Security Policy: MGEG Secure Card Crypto Engine Cryptographic Module Worldwide Systems Development Division Version R01.02.17 Date: May 22, 2008 Introduction Introduction CP1-TMP-030 page 2 Motorola Document Template Introduction Table of Contents 1. INTRODUCTION................................................................................................................................................................4 1.1. PURPOSE ......................................................................................................................................................................4 1.2. SCOPE ...........................................................................................................................................................................4 1.3. DEFINITIONS ................................................................................................................................................................4 1.4. OVERVIEW ...................................................................................................................................................................5 1.5. MGEG SCCE HARDWARE / SOFTWARE VERSION NUMBERS .................................................................................5 1.6. MGEG SCCE IMPLEMENTATION ...............................................................................................................................5 1.7. MGEG SCCE CRYPTOGRAPHIC BOUNDARY ...........................................................................................................5 2. FIPS 140-2 SECURITY LEVEL.........................................................................................................................................7 3. APPROVED OPERATIONAL MODES ...........................................................................................................................8 4. GUIDANCE DOCUMENTATION ....................................................................................................................................9 4.1. ADMINISTRATION OF THE MGEG SCCE IN A SECURE MANNER (CO) ..................................................................9 4.2. ASSUMPTIONS REGARDING USER BEHAVIOR (CO) ................................................................................................9 4.3. APPROVED SECURITY FUNCTIONS, PORTS, AND INTERFACES AVAILABLE TO USERS ......................................9 4.4. USER RESPONSIBILITIES NECESSARY FOR SECURE OPERATION ..........................................................................9 5. SECURITY RULES...........................................................................................................................................................10 5.1. FIPS PUB 140-2 IMPOSED SECURITY RULES..........................................................................................................10 5.2. MOTOROLA IMPOSED SECURITY RULES ................................................................................................................15 6. PHYSICAL SECURITY....................................................................................................................................................16 6.1. MECHANISMS ............................................................................................................................................................16 6.2. MAINTENANCE ..........................................................................................................................................................16 7. ROLES AND SERVICES..................................................................................................................................................17 7.1. MGEG SCCE SUPPORTED ROLES............................................................................................................................17 7.2. MGEG SCCE SERVICES............................................................................................................................................17 8. AUTHENTICATION.........................................................................................................................................................19 9. ACCESS CONTROL.........................................................................................................................................................20 9.1. SECURITY RELATED DATA ITEMS (CSPS)..............................................................................................................20 9.2. CSP ACCESS TYPES ..................................................................................................................................................20 9.3. ACCESS MATRIX .......................................................................................................................................................21 10. MITIGATION OF ATTACKS.....................................................................................................................................22 CP1-TMP-030 page 3 Introduction Introduction 1. Introduction 1.1. Purpose This Security Policy is the precise specification of the security rules under which the MGEG Secure Card Crypto Engine Cryptographic Module must operate. 