REV EN NO. SECTION DESCRIPTION BY DATE A CO13651 All Initial Release J. Steinmetz Jan 16 2007 B C014623 1 Add BAE configurations J. Steinmetz Feb 9, 2007 C C015292 1 Add BAF configuration. Corrects ECDSA signature J. Steinmetz Apr 25, 2007 verification. PRODUCT CODE NO. 1MEC Pitney Bowes APPROVALS BY DATE TITLE Pitney Bowes Cygnus X-2 PSD Security Policy - Canada PREPARED J. Steinmetz DATE Jan 16 2007 CHECKED D. Clark DATE Jan 16 2007 SHEET 1 OF 23 SHEETS EN NO CO15292 DWG NO. 1M00019 Pitney Bowes Inc. TABLE OF CONTENTS 1 MODULE OVERVIEW ............................................................................................................. 3 1.1 Implementation Architecture ............................................................................................. 3 2 SECURITY LEVEL................................................................................................................... 5 3 MODES OF OPERATION........................................................................................................ 5 4 PORTS AND INTERFACES .................................................................................................... 6 5 IDENTIFICATION AND AUTHENTICATION POLICY.............................................................. 6 6 ACCESS CONTROL POLICY.................................................................................................. 7 7 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS).......................................... 13 8 FUNDS RELEVANT DATA ITEMS ........................................................................................ 18 9 OPERATIONAL ENVIRONMENT .......................................................................................... 19 10 SECURITY RULES ............................................................................................................ 19 11 PHYSICAL SECURITY POLICY ........................................................................................ 20 12 MITIGATION OF OTHER ATTACKS POLICY ................................................................... 21 13 REFERENCES ................................................................................................................... 21 14 DEFINITIONS..................................................................................................................... 22 15 ACRONYMS....................................................................................................................... 22 REV REV DATE EN DWG Sheet 2 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 1 Module Overview This document describes the security policy for the Pitney Bowes Cygnus X-2 Postal Security Device (PSD). It is intended to describe the requirements for the secure processor only and not the entire system. Digital postal payment systems, such as the Digital Meter Program, rely on secure accounting of postage funds and printing a cryptographic digital postage mark on a mail piece. A PSD provides security services to support the creation of digital postage marks that are securely linked to accounting. A PSD provides two types of data protection: secrecy of critical security parameters (CSPs), such as cryptographic keys, and data integrity protection for funds relevant data items (FRDIs) such as accounting data. CSPs and FRDIs reside in the PSD. The Cygnus X-2 PSD cryptographic module consists of a multi-chip standalone module residing within a tamper resistant enclosure. The module's cryptographic boundary is defined as the metal enclosure surrounding the entire module. The module provides a logical USB interface. The module configurations under FIPS 140-2 validation are: ˇ Canada PSD Configurations: 1MEC BAC, 1MEC BAE, 1MEC BAF 1MES BAC, 1MES BAE, 1MES BAF (Specimen) 1.1 Implementation Architecture The User Interface Controller (UIC) is a common component for multiple product lines within Pitney Bowes. The hardware is structured to fit the general requirements for a mailing system controller. Different product control numbers (PCN) will be accommodated by downloading different software into the UIC. Similarly, the Cygnus X-2 PSD will be customized in manufacturing to match the specific PCN. The Cygnus X-2 PSD software is organized into discrete layers as shown in Figure 1 ­ Logical View of Software Architecture. The Control Layer (CL) communicates with the Middle Layer (ML) software which provides low-level functions such as cryptographic functions, file management, communications, etc. It communicates with the Cygnus X-2 PSD host and interfaces with other hardware and firmware elements. Generally, the host is the electronic package of a PB meter installed in a mailing machine, which may be in communication with the computer services of the PB Infrastructure Data Center. The Control Layer accesses the nonvolatile memory (NVM) and the real-time clock via the Middle Layer functions. Both layers co-exist on the same processor with a single thread of control. When the power is applied, the Middle Layer software has