The following changes are made to MOD_FEEM_V1.0:
Section 4.1
FCS_COP.1(7) is deleted from O.KEY_MATERIAL_SERVER
Section 5.2.1
FCS_COP.1(5) is modified as shown below, with underlines denoting additions:
FCS_COP.1.1(5) The TSF shall [selection:
- not perform key wrapping,
- use platform-provided functionality to perform Key Wrapping,
- implement functionality to perform Key Wrapping in accordance with a specified cryptographic algorithm [AES] in the following modes [selection:
- Key Wrap,
- Key Wrap with Padding,
- GCM mode,
- CCM mode,
- CBC mode
] and the cryptographic key size [selection: 128 bits (AES), 256 bits (AES)] that meet the following: [selection:
- “NIST SP 800-38C”,
- “NIST SP 800-38D”,
- “NIST SP 800-38F”,
- “NIST SP 800-38A”
] and no other standards
].
FCS_COP.1(7) is deleted.
FCS_KYC_EXT.1.1: The bullets that refer to FCS_COP.1(7) are deleted
Section 5.2.4
FPT_KYP_EXT.1.1: The SFR is modified as follows, with strikethroughs denoting deletions:
FPT_KYP_EXT.1.1 The TSF shall store keys in non-volatile memory only when [selection:
- wrapped, as specified in FCS_COP.1(5),
- encrypted, as specified in FCS_COP.1(1) (from [AppPP]),
- the plaintext key is stored in the underlying platform's keystore as specified by FCS_STO_EXT.1.1 (from [AppPP]),
- the plaintext key is stored in a SQL database in the Operational Environment,
- the plaintext key is not part of the key chain as specified in FCS_KYC_EXT.1.,
- the plaintext key will no longer provide access to the encrypted data after initial provisioning,
- the plaintext key is a key split that is combined as specified in FCS_SMC_EXT.1 and another contribution to the split is [selection: wrapped as specified in FCS_COP.1(5) or
encrypted as specified in FCS_COP.1(7), derived and not stored in non-volatile memory] ,
- the plaintext key is stored on an external storage device for use as an authorization factor.,
- the plaintext key is used to encrypt a key as specified in FCS_COP.1(7) or wrap a key as specified in FCS_COP.1(5) that is already encrypted as specified in FCS_COP.1(7)
or wrapped as specified in FCS_COP.1(5)
].
Section 6.1.4
The entry for FCS_COP.1(7) is deleted
Section D.2
FCS_KYC_EXT.1.1: The bullets that refer to FCS_COP.1(7) are deleted
FPT_KYP_EXT.1.1: The SFR is modified as follows, with strikethroughs denoting deletions:
FPT_KYP_EXT.1.1 The TSF shall store keys in non-volatile memory only when [selection:
- wrapped, as specified in FCS_COP.1(5),
- encrypted, as specified in FCS_COP.1(1) (from [AppPP]),
- the plaintext key is stored in the underlying platform's keystore as specified by FCS_STO_EXT.1.1 (from [AppPP]),
- the plaintext key is stored in a SQL database in the Operational Environment,
- the plaintext key is not part of the key chain as specified in FCS_KYC_EXT.1.,
- the plaintext key will no longer provide access to the encrypted data after initial provisioning,
- the plaintext key is a key split that is combined as specified in FCS_SMC_EXT.1 and another contribution to the split is [selection: wrapped as specified in FCS_COP.1(5) or
encrypted as specified in FCS_COP.1(7), derived and not stored in non-volatile memory] ,
- the plaintext key is stored on an external storage device for use as an authorization factor.,
- the plaintext key is used to encrypt a key as specified in FCS_COP.1(7) or wrap a key as specified in FCS_COP.1(5) that is already encrypted as specified in FCS_COP.1(7)
or wrapped as specified in FCS_COP.1(5)
].
The following changes are made to MOD_FEEM_V1.0 SD:
Section 2.1.3
FCS_COP.1(5): The following sentence is added to the Tests Evaluation Activities just before the AES Key Wrap test:
The assurance activity tests specified for AES in CBC mode in the underlying [AppPP] shall be performed in the case that "CBC" is selected in the requirement.
FCS_COP.1(7) is deleted.