SPYRUS USB-3 MODULE FIPS 140-2
Non-Proprietary Security Policy
Revision: 1.3
This document may be freely reproduced and distributed whole and intact,
including this copyright notice.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc i All Rights Reserved
Copyright © 2014-2015 SPYRUS, Inc. All rights reserved.
SPYRUS Document number: 554-490001-04
This document is provided only for informational purposes and is accurate as of the date
of publication. This document may be copied subject to the following conditions:
• All text must be copied without modification and all pages must be included.
• All copies must contain the SPYRUS copyright notices and any other notices
provided herein.
Trademarks
SPYRUS, the SPYRUS logos, SPYCOS, Rosetta, Rosetta Micro®
, are either registered
trademarks or trademarks of SPYRUS, Inc. in the United States and/or other countries.
All other trademarks are the property of their respective owners.
Patents
Rosetta Authentication Products including SPYCOS®
, Rosetta Micro®
, the Rosetta®
Series II Smart Cards and USB Security Devices, Rosetta SDHC™ Card, Rosetta
MicroSD Memory Card, may be covered by one or more of the following patents: U.S.
Patent No. 6,088,802 and U.S. Pat. No. 6,981,149.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc ii All Rights Reserved
Contents
1 INTRODUCTION........................................................................................................... 1
1.1 SPYRUS USB-3 Module Overview .............................................................................. 1
1.2 SPYRUS USB-3 Module Implementation..................................................................... 1
1.3 SPYRUS USB-3 Module Cryptographic Boundary ...................................................... 2
1.4 Approved Mode of Operation........................................................................................ 5
1.5 FIPS 140-2 Security Levels ........................................................................................... 7
2 PORTS AND INTERFACES ............................................................................................ 8
3 ROLES AND SERVICES ................................................................................................ 9
3.1 Services.......................................................................................................................... 9
4 IDENTIFICATION AND AUTHENTICATION ................................................................ 14
4.1 Initialization Overview ................................................................................................ 14
4.2 Authentication.............................................................................................................. 14
4.3 Strength of Authentication........................................................................................... 15
4.3.1 Obscuration of Feedback......................................................................................... 16
4.3.2 Non-weakening Effect of Feedback ........................................................................ 16
4.3.3 Generation of Random Numbers............................................................................. 16
5 KEY MANAGEMENT.................................................................................................. 17
5.1 CSP Management......................................................................................................... 17
5.2 Public Key Management Parameters ........................................................................... 17
5.3 CSP Access Matrix ...................................................................................................... 17
5.4 Destruction of Keys and CSPs..................................................................................... 20
6 SETUP AND INITIALIZATION..................................................................................... 21
7 PHYSICAL SECURITY ................................................................................................ 21
8 SELF-TESTS .............................................................................................................. 22
9 MITIGATION OF OTHER ATTACKS........................................................................... 23
10 APPENDIX A: CRITICAL SECURITY PARAMETERS AND PUBLIC KEYS ................... 24
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 1 All Rights Reserved
1 Introduction
This Security Policy specifies the security rules under which the SPYRUS USB-3
Module operates. Included in these rules are those derived from the security
requirements of FIPS 140-2 and additionally, those imposed by SPYRUS, Inc.
These rules, in total, define the interrelationship between:
1. Operators,
2. Services, and
3. Critical Security Parameters (CSPs).
1.1 SPYRUS USB-3 Module Overview
The SPYRUS USB-3 Module enables security critical capabilities such as
operator authentication, message privacy, integrity, authentication, and non-
repudiation; and secure storage, all within a hard, opaque, tamper-evident potting
material and a strong aluminum metal enclosure. The SPYRUS USB-3 Module
communicates with a host computer via the ports/interfaces defined in Table 2-1
below.
1.2 SPYRUS USB-3 Module Implementation
The SPYRUS USB-3 Module is implemented as a multiple-chip standalone
cryptographic module as defined by FIPS 140-2. The hardware platform physical
embodiment contains multiple IC chips interconnected and physically protected
by a hard opaque potting material covering all ICs and internal circuitry and a
strong aluminum metal enclosure.
All Interfaces have been tested and are compliant with FIPS 140-2. Product
Identification (including unique part number) for the SPYRUS USB-3 Module is
shown in the table below:
Table 1-1
SPYRUS USB-3 Module Product Identification
Form Factor Capacity Part Number FW Version
USB-3 SPYRUS Secure Portable Workplace 32GB SFP100000-1 3.0.2
USB-3 SPYRUS Secure Portable Workplace 64GB SFP100000-2 3.0.2
USB-3 SPYRUS Secure Portable Workplace 128GB SFP100000-3 3.0.2
USB-3 SPYRUS Secure Portable Workplace 256GB SFP100000-4 3.0.2
USB-3 SPYRUS WorkSafe Pro 32GB SFP200000-1 3.0.2
USB-3 SPYRUS WorkSafe Pro 64GB SFP200000-2 3.0.2
USB-3 SPYRUS WorkSafe Pro 128GB SFP200000-3 3.0.2
USB-3 SPYRUS WorkSafe Pro 256GB SFP200000-4 3.0.2
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 2 All Rights Reserved
USB-3 SPYRUS Pocket Vault P-3X 32GB SFP300000-1 3.0.2
USB-3 SPYRUS Pocket Vault P-3X 64GB SFP300000-2 3.0.2
USB-3 SPYRUS Pocket Vault P-3X 128GB SFP300000-3 3.0.2
USB-3 SPYRUS Pocket Vault P-3X 256GB SFP300000-4 3.0.2
1.3 SPYRUS USB-3 Module Cryptographic Boundary
The Cryptographic Boundary is defined to be the physical perimeter of the
SPYRUS USB-3 Module and the metal enclosure it is embedded in (see Figure
3).
