| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/12/2029 |
| Entropy | ENT (P) |
| Caveat | None |
| Vendor | Samsung Electronics Co., Ltd. |
| Hardware versions | MZWLR1T9HCJR-00AC9 [1, 3, 12, 13], MZWLR3T8HCLS-00AC9 [1, 3, 12, 13], MZWLR7T6HBLA-00AC9 [1, 3, 12, 13], MZWLR15THBLA-00AC9 [1, 3, 12, 13], MZWLR30THBLA-00AC9 [1, 3, 12, 13], MZWLR1T9HCJR-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T8HCLS-00AD9 [2, 4, 6, 7, 8, 9], MZWLR7T6HBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR15THBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR30THBLA-00AD9 [6, 7, 8, 9], MZWLR1T6HCJR-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T2HCLS-00AD9 [2, 4, 6, 7, 8, 9], MZWLR6T4HBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR12THBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T8HCLS-00AG6 [5, 10, 16], MZWLR3T8HCLS-00AV8 [5], MZWLR15THBLA-00AG6 [5, 10, 16], MZWLR3T8HCLS-00AGB [11, 14, 15], MZWLR15THBLA-00AGB [11, 14, 15] |
| Algorithm | ACVP Cert |
|---|---|
| AES-XTS | C1271 |
| Hash DRBG | A1720 |
| RSA SigVer (FIPS186-4) | A940 |
| SHA2-256 | C1272 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Roles, Services, and Authentication | 4 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>MPP92E5Q [1], MPP90D3Q [2], MPP95E5Q [3], MPP92D3Q…</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update the firmware8<br/>Error state in Boot</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Error State</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C6 clue;
class I1,I2,I3,I6 infer;
class R1,R2,R3,R6 risk;
class E1,E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>MPP92E5Q [1], MPP90D3Q [2], MPP95E5Q [3], MPP92D3Q…</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Update the firmware8<br/>Error state in Boot</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Error State</i><br/>src: securityPolicy.services"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3 clueHigh;
class C6 clueLow;Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series Document Version: 1.4 H/W Version: MZWLR1T6HCJR-00AD9, MZWLR1T9HCJR-00AC9, MZWLR1T9HCJR-00AD9, MZWLR3T2HCLS-00AD9, MZWLR3T8HCLS-00AC9, MZWLR3T8HCLS-00AD9, MZWLR3T8HCLS-00AV8, MZWLR3T8HCLS-00AG6, MZWLR15THBLA-00AG6, MZWLR6T4HBLA-00AD9, MZWLR7T6HBLA-00AC9, MZWLR7T6HBLA-00AD9, MZWLR12THBLA-00AD9, MZWLR15THBLA-00AC9, MZWLR30THBLA-00AC9, MZWLR15THBLA-00AD9, MZWLR30THBLA-00AD9, MZWLR3T8HCLS-00AGB, MZWLR15THBLA-00AGB F/W Version: MPP90D3Q, MPP92E5Q, MPP92D3Q, MPP93D3Q, MPP95E5Q, MPP95D3Q, MPP96D3Q, MPP97D3Q, MPP96E5Q, MPP97E5Q, NA50(MPPA165Q), NA50(MPP9065Q), NA51(MPP9165Q), NA50(MPP95G5Q), NA51(MPPA6G5Q), and NA52(MPP97G5Q)
| Version | Changes |
|---|---|
| 1.0 | Initial version |
| 1.1 | Update for MPP95D3Q, MPP96D3Q, MPP97D3Q, NA51, NA50 (MPPA165Q) |
| 1.2 | Update for MPP96E5Q |
| 1.3 | Update for MPP97E5Q |
| 1.4 | Update for NA50 (MPP9065Q) |
| 1.5 | Update for NA51 (MPP9165Q) and NA52 (MPP97G5Q) firmware |
Revision History 1.0 1.1 1.2 1.3 1.4 1.5 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| # | Section | Page |
|---|---|---|
| 1 | GENERAL | 4 |
| 1.1 | SCOPE | 4 |
| 1.2 | ACRONYMS | 4 |
| 2 | CRYPTOGRAPHIC MODULE SPECIFICATION | 5 |
| 2.1 | CRYPTOGRAPHIC BOUNDARY | 5 |
| 2.2 | VERSION INFORMATION | 6 |
| 2.3 | CRYPTOGRAPHIC FUNCTIONALITY | 7 |
| 2.3.1 | APPROVED ALGORITHM | 7 |
| 2.3.2 | NON-APPROVED ALGORITHM | 7 |
| 2.4 | APPROVED MODE OF OPERATION | 7 |
