© 2022 Western Digital Corporation or its affiliates. Public Material - May be reproduced only in its original entirety [without revision]. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Protection of Data at Rest Document Version: 1.2 2022-08-22 Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 2 of 29 Table of Contents 1. Cryptographic Module Overview.............................................................................................................4 1.1 Models........................................................................................................................................................................4 1.2 Security Level............................................................................................................................................................5 2. FIPS 140 Modes of Operation..................................................................................................................5 2.1 FIPS Approved Mode of Operation.....................................................................................................................5 2.2 TCG Opal Security Mode.......................................................................................................................................5 2.3 Single User Data Ranges.........................................................................................................................................6 2.4 Approved Algorithms..............................................................................................................................................6 2.5 Approved Random Number Generator...............................................................................................................8 3. Ports and Interfaces....................................................................................................................................8 4. Identification and Authentication Policy.................................................................................................8 4.1 Crypto Officer Roles ...............................................................................................................................................8 4.1.1 Secure ID (SID) .................................................................................................................................................................8 4.1.2 Admin SP Admin1.............................................................................................................................................................8 4.1.3 Admin SP Maintenance.....................................................................................................................................................8 4.1.4 Locking SP Admins...........................................................................................................................................................8 4.2 User Roles .................................................................................................................................................................9 4.2.1 Locking SP Users...............................................................................................................................................................9 4.3 Anybody.....................................................................................................................................................................9 4.4 Authentication Method and Strength .................................................................................................................10 5. Access Control Policy ..............................................................................................................................10 5.1 Roles and Authenticated Services........................................................................................................................10 5.2 Unauthenticated Services......................................................................................................................................12 5.3 Critical Security Parameters (CSPs).....................................................................................................................13 5.4 Public Security Parameters....................................................................................................................................15 5.5 SP800-132 Key Derivation Function Affirmations..........................................................................................16 5.6 Critical Security Parameter Modes of Access ....................................................................................................16 5.7 Public Security Parameter Modes of Access......................................................................................................20 6. Operational Environment .......................................................................................................................21 7. Security Rules ............................................................................................................................................21 7.1 Invariant Rules........................................................................................................................................................21 7.2 Initialization Instructions......................................................................................................................................23 7.3 Zeroization Rules...................................................................................................................................................24 8. Physical Security Policy............................................................................................................................24 8.1 Mechanisms.............................................................................................................................................................24 9. Mitigation of Other Attacks Policy ........................................................................................................24 10. Definitions .................................................................................................................................................24 11. Key Words.................................................................................................................................................27 12. Acronyms...................................................................................................................................................27 13. References..................................................................................................................................................28 13.1 NIST Specifications...............................................................................................................................................28 13.2 Trusted Computing Group Specifications.........................................................................................................28 13.3 International Standards .........................................................................................................................................29 13.4 Corporate Documents...........................................................................................................................................29 Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 3 of 29 Tables Table 1 - Ultrastar DC SN640 Model.............................................................................................................5 Table 2 - Module Security Level Specification..............................................................................................5 Table 3 - FIPS Approved Algorithms ............................................................................................................7 Table 4 – Approved Cryptographic Functions Tested with Vendor Affirmation...................................7 Table 5 - Ultrastar DC SN640 Ports and Interfaces.....................................................................................8 Table 6 - Roles and Required Identification and Authentication...............................................................9 Table 7 - Authenticated CM Services ...........................................................................................................11 Table 8 - Unauthenticated Services...............................................................................................................12 Table 9 - Critical Security