VE 03: Difference between revisions

From MozillaWiki

Revision as of 02:49, 25 November 2006

==SECTION 3: ROLES, SERVICES, AND AUTHENTICATION==

AS.03.01 The cryptographic module shall support authorized roles for operators and corresponding services within each role.

Note: This assertion is not separately tested.


Assessment:

AS.03.02 If the cryptographic module supports concurrent operators, then the module shall internally maintain the separation of the roles assumed by each operator and the corresponding services.


Assessment:

==VE.03.02.01==

VE.03.02.01 The vendor documentation shall specify whether multiple concurrent operators are allowed. The vendor shall describe the method by which separation of the authorized roles and services performed by each operator is achieved. The vendor documentation shall also describe any restrictions on concurrent operators (e.g., one operator in a maintenance role and another in a user role simultaneously is not allowed).

Assessment:

AS.03.03 The cryptographic module shall support the following authorized roles for operators:

*User Role: The role assumed to perform general security services, including cryptographic operations and other Approved security functions.

*Crypto Officer Role: The role assumed to perform a set of cryptographic initialization or management functions (e.g., module

Assessment:

==VE.03.03.01==

VE.03.03.01 In the documentation required to satisfy VE03.06.01, the vendor shall include at least one user role and one crypto-officer role.


Assessment:

AS.03.04 If the cryptographic module allows operators to perform maintenance services, then the module shall support the following authorized role:

*Maintenance Role: The role assumed to perform physical maintenance and/or logical maintenance services (e.g., hardware/software diagnostics).

Assessment:

==VE.03.04.01==

VE.03.04.01 If the module has a maintenance interface, the vendor documentation shall explicitly state a maintenance role is supported. The documentation shall completely specify the role by name and allowed services.


Assessment:

AS.03.05 All plaintext secret and private keys and unprotected CSPs shall be zeroized when entering or exiting the maintenance role.


Assessment:

==VE.03.05.01==

VE.03.05.01 The vendor documentation shall specify how the module's plaintext secret and private keys and other unprotected critical security parameters, as defined in Section 2.1 of FIPS PUB 140-2, are actively zeroized when the maintenance role is entered or exited.

Assessment:

AS.03.06 Documentation shall specify all authorized roles supported by the cryptographic module.


Assessment:

==VE.03.06.01==

VE.03.06.01 Vendor documentation shall specify each distinct authorized role, including its name and the services that are performed in the role.


Assessment:

AS.03.07 Services shall refer to all of the services, operations, or functions that can be performed by the cryptographic module.

Note: This assertion is not separately tested.


Assessment:

AS.03.08 Service inputs shall consist of all data or control inputs to the cryptographic module that initiate or obtain specific services, operations, or functions.


Assessment:

AS.03.09 Service outputs shall consist of all data and status outputs that result from services, operations, or functions initiated or obtained by service inputs.


Assessment:

AS.03.10 Each service input shall result in a service output.

Note: This assertion is not separately tested.


Assessment:

AS.03.11 The cryptographic module shall provide the following services to operators:

*Show Status: Output the current status of the cryptographic module.

*Perform Self-Tests: Initiate and run the self-tests as specified in Section 4.9.

*Perform Approved Security Function: Perform at least one Approved

Assessment:

==VE.03.11.01==

VE.03.11.01 The vendor documentation shall describe the output of the current status of the module and the initiation and running of user callable self-tests, along with other services as specified by VE03.14.01 and VE03.15.01.


Assessment:

AS.03.12 If a cryptographic module implements a bypass capability, where services are provided without cryptographic processing (e.g., transferring plaintext through the module without encryption), then two independent internal actions shall be required to activate the capability to prevent the inadvertent bypass of plaintext data due to a single error (e.g., two different software or hardware flags are set, one of which

Assessment:

==VE.03.12.01==

VE.03.12.01 If the module implements a bypass capability, the vendor documentation shall describe the bypass service as specified in AS03.12.


Assessment:

==VE.03.12.02==

VE.03.12.02 The finite state model and other vendor documentation shall indicate, for all transitions into an exclusive or alternating bypass state, two independent internal actions that are required to transition into each bypass state.


Assessment:

AS.03.13 If the cryptographic module implements a bypass capability, where services are provided without cryptographic processing (e.g., transferring plaintext through the module without encryption), then the module shall show status to indicate whether

1) the bypass capability is not activated, and the module is exclusively providing services with cryptographic processing (e.g., the plaintext is encrypted),

2) the bypass capability is activated and the module is exclusively providing services without cryptographic processing (e.g., plaintext data is not encrypted), or

3) the bypass capability is alternately activated and deactivated and the module is providing some services with cryptographic processing and some services without cryptographic processing (e.g., for modules with multiple communication channels, plaintext data is or is not encrypted depending on each channel configuration).

Assessment:

==VE.03.13.01==

VE.03.13.01 The vendor documentation for the "Show Status" service shall indicate bypass status.


Assessment:
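The two-action bypass control of AS.03.12 and the three-way bypass status of AS.03.13 are easy to get wrong when one flag both selects and activates bypass. The following Python model is an added illustration written for this page, not code from the DTR or from any vendor module; the channel names, the two flag names (a configured flag and a separately armed flag) and the per-channel transition log are assumptions.

```python
"""Model of a bypass-capable module (AS.03.12, VE.03.12.02, AS.03.13).
Constructed example for this page, not DTR or vendor code; channel and
flag names are assumptions."""
from enum import Enum


class BypassStatus(Enum):
    """The three conditions that the Show Status service must distinguish."""
    NOT_ACTIVATED = "bypass not activated: all services use cryptographic processing"
    EXCLUSIVE = "bypass activated: no cryptographic processing"
    ALTERNATING = "alternating bypass: processing depends on channel configuration"


class Channel:
    """One communication channel. Entering bypass needs two independent
    internal actions (AS.03.12): a configured flag and a separately armed
    flag. A single fault that flips one of them cannot open the bypass."""

    def __init__(self, name):
        self.name = name
        self._bypass_configured = False  # action 1 (assumed: persistent config flag)
        self._bypass_armed = False       # action 2 (assumed: runtime arming flag)
        self.transitions = []            # bypass state transitions, for the FSM evidence

    def _set(self, attr, value):
        before = self.in_bypass()
        setattr(self, attr, bool(value))
        after = self.in_bypass()
        if before != after:
            self.transitions.append("enter bypass" if after else "exit bypass")

    def configure_bypass(self, enabled):
        self._set("_bypass_configured", enabled)

    def arm_bypass(self, armed):
        self._set("_bypass_armed", armed)

    def in_bypass(self):
        # Both independent actions must agree; either one alone leaves bypass off.
        return self._bypass_configured and self._bypass_armed


class Module:
    """Holds the channels and implements the Show Status service."""

    def __init__(self, channels):
        self.channels = {c.name: c for c in channels}

    def show_status(self):
        """AS.03.13: status must say which of the three bypass conditions
        holds across all channels."""
        states = [c.in_bypass() for c in self.channels.values()]
        if not any(states):
            return BypassStatus.NOT_ACTIVATED
        if all(states):
            return BypassStatus.EXCLUSIVE
        return BypassStatus.ALTERNATING


def walkthrough():
    """Drive two constructed channels through all three status conditions
    and return the observed statuses plus channel A's transition log."""
    a, b = Channel("A"), Channel("B")
    mod = Module([a, b])
    seen = [mod.show_status()]          # nothing configured: NOT_ACTIVATED
    a.configure_bypass(True)            # first action alone: still NOT_ACTIVATED
    seen.append(mod.show_status())
    a.arm_bypass(True)                  # second independent action: A now in bypass
    seen.append(mod.show_status())      # ALTERNATING (A bypass, B encrypted)
    b.configure_bypass(True)
    b.arm_bypass(True)
    seen.append(mod.show_status())      # every channel in bypass: EXCLUSIVE
    a.arm_bypass(False)                 # dropping either action exits bypass on A
    seen.append(mod.show_status())      # back to ALTERNATING
    return seen, list(a.transitions)


if __name__ == "__main__":
    statuses, log = walkthrough()
    for s in statuses:
        print(s.value)
    print(log)
```

Only the second of the two independent actions moves a channel into bypass, so a fault that flips one flag leaves cryptographic processing in place, and the transition log is the kind of evidence the finite state model of VE.03.12.02 should make visible.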

AS.03.14 Documentation shall specify:

*the services, operations, or functions provided by the cryptographic module, both Approved and non-Approved, and

*for each service provided by the module, the service inputs, corresponding service outputs, and the authorized role(s) in which the service can be performed.

Assessment:

==VE.03.14.01==

VE.03.14.01 The vendor documentation shall describe each service, including purpose and function.


Assessment:

==VE.03.14.02==

VE.03.14.02 The vendor documentation shall specify, for each service, the service inputs, corresponding service outputs, and the authorized role or roles in which the service can be performed. Service inputs shall consist of all data or control inputs to the module that initiate or obtain specific services, operations, or functions. Service outputs shall consist of all data and status outputs that result from services, operations or functions initiated or obtained by service inputs.

Assessment:

AS.03.15 Documentation shall specify any services provided by the cryptographic module for which the operator is not required to assume an authorized role, and how these services do not modify, disclose, or substitute cryptographic keys and CSPs, or otherwise affect the security of the

Assessment:

==VE.03.15.01==

VE.03.15.01 The vendor documentation shall describe each service, including its purpose and function.


Assessment:

==VE.03.15.02==

VE.03.15.02 The vendor documentation shall specify, for each service, the service inputs and corresponding service outputs. Service inputs shall consist of all data or control inputs to the module that initiate or obtain specific services, operations, or functions. Service outputs shall consist of all data and status outputs that result from the services, operations, or functions initiated or obtained by service inputs.

Assessment:

AS.03.16 (Level 2) Depending on the security level, the cryptographic module shall perform at least one of the following mechanisms to control access to the module: role-based authentication or identity-based authentication.

Note: This assertion is not separately tested.

AS.03.17 (Level 2) If role-based authentication mechanisms are supported by the cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator and shall authenticate the assumption of the selected role (or set of roles).

==VE.03.17.01==

VE.03.17.01 (Level 2) The vendor shall document the type of authentication performed for the module. The vendor shall document the mechanisms used to perform the implicit or explicit selection of a role or set of roles and the authentication of the operator to assume the role(s).

Assessment:

AS.03.18 (Level 2) If the cryptographic module permits an operator to change roles, then the module shall authenticate the assumption of any role that was not previously authenticated.

==VE.03.18.01==

VE.03.18.01 (Level 2) The vendor documentation shall describe the ability of an operator to change roles and shall state that verification of an operator to assume a new role is required.

Assessment:

AS.03.21 When the cryptographic module is powered off and subsequently powered on, the results of previous authentications shall not be retained and the module shall require the operator to be re-authenticated.


Assessment:

==VE.03.21.01==

VE.03.21.01 The vendor documentation shall describe how the results of previous authentications are cleared when the module is powered off.

Assessment:
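The following Python model is an added illustration for AS.03.02, AS.03.05, AS.03.17, AS.03.18 and AS.03.21, written for this page; it is not code from the DTR or from any vendor. The credential store, the PBKDF2 parameters and the rule that no operator may hold the maintenance role while another operator is active (modelled on the e.g. in VE.03.02.01) are assumptions.

```python
"""Model of operator roles, role authentication, role change, power-cycle
re-authentication and maintenance-role zeroization (AS.03.02, AS.03.05,
AS.03.17, AS.03.18, AS.03.21). Constructed example, not DTR or vendor code;
the credential store, PBKDF2 parameters and the maintenance-exclusivity
rule are assumptions."""
import hashlib
import hmac
import os

USER, CRYPTO_OFFICER, MAINTENANCE = "User", "Crypto Officer", "Maintenance"


class Operator:
    """Per-operator session. Keeping authenticated roles per operator is what
    keeps concurrent operators' roles separated (AS.03.02)."""

    def __init__(self, name):
        self.name = name
        self.authenticated_roles = set()
        self.active_role = None


def derive(password, salt):
    # Password hashing for the constructed credential store (iteration count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_credentials(entries):
    """(operator, role, password) triples -> {(operator, role): (salt, digest)}."""
    store = {}
    for operator, role, password in entries:
        salt = os.urandom(16)
        store[(operator, role)] = (salt, derive(password, salt))
    return store


class Module:
    def __init__(self, credentials):
        self._credentials = credentials
        self._operators = {}
        self._plaintext_keys = {}   # CSPs held in plaintext while in operation

    def _verify(self, operator, role, password):
        entry = self._credentials.get((operator, role))
        if entry is None or password is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(derive(password, salt), digest)

    def _maintenance_conflict(self, op, role):
        # Assumed restriction (cf. VE.03.02.01): maintenance never runs alongside
        # another active operator, in either direction.
        others = [o for o in self._operators.values() if o is not op and o.active_role]
        if role == MAINTENANCE and others:
            return True
        return any(o.active_role == MAINTENANCE for o in others)

    def assume_role(self, operator_name, role, password=None):
        """AS.03.17: assuming a role authenticates it. AS.03.18: a role this
        operator has not previously authenticated needs authentication; one
        already authenticated in this power cycle does not."""
        op = self._operators.setdefault(operator_name, Operator(operator_name))
        if self._maintenance_conflict(op, role):
            raise PermissionError("maintenance role cannot run alongside another operator")
        if role not in op.authenticated_roles:
            if not self._verify(operator_name, role, password):
                raise PermissionError(f"{operator_name}: authentication for {role} failed")
            op.authenticated_roles.add(role)
        if MAINTENANCE in (role, op.active_role):
            self.zeroize()   # AS.03.05: entering or exiting the maintenance role
        op.active_role = role
        return role

    def end_session(self, operator_name):
        op = self._operators.pop(operator_name, None)
        if op is not None and op.active_role == MAINTENANCE:
            self.zeroize()   # leaving the maintenance role by ending the session

    def load_key(self, operator_name, key_id, key):
        """Key management is a Crypto Officer service (AS.03.03)."""
        op = self._operators.get(operator_name)
        if op is None or op.active_role != CRYPTO_OFFICER:
            raise PermissionError("key loading requires the Crypto Officer role")
        self._plaintext_keys[key_id] = bytearray(key)

    def zeroize(self):
        for buf in self._plaintext_keys.values():
            buf[:] = bytes(len(buf))     # overwrite in place before dropping the reference
        self._plaintext_keys.clear()

    def power_cycle(self):
        """AS.03.21: no authentication result survives a power-off."""
        self._operators.clear()

    def roles_of(self, operator_name):
        op = self._operators.get(operator_name)
        return set() if op is None else set(op.authenticated_roles)

    def key_ids(self):
        return sorted(self._plaintext_keys)
```

Two points the model makes explicit: a previously authenticated role can be re-assumed without a password only until the next power cycle, and zeroization is triggered by the maintenance transition itself rather than by the operator remembering to do it.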

AS.03.22 (Level 2) Authentication data within the cryptographic module shall be protected against unauthorized disclosure, modification, and substitution.

Assessment:

==VE.03.22.01==

VE.03.22.01 The vendor documentation shall describe the protection of all authentication data to the module. Protection shall include the implementation of mechanisms that protect against unauthorized disclosure, modification, and substitution.

Assessment:

AS.03.23 If the cryptographic module does not contain the authentication data required to authenticate the operator for the first time the module is accessed, then other authorized methods (e.g., procedural controls or use of factory-set or default authentication data) shall be used to control access to the module and initialize the authentication mechanisms.

Assessment:

==VE.03.23.01==

VE.03.23.01 The vendor documentation shall specify means to control access to the module before it is initialized.

Assessment:

AS.03.25 (Level 2) For each attempt to use the authentication mechanism, the probability shall be less than one in 1,000,000 that a random attempt will succeed or a false acceptance will occur (e.g., guessing a password or PIN, false acceptance error rate of a biometric device, or some combination of authentication methods).

==VE.03.25.01==

VE.03.25.01 (Level 2) The vendor documentation shall specify each authentication method and the associated false acceptance rate or probability that a random access will succeed.

Assessment:

AS.03.26 (Level 2) For multiple attempts to use the authentication mechanism during a one-minute period, the probability shall be less than one in 100,000 that a random attempt will succeed or a false acceptance will occur.

==VE.03.26.01==

VE.03.26.01 (Level 2) The vendor documentation shall specify each authentication method and the associated probability of a successful random attempt during a one-minute period.

Assessment:
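To make the AS.03.25 and AS.03.26 limits concrete, here is an added Python worked example (not part of the DTR) that computes the single-attempt and one-minute probabilities for a uniformly random PIN or password and checks them against the two thresholds. The PIN lengths, alphabet sizes, attempt rates and the biometric false acceptance rate below are constructed inputs, and the throttle helper uses the N·p upper bound, which is slightly conservative.

```python
"""Worked check of the AS.03.25 (single attempt) and AS.03.26 (one minute)
authentication-strength limits. Added illustration, not DTR text; all
secret-space parameters and attempt rates are constructed."""
import math
from fractions import Fraction

SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)   # AS.03.25: must be strictly less than this
ONE_MINUTE_LIMIT = Fraction(1, 100_000)         # AS.03.26: must be strictly less than this


def single_attempt_probability(alphabet_size, length):
    """Chance that one random guess matches a secret chosen uniformly from
    alphabet_size ** length possibilities (a password or PIN)."""
    return Fraction(1, alphabet_size ** length)


def one_minute_probability(p_single, attempts_per_minute):
    """Chance that at least one of N independent random attempts in a minute
    succeeds: 1 - (1 - p)^N, computed exactly with Fractions."""
    return 1 - (1 - p_single) ** attempts_per_minute


def assess_probability(p_single, attempts_per_minute):
    """Evaluate both assertions from a per-attempt success probability.
    Works for a password space or for a biometric's stated false acceptance rate."""
    p_minute = one_minute_probability(p_single, attempts_per_minute)
    return {
        "single_attempt": p_single,
        "as_03_25_pass": p_single < SINGLE_ATTEMPT_LIMIT,
        "one_minute": p_minute,
        "as_03_26_pass": p_minute < ONE_MINUTE_LIMIT,
    }


def assess(alphabet_size, length, attempts_per_minute):
    """Evaluate both assertions for a PIN/password space and a throttle."""
    return assess_probability(single_attempt_probability(alphabet_size, length),
                              attempts_per_minute)


def max_attempts_per_minute(alphabet_size, length):
    """Largest throttle that keeps AS.03.26 satisfied, using the N*p bound
    (1 - (1-p)^N <= N*p, so the answer errs on the safe side)."""
    p_single = single_attempt_probability(alphabet_size, length)
    return math.ceil(ONE_MINUTE_LIMIT / p_single) - 1


if __name__ == "__main__":
    # Constructed cases: a 4-digit PIN, a 6-digit PIN (exactly 1e-6, which
    # is not "less than"), a 7-digit PIN under two throttles, and a biometric.
    for label, result in [
        ("4-digit PIN, 1/min", assess(10, 4, 1)),
        ("6-digit PIN, 1/min", assess(10, 6, 1)),
        ("7-digit PIN, 10/min", assess(10, 7, 10)),
        ("7-digit PIN, 200/min", assess(10, 7, 200)),
        ("biometric FAR 1/2,000,000, 5/min", assess_probability(Fraction(1, 2_000_000), 5)),
    ]:
        print(f"{label}: AS.03.25 {result['as_03_25_pass']}, AS.03.26 {result['as_03_26_pass']}")
    print("7-digit PIN: max attempts/min for AS.03.26 =", max_attempts_per_minute(10, 7))
```

The 6-digit case is the one assessors trip over: 1/1,000,000 is not "less than one in 1,000,000", so it fails AS.03.25 on its own, and AS.03.26 then forces a throttle on whatever space is chosen.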

AS.03.27 (Level 2) Feedback of authentication data to an operator shall be obscured during authentication (e.g., no visible display of characters when entering a password).

==VE.03.27.01==

VE.03.27.01 (Level 2) The vendor documentation shall specify the method used to obscure feedback of the authentication data to an operator during entry of the authentication data.

Assessment:

AS.03.28 (Level 2) Feedback provided to an operator during an attempted authentication shall not weaken the strength of the authentication mechanism.

==VE.03.28.01==

VE.03.28.01 (Level 2) The vendor documentation shall specify the feedback mechanism that is used when the operator is entering authentication data.

Assessment:

AS.03.29 Documentation shall specify:

*the authentication mechanisms supported by the cryptographic module,

*the types of authentication data required by the module to implement the supported authentication mechanisms,

*the authorized methods used to control access to the module for the first time and initialize the authentication mechanisms, and

*the strength of the authentication mechanisms supported by the module.

Assessment:

AS.03.30 If authentication mechanisms are not supported by the cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator.


Assessment:

==VE.03.30.01==

VE.03.30.01 The vendor shall document the type of authentication performed for the module. The vendor shall document the mechanisms used to perform the implicit or explicit selection of a role or set of roles and the authentication of the operator to assume the role(s).

Assessment:

==VE.03.30.02==

VE.03.30.02 The vendor provided nonproprietary security policy shall provide a description of the roles, either implicit or explicit, that the operator can assume.


Assessment:

==VE.03.30.03==

VE.03.30.03 The vendor provided non-proprietary security policy shall provide instructions for the operator to assume either the implicit or explicit roles.