TecSec PIV Eagle Card - Contact
FIPS 140-2 Cryptographic Module Security Policy

Version: 1.0
Date: 11 March 2009

Athena and TecSec Public Material - may be reproduced only in its original entirety (without revision)

Athena Smartcard Inc., 20380 Town Center Lane, Suite 240, Cupertino, CA 95014
TecSec Inc., 1048 Dead Run Drive McLean, VA 22101

Copyright Athena Smartcard Inc. and TecSec Inc., 2009

CONTENTS

1 CRYPTOGRAPHIC MODULE OVERVIEW
    1.1 INTRODUCTION
    1.2 PHYSICAL CRYPTOGRAPHIC MODULE
    1.3 CRYPTOGRAPHIC MODULE BOUNDARY
    1.4 HARDWARE
    1.5 FIRMWARE
    1.6 SOFTWARE
2 SECURITY LEVEL
3 CRYPTOGRAPHIC MODULE SPECIFICATION
    3.1 PHYSICAL INTERFACES
    3.2 LOGICAL INTERFACES
4 MODULE CRYPTOGRAPHIC FUNCTIONS
    4.1 RANDOM NUMBER GENERATORS
    4.2 CRYPTOGRAPHIC ALGORITHMS
    4.3 CRITICAL SECURITY PARAMETERS
5 ROLES AND SERVICES
    5.1 ROLES
    5.2 IDENTIFICATION
    5.3 ROLE AUTHENTICATION
        5.3.1 Card Administrator and PIV Application Provider Authentication
        5.3.2 PIV User Authentication
        5.3.3 PIV PIN Administrator Authentication
        5.3.4 PIV Application Administrator Authentication
    5.4 SERVICES
        5.4.1 Card Administrator Services
        5.4.2 PIV Application Provider Services
        5.4.3 PIV User Services
        5.4.4 PIV PIN Administrator Services
        5.4.5 PIV Application Administrator Services
        5.4.6 Public Operator Services
        5.4.7 Relationship between services and roles
        5.4.8 Relationship between services and CSPs
    5.5 SETTING MODULE IN APPROVED MODE OF OPERATION
    5.6 VERIFYING MODULE IS IN APPROVED MODE OF OPERATION
6 SELF-TESTS
    6.1 POWER-ON SELF-TESTS
    6.2 CONDITIONAL SELF-TESTS
7 SECURITY RULES
    7.1 PHYSICAL SECURITY
    7.2 AUTHENTICATION SECURITY RULES
    7.3 APPLICATION LIFECYCLE SECURITY RULES
    7.4 ACCESS CONTROL SECURITY RULES
    7.5 KEY AND PIN MANAGEMENT SECURITY RULES
    7.6 ELECTROMAGNETIC INTERFERENCE/COMPATIBILITY (EMI/EMC)
8 MITIGATION OF OTHER ATTACKS
9 SECURITY POLICY CHECK LIST
    9.1 ROLES AND REQUIRED AUTHENTICATION
    9.2 STRENGTH OF AUTHENTICATION MECHANISM
    9.3 SERVICES AUTHORIZED FOR ROLES
    9.4 MITIGATION OF ATTACKS
10 REFERENCES
11 ACRONYMS AND DEFINITIONS

List of Figures

Figure 1 - TecSec PIV Eagle Card - Contact (chip mounted and potted)
Figure 2 - TecSec PIV Eagle Card - Contact CM and connectors

List of Tables

Table 1 - Supported Cryptographic Services
Table 2 - Security Level of Security Requirements
Table 3 - Physical Interfaces
Table 4 - Logical Interfaces
Table 5 - Roles description
Table 6 - Identity Authentication
Table 7 - Services and associated roles
Table 8 - Roles and Required Identification and Authentication
Table 9 - Strengths of Authentication Mechanisms
Table 10 - Services Authorized for Roles
Table 11 - Mitigation of Other Attacks
Table 12 - References
Table 13 - Acronyms and Definitions

1 CRYPTOGRAPHIC MODULE OVERVIEW

1.1 INTRODUCTION

This document defines the Security Policy for the TecSec PIV Eagle Card - Contact cryptographic module (CM). This module is validated to overall FIPS 140-2 Level 2 with Cryptographic Module Specification, Roles, Services, and Authentication, Cryptographic Key Management, EMI/EMC, and Design Assurance Level 3 and Physical Security Level 4. This document contains a description of the CM, its interfaces and services, the intended operators and the security policies enforced in the approved mode of operation.

The primary purpose of this device is to enable the creation of a dual-chip PIV smart card as described in [FIPS201] that is fully compliant with the end-point service specified in [SP800-73-1].

The CM is a single Integrated Circuit Chip and is specifically designed to resist non-evident tampering by both physical and electronic means.
The CM is physically connected to a smart card contact plate as defined in [7816-1] and [7816-2] and communicates in T=0 and T=1 as specified in [7816-3].

The NPIVP Certificate associated with this module is PIV Card Application Cert. #11.

The CM is a hardware module which contains two Java Card applets implementing the PIV functionality (the software) running on a GlobalPlatform Java Card operating system (the firmware).

Software: P/N TecSec Contact PIV Applet Version 1.01 JCT
Firmware: P/N Athena IDProtect XL Version 010A.7204.0004
Hardware: P/N Atmel AT90SC144144CT Revision G

1.2 PHYSICAL CRYPTOGRAPHIC MODULE

Figure 1 - TecSec PIV Eagle Card - Contact (chip mounted and potted)

1.3 CRYPTOGRAPHIC MODULE BOUNDARY

The cryptographic boundary is the edge of the chip itself, and not the entire smart card. The CM will typically be embedded into a plastic smart card body and connected to an ISO 7816 compliant contact plate. The CM boundary separates the chip from the card and contact plate.

Figure 2 - TecSec PIV Eagle Card - Contact CM and connectors

1.4 HARDWARE

The Atmel secureAVR family is a low-power, high-performance, 8-/16-bit microcontroller with ROM program memory, EEPROM code or data memory, based on an enhanced RISC architecture. By executing powerful instructions in a single clock cycle, the Atmel secureAVR family achieves throughputs close to 1 MIPS per MHz.
Its Harvard architecture includes 32 general-purpose working registers directly connected to the Arithmetic Logical Unit (ALU), allowing two independent registers to be accessed in one single instruction executed in one clock cycle.

The Atmel secureAVR family allows the linear addressing of up to 8M bytes of code and up to 16M bytes of data as well as a number of functional and security features.

The Atmel secureAVR family features high-performance EEPROM (fast erase/write time, high endurance). The ability to map the EEPROM in the code space allows parts of the program memory to be reprogrammed in-system.

The cryptographic accelerator featured in the Atmel secureAVR family is the new AdvX, an N-bit multiplier-accumulator dedicated to performing fast encryption and authentication functions. All cryptographic routines are executed on the secureAVR core which uses the AdvX accelerator during encryption/decryption. AdvX is based on a 32-bit technology, thus enabling fast computation and low power operation. AdvX supports standard finite field arithmetic functions (including RSA) and arithmetic functions.

Additional security features include power, frequency and temperature protection logic, logical scrambling on program data and addresses, power analysis countermeasures, and memory accesses controlled by a supervisor mode.

This product is specifically designed for smart cards and targets ID applications.

The CM chip is an Atmel AT90SC144144CT Revision G.

1.5 FIRMWARE

The embedded operating system is GlobalPlatform and Java Card compliant, is loaded on an Atmel secureAVR family smart card chip and supports communication protocols T=0 and T=1.

GlobalPlatform
• GlobalPlatform, Card Specification, Version 2.1.1, March 2003
• GlobalPlatform, Card Specification 2.1.1, Amendment A, March 2004

Java Card
• Runtime Environment Specification, Java Card Platform, Version 2.2.2, March 2006
• Application Programming Interface, Java Card Platform, Version 2.2.2, March 2006
• Virtual Machine Specification, Java Card Platform, Version 2.2.2, March 2006

Communication
• Protocol T=0 with PPS for speed enhancement
• Protocol T=1 with PPS for speed enhancement

The GlobalPlatform external interface and internal API allows for application loading and unloading and for secure communication between an application and a terminal. In particular, it allows for the loading of a special application called a Supplementary Security Domain that allows an Application Provider to separate their key space from the Card Administrator.

The Java Card API provides a large set of cryptographic services. Some of these services rely on hardware.

Support for Random Numbers
    DRNG              ANSI X9.31 two key TDES deterministic RNG seeded with the hardware RNG

Support for Message Digest
    SHA-1, SHA-256    FIPS 180-2 Secure Hash Standard compliant hashing algorithms

Support for Signature
    RSA PKCS#1        1024- to 2048-bit in 32-bit increments
    TDES              112- and 168-bit ECB and CBC
    TDES MAC          Vendor affirmed

Support for Cipher
    AES               128-, 192- and 256-bit ECB and CBC
    RSA               1024- to 2048-bit in 32-bit increments

Support for On-Card Key Generation
    RSA PKCS#1        1024- to 2048-bit (non-callable) in 32-bit increments

Table 1 - Supported Cryptographic Services

1.6 SOFTWARE

The PIV and PIV SSD applets are written in Java (as limited by the Java Card standards).

2 SECURITY LEVEL

This section details the security level met by this Cryptographic Module for each Security Requirement.

Security Requirement                          Security Level
Cryptographic Module Specification            3
Cryptographic Module Ports and Interfaces     2
Roles, Services, and Authentication           3
Finite State Model                            2
Physical Security                             4
Operational Environment                       NA
Cryptographic Key Management                  3
EMI/EMC                                       3
Self-Tests                                    2
Design Assurance                              3
Mitigation of Other Attacks                   2

Table 2 - Security Level of Security Requirements

3 CRYPTOGRAPHIC MODULE SPECIFICATION

This module includes the Issuer Security Domain which allows the Card Issuer to manage the operating system and card content, and the PIV application that provides the end-point services specified in [800-73-1].

The Issuer Security Domain is the on-card representative of the Card Issuer. The ISD has application characteristics such as application AID, application privileges, and Life Cycle State (the Issuer Security Domain inherits the Life Cycle State of the card).

The PIV application comprises two Java Card technology applets: the PIV applet itself and the PIV SSD applet that allows personalization of the PIV applet.

If additional applications are loaded into this module, then these applications require a separate FIPS 140-2 validation.

3.1 PHYSICAL INTERFACES

This module provides a contact interface that is fully compliant with ISO/IEC 7816.

Interface    Description
RST          External Reset signal
I/O          Input/Output
CLK          External Clock signal, 1 - 10.1MHz
VCC          Supply Voltage Power, 1.62 - 5V
GRD          Ground

Table 3 - Physical Interfaces

This module supports two transmission half-duplex oriented protocols: T=0 and T=1. Up to 256 bytes of data can be exchanged through one APDU command.

3.2 LOGICAL INTERFACES

The cryptographic module functions as a slave processor to process and respond to the reader commands. The I/O ports of the platform provide the following logical interfaces:

Interface     ISO 7816
Data In       I/O Pin
Data Out      I/O Pin
Status Out    I/O Pin
Control In    I/O, CLK and RST Pins

Table 4 - Logical Interfaces

4 MODULE CRYPTOGRAPHIC FUNCTIONS

The purpose of the TecSec PIV Eagle Card - Contact CM is to be integrated into a FIPS 201 end-point compliant dual-chip PIV smart card as the contact chip.

4.1 RANDOM NUMBER GENERATORS

The module includes the following Approved random number generators:
• An ANSI X9.31 112-bit key TDES deterministic random number generator (DRNG) CAVP RNG Certificate #364.

4.2 CRYPTOGRAPHIC ALGORITHMS

The module includes the following Approved cryptographic algorithms:
• SHA-1 and SHA-256 CAVP SHS Certificate #674
• TDES CAVP TDES Certificate #592
    o Encrypt/decrypt (for confidentiality purposes)
    o MAC (vendor affirmed, for integrity and authentication purposes)
    o CBC and ECB modes
    o 112- and 168-bit key lengths
• AES CAVP AES Certificate #639
    o Encrypt/decrypt
    o CBC and ECB modes
    o 128-, 192- and 256-bit key lengths
• RSA CAVP RSA Certificate #292
    o PKCS#1 sign/verify
    o 1024- and 2048-bit key lengths

The module supports the following FIPS non-Approved security functions:
• RSA PKCS#1 encrypt/decrypt (key wrapping; key establishment methodology provides 80-bits or 112-bits of encryption strength), this functionality is only used for interoperability purposes. This service is only used to authenticate the module to external systems.
• A hardware random number generator (HRNG) that is used for seeding the FIPS Approved DRNG.

4.3 CRITICAL SECURITY PARAMETERS

This module includes the following CSPs. No interface is provided to retrieve any of these CSPs.

TDES Keys

Key Secure Storage Key
This CSP (KSSK) is a 16-byte TDES Key used to encrypt all other secret and private keys of this module when stored in EEPROM (that is, all TDES, AES and RSA keys). It is generated at first reset of the card using the DRNG. Keys secured with the KSSK are encrypted when created and decrypted each time they are used.

PIN Secure Storage Key
This CSP (PSSK) is a 16-byte TDES Key used to encrypt all PINs of this module when stored in EEPROM (that is, Java Card OwnerPIN objects). It is generated at first reset of the card using the DRNG. PIN values are encrypted when created and never decrypted.
Candidate PINs are encrypted with PSSK to perform the comparison.

CA ISD Key Set
This CSP is a set of three TDES keys used to manage GlobalPlatform Secure Channel Sessions between the ISD and the Card Administrator using Secure Channel Protocol 01 option 05:
- CA-Kenc: Used to derive CA Session Key that will encrypt command data within a Secure Channel Session with C-DECRYPTION Security Level.
- CA-Kmac: Used to derive CA Session Key that will guarantee integrity of any data within a Secure Channel Session with C-MAC Security Level.
- CA-Kkek: Key Encryption Key used to encrypt the CA ISD Key Sets that are loaded in the CM with the PUT KEY APDU command within a Secure Channel Session.

CA Session Key Set
This CSP is a set of two TDES keys derived during the GlobalPlatform Secure Channel Session establishment from a selected CA ISD Key Set using Secure Channel Protocol 01 option 05. These two keys are used to secure exchanges from the Card Administrator to the ISD:
- CA-Senc: Encryption Session Key used to encrypt data exchanged within a Secure Channel Session with C-DECRYPTION Security Level.
- CA-Smac: MAC Session Key used to guarantee integrity of any data exchanged within a Secure Channel Session with C-MAC Security Level and to authenticate the Card Administrator.

PIV SSD Key Set
This CSP is a set of three TDES keys used to manage GlobalPlatform Secure Channel Sessions between the SSD and the Application Provider using Secure Channel Protocol 01 option 05:
- PIVSSD-Kenc: Used to derive PIVSSD Session Key that will encrypt command data within a Secure Channel Session with C-DECRYPTION Security Level.
- PIVSSD-Kmac: Used to derive PIVSSD Session Key that will guarantee integrity of any data within a Secure Channel Session with C-MAC Security Level.
- PIVSSD-Kkek: Key Encryption Key used to encrypt the PIVSSD SSD Key Sets that are loaded in the CM with the PUT KEY command within a Secure Channel Session.

PIV SSD Session Key Set
This CSP is a set of two TDES keys derived during the GlobalPlatform Secure Channel Session establishment from a selected PIV SSD Key Set using Secure Channel Protocol 01 option 05. These two keys are used to secure exchanges from the Application Provider to the PIV SSD:
- PIVSSD-Senc: Encryption Session Key used to encrypt data exchanged within a Secure Channel Session with C-DECRYPTION Security Level.
- PIVSSD-Smac: MAC Session Key used to guarantee integrity of any data exchanged within a Secure Channel Session with C-MAC Security Level and to authenticate the Application Provider.

PIV Card Application Administrator Key
This CSP is a TDES key that is used to establish and control access to the data objects and keys within the PIV applet.

PINs

PIV User PIN
This CSP is the PIV User PIN available on the PIV applet API. It is created by the PIV applet (as a Java OwnerPIN object) and is used to authenticate the PIV User.

PIV User PIN Unblock PIN (PUK)
This CSP is the PIN that is used to unblock the PIV User PIN. It is created by the PIV applet (as a Java OwnerPIN object).

RSA Private Keys

PIV Card Authentication Private Key
This CSP is the RSA Private Key that corresponds to the X.509 Certificate for PIV Authentication as defined in the PIV specifications (see [SP800-73-1]). Only the PIV User can use this key and only PIV Application Provider or PIV Application Administrator can generate or replace this key.

PIV Card Application Digital Signature Key
This CSP is the RSA Private Key that corresponds to the X.509 Certificate for Digital Signature as defined in the PIV specifications (see [SP800-73-1]).
Only the PIV User can use this key and only PIV Application Provider or PIV Application Administrator can generate or replace this key.

PIV Card Application Key Management Key
This CSP is the RSA Private Key that corresponds to the X.509 Certificate for Key Management as defined in the PIV specifications (see [SP800-73-1]). Only the PIV User can use this key and only PIV Application Provider or PIV Application Administrator can generate or replace this key.

PIV Card Authentication Key
This CSP is the RSA Private Key that corresponds to the X.509 Certificate for PIV Card Authentication as defined in the PIV specifications (see [SP800-73-1]). Any User can use this key and only PIV Application Provider or PIV Application Administrator can generate or replace this key. The CSP is not retrievable from the CM and is used by external systems to prove the identity of the CM, not the user. It is a CM Identity CSP.

RSA Public Keys

PIV Authentication Public Key
This CSP is the RSA Public key that is generated by the card and used to create the X.509 Certificate for PIV Authentication as defined in the PIV specifications (see [SP800-73-1]). This key is returned by the card when the matching RSA Private Key is generated. Only the PIV Application Provider or PIV Application Administrator can generate this key. This key is not stored on the card when it is generated. No card services can use this key.

PIV Card Application Digital Signature Key
This CSP is the RSA Public key that is generated by the card and used to create the X.509 Certificate for PIV Card Application Digital Signature as defined in the PIV specifications (see [SP800-73-1]). This key is returned by the card when the matching RSA Private Key is generated. Only the PIV Application Provider or PIV Application Administrator can generate this key. This key is not stored on the card when it is generated. No card services can use this key.

PIV Card Application Key Management Key
This CSP is the RSA Public key that is generated by the card and used to create the X.509 Certificate for PIV Card Application Key Management as defined in the PIV specifications (see [SP800-73-1]). This key is returned by the card when the matching RSA Private Key is generated. Only the PIV Application Provider or PIV Application Administrator can generate this key. This key is not stored on the card when it is generated. No card services can use this key.

PIV Card Authentication Key
This CSP is the RSA Public key that is generated by the card and used to create the X.509 Certificate for PIV card authentication as defined in the PIV specifications (see [SP800-73-1]). This key is returned by the card when the matching RSA Private Key is generated. Only the PIV Application Provider or PIV Application Administrator can generate this key. This key is not stored on the card when it is generated. No card services can use this key.

RNG Seed Values

DRNG Seed and DRNG Seed Key
This CSP is an internal value computed using the NDRNG and stored in the processor RAM. These values are not accessible to any user. The hardware processor overwrites all RAM during reset which will destroy any prior values of the DRNG Seed and DRNG Seed Key. The DRNG is the only card service that uses these values.

NDRNG Seed
This CSP is an internal value computed during the initialization of the operating system. The seed value is initially placed into the NDRNG during the OS start-up and is continually modified as the processor is powered.
Therefore it is not possible to recover this value, and it is cleared during a power cycle. No user has access to this value.

5 ROLES AND SERVICES

5.1 ROLES

Cryptographic Officer Roles

Card Administrator
    This role is responsible for managing the security configuration of the module. The Card Administrator authenticates to the module through the GlobalPlatform mutual authentication protocol. This protocol is based on the sharing of a TDES key set between him and the embedded Issuer Security Domain (ISD). Once authenticated, the Card Administrator is able to execute the services provided by the ISD in a Secure Channel Session (see [GP] for more details).

User Roles

PIV Application Provider
    This role is responsible for managing the security configuration of a loaded application. The PIV Application Provider authenticates to the module through the GlobalPlatform mutual authentication protocol. This protocol is based on the sharing of a TDES key set between him and the embedded Security Domain (SD) associated with the application. Once authenticated, the PIV Application Provider is able to execute the services provided by the application in a Secure Channel Session. This includes creating PIV RSA keys, putting PIV objects into the PIV applet and putting PIV RSA Private keys into the PIV applet.

PIV User
    This role has knowledge of the PIV User PIN and can perform cryptographic operations using the keys stored in the PIV applet. The PIV User authenticates to the module through the PIV applet by presenting the PIV User PIN. Once authenticated, the PIV User is able to execute the services provided by the PIV applet.

PIV PIN Administrator
    This role has knowledge of the PIV User PIN Unblock PIN (PUK) and can unblock the PIV User PIN and establish a new PIV User PIN. The PIV PIN Administrator authenticates to the module through the PIV applet by presenting the PUK in the CHANGE REFERENCE DATA or RESET RETRY COUNTER APDU commands. The PIV PIN Administrator is allowed to perform the CHANGE REFERENCE DATA or RESET RETRY COUNTER APDU commands in the PIV applet.

PIV Application Administrator
    This role has knowledge of the PIV Card Application Administrator Key and is allowed to perform PIV applet personalization tasks. The PIV Application Administrator authenticates to the module through the PIV applet by properly completing a challenge/response authentication using the PIV Card Application Administrator Key. This administrator is able to put PIV data objects into the PIV applet and to generate PIV RSA key pairs.

No Roles

Public Operator
    No-role operator who does not know any secrets related to the ISD. This non-authenticated operator can only access non-security relevant services provided by the ISD that do not require any prior authentication. In addition the Public Operator can request authentication of the CM card, therefore requiring a signature generation request using the PIV Card Authentication Private Key. The Public Operator does not have the ability to create, modify, substitute, or disclose this key. The PIV Card Authentication Private Key is only used for CM authentication purposes, which is allowed per NIST IG3.1.

Maintenance Roles

None
    This CM does not support any maintenance role.

Table 5 - Roles description

5.2 IDENTIFICATION

This Cryptographic Module performs identity based authentication using cryptographic keys and PINs.
A unique identifier is associated with each cryptographic key and PIN to uniquely identify the operator performing the authentication.

The ISD cryptographic keys are identified by a two-byte value, Key Version Number (KVN) and Key ID (KID), as defined in the GlobalPlatform standard (see [GP]).

The PIV cryptographic keys and PINs are identified by a one-byte value as defined in the PIV standard (see [SP800-73-1]).

Identity                                                       Authentication
CA ISD Key Set                                                 KVN, KID
PIV SSD Key Set                                                KVN, KID
PIV User PIN                                                   80
PIV User PIN Unblock PIN (PUK)                                 81
PIV Authentication Key (Both public and private keys)          9A
PIV Card Application Administrator Key                         9B
PIV Card Application Digital Signature Key                     9C
PIV Card Application Key Management Key                        9D
PIV Card Authentication Key                                    9E

Table 6 - Identity Authentication

5.3 ROLE AUTHENTICATION

5.3.1 Card Administrator and PIV Application Provider Authentication

This Cryptographic Module supports identity based authentication of the Card Administrator and PIV Application Provider. For this mechanism, the two following properties stand:

A 112 bit TDES key pair is used to authenticate to either of these roles, therefore providing a 1/2^80 probability that a single random authentication attempt will be successful.

This mechanism includes a counter of failed authentication and a blocking mechanism. The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. The authentication mechanism is blocked when the associated counter reaches zero. The counter threshold is in the range one to 255 with default value 80. This mechanism is called velocity checking (see [GP]).
- the probability is less than one in 1,000,000 that a random attempt at authentication will succeed
- during any one minute period, the probability is less than 1 in 100,000 that a random authentication attempt will succeed

If the authentication mechanism of the ISD is blocked the CM is irreversibly terminated (the KSSK and PSSK are zeroized and the CM enters the GlobalPlatform TERMINATED state in which only the ISD may be selected with the SELECT APDU command and only the GET DATA (ISD) APDU command is available).

The Card Administrator and PIV Application Provider authenticate by opening a GlobalPlatform Secure Channel Session with the ISD and PIV SSD respectively. This Secure Channel Session establishment involves two APDU commands as follows:

Participants: Card Administrator Host, or PIV Application Provider Host; Issuer Security Domain, or PIV SSD
- Generate host challenge
- INITIALIZE UPDATE
- Generate card challenge
- Generate session keys
- Calculate card cryptogram
- APDU response
- Apply Secure Channel Protocol
- Generate session keys
- Verify card cryptogram
- Calculate host cryptogram
- EXTERNAL AUTHENTICATE
- Verify host cryptogram
- Validate authentication

5.3.2 PIV User Authentication

This Cryptographic Module supports identity based authentication of the PIV User. For this mechanism, the two following properties stand:
- the probability is less than one in 1,000,000 that a random attempt at authentication will succeed
- during any one minute period, the probability is less than 1 in 100,000 that a random authentication attempt will succeed

This mechanism includes a counter of failed authentication and a blocking mechanism.
The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. The authentication mechanism is blocked when the associated counter reaches zero. The counter threshold is in the range one to 15 with default value 5. This mechanism is called velocity checking (see [GP]).

The PIV User PIN consists of a minimum of 6 and a maximum of 8 digits.

If the authentication mechanism is blocked the PIV PIN Administrator, PIV Application Administrator, or PIV Application Provider must unblock the PIV User PIN before any authentication of the PIV User is allowed to proceed.

The PIV User is authenticated to the PIV applet through the use of the PIV VERIFY APDU command or the CHANGE REFERENCE DATA command specifying the PIN. The following diagram illustrates the VERIFY command.

Participants: PIV User; PIV Applet
- Present PIN
- VERIFY
- Verify that the PIN is not blocked
- Verify that the PIN matches the stored value.
- APDU response

The following diagram illustrates the CHANGE REFERENCE DATA command.

Participants: PIV User; PIV Applet
- Present old and new PIV User PIN
- CHANGE REFERENCE DATA
- Verify that the PIN is not blocked
- Verify that the PIN matches the stored value.
- PIV User is authenticated
- Change the PIV User PIN
- APDU response

5.3.3 PIV PIN Administrator Authentication

This Cryptographic Module supports identity based authentication of the PIV PIN Administrator.
For this mechanism, the two following properties stand:
- the probability is less than one in 1,000,000 that a random attempt at authentication will succeed
- during any one minute period, the probability is less than 1 in 100,000 that a random authentication attempt will succeed

This mechanism includes a counter of failed authentication and a blocking mechanism. The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. The authentication mechanism is blocked when the associated counter reaches zero. The counter threshold is in the range one to 15 with default value 5. This mechanism is called velocity checking (see [GP]).

The PIV User PIN Unblock PIN (PUK) consists of a minimum of 6 and a maximum of 8 digits.

If the authentication mechanism of the PIV PIN Administrator is blocked the PIV Application Administrator or the PIV Application Provider must unblock the PIV User PIN Unblock PIN before any authentication of the PIV PIN Administrator is allowed to proceed.

The PIV PIN Administrator is authenticated only during the successful execution of the PIV CHANGE REFERENCE DATA or PIV RESET RETRY COUNTER APDU commands. The following diagram illustrates the CHANGE REFERENCE DATA APDU command.

Participants: PIV PIN Administrator; PIV Applet
- Present PUK and new PIV User PIN
- CHANGE REFERENCE DATA
- Verify that the PUK is not blocked
- Verify that the PUK matches the stored value.
- PIV PIN Administrator is authenticated
- Change the PIV User PIN
- Revoke the PIV PIN Administrator authentication.
- APDU response

This diagram illustrates the RESET RETRY COUNTER APDU command.
Participants: PIV PIN Administrator; PIV Applet
- Present PUK and new PIV User PIN
- RESET RETRY COUNTER
- Verify that the PUK is not blocked
- Verify that the PUK matches the stored value.
- PIV PIN Administrator is authenticated
- Change the PIV User PIN
- Revoke the PIV PIN Administrator authentication.
- APDU response

5.3.4 PIV Application Administrator Authentication

This Cryptographic Module supports identity based authentication of the Card Administrator and PIV Application Provider.

A 112 bit TDES key pair is used to authenticate to either of these roles, therefore providing a 1/2^80 probability that a single random authentication attempt will be successful. This mechanism includes a counter of failed authentication and a blocking mechanism. The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. The authentication mechanism is blocked when the associated counter reaches zero. The counter threshold is in the range one to 255 with default value 80. This mechanism is called velocity checking (see [GP]).
- the probability is less than one in 1,000,000 that a random attempt at authentication will succeed
- during any one minute period, the probability is less than 1 in 100,000 that a random authentication attempt will succeed

The PIV Application Administrator authenticates by performing either an EXTERNAL AUTHENTICATE or MUTUAL AUTHENTICATE APDU command sequence. The following diagram illustrates the EXTERNAL AUTHENTICATE APDU command sequence.
Participants: PIV Application Administrator; PIV Applet
- GENERAL AUTHENTICATE(GET CHALLENGE)
- Generate card challenge
- Return card challenge
- APDU response
- Encrypt the challenge with the PIV Card Application Administrator Key
- GENERAL AUTHENTICATE(RESPONSE)
- Decrypt Response
- Validate against Challenge

The following diagram illustrates the MUTUAL AUTHENTICATE APDU command sequence.

Participants: PIV Application Administrator; PIV Applet
- GENERAL AUTHENTICATE(GET WITNESS)
- Generate card challenge
- Return card challenge encrypted with the PIV Card Application Administrator Key
- APDU response
- Decrypt the challenge with the PIV Card Application Administrator Key
- Compute the Host challenge
- GENERAL AUTHENTICATE(WITNESS CHALLENGE)
- Validate the challenge
- Encrypt the Host Challenge with the PIV Card Application Administrator Key
- Return the encrypted Host Challenge
- APDU response
- Decrypt the encrypted Host Challenge
- Verify the Host challenge

5.4 SERVICES

5.4.1 Card Administrator Services

This role can only be active when the ISD is currently selected.

Authentication
INITIALIZE UPDATE | CA can initiate a GlobalPlatform Secure Channel Session, setting key set version and index.
EXTERNAL AUTHENTICATE | CA can open a GlobalPlatform Secure Channel Session with the ISD in order to communicate with it in a secure and confidential way.
Card Content Management
INSTALL | CA can initiate or perform the various steps required for CM content management.
LOAD | CA can transfer a Load File to the CM.
DELETE (card content) | CA can delete a uniquely identifiable object such as an Executable Load File (package) or an Application (applet) or an Executable Load File and its related Applications.
PUT KEY | Regarding ISD keys, CA can either: Replace an existing ISD key with a new key; Replace multiple existing ISD keys with new keys; Add a single new ISD key; Add multiple new ISD keys
DELETE (key) | CA can delete an ISD key uniquely identified by the KID and KVN.
SET STATUS | CA can modify the Card Life Cycle State or an associated Application Life Cycle State.
GET STATUS | CA can retrieve Life Cycle status information of the ISD, and all Executable Load Files, Executable Modules, Applications or Security Domains.
STORE DATA | CA can transfer data to the ISD.

5.4.2 PIV Application Provider Services

This role can only be active when the PIV SSD is currently selected.

Authentication
INITIALIZE UPDATE | AP can initiate a GlobalPlatform Secure Channel Session, setting key set version and index.
EXTERNAL AUTHENTICATE | AP can open a GlobalPlatform Secure Channel Session with the PIV SSD in order to communicate with it in a secure and confidential way.
Card Content Management
INSTALL | AP can initiate or perform the various steps required for CM content management if the APDU commands are previously signed by the Card Administrator (GlobalPlatform Delegated Management) and the content is associated with the AP.
LOAD | AP can transfer a Load File to the CM if the APDU commands are previously signed by the Card Administrator (GlobalPlatform Delegated Management) and the content is associated with the AP.
DELETE (card content) | AP can delete a uniquely identifiable object such as an Executable Load File (package) or an Application (applet) or an Executable Load File and its related Applications if the APDU commands are previously signed by the Card Administrator (GlobalPlatform Delegated Management) if it is associated with the AP.
PUT KEY | Regarding PIV SSD keys, AP can either: Replace an existing PIV SSD key with a new key; Replace multiple existing PIV SSD keys with new keys; Add a single new PIV SSD key; Add multiple new PIV SSD keys
DELETE (key) | AP can delete a PIV SSD key uniquely identified by the KID and KVN.
SET STATUS | AP can modify the PIV SSD Life Cycle State or an associated Application Life Cycle State.
GET STATUS | AP can retrieve Life Cycle status information of the PIV SSD, and Executable Load File, Executable Module, Application or Security Domain associated with the AP.
STORE DATA | AP can transfer data to the PIV SSD.
PIV Content Management
STORE PIV DATA | AP can store PIV data objects into the PIV applet.
GENERATE PIV KEY | AP can generate PIV RSA key pairs in the PIV applet.
PUT PIV KEY | AP can replace PIV User PIN, PUK, RSA Private keys and PIV Card Application Administrator Key in the PIV applet.

5.4.3 PIV User Services

This role can only be active when the PIV applet is currently selected.

Authentication
VERIFY | PIV User can authenticate by presenting the PIV User PIN in the VERIFY APDU command.
Card Content Management
GET DATA (PIV) | PIV User can retrieve any of the PIV data objects in the PIV applet.
CHANGE REFERENCE DATA | PIV User can change the PIV User PIN using this APDU command. The PIV user is authenticated if the command is successful.
Cryptographic Operations
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | PIV User can perform RSA Modular Exponentiation using any of the PIV RSA Private keys. PIV User can perform Triple DES Encryption using the PIV Card Application Administrator Key.

5.4.4 PIV PIN Administrator Services

This role can only be active when the PIV applet is currently selected.

PIV PIN Administration
CHANGE REFERENCE DATA | The PIV PIN Administrator can change the PIV User PIN Unblock PIN (PUK) using this APDU command.
RESET RETRY COUNTER | The PIV PIN Administrator can change the PIV User PIN using this APDU command.

5.4.5 PIV Application Administrator Services

This role can only be active when the PIV applet is currently selected.

Authentication
GENERAL AUTHENTICATE (EXTERNAL AUTHENTICATE) | PIV Application Administrator can authenticate by performing the EXTERNAL AUTHENTICATE APDU command sequence using this service.
GENERAL AUTHENTICATE (MUTUAL AUTHENTICATE) | PIV Application Administrator can authenticate by performing the MUTUAL AUTHENTICATE APDU command sequence using this service.
PIV PIN Administration
PUT DATA | The PIV Application Administrator can replace the contents of PIV Data objects using this APDU command.
GEN KEY PAIR | The PIV Application Administrator can cause any of the PIV RSA key pairs (9A, 9C, 9D, 9E) to be created and stored in the PIV applet.

5.4.6 Public Operator Services

Public Commands
SELECT | Operator can select an Application to which subsequent commands are routed. The response contains various data depending on the application that is selected.
GET DATA (ISD) | Operator can retrieve public data from the ISD. No CSPs can be read using this service.
GET DATA (PIV SSD) | Operator can retrieve public data from the PIV SSD. No CSPs can be read using this service.
GET DATA (PIV) | Operator can retrieve public data from the PIV applet. No CSPs can be read using this service.
GENERAL AUTHENTICATE (CHALLENGE/NO RESPONSE) | Only RSA Modular Exponentiation using the PIV Card Authentication Private Key.

5.4.7 Relationship between services and roles

Service | Card Administrator | PIV Application Provider | PIV User | PIV PIN Administrator | PIV Application Administrator | Public Operator
DELETE (card content) | X | X | | | |
DELETE (key) | X | X | | | |
EXTERNAL AUTHENTICATE | X | X | | | |
GET DATA (ISD) | | | | | | X
GET DATA (PIV SSD) | | | | | | X
GET DATA (PIV) | | | X1 | | | X2
GET STATUS | X | X | | | |
INITIALIZE UPDATE | X | X | | | |
INSTALL | X | X | | | |
LOAD | X | X | | | |
PUT KEY | X | X | | | |
SELECT | | | | | | X
SET STATUS | X | X | | | |
STORE DATA | X | X | | | |
STORE PIV DATA | | X | | | |
GENERATE PIV KEY | | X | | | |
PUT PIV KEY | | X | | | |
CHANGE REFERENCE DATA (PIV User PIN) | | | X | | |
CHANGE REFERENCE DATA (PUK) | | | | X | |
GEN KEY PAIR | | | | | X |
GENERAL AUTHENTICATE (EXTERNAL AUTHENTICATE) | | | | | X |
GENERAL AUTHENTICATE (MUTUAL AUTHENTICATE) | | | | | X |
GENERAL AUTHENTICATE (CHALLENGE/NO RESPONSE) | | | X | | | X3
PUT DATA | | | | | X |
RESET RETRY COUNTER | | | | X | |
VERIFY | | | X | | |

Table 7 - Services and associated roles

1 For private PIV data
2 For the following PIV data objects only: Card Capabilities Container, CHUID, Security Object and X.509 Certificates
3 Only RSA Modular Exponentiation using the PIV Card Authentication Private Key
5.4.8 Relationship between services and CSPs

Relationship can be:
- Create (creation of the CSP object)
- Write
- Generate
- Execute (computation involving the CSP)
- Delete
- Zeroize

Key Secure Storage Key
Service | Type of access
First Card reset | Generate
INITIALIZE UPDATE | Execute
EXTERNAL AUTHENTICATE | Execute
LOAD | Execute
PUT KEY | Execute
SET STATUS (TERMINATED) | Zeroize

PIN Secure Storage Key
Service | Type of access
First Card reset | Generate
VERIFY | Execute
CHANGE REFERENCE DATA | Execute
RESET RETRY COUNTER | Execute
SET STATUS (TERMINATED) | Zeroize

CA ISD Key Set
Service | Type of access | Key
INITIALIZE UPDATE | Execute | CA-Kenc, CA-Kmac
EXTERNAL AUTHENTICATE | Execute | CA-Kenc, CA-Kmac
PUT KEY | Execute/Write | CA-Kenc, CA-Kmac, CA-Kkek
DELETE (key) | Delete | CA-Kenc, CA-Kmac, CA-Kkek

CA Session Key Set
Service | Type of access | Key
INITIALIZE UPDATE | Generate | CA-Senc, CA-Smac
Card reset | Delete | CA-Senc, CA-Smac

In a Secure Channel Session with Security Level C-MAC:
Service | Type of access | Key
DELETE | Execute | AP-Smac
EXTERNAL AUTHENTICATE | Execute | AP-Smac
GET DATA (ISD) | Execute | AP-Smac
GET STATUS | Execute | AP-Smac
INSTALL | Execute | AP-Smac
LOAD | Execute | AP-Smac
PUT KEY | Execute | AP-Smac
SET STATUS | Execute | AP-Smac
STORE DATA | Execute | AP-Smac

In a Secure Channel Session with Security Level C-DECRYPTION and C-MAC:
Service | Type of access | Key
DELETE (card content) | Execute | AP-Senc, AP-Smac
DELETE (key) | Execute | AP-Senc, AP-Smac
EXTERNAL AUTHENTICATE | Execute | AP-Senc, AP-Smac
GET DATA (ISD) | Execute | AP-Senc, AP-Smac
GET STATUS | Execute | AP-Senc, AP-Smac
INSTALL | Execute | AP-Senc, AP-Smac
LOAD | Execute | AP-Senc, AP-Smac
PUT KEY | Execute | AP-Senc, AP-Smac
SET STATUS | Execute | AP-Senc, AP-Smac
STORE DATA | Execute | AP-Senc, AP-Smac

PIV SSD Key Set
Service | Type of access | Key
INITIALIZE UPDATE | Execute | AP-Kenc, AP-Kmac
EXTERNAL AUTHENTICATE | Execute | AP-Kenc, AP-Kmac
PUT KEY | Execute/Write | AP-Kenc, AP-Kmac, AP-Kkek
DELETE (key) | Delete | AP-Kenc, AP-Kmac, AP-Kkek

PIV SSD Session Key Set
Service | Type of access | Key
INITIALIZE UPDATE | Generate | AP-Senc, AP-Smac
Card reset | Delete | AP-Senc, AP-Smac

In a Secure Channel Session with Security Level C-MAC:
Service | Type of access | Key
DELETE (card content) | Execute | AP-Smac
DELETE (key) | Execute | AP-Smac
EXTERNAL AUTHENTICATE | Execute | AP-Smac
GET DATA (PIV SSD) | Execute | AP-Smac
GET STATUS | Execute | AP-Smac
INSTALL | Execute | AP-Smac
LOAD | Execute | AP-Smac
PUT KEY | Execute | AP-Smac
SET STATUS | Execute | AP-Smac
STORE DATA | Execute | AP-Smac
STORE PIV DATA | Execute | AP-Smac
GENERATE PIV KEY | Execute | AP-Smac
PUT PIV KEY | Execute | AP-Smac, PIVSSD-Kkek
In a Secure Channel Session with Security Level C-DECRYPTION and C-MAC:
Service | Type of access | Key
DELETE (card content) | Execute | AP-Senc, AP-Smac
DELETE (key) | Execute | AP-Senc, AP-Smac
EXTERNAL AUTHENTICATE | Execute | AP-Senc, AP-Smac
GET DATA (PIV SSD) | Execute | AP-Senc, AP-Smac
GET STATUS | Execute | AP-Senc, AP-Smac
INSTALL | Execute | AP-Senc, AP-Smac
LOAD | Execute | AP-Senc, AP-Smac
PUT KEY | Execute | AP-Senc, AP-Smac
SET STATUS | Execute | AP-Senc, AP-Smac
STORE DATA | Execute | AP-Senc, AP-Smac
STORE PIV DATA | Execute | AP-Senc, AP-Smac
GENERATE PIV KEY | Execute | AP-Senc, AP-Smac
PUT PIV KEY | Execute | AP-Senc, AP-Smac, PIVSSD-Kkek

PIV Card Application Administrator Key
Service | Type of access
PIV applet instantiate | Generate
SET STATUS (TERMINATED) | Zeroize
PUT PIV KEY | Write
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | Execute
GENERAL AUTHENTICATE (EXTERNAL AUTHENTICATE) | Execute
GENERAL AUTHENTICATE (MUTUAL AUTHENTICATE) | Execute

PIV User PIN
Service | Type of access
PIV applet instantiate | Generate
SET STATUS (TERMINATED) | Zeroize
PUT PIV KEY | Write
VERIFY | Execute
CHANGE REFERENCE DATA(PIV User PIN) | Execute/Write
RESET RETRY COUNTER | Write
PIV User PIN Unblock PIN (PUK)
Service | Type of access
PIV applet instantiate | Generate
SET STATUS (TERMINATED) | Zeroize
PUT PIV KEY | Write
CHANGE REFERENCE DATA(PUK) | Execute/Write
RESET RETRY COUNTER | Execute

PIV Authentication Private Key
Service | Type of access
SET STATUS (TERMINATED) | Zeroize
GENERATE PIV KEY | Generate
PUT PIV KEY | Write
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | Execute
GEN KEY PAIR | Generate

PIV Card Application Digital Signature Private Key
Service | Type of access
SET STATUS (TERMINATED) | Zeroize
GENERATE PIV KEY | Generate
PUT PIV KEY | Write
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | Execute
GEN KEY PAIR | Generate

PIV Card Application Key Management Private Key
Service | Type of access
SET STATUS (TERMINATED) | Zeroize
GENERATE PIV KEY | Generate
PUT PIV KEY | Write
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | Execute
GEN KEY PAIR | Generate

PIV Card Authentication Private Key
Service | Type of access
SET STATUS (TERMINATED) | Zeroize
GENERATE PIV KEY | Generate
PUT PIV KEY | Write
GENERAL AUTHENTICATE(CHALLENGE/NO RESPONSE) | Execute
GEN KEY PAIR | Generate

PIV Authentication Public Key
Service | Type of access
GENERATE PIV KEY | Generate
GEN KEY PAIR | Generate

PIV Card Application Digital Signature Public Key
Service | Type of access
GENERATE PIV KEY | Generate
GEN KEY PAIR | Generate

PIV Card Application Key Management Public Key
Service | Type of access
GENERATE PIV KEY | Generate
GEN KEY PAIR | Generate

PIV Card Authentication Public Key
Service | Type of access
GENERATE PIV KEY | Generate
GEN KEY PAIR | Generate
RNG Seed Values
Service | Type of access
Card Reset | Generate
INITIALIZE UPDATE | Execute
INSTALL | Execute
GENERATE PIV KEY | Execute
GEN KEY PAIR | Execute
GENERAL AUTHENTICATE (MUTUAL AUTHENTICATE) | Execute
GENERAL AUTHENTICATE (CHALLENGE/NO RESPONSE) | Execute

5.5 SETTING MODULE IN APPROVED MODE OF OPERATION

The module is always in the approved mode of operation.

5.6 VERIFYING MODULE IS IN APPROVED MODE OF OPERATION

It is possible to verify that a module is in the approved mode of operation. The Card Administrator must:

1. SELECT the ISD and send a GET DATA (ISD) APDU command with the CPLC Data tag `9F7F' and verify that the returned data contains fields as follows (other fields are not relevant here). This verifies the version of the operating system.

Data Element | Length | Value | Version
IC type | 2 | `010A' | Atmel AT90SC144144CT Revision G
Operating system release date | 2 | `7204' | Firmware Version Part 1
Operating system release level | 2 | `0004' | Firmware Version Part 2

2. SELECT the PIV SSD and send a GET DATA (PIV SSD) command with the tag `9F7F' and verify that the returned data contains fields as follows (other fields are not relevant here). This verifies the version of the PIV SSD applet.

Data Element | Length | Position | Value
Manufacturer code | 2 | 2-3 | `5453'
Interface Version | 2 | 6-7 | `0100'
Applet Version | 2 | 8-9 | `0100'

3. SELECT the PIV SSD, open a Secure Channel Session, and send the following command sequence. This verifies the version and manufacturer of the PIV applet.
Install for Personalization:
    80 E6 20 00 11 00 00 0B A0 00 00 03 08 00 00 10 00 01 00 00 00 00

Get Version Info through Store Data
    80 E2 80 00 06 82 01 01 41 01 00

The following information shall be returned for the chip.
    80 06 54 65 63 53 65 63 81 02 01 00 82 02 01 01

In the data returned, the 80 tag specifies the manufacturer name, the 81 tag is the interface number and the 82 tag is the applet version number. The same information with spaces entered to show the three tags is shown below.
    80 06 54 65 63 53 65 63    81 02 01 00    82 02 01 01

6 SELF-TESTS

6.1 POWER-ON SELF-TESTS

Each time this cryptographic module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged.

Cryptographic algorithm testing: Known Answer Tests (KATs) are conducted for each cryptographic algorithm in one mode of operation. Known input data and answers are stored in EEPROM. The following KATs are performed in random order:
- ANSI X9.31 DRNG
- SHA-1
- SHA-256
- TDES (encrypt and decrypt with 112-bit key in CBC mode)
- AES (encrypt and decrypt with 128-bit key in CBC mode)
- RSA PKCS#1 (sign and verify with 1024-bit private and public key)

KATs are performed prior to the dispatch of the first APDU command for processing. If one of the KATs fails the card goes mute (performs no further data or status input or output and must be reset).

Firmware integrity testing: A standard CRC16 checksum is used to verify that no applications present in EEPROM have been modified. It also checks the integrity of all additions and corrections that have been added to the module (patch code and patch table). ROM code is excluded from firmware integrity verification.
If a test fails the card is irreversibly terminated (the KSSK and PSSK are zeroized and the CM enters the GlobalPlatform TERMINATED state in which only the ISD may be selected with the SELECT APDU command and only the GET DATA (ISD) APDU command is available).

6.2 CONDITIONAL SELF-TESTS

Key Pair-Wise Consistency Test: This test is performed during RSA Key Pair generation once the CM has generated the RSA Key Pair values (both signature generation/verification and encryption/decryption are tested). If the test fails the card goes mute.

Continuous RNG Tests: The hardware RNG and DRNG are tested for repetition of serially output 64-bit values. If the test fails the card goes mute.

Software Load Test: Application loading follows the GlobalPlatform 2.1.1 specifications: GlobalPlatform Secure Channel Session with TDES MAC (see [GP]). Note that a failed application load rolls back to the state prior to the load starting.

Note: Power-on self-tests on demand: resetting the module is an approved self-test on demand function.

7 SECURITY RULES

This section details the rules that form the policy of the Cryptographic Module.

7.1 PHYSICAL SECURITY

The Cryptographic Module (CM) is a single-chip implementation whose cryptographic boundary encompasses the chip. The physical component of the CM is protected by a hard opaque tamper-evident metal active shield. The CM employs physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module (including substitution of the entire module) when installed. All hardware and firmware within the cryptographic boundary are protected.
Physical security features meet FIPS-140-2 level 4 requirements with:
- Production-grade component including passivation techniques and state-of-the-art physical security features:
    o Dedicated Hardware for Protection Against SPA/DPA/DEMA Attacks
    o Advanced Protection Against Physical Attack, Including Active Shield
    o Environmental Protection Systems
    o Voltage Monitor
    o Frequency Monitor
    o Temperature Monitor
    o Light Protection
    o Secure Memory Management/Access Protection (Supervisor Mode)
- Opaque coating on chip that deters direct observation within the visible spectrum,
- Hard tamper-evident coating that provides evidence of tampering (visible signs on the metal cover), with high probability of causing serious damage to the chip while attempting to probe it or remove it from the module.

This IC is designed to meet Common Criteria EAL4+

7.2 AUTHENTICATION SECURITY RULES

Each authentication mechanism includes the verification of the knowledge of a secret shared between the CM and the external operator, and, for each restricted service, verification that the authentication security status is granted. Each of these secrets has a unique object reference that is used by the external operator to identify them:
- The CA ISD Key Set represents the role of the Card Administrator
- The PIV SSD Key Set represents the role of the PIV Application Provider
- The PIV User PIN represents the role of the PIV User
- The PIV User PIN Unblock PIN (PUK) represents the role of the PIV PIN Administrator
- The PIV Card Application Administrator Key represents the role of the PIV Application Administrator

7.3 APPLICATION LIFECYCLE SECURITY RULES

Additional applications can be loaded in the module after card issuance as specified in GlobalPlatform.
However, these additional applications must be FIPS 140-2 validated before being loaded.
- Application loading is one of the services provided by the operating system that is restricted to the Card Administrator or PIV Application Provider: a Secure Channel Session must be open between the external operator (more precisely the middleware the CA or AP is using to manage card content) and the ISD (or PIV SSD for the AP). Application loading is protected by a TDES MAC on every block of data.
- The application loading service is available before and after card issuance.
- The AP is responsible for application personalization and lifecycle management following GlobalPlatform.
- The AP is responsible for creating as many instances of loaded applets as required, according to card resources.

7.4 ACCESS CONTROL SECURITY RULES

This module manages sensitive data and services whose access is controlled by the following rules:
- CA ISD Key Set must be loaded through a GlobalPlatform Secure Channel Session ensuring their integrity and confidentiality (112-bit TDES encryption and a TDES based integrity checksum).
- PIV SSD Key Set must be loaded through a GlobalPlatform Secure Channel Session ensuring their integrity and confidentiality (112-bit TDES encryption and a TDES based integrity checksum).
- The PIV RSA keys are either generated on card or loaded through a GlobalPlatform Secure Channel Session ensuring their integrity and confidentiality (112-bit TDES encryption and a TDES based integrity checksum).
- The PIV Card Application Administration key is loaded through a GlobalPlatform Secure Channel Session ensuring its integrity and confidentiality (112-bit TDES encryption and a TDES based integrity checksum).
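Step 3 of section 5.6 compares a STORE DATA response with fixed bytes; parsing its three TLVs shows which field differs when a card does not match. The following is an added example, not part of the policy or of the vendors' tooling; the function names are hypothetical and single-byte lengths are assumed, as in the policy's sample response.

```python
"""Check the version TLVs returned in section 5.6, step 3, against the policy's values."""
from __future__ import annotations

# Response data quoted in section 5.6, step 3 of the policy.
POLICY_RESPONSE = bytes.fromhex("80 06 54 65 63 53 65 63 81 02 01 00 82 02 01 01")

# Tag meanings as the policy states them.
TAG_NAMES = {0x80: "manufacturer name", 0x81: "interface number", 0x82: "applet version"}

# Values the policy says shall be returned.
EXPECTED = {0x80: b"TecSec", 0x81: bytes.fromhex("0100"), 0x82: bytes.fromhex("0101")}


class TlvError(ValueError):
    """The data is not a clean run of tag/length/value triples."""


def parse_simple_tlv(data: bytes) -> dict[int, bytes]:
    """Split data into {tag: value}, reading one tag byte and one length byte per field.

    Assumption: lengths fit in one byte below 0x80, as in the policy's sample.
    Longer encodings are rejected instead of being guessed at.
    """
    fields: dict[int, bytes] = {}
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise TlvError(f"truncated header at offset {offset}")
        tag, length = data[offset], data[offset + 1]
        if length & 0x80:
            raise TlvError(f"multi-byte length at offset {offset + 1} is not supported")
        value = data[offset + 2 : offset + 2 + length]
        if len(value) != length:
            raise TlvError(f"tag {tag:02X} announces {length} bytes, {len(value)} present")
        if tag in fields:
            raise TlvError(f"tag {tag:02X} appears twice")
        fields[tag] = value
        offset += 2 + length
    return fields


def check_version_response(data: bytes, sw: int = 0x9000) -> list[str]:
    """Return findings for one response; an empty list means it matches the policy.

    `data` is the response body without the status word; `sw` is SW1SW2 as one integer.
    """
    if sw != 0x9000:
        return [f"status word {sw:04X}, expected 9000"]
    try:
        fields = parse_simple_tlv(data)
    except TlvError as exc:
        return [f"malformed response: {exc}"]
    findings = []
    for tag, want in EXPECTED.items():
        got = fields.get(tag)
        if got is None:
            findings.append(f"tag {tag:02X} ({TAG_NAMES[tag]}) missing")
        elif got != want:
            findings.append(
                f"tag {tag:02X} ({TAG_NAMES[tag]}) is {got.hex().upper()}, "
                f"policy lists {want.hex().upper()}"
            )
    for tag in sorted(set(fields) - set(EXPECTED)):
        findings.append(f"unexpected tag {tag:02X}")
    return findings


if __name__ == "__main__":
    print("policy sample:", check_version_response(POLICY_RESPONSE) or "matches")
    # Constructed input: same response with a different applet version byte.
    altered = POLICY_RESPONSE[:-1] + b"\x02"
    print("altered sample:", check_version_response(altered))
```
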

7.5 KEY AND PIN MANAGEMENT SECURITY RULES

Key and PIN Material

This CM supports the following CSPs:

| Key name (CSP) | Type | Length | Strength |
|---|---|---|---|
| Key Secure Storage Key | TDES | 112-bits | 80-bits |
| PIN Secure Storage Key | TDES | 112-bits | 80-bits |
| CA ISD Key Set | TDES | 112-bits | 80-bits |
| PIV SSD Key Set | TDES | 112-bits | 80-bits |
| CA Session Key Set | TDES session key | 112-bits | 80-bits |
| PIV SSD Session Key Set | TDES session key | 112-bits | 80-bits |
| PIV User PIN | PIN | 24- to 32-bits in 4-bit increments | |
| PIV User PIN Unblock PIN (PUK) | PIN | 24- to 32-bits in 4-bit increments | |
| PIV Card Application Administration Key | TDES | 168-bits | 80-bits |
| PIV Authentication Key (Both public and private keys) | RSA | 1024-bits | 80-bits |
| PIV Card Application Digital Signature Key (Both public and private keys) | RSA | 1024-bits | 80-bits |
| PIV Card Application Key Management Key (Both public and private keys) | RSA | 1024-bits | 80-bits |
| PIV Card Authentication Key (Both public and private keys) | RSA | 1024-bits | 80-bits |
| DRNG Seed concatenated with DRNG Seed Key | TDES | 112-bits | 80-bits |
| NDRNG Seed | | | |
| DRNG IVEC | | 64-bits | N/A |

This card can also support a range of symmetric and asymmetric keys:

| Key name (CSP) | Type | Length | Strength |
|---|---|---|---|
| TDES keys | TDES | 168-bits | 112-bits |
| AES keys | AES | 128-, 192- and 256-bits | 128-, 192- and 256-bits |
| RSA keys | RSA | 1024- and 2048-bits | 80- and 112-bits |

Key Generation

Key Secure Storage Key
The KSSK is generated at first reset of the card using the DRNG.

PIN Secure Storage Key
The PSSK is generated at first reset of the card using the DRNG.

Key Derivation

CA Session Key Set, PIV SSD Session Key Set
[GP] ISD Session keys are derived using Secure Channel Protocol 01 option 05 by the operating system upon opening a Secure Channel Session (successful mutual-authentication):
- CA-Smac Session Key: generated from CA-Kmac, used for protecting data integrity in GlobalPlatform Secure Channel Session secure mode (MAC).
- CA-Senc Session Key: generated from CA-Kenc, used for protecting data confidentiality in GlobalPlatform Secure Channel Session mode (Encryption).
- PIVSSD-Smac Session Key: generated from PIVSSD-Kmac, used for protecting data integrity in GlobalPlatform Secure Channel Session secure mode (MAC).
- PIVSSD-Senc Session Key: generated from PIVSSD-Kenc, used for protecting data confidentiality in GlobalPlatform Secure Channel Session mode (Encryption).

Key and PIN Entry

CA ISD Key Set, PIV SSD Key Set
These keys are entered in the module using the PUT KEY APDU command for:
- Replacing an existing key with a new key
- Replacing existing key set with new key set
- Adding a single new key
- Adding a new key set
The CM enforces confidentiality while entering Security Domain secret keys using key encryption following [GP] (FIPS approved algorithms and operation mode). The CM provides no Security Domain secret key output. All secret values of these keys are entered encrypted with the TDES CA-Kkek or PIVSSD-Kkek identified during the GlobalPlatform Secure Channel Session initialization, when one of the Security Domain key sets is selected.

PIV User PIN, PIV User PIN Unblock PIN (PUK)
These two PINs are entered in plaintext.

Key and PIN Storage

Key Secure Storage Key (KSSK), PIN Secure Storage Key (PSSK)
These two keys are stored plaintext in EEPROM.

CA ISD Key Set, PIV SSD Key Set
These keys are stored encrypted with the TDES key KSSK in EEPROM. The CM also applies an integrity checksum to these keys.

CA Session Key Set, PIV SSD Session Key Set
These keys are stored plaintext in RAM.

PIV User PIN, PIV User PIN Unblock PIN (PUK)
This PIN is stored encrypted with the TDES key PSSK in EEPROM. The CM also applies an integrity checksum to this PIN.

Key and PIN Output

No keys or PINs can be output from the module.

Key and PIN Zeroization

The CM offers services to zeroize all the persistent keys and PINs:
- The KSSK and PSSK are zeroized when the Card lifecycle state is set to TERMINATED. This happens either explicitly, when the Card Administrator uses the SET STATUS APDU command, or when a severe security event occurs (failure of an integrity check on patches, EEPROM code, PINs or keys). By zeroizing the KSSK and the PSSK, all other keys and PINs stored in the module are made irreversibly unusable.

The CM offers services to zeroize all the session keys:
- When a Secure Channel Session is closed for any reason other than power-off, the CM overwrites the session keys with random data from the DRNG. When a Secure Channel Session is closed due to a power-off, the session keys are lost as they are stored in RAM. The RAM is actively cleared to zero on the next power-on.

RNG Seed Values

The CM offers services to randomize and overwrite all DRNG and NDRNG seed values and keys:
- Every time that the CM is powered up or reset, the NDRNG seed value is overwritten with random data.
- Every time that the CM is powered up, the DRNG Seed and DRNG Seed Key are randomized.
- During power up initialization, the CM computes new DRNG Seed and DRNG Seed Key values using the NDRNG. Any old seed values (which were randomized) are then overwritten with the new computed values.

7.6 ELECTROMAGNETIC INTERFERENCE/COMPATIBILITY (EMI/EMC)

The Cryptographic Module conforms to the EMI/EMC requirements specified by Title 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B.
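
The storage and zeroization rules of section 7.5, modelled as an added example (not code from the module or its vendors): persistent CSPs are wrapped under the KSSK with an integrity checksum, a failed checksum terminates the card and zeroizes the KSSK, and session keys are overwritten with random data on close. HMAC-SHA256 stands in for the card's TDES primitives, and the class, function and record names are assumptions.

```python
import hashlib
import hmac
import secrets

class IntegrityError(Exception):
    """A stored CSP failed its integrity checksum."""

def _prf(key, label, data, n):
    # Stand-in for the card's TDES primitives: HMAC-SHA256 in counter mode.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, label + bytes([ctr]) + data, hashlib.sha256).digest()
    return out[:n]

def wrap(kssk, value):
    """Encrypt a CSP under the storage key and attach an integrity checksum."""
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(value, _prf(kssk, b"enc", nonce, len(value))))
    return nonce, ct, _prf(kssk, b"mac", nonce + ct, 8)

def unwrap(kssk, record):
    nonce, ct, tag = record
    if not hmac.compare_digest(tag, _prf(kssk, b"mac", nonce + ct, 8)):
        raise IntegrityError("checksum mismatch")
    return bytes(a ^ b for a, b in zip(ct, _prf(kssk, b"enc", nonce, len(ct))))

class ModuleModel:
    def __init__(self):
        self.state = "SECURED"    # GlobalPlatform lifecycle state before TERMINATED
        self.kssk = bytearray(secrets.token_bytes(16))  # generated at first reset
        self.eeprom = {}          # persistent CSPs, stored wrapped
        self.session_keys = None  # held in RAM only, in plaintext

    def put_key(self, name, value):
        self.eeprom[name] = wrap(bytes(self.kssk), value)

    def use_key(self, name):
        if self.state == "TERMINATED":
            raise PermissionError("card is TERMINATED")
        try:
            return unwrap(bytes(self.kssk), self.eeprom[name])
        except IntegrityError:
            self.terminate()      # severe security event
            raise

    def terminate(self):
        self.kssk[:] = bytes(len(self.kssk))  # zeroize the storage key in place
        self.state = "TERMINATED"

    def open_session(self):
        self.session_keys = bytearray(secrets.token_bytes(16))

    def close_session(self):
        self.session_keys[:] = secrets.token_bytes(16)  # overwrite with random data
        self.session_keys = None
```

Once `terminate()` has run, the wrapped records still sit in `eeprom`, but no key remains that can verify or decrypt them, which is the sense in which the policy calls the other CSPs irreversibly unusable.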

8 MITIGATION OF OTHER ATTACKS

Typical smart card attacks are Simple Power Analysis, Differential Power Analysis, Timing Analysis and Fault Induction. They may reveal sensitive information such as PINs and keys by monitoring the module's power consumption and the timing of its operations, or may bypass sensitive operations.

This Cryptographic Module is protected against SPA, DPA, Timing Analysis and Fault Induction by combining state-of-the-art firmware and hardware counter-measures.

The Cryptographic Module is protected from attacks on the operation of the IC hardware. The protection features include detection of out-of-range supply voltages, frequencies or temperatures, detection of illegal address or instruction, and physical security. For more information see specification AT90SC Vulnerability Analysis Lite, General Business Use, AT90SC_EVA_Lite_V1.0 (17 Jul 06).

All cryptographic computations and sensitive operations provided by the Cryptographic Module are designed to be resistant to timing and power analysis. Sensitive information of the embedded operating system is securely stored and integrity protected. Sensitive operations are performed in constant time, regardless of the execution context (parameters, keys, etc.), owing to a combination of hardware and firmware features.

The Cryptographic Module does not operate in abnormal conditions such as extreme temperature, power and external clock, increasing its protection against fault induction.

9 SECURITY POLICY CHECK LIST

9.1 ROLES AND REQUIRED AUTHENTICATION

| Role | Type of Authentication | Authentication Data |
|---|---|---|
| Card Administrator | TDES authentication | CA ISD Key Set |
| PIV Application Provider | TDES authentication | PIV SSD Key Set |
| PIV User | PIN | PIV User PIN |
| PIV PIN Administrator | PIN | PIV User PIN Unblock PIN (PUK) |
| PIV Application Administrator | TDES authentication | PIV Card Application Administration Key |

Table 8 - Roles and Required Identification and Authentication

9.2 STRENGTH OF AUTHENTICATION MECHANISM

| Authentication Mechanism | Strength of Mechanism |
|---|---|
| TDES authentication with CA ISD Key Set | 2^80 |
| TDES authentication with PIV SSD Key Set | 2^80 |
| PIN | 10^6 |
| TDES authentication with PIV Card Application Administration Key | 2^80 |

Table 9 - Strengths of Authentication Mechanisms

All these authentication objects except for the PIV Card Application Administration Key implement a limited retry counter.

9.3 SERVICES AUTHORIZED FOR ROLES

| Role | Authorized Services |
|---|---|
| Card Administrator | Section 5.4.1 lists authorized services for this role |
| PIV Application Provider | Section 5.4.2 lists authorized services for this role |
| PIV User | Section 5.4.3 lists authorized services for this role |
| PIV PIN Administrator | Section 5.4.4 lists authorized services for this role |
| PIV Application Administrator | Section 5.4.5 lists authorized services for this role |

Table 10 - Services Authorized for Roles

9.4 MITIGATION OF ATTACKS

| Other Attacks | Mitigation Mechanism | Specific Limitations |
|---|---|---|
| Simple Power Analysis | Counter Measures against SPA | N/A |
| Differential Power Analysis | Counter Measures against DPA | N/A |
| Timing Attacks | Counter Measures against TA | N/A |
| Fault Induction | Counter Measures against FI | N/A |

Table 11 - Mitigation of Other Attacks

10 REFERENCES

The following standards are referred to in this Security Policy.

| Acronym | Full Specification Name |
|---|---|
| [FIPS140-2] | Security Requirements for Cryptographic modules, May 25, 2001 |
| [FIPS201] | Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006; Change Notice 1, June 23, 2006 |
| [SP800-73-1] | Interfaces for Personal Identity Verification, March 2006; Errata, May 2006 |
| [JCRE] | Java Card™ 2.2.1 Runtime Environment, Revision 1.0, 18 May 2000 |
| [JCAPI] | Java Card™ 2.2.1 Application Programming Interface, Revision 1.0, 18 May 2000 |
| [JCVM] | Java Card™ 2.2.1 Virtual Machine, Revision 1.0, 18 May 2000 |
| [GP] | GlobalPlatform Card Specification, Version 2.1.1, March 2003 |
| [7816-1] | ISO/IEC 7816-1, First edition 1998-10-15, Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics |
| [7816-2] | ISO/IEC 7816-2, First edition 1999-03-01, Identification cards -- Integrated circuit(s) cards with contacts -- Part 2: Dimensions and location of the contacts |
| [7816-3] | ISO/IEC 7816-3, Third edition 2006-11-01, Identification cards -- Integrated circuit(s) cards with contacts -- Part 3: Electronic signals and transmission protocols |
| [7816-4] | ISO/IEC 7816-4, Second edition 2005-01-15, Identification cards -- Integrated circuit(s) cards with contacts -- Part 4: Interindustry commands for interchange |

Table 12 - References

11 ACRONYMS AND DEFINITIONS

| Acronym | Definition |
|---|---|
| AdvX | Advance Crypto |
| AP | PIV Application Provider |
| API | Application Programming Interface |
| AVR | Automatic Voltage Regulation |
| CA | Card Administrator |
| CM | Cryptographic Module |
| CSP | Critical Security Parameter |
| DRNG | Deterministic Random Number Generator |
| GP | GlobalPlatform |
| HRNG | Hardware Random Number Generator |
| ISD | Issuer Security Domain |
| KSSK | Key Secure Storage Key |
| KID | Key Identifier, see [GP] |
| KVN | Key Version Number, see [GP] |
| PIV | Personal Identity Verification |
| PKCS | Public Key Cryptography Standard |
| PSSK | PIN Secure Storage Key |
| PUK | PIV User PIN Unblock PIN |
| RNG | Random Number Generator |
| SSD | Supplementary Security Domain |

Table 13 - Acronyms and Definitions

[END OF THE DOCUMENT]