Version 1 Revision 7
i
IBM LTO Generation 6
Encrypting Tape Drive
FIPS 140-2 Non-Proprietary
Security Policy
Version 1 Revision 7
Version 1 Revision 7
ii
1 Document History ..................................................................................................................................................1
2 Introduction............................................................................................................................................................2
2.1 References...............................................................................................................................................4
2.2 Document Organization ........................................................................................................................4
3 IBM LTO Generation 6 Encrypting Tape Drive Cryptographic Module Description............................................5
3.1 Overview.................................................................................................................................................5
3.2 Secure Configuration.............................................................................................................................9
3.3 Ports and Interfaces.............................................................................................................................12
3.4 Roles and Services................................................................................................................................14
3.5 Physical Security ..................................................................................................................................20
3.6 Cryptographic Algorithms and Key Management............................................................................21
3.6 Cryptographic Algorithms and Key Management............................................................................22
3.7 Design Assurance .................................................................................................................................26
3.8 Mitigation of other attacks..................................................................................................................26
Version 1 Revision 7
1
1 Document History
Date Author Change
09/26/2012 Said Ahmad Initial Creation
08/23/2013 Christine Knibloe General updates
10/10/2013 Christine Knibloe Corrections, diagrams
11/11/2013 Christine Knibloe Clarifications for bypass mode
and cartridge memory. Added
EC and part numbers.
11/11/2013 Christine Knibloe Correct part numbers
11/21/2013 Christine Knibloe Add hardware part numbers
11/25/2013 Christine Knibloe Update CSP table, add algorithm
certificate numbers
05/21/2014 Said Ahmad Modify the title and fix typo
05/27/2014 Said Ahmad Add key wrapping to AES usage
Version 1 Revision 7
2
2 Introduction
This non-proprietary security policy describes the IBM LTO Generation 6 Encrypting Tape Drive
cryptographic module and the approved mode of operation for FIPS 140-2, security level 1
requirements. This policy was prepared as part of FIPS 140-2 validation of the LTO Gen6. The LTO
Gen6 Encrypting Tape Drive is referred to in this document as the LTO Gen6, the IBM LTO Gen6, and
the encrypting tape drive.
The security policy document is organized in the following sections:
 Introduction
 References
 Document Organization
Table 1: Security Section
Security Section Level
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services, and Authentication 1
Finite State Model 1
Physical Security 1
Operational Environment NA
Cryptographic Key Management 1
EMI/EMC 1
Self-Tests 1
Design Assurance 1
Mitigation of Other Attacks NA
Overall 1
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST web site at:
http://csrc.nist.gov/groups/STM/cmvp/
Version 1 Revision 7
3
LTO Gen6 Encrypting Tape Drive Cryptographic Module Description
 Cryptographic Module Overview
 Secure Configuration
 Cryptographic Module Ports and Interfaces
 Roles and Services
 Physical Security
 Cryptographic Key Management
 Self-Tests
 Design Assurance
 Mitigation of Other Attacks
Version 1 Revision 7
4
2.1 References
This document describes only the cryptographic operations and capabilities of the LTO Gen6 Encrypting
Tape Drive. More information is available on the general function of the LTO Gen6 Encrypting Tape
Drive at the IBM web site:
http://www.ibm.com/storage/tape/
The tape drive meets the T10 SCSI-3 Stream Commands (SSC) standard for the behavior of sequential
access devices.
The LTO Gen6 Encryption Tape Drive supports 2 host interface types: Fibre channel (FC) and serial-
attached SCSI (SAS). The physical and protocol behavior of these ports conforms to their respective
specifications. These specifications are available at the INCITS T10 standards web site:
http://www.T10.org /
A Redbook describing tape encryption and user configuration of the LTO Gen6 drive in various
environments can be found at:
http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
The LTO Gen6 drive format on the tape media is designed to conform to the IEEE P1619.1 committee draft
proposal for recommendations for protecting data at rest on tape media. Details on P1619.1 may be found
at:
http://ieeexplore.ieee.org/servlet/opac?punumber=4413113
2.2 Document Organization
The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this
document, the submission package contains:
 Vendor Evidence Document
 Other supporting documentation and additional references
With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is
proprietary to IBM and is releasable only under appropriate non-disclosure agreements. For access to these
documents, contact IBM.
Version 1 Revision 7
5
3 IBM LTO Generation 6 Encrypting Tape Drive Cryptographic
Module Description
3.1 Overview
The IBM LTO Generation 6 Encrypting Tape Drive, also referred to herein the LTO Gen6 Encrypting
Tape Drive and the module, is a set of hardware, firmware, and interfaces allowing the optional storage
and retrieval of encrypted data to magnetic tape cartridges. The entire “brick” unit of the LTO Gen6 tape
drive is FIPS certified as a multi-chip, standalone cryptographic module. In customer operation the
“brick” unit may be used in conjunction with a computer system or tape library. Some components of the
LTO Gen6 tape drive, such as mechanical components used for tape loading/unloading and actuating the
tape cartridge, labels, cables, connectors, terminals and sensor components, do not have an effect on the
security of the cryptographic module.
Block diagrams of the LTO Gen6 Encrypting Tape Drive are shown below:
Tape
Deck
Head
Main Card
Ume
(U18)
SDRAM
(U21,U22)
FAS 88SC9210
(U49)
SDRAM
(U31)
Drive
Other
Card
Functions
(U8,U43,U46,
U48,U58,U73)
FH FC Cryptographic Module Block Diagram
RS-
422
FC
Port
0
FC
Port
1
Power
RS-
232
(J37)
(J8)
(J14)
(J32)
Cartridge
Mem
(J10)
(J6,J27)
(J38)
FC
Loop
(J39)
FC
Link
(J40)
BAB
Port
(J24)
Threader
Port
(J30)
(S4)
Write
Protect
(J4)
(J1,SW2,D1,D13)
Front
Panel
Feature
Switches
Ether-
net
(J42)
FLASH
(U16)
Figure 1a: LTO Gen6 Full-High Fibre Channel Drive Block Diagram
Version 1 Revision 7
6
Tape
Deck
Head
Main Card
Ume
(U18)
SDRAM
(U22,U47)
FAS 88SC9210
(U73)
SDRAM
(U32)
Drive
Other
Card
Functions
(U8,U46,
U48,U49,U58)
HH FC Cryptographic Module Block Diagram
RS-
422
FC
Port
0
FC
Port
1
Power
RS-
232
(J17)
(J14)
(J8)
Cartridge
Mem
(J1)
(J2,J12)
(J11)
FC
Loop
(J39)
FC
Link
(J40)
BAB
Port
(J24)
Threader
Port
(J30)
(S4)
(J19)
Front
Panel
Feature
Switches
Ether-
net
(J42)
FLASH
(U40)
Figure 1b: LTO Gen6 Half-High Fibre Channel Drive Block Diagram
Version 1 Revision 7
7
Tape
Deck
Head
Main Card
Ume
(U18)
SDRAM
(U21,U22)
FAS 88SC9210
(U49)
SDRAM
(U31)
Drive
Other
Card
Functions
(U8,U43,U46,
U48,U58,U73)
FH SAS Cryptographic Module Block Diagram
RS-
422
Power
RS-
232
(J37)
(J8)
Cartridge
Mem
(J10)
(J6,J27)
(J38)
BAB
Port
(J24)
Threader
Port
(J30)
(S4)
Write
Protect
(J4)
(J1,SW2,D1,D13)
Front
Panel
Feature
Switches
Ether-
net
(J42)
SAS
Port
0
SAS
Port
1
(J14)
FLASH
(U16)
Figure 1c: LTO Gen6 Full-High SAS Drive Block Diagram
Version 1 Revision 7
8
Tape
Deck
Head
Main Card
Ume
(U18)
SDRAM
(U22,U47)
FAS 88SC9210
(U73)
SDRAM
(U32)
Drive
Other
Card
Functions
(U8,U46,
U48,U49,U58)
HH SAS Cryptographic Module Block Diagram
RS-
422
Power
RS-
232
(J37)
(J14)
Cartridge
Mem
(J1)
(J2,J12)
(J11)
BAB
Port
(J24)
Threader
Port
(J30)
(S4)
(J19)
Front
Panel
Feature
Switches
Ether-
net
(J42)
SAS
Port
0
SAS
Port
1
(J37)
FLASH
(U40)
Figure 1d: LTO Gen6 Half-High SAS Drive Block Diagram
Version 1 Revision 7
9
The LTO Gen6 Encrypting Tape Drive has two major cryptographic functions:
 Data Block Cipher Facility: The tape drive provides functions which provide the ability for
standard tape data blocks as received during SCSI-type write commands to be encrypted
before being recorded to media using AES-GCM block cipher using a provided key, and
decrypted during reads from tape using a provided key.
o Note the AES-GCM block cipher operation is performed after compression of the
host data therefore not impacting capacity and data rate performance of the
compression function
o The LTO Gen6 drive automatically performs a complete and separate decryption
and decompression check of host data blocks after the compression/encryption
process to validate there were no errors in the encoding process
 Secure Key Interface Facility: The tape drive provides functions which allow authentication
of the tape drive to an external IBM key manager, such as the IBM Encryption Key
Manager (EKM), the Tivoli Key Lifecycle Manager (TKLM), or the IBM Security Key
Lifecycle Manager (ISKLM), and allow transfer of protected key material between the key
manager and the tape drive.
3.2 Secure Configuration
This section describes the approved mode of operation for the LTO Gen6 drive to maintain FIPS-140
validation.
There are two configurations for the LTO Gen6 in the approved mode of operation. They are:
 System-Managed Encryption (SME)
 Library-Managed Encryption (LME)
In order to be in an approved mode of operation, the values of the fields Key Path (manager Type) (from
VPD), In-band Key Path (Manager Type) Override, Indirect Key Mode Default, Key Scope, and
Encryption Method must be set according to the table below. More details can be found in the LTO
Ultrium Tape Drive SCSI Reference.
Table 2: Settings for Approved Modes of Operation
Required Fields System-Managed
Encryption (SME)
Library-Managed
Encryption (LME)
Key Path (Manager Type) (from VPD)
Mode Page X’25’, byte 21, bits 7-5
001b 110b
In-band Key Path (Manager Type) Override
Mode Page X’25’, byte 21, bits 4-2
000b or 001b 000b
Indirect Key Mode Default
Mode Page X’25’, byte 22, bit 4
0b 0b
Key Scope
Mode Page X’25’, byte 23, bits 2-0
000b or 001b 000b or 001b
Encryption Method
Mode Page X’25’, byte 27
10h or 1Fh 60h
A user can determine if the LTO Gen6 is in the approved mode of operation by issuing a SCSI Mode Sense
command to Mode Page X’25’ and evaluating the values returned.
Certain commands are prohibited while in the approved modes of operation. The commands vary based on
which configuration is used in the approved mode. In the LME configuration, all Mode Select commands
to Mode Page X’30’, Subpage X’20’ and all subpages of Mode Page X’25’ are prohibited. In the SME
configuration, Mode Select commands to Mode Page X’30’, Subpage X’20’ and the following subpages of
Mode Page X’25’ are prohibited.
Version 1 Revision 7
10
Table 3: Mode Select Eligibility of Mode Page X’30’, Subpage X’20’ and Mode Page X’25’ Subpages
Mode
Page
Mode Subpage System-Managed
Encryption (SME)
Library-Managed
Encryption (LME)
X’25’ X’C0’ – Control/Status Allowed Prohibited
X’25’ X’D0’ – Generate dAK/dAK’
Pair
Prohibited Prohibited
X’25’ X’D1’ – Query dAK Prohibited Prohibited
X’25’ X’D2’ – Update dAK/dAK’
Pair
Prohibited Prohibited
X’25’ X’D3’ – Remove dAK/dAK’
Pair
Prohibited Prohibited
X’25’ X’D5’ – Drive
Challenge/Response
Allowed Prohibited
X’25’ X’D6’ – Query Drive
Certificate
Allowed Prohibited
X’25’ X’D7’ – Query/Setup HMAC Prohibited Prohibited
X’25’ X’D8’ – Install eAK Prohibited Prohibited
X’25’ X’D9’ – Query eAK Prohibited Prohibited
X’25’ X’DA’ – Update eAK Prohibited Prohibited
X’25’ X’DB’ – Remove eAK Prohibited Prohibited
X’25’ X’DF’ – Query dSK Allowed Prohibited
X’25’ X’E0’ – Setup SEDK Allowed Prohibited
X’25’ X’E1’ – Alter DKx Allowed Prohibited
X’25’ X’E2’ – Query DKx (Active) Allowed Prohibited
X’25’ X’E3’ – Query DKx (Needed) Allowed Prohibited
X’25’ X’E4’ – Query DKx (Entire) Allowed Prohibited
X’25’ X’E5’ – Query DKx (Pending) Allowed Prohibited
X’25’ X’EE’ – Request DKx
(Translate)
Allowed Prohibited
X’25’ X’EF’ – Request DKx
(Generate)
Allowed Prohibited
X’25’ X’FE’ – Drive Error Notify Allowed Prohibited
X’30’ X’20’ – Encryption Mode Prohibited Prohibited
Loading a FIPS 140-2 validated drive microcode level and configuring the drive for SME or LME
operation initializes the LTO Gen6 into the approved mode of operation. The FIPS 140-2 validated drive
microcode level should be loaded twice to ensure the firmware occupies both the main and reserved
firmware locations.
The LTO Gen6 supports multi-initiator environments, but only one initiator may access cryptographic
functions at any given time. Therefore the LTO Gen6 does not support multiple concurrent operators.
The LTO Gen6 implements a non-modifiable operational environment which consists of a firmware image
stored in FLASH. The firmware image is copied to, and executed from, RAM. The firmware image can
only be updated via FIPS-approved methods that verify the validity of the image.
The LTO Gen6 drive operates as a stand-alone tape drive and has no direct dependency on any specific
operating system or platform for FIPS approved operating mode, but does have requirements for:
 Key Manager/Key Store attachment
 Drive Configuration
Version 1 Revision 7
11
The following criteria apply to the usage environment:
 Key Manager and Key Store Attachment
o In both SME and LME modes of operation, an IBM key manager, such as the Encryption
Key Manager (EKM), the Tivoli Key Lifecycle Manager (TKLM), or the IBM Security
Key Lifecycle Manager (ISKLM), and a supported key store must be used in a manner
which supports secure import and export of keys with the LTO Gen6 drive :
 Keys must be securely passed into the LTO Gen6 drive. The key
manager must support encryption of the Data Key to form an Session
Encrypted Data Key (SEDK) for transfer to the LTO Gen6 drive using
the LTO Gen6 drive public Session Key and a 2048-bit RSA
encryption method.
 The key manager/key store must be able to use the DKi it supplies the
drive to determine the Data Key.
 Drive Configuration requirements
o The LTO Gen6 drive must be configured in SME or LME encryption mode.
o The LTO Gen6 drive must have the FIPS 140-2 validated drive firmware level loaded
and operational.
o Drive must be configured in the approved mode of operation.
o In LME mode, the LTO Gen6 drive must be operated in an automation device which
operates to the LDI or ADI interface specifications provided.
Version 1 Revision 7
12
3.3 Ports and Interfaces
The cryptographic boundary of the LTO Gen6 drive cryptographic module is the drive brick. Tape data
blocks to be encrypted (write operations) or decrypted data blocks to be returned to the host (read
operation) are transferred on the host interface ports using SCSI commands, while protected key material
may be received on the host interface ports or the library port.
The physical ports are separated into FIPS-140-2 logical ports as described below.
Table 4: Ports Common to All Host Interface Types
LTO Gen6 Drive
Physical Ports
FIPS-140-2
Logical Interface
Crypto
Services
Interface Functionality
BAB Port Disabled None  Disabled by FIPS approved firmware levels.
RS-422 Port Data Input
Data Output
Control Input
Status Output
Yes  Inputs data
 Crypto: Inputs protected keys from the key
manager in LME mode.
 Outputs data
 Outputs encrypted key components
 Inputs LDI and LMI protocol commands.
 Outputs LDI and LMI protocol status.
RS-232 Port Disabled None  Disabled by FIPS approved firmware levels.
Ethernet Port Control Input
Status Output
Data Input
None  Inputs controls and image for firmware load
 Outputs status
Threader Power
Port
Power None  Supplies power to threader unit internal to tape
drive brick.
Input Power Port Power None  Inputs power to the LTO Gen6 drive
Write Protect
Switch (FH models
only)
Control Input None  Inputs write protect state of the cartridge
Front Panel Single-
Character Display
(SCD)
Status Output None  Displays status
Front Panel Amber
LED
Status Output None  Displays status
Front Panel Green
LED
Status Output None  Displays status
Front Panel Unload
Button
Control Input None  Inputs unload command
 Places the drive in manual diagnostic mode
 Scrolls through manual diagnostics
 Exits manual diagnostic mode
 Forces drive dump
 Resets the drive
Cartridge Memory
RFID Port
Data Input
Data Output
Yes  Inputs parameters.
 Crypto: Inputs encrypted data indicator
 Outputs parameters.
 Crypto: Outputs encrypted data indicator
Read/Write Head Data Input
Data Output
Control Input
None  Inputs data from tape cartridges
 Outputs data to tape cartridges
 Inputs command to load firmware from special
FMR cartridges
Version 1 Revision 7
13
Table 4a: Fibre Channel-Specific Host Interfaces Ports
LTO Gen6 FC
Drive
Physical Ports
FIPS-140-2
Logical Interface
Crypto
Services
Interface Functionality
Fibre Channel Port
0
Data Input
Data Output
Control Input
Status Output
Yes  Inputs data
 Crypto: Inputs protected keys from the key
manager in SME mode.
 Outputs data
 Outputs encrypted key components
 Inputs SSC-3 SCSI protocol commands
 Outputs SSC-3 SCSI protocol status
Fibre Channel Port
1
Fibre Channel
Loop ID Port
Control Input
Status Output
None  Inputs fibre channel interface control parameters
 Outputs fibre channel interface status
Fibre Channel Link
Characteristics Port
Control Input None  Inputs fibre channel interface control parameters
Feature Switches Control Input None  Inputs RS-422 interface control parameters
 Inputs fibre channel interface control parameters
 Inputs read/write head cleaner brush control
parameters
Table 4b: SAS-Specific Host Interfaces Ports
LTO Gen6 SAS
drive
Physical Ports
FIPS-140-2
Logical Interface
Crypto
Services
Interface Functionality
SAS Connector Data Input
Data Output
Control Input
Status Output
Power
Yes  Inputs data
 Crypto: Inputs protected keys from the key
manager in SME mode
 Outputs data
 Outputs encrypted key components
 Inputs T10 SAS Standards commands
 Outputs T10 SAS Standards status
Feature Switches Control Input None  Inputs RS-422 interface control parameters
 Inputs read/write head cleaner brush control
parameters
Version 1 Revision 7
14
3.4 Roles and Services
The LTO Gen6 drive supports both a Crypto Officer role and a User role, and uses basic cryptographic
functions to provide higher level services. For example, the LTO Gen6 drive uses the cryptographic
functions as part of its data reading and writing operations in order to perform the encryption/decryption of
data stored on a tape.
The Crypto Officer role is implicitly assumed when an operator performs key zeroization. The User role is
implicitly assumed for all other services.
The two main services the LTO Gen6 drive provides are:
 Encryption or decryption of tape data blocks using the Data Block Cipher Facility.
 Establishment and use of a secure key channel for key material passing by the Secure Key Interface
Facility.
It is important to note that the Secure Key Interface Facility may be an automatically invoked service when
a user issues Write or Read commands with encryption enabled that require key acquisition by the LTO
Gen6 drive. Under these circumstances the LTO Gen6 drive automatically establishes a secure
communication channel with a key manager and performs secure key transfer before the underlying write
or read command may be processed.
3.4.1 User Guidance
The services table describes what services are available to the User and Crypto Officer roles.
 There is no requirement for accessing the User Role
 There is no requirement for accessing the Crypto Officer Role
Single Operator requirements:
 The LTO Gen6 drive enforces a requirement that only one host interface initiator may have access
to cryptographic services at any given time.
Version 1 Revision 7
15
3.4.2 Provided Services
Available services are also documented in the specified references. All of the service summarized here,
excluding the services expressly prohibited in Table 3, are allowed in the FIPS mode of operation.
Table 5: Provided Services
Service Interface(s) Description Inputs Outputs Role
General SCSI
commands
- Host As documented in the
LTO Ultrium Tape
Drive SCSI Reference
See
description
See
description
User
General Library
Interface commands
- Library As documented in the
Drive Library LDI and
LMI Interface
Specifications
See
description
See
description
User
Unload tape - Host/Library
- Front Panel
Unload
Button
Unload tape can be
performed using unload
button or via commands
over the host or library
interface
Button press Green LED
flashes
while
unload is in
progress.
User
Enter manual
diagnostic mode
- Front Panel
Unload
Button
Place in manual
diagnostic mode via the
unload button
Button press SCD
displays 0.
Amber
LED
becomes
solid.
User
Scrolls through
manual diagnostic
functions
- Front Panel
Unload
Button
Scroll through manual
diagnostic functions via
the unload button
Button press SCD
changes to
indicate
scrolling.
User
Exits manual
diagnostic mode
- Front Panel
Unload
Button
Exit manual diagnostic
mode via the unload
button
Button press SCD
becomes
blank.
Green LED
becomes
solid.
User
Forces drive dump - Front Panel
Unload
Button
Force a drive dump via
the unload button
Button press SCD shows
0, then
becomes
blank.
User
Resets the drive - Front Panel
Unload
Button
Power-cycle the device
via Unload Button
Button press Reboot
occurs.
User
Version 1 Revision 7
16
Service Interface(s) Description Inputs Outputs Role
Encrypting Write-
type Command
- Host The Secure Key
Interface Facility
automatically requests a
key, provides
authentication data,
securely transfers and
verifies the key material.
The Data Block Cipher
Facility encrypts the data
block with the received
Data Key using AES-
GCM block cipher for
recording to media. A
received DKx is
automatically written to
media using the RW
Head Interface.
The decryption-on-the-
fly check performs AES-
GCM decryption of the
encrypted data block and
verifies the correctness
of the encryption process
- Plaintext
data
- SEDK
- DKx
- Encrypted
data on tape
- DKx on
tape
User
Decrypting Read-
type Command
- Host The Secure Key
Interface Facility
automatically requests a
key, provides
authentication data and
DKx information if
available, securely
transfers and verifies the
key material.
The received Data Key
is used by the Data
Block Cipher Facility to
decrypt the data block
with using AES-GCM
decryption and
returning plaintext data
blocks to the host;
Optionally in Raw mode
the encrypted data block
may be returned to the
host in encrypted form
(not supported in
approved configuration)
SEDK - Plaintext
data to host
User
Set Encryption
Control Parameters
(including Bypass
Mode)
- Host
- Library
Performed via Mode
Select to Mode Page
x’25’ and Encryption
Subpage X’C0’
Requested
Mode Page
and Subpage
None User
Query Encryption
Control Parameters
(including Bypass
Mode)
- Host
- Library
Performed via Mode
Sense to Mode Page
x’25’ and Encryption
Subpage X’C0’
Requested
Mode Page
and Subpage
Mode Data User
Version 1 Revision 7
17
Service Interface(s) Description Inputs Outputs Role
Show Status
(Visual Indicators)
- Front Panel
LEDs and
Single-
Character
Display
Visual indicators that an
encryption operation is
currently in progress
may be monitored on the
front panel
From LTO
Gen6 drive
operating
system
Visual
indicators
on front
panel
User
Drive
Challenge/Response
- Host
- Library
Allows programming
challenge data and
reading an optionally)
encrypted, signed
response; not used in
default configuration.
Performed via mode
select and mode sense
to Mode Page x’25’ and
Encryption Subpage
x’D5’; not used in
default configuration
Requested
Mode Page
and Subpage
Mode Data User
Query Drive
Certificate
- Host
- Library
Allows reading of the
Drive Certificate public
key. Performed via
mode sense to Mode
Page x’25’ and
Encryption Subpage
x’D6’; the provided
certificate is signed by
the IBM Tape Root CA.
Requested
Mode Page
and Subpage
Mode Data User
Query dSK - Host
- Library
Allows reading of the
Drive Session (Public)
Key Performed via
mode sense to Mode
Page x’25’ and
Encryption Subpage
X’DF’ .
Requested
Mode Page
and Subpage
Mode Data User
Setup SEDK
structure (a
protected key
structure)
- Host
- Library
This is the means to
import a protected
private key to the LTO
Gen6 drive for use in
writing and encrypted
tape or in order to read a
previously encrypted
tape. Performed via
mode select to Mode
Page x’25’ and
Encryption Subpage
x’E0’.
In this service, the
module generates a drive
session key pair. The
module then sends the
dSK to the key manager
where it is used to create
an SEDK. Then, the key
manager sends the
SEDK back to the
module.
Requested
Mode Page
and Subpage
Mode Data User
Version 1 Revision 7
18
Service Interface(s) Description Inputs Outputs Role
Query DKx(s) –
active, needed,
pending , entire (all)
- Host
- Library
Allows the reading from
the drive of DKx
structures in different
categories for the
medium currently
mounted. Performed by
Mode Select commands
to Mode Page x25’ and
various subpages.
Requested
Mode Page
and Subpage
Mode Data User
Request DKx(s)
Translate
- Host
- Library
This status command is
used when the drive has
already notified the Key
Manager that is has read
DKx structures from a
mounted, encrypted tape
and needs them
translated to an SEDK
and returned for the
drive to read the tape.
The key manager issues
this command to read
DKx structures which
the drive requires to be
translated by the Key
Manager and
subsequently returned to
the drive as an SEDK
structure to enable
reading of the currently
active encrypted area of
tape. Performed via
mode sense to Mode
Page x’25’ and
Encryption Subpage
X’EE’.
Requested
Mode Page
and Subpage
Mode Data User
Request DKx(s)
Generate
- Host
- Library
This status command is
used when the drive has
already notified the Key
Manager that it requires
new SEDK and DKx
structures to process a
request to write an
encrypted tape. This
page provides
information about the
type of key the drive is
requesting. Performed
via mode sense to Mode
Page x’25’ and
Encryption Subpage
X’EF’.
Requested
Mode Page
and Subpage
Mode Data User
Version 1 Revision 7
19
Service Interface(s) Description Inputs Outputs Role
Alter DKx(s) - Host
- Library
This command is used to
modify the DKx
structures stored to tape.
The LTO Gen6 drive
will write the modified
structures out to the tape
as directed.
Performed via mode
sense to Mode Page
x’25’ and Encryption
Subpage x’E1’.
Requested
Mode Page
and Subpage
Mode Data User
Drive Error Notify
and Drive Error
Notify Query
- Host
- Library
These status responses
are the means used by
the drive to notify the
Key Manager that an
action is required, such
as a Key generation or
Translate, to proceed
with an encrypted write
or read operation. These
status responses are read
via Mode Sense
commands to Mode
Page x’25’ subpage ‘EF”
and ‘FF’.
Requested
Mode Page
and Subpage
Mode Data User
Power-Up Self-Tests - Power
- Host
- Library
Performs integrity and
cryptographic algorithm
self-tests, firmware
image signature
verification
None
required
Failure
status, if
applicable
User,
Crypto
Officer
Configure Drive
Vital Product Data
(VPD) settings
- Host
- Library
Allows controlling of
default encryption mode
and other operating
parameters
From LTO
Gen6 drive
operating
system
Vital
Product
Data (VPD)
User
Key Path Check
diagnostic
- Host As documented in the
LTO Ultrium Tape
Drive SCSI Reference
Send
Diagnostic
command
specifying
the Key Path
diagnostic
Send
Diagnostic
command
status
User
Key Zeroization - Host Zeroes all private
plaintext keys in the
LTO Gen6 drive via a
Send Diagnostic
command with
Diagnostic ID EFFFh, as
documented in the IBM
TotalStorage LTO
Ultrium Tape Drive
SCSI Reference.
Send
Diagnostic
command
specifying
the Key
Zeroization
Send
Diagnostic
command
status
Crypto
Officer
Firmware Load - Host Load new firmware to
the module
New
firmware
Load test
indicator
Crypto
Officer
Version 1 Revision 7
20
3.5 Physical Security
The LTO Gen6 drive cryptographic boundary is the drive “brick” unit. The drive brick unit has industrial
grade covers, and all the drive’s components are production grade. The LTO Gen6 drive requires no
preventative maintenance, and field repair is not performed for the unit. The drive brick covers are not
removed in the field in the approved configuration. All failing units must be sent intact to the factory for
repair.
Figure 2a: Front View of LTO Gen6 Full-High Drive Brick
Figure 2b: Rear View of LTO Gen6
Full-High Fibre Channel Drive Brick
Figure 2c: Rear View of LTO Gen6
Full-High SAS Drive Brick
Version 1 Revision 7
21
3.6
Figure 2d: Front View of LTO Gen6 Half-High Drive Brick
Figure 2e: Rear View of LTO Gen6
Half-High Fibre Channel Drive Brick
Figure 2f: Rear View of LTO Gen6
Half-High SAS Drive Brick
Version 1 Revision 7
22
Cryptographic Algorithms and Key Management
3.6.1 Cryptographic Algorithms
The LTO Gen6 drive supports the following basic cryptographic functions. These functions are used by the
Secure Key Interface Facility or the Data Block Cipher Facility to provide higher level user services.
Table 6: Basic Cryptographic Functions
Algorithm Type /Usage Specification Approved? Used by Algorithm
Certificate
AES-ECB mode
encryption/decryption
(256-bit keys)
Symmetric cipher
provides underlying
AES encryption.
AES key wrapping
AES: FIPS
197
Yes Firmware #2694
AES-GCM mode
encryption / decryption
(256-bit keys)
Symmetric Cipher
Encrypts data blocks
while performing
decrypt-on-the-fly
verification
Decrypts data blocks
AES: FIPS-
197
GCM:
SP800-38D
Yes ASIC #2692,
#2693
DRBG IV generation for
AES-GCM, Drive
Session Key
generation
SP800-90
using SHA-
512
Yes Firmware #440
SHA-1 Hashing algorithm.
Multiple uses
FIPS-180-4 Yes Firmware #2261
SHA-256 Hashing algorithm
digest checked on
key manager
messages, digest
appended on
messages to key
manager
FIPS-180-4 Yes Firmware #2261
SHA-512 Hashing algorithm
supports DRBG
FIPS 180-4 Yes Firmware #2261
RSA Sign/Verify Digital signature
generation and
verification to sign
the session key and
to verify firmware
image signature on
firmware load
FIPS 186-2 Yes Firmware #1392
RSA Key Generation
(2048-bit keys)
Key Generation
Session key
generation
- No, but
allowed in
FIPS mode1
Firmware N/A
RSA Key Transport
(2048-bit keys)
Decryption of
transported SEDK
key material
(provides 112 bits of
encryption strength)
- No, but
allowed in
FIPS mode
Firmware N/A
TRNG (Custom) Seeding DRBG - No2
ASIC N/A
1
Allowed for generation of keys used by the RSA Key Transport mechanism
2
Allowed in FIPS mode for seeding approved DRBG
Version 1 Revision 7
23
3.6.2 Security Parameters
This table lists LTO Gen6 drive critical security parameters (CSPs) and non-critical security parameters.
Table 7: Security Parameters
Security
Parameter
CSP Key
Type
Input into
Module
Output
from
Module
Generation
Method
Storage
Location
Storage
Form
Zeroized
Drive
Certificate
Public Key
(dCert)
No RSA
2048-bit
Yes -
at time of
manufacture
Yes N/A Drive Vital
Product Data
(VPD)
Non-volatile
Plaintext
N/A
Drive
Certificate
Private Key
(dCert’)
Yes RSA
2048-bit
Yes -
at time of
manufacture
No N/A Drive VPD Non-volatile
X.509
certificate
signed with
the IBM Tape
root CA
Yes
Drive Session
Public Key
(dSK)
No RSA
2048-bit
No –
Generated by
module
Yes Non-
approved,
allowed in
FIPS mode
Drive RAM Ephemeral
Plaintext
N/A
Drive Session
Private Key
(dSK’)
Yes RSA
2048-bit
No –
Generated by
module
No Non-
approved,
allowed in
FIPS mode
Drive RAM Ephemeral
Plaintext
Yes
Data Key
(DK)
Yes AES
256-bit
symmetric
key
Yes –
(Received in
encrypted
form)
No N/A Before Use:
Drive RAM
Ephemeral
Plaintext
Yes
When in use:
Stored In
ASIC;
(unreadable
register)
Cryptographic
Data Key
(cDK)
Yes AES
256-bit
symmetric
key
No –
Generated by
module
No PRNG Before Use:
Drive RAM
Ephemeral
plaintext
Yes
When in use:
Stored in
ASIC
(unreadable
register)
Ephemeral
encrypted
form as wDK
DRBG
Entropy Input
String
Yes 256-bit
input
string
No –
Generated by
module
No TRNG Drive RAM Ephemeral
Plaintext
Yes
DRBG value,
V
Yes 256 bits No –
Generated by
module
No Internal state
value of
DRBG
Drive RAM Ephemeral
Plaintext
Yes
DRBG
constant, C
Yes 256 bits No –
Generated by
module
No Internal state
value of
DRBG
Drive RAM Ephemeral
Plaintext
Yes
Additional notes on key management:
 Secret and private keys are never output from the LTO Gen6 drive in plaintext form.
 Secret keys may only be imported to the LTO Gen6 drive in encrypted form.
 Zeroization behavior outlines in Table 8.
Version 1 Revision 7
24
Table 8: CSP Access Table
Drive
Certificate
Public
Key
(
dCert)
Drive
Certificate
Private
Key
(dCert’)
Drive
Session
Public
Key
(dSK)
Drive
Session
Private
Key
(dSK’)
Data
Key
(DK)
Cryptographic
Data
Key
cDK
DRBG
Entropy
Input
Key
DRBG
value
,V
DRBG
Constant,
C
General SCSI commands
General Library Interface commands R R
Service Panel Configuration
Service Panel Diagnostics X X X X X
Service Panel Status Display
Front Panel Interface Status
Front Panel Interface Unload W W W W
Front Panel Interface Reset W W W W W W W
Encrypting Write-type Command X X
Decrypting Read-type Command X X
Set Encryption Control Parameters
(including Bypass Mode)
Query Encryption Control Parameters
(including Bypass Mode)
“Show Status”
Drive Challenge/Response X X X X
Query Drive Certificate R
Query dSK X R
Setup an SEDK structure (a protected
key structure)
X W W
Drive Error Notify and Drive Error
Notify Query
Power-Up Self-Tests X X X X X
Configure Drive Vital Product Data
(VPD) settings
W W
Key Path Check diagnostic X X RX X
Key Zeroization W W W W W W W W W
Firmware Load Test
Version 1 Revision 7
25
3.6.3 Self-Test
The LTO Gen6 drive performs both Power On Self Tests and Conditional Self tests as follows.
The operator shall power cycle the device to invoke the Power On Self tests.
Table 9: Self-Tests
Function
Tested
Self-Test Type Implementation Failure Behavior
AES-ECB Power-up KAT performed for Encrypt and Decrypt FSC 0x1130
posted
AES-GCM
(256-bit keys)
Power-Up KAT performed for Encrypt and Decrypt
(256-bit)
FSC 0x1130
posted
DRBG Power-Up KAT performed FSC 0x1133
posted
SHA-1 Power-Up KAT performed FSC 0x1131
posted
SHA-256 Power-Up KAT performed FSC 0x1131
posted
SHA-512 Power-Up KAT performed FSC 0x1131
posted
RSA Sign
KAT and
Verify KAT
Power-Up KAT performed FSC 0x1131
posted
Firmware
Integrity
Check
Power-Up RSA digital signature verification of
application firmware; CRC check of SH
vital product data (VPD); CRC check of
FPGA image.
Drive reboot
VPD Integrity
Check
Power-Up CRC check of vital product data (VPD) FSC 0x112E
posted
DRBG Conditional:
When a random
number is generated
Continuous random number generator test
performed.
FSC 0x1133
posted
TRNG
(Custom)
Conditional:
When a random
number is generated
Continuous random number generator test
performed.
Drive reboot
Firmware
Load Check
Conditional:
When new firmware is
loaded or current
firmware is re-booted
RSA signature verification of new
firmware image before new image may
be loaded
Drive rejects code
load with FSC
0x5902
Exclusive
Bypass Test
Conditional:
When switching
between encryption
and bypass modes
Ensure the correct output of data after
switching modes.
Check to ensure the key is properly
loaded.
Drive reboots and
rejects failure
injection code
level.
Version 1 Revision 7
26
3.6.4 Bypass States
The LTO Gen6 drive supports a single static bypass mode. Bypass entry, exit, and status features are
provided to meet approved methods for use of bypass states.
Two independent internal actions are required to activate bypass mode. First, the LTO Gen6 drive checks
the host interface on which the bypass request was received for transmission errors. Then the LTO Gen6
drive checks the value of the Encryption State field within the Encryption Control 1 field of Mode Page
X’25’ to determine if the bypass capability is enabled.
3.7 Design Assurance
LTO Gen6 drive release parts are maintained under the IBM Engineering Control (EC) system. All
components are assigned a part number and EC level and may not be changed without re-release of a new
part number or EC level.
The following table shows the certified configuration for each host interfaces of the LTO Gen6 encrypting
tape drive:
Table 9: Certified Configurations
IBM LTO Generation 6
Encrypting Tape Drive
Hardware
Part
Number
Firmware
Part
Number
EC
Level
Firmware Image
Full-High Fibre Channel
Interface
00V7133 12X5118 M12977 LTO6_DA86.fcp_fh_f.fmrz
Half-High Fibre Channel
Interface
00V7137 12X5116 M12977 LTO6_DA86.fcp_hh_f.fmrz
Full-High SAS Interface 00V7135 12X5119 M12977 LTO6_DA86.sas_fh_f.fmrz
Half-High SAS Interface 00V7139 12X5117 M12977 LTO6_DA86.sas_hh_f.fmrz
3.8 Mitigation of other attacks
The LTO Gen6 drive does not claim to mitigate other attacks.