FIPS 1402 Security Policy for: Toshiba TCG Enterprise SSC Self-Encrypting Solid State Drive (PX model NA02) TOSHIBA CORPORATION Rev 1.2 1 Jul 14, 2015 OVERVIEW ................................................................................................................................................ 3 ACRONYMS ............................................................................................................................................... 3 SECTION 1 ­ MODULE SPECIFICATION............................................................................................... 4 SECTION 1.1 ­ PRODUCT VERSION ...................................................................................................... 4 SECTION 2 ­ ROLES SERVICES AND AUTHENTICATION .................................................................. 4 SECTION 2.1 ­ SERVICES ....................................................................................................................... 5 SECTION 3 ­ PHYSICAL SECURITY ...................................................................................................... 6 SECTION 4 ­ OPERATIONAL ENVIRONMENT ..................................................................................... 8 SECTION 5 ­ KEY MANAGEMENT ......................................................................................................... 8 SECTION 6 ­ SELF TESTS ....................................................................................................................... 9 SECTION 7 ­ DESIGN ASSURANCE ....................................................................................................... 9 SECTION 8 ­ MITIGATION OF OTHER ATTACKS............................................................................... 10 2 Jul 14, 2015 Overview The Toshiba TCG Enterprise SSC Self-Encrypting Solid State Drive (listed in Section1.1 Product Version) is used for solid state drive data security. This Cryptographic Module (CM) provides various cryptographic services using FIPS approved algorithms. Services include hardware-based data encryption, cryptographic erase, and FW download. This CM is multiple-chip embedded, and the physical boundary of the CM is the entire SSD. The logical boundary is SAS interface (same as the physical boundary). The physical interface for power-supply and for communication is one SAS connector. The CM is connected with host system by SAS cable. The logical interface is the SAS, TCG SWG, and Enterprise SSC. The CM has the non-volatile storage area for not only user data but also the keys, CSPs, and FW. The latter storage area is called the "system area", which is not logically accessible / addressable by the host application. Section Level 1. Cryptographic Module Specification 2 2. Cryptographic Module Ports and Interfaces 2 3. Roles, Services, and Authentication 2 4. Finite State Model 2 5. Physical Security 2 6. Operational Environment N/A 7. Cryptographic Key Management 2 8. EMI/EMC 2 9. SelfTests 2 10. Design Assurance 2 11. Mitigation of Other Attacks N/A Overall Level 2 Table 1 Security Level Detail Interface Ports Data Input SAS connector Control Input SAS connector Data Output SAS connector Status Output SAS connector Power Input SAS connector Table 1-1 Physical/Logical Port Mapping This document is non-proprietary and may be reproduced in its original entirety. Acronyms AES Advanced Encryption Standard CM Cryptographic Module CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EDC Error Detection Code FW Firmware 3 Jul 14, 2015 HMAC Keyed-Hashing for Message Authentication code KAT Known Answer Test LBA Logical Block Address MSID Manufactured SID NDRNG Non-Deterministic Random Number Generator PCB Printed Circuit Board POST Power on Self-Test PSID Printed SID SED Self-Encrypting Drive SHA Secure Hash Algorithm SID Security ID Section 1 ­ Module Specification The CM has one FIPS 140 approved mode of operation and CM is always in approved mode of operation. The CM provides services defined in Section 2.1 and other non-security related services. Section 1.1 ­ Product Version The Toshiba Enterprise SSC Self-Encrypting Solid State Drive has been validated: HW version: A0 with PX02SMU020, PX02SMU040, PX02SMU080, or PX02SMQ160 FW version: NA02 The PX02SMU080 with NA02 varies "Product ID" value of INQUIRY command according to customer requirements. These "Product ID" values are X440_PHM2800MCTO and X577_PHM2800MCTO. Section 2 ­ Roles Services and Authentication This section describes roles, authentication method, and strength of authentication. Role Name Role Type Type of Authentication Authentication Multi Attempt strength Authentication Strength EraseMaster Crypto Officer Role PIN 1/248 < 1/1,000,000 15,000 / 248 < 1 / 100,000 SID Crypto Officer Role PIN 1/248 < 1/1,000,000 15,000 / 248 < 1 / 100,000 BandMaster0 User Role PIN 1/248 < 1/1,000,000 15,000 / 248 < 1 / 100,000 BandMaster1 User Role PIN 1/248 < 1/1,000,000 15,000 / 248 < 1 / 100,000 ... ... ... ... ... ... BandMaster8 User Role PIN 1/248 < 1/1,000,000 15,000 / 248 < 1 / 100,000 Table 2 Identification and Authentication Policy Per the security policy rules, the minimum PIN length is 6 bytes. Therefore the probability that a random attempt will succeed is 1/248 < 1,000,000 (the CM accepts any value (0x00-0xFF) as each 4 Jul 14, 2015 byte of PIN). The CM waits 4msec when authentication attempt fails, so the maximum number of authentication attempts is 15,000 times in 1 min. Therefore the probability that random attempts in 1min will succeed is 15,000 / 248 < 1 / 100,000. Section 2.1 ­ Services This section describes services which the CM provides. Service Description Role(s) Keys & CSPs RWX(Read,Wr Algorithm(CAV Method ite,eXecute) P Certification Number) Band Block or allow read (decrypt) / BandMaster0 Table MAC X HMAC-SHA256 SECURITY Lock/Unlock write (encrypt) of user data in ... Key (#1611) PROTOCOL IN(TCG a band. Locking also requires BandMaster8 Set Method Result) read/write locking to be enabled Cryptographic Erase user data (in EraseMaster MEK(s) W Hash_DRBG(#3 SECURITY Erase cryptographic means) by 97) PROTOCOL IN(TCG changing the data encryption RKey X AES256CBC(#2 Erase Method Result) key 598) Table MAC X HMAC-SHA256 Key (#1611) Data Encryption / decryption of None MEKs X XTS-AES256(#2 SCSI READ/WRITE read/write(decr unlocked user data to/from 598) Commands band ypt/encrypt) Download Port Enable / Disable Firmware SID Table MAC X HMAC-SHA256 SECURITY Lock/Unlock Download service Key (#1611) PROTOCOL IN(TCG Set Method Result) Firmware Load complete firmware None PubKey X RSASSA-PKCS- SCSI WRITE Download image. The device is reset and v1_5(#1331) BUFFER will run with the new code RandomNumbe Provide a random number None Seed R Hash_DRBG(#3 SECURITY r generation generated by the CM 97) PROTOCOL IN(TCG Random Method Result) Reset(run Runs POSTs and delete None N/A N/A N/A Power on reset POSTs) CSPs in RAM Set band Set the location and size of BandMaster0 Table MAC X HMAC-SHA256 SECURITY position and the LBA range ... Key (#1611) PROTOCOL IN(TCG BandMaster8 Set Method Result) size Set PIN Setting PIN (authentication All for their RKey X AES256CBC(#2 SECURITY data) PIN Table MAC X 598) PROTOCOL IN(TCG Key HMAC-SHA256 Set Method Result) (#1611) SHA256(#2183) Show Status Report status of the CM None N/A N/A N/A SCSI REQUEST SENSE Zeroization Erase user data in all bands AdminSP.PSI RKey X,W AES256CBC(#2 SECURITY by changing the data D(using 598) PROTOCOL IN(TCG encryption key, initialize PSID1) Table MAC X HMAC-SHA256 RevertSP Method range settings, and reset KEY (#1611) Result) PINs for TCG MEKs W Hash_DRBG(#3 97) PIN W Table 3 FIPS Approved services Algorithm CAVP Certification Number AES256CBC #2598 XTS-AES256 #2598 SHA256 #2183 HMAC-SHA256 #1611 RSASSA-PKCS-v1_5 #1331 Hash_DRBG #397 1 PSID (Printed SID) is public drive-unique value which is used for the TCG Revert AdminSP method. 