Atos Worldline
Adyton Cryptographic Module
Hardware Part No: 9071000001
Firmware version: 1.2.0

FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level: 3
Document Version: 1.2
September 5, 2013

Prepared For:
Atos Worldline
Haachtsesteenweg 1442, B-1130 Brussels, Belgium
www.atosworldline.com

Prepared By:
EWA-Canada, Ltd.
1223 Michael Street, Suite 200, Ottawa, Ontario, Canada K1J 7T2
www.ewa-canada.com

Atos Worldline Adyton Cryptographic Module Security Policy
© Atos Worldline 2013
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 Introduction
  1.1 Purpose
  1.2 Background
  1.3 Document Organization
2 Module Overview
  2.1 Cryptographic Module Specification
  2.2 Cryptographic Module Ports and Interfaces
  2.3 Roles & Services
    2.3.1 Roles
    2.3.2 Services
  2.4 Authentication Mechanisms
    2.4.1 Fingerprint Authentication
    2.4.2 Smart Card Authentication
    2.4.3 Password Authentication
  2.5 Physical Security
  2.6 Operational Environment
  2.7 Cryptographic Key Management
    2.7.1 Approved Algorithm Implementations
    2.7.2 Non-Approved Algorithm Implementations
    2.7.3 Key Management Overview
    2.7.4 Key Generation & Input
    2.7.5 Key Output
    2.7.6 Storage
    2.7.7 Zeroization
  2.8 Electromagnetic Interference / Electromagnetic Compatibility
  2.9 Self Tests
    2.9.1 Power Up Self Tests
    2.9.2 Conditional Self Tests
  2.10 Design Assurance
  2.11 Mitigation of Other Attacks
3 Secure Operation
  3.1 Initial Key Loading & Personalization
  3.2 Administrator Guidance
  3.3 Security Officer Guidance
4 Acronyms

List of Tables

Table 1 - FIPS 140-2 Section Security Levels
Table 2 - Module Interface Mappings
Table 3 - Authenticated Services
Table 4 - Unauthenticated Services
Table 5 - Allowed Characters for Password Use
Table 6 – FIPS-Approved Algorithm Implementations
Table 7 - Cryptographic Keys, Key Components, and CSPs
Table 8 - Acronym Definitions

List of Figures

Figure 1 – Atos Worldline Adyton Cryptographic Module

1 Introduction

1.1 Purpose

This non-proprietary Security Policy for the Adyton hardware cryptographic module by Atos Worldline describes how the Adyton module meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This document was prepared as part of the Level 3 FIPS 140-2 validation of the module. The following table lists the module’s FIPS 140-2 security level for each section.

| Section | Section Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 3 |
| 2 | Cryptographic Module Ports and Interfaces | 3 |
| 3 | Roles, Services, and Authentication | 3 |
| 4 | Finite State Model | 3 |
| 5 | Physical Security | 4 |
| 6 | Operational Environment | 3 |
| 7 | Cryptographic Key Management | 3 |
| 8 | EMI/EMC | 3 |
| 9 | Self-Tests | 3 |
| 10 | Design Assurance | 3 |
| 11 | Mitigation of Other Attacks | N/A |

Table 1 - FIPS 140-2 Section Security Levels

1.2 Background

Federal Information Processing Standards Publication (FIPS PUB) 140-2 – Security Requirements for Cryptographic Modules details the requirements for cryptographic modules.
More information on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program (CMVP), the FIPS 140-2 validation process, and a list of validated cryptographic modules can be found on the CMVP website: http://csrc.nist.gov/groups/STM/cmvp/index.html

More information about Atos, Atos Worldline, the Atos Worldline Adyton, and the rest of the Atos Worldline product line can be found on the Atos Worldline website: http://www.atosworldline.com

1.3 Document Organization

This non-proprietary Security Policy is part of the Adyton hardware cryptographic module FIPS 140-2 submission package. Other documentation in the submission package includes:

• Product documentation
• Vendor evidence documents
• Finite state model
• Additional supporting documents

The Adyton hardware cryptographic module is also referred to in this document as the cryptographic module, or the module.

2 Module Overview

Atos Worldline’s Adyton is an innovative high-performance Hardware Security Module (HSM) platform. The design of the Adyton HSM is based on high security, reliability and robustness, user friendliness, and conformance to international security standards.

The Adyton HSM has an integrated color display, full HEX capacitive keyboard, chip card reader, fingerprint reader, and a USB Host connection. With its user-centered design, operators are continuously guided through their operations using on-screen wizards. Dual-factor authentication allows for identity-based authentication of operators without keyboard input.

The Adyton HSM can be connected to host systems using its gigabit Ethernet. The Adyton HSM can be integrated into an Adyton HSM rack for installation in standard IT cabinets.
Adyton HSM racks extend the Adyton HSM with a second gigabit Ethernet interface for network redundancy or separation, and hot swappable dual power supplies for power redundancy.

The Adyton Cryptographic Module within the Adyton HSM is a certified FIPS 140-2 module with an overall security level 3. The Adyton Cryptographic Module detects intrusions, temperature and voltage manipulations, and responds to such attacks by zeroizing (overwriting) the memory where sensitive information is stored.

In addition to its ease of use and high reliability, the Adyton Cryptographic Module is also designed for performance and achieves thousands of digital signatures per second (benchmarking on 1024 bit). Symmetric key operations can be performed even faster.

With its high security and high reliability, the Adyton HSM is the ideal product for integration into the complete electronic payment chain (from card personalization, to issuing, to acquiring). But the Adyton HSM is more than an HSM for financial transactions — it can easily be integrated in other domains where security is becoming more and more demanding such as Public Key Infrastructure (PKI), document signing, E-Health, Smart Metering, chip personalization (e.g. Trusted Platform Modules), key generation facilities, and government and military programs.

For more information, please contact:
Filip Demaertelaere, Product Manager
filip.demaertelaere@atos.net

2.1 Cryptographic Module Specification

The cryptographic module is a multi-chip embedded hardware module contained within an Adyton device. The physical boundary of the module is the tamper detection and response envelope that surrounds the module’s components and is then covered in resin. Beyond the cryptographic boundary are the other components that comprise the Adyton device.
The hardware part number is 9071000001 and the firmware version is 1.2.0.

[Figure: image of the module, labelled "Cryptographic Boundary"]
Figure 1 – Atos Worldline Adyton Cryptographic Module

2.2 Cryptographic Module Ports and Interfaces

The module’s ports and interfaces that are supported when operating in FIPS mode are as follows:

• 2 gigabit Ethernet ports for communication with application hosts (SGMII 1, SGMII 2);
• 1 USB port called USB Host for a mass storage device to collect the audit trail and to load a firmware image (USB 2);
• a UPEK touch fingerprint scanner for operator authentication (USB);
• a Smart Card reader for operator authentication (UART1);
• a keyboard that uses two physically separated ports, one for password-based operator authentication and manual key component entry (I2C-secure (I2C1)), and the other for control input (I2C-non-secure (I2C0));
• a QVGA display (SPI), and LEDs for status output;
• a 3.6V battery; and
• a 12V power supply.

Table 2 shows how the module’s physical interfaces map to the logical interfaces defined in FIPS 140-2.

| FIPS 140-2 Interface | Physical Interface |
|---|---|
| Data Input | Keyboard, UPEK touch fingerprint scanner, Smart Card reader, Ethernet ports, USB Host port |
| Data Output | Ethernet ports, USB Host port |
| Control Input | Keyboard |
| Status Output | QVGA display, LEDs |
| Power | 12V Power Supply, 3.6V battery |

Table 2 - Module Interface Mappings

2.3 Roles & Services

2.3.1 Roles

The module uses identity-based authentication and has two operator roles: Crypto Officer and User.

The Crypto Officer role – also known as the Administrator role – is used to manage the module and Adyton device throughout the lifecycle with the customer. Administrators perform the set-up of the module, select the options and settings for the module, and decommission the module.
Administrators are also responsible for managing the Administrator account table.

The User role – also known as the Security Officer role – is used to import key components into the key table. Security Officers are also responsible for managing the Security Officer account table.

The module supports concurrent operators and requires dual-operator control for most Administrator and Security Officer services. Single-operator control services are limited to an operator updating their own account information.

To perform dual-control Administrator services, two or more Administrators must be logged on to the module. The creation of the first two Administrator accounts can be performed freely during initial module configuration without any operator logon. Once two Administrator accounts are in the user account table, additional Administrators can only be enrolled under dual Administrator control.

Dual-control Security Officer services have additional restrictions on the combination of simultaneous Security Officer logons that will satisfy the dual-control requirements. All Security Officer accounts are assigned to one of two Security Officer Groups; Security Officers select whether to enroll to Security Officer Group A or Security Officer Group B during account creation. At least one Security Officer from each Security Officer Group must be logged on to perform dual-control Security Officer services, with one exception: two or more Security Officers from Group A can enroll additional Group A Security Officers without requiring the logon of a Security Officer from Group B, and two or more Security Officers from Group B can enroll additional Group B Security Officers without requiring the logon of a Security Officer from Group A.
The creation of the first Security Officer Group A and first Security Officer Group B accounts can be performed freely during initial module configuration without any operator logon. Once one Security Officer Group A account and one Security Officer Group B account are in the user account table, additional Security Officers can only be enrolled under dual Security Officer control.

When a Security Officer from Group A and a Security Officer from Group B are logged on, all dual control Security Officer services are available. When two or more Security Officers from Group A are logged on (and there is no Security Officer from Group B logged on to satisfy the main dual control requirement), new Security Officers can be enrolled to Group A only. Likewise, two or more Security Officers from Group B can enroll new Security Officers to Group B but not Group A.

2.3.2 Services

The module supports authenticated services as well as services that do not require authentication. Most authenticated services require the dual control of two authenticated operators.

A description of all authenticated services and the operator or combination of operators required to perform the service can be found in Table 3 – Authenticated Services. Dual Administrator services require at least two Administrators to be logged on. Dual Security Officer services require at least one Security Officer from each Security Officer Group (A and B) to be logged on. Owner services are single control services that an authenticated operator (Administrator or Security Officer from either Security Officer Group) can perform on their own account.

A description of all unauthenticated services can be found in Table 4 – Unauthenticated Services.
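The dual-control rules of sections 2.3.1 and 2.3.2 can be expressed as a small authorization model. This is an added example, not code from Atos Worldline or the module's firmware; the class, method and service names are hypothetical, and every logged-on operator is assumed to have already passed the credential checks.

```python
from enum import Enum


class Role(Enum):
    ADMIN = "Administrator"
    SO_A = "Security Officer Group A"
    SO_B = "Security Officer Group B"


# Shorthand names for rows of Table 3 (constructed identifiers).
DUAL_ADMIN_SERVICES = {"decommission", "set_date_time", "load_firmware"}
DUAL_SO_SERVICES = {"import_key"}
ANY_OPERATOR_SERVICES = {"self_test_on_demand", "get_fips_status"}


class AccountTable:
    """Models the dual-control rules only; credential checks are out of scope."""

    def __init__(self):
        self.accounts = {}      # user name -> Role
        self.logged_on = set()  # user names with an authenticated session

    def enrolled(self, role):
        return sum(1 for r in self.accounts.values() if r is role)

    def present(self, role):
        return sum(1 for n in self.logged_on if self.accounts[n] is role)

    def dual_admin(self):
        return self.present(Role.ADMIN) >= 2

    def dual_so(self):
        # One officer from EACH group; two from the same group do not qualify.
        return self.present(Role.SO_A) >= 1 and self.present(Role.SO_B) >= 1

    def may_enroll(self, role):
        if role is Role.ADMIN:
            # The first two Administrator accounts need no logon.
            return self.enrolled(Role.ADMIN) < 2 or self.dual_admin()
        # The first account of each group needs no logon. Afterwards: A+B
        # dual control, or two logged-on officers of the target group.
        return (self.enrolled(role) == 0 or self.dual_so()
                or self.present(role) >= 2)

    def enroll(self, name, role):
        if name in self.accounts:
            raise ValueError(f"account {name!r} already exists")
        if not self.may_enroll(role):
            raise PermissionError(f"dual control not met for {role.value}")
        self.accounts[name] = role

    def logon(self, name):
        if name not in self.accounts:
            raise KeyError(name)
        self.logged_on.add(name)

    def logoff(self, name):
        self.logged_on.discard(name)

    def may_run(self, service):
        if service in DUAL_ADMIN_SERVICES:
            return self.dual_admin()
        if service in DUAL_SO_SERVICES:
            return self.dual_so()
        if service in ANY_OPERATOR_SERVICES:
            return bool(self.logged_on)
        raise ValueError(f"unknown service {service!r}")


def walkthrough():
    """Constructed scenario; returns the decision reached at each step."""
    t, out = AccountTable(), {}
    t.enroll("admin1", Role.ADMIN)          # bootstrap, no logon needed
    t.enroll("admin2", Role.ADMIN)          # bootstrap, no logon needed
    out["third_admin_no_logon"] = t.may_enroll(Role.ADMIN)
    t.logon("admin1")
    out["third_admin_one_admin"] = t.may_enroll(Role.ADMIN)
    t.logon("admin2")
    out["third_admin_two_admins"] = t.may_enroll(Role.ADMIN)
    t.enroll("so_a1", Role.SO_A)            # first Group A account
    t.enroll("so_b1", Role.SO_B)            # first Group B account
    t.logon("so_a1")
    out["import_key_group_a_only"] = t.may_run("import_key")
    t.logon("so_b1")
    out["import_key_a_plus_b"] = t.may_run("import_key")
    t.enroll("so_a2", Role.SO_A)            # allowed under A+B dual control
    t.logoff("so_b1")
    t.logon("so_a2")                        # now two Group A officers, no B
    out["enroll_a_with_two_a"] = t.may_enroll(Role.SO_A)
    out["enroll_b_with_two_a"] = t.may_enroll(Role.SO_B)
    out["import_key_with_two_a"] = t.may_run("import_key")
    return out
```

The last three results show the asymmetry in the policy: two officers from one group can grow their own group, but that combination never unlocks Import Key or enrollment into the other group.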
| Service | Operator | Description | Input | Output | Key\CSP |
|---|---|---|---|---|---|
| Create Administrator Account | Dual Administrator | Adds a new entry to the Administrator account table that includes user name, role, password, smart card unique identifier, and fingerprint template | Control and Data Input including user name, role, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Create Security Officer Group A Account | Dual Security Officer OR At least two Group A Security Officers | Adds a new entry to the Security Officer account table that includes user name, role, password, smart card unique identifier, and fingerprint template | Control and Data Input including user name, Security Officer Group, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Create Security Officer Group B Account | Dual Security Officer OR At least two Group B Security Officers | Adds a new entry to the Security Officer account table that includes user name, role, password, smart card unique identifier, and fingerprint template | Control and Data Input including user name, Security Officer Group, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Update Account | Account Owner (Administrator or Security Officer) | Updates the password, smart card unique identifier, or fingerprint template of an Administrator or Security Officer account | Control and Data Input via Keyboard command | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Import Key | Dual Security Officer | Imports a 256-bit AES key into the key table by 2 or 3 key components entered on the keyboard and defines the name of the key | Data Input of key components via keyboard | Status | AES 256-bit Imported Key – W |
| Decommission | Dual Administrator | Deletes all keys, operator accounts, firmware binary, application binary and license, exports audit trails to a USB device | Control Input via Keyboard command | Status; Data Output | All keys and CSPs except Atos Root CA Public Key – Z; RSA 4096-bit Atos Root CA Public Key – R; RSA 4096-bit Factory Intermediate CA Public Key – R; RSA 4096-bit Module Signature Public Key – R |
| Set Date, Time, Timezone | Dual Administrator | Sets the date, time, timezone | Control Input via Keyboard command | Status | None |
| Load Firmware | Dual Administrator | Loads firmware update package | Control Input via Keyboard command | Status | None |
| Self-Test On Demand | Administrator OR Security Officer (from either Group) | Performs all self-tests listed in §2.9.1 Power Up Self Tests | Control Input via Keyboard command | Status | None |
| Get FIPS 140 Status | Administrator OR Security Officer (from either Group) | Displays FIPS 140-2 status | Control Input via Keyboard command | Status | None |

R=Read, W=Write, Z=Zeroize

Table 3 - Authenticated Services

The following table lists the supported services that do not require any operator authentication. An authenticated Administrator or Security Officer from either Security Officer Group can also perform these services.
| Service | Operator | Description | Input | Output | Key\CSP |
|---|---|---|---|---|---|
| Delete Account | Unauthenticated | Removes an Administrator or Security Officer account from the account table | Control Input via Keyboard command | Status | Operator Password – Z; Operator Fingerprint Template – Z; Smart Card Unique Identifier – Z |
| Query Accounts | Unauthenticated | Output from account table: username, role, smart card unique identifier, indication if operator is currently logged on and date/time of enrollment | Control Input via Keyboard command | Status | Smart Card Unique Identifier – R |
| Operator Logoff | Unauthenticated | Displays a list of all logged on operators and allows an operator to explicitly log off 1 or more operators | Control Input via Keyboard command | Status | None |
| Set IP Configuration | Unauthenticated | Sets the IP configuration | Control Input via Keyboard command | Status | None |
| Get Serial Number | Unauthenticated | Displays the serial number of the Dallas/Maxim chip | Control Input via Keyboard command | Status | None |
| Get Name | Unauthenticated | Displays the name of Adyton device | Control Input via Keyboard command | Status | None |
| Get Firmware Version | Unauthenticated | Displays the firmware version of the Adyton device | Control Input via Keyboard command | Status | None |
| Set Name | Unauthenticated | Sets device name (typically during initialization to identify one Adyton from a pool of devices) | Control Input via Keyboard command | Status | None |
| Create Administrator Account (when fewer than 2 Administrator accounts already exist) | Unauthenticated | Adds a new entry to the Administrator account table that includes user name, role, password, smart card identifier, and fingerprint template | Control and Data Input including user name, role, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Create Security Officer Group A Account (when no Security Officer Group A accounts already exist) | Unauthenticated | Adds a new entry to the Security Officer account table that includes user name, role, password, smart card identifier, and fingerprint template | Control and Data Input including user name, Security Officer Group, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |
| Create Security Officer Group B Account (when no Security Officer Group B accounts already exist) | Unauthenticated | Adds a new entry to the Security Officer account table that includes user name, role, password, smart card identifier, and fingerprint template | Control and Data Input including user name, Security Officer Group, fingerprint, smart card, and password credentials | Status | Operator Password – W; Operator Fingerprint Template – W; Smart Card Unique Identifier – W |

R=Read, W=Write, Z=Zeroize

Table 4 - Unauthenticated Services

2.4 Authentication Mechanisms

The Adyton employs three different authentication mechanisms: fingerprint authentication, smart card authentication, and password authentication. When a new operator is enrolled, they must register credentials for each form of authentication. Once enrolled, an operator logs on to the Adyton by entering two of their three credentials. An operator must use either fingerprint or smart card as the first form of authentication entered to log on; the second authentication mechanism can be the password, or whichever of the fingerprint or smart card was not used as the first form of authentication.

2.4.1 Fingerprint Authentication

Fingerprint authentication is performed with a fingerprint scanner that complies with FIPS-201. An operator must enroll a fingerprint with the Adyton; the choice of which finger to use is up to the operator.
An operator can change their registered fingerprint template using the Update Account service, but fingerprint templates cannot be deleted as an operator must have credentials for each form of authentication.

The false acceptance rate of the fingerprint sensor is 8.4 x 10^-7 (or about 1 in 1,190,476). Assuming that a repeated attack could attempt up to 10 fingerprint entries in a one minute period, the chance that the attack would be successful during a one minute period is 10 in 1,190,476 (or 1 in 119,048) which is less than 1 in 100,000.

2.4.2 Smart Card Authentication

Each smart card has a static digital signature that is generated with the smart card authentication private key over a unique identifier of the smart card; the digital signature and unique identifier are written in the smart card file system during its personalization by the personalization bureau. The smart card authentication RSA key pair is generated by the personalization bureau and the public key is certified by the Atos Technology Provider Intermediate CA; the resulting X.509 certificate is loaded in all smart cards.

An operator is assigned a smart card during enrollment. Once a smart card has been entered in the smart card reader, the Adyton reads the digital signature, the X.509 certificate, and unique identifier from the smart card and verifies it with the smart card authentication public key. After the card has been verified, the unique identifier is stored in the user account of the operator being enrolled. The Adyton refuses to enroll with a smart card that has already been linked to an account.

An operator can change their smart card identifier using the Update Account service, but the smart card identifier cannot be deleted as an operator must have credentials for each form of authentication.
To authenticate using a smart card, an operator enters their smart card into the reader where the Adyton will read the digital signature, the X.509 certificate, and unique identifier and verify the card with the smart card authentication public key. If the operator’s identity is known (i.e. fingerprint authentication has already been performed), the Adyton will confirm that the unique identifier of the smart card matches that of the operator and log the operator in. If a smart card is entered as the first method of authentication, the Adyton will search its user accounts for a match with the card’s unique identifier and if found, will display the user name.

The RSA 4096-bit Smart Card Authentication Public Key can be considered to have the equivalent bits of security as a 150-bit symmetric key. The chance that a random attempt will be successful is therefore 1 in 2^150 (or 1 in 1.427 x 10^45) which is less than 1 in 1,000,000. Assuming that a repeated attack could attempt up to 100 entries in a one minute period, the chance that the attack would be successful during a one minute period is 100 in 2^150 (or 1 in 1.427 x 10^43) which is less than 1 in 100,000.

2.4.3 Password Authentication

Password entry to an Adyton is performed using a keyboard. An operator can change their password using the Update Account service, but a password cannot be deleted as an operator must have credentials for each form of authentication.

The minimum length for a password is 4 characters. The 133 alphanumeric characters and symbols available for use are listed in Table 5. The chance that a random password attempt will be successful is 1 in 133^4 (or 1 in 312,900,721) which is less than 1 in 1,000,000.
Assuming that a repeated password attack could attempt up to 100 password entries in a one minute period, the chance that the attack would be successful during a one minute period is 100 in 133^4 (or 1 in 31,290,72) which is less than 1 in 100,000.

1.,!"#$%&’()*+/:;<=>?@[\]^_‘{|}~¡€£¤¥¦§¨©ª«¬−®¯°±²³´µ¶·¸¹º»¼½¾¿Ð×ØÞ
ðøþabc2àáâãäåæçdef3èéêëghi4ìíîïjkl5mno6ñòóôõöpqrs7tuv8ùúûüwxyz9ýÿ0

Table 5 - Allowed Characters for Password Use

During password entry, characters are masked by an asterisk.

2.5 Physical Security

The Adyton is a hardware multi-chip embedded cryptographic module that meets the requirements of FIPS 140-2 Level 4 Physical Security. The module’s tamper detection and response mechanism is provided by an opaque tamper detection envelope that completely encapsulates the module. After the tamper detection envelope is in place around the module, the envelope itself is covered with hard, opaque potting.

The envelope detects tamper attempts by penetration (cutting, drilling by conducting or non-conducting drills), removal (unwrapping the envelope, removing the outer coating of the envelope by erosion, milling, or grinding), or chemical attack. The removal of the module's battery or the module's battery voltage going outside the range of 2.5V to 4.4V are also considered to be tamper events and will trigger the module's tamper response.

When tamper detection occurs, the module responds with the immediate zeroization of the Internal Key Wrapping Key (IKWK) that is used to wrap other keys and CSPs stored in non-volatile memory, thus rendering them useless. The module also zeroizes all keys and CSPs stored in volatile memory.

The module protects against unusual environmental conditions or fluctuations that could compromise the module’s security. The normal voltage for the module is 12V. The normal operating temperature range for the module is -50°C to 90°C (-58°F to 194°F).
If the module detects that the voltage or temperature has fallen outside of its normal operating range, the module responds by zeroizing all plaintext secret and private cryptographic keys and CSPs.

2.6 Operational Environment

The Adyton uses the QNX operating system to provide a limited operational environment with no underlying general purpose operating system. The FIPS 140-2 requirements for a modifiable operating environment do not apply.

2.7 Cryptographic Key Management

2.7.1 Approved Algorithm Implementations

A list of FIPS-Approved algorithms implemented by the module can be found in Table 6. The module does not implement any Non-Approved algorithms.

| Algorithm | Modes and Key Sizes | Validation Number |
|---|---|---|
| AES | ECB mode with 128, 192, and 256-bit keys and CBC mode with 128 and 256-bit keys | 1810 |
| HMAC | SHA-256 | 1068 |
| CMAC | Generate/verify with 256-bit AES | 1810 |
| RSA | ANSI X9.31 key generation, PKCS v1.5 and PSS sign/verify with 2048 and 4096-bit modulus sizes | 907 |
| SHA | 256-bit | 1589 |
| DRBG | SP 800-90 Hash SHA-256-based | 138 |
| KBKDF | SP 800-108 KDF in feedback mode | 2 |

Table 6 – FIPS-Approved Algorithm Implementations

2.7.2 Non-Approved but Allowed Algorithm Implementations

The module implements a non-Approved but allowed NDRNG which is used once at module power-on to provide input to the Approved RNG.

The module also employs AES key wrapping using the Approved AES algorithm. AES (Cert. #1810, key wrapping; key establishment methodology provides 256 bits of encryption strength).
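Table 6 lists an SP 800-108 KBKDF in feedback mode, and section 2.7.3 describes session keys derived from a master key with it. The sketch below is an added example, not Atos Worldline code, showing how that construction can yield separate encryption and MAC session keys from one master key. HMAC-SHA-256 as the PRF, the 32-bit counter and length encodings, an empty IV, and the label and context strings are assumptions; the policy does not specify them.

```python
import hashlib
import hmac
import struct

PRF_OUT_LEN = hashlib.sha256().digest_size  # 32 bytes per PRF invocation


def kbkdf_feedback(k_in: bytes, label: bytes, context: bytes, out_len: int,
                   iv: bytes = b"", use_counter: bool = True) -> bytes:
    """SP 800-108 feedback mode with HMAC-SHA-256 as the PRF (assumed).

    K(0) = IV
    K(i) = PRF(K_IN, K(i-1) || [i] || Label || 0x00 || Context || [L])
    [i] and [L] are encoded as 32-bit big-endian integers (assumed widths);
    L is the requested output length in bits.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    blocks = -(-out_len // PRF_OUT_LEN)  # ceiling division
    if blocks > 0xFFFFFFFF:
        raise ValueError("requested output too long for a 32-bit counter")
    l_bits = struct.pack(">I", out_len * 8)
    k_prev = iv
    result = b""
    for i in range(1, blocks + 1):
        msg = k_prev
        if use_counter:
            msg += struct.pack(">I", i)
        # The 0x00 byte separates Label from Context so that different
        # (label, context) pairs cannot produce the same PRF input.
        msg += label + b"\x00" + context + l_bits
        k_prev = hmac.new(k_in, msg, hashlib.sha256).digest()
        result += k_prev
    return result[:out_len]


def derive_wrapping_session_keys(master_key: bytes, context: bytes):
    """Derive a CBC encryption key and a CMAC key from a 256-bit master key.

    The labels reuse the key names from Table 7 as KDF labels; that mapping
    is an assumption made for this example.
    """
    if len(master_key) != 32:
        raise ValueError("master key must be 256 bits")
    enc_key = kbkdf_feedback(master_key, b"IKWK_ENC_SK", context, 32)
    mac_key = kbkdf_feedback(master_key, b"IKWK_MAC_SK", context, 32)
    return enc_key, mac_key


if __name__ == "__main__":
    # Constructed master key and context, for demonstration only.
    demo_master = bytes(range(32))
    enc, mac = derive_wrapping_session_keys(demo_master, b"boot-0001")
    print("ENC session key:", enc.hex())
    print("MAC session key:", mac.hex())
```

Because the label is part of every PRF input, the encryption and MAC keys are computationally independent even though they share a master key, which is what allows one key to be used in CBC mode and the other in CMAC mode.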
2.7.3 Key Management Overview

| Key or CSP | Usage | Storage | Generation | Input | Output | Zeroization |
|---|---|---|---|---|---|---|
| AES 256-bit Internal Key Wrapping Key (Master Key) (IKWK) | Used to encrypt/decrypt secret keys and private keys | Volatile memory in plaintext | Internally using Approved DRBG during hardware manufacturing | No | Never | Upon tamper detection or decommissioning |
| AES 256-bit Internal Key Wrapping Key (Encryption Session Key) (IKWK_ENC_SK) | Used in CBC mode to perform encryption of a key | Volatile Memory | Derived from the AES 256-bit IKWK Master Key using Approved KBKDF | No | Never | Upon tamper detection, decommissioning, or power off |
| AES 256-bit Internal Key Wrapping Key (MAC Session Key) (IKWK_MAC_SK) | Used in CMAC mode to calculate message digest of a key | Volatile Memory | Derived from the AES 256-bit IKWK Master Key using Approved KBKDF | No | Never | Upon tamper detection, decommissioning, or power off |
| AES 128-bit Application Encryption Key (Master Key) (AEK) | Used to decrypt Application binaries from Application Provider | NVM encrypted with IKWK, and plaintext in volatile memory during runtime | Outside module | During hardware manufacturing | Never | From NVM at decommissioning or rendered useless by IKWK zeroization at tamper detection. From volatile memory upon tamper detection, power off, or decommissioning |
| AES 128-bit Application Encryption Key (Session Key) (AEK_SK) | Used in CBC mode to perform encryption/decryption of an application binary | Volatile Memory | Derived from the AES 128-bit Application Encryption Key Master Key using Approved KBKDF | No | Never | Upon tamper detection, decommissioning, or power off |
| AES 128-bit Firmware Encryption Key (Master Key) (FEK) | Used to decrypt firmware and bootloader binaries | NVM encrypted with IKWK, and plaintext in volatile memory during runtime | Outside module | During hardware manufacturing | Never | From NVM at decommissioning or rendered useless by IKWK zeroization at tamper detection. From volatile memory upon tamper detection, power off, or decommissioning |
| AES 128-bit Firmware Encryption Key (Session Key) (FEK_SK) | Used in CBC mode to perform encryption/decryption of a firmware binary | Volatile Memory | Derived from the AES 128-bit Firmware Encryption Key Master Key using Approved KBKDF | No | Never | Upon tamper detection, decommissioning, or power off |
| RSA 4096-bit Atos Root CA Public Key | Used to verify certificates | Plaintext in NVM | Outside module | During hardware manufacturing | Yes, at decommission, during export of audit trails | Never |
| RSA 4096-bit Technology Provider Intermediate CA Public Key | Used to verify certificates | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit Application Provider Intermediate CA Public Key | Used to verify certificates | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit Factory Intermediate CA Public Key | Used to verify certificates | Plaintext in NVM | Outside module | During hardware manufacturing | Yes, at decommission during export of audit trails | At decommissioning |
| RSA 4096-bit Firmware Authentication Public Key | Used to verify signatures on firmware binaries | Plaintext in NVM | Outside module | During hardware manufacturing or via firmware binary | Never | At decommissioning |
| RSA 4096-bit Bootloader Authentication Public Key | Used to verify signatures on bootloader binaries | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit Application Authentication Public Key | Used to verify signatures on Application binaries | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit KLD Signature Public Key | Used in challenge/response between Adyton and KLD during hardware manufacturing | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit Perso Device Signature Public Key | Used in challenge/response between Adyton and a Perso Device during hardware manufacturing | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| RSA 4096-bit Smart Card Authentication Public Key | Used to verify signatures on unique smart card identifiers | Plaintext in NVM | Outside module | During hardware manufacturing | Never | At decommissioning |
| Smart Card Digital Signature | Used during smart card authentication | Plaintext in NVM | Outside module | During authentication process | Never | From volatile memory upon tamper detection, power off, or decommissioning |
| Smart Card Unique Identifier | Used during smart card authentication | Plaintext in NVM | Outside module | During authentication process | Never | From volatile memory upon tamper detection, power off, or decommissioning |
| RSA 4096-bit Module Signature Private Key | Used to sign Adyton internal data | Encrypted in NVM with IKWK, and plaintext in volatile memory during runtime | Internally using Approved DRBG during hardware manufacturing | No | Never | From NVM at decommissioning or rendered useless by IKWK zeroization at tamper detection. From volatile memory upon tamper detection, power off, or decommissioning |
| RSA 4096-bit Module Signature Public Key | Used by external entities to verify signature | Plaintext in NVM | Internally using Approved DRBG during hardware manufacturing | No | Yes, at decommission during export of audit trails | At decommissioning |
| RSA 4096-bit Module Encryption Private Key | Decrypt Application Encryption Key and Firmware Encryption Key | Encrypted in NVM with IKWK, and plaintext in volatile memory during runtime | Internally using Approved DRBG during hardware manufacturing | No | Never | From NVM at decommissioning or rendered useless by IKWK zeroization at tamper detection. From volatile memory upon tamper detection, power off, or decommissioning |
| RSA 4096-bit Module Encryption Public Key | Used to load the Application Encryption Key and the Firmware Encryption Key | Plaintext in NVM | Internally using Approved DRBG during hardware manufacturing | No | Never | At decommissioning |
| SP 800-90 Hash DRBG CSPs (C, V, entropy input, nonce and personalization string) | Used during internal generation of keys | Plaintext in volatile memory | By module’s NDRNG | No | Never | Upon tamper detection, decommissioning, or power off |
| Imported AES 256-bit Key | Optionally entered during the Initial Wizard (initial module configuration at first power-on) | Key component values are XORed before being stored. NVM encrypted with IKWK, and plaintext in volatile memory during runtime | Outside module | Manual key entry in 2 or 3 key components via keyboard | Never | From NVM at decommissioning or rendered useless by IKWK zeroization at tamper detection. From volatile memory upon tamper detection, power off, or decommissioning |
| SHA-256 ROM Integrity Test Hash | Used to perform the ROM integrity test at power up | NVM | During hardware manufacturing process | No | Never | At decommissioning |
| Operator Passwords | Used as one of three methods of operator authentication. Can only be used after fingerprint or smart card authentication has occurred | Protected in NVM with Approved SHA-256 algorithm | Created by account owner | By account owner via keyboard | Never | Overwritten using Update Account service; zeroized at decommissioning |
| Operator Fingerprint Templates | Used as one of three methods of operator authentication | Plaintext in NVM | Compiled from multiple fingerprint scans by the fingerprint reader for the finger template | By account owner via fingerprint scanner | Never | Overwritten using Update Account service; zeroized at decommissioning |
| Audit trail log signature | An RSA signature of the Audit trail log generated and output at decommission to a USB token. | No | At decommissioning | No | Yes, at decommission during export of audit trails | At decommissioning |

Table 7 - Cryptographic Keys, Key Components, and CSPs

2.7.4 Key Generation & Input

Keys and CSPs that can be input into the module by the customer include:
• Operator Passwords
• Operator Fingerprint Templates
• Imported AES 256-bit Key
• Smart Card Digital Signature
• Smart Card Unique Identifier

Keys that are generated or derived by the module include:
• AES 256-bit Internal Key Wrapping Key (Master Key) (IKWK)
• AES 256-bit Internal Key Wrapping Key (Encryption Session Key) (IKWK_ENC_SK)
• AES 256-bit Internal Key Wrapping Key (MAC Session Key) (IKWK_MAC_SK)
• RSA 4096-bit Module Signature Private Key
• RSA 4096-bit Module Signature Public Key
• RSA 4096-bit Module Encryption Private Key
• RSA 4096-bit Module Encryption Public Key

Operator Passwords and Operator Fingerprint Templates are entered into the module by the operator (account owner) via the keyboard or fingerprint scanner.

The module’s Approved RNG (SP 800-90 DRBG) is seeded once with entropy input and a nonce provided by the module’s NDRNG at module initialization.
The module’s DRBG is also seeded with a personalization string that uses the serial number of the module and a value from the real time clock.

The Imported AES 256-bit Key is manually entered in 2 or 3 plaintext key components via the keyboard using the I2C-secure channel.

2.7.5 Key Output

The following keys are output from the module during decommission:
• RSA 4096-bit Atos Root CA Public Key
• RSA 4096-bit Factory Intermediate CA Public Key
• RSA 4096-bit Module Signature Public Key

No other keys are ever output from the module.

2.7.6 Storage

All Public keys are stored in read/write non-volatile memory (NVM). Secret and Private keys are stored in NVM encrypted with the IKWK, and in plaintext in volatile memory during runtime. The non-volatile memory is erased after tamper detection, power off, or decommissioning. The Internal Key Wrapping Key is stored in non-imprinting volatile memory and is rapidly erased after tamper detection. A SHA-256 hash on Operator Passwords is stored in NVM. Operator Fingerprint Templates are stored in plaintext in NVM.

2.7.7 Zeroization

Public Keys are rendered useless when their corresponding Private Key is zeroized. Public keys are zeroized at decommissioning.

The Internal Key Wrapping Key (IKWK) is zeroized upon tamper detection or decommissioning. When the IKWK is zeroized, all keys that were stored encrypted with the IKWK are rendered useless regardless of whether they are zeroized themselves.

Secret and Private keys are stored in non-volatile memory encrypted with the IKWK and become useless when the IKWK is zeroized. These keys are also stored in plaintext in volatile memory during runtime and are zeroized in volatile memory upon tamper detection, power off, or decommissioning.
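The effect of IKWK zeroization on keys wrapped in NVM, as an added example that is not the module's code: two session keys are derived from the IKWK with an SP 800-108 feedback-mode KDF, a key record is wrapped under them, and the record stops unwrapping once the IKWK buffer is overwritten. Assumptions: HMAC-SHA-256 is the KDF's PRF, the labels, slot context and record layout are hypothetical, and HMAC-based stand-ins replace AES-256-CBC and AES-CMAC so the block runs on the Python standard library alone.

```python
import hashlib
import hmac


def kbkdf_feedback(k_in, label, context, n_bytes, iv=b""):
    """SP 800-108 feedback mode with HMAC-SHA-256 as the PRF (PRF choice assumed):
    K(i) = PRF(K_in, K(i-1) || [i]_32 || Label || 0x00 || Context || [L]_32), K(0) = IV."""
    fixed = label + b"\x00" + context + (8 * n_bytes).to_bytes(4, "big")
    out, prev, i = b"", iv, 1
    while len(out) < n_bytes:
        prev = hmac.new(k_in, prev + i.to_bytes(4, "big") + fixed, hashlib.sha256).digest()
        out += prev
        i += 1
    return out[:n_bytes]


def session_keys(ikwk, slot):
    """Derive the two volatile session keys; distinct labels keep them independent."""
    master = bytes(ikwk)
    return (kbkdf_feedback(master, b"IKWK_ENC_SK", slot, 32),
            kbkdf_feedback(master, b"IKWK_MAC_SK", slot, 32))


def _keystream(enc_sk, iv, n):
    # Stand-in for AES-256-CBC so the block needs only the standard library.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_sk, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(ikwk, slot, key, iv):
    """Encrypt a key for NVM and append a tag (HMAC stands in for AES-CMAC)."""
    enc_sk, mac_sk = session_keys(ikwk, slot)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(enc_sk, iv, len(key))))
    tag = hmac.new(mac_sk, slot + iv + ct, hashlib.sha256).digest()[:16]
    return iv + ct + tag


def unwrap(ikwk, slot, blob):
    """Return the key, or None when the tag does not verify under the current IKWK."""
    iv, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    enc_sk, mac_sk = session_keys(ikwk, slot)
    expected = hmac.new(mac_sk, slot + iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_sk, iv, len(ct))))


def zeroize(buf):
    """Overwrite a key buffer in place (tamper response or decommissioning)."""
    buf[:] = bytes(len(buf))


# Constructed sample values: an IKWK held in volatile memory and one AEK record in NVM.
# The all-zero IV only keeps the sample reproducible.
IKWK = bytearray(hashlib.sha256(b"constructed IKWK").digest())
AEK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NVM_RECORD = wrap(IKWK, b"AEK", AEK, iv=bytes(16))
```

Calling `zeroize(IKWK)` and then `unwrap(IKWK, b"AEK", NVM_RECORD)` returns `None` even though the NVM record itself is untouched, which is why erasing one 256-bit key is enough as a tamper response.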
Operator Passwords and Operator Fingerprint Templates can be changed by the account owner using the Update Account service, but cannot be deleted from an account in the user table, as an account must always have each of the three forms of authentication credentials (fingerprint, smart card, and password) associated with it. The user account table is zeroized at decommissioning.

2.8 Electromagnetic Interference / Electromagnetic Compatibility

The cryptographic module conforms to the FCC EMI/EMC requirements in 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B.

2.9 Self Tests

2.9.1 Power Up Self Tests

The module performs the following tests upon power up; they do not require operator input:
• Integrity Tests:
  o ROM image integrity test using SHA-256
  o Bootloader image signature verification using RSA
  o Firmware image signature verification using RSA
• Self-tests for all validated algorithms:
  o AES ECB encrypt/decrypt KATs
  o AES CBC encrypt/decrypt KATs
  o SHA-256 KAT
  o HMAC-SHA-256 KAT
  o AES CMAC generate/verify
  o RSA ANSI X9.31 key generation
  o RSA RSASSA-PKCS#1 v1.5 signature generation/verification
  o RSA RSASSA-PSS signature generation/verification
  o DRBG SP 800-90 Hash SHA-256 based
• Verification that read only partition in non-volatile memory is fused
• Atos Root CA self-signed public key certificate verification using RSA
• Technology Provider Intermediate CA Public Key Certificate verification using RSA
• Bootloader Authentication Public Key Certificate verification using RSA
• Firmware Authentication Public Key Certificate verification using RSA
• Operator Table integrity verification using SHA-256
• Key Table integrity verification using SHA-256
• Audit Trail integrity verification using SHA-256

The power up self-tests are all rerun automatically after every 24 hours of runtime. These self-tests can also be performed on demand by power cycling the module. Each message digest algorithm implements a known answer test separately from any other message digest algorithm.

Failure of the main bootloader authenticity verification will result in the module rebooting continuously. Failure of any other power up self-test will put the module into the Non-Recoverable Error state.

2.9.2 Conditional Self Tests

The module performs the following conditional self-tests:
• A pairwise consistency test is performed when an RSA key pair is generated
• A digital signature check using the module’s Approved RSA algorithm is performed on the loaded firmware when the load firmware service is initiated
• A manual key entry test is performed with a key check value when manual entry of key components occurs
• A continuous DRBG test is performed whenever the use of a random number is required

Failure of a pairwise consistency test will result in the module rebooting. Failure of the digital signature check will result in the module displaying a message indicating so and refusing to load the firmware. Failure of a manual key entry test will result in the key component not being accepted. Failure of a continuous DRBG test will result in a new random number being generated until the test passes.

2.10 Design Assurance

Configuration management for the module is provided by Concurrent Versions System (CVS), which uniquely identifies each configuration item and the version of each configuration item.
Documentation version control is performed manually by updating the document date as well as the major and minor version numbers in order to uniquely identify each version of a document.

2.11 Mitigation of Other Attacks

The module does not claim to mitigate any attacks outside the requirements of FIPS 140-2.

3 Secure Operation

The Adyton cryptographic module does not support a Non-Approved mode of operation. Upon arrival and first power-up the module is in a FIPS Approved mode of operation and will display “Mode: FIPS” on the General Information screen. No additional configuration is required in order to place the module into a FIPS Approved mode. The FIPS Approved mode status can also be displayed at any time by accessing the General Information screen through the main menu.

3.1 Initial Key Loading & Personalization

The module arrives at the Application Provider in a FIPS Approved mode of operation. This section provides additional background information about the initial key loading and personalization of the module that occurs at the manufacturing facility, the Atos Key Management Facility, and the Application Provider Key Management Facility, all before the module is delivered to the customer.

Many of the module’s keys are generated and loaded onto the module by the manufacturer before the module is delivered to the customer. Key generation and input that occurs after the module is delivered to the customer is discussed in section 2.7.3.

The initial key loading process takes place at the manufacturing facility in a secure room with operational procedures that guarantee the module’s authenticity. A separate module connected to a PC acts as a Key Loading Device (KLD) to commission modules for customer use. The KLD performs the loading of keys onto the module via the module’s Ethernet port. The following steps are performed during initial key loading:
• generate Internal Key Wrapping Key
• generate and certify Module Signature Key Pair
• generate and certify Module Encryption Key Pair
• write Factory Intermediate CA Public Key
• write Application Provider Intermediate CA Public Key
• write Application Encryption key
• write Firmware Encryption key

The Internal Key Wrapping Key, Module Signature Private and Public Keys, and Module Encryption Private and Public Keys are all generated internally using the FIPS-Approved DRBG.

The Atos Root CA Key Pair is generated in the Atos Key Management Facility. The public key is loaded in ROM during the manufacturing of the module. The private key is never loaded into the module and does not leave the Key Management Facility.

The Firmware Authentication Key Pair, Bootloader Authentication Key Pair, and Technology Provider Intermediate CA Key Pair are also generated in the Atos Key Management Facility. The Application Authentication Key Pair is generated in the Application Provider Key Management Facility. The Bootloader Authentication Public Key and Technology Provider Intermediate CA Public Key are included in the bootloader binary, and the Firmware Authentication Public Key and Application Authentication Public Key are included in the firmware binary and application binary, respectively, and they are all loaded in the module when the binaries are installed. The private keys are never loaded into the module and do not leave the Key Management Facility.

One instance of the KLD Signature Key Pair and Perso Device Signature Key Pair is generated for each Key Loading Device and Perso Device instance. The manufacturer operates the Key Loading Devices and generates the KLD Signature Key Pair. An Application Provider operates the Perso Devices and generates the Perso Device Signature Key Pair. The KLD Signature Private Key and Perso Device Private Key are never loaded into the module.

3.2 Administrator Guidance

Administrators manage the module and Adyton device throughout the lifecycle with the customer. Administrators perform the initialization of the module, select the options and settings for the module, enroll other Administrator accounts, load firmware and application software, and decommission the module. All logged on Administrators are responsible for checking the actions that are triggered on the module.

3.3 Security Officer Guidance

Security Officers enroll other Security Officer accounts and perform tasks with the keys in the key table including the importing of key components. All logged on Security Officers are responsible for checking the actions that are triggered on the module.
4 Acronyms

| Acronym | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| CA | Certificate Authority |
| CBC | Cipher Block Chaining |
| CMVP | Cryptographic Module Validation Program |
| CO | Crypto Officer |
| CSEC | Communications Security Establishment Canada |
| CSP | Critical Security Parameter |
| CVS | Concurrent Versions System |
| DRBG | Deterministic Random Bit Generator |
| ECC | Elliptic Curve Cryptography |
| EFP | Environmental Failure Protection |
| EMI/EMC | Electromagnetic Interference / Electromagnetic Compatibility |
| FCC | Federal Communications Commission |
| FIPS | Federal Information Processing Standards |
| HMAC | (Keyed-) Hash Message Authentication Code |
| IKWK | Internal Key Wrapping Key |
| KAS | Key Agreement Scheme |
| KAT | Known Answer Test |
| KDF | Key Derivation Function |
| KLD | Key Loading Device |
| KMF | Key Management Facility |
| LED | Light Emitting Diode |
| NIST | National Institute of Standards and Technology |
| NDRNG | Non-Deterministic Random Number Generator |
| NVM | Non-Volatile Memory |
| QNX | QUNIX or Quick UNIX |
| QVGA | Quarter Video Graphics Array |
| ROM | Read Only Memory |
| RSA | Rivest, Shamir, and Adleman |
| SHA | Secure Hash Algorithm |
| SPI | Serial Peripheral Interface |
| TDES | Triple Data Encryption Standard |
| UART | Universal Asynchronous Receiver/Transmitter |
| USB | Universal Serial Bus |

Table 8 - Acronym Definitions