Parameters...........................................................................................................15 Table 10 - Public Security Parameters ..........................................................................................................16 Table 11 - CSP Access Rights within Roles & Services.............................................................................18 Table 12 - CSP Access Rights within Roles & Services.............................................................................19 Table 13 - PSP Access Rights within Roles & Services .............................................................................21 Figures Figure 1: Ultrastar DC SN640 Cryptographic Module ................................................................................4 Figure 2: Ultrastar DC SN640 Block Diagram..............................................................................................4 Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 4 of 29 1. Cryptographic Module Overview The self-encrypting Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self Encrypting Drive, solid-state drive, hereafter referred to as Ultrastar DC SN640, Cryptographic Module (CM) is a multiple-chip embedded module that complies with FIPS 140-2 Level 1 security. The drive enclosure defines the cryptographic boundary. See Figure 1: Ultrastar DC SN640 Cryptographic Module. The physical interface to the Cryptographic Module is an EDSFF [16] connector and a 3-pin UART port connector. All components within this boundary satisfy FIPS 140-2 requirements. The Cryptographic Module complies with the Trusted Computing Group (TCG) Storage Security Subsystem Class: Opal Specification [8]. The TCG Storage specifications [1, 2, 3, 4, 5, 6, 7, and 8] define the logical interface. The range of supported services, which utilize NIST approved algorithm, include 256-bit AES hardware-based data encryption, cryptographic erasure of user data, authenticated protection of LBA data ranges and RSA 2048 authenticated firmware download support. The primary function of the module is to provide encrypted data storage, authenticated access control, and cryptographic erasure of the data stored on the solid-state media. The Cryptographic Module operator interfaces with the CM through a host system application. Figure 1: Ultrastar DC SN640 Cryptographic Module Figure 2: Ultrastar DC SN640 Block Diagram 1.1 Models A single hardware version defines the scope of the Cryptographic Module. Table 1 provides the model number, characteristics, and firmware version associated with the validated model. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 5 of 29 Hardware Version Firmware Version Description WUS4AB0A1D9ELE8 R501000Q SSD, BiCS4 TLC NVMe EDSFF-L-9.5mm RI-0.2 DW/D 7% OP 15.36TB Table 1 - Ultrastar DC SN640 Model 1.2 Security Level The Cryptographic Module meets all requirements applicable to FIPS 140-2 Level 1 Security. FIPS 140-2 Security Requirements Section FIPS 140-2 Security Level Achieved Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 2 Finite State Model 1 Physical Security 1 Operational Environment N/A Cryptographic Key Management 1 EMI/EMC 3 Self-Tests 1 Design Assurance 2 Mitigation of Other Attacks N/A Table 2 - Module Security Level Specification 2. FIPS 140 Modes of Operation 2.1 FIPS Approved Mode of Operation The Cryptographic Module has a single FIPS Approved mode of operation. Upon shipment from the vendor's manufacturing site the cryptographic module always operates in FIPS Approved Mode. See Section 7.2 for information on the recommended initialization instructions for the Cryptographic Module. The operator can confirm that the Cryptographic Module is operating in a FIPS Approved mode by invoking the Level 0 Discovery service and confirming that the in FIPS data field returns a value of 1. 2.2 TCG Opal Security Mode The TCG Opal security mode utilizes NVMe commands as well as TCG commands that address the TCG Admin SP and TCG Locking SP to provide services. The Crypto Officer must execute the Activate service to enable the TCG Opal security mode. The TCG Opal security mode allows multiple users with individualized access control to read, write, and erase data within independent data areas, which are referred to as LBA ranges. Access control tables define authorities, the secrets and authentication methods those authorities require, and the access control associations that permit method operation. Credential tables define the available encryption and decryption algorithms, authentication mechanisms, and store associated secrets or keys. Access control defines which authorities are permitted to successfully invoke which methods and modify ACLs. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 6 of 29 The TCG Opal security mode supports administrator functions within the Crypto Officer role to, • Enable and disable Users • Grant LBA range access to Users • Create, configure, lock, and unlock LBA ranges • Cryptographically erase data ranges 2.3 Single User Data Ranges The Crypto Officer my elect to define one or more data ranges as a Single User Data Range (SUDR) when invoking the Activate service. The TCG Storage Opal SSC Feature Set: Single User Mode [5] defines Single User Data Ranges. As specified, the associated User role solely manages its assigned SUDR. Executing the Reactivate service allows an enabled Locking SP Admin to reclassify user data ranges. 2.4 Approved Algorithms The Cryptographic Module supports the following FIPS Approved algorithms. All algorithms and key lengths comply with NIST SP 800-131A. CAVP Cert Algorithm Standards and Function A1184 [FIPS 186-4] RSA Function: Secure Loader digital signature verification with SHA2-256 Mode: PKCS#1 v1.5 Key size: 2048 bits Key Strength: 256 bits Prerequisite: SHS 2942 A1232 [FIPS 186-4] RSA Function: Digital signature verification with SHA2-256 Mode: PKCS#1 v1.5 Key size: 2048 bits Key Strength: 112 bits Prerequisite: SHS 2942 A1232 [SP 800 38F] Key Wrapping Functions: Encryption, decryption, and key wrapping to protect the Root Signing Key Modes: KWP-AE, KWP-AD Key Size: 256 bits Key Strength: 256 bits Prerequisite: AES 3913 A1232 [SP 800-132] PBKDF2 Function: PBKDF2 utilizes a 32-byte PIN (password) and 256-bit KDF Salt to generate 256-bit Derived Authority Keys. Mode: HMAC-SHA2-256 Key size: 256 bits Key Strength: 256 bits Prerequisite: SHS 2942, HMAC 2280 A1232 [SP 800-90A, SP 800-38A, SP 800-38D] DRBG Function: Deterministic random number generator (DRBG) Mode: CTR DRBG with AES-256 Derivation Function Key Size: 256 bits Key Length: 384 bits Key Strength: 256 bits Prerequisite: AES 3580 Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 7 of 29 CAVP Cert Algorithm Standards and Function AES 35801 [FIPS 197, SP 800-38A, SP 800-38E] AES Function: AES-CBC-256 encrypts and decrypts CSPs and PSPs Mode: CBC Key Size: 256 bits Key Strength: 256 bits AES 39132 [FIPS 197] AES Function: AES-ECB-256 encryption and decryption. Supports SP 800-38F key wrapping. Mode: ECB Key Size: 256 bits Key Strength: 256 bits C1973 [FIPS 197, SP 800-38A, SP 800-38E] AES3 Function: Used to encrypt and decrypt data-at-rest in a storage application only Mode: XTS4 • Per IG A.9, an LRK.AESKey/LRK.XTS keyset differs from its associated NSK.AESKey/NSK.XTS keyset Key Size: 256 bits Key Strength: 256 bits ENT (P) [SP800-90B] Function: Hardware entropy noise source seeds the Approved [SP800-90A] DRBG Type: Ring Oscillator DRBG Seed Length: 5120 bits DRBG Seed Entropy: 430.555 bits (2.6910 bits per 32 bits) HMAC 22805 [FIPS 198-1] HMAC Function: Used to sign and verify CSPs and PSPs and derive keys in PBKDF2 Mode: SHA2-256 Key Size: 256 bits Key Strength: 256 bits Prerequisite: SHS 2942 SHS 29426 [FIPS 180-4] SHS Functions: Digital signature verification and in used in the HMAC function Mode: SHA2-256 Key Size: 256 Key Strength: 256 bits Table 3 - FIPS Approved Algorithms Algorithm Description Rationale CKG [SP800 133] Cryptographic Key Generation Function: Generated from the DRBG without further modification or post processing Vendor Affirmed [FIPS140] IG D.12 [SP 800 133] Sections 6.1, 6.2.3 and 6.3 Table 4 – Approved Cryptographic Functions Tested with Vendor Affirmation 1 The cryptographic module does not use the AES ECB-128, AES ECB-256, AES-CBC-128, AES-XTS-128, and AES-XTS-256 capabilities listed under Cert# AES 3580. 2 The cryptographic module does not use the AES-ECB-128, AES-XTS-128 and AES-XTS-256 capabilities listed under Cert# AES 3913. 3 AES ECB-128 and AES-XTS-128 were tested. However, the cryptographic module does not use these algorithms. 