IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 2/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Document Information Release Date July 24, 2024 Trademarks, Copyrights, and Third-Party Software © 2024 Thales. All rights reserved. Thales and the Thales logo are trademarks and service marks of Thales and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. Disclaimer All information herein is either public information or is the property of and owned solely by Thales and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Thales’s information. This document can be copied or distributed for informational, non-commercial, internal and personal use only provided that:  The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.  This document shall not be posted on any network computer or broadcast in any media other than on the NIST CMVP validation list and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Thales makes no warranty as to the value or accuracy of information contained herein. Thales hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Thales be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 3/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Thales be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Thales products. Thales disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 4/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. References Acronym Full Specification Name [GlobalPlatform] GlobalPlatform Consortium: GlobalPlatform Card Specification 2.2.1, January 2011, http://www.globalplatform.org [ISO 7816] ISO/IEC 7816-1:1998 Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics ISO/IEC 7816-2:2007 Identification cards -- Integrated circuit cards -- Part 2: Cards with contacts -- Dimensions and location of the contacts ISO/IEC 7816-3:2006 Identification cards -- Integrated circuit cards -- Part 3: Cards with contacts -- Electrical interface and transmission protocols ISO/IEC 7816-4:2005 Identification cards -- Integrated circuit cards -- Part 4: Organization, security and commands for interchange [ISO 14443] Identification cards – Contactless integrated circuit cards – Proximity cards ISO/IEC 14443-1:2008 Part 1: Physical characteristics ISO/IEC 14443-2:2010 Part 2: Radio frequency power and signal interface ISO/IEC 14443-3:2011 Part 3: Initialization and anticollision ISO/IEC 14443-4:2008 Part 4: Transmission protocol [JavaCard] Java Card 3.1.0 Runtime Environment (JCRE) Specification Java Card 3.1.0 Virtual Machine (JCVM) Specification Java Card 3.1.0 Application Programming Interface Published by Sun Microsystems, February 2021. [FIPS 140-3] Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, March 2019 [IG] NIST, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program, January 2024. [FIPS 180-4] NIST, Secure Hash Standard, FIPS Publication 180-4, August 2015 [FIPS 186-4] NIST, Digital Signature Standard (DSS), FIPS Publication 186-4, July 2013. [FIPS 186-5] NIST, Digital Signature Standard (DSS), FIPS Publication 186-5, February 2023. [FIPS 197] NIST, Advanced Encryption Standard (AES), FIPS Publication 197, November 26, 2001. [FIPS 198-1] Federal Information Processing Standards Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008. [FIPS 202] Federal Information Processing Standards Publication 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015. [FIPS 113] NIST, Computer Data Authentication, FIPS Publication 113, 30 May 1985. [ISO 19790:2012] ISO/IEC 19790:2012 (Corrected 2015-12-15, IDT) Information technology – Security techniques – Security requirements for cryptographic modules, 2015- 12-15. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 5/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. [ISO 24759:2017] ISO/IEC 24759:2017 (Corrected 2017-03, IDT) Information technology – Security techniques – Test requirements for cryptographic modules, 2017-03. [PKCS#1] PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002 [SP 800-108r1] NIST Special Publication 800-108 Revision 1, Recommendation for Key Derivation Using Pseudorandom Functions, August 2022. [SP 800-131Ar2] NIST Special Publication 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019. [SP 800-132] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation: Part 1: Storage Applications, December 2010. [SP 800-133r2] NIST Special Publication 800-133 Revision 2, Recommendation for Cryptographic Key Generation, June 2020. [SP 800-140Cr2] NIST Special Publication 800-140C Revision 2, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759, July 2023. [SP 800-140Dr2] NIST Special Publication 800-140D Revision 2, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759, July 2023. [SP 800-140E] NIST Special Publication 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790:2012 Annex E and ISO/IEC 24759 Section 6.17, March 2020. [SP 800-140F] NIST Special Publication 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759, March 2020. [SP 800-38A] NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation – Methods and Techniques, December 2001. [SP 800-38B] NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication, May 2005 (with October 2016 updates). [SP 800-38D] NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007. [SP 800-38E] NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices, January 2010. [SP 800-38F] NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012. [SP 800-56Ar3] NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Revision 3, April 2018. [SP 800-56Br2] NIST Special Publication 800-56B, Recommendation for Pair-Wise Key- Establishment Schemes Using Integer Factorization Cryptography, Revision 2, March 2019. [SP 800-56Cr2] NIST Special Publication 800-56C, Recommendation for Key-Derivation Methods in Key-Establishment Schemes, Revision 2, August 2020. [SP 800-67r2] NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Revision 2, November 2017. [SP 800-90Ar1] NIST Special Publication SP 800-90A, Recommendation for Random Number Generation Using Deterministic Bit Generators, Revision 1, June 2015. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 6/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. [SP 800-90B] NIST, SP 800-90B, “Recommendation for the Entropy Sources Used for Random Bit Generation”, January 2018. Table 1 – References Term Definition AES Advanced Encryption Standard API Application Programming Interface CBC Cipher Block Chaining CKG Cryptographic Key Generation CLK CLocK CM Cryptographic Module CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CO Crypto Officer CRC Cyclic Redundancy Check CS Cipher Suite DAP Data Authentication Pattern DES Data Encryption Standard DRBG Deterministic Random Bit Generator DM Delegated Management ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm EDC Error Detection Code EFP Environmental Failure Protection ESV Entropy Source Validation FIPS Federal Information Processing Standards GND Ground (electrical connection) GP Global Platform HKDF HMAC Key Derivation Function IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 7/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. HMAC Hash-based keyed Message Authentication Code HW Hardware I/O Input Output ISO International Standards Organisation JCAPI JavaCard API JCRE JavaCard Runtime Environment KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key Based Key Derivation Function KC Key Confirmation KDF Key Derivation Function MAC Message Authentication Code MMU Memory Management Unit OPACITY Open Protocol for Access Control, Identity, Ticketing with privacY PIN Personal Identification Number PIV Personal Identity Verification PKCS Public Key Cryptographic Standards PRI PRIvate (key) PSS Probabilistic Signature Scheme PST Periodic Self Test PUB PUblic (key) RAM Random Access Memory SCP Secure Channel Protocol SD Security Domain SHA Secure Hash Algorithm SSD Supplementary Security Domain SSP Sensitive Security Parameter SYM SYMmetric (key) RF Radio Frequency RLC Reinforced Low Cost RLT RLC Thin IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 8/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. RSA Rivest Shamir Adleman SCP Secure Channel Protocol TRNG True Random Number Generator UA Unauthenticated User UART Universal Asynchronous Receiver Transceiver USB Universal Serial Bus USR USeR VCC Voltage Common Collector VM Virtual Machine Table 2 – Acronyms and Definitions IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 9/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Table of Contents 1 General ...................................................................................................................................................... 13 2 Cryptographic Module Specification.................................................................................................... 14 2.1 Test Configuration.....................................................................................................................................16 2.1 Tested Operational Environment Physical Perimeter..........................................................................17 2.2 CM Identification........................................................................................................................................17 2.3 Approved Algorithms ...............................................................................................................................21 2.4 Non-Approved Algorithms .......................................................................................................................27 3 Cryptographic Module Interfaces ......................................................................................................... 27 3.1 PIN Assignments and Contact Dimensions ..........................................................................................27 4 Roles, Services, and Authentication .................................................................................................... 