HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 1 This document may be reproduced only in its original entirety, without revision.
Hewlett-Packard – Atalla Security Products
Ax160
PCI HSM Security Policy
Version 1.1 22 August 2011
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 2 This document may be reproduced only in its original entirety, without revision.
Table of Contents
1. Introduction ...................................................................................................................................................................... 4
1.1. Glossary .................................................................................................................................................................... 4
2. General Description ......................................................................................................................................................... 5
2.1. Product Overview ..................................................................................................................................................... 5 2.1.1. Physical Security .................................................................................................................................................. 7 2.1.2. Ax160 Memory .................................................................................................................................................... 8
2.2. Ports and Interfaces .................................................................................................................................................. 9 2.2.1. External Ports ....................................................................................................................................................... 9 2.2.2. Power ................................................................................................................................................................. 10
2.3. Supported Algorithms ............................................................................................................................................. 11
3. Self-Tests ......................................................................................................................................................................... 12
3.1. Power-Up Self-Tests ............................................................................................................................................... 12
3.2. Conditional Self-Tests ............................................................................................................................................. 13
3.3. Periodic Self-Tests .................................................................................................................................................. 13
3.4. On-Demand Self-Tests ............................................................................................................................................ 13
3.5. Self-Test Failures .................................................................................................................................................... 14
4. Rules ................................................................................................................................................................................ 15
5. Services ............................................................................................................................................................................ 16
5.1. Loader Services ...................................................................................................................................................... 16 5.1.1. Getstatus............................................................................................................................................................. 16 5.1.2. Version ............................................................................................................................................................... 16 5.1.3. Help .................................................................................................................................................................... 16 5.1.4. Gettime .............................................................................................................................................................. 16 5.1.5. Getsn .................................................................................................................................................................. 16 5.1.6. Setnet ................................................................................................................................................................. 16 5.1.7. Setport ................................................................................................................................................................ 17 5.1.8. Echo ................................................................................................................................................................... 17 5.1.9. Self-Tests ........................................................................................................................................................... 17 5.1.10. Personality Load............................................................................................................................................ 17 5.1.11. Go (Start Personality) .................................................................................................................................... 17 5.1.12. Zeroize .......................................................................................................................................................... 17
5.2. Personality Services ................................................................................................................................................ 17 5.2.1. NSP Management .............................................................................................................................................. 18 5.2.2. Shareholder services .......................................................................................................................................... 18 5.2.3. Banking Commands ........................................................................................................................................... 18
6. Roles ................................................................................................................................................................................ 18
6.1. Loader Crypto-Officer ............................................................................................................................................ 18
6.2. Loader User ............................................................................................................................................................ 18
6.3. Personality Security Administrator ........................................................................................................................ 19
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 3 This document may be reproduced only in its original entirety, without revision.
6.4. Personality Shareholder ......................................................................................................................................... 19
6.5. Personality User ..................................................................................................................................................... 19
6.6. Roles vs. Services Matrix ........................................................................................................................................ 20
7. Key Management ........................................................................................................................................................... 20
7.1. CSPs ....................................................................................................................................................................... 20
7.2. Key Management Techniques ................................................................................................................................. 23
7.3. Key Storage ............................................................................................................................................................. 24
7.4. PIN Management .................................................................................................................................................... 24
8. Power On/Off States....................................................................................................................................................... 24
8.1. PSMCU Security State LED Status Indication (Green) .......................................................................................... 24
8.2. Loader and Personality LED Status Indicator (Amber) ......................................................................................... 25
9. Secure Operation ............................................................................................................................................................ 26
9.1. Initial Setup ............................................................................................................................................................. 26
9.2. Periodic Self-Tests Configuration .......................................................................................................................... 26
9.3. Version .................................................................................................................................................................... 26
9.4. Log .......................................................................................................................................................................... 27
9.5. Commands and Options .......................................................................................................................................... 27
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 4 This document may be reproduced only in its original entirety, without revision.
Revision History
0.4 June 2011 IF Created 0.5 July 2011 IF Incorporated comments 0.6 August 2011 IF Added logging procedures 0.7 August 2011 IF Updated the CSP table 0.8 August 2011 IF Updated the PIN Management section 0.9 August 2011 IF Added Commands and Options section to the
Secure Operation section 1.0 August 2011 IF Minor edits to the Commands and Options
section 1.1 August 2011 IF Minor edits
1. Introduction The HP Atalla Ax160 is a secure cryptographic co-processor designed for use in a variety of high security applications. The Ax160 corresponds to the following Network Security Processors (NSPs): A10160 (HW P/N AJ560A, SW Version 1.21), A9160 (HW P/N AJ558A, SW Version 1.21), and A8160 (HW P/N AJ556A, SW Version 1.21). All three NSPs use the same Firmware and Software, and differ only in the performance capability of the cryptographic subsystem. This document specifies the Ax160 security rules, including the services offered by the Atalla Cryptographic Subsystem (ACS), the roles supported, and all keys and CSPs employed by the ACS. The Ax160 is based on the FIPS140-2 level 3 validated Atalla Cryptographic Subsystem (ACS) (Certificate #1559).
1.1. Glossary
This section contains terms used within this document.