4 The length of the XTS-AES data unit does not exceed 220 blocks 5 The cryptographic module does not use the HMAC-SHA1 and HMAC-SHA2-224 capabilities listed under Cert# HMAC 2280. 6 The cryptographic module does not use the SHA-1 and SHA2-224 capabilities listed under Cert# SHS 2942. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 8 of 29 2.5 Approved Random Number Generator A validated [SP 800-90B] hardware NDRNG seeds the Approved [SP800-90A] DRBG. Available entropy does not modify the security strength of the cryptographic keys generated by the module. Each 32-bit sample block contains at least 2.6910 bits of entropy. Each time the DRBG is instantiated or reseeded, one hundred sixty (160) 32-bit samples seed the DRBG. This equates to 5120 bits of entropy data and translates to at least 430.555 bits of entropy. The nonce consumes approximately 143.5 bits. Therefore, approximately 287.0 bits of entropy remain to determine the bit strength of the keys generated by the DRBG. This exceeds the 384 bits (256-bit entropy input and 128-bit nonce) of min-entropy needed to seed the DRBG with 256-bits of security. 3. Ports and Interfaces The drive uses the EDSFF connector that conforms to the mechanical requirements within SFF-TA-1002 [16]. Table 5 identifies the Cryptographic Module’s ports and interfaces. The UART port is a three-wire port that consists of transmit (Tx), receive (Rx) and ground. The Cryptographic Module does not provide a removeable maintenance access panel. FIPS 140-2 Interface Cryptographic Module Port Connector Pins Power Power connector Control Input EDSFF connector, UART connector Status Output EDSFF connector, UART connector Data Input EDSFF connector, UART connector Data Output EDSFF connector, UART connector Table 5 - Ultrastar DC SN640 Ports and Interfaces 4. Identification and Authentication Policy The Cryptographic Module enforces role separation by requiring a role identifier and an authentication credential in the form of a Personal Identification Number (PIN). The Cryptographic Module enforces the following FIPS140-2 operator roles. Table 6 maps TCG authorities to FIPS 140-2 roles. 4.1 Crypto Officer Roles 4.1.1 Secure ID (SID) This Crypto Officer role corresponds to the authority that represents the TPer owner within the Admin SP as defined in the TCG Storage Security Subsystem Class: Opal [2] specification. The Crypto Officer uses this role to transition the Cryptographic Module to the TCG Opal security mode . The Cryptographic Mode actively rejects firmware images that do not comply with FIPS 140 security requirements. 4.1.2 Admin SP Admin1 This Crypto Officer role corresponds to the Admin SP Admin1 authority defined in the TCG Storage Security Subsystem Class: Opal [2] specification. The Admin SP Admin1 authority can enable and disable a Locking SP Admin. 4.1.3 Admin SP Maintenance For failure analysis purposes, the Crypto Officer authenticates to the Admin SP Maintenance authority, enables the diagnostic service, and issues Vendor Unique Commands to gather drive health and failure data. Power cycling the module automatically negates authentication to Admin SP Maintenance authority. While authenticated to the Admin SP Maintenance authority, modification of the operational environment is blocked. 4.1.4 Locking SP Admins Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 9 of 29 This Crypto Officer role corresponds to the Locking SP Admin Authority as defined in the TCG Storage Security Subsystem Class: Opal[2] specification . The CM enables Locking SP Admin1 by default. The CM can enable at most four (4) separate Locking SP Admins. By default, the CM disables Locking SP Admins beyond Admin1. When the Single User Data Range (SUDR) feature is disabled, a Locking SP Admin can enable and disable Users, create, and delete data ranges, set data range attributes, lock, unlock, and erase data ranges. A Locking SP Admin executes the Erase service to cryptographically erase a SUDR, by invoking TCG Erase. A Locking SP Admin executes the Erase service to cryptographically erase a non-SUDR, by invoking TCG GenKey. Both methods accomplish the same end by regenerating and replacing the Media Encryption Key (MEK) assigned to the data range. 4.2 User Roles 4.2.1 Locking SP Users This user role corresponds to the Locking SP User Authorities as defined in the TCG Storage Security Subsystem Class: Opal[2] specification. This role can lock and unlock LBA ranges to control the ability of an operator to read and write data to and from the CM. By default, all Locking SP Users are disabled. The CM can enable at most nine (9) separate Users. Enabled Locking SP Admins enable Locking SP Users and assign them read/write/erase access to LBA data ranges. A Locking SP User cryptographically erases a SUDR by invoking TCG Erase or TCG GenKey within the Erase service. A Locking SP User cryptographically erases a non-SUDR by invoking TCG GenKey within the Erase service. Both methods accomplish the same end by regenerating replacing the Media Encryption Key (MEK) assigned to the data range. 4.3 Anybody The Anybody role can access services that do not require authentication. Apart from the Generate Random service, which provides output from an instance of the SP800-90A DRBG, unauthenticated services do not disclose, modify, or substitute Critical Security Parameters, use Approved security functions, or otherwise affect the security of the Cryptographic Module. If the operator has physical access to the drive, the Anybody role can use a power cycle to reset the Cryptographic Module, which results in the execution all the Power on Self-Tests (POST). TCG Authority Description Authentication Type Authentication Data SID The TCG Storage Security Subsystem Class: Opal[2] specification defines the SID authority. Role-based SID PIN Admin SP Admin1 The TCG Storage Security Subsystem Class: Opal[2] specification defines the Admin SP Admin1 authority. Role-based Admin SP Admin1 PIN Admin SP Maintenance Maintenance role for the diagnostic service. Role-based Admin SP Maintenance PIN Locking SP Admin The TCG Storage Security Subsystem Class: Opal[2] specification defines Locking SP Admin authority. Role-based Locking SP Admin PIN Locking SP User The TCG Storage Security Subsystem Class: Opal[2] specification defines the Locking SP User authority. Role-based Locking SP User PIN Anybody Anybody is a role that does not require authentication. The TCG Storage Security Subsystem Class: Opal[2] specification defines the Anybody authority. Unauthenticated N/A Table 6 - Roles and Required Identification and Authentication Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 10 of 29 4.4 Authentication Method and Strength Operator authentication occurs within a TCG session. At any one time, only a single session can be open. After opening an Admin SP session or a Locking SP session, an operator uses the Authenticate method to authenticate to a role. Authentications persist until the session closes or the Cryptographic Module powers down. Operators utilize an Authority PIN to authenticate to a Crypto Officer or User role. Authority PINs are 32-byte TCG credentials. For a 32-byte PIN, there are 2256 possible values. Each byte position contains a value from 0x00 to 0xFF. Assuming all possible values have an equal chance of use, the probability of guessing the correct PIN is one chance in 2256 or approximately 8.64 x 10-78, which is significantly less than 1/1,000,000. The TCG Opal security model includes a TryLimit attribute for each TCG Authority, which if reached, locks out further attempts to authenticate to the TCG Authority . Assuming the TryLimit is non-zero7, an Authority_Locked_Out state exists if the Tries count value equals the TryLimit value associated with a TCG Authority. Each authentication attempt consumes approximately 198 microseconds. Hence, at most, approximately 30,287 authentication attempts can occur within one minute when the TryLimit equals zero (0). Thus, the probability that a false acceptance occurs within a one-minute interval is approximately 2.62 x 10-73 (8.64 x 10-78 x 30,287), which is significantly less than 1/100,000. 