification and authentication itself. It is allowed for the environment (the operation system, a remote web
server or other entity) to perform this identification and authentication.
O.SERVICE_APPLICATION_PROTECT_EVENT_RECORDS
The service application shall not allow its service personnel (or other entities) to insert or modify event
records. The service application shall not allow unauthorized service personnel to read event records
from the service application.
O.SEND_TO_CORRECT_PARTY
The service application shall send the event records only to the correct party in the correct manner in
such a way that they cannot be read or modified by unauthorized entities.
The service application shall be able to receive a confirmation that the event records have been
correctly received and shall record the confirmation in the alcohol interlock.
– For class B1 alcohol interlocks, the event records shall be sent to the broker, using the method
specified by the broker, and the confirmation should be received from the broker.
– For class B2 alcohol interlocks, the event records shall be sent to the broker, using the method
specified by the broker, then the event records received by the broker should be sent to the
register, using the method specified by the register, and the conformation shall be received by the
service application from the register.
– For all other classes of alcohol interlocks, the event records shall be sent to the register, using the
method specified by the register, and the confirmation shall be received by the service application
from the register.
6.3 Security objectives for the operational environment (informative)
6.3.1 Overview
Clause 5 defines several classes of alcohol interlocks, which differ from each other in vari
...