Security Policy, version 1.0 Table of Contents INTRODUCTION ...5 ...5 URPOSE ...5 EFERENCES HP STORAGEWORKS SECURE KEY MANAGER ...6 ...6 VERVIEW RYPTOGRAPHIC ODULE ...8 ODULE NTERFACES OLES ERVICES UTHENTICATION 2.4.1 Crypto Officer Role...11 2.4.2 User Role ...12 2.4.3 HP User Role...13 2.4.4...
Page 3
8 – T IGURE AMPER VIDENCE ABELS 9 – T IGURE AMPER VIDENCE ABELS OVER HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. HP S TORAGE ORKS ...10 ...22 DMINISTRATION NTERFACE ...23 ...23...
UITES UPPORTED BY THE 14 – O ABLE THER RYPTOGRAPHIC 15 – A ...25 ABLE CRONYMS HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety..6 ECTION ...8 HYSICAL ORTS APPING ...9 ...10 ESCRIPTIONS ...11...
The following pages describe how HP’s SKM meets these requirements and how to use the SKM in a mode of operation compliant with FIPS 140-2. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the HP StorageWorks Secure Key Manager.
Figure 1 – Deployment Architecture of the HP StorageWorks Secure Key Manager 2.2 Cryptographic Module Specification The HP StorageWorks Secure Key Manager is validated at FIPS 140-2 section levels shown in Table 1 – Security Level per FIPS 140-2 Section.
Rivest, Shamir, and Adleman (RSA) American National Standard Institute (ANSI) X9.31 key generation, signature generation, and signature verification: 1024 and 2048 bits (certificate # 302) HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety.
80 and 112 bits of encryption strength, respectively. In the non-FIPS mode of operation, the module also implements DES, MD5, RC4, and 512- and 768-bit RSA for signature generation and verification, and key establishment. 2.3 Module Interfaces FIPS 140-2 defines four logical interfaces: • Data Input •...
Green = System health is normal. Amber = System health is degraded. To identify the component in a degraded state, refer to “HP Systems Insight Display and LEDs”. Red = System health is critical. To identify the component in a critical state, refer to “HP Systems Insight Display and LEDs”.
Table 4 – Rear Panel Components Descriptions Item The seven LEDs on the rear panel are illustrated in Figure 5 – Rear Panel LEDs. HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Figure 4 – Rear Panel Components...
Service Authenticate to SKM Authenticate to SKM with a username and the associated password HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Table 5 – Rear Panel LED Definitions Green = Activity exists.
See Table 7 – User Services for details. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1. HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety.
HP User Role The HP User role can reset the module to an uninitialized state in the event that all Crypto Officer passwords are lost, or when a self-test permanently fails. See Table 8 – HP User Services. The keys and CSPs in the rightmost column correspond to the keys and CSPs introduced in Section 2.7.1.
60 After six unsuccessful attempts, the module will be locked down for 60 seconds; i.e., at most six trials are possible HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety.
All circuits in the module are coated with commercial standard passivation. Once the module has been configured to meet FIPS 140-2 Level 2 requirements, the module cannot be accessed without signs of tampering. See Section 3.3 – Physical Security Assurance of this document for more information.
Table 12 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs for TLS Key Type Pre-MS TLS pre-master secret TLS master secret HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Output Storage In volatile plaintext...
Other CSPs are tabulated in Table 14. Table 14 – Other Cryptographic Keys, Cryptographic Key Components, and CSPs Generation / Key Type Input HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Generation / Output Storage...
Page 18
TLS Firmware 1024-bit RSA Input in upgrade public key plaintext at factory HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Output Storage Via TLS in Encrypted in encrypted form non-volatile (encrypted with...
KAT on RSA signature generation and verification • Pairwise consistency test on DSA signature generation and verification Conditional self-tests include the following tests: HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Output Storage...
This section is not applicable. No claim is made that the module mitigates against any attacks beyond the FIPS 140- 2 Level 2 requirements for this validation. HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety.
• Management Port 3.2.2 FIPS Mode Configuration In order to comply with FIPS 140-2 Level 2 requirements, the following functionality must be disabled on the SKM: • Global keys • File Transfer Protocol (FTP) for importing certificates and downloading and restoring backup files •...
Soft Error state. The module can recover from the Fatal Error state if power is cycled or if the SKM is rebooted. An HP User can reset the module when it is in the Fatal Error State.
ANSI BIOS CMVP DRNG FIPS HMAC LDAP HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Table 15 – Acronyms Definition Triple Data Encryption Standard Advanced Encryption Standard American National Standard Institute Basic Input/Output System...
Security Policy, version 1.0 Acronym NIST PRNG SNMP HP StorageWorks Secure Key Manager This document may be freely reproduced in its original entirety. Definition Network Interface Card National Institute of Standards and Technology Network Time Protocol Peripheral Component Interconnect Pseudo Random Number Generator...