Security Policy FrankIT Postal Revenector FRANCOTYP-POSTALIA FRANCOTYP-POSTALIA Security Policy FrankIT Postal Revenector Version 1.3 Hardware Version: 58.0036.0001.00/05 Firmware Version: 90.0036.0007.00/00 Francotyp-Postalia AG & Co. - Development Department - V. Baum Triftweg 21-26 D-16547 Birkenwerder FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA Table of Contents 1 Introduction ..............................................................................................................................3 1.1 Scope.................................................................................................................................3 1.2 Overview ............................................................................................................................3 1.3 Implementation and Cryptographic Boundary ........................................................................3 2 Security Level............................................................................................................................4 3 Security Rules ...........................................................................................................................5 3.1 FIPS 140-2 Related Security Rules ........................................................................................5 3.2 Postal Related Security Rules ...............................................................................................6 4 Self-Tests..................................................................................................................................7 5 Roles and Services .....................................................................................................................9 5.1 Cryptographic Officer and User.............................................................................................9 5.2 Operator ..........................................................................................................................10 6 Strength of Authentication ........................................................................................................12 7 Critical Security Parameters ......................................................................................................13 8 Service to CSP Access Relationship............................................................................................14 Figures Figure 1-1: View of FrankIT Postal Revenector....................................................................................3 Tables Table 2-1: FIPS 140-2 Security Levels ................................................................................................4 Table 4-1: Self-Tests ........................................................................................................................7 Table 4-2: Security Functions ............................................................................................................7 Table 7-1: CSPs protected by the FrankIT Postal Revenector..............................................................13 Table 8-1: Modes of CSP Accesses ...................................................................................................14 Table 8-2: Service to CSP Access Relationship...................................................................................14 - page 2 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 1 Introduction 1.1 Scope This is a Cryptographic Module Security Policy for the FrankIT Postal Revenector. It was written for the purpose of a FIPS 140-2 validation of the FrankIT Postal Revenector. This Security Policy specifies the security rules under which the FrankIT Postal Revenector must operate. Included in these rules are those derived from the security requirements of FIPS 140-2 and additionally, those imposed by Francotyp Postalia. These rules, in total, define the interrelationship between · The module operators, · Module services, and · Critical security parameters (CSPs) / postal relevant data items (PRDIs). 1.2 Overview The FrankIT Postal Revenector, shown in Figure 1-1, consists of a microprocessor controlled custom circuitry which is mounted on a printed circuit board (PCB). The FrankIT Postal Revenector is typically used in hosting systems of Francotyp Postalia like the Postage Meter MyMail and UltiMail. The FrankIT Postal Revenector performs all of the Postage Meter cryptographic and postal security functions and protects the CSPs and PRDIs from unauthorized access. Figure 1-1: View of FrankIT Postal Revenector 1.3 Implementation and Cryptographic Boundary The FrankIT Postal Revenector is implemented as a multi-chip embedded cryptographic module defined by FIPS 140-2. The cryptographic boundary includes all hardware components, with the exception of the battery, the connector and the LEDs, located on the FrankIT Postal Revenector. The circuitry contained within the cryptographic boundary is enclosed within a tamper detecting hull and potted with hard opaque potting material. These elements both protect the electronic circuitry from unauthorized access and provide tamper evidence, detection and response. All FrankIT Postal Revenector software/firmware is included within the cryptographic boundary. - page 3 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 2 Security Level The FrankIT Postal Revenector is designed to meet the FIPS 140-2 security level 3 overall as shown in Table 2-1. Table 2-1: FIPS 140-2 Security Levels Section Security Requirement Level 1 Cryptographic Module Specification 3 2 Cryptographic Module Ports and Interfaces 3 3 Roles, Services and Authentication 3 4 Finite State Model 3 5 Physical Security 3 + EFP 6 Operational Environment N/A 7 Cryptographic Key Management 3 8 Electromagnetic