manualshive.com logo in svg

HP FIPS 140-2, Supplementary Manual

The HP FIPS 140-2 Supplementary Manual is a comprehensive user guide that provides detailed instructions on how to maximize the performance and security features of your HP FIPS 140-2 product. Download this manual for free from our website to unlock the full potential of your device.

Share
Download
background image

Security Policy, version 1.0 

January 31, 2008 

 

HP StorageWorks Secure Key Manager 

Page 

22

 of 26 

© 2008 Hewlett-Packard Company 

This document may be freely reproduced in its original entirety. 

 

 

Figure 6 – FIPS Compliance in CLI 

In the web administration interface, the Crypto Officer should use the “High Security Configuration” page to enable 
and disable FIPS compliance. To enable the Approved FIPS mode of operation, click on the “Set FIPS Compliant” 
button. See Figure 7 – FIPS Compliance in Web Administration Interface. This will alter various server settings as 
described above.  

 

Figure 7 – FIPS Compliance in Web Administration Interface 

In the web administration interface, the User can review the FIPS mode configuration by reading the “High Security 
Configuration” page. 

The Crypto Officer must zeroize all keys when switching from the Approved FIPS mode of operation to the non-
FIPS mode and vice versa. 

3.3 Physical Security Assurance 

Serialized tamper-evidence labels have been applied at four locations on the metal casing. See Figure 8 – Tamper-
Evidence Labels. The tamper-evidence labels have a special adhesive backing to adhere to the module’s surface. 
The tamper-evidence labels have individual, unique serial numbers. They should be inspected periodically and 
compared to the previously-recorded serial numbers to verify that fresh labels have not been applied to a tampered 
module.  

Summary of Contents for FIPS 140-2

Page 1: ...his document may be freely reproduced in its original entirety HP StorageWorks Secure Key Manager Hardware P N AJ087B Version 1 1 Firmware Version 1 1 FIPS 140 2 Security Policy Level 2 Validation Document Version 0 7 December 4 2008 ...

Page 2: ...Crypto Officer Role 11 2 4 2 User Role 12 2 4 3 HP User Role 13 2 4 4 Cluster Member Role 14 2 4 5 Authentication 14 2 4 6 Unauthenticated Services 15 2 5 PHYSICAL SECURITY 15 2 6 OPERATIONAL ENVIRONMENT 15 2 7 CRYPTOGRAPHIC KEY MANAGEMENT 15 2 7 1 Keys and CSPs 15 2 7 2 Key Generation 19 2 7 3 Key CSP Zeroization 19 2 8 SELF TESTS 19 2 9 MITIGATION OF OTHER ATTACKS 20 3 SECURE OPERATION 21 3 1 IN...

Page 3: ...f Figures FIGURE 1 DEPLOYMENT ARCHITECTURE OF THE HP STORAGEWORKS SECURE KEY MANAGER 6 FIGURE 2 BLOCK DIAGRAM OF SKM 7 FIGURE 3 FRONT PANEL LEDS 9 FIGURE 4 REAR PANEL COMPONENTS 10 FIGURE 5 REAR PANEL LEDS 10 FIGURE 6 FIPS COMPLIANCE IN CLI 22 FIGURE 7 FIPS COMPLIANCE IN WEB ADMINISTRATION INTERFACE 22 FIGURE 8 TAMPER EVIDENCE LABELS 23 FIGURE 9 TAMPER EVIDENCE LABELS OVER POWER SUPPLIES 23 ...

Page 4: ...ENTS DESCRIPTIONS 10 TABLE 5 REAR PANEL LED DEFINITIONS 11 TABLE 6 CRYPTO OFFICER SERVICES 11 TABLE 7 USER SERVICES 13 TABLE 8 HP USER SERVICES 13 TABLE 9 CLUSTER MEMBER SERVICES 14 TABLE 10 ROLES AND AUTHENTICATIONS 14 TABLE 11 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS FOR SSH 15 TABLE 12 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS FOR TLS 16 TABLE 13 C...

Page 5: ...red as part of the Level 2 FIPS 140 2 validation of the HP StorageWorks Secure Key Manager More information about FIPS 140 2 and the Cryptographic Module Validation Program CMVP is available at the website of the National Institute of Standards and Technology NIST http csrc nist gov groups STM cmvp index html In this document the HP StorageWorks Secure Key Manager is referred to as the SKM the mod...

Page 6: ... Client applications can access the SKM via its Key Management Service KMS server Configuration and management can be performed via web administration Secure Shell SSH or serial console Status monitoring interfaces include a dedicated FIPS status interface a health check interface and Simple Network Management Protocol SNMP The deployment architecture of the HP StorageWorks Secure Key Manager is s...

