Store n Go Corporate Secure FIPS Security Policy

Document Version 1.11

Verbatim Americas LLC
Revision Date: 06/05/2008
May be reproduced only in its entirety (without revision) Copyright Verbatim Americas LLC 2008.
Store n Go Corporate Secure FIPS Security Policy Version 1.1 Revision Date 6/05/08
TABLE OF CONTENTS 1. MODULE OVERVIEW.....3 2. SECURITY LEVEL....3 3. MODES OF OPERATION.....4 4. PORTS AND INTERFACES....5 5. IDENTIFICATION AND AUTHENTICATION POLICY...6 6. ACCESS CONTROL POLICY....7 ROLES AND SERVICES....7 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)...8 DEFINITION OF CSPS MODES OF ACCESS....9 7. OPERATIONAL ENVIRONMENT....10 8. SECURITY RULES.....10 9. PHYSICAL SECURITY POLICY.....11 PHYSICAL SECURITY MECHANISMS....11 10. MITIGATION OF OTHER ATTACKS POLICY...11 11. REFERENCES.....11 12. DEFINITIONS AND ACRONYMS....12

Page 2

1. Module Overview
The Store n Go Corporate Secure FIPS (HW P/N# 8A-SFS-0000-09P, Version A and Version 2; FW Versions 6.600 and 6.612) provides FIPS 140-2 Approved security functionality to the DiskOnKey USB flash drives. The Store n Go Corporate Secure FIPS cryptographic module employs validated Federal Information Processing Standard (FIPS 140-2) encryption and key management functionality to ensure the protection of data stored on external DiskOnKey FLASH memory. The module is a multi-chip embedded cryptographic module, as defined by FIPS 140-2, and consists of the controller and 8k of attached EEPROM. Both components are encased in a hard, opaque, production grade integrated circuit packaging. The cryptographic boundary contains the modules microcontroller, 8k of attached EEPROM, and a single interconnect between the two components. The data connection between the components is encapsulated in epoxy and the PCB on which the components are soldered. No hardware or firmware components of the module are excluded from the requirements of FIPS 140-2.
Figure 1 Store n Go Corporate Secure FIPS Crypto-Processor

2. Security Level

The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2.
Security Requirements Section Cryptographic Module Specification Module Ports and Interfaces Level 2 2

Page 3

Security Requirements Section Roles, Services and Authentication Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC Self-Tests Design Assurance Mitigation of Other Attacks Overall

Level 2 N/A N/A 2

Table 1 Module Security Level Specification

3. Modes of Operation

The Store n Go Corporate Secure FIPS module supports both a FIPS Approved mode and nonApproved mode of operation. In order to place the module into FIPS Approved mode, the operator must successfully open the private area by entering a valid password to authenticate to an authorized Role. NOTE: Drives are configured in manufacturing with a private area and no user writable public area. The initial private area password must be supplied by the user on first application of power to the device after manufacturing. The private area is not functional until the initial private area password has been set. Devices are also configured in manufacturing to disallow creation of a user writable public area after manufacturing. Approved mode of operation In FIPS mode, the cryptographic module only supports FIPS Approved algorithms as follows: AES 256 (ECB) Certificate No. 464 o Data Encryption/Decryption RSA PSS 1024 (Certificate No. 200) o Signature Verification SHA-1 for hashing (Certificate No. 555) AES Key generation Furthermore the Store n Go microcontroller in FIPS mode offers key generation services: For random number generation of all cryptographic keys, the S2 microcontroller employs an implemented deterministic random number generator (DRNG) that is compliant with ANSI

Page 4

X9.31 Appendix 2.4. This DRNG is FIPS Approved and has been issued Certificate #263. Non-Approved Algorithms Seed and seed key for the DRNG will be generated by the S2 NDRNG which is implemented in Hardware. The NDRNG is used in FIPS and non-FIPS mode of operation. RSA Encrypt/Decrypt: This algorithm shall not be used in the FIPS mode of operation.
Non-Approved mode of operation The use of the RSA Encrypt/Decrypt algorithm will cause the module to transition into the nonFIPS Approved mode of operation.

4. Ports and Interfaces

The example cryptographic module provides the following physical ports and logical interfaces:
Physical Port USB port Logical Interface Definition Flash Memory Data input Data output Status output Control input Data input Data output The purpose of the Advanced NAND Flash Controller (ANFC) is to provide interface to the NAND Flash memory (Flash) and the crypto module. This interface supports ISO7816 as well as RS232 which is multiplexed over this physical port. External crystal input. Physical port for external power input. Description The purpose of the USB core is to receive and send the data and control information.

