CR-3396
Revision Level: 21
Document is Uncontrolled When Printed.
Page 23 of 46
The policy is summarized by the following statements:
A subject may perform an allowed operation on an object if the object is in the partition with which the subject is associated and one of the following two conditions holds:
1. The object is a "Public" object, i.e., its PRIVATE attribute is FALSE, or
2. The subject is bound to the Partition User that owns the object.
Allowed operations are those permitted by the object attribute definitions, within the constraints imposed by the module and Partition Capability and Policy settings.
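The decision rule above, worked through as an added example in Python. This is not code from the security policy or the module itself; the names (PartitionUser, HsmObject, Subject, access_decision) are illustrative, and the Partition Capability and Policy settings are modelled simply as a set of operations a partition disables, which is an assumption about how those settings constrain operations. The evaluation is deny-by-default and reports which rule denied the request, which is what you want when auditing why a session could or could not touch an object.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed model of the partition access control policy; names are illustrative,
# not the module's API.


@dataclass(frozen=True)
class PartitionUser:
    name: str
    partition: str


@dataclass(frozen=True)
class HsmObject:
    handle: int
    partition: str                 # partition the object is stored in
    owner: PartitionUser           # Partition User that owns the object
    private: bool                  # PRIVATE attribute; False means a "Public" object
    permitted_ops: FrozenSet[str]  # operations allowed by the object's attribute definitions


@dataclass(frozen=True)
class Subject:
    partition: str                       # partition the subject (session) is associated with
    bound_user: Optional[PartitionUser]  # Partition User the subject is bound to, if any


# ASSUMPTION: Partition Capability/Policy settings modelled as operations a partition disables.
PartitionPolicies = Dict[str, FrozenSet[str]]


def access_decision(subject: Subject, obj: HsmObject, op: str,
                    policies: PartitionPolicies) -> Tuple[bool, str]:
    """Deny-by-default evaluation of the policy; returns (allowed, reason)."""
    # Precondition: the object must be in the subject's partition.
    if obj.partition != subject.partition:
        return False, "object is not in the subject's partition"
    # Condition 1 or 2: Public object, or subject bound to the owning Partition User.
    if obj.private and subject.bound_user != obj.owner:
        return False, "PRIVATE object owned by a different Partition User"
    # "Allowed operations": permitted by the object's attribute definitions ...
    if op not in obj.permitted_ops:
        return False, f"operation {op!r} not permitted by object attributes"
    # ... within the constraints of the Partition Capability and Policy settings.
    if op in policies.get(obj.partition, frozenset()):
        return False, f"operation {op!r} disabled by partition policy"
    return True, "allowed"


def demo_decisions() -> Dict[str, bool]:
    """Run the policy over constructed sample objects; returns case -> allowed."""
    alice = PartitionUser("alice", "part-A")
    bob = PartitionUser("bob", "part-A")
    policies: PartitionPolicies = {"part-A": frozenset({"export"})}

    priv_key = HsmObject(1, "part-A", alice, private=True,
                         permitted_ops=frozenset({"sign", "export"}))
    pub_cert = HsmObject(2, "part-A", alice, private=False,
                         permitted_ops=frozenset({"read"}))
    other_part = HsmObject(3, "part-B", alice, private=False,
                           permitted_ops=frozenset({"read"}))

    as_alice = Subject("part-A", alice)
    as_bob = Subject("part-A", bob)
    unbound = Subject("part-A", None)

    cases = {
        "owner_signs_private_key": (as_alice, priv_key, "sign"),
        "other_user_signs_private_key": (as_bob, priv_key, "sign"),
        "unbound_reads_public_object": (unbound, pub_cert, "read"),
        "other_user_reads_public_object": (as_bob, pub_cert, "read"),
        "op_not_in_object_attributes": (as_alice, pub_cert, "sign"),
        "op_disabled_by_partition_policy": (as_alice, priv_key, "export"),
        "object_in_other_partition": (as_alice, other_part, "read"),
    }
    return {name: access_decision(s, o, op, policies)[0]
            for name, (s, o, op) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Note the ordering of the checks: partition membership is tested before ownership, so a private object in another partition is refused for the partition reason, never leaking whether the subject would otherwise have owned it.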
3.5.1 Object Protection
The module cryptographically protects the values of sensitive objects stored in its internal flash memory. Sensitive values are protected using AES-256 encryption with three different keys, each having a separate protection role. The three keys used to protect sensitive object values are the following:
- User Storage Key (USK) / Security Officer Master Key (SMK): this key is created by the cryptographic module when the User or SO is created. It is used to maintain cryptographic separation between users' keys.
- Master Tamper Key (MTK): this key is securely stored in battery-backed RAM. It encrypts keys as they are generated to ensure that they can only be used by the co-processor itself or with authorization from it.
- Key Encryption Key (KEK): this key is stored in battery-backed RAM in the module. It also encrypts all sensitive object values and is used to provide the "decommissioning" feature. The KEK is erased in response to an external decommission signal. This provides the capability to prevent access to sensitive objects in the event that the module has become unresponsive or has lost access to primary power.
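The three-key protection described above, modelled as an added example in Python (not the module's firmware or any vendor code). Two assumptions are made so the example runs on the standard library alone: the module's AES-256 is replaced by an HMAC-SHA256 keystream with an HMAC tag (a stand-in, not the real algorithm), and the three layers are applied in the order USK/SMK, then MTK, then KEK, an order the page does not specify. The model shows the two properties the text claims: one user's USK cannot strip another user's layer, and erasing the KEK leaves the flash contents in place but unrecoverable.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed model of the three-key protection of sensitive object values.
# ASSUMPTION: HMAC-SHA256 keystream + tag stands in for the module's AES-256;
# the layer order (USK/SMK, MTK, KEK) is also an assumption.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256(key, nonce||counter) keystream (stand-in for AES-256)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Apply one protection layer (encrypt-then-MAC): nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then remove one layer; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or corrupted blob")
    return _keystream_xor(key, nonce, ct)


class ModuleModel:
    """Toy HSM: MTK and KEK live in 'battery-backed RAM', protected objects in 'flash'."""

    def __init__(self) -> None:
        self.mtk: bytes = secrets.token_bytes(32)            # Master Tamper Key
        self.kek: Optional[bytes] = secrets.token_bytes(32)  # Key Encryption Key; erased on decommission
        self.user_keys: Dict[str, bytes] = {}                # USK per User, SMK for the SO
        self.flash: Dict[int, bytes] = {}                    # object handle -> protected value

    def create_user(self, uid: str) -> None:
        self.user_keys[uid] = secrets.token_bytes(32)  # USK/SMK created when the User/SO is created

    def store_sensitive(self, uid: str, handle: int, value: bytes) -> None:
        if self.kek is None:
            raise PermissionError("module decommissioned: KEK erased")
        blob = wrap(self.user_keys[uid], value)  # USK/SMK: separation between users' keys
        blob = wrap(self.mtk, blob)              # MTK: bound to the co-processor
        blob = wrap(self.kek, blob)              # KEK: the layer the decommission signal destroys
        self.flash[handle] = blob

    def read_sensitive(self, uid: str, handle: int) -> bytes:
        if self.kek is None:
            raise PermissionError("module decommissioned: KEK erased")
        blob = unwrap(self.kek, self.flash[handle])
        blob = unwrap(self.mtk, blob)
        return unwrap(self.user_keys[uid], blob)  # fails for any user other than the owner

    def decommission(self) -> None:
        self.kek = None  # external decommission signal: flash keeps the blobs, but they are unrecoverable


def demo() -> Dict[str, bool]:
    """Exercise the model with constructed sample data; returns property -> holds."""
    hsm = ModuleModel()
    hsm.create_user("alice")
    hsm.create_user("bob")
    secret = b"constructed sample private key material"
    hsm.store_sensitive("alice", 1, secret)
    results = {"owner_round_trip": hsm.read_sensitive("alice", 1) == secret}
    try:
        hsm.read_sensitive("bob", 1)
        results["other_user_blocked"] = False
    except ValueError:
        results["other_user_blocked"] = True  # bob's USK cannot strip alice's layer
    hsm.decommission()
    results["flash_still_holds_blob"] = 1 in hsm.flash
    try:
        hsm.read_sensitive("alice", 1)
        results["unreadable_after_decommission"] = False
    except PermissionError:
        results["unreadable_after_decommission"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the innermost layer being per-user is that the module never needs an access-control lookup to keep users' key material apart: without the right USK the value is simply undecryptable. The outermost layer being the KEK is what makes decommissioning a single small erase rather than a sweep of all flash.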
3.5.2 Object Re-use
The access control policy is supported by an object re-use policy. The object re-use
policy requires that the resources allocated to an object be cleared of their information
content before they are re-allocated to a different object.
3.5.3 Privileged Functions
The module shall restrict the performance of the following functions to the SO role only:
Module initialization
Partition creation and deletion