Page 7: ...on the module implements the following Approved algorithms Advanced Encryption Standard AES encryption and decryption 128 192 and 256 bits in Electronic Codebook ECB and Cipher Block Chaining CBC modes certificate 653 Triple Data Encryption Standard 3DES encryption and decryption 112 and 168 bits in ECB and CBC modes certificate 604 Secure Hash Algorithm SHA 1 SHA 256 SHA 384 SHA 512 certificate 8...

Page 8: ...apping and key establishment provide 80 and 112 bits of encryption strength respectively In the non FIPS mode of operation the module also implements DES MD5 RC4 and 512 and 768 bit RSA for signature generation and verification and key establishment 2 3 Module Interfaces FIPS 140 2 defines four logical interfaces Data Input Data Output Control Input Status Output The module features the following ...

Page 9: ... the component in a degraded state refer to HP Systems Insight Display and LEDs Red System health is critical To identify the component in a critical state refer to HP Systems Insight Display and LEDs Off System health is normal when in standby mode 4 External health LED power supply Green Power supply health is normal Amber Power redundancy failure occurred Off Power supply health is normal when ...

Page 10: ...ar Panel Components Descriptions Item Definition 1 PCI Express expansion slot 1 Blocked 2 PCI Express expansion slot 2 Blocked 3 Power supply bay 2 4 Power supply bay 1 5 NIC connector 1 Ethernet 6 NIC connector 2 Ethernet 7 Keyboard connector 8 Mouse connector 9 Video connector 10 Serial connector 11 Universal Serial Bus USB connector 1 Blocked 12 USB connector 2 Blocked 13 Integrated Lights Out ...

Page 11: ...iled 7 Power supply 1 LED Green Normal Off System is off or power supply has failed 2 4 Roles Services and Authentication The module supports four authorized roles Crypto Officer User HP User Cluster Member All roles require identity based authentication 2 4 1 Crypto Officer Role The Crypto Officer accesses the module via the Web Management Console and or the Command Line Interface CLI This role p...

Page 12: ...vices supported by the module This includes the starting and stopping of all services None Manage operators Create modify or delete module operators Crypto Officers and Users Crypto Officer passwords write delete User passwords write delete Manage certificates Create import revoke certificates KRsaPub write read delete KRsaPriv write read delete CARsaPub write read delete CARsaPriv write read dele...

Page 13: ...ertificate Client certificate read Clone Key Clone an existing key under a different key name Client keys write read PKEK write read Generate random number Generate a random number ANSI X9 31 DRNG seed write read delete Manage operators Only users with administration permission can create modify or delete module operators User passwords write delete 2 4 3 HP User Role The HP User role can reset th...

Page 14: ...gital certificate User Username and password and or digital certificate HP User Digital certificate Cluster Member Digital certificate over TLS The 1024 bit RSA signature on a digital certificate provides 80 bits of security There are 280 possibilities The probability of a successful random guess is 2 80 Since 10 6 2 80 a random attempt is very unlikely to succeed At least 80 bits of data must be ...

Page 15: ... using tamper evident labels in order to prevent the case cover from being removed without signs of tampering All circuits in the module are coated with commercial standard passivation Once the module has been configured to meet FIPS 140 2 Level 2 requirements the module cannot be accessed without signs of tampering See Section 3 3 Physical Security Assurance of this document for more information ...

Page 16: ... during first time initialization In plaintext In non volatile memory At operator delete or zeroize request Verify the signature of the server s message Krsa private 1024 bit RSA private keys Generated by ANSI X9 31 DRNG during first time initialization Never In non volatile memory At operator delete or zeroize request Sign the server s message SSH Ks SSH session 168 bit 3DES key 128 192 256 bit A...

Page 17: ...G during first time initialization never In non volatile memory At operator delete or zeroize request Sign server certificates Cluster Member RsaPub Cluster Member RSA public key 1024 or 2048 bit Input in plaintext Never In volatile memory Upon session termination Verify Cluster Member signatures TLS Ks TLS session AES or 3DES symmetric key s Derived from MS Never In volatile memory Upon session t...

Page 18: ...s Generated by ANSI X9 31 DRNG Via TLS in encrypted form encrypted with TLS Ks per client s request Encrypted in non volatile memory Per client s request or zeroize request Compute keyed MACs Client certificate X 509 certificate Input in ciphertext over TLS Via TLS in encrypted form encrypted with TLS Ks per client s request In non volatile memory Per client s request or by zeroize request Encrypt...

Page 19: ... DRNG is a FIPS 140 2 approved DRNG as specified in Annex C to FIPS PUB 140 2 2 7 3 Key CSP Zeroization All ephemeral keys are stored in volatile memory in plaintext Ephemeral keys are zeroized when they are no longer used Other keys and CSPs are stored in non volatile memory with client keys being stored in encrypted form To zeroize all keys and CSPs in the module the Crypto Officer should execut...

Page 20: ...Approved RNG Firmware upgrade integrity test Diffie Hellman primitive test The module has two error states a Soft Error state and a Fatal Error state When one or more power up self tests fail the module may enter either the Fatal Error state or the Soft Error State When a conditional self test fails the module enters the Soft Error state See Section 3 of this document for more information 2 9 Miti...

Page 21: ...t time initialization the operator must configure minimum settings for the module to operate correctly The operator will be prompted to configure the following settings via the serial interface Date Time Time zone IP Address Netmask Hostname Gateway Management Port 3 2 2 FIPS Mode Configuration In order to comply with FIPS 140 2 Level 2 requirements the following functionality must be disabled on ...

Page 22: ...liance in Web Administration Interface In the web administration interface the User can review the FIPS mode configuration by reading the High Security Configuration page The Crypto Officer must zeroize all keys when switching from the Approved FIPS mode of operation to the non FIPS mode and vice versa 3 3 Physical Security Assurance Serialized tamper evidence labels have been applied at four loca...

Page 23: ... of 26 2008 Hewlett Packard Company This document may be freely reproduced in its original entirety Figure 8 Tamper Evidence Labels Figure 9 provides a better view of the positioning of the tamper evidence labels over the power supplies Figure 9 Tamper Evidence Labels over Power Supplies ...

Page 24: ...tal Error state When a power up self test fails the module may enter either the Fatal Error state or the Soft Error State When a conditional self test fails the module will enter the Soft Error state The module can recover from the Fatal Error state if power is cycled or if the SKM is rebooted An HP User can reset the module when it is in the Fatal Error State No other services are available in th...

Page 25: ... Cyclic Redundancy Check CRL Certificate Revocation List CSP Critical Security Parameter DES Data Encryption Standard DRNG Deterministic Random Number Generator DSA Digital Signature Algorithm ECB Electronic Codebook EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FTP File Transfer Protocol HDD Hard Drive HMAC Keyed Hash Message Authe...

Page 26: ...ndards and Technology NTP Network Time Protocol PCI Peripheral Component Interconnect PRNG Pseudo Random Number Generator RFC Request for Comments RNG Random Number Generator RSA Rivest Shamir and Adleman SHA Secure Hash Algorithm SKM Secure Key Manager SNMP Simple Network Management Protocol SSH Secure Shell SSL Secure Socket Layer TLS Transport Layer Security UID Unit Identifier USB Universal Se...

Reviews:

No comments

Related manuals for FIPS 140-2

Qsan Technology XCubeSAN XS5224D Hardware Manual preview
XCubeSAN XS5224D
Brand: Qsan Technology Pages: 143
LaCie 4big Spare Drive Quick Install Manual preview
4big Spare Drive
Brand: LaCie Pages: 24
Seagate Barracuda 7200.7 ST3120025A Product Manual preview
Barracuda 7200.7 ST3120025A
Brand: Seagate Pages: 58
U-Line H-6405 Assembly Instructions Manual preview
H-6405
Brand: U-Line Pages: 6
IBM DTLA-305040 - Deskstar 41.1 GB Hard Drive Specifications preview
DTLA-305040 - Deskstar 41.1 GB Hard Drive
Brand: IBM Pages: 212
Muscle Rack MRWB-3 Assembly Instructions preview
MRWB-3
Brand: Muscle Rack Pages: 2
Hama 104389 Operating Instructions Manual preview
104389
Brand: Hama Pages: 8
OWC MERCURY ELITE PRO MINI Manual preview
MERCURY ELITE PRO MINI
Brand: OWC Pages: 8
Buffalo TERASTATION HS-D1.0TGL/R5 Technical Specifications preview
TERASTATION HS-D1.0TGL/R5
Brand: Buffalo Pages: 2
Geekworm NASPi-Gemini User Manual preview
NASPi-Gemini
Brand: Geekworm Pages: 13
Western Digital WD Elements WDE1UBK10000 Quick Manual preview
WD Elements WDE1UBK10000
Brand: Western Digital Pages: 2
Displays2go SMMMRC Assembly Instructions preview
SMMMRC
Brand: Displays2go Pages: 2
Verbatim Store 'n' Go Quick Start Manual preview
Store 'n' Go
Brand: Verbatim Pages: 72
GARDEN MASTER GM2323 Assembly Instructions Manual preview
GM2323
Brand: GARDEN MASTER Pages: 8
Fantec MR-35US3R Manual preview
MR-35US3R
Brand: Fantec Pages: 19
Enhace E400 IP User Manual preview
E400 IP
Brand: Enhace Pages: 6
Fantec SQ-35U3e User Manual preview
SQ-35U3e
Brand: Fantec Pages: 73
Draper Tool Storage Instructions preview
Tool Storage
Brand: Draper Pages: 3

Brands by name

Popular brands

Load more brands