Copyright Ian Donnelly Systems 2009. May be reproduced only in its original entirety [without revision].

KEY-UP Cryptographic Module Security Policy
Document Version 0.6
Ian Donnelly Systems (IDS)
April 20, 2009

Ian Donnelly Systems KEY-UP Security Policy Version 0.6 April 20, 2009 Page 2

TABLE OF CONTENTS

1. MODULE OVERVIEW ............................................ 3
2. SECURITY LEVEL ............................................. 4
3. MODES OF OPERATION ......................................... 5
4. PORTS AND INTERFACES ....................................... 6
5. IDENTIFICATION AND AUTHENTICATION POLICY ................... 6
6. ACCESS CONTROL POLICY ...................................... 7
   ROLES AND SERVICES ......................................... 7
   DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS) .......... 9
   DEFINITION OF CSPS MODES OF ACCESS ......................... 10
7. OPERATIONAL ENVIRONMENT .................................... 14
8. SECURITY RULES ............................................. 14
9. PHYSICAL SECURITY POLICY ................................... 15
   PHYSICAL SECURITY MECHANISMS ............................... 15
10. MITIGATION OF OTHER ATTACKS POLICY ........................ 15

1. Module Overview

The KEY-UP Cryptographic Module (HW P/N KEY-UP Version II-A, FW Version 5.0.1) is a multiple-chip standalone cryptographic device encased in a hard, opaque, commercial-grade steel case. The primary purpose of this device is to provide data security for Electronic Funds Transfer (EFT) transactions. The device provides status output via LEDs and network interfaces for data input and output. The diagram below illustrates these interfaces and defines the cryptographic boundary.

Figure 1 – Image of the Cryptographic Module

2. Security Level

The cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2.

Table 1 - Module Security Level Specification

Security Requirements Section      | Level
Cryptographic Module Specification | 3
Module Ports and Interfaces        | 3
Roles, Services and Authentication | 3
Finite State Model                 | 3
Physical Security                  | 3
Operational Environment            | N/A
Cryptographic Key Management       | 3
EMI/EMC                            | 3
Self-Tests                         | 3
Design Assurance                   | 3
Mitigation of Other Attacks        | N/A

3. Modes of Operation

Approved mode of operation

The KEY-UP Cryptographic Module operates in the FIPS mode of operation by default from the factory.
The following FIPS Approved algorithms are supported:

• Triple-DES (ECB mode, two-key) for encryption and decryption
• Triple-DES MAC (ECB) for data integrity
• SHA-1 for hashing

The cryptographic module also supports a deterministic random number generator (DRNG) that is compliant with ANSI X9.31.

The following non-FIPS Approved algorithms are supported, but are not used to provide any cryptographic strength to the module's security (both are further encrypted using Triple-DES):

• Derived Unique Key Per Transaction (DUKPT) for decryption
• DES (ECB) for encryption and decryption

Execute the KEY-UP Show Status service to view which mode the module is operating in.

Non-Approved mode of operation

The KEY-UP Cryptographic Module may also be configured for operation in a non-Approved mode. To configure the module for the non-Approved mode, execute the KEY-UP Operating Mode service and select not to operate in the Approved mode.

4. Ports and Interfaces

The cryptographic module supports a data input, data output, control input, status output, and a power interface. The following table describes the physical ports that the cryptographic module provides and lists the logical interfaces associated with each port:

Physical Port                          | Logical Interface
Asynchronous RS232 (Keys)              | Data input, Data output, Control input, Status output
Asynchronous RS232 (Data)              | Data input, Data output, Control input, Status output
Ethernet (Qty. 2, second one disabled) | Data input, Data output, Control input, Status output
LED                                    | Status output
Mechanical Lock                        | Control input
Reset Switch                           | Control input
Power Switch                           | Control input, Power
Power Port                             | Power

5. Identification and Authentication Policy

Assumption of roles

The cryptographic module shall support four distinct operator roles (User, Cryptographic-Officer, Administrator, and Operator).
The cryptographic module shall enforce the separation of roles using identity-based operator authentication. An operator must either enter a username and password to authenticate, or provide a username and prove knowledge of a 128-bit shared secret to log in. The username is an alphanumeric string of up to eight characters. The password is an alphanumeric string of eight characters randomly chosen from the 62 alphanumeric characters A-Z, a-z, 0-9. No previous authentications are maintained across power downs.

Table 2 - Roles and Required Identification and Authentication

Role                  | Type of Authentication                 | Authentication Data
User                  | Identity-based operator authentication | User ID, Shared Secret (128-bit shared secret)
Cryptographic-Officer | Identity-based operator authentication | User ID, Password
Administrator         | Identity-based operator authentication | User ID, Password
Operator              | Identity-based operator authentication | User ID, Password

Table 3 – Strengths of Authentication Mechanisms

Authentication Mechanism | Strength of Mechanism
Password Entry | The IDS KEY-UP passwords are 8 characters in length, composed of the 62 characters 0-9, A-Z, a-z. The probability of guessing a password on one attempt is 1/62^8, or 1/218,340,105,584,896, which is less than 1/1,000,000. KEY-UP is configured using a serial connection at a speed of 9600 bps, so there could be at the very most 75 attempts at password entry in one minute. Therefore, the probability of guessing the password in one minute is 75 * 1/62^8, which is less than 1/100,000.
Shared Secret | The shared secret is a 128-bit Triple-DES key. The probability of guessing the shared secret on one attempt is 1/2^128, which is less than 1/1,000,000. KEY-UP is configured using a serial connection at a speed of 9600 bps, so there could be at the very most 75 authentication attempts in one minute. Therefore, the probability of guessing the shared secret in one minute is 75 * 1/2^128, which is less than 1/100,000.

6. Access Control Policy

Roles and Services

Table 4 – Services Authorized for Roles

Role | Authorized Services

User:
• PIN Translation: Decrypt a Personal Identification Number (PIN) using the PIN Encryption Key and encrypt it using another specified encryption key.
• PIN Verification: Verify an encrypted PIN block.
• PIN Change: Change a PIN and optionally verify the PIN.
• PIN Offset Generation: Generate a PIN offset for use in PIN verification.
• VISA PVV Generation: Generate a Visa PIN Verification Value (PVV) for use in PVV Verification.
• Data Encrypt: Encrypt data using Triple-DES.
• Data Decrypt: Decrypt data using Triple-DES.
• CVV/CVC Generation: Generate a Card Verification Value (CVV) or Card Verification Code (CVC) for the purpose of verifying a credit card.
• CVV/CVC Verification: Verify a CVV or CVC of a credit card.
• MAC Generation: Generate a Message Authentication Code (MAC) for the purpose of providing data integrity.
• MAC Verification: Verify a MAC.
• Generate “Working” Key: Generate a Triple-DES key for the encryption of various data.
• Key Translation: Decrypt a key using one key and re-encrypt it using another key.
• Change ATM Key: Generate a Triple-DES key and encrypt it with the ATM A or B Key.

Key Custodian/Cryptographic-Officer:
• Key Entry: Manually establish, electronically enter a split-knowledge key.
• KEY-UP Show Status: Show the status of the module (i.e., version of the module, state of the keys, checksums, etc.).
• Install Key: Install the entered key into persistent memory. (This service is only available when an MFK or KEK has been entered.)
• Display Cryptogram: Triple-DES encrypt the last key entered with the MFK and output it to the console.
• Generate Random Value: Generate a random value.
• Log out

Operator:
• KEY-UP Show Status: Show the status of the module (i.e., version of the module, state of the keys, checksums, etc.).
• Log out

Administrator:
• All of the functions listed for Cryptographic-Officer and Operator, in addition to those listed below:
• Configure TCP/IP: Configure the TCP/IP settings.
• Configure KEY-UP Operating Mode: Configure the baud rate and protocol in use for communication. Select or de-select the FIPS mode of operation.
• User Maintenance: Add user, list user, delete user, update user.
• Clear KEY-UP Security Keys: FIPS 140-2 zeroization service. This service actively zeroizes all keys, both persistently stored and non-persistently stored CSPs, from memory.
• Log out

Unauthenticated Services:

The cryptographic module supports the following unauthenticated services:

• LED Show Status: This service provides the current status of the cryptographic module via the LED.
• Self-tests: This service executes the suite of self-tests required by FIPS 140-2 and is invoked by power-cycling the module.

Definition of Critical Security Parameters (CSPs)

The following are CSPs contained in the module:

Key | Description/Usage
Master File Key (MFK) | 128-bit TDES key used to encrypt all keys used by the KEY-UP module. All key data entering/exiting the module is decrypted/encrypted by the module.
Key Exchange Key | 128-bit TDES key used to encrypt/decrypt outgoing/incoming session keys.
PIN Encryption Key | 128-bit TDES key used to encrypt PINs.
Data Encryption Key | 128-bit TDES key used to encrypt data.
Message Authentication Key | 128-bit TDES key used to generate/verify TDES message authentication codes of 32, 48, or 64 bits in length.
ATM A Key | 128-bit TDES key used to facilitate the generation of ATM encryption keys (encrypts the ATM B key, or is encrypted by the ATM B key).
ATM B Key | 128-bit TDES key used to facilitate the generation of ATM encryption keys (may encrypt the ATM A key, or is encrypted by the ATM A key).
Seed Key | 128-bit value used by the ANSI X9.31 DRNG for the creation of random numbers and cryptographic keys.
Passwords | Used to authenticate operators to the module.

Definition of Public Keys: The module does not support Public Keys.

Definition of CSPs Modes of Access

Table 6 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as follows:

• Generate
• Read
• Write
• Destroy

Table 6 – Service to CSP Access Rights

CSP columns of the original table: MFK, KEK, PEK, DEK, MAK, ATM A, ATM B, Seed Key, Passwords. Each X marks one CSP accessed in the given mode; the marks are reproduced in extraction order, as the column each mark occupied was not preserved in this copy.

Service                        | Generate        | Read              | Write             | Destroy
PIN Translation                | -               | X X               | -                 | -
PIN Verification               | -               | X X               | -                 | -
PIN Change                     | -               | X X               | -                 | -
PIN Offset Generation          | -               | X X               | -                 | -
VISA PVV Generation            | -               | X X               | -                 | -
Data Encrypt                   | -               | X X               | -                 | -
Data Decrypt                   | -               | X X               | -                 | -
CVV/CVC Generation             | -               | X X               | -                 | -
CVV/CVC Verification           | -               | X X               | -                 | -
MAC Generation                 | -               | X X               | -                 | -
MAC Verification               | -               | X X               | -                 | -
Generate “Working” Key         | X X X X X X X   | X X               | -                 | -
Key Translation                | -               | X X X X X X X     | -                 | -
Change ATM Key                 | X X             | X X X             | -                 | -
Key Entry                      | -               | X X X X X X X X   | X X X X X X X X   | -
Install Key                    | -               | X X               | X X               | -
KEY-UP Show Status             | -               | X X               | -                 | -
Configure TCP/IP               | -               | -                 | -                 | -
Display Cryptogram             | -               | X X X X X X X     | -                 | -
Clear KEY-UP Security Keys     | -               | -                 | -                 | X X X X X X X X X
Generate Random Value          | -               | X                 | X                 | -
Clear KEY-UP Security Keys     | -               | -                 | -                 | X X X X X X X X
Logout                         | -               | -                 | -                 | -
Configure KEY-UP Operating Mode| -               | -                 | -                 | -
User Maintenance               | X               | -                 | -                 | -

7. Operational Environment

The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the KEY-UP Cryptographic Module is a non-modifiable environment.

8. Security Rules

The cryptographic module's design corresponds to the cryptographic module's security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 3 module.

1. The cryptographic module shall provide four distinct operator roles. These are the User role, Administrator role, Operator role, and the Cryptographic-Officer role.
2. The cryptographic module shall provide identity-based authentication.
3. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services.
4. The cryptographic module shall perform the following tests:
   A. Power-up Self-Tests:
      1. Cryptographic algorithm tests:
         a. TDES Known Answer Test
         b. DRNG Known Answer Test
         c. SHA-1 Known Answer Test
      2. Software Integrity Test: 16-bit CRC
      3. Critical Functions Tests:
         a. BB-SRAM Read/Write Test
   B. Conditional Self-Tests:
      1. Continuous Random Number Generator (RNG) Test
      2. Split-Knowledge Key Integrity Test
5. At any time the cryptographic module may be commanded to perform power-up self-tests by power-cycling the module.
6. Data output shall be inhibited during key generation, self-tests, zeroization, and error states.
7. The module shall not support concurrent operators.
8. Split key entry is required for all plaintext keys entered into the module, whether they are loaded into the module or used externally. The module supports from 2 to 9 key parts, which are combined to create the key. The only possible way to ascertain the final key is to know all parts entered to create the key. There is no way to obtain the resulting key with only one key component.

9. Physical Security Policy

Physical Security Mechanisms

The multiple-chip standalone cryptographic module includes the following physical security mechanisms:

• Production-grade components and production-grade opaque enclosure with pick-resistant locks.
• Automatic zeroization when the enclosure is opened.
• Tamper response and zeroization circuitry.
• Protected vents.

10. Mitigation of Other Attacks Policy

The module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-2 requirements.
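The strength-of-mechanism figures in Table 3, recomputed exactly as an added example that is not part of the original policy: the two thresholds are those of FIPS 140-2, the 75 attempts per minute are taken from Table 3 as given, the 128-bit shared secret is treated as 2^128 equally likely values, and `shortest_passing_length` is a planning helper of mine rather than a figure from the policy.

```python
from dataclasses import dataclass
from fractions import Fraction

# FIPS 140-2 strength-of-mechanism thresholds used in Table 3: a single random
# attempt must succeed with probability below 1/1,000,000, and all attempts
# possible within one minute must succeed with probability below 1/100,000.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
ONE_MINUTE_LIMIT = Fraction(1, 100_000)


@dataclass(frozen=True)
class StrengthResult:
    keyspace: int          # number of equally likely credential values
    p_single: Fraction     # probability that one random guess is right
    p_minute: Fraction     # probability that a minute of guessing is right

    def meets_fips_140_2(self) -> bool:
        return (self.p_single < SINGLE_ATTEMPT_LIMIT
                and self.p_minute < ONE_MINUTE_LIMIT)


def strength(alphabet_size: int, length: int, attempts_per_minute: int) -> StrengthResult:
    """Exact strength of a uniformly random credential of `length` symbols from an
    alphabet of `alphabet_size`, guessed at `attempts_per_minute` distinct tries."""
    if alphabet_size < 2 or length < 1 or attempts_per_minute < 1:
        raise ValueError("need alphabet_size >= 2, length >= 1, attempts >= 1")
    keyspace = alphabet_size ** length
    # With distinct guesses the chance that one of n hits is exactly n/keyspace,
    # the "75 * 1/62^8" form Table 3 uses; capped at 1 for tiny keyspaces.
    p_minute = min(Fraction(attempts_per_minute, keyspace), Fraction(1))
    return StrengthResult(keyspace, Fraction(1, keyspace), p_minute)


# Table 3 rows: 8 alphanumerics (62 symbols) and a 128-bit key (128 binary
# symbols), both limited by the 9600 bps serial link to at most 75 tries/minute.
PASSWORD = strength(alphabet_size=62, length=8, attempts_per_minute=75)
SHARED_SECRET = strength(alphabet_size=2, length=128, attempts_per_minute=75)


def shortest_passing_length(alphabet_size: int, attempts_per_minute: int) -> int:
    """Shortest credential over this alphabet that still clears both thresholds at
    the given attempt rate (a planning helper; not a figure from the policy)."""
    length = 1
    while not strength(alphabet_size, length, attempts_per_minute).meets_fips_140_2():
        length += 1
    return length


if __name__ == "__main__":
    for name, r in (("password", PASSWORD), ("shared secret", SHARED_SECRET)):
        print(f"{name}: keyspace={r.keyspace} p_single={float(r.p_single):.3e} "
              f"p_minute={float(r.p_minute):.3e} passes={r.meets_fips_140_2()}")
    print("shortest passing alphanumeric length at 75/min:", shortest_passing_length(62, 75))
```

A 4-digit numeric PIN at the same 75 attempts per minute fails the single-attempt threshold, which is why the policy's password alphabet and length matter as much as the attempt rate.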
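The split-knowledge property stated in Rule 8, as an added example that is not the module's firmware: it assumes the 2 to 9 key components are combined by XOR and that the combined Triple-DES key is given odd per-byte parity (the DES key convention of FIPS 46-3); the policy specifies neither, and `part_that_completes` exists only to show why fewer than all components reveal nothing about the key.

```python
import secrets
from typing import Sequence

KEY_BYTES = 16  # 128-bit two-key Triple-DES key, the key size used throughout the policy


def xor_all(parts: Sequence[bytes]) -> bytes:
    """XOR all 128-bit components together (the assumed combination operation)."""
    if not parts or any(len(p) != KEY_BYTES for p in parts):
        raise ValueError("every part must be a 128-bit value")
    out = bytearray(KEY_BYTES)
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, parts: int) -> list[bytes]:
    """Split `key` into 2..9 components (the range Rule 8 allows) whose XOR is `key`.
    All but the last component are fresh random values; the last is computed so
    the XOR of the whole set is the key, which keeps every component uniform."""
    if not 2 <= parts <= 9:
        raise ValueError("the module accepts from 2 to 9 key parts")
    if len(key) != KEY_BYTES:
        raise ValueError("expected a 128-bit key")
    components = [secrets.token_bytes(KEY_BYTES) for _ in range(parts - 1)]
    components.append(xor_all(components + [key]))
    return components


def set_odd_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (the DES key convention of FIPS 46-3).
    XORing an even number of odd-parity parts gives even parity, so the
    combined key is parity-adjusted before use (an assumed step)."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def part_that_completes(held: Sequence[bytes], candidate: bytes) -> bytes:
    """The value the single missing component would need for `held` to combine
    to `candidate`. Such a value exists for every candidate, so custodians of
    all but one part cannot tell the real key from any other 128-bit value."""
    return xor_all(list(held) + [candidate])


def combine_entered_parts(parts: Sequence[bytes]) -> bytes:
    """Model of the Install Key step (assumed): require at least two parts, XOR
    them, and parity-adjust the resulting Triple-DES key."""
    if len(parts) < 2:
        raise ValueError("split knowledge requires at least two components")
    return set_odd_parity(xor_all(parts))
```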