| 3 | CRYPTOGRAPHIC MODULE INTERFACES | 8 |
| 4 | ROLES, SERVICES, AND AUTHENTICATION | 9 |
| 4.1 | ROLE | 9 |
| 4.2 | APPROVED SERVICE | 9 |
| 4.3 | AUTHENTICATION | 10 |
| 5 | SOFTWARE/FIRMWARE SECURITY | 11 |
| 6 | OPERATIONAL ENVIRONMENT | 12 |
| 7 | PHYSICAL SECURITY | 13 |
| 8 | NON-INVASIVE SECURITY | 14 |
| 9 | SENSITIVE SECURITY PARAMETER MANAGEMENT | 15 |
| 10 | SELF-TESTS | 17 |
| 10.1 | PRE-OPERATIONAL TEST | 17 |
| 10.2 | CONDITIONAL TEST | 17 |
| 10.3 | ERROR STATES | 17 |
| 11 | LIFE-CYCLE ASSURANCE | 18 |
| 11.1 | SECURE INSTALLATION | 18 |
| 11.2 | OPERATIONAL DESCRIPTION OF MODULE | 18 |
| 12 | MITIGATION OF OTHER ATTACKS | 19 |
| Name | ISO Section | Requirement | Level | ISO/IEC 24759 Section 6. |
|---|---|---|---|---|
| 1 | 1 | General | 2 | |
| 2 | 2 | Cryptographic module specification | 2 | |
| 3 | 3 | Cryptographic module interfaces | 2 | |
| 4 | 4 | Roles, services, and authentication | 2 | |
| 5 | 5 | Software/Firmware security | 2 | |
| 6 | 6 | Operational environment | N/A | |
| 7 | 7 | Physical security | 2 | |
| 8 | 8 | Non-invasive security | N/A | |
| 9 | 9 | Sensitive security parameter management | 2 | |
| 10 | 10 | Self-tests | 2 | |
| 11 | 11 | Life-cycle assurance | 2 | |
| 12 | 12 | Mitigation of other attacks | N/A | |
| Acronym | Description | Acronym | ||
| CTRL | CTRL | Controller | ||
| CPU | CPU | Central Processing Unit (ARM-based) | ||
| DRAM | DRAM | Dynamic Random Access Memory | ||
| DRAM I/F | DRAM I/F | Dynamic Random Access Memory Interface | ||
| ECC | ECC | Error Correcting Code | ||
| KAT | KAT | Known Answer Test | ||
| LBA | LBA | Logical Block Address | ||
| MD/EE | MD/EE | Manual Distribution/Electronic Entry | ||
| MEK | MEK | Media Encryption Key | ||
| NAND | NAND | NAND Flash Memory | ||
| NAND I/F | NAND I/F | NAND Flash Interface | ||
| NVMe | NVMe | Non-Volatile Memory Host Controller Interface Specification | ||
| ROM | ROM | Read-only Memory | ||
| SFR | SFR | Special Function Register |
1.1. Scope This document specifies the security policy for Samsung Electronics Co., Ltd. (“Samsung”) SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series, herein after referred to as a “cryptographic module” or “module”, SSD (Solid State Drive), satisfies all applicable FIPS 140-3 Security Level 2 requirements of a hardware module, supporting TCG Opal SSC based SED (Self-Encrypting Drive) features, designed to protect unauthorized access to the user data stored in its NAND flash memories. The built-in AES hardware engines in the cryptographic module’s controller provide on-the-fly encryption and decryption of the user data without performance loss. The SED’s nature also provides instantaneous sanitization of the user data via cryptographic erase. [Number Below] Table
| Name | Hardware Version | Firmware Version | ||
|---|---|---|---|---|
| PM1733a | MZWLR3T8HCLS-00AG6 | 3.84TB | PM1733a | NA50 (MPP95G5Q), NA51 (MPPA6G5Q) NA52 (MPP97G5Q) |
| MZWLR15THBLA-00AG6 | MZWLR15THBLA-00AG6 | 15.36TB | ||
| MZWLR3T8HCLS-00AV8 | MZWLR3T8HCLS-00AV8 | 3.84TB | NA50 (MPP95G5Q) | |
| MZWLR3T8HCLS-00AGB | MZWLR3T8HCLS-00AGB | 3.84TB | NA50 (MPPA165Q) NA50 (MPP9065Q) NA51(MPP9165Q) | |
| MZWLR15THBLA-00AGB | MZWLR15THBLA-00AGB | 15.36TB | ||
| MZWLR1T9HCJR-00AC9 | MZWLR1T9HCJR-00AC9 | 1.92TB | MPP92E5Q, MPP95E5Q, MPP96E5Q MPP97E5Q | |
| MZWLR3T8HCLS-00AC9 | MZWLR3T8HCLS-00AC9 | 3.84TB | ||
| MZWLR7T6HBLA-00AC9 | MZWLR7T6HBLA-00AC9 | 7.68TB | ||
| MZWLR15THBLA-00AC9 | MZWLR15THBLA-00AC9 | 15.36TB | ||
| MZWLR30THBLA-00AC9 | MZWLR30THBLA-00AC9 | 30.72TB | ||
| MZWLR30THBLA-00AD9 | MZWLR30THBLA-00AD9 | 30.72TB | MPP93D3Q, MPP95D3Q, MPP96D3Q MPP97D3Q | |
| MZWLR1T9HCJR-00AD9 | MZWLR1T9HCJR-00AD9 | 1.92TB | MPP90D3Q, MPP92D3Q, MPP93D3Q, MPP95D3Q, MPP96D3Q MPP97D3Q | |
| MZWLR3T8HCLS-00AD9 | MZWLR3T8HCLS-00AD9 | 3.84TB | ||
| MZWLR7T6HBLA-00AD9 | MZWLR7T6HBLA-00AD9 | 7.68TB | ||
| MZWLR15THBLA-00AD9 | MZWLR15THBLA-00AD9 | 15.36TB | ||
| PM1735a | MZWLR1T6HCJR-00AD9 | 1.6TB | PM1735a | |
| MZWLR3T2HCLS-00AD9 | MZWLR3T2HCLS-00AD9 | 3.2TB | ||
| MZWLR6T4HBLA-00AD9 | MZWLR6T4HBLA-00AD9 | 6.4TB | ||
| MZWLR12THBLA-00AD9 | MZWLR12THBLA-00AD9 | 12.8TB |
The firmware utilizes a single chip controller with an NVMe interface on the system side as well as Samsung NAND flash. The following figure depicts the module operational environment. The firmware within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. Any firmware loaded into this module that is not shown on the module certificate, is out of the scope of this validation and requires a separate FIPS 140-3 validation Figure 2. Block Diagram for Samsung SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series 2.2. Version information Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | CAVP Cert | Mode Method | Key Size | Use Function | Description/ Key Size(s)/ Key Strength(s) |
|---|---|---|---|---|---|
| AES / FIPS 197, SP 800-38E | C12711 | XTS | 256 bits | Data Encryption / Decryption (Only used for storage) | |
| DRBG / SP 800-90A Rev. 1 | A1720 | Hash_ DRBG (SHA-256) | N/A | Deterministic Random Bit Generation | |
| RSA / FIPS 186-4 | A940 | PSS SigVer (SHA-256) | 3072 bits | Digital Signature Verification | |
| SHS / FIPS 180-4 | C1272 | SHA-256 | N/A | Message Digest | |
| CKG / SP 800-133 Rev2 | Vendor Affirmed | Section 4 and Section 6.1 | N/A | Cryptographic Key Generation (Symmetric Keys) | |
| ENT (P) / SP800-90B | N/A | N/A | N/A | Non-deterministic Random Number Generator (Only used for generating seed materials for the Approved DRBG) ENT (P) provides a minimum of 256 bits of entropy for DRBG seed | |
| AES-XTS / FIPS 197, SP 800-38E | AES-XTS / FIPS 197, SP 800-38E | No Security Claimed; AES-XTS is only used for firmware removal of obfuscation during ROM initialized. (IG 2.4.A Scenario #2) | Firmware Removal of obfuscation | ||
| AES-CCM / FIPS 197, SP 800-38C | AES-CCM / FIPS 197, SP 800-38C | No Security Claimed; Non-approved algorithms here are only used for obfuscation and removal of obfuscation the CSP. (IG 2.4.A Scenario #1) | Key obfuscation and Removal of obfuscation | ||
| PBKDF2 | PBKDF2 | Non-SSP Derivation | |||
| HMAC / SHA-256 (SHS Cert.# C1272) | HMAC / SHA-256 (SHS Cert.# C1272) | Non-SSP Derivation |
Table 3. Cryptographic Module Tested Configuration 2.3. Cryptographic Functionality 2.3.1. C1271 1 N/A N/A N/A N/A N/A N/A 2.3.2. Following algorithms are not intended to be used as a security function, and not used whatsoever to meet any FIPS 1403 requirements. These algorithms are not provided through a non-approved service to an operator. #1) 2.4. The module only has a single approved mode of operation and does not have a non-approved mode of operation. The cryptographic module shows the approved mode through validated version status by Show Status Service in Table 9 via NVM express Identify Controller command. AES-ECB is the pre-requisite for AES-XTS; AES-ECB alone is NOT supported by the cryptographic module in Approved Mode. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| NVMe Connector | NVMe Connector | Data Input | plaintext data; signed data; authentication data |
