BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.8 Broadcom Ltd. Revision Date: 2016-05-25 Copyright Broadcom 2016. May be reproduced only in its original entirety [without revision]. Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 TABLE OF CONTENTS 1. MODULE OVERVIEW .........................................................................................................................................3 2. SECURITY LEVEL ................................................................................................................................................5 3. MODES OF OPERATION .....................................................................................................................................6 4. PORTS AND INTERFACES .................................................................................................................................7 5. IDENTIFICATION AND AUTHENTICATION POLICY ................................................................................9 6. ACCESS CONTROL POLICY ............................................................................................................................10 DEFINITION OF SERVICES .........................................................................................................................................10 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS) ......................................................................................14 DEFINITION OF CSPS MODES OF ACCESS ................................................................................................................20 7. OPERATIONAL ENVIRONMENT....................................................................................................................22 8. SECURITY RULES .............................................................................................................................................22 9. PHYSICAL SECURITY POLICY ......................................................................................................................25 PHYSICAL SECURITY MECHANISMS .........................................................................................................................25 10. MITIGATION OF OTHER ATTACKS POLICY ...........................................................................................26 11. REFERENCES ....................................................................................................................................................26 12. DEFINITIONS AND ACRONYMS...................................................................................................................26 Page 2 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 1. Module Overview The BCM58100B0 Series Cryptographic Module, a single-chip encased in hard opaque tamper evident IC packaging, is a highly integrated system on a chip. It is marketed in three part numbers. • BCM58101B0 : integrated system on a chip with no NFC capabilities • BCM58102B0 : integrated system on a chip with NFC capabilities • BCM58103B0 : integrated system on a chip with enhanced NFC capabilities All devices use the same physical package. The module runs firmware version rev0. Figure 1 shows that the BCM58100B0 Series is composed of two components, the BCM5810X component and the NFC component. These modules are interconnected with a SPI (Serial Peripheral Interface bus) connection. The NFC component is purely a peripheral block to BCM5810X for NFC communication. No cryptographic implementation is included in this component; all cryptographic capabilities are encapsulated in the BCM5810X component. The interconnect between BCM5810X and NFC is for data communication only, no cryptographic material or key is passed between the modules. Figure 1 BCM58100B0 Top Level Blocks BCM5810X SPI Data Connection NFC 5810x Package For the purpose of FIPS140-2 certification the physical boundary of the chip is used as the security boundary of the cryptographic module. The BCM58100B0 Series Cryptographic Module’s FIPS boundary is defined as: • The external surface of the BCM58100B0 chip including the hard opaque encapsulating material that physically protects all module components. The algorithm boundary is defined as the BCM5810X component. The figures below illustrate the cryptographic module’s physical boundary, interfaces, and logical software execution contexts within the physical boundary. Page 3 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Figure 2 - Image of the Cryptographic Module Physical Boundary BCM58102B0KFBG TAYYWW P20 P083 P1 (Top) (Bottom) Figure 3 - Pictures of the Cryptographic Module Physical Boundary (Top) (Bottom) Page 4 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Figure 4 - Block Diagram of module Interfaces & logical Software Execution Contexts 58100 Cryptographic Module Clock - Control Input - Status output Command Parser USB USB application Host System runs in user mode, - Control Input accessible to Reset Pins - Status output memory region - Control Input - Data input allocated by the - Status output - Data output Memory Protection Unit of M3. Power SPI SCAPI Dedicated IO Flash (Standardized API and core power