29 4.1 Roles...........................................................................................................................................................29 4.2 Approved Services....................................................................................................................................29 4.3 Authentication Methods............................................................................................................................42 4.3.1 Secure Channel Protocol (SCP) Authentication (CO) ...........................................................................42 4.3.2 Demonstration Applet Authentication Method (USR).........................................................................43 5 Software/Firmware Security................................................................................................................... 44 6 Operational Environment ....................................................................................................................... 45 7 Physical Security ..................................................................................................................................... 46 8 Non-invasive security ............................................................................................................................. 48 9 Sensitive security parameter management......................................................................................... 49 9.1 Sensitive Security Parameters Summary..............................................................................................50 9.2 Random bit generator entropy sources .................................................................................................65 10 Self-tests.................................................................................................................................................... 66 10.1 Pre-Operational Self-Tests ......................................................................................................................66 10.2 Conditional Self-Tests ..............................................................................................................................66 10.2.1 Conditional Cryptographic Algorithm Tests.........................................................................................66 10.2.2 Conditional Pair-wise Consistency Tests..............................................................................................67 10.2.3 Conditional Firmware Load Tests ........................................................................................................67 10.2.4 Conditional Critical Functions Tests.....................................................................................................67 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 10/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 10.3 Periodic Self-tests .....................................................................................................................................68 11 Life-cycle assurance ............................................................................................................................... 69 11.1 Delivery and Operation.............................................................................................................................69 11.2 Guidance Documents...............................................................................................................................69 11.3 Guidance ....................................................................................................................................................69 12 Mitigation of Other Attacks .................................................................................................................... 70 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 11/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Table of Tables Table 1 – References ................................................................................................. 6 Table 2 – Acronyms and Definitions................................................................................. 8 Table 3 – Security Levels ............................................................................................13 Table 4 – Cryptographic Module Tested Configuration ..........................................................16 Table 5 – Tags for Tracking Data (Approved Mode) .............................................................18 Table 6 – Card Production Life Cycle Data........................................................................19 Table 7 – Versions and Operations Indicators ....................................................................19 Table 8 – get data command to output Demonstration applet version (Approved Mode) ...................20 Table 9: Approved Algorithms.......................................................................................26 Table 10 – Ports and Interfaces .....................................................................................27 Table 11 - Voltage and Frequency Ranges........................................................................28 Table 12 – Contactless voltage and Frequency Ranges.........................................................28 Table 13 - Roles, Service Commands, Input and Output ........................................................31 Table 14 –Approved Services .......................................................................................41 Table 15 – Roles and Authentication...............................................................................42 Table 16 - Physical Security Inspection Guidelines ..............................................................46 Table 17 - Voltage and Temperature Ranges.....................................................................46 Table 18 - EFP/EFT ..................................................................................................47 Table 19 - Hardness testing temperature ranges .................................................................47 Table 20 – SSPs ......................................................................................................64 Table 21 – Non-Deterministic Random Number Generation Specification ....................................65 Table 22 –Conditional Algorithm Self-Tests .......................................................................67 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 12/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Table of Figures Figure 1 – Cryptographic Boundary .................................................................................14 Figure 2 - Models......................................................................................................17 Figure 3 - Contact and Contactless Interfaces....................................................................27 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 13/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 1 General This document defines the Security Policy for the Thales IDCore 3230 / 230 Platform cryptographic module, herein denoted the Module. The Module, validated to FIPS 140-3 overall Level 3, is a single-chip “contact” or “contact and contactless” module implementing the Global Platform operational environment, with Card Manager and Demonstration Applet. The Demonstration Applet is available only to demonstrate the complete cryptographic capabilities of the Module for FIPS 140-3 validation and is not intended for general use. The term platform herein is used to describe the chip and operational environment, not inclusive of the Demonstration Applet. The Module has a limited operational environment. The Module includes a firmware load function to support necessary updates. New firmware versions within the scope of this Security Policy and certificate must be validated through the FIPS 140-3 CMVP. Any other firmware loaded onto this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. The FIPS 140-3 security levels for the Module are as follows: ISO/IEC 24759 Section 6. [Number Below] FIPS 140-3 Section Title Security Level 1 General 3 2 Cryptographic Module Specification 3 3 Cryptographic Module Interfaces 3 4 Roles, Services, and Authentication 3 5 Software/Firmware Security 3 6 Operational Environment N/A 7 Physical Security 3 8 Non-Invasive Security N/A 9 Sensitive Security Parameter Management 3 10 Self-Tests 3 11 Life-Cycle Assurance 3 12 Mitigation of Other Attacks N/A Table 3 – Security Levels IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 14/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 2 Cryptographic Module Specification The IDCore 3230/230 platform cryptographic module is a single chip hardware module. The platform is available in both 'contact' or 'contact and contactless' variants implementing the Global Platform operational environment, with Card Manager and a Demonstration Applet. Figure 1 below depicts the Module’s block diagram, with a red outline highlighting the cryptographic boundary. The cryptographic boundary encompasses all the components included on the single chip. Hardware Native / Hardware Abstraction layer Timers Sensors RAM ROM EEPROM MMU CPU Power Mgmt Clock Mgmt HW RNG RSA / ECC Engine CRC ISO 7816 (UART) DES Engine AES Engine CLK VCC, GND Reset Mgmt RST Memory Manager Communication (I/O) Crypto Libraries Virtual Machine JC 2.2.2 Runtime Environment JC 2.2.2 API JavaCard 2.2.2 / Gemalto Proprietary Card Manager GP API 2.1.1 IC Layer IDCore30 Javacard Platform Layer Applet Layer IDPrimeMD Applet Hardware Native / Hardware Abstraction layer Demonstration Applet Timers Sensors RAM FLASH EEPROM MMU CPU (SLC37) Power Mngt Clock Mngt HW RNG RSA / ECC Engine CRC ISO 7816 (UART) DES Engine AES Engine CLK VCC, GND Reset Mngt RST Memory Manager Communication (I/O) Crypto Libraries Virtual Machine JC 3.1.0 Runtime Environment JC 3.1.0 API JavaCard 3.1.0 & Thales Proprietary Card Manager GP API 2.2.1 IC Layer IDCore 3230 Javacard platform layer Applet Layer ISO 14443 (RF) LA, LB (RF) Figure 1 – Cryptographic Boundary IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 15/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. The CM is fully compliant with two major cards industry standards: Oracle Java Card 3.1.0 Classic Edition and GlobalPlatform (GP) Card Specification version 2.2.1. The CM supports [ISO7816] T=0, T=1 and T=CL communication protocols. The CM provides an execution sandbox for Applets, performing the requested services as described in this security policy. Applets access module functionality via internal API entry points that are not exposed to external entities. External devices have access to CM services by sending APDU commands. The CM inhibits all data output via the data output interface while the module is in error state and during self-tests. The JavaCard API (JCAPI) is an internal interface, available to applets. Only applet services are available at the card edge (the interfaces that cross the cryptographic boundary). The Javacard Runtime Environment (JCRE) implements the dispatcher, registry, loader, and logical channel functionalities. The Virtual Machine (VM) implements the byte code interpreter, firewall, exception management and byte code optimizer functionalities. The Card Manager is the card administration entity, allowing authorized users to manage the card content, keys, and life cycle states. The Card Manager behaves similarly to an applet but is properly represented as a constituent of the platform. In case of delegated management (DM), the Supplementary Security Domain (SSD) behaves similarly to the Card Manager in term of card content, keys and life cycle states. The Memory Manager implements functions such as memory access, allocation, deletion and garbage collection. The Communication handler implements the ISO 7816 and ISO 14443 communications protocols in contactless mode and dual mode. The Cryptography Libraries implement the Approved services listed in Section 2.2. The Module is designed to be embedded into a plastic card body, passport, USB key, secure element etc., with a contact plate connection and/or RF antenna. The Module’s single chip is the SLC37GDA512. It can be presented in three different form factors: - WORLD RLT module (contact) - WORLD Combi RLT module (contact and contactless) - PICO RLV module (contact) IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 16/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 2.1 Test Configuration The following tested configurations are covered in this security policy: Model Hardware [Part Number and Version] Firmware Version Distinguishing Features World RLT module Hardware: SLC37GDA512 Mask number: G322 Part Number: A2848377 Firmware: IDCore 230-BUILD6.11 Demonstration Applet version V1.D Java Card 3.1.0 GlobalPlatform (GP) 2.2.1 Interface: contact with protocol communication T=0 and T=1 World Combi RLT module Hardware: SLC37GDA512 Mask number: G322 Part Number: A2848344 Firmware: IDCore 3230-BUILD6.11 Demonstration Applet version V1.D Java Card 3.1.0 GlobalPlatform (GP) 2.2.1 Interface: contact with protocol communication T=0 and T=1 Contactless with protocol communication T=CL PICO RLV Module Hardware: SLC37GDA512 Mask number: G322 Part Number: A3138921 Firmware: IDCore 230-BUILD6.11 Demonstration Applet version V1.D Java Card 3.1.0 GlobalPlatform (GP) 2.2.1 Interface: contact with protocol communication T=0 and T=1 Table 4 – Cryptographic Module Tested Configuration IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 17/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 2.1 Tested Operational Environment Physical Perimeter The physical form of the Module is depicted in Figure . The Tested Operational Environment’s Physical Perimeter (TOEPP) is defined as the surfaces and edges of the packages. The Module relies on [ISO 7816] and/or [ISO 14443] card readers as input/output devices. WORLD RLT module (SLC37GDA512) Oblong punching Top View – Contact Plate Bottom View – Black Epoxy with RLT technology WORLD Combi RLT module (SLC37GDA512) Oblong punching Top View – Combi Plate Bottom View – Black Epoxy with RLT technology PICO RLV module (SLC37GDA512) Top View – Contact Plate Bottom View – Black Epoxy with RLV technology Figure 2 - Models 2.2 CM Identification The CM is always in the approved mode of operation, it does not support a non-approved mode of operation To verify that a CM is in the approved mode of operation, select the Card Manager and send the GET DATA commands shown below: IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 18/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Field CLA INS P1-P2 (Tag) Le (Expected response length) Purpose Value 00 CA 9F-7F 2Dh Get CPLC data (tag 9F 7F) 01-03 1Dh Get Identification data (tag 01 03) 01-2F 10h Get Approved mode parameters (tag 01 2F): Table 5 – Tags for Tracking Data (Approved Mode) The CM production life cycle data can be checked using GET DATA command with tag ‘9F7F’. The Module responds with 42 bytes composed of: IDCore 3230/230 - CPLC data (tag 9F7F) Byte Description Value Value meaning 1-2 IC fabricator 4090h Infineon 3-4 IC type 0039h SLC37GDA512 5-6 Operating system identifier 1291h Thales 7-8 Operating system release date (YDDD) – Y=Year, DDD=Day in the year YDDDh Operating System release Date 9-10 Operating system release level 0100h V1.0 11-12 IC fabrication date xxxxh Filled in during IC manufacturing 13-16 IC serial number xxxxxxxxh Filled in during IC manufacturing 17-18 IC batch identifier xxxxh Filled in during IC manufacturing 19-20 IC module fabricator xxxxh Filled in during module manufacturing 21-22 IC module packaging date xxxxh Filled in during module manufacturing 23-24 ICC manufacturer xxxxh Filled in during module embedding 25-26 IC embedding date xxxxh Filled in during module embedding 27-28 IC pre-personalizer xxxxh Filled in during smartcard preperso 29-30 IC pre-personalization date xxxxh Filled in during smartcard preperso 31-34 IC pre-personalization equipment identifier xxxxxxxxh Filled in during smartcard preperso IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 19/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 35-36 IC personalizer xxxxh Filled in during smartcard personalization 37-38 IC personalization date xxxxh Filled in during smartcard personalization 39-42 IC personalization equipment identifier xxxxxxxxh Filled in during smartcard personalization Table 6 – Card Production Life Cycle Data The CM identification data can be checked using GET DATA command with tag ‘0103’. The Module responds with 29 bytes composed of: IDCORE 3230/230 - Identification data (tag 0103) Byte Description Value Value meaning 1 Thales Family Name B0 Javacard 2 Thales OS Name 84 IDCore family 3 Thales Mask Number 66 G322 4 Thales Product Name 6B IDCore3230 / 230 5 Thales Version 06 Major Version 6 Thales Version (Minor) 11 Minor Version1 7-8 Chip Manufacturer 4090 Infineon 9-10 Chip Version 7305 SLC37GDA512 11-12 Operational Mode 8900 Approved mode 13 FIPS Level for product 03 03 = FIPS Level 3 14-15 Specific chip ID 32 30 32 30 = Contact and Contactless 2 30 = Contact 16-29 RFU xx..xxh RFU Table 7 – Versions and Operations Indicators The status of the Approved mode of operation can be checked using GET DATA command with tag ‘012F’. The Module responds with 16 bytes composed of: • 4 bytes for CAST status 1 Bytes 5 and 6, as indicated in Table 7 above collective indicate the validated Firmware version number, “IDCore 3230-BUILD6.11”. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 20/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. • 2 bytes for Error log • 4 bytes for Periodic Self-Test counter • 4 bytes for Periodic Self-Test maximum counter value • 1 byte for Operational Mode • 1 byte for Flag The Demonstration Applet version can be checked using GET VERSION command, after having selected the applet: Field CLA INS P1-P2 (Tag) Le (Expected response length) Purpose Value 00 AA 00 00 01 1Dh (version) Table 8 – get data command to output Demonstration applet version (Approved Mode) IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 21/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 2.3 Approved Algorithms The CM implements the following approved services: CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: AES-CBC Standard: [SP 800- 38A] Mode: CBC Method: encryption and decryption Key size: 128, 192 and 256-bits Manage Content Module Info (Auth) Secure Channel Symmetric Cipher Opacity Secure Channel Cert. #A2877 Algorithm: AES-CMAC Standard: [SP 800- 38B] Method: generation and verification Key size: 128, 192 and 256-bits MAC Length: 128 Message Length: 128-256 Increment 8 Life cycle Manage Content Module Info (Auth) Secure channel Symmetric Cipher Message Authentication Opacity Secure Channel Cert. #A2877 Algorithm: AES-ECB Standard: [SP 800- 38A] Mode: ECB Method: encryption and decryption Key size: 128, 192 and 256-bits Manage Content Symmetric Cipher Verify OS-GLOBALPIN IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 22/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: Counter DRBG Standard: [SP 800- 90Ar1] Mode: Counter mode based on AES-256. Security strength: 256-bits Derivation Function Enabled: Yes Additional Input: 0 Entropy Input: 1024 Nonce: 384 Personalization String Length: 0 Returned Bits: 128. Secure Channel Digital Signature Generate Key Pair Opacity Secure Channel Cert #E107 Algorithm: ESV Standard: [SP 800- 90B] Method: Hardware TRNG includes conditioning (based on compression) and SP 800-90B required health tests. Security strength: min-entropy is 13.376 per 32-bit blocks Entropy source for DRBG [SP 800- 90Ar1] Cert. #A2877 Algorithm: ECDSA KeyGen Standard: [FIPS 186-5] Method: Key Generation Secret Generation Mode: Extra Bits Key pair generation using P-224, P- 256, P-384, P-521 curves. Security Strength: between 112 bits (P- 224) and 256 bits (P-521) Generate Key Pair Cert. #A2877 Algorithm: ECDSA SigGen Standard: [FIPS 186-5] Method: Signature Generation Hash options: SHA2-224, SHA2-256, SHA2-384, SHA2- 512 Capabilities: Curve: P-224, P-256, P-384, P-521 Hash Algorithm: SHA2-224, SHA2- 256, SHA2-384, SHA2-512 Digital Signature Cert. #A2877 Algorithm: ECDSA SigVer. Standard: [FIPS 186-5] Method: Signature Verification. Hash options: SHA2-224, SHA2-256, SHA2-384, SHA2- 512 Capabilities: Curve: P-224, P-256, P-384, P-521 Hash Algorithm: SHA2-224, SHA2- 256, SHA2-384, SHA2-512 Security Strength: between 112 bits (P- 224) and 256 bits (P-521) Digital Signature IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 23/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: HMAC- SHA2-256 Standard: [FIPS 198-1] Method: HMAC-SHA2-256 Key size: 16 bytes MAC: 256 Key Length: 128, 256 Compute HashMac Cert. #A2877 Algorithm: KAS-ECC Standard: [SP 800- 56Ar3] Method: OnePassDH is a One Step KDF with partial key validation and Unilateral key confirmation (KC) using CMAC-AES Curves: P-256 using SHA-256 with KC CMAC-AES128 bits Key length: 512 bits Curves: P-384, using SHA-384, with KC CMAC-AES 256 bits Key length: 1024 bits Opacity Secure Channel Cert. #A2877 Algorithm: KAS-ECC- SSC Standard: [SP 800- 56Ar3] Method: ephemeralUnified KAS Role: initiator, responder Curves: P-224, P-256, P-384, P-521. ECC CDH Primitive Cert. #A2877 Algorithm: KDA OneStep Standard: [SP800- 56Cr2] Method: One Step Key derivation using approved hash (SHA2-256) Fixed Info Pattern: uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation Derived Key Length: 256 Shared Secret Length: 256 Key-Derivation Functions (KDF) Opacity Secure Channel Cert. #A2877 Algorithm: KDA HKDF Standard: [SP800- 56Cr2] Method: HMAC -based KDF (RFC5869) Fixed Info Pattern: uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation Derived Key Length: 512 Shared Secret Length: 256 HMAC Algorithm: SHA2-256 Key-Derivation Functions (KDF) IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 24/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: KBKDF Standard: [SP 800- 108r1] Mode: Counter KDF MAC Mode: CMAC-AES128, CMAC- AES192, CMAC-AES256 Description: Derive session key from existing static secret key for SCP03 establishment Key size: 128, 192 and 256-bits Supported Lengths: 128-256 Increment 64 Fixed Data Order: In the Middle of Fixed Data Counter Length: 8 Custom Key In Length: 0 Secure Channel Cert. #A2877 Algorithm: KTS Standards: [SP 800-38F] AES ENC + AES CMAC Mode: AES (CBC or ECB) encryption with AES CMAC authentication Method: Key Transport Scheme/Key Wrapping AES Description: Use of approved AES encryption method (SP 800-38A) with the combination of approved Authentication method AES CMAC [SP 800-38B] Key size: 128, 192 and 256-bits. Secure Channel Cert. #A2877 Algorithm: RSA KeyGen (CRT) Standard: [FIPS 186-5] Method: Key Generation Mode probable Hash options: SHA2-224, SHA2-256, SHA2-384, SHA2- 512 Key sizes: 2048, 3072, 4096 bit keys Private Key Format: crt Generate Key Pair Cert. #A2877 Algorithm: RSA KeyGen Standard: [FIPS 186-5] Method: Key Generation Mode probable Hash options: SHA2-224, SHA2-256, SHA2-384, SHA2- 512 Key sizes: 2048 bit keys Private Key Format: std Generate Key Pair IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 25/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: RSA SigGen Standard: [FIPS 186-5] Method: Signature Generation Signature Type: PKCS #1-v1.5, PKCS- PSS. Hash options: (PKCS #1-v1.5 and PKCS-PSS): SHA2- 224, SHA2-256, SHA2-384, SHA2-512 Key sizes: 2048, 3072, 4096 bit keys Private Key Format: crt and std Digital Signature Cert. #A2877 Algorithm: RSA SigVer Standard: [FIPS 186-5] Method: Signature Verification Signature Type: PKCS #1-v1.5 1.5, PKCS-PSS. Hash options: (PKCS #1-v1.5 and PKCS-PSS): SHA2- 224, SHA2-256, SHA2-384, SHA2-512 Key sizes: 2048, 3072, 4096 bit keys Digital Signature Manage Content Cert. #A2877 Algorithm: SHA2 Standard: [FIPS 180-4] Method: SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Message Length: 8-65536 Increment 8 N/A. Digital Signature Compute Hash Key Derivation Functions Manage Content Cert. #A2877 Algorithm: SHA3 Standard: [FIPS 202] Methods: SHA3-224, SHA3-256, SHA3- 384, SHA3-512. Message Length: 0-65536 Increment 8 N/A. Compute Hash Cert. #A2877 Algorithm: TDES-CBC Standard: [SP 800- 67r2] Mode: CBC Method: Decrypt (legacy use) Description: The Module supports the 3-Key, with CBC decrypt mode for legacy use only. Key size: 168-bits (3-key). Symmetric Cipher (decrypt only) IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 26/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. CAVP Cert Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function Cert. #A2877 Algorithm: TDES-ECB Standard: [SP 800- 67r2] Mode: ECB Method: Decrypt (legacy use) Description: The Module supports the 3-Key, with ECB decrypt mode for legacy use only. Key size: 168-bits (3-key). Symmetric Cipher (decrypt only) Vendor Affirmed Algorithm: CKG Standard: [SP 800- 133r2] Method: Sections 4, 5.1 and 5.2 Description: The seeds used for asymmetric key pair generation are produced using the unmodified/direct output of the DRBG. Security Strength: 256-bits Generate Key Pair Table 9: Approved Algorithms NOTE The following algorithms are present in the module and have completed CAVP testing (under CAVP #A2877) but this code is not executed for the validated configuration of the module. • ECDSA KeyGen (FIPS 186-4), ECDSA SigGen (FIPS 186-4), ECDSA SigVer (FIPS 186-4), KTS-IFC (KTS-OAEP-basic, rsa std 2048), KTS-IFC (KTS-OAEP-basic, rsa CRT 2048, 3072, 4096), RSA KeyGen (FIPS 186-4), RSA SigGen (FIPS 186-4), RSA SigVer (FIPS 186- 4), RSA Decryption Primitive (SP 800-56B), SHA1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 27/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 2.4 Non-Approved Algorithms The module only implements approved services/algorithms and does not support any non- approved algorithms. 3 Cryptographic Module Interfaces The Module is designed to be embedded into a plastic card body, passport, USB key, secure element etc., with a contact plate connection and/or RF antenna. 3.1 PIN Assignments and Contact Dimensions The WORLD Combi RLT module has access to contact and contactless interfaces. The WORLD RLT module and the PICO RLV module have only access to a contact interface. The contact interface is the same for all the module variants. Figure 3 - Contact and Contactless Interfaces The Module does not support a Control Output interface. Physical port Logical interface Data that passes over port/interface VCC Supply voltage Power RST Reset signal Control in CLK Clock signal Control in GND Ground Power I/O Input/output Data in, data out, control in, status out LA Antenna coil connection Power, Data in, Data out, Control in, Status out LB Antenna coil connection Power, Data in, Data out, Control in, Status out Table 10 – Ports and Interfaces IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 28/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. For contact interface operation, the Module conforms to [ISO 7816] part 1 and part 2. The electrical signals and transmission protocols follow the [ISO 7816] part 3. The operating conditions for the contact interfaces of this module are: Conditions Range Voltage 1.8V, 3 V and 5.5 V DC Frequency2 1MHz to 10MHz Table 11 - Voltage and Frequency Ranges For contactless interface operation, the Module conforms to [ISO 14443] part 1 for physical connections, and to [ISO 14443] parts 2, 3 and 4 for radio frequencies and transmission protocols. The operating conditions for the contactless interfaces of this module are: Conditions Range Supported bit rate 106 Kbits/s, 212 Kbits/s, 424 Kbits/s, 848 Kbits/s Operating field Between 1.5 A/m and 7.5 A/m rms Frequency 13.56 MHz +- 7kHz Table 12 – Contactless voltage and Frequency Ranges 2 Frequency of the internal clock as supplied by the CLK physical interface. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 29/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 4 Roles, Services, and Authentication 4.1 Roles The module supports two authenticated roles, the Cryptographic Officer (CO) and the User (USR). The CO is responsible for card issuance and management of card data via the Card Manager Authenticated using the SCP authentication method with SD-SENC. The USR is for FIPS 140-3 validation purposes, authenticated as described in Demonstration Applet Authentication below. The module also supports unauthenticated services, which are implicitly invoked by the Unauthenticated Role (UA). Authentication of each operator and their access to roles and services is as described below, independent of logical channel usage. Only one operator at a time is permitted on a channel. Applet deselection (including Card Manager), card reset, or power down terminates the current authentication; re-authentication is required after any of these events for access to authenticated services. Applet reselection (except Card Manager that close systematically the GlobalPlatform secure channel) is leaving the secure channel unchanged and it is up to the applet policy to close it or not. The module clears previous authentications on each power cycle. It also supports Global Platform SCP logical channels, allowing concurrent operators in a limited fashion. 4.2 Approved Services All approved services implemented by the Module are listed in the tables below. The module does not support any non-approved services. Role Service Input Output CO Lifecycle: Modify the card or applet life cycle status Set / Get Status: life cycle state to update/ empty return Status Word / life cycle state and package list CO Manage Content: -Load, install, and delete application packages and associated keys and data -Manage keys: SD-KENC, SD-KDEK,SD- KMAC, DAP-SYM, DAP-ASYM, DM-TOKEN- SYM, DM-TOKEN-ASYM, DM-RECEIPT- SYM (Put key) -Update Pin to change the OS-GLOBALPIN - applications and associated data - keys - OS-GLOBALPIN return Status Word CO Module Info (Auth): Read module configuration or status information (privileged data objects). Tags and module information module configuration status information return Status Word IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 30/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Role Service Input Output CO Secure Channel: Establish and use a secure communications channel (AES CMAC with KBKDF) random, diversification data authentication data, return Status Word USR Digital Signature: Demonstrate RSA and ECDSA digital signature generation and verification session, algorithm, algorithm parameters, data to sign. signature, return Status Word USR Generate Key Pair: Demonstrate RSA and ECC key generation None public and private key generated return Status Word USR ECC CDH Primitive: Demonstrate ECC Diffie-Hellman primitive Generate a shared secret from ECC-CDH scheme algorithm, algorithm parameters, Ecc public key shared secret, return Status Word USR Symmetric Cipher: Demonstrate use of AES for encryption and decryption.. Demonstrate use of Triple-DES for decryption only. session, algorithm, algorithm parameters, data to encrypt/decrypt encrypted / decrypted data, return Status Word. USR Message Authentication: Demonstrate AES CMAC Data CMAC return Status Word USR Key-Derivation Functions (KDF): Demonstrate use of Keys diversification service • KDA HKDF • KDA OneStep ikm (“input key material”) salt, fixed info counter, shared secret and Other info okm: Output keys material return Status Word USR Compute Hash: compute the hash value message Hash return Status Word USR Compute HashMac: compute the hashmac value Message Key HashMac return Status Word UA Context – Select an applet or manage logical channels. data return Status Word UA Module Info - Read unprivileged data objects, e.g., module configuration or status information. Data return Status Word IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 31/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Role Service Input Output UA Module Reset - Power cycle or reset the Module. Includes Integrity Self-Test, periodic self-test counter set up and self-test flag is reset N/A ATR (Answer To Reset) UA Run Cryptographic KAT - Sets a flag to that a specific cryptographic KATs has been performed on demand via Module Reset. Data return Status Word UA Get Approved mode parameters - Get information of the approved mode of operation N/A data return Status Word UA Verify the OS-GLOBALPIN OS-GLOBALPIN return Status Word UA OPACITY Secure Channel - Establishes a secure channel based on opacity to protect confidentiality and integrity of transmitted information and allows the off-card entity initiating the Opacity Secure Messaging to authenticate the module Data control byte + nonce + cryptogram + cert return Status Word Table 13 - Roles, Service Commands, Input and Output Opacity Secure Channel service: OPACITY (Open Protocol for Access Control Identification and Ticketing with privacY) is a compact flexible secure and fast authentication protocol with secure messaging capability. This secure messaging is based on symmetric session keys derived using the key establishment protocol. The key establishment protocol authenticates the card application to the client application and establishes a set of session keys that may be subsequently used to protect the communication channel between the two parties. Once session keys are established and the card is authenticated, subsequent communication with the card can be performed using secure messaging. This is a one way authentication protocol. The reader is not authenticated by the card. This secure channel is based on the card key: DEM-OPACITY-PRI and an ephemeral key generated by the host. The section 4.1 of SP 800-73-4 specification describes the key establishment protocol used to support secure messaging in the PIV Card Application. The strength depends on cipher suite CS2 and CS7: • Cipher Suite 2 (AES 128, ECDSA with SHA-256 using an ECDSA (Curve P-256) key) provides 128 bits of channel strength. • Cipher Suite 7 (AES 256, ECDSA with SHA-384 using an ECDSA (CurveP-384) key) provides 192 bits of channel strength. All usage of SSPs by the services implemented by the Module are listed in the table below: IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 32/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. All of the above commands use the SD-SENC and SD-SMAC keys for secure channel communications, and SD-SMAC for firmware load integrity. The card life cycle state determines which modes are available for the secure channel. In the SECURED card life cycle state, all command data must be secured by at least a MAC. As specified in the GP specification, there exist earlier states (before card issuance) in which a MAC might not be necessary to send Issuer Security Domain commands. Note that the LOAD service enforces MAC usage. The provided demonstration applet enforces the restrictions of algorithms, modes, and key sizes per NIST SP 800-131A Revision 1. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 33/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. In the ‘Access Rights to Keys and/or SSPs’ column: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. In the ‘Indicator Column’: IND_1: The status conditions for successfully completed execution is 90 00 Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator Lifecycle Modify the card or applet life cycle status AES-CMAC OS-DRBG-EI OS-DRBG-S OS-DRBG-V OS-DRBG-KEY OS-GLOBALPIN OS-MKDK SD-KENC SD-KMAC SD-KDEK SD-SENC SD-SMAC DAP-SYM CO Z : for all SSPs When setting the card state to terminated IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 34/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator DM-TOKEN-SYM DM-RECEIPT-SYM DAP-ASYM DM-TOKEN-ASYM DEM-EDK DEM-MAC DEM-COM-EDK DEM-COM-MAC DEM-SGV-PRI DEM-KAP-PRI DEM-KGS-PRI DEM-DEM-SGV-PUB DEM-KAP-PUB DEM-KGS-PUB Manage Content1 Load, install, and delete application packages and associated keys and data AES-CBC AES-CMAC AES-ECB RSA SigVer SHA2 SD-KENC SD-KMAC OS-MKDK SD-KDEK SD-SENC SD-SMAC DAP-SYM DM-TOKEN-SYM CO W : SD-KENC, SD- KMAC, SD-KDEK, DAP-SYM, DM- TOKEN-SYM, DM- RECEIPT-SYM, DAP-ASYM, DM- TOKEN-ASYM, DEM-COM-EDK, DEM-COM-MAC E : IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 35/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator DM-RECEIPT-SYM DAP-ASYM DM-TOKEN-ASYM DEM-COM-EDK DEM-COM-MAC OS-MKDK, SD- KMAC, SD-KDEK, SD-SENC, SD- SMAC, DAP-SYM, DM-TOKEN-SYM, DM-RECEIPT-SYM, DAP-ASYM, DM- TOKEN-ASYM Z: DEM-COM-EDK, DEM-COM-MAC Manage Content2 Manage keys: SD-KENC, SD-KDEK, SD-KMAC, DAP-SYM, DAP-ASYM, DM-TOKEN-SYM, DM- TOKEN-ASYM, DM- RECEIPT-SYM (Put key) AES-CBC AES-CMAC AES-ECB SD-KENC SD-KDEK SD-KMAC DAP-SYM DAP-ASYM DM-TOKEN-SYM DM-TOKEN-ASYM DM-RECEIPT-SYM OS-MKDK CO W : SD-KENC, SD- KMAC, SD-KDEK, DAP-SYM, DAP- ASYM; DM-TOKEN- SYM, DM-TOKEN- ASYM, DM- RECEIPT-SYM E : OS-MKDK, SD- KMAC, SD-KDEK, SD-SENC, SD- SMAC IND_1 Manage Content3 Update Pin to change the OS-GLOBALPIN AES-CBC AES-CMAC OS-GLOBALPIN OS-MKDK CO W : OS-GLOBALPIN E : IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 36/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator AES-ECB DEM-COM-EDK DEM-COM-MAC OS-MKDK, DEM- COM-EDK, DEM- COM-MAC Module Info (Auth) Read module configuration or status information (privileged data objects). AES-CBC AES-CMAC SD-SENC SD-SMAC CO E : SD-SENC, SD- SMAC IND_1 Secure Channel Establish and use a secure communications channel (AES CMAC with KBKDF) AES-CBC AES-CMAC KTS Counter DRBG ESV KBKDF OS-DRBG-EI OS-DRBG-S OS-DRBG-V OS-DRBG-KEY SD-KENC SD-KMAC SD-SENC SD-SMAC CO E : OS-DRBG-EI, OS- DRBG-S, OS-DRBG- V, OS-DRBG-KEY, SD-KENC, SD- KMAC, , SD-SENC, SD-SMAC G: SD-SENC, SD- SMAC W: OS-DRBG-V, OS- DRBG-KEY IND_1 Digital Signature Demonstrate RSA and ECDSA digital signature generation and verification SHA2 RSA SigGen RSA SigVer ECDSA SigGen ECDSA SigVer Counter DRBG OS-GLOBALPIN OS-DRBG-EI OS-DRBG-S OS-DRBG-V OS-DRBG-KEY OS-MKDK USR E : OS-DRBG-EI, OS- DRBG-S, OS-DRBG- V, OS-DRBG-KEY, OS-GLOBALPIN OS-MKDK DEM-SGV-PRI DEM-SGV-PUB IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 37/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator ESV DEM-SGV-PRI DEM-SGV-PUB W :, OS-DRBG-S, OS-DRBG-V R: DEM-SGV-PRI DEM-SGV-PUB Generate Key Pair Demonstrate RSA and ECC key generation RSA KeyGen RSA KeyGen (CRT) ECDSA KeyGen Counter DRBG ESV CKG OS-GLOBALPIN DEM-KGS-PUB DEM-KGS-PRI OS-DRBG-EI OS-DRBG-S OS-DRBG-V OS-DRBG-KEY OS-MKDK USR E : OS-GLOBALPIN DEM-KGS-PUB DEM-KGS-PRI OS-DRBG-KEY OS-MKDK OS-DRBG-EI, OS- DRBG-S, OS-DRBG- V, OS-DRBG-KEY G : DEM-KGS-PUB DEM-KGS-PRI R : DEM-KGS-PUB DEM-KGS-PRI W: DEM-KGS-PUB DEM-KGS-PRI OS-DRBG-S, OS- DRBG-V IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 38/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator Z : DEM-KGS-PUB DEM-KGS-PRI ECC CDH Primitive Demonstrate ECC Diffie- Hellman primitive KAS-ECC-SSC OS-GLOBALPIN DEM-KAP-PUB DEM-KAP-PRI OS-MKDK USR E : OS-GLOBALPIN DEM-KAP-PUB DEM-KAP-PRI OS-MKDK OS-DRBG-KEY R : DEM-KAP-PUB DEM-KAP-PRI : IND_1 Symmetric Cipher Demonstrate use of AES for encryption and decryption Demonstrate use of Triple- DES 3k for decryption for legacy AES-CBC AES-ECB AES-CMAC TDES-CBC TDES-ECB OS-GLOBALPIN OS-MKDK DEM-EDK USR E : OS-GLOBALPIN DEM-EDK OS-MKDK R : DEM-EDK Z : DEM-EDK IND_1 Message Authentication Demonstrate AES CMAC AES CMAC OS-GLOBALPIN OS-MKDK DEM-MAC USR E : OS-GLOBALPIN OS-MKDK DEM-MAC IND_1 Key-Derivation Functions (KDF) Demonstrate use of Keys diversification service KDA HKDF SHA2 OS-GLOBALPIN USR E : OS-GLOBALPIN IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 39/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator KDA HKDF KDA OneStep KDA OneStep OS-MKDK OS-MKDK Compute HASH Compute the hash value SHA2 SHA3 OS-GLOBALPIN OS-MKDK USR E : OS-GLOBALPIN OS-MKDK IND_1 Compute HashMac Compute the hash mac value HMAC-SHA2- 256 OS-GLOBALPIN OS-MKDK USR E : OS-GLOBALPIN OS-MKDK IND_1 Context Select an applet or manage logical channels. N/A N/A UA N/A IND_1 Module Info (Unauth) Read unprivileged data objects, e.g., module configuration or status information. N/A N/A UA N/A IND_1 Module Reset Power cycle or reset the Module. Includes Integrity Self-Test, periodic self-test counter set up and self-test flag is reset N/A SD-SENC SD-SMAC UA Z : SD-SENC, SD- SMAC IND_1 Run Cryptographic KAT Sets a flag to that a specific cryptographic KATs has been performed on demand via Module Reset. N/A N/A UA N/A IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 40/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator Get Approved mode parameters Get information on the approved mode of operation N/A N/A UA N/A IND_1 Verify OS- GLOBALPIN Verify the OS-GLOBALPIN AES-ECB OS-GLOBALPIN OS-MKDK UA E : OS-GLOBALPIN OS-MKDK IND_1 Opacity Secure Channel Establish a secure communications channel based on opacity AES-CBC AES-CMAC SHA2 KDA OneStep KAS-ECC Counter DRBG OS-DRBG-EI OS-DRBG-S OS-DRBG-V OS-DRBG-KEY OPACITY-SENC OPACITY-SMAC OPACITY-SRMAC OPACITY- SCONFIRMATION UA E : OS-DRBG-EI, OS- DRBG-S, OS-DRBG- V, OS-DRBG-KEY, OPACITY-SENC OPACITY-SMAC OPACITY-SRMAC OPACITY- SCONFIRMATION G: OPACITY-SENC OPACITY-SMAC OPACITY-SRMAC OPACITY- SCONFIRMATION W: OS-DRBG-S, OS- DRBG-V Z : IND_1 IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 41/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/or SSPs Indicator OPACITY- SCONFIRMATION Table 14 –Approved Services IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 42/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 4.3 Authentication Methods The module provides Identity-based authentication using either the Security Channel Protocol Authentication or the Demonstration Applet Authentication Method below. The following table lists the roles supported by the cryptographic module as well as how they are authenticated: Role ID Authentication Method Authentication Strength CO Secure Channel Protocol authentication method (Identity-based) See below USR Demonstration applet Authentication Method (Identity-based) See below UA N/A N/A Table 15 – Roles and Authentication The Module does not support a maintenance role. 4.3.1 Secure Channel Protocol (SCP) Authentication (CO) The CO role is authenticated to the module by an Open Platform Secure Channel Protocol authentication method. This method is performed when the EXTERNAL AUTHENTICATE command is invoked after successful execution of the INITIALIZE UPDATE command. The CO is individually and uniquely identified. The SD-KENC and SD-KMAC keys are used along with other information to derive the SD-SENC and SD- SMAC keys, respectively. The SD-SENC key is used to create a cryptogram; the external entity participating in the mutual authentication also creates this cryptogram. Each participant compares the received cryptogram to the calculated cryptogram and if this succeeds, the two participants are mutually authenticated). In accordance with SP 800-63B, this Authenticator type is best described as Single-Factor Cryptographic Software (Section 5.1.6). The strength of Global Platform mutual authentication relies on AES key length, and the probability that a random attempt at authentication will succeed is: •         128 2 1 for AES 16-byte-long keys •         192 2 1 for AES 24-byte-long keys •         256 2 1 for AES 32-byte-long keys IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 43/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. The probability that a single random attempt will succeed with the smallest (16-byte long key) is 1/(2128). Additionally, the module also enforces a maximum count of 15 consecutive failed authentication attempts. After 15 consecutive unsuccessful attempts, the secure channel authentication is permanently blocked. All services that require the secure channel authentication return the status word: SW_SECURITY_STATUS_NOT_SATISFIED. 4.3.2 Demonstration Applet Authentication Method (USR) The USR role is authenticate to the module by verifying a PIN value. This authentication method compares a PIN value sent to the Module over an encrypted channel to the stored OS-GLOBALPIN value; if the two values are equal, the operator is authenticated. In accordance to SP 800-63B, this Authenticator type is best described as Memorized Secrets (Section 5.1.1). The module enforces OS-GLOBALPIN string length of 8 bytes minimum (16 bytes maximum), allowing all characters, so the strength of this authentication method is as follows: • The probability that a random attempt at authentication will succeed is 1/2568. • Additionally, the module also enforces a maximum count of 15 consecutive failed authentication attempts of the Global PIN. After 15 consecutive unsuccessful attempts, the Global PIN verification is blocked permanently. All services that require the Global PIN verification will return the status word: SW_AUTHENTICATION_METHOD_BLOCKED. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 44/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 5 Software/Firmware Security The CM’s firmware integrity is checked on startup and when periodic self-test period is over. Periodic Self-Tests (PST) are performed and run the firmware integrity tests. The integrity technique is based on EDC (CRC-16), which is approved for a hardware module. The firmware image size covered by the integrity technique is roughly 200 KB. The integrity test can be triggered on demand by setting the specific flag with the proprietary command “autotest management”. Failure of firmware integrity self-tests during Periodic Self-Tests (PST) will trigger a module halt. Recovery from this state will require the module to be restarted and for the detected fault to have cleared. Otherwise, the module will re-halt during POST following restart. The module’s FIPS error log is updated regarding the encountered issue and the card goes into an error state. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 45/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 6 Operational Environment The module includes a limited Operating Environment. Only authorized applets can be loaded at post-issuance under control of the Cryptographic Officer. Their execution is controlled by the CM operating system following its security policy rules. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 46/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 7 Physical Security The module is a hardware module claiming level 3 physical security and of embodiment single-chip. The CM meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The CM uses standard passivation techniques and is protected by passive shielding (metal layer coverings opaque to the circuitry below) and active shielding (a grid of top metal layer wires with tamper response). A tamper event detected by the active shield places the Module permanently into the Card Is Killed error state. The Module is designed to be mounted in a plastic smartcard or similar package; physical inspection of the epoxy side of the Module is not practical after mounting. Module Inspection: Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Physical inspection of module surfaces for signs of tamper. On receipt of module following transport. Before each module use In the event of any observed damage, photograph the card and contact Thales to confirm whether observed anomalies are to be expected or are confirmed signs of potential tampering Table 16 - Physical Security Inspection Guidelines The normal operating conditions of use are the following: Conditions Range Voltage 1.8V-5V Temperature -25°C/+85°C Table 17 - Voltage and Temperature Ranges The module’s hardware is designed to sense and respond to out-of-range temperature conditions as well as out-of-range voltage conditions. The temperature and voltage conditions are only monitored in the powered-on state. The module supports an EFP mechanism that will trigger module shutdown if low or high temperature extremes and out-of-range voltage conditions are detected whilst the module is active. In the event that the module senses an out-of-range temperature or over voltage the module will reset itself, clearing all working memory. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 47/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. The module can be reset and placed back into operation when in-bound operating conditions have been restored . The following table covers the limits enforced by the module: Temperature or voltage measurement Specify EFP or EFT Specify if this condition results in a shutdown or zeroisation Low Temperature -45°C EFP Shutdown High Temperature +130°C EFP Shutdown Low Voltage 1.6 V EFP Shutdown High Voltage 5.5 V EFP Shutdown Table 18 - EFP/EFT The following table lists the temperature tested during the assessment of the module: Hardness tested temperature measurement Low Temperature -45°C, -25°C High Temperature +85ºC, +130°C Table 19 - Hardness testing temperature ranges IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 48/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 8 Non-invasive security No assured mitigations to ‘other attacks’ are covered in this security policy. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 49/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 9 Sensitive security parameter management All SSPs used by the CM are described in this section. All usages of these SSPs by the CM are described in the services. In addition, all keys stored in RAM are zeroized upon power-cycle of the CM. The following table lists Sensitive Security Parameters (SSP) used to perform approved security function supported by the cryptographic module. The following notes should be observed when reading the table: • Keys with the “SD” prefix pertains to a Global Platform Security Domain key set. The module supports the Issuer Security Domain at minimum, and can be configured to support Supplemental Security Domains • The “PRI” suffix indicates that this is a private key • The “PUB” suffix indicates that this is a public key • The “SYM” suffix indicates that this is a symmetric key • The “ASYM” suffix indicates that this is an asymmetric key • Keys with the “DEM” prefix are used by the demonstration applet The methods to zeroise SSPs, using the relevant CM services, are described below: -Power-cycling the module: Explicit zeroization method using the Module Reset service, the CM is able to destroy the SSPs by overwriting with zero values (in RAM memory). -Closing SCP secure channel: Explicit zeroization method using the Secure Channel service of the CO, the CM is able to destroy the SSPs of this service, at the closing of SCP secure channel by overwriting with zero values. -Module entering TERMINATED state: Explicit zeroization method using the Manage Content / Lifecycle service of the CO, the CM is able to enter the TERMINATED state, through the Set Status command, destroying the SSPs by overwriting with zero values. -Uninstallation of demonstration applet: Explicit zeroization method using the Manage Content / Delete service of the CO, the CM is able to destroy the SSPs of the demonstration applet, through the Delete command (uninstall method). Indication of success is determined by the status response 90 00. As per FIPS 140-3 IG D.L, the DRBG parameters Entropy Input String (“OS-DRBG-EI”), Seed (“OS-DRBG- S”), DRBG Internal State values V and Key (“OS-DRBG-V” and “OS-DRBG-KEY”) are considered CSPs by the module. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 50/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 9.1 Sensitive Security Parameters Summary Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys OS-DRBG-EI / Entropy Input / CSP 256 bits ESV Cert. #E107 Generated on module using ESV N/A N/A plaintext in RAM Module entering TERMINATED state 1024-bit random drawn by the approved entropy source described in section 9.2 of the SP and used as entropy input for the [SP 800-90A] DRBG implementation Used by the SCP authentication OS-DRBG-S / Seed / CSP 256 bits DRBG Cert. #A2877 Constructed as per SP 800-90A N/A N/A plaintext in RAM Power-cycling the module Module entering TERMINATED state 48 byte seed output from AES_DF used for instantiation of the [SP800- 90A] DRBG implementation Used by the SCP authentication IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 51/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys OS-DRBG-V / DRBG “V” value / CSP 128 bits DRBG Cert. #A2877 Constructed as per SP 800-90A N/A N/A plaintext in RAM Power-cycling the module Module entering TERMINATED state 16-byte AES state V used in the [SP 800-90A] CTR DRBG implementation Used by the SCP authentication OS-DRBG- KEY / DRBG “Key” value / CSP 256 bits DRBG Cert. #A2877 Constructed as per SP 800-90A N/A N/A plaintext in RAM Power-cycling the module Module entering TERMINATED state 32-byte AES key used in the [SP 800-90A] CTR DRBG implementation Used by the SCP authentication IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 52/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys OS- GLOBALPIN / global PIN / CSP N/A N/A Pre-loaded during manufacturin g Input using Manage Content service, encrypted by SD- KDEK N/A Stored encrypted (AES-ECB) by OS-MKDK in FLASH Module entering TERMINATED state by OS-MKDK zeroisation 8 to 16 byte Global PIN value managed by the CO. Character space is not restricted by the module. The PIN Policy is managed by the applet. Used by the Demonstration Applet Authentication Method (USR role) OS-MKDK / Encryption key / CSP 128 bits AES- ECB Cert. #A2877 Pre-loaded during manufacturin g using chip- internal data N/A N/A Stored in plaintext in FLASH Module entering TERMINATED state Encrypts OS-GLOBALPIN Used by the Demonstration Applet Authentication Method (USR role) IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 53/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys SD-KENC / Decryption Key / CSP 128, 192, 256 bits AES- CBC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 master key used by the CO role to derive SD-SENC Used by the SCP authentication SD-KMAC / Signature verification Key / CSP 128, 192, 256 bits AES- CMAC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 master key used by the CO role to derive SD-SMAC Used by the SCP authentication IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 54/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys SD-KDEK / Encryption Decryption Key / CSP 128, 192, 256 bits AES- CBC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 decryption encryption key used by the CO role to decrypt/encrypt sensitive data Can be used to wrap SD- KENC, SD-KDEK, SD- KMAC, DAP-SYM, DM- TOKEN-SYM, DM- RECEIPT-SYM, DAP- ASYM and DM-TOKEN- ASYM SSPs SD-SENC / Session Decryption Key / CSP 128, 192, 256 bits AES- CBC Cert. #A2877 Derived on module using KBKDF, in accordance with SCP03 specification N/A N/A plaintext in RAM Power-cycling the module Closing SCP secure channel AES-128/192/256 (SCP03) Session encryption key used by the CO role to encrypt / decrypt secure channel data Used by the SCP authentication IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 55/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys SD-SMAC / Session Signature verification Key / CSP 128, 192, 256 bits AES- CMAC Cert. #A2877 Derived on module using KBKDF, in accordance with SCP03 specification N/A N/A plaintext in RAM Power-cycling the module Closing SCP secure channel AES-128/192/256 (SCP03) Session MAC key used by the CO role to verify secure channel data integrity Used by the SCP authentication DAP-SYM / Signature verification key / CSP 128, 192, 256 bits AES- CMAC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 DAP key optionally loaded in the field and used to verify the CMAC signature of packages loaded into the Module DM-TOKEN- SYM / Delegate Management Signature verification key / CSP 128, 192, 256 bits AES- CMAC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 Delegate Management Token symmetric key IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 56/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DM- RECEIPT- SYM / Delegate Management Signature generation Key / CSP 128, 192, 256 bits AES- CMAC Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state AES-128/192/256 Delegate Management symmetric key to compute receipt DAP-ASYM / Signature verification Key / PSP 112 bits (2048 bits length) RSA SigVer Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value (if necessary) is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state 2048-bit public part of RSA key pair used for Asymmetric Signature verification used to verify the signature of packages loaded into the Module IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 57/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys OPACITY- SENC / OPACITY session Encryption Decryption Key / CSP 128 bits AES- CBC Cert. # A2877 Derived using KDA OneStep N/A N/A Stored in plaintext in RAM Power-cycling the module Closing SCP secure channel Card OPACITY Secure Messaging Session Encryption Key: Symmetric AES-128/256 used during Secure Messaging session for data encryption OPACITY- SMAC / OPACITY session Signature verification key/ CSP 128 bits 256 bits AES CMAC Cert. # A2877 Derived using KDA OneStep N/A N/A Stored in plaintext in RAM Power-cycling the module Closing SCP secure channel Card OPACITY Secure Messaging Session MAC Key: Symmetric AES-128/256 used during Secure Messaging session for input MAC verification IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 58/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys OPACITY- SRMAC / OPACITY session Signature generation key / CSP 128 bits 256 bits AES- CMAC Cert. # A2877 Derived using KDA OneStep N/A N/A Stored in plaintext in RAM Power-cycling the module Closing SCP secure channel Card OPACITY Secure Messaging Session Response MAC Key: Symmetric AES-128/256 used during Secure Messaging session for response MAC computation OPACITY- SCONFIRM ATION / OPACITY session Signature generation confirmation key / CSP 128 bits 256 bits AES- CMAC Cert. # A2877 Derived using KDA OneStep N/A N/A Stored in plaintext in RAM Power-cycling the module Automatically zeroised after cryptogram computation occurring during secure channel establishment Card OPACITY Secure Messaging Session Confirmation Key: Symmetric AES-128/256 used during Secure Messaging session establishment. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 59/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DM-TOKEN- ASYM / Delegate Management Signature verification Key / CSP 112 bits (2048 bits length) RSA SigVer Cert. #A2877 N/A Entered using PUT KEY, encrypted by SD-KDEK; key identifier entity association. An initial value (if necessary) is loaded during manufacturing N/A Stored in plaintext in FLASH Module entering TERMINATED state RSA 2048-bit Asymmetric key for Delegate Management for token verification IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 60/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DEM-EDK / Demonstratio n Applet Encryption Decryption Key / CSP 128, 192, and 256 bits 168-bits for TDES (decrypt only) AES- ECB AES- CBC TDES- ECB (decrypt only) TDES- CBC (decrypt only) Cert. #A2877 N/A SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration Applet: AES-128 encryption / decryption key, or Triple- DES decryption key used by the Demonstration Applet for Symmetric Cipher service used to encrypt/decrypt DEM-EDK, DEM-MAC, DEM-SGV-PRI, DEM-KAP- PRI, DEM-KGS-PRI, DEM- KAP-PUB, DEB-KGS-PUB and DEM-SGV-PUB IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 61/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DEM-MAC / Demonstratio n Applet Signature & Verification key / CSP 128, 192, and 256 bits AES- CMAC Cert. #A2877 N/A SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration Applet: AES-128 key used by Demonstration Applet for Message Authentication service. used to authenticate SSPs encrypted using DEM- EDK, like DEM-EDK, DEM- MAC, DEM-SGV-PRI, DEM-KAP-PRI, DEM-KGS- PRI, DEM-KAP-PUB, DEB- KGS-PUB and DEM-SGV- PUB DEM-COM- EDK / Demonstratio n Applet Secure Channel Encryption & Decryption Key / CSP 128, 192, and 256 bits AES- ECB AES- CBC Cert. #A2877 N/A SP 800-38F KTS. Entered during manufacturing (initial value), using Manage Content service. Not exported N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration Applet: AES-128 encryption / decryption key used by the Demonstration Applet for secure communication IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 62/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DEM-COM- MAC / Demonstratio n Applet Secure Channel Signature & Verification key / CSP 128, 192, and 256 bits AES- CMAC Cert. #A2877 N/A SP 800-38F KTS. Entered during manufacturing (initial value), using Manage Content service. Not exported N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet: AES-128 key used by Demonstration Applet to compute signature for secure communication DEM-SGV- PRI / Demonstratio n Applet Signature generation – Private key/ CSP RSA: 112, 128, 150 bits (2048-, 3072- , 4096-bit length) ECDSA: 112, 128, 192, 256 bits (P- 224, P-256, P-384, P- 521) RSA SigGen, ECDSA SigGen Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet: 2048-, 3072-, 4096-bit RSA or P-224, P-256, P- 384, P-521 ECDSA private key used by Demonstration Applet for Digital Signature service IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 63/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DEM-KAP- PRI / Demonstratio n Applet – Key generation – Private key / CSP 112, 128, 192, 256 bits (P-224, P- 256, P-384, P-521) KAS- ECC Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet: P-224, P-256, P-384, P- 521 ECC private key used by the Demonstration Applet Generate Key Pair and Key Agreement Primitive Services DEM-KGS- PRI / Demonstratio n Applet Key generation – Private key / CSP 112 bits (2048-bit length) RSA SigGen Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet: 2048-bit RSA used by Demonstration Applet Generate Key Pair DEM-KAP- PUB / Demonstratio n Applet Key generation – Public key / PSP 112, 128, 150 bits (P- 224, P-256, P-384, P- 521) KAS- ECC Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Entered or exported encrypted by DEM- EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet : P-224, P-256, P-384, P- 521 ECC public key used by the Demonstration Applet Key Agreement Service IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 64/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Key / SSP Name / Type Strength Security Function and Cert Number Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys DEM-KGS- PUB / Demonstratio n Applet Key generation – Public key / PSP 112 bits (2048-bit length) RSA SigVer Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Exported from the module encrypted by DEM-EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet : 2048-bit RSA public key used by Demonstration Applet Generate Asymmetric Key Pair DEM-SGV- PUB / Demonstratio n Applet Signature generation – Public key / PSP RSA: 112, 128, 150 bits (2048-, 3072- , 4096-bit length); ECDSA: 112, 128, 192, 256 bits (P- 224, P-256, P-384, P- 521) RSA SigVer, ECDSA SigVer Cert. #A2877 Generated on module using approved Key Generation SP 800-38F KTS. Exported from the module encrypted by DEM-EDK and authenticated with DEM-MAC N/A Stored in plaintext in FLASH Uninstallation of demonstration applet Demonstration applet: 2048-, 3072-, 4096-bit RSA or P-224, P-256, P- 384, P-521 ECDSA public key used by Demonstration Applet Asymmetric Signature service Table 20 – SSPs IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 65/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 9.2 Random bit generator entropy sources The module includes a non-deterministic Random Number Generator within the cryptographic boundary. This non-deterministic RNG (also called TRNG) is used exclusively to feed the approved DRBG with entropy: Table 21 – Non-Deterministic Random Number Generation Specification ESV certificate (#E107) has been procured for this entropy source. As per the Public Use Document for #E107, the settings under the Configuration Settings section are followed to by the factory prior to delivery of the module for operating the entropy source in a compliant manner. The output of the entropy source is used to directly feed the DRBG. The DRBG uses CTR_DRBG from [SP800-90Ar1] with Derivation Function (DF) enabled. 1024-bits of entropy at 13.376 bits per 32-bits min-entropy are fed to the DF which accounts for 428.032 -bits of entropy which exceed the 256-bits required by CTR_DRBG to claim full entropy output of the DRBG. A separate nonce is created for the DRBG based on output from entropy source. Entropy sources Minimum number of bits of entropy Details SLC37 32-bit Security Controller Min-entropy claimed: 13.376 bits per 32-bit blocks. Provided by the hardware TRNG of the SLC37 chip from Infineon. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 66/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 10 Self-tests 10.1 Pre-Operational Self-Tests On power-on or reset, the Module performs integrity testing using an EDC (16-bit CRC) performed over all code located in FLASH and EEPROM memory (for OS and Applets). All flags for cryptographic algorithm self-tests are cleared. 10.2 Conditional Self-Tests 10.2.1 Conditional Cryptographic Algorithm Tests The module maintains a flag in RAM memory that stores the state (self-test passed or not) for each Cryptographic algorithm that is approved. This flag indicates if an algorithm has been already self-tested. The Module performs self-test of an algorithm prior the first operational use (corresponding flag is not set) and if the self-test succeeds, the corresponding flag is set otherwise the card logs the self-test error and entered into a Card Is Mute error state or Card is Killed error state, depending on number of failures. On each reset of the CM, it performs only “Firmware Integrity test”. The cryptographic KATs are executed automatically, in a mode named “on demand”, when a cryptographic service is requested. Self-tests can be also played by any operator using the “autotests management” APDU command, corresponding to the “Run Cryptographic KAT” service. The operator can choose the list of self-test execution giving in data of the APDU the self-test flag. Self-Tests are based on known answer tests (KATs): Test Target Description AES ECB decrypt KAT with 128-bit key. Encrypt is self-tested as a part of KBKDF KAT. DRBG Counter DRBG KAT as per SP 800-90A section 11.3 with nonce (48 bytes) and entropy (128 bytes). ECDSA Signature Generation Signature generation KAT using an ECC P-224 key. ECDSA Signature Verification Signature verification KAT using an ECC P-224 key. ESV SP 800-90B Repetition Count Test and Adaptive Proportion Test HMAC-SHA2-256 HMAC-SHA2-256 KAT. KAS-ECC OnePassDH CS2 shared secret computation KAT using an ECC P-256 key with SHA2- 256. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 67/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. Test Target Description KAS-ECC OnePassDH CS7 shared secret computation KAT using an ECC P-384 key with SHA2- 384. KAS-ECC-SSC Primitive ‘Z’ Computation KAT using an ECC P-224 key. KBKDF KBKDF KAT using AES-CMAC 128-bit key and 32-byte derivation data. KDA OneStep SP 800-56Cr2 One Step KDF KAT. KDA HKDF SP 800-56Cr2/RFC5869 HKDF KAT. RSA Signature Generation RSA PKCS#1 v1.5 signature generation KAT using an RSA 2048-bit key RSA PKCS#1 v1.5 signature generation KAT using the RSA CRT implementation with a 2048-bit key. RSA Signature Verification RSA PKCS#1 v1.5 signature verification KAT using an RSA 2048-bit key RSA PKCS#1 v1.5 signature verification KAT using the RSA CRT implementation with a 2048-bit key. RSA PKCS#1 v1.5 decryption KAT with a 2048-bit key is also performed SHA2-256 SHA2-256 KAT. SHA2-512 SHA2-512 KAT. SHA3-224 SHA3-224 KAT. Triple-DES ECB decrypt KAT. Table 22 –Conditional Algorithm Self-Tests 10.2.2 Conditional Pair-wise Consistency Tests When any asymmetric key pair is generated, the CM performs a pairwise consistency test. For RSA keys, the pairwise consistency test is based on keys encryption / decryption. For ECC keys, the pairwise consistency test is based on signature / verify. 10.2.3 Conditional Firmware Load Tests When new firmware (applet) is loaded into the CM (or into a SSD having the Delegated Management privilege) using the Manage content service, the CM (or the SSD) verifies the authenticity (MAC or signature) of the new firmware (applet) using respectively the DAP-SYM key or DAP-ASYM key. The signature or MAC in this scenario is generated by an external entity using the key corresponding to the asymmetric key DAP-ASYM or the secret key DAP-SYM. 10.2.4 Conditional Critical Functions Tests The module performs a validity check of the public static key and the ephemeral keys according to the SP 800-56Ar3 specification. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 68/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 10.3 Periodic Self-tests The Module supports an internal counter and an associated maximum value. The counter is set to its maximum value on power on and it is decremented when receiving an APDU. When the counter reaches its zero, the integrity test is executed (see 10.1), the counter is reset to its maximum value again and the flag for on-demand tests is also reset so that at next cryptographic algorithm usage, the self-tests are executed again (see 10.2.1). No interruption to the module’s operation is expected while the self-tests are executed. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 69/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 11 Life-cycle assurance The CM meets the Level 3 Design Assurance section requirements. 11.1 Delivery and Operation Some additional documents (‘Delivery and Operation’, ‘Reference Manual’, ‘Card Initialization Specification’ documents) define and describe the steps necessary to deliver and operate the CM securely. Once the module has been delivered outside of the factory, the CM is always in the Compliant state. Once the module has been powered on, it always functions in the approved mode of operation. There are no additional steps for installation, initialization, and configuration required for the CM after delivery. The configuration cannot be changed outside the factory. 11.2 Guidance Documents The Guidance document provided with CM is intended to be the ‘Reference Manual’. This document includes guidance for secure operation of the CM by its users as defined in the Roles, Services, and Authentication chapter. 11.3 Guidance The Module implementation also enforces the following security rules: • No additional interface or service is implemented by the Module which would provide access to SSPs. • Data output is inhibited during key generation, self-tests, zeroisation, and error states. • The zeroisation service is applied with no restrictions on all keys or SSPs of the CM. • The Module does not support manual key entry, output plaintext SSPs or output intermediate key values. • Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the Module. IDCore 3230 / 230 Platform FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Level 3 Ref: R1R29781_IDC3230_SP Rev: G Page 70/70 © Copyright Thales 2024. May be reproduced only in its entirety [without revision]. 12 Mitigation of Other Attacks No assured mitigations to ‘other attacks’ are covered in this security policy. END OF DOCUMENT