No hardware or firmware components that comprise the SPYRUS USB-3 Module
are excluded from the requirements of FIPS 140-2.
Figure 1 SPYRUS USB-3 Module (32GB)
Note: the cap is not part of the module’s cryptographic boundary
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 3 All Rights Reserved
Figure 2 SPYRUS USB-3 Module (64GB)
Note: the cap is not part of the module’s cryptographic boundary
Figure 3 SPYRUS USB-3 Module (128GB)
Note: the cap is not part of the module’s cryptographic boundary
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 4 All Rights Reserved
Figure 4 SPYRUS USB-3 Module (256GB)
Note: the cap is not part of the module’s cryptographic boundary
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 5 All Rights Reserved
Figure 5 Block Diagram of the SPYRUS USB-3 Module
1.4 Approved Mode of Operation
The module only operates in an Approved mode of operation.
The SPYRUS USB-3 Module Approved mode of operation is comprised of the
SPYRUS USB-3 Module command set.
Approved mode of operation commands which are successfully completed will
return a standard success return code. The Error return codes are dependent
upon the cause of the failure. Services available under the approved mode of
operations are detailed in Table 3-1 of this Security Policy.
SCSI/CCID
Controller
NAND FLASH Storage
EEPROM
HOST
NDRNG
RAM
Security
Controller
Input
Output
Ciphertext
Function Call
Response
Cryptographic Boundary
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 6 All Rights Reserved
The SPYRUS USB-3 Module supports the following FIPS 140-2 Approved
algorithms:
Table 1-2
SPYRUS USB-3 Module Approved Algorithms
Approved Algorithms Certificate #
Encryption & Decryption
Three-Key Triple-DES 1772
AES (128-bit, 192-bit, 256-bit key) 3028
AES XTS (128-bit, 256-bit) 3406
Digital Signatures and Key Generation
ECDSA (key generation, signature generation and
signature verification) [P-256, P-384, P-521]
578
RSA (key generation, signature generation and
signature verification)
1611
Message Authentication Code
HMAC (Minimum 112 bit key) 1913
Hash
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 2529
Key Agreement / Key Establishment
CVL (Section 5.7.1.2: ECC CDH Primitive) [P-256, P-
384, P-521]
419
KAS [P-256, P-384, P-521] 52
KTS (AES KW with 128-bit, 192-bit, 256-bit key) 3115
Key Derivation
KBKDF (SP 800-108 KDF) 54
Approved Deterministic Random Bit Generator
SP 800-90A DRBG 658
Approved ECDSA (Cert. #578). The Digital Signature will provide between 128-
bits to 256-bits of equivalent computational resistance to attack depending upon
the size of the curves that are used (P-256, P-384, P-521).
Approved RSA (Cert. #1611). The Digital Signature with a 2048 key size will
provide 112 bits of equivalent computational resistance to attack.
Approved SP800-56A, Section 5.7.1.2: ECC CDH Primitive (Cert. #419). The key
establishment process will provide between 128-bits to 256-bits of equivalent
computational resistance to attack depending upon the size of the ECC CDH
curves that are used (P-256, P-384, P-521).
Approved KAS ECC (Cert. #52). The key establishment process will provide
between 128-bits to 256-bits of equivalent computational resistance to attack
depending upon the size of the keys that are used (P-256, P-384, P-521).
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 7 All Rights Reserved
Approved KTS (Cert. #3115; key establishment methodology provides between
128 and 256 bits of encryption strength).
The following services are available as “non-Approved” algorithms but allowed:
Table 1-3
SPYRUS USB-3 Module Non-Approved but allowed Algorithms
Algorithms
RNG
HW NDRNG (Only used for seeding Approved SP800-90A DRBG)
Key Wrap & Unwrap
RSA (key wrapping; key establishment methodology provides 112
bits of encryption strength)
1.5 FIPS 140-2 Security Levels
The SPYRUS USB-3 Module complies with the requirements for FIPS 140-2
validation to the levels defined in Table 1-4. The FIPS 140-2 overall rating of the
SPYRUS USB-3 Module is Level 3.
Table 1-4
FIPS 140-2 Certification Levels
FIPS 140-2 Category Level
1. Cryptographic Module Specification 3
2. Cryptographic Module Ports and Interfaces 3
3. Roles, Services, and Authentication 3
4. Finite State Model 3
5. Physical Security 3
6. Operational Environment N/A
7. Cryptographic Key Management 3
8. EMI/EMC* 3
9. Self-tests 3
10. Design Assurance 3
11. Mitigation of Other Attacks N/A
Overall Security Level 3
*Note: The SPYRUS USB-3 Module conforms to Level 3 EMI/EMC requirements
specified by 47 Code of Federal Regulations, Part 15, Subpart B, Class B.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 8 All Rights Reserved
2 Ports and Interfaces
The pin configuration of the SPYRUS USB-3 Module’s USB physical receptacle
interface is shown in Figure 4. The standard USB 3.0 pins form a set of 9 active
contact points that comprise the physical ports of the cryptographic module.
Table 2-1 shows the mapping of the pins to their functional description and
logical interface description.
