© 2017 Western Digital Corporation or its affiliates. Public Material - May be reproduced only in its original entirety [without revision].
HGST Ultrastar C15K600 TCG Enterprise HDDs
FIPS 140-2 Cryptographic Module
Non-Proprietary Security Policy
Protection of Data at Rest
Version: 1.7
2017-10-24
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 2 of 21
CONTENTS
1 Cryptographic Module Overview ......................................................................................................................4
1.1 Models .................................................................................................................................................................................................. 4
1.2 Security Level........................................................................................................................................................................................ 5
2 Modes of Operation.............................................................................................................................................5
2.1 FIPS Approved Mode of Operation....................................................................................................................................................... 5
2.2 Approved Algorithms............................................................................................................................................................................ 6
3 Ports and Interfaces.............................................................................................................................................6
4 Identification and Authentication Policy..........................................................................................................7
4.1 Cryptographic Officer............................................................................................................................................................................. 7
4.1.1 Secure ID (SID) Authority.................................................................................................................................................... 7
4.1.2 EraseMaster Authority .......................................................................................................................................................... 7
4.2 User...................................................................................................................................................................................................... 7
4.3 Anybody ............................................................................................................................................................................................... 7
4.4 Maker .................................................................................................................................................................................................. 7
5 Access Control Policy..........................................................................................................................................9
5.1 Roles and Services.................................................................................................................................................................................. 9
5.2 Unauthenticated Services...................................................................................................................................................................... 10
5.3 Definition of Critical Security Parameters (CSPs)................................................................................................................................. 10
5.4 Definition of Public Security Parameters............................................................................................................................................... 11
5.5 SP800-132 Key Derivation Function Affirmations.............................................................................................................................. 11
5.6 Definition of CSP Modes of Access...................................................................................................................................................... 12
6 Operational Environment.................................................................................................................................13
7 Security Rules......................................................................................................................................................13
7.1 Invariant Rules ................................................................................................................................................................................... 13
7.2 Initialization Rules.............................................................................................................................................................................. 15
7.3 Zeroization Rules................................................................................................................................................................................ 15
8 Physical Security Policy .....................................................................................................................................15
8.1 Mechanisms......................................................................................................................................................................................... 15
8.2 Operator Responsibility........................................................................................................................................................................ 16
9 Mitigation of Other Attacks Policy..................................................................................................................16
10 Definitions...........................................................................................................................................................16
11 Acronyms ............................................................................................................................................................18
12 References ...........................................................................................................................................................18
12.1 NIST Specifications....................................................................................................................................................................... 18
12.2 Trusted Computing Group Specifications......................................................................................................................................... 19
12.3 HGST Documents ........................................................................................................................................................................ 19
12.4 International Committee on Information Technology Standards T10 Technical Committee Standards ............................................... 19
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 3 of 21
Tables
Table 1 - Ultrastar C15K600 Product Models ..........................................................................................................4
Table 2 - Module Security Level Specification..........................................................................................................5
Table 3 - FIPS Approved Algorithms........................................................................................................................6
Table 4 - Ultrastar C15K600 Pins and FIPS 140-2 Ports and Interfaces..............................................................6
Table 5 - Roles and Required Identification and Authentication...........................................................................8
Table 6 - Authentication Mechanism Strengths........................................................................................................8
Table 7 - Authenticated CM Services.........................................................................................................................9
Table 8 - Unauthenticated Services...........................................................................................................................10
Table 9 - CSPs and Private Keys...............................................................................................................................11
Table 10 - Sensitive Security Parameters..................................................................................................................11
Table 11 - CSP Access Rights within Roles & Services.........................................................................................13
Table 12 - SCSI Commands ......................................................................................................................................21
Figures
Figure 1: Cryptographic Boundary..............................................................................................................................4
Figure 2: Large Tamper-Evident Label Hardware Version (2).............................................................................15
Figure 3: Smaller Tamper-Evident Label Hardware Version (2) .........................................................................15
Figure 4: Tamper Evidence on Large Tamper Label Figure 5: Tamper Evidence on Metal Surface.........16
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 4 of 21
1 Cryptographic Module Overview
HGST Ultrastar C15K600 TCG Enterprise HDDs, hereafter referred to as “Ultrastar C15K600” or “the
Cryptographic Module” are multi-chip embedded modules that comply with FIPS 140-2 Level 2 security.
They also comply with the Trusted Computing Group (TCG) SSC: Enterprise Specification. The drive enclosure is
the cryptographic boundary (see Figure 1).
Hardware Version (2)
Figure 1: Cryptographic Boundary
1.1 Models
The Ultrastar C15K600 is available in several models that vary by storage capacity and block size. Table 1
enumerates the models and characteristics and includes the hardware and firmware versions. The number
in parentheses at the end of the Hardware version indicates the tamper seal version used.
Model Number
(Hardware Version)
Firmware Version
Capacity
(GB)
Block Size
(bytes)
Description
HUC156060CS4205 (2)
RAA2, RD02, RDB0
600
4K Native,
512 emulation
SAS 12 Gb/s, 2.5”, 15000 RPM
HUC156045CS4205 (2)
RAA2, RD02, RDB0
450
4K Native,
512 emulation
SAS 12 Gb/s, 2.5”, 15000 RPM
HUC156030CS4205 (2)
RAA2, RD02, RDB0
300
4K Native,
512 emulation
SAS 12 Gb/s, 2.5”, 15000 RPM
HUC156060CSS205 (2) RAA2, RD02, RDB0 600 512 Native SAS 12 Gb/s, 2.5”, 15000 RPM
HUC156045CSS205 (2) RAA2, RD02, RDB0 450 512 Native SAS 12 Gb/s, 2.5”, 15000 RPM
HUC156030CSS205 (2) RAA2, RD02, RDB0 300 512 Native SAS 12 Gb/s, 2.5”, 15000 RPM
Table 1 - Ultrastar C15K600 Product Models
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 5 of 21
1.2 Security Level
The Cryptographic Module meets all requirements applicable to FIPS 140-2 Level 2 Security.
FIPS 140-2 Security Requirements Section FIPS 140-2 Security Level Achieved
Cryptographic Module Specification 2
Module Ports and Interfaces 2
Roles, Services and Authentication 2
Finite State Model 2
Physical Security 2
Operational Environment N/A
Cryptographic Key Management 2
EMI/EMC 2
Self-Tests 2
Design Assurance 2
Mitigation of Other Attacks N/A
Table 2 - Module Security Level Specification
2 Modes of Operation
2.1 FIPS Approved Mode of Operation
The Cryptographic Module has a single FIPS Approved mode of operation that is entered after successful
completion of the Initialize Cryptographic Module service. The FIPS mode bit is set to 1 after the
Cryptographic Officer executes the Set Makers.Enabled = FALSE instruction. The Cryptographic Officer
shall not enable the Maker Authority after the Cryptographic Module enters FIPS Approved mode. If the
Cryptographic Officer enables the Maker Authority after the module enters FIPS Approved mode the
Cryptographic Officer must also zeroize the module by executing the TCG Revert Method.
Once configured to run in FIPS Approved mode, the Cryptographic Module will always run in FIPS-
Approved mode as long as all of the self-tests complete successfully. A value of “1” is returned when the
Cryptographic Module is in FIPS mode. If configured incorrectly, the module will run in the Non-FIPS
Approved mode of operation and the Get FIPS Mode service will return a value of ”0”.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 6 of 21
2.2 Approved Algorithms
The Cryptographic Module supports the following FIPS Approved algorithms. All algorithms and key
lengths are in compliance with NIST SP 800-131A.
FIPS Approved Algorithm CAVP Certificate
SP800-90A CTR-DRBG 302
Hardware AES ECB-128, 256, XTS-1281, 256
Encryption and Decryption
* Note: The length of data unit for AES-XTS does not exceed 2^20
blocks. AES-XTS is only used for storage applications.
2067
AES ECB-256
Encryption, Decryption and Key Wrap
* Note: key wrap is only used internally for storage purposes
2365
RSA 2048 PSS Verify 1220
SHA-256 2037
HMAC-SHA-256
Used in SP 800-132 PBKDF
1468
SP800-132 KDF Vendor Affirmed
Table 3 - FIPS Approved Algorithms
The Cryptographic Module supports the following non-Approved but Allowed algorithm:
 Hardware NDRNG for seeding the Approved SP800-90A DRBG
3 Ports and Interfaces
Table 3 below identifies its ports and interfaces of the Cryptographic Module. A maintenance access
interface is not provided.
FIPS 140-2 Interface Cryptographic Module Ports
Power Power connector [SAS]
Control Input SAS connector [SAS]
Status Output SAS connector [SAS]
Data Input SAS connector [SAS]
Data Output SAS connector [SAS]
Table 4 - Ultrastar C15K600 Pins and FIPS 140-2 Ports and Interfaces
1
AES XTS-128 and AES ECB-128 were tested but are not utilized by the cryptographic module.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 7 of 21
4 Identification and Authentication Policy
The Cryptographic Module enforces the following FIPS140-2 operator roles.
4.1 Cryptographic Officer
4.1.1 Secure ID (SID) Authority
This TCG authority initializes the Cryptographic Module. TCG SSC: Enterprise Section 11.3.1 defines this
role.
4.1.2 EraseMaster Authority
This TCG authority zeroizes the Cryptographic Module. TCG SSC: Enterprise Section 11.4.1 defines this
role. It may also disable User roles and erase LBA bands (user data regions).
4.2 User
User roles correspond to Bandmaster Authorities; they are defined in TCG SSC: Enterprise Section 11.4.1.
They are authorized to lock/unlock and configure LBA bands (user data regions) and to issue read/write
commands to the SED. The TCG EraseMaster authority can disable Users.
4.3 Anybody
Services are provided that do not require authentication. With one exception, these do not disclose,
modify, or substitute Critical Security Parameters, use an Approved security function, or otherwise affect
the security of the Cryptographic Module. The excepted service is the Generate Random service, which
provides output from an instance of the SP800-90A DRBG.
4.4 Maker
For failure analysis purposes, out of scope services are provided for the vendor to configure and perform
failure analysis within the vendor’s facilities. Maker authentication data shall not leave the vendor’s
facilities. Maker is disabled when the Cryptographic Officer invokes the Initialize Cryptographic Module
service.
The following table maps TCG authorities to FIPS 140-2 roles.
TCG
Authority
Description
Authentication
Type
Authentication Data
SID Authority
A Cryptographic Officer role which
initializes the Cryptographic Module and
authorizes Firmware download.
Role-based
CO Identity (TCG SID Authority)
and PIN (TCG SID Authority
PIN)
EraseMaster
A Cryptographic Officer role which
zeroizes Media Encryption keys and
disables Users.
Role-based
CO Identity (TCG EraseMaster
Authority) and PIN (TCG
EraseMaster PIN)
BandMasterN
(N = 0 to 5)
A User role which controls read/write
access to LBA Bands.
Role-based
User Identity (TCG BandMaster
Authority) and PIN (TCG
BandMaster PIN)
Anybody
A role that does not require
authentication.
Unauthenticated N/A
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 8 of 21
TCG
Authority
Description
Authentication
Type
Authentication Data
Maker
A TCG Authority which is not available
upon completion of the Initialize
Cryptographic Module service
Role-based
User Identity (TCG Maker
Authority) and PIN (HGST
Maker PIN)
Table 5 - Roles and Required Identification and Authentication
The Cryptographic Module enforces role separation by requiring a role identifier and an authentication
credential (Personal Identification Number or PIN).
Authentication Mechanism Mechanism Strength
TCG Credential (PIN)
TCG Credentials are 256 bits, which provides 2256 possible
values. The probability that a random attempt succeeds is 1
chance in 2256 (approximately (8.64 x 10-78) which is significantly
less than 1/1,000, 000 (1x 10-6).
Multiple, successive authentication attempts can only occur
sequentially (one at a time) and only when the failed
authentication Tries count value does not exceed the associated
TriesLimit value. Any authentication attempt consumes at least
approximately 750 microseconds. Hence, at most,
approximately 80,000 authentication attempts are possible in one
minute. Thus, the probability that a false acceptance occurs a
one minute interval is approximately 6.91 x 10-73 which is
significantly less than 1 chance in 100,000 (1 x 10-5).
Table 6 - Authentication Mechanism Strengths
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 9 of 21
5 Access Control Policy
5.1 Roles and Services
The services available between the Approved and Non-Approved Modes are identical aside from the
following exception:
– While in the Non-Approved Mode, services associated with the Maker role are also available (see Table 7
below).
Service Description Role(s)
Initialize Cryptographic
Module
Cryptographic Officer provisions the Cryptographic Module
from organizational policies
CO
(SID Authority)
Authenticate Input a TCG Credential for authentication
CO, Users,
Maker
(SID Authority,
EraseMaster,
BandMasters)
Lock/Unlock Firmware
Download Control
Deny/Permit access to Firmware Download service
CO
(SID Authority)
Firmware Download
Load and verify by RSA2048 an entire firmware image. If
the new self-tests complete successfully, the SED executes
the new code. The Firmware Download Control shall be
unlocked before Firmware can be downloaded.
CO
(SID Authority)
Set
Write data structures; access control enforcement occurs per
data structure field. PINs can be changed using this service.
CO, Users,
Maker
(SID Authority,
EraseMaster,
BandMasters)
Set LBA Band
Set the starting location, size, and attributes of a set of
contiguous Logical Blocks
Users
(BandMasters)
Lock/Unlock
LBA Band
Deny/Permit access to a LBA Band
Users
(BandMasters)
Write Data
Transform plaintext user data to ciphertext and write in a
LBA band
Users
(BandMasters)
Read Data
Read ciphertext from a LBA band and output user plaintext
data
Users
(BandMasters)
Set Data Store Write a stream of bytes to unstructured storage
Users
(BandMasters)
Erase LBA Band
Band cryptographic-erasure by changing LBA band
encryption keys to new values. When the EraseMaster
erases a LBA band, the TCG Credential is set to the default
value.
CO
(EraseMaster)
Set Vendor Data
A Non-Approved service that is unavailable after the
Initialize Cryptographic Module service completes
Maker
Table 7 - Authenticated CM Services
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 10 of 21
5.2 Unauthenticated Services
The Cryptographic Module provides these unauthenticated services via the Anybody role.
Service Description
Reset Module Power on Reset
Self-Test The Cryptographic Module performs self-tests when it powers up
Status Output TCG (IF-RECV) protocol
Get FIPS Mode
TCG ‘Level 0 Discovery’ method outputs the FIPS mode of the Cryptographic
Module.
Start Session Start TCG session
End Session End a TCG session by clearing all session state
Generate Random TCG Random method generates a random number from the SP800-90A DRBG
Get Reads data structure; access control enforcement occurs per data structure field
Get Data Store Read a stream of bytes from unstructured storage
Zeroize
TCG Revert method to return the Cryptographic Module to its original
manufactured state; authentication data (PSID) is printed on the external label
SCSI
[SCSI Core] and [SCSI Block] commands to function as a standardized storage
device. See Table 12 - SCSI Commands
Table 8 - Unauthenticated Services
5.3 Definition of Critical Security Parameters (CSPs)
The Cryptographic Module contains the following CSPs:
Key Name Type Description
Cryptographic Officer PIN -
TCG Credential (2 total)
256-bit authentication data Authenticates the Cryptographic Officer role
User PIN –TCG Credential
(6 total)
256-bit authentication data Authenticates the User role
MEK - Media Encryption Key
(6 total - 1 per LBA band)
XTS-AES-256 (512 bits)
Encrypts and decrypts LBA Bands
Note: This key is only associated with one key
scope.
KEK – Key Encrypting Key
(6 total)
SP 800-132 PBKDF (256
bits)
Keys derived from BandMaster PINs that
wrap the MEKs
Note: Keys protected by this SP 800-132
PBKDF derived key shall not leave the
module.
NDRNG
Entropy data (256 bits of
strength)
Entropy source for DRBG
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 11 of 21
Key Name Type Description
DRBG
Internal CTR_DRBG state
(384 bits)
All properties and state associated with the
SP800-90A Deterministic Random Bit
Generator that includes the values V and the
Key.
Table 9 - CSPs and Private Keys
5.4 Definition of Public Security Parameters
The Cryptographic Module contains the following public key:
Key Name Type Description
RSAFW RSA 2048 public key Verify firmware download
Table 10 - Sensitive Security Parameters
5.5 SP800-132 Key Derivation Function Affirmations
The Cryptographic Module deploys a [SP800-132] Key Derivation Function (KDF).
 The KEKs (SP800-132 Master Keys) are derived from the User PINs (SP800-132 Password) with
SP800-132 Option 2a.
 Security policy rules set the minimum PIN length at 32 bytes. The cryptographic module allows
values from 0x00 to 0xFF for each byte of a PIN
o The security strength of a PIN is 128 bits.
o The upper bound for the probability of guessing a PIN is 2^-256.
 The difficulty of guessing the PIN is equivalent to a brute force attack.
 The KEKs (SP800-132 Master Keys) are only used to wrap the Media Encryption Keys (MEKs).
The cryptographic module creates a unique KEK for each LBA Band.
In accordance with SP 800-132, the Cryptographic Module permits keys derived from passwords to be
used only for storage applications.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 12 of 21
5.6 Definition of CSP Modes of Access
Table 11 defines the relationship between access to Critical Security Parameters (CSPs) and the different
Cryptographic Module services. The modes of access shown in the table are defined as:
G = Generate: The Cryptographic Module generates a CSP from the SP800-90A DRBG, derives a CSP
with the Key Derivation Function or hashes authentication data with SHA-256.
E = Execute: The module executes using the CSP.
W = Write: The Cryptographic Module writes a CSP. The write access is performed after the
Cryptographic Module generates a CSP.
Z = Zeroize: The Cryptographic Module zeroizes a CSP.
Service CSPs and Keys
Type of
CSP Access
Initialize Cryptographic Module
CO PIN E, W
User PIN E, W
DRBG, NDRBG E
KEK G
MEK G, W
Authenticate
CO PIN E
User PIN E
Lock/Unlock Firmware Download Control CO PIN E
Firmware Download
CO PIN E
RSAFW E
Set
CO PIN E
User PIN E
Maker PIN E
Set LBA Band User PIN E
Lock/Unlock LBA Band
User PIN E
KEK G
MEK E
Write Data
User PIN E
MEK E
Read Data
User PIN E
MEK E
Set Data Store User PIN E
Erase LBA Band
CO PIN E
User PIN Z
KEK G
MEK Z, G, W
Reset Module None
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 13 of 21
Service CSPs and Keys
Type of
CSP Access
Self-Test
NDRNG E
DRBG W
Status Output None
Get FIPS mode None
Start Session None
End Session None
Generate Random DRBG E
Get Data Store None
Get None
Set Vendor Data None
Zeroize (TCG Revert)
CO PIN W
User PIN W
DRBG G
KEK G
MEK Z, G, W
SCSI None
Table 11 - CSP Access Rights within Roles & Services
6 Operational Environment
The Cryptographic Module operating environment is non-modifiable. While the Cryptographic Module is
operational, the environment cannot be modified; the code working set cannot be added, deleted or
modified. Firmware can be upgraded (replaced in entirety) with an authenticated download service. If the
download operation is successfully authorized and verified, then the Cryptographic Module will begin
operating with the new code working set. Firmware loaded into the module that is not on the certificate is
out of the scope of this validation and requires a separate FIPS 140-2 validation.
7 Security Rules
Ultrastar C15K600 enforces applicable FIPS 140-2 Level 2 security requirements. This section documents
the security rules that the Cryptographic Module enforces.
7.1 Invariant Rules
 The Cryptographic Module supports two distinct types of operator roles: Cryptographic Officer
and User. The module also supports an additional role, the Maker role. Initialization disables the
Maker role.
 Cryptographic Module power cycles clear all existing authentications.
 When the Cryptographic Module has successfully completed self-tests and has been initialized, it is
in FIPS mode, and the FIPS mode indicator is set to 1.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 14 of 21
 When the Cryptographic Module is unable to authenticate TCG Credentials, operators do not have
access to any cryptographic service other than the unauthenticated Generate Random service.
 The Cryptographic Module performs the following tests. Upon failure of any test, the
Cryptographic Module enters a soft error state; the error condition is reported via the [SCSI]
protocol. Functional commands are not permitted until a reset or power on reset occurs.
Power up Self-Tests
o Firmware Integrity 32-bit EDC
o DRBG Health Test, Cert. #302
o Firmware AES Encrypt KAT, Cert #2365
o Firmware AES Decrypt KAT, Cert #2365
o RSA Verify KAT, Cert #1220
o DRBG KAT, Cert. #302
o SHA-256 KAT, Cert #2037
o HMAC-SHA-256 KAT, Cert #1468
o Hardware AES Encrypt KAT, Cert #2067
o Hardware AES Decrypt KAT, Cert #2067
Conditional Tests
o Continuous Random Number Generator test is performed on the DRBG and the hardware
NDRNG entropy source.
o The Cryptographic Module performs a key comparison test on XTS-AES Key1 and XTS-
AES Key2 that satisfies IG A.9 XTS-AES Key Generation Requirements.
o Firmware Download Check, RSA 2048 PSS (Cert#1220), SHA-256 (Cert#2037)
 An operator can command the Cryptographic Module to perform the power-up self-test by power
cycling the device.
 If a power-up self-tests fails, the drive will report a UEC that shows which test failed. After
reporting the failure data, the drive will transition to a soft error state.
 Power-up self-tests do not require operator action.
 Data output is inhibited during key generation, self-tests, zeroization, and error states.
 Status information does not contain CSPs or sensitive data that if misused, could compromise the
Cryptographic Module.
 There are no restrictions on which plaintext keys or CSPs the zeroization service deletes.
 The Cryptographic Module does not support a maintenance interface or maintenance role.
 The Cryptographic Module does not support manual key entry.
 The Cryptographic Module does not have any external input/output devices used for entry/output
of data.
 The Cryptographic Module does not output plaintext CSPs.
 The Cryptographic Module does not output intermediate key values.
 The Cryptographic Module does not support concurrent operators.
 The End Session service deletes the current operator authentication. The Cryptographic Module
requires operators to re-authenticate upon execution of the End Session service.
 The Crypto Officer shall assure that all host issued User PINs are 32-bytes in length.
 The host shall authenticate to LBA Bands after a power cycle.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 15 of 21
7.2 Initialization Rules
The Cryptographic Officer shall follow the instructions in the Delivery & Operation (Cryptographic
Officer) Manual for acceptance and end of life procedures. Acceptance instructions include:
 Establish authentication data for the TCG Authorities by replacing the MSID (default PIN values).
 Establish the LBA Bands, which causes the Cryptographic Module to generate Media Encryption
Keys
 Disable Maker Authority
 Lock the Firmware Download service control
7.3 Zeroization Rules
Zeroization is performed by the Cryptographic Officer with the TCG Revert Method. Revert includes
zeroization of all Critical Security Parameters.
8 Physical Security Policy
8.1 Mechanisms
The Cryptographic Module does not make claims in the Physical Security area beyond FIPS 140-2 Security
Level 2:
 All components are production-grade materials with standard passivation.
 The enclosure is opaque.
 Engineering design supports opacity requirements.
 Tamper-evident security labels are applied by HGST during manufacturing.
 The tamper-evident security labels cannot be penetrated or removed and reapplied without
evidence of tampering.
The tamper evident security labels cannot be easily replicated.
Figure 2: Large Tamper-Evident Label Hardware
Version (2)
Figure 3: Smaller Tamper-Evident Label
Hardware Version (2)
1 2
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 16 of 21
8.2 Operator Responsibility
The Cryptographic Officer and/or User shall inspect the Cryptographic Module enclosure for evidence of
tampering a minimum of once a year. If the inspection reveals evidence of tampering, the Cryptographic
Officer should return the module to HGST, a Western Digital company.
Figure 4: Tamper Evidence on Large Tamper Label Figure 5: Tamper Evidence on Metal Surface
9 Mitigation of Other Attacks Policy
The Cryptographic Module is not designed to mitigate any attacks beyond FIPS 140-2 Security Level 2
requirements.
10 Definitions
 Allowed: NIST approved, i.e., recommended in a NIST Special Publication, or acceptable, i.e., no
known security risk as opposed to deprecated, restricted and legacy-use. [SP800-131A] for terms
 Anybody: A formal TCG term for a role that is not authenticated. [TCG Core]
 Approved: [FIPS140] approved or recommended in a NIST Special Publication.
 Approved mode of operation: A mode of the cryptographic module that employs only Approved
security functions. [FIPS140]
 Authenticate: Prove the identity of an Operator or the integrity of an object.
 Authorize: Grant an authenticated Operator access to a service or an object.
 Confidentiality: A cryptographic property that sensitive information is not disclosed to unauthorized
parties.
 Credential: A formal TCG term for data that is used to authenticate an Operator. [TCG Core]
 Critical Security Parameter (CSP): Security-related information (e.g., secret and private
cryptographic keys, and authentication data such as credentials and PINs) whose disclosure or
modification can compromise the security of a cryptographic module. [FIPS140]
 Cryptographic Boundary: An explicitly defined continuous perimeter that establishes the physical
bounds of a cryptographic module and contains all the hardware, software, and/or firmware
components of a cryptographic module. [FIPS140]
 Cryptographic key (Key): An input parameter to an Approved cryptographic algorithm
 Cryptographic Module: The set of hardware, software, and/or firmware that an implement
Approved security functions and is contained within the cryptographic boundary. [FIPS140]
 Cryptographic Officer: An Operator performing cryptographic initialization and management
functions. [FIPS140]
 Ciphertext: Encrypted data transformed by an Approved security function.
 Data at Rest: User data residing on the storage device media where the storage device is powered off.
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 17 of 21
 Discovery: A TCG method that provides the properties of the TCG device. [TCG Enterprise]
 Integrity: A cryptographic property that sensitive data has not been modified or deleted in an
unauthorized and undetected manner.
 Interface: A logical entry or exit point of a cryptographic module that provides access to the
cryptographic module for logical information flows. [FIPS140]
 Key Derivation Function (KDF): An Approved cryptographic algorithm by which one or more keys
are derived from a shared secret and other information.
 Key Encrypting Key (KEK): A cryptographic key that is used to encrypt or decrypt other keys.
 Key management: The activities involving the handling of cryptographic keys and other related
security parameters (e.g., authentication data) during the entire life cycle of the Cryptographic Module.
 Key Wrap: An Approved cryptographic algorithm that uses a KEK to provide Confidentiality and
Integrity.
 LBA Band: A formal [TCG Core] term that defines a contiguous logical block range (sequential
LBAs) to store encrypted User Data; bands do not overlap and each has its own unique encryption
key and other settable properties.
 Method: A TCG command or message. [TCG Core]
 Manufactured SID (MSID): A unique, default value that vendors assign to each SED during
manufacturing; it is typically printed on an external label and is readable with the TCG protocol; it is
the initial and default value for all TCG credentials. [TCG Core]
 Operator: A consumer, either human or automation, of cryptographic services that is external to the
Cryptographic Module. [FIPS140]
 Personal Identification Number (PIN): A formal TCG term designating a string of octets that is
used to authenticate an identity. [TCG Core]
 Plaintext: Data that is not encrypted.
 Port: A physical entry or exit point of a cryptographic module that provides access to the
Cryptographic Module for physical signals. [FIPS140]
 Public Security Parameters (PSP): Public information whose modification can compromise the
security of the cryptographic module (e.g., a public key of a key pair).
 Read Data: An external request to transfer User Data from the SED. [SCSI Block]
 Reserved Area: Private data on the Storage Medium that is not accessible outside the Cryptographic
Boundary.
 Session: A formal TCG term that envelops the lifetime of an Operator’s authentication. [TCG Core]
 Security Identifier (SID): A TCG authority used by the Cryptographic Officer. [TCG Core]
 Self-Encrypting Drive (SED): A storage device that provides data storage services.
 Storage Medium: The non-volatile, persistent storage location of a SED; it is partitioned into two
disjoint sets, a User Data area and a Reserved Area.
 User: An Operator that consumes cryptographic services. [FIPS140]
 User Data: Data that is transferred from/to a SED using the Read Data and Write Data commands.
[SCSI Block]
 Write Data: An external request to transfer User Data to a SED. [SCSI Block]
 Zeroize: Invalidate a Critical Security Parameter. [FIPS140]
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 18 of 21
11 Acronyms
 CO: Cryptographic Office [FIPS140]
 CSP: Critical Security Parameter [FIPS140]
 DRBG: Deterministic Random Bit Generator
 DRAM: Dynamic Random Access Memory
 HDD: Hard Disk Drive
 EMI: Electromagnetic Interference
 FIPS: Federal Information Processing Standard
 KAT: Known Answer Test
 LBA: Logical Block Address
 MEK: Media Encryption Key
 MSID (Manufactured Security Identifier): a public, drive-unique value that is created during
manufacturing and is used as default PIN credential values
 NDRNG: Non-deterministic Random Number Generator that is the source of entropy for the
DRBG
 NIST: National Institute of Standards and Technology
 PIN: Personal Identification Number
 PSID (Physical Security Identifier): a SED unique value that is printed on the Cryptographic
Module’s label and is used as authentication data and proof of physical presence for the Zeroize
service
 PSP: Public Security Parameter
 SAS: Serial Attached SCSI
 SCSI: Small Computer System Interface
 SED: Self encrypting Drive
 SID: TCG Security Identifier, the authority representing the Cryptographic Module owner
 TCG: Trusted Computing Group
 UEC: Universal Error Code
 XTS: A mode of AES
12 References
12.1NIST Specifications
 [AES] Advanced Encryption Standard, FIPS PUB 197, NIST, 2001, November
 [DSS] Digital Signature Standard, FIPS PUB 186-4, NIST, 2013 July
 [FIPS140] Security Requirements for Cryptographic Modules, FIPS PUB 140-2, NIST, 2002
December
 [HMAC] The Keyed-Hash Message Authentication Code, FIPS PUB 198-1, 2008 July
 [SHA] Secure Hash Standard (SHS), FIPS PUB 180-4, NIST, 2015 August
 [SP800-38E] Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for
Confidentiality on Storage Devices, SP800-38E, NIST, 2010 January
 [SP800-38F] Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping,
NIST, 2012 December
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 19 of 21
 [SP800-57] Recommendation for Key Management – Part I General (Revision 4), NIST, 2016 January
 [SP800-90A] Recommendation for Random Number Generation Using Deterministic Random Bit
Generators, NIST, 2015 June
 [SP800-131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms
and Key Lengths (Revision 1), NIST, 2015 November
 [SP800-132] Recommendation for Password-Based Key Derivation, NIST, 2010 December
12.2Trusted Computing Group Specifications
 [TCG Core] TCG Storage Architecture Core Specification, Version 2.0 Revision 1.0 (April 20, 2009)
 [Enterprise] TCG Storage Security Subsystem Class: Enterprise Specification, Version 1.00 Revision 3.00
(January 10, 2011)
 [TCG App Note] TCG Storage Application Note: Encrypting Storage Devices Compliant with SSC: Enterprise,
Version 1.00 Revision 1.00 Final
 [TCG Opal] TCG Storage Security Subsystem Class: Opal Specification, Version 2.00 Final Revision 1.00
(February 24, 2012)
12.3HGST Documents
 [Product Specification] HGST Ultrastar C15K600 Hard Disk Drive Specification, version 1.6 (July 27,
2016), http://www.hgst.com/products/hard-drives/ultrastar-c15k600
 [D&O] Delivery & Operation (Cryptographic Officer) Manual, version 0.6 (Nov, 31 2014)
12.4International Committee on Information Technology Standards T10 Technical
Committee Standards
 [SCSI Core] SCSI Primary Commands-4 Rev 15 (SPC-4)
 [SCSI Block] SCSI Block Commands Rev15 (SBC-3)
 [SAS] Serial Attached SCSI-2 Rev 13 (SAS-2)
Description Code
FORMAT UNIT 04h
INQUIRY 12h
LOG SELECT 4Ch
LOG SENSE 4Dh
MODE SELECT 15h
MODE SELECT 55h
MODE SENSE 1Ah
MODE SENSE 5Ah
PERSISTENT RESERVE IN 5Eh
PERSISTENT RESERVE OUT 5Fh
PRE-FETCH (16) 90h
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 20 of 21
Description Code
PRE-FETCH (10) 34h
READ (6) 08h
READ (10) 28h
READ (12) A8h
READ (16) 88h
READ (32) 7Fh/09h
READ BUFFER 3Ch
READ CAPACITY (10) 25h
READ CAPACITY (16) 9Eh/10h
READ DEFECT DATA 37h
READ DEFECT DATA B7h
READ LONG (16) 9Eh/11h
READ LONG 3Eh
REASSIGN BLOCKS 07h
RECEIVE DIAGNOSTICS RESULTS 1Ch
RELEASE 17h
RELEASE 57h
REPORT DEVICE IDENTIFIER A3h/05h
REPORT LUNS A0h
REPORT SUPPORTED OPERATION CODES A3h/0Ch
REPORT SUPPORTED TASK MANAGEMENT
FUNCTIONS
A3h/0Dh
REQUEST SENSE 03h
RESERVE 16h
RESERVE 56h
REZERO UNIT 01h
SANITIZE 48h
SEEK (6) 0Bh
SEEK (10) 2Bh
SEND DIAGNOSTIC 1Dh
SET DEVICE IDENTIFIER A4h/06h
HGST Ultrastar C15K600 TCG Enterprise HDD
FIPS 140- 2 Security Policy Page 21 of 21
Description Code
START STOP UNIT 1Bh
SYNCHRONIZE CACHE (10) 35h
SYNCHRONIZE CACHE (16) 91h
TEST UNIT READY 00h
UNMAP 42h
VERIFY (10) 2Fh
VERIFY (12) AFh
VERIFY (16) 8Fh
VERIFY (32) 7Fh/0Ah
WRITE (6) 0Ah
WRITE (10) 2Ah
WRITE (12) AAh
WRITE (16) 8Ah
WRITE (32) 7Fh/0Bh
WRITE AND VERIFY (10) 2Eh
WRITE AND VERIFY (12) AEh
WRITE AND VERIFY (16) 8Eh
WRITE AND VERIFY (32) 7Fh/0Ch
WRITE BUFFER 3Bh
WRITE LONG (10) 3Fh
WRITE LONG (16) 9Fh/11h
WRITE SAME (10) 41h
WRITE SAME (16) 93h
WRITE SAME (32) 7Fh/0Dh
Table 12 - SCSI Commands