background image

 

 

  

Page 47 of 51 

 

              

© Copyright 2017 Oracle Corporation 

 

                              This document may be freely reproduced and distributed whole and intact including this Copyright notice.  

 

3.2  Cryptographic Officer Guidance (Normal Operation) 

This  section assumes  the  StorageTek T10000D Tape Drive  has  been placed into 
one  of  the  FIPS-Approved  modes  or  the  Mixed  Mode.    Instructions  on  how  to 
place  the  drive  into  another  mode  are  provided  in  this  section.    The  CO  is 
responsible  for  placing  the  ETD  into  one  of  the  Approved  modes  of  operation.  
An  Oracle  Service  Representative  is  not  required  to  be  present  when  switching 
Approved modes. Switching between modes will cause keys to be zeroized. 

3.2.1  Using SSH (all modes) 

The  module  supports  SSH  communications  for  remote  administration.  SSH  is 
available in each mode of operation. When using SSH for remote administration, 
only the following options may be used from an SSH client to establish  a FIPS-
approved session: 
 
1.

 

Protocol Version: SSH v2.0 

2.

 

Encryption: AES 128-bit CTR or AES 128-bit CBC 

3.

 

MAC: HMAC-SHA-1 

4.

 

KEX:  ecdh-sha2-nistp256 or diffie-hellman-group14-sha1 

5.

 

Host Key: ecdsa-sha2-nistp256, ssh-rsa 

 
Using  the  preceding  options  will  allow  a  FIPS-approved  SSH  session  to  be 
established. 

3.2.2  Memory Dump Offload (all modes) 

Memory  dumps  may  only  be  offloaded  using  SFTP  (SSH).  All  other  forms  of 
offload are prohibited. 

3.2.3  Switching To Encryption Disabled Approved Mode 

The  CO  can  place  the  module  into  the  Encryption  Disabled  Mode  from  the 
Encryption  Enabled  Mode  or  the  Mixed  Mode.    The  CO  shall  perform  the 
following steps to place the module into the Encryption Disabled Mode: 

1.

 

Using the “Drive Operations” menu on VOP, reset the ETD

55

 

2.

 

After reboot, use the “Drive Operations” menu to place the drive offline 

3.

 

Navigate  to  the  “Encrypt”  tab  in  the  “Drive  Data”  window  (Configure 

 

Drive Data) 

4.

 

Set the “Turn encryption off” field to “Yes” 

5.

 

Press the “Commit” button 

 

                                                 

55

 Step 1 is not required if the drive is currently operating in the  Mixed Mode 

Содержание StorageTek T10000D

Страница 1: ...Oracle StorageTek T10000D Tape Drive FIPS 140 2 Level 1 Validation Non Proprietary Security Policy Hardware Part 7042136 7314405 Firmware Version RB411111 Security Policy Revision 0 12 ...

Страница 2: ...or information purposes only and the contents hereof are subject to change without notice This document is not warranted to be error free nor subject to any other warranties or conditions whether expressed orally or implied in law including implied warranties and conditions of merchantability or fitness for a particular purpose Oracle specifically disclaim any liability with respect to this docume...

Страница 3: ...MATION 19 2 4 ROLES AND SERVICES 20 2 4 1 CRYPTO OFFICER ROLE 20 2 4 2 NON APPROVED SERVICES 23 2 4 3 USER ROLE 23 2 4 4 ADDITIONAL OPERATOR SERVICES 24 2 4 5 ADDITIONAL STORAGETEK T10000D TAPE DRIVE SERVICES 25 2 5 PHYSICAL SECURITY 25 2 6 OPERATIONAL ENVIRONMENT 26 2 7 CRYPTOGRAPHIC KEY MANAGEMENT 26 2 7 1 ENCRYPTION ENABLED CRYPTOGRAPHIC ALGORITHM IMPLEMENTATIONS 26 2 7 2 ENCRYPTION DISABLED CR...

Страница 4: ...3 ZEROIZATION 49 4 ACRONYMS 50 List of Figures FIGURE 1 STORAGETEK T10000D TAPE DRIVE 9 FIGURE 2 STORAGETEK T10000D TAPE DRIVE DEPLOYMENT SCENARIO 10 FIGURE 3 STORAGETEK T10000D TAPE DRIVE FRONT 14 FIGURE 4 STORAGETEK T10000D TAPE DRIVE REAR 15 FIGURE 5 STORAGETEK T10000D TAPE DRIVE BOTTOM 16 List of Tables TABLE 1 SECURITY LEVEL PER FIPS 140 2 SECTION 11 TABLE 2 MAPPING OF FIPS 140 2 LOGICAL INTE...

Страница 5: ...reely reproduced and distributed whole and intact including this Copyright notice TABLE 10 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS ENCRYPTION DISABLED MODE 36 TABLE 11 LIST OF CRYPTOGRAPHIC KEYS CRYPTOGRAPHIC KEY COMPONENTS AND CSPS MIXED MODE 38 ...

Страница 6: ...scribes how to run the module in a secure FIPS Approved mode of operation This policy was prepared as part of the Level 1 FIPS 140 2 validation of the module The StorageTek T10000D Tape Drive may also be referred to in this document as the Encrypting Tape Drive the ETD1 the crypto module or the module 1 2 References This document deals only with operations and capabilities of the module in the tec...

Страница 7: ...tation as additional references This Security Policy and the other validation submission documentation were produced by Acumen Security under contract to Oracle With the exception of this Non Proprietary Security Policy the FIPS 140 2 Submission Package is proprietary to Oracle and is releasable only under appropriate non disclosure agreements For access to these documents please contact Oracle ...

Страница 8: ...e encryption and multiple FIPS 140 2 Approved modes of operation Customers can be assured that their data will always be secure in any of these FIPS 140 2 Approved modes The T10000D encrypting tape drive ETD operates with data encryption services permanently enabled temporarily enabled temporarily disabled Each encryption mode provides FIPS 140 2 Approved security services and functionality to ETD...

Страница 9: ...irtual Operator Panel The Virtual Operator Panel VOP is an external software application running on a General Purpose Computer GPC that facilitates operator communication with the StorageTek T10000D Tape Drive through the use of an intuitive and user friendly Graphical User Interface GUI The VOP allows an operator to configure the drive for FIPS Approved operation perform operator services and dis...

Страница 10: ...racle Corporation This document may be freely reproduced and distributed whole and intact including this Copyright notice Service Network Customer Network ELOM ILOM Network Figure 2 StorageTek T10000D Tape Drive Deployment Scenario ...

Страница 11: ...data being stored on magnetic tape The cryptographic boundary of the StorageTek T10000D Tape Drive is defined by the tape drive s commercial grade metallic enclosure The module provides several FIPS Approved modes of operation that each meet overall Level 1 FIPS 140 2 requirements specified in Table 1 above The module also provides one Mixed mode of operation Each of the Approved modes and the Mix...

Страница 12: ...magnetic tape Encryption and decryption are performed using the 256 bit AES cryptographic algorithm This mode operates in the same way as the Permanent Encryption Mode but with the ability to switch to the Permanent Encryption the Encryption Disabled Approved mode and the Mixed mode The ETD will be able to read from unencrypted tape cartridges while operating in this mode but it will be unable to ...

Страница 13: ... non approved key import and export in plaintext These methods of key import and export provide no cryptographic security Any data encrypted with this keying material is considered plaintext Mixed mode is entered when DPKM is enabled through the VOP DPKM allows an operator to use the SCSI9 commands SPIN and SPOUT in order to import and export keying material to and from the module in plaintext Key...

Страница 14: ...y provides the Tape Head and RFID10 Reader Writer as physical interfaces to the tape cartridge The opening at the front of the module is the only opening in the module It does not provide access to the interior of the module Figure 3 StorageTek T10000D Tape Drive Front Figure 4 shows the rear of the StorageTek T10000D Tape Drive It provides the following physical interfaces Tape Transport Interfac...

Страница 15: ...eTek T10000D Tape Drive Figure 5 provides one additional physical interface the Operator Panel Port This port is used to provide general module status as well as additional control input access when the drive is rack mounted The additional port pictured is the Manufacturing Servo Interface This interface is not operational in any of the modes of operation therefore it is not listed in the interfac...

Страница 16: ...0000D Tape Drive Bottom 13 Table 2 provides a mapping of all of the physical interfaces of the StorageTek T10000D Tape Drive listed above to their respective FIPS 140 2 Logical Interfaces The functionality and logical interface mappings of these physical interfaces do not change between Approved modes 13 The security seal shown does not provide additional physical security ...

Страница 17: ...duced length Data 3 VolSafe write once Data 4 Sport VolSafe Data reduced length write once 5 Cleaning 6 Diagnostic used by a service representative TTI connector RS 232 1 Control Input Data Output Status Output Primarily used for tape library communications The operator can review the status output to determine if the module has passed or failed different self tests The status output from this por...

