REVISIONS REV DESCRIPTION ECO DATE APPROVED F Initial Release 2108109 06/02/10 Lee Armstrong Copyright © 2010 by Texas Instruments. May only be reproduced in its entirety without modification. Security Policy, DLP Cinema®, Series 2 Enigma Link Decryptor The data in this specification is preliminary and subject to correction or change as required. TEXAS INSTRUMENTS INCORPORATED (c) COPYRIGHT 2010 TEXAS INSTRUMENTS ALL RIGHTS RESERVED DWN/CHK DATE TITLE Security Policy, ENGR DATE DLP Cinema®, Series 2 Enigma Link Decryptor MANU DATE 314PH QA DATE SIZE DRAWING NO REV NHA Used On A 2510293 F APVD DATE SCALE APPLICATION NONE SHEET 1 OF 21 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Table Of Contents 1 REFERENCE DOCUMENTS...................................................................................................................................4 2 INTRODUCTION ......................................................................................................................................................4 2.1 CRYPTOGRAPHIC BOUNDARY ....................................................................................................................................4 2.2 APPROVED ALGORITHMS...........................................................................................................................................6 2.3 NON-APPROVED ALGORITHMS ..................................................................................................................................7 2.4 PHYSICAL PORTS AND LOGICAL INTERFACES ............................................................................................................7 3 SECURITY RULES ...................................................................................................................................................8 4 IDENTIFICATION AND AUTHENTICATION POLICY ..................................................................................11 5 ACCESS CONTROL POLICY...............................................................................................................................12 6 ROLES, SERVICES, CSPS .....................................................................................................................................13 7 UNAUTHENTICATED SERVICES ......................................................................................................................18 8 PHYSICAL SECURITY POLICY..........................................................................................................................19 9 MITIGATION OF OTHER ATTACKS POLICY ................................................................................................20 10 APPENDIX............................................................................................................................................................21 10.1 GLOSSARY/ACRONYMS ...........................................................................................................................................21 Index of Figures FIGURE 1. ENIGMA CRYPTOGRAPHIC BOUNDARY (TOP VIEW)...............................................................................................5 FIGURE 2. ENIGMA CRYPTOGRAPHIC BOUNDARY (BOTTOM VIEW) .......................................................................................6 DRAWING NO REV 2510293 F SHEET 2 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Index of Tables TABLE 1. REFERENCE DOCUMENTS .......................................................................................................................................4 TABLE 2. MAP OF PHYSICAL PORTS TO LOGICAL INTERFACES ..............................................................................................7 TABLE 3. ROLES AND REQUIRED IDENTIFICATION AND AUTHENTICATION..........................................................................11 TABLE 4. STRENGTHS OF AUTHENTICATION MECHANISMS .................................................................................................11 TABLE 5. MARRIAGE INITIATION SERVICE ..........................................................................................................................13 TABLE 6. MARRIAGE VERIFICATION SERVICE .....................................................................................................................13 TABLE 7. UPDATE TI LOGIN LIST SERVICE .........................................................................................................................14 TABLE 8. UPDATE SECURITY OFFICER LOGIN LIST SERVICE ...............................................................................................14 TABLE 9. TLS SESSIONS FOR CRYPTOGRAPHIC OFFICER SERVICE ......................................................................................15 TABLE 10. ZEROIZE VIA TWO-LAYER COMMAND SERVICE .................................................................................................15 TABLE 11. TLS SESSIONS FOR CINEMA SERVER SERVICE ...................................................................................................16 TABLE 12. SHOW MOVIE SERVICE.......................................................................................................................................16 TABLE 13. LOG RETRIEVAL SERVICE ..................................................................................................................................17 TABLE 14. LOAD NEW CODE SERVICE ................................................................................................................................17 TABLE 15. INSPECTION/TESTING OF PHYSICAL SECURITY MECHANISMS ............................................................................19 TABLE 16. MITIGATION OF OTHER ATTACKS ......................................................................................................................20 DRAWING NO REV 2510293 F SHEET 3 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 1 Reference Documents Document Number Description FIPS 140-2 Security Requirements for Cryptographic Modules FIPS 197 Advance Encryption Standard (AES) FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) ANSI X9.31-1998 Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA) Digital Cinema System Specification (Digital Cinema Initiatives, LLC) 1.2 IETF RFC 2246 The TLS Protocol, Version 1.0 FIPS 180-2 Secure Hash Standard Table 1. Reference Documents 2 Introduction The Texas Instruments Enigma Cryptographic Module [Hardware version 2509488 Rev G; Software version 1.4(19) or 1.5(21); Firmware version 2.12(12)], hereafter referred to as "Enigma" or "cryptographic module", is a multi-chip embedded cryptographic module designed to protect digital movie content in accordance with Digital Cinema Initiatives V1.2. The Enigma is a Link Decryptor module designed to reside within a host cinema projector. 2.1 Cryptographic Boundary The cryptographic boundary is defined as the outer perimeter of the metal enclosure that encompasses all hardware, software, and firmware that support cryptography and security functions with three multi-pin connector ports exposed as interfaces. The following images define the cryptographic boundary: DRAWING NO REV 2510293 F SHEET 4 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Figure 1. Enigma Cryptographic Boundary (top view) DRAWING NO REV 2510293 F SHEET 5 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Figure 2. Enigma Cryptographic Boundary (bottom view) 2.2 Approved Algorithms The cryptographic module supports the following Approved algorithms: · AES CBC Encrypt/Decrypt (Cert# 1014) · AES ECB Encrypt ­ Core 1 (Cert# 999) · AES ECB Encrypt ­ Core 2 (Cert# 1000) · AES ECB Encrypt ­ Core 3 (Cert# 1001) · AES ECB Encrypt ­ Core 4 (Cert# 1002) · SHA-1 (Cert# 971) · ANSI X9.31 DRNG with AES 128 core (Cert# 581) · HMAC-SHA-1 (Cert# 568) · RSA (Cert# 487) DRAWING NO REV 2510293 F SHEET 6 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 2.3 Non-Approved Algorithms The cryptographic module supports the following non-Approved algorithms: · ECDH ­ considered as non-security relevant and only used to interoperate with legacy equipment · TI S-box - considered as non-security relevant data obfuscation (plaintext); only used for status and control. · NDRNG ­ only used to seed the Approved DRNG. · MD5 (within TLS PRF) · RSA key wrap (within TLS): (key wrapping; key establishment methodology provides 112 bits of encryption strength) 2.4 Physical Ports and Logical Interfaces The cryptographic module supports the following physical ports: · J1: 120-Pin 0.8mm QSE Series Hi-Speed Socket · J2: 120-Pin 0.8mm QSE Series Hi-Speed Socket · J3: 3-pin, polarized, 2.5mm pitch, header · 12VDC, FPGA, FIPS, ST, SDMT, VS, DCRPT: a series of traces that extend to seven external light emitting diodes (LEDs) · DC power supply circuit/filter: a series of traces that extend to peripheral power related components that are outside of the cryptographic boundary The following table maps of each physical port to the logical interfaces: Physical Port Logical Interface J1, J2 Data Input J1, J2 Control Input J1, J2 Data Output J1, J2, 12VDC, FPGA, FIPS, ST, SDMT, VS, DCRPT Status Output J1, J2, J3, DC power supply circuit/filter Power Table 2. Map of Physical Ports to Logical Interfaces DRAWING NO REV 2510293 F SHEET 7 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 3 Security Rules The following specifies security rules under which the cryptographic module shall operate in accordance with FIPS 140-2: · The cryptographic module does not support a non-FIPS mode of operation and only operates in an Approved mode of operation. The method used to indicate the Approved mode of operation is the combination of LEDs displayed in the following pattern with main power applied: o 12VDC LED is illuminated green o FPGA LED is illuminated green o FIPS LED is not illuminated o ST LED is illuminated green o SDMT LED is illuminated green o VS LED is not illuminated o DCRPT LED is not illuminated · The cryptographic module provides logical