FIPS 140-2 Level 2 Security Policy
                        for FlagStone Core
              (Versions V1.0.1.1a, V1.0.1.2a, V1.0.1.3)
                                         Issue: 1.1




This document may be freely reproduced and distributed only in its entirety without revision.
                               © Stonewood, 2001-2007
                              www.flagstonesecure.com
                                            Contents
     1 Introduction                                                                 5
       1.1 Scope                                                                    5
       1.2 Security Level                                                           6
       1.3 Related Documents                                                        6
     2 Cryptographic Module Specification                                           7
       2.1 Overview                                                                 7
       2.2 Modes of Operation                                                       9
     3 Module Ports and Interfaces                                                 10
     4 Roles, Services, and Authentication                                         12
       4.1 Roles                                                                   12
       4.2 Services                                                                13
       4.3 Authentication                                                          17
     5 Finite State Model                                                          19
     6 Physical Security                                                           20
     7 Operational Environment                                                     21
     8 Cryptographic Key Management                                                22
       8.1 Critical Security Parameters                                            22
       8.2 Non Critical Security Parameters                                        26
       8.3 Access Privileges to Critical Security Parameters                       27
       8.4 Random Number Generator                                                 28
       8.5 Key Derivation                                                          28
       8.6 Key Generation                                                          28
       8.7 Key Entry and Output                                                    28
       8.8 Initialisation Vector Generation                                        28
       8.9 Key Storage                                                             28
     9 Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC)      29
     10    Self-Tests                                                              30
       10.1     Power On Self-Tests                                                31
       10.2     Conditional Self-Tests                                             31
     11    Design Assurance                                                        32
       11.1     Configuration Management                                           32
       11.2     Delivery and Operation                                             32
       11.3     Development                                                        32
       11.4     Guidance Documents                                                 32
     12    Mitigation of Other Attacks Policy                                      33
     13    Security Rules                                                          34
       13.1     Authentication Attempt Counters                                    34
       13.2     Recovery Attempt Counter                                           34




                                            Figures
     Figure 1 FlagStone Corporate (Parallel ATA)                                    5
     Figure 2 FlagStone Corporate (Serial ATA)                                      5
     Figure 3 FlagStone Freedom                                                     5
     Figure 4 FlagStone Core V1.0.1.1a                                              7
     Figure 5 FlagStone Core V1.0.1.2a                                              7
     Figure 6 FlagStone Core V1.0.1.3                                               7
     Figure 7 FlagStone Core Interface Diagram                                      8




FlagStone Core FIPS 140-2 Security Policy                               3600-SP189 Issue 1.1
                                            © Stonewood
                                                2 of 34
                                            Glossary
AES            Advanced Encryption Standard
ATA            AT Attachment
CBC            Cipher Block Chaining
CRC            Cyclic Redundancy Check
CSP            Critical Security Parameter
C-O            Crypto-Officer
ECB            Electronic Code Book
EMC            Electro Magnetic Compatibility
EMI            Electro Magnetic Interference
FCC            Federal Communications Commission
FPGA           Field Programmable Gate Array
FIPS           Federal Information Processing Standards
HDD            Hard Disk Drive
IDE            Integrated Drive Electronics
IV             Initialisation Vector
KAT            Known Answer Test
KCC            Key Check Code
MBR            Master Boot Record
N/A            Not Applicable
NV             Non Volatile
OSC            Oscillator
PAC            Personal Authorisation Code
POST           Power on Self-Test(s)
PUB            Publication
RAM            Random Access Memory
RNG            Random Number Generator
SHS            Secure Hash Standard
TBA            To Be Announced
TBC            To Be Confirmed




FlagStone Core FIPS 140-2 Security Policy                 3600-SP189 Issue 1.1
                                            © Stonewood
                                                3 of 34
                                       References
[1]    FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Information
       Technology Laboratory, National Institute of Standards and Technology,
       Gaithersburg, MD 20899-8900

[2]    FIPS PUB 197, Specification for the Advanced Encryption Standard (AES),
       Information Technology Laboratory, National Institute of Standards and
       Technology, Gaithersburg, MD 20899-8900

[3]    NIST-Recommended Random Number Generator Based on ANSI X9.31 Appendix
       A.2.4. Using the 3-Key Triple DES and AES Algorithms, January 31, 2005, Sharon S.
       Keller

[4]    AT Attachment with Packet Interface ­ 7, Volume 1 ­ Register Delivered
       Command Set, Logical Register Set, ANSI NCITS 397-2005 (Vol. 2), American
       National Standards Institute, Inc., 25 West 43rd Street, New York, NY 10036, USA

[5]    FlagStone (Corporate FIPS 140-2) Security Specification, Stonewood Document
       Number 3600-SS187

[6]    FlagStone (FIPS 140-2) Hardware Design Description (for FlagStone Core
       V1.0.1.x), Stonewood Document Number 3620-DD089

[7]    Flagstone Corporate (FIPS 140-2) User Guide(s)

[8]    FlagStone Freedom (FIPS 140-2) User Guide(s)

[9]    QP200 Product Development, Stonewood Quality Process

[10]   QP500 Customer Interface, Stonewood Quality Process




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                                4 of 34
1        Introduction
1.1      Scope

This security policy applies to the FIPS 140-2 validated cryptographic module deployed
within Flagstone Corporate and FlagStone Freedom Drives referred to as the FlagStone
Core. This document has been written based on the requirements specified in Ref. [1].

Whilst the FlagStone Core is provided as three physical embodiments, V1.0.1.1a,
V1.0.1.2a & V1.0.1.3, the security functionality is identical for all three. The following
table indicates which embodiment is used in each FlagStone Corporate and FlagStone
Freedom Drive.

                                 Drive                           FlagStone Core
               FlagStone Corporate (Parallel ATA Interface)         V1.0.1.1a
               FlagStone Corporate (Serial ATA Interface)           V1.0.1.2a
               FlagStone Freedom                                     V1.0.1.3


The following are images of FlagStone Corporate and FlagStone Freedom Drives
containing the FIPS 140-2 validated FlagStone Core. Further information on the
FlagStone Range can be found on www.flagstonesecure.com




    Figure 1 FlagStone Corporate (Parallel ATA)     Figure 2 FlagStone Corporate (Serial ATA)




                                    Figure 3 FlagStone Freedom




FlagStone Core FIPS 140-2 Security Policy                                   3600-SP189 Issue 1.1
                                            © Stonewood
                                                5 of 34
1.2       Security Level

                         Security Requirements Section                     Level
  Cryptographic Module Specification                                         2
  Cryptographic Module Ports and Interfaces                                  2
  Roles, Services, and Authentication                                        2
  Finite State Model                                                         2
  Physical Security                                                          3
  Operational Environment                                                   N/A
  Cryptographic Key Management                                               2
  Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)       3
  Self-Tests                                                                 2
  Design Assurance                                                           3
  Mitigation of Other Attacks                                               N/A


1.3       Related Documents

      ·   Finite State Model, Ref. [5]
      ·   Cryptographic Boundary, Ref. [6]
      ·   Supported ATA Commands, Ref. [5]




FlagStone Core FIPS 140-2 Security Policy                        3600-SP189 Issue 1.1
                                            © Stonewood
                                                6 of 34
2      Cryptographic Module Specification
2.1    Overview

The FlagStone Core is a multi-chip embedded cryptographic module used within the
FlagStone Corporate and the FlagStone Freedom Drives.




      Figure 4 FlagStone Core V1.0.1.1a                   Figure 5 FlagStone Core V1.0.1.2a




                                Figure 6 FlagStone Core V1.0.1.3


The FlagStone Core and subsequently the FlagStone Drives utilising the FlagStone Core
provide access control and data encryption services to protect access to data stored
on a HDD (Hard Disk Drive). All accessible sectors on a HDD connected to a FlagStone
Core are encrypted.

The FlagStone Core authentication services and security functions can only be
accessed through the use of ATA disk reads and ATA disk writes.

Once authenticated, data can be read and written to the connected HDD just like a
normal HDD. Data written to the HDD is automatically encrypted prior to writing the
data to the HDD; data read from the HDD is automatically decrypted prior to returning
the data to the host.

FlagStone Core FIPS 140-2 Security Policy                                    3600-SP189 Issue 1.1
                                            © Stonewood
                                                7 of 34
Prior to authentication, ATA disk reads and ATA disk writes are entirely handled
internally within the FlagStone Core. Specifically ATA disk reads will return FlagStone
Core status information and disk writes, when targeted at the correct sector number,
will invoke the authentication services within the FlagStone Core.

It is expected that most users will use an external application to communicate with the
FlagStone Core's ATA disk read/write (plain text) interface prior to Authentication. To
avoid the need for users to write their own applications, FlagStone applications are
provided with the FlagStone Corporate and FlagStone Freedom Drives. Since these
applications are not part of the FlagStone Core, they are not covered by this
document. Details of these applications can be found in the user guide for the relevant
FlagStone Corporate and FlagStone Freedom Drive.

The FlagStone applications are provided on Optical Media and embedded within the
FlagStone Corporate and FlagStone Freedom Drives. When embedded, the
application itself may be sourced from within the FlagStone Core prior to
authentication through the use of ATA disk reads. The reading of the application has
no effect on the functionality of the FlagStone Core. Since these applications are not
part of the FlagStone Core, they are not covered by this document.

Figure 7 FlagStone Core Interface Diagram provides a pictorial representation of the
interfaces to the FlagStone Core. Since the FlagStone Core is an embedded
cryptographic module, the cryptographic boundary highlighted is not representative
of the entire FlagStone module.

                                  Power
                                Interface

                          Advance Power              FlagStone
                          Fail Warning (PF)
                                                        Core


                                  EHIReset                       CHIReset

                                ATA Bus On
                                  PATA Bus                        PATA Bus
                                  (Plain text)                     (Cipher)
                                                                              To HDD
                                 ATA Links




                  FIPS 140-2
                Cryptographic
                  Boundary                             MBR
                                                       Store



                           Figure 7 FlagStone Core Interface Diagram




FlagStone Core FIPS 140-2 Security Policy                                         3600-SP189 Issue 1.1
                                                 © Stonewood
                                                     8 of 34
Note: The MBR Store contains an external application that can be executed on a host
processor to facilitate communication with the FlagStone Core's ATA disk read/write
interface during the authentication process. No part of this application can run on, or
alter the configuration of any of the FlagStone Core hardware. This application has no
access to any additional port than is accessible by any other software application that
can operate on the host processor.

2.2       Modes of Operation

The FlagStone Core can only operate in a FIPS-approved mode of operation.

The FlagStone Core implements the following FIPS-approved algorithms:

      ·   128-bit AES CBC Mode for full disk data encryption.
      ·   128-bit AES ECB Mode for Crypto-Officer authentication.
      ·   ANSI X9.31 AES 128 bit RNG for internal Key and IV generation.

The FlagStone Core does not implement any non FIPS -Approved security functions.




FlagStone Core FIPS 140-2 Security Policy                                  3600-SP189 Issue 1.1
                                            © Stonewood
                                                9 of 34
3      Module Ports and Interfaces
The following table provides a brief description of the physical interfaces to the
FlagStone Core. The interfaces specified can be seen in Figure 7 FlagStone Core
Interface Diagram. Further details on these interfaces can be found in Ref. [6].

Physical Interface      Description
PATA Bus (Plain text)   The primary interface for the reception of ATA commands,
                        plaintext data and authentication service requests from the
                        external host ATA controller, and the primary interface for the
                        transmission of data, status information and ATA transfer requests
                        to the external host ATA controller.
PATA Bus (Cipher)       The primary interface for the transmission of ATA commands and
                        enciphered data to the HDD and the primary interface for the
                        reception of ATA transfer requests and enciphered data from
                        the HDD.
Power Interface         Provides power to the FlagStone Core.
Advance Power Fail      Provides a control signal from the local power supply to indicate
Warning (PF)            the imminent loss of power.
ATA Bus On              Provides a status signal to indicate when the FlagStone Core
                        PATA Bus (Plain text) is available for use.
EHIReset                Provides a status signal to indicate when the FlagStone Core is
                        performing a reset of its PATA Bus (Plain text) interface.
CHIReset                Provides a status signal to indicate when the FlagStone Core is
                        performing a reset of its PATA Bus (Cipher) interface.
ATA Links               Provided to allow configuration of the ATA interface within the
                        FlagStone Core including master / slave and cable select
                        options present on Parallel ATA HDDs.


The following table details the mapping of the physical interfaces summarised above
to the FIPS 140-2 Logical Interfaces.

  FIPS 140-2 Logical                                 Physical Interface
       Interfaces
Data Input Interface         PATA Bus (Plain text), PATA Bus (Cipher)
Data Output Interface        PATA Bus (Plain text), PATA Bus (Cipher)
Control Input Interface      PATA Bus (Plain text), PATA Bus (Cipher),
                             Advance Power Fail Warning (PF), ATA Links
Status Output Interface      PATA Bus (Plain text), PATA Bus (Cipher),
                             ATA Bus On, EHIReset, CHIReset
Power Port                   Power Interface


The PATA Bus (Plain text) provides logical separation between its Data Input, Data
Output, Control Input and Status Output interfaces through the use of the ATA Protocol
and the Flagstone Core's Finite State Machine.




FlagStone Core FIPS 140-2 Security Policy                                 3600-SP189 Issue 1.1
                                            © Stonewood
                                               10 of 34
The PATA Bus (Cipher) provides logical separation between its Data Input, Data
Output, Control Input and Status Output interfaces through the use of the ATA Protocol.

A description of the ATA command set supported by the FlagStone Core is detailed in
Ref. [5]. Details of the ATA protocol can be found in Ref. [4].




FlagStone Core FIPS 140-2 Security Policy                            3600-SP189 Issue 1.1
                                            © Stonewood
                                               11 of 34
4      Roles, Services, and Authentication
4.1    Roles

The FlagStone Core supports the two roles mandated by FIPS PUB 140-2 (Ref. [1]),
namely Crypto-Officer and User. The FlagStone Core only supports a single session,
therefore only one of the roles may be active at any given point.

The following table details the roles:

 Role                                      Description
Crypto- The Crypto-Officer is responsible for User account management.
Officer
        The Crypto-Officer can:
           · Create a User.
           · Delete a User.
           · Recover a User, should a User have been suspended as the result of 5
              consecutive failed User authentications.
           · Change the Recovery and User authentication parameters

          Completion of User account management always results in the Crypto-
          Officer being automatically logged out. Furthermore, if a User has been
          successfully created/recovered, the User is always automatically logged in.
User      The User will utilise the connected HDD for secure data storage.

          Once a User has been authenticated, the data key is loaded into the
          encryption / decryption path and the User has access to the data encryption
          /decryption services. ATA disk read/write data commands will automatically
          utilise the data encryption/decryption services provided by the FlagStone
          Core.

          Furthermore the User is also capable of changing their authentication
          parameter and logging out from the device.




FlagStone Core FIPS 140-2 Security Policy                          3600-SP189 Issue 1.1
                                            © Stonewood
                                               12 of 34
4.2     Services

The following table details the services offered to valid operators based on their role.

 Role        Service                                      Description
Crypto-   Crypto-Officer   This service allows the Crypto-Officer to authenticate them self,
Officer   Authenticate     create a User and generate CSPs for the AES Algorithm.
          & Create User
                           Optionally, the Crypto-Officer can also elect to change the User
                           authentication parameter, thus ensuring that the recovery and
                           current User authentication parameters are different.

                           The FlagStone Core will first authenticate the Crypto-Officer. If
                           unsuccessful the FlagStone Core will immediately terminate the
                           service and inhibit any further operation from occurring, until power
                           cycled.

                           If successful, the FlagStone Core will check that there is no User
                           present. If a User is present, an invalid Crypto-Officer Service Request
                           will be reported and the Crypto-Officer will be automatically logged
                           out.

                           If there is no user present, the FlagStone Core will create a User by
                           generating
                                · the User authentication parameter CSPs, (current and
                                    recovery) from the User authentication parameter received
                                · the User's Data Key and Initialisation Vector using the FIPS
                                    approved RNG, initialised with Date/Time received

                           In the event the FIPS approved RNG reports a Continuous Self-Test
                           error, the Crypto-Officer will be automatically logged out without
                           creating the User.

                           Once the User has been created, if the Crypto-Officer has elected
                           to change the User authentication parameter, the FlagStone Core
                           will regenerate and store the current User authentication parameter
                           CSP using the received updated User authentication parameter.

                           Finally, the FlagStone Core will automatically log out the Crypto-
                           Officer, initialise the AES Algorithm with the Data Key and
                           Initialisation Vector, and log in the User.
          Crypto-Officer   This service allows the Crypto-Officer to authenticate them self and
          Authenticate     delete a User.
          & Delete User
                           The FlagStone Core will first authenticate the Crypto-Officer. If
                           unsuccessful the FlagStone Core will immediately terminate the
                           service and inhibit any further operation from occurring, until power
                           cycled.

                           If successful, the User will be deleted and the User CSPs will be
                           zeroised. Once completed, the Crypto-Officer will be automatically
                           logged out.

                           Note, this service is available when there is a suspended User
                           present and when there is no User present.


FlagStone Core FIPS 140-2 Security Policy                                     3600-SP189 Issue 1.1
                                            © Stonewood
                                               13 of 34
 Role        Service                                      Description
Crypto-   Crypto-Officer   This service allows the Crypto-Officer to authenticate them self and
Officer   Authenticate     recover a suspended User.
          & Recover User
                           Optionally, the Crypto-Officer can also elect to change the current
                           and/or recovery User authentication parameters.

                           The FlagStone Core will first authenticate the Crypto-Officer. If
                           unsuccessful the FlagStone Core will immediately terminate the
                           service and inhibit any further operation from occurring, until power
                           cycled.

                           If successful, the FlagStone Core will check that there is a suspended
                           User present. If there is no User present, an invalid Crypto-Officer
                           Service Request will be reported and the Crypto-Officer will be
                           automatically logged out.

