manualshive.com logo in svg

Sun Microsystems Sun StorageTek T9840D, Руководство по безопасности


Поделиться
Скачать
background image

Sun Microsystems

 Sun StorageTek ™ T9840D Tape Drive Security Policy

Name of 
Service

Service Description

Available 
on:

Available in 
FIPS mode

Available 
in non-
FIPS 
mode

Role

Access to 

Keys/CSPs

License 
ETD

This service is used in 
the VOP to enable the 
ETD encryption feature

RJ45(Ether
net)

Yes

Yes

C.O.

Uses PCKey;
Uses VOP 
Login/passsword;

Load 
Firmware

updates the ETD 
firmware.

RJ45(Ether
net), Tape 
Head, 
Host 
Interface

Yes

Yes

C.O.

Writes and Uses 
FSPubKey;
Uses 
FSRootCert;
Writes public 
keys stored in 
firmware

Reset

This service erases all 
keys, other than the 
PCKey, from ETD 
memory (volatile and 
non-volatile).

RJ45(Ether
net)

Yes

Yes

C.O.

Zeroizes all CSPs 
except the PCKey 

Zeroize

This service erases all 
Critical Security 
Parameters (CSPs) 
stored in ETD memory 
(volatile and non-
volatile).

RJ45(Ether
net)

Yes

Yes

C.O.

Zeroizes all CSPs 

VOP Login Log in to the Virtual 

Operator's Panel 
(VOP) and authorizes 
the operator to the 
Crypto-Officer Role, 
providing access too 
all VOP commands

RJ45(Ether
net)

Yes

Yes

C.O.

Accesses VOP 
Password

Encrypt 
Data to 
Tape

Encrypts data from the 
Host Interface on to 
the tape cartridge.

Tape Head,
Host 
Interface

Yes

Yes

User

Uses MEKey

Decrypt 
Data from 
Tape

Decrypts data from the 
tape cartridge

Tape Head,
Host 
Interface

Yes

Yes

User

Uses MEKey

Create 
Dump

Creates an encrypted 
diagnostic dump file 
and saves it to 
EEPROM.  Afterwards, 
the ETD performs an 
Initial Program Load 
(IPL)

RJ45(Ether
net)

Yes

Yes

C.O.

Uses and 
Modifies 
CTR_DRBG;
Generates and 
Uses DEKey;
Uses DEPubKey

Feb 5, 2010

Part 316055201, Rev: AA

Page 15

Содержание Sun StorageTek T9840D

Страница 1: ...ageTekTM T9840D Tape Drive Security Policy Part Number 316055201 Revision AA Sun Microsystems Inc February 5 2010 Copyright Sun Microsystems 2009 May be reproduced only in its original entirety without revision ...

Страница 2: ... 8 4 PORTS AND INTERFACES 10 5 IDENTIFICATION AND AUTHENTICATION POLICY 12 5 1 ASSUMPTION OF ROLES 12 6 DEFINITION OF CRITICAL SECURITY PARAMETERS CSPS 14 6 1 DEFINITION OF PUBLIC KEYS 15 7 ACCESS CONTROL POLICY 15 7 1 ROLES AND SERVICES 15 8 OPERATIONAL ENVIRONMENT AREA 6 18 9 SECURITY RULES 18 9 1 FIPS 140 2 SECURITY REQUIREMENTS 18 10 PHYSICAL SECURITY 19 10 1 PHYSICAL SECURITY MECHANISMS 19 11...

Страница 3: ...ED IDENTIFICATION AND AUTHENTICATION 12 TABLE 4 STRENGTHS OF AUTHENTICATION MECHANISMS 13 TABLE 5 DESCRIPTION OF CRITICAL SECURITY PARAMETERS CSPS 14 TABLE 6 DESCRIPTION OF PUBLIC KEYS WITHIN THE ETD 15 TABLE 7 SERVICES AUTHORIZED FOR ROLES 15 TABLE 8 UNAUTHENTICATED SERVICES 18 Release History Date Rev Description Name 02 05 10 AA Initial version of Security Policy Engineering Change EC001056 Mat...

Страница 4: ...ized key management The Sun StorageTek Crypto Key Management System version 2 1 and higher consists of two or more Key Management Appliances KMAs Key Management Appliances are the individual components within the system and in the context of this FIPS 140 2 Security Policy can be viewed as Key Loaders For more information on these system components please see the website http docs sun com and brow...