Interference/ Electromagnetic 3 Compatibility (EMI/IMC) 9 Self-Tests 3 10 Design Assurance 3 11 Mitigation of Other Attacks N/A Additionally the module meets FIPS 140-2 Level 4, Environmental Failure Protection (EFP). - page 4 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 3 Security Rules The FrankIT Postal Revenector shall enforce the following security rules. These rules are separated into two categories, · Those imposed by FIPS 140-2 and, · Those imposed by the "FrankIT - New Generation Digital Franking" specification from the Deutsche Post AG also referred to as DPAG 3.1 FIPS 140-2 Related Security Rules 1. The FrankIT Postal Revenector shall support the following logically distinct interfaces sharing one physical port: · Data input interface · Data output interface · Control input interface · Status output interface · Power interface 2. The FrankIT Postal Revenector shall inhibit all output via the data output interface during self- tests and whenever an error state was entered. 3. The FrankIT Postal Revenector shall logically disconnect the output data path from the processes while performing key generation and zeroization. 4. Critical security Parameters (CSPs) are not permitted to enter the module in an unprotected form. 5. The FrankIT Postal Revenector shall not permit the output of critical security parameters. 6. The FrankIT Postal Revenector shall enforce identity-based authentication. 7. The FrankIT Postal Revenector shall support the following authorized roles: Operator, User and Cryptographic Officer. 8. The FrankIT Postal Revenector shall not retain authentication of an operator when it is powered- up after being powered off. 9. The FrankIT Postal Revenector shall not support a bypass mode. 10. The FrankIT Postal Revenector shall be protected using a hard opaque potting material as coating. 11. The FrankIT Postal Revenector shall be protected by a tamper enclosure. 12. The FrankIT Postal Revenector shall implement environmental failure protection for temperature and voltage. 13. The FrankIT Postal Revenector shall implement all software using a high-level language, except the limited use of low-level languages to enhance performance. 14. The FrankIT Postal Revenector shall protect critical security parameters from unauthorized disclosure, modification and substitution. 15. The FrankIT Postal Revenector shall provide means to ensure that a key entered into or stored within is associated with the correct entities to which the key is assigned. 16. The FrankIT Postal Revenector shall deny unauthorized access to plaintext secret and private keys contained within the FrankIT Postal Revenector. 17. The FrankIT Postal Revenector shall provide the capability to zeroize all critical security parameters contained within the FrankIT Postal Revenector. 18. The FrankIT Postal Revenector shall support the following FIPS approved security functions: · Single DES (CBC-MAC and ECB mode; for legacy systems only) · Triple DES Encrypt, Decrypt (ECB and CBC mode) · RSA Sign, Verify as specified in PKCS#1 · SHA-1 as specified in FIPS 180-2 - page 5 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA · HMAC SHA-1 as specified in FIPS 198 19. The FrankIT Postal Revenector shall support the following non-approved security functions: · Diffie-Hellman key agreement as specified in ANSI X9.42 · RSA Decrypt as specified in PKCS #1 20. The FrankIT Postal Revenector shall support a FIPS approved pseudo random number generator (PRNG) as specified in FIPS 186-2 Appendix 3.1 21. The FrankIT Postal Revenector shall conform to the EMI/EMC requirements specified in FCC Part 15, Subpart B, Class B. 22. The FrankIT Postal Revenector shall perform the self tests during power on and on demand listed in section 4 23. The FrankIT Postal Revenector shall output an error indicator via the status interface whenever an error state is entered due to a failed self-test. 24. The FrankIT Postal Revenector shall not perform any cryptographic functions while in an error state. 25. The FrankIT Postal Revenector shall not support multiple concurrent operators. 26. The FrankIT Postal Revenector shall only provide a FIPS mode of operation. 3.2 Postal Related Security Rules The FrankIT Postal Revenector shall protect the postal relevant data items (PRDIs) against unauthorized substitution or modification. 1. PRDIs are not security relevant and shall never be zeroized by the FrankIT Postal Revenector. 2. The FrankIT Postal Revenector shall comply to the specifications given in the "FrankIT-New Generation Digital Franking" specification from the DPAG. 3. The FrankIT Postal Revenector shall provide mechanisms to disable the Accounting-Service when it is not connected to its infrastructure on a regular basis. 4. The FrankIT Postal Revenector shall provide mechanisms to disable the Accounting-Service when it detects its physical removal from its hosting system. 5. The FrankIT Postal Revenector shall provide a service mode which dumps out the PRDIs even if the microprocessor is inoperable. - page 6 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 4 Self-Tests The following section lists the self-tests which are performed on power up, on demand and continuously. All FIPS approved and non-approved security functions that are used in the FrankIT Postal Revenector are listed, too. Table 4-1: Self-Tests Name Type Description Software firmware integrity test Persistent Power Up Try to load all persistent objects from NVRAM into RAM data to check whether their contents, sizes and checksums are consistency correct. System Power Up Check internal system exceptions (tamper event, battery Exceptions power alarm, NVRAM power fail) Software Power Up & On Check CRC16 of internal system software integrity test Demand Critical function test Register Power Up & on Check the consistency of the postal registers. consistency Demand & test continuously The function is called continuously before each register manipulation as a precondition of the following manipulation (finance function). Big Number Power Up & on Checks the import/export functionality for big numbers function test demand using known values Cryptographic algorithm test Security Power Up (except For details see Table 4-2. Function statistical PRNG) & tests and on Demand Table 4-2: Security Functions Security Approved SF Type of self-test Conditional test Function (SF) TDES Yes, NIST KAT of all modes on power Odd parity and weak Certificate #39 up and on demand. key check. - page 7 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA Security Approved SF Type of self-test Conditional test Function (SF) SHA-1 Yes, NIST KAT on power up and on None. Certificate #43 demand. DES Yes, NIST KAT of all modes on power up Odd parity and weak key Certificate #108 and on demand. check. RSA Yes. Known answer test (KAT) on On key generation: Vendor affirmed. power up and on demand. see FIPS 140-2 section Implementation 4.9.2 pairwise consistency according to test 3. PKCS#1 Diffie-Hellman No. KAT on power up and on On key generation: Key Agreement Implementation demand. see FIPS 140-2 section according to 4.9.2 pairwise consistency ANSI X9.42 test 2. HMAC Yes. KAT on power up and on None Vendor affirmed. demand. Implementation according to FIPS 198. PRNG Yes. KAT on power up and on On usage: Implementation demand. see FIPS 140-2 section according to FIPS FIPS 140-2 (section 4.9.1) 4.9.2 Continuous RNG 186-2 Appendix compliant test on demand test 1. 3.1 - page 8 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 5 Roles and Services The FrankIT Postal Revenector shall support three distinct roles. These roles are: · Cryptographic Officer · User · Operator All services which do not read, update, modify or generate critical security parameters (CSPs) do not require authentication. These are the following Services: Echo This service receives arbitrary bytes and returns a copy of them back to the sender. Reboot Device This service reboots the module. Get Status This service requests status output (e.g., PRDIs and self-test result). Invalidate Software This service invalidates the loaded FIPS 140-2 validated software. During the next start-up of the device the device enters the FIPS approved Revenector mode (see. FIPS 140-2 Validation Certificate 361). In the Revenector mode the FrankIT Postal Revenector firmware can be updated according to the rules of the Revenector mode. Creation This service enters initial postal parameters (PRDIs). Scrap This service explicitly zeroizes all CSPs and sets the module out of operation. Self-Test The service runs the self tests and returns the result. Setup Parameters This service allows to enter parameters used by other services. Get Log Information This service requests status (logged events). Lock Out This service explicitly disables the Accounting-Service until the PVD-Service was performed successfully. Reset HS-Loop This service re-enables the Accounting-Service after being moved between host systems Get Certificate This service requests status (stored certificates of public keys) 5.1 Cryptographic Officer and User The Cryptographic Officer is authenticated using an identity based authentication method. This method is based on two pairs of asymmetric keys and distinguished names. The public parts and distinguished names are known to each other party. The FrankIT Postal Revenector and the Cryptographic Officer are able to identify and authenticate themselves by verifying the exchanged distinguished name and signature of each other. In addition the Diffie-Hellman key agreement protocol can be used to exchange secret keys for further key encryption and continuous authentication of data exchange. The User is also authenticated using an identity based authentication method. This method is based on two pairs of asymmetric keys and distinguished names. The public parts and distinguished names are known to each other party. The FrankIT Postal Revenector and the User are able to identify and authenticate themselves by verifying the exchanged distinguished name and signature of each other. In addition the Diffie-Hellman key agreement protocol can be used to exchange secret keys for further key encryption and continuous authentication of data exchange. - page 9 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA The Cryptographic Officer and User Role shall provide those services necessary to initialize, authorize and validate the FrankIT Postal Revenector. Furthermore these roles are provided all services that enter, modify or generate critical security parameters. The Francotyp Postalia Infrastructure Server assumes the Cryptographic Officer and User roles. The following services are provided in these roles and require authentication: Enter PKM Certificate This service enters the country specific infrastructure certificate and therewith introduces the Cryptographic Officer and the User. PKM stands for Public Key Management. The country specific infrastructure certificate is typically abbreviated as PKM certificate. Renew PKM Certificate This service re-enters the country specific infrastructure certificate. Generate DPAG Key Pair This service performs the first-time generation of a DPAG1 key pair inside the FrankIT Postal Revenector. Rekey DPAG Key Pair This service performs a replacement for an existing DPAG key pair. Secure Echo This service is used for authenticated testing purposes. Postage Value Download This service audits the PRDIs of the module and on success downloads (PVD) postage from the country specific infrastructure. Withdraw This service audits the PRDIs of the module and on success refunds the remaining postage of the module back to the country specific infrastructure. Reenter FP-MAC Key This service enters the FP-MAC Verification Key in encrypted format. Rekey PSD2 Key This service rekeys the FrankIT Postal Revenector Key inside of the module. Initialization This service performs the postal Initialization-Function as specified by the postal authority (setup of PRDIs). It initially prepares the FrankIT Postal Revenector for operation in a Host System. Authorization This service performs the postal Authorization-Function as specified by the postal authority (setup of PRDIs). It prepares the FrankIT Postal Revenector for operation at a customer site by entering customer specific PRDIs and disables the Authorization-Service. Re-Initialization This service changes the internal lifecycle state of the module (PRDI). It re-enables the module for another postal Authorization-Function. Secure Get Status This service requests authenticated status output. 5.2 Operator The Operator performs services on behalf-of the User and Cryptographic Officer role. The Operator is the end user of the postal meter that shall perform postal related services. The following services are provided to the Operator Role: 1 DPAG is the abbreviation for Deutsche Post AG, the German postal authority. 2 PSD is the abbreviation for Postal Security Device. The term PSD is typically used by the postal authorities. - page 10 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA Account Administration This service supports customer privilege levels to access postal specific services as listed below. Accounting This service requests to perform postal indicium creation by modifying the PRDIs in accordance to the requirements of the postal authority. Verify MAC This service performs verification of data which was provided to the module. - page 11 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 6 Strength of Authentication To meet the requirements for strength of authentication, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur. This requirement is met by the above-specified authentication methods as follows: The size of the RSA key used to authenticate each role is at least 1024 bits. For multiple attempts to use the authentication mechanism during a one-minute period, the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. In order to satisfy this requirement, the module must enforce a limit of 1667 attempts per second or a minimum time delay of 6 ms between two attempts. This time is granted by the implementation by a time delay of 6 ms after a false attempt. - page 12 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 7 Critical Security Parameters The FrankIT Postal Revenector protects several critical security parameters described in Table 7-1. Table 7-1: CSPs protected by the FrankIT Postal Revenector Name Abbreviation Type of Key Purpose 2 PSD Transport Signing TSK 1024 bit RSA key Serves to properly recognize FrankIT (private) Key Postal Revenectors after they have been shipped to their final country and establish initial secure session (Crypto Officer Login) to upload the first PSD2 Key certificate. PSD2 Signing (private) PSK 1024 bit RSA key Serves to setup regular secure sessions Key (Crypto Officer Login) for communication between the FrankIT Postal Revenector and the FP Data Center. MAC Verification Key MVK 112 bit TDES key Serves to derive a Record Verification Key. Record Verification Key RVK 56 bit DES key Serves to authenticate FP specific data records from an existing legacy infrastructure system. Ephemeral Diffie- EDH 2048 bit DH key Serves to derive session keys for the Hellman agreement Cryptographic Officer (secure session) Session Authentication SAK 160 bit HMAC SHA-1 Serves to authenticate data during a Key key secure session. Session Encryption Key SEK 112 bit TDES key Serves to encrypt and decrypt data during a secure session. State of Pseudo RNGS N/A Internal state of the Pseudo RNG. The Random Number value is changed by every random Generator generation of the FrankIT Postal Revenector. Indicia Key (msecret) ISK 112 bit TDES key Used as specified in the FrankIT (effective strength of specification. this key is only 80 bits) DPAG Decryption Key DPAGDK 1024 bit RSA key Serves for key un-wrapping - page 13 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA 8 Service to CSP Access Relationship The FrankIT Postal Revenector distinguishes between the following modes of access: Table 8-1: Modes of CSP Accesses Mode Description I The CSP will be initialized U The CSP will be internally used (optional on demand) M The CSP will be modified and written E The CSP will be entered G The CSP will be generated Z The CSP will be zeroized D The CSP will be derived using other CSPs Table 8-2: Service to CSP Access Relationship CSP User-Role Operator DPAGDK CO-Role Authorized RNGS MVK Role EDH RVK SAK PSK SEK TSK ISK Service Renew PKM Certificate U D,U,Z U,Z M x Enter PKM Certificate x Generate DPAG Key Pair G Rekey DPAG Key Pair U,G Secure Echo U D,U,Z U,Z M x Postage Value Download U E U D,U,Z U,Z M x Withdraw U E D,U,Z U,Z M x Reenter FP-MAC Key U M D,U,Z U,Z U,Z M x 2 Re-key PSD Key U,G D,U,Z U,Z M x Initialization U G M D,U,Z U,Z U,Z M x Authorization U D,U,Z U,Z M x Re-Initialization U D,U,Z U,Z M x Accounting U M x Account Administration x Verify MAC U D,U x Get Secure Status D,U,Z U,Z U M x Scrap Z Z Z Z Z Z Z x x x Echo x x x Reboot Device x x x Get Status x x x Invalidate Software x x x Creation x x x - page 14 of 15 - Version 1.3 NON-CONFIDENTIAL FrankIT Postal Revenector Security Policy FRANCOTYP-POSTALIA Self-Test x x x Setup Parameters x x x Get Log Information x x x Lock Out x x x Reset HS-Loop x x x Get Certificate x x x - page 15 of 15 - Version 1.3 NON-CONFIDENTIAL