FIPS 140-2 Non-Proprietary Security Policy for:
Toshiba TCG Enterprise SSC Self-Encrypting Solid State Drive (PX model) Type A

TOSHIBA CORPORATION
Rev 2.0.0
Aug 9, 2016

OVERVIEW
ACRONYMS
SECTION 1 – MODULE SPECIFICATION
SECTION 1.1 – PRODUCT VERSION
SECTION 2 – ROLES SERVICES AND AUTHENTICATION
SECTION 2.1 – SERVICES
SECTION 3 – PHYSICAL SECURITY
SECTION 4 – OPERATIONAL ENVIRONMENT
SECTION 5 – KEY MANAGEMENT
SECTION 6 – SELF TESTS
SECTION 7 – DESIGN ASSURANCE
SECTION 8 – MITIGATION OF OTHER ATTACKS
APPENDIX A – EMI/EMC

Overview

The Toshiba TCG Enterprise SSC Self-Encrypting Solid State Drive (listed in Section 1.1 Product Version) is used for solid state drive data security. This Cryptographic Module (CM) provides various cryptographic services using FIPS approved algorithms. Services include hardware-based data encryption, cryptographic erase, and FW download.

This CM is multiple-chip embedded, and the physical boundary of the CM is the entire SSD. The logical boundary is the SAS interface (same as the physical boundary). The physical interface for power supply and for communication is one SAS connector. The CM is connected to the host system by a SAS cable. The logical interface is the SAS, TCG SWG, and Enterprise SSC.

The CM has a non-volatile storage area not only for user data but also for the keys, CSPs, and FW. The latter storage area is called the “system area”, which is not logically accessible / addressable by the host application.

The CM is intended to meet the requirements of FIPS 140-2 Security Level 2 Overall. The table below shows the security level detail.

| Section | Level |
|---|---|
| 1. Cryptographic Module Specification | 2 |
| 2. Cryptographic Module Ports and Interfaces | 2 |
| 3. Roles, Services, and Authentication | 2 |
| 4. Finite State Model | 2 |
| 5. Physical Security | 2 |
| 6. Operational Environment | N/A |
| 7. Cryptographic Key Management | 2 |
| 8. EMI/EMC | 2 |
| 9. Self-Tests | 2 |
| 10. Design Assurance | 2 |
| 11. Mitigation of Other Attacks | N/A |
| Overall Level | 2 |

Table 1 - Security Level Detail

| Interface | Ports |
|---|---|
| Data Input | SAS connector |
| Control Input | SAS connector |
| Data Output | SAS connector |
| Status Output | SAS connector |
| Power Input | SAS connector |

Table 1-1 - Physical/Logical Port Mapping

This document is non-proprietary and may be reproduced in its original entirety.

Acronyms

AES: Advanced Encryption Standard
CM: Cryptographic Module
CSP: Critical Security Parameter
DRBG: Deterministic Random Bit Generator
EDC: Error Detection Code
FW: Firmware
HMAC: Keyed-Hashing for Message Authentication code
KAT: Known Answer Test
LBA: Logical Block Address
MSID: Manufactured SID
NDRNG: Non-Deterministic Random Number Generator
PCB: Printed Circuit Board
POST: Power on Self-Test
PSID: Printed SID
SED: Self-Encrypting Drive
SHA: Secure Hash Algorithm
SID: Security ID

Section 1 – Module Specification

The CM has one FIPS 140 approved mode of operation, and the CM is always in the approved mode of operation. The CM provides the services defined in Section 2.1 and other non-security related services.

Section 1.1 – Product Version

The following models are validated with the following FW version and HW version:

HW version:
A0 with PX04SVQ080B, PX04SVQ160B, PX04SRQ384B [1]
A1 with PX04SVQ080B, PX04SVQ160B, PX04SRQ384B [2]

FW version: ZZ01 [1], NA01 [2]

The PX04SxQxxxB with ZZ01 and NA01 varies the “Product ID” value of the INQUIRY command according to customer requirements. These “Product ID” values are X440_TPM3V800AMD, X577_TPM3V800AMD, X365_TPM3V1T6AMD, X366_TPM3V1T6AMD, X358_TPM3V3T8AME and X359_TPM3V3T8AME.

Section 2 – Roles Services and Authentication

This section describes roles, authentication method, and strength of authentication.

| Role Name | Role Type | Type of Authentication | Authentication | Authentication Strength | Multi Attempt Strength |
|---|---|---|---|---|---|
| EraseMaster | Crypto Officer | Role | PIN | 1/2^48 < 1/1,000,000 | 15,000 / 2^48 < 1 / 100,000 |
| SID | Crypto Officer | Role | PIN | 1/2^48 < 1/1,000,000 | 15,000 / 2^48 < 1 / 100,000 |
| BandMaster0 | User | Role | PIN | 1/2^48 < 1/1,000,000 | 15,000 / 2^48 < 1 / 100,000 |
| BandMaster1 | User | Role | PIN | 1/2^48 < 1/1,000,000 | 15,000 / 2^48 < 1 / 100,000 |
| … | … | … | … | … | … |
| BandMaster8 | User | Role | PIN | 1/2^48 < 1/1,000,000 | 15,000 / 2^48 < 1 / 100,000 |

Table 2 - Identification and Authentication Policy

Per the security policy rules, the minimum PIN length is 6 bytes.
Therefore the probability that a random attempt will succeed is 1/2^48 < 1/1,000,000 (6 bytes × 8 bits = 48 bits; the CM accepts any value (0x00-0xFF) as each byte of the PIN). The CM waits 4 msec when an authentication attempt fails, so the maximum number of authentication attempts is 15,000 in 1 min. Therefore the probability that random attempts in 1 min will succeed is 15,000 / 2^48 < 1 / 100,000. Even if TryLimit (footnote 1) is infinite, the probability that random attempts will succeed is the same.

Footnote 1: TryLimit is the upper limit on authentication failures for each role.

Section 2.1 – Services

This section describes the services which the CM provides.

| Service | Description | Role(s) | Keys & CSPs | RWX (Read, Write, eXecute) | Algorithm (CAVP Certification Number) | Method |
|---|---|---|---|---|---|---|
| Band Lock/Unlock | Block or allow read (decrypt) / write (encrypt) of user data in a band. Locking also requires read/write locking to be enabled | BandMaster0 … BandMaster8 | Table MAC Key | X | HMAC-SHA256 (#2231) | SECURITY PROTOCOL IN (TCG Set Method Result) |
| Cryptographic Erase | Erase user data (in cryptographic means) by changing the data encryption key | EraseMaster | MEK(s) | W | Hash_DRBG (#867) | SECURITY PROTOCOL IN (TCG Erase Method Result) |
| | | | RKey | X | AES256-CBC (#3485) | |
| | | | Table MAC Key | X | HMAC-SHA256 (#2231) | |
| Data read/write (decrypt/encrypt) | Encryption / decryption of unlocked user data to/from band | None (footnote 2) | MEKs | X | AES256-XTS-R (#3487), AES256-XTS-W (#3486) | SCSI READ/WRITE Commands |
| Firmware Download | Enable / Disable firmware download and load a complete firmware image, and save it. If the code passes “Firmware load test”, the device is reset and will run with the new code. | SID | PubKey | X | RSASSA-PKCS#1-v1_5 (#1795) | SECURITY PROTOCOL IN (TCG Set Method Result), SCSI WRITE BUFFER |
| | | | Table MAC Key | X | HMAC-SHA256 (#2231) | |
| RandomNumber generation | Provide a random number generated by the CM | None | Seed | R | Hash_DRBG (#867) | SECURITY PROTOCOL IN (TCG Random Method Result) |
| Reset (run POSTs) | Runs POSTs and delete CSPs in RAM | None | N/A | N/A | N/A | Power on reset |
| Set band position and size | Set the location and size of the LBA range | BandMaster0 … BandMaster8 | Table MAC Key | X | HMAC-SHA256 (#2231) | SECURITY PROTOCOL IN (TCG Set Method Result) |
| Set PIN | Setting PIN (authentication data) | EraseMaster, SID, BandMaster0 … BandMaster8 (footnote 3) | RKey | X | AES256-CBC (#3485) | SECURITY PROTOCOL IN (TCG Set Method Result) |
| | | | Table MAC Key | X | HMAC-SHA256 (#2231) | |
| | | | | | SHA256 (#2879) | |
| Show Status | Report status of the CM | None | N/A | N/A | N/A | SCSI REQUEST SENSE |
| Zeroization | Erase user data in all bands by changing the data encryption key, initialize range settings, and reset PINs for TCG | None (footnote 4) | RKey | X,W | AES256-CBC (#3485) | SECURITY PROTOCOL IN (TCG RevertSP Method Result) |
| | | | Table MAC Key | X,W | HMAC-SHA256 (#2231) | |
| | | | MEKs | W | Hash_DRBG (#867) | |
| | | | PIN | W | | |

Table 3 - FIPS Approved services

Footnote 2: The band has to be unlocked by corresponding BandMaster beforehand.
Footnote 3: For PIN of themselves.
Footnote 4: Need to input PSID, which is a public drive-unique value used for the TCG RevertSP method. The PSID is printed on the identification label of the module.

| Algorithm | CAVP Certification Number |
|---|---|
| AES256-CBC | #3485 |
| AES256-XTS-R | #3487 |
| AES256-XTS-W | #3486 |
| SHA256 (SEC CPU) | #2879 |
| HMAC-SHA256 (SEC CPU) | #2231 |
| RSASSA-PKCS#1-v1_5 | #1795 |
| Hash_DRBG | #867 |

Table 4 - FIPS Approved Algorithms

| Algorithm | Description |
|---|---|
| NDRNG | Hardware RNG used to seed the approved Hash_DRBG. Minimum entropy of 8 bits is 7.53. |

Table 4-1 - Non-FIPS Approved Algorithms

Section 3 – Physical Security

The CM has the following physical security:

- Production-grade components with standard passivation
- Exterior of the drive is opaque
- Five tamper-evident security seals are applied to the CM in factory
- Three opaque and tamper-evident security seals (VOID LABEL H, VOID LABEL J and VOID LABEL K) are applied to the side of the CM and the edge of OUTER SHEET (footnote 5). These seals prevent cover removal and prevent an attacker from accessing the PCB
- Two opaque and tamper-evident security seals (VOID LABEL F and VOID LABEL G) are applied to the side of the CM. These seals prevent cover removal
- The tamper-evident security seals cannot be penetrated or removed and reapplied without tamper-evidence

Footnote 5: OUTER SHEET is an opaque seal covering some holes of the top cover. It cannot leave a "VOID" message, but leaves the evidence of the cut.

The operator is required to inspect the CM periodically (every month or every two months) for one or more of the following tamper evidence. If the operator discovers tamper evidence, the CM should be removed.

- Message “VOID” on security seal or the CM
- Text on security seals does not match the original
- Cutting line on security seal or OUTER SHEET
- Security seal cutouts do not match the original

[Figures: mark of alphabetic character(s) which constitute the word “VOID”; cutting line (security seals and OUTER SHEET)]

Section 4 – Operational Environment

Operational Environment requirements are not applicable because the CM operates in a “non-modifiable” operational environment; that is, the CM cannot be modified and no code can be added or deleted.

Section 5 – Key Management

The CM uses keys and CSPs in the following table.

| Key/CSP | Length | Type | Zeroize Method | Establishment | Output | Persistence/Storage |
|---|---|---|---|---|---|---|
| BandMaster/EraseMaster/SID PINs | 256 | PIN | Zeroization service | Electronic input | No | SHA digest / System Area |
| MEKs | 512 | Symmetric | Zeroization service | DRBG | No | Encrypted by RKey / System Area |
| MSID | 256 | Public | N/A (Public) | Manufacturing | Output: Host can retrieve | Plain / System Area |
| PubKey | 2048 | Public | N/A (Public) | Manufacturing | No | Plain / System Area |
| RKey | 256 | Symmetric | Zeroization service | DRBG | No | Obfuscated (Plain in FIPS means) / System Area |
| Seed | 440 | DRBG seed | Power-Off | Entropy collected from NDRNG at instantiation (Minimum entropy of 8 bits: 7.53) | No | Plain / RAM |
| Table MAC Key | 256 | HMAC Key | Zeroization service | DRBG | No | Encrypted by RKey / System Area |

Note that there is no security-relevant audit feature and audit data.

Section 6 – Self Tests

The CM runs the self-tests in the following table.

| Function | Self-Test Type | Abstract | Failure Behavior |
|---|---|---|---|
| Firmware Integrity Check | Power-On | EDC 32-bit | Enters Boot Error State. |
| SHA256 (F.E CPU) | Power-On | Digest KAT | Enters Boot Error State. |
| SHA256 (SEC CPU) | Power-On | Digest KAT | Enters Boot Error State. |
| HMAC-SHA256 (F.E CPU) | Power-On | Digest KAT | Enters Boot Error State. |
| HMAC-SHA256 (SEC CPU) | Power-On | Digest KAT | Enters Boot Error State. |
| AES256-CBC | Power-On | Encrypt and Decrypt KAT | Enters Boot Error State. |
| AES256-XTS-R | Power-On | Decrypt KAT | Enters Boot Error State. |
| AES256-XTS-W | Power-On | Encrypt KAT | Enters Boot Error State. |
| Hash_DRBG | Power-On | DRBG KAT | Enters Boot Error State. |
| RSASSA-PKCS#1-v1_5 | Power-On | Signature verification KAT | Enters Boot Error State. |
| Hash_DRBG | Conditional | Verify newly generated random number not equal to previous one | Enters Error State. |
| NDRNG | Conditional | Verify newly generated random number not equal to previous one | Enters Error State. |
| Firmware load test | Conditional | Verify signature of downloaded firmware image by RSASSA-PKCS#1-v1_5 | Incoming firmware image is not loaded and is not saved. |

When the CM continues to enter the error state despite several reboot attempts, the CM may be sent back to the factory to recover from the error state.

Section 7 – Design Assurance

The initial operations to set up this module are as follows:

1. Get MSID from SAS interface.
2. Set range configurations with BandMaster(s) authority by using MSID as PIN.
3. Change BandMaster(s)/EraseMaster/SID PINs.
4. Set PortLocked in Download port to “TRUE”.

For more details, refer to the guidance document provided with the CM.

Section 8 – Mitigation of Other Attacks

The CM does not mitigate other attacks beyond the scope of FIPS 140-2 requirements.

Appendix A – EMI/EMC

FIPS 140-2 requires the Federal Communications Commission (FCC) ID, but this CM does not have an FCC ID because it is a device described in Subpart B, Class A of FCC 47 Code of Federal Regulations Part 15. However, all systems using this CM and sold in the United States must meet these applicable FCC requirements.
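
As an added example (not code from this policy or from the module's firmware), the conditional Hash_DRBG and NDRNG test listed in Section 6, "verify newly generated random number not equal to previous one", can be modelled in Python as below, including the latched error state. The class and function names, the 16-byte block size and the replay source are assumptions made for illustration.

```python
import os

class RngErrorState(Exception):
    """Raised when the continuous test fails or the wrapper is already failed."""

class ContinuousTestedRng:
    """Wraps a block source with the 'not equal to previous one' test."""

    def __init__(self, source, block_size=16):
        self._source = source          # assumed interface: callable(n) -> n bytes
        self._block_size = block_size  # assumed size; the policy states none
        self.failed = False
        # FIPS 140-2 section 4.9.2: the first block after power-up is not
        # output, it is only saved for comparison with the next block.
        self._previous = self._read_block()

    def _read_block(self):
        block = self._source(self._block_size)
        if len(block) != self._block_size:
            self.failed = True
            raise RngErrorState("short read from source")
        return block

    def next_block(self):
        if self.failed:                # latched until the object is re-created
            raise RngErrorState("already in error state")
        block = self._read_block()
        if block == self._previous:
            self.failed = True
            raise RngErrorState("block equals the previous one")
        self._previous = block
        return block

def replay_source(blocks):
    """Constructed stand-in for a faulty generator: replays fixed blocks."""
    it = iter(blocks)
    return lambda n: next(it)

def demo():
    healthy = ContinuousTestedRng(os.urandom)
    produced = [healthy.next_block() for _ in range(4)]
    stuck = ContinuousTestedRng(replay_source([b"A" * 16, b"B" * 16, b"B" * 16]))
    first = stuck.next_block()         # b"B" * 16; the b"A" block was held back
    try:
        stuck.next_block()             # second b"B" block repeats -> error state
    except RngErrorState:
        pass
    return len(produced), first, stuck.failed
```

Re-creating the wrapper stands in for the reboot that Section 6 describes as the way out of the error state.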