FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series FIPS 140-2 Non-Proprietary Security Policy Kingston Technology DataTraveler DT4000 Series Document Version 2.2 April 29, 2010 Document Version 2.2 © Kingston Technology Page 1 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Prepared For: Prepared By: Kingston Technology Company, Inc. Apex Assurance Group, LLC 17600 Newhope Street 5448 Apex Peakway Drive, Ste. 101 Fountain Valley, CA 92708 Apex, NC 27502 www.kingston.com www.apexassurance.com Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for the DataTraveler DT4000 Series. Document Version 2.2 © Kingston Technology Page 2 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Table of Contents 1 Introduction ........................................................................................................................................... 5 1.1 About FIPS 140 ................................................................................................................................ 5 1.2 About this Document........................................................................................................................ 5 1.3 External Resources .......................................................................................................................... 5 1.4 Notices ............................................................................................................................................. 5 1.5 Acronyms ......................................................................................................................................... 5 2 Kingston Technology DataTraveler DT4000 Series .......................................................................... 7 2.1 Product Overview ............................................................................................................................. 7 2.2 Validation Level Detail...................................................................................................................... 7 2.3 Cryptographic Algorithms................................................................................................................. 8 2.3.1 Approved Algorithms ................................................................................................................. 8 2.3.2 Algorithm Implementation Certificates....................................................................................... 8 2.3.3 Non-Approved Algorithms ......................................................................................................... 8 2.4 Cryptographic Module Specification................................................................................................. 8 2.5 Module Interfaces............................................................................................................................. 9 2.6 Roles, Services, and Authentication .............................................................................................. 10 2.6.1 Operator Services and Descriptions........................................................................................ 10 2.6.2 Operator Authentication........................................................................................................... 11 2.6.3 Password Strength .................................................................................................................. 11 2.7 Physical Security ............................................................................................................................ 11 2.8 Operational Environment ............................................................................................................... 11 2.9 Cryptographic Key Management.................................................................................................... 11 2.10 Self-Tests ..................................................................................................................................... 14 2.10.1 Power-On Self-Tests ............................................................................................................. 15 2.10.2 Conditional Self-Tests............................................................................................................ 15 2.11 Mitigation of Other Attacks ........................................................................................................... 15 3 Guidance and Secure Operation ....................................................................................................... 16 3.1 Crypto Officer Guidance................................................................................................................. 16 3.1.1 General Guidance ................................................................................................................... 16 3.2 User Guidance ............................................................................................................................... 16 3.2.1 Module Initialization and Configuration ................................................................................... 16 3.2.2 General Guidance ................................................................................................................... 16 Document Version 2.2 © Kingston Technology Page 3 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series List of Tables Table 1 ­ Acronyms and Terms .................................................................................................................... 6 Table 2 ­ Validation Level by DTR Section .................................................................................................. 7 Table 3 ­ Algorithm Certificates.................................................................................................................... 8 Table 4 ­ Operator Services and Descriptions ........................................................................................... 10 Table 5 - Key/CSP Management Details .................................................................................................... 14 Table 6 ­ Keys/CSPs Excluded from Validation ......................................................................................... 