HP FIPS 140-2 Supplementary Manual

Security policy

HP StorageWorks Secure Key Manager
(Hardware P/N AJ087B, Version 1.1; Firmware Version:1.1)
FIPS 140-2

Security Policy

Level 2 Validation
Document Version 0.7
December 4, 2008
© 2008 Hewlett-Packard Company
This document may be freely reproduced in its original entirety.

Summary of Contents for HP FIPS 140-2

  • Page 1: Security Policy

    HP StorageWorks Secure Key Manager (Hardware P/N AJ087B, Version 1.1; Firmware Version:1.1) FIPS 140-2 Security Policy Level 2 Validation Document Version 0.7 December 4, 2008 © 2008 Hewlett-Packard Company This document may be freely reproduced in its original entirety.
  • Page 2: Table Of Contents

    Security Policy, version 1.0. Table of Contents: Introduction; Purpose; References; HP StorageWorks Secure Key Manager; Overview; Cryptographic Module; Module Interfaces; Roles, Services, and Authentication; 2.4.1 Crypto Officer Role; 2.4.2 User Role; 2.4.3 HP User Role; 2.4.4...
  • Page 3 Figure 8 – Tamper-Evidence Labels; Figure 9 – Tamper-Evidence Labels over ...; HP StorageWorks ...; Administration Interface ...
  • Page 4: FIPS

    ... Suites Supported by the ...; Table 14 – Other Cryptographic ...; Table 15 – Acronyms; ... Section; ... Physical Ports Mapping; ... Descriptions...
  • Page 5: Introduction

    The following pages describe how HP’s SKM meets these requirements and how to use the SKM in a mode of operation compliant with FIPS 140-2. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the HP StorageWorks Secure Key Manager.
  • Page 6: HP StorageWorks Secure Key Manager

    Figure 1 – Deployment Architecture of the HP StorageWorks Secure Key Manager. 2.2 Cryptographic Module Specification: The HP StorageWorks Secure Key Manager is validated at the FIPS 140-2 section levels shown in Table 1 – Security Level per FIPS 140-2 Section.
  • Page 7: Figure 2 - Block Diagram Of SKM

    Rivest, Shamir, and Adleman (RSA) American National Standard Institute (ANSI) X9.31 key generation, signature generation, and signature verification: 1024 and 2048 bits (certificate # 302)
  • Page 8: Module Interfaces

    80 and 112 bits of encryption strength, respectively. In the non-FIPS mode of operation, the module also implements DES, MD5, RC4, and 512- and 768-bit RSA for signature generation and verification, and key establishment. 2.3 Module Interfaces FIPS 140-2 defines four logical interfaces: • Data Input •...
  • Page 9: Figure 3 - Front Panel Leds

    Green = System health is normal. Amber = System health is degraded. To identify the component in a degraded state, refer to “HP Systems Insight Display and LEDs”. Red = System health is critical. To identify the component in a critical state, refer to “HP Systems Insight Display and LEDs”.
  • Page 10: Figure 4 - Rear Panel Components

    Table 4 – Rear Panel Components Descriptions Item The seven LEDs on the rear panel are illustrated in Figure 5 – Rear Panel LEDs. Figure 4 – Rear Panel Components...
  • Page 11: Roles, Services, And Authentication

    Service Authenticate to SKM Authenticate to SKM with a username and the associated password Table 5 – Rear Panel LED Definitions Green = Activity exists.
  • Page 12: User Role

    See Table 7 – User Services for details. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.
  • Page 13: HP User Role

    HP User Role The HP User role can reset the module to an uninitialized state in the event that all Crypto Officer passwords are lost, or when a self-test permanently fails. See Table 8 – HP User Services. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.
  • Page 14: Cluster Member Role

    60 After six unsuccessful attempts, the module will be locked down for 60 seconds; i.e., at most six trials are possible
  • Page 15: Unauthenticated Services

    All circuits in the module are coated with commercial standard passivation. Once the module has been configured to meet FIPS 140-2 Level 2 requirements, the module cannot be accessed without signs of tampering. See Section 3.3 – Physical Security Assurance of this document for more information.
  • Page 16: Table 12 - List Of Cryptographic

    Table 12 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs for TLS Key Type Pre-MS TLS pre-master secret TLS master secret Output Storage In volatile plaintext...
  • Page 17: Table 13 - Cipher Suites

    Other CSPs are tabulated in Table 14. Table 14 – Other Cryptographic Keys, Cryptographic Key Components, and CSPs Generation / Key Type Input Generation / Output Storage...
  • Page 18 TLS Firmware 1024-bit RSA Input in upgrade public key plaintext at factory Output Storage Via TLS in Encrypted in encrypted form non-volatile (encrypted with...
  • Page 19: Key Generation

    KAT on RSA signature generation and verification • Pairwise consistency test on DSA signature generation and verification Conditional self-tests include the following tests: Output Storage...
  • Page 20: Mitigation Of Other Attacks

    This section is not applicable. No claim is made that the module mitigates against any attacks beyond the FIPS 140-2 Level 2 requirements for this validation.
  • Page 21: Secure Operation

    • Management Port 3.2.2 FIPS Mode Configuration In order to comply with FIPS 140-2 Level 2 requirements, the following functionality must be disabled on the SKM: • Global keys • File Transfer Protocol (FTP) for importing certificates and downloading and restoring backup files •...
  • Page 22: Physical Security Assurance

    The tamper-evidence labels have individual, unique serial numbers. They should be inspected periodically and compared to the previously-recorded serial numbers to verify that fresh labels have not been applied to a tampered module.
  • Page 23: Figure 8 - Tamper-Evidence Labels

    Figure 8 – Tamper-Evidence Labels Figure 9 provides a better view of the positioning of the tamper-evidence labels over the power supplies. Figure 9 – Tamper-Evidence Labels over Power Supplies
  • Page 24: Key And CSP Zeroization

    Soft Error state. The module can recover from the Fatal Error state if power is cycled or if the SKM is rebooted. An HP User can reset the module when it is in the Fatal Error State.
  • Page 25: Acronyms

    ANSI BIOS CMVP DRNG FIPS HMAC LDAP Table 15 – Acronyms Definition Triple Data Encryption Standard Advanced Encryption Standard American National Standard Institute Basic Input/Output System...
  • Page 26: SSH

    Security Policy, version 1.0 Acronym NIST PRNG SNMP Definition Network Interface Card National Institute of Standards and Technology Network Time Protocol Peripheral Component Interconnect Pseudo Random Number Generator...

This manual is also suitable for:

StorageWorks Secure Key Manager