manualshive.com logo in svg

Sun Microsystems Sun StorageTek T9840D, Руководство по безопасности


Поделиться
Скачать
background image

Sun Microsystems

 Sun StorageTek ™ T9840D Tape Drive Security Policy

Name of 
Service

Service Description

Available 
on:

Available in 
FIPS mode

Available 
in non-
FIPS 
mode

Role

Access to 

Keys/CSPs

Establish 
TLS 
Session

Establishes a TLS 1.0 
(Transport Layer 
Security) session 
between the ETD and 
a KMS 2.x cluster

RJ45(Ether
net)

Yes

Yes

User

Uses and 
Modifies 
CTR_DRBG;
Generates 
TLS_PM;
Derives TLS_MS, 
TLS_EMK, 
TLS_DMK, 
TLS_ECK, 
TLS_DCK;
Uses CA_Cert;
Uses TDPubKey;
Uses TDPrivKey

Export 
AKWK

Exports the AES Key 
Wrap Key (AKWK) to 
the KMS 2.x cluster, 
protected with RSA 
Encryption

RJ45(Ether
net)

Yes

Yes

User

Uses and Writes 
CTR_DRBG;
Generates 
AKWK;
Uses 
KWKPublicKey;
Uses TLS_EMK;
Uses TLS_ECK;

Input 
KWKPubli
cKey

Inputs the 
KWKPublicKey from a 
KMS 2.x cluster into 
the ETD

RJ45(Ether
net)

Yes

Yes

User

Writes 
KWKPublicKey;
Uses TLS_DMK;
Uses TLS_DCK

Input 
ME_Key 
from KMS 
2.x

Inputs one or more 
ME_Keys (protected 
with AES Key Wrap) 
into the ETD from the 
KMS 2.x cluster

RJ45(Ether
net)

Yes

Yes

User

Writes ME_Key;
Uses TLS_DMK;
Uses TLS_DCK;
Uses AKWK;

ETD 
Configurati
on

Allows configuration of 
the ETD

RJ45(Ether
net)

Yes

Yes

C.O.

Not Applicable

Initial 
Program 
Load (IPL) 

Causes tape drive to 
reinitialize and perform 
Power-Up Self-Tests

RJ45(Ether
net)

Yes

Yes

C.O

Not Applicable

Audit Log

Allows the viewing, 
downloading, deletion 
of the ETD Audit Log

RJ45(Ether
net)

Yes

Yes

C.O.

Not Applicable

View Drive 
Data

Allows read access to 
ETD configuration data

RJ45(Ether
net)

Yes

Yes

C.O.

Not Applicable

Feb 5, 2010

Part 316055201, Rev: AA

Page 16

Содержание Sun StorageTek T9840D

Страница 1: ...ageTekTM T9840D Tape Drive Security Policy Part Number 316055201 Revision AA Sun Microsystems Inc February 5 2010 Copyright Sun Microsystems 2009 May be reproduced only in its original entirety without revision ...

Страница 2: ... 8 4 PORTS AND INTERFACES 10 5 IDENTIFICATION AND AUTHENTICATION POLICY 12 5 1 ASSUMPTION OF ROLES 12 6 DEFINITION OF CRITICAL SECURITY PARAMETERS CSPS 14 6 1 DEFINITION OF PUBLIC KEYS 15 7 ACCESS CONTROL POLICY 15 7 1 ROLES AND SERVICES 15 8 OPERATIONAL ENVIRONMENT AREA 6 18 9 SECURITY RULES 18 9 1 FIPS 140 2 SECURITY REQUIREMENTS 18 10 PHYSICAL SECURITY 19 10 1 PHYSICAL SECURITY MECHANISMS 19 11...

Страница 3: ...ED IDENTIFICATION AND AUTHENTICATION 12 TABLE 4 STRENGTHS OF AUTHENTICATION MECHANISMS 13 TABLE 5 DESCRIPTION OF CRITICAL SECURITY PARAMETERS CSPS 14 TABLE 6 DESCRIPTION OF PUBLIC KEYS WITHIN THE ETD 15 TABLE 7 SERVICES AUTHORIZED FOR ROLES 15 TABLE 8 UNAUTHENTICATED SERVICES 18 Release History Date Rev Description Name 02 05 10 AA Initial version of Security Policy Engineering Change EC001056 Mat...

Страница 4: ...ized key management The Sun StorageTek Crypto Key Management System version 2 1 and higher consists of two or more Key Management Appliances KMAs Key Management Appliances are the individual components within the system and in the context of this FIPS 140 2 Security Policy can be viewed as Key Loaders For more information on these system components please see the website http docs sun com and brow...

Страница 5: ...f FIPS 140 2 as is detailed in Table 1 Table 1 Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 1 Roles Services and Authentication 1 Finite State Model 1 Physical Security 1 Operational Environment N A Cryptographic Key Management 1 EMI EMC 1 Feb 5 2010 Part 316055201 Rev AA Page 5 Figure 1 2 Back side and bot...

Страница 6: ...part of digital signature verification for the firmware o as part of HMAC SHA 1 HMAC certificate 597 o for hashing passwords used for authentication AES ECB AES Certificate 1060 supporting 256 bit keys Used as part of the AES Key Wrap algorithm to securely establish keying material SP 800 90 CTR DRBG DRBG Certificate 11 for generating random numbers used for nonce values and cryptographic keys AES...

Страница 7: ...FIPS Mode The user can determine whether the ETD is operating in FIPS mode by examining the VOP Virtual Operator Panel VOP is an external software application and the primary ETD remote management tool VOP utilizes ETD services remotely VOP is described in more detail in the document Virtual Operator Panel User s Guide see VOPUG Figure 3 1 shows the View Current Drive Settings of the VOP applicati...

Страница 8: ... it will remain in either FIPS mode or non FIPS compliant mode FIPS 140 2 configuration of ETD with VOP requires the presence of both a Sun service representative and the customer In addition they will need to follow the licensing process as outlined in KMS2IM KMS 2 x Installation and Service Manual under License and Enroll the Tape Drives in Chapter 3 T Series Tape Drives Feb 5 2010 Part 31605520...

Страница 9: ...pe drive for encryption using the process from KMS2IM 5 The service representative shall set the drive offline by selecting Drive Operations Set Offline 6 The service representative shall add the ETD to the KMS 2 x cluster see KMS2IM 7 The service representative shall bring up the Configure Drive Parameters Window see Figure 3 2 by selecting Drive Data from the Configure menu of the main VOP windo...

Страница 10: ...vides a listing of the following physical ports and logical interfaces see ETDOG for details Table 2 Ports and Interfaces Description Physical Port Qty Logical interface definition Technical Specification DB15 RS232 1 data output status output control input Primarily used for tape library communications Feb 5 2010 Part 316055201 Rev AA Page 10 Figure 3 2 VOP Configure Drive Parameters Window ...

Страница 11: ... Command Code Sets 3 Mapping Protocol FC SB 3 Revision 1 6 specification see FC SB 3 Tape head 1 data input data output Provides the interface to the magnetic tape media where the user data to be encrypted is written to and where the data to be decrypted is read from Tape media resides in six possible cartridge types 1 Standard Data 2 SPORT reduced length Data 3 VolSafe write once Data 4 Sport Vol...

Страница 12: ...Officer C O Table 3 shows these roles Table 3 Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User Role based operator authentication The following Authentication Mechanism see Error Reference source not found is allowed for authenticating to the User Role 1 CA_Cert Private Key 2048 bit RSA Private key Note No authentication mechanism is claimed...

Страница 13: ...ey used to protect the ME_Keys with AES Key Wrap as they enter the ETD Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Dump Encryption Key DEKey A Dump file encryption key is a 256 bit AES CCM key used for encrypting the dump files during generation and storage Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Tape Dri...

Страница 14: ...8 bit RSA public key used to wrap the DEKey It is stored stored in an X 509 certificate Firmware Signature Public Key FSPubKey The Firmware Signature Public Key is a 2048 bit RSA key used to validate any uploaded firmware Firmware Signature Root Certificate Key FSRootCert The Firmware Signature Root Certificate Key is a 2048 bit RSA key within a PEM encoded certificate used to validate the certifi...

Страница 15: ...y Zeroize This service erases all Critical Security Parameters CSPs stored in ETD memory volatile and non volatile RJ45 Ether net Yes Yes C O Zeroizes all CSPs VOP Login Log in to the Virtual Operator s Panel VOP and authorizes the operator to the Crypto Officer Role providing access too all VOP commands RJ45 Ether net Yes Yes C O Accesses VOP Password Encrypt Data to Tape Encrypts data from the H...

Страница 16: ...s TLS_EMK Uses TLS_ECK Input KWKPubli cKey Inputs the KWKPublicKey from a KMS 2 x cluster into the ETD RJ45 Ether net Yes Yes User Writes KWKPublicKey Uses TLS_DMK Uses TLS_DCK Input ME_Key from KMS 2 x Inputs one or more ME_Keys protected with AES Key Wrap into the ETD from the KMS 2 x cluster RJ45 Ether net Yes Yes User Writes ME_Key Uses TLS_DMK Uses TLS_DCK Uses AKWK ETD Configurati on Allows ...

Страница 17: ... new CSP or the modification of an existing Generates Generates the CSP using the FIPS Approved SP800 90 DRBG Derives The CSP is derived using the Allowed TLS1 0 Key Derivation Function The ETD supports the unauthenticated services listed below in Table 7 None of the services modify disclose or substitute cryptographic keys and CSPs or otherwise affect the security of the ETD Table 7 Unauthenticat...

Страница 18: ...pto Officer role 2 When the module has not been placed in a valid role the operator does not have access to any cryptographic services 3 The cryptographic module shall encrypt and decrypt sensitive data using the AES 256 CCM algorithm 4 The cryptographic module shall perform the following tests a Power up Self tests i Cryptographic algorithm tests 1 AES ECB KAT Encrypt Decrypt 2 AES Key Wrap KAT W...

Страница 19: ...dule has not been designed to mitigate any specific attacks 12 References 1619 1 IEEE Std 1619 1 2007 IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices May 2008 CCM NIST Special Publication 800 38C Recommendation for Block Modes of Operation The CCM Mode for Authentication and Confidentiality U S DoC NIST May 2004 Available at http csrc nist gov publications nist...

Страница 20: ...est in the context of the EDRS system is data stored on magnetic tape EDRS Encrypted Data at Rest Solution ETD The Sun StorageTekTM T9840D Encrypting Tape Drive IPL Initial Program Load The process that brings up the ETD after a power on or reset KMA Key Management Applicance KMS Key Management System which consists of two or more KMAs TLS Transport Layer Security v1 0 as defined by IETF RFC 2246 ...

Отзывы:

Нет отзывов

Похожие инструкции для Sun StorageTek T9840D

LaCie LITTLE BIG DISK THUNDERBOLT 2 Getting Connected preview
LITTLE BIG DISK THUNDERBOLT 2
Бренд: LaCie Страницы: 6
Seagate ST31230N/ND Installation Manual preview
ST31230N/ND
Бренд: Seagate Страницы: 36
IBM SAN64B-6 Installation, Service And User Manual preview
SAN64B-6
Бренд: IBM Страницы: 122
Denios HazMat station EPO-2 Operation Manual And Spare Parts List preview
HazMat station EPO-2
Бренд: Denios Страницы: 6
Forest garden OPATSFP Quick Start Manual preview
OPATSFP
Бренд: Forest garden Страницы: 4
Western Digital My Book World Edition WDH1NC10000 Specifications preview
My Book World Edition WDH1NC10000
Бренд: Western Digital Страницы: 2
Apricorn Aegis Bio User Manual preview
Aegis Bio
Бренд: Apricorn Страницы: 36
Impediment RS-1600-X24 User Manual preview
RS-1600-X24
Бренд: Impediment Страницы: 256
SAJ HS2/AS2 Series User Manual preview
HS2/AS2 Series
Бренд: SAJ Страницы: 43
Kimball Footprint Radius Profile Undersurface Storage Assembly Instructions Manual preview
Footprint Radius Profile Undersurface Storage
Бренд: Kimball Страницы: 6
Kreg PRS2100 Owner'S Manual preview
PRS2100
Бренд: Kreg Страницы: 32
PowerTec WB-MS14 Manual preview
WB-MS14
Бренд: PowerTec Страницы: 40
Dedicated Micros MSUA1T25 Setup And Maintenance Manual preview
MSUA1T25
Бренд: Dedicated Micros Страницы: 12
Cisco C880 M4 Hardware Installation Manual preview
C880 M4
Бренд: Cisco Страницы: 23
Cisco Linksys NAS200 Quick Installation preview
Linksys NAS200
Бренд: Cisco Страницы: 75
Cisco C880 M4 Service Manual preview
C880 M4
Бренд: Cisco Страницы: 132
Cisco C880 M4 Operating Manual preview
C880 M4
Бренд: Cisco Страницы: 58
Cisco UCS 6400 Series Hardware Installation Manual preview
UCS 6400 Series
Бренд: Cisco Страницы: 68

Бренды по названию

Популярные бренды

Загрузить еще бренды