Страница 18: ...2136 the interface can be configured to support one of two protocols 1 Fibre Channel in accordance with the Fibre Channel Protocol 3 FCP 3 SCSI Primary Commands 3 and SCSI Stream Commands SSC 3 specifications 2 FICON18 in accordance with the Fibre Channel Single Byte Command Code Sets 3 Mapping Protocol FC SB 3 Revision 1 6 specification 3 On hardware version 7314405 the interface supports iSCSI19...

Страница 19: ...o obtain information from each tape inserted into the ETD to reduce access times and manage the lifecycle of the cartridge Various statistical data and information of record locations are written to the RFID located on the tape cartridge 2 3 2 StorageTek T10000D Tape Drive VOP Status Information The module outputs status information via the Ethernet Port to the VOP to provide a more detailed drive...

Страница 20: ...ession keys Each role and the services available to them in each Approved mode is detailed in the sections below Please note that the keys and Critical Security Parameters CSPs listed in the tables indicate the type of access required using the following notation R Read The item is read or referenced by the service W Write The CSP is established generated modified or zeroized X Execute The CSP is ...

Страница 21: ... Perform routine module configuration Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None Place drive online offline Add or remove Fibre Channel and iSER connectivity to the ETD Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None Load Firmware Update module firmware Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode FSPubKey RX FS...

Страница 22: ...cryption Encryption Enabled Encryption Disabled Mixed Mode None Download event logs Download the currently stored event logs Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None Download Dump Download the currently stored dump file Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None Download Perm logs Download the currently stored permanent error logs...

Страница 23: ...ed non Approved keys and shall not be used in the Approved mode of operation 2 4 3 User Role The User of the StorageTek T10000D Tape Drive is the everyday user of the module The User is responsible for importing the encryption and decryption keys when operating in one of the Approved modes with encryption enabled Once an encryption key has been obtained the User has the ability to encrypt and decr...

Страница 24: ...d DRBG Key Value WRX DRBG V Value WRX DRBG Seed WRX AKWK W KWKPublicKey X TLS_EMK X TLS_ECK X Import KWKPublicKey Import the KWKPublicKey from the OKM cluster onto the module Permanent Encryption Encryption Enabled KWKPublicKey W TLS_DMK X TLS_DCK X Import ME_Key Import one or more ME_Keys onto the module from the OKM cluster Permanent Encryption Encryption Enabled ME_Key W TLS_DMK X TLS_DCK X AKW...

Страница 25: ...he TTI non security relevant Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None Operator Panel Management Manage the module and retrieve status information through the Operator Panel port non security relevant Permanent Encryption Encryption Enabled Encryption Disabled Mixed Mode None 2 4 5 Additional StorageTek T10000D Tape Drive Services In addition to the services provi...

Страница 26: ...d to operate in several FIPS Approved modes of operation Permanent Encryption Mode Encryption Enabled Mode Encryption Disabled Mode and Mixed Mode The following sections detail which cryptographic algorithms keys and CSPs are available for each FIPS Approved mode 2 7 1 Encryption Enabled Cryptographic Algorithm Implementations The StorageTek T10000D Tape Drive provides access to the same cryptogra...

Страница 27: ...ES CCM encryption with Cert 2760 2760 AES 256 bit CCM mode DCCM hardware implementation AES in CCM mode as used with AES in ECB mode Cert 2760 2760 SHA34 1 Provides hashing for multiple services including digital signature verification Used with HMAC SHA 1 Cert 2636 RSA 2048 bit Cert 2074 User data hashing Used as part of the SSH KDF Cert 866 3330 SHA 1 TLS 1 0 1 1 implementation Used as part of t...

Страница 28: ...5 TLS 1 0 and 1 1 Key Derivation Note The TLS protocol has not been reviewed or tested by the CAVP and CMVP TLS 1 0 and 1 1 Key Derivation SP800 135 rev1 Section 4 2 1 Used with SHA 1 Cert 3331 and DRBG Cert 1209 867 SSH Key Derivation Note The SSH protocol has not been reviewed or tested by the CAVP and CMVP SSH Key Derivation SP800 135 rev1 Section 5 2 866 SP800 90A CTR DRBG Generates random num...

