IDPrime 3930 FIDO
FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy
Level 2

Ref: R1R29508_IDPrime3930-FIDO_001_SP_L2 Rev: 1.2 23/11/2021
© Copyright Thales 2021. May be reproduced only in its entirety [without revision].

Table of Contents

References
Acronyms and definitions
1 Introduction
1.1 IDPrime Applet
1.2 FIDO Applet
2 Cryptographic Module Ports and Interfaces
2.1 Hardware and Physical Cryptographic Boundary
2.1.1 PIN Assignments and Contact Dimensions
3 Cryptographic Module Specification
3.1 Firmware and Logical Cryptographic Boundary
3.2 Versions and mode of operation
3.3 Cryptographic Functionality
4 Module Critical Security Parameters
4.1 Platform Critical Security Parameters
4.2 IDPrime Applet Critical Security Parameters
4.3 FIDO Applet Critical Security Parameters
4.4 IDPrime Applet Public Keys
4.5 FIDO Applet Public Keys
5 Roles, Authentication and Services
5.1 Secure Channel Protocol (SCP) Authentication (CO)
5.2 IDPrime User Authentication (IUSR)
5.3 IDPrime Card Application Administrator Authentication (ICAA)
5.4 IDPrime Init Key Authentication (Initialization Officer Role)
5.5 FIDO User Authentication (FUSR)
5.6 Platform Services
5.7 IDPRIME Services
5.8 FIDO Services
6 Finite State Model
7 Physical Security Policy
8 Operational Environment
9 Electromagnetic Interference and Compatibility (EMI/EMC)
10 Self-test
10.1 Power-on Self-test
10.2 Conditional Self-tests
10.3 Reducing the number of Known Answer Tests
11 Design Assurance
11.1 Configuration Management
11.2 Delivery and Operation
11.3 Guidance Documents
11.4 Language Level
12 Mitigation of Other Attacks Policy
13 Security Rules and Guidance

Table of Tables

Table 1 – References
Table 2 – Acronyms and Definitions
Table 3 – Security Level of Security Requirements
Table 4 – World Combi RLT Module - Physical Ports and Corresponding Logical Interfaces
Table 5 – DFN8 Contact Module - Physical Ports and Corresponding Logical Interfaces
Table 6 - Voltage and Frequency Ranges
Table 7 – Contactless voltage and Frequency Ranges
Table 8 – Tags for tracking data (Approved Mode)
Table 9 – Card Production Life Cycle data
Table 10 – Versions and Mode of Operations Indicators
Table 11 – IDPrime Applet Version and Software Version input data
Table 12 – IDPrime Applet Version returned value
Table 13 – IDPrime Software Version returned Values
Table 14 – FIDO Applet Version
Table 15 – FIDO Applet Version returned value
Table 16 – List of the algorithms/modes utilized by the module
Table 17 – Non-FIPS Approved But Allowed Cryptographic Functions
Table 18 - Platform Critical Security Parameters
Table 19 – IDPrime Applet Critical Security Parameters
Table 20 – FIDO Applet Critical Security Parameters
Table 21 – IDPrime Applet Public Keys
Table 22 – FIDO Applet Public Keys
Table 23 - Role Description
Table 24 - Unauthenticated Services
Table 25 – Authenticated Card Manager Services
Table 26 – Platform CSP Access by Service
Table 27 – IDPrime Applet Services and CSP Usage
Table 28 – MSPNP applet Services
Table 29 – IDPrime CSP Access by Service
Table 30 – FIDO applet Services
Table 31 – FIDO CSP Access by Service
Table 32 – Power-On Self-Test

Table of Figures

Figure 1 – Physical form and Cryptographic Boundary
Figure 2 - Module Block Diagram

References

| Acronym | Full Specification Name |
| --- | --- |
| [FIPS140-2] | NIST, Security Requirements for Cryptographic Modules, May 25, 2001 |
| [GlobalPlatform] | GlobalPlatform Consortium: GlobalPlatform Card Specification 2.2.1, January 2011, http://www.globalplatform.org |
| [ISO 7816] | ISO/IEC 7816-1:1998 Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics; ISO/IEC 7816-2:2007 Identification cards -- Integrated circuit cards -- Part 2: Cards with contacts -- Dimensions and location of the contacts; ISO/IEC 7816-3:2006 Identification cards -- Integrated circuit cards -- Part 3: Cards with contacts -- Electrical interface and transmission protocols; ISO/IEC 7816-4:2005 Identification cards -- Integrated circuit cards -- Part 4: Organization, security and commands for interchange |
| [ISO 14443] | Identification cards – Contactless integrated circuit cards – Proximity cards: ISO/IEC 14443-1:2008 Part 1: Physical characteristics; ISO/IEC 14443-2:2010 Part 2: Radio frequency power and signal interface; ISO/IEC 14443-3:2011 Part 3: Initialization and anticollision; ISO/IEC 14443-4:2008 Part 4: Transmission protocol |
| [JavaCard] | Java Card 3.0.5 Runtime Environment (JCRE) Specification; Java Card 3.0.5 Virtual Machine (JCVM) Specification; Java Card 3.0.5 Application Programming Interface. Published by Sun Microsystems, October 2015. |
| [SP800-131A] | NIST Special Publication 800-131A revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019 |
| [SP 800-133] | NIST Special Publication 800-133, revision 2, Recommendation for Cryptographic Key Generation, June 2020 |
| [SP 800-38B] | NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication, May 2005 |
| [SP 800-90A] | NIST Special Publication 800-90A revision 1, Recommendation for the Random Number Generation Using Deterministic Random Bit Generators (Revised), June 2015 |
| [SP 800-67] | NIST Special Publication 800-67 revision 2, Recommendation for the Triple Data Encryption Algorithm (Triple-DES) Block Cipher, November 2017 |
| [FIPS113] | NIST, Computer Data Authentication, FIPS Publication 113, 30 May 1985 |
| [FIPS 197] | NIST, Advanced Encryption Standard (AES), FIPS Publication 197, November 26, 2001 |
| [PKCS#1] | PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002 |
| [FIPS 186-4] | NIST, Digital Signature Standard (DSS), FIPS Publication 186-4, July, 2013 |
| [SP 800-56A] | NIST Special Publication 800-56A revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018 |
| [SP 800-56B] | NIST Special Publication 800-56B revision 2, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography, March 2019 |
| [FIPS 180-4] | NIST, Secure Hash Standard, FIPS Publication 180-4, August 2015 |
| [SP 800-38F] | NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012 |
| [IG] | NIST, Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, last updated Nov 5, 2021 |
| [MD] | Microsoft, MD – Smart Card Mini Driver v7.07, April 20th, 2017 |
| [CTAP] | FIDO Alliance, CTAP – Client to Authenticator Protocol (CTAP), January 30th, 2019 |
| [U2F] | FIDO Alliance, U2F – Universal 2nd Factor, July 11th, 2017 |

Table 1 – References

Acronyms and definitions

| Acronym | Definition |
| --- | --- |
| GP | Global Platform |
| CVC | Card Verifiable Certificate |
| CTAP | Client To Authenticator Protocol |
| U2F | Universal 2nd Factor |

Table 2 – Acronyms and Definitions

1 Introduction

This document defines the Security Policy for the Thales IDCore3130 platform and the IDPrime3930 (v4.5) with FIDO2 (v2.0) applets, IDPrime 3930 FIDO (contact and contactless), herein denoted as Cryptographic Module, Module, or CM.

The Cryptographic Module or CM, validated to FIPS 140-2 overall Level 2, is a “contact and contactless” secure controller module implementing the Global Platform operational environment, with Card Manager, the IDPrime applet (associated with MSPNP applet V1.2) and FIDO applet.

The Module is a limited operational environment under the FIPS 140-2 definitions. The Module includes a firmware load function to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-2 validation.
The FIPS 140-2 security levels for the Module are as follows:

| Security Requirement | Security Level |
| --- | --- |
| Cryptographic Module Specification | 2 |
| Cryptographic Module Ports and Interfaces | 2 |
| Roles, Services, and Authentication | 3 |
| Finite State Model | 2 |
| Physical Security | 3 |
| Operational Environment | N/A |
| Cryptographic Key Management | 2 |
| EMI/EMC | 3 |
| Self-Tests | 2 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | 2 |

Table 3 – Security Level of Security Requirements

The CM implementation is compliant with:
- [ISO 7816] Parts 1-4
- [JavaCard]
- [GlobalPlatform]
- [MD]
- [CTAP]
- [U2F]

1.1 IDPrime Applet

IDPrime Applet (V4.5) is a Java applet that provides all the necessary functions to integrate a smart card in a public key infrastructure (PKI) system, suitable for identity and corporate security applications. It is also useful for storing information about the cardholder and any sensitive data. IDPrime Applet implements state-of-the-art security and conforms to the latest standards for smart cards and PKI applications. It is also fully compliant with digital signature law.

The IDPrime Applet is designed for use on JavaCard 3.0.5 and Global Platform 2.2.1 compliant smart cards.

The main features of IDPrime Applet are as follows:
- Digital signatures: these are used to ensure the integrity and authenticity of a message (RSA, ECDSA).
- Storage of sensitive data based on security attributes.
- PIN management.
- Secure messaging based on the AES algorithms.
- Public key cryptography, allowing for RSA keys and ECDSA keys.
- Storage of digital certificates: these are issued by a trusted body known as a certification authority (CA) and are typically used in PKI authentication schemes.
- CVC verification.
- Decryption: RSA, ECDH.
- On board key generation (RSA, ECDSA).
- Mutual authentication between IDPrime Applet and the terminal (ECDH).
- Support of integrity on data to be signed.
- Secure Key Injection according to Microsoft scheme.
- Touch Sense feature (not available on smart card, only on Token).
- PIN Single Sign On (PIN SSO).
- Reinit feature.
- Extended APDU support.

MSPNP applet is associated with IDPrime applet and offers:
- GUID tag reading, defined in Microsoft Mini Driver specification.

1.2 FIDO Applet

FIDO Applet (V2.0) is a Java applet that provides all the necessary functions for an authenticator device, suitable for identity and corporate security applications. FIDO Applet implements state-of-the-art security and conforms to the latest standards for smart cards and FIDO Certification (Level 1).

The FIDO Applet is designed for use on JavaCard 3.0.5 and Global Platform 2.2.1 compliant smart cards.

The main features of FIDO Applet are as follows:
- Multi-factor authenticator.
- Digital signatures, used to ensure integrity and authenticity of sensitive data (ECDSA).
- PIN & Key Handle management.
- Session Keys based on the AES algorithm.
- Public key cryptography, allowing for ECDSA keys.
- Storage of digital certificates (Attestation Certificate).
- On board key generation (ECDH).
- Test of User Presence and verification.
- Cloning Detection.
- Extended APDU support.
2 Cryptographic Module Ports and Interfaces

2.1 Hardware and Physical Cryptographic Boundary

The Module is designed to be embedded into a plastic card body, passport, USB key, secure element etc., with a contact plate connection and/or RF antenna. The physical form of the Module is depicted in Figure 1 (to scale). The cryptographic boundary is defined as the surfaces and edges of the packages as shown in Table 4 and Figure 1. The Module relies on [ISO 7816] and/or [ISO 14443] card readers as input/output devices.

[Figure 1 – Physical form and Cryptographic Boundary. Panels: WORLD Combi RLT module (SLE78CLFX400VPH - A1714221), oblong punching: Top View – Combi Plate, Bottom View – Black Epoxy with RLT technology. SMDR DFN8 - MFF module (SLE78CLFX400VPH - A1633310): Top View – DFN8 Plate, Bottom View – DFN8 Plate.]

2.1.1 PIN Assignments and Contact Dimensions

WORLD Combi RLT module has access to contact and contactless interfaces.

| Contact No. | Description | Logical interface type |
| --- | --- | --- |
| VCC | Supply voltage | Power |
| RST | Reset signal | Control in |
| CLK | Clock signal | Control in |
| GND | Ground | Power |
| I/O | Input/output | Data in, data out, control in, status out |
| LA | Antenna coil connection | Power, Data in, Data out, Control in, Status out |
| LB | Antenna coil connection | Power, Data in, Data out, Control in, Status out |

Table 4 – World Combi RLT Module - Physical Ports and Corresponding Logical Interfaces

SMDR DFN8 module has only access to contact interfaces.

| Contact No. | Description | Logical interface type |
| --- | --- | --- |
| VCC | Supply voltage | Power |
| RST | Reset signal | Control in |
| CLK | Clock signal | Control in |
| GND | Ground | Power |
| I/O | Input/output | Data in, data out, control in, status out |

Table 5 – DFN8 Contact Module - Physical Ports and Corresponding Logical Interfaces

For contact interface operation, the Module conforms to [ISO 7816] part 1 and part 2. The electrical signals and transmission protocols follow the [ISO 7816] part 3. The conditions of use are the following:

| Conditions | Range |
| --- | --- |
| Voltage | 1.8 V, 3 V and 5.5 V |
| Frequency | 1 MHz to 10 MHz |

Table 6 - Voltage and Frequency Ranges

For contactless interface operation, the Module conforms to [ISO 14443] part 1 for physical connections, and to [ISO 14443] parts 2, 3 and 4 for radio frequencies and transmission protocols. The conditions of use are the following:

| Conditions | Range |
| --- | --- |
| Supported bit rate | 106 Kbits/s, 212 Kbits/s, 424 Kbits/s, 848 Kbits/s |
| Operating field | Between 1.5 A/m and 7.5 A/m rms |
| Frequency | 13.56 MHz ± 7 kHz |

Table 7 – Contactless voltage and Frequency Ranges

3 Cryptographic Module Specification

3.1 Firmware and Logical Cryptographic Boundary

Figure 2 below depicts the Module operational environment and applets.
[Figure 2 - Module Block Diagram. Layers shown: IC Layer (hardware: CPU (SLE78), MMU, RAM, FLASH, EEPROM, Timers, Sensors, Power Mgmt, Clock Mgmt, Reset Mgmt, HW RNG, RSA / ECC Engine, DES Engine, AES Engine, CRC, ISO 7816 (UART), ISO 14443 (RF); pins CLK, VCC, GND, RST, LA, LB); IDCore 3130 Javacard platform layer (Native / Hardware Abstraction layer, Memory Manager, Communication (I/O), Crypto Libraries, Virtual Machine, JC 3.0.5 Runtime Environment, JC 3.0.5 API, JavaCard 3.0.5 / Gemalto Proprietary, Card Manager, GP API 2.2.1); Applet Layer (IDPrime3930, MsPnP, FIDO).]

The CM supports [ISO7816] T=0 and T=1, and also [ISO14443] T=CL communication protocols.

The CM provides services to both external devices and internal applets such as IDPrime, MsPnP and FIDO.

Applets, such as IDPrime and FIDO, access module functionalities via internal API entry points that are not exposed to external entities. External devices have access to CM services by sending APDU commands.

The CM provides an execution sandbox for the IDPrime and FIDO applets and performs the requested services according to its roles and services security policy.

The CM inhibits all data output via the data output interface while the module is in error state and during self-tests.

The JavaCard API is an internal interface, available to applets.
Only applet services are available at the card edge (the interfaces that cross the cryptographic boundary).

The Javacard Runtime Environment implements the dispatcher, registry, loader, logical channel and RMI functionalities.

The Virtual Machine implements the byte code interpreter, firewall, exception management and byte code optimizer functionalities.

The Card Manager is the card administration entity, allowing authorized users to manage the card content, keys, and life cycle states.

The Memory Manager implements services such as memory access, allocation, deletion, garbage collector.

The Communication handler deals with the implementation of ATR/ATS, PSS, T=0, T=1 and T=CL protocols.

The Cryptography Libraries implement the algorithms listed in Table 16 – List of the algorithms/modes utilized by the module.

3.2 Versions and mode of operation

Hardware: SLE78CLFX400VPH (A1714221), SLE78CLFX400VPH (A1633310)

Firmware: IDCore3130 - Build12G, IDPrime 3930 Applet V4.5.0F, MSPNP Applet V1.2, FIDO V2.0.4B Applet.

The CM is always in the approved mode of operation. To verify that a CM is in the approved mode of operation, select the Card Manager and send the GET DATA commands shown below:

| Field | CLA | INS | P1-P2 (Tag) | Le (Expected response length) | Purpose |
| --- | --- | --- | --- | --- | --- |
| Value | 00 | CA | 9F-7F | 2A | Get CPLC data |
| Value | 00 | CA | 01-03 | 1D | Identification information (proprietary tag) |

Table 8 – Tags for tracking data (Approved Mode)
The CM responds with the following information:

IDPrime 3930 FIDO - CPLC data (tag 9F7F)

| Byte | Description | Value | Value meaning |
| --- | --- | --- | --- |
| 1-2 | IC fabricator | 4090h | Infineon |
| 3-4 | IC type | 7861 | SLE78CLFX400VPH |
| 5-6 | Operating system identifier | 1291 | Thales |
| 7-8 | Operating system release date (YDDD) – Y=Year, DDD=Day in the year | 7334 | Operating System release Date |
| 9-10 | Operating system release level | 0100h | V1.0 |
| 11-12 | IC fabrication date | xxxxh | Filled in during IC manufacturing |
| 13-16 | IC serial number | xxxxxxxxh | Filled in during IC manufacturing |
| 17-18 | IC batch identifier | xxxxh | Filled in during IC manufacturing |
| 19-20 | IC module fabricator | xxxxh | Filled in during module manufacturing |
| 21-22 | IC module packaging date | xxxxh | Filled in during module manufacturing |
| 23-24 | ICC manufacturer | xxxxh | Filled in during module embedding |
| 25-26 | IC embedding date | xxxxh | Filled in during module embedding |
| 27-28 | IC pre-personalizer | xxxxh | Filled in during smartcard preperso |
| 29-30 | IC pre-personalization date | xxxxh | Filled in during smartcard preperso |
| 31-34 | IC pre-personalization equipment identifier | xxxxxxxxh | Filled in during smartcard preperso |
| 35-36 | IC personalizer | xxxxh | Filled in during smartcard personalization |
| 37-38 | IC personalization date | xxxxh | Filled in during smartcard personalization |
| 39-42 | IC personalization equipment identifier | xxxxxxxxh | Filled in during smartcard personalization |

Table 9 – Card Production Life Cycle data
IDPrime 3930 FIDO - Identification data (tag 0103)

| Byte | Description | Value | Value meaning |
| --- | --- | --- | --- |
| 1 | Thales Family Name | B0 | Javacard |
| 2 | Thales OS Name | 84 | IDCore family |
| 3 | Thales Mask Number | 65 | G286 |
| 4 | Thales Product Name | 66 | IDCore3130 for IDPrime 3930 FIDO |
| 5 | Thales Flow Version | XX | XX is the version of the flow: 01h for flow version 01 |
| 6 | Thales Filter Set | 00 | Major nibble: filter family = 00h; lower nibble: version of the filter = 00h |
| 7-8 | Chip Manufacturer | 4090 | Infineon |
| 9-10 | Chip Version | 7861 | SLE78CLFX400VPH |
| 11-12 | FIPS configuration | 8F00 | See the bit definitions listed after the table |
| 13 | FIPS Level for IDPrime product | 02 | 02 = FIPS Level 2 |
| 14-15 | Specific chip ID | 31 30 | 31 30 = Combi (IDPrime 3930 FIDO product) |
| 16-29 | RFU | xx..xxh | - |

Table 10 – Versions and Mode of Operations Indicators

FIPS configuration (bytes 11-12), value meaning:

MSByte:
- b8: 1 = conformity to FIPS certificate
- b7: 0 = not applicable
- b6: 0 = not applicable
- b5: 0 = not applicable
- b4: 1 = ECC supported
- b3: 1 = RSA CRT supported
- b2: 1 = RSA STD supported
- b1: 1 = AES supported

LSByte:
- b8 .. b5: 0 = not applicable
- b4: 0 = not applicable (ECC in contactless)
- b3: 0 = not applicable (RSA CRT in contactless)
- b2: 0 = not applicable (RSA STD in contactless)
- b1: 0 = not applicable (AES in contactless)

For instance:
- 8F 00 = FIPS enable (CT only) – AES-RSA CRT/STD-ECC (Full FIPS)
- 8D 00 = FIPS enable (CT only) – AES-RSA CRT-ECC (FIPS PK CRT) *
- 85 00 = FIPS enable (CT only) – AES-RSA CRT (FIPS RSA CRT)
- 00 00 = FIPS disable (CT only) – No FIPS mode (No FIPS)

(* default configuration)
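One way to automate the approved-mode check described above, as an added example that is not part of the Thales policy: it builds the two GET DATA commands from Table 8 and compares response bytes with the fixed values in Tables 9 and 10, decoding the FIPS configuration bits. It assumes each response is the raw data field of length Le followed by status word 90 00; the function names and the zero-filled sample responses are constructed for illustration.

```python
"""Check the identification data an IDPrime 3930 FIDO module returns to GET DATA."""

# GET DATA command APDUs from Table 8: CLA INS P1 P2 Le.
GET_CPLC = bytes.fromhex("00CA9F7F2A")    # tag 9F7F, 42 data bytes expected
GET_IDENT = bytes.fromhex("00CA01031D")   # tag 0103, 29 data bytes expected

# Fixed fields as {name: (0-based offset, expected hex)}, taken from the
# Value columns of Table 9 (CPLC) and Table 10 (identification data).
CPLC_FIXED = {
    "ic_fabricator": (0, "4090"),
    "ic_type": (2, "7861"),
    "os_identifier": (4, "1291"),
    "os_release_date": (6, "7334"),
    "os_release_level": (8, "0100"),
}
IDENT_FIXED = {
    "family_name": (0, "B0"),
    "os_name": (1, "84"),
    "mask_number": (2, "65"),
    "product_name": (3, "66"),
    "filter_set": (5, "00"),
    "chip_manufacturer": (6, "4090"),
    "chip_version": (8, "7861"),
    "fips_level": (12, "02"),
    "specific_chip_id": (13, "3130"),
}

# MSByte of the FIPS configuration field (bytes 11-12); b1 is the low bit.
FIPS_CONFORMITY_BIT = 0x80  # b8
ALGORITHM_BITS = {0x01: "AES", 0x02: "RSA STD", 0x04: "RSA CRT", 0x08: "ECC"}


class ResponseError(ValueError):
    """Raised when a response APDU is malformed or reports an error."""


def response_data(response: bytes, command: bytes) -> bytes:
    """Return the data field, requiring SW 9000 and the Le the command asked for.

    Assumption: the card returns exactly Le raw bytes with no TLV wrapper.
    """
    if len(response) < 2:
        raise ResponseError("response shorter than a status word")
    data, status = response[:-2], response[-2:]
    if status != b"\x90\x00":
        raise ResponseError(f"status word {status.hex().upper()}")
    if len(data) != command[-1]:
        raise ResponseError(f"expected {command[-1]} data bytes, got {len(data)}")
    return data


def mismatches(data: bytes, fixed: dict) -> list:
    """Names of fixed fields whose bytes differ from the policy's values."""
    bad = []
    for name, (offset, hex_value) in fixed.items():
        want = bytes.fromhex(hex_value)
        if data[offset:offset + len(want)] != want:
            bad.append(name)
    return bad


def decode_fips_config(ident: bytes) -> dict:
    """Decode bytes 11-12 of the identification data into named flags."""
    msb, lsb = ident[10], ident[11]
    return {
        "raw": f"{msb:02X} {lsb:02X}",
        "fips_conformity": bool(msb & FIPS_CONFORMITY_BIT),
        "algorithms": [n for bit, n in ALGORITHM_BITS.items() if msb & bit],
    }


def verify_module(cplc_response: bytes, ident_response: bytes) -> dict:
    """Compare both GET DATA responses with the values the policy lists."""
    cplc = response_data(cplc_response, GET_CPLC)
    ident = response_data(ident_response, GET_IDENT)
    problems = [f"cplc.{n}" for n in mismatches(cplc, CPLC_FIXED)]
    problems += [f"ident.{n}" for n in mismatches(ident, IDENT_FIXED)]
    fips = decode_fips_config(ident)
    if not fips["fips_conformity"]:
        problems.append("ident.fips_conformity_bit")
    return {"ok": not problems, "problems": problems,
            "flow_version": ident[4], "fips": fips}


def sample_responses(fips_config: str = "8F00") -> tuple:
    """Constructed responses: policy values, zero-filled manufacturing fields."""
    cplc = bytes.fromhex("40907861129173340100") + bytes(32)
    ident = bytes.fromhex("B08465660100" + "4090" + "7861" + fips_config
                          + "02" + "3130") + bytes(14)
    return cplc + b"\x90\x00", ident + b"\x90\x00"


if __name__ == "__main__":
    print(verify_module(*sample_responses()))
```
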
The IDPrime 3930 is identified with an applet version and a software version as follows:

| Field | CLA | INS | P1-P2 (Tag) | Le (Expected response length) | Purpose |
| --- | --- | --- | --- | --- | --- |
| Value | 00 | CA | DF-30 | 07 | Get Applet Version |
| Value | 00 | CA | 7F-30 | 19 | Get Software Version |

Table 11 – IDPrime Applet Version and Software Version input data

The Applet version is returned without any TLV format as follows:

IDPrime 3930 – Applet Version Data (tag DF30)

| Value | Value Meaning |
| --- | --- |
| 34 2E 35 2E 30 2E 46 | Applet Version, display value = ‘4.5.0.F’ |

Table 12 – IDPrime Applet Version returned value

The Software Version is returned in TLV format as follows:

IDPrime 3930 – Software Version Data (tag 7F30)

| Tag | Length |
| --- | --- |
| 7F30 | 17 |

| Tag | Length | Value | Value meaning |
| --- | --- | --- | --- |
| C0 | 0E | 34 2E 35 2E 30 2E 46 | Software Version, display value = ‘4.5.0.F’ |
| C1 | 07 | 49 41 53 20 43 6C 61 73 73 69 63 20 76 34 | Applet Label, display value = ‘IAS Classic v4’ |

Table 13 – IDPrime Software Version returned Values

The FIDO is identified with an applet version as follows:

| Field | CLA | INS | P1-P2 (Tag) | Le (Expected response length) | Purpose |
| --- | --- | --- | --- | --- | --- |
| Value | 00 | CA | DF-4F | 07 | Get Applet Version |

Table 14 – FIDO Applet Version

The Applet version is returned without any TLV format as follows:

FIDO – Applet Version Data (tag DF4F)

| Value | Value Meaning |
| --- | --- |
| 32 2E 30 2E 34 2E 42 | Applet Version, display value = ‘2.0.4.B’ |

Table 15 – FIDO Applet Version returned value

3.3 Cryptographic Functionality

The Module operating system implements the FIPS Approved and Non-FIPS Approved cryptographic functions listed in the tables below.

| Algorithm | Description | Cert # |
| --- | --- | --- |
| AES | [FIPS 197] Advanced Encryption Standard algorithm. The Module supports 128-, 192- and 256-bit key lengths with ECB and CBC encrypt/decrypt modes. | A1930 |
| AES CMAC | [SP 800-38B] The Module supports generation and verification with 128-, 192- and 256-bit key lengths. | A1930 |
| CKG | [SP 800-133] Section 6.1, Section 7.1: The Module generates symmetric keys and seeds to be used in asymmetric key generation directly from unmodified DRBG output. | Vendor Affirmed |
| DRBG | [SP 800-90A] Deterministic Random Bits Generator (256-bit security strength CTR-DRBG based on AES). | A1930 |
| ECDSA | [FIPS 186-4] Elliptic Curve Digital Signature Algorithm using the NIST defined curves. Key pair generation: P-224, P-256, P-384 and P-521 curves. Signature generation: P-224, P-256, P-384 and P-521 curves with SHA-2. Signature verification: P-224, P-256, P-384 and P-521 curves (approved SHA sizes of the CM). | A1930 |
| KBKDF | [SP 800-108] The Module supports AES CMAC 128-, 192- and 256-bit key lengths. | A1930 |
| KTS | Use of approved [FIPS 197] AES encryption method with the combination of approved Authentication method [SP 800-38B] AES CMAC. The Module supports 128-, 192- and 256-bit key lengths. The Module supports 256-bit key length for Applet Secure Messaging. | A1930 |
| SHA-1, SHA-2 | [FIPS 180-4] Secure Hash Standard compliant one-way (hash) algorithms. The Module supports the SHA-1 (160 bits), SHA-2 (224-bit, 256-bit, 384-bit, 512-bit) variants. | A1930 |
| Triple-DES | [SP 800-67] Triple Data Encryption Algorithm. The Module supports the 3-Key options; CBC and ECB decrypt modes. The CM restricts Triple-DES decryptions to 2^16 per key. After a counter for a given key reaches 2^16, the key is blocked. | A1930 |
| RSA | [FIPS 186-4] [PKCS#1 v1.5 and PSS] RSA algorithms. Key pair generation using 2048-bit keys. Signature generation using 2048-bit keys with SHA-2. Signature verification using 1024, 2048-bit keys (approved SHA sizes of the CM). Note that RSA-1024 verification and the use of SHA-1 for any RSA verification is allowed for legacy-use only. | A1930 |
| RSA CRT | [FIPS 186-4] [PKCS#1 v1.5 and PSS] RSA CRT algorithm. Key pair generation using 2048-, 3072- and 4096-bit keys. Signature generation using 2048-, 3072- and 4096-bit keys with SHA-2. Signature verification using 1024-, 2048-, 3072- and 4096-bit keys (approved SHA sizes of the CM). Note that RSA-1024 verification and the use of SHA-1 for any RSA verification is allowed for legacy-use only. | A1930 |
| KAS SSC ECC | [SP 800-56A] standalone Key Agreement Scheme SSC (section 5.7.1.2: ephemeral Unified) using the NIST defined curves: P-521. | A1930 |
| KTS-RSA | [SP 800-56B] RSA key transport scheme (section 9.2.3 KTS-OAEP-basic) using 2048-, 3072- and 4096-bit keys. | A1930 |
| DP RSA (CVL) | [SP 800-56B] RSA decryption primitive (section 9.2.3 KTS-OAEP-basic) using 2048-bit keys. | A1930 |
| KDA | [SP 800-56C] Key Agreement Scheme Key Derivation function (section 4: One-step Key Derivation – Option 1 with approved hash function) using the NIST defined curve: P-521, and SHA-256. | A1930 |
| KAS | Use of [SP 800-56A] KAS SSC ECC with the combination of key derivation function [SP 800-56C] KAS KDF. Provides 128 bits of encryption strength. | A1930 |
| HMAC | [FIPS198-1] Keyed-hash message authentication code using approved SHA-256 algorithm. | A1930 |

Table 16 – List of the algorithms/modes utilized by the module

Note: Not all algorithms/modes that appear on the module’s CAVP certificates are utilized by the module.

| Algorithm | Description |
| --- | --- |
| RSA key wrap | Key unwrapping using 2048, 3072 or 4096 bit keys. Key establishment methodology provides between 112 and 150 bits of strength (for PKCS1 v1.5). |

Table 17 – Non-FIPS Approved But Allowed Cryptographic Functions

The CM includes an uncallable DES implementation. This algorithm is not used and no security claims are made for its presence in the Module.

FIPS approved security functions used specifically by the IDPrime Applet are:
- DRBG
- AES CMAC
- AES
- Triple-DES
- RSA
- ECDSA
- SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
- KAS SSC ECC
- KAS KDF one-step

(Note: no security function is used in MSPNP applet)

FIPS approved security functions used specifically by the FIDO Applet are:
- DRBG
- AES
- ECDSA
- SHA-256
- KAS SSC ECC
- HMAC SHA-256

4 Module Critical Security Parameters

All CSPs used by the CM are described in this section. All usages of these CSPs by the CM are described in the services detailed in Section 5. In addition, all keys stored in RAM are zeroized upon power-cycle of the CM.

4.1 Platform Critical Security Parameters

| Key | Description / Usage |
| --- | --- |
| OS-DRBG-EI | 1664-bit random value drawn by an external entropy source, populated during CM initialization and used as entropy input for the [SP800-90A] DRBG implementation. Provides at least 256 bits of entropy. |
| OS-DRBG-STATE | 16-byte AES state V and 32-byte AES key (or Nonce) used in the [SP800-90A] CTR DRBG implementation. |
| OS-GLOBALPIN | 4 to 16 byte Global PIN value managed by the ISD. Character space is not restricted by the OS. The PIN Policy is managed by applet. |
| OS-MKDK | AES-128 (SCP03) key used to encrypt OS-GLOBALPIN value. |
| SD-KENC | AES-128/192/256 (SCP03) master key used by the CO role to derive SD-SENC. |
| SD-KMAC | AES-128/192/256 (SCP03) master key used by the CO role to derive SD-SMAC. |
SD-KDEK AES-128/192/256 (SCP03) decryption key used by the CO role to decrypt secure channel data. SD-SENC AES-128/192/256 (SCP03) Session encryption key used by the CO role to encrypt / decrypt secure channel data. SD-SMAC AES-128/192/256 (SCP03) Session MAC key used by the CO role to verify secure channel data integrity. DAP-SYM AES-128 (DAP) key optionally loaded in the field and used to verify the MAC signature of packages loaded into the Module. DAP-ASYM 2048-bit public part of RSA key pair used for Asymmetric Signature verification used to verify the signature of packages loaded into the Module. DM-TOKEN-SYM AES-128 Delegate Management Token Symmetric key. DM-RECEIPT-SYM AES-128 Delegate Management Receipt Symmetric key. DM-TOKEN-ASYM 2048-bit public part of RSA key pair used for Delegated Management Token Table 18 - Platform Critical Security Parameters Keys with the “SD-“ prefix pertain to a Global Platform Security Domain key set. The module supports the Issuer Security Domain at minimum, and can be configured to support Supplemental Security Domains. IDPrime 3930 FIDO FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 2 Ref: R1R29508_IDPrime3930-FIDO_001_SP_L2 Rev: 1.2 23/11/2021 Page 22/41 © Copyright Thales 2021. May be reproduced only in its entirety [without revision]. 
4.2 IDPrime Applet Critical Security Parameters

| Key | Description / Usage |
|---|---|
| IDP-SC-SMAC-AES | AES 256 Session key used for Secure Messaging (MAC) |
| IDP-SC-SENC-AES | AES 256 Session key used for Secure Messaging (Decryption) |
| IDP-AS-RSA | 2048/3072/4096-bit private part of the RSA key pair used for Asymmetric Signature |
| IDP-AS-ECDSA | P-224, P-256, P-384, P-521 private part of the ECDSA key pair used for Asymmetric signature |
| IDP-AC-RSA | 2048/3072/4096-bit private part of the RSA key pair used for Asymmetric Cipher (key wrap, key unwrap) |
| IDP-ECDH-ECC | P-224, P-256, P-384, P-521 private part of the ECDH key pair used for shared key mechanism |
| IDP-KG-AS-RSA | 2048/3072/4096-bit private part of the RSA generated key pair used for Asymmetric signature |
| IDP-KG-AS-ECDSA | P-224, P-256, P-384, P-521 private part of the ECDSA generated key pair used for Asymmetric signature |
| IDP-KG-AC-RSA | 2048/3072/4096-bit private part of the RSA generated key pair used for Asymmetric cipher (key unwrap) |
| IDP-KG-AC-ECDH | P-224, P-256, P-384, P-521 private part of the ECDSA generated key pair used for shared key mechanism |
| IDP-ECDSA-AUTH-ECC | P-224, P-256, P-384, P-521 private part of the ECDSA private key used to Authenticate the card |
| IDP-SC-DES3 | 3-Key Triple-DES key used for Admin (ICAA Role) authentication. |
| IDP-SC-P-SKI-AES | AES 128/192/256 Session key used for Secure Key Injection |
| IDP-SC-T-SKI-AES | AES 128/192/256 Session key used for Secure Key Injection |
| IDP-SC-PIN-TDES | 3-Key Triple-DES key used for PIN encryption (PIN History) |
| IDP-OWNERPIN | 4 to 64 byte PIN value managed by the Applet. |
| IDP-INITK-AES | 256-bit AES key used to authenticate in IO Role |

Table 19 – IDPrime Applet Critical Security Parameters
4.3 FIDO Applet Critical Security Parameters

| Key | Description / Usage |
|---|---|
| FID-SC-SMAC-AES | AES 256-bit Session key used for Secure Messaging (MAC) |
| FID-SC-SENC-AES | AES 256-bit Session key used for Secure Messaging (Decryption) |
| FID-KG-AS-ECDSA | P-256 private part of the user key pair |
| FID-AT-ECDSA | P-256 private part of the authenticator attestation key pair. The public part is stored in the device attestation certificate |
| FID-SC-ENC-AES | AES authenticator secret key used for encryption and decryption of key handles with AES CBC |
| FID-SC-AUTH-HMAC | HMAC 128-bit authenticator secret key used for authentication of key handles with HMAC-SHA256 |
| FID-UV-PIN | The reference user verification data (4 to 63 bytes) used to authenticate the user |
| FID-ECDH-ECC | P-256 private part of the ECDH key pair used for shared secret mechanism |
| FID-TOKEN-NONCE | 128 bits nonce used to authenticate client commands in the Client PIN protocol V1 (equivalent to a session PIN) |
| FID-HMAC-NONCE | 256 bits nonce, used to process the hmac-secret extension (for non-Resident Credential) |
| FID-KG-RK-ECDSA | P-256 private part of the user key pair ECDSA for Resident Credential |
| FID-RK-HMAC-NONCE | 256 bits nonce, used to process the hmac-secret extension for Resident Credential |

Table 20 – FIDO Applet Critical Security Parameters

4.4 IDPrime Applet Public Keys

| Key | Description / Usage |
|---|---|
| IDP-KA-ECDH | P-224, P-256, P-384, P-521 ECDH key pair used for Key Agreement (Session Key computation) |
| IDP-AS-CA-ECDSA-PUB | P-224, P-256, P-384, P-521 CA ECDSA Asymmetric public key entered into the module used for CA Certificate Verification. |
| IDP-AS-IFD-ECDSA-PUB | P-224, P-256, P-384, P-521 IFD ECDSA Asymmetric public key entered into the module used for IFD Authentication. |
| IDP-AS-RSA-PUB | 2048-bit public part of RSA key pair used for Asymmetric Signature |
| IDP-AS-ECDSA-PUB | P-224, P-256, P-384, P-521 public part of ECDSA key pair used for Asymmetric signature |
| IDP-AC-RSA-PUB | 2048/3072/4096-bit public part of the RSA key pair used for Asymmetric Cipher (key wrap, key unwrap) |
| IDP-ECDH-ECC-PUB | P-224, P-256, P-384, P-521 public part of the ECDH key pair used for shared key mechanism |
| IDP-KG-AS-RSA-PUB | 2048/3072/4096-bit public part of the RSA generated key pair used for Asymmetric signature |
| IDP-KG-AS-ECDSA-PUB | P-224, P-256, P-384, P-521 public part of the ECDSA generated key pair used for Asymmetric signature |
| IDP-KG-AC-RSA-PUB | 2048/3072/4096-bit public part of the RSA generated key pair used for Asymmetric cipher |
| IDP-KG-AC-ECDH-PUB | P-224, P-256, P-384, P-521 public part of the ECDSA generated key pair used for shared key mechanism |
| IDP-ECDSA-AUTH-ECC-PUB | P-224, P-256, P-384, P-521 public part of the ECDSA key pair used to Authenticate the card |

Table 21 – IDPrime Applet Public Keys

4.5 FIDO Applet Public Keys

| Key | Description / Usage |
|---|---|
| FID-KG-AS-ECDSA-PUB | P-256 public part of the user key pair |
| FID-AT-ROOT-PUB | Root key attestation certificate shared by at least 100k units of the same authenticator model |
| FID-ECDH-ECC-PUB | P-256 public part of the ECDH key pair used for shared key mechanism |
| FID-KG-RK-ECDA-PUB | P-256 public part of the user key pair ECDSA for Resident Credential |

Table 22 – FIDO Applet Public Keys
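Added example (not part of the Security Policy and not Thales code): Table 20 states that key handles are encrypted with AES CBC under FID-SC-ENC-AES and authenticated with HMAC-SHA256 under FID-SC-AUTH-HMAC. The Go code below shows one encrypt-then-MAC construction with those two primitives, verifying the tag before decrypting; the handle layout (IV, ciphertext, tag), the 256-bit AES key size, the binding to a relying-party hash and all type and function names are assumptions, and the key values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadHandle is returned for every rejected handle, so callers cannot tell
// a MAC failure from a malformed or truncated handle.
var ErrBadHandle = errors.New("key handle rejected")

// AuthenticatorKeys models the two device-wide secrets named in Table 20.
type AuthenticatorKeys struct {
	Enc  []byte // plays FID-SC-ENC-AES; 32 bytes is an assumption (no size on the page)
	Auth []byte // plays FID-SC-AUTH-HMAC; 16 bytes, the 128 bits stated on the page
}

// RPIDHash binds a handle to one relying party (assumed binding).
func RPIDHash(rpID string) [32]byte { return sha256.Sum256([]byte(rpID)) }

// tag computes HMAC-SHA256 over rpHash || iv || ciphertext.
func (k AuthenticatorKeys) tag(rpHash [32]byte, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, k.Auth)
	m.Write(rpHash[:])
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Wrap returns IV || AES-CBC(PKCS#7-padded priv) || tag (assumed layout).
func (k AuthenticatorKeys) Wrap(rpHash [32]byte, priv []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, fmt.Errorf("cipher init: %w", err)
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { // fresh random IV for every handle
		return nil, fmt.Errorf("iv: %w", err)
	}
	pad := aes.BlockSize - len(priv)%aes.BlockSize
	pt := append(append([]byte{}, priv...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	handle := append(append(append([]byte{}, iv...), ct...), k.tag(rpHash, iv, ct)...)
	return handle, nil
}

// Unwrap checks the tag in constant time before any decryption, so modified
// ciphertext never reaches the CBC padding check.
func (k AuthenticatorKeys) Unwrap(rpHash [32]byte, handle []byte) ([]byte, error) {
	body := len(handle) - aes.BlockSize - sha256.Size
	if body < aes.BlockSize || body%aes.BlockSize != 0 {
		return nil, ErrBadHandle
	}
	iv := handle[:aes.BlockSize]
	ct := handle[aes.BlockSize : aes.BlockSize+body]
	if !hmac.Equal(handle[aes.BlockSize+body:], k.tag(rpHash, iv, ct)) {
		return nil, ErrBadHandle
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, fmt.Errorf("cipher init: %w", err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, ErrBadHandle
	}
	return pt[:len(pt)-pad], nil
}

// ConstructedKeys returns fixed demo secrets (constructed values, not real keys).
func ConstructedKeys() AuthenticatorKeys {
	return AuthenticatorKeys{Enc: bytes.Repeat([]byte{0x11}, 32), Auth: bytes.Repeat([]byte{0x22}, 16)}
}

func main() {
	k, rp := ConstructedKeys(), RPIDHash("example.test")
	priv := bytes.Repeat([]byte{0xA5}, 32) // constructed stand-in for a P-256 private scalar
	h, err := k.Wrap(rp, priv)
	if err != nil {
		panic(err)
	}
	out, err := k.Unwrap(rp, h)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(out, priv))
	h[20] ^= 0x01 // flip one ciphertext bit
	_, err = k.Unwrap(rp, h)
	fmt.Println("tampered handle:", err)
}
```

A handle presented under a different relying-party hash fails the same tag check as a modified one, so both are rejected with the same error.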
5 Roles, Authentication and Services

The Module supports Identity-based authentication. Table 23 lists all operator roles supported by the Module. This Module does not support a maintenance role. The Module clears previous authentications on power cycle. The Module supports GP logical channels, allowing multiple concurrent operators. Authentication of each operator and their access to roles and services is as described in this section, independent of logical channel usage. Only one operator at a time is permitted on a channel.

Applet de-selection (including Card Manager), card reset or power down terminates the current authentication; re-authentication is required after any of these events for access to authenticated services. Authentication data is encrypted during entry (by SD-SDEK), is stored encrypted (by OS-MKDK) and is only accessible by authenticated services.

| Role ID | Role Description |
|---|---|
| CO (Cryptographic Officer) | This role is responsible for card issuance and management of card data via the Card Manager applet. Authenticated using the SCP authentication method with SD-SENC. |
| IUSR (User) | The IDPrime User, authenticated by the IDPrime applet – see below for authentication mechanism. |
| ICAA (Card Application Administrator) | The IDPrime Card Application Administrator authenticated by the IDPrime applet – see below for authentication mechanism. |
| IO | Initialization Officer. This role is responsible for recycling/reinitializing the card using Reinit Authentication - see below for authentication mechanism. |
| FUSR (User) | The FIDO user role is allowed to perform cryptographic authentication operation with the PIN (key handles) when user verification is required by the Relying Party. This role is responsible for changing the PIN as well. |
| UA | Unauthenticated role |

Table 23 - Role Description

5.1 Secure Channel Protocol (SCP) Authentication (CO)

The Open Platform Secure Channel Protocol authentication method is performed when the EXTERNAL AUTHENTICATE service is invoked after successful execution of the INITIALIZE UPDATE command. These two commands operate as described next.

The SD-KENC and SD-KMAC keys are used along with other information to derive the SD-SENC and SD-SMAC keys, respectively. The SD-SENC key is used to create a cryptogram; the external entity participating in the mutual authentication also creates this cryptogram. Each participant compares the received cryptogram to the calculated cryptogram and if this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the Module in the CO role).

For SCP03, AES-128, AES-192 or AES-256 keys are used for Global Platform secure channel operations, in which the Module derives session keys from the master keys and a handshake process, performs mutual authentication, and decrypts data for internal use only. The Module encrypts a total of one block (the mutual authentication cryptogram) over the life of the session encryption key; no decrypted data is output by the Module. AES key establishment provides a minimum of 128 bits of security strength.

The Module uses the SD-KDEK key to decrypt critical security parameters, and does not perform encryption with this key or output data decrypted with this key.
The strength of GP mutual authentication relies on AES key length, and the probability that a random attempt at authentication will succeed is:
- 1/2^128 for AES 16-byte-long keys;
- 1/2^192 for AES 24-byte-long keys;
- 1/2^256 for AES 32-byte-long keys;

Based on the maximum count value of the failed authentication blocking mechanism, the minimum probability that a random attempt will succeed over a one minute period is 255/2^128.

5.2 IDPrime User Authentication (IUSR)

This authentication method compares a PIN value sent to the Module to the stored PIN values; if the two values are equal, the operator is authenticated. This method is used in the IDPrime Applet services to authenticate to the IUSR role.

There can be several OWNER PIN and one GlobalPIN. Both kinds are User PINs. The module enforces string length of 4 bytes minimum (16 bytes maximum for Global PIN / 64 bytes maximum for OWNER PIN).

For the User PIN, an embedded PIN Policy allows at least a combination of Numeric value (‘30’ to ‘39’) or alphabetic upper case (‘A’ to ‘Z’) or alphabetic lower case (‘a’ to ‘z’), so the possible combination of value for the User PIN is at minimum 62^4, greater than 10^7. Consequently the strength of this authentication method is as follows:
- The probability that a random attempt at authentication will succeed is lower than 1/10^6
- Based on a maximum count of 15 for consecutive failed service authentication attempts, the probability that a random attempt will succeed over a one minute period is lower than 15/10^7

5.3 IDPrime Card Application Administrator Authentication (ICAA)

The 3-Key Triple-DES key establishment provides 168 bits of security strength. The Module uses the IDP-SC-DES3 to authenticate the ICAA role.
- The probability that a random attempt at authentication will succeed is 1/2^64 (based on challenge size)
- Based on the maximum count value of the failed authentication blocking mechanism, the probability that a random attempt will succeed over a one minute period is 255/2^64

5.4 IDPrime Init Key Authentication (Initialization Officer Role)

The AES-256 key provides 256 bits of security strength. The Module uses the IDP-INITK-AES to authenticate the IO role.
- The probability that a random attempt at authentication will succeed is 1/2^256 (based on challenge size)
- Based on the maximum count value of the failed authentication blocking mechanism, the probability that a random attempt will succeed over a one minute period is 15/2^256

5.5 FIDO User Authentication (FUSR)

This authentication method compares a PIN value sent to the Module to the stored FID-UV-PIN; if the two values are equal, the operator is authenticated. This method is used in the FIDO Applet services to authenticate to the FUSR role.

The module enforces string length of 4 bytes minimum and 63 bytes at maximum. Consequently the strength of this authentication method is as follows:
- The probability that a random attempt at authentication will succeed is lower than 1/2^32
- Based on a maximum count of 8 for consecutive failed service authentication attempts, the probability that a random attempt will succeed over a one minute period is 8/2^32.

5.6 Platform Services

All services implemented by the Module are listed in the tables below. Each service description also describes all usage of CSPs by the service.

| Service | Description |
|---|---|
| Context | Select an applet or manage logical channels. |
| Module Info (Unauth) | Read unprivileged data objects, e.g., module configuration or status information. |
| Module Reset | Power cycle or reset the Module. Includes Power-On Self-Test if self-test flag is set. |
| Run Cryptographic KATs | Resets a flag so that cryptographic KATs may be performed on demand via Module Reset. |

Table 24 - Unauthenticated Services

| Service | Description | CO |
|---|---|---|
| Lifecycle | Modify the card or applet life cycle status. | X |
| Manage Content | Load and install application packages and associated keys and data. | X |
| Module Info (Auth) | Read module configuration or status information (privileged data objects). | X |
| Secure Channel | Establish and use a secure communications channel. | X |

Table 25 – Authenticated Card Manager Services

All of the above commands use the SD-SENC and SD-SMAC keys for secure channel communications, and SD-SMAC for firmware load integrity. The card life cycle state determines which modes are available for the secure channel. In the SECURED card life cycle state, all command data must be secured by at least a MAC. As specified in the GP specification, there exist earlier states (before card issuance) in which a MAC might not be necessary to send Issuer Security Domain commands. Note that the LOAD service enforces MAC usage.

1 “E” for Secure Channel keys is included for situations where a Secure Channel has been established and all traffic is received encrypted. The Secure Channel establishment includes authentication to the module.
| Service | OS-DRBG-SEI | OS-DRBG-STATE | OS-GLOBALPIN | OS-MKDK | SD-KENC | SD-KMAC | SD-KDEK | SD-SENC | SD-SMAC | DAP-SYM | DAP-ASYM | DM-TOKEN-SYM | DM-RECEIPT-SYM | DM-TOKEN-ASYM |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Module Reset | ZE W | ZE G W | -- | -- | -- | -- | -- | Z | Z | -- | -- | -- | -- | -- |
| Run Cryptographic KATs | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| Module Info (Unauth) | -- | -- | -- | -- | -- | -- | -- | E1 | E1 | -- | -- | -- | -- | -- |
| Context | -- | -- | -- | -- | -- | -- | -- | Z | Z | -- | -- | -- | -- | -- |
| Secure Channel | -- | EW | -- | E | E | E | E | GE1 | GE1 | -- | -- | -- | -- | -- |
| Manage Content | -- | -- | W | E | W | W | W | E1 | E1 | E | E | E | E | E |

E E W W W W W

| Service | OS-DRBG-SEI | OS-DRBG-STATE | OS-GLOBALPIN | OS-MKDK | SD-KENC | SD-KMAC | SD-KDEK | SD-SENC | SD-SMAC | DAP-SYM | DAP-ASYM | DM-TOKEN-SYM | DM-RECEIPT-SYM | DM-TOKEN-ASYM |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Lifecycle | Z | Z | Z | Z | Z | Z | Z | Z | Z | Z | Z | Z | Z | Z |
| Module Info (Auth) | -- | -- | -- | -- | -- | -- | -- | E1 | E1 | -- | -- | -- | -- | -- |

Table 26 – Platform CSP Access by Service

- G = Generate: The Module generates the CSP.
- R = Read: The Module reads the CSP (read access to the CSP by an outside entity).
- E = Execute: The Module executes using the CSP.
- W = Write: The Module writes the CSP. The write access is typically performed after a CSP is imported into the Module or when the module overwrites an existing CSP.
- Z = Zeroize: The Module zeroizes the CSP. For the Context service, SD session keys are destroyed on applet deselect (channel closure)
- -- = Not accessed by the service.

5.7 IDPRIME Services

All services implemented by the IDPrime applet are listed in the table below.

| Service | Description | ICAA IUSR UA IO |
|---|---|---|
| EXTERNAL AUTHENTICATE | Authenticates the external terminal to the card. Sets the secure channel mode. | X X X X |
| INTERNAL AUTHENTICATE | Authenticates the card to the terminal | X X X X |
| SELECT | Selects a DF or an EF by its file ID, path or name (in the case of DFs). | X X X X |
| CHANGE REFERENCE DATA | Changes the value of a PIN. (Note: User Auth is always done within the command itself by providing previous PIN) Secure Messaging is enforced for this command. | X X |
| RESET RETRY COUNTER | Unblocks and changes the value of a PIN. Secure Messaging is enforced for this command. | X X |
| CREATE FILE | Creates an EF under the root or the currently selected DF or creates a DF under the root. | X X X |
| DELETE FILE | Deletes the current DF or EF. | X X X |
| DELETE ASYMMETRIC KEY PAIR | Deletes an RSA or ECDSA Asymmetric Key Pair | X X X |
| ERASE ASYMMETRIC KEY | Erases an RSA or ELC Asymmetric Key Pair | X X X |
| GET DATA (IDPrime Applet Specific) | Retrieves the following information: ■ CPLC data ■ Applet version ■ Software version (includes applet version - BER-TLV format) ■ Available EEPROM memory ■ Additional applet parameters ■ PIN Policy Error ■ Applet install parameter (DF0Ah tag) | X X X X |
| GET DATA OBJECT | Retrieves the following information: ■ Public key elements ■ KICC ■ The contents of a specified SE ■ Information about a specified PIN ■ Key generation flag ■ Touch Sense flag | X X X X |
| PUT DATA (IDPrime Applet Specific) | Creates or updates a data object ■ Create container (2) ■ Update public/private keys (2) | X X |
| PUT DATA (IDPrime Applet Specific) | Creates or updates a data object ■ Access Conditions ■ Applet Parameters (Admin Key, Card Read Only and Admin Key Try Limit) ■ PIN Info | X X |
| PUT DATA (IDPrime Applet Specific) | Creates or updates a data object ■ Update DES or AES Secret keys (2) | X X X |
| READ BINARY | Reads part of a binary file. | X X X X |
| ERASE BINARY | Erases part of a binary file. | X X X |
| UPDATE BINARY | Updates part of a binary file. | X X X |
| GENERATE AUTHENTICATE | Used to generate secure messaging session keys between both entities (IFD and ICC) as part of elliptic curve asymmetric key mutual authentication. | X X X X |
| GENERATE KEY PAIR | Generates an RSA or ECDSA key pair and stores both keys in the card. It returns the public part as its response. | X X |
| PSO – VERIFY CERTIFICATE | Sends the IFD certificate C_CV.IFD.AUT used in asymmetric key mutual authentication to the card for verification. No real reason to use it in the personalization phase, but it is allowed. | X X X X |
| PSO - HASH | Entirely or partially hashes data prior to a PSO – Compute Digital Signature command or prepares the data if hashed externally | X X |
| PSO - DECIPHER | (RSA) Deciphers an encrypted message using a decipher key stored in the card. (ECDSA) Generates a shared symmetric key. Secure Messaging is enforced for this command. | X X |
| PSO – COMPUTE DIGITAL SIGNATURE | Computes a digital signature. | X X |
| PUT SECURE KEY | Secure Key Injection Scheme from Microsoft Minidriver spec V7 | X |
| UNAUTHENTICATE EXT | Breaks a secure messaging session, or invalidates an MS3DES3 External Authentication. | X X X X |
| CHECK RESET AND APPLET SELECTION | Tells the terminal if the card has been reset or the applet has been reselected since the previous time that the command was performed. | X X X X |
| GET CHALLENGE | Generates an 8, 16 or 32-byte random number. | X X X X |
| MANAGE SECURITY ENVIRONMENT | Supports two functions, Restore and Set. ■ Restore: replaces the current SE by an SE stored in the card. ■ Set: sets or replaces one component of the current SE. | X X X X |
| VERIFY | Authenticates the user to the card by presenting the User PIN. The User Authenticated status is granted with a successful PIN verification. Secure Messaging is enforced for this command. | X |
| EXTERNAL AUTHENTICATION (ADMIN) | Performs external authentication for ADMIN role (using Triple-DES challenge response) | X |
| REINIT (Authenticate) | Command used to grant the IO role using a challenge based AES256 authentication. | X |
| REINIT (Key Update) | Updates the Init Key used for IO role authentication and its ratification counter. | X |
| REINIT (Reinit) | Processes the reinit command; actions depend on options (in any case, erase of all user keys). During reinit process IO can process all the commands for which he has rights. | X |
| REINIT (End Reinit) | End the reinit process | X X X X |
| REINIT (Get Counters) | Get ratification and retry counters for Init Key | X X X X |
| PUT DATA (PIN) | Creates PIN objects on card (only possible if the PIN was not existing, or erased during reinit process) | X |

Table 27 – IDPrime Applet Services and CSP Usage

(2) Secure Messaging in Confidentiality is mandatory

All services implemented by the MSPNP applet are listed in the table below.

| Service | Description | ICAA IUSR UA |
|---|---|---|
| GET DATA (MSPNP applet specific) | Retrieves the following information: ■ GUID | X |

Table 28 – MSPNP applet Services

| Service | IDP-SC-SMAC-AES | IDP-SC-SENC-AES | IDP-AS-RSA | IDP-AS-ECDSA | IDP-AC-RSA | IDP-ECDH-ECC | IDP-KG-AS-RSA | IDP-KG-AS-ECDSA | IDP-KG-AC-RSA | IDP-KG-AC-ECDH | IDP-ECDSA-AUTH-ECC | IDP-SC-DES3 | IDP-SC-P-SKI-AES | IDP-SC-T-SKI-AES | IDP-SC-PIN-TDES | IDP-OWNERPIN / OS-GLOBALPIN | IDP-INITK-AES |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EXTERNAL AUTHENTICATE | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| INTERNAL AUTHENTICATE | E | E | -- | -- | -- | -- | -- | -- | -- | -- | E | -- | -- | -- | -- | -- | -- |
| SELECT | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| CHANGE REFERENCE DATA | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | E W Z | -- |
| RESET RETRY COUNTER | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | -- | -- | E | E W Z | -- |
| CREATE FILE | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| DELETE FILE | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| DELETE ASYMMETRIC KEY PAIR | -- | -- | Z | Z | Z | Z | Z | Z | Z | -- | Z | -- | -- | -- | -- | -- | -- |
| ERASE ASYMMETRIC KEY | -- | -- | Z | Z | Z | Z | Z | Z | Z | -- | Z | -- | -- | -- | -- | -- | -- |
| GET DATA (IDPrime MD Applet Specific) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| GET DATA OBJECT | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| PUT DATA (IDPrime MD Applet Specific) | E | E | WZ | WZ | WZ | WZ | WZ | WZ | WZ | -- | WZ | -- | -- | -- | -- | -- | -- |
| PUT DATA (IDPrime MD Applet Specific) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | W Z | -- | -- | -- | -- | -- |
| READ BINARY | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| ERASE BINARY | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| UPDATE BINARY | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| GENERATE AUTHENTICATE | G | G | -- | -- | -- | E | -- | -- | -- | GE | -- | -- | -- | -- | -- | -- | -- |
| GENERATE KEY PAIR | E | E | -- | -- | -- | -- | G | G | G | -- | -- | -- | -- | -- | -- | -- | -- |
| PSO – VERIFY CERTIFICATE | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| PSO - HASH | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| PSO – DECIPHER | -- | -- | -- | -- | E | -- | -- | -- | E | -- | -- | -- | -- | -- | -- | -- | -- |
| PSO – COMPUTE DIGITAL SIGNATURE | -- | -- | E | E | -- | -- | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| PUT SECURE KEY | -- | -- | WZ | WZ | WZ | WZ | WZ | WZ | WZ | -- | WZ | -- | E | EWZ | -- | -- | -- |
| UNAUTHENTICATE EXT | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| CHECK RESET AND APPLET SELECTION | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| GET CHALLENGE | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| MANAGE SECURITY ENVIRONMENT | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| VERIFY | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | -- |
| EXTERNAL AUTHENTICATION (ADMIN) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | -- |
| REINIT (Authenticate) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E |
| REINIT (Key Update) | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | W Z |
| REINIT (Reinit) | E | E | Z | Z | Z | -- | Z | Z | Z | -- | -- | -- | W Z | -- | -- | -- | -- |
| REINIT (End Reinit) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| REINIT (Get Counters) | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| PUT DATA (PIN) | E | E | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | WZ | -- |

Table 29 – IDPrime CSP Access by Service

5.8 FIDO Services

All services implemented by the FIDO applet are listed in the table below.
Service Description CO FUSR UA Context Select an applet. X X Personalize Content Create Files, store keys and certificates. X Applet Info Read applet info, capabilities and version X X Secure Channel Establish and use a secure communication channel. X U2F protocol Register and authenticate with U2F protocol X U2F protocol info Get U2F protocol version X CTAP2 protocol Register and authenticate with CTAP2 protocol X CTAP2 protocol info Get CTAP2 protocol version X CTAP2 Client PIN protocol Manage Client PIN and PIN Token X X Applet Reset Reset or Deactivate the applet X Table 30 – FIDO applet Services CSP Service FID-SC-SMAC-AES FID-SC-SENC-AES FID-KG-AS-ECDSA FID-AT-ECDSA FID-SC-ENC-AES FID-SC-AUTH-HMAC FID-UV-PIN FID-ECDH-ECC FID-TOKEN-NONCE FID-HMAC-NONCE FID-KG-RK6ECDSA FID-RK-HMAC-NONCE Context -- -- -- -- -- -- -- G G -- -- -- Personalize Content -- -- -- W W W -- -- -- -- -- -- Applet Info -- -- -- -- -- -- -- -- -- -- -- -- Secure Channel E E -- -- -- -- -- -- -- -- -- -- IDPrime 3930 FIDO FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 2 Ref: R1R29508_IDPrime3930-FIDO_001_SP_L2 Rev: 1.2 23/11/2021 Page 36/41 © Copyright Thales 2021. May be reproduced only in its entirety [without revision]. CSP Service FID-SC-SMAC-AES FID-SC-SENC-AES FID-KG-AS-ECDSA FID-AT-ECDSA FID-SC-ENC-AES FID-SC-AUTH-HMAC FID-UV-PIN FID-ECDH-ECC FID-TOKEN-NONCE FID-HMAC-NONCE FID-KG-RK6ECDSA FID-RK-HMAC-NONCE U2F protocol -- -- G/ E E E E -- -- -- -- -- -- U2F protocol info -- -- -- -- -- -- -- -- -- -- -- -- CTAP2 protocol -- -- G/ E E E E E -- E E/ G E/ G E/ G CTAP2 protocol info -- -- -- -- -- -- -- -- -- -- -- -- CTAP2 Client PIN protocol -- -- -- -- -- -- E E E -- -- -- Applet Reset -- -- -- -- W W Z -- -- -- -- -- Table 31 – FIDO CSP Access by Service 6 Finite State Model The CM is designed using a finite state machine model that explicitly specifies every operational and error state. 
The CM includes Power on/off states, Cryptographic Officer states, User services states, applet loading states, Key/PIN loading states, Self-test states, Error states, and the GP life cycle states. An additional document (Finite State Machine document) identifies and describes all the states of the module including all corresponding state transitions.

7 Physical Security Policy

The CM is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The CM uses standard passivation techniques and is protected by passive shielding (metal layer coverings opaque to the circuitry below) and active shielding (a grid of top metal layer wires with tamper response). A tamper event detected by the active shield places the Module permanently into the Card Is Killed error state.

The CM is mounted in a plastic smartcard; physical inspection of the Module boundaries is not practical after mounting. Physical inspection of modules for tamper evidence is performed using a lot sampling technique during the card assembly process. The Module also provides a key to protect the Module from tamper during transport and the additional physical protections listed in Section 12 below.

8 Operational Environment

This section does not apply to CM. No code modifying the behavior of the CM operating system can be added after its manufacturing process. Only authorized applets can be loaded at post-issuance under control of the Cryptographic Officer. Their execution is controlled by the CM operating system following its security policy rules.
9 Electromagnetic Interference and Compatibility (EMI/EMC)

The Module conforms to the EMI/EMC requirements specified by part 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B.

10 Self-test

10.1 Power-on Self-test

On power-on or reset, the CM performs the self-tests described in the table below. All KATs must be completed successfully prior to any other use of cryptography by the Module. If one of the KATs fails, the Module enters the Card Is Mute error state or the Card Is Killed error state, depending on the number of failures.

| Test Target | Description |
|---|---|
| Firmware Integrity | 16 bit CRC performed over all code located in FLASH and EEPROM memory (for OS, Applets). |
| AES | Performs decrypt KAT using an AES 128-bit key in ECB mode. AES encrypt is self-tested as an embedded algorithm of AES-CMAC. |
| DRBG | Performs DRBG SP 800-90A Section 11.3 instantiate and generate health test KAT with fixed inputs (derivation function and no reseeding supported). |
| KAS SSC ECC | Performs a KAS SSC ECC KAT using an ECC P-224 key. |
| ECDSA | Performs separate ECDSA signature and verification KATs using an ECC P-224 key. |
| KBKDF AES-CMAC | Performs a KDF AES-CMAC KAT using an AES 128-bit key and 32-byte derivation data. The KAT computes session keys and verifies the result. Note that the KDF KAT is identical to an AES-CMAC KAT; the only difference is the size of the input data. |
| RSA | Performs separate RSA PKCS#1 v1.5 signature and verification KATs using an RSA 2048 bit key, and an RSA PKCS#1 v1.5 signature KAT using the RSA CRT implementation with a 2048 bit key. RSA CRT signature verification is tested as part of the RSA signature verification KAT as described above. An RSA PKCS#1 v1.5 decryption KAT with a 2048 bit key is also performed. |
| SHA-1, SHA-2 | Performs separate KATs for SHA-1 and SHA-512. |
| Triple-DES | Performs separate encrypt and decrypt KATs using 3-Key TDEA in ECB mode. |
| HMAC | Performs KAT using HMAC 16-byte Key with SHA-256. |
| KAS KDF | Performs a KAS KDF KAT using the “One-step key derivation” scheme as in SP800-56C rev2. The KAT uses a 4-byte counter, a 32-byte shared secret and 1-byte fixedInfo, computes a SHA-256 of the input data, then compares the result with the expected one. |

Table 32 – Power-On Self-Test

10.2 Conditional Self-tests

On every call to the [SP 800-90A] DRBG, the CM performs the FIPS 140-2 Continuous RNG test (CRNGT) to ensure that the output differs from the previous value. Note that the DRBG is seeded only once per power cycle and therefore a CRNGT is not required to be performed on the NDRNG per IG 9.8.

When any asymmetric key pair is generated (for RSA or ECC keys) the CM performs a pairwise consistency test.

When new firmware is loaded into the CM using the Manage content service, the CO verifies the integrity and authenticity of the new firmware (applet) using the SD-SMAC key for the MAC process. Optionally, the CO may also verify a MAC or a signature of the new firmware (applet) using the DAP-SYM key or DAP-ASYM key respectively. The signature or MAC block in this scenario is generated by an external entity using the key corresponding to the asymmetric key DAP-ASYM or the secret key DAP-SYM.

The CM also performs the required assurances from [SP800-56A-rev3] (public key validation).

10.3 Reducing the number of Known Answer Tests

The CM implements the latest [IG] guidance on reducing the number of Known Answer Tests (KATs), described in chapter 9.11. On the first reset of the CM, it performs the “Firmware Integrity” test and all cryptographic KATs.
On each subsequent reset of the CM, it performs only the “Firmware Integrity” test, as permitted by the [IG] document. The cryptographic KATs are also available on demand and can be run by any operator with the Run Cryptographic KATs service (see Section 5.6 – Platform Services).

11 Design Assurance

The CM meets the Level 3 Design Assurance section requirements.

11.1 Configuration Management

An additional document (Configuration Management Plan document) defines the methods, mechanisms and tools used to identify and place under control all the data and information concerning the specification, design, implementation, generation, test and validation of the card software throughout the development and validation cycle.

11.2 Delivery and Operation

Some additional documents (‘Delivery and Operation’, ‘Reference Manual’, ‘Card Initialization Specification’ documents) define and describe the steps necessary to deliver and operate the CM securely.

11.3 Guidance Documents

The Guidance document provided with the CM is intended to be the ‘Reference Manual’. This document includes guidance for secure operation of the CM by its users as defined in the section: Roles, Authentication and Services.

11.4 Language Level

The CM operational environment is implemented using a high level language. A limited number of software modules have been written in assembler to optimize speed or size. The IDPrime Applet is a Java applet designed for the Java Card environment.
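The self-test behaviour of Section 10, modelled in Python as an added example (not Thales code): the one-step KDF that the KAS KDF KAT computes, firmware integrity on every reset, cryptographic KATs on the first reset only, and the CRNGT on each random output. The class `Module`, the threshold `KILL_AFTER`, the CRC-16 variant (`binascii.crc_hqx`), the "abc" digest vectors and the rule that a reset clears Card Is Mute are assumptions; the policy does not specify them.

```python
import binascii, hashlib, hmac, os
# Assumed, not stated in the policy: failure threshold, CRC-16 variant,
# and that a reset clears Card Is Mute while Card Is Killed is permanent.
KILL_AFTER = 3
KATS = [  # known answers are the published FIPS 180 digests of b"abc"
    (lambda: hashlib.sha1(b"abc").digest(),
     bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")),
    (lambda: hashlib.sha512(b"abc").digest(),
     bytes.fromhex("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                   "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f")),
]

def one_step_kdf(z, fixed_info, length=32):
    """SP 800-56C one-step KDF, hash option: SHA-256(counter || Z || FixedInfo)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big") + z + fixed_info).digest()
              for i in range(1, -(-length // 32) + 1))
    return b"".join(blocks)[:length]

class Module:
    def __init__(self, image, stored_crc, rng=os.urandom):
        self.image, self.stored_crc, self.rng = image, stored_crc, rng
        self.state, self.failures, self.kats_done, self.prev = "POWER_OFF", 0, False, None

    def _fail(self):
        self.failures += 1
        self.state = "KILLED" if self.failures >= KILL_AFTER else "MUTE"
        return self.state

    def reset(self, kats=KATS):
        if self.state == "KILLED":
            return self.state
        if binascii.crc_hqx(self.image, 0xFFFF) != self.stored_crc:
            return self._fail()                    # firmware integrity: every reset
        if not self.kats_done:                     # cryptographic KATs: first reset only
            if not all(hmac.compare_digest(run(), want) for run, want in kats):
                return self._fail()
            self.kats_done = True
        self.state = "OPERATIONAL"
        return self.state

    def random_block(self, n=16):
        if self.state != "OPERATIONAL":
            raise RuntimeError("output inhibited in state " + self.state)
        block = self.rng(n)
        if block == self.prev:                     # CRNGT: same as previous output
            self._fail()
            raise RuntimeError("CRNGT failure")
        self.prev = block
        return block
```

A KAS KDF KAT in this model is one more `(run, want)` pair that calls `one_step_kdf` on a fixed 32-byte secret and 1-byte fixedInfo and compares against a stored answer.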
12 Mitigation of Other Attacks Policy

The Module implements defenses against:

• Fault attacks
• Side channel analysis (Timing Analysis, SPA/DPA, Simple/Differential Electromagnetic Analysis)
• Probing attacks
• Card tearing

13 Security Rules and Guidance

The Module implementation also enforces the following security rules:

• No additional interface or service is implemented by the Module which would provide access to CSPs.
• Data output is inhibited during key generation, self-tests, zeroization, and error states.
• There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
• The Module does not support manual key entry, output plaintext CSPs or output intermediate key values.
• Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module.

At the time the card is issued, the IDPrime Applet shall be personalized with the appropriate data in order to be initialized into the Approved mode. Personalization includes IDPrime keys and PIN values, as listed below:

• IDP-AS-RSA: RSA key pair used for Asymmetric Signature
• IDP-AS-ECDSA: ECDSA key pair used for Asymmetric signature
• IDP-AC-RSA: RSA key pair used for Asymmetric Cipher (key wrap, key unwrap)
• IDP-ECDH-ECC: ECDH key pair used for shared key mechanism
• IDP-ECDSA-AUTH-ECC: ECDSA key used to Authenticate the card
• IDP-SC-DES3: 3-Key Triple-DES key used for authentication.
• IDP-SC-P-SKI-AES: AES session key used for Secure Key Injection
• IDP-OWNERPIN: PIN value managed by the Applet.
• IDP-INITK-AES: AES key used to authenticate IO Role

The following rules must be observed for conformance to FIPS 140-2, when used with a PIN Pad reader:

• The PIN shall be at least 6 bytes composed of numeric characters.

At the time the card is issued, the FIDO Applet shall be personalized with the appropriate data in order to be initialized into the Approved mode.
Personalization includes the attestation certificate private key and the wrap and MAC keys, as listed below:

• FID-AT-ROOT-ECDSA: P-256 authenticator attestation key pair. The public part is stored in the device attestation certificate
• FID-SC-ENC-AES: AES 128-bit authenticator secret key used for encryption and decryption of key handles with AES CBC
• FID-SC-AUTH-HMAC: HMAC 128-bit authenticator secret key used for authentication of key handles with HMAC-SHA256

END OF DOCUMENT