Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series FIPS 140-3 Non-Proprietary Security Policy Document Version: 1.0 H/W Version: MZWLR1T6HCJR-00AD9, MZWLR1T9HCJR-00AC9, MZWLR1T9HCJR-00AD9, MZWLR3T2HCLS-00AD9, MZWLR3T8HCLS-00AC9, MZWLR3T8HCLS-00AD9, MZWLR3T8HCLS-00AV8, MZWLR3T8HCLS-00AG6, MZWLR15THBLA-00AG6, MZWLR6T4HBLA-00AD9, MZWLR7T6HBLA-00AC9, MZWLR7T6HBLA-00AD9, MZWLR12THBLA-00AD9, MZWLR15THBLA-00AC9, MZWLR30THBLA-00AC9, MZWLR15THBLA-00AD9, MZWLR30THBLA-00AD9 F/W Version: MPP90D3Q, MPP92E5Q, MPP92D3Q, MPP93D3Q, MPP95E5Q, NA50 2 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy Revision History Version Changes 1.0 Initial version 3 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy Table of Contents 1. GENERAL 4 1.1. SCOPE 4 1.2. ACRONYMS 4 2. CRYPTOGRAPHIC MODULE SPECIFICATION 5 2.1. CRYPTOGRAPHIC BOUNDARY 5 2.2. VERSION INFORMATION 6 2.3. CRYPTOGRAPHIC FUNCTIONALITY 7 2.3.1. APPROVED ALGORITHM 7 2.3.2. NON-APPROVED ALGORITHM 7 2.4. APPROVED MODE OF OPERATION 7 3. CRYPTOGRAPHIC MODULE INTERFACES 8 4. ROLES, SERVICES, AND AUTHENTICATION 9 4.1. ROLE 9 4.2. APPROVED SERVICE 9 4.3. AUTHENTICATION 10 5. SOFTWARE/FIRMWARE SECURITY 11 6. OPERATIONAL ENVIRONMENT 12 7. PHYSICAL SECURITY 13 8. NON-INVASIVE SECURITY 14 9. SENSITIVE SECURITY PARAMETER MANAGEMENT 15 10. SELF-TESTS 17 10.1. PRE-OPERATIONAL TEST 17 10.2. CONDITIONAL TEST 17 10.3. ERROR STATES 17 11. LIFE-CYCLE ASSURANCE 18 11.1. SECURE INSTALLATION 18 11.2. OPERATIONAL DESCRIPTION OF MODULE 18 12. MITIGATION OF OTHER ATTACKS 19 4 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 1. General 1.1. Scope This document specifies the security policy for Samsung Electronics Co., Ltd. (“Samsung”) SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series, herein after referred to as a “cryptographic module” or “module”, SSD (Solid State Drive), satisfies all applicable FIPS 140-3 Security Level 2 requirements of a hardware module, supporting TCG Opal SSC based SED (Self-Encrypting Drive) features, designed to protect unauthorized access to the user data stored in its NAND flash memories. The built-in AES hardware engines in the cryptographic module’s controller provide on-the-fly encryption and decryption of the user data without performance loss. The SED’s nature also provides instantaneous sanitization of the user data via cryptographic erase. ISO/IEC 24759 Section 6. [Number Below] FIPS 140-3 Section Title Security Level 1 General 2 2 Cryptographic module specification 2 3 Cryptographic module interfaces 2 4 Roles, services, and authentication 2 5 Software/Firmware security 2 6 Operational environment N/A 7 Physical security 2 8 Non-invasive security N/A 9 Sensitive security parameter management 2 10 Self-tests 2 11 Life-cycle assurance 2 12 Mitigation of other attacks N/A Table 1. Security Levels 1.2. Acronyms Acronym Description CTRL Controller CPU Central Processing Unit (ARM-based) DRAM Dynamic Random Access Memory DRAM I/F Dynamic Random Access Memory Interface ECC Error Correcting Code KAT Known Answer Test LBA Logical Block Address MD/EE Manual Distribution/Electronic Entry MEK Media Encryption Key NAND NAND Flash Memory NAND I/F NAND Flash Interface NVMe Non-Volatile Memory Host Controller Interface Specification ROM Read-only Memory SFR Special Function Register Table 2. Acronyms 5 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 2. Cryptographic Module Specification 2.1. Cryptographic Boundary The following photographs show the cryptographic module’s top and bottom views. The multiple-chip standalone cryptographic module consists of hardware and firmware components that are all enclosed in two aluminum alloy cases, which serve as the cryptographic boundary of the module. Figure 1. Specification of the Samsung SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series Cryptographic Boundary 6 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy The firmware utilizes a single chip controller with an NVMe