5. Access Control Policy 5.1 Roles and Authenticated Services Service Description Role(s) Activate The Activate method allows the TPer owner to “turn on” a Security Provider (SP) that was created in manufacturing. LBA ranges are configured, and data encryption and access control credentials (re)generated and/or set within the Cryptographic Module. Access control is configured for LBA range unlocking. CO (SID, Admin SP Admin1) Authenticate Input a TCG Credential for authentication CO (SID, Admin SP Admin1, Admin SP Maintenance, Locking SP Admins), Users (Locking SP Users) Diagnostic For failure analysis purposes, the operator can enable a logical diagnostic port to perform diagnostics and gather failure data. CO (Admin SP Maintenance) Disable User Set PIN This service disables the ability of a non-SUDR User to modify its own PIN. CO (Locking SP Admins) Enable/Disable Admin SP Admin This service enables and disables the Admin SP Admin1 authority. CO (SID) Enable/Disable Locking SP Admin This service enables and disables a Locking SP Admin authority. CO (Locking SP Admin1) Enable/Disable Locking SP User This service enables and disables a Locking SP User authority. CO (Locking SP Admins) Enable/Disable SUDR This service enables and disables the classification of a data range as a SUDR. CO (Locking SP Admins) Erase non-SUDR A cryptographic erasure service that utilizes the TCG GenKey method to generate and replace the MEK assigned to an LBA data range CO (Locking SP Admins) Users (Locking SP Users) 7 When TryLimit is set to zero (0), the CM places no limit on the number of authentication attempts. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 11 of 29 Service Description Role(s) Erase SUDR A cryptographic erasure service that utilizes the TCG GenKey or TCG Erase method to generate and replace the MEK assigned to an LBA data range CO (Locking SP Admins)8 Users (Locking SP Users)9 Field FA This service provides basic drive health analysis testing and media verification. The service does not leak any clear text user data to the host interface. This service is limited to performing the following functions: • Basic health tests • Media verification All Host Read/Write Commands are inhibited. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Initialize Cryptographic Module10 Crypto Officer provisions the Cryptographic Module from the organizational policies CO (SID, Admin SP Admin1) Lock/Unlock Data Range This service denies or permits read and write access to an LBA range CO (Locking SP Admins)11 Users (Locking SP Users) Reactivate In Single User Mode, the reactivate service allows the host to define which ranges are under the control of a single User authority. In addition, it allows the host to define range ownership within non-Global Range Locking objects. CO (Locking SP Admins) SecureDrive Command TCG IF-SEND and IF-RECV transport secure commands to and from the Cryptographic Module. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Set Write data structures; access control enforcement occurs per data structure field. This service can change PINs. CO (SID, Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Set Data Range Attributes for a non-SUDR This service sets the starting location, size, and locking attributes for a SUDR. CO (Locking SP Admins) Users (Locking SP Users) Set Data Range Attributes for a SUDR This service sets the starting location, size, and locking attributes as well as the User access rights for a non-SUDR. CO (Locking SP Admins) Users (Locking SP Users) Zeroize This service utilizes the TCG Revert method to zeroize the CM and return the CM to its original manufactured state. Execution of this service requires the operator to authenticate to the Cryptographic Module’s PSID12 or SID PIN. SID use case: CO (SID) PSID use case: CO(Admin SP Admin1, Locking SP Admins) Users (Locking SP Users) Anybody Table 7 - Authenticated CM Services 8 TCG Erase 9 TCG GenKey or TCG Erase 10 See the Cryptographic Module Acceptance and Provisioning section within 7.2 Initialization Rules. 11 Applies only to non-SUDRs 12 See TCG Storage Opal SSC Feature Set: PSID [3] Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 12 of 29 5.2 Unauthenticated Services Table 8 - Unauthenticated Services lists the unauthenticated services the Cryptographic Module provides. Service Description End Session End a TCG session by clearing all session state FIPS 140 Compliance Descriptor13 This service reports the FIPS 140 revision as well as the Cryptographic Module’s overall security level, hardware revision, firmware revision and module name. Firmware Download RSA2048 PKCS#1 v1.5 and SHA-256 verify the entire firmware image. Format NVM This service changes an LBA data size and/or metadata size. The low-level format operation may cryptographically erase all data and metadata associated with all namespaces or specific namespaces. Generate Random TCG Random method generates a random number from the SP800-90A DRBG Get Reads data structure; access control enforcement occurs per data structure field Get Data Store14 Read a stream of bytes from unstructured storage. The host uses the DataStore to securely store generic data. Level 0 Discovery TCG ‘Level 0 Discovery’ method outputs the FIPS mode of the Cryptographic Module NVMe Admin Commands The NVMe admin commands are defined in the NVM Express v1.3.c [10]and NVM Express™ Management Interface [11]specifications NVMe I/O Commands The NVMe admin commands are defined in the NVM Express v1.3.c [10]and NVM Express™ Management Interface [11]specifications Read Data This service decrypts user data when reading the data from a data range. The data range must be unlocked to enable reads from the data range. Reset Module Power on Reset SecureDrive Command TCG IF-SEND and IF-RECV transport secure commands to and from the Cryptographic Module. Security Receive The Security Receive command transfers the status and data result of one or more Security Send commands that were previously submitted to the controller. Security Send The Security Send command is used to transfer security protocol data to the controller. Self-Test The Cryptographic Module performs self-tests when it powers up Set DataStore15 Write a stream of bytes to unstructured storage. The host uses the DataStore to securely store generic data. SoC Rebuild The SoC Rebuild service utilizes the SecureDrive Command service to zeroize and regenerate the Root Keyset and the Global Active Keyset Start Session Start TCG session Status Output TCG (IF-RECV) protocol Write Data This service encrypts user data when writing the data from a data range. The data range must be unlocked to enable writes to the data range. Table 8 - Unauthenticated Services 13 See §5.1.5.3 FIPS 140 Compliance Descriptor within the Security Features for SCSI Commands [14]. 14 The access control for the retrieval of data in the DataStore initially requires Admin SP Admin1 or an Locking SP Admin to enable access 15 The access control for the modification of data in the DataStore initially requires the Admin SP Admin1 or an Locking SP Admin to enable access. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 13 of 29 5.3 Critical Security Parameters (CSPs) The Cryptographic Module contains the CSPs listed in Table 9 -– Critical Security Parameters. Zeroization of CSPs complies with the purge requirements for SCSI Hard Disk drives within [SP800-88], Guidelines for Media Sanitization. Name Type Description NDRNG 5120-bit Entropy output Entropy source for DRBG DRBG.Seed 256-byte Entropy input Internal state associated with the [SP800-90A] CTR_DRBG using AES-256 Sourced from the NDRNG DRBG.Key 256-bit value Internal state associated with the [SP800-90A] CTR_DRBG using AES-256 DRBG.V 128-bit value Internal state associated with the [SP800-90A] CTR_DRBG using AES-256. Authority Digest 256-bit digest An HMAC-SHA2-256 digest of an Authority PIN and its associated SED Admin SP key or SED Locking SP key. Authority PIN 32-byte value Values from 0x00 to 0xFF are allowed for each byte position. A PBKDF2 algorithm uses an Authority PIN to authenticate to the credential of a TCG Authority. SID PIN Authority PIN A 32-byte data value used to authenticate to the SID Authority’s TCG credential. Admin SP Admin1 PIN Authority PIN A 32-byte data value used to authenticate to Admin SP Admin1 Authority’s TCG credential. Admin SP Maintenance PIN Authority PIN A 32-byte data value used to authenticate to Admin SP Maintenance Authority’s TCG credential. Locking SP Admin PIN (Maximum of 4) Authority PIN A 32-byte data value used to authenticate to each Locking SP Admin Authority’s TCG credential. Locking SP User PIN (Maximum of 9) Authority PIN A 32-byte data value used to authenticate to each Locking SP User Authority’s TCG credential. Root Encryption Key 256-bit keys The Root Encryption Key encrypts and decrypts the Global Active Keyset. The [SP 800-38F] KWP algorithm uses the Root Encryption Key to wrap and unwrap the Root Signing Key. The Cryptographic Module’s DRBG generates each key without modification. Root Signing Key 256-bit key An HMAC-SHA-256 digest of the concatenated Root Signing Key and encrypted Global Active Keyset signs the Global Active Keyset. The Cryptographic Module’s DRBG generates each key