BCM5880 Cryptographic Module Security Policy Document Version 1.1 Broadcom Corporation Revision Date: 2010-02-02 Copyright Broadcom 2008, 2009. May be reproduced only in its original entirety [without revision]. Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 TABLE OF CONTENTS 1. MODULE OVERVIEW ................................................................................................................................3 2. SECURITY LEVEL.......................................................................................................................................5 3. MODES OF OPERATION............................................................................................................................5 4. PORTS AND INTERFACES ........................................................................................................................7 5. IDENTIFICATION AND AUTHENTICATION POLICY......................................................................10 6. ACCESS CONTROL POLICY...................................................................................................................11 DEFINITION OF SERVICES ................................................................................................................................11 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS).............................................................................15 DEFINITION OF CSPS MODES OF ACCESS .......................................................................................................20 7. OPERATIONAL ENVIRONMENT...........................................................................................................23 8. SECURITY RULES .....................................................................................................................................23 9. PHYSICAL SECURITY POLICY .............................................................................................................26 PHYSICAL SECURITY MECHANISMS ................................................................................................................26 10. MITIGATION OF OTHER ATTACKS POLICY..................................................................................26 11. REFERENCES ...........................................................................................................................................26 12. DEFINITIONS AND ACRONYMS..........................................................................................................27 Page 2 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 1. Module Overview The BCM5880 Cryptographic Module (HW P/N BCM5880KFBG, Version C0; FW Version C0; SW Version R0), a single-chip encased in hard opaque tamper evident IC packaging, is a highly integrated system on a chip. The BCM5880 Cryptographic Module's security architecture includes an innovative virtualized Secure/Open Domain execution environment. This innovative environment provides different software execution contexts that allow additional logical separation of the cryptographic operations from IO related operations. For the purpose of FIPS 140-2 validation the physical boundary of the chip is used as the security boundary of the cryptographic module (note that no additional FIPS security claim is made for the different logical software execution contexts located within the physical boundary). The BCM5880 Cryptographic Module's FIPS 140-2 boundary is defined as: · The external surface of the BCM5880 chip including the hard, opaque encapsulating material that physically protects all module components. The figures below picture the cryptographic module's physical boundary, interfaces, and logical software execution contexts within the physical boundary. Figure 1 ­ Image of the Cryptographic Module Physical Boundary Figure 1.a: BCM5880 (Top) Figure 1.b: BCM5880 (Bottom) Page 3 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Figure 2 ­ Block Diagram of module Interfaces & logical Software Execution Contexts BCM5880 Secure Domain BCM5880 Open Domain (secure logical island) (isolated in a sandbox) Secure Service Manager Command Parser SCAPI (standardized API layer Secure USB to access module crypto Service Interface HW or crypto primitives) API Driver USB Port Clock -Control Input Approved Crypto -Status Output Algorithms Host System -Control Input -Status Output -Data Input -Data Output Reset Pins SPI Power -Control Input Flash Dedicated IO and -Status Output Secure Boot -Control Input Secure Boot core power supply -Status Output Image (SBI) pins separated -Data/Code Input from signal pins Page 4 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 2. Security Level The cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2. Table 1 ­ Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 3 Roles, Services, and Authentication 3 Finite State Model 3 Physical Security 3 Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 3 Self-Tests 3 Design Assurance 3 Mitigation of Other Attacks N/A 3. Modes of Operation FIPS Approved mode of operation The BCM5880 Cryptographic Module is configured to run in FIPS Approved mode of operation when the external SECURE_BOOT: CONTROL INPUT: SECURE_BOOT pin is set high. The BCM5880 Cryptographic Module supports a single FIPS Approved mode of operation. The user can determine that the cryptographic module is running in FIPS Approved mode of operation