control of the processor until it has successfully completed power up checks, after which the Middle Layer passes control to the CL to perform its power up routines. After the CL has successfully initialized, it returns control REV REV DATE EN DWG Sheet 3 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 to the ML, which waits for host messages. Once a message is received, the Middle Layer firmware calls the Control Layer firmware to process the message. Control Layer Response message to Host Incoming message from Host Command f rom CL to ML Command response Middle Layer Response message to Incoming message Command from ML to GK3 Host Command f rom ML to KLSI Command Response from Host Serial Cry ptographic Temperature/ Serial RTC Memory Engine Voltage USB USB Low Level Hardware message from message to Response Host Incoming Host Figure 1 ­ Logical View of Software Architecture Figure 2 - Photographs of Physical Configuration. The metal enclosure forms the cryptographic boundary. REV REV DATE EN DWG Sheet 4 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 2 Security Level The Cygnus X-2 PSD cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2. Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 3 Roles, Services and Authentication 3 Finite State Model 3 Physical Security 3 + EFP Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 3 Self-Tests 3 Design Assurance 3 Mitigation of Other Attacks N/A Figure 3 - Module Security Level Specification 3 Modes of Operation The module shall contain no non-FIPS Approved mode of operation. Hence, the module will always be in a FIPS Approved mode of operation. The module supports the following FIPS Approved algorithms: ˇ DSA - FIPS 186-2: This algorithm is used to digitally sign and verify signatures. ˇ ECDSA - FIPS 186-2: This algorithm is used to digitally sign and verify signatures. ˇ HMAC SHA-1 - FIPS 198 ˇ SHA-1 - FIPS 180-2: This hashing algorithm is used as part of the digital signature process for DSA and ECDSA. This same algorithm is used in the HMAC SHA-1 algorithm. REV REV DATE EN DWG Sheet 5 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ Triple-DES - FIPS 46-3, FIPS 81: This encryption algorithm is used to encrypt and decrypt other cryptographic keys for secure storage. The module supports TDES ECB and CBC. ˇ Triple­DES MAC: This algorithm is used to create and verify MACs. ˇ DRNG per FIPS 186-2, Appendix 3 with SHA-1 based G function The module supports the following non-FIPS Approved algorithm: ˇ Diffie-Hellman (key agreement; key establishment methodology provides 80 bits of encryption strength): This algorithm is used as a key agreement method when establishing session keys between the module and the Infrastructure. While Diffie- Hellman is not FIPS Approved, it can be used in a FIPS Approved mode of operation. ˇ Non-Approved RNG: used as a seeding mechanism for the FIPS 186-2 DRNG. 4 Ports and Interfaces The Cygnus X-2 PSD was designed with a single 12-pin physical edge connector where all power input, data input, data output, control input, and status output interfaces are logically assigned. The edge connector was designed as a logical USB interface. Pin Description Interface Type 1 Not Used N/A 2 Ground Power 3 LED Status Output 4 Ground Power 5 Not Used N/A 6 USB Voltage Supply Power 7 Not Used N/A 8 I/O Data Input, Data Output, Control Input, & Status Output 9 LED Status Output 10 I/O Data Input, Data Output, Control Input, & Status Output 11 Not Used N/A 12 Ground Power Figure 4 ­ Interface Table 5 Identification and Authentication Policy There is no login process for an operator for any role in the Cygnus X-2 PSD design. No role or identity is active other than during the processing of a valid authorized transaction. Each request sent to the Cygnus X-2 PSD is signed with a particular key. The Cygnus X-2 PSD authenticates the entity by verifying the digital signature with the associated public REV REV DATE EN DWG Sheet 6 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 certificate. Every transaction requires authentication; no transaction is made "available" to a operator without authentication per transaction. Role Authentication Method Authentication Type Crypto-Officer Digital Signature Verification Identity-based PSD Administrator Digital Signature Verification Identity-based Printhead Administrator Digital Signature Verification Identity-based Financial Officer Digital Signature Verification Identity-based Customer On behalf of the PSD Administrator, None Printhead Administrator, or Financial Officer Figure 5 ­ Roles and Authentication Type Authentication Mechanism Strength Mechanism Digital Signature Based on number of protected bits in key or signature, the probability is 1 in 2^xB tries where x is the number of protected bits. The digital signature algorithm, with the associated cryptographic key, provides 80 bits of key strength or a probability of random success of 1 in 2^80. The module can execute 9.6 transactions per second therefore the probability of a success in a one minute period is 1 in 2,098,829,547,942,060,000,000. Figure 6 ­Authentication Strength 6 Access Control Policy Each identity and corresponding services are described in the following section. Crypto-Officer (CO): The CO is responsible for the high level key management within the box. The primary functions are to load keys into the Cygnus X-2 PSD and to authorize the generation and use of an IBI key. The services allocated to this role are as follows: ˇ Authorize PSD Key: The Authorize PSD Key message shall cause the Cygnus X-2 PSD to complete the Generate PSD Key transaction. This shall place the Cygnus X-2 PSD in Full Postal State. The Authorize PSD Key command shall instruct the Cygnus X-2 PSD to begin using the new key that was created by the previous Generate PSD Key command. The PB Infrastructure Data Center message with a PSD Key Record shall be included in the transaction. This record shall include the PSD public key and the Certificate ID that was received from the certificate authority. The record shall be REV REV DATE EN DWG Sheet 7 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 signed with the PB Infrastructure Data Center authentication certificate private key. The Cygnus X-2 PSD shall validate the message header and data content and then shall make the new key active. The Cygnus X-2 PSD shall also prepare the Authorize PSD record and shall sign it with the unique PSD Authentication Information Based Indicia (IBI) private key. ˇ Delete All Keys and Control Layer: In response to the Host, the Cygnus X-2 PSD shall zeroize all private and secret keys in the system and shall remove the control layer from the system and place the Cygnus X-2 PSD in Transport Mode. ˇ Generate Key Exchange Key: The host shall instruct the Cygnus X-2 PSD to establish a Triple-DES secret key in coordination with the Host via a Diffie-Hellman process. This secret key will be used as a one time Key Exchange Key to load a secret key into the Cygnus X-2 PSD. This key has a deterministic life of 30 minutes from generation before it becomes inactive. It is destroyed immediately upon completion of a Load Secret Key transaction. The Diffie-Hellman process and the Triple-DES key being established are both 80 bits in strength. This process is based on transmission of a parameter set and a `public key' from the host followed by the generation of a `private' key and associated public key and computation (establishment) of the shared secret key by the Cygnus X-2 PSD. The Cygnus X-2 PSD then transmits its `public' key back to the host so the host can compute the shared secret key. ˇ Generate PSD Key: The public and private key pair that is the PSD Authentication Key Pair shall be generated by the Cygnus X-2 PSD, when the Host sends this command message. It shall generate an ECDSA public/private key set. The message shall include the Signed Key Record (SKR), with parameters to be used. The cryptographic algorithm used by the Cygnus X-2 PSD is ECDSA. In this state, the Cygnus X-2 PSD shall verify the signature on the incoming message. It shall use the middle layer key pair generation algorithm, GenerateKeyPair. The key that is generated cannot be used for debit functions, until authorized by the post office, but it may be used for other operations, for example: Audit processing and self-signing of the response message (e.g., public key); retrieve a public key and sign a response back to the Host. ˇ Get Certificate Key: This service shall cause the Cygnus X-2 PSD to output the signed crypto key record that contains the public data included in the specified Certificate key. ˇ Get PSD Certificate: The Host instructs the Cygnus X-2 PSD to send the signed key record that shall contain the public data associated with the PSD Authentication Key. This command provides the PSD public key data. The command is used by the Print Head controller. The middle layer service that is called by the Control Layer software is the Get Public service. REV REV DATE EN DWG Sheet 8 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ Get Public Key Data: After the Load Public Key command has been executed, in order to load the public crypto key data into the Cygnus X-2 PSD, the Host shall use this command to retrieve the public key data from the Cygnus X-2 PSD. ˇ Load Certificate Key: The Load Certificate Key message shall cause the Cygnus X-2 PSD to pass the certificate key to the middle layer for storage. The incoming signed message shall be verified prior to taking action on the request. ˇ Load Public Key: The Cygnus X-2 PSD shall be instructed by the Host to load a public key, which is to be stored in the NVM. In this state, the Cygnus X-2 PSD shall verify the incoming message signature and shall verify that the key that is loaded is signed with the appropriate key. The incoming message shall include the new public key data for storage, key identifier, and the signature. The middle layer service that is called by the software is the StorePublicKey service. Upon successful completion of this service, the key attributes shall be retained. ˇ Load Secret Key: This command from the Host shall cause the Cygnus X-2 PSD to load the signed key record that contains an encrypted secret key. In this state, the Cygnus X-2 PSD shall verify the signature on the incoming message and shall verify that the key that is being loaded is signed with the appropriate key. The incoming message shall include the encrypted secret key for storage, key identifiers, and the signature. The middle layer service that is called by the embedded program is the StoreSecretKey service. Upon successful completion of data processing by this service, which included decrypting the secret key with the Key Exchange Key and then re-encrypting it with the Key Encryption Key for storage, the key attributes shall be retained. The HMAC SHA-1 Key is loaded using this transaction. ˇ Load Secret Key Response: The Load Secret Key Response message is output from the PSD in response to a Load Secret Key message. The response from the PSD shall contain signed data generated from the key loaded during the Load Secret Key message. The Host shall verify the signature in the response message to ensure that the key has been properly loaded into the PSD. ˇ Revoke Key: The revoke key message is a signed message that instructs the Cygnus X-2 PSD to remove a key from the key table. PSD Administrator (PSDA): The PSD Administrator manages non-key data used to set internal parameters and settings in the Cygnus X-2 PSD. The Postage by Phone system and the Manufacturing Systems are the only entities who act as the PSD Administrator. ˇ Disable PSD: This command shall place the Cygnus X-2 PSD in the Disabled state. No indicia shall be generated and no postage value downloads shall be performed. REV REV DATE EN DWG Sheet 9 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ Enable PSD: This command may transition the Cygnus X-2 PSD from the Disabled state to the Serial Number Locked state. It shall be valid only if no other lockout states are met. ˇ Reinitialize PSD: Immediately before this command is issued, the Get Challenge command function must have been executed. When the Host instructs the Cygnus X-2 PSD to reinitialize, the file system shall be cleared. Except for the Key Encryption Key, software and transport crypto keys, all keys shall be cleared. The Cygnus X-2 PSD shall be placed in the Transport Mode by the command. The command will not be accepted if there are any funds in the Cygnus X-2 PSD. Printhead Administrator (PHA): The Printhead Administrator is in charge of downloading information used in conjunction with the Printhead such as postage critical and non-critical graphics bit-maps. ˇ Verify and Sign Hash: The Cygnus X-2 PSD shall be instructed to verify the signature on the cryptographic hash that is in a signed data record and then to re-sign the hash with the PSD key and output a new SDR. The embedded program call is for the VerifySignature service. Financial Officer (FO): Funds transfer into and out of the Cygnus X-2 PSD is the responsibility of the Financial Officer. This corresponds to the "User" role as identified by FIPS 140-2. Postage by Phone is the Financial Officer. ˇ Create Postage Value Refund Request: Requests a return of funds from the Cygnus X- 2 PSD to the PbP account. ˇ Generate Postage Value Download Request: This command shall initiate a Postage Value Download (PVD) request. ˇ Load Postal Configuration Data: For the Cygnus X-2 PSD to load configuration information that is specific for the postal application, it must receive this command. The specific Postal Configuration Data shall be contained in a signed data record (SDR). ˇ Perform Postage Value Download: To perform a download of postage value (PVD), the Host sends the message to the Cygnus X-2 PSD, which shall verify the signature on the incoming signed data record. The SDR can be an IBI PVD record or it can be an IBI PVD Error record ˇ Perform Postage Value Refund: This command shall be required to complete the postage refunding operation that was started with the Create Postage Value Refund Request command. The Cygnus X-2 PSD shall verify the signature of the included SDR. ˇ Process Audit Results: The PCN parameter settings shall cause the Cygnus X-2 PSD to clear inspection lockout or to reset the next inspection due date in response to this command. The Prepare Audit Record command must immediately precede this REV REV DATE EN DWG Sheet 10 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 command in order for the Cygnus X-2 PSD to process the signed data record that is returned from the PB Infrastructure Data Center. ˇ Prepare Audit Record: At the time that Cygnus X-2 PSD is manufactured, the Message Definition File shall be created and written with information that is appropriate for a specific country. The Cygnus X-2 PSD shall use the data in this file to prepare a signed Audit Record, in response to this command from the Host. Customer (CU): This role performs services on behalf of the PSD Administrator, Financial Officer and Printhead