Figure 6 USB-3 Receptacle Interface showing head-on view of pin alignment
Table 2-1
SPYRUS USB-3 Module Pins and Logical Interfaces
Pin Function FIPS 140-2 Logical Interface
VBUS Operating voltage Power Interface
D- USB 2.0 Data Input/ Output
(half-duplex)
Data Input / Data Output; Control Input; Status
Output
D+ USB 2.0 Data Input /
Output (half-duplex)
Data Input / Data Output; Control Input; Status
Output
GND Ground for power return Power Interface
SSRX- SuperSpeed Receiver Data Input; Control Input
SSRX+ SuperSpeed Receiver Data Input; Control Input
GND DRAIN Ground for signal return Power Interface
1 2 3 4
5
6
7
8
9
VBUS D+ D- GND
SSTX- SSTX+ GND SSRX+ SSRX-
DRAIN
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 9 All Rights Reserved
SSTX- SuperSpeed Transmitter Data Output; Status Output
SSTX+ SuperSpeed Transmitter Data Output; Status Output
3 Roles and Services
The SPYRUS USB-3 Module supports two roles, Crypto-officer (CO) and User,
and enforces the separation of these roles by restricting the services available to
each one.
Crypto-officer Role: The Crypto-officer is responsible for initializing the
SPYRUS USB-3 Module. Before issuing a SPYRUS USB-3 Module to an end
User, the Crypto-officer initializes the SPYRUS USB-3 Module as described in
section 6. The Crypto-officer cannot use private keys loaded on the module.
The SPYRUS USB-3 Module validates the Crypto-officer identity before
accepting any initialization commands. The Crypto-officer is also referred to as
the Site Security Officer (SSO) or Administrator.
User Role: The User role is available after the SPYRUS USB-3 Module has
been loaded with a User personality by the Crypto-Officer. The User can load,
generate and use private keys.
The SPYRUS USB-3 Module validates the User and SSO identity before access
is granted.
3.1 Services
The following table (Table 3-1) describes the services provided by the SPYRUS
USB-3 Module. The User/SSO column denotes the roles that may execute the
service.
Table 3-1
SPYRUS USB-3 Module Services
Service Description User / SSO
AES UNWRAPKEY Supports key export by using the AES unwrap key
process to decrypt a wrapped key data block, and
then storing it in the internal key register or the key
file.
User
AES WRAPKEY Supports key export by using the AES wrap key
process to encrypt the internal symmetric key data
that is transmitted to the host.
User
AUTHENTICATE SECURE
CHANNEL
Validates the secure channel between the host and
the module.
User,
SSO
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 10 All Rights Reserved
Service Description User / SSO
BLOCK PIN Blocks user PIN access. Resets attempt count for
the User PIN to zero and prohibits User PIN logon
until an UNBLOCK PIN command is executed by
the SSO / Administrator role.
User,
SSO
CHANGE PASSWORD Change the User password or SSO password. User,
SSO
CHECK PASSWORD User / SSO Inputs a password Phrase to
authenticate the SSO or the User.
User,
SSO
CREATE A file of type DF, SF, or EF is created1
. User,
SSO
DECRYPT Performs a decryption process on the input data
and sets up the plaintext data for retrieval.
Supports multiple modes of decryption for user
data.
User
DELETE Deletion of a file or directory. User,
SSO
DIRECTORY Retrieval of directory. User,
SSO
ECC GENERATE KEY Creates an ECC public/private key pair for
signing/verifying or transport.
User
ECDH COMPUTE SECRET Generates a shared secret, Z, and either returns it
to the caller or caches it for use with the KDF
function.
User
ECDSA SIGN Computation of a digital signature using the
ECDSA algorithm using the hash value.
User
ECDSA VERIFY Performs an ECDSA signature verification on the
provided hash data. The signature is returned
using SPYRUS Elliptic Curve RAW encoding.
User,
SSO
ENCRYPT Performs a symmetric encryption process on the
input data and returns the ciphertext data.
Supports multiple modes of encryption for user
data. Get Response must be issued to retrieve the
data.
User
ENVELOPE Sends the APDU commands through the secure
channel established previously between the host
and the SPYCOS 3.0 QFN module. The session
key is generated during the secure channel
establishment (see Manage Secure Channel). The
encryption mode used is the AES CBC mode.
User,
SSO
EXTEND Extension of the length of a file or directory. User,
SSO
FIPS_INFO Returns a value indicating whether the module is in
FIPS Mode (1) or not (0).
User,
SSO
GENERATE HMAC KEY Generates an HMAC key and initializes the
currently selected file for use with the HMAC
commands.
User
1 Refer to ISO/IEC 7816-4 for definition of file types and file system
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 11 All Rights Reserved
Service Description User / SSO
GENERATE IV See Generate Symmetric Key Command User
GENERATE RANDOM Generates a random number and also handles the
generation of Initialization Vectors (IVs) and
Message Encryption Keys (MEKs). Can be invoked
prior to authentication (GET UNAUTHENTICATED
RANDOM)
User
GENERATE SYMMETRIC
KEY
Used to generate Message Encryption Keys
(MEKs). It can also generate random numbers and
IVs.
User
GET PUBLIC Retrieves the public key information of an ECC
key.
User,
SSO
GET RESPONSE Retrieval of the module response. User,
SSO
GET SPYCOS VERSION
Retrieves firmware version of module. User,
SSO
GET STATUS Query on the current status of a File. User,
SSO
HASH FINALIZE Completes the hash operation and returns the
hash value.