                           If there is a suspended User present, the FlagStone Core will
                           authenticate the recovery of the User using the User authentication
                           parameter received. In the event the recovery was unsuccessful,
                           the Crypto-Officer will be automatically logged out.

                           Providing the recovery authentication is successful the FlagStone
                           Core will copy the recovery User authentication parameter CSP to
                           the current User authentication parameter CSP.

                           Thereafter, if the Crypto-Officer has elected to change the current
                           and/or recovery User authentication parameter, the FlagStone Core
                           will regenerate and store the appropriate User authentication
                           parameter CSPs using the received updated User authentication
                           parameter.

                           Finally, the FlagStone Core will automatically log out the Crypto-
                           Officer, initialise the AES Algorithm with the Data Key and
                           Initialisation Vector, and log in the (recovered) User.

                           Note, there is a limit to the number of unsuccessful User recovery
                           authentications permitted. After 15 unsuccessful User recovery
                           authentications the User will be automatically deleted and the User
                           CSPs will be automatically zeroised.
          Logout           This is an implicit service that is invoked by removing power.




FlagStone Core FIPS 140-2 Security Policy                                    3600-SP189 Issue 1.1
                                            © Stonewood
                                               14 of 34
 Role        Service                                      Description
User      User              This service allows the user to authenticate them self.
          Authenticate
                            The FlagStone Core will attempt to authenticate the User. If
                            successful the FlagStone Core will initialise the AES Algorithm with the
                            Data Key and Initialisation Vector and log in the User.
          User              This service allows the user to authenticate them self and change
          Authenticate      their authentication parameter.
          & Change
          Authentication    The FlagStone Core will attempt to authenticate the User. If
          Parameter         successful the FlagStone Core will regenerate and store the current
                            User authentication parameter CSP using the received updated
                            User authentication parameter, initialise the AES Algorithm with the
                            Data Key and Initialisation Vector and log in the User.
          Encrypt & Write   Given a block of data, this service encrypts the data with AES-128 in
          Data to HDD       CBC mode using the User's Data Key and Initialisation Vector. The
                            resulting cipher text is then written to the HDD using an ATA disk
                            write.

                            This service is initiated by the host performing an ATA disk write.

                            This service is available only after authentication.
          Read &            This service returns plaintext from the enciphered HDD by performing
          Decrypt Data      an ATA disk read from the HDD, and decrypting the retrieved
          from HDD          (cipher text) data with AES-128 in CBC mode using the User's Data
                            Key and Initialisation Vector.

                            The service is initiated by the host PC performing an ATA disk read.
                            The resulting plaintext is returned to the host using the appropriate
                            ATA response.

                            This service is available only after authentication.
          Logout            This is an implicit service that is invoked by removing power.




FlagStone Core FIPS 140-2 Security Policy                                       3600-SP189 Issue 1.1
                                            © Stonewood
                                               15 of 34
The following table details the services that do not require the authentication of an
operator:

          Service                                  Description
      Read MBR         Prior to authentication, ATA disk reads to specific sectors will
      Store            return a buffer of data sourced from the FlagStone Core's MBR
                       store.

                       This service will provide an application that can be executed
                       externally on the host connected to the FlagStone Core. This
                       application can be used to allow users to communicate with the
                       FlagStone Core's ATA disk read/write interface prior to
                       Authentication.
      Supported        This service processes the set of ATA commands that are
      ATA              supported by the FlagStone Core but do not involve
      commands         cryptographic/access control operations. These commands are
      ­ non crypto     processed in accordance with Ref. [4]. The responses given are
                       those that would be expected for a standard HDD. These
                       commands do not output user data.
      Unsupported      This service handles the set of ATA commands that the FlagStone
      ATA              Core does NOT support. In accordance with Ref. [4], these
      commands         commands are aborted.
      Run Self-Test    Following power up the FlagStone Core will perform a number of
                       Self-Tests to ensure correct operation of the device.

                       The service is invoked automatically by the power-up of the
                       FlagStone Core.
      Get Status       This service provides the current status of the FlagStone Core,
                       including the results of self-tests.

                       Status data is output as a sector of data prior to authentication
                       and can be read using an ATA disk read.
      Suspend User     This service is an implicit service that is invoked by deliberately
                       performing 5 consecutive user authentications using an incorrect
                       User Authentication Parameter.
      Purge Unit       This service zeroises all CSPs from the FlagStone Core including
                       those injected during manufacture. Following the activation of
                       this service neither the Crypto-Officer nor User will be able to
                       authenticate with the FlagStone Core.

                       This service can be invoked by performing 5 consecutive invalid
                       Crypto-Officer authentication attempts.




FlagStone Core FIPS 140-2 Security Policy                                    3600-SP189 Issue 1.1
                                            © Stonewood
                                               16 of 34
4.3     Authentication

The FlagStone Core module uses role-based authentication to facilitate access to
cryptographic services. Re-authentication is required following a power cycle of the
FlagStone Core module. The following table summarises the authentication inputs.

 Role               Mechanism
 Crypto-Officer     128 bit factory programmed value
 User               Generation of a CRC32 from the received 256-bit user
                    authentication parameter, followed by an equality test of the
                    generated CRC32 and the Current User Authentication Parameter
                    KCC stored within the FlagStone Core.

Note: The values described in this document are the authentication parameters
received by the FlagStone Core. It is expected that most users will use an external
application to capture and collate these parameters. The FlagStone Range provides a
selection of external applications that users may use to facilitate capture of these
parameters. Further details can be found in the respective Flagstone User Guides (Refs.
[7] & [8]).

4.3.1   Crypto-Officer Authentication

The FlagStone Core limits the number of consecutive failed Crypto-Officer
authentication attempts. Following each failed attempt the FlagStone Core requires
power cycling before another attempt to authenticate can be made.

The Crypto-Officer is authenticated by using the Crypto-Officer PAC as the input to a
128bit AES Known Answer Test; the probability of a false acceptance is therefore 1 in
2128.

                                  Probability of false accept
                                        1 in 3.40x1038

The FlagStone Core limits the number of Crypto-Officer authentication attempts to five,
see Security Rules section 13 for details. All five attempts may be completed within one
minute; on the 5th failure the purge unit service is automatically invoked.

                           Probability of false accept in 1 minute
                                        1 in 6.81x1037




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                               17 of 34
4.3.2   User Authentication

User authentication is performed by generating a CRC32 from the received user
authentication parameter, followed by an equality test of the generated CRC32 and
the Current User Authentication Parameter KCC. Since false acceptance of a User is
based on a comparison of a 32-bit CRC, the probability of a false acceptance is
therefore 1 in 232.

                                  Probability of false accept
                                        1 in 4.29x109

The FlagStone Core limits the number of User authentication attempts to five, see
Security Rules section 13 for details. Following this only Crypto-Officer authentication is
offered, where by the Crypto-Officer PAC needs to be entered. In the worst case
scenario, the Crypto-Officer PAC is known enabling 15 attempts to recover the user.

User recovery authentication is performed by generating a CRC32 from the received
user authentication parameter, followed by an equality test of the generated CRC32
and the Recovery User Authentication Parameter KCC. Since this is based on a
comparison of a 32-bit CRC, the probability of a false acceptance is 1 in 232, i.e. the
same as for User authentication.

Consequently, in this worst case scenario this provides a total of 20 attempts (5 user
plus 15 recovery authentication attempts), all of which can be completed within one
minute.

                           Probability of false accept in 1 minute
                                         1 in 2.15x108




FlagStone Core FIPS 140-2 Security Policy                               3600-SP189 Issue 1.1
                                            © Stonewood
                                               18 of 34
5      Finite State Model
The Finite State Model for the FlagStone Core is specified in Ref. [5].

All states required for a FIPS 140-2 validation, including Power On / Off states, Crypto
Officer states, CSP Entry states, User states, Self-Test states and Error states have been
included in the Finite State Model.

The FlagStone Core contains no Bypass States and no Maintenance States.




FlagStone Core FIPS 140-2 Security Policy                                 3600-SP189 Issue 1.1
                                            © Stonewood
                                               19 of 34
6      Physical Security
The FlagStone Core is a multi-chip embedded cryptographic module that meets FIPS
140-2 Level 3 for physical security. The FlagStone Core is potted with a hard epoxy resin
that is opaque within the visible spectrum.

There are no access points to the FlagStone Core and there is no maintenance mode.

Damage to the epoxy resin is indicative of a potential violation of the physical security
of the FlagStone Core. Damage to the FlagStone Core may be recognised as serious
scratching, filing or drilling into the epoxy resin. Visibility of the circuit-board or any
chips within the potted boundary may also be indicative of an unauthorised attempt
at physical access or a unit not suitable for use.

Use of the epoxy resin ensures that attempts to penetrate the FlagStone Core will
cause serious damage to the module and it will cease to function correctly, therefore
an unauthorised attempt at physical access may also be determined if the module
begins functioning abnormally, Power On Self-Tests fail, Continuous RNG Self-Test fails or
it is Unusable.

Stonewood recommends that customers ensure themselves that the FlagStone Drive
has not been tampered with when they first receive it. If the FlagStone Drive is
received embedded within a host (e.g. a laptop or PC) the user is recommended to
remove the FlagStone Drive and inspect it prior to first use.

Furthermore, Stonewood recommends that customers inspect the Flagstone Drive if it is
suspected that it may have been in the possession of an unauthorised individual, e.g. if
the FlagStone Drive is lost and subsequently found.




FlagStone Core FIPS 140-2 Security Policy                               3600-SP189 Issue 1.1
                                            © Stonewood
                                               20 of 34
7      Operational Environment
The FlagStone Core module does not contain a modifiable operational environment
and thus the Operational Environment requirements of FIPS PUB 140-2 (Ref. [1]) are not
applicable.




FlagStone Core FIPS 140-2 Security Policy                           3600-SP189 Issue 1.1
                                            © Stonewood
                                               21 of 34
8       Cryptographic Key Management
8.1     Critical Security Parameters

8.1.1   FlagStoneTMID

The FlagStoneTMID is generated using a FIPS validated SHS based RNG from FIPS 186-2,
and injected into the FlagStone Core NV Store during unit manufacture.

The FlagStoneTMID is used for authentication of the Crypto-Officer PAC, and is a fixed
value.

Type:          AES-128 Key
Storage:       FlagStone Core NV Store (Constants)
Zeroisation:   Purge Unit service

8.1.2   FlagStoneTMID Schedule

The FlagStoneTMID Schedule is a set of AES Round Keys computed from the
FlagStoneTMID CSP during the Crypto-Officer Authenticate & Create User service, the
Crypto-Officer Authenticate & Delete User service and the Crypto-Officer Authenticate
& Recover User service. These values are computed in accordance with the key
schedule computation specified in the FIPS 197 Advanced Encryption Standard (AES).

The FlagStoneTMID Schedule is used by the AES Algorithm to authenticate the Crypto-
Officer (section 4.3.1).

Type:          AES-128 Round Keys
Storage:       FPGA-RAM
Zeroisation:   Logout service

8.1.3   Data Key

The Data Key is generated during the Crypto-Officer Authenticate & Create User
service using the FlagStone Core FIPS approved RNG. The result of the operation is
stored in the FlagStone Core NV Store.

The Data Key is used to generate the Data Key Schedule used for
encrypting/decrypting data to/from the connected HDD during the Encrypt & Write
Data to HDD service and the Read & Decrypt Data from HDD service.

Type:          AES-128 Key
Storage:       FlagStone Core NV Store (Variables)
Zeroisation:   Purge Unit service and immediately following User deletion




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                               22 of 34
8.1.4   Data Key Schedule

The Data Key Schedule is a set of AES Round Keys computed from the Data Key CSP,
during the Crypto-Officer Authenticate & Create User service, the Crypto-Officer
Authenticate & Recover User service, the User Authenticate service and the User
Authenticate & Change Authentication Parameter service. These values are
computed in accordance with the key schedule computation specified in the FIPS 197
Advanced Encryption Standard (AES).

