Britestream nCipher Asymmetric Module TM CI PHE R Britestream - nCipher Date: 30 June 2006 Version: 1.0.2 © Copyright 2006 Britestream Networks, Inc. All Rights Reserved. © Copyright 2006 BriteStream Networks, Austin Texas and nCipher Corporation Limited, Cambridge, United Kingdom. Reproduction is authorised provided the document is copied in its entirety without modification and including this copyright notice. Britestream Networks and the Britestream Networks logo are trademarks of Britestream Networks, Inc. nCipherTM, nForceTM, nShieldTM, nCoreTM, KeySafeTM, CipherToolsTM, CodeSafeTM, SEETM and the SEE logo are trademarks of nCipher Corporation Limited. nFast® and the nCipher logo are registered trademarks of nCipher Corporation Limited. All other trademarks are the property of the respective trademark holders. WARRANTY DISCLAIMER. THE INFORMATION CONTAINED HEREIN,IS PROVIDED "AS IS, " WITHOUT ANY WARRANTY OF ANY KIND. Because some jurisdictions do not allow disclaimers of warranty, the above limitations may not apply to you. LIMITATION OF LIABILITY. IN NO EVENT SHALL BRITESTREAM BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES OF ANY KIND, HOWEVER CAUSED, ON ANY THEORY OF LIABILITY, BASED ON A WARRANTY OR OTHERWISE, EVEN IF BRITESTREAM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Because some jurisdictions do not allow the exclusion or limitation of liability, the above limitations may not apply to you. nCipher Corporation Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness to a particular purpose. nCipher Corporation Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material. Patents: U.S. Patents: 6,738,874; 6,910,095 and pending patent applications UK Patent GB9714757.3. Corresponding patents/applications in USA, Canada, South Africa, Japan and International Patent Application PCT/GB98/00142. TM CI PHER Contents Chapter 1: Britestream nCipher Asymmetric Module 4 Implementation 6 Ports and interfaces 7 Roles 8 Services 9 Keys 15 Rules 18 Self tests 19 Delivery and operation 20 Physical security 22 Strength of functions 23 Algorithms 24 Britestream nCipher Asymmetric Module security policy: v1.0.2 3 4 Britestream nCipher Asymmetric Module security policy: v1.0.2 Interface Control Long-term keys Asymmetric Module Britestream nCipher TCP/IP TCP/IP application PLAINTEXT TLS Proxy server Client TCP/IP stack Server TCP/IP stack Ephemeral keys Britestream Symmetric Module :margaid gniwollof eht ni nwohs sa dedivid yllacigol ,syek cirtemmys laremehpe rof eludo M cirtemmyS maertsetirB 1 level 2-041 SPIF eht dna syek cirtemmysa mret gnol rof eludoM cirtemmysA rehpiCn maertsetirB eludom level 2-041 SPIF ehT .seludom cihpargotpyrc etarapes owt sesu 0102NB eht no revres yxorp ehT .cte ,sYHP tenrehte ,yromem gnidulcni ,stnenopmoc lanoitidda fo rebmun llams a seriuqer pihc sihT .erawdrah detacided sulp seroc rossecorp elpitlum sah hcihw - pihc 0102N B maertsetirB eht - pihc elgnis a no tnediser yllacisyhp era revres yxorp eht fo stnenopmoc niam ehT .sdeeps enil lluf ta noitacinummoc tenretni eruces gnireviled retupmoc tsoh eht morf gnissecorp SLT eht daol ffo yletelpmoc sdrac esehT .trop etarapes yllacisyhp a no noitacinummoc PI/PCT txet nialp dna trop tenrehte eno no noitacinummoc PI/PCT eruces htiw ,srevres yxorp SLT sa tca taht sdrac ICP era sdrac 0521NB maertsetirB ro artlU ecroFn rehpiCn ehT .maertsetirB dna rehpiCn yb depoleved-oc stcudorp artlU ecroFn rehpiCn eht ro 0521NB maertsetirB eht fo trap smrof 2.0.1 noisrev eludoM cirtemmysA rehpi Cn maertsetirB ehT Britestream nCipher Asymmetric Module CI PHER TM 5 Britestream nCipher Asymmetric Module security policy: v1.0.2 .eludoM cirtemmyS maertsetirB eht rof ycilop