Security Policy Postal Revenector Canada FRANCOTYP-POSTALIA FRANCOTYP-POSTALIA Security Policy Postal Revenector Canada Version 1.11 Hardware P/N: 58.0036.0001.00 Version 06 Firmware Version: 90.0036.0009.00/00 Francotyp-Postalia GmbH - Development Department - Clemens Heinrich Triftweg 21-26 D-16547 Birkenwerder Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA Table of Contents 1 Introduction ..............................................................................................................................3 1.1 Scope.................................................................................................................................3 1.2 Overview ............................................................................................................................3 1.3 Implementation and Cryptographic Boundary ........................................................................3 2 Security Level............................................................................................................................3 3 Security Rules ...........................................................................................................................6 3.1 FIPS 140-2 Related Security Rules ........................................................................................6 3.2 Postal Related Security Rules ...............................................................................................7 4 Self-Tests..................................................................................................................................8 5 Roles and Services ...................................................................................................................10 5.1 Cryptographic Officer and User...........................................................................................10 5.2 Operator ..........................................................................................................................11 6 Strength of Authentication ........................................................................................................13 7 Critical Security Parameters ......................................................................................................14 8 Service to CSP Access Relationship............................................................................................15 9 References ..............................................................................................................................16 Figures Figure 1-1: View of Postal Revenector Canada ....................................................................................3 Tables Table 2-1: FIPS 140-2 Security Levels ................................................................................................5 Table 4-1: Self-Tests ........................................................................................................................8 Table 4-2: Security Functions ............................................................................................................8 Table 7-1: CSPs protected by the Postal Revenector Canada ..............................................................14 Table 8-1: Modes of CSP Accesses ...................................................................................................15 Table 8-2: Service to CSP Access Relationship...................................................................................15 - page 2 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 1 Introduction 1.1 Scope This is a Cryptographic Module Security Policy for the Postal Revenector Canada as part of the FIPS 140-2 validation. This Security Policy specifies the security rules under which the Postal Revenector Canada must operate. Included in these rules are those derived from the security requirements of FIPS 140-2 and additionally, those imposed by Francotyp-Postalia. These rules, in total, define the interrelationship between · The module operators, · Module services, and · Critical security parameters (CSP) / postal relevant data items (PRDI). 1.2 Overview The Postal Revenector Canada, shown in Figure 1-1, consists of a microprocessor controlled custom circuitry which is mounted on a printed circuit board (PCB). The Postal Revenector Canada is typically used in hosting systems of Francotyp Postalia like the Postage Meter mymail, ultimail and optimail. The Postal Revenector Canada performs all of the Postage Meter cryptographic and postal security functions and protects both CSPs and PRDIs from unauthorized access. Figure 1-1: View of Postal Revenector Canada 1.3 Implementation and Cryptographic Boundary The Postal Revenector Canada is implemented as a multi-chip embedded cryptographic module defined by FIPS 140-2. The cryptographic boundary includes all hardware components, with the exception of the battery, the connector and the LEDs, located on the Postal Revenector Canada. These components are - page 3 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA excluded for manufacturing reasons. All excluded components are connected to the circuitry inside of the cryptographic boundary in such a way that: · A malfunction of these excluded components cannot cause a potential release of any critical security Parameters (CSPs), plaintext data, or other information that if misused could lead to such a compromise. · The excluded components do not process CSPs, plaintext data or other information that if misused could lead to compromised security. · The excluded components are not connected with security relevant components of the module in such a way that would allow inappropriate transfer of CSPs, plaintext data, or other information that if misused could lead to a compromise. · The excluded components do not in any way impact the equipment to which the module is connected. The circuitry contained within the cryptographic boundary is enclosed within a tamper detecting hull