User,
SSO
HASH INITIALIZE Initializes internal state to prepare for hashing
operations.
User,
SSO
HASH PROCESS Optional function called to hash a block of data
when its length is an even multiple of the hash
algorithm block size.
User,
SSO
HMAC FINALIZE Processes any remaining bytes in the message
and retrieves the HMAC value.
User
HMAC INITIALIZE Generates a HMAC message authentication code. User
HMAC PROCESS Processes the message in even multiples of the
hash algorithm’s block size.
User
IMPORT HMAC KEY Imports an HMAC key and initialize the currently
selected file for use with the HMAC commands.
User
INIT PIN FILE Used to generate the K of N authentication shared
data to the current selected PIN file. Upon a
successful execution of the Init PIN File command,
two external shared secrets and two logon PINs
are generated with the default values.
SSO
KDFEXTERNAL Passes the external KDF data to the hash function. User
KDFFINAL Completes the generation of the key and queues it
for output to the host.
User
KDFINTERNAL Passes the KDF data found inside the module to
the hash function.
User
KDFSTART Sets up the internal hash engine for hashing the
subsequent data. The hash type is determined by
the settings in specified input parameters.
User
LOAD CRYPTOGRAPHIC
DATA
Supports RSA / ECDSA signature verification or
RSA Wrap Key operation.
User,
SSO
LOAD IV See Load Key. See Load Key
LOAD KEY An overloaded function that performs Load MEK User
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 12 All Rights Reserved
Service Description User / SSO
(Message Encryption Key), Load IV, or Delete Key.
LOAD SECRET Loads one of two authentication codes required for
K of N logon. This is a prerequisite to changing the
Admin/SSO password, User password, or either of
the authentication codes.
User,
SSO
LOCK Disables all operations on this file. The file can still
be selected and the status information can still be
retrieved, but its contents cannot be accessed.
User,
SSO
MANAGE SECURE
CHANNEL
Establishes the secure channel between the host
and the SPYCOS 3.0 QFN module. Specific
codes, sent by the host, initialize and terminate the
secure channel.
User,
SSO
READ BINARY Binary read from a file, given the offset and length. User,
SSO
RSA GENERATE KEYPAIR Creates an RSA key pair to be used for
signing/verifying or transport. The user must have
created the RSA keying file (with appropriate
access controls) prior to issuing the GENERATE
command.
User
RSA SIGN DATA Signing a message or data object using RSA
signature.
User
RSA UNWRAP KEY Enables completion of public key exchange of a
MEK.
User
RSA VERIFY SIGNATURE Verifying an RSA signature on a message. User,
SSO
RSA WRAP KEY Invocation of an RSA Key wrap service. User
SELECT Setting a current file within a logical channel. User,
SSO
SELF TEST Automatically performed at power-up and can be
executed on-demand via power cycling the
module.
User,
SSO
SET KEY Setting one of the 3 key pointers to the key
registers to be used for encryption and decryption
using the following symmetric encryption
algorithms: AES, 3TDES.
User
UNBLOCK PIN Used by an SSO to restore User PIN logon access. SSO
UNLOCK Enable a previously Locked file. User,
SSO
UPDATE BINARY Update of the data in the currently selected EF2
with the data provided.
User,
SSO
XAUTH ENROLL Set up the shared symmetric key for use with the
challenge and response authentication process.
User,
SSO
XAUTH EXTERNAL
AUTHENTICATION
Submits the encrypted result of the challenge data
retrieved from the XAUTH Get Challenge
command.
User,
SSO
2 Refer to ISO/IEC 7816-4 for definition of file types
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 13 All Rights Reserved
Service Description User / SSO
XAUTH GET CHALLENGE Establishes the challenge and response
authentication process by first requesting the
random challenge for the current session. The
resulting challenge data is output to the host to
calculate the encrypted response for use in
comparison with the XAUTH External
Authentication command.
User,
SSO
ZEROIZE Zeroization of the module. Performed using
DELETE FILE with recursive argument.
User,
SSO
CCID_Mount Mounts or un-mounts the encrypted drive. User
CCID_SetAdminSettings Sets the Admin Settings of the initialized USB 3.0
device.
SSO
CCID_FirmwareUpdate Loads new firmware and verifies the signature. SSO
Authenticated_SCSI_Read Reading operations to the encrypted compartment User
Authenticated_SCSI_Write Writing operations to the encrypted compartment User
In addition to the services listed above in table 3-1, the following non-security
relevant services may be executed while the operator is unauthenticated:
• CREATE
• DELETE
• DIRECTORY
• EXTEND
• FIPS INFO
• GET UNAUTHENTICATED RANDOM
• GET RESPONSE
• GET SPYCOS VERSION
• GET STATUS
• READ BINARY
• SELECT
• SELF TEST
• UPDATE BINARY
• CCID_GetIDData
• CCID_GetFactorySettings
• CCID_GetAdminSettings
• USB Mass Storage Commands
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 14 All Rights Reserved
4 Identification and Authentication
4.1 Initialization Overview
The SPYRUS USB-3 Module is initialized at the factory with a Default SSO
Password Phrase. The SSO (Site Security Officer) must change the default
value during logon to make the module ready for initialization. During
initialization, the module only allows the execution of the commands that are
required to complete the initialization process.
Before a User can access or operate the module, the SSO must initialize it with
the User Password Phrase. The SSO is authorized to log on to the module any
time after initialization to change parameters. The module allows 10 consecutive
failed SSO logon attempts before it zeroizes all key material and initialization
values. In the zeroized state, the SSO must use the Default SSO Password
Phrase to log on to the module and must reinitialize all module parameters.
A User must log on to a module to access any on-board cryptographic functions.
To log on the User must provide the correct User Password Phrase. The module
allows 10 consecutive failed logon attempts before it blocks the stored User
Password Phrase. User information stored in the module in non-volatile memory
remains resident.
4.2 Authentication
The SPYRUS USB-3 Module implements identity-based authentication which is
accomplished by PIN or Password Phrase3 entry by the operator. On invocation
by the operator, the SPYRUS USB-3 Module waits for authentication of the User
or SSO role by entry of a Password Phrase. There is only one User and one
SSO Password Phrase allowed per module. Multiple User and SSO accounts
are not permitted. The authentication password strength available for each
supported role is indicated in Table 4.1 below.
Table 4-1
Identification and Authentication Roles and Data
Role
Type of
Authentication
Authentication Data
(Strength)
Crypto-officer
(SSO)
Identity-based Password Phrase (6 - 20
Bytes)
User Identity-based Password Phrase (6 - 20
Bytes)
3 The terms PIN and Password Phrase are used synonymously in this document.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 15 All Rights Reserved
Once a valid Password Phrase has been accepted the SPYRUS USB-3 Module
cryptographic services may be accessed. The CHECK PASSWORD command
includes either the User Password Phrase as a parameter (or) the SSO
Password Phrase as a parameter. If successful, either the User or SSO gains
access to the module.
The SPYRUS USB-3 Module stores the number of logon attempts in non-volatile
memory. The count is reset after every successful entry of a User Password
Phrase by a User and after every successful entry of the SSO Password Phrase
by the SSO. If the User fails to logon to the SPYRUS USB-3 Module in 10
consecutive attempts, the SPYRUS USB-3 Module will zeroize the User
Password Phrase, block all of the User Private Keys and Public Keys, block all of
the User Key Registers and disallow User access. The SPYRUS USB-3 Module
then transitions to a state that is initialized only for the SSO to perform restorative
actions. Restorative actions performed by the SSO may include reloading of
initialization parameters, unblocking the User Password Phrase, or zeroization of
the module. When the SPYRUS USB-3 Module is powered up after a zeroize, it
will transition to the Zeroized State, where it will only accept the Default SSO
Password Phrase. After the Default SSO Password Phrase has been accepted,
the SPYRUS USB-3 Module transitions to the Uninitialized State and must be
reinitialized, as described in section 6.
4.3 Strength of Authentication
The strength of the authentication mechanism conforms to the following
specifications in Table 4-2. The calculations are based on the enforced minimum
Password Phrase size of 6 bytes.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 16 All Rights Reserved
Table 4-2
Strength of Authentication
Authentication Mechanism Strength of Mechanism
Single Password-entry attempt / False Acceptance
Rate
The probability that a random 6-byte Password-entry
(using only 93 keyboard characters4
) attempt will
succeed or a false acceptance will occur is
1.5456185 x 10-12
. The requirement for a single–
attempt / false acceptance rate of no more than 1 in
1,000,000 (i.e. less than a probability of 10-6
) is
therefore met.
Multiple Password-entry attempt in one minute There is also a maximum bound of 10 successive
failed authentication attempts before zeroization
occurs. The probability of a successful attack of
multiple attempts in a one minute period is no more
than 1.5456185 x 10-11
due to the enforced
maximum number of logon attempts. This is less
than one in 100,000 (i.e., 1 x10-5
), as required.
4.3.1 Obscuration of Feedback
Feedback of authentication data to an operator is obscured during authentication
(e.g., no visible display of characters result when entering a password). The
Password Phrase value is input to the CHECK PASSWORD command as a
parameter by the calling application. No return code or pointer to a return value
that contains the Password Phrase is provided.
4.3.2 Non-weakening Effect of Feedback
Feedback provided to an operator during an attempted authentication shall not
weaken the strength of the authentication mechanism. The only feedback
provided by the CHECK PASSWORD command is a return code denoting
success or failure of the operation. This information in no way affects the
probability of success or failure in either single or multiple attacks.
4.3.3 Generation of Random Numbers
The Generate Random Number command can be invoked before or after
authentication of the user. The SP 800-90A DRBG algorithm is used for all
authenticated RNG calls.
4 The character set available for PINs is at least all alphanumeric characters (upper and lower
cases) and 31 special keyboard characters comprising the set {~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] |
\ : ; ” ’ < , > . ? /}.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 17 All Rights Reserved
5 Key Management
5.1 CSP Management
Table 5-1
SPYRUS USB-3 Module CSPs
CSP Designation Use
ECDSA Private Key The Private Key of the User employed in Elliptic Curve digital signing
operations.
EC-keypair Used in ECC CDH key agreement.
Hash DRBG Seed Used only in generating the initial state of the SP800-90A Hash_DRBG.
HMAC Key Used to generate HMAC message authentication code.
Message Encryption Key
(MEK)
AES Key or Three-Key Triple-DES Key for User data encryption/decryption.
RSA Private Key for Digital
Signatures
The Private Key of the User employed in RSA digital signing operations.
RSA Private Key for Key
Establishment
The Private Key of the User employed in RSA Key Unwrapping.
Secure Channel Session
Key
ECDH / AES key used to encrypt and decrypt Password data transmitted to
the module.
SSO Password Phrase A secret 20-byte value used for SSO authentication.
