manualshive.com logo in svg

Sun Microsystems Sun StorageTek T9840D, Руководство по безопасности


Поделиться
Скачать
background image

Sun Microsystems

 Sun StorageTek ™ T9840D Tape Drive Security Policy

key establishment methodology provides 256 bits of strength)

RSAES-PKCS1-V1_5 supporting 2048-bit keys, for RSA public key encryption used to provide 
FIPS 140-2 allowed key transport within the TLS protocol. Key establishment methodology 
provides 112 bits of security. 

Non-Deterministic Random Number Generator (NDRNG) (provides entropy input to the SP800-90 
DRBG, and random values for use within the TLS protocol)

MD5, as used in the TLS protocol.

3.3 Determining FIPS Mode

The user can determine whether the ETD is operating in FIPS mode by examining the VOP (Virtual 
Operator Panel).  VOP is an external software application and the primary ETD remote management tool. 
VOP utilizes ETD services remotely.  VOP is described in more detail in the document "Virtual Operator 
Panel User's Guide" (see [VOPUG]).

Figure 3.1 shows the "View Current Drive Settings" of the VOP application (Drive Operations → View 
Drive Data).  The user can tell if the ETD has selected an Approved mode of operation by verifying that 
the labels "Encryption active" and "Running in FIPS mode" are both set to "Yes".  If either of these labels 
is set to "No" then the ETD is not in a FIPS Approved mode.

Feb 5, 2010

Part 316055201, Rev: AA

Page 7

Содержание Sun StorageTek T9840D

Страница 1: ...ageTekTM T9840D Tape Drive Security Policy Part Number 316055201 Revision AA Sun Microsystems Inc February 5 2010 Copyright Sun Microsystems 2009 May be reproduced only in its original entirety without revision ...

Страница 2: ... 8 4 PORTS AND INTERFACES 10 5 IDENTIFICATION AND AUTHENTICATION POLICY 12 5 1 ASSUMPTION OF ROLES 12 6 DEFINITION OF CRITICAL SECURITY PARAMETERS CSPS 14 6 1 DEFINITION OF PUBLIC KEYS 15 7 ACCESS CONTROL POLICY 15 7 1 ROLES AND SERVICES 15 8 OPERATIONAL ENVIRONMENT AREA 6 18 9 SECURITY RULES 18 9 1 FIPS 140 2 SECURITY REQUIREMENTS 18 10 PHYSICAL SECURITY 19 10 1 PHYSICAL SECURITY MECHANISMS 19 11...

Страница 3: ...ED IDENTIFICATION AND AUTHENTICATION 12 TABLE 4 STRENGTHS OF AUTHENTICATION MECHANISMS 13 TABLE 5 DESCRIPTION OF CRITICAL SECURITY PARAMETERS CSPS 14 TABLE 6 DESCRIPTION OF PUBLIC KEYS WITHIN THE ETD 15 TABLE 7 SERVICES AUTHORIZED FOR ROLES 15 TABLE 8 UNAUTHENTICATED SERVICES 18 Release History Date Rev Description Name 02 05 10 AA Initial version of Security Policy Engineering Change EC001056 Mat...

Страница 4: ...ized key management The Sun StorageTek Crypto Key Management System version 2 1 and higher consists of two or more Key Management Appliances KMAs Key Management Appliances are the individual components within the system and in the context of this FIPS 140 2 Security Policy can be viewed as Key Loaders For more information on these system components please see the website http docs sun com and brow...

Страница 5: ...f FIPS 140 2 as is detailed in Table 1 Table 1 Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 1 Roles Services and Authentication 1 Finite State Model 1 Physical Security 1 Operational Environment N A Cryptographic Key Management 1 EMI EMC 1 Feb 5 2010 Part 316055201 Rev AA Page 5 Figure 1 2 Back side and bot...

Страница 6: ...part of digital signature verification for the firmware o as part of HMAC SHA 1 HMAC certificate 597 o for hashing passwords used for authentication AES ECB AES Certificate 1060 supporting 256 bit keys Used as part of the AES Key Wrap algorithm to securely establish keying material SP 800 90 CTR DRBG DRBG Certificate 11 for generating random numbers used for nonce values and cryptographic keys AES...