ACS Atalla Cryptographic Subsystem AES Advanced Encryption Standard CBC Cipher Block Chaining CCM Counter with CBC-MAC CFB Cipher Feedback CMAC Cipher-based MAC CPU Central Processing Unit CRC Cyclic Redundancy Check CSP Critical Security Parameter DMA Direct Memory Access DRAM Dynamic Random Access Memory DRBG Deterministic Random Bit Generator ECB Electronic Code Book
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 5 This document may be reproduced only in its original entirety, without revision.
EEPROM Electrically Erasable Programmable Read-Only Memory Flash Programmable read-only (nonvolatile) memory HSM Hardware Security Module HW Hardware IV Initialization Vector LAN Local Area Network LED Light Emitting Diode MD Message Digest MPU Micro processing unit NSP Network Security Processor NVRAM Nonvolatile RAM: General purpose memory maintained as nonvolatile OFB Output Feedback PCI Payment Card Industry Personality Secure software application running inside the secure boundary PSMCU Physical Security MicroController Unit RAM Random Access Memory: General purpose volatile memory RNG Random Number Generator RSA Rivest Shamir Adelman algorithm SCA Secure Configuration Assistant SHA Secure Hash Algorithm TDES Triple Data Encryption Standard USB Universal Serial Bus
2. General Description
2.1. Product Overview
The HP Ax160 provides a complete security solution consisting of the FIPS-validated ACS, financial firmware image and the customized HP Proliant DL180 G6 server. In particular, it consists of a secure hardware platform, a firmware secure Loader, the PSMCU firmware, the Personality software, and the DL180 G6 server. The purpose of the Loader is to load Approved (signed by HP Atalla) application programs, called “Personalities,” in a secure manner. The PSMCU firmware continually monitors the physical security of the ACS. The Personality allows the execution of the financial image commands. The server restricts access to the Network Security Processor via the front interfaces by adopting a front bezel installed with two-pick resistant locks and locking top cover. No security-relevant code runs in the server. The Ax160 operates only in PCI HSM mode. The major components of the Ax160 are:
Front bezel with two pick-resistant locks Top cover locking mechanism – the top cover cannot be removed without having access to the
top cover retention screw located behind the front bezel.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 6 This document may be reproduced only in its original entirety, without revision.
Atalla Cryptographic Subsystem (ACS) consisting of the Loader, PSMCU, and Personality, and providing tamper detection, tamper resistance, and automatic zeroization of Critical Security Parameters
Two USB ports located behind the bezel for attaching the Secure Configuration Assistant (SCA) and USB flash memory device
USB flash memory device for storing the image files, configuration information, and system logs LEDs for status, power, and network activity Power On/Standby button Ethernet Network Interface Connectors (NIC)
The Ax160 system image and default configuration file are provided on a System Image CD-ROM. Prior to powering on the Ax160 these files must be copied to the USB flash memory device and inserted into one of the USB ports located behind the bezel. The Ax160 is initialized, configured, and managed using the SCA. A smartcard needs to be inserted into the SCA in order to authenticate to the NSP. The SCA and its smartcards are not part of this validation effort. The Ax160 is a security co-processor for host applications. The Figure below shows the connectivity to the Ax160 in a typical host system environment.
Figure 1 Typical Host System Environment
In the above Figure, the host system uses a command-response format to communicate with the NSP: <CMDID#FIELD1#FIELD2…#FIELDN#^CONTEXT Tag#>
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 7 This document may be reproduced only in its original entirety, without revision.
A command begins with a start-of-command bracket (“<”) and ends with the end-of-command bracket (“>”). The pound sign (“#”) is used to delimit fields within the command. The context tag is optional. If present in the command, the context tag is returned as part of the response. The caret character (“^”) is an ASCII 0x5E. The NSP will process the command and return a response. If an error is encountered, an error response will be returned. The response format is: <RESPID#FIELD1#FIELD2…#FIELDN#^CONTEXT Tag#> [CRLF] By default, a carriage return (CR) and line feed (LF) are appended to the response. The commands are designed for use in financial environments, such as Automated Teller Machine (ATM), Electronic Fund Transfer (EFT), and Point of Sale (POS) networks.
2.1.1. Physical Security
Depending on the states of the PSMCU, two major events are generated within the secured area: 1. A "reset event" is one that forces the Ax160 to become temporarily inoperable. This is a non-
catastrophic event. When the conditions that cause the "reset event" are removed the unit will reboot then continue to operate normally.
2. A "tamper event" is one that forces the Ax160 to become permanently disabled. This is a catastrophic event. In the disabled state all critical security parameters are erased and the Ax160 can only provide status information to users.
Any physical penetration results in a “tamper event”. This event causes active zeroization of all cleartext CSPs. In addition to physical penetration monitoring, the Ax160 detects environmental attacks: 1. Temperature measurement. A "reset event" is generated whenever the temperature drops outside the
range +5 to +63 degrees Celsius. A "tamper event" is generated whenever the temperature drops outside the range of -20 to +100 degree Celsius. Note that the server’s operating temperature range is +10 to +35 degrees Celsius. The server will go into reset shutdown mode if it operates outside of this temperature range. When in this state, no power is provided to the ACS and the ACS continues to run from battery power. Only the PSMCU will be active at this point. The main ACS microprocessor, which runs the Loader and Personality, is idle, as are all communication ports.
2. Voltage measurement. A "reset event" is generated whenever the voltages (except battery) are present and are outside the Operating Host Voltage ranges, as shown below. A "tamper event" is generated whenever the battery voltage is below 2.65V while the ACS is operating on battery power only.