Страница 29: ...ration Cert 905 3330 HMAC SHA 1 Provides integrity during a SSH session Used with SHA 1 Cert 3330 2636 RSA 2048 bit PKCS42 1 v1 5 Signature Verification Verifies the signature of a new firmware image to be loaded onto the ETD Used with SHA 1 Cert 3330 and SHA 256 Cert 3330 2074 RSA 2048 bit PKCS 1 v1 5 Signature Generation Performs session establishment in support of SSH 2074 RSA 2048 bit FIPS 186...

Страница 30: ...HA 1 Cert 2636 RSA 2048 bit Cert 2074 Used as part o the SSH KDF Cert 866 3330 SHA 256 Provides hashing for multiple services including digital signature verification Used with RSA 2048 Cert 2074 and as part of the SSH Key Derivation Function Used with Cert 866 SHA 256 is also used with RSA 2048 Signature Generation and ECDSA Signature Generation Cert 905 3330 HMAC SHA 1 Provides integrity during ...

Страница 31: ...Special Publication 800 131A When operating in the Permanent Encryption and Encryption Enabled Approved Modes the ETD receives data from an OKM cluster wrapped with AES Key Wrap AES Key Wrap as defined in SP 800 38F is an approved key wrapping key establishment methodology AES Cert 4047 Key Wrapping provides 256 bits of encryption strength The following non Approved methods are allowed for use as ...

Страница 32: ... Diffie Hellman key agreement key establishment methodology provides 128 bits of encryption strength Diffie Hellman key agreement key establishment methodology provides 112 bits of encryption strength The module provides a Non Deterministic Random Number Generator NDRNG as the entropy source to the FIPS Approved SP 800 90A CTR DRBG The NDRNG provides a minimum of 384 bits to the DRBG for use in ke...

Страница 33: ...ved DRBG Output encapsulated via KWKPublicKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Decrypt MEKey Dump Encryption Key DEKey AES CCM 256 bit Generated internally via Approved DRBG Output encrypted via DEPubKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Encrypt dump files Dump Encryption Public Key DEPubKey RSA 2048 bit public key Generated externally H...

Страница 34: ...ng the module per TLS 1 0 1 1 TLS_DMK HMAC SHA 1 112 bits Generated internally via TLS 1 0 1 1 PRF Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Authentication key for data entering the module per TLS 1 0 1 1 TLS_ECK AES CBC 256 bit Generated internally via TLS 1 0 1 1 PRF Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Appr...

Страница 35: ... Keys per SSH 2 0 SSH_KEX_PRI ECDH P 256 Curve 128 bits or FFC DH Group 14 112 bits Generated internally via ECDH or FFC DH Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode SSH Key Exchange Private Key per SSH 2 0 SSH_KEX_PUB ECDH P 256 Curve 128 bits or FFC DH Group 14 112 bits Generated internally via ECDH or FFC DH Output encrypted via SSH_SK Plaintext ...

Страница 36: ...ternally Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Generate random values for the CTR_DRBG DRBG V Value Internal DRBG state value integer Generated internally Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Internal state value for the CTR_DRBG DRBG Key Value Internal DRBG state value integer Generated inte...

Страница 37: ...r cycle Switch Approved Mode SSH Authentication SSH_HOST_PUB RSA 2048 bit Public Key ECDSA P256 Curve Public Key Generated internally via Approved DRBG Output plaintext Plaintext in EEPROM Reset service Power cycle Switch Approved Mode SSH Authentication SSH_SK AES CTR 128 bit AES CBC 128 bit Generated internally via SSH PRF Output encrypted via SSH_SK Plaintext in RAM Power cycle Switch Approved ...

Страница 38: ...AM Reset service Power cycle Switch Approved Mode Internal state value for the CTR_DRBG 2 7 6 Mixed Mode Cryptographic Keys and Critical Security Parameters The cryptographic keys key components and other CSPs used by the module while operating in the Mixed Mode are shown in Table 11 Table 11 List of Cryptographic Keys Cryptographic Key Components and CSPs Mixed Mode Key Key Type Generation Input ...

Страница 39: ...F Output encrypted via SSH_SK Plaintext in RAM Power cycle Switch Approved Mode SSH Session Keys per SSH 2 0 SSH_SA HMAC SHA 1 112 bits Generated internally via SSH PRF Output encrypted via SSH_SK Plaintext in RAM Power cycle Switch Approved Mode SSH Session Integrity Keys per SSH 2 0 SSH_KEX_PRI ECDH P 256 Curve 128 bits or FFC DH Group 14 112 bits Generated internally via ECDH or FFC DH Output e...

Страница 40: ...ation Use DRBG V Value Internal DRBG state value integer Generated internally Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Internal state value for the CTR_DRBG DRBG Key Value Internal DRBG state value integer Generated internally Output encrypted via DEKey Plaintext in RAM Reset service Power cycle Switch Approved Mode Internal state value for the CTR...

Страница 41: ...are FPGA images as its approved integrity technique Data output is not available while the integrity test is being performed If the test passes the module will continue on to perform the required Known Answer Tests KATs on its cryptographic algorithms If the firmware integrity test fails the module will remain in its initial boot state and create an unencrypted dump file54 The CO will be required ...

Страница 42: ...Generator Test CRNGT on the output from the DRBG each time a new random number is generated In addition a CRNGT is performed on the output from the NDRNG prior to being used as entropy input for the DRBG If any of the CRNGTs fail the module will generate a dump file If the dump file is to be encrypted the module will attempt to perform the CRNGT a second time If the CRNGT passes on the second atte...

Страница 43: ...ctions Tests When operating in the Permanent Encryption and Encryption Enabled Approved Modes critical function self tests are required by the module when operating the SP 800 90A CTR DRBG Critical functions tests are crucial for the proper and secure operation of the DRBG These tests will ensure the DRBG always produces random information The StorageTek T10000D Tape Drive performs the following c...

Страница 44: ...se external software components are required for setting up the ETD for normal operation 3 1 Cryptographic Officer Guidance First Use This section provides instructions on how to place the StorageTek T10000D Tape Drive into each of the FIPS Approved modes after first receiving the drive from Oracle Corporation For first time use these operations shall be performed with an Oracle Service Representa...

Страница 45: ...hall perform the following steps to ensure the module is operating in the Encryption Disabled Mode 1 Follow the steps outlined in Section 3 1 1 Initial Set Up 2 Set the drive to an offline state Drive Operations Set Offline 3 Using VOP navigate to the Encrypt tab in the View Drive Data window Retrieve View Drive Data 4 Verify that the Use OKM or DPKM Field is set to UNKN and the Permanently encryp...

Страница 46: ...ata 5 Set the Use OKM or DPKM Field to OKM 6 Set the Permanently encrypting field to Yes 7 Enter a valid Agent ID Pass Phrase and OKM IP Address 8 Press the Commit button After pressing the Commit button the ETD will reboot to normal operation From this point forward the module will be operating in the Permanent Encryption Approved Mode Once operating in this mode the module will be unable to oper...

Страница 47: ...m an SSH client to establish a FIPS approved session 1 Protocol Version SSH v2 0 2 Encryption AES 128 bit CTR or AES 128 bit CBC 3 MAC HMAC SHA 1 4 KEX ecdh sha2 nistp256 or diffie hellman group14 sha1 5 Host Key ecdsa sha2 nistp256 ssh rsa Using the preceding options will allow a FIPS approved SSH session to be established 3 2 2 Memory Dump Offload all modes Memory dumps may only be offloaded usi...

Страница 48: ...ill reboot to normal operation From this point forward the module will be operating in the Encryption Enabled Approved Mode 3 2 5 Switching To Permanent Encryption Approved Mode The CO can place the module into the Permanent Encryption Mode from the Encryption Disabled Mode or the Encryption Enabled Mode The CO shall perform the following steps to place the module into the Permanent Encryption Mod...

Страница 49: ...d services including 1 Firmware Load 2 Remote Management via SSH Selecting Data Path Key Management DPKM to initialize Mixed Mode establishes keys that are established via non FIPS Approved methods This provides no cryptographic security for the data that is transformed with the keys All tape data is considered plaintext in Mixed Mode of operation 3 3 Zeroization Zeroization of the module s Critic...

Страница 50: ...onically Erasable Programmable Read Only Memory EMC Electromagnetic Compatibility EMI Electromagnetic Interference ETD Encrypting Tape Drive FC SB 3 Fibre Channel Single Byte 3 FCP 3 Fibre Channel Protocol 3 FICON Fibre Connection FIPS Federal Information Processing Standard FPGA Field Programmable Gate Array GUI Graphical User Interface HMAC Keyed Hash based Message Authentication Code Hz Hertz I...

Страница 51: ...rd RSA Rivest Shamir Adleman SCSI Small Computer System Interface sec Second SFTP Secure File Transfer Protocol SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SP Special Publication SSC 3 SCSI Stream Commands 3 SSH Secure Shell TLS Transport Layer Security TTI Tape Transport Interface UNKN Unknown VAC Volts Alternating Current VOP Virtual Operator Panel ...

Отзывы: