TD0644: FCS_CKM_EXT.4 test applicability
The statement immediately before the "Test" activities for FCS_CKM_EXT.4 states:
"These tests are only for key destruction provided by the application; test 2 does not apply to any keys using the selection 'new value of a key'."
Test 1 states: "Applied to each key held in volatile memory and subject to destruction by overwrite by the TOE." This implies that the test is not applicable for TOEs that select "destruction of the reference followed by a request for garbage collection", since that is not an overwrite operation.
Similarly for non-volatile storage, the statement above implies that the test is not applicable for TOEs that "instructs the underlying platform to destroy the abstraction that represents the key".
Test 1 is not marked as conditional, and its applicability to these selections is not explicitly stated for situations where the application does not itself perform the zeroization (i.e. garbage collecting). It is also not clear whether Test 2 is required when the TOE instructs the underlying platform to destroy the key.
Tests 1 and 2 for FCS_CKM_EXT.4 in MOD_FE_V1.0-sd are modified as follows, with underlines denoting additions:
Test 1: [Conditional; applies when the application does not perform the zeroization (i.e. garbage collecting) for each key held in volatile memory for FCS_CKM_EXT.4.1 (assuming the selection "destruction of the reference followed by a request for garbage collection")] Applied to each key held in volatile memory and subject to destruction by overwrite by the TOE (whether or not the value is subsequently encrypted for storage in volatile or non-volatile memory). In the case where the only selection made for the key destruction method was removal of power, then this test is unnecessary.
The evaluator shall:
1. Record the value of the key in the TOE subject to clearing.
2. Cause the TOE or the underlying platform to perform normal cryptographic processing with the key from Step #1.
3. Cause the TOE to clear the key.
4. Cause the TOE to stop the execution but not exit.
5. Cause the TOE to dump the entire memory of the TOE into a binary file.
6. Search the content of the binary file created in Step #5 for instances of the known key value from Step #1.
Steps #1-6 ensure that the complete key does not exist anywhere in volatile memory. If a copy is found, then the test fails.
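The following is an added illustration, not part of the Technical Decision or of any evaluated TOE: a constructed Python model of Steps #1-6 above. A flat buffer stands in for the TOE's volatile memory, the key and a hex working copy are written into it during "normal processing", and the dump is then searched for the known key value in raw, hex and base64 form (Step #6). The two clearing routines show why the distinction the TD draws matters: an overwrite leaves no copy behind, whereas dropping the reference and waiting for a garbage collector leaves the bytes intact until something happens to reuse them. All names, offsets and the sample key value are assumptions made for the example.

```python
"""Constructed simulation of FCS_CKM_EXT.4 Test 1 (search of a volatile-memory dump)."""
from __future__ import annotations

import base64
from typing import Optional

KEY_LEN = 32
KEY_OFFSET = 256        # assumed location where the simulated TOE holds the key
SCRATCH_OFFSET = 1024   # assumed location where processing leaves a working copy


def key_fingerprints(key: bytes) -> dict[str, bytes]:
    """Byte patterns the key value may take in a dump: raw and common text encodings."""
    return {
        "raw": key,
        "hex-lower": key.hex().encode("ascii"),
        "hex-upper": key.hex().upper().encode("ascii"),
        "base64": base64.b64encode(key),
    }


def find_key_in_dump(dump: bytes, key: bytes) -> list[tuple[str, int]]:
    """Step #6: every (encoding, offset) at which the known key value occurs in the dump."""
    hits: list[tuple[str, int]] = []
    for name, pattern in key_fingerprints(key).items():
        start = 0
        while (pos := dump.find(pattern, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


class SimulatedToeMemory:
    """Flat buffer standing in for the TOE's volatile memory (a model, not a real process)."""

    def __init__(self, size: int = 4096) -> None:
        self.buf = bytearray(size)
        self.key_offset: Optional[int] = None

    def load_key(self, key: bytes) -> None:
        """Step #1: the TOE holds the key at a known location."""
        self.buf[KEY_OFFSET:KEY_OFFSET + len(key)] = key
        self.key_offset = KEY_OFFSET

    def process_with_key(self) -> None:
        """Step #2: normal processing; this routine leaves a hex working copy in scratch space."""
        assert self.key_offset is not None, "key must be loaded before use"
        working = self.buf[self.key_offset:self.key_offset + KEY_LEN].hex().encode("ascii")
        self.buf[SCRATCH_OFFSET:SCRATCH_OFFSET + len(working)] = working

    def clear_by_overwrite(self) -> None:
        """Step #3, 'overwrite' selection: zero the key and every working copy the TOE tracks."""
        assert self.key_offset is not None
        for off, length in ((self.key_offset, KEY_LEN), (SCRATCH_OFFSET, 2 * KEY_LEN)):
            self.buf[off:off + length] = bytes(length)  # bytes(n) is n zero bytes
        self.key_offset = None

    def clear_by_dropping_reference(self) -> None:
        """Step #3, 'destroy the reference then request garbage collection' selection:
        the TOE forgets where the key lives; nothing is written over the bytes."""
        self.key_offset = None

    def dump(self) -> bytes:
        """Step #5: snapshot of the entire simulated memory."""
        return bytes(self.buf)


# Constructed, fixed key so results are reproducible (not a real key value).
SAMPLE_KEY = bytes(range(0x10, 0x10 + KEY_LEN))


def run_test1(clear_method: str) -> list[tuple[str, int]]:
    """Drive Steps #1-6 against the simulated TOE; an empty result means the test passes."""
    mem = SimulatedToeMemory()
    mem.load_key(SAMPLE_KEY)
    mem.process_with_key()
    if clear_method == "overwrite":
        mem.clear_by_overwrite()
    elif clear_method == "drop-reference":
        mem.clear_by_dropping_reference()
    else:
        raise ValueError(f"unknown clear method: {clear_method}")
    return find_key_in_dump(mem.dump(), SAMPLE_KEY)


if __name__ == "__main__":
    for method in ("overwrite", "drop-reference"):
        hits = run_test1(method)
        print(f"{method:15s} -> {'PASS' if not hits else 'FAIL ' + str(hits)}")
```

Searching for encoded forms as well as the raw value is the part evaluators most often need: a key that was logged, serialised or passed to a text-based API leaves copies that a raw byte search misses. In the model, `drop-reference` fails because both the original bytes and the hex working copy survive the clear, which is exactly the situation the TD now keeps outside Test 1's scope.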
Test 2: [Conditional; applies when instructing the underlying platform to destroy the key] If new value of a key is selected this test does not apply.
Applied to each key held in non-volatile memory and subject to destruction by the TOE.
The evaluator shall use special tools (as needed), provided by the TOE developer if necessary, to ensure the tests function as intended.
1. Identify the purpose of the key and what access should fail when it is deleted. (e.g. the file encryption key being deleted would cause data decryption to fail.)
2. Cause the TOE to clear the key.
3. Have the TOE attempt the functionality that the cleared key would be necessary for.
4. The test succeeds if Step #3 fails.
See issue description