Date of Issue: 2015/03/30 Canon MFP Security Chip FIPS 140-2 Security Policy Version 1.06 2015/03/30 Canon Inc. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 1 Date of Issue: 2015/03/30 Table of Contents 1 Introduction ........................................................................................................................... 4 1.1 Reference ................................................................................................................. 4 1.2 Terms and Abbreviations ........................................................................................ 4 2 Cryptographic Module Description...................................................................................... 5 2.1 Cryptographic Module Overview ............................................................................ 5 2.2 Security Level .......................................................................................................... 7 2.3 Cryptographic Module Specification ....................................................................... 7 2.4 Cryptographic Module Ports and Interfaces........................................................... 9 2.4.1 System............................................................................................................... 9 2.4.2 FR Peripheral I/F.............................................................................................. 9 2.4.3 SATA Host PHY I/F .......................................................................................... 9 2.4.4 SATA Device PHY I/F..................................................................................... 10 2.4.5 SATA PHY I/F (Common)............................................................................... 10 2.4.6 TEST I/F ......................................................................................................... 10 2.4.7 Power Supply .................................................................................................. 11 2.5 Roles, Services, and Authentication ..................................................................... 11 2.5.1 Roles ................................................................................................................ 11 2.5.2 Services ........................................................................................................... 11 2.5.3 Operator Authentication ................................................................................ 15 2.6 Physical Security ................................................................................................... 16 2.7 Operational Environment ..................................................................................... 16 2.8 Cryptographic Key Management .......................................................................... 16 2.8.1 Definition of Critical Security Parameters (CSPs) ........................................ 16 2.9 Self-Tests ............................................................................................................... 18 2.9.1 Power-Up Tests............................................................................................... 18 2.9.2 Conditional Tests ............................................................................................ 18 2.10 Mitigation of Other Attacks .................................................................................. 19 3 Secure Operation................................................................................................................. 20 3.1 Initial Set-Up ......................................................................................................... 20 3.2 Zeroization ............................................................................................................. 20 Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 2 Date of Issue: 2015/03/30 List of Figures Figure 1 Exterior of Canon MFP Security Chip (FK4-1731A) .......................................... 5 Figure 2 Exterior of Canon MFP Security Chip ................................................................. 6 Figure 3 Example operational diagram of Canon MFP Security Chip ............................. 7 Figure 4 Canon MFP Security Chip component diagram .................................................. 8 List of Tables Table 1 Terms and abbreviations ......................................................................................... 4 Table 2 Canon MFP Security Chip security requirements ................................................ 7 Table 3 Role of components of the Canon MFP Security Chip .......................................... 8 Table 4 Pin descriptions (System)........................................................................................ 9 Table 5 Pin descriptions (FR Peripheral I/F) ...................................................................... 9 Table 6 Pin descriptions (SATA Host PHY I/F)................................................................... 9 Table 7 Pin descriptions (SATA Device PHY I/F) ............................................................. 10 Table 8 Pin descriptions (SATA PHY I/F (Common)) ....................................................... 10 Table 9 Pin descriptions (TEST I/F) .................................................................................. 10 Table 10 Pin descriptions (Power supply) ..........................................................................11 Table 11 Roles supported by the Canon MFP Security Chip ............................................11 Table 12 Approved algorithms available on the Canon MFP Security Chip ................ 12 Table 13 Services provided in FIPS140-2 approved mode ............................................... 12 Table 14 Services provided in non-FIPS140-2 approved mode........................................ 14 Table 15 CSP list ................................................................................................................. 16 Table 16 (not applicable here) Table 17 Relationship between access to CSPs and the services .................................... 17 Table 18 Self test ................................................................................................................. 18 Trademark Notice •E Canon and the Canon logo are trademarks of Canon Inc. •E All names of companies and products contained herein are trademarks or registered trademarks of the respective companies. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 3 Date of Issue: 2015/03/30 1 Introduction This security policy (hereinafter referred to as SP) is the security policy for the hardware cryptographic module developed by Canon called the Canon MFP Security Chip. This document describes how the Canon MFP Security Chip meets the FIPS140-2 Level 2 security requirements. This SP is a non-proprietary document. 1.1 Reference This section provides basic information about this SP. Title Canon MFP Security Chip FIPS 140-2 Security Policy Version 1.06 Issuer Canon Inc. Date of issue 2015/03/30 1.2 Terms and Abbreviations The following terms and abbreviations are used throughout this SP. Table 1 Terms and abbreviations Term/abbreviation Description AES Advanced Encryption Standard CBC Cipher Block Chaining CO Crypto Officer CSP Critical Security Parameter FIPS Federal Information Processing Standards Canon A general term that refers to a Canon brand multifunction product or MFP/printer printer. Serial ATA (SATA) A standard for connecting storage devices, based on serial transmission technology. Storage device Refers to the storage device on the Canon MFP/printer such as HDD/SSD. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 4 Date of Issue: 2015/03/30 2 Cryptographic Module Description 2.1 Cryptographic Module Overview The Canon MFP Security Chip handles cryptography for the storage device of the Canon MFP/printer. The Canon MFP Security Chip realizes high-speed data encryption/decryption through a serial ATA interface, using AES CBC mode. This allows the Canon MFP/printer's storage device to be protected against the risk of information leakage, without compromising objectives such as extensibility, flexibility, usability, and high performance. Details of the approved cryptographic module are given below. Title Canon MFP Security Chip Developer Canon Inc. The cryptographic module is a multi-chip embedded module, consisting of the cryptographic chip, the printed circuit board on which the chip is mounted, and the tamper-evident epoxy coating covering the cryptographic chip. The module does not contain the other components on the board. The cryptographic module comes in two types depending on the board on which the chip is mounted, but the chip itself is the same. The hardware and firmware details of the cryptographic module are given below. Hardware version FK4-1731A, FK4-1731B Firmware version 2.10 The cryptographic boundary is defined as the perimeter of the board. The areas of the board not covered by the epoxy coating are explicitly excluded from the requirements of FIPS 140-2, because they are non-security relevant. Figure 1 and Figure 2 show the exterior of the cryptographic module. Figure 1 shows the FK4-1731A module. The red dashed box in the figure shows the security relevant portion covered within the epoxy coating. Figure 1 Exterior of Canon MFP Security Chip (FK4-1731A) Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 5 Date of Issue: 2015/03/30 Figure 2 shows an enlargement of the area boxed in red in the previous figure. The figure shows the top side and bottom side of the FK4-1731A and FK4-1731B modules, respectively. FK4-1731A and FK4-1731B below, differ only in that each has a different board. The red box in the figure of the bottom side shows the area of the cryptographic chip. (FK4-1731A: top side) (FK4-1731A: bottom side) (FK4-1731B: top side) (FK4-1731B: bottom side) Figure 2 Exterior of Canon MFP Security Chip Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 6 Date of Issue: 2015/03/30 2.2 Security Level The Canon MFP Security Chip is a cryptographic module designed and implemented to meet the FIPS140-2 Level 2 security requirements. Table 2 below shows the security level met by the Canon MFP Security Chip for each of the specified areas. Table 2 Canon MFP Security Chip security requirements Security requirements section Level Cryptographic Module Specification 2 Module Ports and Interfaces 2 Role, Service, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A 2.3 Cryptographic Module Specification In addition to cryptography, the Canon MFP Security Chip implements the SATA HOST and SATA DEVICE interfaces. Figure 3 is an example operational diagram of the Canon MFP Security Chip. Canon MFP/Printer Main board Data encryption board SATA Storage Cryptogra device phic SATA Chip SATA Storage device Figure 3 Example operational diagram of Canon MFP Security Chip The "main board" in Figure 3 is the Canon MFP/printer's own board. The Canon MFP Security Chip is located on a different board (data encryption board), and connects to the main board. The "storage device" contains the data that is encrypted by the Canon MFP Security Chip. The Canon MFP Security Chip features the mirroring function, and allows two storage devices to be connected. However, the second storage device is optional, and only one Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 7 Date of Issue: 2015/03/30 is required for normal operation. The interface between the main board and the Canon MFP Security Chip, and between the Canon MFP Security Chip and the storage device, is Serial ATA. The diagram in Figure 3 is provided as an example only, and not meant to restrict where the cryptographic module may be mounted. Hereinafter, the system that is served by the Canon MFP Security Chip ("main board" in Figure 3), is referred to as host system. The following is a component diagram of the Canon MFP Security Chip, consisting of two dies. The FlashROM sits on one die, with all other components on another die. All of these elements are enclosed in a single package, making up the cryptographic chip. Register CPU FlashROM Work memory Cryptographic engine Disk I/O Canon MFP Security Chip Figure 4 Canon MFP Security Chip component diagram The role of each component is described below. Table 3 Role of components of the Canon MFP Security Chip Component Role Register Temporarily stores program instructions and calculations. Work memory Volatile memory that stores data and programs. Cryptographic keys are stored here. CPU Executes programs stored in memory. FlashROM Non-volatile memory that stores the firmware controlling the Canon MFP Security Chip. Authentication ID and DRBG internal state are stored here. Disk I/O Interface that handles I/O requests to the Canon MFP Security Chip. Cryptographic Handles AES encryption and decryption. engine When the Canon MFP Security Chip is powered on, a cryptographic key is automatically calculated using a key seed, and stored in work memory. The authentication ID is the information that allows the Canon MFP Security Chip to uniquely identify the connected host system or Canon MFP/printer. This authentication ID, initially received from the Canon MFP/printer when the Canon MFP Security Chip is first installed, is preserved in FlashROM. Since the cryptographic key is stored in volatile 'work' memory, stored keys are lost (or zeroized) upon power loss. Therefore, at each power up, the above process is repeated, and the cryptographic key is recalculated and stored in work memory. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 8 Date of Issue: 2015/03/30 2.4 Cryptographic Module Ports and Interfaces This section describes the physical ports of the cryptographic module, and how they relate to the data input/output and power supply interfaces. In terms of the logical interface, the Canon MFP Security Chip operates upon ATA commands that are input from the host system. Each ATA command is associated with a different interface, namely Data Input, Data Output, Control Input, and Status Output. 2.4.1 System Table 4 Pin descriptions (System) Pin symbol Description Interface type SYS_CLKIN External clock input Control input SYS_INITXI Reset input for configuration Control input initialization 2.4.2 FR Peripheral I/F Table 5 Pin descriptions (FR Peripheral I/F) Pin symbol Description Interface type FR_SIN Serial data input for debug log Control input FR_SOUT Serial data output for debug log Status output FR_GPIO GPIO input/output Control input/ Status output 2.4.3 SATA Host PHY I/F Table 6 Pin descriptions (SATA Host PHY I/F) Pin symbol Description Interface type REFCLK_H External clock input Control input RXPLUSA_H High-speed serial receive data pin Data input RXMINUSA_H High-speed serial receive data pin Data input TXPLUSA_H