separation between all of the data input, control input, data output, status output interfaces. The module receives external power inputs through the defined power interface. · The cryptographic module supports identity based authentication for all services that utilize CSPs and Approved security functions. · The data output interface is inhibited during self tests, zeroization, and when error states exist. · When the cryptographic module is in an error state it ceases to provide cryptographic services, inhibits all data outputs, and provides status of the error. · The cryptographic module maintains internal separation of concurrent operators. · When the cryptographic module is powered off and subsequently powered on, the results of previous authentications are not be retained and the cryptographic module requires the operator to be re-authenticated in an identity based fashion. · The cryptographic module protects CSPs from unauthorized disclosure, unauthorized modification, and unauthorized substitution. · The cryptographic module protects public keys from unauthorized modification, and unauthorized substitution. · The cryptographic module satisfies the FCC EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B (i.e., for home use). · The cryptographic module implements the following self-tests: Power-up self-tests o AES CBC Encrypt/Decrypt KAT o AES ECB Encrypt KAT on each of the 4 FPGA cores o SHA-1 KAT o HMAC-SHA-1 KAT o RSA-SHA-1 KAT (signature generation/verification) o DRNG KAT o Firmware integrity test (32-bit checksum verification) DRAWING NO REV 2510293 F SHEET 8 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Critical functions tests · MD5 KAT · TLS PRF KAT · RSA decryption KAT Conditional self-test o Continuous DRNG test o Continuous NDRNG test o Firmware load test (RSA 2048 bit signature verification). · Manual key entry is not supported and the cryptographic module does not implement manual key entry tests. · The cryptographic module does not support bypass capability and does not implement bypass tests. · The module does not support RSA key generation, and does not implement conditional pair-wise consistency tests. · Key generation and split-knowledge processes are not supported. · All maintenance related services (i.e. maintenance role, physical maintenance interface, logical maintenance interface) are not applicable. · There are no components within the cryptographic boundary that are excluded from the requirements of FIPS 140-2. · Plaintext CSP input/output is not supported. · The cryptographic module does not contain dedicated physical ports for CSP input/output · The continuous comparison self-tests related to twin implementations are not applicable. · Upon authenticating into a particular role, it is not possible to switch into another role without re- authenticating. · The cryptographic module does not provide the means to feedback authentication data. · The finite state machine does not support the following states: maintenance, key generation, CSP output. · The requirements of FIPS 140-2 Section 4.6 are not applicable; there exists no support for the execution of untrusted code. All coded loaded from outside the cryptographic boundary is cryptographically authenticated via RSA 2048 bit digital signatures. · The cryptographic module is not a radio, does not support any wireless interfaces or OTAR. · The EFP and EFT requirements are not applicable. · The requirements of FIPS 140-2 Section 4.11 are not applicable; the cryptographic module was not designed to mitigate specific attacks beyond the scope of FIPS 140-2. Following are the additional security rules imposed by the Texas Instruments. · The cryptographic module shall conform to the DCI version 1.2. · The cryptographic module shall support electrical and logical marriage to its host cinema projector. The cryptographic module continuously monitors its electrical connection to the host cinema projector via J1 and J2 connector. The cryptographic module maintains its logical marriage via verification of RSA 2048 bit digital signatures. In the event that the marriage is broken (for example through removal of the cryptographic module from the host cinema DRAWING NO REV 2510293 F SHEET 9 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification projector or failed User role authentication attempts during Marriage Verification service) the Show Movies AES keys are zeroized. Additionally, the cryptographic module rejects all attempts to enter Show Movie AES Keys until such a time as the Cryptographic Officer performs another Marriage Initiation service. · The cryptographic module shall continuously monitor the service doors of the projector via the J1 and J2 connectors and respond to the opening of multiple external doors within the host cinema projector. The external doors are not included within the cryptographic module boundary and opening of said doors does not constitute a breach of the cryptographic boundary. When the external doors are opened, the Show Movie AES Keys are zeroized. Additionally, the cryptographic module rejects all attempts to enter Show Movie AES Keys until such a time as the external doors are closed and the cryptographic module receives the Service Door Tamper Termination command. DRAWING NO REV 2510293 F SHEET 10 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 4 Identification and Authentication Policy The following constitutes the cryptographic modules identification and authentication policy including an itemization of the roles, type of authentication, and corresponding authentication data. Additionally the strength of each authentication mechanism is specified for random attempts and multiple consecutive attempts within a one-minute period. Type of Role Authentication Data Authentication Cryptographic Officer (Security Officer) Identity-Based Username & Password User (ICP) Identity-Based RSA signature verification TI Login List Updater Identity-Based RSA signature verification Security Officer Login List Updater Identity-Based RSA signature verification TI Code Signer Identity-Based RSA signature verification Table 3. Roles and Required Identification and Authentication Authentication Mechanism Strength of Mechanism Username & Password Random attempt: 1 in 92 ^ 10 Multiple attempts during one minute period: 3 in 92 ^ 10. The Enigma will refuse login attempts for one minute after 3 unsuccessful login attempts. RSA signature verification Random attempt: 1 in 2 ^ 112 Multiple attempts during one minute period: 6000 in 2 ^ 112 Table 4. Strengths of Authentication Mechanisms DRAWING NO REV 2510293 F SHEET 11 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 5 Access Control Policy Following is a listing of the authorized roles with a description of responsibilities. · Cryptographic Officer (Security Officer) role: this role is responsible for the initialization and administration of the cryptographic module. This role is also responsible for inspection of the implemented physical security mechanisms during marriage initiation. · User role (ICP): this role is responsible for playing movies and periodically checking status. · TI Login List Updater role: this role is responsible for updating the TI Login List. · Security Officer Login List Updater role: this role is responsible for updating the Security Officer Login List. · TI Code Signer role: this role is responsible for updating the executable code that is encrypted with AES and cryptographically authenticated via 2048 bit RSA digital signatures. DRAWING NO REV 2510293 F SHEET 12 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 6 Roles, Services, CSPs Following is listing of roles, services, cryptographic keys & CSPs, and types of access to the cryptographic keys & CSPs that are available to each of the authorized roles via the corresponding services. Role Service Cryptographic Keys & CSPs Type(s) of Access Cryptographic Marriage Initiation: binding the Enigma Public Key (RSA 2048) Output Officer (Security identity of the cryptographic Officer) module (Link Decryptor) to the external Integrated Cinema Enigma Private Key (RSA 2048) Use for signature Processor both electronically and generation logically via RSA signatures. Security Officer TLS Public Key (RSA Input, Use for TLS 2048) session establishment Security Officer Login List (Usernames Input, Use for and Passwords) authentication via TLS · TLS HMAC Key (160-bit) Established via · TLS AES Key (128-bit) commercially available · TLS PRF State (takes the TLS Pre- key establishment master Secret, 64-byte random protocol TLS 1.0 number, 13-byte label ­ converts to (protocol version = 3.1); TLS Master Secret) Used with Cipher-Suite · TLS Pre-master Secret (48-byte) "RSA_WITH_AES_128 · TLS Master Secret (48-byte) _CBC_SHA" = {0x00, 0x2F} (RFC 3268). DRNG State (16-byte) Use for random number generation for use in TLS Integrated Cinema Processor Public Key Input; Use for signature (RSA 2048) verification of future marriage verification services Table 5. Marriage Initiation Service Role Service Cryptographic Keys & CSPs Type(s) of Access User Marriage Verification: verify a Integrated Cinema Processor Public Key Input, Use for signature digital signature from the User to (RSA 2048) verification to confirm that the logical marriage authenticate the User is still intact. role Table 6. Marriage Verification Service DRAWING NO REV 2510293 F SHEET 13 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Roles Service Cryptographic Keys & CSPs Type(s) of Access TI Login List Update TI Login List: Verify TI Login List Update AES Key (128-bit) Use for decryption of TI Updater RSA signature, decrypt the login Login List list received, update the list. TI Login List Update Public Key (RSA Use for signature 2048) verification TI Login List (Usernames and Passwords) Input and update CSP AES Key Use for storage Table 7. Update TI Login List Service Roles Service Cryptographic Keys & CSPs Type(s) of Access Security Officer Update Security Officer Login Security Officer Login List Update AES Use for decryption of Login