without modification. Global Active Keyset (AEK) Set of 256-bit keys: Global Active Key, Global Active Signing Key The Global Active Key encrypts and decrypts the SED Active Keyset, UAKa, and the Namespace Keys. An HMAC-SHA2-256 digest of the Global Active Signing Key and the UAKa signs the UAKa. An HMAC-SHA2-256 digest of the Global Active Signing Key and a Namespace Key, signs a Namespace Key. The Cryptographic Module’s DRBG generates each key without modification Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 14 of 29 Name Type Description SED Active Keyset Set of 256-bit keys: SED Active Key SED Active Signing Key The SED Active Key encrypts/decrypts the SED Admin SP Keyset and the SED Locking SP Keyset. An HMAC-SHA2-256 digest of the SED Active Signing Key and the SED Admin SP Keyset signs the SED Admin SP Keyset. An HMAC-SHA2-256 digest of the SED Active Signing Key and the SED Locking SP Keyset signs the SED Locking SP Keyset. The Cryptographic Module’s DRBG generates each key without modification SED Admin SP Keyset Set of 256-bit keys: SED Admin SP Key SED Admin SP Signing Key The SED Admin SP Key encrypts/decrypts TCG table data associated with an Admin SP. An HMAC-SHA-256 digest of the SED Admin SP Signing Key and an Admin SP authority’s table data, signs the associated table. The Cryptographic Module’s DRBG generates each key without modification SED Locking SP Keyset Set of 256-bit keys: SED Locking SP Key SED Locking SP Signing Key The SED Locking SP Key encrypts/decrypts TCG table data associated with a Locking SP authority. An HMAC-SHA-256 digest of the SED Locking SP Signing Key and a Locking SP authority’s table data, signs the associated table. The Cryptographic Module’s DRBG generates each key without modification SED Volatile Keyset Set of 256-bit keys: SED Volatile Key SED Volatile Signing Key The SED Volatile Key encrypts/decrypts keys stored in IRAM. An HMAC-SHA-256 digest of the SED Volatile Signing Key and the encrypted key stored in IRAM signs the encrypted key. The Cryptographic Module’s DRBG generates each key without modification. Admin Authority Key (Ka) (Maximum of 5) 256-bit key PBKDF2 derived Ka keys encrypt and decrypt UAK0 and the UMK. The Cryptographic Module derives a unique Ka for Admin SP Admin1 and each enabled Locking SP Admin. Ka keys are destroyed after use. Non-Admin Authority Key (Ku) (Maximum of 9) 256-bit key PBKDF2 derived Ku keys encrypt and decrypt their associated UAK. The Cryptographic Module derives a unique Ku for each Locking SP User. Ku keys are destroyed after use. User Access Key (UAK) (Maximum of 9) 256-bit key UAKs encrypt and decrypt RAKs. The Cryptographic Module generates a unique UAK for each enabled Locking SP User. The Cryptographic Module’s DRBG generates each key without modification. Admin User Access Key (UAK0) 256-bit key UAK0 encrypts and decrypts RAKs. All Locking SP Admins share UAK0. The Cryptographic Module’s DRBG generates the key without modification. Anybody User Access Key (UAKa) 256-bit key The Anybody Authority uses UAKa to encrypt and decrypt RAKs. The Cryptographic Module’s DRBG generates the key without modification. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 15 of 29 Name Type Description User Management Key (UMK) 256-bit key The UMK encrypts and decrypts UAKs. All enabled Locking SP Admins and Admin SP Admin1 share the UMK. The Cryptographic Module’s DRBG generates each key without modification. Range Access Key (RAK) (16 total – 1 per LBA range) 256-bit key RAKs encrypt and decrypt their associated LRK. The Cryptographic Module’s DRBG generates each key without modification. Locking Range Key (LRK) (16 total - 1 per LBA range) Set of 256-bit keys: AES Key, XTS Key An LRK in combination with its associated NSK creates an MEK. The Cryptographic Module’s DRBG generates each LRK.AES Key and LRK.XTS Key without modification. Namespace Key (NSK) (16 total - 1 per LBA range) Set of 256-bit keys: AES Key, XTS Key An NSK in combination with its associated LRK creates an MEK. The Cryptographic Module’s DRBG generates each NSK.AES Key and NSK.XTS Key without modification. MEK - Media Encryption Keyset (16 total - 1 per LBA range) Derived set of 256-bit keys: AES Encryption Key, AES Decryption Key XTS Tweak Key The MEK encrypts and decrypts LBA ranges. The MEK.AESEnc Key is an XOR of an LRK.AES Key and an NSK.AES Key. The MEK.XTS.Tweak Key is an XOR of an LRK.XTS Key and an NSK.XTS Key. Table 9 - Critical Security Parameters 5.4 Public Security Parameters The Cryptographic Module utilizes RSA public key cryptography to verify that firmware downloaded to the module is authentic and to verify specific steps in the secure boot process. The Cryptographic Module uses RSA 2048 PKCS#1 v1.5 to verify each signature within the asymmetric key tree to establish a chain of trust. The RSA Public/Private key pairs used in this process are generated and stored within a Western Digital controlled Hardware Security Module (HSM). The Cryptographic Module rejects the downloaded firmware image if the digital signature verification process fails. Key Name Type Description PSID16 32-character alphanumeric string The PSID derives from a 32-byte value generated by the Cryptographic Module’s DRBG. An Alphanumeric Character Conversion process derives the alphanumeric string from the 32-byte value. The module’s product label displays the PSID. The PSID provides authentication data and proof of physical presence for the Zeroize service. MSID17 32-character alphanumeric string The MSID derives from a 32-byte value generated by the Cryptographic Module’s DRBG. An Alphanumeric Character Conversion process derives the alphanumeric string from the 32-byte value. KDF Salt 256-bit key The PBKDF2 implementation, using HMAC-SHA2-256, utilizes unique KDF Salts to derive each Ka and Ku key. The Cryptographic Module’s DRBG generates KDF Salts without modification. Storage Device Certification Authority Key (SD_CA Key) RSA 2048 PKCS#1 v1.5 public key The SD_CA Key is the Master RSA Public Key used to verify the Secure Loader image. 16 The SED Active Key encrypts the PSID. An HMAC SHA2-256 digest of the PSID is store in the Reserved Area. The TCG Revert method regenerates the digest. 17 An HMAC SHA2-256 digest of the MSID is store in the Reserved Area. The TCG Revert method regenerates the digest. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 16 of 29 Key Name Type Description Storage Device Boot FW Key (SD_BFW Key) RSA 2048 PKCS#1 v1.5 public key The SD_BFW Key is public key used to verify all boot flash images. Storage Device Secure Message Key (SD_SM Key) RSA 2048 PKCS#1 v1.5 public key The SD_SM Key verifies secure messages used for manufacturing, development, and failure analysis Product Group Key (PROD GROUP Key) RSA 2048 PKCS#1 v1.5 public key The PROD GROUP Key verifies OEM Key certificates. OEM Firmware Key (OEM FW Key) RSA 2048 PKCS#1 v1.5 public key The OEM FW Key verifies OEM firmware images and packages. OEM Original Factory State Key (OEM_OFS Key) RSA 2048 PKCS#1 v1.5 public key The OEM_OFS Key verifies the OEM Original Factory Settings files. Table 10 - Public Security Parameters 5.5 SP800-132 Key Derivation Function Affirmations • The Cryptographic Module utilizes an HMAC-SHA-256 based [SP800 132] Password Based Key Derivation Function (PBKDF2) that complies with Option 2a of SP800-132. • Security Policy rules set the minimum Authority PIN length at 32-bytes. The Cryptographic Module allows values from 0x00 to 0xFF for each byte of the Authority PIN. • The upper bound for the probability of guessing an Authority PIN is 2-256. The difficulty of guessing the Authority PIN is equivalent to a brute force attack. • Derived Authority Keys, Ka, and Ku ([SP800 132] Master Keys) are derive by processing a 32-byte Authority PIN ([SP800 132] Password) and a 256-bit KDF Salt though an PBKDF2 algorithm [SP800 132], using HMAC-SHA2-256. Each KDF Salt associated with a Ka or Ku key is unique. Therefore, each Ka and Ku key is unique. Each Ka and Ku has a security strength of 256 bits. • The Cryptographic Module’s [SP800 90A] DRBG generates each 256-bit KDF Salt without modification. 5.6 Critical Security Parameter Modes of Access Table 11 and Table 12 define the relationship between access to Critical Security Parameters (CSPs) and the listed Cryptographic Module services. The definitions shown below define the access modes listed in each table. • G = Generate: The Cryptographic Module generates a CSP from the [SP800-90A] DRBG, derives a CSP with the PBKDF2 Key Derivation Function or generates an HMAC-SHA-256 hash to sign a CSP. • I = Input: The Cryptographic Module imports a CSP from outside the cryptographic boundary. • O = Output: The Cryptographic Module does not support the output of CSPs outside the cryptographic boundary. • E = Execute: The module executes a service that uses the CSP. • S = Store: The Cryptographic Module stores a CSP persistently on media within the Cryptographic Module. • Z = Zeroize: The Cryptographic Module zeroizes a CSP that is stored in volatile or non-volatile memory. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 17 of 29 Service Authority Digest SID PIN Admin SP Admin1 PIN Admin SP Maintenance PIN Locking SP Admin PINs Locking SP User PINs DRBG.Seed DRBG.Key DRBG.V NDRNG MEK K a K u LRK Activate GS Z E GE GE GS GS GS GS Authenticate E IE IE IE E E Diagnostics Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non-SUDR) Enable/Disable SUDR Erase non-SUDR GSZ GSZ Erase SUDR GSZ GSZ End Session Field FA FIPS 140 Compliance Descriptor Firmware Download Format NVM18 GSZ E Generate Random E GE GE Get Get Data Store E E E Initialize Cryptographic Module GS IE IE IE GE GE GE GE GS GS GS GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate GS Z E GE GE GS Read Data E E Reset Module GEZ GEZ GEZ GE S S SecureDrive Command Security Receive 18 18 If a range is write locked the execution of Format NVM is blocked. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 18 of 29 Service Authority Digest SID PIN Admin SP Admin1 PIN Admin SP Maintenance PIN Locking SP Admin PINs Locking SP User PINs DRBG.Seed DRBG.Key DRBG.V NDRNG MEK K a K u LRK Security Send Self-Test (KATs) Set I I I Set Data Range Attributes for a non-SUDR Set Data Range Attributes for a SUDR Set Data Store E E SoC Rebuild Start Session Status Output Write Data E E Zeroize GZ Z Z Z GE GE GE GSZ Z Z GSZ Table 11 - CSP Access Rights within Roles & Services Service RAK UAK UAK 0 UAKa UMK NSK Root Keyset Global Active Keyset (AEK) SED Active Keyset SED Admin SP Keyset SED Locking SP Keyset SED Volatile Keyset Activate GS GS GS GS GS GS E E E GE Authenticate Diagnostics Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non-SUDR) Enable/Disable SUDR Erase non-SUDR E E GSZ Erase SUDR E E GSZ Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 19 of 29 Service RAK UAK UAK 0 UAKa UMK NSK Root Keyset Global Active Keyset (AEK) SED Active Keyset SED Admin SP Keyset SED Locking SP Keyset SED Volatile Keyset End Session Field FA FIPS 140 Compliance Descriptor Firmware Download Format NVM EGSZ E Generate Random Get Get Data Store E E E E E E E E E E E E Initialize Cryptographic Module EGS GS GS GS GS GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate GS GS E E E GE Read Data E E E E E E E E E E E E Reset Module S S S S S G SecureDrive Command Self-Test (KATs) Security Receive Security Send Set Set Data Range Attributes for a non-SUDR Set Data Range Attributes for a SUDR Set Data Store E E E E E E E E E E E E SoC Rebuild GSZ GSZ Start Session Status Output Write Data E E E E E E E E E E E E Zeroize EGSZ GSZ GSZ GSZ GSZ GSZ GSZ GSZ GSZ GZ Table 12 - CSP Access Rights within Roles & Services Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 20 of 29 5.7 Public Security Parameter Modes of Access Table 13 defines the relationship between access to Public Security Parameters (PSP) and the listed Cryptographic Module services. The definitions shown below define the access modes listed in the table. • G = Generate: The Cryptographic Module generates a PSP from the [SP800-90A] DRBG, derives a PSP with the Key Derivation Function or hashes authentication data with SHA-256 or HMAC-SHA-256. • I = Input: The Cryptographic Module imports a PSP from outside the cryptographic boundary. • O = Output: The Cryptographic module outputs the value of selective PSPs. • E = Execute: The module executes a service that uses the PSP. • S = Store: The Cryptographic Module stores a PSP persistently on media within the Cryptographic Module. • Z = Zeroize: The Cryptographic Module zeroizes a PSP that is stored in volatile or non-volatile memory. Service MSID PSID KDF Salt SD_CA Key SD_BFW Key SD_SM Key PROD_GROUP Key OEM_FW Key OEM_OFS Key Activate EGS Authenticate E E Diagnostics Disable User Set PIN Enable/Disable Admin SP Admin Enable/Disable Locking SP Admin or User (non-SUDR) Enable/Disable SUDR Erase non-SUDR Erase SUDR End Session Field FA E FIPS 140 Compliance Descriptor Firmware Download IS IS Format NVM Generate Random Get Get Data Store Initialize Cryptographic Module OE GS Level 0 Discovery Lock/Unlock Data Range NVMe Admin Commands NVMe I/O Commands Reactivate EGS Read Data Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 21 of 29 Service MSID PSID KDF Salt SD_CA Key SD_BFW Key SD_SM Key PROD_GROUP Key OEM_FW Key OEM_OFS Key Reset Module E E E E SecureDrive Command E Security Receive Security Send Self-Test (KATs) Set Set Data Range Attributes for a non-SUDR Set Data Range Attributes for a SUDR Set Data Store SoC Rebuild Start Session Status Output Write Data Zeroize I GSZ Table 13 - PSP Access Rights within Roles & Services 6. Operational Environment The Cryptographic Module operating environment is non-modifiable. Therefore, the FIPS 140-2 operational environment requirements are not applicable to this module. When operational, the Cryptographic Module prohibits additions, deletions, or modification of the code working set. For firmware upgrades, the Cryptographic Module uses the Firmware Download service to verify the digital signature of the firmware image and save a complete firmware image. If the download operation is successful, authorized, and verified, the Cryptographic Module may begin operating with the new code working set. Firmware loaded into the module that is not on the FIPS 140-2 certificate is out of the scope of this validation and requires a separate FIPS 140-2 validation. 7. Security Rules The Cryptographic Module enforces applicable FIPS 140-2 Level 2 security requirements. This section documents the security rules that the Cryptographic Module enforces. 7.1 Invariant Rules 1. The Cryptographic Module supports three distinct types of operator roles: Crypto Officer, User, and Maintenance. 2. Power cycling the Cryptographic Module or exiting a TCG sessions clears active authentications. 3. The Cryptographic Module requires operators to re-authenticate to TCG Authorities after power cycling the module or upon execution of the End Session service. 4. The Cryptographic Module powers up in FIPS Approved mode. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 22 of 29 5. When the Cryptographic Module is unable to authenticate TCG Credentials, operators do not have access to any cryptographic service other than the unauthenticated Generate Random service. 6. The Cryptographic Module performs the following tests. Upon failure of any test, the Cryptographic Module enters a soft error state. A failing Cryptographic Module reports the error condition by transmitting an UEC to the host over the EDSFF interface. After entering the soft error state, the Cryptographic Module cannot execute security services unless a power cycle clears the error state. a. Power up Self-Tests i. RSA 2048 PKCS#1 v1.5 Verify KAT, Cert# A1184 ii. Firmware Integrity, RSA 2048 PKCS#1 v1.5 2048 Digital Signature, Cert# A1184 iii. AES ECB Encrypt KAT, Cert# AES 3913 iv. AES ECB Decrypt KAT, Cert# AES 3913 v. SHA-256 KAT, Cert# SHS 2942 vi. HMAC-SHA-256 KAT, Cert# HMAC 2280 vii. AES ECB Encrypt KAT, Cert# AES 3580 viii. AES ECB Decrypt KAT, Cert# AES 3580 ix. RSA 2048 PKCS#1 v1.5 Verify KAT, Cert# A1232 x. Key Wrap KAT, KW-AE, Cert# A123219 xi. Key Wrap KAT, KW-AD, Cert# A123219 xii. DRBG KAT20, Cert# A1232 xiii. PBKDF2 KAT, Cert# A1232 xiv. SP 800-90B Entropy Source Health Test xv. AES ECB Encrypt KAT, DEE, Cert# C1973 xvi. AES ECB Decrypt KAT, DEE, Cert# C1973 b. Conditional Tests i. The Cryptographic Module performs a Repetition Count Test and Adaptive Proportion Test on the hardware NDRNG entropy source. These entropy source health tests are executed each time the DRBG is reseeded at powered up and as the result of DRBG reseed event, which occurs after the DRBG consumes 232 bits of seed data. ii. The Cryptographic Module performs a key comparison test on each LRK.AESKey/LRK.XTS keyset and its associated NSK.AESKey/NSK.XTS keyset to assure compliance with IG A.9 XTS-AES Key Generation Requirements. iii. Firmware Download Test, RSA 2048 PKCS#1 v1.5 (Cert# A1232), SHA-256 (Cert# SHS 2942) 7. An operator can command the Cryptographic Module to perform the power-up self-test by power cycling the device. 8. Power-up self-tests do not require operator action. 9. Data output is inhibited during key generation, self-tests, zeroization, and error states. 10. Status information does not contain CSPs or sensitive data that if misused, could compromise the Cryptographic Module. 19 Utilizes AES-ECB-256 (Cert# AES 3913) 20 The DRBG KAT is inclusive of the instantiate, generate and reseed function health tests required in [SP 800-90A] Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 23 of 29 11. The Zeroize service deletes all plaintext keys and CSPs. 12. The operator must execute the TCG Revert Method to zeroize the Cryptographic Module before entering and exiting the Admin SP Maintenance role. 13. The SoC Rebuild service deletes the Root Keyset and Global Active Keyset. 14. The Cryptographic Module does not support manual key entry. 15. The Cryptographic Module does not have any external input/output devices used for entry/output of data. 16. The Cryptographic Module does not output plaintext CSPs. 17. The Cryptographic Module does not output intermediate key values. 18. The Cryptographic Module does not support concurrent operators. 19. The Crypto Officer shall assure that all host issued Authority PINs are 32-bytes in length. 7.2 Initialization Instructions The MSID value is set at manufacturing time by the storage device. It represents the default TCG Credential for the SID and the Locking SP Admin1 authorities. This value is electronically readable, by the host, over the host interface. During enrollment, the host reads the MSID value from the Cryptographic Module and uses it to authenticate and change TCG Credential values within the Cryptographic Module. Having the MSID Credential value electronically available to the host constitutes a risk to the overall security of the Cryptographic Module. Therefore, as best practice, the host should execute a Take-Ownership scenario the first time the Cryptographic Module is inserted into a system. Recommended Take-Ownership Scenario 1. StartSession to ‘Admin SP’ a. Get MSID b. Use the MSID to authenticate to the SID authority. i. An authentication failure indicates that a tamper event has occurred for the Cryptographic Module. c. Set the SID PIN to a new 32-byte value. d. Use the MSID to authenticate to the Admin SP Maintenance authority. i. An authentication failure indicates that a tamper event has occurred for the Cryptographic Module. e. Set the Admin SP Maintenance PIN to a new 32-byte value. f. Optional: i. Enable Admin SP Admin1. ii. Set the Admin SP Admin1 PIN to a non-MSID 32-byte value. g. Execute the TCG Activate command. h. EndSession 2. Optional: a. StartSession to ‘Locking SP’ i. Use the SID PIN established at step 1.c to authenticate to the Locking SP Admin1 authority. ii. Set the Locking SP Admin1 PIN to a new 32-byte value. iii. Enable Locking SP Admin2. iv. Set the Locking SP Admin2 PIN to a non-MSID 32-byte value. v. Repeat steps 2.a.iii and 2.a.iv for Locking SP Admin[3-4]. vi. Enable Locking SP User1. vii. Set the Locking SP User1 PIN to a non-MSID 32-byte value. Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 24 of 29 viii. Repeat steps 2.a.vi and 2.a.vii for Locking SP User[2-9]. b. EndSession If any of the above-mentioned steps fail, the Crypto Officer should remove the device from the system, as malicious behavior may have compromised the Cryptographic Module. 7.3 Zeroization Rules The Crypto Officer shall use the Zeroize service, which utilizes the TCG Revert Method, to zeroize all CSPs, apart from the Root Keyset and the Global Active Keyset. After successfully executing TCG Revert, the Crypto Officer should, as a best practice, power cycle the Cryptographic Module.. The SoC Rebuild service zeroizes and regenerates the Root Keyset and the Global Active Keyset. Executing this process exhausts an SoC life. The module is inoperable when the life count reaches zero. The Crypto Officer shall assure that SoC Rebuild service is never execute unless necessary to protect the integrity of the Cryptographic Module. 8. Physical Security Policy 8.1 Mechanisms The Cryptographic Module does not make claims in the Physical Security area beyond FIPS 140-2 Security Level 1. • All components are production-grade materials with standard passivation. • The Cryptographic Module enclosure is opaque and enclosed within the host system. 9. Mitigation of Other Attacks Policy The Cryptographic Module lacks features to mitigate any specific attacks beyond the scope of the requirements within FIPS 140-2. 10. Definitions • Access Control Element: A boolean expression of authorities. • Access Control List: A list of access control elements. • Allowed: NIST approved, i.e., recommended in a NIST Special Publication, or acceptable, i.e., no known security risk as opposed to deprecated, restricted, and legacy use. [SP800-131A] • Anybody: A formal TCG term for an unauthenticated role [1]. • Approved mode of operation: A mode of the Cryptographic Module that employs only approved security functions. [FIPS140] • Approved: [FIPS140] approved or recommended in a NIST Special Publication. • Authenticate: Prove the identity of an Operator or the integrity of an object. • Authorize: Grant an authenticated Operator access to a service or an object. • Ciphertext: Encrypted data transformed by an Approved security function. • Confidentiality: A cryptographic property that sensitive information is not disclosed to unauthorized parties. • Credential: A formal TCG term for data used to authenticate an Operator [1]. • Critical Security Parameter (CSP): Security-related information (e.g., secret, and private cryptographic keys, and authentication data such as credentials and PINs) whose disclosure or modification can compromise the security of a Cryptographic Module. [FIPS140] Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 25 of 29 • Cryptographic Boundary: An explicitly defined continuous perimeter that establishes the physical bounds of a Cryptographic Module and contains all the hardware, software, and/or firmware components of a Cryptographic Module. [FIPS140] • Cryptographic key (Key): An input parameter to an Approved cryptographic algorithm • Cryptographic Module: The set of hardware, software, and/or firmware used to implement approved security functions contained within the cryptographic boundary. [FIPS140] • Crypto Officer: An Operator performing cryptographic initialization and management functions. [FIPS140] • Data at Rest: User data residing on the storage device media when the storage device is powered off. • Discovery: A TCG method that provides the properties of the TCG device. [TCG Enterprise] • Drive Writes per Day (DWPD): Drive Writes per Day defines how many times the entire capacity of the HDD can be overwrite every single day of its usable life without failure during the warranty period. • Hardware Security Module (HSM): A hardware security module is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. • Integrity: A cryptographic property to assure sensitive data has not been modified or deleted in an unauthorized and undetected manner. • Interface: A logical entry or exit point of a Cryptographic Module that provides access to the Cryptographic Module for logical information flows. [FIPS140] • Key Derivation Function (KDF): An Approved cryptographic algorithm by which one or more keys are derived from a shared secret and other information. • Key Encrypting Key (KEK): A cryptographic key used to encrypt or decrypt other keys. • Key management: The activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the Cryptographic Module. The handling of authentication data is representative of a key management activity. • Key Wrap: An Approved cryptographic algorithm that uses a KEK to provide Confidentiality and Integrity. • LBA Range: A formal TCG SWG [1] term that defines a contiguous logical block range (sequential LBAs) to store encrypted User Data; ranges do not overlap, and each has its own unique encryption key and other settable properties. • Manufactured SID (MSID): A unique default value assigned to each SED during manufacturing. An externally visible MSID value is not required if the user can derive the MSID from other information printed on the drive. The MSID is readable with the TCG protocol. It is the initial and default value for all TCG credentials [1]. • Method: A remote procedure call to an SP that initiates an action on the SP [1]. • Namespace: A namespace is a collection of logical blocks that range from zero (0) to the capacity of the namespace. • Namespace Identifier (NSID): A namespace identifier is an identifier used by a controller to provide access to a namespace. • OFS file: OFS files are used to reset the Cryptographic Module’s configuration back to its original factory setting during the Revert operations (e.g., TCG Revert). • Operator: A