1.2. Scope This Security Policy specifies the security rules under which the Motorola Gold Elite Gateway Secure Card Crypto Engine Cryptographic Module, herein identified as the MGEG Secure Card Crypto Engine or MGEG SCCE, must operate. Included in these rules are those derived from the security requirements of FIPS 140-2 and additionally, those imposed by Motorola. These rules, in total, define the interrelationship between the: 1. module operators 2. module services 3. security related data items (CSPs). 1.3. Definitions ALGID Algorithm Identifier CBC Cipher Block Chaining SCCE Secure Card Crypto Engine CFB Cipher Feedback CKR Common Key Reference (interchangeable with SLN) CO Crypto Officer DES Data Encryption Standard DPRAM Dual Port RAM ECB Electronic Code Book KEK Key Encryption Key KID Key Identifier KLK Key Loss Key KMM Key Management Message KPK Key Protection Key KVL Key Variable Loader MAC Message Authentication Code MGEG Motorola Gold Elite Gateway OFB Output Feedback OTAR Over The Air Rekeying PRNG Pseudo Random Number Generator RNG Random Number Generator CP1-TMP-030 page 4 Motorola Document Template Introduction SLN Serial Location Number (interchangeable with CKR) CSP Security Related Data Item TEK Traffic Encryption Key QUICC Quad Communications Controller 1.4. Overview As Motorola radio systems migrate from traditional circuit switched infrastructure to packet based infrastructure, new cryptographic modules are needed to replace those in the current system. X.4/Astro 6.0 represents the first Astro release to use a packet-based infrastructure. For backwards compatibility, the Motorola Gold Elite Gateway (MGEG), will be released as part of Astro 6.0, so that customers who currently have circuit switched consoles can replace or upgrade their infrastructure without replacing their consoles. The MGEG will be the packet based equivalent of the Digital Interface Unit (DIU). As with the DIU, the MGEG will need to provide voice coding and cryptographic services for the console. The MGEG Secure Card is a multiprocessor card that can handle up to 120 audio streams providing encryption services for the MGEG. It consists of 1 Motorola MPC8260 Power QUICC II processor, 1 Master Crypto Engine, and 12 Slave Crypto Engines. Each MGEG contains two Secure Cards providing 120 simultaneous, full duplex calls. 1.5. MGEG SCCE Hardware / Software version numbers Module Name FIPS Validated FIPS Validated Hardware Version Firmware Version Numbers Numbers MGEG SCCE R01.00.00 R01.00.00, R01.03.07, R01.04.02, R01.07.05, R01.07.06 1.6. MGEG SCCE Implementation The MGEG SCCE is implemented as a multi-chip embedded module as defined by FIPS PUB 140-2. 1.7. MGEG SCCE Cryptographic Boundary The MGEG SCCE is defined as the portion of the MGEG cPCI printed circuit board containing the following hardware: 13 ARMOR ICs, 1 Flash, 24 SRAMS, 13 DPRAMs, KVL interface and the associated power and tamper circuitry. CP1-TMP-030 page 5 Introduction Introduction Figure 1: MGEG SCCE front w/o tamper shield. Crypto boundary defined by dashed `line'. Figure 2: MGEG SCCE back w/o tamper shield. Crypto boundary defined by dashed `line'. NOTE: In the above photographs the tamper shield has been removed to allow the reader to view the internals of the card. The shipped product will include a tamper shield covering both sides of the board that secures to itself through the elliptical holes (appears as a dashed line in the photos) in the board. CP1-TMP-030 page 6 Motorola Document Template FIPS 140-2 Security Level 2. FIPS 140-2 Security Level The MGEG SCCE is designed to meet FIPS 140-2 security at the levels indicated in the table below. Table 2-1 FIPS 140-2 Security Requirements Section Level Cryptographic Module Specification 1 Ports and Interfaces 1 Roles Services and Authentication 2 Finite State Machine Model 1 Physical Security 1 Operational Environment N/A Cryptographic Key Management 1 EMI / EMC 1 Self Tests 1 Design Assurance 1 Mitigation of Other Attacks 1 CP1-TMP-030 page 7 Approved Operational Modes Approved Operational Modes 3. Approved Operational Modes The MGEG SCCE provides modes of operation that are not Approved. Below is a list of configuration settings that are required to provide FIPS 140-2 approved operation. To run the MGEG SCCE in Approved mode the following three steps must be taken (note: 1 and 2 default to FIPS approved settings at initial power up): 1. Key Loss Key (KLK) generation must be disabled. 