Specifications
O.RESIDUAL_INFORMATION
FDP_RIP.1(1) is used to ensure the contents of resources are not available once the
resource is reallocated. For this TOE it is critical that the memory used to build network
packets is either cleared or that some buffer management scheme be employed to
prevent the contents of a packet being disclosed in a subsequent packet (e.g., if padding
is used in the construction of a packet, it must not contain another user’s data or TSF
data).
FCS_CKM_(EXT).2 places requirements on how cryptographic keys are managed
within the TOE. This requirement places restrictions in addition to FDP_RIP.1(1), in
that when a cryptographic key is moved from one location to another (e.g., calculated in
some scratch memory and moved to a permanent location), the memory area it was
moved from is immediately cleared, as opposed to waiting until that memory is
reallocated to another subject.
FCS_CKM.4 applies to the destruction of cryptographic keys used by the TSF. This
requirement specifies how and when cryptographic keys must be destroyed. The proper
destruction of these keys is critical in ensuring the content of these keys cannot possibly
be disclosed when a resource is reallocated to a user.
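As an added illustration, not part of this Security Target, the two mechanisms the rationale describes in C: a reused transmit buffer whose padding is either left stale (the FDP_RIP.1(1) failure) or explicitly zeroed, and a key move that wipes its scratch area at once rather than on reallocation. The frame size, the two users' payloads and the key bytes are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#define PKT_LEN 16   /* fixed frame size, constructed for this example */
/* Zeroing the compiler cannot elide: volatile byte stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}
/* Leaky builder: out[len..PKT_LEN) keeps whatever the previous packet left behind. */
size_t build_packet_leaky(const unsigned char *payload, size_t len, unsigned char *out) {
    if (len > PKT_LEN) len = PKT_LEN;
    memcpy(out, payload, len);
    return PKT_LEN;
}
/* Hardened builder: the padding is explicitly zeroed before the frame is sent. */
size_t build_packet_clean(const unsigned char *payload, size_t len, unsigned char *out) {
    if (len > PKT_LEN) len = PKT_LEN;
    memcpy(out, payload, len);
    memset(out + len, 0, PKT_LEN - len);
    return PKT_LEN;
}
/* 1 if any padding byte after a len-byte payload is non-zero. */
int padding_is_dirty(const unsigned char *pkt, size_t len) {
    for (size_t i = len; i < PKT_LEN; i++) if (pkt[i]) return 1;
    return 0;
}
/* Key move per FCS_CKM_(EXT).2: copy to the permanent home, wipe scratch immediately. */
void move_key(unsigned char *scratch, unsigned char *permanent, size_t klen) {
    memcpy(permanent, scratch, klen);
    secure_wipe(scratch, klen);
}
/* User A's 16-byte frame, then user B's 4-byte frame, through one shared buffer.
 * Returns 1 when the leaky builder exposes A's bytes and the clean one does not. */
int demo_padding(void) {
    unsigned char buf[PKT_LEN], a[PKT_LEN], b[4] = {'B', 'B', 'B', 'B'};
    memset(a, 'A', PKT_LEN);
    build_packet_clean(a, PKT_LEN, buf);   /* user A's traffic fills the buffer */
    build_packet_leaky(b, sizeof b, buf);  /* user B: 12 stale 'A' bytes follow */
    int leaked = padding_is_dirty(buf, sizeof b);
    build_packet_clean(b, sizeof b, buf);
    return leaked && !padding_is_dirty(buf, sizeof b);
}
/* Returns 1 when the key arrived intact and no byte of it remains in scratch. */
int demo_key_move(void) {
    unsigned char scratch[32], permanent[32];
    memset(scratch, 0x5A, sizeof scratch);  /* stand-in for a freshly derived key */
    move_key(scratch, permanent, sizeof scratch);
    for (size_t i = 0; i < sizeof scratch; i++)
        if (permanent[i] != 0x5A || scratch[i] != 0) return 0;
    return 1;
}
```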
O.SELF_PROTECTION
ADV_ARC.1 provides the security architecture description of the security domains
maintained by the TSF that are consistent with the SFRs. Since self-protection is a
property of the TSF that is achieved through the design of the TOE and TSF, and
enforced by the correct implementation of that design, self-protection will be achieved
by that design and implementation.
FTP_ITT.1 provides self-protection by protecting communications between TOE
components.
O.TIME_STAMPS
FPT_STM_(EXT).1 requires that the TOE be able to provide reliable time stamps for its
own use and therefore partially satisfies this objective. Time stamps include the date and
time, and are reliable in that they are always available to the TOE and the clock must be
monotonically increasing.