2/11/02
Security Policy:
Key Management Facility
Crypto Card (KMF CC)
Version 2.0
2/11/02 Page 2 of 13
2/11/02 Page 3 of 13
1.0 Introduction 4
1.1 Scope 4
1.2 Overview 4
1.3 KMF CC Implementation 4
1.4 KMF CC Cryptographic Boundary 5
2.0 FIPS 140-1 Security Level 6
3.0 FIPS 140-1 Approved Operational Modes 6
4.0 Security Rules 7
4.1 FIPS 140-1 Related Security Rules 7
4.2 Motorola Imposed Security Rules 10
5.0 Roles and Services 10
5.1 KMF CC Supported Roles 10
5.2 KMF CC Services 10
6.0 Authentication 11
7.0 Access Control 12
7.1 Security Relevant Data Items (SRDIs) 12
7.2 SRDI Access Types 12
7.3 Services Versus SRDI Access 13
2/11/02 Page 4 of 13
1.0 Introduction
1.1 Scope
This Security Policy specifies the security rules under which the Key
Management Facility Cryptographic Card, herein identified as the KMF CC, must
operate. Included in these rules are those derived from the security requirements of
FIPS 140-1 and additionally, those imposed by Motorola. These rules, in total, define
the interrelationship between the:
1. module operators,
2. module services,
3. and security related data items (SRDIs).
1.2 Overview
The KMF CC provides encryption and decryption services for secure key
management and Over-the-Air-Rekeying (OTAR) for Motorola’s Key Management
Facility (KMF). The KMF and KMF CC combine to provide these cryptographic
services for Motorola’s APCO-25 compliant Astro ™ radio systems.
Figure 1 Key Management Facility Crypto Card
1.3 KMF CC Implementation
The KMF CC is implemented as a multi-chip embedded cryptographic module as
defined by FIPS 140-1. It is comprised of a Crypto Engine, communications controller,
and a PCI interface, all housed on a PCI shortcard.
2/11/02 Page 5 of 13
1.4 KMF CC Cryptographic Boundary
The Crypto Engine, herein identified as the CE, provides all the KMF CC
cryptographic logic and processes. This includes encryption, decryption, and
cryptographic key & critical security parameter storage. The cryptographic boundary is
defined as the boundary between the CE & JTAG factory interface and all other
circuitry on the KMF CC. The CE circuitry is physically grouped together on one
corner of the board and is protected by a metal enclosure. All other circuitry on the
board that is not part of the CE & JTAG factory interface provides an interface to the
host computer where the user interface is implemented.
The CE consists of the Armor cryptographic processor, flash E2
PROM, dual port
RAM, KVL port, and various support components and circuitry.
Figure 2 KMF CC Cryptographic Boundary
PowerQUICCII
CPM
Communications
Controller
PCIBridge
PowerSpan
LocalBus
60xBus(PPCBus)
C
A
M
60xBus
Interface
F
P
G
A
Armor
Crypto
Processor
Tamper
CoreVoltage
Regulator
Voltage
Detectors
CryptoEngine
PowerControl
C
L
O
C
K
BUFFER
Buffers
+
SIU
P
P
C
C
O
R
E
S
D
R
A
M
Scratch
Memory
SDRAM
Main
M
e
m
o
r
y
Buffer/Latch
EEPROM
PCIConfig
Memory
C
E
+3.3VDC
6
6
M
H
z
O
S
C
Bootload
Conn
S
C
I
Interface
UniversalPCIConnector
PQII
JTAG/OnCE
TestConn
K
V
L
L
E
D
FAIL
L
E
D
JTAG
Router
A
r
m
o
r
JTAG/OnCE
TestConn
JTAG_PQII
JTAG_Armor
JTAG_Other
JTAG
Select
ISPConn
PCI
+3.3VDC
I
N O
U
T
PQIICORE
+2.5VDC
D
P
R
A
M
CEComm
Port
Memory
FLASH
App/Algo/
BlkKeys
Memory
ArmorBus
PLD
C
o
n
n
KVL
Interface
PCI
+3.3VDC
P
C
I
+3.3VDC
BATT
+
PCIReset
GPIO
ADD/DATA/MEMCTL
SCI
TAMPER
V
D
D
C
O
N
T
C
E
+3.3VDC
LowBatt
Low
PCI
+3.3VDC
On-board
ResetSw Global
Reset
Erase
Switch
Batt
B
a
t
t
G
P
I
O
ERASE
Tamper
Switch
Silicon
Serial
N
u
m
b
e
r
GPIO
8
M
H
z
O
S
C
CLK
Boot
Select
B
O
O
T
F
L
A
S
H
Memory
RESET
CONT3V
C
O
N
T
3
V
L
o
wC
o
n
t3
V
G
P
I
O
CoreVoltage
Regulator
PCI
+3.3VDC
I
N O
U
T
P
S
P
A
NC
O
R
E
+2.5VDC
S
T
A
T
U
S
LED1
STATUS
LED2
S
T
A
T
U
S
LED3
CRYPTOENGINE
Cryptographic
Boundary
2/11/02 Page 6 of 13
2.0 FIPS 140-1 Security Level
The KMF CC is validated to meet the FIPS 140-1 security requirements for the
levels shown in Table 2.1.
Table 2.1
CE Security Levels
FIPS 140-1 Security Requirements Section Level
1. Cryptographic Module 1
2. Module Interfaces 1
3. Roles and Services 1
4. Finite State Machine Model 1
5. Physical Security 1
6. Software Security 3
7. Operating System Security N/A
8. Key Management 1
9. Cryptographic Algorithms 1
10. EMI / EMC 3
11. Self Tests 1
3.0 FIPS 140-1 Approved Operational Modes
The KMF CC includes modes of operation that are not FIPS 140-1 approved.
Documented below are the configuration settings that are required for the module to be
used in a FIPS 140-1 approved mode of operation:
1. Key Loss Key (KLK) generation disabled
2. Keyboard Key Entry disabled
3. DES and 3DES for encryption, decryption, and MACing shall be used in the
following approved modes: ECB, OFB, and CBC
4. Use of the following is not FIPS 140-1 approved: DES-XL, DVI-XL, DVP-XL,
and HCA
2/11/02 Page 7 of 13
4.0 Security Rules
The CE on the KMF CC enforces the following security rules. These rules are
separated into two categories, 1) those imposed by FIPS 140-1 and, 2) those imposed
by Motorola.
4.1 FIPS 140-1 Related Security Rules
1. The CE supports the following interfaces:
• Data input interface
a. Dual Port Ram (DPRAM) - Plaintext Data, Ciphertext Data, Encrypted
Cryptographic Keys
b. Serial Communications Interface (SCI) - Encrypted Software Image
c. Key Variable Loader (KVL) - Key Management Data, Encrypted
Cryptographic Keys, Plaintext Cryptographic Keys, Encrypted Software
Image
• Data output interface
a. Dual Port Ram (DPRAM) - Plaintext Data, Ciphertext Data, Key
Management Data (OTAR), Encrypted Cryptographic Keys (OTAR)
• Control input interface
a. Dual Port RAM (DPRAM) - Input commands
b. Serial Communications Interface (SCI) - Input commands
c. Key Variable Loader (KVL) - Input commands
d. Key Erase Switch - Manual erase input
e. Erase Signal from PowerQUICC II
• Status output interface
a. Dual Port RAM (DPRAM) - Status codes
b. Serial Communications Interface (SCI) - Status codes
c. Key Variable Loader (KVL) - Status codes
d. KVL & FAIL LEDs - On, off, & flashing codes
• Power interface
a. PCI Bus Power - Powers all circuitry except Battery Backed Register and
tamper detection circuitry
b. Continuous (Battery backed) Power - Powers Battery Backed Register
and tamper detection circuitry
2. The CE inhibits all data output via the data output interface whenever a fatal error
state exists and during self-tests.
3. The CE logically disconnects the output data path from the circuitry and
processes when performing key generation, manual key entry, or key zeroization.
4. Plaintext cryptographic keys are entered through the KVL interface only and no
plaintext cryptographic keys are ever output from any interface.
5. The CE supports a User role and a Cryptographic Officer role. These two roles
have the same set of services.
6. The CE provides the following services for all roles:
• Initiate Self Tests
• Zeroize All Keys
• Erase/Reset KMF CC
2/11/02 Page 8 of 13
• Transfer Master Key
• Shutdown KMF CC
• Download RSS
• Inner Layer Encryption
• Inner Layer Decryption
• Outer Layer Encryption
• Outer Layer Decryption
• Random Encryption Key Generation
• Message Authentication Code (MAC) Generation
• Encrypt & Forward
• Recrypt
• Download Configuration Parameter
• Algorithm Request
• Post Request
• Software Version Request
• Soundoff
• KVL Programming
7. The CE implements all software using a high-level language, except the limited
use of low-level languages to enhance performance.
8. The CE protects secret keys and private keys from unauthorized disclosure,
modification and substitution.
9. The CE provides a means to ensure that a key entered into, stored within, or
output from the CE is associated with the correct entities to which the key is
assigned. Each key in the CE is entered and stored with the following
information:
• Key Identifier – 16 bit identifier
• Algorithm Identifier – 8 bit identifier
• Key Type – Traffic Encryption Key or Key Encryption Key
• Physical ID, Common Key Reference (CKR) number, or CKR/Keyset
number – Identifiers indicting storage locations.
Along with the encrypted key data, this information is stored in a key record that
includes a CRC over all of the fields to detect data corruption. When used or
deleted the keys are referenced by Key ID/Algid, Physical ID, or CKR/Keyset.
10. The CE denies access to plaintext secret and private keys contained within the
CE.
11. The CE provides the capability to zeroize all plaintext cryptographic keys and
other unprotected critical security parameters within the CE.
12. The CE supports the following FIPS approved algorithms:
• DES
- OFB for symmetric encryption / decryption of APCO-25 OTAR
- CBC for MACing of APCO-25 OTAR and software upgrades
- ECB for symmetric decryption of APCO-25 OTAR
• 3DES
- 8-bit CFB for symmetric encryption / decryption of keys and parameters
stored in the internal database
2/11/02 Page 9 of 13
- CBC for symmetric decryption of software upgrades
13. The KMF CC, when used in the KMF (Host Computer) conforms to all FCC
Class B requirements.
14. The CE of the KMF CC performs the following self-tests:
• Power-up and on-demand tests
- Cryptographic algorithm test: Each algorithm is tested by using a known
key, known data, and if required a known IV. The data is then encrypted;
the encrypted data is then decrypted. The test passes if the final data
matches the known data; otherwise it fails.
- Software/firmware test: The software firmware test calculates a checksum
over the code. The checksum is calculated by summing over the code in
32 bit words. The code is appended with a value that makes the checksum
value 0. The test passes if the calculated value is 0; otherwise it fails.
- Critical Functions test.
- LFSR Test: The LFSRs are tested by setting the feedback taps to a
known value, loading them with known data, shifting the LFSR 64
times, then comparing the LFSR data to a known answer. The test
passes if the final data matches, otherwise it fails.
- General Purpose RAM Test: The general purpose RAM is tested for
stuck address lines and stuck bits. This is accomplished through a
series of operations that write and read the RAM. The test passes if all
values read from the RAM are correct; otherwise it fails.
- Dual Port RAM Test: The DPRAM is tested for stuck address lines
and stuck bits. This is accomplished through a series of operations that
write and read the DPRAM. The test passes if all values read from the
DPRAM are correct; otherwise it fails.
Powering the module off then on or resetting the module using the Reset
service will initiate the power-up and on-demand self tests.
• Conditional tests
- Software/firmware load test: A MAC is generated over the code when it is
built using DES-CBC. Upon download into the module, the MAC is
verified. If the MAC matches the test passes, otherwise it fails.
- Continuous Random Number Generator test: The continuous random
number generator test is performed on 3 Random Number Generators
(RNG) within the module. The first is a non-deterministic hardware RNG
which is used to seed the ANSI X9.17 deterministic Pseudo Random
Number Generator (PRNG) and the maximal length 64-bit LFSR. The
second is an implementation of Appendix C ANSI X9.17 which is used
for key generation, and the third is a maximal length 64-bit LFSR which
is used for IV generation. For each RNG, an initial value is generated and
stored upon power up. This value is not used for anything other than to
initialize comparison data. Successive calls to any one of the RNGs
generates a new set of data, which is compared to the comparison data. If
a match is detected, this test fails; otherwise the new data is stored as the
comparison data and returned to the caller.
2/11/02 Page 10 of 13
15. The CE enters an error state if the Cryptographic Algorithm Test, LFSR Test,
Continuous Random Number Generator Test, or the General-Purpose RAM Test
fails. This error state is exited after the erase function is requested & performed or
by cycling the power to the KMF CC.
16. The CE enters an error state if the Software/Firmware test fails. This error state is
exited after the erase function is requested & performed or by cycling the power
to the KMF CC.
17. The CE enters an error state if the Software/Firmware Load test fails. This error
state is exited after the erase function is requested & performed or by cycling the
power to the KMF CC.
18. The CE outputs an error indicator via the status interface whenever an error state
is entered due to a failed self-test.
19. The CE does not perform any cryptographic functions while in an error state.
4.2 Motorola Imposed Security Rules
1. The KMF CC does not support a bypass mode.
2. The KMF CC does not support multiple concurrent operators.
3. All cryptographic module services are suspended during key loading.
4. Upon detection of a critically low voltage condition on the PCI bus power supply,
the cryptographic module shall erase all plaintext keys.
5. Upon detection of a critically low voltage condition on the continuous (battery
backed) power supply, the cryptographic module shall erase all Security Related
Data Items (SRDIs).
6. Upon detection of tamper, the cryptographic module shall erase all SRDIs.
7. The module shall at no time output any SRDIs.
5.0 Roles and Services
5.1 KMF CC Supported Roles
The CE supports two (2) roles. These roles are defined to be:
• User Role
• Cryptographic Officer (CO) Role
All services are available to all roles.
5.2 KMF CC Services
• Initiate Self Tests: Performs module self tests comprised of cryptographic
algorithms test, software firmware test, and critical functions test. Initiated by
module reset or transition from power off state to power on state.
• Zeroize All Keys: Zeroize all keys from the Key Database (Module can be
reinitialized using KVL).
• Erase/Reset KMF CC: Hard signal erase & reset of module to erase plaintext
critical security parameters and remove the module from error states.
• Transfer Master Key: Transfer key variables and/or zeroize key variables
to/from the Key Database via a Key Variable Loader (KVL).
• Shutdown Crypto Module: Prepares module for removal of power.
2/11/02 Page 11 of 13
• Download RSS: Download configuration parameters used to specify module
behavior. Examples include enable/disable keyboard key entry, enable/disable
KLK generation, etc.
• Inner Layer Encryption: Encrypts keys for insertion into Key Management
Message (KMM).
• Inner Layer Decryption: Decrypts keys in Key Management Message
(KMM).
• Outer Layer Encryption: Encrypts Key Management Message (KMM).
• Outer Layer Decryption: Decrypts Key Management Message (KMM).
• Random Encryption Key Generation: Creates keys to put in KMF's key kettle.
• Message Authentication Code (MAC) Generation: Generation of a
sophisticated checksum for Key Management Messages (KMM).
• Encrypt & Forward: Encrypt key loaded from KVL with master key & send
to PowerQUICC II via DPRAM.
• Recrypt: Decrypt keys with one key and encrypt result with another key.
• Download Configuration Parameter: Provides means to enable/disable
configuration parameters.
• Algorithm Request: Provides list of algorithms currently loaded in the CE.
• Post Request: Provides status of KMF CC.
• Software Version Request: Provides version of software currently loaded on
KMF CC.
• Soundoff: Provides basic KMF CC on status with simple message response.
• KVL Programming: Places CE in state to accept software updates through the
KVL interface.
6.0 Authentication
The operating system running on the KMF host computer provides a standard
user login/password authentication but the KMF CC does not provide authentication as
defined in FIPS 140-1, therefore all cryptographic services are available to all roles.
The Crypto Officer role is assumed by attempting to load keys into the module with the
KVL. The User role is assumed by attempting to use the encryption and decryption
services.
2/11/02 Page 12 of 13
7.0 Access Control
7.1 Security Relevant Data Items (SRDIs)
Table 7.1
SRDI Definition
SRDI Identifier Description
Key Protection Key
(KPK)
Key used to encrypt/decrypt the master key. It is internally
generated and unique each time generated.
Plaintext Traffic
Encryption Keys ( TEK)
Keys used for Key Management Message (KMM)
encryption/decryption.
Plaintext Key Encryption
Keys (KEK)
Keys used for encryption of keys in OTAR.
Plaintext MAC Key Key used for authentication of software upgrade.
Master Key Key used to encrypt keys in KMF database. It is stored in
Flash encrypted with the KPK.
7.2 SRDI Access Types
Table 7.2
SRDI Access Types
SRDI Access Type Description
Retrieve key Decrypts encrypted Master keys in the database using the KPK
and returns plaintext version
Store key Encypts plaintext Master keys using the KPK and stores the
encrypted version in the database
Erase Key Marks encrypted Master keys data in key database as invalid
Create KPK Generates and stores new KPK
2/11/02 Page 13 of 13
7.3 Access Matrix
Table 7.3
SRDI versus SRDI Access
SRDI Access
Operation
Applicable
Role
User Service
Retrieve
Key
Store
Key
Erase
Key
Create
KPK
User
Role
Crypto
Officer
Role
1. Initiate Self Tests X X X
2. Zeroize All Keys X X X
3. Erase/Reset KMF CC X X
4. Transfer Master Key X X X X
5. Shutdown KMF CC X X
6. Download RSS X X
7. Inner Layer Encryption X X X
8. Inner Layer Decryption X X X
9. Outer Layer Encryption X X X
10. Outer Layer Decryption X X X
11. Random Encryption Key Generation X X X
12. MAC Generation X X X
13. Encrypt & Forward X X X
14. Recrypt X X X X X
15. Download Configuration Parameter X X
16. Algorithm Request X X
17. Post Request X X
18. Software Version X X
19. Soundoff X X
20. KVL Programming X X