beautypg.com

8 self-tests – HP FIPS 140-2 User Manual

Page 19

background image

Security Policy, version 1.0

January 31, 2008

HP StorageWorks Secure Key Manager

Page 19 of 26

© 2008 Hewlett-Packard Company

This document may be freely reproduced in its original entirety.

Key

Key Type

Generation /

Input

Output

Storage

Zeroization

Use

Log signing
keys

1024-bit RSA
public and
private keys

Generated by
ANSI X9.31
DRNG at first-
time
initialization

Never In

non-volatile

memory

When new log
signing keys are
generated on
demand by
Crypto Officer

Sign logs and
verify signature
on logs

ANSI X9.31
DRNG
seed

DRNG seed

Generated by
non-Approved
RNG

Never In

non-volatile

memory

When module is
powered off

Initialize ANSI
X9.31 DRNG

PKEK 256-bit

AES

key

Generated by
ANSI X9.31
DRNG

In encrypted
form for backup
purposes only

In non-volatile
memory

At operator delete
or by zeroize
request

Encrypt client
keys

2.7.2 Key

Generation

The module uses an ANSI X9.31 DRNG with 2-key 3DES to generate cryptographic keys. This DRNG is a FIPS
140-2 approved DRNG as specified in Annex C to FIPS PUB 140-2.

2.7.3 Key/CSP

Zeroization

All ephemeral keys are stored in volatile memory in plaintext. Ephemeral keys are zeroized when they are no longer
used. Other keys and CSPs are stored in non-volatile memory with client keys being stored in encrypted form.

To zeroize all keys and CSPs in the module, the Crypto Officer should execute the reset factory settings
zeroize

command at the serial console interface. For security reasons, this command is available only through the

serial console.

2.8 Self-Tests

The device implements two types of self-tests: power-up self-tests and conditional self-tests.

Power-up self-tests include the following tests:

• Firmware integrity tests

• Known Answer Test (KAT) on 3DES

• KAT on AES

• KAT on SHA-1

• KAT on SHA-256

• KAT on SHA-384

• KAT on SHA-512

• KAT on HMAC SHA-1

• KAT on HMAC SHA-256

• KAT on ANSI X9.31 DRNG

• KAT on Diffie-Hellman

• KAT on SSH Key Derivation Function

• KAT on RSA signature generation and verification

• Pairwise consistency test on DSA signature generation and verification

Conditional self-tests include the following tests:

See also other documents in the category HP Hardware: