manualshive.com logo in svg

HP FIPS 140-2, Supplementary Manual

The HP FIPS 140-2 Supplementary Manual is a comprehensive user guide that provides detailed instructions on how to maximize the performance and security features of your HP FIPS 140-2 product. Download this manual for free from our website to unlock the full potential of your device.

Share
Download
background image

Security Policy, version 1.0 

January 31, 2008 

 

HP StorageWorks Secure Key Manager 

Page 

25

 of 26 

© 2008 Hewlett-Packard Company 

This document may be freely reproduced in its original entirety. 

 

Acronyms 

Table 15 – Acronyms 

Acronym 

Definition 

3DES 

Triple Data Encryption Standard 

AES 

Advanced Encryption Standard 

ANSI 

American National Standard Institute 

BIOS 

Basic Input/Output System 

CA Certificate 

Authority 

CBC 

Cipher Block Chaining  

CLI 

Command Line Interface 

CMVP 

Cryptographic Module Validation Program 

CPU 

Central Processing Unit 

CRC 

Cyclic Redundancy Check 

CRL 

Certificate Revocation List 

CSP 

Critical Security Parameter 

DES 

Data Encryption Standard 

DRNG 

Deterministic Random Number Generator 

DSA 

Digital Signature Algorithm 

ECB Electronic 

Codebook 

EMC Electromagnetic 

Compatibility 

 

EMI Electromagnetic 

Interference 

FIPS 

Federal Information Processing Standard 

FTP 

File Transfer Protocol 

HDD Hard 

Drive 

HMAC 

Keyed-Hash Message Authentication Code 

HP Hewlett-Packard 

IDE 

Integrated Drive Electronics 

iLO Integrated 

Lights-Out 

I/O Input/Output 

IP Internet 

Protocol 

ISA 

Instruction Set Architecture 

KAT Known 

Answer 

Test 

KMS 

Key Management Service 

LDAP 

Lightweight Directory Access Protocol 

LED 

Light Emitting Diode 

MAC 

Message Authentication Code 

N/A Not 

Applicable 

Summary of Contents for FIPS 140-2

Page 1: ...his document may be freely reproduced in its original entirety HP StorageWorks Secure Key Manager Hardware P N AJ087B Version 1 1 Firmware Version 1 1 FIPS 140 2 Security Policy Level 2 Validation Document Version 0 7 December 4 2008 ...

Page 2: ...Crypto Officer Role 11 2 4 2 User Role 12 2 4 3 HP User Role 13 2 4 4 Cluster Member Role 14 2 4 5 Authentication 14 2 4 6 Unauthenticated Services 15 2 5 PHYSICAL SECURITY 15 2 6 OPERATIONAL ENVIRONMENT 15 2 7 CRYPTOGRAPHIC KEY MANAGEMENT 15 2 7 1 Keys and CSPs 15 2 7 2 Key Generation 19 2 7 3 Key CSP Zeroization 19 2 8 SELF TESTS 19 2 9 MITIGATION OF OTHER ATTACKS 20 3 SECURE OPERATION 21 3 1 IN...

Page 3: ...f Figures FIGURE 1 DEPLOYMENT ARCHITECTURE OF THE HP STORAGEWORKS SECURE KEY MANAGER 6 FIGURE 2 BLOCK DIAGRAM OF SKM 7 FIGURE 3 FRONT PANEL LEDS 9 FIGURE 4 REAR PANEL COMPONENTS 10 FIGURE 5 REAR PANEL LEDS 10 FIGURE 6 FIPS COMPLIANCE IN CLI 22 FIGURE 7 FIPS COMPLIANCE IN WEB ADMINISTRATION INTERFACE 22 FIGURE 8 TAMPER EVIDENCE LABELS 23 FIGURE 9 TAMPER EVIDENCE LABELS OVER POWER SUPPLIES 23 ...

Page 4: ...ENTS DESCRIPTIONS 10 TABLE 5 REAR PANEL LED DEFINITIONS 11 TABLE 6 CRYPTO OFFICER SERVICES 11 TABLE 7 USER SERVICES 13 TABLE 8 HP USER SERVICES 13 TABLE 9 CLUSTER MEMBER SERVICES 14 TABLE 10 ROLES AND AUTHENTICATIONS 14 TABLE 11 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS FOR SSH 15 TABLE 12 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS FOR TLS 16 TABLE 13 C...

Page 5: ...red as part of the Level 2 FIPS 140 2 validation of the HP StorageWorks Secure Key Manager More information about FIPS 140 2 and the Cryptographic Module Validation Program CMVP is available at the website of the National Institute of Standards and Technology NIST http csrc nist gov groups STM cmvp index html In this document the HP StorageWorks Secure Key Manager is referred to as the SKM the mod...

Page 6: ... Client applications can access the SKM via its Key Management Service KMS server Configuration and management can be performed via web administration Secure Shell SSH or serial console Status monitoring interfaces include a dedicated FIPS status interface a health check interface and Simple Network Management Protocol SNMP The deployment architecture of the HP StorageWorks Secure Key Manager is s...

Page 7: ...on the module implements the following Approved algorithms Advanced Encryption Standard AES encryption and decryption 128 192 and 256 bits in Electronic Codebook ECB and Cipher Block Chaining CBC modes certificate 653 Triple Data Encryption Standard 3DES encryption and decryption 112 and 168 bits in ECB and CBC modes certificate 604 Secure Hash Algorithm SHA 1 SHA 256 SHA 384 SHA 512 certificate 8...

Page 8: ...apping and key establishment provide 80 and 112 bits of encryption strength respectively In the non FIPS mode of operation the module also implements DES MD5 RC4 and 512 and 768 bit RSA for signature generation and verification and key establishment 2 3 Module Interfaces FIPS 140 2 defines four logical interfaces Data Input Data Output Control Input Status Output The module features the following ...

Page 9: ... the component in a degraded state refer to HP Systems Insight Display and LEDs Red System health is critical To identify the component in a critical state refer to HP Systems Insight Display and LEDs Off System health is normal when in standby mode 4 External health LED power supply Green Power supply health is normal Amber Power redundancy failure occurred Off Power supply health is normal when ...

Page 10: ...ar Panel Components Descriptions Item Definition 1 PCI Express expansion slot 1 Blocked 2 PCI Express expansion slot 2 Blocked 3 Power supply bay 2 4 Power supply bay 1 5 NIC connector 1 Ethernet 6 NIC connector 2 Ethernet 7 Keyboard connector 8 Mouse connector 9 Video connector 10 Serial connector 11 Universal Serial Bus USB connector 1 Blocked 12 USB connector 2 Blocked 13 Integrated Lights Out ...

Page 11: ...iled 7 Power supply 1 LED Green Normal Off System is off or power supply has failed 2 4 Roles Services and Authentication The module supports four authorized roles Crypto Officer User HP User Cluster Member All roles require identity based authentication 2 4 1 Crypto Officer Role The Crypto Officer accesses the module via the Web Management Console and or the Command Line Interface CLI This role p...

Page 12: ...vices supported by the module This includes the starting and stopping of all services None Manage operators Create modify or delete module operators Crypto Officers and Users Crypto Officer passwords write delete User passwords write delete Manage certificates Create import revoke certificates KRsaPub write read delete KRsaPriv write read delete CARsaPub write read delete CARsaPriv write read dele...

Page 13: ...ertificate Client certificate read Clone Key Clone an existing key under a different key name Client keys write read PKEK write read Generate random number Generate a random number ANSI X9 31 DRNG seed write read delete Manage operators Only users with administration permission can create modify or delete module operators User passwords write delete 2 4 3 HP User Role The HP User role can reset th...

Page 14: ...gital certificate User Username and password and or digital certificate HP User Digital certificate Cluster Member Digital certificate over TLS The 1024 bit RSA signature on a digital certificate provides 80 bits of security There are 280 possibilities The probability of a successful random guess is 2 80 Since 10 6 2 80 a random attempt is very unlikely to succeed At least 80 bits of data must be ...

Page 15: ... using tamper evident labels in order to prevent the case cover from being removed without signs of tampering All circuits in the module are coated with commercial standard passivation Once the module has been configured to meet FIPS 140 2 Level 2 requirements the module cannot be accessed without signs of tampering See Section 3 3 Physical Security Assurance of this document for more information ...

Page 16: ... during first time initialization In plaintext In non volatile memory At operator delete or zeroize request Verify the signature of the server s message Krsa private 1024 bit RSA private keys Generated by ANSI X9 31 DRNG during first time initialization Never In non volatile memory At operator delete or zeroize request Sign the server s message SSH Ks SSH session 168 bit 3DES key 128 192 256 bit A...

Page 17: ...G during first time initialization never In non volatile memory At operator delete or zeroize request Sign server certificates Cluster Member RsaPub Cluster Member RSA public key 1024 or 2048 bit Input in plaintext Never In volatile memory Upon session termination Verify Cluster Member signatures TLS Ks TLS session AES or 3DES symmetric key s Derived from MS Never In volatile memory Upon session t...

Page 18: ...s Generated by ANSI X9 31 DRNG Via TLS in encrypted form encrypted with TLS Ks per client s request Encrypted in non volatile memory Per client s request or zeroize request Compute keyed MACs Client certificate X 509 certificate Input in ciphertext over TLS Via TLS in encrypted form encrypted with TLS Ks per client s request In non volatile memory Per client s request or by zeroize request Encrypt...

Page 19: ... DRNG is a FIPS 140 2 approved DRNG as specified in Annex C to FIPS PUB 140 2 2 7 3 Key CSP Zeroization All ephemeral keys are stored in volatile memory in plaintext Ephemeral keys are zeroized when they are no longer used Other keys and CSPs are stored in non volatile memory with client keys being stored in encrypted form To zeroize all keys and CSPs in the module the Crypto Officer should execut...

Page 20: ...Approved RNG Firmware upgrade integrity test Diffie Hellman primitive test The module has two error states a Soft Error state and a Fatal Error state When one or more power up self tests fail the module may enter either the Fatal Error state or the Soft Error State When a conditional self test fails the module enters the Soft Error state See Section 3 of this document for more information 2 9 Miti...

Page 21: ...t time initialization the operator must configure minimum settings for the module to operate correctly The operator will be prompted to configure the following settings via the serial interface Date Time Time zone IP Address Netmask Hostname Gateway Management Port 3 2 2 FIPS Mode Configuration In order to comply with FIPS 140 2 Level 2 requirements the following functionality must be disabled on ...

Page 22: ...liance in Web Administration Interface In the web administration interface the User can review the FIPS mode configuration by reading the High Security Configuration page The Crypto Officer must zeroize all keys when switching from the Approved FIPS mode of operation to the non FIPS mode and vice versa 3 3 Physical Security Assurance Serialized tamper evidence labels have been applied at four loca...

Page 23: ... of 26 2008 Hewlett Packard Company This document may be freely reproduced in its original entirety Figure 8 Tamper Evidence Labels Figure 9 provides a better view of the positioning of the tamper evidence labels over the power supplies Figure 9 Tamper Evidence Labels over Power Supplies ...

Page 24: ...tal Error state When a power up self test fails the module may enter either the Fatal Error state or the Soft Error State When a conditional self test fails the module will enter the Soft Error state The module can recover from the Fatal Error state if power is cycled or if the SKM is rebooted An HP User can reset the module when it is in the Fatal Error State No other services are available in th...

Page 25: ... Cyclic Redundancy Check CRL Certificate Revocation List CSP Critical Security Parameter DES Data Encryption Standard DRNG Deterministic Random Number Generator DSA Digital Signature Algorithm ECB Electronic Codebook EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FTP File Transfer Protocol HDD Hard Drive HMAC Keyed Hash Message Authe...

Page 26: ...ndards and Technology NTP Network Time Protocol PCI Peripheral Component Interconnect PRNG Pseudo Random Number Generator RFC Request for Comments RNG Random Number Generator RSA Rivest Shamir and Adleman SHA Secure Hash Algorithm SKM Secure Key Manager SNMP Simple Network Management Protocol SSH Secure Shell SSL Secure Socket Layer TLS Transport Layer Security UID Unit Identifier USB Universal Se...

Reviews:

No comments

Related manuals for FIPS 140-2

IBM DS3500 Quick Start Manual preview
DS3500
Brand: IBM Pages: 18
IBM DS3500 Installation, User & Maintenance Manual preview
DS3500
Brand: IBM Pages: 180
G-Technology G-DRIVE mobile USB Manual preview
G-DRIVE mobile USB
Brand: G-Technology Pages: 18
G-Technology G DRIVE User Manual preview
G DRIVE
Brand: G-Technology Pages: 34
OEM Tools 24739 Operating Instructions And Parts Manual preview
24739
Brand: OEM Tools Pages: 4
Seagate ST31000333AS - Barracuda 7200.11 1 TB SATA 32 MB Cache Bulk/OEM Hard Drive Datasheet preview
ST31000333AS - Barracuda 7200.11 1 TB SATA 32 MB Cache Bulk/OEM Hard Drive
Brand: Seagate Pages: 2
Dancover ProShed Owner'S Manual/ Instructions For Assembly preview
ProShed
Brand: Dancover Pages: 30
Tabernus Enterprise Erase E2400 User Manual preview
Enterprise Erase E2400
Brand: Tabernus Pages: 24
Supero SUPERSERVER 6027TR-H71FRF User Manual preview
SUPERSERVER 6027TR-H71FRF
Brand: Supero Pages: 118
Quantum ValueLoader LTO-2 User Manual preview
ValueLoader LTO-2
Brand: Quantum Pages: 94
FDiSK SecurePRO User Manual preview
SecurePRO
Brand: FDiSK Pages: 25
Toshiba HDD2149 User Manual preview
HDD2149
Brand: Toshiba Pages: 11
OWIM HG02137A Assembly And Safety Advice preview
HG02137A
Brand: OWIM Pages: 13
OWC THUNDERBAY Assembly Manual & User Manual preview
THUNDERBAY
Brand: OWC Pages: 8
NetApp DS2246 Installation And Service Manual preview
DS2246
Brand: NetApp Pages: 74
Targus X-MeM User Manual preview
X-MeM
Brand: Targus Pages: 24
Fantom Drives TFD1000U16 Quick Start Installation Manual preview
TFD1000U16
Brand: Fantom Drives Pages: 10
Fantom Drives GreenDrive Quick Start Installation Manual preview
GreenDrive
Brand: Fantom Drives Pages: 8

Brands by name

Popular brands

Load more brands