5 Jul 14, 2015 Table 4 FIPS Approved Algorithms Section 3 ­ Physical Security The CM has the following physical security: Production-grade components with standard passivation Exterior of the drive is opaque In PX02SMU020/040/080 : Four tamper-evident security seals (CORNER SEAL A, CORNER SEAL B, CORNER SEAL C, and CORNER SEAL D) are applied to the CM in factory. These opaque and tamper-evident security seals are applied to top cover of the CM. These seals prevent top cover removal In PX02SMQ160: Three tamper-evident security seals are applied to the CM in factory One opaque and tamper-evident security seal (BASE SEAL) is applied to base of the CM. This seal prevents an attacker to access the PCB Two opaque and tamper-evident security seals (SIDE SEAL A and SIDE SEAL B) is applied to side of the CM. These seals prevent cover removal The tamper-evident security seals cannot be penetrated or removed and reapplied without tamper-evidence CORNER SEAL A CORNER SEAL B CORNER SEAL C CORNER SEAL D (PX02SMU020/040/080) 6 Jul 14, 2015 OVERVIEW OF TOP COVER (PX02SMU020/040/080) BASE SEAL(PX02SMQ160) SIDE SEAL A SIDE SEAL B (PX02SMQ160) 7 Jul 14, 2015 OVERVIEW OF BASE (PX02SMQ160) The operator is required to inspect the CM periodically for one or more of the following tamper evidence. If the operator discovers tamper evidence, the CM should be removed. Message "VOID" on security seal or enclosure Text on security seals does not match original A scratch on security seals covered screws Security seal cutouts do not match original Section 4 ­ Operational Environment Operational Environment requirements are not applicable because the CM operates in a "non-modifiable", that is the CM cannot be modified and no code can be added or deleted. Section 5 ­ Key Management The CM uses keys and CSPs in the following table. 8 Jul 14, 2015 Key/CSP Length Type Zeroize Method Establishment Output Persistence/Storage BandMaster/Erase 256 PIN Zeroization service Electronic input No SHA digest/System Area Master/SID PINs Encrypted by RKey / MEKs 512 Symmetric Zeroization service DRBG No System Area Output: Host can MSID 256 Public N/A(Public) Manufacturing Plain / System Area retrieve PubKey 2048 Public N/A(Public) Manufacturing No Plain / System Area Obfuscated(Plain in FIPS RKey 256 Symmetric Zeroization service DRBG No means) / System Area Entropy collected Seed 440 DRBG seed Power-Off from NDRNG at No Plain/RAM instantiation Encrypted by RKey / Table MAC Key 256 HMAC Key Zeroization service DRBG No System Area Note that there is no security-relevant audit feature and audit data. Section 6 ­ Self Tests The CM runs self-tests in the following table. Function Self-Test Type Abstract Firmware Integrity Check Power-On EDC 32-bit SHA256 Power-On Digest KAT FW HMAC SHA256 Power-On Digest KAT AES(AES CBC) Power-On Encrypt and Decrypt KAT AES(AES XTS) Power-On Encrypt and Decrypt KAT FW Hash_DRBG Power-On DRBG KAT FW RSASSA-PKCS-v1_5 Power-On Signature verification KAT FW Hash_DRBG Conditional Verify newly generated random number not equal to previous one NDRNG Conditional Verify newly generated random number not equal to previous one When the CM continuously enters in error state in spite of several trials of reboot, the CM may be sent back to factory to recover from error state. Section 7 ­ Design Assurance Initial operations to setup this module are following: 1. Get MSID from SAS interface. 2. Set range configurations with BandMaster authority by using MSID as PIN. 9 Jul 14, 2015 3. Change BandMaster(s)/EraseMaster PINs. To get more details, refer to the guidance document provided with the CM. Section 8 ­ Mitigation of Other Attacks The CM does not mitigate other attacks beyond the scope of FIPS 140-2 requirements. 10 Jul 14, 2015