
    Technologies & Products

    Version: 04.17 Classification: Public

    Haachtsesteenweg 1442 1130 Brussels Belgium

    DEP CzamDEP User Manual

    DEP Documentation

    Atos Worldline - Technologies & Products Page: 2/110 DEP CzamDEP User Manual (04.17) Classification: Public

    Version Management

    Report Version  Name(s)        Date        Comment
    04.00           Marc HAEST     04/04/2008  First draft
    04.01           Marc HAEST     15/04/2008  Feedback GB, NA, BD
    04.02           Marc HAEST     17/04/2008  Minor changes BD
    04.03           Marc HAEST     28/04/2008  Integration of first-generation (special)
    04.04           Marc HAEST     05/05/2008  Integration 1st gen ‘Customer Authority’
    04.05           Marc HAEST     10/06/2008  Integration 1st gen ‘Keys’
    04.06           Marc HAEST     25/08/2008  Addition of DCS (Init & Components)
    04.07           Marc HAEST     23/09/2008  Integration 1st gen ‘Capabilities’
    04.08           Marc HAEST     07/11/2008  Components & Terminate improvement.
    04.09           Marc HAEST     07/01/2009  Integration 1st gen ‘Definition List’, PIN retries & DCC blocked
    04.10           Marc HAEST     08/01/2009  Added cable set description
    04.11           Marc HAEST     13/01/2009  Integration 1st gen ‘Banksys Authority’ & Key Reconstruction warning.
    04.12           Marc HAEST     19/03/2009  Review comments processed (GM).
    04.13           Marc HAEST     30/03/2009  FIPS-compliant Key creation & export.
    04.14           Marc HAEST     07/04/2009  Reviewed CM, PV, DL, BN, FW, ½ MH
    04.15           Marc HAEST     09/04/2009  LV, PB, SY, 1/1 MH
    04.16           Marc HAEST     16/04/2009  Punctuations, graphics and PDF.
    04.17           Anna Papayan   20/10/2010  Minor changes


    CONFIDENTIALITY

    The information in this document is confidential and shall not be disclosed to any third party in whole or in part without the prior written consent of ATOS WORLDLINE S.A./N.V.

    COPYRIGHT

    The information in this document is subject to change without notice and shall not be construed as a commitment by ATOS WORLDLINE S.A./N.V. The content of this document, including but not limited to trademarks, designs, logos, text, images, is the property of ATOS WORLDLINE S.A/N.V. and is protected by the Belgian Act of 30.06.1994 related to author’s right and by the other applicable Acts. The contents of this document must not be reproduced in any form whatsoever, by or on behalf of third parties, without the prior written consent of ATOS WORLDLINE S.A./N.V. Except with respect to the limited license to download and print certain material from this document for non-commercial and personal use only, nothing contained in this document shall grant any license or right to use any of ATOS WORLDLINE S.A./N.V.’s proprietary material.

    LEGAL DISCLAIMER

    While ATOS WORLDLINE S.A./N.V. has made every attempt to ensure that the information contained in this document is correct, ATOS WORLDLINE S.A./N.V. does not provide any legal or commercial warranty on the document that is described in this specification. The technology is thus provided “as is” without warranties of any kind, expressed or implied, including those of merchantability and fitness for a particular purpose. ATOS WORLDLINE S.A./N.V. does not warrant or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. To the fullest extent permitted under applicable law, neither ATOS WORLDLINE S.A./N.V. nor its affiliates, directors, employees and agents shall be liable to any party for any damages that might result from the use of the technology as described in this document (including without limitation direct, indirect, incidental, special, consequential and punitive damages, lost profits).

    JURISDICTION AND APPLICABLE LAW

    These terms shall be governed by and construed in accordance with the laws of Belgium. You irrevocably consent to the jurisdiction of the courts located in Brussels for any action arising from or related to the use of this document.

    sa ATOS WORLDLINE nv – Chaussée de Haecht 1442 Haachtsesteenweg, B-1130 Bruxelles-Brussel, Belgium – RPM-RPR Bruxelles-Brussel – TVA-BTW BE 0418.547.872

    1. TABLE OF CONTENTS

    1. TABLE OF CONTENTS ..... 4
    2. SCOPE OF THE DOCUMENT ..... 7
      2.1. REFERENCES ..... 7
    3. INTRODUCTION ..... 8
      3.1. WHAT’S NEW ..... 8
      3.2. BACKWARD COMPATIBILITY ..... 8
      3.3. OPERATING ON BATTERY ..... 8
      3.4. READ-AHEAD ON DCC ..... 9
      3.5. KEY RECONSTRUCTION ENVIRONMENT ..... 9
      3.6. INFORMING AND REPORTING ..... 10
        3.6.1. General Displaying ..... 10
        3.6.2. Informal Result Displaying ..... 10
        3.6.3. Error Reporting ..... 10
        3.6.4. User Action Guidance ..... 11
        3.6.5. DCC PIN verification retry exhausted ..... 11
        3.6.6. Activity Displaying ..... 11
        3.6.7. Decision screens ..... 12
      3.7. MENU SYSTEM ..... 12
    4. GETTING STARTED ..... 13
      4.1. STARTING THE C-ZAM/DEP ..... 13
      4.2. DEP & PC COMMUNICATIONS ..... 13
      4.3. IDLE SCREEN ..... 14
        4.3.1. Detailed description ..... 14
        4.3.2. More Power and Battery status ..... 14
      4.4. MAIN MENU ..... 15
    5. INITIALISATION (FIPS 140-2) ..... 16
      5.1. ALARM STATUS ..... 17
      5.2. ALARM ADMINISTRATION ..... 17
        5.2.1. KALA Load ..... 18
        5.2.2. Authenticate ..... 18
        5.2.3. Logoff ..... 19
        5.2.4. Counters Show ..... 19
        5.2.5. Log View ..... 19
        5.2.6. Reset Count+Log ..... 19
        5.2.7. Set Log Mode ..... 19
      5.3. CUSTOMER ADMINISTRATION ..... 20
        5.3.1. Pre-Expired Change ..... 20
        5.3.2. KAWL Load ..... 22
        5.3.3. Authenticate ..... 23
        5.3.4. Logoff ..... 23
        5.3.5. Password Change ..... 23
        5.3.6. KAWL Delete ..... 24
        5.3.7. Back to Pre-Exp ..... 24
        5.3.8. Groups ..... 25
          5.3.8.1. Config Group ..... 25
          5.3.8.2. Create Member ..... 26
          5.3.8.3. Backup ..... 26
          5.3.8.4. Restore ..... 27
          5.3.8.5. Delete Member ..... 27
      5.4. APPLICATION LOAD ..... 27
        5.4.1. Authenticate ..... 27
        5.4.2. Logoff ..... 28
        5.4.3. Password Change ..... 28
    6. C-ZAM/DEP FUNCTIONALITY ..... 28
      6.1. SPECIAL FUNCTIONS ..... 29
        6.1.1. Save & Terminate ..... 30
        6.1.2. Terminate CZD Session ..... 31
        6.1.3. Status ..... 32
          6.1.3.1. Status C-ZAM/DEP ..... 33
          6.1.3.2. Status DEP ..... 33
          6.1.3.3. Status DCC ..... 34
          6.1.3.4. Status Alarm ..... 35
        6.1.4. Test ..... 35
        6.1.5. Duplicate DCC ..... 36
          6.1.5.1. DCC STOrage duplication ..... 36
          6.1.5.2. DCC DEF List duplication ..... 38
          6.1.5.3. Dual Control Storage duplication ..... 38
        6.1.6. Change DCC PIN ..... 38
        6.1.7. Calculate SW Certificate ..... 40
        6.1.8. Authenticate Boot/Alarm ..... 40
        6.1.9. Create Random ..... 41
      6.2. KEYS ..... 41
        6.2.1. Read DCC Local ..... 42
        6.2.2. Read DCC Global ..... 46
        6.2.3. Send Keys to DEP ..... 46
          6.2.3.1. Send All Keys to DEP ..... 47
          6.2.3.2. Send One Key to DEP ..... 48
          6.2.3.3. Send Key Component to DEP ..... 49
        6.2.4. Show Keys ..... 53
          6.2.4.1. Show Keys in CZD ..... 54
          6.2.4.2. Show Keys in DEP ..... 54
          6.2.4.3. Show Keys on DCC ..... 55
        6.2.5. Create Key ..... 56
          6.2.5.1. Philosophy: FIPS-compliant ..... 56
          6.2.5.2. Create in DEP & export (FIPS-compliant) ..... 56
            6.2.5.2.1. Viewing XOR components ..... 58
            6.2.5.2.2. DCS-Writing: XOR components ..... 59
            6.2.5.2.3. Combined viewing and DCS-Writing ..... 60
            6.2.5.2.4. DCS-Writing: Secret Sharing components ..... 60
            6.2.5.2.5. Interrupted or explicit SSH group export ..... 62
          6.2.5.3. Philosophy: Backward compatible ..... 63
          6.2.5.4. Reconstruction in C-ZAM/DEP (backward) ..... 64
        6.2.6. Save Local Key on DCC ..... 66
        6.2.7. Save Global Key on DCC ..... 67
        6.2.8. Erase a Key from DEP ..... 68
        6.2.9. Erase a Key from DCC ..... 69
        6.2.10. DS2 Backup ..... 70
      6.3. CAPABILITIES ..... 71
        6.3.1. Activate in DEP ..... 72
        6.3.2. Activate (in) CZD Capability ..... 76
        6.3.3. Show Capabilities ..... 77
          6.3.3.1. Show CAP CZD ..... 77
          6.3.3.2. Show CAP DEP ..... 78
          6.3.3.3. Show CAP DCC ..... 78
        6.3.4. Create DEP Capability (Create for DEP) ..... 79
        6.3.5. Save (DEP capability) on DCC ..... 80
        6.3.6. Erase (a capability) from DEP ..... 81
        6.3.7. Erase (a capability) from DCC ..... 82
      6.4. DEFINITION LISTS ..... 83
        6.4.1. Show Lists ..... 84
          6.4.1.1. Show Key Def List in CZD ..... 85
          6.4.1.2. Show Key Def List on DCC ..... 85
          6.4.1.3. Show Cap Def List in CZD ..... 86
          6.4.1.4. Show Cap Def List on DCC ..... 87
        6.4.2. Read Lists from DCC ..... 87
        6.4.3. Save Lists on DCC ..... 89
        6.4.4. Transfer Lists to/from PC (Exchange PC) ..... 90
          6.4.4.1. Send Lists to PC ..... 90
          6.4.4.2. Read Lists from PC ..... 91
        6.4.5. Erase Lists from DCC ..... 91
      6.5. CUSTOMER AUTHORITY ..... 92
        6.5.1. Restore CUST Authority ..... 92
        6.5.2. Define CUST Authority ..... 94
        6.5.3. Save CUST Authority ..... 97
        6.5.4. Customer Init DEP ..... 97
        6.5.5. Customer Init DCC ..... 98
        6.5.6. Change CUST Version Num ..... 99
        6.5.7. Erase CUST Authority ..... 99
      6.6. BANKSYS AUTHORITY ..... 100
        6.6.1. Restore BKS Authority ..... 100
        6.6.2. Define BKS Authority ..... 103
        6.6.3. Save BKS Authority ..... 104
        6.6.4. Banksys Init DCC ..... 104
        6.6.5. Create CZD Capability ..... 104
        6.6.6. Save CZD CAP on DCC ..... 105
        6.6.7. Change BKS Version Num ..... 105
        6.6.8. Change INIT Version Nbr ..... 106
        6.6.9. Erase from C-ZAM/DEP ..... 106
      6.7. CONFIGURATION ..... 106
    7. APPENDICES ..... 107
      7.1. ALPHANUMERIC ENTRY ..... 107
      7.2. C-ZAM/DEP MENU STRUCTURE OVERVIEW ..... 110


    2. SCOPE OF THE DOCUMENT

    The C-ZAM/DEP device is used to set up a secure communication link to the DEP Crypto Module. In general, the C-ZAM/DEP can be seen as the secure keyboard, chip card reader and display of the DEP Crypto Module. Typically, the C-ZAM/DEP is a personal device for the Security Officers managing the DEPs. This document explains the complete functionality of the C-ZAM/DEP. However, some common and/or recurring aspects are described once in the general chapter 3 instead of being repeated for every function. Although we cover the complete functionality, this document does not show every single screen of every menu. For most functions, the C-ZAM/DEP is used in connection with the DEP Crypto Module, and DCC (DEP Control Card) availability is assumed. This user manual is the result of adding new items to a reworked version of the previous generation’s manual. Sample screens were generated at different stages of development as well; therefore, any C-ZAM/DEP version numbers shown should be regarded as purely informative.

    2.1. REFERENCES

    This document contains references to other documents about the DEP. This paragraph gives a list of all the documents referred to.

    • DEP Introduction to DEP
    • DEP Security Mechanism
    • DEP Secret Sharing Mechanism
    • DEP PC-AUX Program User Manual
    • DEP Key Backup Conversion Guide
    • DEP Customer’s Security Officer’s Guide
    • DEP Key Entry Guide
    • DEP/PCI Security Policy (for FIPS)

    There are no references made to the following documents, but they could be useful to understand this document.

    • DEP Glossary

    It is assumed that the reader is already familiar with the concepts described in these documents.


    3. INTRODUCTION

    3.1. WHAT’S NEW

    The second generation C-ZAM/DEP is built on a new platform that has several advantages over its predecessor:

    • Several hours of full-operational battery power (really portable).
    • Larger display, allowing 4+2 lines of 20 characters each.
    • Complete C-ZAM/DEP status view in the idle screen. No need to scroll or use the menu system.
    • Three soft-keys just below the display for flexible and dedicated guidance.
    • One-number easy menu item access, even when off-display (experienced users).
    • While in menu, showing complete menu hierarchy.
    • Scrolling by (or showing) three or four items at once per keystroke in long lists.
    • Read-ahead of DCC information (non-secure parts).
    • As from version 3.20 (internal) Key Reconstruction in DEP is supported, while earlier versions only supported Key Reconstruction in C-ZAM/DEP.

    Please read carefully the important remark in section 3.5 on page 9.

    The upper display line is used as title bar in most screens, especially menu screens, showing complete menu hierarchy, while the lower display line will show soft-key functionality in most cases. The remaining four main display lines are available for menu contents, to show lists, report results, etc.

    3.2. BACKWARD COMPATIBILITY

    The way functionality is grouped in menus, and the order within the menus is kept exactly the same as in the previous generation. Although the idle screen is already showing full C-ZAM/DEP status (see section 4.3 on page 14), the earlier way of getting the information by using the menu is still available.

    3.3. OPERATING ON BATTERY

    Operation on battery is possible for several hours and, depending on battery charging history, it could very well last for nearly a complete working day. With the internal operating battery, there is no longer any risk of accidental loss of sequence and/or data in case of power connector or mains adapter problems. As soon as battery capacity drops below 30% of nominal value, an intermittent series of audible alarm bursts is sounded about every minute. See section 4.3.1 on page 14 for the visual battery capacity indication. As soon as battery capacity drops below 20% of nominal value, the intermittent series of audible alarm bursts doubles in duration, encouraging the connection of a mains adapter. Finally, for security reasons, when battery capacity drops below 10% of nominal value, the C-ZAM/DEP will automatically perform a ‘terminate session’ without save!!! Also see sections 6.1.1 and 6.1.2 from page 30 onwards for the visual battery capacity indication after voluntary session termination.


    3.4. READ-AHEAD ON DCC

    DCC communication is serial and relatively slow. The previous generation of C-ZAM/DEP required fresh DCC insertion nearly all the time and, in all cases, started reading/searching the DCC only after the user had confirmed a specific action. This new generation reads the complete non-secure contents of the DCC (List, Storage and DCS) at the moment of DCC insertion. Many operations initiated by the user will start from the information already read ahead, which makes some operations or tasks a lot faster. The time it takes to read the non-secure contents of the DCC depends on the amount of effective information present on a particular DCC. When read-ahead has finished, an intermittent and clear triple-beep is sounded. In case of inability to read, or reading problems, nothing at all will happen, in order not to interfere with the currently active screen at that moment. Furthermore, some other DCC actions are faster than before as well. Compare the time it takes to write an Authority Key …

    3.5. KEY RECONSTRUCTION ENVIRONMENT

    Prior to C-ZAM/DEP version 3.20, there was only ‘Key Reconstruction in C-ZAM/DEP’, and secrets entered in the C-ZAM/DEP could be stored on Storage DCC using the Secret Sharing system. More recent C-ZAM/DEP versions support Key Reconstruction in DEP. Clear keypad-entered components, as well as Secret Sharing components generated by the DEP Crypto Module, can be written to DCS (Dual Control Storage). Therefore, in a Key Reconstruction migration program, as well as in a voluntary mixed environment, different variants of DCC List (KR flag) can exist, and the possibility exists that a KEY (say TAG) appears on both STO and DCS types DCC.

    It is up to the customer’s (key ceremony) procedures to guarantee that the different DCC are managed and treated correctly.

    As far as a difference in KR flag is concerned, the only support the C-ZAM/DEP gives in this context is to raise a warning when reading DCC Lists that differ in KR flag (see section 6.4.2 on page 87, and the sample warning screen below). NO secrets will be cleared in the C-ZAM/DEP, nor in the DEP Crypto Module.

    Please refer to the DEP PC-AUX Program User Manual for more information on the KR flag.


    3.6. INFORMING AND REPORTING

    3.6.1. General Displaying

    Below is a first screenshot of the new generation C-ZAM/DEP.

    Screenshot annotations:
    • Top line shows menu hierarchy.
    • Four lines are available to show many types of information.
    • Bottom line shows soft-key functionality. In this case, the middle soft-key is required to resume.

    This type of ‘General Displaying’ is done until the OK soft-key is pressed.

    3.6.2. Informal Result Displaying

    In cases where a screen is no more than a simple confirmation of a clear choice or status, an info-OK screen may be shown. This type of screen disappears automatically after about four seconds, but an experienced user who wants to work fast can dismiss the screen with the OK (soft-) key. Below is a first sample of informational displaying:

    Screenshot annotations:
    • No title shown.
    • Fall-back to the previous menu immediately after timeout.
    • The OK (soft-) key terminates displaying before timeout.

    3.6.3. Error Reporting

    In some cases, when an error occurs or certain conditions are not met and the risk of the user missing the report is too high, manual and explicit confirmation is mandatory.

    The CONFIRM (soft-) Key is mandatory to continue.


    3.6.4. User Action Guidance

    Sometimes the user must take corrective action before continuing. In such case, the C-ZAM/DEP will prompt with a screen as shown below, and will resume after such corrective action.

    No (soft-) Key escape possible. Corrective action must be done to continue.

    3.6.5. DCC PIN verification retry exhausted

    If ever a DCC has three successive non-successful PIN verifications, it will become blocked and useless, and the C-ZAM/DEP will indicate this with the following screen:

    Indeed, exhausting the PIN verification retries should be considered dangerous and a security violation. The user should consult his organization’s security procedures in order to properly destroy the DCC. For normal PIN verification retries, see the guidance in this document. The screen above is valid throughout this document and will not be shown systematically in this document’s user guidance.
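    As an added illustration (not from the manual, and not the DCC’s actual card firmware), a small Python model of the retry policy described above: three successive failed verifications block the card for good, and a successful verification resets the count. The decrement-before-compare ordering is an assumed good practice for such counters, not something the manual states.

```python
"""Simulation of the DCC PIN retry policy (constructed example)."""
import hmac

MAX_TRIES = 3  # the manual: three successive failures block the DCC


class DccPinSim:
    """Toy model of a DEP Control Card's PIN check (assumed behaviour)."""

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.tries_left = MAX_TRIES

    @property
    def blocked(self) -> bool:
        # Once the counter reaches zero the card is blocked and useless;
        # nothing in this model can restore it (the DCC must be destroyed).
        return self.tries_left == 0

    def verify(self, candidate: str) -> str:
        """Return 'ok', 'wrong' or 'blocked' for one verification attempt.

        The counter is decremented before the comparison (assumption), so an
        interrupted verification can never leave a free attempt behind; a good
        PIN restores the full count, which is what 'successive' means above.
        """
        if self.blocked:
            return "blocked"
        self.tries_left -= 1
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = MAX_TRIES
            return "ok"
        return "blocked" if self.tries_left == 0 else "wrong"


def run_ceremony(pin: str, attempts: list[str]) -> list[str]:
    """Feed a constructed sequence of PIN entries to one simulated card."""
    card = DccPinSim(pin)
    return [card.verify(a) for a in attempts]


if __name__ == "__main__":
    # Constructed sample: one slip, a recovery, then three failures in a row.
    print(run_ceremony("1234", ["0000", "1234", "1111", "2222", "3333", "1234"]))
```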

    3.6.6. Activity Displaying

    Activity Displaying is no more than a simple confirmation of a clear user’s choice, or to indicate some background activity that takes a relatively long time to execute. Typically DEP communications (especially in Remote mode) might take somewhat longer when relatively large information blocks are exchanged:

    Screenshot annotations:
    • Top line shows menu hierarchy (might not always be there).
    • Current activity shown.


    3.6.7. Decision screens

    At some points the user should decide whether or not he wants to continue, overwrite already existing records, or some other comparable choice. Whenever this possibility exists, or choice is necessary, a screen like below will be shown, offering the YES and NO soft-keys as in the following sample screen:

    Screenshot annotations:
    • Top line shows menu hierarchy.
    • Description of the decision to be made.
    • YES and NO soft-keys.

    3.7. MENU SYSTEM

    Below is a sample screenshot of the Main Menu.

    Screenshot annotations:
    • Top line shows menu title (top of hierarchy here).
    • Four menu lines are shown on this screen. The first item is highlighted in this sample screen.
    • Pressing the ‘OK’ soft-key in the middle will activate the highlighted item, while the left & right soft-keys (arrows) can be used to move the highlight to another item in the list.
    • Small pointing-down arrow in line four indicates ‘more below’.
    • Bottom line shows soft-key functions.

    Any menu item in the list can be selected, either:
    • By moving the highlight on to it with the Up & Down soft-keys, and then pressing OK.
    • By pressing the numeric key that corresponds to the number of the menu item. In this sample screen, when the ‘3’ numeric key is pressed, the Capabilities menu will be activated. Selecting an item by numeric key works for off-display items in the list as well, which is extremely useful and fast for experienced users.

    Pressing the Down soft-arrow key when the last visible item is highlighted will scroll the menu up. Similar scrolling down will happen with the Up arrow key when the first visible item is highlighted. Scrolling will only happen when there is more available in the scrolling direction, and scrolling will stop when the first (or last) item is reached. Scrolling with OK and direct numeric key selection are not related to one another: scrolling does not influence direct numeric key selection at all. At whatever level in the menu system, provided the C-ZAM/DEP is showing the menu, pressing the red STOP key will transfer to the next higher level menu (i.e. where the user came from). In this higher level (displayed) menu, the item previously selected will be highlighted, independent of the last selection method, allowing for fast re-selection with the OK (soft-) key.


    4. GETTING STARTED

    4.1. STARTING THE C-ZAM/DEP

    There are two ways of starting/powering the C-ZAM/DEP, either by:

    • Connecting the power supply.

    • Pressing the yellow Corr/On key, provided the battery is present and charged.

    There is no real ON/OFF (toggle) switch available. In order to start/work correctly, the presence of a battery is mandatory, even if it is not charged at all. Remember to only use the correct power supply adapter delivered with the C-ZAM/DEP, having the following characteristics:

    • Input : A.C. 230 V @ 50 Hz (105 mA)

    • Output : 6 VDC / 1.8 A max

    The use of other power supplies could damage the C-ZAM/DEP, or result in battery damage or poor battery charging.

    4.2. DEP & PC COMMUNICATIONS

    The figure above shows the cable set that is delivered with every C-ZAM/DEP. The set consists of one long and one short cable. When both are connected together by their matching DB9 connector, the compound cable can be used to connect a C-ZAM/DEP with a DEP Crypto Module (upper part of the figure). The same compound cable is used to connect to either the ‘C-ZAM’ or ‘Alarm’ serial port of the DEP Crypto Module. The longer of the two cables can be used separately to connect the C-ZAM/DEP to a PC, as can be seen in the lower part of the figure.


    4.3. IDLE SCREEN

    4.3.1. Detailed description

    After the boot sequence of the C-ZAM/DEP the idle screen will appear. This idle screen shows the complete C-ZAM/DEP status, as in the sample screenshot shown below.

    Figure explanation:

    • The Power Supply & Charging indicator shown is empty: no supply and not charging (working on battery).

    • The Battery Level indicator shows 30% charged (one bar for each 10%).

    • The overall Software Package version is 2.0a.

    • When powering on a C-ZAM/DEP, the Usage is always ‘Unknown’. The Menu will be active only after a Usage has been selected.

    • When starting a ‘virgin’ C-ZAM/DEP, Mode/Level/CustID is always as shown. Erasing the CUST and BKS levels will return to this ‘virgin’ combination.

    Every time a C-ZAM/DEP is powered, the ‘Usage’ is unknown, and should be selected first by either the middle or the rightmost soft-key. Only after such selection will the ‘Menu’ soft-key allow the Main Menu to be started. Whenever the Idle Screen is visible, the Local & Remote soft-keys allow switching between the two Usages. One can always go back to the idle screen by escaping from the menus with the red STOP key (one STOP for every menu level escape). Since both Local and Remote modes have their restrictions, a short warning will be shown after selection of each one (or when switching).

    Local (left) and Remote (right) warning screens.

    4.3.2. More Power and Battery status

    In the Idle screen shots below, one can see that several things have changed since the previous one. The left one shows that the battery is charging (star) and the battery charge level increased to 40%. The right one shows charging stopped (no more star) while the battery is full, and the C-ZAM/DEP is working on the external power supply (a bold dot has replaced the star).

    Idle screen fields (legend): Power Supply & Charging indicator; Battery Level indicator; Overall Software Package version; Usage (local or remote); Capabilities Version at current level; CUST ID; Mode (DEV/TST/LIV); Level (INIT/BKS/CUST).

    In the meantime, the operator has also chosen the LOCAL usage.

    4.4. MAIN MENU

    Once the ‘Usage’ has been defined (a warning is shown if not), the Main Menu can be opened by pressing the Menu key (just above the red STOP key). Just for information, the small arrow printed in white on the Menu key serves for Capital Letter entry in alphanumeric entry mode(s). The Main Menu currently consists of eight (8) items, which are visualized below. The second screenshot has been taken either after navigating down with the arrow keys, or after direct selection with the numeric 8 key.

    Users who are familiar with the first-generation C-ZAM/DEP device will immediately recognize the first six Menu items as being fully compatible and in exactly the same sequence. Two new items have been added. The Configuration item is new, and will serve mainly for future development extensions. The Initialisation item is new as well and is already fully implemented. It serves the DEP/PCI v4 card’s FIPS 140-2 compliance. Although this item should be used first in the FIPS context, it was added as the new (and last) item, in order to keep compatibility for experienced users. Nevertheless, this new Initialisation item is described first, in the next chapter. For the purpose of procedure writing and auditing, the C-ZAM/DEP menu structure overview in appendix 7.2 on page 110 clearly states the FIPS-compliant items.


    5. INITIALISATION (FIPS 140-2)

    This Main Menu item serves the purpose of full dual control and FIPS 140-2 compliance for DEP/PCI v4 cards, and it covers regular application loading as well as BOOT and ALARM firmware upgrade. In this entire functional chapter, the C-ZAM/DEP is merely acting as a simple terminal, and adds no intelligence whatsoever. There is only one small exception, in order to help prevent redoing long sequences: it verifies the minimum length requirements during ‘credentials’ input, and asks to re-enter a particular part if necessary. Any other verification (like authentication) is done in the DEP Crypto Module itself. The first level of the Initialisation menu looks as shown below.

    Because of the rather time-consuming and frustrating (each time, each DEP) manual data entry in this menu, a shorter method is provided. The Dual Control Storage (DCS) cards are used to speed up the initialisation process. Part of the DCS card is reserved for Credentials & Key Part storage, protected for both read and write by a user PIN. Pre-expired credentials and KAWL parts are communicated to customers in secured envelopes. Everyone is given the opportunity to enter these data on the C-ZAM/DEP keyboard only once in a lifetime, even without needing a DEP, and write them to a PIN-protected DCS. The same opportunity is given for new (free to define) credentials for all roles.

    The general principle that applies to the entire ‘Initialisation’ menu is as follows. Whenever the user is supposed to enter data supported by the DCS, and a DCS is present in the reader of the C-ZAM/DEP, the latter will investigate whether the data (or part of it, see 5.3.2) is present on the DCS. If so, the C-ZAM/DEP will ask for the user PIN, read and use the part(s) present, and skip manual entry for the parts found. Required input not found on the DCS will be asked for by manual entry. Once all data for a menu item has been entered, and the final OK is pressed to send it to the DEP, the C-ZAM/DEP will again check for DCS presence. If present, and (some part of) the data was entered manually, the C-ZAM/DEP will update the DCS before sending to the DEP. This also means that preparing a DCS in a quiet environment is possible without a DEP. If the DCS was inserted just before writing (or nothing was read before), the C-ZAM/DEP will ask for the user PIN just before writing. In all cases, the PIN remains valid for the entire period that the DCS remains powered without interruption, which means that the user PIN introduction is required only once during the entire DCS preparation.

    This icon will be used in the individual menu item descriptions to indicate special behavior (shortcut) when a proper DCS is present in the C-ZAM/DEP DCC reader at an appropriate and specific moment.

    A typical example of combined DCS data re-use and manual entry is ‘KAWL Load’ (section 5.3.2 on page 22). A typical PIN entry at DCS write time is when pre-expired credentials are first modified with a virgin DCS in the C-ZAM/DEP reader (section 5.3.1 on page 20). Although it is technically possible to combine both the Admin and SWL roles on one DCS, this manual has been written on the assumption that a separate DCS is prepared for each individual role, in conformance with the ‘FIPS DEP Security Policy’.

    5.1. ALARM STATUS

    This ordinary straightforward command (no menu behind it) has been provided to allow any kind of operator to easily verify whether there is an alarm (tamper) situation, without leaving this ‘Initialisation’ menu. In most cases the C-ZAM/DEP will be physically connected (see section 4.2 on page 13) to the Main CPU. In some products integrating the DEP/PCI card, the Alarm CPU communications port may not even be directly accessible from the outside (DEP/T6). The underlying command is supported by both the Main and Alarm CPUs. The C-ZAM/DEP may be connected to either of the two C-ZAM/DEP communications ports on the DEP/PCI card. The C-ZAM/DEP will first attempt with the Main CPU device code, and retry with the Alarm CPU device code if necessary. Below is a screenshot of the Main CPU status. When connected to the Alarm CPU, some fields are meaningless and will show ‘-‘.

    This is the screen when the C-ZAM/DEP is connected to the Main CPU. The real alarm situation (if any) is reported identically for both. No more Pre-Expired (pp), both Authenticated (AA), and both Key Parts loaded (KK). Only two out of six Software Loading group members defined and none Authenticated (0A).

    This is the screen when the C-ZAM/DEP is connected to the Alarm CPU. The real alarm situation (if any) is reported identically for both. Pre-Expiry (--) does not apply to the Alarm CPU.

    5.2. ALARM ADMINISTRATION

    Alarm Administration is reserved for ATOS Worldline, and therefore this complete section 6.2 and its sub-sections do not apply to regular customers. However, for the sake of completeness, a minimum is described here, since the menu is visible to any regular user.

    In the rare case that the Alarm CPU would need a firmware upgrade, the following ‘ALA Admin’ submenu provides the means to do so in a secure ‘dual control’ way. The reconstructed KALA 128 bit AES key should be present in the Alarm CPU, and both Alarm Administrators should be authenticated. The transfer of the encrypted and signed firmware itself is out of scope here; a separate serial communications tool is required. Below is the complete ‘ALA Admin’ submenu.

    5.2.1. KALA Load

    The first item serves the purpose of loading two AES 128 bit key parts. After recombination by the Alarm CPU, this key will serve to decrypt the firmware upgrade and verify its MAC. For both key parts, the Alarm Administrators must supply full credentials (user name and password), along with the key part value and key check value. Because the sequence is nearly identical to Main CPU administration, and the Alarm Administration is reserved for ATOS Worldline, only the first screen is shown here. For the complete sequence, please consult the KAWL equivalent, section 5.3.2 on page 22.

    Because full credentials are supplied with key part loading, the administrator concerned will be automatically authenticated as well.

    5.2.2. Authenticate

    This item is for ALA Administrator Authentication only. Since key part values have to be entered only once, and are kept and protected by the DEP/PCI secure module afterwards, authentication only will be sufficient when key loading and firmware upgrade are done in different sessions. The same remarks as in the previous section apply here, and furthermore, the authentication screens (credentials only) are identical. So please refer to section 5.3.3 on page 23 for sample screenshots.


    5.2.3. Logoff

    Obviously, Alarm Administrators should log off as soon as possible after their intervention. After an Alarm Software upgrade, logoff is automatic.

    5.2.4. Counters Show

    The Alarm processor keeps counters for every type of alarm. This item allows these counters to be viewed on the C-ZAM/DEP. Upon selection of this menu item, and after a short communication with the Alarm CPU, a screen as shown below will appear on the C-ZAM/DEP:

    The Alarm CPU maintains nine counters. The remaining counters not shown here can be visualized by navigating with the ‘Next’ soft key. The STOP soft key will go back to the ALA Admin menu.

    5.2.5. Log View

    The Alarm CPU not only keeps the Alarm counters as explained in the previous section, but also keeps track of the different events (alarms) that make the counters advance. Selecting this submenu item will show all events, the most recent one first (on top). Since only four lines are available to view these events, scrolling with soft keys is supported as well. Of these four lines, only three entries are shown at a particular time, while the first line just below the menu title shows the current/total entry numbering.

    Simulated event log sample screen, not related to the counters in the previous section. The first 3 events of a total of 20 are shown in the next three lines. The most recent event (last logged, first shown) is on top. The navigation soft keys permit scrolling through the entire event log, while the STOP soft key is needed to regain menu control.

    5.2.6. Reset Count+Log

    Supposing that both ALA Administrators are authenticated (and that communications are working), this item will just show a confirmation screen that the counters and log have been cleared. Admin authentication verification is a pure DEP Crypto Module matter, and any problem arising will result in a general Error Reporting screen.

    5.2.7. Set Log Mode

    Supposing that both ALA Administrators are authenticated (and that communications are working), this item allows setting both the Event Log and Trace modes.

    FIFO (first in first out) mode for the Event Log means that only the last 128 events are kept, and that older events are overwritten. FINO (never out) means that event logging will stop when the Log is full (but counting will continue of course). When Trace Mode is enabled, the Alarm CPU will output a single ASCII character for every new and every disappearing alarm. Just select one of the four combinations in the selection screen that will be shown:

    Admin authentication verification is a pure DEP Module matter, and any problem arising will result in a general Error Reporting screen.
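As an added example (not code from this manual or from Worldline), the following Go program models the Alarm CPU counters and event log described in sections 5.2.4 to 5.2.7, to show what differs between the two Event Log modes once the 128-entry log is full: in FIFO mode the oldest entries are lost, in FINO mode the newest ones are never logged, and the nine counters advance either way. The type names, the running Seq number (which makes lost entries visible to an auditor) and the choice to count only appearing alarms are assumptions of this example; the manual gives only the capacity, the counter count and the two mode definitions.

```go
package main

import (
	"errors"
	"fmt"
)

// LogMode is the Event Log mode chosen in 'Set Log Mode'.
type LogMode int

const (
	FIFO LogMode = iota // first in, first out: the oldest events are overwritten
	FINO                // never out: logging stops when the log is full
)

// Values taken from the manual: the log keeps the last 128 events and the
// Alarm CPU maintains nine counters.
const (
	logCapacity = 128
	alarmTypes  = 9
)

// Event is one log entry. Seq is a running number (assumption of this
// example) so that gaps caused by a full FINO log are visible.
type Event struct {
	Seq       int
	AlarmType int
	Appeared  bool // true when the alarm appears, false when it disappears
}

// AlarmLog models the counters plus the event log of the Alarm CPU.
type AlarmLog struct {
	mode     LogMode
	counters [alarmTypes]int
	events   []Event // oldest first
	seq      int
	unlogged int // events that found the log full in FINO mode
}

func NewAlarmLog(mode LogMode) *AlarmLog {
	return &AlarmLog{mode: mode}
}

// Record counts an appearing alarm (assumption: disappearances are logged
// but not counted) and logs the event. Counting always happens; whether the
// event is logged depends on the mode once the log is full.
func (l *AlarmLog) Record(alarmType int, appeared bool) error {
	if alarmType < 0 || alarmType >= alarmTypes {
		return errors.New("unknown alarm type")
	}
	if appeared {
		l.counters[alarmType]++
	}
	l.seq++
	ev := Event{Seq: l.seq, AlarmType: alarmType, Appeared: appeared}
	if len(l.events) < logCapacity {
		l.events = append(l.events, ev)
		return nil
	}
	switch l.mode {
	case FIFO:
		l.events = append(l.events[1:], ev) // drop the oldest, keep the newest
	case FINO:
		l.unlogged++ // log full: the event is counted but never logged
	}
	return nil
}

// View returns the entries newest first, the order 'Log View' uses.
func (l *AlarmLog) View() []Event {
	out := make([]Event, len(l.events))
	for i, ev := range l.events {
		out[len(l.events)-1-i] = ev
	}
	return out
}

// TotalCount sums the nine counters.
func (l *AlarmLog) TotalCount() int {
	total := 0
	for _, c := range l.counters {
		total += c
	}
	return total
}

// Unlogged reports how many events were counted but not logged (FINO only).
func (l *AlarmLog) Unlogged() int { return l.unlogged }

// Reset clears counters and log, as 'Reset Count+Log' does.
func (l *AlarmLog) Reset() { *l = AlarmLog{mode: l.mode} }

func main() {
	for _, mode := range []LogMode{FIFO, FINO} {
		l := NewAlarmLog(mode)
		// Constructed input: 130 appearing alarms cycling through the nine types.
		for i := 0; i < 130; i++ {
			_ = l.Record(i%alarmTypes, true)
		}
		v := l.View()
		fmt.Printf("mode %d: counted %d, logged %d (newest seq %d, oldest seq %d), unlogged %d\n",
			mode, l.TotalCount(), len(v), v[0].Seq, v[len(v)-1].Seq, l.Unlogged())
	}
}
```

The practical point for whoever reviews the log after a tamper event: under FINO, a counter total higher than the number of log entries means events went unrecorded, and the log then shows the oldest activity, not the most recent; under FIFO it is the other way round.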

    5.3. CUSTOMER ADMINISTRATION

    Customer Administration is intended for real CUST administrators, and supports all that is necessary to personalize the DEP/PCI card, enter the key for software decryption, and define the Software Load operators. The final load authorization for the application is done in another menu, described in the next section (5.4 on page 27). Below is the complete ‘CUST Admin’ submenu. The detailed discussion of the individual items follows immediately after.

    However, because the third item (Groups) is again a sub-menu, it will be discussed at the end.

    5.3.1. Pre-Expired Change

    DEP/PCI cards leave the factory with pre-expired administrator credentials, which means that the customer must change to his own administrator credentials before the card can be used. Both initial sets of credentials will be sent in two different envelopes to different destinations. The complete sequence of screens to change one set of the pre-expired credentials is shown below. (The DEP will determine which of both sets is to be changed by comparing the ‘Login Name’).

    One of the pre-expired login names from the envelopes …


    The password corresponding to the pre-expired login name from the same envelope …

    The two screens above will be skipped (or replaced by a PIN introduction screen) when a DCS containing pre-expired data is present.

    The administrators must define their own login names. They must both be different, and have at least 2 characters. The administrators must also define their own administrator passwords. They must both be different, and have at least 10 characters. Passwords must be entered twice for confirmation (to avoid changing a password to something that can no longer be reproduced …).

    The three last screens above will be skipped (or replaced by a PIN introduction screen) when a DCS containing administrator credentials is present. Supposing a virgin DCS is present in the reader, the C-ZAM/DEP will now ask for the DCS user PIN before attempting to save all data entered on the DCS.

    After changing the pre-expired passwords, we still need some Software Loading operators defined and authenticated, and a key KAWL.

    5.3.2. KAWL Load

    KAWL is a 256 bit AES key from which some variants are derived, used for software decryption and MAC verification, as well as encryption of the group & member backup. The dual control principle requires the KAWL to be entered as two parts that will be recombined in the secured FIPS-certified device, which is the DEP/PCI Crypto Module in this case. To guarantee the dual control principle, full administrator (Customer, not pre-expired) credentials are required for both parts.

    Customer administrator login name (one of both)

    Corresponding Customer administrator password

    The two screens above will be skipped (or replaced by a PIN introduction screen) when a DCS containing administrator credentials is present. In our earlier scenario of preparing a DCS, the DCS is still present: its data will be read, but no PIN will be asked for, since the DCS was left in the reader.

    Each of the two Customer administrators owns one of the two KAWL parts. The key part is entered as 64 hex digits, followed by its corresponding Key Check Value (6 hex digits).

    In our earlier scenario of preparing a DCS, with the DCS still present and fresh data being entered from the keyboard, no PIN will be asked for, but the DCS will nevertheless be updated with the KAWL part data.
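The following Go program is an added example, not code from this manual or from Worldline. It shows the local checks a key custodian can apply to a typed KAWL part before it is sent to the DEP: validation of the 64 hex digits, and comparison of the typed 6-digit key check value with one computed over the part, so that a typing error (or a KCV that does not belong to this part) is caught without either custodian learning the other's part. It assumes the KCV convention most HSMs use (AES-encrypt an all-zero block under the key, keep the first 3 bytes) and XOR recombination of the two parts; the manual states only the digit counts and that the parts are recombined inside the DEP/PCI module. The sample parts are constructed values, not key material.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Lengths taken from the manual: a KAWL part is typed as 64 hex digits
// (a 256-bit AES value) and is followed by a 6-hex-digit key check value.
const (
	partHexDigits = 64
	kcvHexDigits  = 6
)

// ParseKeyPart validates the typed key part (spaces allowed for readability)
// and decodes it to its 32-byte value.
func ParseKeyPart(typed string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(typed, " ", ""))
	if len(s) != partHexDigits {
		return nil, fmt.Errorf("key part must be %d hex digits, got %d", partHexDigits, len(s))
	}
	part, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("key part is not hexadecimal: %w", err)
	}
	return part, nil
}

// KCV computes a key check value: encrypt one all-zero block under the key
// and keep the first 3 bytes (6 hex digits).
// ASSUMPTION: the manual gives only the KCV length, not the algorithm the
// DEP/PCI card applies; this is the common HSM convention.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key) // AES-256 for a 32-byte key
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:kcvHexDigits/2])), nil
}

// CheckKeyPart is the custodian's local sanity check: the typed KCV must match
// the KCV computed over the typed part, otherwise the part was mistyped (or the
// envelope values do not belong together) and should be re-entered before
// anything is sent to the DEP.
func CheckKeyPart(typedPart, typedKCV string) ([]byte, error) {
	part, err := ParseKeyPart(typedPart)
	if err != nil {
		return nil, err
	}
	if len(typedKCV) != kcvHexDigits {
		return nil, fmt.Errorf("KCV must be %d hex digits", kcvHexDigits)
	}
	want, err := KCV(part)
	if err != nil {
		return nil, err
	}
	if !strings.EqualFold(want, typedKCV) {
		return nil, errors.New("key check value mismatch: re-enter this key part")
	}
	return part, nil
}

// Recombine XORs the two parts into the full key and returns its KCV.
// ASSUMPTION: the manual says the parts are "recombined" inside the DEP/PCI
// module without naming the operation; XOR is the usual dual-control split.
// This function only illustrates that step: in the real ceremony it happens
// inside the crypto module, and neither custodian ever sees the full key.
func Recombine(p1, p2 []byte) ([]byte, string, error) {
	if len(p1) != len(p2) {
		return nil, "", errors.New("key parts differ in length")
	}
	key := make([]byte, len(p1))
	for i := range p1 {
		key[i] = p1[i] ^ p2[i]
	}
	kcv, err := KCV(key)
	return key, kcv, err
}

func main() {
	// Constructed sample parts (not real key material).
	partA := strings.Repeat("0123456789ABCDEF", 4)
	partB := strings.Repeat("FEDCBA9876543210", 4)
	a, _ := ParseKeyPart(partA)
	b, _ := ParseKeyPart(partB)
	kcvA, _ := KCV(a)
	kcvB, _ := KCV(b)
	fmt.Println("KCV part A:", kcvA)
	fmt.Println("KCV part B:", kcvB)
	if _, err := CheckKeyPart(partA, "000000"); err != nil {
		fmt.Println("mistyped KCV detected:", err)
	}
	_, kcvKey, _ := Recombine(a, b)
	fmt.Println("KCV of recombined key:", kcvKey)
}
```

Each custodian can run CheckKeyPart on their own part alone; the per-part KCVs reveal nothing about the combined key, whose KCV the DEP/PCI card is the only place to compute in practice.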


    5.3.3. Authenticate

    Whenever credentials are supplied, the corresponding security officer becomes authenticated automatically. But because such an officer (especially an administrator) does not necessarily perform all of his tasks in one and the same session, it might be required to log off (see next section 5.3.4) in one session and to re-authenticate at the beginning of the next session. This section shows the input screens that appear during authentication. Input is limited to supplying basic credentials.

    Customer administrator login name.

    Corresponding Customer administrator password.

    In our earlier scenario of preparing a DCS, this menu would not be used. However, when trying to Authenticate in the field with a DCS (with data) present in the reader, the C-ZAM/DEP would just ask for the user PIN, read the user name and password from the DCS, and send them to the DEP.

    5.3.4. Logoff

    Customer administrators can perform their jobs (or parts of them) in different sessions. A session obviously must be terminated by a logoff sequence, so that nobody else can act as such in their absence. This means of course that a new (next) session must start with full-credential authentication (see previous section 5.3.3). Logoff is just a simple menu command without additional screens. It is the DEP/PCI card itself that will verify whether the conditions are met to accept the logoff. If not, the C-ZAM/DEP will show the error. DCS presence does not change this behavior at all, of course.

    5.3.5. Password Change

    Obviously, full credentials must be supplied first in order to change one’s password. The input screens used are much the same as the previous ones (only the title differs).

    The two screens above will be skipped (replaced by a PIN introduction screen) when a DCS containing administrator credentials is present.

    These two screens are then followed by two more, asking for ‘New Password’ and ‘Confirm New Password’. Effectively showing those screens here would not have any real advantage. A variant of these screens for Application Loaders (SWL group) is shown in section 5.4.3 on page 28. Here as well, it is the DEP/PCI card that will evaluate all input. An individual can change his/her password without needing other members or full group authentication, on any DEP where he/she is known and no other group is currently authenticated. Administrators should have changed their pre-expired passwords previously.

    5.3.6. KAWL Delete

    KAWL deletion is the easiest way for Customer administrators to inhibit Software Loading in a particular DEP/PCI card, while leaving the remainder of card initialization intact. KAWL delete is just a simple command to the DEP/PCI card. It is the DEP/PCI card itself that will verify whether conditions are met (admin authenticated) to accept the delete request. If not, the C-ZAM/DEP will show the error.

    5.3.7. Back to Pre-Exp

    Customer administrators can reset a DEP/PCI card into an identical state as it was first received. It is the easiest way of DEP/PCI card reconditioning when DEP/PCI card ‘ownership’ changes, and as a consequence, particular card management changes from one administrator pair to another. Imagine an organization with different business units that share a common IT and HSM infrastructure. Each business unit could easily have their own dedicated DEP/PCI cards and their own pairs of security officers. Back to Pre-Exp is just a simple command to the DEP/PCI card. It is the DEP/PCI card itself that will verify whether conditions are met (admin authenticated) to accept this request. If not, the C-ZAM/DEP will show the error.


    5.3.8. Groups

    Security officers other than administrators are organized in groups. The groups need to be defined by the Customer Administrators before they can be practically used. Part of this job is also to create the individual members in each group. The few screens below show the complete Groups sub-menu. Remark that three of the four lines are common to both screens. They are all implemented only once of course, but the screens show a non-scrolled and scrolled menu view.

    5.3.8.1. Config Group

    In fact, the administrators cannot just configure any group they like. It is the DEP/PCI firmware (boot) or software (application) that dictates the particular groups they support. Therefore, the C-ZAM/DEP will first try to communicate with the DEP in order to find out the supported group names. If only one group is supported, a selection procedure does not apply. However, consider the simulated case of three groups supported; then the user will have to select one particular group as shown below.

    At the time of documentation release, SWL is the only group supported by the Boot. Multiple group support in C-ZAM/DEP is for future extension. A group is selected either by moving the highlight to it with the soft up/down keys, or pressing its number on the numeric keypad. Then pressing the OK soft key twice (focus + confirmation).

    Next, the number of members wanted in that group needs to be specified.

    Assuming the first group has been selected in the above screen.

    The number of members must be at least 2 and at most 6. Trying to specify a value outside this range will result in error reporting.

    This error is generated by the C-ZAM/DEP locally to avoid unnecessary DEP Crypto Module communications.

    A correct value acceptance on the other hand will be confirmed as well, but only after successful DEP Crypto Module communication and verification.


    This is reporting of successful group configuration. Of course, an error could be reported, such as communications problems, or administrator authentication problems, …

    5.3.8.2. Create Member

    A group can only be effectively used after creating a sufficient number of members. A group member is a member of a specific security officer team with a specific role. In order to create a group member, full credentials have to be provided. This means that a group member must be physically present at that particular time. In order not to overload this document, the screens are provided as is. Although a bit different due to the second password entry for confirmation, the credentials entry should be rather familiar by now.

    In order not to interfere with the administrator DCS, and not to combine roles on a DCS by accident, automatic SWL credentials input from DCS is currently only available in the ‘Application Load’ menu (see section 5.4 on page 27).

    Some of the possible reporting, other than communications problems:

    Obviously, the left screen is the success behavior, while the right screen says excess member creation was refused.

    5.3.8.3. Backup

    Both the Backup and Restore sub-menu items are for quick and easy duplication of groups and members all together in several DEP/PCI cards. The backup is encrypted by the DEP/PCI card with a variant of KAWL, and stored in the C-ZAM/DEP memory in such a way that it survives a power recycle. No user input is required, but after the DEP communications and evaluation, an error can be reported of course.

    When KAWL has not been loaded, the KAWL variant used to encrypt the backup cannot be calculated.

    But in most cases, all will probably go just fine.

    5.3.8.4. Restore

    Restore is somehow the reverse operation of Backup. The encrypted (group) configuration backup file stored in the C-ZAM/DEP can be duplicated to several DEP/PCI cards. It is the Boot firmware that will verify whether all requirements are met before restoring a configuration. No user input is required, and feedback comparable to the previous section can be expected.

    5.3.8.5. Delete Member

    As organizations’ models and priorities change from time to time, security officers’ roles and responsibilities can change as well. One can think of lots of different reasons why a group member should sometimes be deleted. Because every member, regardless of the group he/she belongs to, must have a unique login name, there is no need to ask for a group name. The credentials themselves are sufficient for the member to be determined by the DEP/PCI card (either boot or application, if the latter supports groups). The screens, except for the title on top, are identical to authentication (section 5.3.3 on page 23), and therefore it does not make a lot of sense to include them here. If all conditions are met, and the credentials supplied are OK, the C-ZAM/DEP will report

    5.4. APPLICATION LOAD

    This sub-menu is for the members of the SWL group.

    5.4.1. Authenticate

    In order to make the Boot firmware load an application, at least two members of the SWL group must be authenticated. The authentication guidance (screens) is exactly the same as for the earlier credentials supplying. So please refer to section 5.3.3 on page 23 for sample screenshots.


    5.4.2. Logoff

    The safest practice is to log off every time the SWL group members end their attendance of DEP/PCI cards that are not yet completely loaded. Normally, all SWL member authentications are automatically removed at the end of the Application Loading. However, this is a characteristic of each group individually, and therefore the logoff feature needs to be there. No user input needs to be supplied. See also section 5.3.4 on page 23.

    5.4.3. Password Change

    A password change feature is offered for group members. Full credentials need to be supplied, as well as a double new password introduction, the second of which serves to defend against typing mistakes.

    Section 5.3.5 on page 23 describes a similar feature for the customer administrators. Note that only the title in the screens is different. An individual can change his/her password without needing other members or full group authentication, on any DEP where he/she is known and no other group is currently authenticated. SWL members should have been added to the SWL group previously. It might be wise to use the backup feature (see section 5.3.8.3 on page 26) to update other DEP Crypto Modules at an appropriate time.

    6. C-ZAM/DEP FUNCTIONALITY

    The remainder of the Main Menu (all except the previous chapter, 5 Initialisation) serves the purpose of full backward compatibility with the former C-ZAM/DEP terminal, and can be used for any version of DEP/PCI card. It is the combination of firmware and software loaded on the card that will either allow or refuse certain mechanisms. However, some functions provided on the previous platform have never been used as initially foreseen, and some were replaced by other tooling (signing applications), or discontinued by a change in philosophy (no more delivery of CAP_AUTH_BKS). Whenever this is the case, the menu items are still there and the summaries still contain the items, but the functionality behind the items is no longer there, and the summary in this manual clearly shows that the item has been discontinued. Furthermore, the discontinued items will appear in italics in the C-ZAM/DEP menu structure overview in appendix 7.2 on page 110.

    This has an advantage for the more experienced user. Instead of showing a functional User Interface, the screen below will be shown for a few seconds upon selection of these discontinued items.

    On the other hand, some items planned but not implemented yet will show:

    The general structure for describing functional (sub-)menu selections is as follows:

    X.y.z Section Title
    • Text block covering purpose, general description, …
    • Indented (with icon) block specifying the conditions of use, like minimum state of device(s), secrets that should have been loaded beforehand, …
    • Indented (with icon) but optional, attracting attention to a change in device generation.
    • Indented (with icon) but optional, attracting attention to DCS support (Dual Control Storage DCC).
    • Text block with screenshots in most cases describing the user interface of the selected menu item.

    6.1. SPECIAL FUNCTIONS

    The Special Functions menu item can be selected to perform miscellaneous operations such as:

    • Terminating the C-ZAM/DEP session
    • Reading the status of a device
    • Copying DCCs
    • Modifying PINs of DCCs
    • Calculating software certificates (discontinued)
    • Authenticating devices (discontinued)

    No special conditions should be met to access this menu. The complete Special Functions menu is shown below. Remark that the items 7, 8 and 9 are not implemented (discontinued) in this second generation.


    6.1.1. Save & Terminate

    Save & Terminate terminates the C-ZAM/DEP session. All available (loaded) keys and capabilities will remain in the security processor’s non-volatile memory, so that they can be used in the next session. The Save & Terminate is valid for one (next) session only, and should be repeated at the end of all sessions except the last one.

    Typically, this function is used when different DEP Crypto Modules available in different physical environments must be (re-)loaded (or when a C-ZAM/DEP power-off is required). After having loaded/activated all the required capabilities and keys in the C-ZAM/DEP, they can be stored (Save & Terminate) in order to use them during the (re-)load of another DEP Crypto Module. After having loaded the last DEP Crypto Module, the more secure Terminate CZD Session function should be used (see section 6.1.2 on page 31). Of course, the new C-ZAM/DEP platform, being capable of running on battery for several hours, will require such a power-off (with save) less frequently.

    Also, in order to gain time during a DEP Crypto Module loading session, some preparation operations can be done in advance (without a connection to the DEP Crypto Module). Save & Terminate keeps this information after the power-off so that it can be re-used during the real DEP Crypto Module loading session. Practical guidelines on how to use the C-ZAM/DEP to administer a DEP Environment can be found in the document DEP Customer’s Security Officer’s Guide.

    Be aware that measures should be taken so that such a C-ZAM/DEP (having capabilities and keys in non-volatile memory) is not placed in the hands of unauthorized persons! This function should only be used temporarily for facility reasons (or in a test environment).

    No special conditions should be met to execute this function.

    When executing the function, the following temporary screens will be displayed (about 4 seconds each) while the C-ZAM/DEP saves its keys and capabilities. After that, the C-ZAM/DEP switches itself OFF. Together with both screens, an audible sound will be produced.

    The above screens suppose that the C-ZAM/DEP was working on battery. In case the C-ZAM/DEP is still powered from its mains supply adapter, the second screen is somewhat different:

    In this mode, from here onward, the C-ZAM/DEP will appear to be ‘dead’. Even the keyboard will not work anymore. In fact, the only thing that can be done is disconnecting the power cable, after which the C-ZAM/DEP will switch itself OFF immediately. However, as already mentioned in section 3.3 on page 8, there have been some battery (and display) management improvements. The above screen will remain for about 4 seconds, and if after that period the mains adapter is still present, the display will show as below:

    This screen looks very similar to the idle screen, except that there are no command (soft) keys at all. However, battery charging and management are maintained, providing a visual indication of mains adapter presence and battery capacity. Just as described in section 4.3 from page 14 onwards, the graphical icon at the top left indicates either mains adapter presence or effective battery charging. The graphical icon at the top right shows the battery capacity level. Once the battery has been completely charged, a charge/discharge mode commences between about 95 and 100% of battery capacity. Also, once the battery has been completely charged once in this mode, the backlights will be switched off. This allows keeping batteries optimally fit at all times, while preventing unnecessary resource use (backlight wear). Remember, however, that leaving your C-ZAM/DEP unattended could mean a security policy violation.

    6.1.2. Terminate CZD Session

    Terminate CZD Session terminates the C-ZAM/DEP session as well. The difference from Save & Terminate is that the C-ZAM/DEP erases all the keys and capabilities it contains before terminating.

    Because Definition Lists pose no security threat, they are saved in non-volatile memory to remain available for future C-ZAM/DEP sessions, until they are changed or extended. Typically, this function is used when all the required DEP Crypto Modules are loaded and when the C-ZAM/DEP will not be used for a period of time. The Customer’s Security Officer should define the length of the ‘period of time’ individually. It is highly recommended that this function is used for properly terminating the C-ZAM/DEP before putting it away. After all, this function guarantees that all the sensitive information is erased from the memory. This means in practice:

    • Only the Mode, Cust ID, Authority keys and Definition Lists are kept.
    • Applicative (DEP) Keys and Capabilities are erased, as well as C-ZAM/DEP Capabilities.

    No special conditions should be met to execute this function. The behavior of the C-ZAM/DEP and the screens shown are exactly the same as in the previous section. Of course, the “Temporary data staying in memory” screen does not apply. Only the title is somewhat different, and will show “Spec:Term” instead of “Spec:Save”. Exactly the same battery maintenance monitoring as described in the previous section is provided.

    6.1.3. Status

    The Status sub-menu contains functions to show the status of the C-ZAM/DEP, DEP Crypto Module (DEP/PCI card), DCC or the DEP Crypto Module’s alarm processor. The status function shows some dedicated information (depending on the device that is selected) and information about the Operation Mode, Authority Level and Customer Identification. Because in an operational environment, the C-ZAM/DEP, DEP Crypto Module and DCC should have the same Operation Mode, Authority Level and Customer Identification (there are some exceptions), this menu could be used for the verification of these criteria. No special conditions should be met to access this menu. Below is a screenshot of the Status sub-menu:


    6.1.3.1. Status C-ZAM/DEP

    This Status C-ZAM/DEP function shows the C-ZAM/DEP release and the Banksys Version Number, together with the Operation Mode, Authority Level and Customer Identification of the C-ZAM/DEP. Status CZD has only an information function. The Banksys Version Number could be changed with Change BKS Version Num. The Operation Mode and the Customer Identification are defined during the Restore Banksys Authority or Define Banksys Authority. The Authority Level depends on the execution of the functions Restore/Define Banksys Authority and Restore/Define Customer Authority (see section 6.5.1/6.5.2 on page 92/94). No special conditions should be met to execute this function. It has been implemented for compatibility reasons with the first generation, as the idle screen (at power-up, or when exiting the menu system) will show exactly the same screen. Only the title is different, and reflects only the menu hierarchy and nothing on the battery and charging status.

    The status display of the C-ZAM/DEP contains the following information:

    • CZD identifies the C-ZAM/DEP
    • 3.0a is the release number of the C-ZAM/DEP
    • (01) defines the Banksys Version Number
    • Local identifies the Usage (as opposed to ‘Remote’)
    • DEV identifies the Operation Mode (‘NONE’, ‘DEV’, ‘TST’ or ‘LIV’)
    • NONE identifies the Authority Level (‘NONE’, ‘BKS’ or ‘CUST’)
    • 0000 is the Customer Identification (4-digit hex value)

    6.1.3.2. Status DEP

    This Status DEP function shows the alarm status of the DEP Crypto Module, together with the Operation Mode, Authority Level and Customer Identification of the DEP Crypto Module. Status DEP has only an information function. The alarm status of the DEP Crypto Module is managed internally in the DEP Crypto Module and, as a consequence, cannot be changed. The Operation Mode, Authority Level and Customer Identification are defined during the execution of the function Customer Init DEP (see section 6.5.4 on page 97).

    The C-ZAM/DEP should be connected to the ‘C-ZAM/DEP’ serial port of the DEP Crypto Module (DEP/PCI card) before starting the operation (see section 4.2 on page 13).

    The DEP Status display on the C-ZAM/DEP contains the following information:

    • DEP identifies the DEP Crypto Module (DEP/PCI card)
    • (80) is the alarm status of the DEP Crypto Module (hexadecimal value - see DEP/NT DEP Handler Supervision User Manual)
    • Local identifies the Usage (as opposed to ‘Remote’)
    • DEV identifies the DEP Operation Mode (‘NONE’, ‘DEV’, ‘TST’ or ‘LIV’)
    • NONE identifies the DEP Authority Level (‘NONE’, ‘BKS’ or ‘CUST’)
    • 0000 is the Customer Identification (4-digit hex value)

    6.1.3.3. Status DCC

    This Status DCC function shows the type of DCC, together with the Operation Mode, Authority Level and Customer Identification of the DCC. Status DCC has only an information function. The type of the DCC, the Operation Mode and the Customer Identification are defined during the personalization phase of the DCC and cannot be modified. The Authority Level of the DCC depends on the execution of the functions Banksys Init DCC and Customer Init DCC (see section 6.5.5 on page 98).

    A DCC should be inserted prior to executing this function. This behavior is different from the previous generation of C-ZAM/DEP, where the user was asked to insert the card after choosing this status function (see general section 3.4 on page 9).

    The status display of the DCC contains the following information:

    • DCC identifies the DEP Control Card
    • (Storage) defines the type of DCC (‘Storage’, ‘Def List’ or ‘Dual Ctl’)
    • DEV identifies the Operation Mode (‘NONE’, ‘DEV’, ‘TST’ or ‘LIV’)
    • NONE identifies the Authority Level (‘NONE’, ‘BKS’ or ‘CUST’)
    • 0000 is the Customer Identification (4-digit hex value)


    6.1.3.4. Status Alarm

    This Status Alarm function shows the alarm status of the DEP Crypto Module. It is a textual description of the alarm status that is displayed when reading the status of the DEP Crypto Module (see section 6.1.3.2 on page 33). But whereas for Status DEP the alarm information is read through the main CPU of the DEP Crypto Module, with Status Alarm the alarm information is read directly from the alarm processor section. This information is also available in the DEP/NMS (see the DEP/NMS User Manual for more information).

    The C-ZAM/DEP should be connected to the ‘Alarm’ serial port of the DEP Crypto Module (DEP/PCI card Alarm port) before starting this operation (see section 4.2 on page 13).

    Depending on the type of alarm, another text can be displayed:

    • NO alarm situation: No alarm is detected
    • WIRING ALARM active: Alarm processor detected intrusion
    • BACKPLANE ALARM active: DEP/PCI card disconnected from PCI
    • TEMPERATURE ALARM active: Exceptional temperature detected
    • PIC ALARM active: Alarm processor problem detected
    • RAM ALARM active: Main board problem is detected
    • EXTERNAL ALARM active: Motion detected by the alarm board
    • BATTERY LOW alarm active: Batteries not sufficiently charged
    • MIXED ALARM situation: More than one alarm simultaneously

    Press for confirmation and to return to the Status menu.

    6.1.4. Test

    This is a submenu only present in a special development version. It is not present in a real Release version of the product.

    Selection of this item will show the following error:


    6.1.5. Duplicate DCC

    Duplicate DCC is used to make copies of a DCC (any DEF, STO or DCS). This function copies all the keys/capabilities/components or Definition Lists from one DCC to another. Be aware that this function copies only the keys/capabilities and Definition Lists; it does not copy the structure of one DCC to another. The structure is created by a Perso Device prior to sending DCCs to customers. Duplicate DCC can be used to make duplicates of DCCs for safety reasons. Once a DCC becomes defective, it could be rather disastrous if no backup duplicate is available. Of course, duplicate DCCs should be kept by the same Customer’s Security Officer as the originals, and the same procedures should apply.

    In order to avoid unauthorized copies of a DCC, some dedicated requirements should be met before the copy can be made. The Operation Mode, Authority Level and Customer Identification of the C-ZAM/DEP should comply with the following requirements:

    • The same Operation Mode as the source DCC
    • The Customer Authority Level
    • The same Customer Identification as the source DCC

    Also the destination DCC should meet some requirements:

    • Have the same Operation Mode as the source DCC
    • Have the same Customer Identification as the source DCC
    • The destination DCC should be empty

    Depending on the DCC type (DCC Storage or DCC List) the DCC should have a dedicated Authority Level. Dual Control does not have any Authority Level.

    • DCC Storage should be initialized up to CUST Authority Level (see 6.5.5).
    • DCC List should be initialized only at BKS Authority Level (default OK).

    A DCC should be inserted prior to executing this function. This behavior is different from the previous generation of C-ZAM/DEP, where the user was asked to insert the card after choosing this function (see general section 3.4 on page 9).

    Starting from version 3.26 (which was an internal non-distributed version), DCS duplication is supported as well.
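The two sets of rules above (the Status cross-check of section 6.1.3 and the Duplicate DCC preconditions of this section) are easy to get wrong by hand when several cards and terminals are in play. The following is an added illustration, not code from the C-ZAM/DEP terminal or from Worldline: it keeps only the fields the status screens show (Operation Mode, Authority Level, Customer Identification, DCC type) in an assumed record layout and evaluates the manual's conditions against them. The "destination must be empty" rule is reported as a warning rather than a refusal, because section 6.1.5.1 states that a non-blank destination is erased after a prompt.

```python
"""Status consistency and Duplicate DCC precondition checks.

Added illustration modelled on sections 6.1.3 and 6.1.5 of this manual; not
code from the C-ZAM/DEP terminal or from Worldline.  The Status record layout
is an assumption: only the fields shown on the status screens are kept.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPERATION_MODES = ("NONE", "DEV", "TST", "LIV")
AUTHORITY_LEVELS = ("NONE", "BKS", "CUST")
DCC_TYPES = ("Storage", "Def List", "Dual Ctl")

# Authority Level a DCC must have been initialized to before it can be
# duplicated (section 6.1.5).  A Dual Ctl DCC has no Authority Level at all.
REQUIRED_DCC_AUTHORITY = {"Storage": "CUST", "Def List": "BKS"}


@dataclass(frozen=True)
class Status:
    device: str                     # "CZD", "DEP" or "DCC"
    mode: str                       # Operation Mode
    authority: str                  # Authority Level
    cust_id: str                    # 4-digit hex Customer Identification
    dcc_type: Optional[str] = None  # DCC only: "Storage", "Def List", "Dual Ctl"
    empty: bool = False             # DCC only: no keys/capabilities/lists stored

    def __post_init__(self) -> None:
        if self.mode not in OPERATION_MODES:
            raise ValueError(f"unknown Operation Mode {self.mode!r}")
        if self.authority not in AUTHORITY_LEVELS:
            raise ValueError(f"unknown Authority Level {self.authority!r}")
        if len(self.cust_id) != 4:
            raise ValueError("Customer Identification must be 4 hex digits")
        int(self.cust_id, 16)       # raises ValueError if not hexadecimal
        if self.device == "DCC" and self.dcc_type not in DCC_TYPES:
            raise ValueError(f"unknown DCC type {self.dcc_type!r}")


def environment_mismatches(czd: Status, dep: Status, dcc: Status) -> List[str]:
    """Section 6.1.3: in an operational environment the C-ZAM/DEP, the DEP
    Crypto Module and the DCC should share Operation Mode, Authority Level and
    Customer Identification.  A Dual Ctl DCC carries no Authority Level, so it
    is left out of that comparison.  Returns one entry per differing field."""
    problems: List[str] = []
    for field_name in ("mode", "authority", "cust_id"):
        devices = [czd, dep, dcc]
        if field_name == "authority" and dcc.dcc_type == "Dual Ctl":
            devices = [czd, dep]
        values = {getattr(d, field_name) for d in devices}
        if len(values) > 1:
            detail = ", ".join(f"{d.device}={getattr(d, field_name)}" for d in devices)
            problems.append(f"{field_name} differs ({detail})")
    return problems


def duplicate_dcc_check(czd: Status, source: Status,
                        destination: Status) -> Tuple[List[str], List[str]]:
    """Section 6.1.5 preconditions for Duplicate DCC.

    Returns (refusals, warnings).  Refusals are the requirements the manual
    lists for the C-ZAM/DEP and the DCCs; the 'destination empty' rule is a
    warning because a non-blank destination is overwritten after a prompt."""
    refusals: List[str] = []
    warnings: List[str] = []

    # Requirements on the C-ZAM/DEP itself
    if czd.mode != source.mode:
        refusals.append("C-ZAM/DEP Operation Mode differs from the source DCC")
    if czd.authority != "CUST":
        refusals.append("C-ZAM/DEP is not at the Customer Authority Level")
    if czd.cust_id != source.cust_id:
        refusals.append("C-ZAM/DEP Customer Identification differs from the source DCC")

    # Requirements on the destination DCC
    if destination.dcc_type != source.dcc_type:
        refusals.append("destination DCC is not of the same type as the source DCC")
    if destination.mode != source.mode:
        refusals.append("destination DCC Operation Mode differs from the source DCC")
    if destination.cust_id != source.cust_id:
        refusals.append("destination DCC Customer Identification differs from the source DCC")
    if not destination.empty:
        warnings.append("destination DCC is not blank: its current contents will be erased")

    # Type-dependent Authority Level of both cards
    for label, card in (("source", source), ("destination", destination)):
        required = REQUIRED_DCC_AUTHORITY.get(card.dcc_type or "")
        if required is not None and card.authority != required:
            refusals.append(f"{label} DCC ({card.dcc_type}) must be at {required} "
                            f"Authority Level, found {card.authority}")
    return refusals, warnings
```

A Security Officer preparing a duplication session would fill in the three records from the Status C-ZAM/DEP, Status DEP and Status DCC screens; an empty refusal list means the terminal should accept the copy, and any warning tells the officer beforehand that the destination card will be overwritten.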

    6.1.5.1. DCC STOrage duplication

    As soon as the PIN is entered, the C-ZAM/DEP will start reading the complete DCC contents, after which it will ask to remove the source DCC:


    Depending on the type of the source DCC, the C-ZAM/DEP asks to insert the destination DCC of the same type.

    Although the C-ZAM/DEP asks for a blank DCC, it will erase all data present if the DCC is not blank. The prompt is merely a warning that previous information will be lost. After insertion of the correct DCC type, writing of the data to the DCC will commence. The writing progress is shown with six different screens, of which only the first and last one are shown here:

    Remark that the writing will be a lot slower than the reading earlier. When the entire set of data has been written, the C-ZAM/DEP will ask:

    Answering No with the soft key will show a confirmation screen for a while and return to the menu again.

    Answering Yes will prompt to remove the DCC (if the user did not already do so) with exactly the same screen as after the PIN entry earlier, and the cycle starts again from there.


    6.1.5.2. DCC DEF List duplication

    DEFinition List DCC duplication goes more or less the same as STOrage DCC duplication, but the PIN entry does not apply. Furthermore, both DEF List DCC reading and writing go a lot faster than STOrage.

    Here again the DCC contents are erased if the card is not blank. The copy progress is shown in six phases as well. The first and last phases are shown below:

    6.1.5.3. Dual Control Storage duplication

    The same principles apply for Dual Control Storage DCC duplication, but the PIN entry is required for both source and destination DCC. DCS DCC copying also goes faster than STO DCC copying.

    For DCS as well, the card contents are erased if the card is not blank. The copy progress is shown in two phases, as can be seen below:

    6.1.6. Change DCC PIN

    Change DCC PIN is used to modify the PIN code of a DCC. Only DCC STOrage and Dual Control Storage (DCS) support a user (card holder) PIN.

    A PIN is required to avoid unauthorized access to the DCC. Functions reading sensitive information from a DCC (e.g. keys or capabilities) require a PIN entry to authenticate the DCC holder. The PIN is verified by the DCC before allowing access to the DCC. In the case of an incorrect PIN, access is denied. In case of three wrong PIN entry trials (verify old PIN), the DCC gets blocked for security reasons and can no longer be used (see general section 3.6.5 on page 11). Typically the PIN is changed when the DCC is handed over from one Security Officer to another (e.g. successor, reorganization of secrets, …).

    The DCC for which the PIN needs to be changed should have the same Operation Mode and Customer Identification as the C-ZAM/DEP. Furthermore, a new PIN can only be assigned to a DCC when the current PIN is presented and verified beforehand.

    A STOrage or Dual Control DCC should be inserted prior to executing this function.

    This behavior is different with the previous generation of C-ZAM/DEP, where the user was asked to insert the DCC after choosing this function (see section 3.4 on page 9).

    Originally, the PIN could only be changed once in the lifetime of the DCC. With the second generation C-ZAM/DEP and DCCs produced since the start of 2008, the PIN can be changed six times.

    If the inserted DCC is not a STOrage or DCS the following message will be shown:

    When, on the other hand, the correct type of DCC was in the reader when initiating Change DCC PIN, the user needs to enter a PIN three times. The first entry is for card holder authentication, while the two remaining entries are for the new PIN and its confirmation. For all PIN entries, only four digits are required, and NO confirmation. The three screens are shown below:

    Below is a screenshot of correct PIN change, in the particular case where the PIN was changed for the first time:


    If the user wants to know how many PIN changes are left, the procedure is to supply the correct PIN but type two different new/confirm PINs. The Change DCC PIN will of course not succeed, but a variant of the screen will be shown:

    This way of finding out the number of PIN changes left does not influence the number of future available changes.
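The PIN rules stated in this section (four digits, blocking after three wrong verifications, six changes on a second-generation DCC, and the mismatched-confirmation probe that leaves the change counter untouched) can be written down as a small state model. The following is an added illustration, not the DCC's own firmware or Worldline code; the reset of the wrong-trial counter on a correct PIN is an assumption, since the manual does not say whether the three trials must be consecutive.

```python
"""Model of the DCC PIN rules described in section 6.1.6 (Change DCC PIN).

Added illustration, not the DCC's own firmware or Worldline code.  Assumption:
the wrong-trial counter is reset by a correct PIN; the manual only states that
three wrong trials block the card.
"""
from dataclasses import dataclass

MAX_WRONG_TRIALS = 3


def is_valid_pin(value: str) -> bool:
    """The terminal accepts exactly four digits for every PIN entry."""
    return len(value) == 4 and value.isdigit()


@dataclass
class DccPin:
    pin: str
    changes_left: int = 6      # second-generation DCC; use 1 for the original
    wrong_trials: int = 0
    blocked: bool = False

    def verify(self, candidate: str) -> bool:
        """Card-holder authentication, as done before reading sensitive data."""
        if self.blocked:
            return False
        if candidate == self.pin:
            self.wrong_trials = 0          # assumption: counter resets on success
            return True
        self.wrong_trials += 1
        if self.wrong_trials >= MAX_WRONG_TRIALS:
            self.blocked = True            # the card can no longer be used
        return False

    def change(self, old: str, new: str, confirm: str) -> str:
        """Change DCC PIN.  Returns one of 'blocked', 'wrong pin', 'bad format',
        'mismatch', 'exhausted' or 'changed'."""
        if self.blocked:
            return "blocked"
        if not self.verify(old):
            return "blocked" if self.blocked else "wrong pin"
        if not (is_valid_pin(new) and is_valid_pin(confirm)):
            return "bad format"
        if new != confirm:
            return "mismatch"              # changes_left is deliberately untouched
        if self.changes_left == 0:
            return "exhausted"
        self.pin = new
        self.changes_left -= 1
        return "changed"


def probe_changes_left(card: DccPin, correct_pin: str) -> int:
    """The manual's way of reading the remaining PIN changes: authenticate with
    the correct PIN but give two different new/confirm values (constructed
    here as 1111 and 2222).  The change fails and the counter is unchanged."""
    outcome = card.change(correct_pin, "1111", "2222")
    if outcome != "mismatch":
        raise RuntimeError(f"probe failed: {outcome}")
    return card.changes_left
```

The point of the model for a Security Officer is the two counters: a wrong old PIN costs one of three verification trials (and a third wrong trial blocks the card permanently), whereas a mismatched new/confirm pair costs nothing, which is exactly why the probe in the text is safe to use during a hand-over.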

    6.1.7. Calculate SW Certificate

    Before Application Software can be loaded into the DEP Crypto Module, a Software Authentication Code (SW Certificate) must be generated on the basis of a hash code delivered by the developer. The Calc SW AC function is used to generate this SW Certificate. The Software Authentication Code guarantees the authenticity of the Application Software during transport from the AWL security department to the destination DEP Crypto Module. The Software Authentication Code is delivered to the DEP Crypto Module during the load procedure. Refer to the DEP/NMS User Manual, DEP/NT DEP Handler Supervision User Manual or DEP/Linux User Manual documents for more information.

    This operation can only be performed when the C-ZAM/DEP capability CAP_BKS_SW_AC is available in the C-ZAM/DEP. When it is not yet available, it shall be requested by the C-ZAM/DEP during the operation.

    Since it was decided not to deliver CAP_BKS_SW_AC to customers (owned by the AWL Security Officer), and to calculate the Certificates with a dedicated tool, the implementation of this item has been discontinued.

    6.1.8. Authenticate Boot/Alarm

    The Auth BOOT/ALA function is used to verify whether the boot application and/or the alarm application of the DEP Crypto Module (DEP/PCI card) are still authentic. During this procedure, there is an exchange of certificates between the DEP Crypto Module and the C-ZAM/DEP, and the C-ZAM/DEP is able to verify the certificate.

    Although a small sub-menu still exists for this function, the implementation of both BOOT/ALA authentications has been discontinued.

    6.1.9. Create Random

    Create Random generates a strong random value of 16 digits and shows it on the display of the C-ZAM/DEP. A Security Officer can possibly use the random value as key material. Because the value is visible on the display, there is no automatic link with the keys that can be created inside the C-ZAM/DEP. When a Security Officer wants to use this value as a key, it has to be re-entered by using the Keys - Create Key menu.

    Although the second generation C-ZAM/DEP has improved tamper resistance and stronger random generation, only the possibility to generate random keys (without displaying them) is retained. See section 6.2.5 on page 56. In the FIPS context, with key reconstruction in the DEP, the latter is capable of generating and exporting full FIPS-compliant random key components. As a consequence, this special Create Random function has been discontinued.

    6.2. KEYS

    The Keys menu item can be selected to perform operations with secret keys. Following Key functions are available in the C-ZAM/DEP:

    • Exchange of keys between a DCC and the C-ZAM/DEP considering a defined secret sharing mechanism (save keys and read keys).

    • Read keys into the memory of the C-ZAM/DEP from a key backup file of AWL’s previous generation Host Security Module (discontinued).

    • Manual entry of key values into the memory of the C-ZAM/DEP through its keyboard (create key).

    • Transfer of keys available in the memory of the C-ZAM/DEP to the DEP Crypto Module.

    • Erase a key from DEP Crypto Module or C-ZAM/DEP memories.

    • Show the list of available keys in the C-ZAM/DEP, DEP Crypto Module or DCC.

    From version 3.20 on, sending a key component to the DEP Crypto Module, with full DCS support, is also available. Also listing DCS components is possible. The graphic below gives a schematic overview how