Security Policy Postal Revenector FRANCOTYP-POSTALIA FRANCOTYP-POSTALIA Security Policy Postal Revenector Version 1.11 NON-CONFIDENTIAL Francotyp-Postalia GmbH - Development Department - PSD Team Triftweg 21-26 D-16547 Birkenwerder Postal Revenector Security Policy FRANCOTYP-POSTALIA Table of Contents 1 Introduction ..............................................................................................................................3 1.1 Scope.................................................................................................................................3 1.2 Overview ............................................................................................................................3 1.3 Implementation and Cryptographic Boundary ........................................................................3 2 Security Level............................................................................................................................5 3 Security Rules ...........................................................................................................................6 3.1 FIPS 140-2 Related Security Rules ........................................................................................6 3.2 USPS Related Security Rules ................................................................................................7 4 Self Tests..................................................................................................................................8 5 Roles and Services ...................................................................................................................10 5.1 Cryptographic Officer and User...........................................................................................10 5.2 Operator ..........................................................................................................................11 6 Strength of Authentication ........................................................................................................12 7 Critical Security Parameters ......................................................................................................13 8 Service to CSP Access Relationship............................................................................................14 Figures Figure 1-1: View of Postal Revenector ................................................................................................3 Tables Table 2-1: FIPS 140-2 Security Levels ................................................................................................5 Table 4-1: Self-Tests ........................................................................................................................8 Table 4-2: Security Functions ............................................................................................................8 Table 7-1: CSPs protected by the Postal Revenector..........................................................................13 Table 8-1: Modes of CSP Accesses ...................................................................................................14 Table 8-2: Service to CSP Access Relationship...................................................................................14 - page 2 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 1 Introduction 1.1 Scope This is a Cryptographic Module Security Policy for the Francotyp Postalia Postal Revenector. It was written for the purpose of a FIPS 140-2 validation of the Postal Revenector. This Security Policy specifies the security rules under which the Postal Revenector must operate. Included in these rules are those derived from the security requirements of FIPS 140-2 and additionally, those imposed by Francotyp Postalia. These rules, in total, define the interrelationship between · The module operators, · Module services, and · Critical security parameters (CSPs) / postal relevant data items (PRDIs). 1.2 Overview The Postal Revenector, shown in Figure 1-1, consists of a microprocessor controlled custom circuitry which is mounted on a printed circuit board (PCB). The Postal Revenector is typically used in hosting systems of Francotyp Postalia like the Postage Meter MyMail,UltiMail and OptiMail-30. The Postal Revenector performs all of the Postage Meter cryptographic and postal security functions and protects the CSPs and PRDIs from unauthorized access. Figure 1-1: View of Postal Revenector 1.3 Implementation and Cryptographic Boundary The Postal Revenector is implemented as a multi-chip embedded cryptographic module defined by FIPS 140-2. The cryptographic boundary includes all hardware components, with the exception of the battery, - page 3 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA the connector and the LEDs, located on the Postal Revenector. These components are excluded for manufacturing reasons. All excluded components are connected to the circuitry inside of the cryptographic boundary in such a way that: · A malfunction of these excluded components cannot cause a potential release of any critical security Parameters (CSPs), plaintext data, or other information that if misused could lead to such a compromise. · The excluded components do not process CSPs, plaintext data or other information that if misused could lead to compromised security. · The excluded components are not connected with security relevant components of the module in such a way that would allow inappropriate transfer of CSPs, plaintext data, or other information that if misused could lead to a