14 List of Figures Figure 1 ­ Physical Boundary ....................................................................................................................... 9 Figure 2 ­ Logical Interface / Physical Interface Mapping ............................................................................ 9 Document Version 2.2 © Kingston Technology Page 4 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules specifies requirements for cryptographic products to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment of Canada (CSEC) Cryptographic Module Validation Program (CMVP) owns the FIPS 140 program. The CMVP accredits independent testing labs to perform FIPS 140 testing; the CMVP also validates test reports for all products pursuing FIPS 140 validation. Validation is the term given to a product that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.2 About this Document This non-proprietary Cryptographic Module Security Policy for the DataTraveler DT4000 Series from Kingston Technology provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module's cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS 140-2 mode of operation. The Kingston Technology DataTraveler DT4000 Series may also be referred to as the "module" in this document. 1.3 External Resources The Kingston Technology website (http://www.kingston.com) contains information on the full line of products from Kingston Technology, including a detailed overview of the DataTraveler DT4000 Series solution. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm) contains links to the FIPS 140-2 certificate and Kingston Technology contact information. 1.4 Notices This document may be freely reproduced and distributed in its entirety without modification. 1.5 Acronyms The following table defines acronyms found in this document: Document Version 2.2 © Kingston Technology Page 5 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Acronym Term AES Advanced Encryption Standard ANSI American National Standards Institute CSEC Communications Security Establishment of Canada CSP Critical Security Parameter DTR Derived Test Requirements ECB Electronic Codebook FIPS Federal Information Processing Standard GPC General Purpose Computer GUI Graphical User Interface HMAC Hashed Message Authentication Code KAT Known Answer Test NIST National Institute of Standards and Technology NVRAM Non-Volatile Random Access Memory PRNG Pseudo-Random Number Generator RNG Random Number Generator SHA Secure Hash Algorithm USB Universal Serial Bus Table 1 ­ Acronyms and Terms Document Version 2.2 © Kingston Technology Page 6 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 2 Kingston Technology DataTraveler DT4000 Series 2.1 Product Overview Kingston's DataTraveler DT4000 Series USB Flash drive is assembled in the U.S. for organizations that require a secure way to store and transfer portable data. The stored data is secured by hardware-based 256-bit AES encryption to guard sensitive information in case the drive is lost or stolen. Its durable, aluminium casing provides added protection. The Kingston's DataTraveler DT4000 Series offers unique protection to safeguard critical data even if the drive is lost or stolen. It is an enterprise-grade USB Flash drive with 256-bit on-the-fly encryption. Its strong password rules and lock-down control protect against brute force attacks. Such advanced security features make the Kingston's DataTraveler DT4000 Series drives ideal for corporations and service organizations that require employees to transport large digital files consisting of confidential documents. 2.2 Validation Level Detail The following table lists the level of validation for each area in FIPS 140-2: Validation FIPS 140-2 Section Title Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 3 Operational Environment N/A Cryptographic Key Management 2 Electromagnetic Interference / Electromagnetic 3 Compatibility Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Table 2 ­ Validation Level by DTR Section The "Mitigation of Other Attacks" section is not relevant as the module does not implement any countermeasures towards special attacks. Document Version 2.2 © Kingston Technology Page 7 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 2.3 Cryptographic Algorithms 2.3.1 Approved Algorithms In FIPS mode of operation, only the following FIPS approved algorithms are to be used1: · AES encryption/decryption · SHA-256 hashing · ANSI X9.31 Appendix A.2.4 for PRNG 2.3.2 Algorithm Implementation Certificates The module's cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program: Algorithm CAVP Algorithm Standard Use Type Certificate Random ANSI X9.31 ANSI 607 Random Number Number X9.31 Generation Generation A.2.4 (AES) Hashing SHA-256 FIPS 180-3 1016 Message digest Symmetric AES CBC mode FIPS 197 1081 Encryption / decryption Key with 256-bit keys for entire partition AES ECB mode FIPS 197 1081 Obfuscate Data with 128-bit keys Encryption Key Table 3 ­ Algorithm Certificates 2.3.3 Non-Approved Algorithms The module implements the following non-FIPS approved algorithms: · Hardware-based random number generator (HWRNG) o This HWRNG is used only as a seeding mechanism to the FIPS-approved PRNG. 2.4 Cryptographic Module Specification The module is the Kingston Technology DataTraveler DT4000 Series running firmware version 3.00.1 on hardware controller version AE2251. The module is classified as a multi-chip standalone cryptographic module, and the physical cryptographic boundary is defined as the module's case. The physical boundary is pictured in the image below: 1 Note that the module enforces this by default Document Version 2.2 © Kingston Technology Page 8 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Figure 1 ­ Physical Boundary The cryptographic boundary does not include polymer case, and USB cap of the DT4000 series drive. The host application (version 3.0.0.1) is inside the crypto boundary but is excluded from validation. The potting defines the cryptographic boundary and provides sufficient physical security; compromising the exterior metallic casing does not compromise the security of the device. No excluded components process CSPs, plaintext data, or other information that if misused could lead to a compromise. 2.5 Module Interfaces The interfaces for the cryptographic boundary include physical and logical interfaces. The physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: Data Input, Data Output, Control Input, and Status Output. The mapping of logical interfaces to module physical interfaces is provided in the following table: FIPS 140-2 Logical Interface Module Physical Interface Data Input Data pins within the USB Port Data Output Data pins within the USB Port Control Input Data pins within the USB Port Status Output Data pins within the USB Port LED Power Power pin within the USB Port Figure 2 ­ Logical Interface / Physical Interface Mapping The USB 2.0 protocol ensures these logical interfaces are distinct. Document Version 2.2 © Kingston Technology Page 9 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 2.6 Roles, Services, and Authentication As required by FIPS 140-2, there are two roles (a Crypto Officer role and User role) in the module that operators may assume. The module supports role-based authentication, and the respective services for each role are described in the following sections. 2.6.1 Operator Services and Descriptions The services available to the User and Crypto Officer roles in the module are as follows: Service Description Service Input Service Output Roles Decommission Zeroize all keys and CSPs Password Keys/CSPs Crypto Device and decommission the Authentication zeroized and Officer module module decommissioned Initialize Create password and Enter Password User generate keys to place the password stored, self tests module in FIPS 140 mode run, and keys of operation generated Show Status Verify self test Password Status output via User success/failure Authentication LED and alert to host machine GUI Encrypt Encrypt partition with AES Password Partition User Authentication encrypted Decrypt Decrypt AES-encrypted Password Partition User partition when reading Authentication decrypted and from the device files are readable Format Drive Erase all files stored on Zeroization Partition User the module and zeroizes command formatted and keys and CSPs keys/CSPs overwritten with new values Run Self Tests Performs power on self Password Status output of User tests; invoked by inserting Authentication results / module module into the host disabled in tests machine fail, allows authentication if tests pass Table 4 ­ Operator Services and Descriptions Document Version 2.2 © Kingston Technology Page 10 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 2.6.2 Operator Authentication The Crypto Officer and User roles authenticate via host machine over the module's USB port. Other than status functions available by viewing LEDs, the services described in Table 4 ­ Operator Services and Descriptions are available only to authenticated operators. The module ensures there is no visible display of Crypto Officer or User authentication data during data entry. 2.6.3 Password Strength User Passwords must be a minimum of 6 characters, which is enforced by the module. Crypto Officer passwords must be 6 characters as specified in the Guidance and Secure Operation section of this document. The password must contain three of the following four characters: lower case letters, upper case letters, numeric characters and/or special characters. Assuming a mix of lower case letters, upper case letters, numeric characters, the password can consist of the following set: {a-zA-Z0-9], yielding 62 choices per character. The probability of a successful random attempt is 1/626, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one- minute period is 600/626, which is less than 1/100,000. The module will lock an account after 10 consecutive failed authentication attempts; thus, the maximum number of attempts in one minute is 10. Therefore, the probability of a success with multiple consecutive attempts in a one-minute period is 10/626 which is less than 1/100,000. 2.7 Physical Security The module is a multiple-chip standalone module and conforms to Level 3 requirements for physical security. The module is composed of production-grade components and is completely covered with a hard, opaque potting material. Any attempts to remove the potting will result in permanent damage to the module. 2.8 Operational Environment The module operates in a limited operational environment and does not implement a General Purpose Operating System. The module meets the requirements of 47 CFR PART 15 regulation & ANSI C63.4 and ICES- 003 for the evaluation of Class B of electromagnetic compatibility. This device complies with Part 15 of FCC Class B rules for home or office use. 2.9 Cryptographic Key Management The table below provides a complete list of Critical Security Parameters used within the module: Document Version 2.2 © Kingston Technology Page 11 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Key/CSP Description / Establishment Privileg Generation Storage Destruction Name Use / Export es Data AES 256-bit Internal Storage: Agreement: Zeroization Crypto Encryption key for generation NVRAM NA command Officer Key encryption / by X9.31 plaintext decryption of PRNG. (obfuscated Entry: NA The Crypto D all files on the with AES Officer drive 128-bit Output: None decommissions password- the drive to User derived securely wipe key2). the contents RWD Associatio n: The system is the one and only owner. Relationshi p is maintained by the controller via protected memory. Only a single AES- 256 data key to encrypt a whole partition content. PRNG HWRNG Internal Storage: Agreement: Reset / reboot Crypto Seed providing 256- generation RAM NA the module Officer bit entropy to by HWRNG plaintext seed the Entry: NA Generate a new D 2 Not considered a key/CSP per FIPS 140 requirements Document Version 2.2 © Kingston Technology Page 12 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Key/CSP Description / Establishment Privileg Generation Storage Destruction Name Use / Export es X9.31 PRNG Associatio value User n: The Output: NA system is Zeroization None the one and command only owner. The Crypto Officer decommissions the drive to securely wipe the contents PRNG HWRNG Internal Storage: Agreement: Reset / reboot Crypto Seed Key providing AES generation RAM NA the module Officer 256-bit seed by HWRNG plaintext key for the Entry: NA Generate a new D X9.31 PRNG Associatio value n: The Output: NA system is Zeroization the one and command User only owner. None The Crypto Officer decommissions the drive to securely wipe the contents Crypto Alphanumeric Not Storage: Agreement: The Crypto Crypto Officer passwords for generated NVRAM NA Officer Officer Password authentication by the hashed with decommissions to the module. module; SHA-256 Entry: Manual the drive to RWD defined by securely wipe Kingston Associatio Output: NA the contents technical n: support controlled by the controller Document Version 2.2 © Kingston Technology Page 13 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series Key/CSP Description / Establishment Privileg Generation Storage Destruction Name Use / Export es User Alphanumeric Not Storage: Agreement: Zeroization Crypto Password passwords generated NVRAM NA command Officer externally by the hashed with generated by module; SHA-256 Entry: Manual The Crypto D a human user defined by Officer for the human Associatio Output: NA decommissions authentication user of the n: the drive to User to the module. host controlled securely wipe machine by the the contents RWD controller R = Read W = Write D = Delete Table 5 - Key/CSP Management Details The module does not support key entry. The module supports entry of passwords for authentication, and these parameters are not distributed outside the cryptographic boundary. The module will overwrite all keys and CSPs with new values when it receives the zeroization command. Data encrypted with the overwritten Data Encryption Key cannot be decrypted. When the Crypto Officer authenticates and issues a command to zeroize the device, all keys and CSPs will be zeroized, and the module will be decommissioned. The following keys are excluded from the validation: Key Description Rationale DEK Encryption Key 128-bit AES key for encrypting Not considered a key/CSP per the Data Encryption Key FIPS 140 requirements Password Encryption 128-bit AES key for encrypting Not considered a key/CSP per Key the User password FIPS 140 requirements Table 6 ­ Keys/CSPs Excluded from Validation 2.10 Self-Tests The module includes an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. In the event of any self-test failure, the module will output an error dialog and will shutdown. No keys or CSPs will be output when the module is in an error state. The module does not support a bypass function. The following sections discuss the module's self-tests in more detail. Document Version 2.2 © Kingston Technology Page 14 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 2.10.1 Power-On Self-Tests Power-on self-tests are run upon every initialization of the module and if any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the users. The module implements the following power-on self-tests: · Module integrity check via CRC-16 · AES KAT (encryption and decryption) · SHA-256 KAT · PRNG KAT The module performs all power-on self-tests automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The Power-on self-tests can be run on demand by rebooting the module in FIPS approved Mode of Operation. An operator can discern that all power-on self-tests have passed via normal operation of the module and presentation of the GUI interface. Additionally, the LED will blink slowly at 3 hertz. If the module fails a POST, a Microsoft Windows error message will display on the screen. In this case the module will not be initialized, and no critical security parameters will be available. The LED will blink rapidly at 16 hertz. 2.10.2 Conditional Self-Tests Conditional self-tests are test that run continuously during operation of the module. If any of these tests fail, the module will enter an error state. The module can be re-initialized to clear the error and resume FIPS mode of operation. No services can be accessed by the operators. The module performs the following conditional self-tests: · Continuous RNG test run on output of ANSI X9.31 PRNG o Because there is 16-byte random number output after calling RNG each time, there are two calls to generate the AES 256 key. The test is run with each call. · Continuous test on output of ANSI X9.31 PRNG seed mechanism (HW RNG) If the module fails a conditional self test, a Microsoft Windows error message will display on the screen. 2.11 Mitigation of Other Attacks The module does not mitigate other attacks. Document Version 2.2 © Kingston Technology Page 15 of 16 This document may be reproduced only in its original entirety [without revision]. FIPS 140-2 Non-Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series 3 Guidance and Secure Operation This section describes how to configure the module for FIPS-approved mode of operation. Operating the module without maintaining the following settings will remove the module from the FIPS-approved mode of operation. 3.1 Crypto Officer Guidance 3.1.1 General Guidance The Crypto Officer must not disclose passwords and must store passwords in a safe location and according to his/her organization's systems security policies for password storage. 3.2 User Guidance 3.2.1 Module Initialization and Configuration The User must configure and enforce the following initialization procedures: 1. Verify that the firmware version is 3.00.1. No other version is allowed to be used in FIPS mode of operation. 2. Do not disclose passwords and store passwords in a safe location and according to the organization's systems security policies for password storage. Note that when the module is plugged into to a host machine for the first time, the User will create a password, and the module will be formatted. 3.2.2 General Guidance The User must configure and enforce the following initialization procedures in order to operate in FIPS approved mode of operation: · Verify that the firmware version of the module is Version 3.00.1. No other version can be loaded or used in FIPS mode of operation. · All operator passwords must be a minimum of 6 characters in length. Document Version 2.2 © Kingston Technology Page 16 of 16 This document may be reproduced only in its original entirety [without revision].