High-speed serial transmit data pin Data output TXMINUSA_H High-speed serial transmit data pin Data output RXPLUSB_H High-speed serial receive data pin Data input RXMINUSB_H High-speed serial receive data pin Data input TXPLUSB_H High-speed serial transmit data pin Data output TXMINUSB_H High-speed serial transmit data pin Data output VDDSATA_H Digital 1.2V power source pin Power input VSSSATA_H Digital GND pin Power input VDD1IO_H Analog 1.2V power supply pin for Power input high-speed IO VSS1IO_H Analog GND pin for high-speed IO Power input VDD1ANA_H Analog 1.2V power source pin for PLL Power input VDD33ANA_H Analog 3.3V power supply pin for bias Power input VDD33PLL_H Analog 3.3V power source pin for PLL Power input VSS1ANA_H Analog GND pin for PLL Power input Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 9 Date of Issue: 2015/03/30 VSSRESREF_H Analog GND pin for securing external Power input resistor RESREF_H Input pin for securing external Control input resistor 2.4.4 SATA Device PHY I/F Table 7 Pin descriptions (SATA Device PHY I/F) Pin symbol Description Interface type REFCLK_D External clock input Control input RXPLUSA_D High-speed serial receive data pin Data input/ Control input RXMINUSA_D High-speed serial receive data pin Data input/ Control input TXPLUSA_D High-speed serial transmit data pin Data output/ Status output TXMINUSA_D High-speed serial transmit data pin Data output/ Status output VDDSATA_D Digital 1.2V power source pin Power input VSSSATA_D Digital GND pin Power input VDD1IO_D Analog 1.2V power supply pin for Power input high-speed IO VSS1IO_D Analog GND pin for high-speed IO Power input VDD1ANA_D Analog 1.2V power source pin for PLL Power input VDD33ANA_D Analog 3.3V power supply pin for bias Power input VDD33PLL_D Analog 3.3V power source pin for PLL Power input VSS1ANA_D Analog GND pin for PLL Power input VSSRESREF_D Analog GND pin for securing external Power input resistor RESREF_D Input pin for securing external Control input resistor 2.4.5 SATA PHY I/F (Common) Table 8 Pin descriptions (SATA PHY I/F (Common)) Pin symbol Description Interface type REFCLK_HD Reference clock input Control input 2.4.6 TEST I/F Table 9 Pin descriptions (TEST I/F) Pin symbol Description Interface type TEST Test pin Control input VPD Feedthrough current prevention pin Control input TCK JTAG test clock input Control input TMS TAP controller mode select input Control input TRST JTAG test reset input Control input TDI JTAG test data input Data input TDO JTAG test data output Data output Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 10 Date of Issue: 2015/03/30 2.4.7 Power Supply Table 10 Pin descriptions (Power supply) Pin symbol Description Interface type VDE 3.3V power supply pin Power input VDD 1.2V power supply pin Power input VSS GND pin Power input PLLVDD APLL dedicated 1.2V power supply Power input pin PLLVSS APLL dedicated GND pin Power input FLVDE FLASH 3.3V power supply pin Power Input 2.5 Roles, Services, and Authentication 2.5.1 Roles The Canon MFP Security Chip supports two distinct operator roles, USER and CO (Cryptographic Officer). The following table shows each role and its associated services. The Canon MFP Security Chip does not provide the maintenance service, so no MAINTENANCE role is supported. Table 11 Roles supported by the Canon MFP Security Chip Description Authentication Authentication Role Type Data USER USER represents users of the Role-based Shared secret encryption/decryption service of the Canon MFP Security Chip. USER is allowed use of the AES encryption/decryption services as described in Table 13. CO CO performs configuration of secret Role-based Shared secret information of the Canon MFP Security Chip. CO is allowed use of the services associated with CO as described in Table 13. CO authentication is required prior to use of these services. 2.5.2 Services This section describes the cryptographic services provided by the Canon MFP Security Chip. The Canon MFP Security Chip supports FIPS140-2 approved mode of operation implementing the security functions validated by CMVP, as well as non-FIPS140-2 approved mode of operation implementing no cryptography. The Canon MFP Security Chip in FIPS140-2 approved mode provides the approved algorithms described in the following table. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 11 Date of Issue: 2015/03/30 Table 12 Approved algorithms available on the Canon MFP Security Chip Spec CAVP Usage Approved Algorithm Certificate AES Encryption/Decryption FIPS PUB #2907 Used in encryption/decryption of Mode: CBC 197 data stored in storage device. Key Length: 128bit,256bit SHA-256 FIPS PUB #2601 Used in Hash_DRBG random bit 180-4 generation, and response generation for Device Identification and Authentication. Hash_DRBG SP #638 Used in cryptographic key 800-90A generation, and challenge generation for Device Identification and Authentication. The Canon MFP Security Chip in FIPS140-2 approved mode additionally provides one other non-approved but allowed algorithm, NDRNG. NDRNG is used in generating the seed value for approved DRBG. Table 13 and Table 14 below describe the services provided on the Canon MFP Security Chip. Table 13 describes the services provided in FIPS140-2 approved mode, and Table 14 describes those provided in non-FIPS140-2 approved mode. Table 13 Services provided in FIPS140-2 approved mode Role Service Description Algorithm Input Output USER AES Encrypts and writes AES ATA write Encrypted encryption data to the storage Encryption command data is device. transmitted to the storage device. If mirroring is enabled, encrypted data is sent to both storage devices. USER AES decryption Reads data from the AES ATA read Decrypted storage device and Decryption command data is decrypts. transmitted to the host system Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 12 Date of Issue: 2015/03/30 None Process ATA Supported* ATA ATA command, Result is command commands received excluding ATA transmitted from the host system write/read to the host are analyzed and commands and system. transmitted to storage. extended ATA Unsupported commands. commands are not transmitted. * ATA write/read commands are excluded. None Initialization Initializes the Canon Reset signal - Hash_DRBG MFP Security Chip. The cryptographic key is calculated using the key seed, and stored in work memory within the module. None Zeroize AES Clears the Power off - key cryptographic key stored in volatile memory. None Behavior Configures the Extended ATA Result is settings behavior settings of the command for transmitted Canon MFP Security behavior to the host Chip. settings system. None Output status Outputs status of the Extended ATA Status is Canon MFP Security command for transmitted Chip. status output to the host system. CO Configure Configures the Extended ATA Result is Hash_DRBG secret authentication ID, and command for transmitted information generates the key seed setting secret to the host for AES cryptographic information system. key generation. None Zeroize secret Clears (zeroizes) secret Extended ATA Result is information information. command for transmitted clearing secret to the host information system. CO Output secret Key seed is output in Extended ATA Secret information plaintext form from the command for information cryptographic module. output of is secret transmitted information to the host system. CO Input secret Replaces the key seed, Extended ATA Result is information with the one received command for transmitted from the host system in input of secret to the host plaintext form. information system. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 13 Date of Issue: 2015/03/30 CO Change CO Modifies CO Extended ATA Result is authentication authentication command for transmitted information information. modifying CO to the host authentication system. information None Change mode Clears (zeroizes) all Extended ATA Result is CSPs and transitions to command for transmitted non-FIPS140-2 changing mode to the host approved mode. system. USER Device Uses Extended ATA Result is Hash_DRBG SHA-256 Identification challenge-response command for transmitted and authentication to controlling the to the host Authentication identify/authenticate authentication system. that the connection is function with the correct host system. The Canon MFP Security Chip provides services such as encryption/decryption, only when authentication succeeds. None Perform Executes a self test. Reset signal Interrupt self-test notification to the host system, plus extended ATA command for status output. Table 14 Services provided in non-FIPS140-2 approved mode Role Service Description Algorithm Input Output None Process ATA Supported ATA ATA command Result is command commands received transmitted from the host system to the host are analyzed and system. transmitted to storage. Unsupported commands are not transmitted. ATA write/read commands are included in this service, handling data in plaintext form. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 14 Date of Issue: 2015/03/30 None Behavior Configures the Extended ATA Result is settings behavior settings of the command for transmitted Canon MFP Security behavior to the host Chip. settings system. None Output status Outputs status of the Extended ATA Status is Canon MFP Security command for transmitted Chip. status output to the host system. CO Configure Configures the Extended ATA Result is Hash_DRBG secret authentication ID, command for transmitted information generates the key seed setting secret to the host for AES cryptographic information system. key generation, then transitions to FIPS140-2 approved mode. None Perform Executes a self test. Reset signal Interrupt self-test notification to the host system, plus extended ATA command for status output. The Canon MFP Security Chip operates in non-FIPS140-2 approved mode in its initial state. It makes the transition to FIPS140-2 approved mode by using the configure secret information service. Output status service can be used to determine the current operating mode: FIPS140-2 approved mode or non-FIPS140-2 approved mode. Conversely, the Canon MFP Security Chip makes the transition back to non-FIPS140-2 approved mode by using the change mode service. 2.5.3 Operator Authentication Before providing any of the services associated with USER and CO respectively, the Canon MFP Security Chip performs role-based authentication by shared secret. The authentication mechanism differs for each role, as follows. •E CO authentication Authentication is based on CO authentication information defined in section 2.8.1. •E USER authentication Uses challenge-response authentication based on Authentication ID defined in 2.8.1. USER authentication is referred to as Device Identification and Authentication. In Device Identification and Authentication, the challenge generated from the DRBG and a response value derived from the challenge and the authentication ID, are used to mutually identify/authenticate the host system and the Canon MFP Security Chip. For the shared secret, CO authentication uses a 4 byte random number, and USER authentication uses a 30 byte random number, so the probability that a random attempt will Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 15 Date of Issue: 2015/03/30 succeed is 1/232 and 1/2240 respectively, both of which are less than 1/1,000,000 as required by FIPS 140-2. The module is capable of performing CO authentication every 100 milliseconds, and USER authentication every 3 milliseconds. Therefore, the probability that multiple consecutive random authentication attempts will be successful during a one-minute period is 600/232 and 20000/2240 respectively, both of which are less than 1/100,000 as required by FIPS 140-2. As such, in terms of the strength of the authentication mechanism, the Canon MFP Security Chip provides sufficient level of strength. 2.6 Physical Security The Canon MFP Security Chip is a multi-chip embedded module, consisting of the cryptographic chip and the board on which the chip is mounted. The cryptographic chip is covered within an opaque, hard, tamper-evident epoxy coating (shown in Figure 2). Attempts to gain access to the internal components of the cryptographic module will require removal of at least one part of the coating, so that no attempt to remove the coating can succeed without physically deforming the coating, showing evidence of tampering. 2.7 Operational Environment The Canon MFP Security Chip has no firmware update utility, and runs in a single operating environment only. 2.8 Cryptographic Key Management 2.8.1 Definition of Critical Security Parameters (CSPs) The tables below list the CSPs handled by the Canon MFP Security Chip. The key seed, authentication ID, and CO authentication information are collectively termed Secret Information. Table 15 CSP list CSP Description AES cryptographic key Key for encryption/decryption. Cryptographic key is stored in volatile work memory in plaintext form. Key seed Seed value used for AES cryptographic key calculation. This information is stored in Flash ROM in plaintext form. Authentication ID ID for mutually authenticating the Canon MFP Security Chip and the host system, for Device Identification and Authentication. This information is stored in FlashROM in plaintext form. CO authentication Information for CO authentication. This information information is stored in Flash ROM in plaintext form. DRBG internal state Internal state used for challenge generation, for Device Identification and Authentication. Updated each time random bit generation takes place. This information is stored in FlashROM. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 16 Date of Issue: 2015/03/30 Table 16 (not applicable here) Table 17 defines the relationship between access to CSPs and the services available on the Canon MFP Security Chip. The types of access shown in the table are defined as follows: R=Read, W=Write, and Z=Zeroize. Read access is internal only, contained within the module itself. In other words, there is no direct access from outside of this module. Table 17 Relationship between access to CSPs and the services Service CSP Type AES encryption AES cryptographic key R AES decryption AES cryptographic key R Process ATA command N/A N/A Initialization AES cryptographic key W Key seed R Zeroize AES key AES cryptographic key Z Behavior settings N/A N/A Output status N/A N/A Configure secret information Authentication ID, key seed, W AES cryptographic key CO authentication information, R/W DRBG internal state Zeroize secret information Key seed, authentication ID, Z AES cryptographic key Output secret information Key seed R CO authentication information R Input secret information Key seed, AES cryptographic W key CO authentication information R Change CO authentication CO authentication information R/W information Change mode CO authentication information, Z key seed, authentication ID, DRBG internal state, AES cryptographic key Device Identification and Authentication ID R Authentication DRBG internal state R/W Perform self-test N/A N/A Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 17 Date of Issue: 2015/03/30 2.9 Self-Tests The Canon MFP Security Chip performs various self-tests (power-up self-tests and conditional self-tests). The self-tests are detailed in Table 18 below. Table 18 Self test Test item Test method Test type AES Encryption Known answer test Power-Up AES Decryption Known answer test Power-Up Hash_DRBG Known answer test Power-Up SHA-256 Known answer test Power-Up Firmware Integrity Test Firmware integrity Power-Up test using 32 bit CRC Hash_DRBG Continuous random Conditional bit generator test NDRNG Continuous random Conditional number generator test CSP Integrity Test Integrity tests of Conditional secret information and DRBG internal state by 32 bit CRC 2.9.1 Power-Up Tests When the Canon MFP Security Chip is powered up, it automatically performs the power-up self-tests. The power-up self-tests performed by the Canon MFP Security Chip are detailed in Table 18. If any of the tests returns an error, the Canon MFP Security Chip immediately enters the error state and can no longer read from or write to any storage device. Error status may be acquired using the output status service. Recovery from error state will require repair of the Canon MFP Security Chip by notifying/contacting your vendor. The power-up self-tests can be invoked on-demand by resetting the Canon MFP Security Chip. 2.9.2 Conditional Tests The Canon MFP Security Chip implements the conditional self-tests shown in Table 18. The Hash_DRBG and NDRNG continuous random number generator tests are performed before each use of the Hash_DRBG pseudo-random bit generator. Also, as a critical security function, the Canon MFP Security Chip performs management of secret information and DRBG internal state, and therefore implements the CSP Integrity Test in Table 18 as a critical function test. The CSP Integrity Test uses 32bit CRC to test the integrity of the secret information and DRBG internal state, before reading secret information or DRBG internal state stored in FlashROM. If any of the conditional self-tests returns an error, the Canon MFP Security Chip immediately enters the error state and can no longer read from or write to any storage device. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 18 Date of Issue: 2015/03/30 Error status may be acquired using the output status service. Recovery from error state will require repair of the Canon MFP Security Chip by notifying/contacting your vendor. The Canon MFP Security Chip does not support a bypass capability, so no bypass test is available. 2.10 Mitigation of Other Attacks The Canon MFP Security Chip does not provide any other additional mechanisms to mitigate attacks. Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 19 Date of Issue: 2015/03/30 3 Secure Operation 3.1 Initial Set-Up The Canon MFP Security Chip operates in non-FIPS140-2 approved mode in its initial state. To use the Canon MFP Security Chip in FIPS140-2 approved mode, the CO shall perform the following. The CO uses the configure secret information service, to set secret information to the Canon MFP Security Chip. The Canon MFP Security Chip, in its initial state, does not have default CO authentication information and default authentication ID. In the service, CO should set both CO authentication information and authentication ID at the same time. The CO authentication information should be a 4 byte value that cannot easily be guessed and the authentication ID should be a 30 byte value that cannot easily be guessed. Upon receiving a request for this service, the Canon MFP Security Chip writes the authentication ID to FlashROM, and generates the key seed for AES cryptographic key generation. Afterwards, it makes the transition to FIPS140-2 approved mode. Output status service can be used to determine the current operating mode. In response, the CO receives data from the Canon MFP Security Chip indicating either FIPS140-2 approved mode or non-FIPS140-2 approved mode. The operator shall periodically perform tamper evidence inspection of the Canon MFP Security Chip. Physical access to the contents of the module cannot be gained without removing at least one part of the coating that covers the cryptographic chip. The operator shall inspect the coating for any signs of tampering. If the operator discovers tamper evidence, the cryptographic module should not be used. 3.2 Zeroization The Canon MFP Security Chip zeroizes all CSPs when it switches to non-FIPS140-2 approved mode. The change mode service is used to cause the module to transition to non-FIPS140-2 approved mode. END Copyright© 2015 Canon Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice. 20