Operating Host Voltage Minimum Maximum
3.3V supply 3.12 VDC 3.47 VDC
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 8 This document may be reproduced only in its original entirety, without revision.
5.0V supply 4.65 VDC 5.35 VDC
Table 1 Operating Host Voltage Two (2) serialized tamper-evidence labels, applied to the edges of the ACS covers during manufacturing, provide physical tamper evidence. The tamper labels are located near the fan and wrap around the front and back. The tamper labels should be inspected periodically to verify that fresh labels have not been applied to a tampered ACS. The tamper detection and active zeroization mechanisms described above are provided by the ACS. The ACS resides inside the customized DL180 G6 server and cannot be removed without having access to the top cover retention screw located behind the front bezel. The bezel is protected by two pick-resistant locks. It is not possible to simply disconnect the ACS from the server without resetting the ACS to factory state. The environmental specifications for the DL180 G6 server are provided in the table below:
Table 2 Environmental Specifications for the Server
2.1.2. Ax160 Memory
There are six types of memory within the Ax160:
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 9 This document may be reproduced only in its original entirety, without revision.
1. Dynamic Random Access Memory (DRAM). DRAM is used to hold the Loader and Personality and their data during operation.
2. Flash Memory. Non-volatile flash memory is used to hold the Loader and Personality. No sensitive CSPs are stored in flash as cleartext.
3. PSMCU. The security control unit contains non-volatile memory in addition to a microcontroller for storing cleartext CSPs. The IMFK used by the Loader and the PIMFK used by the Personality are stored here. This memory is the first target of zeroization if a “tamper event” occurs.
4. Non-volatile RAM (SRAM). This battery-backed-up static RAM is not used by the Loader. The Personality uses this memory to store the encrypted MFK/PMFK keys and encrypted configuration data. No sensitive CSPs are stored as cleartext in the memory.
5. Volatile RAM (SRAM). This static RAM is not used by the Loader. The Personality uses this memory to store the cleartext MFK/PMFK keys during operation. It is immediately zeroized if a “tamper event” occurs or power is removed.
6. Flash memory. The USB flash memory device is inserted behind the bezel of the server and used to store the image files, configuration file, and system logs.
2.2. Ports and Interfaces
2.2.1. External Ports
The Ax160 has the following interfaces on the rear panel of the server:
RJ45 Ethernet (Qty. 2), compatible with 10/100/1000 Base T IEEE 802.3. – used as the primary communication I/O channel. The Loader only uses the UDP protocol. The Personality only uses the TCP protocol. These ports are directly mounted on the ACS card.
Rear Unit Identification LED/button – provides a visual reference for service personnel. Power supplies (Qty. 2) – for full power redundancy. Serial port – This port is standard RS-232; it is an alternative communication I/O channel.
The front panel of the Ax160 is protected by a customized bezel that is protected by two pick-resistant locks. The front panel with the bezel door closed consists of the following LEDs:
System power LED CRYPTO LED (green) – Security Status Indicator. A connector routes the electrical signals for
this LED from the ACS to the front panel of the chassis enclosure. The LED signal voltage swings through 3.3V DC, active low, and the LED current is limited to 5 mA.
CRYPTO LED (amber) – System Status Indicator. A connector routes the electrical signals for this LED from the ACS to the front panel of the chassis enclosure. The LED signal voltage swings through 3.3V DC, active low, and the LED current is limited to 5 mA.
Unit Identification LED/button The following additional interfaces are available when the bezel door is open:
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 10 This document may be reproduced only in its original entirety, without revision.
Power On/Standby button USB ports – the USB flash memory device and SCA are attached to either of these two ports.
The USB flash memory device stores the system image, configuration information (i.e., config.prm), and system logs. The SCA (Version 3.0 or higher) is used to initialize, configure, and manage the Ax160. A connector routes the USB communication from the front panel to the ACS. The Personality only supports the USB flash device class and the custom device class used by the SCA device. The Loader does not use this interface and leaves it in its default disabled state.
The following table shows the relationships among the physical and logical ports: Physical Ports RJ45
Ports Serial Port
USB ports
Unit ID
LEDs
Crypto LEDs
System Power LED
Power Supplies
Power On/ Standby Button
Data Input √ √ √ Data Output
√ √ √
Control Input
√ √ √ √
Status Output
√ √ √ √ √ √
Power √ Table 3 Physical and Logical Ports Mapping
Refer to the Installation and Operations Guide for the Atalla Ax160 for additional information on all the interfaces available on the Ax160.
2.2.2. Power
For the ACS, primary main system power is derived from the 3.3V pins on the PCI/PCI-X connector. In addition, the 5V and 12V pins on the PCI/PCI-X connector also supply additional power for the following purposes:
5V: Power for the USB connections and power for the battery circuit when host power is available.
12V: Fan power. The power requirements are:
3.3V: 8.2 W 5V: 15 mW (with no connection to the USB ports) 12V: 1.2 W Total Power 9.4 watts
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 11 This document may be reproduced only in its original entirety, without revision.
Other voltage requirements on the Ax160 are derived from the main power except for the 3V battery backup power source. This battery source is used to maintain the real time clock and to operate the security control unit. The power requirement from the battery is approximately 2.7 milliwatts. The server consists of two 460 Watt power supplies for full power redundancy. Power distribution unit and AC power cords are provided by HP to attach the power supplies to a power distribution unit or to an AC power source, respectively. The table below provides the power supply specifications for the 460 W power supplies.
