NIAP: View Technical Decision Details
Archived TD0057:  Update to TD0047 for Non Wear Leveled Flash Memory

Publication Date
2015.08.07

Protection Profiles
PP_MD_v2.0, PP_MDM_AGENT_V2.0, PP_MDM_V2.0

Other References
PP_MD_V2.0, requirement FCS_CKM_EXT.4; PP_MDM_V2.0; PP_MDM_Agent_V2.0

Issue Description

TD0047 ("MDFPP v2.0 FCS_CKM_EXT.4 Update") revised FCS_CKM_EXT.4.1 to add a rule that does not require a read-verify for non-volatile flash memory that is wear-leveled. That edit did not address non-volatile flash that is not wear-leveled; for this type of flash memory there are cases where a read-verify after a block erase is neither practical nor needed.

Resolution

FCS_CKM_EXT.4.1 will be revised to remove the read-verify after a block erase for non-wear-leveled non-volatile flash, as follows:

FCS_CKM_EXT.4.1 The TSF shall destroy cryptographic keys in accordance with the specified cryptographic key destruction methods:

  • by clearing the KEK encrypting the target key,
  • in accordance with the following rules:
    • For volatile memory, the destruction shall be executed by a single direct overwrite [selection: consisting of a pseudo-random pattern using the TSF’s RBG, consisting of zeroes].
    • For non-volatile EEPROM, the destruction shall be executed by a single direct overwrite consisting of a pseudo random pattern using the TSF’s RBG (as specified in FCS_RBG_EXT.1), followed by a read-verify.
    • For non-volatile flash memory that is not wear-leveled, the destruction shall be executed [selection: by a single direct overwrite consisting of zeros followed by a read-verify, by a block erase that erases the reference to memory that stores data as well as the data itself].
    • For non-volatile flash memory that is wear-leveled, the destruction shall be executed [selection: by a single direct overwrite consisting of zeros, by a block erase].
    • For non-volatile memory other than EEPROM and flash, the destruction shall be executed by overwriting three or more times with a random pattern that is changed before each write.

Justification

For flash memory that is not wear-leveled, if the act of erasing the data also erases the reference to the memory that stores the data, a read-verify is not required (because it is not possible to address the memory that was just erased).
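
The first selection for non-wear-leveled flash (a single direct overwrite of zeros followed by a read-verify) can be sketched as below. This is an added example, not text from the Protection Profile or NIAP; the simulated flash, the function names and the injected stuck-bit fault are assumptions made for illustration. The block-erase selection, where the erased memory can no longer be addressed, is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FLASH_SIZE 64

/* Simulated non-wear-leveled flash (constructed): address N is always cell N. */
typedef struct {
    uint8_t cells[FLASH_SIZE];
    uint8_t stuck[FLASH_SIZE];   /* constructed fault: bits that refuse to clear */
} sim_flash;

static void flash_init(sim_flash *f) {
    memset(f->cells, 0xFF, sizeof f->cells);   /* erased flash reads all ones */
    memset(f->stuck, 0, sizeof f->stuck);
}

/* Programming flash can only clear bits (1 -> 0); stuck bits stay set. */
static void flash_program(sim_flash *f, size_t off, uint8_t val) {
    f->cells[off] &= (uint8_t)(val | f->stuck[off]);
}

/* Zero overwrite followed by read-verify. Returns 0 only if every byte of
   the key region reads back as zero, -1 on bad range or leftover bits. */
int destroy_key(sim_flash *f, size_t off, size_t len) {
    if (off > FLASH_SIZE || len > FLASH_SIZE - off) return -1;
    for (size_t i = 0; i < len; i++)
        flash_program(f, off + i, 0x00);
    uint8_t residue = 0;
    for (size_t i = 0; i < len; i++)   /* volatile read: verify is not elided */
        residue |= *(volatile uint8_t *)&f->cells[off + i];
    return residue == 0 ? 0 : -1;
}

/* Store a constructed 16-byte key, optionally inject a fault, destroy it. */
int demo(uint8_t stuck_bits) {
    sim_flash f;
    flash_init(&f);
    for (size_t i = 0; i < 16; i++)
        flash_program(&f, 8 + i, (uint8_t)(0xA0 + i));
    f.stuck[12] = stuck_bits;
    return destroy_key(&f, 8, 16);
}

int main(void) {
    /* Healthy cells verify clean; a stuck bit must be reported as failure. */
    return (demo(0x00) == 0 && demo(0x20) == -1) ? 0 : 1;
}
```

Because the memory is not wear-leveled, the verify reads the same physical cells that held the key, which is what makes the read-back meaningful for this memory type.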

 
 