IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Table of Contents References  .................................................................................................................................................. 4  . Acronyms and definitions ........................................................................................................................ 5  1  Introduction ................................................................................................................................... 6  IDPrime MD Applet ......................................................................................... 7  1.1  2  Cryptographic Module Ports and Interfaces ............................................................................ 8  Hardware and Physical Cryptographic Boundary ................................................... 8  2.1  PIN Assignments and Contact Dimensions............................................................... 8  2.1.1  3  Cryptographic Module Specification ....................................................................................... 10  Firmware and Logical Cryptographic Boundary .................................................... 10  3.1  Versions and mode of operation ....................................................................... 11  3.2  Cryptographic Functionality............................................................................. 16  3.3  4  Platform Critical Security Parameters .................................................................................... 18  IDPrime MD Applet Critical Security Parameters ................................................... 18  4.1  IDPrime MD Applet Public Keys ........................................................................ 20  4.2  5  Roles, Authentication and Services ........................................................................................ 21  5.1  Secure Channel Protocol (SCP) Authentication .................................................... 21  IDPrime MD User Authentication ....................................................................... 22  5.2  5.3  IDPrime MD Card Application Administrator Authentication (ICAA) ........................... 22  Platform Services .......................................................................................... 23  5.4  IDPRIME MD Services ..................................................................................... 25  5.5  6  Finite State Model ..................................................................................................................... 28  7  Physical Security Policy ........................................................................................................... 28  8  Operational Environment ......................................................................................................... 28  9  Electromagnetic Interference and Compatibility (EMI/EMC) .............................................. 28  10  Self-test ....................................................................................................................................... 29  Power-on Self-test ......................................................................................... 29  10.1  Conditional Self-tests ..................................................................................... 29  10.2  11  Design Assurance ..................................................................................................................... 30  Configuration Management .............................................................................. 30  11.1  Delivery and Operation ................................................................................... 30  11.2  Guidance Documents ..................................................................................... 30  11.3  Language Level ............................................................................................ 30  11.4  12  Mitigation of Other Attacks Policy ........................................................................................... 30  13  Security Rules and Guidance .................................................................................................. 30  Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 2/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Table of Tables Table 1 – References ................................................................................................... 5  Table 2 – Acronyms and Definitions .................................................................................. 5  Table 3 – Security Level of Security Requirements ................................................................ 6  Table 4 - Contact Plate Pad List – Interfaces ....................................................................... 9  Table 5 - Voltage and Frequency Ranges ........................................................................... 9  Table 6 –Versions and Mode of Operations Indicators ........................................................... 14  Table 7 – Applet Version and Software Version imput data...................................................... 15  Table 8 –Applet Version returned value ............................................................................ 15  Table 9 –Software Version Returned Values....................................................................... 15  Table 10 – FIPS Approved Cryptographic Functions ............................................................. 16  Table 11 – Non-FIPS Approved But Allowed Cryptographic Functions ........................................ 17  Table 12 - Platform Critical Security Parameters .................................................................. 18  Table 13 – IDPrime MD Applet Critical Security Parameters .................................................... 19  Table 14 – IDPrime MD Applet Public Keys ........................................................................ 20  Table 15 - Role Description ........................................................................................... 21  Table 16 - Unauthenticated Services and CSP Usage........................................................... 23  Table 17 – Authenticated Card Manager Services and CSP Usage ........................................... 