Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67

Momentus® FDE Attached Storage Drives
FIPS 140 Module Security Policy
Rev. 1.7 – June 29, 2011
Seagate Technology, LLC

Copyright Notice
Copyright © 2009 Seagate Technology, LLC.
May be reproduced only in its original entirety [without revision].

Table of Contents

1 Introduction
  1.1 Scope
  1.2 Document References
  1.3 Acronyms
2 Cryptographic Module Description
  2.1 Overview
  2.2 Hardware and Firmware Versions
  2.3 FIPS 140 Approved Mode of Operation
  2.4 Services Disabled in Manufacturing
  2.5 “Preboot” (LBA Remapping Function) for Data Access Control
  2.6 User Data Cryptographic Erase Methods
3 Identification and Authentication (I&A) Policy
  3.1 Operator Roles
    3.1.1 Crypto Officer Roles
    3.1.2 User Roles
    3.1.3 Unauthenticated Role
  3.2 Authentication
    3.2.1 Authentication Types
    3.2.2 Authentication in ATA Security Commands
    3.2.3 Authentication for DriveTrust Commands
    3.2.4 Authentication Mechanism, Data and Strength
    3.2.5 Personalizing Authentication Data
4 Access Control Policy
  4.1 Services
  4.2 Cryptographic Keys and CSPs
5 Physical Security
  5.1 Mechanisms
  5.2 Operator Requirements
6 Operational Environment
7 Security Rules
  7.1 Secure Initialization
  7.2 Ongoing Policy Restrictions
8 Mitigation of Other Attacks Policy

1 Introduction

1.1 Scope

This security policy applies to the FIPS 140-2 Cryptographic Module (CM), Seagate® Momentus® FDE Attached Storage drives. This document meets the requirements of the FIPS 140-2 standard (Appendix C) and Implementation Guidance (section 14.1). For details needed to develop a compliant application see the referenced technical specifications.

1.2 Document References

1. FIPS PUB 140-2
2. Derived Test Requirements for FIPS PUB 140-2
3. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
4. ATA-8 ACS
5. Serial ATA Rev 2.6 (SATA)
6. DriveTrust SDK SeaCOS Command Reference Manual
7. DriveTrust Life Cycle Manual
8. EXTERNAL-FDE dCard Life Cycle Manual
9. ISO/IEC 7816-4

1.3 Acronyms

3DES     Triple DES
AES      Advanced Encryption Standard (FIPS 197)
APDU     Application Protocol Data Unit (ISO 7816)
CM       Cryptographic Module
CO       Crypto-officer
CSP      Critical Security Parameter
dCard    disc Card, virtual Smart Card
DEK      Data encryption key
FDE      Full Disk Encryption
HDA      Head and Disk Assembly
HDD      Hard Disk Drive
KAT      Known Answer Test
LBA      Logical Block Address
mSID     Manufactured SID, public drive-unique PIN
PBA      Preboot Application
POR      Power-on reset (ATA defined)
POST     Power on self-test
RNG      Random Number Generator
SeaCOS   Seagate Card Operating System
SID      Security ID, PIN for Drive Owner CO role
SoC      System-on-a-Chip
TE       Trusted Exchange (ATA Trusted Send/Receive sequence)
XF       Extended Filesystem (of dCards)

2 Cryptographic Module Description

2.1 Overview

The Momentus® FDE Attached Storage Drive is a FIPS 140-2 Level 2 module which provides full disk encryption with operator authentication. It is designed to prevent data breaches due to loss or theft on the road or in the office.

The cryptographic module provides a wide range of cryptographic services using FIPS approved algorithms in a FIPS-Approved mode. Services include hardware-based data encryption, instantaneous user data disposal with cryptographic erase, device identification, and authenticated FW download. The services are provided through industry-standard ATA / SATA interfaces.

The module is a multiple-chip embedded physical embodiment, and the physical boundary of the CM is the entire HDD. The module can be enclosed in external hard drive products with an external case, USB bridge (connector, board and firmware) and software applications, which are all not included in the CM boundary or the scope of this validation.

The physical interfaces to the CM are the SATA connector, power connector and jumper block pins. The logical interface is the industry-standard ATA command set (Doc Ref.
4), with vendor-unique extensions, carried on the SATA transport interface (Doc Ref. 5), through the SATA connector.

The primary function of the module is to provide data encryption, access control and cryptographic erase of the data stored on the hard drive media.

The CM functionality is implemented in the ASIC, Serial Flash, SDRAM and firmware. The drive media provides the non-volatile storage of the keys, CSPs and FW. This storage is in the “system area” of the media which is not logically accessible / addressable from outside the CM and not accessible through any CM service.

The ASIC is a SoC which has the following major logical functions: host interface using an industry-standard SATA interface, a RW Channel interface to the HDA, an interface to media motor controller, a data encryption engine, and processing services which execute the firmware. An Approved Security Function, AES-128, is implemented in the data encryption engine.

During drive operation, the SDRAM hosts some of the firmware and the encrypted user data being transferred between the media and the ASIC.

Security functions of the firmware can be categorized into the following groups: ATA security commands, ATA read / write commands, misc ATA commands and Seagate proprietary security protocol commands (DriveTrust) sent through the ATA Trusted Exchange interface.

The Seagate security protocol is implemented by a subsystem called SeaCOS. This protocol is an implementation of the ISO 7816 standard for Smart Cards. The architecture provides virtual Smart Cards, dCards, with file systems in a reserved area of the disc media. The host application interface with the file systems is through a command-response mechanism referred to as APDUs. The FIPS-approved mode in this certification is supported by 3 Seagate provided dCards: Admin, FDE and User.
The User dCard is only used to store password hints and track if the drive has been configured (user password changed from default value); it provides no cryptographic services.

The drive also includes software applications which run on the host computer to provide a user interface to some of the functions. However, these applications are not within the logical boundary of the FIPS module; they do not execute on the processor of the hard drive. They are host applications which are bundled with (written on) the drive; see section 2.5. Other applications could additionally be used to interact with the CM. This security policy describes the FIPS 140 capabilities available to any application. Any application software included on the disc media (host applications) is considered out of scope and not validated.

2.2 Hardware and Firmware Versions

The Momentus® FDE Attached Storage Drive, FIPS 140 Module is identified as HW version (Model #) ST9500326AS, FW version (config) 566.

2.3 FIPS 140 Approved Mode of Operation

By following the Security Rules (Section 8) in this document, an operator can operate the CM in a FIPS 140 compliant manner (an “Approved mode” of operation). The module’s FIPS mode of operation is enforced both through configuration and through policy. Violating the policy (detailed in Section 8) is equivalent to operating the product in a non-compliant manner.

If a FIPS self-test fails, either at power on or during operation, then the CM will enter an error state. From this error state, all services except show status are disabled. The host can reset the CM with a power cycle in an attempt to clear the error state. If the POSTs succeed, then the CM has recovered from the error. Otherwise, the drive can no longer operate in FIPS mode. Note that these errors are very rare, but if they occur they will likely be accompanied by other failures.
FIPS approved services are provided through industry-standard ATA commands, SeaCOS APDUs addressed to the Admin dCard (resident on the drive), and SeaCOS APDUs addressed to the FDE dCard (resident on the drive). Note, some ATA Security commands are disabled in this product and their functionality is provided through the APDUs.

2.4 Services Disabled in Manufacturing

This product shares an architecture with Momentus internal drives which have different use cases. Some of the functionality differences are implemented in firmware while others are provided through different manufacturing processes related to the files on the dCards. Specifically, the FDE dCard used for this product is created in the factory and has some differences from an FDE dCard created on internal drives (by applications). These differences are in access control, file activation state, and device file operations.

Of particular note is that certain features, while implemented in the firmware, are not accessible because the operator authentication for the FDE dCard Owner role is disabled during manufacturing. Additionally, some files storing key values are deactivated and thus cannot be set to private values or referenced by services. For completeness, all functionality possible in the FW is described, independent of the fact that the services are disabled.

The following are the services which are disabled in this product (also noted in Services and Key Management sections):
• Key Inject
• Secure Messaging
• Set PIN for FDE dCard Owner: EF-CARD-OWNER
• Setting or Referencing private key values used in Key Inject and Secure Messaging: EF-EXCHANGE-KEY, EF-RSA-VERIFY, EF-3DES-DRIVE-TO-HOST, EF-3DES-HOST-TO-DRIVE, and EF-3DES-DL-HASH

2.5 “Preboot” (LBA Remapping Function) for Data Access Control

The CM provides several mechanisms for the Lock/Unlock User Data service.
One of the methods is an indirect effect of mapping the storage space available for the host from two different areas of the drive: 1) XF space of the dCard filesystem, 2) the “user data area”. The XF that can be addressed is referred to as the “preboot area” because for internal drives an application can be executed under control of a BIOS before the operating system is loaded (“booted”). This capability of the drive firmware to address the preboot area instead of the user area with the same LBA addressing is called “LBA remapping”. When the LBA space is mapped to the preboot area the user area is unavailable and vice versa. This then provides a means for access control of reads and writes (always encrypted) of the user data. The LBA mapping is host controlled by a “device file” on the FDE dCard (EF-USER-LOCK or EF-LBA-REMAPPING-BYPASS). The host application controls this setting by writing to the file.

The purpose of this capability is to allow a host to have a read-only application in a secure area of the drive such that a host BIOS or operating system will execute the application automatically upon detection of the connection of the drive. In the case of attached storage drives, the host operating system will often see the drive as a CD and “autorun” the application loaded in the preboot area. The preboot application is typically used to “configure” the security of the drive and unlock the “user area” for access. The “unlock” operation is accomplished by switching the LBA addressing from the preboot area to the user area.

The CM is customized for an attached storage drive product during manufacturing with the placement of a host application in the preboot area and LBA Remapping enabled when the FDE dCard is created. Thus, when the drive is connected to a host, the operating system will automatically execute the preboot application and will not have access to the user data.
The first time the drive is connected to the host the application will present a user interface to set the authentication data (drive owner, master and user passwords) for the CM. Subsequently the application will present a user interface to authenticate the user and “bypass” the LBA Remapping setting, thus unlocking the user data. However, as described in the overview section above, the host applications are not part of the CM and thus the operator interface to the drive may vary.

2.6 User Data Cryptographic Erase Methods

All user data is internally encrypted / decrypted by the CM for storage / retrieval on the drive media. As a result, the data can be effectively erased by changing the encryption key, DEK, and discarding the previous value. Thus, the FIPS 140 key management capability “zeroization” of the key erases all the user data. Of course the user data can also be erased by overwriting, but this can be a long operation on high capacity drives.

The Cryptographic Erase feature is available with 2 methods (device files) each with different access controls: one is available to the Master role, the other is for the Secure Erase Master role. The 2nd method can be provided as an unauthenticated service depending on the module setup; i.e. if the default PIN for the role is set to a private value.

3 Identification and Authentication (I&A) Policy

3.1 Operator Roles

Note: The following identifies the CO roles with a general description of the purposes. For further details of the Approved Security services performed by each role, as well as security related services which do not require an operator role, see section 4.1.

3.1.1 Crypto Officer Roles

3.1.1.1 Drive Owner

This role has the ability to enable or disable the FW download service.

3.1.1.2 FDE dCard Owner

This role is disabled during manufacturing. To authenticate to this role, a random value needs to be supplied.
However, this random value is generated and discarded at manufacturing, effectively disabling this role. As such, the end user has no knowledge of this value and cannot authenticate to this role.

This role has the ability to enable or disable the Key Inject Service. This service allows the operator to optionally inject (electronically input) a data encryption key (DEK). As described above, though implemented in the firmware, the CM is manufactured with this role and the services provided to this role disabled. See section 2.4.

3.1.1.3 Masters (4)

This role is used to enable/disable Master, User and Secure Erase Master IDs with the Set PIN service. It is also used to erase data that has been written to the drive by zeroizing the DEK with the Cryptographic Erase service. There are 4 Master IDs.

3.1.2 User Roles

3.1.2.1 Users (4)

This role can unlock (and also lock) the drive so that an operator can read and write data to the drive. There are 4 User IDs.

3.1.2.2 Secure Erase Master

This role can erase data that has been written to the user area of the drive by zeroizing the DEK. Note that if the default authentication data for this role is not changed at Secure Initialization then this role is effectively unauthenticated (by virtue that the default value is printed on the drive label; identified as “SID”).

3.1.3 Unauthenticated Role

This role can perform Show Status services and Device Identification. If this operator has physical access to the drive, this role can also power cycle the drive as well as configure the jumper block to control the interface speed between the host and drive (a non-security relevant service).

3.2 Authentication

3.2.1 Authentication Types

The CM supports role-based and identity-based authentication. The Drive Owner and Secure Erase Master role use role-based authentication as there is only one ID and one PIN. There are 4 Master and User operators.
Each of these operators is assigned a unique ID to which a PIN is associated, thus this provides identity-based authentication.

3.2.2 Authentication in ATA Security Commands

Authentication supplied for certain ATA Security commands is provided through a PIN provided in the ATA Security command parameters, as defined in Doc. Ref. 4. In the event of authentication failure, the ATA command will abort. A password attempt counter is implemented as specified in ATA, which when reached, blocks User service authentication (with command abort), until the module is reset (Unblock PIN service).

3.2.3 Authentication for DriveTrust Commands

Authentication for services provided through DriveTrust commands is provided through a PIN provided in the Verify PIN APDU command, as defined in Doc. Ref. 6. In the event of authentication failure, the response message will indicate the failure. If the operator role does not have access to the subsequent service then the command will similarly fail. A password attempt counter is implemented, which when reached, blocks User service authentication (with corresponding response indication), until the module is reset (Unblock PIN service).

Depending on a module setting (FDE dCard file EF-ATA-SECURITY-INTERFACE-ACCESS), the ATA Security Unlock command can also be used to authenticate as Master or User for the User Data Read / Write service.

For the DEK Key Input (Inject) service, the Card Owner authentication is provided through a Challenge-Response APDU sequence using an RSA key pair and a CM generated random value. The public key, “RSAVerify” is provided by the host to the CM during module setup. See section 2.4 for limitations.

Per the Security Rules of this Security Policy, to switch operator roles, the host application must clear a previous authentication using the Warm Reset APDU command. This command should be addressed to the applicable dCard.
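
The attempt counter described in sections 3.2.2 and 3.2.3, and the guessing bound that section 3.2.4 derives from it, can be checked with a small model. This is an added example, not Seagate firmware and not part of the policy: the PinSlot class and the function names are hypothetical, SHA-256 stands in for the unspecified "SHA Digest", and the counter is assumed to clear only on a power-on reset.

```python
import hashlib
import hmac
from fractions import Fraction

# Figures taken from section 3.2.4 of the policy.
MIN_PIN_BYTES = 4    # minimum PIN length required by the security rules
MAX_TRIES = 5        # unsuccessful attempts allowed before the PIN blocks
RESET_SECONDS = 4    # minimum time for a module reset (15 resets per minute)


class PinSlot:
    """Hypothetical model of one operator PIN: a stored digest and a retry counter."""

    def __init__(self, pin: bytes, max_tries: int = MAX_TRIES):
        if len(pin) < MIN_PIN_BYTES:
            raise ValueError("PIN shorter than the 4-byte policy minimum")
        # Assumption: SHA-256 stands in for the policy's unspecified "SHA Digest".
        self._digest = hashlib.sha256(pin).digest()
        self.max_tries = max_tries
        self.failed = 0
        self.authenticated = False

    @property
    def blocked(self) -> bool:
        return self.failed >= self.max_tries

    def verify(self, candidate: bytes) -> str:
        """Return 'ok', 'fail', or 'blocked' (rejected without any comparison)."""
        if self.blocked:
            return "blocked"
        digest = hashlib.sha256(candidate).digest()
        if hmac.compare_digest(digest, self._digest):  # constant-time compare
            self.authenticated = True
            return "ok"
        self.failed += 1
        return "fail"

    def warm_reset(self) -> None:
        """Clear the current authentication, as required before switching roles."""
        self.authenticated = False

    def power_on_reset(self) -> None:
        """Module reset: clears authentication and (assumed) the attempt counter."""
        self.authenticated = False
        self.failed = 0


def guess_bounds(pin_bytes=MIN_PIN_BYTES, max_tries=MAX_TRIES,
                 reset_seconds=RESET_SECONDS):
    """Return (single-attempt, per-minute) success probabilities as exact fractions."""
    space = 2 ** (8 * pin_bytes)
    resets_per_minute = 60 // reset_seconds
    return Fraction(1, space), Fraction(max_tries * resets_per_minute, space)


def guesses_compared(slot: PinSlot, guesses, window_seconds: int = 60) -> int:
    """Count the guesses the slot actually compares within the window.

    Guesses are treated as instantaneous and every batch is charged one
    reset, matching how the policy arrives at 5 * 15 attempts per minute.
    """
    elapsed, compared = 0, 0
    pending = iter(guesses)
    while elapsed + RESET_SECONDS <= window_seconds:
        slot.power_on_reset()
        elapsed += RESET_SECONDS
        while not slot.blocked:
            guess = next(pending, None)
            if guess is None:
                return compared
            compared += 1
            if slot.verify(guess) == "ok":
                return compared
    return compared


if __name__ == "__main__":
    slot = PinSlot(bytes.fromhex("1337c0de"))          # constructed 4-byte PIN
    wrong = (i.to_bytes(4, "big") for i in range(1000))  # constructed wrong guesses
    print("guesses compared in 60 s:", guesses_compared(slot, wrong))
    single, per_minute = guess_bounds()
    print("single attempt:", float(single), "per minute:", float(per_minute))
```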
For services with indirect access control (authentication with a separate enable / unlock service) the host may choose to disable/lock services for access control.

3.2.4 Authentication Mechanism, Data and Strength

Operator authentication with PINs is implemented in the CM by hashing the host supplied value and comparing to the stored hash of the assigned PIN. The PINs have a retry attribute that controls the number of unsuccessful attempts before the authentication is blocked. The various PINs have maximum lengths of 16 to 32 bytes.

Per the policy security rules, the minimum PIN length is 4 bytes (32 bits) to meet FIPS 140 authentication strength requirements for a single random attempt; i.e. 1/2^32, which is less than 1/1,000,000. The PIN blocking feature limits the number of random attempts to 5 (it “unblocks” with module reset) and the minimum time for a module reset is 4 seconds (15/min). Thus the probability of multiple random attempts to succeed is (5*15)/2^32, which is less than the FIPS requirement of 1/100,000.

3.2.5 Personalizing Authentication Data

The initial value for some operator PINs is a manufactured value (mSID). This is a device-unique, 25-byte, public value. The value is printed on the drive label (identified as SID). The security rules (section 7) for the CM require that the PIN values must be “personalized” to private values using the “Set PIN” service. In some cases the factory-installed data is an unknown random value that must be changed with the Set PIN service to enable the operator.

4 Access Control Policy

4.1 Services

The following table represents the FIPS 140-2 services in terms of the Approved Security Functions and operator access control. Note the following:
• Personalization of PINs and keys as required by the Security Rules and described in the I&A Policy section are not described here.
• Underlying security functions used by higher level algorithms are not represented (e.g. hashing as part of asymmetric key) • See the technical specification references for the command/response input and output details. • Unauthenticated services (e.g. Show Status, Reset, Device Identification) do not provide access to private keys or CSPs. • * Some services have indirect access control provided through enable / disable or lock / unlock services used by an authenticated operator; e.g. User data read / write. • ** Some services are disabled in Manufacturing; see section 2.4 for details. Table 1 - FIPS 140 Services Service Name Description Operator Access Control Security Command(s) / dCard Function dev file Set PIN Change operator authentication All Hashing, Change PIN APDU data. Symmetric Note: Any Master can set the Key PIN for any Master or User. Secure Erase Master PIN is set with any Master Unblock PIN Reset password attempt All None POR, counter. Note: Any Master can Unblock PIN APDU Unblock the PIN for any Master, User or Secure Erase Master. Drive Owner PIN can only be unblocked with POR. Enable / Enable / Disable FW Download Drive Owner None Update Binary Device Disable FW Service File APDU on Download Admin: /dev/EF- DOWNLOAD- MICROCODE bit 0 Firmware Load complete firmware image. None (* FW Download Asymmetric ATA DOWNLOAD Download If the self-test of the code load enabled) Key MICROCODE passes then the device is reset and will run with the new code. Page 9 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67 Table 1 - FIPS 140 Services Service Name Description Operator Access Control Security Command(s) / dCard Function dev file Lock / Unlock Enable / Disable User Data Any Master or Any User Symmetric ATA SECURITY User Data Read / Write service. Key (to UNLOCK unwrap Note: POR or COMRESET Update Binary Device DEK) (SSP disabled) disables (locks) File APDU on FDE: the User Data service. 
/dev/EF-USER- LOCK, (or /dev/EF- LBA-REMAPPING- BYPASS) User Data Encryption / decryption of user None (* User Data Symmetric ATA Read / Write Read / Write data. Unlocked) Key Commands Cryptographic Erase user data by Any Master, Secure Erase RNG, Update Binary Device Erase cryptographic means: changing Master Symmetric File APDU on FDE: the encryption key. Key /dev/EF-SECURE- ERASE, /dev/EF- Note: Some PINs are reset to SECURE-ERASE- default values. See Secure WITH-SECURE- Initialization. ERASE-PIN Note: The use of Secure Erase Master may be an unauthenticated key zeroization operation. See section 2.6. Generate Generate, store and return Depends on ACL for RNG, Get Challenge + Symmetric (encrypted) a private key value. specified key Symmetric Generate Symmetric Key ** Key Key APDU Device CM cryptographically identifies Depends on ACL for Symmetric Internal Authenticate Identification to host using encryption of specified key Key, APDU ** random challenge with Asymmetric specified key. Key Show Status Reports if Security System is None None Read Record (6) operational. APDU on Admin dCard file EF-CARD- Operational != 0x0020 STATUS (bytes 2-3) DEK Key Key Management: Electronic Master/User or Drive Owner Symmetric Update Binary Device Inject ** input of (encrypted) data + Card Owner (with Key File APDU on FDE: encryption key to CM. RSAVerify credential) /dev/EF- ENCRYPTION-KEY Note: PINs are reset and must be reinitialized. Reset Module Runs POSTs and zeroizes keys None None Power cycle (POR) & CSPs RAM storage. Page 10 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 
1.67 Table 1 - FIPS 140 Services Service Name Description Operator Access Control Security Command(s) / dCard Function dev file Disable Disables ATA Security Unlock None None ATA SECURITY Services or DriveTrust APDUs and ATA FREEZE LOCK, Security Unlock until Reset Update Binary Device Master or User File APDU on FDE: /dev/EF-FREEZE- LOCK Perform General purpose cryptographic Varies depending on key Hashing, Perform Security Security services. references. Symmetric Operation APDU Operation Key, Asymetric Note: Excluded by policy. See Key Section 7.2. RSA Sig gen is non-compliant. Page 11 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67 4.2 Cryptographic Keys and CSPs The following table defines the keys / CSPs and the operators / services which use them. It also describes the lifecycle of these data items in terms of generation, input / output, storage and zeroization. Note the following: • The use of PIN CSPs for authentication is implied by the operator access control. • The Set PIN service is represented in this table even though generally it is only used at module setup. • All non-volatile storage of keys and CSPs is in the system area of the drive media to which there is no logical or physical access from outside of the module. • Read access of private values are internal only to the CM. • There is no security-relevant audit feature. • ** Some Keys and CSPs cannot be used or changed in the field because the authentication data to control them is discarded during manufacturing. • The Access column indicates R=Read, W=Write, X=Execute, Z=Zeroize. Table 2 - Key Management Lifecycle Type (Pub Access / Priv, key Operator Storage Form Name dCard Description Services Used In (R,W,X, Initial Value / CSP (e.g. 
Role (Plaintext / Z) or PIN)), size Storage Encrypted / Entry / Output Zeroization Initialization Logically Method Protected) Master, Public, Media None, Public mSID (EF- Drive-unique default value for Secure Cryptographic Random value Entry: None Admin PIN, 25 R (System Plaintext Value MFG-SID) secure initialization Erase Erase created at Mfg Output: none bytes Area) Master Drive Set PIN W Owner Entry: SID (Secure Private, Electronic Media Electronic Cryptographic ID), aka Drive Admin Auth. Data PIN, 25 Input at (System SHA Digest Input from Erase Owner chars Module Setup Area) Host Master / Cryptographic Output: none Z User Erase FDE dCard DEK Key Inject ** Z Owner 12 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67 Table 2 - Key Management Lifecycle Type (Pub Access / Priv, key Operator Storage Form Name dCard Description Services Used In (R,W,X, Initial Value / CSP (e.g. Role (Plaintext / Z) or PIN)), size Storage Encrypted / Entry / Output Zeroization Initialization Logically Method Protected) Entry: FDE dCard Private, FDE Media Electronic Electronic Input Mfg, Random, Owner FDE Auth. Data PIN, 16 dCard Set PIN ** W (System SHA Digest Input from from Host unknown Password bytes Owner Area) Host Output: none Entry: Master, Public/Priv Media Electronic Secure Erase FDE Cryptographic FDE Auth. Data ate, PIN, Set PIN W Mfg, mSID (System SHA Digest Input from Master PIN dCard Erase 25 bytes Area) Host Owner Output: none Any Set PIN W Master Entry: Any Cryptographic Private, Electronic Media Electronic Z Master0-3 Cryptographic Master Erase FDE Auth. Data PIN, 32 Input at (System SHA Digest Input from Passwords Erase bytes Module Setup Area) Host FDE Output: none dCard DEK Key Inject ** Z Owner Any Master, Set PIN W User Entry: Any Cryptographic Private, Electronic Media Electronic Z User0-3 Cryptographic Master Erase FDE Auth. 
Data PIN, 32 Input at (System SHA Digest Input from Passwords Erase bytes Module Setup Area) Host Output: none FDE dCard DEK Key Inject ** Z Owner Page 13 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67 Table 2 - Key Management Lifecycle Type (Pub Access / Priv, key Operator Storage Form Name dCard Description Services Used In (R,W,X, Initial Value / CSP (e.g. Role (Plaintext / Z) or PIN)), size Storage Encrypted / Entry / Output Zeroization Initialization Logically Method Protected) Master/Us er or Drive Owner + DEK Key Inject ** W FDE dCard Owner Electronic Encrypted Key Input through Private, Media Master0-3, Any Cryptographic Mfg, Random, Write Binary of Cryptographic FDE DEK mixed with PINs AES Key, Z (System Plaintext User0-3 DEKs Master Erase Unknown EF- Erase 128 bits Area) ENCRYPTION -KEY device file Any Master or Security Unlock R User Services which Private, use the RNG (e.g. Seed Key None RNG Key Hash Key, None cryptographic X, W Mfg RAM None None Reset (XKEY) 64 bytes erase, operator authentication) Page 14 Momentus FDE Attached Storage Drives FIPS 140 Module Security Policy Rev. 1.67 Table 2 - Key Management Lifecycle Type (Pub Access / Priv, key Operator Storage Form Name dCard Description Services Used In (R,W,X, Initial Value / CSP (e.g. Role (Plaintext / Z) or PIN)), size Storage Encrypted / Entry / Output Zeroization Initialization Logically Method Protected) Private, Entropy Hash 1st RNG use after Seed None RNG seed (entropy) None X collected at RAM None None Reset seed, 536 POST power up bytes None subject to Public, FW Media ORG0-0 - Firmware Load Test Signature None RSA Key, download FW Download X Mfg (System Plaintext None None (Public) ORG0-3 Verify Key 1024 bits enabled Area) (Drive Owner) Public, FDE DEK Key Inject ** Electronic Media Read / Update EF-RSA- FDE Auth. 
Data, Encryption Key RSA Key, dCard (Card Owner X Input at (System Plaintext Binary BER None (Public) VERIFY ** 1024 bits Owner Authentication) Module Setup Area) TLV ** Private, FDE RNG Media Read / Update EF-3DES- Update Binary FDE Key Encryption Key 3DES Key, dCard DEK Key Inject ** X Generated at (System Plaintext Binary BER EXCHANGE ** BER TLV ** 16 bytes Owner Module Setup Area) TLV ** EF-3DES- DRIVE-TO- Encryption Keys for protecting Private, FDE RNG Media Read / Update Secure Update Binary HOST, EF- FDE message payloads between 3DES Key, dCard X Generated at (System Plaintext Binary BER messaging ** BER TLV ** 3DES-HOST- host and drive 16 bytes Owner Module Setup Area) TLV ** TO-DRIVE ** Private, FDE RNG Media Read / Update EF-3DES-DL- Key for generating HMAC of Secure Update Binary FDE Hash Key, dCard X Generated at (System Plaintext Binary BER HASH ** message payload. messaging ** BER TLV ** 16 bytes Owner Module Setup Area) TLV **

5 Physical Security

5.1 Mechanisms

The CM has the following physical security:
• Production-grade components with standard passivation,
• Exterior of the drive is opaque,
• Opaque, tamper-evident security labels which cannot be penetrated or removed and reapplied without tamper-evidence,
• Security labels cannot be easily replicated with a low attack time,
• Security label on the exposed (back) side of the PCBA protects against physical access to the electronics by board removal,
• Security labels on side of drive to provide tamper-evidence of HDA cover removal.

5.2 Operator Requirements

The operator is required to inspect the CM periodically for one or more of the following kinds of tamper evidence:
• Checkerboard pattern on security label or substrate,
• Security label over screws at indicated locations is missing or penetrated,
• Text (including size, font, orientation) on security label does not match original,
• Security label cutouts do not match original.

Upon discovery of tamper evidence, the module should be removed from service.

6 Operational Environment

The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the CM operates in a “non-modifiable operational environment”. That is, while the module is in operation, the operational environment cannot be modified and no code can be added or deleted. FW can be upgraded (replaced) with a signed FW download operation. If the code download is successfully authenticated, then the module will reset and operate with the new code image.

7 Security Rules

7.1 Secure Initialization

The CM remains in FIPS mode across module resets and all services. The following are the security rules for initialization and operation of the CM in a FIPS 140 compliant manner. Reference the appropriate sections of this document for details.

1. COs: At receipt of the product, examine the shipping packaging and the product packaging to ensure it has not been accessed during shipping by the trusted courier.
2. At installation and periodically, examine the physical security mechanisms for tamper evidence.
3. At installation, set all operator PINs to private values of at least 4 bytes in length (CHANGE PIN APDU).
4. COs: Ensure EF-LBA-REMAPPING is enabled, as this will provide access control, after a module reset, to the User Data Read / Write service. The access control to this setting is any Master. The command to set this value is the UPDATE BINARY DEVICE FILE APDU applied to the specified device file on the FDE dCARD.
5. COs: Ensure EF-DOWNLOAD-MICROCODE bits 0 and 1 are set to 0 to enable access control for the Download Microcode service. The access control to this setting is Drive Owner. The command to set this value is the UPDATE BINARY DEVICE FILE APDU applied to the Admin dCARD /dev/EF-DOWNLOAD-MICROCODE file.
6. COs: If it is desirable to only provide Cryptographic Erase as an authenticated service, then set the Secure Erase Master PIN to a private value (CHANGE PIN APDU). The access control to this setting is any Master.
7. After all the above settings have been made, perform a power-on reset.

7.2 Ongoing Policy Restrictions

1. Operators must clear authentication prior to assuming a new role. This is accomplished via power-on reset or the Warm Reset APDU.
2. COs must not modify EF-LBA-REMAPPING and EF-DOWNLOAD-MICROCODE (bit 1) after the Secure Initialization process.
3. After use of the Cryptographic Erase service, all operator PINs must be set to private values as described in Secure Initialization.
4. DES is a non-Approved algorithm and shall not be used for encryption/decryption.
5. Do not use the Perform Security Operation APDU as this is unauthenticated (except through access control to the referenced key).

8 Mitigation of Other Attacks Policy

The CM does not make claims to mitigate against other attacks beyond the scope of FIPS 140-2.
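The Secure Initialization rules in 7.1 and the 7.2 restriction on later changes can be checked mechanically against a provisioning record. The following Python check is an added example, not part of Seagate's policy or tooling; the plan dictionary, its field names and all sample values are hypothetical, and it assumes that a PIN equal to the public mSID does not count as private.

```python
# Added example. The plan layout and field names are hypothetical; the rules
# are sections 7.1 and 7.2 of this policy. All sample values are constructed.
MIN_PIN_LEN = 4        # 7.1 rule 3: PINs of at least 4 bytes
DL_ACCESS_BITS = 0b11  # 7.1 rule 5: EF-DOWNLOAD-MICROCODE bits 0 and 1
DL_FROZEN_BIT = 0b10   # 7.2 rule 2: bit 1 must not change afterwards


def check_initialization(plan, msid):
    """Return 7.1 violations for a planned drive configuration."""
    findings = []
    for role, pin in sorted(plan["pins"].items()):
        if len(pin) < MIN_PIN_LEN:
            findings.append(f"7.1(3) {role}: PIN shorter than {MIN_PIN_LEN} bytes")
        elif pin == msid:
            # Assumption: a PIN equal to the public mSID default is not private.
            findings.append(f"7.1(3) {role}: PIN equals the public mSID")
    if not plan["ef_lba_remapping_enabled"]:
        findings.append("7.1(4) EF-LBA-REMAPPING is not enabled")
    if plan["ef_download_microcode"] & DL_ACCESS_BITS:
        findings.append("7.1(5) EF-DOWNLOAD-MICROCODE bits 0 and 1 are not both 0")
    erase_pin = plan.get("secure_erase_master_pin")  # None: left at its default
    if plan["erase_authenticated_only"] and erase_pin in (None, msid):
        findings.append("7.1(6) Secure Erase Master PIN is not private")
    return findings


def check_drift(baseline, current):
    """Return 7.2 rule 2 violations: settings changed after initialization."""
    findings = []
    if current["ef_lba_remapping_enabled"] != baseline["ef_lba_remapping_enabled"]:
        findings.append("7.2(2) EF-LBA-REMAPPING changed")
    flipped = baseline["ef_download_microcode"] ^ current["ef_download_microcode"]
    if flipped & DL_FROZEN_BIT:
        findings.append("7.2(2) EF-DOWNLOAD-MICROCODE bit 1 changed")
    return findings


MSID = b"CONSTRUCTED-MSID-VALUE-01"  # constructed stand-in for the 25-byte mSID
WEAK_PLAN = {
    "pins": {"Drive Owner": MSID, "Master0": b"abc", "User0": b"u0-private"},
    "ef_lba_remapping_enabled": False, "ef_download_microcode": 0b01,
    "erase_authenticated_only": True,
}
GOOD_PLAN = dict(
    WEAK_PLAN, ef_lba_remapping_enabled=True, ef_download_microcode=0b00,
    pins={"Drive Owner": b"owner-private", "Master0": b"m0-private", "User0": b"u0-private"},
    secure_erase_master_pin=b"erase-private",
)
print("\n".join(check_initialization(WEAK_PLAN, MSID)))
```

The drift check flags only bit 1 of EF-DOWNLOAD-MICROCODE, because 7.2 rule 2 names that bit alone.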