ISO7816 Interface

Data input Data Output Status output Control input Control input Power Input

Clock Power Interface

Table 2 Physical Ports and Logical Interfaces

Page 5

5. Identification and Authentication Policy

Assumption of roles

Type of Authentication Role-based operator authentication
Role Cryptographic Officer
Authentication Data Password Only: The module persistently stores the password hashed and AES encrypted in FLASH, which is outside of the cryptographic boundary. Password Only: The module persistently stores the password hashed and AES encrypted in FLASH, which is outside of the cryptographic boundary. RSA 1024 signature.
Description The Cryptographic Officer has access to the zeroization command. The Cryptographic Officer does not have access to the private User domains. The User has full Access to all services except the zeroize service.

Role-based operator authentication

Firmware Update Officer

The Firmware Update Officers sole responsibility is the external loading of new firmware updates. All firmware is signed by SanDisk.
Table 3 Roles and Required Identification and Authentication
Authentication Mechanism Username and Password
Strength of Mechanism The probability that a random attempt will succeed or a false acceptance will occur is 1/62^4, which is less than 1/1,000,000. The user is locked out after no more than 100 contiguous login failures, therefore the random success rate for multiple retries is 1/62^4 divided by a customer specified number 1001, which is less than 1/100,000.

RSA Signature

The probability that a random attempt will succeed or a false acceptance will occur is 1/2^80, which is less than 1/1,000,000. The module only allows one attempt every 10 seconds. Therefore, the probability that a random attempt will be successful within a one minute period is 6/2^80, which is less than 1/100,000. Table 4 Strengths of Authentication Mechanisms
This is a configuration setting that is set in manufacturing. The maximum number of attempts configurable is 100.

Page 6

6. Access Control Policy
Roles and Services The S2 microcontroller supports three distinct separate Roles, a User, Cryptographic Officer, and Firmware Update Officer. The role selected is explicitly selected during authentication and is determined by the interface used to authenticate. The cryptographic module does not support concurrent operators. The User and Cryptographic Officer roles shall enter a username and its password to log in, whereas the Firmware Update Officer must enter a valid RSA signature. The operator to service mapping is shown below is shown Table 5 below.
Operator User Role Services o o o o Cryptographic Officer Role Firmware Update Officer Unauthenticated Services (No Role) o o o o o Open Private Area: Allows read/write to secure area Close Private Area: Closes Private area to disallow read/write Change User Private Area Password Read/Write Protected Area Zeroize Keys: Zeroizes all FIPS keys Change Cryptographic officer password Externally Load FW: Load RSA signed Firmware. This firmware will only be loaded if the RSA 1024 bit signature is verified. Self-tests: This service executes the suite of self-tests required by FIPS 140-2. Device Reset: Reformats specific Private Area of the User currently selected when the user password can not be remembered. Once this is performed a User must reinitialize the device for their use. All data and keys associated with that particular User Role have been zeroized. CD Emulation: Provides a CD emulation service Get Error status: Provides the operator with the error state indicator Get Version: This allows the operator to retrieve the module versioning information Show status: Provides current module status

o o o o

Table 5 Services Authorized for Roles

Page 7

Definition of Critical Security Parameters (CSPs) The following CSPs are contained within the module:
Key AES default key User Private Area 1 AES key User Private Area 2 AES key Crypto Officer Password User Password DRNG Seed Key DRNG Seed Description/Usage Used to encrypt on-the-fly all data stored on the public area on the flash memory. User AES-256 key to encrypt private data on private area 1. User AES-256 key to encrypt private data on private area 2. Password to authenticate an operator to the Crypto Officer Role. Password to authenticate an operator to the User Role. NDRNG generated output used to seed the Approved ANSI X9.31 DRNG NDRNG output used as the seed into the ANSI X9.31 DRNG Table 6 CSPs
Definition of Public Keys The following Keys are contained within the module:
Key RSA Source Code Integrity public key Description/Usage Used for digital signature source code verification and Firmware Update Officer authentication. Table 7 Public Keys

Page 8

Definition of CSPs Modes of Access Table 8 defines the relationship between access to CSPs and the different module services. The type access to each data object is identical for each role. The modes of access shown in the table are defined as follows: I - Input: the CSP is input into the module. O - Output: the CSP is output from the module. E - Encrypt: The CSP item is used to encrypt plaintext data. D - Decrypt: The CSP is used to decrypt ciphertext data. A Authenticate: CSP is used to authenticate. U Used: Used in the Random Number Generator. Z - Zeroize: the CSP is zeroized. G - Generate: the CSP is generated using the FIPS approved ANSI X9.31 DRNG. L - the CSP is generated using LFSR hardware

User Role

CO Role
Firmware Update Officer Role
Read/Write Protected Area
Change Cryptographic Officer Password

Close Private Area

Open Private Area

Zeroize Keys

Change User Private Area Password

AES default key

User Private Area 1 AES key User Private Area 2 AES key Cryptographic Officer Password User Password

I, O, G*

I, A, Z

DRNG Seed Key

DRNG Seed
Table 8 Services to CSP Access mapping
* Generated only if it does not currently exist

Page 9

Externally Load FW
7. Operational Environment
The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the module has a limited operational environment.