when the SECURE_BOOT: STATUS OUTPUT: TEST_SEC_ BOOT pin is high. Non-FIPS Approved mode of operation The BCM5880 Cryptographic Module is configured to run in non-FIPS Approved mode of operation when the external SECURE_BOOT: CONTROL INPUT: SECURE_BOOT pin is set low. The BCM5880 Cryptographic Module supports a single non-FIPS Approved mode of operation, Software Development Test Mode. The user can determine that the cryptographic module is running in non-FIPS Approved mode of operation when the SECURE_BOOT: STATUS OUTPUT: TEST_SEC_ BOOT pin is low. Page 5 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 In order to switch between FIPS Approved mode of operation and non-FIPS Approved mode of operation the module must be power-cycled. Power-cycling zeroizes all volatile plaintext critical security parameters. Module HW\FW\SW enforces that non-volatile plaintext critical security parameters cannot be shared, used, or viewed between modes of operation. When the module is configured to run in the non-FIPS Approved mode of operation no claim is made for any cryptographic operation. Approved and Allowed Algorithms The module implements the following Approved and allowed cryptographic algorithms using a hardware crypto engine called [SMAU - Crypto/Auth] block. This block is instantiated twice in the Secure Memory Access Unit or SMAU. One instance is being used for offloading generic cryptographic operations. The other instance is being used to support secure caching of instruction and data stored externally in encrypted and integrity-protected format. Individual self-tests are conducted after power-on to test the two instantiations independently. Each algorithm implementation is used during different scenarios. They are never used simultaneously for the same operation. Each algorithm implementation has its own algorithm certificate and has its own power on self-test. AES: [SMAU ­ Crypto/Auth] block ECB, CBC, CTR, CMAC 128, 192, 256 keys Certificate #1070 CCM: [SMAU ­ Crypto/Auth] block 128 key size, Nonce Len 12, Tag Len4, 8, 12, 16 Certificate #1070 HMAC-SHA-1 & HMAC-SHA-256: [SMAU ­ Crypto/Auth] block Certificate #602 SHA-1 & SHA-256: [SMAU ­ Crypto/Auth] block Certificate #1011 PRNG: FIPS 186-2 Appendix 3.1 X-orig and 3.2 K-orig SHA-1 based Certificate #605 ECDSA: Signature generation, signature verification 256-bit key, Certificate #128 DSA: Signature generation, signature verification 1024-bit key, Certificate #354 RSA: Signature generation, signature verification 2048-bit keys Certificate #507 Non-Approved Algorithms The module implements the following non-Approved cryptographic algorithms EC Diffie-Hellman: Module functions implement Diffie-Hellman primitives used for key agreement as allowed by FIPS 140-2 Implementation Guidance 7.1. The functions are implemented following the SP800-56A standard. NDRNG: Internal module source utilizing free running oscillators to capture thermal noise as the source of randomness. The NDRNG is used to collect entropy to be fed to the FIPS 186-2 PRNG. Page 6 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Note that 135MB of entropy data have been tested for strength via MinEntropy and STS testing. The test results reported 7.8952 bits per byte strength. Strength of key generation: · Seed Key: o 505 bits of strength: (Entropy 7.8952 bits per byte strength) X (512 bit length of NDRNG output). · Strongest key the BCM5880 Cryptographic Module will generate: o 256 bits of strength. Key Establishment EC Diffie-Hellman allowed as per FIPS 140-2 Implementation Guidance 7.1. · Strength of key establishment: KECDH-PRIV o 256 bit random number used for ECDH key exchange. Strength = 128 bit since the derived session key is 128-bit. o Ephemeral key generated based on FIPS186-2 Appendix 3.1 PRNG algorithm during the ECDH session establishment. It is erased after the symmetrical session key is derived. · KSS 128-bit AES-CCM mode key o Session key derived during the EC Diffie-Hellman Key Exchange service. Module will use this key for secure communications to/from host system. o Derived during the EC Diffie-Hellman Key Exchange service via SHA256- based KDF function 4. Ports and Interfaces The BCM5880 Cryptographic Module provides physical ports as listed in Table 2 below. Table 2 ­ Physical Ports Note: The BCM5880 chip has a total of 87 pins. Each BCM5880 Interface Group listed in Table 2 contains several BCM5880 pins. Unused Interface Groups will be marked as "Non- Available" because they are currently disabled by the cryptographic module. Clock group: Control Input - Clock. - Clock Output Enabled. Status Output - Clock Output. Reset group: Control Input - Resets. - Indication that the system power supply is stable. Page 7 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Status Output - Reset Output. Secure Boot group: Control Input - Boot source selection. - Reference clock frequency selection. - FIPS mode (Secure Boot) vs. Non-FIPS Approved mode (SW Development Test mode). - Key zeroization request. - External tamper detection (e.g. can be hooked up to a temperature sensor or a voltage sensor. No claims made for FIPS mode). Status Output - FIPS Approved mode or Non-FIPS Approved mode. - Software execution context of the module's processor, Secure Domain or Open Domain. - ERROR status. SPI group: Code/Data Input Code/data from SPI flash All Code/Data Input is authenticated by the module. USB group: Data Input Service request input Device interface used by the Data Output Service response output module's operators to make Control Input service requests. Requests are Status Output authenticated via the ECDH secure session. Static Memory Interface group: Non-Available Non-Available Clock to the group block is disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data Input Code/Data from SRAM or Data Output Flash. - Data to SRAM or Flash. RFID group: Non-Available Non-Available Clock to the group block is disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data Input Data received or transmitted Data Output for contactless Smart Card application Smart Card group: Non-Available Non-Available Clock to the group block is Page 8 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data Input Data received or transmitted Data Output For contacted Smart Card application UART group: Non-Available Non-Available Clock to the group block is disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data Input Data received or transmitted Data Output for UART console application LPC group: Non-Available Non-Available Clock to the group block is disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data Input Data, Control or Status Data Output information exchanged for Control Input TPM application Status Output JTAG group: Non-Available Non-Available Completely disabled by HW in FIPS mode. Module HW\FW\SW enforces that non-volatile plaintext critical security parameters cannot be shared, used, or viewed in Non-FIPS Approved mode. Test Control group: Non-Available Non-Available Completely disabled in FIPS mode. Used during manufacturing to test for defects. Module HW\FW\SW enforces that non-volatile plaintext critical security parameters cannot be shared, used, or viewed in Non-FIPS Approved mode. Power group Power is distributed to the chip using designated IO and core power pins that are completely separated from any signal pin groups. Power pins are only Page 9 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 connected to the internal power planes of the silicon chip. 5. Identification and Authentication Policy Assumption of Roles The BCM5880 Cryptographic Module supports two operator roles, User and Cryptographic- Officer. The cryptographic module implements identity-based operator authentication. Authentication is accomplished via a 256-bit ECDSA-based signature verification process. A single 256-bit ECDSA public key is embedded in the module's SBI during manufacturing (Secure Boot Image: an authenticated software extension of the module's BOOT ROM. SBI software is part of the BCM5880 Cryptographic Module). The 256-bit ECDSA public key is used to authenticate the operator during the establishment of an ECDH secure session between the module and the operator on the external host system. After an operator is authenticated successfully, the operator can assume either the role of the Cryptographic Officer or the role of the User. The module allows the operator to perform both CO and User services. Table 3 - Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User Identity-based operator · 256-bit ECDSA authentication signature verification Cryptographic-Officer Identity-based operator · 256-bit ECDSA authentication signature verification Table 4 ­ Strengths of Authentication Mechanisms Authentication Mechanism Strength of Mechanism ECDSA Signature Verification (256 bit) The probability that a random attempt will succeed or a false acceptance will occur is 1/2128 which is less than 1/1,000,000. The probability of successfully authenticating to the module within one minute is 3,750/2128 which is less than 1/100,000. The module will only allow one attempt to verify the operator ­ if that attempt fails the module will be in an error Page 10 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 state and must be rebooted to try and become operational again. Please see section "8. Security Rules" below (security rules imposed by the vendor) for the detail supporting this calculation. 6. Access Control Policy Definition of Services The cryptographic module supports the following authenticated services defined in Table 5: Table 5 ­ Authenticated Services Name of Service Description of Service Generate Key This service generates an AES or HMAC key to be used during operator requested services. AES Encrypt This service encrypts bulk operator supplied data using a previously generated AES key. AES Decrypt This service decrypts bulk operator supplied data using a previously generated AES key. SHA-1 Hashing This service generates a SHA-1 digest on operator supplied data. SHA-256 Hashing This service generates a SHA-256 digest on supplied data. Load Key This service allows an operator to load a key into the module's key cache. The key being loaded can be a private key or a public key of an asymmetrical key pair, or a symmetrical key for AES or HMAC. All keys loaded via this service are being protected by the ECDH secure session via 128-bit AES-CCM encryption and integrity protection. RSA Signature This service performs RSA Signature Verification on operator Verification supplied data with a previously loaded public key (see service Page 11 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 "Load Key"). DSA Signature This service performs DSA Signature Verification on operator Verification supplied data with a previously loaded public key (see service "Load Key"). ECDSA Signature