compromise. · The excluded components do not in any way impact the equipment to which the module is connected. The circuitry contained within the cryptographic boundary is enclosed within a tamper detecting hull and potted with hard opaque potting material. These elements both protect the electronic circuitry from unauthorized access and provide tamper evidence, detection and response. All Postal Revenector software/firmware is included within the cryptographic boundary. The hardware configuration is identified under58.0036.0001.00/ 06. The version of Postal Revenector firmware is: 90.0036.0006.00/03. - page 4 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 2 Security Level The Postal Revenector is designed to meet the FIPS 140-2 security level 3 overall as shown in Table 2-1. Table 2-1: FIPS 140-2 Security Levels Section Security Requirement Level 1 Cryptographic Module Specification 3 2 Cryptographic Module Ports and Interfaces 3 3 Roles, Services and Authentication 3 4 Finite State Model 3 5 Physical Security 3 + EFP 6 Operational Environment N/A 7 Cryptographic Key Management 3 8 Electromagnetic Interference/ Electromagnetic 3 Compatibility (EMI/IMC) 9 Self-Tests 3 10 Design Assurance 3 11 Mitigation of Other Attacks N/A - page 5 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 3 Security Rules The Postal Revenector shall enforce the following security rules. These rules are separated into two categories, · Those imposed by FIPS 140-2 and, · Those imposed by the United States Postal Service also referred to as USPS 3.1 FIPS 140-2 Related Security Rules 1. The Postal Revenector shall support the following logically distinct interfaces sharing one physical port: · Data input interface · Data output interface · Control input interface · Status output interface · Power interface 2. The Postal Revenector shall inhibit all output via the data output interface during self-tests and whenever an error state was entered. 3. The Postal Revenector shall logically disconnect the output data path from the processes while performing key generation and zeroization. 4. Critical security Parameters (CSPs) are not permitted to enter the module in an unprotected form. 5. The Postal Revenector shall not permit the output of critical security parameters. 6. The Postal Revenector shall enforce Identity-based authentication. 7. The Postal Revenector shall support the following authorized roles: Operator, User and Cryptographic Officer. 8. The Postal Revenector shall not retain authentication of an operator when it is powered-up after being powered off. 9. The Postal Revenector shall not support a bypass mode. 10. The Postal Revenector shall be protected using a hard opaque potting material as coating. 11. The Postal Revenector shall be protected by a tamper enclosure. 12. The Postal Revenector shall implement environmental failure protection for temperature and voltage. 13. The Postal Revenector shall implement all software using a high-level language, except the limited use of low-level languages to enhance performance. 14. The Postal Revenector shall protect critical security parameters from unauthorized disclosure, modification and substitution. 15. The Postal Revenector shall provide means to ensure that a key entered into or stored within is associated with the correct entities to which the key is assigned. 16. The Postal Revenector shall deny unauthorized access to plaintext secret and private keys contained within the Postal Revenector. 17. The Postal Revenector shall provide the capability to zeroize all critical security parameters contained within the Postal Revenector. 18. The Postal Revenector shall support the following FIPS approved security functions: · Triple DES Encrypt, Decrypt (ECB and CBC mode) · ECDSA Sign, Verify as specified in ANSI X9.62 · RSA Sign, Verify as specified in PKCS#1 · SHA-1 as specified in FIPS 180-2 · HMAC SHA-1 as specified in FIPS 198 19. The Postal Revenector shall support the following non-approved security functions: - page 6 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA · Diffie-Hellman key agreement as specified in ANSI X9.42 20. The Postal Revenector shall support a FIPS approved pseudo random number generator (PRNG) as specified in FIPS 186-2 Appendix 3.1 21. The Postal Revenector shall conform to the EMI/EMC requirements specified in FCC Part 15, Subpart B, Class B. 22. The Postal Revenector shall perform the self tests during power on and on demand listed in section 4 23. The Postal Revenector shall output an error indicator via the status interface whenever an error state is entered due to a failed self-test. 24. The Postal Revenector shall not perform any cryptographic functions while in an error state. 25. The Postal Revenector shall not support multiple concurrent operators. 26. The Postal Revenector shall only provide a FIPS mode of operation. 3.2 USPS Related Security Rules 1. The Postal Revenector shall protect the postal relevant data items (PRDIs) against unauthorized substitution or modification. 2. PRDIs are not security relevant and shall never be zeroized by the Postal Revenector. 3. The Postal Revenector shall comply to the specifications given in the Information Bases Indicia Program of the United States Postal Services. 4. The Postal Revenector shall provide mechanisms to disable the Accounting-Service when it is not connected to its infrastructure on a regular basis. 5. The Postal Revenector shall provide mechanisms to disable the Accounting-Service when it detects its physical removal from its hosting system. 