interface on the system side as well as Samsung NAND flash. The following figure depicts the module operational environment. The firmware within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. Any firmware loaded into this module that is not shown on the module certificate, is out of the scope of this validation and requires a separate FIPS 140-3 validation Figure 2. Block Diagram for Samsung SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series 2.2. Version information Table 3. Cryptographic Module Tested Configuration Model Hardware Version Firmware Version Drive Capacity PM1733a MZWLR3T8HCLS-00AG6 NA50 3.84TB MZWLR3T8HCLS-00AV8 3.84TB MZWLR15THBLA-00AG6 15.36TB MZWLR1T9HCJR-00AC9 MPP92E5Q, MPP95E5Q 1.92TB MZWLR3T8HCLS-00AC9 3.84TB MZWLR7T6HBLA-00AC9 7.68TB MZWLR15THBLA-00AC9 15.36TB MZWLR30THBLA-00AC9 30.72TB MZWLR30THBLA-00AD9 MPP93D3Q 30.72TB MZWLR1T9HCJR-00AD9 MPP90D3Q, MPP92D3Q, MPP93D3Q 1.92TB MZWLR3T8HCLS-00AD9 3.84TB MZWLR7T6HBLA-00AD9 7.68TB MZWLR15THBLA-00AD9 15.36TB PM1735a MZWLR1T6HCJR-00AD9 1.6TB MZWLR3T2HCLS-00AD9 3.2TB MZWLR6T4HBLA-00AD9 6.4TB MZWLR12THBLA-00AD9 12.8TB 7 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 2.3. Cryptographic Functionality 2.3.1. Approved Algorithm The cryptographic module supports the following approved algorithms for secure data storage: CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use / Function C12711 AES / FIPS 197, SP 800-38E XTS 256 bits Data Encryption / Decryption (only used for storage) A1720 DRBG / SP 800-90A Rev. 1 Hash_ DRBG (SHA-256) N/A Deterministic Random Bit Generation A940 RSA / FIPS 186-4 PSS SigVer (SHA-256) 3072 bits Digital Signature Verification C1272 SHS / FIPS 180-4 SHA-256 N/A Message Digest Vendor Affirmed CKG / SP 800-133 Rev2 Section 4 and Section 6.1 N/A Cryptographic Key Generation (Symmetric Keys) N/A ENT (P) / SP800-90B N/A N/A Non-deterministic Random Number Generator (only used for generating seed materials for the Approved DRBG) ENT (P) provides a minimum of 256 bits of entropy for DRBG seed Table 4. Approved Algorithms 2.3.2. Non-Approved Algorithm Following algorithms are not intended to be used as a security function, and not used whatsoever to meet any FIPS 140- 3 requirements. These algorithms are not provided through a non-approved service to an operator. Algorithm Caveat Use / Function AES-XTS / FIPS 197, SP 800-38E No Security Claimed; AES-XTS is only used for firmware removal of obfuscation during ROM initialized. (IG 2.4.A Scenario #2) Firmware Removal of obfuscation AES-CCM / FIPS 197, SP 800-38C No Security Claimed; Non-approved algorithms here are only used for obfuscation and removal of obfuscation the CSP. (IG 2.4.A Scenario #1) Key obfuscation and Removal of obfuscation PBKDF2 Non-SSP Derivation HMAC / SHA-256 (SHS Cert.# C1272) Non-SSP Derivation Table 5. Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed 2.4. Approved Mode of Operation The module only has a single approved mode of operation and does not have a non-approved mode of operation. The cryptographic module shows the approved mode through validated version status by Show Status Service in Table 9 via NVM express Identify Controller command. The non-approved algorithms are allowed in the approved mode of operation with no security claimed in the module. 1 AES-ECB is the pre-requisite for AES-XTS; AES-ECB alone is NOT supported by the cryptographic module in Approved Mode. 8 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 3. Cryptographic Module Interfaces Physical Port Logical Interface Type Data that Passes Over Port/Interface NVMe Connector Data Input plaintext data; signed data; authentication data Data Output plaintext data; Control Input commands input logically via an API (e.g. for the software and firmware components of the cryptographic module); signals input logically or physically via one or more physical ports (e.g. for the hardware components of the cryptographic module); Status Output status