This service performs ECDSA Signature Verification on Verification operator supplied data with a previously loaded public key (see service "Load Key"). RSA Signature This service performs RSA Signature Generation on operator Generation supplied data with a previously loaded private key (see service "Load Key"). DSA Signature This service performs DSA Signature Generation on operator Generation supplied data with a previously loaded private key (see service "Load Key"). ECDSA Signature This service performs ECDSA Signature Generation on Generation operator supplied data with a previously loaded private key (see service "Load Key"). Generate Random This service generates a random number with the module's Number FIPS 186-2 PRNG and outputs the generated random number to the requesting operator. EC Diffie-Hellman This service is comprised of several steps which establish a Key Exchange session key between the module and an external entity. HMAC Request Compute an HMAC on an operator supplied blob of data with a previously generated or loaded secret key. Page 12 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 The cryptographic module supports the following unauthenticated services defined in Table 6: Table 6 ­ Unauthenticated Services Name of Service Description of Service Self Test This service executes the suite of self-tests required by FIPS 140-2. Self-tests are invoked by power cycling the module. Show Status This service provides the current status of the cryptographic module. Get Info This service computes and outputs the ECDSA device public key of the cryptographic module Get Version This service returns the version/revision information of the cryptographic module Zeroize · Power-cycle or hard reset will zeroize all volatile critical security parameters including internally generated CSPs or loaded keys. · When the ZEROIZE PIN within the Secure Boot group physical interface is turned high all volatile and non- volatile plaintext critical security parameters will be zeroized ­ after this the module will not boot again. Table 7 ­ Specification of Service Inputs & Outputs Service Control Input Data Input Data Output Status Output Generate Key Key Type N/A Key Handle Success/fail AES Encrypt Length Plaintext Ciphertext Success/fail Key Handle AES Decrypt Length Ciphertext Plaintext Success/fail Key Handle SHA-1 Hash Type Data Blob Digest Success/fail Hashing SHA-256 Hash Type Data Blob Digest Success/fail Hashing Load Key Key Type Key N/A Success/fail Key Handle RSA Signature Hash Length Hash Blob N/A Success/fail Verification Key Handle Signature Page 13 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Service Control Input Data Input Data Output Status Output DSA Signature Hash Length Hash Blob N/A Success/fail Verification Key Handle Signature ECDSA Hash Length Hash Blob N/A Success/fail Signature Key Handle Signature Verification RSA Signature Hash Length Hash Blob Signature Success/fail Generation Key Handle DSA Signature Hash Length Hash Blob Signature Success/fail Generation Key Handle ECDSA Hash Length Hash Blob Signature Success/fail Signature Key Handle Generation Generate PRNG Type N/A Random Number Success/fail Random Length Number EC Diffie- Header info. EC Diffie-Hellman EC Diffie-Hellman Success/fail Hellman Key key establishment key establishment Exchange data received from data sent to Host (comprised of Host System System two steps) HMAC Length Data Blob MAC Success/fail Request Hash Type Key Handle Self Test N/A N/A N/A Success/fail (Power cycle) Show Status N/A N/A N/A All the above Status Output (Table 7 Specification of Service Inputs & Outputs) Status Output of Interface groups (Table 2 Physical Ports) Get Info N/A N/A Cryptographic Success/fail Module device public key KDI-EC-PUB Page 14 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Service Control Input Data Input Data Output Status Output Get Version N/A N/A Version and Success/fail Revision information of the Cryptographic Module Zeroize N/A N/A N/A N/A Definition of Critical Security Parameters (CSPs) The following are the CSPs contained in the module. Table 8 ­ Secret and Private Keys Key Description/Usage Generation Storage Entry/Output Destruction KECDH- Used to establish an Ephemeral key Stored in plaintext Entry: N/A Zeroize service. ECDH based session generated internally in the PRIV Entry Key-to- Additionally always key. internally via module's [Scratch entity association: destroyed after the 256 bit PRNG per FIPS RAM] block. N/A symmetrical session random 186-2, appendix key is established. number 3.1. Key-to-entity Output: N/A used for association: Output Key-to- ephemeral Associated with a key index = 1 in entity association: ECDH key. N/A. OTP. KAES Used to encrypt and Generated Stored in plaintext Entry: N/A Zeroize service. decrypt the Secure internally during internally in OTP. 128 bit Boot Image (SBI) manufacturing When in use it is Entry Key-to- Temporary copy in AES key. when the SBI is loaded via PRNG per temporality copied entity association: [Scratch RAM] A unique FIPS 186-2, to the [Scratch N/A block always value for appendix 3.1. RAM] block. destroyed after each each Output: N/A reset cycle. module. Key-to-entity association: Output Key-to- Key index = 2 in entity association: OTP. N/A. Page 15 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Key Description/Usage Generation Storage Entry/Output Destruction KHMAC Used to protect and