24  Table 18 – IDPrime MD Applet Services and CSP Usage ....................................................... 27  Table 19 – MSPNP applet Services ................................................................................. 28  Table 20 – Power-On Self-Test ...................................................................................... 29  Table of Figures Figure 1 – Contact Module Views..................................................................................... 8  Figure 2 – Contact Plate Example – Contact Physical Interface ................................................. 9  Figure 3 - Module Block Diagram .................................................................................... 10  Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 3/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 References Acronym Full Specification Name NIST, Security Requirements for Cryptographic Modules, May 25, 2001 [FIPS140-2] CHANGE NOTICES (12-03-2002) GlobalPlatform Consortium: GlobalPlatform Card Specification 2.1.1, March 2003, http://www.globalplatform.org [GlobalPlatform] GlobalPlatform Consortium: GlobalPlatform Card Specification 2.1.1 Amendment A, March 2004 GlobalPlatform Consortium: GlobalPlatform Card Specification 2.2 Amendment D, Sept 2009 ISO/IEC 7816-1: 1998 Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics ISO/IEC 7816-2:2007 Identification cards -- Integrated circuit cards -- Part 2: Cards with contacts -- Dimensions and location of the contacts [ISO 7816] ISO/IEC 7816-3:2006 Identification cards -- Integrated circuit cards -- Part 3: Cards with contacts -- Electrical interface and transmission protocols ISO/IEC 7816-4:2005 Identification cards -- Integrated circuit cards -- Part 4: Organization, security and commands for interchange Java Card 2.2.2 Runtime Environment (JCRE) Specification Java Card 2.2.2 Virtual Machine (JCVM) Specification [JavaCard] Java Card 2.2.2 Application Programming Interface Java Card 3.0.1 Application Programming Interface [only for algos ECDSA, SHA2] Published by Sun Microsystems, March 2006 NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of [SP800-131A] Cryptographic Algorithms and Key Lengths, Revision 1, November 2015 NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm [SP 800-67] (TDEA) Block Cipher, version 1.2, July 2011 NIST, Computer Data Authentication, FIPS Publication 113, 30 May 1985. [FIPS 113] NIST, Advanced Encryption Standard (AES), FIPS Publication 197, November 26, 2001. [FIPS 197] PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002 [PKCS#1] NIST, Digital Signature Standard (DSS), FIPS Publication 186-4, July, 2013 (DSA2, RSA2 and [FIPS 186-4] ECDSA2) NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes [SP 800-56A] Using Discrete Logarithm Cryptography, March 2007 NIST, Secure Hash Standard, FIPS Publication 180-3, August 2015 [FIPS 180-4] NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012. This document defines symmetric key wrapping, [AESKeyWrap] Use of 2-Key TDES in lieu of AES is described in [IG] D.2. NIST, Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation [IG] Program, last updated 20 November 2015. [SP 800-90A] NIST, Recommendation for Random Number Generation Using Deterministic Random Bit Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 4/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Acronym Full Specification Name Generators, Special Publication 800-90A Revision 1, June 2015. NIST, Recommendation for Recommendation for Key Derivation Using Pseudorandom [SP 800-108] Functions, Special Publication 800-108, October 2009. Table 1 – References Acronyms and definitions Acronym Definition GP Global Platform CVC Card Verifiable Certificate MMU Memory Management Unit OP Open Platform RMI Remote Method Invocation Table 2 – Acronyms and Definitions Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 5/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 1 Introduction This document defines the Security Policy for the Gemalto IDCore30-revB platform and the ID Prime MD applet (IAS Classic V4.3.5) card called IDPrime MD 830-revB and herein denoted as Cryptographic Module. The Cryptographic Module or CM, validated to FIPS 140-2 overall Level 3, is a “contact-only” secure controller module implementing the Global Platform operational environment, with Card Manager, the IDPrime MD applet (associated to MSPNP applet V1.2). The CM is a limited operational environment under the FIPS 140-2 definitions. The CM includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-2 validation. The FIPS 140-2 security levels for the Module are as follows: Security Requirement Security Level Cryptographic Module Specification 3 Cryptographic Module Ports and Interfaces 3 Roles, Services, and Authentication 3 Finite State Model 3 Physical Security 3 Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 3 Self-Tests 3 Design Assurance 3 Mitigation of Other Attacks 3 Table 3 – Security Level of Security Requirements The CM implementation is compliant with:  [ISO 7816] Parts 1-4  [JavaCard]  [GlobalPlatform] Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 6/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 1.1 IDPrime MD Applet IDPrime MD Applet (called IAS Classic V4.3.5) is a Java applet that provides all the necessary functions to integrate a smart card in a public key infrastructure (PKI) system, suitable for identity and corporate security applications. It is also useful for storing information about the cardholder and any sensitive data. IDPrime MD Applet implements state–of–the–art security and conforms to the latest standards for smart cards and PKI applications. It is also fully compliant with digital signature law. The IDPrime MD Applet, designed for use on JavaCard 2.2.2 and Global Platform 2.1.1 compliant smart cards. The main features of IDPrime MD Applet are as follows:  Digital signatures—these are used to ensure the integrity and authenticity of a message. (RSA, ECDSA)  Storage of sensitive data based on security attributes  PIN management.  Secure messaging based on the AES algorithms.  Public key cryptography, allowing for RSA keys and ECDSA keys  Storage of digital certificates—these are issued by a trusted body known as a certification authority (CA) and are typically used in PKI authentication schemes.  