Administrator; services allocated to this role require other authorized transactions to occur in conjunction with the service being invoked. ˇ Complete Debit: Completes the update of all information based on the last Perform Debit request. This is done on behalf of the Financial Officer. ˇ Complete Debit With Parameters: Completes the update of all information based on the last Perform Debit request. Then, based upon the PCN parameter setting, the invocation of this command shall cause the required cryptographic calculations to be made in preparation for use in the upcoming accounting debit. Typical data included in the command are Postage Value, Mail Date and Rate Category. However, these are variables that are PCN specific. At the time that the Cygnus X-2 PSD is manufactured, these data items are defined in the Message Definition File. This command shall only function in Full Postal state. This is done on behalf of the Financial Officer. ˇ Non-Secure Print Head ID Data: This service is used by the Authenticate to PHC services as part of one of the optional authentication procedures. This is done on behalf of the Printhead Administrator. ˇ Perform Debit: Based upon the Pre-Debit command, cryptographic functions that were required and that were not computed shall be completed in accordance with the PCN parameter settings. The Cygnus X-2 PSD shall deduct the postage value in the Pre- Debit message from the Descending register and shall update the Ascending Register, Control Sum and Piece Count registers appropriately. These functions shall only be performed in Full Postal state. The indicia record is signed with the UNIQUE_PSD_AUTH_IBI_ECDSA_FP160_PRIVATE key. This is done on behalf of the Financial Officer. ˇ Pre-Debit: Based upon the PCN parameter setting, the invocation of this command shall cause the required cryptographic calculations to be made in preparation for use in the upcoming accounting debit. Typical data included in the command are Postage Value, Mail Date and Rate Category. However, these are variables that are PCN specific. At the time that the Cygnus X-2 PSD is manufactured, these data items are defined in the Message Definition File. This command shall only function in Full Postal state. This is done on behalf of the Financial Officer. ˇ Get Challenge: The Host shall instruct the Cygnus X-2 PSD to output an eight byte nonce (random number), which shall be used in a subsequent command that requires that nonce word for authentication. This is always done in conjunction with another REV REV DATE EN DWG Sheet 11 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 authorized transaction, and is then considered as being done on behalf of any role that requires a nonce value. ˇ Toggle Out of Service Lockout: This command shall toggle the Cygnus X-2 PSD to enter or exit its Out of Service Lockout state. This is done on behalf of the PSD Administrator to manage the PSD state. Unauthenticated Services: Miscellaneous functions that do not require the Cygnus X-2 PSD authentication of the entity; Unauthenticated Services are available to all roles, both authenticated and unauthenticated. ˇ Class Support Request: Used to determine whether the Cygnus X-2 PSD supports a particular class of messages. ˇ General Class Support Request: Used to get information from the Cygnus X-2 PSD on all supported message classes via a single message. ˇ Get Real Time Clock with Offsets: This command shall cause the Cygnus X-2 PSD to return the value of the real time clock with all of the offsets calculated, including the GMT offset and drift correction. ˇ Get Real Time Clock Value with no Offsets: Returns the real time clock, with no offsets. ˇ Get Real Time Clock Offsets: Returns the Cygnus X-2 PSD clock offset values. ˇ Set Clock Drift Correction: The Host shall use this command to set the clock drift correction factor into the Cygnus X-2 PSD. ˇ Set GMT Offset: The user may apply time zone and daylight savings time offsets to produce the Greenwich Mean Time (GMT) offset in the Cygnus X-2 PSD, by using this command from the Host. ˇ Perform Diagnostic Test: This command shall cause the Cygnus X-2 PSD to perform the diagnostic test specified in the message. ˇ Perform Full Diagnostics: The Cygnus X-2 PSD shall perform its full diagnostics routines when the Host issues this command. ˇ Get File Attributes: Causes the Cygnus X-2 PSD to get and output the attributes from a specified file. ˇ Read Cyclic File: Causes the Cygnus X-2 PSD to read an output a specified record from a cyclic file. ˇ Read Linear File: Causes the Cygnus X-2 PSD to read and output the next record from a linear file. ˇ Setup Cyclic File for Read: Sets up the parameters for a cyclic file so a specified record can be read. REV REV DATE EN DWG Sheet 12 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ Write Cyclic File: Causes the Cygnus X-2 PSD to write the specified record into a cyclic file. ˇ Write Linear File: Causes the Cygnus X-2 PSD to write a record into the end of a linear file. ˇ Get Key List: Instructs the Cygnus X-2 