ytiruces eht ni liated ni debircsed era sdnammoc esehT .eludom siht aiv deretne era yeht sa ­ ycilop ytiruces siht ni detsil era eludoM cirtemmyS maertsetirB eht rof sdnammoc ehT .pihc eht fo stnenopmoc rehto eht ot sdnammoc eseht sdrawrof eludoM cirtemmysA rehpiCn maertsetirB ehT .ecafretni lortnoc sti ta sdnammoc retne neht dna eludoM cirtemmysA rehpiCn maertsetirB eht otni gol tsrif tsum rotarepo na stnenopmoc eseht erugifnoc ot redro nI .eludoM cirtemmysA rehpiCn maertsetirB fo ecafretni lortnoc eht aiv deretne era 0102B eht fo snoitrop cihpargotpyrc-non eht rof dna .eludoM cirtemmyS maertsetirB eht rof sdnammoc noitarugifnoc llA .eludo M cirtemmysA rehpiCn maertsetirB eht hguorht seog rotarepo eht morf noitacinummoc llA .eludoM cirtemmyS maertsetirB eht rof resu rotartsinimda eht sa stca eludoM cirtemmysA rehpi Cn maertsetirB ehT .noitarepo cihpargotpyrc cirtemmys fo sliated rof ,### etacifitrec 2-041 SPIF ,eludom taht rof ycilop ytiruces eht ot refeR .eludoM cirtemmyS maertsetirB eht rof noitadilav 1 level 2-041 SPIF etarapes a si erehT .ylno eludoM cirtemmysA rehpiCn maertsetirB eht rof si noitadilav sihT etoN Britestream - nCipher 6 Britestream nCipher Asymmetric Module security policy: v1.0.2 .0.0.1 41000-016 noisrev erawmriF · 00.a 70000-010 noisrev erawdraH · :srebmun noisrev gniwollof eht sah eludoM cirtemmysA rehpiCn maertsetirB ehT .yletarapes detadilav si hcihw eludoM cirtemmyS maertsetirB eht mrof neerg ni stnenopmoc eht dna srossecorp rehto eht ,eludo M cirtemmysA rehpiCn maertsetirB eht yb desu si - CRA tnemeganam eht - rossecorp eno ylnO .srossecorp CRA lareves sniatnoc - eulb rekrad eht ni nwohs - pihc 0102NB ehT bridge (Server) (Client) Ethernet to PCI Ethernet Phy Ethernet Phy MiniHSM RJ45 components Power port Serial Phy (Mgt) Ethernet SRAM U34 BN2010 Flash Boundary Potting switch FPGA DIP CPLD DDR Socket PCI board layout Figure 1 .eulb ni dethgilhgih yradnuob gnittop eht dna eludoM cirtemmysA rehpiCn maertsetirB eht mrof taht stnenopmoc eht htiw drac 0521NB maertsetirB ro artlU ecroFn rehpiCn eht swohs margaid gniwollof ehT .locotorp SLT eht fo trap sa snoitarepo yek cirtemmysa sedivorp tI .yromem MARS dna yromem hsalf ,pihc 0102NB eht no rossecorp CR A tnemeganam eht fo stsisnoc hcihw ,2-041 SPIF ni denifed sa eludom pihc-itlum deddebme na si eludoM cirtemmysA rehpiCn maertsetir B ehT Implementation Implementation Britestream - nCipher 7 Britestream nCipher Asymmetric Module security policy: v1.0.2 .sehctiws PID eht fo eno ot detcennoc si nip sihT .V5 ot detcennoc nip etats yrotcaf eht htiw pihc eht gnitrats yb etats yrotcaf ot teser eb nac eludom ehT .drac ICP eht fo ecaf eht no nottub hsup a ot detcennoc si nip sihT .nip teser eht gnisu teser eb nac pihc ehT .resu rotartsinimda eht yb tes si gnituor sihT .trop PI/PCT revres eht ot revres yxorp eht hguorht ro ,trop tnemeganam eht ot detuor eb nac noitamrofni sutatS .sehctiws PID yb dellortnoc si sihT .tpurroc si erawmrif dedaol eht erehw sesac ni erawmrif wen da ot desu ylno si trop laires ehT .asrev eciv dna delbasid si ecafretni PI/PCT eht delbane si trop laires eht fI .tuo sutats rof ylelos eno dna tuo sutats dna ni sdnammoc rof eno ,ecafretni PI/P CT a no strop lacigol etarapes owt ot stcennoc 2 sub lanretni ehT .pihc 0102NB eht nihtiw cra PPS eht ot stcennoc 1 sub lanretni ehT snip rewoP Power In: 2 & 1 sesub lanretnI Status Out: nip etats yrotcaf ,nip teser ,trop laires ,2 sub lanretnI Command In: 1 sub lanretnI Data out: 1 sub lanretnI Data in: Logical Port Physical Port :strop gniwollof eht sah eludom ehT Ports and interfaces Ports and interfaces Britestream - nCipher 8 Britestream nCipher Asymmetric Module security policy: v1.0.2 .lairetam yek etavirp ot