Page 6

background image

Oct 01, 2015

6

Section 2.1

Services

This section describes services which the CM provides.

Service

Description

Role(s)

Keys

&

CSPs

RWX(Read,

Write,eXecute

)

Algorithm(CAVP

Certification

Number)

Method

Band

Lock/Unlock

Block or allow read (decrypt) /

write (encrypt) of user data in

a band. Locking also requires

read/write

locking

to

be

enabled

BandMaster0

...

BandMaster8

N/A

N/A

N/A

SECURITY

PROTOCOL IN(TCG

Set Method Result)

Cryptographic

Erase

Erase

user

data

(in

cryptographic means)

by

changing the data encryption

key

EraseMaster

MEK(s)

W

Hash_DRBG(#895)

SECURITY

PROTOCOL IN(TCG

Erase Method Result)

RKey

X

AES256-CBC(#3537)

Data

read/write(decr

ypt/encrypt)

Encryption / decryption of

unlocked user data to/from

band

None

MEKs

X

AES256-XTS(#3538)

SCSI

READ/WRITE

Commands

Firmware

Download

Enable / Disable firmware

download and load a complete

firmware image, and save it.

If the code passes "Firmware

load test", the device is reset

and will run with the new

code.

SID

PubKey

X

RSASSA-PKCS#-v1_

5(#1818)

SECURITY

PROTOCOL IN(TCG

Set Method Result),

SCSI

WRITE

BUFFER

RandomNumbe

r generation

Provide a random number

generated by the CM

None

Seed

R

Hash_DRBG(#895)

SECURITY

PROTOCOL IN(TCG

Random

Method

Result)

Reset(run

POSTs)

Runs

POSTs

and

delete

CSPs in RAM

None

N/A

N/A

N/A

Power on reset

Set

band

position

and

size

Set the location and size of

the LBA range

BandMaster0

...

BandMaster8

N/A

N/A

N/A

SECURITY

PROTOCOL IN(TCG

Set Method Result)

Set PIN

Setting PIN (authentication

data)

All for their

PIN

RKey

X

AES256-CBC(#3537)

SECURITY

PROTOCOL IN(TCG

Set Method Result)

SHA256(#2916)

Show Status

Report status of the CM

None

N/A

N/A

N/A

SCSI

REQUEST

SENSE

Zeroization

Erase user data in all bands

by

changing

the

data

encryption

key,

initialize

range settings, and reset

PINs for TCG

None1

RKey

X,W

AES256-CBC(#3537)

SECURITY

PROTOCOL IN(TCG

RevertSP

Method

Result)

MEKs

W

Hash_DRBG(#895)

PIN

W

Table 3 FIPS Approved services

Algorithm

CAVP Certification Number

AES256-CBC

#3537

AES256-XTS

#3538

SHA256

#2916

RSASSA-PKCS#1-v1_5

#1818

Hash_DRBG

#895

Table 4 FIPS Approved Algorithms

Algorithm

Description

NDRNG

Software RNG used to seed the approved Hash_DRBG.

Minimum entropy of 8 bits is 7.28.

Table 4-1 Non-FIPS Approved Algorithms

1

Need to input PSID, which is public drive-unique value used for the TCG RevertSP method.