Table 4 Power Specifications for the Server
Refer to the Ax160 Install and Operations Guide for additional power requirements.
2.3. Supported Algorithms
The Loader includes these FIPS-Approved algorithms, implemented in firmware: Algorithm Certificate # SHA-256 1194
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 12 This document may be reproduced only in its original entirety, without revision.
AES (encrypt, decrypt; ECB and CBC modes; 256-bit keys only) 1305 AES CCM (decrypt, 256-bit keys) 1311 ANSI X9.31 RNG 728 RSA (signature verification; 1024-bit and 4096-bit keys) 625
Table 5 Loader supported Algorithms The Personality includes the following approved and tested algorithms: Algorithm Algorithm Testing AES (encrypt, decrypt; CBC mode; 128-, 192-, 256-bit keys) Passed AES CMAC (generate; 128-, 192-, 256-bit keys) Passed 3DES (encrypt, decrypt; ECB, CBC, 8-bit CFB, 64-bit CFB, and OFB) Passed RSA (sign, verify, encrypt, decrypt; 1024-4096-bit key) Passed NIST SP 800-90 CTR_DRBG Passed SHA-1 Passed SHA-256 Passed
Table 6 Personality supported Algorithms The Personality algorithms were tested using the NIST CAVS tool.
3. Self-Tests There are a number of self-tests performed by the Ax160.
3.1. Power-Up Self-Tests
Loader
1. System Integrity Test: CRC-32 test of Boot and Loader code. 2. Firmware Integrity Test: The integrity of the Loader is verified at startup by checking a 1024-bit
RSA signature. 3. The cryptographic functions are all tested at startup using known answer tests
a. SHA-256 b. AES – ECB and CBC modes (encrypt, decrypt) c. RSA (4096-bit signature verification) d. ANSI X9.31 RNG e. AES – CCM mode (decrypt only)
4. Critical Functions Tests: a. DRAM test b. Key Integrity Check: All keys are stored with integrity check digits, and those check
digits are verified whenever the key is retrieved by the Loader for use. All clear text key values are destroyed immediately after use.
Personality
1. Personality Integrity Test (includes Kernel): The integrity of the Personality is verified by the Loader during Personality Load and when issuing the Go command. In addition, during
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 13 This document may be reproduced only in its original entirety, without revision.
initialization two CRC-32 tests are performed to verify the Personality; these tests are also performed once-a-day and on-demand.
2. Known Answer Tests a. AES – CBC mode (encrypt, decrypt) b. AES – CMAC (generate only) c. 3DES – ECB, CBC, 8-bit CFB, 64-bit CFB, and OFB modes (encrypt, decrypt) d. RSA (encrypt and decrypt) e. RSA (signature generation and verification) f. SHA-1 and SHA-256 g. SP 800-90 DRBG
3.2. Conditional Self-Tests
Loader
1. Continuous RNG Test 2. Firmware Load Test: This is a series of tests used to validate the integrity of the Personality
when it is loaded into the ACS. These tests include CCM for secure and authenticated key transport, Signature test (RSA 4096-bit modulus with SHA-256), AES-256 file decryption, and CRC-32.
3. Critical Functions Tests: a. Key Integrity Check: All keys are stored with integrity check digits, and those check
digits are verified whenever the key is retrieved by the Loader for use. All clear text key values are destroyed immediately after use.
b. “go” command Personality start validation: The “go” command is authenticated using a 1024-bit signature. Following this, the Personality is validated with CRC-32, then decrypted using AES-256, then validated again using SHA-256 prior to passing control to it.
Personality
1. Continuous RNG Test: a. Hardware RNG b. DRBG
2. RSA Pairwise Consistency Test
3.3. Periodic Self-Tests
The Personality allows the power-up self-tests to be performed periodically. To setup the once-a-day self-tests, the DIAGTEST_TIME parameter in the config.prm file needs to be set to a six digit value (HHMMSS). This value specifies the time when the once a day self-tests are performed.
3.4. On-Demand Self-Tests
The Ax160 allows self-tests to be performed on operator demand. These self-tests are identical to the power-up self-tests.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 14 This document may be reproduced only in its original entirety, without revision.
Loader The following commands can be used to perform the on-demand self-tests:
1. Test_aes – tests the AES cryptographic engine 2. Test_ccm – tests the CCM mode of operation of the AES algorithm 3. Test_rng – tests the RNG using a fixed key, beginning context, and result 4. Test_sha – tests the SHA-256 cryptographic engine 5. Test_signature – tests the signature computation algorithm
Note that these self-tests can only be performed when the Loader is running (i.e., prior to loading the Personality). Personality The Personality allows on-demand self-tests to be performed using the Diagtest command <9A#DIAGTEST#Algorithm#RSA Option#> The “Algorithm” field identifies the type of test that will be performed: 0 – All on-demand self-tests 1 – 3DES KAT 2 – DRBG KAT 3 – RSA KAT 4 – MD5 KAT 5 – SHA-1 KAT 6 – SHA-256 KAT 7 – Personality and Kernel Integrity Test 8 – AES KAT “RSA Option” determines if the RSA KAT will be performed when “Algorithm” is set to “0”. The default value for “RSA Option” is “0”. All self-tests, except for the RSA KAT, are performed when “RSA Option” is set to “0”. A non-zero or blank value results in all self-tests to be performed. The NSP also allows on-demand self-tests to be initiated by the SCA. The SCA Crypto Test instructs the NSP to perform all self-tests except for the RSA KAT.
3.5. Self-Test Failures
Loader Failure of any of the self-tests results in an error state. Recovery from the error state requires power cycling. Personality Failure of any power-up, periodic, and on-demand self-tests results in an error state. In this state, all commands, except for the status commands 9A, 1101, 1110, 1120, and 1223, will return the error <00#080012#0717#>. Recovery from the error state requires power cycling. Failure of the RSA pairwise consistency test results in a soft error. Only the affected command will be affected by the error. The Ax160 will create another RSA key pair if the test fails.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 15 This document may be reproduced only in its original entirety, without revision.
Failure of the continuous RNG test results in a soft error. The calling command and other commands that use the random number generator function will return error <00#080012#0716#>. Commands that do not use the random number generator are not affected by the error. Recovery from the error requires power cycling.
4. Rules Rule 1: HP Atalla maintains no databases of device secrets and has no “backdoor access” to customer’s secrets. Rule 2: All functions requiring the use of sensitive data shall be performed within the security area. This rule is enforced by the Ax160 physical design. All the critical circuits and components are within the secure area, which is continuously monitored to detect tampering. Rule 3: All sensitive data shall be zeroized upon tamper detection. Zeroization, when controlled by hardware, is a process that effectively erases the previous content. This rule is enforced by the tamper detection circuits, switches, and the software. Rule 4: Personality software and cryptographic keys, when loaded outside of manufacturing site shall be cryptographically protected. The actual key names and their uses are described in section 7 of this document. Personalities are signed by HP. The corresponding signature keys (i.e., the GSK private key and the PSK private key) remain solely under the control of HP and the knowledge of those keys are not distributed or divulged outside the manufacturer’s control. Rule 5: Clear cryptographic keys in the security area shall never be exported. Rule 6: Keys should be replaced with new keys whenever the compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack elapses as defined in ISO 9564. Rule 7: The Ax160 does not support maintenance and bypass modes. Rule 8: Failure of self-tests result in the Ax160 entering an error state. Rule 9: Power-up self-tests initiated after power up or power cycle do not require input or operator intervention.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 16 This document may be reproduced only in its original entirety, without revision.
5. Services
5.1. Loader Services
The following services provide user authentication and/or cryptographic functionality as well as diagnostics capabilities. The available services depend on the defined roles. Note that these Loader services can only be performed when the Loader is running (i.e., prior to loading the Personality).
5.1.1. Getstatus
Limited status information shall always be available. This command is used to read and display the status of the ACS, such as tamper information, Personality application load status, and mode of operation (Approved versus non-Approved). The status output is broken into four parts: basic status, which customers can use for simple problem diagnosis; network status, for diagnosing network issues; extended status, which is used by HP Atalla for problem analysis; and event status, which is a date-and-time stamped record of all events which have taken place with the ACS, also for use by HP Atalla for problem analysis. There is an optional parameter for basic getstatus service to display the other status information. None of the status information can compromise the security of the Ax160 in any way.
5.1.2. Version
The version command is used to retrieve the Loader name, product type, software version, and build date and time.
5.1.3. Help
The help command simply returns a list of the available commands. Help is context sensitive; i.e., it shows only the commands valid at the current time, so the responses are different in normal, error, and tamper states. It does not provide any syntax help.
5.1.4. Gettime
This command is used to read the contents of the real time clock. The date and time are a 12-character formatted ASCII string with the format: YYMMDDHHMMSS (year-month-day-hour-minute-second).
5.1.5. Getsn
This command reads the value of the serial number field stored in the EEPROM. If the serial number has not been set, an error is returned. The serial number is at most a 15-character ASCII string.
5.1.6. Setnet
This command is used to set the user-manageable network parameters for the unit. These parameters include the IP address, netmask, and gateway for each Ethernet port. The parameters are stored in the
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 17 This document may be reproduced only in its original entirety, without revision.
serial EEPROM. Other network parameters are set either automatically as part of the UDP protocol with the host server or by the factory prior to deployment.
5.1.7. Setport
This command is used to configure the serial port. The port can be configured for all supported data rates and with or without character echo. The valid data rates include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200 bits per second.
5.1.8. Echo
The echo command is used to test the I/O connection to the Loader.
5.1.9. Self-Tests
Instructions requesting the ACS to perform self-test operations are available. There are individual instructions for testing specific functions, e.g. AES and SHA-256. These tests are identical to the power-up self-tests and are listed in the On-Demand Self-Tests section.
5.1.10. Personality Load
Personality load instructions, when successful, result in updating the flash memory. This service is authenticated as described in section 6.
5.1.11. Go (Start Personality)
The start Personality service passes control from the Loader to the Personality. This service must be authenticated by an operator in the Loader User role.
5.1.12. Zeroize
The zeroize service is not a command. It occurs automatically following any tamper event. An operator can choose to invoke this service by the physical removal of the batteries. This results in the battery low event, which zeroizes non-volatile RAM, and forces the unit into the ALARM state. The time required for the PSMCU to perform the zeroization is less than 500 microseconds from the time of detection. The first half of this time, less than 250 microseconds, is used for the primary CSP erasure, while the second half is used for extended CSP erasure.
5.2. Personality Services
These services can be split into three categories: NSP management/configuration, shareholder services, and banking commands. The first two categories are performed using the Atalla Secure Configuration Assistant (SCA) under dual-control. The banking commands are designed for use in financial environments and use the command-and-response format as described in Section 2.1.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 18 This document may be reproduced only in its original entirety, without revision.
5.2.1. NSP Management
Services include initializing and managing the NSP. These include the creation of a security association, management of key components, NSP Command and Option configuration, audit log management, and updating the firmware. Refer to the SCA User Guide for the complete list of available services.
5.2.2. Shareholder services
Services include the creation of and initialization from shareholder smartcards. Refer to the SCA User Guide for the complete list of Shareholder services.
5.2.3. Banking Commands
The Ax160 supports a number of commands that are available to the Personality User. Standard commands and options are available by default and, if required, can be disabled using the SCA. Premium Value commands and options are disabled by default and need to be purchased prior to enabling them. Utility commands are enabled by default and cannot be disabled. These are status commands and are not security-relevant. Refer to the NSP Atalla Key Block Banking Command Reference Manual for the complete list of available banking commands.
6. Roles
6.1. Loader Crypto-Officer
The Loader Crypto-Officer (LCO) is responsible for the overall security of the Loader Platform. In particular, only an operator in the Loader Crypto-Officer role can load a Personality into the Ax160. The Loader Crypto-Officer is required to be properly authenticated and its authentication mechanism is controlled by the PSK (private key), which is used to sign Personality images. The LCO uses the PSK (private key) to create signed Personality images for download to the unit. The Loader Crypto-Officer authenticates using the PSK.
6.2. Loader User
The Loader User can perform a limited number of the services available on the Ax160. The Loader User is required to be properly authenticated and his authentication mechanism is controlled by the GSK (private key), which is used to sign the ‘go’ command. The Loader User uses the GSK (private key) to sign the ‘go’ command which allows the Loader to exit and start the Personality. The Loader User authenticates using the GSK.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 19 This document may be reproduced only in its original entirety, without revision.
6.3. Personality Security Administrator
The Personality Security Administrator configures and manages the NSP. Configuration changes are only allowed under dual control. The Personality Security Administrator is authenticated by the 1024-bit Smartcard Identity key. This key has a certificate signed by the Atalla Root Authentication Key.
6.4. Personality Shareholder
Limited services are available to the Personality Shareholder. The main purpose of this role is to bring up a clone of a second NSP under dual control. The Personality Shareholder is authenticated by the 1024-bit Smartcard Identity key. This key has a certificate signed by the Atalla Root Authentication Key.
6.5. Personality User
The Personality User can perform the banking commands and options specified in the NSP Atalla Key Block Banking Command Reference Manual. The type of commands and options that are available depends on the Security Policy defined by the Security Administrator.
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 20 This document may be reproduced only in its original entirety, without revision.
6.6. Roles vs. Services Matrix
Acronyms: A – available, √ – unauthenticated command.
Commands / Services Loader
CO Loader
User Personality
Security Administrator
Personality Shareholder
Personality User
Status GetStatus √ √ Version √ √ Help √ √ Gettime √ √ Getsn √ √ Setnet √ √ Setport √ √ Echo √ √
Self-test Test_signature √ √ Test_sha √ √ Test_aes √ √ Test_rng √ √ Test_ccm √ √
Loader Zeroize √ √ Personality Load A
Go (Start Personality) A
NSP Management A Shareholder Services A Banking Commands A
Table 7 Roles vs. Services Matrix
7. Key Management This section identifies all CSPs stored and used in the ACS and the supported key management techniques.
7.1. CSPs
Key Name Algorith
m Size (Bits)
Purpose/ Usage
Stored in Stored as Destroyed
Loader Keys
IMFK AES 256 Encrypting all Loader keys
PSMCU RAM In the clear with ECC bits for error detection
Actively by tamper and passively by
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 21 This document may be reproduced only in its original entirety, without revision.
battery failure
PIMFK (Personality code refers to this as LSK)
AES 256 Encrypting MFK/PMFK, Device Identity Public Keys
PSMCU RAM, Loaded into crypto-hardware key cache register
In the clear with ECC bits for error detection
Actively by tamper and passively by battery failure
LSK Public Key RSA 1024 Verify Loader download signature
Incorporated in Loader image and stored in Flash ROM
Cleartext Only destroyed if replaced with a new LSK as part of Loader replacement
FFK, FFK_IV AES 256 Encrypting Personality stored in flash
Flash ROM Encrypted by IMFK
When the IMFK is destroyed (as a result of IMFK zeroization) or when a new Personality image is downloaded
PSK Public Key RSA 4096 Loader Crypto-Officer authentication key. Verify image download signature
Incorporated in Loader image and stored in Flash ROM
Encrypted by IMFK
When the IMFK is destroyed (as a result of IMFK zeroization) or replaced with new PSK as part of Loader replacement
PDEK AES 256 Decrypting CCM envelope of image download
Incorporated in Loader image and stored in Flash ROM
Encrypted by IMFK
When the IMFK is destroyed (as a result of IMFK zeroization) or replaced with new PDEK as part of Loader replacement
PRNGK AES 256 PRNG seed General purpose EEPROM
Encrypted by IMFK
When the IMFK is destroyed (as a result of IMFK zeroization)
GSK Public Key
RSA 1024 Loader user authentication key. Verify “go” command signature
Incorporated in Loader image and stored in Flash ROM
Cleartext Only destroyed if replaced with a new GSK as part of Loader replacement
IDFK, IDFK_IV
AES 256 Decrypting download image
Volatile SDRAM
Cleartext and encrypted by PDEK in CCM envelope
Following completion or interruption of the image download
Personality Keys
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 22 This document may be reproduced only in its original entirety, without revision.
Atalla Root Authentication Public Key (1024)
RSA 1024 Signing device identity certs
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Atalla Root Authentication Public Key (2048)
RSA 2048 Signing device identity certs
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Device Identity Public Key (1024)
RSA 1024 Used to establish a secure session between the NSP and the smartcard
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Device Identity Private Key (1024)
RSA 1024 Used to establish a secure session between the NSP and the smartcard
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Device Identity Public Key (2048)
RSA 2048 Used to establish a secure session between the NSP and the smartcard
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Device Identity Private Key (2048)
RSA 2048 Used to establish a secure session between the NSP and the smartcard
Flash ROM Encrypted by PIMFK
When the PIMFK is destroyed (as a result of PIMFK zeroization)
Smartcard Identity Public Keys
RSA 1024 Authenticates the Personality Security Administrator and Shareholder
Volatile SDRAM
Certificate signed by the Atalla Root Authentication key
Erased at end of session
Secure Channel Session Key (encrypt)
TDES 128 Protects the communication between the smartcard and NSP
Volatile SDRAM
Cleartext Erased at the end of session
Secure Channel Session Key
TDES (CBC-
128 Protects the communicat
Volatile SDRAM
Cleartext Erased at the end of session
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 23 This document may be reproduced only in its original entirety, without revision.
(MAC) MAC) ion between the smartcard and NSP
Master File Key (MFK)
TDES 128, 192
Encryption of all user keys
External SRAM / Internal SRAM
Encrypted by PIMFK / Cleartext
When the PIMFK is destroyed (as a result of PIMFK zeroization) and zeroized upon tamper detection
Pending Master File Key (PMFK)
TDES 128, 192
Encryption of all keys used for input/output
External SRAM / Internal SRAM
Encrypted by PIMFK / Cleartext
When the PIMFK is destroyed (as a result of PIMFK zeroization) and zeroized upon tamper detection
User Key Encryption Key (KEK)
TDES 64, 128, 192
Encryption of Working keys
Volatile SDRAM
Encrypted by MFK/PMFK
When the MFK is destroyed
TDES User Keys
TDES 64, 128, 192
Used to encrypt PIN blocks and other types of data
Volatile SDRAM
Encrypted by MFK/PMFK or KEK
When the MFK or KEK is destroyed
DRBGK AES 256 Key used by Personality to run NIST SP 800-90 DRBG
Volatile SDRAM
Cleartext When the unit is powered-off
Table 8 Critical Security Parameters
7.2. Key Management Techniques
The Ax160 supports the following key management techniques:
ANS X9.24 parts 1 and 2 Derived Unique Key Per Transaction (DUKPT) Master-Session ANS TR-31 EMV key derivation techniques – master key derivation and session key techniques that include
tree-based derivation, common session (SU-46), and American Express AS 2805 Country and/or issuer-specific session key derivation algorithms
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 24 This document may be reproduced only in its original entirety, without revision.
7.3. Key Storage
The CSP table above specifies how keys are stored inside the Ax160. Internal (key tables) and external (application/host database) keys are stored encrypted and MACed in accordance with ANS x9.24 part 1. All internal keys are stored encrypted in fixed position with error detection. The root keys cannot be explicitly accessed, modified, or exported and are subject to zeroization during a tamper event. These protection mechanisms protect keys against unauthorized disclosure and substitution and ensure key separation. The Personality Security Administrators and Shareholders are advised to securely store the smart cards required for authenticating to the Ax160.
7.4. PIN Management
The Ax160 meets the PIN requirements specified in PCI HSM requirement A6 by enabling Option 46. Enabling Option 46 limits all standard Atalla PIN translation commands to either ISO-0 or ISO-3 PIN blocks (input and output) and prevents any change of the PAN. Refer to the NSP Atalla Key Block Banking Command Reference Manual for additional guidance.
8. Power On/Off States The Ax160 is idle when there is no external power applied. The following states are the power off states of the Ax160 during this idle condition:
State Description Personality This is a state when Personality application is loaded in Flash
ROM and ready to run. Download Personality
This is a state when actual Personality application download is being performed.
Alarm This is the state after the ACS secure envelope has been active and a tamper attempt has been detected
Table 9 Power off States during Idle Condition
8.1. PSMCU Security State LED Status Indication (Green)
A second LED is used to indicate the state of the PSMCU, which is the security monitoring subsection. This LED is green. The following LED states are defined:
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 25 This document may be reproduced only in its original entirety, without revision.
Underlined values are LED off Bold values are LED on
The states indicated by the PSMCU are shown in the following table:
State or Alarm LED operation (pattern in ms)
Appearance
Secure State, no alarms ON solid ON solid Test State 1000 1000 Slow, regular
blink Secure State, Operating Temperature out of range
200 200 200 1000 2 short blinks
Secure State, Voltage out of range
200 200 200 200 200 600 3 short blinks
Zeroized State 250 250 Fast, regular blink
Software integrity test failure OFF solid OFF solid Table 10 Green LED
8.2. Loader and Personality LED Status Indicator (Amber)
The states indicated by the Loader and Personality are shown in the following table:
State or Alarm LED operation (pattern in ms)
Appearance
NSP is not able to initialize ON solid ON solid Three possible sources for this state:
- The USB drive is not inserted in the Ax160
- The config .prm file is not present on the USB device, or is corrupted
- ACS is unable to initialize
1000 1000 Slow, regular blink
Busy 200 200 200 600 2 short blinks ‘Go’ command failed 600 200 200 200 200 200 1 long followed
by 2 short blinks Zeroized State 250 250 Fast, regular
blink Normal operation if powered on OFF solid OFF solid
Table 11 Amber LED
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 26 This document may be reproduced only in its original entirety, without revision.
9. Secure Operation The Ax160 manuals provide guidance on how to securely setup, configure, and operate the Ax160.
9.1. Initial Setup
The device should be unpacked and inspected according to the Ax160 Install and Operations Guide. Customers are required to inspect the shipping container, compare the packing list with the purchase order, examine the content, and inspect each item (including damaged tamper labels). If damage is evident, notify HP Technical Support immediately. Refer to the Installation and Operations Guide for the Atalla Ax160 for installation and configuration instructions, maintenance information, safety tips, and other information.
9.2. Periodic Self-Tests Configuration
During the initial setup, the Ax160 system image file and config.prm file must be copied to the HP provided USB flash memory device from the CD-ROM that ships with the Ax160. The config.prm file defines the startup, TCP/IP, and log parameters, and is accessed during the Ax160 power on sequence. These parameters must be modified. One of the parameters that need to be added to the STARTUP settings is DIAGTEST_TIME to setup the required periodic self-tests. To set this parameter, DIAGTEST_TIME needs to be set to the value HHMMSS, where: HH = hour (valid values are 00 through 23) MM = minute (valid values are 00 through 59) SS = second (valid values are 00 through 59) The NSP’s system clock is set to Coordinated Universal Time (UTC) and cannot be changed to a local time. The default value is 000000 (midnight UTC time). Refer to the Ax160 Install and Operations Guide for additional information and guidance on the config.prm file.
9.3. Version
The Ax160 model number is located in the lower right corner of the front panel. The Ax160 Hardware Part Number is displayed on the top cover right above the caution label. It is also displayed on the packaging of the server. Once the Personality is running, the software version and PCI mode can be verified by using commands 1101 or 1110, as shown in the examples below: Command:
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 27 This document may be reproduced only in its original entirety, without revision.
<1101#> Response: <2101#HP Atalla A10160-AKB PCI-HSM Version: 1.21, Date: Jun 13 2011, Time: 11:08:03#B021#1#> Command: <1110#> Response: <2110#Axx160, Version: 1.21, Date: Jun 13 2011, Time: 11:15:07#HP Atalla A10160-AKB PCI-HSM Version: 1.21, Date: Jun 13 2011, Time: 11:08:03#B021#1#>
9.4. Log
Security administrators are advised to frequently review the logs. The Ax160 maintains three different types of logs. For the Loader, events are logged to an EEPROM device. These events can only be viewed when the Loader is running (i.e., prior to loading the Personality). The getstatus command can be used to display the events. The Loader EEPROM log cannot be modified or deleted. For the Personality, all Ax160 events are logged in the system log in NVRAM and copied to the USB flash memory device. They are optionally output to the serial port and/or status port. The USB flash memory device is located behind the front bezel and is protected by two pick-resistant locks. The system log cannot be erased without removing the USB drive from the unit. The command <9A#CLEAR_LOG#> closes the current system log on the USB drive, clears the system log that is stored in NVRAM, and then uses the current date and time to create a new system log on the USB flash memory device. The command will not erase the old system log files from the USB device. When removing the USB drive for archiving purposes, the USB drive shall be replaced with another USB drive to avoid potentially losing system log events. To ensure that self-test events are being logged in the system log, the FILE_LEVEL must be set to 4. All dual-control operations are stored in the internal security audit log. The security audit log data is stored in flash memory, which is not physically accessible without tampering the device. All dual-control operations are stored in the internal security audit log. The security audit log can be viewed and managed by the SCA, or viewed remotely if the Ax160 is configured appropriately. The security audit log can only be cleared using dual-control authentication. Refer to the Ax160 manuals for additional information on the supported logging mechanisms.
9.5. Commands and Options
A couple of mechanisms exist to determine the list of enabled and disabled commands and options. The Personality Security Administrator is able to use the SCA to view the list of enabled and disabled commands by going to NSP Management and clicking on NSP Configuration Management. The NSP
HP Ax160 PCI HSM Security Policy Part Number AJ556-9011A
____________________________________________________________________________________ © 2011 Hewlett-Packard Company Page 28 This document may be reproduced only in its original entirety, without revision.
Command Configuration screen contains a list of disabled commands on the left and a list of enabled commands on the right. Similarly, the NSP Option Configuration screen contains a list of disabled options on the left and a list of enabled options on the right. The Personality User can view the list of enabled commands and options by sending command <9A#CONFIG-ON#> and the list of disabled commands and options by sending <9A#CONFIG-OFF#>. When operating in PCI mode, the following commands must not be enabled: 90 and 120 When operating in PCI mode, the following options should be enabled: 46, 48, 49, 4B, 4C, and 4E All other commands and options do not impact the PCI compliance.