6. The Postal Revenector shall provide a service mode which dumps out the PRDIs even if the microprocessor is inoperable. - page 7 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 4 Self Tests The following section lists the self tests which are performed on power up, on demand and continuously. All FIPS approved and non-approved security functions which are used in the Postal Revenector are listed, too. Table 4-1: Self-Tests Name Type Description Software firmware integrity test Persistent Power Up Try to load all persistent objects from NVRAM into RAM to data check whether their contents, sizes and checksums are consistency correct. System Power Up Check internal system exceptions (tamper event, battery Exceptions power alarm, NVRAM power fail) Software Power Up & On Check CRC16 of internal system software integrity test Demand Critical function test Register Power Up & on Check consistence of the postal registers. consistency Demand & test continuously The function is called continuously before each register manipulation as a precondition of the following manipulation (finance function). Big Number Power Up & on Checks the import/export functionality for big numbers function test demand using known values Cryptographic algorithm test Security Power Up (except For details see Table 4-2. Function statistical PRNG) & tests and on Demand Table 4-2: Security Functions Security Approved SF Type of self-test Conditional test Function (SF) TDES Yes, NIST KAT of all modes on power Odd parity and weak Certificate #391. up and on demand. key check. SHA-1 Yes, NIST KAT on power up and on None. Certificate #400. demand. - page 8 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA Security Approved SF Type of self-test Conditional test Function (SF) RSA Yes, NIST Known answer test (KAT) On key generation: Certificate #109. on power up and on demand. see FIPS 140-2 section Implementation 4.9.2 Pairwise according to consistency test 2. PKCS#1 Diffie No. KAT on power up and on On key generation: Hellman demand. Implementation Key see FIPS 140-2 section according to ANSI Agreement 4.9.2 Pairwise X9.42 consistency test 2. HMAC Yes, NIST KAT on power up and on None Certificate #132. demand. Implementation according to FIPS 198. ECDSA Yes, NIST KAT on power up and on On key generation: Certificate #19. demand. see FIPS 140-2 section Implementation 4.9.2 Pairwise according to ANSI consistency test 2. X9.62 PRNG Yes, NIST KAT on power up and on On usage: Certificate #148. demand. see FIPS 140-2 section Implementation 4.9.2 Continuous RNG according to FIPS test 1. 186-2 Appendix 3.1 - page 9 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 5 Roles and Services The Postal Revenector shall support three distinct roles. These roles are: · Cryptographic Officer · User · Operator All services which do not read, update, modify or generate critical security parameters (CSPs) do not require authentication. These are the following Services: Echo This service receives arbitrary bytes and returns a copy of them back to the sender. Reboot Device This service reboots the module. Get Status This service requests status output (e.g. : PRDIs and selftest result). Invalidate Software This service invalidates the loaded FIPS 140-2 validated software. Creation This service enters initial postal parameters (PRDIs). Scrap This service explicitly zeroizes all CSPs and sets the module out of operation. Self-Test The service runs the self tests and returns the result . Setup Parameters This service allows to enter parameters used by other services. Get Log Information This service requests status (logged events). Lock Out This service explicitly disables the Accounting-Service until the PVD- Service was performed successfully. Reset HS-Loop This service re-enables the Accounting-Service after being moved between host systems Get Certificate This service requests status (stored certificates of public keys) 5.1 Cryptographic Officer and User The Cryptographic Officer and the User are authenticated using an identity based authentication method. This method is based on two pairs of asymmetric keys and distinguished names. The public parts and distinguished names are known to each other party. The Postal Revenector and the Cryptographic Officer are able to identify and authenticate themselves by verifying the exchanged distinguished name and signature of each other. In addition the Diffie-Hellman key agreement protocol can be used to agree secret keys for further key encryption and continuous authentication of data exchange. The Cryptographic Officer and User Role shall provide those services necessary to initialize, authorize and validate the Postal Revenector. Furthermore these roles provide all services which enter, modify or generate critical security parameters. The Francotyp Postalia Infrastructure Server typically acts on behalf of a Cryptographic Officer and the User. The following services are provided in these roles and require authentication: Remote Login This service carries out the Cryptographic Officer authorization process. The subsequently listed services demand an authorized connection established beforehand. Enter PKM Certificate This service enters the country specific infrastructure certificate. PKM stands for Public Key Management. The country specific infrastructure certificate is typically abbreviated as PKM certificate. Renew PKM Certificate This service re-enters the country specific infrastructure certificate. Secure Echo This service is used for authenticated testing purposes. Postage Value Download (PVD) This service audits the PRDIs of the module and on success - page 10 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA downloads postage from the country specific infrastructure. Postage Value Refund (PVR) This service audits the PRDIs of the module and on success refunds the remaining postage of the module back to the country specific infrastructure and deletes all customer specific PRDIs and zeroizes all customer specific CSPs. Reenter FP-MAC Key This service enters the FP-MAC Verification Key in encrypted format. Rekey PSD1 Key This service rekeys the Postal Revenector Key inside of the module. Rekey Indicia Key This service rekeys the Postal Revenector Indicia Key inside of the module. Initialization This service performs the postal Initialization-Function as specified by the postal authority (setup of PRDIs). It initially prepares the Postal Revenector for operation in a Host System. Authorization This service performs the postal Authorization-Function as specified by the postal authority (setup of PRDIs). It prepares the Postal Revenector for operation at a customer specific site by entering customer specific PRDIs and disables the Authorization-Service. Re-Initialization This service changes the internal lifecycle state of the module (PRDI). It re-enables the module for another postal Authorization- Function. Re-Authorization This service supports modifying customer specific PRDIs. Get Secure Status This service requests authenticated status output. Logoff This service finishes the Cryptographic Officer authorization process. 5.2 Operator The Operator is authenticated on-behalf-off the User and Cryptographic Officer role. The Operator is the end user of the postal meter that shall perform postal related services. The Operator Role shall provide the following services: Account Administration This service supports customer privilege levels to access postal specific services as listed below. Accounting This service requests to perform postal indicium creation by modifying the PRDIs in accordance to the requirements of the postal authority and sign several PRDIs to give evidence of the successfully performed operation. Verify MAC This service performs verification of data which was provided to the module. 1 PSD is the abbreviation for Postal Security Device. The word PSD is typically used by the postal authorities. - page 11 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 6 Strength of Authentication To meet the requirements for strength of authentication, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur. This requirement is met by the above-specified authentication methods as follows: The size of the key used to authenticate each role is 1024 bits. For multiple attempts to use the authentication mechanism during a one-minute period, the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. This requirement equals with 1667 attempts per second or a minimum time delay of 0,6 ms between two attempts. This time is granted by the implementation by a time delay of 0,6 ms after a false attempt. - page 12 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 7 Critical Security Parameters The Postal Revenector protects several critical security parameters described in Table 7-1. Table 7-1: CSPs protected by the Postal Revenector Name Abbreviation Type of Key Purpose PSD1 Transport Signing TSK 1024 bit RSA key Serves to properly recognize Postal (private) Key Revenectors after they have been shipped to their final country and establish initial secure session (Crypto Officer Login) to upload the first PSD1 Key certificate. PSD1 Signing (private) PSK 1024 bit RSA key Serves to setup regular secure sessions Key (Crypto Officer Login) for communication between the Postal Revenector and the FP Data Center. Indicia Signing (private) ISK 163 bit ECDSA Serves to sign the indicia printed by the Host Key key System. MAC Verification Key MVK 112 bit TDES key Serves to derive a Record Verification Key. Ephemeral Diffie- EDH 2048 bit DH key Serves to derive session keys for the Hellman agreement Cryptographic Officer (secure session) Session Authentication SAK 160 bit HMAC Serves to authenticate data during a secure Key SHA-1 key session. Session Encryption Key SEK 112 bit TDES key Serves to encrypt and decrypt data during a secure session. State of Pseudo RNGS N/A Internal state of the Pseudo RNG. The value Random Number is changed by every random generation of Generator the Postal Revenector. - page 13 of 14 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Security Policy FRANCOTYP-POSTALIA 8 Service to CSP Access Relationship The Postal Revenector distinguishes between the following modes of access: Table 8-1: Modes of CSP Accesses Mode Description I The CSP will be initialized U The CSP will be internally used (optional on demand) M The CSP will be modified and written E The CSP will be entered G The CSP will be generated Z The CSP will be zeroized D The CSP will be derived using other CSPs Table 8-2: Service to CSP Access Relationship CSP User-Role Operator CO-Role Authorized RNGS Service MVK EDH SAK PSK SEK TSK ISK R l Renew PKM Certificate U U x x Enter PKM Certificate x x Secure Echo U U U x x Postage Value Download U U U x x Postage Value Refund U U U x x Reenter FP-MAC Key U M U U x x Re-key PSD1 Key U,M U M x x Re-key Indicia Key U U,M U M x x Initialization U U,G E U U M x x Authorization U U,G U M x x Re-Initialization U U x x Re-Authorization U U x x Accounting U M x Verify MAC U x Get Secure Status U x x Scrap Z Z Z Z x x x Remote Login D,U,Z D D M x x Logoff Z Z x x - page 14 of 14 - Version 1.111 NON-CONFIDENTIAL