Pitney Bowes
MS1 X4 PSD Security Policy

Product Code No.: 4W00
Prepared: J. Hurd
Date: 1-Sept-15
Checked: B. Hannigan
Sheet 1 of 27 sheets

Revision history

| Rev | Section | Description | By | Date |
|---|---|---|---|---|
| A | All | Initial Review | J. Hurd | 10-Nov-14 |
| B | All | Updates from submission review | B. Hannigan | 2-Dec-14 |
| C | 1, 3, 4, 5 | Update from CMVP comments | B. Hannigan | 20-May-15 |
| D | 3, 9 | Update from CMVP comments | B. Hannigan | 1-Sept-15 |

© Copyright 2015 Pitney Bowes Inc. May be reproduced only in its original entirety (without revision) including this copyright notice.

TABLE OF CONTENTS

1 MODULE OVERVIEW
2 SECURITY LEVEL
3 MODES OF OPERATION
3.1 FIPS MODE INDICATOR
4 PORTS AND INTERFACES
5 IDENTIFICATION AND AUTHENTICATION POLICY
6 ACCESS CONTROL POLICY
7 SOFTWARE UPDATE ACCESS CONTROL POLICY
7.1 PSD SOFTWARE UPDATE
8 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)
9 FUNDS RELEVANT DATA ITEMS
10 OPERATIONAL ENVIRONMENT
11 SECURITY RULES
12 PHYSICAL SECURITY POLICY
13 MITIGATION OF OTHER ATTACKS POLICY
14 REFERENCES
15 ACRONYMS

1 Module Overview

This document describes the Security Policy for the Pitney Bowes (PB) MS1 X4 Postal Security Device (PSD) Cryptographic Module.

Table 1 - Pitney Bowes X4MS1 Postal Security Device (PSD) components

| Item | Version |
|---|---|
| Pitney Bowes MS1 X4 Postal Security Device Cryptographic Module | Part # 4W84001 Rev AAA |
| Hardware: MAX32590 Secure Microcontroller | Revision B4 |
| Firmware components: | |
| Device Abstraction Layer (DAL) | 01.01.00F4 |
| PRNG Library | 01.01.0009 |
| AES Library | 01.01.0008 |
| ECDSA Library | 01.01.000A |
| DSA Library | 01.01.000A |
| HMAC Library | 01.01.0008 |
| DESMAC Library | 01.01.0008 |
| KAS Library | 01.01.0008 |
| DH Library | 01.01.0008 |
| RSA Library | 01.01.000C |
| Hash Library | 01.01.0008 |
| Common Crypto Library | 01.01.000A |
| Bootloader Interface Library | 00.00.000C |
| PB Bootloader | 00.00.0016 |
| PSD Application | 21.04.807E |

Digital postal payment systems, such as the Digital Meter Program, rely on secure accounting of postage funds and printing a cryptographic digital postage evidence mark on a mail piece in the form of an indicium. A PSD provides security services to support the creation of digital postage marks that are securely linked to accounting.
A PSD provides two types of data protection: secrecy of critical security parameters (CSPs), such as cryptographic keys, and data integrity protection for funds relevant data items (FRDIs) such as accounting data. CSPs and FRDIs reside inside the physical protections of the PSD.

The MS1 X4 PSD is defined as a single chip cryptographic module.

Figure 1 - MAX32590 Secure Processor

The MS1 X4 PSD's cryptographic boundary is defined as the package that comprises the Maxim Integrated MAX32590 secure microcontroller. PB executable code is stored in external memory and copied to internal SRAM to be executed. On each power-up the firmware components listed in Table 1 are authenticated via digital signatures and then copied to internal SRAM for execution:

1. The ROM Bootloader validates the PB Bootloader using RSA-PSS 2048 signature verification. The RSA-PSS 2048 SigVer function, part of the ROM Bootloader, has been validated (Cert. #1539).
2. Once the PB Bootloader has been authenticated, the PB Bootloader bootstraps and authenticates the Device Abstraction Layer (DAL) and its firmware components using an ECDSA P-256 with SHA-256 signature verification. The ECDSA P-256 SigVer function, part of the PB Bootloader, has been validated (Cert. #529).

2 Security Level

The MS1 X4 PSD cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2.

Table 2 - Module Security Level Specification

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 3 |
| Module Ports and Interfaces | 3 |
| Roles, Services and Authentication | 3 |
| Finite State Model | 3 |
| Physical Security | 3 + EFP |
| Operational Environment | N/A |
| Cryptographic Key Management | 3 |
| EMI/EMC | 3 |
| Self-Tests | 3 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

3 Modes of Operation

The PSD uses FIPS approved algorithms contained in the DAL. The DAL module supports the following FIPS Approved algorithms:

Table 3 - Approved Algorithms

| Algorithm | Usage |
|---|---|
| FIPS 186-4 DSA (Cert. #871) | Used to generate cryptographic key pairs, generation of digital signatures and digital signature verification for L=2048, N=256 & SHA-256. Also, supports legacy systems when used to verify signatures for L=1024, N=160 & SHA-1. |
| FIPS 186-4 ECDSA (Cert. #529) | Used to generate cryptographic key pairs, generation of digital signatures and digital signature verification for P-256 curves (SHA-256). Cryptographic key pair generation per FIPS 186-4 Section B.4.2. Also, supports legacy systems when used to verify signatures for P-192 curves (SHA-1). |
| FIPS 186-4 CVL (Cert. #254) | ECDSA component for signature generation. |
| SHS (Cert. #2369) | SHA-1 provides the hashing algorithm used as part of the digital signature verification process for DSA and ECDSA. It is also used in the generation of HMAC-SHA-1 message authentication codes. SHA-256 provides the hashing algorithm used as part of the digital signature process for RSA, DSA and ECDSA and in the generation of HMAC SHA-256 message authentication codes. |
| FIPS 197 AES (Cert. #2826) | Used to encrypt data output from the module and decrypt data input into the module. Key sizes supported are 128 bits and 256 bits. |
| SP800-38F AES Key Wrapping (Cert #2936) | Used to protect secret data. Key sizes supported are 128 bits and 256 bits. |
| SP 800-90A DRBG (Cert. #487) | Hash-Based Deterministic Random Bit Generator using SHA-256. |
| HMAC (Cert. #1769) | Used to generate HMAC-SHA-1 and HMAC-SHA-256 Message Authentication Codes. Minimum key size is 160 bit. |
| KAS (Cert. #49) | Key Agreement Protocol used to establish a session key (Ephemeral Unified Model C (2, 0, ECC CDH)) |
| Triple-DES (Cert. #1690) | Legacy encryption support 2-key Triple-DES and 3-key Triple-DES keys. Life of the module is designed to perform fewer than 2^20 blocks of data encryption. |
| FIPS 186-4 RSA (Cert #1539) | Used for key generation, digital signature generation and encryption (key encapsulation) with key size of 2048. Also, supports legacy systems when used to verify signatures for key size = 1024. |
| Triple-DES MAC (Cert. #1690, Vendor affirmed) | Legacy SP 800-57 Part 1 (Revision 3) message authentication. |

The module supports the following non-Approved but Allowed security functions:

Table 4 - Non-Approved but Allowed Security Functions

| Security Function | Usage |
|---|---|
| Diffie Hellman | Key establishment methodology provides 112 bits of security using 2048 bit keys |
| Hardware RNG | The hardware RNG is used to initially seed the Approved DRBG |

The module supports the following non-Approved security functions while operating in non-FIPS mode:

Table 5 - Non-Approved Security Functions

| Security Function | Usage |
|---|---|
| Diffie Hellman (non-compliant) | Key Agreement Protocol used to establish a session key. Key agreement using 1024 bit keys |
| DSA (non-compliant) | This algorithm is used to generate key pairs and generate signatures for L=1024, N=160 & SHA-1. |
| ECDSA (non-compliant) | This algorithm is used to generate key pairs, digital signatures for P-160 (SHA-1) and P-192 (SHA-1) curves. |
| RSA (non-compliant) | This algorithm is used to digitally sign using schemes PKCS 1.5, X9.31 and PSS, PKCS 1 version 2.1 for 1024 bit modulus using SHA-1. |

3.1 FIPS Mode Indicator

The module supports a single mode of operation in which the module alternates service by service between Approved and non-Approved modes of operation.
When the module executes services that do not rely on cryptographic functions, or that rely on Approved algorithms, it is said to operate in an Approved mode of operation. Conversely, when services relying on non-Approved algorithms are executed, the module is said to operate in a non-Approved mode of operation.

The MS1 X4 PSD has a Non-FIPS Mode Parameter that can be set via a Load Parameters message. If the Non-FIPS Mode Parameter is set, the most significant bit of the status word in each message response is set, reflecting that the MS1 X4 PSD is operating in a non-FIPS Mode.

4 Ports and Interfaces

The MAX32590 is supplied in a 324-pin BGA package where all power input, data input, data output, control input, and status output interfaces are supported.

Columns: Ball Grid Array Pin Horizontal from "x". Rows: Ball Grid Array Pin Vertical from "x".

| | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| A | - | - | - | - | - | - | O | - | - | - | - | - | - | - | - | - | - | - |
| B | - | - | - | - | - | - | I | - | - | - | - | - | - | - | - | - | - | - |
| C | - | - | P | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| D | - | - | P | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| E | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| F | - | - | - | - | - | P | P | P | P | P | P | P | IO | IO | - | - | - | - |
| G | - | - | - | - | S | P | - | - | - | - | - | P | C | - | - | - | - | - |
| H | - | - | - | - | P | P | - | - | - | - | - | P | S | - | - | - | - | - |
| J | - | - | - | - | C | P | - | - | - | - | - | P | C | - | - | - | - | - |
| K | - | - | - | - | C | P | - | - | - | - | - | P | C | - | - | - | - | - |
| L | - | - | - | - | - | P | - | - | - | - | - | P | - | - | - | - | - | - |
| M | - | - | - | S | - | P | - | - | - | - | - | P | - | - | - | - | - | - |
| N | - | - | - | - | - | P | P | P | P | P | P | P | - | S | - | - | S | S |
| P | - | - | - | O | - | O | O | O | O | O | O | - | O | O | O | O | O | O |
| R | - | - | - | - | - | - | - | - | - | IO | IO | IO | IO | O | O | O | O | O |
| T | - | - | - | - | - | - | - | - | - | IO | IO | IO | IO | - | O | O | O | O |
| U | - | - | - | - | - | - | - | - | - | IO | IO | IO | IO | - | - | O | O | O |
| V | - | - | - | - | - | - | - | - | - | IO | IO | IO | IO | - | - | O | O | O |

I = Data In, O = Data Out, S = Status Out, C = Control In, P = Power, - = Disabled

Figure 2 - Interface Mapping

5 Identification and Authentication Policy

There is no traditional login process for an operator for any role in the MS1 X4 PSD design. No role or identity is active other than during the processing of a valid authorized transaction. Each request sent to the MS1 X4 PSD is digitally signed with a particular key. The MS1 X4 PSD authenticates the entity by verifying the digital signature with the associated public certificate.

Table 6 - Roles and Authentication Type

| Role | Authentication Method | Authentication Type |
|---|---|---|
| Crypto-Officer | Digital Signature Verification | Identity-based |
| PSD Administrator | Digital Signature Verification | Identity-based |
| Printing Administrator | Digital Signature Verification | Identity-based |
| Financial Officer (User) | Digital Signature Verification | Identity-based |
| Customer | On behalf of the PSD Administrator, Printhead Administrator, or Financial Officer | None |

Table 7 - Authentication Strength

| Authentication Mechanism | Strength of Mechanism |
|---|---|
| Digital Signature | Based on the number of protected bits in the key or signature, the probability is 1 in 2^x tries, where x is the number of protected bits, and thus less than 1 in 1,000,000. External entities are authenticated using digital signatures based on the ECDSA P-256 curve. This provides 128 bits of key strength, or a probability of random success of 1 in 2^128. The module can execute 17.85 ECDSA P-256 Signature Verifications per second, therefore the probability of a success in a one minute period is 1 in 3.2 x 10^35, which is less than 1/100,000. |

6 Access Control Policy

Each identity and corresponding services are described in the following section.

Crypto-Officer (CO): The CO is responsible for the high level key management within the PSD.
The primary functions are to load keys into the MS1 X4 PSD and to authorize the generation and use of Debit and Operation Keys. The services allocated to this role are as follows:

Generate PSD Key: The Crypto Officer sends this block to instruct the PSD to generate a Public/Private key pair that is the PSD Authentication Operation Key OR the PSD Authentication Debit Key. The message contains a Signed Parameter Record with the parameters for use in the generation of the private and public key values. The cryptographic algorithm supported for use as the PSD Authentication Operation Key is ECDSA. The cryptographic algorithms supported for use as the PSD Authentication Debit Key are DSA and ECDSA. The algorithm used is determined by the Key Descriptor in the Signed Parameter Record and is based on postal requirements.

Load PRNG Seed: The Crypto Officer sends this block to instruct the PSD to initialize the Pseudo Random Bit Generator. The PSD shall retrieve data from the TRNG to create the DRBG-V, Key Encryption Key, Key Authentication Key and DRBG-WS.

Load Certificate Key: The Crypto Officer sends this certificate to instruct the PSD to load the Domain MS1 Auth Certificate Key from the host or PB Infrastructure systems in a certificate signed by the Domain MS1 Auth Vendor ECDSA P-256 Key. The key is to be stored in the NVM for later use in verification of signed records. The PSD shall receive the Load Certificate Key message and then validate the message header and data content. If accepted as valid, the PSD shall verify the Domain Auth MS1 Certificate Key Certificate with the Domain MS1 Authentication Vendor Key. If valid, the PSD shall store the Domain MS1 Auth Certificate Key. The Domain MS1 Auth Certificate Key is an ECDSA P-256 Key. Otherwise an error message shall be generated.

Load Vendor Key: The Crypto Officer sends this certificate to instruct the PSD to load the Domain MS1 Vendor Key from the host or PB Infrastructure systems in a certificate signed by the Domain Comet Auth Sigma Mfg ECDSA FP256 Key. The key is to be stored in the NVM for later use in verification of signed records. The PSD shall receive the Load Vendor Key message and then validate the message header and data content. If accepted as valid, the PSD shall verify the Domain Auth MS1 Vendor Key Certificate with the Domain Comet Auth Sigma Mfg Key. If valid, the PSD shall store the Domain MS1 Authentication Vendor Key. Otherwise an error message shall be generated. The Domain MS1 Authentication Vendor Key is an ECDSA P-256 Key.

Load CRL: The Crypto Officer sends this message to request the PSD to store the Certificate Revocation List and the CRL version if needed and store the list in internal memory. The CRL is a signed structure, signed by the Domain MS1 Authentication Vendor Key. The version of the CRL must be greater than or equal to any previously loaded, otherwise an error will be reported and the PSD will be disabled. The version number of the currently loaded PSD is recorded in Flash memory for future comparison. Once the PSD is out of Manufacturing state, it will require that a CRL be loaded. Prior to loading a CRL, all functions requiring cryptographic operations other than Load CRL will be blocked. Any public key identified by the CRL will be blocked from use in the PSD.

Load Encrypted Key: The Crypto Officer sends this certificate to instruct the PSD to load a signed key record containing an encrypted symmetric or private key.
The following keys can be loaded with the Load Encrypted Key command:
  o P'UPsdA-Dbt
  o P'UPsdP-Dbt
  o KUPsdA-Dbt

PSD Administrator (PSDA): The PSD Administrator manages non-key data used to set internal parameters and settings in the MS1 X4 PSD. The Postage by Phone system and the Manufacturing Systems are the only entities who act as the PSD Administrator.

Load Parameters: The PSD Administrator sends this block to load either functional parameters or data parameters to the PSD. The parameter blocks are signed by the Domain MS1 Auth Certificate Key. If the PSD is in the operational state, the first parameter in the parameter block must be the challenge value from the most recent "Get Challenge" command to the PSD. Supported functional parameters are:
  o Transition to Operational State: The Transition to Operational State parameter shall cause the MS1 X4 PSD to transition to operational state. This shall place the MS1 X4 PSD in the Operational State.
  o Transition to Base State: Triggers an event to transition the PSD from Manufacturing state to Base state. Should only be sent to the PSD after all parameters required for sign on with the Data Center have been successfully loaded.
  o Disable PSD: This command shall place the MS1 X4 PSD in the Disabled state. No indicia shall be generated and no postage value downloads shall be performed.
  o Enable PSD: This command may transition the MS1 X4 PSD from the Disabled state to the Serial Number Locked state. It shall be valid only if no other lockout states are met.
  o Reinitialize PSD: Causes the PSD to erase all NVM data except for HW Mfg Data and 'persistent' data (total device cycles, reinit count) and then invalidates the PSD App. Used in the remanufacturing process, or to 'clean' the PSD to retry configuration from scratch. This command zeroizes the Unique PSD Key Encryption Key, which results in the loss of all other Private and Secret Keys.
  o Transaction Start: Triggers an event to have the PSD prepare for a multi-message transaction that must be completed successfully as a unit (atomic transaction). This means that if any one of the messages within the transaction fails, all messages must be rolled back. Not all messages sent after start of a transaction are processed to allow commit/rollback. The messages that are handled in the transaction are PVD (one occurrence), Load Parameters (only data parameters), Load Encrypted Key, and Generate PSD Key.
  o Transaction Commit: Triggers an event to 'commit' the updates made by PVD, Load Parameters, Load Encrypted Key, and / or Generate PSD Key made after the Transaction Start event was processed.
  o Transaction Rollback: Triggers an event to roll back (cancel) the updates made by PVD, Load Parameters, Load Encrypted Key, and / or Generate PSD Key made after the Transaction Start event was processed.

Process Flex Debit Block: The PSD Administrator sends this block to load flex debit templates into the PSD. The flex debit template defines the indicia content for subsequent debit operations. The flex debit template is signed by the Domain MS1 Auth Certificate Key.

Generate Session Key: The PSD Administrator sends this block to instruct the PSD to generate a key via the Elliptic Curve Diffie-Hellman Key Agreement procedure that will be used for either:
  o Infrastructure session, where the generated key will be used once for wrapping a secret/private key to be loaded into the PSD via Load Key Request
  o Printer session, where the generated key will be used for applying a MAC to all PSD responses for authentication by the 'printer'
  o The message contains a Key Block with the initiator public key including EC-DH key parameters signed by the Domain MS1 Auth Certificate Key for generating the responder private key and deriving the shared secret key. The response contains the data required for the device doing the key agreement to compute the shared key.
  o If a printer session is required (Communication Authentication Type parameter value is 1) then the PSD will restrict the same functions that are blocked prior to loading the CRL, with the exception of Generate Session Key, to allow the session to be initiated, and Load Parameters, to allow the session requirement to be toggled.

Start Software Update: Triggers an event to invalidate the currently loaded PSD App and jump to the Software Update Utility entry point to allow start of software download with the new PSD Application. The Allow SW Updates parameter must be set to TRUE before this command can be executed. Software Update is described in section 7.1 Software Update.

Printing Administrator (PHA): The Printing Administrator is in charge of downloading information used in conjunction with the Printing such as images and page layouts.

Verify Hash Block: The Printing Administrator sends these blocks to instruct the PSD to verify an MS1 binary SHA 256 Hash Block. The PSD shall receive the MS1 Download Certificate and MS1 Binary Hash Block and then validate the message header and data content. If accepted as valid, the PSD shall verify the MS1 Download Certificate with the Domain MS1 Authentication Vendor Key. If valid, the PSD will extract the Domain MS1 Auth Download key from the download certificate. This key will be used in verifying the input MS1 Binary Hash Block. Otherwise, an error message is returned. The PSD shall validate the message header and data content of the I_BLK_MS1_BIN_HASH_BLK binary hash block. If accepted as valid, the PSD shall verify the MS1 Binary Hash Block with the Domain MS1 Auth Download Key that was previously loaded.
Otherwise, an error message is returned.

Financial Officer (FO): Funds transfer into and out of the MS1 X4 PSD is the responsibility of the Financial Officer. This corresponds to the "User" role as identified by FIPS 140-2. Postage by Phone is the Financial Officer.

Process Postage Value Download Block: The Funds Officer sends this block to perform a postage value download operation. The PSD will validate the message header and data content and verify the signature of the MS1 PVD Response Block with the Domain MS1 Authentication Certificate Key.

Withdraw Request: The Funds Officer sends this message to request the PSD prepare to perform a Withdrawal operation. The PSD will enter a locked state (Withdrawal Pending) that will not permit any debit or credit operations. The PSD creates a Withdraw Request block containing the PSD's register values. The PSD signs the Withdraw Request block with the Unique PSD Operational Key. The only way to exit the locked state is by the Data Center aborting the withdraw operation in the Withdraw Request.

Process Withdraw Response: The Funds Officer sends this message to complete the withdraw process. The postage is removed from the PSD upon receiving the MS1 Withdraw Response Block. This block is signed to verify the integrity and authenticity of the content using the Domain MS1 Auth Certificate Key. The PSD shall receive the message, and then validate the message header and data content. If accepted as valid, the PSD shall verify the MS1 Withdraw Response Block. If valid, the PSD will remove the funds from the funds registers and set the state to the Withdrawn State. If the Data Center status indicates that the refund is to be aborted, the PSD will not reset the descending register and will exit the withdraw pending state and return to Operational State if no other lockout conditions exist. If any other Data Center error is indicated, the PSD will remain in the Withdraw Pending state.

Prepare Audit Record: The Funds Officer sends this command to request that the PSD prepare a signed Audit Request Block. The Audit Request Block contains the PSD register values and real time clock value. The record is signed by the Unique PSD Operational Key and sent to the Financial Officer.

Process Audit Response: The Funds Officer sends this command to the PSD so that it may process the MS1 Audit Response Block returned from the Pitney Bowes infrastructure in response to the immediate previous Audit Request command. The MS1 PSD shall verify the signature of the MS1 Audit Response Block with the Domain MS1 Auth Certificate Key. Depending on PCN parameter settings, this command may cause clearing of the inspection lockout or the resetting of the next inspection due date. The PSD shall use clock offset correction to update its clock drift correction parameter.

Generate Finalizing Franking Record: The Funds Officer sends this command to request that the PSD prepare a signed Finalizing Franking Record. This message is valid only for Germany FrankIt and includes a hash implemented according to the FrankIt specification. The IndiciaSecurityType parameter must be set to Germany FrankIt. Data items include Indicia Serial Number, ascending register, descending register, piece count, and other defined data items.

Customer (CU): This role performs services on behalf of the PSD Administrator, Financial Officer and Printing Administrator; services allocated to this role require other authorized transactions to occur in conjunction with the service being invoked.

Precompute r for Debit: The Host sends this message to the PSD to have it pre-compute the 'r' signature component for the PSD Auth Key signature (DSA or ECDSA).
This message is used for countries whose debit certificate is signed by a DSA or ECDSA key.

Create Debit Certificate: The Host sends this message to the PSD to have it create a debit certificate in the format defined by the Flex Debit Certificate Template. Input to this command is defined by the Flex Debit Templates. The data included in this command is dependent on the country requirements. Typical data includes Debit Value, Mail Date and Data Capture Recovery Data. The definitions of the data input and output by the Debit command are provided in the Flex Debit Templates that are loaded by the host device on each power up or when the debit certificate format is updated. Based on PCN parameter settings, invocation of this command will cause the required cryptographic calculations to create the debit certificate. This command will return an error if input data is out of allowable ranges and if Origin Postal Code is NULL, indicating that the postal code data was never set. This is done on behalf of the Financial Officer.

Finalize Debit: The Host sends this message to have the PSD perform post-debit housekeeping and prepare for the next Debit operation by precomputing the 'r' signature parameter if necessary.

Unauthenticated Services: Miscellaneous functions that do not require the MS1 X4 PSD authentication of the entity; Unauthenticated Services are available to all roles, both authenticated and unauthenticated.

Get Challenge: The Host shall instruct the MS1 X4 PSD to output an eight byte nonce (random number), which shall be used in a subsequent command that requires that nonce word for authentication. This is always done in conjunction with another authorized transaction, and is then considered as being done on behalf of any role that requires a nonce value.
Get Key List: Instructs the PSD to return a list of all active keys stored in the PSD.

Set Clock: The Host sends this command to set up the real time clock in the PSD. The real time clock can only be programmed when the PSD is in manufacturing state. It cannot be changed once the PSD is 'locked'. It is assumed that the clock is set to GMT.

Get Clock Offsets: Returns the MS1 X4 PSD clock offset values.

Get Local Time: This command shall cause the MS1 X4 PSD to return the value of the real time clock with all of the offsets calculated, including the GMT offset and drift correction.

Get GMT Time: Returns the clock value with the drift correction added (GMT Time if clock is set correctly).

Set GMT Offset: The Host sends this command to set the GMT offset in the PSD. The GMT offset is a combination of offsets (daylight savings time offset, time zone offset, etc.) that need to be set by the customer.

Get Parameters: The Host sends this message to the PSD to retrieve parameter values from the PSD. The Host can request individual parameter IDs or all of the Parameters in the PSD.

Perform Full Diagnostics: The Host device sends this command to the PSD to request the PSD perform its diagnostic processing. The PSD will run its power up tests as well as perform other maintenance activities.

Perform Diagnostic Test: The Host sends this message to request that the MS1 X4 PSD perform a diagnostic test.

Read Log File: The Host device sends this message to the PSD to get Log Data. The number of available entries, the size of each entry, and the data contained in each entry will depend on the log that is being requested.

Get PSD Status: The Host device sends this message to the PSD to request PSD status information. Included in the status information is the PSD Application status word (32 bits), the HW Status word (32 bits), current PSD State (16 bits) and the current PSD internal state (16 bits). The Get PSD Status command is also used to invoke transition of the PSD state from a state where a specific message is expected (i.e. Process Audit Response) to the normal idle state where most PSD commands are processed. If the MS1 X4 PSD is in a state where a specified command is expected, this command is used to return the MS1 X4 PSD to its Idle state and provide status.

Get PSD Attributes: The Host sends this message to the PSD to request its attribute data.

Reboot: The Host sends this command to reboot the PSD application.

7 Software Update Access Control Policy

The PSD supports a secure software update process. In order to achieve this, the PSD must relinquish control to the DAL. The DAL contains a Software Update Utility which is used to update the PSD application in a safe manner. This layer is referred to as the Software Update Utility.

7.1 PSD Software Update

The Start Software Update event triggers the software update process. This event instructs the PSD to relinquish control to the Software Download Utility in the DAL. PSD Software applications are loaded in chunks. Each chunk is signed by the Domain MS1 Authentication PSD Software Key (ECDSA 256). In addition, a record containing a signed SHA 256 Hash of the entire application is verified by the PSD prior to accepting the new application. This record is also signed by the Domain MS1 Authentication PSD Software Key.

The Software Download Utility supports the following messages:

PSD Administrator (PSDA):

Setup Download Data: The Host sends this signed record to make the Software Download Utility aware of the parameters of the software (application) to be downloaded. This message is signed by the Domain MS1 Authentication PSD Software Key. Receipt of this message triggers a transition to the state required to load chunk information.
The Setup Download Data message is only valid if the SDU is idle and waiting to begin a download.

Setup Download Chunk: The Host sends this signed record to make the Software Download Utility aware of the parameters of the software (application) chunk to be sent in the following message. Receipt of this message triggers a transition to the state required to load the chunk. The Setup Download Chunk message is only valid if the SDU has received a valid Setup Download Data message.

Download Chunk: This message contains the data referenced in the Setup Download Chunk message.

Utility Functions

The following utility functions are unauthenticated and intended to aid the host application in managing the software update process.

Get PSD Attributes: This function is invoked using the same command ID as the PSD Application. It returns a 'PSD Attributes' response message with all fields set to '0' except for the SDU Version, which is set appropriately, and the HW Version Number (PB SMR) and Device Serial Number, which are retrieved from the Manufacturing Data written by the HW manufacturer. The structure and memory location of the Manufacturing Data is defined in X4 Manufacturing DAL Interface Specification (refer to mfgdata.h in PSD Application project for structure used to parse the Manufacturing Data).

Reboot: This function is invoked using the same command ID as the PSD Application. It returns a 'Reboot' response message, waits for 1 second, then resets the MAX32590.

Get PSD Status: The Host device sends this message to the PSD to request PSD status information. Included in the status information is the PSD Application status word (32 bits), the HW Status word (32 bits), current PSD State (16 bits) and the current PSD internal state (16 bits).
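The message ordering and verification rules of section 7.1, as an added example that is not Pitney Bowes code. The record layouts, the placement of the whole-application hash in Setup Download Data and the reset-on-rejection policy are assumptions, and HMAC-SHA-256 stands in for the ECDSA P-256 signature so the code runs on the Python standard library.

```python
import hashlib
import hmac
import struct
from enum import Enum, auto

# Constructed stand-in key. The module verifies ECDSA P-256 signatures;
# HMAC-SHA-256 is swapped in so the example runs on the standard library.
DEMO_KEY = b"constructed demo key"

def sign(record: bytes) -> bytes:
    return hmac.new(DEMO_KEY, record, hashlib.sha256).digest()
def verify(record: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(record), sig)

class State(Enum):
    IDLE = auto()               # waiting to begin a download
    AWAIT_SETUP_CHUNK = auto()  # valid Setup Download Data received
    AWAIT_CHUNK = auto()        # valid Setup Download Chunk received
    ACCEPTED = auto()           # whole-application hash verified

class SduError(Exception): pass

class Sdu:
    def __init__(self):
        self.state, self.image = State.IDLE, b""

    def _fail(self, why: str):
        # Assumed policy: a rejected message discards the partial image.
        self.state, self.image = State.IDLE, b""
        raise SduError(why)

    def setup_download_data(self, record: bytes, sig: bytes):
        # Assumed layout: 4-byte total length || SHA-256 of the application.
        if self.state is not State.IDLE:
            self._fail("Setup Download Data is only valid when idle")
        if len(record) != 36 or not verify(record, sig):
            self._fail("Setup Download Data record rejected")
        self.total, self.app_hash = int.from_bytes(record[:4], "big"), record[4:]
        self.state = State.AWAIT_SETUP_CHUNK

    def setup_download_chunk(self, record: bytes, sig: bytes):
        # Assumed layout: 4-byte offset || 4-byte length || SHA-256 of chunk.
        if self.state is not State.AWAIT_SETUP_CHUNK:
            self._fail("Setup Download Chunk needs a valid Setup Download Data")
        if len(record) != 40 or not verify(record, sig):
            self._fail("Setup Download Chunk record rejected")
        offset, length = struct.unpack(">II", record[:8])
        if offset != len(self.image) or not 0 < length <= self.total - offset:
            self._fail("chunk does not fit the announced application")
        self.chunk_len, self.chunk_hash = length, record[8:]
        self.state = State.AWAIT_CHUNK

    def download_chunk(self, data: bytes) -> bool:
        # Returns True once the complete application has been accepted.
        if self.state is not State.AWAIT_CHUNK:
            self._fail("Download Chunk needs a preceding Setup Download Chunk")
        if len(data) != self.chunk_len or hashlib.sha256(data).digest() != self.chunk_hash:
            self._fail("chunk data does not match its signed setup record")
        self.image += data
        done = len(self.image) == self.total
        if done and hashlib.sha256(self.image).digest() != self.app_hash:
            self._fail("application hash mismatch")
        self.state = State.ACCEPTED if done else State.AWAIT_SETUP_CHUNK
        return done

def host_messages(app: bytes, size: int):
    """Host side of a download: (handler name, arguments) per message."""
    head = struct.pack(">I", len(app)) + hashlib.sha256(app).digest()
    yield "setup_download_data", (head, sign(head))
    for off in range(0, len(app), size):
        chunk = app[off:off + size]
        rec = struct.pack(">II", off, len(chunk)) + hashlib.sha256(chunk).digest()
        yield "setup_download_chunk", (rec, sign(rec))
        yield "download_chunk", (chunk,)
```

Feeding the messages from `host_messages` to an `Sdu` in order ends in `State.ACCEPTED`; any message that arrives out of order, carries a bad signature or does not match its setup record raises `SduError` and returns the object to `State.IDLE`.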
8 Definition of Critical Security Parameters (CSPs)

The following table describes the CSPs contained in the module:

Table 8 - CSPs

Key | Key Name | Description / Usage | Generation / Agreement | Storage | Entry / Output | Destruction
KEK | Unique HSM Key Encryption Key | AES256 Key Encryption Key | Internally by FIPS approved DRBG | cleartext in BBREG, ciphertext in BRAM | Entry: N/A; Output: N/A | Zeroized on Tamper or Reinitialize or removal of all power
KAK | Unique HSM Key Authentication Key | HMAC256 Key Authentication Key | Internally by FIPS approved DRBG | Ciphertext in BRAM | Entry: N/A; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
P'UPsdA-Dbt | Unique PSD Authentication Debit Private Key | ECDSA or DSA key used to sign debit records | Internally by a FIPS Approved DRBG | cleartext in SRAM | Entry: N/A; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
KUPsdA-DBT | Unique PSD Authentication Debit Secret Key | AES, TDES, HMAC key used to generate Message Authentication codes on debit Records | External | cleartext in SRAM | Entry: Encrypted; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
P'UPSDA-Op | Unique PSD Authentication Operational Private Key | ECDSA keys used to communicate with the infrastructure | Internally by a FIPS Approved DRBG | cleartext in SRAM | Entry: N/A; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
P'UPSDP-Dbt | Unique PSD Privacy Debit Key | RSA public keys used to encapsulate postal generated debit keys | External | cleartext in SRAM | Entry: Encrypted; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
KUPSDP-Dbt | Unique PSD Privacy Debit Key | TDES key used to encrypt postal security related parameters to the PSD | External | cleartext in SRAM | Entry: Encrypted; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
KSPSDA-Prt | Session PSD Authentication Printer Key | HMAC Key used to authenticate messages sent to the system controller | Key Agreement per SP 800-56A | cleartext in SRAM | Entry: N/A; Output: N/A | End of session or zeroized on Tamper or Reinitialize or removal of all power
KUSPDP-Op | Session PSD Privacy Operation Key | AES Key used to wrap secret or private key data sent from the infrastructure | Key Agreement per SP 800-56A | cleartext in SRAM | Entry: N/A; Output: N/A | End of session or zeroized on Tamper or Reinitialize or removal of all power
DRBG WS | DRBG Working State | Values for V and C of the DRBG | Updated during each internal call to the DRBG | ciphertext in BRAM | Entry: N/A; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power
DRBG V | DRBG Entropy Input | Random bits obtained from the Hardware RNG | Hardware RNG | ciphertext in BRAM | Entry: N/A; Output: N/A | Encrypting key zeroized on Tamper or Reinitialize or removal of all power

The following table describes the public keys contained in the module:

Table 9 - Public Keys

Key | Key Name | Description / Usage | Generation / Agreement | Storage | Entry / Output
MRK | Maxim Root Key | RSA PSS 2048 public key used to validate CRK when it is loaded. | Externally | cleartext in OTP | Entry: Hard Coded in MAX32590 ROM; Output: N/A
CRK | Customer Root Key | RSA PSS 2048 public key used to validate PB Bootloader | Externally | cleartext in OTP | Entry: Authenticated; Output: N/A
SWAK | HSM Software Authentication SDU Download Key | ECDSA P-256 public key used to validate firmware | Externally | cleartext in SRAM | Entry: Hard coded in BL; Output: N/A
PDCmtA-SigMfg | Domain Comet Authentication Sigma Manufacturing Key | ECDSA used to validate Software Download Utility and Vendor Certificate | Externally | cleartext in SRAM | Entry: Certificate form; Output: N/A
PDMS1A-C | Domain MS1 Authentication Certificate Key | ECDSA used to validate Authority Data | Externally | cleartext in SRAM | Entry: Certificate form; Output: N/A
PDMS1A-Dl | Domain MS1 Authentication Download Key | ECDSA used to validate data blocks for the Trusted Printer from the infrastructure | Externally | cleartext in SRAM | Entry: Certificate form; Output: N/A
PDMS1A-PsdS | Domain MS1 Authentication PSD Software Key | ECDSA key used to authenticate PSD application Software | Externally | cleartext in SRAM | Entry: Embedded with DAL Software Update Utility form; Output: N/A
PDMS1A-V | Domain MS1 Authentication Vendor Key | ECDSA vendor authentication | Externally | cleartext in SRAM | Entry: Certificate form; Output: N/A
PUMS1KA-B | Unique MS1 Key Agreement Base Key | ECDH Key used in key agreement between the Base and PSD | Externally | cleartext in SRAM | Entry: Certificate form; Output: N/A
PUMS1KA-Op | Unique MS1 Key Agreement Operation Key | ECDH Key used in Key Agreement between Infrastructure and PSD | Externally | cleartext in SRAM | Entry: Certificate Form; Output: N/A
PUPsdA-Dbt | Unique PSD Authentication Debit Key | ECDSA or DSA key used to sign debit records | Internally by a FIPS Approved DRBG | cleartext in SRAM | Entry: N/A; Output: Certificate Form
PUPSDA-Op | Unique PSD Authentication Operational Key | ECDSA keys used to communicate with the infrastructure | Internally by a FIPS Approved DRBG | cleartext in SRAM | Entry: N/A; Output: Certificate Form

The following table describes the modes of access for each key to each role supported by the module. The modes of access are defined as:

Zeroize: The module zeros the key memory location.
Generates: The module generates the key using the FIPS Approved PRNG.
Establishes: A key agreement process is used to establish the specified key.
Load: Inputs the key.
Decrypt: Decrypts something with the specified key.
Sign: Signs with the specified key.
Revokes: Revokes a key based on identifiers in the CRL.

Table 10 - Modes of Access

Services | CSP Modes of Access | Roles (PSDA PHA CO CU FO)
Generate PSD Key | Generates P'UPsdA-Op and P'UPsdA-Dbt corresponding public key is output signed by current version of P'UPsdA-Op P'UPsdA-I, Encrypt with KEK | X
Load CRL | Revokes the key(s) identified in the CRL | X
Load Vendor Key | Verifies and loads PDMS1A-V | X
Load Certificate Key | Verifies and loads PDMS1A-C | X
Load Encrypted Key | Verifies and loads KUPsdA-DBT, P'UPSDP-Dbt, KUPSDP-Dbt, PDCmtA-SigMfg, PDMS1A-Dl, PDMS1A-PsdS, PUMS1KA-B, PUMS1KA-Op | X
Load PRNG Seed | Triggers generation of DRBG V, KEK, KAK and initial DRBG WS | X
Withdraw Request | Sign with P'UPSDA-Op | X
Process Postage Value Download Block | N/A | X
Process Withdraw Response | N/A | X
Process Audit Response | N/A | X
Prepare Audit Record | Sign with P'UPSDA-Op | X
Generate Finalizing Franking Record | N/A | X
Verify Hash Block | N/A | X
Load Parameters | N/A | X
Process Flex Debit Block | N/A | X
Disable PSD | N/A | X
Enable PSD | N/A | X
Reinitialize PSD | Zeroizes all Secret and Private key data | X
Transition to Base State | N/A | X
Transition to Operational State | N/A | X
Generate Session Key | Loads PUMS1KA-Op, generates KUSPDP-Op or Loads PUMS1KA-B, generates KSPSDA-Prt | X
Start Software Update | N/A | X
Setup Download Data | N/A | X
Setup Download Chunk | N/A | X
Download Chunk | N/A | X
Finalize Debit | Sign with P'UPsdA-I | X
Precompute r for Debit | N/A | X
Create Debit Certificate | Sign with P'UPsdA-Dbt | X
Finalize Debit | N/A | X
Get Challenge | N/A | X X X X X
Get Key List | N/A | X X X X X
Get Parameters | N/A | X X X X X
Reboot | N/A | X X X X X
Get PSD Attributes | N/A | X X X X X
Get PSD Status | N/A | X X X X X
Get Clock Offsets | N/A | X X X X X
Get GMT Time | N/A | X X X X X
Get Local Time | N/A | X X X X X
Perform Diagnostic Test | N/A | X X X X X
Perform Full Diagnostics | N/A | X X X X X
Read Log File | N/A | X X X X X
Set GMT Offset | N/A | X X X X X

9 Funds Relevant Data Items

FRDIs are data items (reflecting financial data) whose authenticity and integrity are critical; however, they are not CSPs and should not be zeroized. All FRDIs are stored in nonvolatile memory in the module. FRDIs include:

Indicia Serial Number: The identification number associated with the meter license.

Ascending Register: This register contains the total amount of funds spent over the lifetime of the module.

Descending Register: This register contains the amount of funds currently available in the module.

Control Sum: This register contains the total amount of funds credited to the module over the lifetime of the module. The Control Sum must equal the sum of the Ascending Register and the Descending Register values.

PSD Piece Count: The number of indicia plus the number of correction indicia dispensed by the MS1 X4 PSD.

Zero Piece Count: The number of indicia containing zero for the postage value.

10 Operational Environment

The FIPS 140-2 Area 6 Operational Environment requirements for the module are not applicable because the device does not contain a modifiable operational environment.

11 Security Rules

This section documents the security rules enforced by the module to implement the security requirements of this FIPS 140-2 Level 3 module.

The module shall not process more than one request at a time (i.e., single threaded). While processing a transaction, prior to returning a response, the module will ignore all other inputs to the module. No output is performed until the transaction is completed, and the only output is the transaction response.

The module shall validate identities using digital signatures.
All keys generated in the module shall have at least 112 bits of strength for FIPS Approved operation.

All methods of key generation shall be at least as strong as the key being generated.

All methods of key establishment shall be at least as strong as the key being established.

Signed digital indicium data shall not be output unless the proper funds accounting has been performed.

The module shall not provide a bypass state where plaintext information is just passed through the module.

The module shall not support a maintenance mode.

The module shall not support a safety state.

The module shall not output any secret or private key in plaintext form.

The module shall not accept input of any secret or private key in plaintext form.

There shall be no manual entry of keys into the system.

There shall be no entry or output of split keys from the system.

There shall be no key archiving.

Keys shall be either generated via an Approved method or entered into the system through valid processes.

Only those keys necessary for the domain specified by the PCN shall be loaded during manufacturing or generated during operation.

The module shall support the following conditional tests:
o Pairwise consistency test for DSA2048 key pair generation
o Pairwise consistency test for ECDSA P-256 key pair generation
o Continuous RNG test for the DRBG - Stuck Seed, Stuck Number
o Continuous RNG test for internal hardware Random Number Generator
o ECDSA P-256 Signature Verification - Firmware Load Test
o ECDSA P-256 Public Key Validation as part of SP 800-56A Key Agreement Protocol

The module shall support power up self-tests, which can also be run as requested by the user, including:
o Firmware Integrity Tests: Digital Signature - ECDSA P-256
o Bootloader Power On Self-Tests (POST)
    ECDSA P-256 Verification Known Answer Test
    SHA-256 Known Answer Test
o Critical functions tests:
    RTC Test
    Bootloader Test
    BRAM Pattern Test
o Cryptographic Algorithm Known Answer Tests: (DAL POST)
    2-key and 3-key Triple DES Known Answer Test
    DSA1024 and DSA2048 Verification Known Answer Test
    SHA-1 and SHA-256 Known Answer Test
    AES256 Key Wrap / Unwrap Known Answer Test
    AES256 Encrypt / Decrypt Known Answer Test
    RSA2048 Sign/Verify Known Answer Test
    DSA2048 Pairwise Consistency Test
    ECDSA P-256 Pairwise consistency
    HMAC SHA-1 Known Answer Test
    HMAC SHA-256 Known Answer Test
    KAS SP800-56A (C(2, 0, ECC CDH)) Known Answer Test
    HASH DRBG SP800-90 Known Answer Test

Self-tests may be initiated by the following means:
o Perform Diagnostic Test service
o Perform Full Diagnostics service
o Physically recycling the module's power

The status of self-tests shall be available via the Get Low Level Status service.

12 Physical Security Policy

The MAX32590 is a single chip cryptographic module which protects key material from unauthorized disclosure. The security features in the module include real time environmental monitoring (temperature, battery, voltage) and tamper detection. Triggering the environmental monitors or damaging the tamper shield results in a destructive result, which halts the processor and automatically zeroizes the internal encrypting key.
The module shall protect two types of data items:
Funds Relevant Data Items (FRDIs)
Critical Security Parameters (CSPs).

13 Mitigation of Other Attacks Policy

The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2.

14 References

The following documents are referenced by this document, are related to it, or provide background material related to it:

Financial Institution Retail Message Authentication - ANSI X9.19, 1996
Digital Signature Standard (DSA) - FIPS PUB 186-4, July, 2013
Performance Criteria for Information-Based Indicia and Security Architecture for Closed IBI Postage Metering Systems, PCIBI-C, Draft January 12, 1999
Advanced Encryption Standard (AES) FIPS PUB 197, November 26, 2001
Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001.
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, Jan 2012.
The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July 2008
Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, January 2012.
AES Key Wrap - NIST Special Publication 800-38F - December 21, 2012
International Postage Meter Approval Requirements (IPMAR) - S30 UPU Standard
Secure Hash Standard - FIPS PUB 180-4, March 2012
NIST SP 800-56A Rev 2., Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography - May 2013
Security Requirements for Cryptographic Modules - FIPS PUB 140-2, Change Notices December 3, 2002
15 Acronyms

AES | Advanced Encryption Standard
ANSI | American National Standards Institute
BBREG | Internal Battery-backed Key Register (auto zeroizable).
BRAM | Internal Battery-backed Random Access Memory
CM | Cryptographic Module
CRL | Certificate Revocation List
CSP | Critical Security Parameter
DSA | Digital Signature Algorithm
DSS | Digital Signature Standards
EFP | Environmental Failure Protection
EMC | Electromagnetic Compatibility
EMI | Electromagnetic interference
FIPS | Federal Information Processing Standards
FRDI | Funds Relevant Data Items
GMT | Greenwich Mean Time
IPMAR | International Postal Meter Approval Requirements
ISO | International Standards Organization
NVM | Nonvolatile Memory
OTP | One-Time Programmable Memory
PB | Pitney Bowes
PCN | Product Code Number
PHC | Print Head Controller
PSD | Postal Security Device
PSS | Probabilistic Signature Scheme
PVD | Postage Value Download
SDR | Signed Data Record
SDU | Software Download Utility
SHA | Secure Hash Algorithm
SKR | Signed Key Record
SRAM | Internal Random Access Memory
TDEA | Triple Data Encryption Algorithm
TDES | Triple Data Encryption Standard
UIC | User Interface Controller