VE 03: Difference between revisions
Revision as of 23:13, 22 November 2006
==SECTION 3: ROLES, SERVICES, AND AUTHENTICATION==
AS.03.01 The cryptographic module shall support authorized roles for operators and corresponding services within each role.
Note: This assertion is not separately tested.
Assessment:
AS.03.02 If the cryptographic module supports concurrent operators, then the module shall internally maintain the separation of the roles assumed by each operator and the corresponding services.
Assessment:
==VE.03.02.01==
VE.03.02.01 The vendor documentation shall specify whether multiple concurrent operators are allowed. The vendor shall describe the method by which separation of the authorized roles and services performed by each operator is achieved. The vendor documentation shall also describe any restrictions on concurrent operators (e.g., one operator in a maintenance role and another in a user role simultaneously is not allowed).
Assessment:
AS.03.03 The cryptographic module shall support the following authorized roles for operators:
* User Role: The role assumed to perform general security services, including cryptographic operations and other Approved security functions.
* Crypto Officer Role: The role assumed to perform a set of cryptographic initialization or management functions (e.g., module
Assessment:
==VE.03.03.01==
VE.03.03.01 In the documentation required to satisfy VE03.06.01, the vendor shall include at least one user role and one crypto-officer role.
Assessment:
AS.03.04 If the cryptographic module allows operators to perform maintenance services, then the module shall support the following authorized role:
* Maintenance Role: The role assumed to perform physical maintenance and/or logical maintenance services (e.g., hardware/software diagnostics).
Assessment:
==VE.03.04.01==
VE.03.04.01 If the module has a maintenance interface, the vendor documentation shall explicitly state that a maintenance role is supported. The documentation shall completely specify the role by name and allowed services.
Assessment:
AS.03.05 All plaintext secret and private keys and unprotected CSPs shall be zeroized when entering or exiting the maintenance role.
Assessment:
==VE.03.05.01==
VE.03.05.01 The vendor documentation shall specify how the module's plaintext secret and private keys and other unprotected critical security parameters, as defined in Section 2.1 of FIPS PUB 140-2, are actively zeroized when the maintenance role is entered or exited.
Assessment:
AS.03.06 Documentation shall specify all authorized roles supported by the cryptographic module.
Assessment:
==VE.03.06.01==
VE.03.06.01 Vendor documentation shall specify each distinct authorized role, including its name and the services that are performed in the role.
Assessment:
AS.03.07 Services shall refer to all of the services, operations, or functions that can be performed by the cryptographic module.
Note: This assertion is not separately tested.
Assessment:
AS.03.08 Service inputs shall consist of all data or control inputs to the cryptographic module that initiate or obtain specific services, operations, or functions.
Assessment:
AS.03.09 Service outputs shall consist of all data and status outputs that result from services, operations, or functions initiated or obtained by service inputs.
Assessment:
AS.03.10 Each service input shall result in a service output.
Note: This assertion is not separately tested.
Assessment:
AS.03.11 The cryptographic module shall provide the following services to operators:
* Show Status: Output the current status of the cryptographic module.
* Perform Self-Tests: Initiate and run the self-tests as specified in Section 4.9.
* Perform Approved Security Function: Perform at least one Approved
Assessment:
==VE.03.11.01==
VE.03.11.01 The vendor documentation shall describe the output of the current status of the module and the initiation and running of user-callable self-tests, along with other services as specified by VE03.14.01 and VE03.15.01.
Assessment:
AS.03.12 If a cryptographic module implements a bypass capability, where services are provided without cryptographic processing (e.g., transferring plaintext through the module without encryption), then two independent internal actions shall be required to activate the capability to prevent the inadvertent bypass of plaintext data due to a single error (e.g., two different software or hardware flags are set, one of which
Assessment:
==VE.03.12.01==
VE.03.12.01 If the module implements a bypass capability, the vendor documentation shall describe the bypass service as specified in AS03.12.
Assessment:
==VE.03.12.02==
VE.03.12.02 The finite state model and other vendor documentation shall indicate, for all transitions into an exclusive or alternating bypass state, the two independent internal actions that are required to transition into each bypass state.
Assessment:
AS.03.13 If the cryptographic module implements a bypass capability, where services are provided without cryptographic processing (e.g., transferring plaintext through the module without encryption), then the module shall show status to indicate whether
1) the bypass capability is not activated, and the module is exclusively providing services with cryptographic processing (e.g., the plaintext is encrypted),
2) the bypass capability is activated and the module is exclusively providing services without cryptographic processing (e.g., plaintext data is not encrypted), or
3) the bypass capability is alternately activated and deactivated and the module is providing some services with cryptographic processing and some services without cryptographic processing (e.g., for modules with multiple communication channels, plaintext data is or is not encrypted depending on each channel configuration).
Assessment:
==VE.03.13.01==
VE.03.13.01 The vendor documentation for the "Show Status" service shall indicate bypass status.
Assessment:
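Added illustration (not from the DTR or from any certified module) of how the two-independent-action rule of AS.03.12 / VE.03.12.02 and the three-way bypass status of AS.03.13 fit together in one module; the per-channel model, the flag and method names, and the XOR stand-in for encryption are assumptions made for the example.

```python
from enum import Enum


class BypassStatus(Enum):
    NOT_ACTIVATED = "bypass not activated: every channel is encrypted"
    EXCLUSIVE = "bypass activated: no channel is encrypted"
    ALTERNATING = "alternating bypass: some channels encrypted, some not"


class Channel:
    """One communication channel of a constructed module. Plaintext passes
    only when BOTH independent flags are set, so a single fault or stray
    write cannot switch the channel into bypass (AS.03.12)."""

    def __init__(self) -> None:
        self._operator_requested = False  # action 1: explicit service request
        self._policy_armed = False        # action 2: separate configuration flag

    def request_bypass(self) -> None:
        self._operator_requested = True

    def arm_bypass_policy(self) -> None:
        self._policy_armed = True

    def clear_bypass(self) -> None:
        # Clearing either flag alone returns the channel to cryptographic processing.
        self._operator_requested = False
        self._policy_armed = False

    @property
    def bypass_active(self) -> bool:
        return self._operator_requested and self._policy_armed

    def process(self, plaintext: bytes) -> bytes:
        # Stand-in for cryptographic processing (constructed XOR, not a real
        # cipher) so the effect of bypass is visible in the output.
        if self.bypass_active:
            return plaintext
        return bytes(b ^ 0x5A for b in plaintext)


def show_status(channels: list[Channel]) -> BypassStatus:
    """Bypass portion of the Show Status service (AS.03.13 / VE.03.13.01)."""
    active = [c.bypass_active for c in channels]
    if not any(active):
        return BypassStatus.NOT_ACTIVATED
    if all(active):
        return BypassStatus.EXCLUSIVE
    return BypassStatus.ALTERNATING
```

The finite state model VE.03.12.02 asks for would list, per channel, the two flag-setting actions as the only path into a bypass state, which is exactly what `bypass_active` encodes.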
AS.03.14 Documentation shall specify:
* the services, operations, or functions provided by the cryptographic module, both Approved and non-Approved, and
* for each service provided by the module, the service inputs, corresponding service outputs, and the authorized role(s) in which the service can be performed.
Assessment:
==VE.03.14.01==
VE.03.14.01 The vendor documentation shall describe each service, including its purpose and function.
Assessment:
==VE.03.14.02==
VE.03.14.02 The vendor documentation shall specify, for each service, the service inputs, corresponding service outputs, and the authorized role or roles in which the service can be performed. Service inputs shall consist of all data or control inputs to the module that initiate or obtain specific services, operations, or functions. Service outputs shall consist of all data and status outputs that result from services, operations, or functions initiated or obtained by service inputs.
Assessment:
AS.03.15 Documentation shall specify any services provided by the cryptographic module for which the operator is not required to assume an authorized role, and how these services do not modify, disclose, or substitute cryptographic keys and CSPs, or otherwise affect the security of the
Assessment:
==VE.03.15.01==
VE.03.15.01 The vendor documentation shall describe each service, including its purpose and function.
Assessment:
==VE.03.15.02==
VE.03.15.02 The vendor documentation shall specify, for each service, the service inputs and corresponding service outputs. Service inputs shall consist of all data or control inputs to the module that initiate or obtain specific services, operations, or functions. Service outputs shall consist of all data and status outputs that result from the services, operations, or functions initiated or obtained by service inputs.
Assessment:
AS.03.16 (Level 2) Depending on the security level, the cryptographic module shall perform at least one of the following mechanisms to control access to the module: role-based authentication or identity-based authentication.
Note: This assertion is not separately tested.
AS.03.17 (Level 2) If role-based authentication mechanisms are supported by the cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator and shall authenticate the assumption of the selected role (or set of roles).
==VE.03.17.01==
VE.03.17.01 (Level 2) The vendor shall document the type of authentication performed for the module. The vendor shall document the mechanisms used to perform the implicit or explicit selection of a role or set of roles and the authentication of the operator to assume the role(s).
Assessment:
AS.03.18 (Level 2) If the cryptographic module permits an operator to change roles, then the module shall authenticate the assumption of any role that was not previously authenticated.
==VE.03.18.01==
VE.03.18.01 (Level 2) The vendor documentation shall describe the ability of an operator to change roles and shall state that verification of an operator to assume a new role is required.
Assessment:
AS.03.21 When the cryptographic module is powered off and subsequently powered on, the results of previous authentications shall not be retained and the module shall require the operator to be re-authenticated.
Assessment:
==VE.03.21.01==
VE.03.21.01 The vendor documentation shall describe how the results of previous authentications are cleared when the module is powered off.
Assessment:
AS.03.22 (Level 2) Authentication data within the cryptographic module shall be protected against unauthorized disclosure, modification, and substitution.
Assessment:
==VE.03.22.01==
VE.03.22.01 The vendor documentation shall describe the protection of all authentication data to the module. Protection shall include the implementation of mechanisms that protect against unauthorized disclosure, modification, and substitution.
Assessment:
AS.03.23 If the cryptographic module does not contain the authentication data required to authenticate the operator for the first time the module is accessed, then other authorized methods (e.g., procedural controls or use of factory-set or default authentication data) shall be used to control access to the module and initialize the authentication mechanisms.
Assessment:
==VE.03.23.01==
VE.03.23.01 The vendor documentation shall specify the means to control access to the module before it is initialized.
Assessment:
AS.03.25 (Level 2) For each attempt to use the authentication mechanism, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur (e.g., guessing a password or PIN, false acceptance error rate of a biometric device, or some combination of authentication methods).
==VE.03.25.01==
VE.03.25.01 (Level 2) The vendor documentation shall specify each authentication method and the associated false acceptance rate or probability that a random access will succeed.
Assessment:
AS.03.26 (Level 2) For multiple attempts to use the authentication mechanism during a one-minute period, the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur.
==VE.03.26.01==
VE.03.26.01 (Level 2) The vendor documentation shall specify each authentication method and the associated probability of a successful random attempt during a one-minute period.
Assessment:
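Added worked check of the AS.03.25 and AS.03.26 thresholds for a PIN or password mechanism, the kind of calculation a security policy must show (example code, not part of the DTR). The alphabet sizes, lengths and attempts-per-minute rates are assumed values; the exact 1 - (1 - p)^N figure for the one-minute case is my choice, with N * p as the simpler upper bound usually quoted.

```python
from fractions import Fraction

# Thresholds stated in AS.03.25 (per attempt) and AS.03.26 (per minute).
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
ONE_MINUTE_LIMIT = Fraction(1, 100_000)


def single_attempt_probability(alphabet_size: int, length: int) -> Fraction:
    """Chance that one random guess matches a uniformly chosen secret."""
    return Fraction(1, alphabet_size ** length)


def one_minute_probability(p_single: Fraction, attempts_per_minute: int) -> Fraction:
    """Chance that at least one of N independent random guesses succeeds.

    Exact value 1 - (1 - p)^N; it is bounded above by N * p, the simpler
    figure a security policy usually quotes."""
    return 1 - (1 - p_single) ** attempts_per_minute


def meets_as_03_25(alphabet_size: int, length: int) -> bool:
    # Strictly less than one in 1,000,000, so exactly 10**6 secrets does not pass.
    return single_attempt_probability(alphabet_size, length) < SINGLE_ATTEMPT_LIMIT


def meets_as_03_26(alphabet_size: int, length: int, attempts_per_minute: int) -> bool:
    """attempts_per_minute is whatever the module's throttling or lockout
    actually enforces; the claim is only as good as that enforced limit."""
    p = single_attempt_probability(alphabet_size, length)
    return one_minute_probability(p, attempts_per_minute) < ONE_MINUTE_LIMIT


if __name__ == "__main__":
    # Assumed mechanisms, chosen for illustration only.
    cases = [
        ("6-digit PIN, 10/min", 10, 6, 10),        # exactly 1/1,000,000: fails AS.03.25
        ("7-digit PIN, 10/min", 10, 7, 10),
        ("7-digit PIN, 1000/min", 10, 7, 1000),    # passes AS.03.25, fails AS.03.26
        ("8-char alphanumeric, 60/min", 62, 8, 60),
    ]
    for label, alphabet, length, rate in cases:
        print(f"{label}: AS.03.25={meets_as_03_25(alphabet, length)}, "
              f"AS.03.26={meets_as_03_26(alphabet, length, rate)}")
```

The two assertions are independent: a secret can clear the per-attempt limit and still fail the per-minute one if the module does not throttle attempts, which is why VE.03.26.01 asks for the one-minute figure separately.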
AS.03.27 (Level 2) Feedback of authentication data to an operator shall be obscured during authentication (e.g., no visible display of characters when entering a password).
==VE.03.27.01==
VE.03.27.01 (Level 2) The vendor documentation shall specify the method used to obscure feedback of the authentication data to an operator during entry of the authentication data.
Assessment:
AS.03.28 (Level 2) Feedback provided to an operator during an attempted authentication shall not weaken the strength of the authentication mechanism.
==VE.03.28.01==
VE.03.28.01 (Level 2) The vendor documentation shall specify the feedback mechanism that is used when the operator is entering authentication data.
Assessment:
AS.03.29 Documentation shall specify:
* the authentication mechanisms supported by the cryptographic module,
* the types of authentication data required by the module to implement the supported authentication mechanisms,
* the authorized methods used to control access to the module for the first time and initialize the authentication mechanisms, and
* the strength of the authentication mechanisms supported by the module.
Assessment:
AS.03.30 If authentication mechanisms are not supported by the cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator.
Assessment:
==VE.03.30.01==
VE.03.30.01 The vendor shall document the type of authentication performed for the module. The vendor shall document the mechanisms used to perform the implicit or explicit selection of a role or set of roles and the authentication of the operator to assume the role(s).
Assessment:
==VE.03.30.02==
VE.03.30.02 The vendor-provided non-proprietary security policy shall provide a description of the roles, either implicit or explicit, that the operator can assume.
Assessment:
==VE.03.30.03==
VE.03.30.03 The vendor-provided non-proprietary security policy shall provide instructions for the operator to assume either the implicit or explicit roles.