information output logically via an API; signal outputs logically or physically via one or more physical ports; Power Input Power input Table 6. Ports and Interfaces Note: The module does not implement the Control Output 9 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 4. Roles, Services, and Authentication 4.1. Role The following table defines the roles, and associated services supported by the each role: Role Service Input Output Cryptographic Officer(CO) and User Lock/Unlock an LBA Range LBA Range Status Erase an LBA Range’s Data LBA Range Status CO Change the Password. CO Password Status User Set User Password User Password Status Table 7. Roles, Service Commands, Input and Output 4.2. Approved Service E: EXECUTE; W: WRITE; G: GENERATE; Z: ZEROISE Service Description Approved Security Functions SSPs Role Type(s) of Access2 Indicator3 E W G Z Change the Password. Change CO password SHA-256 CO Password CO O O O UID: AdminSP_SID_C_PIN / AdminSP_Admin1_C_PIN TCG Method: Set Result: TCG status code Hashed CO Authentication Data O O O Set User Password Set User Password SHA-256 User Password User O O O UID: LockingSP_Admin1~4_C_PIN / LockingSP_User1~9_C_PIN TCG Method: Set Result: TCG status code Hashed User Authentication Data O O O Lock/Unlock an LBA Range4 Block or allow read (decrypt) / write (encrypt) of user data. N/A MEK CO, User O O UID: Locking_GlobalRange / Locking_RangeNNNN TCG Method: Set Result: TCG status code Erase an LBA Range’s Data Erase user data by changing the data encryption key. Hash_ DRBG (SHA-256) DRBG Internal State O O O O UID: K_AES_256_GlobalRange_Key / K_AES_256_RangeNNNN_Key TCG Method: GenKey Result: TCG status code MEK O O O Table 8. Authenticated Services 2 It means that “Write” and “Zeroise” perform in each storage of SSPs that is described in Table 13. The (R)ead column, which is specified in NIST SP 800-140B, is not applicable to the module. 3 The result of NVMe or TCG command is used as an indicator. 4 The CO can grant Users the authority to utilize this service via updating the “Locking SP ACE Table”, in accordance with the TCG specification (included in the Lock/Unlock an LBA Range service). Initially, only the CO can perform this service. This module provides an indicator which shows when Self-Initiated Cryptographic Output Capability is activated or inactivated. The operator can check whether the target range is locked or unlocked through the ‘getLockingTable’ query per the TCG specification. 10 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy - Following table shows unauthenticated services. It is initially possible to use the services in following table without authentication. The operator can be configured setting that complied with NVM, TCG spec. Service Description Approved Security Functions SSPs Role Type(s) of Access Indicator5 E W G Z Show Status6 Show approved version status of the module / FIPS fail mode N/A N/A N/A NVM Command: Identify Controller command Result : Status Code Authentication Authenticate to the module SHA-256 CO Password O O UID: AdminSP_SID / AdminSP_Admin1 / LockingSP_Admin1~4 / LockingSP_User1~9 TCG Method: Authenticate Result: TCG status code User Password O O Get Random Number Provide a random number generated by the CM. Hash_ DRBG (SHA-256) DRBG Internal State O O UID: ThisSP TCG Method: Random Result: TCG status code IO Command7 Read/Write user data AES-XTS MEK O NVM Command: Write / Read Result : Status Code Revert Erase user data in all Range by changing the data encryption key and clearing the authentication data Hash_ DRBG (SHA-256) DRBG Internal State O O UID: SPObj(AdminSP) TCG Method: Revert Result: TCG status code MEK O O O Hashed CO Authentication Data O Hashed User Authentication Data O FormatNVM / Sanitize / DeleteNS Erase user data by changing the data encryption key. Hash_ DRBG (SHA-256) DRBG Internal State O O O O Admin Command: Format NVM / Sanitize / Namespace Management Result : Status Code MEK O O O Update the firmware8 Update the firmware RSA Firmware Verification Key O O Admin Command: Firmware Commit Result : Status Code Perform Self-tests Power cycling the module to perform self-tests N/A N/A N/A Table 9. Unauthenticated Services 4.3. Authentication This module provides the role-based authentication. The authentication mechanism allows a minimum 8-byte length or longer (up to 32-byte) Password, where each byte can be any of 0x00 to 0xFF, for every Cryptographic Officer and User role supported by the module, which means a single random attempt can succeed with the probability of 1/264 or lower. Each Password authentication attempt takes at least 750ms. It means, the number of attempts possible in a minute period is maximum 80 attempts (60000ms/750ms). Role Authentication Method Authentication Strength CO Password (Min: 8 bytes, Max: 32 bytes) Probability of 1/264 in a single random attempt Probability of 80/264 in multiple random attempts in a minute User Table 10. Roles and Authentication 5 The module only supports approved services in an approved manner. The module uses implicit indicators through the result of the NVMe or TCG commands. 6 The cryptographic module shows the hardware version and firmware version through the ‘Model Number (MN)’ and ‘Firmware Revision (FR)’ of Identify Controller Data Structure. If the module enters the FIPS Fail Mode, this service indicates “ERRORMOD” in Firmware Revision (FR). 7 The I/O command itself is the approved service where Self-Initiated Cryptographic Output Capability occurs, while the unlock request (via Lock/Unlock an LBA range” service) is the authorized enablement of this capability. 8 This service is exempted from being authenticated by exception clause (c) of IG 4.1.A. 11 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 5. Software/Firmware Security - The cryptographic module employs the 428-byte parity for firmware integrity test. - The firmware integrity test is performed when power on reset. 12 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 6. Operational Environment - The cryptographic module operates in a limited operational environment that is consist of the module’s firmware. This operational environment does not require any specific security rules, settings, configurations or restrictions to be set. - The cryptographic module does not provide any general-purpose operating system to the operator. - Unauthorized modification of the firmware is prevented by the pre-operational firmware integrity test and conditional firmware load test. 13 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 7. Physical Security The following physical security mechanisms are implemented in a cryptographic module: • The module consists of production-grade components enclosed in an aluminum alloy enclosure, which is opaque within the visible spectrum. The top panel of the enclosure can be removed by unscrewing screws. However, the module is sealed with tamper-evident labels in accordance with FIPS 140-3 Level 2 Physical Security requirements so that tampering is easily detected when the top and bottom cases are detached. • 2 tamper-evident labels are applied over both top and bottom cases of the module at the factory. The tamper-evident labels are not removed and reapplied without tamper evidence. • The tamper-evident labels are applied by Samsung at Manufacturing. The following table summarizes the actions required by the Cryptographic Officer Role to ensure that physical security is maintained: Physical Security Mechanisms Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Production grade cases As often as feasible Inspect the entire perimeter for cracks, gouges, lack of screw(s) and other signs of tampering. Remove from service if tampering found. Tamper-evident Sealing Labels Inspect the sealing labels for scratches, gouges, cuts and other signs of tampering. Remove from service if tampering found. Table 11. Inspection/Testing of Physical Security Mechanisms Figure 3. Tamper Evident Label Placement Figure 4. Example of Signs of Tamper 14 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 8. Non-Invasive Security - Non-invasive security has not applicable for this cryptographic module. 15 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 9. Sensitive Security Parameter Management - Temporary SSPs are zeroised when power on reset. - Firmware integrity temporary values are zeroised after the firmware integrity test is complete. - The zeroisation is performed before overwriting to the target SSP with random value which is generated from the DRBG. - SSP’s are not exported outside the module. Key/SSP Name/ Type Strength Security Function and Cert. Number Generation Import /Export Establis hment Storage Zeroisation Use & Related Keys DRBG Internal State9 256-bit A1720 Hash_ DRBG (SHA-256) SP 800-90A HASH_DRBG (SHA-256) N/A N/A Plaintext in RAM Power on Reset MEK DRBG Seed 256-bit A1720 Hash_ DRBG (SHA-256) ENT (P) N/A N/A Plaintext in RAM Power on Reset MEK DRBG Entropy Input String 256-bit A1720 Hash_ DRBG (SHA-256) ENT (P) N/A N/A Plaintext in RAM Power on Reset MEK CO Password Min. 64- bit N/A N/A MD/EE N/A Plaintext in RAM Via “Authentication ” service N/A User Password Min. 64- bit N/A N/A MD/EE N/A Plaintext in RAM Via “Authentication ” service N/A Hashed CO Authenticati on Data 128-bit C1272 SHA-256 Hashed from Password as per SHA-256 N/A N/A Plaintext in Flash Via “Change the Password” and Revert” service N/A Hashed User Authenticati on Data 128-bit C1272 SHA-256 Hashed from Password as per SHA-256 N/A N/A Plaintext in Flash Via “Set User Password” and Revert” service N/A MEK 256-bit C1271 AES-XTS SP 800-90A HASH_DRBG (SHA-256) N/A N/A Plain Text in RAM, Flash Via “Unlock an LBA Range”, “Erase an LBA Range’s Data”, “Revert” and “FormatNVM / Sanitize / DeleteNS” service N/A Firmware Verification Key 128-bit A940 RSA N/A Entered during manufacturi ng N/A Plaintext in Hardware SFR Right after FW load test Firmwa re load test Plaintext in Flash N/A Table 12. SSPs 9 The values of V and C are the “secret values” of the internal state 16 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy The module contains an entropy source, compliant with SP 800-90B, within the module’s cryptographic boundary. Entropy Sources Minimum Number of Bits of Entropy Details ENT (P) - 0.5 entropy per bit - Minimum of 256 bits of entropy for DRBG seed (total seed size of 512 bits). Entropy source for Hash_DRBG Table 13. Non-Deterministic Random Number Generation Specification 17 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 10. Self-Tests While executing the following self-tests, all data output is inhibited until self-test completion. To execute the pre- operational tests on-demand, the operator may power-cycle the module. If a cryptographic module fails a self-test, the module will enter an error state. While in this state, all data output is inhibited. 10.1. Pre-operational Test • Firmware integrity check - Firmware integrity check is performed by using 428-byte parity at power-on. 10.2. Conditional Test • Cryptographic Algorithm Tests Algorithm Type Description DRBG Cryptographic algorithm self-test KATs for Hash_DRBG (SHA-256) described in SP 800-90A Section 11.3.1, 11.3.2, 11.3.3, 11.3.4 KAT performed with 512-bit entropy input AES-XTS Cryptographic algorithm self-test Encrypt and Decrypt KAT performed with 512-bit key size SHA Cryptographic algorithm self-test Hash Digest KAT performed with 256-bit message size RSA Cryptographic algorithm self-test Verify KAT performed with 3072 Modulus (3072-bit key size) and SHA-256. RSA Firmware load test Perform using RSA-3072 with SHA-256 when new firmware is downloaded. ENT (P) Cryptographic algorithm self-test Perform the below 2 types of tests and each test includes the Repetition Count test and Adaptive Proportion test described in SP800-90B. • Start-up test is performed for Entropy Source after power on reset. • Continuous test is performed for Entropy Source while the module is operating Table 14. Self-tests 10.3. Error States Name Description Conditions Recovery Method Indicator Error state in Boot The module does not provide any crypto operation. Integrity test or SP 800-90B start-up failure during boot Power cycle Hang state. No action Error State Any other self-test failure If the module enters the FIPS Fail Mode, Show Status service indicates “ERRORMOD” in Firmware Revision (FR). Table 15. Error States 18 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 11. Life-Cycle Assurance The following specifies the security rules under which the cryptographic module shall operate in accordance with FIPS 140-3: • The cryptographic module operates always in Approved Mode once shipped from the vendor's manufacturing site. • The steps necessary for the secure installation, initialization and start-up of the cryptographic module as per FIPS 140-3 VE11.33.01 are as follows: 11.1. Secure Installation • [Step1] User should examine the tamper evidence. - Inspect the entire perimeter for cracks, gouges, lack of screw(s) and other signs of tampering including the tamper evident sealing label. - If there is any sign of tampering, do not use the product and contact Samsung. • [Step2] Identify the firmware version in the device. - Confirm that the firmware version is equivalent to the version(s) listed in this document via NVM express Identify Controller command. • [Step3] Take the drive’s ownership. - Change SID’s PIN by setting a new PIN. - Activate the Locking SP by using the Activate method. Note: If required to enable the additional Admin authorities in Locking SP, new PINs must be set by the Cryptographic Officer. • [Step4] Periodically examine the tamper evidence - If there is any sign of tampering, stop using the product to avoid potential security hazards or information leakage. 11.2. Operational Description of Module • The cryptographic module shall maintain logical separation of data input, data output, control input, control output, and power. • The cryptographic module shall not output CSPs in any form. • The cryptographic module shall use the Approved DRBG for generating all cryptographic keys. • The cryptographic module shall enforce a limited operational environment by the secure firmware load test using RSA PSS-3072 with SHA-256. • The cryptographic module shall provide a production-grade cryptographic boundary. • The cryptographic module enters the error state upon failure of self-tests. most commands except for supported command from the Host (General Purpose Computer (GPC) outside the cryptographic boundary) are rejected in the error state and the IO command returns Namespace Not Ready (SC=0x82, SCT=0x0), the other commands return Internal Error (SC=0x6, SCT=0x0) defined in NVMe specification via the status output. Cryptographic services and data output are explicitly inhibited when in the error state. When module fails firmware integrity checks performed by Mask ROM, the module will fail to boot; module will not service any requests or provide any status output (module hangs). • The cryptographic module satisfies the requirements of FIPS 140-3 IG C.I (i.e. key_1 ≠ key_2). • The module generates at a minimum 256 bits of entropy for use in key generation. • Bypass capability is not applicable to the cryptographic module. • Critical functions are not applicable to the cryptographic module. • The module generates symmetric keys which are unmodified outputs from the DRBG. • If you require the “Samsung SED Product Manual”, kindly reach out to the vendor contact information that is posted in certification. 19 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy 12. Mitigation of Other Attacks The cryptographic module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-3. Other Attacks Mitigation Mechanism Specific Limitations N/A N/A N/A Table 16. Mitigation of Other Attacks