ssecca on sah ti - xedni yb syek ot srefer elor resu ehT .snoitarepo yfirev dna ngis etaitini nac elor resu SLT ehT .resu SLT devorppa na sa noitacilppa eht smrifnoc erutangis ASR a fo noitacifirev s'eludom ehT .lennahc lanretni detacided eht no edam era ,elor resu SLT eht aiv ,eludom eht ot snoitcennoC .erutangis latigid ASR a htiw noitacilppa resu SLT eht gnitacitnehtua yb demussa si elor resu SLT ehT TLS user role .segassem sutats niatbo dna revres yek a morf syek daol ,revres yek a ot snoitcennoc etaitini ,revres yek a ot snoitcennoc erugifnoc ,pihc ytiruces SLT eht no snoitcnuf cihpargotpyrc -non erugifnoc ,eludom eht erugifnoc nac elor noitartsinimdA roinuJ ehT .sdrowssap egnahc tonnac segelivirp rotartsinimda roinuj htiw resu A .esarhp ssap rieht pu tes sah resu rotartsinimda eht litnu tcennoc tonnac rotartsinimda roinuj A .egelivirp rotartsinimda roinuj htiw resu a rof drowssap dna di resu a ylppus dna trop tnemeganam lanretxe eht no tcennoc tsum uoy elor noitartsinimdA roinuJ eht ni tcennoc oT Junior administration role .segassem sutats niatbo dna revres yek a morf syek daol ,revres yek a ot snoitcennoc etaitini ,revres yek a ot snoitcennoc erugifnoc ,pihc ytiruces SLT eht no snoitcnuf cihpargotpyrc-non erugifnoc ,eludom eht erugifnoc nac elor noitartsinimdA ehT .resu rotartsinimda roinuj dna rotartsinimda eht rof drowssap eht egnahc nac rotartsinimda ehT .segelivirp rotartsinimda htiw resu a rof drowssap dna di resu a ylppus dna trop tnemeganam lanretxe eht no tcennoc tsum uoy elor noitartsinimdA eht ni tcennoc oT Administration role .selor gniwollof eht stroppus eludom ehT Roles Roles Britestream - nCipher Britestream - nCipher Services Services desu era smret gniwollof eht ,elbaliava secivres eht fo noitpircsed gniwollof eht nI .sretemarap ytiruces lacitirc ot ssecca ebircsed ot Key access Description Create Creates a in-memory object, but does not reveal value. Erases the object from memory, smart card or non-volatile memory without Erase revealing value Export Discloses a value, but does not allow value to be changed. Generates a new value for a CSP and writes this value in the same location as Regenerate the existing value, thus erasing the original values; this operation does not reveal either the new or the old value. Set Changes a CSP to a given value Performs an operation with an existing CSP - without revealing or changing Use the CSP Unauthenticated commands on evah yehT .noitacitnehtua tuohtiw elbaliava era sdnammoc gniwollof ehT .sPSC ro syeK ot ssecca Service Description Opens a connection to a specific module identified by IP connect address and port. exit Closes an open connection. Authentication command emussa ot meht ezirohtua dna resu a yfitnedi ot desu si dnammoc gniwollof ehT .elor rotartsinimda roinuj ro rotartsinimda eht Description Service Access to CSPs Key Types used Login into the module establishing identity and opening login a session. Uses password Britestream nCipher Asymmetric Module security policy: v1.0.2 9 Britestream - nCipher Services Administrator and junior administrator roles rotartsinimda roinuj dna rotartsinimda eht ot elbaliava era secivres gniwollof ehT .ni deggol dna detcennoc evah yeht retfa selor Description Service Access to CSPs Key Types used Logs out ending a session. logout No access to CSPs Changes the password for a user - administration user passwd only. Sets password Starts the level 3 module and level 1 module. run No access to CSPs Stops the TLS security firmware - preventing access to all halt ports, other than management port. No access to CSPs Resets the level 3 module, clearing all keys and causing softReset all self tests to be run and disconnecting all users. Clears all session keys Displays the status of the level 3 module. readOpStatus No access to CSPs Regenerate KDC and KDI. nResetKDP Regenerates KDI, KDC DSA, Diffie-Hellman Zeroize all the secure certificates and keys in memory nClearKDP and flash. Clears keys Read KDP enrollment information. getKDPEnrollInfo Exports public halves of KDI and KDC DSA, Diffie-Hellman Display current FIPS mode. getFIPSMode No access to CSPs View the certificate details including the SHA-1 hash of the key. viewCertificate Uses a server key SHA-1 Britestream nCipher Asymmetric Module security policy: v1.0.2 10 Britestream - nCipher Services Description Service Access to CSPs Key Types used List all existing X.509 certificates, does not list key material. getAllCert Uses a server key SHA-1 Delete the certificate and associated keys delCertificate Erases server key Set the EKM key identifier for the certificate/key. Causes module to fetch encrypted key from KDCP proxy server. loadSecureCertificate Uses KDI, KDC, and session keys, sets server key DSA, Diffie Hellman, AES, SHA-1 Download firmware to BN2010. The module will only accept firmware if it can verify the RSA signature on the firmware image. upgradeFW Uses KBS, replaces firmware. RSA readFWInfo Read firmware information Save the current operational configuration writing a HMAC to validate. saveOpConfig HMAC SHA-1 eraseOpConfig Delete the saved operational configuration. dna eludoM cirtemmyS maertsetirB eht erugifnoc sdnammoc gniwollof ehT .pihc 0102NB eht fo snoitrop cihpargotpyrc-non eht hguorht dessecca eb ylno nac yeht sa ereh dedulcni era snoitcnuf esehT eht otni gol tsum resu eht dna eludoM cirtemmysA rehpiCn maertsetirB .sdnammoc eseht gniussi erofeb eludoM cirtemmysA rehpiCn maertsetirB .sPSC ot ssecca evah ton od sdnammoc esehT Service Description setPassThru En/Disable passthrough traffic - see level 1 security policy getPassThru Passthrough traffic setting - see level 1 security policy syncClock Set BN2010 clock to the system clock getClock Get BN2010 clock getSystemInfo Read system information setWatchDog En/Disable watchdog feature getWatchDog Watchdog feature setting Britestream nCipher Asymmetric Module security policy: v1.0.2 11 Britestream - nCipher Services Service Description setProxy Setup a TCP proxy setBackChProxyID Set up a backchannel proxy getProxy List the TCP proxy delProxy Delete the TCP proxy getAllProxy List all existing proxies setProxySSL Set up SSL attribute for the proxy getProxySSL Display SSL attribute for the proxy setSessionIDTimeout Set session ID timeout getSessionIDTimeout Get session ID timeout setPortBlocking Setup a blocked TCP/IP address entry getPortBlocking Get a blocked TCP/IP address entry delPortBlocking Delete the blocked TCP/IP address entry getAllBlocking List all existing blocked TCP/IP address entries setRehandshakeMaxTimeOut Set maximum time before SSL rehandshake getRehandshakeMaxTimeOut Get maximum time before SSL rehandshake setRehandshakeMaxSeqNum Set maximum sequence number before SSL rehandshake Get maximum sequence number before SSL getRehandshakeMaxSeqNum rehandshake setMgmtTCPIP Set mgmt port TCP/IP address at next powerup getMgmtTCPIP Display mgmt port TCP/IP address getMgmtTCPIPStored Display mgmt port TCP/IP address at next powerup getTCPMaxConn Display maximum TCP connection setup setICMP En/Disable ICMP getICMP Get ICMP setting setIPFragment Pass-through or discard IP fragments getIPFragment IP fragment setting setLBMode Set Load Balancing Mode getLBMode Get Load Balancing Mode setTCPOption Set TCP option getTCPOption Get TCP option setMACAddr Set MAC address for ports at next powerup getMACAddr Get MAC address for ports getMACAddrStored Get