Version: 1, Published: 2025-05-19

Impacted Documents

  • CPP_HCD_V1.0e

References

CPP:

  • B.1.1 FPT_KYP_EXT.1 Extended: Protection of Key and Key Material

  • D.5.3.1 FPT_KYP_EXT.1 Extended: Protection of Key and Key Material

Issue Description

The appropriate option for the case of the start point of the key chain being protected by a TPM-like device is not clear.

The last sentence (*) in the Application Note appears to conflict with the intention of the option "the key is protected by another key that is not part of the key chain as specified in FCS_KYC_EXT.1", which was intended to avoid cryptographic verification of the cryptographic functions provided by a TPM-like device.

(*) "In the case where a encrypted key is stored on media that is decrypted by a key stored in a protected storage device, the selection for encrypting or wrapping a key that is already encrypted or wrapped should be used."

We need to clarify which option should be selected for the case where the start point of the key chain is protected by a TPM-like device.

Resolution

  • Modify FPT_KYP_EXT.1 SFR with updated selections and update Application Note to provide clarification.

CPP_HCD_V1.0e

  • Modify FPT_KYP_EXT.1 and Application Note (Appendix B, Appendix D):

FPT_KYP_EXT.1.1 The TSF shall [selection:

  • not store keys in non-volatile memory,

  • only store keys in non-volatile memory when [selection: "wrapped, as specified in FCS_COP.1/KeyWrap, or encrypted, as specified in FCS_COP.1/KeyEnc or FCS_COP.1/KeyTransport", "encrypted or wrapped within a protected storage device using a key stored within that device"],

  • only store plaintext keys that meet any one of the following criteria [selection:

    • the key is protected by another key that is not part of the key chain as specified in FCS_KYC_EXT.1,

    • the key will no longer provide access to the encrypted data after initial provisioning,

    • the key is a key split that is combined as specified in FCS_SMC_EXT.1, and the other half of the key split is [selection:

      • wrapped as specified in FCS_COP.1/KeyWrap,

      • encrypted as specified in FCS_COP.1/KeyEnc or FCS_COP.1/KeyTransport,

      • derived and not stored in non-volatile memory],

    • the key is [selection: used to wrap a key as specified in FCS_COP.1/KeyWrap, used to encrypt a key as specified in FCS_COP.1/KeyEnc or FCS_COP.1/KeyTransport] that is already [selection: wrapped as specified in FCS_COP.1/KeyWrap, encrypted as specified in FCS_COP.1/KeyEnc or FCS_COP.1/KeyTransport],

    • the non-volatile memory where the key is stored on is located in a protected storage device]

].

Application Note:

The keys must be protected from unauthorized access and must not be stored on any nonvolatile storage device without protection. If the keys exist within protected memory that is not user accessible on the TOE or OE, the key can be used to protect the BEV or the DEK only if the key is:

  1. a key that is protected by another key that is not a part of the key chain; or

  2. a key split, or a key that provides additional layers of wrapping or encryption on keys that have already been protected; or

  3. a key whose nonvolatile memory is located in a protected storage device and which is protected from unauthorized access.

The selections "the non-volatile memory the key is stored on is located in a protected storage device" and "the key is protected by another key that is not part of the key chain as specified in FCS_KYC_EXT.1" should be applied to the start (or root) of a key chain, not to intermediate keys in the key chain. If the selection "the key is protected by another key that is not part of the key chain as specified in FCS_KYC_EXT.1" is selected, vendors will need to explain what the other key that is not in the key chain is, and how that "other key" is used to protect the key (for example, a public key used for encryption, or keys only used within a protected storage device or separate coprocessor).

An example of another key that is not a part of the key chain is as follows. If a key is generated, stored, used and protected from disclosure within a protected storage device or separate co-processor, and the key is not exportable as a plaintext key, then the key is considered not to belong to the key chain.

The protected storage device can protect stored data from unauthorized access and the nonvolatile memory in it is not accessible from outside of the TOE. Examples of protected storage devices include Secure Elements (SE), Trusted Platform Modules (TPM), Hardware Security Modules (HSM), Trusted Execution Environments (TEE), Secure Enclave Processors (SEP), and so on.

In the case where an encrypted key is stored on media and is decrypted by a key stored in a protected storage device, the selection for encrypting or wrapping a key that is already encrypted or wrapped within a protected storage device using a key stored within that device should be used. In this case, the key that the protected storage device generates and stores internally is considered to be the starting point of the key chain, so "the non-volatile memory where the key is stored on is located in a protected storage device" must also be selected as a means of protecting that key.

Testing of cryptographic functions implemented in the protected storage device may not be feasible and independent testing may not be available. In this situation, contact the CC Scheme.
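As an added illustration (not part of this TD or the cPP), the following self-check maps each key in a described key chain to the FPT_KYP_EXT.1 selection that justifies its storage, using the rules above: a root key may sit in a protected storage device or be protected by a key outside the chain, a key encrypted by a device-resident key takes the "within a protected storage device" selection, and every other intermediate key must be wrapped or encrypted per FCS_COP.1. Key names, the `Key` model and the two constructed chains are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Protected storage devices as listed in the Application Note.
PROTECTED_DEVICES = {"SE", "TPM", "HSM", "TEE", "SEP"}


@dataclass
class Key:
    name: str
    storage: str                        # "volatile", "nvm", or a device from PROTECTED_DEVICES
    protected_by: Optional[str] = None  # key that wraps/encrypts this one; None = plaintext
    method: Optional[str] = None        # FCS_COP.1 iteration: "KeyWrap", "KeyEnc", "KeyTransport"
    in_chain: bool = True               # False for a key outside the FCS_KYC_EXT.1 key chain


def selection_for(key: Key, keys: dict) -> str:
    """Return the FPT_KYP_EXT.1 selection covering this key, or raise ValueError
    when no selection applies (that is a finding for the evaluator to chase)."""
    if key.storage == "volatile":
        return "not stored in non-volatile memory"
    parent = keys.get(key.protected_by) if key.protected_by else None
    if parent is None:
        # Plaintext key: only permitted when the NVM itself is in a protected device.
        if key.storage in PROTECTED_DEVICES:
            return "plaintext: non-volatile memory is located in a protected storage device"
        raise ValueError(f"{key.name}: plaintext key in unprotected non-volatile memory")
    if not parent.in_chain:
        # Root-of-chain case; the vendor must explain what the 'other key' is.
        return "plaintext: protected by another key that is not part of the key chain"
    if parent.storage in PROTECTED_DEVICES:
        # The TPM case from the Application Note: decrypted by a device-resident key.
        return ("encrypted or wrapped within a protected storage device "
                "using a key stored within that device")
    if key.method in ("KeyWrap", "KeyEnc", "KeyTransport"):
        return f"{key.method} as specified in FCS_COP.1/{key.method}"
    raise ValueError(f"{key.name}: protected by {parent.name} without an FCS_COP.1 method")


def check_chain(keys: list) -> dict:
    """Classify every key in the chain; returns {key name: selection}."""
    by_name = {k.name: k for k in keys}
    return {k.name: selection_for(k, by_name) for k in keys}


# Constructed chain matching the TPM case: TPM-resident root key (start of the
# chain) -> KEK on disk encrypted by that key -> DEK wrapped by the KEK.
TPM_CHAIN = [
    Key("tpm_root", storage="TPM"),
    Key("kek", storage="nvm", protected_by="tpm_root", method="KeyEnc"),
    Key("dek", storage="nvm", protected_by="kek", method="KeyWrap"),
]
# Constructed counterexample: the KEK is a plaintext key on ordinary storage.
BAD_CHAIN = [Key("kek", storage="nvm"), Key("dek", storage="nvm", protected_by="kek", method="KeyWrap")]
```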

Tracking