Generated Stored in plaintext Entry: N/A Zeroize service. verify the SBI. internally during internally in OTP. 256 bit manufacturing When in use it is Entry Key-to- Temporary copy in HMAC- via PRNG per temporality copied entity association: [Scratch RAM] SHA-256 FIPS 186-2, to the [Scratch N/A block always key. A appendix 3.1. RAM] block. destroyed after each unique Output: N/A reset cycle. value for Key-to-entity each association: Output Key-to- module. Key index = 3 in entity association: OTP. N/A. KDI-EC- Used to establish the Generated Stored in plaintext Entry: N/A Zeroize service. mutually authenticated internally during internally in OTP. PRIV ECDH secure session manufacturing When in use it is Entry Key-to- Temporary copy in 256 bit communication via PRNG per temporality copied entity association: [Scratch RAM] ECDSA channel between the FIPS 186-2, to the [Scratch N/A block always private key. module and an appendix 3.1. RAM] block. destroyed after each A unique external entity. Used Output: N/A reset cycle. value for as the identity key of Key-to-entity each the module in these association: Output Key-to- module. authenticated Key index = 4 in entity association: communications. OTP. N/A. KAPP-AES Used to Generated Stored in the Entry (optional): Zeroize service. encrypt/decrypt (optional): volatile "key cache" Entered into the 128, 192 or application data when internally during within the [Scratch module by Load Temporary copy in 256 bit external applications operation via RAM] block. Key service [Scratch RAM] AES keys. issue encrypt or PRNG per FIPS block always decrypt service 186-2, appendix Key-to-entity Entry Key-to- destroyed after each requests. 3.1. See Generate association: entity association: reset cycle. Key service. "key cache" handle. Session key Note this handle is derived during the given by the EC Diffie- application that Hellman Key requested the Exchange service. creation of the key so that application Output: N/A can request encryption/ Output Key-to- decryption with the entity association: key at a later point N/A. in time. Page 16 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Key Description/Usage Generation Storage Entry/Output Destruction KAPP- Used to protect and Generated Stored in the Entry (optional): Zeroize service. verify application data (optional) volatile "key cache" Entered into the HMAC when external internally during within the [Scratch module by Load Temporary copy in 160 bit applications issue operation via RAM] block. Key service [Scratch RAM] HMAC protection or PRNG per FIPS block always keys verification service 186-2, appendix Key-to-entity Entry Key-to- destroyed after each (SHA-1). requests. 3.1. See Generate association: entity association: reset cycle. Key service. "key cache" handle. Session key 256 bit Note this handle is derived during the HMAC given by the EC Diffie- keys application that Hellman Key (SHA- requested the Exchange service. 256). creation of the key so that application Output: N/A can request protection/ Output Key-to- verification with the entity association: key at a later point N/A. in time. KAPP-PRIV Used to perform N/A Multiple instances. Entry: Entered When the zeroize signature generation into the module by service is requested. 1024 bit during the RSA, DSA Stored in the Load Key service DSA or ECDSA Signature volatile "key cache" Always destroyed services. within the [Scratch Entry Key-to- after each reset 2048 bit RAM] block. entity association: cycle. RSA This is a private Key-to-entity key that is 256 bit association: associated with the ECDSA "key cache" handle. public key Note this handle is member of a key- given by the pair. application that requested the entry Output: N/A of the key so that the application can Output Key-to- request signature entity association: generation with the N/A. key at a later point in time. Page 17 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Key Description/Usage Generation Storage Entry/Output Destruction KECDH-SS Used to derive the Derived using Stored only Entry: N/A Zeroize service. session key Kss ECDH key temporarily in the Entry Key-to- Additionally always 256 bit exchange scratch RAM, entity association: destroyed after the ephemeral algorithm based erased after Kss is N/A symmetrical session ECDH on KECDH-PRIV derived key is established. shared and KECDH-OP- Output: N/A secret. Key-to-entity Output Key-to- PUB association: entity association: Associated with a N/A. session ID during the ECDH secure session establishment. Kss Session key derived Generated during Stored in the Entry: N/A Zeroize service. during the EC Diffie- the EC Diffie- volatile "key cache" 128 bit Hellman Key Hellman Key within the [Scratch Entry Key-to- Temporary copy in AES key. Exchange service. The Exchange service RAM] block. entity association: [Scratch RAM] module will use this via SHA256- N/A block always key for secure based KDF Key-to-entity destroyed after each communications function. association: Output: N/A reset cycle. to/from the external Only one session host system. key exists at any Output Key-to- given point in time. entity association: N/A. PRNG Entropy value fed to Gathered from Generated via Entry: N/A Reset PRNG or Seed the FIPS 186-2 PRNG. internal module NDRNG and stored power cycle the NDRNG utilizing in PRNG registers Entry Key-to- chip. Key free running entity association: oscillators to Key-to-entity N/A 512 bits