MAC address for ports at next powerup getMACStatus Get MAC status for ports Britestream nCipher Asymmetric Module security policy: v1.0.2 12 Britestream - nCipher Services Service Description setProxyState En/Disable proxy processing getProxyState Current proxy processing status setAllProxyState En/Disable processing for all proxies getAllProxyState Current processing status for all proxies setBlockState En/Disable port blocking processing getBlockState Current port blocking processing status setAllBlockState En/Disable processing for all blockings getAllBlockState Current processing status for all blockings getEthernetStats Ethernet statistics info getNetworkStats Network statistics info getSSLTLSStats SSL/TLS statistics info setStatsControl Set up statistics refreshing getStatsControl Display statistics refreshing setup setAlertControl En/Disable alert messaging getAlertControl Display alert messaging setting setBackChTCPIP Set back channel TCP/IP address getBackChTCPIP Display back channel TCP/IP address readThermal Read the thermal sensor clearThermal Clear all thermal records setThermalWatch Set thermal watch config getThermalWatch Get thermal watch config setThermalAlert En/Disable thermal alert getThermalAlert Get thermal alert setting setGlobalCipher Set up global cipher suites for the level 1 module getGlobalCipher Display global cipher suites for the level 1 module Britestream nCipher Asymmetric Module security policy: v1.0.2 13 Britestream - nCipher Services TLS user Role .elor resu SLT eht ot elbaliava era secivres gniwollof ehT Description Service Access to CSPs Key types Uses a key, loaded by the administrator user, for TLS setup. TLS Uses a server key RSA private key Britestream nCipher Asymmetric Module security policy: v1.0.2 14 15 Britestream nCipher Asymmetric Module security policy: v1.0.2 .)PDK( locotorP noitubirtsiD yeK rehpiCn eht gnisu eludoM cirtemmysA rehpiCn maertsetirB eht ot revres yek eht morf derrefsnart era syeK .yek gnipparw cirtemmys a hsilbatse ot segnahcxe yek ni desu yek namlleH eiffiD tib-8402 A KDC .ytitnedi sti evorp ot yek etavirp eht htiw egassem a sngis ti ,revres yek eht ot stcennoc eludom 3 level eht revenehW .revres yek eht ot tnes dna detropxe si siht ,resu noitartsinimdA eht yb deveirter eb nac flah cilbup ehT .delaever reven si riap siht fo flah etavirp ehT .eludom siht yfitnedi ot desu riap yek ASD a si ehT KDI .eulav yek cilbup eht ot ssecca on si erehT .erutcafunam pihc ta MOR eludom eht ni derots edoc redaoltoob eht otni nettirw si flah cilbup ehT .delaever reven si dna maertsetirB ta yleruces derots si flah etavirp ehT .resu SLT eht etacitnehtua ot dna noitacitnehtua erawmrif rof desu si hcihw ,yek ASR tib-6904 a si sihT .erawmrif eludom eht ngis ot desu ,yek etavirp maertsetirB ehT KBS .yek eht esu ot tpecxe ,lairetam yek ssecca ro syek tropxe ot msinahcem on si ereht eludom eht edisni detpyrced neeb sah yek etavirp AS R a ecnO .revres yek eht ot meht tropsnart dna syek eseht fo flah cilbup eht tropxe tsum resu rotartsinimda ehT .resu rotartsinimdA eht fo noitcurtsni eht rednu eludom 3 level eht yb detareneg era hcihw ,yek egnahcxe-yek namlleH eiffiD dna yek erutangis ASD a yb deifitnedi si eludom 3 level ehT .resu rotartsinimdA eht fo lortnoc eht rednu slocotorp PCDK/PDK s'rehpiCn gnisu etacinummoc revres yek eht dna eludom 3 level ehT .eludom dleihSn rehpi Cn na yllausu si sihT .revres yek a sa gnitca eludom lanretxe na morf - mrof detpyrcne ni - detropmi eb tsum syek esehT .locotorp SLT eht rof desu syek etavirp ASR eht etareneg ton seod eludoM cirtemmysA rehpiCn maertsetirB ehT Keys Keys Britestream - nCipher 16 Britestream nCipher Asymmetric Module security policy: v1.0.2 .noisses hcae fo dne eht ta dedracsid era syek gnipparW .eludoM cirtemmysA rehpiCn maertsetirB eht ot revres yek eht morf tisnart ni syek etavirP revreS tcetorp ot desu era syek gnipparW noisseS .noisses PDK eht fo trats eht ta detaitogen yek gnipparw eht sa tamrof emas eht syawla si yek gnipparw noisses ehT .htgnerts noitpyrcne fo stib 211 gnidivorp yek SED elpirT yek eerht a · ro htgnerts noitpyrcne fo stib 821 gnidivorp yek SEA tib-821 a · :rehtie si yek gnipparw noisses A Session wrapping key .noisses hcae fo dne eht ta dedracsid era syek PDK noisseS .noisses eht ni segassem tneuqesbus ni desu yek gnipparw noisses a hsilbatse ot desu si yek noisses PDK ehT .eludoM cirtemmysA rehpiCn maertsetirB eht ot siht sdnes dna yek noisses PDK a setareneg revres yek ehT .segassem fo egnahcxe laitini eht rof desu ylno si CDK ,revres yek eht no ytiruces erusne ot dna CDK fo esu eht eziminim oT .noisses PDK a nihtiw egnahcxe yek nihtiw desu yek etavirp namlleH-eiffiD tib-8402 a si yek noisses PDK A KDP Session keys .noisses hcae fo dne eht ta dedracsid era syek gnipparW .eludoM cirtemmysA rehpiCn maertsetirB eht ot revres yek eht morf tisnart ni syeK noisseS PDK tcetorp ot desu era syek gnipparW .htgnerts noitpyrcne fo stib 211 gnidivorp yek SED elpirT yek eerht a · ro htgnerts noitpyrcne fo stib 821 gnidivorp yek SEA tib-821 a · :rehtie si yek gnipparw A Wrapping key .seludom tcerroc eht ot dereviled reve ylno era syek erusne ot stniop dne eht yfitnedi ot )IDK( syek gningis sesu dna yalper tsniaga tcetorp ot secnon suoirav sedulcni locotorp ehT .egassem eht tpyrcne ot desu si taht yek gnipparw cirtemmys a eerga ot syek namlle H eiffiD sesu locotorp PDK ehT .reyal noitacinummoc eht slortnoc )PCDK( locotorP lortnoC yrevileD yeK locotorp etarapes A .refsnart eht ni desu yhpargotpyrc eht seificeps PDK Keys Britestream - nCipher 17 Britestream nCipher Asymmetric Module security policy: v1.0.2 .yek tib­6904a gnikaerb ot tnelaviuqe si hcihw erutangis dilav a si taht kcolb etyb modnar a gnitaerc fo ecnahc eht yek etavirp eht fo egdelwonk tuohtiW .deifirev ylmodnar taht erutangis ekaf a evah ot evah dluow ti ,elor siht emussa ot noitacilppa dezirohtuanu na rof redro nI .51 no SBK ees , yek eht gnisu noitacilppa KBS eht no edam erutangis a skcehc eludom ehT .snoisses resuSLT pu gnittes ot roirp eludom eht ot gnitacitnehtua noitacilppa SLT eht yb demussa si elor resu SLT ehT Authentication of TLS User .noillib 2:1 yletamixorppa si etunim a ni sseccus fo ecnahc eht dna sdrowssap retcarahc xis elbissop 468,083,248,588 era ereht ,depyt yltcerid yb nac taht sretcarahc 69 eht ot retcarahc fo eciohc tcirtser uoy fi nevE etunim/noillib 996:1 = noillirt262:573 .laitneuqes era stpmetta nigol llA .etunim rep stpmetta nigol 573 = 06 *)61.0/1( naht erom on ekam nac rekcatta na erofereht .ces 61.0~ sekat nigol enO .eulav tcerroc eht gnitteg ecnahc noillirt 262:1 ni tluser dluow sseug modnar enO .dap yek ciremun eht no eulav xeh eht gniretne dna yek Alt eht nwod gnidloh yb deretne eb nac draobyek eht morf yltcerid depyt eb tonnac taht seulaV .seulav 552 fo eno eb nac retcarahc hcaE .MARVN ni derots era sdrowssap esehT .sresu reciff9O ytiruceS roinuJ dna reciffO ytiruceS eht yfitnedi ot sdrowssap sesu eludom ehT Passwords .revres eht morf dedaoler eb tsum ro hsalf ni derots eb nac yeht rehtehw dna ,tuoemit a evah fi setacidni taht atadatem htiw detropsnart era syek etavirp revreS .syek rehto parw ot desu ton era syek etavirp revreS .yek gnipparw a ro CDK gnisu dehsilbatse yek gnipparw cirtemmys rednu detpyrcne revres yek a morf detropsnart era syek etavirp revreS .locotorp SLT eht nihtiw desu syek etavirp ASR eht era syek etavirp revreS Server private keys Keys Britestream - nCipher 18 Britestream nCipher Asymmetric Module security policy: v1.0.2 .revres yek eht ot noitcennoc eruces a hsilbatse ot namlleH eiffiD dengis ASD sesu eludom 3 level ehT .yek detpyrcne eht tseuqer dna revres yek eht htiw etacinummoc ot eludom eht sesuac sihT .dnammoc etacifitreCeruceSdaoL eht sesu rotartsinimdA eht ,yek a daol oT .revreS yeK eht ot tcennoc ot woh eludom eht llet taht sretemarap tropsnart PI/PCT eht era esehT .sretemarap PCDK eht serugifnoc rotartsinimdA ehT .revres yek a htiw eludom eht llorne dna riap CDK/IDK a etareneg tsum rotartsinimdA eht ,desu eb nac eludom eht erofeB .tisnart ni syek eht tcetorp dna eludom eht yfitnedi ot desu syeK eht etareneg seod eludom ehT .revres yek etarapes a ni detareneg eb tsum syek esehT .SLT ni yltcerid desu syek ASR eht etareneg tonnac eludom ehT Rules Rules Britestream - nCipher 19 Britestream nCipher Asymmetric Module security policy: v1.0.2 .detseuqer si rebmun modnar a revenehw tuptuo GNRp eht no tset suounitnoc a smrofrep osla eludom ehT .kcehc ycnetsisnoc esiwriap a smrofrep ti ,riap yek namlleH-eiffiD ro ASD wen a setareneg eludom eht nehW Conditional self tests .tset rewsna nwonk GNRp · CA MH dna 1- AHS ,SED elpirT ,SEA ,noitacifirev dna erutangis ASR ,ASD ,stset rewsna nwonk mhtirogla · noitacifirev erutangis ASR - ytirgetni erawmrif · stset erawdrah draob · :stset gniwollof eht smrofrep eludom eht pu rewop tA Power up self test .gniliaf tset a fo tluser a sa etats rorre na sretne ti fi ro stset fles gnimrofrep si eludom eht elihw detibihni si tuptuo atad llA .stset fles lanoitidnoc dna pu rewop smrofrep eludom ehT Self tests Self tests Britestream - nCipher 20 Britestream nCipher Asymmetric Module security policy: v1.0.2 .MPK apptype eht evah tsum eludoM cirtemmysA rehpiCn maertsetirB eht htiw esu rof syeK .rehpiCn yb dedivorp sloot dradnats eht fo yna gnisu ,eludoM cirtemmysA rehpiCn maertsetirB eht yb esu rof yek a etareneg nac uoY .sserdda krowten na ot meht dnib dna seulav eseht lorne ot ytilitu s' revres yek eht esu neht dna elif a ot CDK dna IDK fo flah cilbup eht etirw ot dnammoc getenrolmentinfo eht esU .revres yek eht htiw eludoM cirtemmysA rehpiCn maertsetirB eht llorne tsum uoY .eludo M cirtemmysA rehpiCn maertsetirB eht dna MS Hini M eht neewteb noitacinummoc eht seganam noitacilppa siht ,noitacilppa revres yek rehpiCn eht nur osla tsum uoY .sliated rof eludom esoht rof ycilop ytiruces eht ees ,dlrow ytiruces rehpiCn na htiw derugifnoc eb tsum revres yek ehT .lennahc detpyrcne na revo syek etavirp revres eht ylppus ot revres yek a seriuqer tI .syek etavirp revres etareneg ton seod eludom 3 level ehT Configuring the key server .71 no sdrowssaP ees :sretcarahc 6 tsael ta fo gnirts na si drowssap ehT .drowssap eht degnahc sah rotartsinimda eht litnu snoitarepo rehto yna wolla ton lliw eludom ehT .eulav eruces a ot drowssap eht egnahc ot dnammoc drowssap eht esu neht dna drowssap tluafed eht gnisu no gol ,drac eht ot tcennoc tsum rotartsinimdA ehT .drowssap tluafed a htiw deilppus si eludom ehT Changing password .sliated lluf rof ediug noitallatsni eht eeS .srevird dna erawtfos tsoh eht llatsni tsum uoy ,dellatsni yllacisyhp neeb sah drac eht ecnO .tekcos zH M66 tib-66 a ylbareferp hguoht - tekcos CIP dradnats yna otni stif draob ehT .draob ICP a si artlU ecroFn ro 0521 maertsetirB ehT Installing the card .yek etavirp eno tsael ta daol dna revres yek a ot noitcennoc eht erugifnoc ,drowssap eruces a ot drowssap tluafed eht egnahc ,eludom eht otni gol ,revres a ni drac eht llatsni tsum rotartsinimda eht ,edom SPIF ni eludom eht esu ot redro nI .noitarugifnoc tluafed a htiw deilppus si eludom ehT Delivery and operation Delivery and operation Britestream - nCipher 21 Britestream nCipher Asymmetric Module security policy: v1.0.2 .eludom 1 level eht yb desu sepyt yek eht enifed lliw hcihw ,yxorp eht rof sgnittes LSS eht tes ot esU SetProxySSL .sserdda PCT cificeps a rof esu ot reifitnedi yek eht enifed ot dnammoc SetProxyeht esU .yek siht esu ot revres yxorp eht pu tes tsum uoy dedaol si yek etavirp eht ecnO Configure the proxy .niahc etacifitrec 905.X detaicossa eht dna yek eht fo hsah 1-AHS eht syalpsid dnammoc sihT .syek dedaol eht tsil ot dnammoc readAllCertificates eht esu ,dedaol era syek hcihw enimreted oT .teser si eludom eht fi revres yek eht morf dehctefer eb tsum dna yromem laremehpe ot nettirw ylno si yek eht ,gnihcac wolla ton seod yek eht htiw atadatem eht fI .detadilav neeb sah ytitnedi s' resu eht ecno resu a ot elbaliava neht era syek eseht ,hsalf morf syek dehcac yna sdaol ti teser si eludom eht fI .yromem hsalf sti otni atad yek eht fo ypoc a setirw eludom eht ,elbaehcac si yek eht taht setacidni yek eht htiw tnes atad atem eht fI .edoc rorre na snruter eludom eht ,sliaf snoitarepo eseht fo yna fI .yromem gnikrow ni ti serots dna yek noitacilppa eht stpyrced eludom ehT .yek noisses siht htiw depparw eludom eht ot atad atem dna etacifitrec 905.X eht ,yek etavirp ASR deriuqer sdnes dna yek noisses a hsilbatse ot eludom eht htiw egnahcxe yek namlle H eiffiD a smrofrep revres yek ehT .eludom siht ot tropxe swolla LCA s'yek eht taht seifirev osla dna ,IDK gnisu edam erutangis ASD a - erutangis s'eludom eht seifirev revres yek eht taht gnimussA .yek deman eht rof tseuqer a dnes dna revres yek eht ot ,CDK gnisu egnahcxe yek namlleH eiffiD gnisu dehsilbatse yek SEA na yb detcetorp ,lennahc eruces a nepo ot eludom eht sesuac dnammoc siht gnittimbuS .yek eht fo eman eht dna revres yeK eht ro trop dna sserdda PI eht ylppus tsum uoY .yek a daol ot dnammoc loadSecureCertificate eht esU Loading a private key Delivery and operation Britestream - nCipher Britestream - nCipher Physical security Physical security .niser yxope yb derevoc era eludom eht fo stnenopmoc lacitirc ytiruces llA Britestream nCipher Asymmetric Module security policy: v1.0.2 22 23 Britestream nCipher Asymmetric Module security policy: v1.0.2 .syek erutangis ASD tib-4201 gnisu sevlesmeht yfitnedi revres dna eludom ehT .egnahcxe yek namlleH eiffiD tib-8402 a yb detcetorp era revres yek eht morf detropsnart syeK .erawmrif noitacilppa eht no erutangis 1-AHS - ASR tib 6904 a seifirev eludom eht ,sub lanretni eht no tcennoc nac rotarepo SLT eht erofeB .ytitnedi rieht evorp ot drowssap a edivorp tsum trop tnemeganam eht no gnitcennoc sresU Strength of functions Strength of functions Britestream - nCipher 24 Britestream nCipher Asymmetric Module security policy: v1.0.2 67 etacifitreC HMAC 643 etacifitreC Triple DES 462 etacifitreC AES 69 etacifitreC RNG 343 etacifitreC SHA-1 ylno noitacifirev erutangis ASR rof 301 etacifitreC RSA .htgnerts noitpyrcne fo stib 211 sedivorp ygolodohtem tnemhsilbatse yek ,tnemeerga yeK Diffie Hellman 831 etacifitreC DSA :smhtirogla gniwollof eht sesu eludom ehT Algorithms Algorithms Britestream - nCipher TM CI PHER Addresses Britestream Networks, Inc. nCipher Corporation Ltd. Cambridge, UK 12401 Research Boulevard, Jupiter House Bldg 2, Station Road Suite 275 Cambridge Austin, TX 78759 CB1 2JD USA UK Tel: +1 (512) 250 2129 Tel: +44 (0) 1223 723600 Sales: +1 (888) 926 8857 Fax: +44 (0) 1223 723601 Fax: +1 (512) 250 8369 Boston Metro Region, USA 92 Montvale Avenue, Suite 4500 Stoneham, MA 02180 USA Tel: 800-NCIPHER +1 (781) 994 4000 Fax: +1 (781) 994 4001 E-mail: sales@britestream.com E-mail: sales@ncipher.com support@britestream.com support@ncipher.com Web http://www.britestream.com Web http://www.ncipher.com