User Password Phrase A secret 20-byte value used for User authentication.
Drive Encryption Key A pair of AES-256 keys used for SP 800-38E XTS-AES encryption of User
data on the encrypted drive.
5.2 Public Key Management Parameters
Table 5-2
SPYRUS USB-3 Module Public Key Management Parameters
Key Management
Parameter
Use
ECDSA Public Key The Public Key of the User employed in Elliptic Curve digital signing operations.
RSA Public Key for
Digital Signatures
The Public Key of the User employed in RSA digital signature verification
operations.
RSA Public Key for
Key Establishment
The Public Key of the User employed in RSA Key Wrapping.
Firmware Load
Public Key
ECDSA P-384 SHA-384 Public Key used for Firmware Loading
5.3 CSP Access Matrix
The following table (Table 5-3) shows the services (see section 3.1) of the
SPYRUS USB-3 Module, the roles (see section 3) capable of performing the
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 18 All Rights Reserved
service, the CSPs (see section 5.1) that are accessed by the service and the
mode of access (see next paragraph) required for each CSP. The following
convention is used: If only one of the roles applies to the service, that role
appears alone. If both roles may execute the service, then “User, SSO” is
indicated. If either one (but not the other) then “User or SSO” is indicated. In the
last option it is a matter of organizational policy which of the roles may execute
the service.
Access modes are R (read), W (write) and E (execute). Destruction is
represented as a W.
Table 5-3
SPYRUS USB-3 Module Access Matrix
Service User / SSO Access Type CSP Access
AES UNWRAPKEY User R,E AES Secret Key
AES WRAPKEY User R,E AES Secret Key
AUTHENTICATE SECURE
CHANNEL
User,
SSO
R,W,E Secure Channel Session Key
BLOCK PIN User,
SSO
E User Password, SSO Password
CHANGE PASSWORD User,
SSO
W User Password, SSO Password
CHECK PASSWORD User,
SSO
R User Password, SSO Password
CREATE User,
SSO
N/A N/A
DECRYPT User R AES/TDES Secret Key
DELETE User,
SSO
N/A N/A
DIRECTORY User,
SSO
N/A N/A
ECC GENERATE KEY User W EC-keypair
ECDH COMPUTE SECRET User N/A N/A
ECDSA SIGN User R ECDSA Private Key
ECDSA VERIFY User,
SSO
R ECDSA Private Key
ENCRYPT User R AES/TDES Secret Key
ENVELOPE User,
SSO
R,E Secure Channel Session Key
EXTEND User,
SSO
N/A N/A
FIPS_INFO User,
SSO
N/A N/A
GENERATE HMAC KEY User R,E HMAC Key
GENERATE IV User N/A N/A
GENERATE RANDOM User R HASH DRBG Seed
GENERATE SYMMETRIC
KEY
User W MEK
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 19 All Rights Reserved
Service User / SSO Access Type CSP Access
GET PUBLIC User,
SSO
N/A N/A
GET RESPONSE User,
SSO
N/A N/A
GET SPYCOS VERSION User,
SSO
N/A N/A
GET STATUS User,
SSO
N/A N/A
HASH FINALIZE User,
SSO
N/A N/A
HASH INITIALIZE User,
SSO
N/A N/A
HASH PROCESS User,
SSO
N/A N/A
HMAC FINALIZE User W HMAC Key
HMAC INITIALIZE User W HMAC Key
HMAC PROCESS User W HMAC Key
IMPORT HMAC KEY User R,W HMAC Key
INIT PIN FILE SSO R,W User Password, SSO Password
KDFEXTERNAL User N/A N/A
KDFFINAL User W AES/TDES Secret Key
KDFINTERNAL User N/A N/A
KDFSTART User N/A N/A
LOAD CRYPTOGRAPHIC
DATA
User,
SSO
N/A N/A
LOAD IV User N/A N/A
LOAD KEY User W,D MEK
LOAD SECRET User,
SSO
R User Password, SSO Password
LOCK User,
SSO
N/A N/A
MANAGE SECURE
CHANNEL
User,
SSO
W,D Secure Channel Session Key
READ BINARY User,
SSO
N/A N/A
RSA GENERATE KEYPAIR User W RSA Private Key
RSA SIGN DATA User R,E RSA Private Key
RSA UNWRAP KEY User R
R
RSA Private Key
MEK
RSA VERIFY SIGNATURE User,
SSO
R,E RSA Private Key
RSA WRAP KEY User R,
W,D
RSA Private Key
MEK
SELECT User,
SSO
N/A N/A
SELF TEST User,
SSO
N/A N/A
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 20 All Rights Reserved
Service User / SSO Access Type CSP Access
SET KEY User N/A N/A
UNBLOCK PIN SSO W User Password, SSO Password
UNLOCK User,
SSO
N/A N/A
UPDATE BINARY User,
SSO
N/A N/A
XAUTH ENROLL User,
SSO
N/A N/A
XAUTH EXTERNAL
AUTHENTICATION
User,
SSO
N/A N/A
XAUTH GET CHALLENGE User,
SSO
N/A N/A
ZEROIZE User,
SSO
ECDSA Private Key
EC-keypair
Hash DRBG Seed
HMAC Key
Message Encryption Key (MEK)
RSA Private Key for Digital
Signatures
RSA Private Key for Key
Establishment
Secure Channel Session Key
SSO Password Phrase
Storage Key
User Password Phrase
CCID_Mount User N/A N/A
CCID_SetAdminSettings SSO N/A N/A
CCID_FirmwareUpdate SSO N/A N/A
Authenticated_SCSI_Read User R,E Drive Encryption Key
Authenticated_SCSI_Write User W,E Drive Encryption Key
5.4 Destruction of Keys and CSPs
The module has the ability to destroy all keys and CSPs by a recursive DELETE
command. The contents of the file(s) being recursively deleted are erased and
over written. Should a power-down occur during the execution of the recursive
DELETE, the action of zeroization will resume on a subsequent power-on event,
ensuring that access to zeroized information is prevented.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 21 All Rights Reserved
6 Setup and Initialization
The uninitialized module has only a root directory with minimal version and
manufacturing information in specific files. There is no information pertaining to
the User or SSO or their authentication data, such as Passwords, stored on the
uninitialized module as shipped to the customer.
Initialization of the module is accomplished by setting up a security domain by
way of the following actions:
• The SSO creates a new application directory on the module;
• The SSO creates a PIN file that is associated with the SSO and User;
• The SSO initializes the PIN files;
• The SSO may optionally set a default Password or set the User Password
Phrase:
o If the User Password Phrase is set by the SSO, the User will not be
able to change their Password.
• The SSO uses FIPS_INFO command to confirm FIPS mode
The module is now in FIPS mode and operators may logon with the CHECK
PASSWORD command. See Section 4.2 for a description of the CHECK
PASSWORD process.
7 Physical Security
The module is designed to meet FIPS 140-2 Level 3 Security. The Module is
designed with physical security mechanisms such that attempts at removal or
penetration of the strong aluminum metal enclosure will have a high probability of
causing serious damage to the module to the extent that it will no longer function.
This is achieved using a hard, opaque, tamper-evident potting material and a
strong aluminum metal enclosure.
The module hardness testing was only performed at a single temperature and no
assurance is provided for Level 3 hardness conformance at any other
temperature.
Table 7-1
Inspection of Physical Security Mechanisms
Physical Security
Mechanisms
Recommended Frequency of
Inspections
Inspection/Test Guidance
Details
Hard, opaque,
tamper-evident
potting material
As often as feasible, based
upon organization security
policy.
Inspect the cryptographic
boundary for scratches,
scrapes, divots and other
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 22 All Rights Reserved
Physical Security
Mechanisms
Recommended Frequency of
Inspections
Inspection/Test Guidance
Details
and strong
aluminum metal
enclosure.
suspicious markings or
indicators of malice and
tampering. If any signs of
suspicious activity are
observed, return the
cryptographic module to
SPYRUS.
8 Self-Tests
The module performs both power-on and conditional self-tests. The power-on
self-tests run automatically when power is restored to the module, without
requiring any actions or inputs from the operator.
The module performs the following power-on self-tests:
• Firmware Integrity Test with 160-bit Error Detection Code and 32-bit
checksum
• Cryptographic algorithm known answer tests (KAT) for:
• Three-key Triple-DES KAT (encrypt)
• Three-key Triple-DES KAT (decrypt)
• AES KAT (encrypt)
• AES KAT (decrypt)
• AES-XTS KAT (encrypt)
• AES-XTS KAT (decrypt)
• ECDSA KAT (sign)
• ECDSA KAT (verify)
• ECC CDH (Primitive “Z” Computation) KAT
• RSA KAT (sign)
• RSA KAT (verify)
• HMAC (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) KAT
• SP800-90A DRBG KAT
• SP800-108 KDF KAT
Power cycling allows either the User or SSO to perform any or all of the above
tests on demand.
The module performs the following conditional tests:
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 23 All Rights Reserved
• ECDSA Pairwise Consistency Test
• ECC CDH Pairwise Consistency Test
• RSA Pairwise Consistency Test
• Continuous test for Approved SP800-90A DRBG
• Continuous test for non-Approved NDRNG
• Firmware Load Test: ECDSA P-384 SHA-384 Signature
Verification
• Bypass test: N/A
• Manual key entry test: N/A
9 Mitigation of Other Attacks
The module is not claimed to mitigate against any specific attacks outside the
scope of FIPS 140-2.
Table 9-1
Mitigation of Other Attacks
Other Attacks Mitigation Mechanism Specific limitations
Not applicable. Not applicable. Not applicable.
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 24 All Rights Reserved
10 Appendix A: Critical Security Parameters and
Public Keys
The Modules supports the following CSPs:
1. ECDSA Private Key
- Type: X9.62
- Use: The Private Key of the User employed in Elliptic Curve digital signing
operations.
- Generation: As per SP800-133 Section 6.1, key generation is performed as per FIPS
186-4 which is an Approved key generation method.
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; stored in EEPROM
- Key-to-Entity: User
- Zeroization: Actively overwritten during ZEROIZE service
2. EC-keypair
- Type: SP 800-56A
- Use: Used in ECC CDH key agreement.
- Generation: As per SP800-133 Section 6.2, the random value (K) needed to generate
key pairs for the elliptic curve is the output of the SP800-90A DRBG; this is Approved
as per SP800-56A.
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; transient in RAM
- Key-to-Entity: User
- Zeroization: Actively overwritten after channel closure; actively overwritten during
ZEROIZE service
3. Hash DRBG Seed
- Type: SP800-90A
- Use: Used only in generating the initial state of the SP800-90A DRBG
- Generation: Internally generated using the NDRNG
- Establishment: N/A
- Entry: N/A
- Output: N/A
- Storage: N/A
- Key-to-entity: Process
- Zeroization: Actively overwritten during ZEROIZE service
4. HMAC Key
- Type: FIPS 198 HMAC Key
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 25 All Rights Reserved
- Use: Used to generate HMAC message authentication code
- Generation: As per SP800-133 Section 7.1, key generation is performed as per the
“Direct Generation” of Symmetric Keys which is an Approved key generation method.
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: Encrypted with AES-256
- Storage: Plaintext; stored in key register
- Key-to-entity: User
- Zeroization: Actively overwritten during ZEROIZE service
5. Message Encryption Key (MEK)
- Type: AES 128, 192, 256 ECB/CBC/CTR, Three-key Triple-DES ECB/CBC
- Use: Used for data encryption
- Generation: As per SP800-133 Section 7.1, key generation is performed as per the
“Direct Generation” of Symmetric Keys which is an Approved key generation method.
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: Encrypted with RSA 2048
- Storage: Plaintext; stored in key register
- Key-to-entity: User
- Zeroization: Actively overwritten during ZEROIZE service
6. RSA Private Key for Digital Signature
- Type: FIPS 186-4
- Use: The Private Key of the User employed in RSA digital signing operations
- Generation: As per SP800-133 Section 6.1, key generation is performed as per FIPS
186-4 which is an Approved key generation method.
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; stored in EEPROM
- Key-to-entity: User
- Zeroization: Actively overwritten during ZEROIZE service
7. RSA Private Key for Key Establishment
- Type: FIPS 186-4
- Use: The Private Key of the User employed in RSA Key Unwrapping
- Generation: As per SP800-133 Section 6.2, key generation is performed as per FIPS
186-4; this is an allowed method as per FIPS 140-2 IG D.9
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; stored in EEPROM
- Key-to-entity: User
- Zeroization: Actively overwritten during ZEROIZE service
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 26 All Rights Reserved
8. Secure Channel Session Key
- Type: AES-256 CBC
- Use: AES-256 CBC key used to encrypt and decrypt data transmitted to the module
- Generation: N/A
- Establishment: ECC CDH key agreement as per SP800-56A; allowed method as per
FIPS 140-2 IG D.8 Scenario 1
- Entry: N/A
- Output: N/A
- Storage: Plaintext; Transient in RAM
- Key-to-entity: User
- Zeroization: Actively overwritten after channel closure; actively overwritten during
ZEROIZE service
9. SSO Password Phrase
- Type: 6 - 20 byte Password Phrase
- Use: A secret 6 - 20 byte value used for Cyrpto-officer (SSO) authentication that is
externally - created by SSO during initialization
- Generation: N/A
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; stored in EEPROM
- Zeroization: Actively overwritten when CHECK PASSWORD and CHANGE
PASSWORD services are executed by the SSO; actively overwritten during ZEROIZE
service
10. User Password Phrase
- Type: 6 - 20 byte Password Phrase
- Use: A secret 6 - 20 byte value used for User authentication that is externally created
by SSO during initialization
- Generation: N/A
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: N/A
- Storage: Plaintext; stored in EEPROM
- Zeroization: Actively overwritten when CHECK PASSWORD and CHANGE
PASSWORD services are executed by the User; Actively overwritten during ZEROIZE
service
11. Drive Encryption Key
- Type: AES-XTS
- Use: A pair of AES-256 keys used for SP 800-38E AES-XTS encryption of User data
on the encrypted drive
- Generation: As per SP800-133 Section 7.4, derived using SP800-108 KBKDF
- Establishment: N/A
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 27 All Rights Reserved
- Entry: N/A
- Output: N/A
- Storage: Plaintext; Transient in RAM and stored in PLX ROM
- Zeroization: Actively overwritten during ZEROIZE service
The module supports the following public keys:
1. ECDSA Public Key:
- Type: X9.62
- Use: The Public Key of the User employed in Elliptic Curve digital signing operations
- Generation: As per SP800-133 Section 6.1, key generation is performed as per FIPS
186-4 which is an Approved key generation method
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: Encrypted with AES-256
- Storage: Encrypted; stored in EEPROM
- Key-to-entity: User
2. RSA Public Key for Digital Signatures
- Type: FIPS 186-4
- Use: The Public Key of the User employed in RSA digital signature verification
operations
- Generation: As per SP800-133 Section 6.1, key generation is performed as per FIPS
186-4 which is an Approved key generation method
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: Encrypted with AES-256
- Storage: Encrypted; stored in EEPROM
- Key-to-entity: User
3. RSA Public Key for Key Establishment
- Type: FIPS 186-4
- Use: The Public Key of the User employed in RSA Key Wrapping
- Generation: As per SP800-133 Section 6.2, key generation is performed as per FIPS
186-4; this is an allowed method as per FIPS 140-2 IG D.9
- Establishment: N/A
- Entry: Encrypted with AES-256
- Output: Encrypted with AES-256
- Storage: Encrypted; stored in EEPROM
- Key-to-entity: User
4. Firmware Load Public Key
- Type: X9.62
- Use: ECDSA P-384 SHA-384 Public Key used for Firmware Loading
- Generation: N/A; installed during manufacturing
- Establishment: N/A
SPYRUS, Inc. SPYRUS USB-3 Module FIPS 140-2 Non-Proprietary Security Policy
SPYRUS, Inc 28 All Rights Reserved
- Entry: N/A
- Output: N/A
- Storage: Plaintext; Transient in RAM and stored in PLX ROM
- Key-to-Entity: Process