Страница 7: ...FIPS Mode The user can determine whether the ETD is operating in FIPS mode by examining the VOP Virtual Operator Panel VOP is an external software application and the primary ETD remote management tool VOP utilizes ETD services remotely VOP is described in more detail in the document Virtual Operator Panel User s Guide see VOPUG Figure 3 1 shows the View Current Drive Settings of the VOP applicati...

Страница 8: ... it will remain in either FIPS mode or non FIPS compliant mode FIPS 140 2 configuration of ETD with VOP requires the presence of both a Sun service representative and the customer In addition they will need to follow the licensing process as outlined in KMS2IM KMS 2 x Installation and Service Manual under License and Enroll the Tape Drives in Chapter 3 T Series Tape Drives Feb 5 2010 Part 31605520...

Страница 9: ...pe drive for encryption using the process from KMS2IM 5 The service representative shall set the drive offline by selecting Drive Operations Set Offline 6 The service representative shall add the ETD to the KMS 2 x cluster see KMS2IM 7 The service representative shall bring up the Configure Drive Parameters Window see Figure 3 2 by selecting Drive Data from the Configure menu of the main VOP windo...

Страница 10: ...vides a listing of the following physical ports and logical interfaces see ETDOG for details Table 2 Ports and Interfaces Description Physical Port Qty Logical interface definition Technical Specification DB15 RS232 1 data output status output control input Primarily used for tape library communications Feb 5 2010 Part 316055201 Rev AA Page 10 Figure 3 2 VOP Configure Drive Parameters Window ...

Страница 11: ... Command Code Sets 3 Mapping Protocol FC SB 3 Revision 1 6 specification see FC SB 3 Tape head 1 data input data output Provides the interface to the magnetic tape media where the user data to be encrypted is written to and where the data to be decrypted is read from Tape media resides in six possible cartridge types 1 Standard Data 2 SPORT reduced length Data 3 VolSafe write once Data 4 Sport Vol...

Страница 12: ...Officer C O Table 3 shows these roles Table 3 Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User Role based operator authentication The following Authentication Mechanism see Error Reference source not found is allowed for authenticating to the User Role 1 CA_Cert Private Key 2048 bit RSA Private key Note No authentication mechanism is claimed...

Страница 13: ...ey used to protect the ME_Keys with AES Key Wrap as they enter the ETD Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Dump Encryption Key DEKey A Dump file encryption key is a 256 bit AES CCM key used for encrypting the dump files during generation and storage Transported wrapped with the KWKPublicKey which provides 112 bits of encryption strength Tape Dri...

Страница 14: ...8 bit RSA public key used to wrap the DEKey It is stored stored in an X 509 certificate Firmware Signature Public Key FSPubKey The Firmware Signature Public Key is a 2048 bit RSA key used to validate any uploaded firmware Firmware Signature Root Certificate Key FSRootCert The Firmware Signature Root Certificate Key is a 2048 bit RSA key within a PEM encoded certificate used to validate the certifi...

Страница 15: ...y Zeroize This service erases all Critical Security Parameters CSPs stored in ETD memory volatile and non volatile RJ45 Ether net Yes Yes C O Zeroizes all CSPs VOP Login Log in to the Virtual Operator s Panel VOP and authorizes the operator to the Crypto Officer Role providing access too all VOP commands RJ45 Ether net Yes Yes C O Accesses VOP Password Encrypt Data to Tape Encrypts data from the H...

Страница 16: ...s TLS_EMK Uses TLS_ECK Input KWKPubli cKey Inputs the KWKPublicKey from a KMS 2 x cluster into the ETD RJ45 Ether net Yes Yes User Writes KWKPublicKey Uses TLS_DMK Uses TLS_DCK Input ME_Key from KMS 2 x Inputs one or more ME_Keys protected with AES Key Wrap into the ETD from the KMS 2 x cluster RJ45 Ether net Yes Yes User Writes ME_Key Uses TLS_DMK Uses TLS_DCK Uses AKWK ETD Configurati on Allows ...

Страница 17: ... new CSP or the modification of an existing Generates Generates the CSP using the FIPS Approved SP800 90 DRBG Derives The CSP is derived using the Allowed TLS1 0 Key Derivation Function The ETD supports the unauthenticated services listed below in Table 7 None of the services modify disclose or substitute cryptographic keys and CSPs or otherwise affect the security of the ETD Table 7 Unauthenticat...

Страница 18: ...pto Officer role 2 When the module has not been placed in a valid role the operator does not have access to any cryptographic services 3 The cryptographic module shall encrypt and decrypt sensitive data using the AES 256 CCM algorithm 4 The cryptographic module shall perform the following tests a Power up Self tests i Cryptographic algorithm tests 1 AES ECB KAT Encrypt Decrypt 2 AES Key Wrap KAT W...

Страница 19: ...dule has not been designed to mitigate any specific attacks 12 References 1619 1 IEEE Std 1619 1 2007 IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices May 2008 CCM NIST Special Publication 800 38C Recommendation for Block Modes of Operation The CCM Mode for Authentication and Confidentiality U S DoC NIST May 2004 Available at http csrc nist gov publications nist...

Страница 20: ...est in the context of the EDRS system is data stored on magnetic tape EDRS Encrypted Data at Rest Solution ETD The Sun StorageTekTM T9840D Encrypting Tape Drive IPL Initial Program Load The process that brings up the ETD after a power on or reset KMA Key Management Applicance KMS Key Management System which consists of two or more KMAs TLS Transport Layer Security v1 0 as defined by IETF RFC 2246 ...

Отзывы:

Нет отзывов

Похожие инструкции для Sun StorageTek T9840D

D-Link DSN-4100 Series Quick Start Manual preview
DSN-4100 Series
Бренд: D-Link Страницы: 2
DANE-ELEC SO MOBILE Datasheet preview
SO MOBILE
Бренд: DANE-ELEC Страницы: 2
SanDisk Mobile Ultra Memory Stick Micro User Manual preview
Mobile Ultra Memory Stick Micro
Бренд: SanDisk Страницы: 1
DataWhale RS-M2BF User Manual preview
RS-M2BF
Бренд: DataWhale Страницы: 31
Qsan XCUBESAN XS5226S XCUBESAN XS3224D Hardware Manual preview
XCUBESAN XS5226S XCUBESAN XS3224D
Бренд: Qsan Страницы: 138
U-Line H-7209 Quick Start Manual preview
H-7209
Бренд: U-Line Страницы: 6
MCE Technologies Xcaret Pro-99 Installation Manual preview
Xcaret Pro-99
Бренд: MCE Technologies Страницы: 9
KEHUA TECH iStoragE B5-S1 User Manual preview
iStoragE B5-S1
Бренд: KEHUA TECH Страницы: 51
ulsonix DOUBLE BIN ULX-240-1 User Manual preview
DOUBLE BIN ULX-240-1
Бренд: ulsonix Страницы: 9
Excalibur Do It Yourself Workbench EI-PT1013 User Manual preview
Do It Yourself Workbench EI-PT1013
Бренд: Excalibur Страницы: 2
Stardom ST5610-4S-WB Quick Installation Manual preview
ST5610-4S-WB
Бренд: Stardom Страницы: 108
SanDisk 80-11-01543 Specifications preview
80-11-01543
Бренд: SanDisk Страницы: 2
morse 400A-72-124 Operator'S Manual preview
400A-72-124
Бренд: morse Страницы: 5
morse 400A-60-124 Operator'S Manual preview
400A-60-124
Бренд: morse Страницы: 6
Atlas LiFePO4 User Manual preview
LiFePO4
Бренд: Atlas Страницы: 38
Seagate ST625211CF Installation Manual preview
ST625211CF
Бренд: Seagate Страницы: 2
G-Technology G-Play Install Manual preview
G-Play
Бренд: G-Technology Страницы: 24
Promise Technology Smartstor NS4600 Product Manual preview
Smartstor NS4600
Бренд: Promise Technology Страницы: 370

Бренды по названию

Популярные бренды

Загрузить еще бренды