The Data Key Schedule is used by the AES Algorithm to encrypt/decrypt data to/from
the connected HDD during the Encrypt & Write Data to HDD service and the Read &
Decrypt Data from HDD service.

Type:          AES-128 Round Keys
Storage:       FPGA-RAM
Zeroisation:   Logout service

8.1.5   Recovery User Authentication Parameter KCC

The Recovery User Authentication Parameter KCC is generated from the User
Authentication Parameter during the Crypto-Officer Authenticate & Create User
service and can be generated from the Updated User Authentication Parameter
during the Crypto-Officer Authenticate & Recover User service. It is the result of a
CRC32 calculation of the appropriate User authentication parameter and is stored in
the FlagStone Core NV Store.

The Recovery User Authentication Parameter KCC is used during the Crypto-Officer
Authenticate & Recover User service for authenticating the User's recovery
authentication parameter.

Type:          32-bit CRC
Storage:       FlagStone Core NV Store (Variables)
Zeroisation:   Purge Unit service and immediately following User deletion




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                               23 of 34
8.1.6   Current User Authentication Parameter KCC

The Current User Authentication Parameter KCC is generated from the User
Authentication Parameter during the Crypto-Officer Authenticate & Create User
service, is generated from the Updated User Authentication Parameter during the User
Authenticate & Change Authentication Parameter service and can also be generated
from the Updated User Authentication Parameter during the Crypto-Officer
Authenticate & Recover User service. It is the result of a CRC32 calculation of the
appropriate User authentication parameter and is stored in the FlagStone Core NV
Store.

The Current User Authentication Parameter KCC is used during the User Authenticate
service and the User Authenticate & Change Authentication Parameter service for
authenticating the User's authentication parameter.

Type:          32-bit CRC
Storage:       FlagStone Core NV Store (Variables)
Zeroisation:   Purge Unit service and immediately following User deletion

8.1.7   RNG Seed

The RNG Seed is generated at the same time as the RNG Seed Key, see Section 8.1.8,
using a FIPS validated SHS based RNG from FIPS 186-2, and injected into the FlagStone
Core NV Store during unit manufacture. Prior to injection, the generating software
compares the RNG Seed and the RNG Seed Key and verifies that they are not the
same.

The RNG Seed is used by FlagStone Core's FIPS approved RNG and is a fixed value.

Type:          128-bit value
Storage:       FlagStone Core NV Store (Constants)
Zeroisation:   Purge Unit service

8.1.8   RNG Seed Key

The RNG Seed Key is generated at the same time as the RNG Seed, see Section 8.1.7,
using a FIPS validated SHS based RNG from FIPS 186-2, and injected into the FlagStone
Core NV Store during unit manufacture. Prior to injection, the generating software
compares the RNG Seed and the RNG Seed Key and verifies that they are not the
same.

The RNG Seed Key is used by FlagStone Core's FIPS approved RNG and is a fixed value.

Type:          AES-128 Key
Storage:       FlagStone Core NV Store (Constants)
Zeroisation:   Purge Unit service




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                               24 of 34
8.1.9   RNG Seed Key Schedule

The RNG Key Schedule is a set of AES Round Keys computed from the RNG Seed Key
CSP once a Crypto-Officer has been authenticated during the Crypto-Officer
Authenticate & Create User service. These values are computed in accordance with
the key schedule computation specified in the FIPS 197 Advanced Encryption
Standard (AES).

The RNG Key Schedule is used by the RNG's AES Algorithm when generating random
numbers.

Type:          AES-128 Round Keys
Storage:       FPGA-RAM
Zeroisation:   Logout service and immediately following successful User creation

8.1.10 User Authentication Parameter

An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Recover User service, the User Authenticate
service and the User Authenticate & Change Authentication Parameter service.

This is a transient value and is never persistently stored within the FlagStone Core.

Type:          256-bit value
Storage:       FPGA-RAM (during authentication only)
Zeroisation:   N/A

8.1.11 Updated User Authentication Parameter

An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Recover User service, and the User
Authenticate & Change Authentication Parameter service.

This is a transient value and is never persistently stored within the FlagStone Core.

Type:          256-bit value
Storage:       FPGA-RAM (during authentication only)
Zeroisation:   N/A

8.1.12 Crypto-Officer PAC

An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Delete User service, and the Crypto-Officer
Authenticate & Recover User service.

The Crypto-Officer PAC is a transient value and is never persistently stored in the
FlagStone Core.

Type:          128-bit value
Storage:       FPGA-RAM (during authentication only)
Zeroisation:   N/A

FlagStone Core FIPS 140-2 Security Policy                                3600-SP189 Issue 1.1
                                            © Stonewood
                                               25 of 34
8.2     Non Critical Security Parameters

8.2.1   Initialisation Vector

The Initialisation Vector is generated during the Crypto-Officer Authenticate & Create
User service using the FlagStone Core FIPS approved RNG. The result of the operation is
stored in the FlagStone Core NV Store.

The Initialisation Vector is used by the AES Algorithm for CBC encrypting/decrypting
data to/from the connected HDD during the Encrypt & Write Data to HDD service and
the Read & Decrypt Data from HDD service.

Type:          128-bit value
Storage:       FlagStone Core NV Store (Variables)
Zeroisation:   Purge Unit service and immediately following User deletion

8.2.2   RNG Date/Time

An externally sourced value used during the Crypto-Officer Authenticate & Create User
service.

The RNG Date/Time is a transient value and is never persistently stored in the FlagStone
Core.

Type:          128-bit value
Storage:       FPGA-RAM (during authentication only)
Zeroisation:   N/A




FlagStone Core FIPS 140-2 Security Policy                             3600-SP189 Issue 1.1
                                            © Stonewood
                                               26 of 34
8.3    Access Privileges to Critical Security Parameters

      CSP             Role                           Service                      Access
FlagStoneTMID    Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
                                  Crypto-Officer Authenticate & Delete User    Read
                                  Crypto-Officer Authenticate & Recover User   Read
                 No Role          Purge Unit                                   Zeroise
FlagStoneTMID    Crypto-Officer   Crypto-Officer Authenticate & Create User    Write
Schedule                          Crypto-Officer Authenticate & Delete User    Write
                                  Crypto-Officer Authenticate & Recover User   Write
                                  Logout                                       Zeroise
Data Key         Crypto-Officer   Crypto-Officer Authenticate & Create User    Read/Write
                                  Crypto-Officer Authenticate & Delete User    Zeroise
                                  Crypto-Officer Authenticate & Recover User   Read
                 User             User Authenticate                            Read
                                  User Authenticate & Change Authentication    Read
                                  Parameter
                 No Role          Purge Unit                                   Zeroise
Data Key         Crypto-Officer   Crypto-Officer Authenticate & Create User    Write
Schedule                          Crypto-Officer Authenticate & Recover User   Write
                                  Logout                                       Zeroise
                 User             User Authenticate                            Write
                                  User Authenticate & Change Authentication    Write
                                  Parameter
                                  Encrypt & Write Data to HDD                  Read
                                  Read & Decrypt Data from HDD                 Read
                                  Logout                                       Zeroise
Recovery User    Crypto-Officer   Crypto-Officer Authenticate & Create User    Write
Authentication                    Crypto-Officer Authenticate & Delete User    Zeroise
KCC                               Crypto-Officer Authenticate & Recover User   Read/Write
                 No Role          Purge Unit                                   Zeroise
Current User     Crypto-Officer   Crypto-Officer Authenticate & Create User    Write
Authentication                    Crypto-Officer Authenticate & Delete User    Zeroise
KCC                               Crypto-Officer Authenticate & Recover User   Write
                 User             User Authenticate                            Read
                                  User Authenticate & Change Authentication    Read/Write
                                  Parameter
                 No Role          Purge Unit                                   Zeroise
RNG Seed         Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
                 No Role          Purge Unit                                   Zeroise
RNG Seed Key     Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
                 No Role          Purge Unit                                   Zeroise
RNG Seed Key     Crypto-Officer   Crypto-Officer Authenticate & Create User    Write/Zeroise
Schedule                          Logout                                       Zeroise
User             Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
Authentication                    Crypto-Officer Authenticate & Recover User   Read
Parameter        User             User Authenticate                            Read
                                  User Authenticate & Change Authentication    Read
                                  Parameter




FlagStone Core FIPS 140-2 Security Policy                              3600-SP189 Issue 1.1
                                            © Stonewood
                                               27 of 34
     CSP              Role                           Service                     Access
Updated User     Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
Authentication                    Crypto-Officer Authenticate & Recover User   Read
Parameter        User             User Authenticate & Change Authentication    Read
                                  Parameter
Crypto-Officer   Crypto-Officer   Crypto-Officer Authenticate & Create User    Read
PAC                               Crypto-Officer Authenticate & Delete User    Read
                                  Crypto-Officer Authenticate & Recover User   Read



8.4     Random Number Generator

The FlagStone Core contains a FIPS approved Deterministic Random Number
Generator based on ANSI X9.31 Appendix A.2.4 Using the AES 128 bit Algorithm, Ref.
[3]. The Seed and Seed Key are held secret and are never released from the FlagStone
Core.

8.5     Key Derivation

There are no Key Derivation techniques employed by the FlagStone Core.

8.6     Key Generation

The FlagStone Core contains an approved AES security function that requires a single
key, the Data Key, which is generated each time a User is created. The FlagStone Core
uses a FIPS 140-2 approved internal key generation technique to generate the key
using the random number generator detailed in section 8.4.

8.7     Key Entry and Output

No keys are entered into the FlagStone Core after manufacture. Only the date/time
and the authentication CSPs can be entered from an external source once the
FlagStone Core has been potted in the hard opaque epoxy resin.

All CSPs are loaded into the FlagStone Core in plaintext form, both during manufacture
and during normal operation.

Keys cannot be exported from the FlagStone Core in any form.

8.8     Initialisation Vector Generation

The FlagStone Core contains an approved AES security function that requires a single
IV, the Initialisation Vector, which is generated each time a User is created. The
FlagStone Core uses a FIPS 140-2 approved internal IV generation technique to
generate the IV using the random number generator detailed in section 8.4.

8.9     Key Storage

The FlagStone Core stores all keys in plain text form.




FlagStone Core FIPS 140-2 Security Policy                              3600-SP189 Issue 1.1
                                            © Stonewood
                                               28 of 34
9      Electromagnetic Interference / Electromagnetic Compatibility
       (EMI/EMC)
The FlagStone Core has been tested and meets applicable Federal Communications
Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic
Compatibility (EMC) requirements as defined in Subpart B of FCC Part 15, (Class B for
home use).




FlagStone Core FIPS 140-2 Security Policy                          3600-SP189 Issue 1.1
                                            © Stonewood
                                               29 of 34
10     Self-Tests
The FlagStone Core performs self-tests during its power-on sequence and on demand
to ensure all security critical functions are functioning correctly. Two types are
implemented, Power On Self-Tests (section 10.1), which are performed when the
FlagStone Core is powered up, and Conditional Self-Tests (section 10.2), which are
performed when ever the relevant security function is invoked.

The status of Self-Tests can be retrieved, via the status output interface, using the Get
Status service. This service returns a set of Self-Test Boolean Flags, as shown in the table
below, which indicates whether the Self-Test(s) have passed or failed. A Self-Test Flag
that represents more than one Self-Test result, e.g. Red ATA Controller, will indicate
passed only if all Self-Tests grouped for that particular Self-Test Flag have passed.

   Self-Test Boolean Flag        Self-Test Type               Reports overall result for:
  Red ATA Controller          Power On Self-Test       1.   ATA Bus On Signal Test
                                                       2.   Status Input Test
  Non Volatile Store          Power On Self-Test       1.   Non-volatile store variable Test
                                                       2.   Non-volatile store constants Test
  Key Manager                 Power On Self-Test       1.   Cryptographic Algorithm Test
                                                       2.   RNG KAT Test
  Black ATA Controller        Power On Self-Test       1.   Hardware Integrity Check
  RNG Status                  Conditional Self-Test    1.   Continuous RNG Test

In addition to the Self-Test Flags, the Get Status service will return a general boolean
"Error" flag. This "Error" flag is set to error state when any Self-Test has failed else it is set
to no error state.

The Self-Tests results will be available once all the Power On Self-Test routines have
been completed.

If an external application supplied with FlagStone/FlagStone Freedom is being used,
then retrieval of the Self-Test results using the Get Status service is performed
automatically. When an error is detected the external application will display an error
message with the appropriate error code (refer to the relevant User Guides, Refs. [7] &
[8], for further information).




FlagStone Core FIPS 140-2 Security Policy                                    3600-SP189 Issue 1.1
                                            © Stonewood
                                               30 of 34
10.1   Power On Self-Tests

The following table details the tests performed by the FlagStone Core during the
power-on sequence. The Power On Self-Tests can only be initiated on demand by
power cycling.

     Power On                                        Description
      Self-Test
ATA Bus On Signal      Ensures that the ATA Bus On signal can be switched on and off.
Non-volatile store     The FlagStone Core NV Store holds two copies of variable data to
variable Test          ensure that if a power-down event occurs during an update at
                       least one copy is valid. This test fails if both the primary and
                       secondary copies fail CRC32 verification. A failure of this kind will
                       render the unit permanently in-operable by automatically
                       invoking the Purge Unit service, see section 4.2 for service details.
Non-volatile store     This test fails if the system constants fail a CRC32 verification.
constants Test
Cryptographic          Performs a 128-bit KAT test on the encrypt and decrypt path of
Algorithm Test         the AES Algorithm.
RNG KAT Test           Performs a KAT test on the X9.31 AES 128 bit RNG.
Hardware Integrity     Ensures that communications can occur between the FlagStone
Check                  Core and the connected HDD and ensures that the HDD has
                       passed its own Self-Test.
Static Input Test      This ensures that the static input configuration pins have been
                       configured correctly.


10.2   Conditional Self-Tests

The following table details the conditional test performed by the FlagStone Core; it is
performed each time the security function is invoked.

  Conditional                                        Description
    Self-Test
Continuous           This conditional Self-Test ensures that the RNG security function
RNG Test             does not generate two identical numbers in succession. In the
                     event this conditional test fails, the FlagStone Core will inhibit all
                     authentication services and security functions until power is cycled.




FlagStone Core FIPS 140-2 Security Policy                                 3600-SP189 Issue 1.1
                                            © Stonewood
                                               31 of 34
11      Design Assurance
11.1   Configuration Management

All elements of the FlagStone Core, including hardware and documentation are
revision controlled according to Stonewood Electronics Ltd ISO 9001:2000 accredited
quality management system.

All documents are assigned unique document numbers and subsequently version
controlled using issues numbers of the form: 3600-SP189 Issue 1.0. Document numbers
are formed by the project code, followed by the document type and a unique one-up
value for the remainder of the document number.

All hardware components are assigned individual part numbers and issue characters of
the form: 600051-P12 Issue A.

Details of the Stonewood Electronics Quality Process for product development are
documented in Ref. [9].

11.2   Delivery and Operation

The FlagStone Core is manufactured and integrated into FlagStone Corporate and
FlagStone Freedom Drives within the same secure environment and does not leave the
secure environment prior to the FlagStone Core being potted in the hard opaque
epoxy resin.

Once integrated into the FlagStone Drive, it will be shipped via courier. The delivery
process is detailed in the Stonewood Electronics Ltd ISO 9001:2000 accredited Quality
Management System and documented in Ref. [10].

11.3   Development

All elements of the FlagStone Core are developed in accordance with the Stonewood
Electronics Ltd. ISO 9001:2000 accredited Quality Management System and
documented in Ref. [9].

All documentation required for the FIPS accreditation of the FlagStone Core has been
submitted for FIPS validation including PCB layouts, schematics, source code and
specifications. Ref. [5] provides the functional specification of the FlagStone Core.

All FPGA code has been written in a high-level description language.

11.4   Guidance Documents

A combination of the relevant FlagStone User Guides (Ref. [7] for FlagStone Corporate
and Ref. [8] for FlagStone Freedom) and this document provide all the guidance
required for a Crypto-Officer and a User of the FlagStone Core. This Security Policy and
the relevant user guide will be supplied on CD supplied with the end-product.




FlagStone Core FIPS 140-2 Security Policy                              3600-SP189 Issue 1.1
                                            © Stonewood
                                               32 of 34
12     Mitigation of Other Attacks Policy
The FlagStone Core does not mitigate against other attacks beyond the scope of the
FIPS 140-2 requirements.




FlagStone Core FIPS 140-2 Security Policy                        3600-SP189 Issue 1.1
                                            © Stonewood
                                               33 of 34
13     Security Rules
13.1   Authentication Attempt Counters

The FlagStone Core limits the number of consecutively failed authentication attempts
for both the User and the Crypto-Officer through the use of two attempt counters
stored in the FlagStone Core NV Store.

Whilst the unit has a valid User created, failure to authenticate with the unit will result in
the User authentication counter being decremented. Once the counter reaches zero
the User will be suspended. The User can be recovered using the Crypto-Officer
Authenticate & Recover User service.

If no valid users are present in the unit, failure to provide the valid Crypto-Officer PAC
code will result in the Crypto-Officer authentication counter being decremented.
Once the counter reaches zero the Purge Unit service will be automatically invoked.

At any point, if a successful authentication attempt is made the respective counter will
be reset to its maximum value.

The current number of authentication attempts remaining can be determined using
the Get Status service.

13.2   Recovery Attempt Counter

The FlagStone Core limits the number of failed recovery attempts within the Crypto-
Officer Authenticate & Recover User service by maintaining a recovery attempt
counter, which is decremented if the Crypto-Officer is authenticated but User
Recovery is not. Once the counter reaches zero, the User is deleted. Whenever a user is
created or recovered then this counter will be reset to its maximum value.

The current number of recovery attempts remaining can be determined by using the
Get Status service.




FlagStone Core FIPS 140-2 Security Policy                                 3600-SP189 Issue 1.1
                                            © Stonewood
                                               34 of 34