HP FIPS 140-2 Supplementary Manual

© 2008 Hewlett-Packard Company
This document may be freely reproduced in its original entirety.

HP StorageWorks Secure Key Manager
(Hardware P/N AJ087B, Version 1.1; Firmware Version: 1.1)

FIPS 140-2 Security Policy
Level 2 Validation
Document Version 0.7
December 4, 2008
Security Policy, version 1.0 January 31, 2008
HP StorageWorks Secure Key Manager

Table of Contents

1 INTRODUCTION
  1.1 Purpose
  1.2 References
2 HP STORAGEWORKS SECURE KEY MANAGER
  2.1 Overview
  2.2 Cryptographic Module Specification
  2.3 Module Interfaces
  2.4 Roles, Services, and Authentication
    2.4.1 Crypto Officer Role
    2.4.2 User Role
    2.4.3 HP User Role
    2.4.4 Cluster Member Role
    2.4.5 Authentication
    2.4.6 Unauthenticated Services
  2.5 Physical Security
  2.6 Operational Environment
  2.7 Cryptographic Key Management
    2.7.1 Keys and CSPs
    2.7.2 Key Generation
    2.7.3 Key/CSP Zeroization
  2.8 Self-Tests
  2.9 Mitigation of Other Attacks
3 SECURE OPERATION
  3.1 Initial Setup
  3.2 Initialization and Configuration
    3.2.1 First-Time Initialization
    3.2.2 FIPS Mode Configuration
  3.3 Physical Security Assurance
  3.4 Key and CSP Zeroization
  3.5 Error State
ACRONYMS
Table of Figures

Figure 1 – Deployment Architecture of the HP StorageWorks Secure Key Manager
Figure 2 – Block Diagram of SKM
Figure 3 – Front Panel LEDs
Figure 4 – Rear Panel Components
Figure 5 – Rear Panel LEDs
Figure 6 – FIPS Compliance in CLI
Figure 7 – FIPS Compliance in Web Administration Interface
Figure 8 – Tamper-Evidence Labels
Figure 9 – Tamper-Evidence Labels over Power Supplies
Table of Tables

Table 1 – Security Level per FIPS 140-2 Section
Table 2 – Logical Interface and Physical Ports Mapping
Table 3 – Front Panel LED Definitions
Table 4 – Rear Panel Components Descriptions
Table 5 – Rear Panel LED Definitions
Table 6 – Crypto Officer Services
Table 7 – User Services
Table 8 – HP User Services
Table 9 – Cluster Member Services
Table 10 – Roles and Authentications
Table 11 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs for SSH
Table 12 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs for TLS
Table 13 – Cipher Suites Supported by the Module’s TLS Implementation in FIPS Mode
Table 14 – Other Cryptographic Keys, Cryptographic Key Components, and CSPs
Table 15 – Acronyms
1 Introduction

1.1 Purpose

This document is a non-proprietary Cryptographic Module Security Policy for the HP StorageWorks Secure Key Manager (SKM) from Hewlett-Packard Company. Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, specifies the U.S. and Canadian Governments’ requirements for cryptographic modules. The following pages describe how HP’s SKM meets these requirements and how to use the SKM in a mode of operation compliant with FIPS 140-2. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the HP StorageWorks Secure Key Manager.

More information about FIPS 140-2 and the Cryptographic Module Validation Program (CMVP) is available at the website of the National Institute of Standards and Technology (NIST): http://csrc.nist.gov/groups/STM/cmvp/index.html.

In this document, the HP StorageWorks Secure Key Manager is referred to as the SKM, the module, or the device.

1.2 References

This document deals only with the operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

• The HP website (http://www.hp.com) contains information on the full line of products from HP.
• The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains contact information for answers to technical or sales-related questions for the module.
2 HP StorageWorks Secure Key Manager

2.1 Overview

HP provides a range of security products for banking, the Internet, and enterprise security applications. These products use encryption technology—often embedded in hardware—to safeguard sensitive data, such as financial transactions over private and public networks and to offload security processing from the server.

The HP StorageWorks Secure Key Manager is a hardened server that provides security policy and key management services to encrypting client devices and applications. After enrollment, clients, such as storage systems, application servers and databases, make requests to the SKM for creation and management of cryptographic keys and related metadata.

Client applications can access the SKM via its Key Management Service (KMS) server. Configuration and management can be performed via web administration, Secure Shell (SSH), or serial console. Status-monitoring interfaces include a dedicated FIPS status interface, a health check interface, and Simple Network Management Protocol (SNMP).

The deployment architecture of the HP StorageWorks Secure Key Manager is shown in Figure 1 below.

[Figure 1 – Deployment Architecture of the HP StorageWorks Secure Key Manager. Diagram labels: Web Server, Application Server, Database, Storage System, HP StorageWorks Secure Key Manager]

2.2 Cryptographic Module Specification

The HP StorageWorks Secure Key Manager is validated at FIPS 140-2 section levels shown in Table 1 – Security Level per FIPS 140-2 Section.
Table 1 – Security Level per FIPS 140-2 Section

| Section | Section Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 3 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 3 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 2 |
| 8 | EMI/EMC | 2 |
| 9 | Self-Tests | 2 |
| 10 | Design Assurance | 2 |
| 11 | Mitigation of Other Attacks | N/A |

The block diagram of the module is given in Figure 2 – Block Diagram of SKM. The cryptographic boundary is clearly shown in the figure.

[Figure 2 – Block Diagram of SKM]

In the FIPS mode of operation, the module implements the following Approved algorithms:

• Advanced Encryption Standard (AES) encryption and decryption: 128, 192, and 256 bits, in Electronic Codebook (ECB) and Cipher Block Chaining (CBC) modes (certificate #653)
• Triple Data Encryption Standard (3DES) encryption and decryption: 112 and 168 bits, in ECB and CBC modes (certificate #604)
• Secure Hash Algorithm (SHA)-1, SHA-256, SHA-384, SHA-512 (certificate #847)
• Keyed-Hash Message Authentication Code (HMAC) SHA-1 and HMAC SHA-256 (certificate #470)
• Rivest, Shamir, and Adleman (RSA) American National Standard Institute (ANSI) X9.31 key generation, signature generation, and signature verification: 1024 and 2048 bits (certificate #302)
• Digital Signature Algorithm (DSA) PQG generation, key generation, signature generation, and signature verification: 1024 bits (certificate #244)
• ANSI X9.31 Appendix A.2.4 with 2-key 3DES Deterministic Random Number Generator (DRNG) (certificate #375)
• Diffie-Hellman key agreement (SP 800-56A, vendor affirmed; key establishment methodology provides 80 bits of encryption strength)

In the FIPS mode of operation, the module implements the following non-approved algorithms:

• A non-approved Random Number Generator (RNG) to seed the ANSI X9.31 DRNG
• The following commercially-available protocols for key establishment:
  o Transport Layer Security (TLS) 1.0/Secure Socket Layer (SSL) 3.1 protocol using RSA 1024 and 2048 bits for key transport. Caveat: The RSA 1024- and 2048-bit key wrapping and key establishment provide 80 and 112 bits of encryption strength, respectively.

In the non-FIPS mode of operation, the module also implements DES, MD5, RC4, and 512- and 768-bit RSA for signature generation and verification, and key establishment.

2.3 Module Interfaces

FIPS 140-2 defines four logical interfaces:

• Data Input
• Data Output
• Control Input
• Status Output

The module features the following physical ports and LEDs:

• Serial port (RS232 DB9)
• Ethernet 10/100/1000 RJ-45 ports (Network Interface Card [NIC], quantity: 2)
• Mouse port (PS/2)
• Keyboard port (PS/2)
• Monitor port (VGA DB15)
• Power input (115VAC)
• LEDs (six on the front panel and seven on the rear panel)

The logical interfaces and their physical port mappings are described in Table 2 – Logical Interface and Physical Ports Mapping.
Table 2 – Logical Interface and Physical Ports Mapping

| Logical Interface | Physical Ports |
|---|---|
| Data Input | Keyboard, serial, Ethernet |
| Data Output | Monitor, serial, Ethernet |
| Control Input | Keyboard, mouse, serial, Ethernet |
| Status Output | Monitor, serial, Ethernet, LEDs |

There are no buttons or ports on the front panel. There are six LEDs on the front panel. See Figure 3 – Front Panel LEDs.
[Figure 3 – Front Panel LEDs]

Descriptions of the LEDs are given in Table 3 – Front Panel LED Definitions.

Table 3 – Front Panel LED Definitions

| Item | Description | Status |
|---|---|---|
| 1 | Power On/Standby button and system power LED | Green = System is on. Amber = System is shut down, but power is still applied. Off = Power cord is not attached, power supply failure has occurred, no power supplies are installed, facility power is not available, or disconnected power button cable. |
| 2 | Unit Identifier (UID) button/LED | Blue = Identification is activated. Off = Identification is deactivated. |
| 3 | Internal health LED | Green = System health is normal. Amber = System health is degraded. To identify the component in a degraded state, refer to “HP Systems Insight Display and LEDs”. Red = System health is critical. To identify the component in a critical state, refer to “HP Systems Insight Display and LEDs”. Off = System health is normal (when in standby mode). |
| 4 | External health LED (power supply) | Green = Power supply health is normal. Amber = Power redundancy failure occurred. Off = Power supply health is normal when in standby mode. |
| 5 | NIC 1 link/activity LED | Green = Network link exists. Flashing green = Network link and activity exist. Off = No link to network exists. If power is off, the front panel LED is not active. View the LEDs on the RJ-45 connector for status by referring to the rear panel LEDs. |
| 6 | NIC 2 link/activity LED | Green = Network link exists. Flashing green = Network link and activity exist. Off = No link to network exists. If power is off, the front panel LED is not active. View the LEDs on the RJ-45 connector for status by referring to the rear panel LEDs. |

The components on the rear panel are illustrated in Figure 4 – Rear Panel Components.
[Figure 4 – Rear Panel Components]

Descriptions of components on the rear panel are given in Table 4 – Rear Panel Components Descriptions.

Table 4 – Rear Panel Components Descriptions

| Item | Definition |
|---|---|
| 1 | PCI Express expansion slot 1 (Blocked) |
| 2 | PCI Express expansion slot 2 (Blocked) |
| 3 | Power supply bay 2 |
| 4 | Power supply bay 1 |
| 5 | NIC connector 1 (Ethernet) |
| 6 | NIC connector 2 (Ethernet) |
| 7 | Keyboard connector |
| 8 | Mouse connector |
| 9 | Video connector |
| 10 | Serial connector |
| 11 | Universal Serial Bus (USB) connector 1 (Blocked) |
| 12 | USB connector 2 (Blocked) |
| 13 | Integrated Lights-Out (iLO) 2 NIC connector (Blocked) |

The seven LEDs on the rear panel are illustrated in Figure 5 – Rear Panel LEDs.

[Figure 5 – Rear Panel LEDs]
Descriptions of LEDs on the rear panel are given in Table 5 – Rear Panel LED Definitions.

Table 5 – Rear Panel LED Definitions

| Item | Description | Status |
|---|---|---|
| 1 | 10/100/1000 NIC 1 activity LED | Green = Activity exists. Flashing green = Activity exists. Off = No activity exists. |
| 2 | 10/100/1000 NIC 1 link LED | Green = Link exists. Off = No link exists. |
| 3 | 10/100/1000 NIC 2 activity LED | Green = Activity exists. Flashing green = Activity exists. Off = No activity exists. |
| 4 | 10/100/1000 NIC 2 link LED | Green = Link exists. Off = No link exists. |
| 5 | UID LED | Blue = Identification is activated. Off = Identification is deactivated. |
| 6 | Power supply 2 LED | Green = Normal. Off = System is off or power supply has failed. |
| 7 | Power supply 1 LED | Green = Normal. Off = System is off or power supply has failed. |

2.4 Roles, Services, and Authentication

The module supports four authorized roles:

• Crypto Officer
• User
• HP User
• Cluster Member

All roles require identity-based authentication.

2.4.1 Crypto Officer Role

The Crypto Officer accesses the module via the Web Management Console and/or the Command Line Interface (CLI). This role provides all services that are necessary for the secure management of the module. Table 6 shows the services for the Crypto Officer role under the FIPS mode of operation. The purpose of each service is shown in the first column (“Service”), and the corresponding function is described in the second column (“Description”). The keys and Critical Security Parameters (CSPs) in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.

Table 6 – Crypto Officer Services

| Service | Description | Keys/CSPs |
|---|---|---|
| Authenticate to SKM | Authenticate to SKM with a username and the associated password | Crypto Officer passwords – read; TLS/SSH keys – read |
| Perform first-time initialization | Configure the module when it is used for the first time | Crypto Officer (admin) password – write; Kdsa public/private – write; Krsa private – write; Krsa private – write; Log signing RSA key – write; Log signature verification RSA key – write; KRsaPub – write; KRsaPriv – write. |
| Upgrade firmware | Upgrade firmware (firmware must be FIPS-validated) | Firmware upgrade key – read |
| Configure FIPS mode | Enable/disable FIPS mode | None |
| Manage keys | Manage all client keys that are stored within the module. This includes the generation, storage, export (only public keys), import, and zeroization of keys. | Client keys – write, read, delete; PKEK – write, read, delete. |
| Manage clusters | Manage all clusters that are defined within the module. This includes the creation, joining, and removal of a cluster from the module. | Cluster Member passwords – write, delete |
| Manage services | Manage all services supported by the module. This includes the starting and stopping of all services. | None |
| Manage operators | Create, modify, or delete module operators (Crypto Officers and Users). | Crypto Officer passwords – write, delete; User passwords – write, delete |
| Manage certificates | Create/import/revoke certificates | KRsaPub – write, read, delete; KRsaPriv – write, read, delete; CARsaPub – write, read, delete; CARsaPriv – write, read, delete; Client RSA public keys – read. |
| Reset factory settings | Rollback to the default firmware shipped with the module | All keys/CSPs – delete |
| Restore default configuration | Delete the current configuration file and restores the default configuration settings | None |
| Restore configuration file | Restore a previously backed up configuration file | None |
| Backup configuration file | Back up a configuration file | None |
| Zeroize all keys/CSPs | Zeroize all keys and CSPs in the module | All keys and CSPs – delete |

2.4.2 User Role

The User role is associated with external applications or clients that connect to the KMS via its XML interface. Users in this role may exercise services—such as key generation and management—based on configured or predefined permissions. See Table 7 – User Services for details. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.
Table 7 – User Services

| Service | Description | Keys/CSPs |
|---|---|---|
| Authenticate to SKM | Authenticate to SKM with a username and the associated password | User passwords – read |
| Generate key | Generate a cryptographic key | Client keys – write; PKEK – write. |
| Modify key meta data | Change the key owner or update/add/delete the custom attributes | None |
| Delete key | Delete a cryptographic key | Client keys – delete; PKEK – delete. |
| Query key meta data | Output key names and meta data that the User is allowed to access | Client keys – read; PKEK – read. |
| Import key | Import key | Client keys – write; PKEK – write. |
| Export key | Export a cryptographic key | Client keys – read; PKEK – read. |
| Export Certificate | Export a certificate | Client certificate – read |
| Clone Key | Clone an existing key under a different key name | Client keys – write, read; PKEK – write, read. |
| Generate random number | Generate a random number | ANSI X9.31 DRNG seed – write, read, delete |
| Manage operators | Only users with administration permission can create, modify, or delete module operators | User passwords – write, delete |

2.4.3 HP User Role

The HP User role can reset the module to an uninitialized state in the event that all Crypto Officer passwords are lost, or when a self-test permanently fails. See Table 8 – HP User Services. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.

Table 8 – HP User Services

| Service | Description | Keys/CSPs |
|---|---|---|
| Authenticate to the module | Authenticate to SKM with a signed token | HP User RSA public key – read |
| Reset factory settings | Rollback to the default firmware shipped with the module | All keys/CSPs – delete |
| Restore default configuration | Delete the current configuration file and restores the default configuration settings | None |
| Zeroize all keys/CSPs | Zeroize all keys/CSPs in the module | All keys/CSPs – delete |

2.4.4 Cluster Member Role

The Cluster Member role is associated with other SKMs that can connect to this SKM and access cluster services. See Table 9 – Cluster Member Services. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.

Table 9 – Cluster Member Services

| Service | Description | Keys/CSPs |
|---|---|---|
| Authenticate Cluster Member | Authenticate to SKM via TLS | Cluster Member passwords – read; Cluster key – read; Cluster Member RsaPub – read |
| Receive Configuration File | Update the module’s configuration settings | None |
| Zeroize Key | Delete a specific key | Cluster key – delete |
| Backup Configuration File | Back up a configuration file | None |

2.4.5 Authentication

The module performs identity-based authentication for the four roles. Two authentication schemes are used: authentication with certificate in TLS and authentication with password. See Table 10 – Roles and Authentications for a detailed description.

Table 10 – Roles and Authentications

| Role | Authentication |
|---|---|
| Crypto Officer | Username and password with optional digital certificate |
| User | Username and password and/or digital certificate |
| HP User | Digital certificate |
| Cluster Member | Digital certificate over TLS |

The 1024-bit RSA signature on a digital certificate provides 80-bits of security. There are $2^{80}$ possibilities. The probability of a successful random guess is $2^{-80}$. Since $10^{-6} \gg 2^{-80}$, a random attempt is very unlikely to succeed. At least 80 bits of data must be transmitted for one attempt. (The actual number of bits that need to be transmitted for one attempt is much greater than 80. We are considering the worst case scenario.)
The processor used by the module has a working frequency of 3.0 gigabytes, hence, at most $60 \times 3.0 \times 10^{9}$ bits of data can be transmitted in 60 seconds. Since 80 bits are necessary for one attempt, at most $(60 \times 3.0 \times 10^{9})/80 = 2.25 \times 10^{9}$ attempts are possible in 60 seconds. However, there exist $2^{80}$ possibilities. $(2.25 \times 10^{9})/2^{80} = 1.86 \times 10^{-15} \ll 10^{-5}$. The probability of a successful certificate attempt in 60 seconds is considerably less than $10^{-5}$.

Passwords in the module must consist of eight or more characters from the set of 90 human-readable numeric, alphabetic (upper and lower case), and special character symbols. Excluding those combinations that do not meet password constraints (see Section 2.7.1 – Keys and CSPs), the size of the password space is about $60^{8}$. The probability of a successful random guess is $60^{-8}$. Since $10^{-6} \gg 60^{-8}$, a random attempt is very unlikely to succeed. After six unsuccessful attempts, the module will be locked down for 60 seconds; i.e., at most six trials are possible in 60 seconds. Since $10^{-5} \gg 6 \times 60^{-8}$, the probability of a successful password attempt in 60 seconds is considerably less than $10^{-5}$.

2.4.6 Unauthenticated Services

The following services do not require authentication:

• SNMP statistics
• FIPS status services
• Health check services
• Network Time Protocol (NTP) services
• Initiation of self-tests by rebooting the SKM
• Negotiation of the XML protocol version for communications with the KMS

SNMP is used only for sending statistical information (SNMP traps). FIPS status and health check are status-report services, unrelated to security or cryptography. NTP is a date/time synchronization service that does not involve keys or CSPs. Initiation of self-tests and negotiation of the XML protocol version do not involve keys or CSPs.

2.5 Physical Security

The module was tested and found conformant to the EMI/EMC requirements specified by Title 47 of the Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (that is, for business use).

The HP StorageWorks Secure Key Manager is a multi-chip standalone cryptographic module. The entire contents of the module, including all hardware, software, firmware, and data, are enclosed in a metal case. The case is opaque and must be sealed using tamper-evident labels in order to prevent the case cover from being removed without signs of tampering. All circuits in the module are coated with commercial standard passivation. Once the module has been configured to meet FIPS 140-2 Level 2 requirements, the module cannot be accessed without signs of tampering. See Section 3.3 – Physical Security Assurance of this document for more information.
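The authentication-strength arithmetic of Section 2.4.5, carried through with exact fractions (an added example, not part of HP's security policy). It checks the certificate and password mechanisms against the $10^{-6}$ single-attempt and $10^{-5}$ per-minute figures that section compares with, and goes one step further by evaluating a hypothetical password check with no lockout; the function names are illustrative, and reusing the policy's $2.25 \times 10^{9}$ attempts-per-minute bound as a password-guessing rate is an assumption.

```python
from fractions import Fraction

# Limits that Section 2.4.5 compares against.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 10**6)  # one random attempt
PER_MINUTE_LIMIT = Fraction(1, 10**5)      # all attempts made within 60 seconds


def auth_strength(space_size, attempts_per_minute):
    """Return (p_single, p_minute, meets_single, meets_minute) for one mechanism."""
    p_single = Fraction(1, space_size)
    # Same bound the policy uses: attempts x per-attempt probability, capped at 1.
    p_minute = min(Fraction(1), attempts_per_minute * p_single)
    return (p_single, p_minute,
            p_single < SINGLE_ATTEMPT_LIMIT, p_minute < PER_MINUTE_LIMIT)


def certificate_attempts_per_minute(bits_per_second=3 * 10**9, bits_per_attempt=80):
    """The policy's worst case: every bit moved in 60 s is spent on 80-bit guesses."""
    return (60 * bits_per_second) // bits_per_attempt


def min_password_length(effective_alphabet, attempts_per_minute):
    """Smallest password length for which both limits hold."""
    length = 1
    while True:
        _, _, ok_single, ok_minute = auth_strength(
            effective_alphabet ** length, attempts_per_minute)
        if ok_single and ok_minute:
            return length
        length += 1


def policy_cases():
    """The two cases from the policy plus one hypothetical no-lockout case."""
    rate = certificate_attempts_per_minute()
    return {
        "certificate, 2^80 space, bandwidth-limited": auth_strength(2**80, rate),
        "password, 60^8 space, 6 tries per 60 s": auth_strength(60**8, 6),
        # Hypothetical (assumption): no lockout, guesses arrive at the same
        # worst-case rate the policy derives for certificate attempts.
        "password, 60^8 space, no lockout": auth_strength(60**8, rate),
    }


if __name__ == "__main__":
    for name, (p1, pm, ok1, okm) in policy_cases().items():
        print(f"{name}: single={float(p1):.3e} ({'ok' if ok1 else 'FAIL'}), "
              f"per-minute={float(pm):.3e} ({'ok' if okm else 'FAIL'})")
    rate = certificate_attempts_per_minute()
    print("minimum length with lockout:", min_password_length(60, 6))
    print("minimum length without lockout:", min_password_length(60, rate))
```

With the effective alphabet of about 60 symbols, the eight-character minimum leaves a wide margin only because of the six-attempt lockout; at the assumed unthrottled rate the per-minute bound is not met until nine characters.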
2.6 Operational Environment The operational environment req uirements do not appl y to the HP StorageWor ks Secure Key Manager —the module does not provi de a general purpose operating syst em and only allows the updating of im age components after checking an RSA signature on the ne w firmware image. Crypto Officers can install a new firmware image on the SKM by downloading the image to the S KM. This im age is signed by an RSA private key (which never e nters the module). The SKM verifies t he signature on the new firmware im age using the p ublic key stored i n the module. If the verificatio n passes, the upgrade is allowe d. Otherwi s e the upgrade process fails a nd the old image is reused. 2.7 Cryptographic Key Management 2.7.1 Keys and CSPs The SSH and TLS protocols employed by the FIPS m ode of the modu le are security-rel ated. Table 11 – List of Cryptograp hic Keys, Cryptogra phic Key Com ponents, and CSPs f or SSH and Table 12 – Li st of Cryptogra phic Keys, Cryptograp hic Key Compone nts, and CSPs for TLS, i ntroduce cryptogra phic keys, key com ponents, an d CSPs involve d in the two protocols , respectively . Table 11 – List of Cry ptographic Key s, Cryptographic Key Components, and CSPs for SSH Key Key Type Generation / Input Output Storage Zeroization Use
| Key | Key Type | Generation / Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| DH public param | 1024-bit Diffie-Hellman public parameters | Generated by ANSI X9.31 DRNG during session initialization | In plaintext | In volatile memory | Upon session termination | Negotiate SSH Ks and SSH Khmac |
| DH private param | 1024-bit Diffie-Hellman private parameters | Generated by ANSI X9.31 DRNG during session initialization | Never | In volatile memory | Upon session termination | Negotiate SSH Ks and SSH Khmac |
| Kdsa public | 1024-bit DSA public keys | Generated by ANSI X9.31 DRNG during first-time initialization | In plaintext | In non-volatile memory | At operator delete or zeroize request | Verify the signature of the server’s message. |
| Kdsa private | 1024-bit DSA private keys | Generated by ANSI X9.31 DRNG during first-time initialization | Never | In non-volatile memory | At operator delete or zeroize request | Sign the server’s message. |
| Krsa public | 1024-bit RSA public keys | Generated by ANSI X9.31 DRNG during first-time initialization | In plaintext | In non-volatile memory | At operator delete or zeroize request | Verify the signature of the server’s message. |
| Krsa private | 1024-bit RSA private keys | Generated by ANSI X9.31 DRNG during first-time initialization | Never | In non-volatile memory | At operator delete or zeroize request | Sign the server’s message. |
| SSH Ks | SSH session 168-bit 3DES key, 128-, 192-, 256-bit AES key | Diffie-Hellman key agreement | Never | In volatile memory | Upon session termination or when a new Ks is generated (after a certain timeout) | Encrypt and decrypt data |
| SSH Khmac | SSH session 512-bit HMAC key | Diffie-Hellman key agreement | Never | In volatile memory | Upon session termination or when a new Khmac is generated (after a certain timeout) | Authenticate data |

Notice that SSH version 2 is explicitly accepted for use in FIPS mode, according to section 7.1 of the NIST FIPS 140-2 Implementation Guidance.

Table 12 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs for TLS

| Key | Key Type | Generation / Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Pre-MS | TLS pre-master secret | Input in encrypted form from client | Never | In volatile memory | Upon session termination | Derive MS |
| MS | TLS master secret | Derived from Pre-MS using FIPS Approved key derivation function | Never | In volatile memory | Upon session termination | Derive TLS Ks and TLS Khmac |
| KRsaPub | Server RSA public key (1024- or 2048-bit) | Generated by ANSI X9.31 DRNG during first-time initialization | In plaintext a X509 certificate. | In non-volatile memory | At operator delete request | Client encrypts Pre-MS. Client verifies server signatures |
| KRsaPriv | Server RSA private key (1024- or 2048-bit) | Generated by ANSI X9.31 DRNG during first-time initialization | Never | In non-volatile memory | At operator delete or zeroize request | Server decrypts Pre-MS. Server generates signatures |
| CARsaPub | Certificate Authority (CA) RSA public key (1024- or 2048-bit) | Generated by ANSI X9.31 DRNG during first-time initialization | In plaintext | In non-volatile memory | At operator delete request | Verify CA signatures |
| CARsaPriv | CA RSA private key (1024- or 2048-bit) | Generated by ANSI X9.31 DRNG during first-time initialization | Never | In non-volatile memory | At operator delete or zeroize request | Sign server certificates |
| Cluster Member RsaPub | Cluster Member RSA public key (1024- or 2048-bit) | Input in plaintext | Never | In volatile memory | Upon session termination | Verify Cluster Member signatures |
| TLS Ks | TLS session AES or 3DES symmetric key(s) | Derived from MS | Never | In volatile memory | Upon session termination | Encrypt and decrypt data |
| TLS Khmac | TLS session HMAC key | Derived from MS | Never | In volatile memory | Upon session termination | Authenticate data |

Table 13 details all cipher suites supported by the TLS protocol implemented by the module. The suite names in the first column match the definitions in RFC 2246 and RFC 4346.
Table 13 – Cipher Suites Supported by the Module’s TLS Implementation in FIPS Mode

| Suite Name | Authentication | Key Transport | Symmetric Cryptography | Hash |
|---|---|---|---|---|
| TLS_RSA_WITH_AES_256_CBC_SHA | RSA | RSA | AES (256-bit) | SHA-1 |
| TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES (128-bit) | SHA-1 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | RSA | 3DES (168-bit) | SHA-1 |

Other CSPs are tabulated in Table 14.

Table 14 – Other Cryptographic Keys, Cryptographic Key Components, and CSPs

| Key | Key Type | Generation / Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Client AES key | 128, 192 or 256-bit AES key | Generated by ANSI X9.31 DRNG | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | Encrypted in non-volatile memory | Per client’s request or zeroize request | Encrypt plaintexts/decrypt ciphertexts |
| Client 3DES key | 3DES key | Generated by ANSI X9.31 DRNG | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | Encrypted in non-volatile memory | Per client’s request or zeroize request | Encrypt plaintexts/decrypt ciphertexts |
| Client RSA public keys | RSA public key | Generated by ANSI X9.31 DRNG | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | Encrypted in non-volatile memory | At operator delete | Sign messages/verify signatures |
| Client RSA keys | RSA private keys | Generated by ANSI X9.31 DRNG | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | Encrypted in non-volatile memory | Per client’s request or zeroize request | Sign messages/verify signatures |
| Client HMAC keys | HMAC keys | Generated by ANSI X9.31 DRNG | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | Encrypted in non-volatile memory | Per client’s request or zeroize request | Compute keyed-MACs |
| Client certificate | X.509 certificate | Input in ciphertext over TLS | Via TLS in encrypted form (encrypted with TLS Ks) per client’s request | In non-volatile memory | Per client’s request or by zeroize request | Encrypt data/verify signatures |
| Crypto Officer passwords | Character string | Input in plaintext | Never | In non-volatile memory | At operator delete or by zeroize request | Authenticate Crypto Officer |
| User passwords | Character string | Input in plaintext | Never | In non-volatile memory | At operator delete or by zeroize request | Authenticate User |
| Cluster Member password | Character string | Input in ciphertext over TLS | Never | In non-volatile memory | At operator delete or zeroize request | When a device attempts to become a Cluster Member |
| HP User RSA public key | 2048-bit RSA public key | Input in plaintext at factory | Never | In non-volatile memory | At installation of a patch or new firmware | Authenticate HP User |
| Cluster key | Character string | Input in ciphertext over TLS | Never | In non-volatile memory | At operator delete or by zeroize request | Authenticate Cluster Member |
| Firmware upgrade key | 1024-bit RSA public key | Input in plaintext at factory | Never | In non-volatile memory | When new firmware upgrade key is input | Used in firmware upgrade integrity test |
| Log signing keys | 1024-bit RSA public and private keys | Generated by ANSI X9.31 DRNG at first-time initialization | Never | In non-volatile memory | When new log signing keys are generated on demand by Crypto Officer | Sign logs and verify signature on logs |
| ANSI X9.31 DRNG seed | DRNG seed | Generated by non-Approved RNG | Never | In non-volatile memory | When module is powered off | Initialize ANSI X9.31 DRNG |
| PKEK | 256-bit AES key | Generated by ANSI X9.31 DRNG | In encrypted form for backup purposes only | In non-volatile memory | At operator delete or by zeroize request | Encrypt client keys |

2.7.2 Key Generation

The module uses an ANSI X9.31 DRNG with 2-key 3DES to generate cryptographic keys. This DRNG is a FIPS 140-2 approved DRNG as specified in Annex C to FIPS PUB 140-2.

2.7.3 Key/CSP Zeroization

All ephemeral keys are stored in volatile memory in plaintext. Ephemeral keys are zeroized when they are no longer used. Other keys and CSPs are stored in non-volatile memory with client keys being stored in encrypted form. To zeroize all keys and CSPs in the module, the Crypto Officer should execute the reset factory settings zeroize command at the serial console interface. For security reasons, this command is available only through the serial console.

2.8 Self-Tests

The device implements two types of self-tests: power-up self-tests and conditional self-tests.
Power-up self-tests include the following tests:
• Firmware integrity tests
• Known Answer Test (KAT) on 3DES
• KAT on AES
• KAT on SHA-1
• KAT on SHA-256
• KAT on SHA-384
• KAT on SHA-512
• KAT on HMAC SHA-1
• KAT on HMAC SHA-256
• KAT on ANSI X9.31 DRNG
• KAT on Diffie-Hellman
• KAT on SSH Key Derivation Function
• KAT on RSA signature generation and verification
• Pairwise consistency test on DSA signature generation and verification

Conditional self-tests include the following tests:
• Pairwise consistency test for new DSA keys
• Pairwise consistency test for new RSA keys
• Continuous random number generator test on ANSI X9.31 DRNG
• Continuous random number generator test on non-Approved RNG
• Firmware upgrade integrity test
• Diffie-Hellman primitive test

The module has two error states: a Soft Error state and a Fatal Error state. When one or more power-up self-tests fail, the module may enter either the Fatal Error state or the Soft Error State. When a conditional self-test fails, the module enters the Soft Error state. See Section 3 of this document for more information.

2.9 Mitigation of Other Attacks

This section is not applicable. No claim is made that the module mitigates against any attacks beyond the FIPS 140-2 Level 2 requirements for this validation.
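The two kinds of self-test from Section 2.8, sketched in Python as an added example (not the module's firmware): known answer tests for the hash and HMAC algorithms in the power-up list, and a continuous random number generator test that latches a Soft Error on a repeated block. The expected values are the standard "abc" digests and test case 2 of RFC 2202 and RFC 4231; the names KATS, power_up_self_tests and ContinuousTestedRNG, the 8-byte block size and os.urandom as the source are assumptions.

```python
import hashlib
import hmac
import os

HMAC_KEY = b"Jefe"  # key of test case 2 in RFC 2202 and RFC 4231
HMAC_MSG = b"what do ya want for nothing?"

# name -> (function under test, input, known answer in hex)
KATS = {
    "SHA-1": (lambda m: hashlib.sha1(m).digest(), b"abc",
              "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-256": (lambda m: hashlib.sha256(m).digest(), b"abc",
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "SHA-384": (lambda m: hashlib.sha384(m).digest(), b"abc",
                "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
                "8086072ba1e7cc2358baeca134c825a7"),
    "SHA-512": (lambda m: hashlib.sha512(m).digest(), b"abc",
                "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    "HMAC SHA-1": (lambda m: hmac.new(HMAC_KEY, m, "sha1").digest(), HMAC_MSG,
                   "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    "HMAC SHA-256": (lambda m: hmac.new(HMAC_KEY, m, "sha256").digest(), HMAC_MSG,
                     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
}

def power_up_self_tests(kats=KATS):
    """Run every KAT and return the names of the algorithms that failed."""
    return [name for name, (func, msg, expected) in kats.items()
            if func(msg).hex() != expected]

class ContinuousTestedRNG:
    """Conditional self-test: a block equal to the previous one is a failure."""

    def __init__(self, source=os.urandom, block_size=8):
        self.source, self.block_size = source, block_size
        self.previous = source(block_size)  # first block: compared, never output
        self.soft_error = False

    def next_block(self):
        if self.soft_error:
            raise RuntimeError("module is in the Soft Error state")
        block = self.source(self.block_size)
        if block == self.previous:
            self.soft_error = True  # conditional failure -> Soft Error state
            raise RuntimeError("continuous RNG test failed")
        self.previous = block
        return block
```

A KAT only shows that an implementation reproduces one fixed answer, which is why the random number generators get a separate test that runs on every block they produce.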
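The firmware upgrade integrity test in the conditional list is the check Section 2.6 describes: verify the RSA signature with the public key held in the module, install on success, keep the old image on failure. The following added example (not HP's code) models it in Python; PKCS #1 v1.5 padding with SHA-256 is an assumption because the page names only "an RSA signature", and the seeded 1024-bit key pair, the function names and the image bytes are constructed for the demo.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2).
# Hash and padding are assumptions; the page says only "an RSA signature".
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin test, used only to build the constructed demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def constructed_keypair(bits=1024, seed=2008):
    """Seeded throwaway RSA key for the demo: returns ((n, e), d). Not secure."""
    rng, half, e = random.Random(seed), bits // 2, 65537
    def prime():
        while True:
            p = rng.getrandbits(half) | (3 << (half - 2)) | 1
            if p % e != 1 and is_probable_prime(p, rng):
                return p
    p, q = prime(), prime()
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def encode(image, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), em_len bytes long."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign_image(image, n, d):
    """Vendor side, outside the module: the private exponent d never enters it."""
    em = encode(image, (n.bit_length() + 7) // 8)
    return pow(int.from_bytes(em, "big"), d, n)

def verify_image(image, signature, public_key):
    """Module side: rebuild the expected block and compare it whole."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    em = encode(image, (n.bit_length() + 7) // 8)
    return pow(signature, e, n) == int.from_bytes(em, "big")

def upgrade(current_image, new_image, signature, public_key):
    """Install new_image only if its signature verifies; else keep the old one."""
    if verify_image(new_image, signature, public_key):
        return new_image
    return current_image
```

Comparing the complete re-encoded block, rather than parsing the padding out of the decrypted signature, leaves no room for a malformed block to pass the check.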
3 Secure Operation

The HP StorageWorks Secure Key Manager meets Level 2 requirements for FIPS 140-2. The sections below describe how to place and keep the module in the FIPS mode of operation.

3.1 Initial Setup

The device should be unpacked and inspected according to the User Guide. The User Guide also contains installation and configuration instructions, maintenance information, safety tips, and other information. The device itself must be affixed with tamper-evident labels that are included in the packaging. See Figure 8 – Tamper-Evidence Labels for locations of tamper-evidence labels.

3.2 Initialization and Configuration

3.2.1 First-Time Initialization

When the module is turned on for the first time, it will prompt the operator for a password for a default Crypto Officer. The module cannot proceed to the next state until the operator provides a password that conforms to the password policy described in Section 2.7.1. The default user name associated with the entered password is “admin”. During the first-time initialization, the operator must configure minimum settings for the module to operate correctly.
The operator will be prompted to configure the following settings via the serial interface:
• Date, Time, Time zone
• IP Address/Netmask
• Hostname
• Gateway
• Management Port

3.2.2 FIPS Mode Configuration

In order to comply with FIPS 140-2 Level 2 requirements, the following functionality must be disabled on the SKM:
• Global keys
• File Transfer Protocol (FTP) for importing certificates and downloading and restoring backup files
• Lightweight Directory Access Protocol (LDAP) authentication
• Use of the following algorithms: RC4, MD5, DES, RSA-512, RSA-768
• SSL 3.0
• Hot-swappable drive capability
• RSA encryption and decryption operations (note, however, that RSA encryption and decryption associated with TLS handshakes and Sign and Sign Verify are permitted)

These functions need not be disabled individually. There are two approaches to configuring the module such that it works in the Approved FIPS mode of operation:

Through a command line interface, such as SSH or serial console, the Crypto Officer should use the fips compliant command to enable the FIPS mode of operation. This will alter various server settings as described above. See Figure 6 – FIPS Compliance in CLI. The fips server command is used for the FIPS status server configuration. The show fips status command returns the current FIPS mode configuration.
Figure 6 – FIPS Compliance in CLI

In the web administration interface, the Crypto Officer should use the “High Security Configuration” page to enable and disable FIPS compliance. To enable the Approved FIPS mode of operation, click on the “Set FIPS Compliant” button. See Figure 7 – FIPS Compliance in Web Administration Interface. This will alter various server settings as described above.

Figure 7 – FIPS Compliance in Web Administration Interface

In the web administration interface, the User can review the FIPS mode configuration by reading the “High Security Configuration” page.

The Crypto Officer must zeroize all keys when switching from the Approved FIPS mode of operation to the non-FIPS mode and vice versa.

3.3 Physical Security Assurance

Serialized tamper-evidence labels have been applied at four locations on the metal casing. See Figure 8 – Tamper-Evidence Labels. The tamper-evidence labels have a special adhesive backing to adhere to the module’s surface. The tamper-evidence labels have individual, unique serial numbers. They should be inspected periodically and compared to the previously-recorded serial numbers to verify that fresh labels have not been applied to a tampered module.
Figure 8 – Tamper-Evidence Labels

Figure 9 provides a better view of the positioning of the tamper-evidence labels over the power supplies.

Figure 9 – Tamper-Evidence Labels over Power Supplies
3.4 Key and CSP Zeroization

To zeroize all keys and CSPs in the module, the Crypto Officer should execute reset factory settings zeroize command in the serial console interface. Notice that, for security reasons, the command cannot be initiated from the SSH interface.

When switching between different modes of operations (FIPS and non-FIPS), the Crypto Officer must zeroize all CSPs.

3.5 Error State

The module has two error states: a Soft Error state and a Fatal Error state. When a power-up self-test fails, the module may enter either the Fatal Error state or the Soft Error State. When a conditional self-test fails, the module will enter the Soft Error state. The module can recover from the Fatal Error state if power is cycled or if the SKM is rebooted. An HP User can reset the module when it is in the Fatal Error State. No other services are available in the Fatal Error state. The module can recover from the Soft Error state if power is cycled. With the exception of the firmware upgrade integrity test and Diffie-Hellman primitive test, the only service that is available in the Soft Error state is the FIPS status output via port 9081 (default). A User can connect to port 9081 and find the error message indicating the failure of FIPS self-tests. Access to port 9081 does not require authentication.
Acronyms

Table 15 – Acronyms

| Acronym | Definition |
|---|---|
| 3DES | Triple Data Encryption Standard |
| AES | Advanced Encryption Standard |
| ANSI | American National Standard Institute |
| BIOS | Basic Input/Output System |
| CA | Certificate Authority |
| CBC | Cipher Block Chaining |
| CLI | Command Line Interface |
| CMVP | Cryptographic Module Validation Program |
| CPU | Central Processing Unit |
| CRC | Cyclic Redundancy Check |
| CRL | Certificate Revocation List |
| CSP | Critical Security Parameter |
| DES | Data Encryption Standard |
| DRNG | Deterministic Random Number Generator |
| DSA | Digital Signature Algorithm |
| ECB | Electronic Codebook |
| EMC | Electromagnetic Compatibility |
| EMI | Electromagnetic Interference |
| FIPS | Federal Information Processing Standard |
| FTP | File Transfer Protocol |
| HDD | Hard Drive |
| HMAC | Keyed-Hash Message Authentication Code |
| HP | Hewlett-Packard |
| IDE | Integrated Drive Electronics |
| iLO | Integrated Lights-Out |
| I/O | Input/Output |
| IP | Internet Protocol |
| ISA | Instruction Set Architecture |
| KAT | Known Answer Test |
| KMS | Key Management Service |
| LDAP | Lightweight Directory Access Protocol |
| LED | Light Emitting Diode |
| MAC | Message Authentication Code |
| N/A | Not Applicable |
| NIC | Network Interface Card |
| NIST | National Institute of Standards and Technology |
| NTP | Network Time Protocol |
| PCI | Peripheral Component Interconnect |
| PRNG | Pseudo Random Number Generator |
| RFC | Request for Comments |
| RNG | Random Number Generator |
| RSA | Rivest, Shamir, and Adleman |
| SHA | Secure Hash Algorithm |
| SKM | Secure Key Manager |
| SNMP | Simple Network Management Protocol |
| SSH | Secure Shell |
| SSL | Secure Socket Layer |
| TLS | Transport Layer Security |
| UID | Unit Identifier |
| USB | Universal Serial Bus |
| VGA | Video Graphics Array |
| XML | Extensible Markup Language |