and potted with hard opaque potting material. These elements both protect the electronic circuitry from unauthorized access and provide tamper evidence, detection and response. All Postal Revenector Canada software/firmware is included within the cryptographic boundary. - page 4 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 2 Security Level The Postal Revenector Canada is designed to meet the FIPS 140-2 security level 3 overall as shown in Table 2-1. Table 2-1: FIPS 140-2 Security Levels Section Security Requirement Level 1 Cryptographic Module Specification 3 2 Cryptographic Module Ports and Interfaces 3 3 Roles, Services and Authentication 3 4 Finite State Model 3 5 Physical Security 3 + EFP 6 Operational Environment N/A 7 Cryptographic Key Management 3 8 Electromagnetic Interference/ Electromagnetic 3 Compatibility (EMI/IMC) 9 Self-Tests 3 10 Design Assurance 3 11 Mitigation of Other Attacks N/A - page 5 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 3 Security Rules The Postal Revenector Canada shall enforce the following security rules. These rules are separated into two categories, · Those imposed by FIPS 140-2 and, · Those imposed by Canadian Postal Corporation (CPC) through the digital meter indicia specification [1]. 3.1 FIPS 140-2 Related Security Rules 1. The Postal Revenector Canada shall support the following logically distinct interfaces sharing one physical port: · Data input interface · Data output interface · Control input interface · Status output interface · Power interface 2. The Postal Revenector Canada shall inhibit all output via the data output interface during self- tests and whenever an error state was entered. 3. The Postal Revenector Canada shall logically disconnect the output data path from the processes while performing key generation and zeroization. 4. Critical security Parameters (CSPs) are not permitted to enter the module in an unprotected form. 5. The Postal Revenector Canada shall not permit the output of critical security parameters in unprotected form. 6. The Postal Revenector Canada shall enforce identity-based authentication. 7. The Postal Revenector Canada shall support the following authorized roles: Operator, User and Cryptographic Officer. 8. The Postal Revenector Canada shall not retain authentication of an operator when it is powered- up after being powered off. 9. The Postal Revenector Canada shall not support a bypass mode. 10. The Postal Revenector Canada shall be protected using a hard opaque potting material as coating. 11. The Postal Revenector Canada shall be protected by a tamper enclosure. 12. The Postal Revenector Canada shall implement environmental failure protection for temperature and voltage. 13. The Postal Revenector Canada shall implement all software using a high-level language, except the limited use of low-level languages to enhance performance. 14. The Postal Revenector Canada shall protect critical security parameters from unauthorized disclosure, modification and substitution. 15. The Postal Revenector Canada shall provide means to ensure that a key entered into or stored within is associated with the correct entities to which the key is assigned. 16. The Postal Revenector Canada shall deny unauthorized access to plaintext secret and private keys contained within the Postal Revenector Canada. 17. The Postal Revenector Canada shall provide the capability to zeroize all critical security parameters contained within the Postal Revenector Canada. 18. The Postal Revenector Canada shall support the following FIPS approved security functions: · Triple DES Encrypt, Decrypt (ECB and CBC mode) · RSA Sign, Verify as specified in PKCS#1 · SHA-1 as specified in FIPS 180-2 · HMAC SHA-1 as specified in FIPS 198 - page 6 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA · ECDSA using domain parameters for curve NIST P-192 as specified in FIPS 186-2 19. The Postal Revenector Canada shall support the following non-approved security functions: · Diffie-Hellman key agreement as specified in ANSI X9.42 20. The Postal Revenector Canada shall support a FIPS approved pseudo random number generator (PRNG) as specified in FIPS 186-2 Appendix 3.1 21. The Postal Revenector Canada shall conform to the EMI/EMC requirements specified in FCC Part 15, Subpart B, and Class B. 22. The Postal Revenector Canada shall perform the self tests during power on and on demand listed in section 4 23. The Postal Revenector Canada shall output an error indicator via the status interface whenever an error state is entered due to a failed self-test. 24. The Postal Revenector Canada shall not perform any cryptographic functions while in an error state. 25. The Postal Revenector Canada shall not support multiple concurrent operators. 26. The Postal Revenector Canada shall only provide a FIPS mode of operation. 3.2 Postal Related Security Rules The Postal Revenector Canada shall protect the postal relevant data items (PRDIs) against unauthorized substitution or modification. 1. PRDIs are not security relevant and shall never be zeroized by the Postal Revenector Canada. 2. The Postal Revenector Canada shall comply with the specifications given in the digital meter indicia specification [1]. 3. The Postal Revenector Canada shall provide mechanisms to disable the Accounting-Service when it is not connected to its infrastructure on a regular basis. 4. The Postal Revenector Canada shall provide mechanisms to disable the Accounting-Service when it detects its physical removal from its hosting system. 5. The Postal Revenector Canada shall provide a service mode which dumps out the PRDIs even if the microprocessor is inoperable. - page 7 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 4 Self-Tests The following section lists self-tests, which are performed on power up, on demand and continuously. All FIPS approved and non-approved security functions that are used in the Postal Revenector Canada are listed, too. Table 4-1: Self-Tests Name Type Description Software firmware integrity test Persistent Power Up Try to load all persistent objects from NVRAM into RAM to check data whether their contents, sizes and checksums are correct. consistency System Power Up Check internal system exceptions (tamper event, battery power Exceptions alarm, NVRAM power fail) Software Power Up & On Check CRC16 of internal system software integrity test Demand Critical function test Register Power Up & on Check the consistency of the postal registers. consistency Demand & test continuously The function is called continuously before each register manipulation as a precondition of the following manipulation (finance function). Big Number Power Up & on Checks the import/export functionality for big numbers using function test demand known values Cryptographic algorithm test Security Power Up (except For details see Table 4-2. Function statistical PRNG) & tests and on Demand Table 4-2: Security Functions Security Approved SF Type of self-test Conditional test Function (SF) TDES Yes, NIST KAT of all modes on power up and Odd parity and weak key certificate #391 on demand. check. - page 8 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA Security Approved SF Type of self-test Conditional test Function (SF) SHA-1 Yes, NIST KAT on power up and on demand. None. certificate #400 RSA Yes, NIST Known answer test (KAT) on power On key generation: certificate #109 up and on demand. See FIPS 140-2 section 4.9.2 pair wise consistency test 3. ECDSA, NIST P- Yes, NIST KAT of all modes on power up and On key generation 192 certificate #20 on demand. Diffie-Hellman No. KAT on power up and on demand. On key generation: Key Agreement Implementation See FIPS 140-2 section according to ANSI 4.9.2 pair wise X9.42 consistency test 2. HMAC Yes, NIST KAT on power up and on demand. None certificate #132 PRNG Yes, NIST KAT on power up and on demand. On usage: certificate #148 See FIPS 140-2 section 4.9.2 Continuous RNG test 1. - page 9 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 5 Roles and Services The Postal Revenector Canada shall support three distinct roles. These roles are: · Cryptographic Officer · User · Operator All services which do not read, update, modify or generate critical security parameters (CSPs) do not require authentication. These are the following Services: Echo This service receives arbitrary bytes and returns a copy of them back to the sender. Reboot Device This service reboots the module. Get Status This service requests status output (e.g., PRDIs and self-test result). Invalidate Software This service invalidates the loaded FIPS 140-2 validated software. During the next start-up of the device the device enters the FIPS approved Revenector mode (see. FIPS 140-2 Validation Certificate 361). In the Revenector mode the Postal Revenector Canada firmware can be updated according to the rules of the Revenector mode. Creation This service enters initial postal parameters (PRDIs). Scrap This service explicitly zeroizes all CSPs and sets the module out of operation. Self-Test The service runs the self tests and returns the result. Setup Parameters This service allows entering parameters used by other services. Get Log Information This service requests status (logged events). Lock Out This service explicitly disables the Accounting-Service until the PVD- Service was performed successfully. Reset HS-Loop This service re-enables the Accounting-Service after being moved between host systems Get Certificate This service requests status (stored certificates of public keys) 5.1 Cryptographic Officer and User The Cryptographic Officer is authenticated using an identity based authentication method. This method is based on two pairs of asymmetric keys and distinguished names. The public parts and distinguished names are known to each other party. The Postal Revenector Canada and the Cryptographic Officer are able to identify and authenticate themselves by verifying the exchanged distinguished name and signature of each other. In addition the Diffie-Hellman key agreement protocol can be used to agree on secret keys for further key encryption and continuous authentication of data exchange. The User is also authenticated using an identity based authentication method. This method is based on two pairs of asymmetric keys and distinguished names. The public parts and distinguished names are known to each other party. The Postal Revenector Canada and the User are able to identify and authenticate themselves by verifying the exchanged distinguished name and signature of each other. In addition the Diffie-Hellman key agreement protocol can be used to agree on secret keys for further key encryption and continuous authentication of data exchange. - page 10 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA The Cryptographic Officer and User Role shall provide those services necessary to initialize, authorize and validate the Postal Revenector Canada. Furthermore these roles apply to all services that enter, modify or generate critical security parameters. The Francotyp Postalia Infrastructure Server assumes the Cryptographic Officer and User roles. The following services are provided in these roles and require authentication: Remote Login This service carries out the Cryptographic Officer authorization process. The subsequently listed services demand an authorized connection established beforehand. Enter PKM This service enters the country specific infrastructure certificate. PKM stands Certificate for Public Key Management. The country specific infrastructure certificate is typically abbreviated as PKM certificate. Initialization This service performs the postal Initialization-Function as specified by the postal authority (setup of PRDIs). It initially prepares the Postal Revenector Canada for operation in a Host System. Authorization This service performs the postal Authorization-Function as specified by the postal authority (setup of PRDIs). It prepares the Postal Revenector Canada for operation at a customer site by entering customer specific PRDIs and disables the Authorization-Service. Postage Value This service audits the PRDIs of the module and on success downloads Download postage from the country specific infrastructure. Postage Value This service audits the PRDIs of the module and on success refunds the Refund remaining postage of the module back to the country specific infrastructure. Re-Initialization This service changes the internal lifecycle state of the module (PRDI). It re- enables the module for another postal Authorization-Function. Re-Authorize This service updates postal parameters in the security device (registration postal code and province). Renew PKM This service re-enters the country specific infrastructure certificate. Certificate Reenter FP-MAC This service enters the FP-MAC Verification Key in encrypted format. Key Rekey PSD1 Key This service re-keys the Postal Revenector Canada Key inside of the module. Secure Echo This service is used for authenticated testing purposes. Secure Get Status This service requests authenticated status output. Secure Set Time This service updates the internal time in the security device. Secure Set This service updates postal parameters in the security device (minimum and Parameter maximum accounting amount) 5.2 Operator The Operator performs services on behalf-of the User and Cryptographic Officer role. The Operator is the end user of the postal meter that shall perform postal related services. 1 PSD is the abbreviation for Postal Security Device. The term PSD is typically used by the postal authorities. - page 11 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA The following services are provided to the Operator Role: Account Administration This service supports customer privilege levels to access postal specific services as listed below. Accounting This service requests to perform postal indicia creation by modifying the PRDIs in accordance to the requirements of the postal authority. Redate This service requests to perform postal indicia creation without modifying the PRDIs in accordance to the requirements of the postal authority. Verify MAC This service performs verification of data which was provided to the module. - page 12 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 6 Strength of Authentication To meet the requirements for strength of authentication, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur. This requirement is met by the above-specified authentication methods as follows: The size of the RSA key used to authenticate each role is at least 1024 bits. For multiple attempts to use the authentication mechanism during a one-minute period the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. In order to satisfy this requirement, the module must enforce a limit of 1667 attempts per second or a minimum time delay of 0,6 ms between two attempts. This time is granted by the implementation by a time delay of 0,6 ms after a false attempt. - page 13 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 7 Critical Security Parameters The Postal Revenector Canada protects several critical security parameters described in Table 7-1. Table 7-1: CSPs protected by the Postal Revenector Canada Name Abbr. Type of Key Purpose PSD1 Transport Signing TSK 1024 bit RSA key Serves to properly recognize devices of type Postal (private) Key Revenector Canada after they have been shipped to their destination country and establish initial secure session (Crypto Officer Login) to upload the first PSD1 Key certificate. PSD1 Signing (private) PSK 1024 bit RSA key Serves to setup regular secure sessions (Crypto Key Officer Login) for communication between the Postal Revenector Canada and the FP Data Center. MAC Verification Key MVK 112 bit TDES key Serves to derive a Record Verification Key. Ephemeral Diffie- EDH 2048 bit DH key Serves to derive session keys for the Cryptographic Hellman agreement Officer (secure session) Session Authentication SAK 160 bit HMAC SHA-1 Serves to authenticate data during a secure session. Key key Session Encryption Key SEK 112 bit TDES key Serves to encrypt and decrypt data during a secure session. State of Pseudo Random RNGS N/A Internal state of the Pseudo RNG. The value is Number Generator changed by every random generation of the Postal Revenector Canada. Indicia Signing Key ISK 192 bit ECDSA key Used as specified in the postal specification [1]. (NIST P-192) Security Code Secret SCS 160 bit HMAC-SHA-1 Serves to derive the human readable security code in key the indicia. - page 14 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 8 Service to CSP Access Relationship The Postal Revenector Canada distinguishes between the following modes of access: Table 8-1: Modes of CSP Accesses Mode Description I The CSP will be initialized U The CSP will be internally used (optional on demand) M The CSP will be modified and written E The CSP will be entered G The CSP will be generated Z The CSP will be zeroized D The CSP will be derived using other CSPs Table 8-2 shows the authorized service in relation to the modes of access of critical security parameters. Table 8-2: Service to CSP Access Relationship CSP User Role Operator CO Role Authorized RNGS MVK EDH Service SAK PSK SEK TSK SCS ISK R l Renew PKM Certificate U x Enter PKM Certificate x Secure Echo U U x Secure Set Time U x Secure Set Parameter U U x Postage Value Download G,M G,M U U M x Postage Value Refund U U x Reenter FP-MAC Key M U U x Re-key PSD1 Key M,U U M x Initialization U G,U E U U M x Authorization U U x Re-Initialization U U x Re-Authorize U U x Accounting U U M x Redate U U M x Verify MAC U x Get Secure Status U U x Scrap Z Z Z Z Z Z x x x Remote Login U D,G,U D D M x Logoff Z Z Z x x x - page 15 of 16 - Version 1.111 NON-CONFIDENTIAL Postal Revenector Canada Security Policy FRANCOTYP-POSTALIA 9 References [1] Digital Meter Indicia Specification, Canada Post Specification 3457, V1.2, 2003 - page 16 of 16 - Version 1.111 NON-CONFIDENTIAL