Cryptosec Dekaton Administrator Guide
Revision: 12.9.3128
Date: 11/08/2017
Chapter 1
Introduction
Chapter 2
Cryptographic Module
Installation
Cryptosec Dekaton is a PCI Express x8 board that can be accessed through the PCIe interface
as well as through one of the Ethernet ports available on it.
In order to operate, the Cryptosec Dekaton must be installed inside an appliance with a free x8
PCIe slot and a properly installed smart card reader.
Debian 8 shall be installed on the appliance. This OS is used to install and run the services
that bridge the client consuming the Cryptographic Module's functionalities and the Cryptographic
Module itself, managing the incoming connections.
See the picture below to locate each port:
2.2 Console
The Cryptographic Module presents a local console. This console is used in the Cryptographic
Module’s initialization and in the Cryptographic Module’s administration.
The local console can be established by different means.
Note: The console's contents are the same regardless of the communication channel used.
The Cryptographic Module is delivered with a standard USB to mini USB cable. Plug the mini
USB end into the mini USB connector of the Cryptographic Module and the USB end into any
device that emulates an ANSI VT-100 terminal.
ANSI VT-100 is the protocol used for serial communication with the Cryptographic Module.
The device connected at the USB end must implement this protocol to accept VT-100 commands.
Serial port settings for this device must be:
• 8 bits
• No parity
• 115200 bps
• No control flow
2.2.2 SSH Console
Connect one of the Ethernet ports of the Cryptographic Module to the Ethernet port of the SSH
client device. The device’s Ethernet port is to be configured as 169.254.1.5/30.
ssh-keygen -t ecdsa -b 521 -f ssh_client.key -C "Put your convenience comment here"
Note: The SSH access is only available in NIST FIPS PUB 140-2-Approved mode.
• Banner
• Menu options
Below the banner, the options available in the current menu are presented. The whole set of
options is described in the following chapters.
To move through the console, the cursor keys can be used, as well as the "TAB" key to jump to
the next field or the "ESC" key to exit and return to the previous screen. Pressing the space
bar places a check mark on one of the options within the same field.
Chapter 3
This chapter describes module administration using different types of smart cards and their
operations.
All information on the cards is protected using an 8-character ASCII code called the PIN. Any
printable ASCII character is valid. The Cryptographic Module will request the PIN before
accessing the protected data.
The card holder has three consecutive attempts to enter the correct PIN. Otherwise, the
card will be blocked indefinitely.
The Shamir shared secret scheme allows defining the number of cards (m) necessary to recover
the secret shared among a total of n cards.
In other words, to retrieve the secret it is necessary to use 'm' of the 'n' cards from a specific
set of cards. The input order and which cards are used are irrelevant. Nevertheless, a card can
only be used once within a specific process.
The maximum value for 'n' is eight and the minimum for 'm' is two; 'm' must be less than or
equal to 'n'.
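The m-of-n scheme described above, as an added example in Go that is not part of this guide or of Realsec's implementation: a Shamir split and recovery over GF(2^8) that enforces the stated bounds (m >= 2, n <= 8, m <= n), accepts the cards in any order and refuses a card presented twice in the same process. The Share layout, the function names and the choice of GF(2^8) are this example's assumptions; the guide does not describe how the module encodes its shares.

```go
package main

import "crypto/rand"
import "errors"

// gfMul multiplies in GF(2^8) modulo x^8+x^4+x^3+x+1 (the AES field);
// addition and subtraction in this field are both XOR.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		hi := a >> 7       // 1 when a*x overflows the byte
		a = a<<1 ^ 0x1b*hi // multiply by x, reduce if needed
	}
	return p
}

// gfInv finds a^-1 by search; GF(2^8) is small enough for that.
func gfInv(a byte) byte {
	for b := 1; b < 256; b++ {
		if gfMul(a, byte(b)) == 1 {
			return byte(b)
		}
	}
	return 0
}

// Share is what one card would hold (hypothetical layout): index x in 1..n, threshold m, y bytes.
type Share struct {
	X byte
	M int
	Y []byte
}

// Split divides secret among n cards so that any m of them recover it;
// the bounds (m >= 2, n <= 8, m <= n) are those stated in section 3.2.
func Split(secret []byte, m, n int) ([]Share, error) {
	if m < 2 || n > 8 || m > n {
		return nil, errors.New("require 2 <= m <= n <= 8")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), M: m, Y: make([]byte, len(secret))}
	}
	coef := make([]byte, m-1) // random polynomial coefficients, fresh per byte
	for k, s := range secret {
		if _, err := rand.Read(coef); err != nil {
			return nil, err
		}
		for i := range shares { // y = s + c1*x + ... + c(m-1)*x^(m-1)
			y, xp := s, byte(1)
			for _, c := range coef {
				xp = gfMul(xp, shares[i].X)
				y ^= gfMul(c, xp)
			}
			shares[i].Y[k] = y
		}
	}
	return shares, nil
}

// Combine recovers the secret from at least m distinct shares (any order)
// by Lagrange interpolation at x = 0; a card presented twice is rejected.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 || len(shares) < shares[0].M {
		return nil, errors.New("fewer than m cards presented")
	}
	seen := map[byte]bool{}
	for _, s := range shares {
		if seen[s.X] {
			return nil, errors.New("card already used in this process")
		}
		seen[s.X] = true
	}
	use := shares[:shares[0].M]
	out := make([]byte, len(use[0].Y))
	for k := range out {
		var acc byte
		for i, si := range use { // L_i(0) = prod_{j!=i} x_j / (x_j - x_i)
			num, den := byte(1), byte(1)
			for j, sj := range use {
				if i != j {
					num = gfMul(num, sj.X)
					den = gfMul(den, sj.X^si.X)
				}
			}
			acc ^= gfMul(si.Y[k], gfMul(num, gfInv(den)))
		}
		out[k] = acc
	}
	return out, nil
}
```

Fewer than m cards yield an error rather than a wrong secret only because each share carries m; a set built without that field would silently interpolate garbage, which is why the threshold must travel with the cards or be known to the module.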
1. Administrator
2. Master Keys
3. Custodian
The Administrator cards keep a secret (administrator ID) that allows the transition from pro-
duction state to authorization state. Generally, this means the cards identify the set of system
administrators.
Administrator ID is stored under the Administrator cards set with a Shamir sharing scheme as
described in section 3.2.
The Master Keys cards keep the Cryptographic Module’s Master Keys that determine the value
of the keys that are used to protect the operating keys in the system.
Cryptographic Module’s Master Keys are stored under the Master Keys cards set with a Shamir
sharing scheme as described in section 3.2.
Several Cryptographic Modules that have the same Master Keys are indistinguishable in network
operations because they all can share and work with the same operation keys.
A Custodian card identifies a specific custodian to the system. Thus, a custodian can import or
export key components to the Cryptographic Module.
The Cryptographic Module can associate simultaneously a maximum number of eight custodians.
The custodian cards also contain other information about the card holder that was provided
when the cards were signed up, such as the card holder's identification string, called the login.
The login is composed of 8 ASCII characters. Any printable ASCII character is valid.
Chapter 4
Initialization
When the Cryptographic Module is in Initialization state, the options shown will look like the
following picture.
The option 'A' in the menu performs module initialization. The initialization wizard guides
the Cryptographic Module's initialization, avoiding the introduction of incorrect data.
Figure 4.2: Initialization wizard
Current date, hour and location are to be entered as shown in the following picture.
Figure 4.3: Setup Server Time & Date
The current parameters can be changed by clicking on ”Edit”, keeping in mind that:
This will configure the Cryptographic Module to work under a certain product. Currently, they
imply:
– LMK17 is the CMM THALES 1 in Non-Approved mode and NIST FIPS PUB 140-
2-Approved mode, for backwards compatibility.
– LMK17 is the CMM PASSWORD ENCRYPTION KEYS in PCI PTS HSM v2.0-
Approved mode.
Once the Cryptographic Module is fully initialized this option cannot be changed later on.
4.1.4 Setup SmartCards Communication Key - SCCK
SCCK stands for Smart Card Communication Key. It is used to assure the integrity and
confidentiality of the information exchanged between the Cryptographic Module and a given
smart card. Therefore the SCCK must be loaded in the Cryptographic Module and in every smart
card in order for them to communicate.
This operation sets up (creates or loads) a new SCCK on the Cryptographic Module.
Please do not confuse the SCCK with the batch key defined in 4.1.5.
If this is the first Cryptographic Module of a future Realsec Cryptographic Modules farm, select
the "Generate" option in order to create the SCCK internally.
Once the SCCK has been generated, the Cryptographic Module will show it divided into the
selected number of components.
Enter the number of components into which the SCCK is going to be split.
Figure 4.7: Split key into components
Every component and its check value is shown on the screen and must be written down by its
custodian. Pressing the "Accept" button shows the following component; the whole process
can be cancelled by clicking on "Refuse".
If this is not the first Cryptographic Module of a future Realsec Cryptographic Modules farm,
choose the "Load" option in order to enter the components of the SCCK returned by the first
Cryptographic Module when the "Generate" option was selected.
Figure 4.9: Setup Smart Cards Communication Key - Load
Enter the number of parts of the split SCCK (it must be equal to the number of custodians who
will enter a component).
Each custodian must type in their part of the SCCK. If the KCV (Key Check Value) has been
filled in, the Cryptographic Module will verify it. If the Cryptographic Module accepts the KCV,
the next custodian will be allowed to fill in their key part; otherwise the key component must be
typed in again.
Figure 4.11: Load custodian key part 1 of 2
Alternatively, the KCV can be left blank and the Cryptographic Module will calculate it and
show it on the screen.
The calculated KCV is shown on the screen, and it has to match the KCV that every
custodian must have written down.
Figure 4.13: Computed KCV 2 of 2
In both cases, at the end of the process, the SCCK Check Value is shown on the screen and it
has to be written down in order to be checked.
Adds new smart cards into the Cryptographic Module's Security Environment. Every smart card
set or every single smart card sent by Realsec comes along with a batch key. This batch
key is replaced by the SCCK already loaded in the Cryptographic Module, on a per smart
card basis. This process is called Enrollment.
Note that, for security reasons, the previous contents of the smart card(s) are deleted as part of
the process.
Please do not confuse this process with the Update process described in 6.9.2; nor the batch key
with the SCCK key defined in 4.1.4.
The batch key must be loaded into the Cryptographic Module as a first step.
Once the batch key is loaded, the enrollment is performed by clicking on "Update"
and inserting every brand new smart card.
Every card holder must enter the PIN of the inserted smart card.
Next step during the initialization process is the establishment of the Cryptographic Module’s
administrator.
Figure 4.19: Add administrator
Choosing the "Read" option starts a sequence of readings of the Administrator smart cards of
an existing set.
The number of cards to be read depends on how many were specified when that set of
cards was recorded, and it will be known right after the first card has been read.
Otherwise, if a new Administrator needs to be created, the 'm' and 'n' values of the
administrator secret must first be specified as described in section 3.2.
Figure 4.21: Setup an administrator
The new administrator credential will be split into the 'n' specified parts and a sequence of 'n'
Administrator smart card writings will take place.
Every Administrator card holder must enter the PIN of their smart card.
At the end of the process in both cases ("Create" and "Read"), an Administrator will be loaded
into the Cryptographic Module's Security Environment.
Figure 4.23: Information message
Next step during the initialization process is the establishment of one or several application users.
Up to eight users can be defined. They are identified by means of a name and a password. Both
are to be formed by eight printable characters.
This option adds a user to the Cryptographic Module's Security Environment. The maximum
number of users is eight. The Cryptographic Module will ask for a user name and password
(alphanumeric character set) and for the password confirmation.
Figure 4.25: Add new application user
IMPORTANT: For all products except the PKCS#11 one, the Username and Password fields must be
filled in with AUTO-LOG.
This option lists the users so one of them can be selected in order to edit a user’s name and/or
password. The operation requires confirmation.
Figure 4.27: Edit the selected application’s user
This option lists the users so one of them can be selected in order to be deleted. The operation
requires confirmation.
Figure 4.29: Confirm application’s user deletion
Read 6.4.
The Cryptographic Module needs Master Keys in order to be completed and ready to work.
Generate Master Keys Internally The Cryptographic Module generates random Master
Keys and saves them into a Master Keys cards set. The 'm' and 'n' values (read 3.2) must be set,
and after clicking on "Generate" a sequence of 'n' Master Keys smart card writings will
begin.
Figure 4.31: Generate internal master keys
Import from Master Keys Cards The Cryptographic Module will read the Master Keys
from an already created Master Keys smart cards set.
Figure 4.33: Load Master Keys from cards
Load Test Master Keys The Cryptographic Module uses all-zero Master Keys (test
keys). As these keys are known, they shall only be loaded for testing
purposes.
Figure 4.36: Test key loading
Load External Master Keys Shares If the components of the TDES3 Master
Key come from an external source, as in a migration from Cryptosec to Cryptosec Dekaton, they
can be loaded using this option. The AES Master Key is still internally generated and written
to a Master Keys Cards set.
Figure 4.38: Master Key external loading
The Cryptographic Module will ask for "n" components to be loaded. Each component must be
48 hexadecimal digits.
The four ways to generate or load valid Master Keys in the Cryptographic Module end with
a final confirmation screen.
Figure 4.40: Generated Master Keys
If previous Master Keys were loaded into the Cryptographic Module, they can be kept and marked
as "Old Master Keys" to be used for key translation purposes.
At the end of the Master Key external loading process, the Cryptographic Module will ask for
the smart cards on which to store the already loaded Master Key, following the same process as in 4.1.9.
• NIST FIPS PUB 140-2-Approved mode: NIST FIPS PUB 140-2 Level 3 + EFP security
constraints are enforced.
• PCI PTS HSM v2.0-Approved: PCI PTS HSM v2.0 Controlled Environment security con-
straints are enforced.
Figure 4.41: Set Approved Operation Mode
Be aware of every security constraint related to the selected mode before accepting to work with it.
Once the Cryptographic Module is fully initialized this option cannot be changed later on.
This option allows writing the client's SSH public key in order to reach the console remotely. Read
section 2.2.2.
4.1.12 Test
4.2 Test
With this option, the Cryptographic Module performs a self-test to check the processing units.
If this option is selected, the module will run an internal test, printing the result on the screen.
• Module ID: HSM unique identification byte string. There is a bijective relationship between
the Module ID and the Module serial.
• FW version: HSM software version string.
• SW version: Host software version string.
• Host serial: Host unique serial number if the Hardware Security Module is plugged into a
Realsec appliance.
• Module serial: HSM unique serial number if the HSM is plugged into a Realsec appliance.
This is the serial number printed in the HSM sticker. There is a bijective relationship
between the Module serial and the Module ID.
• Firmware: Certified with smartcards.
• Operation mode: Non-Approved mode, NIST FIPS PUB 140-2-Approved mode or PCI
PTS HSM v2.0-Approved mode.
Restarts the Cryptographic Module as well as the host it is plugged into.
Figure 4.45: Restart Cryptosec system
Turns off the Cryptographic Module as well as the host it is plugged into.
Chapter 5
Production
When the module is in Production mode, the console will display the following menu.
An Administrator authentication must be granted by presenting 'm' of the 'n' cards that belong to
the same set of Administrator cards.
If the authentication is granted, the Cryptographic Module will pass into Authorization mode.
5.3 Restart System
5.5 Test
Chapter 6
Authorization
The Authorization mode gives access to the Cryptographic Module's administrative functions.
Therefore, Administrator authentication is mandatory to enter this mode.
To exit from the Authorization state, press the "ESC" key and confirm the action.
Figure 6.2: Go back to production mode
6.1 Module
This option gives the opportunity to perform Cryptographic Module’s administrative functions.
6.1.1.1 Load/Change Master Keys
After the authentication of the Administrator, the process to update the Master Keys is the one
described in section 4.1.9.
Export to Master Keys cards Saves the current Master Keys into a Master Keys cards set,
as described in Generate Master Keys Internally in section 4.1.9.
Be sure every working key in the database has already been translated from the
old Master Keys to the new Master Keys before using this option.
Retrieves the check value of the current Cryptographic Module’s Master Keys.
Figure 6.6: Master Keys CV
Retrieves the check values of the old Cryptographic Module's Master Keys that were replaced
when the current Master Keys were loaded. If there are no old Master Keys, this command
will fail.
This option allows changing the terminal's baud rate. The command presents the current
value and a list of possible values. Once a new value is set, the terminal's communication
speed must be changed to the same value.
Figure 6.8: Serial Port Settings
6.1.6 Test
6.3 Custodians
Manages the Cryptographic Module's custodians. Custodians are usually the people who keep a
key component safe.
This option adds a custodian to the Cryptographic Module's Security Environment. The maximum
number of custodians is eight. The Cryptographic Module will ask for the custodian name, of
8 ASCII characters. Any printable ASCII character is valid.
The custodian's name, among other information, will be written to the card after PIN authentication.
Figure 6.11: Write custodian card
The card holder of a previously created custodian card can be enrolled into the Cryptographic
Module's Security Environment.
Figure 6.13: Import custodian
The Cryptographic Module will read its information and add the custodian identification to
the system. In the picture below, a custodian card holder with the user name "custodi2" is
properly imported into the system.
Figure 6.15: Information message
Lists and deletes custodians from the Cryptographic Module. The custodian's identification must
be selected before clicking on "Delete".
Figure 6.17: Confirm message
This command is used for fraud detection. When the counter reaches the attack limit value of
PIN verification failures, the Cryptographic Module will stop verifying PINs, because it could
mean that someone is trying to recover a clear PIN by brute force.
Figure 6.19: PIN Risk Management - PIN Unblock
PIN Verify State. It shows whether the Cryptographic Module can verify PIN blocks (ACTIVE)
or is blocked by the fraud detection (DISABLE).
PIN Try Counter. It shows the current PIN verification attack counter. Set this value to 0
to reset the fraud detection or to unblock the PIN verification commands.
Set PIN Verification Attack Limit. It sets the limit of the PIN verification attack counter.
Once the counter exceeds this limit, the Cryptographic Module will block the PIN verification
command. The value must be between 0 and 99999, and the default value is 99999.
Set PIN Verification Attack Failure Delta. It sets the value by which the verification attack
counter is increased each time the verification of a PIN fails. This parameter can be between
0 and 99999, and the default value is 0.
Set PIN Verification Attack Success Delta. It sets the value by which the verification attack
counter is decreased each time the verification of a PIN succeeds. This parameter can be
between 0 and 99999, and the default value is 0.
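The counter rules of this section, as an added example in Go that is not the product's firmware: a model of the PIN Verify State, PIN Try Counter, attack limit and the two deltas, showing when verification flips to DISABLE and how setting the counter to 0 restores it. The type and method names are this example's own, a clear-PIN comparison stands in for the module's PIN-block verification, and clamping the counter at 0 is an assumption the guide does not state.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// ErrPinVerifyDisabled is returned while the PIN Verify State is DISABLE.
var ErrPinVerifyDisabled = errors.New("PIN verification blocked by fraud detection")

// PinRisk models the PIN risk management parameters of this section
// (type and method names are this example's, not the product's).
type PinRisk struct {
	Limit        int  // Set PIN Verification Attack Limit, 0..99999 (default 99999)
	FailureDelta int  // added to the counter on each failed PIN verification (default 0)
	SuccessDelta int  // subtracted from the counter on each success (default 0)
	Counter      int  // PIN Try Counter
	Blocked      bool // PIN Verify State: false = ACTIVE, true = DISABLE
}

// NewPinRisk returns the defaults the guide states for a freshly initialized module.
func NewPinRisk() *PinRisk { return &PinRisk{Limit: 99999} }

// inRange enforces the 0..99999 range shared by all three parameters.
func inRange(v int) error {
	if v < 0 || v > 99999 {
		return errors.New("value must be between 0 and 99999")
	}
	return nil
}

func (p *PinRisk) SetLimit(v int) error {
	if err := inRange(v); err != nil {
		return err
	}
	p.Limit = v
	return nil
}

func (p *PinRisk) SetFailureDelta(v int) error {
	if err := inRange(v); err != nil {
		return err
	}
	p.FailureDelta = v
	return nil
}

func (p *PinRisk) SetSuccessDelta(v int) error {
	if err := inRange(v); err != nil {
		return err
	}
	p.SuccessDelta = v
	return nil
}

// ResetCounter is the "set PIN Try Counter to 0" action: it clears the
// counter and unblocks the PIN verification commands.
func (p *PinRisk) ResetCounter() {
	p.Counter = 0
	p.Blocked = false
}

// Verify wraps a PIN comparison with the counter rules. Comparing clear
// PINs stands in for the module's PIN-block verification (assumption);
// the counter never drops below 0 (assumption, not stated in the guide).
func (p *PinRisk) Verify(stored, presented string) (bool, error) {
	if p.Blocked {
		return false, ErrPinVerifyDisabled
	}
	ok := subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
	if ok {
		p.Counter -= p.SuccessDelta
		if p.Counter < 0 {
			p.Counter = 0
		}
		return true, nil
	}
	p.Counter += p.FailureDelta
	if p.Counter > p.Limit { // "once the counter exceeds this limit"
		p.Blocked = true
	}
	return false, nil
}

func main() {
	p := NewPinRisk()
	_ = p.SetLimit(3)
	_ = p.SetFailureDelta(2)
	for i := 0; i < 3; i++ {
		_, err := p.Verify("1234", "0000") // constructed PINs
		println(p.Counter, p.Blocked, err == nil)
	}
}
```

With the default deltas of 0 the counter never moves, so the fraud detection stays inert until a failure delta is configured alongside the limit.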
6.4.2 Set Enabled PINBlocks
This option indicates which PIN block formats the Cryptographic Module is enabled to work
with.
This option indicates if the system will allow PIN translations from/to ISO1/ISO3 with PAN
change; it will also allow translations to ISO2 from ISO PIN blocks.
6.4.4 Set Realsec1’s PIN block length
Set the Realsec1's PIN block length, which must be the real PIN's length plus one. For instance, if
the PIN the Cryptographic Module has to work with is 4 digits long, Realsec1's PIN
block length must be set to 5, which is the default value.
This option sets the usage of encrypted decimalization tables. If it is enabled, the use of
encrypted decimalization tables is forced in all commands that take a table as a parameter.
By default, this option is DISABLED, which means the module only works with clear text tables.
6.4.6 Import Decimalization Table
This option is used for importing decimalization tables into the Cryptographic Module. The
imported tables will later be used by some of the network commands, if the Cryptographic
Module is properly set up to use "Encrypted Decimalization tables". Read section 6.4.5.
If the Cryptographic Module is not configured to operate in this mode, this command will fail.
The decimalization table to type in must be 16 decimal digits; after clicking on "Import", the
Cryptographic Module will return the table:
Figure 6.25: Encrypted Decimalization Table within Container v0
Figure 6.27: Encrypted Decimalization Table within Container v1
If the decimalization table to be imported does not meet the minimum requirements to be
considered a secure decimalization table, the Cryptographic Module will pop up an alert message.
This option performs administrative tasks on DES and AES keys.
Figure 6.29: Symmetric keys menu
LMK It must be between 01 and 99 and the value to fill in will depend on its future usage.
The available values can be found in the Key Usage table at the Command Operative manual.
Store Key in Cryptographic Module If this option is checked, the generated key will be stored
inside the Cryptographic Module's memory and a key handle will be shown.
Key output settings Even if the key is going to be stored inside the Cryptographic
Module's memory, it can also be returned for external storage (encrypted or as components).
Print key components The key components will be printed out through a printer connected
directly to the Cryptographic Module.
Depending on the "Operation mode" and the options selected, the Cryptographic Module will
pop up error screens for configurations that are not permitted.
If "Store inside Cryptographic Module" is selected, a key handle or index and its KCV will be
returned before the command finishes.
Figure 6.32: Cryptographic Module key handle - Internal key storage
If the key is not stored inside the Cryptographic Module, the cryptogram of the key (encrypted
under the corresponding LMK) will be shown with its KCV, according to the encryption version
selected.
Figure 6.34: Encrypted key - External V1 key encryption
If the "components" output format is chosen, the system will ask for the number of custodians to
whom the key components are going to be shown.
Figure 6.36: Authenticate custodian 1 of 2
Each component and its KCV will appear on the console and can be written down before clicking
on "Accept" or "Refuse".
Figure 6.38: Import symmetric key components
Key Type Select one of the key types to import, DES or AES Key.
LMK It must be between 01 and 99 and the value to fill in will depend on its future usage.
The available values can be found in the Key Usage table at the Command Operative manual.
Output Key options As the result of the process, the Cryptographic Module will return:
• In Cryptographic Module: Key handle or index of the key inside the Cryptographic
Module.
Clicking on "Load", the process starts by asking for the number of custodians who have to load the
key.
Figure 6.39: Number of custodians
Each custodian must type its component and the KCV (optional) and select ”Continue”.
Figure 6.41: Load custodian key part 1 of 2
If the custodian is authenticated, the Cryptographic Module calculates the KCV and matches it
against the one typed in, if it was provided, or returns it in order to be accepted or refused.
Figure 6.43: Computed KCV 1 of 2
At the end of the process, the Cryptographic Module returns the encrypted key and its KCV or
the key handle, depending on the output format selected.
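Component loading with per-custodian KCV checks, as used both for the SCCK in section 4.1.4 and for the symmetric key import described above, as an added example in Go (not the module's own code). The KCV is computed the conventional way (encrypt one all-zero block, keep the first three bytes), which is an assumption because the guide does not specify its KCV algorithm; combining components by XOR is likewise assumed, and the function and type names are this example's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KCV computes the 6-hex-digit key check value the console shows: encrypt
// one all-zero block under the key and keep the first three ciphertext bytes.
// keyType is "DES" (8, 16 or 24 bytes: single, 2-key or 3-key TDES) or "AES".
func KCV(keyType string, key []byte) (string, error) {
	var block cipher.Block
	var err error
	switch {
	case keyType == "DES" && len(key) == 8:
		block, err = des.NewCipher(key)
	case keyType == "DES" && len(key) == 16: // 2-key TDES is K1,K2,K1
		block, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case keyType == "DES" && len(key) == 24:
		block, err = des.NewTripleDESCipher(key)
	case keyType == "AES":
		block, err = aes.NewCipher(key) // accepts 16, 24 or 32 bytes
	default:
		err = fmt.Errorf("unsupported %s key of %d bytes", keyType, len(key))
	}
	if err != nil {
		return "", err
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, make([]byte, block.BlockSize()))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// Component is what one custodian types in: the hex component and,
// optionally, the KCV written down when it was generated ("" = not informed).
type Component struct {
	Hex string
	KCV string
}

// LoadComponents replays the console flow for SCCK and symmetric key loading:
// every component is checked against its custodian's KCV when one was typed,
// the components are XORed into the key, and the key's own KCV is returned
// for the final confirmation screen.
func LoadComponents(keyType string, parts []Component) ([]byte, string, error) {
	if len(parts) == 0 {
		return nil, "", errors.New("no components")
	}
	var key []byte
	for i, p := range parts {
		raw, err := hex.DecodeString(p.Hex)
		if err != nil {
			return nil, "", fmt.Errorf("component %d: not hexadecimal", i+1)
		}
		if key == nil {
			key = make([]byte, len(raw))
		} else if len(raw) != len(key) {
			return nil, "", fmt.Errorf("component %d: length differs", i+1)
		}
		got, err := KCV(keyType, raw)
		if err != nil {
			return nil, "", fmt.Errorf("component %d: %v", i+1, err)
		}
		if p.KCV != "" && !strings.EqualFold(p.KCV, got) {
			return nil, "", fmt.Errorf("component %d: KCV mismatch, type it again", i+1)
		}
		for j := range key {
			key[j] ^= raw[j]
		}
	}
	kcv, err := KCV(keyType, key)
	return key, kcv, err
}

func main() {
	// Constructed 48-hex-digit TDES3 components; the same value twice
	// XORs to the all-zero test key mentioned in section 4.1.9.
	c := strings.Repeat("0123456789ABCDEF", 3)
	key, kcv, err := LoadComponents("DES", []Component{{c, ""}, {c, ""}})
	fmt.Printf("%X %s %v\n", key, kcv, err)
}
```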
Figure 6.45: Cryptographic Module key handle
LMK It must be between 01 and 99 and the value to fill in will depend on the usage of the
key to export.
Encrypted Key input The cryptogram (key encrypted under the informed LMK) of the key
to export.
Note that V0 storage is neither allowed in NIST FIPS PUB 140-2-Approved mode nor allowed
for AES Keys in PCI PTS HSM v2.0-Approved mode.
If "Cryptographic Module" key storage is selected, just select the key to be exported from
the list shown on the screen:
In both cases:
Print components Check this box to print out the key components through a printer
connected directly to the Cryptographic Module.
Clicking on "Export" starts the export process and the Cryptographic Module asks for the
number of components to generate.
Figure 6.48: Generate symmetric key components
Figure 6.50: Component 1 of 2
Shows all the key handles stored within the Cryptographic Module and allows deleting
them.
Figure 6.52: List and delete Symmetric Keys Info
When this option is allowed, an RSA Public Key can be imported into the Cryptographic Module's
Security Environment using the analogous network command; otherwise the command will be
rejected.
Figure 6.53: RSA Public Key import management
When the network command arrives at the Cryptographic Module with the public key to be
imported, the Cryptographic Module generates and presents the SHA-512 of the public key,
which must be confirmed as a valid hash result.
Right after checking "Allow", pressing "Check" shows the calculated sha1 of the public key
on the screen, to be confirmed in case any request is pending.
The printer functionality can be set to 'ENABLE' or 'DISABLE' through this menu; the speed
of the printer and the format string can also be changed.
Figure 6.56: Printer configuration
Before using any printing command, it is necessary to define the format of the document in
which the information will be printed out. That "Format String" will remain in the Cryptographic
Module until it is overwritten.
The "Printer Format String" may contain any fixed text, although it is recommended to restrict
it to format characters (the symbols in the table below). This is because it is limited to
400 characters, and if fixed text is used, the amount of text will be limited. It is a better choice
to send the fixed strings within the network command; in that case it is possible to have up to 16
fixed text strings of 252 characters each.
The symbols allowed in the "Printer Format String" field are in the following table:
Table 6.1: Format Strings Symbols (continued)
Note that, although all symbols are supported, each command details which ones are necessary
to return the information. A valid example of a format string to print out key components
is as follows:
>L^0^P^1^T>F
6.9 Smartcards
Figure 6.57: Smart cards menu
This operation replaces, on each smart card, a previously set SCCK with the new SCCK created
on the Cryptographic Module (see 4.1.4).
Please do not confuse this process with the Enrollment process described in 4.1.5.
Note that the Cryptographic Module only keeps the former SCCK. It is very important to update
the new SCCK on every card involved in the Cryptographic Module's management right after
a new SCCK has been created. Otherwise, future access to the smart card can be compromised.
Figure 6.59: Card authentication
Resets smart cards. This includes zeroization of the stored information, the PIN (changed to
'00000000') and the communication key (changed to '00 .. 00').
Changes the PIN of any smart card that belongs to the Cryptographic Module's Security
Environment.
Figure 6.61: Change PIN
After that, the old PIN is requested; once it is accepted, the PIN is changed.
6.9.6 Replicate Cards
Replicates the secret kept within a whole set of cards (Master Keys, Administrator or User), or
just copies the information of one card into another card.
The command starts with a sequence of source card readings and continues with a sequence of
destination card writings.
Figure 6.67: Write replicated set
At this point, any new 'm' of 'n' scheme can be chosen for the new set of cards.
Although the replicated secret is the same in the new card set, it has been split in a different
way, so both sets of cards can work simultaneously but cannot be mixed.
6.9.6.2 Copy Card
The command reads the original card of any type and then writes the information to the new
blank card.
Figure 6.71: Write card
This command shows the following information from the smart card:
Figure 6.73: Show card info
Figure 6.75: Log configuration
Appendix A
The physical ports and logical interfaces are described in [Security Policy, Module Interfaces].
Appendix B
B.0.1.1 Initialization
When the Cryptographic Module is received, the Crypto Officer must check its casing for evidence
of tampering. Such indications include prying, bending, or cutting of the metal casing.
After checking the Cryptographic Module for evidence of tampering, the Crypto Officer must
connect the module to the PCIe port on the computer to be used. The console connection
must also be established. The installation files contain all the setup files needed to access the
Cryptographic Module.
The Cryptographic Module is delivered initialized in such a way that a challenge mechanism
is used to assure that the Cryptographic Module has not been tampered with during the
delivery process.
Once the challenge has been solved, the module is to be initialized according to the customer's
preferences. The initialization process is performed through the terminal console. It is guided
by a wizard.
B.0.1.2 Management
The Cryptographic Module can be administered using the console and the supplied drivers. This
software allows the User to access all the functions supported by the Cryptographic Module, and
check its status. Crypto Officer and User guides are available from Realsec.
Once the initialization process has finished, the module can be operated in its normal way.
• Routinely check the Cryptographic Module for signs of physical tampering. If unusual
activity or damage to the casing is found, the Crypto Officer shall take the module off-line
and investigate.
• Keep the Custodian and User lists up to date.
• Encourage the backing up of the smart card sets and individual cards, and keep the backups
up to date.
The battery must be changed every 4 years. It can be done, with care, while the module is
working. If it is done without the PCIe power supply, the operation should not last more than
a minute.
B.0.1.3 Termination
When the usage of the Cryptographic Module has been completed, it should be zeroized by the
Crypto Officer in order to wipe all data. This zeroization should be done by:
or
Once the data is zeroized, remove the battery. The module should then be stored
in a secure location. The Cryptographic Module's smart cards should be destroyed or reset.
The User's (User, Custodian or card holder) behaviour with respect to the secure operation of the
Cryptographic Module is mainly related to keeping secret the smart card password and the keys
or key components that the User guards. The User should be careful not to provide private
keys and secret keys to other parties, nor the smart card password to anyone. The User
should change the card password regularly.
• The Cryptographic Module enforces that the operator secrets (User passwords and smart
card PINs) are formed by eight printable characters.
• It is recommended that, for increased security, the secret is formed by at least one character
of each of the following types:
– Lower case letters.
– Upper case letters.
– Numbers.
– Symbols.
Bibliography