PSD to return a list of all active keys stored in the Cygnus X-2 PSD. ˇ Modify ACK Timeout Request: Provides a means of modifying the timeout period, prior to the retransmission of an unacknowledged message. ˇ Product Code Number (PCN) Request: Commands the postal security device to return its PCN. ˇ Set Unsolicited Message Capability Request: Tells the Cygnus X-2 PSD whether or not it can send unsolicited message. ˇ Get PSD Status: If the Cygnus X-2 PSD is in a state where a specified command is expected, this command is used by the Cygnus X-2 PSD to its Idle state. ˇ Get PSD Attributes: The Host requires that the Cygnus X-2 PSD identify itself by its attributes. ˇ Get Middle Layer Attributes: The command shall call the Cygnus X-2 PSD to report the attributes of the Middle Layer. ˇ Get Low Level PSD Status: The Host shall get low level Cygnus X-2 PSD status information with this command. ˇ Get Middle Layer Error Log: Returns the Middle Layer Error/Event log. 7 Definition of Critical Security Parameters (CSPs) The following table describes the CSPs contained in the module: Key Description Generation / Storage Entry / Destruction / Usage Agreement Output KUPsdP- TDES 2key Internally by Clear text Entry: N/A On tamper KY3DESCBC Key Encryption FIPS approved event and Output: N/A Key PRNG Delete All Keys and Control Layer service KSPsdP-KECB TDES 2key Diffie Hellman Ciphertext Entry: N/A Delete All Keys CBC session process with and Control Output: N/A key exchange Infrastructure Layer service key REV REV DATE EN DWG Sheet 13 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 Key Description Generation / Storage Entry / Destruction / Usage Agreement Output KUPsdA-IDHM HMAC SHA-1 Externally Ciphertext Entry: Delete All Keys key used in Encrypted via and Control Indicia KSPsdP-KECB Layer service Output: N/A P'UPsdA-IBE1 ECDSA IBI Internally by a Ciphertext Entry: N/A Delete All Keys authorization FIPS Approved and Control Output: N/A key that is also PRNG Layer service used to authenticate the Cygnus X-2 PSD P'UPsdP- DH1024 Internally by a N/A Entry: N/A End of KEDH private key FIPS Approved transaction Output: N/A PRNG Figure 7 ­ CSP Table The following table describes the public keys contained in the module: Key Description / Usage Generation / Storage Entry / Agreement Output PDInfA-CD DSA Certificate Authentication Externally Plaintext Entry: Certificate form Output: Certificate form PDInfA-GCD DSA Postal Critical Graphics Externally Plaintext Entry: Authentication Certificate form Output: Certificate form PDInfA-KUD DSA Key Update Authentication Externally Plaintext Entry: Certificate form Output: Certificate form PDInfA-PVD DSA Postage Value Download Externally Plaintext Entry: authentication Certificate form Output: Certificate form PDInfA-RootD DSA root authentication Externally Plaintext Entry: Certificate form Output: Certificate form REV REV DATE EN DWG Sheet 14 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 Key Description / Usage Generation / Storage Entry / Agreement Output PDInfA-VD DSA vendor authentication Externally Plaintext Entry: Certificate form Output: Certificate form PDInfC- DSA verifying signature on non- Externally Plaintext Entry: NPcGD postal critical graphics Certificate form Output: Certificate form PUPsdA-IBE1 ECDSA public IBI authorization Internally Plaintext Entry: N/A key Output: Certificate form PUPsdP-KEDH DH1024 public key Internally N/A Entry: N/A Output: Certificate form Figure 8 ­ Public Key Table The following table describes the modes of access for each key to each role supported by the module. The modes of access are defined as: ˇ Zeroize: The Cygnus X-2 PSD zeros the key memory location. ˇ Generates: The Cygnus X-2 PSD generates the key using the FIPS Approved PRNG. ˇ Establishes: A key agreement process is used to establish the specified key. ˇ Load: Inputs the key. ˇ Decrypt: Decrypts something with the specified key. ˇ Sign: Signs with the specified key. ˇ MAC: Performs a MAC with the specified key. Roles Services CSP Modes of Access PSDA PHA CO CU FO X Authorize PSD Key N/A Delete All Keys and Zeroizes all CSPs in Figure 7 X Control Layer Generate Key Generates P'UpsdP-KEDH X Exchange Key REV REV DATE EN DWG Sheet 15 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 Roles Services CSP Modes of Access PSDA PHA CO CU FO Establishes KSPsdP-KECB X Generate PSD Key Generates P'UPsdA-IBE1 X Get Certificate Key N/A X Get PSD Certificate N/A Get Public Key N/A X Data Load Certificate N/A X Key X Load Public Key N/A Load Secret Key Load KUPsdsA-IDHM X Decrypt with KSPsdP-KECB Load Secret Key Sign with P'UPsdA-IBE X Response X Revoke Key N/A Create Postage Sign with P'UPsdA-IBE1 X Value Refund Request Generate Postage Sign with P'UPsdA-IBE1 X Value Download Request Load Postal N/A X Configuration Data Perform Postage Verify with PDInfA-PVD X Value Download Perform Postage N/A X Value Refund Process Audit N/A X Results Prepare Audit Sign with P'UPsdA-IBE1 X Record Verify and Sign Sign with P'UPsdA-IBE1 X Hash X Disable