List Updater List: Verify RSA signature, Key (128-bit) Security Officer login decrypt the login list received, list update the list. Security Officer Login List Update Public Use for signature Key (RSA 2048) verification Security Officer Login List (Usernames Input and update and Passwords) CSP AES Key Use for storage Table 8. Update Security Officer Login List Service DRAWING NO REV 2510293 F SHEET 14 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Roles Service Cryptographic Keys & CSPs Type(s) of Access Cryptographic TLS Sessions for Cryptographic Security Officer TLS Public Key (RSA Input, Use for signature Officer (Security Officer: Establish a TLS session 2048) verification Officer) with RSA client certificates, Login (open) by authenticating to the cryptographic module via username, and password. Logout (close) by terminating Security Officer Login List (Usernames Input, Use for login via the session upon completion. and Passwords) TLS · TLS HMAC Key (160-bit) Established via · TLS AES Key (128-bit) commercially available · TLS PRF State (takes the TLS Pre- key establishment master Secret, 64-byte random protocol TLS 1.0 number, 13-byte label ­ converts to (protocol version = 3.1); TLS Master Secret) Used with Cipher-Suite · TLS Pre-master Secret (48-byte) "RSA_WITH_AES_128 · TLS Master Secret (48-byte) _CBC_SHA" = {0x00, 0x2F} (RFC 3268). DRNG State (16-byte) Use for random number generation for use in TLS Enigma Public Key (RSA 2048). Output Enigma Private Key (RSA 2048) Use for TLS establishment. Self-Test Via Command Over TLS: Allow the Cryptographic N/A N/A Officer to execute self-tests Table 9. TLS Sessions for Cryptographic Officer Service Role Service Cryptographic Keys & CSPs Type(s) of Access Cryptographic Zeroize via Two-Layer All plaintext CSPs. Zeroization (i.e. active Officer (Security Command overwrite of all memory Officer) locations where the CSPs reside) Table 10. Zeroize via Two-Layer Command Service DRAWING NO REV 2510293 F SHEET 15 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Role Service Cryptographic Keys & CSPs Type(s) of Access User TLS Sessions for Cinema Server · TLS HMAC Key (160-bit) Established via (port #0x0495): · TLS AES Key (128-bit) commercially available cryptographically process I/O · TLS PRF State (takes the TLS Pre- key establishment via the TLS protocol and process master Secret, 64-byte random protocol TLS 1.0 SMPTE ASM commands via the number, 13 byte label ­ converts to (protocol version = 3.1); TLS protocol: TLS Master Secret) Used with Cipher-Suite - GetTime · TLS Pre-master Secret (48-byte) "RSA_WITH_AES_128 - QuerySPB · TLS Master Secret (48-byte) _CBC_SHA" = {0x00, - LEKeyLoad 0x2F} (RFC 3268). - LEKeyQueryID DRNG State (16-byte) Use for random number - LEKeyQueryAll generation for use in - LEKeyPurgeID TLS - LEKeyPurgeAll - PurgeLEKeyID Input, use for AES ECB, - PurgeAllLEKey Show Movie AES key (128-bit) Zeroize. - GetEventID Input, Use for signature - GetEventList Cinema Server Public Key (RSA 2048) verification - BadRequest Enigma Public Key (RSA 2048) Output Use for TLS Enigma Private Key (RSA 2048) establishment. Table 11. TLS Sessions for Cinema Server Service Role Service Cryptographic Keys & CSPs Type(s) of Access User Show Movie: Cryptographically Show Movie AES Key (128-bit) Use for AES ECB. process data with AES ECB using the Show Movie AES key. Table 12. Show Movie Service DRAWING NO REV 2510293 F SHEET 16 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification Role Service Cryptographic Keys & CSPs Type(s) of Access User Log Retrieval: obtain forensic · TLS HMAC Key (160-bit) Use existing session log of public identifiers per DCI · TLS AES Key (128-bit) parameters. Spec v1.2. · TLS PRF State (takes the TLS Pre- master Secret, 64-byte random number, 13-byte label ­ converts to TLS Master Secret) · TLS Pre-master Secret (48-byte) · TLS Master Secret (48-byte) DRNG State (16-byte) Use for random number generation for use in TLS Table 13. Log Retrieval Service Role Service Cryptographic Keys & CSPs Type(s) of Access TI Code Signer Load New Code: update the TI Code Update Public Key (RSA 2048) Input, Use for signature executable code via RSA verification of code signature verification. TI Code Update AES Key (128-bit) Input; Use for decryption of code TI Login List Update AES Key (128-bit) Input and store TI Login List Update Public Key (RSA Input and store 2048) Security Officer Login List Update AES Input and store Key (128-bit) Security Officer Login List Update Public Input and store Key (RSA 2048) CSP AES Key Use for storage Table 14. Load New Code Service DRAWING NO REV 2510293 F SHEET 17 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 7 Unauthenticated Services The cryptographic module supports unauthenticated services that do not use Approved security functions, disclose, modify, substitute CSPs or otherwise affect the security of the module as follows: · Show Status: obtain non-security relevant status items. · Self-tests: perform the full suite of power-on self tests