NIAP: U.S. Government Approved Protection Profile - collaborative Protection Profile for Full Drive Encryption - Encryption Engine ...
NIAP/CCEVS

Short Name: cpp_fde_ee_v2.0

Technology Type: Encrypted Storage

CC Version: 3.1

Date: 09 September 2016

Transition End Date: 09 March 2017

Preceded By: cpp_fde_ee_v1.0

Conformance Claim: None

 

PP OVERVIEW

The purpose of the Collaborative Protection Profiles (cPPs) for Full Drive Encryption (FDE): Authorization Acquisition (AA) and Encryption Engine (EE) is to provide requirements for Data-at-Rest protection for a lost device that contains storage. These cPPs allow FDE solutions based in software and/or hardware to meet the requirements. The form factor for a storage device may vary, but could include: system hard drives/solid state drives in servers, workstations, laptops, mobile devices, tablets, and external media. A hardware solution could be a Self-Encrypting Drive or other hardware-based solutions; the interface (USB, SATA, etc.) used to connect the storage device to the host machine is outside the scope of this cPP.
     
Full Drive Encryption encrypts all data (with certain exceptions) on the storage device and permits access to the data only after successful authorization to the FDE solution. The exceptions include the necessity to leave a portion of the storage device (the size may vary based on implementation) unencrypted for such things as the Master Boot Record (MBR) or other AA/EE pre-authentication software. These FDE cPPs interpret the term “full drive encryption” to allow FDE solutions to leave a portion of the storage device unencrypted so long as it contains no plaintext user or plaintext authorization data.

The FDE cPP - Encryption Engine describes the requirements for the Encryption Engine piece and details the necessary security requirements and assurance activities for the actual encryption/decryption of the data by the DEK. Each cPP will also have a set of core requirements for management functions, proper handling of cryptographic keys, updates performed in a trusted manner, audit and self-tests.      

Assigned to the following Validated Products

Related Technical Decisions

  • 0345 – FIT Technical Decision for Key Destruction and KMD Documentation
  • 0312 – FIT Technical Decision for Key and Key Material Protection
  • 0311 – FIT Technical Decision on CC Conformance Claims
  • 0310 – FIT Technical Decision for Firmware Update Authentication
  • 0309 – FIT Technical Decision for Random Bit Generation
  • 0308 – FIT Technical Decision for Cryptographic Operation Signature Verification and Hash Algorithm
  • 0233 – FIT Technical Decision for Contents in Selected Long Message Test – Bit-oriented Mode
  • 0229 – FIT Technical Decision for Validation attempt threshold config.

Please forward any questions or comments to pp-comments@niap-ccevs.org
