FIPS 140-2 Level 2 Security Policy
for FlagStone Core
(Versions V1.0.1.1a, V1.0.1.2a, V1.0.1.3)
Issue: 1.1
This document may be freely reproduced and distributed only in its entirety without revision.
© Stonewood, 2001-2007
www.flagstonesecure.com
� Contents
1 Introduction 5
1.1 Scope 5
1.2 Security Level 6
1.3 Related Documents 6
2 Cryptographic Module Specification 7
2.1 Overview 7
2.2 Modes of Operation 9
3 Module Ports and Interfaces 10
4 Roles, Services, and Authentication 12
4.1 Roles 12
4.2 Services 13
4.3 Authentication 17
5 Finite State Model 19
6 Physical Security 20
7 Operational Environment 21
8 Cryptographic Key Management 22
8.1 Critical Security Parameters 22
8.2 Non Critical Security Parameters 26
8.3 Access Privileges to Critical Security Parameters 27
8.4 Random Number Generator 28
8.5 Key Derivation 28
8.6 Key Generation 28
8.7 Key Entry and Output 28
8.8 Initialisation Vector Generation 28
8.9 Key Storage 28
9 Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC) 29
10 Self-Tests 30
10.1 Power On Self-Tests 31
10.2 Conditional Self-Tests 31
11 Design Assurance 32
11.1 Configuration Management 32
11.2 Delivery and Operation 32
11.3 Development 32
11.4 Guidance Documents 32
12 Mitigation of Other Attacks Policy 33
13 Security Rules 34
13.1 Authentication Attempt Counters 34
13.2 Recovery Attempt Counter 34
Figures
Figure 1 FlagStone Corporate (Parallel ATA) 5
Figure 2 FlagStone Corporate (Serial ATA) 5
Figure 3 FlagStone Freedom 5
Figure 4 FlagStone Core V1.0.1.1a 7
Figure 5 FlagStone Core V1.0.1.2a 7
Figure 6 FlagStone Core V1.0.1.3 7
Figure 7 FlagStone Core Interface Diagram 8
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
2 of 34
� Glossary
AES Advanced Encryption Standard
ATA AT Attachment
CBC Cipher Block Chaining
CRC Cyclic Redundancy Check
CSP Critical Security Parameter
C-O Crypto-Officer
ECB Electronic Code Book
EMC Electro Magnetic Compatibility
EMI Electro Magnetic Interference
FCC Federal Communications Commission
FPGA Field Programmable Gate Array
FIPS Federal Information Processing Standards
HDD Hard Disk Drive
IDE Integrated Drive Electronics
IV Initialisation Vector
KAT Known Answer Test
KCC Key Check Code
MBR Master Boot Record
N/A Not Applicable
NV Non Volatile
OSC Oscillator
PAC Personal Authorisation Code
POST Power on Self-Test(s)
PUB Publication
RAM Random Access Memory
RNG Random Number Generator
SHS Secure Hash Standard
TBA To Be Announced
TBC To Be Confirmed
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
3 of 34
� References
[1] FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Information
Technology Laboratory, National Institute of Standards and Technology,
Gaithersburg, MD 20899-8900
[2] FIPS PUB 197, Specification for the Advanced Encryption Standard (AES),
Information Technology Laboratory, National Institute of Standards and
Technology, Gaithersburg, MD 20899-8900
[3] NIST-Recommended Random Number Generator Based on ANSI X9.31 Appendix
A.2.4. Using the 3-Key Triple DES and AES Algorithms, January 31, 2005, Sharon S.
Keller
[4] AT Attachment with Packet Interface 7, Volume 1 Register Delivered
Command Set, Logical Register Set, ANSI NCITS 397-2005 (Vol. 2), American
National Standards Institute, Inc., 25 West 43rd Street, New York, NY 10036, USA
[5] FlagStone (Corporate FIPS 140-2) Security Specification, Stonewood Document
Number 3600-SS187
[6] FlagStone (FIPS 140-2) Hardware Design Description (for FlagStone Core
V1.0.1.x), Stonewood Document Number 3620-DD089
[7] Flagstone Corporate (FIPS 140-2) User Guide(s)
[8] FlagStone Freedom (FIPS 140-2) User Guide(s)
[9] QP200 Product Development, Stonewood Quality Process
[10] QP500 Customer Interface, Stonewood Quality Process
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
4 of 34
�1 Introduction
1.1 Scope
This security policy applies to the FIPS 140-2 validated cryptographic module deployed
within Flagstone Corporate and FlagStone Freedom Drives referred to as the FlagStone
Core. This document has been written based on the requirements specified in Ref. [1].
Whilst the FlagStone Core is provided as three physical embodiments, V1.0.1.1a,
V1.0.1.2a & V1.0.1.3, the security functionality is identical for all three. The following
table indicates which embodiment is used in each FlagStone Corporate and FlagStone
Freedom Drive.
Drive FlagStone Core
FlagStone Corporate (Parallel ATA Interface) V1.0.1.1a
FlagStone Corporate (Serial ATA Interface) V1.0.1.2a
FlagStone Freedom V1.0.1.3
The following are images of FlagStone Corporate and FlagStone Freedom Drives
containing the FIPS 140-2 validated FlagStone Core. Further information on the
FlagStone Range can be found on www.flagstonesecure.com
Figure 1 FlagStone Corporate (Parallel ATA) Figure 2 FlagStone Corporate (Serial ATA)
Figure 3 FlagStone Freedom
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
5 of 34
�1.2 Security Level
Security Requirements Section Level
Cryptographic Module Specification 2
Cryptographic Module Ports and Interfaces 2
Roles, Services, and Authentication 2
Finite State Model 2
Physical Security 3
Operational Environment N/A
Cryptographic Key Management 2
Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) 3
Self-Tests 2
Design Assurance 3
Mitigation of Other Attacks N/A
1.3 Related Documents
· Finite State Model, Ref. [5]
· Cryptographic Boundary, Ref. [6]
· Supported ATA Commands, Ref. [5]
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
6 of 34
�2 Cryptographic Module Specification
2.1 Overview
The FlagStone Core is a multi-chip embedded cryptographic module used within the
FlagStone Corporate and the FlagStone Freedom Drives.
Figure 4 FlagStone Core V1.0.1.1a Figure 5 FlagStone Core V1.0.1.2a
Figure 6 FlagStone Core V1.0.1.3
The FlagStone Core and subsequently the FlagStone Drives utilising the FlagStone Core
provide access control and data encryption services to protect access to data stored
on a HDD (Hard Disk Drive). All accessible sectors on a HDD connected to a FlagStone
Core are encrypted.
The FlagStone Core authentication services and security functions can only be
accessed through the use of ATA disk reads and ATA disk writes.
Once authenticated, data can be read and written to the connected HDD just like a
normal HDD. Data written to the HDD is automatically encrypted prior to writing the
data to the HDD; data read from the HDD is automatically decrypted prior to returning
the data to the host.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
7 of 34
�Prior to authentication, ATA disk reads and ATA disk writes are entirely handled
internally within the FlagStone Core. Specifically ATA disk reads will return FlagStone
Core status information and disk writes, when targeted at the correct sector number,
will invoke the authentication services within the FlagStone Core.
It is expected that most users will use an external application to communicate with the
FlagStone Core's ATA disk read/write (plain text) interface prior to Authentication. To
avoid the need for users to write their own applications, FlagStone applications are
provided with the FlagStone Corporate and FlagStone Freedom Drives. Since these
applications are not part of the FlagStone Core, they are not covered by this
document. Details of these applications can be found in the user guide for the relevant
FlagStone Corporate and FlagStone Freedom Drive.
The FlagStone applications are provided on Optical Media and embedded within the
FlagStone Corporate and FlagStone Freedom Drives. When embedded, the
application itself may be sourced from within the FlagStone Core prior to
authentication through the use of ATA disk reads. The reading of the application has
no effect on the functionality of the FlagStone Core. Since these applications are not
part of the FlagStone Core, they are not covered by this document.
Figure 7 FlagStone Core Interface Diagram provides a pictorial representation of the
interfaces to the FlagStone Core. Since the FlagStone Core is an embedded
cryptographic module, the cryptographic boundary highlighted is not representative
of the entire FlagStone module.
Power
Interface
Advance Power FlagStone
Fail Warning (PF)
Core
EHIReset CHIReset
ATA Bus On
PATA Bus PATA Bus
(Plain text) (Cipher)
To HDD
ATA Links
FIPS 140-2
Cryptographic
Boundary MBR
Store
Figure 7 FlagStone Core Interface Diagram
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
8 of 34
�Note: The MBR Store contains an external application that can be executed on a host
processor to facilitate communication with the FlagStone Core's ATA disk read/write
interface during the authentication process. No part of this application can run on, or
alter the configuration of any of the FlagStone Core hardware. This application has no
access to any additional port than is accessible by any other software application that
can operate on the host processor.
2.2 Modes of Operation
The FlagStone Core can only operate in a FIPS-approved mode of operation.
The FlagStone Core implements the following FIPS-approved algorithms:
· 128-bit AES CBC Mode for full disk data encryption.
· 128-bit AES ECB Mode for Crypto-Officer authentication.
· ANSI X9.31 AES 128 bit RNG for internal Key and IV generation.
The FlagStone Core does not implement any non FIPS -Approved security functions.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
9 of 34
�3 Module Ports and Interfaces
The following table provides a brief description of the physical interfaces to the
FlagStone Core. The interfaces specified can be seen in Figure 7 FlagStone Core
Interface Diagram. Further details on these interfaces can be found in Ref. [6].
Physical Interface Description
PATA Bus (Plain text) The primary interface for the reception of ATA commands,
plaintext data and authentication service requests from the
external host ATA controller, and the primary interface for the
transmission of data, status information and ATA transfer requests
to the external host ATA controller.
PATA Bus (Cipher) The primary interface for the transmission of ATA commands and
enciphered data to the HDD and the primary interface for the
reception of ATA transfer requests and enciphered data from
the HDD.
Power Interface Provides power to the FlagStone Core.
Advance Power Fail Provides a control signal from the local power supply to indicate
Warning (PF) the imminent loss of power.
ATA Bus On Provides a status signal to indicate when the FlagStone Core
PATA Bus (Plain text) is available for use.
EHIReset Provides a status signal to indicate when the FlagStone Core is
performing a reset of its PATA Bus (Plain text) interface.
CHIReset Provides a status signal to indicate when the FlagStone Core is
performing a reset of its PATA Bus (Cipher) interface.
ATA Links Provided to allow configuration of the ATA interface within the
FlagStone Core including master / slave and cable select
options present on Parallel ATA HDDs.
The following table details the mapping of the physical interfaces summarised above
to the FIPS 140-2 Logical Interfaces.
FIPS 140-2 Logical Physical Interface
Interfaces
Data Input Interface PATA Bus (Plain text), PATA Bus (Cipher)
Data Output Interface PATA Bus (Plain text), PATA Bus (Cipher)
Control Input Interface PATA Bus (Plain text), PATA Bus (Cipher),
Advance Power Fail Warning (PF), ATA Links
Status Output Interface PATA Bus (Plain text), PATA Bus (Cipher),
ATA Bus On, EHIReset, CHIReset
Power Port Power Interface
The PATA Bus (Plain text) provides logical separation between its Data Input, Data
Output, Control Input and Status Output interfaces through the use of the ATA Protocol
and the Flagstone Core's Finite State Machine.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
10 of 34
�The PATA Bus (Cipher) provides logical separation between its Data Input, Data
Output, Control Input and Status Output interfaces through the use of the ATA Protocol.
A description of the ATA command set supported by the FlagStone Core is detailed in
Ref. [5]. Details of the ATA protocol can be found in Ref. [4].
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
11 of 34
�4 Roles, Services, and Authentication
4.1 Roles
The FlagStone Core supports the two roles mandated by FIPS PUB 140-2 (Ref. [1]),
namely Crypto-Officer and User. The FlagStone Core only supports a single session,
therefore only one of the roles may be active at any given point.
The following table details the roles:
Role Description
Crypto- The Crypto-Officer is responsible for User account management.
Officer
The Crypto-Officer can:
· Create a User.
· Delete a User.
· Recover a User, should a User have been suspended as the result of 5
consecutive failed User authentications.
· Change the Recovery and User authentication parameters
Completion of User account management always results in the Crypto-
Officer being automatically logged out. Furthermore, if a User has been
successfully created/recovered, the User is always automatically logged in.
User The User will utilise the connected HDD for secure data storage.
Once a User has been authenticated, the data key is loaded into the
encryption / decryption path and the User has access to the data encryption
/decryption services. ATA disk read/write data commands will automatically
utilise the data encryption/decryption services provided by the FlagStone
Core.
Furthermore the User is also capable of changing their authentication
parameter and logging out from the device.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
12 of 34
�4.2 Services
The following table details the services offered to valid operators based on their role.
Role Service Description
Crypto- Crypto-Officer This service allows the Crypto-Officer to authenticate them self,
Officer Authenticate create a User and generate CSPs for the AES Algorithm.
& Create User
Optionally, the Crypto-Officer can also elect to change the User
authentication parameter, thus ensuring that the recovery and
current User authentication parameters are different.
The FlagStone Core will first authenticate the Crypto-Officer. If
unsuccessful the FlagStone Core will immediately terminate the
service and inhibit any further operation from occurring, until power
cycled.
If successful, the FlagStone Core will check that there is no User
present. If a User is present, an invalid Crypto-Officer Service Request
will be reported and the Crypto-Officer will be automatically logged
out.
If there is no user present, the FlagStone Core will create a User by
generating
· the User authentication parameter CSPs, (current and
recovery) from the User authentication parameter received
· the User's Data Key and Initialisation Vector using the FIPS
approved RNG, initialised with Date/Time received
In the event the FIPS approved RNG reports a Continuous Self-Test
error, the Crypto-Officer will be automatically logged out without
creating the User.
Once the User has been created, if the Crypto-Officer has elected
to change the User authentication parameter, the FlagStone Core
will regenerate and store the current User authentication parameter
CSP using the received updated User authentication parameter.
Finally, the FlagStone Core will automatically log out the Crypto-
Officer, initialise the AES Algorithm with the Data Key and
Initialisation Vector, and log in the User.
Crypto-Officer This service allows the Crypto-Officer to authenticate them self and
Authenticate delete a User.
& Delete User
The FlagStone Core will first authenticate the Crypto-Officer. If
unsuccessful the FlagStone Core will immediately terminate the
service and inhibit any further operation from occurring, until power
cycled.
If successful, the User will be deleted and the User CSPs will be
zeroised. Once completed, the Crypto-Officer will be automatically
logged out.
Note, this service is available when there is a suspended User
present and when there is no User present.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
13 of 34
� Role Service Description
Crypto- Crypto-Officer This service allows the Crypto-Officer to authenticate them self and
Officer Authenticate recover a suspended User.
& Recover User
Optionally, the Crypto-Officer can also elect to change the current
and/or recovery User authentication parameters.
The FlagStone Core will first authenticate the Crypto-Officer. If
unsuccessful the FlagStone Core will immediately terminate the
service and inhibit any further operation from occurring, until power
cycled.
If successful, the FlagStone Core will check that there is a suspended
User present. If there is no User present, an invalid Crypto-Officer
Service Request will be reported and the Crypto-Officer will be
automatically logged out.
If there is a suspended User present, the FlagStone Core will
authenticate the recovery of the User using the User authentication
parameter received. In the event the recovery was unsuccessful,
the Crypto-Officer will be automatically logged out.
Providing the recovery authentication is successful the FlagStone
Core will copy the recovery User authentication parameter CSP to
the current User authentication parameter CSP.
Thereafter, if the Crypto-Officer has elected to change the current
and/or recovery User authentication parameter, the FlagStone Core
will regenerate and store the appropriate User authentication
parameter CSPs using the received updated User authentication
parameter.
Finally, the FlagStone Core will automatically log out the Crypto-
Officer, initialise the AES Algorithm with the Data Key and
Initialisation Vector, and log in the (recovered) User.
Note, there is a limit to the number of unsuccessful User recovery
authentications permitted. After 15 unsuccessful User recovery
authentications the User will be automatically deleted and the User
CSPs will be automatically zeroised.
Logout This is an implicit service that is invoked by removing power.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
14 of 34
� Role Service Description
User User This service allows the user to authenticate them self.
Authenticate
The FlagStone Core will attempt to authenticate the User. If
successful the FlagStone Core will initialise the AES Algorithm with the
Data Key and Initialisation Vector and log in the User.
User This service allows the user to authenticate them self and change
Authenticate their authentication parameter.
& Change
Authentication The FlagStone Core will attempt to authenticate the User. If
Parameter successful the FlagStone Core will regenerate and store the current
User authentication parameter CSP using the received updated
User authentication parameter, initialise the AES Algorithm with the
Data Key and Initialisation Vector and log in the User.
Encrypt & Write Given a block of data, this service encrypts the data with AES-128 in
Data to HDD CBC mode using the User's Data Key and Initialisation Vector. The
resulting cipher text is then written to the HDD using an ATA disk
write.
This service is initiated by the host performing an ATA disk write.
This service is available only after authentication.
Read & This service returns plaintext from the enciphered HDD by performing
Decrypt Data an ATA disk read from the HDD, and decrypting the retrieved
from HDD (cipher text) data with AES-128 in CBC mode using the User's Data
Key and Initialisation Vector.
The service is initiated by the host PC performing an ATA disk read.
The resulting plaintext is returned to the host using the appropriate
ATA response.
This service is available only after authentication.
Logout This is an implicit service that is invoked by removing power.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
15 of 34
�The following table details the services that do not require the authentication of an
operator:
Service Description
Read MBR Prior to authentication, ATA disk reads to specific sectors will
Store return a buffer of data sourced from the FlagStone Core's MBR
store.
This service will provide an application that can be executed
externally on the host connected to the FlagStone Core. This
application can be used to allow users to communicate with the
FlagStone Core's ATA disk read/write interface prior to
Authentication.
Supported This service processes the set of ATA commands that are
ATA supported by the FlagStone Core but do not involve
commands cryptographic/access control operations. These commands are
non crypto processed in accordance with Ref. [4]. The responses given are
those that would be expected for a standard HDD. These
commands do not output user data.
Unsupported This service handles the set of ATA commands that the FlagStone
ATA Core does NOT support. In accordance with Ref. [4], these
commands commands are aborted.
Run Self-Test Following power up the FlagStone Core will perform a number of
Self-Tests to ensure correct operation of the device.
The service is invoked automatically by the power-up of the
FlagStone Core.
Get Status This service provides the current status of the FlagStone Core,
including the results of self-tests.
Status data is output as a sector of data prior to authentication
and can be read using an ATA disk read.
Suspend User This service is an implicit service that is invoked by deliberately
performing 5 consecutive user authentications using an incorrect
User Authentication Parameter.
Purge Unit This service zeroises all CSPs from the FlagStone Core including
those injected during manufacture. Following the activation of
this service neither the Crypto-Officer nor User will be able to
authenticate with the FlagStone Core.
This service can be invoked by performing 5 consecutive invalid
Crypto-Officer authentication attempts.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
16 of 34
�4.3 Authentication
The FlagStone Core module uses role-based authentication to facilitate access to
cryptographic services. Re-authentication is required following a power cycle of the
FlagStone Core module. The following table summarises the authentication inputs.
Role Mechanism
Crypto-Officer 128 bit factory programmed value
User Generation of a CRC32 from the received 256-bit user
authentication parameter, followed by an equality test of the
generated CRC32 and the Current User Authentication Parameter
KCC stored within the FlagStone Core.
Note: The values described in this document are the authentication parameters
received by the FlagStone Core. It is expected that most users will use an external
application to capture and collate these parameters. The FlagStone Range provides a
selection of external applications that users may use to facilitate capture of these
parameters. Further details can be found in the respective Flagstone User Guides (Refs.
[7] & [8]).
4.3.1 Crypto-Officer Authentication
The FlagStone Core limits the number of consecutive failed Crypto-Officer
authentication attempts. Following each failed attempt the FlagStone Core requires
power cycling before another attempt to authenticate can be made.
The Crypto-Officer is authenticated by using the Crypto-Officer PAC as the input to a
128bit AES Known Answer Test; the probability of a false acceptance is therefore 1 in
2128.
Probability of false accept
1 in 3.40x1038
The FlagStone Core limits the number of Crypto-Officer authentication attempts to five,
see Security Rules section 13 for details. All five attempts may be completed within one
minute; on the 5th failure the purge unit service is automatically invoked.
Probability of false accept in 1 minute
1 in 6.81x1037
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
17 of 34
�4.3.2 User Authentication
User authentication is performed by generating a CRC32 from the received user
authentication parameter, followed by an equality test of the generated CRC32 and
the Current User Authentication Parameter KCC. Since false acceptance of a User is
based on a comparison of a 32-bit CRC, the probability of a false acceptance is
therefore 1 in 232.
Probability of false accept
1 in 4.29x109
The FlagStone Core limits the number of User authentication attempts to five, see
Security Rules section 13 for details. Following this only Crypto-Officer authentication is
offered, where by the Crypto-Officer PAC needs to be entered. In the worst case
scenario, the Crypto-Officer PAC is known enabling 15 attempts to recover the user.
User recovery authentication is performed by generating a CRC32 from the received
user authentication parameter, followed by an equality test of the generated CRC32
and the Recovery User Authentication Parameter KCC. Since this is based on a
comparison of a 32-bit CRC, the probability of a false acceptance is 1 in 232, i.e. the
same as for User authentication.
Consequently, in this worst case scenario this provides a total of 20 attempts (5 user
plus 15 recovery authentication attempts), all of which can be completed within one
minute.
Probability of false accept in 1 minute
1 in 2.15x108
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
18 of 34
�5 Finite State Model
The Finite State Model for the FlagStone Core is specified in Ref. [5].
All states required for a FIPS 140-2 validation, including Power On / Off states, Crypto
Officer states, CSP Entry states, User states, Self-Test states and Error states have been
included in the Finite State Model.
The FlagStone Core contains no Bypass States and no Maintenance States.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
19 of 34
�6 Physical Security
The FlagStone Core is a multi-chip embedded cryptographic module that meets FIPS
140-2 Level 3 for physical security. The FlagStone Core is potted with a hard epoxy resin
that is opaque within the visible spectrum.
There are no access points to the FlagStone Core and there is no maintenance mode.
Damage to the epoxy resin is indicative of a potential violation of the physical security
of the FlagStone Core. Damage to the FlagStone Core may be recognised as serious
scratching, filing or drilling into the epoxy resin. Visibility of the circuit-board or any
chips within the potted boundary may also be indicative of an unauthorised attempt
at physical access or a unit not suitable for use.
Use of the epoxy resin ensures that attempts to penetrate the FlagStone Core will
cause serious damage to the module and it will cease to function correctly, therefore
an unauthorised attempt at physical access may also be determined if the module
begins functioning abnormally, Power On Self-Tests fail, Continuous RNG Self-Test fails or
it is Unusable.
Stonewood recommends that customers ensure themselves that the FlagStone Drive
has not been tampered with when they first receive it. If the FlagStone Drive is
received embedded within a host (e.g. a laptop or PC) the user is recommended to
remove the FlagStone Drive and inspect it prior to first use.
Furthermore, Stonewood recommends that customers inspect the Flagstone Drive if it is
suspected that it may have been in the possession of an unauthorised individual, e.g. if
the FlagStone Drive is lost and subsequently found.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
20 of 34
�7 Operational Environment
The FlagStone Core module does not contain a modifiable operational environment
and thus the Operational Environment requirements of FIPS PUB 140-2 (Ref. [1]) are not
applicable.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
21 of 34
�8 Cryptographic Key Management
8.1 Critical Security Parameters
8.1.1 FlagStoneTMID
The FlagStoneTMID is generated using a FIPS validated SHS based RNG from FIPS 186-2,
and injected into the FlagStone Core NV Store during unit manufacture.
The FlagStoneTMID is used for authentication of the Crypto-Officer PAC, and is a fixed
value.
Type: AES-128 Key
Storage: FlagStone Core NV Store (Constants)
Zeroisation: Purge Unit service
8.1.2 FlagStoneTMID Schedule
The FlagStoneTMID Schedule is a set of AES Round Keys computed from the
FlagStoneTMID CSP during the Crypto-Officer Authenticate & Create User service, the
Crypto-Officer Authenticate & Delete User service and the Crypto-Officer Authenticate
& Recover User service. These values are computed in accordance with the key
schedule computation specified in the FIPS 197 Advanced Encryption Standard (AES).
The FlagStoneTMID Schedule is used by the AES Algorithm to authenticate the Crypto-
Officer (section 4.3.1).
Type: AES-128 Round Keys
Storage: FPGA-RAM
Zeroisation: Logout service
8.1.3 Data Key
The Data Key is generated during the Crypto-Officer Authenticate & Create User
service using the FlagStone Core FIPS approved RNG. The result of the operation is
stored in the FlagStone Core NV Store.
The Data Key is used to generate the Data Key Schedule used for
encrypting/decrypting data to/from the connected HDD during the Encrypt & Write
Data to HDD service and the Read & Decrypt Data from HDD service.
Type: AES-128 Key
Storage: FlagStone Core NV Store (Variables)
Zeroisation: Purge Unit service and immediately following User deletion
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
22 of 34
�8.1.4 Data Key Schedule
The Data Key Schedule is a set of AES Round Keys computed from the Data Key CSP,
during the Crypto-Officer Authenticate & Create User service, the Crypto-Officer
Authenticate & Recover User service, the User Authenticate service and the User
Authenticate & Change Authentication Parameter service. These values are
computed in accordance with the key schedule computation specified in the FIPS 197
Advanced Encryption Standard (AES).
The Data Key Schedule is used by the AES Algorithm to encrypt/decrypt data to/from
the connected HDD during the Encrypt & Write Data to HDD service and the Read &
Decrypt Data from HDD service.
Type: AES-128 Round Keys
Storage: FPGA-RAM
Zeroisation: Logout service
8.1.5 Recovery User Authentication Parameter KCC
The Recovery User Authentication Parameter KCC is generated from the User
Authentication Parameter during the Crypto-Officer Authenticate & Create User
service and can be generated from the Updated User Authentication Parameter
during the Crypto-Officer Authenticate & Recover User service. It is the result of a
CRC32 calculation of the appropriate User authentication parameter and is stored in
the FlagStone Core NV Store.
The Recovery User Authentication Parameter KCC is used during the Crypto-Officer
Authenticate & Recover User service for authenticating the User's recovery
authentication parameter.
Type: 32-bit CRC
Storage: FlagStone Core NV Store (Variables)
Zeroisation: Purge Unit service and immediately following User deletion
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
23 of 34
�8.1.6 Current User Authentication Parameter KCC
The Current User Authentication Parameter KCC is generated from the User
Authentication Parameter during the Crypto-Officer Authenticate & Create User
service, is generated from the Updated User Authentication Parameter during the User
Authenticate & Change Authentication Parameter service and can also be generated
from the Updated User Authentication Parameter during the Crypto-Officer
Authenticate & Recover User service. It is the result of a CRC32 calculation of the
appropriate User authentication parameter and is stored in the FlagStone Core NV
Store.
The Current User Authentication Parameter KCC is used during the User Authenticate
service and the User Authenticate & Change Authentication Parameter service for
authenticating the User's authentication parameter.
Type: 32-bit CRC
Storage: FlagStone Core NV Store (Variables)
Zeroisation: Purge Unit service and immediately following User deletion
8.1.7 RNG Seed
The RNG Seed is generated at the same time as the RNG Seed Key, see Section 8.1.8,
using a FIPS validated SHS based RNG from FIPS 186-2, and injected into the FlagStone
Core NV Store during unit manufacture. Prior to injection, the generating software
compares the RNG Seed and the RNG Seed Key and verifies that they are not the
same.
The RNG Seed is used by FlagStone Core's FIPS approved RNG and is a fixed value.
Type: 128-bit value
Storage: FlagStone Core NV Store (Constants)
Zeroisation: Purge Unit service
8.1.8 RNG Seed Key
The RNG Seed Key is generated at the same time as the RNG Seed, see Section 8.1.7,
using a FIPS validated SHS based RNG from FIPS 186-2, and injected into the FlagStone
Core NV Store during unit manufacture. Prior to injection, the generating software
compares the RNG Seed and the RNG Seed Key and verifies that they are not the
same.
The RNG Seed Key is used by FlagStone Core's FIPS approved RNG and is a fixed value.
Type: AES-128 Key
Storage: FlagStone Core NV Store (Constants)
Zeroisation: Purge Unit service
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
24 of 34
�8.1.9 RNG Seed Key Schedule
The RNG Key Schedule is a set of AES Round Keys computed from the RNG Seed Key
CSP once a Crypto-Officer has been authenticated during the Crypto-Officer
Authenticate & Create User service. These values are computed in accordance with
the key schedule computation specified in the FIPS 197 Advanced Encryption
Standard (AES).
The RNG Key Schedule is used by the RNG's AES Algorithm when generating random
numbers.
Type: AES-128 Round Keys
Storage: FPGA-RAM
Zeroisation: Logout service and immediately following successful User creation
8.1.10 User Authentication Parameter
An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Recover User service, the User Authenticate
service and the User Authenticate & Change Authentication Parameter service.
This is a transient value and is never persistently stored within the FlagStone Core.
Type: 256-bit value
Storage: FPGA-RAM (during authentication only)
Zeroisation: N/A
8.1.11 Updated User Authentication Parameter
An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Recover User service, and the User
Authenticate & Change Authentication Parameter service.
This is a transient value and is never persistently stored within the FlagStone Core.
Type: 256-bit value
Storage: FPGA-RAM (during authentication only)
Zeroisation: N/A
8.1.12 Crypto-Officer PAC
An externally sourced value used during the Crypto-Officer Authenticate & Create User
service, the Crypto-Officer Authenticate & Delete User service, and the Crypto-Officer
Authenticate & Recover User service.
The Crypto-Officer PAC is a transient value and is never persistently stored in the
FlagStone Core.
Type: 128-bit value
Storage: FPGA-RAM (during authentication only)
Zeroisation: N/A
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
25 of 34
�8.2 Non Critical Security Parameters
8.2.1 Initialisation Vector
The Initialisation Vector is generated during the Crypto-Officer Authenticate & Create
User service using the FlagStone Core FIPS approved RNG. The result of the operation is
stored in the FlagStone Core NV Store.
The Initialisation Vector is used by the AES Algorithm for CBC encrypting/decrypting
data to/from the connected HDD during the Encrypt & Write Data to HDD service and
the Read & Decrypt Data from HDD service.
Type: 128-bit value
Storage: FlagStone Core NV Store (Variables)
Zeroisation: Purge Unit service and immediately following User deletion
8.2.2 RNG Date/Time
An externally sourced value used during the Crypto-Officer Authenticate & Create User
service.
The RNG Date/Time is a transient value and is never persistently stored in the FlagStone
Core.
Type: 128-bit value
Storage: FPGA-RAM (during authentication only)
Zeroisation: N/A
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
26 of 34
�8.3 Access Privileges to Critical Security Parameters
CSP Role Service Access
FlagStoneTMID Crypto-Officer Crypto-Officer Authenticate & Create User Read
Crypto-Officer Authenticate & Delete User Read
Crypto-Officer Authenticate & Recover User Read
No Role Purge Unit Zeroise
FlagStoneTMID Crypto-Officer Crypto-Officer Authenticate & Create User Write
Schedule Crypto-Officer Authenticate & Delete User Write
Crypto-Officer Authenticate & Recover User Write
Logout Zeroise
Data Key Crypto-Officer Crypto-Officer Authenticate & Create User Read/Write
Crypto-Officer Authenticate & Delete User Zeroise
Crypto-Officer Authenticate & Recover User Read
User User Authenticate Read
User Authenticate & Change Authentication Read
Parameter
No Role Purge Unit Zeroise
Data Key Crypto-Officer Crypto-Officer Authenticate & Create User Write
Schedule Crypto-Officer Authenticate & Recover User Write
Logout Zeroise
User User Authenticate Write
User Authenticate & Change Authentication Write
Parameter
Encrypt & Write Data to HDD Read
Read & Decrypt Data from HDD Read
Logout Zeroise
Recovery User Crypto-Officer Crypto-Officer Authenticate & Create User Write
Authentication Crypto-Officer Authenticate & Delete User Zeroise
KCC Crypto-Officer Authenticate & Recover User Read/Write
No Role Purge Unit Zeroise
Current User Crypto-Officer Crypto-Officer Authenticate & Create User Write
Authentication Crypto-Officer Authenticate & Delete User Zeroise
KCC Crypto-Officer Authenticate & Recover User Write
User User Authenticate Read
User Authenticate & Change Authentication Read/Write
Parameter
No Role Purge Unit Zeroise
RNG Seed Crypto-Officer Crypto-Officer Authenticate & Create User Read
No Role Purge Unit Zeroise
RNG Seed Key Crypto-Officer Crypto-Officer Authenticate & Create User Read
No Role Purge Unit Zeroise
RNG Seed Key Crypto-Officer Crypto-Officer Authenticate & Create User Write/Zeroise
Schedule Logout Zeroise
User Crypto-Officer Crypto-Officer Authenticate & Create User Read
Authentication Crypto-Officer Authenticate & Recover User Read
Parameter User User Authenticate Read
User Authenticate & Change Authentication Read
Parameter
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
27 of 34
� CSP Role Service Access
Updated User Crypto-Officer Crypto-Officer Authenticate & Create User Read
Authentication Crypto-Officer Authenticate & Recover User Read
Parameter User User Authenticate & Change Authentication Read
Parameter
Crypto-Officer Crypto-Officer Crypto-Officer Authenticate & Create User Read
PAC Crypto-Officer Authenticate & Delete User Read
Crypto-Officer Authenticate & Recover User Read
8.4 Random Number Generator
The FlagStone Core contains a FIPS approved Deterministic Random Number
Generator based on ANSI X9.31 Appendix A.2.4 Using the AES 128 bit Algorithm, Ref.
[3]. The Seed and Seed Key are held secret and are never released from the FlagStone
Core.
8.5 Key Derivation
There are no Key Derivation techniques employed by the FlagStone Core.
8.6 Key Generation
The FlagStone Core contains an approved AES security function that requires a single
key, the Data Key, which is generated each time a User is created. The FlagStone Core
uses a FIPS 140-2 approved internal key generation technique to generate the key
using the random number generator detailed in section 8.4.
8.7 Key Entry and Output
No keys are entered into the FlagStone Core after manufacture. Only the date/time
and the authentication CSPs can be entered from an external source once the
FlagStone Core has been potted in the hard opaque epoxy resin.
All CSPs are loaded into the FlagStone Core in plaintext form, both during manufacture
and during normal operation.
Keys cannot be exported from the FlagStone Core in any form.
8.8 Initialisation Vector Generation
The FlagStone Core contains an approved AES security function that requires a single
IV, the Initialisation Vector, which is generated each time a User is created. The
FlagStone Core uses a FIPS 140-2 approved internal IV generation technique to
generate the IV using the random number generator detailed in section 8.4.
8.9 Key Storage
The FlagStone Core stores all keys in plain text form.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
28 of 34
�9 Electromagnetic Interference / Electromagnetic Compatibility
(EMI/EMC)
The FlagStone Core has been tested and meets applicable Federal Communications
Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic
Compatibility (EMC) requirements as defined in Subpart B of FCC Part 15, (Class B for
home use).
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
29 of 34
�10 Self-Tests
The FlagStone Core performs self-tests during its power-on sequence and on demand
to ensure all security critical functions are functioning correctly. Two types are
implemented, Power On Self-Tests (section 10.1), which are performed when the
FlagStone Core is powered up, and Conditional Self-Tests (section 10.2), which are
performed when ever the relevant security function is invoked.
The status of Self-Tests can be retrieved, via the status output interface, using the Get
Status service. This service returns a set of Self-Test Boolean Flags, as shown in the table
below, which indicates whether the Self-Test(s) have passed or failed. A Self-Test Flag
that represents more than one Self-Test result, e.g. Red ATA Controller, will indicate
passed only if all Self-Tests grouped for that particular Self-Test Flag have passed.
Self-Test Boolean Flag Self-Test Type Reports overall result for:
Red ATA Controller Power On Self-Test 1. ATA Bus On Signal Test
2. Status Input Test
Non Volatile Store Power On Self-Test 1. Non-volatile store variable Test
2. Non-volatile store constants Test
Key Manager Power On Self-Test 1. Cryptographic Algorithm Test
2. RNG KAT Test
Black ATA Controller Power On Self-Test 1. Hardware Integrity Check
RNG Status Conditional Self-Test 1. Continuous RNG Test
In addition to the Self-Test Flags, the Get Status service will return a general boolean
"Error" flag. This "Error" flag is set to error state when any Self-Test has failed else it is set
to no error state.
The Self-Tests results will be available once all the Power On Self-Test routines have
been completed.
If an external application supplied with FlagStone/FlagStone Freedom is being used,
then retrieval of the Self-Test results using the Get Status service is performed
automatically. When an error is detected the external application will display an error
message with the appropriate error code (refer to the relevant User Guides, Refs. [7] &
[8], for further information).
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
30 of 34
�10.1 Power On Self-Tests
The following table details the tests performed by the FlagStone Core during the
power-on sequence. The Power On Self-Tests can only be initiated on demand by
power cycling.
Power On Description
Self-Test
ATA Bus On Signal Ensures that the ATA Bus On signal can be switched on and off.
Non-volatile store The FlagStone Core NV Store holds two copies of variable data to
variable Test ensure that if a power-down event occurs during an update at
least one copy is valid. This test fails if both the primary and
secondary copies fail CRC32 verification. A failure of this kind will
render the unit permanently in-operable by automatically
invoking the Purge Unit service, see section 4.2 for service details.
Non-volatile store This test fails if the system constants fail a CRC32 verification.
constants Test
Cryptographic Performs a 128-bit KAT test on the encrypt and decrypt path of
Algorithm Test the AES Algorithm.
RNG KAT Test Performs a KAT test on the X9.31 AES 128 bit RNG.
Hardware Integrity Ensures that communications can occur between the FlagStone
Check Core and the connected HDD and ensures that the HDD has
passed its own Self-Test.
Static Input Test This ensures that the static input configuration pins have been
configured correctly.
10.2 Conditional Self-Tests
The following table details the conditional test performed by the FlagStone Core; it is
performed each time the security function is invoked.
Conditional Description
Self-Test
Continuous This conditional Self-Test ensures that the RNG security function
RNG Test does not generate two identical numbers in succession. In the
event this conditional test fails, the FlagStone Core will inhibit all
authentication services and security functions until power is cycled.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
31 of 34
�11 Design Assurance
11.1 Configuration Management
All elements of the FlagStone Core, including hardware and documentation are
revision controlled according to Stonewood Electronics Ltd ISO 9001:2000 accredited
quality management system.
All documents are assigned unique document numbers and subsequently version
controlled using issues numbers of the form: 3600-SP189 Issue 1.0. Document numbers
are formed by the project code, followed by the document type and a unique one-up
value for the remainder of the document number.
All hardware components are assigned individual part numbers and issue characters of
the form: 600051-P12 Issue A.
Details of the Stonewood Electronics Quality Process for product development are
documented in Ref. [9].
11.2 Delivery and Operation
The FlagStone Core is manufactured and integrated into FlagStone Corporate and
FlagStone Freedom Drives within the same secure environment and does not leave the
secure environment prior to the FlagStone Core being potted in the hard opaque
epoxy resin.
Once integrated into the FlagStone Drive, it will be shipped via courier. The delivery
process is detailed in the Stonewood Electronics Ltd ISO 9001:2000 accredited Quality
Management System and documented in Ref. [10].
11.3 Development
All elements of the FlagStone Core are developed in accordance with the Stonewood
Electronics Ltd. ISO 9001:2000 accredited Quality Management System and
documented in Ref. [9].
All documentation required for the FIPS accreditation of the FlagStone Core has been
submitted for FIPS validation including PCB layouts, schematics, source code and
specifications. Ref. [5] provides the functional specification of the FlagStone Core.
All FPGA code has been written in a high-level description language.
11.4 Guidance Documents
A combination of the relevant FlagStone User Guides (Ref. [7] for FlagStone Corporate
and Ref. [8] for FlagStone Freedom) and this document provide all the guidance
required for a Crypto-Officer and a User of the FlagStone Core. This Security Policy and
the relevant user guide will be supplied on CD supplied with the end-product.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
32 of 34
�12 Mitigation of Other Attacks Policy
The FlagStone Core does not mitigate against other attacks beyond the scope of the
FIPS 140-2 requirements.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
33 of 34
�13 Security Rules
13.1 Authentication Attempt Counters
The FlagStone Core limits the number of consecutively failed authentication attempts
for both the User and the Crypto-Officer through the use of two attempt counters
stored in the FlagStone Core NV Store.
Whilst the unit has a valid User created, failure to authenticate with the unit will result in
the User authentication counter being decremented. Once the counter reaches zero
the User will be suspended. The User can be recovered using the Crypto-Officer
Authenticate & Recover User service.
If no valid users are present in the unit, failure to provide the valid Crypto-Officer PAC
code will result in the Crypto-Officer authentication counter being decremented.
Once the counter reaches zero the Purge Unit service will be automatically invoked.
At any point, if a successful authentication attempt is made the respective counter will
be reset to its maximum value.
The current number of authentication attempts remaining can be determined using
the Get Status service.
13.2 Recovery Attempt Counter
The FlagStone Core limits the number of failed recovery attempts within the Crypto-
Officer Authenticate & Recover User service by maintaining a recovery attempt
counter, which is decremented if the Crypto-Officer is authenticated but User
Recovery is not. Once the counter reaches zero, the User is deleted. Whenever a user is
created or recovered then this counter will be reset to its maximum value.
The current number of recovery attempts remaining can be determined by using the
Get Status service.
FlagStone Core FIPS 140-2 Security Policy 3600-SP189 Issue 1.1
© Stonewood
34 of 34
