NShield Word Template - NIST


nShield Solo XC F3 & nShield Solo XC F3 for nShield Connect XC and for nShield HSMi
Non-proprietary Security Policy for FIPS 140-2 Level 2

Version: 1.0.1
Date: 09 Nov 2021

Copyright 2020 nCipher Security Limited. All rights reserved.

Copyright in this document is property of nCipher Security Limited. This document may be reproduced and distributed in whole (i.e., without modification) provided that the copyright notice and Entrust branding has not been removed or altered.

Words and logos marked with or are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

nCipher Security Limited
Registered Office: One Station Square, Cambridge, CB1 2GA, United Kingdom
Registered in England No. 11673268

nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.

Contents

1 Introduction
  1.1 Scope
  1.2 Security level
  1.3 Cryptographic module description
  1.4 Operational environment
2 Cryptographic Functionality
  2.1 Security World overview
  2.2 Keys and Critical Security Parameters
  2.3 Supported cryptographic algorithms
3 Roles and Services
  3.1 Roles
  3.2 Strength of authentication mechanisms
  3.3 Services
4 Physical Security
5 Rules
  5.1 Delivery
  5.2 Initialization procedures
  5.3 Creation of new Operators
6 Self tests
  6.1 Power-up self-tests
  6.2 Conditional self-tests
  6.3 Firmware load test
Contact Us

1 Introduction

1.1 Scope

This document defines the non-proprietary Security Policy enforced by the nShield Hardware Security Module, i.e. the Cryptographic Module, to meet the security requirements in FIPS 140-2.

The following product hardware variants and firmware version(s) are in scope of this Security Policy.

Variant name | Marketing model number | Firmware version
nShield Solo XC F3 | nC4035E-000 | 12.50.11
nShield Solo XC F3 for nShield Connect XC and for nShield HSMi | nC4335N-000 (note 1) | 12.50.11

Table 1 Variants

Note 1: This module is embedded in the nShield Connect XC appliance with model numbers NH2075-x, NH-2089-x (where x is B, M or H) or in the nShield Issuance HSM with model numbers NH2089-8k-ISS, NH2089-16k-ISS (where x is B, M or H)

All modules are supplied at build standard "A".

1.2 Security level

The Cryptographic Module meets overall FIPS 140-2 Security Level 2. The following table specifies the security level in detail.

Security requirements section | Level
Cryptographic Module Specification | 2
Module Ports and Interfaces | 2
Roles, Services and Authentication | 3
Finite State Model | 2
Physical Security | 3
Operational Environment | N/A
Cryptographic Key Management | 2
EMI/EMC | 3
Self-Tests | 2
Design Assurance | 3
Mitigation of Other Attacks | N/A

Table 2 Security level of security requirements

1.3 Cryptographic module description

The nShield Hardware Security Module (HSM) is a multi-chip embedded Cryptographic Module as defined in FIPS 140-2, which comes in a PCI express board form factor protected by a tamper resistant enclosure, and performs encryption, digital signing, and key management on behalf of an extensive range of commercial and custom-built applications including public key infrastructures (PKIs), identity management systems, application-level encryption and tokenization, SSL/TLS, and code signing.

The nShield Solo XC HSM is also embedded inside the nShield Connect XC and the nShield HSMi, which are network-attached appliances delivering cryptographic services as a shared network resource for distributed applications and virtual machines, giving organizations a highly secure solution for establishing physical and logical controls for server-based systems.

The table below shows the nShield Solo XC HSM, the nShield Connect XC and the nShield HSMi appliances.

Table 3 nShield Solo XC (left), nShield Connect XC (centre), and nShield HSMi (right)

The cryptographic boundary is delimited in red in the images in the table below. It is delimited by the heat sink and the outer edge of the potting material on the top and bottom of the PCB.

The Cryptographic Module provides the following physical ports and interfaces, which remain outside of the cryptographic boundary:

- PCIe bus (data input/output, control input, status output and power). The services provided by the module are transported through this interface.
- Status LED (status output)
- Mode switch (control input)
- Clear button (control input)
- PS/2 serial connector for connecting a smartcard reader (data input/output).
- 14-way header (data input/output, control input, status output) which provides alternative connections for the mode switch, clear button, status LED and serial connector.
- Dual configuration switches (control input), a set of two jumpers which enable the mode switch and enable the remote mode switching.
- Battery (power), providing power backup.
- Heat fan control signal.

The PCB traces coming from those connectors transport the signals into the module's cryptographic boundary and cannot be used to compromise the security of the module.

The top cover, heat fan and the battery are outside the module's cryptographic boundary and cannot be used to compromise the security of the module.

Table 4 Cryptographic module boundary

1.4 Operational environment

The FIPS 140-2 Operational Environment requirements are not applicable because the cryptographic module contains a limited operational environment.

2 Cryptographic Functionality

2.1 Security World overview

The security model of the module is based around the Security World concept for secure management of cryptographic keys.

A Security World includes:

- An Administrator Card Set (ACS), a set of Administrator smart cards used to perform administrative operations,
- Optionally, one or more Operator Card Sets (OCSs), a set or sets of Operator smart cards used to control access to application keys and to authorise certain operations,
- Optionally, a set of Softcards used to control access to application keys,
- Key Blobs, which contain cryptographic keys and their associated Access Control List (ACL), whose confidentiality and integrity are protected by approved algorithms. They are stored outside the Cryptographic Module.

2.2 Keys and Critical Security Parameters

The Cryptographic Module uses and protects the following keys and Critical Security Parameters (CSPs):

KRE - Recovery Confidentiality Key
  Type: RSA 3072-bit
  Description: Key used to protect recovery keys (KR).
  Generation: DRBG
  Input: Load Blob - encrypted with LT
  Output: Make Blob - encrypted with LT
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Initialize Unit

KR - Recovery Key
  Type: AES 256-bit
  Description: Key used to derive (using SP 800-108 KDF in counter mode) the keys Ke (AES 256-bit) and Km (HMAC-SHA256) that protect an archive copy of an application key.
  Generation: DRBG
  Input: Load Blob - encrypted with KRE
  Output: Make Blob - encrypted with KRE
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Initialize Unit, Clear Unit, power cycle or reboot.

Impath session keys
  Type: AES 256-bit in CBC mode. Integrity with HMAC SHA-256.
  Description: Used for secure channel between two modules. It consists of a set of four session keys used in an Impath session for encryption, decryption, MAC generation and MAC validation.
  Generation: 3072-bit DH key exchange with one-step KDF with SHA-1 between two modules.
  Input: No
  Output: No
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Clear Unit, new session, power cycle or reboot.

KJSO - JSO key
  Type: DSA 3072-bit
  Description: nShield Junior Security Officer key used with its associated certificate to perform the operations allowed by the NSO.
  Generation: DRBG
  Input: Load Blob - encrypted with LT
  Output: Make Blob - encrypted with LT
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Destroy, Initialize Unit, Clear Unit, power cycle or reboot.

Algorithm certificates cited across the KRE, KR, Impath session keys and KJSO entries: HMAC cert #C1105; AES cert #C1105 (cited twice); KTS (vendor affirmed); DSA cert #C1105.

KA - Application key
  Type:
    AES 128, 192, 256 bits
    TDES 192 bits
    HMAC with key sizes 112 bits
    RSA with key sizes 2048 bits
    DSA, DH with key sizes 2048 bits
    ECDSA, ECDH, EC MQV with curves: P224, P256, P384, P-521; K233, K283, K409, K-571; B233, B283, B409, B-571
  Description: Keys associated with a user to perform cryptographic operations, that can be used with one of the following validated algorithms:
    AES and KTS cert #C1105
    HMAC cert #C1105
    RSA cert #C1105
    DSA cert #C1105
    ECDSA cert #C1105
    Key Agreement (KAS) cert #C1105
    KBKDF cert #C1105
    KTS (vendor affirmed)
  Generation: DRBG
  Input: Load Blob - encrypted with LT or KR
  Output: Make Blob - encrypted with LT or KR
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Destroy, Initialize Unit, Clear Unit, power cycle or reboot

KM - Module Key
  Type: AES 256-bit
  Description: Key used to protect logical tokens and associated module Key Blobs.
  Algorithm certificate: AES cert #C1105
  Generation: DRBG
  Input: Load Blob - encrypted with LT
  Output: Make Blob - encrypted with LT
  Storage: Non-volatile memory
  Zeroization: Initialize Unit

KML - Module Signing Key
  Type: DSA 3072-bit
  Description: Module Signing Key used by the module to sign key generation and module state certificates. When the nShield module is initialized, it automatically generates this key that it uses to sign certificates using DSA with SHA-256. This key is only ever used to verify that a certificate was generated by a specific module.
  Algorithm certificate: DSA cert #C1105
  Generation: DRBG
  Input: No
  Output: No
  Storage: Non-volatile memory
  Zeroization: Initialize Unit

KNSO - NSO key
  Type: DSA 3072-bit
  Description: nShield Security Officer key used for NSO authorisation and Security World integrity. Used to sign Delegation Certificates and to directly authorize commands during recovery operations.
  Algorithm certificate: DSA cert #C1105
  Input: Load Blob - encrypted with LT
  Output: Make Blob - encrypted with LT
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Destroy, Initialize Unit, Clear Unit, power cycle or reboot.

LT - Logical Token
  Type: AES 256-bit
  Description: Key used to derive the keys that are used to protect token protected key blobs. Logical Tokens are split in shares (encrypted with Share Key) between one or more smartcards or a softcard, using the Shamir Secret Sharing scheme.
  Algorithm certificates: AES cert #C1105; KDF cert #C1105; HMAC cert #C1105
  Generation: DRBG
  Input: Read Share - encrypted with Share Key
  Output: Write Share - encrypted with Share Key
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Destroy, Initialize Unit, power cycle or reboot

Share Key
  Type: AES
  Description: Protects a share when written to a smartcard or softcard. This key is used to derive (using SP 800-108 AES CTR KDF) the keys Ke (AES 256-bit) and Km (HMAC-SHA256) that wrap the share.
  Algorithm certificates: AES cert #C1105; KDF cert #C1105; HMAC cert #C1105
  Generation: DRBG
  Input: No
  Output: No
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: N/A

Remote Administration session keys
  Type: AES 256-bit in CBC mode. Integrity with CMAC.
  Description: Used for secure channel between the module and a smartcard. This is a set of four AES 256-bit session keys, namely Km-e (for encrypting data sent to the smartcard), Kc-e (for decrypting data from the smartcard), Km-a (for CMAC generation) and Kc-a (for CMAC verification).
  Algorithm certificate: AES cert #C1105
  Generation: ECDH P-521 key agreement with SP 800-108 KDF in counter mode.
  Input: No
  Output: No
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Clear Unit, new session, power cycle or reboot.

KAL - Key Audit Logging
  Type: DSA 3072-bit
  Description: Used for signing the log trail.
  Algorithm certificate: DSA cert #C1105
  Generation: DRBG
  Input: No
  Output: No
  Storage: Non-volatile memory
  Zeroization: Initialize Unit

DRBG internal state
  Type: Hash DRBG
  Description: The module uses the Hash DRBG with SHA-256 compliant with SP800-90A.
  Algorithm certificate: Hash DRBG cert #C1105
  Generation: Entropy source
  Input: No
  Output: No
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Clear Unit, power cycle or reboot.

DRBG entropy input
  Type: 344 bits
  Description: Entropy input string used to initialize and reseed the DRBG.
  Generation: Entropy source
  Input: No
  Output: No
  Storage: Ephemeral, stored in volatile RAM.
  Zeroization: Clear Unit, power cycle or reboot.

Table 5 CSP table

The following table describes the public keys handled by the module:

Firmware Integrity key (KFI)
  Type: ECDSA P-521
  Description: Public key used to ensure the integrity of the firmware during boot. The module validates the signature before new firmware is written to non-volatile storage.
  Algorithm certificate: ECDSA 805
  Generation: At nCipher
  Input: Firmware update
  Output: No
  Storage: In firmware

KJWAR
  Type: ECDSA P-521
  Description: nCipher root warranting public key for Remote Administrator Cards and Remote Operator Cards
  Algorithm certificate: ECDSA cert #C1105
  Generation: At nCipher
  Input: Firmware update
  Output: None
  Storage: Persistent storage in plaintext inside the module (EEPROM)

Application keys public key
  Type: See description
  Description: Public keys associated with private Application keys:
    RSA cert #C1105
    DSA cert #C1105
    ECDSA cert #C1105
    Key Agreement (KAS) #C1105
    KTS (vendor affirmed)
  Generation: At creation of the application key
  Input: Load Blob - encrypted with LT
  Output: Key export
  Storage: Stored in the key blob of the application key

KJSO public key
  Type: DSA 3072-bit
  Description: Public key associated to KJSO
  Algorithm certificate: DSA cert #C1105
  Generation: At creation of the KJSO
  Input: Load Blob - encrypted with LT
  Output: Key export
  Storage: Public key hash stored in the module persistent storage

KNSO public key
  Type: DSA 3072-bit
  Description: Public key associated to KNSO
  Algorithm certificate: DSA cert #C1105
  Generation: At creation of the KNSO
  Input: Load Blob - encrypted with LT
  Output: Key export
  Storage: Public key hash stored in the module persistent storage

KML public key
  Type: DSA 3072-bit
  Description: Public key associated to KML
  Algorithm certificate: DSA cert #C1105
  Generation: At creation of KML
  Input: No
  Output: Key export
  Storage: Public key hash stored in the module persistent storage

KAL public key
  Type: DSA 3072-bit
  Description: Public key associated to KAL
  Algorithm certificate: DSA cert #C1105
  Generation: At creation of KAL
  Input: No
  Output: Included in the audit trail
  Storage: Public key hash stored in the module persistent storage

KRE public key
  Type: RSA 3072-bit
  Description: Public key associated to KRE
  Algorithm certificate: KTS (vendor affirmed)
  Generation: At creation of the KNSO
  Input: Load Blob - encrypted with LT
  Output: Key export
  Storage: Stored in a key blob

FET public key
  Type: DSA 1024-bit
  Description: Feature Enable Tool (FET) public key used to verify FET certificates
  Algorithm certificate: DSA cert #C1105
  Generation: At nCipher
  Input: Firmware update
  Output: No
  Storage: Persistent storage in plaintext inside the module (EEPROM)

Impath DH public key
  Type: DH 3072-bit
  Description: Public key from peer used in the Impath DH key agreement.
  Algorithm certificate: KAS-FFC cert #C1105
  Generation: No
  Input: Loaded with Cmd ImpathKXFinish
  Output: No
  Storage: Ephemeral, stored in volatile RAM.

Remote Administration ECDH public key
  Type: NIST P-521
  Description: Public key from peer used in the Remote Administration ECDH key agreement.
  Algorithm certificate: KAS-ECC cert #C1105
  Generation: No
  Input: Loaded with Cmd DynamicSlotExchangeAPDUs
  Output: No
  Storage: Ephemeral, stored in volatile RAM.

Table 6 Public key table

2.3 Supported cryptographic algorithms

2.3.1 FIPS Approved or Allowed Algorithms

The following tables describe the Approved or allowed cryptographic algorithms supported by the Cryptographic Module.

Boot Loader

Cert #: SHS 3130
  Algorithm: SHA
  Standard: FIPS 180-4
  Details: SHA-256 (BYTE-only); SHA-512 (BYTE-only)

Cert #: ECDSA 805
  Algorithm: ECDSA
  Standard: FIPS 186-4
  Details: SigVer: CURVES( P-521: (SHA-512) ); SHS: SHS 3130

Firmware

Cert #: C1105
  Algorithm: AES
  Standard: FIPS 197
  Details:
    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 256 )
    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    GCM (KS: AES 128 ( e/d ) Tag Length(s): 128 120 112 104 96 64 32 ) (KS: AES 192 ( e/d ) Tag Length(s): 128 120 112 104 96 64 32 ) (KS: AES 256 ( e/d ) Tag Length(s): 128 120 112 104 96 64 32 ) IV Generated: ( Internal (using Section 8.2.2 ) ) ; PT Lengths Tested: ( 0 , 1024 , 1024 ) ; AAD Lengths tested: ( 1024 , 1024 ) ; 96BitIV Supported ; OtherIVLen Supported; DRBG: Val#C1105
    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 4096 )

Cert #: C1105
  Algorithm: Triple-DES
  Standard: SP 800-67
  Details: TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, )
    Note: The user is responsible to comply with the maximum use of the same key for encryption operations, limited to 2^20 or 2^16, as defined in Implementation Guidance A.13 SP 800-67rev1 Transition.

Cert #: C1105
  Algorithm: SHA
  Standard: FIPS 180-4
  Details: SHA-1 (BYTE-only); SHA-224 (BYTE-only); SHA-256 (BYTE-only); SHA-384 (BYTE-only); SHA-512 (BYTE-only)
    Implementation does not support zero-length (null) messages.

Cert #: C1105
  Algorithm: HMAC with SHA
  Standard: FIPS 198-1
  Details:
    HMAC-SHA1 ( Key Sizes Ranges Tested: KS BS KS BS KS BS )
    HMAC-SHA224 ( Key Size Ranges Tested: KS BS KS BS KS BS )
    HMAC-SHA256 ( Key Size Ranges Tested: KS BS KS BS KS BS )
    HMAC-SHA384 ( Key Size Ranges Tested: KS BS KS BS KS BS )
    HMAC-SHA512 ( Key Size Ranges Tested: KS BS KS BS KS BS )
    SHS Val#C1105

Cert #: C1105
  Algorithm: RSA
  Standard: FIPS 186-4
  Details: FIPS186-4:
    186-4KEY(gen): FIPS186-4_Random_e PGM(ProbRandom: ( 2048 , 3072 , 4096 ) PPTT:( C.3 )
    ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 224 , 256 , 384 , 512 )) (3072 SHA( 224 , 256 , 384 , 512 )) (4096 SHA( 224 , 256 , 384 , 512 ))
      SIG(Ver) (1024 SHA( 1 , 224 , 256 , 384 , 512 )) (2048 SHA( 1 , 224 , 256 , 384 , 512 )) (3072 SHA( 1 , 224 , 256 , 384 , 512 )) (4096 SHA( 1 , 224 , 256 , 384 , 512 ))
    [RSASSA-PSS]:
      Sig(Gen): (2048 SHA( 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (4096 SHA( 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (4096 SHA( 1 SaltLen( 20 ) , 224 SaltLen( 28 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    SHA Val#C1105; DRBG: Val#C1105

Cert #: Vendor affirmed
  Algorithm: KTS
  Standard: SP 800-56B
  Details: KTS-OAEP-basic with SHA-224, SHA-256, SHA-384, SHA-512 (key establishment methodology provides between 112 and 256 bits of encryption strength)

Cert #: C1105
  Algorithm: DSA
  Standard: FIPS 186-4
  Details: FIPS186-4:
    PQG(gen) PARMS TESTED: [ (2048,224) SHA( 224 ); (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    PQG(ver) PARMS TESTED: [ (1024,160) SHA( 1 ); (2048,224) SHA( 224 ); (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    KeyPairGen: [ (2048,224) ; (2048,256) ; (3072,256) ]
    SIG(gen) PARMS TESTED: [ (2048,224) SHA( 224 , 256 , 384 , 512 ); (2048,256) SHA( 256 , 384 , 512 ); (3072,256) SHA( 256 , 384 , 512 ); ]
    SIG(ver) PARMS TESTED: [ (1024,160) SHA( 1 , 224 , 256 , 384 , 512 ); (2048,224) SHA( 224 , 256 , 384 , 512 ); (2048,256) SHA( 256 , 384 , 512 ); (3072,256) SHA( 256 , 384 , 512 ) ]
    SHS: Val#C1105; DRBG: Val#C1105

Cert #: C1105
  Algorithm: ECDSA
  Standard: FIPS 186-4
  Details: FIPS186-4:
    PKG: CURVES( P-224 P-256 P-384 P-521 K-233 K-283 K-409 K-571 B-233 B-283 B-409 B-571 ExtraRandomBits )
    PKV: CURVES( ALL-P ALL-K ALL-B )
    SigGen: CURVES( P-224: (SHA-224, 256, 384, 512) P-256: (SHA-256, 384, 512) P-384: (SHA-384, 512) P-521: (SHA-512) K-233: (SHA-224, 256, 384, 512) K-283: (SHA-256, 384, 512) K-409: (SHA-384, 512) K-571: (SHA-512) B-233: (SHA-224, 256, 384, 512) B-283: (SHA-256, 384, 512) B-409: (SHA-384, 512) B-571: (SHA-512) )
    SigVer: CURVES( P-192: (SHA-1, 224, 256, 384, 512) P-224: (SHA-224, 256, 384, 512) P-256: (SHA-256, 384, 512) P-384: (SHA-384, 512) P-521: (SHA-512) K-163: (SHA-1, 224, 256, 384, 512) K-233: (SHA-224, 256, 384, 512) K-283: (SHA-256, 384, 512) K-409: (SHA-384, 512) K-571: (SHA-512) B-163: (SHA-1, 224, 256, 384, 512) B-233: (SHA-224, 256, 384, 512) B-283: (SHA-256, 384, 512) B-409: (SHA-384, 512) B-571: (SHA-512) )
    SHS: Val#C1105; DRBG: Val#C1105

Cert #: C1105
  Algorithm: Key Agreement Component
  Standard: SP 800-56A
  Details:
    KAS-FFC-Component: (FUNCTIONS INCLUDED IN IMPLEMENTATION: KPG Partial Validation)
      SCHEMES: Ephem: (KARole: Initiator / Responder) FB FC OneFlow: (KARole: Initiator / Responder) FB FC Static: (KARole: Initiator / Responder) FB FC
      DSA Val#C1105, SHS Val#C1105, DRBG Val#C1105
    KAS-ECC-Component: (FUNCTIONS INCLUDED IN IMPLEMENTATION: KPG Partial Validation)
      SCHEMES: FullMQV: (KARole: Initiator / Responder) EB: P-224 EC: P-256 ED: P-384 EE: P-521 EphemUnified: (KARole: Initiator / Responder) EB: P-224 EC: P-256 ED: P-384 EE: P-521 OnePassDH: (KARole: Initiator) EB: P-224 EC: P-256 ED: P-384 EE: P-521 StaticUnified: (KARole: Initiator / Responder) EB: P-224 EC: P-256 ED: P-384 EE: P-521
      ECDSA Val#C1105, SHS Val#C1105, DRBG Val#C1105

Cert #: C1105
  Algorithm: KBKDF
  Standard: SP 800-108
  Details: CTR Mode: ( Llength( Min16 Max16 ) MACSupported( [CMACAES256] ) LocationCounter( [BeforeFixedData] ) rlength( [8] ) )
    AES Val#C1105; DRBG Val#C1105

Cert #: C1105
  Algorithm: DRBG
  Standard: SP 800-90A
  Details: Hash Based DRBG: [ Prediction Resistance Tested: Not Enabled ( SHA-256 ) ( SHS Val#C1105 ) ]

Cert #: Vendor affirmed
  Algorithm: CKG
  Standard: SP 800-133
  Details: Symmetric keys are generated using the unmodified output of the approved DRBG.

Table 7 Approved algorithms

Algorithm

- Diffie-Hellman (CVL Cert. C1105, key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength)
- EC Diffie-Hellman (CVL Cert. C1105, key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength)
- EC MQV (CVL Cert. C1105, key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength)
- Allowed Non-deterministic Random Number Generator (NDRNG). NDRNG is used to seed the approved DRBG. The module generates a minimum of 256 bits of entropy for key generation.

Table 8 Allowed algorithms

2.3.2 Non-Approved Algorithms

The following table describes the non-approved cryptographic algorithms supported by the Cryptographic Module in non-Approved mode.

Algorithm

Symmetric encryption and decryption
- DES
- Two-key Triple DES encryption, MAC generation
- AES GCM with externally generated IV
- AES CBC MAC
- Aria
- Camellia
- Arc Four (compatible with RC4)
- CAST 256 (RFC2612)
- SEED (Korean Data Encryption Standard)

Asymmetric
- Raw RSA data encryption and decryption
- KTS-OAEP-basic with SHA-256 with key size less than 2048 bits
- ElGamal (encryption using Diffie-Hellman keys)
- KCDSA (Korean Certificate-based Digital Signature Algorithm)
- RSA digital signature generation with SHA-1 or key size less than 2048 bits
- DSA digital signature generation with SHA-1 or key size less than 2048 bits
- ECDSA digital signature generation with SHA-1 or curves P-192, K-163, B-163, Brainpool
- DH with key size p 2048 bits or q 224 bits
- ECDH with curves P-192, K-163, B-163, Brainpool
- EC MQV with curves P-192, K-163 or B-163
- Deterministic DSA compliant with RFC6979
- Ed25519 public-key signature
- X25519 key exchange

Hash
- HAS-160
- MD5
- RIPEMD-160
- Tiger

Message Authentication Codes
- HMAC with MD5, RIPEMD-160 and Tiger
- HMAC with key size less than 112 bits

Other
- TLS 1.0 and SSL 3.0 KDF (The protocols SSL, TLS shall not be used when operated in the Approved mode. In particular, none of the keys derived using this key derivation function can be used in the Approved mode).
- PKCS#8 padding
- EMV support: Cryptogram (ARQC) generation and verification (includes EMV2000, M/Chip 4 and Visa Cryptogram Version 14, EMV 2004, M/Chip 2.1, Visa Cryptogram Version 10)
- Watchword generation and verification
- Hyperledger client side KDF

Table 9 Non-approved algorithms
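
Section 2.2 states that a Logical Token is split in shares between smartcards or a softcard using the Shamir Secret Sharing scheme, and section 3.1 requires a quorum m of N of smartcards. The following is an added example of that m-of-N split, not code from nCipher or from the module; the prime field, the share encoding and all function names are assumptions, since the policy does not describe the module's share format.

```python
"""m-of-N Shamir split of a 256-bit logical token (added illustration).

Assumptions (not from the security policy): the prime field, the share
encoding and every name in this file are hypothetical.
"""
import secrets

PRIME = 2**521 - 1   # assumed field: a Mersenne prime far larger than a 256-bit token
TOKEN_LEN = 32       # the Logical Token is listed as AES 256-bit in Table 5


def split_token(token, quorum, total):
    """Return `total` shares (x, y); any `quorum` of them rebuild `token`."""
    if len(token) != TOKEN_LEN:
        raise ValueError("token must be 32 bytes")
    if not 1 <= quorum <= total:
        raise ValueError("need 1 <= quorum <= total")
    secret = int.from_bytes(token, "big")
    # Random polynomial of degree quorum-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    shares = []
    for x in range(1, total + 1):       # x = 0 would be the secret itself
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_token(shares):
    """Rebuild the token, rejecting results that cannot be a 256-bit value.

    Below the quorum the interpolated value is a uniformly random field
    element, so in this 521-bit field it almost never fits in 256 bits.
    """
    value = interpolate_at_zero(shares)
    if value >= 1 << (8 * TOKEN_LEN):
        raise ValueError("shares do not yield a 256-bit token (quorum not met)")
    return value.to_bytes(TOKEN_LEN, "big")


if __name__ == "__main__":
    token = secrets.token_bytes(TOKEN_LEN)          # constructed sample token
    cards = split_token(token, quorum=3, total=5)   # e.g. a 3-of-5 card set
    print("3 cards rebuild token:", recover_token(cards[:3]) == token)
    try:
        recover_token(cards[:2])
    except ValueError as exc:
        print("2 cards:", exc)
```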

3 Roles and Services

3.1 Roles

The Cryptographic Module supports the following roles:

- nShield Security Officer (NSO)
- Junior Security Officer (JSO)
- User

nShield Security Officer (NSO)

This role is represented by Administrator Card holders, which have access to KNSO and are responsible for the overall management of the Cryptographic Module.

To assume this role, an operator or group of operators need to present a quorum m of N of smartcards, and the KNSO Key Blob. Each operator is identified by its individual smartcard, which contains a unique logical token share.

Junior Security Officer (JSO)

This role is represented by either Administrator Card or Operator Card holders with a KJSO and an associated Delegation Certificate s
