ACS-3 Reporting Security Compliance




T13/e09151r2
October 5, 2010
Revision 2

Technical Editor:
Jim Hatfield
389 Disc Drive
Longmont, CO 80503
720-684-2120
James.C.Hatfield@Seagate.com

Document Status

Revision History

Rev   Date              Description
0     Dec. 1, 2009      1) Initial Revision
1     July 14, 2010     1) Complete rewrite
2     October 5, 2010   1) Added FIPS 140 status indicator
                        2) Added FIPS 197 status indicator
                        3) Applied comments from Aug. 2010 plenary

1 Introduction

As the embedded security market matures, more vendors will affirm conformance with various security standards. It is becoming important that devices be able to indicate to a host compliance with security standards. This proposal adds this capability.

2 Scope

Security compliance reporting may be applicable on devices that support advanced security interfaces like IEEE 1667 or TCG. Even devices that only support the ATA security feature set may have certifications. This proposal creates the ability to provide security compliance information to the host.

3 Overview

These changes are being proposed:
a) add references for some FIPS standards: e.g. FIPS 140-2, FIPS 140-3, and FIPS 197
b) define a data structure containing security compliance information
c) return that data structure via a new function of TRUSTED RECEIVE, for Security Protocol 00h

4 Changes to ACS-2

[editor's note: add these to 2.4 Other References]

For these FIPS Publications, contact NIST at http://www.nist.gov
a) FIPS PUB 140-2, SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES, May 25, 2001
b) FIPS PUB 140-3 (Revised DRAFT 09/11/09), SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES, 09/11/09
c) FIPS PUB 197, Advanced Encryption Standard (AES), Nov. 26, 2001

4.1 Changes to Clause 7 - Command Descriptions

4.2 TRUSTED RECEIVE - 5Ch, PIO Data-In (section 7.59)

4.2.1 Feature Set

This 28-bit command is mandatory for devices implementing the Trusted Computing feature set.

4.2.2 Description

4.2.3 Inputs

4.2.3.1 Overview

Name      Description
Feature   Security Protocol (see 4.2.3.2)
Count     Transfer Length (7:0) - See 4.2.3.4
LBA       Bit     Description
          27:24   Reserved
          23:8    SP Specific - Security Protocol Specific (word) (see 4.2.3.3)
          7:0     Transfer Length (15:8) - See 4.2.3.4
Device    Bit     Description
          7       Obsolete
          6       N/A
          5       Obsolete
          4       Transport Dependent - See 6.2.12
          3:0     Reserved
Command   7:0     5Ch

4.2.3.2 Security Protocol

4.2.3.3 SP Specific

4.2.3.4 Transfer Length

4.2.4 Normal outputs

4.2.5 Error outputs

4.2.6 Security Protocol 00h Description

4.2.6.1 Overview

The purpose of Security Protocol 00h is to return basic information about the device. A TRUSTED RECEIVE using Security Protocol field set to 00h is not linked to an earlier TRUSTED SEND command.

The Transfer Length field contains the number of 512-byte blocks of data to be transferred (e.g., one means 512 bytes, two means 1 024 bytes). A transfer length of zero is invalid.

The total data length shall conform to the Transfer Length field requirements (e.g., the total data length shall be a multiple of 512). Pad bytes shall be added as needed to meet this requirement. Pad bytes shall have a value of 00h.

If the length of the TRUSTED RECEIVE parameter data is greater than the Transfer Length, then the device shall return the TRUSTED RECEIVE parameter data truncated to the requested Transfer Length.

When the Security Protocol field is set to 00h, the SP Specific field is shown in table 1.

Table 1 Security Protocol 00h - SP Specific field descriptions for Protocol 00h

SP Specific    Description                                                Support
0000h          Return supported security protocol list (see 4.2.6.2)     Mandatory
0001h          Return a certificate (see 4.2.6.3)                         Mandatory
0002h          Return security compliance reporting data (see 4.2.6.4)   Optional
0003h-FFFFh    Reserved

If the SP Specific field is set to a reserved value, then the command shall be aborted.

Each time a TRUSTED RECEIVE command with Security Protocol field set to 00h is received, the device shall transfer the data starting with byte 0.

4.2.6.2 Supported security protocols list description

4.2.6.3 Certificate data description

4.2.6.4 Security compliance reporting

4.2.6.4.1 Security compliance reporting overview

The security compliance reporting data lists information about security-related standards that the device claims compliance to. Table 2 defines the security compliance data.

The security compliance data is a variable length, unsorted list of security compliance descriptors. The amount of data returned is one or more 512-byte data blocks, with pad bytes after the Compliance descriptor, at the end of the last data block returned. Pad bytes shall have the value 00h.

Table 2 TRUSTED RECEIVE parameter data for SP Specific=0002h

Byte                  Bits 7..0
0                     Reserved
1                     Reserved
2..3                  (MSB) Compliance Descriptor Length (M - 3) (LSB)
4..M                  Compliance descriptor bytes
M+1..(1 less than     Pad bytes (if any)

4.2.6.4.1.1 Compliance Descriptor Length

The length of the Compliance descriptors field the number of bytes (including the 8-byte header) that are available to be transferred.

4.2.6.4.1.2 Compliance Descriptor Bytes

This field shall contain zero or more compliance descriptors. The format of each descriptor varies according to type. The header of each descriptor contains a type identifier. Table 3 defines the compliance descriptor types. There may be more than one compliance descriptor with the same compliance descriptor type. Compliance descriptors may be placed in any order.

Table 3 Compliance Descriptor Type

Compliance Descriptor Type   Description                                        Reference                 Compliance Descriptor
0000h                        Reserved
0001h                        Security Requirements for Cryptographic Modules   FIPS 140-2, FIPS 140-3    4.2.6.4.2
0002h                        Advanced Encryption Standard (AES)                FIPS 197                  4.2.6.4.3
0003h..FFFFh                 Reserved

4.2.6.4.2 FIPS 140 Compliance Descriptor

4.2.6.4.2.1 Revision

For FIPS 140-2, the Revision shall be 2. For FIPS 140-3, the Revision shall be 3.

4.2.6.4.2.2 Overall security level

For FIPS 140-2, the Overall security level shall be 1, 2, 3 or 4. For FIPS 140-3, the Overall security level shall be 1, 2, 3 or 4.

4.2.6.4.2.3 Status Indicator

If bit 0 is set to one, then the device is operating in an approved FIPS 140 mode. If bit 0 is cleared to zero, then the device is not operating in an approved FIPS mode.

If bit 1 is set to one, then the device has failed a FIPS 140 self-test. If bit 1 is cleared to zero, then the device has not failed a FIPS 140 self-test.

4.2.6.4.2.4 Hardware version

The Hardware version field shall contain the version number of the hardware in the module (if appropriate).

4.2.6.4.2.5 Software/Firmware version

The Software/Firmware version field shall contain the version number of the software/firmware in the module (if appropriate).

4.2.6.4.2.6 Module name

The Module name field shall contain the name or identifier of the cryptographic module.

Table 4 FIPS 140 Compliance Descriptor

Byte Offset   Type   Length   Description
0..1          Word   2        Compliance Descriptor Type (0001h) (see table 3)
2..3          Word   2        Number of bytes of compliance descriptor data that follow
4             ATA    1        Revision (e.g., 2-3)
5             ATA    1        Overall security level (e.g., 1-4)
6             Byte   1        Status Indicators
                              Bit   Description
                              7:2   Reserved
                              1     Self-test failed
                              0     Operating in approved FIPS 140 mode
7             Byte   1        Reserved
8..39         ATA    32       Hardware version
40..71        ATA    32       Software/Firmware version
72..327       ATA    256      Module name
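A host-side parser for the parameter data laid out in tables 2 to 4, given here as an added example that is not part of the T13 proposal. Assumptions the proposal does not state: Word fields inside a descriptor are MSB first like the header length in table 2, one-byte ATA fields may hold either a binary value or an ASCII digit, and ATA text fields are plain ASCII in transfer order; sample_payload() is constructed test data.

```python
import struct

FIPS_140 = 0x0001  # compliance descriptor type, table 3

def _digit(b):
    # Assumption: a one-byte ATA field may hold binary 2 or ASCII '2'.
    return b - 0x30 if 0x30 <= b <= 0x39 else b

def _text(raw):
    # Assumption: plain ASCII in transfer order, padded with spaces or 00h.
    return raw.decode("ascii", "replace").strip(" \x00")

def parse_fips140(body):
    """Decode descriptor offsets 4..327 of table 4 (header already removed)."""
    if len(body) < 324:
        raise ValueError("FIPS 140 descriptor too short")
    return {
        "revision": _digit(body[0]),
        "level": _digit(body[1]),
        "approved_mode": bool(body[2] & 0x01),     # status bit 0
        "self_test_failed": bool(body[2] & 0x02),  # status bit 1
        "hardware": _text(body[4:36]),
        "firmware": _text(body[36:68]),
        "module": _text(body[68:324]),
    }

def parse_compliance(payload):
    """Walk the table 2 parameter data; return (FIPS 140 list, skipped types)."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte header")
    (total,) = struct.unpack_from(">H", payload, 2)  # bytes 2..3, MSB first
    end = min(4 + total, len(payload))  # data may be truncated to Transfer Length
    found, skipped, pos = [], [], 4
    while pos + 4 <= end:
        dtype, dlen = struct.unpack_from(">HH", payload, pos)  # assumed MSB first
        if pos + 4 + dlen > end:
            raise ValueError("descriptor at offset %d overruns the data" % pos)
        if dtype == FIPS_140:
            found.append(parse_fips140(payload[pos + 4 : pos + 4 + dlen]))
        else:
            skipped.append(dtype)  # reserved, or a type this example ignores
        pos += 4 + dlen
    return found, skipped

def sample_payload():
    # Constructed sample: one FIPS 140-2, level 2 descriptor padded to 512 bytes.
    body = b"22\x01\x00" + b"HW-A".ljust(32) + b"FW-1.0".ljust(32) + b"Example Module".ljust(256)
    desc = struct.pack(">HH", FIPS_140, len(body)) + body
    return (b"\x00\x00" + struct.pack(">H", len(desc)) + desc).ljust(512, b"\x00")
```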

4.2.6.4.3 FIPS 197 Compliance Descriptor

4.2.6.4.3.1 Revision

For FIPS 197, the Revision shall be TBD.

Table 5 FIPS 197 Compliance Descriptor

Byte Offset   Type   Length   Description
0..1          Word   2        Compliance Descriptor Type (0002h) (see table 3)
2..3          Word   2        Number of bytes of compliance descriptor data that follow
4             ATA    TBD      Revision