Secure Boot Image (SBI) layer to access supply pins - Data / Code output module crypto HW separated from or crypto signal pins primitives.) UART - Error Status output Approved Crypto Algorithms 2. Security Level The cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2. Table 1 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 3 Module Ports and Interfaces 3 Roles, Services and Authentication 3 Finite State Model 3 Physical Security 3 Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 3 Page 5 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Self-Tests 3 Design Assurance 3 Mitigation of Other Attacks NA 3. Modes of Operation FIPS Approved mode of operation The BCM58100B0 Series cryptographic module supports a single FIPS Approved mode of operation. The user can determine that the cryptographic module is running in FIPS Approved mode of operation when the status output RESET_OUT_L is high. The module does not support a non-Approved mode of operation. Approved Algorithms The module implements the following approved and allowed cryptographic algorithms using a hardware crypto engine called [SMAU - Crypto/Auth] block. The same hardware block is used twice in the Secure Memory Access Unit or SMAU. One instance is being used for offloading generic cryptographic operations. The other instance is being used to support secure caching of instruction and data stored externally in encrypted and integrity-protected format. Individual self-tests are conducted after power-on to test the instantiation for generic cryptographic operations. Each algorithm implementation is used during different scenarios. They are never used simultaneously for the same operation. Each algorithm implementation has its own algorithm certificate and has its own power-on Self-test. Table 2 – Approved Algorithms Cryptographic Algorithm Description Certificate Number [SMAU – Crypto/Auth] block, ECB, CBC, AES CTR #3762 Key size : 128, 192, 256 [SMAU – Crypto/Auth] block AES CCM Key size : 128, Nonce Len 12, Tag Len 4, 8, #3763 12, 16 [SMAU – Crypto/Auth] block HMAC- SHA256 #2462 [SMAU – Crypto/Auth] block SHA256 #3132 Page 6 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 SP800-90 DRBG, SHA-256 is the HASH DRBG functions used #1034 Signature generation, signature verification ECDSA 256-bit key, curve P-256 #807 Signature generation, signature verification DSA 2048-bit key, with SHA-256 for signature #1045 generation Signature generation, signature verification RSA 2048-bit key with SHA-256 #1936 Allowed Non-Approved Algorithms The module implements the following non-approved cryptographic algorithms EC Diffie-Hellman: Non-SP800-56A Compliant ECDH allowed per FIPS 140-2 Implementation Guidance D.8 (key agreement; key establishment methodology provides 128- bits of encryption strength) NDRNG – internal module source utilizing free running oscillators to capture thermal noise as the source of randomness. The NDRNG is used to collect entropy to be fed to the FIPS SP800- 90A DRBG. 4. Ports and Interfaces The BCM58100 Series Cryptographic Module provides physical ports as listed in Table 3 below. Table 3 – Physical Ports Note: the BCM5810X chip has a total of 141 signal pins. Each BCM5810X Interface Group listed in Table 3 contains several BCM58100B0 pins. Unused Interface Groups will be marked as “Non-Available” because they are currently disabled by the cryptographic module. Clock group Control Input Clock - 25MHz clock - 32KHz clock Status Output Clock output - 25MHz clock output Reset group Control input One reset input Page 7 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Status output Reset output : Indicates that system power supply is stable. Secure boot Control Input - one key zeroization request input - Ten external tamper detection (e.g. can be hooked up to a temperature sensor or a voltage Status Output sensor. No claims made for FIPS mode). - One ERROR status. SPI group: Data input (code and data) Code and data from SPI flash All Code/Data Input is (clock, device select, and four authenticated by the module. data I/O) USB group: Data input Service request input Device interface used by the Data output Service response output module’s operators to make Control input (USB differential data bus) service requests. Requests are Status output authenticated via the ECDH secure session. UART group: Status output Status output UART0 port is enabled as (Four UART ports of four error status output. Other UART ports are signals each.) Output UART ports are intended for future use: Intended use in the future: disabled and logic is put in Data input Data received or transmitted for reset state. Data output UART console application Static Memory Interface Non-available Non-available group: Intended use in the future: (chip select, read/write control, 8 Clock to the group block is Data input data bit, 20 address bit) disabled and logic is put in Data output Intended use in the future : reset state. Code and data from SRAM or flash memory. NFC group BCM58102 and (Four antenna connections, two BCM58103: SWP interface ports.): Data input Data received or transmitted for Data output contactless smart card applications. Smart Card group: Non-available Non-available Clock to the group block is (Seven interface signals) disabled and logic is put in Intended use in the future: Intended use in the future: reset state. Data input Data received or transmitted For Data output contacted Smart Card applications. JTAG group: Non-available Non-available Completely disabled by HW Page 8 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 in FIPS mode. Module HW\FW\SW enforces that non-volatile plaintext critical security parameters cannot be shared, used, or viewed in FIPS mode. Power group Power is distributed to Over 50 power and ground pins. the chip using designated IO and core power pins that are completely separated from any signal pin groups. Power pins are only connected to the internal power planes of the silicon chip. 5. Identification and Authentication Policy Assumption of roles The BCM58100B0 Series Cryptographic Module supports two operator roles, User and Cryptographic-Officer. Only the authorized user (in either role) could establish a secure session with the cryptographic module. The module is designed to operate with a single entity that is assigned the User and Cryptographic-Officer roles. The user identity is embedded in the module’s SBI during manufacturing (Secure Boot Image: an authenticated software extension of the module’s BOOT ROM. SBI software is part of the BCM58100B0 Series Cryptographic Module). The cryptographic module implements identity-based operator authentication to allow only the authorized user to access cryptographic services. Authentication is accomplished via a 256-bit ECDSA-based signature verification process. A single 256-bit ECDSA public key is embedded in the SBI. The 256-bit ECDSA public key is used to authenticate the operator during the establishment of an ECDH secure session between the module and the operator on the external host system. After an operator is authenticated successfully, the operator can assume either the role of the Cryptographic Officer or the role of the User. The module allows the operator to perform both CO and User services. Page 9 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Table 4 - Roles and Required Identification and Authentication Role Type of Authentication Authentication Data • User Identity-based operator 256-bit ECDSA authentication signature verification • Cryptographic-Officer Identity-based operator 256-bit ECDSA authentication signature verification Table 5 - Strengths of Authentication Mechanisms Authentication Mechanism Strength of Mechanism ECDSA Signature Verification (256 bit) The probability that a random attempt will succeed or a false acceptance will occur is 1/2128 which is less than 1/1,000,000. The probability of successfully authenticating to the module within one minute is 3,750/2128 which is less than 1/100,000. The module will only allow one attempt to verify the operator – if that attempt fails the module will be in an error state and must be rebooted to try and become operational again. Please see section “8. Security Rules” below (security rules imposed by the vendor) for the detail supporting this calculation. 6. Access Control Policy Definition of Services The cryptographic module supports the following authenticated services defined in Table 5: Table 6 - Authenticated Services Name of Service Description of Service Generate Key This service generates an AES or HMAC key to be used during operator requested services. AES Encrypt This service encrypts bulk operator supplied data using a Page 10 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 previously generated AES key. AES Decrypt This service decrypts bulk operator supplied data using a previously generated AES key. SHA-256 Hashing This service generates a SHA-256 digest on supplied data. Load Key This service allows an operator to load a key into the module’s key cache. The key being loaded can be a private key or a public key of an asymmetrical key pair, or a symmetrical key for AES or HMAC. All keys loaded via this service are being protected by the ECDH secure session via 128-bit AES-CCM encryption and integrity protection. RSA Signature This service performs RSA Signature Verification on operator Verification supplied data with a previously loaded public key (see service “Load Key”). DSA Signature This service performs DSA Signature Verification on operator Verification supplied data with a previously loaded public key (see service “Load Key”). ECDSA Signature This service performs ECDSA Signature Verification on operator Verification supplied data with a previously loaded public key (see service “Load Key”). RSA Signature This service performs RSA Signature Generation on operator Generation supplied data with a previously loaded private key (see service “Load Key”). DSA Signature This service performs DSA Signature Generation (2048 bit key) Generation on operator supplied data with a previously loaded private key (see service “Load Key”). ECDSA Signature This service performs ECDSA Signature Generation on operator Generation supplied data with a previously loaded private key (see service “Load Key”). Generate Random This service generates a random number with the module’s FIPS Number 800-90A DRBG and outputs the generated random number to the requesting operator. EC Diffie-Hellman Key This service is comprised of several steps which establish a session Page 11 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Exchange key between the module and an external entity. HMAC Request Compute an HMAC on an operator supplied blob of data. The cryptographic module supports the following unauthenticated services defined in Table 7: Table 7 - Unauthenticated Services Name of Service Description of Service Self Test This service executes the suite of self-tests required by FIPS 140- 2. Self-tests are invoked by power cycling the module. Show Status This service provides the current status of the cryptographic module. Get Info This service computes and outputs the ECDSA device public key of the cryptographic module Get Version This service returns the version/revision information of the cryptographic module • Zeroize Power-cycle or hard reset will zeroize all volatile critical security parameters including internally generated CSPs or loaded keys. • When the MANU_DEBUG pin within the Secure Boot group physical interface is turned high all volatile and non-volatile plaintext critical security parameters will be zeroized – after this the module will not boot again. Table 8 - Specification of Service Inputs & Outputs Service Control Input Data Input Data Output Status Output Generate Key Key Type N/A Key Handle Success/fail AES Encrypt Length Plaintext Ciphertext Success/fail Key Handle AES Decrypt Length Ciphertext Plaintext Success/fail Key Handle SHA-256 Hash Type Data Blob Digest Success/fail Hashing Load Key Key Type Key N/A Success/fail Key Handle Page 12 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Service Control Input Data Input Data Output Status Output RSA Signature Hash Length Hash Blob N/A Success/fail Verification Key Handle Signature DSA Signature Hash Length Hash Blob N/A Success/fail Verification Key Handle Signature ECDSA Hash Length Hash Blob N/A Success/fail Signature Key Handle Signature Verification RSA Signature Hash Length Hash Blob Signature Success/fail Generation Key Handle DSA Signature Hash Length Hash Blob Signature Success/fail Generation Key Handle ECDSA Hash Length Hash Blob Signature Success/fail Signature Key Handle Generation Generate DRBG Type N/A Random Number Success/fail Random Length Number ECDiffie- Header info. ECDiffie-Hellman ECDiffie-Hellman Success/fail Hellman Key key establishment key establishment Exchange data received from data sent to Host (comprised of Host System System two steps) HMAC Request Length Data Blob MAC Success/fail Hash Type Key Handle Self Test N/A N/A N/A Success/fail (Power cycle) Show Status N/A N/A N/A All the above Status Output (Table 6 Specification of Service Inputs & Outputs) Status Output of Interface groups (Table 2 Physical Ports) Get Info N/A N/A Cryptographic Success/fail Module device public key Page 13 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Service Control Input Data Input Data Output Status Output KDI-EC-PUB Get Version N/A N/A Version and Success/fail Revision information of the Cryptographic Module Zeroize Power-cycle, hard N/A N/A N/A reset, or set MANU_DEBUG pin Definition of Critical Security Parameters (CSPs) The following are the CSPs contained in the module. Table 9 - Secret and Private Keys Key Description/Usage Generation Storage Entry/Output Destruction Used to establish an Ephemeral key Zeroize service. Stored in plaintext Entry: N/A KECDH- ECDH based session generated internally in the Additionally always Entry Key-to- PRIV key. internally via module’s [Scratch destroyed after the entity association: DRBG per RAM] block. 256 bit symmetrical session N/A SP800-90A. random key is established. Key-to-entity Output: N/A number association: used for Output Key-to- associated with a ephemeral entity association: session ID during ECDH key. N/A. the ECDH secure session establishment. Page 14 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Destruction Used to encrypt and Generated Zeroize service. Stored in plaintext Entry: N/A KAES decrypt the Secure internally during internally in OTP. Boot Image (SBI) manufacturing When in use it is Temporary copy in Entry Key-to- 128 bit when the SBI is loaded via DRBG per temporality copied [Scratch RAM] entity association: AES key. (symmetrically). SP800-90A. to the [Scratch block always N/A A unique RAM] block. destroyed after each value for reset cycle. Output: N/A each Key-to-entity module. association: Output Key-to- Key index = 2 in entity association: OTP. N/A. Used to protect and Generated Zeroize service. Stored in plaintext Entry: N/A KHMAC verify the SBI. internally during internally in OTP. manufacturing When in use it is Temporary copy in Entry Key-to- 256 bit via DRBG per temporality copied [Scratch RAM] entity association: HMAC- SP800-90A. to the [Scratch block always N/A SHA-256 RAM] block. destroyed after each key. A reset cycle. Output: N/A unique Key-to-entity value for association: Output Key-to- each Key index = 3 in entity association: module. OTP. N/A. Used to establish the Generated Zeroize service. Stored in plaintext Entry: N/A KDI-EC- mutually authenticated internally during internally in OTP. PRIV ECDH secure session manufacturing When in use it is Temporary copy in Entry Key-to- communication via DRBG per temporality copied [Scratch RAM] entity association: 256 bit channel between the SP800-90A. to the [Scratch block always N/A ECDSA module and an RAM] block. destroyed after each private key. external entity. Used reset cycle. Output: N/A A unique as the identity key of Key-to-entity value for the module in these association: Output Key-to- each authenticated Key index = 4 in entity association: module. communications. OTP. N/A. Page 15 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Destruction Used to Generated Zeroize service. Stored in the Entry: Entered KAPP-AES encrypt/decrypt internally during volatile “key cache” into the module by Load Key service 1 application data when operation via within the [Scratch Temporary copy in 128, 192 or external applications DRBG per RAM] block. [Scratch RAM] 256 bit issue encrypt or SP800-90A. See block always Entry Key-to- AES keys. decrypt service Generate Key destroyed after each Key-to-entity entity association: requests. service. reset cycle. association: Session key “key cache” handle. derived during the Note this handle is ECDiffie-Hellman given by the Key Exchange application that service. requested the creation of the key Output: N/A so that application can request Output Key-to- encryption/ entity association: decryption with the N/A. key at a later point in time. Used to protect and Generated Zeroize service. Stored in the Entry: Entered KAPP- verify application data internally during volatile “key cache” into the module by HMAC when external operation via within the [Scratch Load Key service Temporary copy in applications issue DRBG per RAM] block. [Scratch RAM] 256 bit protection or SP800-90A. See block always Entry Key-to- HMAC verification service Generate Key destroyed after each Key-to-entity entity association: keys requests. service. reset cycle. association: Session key (SHA- “key cache” handle. derived during the 256). Note this handle is ECDiffie-Hellman given by the Key Exchange application that service. requested the creation of the key Output: N/A so that application can request Output Key-to- protection/ entity association: verification with the N/A. key at a later point in time. 1 192 and 256-bit keys entered using the Load Key service only provide 128-bits of security strength. Page 16 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Destruction KAPP-PRIV Used to perform N/A Multiple instances. When the zeroize Entry: Entered signature generation service is requested. into the module by during the RSA, DSA Load Key service Stored in the 2048 bit or ECDSA Signature Always destroyed volatile “key cache” DSA services. after each reset within the [Scratch Entry Key-to- cycle. RAM] block. entity association: 2048 bit This is a private RSA key that is Key-to-entity associated with the association: 256 bit public key “key cache” handle. ECDSA member of a key- Note this handle is pair. given by the application that requested the entry Output: N/A of the key so that the application can Output Key-to- request signature entity association: generation with the N/A. key at a later point in time. Used to derive the Derived using Zeroize service. Stored only Entry: N/A KECDH-SS ECDH key temporarily stored session key Kss Additionally always Entry Key-to- exchange in the scratch RAM, 256 bit destroyed after the entity association: algorithm based erased after Kss is ephemeral symmetrical session N/A on KECDH-PRIV derived ECDH key is established. Output: N/A shared and KECDH-OP- secret. Key-to-entity Output Key-to- PUB association: entity association: associated with a N/A. session ID during the ECDH secure session establishment. Session key derived Generated during Zeroize service. Stored in the Entry: N/A Kss during the ECDiffie- the ECDiffie- volatile “key cache” Hellman Key Hellman Key within the [Scratch Temporary copy in Entry Key-to- 128 bit Exchange service. The Exchange service RAM] block. [Scratch RAM] entity association: AES key. module will use this via SHA256- block always N/A key for secure based KDF destroyed after each Key-to-entity communications function. reset cycle. association: Output: N/A to/from the external Only one session host system. key exists at any Output Key-to- given point in time. entity association: N/A. Page 17 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Destruction Entropy value fed to Gathered from Generated via Reset DRBG or Entry: N/A DRBG the SP800-90A. internal module NDRNG and stored power cycle the Seed NDRNG utilizing in DRBG registers chip. Entry Key-to- free running entity association: 512 bits oscillators to Key-to-entity N/A capture thermal association: noise. Only one DRBG Output: N/A seed key exists at any given point in Output Key-to- time. entity association: N/A. State of the module’s Generated within Reset DRBG or Stored in DRBG Entry: N/A DRBG SP800-90A. the module’s power cycle the registers. State SP800-90A chip. Entry Key-to- (values DRBG. Key-to-entity entity association: V and C) association: N/A The DRBG maintains one state Output: N/A at a given time. Output Key-to- entity association: N/A. Definition of Public Keys: The following are public keys contained in the module. Table 10 - Public Keys Key Description/Usage Generation Storage Entry/Output Used by the operator to Computed Stored only stored Entry: N/A KDI-EC-PUB authenticate the internally upon temporarily in the cryptographic module in a each get_info scratch RAM Entry Key-to-entity 256 bit ECDSA mutually authenticated request per during the association: N/A public key. A secure session ECDSA processing of the unique value algorithm get_info service Output: as the result for each of get_info service module. Key-to-entity association: Output Key-to-entity Public part of the association: device identity key. embedded in the get_info command response. Page 18 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Used to establish an ECDH Ephemeral public Stored only stored Entry: N/A KECDH-PUB based session. key generated temporarily in the Entry Key-to-entity internally for on scratch RAM 256 bit public association: N/A non- SP800-56A during the process ephemeral compliant ECDH of establishing the Output: as the result ECDH key of ECDH session, of the ECDH key the erased after the exchange cryptographic session key is module Output Key-to-entity established association: embedded in the Key-to-entity command response association: for ECDH key Public key of the exchange. ephemeral ECDH key pair. Used to establish an ECDH Ephemeral public Stored only stored Entry: input of the KECDH-OP- based session. key generated temporarily in the ECDH key exchange PUB and signed by the scratch RAM Entry Key-to-entity operator, pass during the process 256 bit public association: into the of establishing the ephemeral embedded in the cryptographic ECDH session, ECDH key of command for ECDH module during erased after the the operator key exchange. ECDH session session key is key exchange established Output: NA Output Key-to-entity Key-to-entity association: NA association: Associated with the authentication session. Only one session is active. Used to perform signature N/A Stored in the Entry: Entered into KAPP-PUB verification during the RSA, volatile “key cache” the module by the DSA or ECDSA Signature within the [Scratch Load Key service. 2048 bit DSA Verification services. RAM] block on the block diagram. Entry Key-to-entity 2048 bit RSA association: This is a Key-to-entity public key that is 256 bit ECDSA association: associated with the “key cache” handle. private key member of Note this handle is a key-pair. passed back to the application that Output: N/A requested the entry of the key so that Output Key-to-entity the application can association: N/A. request signature verification with the key at a later point in time. Page 19 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 Key Description/Usage Generation Storage Entry/Output Operator’s public key N/A Stored in the on- Entry: Embedded in KOP-PUB chip RAM. the SBI during the manufacturing Used to authenticate the 256 bit ECDSA process. operator during an ECDH Key-to-entity secure session. association: This key is located Entry Key-to-entity at a fixed offset of association: This is a the SBI image public key that is known to the associated with the implementation of private key member of the cryptographic a key-pair. module. Output: N/A Output Key-to-entity association: N/A. Definition of CSPs Modes of Access Table 9 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: • G = Generate: The module generates the CSP. • R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP. • W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, or the module generates a CSP, or the module overwrites an existing CSP. • Z = Zeroize: The module zeroizes the CSP. Table 11 - CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation C.O. User Generate Key G KAPP-AES X X G KAPP-HMAC For each service call a handle to the generated key will be passed back to the operator. AES Encrypt R KAPP-AES X X For each service request the operator will indicate which KAPP-AES key to use by passing in the key’s handle as input. Page 20 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 AES Decrypt R KAPP-AES X X For each service request the operator will indicate which KAPP-AES key to use by passing in the key’s handle as input. SHA-256 N/A X X Hashing Load Key W KAPP-PUB X X W KAPP-AES W KAPP-HMAC For each service request a handle to the loaded key will be passed back to the operator. RSA R KAPP-PUB X X Signature For each service request the operator will indicated which Verification KAPP-PUB RSA key to use by passing in the key’s handle as input. DSA R KAPP-PUB X X Signature For each service request the operator will indicated which Verification KAPP-PUB DSA key to use by passing in the key’s handle as input. ECDSA R KAPP-PUB X X Signature For each service request the operator will indicated which Verification KAPP-PUB ECDSA key to use by passing in the key’s handle as input. RSA R KAPP-PRIV X X Signature For each service request the operator will indicated which Generation KAPP-PRIV RSA key to use by passing in the key’s handle as input. DSA R KAPP-PRIV X X Signature For each service request the operator will indicated which Generation KAPP-PRIV DSA key to use by passing in the key’s handle as input. ECDSA R KAPP-PRIV X X Signature For each service request the operator will indicated which Generation KAPP-PRIV ECDSA key to use by passing in the key’s handle as input. Generate R DRBG Seed (note: a new Seed is generated for each call X X Random to service Generate Random Number). Number R DRBG Internal State The DRBG is seeded with the Seed. The random number Page 21 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 generated by the DRBG is returned to the operator requesting the service. ECDiffie- R KDI-EC-PRIV X X Hellman Key R K ECDH-PRIV Exchange R KOP-PUB G KECDH-PUB R KECDH-OP-PUB G KECDH-SS G Kss The operator establishes a secure ECDH key exchange session with a derived session key Kss HMAC Request R KAPP-HMAC X X For each service request the operator will indicated which key to use by passing in key handles as input. N/A X X Self Test N/A X X Show Status R KDI-EC-PUB X X Gen Info NA X X Gen Version 7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the module does not contain a modifiable operational environment. 8. Security Rules This section documents the security rules enforced by the BCM58100 Series Cryptographic Module to implement the security requirements for a FIPS 140-2 Level 3 module. 1. The module indicates when the device is in the Approved mode of operation. 2. The module implements one approved mode of operation. Power-cycling zeroizes all volatile plaintext critical security parameters. 3. Prior to completion of all FIPS power-on self-tests the module performs several special initialization period functions (e.g., RAM Memory BIST Read/Write, and OTP Checksum). Failure during these special initialization period functions causes a chip reset. Subsequent to the special initialization period functions any failure in a FIPS power-on self-test cause the ERROR status to be issued followed by a chip reset. 4. No hardware, software, or firmware components of the cryptographic module are excluded from the security requirements of FIPS 140-2. Page 22 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 5. The module restricts all information flow and physical access points to physical ports and logical interfaces that define all entry and exit points to and from the module. 6. All data output via the data output interface are inhibited when an error state exists and during self-tests. 7. The output data paths are logically disconnected from the circuitry and processes that perform key generation, and key zeroization. 8. The module never outputs plaintext cryptographic keys or CSPs or sensitive data. 9. Status information never contains CSPs or sensitive data that if misused could lead to a compromise of the module 10. The module provides two operator roles. These are the User role, and the Cryptographic-Officer role. 11. The module does not support concurrent operators. 12. The module does not support a maintenance role. 13. The module does not support a bypass capability. 14. The module supports identity-based authentication. 15. When the module is powered off and subsequently powered on, the results of previous authentications are not retained and the module requires the operator to be re-authenticated. 16. Authentication data within the module is protected against unauthorized disclosure, modification, and substitution. 17. The module contains the authentication data required to authenticate the operator for the first time. 18. For each attempt to use the authentication mechanism the probability is less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur. 19. For multiple attempts to use the authentication mechanism during a one-minute period the probability is less than one in 100,000 that a random attempt will succeed or a false acceptance will occur. 20. The module’s authentication mechanism does not supply any feedback information to the operator. 21. Recovery from “soft” error states is possible via power-cycling. Recovery from “hard” error states is not possible. 22. The module is physically protected with a production-grade hard opaque tamper evident encapsulating material. 23. The module does not contain any doors or removable covers. 24. Secret keys, private keys, and CSPs within the module are protected from unauthorized disclosure, modification, and substitution. 25. Public keys within the module are protected against unauthorized modification and Page 23 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 substitution. 26. Cryptographic keys generated by the module are generated using Approved key generation methods: FIPS 186-4 Appendix 3.1. 27. Compromising the security of the key generation methods requires as least as many operations as determining the value of the generated keys. 28. Seed keys are not entered into the module during the key generation process, they are gathered internally. 29. Intermediate key generation values are not output from the module. 30. Key establishment is performed via non-SP 800-56A ECDH (allowed as per FIPS 140-2 Implementation Guidance D.8). 31. Compromising the security of the key establishment method (2128) requires as many operations as determining the value of the cryptographic key being agreed upon (2128). 32. The module does not support manual key entry. 33. All secret and private keys entered into the module must be encrypted with an ECDH session key, 128-bit AES-CCM mode key. 34. The module does not support key entry via split knowledge procedures. 35. The module does not support a SW/FW Load service. 36. The module provides a method to zeroize all plaintext secret and private cryptographic keys and CSPs within the module (ZEROIZE PIN within the Secure Boot group physical interface turned high). 37. The module conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B (i.e., for home use). 38. The module performs the following self-tests: a. Power up Self-Tests: i. Cryptographic algorithm tests: • AES [SMAU – Generic Crypto/Auth] block KAT; encryption and decryption are done. • HMAC SHA256 [SMAU – Generic Crypto/Auth] block KAT, covers SHA256. • DRBG SP800-90A KAT. • RSA, signature generation and signature verification KATs. Key size of 2048 bit; hash size of 256 bit. • DSA, signature generation and signature verification PCT. Key size of 2048 bit; hash size of 256 bit. • ECDSA signature generation and signature verification KATs. Key size of 256 bit. • Non-SP SP800-56A ECDH: Page 24 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 • DLC primitives KAT. • Key Agreement KAT. • Key Derivation Function KAT. ii. Firmware Integrity Test: • BootROM: 32 bit checksum. • Secure Boot Image, SBI the authenticated software extension of the module’s Secure Boot Loader, is authenticated by Secure Boot Loader code when Secure Boot Loader code loads the SBI. Authentication is accomplished via 256 HMAC verification (the module also decrypts the SBI image with its 128 bit AES CSP, KAES). iii. Critical Functions Tests: • Memory BIST (Read/Write) • OTP Checksum Verification b. Conditional Self-Tests: i. Continuous Random Number Generator test – performed on NDRNG and DRBG. Block size for NDRNG test is 32 bytes. ii. Pair-wise consistency test for generated ECDH key pair. 39. The operator is capable of commanding the module to perform the power-up self-test via power cycling. 40. After a secure session is established, all data transfer between the operator and the cryptographic module is encrypted. Any key and secure material that enters and exits the cryptographic module is encrypted. This section documents the security rules imposed by the vendor: 1. The module does not support the update of the logical serial number or vendor ID. 2. Each 256-bit ECDSA operation takes > 8ms to perform. For each authentication attempt, the cryptographic module has to perform two ECDSA operations, one for ECDSA signature generation and the other for ECDSA signature verification before the operator can be authenticated. The operator can make no more than 3750 attempts in every minute even if attempts were made continuously. 9. Physical Security Policy Physical Security Mechanisms The BCM58100 Series Cryptographic Module includes the following physical security mechanisms: Page 25 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 • Production-grade hard opaque tamper evident potting encapsulating material. 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attack beyond the requirements of FIPS 140-2. 11. References • National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 27, 2000 – o http://csrc.nist.gov/publications/drafts.html • National Institute of Standards and Technology, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Special Publication 800-56A, March 2006. o http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-56-A-1 12. Definitions and Acronyms Advanced Encryption Standard as defined by FIPS197 and SP800-38A to AES: SP800-38D ECB, CBC, CTR, CCM Application Programming Interface API Built-In Self Test BIST A FIPS Critical Security Parameter CSP Discrete Logarithm Cryptography DLC Digital Signature Algorithm as defined by FIPS186-2 DSA Deterministic Random Bit Generator DRBG Elliptic-curve Diffie-Hellman algorithm ECDH Elliptic-curve Digital Signature Algorithm as defined by FIPS186-2 ECDSA Electromagnetic Interference/Electromagnetic Compatibility EMI/EMC Federal Information Processing Standard FIPS Firmware FW Page 26 Broadcom Ltd. BCM58100B0 Series Cryptographic Module Security Policy Version 0.8 2016-05-25 A keyed-Hash Message Authentication Code HMAC Hardware HW Joint Test Action Group – refer to the test interface standard as defined by JTAG IEEE 1149.1 Standard Low Pin Count interface LPC One Time Programmable memory. OTP Random Access Memory RAM Pseudorandom Number Generator RFID Read Only Memory ROM Rivest, Shamir, and Adleman algorithm for public key encryption RSA Secure Boot Image. Authenticated software extension of the module’s BOOT SBI ROM (note: SBI software is part of the BCM5880 Cryptographic Module). Simple Cryptographic Application Programming Interface (refer to the crypto SCAPI library of BCM5880 firmware that utilizes the cryptographic hardware of the BCM5880) Secure Hash Algorithm SHA Secure Memory Access Unit SMAU Synchronous Peripheral Interface SPI Static Random Access Memory SRAM Statistical Testing STS TESTING Software SW Trusted Platform Module TPM Non-Deterministic Random Number Generator NDRNG Universal Asynchronous Receiver/Transmitter UART Universal Serial Bus USB Page 27