| Data Output | Data Output | plaintext data; | |
| Control Input | Control Input | commands input logically via an API (e.g., for the software and firmware components of the cryptographic module); signals input logically or physically via one or more physical ports (e.g., for the hardware components of the cryptographic module); | |
| Status Output | Status Output | status information output logically via an API; signal outputs logically or physically via one or more physical ports; | |
| Power Input | Power Input | Power input |
Table 6. Ports and Interfaces Note: The module does not implement the Control Output Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output | W | Z | G |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Lock/Unlock an LBA Range | Cryptographic Officer (CO) and User | LBA Range | Status | ||||||||
| Erase an LBA Range’s Data | LBA Range | Status | |||||||||
| Change the Password. | CO | CO Password | Status | ||||||||
| Set User Password | User | User Password | Status | ||||||||
| Change the Password. | Change CO password | CO | CO Password | SHA-256 | O | UID: AdminSP_SID_C_PIN / AdminSP_Admin1_C_PIN TCG Method: Set Result: TCG status code | O | O | |||
| Hashed CO Authentication Data | Hashed CO Authentication Data | O | O | O | |||||||
| Set User Password | Set User Password | User | User Password | SHA-256 | O | UID: LockingSP_Admin1~4_C_PIN / LockingSP_User1~9_C_PIN TCG Method: Set Result: TCG status code | O | O | |||
| Hashed User Authentication Data | Hashed User Authentication Data | O | O | O | |||||||
| Lock/Unlock an LBA Range4 | Block or allow read (decrypt) / write (encrypt) of user data. | CO, User | MEK | N/A | UID: Locking_GlobalRange / Locking_RangeNNNN TCG Method: Set Result: TCG status code | O | O | ||||
| Erase an LBA Range’s Data | Erase user data by changing the data encryption key. | DRBG Internal State | Hash_ DRBG (SHA-256) | O | UID: K_AES_256_GlobalRange_Key / K_AES_256_RangeNNNN_Key TCG Method: GenKey Result: TCG status code | O | O | O | |||
| MEK | MEK | O | O | O |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output | W | Z | G |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Lock/Unlock an LBA Range | Cryptographic Officer (CO) and User | LBA Range | Status | ||||||||
| Erase an LBA Range’s Data | LBA Range | Status | |||||||||
| Change the Password. | CO | CO Password | Status | ||||||||
| Set User Password | User | User Password | Status | ||||||||
| Change the Password. | Change CO password | CO | CO Password | SHA-256 | O | UID: AdminSP_SID_C_PIN / AdminSP_Admin1_C_PIN TCG Method: Set Result: TCG status code | O | O | |||
| Hashed CO Authentication Data | Hashed CO Authentication Data | O | O | O | |||||||
| Set User Password | Set User Password | User | User Password | SHA-256 | O | UID: LockingSP_Admin1~4_C_PIN / LockingSP_User1~9_C_PIN TCG Method: Set Result: TCG status code | O | O | |||
| Hashed User Authentication Data | Hashed User Authentication Data | O | O | O | |||||||
| Lock/Unlock an LBA Range4 | Block or allow read (decrypt) / write (encrypt) of user data. | CO, User | MEK | N/A | UID: Locking_GlobalRange / Locking_RangeNNNN TCG Method: Set Result: TCG status code | O | O | ||||
| Erase an LBA Range’s Data | Erase user data by changing the data encryption key. | DRBG Internal State | Hash_ DRBG (SHA-256) | O | UID: K_AES_256_GlobalRange_Key / K_AES_256_RangeNNNN_Key TCG Method: GenKey Result: TCG status code | O | O | O | |||
| MEK | MEK | O | O | O |
4 The CO can grant Users the authority to utilize this service via updating the “Locking SP ACE Table”, in accordance with the TCG specification
(included in the Lock/Unlock an LBA Range service). Initially, only the CO can perform this service. This module provides an indicator which shows when Self-Initiated Cryptographic Output Capability is activated or inactivated. The operator can check whether the target range is locked or unlocked through the ‘getLockingTable’ query per the TCG specification. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | Description | Roles | Csps Accessed | Approved Functions | Indicator | Role | |||
|---|---|---|---|---|---|---|---|---|---|
| Show Status6 | Show approved version status of the module / FIPS fail mode | N/A | N/A | NVM Command: Identify Controller command Result: Status Code | N/A | ||||
| Authentication | Authenticate to the module | O | CO Password | SHA-256 | UID: AdminSP_SID / AdminSP_Admin1 / LockingSP_Admin1~4 / LockingSP_User1~9 TCG Method: Authenticate Result: TCG status code | O | |||
| User Password | O | User Password | O | ||||||
| Get Random Number | Provide a random number generated by the CM. | O | DRBG Internal State | Hash_ DRBG (SHA-256) | UID: ThisSP TCG Method: Random Result: TCG status code | O | |||
| IO Command7 | Read/Write user data | O | MEK | AES-XTS | NVM Command: Write / Read Result: Status Code | ||||
| Revert | Erase user data in all Range by changing the data encryption key and clearing the authentication data | O | DRBG Internal State | Hash_ DRBG (SHA-256) | UID: SPObj(AdminSP) TCG Method: Revert Result: TCG status code | O | |||
| MEK | MEK | O | O | O | |||||
| Hashed CO Authentication Data | Hashed CO Authentication Data | O | |||||||
| Hashed User Authentication Data | Hashed User Authentication Data | O | |||||||
| FormatNVM / Sanitize / DeleteNS | Erase user data by changing the data encryption key. | O | DRBG Internal State | Hash_ DRBG (SHA-256) | Admin Command: Format NVM / Sanitize / Namespace Management Result: Status Code | O | O | O | |
| MEK | MEK | O | O | O | |||||
| Update the firmware8 | Update the firmware | O | Firmware Verification Key | RSA | Admin Command: Firmware Commit Result: Status Code | O | |||
| Perform Self-tests | Power cycling the module to perform self-tests | N/A | N/A | N/A |
| Role | Authentication Method | Authentication Strength | |||
|---|---|---|---|---|---|
| CO | Password (Min: 8 bytes, Max: 32 bytes) | Probability of 1/264 in a single random attempt Probability of 80/264 in multiple random attempts in a minute | |||
| User |
Following table shows unauthenticated services. It is initially possible to use the services in following table without authentication. The operator can be configured setting that complied with NVM, TCG spec. N/A E W G Z N/A O O O O N/A N/A N/A O Indicator 5 O O O O O O O O O O O O O O N/A Table
6 The cryptographic module shows the hardware version and firmware version through the ‘Model Number (MN)’ and ‘Firmware Revision (FR)’
7 The I/O command itself is the approved service where Self-Initiated Cryptographic Output Capability occurs, while the unlock request (via
Lock/Unlock an LBA range” service) is the authorized enablement of this capability.
8 This service is exempted from being authenticated by exception clause (c) of IG 4.1.A.
Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
5. Software/Firmware Security The cryptographic module employs the 428-byte parity for firmware integrity test. The firmware integrity test is performed when power on reset. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
6. Operational Environment The cryptographic module operates in a limited operational environment that is consist of the module’s firmware. This operational environment does not require any specific security rules, settings, configurations or restrictions to be set. The cryptographic module does not provide any general-purpose operating system to the operator. Unauthorized modification of the firmware is prevented by the pre-operational firmware integrity test and conditional firmware load test. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Physical Security Mechanisms | Recommended Frequency of Inspection/Test | Inspection/Test Guidance Details |
|---|---|---|
| Production grade cases | As often as feasible | Inspect the entire perimeter for cracks, gouges, lack of screw(s) and other signs of tampering. Remove from service if tampering found. |
| Tamper-evident Sealing Labels | Inspect the sealing labels for scratches, gouges, cuts and other signs of tampering. Remove from service if tampering found. |
The following physical security mechanisms are implemented in a cryptographic module:
2 tamper-evident labels are applied over both top and bottom cases of the module at the factory. The tamper-evident
labels are not removed and reapplied without tamper evidence. The tamper-evident labels are applied by Samsung at Manufacturing. The following table summarizes the actions required by the Cryptographic Officer Role to ensure that physical security is maintained: Figure 3. Tamper Evident Label Placement Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
8. Non-Invasive Security Non-invasive security has not applicable for this cryptographic module. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | Strength | Security Function | Generation | Establishment | Storage | Import Export | Key/SSP Name/ Type | Zeroisation |
|---|---|---|---|---|---|---|---|---|
| MEK | 256-bit | A1720 Hash_ DRBG (SHA-256) | SP 800-90A HASH_DRBG (SHA-256) | N/A | Plaintext in RAM | N/A | DRBG Internal State9 | Power on Reset |
| MEK | 256-bit | A1720 Hash_ DRBG (SHA-256) | ENT (P) | N/A | Plaintext in RAM | N/A | DRBG Seed | Power on Reset |
| MEK | 256-bit | A1720 Hash_ DRBG (SHA-256) | ENT (P) | N/A | Plaintext in RAM | N/A | DRBG Entropy Input String | Power on Reset |
| N/A | Min. 64- bit | N/A | N/A | N/A | Plaintext in RAM | MD/EE | CO Password | Via “Authentication ” service |
| N/A | Min. 64- bit | N/A | N/A | N/A | Plaintext in RAM | MD/EE | User Password | Via “Authentication ” service |
| N/A | 128-bit | C1272 SHA-256 | Hashed from Password as per SHA-256 | N/A | Plaintext in Flash | N/A | Hashed CO Authenticati on Data | Via “Change the Password” and Revert” service |
