
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A

____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 1 This document may be reproduced only in its original entirety, without revision.

Hewlett-Packard – Atalla Security Products

Ax160

PCI HSM Security Policy

Version 1.1 22 August 2011


Table of Contents

1. Introduction
   1.1. Glossary
2. General Description
   2.1. Product Overview
        2.1.1. Physical Security
        2.1.2. Ax160 Memory
   2.2. Ports and Interfaces
        2.2.1. External Ports
        2.2.2. Power
   2.3. Supported Algorithms
3. Self-Tests
   3.1. Power-Up Self-Tests
   3.2. Conditional Self-Tests
   3.3. Periodic Self-Tests
   3.4. On-Demand Self-Tests
   3.5. Self-Test Failures
4. Rules
5. Services
   5.1. Loader Services
        5.1.1. Getstatus
        5.1.2. Version
        5.1.3. Help
        5.1.4. Gettime
        5.1.5. Getsn
        5.1.6. Setnet
        5.1.7. Setport
        5.1.8. Echo
        5.1.9. Self-Tests
        5.1.10. Personality Load
        5.1.11. Go (Start Personality)
        5.1.12. Zeroize
   5.2. Personality Services
        5.2.1. NSP Management
        5.2.2. Shareholder services
        5.2.3. Banking Commands
6. Roles
   6.1. Loader Crypto-Officer
   6.2. Loader User
   6.3. Personality Security Administrator
   6.4. Personality Shareholder
   6.5. Personality User
   6.6. Roles vs. Services Matrix
7. Key Management
   7.1. CSPs
   7.2. Key Management Techniques
   7.3. Key Storage
   7.4. PIN Management
8. Power On/Off States
   8.1. PSMCU Security State LED Status Indication (Green)
   8.2. Loader and Personality LED Status Indicator (Amber)
9. Secure Operation
   9.1. Initial Setup
   9.2. Periodic Self-Tests Configuration
   9.3. Version
   9.4. Log
   9.5. Commands and Options


Revision History

Version  Date         Author  Description
0.4      June 2011    IF      Created
0.5      July 2011    IF      Incorporated comments
0.6      August 2011  IF      Added logging procedures
0.7      August 2011  IF      Updated the CSP table
0.8      August 2011  IF      Updated the PIN Management section
0.9      August 2011  IF      Added Commands and Options section to the Secure Operation section
1.0      August 2011  IF      Minor edits to the Commands and Options section
1.1      August 2011  IF      Minor edits

1. Introduction

The HP Atalla Ax160 is a secure cryptographic co-processor designed for use in a variety of high-security applications. The Ax160 corresponds to the following Network Security Processors (NSPs): A10160 (HW P/N AJ560A, SW Version 1.21), A9160 (HW P/N AJ558A, SW Version 1.21), and A8160 (HW P/N AJ556A, SW Version 1.21). All three NSPs use the same firmware and software, and differ only in the performance capability of the cryptographic subsystem.

This document specifies the Ax160 security rules, including the services offered by the Atalla Cryptographic Subsystem (ACS), the roles supported, and all keys and CSPs employed by the ACS. The Ax160 is based on the FIPS 140-2 Level 3 validated Atalla Cryptographic Subsystem (ACS) (Certificate #1559).

1.1. Glossary

This section contains terms used within this document.

ACS - Atalla Cryptographic Subsystem
AES - Advanced Encryption Standard
CBC - Cipher Block Chaining
CCM - Counter with CBC-MAC
CFB - Cipher Feedback
CMAC - Cipher-based MAC
CPU - Central Processing Unit
CRC - Cyclic Redundancy Check
CSP - Critical Security Parameter
DMA - Direct Memory Access
DRAM - Dynamic Random Access Memory
DRBG - Deterministic Random Bit Generator
ECB - Electronic Code Book
EEPROM - Electrically Erasable Programmable Read-Only Memory
Flash - Programmable read-only (nonvolatile) memory
HSM - Hardware Security Module
HW - Hardware
IV - Initialization Vector
LAN - Local Area Network
LED - Light Emitting Diode
MD - Message Digest
MPU - Microprocessing unit
NSP - Network Security Processor
NVRAM - Nonvolatile RAM: general-purpose memory maintained as nonvolatile
OFB - Output Feedback
PCI - Payment Card Industry
Personality - Secure software application running inside the secure boundary
PSMCU - Physical Security MicroController Unit
RAM - Random Access Memory: general-purpose volatile memory
RNG - Random Number Generator
RSA - Rivest Shamir Adleman algorithm
SCA - Secure Configuration Assistant
SHA - Secure Hash Algorithm
TDES - Triple Data Encryption Standard
USB - Universal Serial Bus

2. General Description

2.1. Product Overview

The HP Ax160 provides a complete security solution consisting of the FIPS-validated ACS, the financial firmware image, and the customized HP ProLiant DL180 G6 server. In particular, it consists of a secure hardware platform, a secure firmware Loader, the PSMCU firmware, the Personality software, and the DL180 G6 server. The purpose of the Loader is to load Approved (signed by HP Atalla) application programs, called "Personalities," in a secure manner. The PSMCU firmware continually monitors the physical security of the ACS. The Personality allows the execution of the financial image commands. The server restricts access to the Network Security Processor via the front interfaces by means of a front bezel fitted with two pick-resistant locks and a locking top cover. No security-relevant code runs in the server. The Ax160 operates only in PCI HSM mode.

The major components of the Ax160 are:

- Front bezel with two pick-resistant locks
- Top cover locking mechanism: the top cover cannot be removed without access to the top cover retention screw located behind the front bezel
- Atalla Cryptographic Subsystem (ACS), consisting of the Loader, PSMCU, and Personality, and providing tamper detection, tamper resistance, and automatic zeroization of Critical Security Parameters
- Two USB ports located behind the bezel for attaching the Secure Configuration Assistant (SCA) and a USB flash memory device
- USB flash memory device for storing the image files, configuration information, and system logs
- LEDs for status, power, and network activity
- Power On/Standby button
- Ethernet Network Interface Connectors (NIC)

The Ax160 system image and default configuration file are provided on a System Image CD-ROM. Prior to powering on the Ax160 these files must be copied to the USB flash memory device and inserted into one of the USB ports located behind the bezel. The Ax160 is initialized, configured, and managed using the SCA. A smartcard needs to be inserted into the SCA in order to authenticate to the NSP. The SCA and its smartcards are not part of this validation effort. The Ax160 is a security co-processor for host applications. The Figure below shows the connectivity to the Ax160 in a typical host system environment.

Figure 1 Typical Host System Environment

In the above Figure, the host system uses a command-response format to communicate with the NSP: <CMDID#FIELD1#FIELD2…#FIELDN#^CONTEXT Tag#>


A command begins with a start-of-command bracket ("<") and ends with the end-of-command bracket (">"). The pound sign ("#") delimits fields within the command. The context tag is optional; if present in the command, it is returned as part of the response. The caret character ("^") is ASCII 0x5E. The NSP processes the command and returns a response; if an error is encountered, an error response is returned. The response format is:

<RESPID#FIELD1#FIELD2…#FIELDN#^CONTEXT Tag#> [CRLF]

By default, a carriage return (CR) and line feed (LF) are appended to the response. The commands are designed for use in financial environments, such as Automated Teller Machine (ATM), Electronic Fund Transfer (EFT), and Point of Sale (POS) networks.

2.1.1. Physical Security

Depending on the state of the PSMCU, two major events can be generated within the secured area:

1. A "reset event" forces the Ax160 to become temporarily inoperable. This is a non-catastrophic event: when the conditions that caused the reset event are removed, the unit reboots and then continues to operate normally.

2. A "tamper event" forces the Ax160 to become permanently disabled. This is a catastrophic event: in the disabled state all critical security parameters are erased, and the Ax160 can only provide status information to users.

Any physical penetration results in a tamper event, which causes active zeroization of all cleartext CSPs. In addition to physical penetration monitoring, the Ax160 detects environmental attacks:

1. Temperature measurement. A reset event is generated whenever the temperature falls outside the range +5 to +63 degrees Celsius. A tamper event is generated whenever the temperature falls outside the range -20 to +100 degrees Celsius. Note that the server's operating temperature range is +10 to +35 degrees Celsius; the server goes into reset shutdown mode if it operates outside this range. In that state no power is provided to the ACS, which continues to run from battery power. Only the PSMCU is active at this point; the main ACS microprocessor, which runs the Loader and Personality, is idle, as are all communication ports.

2. Voltage measurement. A reset event is generated whenever the host voltages (except battery) are present and outside the Operating Host Voltage ranges shown below. A tamper event is generated whenever the battery voltage is below 2.65 V while the ACS is operating on battery power only.

Operating Host Voltage   Minimum    Maximum
3.3V supply              3.12 VDC   3.47 VDC
5.0V supply              4.65 VDC   5.35 VDC

Table 1 Operating Host Voltage

Two (2) serialized tamper-evidence labels, applied to the edges of the ACS covers during manufacturing, provide physical tamper evidence. The tamper labels are located near the fan and wrap around the front and back. The tamper labels should be inspected periodically to verify that fresh labels have not been applied to a tampered ACS. The tamper detection and active zeroization mechanisms described above are provided by the ACS. The ACS resides inside the customized DL180 G6 server and cannot be removed without access to the top cover retention screw located behind the front bezel. The bezel is protected by two pick-resistant locks. It is not possible to simply disconnect the ACS from the server without resetting the ACS to factory state. The environmental specifications for the DL180 G6 server are provided in the table below:

Table 2 Environmental Specifications for the Server
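The reset-versus-tamper logic of section 2.1.1, modelled as an added example in Go (this is not code from the page or from HP Atalla). The thresholds are the ones stated above; the Reading and PSMCU types, the field names, and the choice to ignore the host rails while the unit runs on battery are assumptions of this example. The point it makes is the one the page makes in prose: a reset verdict is recomputed from each sample and clears on its own, while a tamper verdict latches and zeroizes CSPs, so a later in-range sample changes nothing.

```go
package main

import "fmt"

// Event is the PSMCU's verdict on one set of sensor readings.
type Event int

const (
	Normal Event = iota // operate normally
	Reset               // temporarily inoperable; recovers once the cause clears
	Tamper              // permanently disabled; cleartext CSPs zeroized
)

func (e Event) String() string { return [...]string{"normal", "reset", "tamper"}[e] }

// Reading is one sample of the environment the PSMCU monitors (type and
// field names are this example's assumptions). Host rail voltages only
// matter while host power is present.
type Reading struct {
	TempC       float64
	HostPower   bool
	V33, V50    float64 // host rails, VDC
	BatteryV    float64
	Penetration bool // any physical penetration of the secure area
}

// PSMCU models the latching behaviour described on this page: a reset event
// clears by itself, a tamper event never does.
type PSMCU struct {
	Tampered     bool
	CSPsZeroized bool
}

// Evaluate applies the thresholds stated on this page: reset outside +5..+63 C
// or outside the Operating Host Voltage table; tamper on penetration, outside
// -20..+100 C, or battery below 2.65 V while running on battery only.
func (p *PSMCU) Evaluate(r Reading) Event {
	if p.Tampered {
		return Tamper // disabled for good; only status is still served
	}
	switch {
	case r.Penetration, r.TempC < -20 || r.TempC > 100, !r.HostPower && r.BatteryV < 2.65:
		p.Tampered, p.CSPsZeroized = true, true // active zeroization of cleartext CSPs
		return Tamper
	}
	reset := r.TempC < 5 || r.TempC > 63
	if r.HostPower {
		reset = reset || r.V33 < 3.12 || r.V33 > 3.47 || r.V50 < 4.65 || r.V50 > 5.35
	}
	if reset {
		return Reset
	}
	return Normal
}

// Run feeds a sequence of readings through one PSMCU and returns its verdicts.
func Run(p *PSMCU, rs []Reading) []Event {
	out := make([]Event, len(rs))
	for i, r := range rs {
		out[i] = p.Evaluate(r)
	}
	return out
}

func main() {
	nominal := Reading{TempC: 25, HostPower: true, V33: 3.3, V50: 5.0, BatteryV: 3.0} // constructed
	hot, extreme := nominal, nominal
	hot.TempC, extreme.TempC = 70, 110
	var p PSMCU
	for i, r := range []Reading{nominal, hot, nominal, extreme, nominal} {
		fmt.Printf("sample %d: %v (tampered=%v, zeroized=%v)\n", i, p.Evaluate(r), p.Tampered, p.CSPsZeroized)
	}
}
```

The sequence in main shows the asymmetry: the 70 C sample yields a reset that the next nominal sample clears, whereas the 110 C sample yields a tamper that the final nominal sample does not undo.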

2.1.2. Ax160 Memory

There are six types of memory within the Ax160:


1. Dynamic Random Access Memory (DRAM). DRAM is used to hold the Loader and Personality and their data during operation.

2. Flash Memory. Non-volatile flash memory is used to hold the Loader and Personality. No sensitive CSPs are stored in flash as cleartext.

3. PSMCU. The security control unit contains non-volatile memory in addition to a microcontroller for storing cleartext CSPs. The IMFK used by the Loader and the PIMFK used by the Personality are stored here. This memory is the first target of zeroization if a “tamper event” occurs.

4. Non-volatile RAM (SRAM). This battery-backed-up static RAM is not used by the Loader. The Personality uses this memory to store the encrypted MFK/PMFK keys and encrypted configuration data. No sensitive CSPs are stored as cleartext in the memory.

5. Volatile RAM (SRAM). This static RAM is not used by the Loader. The Personality uses this memory to store the cleartext MFK/PMFK keys during operation. It is immediately zeroized if a “tamper event” occurs or power is removed.

6. Flash memory. The USB flash memory device is inserted behind the bezel of the server and used to store the image files, configuration file, and system logs.

2.2. Ports and Interfaces

2.2.1. External Ports

The Ax160 has the following interfaces on the rear panel of the server:

- RJ45 Ethernet (Qty. 2), compatible with 10/100/1000 Base-T IEEE 802.3, used as the primary communication I/O channel. The Loader uses only the UDP protocol; the Personality uses only the TCP protocol. These ports are mounted directly on the ACS card.
- Rear Unit Identification LED/button, which provides a visual reference for service personnel.
- Power supplies (Qty. 2), for full power redundancy.
- Serial port, standard RS-232, an alternative communication I/O channel.

The front panel of the Ax160 is protected by a customized bezel with two pick-resistant locks. With the bezel door closed, the front panel consists of the following LEDs:

- System power LED
- CRYPTO LED (green), the Security Status Indicator. A connector routes the electrical signals for this LED from the ACS to the front panel of the chassis enclosure. The LED signal voltage swings through 3.3 V DC, active low, and the LED current is limited to 5 mA.
- CRYPTO LED (amber), the System Status Indicator. Its signals are routed from the ACS to the front panel by a connector in the same way, with the same 3.3 V DC active-low drive and 5 mA current limit.
- Unit Identification LED/button

The following additional interfaces are available when the bezel door is open:

- Power On/Standby button
- USB ports: the USB flash memory device and the SCA are attached to either of these two ports.

The USB flash memory device stores the system image, configuration information (i.e., config.prm), and system logs. The SCA (Version 3.0 or higher) is used to initialize, configure, and manage the Ax160. A connector routes the USB communication from the front panel to the ACS. The Personality supports only the USB flash device class and the custom device class used by the SCA device. The Loader does not use this interface and leaves it in its default disabled state.

The following table shows the relationships among the physical and logical ports:

Logical port    RJ45 ports  Serial port  USB ports  Unit ID LEDs  Crypto LEDs  System Power LED  Power supplies  Power On/Standby button
Data Input      √           √            √
Data Output     √           √            √
Control Input   √           √            √                                                                       √
Status Output   √           √            √          √             √            √
Power                                                                                           √

Table 3 Physical and Logical Ports Mapping

Refer to the Installation and Operations Guide for the Atalla Ax160 for additional information on all the interfaces available on the Ax160.

2.2.2. Power

For the ACS, primary main system power is derived from the 3.3 V pins on the PCI/PCI-X connector. In addition, the 5 V and 12 V pins on the PCI/PCI-X connector supply additional power for the following purposes:

- 5 V: power for the USB connections, and for the battery circuit when host power is available.
- 12 V: fan power.

The power requirements are:

- 3.3 V: 8.2 W
- 5 V: 15 mW (with no connection to the USB ports)
- 12 V: 1.2 W
- Total power: 9.4 W


Other voltage requirements on the Ax160 are derived from the main power, except for the 3 V battery backup power source. This battery source is used to maintain the real-time clock and to operate the security control unit. The power requirement from the battery is approximately 2.7 mW. The server has two 460 W power supplies for full power redundancy. HP provides power distribution unit cords and AC power cords to attach the power supplies to a power distribution unit or to an AC power source, respectively. The table below provides the power supply specifications for the 460 W power supplies.

Table 4 Power Specifications for the Server

Refer to the Ax160 Install and Operations Guide for additional power requirements.

2.3. Supported Algorithms

The Loader includes these FIPS-Approved algorithms, implemented in firmware:

Algorithm                                                      Certificate #
SHA-256                                                        1194
AES (encrypt, decrypt; ECB and CBC modes; 256-bit keys only)   1305
AES CCM (decrypt; 256-bit keys)                                1311
ANSI X9.31 RNG                                                 728
RSA (signature verification; 1024-bit and 4096-bit keys)       625

Table 5 Loader supported Algorithms

The Personality includes the following approved and tested algorithms:

Algorithm                                                                 Algorithm Testing
AES (encrypt, decrypt; CBC mode; 128-, 192-, 256-bit keys)                Passed
AES CMAC (generate; 128-, 192-, 256-bit keys)                             Passed
3DES (encrypt, decrypt; ECB, CBC, 8-bit CFB, 64-bit CFB, and OFB modes)   Passed
RSA (sign, verify, encrypt, decrypt; 1024- to 4096-bit keys)              Passed
NIST SP 800-90 CTR_DRBG                                                   Passed
SHA-1                                                                     Passed
SHA-256                                                                   Passed

Table 6 Personality supported Algorithms

The Personality algorithms were tested using the NIST CAVS tool.

3. Self-Tests There are a number of self-tests performed by the Ax160.

3.1. Power-Up Self-Tests

Loader

1. System Integrity Test: CRC-32 test of Boot and Loader code.
2. Firmware Integrity Test: the integrity of the Loader is verified at startup by checking a 1024-bit RSA signature.
3. The cryptographic functions are all tested at startup using known answer tests:
   a. SHA-256
   b. AES – ECB and CBC modes (encrypt, decrypt)
   c. RSA (4096-bit signature verification)
   d. ANSI X9.31 RNG
   e. AES – CCM mode (decrypt only)
4. Critical Functions Tests:
   a. DRAM test
   b. Key Integrity Check: all keys are stored with integrity check digits, and those check digits are verified whenever a key is retrieved by the Loader for use. All cleartext key values are destroyed immediately after use.

Personality

1. Personality Integrity Test (includes Kernel): the integrity of the Personality is verified by the Loader during Personality Load and when issuing the Go command. In addition, during initialization two CRC-32 tests are performed to verify the Personality; these tests are also performed once a day and on demand.
2. Known Answer Tests:
   a. AES – CBC mode (encrypt, decrypt)
   b. AES – CMAC (generate only)
   c. 3DES – ECB, CBC, 8-bit CFB, 64-bit CFB, and OFB modes (encrypt, decrypt)
   d. RSA (encrypt and decrypt)
   e. RSA (signature generation and verification)
   f. SHA-1 and SHA-256
   g. SP 800-90 DRBG

3.2. Conditional Self-Tests

Loader

1. Continuous RNG Test 2. Firmware Load Test: This is a series of tests used to validate the integrity of the Personality

when it is loaded into the ACS. These tests include CCM for secure and authenticated key transport, Signature test (RSA 4096-bit modulus with SHA-256), AES-256 file decryption, and CRC-32.

3. Critical Functions Tests:
a. Key Integrity Check: All keys are stored with integrity check digits, and those check digits are verified whenever the key is retrieved by the Loader for use. All clear text key values are destroyed immediately after use.
b. “go” command Personality start validation: The “go” command is authenticated using a 1024-bit signature. Following this, the Personality is validated with CRC-32, then decrypted using AES-256, then validated again using SHA-256 prior to passing control to it.
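Items 2 and 3b above describe a chain of checks on a Personality image: CRC-32, a signature over the image (RSA with SHA-256), AES-256 decryption, and a SHA-256 check of the result. The Go program below is an added example of that chain and is not the Ax160 Loader's code or image format: the Image layout, PKCS#1 v1.5 signature padding, CBC mode with PKCS#7 padding, the order in which the checks are applied, and the names BuildImage, VerifyAndDecrypt and NewSigningKey are all assumptions of the example, and it uses a 2048-bit signing key only to run quickly where the Ax160 verifies a 4096-bit modulus.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"hash/crc32"
)

// Image is a constructed container for a Personality image. Field layout,
// PKCS#1 v1.5 signatures, CBC with PKCS#7 padding and the check order are
// assumptions for this example, not the Ax160 image format.
type Image struct {
	Ciphertext []byte   // Personality encrypted with AES-256-CBC
	IV         []byte   // CBC initialisation vector
	Digest     [32]byte // SHA-256 of the clear Personality
	CRC        uint32   // CRC-32 (IEEE) over Ciphertext
	Signature  []byte   // RSA/SHA-256 signature over Ciphertext || IV || Digest
}

// NewSigningKey stands in for the PSK. 2048 bits keeps the example fast;
// the Ax160 itself verifies a 4096-bit modulus.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func signedBytes(img *Image) []byte {
	b := append(append([]byte(nil), img.Ciphertext...), img.IV...)
	return append(b, img.Digest[:]...)
}

func pad(b []byte) []byte { // PKCS#7 padding, an assumption of the example
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) { // b is non-empty and block aligned
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding after decryption")
	}
	return b[:len(b)-n], nil
}

// BuildImage plays the signing side: encrypt, checksum, digest, sign.
func BuildImage(plain, key []byte, priv *rsa.PrivateKey) (*Image, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	img := &Image{IV: make([]byte, aes.BlockSize), Digest: sha256.Sum256(plain)}
	if _, err := rand.Read(img.IV); err != nil {
		return nil, err
	}
	padded := pad(append([]byte(nil), plain...))
	img.Ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, img.IV).CryptBlocks(img.Ciphertext, padded)
	img.CRC = crc32.ChecksumIEEE(img.Ciphertext)
	h := sha256.Sum256(signedBytes(img))
	img.Signature, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return img, err
}

// VerifyAndDecrypt returns the clear Personality only if every step passes,
// in this order: CRC-32, signature, AES-256 decryption, SHA-256 of the result.
func VerifyAndDecrypt(img *Image, pub *rsa.PublicKey, key []byte) ([]byte, error) {
	if crc32.ChecksumIEEE(img.Ciphertext) != img.CRC {
		return nil, errors.New("CRC-32 mismatch")
	}
	h := sha256.Sum256(signedBytes(img))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], img.Signature); err != nil {
		return nil, errors.New("signature verification failed")
	}
	if len(img.IV) != aes.BlockSize || len(img.Ciphertext) == 0 || len(img.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed IV or ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, len(img.Ciphertext))
	cipher.NewCBCDecrypter(block, img.IV).CryptBlocks(buf, img.Ciphertext)
	plain, err := unpad(buf)
	if err != nil {
		return nil, err
	}
	if sha256.Sum256(plain) != img.Digest {
		return nil, errors.New("SHA-256 mismatch after decryption")
	}
	return plain, nil
}
```

With priv from NewSigningKey and a constructed 32-byte key, BuildImage(plain, key, priv) produces an image that VerifyAndDecrypt(img, &priv.PublicKey, key) returns in the clear. Flipping one ciphertext bit makes it fail at the CRC-32 step, and recomputing the CRC over the altered bytes only moves the failure to the signature step, which is why the cheap integrity check comes first and the signature, not the CRC, carries the authenticity decision.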

Personality

1. Continuous RNG Test:
a. Hardware RNG
b. DRBG

2. RSA Pairwise Consistency Test

3.3. Periodic Self-Tests

The Personality allows the power-up self-tests to be performed periodically. To set up the once-a-day self-tests, the DIAGTEST_TIME parameter in the config.prm file needs to be set to a six-digit value (HHMMSS). This value specifies the time at which the once-a-day self-tests are performed.

3.4. On-Demand Self-Tests

The Ax160 allows self-tests to be performed on operator demand. These self-tests are identical to the power-up self-tests.


Loader

The following commands can be used to perform the on-demand self-tests:

1. Test_aes – tests the AES cryptographic engine
2. Test_ccm – tests the CCM mode of operation of the AES algorithm
3. Test_rng – tests the RNG using a fixed key, beginning context, and result
4. Test_sha – tests the SHA-256 cryptographic engine
5. Test_signature – tests the signature computation algorithm

Note that these self-tests can only be performed when the Loader is running (i.e., prior to loading the Personality).

Personality

The Personality allows on-demand self-tests to be performed using the Diagtest command:

<9A#DIAGTEST#Algorithm#RSA Option#>

The “Algorithm” field identifies the type of test that will be performed:

0 – All on-demand self-tests
1 – 3DES KAT
2 – DRBG KAT
3 – RSA KAT
4 – MD5 KAT
5 – SHA-1 KAT
6 – SHA-256 KAT
7 – Personality and Kernel Integrity Test
8 – AES KAT

“RSA Option” determines whether the RSA KAT is performed when “Algorithm” is set to “0”. The default value for “RSA Option” is “0”. All self-tests except the RSA KAT are performed when “RSA Option” is set to “0”; a non-zero or blank value results in all self-tests being performed.

The NSP also allows on-demand self-tests to be initiated by the SCA. The SCA Crypto Test instructs the NSP to perform all self-tests except for the RSA KAT.
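The command framing used throughout this policy (<tag#field#...#>) and the selection rules of the Diagtest command can be exercised with the Go program below. It is an added example, not Atalla software: the parser assumes only the visible framing with “#” separators, treats an absent “RSA Option” field as the default “0” (the policy gives the default but not how a missing field is handled), and also recognises the two error responses listed in section 3.5; Frame, ParseFrame, DiagtestPlan and SelfTestError are the example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Frame is an Atalla-style command or response <tag#field#...#>, the shape of
// 9A#DIAGTEST, 9A#CLEAR_LOG, the 1101/1110 status commands and the
// <00#080012#0717#> error response shown in this policy.
type Frame struct {
	Tag    string
	Fields []string
}

// ParseFrame splits "<tag#f1#f2#>" into tag and fields. Only the visible
// "<" ... "#>" framing with "#" separators is assumed.
func ParseFrame(s string) (*Frame, error) {
	if len(s) < 3 || !strings.HasPrefix(s, "<") || !strings.HasSuffix(s, "#>") {
		return nil, errors.New("malformed frame: expected <...#>")
	}
	parts := strings.Split(s[1:len(s)-2], "#")
	if parts[0] == "" {
		return nil, errors.New("missing command tag")
	}
	return &Frame{Tag: parts[0], Fields: parts[1:]}, nil
}

// algorithmNames are the non-zero "Algorithm" values the policy lists.
var algorithmNames = map[string]string{
	"1": "3DES KAT", "2": "DRBG KAT", "3": "RSA KAT", "4": "MD5 KAT", "5": "SHA-1 KAT",
	"6": "SHA-256 KAT", "7": "Personality and Kernel Integrity Test", "8": "AES KAT",
}

// DiagtestPlan returns the self-tests a <9A#DIAGTEST#Algorithm#RSA Option#>
// command selects. With Algorithm "0", RSA Option decides whether the RSA KAT
// is included: "0" (the default) excludes it; any other value, a blank field
// included, selects all tests. An absent field is treated as "0" (assumption).
func DiagtestPlan(f *Frame) ([]string, error) {
	if f.Tag != "9A" || len(f.Fields) < 2 || f.Fields[0] != "DIAGTEST" {
		return nil, errors.New("not a 9A#DIAGTEST command")
	}
	alg := f.Fields[1]
	if alg != "0" {
		name, ok := algorithmNames[alg]
		if !ok {
			return nil, fmt.Errorf("unknown Algorithm value %q", alg)
		}
		return []string{name}, nil
	}
	rsaOption := "0"
	if len(f.Fields) > 2 {
		rsaOption = f.Fields[2]
	}
	var plan []string
	for _, k := range []string{"1", "2", "3", "4", "5", "6", "7", "8"} {
		if k == "3" && rsaOption == "0" {
			continue // RSA KAT runs only when RSA Option is non-zero or blank
		}
		plan = append(plan, algorithmNames[k])
	}
	return plan, nil
}

// SelfTestError recognises the two self-test error responses of section 3.5.
func SelfTestError(resp *Frame) (string, bool) {
	if resp.Tag != "00" || len(resp.Fields) < 2 || resp.Fields[0] != "080012" {
		return "", false
	}
	switch resp.Fields[1] {
	case "0717":
		return "self-test failure: error state, power cycle required", true
	case "0716":
		return "continuous RNG test failure: RNG-dependent commands fail until power cycle", true
	}
	return "", false
}

func main() {
	for _, s := range []string{"<9A#DIAGTEST#0#0#>", "<9A#DIAGTEST#0##>", "<9A#DIAGTEST#3#>"} {
		f, err := ParseFrame(s)
		if err != nil {
			panic(err)
		}
		plan, err := DiagtestPlan(f)
		fmt.Printf("%s -> %v (err=%v)\n", s, plan, err)
	}
	e, _ := ParseFrame("<00#080012#0717#>") // error response from section 3.5
	fmt.Println(SelfTestError(e))
}
```

The blank-field case is the one worth noting: <9A#DIAGTEST#0##> parses to an empty third field, which is not “0”, so the RSA KAT is included, exactly as the policy states for a blank value.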

3.5. Self-Test Failures

Loader

Failure of any of the self-tests results in an error state. Recovery from the error state requires power cycling.

Personality

Failure of any power-up, periodic, or on-demand self-test results in an error state. In this state, all commands, except for the status commands 9A, 1101, 1110, 1120, and 1223, will return the error <00#080012#0717#>. Recovery from the error state requires power cycling.

Failure of the RSA pairwise consistency test results in a soft error. Only the command that invoked the test is affected by the error. The Ax160 will create another RSA key pair if the test fails.


Failure of the continuous RNG test results in a soft error. The calling command and other commands that use the random number generator function will return error <00#080012#0716#>. Commands that do not use the random number generator are not affected by the error. Recovery from the error requires power cycling.

4. Rules

Rule 1: HP Atalla maintains no databases of device secrets and has no “backdoor access” to customers’ secrets.

Rule 2: All functions requiring the use of sensitive data shall be performed within the security area. This rule is enforced by the Ax160 physical design. All the critical circuits and components are within the secure area, which is continuously monitored to detect tampering.

Rule 3: All sensitive data shall be zeroized upon tamper detection. Zeroization, when controlled by hardware, is a process that effectively erases the previous content. This rule is enforced by the tamper detection circuits, switches, and the software.

Rule 4: Personality software and cryptographic keys, when loaded outside of the manufacturing site, shall be cryptographically protected. The actual key names and their uses are described in section 7 of this document. Personalities are signed by HP. The corresponding signature keys (i.e., the GSK private key and the PSK private key) remain solely under the control of HP, and knowledge of those keys is not distributed or divulged outside the manufacturer’s control.

Rule 5: Clear cryptographic keys in the security area shall never be exported.

Rule 6: Keys should be replaced with new keys whenever the compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack elapses, as defined in ISO 9564.

Rule 7: The Ax160 does not support maintenance and bypass modes.

Rule 8: Failure of self-tests results in the Ax160 entering an error state.

Rule 9: Power-up self-tests initiated after power up or power cycle do not require input or operator intervention.


5. Services

5.1. Loader Services

The following services provide user authentication and/or cryptographic functionality as well as diagnostics capabilities. The available services depend on the defined roles. Note that these Loader services can only be performed when the Loader is running (i.e., prior to loading the Personality).

5.1.1. Getstatus

Limited status information shall always be available. This command is used to read and display the status of the ACS, such as tamper information, Personality application load status, and mode of operation (Approved versus non-Approved). The status output is broken into four parts: basic status, which customers can use for simple problem diagnosis; network status, for diagnosing network issues; extended status, which is used by HP Atalla for problem analysis; and event status, which is a date-and-time stamped record of all events which have taken place with the ACS, also for use by HP Atalla for problem analysis. There is an optional parameter for basic getstatus service to display the other status information. None of the status information can compromise the security of the Ax160 in any way.

5.1.2. Version

The version command is used to retrieve the Loader name, product type, software version, and build date and time.

5.1.3. Help

The help command simply returns a list of the available commands. Help is context sensitive; i.e., it shows only the commands valid at the current time, so the responses are different in normal, error, and tamper states. It does not provide any syntax help.

5.1.4. Gettime

This command is used to read the contents of the real time clock. The date and time are a 12-character formatted ASCII string with the format: YYMMDDHHMMSS (year-month-day-hour-minute-second).

5.1.5. Getsn

This command reads the value of the serial number field stored in the EEPROM. If the serial number has not been set, an error is returned. The serial number is at most a 15-character ASCII string.

5.1.6. Setnet

This command is used to set the user-manageable network parameters for the unit. These parameters include the IP address, netmask, and gateway for each Ethernet port. The parameters are stored in the serial EEPROM. Other network parameters are set either automatically as part of the UDP protocol with the host server or by the factory prior to deployment.

5.1.7. Setport

This command is used to configure the serial port. The port can be configured for all supported data rates and with or without character echo. The valid data rates include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200 bits per second.

5.1.8. Echo

The echo command is used to test the I/O connection to the Loader.

5.1.9. Self-Tests

Instructions requesting the ACS to perform self-test operations are available. There are individual instructions for testing specific functions, e.g. AES and SHA-256. These tests are identical to the power-up self-tests and are listed in the On-Demand Self-Tests section.

5.1.10. Personality Load

Personality load instructions, when successful, result in updating the flash memory. This service is authenticated as described in section 6.

5.1.11. Go (Start Personality)

The start Personality service passes control from the Loader to the Personality. This service must be authenticated by an operator in the Loader User role.

5.1.12. Zeroize

The zeroize service is not a command. It occurs automatically following any tamper event. An operator can choose to invoke this service by the physical removal of the batteries. This results in the battery low event, which zeroizes non-volatile RAM, and forces the unit into the ALARM state. The time required for the PSMCU to perform the zeroization is less than 500 microseconds from the time of detection. The first half of this time, less than 250 microseconds, is used for the primary CSP erasure, while the second half is used for extended CSP erasure.

5.2. Personality Services

These services can be split into three categories: NSP management/configuration, shareholder services, and banking commands. The first two categories are performed using the Atalla Secure Configuration Assistant (SCA) under dual-control. The banking commands are designed for use in financial environments and use the command-and-response format as described in Section 2.1.


5.2.1. NSP Management

Services include initializing and managing the NSP. These include the creation of a security association, management of key components, NSP Command and Option configuration, audit log management, and updating the firmware. Refer to the SCA User Guide for the complete list of available services.

5.2.2. Shareholder services

Services include the creation of and initialization from shareholder smartcards. Refer to the SCA User Guide for the complete list of Shareholder services.

5.2.3. Banking Commands

The Ax160 supports a number of commands that are available to the Personality User. Standard commands and options are available by default and, if required, can be disabled using the SCA. Premium Value commands and options are disabled by default and need to be purchased prior to enabling them. Utility commands are enabled by default and cannot be disabled. These are status commands and are not security-relevant. Refer to the NSP Atalla Key Block Banking Command Reference Manual for the complete list of available banking commands.

6. Roles

6.1. Loader Crypto-Officer

The Loader Crypto-Officer (LCO) is responsible for the overall security of the Loader Platform. In particular, only an operator in the Loader Crypto-Officer role can load a Personality into the Ax160. The Loader Crypto-Officer is required to be properly authenticated and its authentication mechanism is controlled by the PSK (private key), which is used to sign Personality images. The LCO uses the PSK (private key) to create signed Personality images for download to the unit. The Loader Crypto-Officer authenticates using the PSK.

6.2. Loader User

The Loader User can perform a limited number of the services available on the Ax160. The Loader User is required to be properly authenticated and his authentication mechanism is controlled by the GSK (private key), which is used to sign the ‘go’ command. The Loader User uses the GSK (private key) to sign the ‘go’ command which allows the Loader to exit and start the Personality. The Loader User authenticates using the GSK.


6.3. Personality Security Administrator

The Personality Security Administrator configures and manages the NSP. Configuration changes are only allowed under dual control. The Personality Security Administrator is authenticated by the 1024-bit Smartcard Identity key. This key has a certificate signed by the Atalla Root Authentication Key.

6.4. Personality Shareholder

Limited services are available to the Personality Shareholder. The main purpose of this role is to bring up a clone of a second NSP under dual control. The Personality Shareholder is authenticated by the 1024-bit Smartcard Identity key. This key has a certificate signed by the Atalla Root Authentication Key.

6.5. Personality User

The Personality User can perform the banking commands and options specified in the NSP Atalla Key Block Banking Command Reference Manual. The type of commands and options that are available depends on the Security Policy defined by the Security Administrator.


6.6. Roles vs. Services Matrix

Acronyms: A – available, √ – unauthenticated command.

| Group | Command / Service | Loader CO | Loader User | Personality Security Administrator | Personality Shareholder | Personality User |
|---|---|---|---|---|---|---|
| Status | GetStatus | √ | √ | | | |
| Status | Version | √ | √ | | | |
| Status | Help | √ | √ | | | |
| Status | Gettime | √ | √ | | | |
| Status | Getsn | √ | √ | | | |
| Status | Setnet | √ | √ | | | |
| Status | Setport | √ | √ | | | |
| Status | Echo | √ | √ | | | |
| Self-test | Test_signature | √ | √ | | | |
| Self-test | Test_sha | √ | √ | | | |
| Self-test | Test_aes | √ | √ | | | |
| Self-test | Test_rng | √ | √ | | | |
| Self-test | Test_ccm | √ | √ | | | |
| Loader | Zeroize | √ | √ | | | |
| Loader | Personality Load | A | | | | |
| Loader | Go (Start Personality) | | A | | | |
| Personality | NSP Management | | | A | | |
| Personality | Shareholder Services | | | | A | |
| Personality | Banking Commands | | | | | A |

Table 7 Roles vs. Services Matrix

7. Key Management

This section identifies all CSPs stored and used in the ACS and the supported key management techniques.

7.1. CSPs

| Key Name | Algorithm | Size (Bits) | Purpose/Usage | Stored in | Stored as | Destroyed |
|---|---|---|---|---|---|---|
| Loader Keys | | | | | | |
| IMFK | AES | 256 | Encrypting all Loader keys | PSMCU RAM | In the clear with ECC bits for error detection | Actively by tamper and passively by battery failure |
| PIMFK (Personality code refers to this as LSK) | AES | 256 | Encrypting MFK/PMFK, Device Identity Public Keys | PSMCU RAM, loaded into crypto-hardware key cache register | In the clear with ECC bits for error detection | Actively by tamper and passively by battery failure |
| LSK Public Key | RSA | 1024 | Verify Loader download signature | Incorporated in Loader image and stored in Flash ROM | Cleartext | Only destroyed if replaced with a new LSK as part of Loader replacement |
| FFK, FFK_IV | AES | 256 | Encrypting Personality stored in flash | Flash ROM | Encrypted by IMFK | When the IMFK is destroyed (as a result of IMFK zeroization) or when a new Personality image is downloaded |
| PSK Public Key | RSA | 4096 | Loader Crypto-Officer authentication key. Verify image download signature | Incorporated in Loader image and stored in Flash ROM | Encrypted by IMFK | When the IMFK is destroyed (as a result of IMFK zeroization) or replaced with a new PSK as part of Loader replacement |
| PDEK | AES | 256 | Decrypting CCM envelope of image download | Incorporated in Loader image and stored in Flash ROM | Encrypted by IMFK | When the IMFK is destroyed (as a result of IMFK zeroization) or replaced with a new PDEK as part of Loader replacement |
| PRNGK | AES | 256 | PRNG seed | General purpose EEPROM | Encrypted by IMFK | When the IMFK is destroyed (as a result of IMFK zeroization) |
| GSK Public Key | RSA | 1024 | Loader user authentication key. Verify “go” command signature | Incorporated in Loader image and stored in Flash ROM | Cleartext | Only destroyed if replaced with a new GSK as part of Loader replacement |
| IDFK, IDFK_IV | AES | 256 | Decrypting download image | Volatile SDRAM | Cleartext and encrypted by PDEK in CCM envelope | Following completion or interruption of the image download |
| Personality Keys | | | | | | |
| Atalla Root Authentication Public Key (1024) | RSA | 1024 | Signing device identity certs | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Atalla Root Authentication Public Key (2048) | RSA | 2048 | Signing device identity certs | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Device Identity Public Key (1024) | RSA | 1024 | Used to establish a secure session between the NSP and the smartcard | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Device Identity Private Key (1024) | RSA | 1024 | Used to establish a secure session between the NSP and the smartcard | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Device Identity Public Key (2048) | RSA | 2048 | Used to establish a secure session between the NSP and the smartcard | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Device Identity Private Key (2048) | RSA | 2048 | Used to establish a secure session between the NSP and the smartcard | Flash ROM | Encrypted by PIMFK | When the PIMFK is destroyed (as a result of PIMFK zeroization) |
| Smartcard Identity Public Keys | RSA | 1024 | Authenticates the Personality Security Administrator and Shareholder | Volatile SDRAM | Certificate signed by the Atalla Root Authentication key | Erased at end of session |
| Secure Channel Session Key (encrypt) | TDES | 128 | Protects the communication between the smartcard and NSP | Volatile SDRAM | Cleartext | Erased at the end of session |
| Secure Channel Session Key (MAC) | TDES (CBC-MAC) | 128 | Protects the communication between the smartcard and NSP | Volatile SDRAM | Cleartext | Erased at the end of session |
| Master File Key (MFK) | TDES | 128, 192 | Encryption of all user keys | External SRAM / Internal SRAM | Encrypted by PIMFK / Cleartext | When the PIMFK is destroyed (as a result of PIMFK zeroization) and zeroized upon tamper detection |
| Pending Master File Key (PMFK) | TDES | 128, 192 | Encryption of all keys used for input/output | External SRAM / Internal SRAM | Encrypted by PIMFK / Cleartext | When the PIMFK is destroyed (as a result of PIMFK zeroization) and zeroized upon tamper detection |
| User Key Encryption Key (KEK) | TDES | 64, 128, 192 | Encryption of Working keys | Volatile SDRAM | Encrypted by MFK/PMFK | When the MFK is destroyed |
| TDES User Keys | TDES | 64, 128, 192 | Used to encrypt PIN blocks and other types of data | Volatile SDRAM | Encrypted by MFK/PMFK or KEK | When the MFK or KEK is destroyed |
| DRBGK | AES | 256 | Key used by Personality to run NIST SP 800-90 DRBG | Volatile SDRAM | Cleartext | When the unit is powered off |

Table 8 Critical Security Parameters

7.2. Key Management Techniques

The Ax160 supports the following key management techniques:

- ANS X9.24 parts 1 and 2
- Derived Unique Key Per Transaction (DUKPT)
- Master-Session
- ANS TR-31
- EMV key derivation techniques – master key derivation and session key techniques that include tree-based derivation, common session (SU-46), and American Express
- AS 2805
- Country and/or issuer-specific session key derivation algorithms


7.3. Key Storage

The CSP table above specifies how keys are stored inside the Ax160. Internal (key tables) and external (application/host database) keys are stored encrypted and MACed in accordance with ANS X9.24 part 1. All internal keys are stored encrypted in a fixed position with error detection. The root keys cannot be explicitly accessed, modified, or exported and are subject to zeroization during a tamper event. These protection mechanisms protect keys against unauthorized disclosure and substitution and ensure key separation. The Personality Security Administrators and Shareholders are advised to securely store the smart cards required for authenticating to the Ax160.

7.4. PIN Management

The Ax160 meets the PIN requirements specified in PCI HSM requirement A6 by enabling Option 46. Enabling Option 46 limits all standard Atalla PIN translation commands to either ISO-0 or ISO-3 PIN blocks (input and output) and prevents any change of the PAN. Refer to the NSP Atalla Key Block Banking Command Reference Manual for additional guidance.

8. Power On/Off States

The Ax160 is idle when there is no external power applied. The following states are the power off states of the Ax160 during this idle condition:

| State | Description |
|---|---|
| Personality | This is the state when the Personality application is loaded in Flash ROM and ready to run. |
| Download Personality | This is the state when an actual Personality application download is being performed. |
| Alarm | This is the state after the ACS secure envelope has been active and a tamper attempt has been detected. |

Table 9 Power off States during Idle Condition

8.1. PSMCU Security State LED Status Indication (Green)

A second LED is used to indicate the state of the PSMCU, which is the security monitoring subsection. This LED is green. The following LED states are defined:


Underlined values are LED off; bold values are LED on.

The states indicated by the PSMCU are shown in the following table:

| State or Alarm | LED operation (pattern in ms) | Appearance |
|---|---|---|
| Secure State, no alarms | ON solid | ON solid |
| Test State | 1000 1000 | Slow, regular blink |
| Secure State, Operating Temperature out of range | 200 200 200 1000 | 2 short blinks |
| Secure State, Voltage out of range | 200 200 200 200 200 600 | 3 short blinks |
| Zeroized State | 250 250 | Fast, regular blink |
| Software integrity test failure | OFF solid | OFF solid |

Table 10 Green LED

8.2. Loader and Personality LED Status Indicator (Amber)

The states indicated by the Loader and Personality are shown in the following table:

| State or Alarm | LED operation (pattern in ms) | Appearance |
|---|---|---|
| NSP is not able to initialize. Three possible sources for this state: the USB drive is not inserted in the Ax160; the config.prm file is not present on the USB device, or is corrupted; the ACS is unable to initialize | ON solid | ON solid |
| | 1000 1000 | Slow, regular blink |
| Busy | 200 200 200 600 | 2 short blinks |
| ‘Go’ command failed | 600 200 200 200 200 200 | 1 long followed by 2 short blinks |
| Zeroized State | 250 250 | Fast, regular blink |
| Normal operation if powered on | OFF solid | OFF solid |

Table 11 Amber LED


9. Secure Operation

The Ax160 manuals provide guidance on how to securely set up, configure, and operate the Ax160.

9.1. Initial Setup

The device should be unpacked and inspected according to the Ax160 Install and Operations Guide. Customers are required to inspect the shipping container, compare the packing list with the purchase order, examine the content, and inspect each item (including damaged tamper labels). If damage is evident, notify HP Technical Support immediately. Refer to the Installation and Operations Guide for the Atalla Ax160 for installation and configuration instructions, maintenance information, safety tips, and other information.

9.2. Periodic Self-Tests Configuration

During the initial setup, the Ax160 system image file and config.prm file must be copied from the CD-ROM that ships with the Ax160 to the HP-provided USB flash memory device. The config.prm file defines the startup, TCP/IP, and log parameters, and is accessed during the Ax160 power-on sequence. These parameters must be modified. One of the parameters that needs to be added to the STARTUP settings is DIAGTEST_TIME, which sets up the required periodic self-tests. DIAGTEST_TIME needs to be set to the value HHMMSS, where:

HH = hour (valid values are 00 through 23)
MM = minute (valid values are 00 through 59)
SS = second (valid values are 00 through 59)

The NSP’s system clock is set to Coordinated Universal Time (UTC) and cannot be changed to a local time. The default value is 000000 (midnight UTC). Refer to the Ax160 Install and Operations Guide for additional information and guidance on the config.prm file.
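The DIAGTEST_TIME rules above, together with the FILE_LEVEL requirement from section 9.4, can be checked before a config.prm file is copied to the USB device. The Go program below is an added example, not HP Atalla's tooling: the policy names the parameters but not the file layout, so a [SECTION] / KEY=VALUE layout with DIAGTEST_TIME under [STARTUP] and FILE_LEVEL under [LOG] is assumed, the sample file is constructed, and ParseConfigPrm, ParseDiagtestTime, NextSelfTest and CheckConfig are the example's own names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleConfigPrm is constructed for this example. The policy names the
// parameters (DIAGTEST_TIME in STARTUP, FILE_LEVEL for the system log) but not
// the file layout; a [SECTION] / KEY=VALUE layout is assumed, with FILE_LEVEL
// placed under [LOG] as a further assumption.
const sampleConfigPrm = `[STARTUP]
DIAGTEST_TIME=023000
[LOG]
FILE_LEVEL=4
`

// ParseConfigPrm returns section -> key -> value, with names upper-cased.
func ParseConfigPrm(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToUpper(line[1 : len(line)-1])
		default:
			k, v, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			if cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			cfg[section][strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return cfg
}

// ParseDiagtestTime validates an HHMMSS value against the ranges the policy
// gives (HH 00-23, MM 00-59, SS 00-59) and returns its components.
func ParseDiagtestTime(v string) (hh, mm, ss int, err error) {
	if len(v) != 6 || strings.Trim(v, "0123456789") != "" {
		return 0, 0, 0, fmt.Errorf("DIAGTEST_TIME %q: must be six digits HHMMSS", v)
	}
	hh, _ = strconv.Atoi(v[0:2])
	mm, _ = strconv.Atoi(v[2:4])
	ss, _ = strconv.Atoi(v[4:6])
	if hh > 23 || mm > 59 || ss > 59 {
		return 0, 0, 0, fmt.Errorf("DIAGTEST_TIME %q: field out of range", v)
	}
	return hh, mm, ss, nil
}

// NextSelfTest returns the first once-a-day self-test instant after now. The
// NSP clock runs in UTC, so the schedule is computed in UTC whatever zone now is in.
func NextSelfTest(v string, now time.Time) (time.Time, error) {
	hh, mm, ss, err := ParseDiagtestTime(v)
	if err != nil {
		return time.Time{}, err
	}
	now = now.UTC()
	next := time.Date(now.Year(), now.Month(), now.Day(), hh, mm, ss, 0, time.UTC)
	if !next.After(now) {
		next = next.Add(24 * time.Hour)
	}
	return next, nil
}

// CheckConfig applies the policy's two requirements: DIAGTEST_TIME present and
// valid in STARTUP, and FILE_LEVEL=4 so self-test events reach the system log.
func CheckConfig(cfg map[string]map[string]string) []string {
	var findings []string
	if v, ok := cfg["STARTUP"]["DIAGTEST_TIME"]; !ok {
		findings = append(findings, "DIAGTEST_TIME missing from STARTUP: periodic self-tests are not configured")
	} else if _, _, _, err := ParseDiagtestTime(v); err != nil {
		findings = append(findings, err.Error())
	}
	if cfg["LOG"]["FILE_LEVEL"] != "4" {
		findings = append(findings, "FILE_LEVEL must be 4 for self-test events to be logged")
	}
	return findings
}
```

CheckConfig(ParseConfigPrm(sampleConfigPrm)) returns no findings; a file with DIAGTEST_TIME=99 and FILE_LEVEL=2 returns one finding for each, and NextSelfTest("023000", now) gives the next 02:30:00 UTC after now, the same day if that time has not yet passed and otherwise the following day.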

9.3. Version

The Ax160 model number is located in the lower right corner of the front panel. The Ax160 Hardware Part Number is displayed on the top cover, right above the caution label. It is also displayed on the packaging of the server. Once the Personality is running, the software version and PCI mode can be verified by using commands 1101 or 1110, as shown in the examples below:

Command: <1101#>
Response: <2101#HP Atalla A10160-AKB PCI-HSM Version: 1.21, Date: Jun 13 2011, Time: 11:08:03#B021#1#>

Command: <1110#>
Response: <2110#Axx160, Version: 1.21, Date: Jun 13 2011, Time: 11:15:07#HP Atalla A10160-AKB PCI-HSM Version: 1.21, Date: Jun 13 2011, Time: 11:08:03#B021#1#>

9.4. Log

Security administrators are advised to review the logs frequently. The Ax160 maintains three different types of logs.

For the Loader, events are logged to an EEPROM device. These events can only be viewed when the Loader is running (i.e., prior to loading the Personality). The getstatus command can be used to display the events. The Loader EEPROM log cannot be modified or deleted.

For the Personality, all Ax160 events are logged in the system log in NVRAM and copied to the USB flash memory device. They are optionally output to the serial port and/or status port. The USB flash memory device is located behind the front bezel and is protected by two pick-resistant locks. The system log cannot be erased without removing the USB drive from the unit. The command <9A#CLEAR_LOG#> closes the current system log on the USB drive, clears the system log that is stored in NVRAM, and then uses the current date and time to create a new system log on the USB flash memory device. The command will not erase the old system log files from the USB device. When removing the USB drive for archiving purposes,the USB drive shall be replaced with another USB drive to avoid potentially losing system log events. To ensure that self-test events are being logged in the system log, FILE_LEVEL must be set to 4.

All dual-control operations are stored in the internal security audit log. The security audit log data is stored in flash memory, which is not physically accessible without tampering with the device. The security audit log can be viewed and managed by the SCA, or viewed remotely if the Ax160 is configured appropriately. The security audit log can only be cleared using dual-control authentication.

Refer to the Ax160 manuals for additional information on the supported logging mechanisms.

9.5. Commands and Options

A couple of mechanisms exist to determine the list of enabled and disabled commands and options. The Personality Security Administrator is able to use the SCA to view the list of enabled and disabled commands by going to NSP Management and clicking on NSP Configuration Management. The NSP Command Configuration screen contains a list of disabled commands on the left and a list of enabled commands on the right. Similarly, the NSP Option Configuration screen contains a list of disabled options on the left and a list of enabled options on the right. The Personality User can view the list of enabled commands and options by sending command <9A#CONFIG-ON#> and the list of disabled commands and options by sending <9A#CONFIG-OFF#>.

When operating in PCI mode, the following commands must not be enabled: 90 and 120.

When operating in PCI mode, the following options should be enabled: 46, 48, 49, 4B, 4C, and 4E.

All other commands and options do not impact PCI compliance.