capture thermal association: with 505 noise. Only one PRNG Output: N/A bits of seed key exists at entropy any given point in Output Key-to- strength time. entity association: N/A. PRNG State of the module's Generated within Stored in PRNG Entry: N/A Reset PRNG or State FIPS 186-2 PRNG. the module's registers. power cycle the FIPS 186-2 Entry Key-to- chip. PRNG. Key-to-entity entity association: association: N/A The PRNG maintains one state Output: N/A at a given time. Output Key-to- entity association: N/A. Page 18 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Definition of Public Keys: The following are public keys contained in the module. Table 9 ­ Public Keys Key Description/Usage Generation Storage Entry/Output KDI-EC-PUB Used by the operator to Computed Stored only Entry: N/A authenticate the internally upon temporarily in the 256 bit cryptographic module in a each get_info scratch RAM Entry Key-to-entity ECDSA public mutually authenticated request per during the association: N/A key. A unique secure session ECDSA processing of the value for each algorithm get_info service Output: as the result module. of get_info service Key-to-entity association: Output Key-to- Public part of the entity association: device identity embedded in the key. get_info command response. KECDH-PUB Used to establish an ECDH Ephemeral Stored only stored Entry: N/A based session. public key temporarily in the Entry Key-to-entity 256 bit public generated scratch RAM association: N/A ephemeral internally based during the process ECDH key of on ECDH of establishing the Output: as the result the algorithm ECDH session, of the ECDH key cryptographic defined in erased after the exchange module SP800-56A session key is established Output Key-to- entity association: Key-to-entity embedded in the association: command response Public key of the for ECDH key ephemeral ECDH exchange. key pair. KECDH-OP- Used to establish an ECDH Ephemeral Stored only stored Entry: input of the based session. public key temporarily in the ECDH key exchange PUB generated and scratch RAM Entry Key-to-entity 256 bit public signed by the during the process association: ephemeral operator, pass of establishing the embedded in the ECDH key of into the ECDH session, command for ECDH the operator cryptographic erased after the key exchange. module during session key is ECDH session established Output: N/A key exchange Key-to-entity Output Key-to- association: entity association: Associated with N/A the authentication session. Only one session is active. Page 19 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Key Description/Usage Generation Storage Entry/Output KAPP-PUB Used to perform signature N/A Stored in the Entry: Entered into verification during the volatile "key the module by the 1024 bit DSA RSA, DSA or ECDSA cache" within the Load Key service. Signature Verification [Scratch RAM] 2048 bit RSA services. block on the block Entry Key-to-entity diagram. association: This is 256 bit a public key that is ECDSA Key-to-entity associated with the association: private key member "key cache" of a key-pair. handle. Note this handle is passed Output: N/A back to the application that Output Key-to- requested the entry entity association: of the key so that N/A. the application can request signature verification with the key at a later point in time. KOP-PUB Operator's public key N/A Stored in the on- Entry: Embedded in chip RAM. the SBI during the 256 bit Used to authenticate the manufacturing ECDSA operator during an ECDH Key-to-entity process. secure session. association: This key is located Entry Key-to-entity at a fixed offset of association: This is the SBI image a public key that is known to the associated with the implementation of private key member the cryptographic of a key-pair. module. Output: N/A Output Key-to- entity association: N/A. Definition of CSPs Modes of Access Table 10 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: · G = Generate: The module generates the CSP. · R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP. · W = Write: The module writes the CSP. The write access is typically performed Page 20 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 after a CSP is imported into the module, or the module generates a CSP, or the module overwrites an existing CSP. · Z = Zeroize: The module zeroizes the CSP. Table 10 ­ CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation C.O. User X X Generate Key G KAPP-AES G KAPP-HMAC For each service call a handle to the generated key will be passed back to the operator. X X AES Encrypt R KAPP-AES For each service request the operator will indicate which KAPP-AES key to use by passing in the key's handle as input. X X AES Decrypt R KAPP-AES For each service request the operator will indicate which KAPP-AES key to use by passing in the key's handle as input. X X SHA-1 N/A Hashing X X SHA-256 N/A Hashing X X Load Key W KAPP-PUB W KAPP-AES W KAPP-HMAC For each service request a handle to the loaded key will be passed back to the operator. X X RSA R KAPP-PUB Signature Verification For each service request the operator will indicate which KAPP-PUB RSA key to use by passing in the key's handle as input. X X DSA R KAPP-PUB Signature Verification For each service request the operator will indicate which KAPP-PUB DSA key to use by passing in the key's handle as input. X X ECDSA R KAPP-PUB Signature For each service request the operator will indicate which Page 21 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 Verification KAPP-PUB ECDSA key to use by passing in the key's handle as input. X X RSA R KAPP-PRIV Signature Generation For each service request the operator will indicate which KAPP-PRIV RSA key to use by passing in the key's handle as input. X X DSA R KAPP-PRIV Signature Generation For each service request the operator will indicate which KAPP-PRIV DSA key to use by passing in the key's handle as input. X X ECDSA R KAPP-PRIV Signature Generation For each service request the operator will indicate which KAPP-PRIV ECDSA key to use by passing in the key's handle as input. X X Generate R PRNG Seed Key (note: a new Seed Key is generated for Random each call to service Generate Random Number). Number R PRNG State The PRNG is seeded with the PRNG Seed Key. The random number generated by the PRNG is returned to the operator requesting the service. X X EC Diffie- R KDI-EC-PRIV Hellman Key R K ECDH-PRIV Exchange R KOP-PUB G KECDH-PUB R KECDH-OP-PUB G KECDH-SS G Kss The operator establishes a secure ECDH key exchange session with a derived session key Kss X X HMAC Request R KAPP-HMAC For each service request the operator will indicate which key to use by passing in key handles as input. X X Self Test N/A X X Show Status N/A X X Gen Info R KDI-EC-PUB X X Gen Version N/A X X Zeroize N/A Page 22 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the module does not contain a modifiable operational environment. 8. Security Rules This section documents the security rules enforced by the BCM5880 Cryptographic Module to implement the security requirements for a FIPS 140-2 Level 3 module. 1. The module shall indicate when an Approved mode of operation is selected. 2. The module implements one Approved mode of operation and one non-FIPS Approved mode of operation. In order to switch between FIPS Approved mode of operation and non-FIPS Approved mode of operation the module must be powered off, the external SECURE_BOOT: CONTROL INPUT: SECURE_BOOT pin moved from high to low, and then the module must be powered on again. Power-cycling zeroizes all volatile plaintext critical security parameters. Module HW\FW\SW enforces that non-volatile plaintext critical security parameters cannot be shared, used, or viewed between modes of operation. 3. Prior to completion of all FIPS power on self-tests the module will perform several special initialization period functions (e.g., RAM Memory BIST Read/Write, and BootROM 32-bit Checksum). Failure during these special initialization period functions causes a chip reset. Subsequent to the special initialization period functions any failure in a FIPS power-on self-test cause the ERROR pin to go high followed by a chip reset. 4. No hardware, software, or firmware components of the cryptographic module are excluded from the security requirements of FIPS 140-2. 5. The module restricts all information flow and physical access points to physical ports and logical interfaces that define all entry and exit points to and from the module. 6. All data output via the data output interface shall be inhibited when an error state exists and during self-tests. 7. The output data path shall be logically disconnected from the circuitry and processes that perform key generation and key zeroization. 8. The module never outputs plaintext cryptographic keys, CSPs, or sensitive data. 9. Status information never contains CSPs or sensitive data that if misused could lead to a compromise of the module 10. The module provides two operator roles. These are the User role and the Cryptographic-Officer role. 11. The module does not support concurrent operators. Page 23 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 12. The module does not support a maintenance role. 13. The module does not support a bypass capability. 14. The module supports identity-based authentication. 15. When the module is powered off and subsequently powered on, the results of previous authentications are not retained and the module requires the operator to be re-authenticated. 16. Authentication data within the module is protected against unauthorized disclosure, modification, and substitution. 17. The module contains the authentication data required to authenticate the operator for the first time. 18. For each attempt to use the authentication mechanism the probability is less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur. 19. For multiple attempts to use the authentication mechanism during a one-minute period the probability is less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. 20. The module's authentication mechanism does not supply any feedback information to the operator. 21. Recovery from "soft" error states is possible via power-cycling. Recovery from "hard" error states is not possible. 22. The module is physically protected with a production-grade hard opaque tamper evident encapsulating material. 23. The module does not contain any doors or removable covers. 24. Secret keys, private keys, and CSPs within the module are protected from unauthorized disclosure, modification, and substitution. 25. Public keys within the module are protected against unauthorized modification and substitution. 26. Cryptographic keys generated by the module are generated using Approved key generation methods: FIP186-2 Appendix 3.1. 27. Compromising the security of the key generation method requires as least as many operations as determining the value of the generated keys. 28. Seed keys are not entered into the module during the key generation process, they are gathered internally. 29. Intermediate key generation values are not output from the module. 30. Key establishment is performed via ECDH SP800-56A (allowed as per FIPS 140-2 Implementation Guidance 7.1). 31. Compromising the security of the key establishment method (2128) requires as many operations as determining the value of the cryptographic key being agreed Page 24 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 upon (2128). 32. The module does not support manual key entry. 33. All secret and private keys entered into the module must be encrypted with an ECDH session key. 34. The module does not support key entry via split knowledge procedures. 35. The module does not support a SW/FW Load service. 36. The module provides a method to zeroize all plaintext secret and private cryptographic keys and CSPs within the module (ZEROIZE PIN within the Secure Boot group physical interface turned high). 37. The module conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B (i.e., for home use). 38. The module performs the following self-tests: a. Power up Self-Tests: i. Cryptographic algorithm tests: · AES [SMAU - Secure Cache] block KAT. · AES [SMAU ­ Generic Crypto/Auth] block KAT. · HMAC-SHA-1 & HMAC-SHA-256 [SMAU - Secure Cache] block KAT, covers SHA-1 & SHA-256. · HMAC-SHA-1 & HMAC-SHA-256 [SMAU ­ Generic Crypto/Auth] block KAT, covers SHA-1 & SHA-256. · PRNG FIPS 186-2 Appendix 3.1 KAT and Appendix 3.2 KAT. · RSA, DSA, ECDSA signature generation and signature verification KAT. · SP800-56A ECDH: · DLC primitives KAT. · Key Agreement KAT. · Key Derivation Function KAT. ii. Software Integrity Test: · BootROM: 32 bit checksum. · Secure Boot Image (SBI) the authenticated software extension of the module's Secure Boot Loader, is authenticated by Secure Boot Loader code when Secure Boot Loader code loads the SBI. Authentication is accomplished via 256-bit HMAC verification (the module also decrypts the SBI image with its 128-bit AES key). iii. Critical Functions Tests: · Memory BIST (Read/Write) Page 25 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 · OTP Checksum Verification b. Conditional Self-Tests: i. Continuous Random Number Generator test ­ performed on NDRNG and PRNG 39. The operator is capable of commanding the module to perform the power-up self-test via power cycling. This section documents the security rules imposed by the vendor: 1. The module shall not support the update of the logical serial number or vendor ID. 2. Each 256-bit ECDSA operation takes > 8ms to perform. For each authentication attempt, the cryptographic module has to perform two ECDSA operations, one for ECDSA signature generation and the other for ECDSA signature verification before the operator can be authenticated. The operator can make no more than 3750 attempts in every minute even if attempts were made continuously. 9. Physical Security Policy Physical Security Mechanisms The BCM5880 Cryptographic Module includes the following physical security mechanisms: · Production-grade hard opaque tamper evident encapsulating material. 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks beyond the requirements of FIPS 140-2. 11. References · National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 27, 2000 ­ o http://csrc.nist.gov/publications/drafts.html · National Institute of Standards and Technology, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Special Publication 800-56A, March 2006. o http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-56-A-1 Page 26 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 12. Definitions and Acronyms AES: Advanced Encryption Standard as defined by FIPS197 and SP800-38A to SP800-38D ECB, CBC, CTR, CMAC, CCM API Application Programming Interface BIST Built-In Self Test CSP A FIPS Critical Security Parameter DLC Discrete Logarithm Cryptography DSA Digital Signature Algorithm as defined by FIPS186-2 ECDH Elliptic-curve Diffie-Hellman algorithm ECDSA Elliptic-curve Digital Signature Algorithm as defined by FIPS186-2 EMI/EMC Electromagnetic Interference/Electromagnetic Compatibility FIPS Federal Information Processing Standard FW Firmware HMAC A keyed-Hash Message Authentication Code HW Hardware JTAG Joint Test Action Group ­ refer to the test interface standard as defined by IEEE 1149.1 Standard LPC Low Pin Count interface NDRNG Non Deterministic Random Number Generator OTP One Time Programmable memory. PRNG Pseudo Random Number Generator RAM Random Access Memory RFID Pseudorandom Number Generator ROM Read Only Memory RSA Rivest, Shamir, and Adleman algorithm for public key encryption SBI Secure Boot Image. Authenticated software extension of the module's BOOT ROM (note: SBI software is part of the BCM5880 Cryptographic Module). SCAPI Simple Cryptographic Application Programming Interface (refer to the crypto library of BCM5880 firmware that utilizes the cryptographic hardware of the BCM5880) Page 27 Broadcom Corporation BCM5880 Cryptographic Module Security Policy Version 1.1 2010-02-02 SHA Secure Hash Algorithm SMAU Secure Memory Access Unit SPI Synchronous Peripheral Interface SRAM Static Random Access Memory STS Statistical Testing TESTING SW Software TPM Trusted Platform Module UART Universal Asynchronous Receiver/Transmitter USB Universal Serial Bus Page 28