GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 1 FUTUREX GSP3000 Hardware Security Module FIPS 140-2 NON-PROPRIETARY SECURITY POLICY This document may be reproduced only in its original entirety [without revision]. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 1 Table of Contents 1. Module Overview......................................................................................................................................................................3 2. Security Level ..............................................................................................................................................................................4 3. Modes of Operation.................................................................................................................................................................5 3.1. FIPS Approved Mode of Operation ..........................................................................................................................5 3.1.1. AES GCM Considerations....................................................................................................................................8 3.2. PCI HSM Mode of Operation (non-Approved) ....................................................................................................9 3.3. General (non-approved) Mode of Operation....................................................................................................10 4. Installation................................................................................................................................................................................. 11 5. ENABLING FIPS AND PCI HSM MODES.........................................................................................................................11 5.1. ENABLING THROUGH THE WEB INTERFACE......................................................................................................11 5.2. COM SETUP..................................................................................................................................................................... 12 5.3. ENABLING THROUGH EXCRYPT MANAGER.......................................................................................................12 6. Reset to Factory Default......................................................................................................................................................12 6.1. Reset Cryptographic Module ...................................................................................................................................12 6.2. Restore Device to Factory Defaults – Hardware Method.............................................................................. 12 7. Ports and Interfaces...............................................................................................................................................................13 8. Identification and Authentication Policy.......................................................................................................................15 8.1. Assumption of Roles....................................................................................................................................................15 8.2. Roles and Required Identification and Authentication.................................................................................. 15 8.3. Strengths of Authentication Mechanisms...........................................................................................................16 9. Access Control Policy............................................................................................................................................................16 9.1. Unauthenticated Services ..........................................................................................................................................16 9.2. Authenticated Services ...............................................................................................................................................17 9.2.1. Specification of Service Inputs and Outputs............................................................................................19 9.3. Definition of Critical Security Parameters (CSPs)..............................................................................................20 9.4. Definition of Public Keys ............................................................................................................................................22 9.5. Modes of Access for CSPs .........................................................................................................................................23 10. Operational Environment....................................................................................................................................................27 11. Security Rules........................................................................................................................................................................... 27 11.1. Self-Tests.......................................................................................................................................................................... 28 12. Physical Security Policy ........................................................................................................................................................29 12.1. Physical Security Mechanisms..................................................................................................................................29 GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 2 12.2. Environmental Conditions and Partial Environmental Failure Protection............................................... 29 12.3. Operator Recommended Actions...........................................................................................................................30 13. Mitigation of Other Attacks ...............................................................................................................................................31 14. Design Assurance................................................................................................................................................................... 31 14.1. Configuration Management.....................................................................................................................................31 14.2. Guidance Documents..................................................................................................................................................31 14.3. System Identification and Authentication...........................................................................................................31 14.4. Audit Logs and Inspection Frequency .................................................................................................................. 31 15. Key Loading..............................................................................................................................................................................32 15.1. Key Loading (FIPS/PCI-HSM Modes).....................................................................................................................32 16. Product Identification...........................................................................................................................................................32 16.1. Hardware Identification..............................................................................................................................................32 16.2. Firmware Versioning Scheme and Identification..............................................................................................33 17. TLS Protocols............................................................................................................................................................................ 34 17.1. TLS Protocols Supported............................................................................................................................................34 18. References................................................................................................................................................................................. 35 19. Glossary......................................................................................................................................................................................36 20. CSP Abbreviations.................................................................................................................................................................. 36 GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 3 1. MODULE OVERVIEW The GSP3000 (HW P/N 9800-2079 Rev7, Rev8, Rev8C, Rev8D0F 1 , Rev9A.A1F 2 , Rev9B.A, Rev9C.A, Rev9D.A, Rev9A.B, Rev9B.B, Rev9C.B, Rev9D.B2F 3 , Rev11A.A, Rev11B.A, Rev11C.A, or Rev11D.A3F 4 , and FW Version 7.0.0.4) Hardware Security Module (HSM) is a multi-chip embedded cryptographic module that provides secure data storage and processing functionality. All sensitive components of the module are physically protected by a tamper resistant, responsive, and evident casing where all cryptographic operations are performed. Upon tamper detection, normal operations are halted, and critical security parameters are erased. The module is assembled from production quality components and provides high speed interfaces for control and data input, status, and data output. The image below depicts the cryptographic module. The boundary is the entire PCB assembly and protective epoxy, as shown with the red outline. Components not enclosed within the epoxy are non-sensitive and have been excluded from the physical security requirements. Figure 1 – GSP3000 Hardware Security Module None of the components outside the epoxy are relevant to the security of the module. They are excluded from the security requirements of FIPS 140-2. 1 HW P/Ns 9800-2079 Rev7 and Rev8 series uses the Intel i7-620UE processor. HW P/Ns 9800-2079 Rev9 and Rev11 series uses the Intel i3-6102E processor. 2 The non-security relevant changes between the various P/Ns include add/change of components, such as LEDs and amplifier circuitry, moved certain components to either away from boundary edge to improve manufacturability or to clear space for the heat spreader, and documentation changes. 3 DRAM size is as follows: HW P/Ns 9800-2079 Rev7/8 (8GB) Rev9A (4GB), Rev9B (8GB), Rev9C (16GB), Rev9D (32GB). 4 DRAM size is as follows: HW P/Ns 9800-2079 Rev11A (4GB), Rev11B (8GB), Rev11C (16GB), Rev11D (32GB). GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 4 2. SECURITY LEVEL The cryptographic module meets the FIPS 140-2 overall security requirements applicable to Level 3. Security Requirements Section Level Cryptographic Module Specification Module Ports and Interfaces Roles, Services and Authentication Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC Self-Tests Design Assurance Mitigation of Other Attacks 3 3 3 3 3 N/A 3 3 3 3 3 Table 1 - Module Security Level Specification GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 5 3. MODES OF OPERATION The cryptographic module may be configured for FIPS Approved mode, PCI-HSM (Non-Approved for FIPS 140) Mode of Operation, or General (Non-Approved) Mode of Operation by accessing the System tab on the module’s web interface. A drop-down menu is shown for FIPS mode (“On” or “Off”) and another for PCI HSM mode. Once a selection is chosen and confirmed, the module automatically reboots into the chosen mode. The System tab will than show FIPS mode enabled. When used in the Vectera Plus parent device, the mode of operation is also displayed on its LCD screen. When transitioning between modes, the module will zeroize CSPs before entering the selected mode of operation and restart. The user can determine which mode the cryptographic module is in by accessing the Status tab on the module’s web interface. 3.1. FIPS APPROVED MODE OF OPERATION In FIPS Approved mode, the module supports the following algorithms: Approved Functions CAVP Cert Algorithm Standard Mode/Method Key Lengths/Curves/Moduli Use C2004 AES NIST SP 800-38A CTR 128 and 256-bit Encryption NIST SP 800-38A ECB, CBC, CFB1, CFB8, CFB128, OFB 128, 192, and 256-bits Encryption and Decryption NIST SP 800-38B CMAC 128, 192, and 256-bits MAC Generation and Verification NIST SP 800-38D GCM 128, 192, and 256-bits Encryption and Decryption C2005 NIST SP 800-38F AES KWP 128, 192, and 256-bits Key Wrap Vendor Affirmed CKG4F 5 SP 800-133 rev2 N/A N/A Symmetric Key Generation C2004 CVL NIST SP 800-135 TLS v1.0, v1.1 and v1.2 KDF N/A Key Derivation C2004 DRBG NIST SP 800-90A CTR Mode: AES-256 Derivation Function Enabled: Yes Additional Input: 0-256 Entropy Input: 256 Nonce: 128 AES-256 Random Number Generation C2004 ECDSA FIPS 186-4 ECDSA KeyGen (184-4) P-224, P-256, P-384 and P-521 Key generation ECDSA SigGen (186-4) P-224, P-256, P-384 and P-521 Digital signature generation ECDSA SigVer (186-4) P-192, P-224, P-256, P-384 and P-521 Digital signature verification 5 NOTE: In accordance with FIPS 140-2 IG D.12, the cryptographic module performs Cryptographic Key Generation as per scenario 1 of section 4 in SP800-133 rev2. The resulting generated symmetric key and the seed used in the asymmetric key generation are the unmodified output from SP800-90A DRBG. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 6 C2004 HMAC FIPS 198-1 SHA-1, SHA2-224, SHA2-256, SHA2-384 and SHA2-512 Key sizes: minimum 128-bits, maximum 256-bits. Keyed Message Authentication Vendor Affirmed KAS-SSC SP 800-56A rev3 ECC Ephemeral Unified Scheme Key Establishment methodology provides between 112 and 256- bits of encryption strength All NIST Defined ECC Curves except 192 (P-224, P-256, P- 384, and P-521) EC Diffie-Hellman Shared Secret Computation ECC One-Pass Diffie- Hellman scheme FFC dhEphem scheme 2048, 3072, 4096 Safe Primes as defined by SP800-56A Rev3 Appendix D and RFC7919 Key Establishment methodology provides between 112 and 150- bits of encryption strength Diffie-Hellman Shared Secret Computation FCC dhOneFlow scheme C2005 KBKDF SP 800-108 Counter Mode, using AES-CMAC 128, 192, and 256-bits Key Based KDF Vendor Affirmed KDA SP 800-56C rev2 ECC Ephemeral Unified Scheme RFC 8446 (TLS 1.3) and SP800- 56C rev2 Section 5 HKDF Implementation Key Derivation Two-Step Key Derivation using implementation dependent Auxilary PRF based KDF Option A. Used for TLS 1.0-1.2 (Cert#C2004) ECC One-Pass Diffie- Hellman Scheme RFC 8446 (TLS 1.3) and SP800- 56C rev2 Section 5 HKDF Implementation FFC dhEphem Scheme Cert #C2004 Two-Step Key Derivation using implementation-dependent Auxiliary PRF-based KDF Option A FFC dhOneFlow Scheme One-Step Key Derivation Option 1 (Hash (SHS FIPS 180-4) C2005 KTS NIST SP 800-38F AES KWP key establishment methodology provides between 128 and 256 bits of encryption strength Encryption and Decryption C2004 AES CBC / AES CMAC Encryption and Authentication AES CBC / HMAC Encryption and Authentication (See TLS Cipher Suite Listing) C2003 RSA FIPS 186-4 RSA KeyGen (186-4) Modulo 2048 and 3072 Key Generation Mode B.3.3 and B.3.6 GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 7 RSA SigGen (186-4) Modulo 2048, 3072, and 4096* ANSI X9.31, PKCS 1.5 and PKCSPSS, Signature Generation RSA SigVer (186-4) Modulo 1024, 2048, and 3072 ANSI X9.31, PKCS 1.5 and PKCSPSS, Signature C2003 SHS FIPS 180-4 SHA-1, SHA-224, SHA- 256, SHA-384 and SHA- 512 - Message Digest Note: SHA-1 is not available for digital signature creation. Table 2 – Approved Functions * Note: 186-4 RSA 4096 SigGen was not available for CAVP testing; however, per IG G.18, it is approved for use because 186-2 RSA 4096 SigGen was tested. Allowed Non-Approved Functions Algorithm Caveat/Use MD5 Message digest used in TLS 1.0/1.1 ONLY NDRNG Entropy input of 256-bits provided to the DRBG for Seed Data. RSA Key wrapping: key establishment methodology which provides 112-bits of encryption strength. RSA algorithm may be used for encryption or decryption of keys. No claim is made for SP 800-56B compliance, and no CSPs are established into or exported out of the module using these services. Shamir Secret Sharing Split Knowledge Procedures: Polynomial method used only for secret-sharing and recombination. Note: As per NISTIR 8214, Section 6.2, implementation of Shamir Secret Sharing is used to satisfy Section 4.7.4 of the FIPS 140-2 standard which defines security requirements for split-knowledge procedures. Table 3 – Allowed Non-Approved Functions GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 8 3.1.1.AES GCM Considerations AES GCM encryption and decryption are used in the context of the TLS protocol version 1.2 (compliant to Scenario 1 path (i) in FIPS 140-2 A.5). The module is compliant with NIST SP 800-52 rev2 and the mechanism for IV generation is compliant with RFC 5288. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246, or fail. In either case, the module prevents IV duplication and thus enforces the security property. AES GCM encryption and decryption are used in the context of the TLS protocol version 1.3 (compliant to Scenario 5 in FIPS 140-2 IG A.5). The module is compliant with NIST SP 800-52 rev2 and the mechanism for IV generation is compliant with RFC 8446. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 8446, or fail. In either case, the module prevents IV duplication and thus enforces the security property. The module requires there to be a fixed field of 32-bits and defaults a value based on the HSM’s unique serial number. In approved mode, the module shall not allow the user to utilize GCM with an externally generated IV; a fresh key is always used. The module supports internal IV generation by the module’s Approved DRBG. The DRBG seed is generated inside the module’s physical boundary. The minimum IV length is 96-bits per NIST SP 800-38D. On module power on, the next IV available is calculated by taking the previously stored invocation value and adding an additional 8,000,000 to ensure the IV field is not reused, even after power cycling. This is following the guidance of SP800-38D section 9.1 which recommends that after a power loss the stored IV is always one or more values ahead of the operational invocation value. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 9 3.2. PCI HSM MODE OF OPERATION (NON-APPROVED) In PCI HSM Mode of Operation, the module supports the following algorithms in addition to the FIPS Approved Mode algorithms: • AKB/TR-31: key bundling techniques • DUKPT: key management technique • PIN generation: random and derived • RSA with additional, non-compliant key sizes (full selection is 2048 + n*8 [n = 0 to 256], up to 4096 bits) for key generation, digital signature generation, and verification • RSA with additional, non-compliant key sizes (full selection is 2048 + n*8 [n = 0 to 256] up to 4096 bits), encrypt/decrypt for key transport • Triple-DES (keying option 2) for decryption, including key wrapping (non-compliant) • Triple-DES (keying option 1) for encryption and decryption, including key wrapping (non- compliant) Note: The use of two-key Triple-DES for encryption is restricted. The total number of blocks of data encrypted with the same cryptographic key shall not be greater than 2^20. • When configured for operation in an issuer environment* o Clear PIN processing o *The HSM cannot be configured for both PIN processing and clear PIN operations in this mode of operation. • When configured for PIN processing, the following pin block format translation will be allowed or disallowed. Destination Source ISO Format 0 ISO Format 1 ISO Format 2 ISO Format 3 ISO Format 4 IBM3624 PIN Pad ISO Format 0 Yes No No Yes Yes No No ISO Format 1 Yes Yes Yes Yes Yes No No ISO Format 2 No No Yes No No No No ISO Format 3 Yes No No Yes Yes No No ISO Format 4 Yes No No Yes Yes No No IBM3624 Yes Yes Yes Yes Yes Yes Yes PIN Pad Yes Yes Yes Yes Yes Yes Yes Table 4 - PIN Block Translation in PCI Mode of Operation GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 10 3.3. GENERAL (NON-APPROVED) MODE OF OPERATION In General (non-approved) Mode of Operation, the module supports the following algorithms in addition to the FIPS Approved Mode and PCI-HSM Mode algorithms: • DES for encryption and decryption • ECC with 192-bit keys for key generation, digital signature generation and verification (non- compliant) • HMAC MD5, HMAC RIPEMD-160 for keyed message authentication • MD5, RIPEMD-160 for hashing • RSA with additional, non-compliant key sizes (full selection is 512 + n*8 [n = 0 to 256] up to 4096 bits) for key generation, digital signature generation, and verification • RSA with additional, non-compliant key sizes (full selection is 512 + n*8 up to 4096 bits), encrypt/decrypt for key transport • Triple-DES (2-key) for all usages without restriction (non-compliant) • When configured for operation in an issuer environment* o Clear PIN processing o *The HSM cannot be configured for both PIN processing and clear PIN operations in this mode of operation • When configured for PIN processing, the following PIN block format translation will be allowed: Destination Source ISO Format 0 ISO Format 1 ISO Format 2 ISO Format 3 ISO Format 4 IBM3624 PIN Pad ISO Format 0 Yes Yes Yes Yes Yes Yes Yes ISO Format 1 Yes Yes Yes Yes Yes Yes Yes ISO Format 2 Yes Yes Yes Yes Yes Yes Yes ISO Format 3 Yes Yes Yes Yes Yes Yes Yes ISO Format 4 Yes Yes Yes Yes Yes Yes Yes IBM3624 Yes Yes Yes Yes Yes Yes Yes PIN Pad Yes Yes Yes Yes Yes Yes Yes Table 5 - PIN Block Translation in Non-Approved Mode of Operation GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 11 4. INSTALLATION Each Futurex GSP3000 secure cryptographic device (SCD) contains a processor and system memory. The SCD stores keys and performs cryptographic processing tasks. GSP3000 units are FIPS 140-2 Level 3 certified under certificate number 3373. Each SCD arrives with certificates loaded at the point of manufacture. These certificates are unique Certificate Authorities (CAs) specific to the customer, allowing the device to incorporate into that customer's architecture. For security, the SCD comes encased in a hard, opaque epoxy barrier and sensor wires that protect the SCD from a physical attack. If the SCD is physically tampered with, the unit will enter a tampered state. INSTALL PREPARATION To facilitate installation, Futurex recommends that all shipment materials and at least two Administrators/Key Officers be present to maintain dual control. EXCRYPT MANAGER APPLICATION INSTALLATION Note This setup process is not required if the Excrypt Touch will be used to connect to the HSM. This application is needed to load the Master File Key (MFK) and configure the HSM. 1. Power on the setup computer and insert the Excrypt Manager Application CD and run the Excrypt Manager installer. Follow the instructions given by the Excrypt Manager Setup Wizard. 2. Once the Excrypt Manager Application is running on the setup computer, power on the HSM. 3. Locate the power switch on the back of the device and turn it on. 4. Connect the USB setup cable after the HSM has completed the initial power-on process. 5. ENABLING FIPS AND PCI HSM MODES The primary manner to configure the HSM is through the secure web interface. All configuration changes to the device are made through this TLS-secured interface. FIPS and PCI HSM modes disable the non-secure management of the HSM and require that all configuration activity, including firmware updates, are completed using the Excrypt Manager. Note: Port 443 or the HSM IP must be used to connect to the HSM while in PCI mode. 5.1. ENABLING THROUGH THE WEB INTERFACE 1. Connect the HSM to the network and log in the two Crypto Officers. 2. Change either FIPS Mode or PCI HSM Mode to Enabled. 3. Click Update Mode. The HSM will reset, clear all keys, and resetting users to factory defaults. Once the device has rebooted, it is in the selected mode. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 12 Note When switching between modes of operation, all sensitive information will be cleared, including all keys, critical security parameters (CSP), and user credentials. Once PCI HSM mode has been activated, connection to the HSM may only be made via the Securus or through a web browser-based SSL/TLS (https) connection. Anonymous connections are disabled when in FIPS or PCI HSM mode. Settings for these connections may be modified through the SSL/TLS tab in the Web Configuration Panel. 5.2. COM SETUP Once FIPS or PCI Mode of Operations has been activated, all serial ports will be disabled and the HSM must be connected to via a TLS-secured web connection. The COM Setup tab on the Dashboard will automatically have the normal contents removed in this situation. FIGURE 4: WEB INTERFACE - COM SETUP PANEL 5.3. ENABLING THROUGH EXCRYPT MANAGER 1. Log into Excrypt Manager using two Crypto-Officer identities for dual control. 1. Go to the Maintenance tab. 2. Under the Tools heading, use the drop-down menus next to the FIPS Mode and PCI-HSM Mode lines to choose between Off and On. 3. Click the Update Modes button. 4. A warning window will open to warn the user that enabling these modes will clear all keys and critical security parameters, remove all users, reset to factory defaults, and restart the HSM. To continue, click OK. 5. After enabling PCI or FIPS mode, the HSM will display a visual indicator in the bottom-right corner of the Excrypt Manager application. 6. RESET TO FACTORY DEFAULT Futurex HSMs have two recessed switches, located on either side of the device's front plate. These switches allow users to reset the cryptographic module inside of the device, restore the unit to factory defaults, or to completely decommission the unit. 6.1. RESET CRYPTOGRAPHIC MODULE To reset the cryptographic module located inside the HSM: 1. Ensure the device is powered on. 2. Locate the switch inside the left-hand lock port. 3. Push the switch downwards and hold for one second and then release the switch. 4. After approximately five minutes and multiple automatic restarts, the cryptographic module will be reset. Note During the reset process, the device will stop processing all API calls, including performing cryptographic operations. 6.2. RESTORE DEVICE TO FACTORY DEFAULTS – HARDWARE METHOD To restore the device to its factory default settings: 1. Ensure the device is powered on. 2. Locate the switch inside the left-hand lock port. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 13 3. Push the switch downwards and hold for one second and then push the switch upwards and hold for 60 seconds. 4. After approximately five minutes and multiple automatic restarts, the HSM will reset to the original firmware and factory default settings. 7. PORTS AND INTERFACES The cryptographic module provides the following physical ports and logical interfaces. All physical ports are within the boundary, but outside the epoxy material. • Ethernet ports (x2): Control input, data input, data output, status output  Ethernet ports provide encrypted communication sessions established with the TLS protocol for control input, data input, data output, and status output.  These ports include connection status LEDs. • PCIe connector (x1): Control input, data input, data output, status output  Provides logical signals for x4 additional Ethernet connections. • Single-row 4-pin headers (x7): Disabled in FIPS and PCI-HSM modes.  Provides USB functionality in the General Non-Approved mode. • USB Port (x1): Disabled in FIPS and PCI-HSM modes.  Provides USB functionality by converting the dual-row 5-pin header to USB in the General Non-Approved mode. • DB-9 Serial Port (x1): Disabled in FIPS and PCI-HSM modes.  Provides serial connection in the General Non-Approved mode. • Tamper status LED (x1): Status output  Reports a module tamper. • Dual-row 26-pin header (x1): Control input, Power  RPM signals  Battery sense  Main power supply  Battery power supply  “Power good” signal • Single-row 3-pin header (x1): Control input  Reset signal  Reset default port • Dual-row 5-pin header (x1): Disabled in FIPS and PCI-HSM modes  Provides serial connection in the General Non-Approved mode. • Single-row 2-pin header (x1): Control Input  Case Switch GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 14 The ports and interfaces can be identified as indicated below: Figure 2 – Ports and Interfaces 1. Ethernet Port 2. PCIe Connector 3. 4-pin USB Headers (x7) 4. USB Port 5. DB 9 Serial Port 6. Tamper LED 7. Dual-row 26-pin header 8. Single-row 3-pin header 9. Dual row 5-pin header 10. Single-row 2-pin header GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 15 8. IDENTIFICATION AND AUTHENTICATION POLICY 8.1. ASSUMPTION OF ROLES The cryptographic module shall support Crypto-Officer and Crypto-User Identities. In FIPS or PCI HSM mode, a Crypto-Officer or Crypto-User identity may communicate with the cryptographic module via an established TLS session. The cryptographic module shall enforce the separation of roles using identity-based authentication for all roles. For Crypto-Officer and Crypto-Users, an operator must enter their username and password to log in. The username is an alphanumeric string of 4 to 16 characters, and the password is an alphanumeric string of 8 to 64 characters chosen from the 95 printable and human-readable ASCII characters (0x20 to 0x7E) excluding the following: ‘[ ]<>;’ (thus, 90 characters are possible). Default passwords are only used for the default identities and must be updated upon initial login. An identity that provides a valid username and password will be identified as a Crypto-Officer or Crypto-User and must re-authenticate to change identity or role. The operator may end the session by logging out or power cycling the module, or the session shall automatically timeout after a fixed duration or transaction limit. To re-establish communication, an operator must re- authenticate. All cryptograms used while processing transactions contain authentication data for the Transaction Processing role, which take the form of key parity bits for KWP for AES. In either case, the symmetric key (AES) which is used to encrypt the cryptogram corresponds to the operator’s identity. For AES-wrapped keys, the key is auth-decrypted according to SP800-38F (KWP); if this operation fails, the command is rejected. 8.2. ROLES AND REQUIRED IDENTIFICATION AND AUTHENTICATION Role Type of Authentication Authentication Mechanism Crypto-Officer Identity-based Username and password ID of wrapping key and wrapped key (KWP/Key Parity) Crypto-User Identity-based Username and password ID of wrapping key and wrapped key (KWP/Key Parity) Customizable User Identity Identity-based Username and password ID of wrapping key and wrapped key (KWP/Key Parity) Table 6 - Roles and Required Identification and Authentication GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 16 8.3. STRENGTHS OF AUTHENTICATION MECHANISMS Authentication Mechanism Strength of Mechanism Username and Password The probability that a random attempt will succeed, or a false acceptance will occur is 1 / 4,304,672,100,000,000(1/908 ). The module allows for three (3) failed attempts and then times out for 20 seconds before retrying. The worst-case scenario is that there are nine (9) attempts in a one-minute period. The probability of successful authenticating to the module within one minute is 1 / 478,296,900,000,000 (9/908 ). AES-KWP AES-KWP (SP800-38F) provides 64 bits of authentication strength to a wrapped key. Thus, the probability that a random attempt will succeed, or a false acceptance will occur is 1/18,446,744,073,709,551,616 (1/264 ). The module allows for 50 failed attempts over 24 hours and then times out for 20 seconds before retrying. The worst-case scenario is that there are 150 attempts in a one-minute period. The probability of successfully authenticating to the module within one minute is 1/122,978,293,824,730,344 (150/264 ). Key Parity (3-key Triple-DES) 3-key Triple-DES has 24 parity bits. Thus, the probability that a random attempt will succeed, or a false acceptance will occur is 1/16,777,216 (1/224 ) The module allows for 50 failed attempts over 24 hours and then times out for 20 seconds before retrying. The worst-case scenario is that there are 150 attempts in a one-minute period. The probability of successfully authenticating to the module within one minute is 1/111,848 (150/224 ) *Note: TDES operations are not permitted in FIPS Mode of Operation, likewise Key Parity with 3-key Triple DES is not permitted in FIPS Mode of Operation. Table 7 - Strength of Authentication Mechanisms 9. ACCESS CONTROL POLICY 9.1. UNAUTHENTICATED SERVICES The cryptographic module supports the following unauthenticated services: • Status: This service provides the status of the cryptographic module via the LCD or Ethernet port. • Self-Tests: This service will enable an operator to initiate the suite of self-tests via power cycling the module. • Factory Reset: This service resets the module back to factory default and returns the device to the General (non-approved) Mode of Operation. (Zeroize CSPs, including all username/password combinations and restoring default identities. Firmware is also restored to version shipped with HSM) • Tamper: There are pins on the HSM that will allow the user to force a tamper event by shorting them. This will zeroize all CSPs to include default TLS pairs. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 17 9.2. AUTHENTICATED SERVICES Identity Authorized Service Crypto- Officer: • Create Session: This allows an operator to create a secure session to the HSM. • Authenticate: This service allows an operator to send credentials to be authenticated by the cryptographic module. Sessions will timeout after one minutes of inactivity, fifteen minutes of use, or 7,500 transactions. • Destroy Session: This service allows a Crypto-Officer to transition the cryptographic module into or out of an Approved mode. This service shall zeroize the module and restart. If the module is already in an Approved mode, it will remain in that Approved mode. • Initialization: This service zeroizes and generates Server Private and Public Key • Zeroize: This service shall enable a Crypto-Officer to destroy critical security parameters by zeroization. • Key Loading: This service allows a Crypto-Officer to load keys into the module. • *Update Firmware: This service shall enable the Crypto-Officer to update the cryptographic module’s firmware. Firmware authenticity is verified using an ECC signature. If the authenticity of the firmware is not confirmed, the cryptographic module will reject and delete the update. • General Configuration: This service allows a Crypto-Officer to change all configuration options for the module. • View Configuration: Gives operator the ability to view configuration status to include IP, COM, SSL, Time, Features, Users, IP tools, and Logs. This does not allow configuration changes of these items. • Configuration: Allows operator to change IP address, syslog level, and reboot the device • User Administration: This service will allow the Crypto-Officer to create, manage, and delete users. • Logout: This service will enable the Crypto-Officer to end authentication. • Load Encrypted Key: This service allows a user to send in Encrypted Keys and have the keys translated and stored in the key table or returned as a cryptogram encrypted under the master key. • Process Transactions: This service allows a user to use any of the commands listed in the Futurex TRM. These commands must be unblocked by the Crypto-Officer for Use. *Note: New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of scope of this validation and require a separate FIPS 140-2 validation. Crypto-User • Create Session: This service allows a user to create a secure session to the HSM. • Destroy Session: This allows a user to end the session. • Authenticate: This service allows a user to send credentials to be authenticated by the cryptographic module. • View Configuration: Gives operator the ability to view configuration status to include IP, COM, SSL, Time, Features, Users, IP tools, and Logs. This does not allow configuration changes of these items. • Logout: This service will enable the Crypto-User to end authentication. • Load Encrypted Key: This service allows a user to send in Encrypted Keys and have the keys translated and stored in the key table or returned as a cryptogram encrypted under the master key. • Process Transactions: This service allows a user to use any of the commands listed in Futurex TRM. These commands must be unblocked by the Crypto-Officer for use. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 18 • Configuration: Allows operator to change IP address, syslog level, and reboot the device Customizable User Identity • Configurable Services based on permissions that make up the identities. • This Customizable Identity will always be able to perform the following services: o Create Session: This service allows a user to create a secure session to the HSM. o Destroy Session: This allows a user to end the session. o Authenticate: This service allows a user to send credentials to be authenticated by the cryptographic module. o Logout: This service will enable the Crypto-Officer to end authentication. • These Crypto-User services may be given to the Customizable User Identity by authenticated Crypto-Officers under dual-control. o Load Encrypted Key: This service allows a user to send in Encrypted Keys and have the keys translated and stored in the key table or returned as a cryptogram encrypted under the master key (Commands must be unblocked by Crypto-Officer). o Process Transactions: This service allows a user to use any of the commands listed in Futurex TRM. These commands must be unblocked by the Crypto- Officer for use (Commands must be unblocked by Crypto-Officer. By default, GHSH command for approved SHA security functions available). • If any of the following services are present the Customizable User Identity assumes the responsibility of Crypto Officer: Requiring dual-control, identity-based, authentication. These services may only be given to the Customizable User Identity by authenticated Crypto-Officers under dual-control. o Zeroize: This service shall enable a Crypto-Officer to destroy critical security parameters by zeroization. o Key Loading: This service allows a Crypto-Officer to load keys into the module. o *Update Firmware: This service shall enable the Crypto-Officer to update the cryptographic module’s firmware. Firmware authenticity is verified using an ECC signature. If the authenticity of the firmware is not confirmed, the cryptographic module will reject and delete the update. o General Configuration: This service allows a Crypto-Officer to change all configuration options for the module. o User Administration: This service will allow the Crypto-Officer to create, manage, and delete users. o Configuration: Allows operator to change IP address, syslog level, and reboot the device *Note: New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of scope of this validation and require a separate FIPS 140-2 validation. Table 8 - Authorized Services by Role GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 19 9.2.1. Specification of Service Inputs and Outputs Service Control Input Data Input Data Output Status Output Create Session Header Info Signed Plaintext Data Encrypted Data N/A Authenticate Header Info Username & Password N/A Success / Fail Destroy Session Header Info N/A N/A N/A Process Transactions Header Info Encrypted Data Encrypted Data Plaintext Status Data Logout Header Info N/A N/A N/A Status N/A N/A N/A Plaintext Status Data Initialization Header Info Encrypted Data Encrypted Data Success / Fail Zeroize Header Info N/A N/A Success / Fail Self-Tests N/A N/A N/A Success / Fail User Administration Header Info Encrypted Data Encrypted Data Plaintext Status Data Update Firmware Header Info Encrypted Data Encrypted Data Plaintext Status Data Factory Reset Header Info N/A N/A Success View Configuration Header Info N/A N/A Plaintext Status Data Configuration Header Info N/A N/A Success/Fail General Configuration Header Info and Configuration Options N/A N/A Success/Fail Tamper Tamper Signal N/A N/A Tamper Key Loading Header Info Encrypted Data Encrypted Data Plaintext Status Data Load Encrypted Key Header Info Encrypted Data Encrypted Data Plaintext Status Data Table 9 - Specification of Service Inputs & Outputs GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 20 9.3. DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS) CSPs are secured within the cryptographic boundary. Operators do not have direct access to CSPs within the device. The following are CSPs contained in the module: CSP Type Description Unique Device Keys AES-256 Encryption and Decryption of TLS Private Keys Virtual UDKs AES-256 Encryption and Decryption of TLS Private Keys Global Derivation Key AES-256 Used to derive Master Key Encryption Key and Virtual Firmware Key Virtual Global Derivation Key AES-256 Derivation key Master Key Encryption Key (MKEK) AES-256 Encryption and Decryption of master keys Server Private Keys5F 6 ECC-521 RSA-2048 Sign or Decrypt data sent to the device from an operator during the creation of a TLS session. Used during creation of a TLS session. Session Encryption Key AES-128 AES-256 Encrypts / Decrypts data passed between an operator and the device during an established TLS session Session Hash Key HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512 Key size minimum of 128-bits and maximum of 256-bits enforced in secure modes of operation. Used for hashing data passed between an operator and the device during an established TLS session. Pre-Master Secret Keying Material Used to create the TLS session keys Maser Secret AES-256 Used for TLS, destroyed at the end of each TLS Session DHE/ECDHE Private Key ECC-521 DH-2048 Used for DHE/ECDHE TLS exchange Ephemeral Asymmetric Key RSA 2048 or ECC 521 Used to transfer Ephemeral Key between HSM’s for component transfer 6 Server Private Keys in the CSP table represents a combination of Customer Admin, Customer Admin App, Customer Prod App, Customer Prod Excrypt, and Customer Prod International Private Keys in one line item to conserve space/paper. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 21 Ephemeral Symmetric Key AES 256 Used to encrypt key components Crypto-Officer Password Passphrase Used to authenticate the identity of a Crypto-Officer. Crypto-User Password Passphrase Used to authenticate the identity of a Crypto-User Customizable User Identity Password Passphrase Used to authenticate the identity of a Customizable User Identity Platform Master Key AES 256 Used to encrypt User Keys and Ephemeral Asymmetric keys Pending Master File Key AES-256 Used for rotation of master keys. Not used to encrypt/decrypt any data until it is ready to replace master keys. FTK Key AES 256 Used to encrypt AES keys for PKCS #11 Key Exchange Key AES 256 Used to load User Keys as part of Transaction Processing (key transport) Backup Key AES 256 Encrypts the User Keys for backup (key transport) Smart Card Encryption Key AES 256 Wraps smart card fragments (keys and other sensitive data) for storage on smart card. User Keys RSA 1024*, 2048, 3072 AES 128, 192, 256 ECC 192***, 224, 256, 384, 521 HMAC Data encryption, key exchange, CMAC, and HMAC keys used by user These keys are available to Crypto Officer and Crypto-User roles. Seed Value NDRNG value Seed for CTR DRBG. Seed Key (DRBG State) Internal RNG state “V” and “Key” internal values for CTR DRBG. HSM Signing Private Key RSA 2048 Used to sign the logs when output Virtual Firmware Key AES-256 Unique Virtual HSM Firmware Key used to encrypt and decrypt the UDK and GDK of individual virtual HSMs Table 10 - Critical Security Parameters *NOTE: RSA 1024 can only be used for verification. ***NOTE: ECC 192 can only be used for verification. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 22 9.4. DEFINITION OF PUBLIC KEYS The following are the public keys contained in the module: • Firmware Public Keys (ECC 521): These public keys are used for signature verification of the firmware and firmware updates to protect against unauthorized modification. • Customer Admin Public Keys (RSA 2048/ECC 521): The public keys components of the Administration certificates used for verifying signatures. This corresponds to one of the server private keys. • Customer Production Excrypt Public Keys (RSA 2048/ECC 521): The public keys components of the Production Excrypt certificates used for verifying signatures. This corresponds to one of the server private keys. • Customer Production International Public Keys (RSA 2048/ECC 521): The public keys components of the Production International certificates used for verifying signatures. This corresponds to one of the server private keys. • Customer Production Web Public Keys (RSA 2048/ECC 521): The public keys components of the Production Web certificates used for verifying signatures. This corresponds to one of the server private keys. • Customer App Administration Public keys (RSA 2048/ECC 521): The public keys components of the Application Administration certificates used for verifying signatures. This corresponds to one of the server private keys. • Customer App Production Public Keys (RSA 2048/ECC 521): The public keys component of the Application Production certificates used for verifying signatures. This corresponds to one of the server private keys. • User Public Keys (RSA 2048-4096, ECC 192/224/256/384/521): These public keys are always used by the operator. • HSM Signing Public Key (RSA 2048/ECC 521): Output to allow host to verify log signature. • DH Public Key (DH 2048/ECC P-521): Used for TLS key exchange GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 23 9.5. MODES OF ACCESS FOR CSPS Table 11 provides a list of CSP operations supported by the cryptographic module. Per-service access rights are shown in Table 12. Supported CSP operations are defined as follows: • Generate: These operations generate a particular CSP within the cryptographic module. • Load: These operations allow for a particular CSP to be loaded into the cryptographic module. • Wrap: These operations use a CSP to perform key wrapping. • Un-wrap: These operations use a CSP to perform key unwrapping. • Destroy: These operations erase the CSP from the cryptographic module. CSP Operation Generate Load Wrap Un-wrap Destroy Unique Device Keys x x x x Virtual UDKs x x x x Global Derivation Key x x Virtual Global Derivation Key x x Master Key Encryption Key x x x x Server Private Keys x x Session Encryption Key x x x x Session Hash Key x x x x Pre-Master Secret x x Master Secret x x DHE/ECDHE Private Key x x Ephemeral Asymmetric Key x x x x Ephemeral Symmetric Key x x x x GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 24 Crypto-Officer Password x x Crypto-User Password x x Customizable User Identity Password X X Platform Master Key (PMK) x x x x FTK Key x x x x Key Exchange Key (KEK) x x x x Backup Key x x x x Smart Card Encryption Key (SCEK) x x x x User Keys x x x x Seed Value x x HSM Signing Private Key x x Virtual Firmware Key x x x x Seed Key (DRBG State) x x Table 11 - Supported CSP Operations Note: Unique Device Key is generated at time of manufacture or re-generated during tamper recovery and is not associated with any operator roles. Cryptographic Keys and CSPs Access Operation Service Crypto- Officer Crypto- User U/A* Generate Session Encryption and Hash keys (Session Encryption Key, Session Hash Key, Pre-Master Secret, Server Private Keys, DHE/ECDHE Private Keys) Create Session x x Wrap and un-wrap with Session Encryption and Hash keys Process Transactions x x GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 25 (Session Encryption Key, Session Hash Key, Pre-Master Secret, Master Secret) Destroy Session Encryption and Hash keys (Session Encryption Key, Session Hash Key, Pre-Master Secret, Master Secret) Destroy Session x x (No CSP access) Status x Generate Ephemeral Keys; Wrap and un-wrap with Ephemeral Keys (Ephemeral Symmetric, Ephemeral Asymmetric) Key Loading x Destroy Ephemeral Keys (Ephemeral Symmetric, Ephemeral Asymmetric) Key Loading (upon completion) x Destroy Keys (Global Derivation Key, Virtual Global Derivation Key, Master Key Encryption Key, Server Private Keys, DHE/ECDHE Private Keys, Crypto-Officer Password, Crypto-User Password, Customizable User Identity Password, PMK, FTK, KEK, Backup Key, SCEK, User Keys, HSM Signing Private Key, Virtual Firmware Key) Zeroize x Zeroize and generate Server Private and Public Key (Unique Device Key, Virtual UDK, Global Derivation Key, Virtual Global Derivation Key, Master Key Encryption Key, Server Private Keys, DHE/ECDHE Private Keys, Seed Value, Seed Key, HSM Signing Private Key) Initialization x Zeroize all CSPs (All CSPs listed in table 11 are cleared and actively zeroized upon detection of a tamper event) Tamper x (No CSP access) Self-Tests x Load or Destroy Usernames/Passwords (Crypto-Officer Password, Crypto-User Password, Customizable User Identity Password) User Administration x Verify with Firmware Public Key Update Firmware x Zeroize CSPs and restore factory defaults** Factory Reset x GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 26 (Global Derivation Key, Virtual Global Derivation Key, Master Key Encryption Key, Server Private Keys, DHE/ECDHE Private Keys, Crypto-Officer Password, Crypto-User Password, Customizable User Identity Password, PMK, FTK, KEK, Backup Key, SCEK, User Keys, HSM Signing Private Key, Virtual Firmware Key) Send in authentication credentials (Crypto-Officer Password, Crypto-User Password, Customizable User Identity Password) Authenticate x x No CSP access Logout x x No CSP access General Configuration x No CSP access Configuration x No CSP access View Configuration x x Loading of PMK, FTK, KEK, Backup Key, SCEK, User Keys (Global Derivation Key, Virtual Global Derivation Key, Master Key Encryption Key, Crypto-Officer Password, Customizable User Identity Password, PMK, FTK, KEK, Backup Key, SCEK, User Keys) Key Loading x Loading of Encrypted User Keys (Global Derivation Key, Virtual Global Derivation Key, Master Key Encryption Key, Crypto-Officer Password, Crypto-User Password, Customizable User Identity Password, User Keys) Load Encrypted Key x x Table 12 - CSP Access Rights within Roles & Services *NOTE 1: U/A = Unauthenticated services typically available with physical access (e.g., power cycle, view LCD) **NOTE 2: The Factory Reset service does not zeroize the UDK (only a Tamper does that). If the UDK has been previously zeroized by a tamper event, the Factory Reset service generates a new UDK. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 27 10.OPERATIONAL ENVIRONMENT The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the cryptographic module supports a non-modifiable operational environment. 11.SECURITY RULES The cryptographic module’s design corresponds to the cryptographic module’s security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 3 module. 1. The cryptographic module shall provide two distinct operator roles. These are the Crypto-Officer role, and the Crypto-User role. i. Customizable rolls shall assume classification of one of the two roles mentioned above and in section 6.2 2. The cryptographic module shall provide identity-based authentication. 3. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services. 4. The cryptographic module shall encrypt message data using an approved TLS cipher suite when TLS is used. 5. The cryptographic module shall perform the Power-Up and Conditional self-tests as specified in section 8.1 below. 6. The cryptographic module shall clear previous authentications on power off/cycle. 7. Any time the cryptographic module is in an idle state, the operator shall be capable of commanding the module to perform the Power-Up self-test. 8. Prior to each use, the DRBG shall be tested using the conditional test specified in FIPS 140-2 §4.9.2. 9. Data output shall be logically inhibited during key generation, self-tests, zeroization, and error states using separate system processes. 10. Zeroization shall clear all CSPs in at most one-tenth of a second. 11. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 12. The module shall not support the update of the logical serial number or vendor ID. 13. If the cryptographic module remains inactive in any valid role for a maximum period of five minutes, the module shall automatically log-out the operator. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 28 11.1. SELF-TESTS In all Modes of Operation, the cryptographic module will perform power-up self-tests without operator intervention. Self-tests may also be executed at the request of an operator by power cycling the module. When power cycling the module, no operator intervention is required before self-tests are performed. If a self-test fails, the device will transition to the Fatal Error state and report an error which is observed on the LCD screen of the parent device. If all tests pass, the module powers up normally and reports All Self-Tests Passed on the LCD screen of the parent device. Power-Up and Periodic Self Tests The following tests shall be performed at power-up: • Firmware integrity and authenticity tests (ECDSA P-521 signature) are performed in all modes of operation. • Known answer tests are executed in FIPS and PCI modes of operation for: o AES-KWP (NIST AES-KWP Cert. #C2005)  AES key sizes 128, 192, and 256-bits used for KWP self-tests o AES Encrypt and Decrypt (NIST AES Cert. #C2004)  AES key size of 256-bits used for AES self-tests • Modes Tested: CBC, CFB1, CFB128, CFB8, ECB, OFB  AES key size of 128-bits is used for the AES self-test • Modes Tested: CTR o AES-CMAC Generate and Verify (NIST AES-CMAC Cert. #C2004)  AES key size of 128, 192, and 256-bits used for AES-CMAC self-tests o AES-GCM Encrypt and Decrypt (NIST AES-GCM Cert. #C2004)  AES key size 256-bits used for AES-GCM self-tests o DRBG Known Answer (NIST Counter DRBG Cert. #C2004)  DRBG KAT performed with 256-bit output. o ECC Sign and Verify (NIST ECDSA Cert. #C2004)  ECC key sizes of 224, 256, 384, and 521-bits used for ECC sign/verify self-tests o HMAC SHA1/SHA224/SHA256/SHA384/SHA512 (NIST HMAC Cert.#C2004) o KDF Counter Mode using CMAC (NIST KDF Cert. #C2005)  AES key sizes of 128, 192, 256-bits used for KDF using CMAC self-tests o RSA Sign and Verify (NIST RSA Cert. #C2003)  RSA Modulus of 2048-bits used for self-test o SHA1/SHA224/SHA256/SHA384/SHA512 (NIST SHS Cert. #C2003) GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 29 o Triple-DES CMAC Generate and Verify6F 7 o Triple-DES Keying Option 1 and 2 Encrypt and Decrypt (NIST Triple-DES Cert. #C2003) Conditional Self-Tests The device will perform the following conditional self-tests: • Firmware load test (ECC signature verification) is performed in all modes of operation. • The following conditional self-tests are executed in FIPS and PCI modes of operation o Continuous random number generator tests for NDRNG and DRBG. o DRBG Health Checks (SP800-90A §11.3) o Pair-wise consistency test for RSA, ECC key generation o Firmware load test (ECDSA signature verification) 12.PHYSICAL SECURITY POLICY 12.1. PHYSICAL SECURITY MECHANISMS The multi-chip embedded cryptographic module includes the following physical security mechanisms: • Hard, opaque potting material encapsulates the security relevant portion of the module, and any attempt to physically intrude the device will result in serious damage which will cause the module to stop functioning. • The module is protected by a tamper detecting membrane, which responds to physical tampering by immediately zeroizing CSPs and entering the Tamper State. • Environmental monitoring sensors will trigger a tamper response and CSP zeroization to prevent the module from being compromised from altering certain environmental or operational conditions. 12.2. ENVIRONMENTAL CONDITIONS AND PARTIAL ENVIRONMENTAL FAILURE PROTECTION The following environmental conditions should be maintained for the module: • Operating environment temperature: 10 to 35°C • Storage temperature: -20 to 65°C Partial Environmental Failure Protection will trigger a shutdown or tamper response should the module detect environmental conditions outside of these specifications: • Temperature: -20 to 65°C • Voltage: 2.3 to 4.4 V DC on internal 3V line. 7 Triple-DES algorithms are only performed in FIPS Mode of Operation when executing a power-up, on-demand, or daily self-tests. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 30 12.3. OPERATOR RECOMMENDED ACTIONS The operator may be required to periodically inspect the unit for forced entry. Physical Security Mechanisms Recommended Frequency of Inspection / Test Inspection / Test Guidance Details Tamper Evident Potting Monthly, and prior to module Initialization Inspect hard potting for removal/penetration attempts. Table 13 - Inspection / Testing of Physical Security Mechanisms The figures below show the module with its tamper evident potting intact, and a sample of the potting after a tamper attempt has been made. Figure 3 – GSP3000 with its Tamper Potting Intact Figure 4 – Examples of Tamper Attempts on the GSP3000 Potting GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 31 13.MITIGATION OF OTHER ATTACKS The module mitigates the Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks by emitting compromising emanations through suppression and containment of side channel signals. The module’s physical enclosure functions as a Faraday cage to attenuate such signals. The module also provides Partial Environmental Failure Protection, as described in Section 9. 14.DESIGN ASSURANCE 14.1. CONFIGURATION MANAGEMENT Documentation for the cryptographic module, which includes hardware specifications, firmware source code, guidance and FIPS specific documentation, is maintained using a version control repository. All configuration management items are uniquely identified by a path and filename within the repository. All configuration management items within the version control repository are uniquely identifiable. 14.2. GUIDANCE DOCUMENTS Provided with the cryptographic module are all Crypto-Officer and user guidance documents that specify the following: • Administrative functions, physical ports, and interfaces • Procedures describing how to securely administer the cryptographic module • Approved security functions • User responsibilities for securely operating the cryptographic module 14.3. SYSTEM IDENTIFICATION AND AUTHENTICATION Procedures for system identification and authentication of the module are detailed in the Futurex PCI HSM User Guide Addendum. 14.4. AUDIT LOGS AND INSPECTION FREQUENCY Understanding of the operation and initialization of the module is requisite to configure logging. Procedures to configure audit logging are detailed in the Futurex PCI HSM User Guide Addendum. • The module supports secure logging of transactions, data, and events to enable auditing. • Operator restrictions for accessing, archiving, or deleting logs are configured by settings and policies established by system administrators. • Logs should be audited daily, and an appropriate notification tree should be established for escalating and investigating any suspicious log activity GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 32 15.KEY LOADING 15.1. KEY LOADING (FIPS/PCI-HSM MODES) When operating in FIPS or PCI-HSM Modes, all key loading traffic to HSM must be encrypted. This is accomplished by using a Futurex Excrypt Touch. The Excrypt Touch is a fully functional TRSM that will encrypt all data between it and the HSM using TLS. 16.PRODUCT IDENTIFICATION 16.1. HARDWARE IDENTIFICATION To identify a GSP3000 refer to the product identification label, as seen in Figure 4 Figure 5 - Product Identification Label The GSP3000 is typically sold as an embedded component inside of other Futurex devices and its product identification label is not visible without opening the chassis. Internal inspection is not possible without specialized tools only available to authorized service technicians. As such, Futurex places product identification labels on the exterior of the chassis that supports the GSP3000. Figure 6 shows an example of a chassis label that references the existence of an embedded GSP3000. Figure 6 - Chassis Label GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 33 Figure 7 and Figure 8 show typical placements of chassis labels. Figure 7 - 1U Chassis Label Location Figure 8 - 2U Chassis Label Location 16.2. FIRMWARE VERSIONING SCHEME AND IDENTIFICATION The firmware version is made of four components concatenated with periods in the form of Major.Audit.Branch.Release where: • Major - The major number shall only be incremented when large scale changes have been made to the release in question. Its value will be updated when Futurex believes the scope of the changes warrants an update. • Audit - The audit number shall only be incremented when changes have been made that require a full 3rd party security audit. This would typically be necessary when new security features are added or when branches are merged. • Branch - This is incremented when a new branch is created. Branches are typically used to distinguish unique packaging of existing security features, introduction of low-impact security changes, or the introduction of new non-security features. • Release - This is incremented when a new release happens off a branch. Changes to this component represents either bug fixes or refinements to the functionality of existing features. Releases typically represent non-impactful security changes but may have a low impact. The firmware version can be found on the LCD screen, web portal, or in Excrypt Manager. Please refer to Figure 8 and Figure 9 for reference. Also provided in this view is the enabled feature identifier that may be concatenated to the end of the firmware version and indicated by one or more of the following characters: ‘i’ International Restriction Crypto, ‘c’ Clear PIN Support, or ‘k’ RSA Support. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 34 Figure 9 - Firmware Version through Web Portal Figure 10 - Firmware Version through Excrypt Manager 17.TLS PROTOCOLS 17.1. TLS PROTOCOLS SUPPORTED The list below contains all the TLS Protocols supported. • TLS_AES_128_GCM_SHA256 • TLS_AES_256_GCM_SHA384 • TLS_DHE_RSA_WITH_AES_128_CBC_SHA • TLS_DHE_RSA_WITH_AES_256_CBC_SHA • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 • TLS_DHE_RSA_WITH_AES_128_GMC_SHA256 • TLS_DHE_RSA_WITH_AES_256_GMC_SHA256 • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Note: The TLS protocol, other than the KDF, have not been tested by the CMVP or CAVP as per FIPS 140-2 Implementation Guidance D.11 Note: TLS ciphers that utilize FFC key agreement use the following Safe Prime Groups: ffdhe2048 (ID = 256), ffdhe3072 (ID = 257), ffdhe4096 (ID = 258) as specified in SP800-56A rev3 Appendix D and RFC 7919 GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 35 18.REFERENCES 1. FIPS PUB 140-2, Security Requirements for Cryptographic Modules, National Institute of Standards and Technology, 2001 May 25. 2. Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Draft, National Institute of Standards and Technology, 2019 June 10. 3. Annex B: Approved Protection Profiles for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Draft, National Institute of Standards and Technology, 2019 June 10. 4. Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Draft, National Institute of Standards and Technology, 2019 June 10. 5. Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Draft, National Institute of Standards and Technology, 2020 August 10. 6. Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Draft, National Institute of Standards and Technology, 2004 March 24. 7. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, National Institute of Standards and Technology, 2020 August 28 8. NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, National Institute of Standards and Technology, November 2007 9. NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, National Institute of Standards and Technology, December 2012 10. NIST Special Publication 800-52 Rev2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, National Institute of Standards and Technology, August 2019 11. NIST Special Publication 800-56A Rev3, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography, National Institute of Standards and Technology, April 2018 12. NIST Special Publication 800-56C Rev2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography, National Institute of Standards and Technology, April 2018 13. NIST Special Publication 800-90A Rev.1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, National Institute of Standards and Technology, June 2016 14. ANSI X9.31-1998, Digital Signature using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), Accredited Standards Committee X9, Inc., 1998. 15. The RSA Validation System (RSAVS), National Institute of Standards and Technology, 2004 November 09. 16. FIPS PUB 180-2 with Change Notice 1, Secure Hash Standard (SHS), National Institute of Standards and Technology, 2004 February 25. 17. The Secure Hash Algorithm Validation System (SHAVS), National Institute of Standards and Technology, 2004 July 22. 18. FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC), National Institute of Standards and Technology, 2002 March 06. 19. The Keyed-Hash Message Authentication Code Validation System (HMACVS), National Institute of Standards and Technology, 2004 December 03. GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 36 19.GLOSSARY Term Definition ANSI American National Standards Institute CA Certificate Authority CO Cryptographic Officer CRC Cyclic Redundancy Check CSP Critical Security Parameter DES Data Encryption Standard DRBG Deterministic Random Bit Generator ECC Elliptic Curve Cryptography (i.e. ECDH, ECDSA) EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FIPS PUB Federal Information Processing Standards Publication GCM Galois/Counter Mode HMAC-SHA-1 Keyed-Hash Message Authentication Code using SHA-1 I2 C Inter-Integrated Circuit IP Internet Protocol LCD Liquid Crystal Display MD5 Message Digest 5 NDRNG Non-Deterministic Random Number Generator NIST National Institute of Standards and Technology RNG Random Number Generator RSA Rivest-Shamir-Adelman public key algorithm SHA Secure Hash Algorithm SHS Secure Hash Standard Table 14 - Glossary 20.CSP ABBREVIATIONS Term Definition KEK Key Exchange Key PMK Platform Master Key MKEK Master Key Encryption Key GDK Global Derivation Key BEK Backup Encryption Key SCEK Smart Card Encryption Key Table 15 - Abbreviations GSP3000 HSM FIPS 140-2 Non-Proprietary Security Policy Document Version 1.19– January 2023 Futurex GSP3000 HSM Non-Proprietary Security Policy – Page 37 OFFICE: +1 830 - 980 - 9782 TOLL FREE: 800 - 251 - 5112 864 OLD BOERNE ROAD, BULVERDE, TEXAS, USA 78163