CVC verification  Decryption RSA , ECDH  On board key generation (RSA, ECDSA)  Mutual authentication between IDPrime MD Applet and the terminal (ECDH)  Support of integrity on data to be signed.  Secure Key Injection according to Microsoft scheme.  Touch Sense feature (not available on smart card, only on Token)  PIN Single Sign On (PIN SSO) MSPNP applet is associated to IDPrime MD applet and offers:  GUID tag reading, defined in Microsoft Mini Driver specification. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 7/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 2 Cryptographic Module Ports and Interfaces 2.1 Hardware and Physical Cryptographic Boundary The CM is designed to be embedded into plastic card bodies, with a contact plate connection. The physical form of the CM is depicted in Figure 1 (to scale), with the cryptographic boundary indicated by the red outline. The module is a single integrated circuit die wire-bonded to a frame connected to a contact plate, enclosed in epoxy and mounted in a card body. The cryptographic boundary is the contact plate surface on the top side, and the surface of the epoxy on the bottom side. The Module relies on [ISO7816] card readers as input/output devices. WORLD RLT module   Rectangular punching   Oblong punching Bottom View – Black Epoxy Top View – Contact Plate Figure 1 – Contact Module Views 2.1.1 PIN Assignments and Contact Dimensions The CM conforms to the ISO 7816-1 and ISO 7816-2 specifications for physical characteristics, dimensions and contact location. The contact plate pads are assigned as shown below, with the corresponding interfaces given in Table 4. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 8/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Figure 2 – Contact Plate Example – Contact Physical Interface Contact No. Logical interface type Contact No. Logical interface type C1 VCC (Supply voltage) C5 GND (Ground) C2 RST (Reset signal) C6 Not connected C3 CLK (Clock signal) C7 I/O : Data in, data out, control in, status out C4 Not connected C8 Not connected Table 4 - Contact Plate Pad List – Interfaces The CM conforms to the ISO 7816-3 specifications for electrical signals and transmission protocols, with voltage and frequency operating ranges as shown in Table 5. Conditions Range Voltage 1.62 V and 5.5 V Frequency 1MHz to 10MHz Table 5 - Voltage and Frequency Ranges Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 9/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 3 Cryptographic Module Specification 3.1 Firmware and Logical Cryptographic Boundary Figure 3 below depicts the Module operational environment and applets. IDPrimeMD Applet Layer Applet API Card Manager JavaCard 2.2.2 / GP API Gemalto Proprietary 2.1.1 Runtime Environment JC 2.2.2 Javacard Platf orm Layer Virtual Machine JC 2.2.2 IDCore30 Native / Hardware Abstraction layer Memory Communication Crypto Libraries Manager (I/O) Hardware Power DES VCC, GND RAM CRC Mgmt Engine Clock CLK MMU AES Engine Timers Mgmt CPU IC Layer RSA / ECC ISO 7816 Sensors EEPROM Engine (UART) RST Reset Mgmt ROM HW RNG Figure 3 - Module Block Diagram The CM supports [ISO7816] T=0 and T=1 communication protocols. The CM provides services to both external devices and internal applets as the IDPrime MD. Applets, as IDPrime MD, access module functionalities via internal API entry points that are not exposed to external entities. External devices have access to CM services by sending APDU commands. The CM provides an execution sandbox for the IDPrime MD Applet and performs the requested services according to its roles and services security policy. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 10/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 The CM inhibits all data output via the data output interface while the module is in error state and during self-tests. The JavaCard API is an internal interface, available to applets. Only applet services are available at the card edge (the interfaces that cross the cryptographic boundary). The Javacard Runtime Environment implements the dispatcher, registry, loader, logical channel and RMI functionalities. The Virtual Machine implements the byte code interpreter, firewall, exception management and byte code optimizer functionalities. The Card Manager is the card administration entity – allowing authorized users to manage the card content, keys, and life cycle states. The Memory Manager implements services such as memory access, allocation, deletion, garbage collector. The Communication handler deals with the implementation of ATR, PSS, T=0 and T=1 protocols. The Cryptography Libraries implement the algorithms listed in Section 2. 3.2 Versions and mode of operation Hardware: SLE78CFX3000PH Firmware: IDCore30-revB - Build 06, IDPrime MD Applet version V4.3.5.D and MSPNP Applet V1.2 The CM is always in the approved mode of operation. To verify that a CM is in the approved mode of operation, select the Card Manager and send the GET DATA commands shown below: Le (Expected response Field CLA INS P1-P2 (Tag) Purpose length) Get CPLC data 9F-7F 2A Value 00 CA Identification information (proprietary tag) 01-03 1D Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 11/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 The CM responds with the following information: IDC30-revB - CPLC data (tag 9F7F) Byte Description Value Value meaning 1-2 IC fabricator Infineon 4090h 7901 3-4 IC type SLE78CFX3000PH 5-6 Operating system identifier Gemalto 1291 Operating system release date 5356 7-8 Operating System release Date (YDDD) – Y=Year, DDD=Day in the year 9-10 Operating system release level V2.0 0200h xxxxh 11-12 IC fabrication date Filled in during IC manufacturing xxxxxxxxh 13-16 IC serial number Filled in during IC manufacturing xxxxh 17-18 IC batch identifier Filled in during IC manufacturing xxxxh 19-20 IC module fabricator Filled in during module manufacturing xxxxh 21-22 IC module packaging date Filled in during module manufacturing xxxxh 23-24 ICC manufacturer Filled in during module embedding xxxxh 25-26 IC embedding date Filled in during module embedding xxxxh 27-28 IC pre-personalizer Filled in during smartcard preperso xxxxh 29-30 IC pre-personalization date Filled in during smartcard preperso xxxxxxxxh 31-34 IC pre-personalization equipment identifier Filled in during smartcard preperso xxxxh 35-36 IC personalizer Filled in during smartcard personalization xxxxh 37-38 IC personalization date Filled in during smartcard personalization xxxxxxxxh 39-42 IC personalization equipment identifier Filled in during smartcard personalization Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 12/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 IDC30-revB - Identification data (tag 0103) Byte Description Value Value meaning 1 Gemalto Family Name Javacard B0 2 Gemalto OS Name IDCore family (OA) 84 56 3 Gemalto Mask Number G286 51 4 Gemalto Product Name IDCore30-revB X is the type of SCP: 2xh for SCP0300 flows   3xh for SCP0310 flows Y: is the version of the flow (x=1 for version 01). XY 5 Gemalto Flow Version For instance: 21h = SCP0300 - flow 01 (version 01)  31h = SCP0310 - flow 01 (version 01)  Major nibble: filter family = 00h  00 6 Gemalto Filter Set Lower nibble: version of the filter = 00h  4090 7-8 Chip Manufacturer Infineon 9-10 Chip Version SLE78CFX3000PH 7901 MSByte: b8 : 1 = conformity to FIPS certificate b7 : 0 = not applicable b6 : 0 = not applicable b5 : 0 = not applicable b4 : 1 = ECC supported b3 : 1 = RSA CRT supported b2 : 1 = RSA STD supported 8D00 11-12 FIPS configuration b1 : 1 = AES supported LSByte: b8 .. b5 : 0 = not applicable b4 : 0 = not applicable (ECC in contactless) b3 : 0 = not applicable (RSA CRT in contactless) b2 : 0 = not applicable (RSA STD in contactless) b1 : 0 = not applicable (AES in contactless) For instance: Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 13/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 8F 00 = FIPS enable (CT only)–AES-RSA CRT/STD-ECC (Full FIPS) 8D 00 = FIPS enable (CT only)–AES-RSA CRT-ECC (FIPS PK CRT) * 85 00 = FIPS enable (CT only)–AES-RSA CRT (FIPS RSA CRT) 00 00 = FIPS disable (CT only)–No FIPS mode (No FIPS) (* default configuration) 03 = FIPS Level 3 FIPS Level for IDPrime 03 13 MD product 14-29 RFU - xx..xxh Table 6 –Versions and Mode of Operations Indicators Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 14/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 The IDPrime MD 830 is identified with an applet version and a software version as follow: Field CLA INS P1-P2 (Tag) Le (Expected response length) Purpose Get Applet Version DF-30 07 Value 00 CA Get Software Version 7F-30 19 Table 7 – Applet Version and Software Version imput data The Applet version is returned without any TLV format as follows: IDPrimeMD 830 – Applet Version Data (tag DF30) Value Value Meaning Applet Version 34 2E 33 2E 35 2E 44 Display value = ‘4.3.5.D’ Table 8 –Applet Version returned value The Software Version is returned in TLV format as follows: IDPrimeMD 830 – Software Version Data (tag 7F30) Tag Length 7F30 17 Tag Length Value Value meaning Software Version C0 0E 34 2E 33 2E 35 2E 44 Display value = ‘4.3.5.D’ Applet Label 49 41 53 20 43 6C 61 73 73 C1 07 69 63 20 76 34 Display value = ‘IAS Classic v4’ Table 9 –Software Version Returned Values Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 15/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 3.3 Cryptographic Functionality The Module operating system implements the FIPS Approved and Non-FIPS Approved cryptographic function listed in Tables below. Algorithm Description Cert # [SP 800-90] Deterministic Random Number Generators [CTR_DRBG DRBG 1045 mode based on AES] [SP 800-67] Triple Data Encryption Algorithm. The Module supports the 3- Key options; CBC and ECB modes. Note that the Module does not support Triple-DES 2100 a mechanism that would allow collection of plaintext / ciphertext pairs aside from authentication, limited in use by a counter. [FIPS 197] Advanced Encryption Standard algorithm. The Module supports AES 3779 128-, 192- and 256-bit key lengths with ECB and CBC modes. AES CMAC AES CMAC The Module supports 128-, 192- and 256-bit key lengths. 3779 [SP 800-108] KDF for AES CMAC. The Module supports 128-, 192- and KBKDF 81 256-bit key lengths. [FIPS 186-4] RSA signature generation, verification, and key pair generation. The Module follows PKCS#1 and is CAVP validated for 2048 RSA 1946 bit key length. [FIPS 186-4] RSA signature generation, verification, CRT key pair generation. The Module follows PKCS#1 and is CAVP validated for 2048 RSA CRT 1947 bit key length. SP 800-56B Key wrapping using 2048 bit keys. Key establishment methodology provides 112 bits of strength Vendor RSA Key Wrap Affirmed Vendor affirmed, based on OAEP scheme as described in SP800-56B for PKCS1 v2.1. ( Unwrapped output provided under Secure Messaging ) [FIPS 186-4] Elliptic Curve Digital Signature Algorithm: signature generation, verification and key pair generation. The Module is CAVP ECDSA 814 validated for the NIST defined P-224, P-256, P-384 and P-521 curves. [SP 800-56A] The Section 5.7.1.2 ECC CDH Primitive. The Module is CAVP validated for the NIST defined P-224, P-256, P-384 and P-521 ECC-CDH 719 curves. SHA-1, SHA-224, SHA- [FIPS 180-4] Secure Hash Standard compliant one-way (hash) algorithms. 3146 256, SHA-384, SHA-512 Table 10 – FIPS Approved Cryptographic Functions Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 16/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Algorithm Description Key wrapping using 128, 192, or 256 bit keys (based on AES Cert. #3779). AES key wrap Key establishment methodology provides 128, 192, or 256 bits of strength. Key wrapping using 2048 bit keys. Key establishment methodology provides 112 bits of strength; non-compliant less than RSA key wrap 112 bits of encryption strength) (for PKCS1 v1.5) NIST defined, P-224, P-256, P-384 and P-521 curves. EC Diffie-Hellman key Key establishment methodology provides 112, 128, or 192 bits of strength. agreement Used to seed the [SP800-90A] DRBG. NDRNG Table 11 – Non-FIPS Approved But Allowed Cryptographic Functions The CM includes an uncallable DES implementation. This algorithm is not used and no security claims are made for its presence in the Module. FIPS approved security functions used specifically by the IDPrime MD Applet are:  DRBG  AES CMAC  AES  TDES  RSA  ECDSA  SHA-1, SHA-224, SHA-256, SHA-384, SHA-512  ECC-CDH (Note: no security function is used in MSPNP applet) Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 17/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 4 Platform Critical Security Parameters All CSPs used by the CM are described in this section. All usages of these CSPs by the CM are described in the services detailed in Section 5. Key Description / Usage 256-bit random drawn by the TRNG HW chip (AIS-31PTG.2), used as a seed key for OS-RNG-SEED-KEY the [SP 800-90A] DRBG implementation. 16-byte random value and 16-byte counter value used in the [SP 800-90] DRBG implementation. OS-RNG-STATE 16-byte AES state V and 16-byte AES key used in the [SP800-90A] CTR DRBG implementation. 4 to 16 bytes Global PIN value managed by the ISD. Character space is not restricted OS-GLOBALPIN by the module. OS-MKDK AES-128/192/256 (SCP03) key used to encrypt OS-GLOBALPIN value SD-KENC AES-128/192/256 (SCP03) Master key used by the CO role to generate SD-SENC AES-128/192/256 (SCP03) Master key used by the CO role operator to generate SD- SD-KMAC SMAC AES-128/192/256 (SCP03) Sensitive data decryption key used by the USR role to SD-KDEK decrypt CSPs for SCP03. AES-128/192/256 (SCP03) Session encryption key used by the CO role to encrypt / SD-SENC decrypt secure channel data. AES-128/192/256 (SCP03) Session MAC key used by the CO role to verify inbound SD-SMAC secure channel data integrity. SD-SDEK AES-128/192/256 (SCP03) Session DEK key used by the CO role to decrypt CSPs. AES-128/192/256 (SCP03) key optionally loaded in the field and used to verify the DAP-SYM signature of packages loaded into the Module. Table 12 - Platform Critical Security Parameters Keys with the “SD-“ prefix pertain to a Global Platform Security Domain key set. The module supports the Issuer Security Domain at minimum, and can be configured to support Supplemental Security Domains. 4.1 IDPrime MD Applet Critical Security Parameters Key Description / Usage IAS-SC-SMAC-AES AES 128/192/256 Session key used for Secure Messaging (MAC) IAS-SC-SENC-AES AES 128/192/256 Session key used for Secure Messaging (Decryption) IAS-AS-RSA 2048- private part of the RSA key pair used for Asymmetric Signature Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 18/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 IAS-AS-ECDSA P-224, P-256, P-384, P-512, P-521 private part of the ECDSA key pair used for Asymmetric signature IAS-AC-RSA 2048- private part of the RSA key pair used for Asymmetric Cipher (key wrap, key unwrap) IAS-ECDH-ECC P-224, P-256, P-384, P-512, P-521 private part of the ECDH key pair used for shared key mechanism IAS-KG-AS-RSA 2048- private part of the RSA generated key pair used for Asymmetric signature IAS-KG-AS-ECDSA P-224, P-256, P-384, P-512, P-521 private part of the ECDSA generated key pair used for Asymmetric signature IAS-KG-AC-RSA 2048- private part of the RSA generated key pair used for Asymmetric cipher (key wrap, key unwrap) IAS-KG-AC-ECDH P-224, P-256, P-384, P-512, P-521 private part of the ECDSA generated key pair used for shared key mechanism IAS-ECDSA-AUTH- P-224, P-256, P-384, P-512, P-521 private part of the ECDSA private key used to ECC Authenticate the card IAS-SC-DES3 3-Key Triple-DES key used for authentication. IAS-SC-P-SKI-AES AES 128/192/256 Session key used for Secure Key Injection IAS-SC-T-SKI-AES AES 128/192/256 Session key used for Secure Key Injection IAS-SC-PIN-TDES 3-Key Triple-DES key used for PIN encryption (PIN History) IAS-OWNERPIN 4 to 64 byte PIN value managed by the Applet. Table 13 – IDPrime MD Applet Critical Security Parameters Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 19/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 4.2 IDPrime MD Applet Public Keys Key Description / Usage P-224, P-256, P-384, P-512, P-521 ECDH key pair used for Key Agreement (Session Key IAS-KA-ECDH computation) IASAS-CA-ECDSA- P-224, P-256, P-384, P-512, P-521 CA ECDSA Asymmetric public key entered into the PUB module used for CA Certificate Verification. IASAS-IFD-ECDSA- P-224, P-256, P-384, P-512, P-521 IFD ECDSA Asymmetric public key entered into the PUB module used for IFD Authentication. IAS-AS-RSA-PUB 2048- public part of RSA key pair used for Asymmetric Signature P-224, P-256, P-384, P-512, P-521 public part of ECDSA key pair used for Asymmetric IAS-AS-ECDSA-PUB signature IAS-AC-RSA-PUB 2048 public part of the RSA key pair used for Asymmetric Cipher (key wrap, key unwrap) P-224, P-256, P-384, P-512, P-521 public part of the ECDH key pair used for shared key IAS-ECDH-ECC-PUB mechanism IAS-KG-AS-RSA-PUB 2048- public part of the RSA generated key pair used for Asymmetric signature IAS-KG-AS-ECDSA- P-224, P-256, P-384, P-512, P-521 public part of the ECDSA generated key pair used for PUB Asymmetric signature 2048- public part of the RSA generated key pair used for Asymmetric cipher (key wrap, key IAS-KG-AC-RSA-PUB unwrap) IAS-KG-AC-ECDH- P-224, P-256, P-384, P-512, P-521 public part of the ECDSA generated key pair used for PUB shared key mechanism IAS-ECDSA-AUTH- P-224, P-256, P-384, P-512, P-521 public part of the ECDSA key pair used to Authenticate ECC-PUB the card Table 14 – IDPrime MD Applet Public Keys Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 20/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 5 Roles, Authentication and Services Table 15 lists all operator roles supported by the Module. This Module does not support a maintenance role. The Module clears previous authentications on power cycle. The Module supports GP logical channels, allowing multiple concurrent operators. Authentication of each operator and their access to roles and services is as described in this section, independent of logical channel usage. Only one operator at a time is permitted on a channel. Applet de-selection (including Card Manager), card reset or power down terminates the current authentication; re-authentication is required after any of these events for access to authenticated services. Authentication data is encrypted during entry (by SD-SDEK), is stored encrypted (by OS-MKDK) and is only accessible by authenticated services. Role ID Role Description CO (Cryptographic Officer) This role is responsible for card issuance and management of card data via the Card Manager applet. Authenticated using the SCP authentication method with SD-SENC. IUSR (User) The IDPrime MD User, authenticated by the IDPrime MD applet – see below for authentication mechanism. ICAA (Card Application Administrator) The IDPrime MD Card Application Administrator authenticated by the IDPrime MD applet – see below for authentication mechanism. UA Unauthenticated role Table 15 - Role Description 5.1 Secure Channel Protocol (SCP) Authentication The Open Platform Secure Channel Protocol authentication method is performed when the EXTERNAL AUTHENTICATE service is invoked after successful execution of the INITIALIZE UPDATE command. These two commands operate as described next. The SD-KENC and SD-KMAC keys are used along with other information to derive the SD-SENC and SD-SMAC keys, respectively. The SD-SENC key is used to create a cryptogram; the external entity participating in the mutual authentication also creates this cryptogram. Each participant compares the received cryptogram to the calculated cryptogram and if this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the Module in the CO role). For SCP03, AES-128, AES-192 or AES-256 keys are used for Global Platform secure channel operations, in which the Module derives session keys from the master keys and a handshake process, performs mutual authentication, and decrypts data for internal use only. The Module encrypts a total of one block (the mutual authentication cryptogram) over the life of the session encryption key; no decrypted data is output by the Module. AES key establishment provides a minimum of 128 bits of security strength. The Module uses the SD-KDEK key to decrypt critical security parameters, and does not perform encryption with this key or output data decrypted with this key. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 21/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 The strength of GP mutual authentication relies on AES key length, and the probability that a random attempt at authentication will succeed is: 1    for AES 16-byte-long keys;   128  2  1    for AES 24-byte-long keys;   192  2  1    for AES 32-byte-long keys;   256  2  Based on the maximum count value of the failed authentication blocking mechanism, the minimum probability that a random attempt will succeed over a one minute period is 255/2^128. 5.2 IDPrime MD User Authentication This authentication method compares a PIN value sent to the Module to the stored PIN values if the two values are equal, the operator is authenticated. This method is used in the IDPrime MD Applet services to authenticate to the IUSR role. The module enforces string length of 4 bytes minimum (16 bytes maximum) for the Global PIN and 8 bytes for the Session PIN. For the Global PIN, an embedded PIN Policy allows at least a combination of Numeric value (‘30’ to ‘39’) or alphabetic upper case (‘A’ to ‘Z’) or alphabetic lower case (‘a’ to z’), so the possible combination of value for the Global PIN is greater than 10^6. Then the strength of this authentication method is as follow:  The probability that a random attempt at authentication will succeed is lower than 1/10^6  Based on a maximum count of 15 for consecutive failed service authentication attempts, the probability that a random attempt will succeed over a one minute period is lower than 15/10^6 5.3 IDPrime MD Card Application Administrator Authentication (ICAA) a) The 3-Key Triple-DES key establishment provides 168 bits of security strength. The Module uses the IAS-SC-DES3 to authenticate the ICAA role.  The probability that a random attempt at authentication will succeed is 1/2^64 (based on block size)  Based on the maximum count value of the failed authentication blocking mechanism, the probability that a random attempt will succeed over a one minute period is 255/2^64 b) PIN Authentication This authentication method compares a PIN value sent to the Module to the stored OWNERPIN values if the two values are equal, the operator is authenticated. This method is used in the IDPrime MD Applet services to authenticate the ICAA role. The module enforces string length of 4 bytes minimum (64 bytes maximum). An embedded PIN Policy allows at least a combination of Numeric value (‘30’ to ‘39’) or alphabetic Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 22/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 upper case (‘A’ to ‘Z’) or alphabetic lower case (‘a’ to z’), so the possible combination of value for the Global PIN is greater than 10^6. Then the strength of this authentication method is as follow:  The probability that a random attempt at authentication will succeed is lower than1/10^6  Based on a maximum count of 15 for consecutive failed service authentication attempts, the probability that a random attempt will succeed over a one minute period is lower than 15/10^6 5.4 Platform Services All services implemented by the Module are listed in the tables below. Each service description also describes all usage of CSPs by the service. Service Description Power cycle the Module by removing and reinserting it into the contact reader slot, or by reader assertion of the RST signal. The Card Reset service will invoke the power on self-tests described in Section §10-Self-test. Moreover, on any card reset, the Module overwrites with zeros the RAM copy of, Card Reset OS-RNG-STATE, SD-SENC, SD-SMAC and SD-SDEK. (Self-test) The Module can also write the values of all CSPs stored in EEPROM as a consequence of restoring values in the event of card tearing or a similar event. During the self-tests, the module generates the RAM copy of OS-RNG-STATE and updates the EEPROM copy of OS-RNG-STATE. Authenticates the operator and establishes a secure channel. Must be preceded by EXTERNAL a successful INITIALIZE UPDATE. Uses SD-SENC and SD-SMAC. AUTHENTICATE Initializes the Secure Channel; to be followed by EXTERNAL AUTHENTICATE. INITIALIZE UPDATE Uses the SD-KENC, SD-KMAC and SD-KDEK master keys to generate the SD- SENC, SD-SMAC and SD-SDEK session keys, respectively. GET DATA Retrieve a single data object. Optionally uses SD-SENC, SD-SMAC (SCP). Open and close supplementary logical channels. Optionally uses SD-SENC, SD- MANAGE CHANNEL SMAC (SCP). SELECT Select an applet. Does not use CSPs. Table 16 - Unauthenticated Services and CSP Usage Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 23/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Service CO Description Delete an applet from EEPROM. This service is provided for the situation where an applet exists on the DELETE X card, and does not impact platform CSPs. Optionally uses SD-SENC, SD-SMAC (SCP). Retrieve information about the card. Does not use CSPs. Optionally GET STATUS X uses SD-SENC, SD-SMAC (SCP). Perform Card Content management. Optionally uses SD-SENC, SD- INSTALL X SMAC (SCP). Optionally, the Module uses the DAP-SYM key to verify the package signature. Load a load file (e.g. an applet). Optionally uses SD-SENC, SD-SMAC LOAD X (SCP). Transfer data to an application during command processing. Optionally PUT DATA X uses SD-SENC, SD-SMAC (SCP). Load Card Manager keys X PUT KEY The Module uses the SD-KDEK key to decrypt the keys to be loaded. Optionally uses SD-SENC, SD-SMAC (SCP). Modify the card or applet life cycle status. Optionally uses SD-SENC, SET STATUS X SD-SMAC (SCP). Transfer data to an application or the security domain (ISD) processing X the command. STORE DATA Optionally, updates OS-GLOBALPIN. Optionally uses SD-SENC, SD-SMAC (SCP). Monitor the memory space available on the card. Optionally uses SD- X GET MEMORY SPACE SENC, SD-SMAC (SCP). SET ATR Change the card ATR. Optionally uses SD-SENC, SD-SMAC (SCP). X Table 17 – Authenticated Card Manager Services and CSP Usage All of the above commands use the SD-SENC and SD-SMAC keys for secure channel communications, and SD-SMAC for firmware load integrity. The card life cycle state determines which modes are available for the secure channel. In the SECURED card life cycle state, all command data must be secured by at least a MAC. As specified in the GP specification, there exist earlier states (before card issuance) in which a MAC might not be necessary to send Issuer Security Domain commands. Note that the LOAD service enforces MAC usage. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 24/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 5.5 IDPRIME MD Services All services implemented by the IDPrime MD applet are listed in the table below. Service Description ICAA IUSR UA EXTERNAL Authenticates the external terminal to the card. X X X AUTHENTICATE Sets the secure channel mode. INTERNAL Authenticates the card to the terminal X X X AUTHENTICATE Selects a DF or an EF by its file ID, path or SELECT X X X name (in the case of DFs). Changes the value of a PIN. (Note : User Auth is always done within the CHANGE command itself by providing previous PIN) X X REFERENCE DATA Secure Messaging is enforced for this command. Unblocks and changes the value of a PIN RESET RETRY X X Secure Messaging is enforced for this COUNTER command. Creates an EF under the root or the currently CREATE FILE X X selected DF or creates a DF under the root. DELETE FILE Deletes the current DF or EF. X X DELETE Deletes an RSA or ECDSA Asymmetric Key Pair X X ASYMMETRIC KEY PAIR ERASE Erases an RSA or ELC Asymmetric Key Pair X X ASYMMETRIC KEY Retrieves the following information: ■ CPLC data ■ Applet version GET DATA ■ Software version (includes applet version - BER-TLV format) X X X (IDPrime MD Applet Specific) ■ Available EEPROM memory ■ Additional applet parameters ■ PIN Policy Error ■ Applet install parameter (DF0Ah tag) Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 25/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Service Description ICAA IUSR UA Retrieves the following information: ■ Public key elements ■ KICC GET DATA OBJECT ■ The contents of a specified SE X X X ■ Information about a specified PIN ■ Key generation flag ■ Touch Sense flag Creates or updates a data object PUT DATA ■ Create container1 X (IDPrime MD Applet Specific) ■ Update public/private keys(1) Creates or updates a data object PUT DATA ■ Access Conditions X (IDPrime MD Applet ■ Applet Parameters (Admin Key, Card Read Specific) Only and Admin Key Try Limit ) ■ PIN Info PUT DATA Creates or updates a data object X X (IDPrime MD Applet ■ Update DES or AES Secret keys(1) Specific) READ BINARY Reads part of a binary file. X X X ERASE BINARY Erases part of a binary file. X X UPDATE BINARY Updates part of a binary file. X X Used to generate secure messaging session GENERATE keys between both entities (IFD and ICC) as X X X AUTHENTICATE part of elliptic curve asymmetric key mutual authentication. Generates an RSA or ECDSA key pair and GENERATE KEY stores both keys in the card. It returns the public X PAIR part as its response. Sends the IFD certificate C_CV.IFD.AUT used in PSO – VERIFY asymmetric key mutual authentication to the CERTIFICATE X card for verification. No real reason to use it in the personalization phase, but it is allowed. 1 Secure Messaging in Confidentiality is mandatory Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 26/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Service Description ICAA IUSR UA Entirely or partially hashes data prior to a PSO– PSO - HASH X Compute Digital Signature command or prepares the data if hashed externally (RSA) Deciphers an encrypted message using a decipher key stored in the card. PSO - DECIPHER X (ECDSA) Generates a shared symmetric key. Secure Messaging is enforced for this command. PSO – COMPUTE Computes a digital signature. X DIGITAL SIGNATURE Secure Key Injection Scheme from Microsoft PUT SECURE KEY X Minidriver spec V7 Breaks a secure messaging session, or X UNAUTHENTICATE invalidates an MS3DES3 External EXT Authentication. Tells the terminal if the card has been reset or CHECK RESET AND the applet has been reselected since the X X X APPLET SELECTION previous time that the command was performed. GET CHALLENGE Generates an 8 or 16-byte random number. X Supports two functions, Restore and Set. ■ Restore: replaces the current SE by an SE MANAGE SECURITY stored in the card. X ENVIRONMENT ■ Set: sets or replaces one component of the current SE. Authenticates the user to the card by presenting the User PIN. The User Authenticated status is granted with a successful PIN verification. VERIFY X Secure Messaging is enforced for this command. Table 18 – IDPrime MD Applet Services and CSP Usage All services implemented by the MSPNP applet are listed in the table below. Service Description ICAA IUSR UA GET DATA X Retrieves the following information: (MSPNP applet ■ GUID specific) Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 27/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 Table 19 – MSPNP applet Services 6 Finite State Model The CM is designed using a finite state machine model that explicitly specifies every operational and error state. The CM includes Power on/off states, Cryptographic Officer states, User services states, applet loading states, Key/PIN loading states, Self-test states, Error states, and the GP life cycle states. An additional document (Finite State Machine document) identifies and describes all the states of the module including all corresponding state transitions. 7 Physical Security Policy The CM is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The CM uses standard passivation techniques and is protected by passive shielding (metal layer coverings opaque to the circuitry below) and active shielding (a grid of top metal layer wires with tamper response). A tamper event detected by the active shield places the Module permanently into the Card Is Killed error state. The CM is mounted in a plastic smartcard; physical inspection of the Module boundaries is not practical after mounting. Physical inspection of modules for tamper evidence is performed using a lot sampling technique during the card assembly process. The Module also provides a key to protect the Module from tamper during transport and the additional physical protections listed in Section 12 below. 8 Operational Environment This section does not apply to CM. No code modifying the behavior of the CM operating system can be added after its manufacturing process. Only authorized applets can be loaded at post-issuance under control of the Cryptographic Officer. Their execution is controlled by the CM operating system following its security policy rules. 9 Electromagnetic Interference and Compatibility (EMI/EMC) The Module conforms to the EMI/EMC requirements specified by part 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class B. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 28/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 10 Self-test 10.1 Power-on Self-test Each time the CM is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power-on self–tests are available on demand by power cycling the CM. On power-on or reset, the CM performs the self-tests described in table below. All KATs must be completed successfully prior to any other use of cryptography by the CM. If one of the KATs fails, the CM enters the Card Is Mute error state. Test Target Description 16 bit CRC performed over all code located in Flash memory (for OS, Applets and Firmware Integrity filters). Performs DRBG SP 800-90 KAT with fixed inputs (no derivation function and no DRBG reseeding) Triple-DES Performs separate encrypt and decrypt KATs using 3-Key Triple-DES in ECB mode. Performs decrypt KAT using an AES 128 key in ECB mode. AES encrypt is self-tested AES as an embedded algorithm of AES-CMAC. Performs a KDF AES-CMAC KAT using an AES 128 key and 32-byte derivation data. KBKDF AES- The KAT computes session keys and verifies the result. Note that KDF KAT is identical CMAC to an AES-CMAC KAT; the only difference is the size of input data. Performs separate RSA PKCS#1 signature and verification KATs using an RSA 2048 RSA bit key, and a RSA PKCS#1 signature KAT using the RSA CRT implementation with a 2048 bit key. Performs an ECC CDH KAT using an ECC P-224 key.(same crypto engine than for ECC CDH ECDSA KAT) SHA-1 Performs a SHA-1 KAT. SHA-256 Performs a SHA-256 KAT. SHA-512 Performs a SHA-512 KAT. Table 20 – Power-On Self-Test 10.2 Conditional Self-tests On every call to the [SP 800-90] DRBG, the FIPS 140-2 Continuous RNG test to assure that the output is different than the previous value. When any asymmetric key pair is generated (for RSA or ECC keys) the CM performs a pair-wise consistency test. When new firmware is loaded into the CM using the LOAD command, the CM verifies the integrity and authenticity of the new firmware (applet) using the SD-SMAC key for MAC process. Optionally, the CM Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 29/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3 may also verify a signature of the new firmware (applet) using the DAP-AES key; the signature block in this scenario is signed by an external entity using the DAP-AES key. When any new RSA asymmetric key pair generated or pushed into the CM is used for first time to perform a key unwrap, CM performs a pair-wise consistency test before allowing unwrapping operation. 11 Design Assurance The CM meets the Level 3 Design Assurance section requirements. 11.1 Configuration Management An additional document (Configuration Management Plan document) defines the methods, mechanisms and tools that allow to identify and place under control all the data and information concerning the specification, design, implementation, generation, test and validation of the card software throughout the development and validation cycle. 11.2 Delivery and Operation Some additional documents (‘Delivery and Operation’, ‘Reference Manual’, ‘Card Initialization Specification’ documents) define and describe the steps necessary to deliver and operate the CM securely. 11.3 Guidance Documents The Guidance document provided with CM is intended to be the ‘Reference Manual’. This document includes guidance for secure operation of the CM by its users as defined in the section: Roles, Authentication and Services. 11.4 Language Level The CM operational environment is implemented using a high level language. A limited number of software modules have been written in assembler to optimize speed or size. TheIDPrime MD Applet is a Java applet designed for the Java Card environment. 12 Mitigation of Other Attacks Policy The Module implements defenses against:  Fault attacks  Side channel analysis (Timing Analysis, SPA/DPA, Simple/Differential Electromagnetic Analysis)  Probing attacks  Card tearing 13 Security Rules and Guidance The Module implementation also enforces the following security rules:  No additional interface or service is implemented by the Module which would provide access to CSPs.  Data output is inhibited during key generation, self-tests, zeroization, and error states.  There are no restrictions on which keys or CSPs are zeroized by the zeroization service.  The Module does not support manual key entry, output plaintext CSPs or output intermediate key values. Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 30/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision]. IDPrime MD 830-revB FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy Level 3  Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module. END OF DOCUMENT Ref: R0R25436_IDPrimeMD830-revB_001_SP Rev: 1.4 8/2/2016 Page 31/31 © Copyright Gemalto 2016. May be reproduced only in its entirety [without revision].