8. Security Rules

The Store n Go Corporate Secure FIPS modules design corresponds to the cryptographic modules security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 2 module. 1. The cryptographic module shall provide three distinct operator roles. These are the User role, Cryptographic-Officer, and Firmware Update Officer roles. 2. The cryptographic module shall provide role-based authentication. 3. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services. 4. The cryptographic module shall perform the following tests: A. Power up Self-Tests: 1. Cryptographic algorithm tests: a. AES Known Answer Test b. SHA-1 Known Answer Test c. RSA Pairwise Consistency Test d. DRNG Known Answer Test 2. Firmware Integrity Test (RSA 1024 signature verification) Conditional Self-Tests: 3. Continuous Random Number Generator (RNG) test a. Non Approved HW RNG. b. Approved RNG ANSI X9.31 Appendix 2.4 4. Firmware load test RSA signature verification of externally loaded code. 5. The operator shall be capable of commanding the module to perform the power-up selftest at any time by power cycling the module. 6. Prior to each use, the internal RNG shall be tested using the conditional test specified in

Page 10

FIPS 140-2 4.9.2. 7. Data output shall be inhibited during key generation, self-tests, zeroization, and error states. 8. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. The RSA Encrypt/Decrypt algorithm shall not be used in the FIPS mode of operation. Use of this algorithm will cause the module to transition into the non-FIPS mode of operation.
9. Physical Security Policy
Physical Security Mechanisms The example multi-chip embedded cryptographic module includes the following physical security mechanisms: Production-grade components (S2, EEPROM). Data path between S2 and EEPROM is completely covered by epoxy and has no vias. Opaque Epoxy encapsulation of all components within the boundary.

The operator should on a periodic basis visually inspect the module to determine if it has been compromised. The epoxy and PCB should not show any evidence of tampering including scratches, chips, and holes.
10. Mitigation of Other Attacks Policy
The module not has been designed to mitigate attacks not addressed by the security requirements of FIPS 140-2.

11. References

Reference Number [1] [2] [3] [4] Reference Title
FIPS PUB 140-2, Security Requirements for Cryptographic Modules / National Institute of Standards and Technology (NIST), May 2001 PAN ASIC Top-Level Specification Version 0.2 / M-Systems, March 2005 PKCS#1: RSA Encryption Standard v1.5, November 1993 / RSA Laboratories, http://www.rsasecurity.com/rsalabs/pkcs ANSI X9.31-1998: Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA) / American Bankers Association, 1998

Page 11

12. Definitions and Acronyms
AES Advanced Encryption Standard CSP Critical Security Parameter DRNG Deterministic Random Number Generator ECB Electronic Code Book FIPS Federal Information Processing Standard NDRNG Non-deterministic Random Number Generator RNG Random Number Generator RSA Rivest, Shamir and Adleman Algorithm SHA Secure Hash Algorithm

Page 12

Store n Go Corporate Secure
Designed for the information security and regulatory compliance needs of the corporate enterprise market, Verbatims Store n Go Corporate Secure USB drive ves provide a secure means to transport sensitive company data, and mitigate the nancial and legal risk of lost or stolen data. Store n Go Corporate Secure USB d drives active security features safeguard all device contents, removing the risk of dependence on users to take precautions to protect company data. With the mandatory protection of a strong password, all data is secured from d i f d ll d i df unauthorized access. Security measures include 256 bit AES hardware data encryption, password hashing algorithm, and a hack-resistant password entry entr try r that foils unauthorized attempts to gain access. Optimized for maximum performance, Store n Go Corporate re Secure USB drives offer read and write speeds of up to 160X te (24MB/sec) and 133X (20MB/sec) sec). e
Security Features Mandatory User Logon - Complex Password Required - 6 - 16 characters 256-bit AES Hardware Encryption SHA-1 Password Hashing Algorithm Device Locks Down After 10 Failed Logon Attempts 100% of Files Are Password Protected Performance Up to 24MB/sec Read (160X) Up to 20MB/sec Write (133X) Additional Features Owner Identity Feature Device Can Be Centrally Managed Compatibility Windows 2000 SP4, XP, Server 2003, Vista Warranty Limited Lifetime Corporate Secure 1GB - 95399 2GB - 95400 4GB - 95401 8GB - 96718

www.verbatim.com

Stock # 28-0003 Specications subject to change without notice (6/2008) 2008 Verbatim Americas, LLC. Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective holders. 1MB = 1,000,000 bytes / 1GB = 1,000,000,000 bytes. Some of the capacity is used for formatting and other functions, and thus is not available for data storage. As a result, your operating system may report as fewer megabytes (gigabytes)