| N/A | 128-bit | C1272 SHA-256 | Hashed from Password as per SHA-256 | N/A | Plaintext in Flash | N/A | Hashed User Authenticati on Data | Via “Set User Password” and Revert” service |
| N/A | 256-bit | C1271 AES-XTS | SP 800-90A HASH_DRBG (SHA-256) | N/A | Plain Text in RAM, Flash | N/A | MEK | Via “Unlock an LBA Range”, “Erase an LBA Range’s Data”, “Revert” and “FormatNVM / Sanitize / DeleteNS” service |
| Firmwa re load test | 128-bit | A940 RSA | N/A | N/A | Plaintext in Hardware SFR | Entered during manufacturi ng | Firmware Verification Key | Right after FW load test |
| Plaintext in Flash | Plaintext in Flash | N/A |
| Name | Key Size | |
|---|---|---|
| Details | Minimum Number of Bits of Entropy | Entropy Sources |
| Entropy source for Hash_DRBG | - 0.5 entropy per bit - Minimum of 256 bits of entropy for DRBG seed (Total seed size of 512 bits). | ENT (P) |
The module contains an entropy source, compliant with SP 800-90B, within the module’s cryptographic boundary. Table 13. Non-Deterministic Random Number Generation Specification Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
| Name | Algorithm Or Test | Test Type | Details |
|---|---|---|---|
| DRBG | DRBG | Cryptographic algorithm self-test | KATs for Hash_DRBG (SHA-256) described in SP 800-90A Section 11.3.1, 11.3.2, 11.3.3, 11.3.4 KAT performed with 512-bit entropy input |
| AES-XTS | AES-XTS | Cryptographic algorithm self-test | Encrypt and Decrypt KAT performed with 512-bit key size |
| SHA | SHA | Cryptographic algorithm self-test | Hash Digest KAT performed with 256-bit message size |
| RSA | RSA | Cryptographic algorithm self-test | Verify KAT performed with 3072 Modulus (3072-bit key size) and SHA-256. |
| RSA | RSA | Firmware load test | Perform using RSA-3072 with SHA-256 when new firmware is downloaded. |
| ENT (P) | ENT (P) | Cryptographic algorithm self-test | Perform the below 2 types of tests and each test includes the Repetition Count test and Adaptive Proportion test described in SP800-90B. • Start-up test is performed for Entropy Source after power on reset. • Continuous test is performed for Entropy Source while the module is operating |
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Error state in Boot | The module does not provide any crypto operation. | Integrity test or SP 800-90B start-up failure during boot | Hang state. No action | Power cycle |
| Error State | Any other self-test failure | If the module enters the FIPS Fail Mode, Show Status service indicates “ERRORMOD” in Firmware Revision (FR). |
While executing the following self-tests, all data output is inhibited until self-test completion. To execute the preoperational tests on-demand, the operator may power-cycle the module. If a cryptographic module fails a self-test, the module will enter an error state. While in this state, all data output is inhibited. 10.1. Pre-operational Test • Firmware integrity check is performed by using 428-byte parity at power-on. 10.2. Conditional Test • • • Table
11. Life-Cycle Assurance The following specifies the security rules under which the cryptographic module shall operate in accordance with FIPS 140-3:
| Other Attacks | Mitigation | Specific Limitations | |
|---|---|---|---|
| Mechanism | |||
| N/A | N/A | N/A |
The cryptographic module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-3. N/A N/A N/A Table 16. Mitigation of Other Attacks Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy