UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 1 UD info Corp. UD info DA-series FIPS SSD HF3-25DA Series M2S-80DA Series M2P-80DA Series FIPS 140-2 Cryptographic Modules Non-Proprietary Security Policy Document Revision: V1.01 UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 2 Revision History Revision Date History Author 1.00 2021/05/07 New release Golden Lee 1.01 2023/12/07 Add cryptographic modules supporting Nand Flash BiCS5 Golden Lee UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 3 1. INTRODUCTION .......................................................................................... 4 2. CRYPTOGRAPHIC BOUNDARY .................................................................... 7 3. ACRONYMS.................................................................................................. 8 4. SECURITY LEVEL SPECIFICATION .............................................................. 9 5. PHYSICAL PORTS AND LOGICAL INTERFACES ......................................... 10 6. SECURITY RULES ...................................................................................... 11 6.1. NON-APPROVED MODE OF OPERATION.............................................................. 11 6.2. SECURITY INITIALIZATION ....................................................................................13 6.3. FIPS-APPROVED MODE OF OPERATION...............................................................14 6.4. CRYPTOGRAPHIC OFFICER GUIDANCE...............................................................15 6.5. USER GUIDANCE........................................................................................................15 6.6. SELF TESTS..................................................................................................................15 6.6.1. POWER UP SELF TESTS.................................................................................16 6.6.2. CONDITIONAL SELF TESTS .........................................................................17 7. CRITICAL SECURITY PARAMETERS, PUBLIC KEYS, AND PRIVATE KEYS. 18 8. IDENTIFICATION AND AUTHENTICATION POLICY .................................. 20 9. ACCESS CONTROL POLICY ........................................................................ 22 9.1. AUTHENTICATED SERVICES ..................................................................................22 9.2. UNAUTHENTICATED SERVICE...............................................................................24 10. APPROVED ALGORITHMS.......................................................................... 26 11. PHYSICAL SECURITY POLICY ................................................................... 29 12. MITIGATION OF OTHER ATTACKS POLICY ............................................... 30 UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 4 1. INTRODUCTION UD info DA-series FIPS SSD, hereafter referred to as “UD info SSD” or the “cryptographic modules” are multi-chip embedded cryptographic modules designed to fulfill FIPS 140-2 level 2 requirements and offer on-the-fly AES encryption and decryption of user data stored on the NAND Flash. UD info SSDs offer both NVMe PCIe as well as SATA III interfaces and are fully compliant with industry standard TCG OPAL SSC protocol. Module Capacity HW P/N and Version FW Version 2.5-inch SATA NAND Flash SSD 128GB HF3-25DA128GB-A8P SCPU13.0 256GB HF3-25DA256GB-A8P SCPU13.0 256GB HF3-25DA256GB-B8P SCQU15.0 512GB HF3-25DA512GB-A8P SCPU13.0 512GB HF3-25DA512GB-B8P SCQU15.0 1024GB HF3-25DA001TB-A8P SCPU13.0 1024GB HF3-25DA001TB-B8P SCQU15.0 2048GB HF3-25DA002TB-A8P SCPU13.0 2048GB HF3-25DA002TB-B8P SCQU15.0 4096GB HF3-25DA004TB-B8P SCQU15.0 M.2 2280 SATA NAND Flash SSD 128GB M2S-80DA128GB-A8P SCPU13.0 256GB M2S-80DA256GB-A8P SCPU13.0 256GB M2S-80DA256GB-B8P SCQU15.0 512GB M2S-80DA512GB-A8P SCPU13.0 512GB M2S-80DA512GB-B8P SCQU15.0 1024GB M2S-80DA001TB-A8P SCPU13.0 1024GB M2S-80DA001TB-B8P SCQU15.0 2048GB M2S-80DA002TB-A8P SCPU13.0 2048GB M2S-80DA002TB-B8P SCQU15.0 M.2 2280 NVMe NAND Flash SSD 256GB M2P-80DA256GB-A8P ECPU13.0 256GB M2P-80DA256GB-BEP ECQU15.0 512GB M2P-80DA512GB-A8P ECPU13.0 512GB M2P-80DA512GB-BEP ECQU15.0 1024GB M2P-80DA001TB-A8P ECPU13.0 1024GB M2P-80DA001TB-BEP ECQU15.0 2048GB M2P-80DA002TB-A8P ECPU13.0 2048GB M2P-80DA002TB-BEP ECQU15.0 Exhibit 1 - Cryptographic Module Configurations. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 5 Exhibit 2 - Specification of the 2.5-inch SATA NAND Flash SSD Cryptographic Boundary (From left to right: top side, bottom side). Exhibit 3 - Specification of the M.2 2280 SATA NAND Flash SSD Cryptographic Boundary (From top to bottom: top side, bottom side). UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 6 Exhibit 4 - Specification of the M.2 2280 NVMe NAND Flash SSD Cryptographic Boundary (From top to bottom: top side, bottom side). UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 7 2. CRYPTOGRAPHIC BOUNDARY The cryptographic boundary of the modules is the physical perimeter of the PCB including the physical connector (SATA/NVMe). The following diagram defines the cryptographic boundary as Exhibit 5. Exhibit 5 - Specification of Cryptographic Boundary. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 8 3. ACRONYMS Term Description AES Advanced Encryption Standard CBC Cipher Block Chaining CMVP Cryptographic Module Validation Program CO Cryptographic Officer CSP Critical Security Parameter DRBG Deterministic Random Bit Generator EMI/EMC Electromagnetic Interference / Electromagnetic Compatibility HMAC (Keyed-) Hash Message Authentication Code KAT Known Answer Test KEK Key Encryption Key NDRNG Non-Deterministic Random Number Generator MEK Media Encryption Key RSA Rivest, Shamir, and Adleman SHA Secure Hash Algorithm Exhibit 6 - Specification of Acronyms and their Descriptions. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 9 4. SECURITY LEVEL SPECIFICATION This document was prepared as part of the Level 2 FIPS 140-2 validation of the module. The following table lists the module’s FIPS 140-2 security level for each section as Exhibit 7. Security Requirements Area Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 3 Self-tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Exhibit 7 - Security Level Table. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 10 5. PHYSICAL PORTS AND LOGICAL INTERFACES The ports and interfaces of the cryptographic module are as follows: • SATA/NVMe Connector The following ports are disabled during the manufacturing process and physically protected by the module’s physical security mechanisms. Therefore, they are considered latent-functionality and not available when operating in FIPS mode or non-FIPS mode: • JTAG • UART Exhibit 8 shows how the module’s physical interfaces map to the logical interfaces defined in FIPS 140-2. Physical Port Logical Interface SATA/NVMe Connector Data Input SATA/NVMe Connector Control Input SATA/NVMe Connector Data Output SATA/NVMe Connector Status Output SATA/NVMe Connector Power Exhibit 8 - Specification of Cryptographic Module Physical Ports and Logical Interfaces. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 11 6. SECURITY RULES 6.1.NON-APPROVED MODE OF OPERATION The moment the module is shipped from the factory, in this fresh out-of-box state the module is in a non-approved mode of operation. The Cryptographic Officer shall follow the requirements defined in the Security Policy including following the initialization procedures in section 6.2 to initialize the module into a FIPS Approved mode of operation In the non-approved mode of operation, the module supports the following services and algorithms: Role Service Algorithms Unauthenticated Role Power Cycle N/A Unauthenticated Role Generate Random Number DRBG (non-compliant) Unauthenticated Role Show Status N/A Anybody TCG Get MBR N/A Unauthenticated Role Reset N/A Unauthenticated Role Return to uninitialized state (PSID) DRBG (non-compliant) AES-XTS (non-compliant) AES-KW (non-compliant) Unauthenticated Role Show FIPS approve mode state N/A Anybody TCG Get MSID N/A Anybody TCG Session Control HMAC (non-compliant) SHA (non-compliant) PBKDF (non-compliant) Unauthenticated Role SATA Standard N/A Unauthenticated Role NVMe Standard N/A Unauthenticated Role User Data Read/Write AES-XTS (non-compliant) Unauthenticated Role TCG Session Control N/A Unauthenticated Role Non User Data Output N/A Unauthenticated Role Non User Data Input N/A Unauthenticated Role Configuration N/A Unauthenticated Role Self-Test N/A Unauthenticated Role Show Status(DAS) N/A UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 12 Role Service Algorithms Cryptographic Officer (Drive Owner) TCG Activate AES-KW (non-compliant) Cryptographic Officer, User TCG Set PIN SHA (non-compliant) Cryptographic Officer, User TCG Gen Key DRBG (non-compliant) Cryptographic Officer TCG Enable/Disable Authority N/A Cryptographic Officer TCG Set/Get LBA Range N/A Cryptographic Officer, User TCG Lock / Unlock LBA Range AES-XTS (non-compliant) AES-KW (non-compliant) Cryptographic Officer Return to uninitialized state DRBG (non-compliant) AES-XTS (non-compliant) AES-KW (non-compliant) Cryptographic Officer TCG Set MBR N/A Cryptographic Officer TCG SET/GET DataStore N/A Cryptographic Officer TCG SET ACE N/A Cryptographic Officer TCG Enable/Disable MBR Mode N/A Exhibit 9 - Non-Approved Mode Services. NOTE: Unauthenticated Role is a role who is eligible for making use of non-TCG OPAL commands. Anybody is a role who is able to use the TCG OPAL command based services (as listed in Exhibit 9) without password UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 13 6.2.SECURITY INITIALIZATION Cryptographic Officer (Drive Owner) needs to follow these steps to initialize the cryptographic module into FIPS approved mode after having received the UD info SSD drive. 1. Examine the tamper evidence and check the module has not been tampered. 2. StartSession SID of AdminSP with MSID password, and then set new password for SID password. The new password shall be at least 20 bytes. 3. Disable AdminSP “Makers” Authority. 4. Execute TCG activate command to have the module enter TCG active mode. 5. StartSession Admin1 of LockingSP with new password of SID in Step2, and then set new password for Admin1-4 passwords and User1-9 passwords of LockingSP. The new passwords shall be at least 20 bytes. 6. Configure all LockingRanges of LockinSP by setting ReadLockEnabled and WriteLockEnabled columns to TRUE. 7. Power cycle the module. 8. Check if the module is in the FIPS approved mode by using the Identify command response data byte 506 bit1 (SATA) or the Identify controller command response data byte 4093 bit1 (NVMe). The bit1 shall be set to 1. 9. Check the module’s firmware version using the Identify command response data dword 23-26 (SATA) or the Identify controller command response data byte 64- 71 (NVME). The firmware version shall be an approved version as per Exhibit 1 above. NOTE: New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module that is not reflected in Exhibit 1 above is out of the scope of this validation and requires a separate FIPS 140-2 validation. After following these steps the drive is in the FIPS approved mode of operation. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 14 6.3.FIPS-APPROVED MODE OF OPERATION Once the Cryptographic Officer has followed the initialization procedures in section 6.2, the module is in a FIPS-approved mode of operation. Any violation of section 6.2 or other requirements specified in the Security Policy will place this module in a non- approved mode of operation. In the FIPS-approved mode of operation the module shall adhere to the following rules: 1. Operators shall not use passwords less than 20 bytes. 2. The module generates at a minimum 256 bits of entropy for use in key generation. 3. The cryptographic module satisfies the requirements of FIPS 140-2 IG A.9 (ex:. key_1 ≠ key_2). 4. The cryptographic module shall not output CSPs in any form. 5. The cryptographic module enters the FIPS Error State upon failure of self-tests and the module ceases to provide cryptographic services and inhibits all data outputs. 6. The approved DRBG shall be used for generating cryptographic keys. 7. The cryptographic module shall enforce role-based authentication for security relevant services. 8. The cryptographic module shall enforce a limited operational environment by the secure firmware load test using RSA-2048 with SHA-256. 9. An operator can invoke on demand power-on self tests by power cycling the module. 10.Data output interface is inhibited when module is performing self-test and when the module is in an Error State. 11.Data output interface is logically disconnected when module is performing key generation or zeroization processes. 12.Caveat: The module generates cryptographic keys whose strengths are modified by available entropy. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 15 6.4.CRYPTOGRAPHIC OFFICER GUIDANCE 1. Periodically examine tamper evidence, if evidence of tamper has been detected then the device must be put out of service and the Cryptographic Officer (Drive Owner) shall be notified. 2. When first executing StartSession with the password provided by Cryptographic Officer (Drive Owner), the Cryptographic Officer (CO) needs to change to a new password for the CO himself and the password must contain at least 20 bytes. 6.5.USER GUIDANCE 1. When first executing StartSession with the password which was provided by CO, user needs to change to a new user password and the password must contain at least 20 bytes. 6.6.SELF TESTS When self tests fail, module either enters the Boot Code Fail Loop State or the FIPS error state in which it ceases to provide any services to the host and where the error can only be cleared by power-cycling of the module. FIPS Error State: When module enters FIPS Error State, the module can’t service any host commands and the DAS signal pin will toggle at a 1Hz frequency. (The DAS signal default is high.) Boot Code Fail Loop State: When module enters Boot Code Fail Loop State, the module is not accessible by the host. This is an implicit status as no service nor command input will be processed and the data output and status output interfaces are inhibited. Note: For different form factor, the assigned DAS PIN number is: 2.5-inch SATA NAND Flash SSD (PIN#18) M.2 2280 SATA NAND Flash SSD (PIN#10) M.2 2280 NVMe NAND Flash SSD (PIN#10) UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 16 6.6.1.POWER UP SELF TESTS Function Description Failure Handle Rom Code SHA 256 bit KAT Mode: SHA-256 Boot Code Fail Loop State Rom Code RSA 2048 bit KAT Mode: RSA 2048 SHA-256 PSS Signature Verification Boot Code Fail Loop State Boot Loader Integrity Firmware Integrity Test Mode: RSA 2048 SHA-256 PSS Signature Verification Boot Code Fail Loop State Firmware Integrity Firmware Integrity Test Mode: RSA 2048 SHA-256 PSS Signature Verification FIPS Error State Firmware AES XTS 256 bit Encrypt KAT Mode: AES-XTS-256 FIPS Error State Firmware AES XTS 256 bit Decrypt KAT Mode: AES-XTS-256 FIPS Error State Firmware SHA 256 bit KAT Mode: SHA-256 FIPS Error State Firmware SHA 512 bit KAT Mode: SHA-512 FIPS Error State Firmware HMAC SHA 256 bit KAT Mode: HMAC SHA-256 FIPS Error State Firmware AES Key Wrap KAT Mode: AES-KW-256 FIPS Error State Firmware AES Key Unwrap KAT Mode: AES-KW-256 FIPS Error State Firmware DRBG KAT Mode: HMAC-SHA-256-DRBG FIPS Error State Firmware DRBG Health Tests SP 800-90A Section 11.3 Health Tests Mode: HMAC-SHA-256-DRBG FIPS Error State Firmware AES CBC 256 bit Encrypt KAT Mode: AES-CBC-256 FIPS Error State Firmware AES CBC 256 bit Decrypt KAT Mode: AES-CBC-256 FIPS Error State UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 17 Function Description Failure Handle Firmware SP 800-132 PBKDF KAT Mode: HMAC-SHA-256 FIPS Error State Exhibit 10 - Power Up Self Tests. 6.6.2.CONDITIONAL SELF TESTS Function Description Failure Handle DRBG Conditional: Continuous RNG test for DRBG FIPS Error State NDRNG Conditional: Continuous RNG test for NDRNG FIPS Error State Firmware Download Check Conditional: RSA 2048 SHA-256 PSS Signature Verification Abort the Microcode Download command and discard the new image. FW will perform an additional RSA 2048 SHA-256 PSS KAT to attempt error recovery. If the KAT fails, module immediately enters the FIPS error state. If the KAT succeeds module is operational. Exhibit 11 - Conditional Self Tests. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 18 7. CRITICAL SECURITY PARAMETERS, PUBLIC KEYS, AND PRIVATE KEYS The module supports the following CSPs and Public Keys as defined in Exhibit 12 below. CSP or Public Key Type Generation Storage Zeroization Data Encryption Key (DEK) AES-XTS-256 SP800-90A HMAC-SHA- 256-DRBG Encrypted by Key Encryption Key and stored in NAND Plaintext in DRAM and registers Actively overwritten in all storage locations via “Return to uninitialized state” and “TCG Gen Key” services User Key Encryption Key (UKEK) AES-KW-256 SP800-90A HMAC- SHA256-DRBG Encrypted by PBKDF Master Key with AES- KW-256 and stored in NAND Plaintext in DRAM and registers Actively overwritten in all storage locations via “Return to uninitialized state” service PBKDF Master Key Keying Material for AES-KW-256 SP800-132 PBKDF Plaintext in DRAM and registers Actively overwritten in DRAM and registers after each use and by “Return to uninitialized state” service Operator Password (Crypto Officer Password/ User Password 20 - 32 byte Password N/A – Generated outside of the module SHA-512 stored in NAND Plaintext in DRAM and registers Plaintext values are actively overwritten when executing “TCG Session Control” service with End of Session command PBKDF Internal State SP800-132 PBKDF with HMAC-SHA- 256 SP800-132 PBKDF with HMAC-SHA- 256 Plaintext in DRAM and registers Actively overwritten in DRAM and registers after each use and by “Return to uninitialized state” service UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 19 CSP or Public Key Type Generation Storage Zeroization Seed Material of SP800-90A Entropy Input and Nonce for SP800-90A HMAC-SHA- 256-DRBG NDRNG Plaintext in DRAM and registers Actively overwritten in DRAM and registers after each use and by “Return to uninitialized state” service Internal State of SP800-90A V and Key for SP800-90A HMAC-SHA- 256-DRBG SP800-90A HMAC-SHA- 256-DRBG Plaintext in DRAM and registers Actively overwritten in DRAM and registers after each use and by “Return to uninitialized state” service RSA Code Sign Public Key RSA-2048 N/A – Generated outside of the module Plaintext in DRAM and registers SHA-256 message digest value is stored in OTP-ROM N/A Exhibit 12 - List of CSPs. Note: In accordance with FIPS 140-2 IG D.12, the cryptographic module performs Cryptographic Key Generation (CKG) as per SP 800-133 (Vendor Affirmed). The resulting generated symmetric keys are the unmodified output from SP 800-90A DRBG. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 20 8. IDENTIFICATION AND AUTHENTICATION POLICY The module supports the following CSPs and Public Keys as defined in Exhibit 12 below. Role Authentication Type Authentication Data Cryptographic Officer (Drive Owner) Role Base Password Cryptographic Officer Role Base Password User Role Base Password Firmware Download Role Identity Base RSA-PSS-2048 with SHA-256 Unauthenticated Role N/A N/A Anybody N/A N/A Exhibit 13 - Identification and Authentication Policy. Note: To assume the “Anybody” role the operator needs to execute “TCG Session Control” service with a TCG StartSession command, supplying the Anybody UID and does not need a password. “Anybody” is a TCG authority who can only perform TCG methods which are unauthenticated services but still need to use the TCG StartSession command. Hence, this role is also considered as an unauthenticated role. For reference here is a mapping between the applicable FIPS 140-2 Roles and the corresponding TCG Authorities: Role TCG Authority Cryptographic Officer (Drive Owner) SID Cryptographic Officer Admin1~Admin4 User User1~User9 Anybody Anybody Exhibit 14 - TCG Authority and Role Mapping. Minimum password length for Cryptographic Officers and Users shall be 20 bytes with maximum password length supported being 32 bytes. Using the minimum password length, the probability of a single random attempt to succeed is 1/(2160 ) which is much less than FIPS 140-2 requirement of 1/1,000,000. Each authentication attempt takes about 2ms to complete, so within one minute UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 21 ((60*1000)/2) = 30,000 attempts can be conducted. The probability of multiple random attempts to succeed is 30,000/(2160 ) which is much less than FIPS 140-2 requirement of 1/100,000. Both single as well as multiple random attempt probabilities meet FIPS 140-2 requirement. The authentication mechanism for Firmware Download Role is RSA-PSS-2048 with SHA-256 digital signature verification, which means a single random attempt, can succeed with the probability of 1/2112 . Each RSA signature verification attempt takes at least 330ms. So within one minute ((60*1000)/330) = 181 attempts can be conducted. Therefore, the probability of multiple random attempts to succeed in one minute is 181/2112 , which is much less than the FIPS 140-2 requirement 1/100,000. Authentication Mechanism Strength of Mechanism Password (Min : 20 bytes, Max: 32 Bytes) The probability of successful single random attempt is 1/(2160) The probability of successful multiple random attempts is 30,000/(2160) in one minute RSA-PSS-2048 with SHA-256 digital signature verification The probability of successful single random attempt is 1/2112 The probability of successful multiple random attempts is 181/2112 in one minute Exhibit 15 - Strengths of Authentication Mechanisms. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 22 9. ACCESS CONTROL POLICY 9.1.AUTHENTICATED SERVICES Type(s) of access R – read access W – write access E – execute access Z – zeroize Role Service CSPS and Public Keys Security Functions Type(s) of Access Cryptographic Officer (Drive Owner) TCG Activate UKEK PBKDF Master Key PBKDF Internal State Operator Password KTS (AES-KW) SHS (SHA-512) PBKDF E Cryptographic Officer User TCG Set PIN PBKDF Master Key PBKDF Internal State Operator Password KTS (AES-KW) SHS (SHA-512) PBKDF W Cryptographic Officer User TCG Gen Key Seed Material of SP800-90A Internal State of SP800-90A PBKDF Master Key PBKDF Internal State DEK KTS (AES-KW) SHS (SHA-512) DRBG (HMAC_DRBG) PBKDF E DEK DRBG (HMAC_DRBG) Z Cryptographic Officer TCG Enable/Disable Authority N/A N/A N/A Cryptographic Officer TCG Set/Get LBA Range N/A N/A N/A Cryptographic Officer User TCG Lock / Unlock LBA Range UKEK DEK KTS (AES-KW) PBKDF E Cryptographic Officer Return to uninitialized state DEK UKEK PBKDF Master Key KTS (AES-KW) SHS (SHA-512) DRBG (HMAC_DRBG) E Z UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 23 Role Service CSPS and Public Keys Security Functions Type(s) of Access PBKDF Internal State Seed Material of SP800-90A Internal State of SP800-90A Operator Password PBKDF Cryptographic Officer TCG Set MBR N/A N/A N/A Cryptographic Officer TCG SET/GET DataStore N/A N/A N/A Cryptographic Officer TCG SET ACE N/A N/A N/A Cryptographic Officer TCG Enable/Disable MBR Mode N/A N/A N/A Cryptographic Officer User Authenticated User Data Read/Write DEK AES (XTS) R W E Firmware Download Role Update Firmware RSA Code Sign Public Key RSA (RSA-2048-PSS) SHS (SHA-256) E Exhibit 16 - Authenticated Services Table. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 24 9.2.UNAUTHENTICATED SERVICE The following services are available to unauthenticated roles. They are also available to authenticated roles upon successful authentication. Role Service CSPS and Public Keys Type(s) of Access Unauthenticated Role Power Cycle N/A N/A Unauthenticated Role Generate Random Number Seed Material of SP800-90A Internal State of SP800-90A E Unauthenticated Role Show Status N/A N/A Anybody TCG Get MBR N/A N/A Unauthenticated Role Reset N/A N/A Unauthenticated Role Return to uninitialized state (PSID) DEK UKEK PBKDF Master Key PBKDF Internal State Seed Material of SP800-90A Internal State of SP800-90A Z Unauthenticated Role Show FIPS approve mode state N/A N/A Anybody TCG Get MSID N/A N/A Anybody Unauthenticated Role TCG Session Control Operator Password1 E Z Unauthenticated Role SATA Standard N/A N/A Unauthenticated Role NVMe Standard N/A N/A Unauthenticated Role Non-User Data Read/Write N/A N/A Unauthenticated Role Non-User Data Output N/A N/A Unauthenticated Role Non-User Data Input N/A N/A Unauthenticated Role Configuration N/A N/A Unauthenticated Role Self-Test N/A N/A Unauthenticated Role Show Status (DAS) N/A N/A Exhibit 17 - Unauthenticated Services Table. Note: UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 25 1. In order to perform TCG Session Control with Start Session command, the Operator Password must be entered into the module to successfully authenticate into the proper Role. The service is unauthenticated until such a time that a successful authentication occurs. When, TCG Session Control with End Session command is issued, the plaintext Operator Password is zeroized. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 26 10. APPROVED ALGORITHMS CAVP Cert # Algorithm Standard Mode/Method Key Length Use C1356 AES FIPS 197 SP 800-38A CBC1 256 Prerequisite C1356 AES FIPS 197 SP800-38E XTS2 256 User Data Encrypt/ Decrypt Vendor Affirmed CKG SP800-133 unmodified output from SP 800-90A DRBG Cryptographic Key Generation C1356 DRBG SP800-90A HMAC_DRBG (SHA-256) Deterministic Random Bit Generation C1356 HMAC FIPS 198-1 HMAC-SHA2563 256 Prerequisite C1356 KTS (AES Cert #1356) SP800-38F AES-KW 256 Key Wrapping Vendor Affirmed PBKDF SP800-132 (option 2a) HMAC-SHA256 160 Deriving Keys for Storage Application C1355 C1356 RSA FIPS 186-4 RSA-2048-PSS With SHA-256 2048 Digital Signature Verification C1355 C1356 SHS FIPS 180-4 SHA 2564 N/A Prerequisite C1356 SHS FIPS 180-4 SHA 512 N/A Password Protection Exhibit 18 - Table of Approved Algorithms for the <> family. Note: 1. AES-CBC is only used as a pre-requisite; AES-CBC standalone is not utilized in the FIPS Approved Mode. 2. AES-XTS-256 algorithm can only be used for storage applications in the FIPS approved mode. 3. HMAC-SHA-256 is only used as a pre-requisite; HMAC-SHA-256 standalone is not utilized in the FIPS Approved Mode. 4. SHA-256 is only used as a pre-requisite; SHA-256 standalone is not utilized in the FIPS Approved Mode. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 27 CAVP Cert # Algorithm Standard Mode/Method Key Length Use C1358 AES FIPS 197 SP 800-38A CBC1 256 Prerequisite C1358 AES FIPS 197 SP800-38E XTS2 256 User Data Encrypt/ Decrypt Vendor Affirmed CKG SP800-133 unmodified output from SP 800-90A DRBG Cryptographic Key Generation C1358 DRBG SP800-90A HMAC_DRBG (SHA-256) Deterministic Random Bit Generation C1358 HMAC FIPS 198-1 HMAC-SHA2563 256 Prerequisite C1358 KTS (AES Cert #1358) SP800-38F AES-KW 256 Key Wrapping Vendor Affirmed PBKDF SP800-132 (option 2a) HMAC-SHA256 160 Deriving Keys for Storage Application C1357 C1358 RSA FIPS 186-4 RSA-2048-PSS With SHA-256 2048 Digital Signature Verification C1357 C1358 SHS FIPS 180-4 SHA-2564 N/A Prerequisite C1358 SHS FIPS 180-4 SHA-512 N/A Password Protection Exhibit 19 - Table of Approved Algorithms for the << NVMe PCIe>> family. Note: 1. AES-CBC is only used as a pre-requisite; AES-CBC standalone is not utilized in the FIPS Approved Mode. 2. AES-XTS-256 algorithm can only be used for storage applications in the FIPS approved mode. 3. HMAC-SHA-256 is only used as a pre-requisite; HMAC-SHA-256 standalone is not utilized in the FIPS Approved Mode. 4. SHA-256 is only used as a pre-requisite; SHA-256 standalone is not utilized in the FIPS Approved Mode. The following are Non-Approved but allowed Algorithms: Algorithm Use NDRNG Seed of DRBG (256 bit) Exhibit 20 - Table of Non-Approved but allowed Algorithms for all modules. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 28 UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 29 11. PHYSICAL SECURITY POLICY Following physical security mechanisms are implemented by the module: 1. Production grade components 2. The complete module is covered with an opaque epoxy resin, leaving only the host interface connector (NVMe/SATA data and power ports) exposed. When checking the module for tamper evidence the following actions are mandatory: Physical Security Mechanisms Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Opaque epoxy resin As often as possible Inspection of the epoxy resin for any evidence of scratches, gouges, cuts and other deficiencies. In any case of evidence of tampering the module shall be removed from service Exhibit 21 - Inspection/Testing of Physical Security Mechanisms. UD info CORP. TEL: +886-2-7713-6050 FAX: +886-2-8511-3151 3F-4, No.8, Ln. 609, Sec. 5, Chongxin Rd., Sanchong Dist., New Taipei City 241, Taiwan (R.O.C.) 30 12. MITIGATION OF OTHER ATTACKS POLICY The cryptographic module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-2. Other Attacks Mitigation Mechanism Specific Limitations N/A N/A N/A Exhibit 22 - Table of Mitigation of Other Attacks.