CR-4056
Rev 5
- Exercise cryptographic services with Private objects in his or her Token
- Create, destroy, import, export, generate, derive Public objects in his or her Token
- Create, destroy, import, export, generate, and derive Private objects in his or her Token
- May change his/her own PIN
- Power-up self-test on demand
2.3.6 Unauthenticated Operators
Certain services are available to operators who have not (yet) authenticated to the adapter:
- Exercise status querying services
- Authenticate to a Token
- Force session termination and restart the adapter by setting a register that is memory-mapped to the PCI bus. The host application can force a restart by writing a certain value to the register through the PSI-E2 device driver. The transparent PCI chip will then generate a bus cycle restart, which in turn will restart the adapter.
All of the services available to the Unauthenticated Operators are also available to all
authenticated operators.
2.4 Physical Security
The adapter provides tamper evidence and tamper response mechanisms. A metal casing
covers the epoxy-covered PCB board. The epoxy provides a strong tamper-evident enclosure.
The Administrator should perform routine visual inspection of the module for evidence of
tampering, such as scratches.
The module is actively protected through a combination of an external tamper jumper switch and
a voltage monitor. The PSI-E2 protection can also be activated by removal of the adapter from
the host machine or via an external alarm input capability. In the event of a tamper, the PSI-E2
enters a Tamper state in which all processing is halted and the non-volatile secure memory is
zeroized.
Hardness testing of the epoxy was performed from a low of -50° to +60° Celsius. No assurance is
provided for Level 3 hardness conformance at any other temperature.
2.5 Operational Environment
This section does not apply. The PSI-E2 does not provide a modifiable operational environment.
2.6 Cryptographic Key Management
The PSI-E2 is a general-purpose cryptographic management device and thus securely
administers both cryptographic keys and other critical security parameters (CSPs) such as
passwords.
2.6.1 Key Generation
The PSI-E2 Module supports the generation of DSA, RSA, ECDSA (also known as ECC), and DH
public and private keys. The module also supports the generation of three-key Triple-DES keys
as well as AES 128-bit, 192-bit, and 256-bit keys. The module implements a FIPS-approved
AES-CTR DRBG specified in NIST SP 800-90A