consumer, either human or automation, of cryptographic services that is external to the Cryptographic Module. [FIPS140] Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 26 of 29 • Personal Identification Number (PIN): A formal TCG term designating a string of octets used to authenticate an identity [1]. • Plaintext: Unencrypted data. • Port: A physical entry or exit point of a Cryptographic Module that. A port provides access to the Cryptographic Module’s physical signals. [FIPS140] • PSID (Physical Security Identifier): A SED unique value printed on the Cryptographic Module’s label used as authentication data and proof of physical presence for the Zeroize service. • Public Security Parameters (PSP): Public information, that if modified can compromise the security of the Cryptographic Module (e.g., a public key). • Read Data: An external request to transfer User Data from the SED. [13] • Reserved Area: Private data on the Storage Medium that is not accessible outside the Cryptographic Boundary. • Sanitize: Sanitization cryptographically erases all user data in the NVM subsystem such that recovery of any previous user data from any cache, non-volatile media, or any controller memory buffer is not possible. • SD_CA Key: Storage Device Certification Authority Key (X509v3). This key serves as the Cryptographic Module’s Master RSA Public Key and is the root source of verification for all other key certificates. The SD_CA Key signs the SecureLoader. This key is injected at manufacturing time and a hash of this key is stored as OTP bits. • Security Identifier (SID): The authority that represents the TPer owner [1]. Crypto Officer serves in this role. • Security Provider (SP): A TCG term used to define a collection of Tables and Methods with access control. • Self-Encrypting Drive (SED): A storage device that provides data storage services, which automatically encrypts all user data written to the device and automatically decrypts all user data read from the device. • Session: A formal TCG term that envelops the lifetime of an Operator’s authentication [1]. • Small Form Factor (SFF): Small form factor is a computer form factor designed to minimize the volume and footprint of a desktop computer • Storage Medium: The non-volatile, persistent storage location of a SED; it is partitioned into two disjoint sets, a User Data area, and a Reserved Area. • Table: The basic data structures within a Security Provider (SP). The tables store persistent SP state data defined in TCG Storage Core specification [1]. • TPer: A Trusted Peripheral. The Trusted Peripheral (TPer) resides in a Storage Device. The TPer manages trusted storage-related functions and data structures as defined in TCG Storage Core specification [1]. • Triple Level Cell (TLC): Triple level cells refer to NAND flash devices that store three bits of information per cell, with eight total voltage states. • User Data: Data transferred from/to a SED using the Read Data and Write Data commands. [13] • User: An Operator that consumes cryptographic services. [FIPS140] • Write Data: An external request to transfer User Data to a SED. [13] • Zeroize: Invalidate a Critical Security Parameter. [FIPS140] Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 27 of 29 11. Key Words The Key Words “SHALL”, “SHALL NOT”, “SHOULD,” and “MAY” if used in this document are to be interpreted as described in [9]. 12. Acronyms • ACL: Access Control List • AEK: Active Encryption Key • AES: Advanced Encryption Standard (FIPS 197) • BLRE: Boot Loader • CAC: Cryptographic Assist Controller • CBC: Cipher Block Chaining, an operational mode of AES • CM: Cryptographic Module • CO: Crypto Officer [FIPS140] • CRC: Cyclic Redundancy Check • CSP: Critical Security Parameter [FIPS140] • DEE: Data Encryption Engine • DRAM: Dynamic Random Access Memory • DRBG: Deterministic Random Bit Generator • DW/D: Drive Writes per Day • EDC: Error Detection Code • EMI: Electromagnetic Interference • FSEC: Flash Security Data • FID: Flash Internal Data • FIPS: Federal Information Processing Standard • HDD: Hard Disk Drive • IV: Initialization Vector • KAT: Known Answer Test • KDF: Key Derivation Function • LBA: Logical Block Address • MEK: Media Encryption Key • MSID: Manufactured Security Identifier • NAND: Negative AND, Flash Memory technology • NOR: Negative OR, Flash Memory technology • NDRNG: Non-deterministic Random Number Generator • NIST: National Institute of Standards and Technology • NSID: Namespace Identifier • NVM: Non-volatile Memory • NVMe: NVM Express • OFS: Original Factory Setting • PBKDF2: Password Base Key Derivation Function • PCIe: Peripheral Component Interconnect Express • PIN: Personal Identification Number • POR: Power on Reset • PSID: Physical Security Identifier • PSP: Public Security Parameter • RID: Reserved Area Internal Data • SAS: Serial Attached SCSI • SECD: Security Data • SED: Self-Encrypting Drive • SCSI: Small Computer System Interface • SD_CA: Storage Device Certification Authority • SED: Self Encrypting Drive • SFF: HDD Form Factor or Small Form Factor • SID: Security Identifier, The TCG authority representing the Cryptographic Module owner • SIO: Serial Input/Output • SOC: System-on-a-Chip • SP: Security Provider or Security Partition (TCG), also Security Policy (FIPS 140) • SSC: Subsystem Class Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 28 of 29 • SSD: Solid-state Drive • SWG: Storage Work Group • TCG: Trusted Computing Group • TLC: Triple Level Cell • UEC: Universal Error Code • XTS: A mode of AES that utilizes "Tweakable" block ciphers 13. References 13.1 NIST Specifications • [AES] Advanced Encryption Standard, FIPS PUB 197, NIST, November 2001 • [DSS] Digital Signature Standard, FIPS PUB 186-4, NIST, July 2013 • [FIPS140] Security Requirements for Cryptographic Modules, FIPS PUB 140-2, NIST, December 2002 • [HMAC] The Keyed-Hash Message Authentication Code, FIPS PUB 198-1, July 2008 • [SHA] Secure Hash Standard (SHS), FIPS PUB 180-4, NIST, August 2015 • [SP800 38A] Recommendation for Block Cipher Modes of Operation: Methods and Techniques, NIST, December 2001 • [SP800 38E] Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, SP800-38E, NIST, January 2010 • [SP800 38F] Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, NIST, December 2012 • [SP800 57] Recommendation for Key Management – Part I General (Revision 4), NIST, January 2016 • [SP800 90A] Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revision 1), NIST, June 2015 • [SP800 90B] Recommendation for the Entropy Sources Used for Random Bit Generation, NIST, January 2018 • [SP800 131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (Revision 2), NIST, March 2019 • [SP800 132] Recommendation for Password-Based Key Derivation, NIST, December 2010 • [SP800 133] Recommendation for Cryptographic Key Generation (Revision 2), NIST, June 2020 13.2 Trusted Computing Group Specifications • [1] TCG Storage Architecture Core Specification, Specification Version 2.01 Revision 1.00 (August 5, 2015) • [2] TCG Storage Security Subsystem Class: Opal, Specification Version 2.01, Final Revision 1.00 (August 5, 2015) • [3] TCG Storage Opal SSC Feature Set: PSID, Specification Version 1.00, Final Revision 1.00 (August 5, 2015) • [4] TCG Storage Opal SSC Feature Set: Configurable Namespace Locking, Specification Version 1.00, Final Revision 1.33 (February 22, 2019) • [5] TCG Storage Opal SSC Feature Set: Single User Mode, Specification Version 1.00, Final Revision 1.00 (February 24, 2012) • [6] TCG Storage Opal Integration Guidelines, Version 1.00, Final Revision 1.00 (March 16, 2016) • [7] TCG Storage Interface Interactions Specification (SIIS), Version 1.07, (January 30, 2018) Ultrastar® DC SN640 NVMe™ PCIe 3.0 Self-Encrypting Drive Cryptographic Module Non-Proprietary Security Policy © 2022 Western Digital Technologies, Inc. Page 29 of 29 • [8] TCG Storage Security Subsystem Class: Ruby, Version 1.00, Revision 1.00 (January 7, 2020) 13.3 International Standards • [9] IETF RFC 2119, 1997, “Key words for use in RFCs to Indicate Requirement Levels” • [10] NVM Express™, Revision 1.3.c, May 24, 2018 • [11] NVM Express™ Management Interface, Revision 1.1, April 29, 2019 • [12] PCI Express® Base Specification, Revision 3.0, November 10 ,2010 • [13] SCSI Block Commands - 3, Revision 22, March 29, 2010 • [14] Security Features for SCSI Commands, Revision 2, September 25, 2015 • [15] SCSI Primary Commands - 5, Revision 22, April 19, 2019 • [16] Protocol Agnostic Multi-Lane High Speed Connector, Revision 1.3, February 19, 2020 13.4 Corporate Documents • [Datasheet] Ultrastar DC SN640 Datasheet, 02-05-WW-04-00228-A00, July 2020, https://www.westerndigital.com/support