PSD N/A X Enable PSD N/A X Reinitialize PSD N/A REV REV DATE EN DWG Sheet 16 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 Roles Services CSP Modes of Access PSDA PHA CO CU FO X Complete Debit Sign with P'UPsdA-IBE1 Complete Debit Sign with P'UPsdA-IBE1 X with Parameters X Get Challenge N/A X Perform Debit Sign with P'UPsdA-IBE1 MAC with KUPsdA-IDHM X Pre Debit Sign with P'UPsdA-IBE1 Non Secure N/A X Printhead ID Data Toggle Out of N/A X Service Lockout Class Support N/A X X X X X Request General Class N/A X X X X X Support Request X X X X X Get File Attributes N/A X X X X X Get Key List N/A Get Low Level PSD N/A X X X X X Status Get Middle Layer N/A X X X X X Attributes Get Middle Layer N/A X X X X X Error Log X X X X X Get PSD Attributes N/A X X X X X Get PSD Status N/A Get Real Time N/A X X X X X Clock Offsets Get Real Time N/A X X X X X Clock Value with No Offsets Get Real Time N/A X X X X X Clock with Offsets Modify ACK N/A X X X X X Timeout Requests X X X X X PCN Request N/A REV REV DATE EN DWG Sheet 17 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 Roles Services CSP Modes of Access PSDA PHA CO CU FO Perform Diagnostic N/A X X X X X Test Perform Fully N/A X X X X X Diagnostics X X X X X Read Cyclic File N/A X X X X X Read Linear File N/A Set Clock Drift N/A X X X X X Correction X X X X X Set GMT Offset N/A Set Unsolicited N/A X X X X X Msg Capability Request Setup Cyclic File N/A X X X X X for Read X X X X X Write Cyclic File N/A X X X X X Write Linear File N/A Figure 9 ­ CSP Modes of Access 8 Funds Relevant Data Items FRDIs are data items whose authenticity and integrity are critical to the protection of postage funds, but which are not CSPs and should not be zeroized. In Cygnus X-2 PSD, all FRDIs are stored in nonvolatile memory in the Cygnus X-2 PSD. FRDIs include: ˇ Indicia Serial Number is the identification number associated with the meter license. ˇ Ascending Register. This register contains the total amount of funds spent over the lifetime of the module. ˇ Descending Register: This register contains the amount of funds currently available in the module. ˇ Control Sum: This register contains the total amount of funds credited to the module over the lifetime of the module. The Control Sum must equal the sum of the Ascending Register and the Descending Register values. ˇ PSD Piece Count: The number of indicia plus the number of correction indicia dispensed by the Cygnus X-2 PSD. REV REV DATE EN DWG Sheet 18 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 9 Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements for the Cygnus X-2 PSD are not applicable because the device does not contain a modifiable operational environment. 10 Security Rules This section documents the security rules enforced by the Cygnus X-2 PSD to implement the security requirements of this FIPS 140-2 Level 3 module. ˇ The Cygnus X-2 PSD shall not process more than one request at a time (i.e., single threaded). While processing a transaction, prior to returning a response, the Cygnus X- 2 PSD will ignore all other inputs to the Cygnus X-2 PSD. No output is performed until the transaction is completed, and the only output is the transaction response. ˇ The Cygnus X-2 PSD shall validate identities using digital signature. ˇ All keys generated in the module shall have 80-bits of strength. ˇ All methods of key generation shall be at least as strong as the key being generated. ˇ All methods of key establishment shall be at least as strong as the key being established. ˇ Signed digital indicium data shall not be output unless the proper funds accounting has been performed. ˇ The Cygnus X-2 PSD shall sign digital indicium data using an approved IPMAR signature method. ˇ The Cygnus X-2 PSD shall not provide a bypass state where plaintext information is just passed through the module. ˇ The Cygnus X-2 PSD shall not support a maintenance mode. ˇ The Cygnus X-2 PSD shall not support a safety state. ˇ The Cygnus X-2 PSD shall not output any secret or private key in plaintext form. ˇ The Cygnus X-2 PSD shall not accept any secret or private key in plaintext form. ˇ There shall be no seed keys entered into the system. ˇ There shall be no manual entry of keys into the system. ˇ There shall be no entry or output of split keys from the system. ˇ There shall be no key archiving. ˇ Keys shall be either generated via an Approved method or entered into the system through valid processes (i.e., Load Secret Key, etc.). ˇ Only those keys necessary for the domain specified by the PCN shall be loaded during manufacturing or generated during operation REV REV DATE EN DWG Sheet 19 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ The Cygnus X-2 PSD shall support the following conditional tests: o Pairwise consistency test for ECDSA key pair generation o Continuous RNG test for both the FIPS approved RNG and the non-FIPS approved RNG ˇ The Cygnus X-2 PSD shall support power up self-tests, which include: o Software/Firmware Integrity Tests: Middle Layer Verification (SHA-1 and DSA) Control Layer Verification (SHA-1) o GK3 Power On Self-Tests (POST) (Critical functions test) o Application Code Self-Tests: After successful completion of the GK2S POST and prior to execution of the first service request, the Cygnus X-2 PSD shall perform the following additional tests via the middle layer code in FLASH memory. The tests are listed in order of execution. The tests performed are: o Critical functions tests: SRAM Databus Test SRAM Address Bus Test SRAM Pattern Test BRAM pattern test Timer Test RTC Test o Cryptographic Algorithm Known Answer Tests: SHA-1 Known Answer Test HMAC SHA-1 Known Answer Test Triple-DES Known Answer Test Triple-DES MAC Known Answer Test DSA Known Answer Test ECDSA Known Answer Test Diffie-Hellman Known Answer Test DRNG Known Answer Test (FIPS 186-2) 11 Physical Security Policy The Cygnus X-2 PSD includes the following physical security mechanisms: REV REV DATE EN DWG Sheet 20 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ Upon detecting a tamper event, the Cygnus X-2 PSD shall execute a zeroize activity that completely eliminates its ability to perform any operation requiring authentication. ˇ Upon detecting a tamper event, the Cygnus X-2 PSD shall abort any transaction in process. The module shall protect two types of data items: Funds relevant data items (FRDIs) and critical security parameters (CSPs). Physical Security Recommended Inspection/Test Guidance Mechanisms Frequency of Details Inspection/Test Tamper Barrier N/A Periodic remote data communications Battery Power Continuous Internal SW Temperature Sensing N/A Proof of Design Test, Manufacturing Sampling Voltage Sensing N/A Proof of Design Test, Manufacturing Sampling Figure 10 ­ Inspection/Testing of Physical Security Mechanisms 12 Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2. 13 References The following documents are referenced by this document, are related to it, or provide background material related to it: ˇ Data Encryption Standard ­ FIPS PUB 46-3, October 25, 1999 ˇ Financial Institution Retail Message Authentication ­ ANSI X9 .19, 1996 ˇ Digital Signature Standard (DSA) ­ FIPS PUB 186-2, January 27, 2000, including change notice of October 5, 2001 ˇ International Postage Meter Approval Requirements (IPMAR) - S30 UPU Standard ˇ Secure Hash Standard ­ FIPS PUB 180-2, August 26, 2002 ˇ Security Requirements for Cryptographic Modules ­ FIPS PUB 140-2, Change Notices December 3, 2002 REV REV DATE EN DWG Sheet 21 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 ˇ 1M97002 Cygnus X-2 Multi-Chip PSD Hardware Requirements, Rev A, August 30, 2004. 1L97006 Cygnus PSD Middle Layer / Control Layer Interface Specification, Rev A, October 3, 2003. 14 Definitions ˇ Diffie-Hellman: A process where two secure facilities may establish a shared secret key using unsecured communications. ˇ Key Establishment: There are three methods for the establishment of a key within the Cygnus X-2 PSD. These are internal generation, load from external source, and the Diffie-Hellman process. ˇ Key Transaction Processor: The Key Transaction Processor or KTP is a master database system that contains and manages key material in encrypted data records. It is the repository for all meter related keys at Pitney Bowes and is the start or end point of a large number of secure transactions involving the distribution of keys. ˇ Secure Configuration Trusted Coprocessor: The secure box used in conjunction with Postage by PhoneŽ for configuration management. ˇ Secure Financial Trusted Coprocessor: The secure box used in conjunction with Postage by PhoneŽ for funds management. ˇ Secure Manufacturing Trusted Coprocessor: The secure box used in manufacturing a Cygnus X-2 PSD. 15 Acronyms 3DES Triple Data Encryption Standard ANSI American National Standards Institute CL Control Layer CM Cryptographic Module CSP Critical Security Parameter DEA Data Encryption Algorithm DES Data Encryption Standard DSA Digital Signature Algorithm DSS Digital Signature Standards ECDSA Elliptic Curve Digital Signature Algorithm EFP Environmental Failure Protection EFT Environmental Failure Testing EMC Electromagnetic Compatibility REV REV DATE EN DWG Sheet 22 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019 EMI Electromagnetic interference FIPS Federal Information Processing Standards FRDI Funds Relevant Data Items GK3 Gate Keeper 3 SRAM ASIC HMAC A hashing algorithm used for message authentication IPMAR International Postal Meter Approval Requirements ISO International Standards Organization MAC Message Authentication Code ML Middle Layer NVM Nonvolatile Memory PB Pitney Bowes PbP Postage by PhoneŽ PCN Product Code Number PHC Print Head Controller PKCS Public Key Cryptography Systems PSD Postal Security Device PSN Postal Serial Number (Indicia Serial Number) PVD Postage Value Download SDR Signed Data Record SHA Secure Hash Algorithm SKR Signed Key Record TDEA Triple Data Encryption Algorithm UIC User Interface Controller REV REV DATE EN DWG Sheet 23 of 23 C Apr 25 07 NO. CO15292 NO. 1M00019 Pitney Bowes Inc. 55019