Страница 5: ...f FIPS 140 2 as is detailed in Table 1 Table 1 Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 1 Roles Services and Authentication 1 Finite State Model 1 Physical Security 1 Operational Environment N A Cryptographic Key Management 1 EMI EMC 1 Feb 5 2010 Part 316055201 Rev AA Page 5 Figure 1 2 Back side and bot...

Страница 6: ...part of digital signature verification for the firmware o as part of HMAC SHA 1 HMAC certificate 597 o for hashing passwords used for authentication AES ECB AES Certificate 1060 supporting 256 bit keys Used as part of the AES Key Wrap algorithm to securely establish keying material SP 800 90 CTR DRBG DRBG Certificate 11 for generating random numbers used for nonce values and cryptographic keys AES...

Страница 7: ...FIPS Mode The user can determine whether the ETD is operating in FIPS mode by examining the VOP Virtual Operator Panel VOP is an external software application and the primary ETD remote management tool VOP utilizes ETD services remotely VOP is described in more detail in the document Virtual Operator Panel User s Guide see VOPUG Figure 3 1 shows the View Current Drive Settings of the VOP applicati...

Страница 8: ... it will remain in either FIPS mode or non FIPS compliant mode FIPS 140 2 configuration of ETD with VOP requires the presence of both a Sun service representative and the customer In addition they will need to follow the licensing process as outlined in KMS2IM KMS 2 x Installation and Service Manual under License and Enroll the Tape Drives in Chapter 3 T Series Tape Drives Feb 5 2010 Part 31605520...

Страница 9: ...pe drive for encryption using the process from KMS2IM 5 The service representative shall set the drive offline by selecting Drive Operations Set Offline 6 The service representative shall add the ETD to the KMS 2 x cluster see KMS2IM 7 The service representative shall bring up the Configure Drive Parameters Window see Figure 3 2 by selecting Drive Data from the Configure menu of the main VOP windo...

Страница 10: ...vides a listing of the following physical ports and logical interfaces see ETDOG for details Table 2 Ports and Interfaces Description Physical Port Qty Logical interface definition Technical Specification DB15 RS232 1 data output status output control input Primarily used for tape library communications Feb 5 2010 Part 316055201 Rev AA Page 10 Figure 3 2 VOP Configure Drive Parameters Window ...

Страница 11: ... Command Code Sets 3 Mapping Protocol FC SB 3 Revision 1 6 specification see FC SB 3 Tape head 1 data input data output Provides the interface to the magnetic tape media where the user data to be encrypted is written to and where the data to be decrypted is read from Tape media resides in six possible cartridge types 1 Standard Data 2 SPORT reduced length Data 3 VolSafe write once Data 4 Sport Vol...

Страница 12: ...Officer C O Table 3 shows these roles Table 3 Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User Role based operator authentication The following Authentication Mechanism see Error Reference source not found is allowed for authenticating to the User Role 1 CA_Cert Private Key 2048 bit RSA Private key Note No authentication mechanism is claimed...

Страница 13: ...ey used to protect the ME_Keys with AES Key Wrap as they enter the ETD Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Dump Encryption Key DEKey A Dump file encryption key is a 256 bit AES CCM key used for encrypting the dump files during generation and storage Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Tape Dri...

Страница 14: ...8 bit RSA public key used to wrap the DEKey It is stored stored in an X 509 certificate Firmware Signature Public Key FSPubKey The Firmware Signature Public Key is a 2048 bit RSA key used to validate any uploaded firmware Firmware Signature Root Certificate Key FSRootCert The Firmware Signature Root Certificate Key is a 2048 bit RSA key within a PEM encoded certificate used to validate the certifi...

Страница 15: ...y Zeroize This service erases all Critical Security Parameters CSPs stored in ETD memory volatile and non volatile RJ45 Ether net Yes Yes C O Zeroizes all CSPs VOP Login Log in to the Virtual Operator s Panel VOP and authorizes the operator to the Crypto Officer Role providing access too all VOP commands RJ45 Ether net Yes Yes C O Accesses VOP Password Encrypt Data to Tape Encrypts data from the H...

Страница 16: ...s TLS_EMK Uses TLS_ECK Input KWKPubli cKey Inputs the KWKPublicKey from a KMS 2 x cluster into the ETD RJ45 Ether net Yes Yes User Writes KWKPublicKey Uses TLS_DMK Uses TLS_DCK Input ME_Key from KMS 2 x Inputs one or more ME_Keys protected with AES Key Wrap into the ETD from the KMS 2 x cluster RJ45 Ether net Yes Yes User Writes ME_Key Uses TLS_DMK Uses TLS_DCK Uses AKWK ETD Configurati on Allows ...

Страница 17: ... new CSP or the modification of an existing Generates Generates the CSP using the FIPS Approved SP800 90 DRBG Derives The CSP is derived using the Allowed TLS1 0 Key Derivation Function The ETD supports the unauthenticated services listed below in Table 7 None of the services modify disclose or substitute cryptographic keys and CSPs or otherwise affect the security of the ETD Table 7 Unauthenticat...

Страница 18: ...pto Officer role 2 When the module has not been placed in a valid role the operator does not have access to any cryptographic services 3 The cryptographic module shall encrypt and decrypt sensitive data using the AES 256 CCM algorithm 4 The cryptographic module shall perform the following tests a Power up Self tests i Cryptographic algorithm tests 1 AES ECB KAT Encrypt Decrypt 2 AES Key Wrap KAT W...

Страница 19: ...dule has not been designed to mitigate any specific attacks 12 References 1619 1 IEEE Std 1619 1 2007 IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices May 2008 CCM NIST Special Publication 800 38C Recommendation for Block Modes of Operation The CCM Mode for Authentication and Confidentiality U S DoC NIST May 2004 Available at http csrc nist gov publications nist...

Страница 20: ...est in the context of the EDRS system is data stored on magnetic tape EDRS Encrypted Data at Rest Solution ETD The Sun StorageTekTM T9840D Encrypting Tape Drive IPL Initial Program Load The process that brings up the ETD after a power on or reset KMA Key Management Applicance KMS Key Management System which consists of two or more KMAs TLS Transport Layer Security v1 0 as defined by IETF RFC 2246 ...

Отзывы:

Нет отзывов

Похожие инструкции для Sun StorageTek T9840D

Quantum LTO 3 Reference Manual preview
LTO 3
Бренд: Quantum Страницы: 78
Yardmaster 83 GEYZ Assembly Instructions Manual preview
83 GEYZ
Бренд: Yardmaster Страницы: 20
IBM SAN64B-6 Installation, Service And User Manual preview
SAN64B-6
Бренд: IBM Страницы: 122
Soyntec HDD Box 250 User Manual preview
HDD Box 250
Бренд: Soyntec Страницы: 8
IBM TS7650 PROTECTIER DEDUPLICATION APPLIANCE Installation Roadmap Manual preview
TS7650 PROTECTIER DEDUPLICATION APPLIANCE
Бренд: IBM Страницы: 218
garofalo V06.01.002 User Manual preview
V06.01.002
Бренд: garofalo Страницы: 12
Eaton Cutler Hammer SRAM PC104 Instruction Manual preview
Cutler Hammer SRAM PC104
Бренд: Eaton Страницы: 2
Seagate BARRACUDA ST32000542AS Datasheet preview
BARRACUDA ST32000542AS
Бренд: Seagate Страницы: 2
Yardmaster 1013 WGY Assembly Instructions Manual preview
1013 WGY
Бренд: Yardmaster Страницы: 24
Cavalry Passio CAXH3701T0 Specifications preview
Passio CAXH3701T0
Бренд: Cavalry Страницы: 1
Cavalry CAXM Series User Manual preview
CAXM Series
Бренд: Cavalry Страницы: 16
Discovery Kids WOODEN WORK BENCH Instruction Manual preview
WOODEN WORK BENCH
Бренд: Discovery Kids Страницы: 9
TerraMaster NAS F2-221 Fundamentals And Preliminaries preview
NAS F2-221
Бренд: TerraMaster Страницы: 13
Atmel AT49BV160D Manual preview
AT49BV160D
Бренд: Atmel Страницы: 29
nimble 60-40 Assembly Instructions Manual preview
60-40
Бренд: nimble Страницы: 10
ABSCO SHEDS 3060HK Manual preview
3060HK
Бренд: ABSCO SHEDS Страницы: 55
ECOSAFE A2T Instruction Manual preview
A2T
Бренд: ECOSAFE Страницы: 8
Acnodes DAS 316SSA Specifications preview
DAS 316SSA
Бренд: Acnodes Страницы: 1

Бренды по названию

Популярные бренды

Загрузить еще бренды