Pure Storage, Inc. Purity Encryption Module FIPS 140-2 . - NIST


Pure Storage, Inc.
Purity Encryption Module
FIPS 140-2 Cryptographic Module Non-Proprietary Security Policy
Version: 1.6
Date: 10/17/2018

Pure Storage, Inc.
650 Castro Street
Mountain View, CA 94041
800-379-7873

© 2015-2018 Pure Storage, Inc. Version 1.6
Pure Storage Inc. Public Material – May be reproduced only in its original entirety (without revision).

Table of Contents

1 Introduction
  1.1 Cryptographic Boundary
  1.2 Mode of Operation
2 Cryptographic Functionality
  2.1 Critical Security Parameters
3 Roles, Authentication and Services
  3.1 Assumption of Roles
  3.2 Services
4 Self-tests
5 Physical Security Policy
6 Operational Environment
7 Mitigation of Other Attacks Policy
8 Security Rules and Guidance
9 References and Definitions

List of Tables

Table 1 – Cryptographic Module Configurations
Table 2 – Security Level of Security Requirements
Table 3 – Physical Ports and Interfaces
Table 4 – Approved and CAVP Validated Cryptographic Functions
Table 5 – Non-Approved but Allowed Cryptographic Functions
Table 6 – Critical Security Parameters (CSPs)
Table 7 – Roles Description
Table 8 – Services
Table 9 – CSP Access Rights within Services
Table 10 – Power Up Self-tests
Table 11 – Conditional Self-tests
Table 12 – Critical Functions Tests
Table 13 – References
Table 14 – Acronyms and Definitions

List of Figures

Figure 1 – Module

1 Introduction

This document defines the Security Policy for the Purity Encryption Module, hereafter denoted the Module. The Module is a multi-chip standalone software-hybrid module (within the FlashArray product) and is run on a General Purpose Computer (GPC) with a modifiable operational environment. The Module meets FIPS 140-2 overall Level 1 requirements.

Table 1 – Cryptographic Module Configurations

| Module Name | SW Version | Operational Environment |
|---|---|---|
| Purity Encryption Module | 1.1.0 | Operating System: Purity//FA 4; CPU / HW Version: Intel Xeon CPU with AES-NI (E5 Family – 26XX v2) |
| Purity Encryption Module | 1.2.0 | Operating System: Purity//FA 4; CPU / HW Version: Intel Xeon CPU with AES-NI (E5 Family – 26XX v2) |
| Purity Encryption Module | 1.2.0 | Operating System: Purity//FA 5; CPU / HW Version: Intel Xeon CPU with AES-NI (E5 Family – 26XX v4) |
| Purity Encryption Module | 1.2.0 | Operating System: Purity//FA 5; CPU / HW Version: Intel Xeon CPU with AES-NI (Scalable Processor Family: Silver (41XX) and Gold (61XX)) |

The Module is intended for use by US Federal agencies and other markets that require FIPS 140-2 validated Data Storage. The Module is a multi-chip standalone, software-hybrid embodiment; the cryptographic boundary is the dynamically linked library libcrypto.so, the configuration file libcrypto.hash, and the Intel Xeon CPU.

The FIPS 140-2 security levels for the Module are as follows:

Table 2 – Security Level of Security Requirements

| Security Requirement | Security Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | 1 |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 2 |
| Mitigation of Other Attacks | 1 |
| Overall Level | 1 |

1.1 Cryptographic Boundary

The cryptographic boundaries of the Module are depicted in Figure 1; the blue outline depicts the physical cryptographic boundary, and the red outline depicts the logical cryptographic boundary. The module is implemented on a General Purpose PC with the following standard components:

1. Processors: Intel Xeon x64 CPU with AES-NI and RDRAND (E5 Family)
2. Read-only memory (ROM) integrated circuits for program executable code and data consistent with a GPC platform
3. Random access memory (RAM) integrated circuits for temporary data storage consistent with a GPC platform
4. Other active electronic circuit elements consistent with a GPC platform
5. Power supply components consistent with a GPC platform
6. Circuit boards or other component mounting surfaces consistent with a GPC platform
7. Enclosures, including any removable access doors or covers consistent with a GPC platform
8. Physical connectors for devices outside of the module consistent with a GPC platform
9. Software/firmware modules that are unlikely to be modified consistent with a GPC platform

Pure Storage bundles both the hardware and software together for customers, and also includes several additional network and storage interfaces that are documented in the figure below:

Figure 1 – Module Diagram

The table below contains the physical ports on the GPC, and a mapping to the FIPS logical interface types. The module itself does not rely on any physical PC interfaces, and instead only provides a logical API interface to the calling application. The module's logical API interfaces, and their FIPS logical interface types, are listed in User Guidance.

Table 3 – Physical Ports and Interfaces

| Port | Description | FIPS Logical Interface Type |
|---|---|---|
| Ethernet Ports | Gigabit Ethernet interfaces for replication, management, and iSCSI. The calling application will pass data coming from replication and iSCSI protocols to the module. | Data in, Data out, Control in, Status out |
| Infiniband / NTB (Non-Transparent Bridge) | Communication between two PCs (primary/secondary) for High Availability purposes. | Control in, Status out |
| Fiber Channel | Hosts storage services for other Fiber channel devices on the SAN. The calling application will pass data coming from/destined to SAN devices to/from the module. | Control in, Data in, Data out, Status out |
| VGA | Connects video for local administration of the PC. | Control in, Status out |
| RS-232 | Offers local administration of the PC. | Control in, Status out |
| USB (mice and keyboard devices) | Connects mice and keyboard devices for local administration of the PC. | Power, Control in |
| USB (smart card devices) | Connects Spyrus Rosetta Series II Smart Card to the calling application. | Power, Control in, Data in, Data out, Status out |
| Power Supply | 2x 110V | Power |
| SAS | (Serial Attached SCSI) Communication between PC and storage shelves. | Control in, Data in, Data out, Status out |
| LEDs | Status indicators including: Pure Storage Logo LED, power LED, boot drive LED | Status out |
| Push Button | Power on push button | Control In |

1.2 Mode of Operation

The module contains a single FIPS approved mode of operation. To verify that a module is in the approved mode of operation, the user can verify the cryptographic module version matches the validated version in the Security Policy through the “pureversion -c” command offered by the operational environment which accesses the Show Version service of the module.

2 Cryptographic Functionality

The Module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in the table(s) below.

Table 4 – Approved and CAVP Validated Cryptographic Functions

| Algorithm | Description | Cert # |
|---|---|---|
| AES | [FIPS 197, SP 800-38A] Functions: Encryption, Decryption; Modes: ECB, CTR; Key sizes: 128, 256 bits | 3488, 4844, 5481 |
| AES Key Wrapping | [SP 800-38F] Functions: Encryption, Decryption (Wrap, Unwrap); Modes: KW; Key sizes: 128, 256 bits | 3488, 4844, 5481 |
| CKG | [SP 800-133] Section 7.1 Direct symmetric key generation using unmodified DRBG output | NA |
| DRBG | [SP 800-90A] Modes: CTR DRBG; Security Strengths: 256 bits | 862, 1701, 2157 |
| HMAC-SHA-256 | [FIPS 198-1] Functions: Verification | 2227, 3244, 3635 |
| SHA-256 | [FIPS 180-4] Functions: Used within HMAC Verification | 2881, 3985, 4398 |

Table 5 – Non-Approved but Allowed Cryptographic Functions

| Algorithm | Description |
|---|---|
| NDRNG | [Annex C] Hardware Non-Deterministic RNG; minimum of 64 bits per access. The NDRNG output is used to seed the FIPS Approved DRBG. The implementation uses the Intel Xeon CPU instruction RDRAND, along with post-processing, to ensure 8 bits of entropy per byte. |

The module does not implement any non-FIPS-allowed algorithms.

2.1 Critical Security Parameters

All CSPs used by the Module are described in this section. All usage of these CSPs by the Module (including all CSP lifecycle states) is described in the services detailed in Section 4.

Table 6 – Critical Security Parameters (CSPs)

Data Encryption Key (DEK)
  Purpose: Used to encrypt and decrypt storage data destined for SAS drives or SAN protocols.
  Algorithm: AES
  Size: 128 or 256 bits
  Mode: CTR
  Generation / Entry:
    1. Generated internally by DRBG on product initialization
    2. Imported as wrapped by DEKEK on product startup
  Output: Output in encrypted form (with /decryption services for storage data. providing

Data Encryption Key (DEK) AES Counter
  Algorithm: AES
  Size: 32 bits
  Mode: CTR
  Generation / Entry: Imported as plaintext over electronic API
  Output: N/A

Data Encryption Key Encryption Key (DEKEK)
  Purpose: Used to wrap the DEK.
  Algorithm: AES
  Size: 128 or 256 bits
  Mode: ECB
  Generation / Entry:
    1. Generated internally by DRBG on product initialization and/or customer rekey request
    2. Imported as split-knowledge for key recovery
    3. Imported as plaintext on product startup over electronic API
  Output:
    1. As split-knowledge
    2. As plaintext over the API (for RDL function)

DRBG entropy input
  Purpose: Internally used to provide entropy for DEK and DEKEK generation.
  Algorithm: SP 800-90A
  Size: 256 bits
  Mode: CTR
  Generation / Entry: Generated internally via RDRAND calls
  Output: N/A

DRBG personalization string
  Purpose: Internally used to provide entropy for DEK and DEKEK generation.
  Algorithm: SP 800-90A
  Size: Max 1024 bits
  Mode: CTR
  Generation / Entry: Generated internally based on versioning information.
  Output: N/A

DRBG Counter value
  Purpose: Internally used as a state value for the SP800-90A CTR DRBG.
  Size: 128 bits
  Mode: CTR
  Generation / Entry: Generated internally
  Output: N/A

3 Roles, Authentication and Services

3.1 Assumption of Roles

The module supports two distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module enforces the separation of roles using implicit mapping between services and roles.

The Module does not support a maintenance role and/or bypass capability. The Module does not support concurrent operators. On each power cycle, all state is cleared. The module is a Level 1 software-only module and does not support authentication.

Table 7 – Roles Description

| Role ID | Role Description |
|---|---|
| CO | Cryptographic Officer – The calling process which powers on/off the module. |
| User | User – The calling process which accesses any API functionality. |

3.2 Services

All services implemented by the Module are listed in the table(s) below. Each service description also describes all usage of CSPs by the service. In addition, each service is mapped to a specific role, shown by the “X” in the appropriate column.

Table 8 – Services

| Service | Description | CO / U |
|---|---|---|
| Data Storage Encrypt/Decrypt | Provides data encryption / decryption for calling application. | X |
| DEKEK Import/Export in plaintext | The DEKEK is exported by the module, transformed by the calling application, and re-imported. | X |
| DEK Import/Export in encrypted form | When the configuration is changed, the DEK is wrapped by the DEKEK and exported. The wrapped DEK is imported (by the calling application) on module's power up. | X |
| DEKEK Import/Export as split-knowledge | After a new DEKEK is generated, the keys are exported in split-knowledge form. They are stored by the calling application. On demand, the DEKEK is imported in split knowledge form, (provided by the calling application). | X |
| SP 800-90A DRBG | Provides random numbers to the calling application, also serves to generate keys such as DEKEK and DEK and export them immediately. | X |
| Module Power-on (Run self-tests) | The module runs all self-tests implicitly at power-up. | X |
| Show Status | The module automatically calls the FOEd logging service as events, such as power-up, occur. | X |
| Show Version | Display the version of the module | X |
| Zeroize | Destroys all CSPs by powering down the physical GPC. | X |

Table 14 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as:

- G = Generate: The module generates the CSP.
- R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP.
- E = Execute: The module executes using the CSP.
- W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, when the module generates a CSP, or when the module overwrites an existing CSP.
- Z = Zeroize: The module zeroizes the CSP.

Table 9 – CSP Access Rights within Services

ServiceCSPsDEKData Storage Encrypt/ DecryptDEKEKplaintextImport/ExportRinDEK Import/Export in DRBGEntropyGRGRGWZZZDRBGCounterRWRWDEKEK Import/Export as splitknowledgeSP 800-90A DRBGDEKEKRWGGZZModule Power-on (Run selftests)Show StatusShow VersionZeroizeZZ

4 Self-tests

Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power up self-tests are available on demand by power cycling the module.

On power up or reset, the Module performs the self-tests described in Table 15 below. All KATs must be completed successfully prior to any other use of cryptography by the Module. If one of the KATs fails, the Module enters the FIPS error state. Recovery from the FIPS error state is accomplished by re-invoking the module, which creates a new instance. Successful completion of self-tests is indicated by a status message and returning control to the calling application from the Default Entry Point successfully.

Table 10 – Power Up Self-tests

| Test Target | Description |
|---|---|
| Firmware Integrity | HMAC-SHA-256 of the executable code. |
| AES | KATs: Encryption, Decryption; Modes: ECB, CTR; Key sizes: 128 bits, 256 bits |
| DRBG | KATs: CTR DRBG per SP800-90A Section 11.3 Requirements; Security Strength: 256 bits |
| SHA | KATs: Hash; SHA sizes: SHA-256 |

Table 11 – Conditional Self-tests

| Test Target | Description |
|---|---|
| NDRNG | NDRNG Continuous Test performed when a random value is requested from the NDRNG. |
| DRBG | DRBG Continuous Test performed when a random value is requested from the DRBG. |

Table 12 – Critical Functions Test

| Test Target | Description |
|---|---|
| Shamir-secret splitting | Performs a secret-splitting and joining, and verifies the result of each step. |

5 Physical Security Policy

The module is a multi-chip standalone, software hybrid embodiment module with a specific CPU family (Intel Xeon CPU with AES-NI and RDRAND - E5 Family or Scalable Processor Family) installed within a GPC. The module utilizes a production grade hardware component with standard passivation applied to it.
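The self-test gating described in Section 4 (integrity check and KAT at power-up, continuous test on each random request, error state on failure), as an added Python sketch that is not the Module's code. The class and function names, the integrity key, the stand-in image bytes and the stored reference MAC are all assumptions constructed for the example; only the SHA-256 part of the KAT set is shown.

```python
import hashlib
import hmac

# Constructed sample inputs: stand-ins for the library image, the integrity
# key and the stored reference MAC (all hypothetical, not values from the page).
MODULE_IMAGE = b"\x7fELF constructed stand-in for the module's executable code"
INTEGRITY_KEY = b"constructed-integrity-key"
STORED_MAC = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).digest()

# SHA-256 of the message "abc", the FIPS 180-4 example vector, used as the KAT.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


class ModuleError(RuntimeError):
    """A service was requested while output is inhibited."""


class ToyModule:
    """Runs the self-tests at construction ("power-up") and gates services on the result."""

    def __init__(self, image, stored_mac, entropy_source):
        self._source = entropy_source      # callable returning one block of bytes
        self._last_block = None
        passed = self._integrity_ok(image, stored_mac) and self._sha256_kat_ok()
        self.state = "OPERATIONAL" if passed else "ERROR"

    @staticmethod
    def _integrity_ok(image, stored_mac):
        mac = hmac.new(INTEGRITY_KEY, image, hashlib.sha256).digest()
        return hmac.compare_digest(mac, stored_mac)   # constant-time comparison

    @staticmethod
    def _sha256_kat_ok():
        return hashlib.sha256(b"abc").hexdigest() == SHA256_ABC

    def random_block(self):
        if self.state != "OPERATIONAL":
            raise ModuleError("output inhibited in state " + self.state)
        if self._last_block is None:
            self._last_block = self._source()   # first block only primes the test
        block = self._source()
        if block == self._last_block:           # continuous test: no repeated block
            self.state = "ERROR"
            raise ModuleError("continuous test failed")
        self._last_block = block
        return block


def replay(blocks):
    """Entropy source that replays constructed blocks, so the run is repeatable."""
    it = iter(blocks)
    return lambda: next(it)


def outcome(image, blocks, requests):
    """Power up on `image`, request `requests` blocks, return (state, blocks delivered)."""
    module = ToyModule(image, STORED_MAC, replay(blocks))
    delivered = 0
    try:
        for _ in range(requests):
            module.random_block()
            delivered += 1
    except ModuleError:
        pass
    return module.state, delivered
```

A one-byte change to the image or a repeated block from the source both leave the instance in the error state; recovery means constructing a new instance, which reruns the power-up tests.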

6 Operational Environment

The Module is designated as a modifiable operational environment under the FIPS 140-2 definitions. The operational environment is the Purity Operating Environment for FlashArray 4 or 5 (Purity//FA 4 or Purity//FA 5), which is based off of Ubuntu Linux 14.04. The operational environment implicitly enforces single mode of operation by managing process memory of the module and ensuring each calling process is logically separated and protected.

The module was tested on the following platform:

- The module was tested with Purity//FA 4 running on a Dell PowerEdge R620 with an Intel Xeon CPU (E5 Family – 26XX v2) with PAA (single-user mode).
- The module was tested with Purity//FA 5 running on a //M70R2 with an Intel Xeon CPU (E5 Family – 26XX v4) with PAA (single-user mode).
- The module was tested with Purity//FA 5 running on a //X90R2 with an Intel Xeon CPU (Scalable Processor Family: Silver (41XX) and Gold (61XX)) with PAA (single-user mode).

The module is also supported on the following platforms for which operational testing was not performed:

- The module is also supported with Purity//FA 4 and Purity//FA 5 on all supported FlashArray models running on Intel Xeon with AES-NI (E5 Family or Scalable Processor Family).
- Note: The CMVP makes no claim as to the correct operation of the module on these operational environments.

7 Mitigation of Other Attacks Policy

The module implements Shamir-secret splitting to export the DEKEK in a manner that requires n/2 2 parts in order to recover the DEKEK for all n parts. Each part is stored on an externally connected SAS by the calling application. Therefore, the DEKEK is recoverable only when sufficient parts of the DEKEK are supplied.

The reference for the original article describing this method is: "How to share a secret", Communications of the ACM 22 (11): 612–613, doi:10.1145/359168.359176

8 Security Rules and Guidance

The Module design corresponds to the Module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module.

1. The module provides two distinct operator roles: User and Cryptographic Officer.
2. The module does not provide authentication, and implicitly maps the services offered to the respective role.
3. The operator is capable of commanding the module to perform the power up self-tests by cycling power or resetting the module.
4. Power up self-tests do not require any operator action.
5. Data output is inhibited during key generation, self-tests, zeroization, and error states.
6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
7. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
8. The module does not support concurrent operators.
9. The module does not support a maintenance interface or role.
10. The module does not support manual key entry.
11. The module does not have any external input/output devices used for entry/output of data.
12. The module does not enter or output plaintext CSPs from the physical boundary.
13. The module does not output intermediate key values.

9 References and Definitions

The following standards are referred to in this Security Policy.

Table 13 – References

| Abbreviation | Full Specification Name |
|---|---|
| [FIPS140-2] | Security Requirements for Cryptographic Modules, May 25, 2001 |
| [SP800-131A] | Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011 |
| [SP800-90A] | Recommendation for Random Number Generation Using Deterministic Random Bit Generators, January 2012 |
| [SP800-38A] | Recommendation for Block Cipher Modes of Operation, Methods and Techniques, 2001 Edition |

Table 14 – Acronyms and Definitions

| Acronym | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| AES-NI | Advanced Encryption Standard (Intel x86 Instruction) |
| API | Application Programming Interface |
| CAVP | Cryptographic Algorithm Validation Program |
| CMVP | Cryptographic Module Validation Program |
| CO | Cryptographic Officer |
| CPU | Central Processing Unit |
| CSP | Critical Security Parameter |
| CTR | Counter Mode |
| DEK | Data Encryption Key |
| DEKEK | Data Encryption Key Encryption Key |
| DRBG | Deterministic Random Number Generator |
| ECB | Electronic Code Book |
| EMI / EMC | Electromagnetic Interference / Electromagnetic Compatibility |
| FIPS | Federal Information Processing Standard |
| GPC | General Purpose Computer |
| HMAC | Hashed Message Authentication Code |
| iSCSI | SCSI protocol over TCP/IP (IETF draft standard) |
| KAT | Known Answer Test |
| KEK | Key Encryption Key |
| LED | Light Emitting Diode |
| NDRNG | Non-Deterministic Random Number Generator |
| NTB | Non-Transparent Bridge |
| OS | Operating system |
| PC | Personal Computer |
| RAM | Random Access Memory |
| RDRAND | Deterministic Random Number Generator (Intel x86 Instruction) |
| ROM | Read Only Memory |
| RS-232 | Recommended Standard 232 (computer serial interface, IEEE) |
| SAN | Storage Area Network |
| SAS | Serial-Attached SCSI (Small Computer System Interface) |
| SHA | Secure Hash Algorithm |
| USB | Universal Serial Bus |
| VGA | Video Graphics Adapter |