by power cycling the cryptographic module. Note that the following unauthenticated services are accessible by connecting to the cryptographic module through ECDH and TI S-box, the use of which is considered non-security relevant data obfuscation from FIPS 140-2 perspective as related to this cryptographic module; this does not provide any security relevant functions and is not used to protect sensitive unclassified data. The I/O therein is obfuscated to support interoperability with existing legacy equipment and is only used to set and retrieve non-security relevant items. Note that all such services are considered to be plaintext with respect to FIPS 140-2, and do not use the Approved security functions, disclose, modify, or substitute CSPs or otherwise affect the security of the module as follows: · RGB Status output: the cryptographic module outputs status of red-green-blue signal. · Black Status output: the cryptographic module outputs a constant signal of black status. · Read Status: output non-security relevant status information. · Run self-tests via command: perform the full suite of power-on self tests on demand. · Ethernet Port Configuration: used to define the MAC address associated with the Ethernet port · Version: used to read the software, firmware, and login list version information. · Set RTC Time: used to read and write the date and time information. · Serial Number: used to read the serial number of the module. · System Reset: used to reset the module. · Input Data Packing Format: used to configure the module's video input. · Power Mode Select: used to place the module into a low-power mode (or exit a low-power mode). · Security Log: used to retrieve plaintext security log information. · Service Door Tamper Terminate: used to resume monitoring of the service door tamper inputs. DRAWING NO REV 2510293 F SHEET 18 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 8 Physical Security Policy The following table describes: · Physical security mechanisms that are implemented in the cryptographic module · Actions required by the operators to ensure that physical security is maintained Recommended Frequency of Physical Security Mechanisms Inspection/Test Guidance Details Inspection/Test Hard, opaque, tamper evident, Each time the Marriage Inspect all sides of the cryptographic production grade, non-removable Initiation service is performed boundary under a bright light for metal enclosure scratches, gouges, scrapes, and other signs of malice. Tamper evident fasteners (opaque Each time the Marriage Inspect each of the fasteners at the four potting material covering screws) Initiation service is performed corners of the cryptographic boundary, top and bottom, under a bright light for scratches, gouges, scrapes, and other signs of malice. Tamper detection and response N/A Obtain status from the cryptographic zeroization circuitry module during each use. If a tamper event has occurred send the cryptographic module to the manufacturer. Marriage connection Each time the Marriage Inspect the physical connection Initiation service is performed between the cryptographic module and the external host cinema projector. Ensure that no intervening systems are present at the physical connection (e.g. protruding wires, unauthorized components). External Service door connection Prior to each closure of the Inspect the physical connection external service door. between the cryptographic module and the external host cinema projector. Ensure that no intervening systems are present at the physical connection (e.g. protruding wires, unauthorized components). Table 15. Inspection/Testing of Physical Security Mechanisms DRAWING NO REV 2510293 F SHEET 19 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 9 Mitigation of Other Attacks Policy The cryptographic module was not designed to mitigate any specific attacks beyond the scope of FIPS 140-2. Other Mitigation Specific Attacks Mechanism Limitations N/A N/A N/A Table 16. Mitigation of Other Attacks DRAWING NO REV 2510293 F SHEET 20 DLP Cinema® Products Copyright 2010, Texas Instruments ® Security Policy, DLP Cinema , Series 2 Enigma Link Decryptor May only be reproduced in its entirety without modification 10 Appendix 10.1 Glossary/Acronyms AES Advanced Encryption Standard ASM Auditorium Security Messages CO Cryptographic Officer CSP Critical Security Parameter DCI Digital Cinema Initiatives, LLC DRNG Deterministic Random Number Generator ECDH Elliptic Curve Diffie-Hellman EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communications Commission FIPS Federal Information Processing Standard HMAC Hashed Message Authentication Code ICP Integrated Cinema Processor I/O Input/Output KAT Known Answer Test MAC Media Access Control NDRNG Non-deterministic Random Number Generator RGB Red-green-blue RSA Rivest-Shamir-Adleman (public key cryptography algorithm) RTC Real time clock SHA Secure Hash Algorithm SMPTE The Society of Motion Picture and Television Engineers TLS Transport Layer Security DRAWING NO REV 2510293 F SHEET 21