# FIPS 140-2 Security Policy for:

# Toshiba TCG Enterprise SSC Self-Encrypting Hard Disk Drive



TOSHIBA CORPORATION Rev 1.4.0

- TOSHIBA TCG ENTERPRISE SSC SELF-ENCRYPTING HARD DISK DRIVE
- OVERVIEW
- ACRONYMS
- SECTION 1 – MODULE SPECIFICATION
- SECTION 1.1 – PRODUCT VERSION
- SECTION 2 – ROLES SERVICES AND AUTHENTICATION
- SECTION 2.1 – SERVICES
- SECTION 3 – PHYSICAL SECURITY
- SECTION 4 – OPERATIONAL ENVIRONMENT
- SECTION 5 – KEY MANAGEMENT
- SECTION 6 – SELF TESTS
- SECTION 7 – DESIGN ASSURANCE
- SECTION 8 – MITIGATION OF OTHER ATTACKS

#### Overview

The Toshiba TCG Enterprise SSC Self-Encrypting Hard Disk Drive (AL13SXQ300/450/600NB) is used for hard disk drive data security. This Cryptographic Module (CM) provides various cryptographic services using FIPS approved algorithms. Services include hardware-based data encryption, cryptographic erase, and FW download.

The CM is a multiple-chip embedded module, and its physical boundary is the entire HDD. The physical interface for power supply and communication is one SAS connector. The CM is connected to the host system by a SAS cable. The logical interface is the SAS, TCG SWG, and Enterprise SSC.

The CM has a non-volatile storage area that holds not only user data but also the keys, CSPs, and FW. The area holding the keys, CSPs, and FW is called the "system area"; it is not logically accessible or addressable by the host application.

| Section                                      | Level |
|----------------------------------------------|-------|
| 1. Cryptographic Module Specification        | 2     |
| 2. Cryptographic Module Ports and Interfaces | 2     |
| 3. Roles, Services, and Authentication       | 2     |
| 4. Finite State Model                        | 2     |
| 5. Physical Security                         | 2     |
| 6. Operational Environment                   | N/A   |
| 7. Cryptographic Key Management              | 2     |
| 8. EMI/EMC                                   | 2     |
| 9. Self-Tests                                | 2     |
| 10. Design Assurance                         | 2     |
| 11. Mitigation of Other Attacks              | N/A   |
| Overall Level                                | 2     |

Table 1 - Security Level Detail

This document is non-proprietary and may be reproduced in its original entirety.

#### **Acronyms**

| Acronym | Definition                             |
|---------|----------------------------------------|
| AES     | Advanced Encryption Standard           |
| CM      | Cryptographic Module                   |
| CSP     | Critical Security Parameter            |
| DRBG    | Deterministic Random Bit Generator     |
| EDC     | Error Detection Code                   |
| FW      | Firmware                               |
| KAT     | Known Answer Test                      |
| LBA     | Logical Block Address                  |
| MSID    | Manufactured SID                       |
| NRBG    | Non-deterministic random bit generator |
| PCB     | Printed Circuit Board                  |
| POST    | Power on Self-Test                     |
| PSID    | Printed SID                            |
| SED     | Self-Encrypting Drive                  |
| SHA     | Secure Hash Algorithm                  |
| SID     | Security ID                            |

### Section 1 - Module Specification

The CM has one FIPS 140 approved mode of operation, and the CM is always in the approved mode of operation. The CM provides the services defined in Section 2.1 and other non-security-related services.

#### Section 1.1 – Product Version

The Toshiba Enterprise SSC Self-Encrypting Hard Disk Drive has been validated:

- Hardware version: A0 with AL13SXQ300NB (2.5-inch, SAS Interface, 300GB), AL13SXQ450NB (2.5-inch, SAS Interface, 450GB), or AL13SXQ600NB (2.5-inch, SAS Interface, 600GB)
- Firmware version: 0101

### Section 2 – Roles Services and Authentication

This section describes roles, authentication method, and strength of authentication.

| Role Name   | Role Type      | Type of<br>Authentication | Authentication | Authentication<br>Strength | Multi Attempt strength          |
|-------------|----------------|---------------------------|----------------|----------------------------|---------------------------------|
| EraseMaster | Crypto Officer | Role                      | PIN            | $1/2^{48}$ < 1/1,000,000   | 15,000 / $2^{48}$ < 1 / 100,000 |
| SID         | Crypto Officer | Role                      | PIN            | $1/2^{48}$ < 1/1,000,000   | 15,000 / $2^{48}$ < 1 / 100,000 |
| BandMaster0 | User           | Role                      | PIN            | $1/2^{48}$ < 1/1,000,000   | 15,000 / $2^{48}$ < 1 / 100,000 |
| BandMaster1 | User           | Role                      | PIN            | $1/2^{48}$ < 1/1,000,000   | 15,000 / $2^{48}$ < 1 / 100,000 |
| ...         |                |                           |                |                            |                                 |
| BandMaster8 | User           | Role                      | PIN            | $1/2^{48}$ < 1/1,000,000   | 15,000 / $2^{48}$ < 1 / 100,000 |

**Table 2** Identification and Authentication Policy

Per the security policy rules, the minimum PIN length is 6 bytes. Therefore the probability that a random attempt will succeed is $1/2^{48} < 1/1,000,000$ (the CM accepts any value (0x00-0xFF) for each byte of the PIN). The CM waits 5 msec when an authentication attempt fails, so the maximum number of authentication attempts is 12,000 in 1 min. Therefore the probability that random attempts within 1 min will succeed is $12,000 / 2^{48} < 1 / 100,000$.

#### Section 2.1 - Services

This section describes services which the CM provides.

| Service | Description | Role(s) | Keys &<br>CSPs | RWX (Read, Write, eXecute) | Algorithm (CAVP<br>Certification<br>Number) | Method |
|---------|-------------|---------|----------------|----------------------------|---------------------------------------------|--------|
| Band Lock/Unlock | Block or allow read (decrypt) / write (encrypt) of user data in a band. Locking also requires read/write locking to be enabled | BandMaster0 ... BandMaster8 | N/A | N/A | N/A | SECURITY PROTOCOL IN (TCG Set Method Result) |
| Cryptographic Erase | Erase user data (in cryptographic means) by changing the data encryption key | EraseMaster | MEK(s)<br>RKey | W<br>X | Hash_DRBG (#519)<br>AES256CBC (#2877) | SECURITY PROTOCOL IN (TCG Erase Method Result) |
| Data read/write (decrypt/encrypt) | Encryption / decryption of unlocked user data to/from band | None | MEKs | X | XTS-AES256 (#2877) | SCSI READ/WRITE Commands |
| Firmware Download | Enable / Disable firmware download and load a complete firmware image, and save it. If the code passes "Firmware load test", the device is reset and will run with the new code. | SID | PubKey | X | RSASSA-PKCS-v1_5 (#1515) | SECURITY PROTOCOL IN (TCG Set Method Result), SCSI WRITE BUFFER |
| Random Number generation | Provide a random number generated by the CM | None | Seed | R | Hash_DRBG (#519) | SECURITY PROTOCOL IN (TCG Random Method Result) |
| Reset (run POSTs) | Runs POSTs and delete CSPs in RAM | None | N/A | N/A | N/A | Power on reset |
| Set band position and size | Set the location and size of the LBA range | BandMaster0 ... BandMaster8 | N/A | N/A | N/A | SECURITY PROTOCOL IN (TCG Set Method Result) |
| Set PIN | Setting PIN (authentication data) | All for their PIN | RKey | X | AES256CBC (#2877)<br>SHA256 (#2418) | SECURITY PROTOCOL IN (TCG Set Method Result) |
| Show Status | Report status of the CM | None | N/A | N/A | N/A | SCSI REQUEST SENSE |
| Zeroization | Erase user data in all bands by changing the data encryption key, initialize range settings, and reset PINs for TCG | None<sup>1</sup> | RKey<br>MEKs<br>PIN | X,W<br>W | AES256CBC (#2877)<br>Hash_DRBG (#519) | SECURITY PROTOCOL IN (TCG RevertSP Method Result) |

Table 3 – FIPS Approved services

### Section 3 - Physical Security

The CM has the following physical security:

- Production-grade components with standard passivation
- Three tamper-evident security seals are applied to the CM in the factory
  - One opaque and tamper-evident security seal (PCB SEAL) is applied to the PCB of the CM. This seal prevents an attacker from removing the PCB and surveying the electronic design
  - Two tamper-evident security seals (TOP SEAL 1 and TOP SEAL 2) are applied to the top cover of the CM. These seals prevent top cover removal
- Exterior of the drive is opaque
- The tamper-evident security seals cannot be penetrated or removed and reapplied without tamper-evidence



Dec 12, 2014

<sup>1</sup> The PSID must be input; it is a public, drive-unique value used for the TCG RevertSP method.



The operator is required to inspect the CM periodically for one or more of the following signs of tamper evidence. If the operator discovers tamper evidence, the CM should be removed.

- Message "VOID" on security seal or top plate
- Text on security seals does not match original
- Cutting line on security seal
- Security seal cutouts do not match original







Figure: Marks of alphabetic characters forming the word "VOID" (tamper evidence of removal)

Figure: Marks of alphabetic characters forming the word "VOID" (tamper evidence of reapplication)

Figure: Cutting line (tamper evidence of cutting)

### Section 4 - Operational Environment

Operational Environment requirements are not applicable because the CM operates in a "non-modifiable" environment; that is, the CM cannot be modified and no code can be added or deleted.

### Section 5 - Key Management

The CM uses keys and CSPs in the following table.

| Key/CSP                           | Length | Type      | Zeroize Method      | Establishment                                  | Output           | Persistence/Storage                           |
|-----------------------------------|--------|-----------|---------------------|------------------------------------------------|------------------|-----------------------------------------------|
| BandMaster/EraseMaster/SID PINs   | 256    | PIN       | Zeroization service | Electronic input                               | No               | SHA digest/System Area                        |
| MEKs                              | 512    | Symmetric | Zeroization service | DRBG                                           | No               | Encrypted by RKey / System Area               |
| MSID                              | 256    | Public    | N/A(Public)         | Manufacturing                                  | Output: Host can | Plain / System Area                           |
| PubKey                            | 2048   | Public    | N/A(Public)         | Manufacturing                                  | No               | Plain / System Area                           |
| RKey                              | 256    | Symmetric | Zeroization service | DRBG                                           | No               | Obfuscated(Plain in FIPS means) / System Area |
| Seed                              | 440    | DRBG seed | Power-Off           | Entropy collected<br>from NDRNG at<br>Power-On | No               | Plain/RAM                                     |

Note that there is no security-relevant audit feature and audit data.

### Section 6 - Self Tests

The CM runs self-tests in the following table.

| Function                 | Self-Test Type | Abstract                                                         |
|--------------------------|----------------|------------------------------------------------------------------|
| Firmware Integrity Check | Power-On       | EDC 32-bit                                                       |
| FW SHA256                | Power-On       | Digest KAT                                                       |
| AES(AES CBC)             | Power-On       | Encrypt and Decrypt KAT                                          |
| AES(AES XTS)             | Power-On       | Encrypt and Decrypt KAT                                          |
| FW Hash_DRBG             | Power-On       | DRBG KAT                                                         |
| FW RSASSA-PKCS-v1_5      | Power-On       | Signature verification KAT                                       |
| FW Hash_DRBG             | Conditional    | Verify newly generated random number not equal to previous one   |
| NDRNG                    | Conditional    | Verify newly generated random number not equal to previous one   |
| Firmware load test       | Conditional    | Verify signature of downloaded firmware image by RSASSA-PKCS-v1_5 |

If the CM repeatedly enters the error state despite several reboot attempts, it may be sent back to the factory to recover from the error state.
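The two conditional tests on Hash_DRBG and NDRNG output listed above are the continuous random number generator test of FIPS 140-2 section 4.9.2. The following C sketch of that check is an added example, not Toshiba's firmware; the 32-byte block size, the names `crngt_next`, `crngt_released` and `scripted_gen`, and the error state latching until reset are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 32   /* assumed comparison block size in bytes */
typedef int (*rng_fn)(void *ctx, uint8_t *out, size_t len);   /* returns 0 on success */
typedef struct { rng_fn gen; void *ctx; uint8_t prev[BLK]; int primed, error; } crngt_t;

/* Release one block into out, or return -1 and latch the error state
 * (assumed to clear only on reset, which re-runs the power-on self-tests). */
int crngt_next(crngt_t *t, uint8_t out[BLK]) {
    uint8_t cur[BLK];
    if (t->error) return -1;
    /* FIPS 140-2 4.9.2: the first block after power-up is kept for comparison only. */
    if (!t->primed && t->gen(t->ctx, t->prev, BLK) != 0) goto fail;
    t->primed = 1;
    if (t->gen(t->ctx, cur, BLK) != 0) goto fail;
    if (memcmp(cur, t->prev, BLK) == 0) goto fail;   /* same as previous: stuck source */
    memcpy(t->prev, cur, BLK);
    memcpy(out, cur, BLK);
    return 0;
fail:
    t->error = 1;
    memset(out, 0, BLK);                             /* never release the suspect block */
    return -1;
}

/* Constructed source for the demo: block i is filled with the byte fill[i]. */
typedef struct { const uint8_t *fill; size_t n, i; } scripted_src;
static int scripted_gen(void *ctx, uint8_t *out, size_t len) {
    scripted_src *s = ctx;
    if (s->i >= s->n) return -1;
    memset(out, s->fill[s->i++], len);
    return 0;
}

/* Number of blocks released before the test trips (or the script runs out). */
int crngt_released(const uint8_t *fill, size_t n) {
    scripted_src s = { fill, n, 0 };
    crngt_t t = { .gen = scripted_gen, .ctx = &s };
    uint8_t out[BLK];
    int released = 0;
    while (crngt_next(&t, out) == 0) released++;
    return released;
}

int main(void) {
    const uint8_t stuck[] = { 1, 2, 3, 3, 4 };       /* constructed: third block repeats */
    printf("blocks released before error: %d\n", crngt_released(stuck, sizeof stuck));
}
```

Only a block equal to its immediate predecessor trips the test, so it detects a stuck source rather than measuring entropy quality.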

### Section 7 - Design Assurance

Refer to the guidance document provided with the CM.

### Section 8 – Mitigation of Other Attacks

The CM does not mitigate other attacks beyond the scope of FIPS 140-2 requirements.