2. Encryption keys for non-approved algorithms must not be loaded into the crypto module. A non-approved algorithm may be invoked only when an encryption key for that algorithm has been loaded. The module supports the following approved algorithms: · AES-256 for encryption, decryption, and authentication (authentication, AES MAC, is approved when used for Project 25 OTAR. Note: key establishment provides 256 bits of encryption strength) may be used in the following approved modes: OFB, ECB, and CBC. The module supports the following non-approved algorithms: · DES (ECB, OFB, CFB, and CBC modes) · DES-XL · DVI-XL · DVI-SPFL · DVP-XL · ADP · HW RNG · LFSR CP1-TMP-030 page 8 Motorola Document Template Guidance Documentation 4. Guidance Documentation 4.1. Administration of the MGEG SCCE in a secure manner (CO) The MGEG SCCE can be shipped already installed in the cPCI chassis. In this case, the MGEG SCCE requires no special administration for secure use assuming settings 1 and 2 in section 3 of this document have not been modified from the default (FIPS approved state) and only FIPS approved encryption algorithms are being used. If the settings have been modified, they must be returned to the FIPS approved state to place the module in FIPS approved mode of operation. If the Secure Card is sent not installed in the cPCI chassis upon shipment (i.e. MGEG upgrade to secure) the user must install the cards in a secure manner. With the MGEG powered off, the cards must be placed in the cPCI chassis without removing the tamper shield. At initial power up the cards will come up in FIPS approved mode of operation (assuming FIPS approved algorithms are purchased). If the configuration settings in section 3 of this document are modified, the card is no longer in FIPS approved mode. To return to FIPS approved mode, follow the guidelines in section 3 of this document. 4.2. Assumptions regarding User Behavior (CO) The MGEG SCCE has been designed in such a way that very few assumptions regarding User Behavior have been made that are relevant to the secure operation of the module. It has been assumed that the user will keep all CSPs private. It has also been assumed that the user will deny use of the module to unapproved personal while the user is logged in as the User or CO. 4.3. Approved Security Functions, Ports, and Interfaces available to Users All MGEG SCCE services are available to the MGEG SCCE user assuming the appropriate role. These are listed in section 7 of this document. Only the KVL port (used for electronic key entry and OTAR store and forward) is directly available to the MGEG SCCE user. This interface is logically disconnected when the user is not logged in with the appropriate role. 4.4. User Responsibilities necessary for Secure Operation The User and CO must keep all CSPs private. The User and CO must not allow unapproved operation of the module while logged in. The user must ensure the module is operating in the FIPS approved mode as discussed in section 3 of this document. CP1-TMP-030 page 9 Security Rules Security Rules 5. Security Rules This section lists the security rules enforced by the MGEG SCCE. The rules are separated into two categories, 5.1) those imposed by FIPS PUB 140-2 and, 5.2) those imposed by Motorola. 5.1. FIPS PUB 140-2 Imposed Security Rules 1. The MGEG SCCE supports the following interfaces. · Data input interface a. DPRAM ­ Plaintext Data, Ciphertext Data, OTAR KMMs, Authentication b. KVL - Key Management Data, Encrypted Cryptographic Keys, Plaintext Cryptographic Keys, OTAR (Store & Forward) c. SCI ­ used to flash program the master crypto engine in the factory · Data output interface a. DPRAM- - Plaintext Data, Ciphertext Data, OTAR KMMs · Control input interface a. DPRAM ­ Input Commands, Programming Upgrade b. KVL - Input Commands, Programming Upgrade c. Tamper1 ­ in addition to the tamper switches beneath the tamper shield, a tamper switch is physically available to the user to cause a tamper response on demand. · Status output interface a. DPRAM ­ Status Codes b. KVL ­ Status Codes c. KVL LED ­ KVL interface state d. Power up LED ­ Indicates the MGEG SCCE is powering up. · Power interface 1 The tamper mechanisms are not tested or part of the FIPS 140-2 validation CP1-TMP-030 page 10 Motorola Document Template Security Rules a. SW_3.3 ­ Switched power supply powers all circuitry except Battery Backed Register b. CONT_3.3 ­ Continuous power supply powers Battery Backed Register 2. The MGEG SCCE inhibits all data output via the data output interface whenever an error state exists and during self-tests. 3. The MGEG SCCE logically disconnects the output data path from the circuitry and processes when performing key generation, electronic key entry, or key zeroization. 4. Authentication data (e.g. PINs) and other critical security parameters are entered / output in plaintext form. AND Secret cryptographic keys are entered / output over a physically separate port. 5. The MGEG SCCE supports a User role and a Cryptographic Officer role. These two roles have the same set of services. 6. The MGEG SCCE re-authenticates a role when it is powered-up after being powered-off. 7. The MGEG SCCE provides the following services requiring a role: · Transfer Key Variable · Privileged APCO OTAR · Change Password · Encrypt · Decrypt · Zeroize Selected Keys · Programming Upgrade 8. The MGEG SCCE provides the following services not requiring a role: · Validate Password 2 · Tamper Response 2 The tamper mechanisms are not tested or part of the FIPS 140-2 validation. CP1-TMP-030 page 11 Security Rules Security Rules · Non-Privileged APCO OTAR · Reset Crypto Module · Shutdown Crypto Module · Download Config Parameters · Query Config Parameters · Initiate Self Tests · Zeroize all keys · Zeroize All Keys and Password 9. The MGEG SCCE enforces Role-Based identification. 10. The MGEG SCCE implements all software using high-level language except the limited use of low-level language to enhance performance. 11. The MGEG SCCE protects secret keys and private keys from unauthorized disclosure, modification and substitution. 12. The MGEG SCCE provides a means to ensure that a key entered into, stored within, or output from the MGEG SCCE is associated with the correct entities to which the key is assigned. Each key in the MGEG SCCE is entered and stored with the following information: · Key Identifier (KID) ­ 16 bit identifier · Algorithm Identifier (ALGID) ­ 8 bit identifier · Key Type ­ Traffic Encryption Key or Key Encryption Key · Common Key Reference (CKR)/Keyset number ­ Identifiers indicting storage locations. Along with the encrypted key data, this information is stored in a key record that includes a CRC over all of the fields to detect data corruption. When used or deleted the keys are referenced by KID/ALGID or CKR/Keyset. 13. The MGEG SCCE denies access to plaintext secret and private keys contained within the MGEG SCCE. 14. The MGEG SCCE provides the capability to zeroize all plaintext cryptographic keys and other unprotected critical security parameters within the MGEG SCCE. CP1-TMP-030 page 12 Motorola Document Template Security Rules 15. The MGEG SCCE supports the following FIPS approved algorithms: · AES - OFB for symmetric encryption / decryption of digital voice and data - CBC for authentication of Project 25 OTAR - ECB for symmetric decryption of Project 25 OTAR · 3DES - 8-bit CFB for symmetric encryption / decryption of keys and parameters stored in the internal database - TDES MAC (CBC mode) for symmetric decryption and authentication of software upgrades · SHA-1 - Password hashing for internal storage · Appendix 2.4 ANSI X9.31 PRNG - IV and KPK generation 16. The MGEG SCCE performs the following self-tests: · Power-up and on-demand tests - Cryptographic Algorithm Test: Each algorithm (SHA-1, RNG, 3DES in the CFB8 and CBC modes, and AES in the OFB, CBC, and ECB modes) is tested using a known key, known data and, if required, known IV. The known, clear data is encrypted with the known key and tested against the known, encrypted data. The encrypted data is then decrypted and tested against the original known clear data. The test passes if both the encrypted and the decrypted known data match their corresponding counterparts, otherwise the test fails. - Software/Firmware Test: The software firmware test calculates a checksum over the code. The checksum is calculated by summing over the code in 32 bit words. The code is appended with a value that makes the checksum value 0. The test passes if the calculated value is 0, otherwise it fails. - Critical Functions Test: - LFSR Test: The LFSRs are tested by setting the feedback taps to a known value, loading them with known data, shifting the LFSR 64 times, and then comparing the LFSR data to a known answer. The test passes if the final data matches, otherwise it fails. CP1-TMP-030 page 13 Security Rules Security Rules - General Purpose RAM Test: The general purpose RAM is tested for stuck address lines and stuck bits. This is accomplished through a series of operations that write and read the RAM. The test passes if all values read from the RAM are correct, otherwise it fails. - DPRAM Test: The DPRAM is tested for stuck address lines and stuck bits. This is accomplished through a series of operations that write and read the DPRAM. The test passes if all values read from the DPRAM are correct, otherwise it fails. Powering the module off then on or resetting the module using the Reset service will initiate the power-up and on-demand self tests. · Conditional Tests - Software/Firmware Load Test: A MAC is generated over the code when it is built using 3DES-CBC. Upon download into the module, the MAC is verified. If the MAC matches the test passes, otherwise it fails. - Continuous Random Number Generator Test: The continuous random number generator test is performed on 3 RNGs within the module. The first is a hardware RNG which is used to seed the ANSI X9.31 PRNG and the maximal length 64-bit LFSR. The second is an implementation of Appendix 2.4 ANSI X9.31 which is used for key generation, and the third is a maximal length 64-bit LFSR which is used for IV generation. For each RNG, an initial value is generated and stored upon power up. This value is not used for anything other than to initialize comparison data. Successive calls to any one of the RNGs generates a new set of data, which is compared to the comparison data. If a match is detected, this test fails, otherwise the new data is stored as the comparison data and returned to the caller. 17. The MGEG SCCE enters an error state if the Cryptographic Algorithm Test, LFSR Test, Continuous Random Number Generator Test, or the General Purpose RAM Test fails. This error state may be exited by powering the module off then on. 18. The MGEG SCCE enters a non-fatal error state if the Software/Firmware test fails. This state is exited as soon as an error indicator is output via the status interface and the module enters programming mode. 19. The MGEG SCCE enters an error state if the Software/Firmware Load test fails. This state is exited as soon as an error indicator is output via the status interface. 20. The MGEG SCCE outputs an error indicator via the status interface whenever an error state is entered due to a failed self-test. 21. The MGEG SCCE does not perform any cryptographic functions while in an error state. CP1-TMP-030 page 14 Motorola Document Template Security Rules 5.2. Motorola Imposed Security Rules The MGEG SCCE: 1. does not support a bypass mode. 2. does not support multiple concurrent operators. 3. will continue to provide User Role and Crypto Officer Role services until the module has been powered down. 4. will suspend all services during key loading. 5. will zeroize all keys from the Key Database after a sufficient number (15) of consecutive, unsuccessful user login attempts. 6. shall erase all plaintext keys upon detection of a critically low voltage on the switched (SW_3.3) power supply. 7. shall erase all security related data items (CSPs, see section 9.1) upon detection of a critically low voltage condition on both the switched (SW_3.3) and continuous (CONT_3.3) power supply. 3 8. shall erase all CSPs upon detection of tamper . 9. shall at no time output any CSPs. 3 The tamper mechanisms are not tested or part of the FIPS 140-2 validation. CP1-TMP-030 page 15 Physical Security Physical Security 6. Physical Security 6.1. Mechanisms The MGEG SCCE is production grade and does not use any FIPS approved physical security mechanisms. 6.2. Maintenance No maintenance is required to ensure physical security. CP1-TMP-030 page 16 Motorola Document Template Roles and Services 7. Roles and Services 7.1. MGEG SCCE Supported Roles The MGEG SCCE supports two (2) roles: · User Role · Crypto Officer (CO) Role 7.2. MGEG SCCE Services · Transfer Key Variable: Transfer Key variables to the Key Data Base (KDB) via a Key Variable Loader (KVL) or zeroize key variables from the KDB via a KVL. Avaliable to User and CO roles Service input: KMM. Service output: KMM. · Change Password: Modify the current password used to identify and authenticate the User and CO Roles. Available to User and CO Roles. . Service input: DPRAM message (opcode; old password; new password). Service output: DPRAM message (opcode; status). · Validate Password: Provides a method of controlling use of CSPs. Available to all roles. Service Input: DPRAM message. · Encrypt Digital: Encrypt digital voice or data. Available to User and CO Roles. Service input: DPRAM message (opcode, red data). Service output: DPRAM message (opcode, black data, status). · Decrypt Digital: Decrypt digital voice or data. Available to User and CO Roles. Service input: DPRAM message (opcode, black data). Service output: DPRAM message (opcode, red data, status). · Initiate Self Tests: Performs module self tests comprised of cryptographic algorithms test, software firmware test, and critical functions test. Initiated by module reset or transition from power off state to power on state. Available without a Role. Service input: power applied. Service output: DPRAM message (opcode). · Privileged APCO OTAR: Modify and query the Key Database via APCO OTAR Key Management Messages (KMMs). Available to User and CO Roles. Service input: KMM. Service output: KMM. · Zeroize Selected Keys: Marks the selected encrypted keys in the Key Database as invalid. Available to User and CO Roles. Service input: KMM. Service output: KMM. CP1-TMP-030 page 17 Roles and Services Roles and Services · Zeroize all keys: Marks all encrypted keys in the Key Database as invalid. Available without a Role. (Module can be reinitialized using KVL). Service input: KMM. Service output: KMM. · Zeroize All Keys and Password: Actively zeroizes all plaintext CSPs and marks encrypted keys in the key database as invalid. Resets the password to the factory default. Allows user to gain controlled access to the module if the password is forgotten. Available without a Role. (Module can be reinitialized using KVL). Service input: 15 consecutive Failed Passsword Validation attempts. 4 · Tamper Response: Actively zeroizes all plaintext CSP's including the KPK but excluding the password upon detection of tamper. Encrypted keys (encrypted on the KPK) are marked invalid in the key database. Available without a Role. Service Input: Hardware Tamper switch. · Non-Privileged APCO OTAR: Hello and Capabilities KMMs may be performed without a Role. Service input: KMM. Service output: KMM. · Reset Crypto Module: Soft reset of module to remove module from error states. Available without a Role. Service input: DPRAM message (opcode). Service output: DPRAM message (opcode). · Shutdown Crypto Module: Prepares module for removal of power. Available without a Role. Service input: DPRAM message (opcode). Service output: DPRAM message (opcode). · Download Configuration Parameters: Download configuration parameters used to specify module behavior. For example enable/disable APCO OTAR etc. 5 Modification of some security related parameters (single key mode, tamper mode) causes key erasure. Available without a Role. Service input: DPRAM message (opcode, parameter ID, parameter value). Service output: DPRAM message (opcode, parameter ID, parameter status). · Query Configuration Parameters: module supplies a list of the current configuration parameter settings. Available without a Role. · Programming Upgrade: Allows users to upgrade CE software. Available to User and CO Roles. Service Input: Programming messages via the KVL or DPRAM. 4 The tamper mechanisms are not tested or part of the FIPS 140-2 validation. 5 The tamper mechanisms are not tested or part of the FIPS 140-2 validation. CP1-TMP-030 page 18 Motorola Document Template Authentication 8. Authentication The MGEG SCCE uses a 40-bit password to implicitly authenticate the User and CO roles. The password is initialized to a default value during manufacturing. After authenticating, the password may be changed at any time. Fifteen consecutive invalid authentication attempts erases all keys from the Key Database. The probability of a successful, random, 40-bit password attempt is one in 1,099,511,627,776. It would require 10,995,116 attempts in one minute to increase the random attempt success rate to one in 100,000 which is impossible to perform in that timeframe at internal MGEG SCCE clock speeeds. In addition 15 failed password attempts will result in erasure of all CSPs. CP1-TMP-030 page 19 Access Control Access Control 9. Access Control 9.1. Security Related Data Items (CSPs) Table 9-1 CSP Identifier Description Key Protection Key (KPK) Key used to encrypt the database and other non- volatile parameters Plaintext Traffic Encryption Keys used for voice and data encryption Keys (TEKs) Plaintext Key Encryption Keys Keys used for encryption of keys in OTAR Plaintext MAC Key Key used for authentication of software upgrade. Stored in non-volatile memory Plaintext Password Operator password entered during user authentication 9.2. CSP Access Types Table 9-2 CSP Access Type Description Retrieve key Decrypts encrypted TEKs or KEKs in the database using the KPK and returns plaintext version Store key Encypts plaintext TEKs or KEKs using the KPK and stores the encrypted version in the database Erase Key Marks encrypted TEK or KEK data in key database as invalid Create KPK Generates and stores new KPK Store Password Hashes user password and stores it in the database CP1-TMP-030 page 20 Motorola Document Template Access Control 9.3. Access Matrix Applicable CSP Access Operation Role Crypto Officer Role No Role Required Store Password Retrieve Key Create KPK Erase Key User Role Store Key User Service 1. Transfer Key Variable X X X X 2. Privileged APCO OTAR X X X X X 3. Validate Password X X X 4. Change Password X X X X X 5. Encrypt X X X 6. Decrypt X X X 7. Initiate Self Tests X X X 8. Zeroize Selected Keys X X X 9. Zeroize All Keys X X X X 10. Zeroize All Keys and Password X X X X X 6 11. Tamper Response X X X X 12. Non-Privileged APCO OTAR X X X 13. Reset X X X 14. Shutdown X X X 15. Download Config Parameters X X X X X 16. Query Config Parameters X X X 17. Programming Upgrade X X 6 The tamper mechanisms are not tested or part of the FIPS 140-2 validation. CP1-TMP-030 page 21 Mitigation of Attacks Mitigation of Attacks 10. Mitigation of Attacks The MGEG SCCE provides tamper detection and response circuitry to prevent unauthorized physical access to the crypto module within the tamper shield. The tamper detection and response circuitry remains active even while the Secure Card is powered off. In addition to the tamper switch beneath the tamper shield, a tamper switch is physically available to the user to cause a tamper response on demand. Tamper mode must be enabled through the Download Configuration Parameters service in order to enable tamper response functionality. The MGEG SCCE erases all CSPs with the exception of the password upon detection of tamper. The tamper detection and response circuitry has been tested and proven to function as specified. CP1-TMP-030 page 22