All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series

Certificate#4709StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSamsung Electronics Co., Ltd.
Low review priority  ·  no TCB surface named  ·  last validated 3 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date6/12/2029
EntropyENT (P)
CaveatNone
VendorSamsung Electronics Co., Ltd.
Hardware versionsMZWLR1T9HCJR-00AC9 [1, 3, 12, 13], MZWLR3T8HCLS-00AC9 [1, 3, 12, 13], MZWLR7T6HBLA-00AC9 [1, 3, 12, 13], MZWLR15THBLA-00AC9 [1, 3, 12, 13], MZWLR30THBLA-00AC9 [1, 3, 12, 13], MZWLR1T9HCJR-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T8HCLS-00AD9 [2, 4, 6, 7, 8, 9], MZWLR7T6HBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR15THBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR30THBLA-00AD9 [6, 7, 8, 9], MZWLR1T6HCJR-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T2HCLS-00AD9 [2, 4, 6, 7, 8, 9], MZWLR6T4HBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR12THBLA-00AD9 [2, 4, 6, 7, 8, 9], MZWLR3T8HCLS-00AG6 [5, 10, 16], MZWLR3T8HCLS-00AV8 [5], MZWLR15THBLA-00AG6 [5, 10, 16], MZWLR3T8HCLS-00AGB [11, 14, 15], MZWLR15THBLA-00AGB [11, 14, 15]

Approved Algorithms (4)

AlgorithmACVP Cert
AES-XTSC1271
Hash DRBGA1720
RSA SigVer (FIPS186-4)A940
SHA2-256C1272

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Roles, Services, and Authentication4
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>MPP92E5Q [1], MPP90D3Q [2], MPP95E5Q [3], MPP92D3Q…</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update the firmware8<br/>Error state in Boot</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Error State</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C6 clue;
  class I1,I2,I3,I6 infer;
  class R1,R2,R3,R6 risk;
  class E1,E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>MPP92E5Q [1], MPP90D3Q [2], MPP95E5Q [3], MPP92D3Q…</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Update the firmware8<br/>Error state in Boot</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Error State</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3 clueHigh;
  class C6 clueLow;

Security Policy, page by page

Page 1

Samsung NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series Document Version: 1.4 H/W Version: MZWLR1T6HCJR-00AD9, MZWLR1T9HCJR-00AC9, MZWLR1T9HCJR-00AD9, MZWLR3T2HCLS-00AD9, MZWLR3T8HCLS-00AC9, MZWLR3T8HCLS-00AD9, MZWLR3T8HCLS-00AV8, MZWLR3T8HCLS-00AG6, MZWLR15THBLA-00AG6, MZWLR6T4HBLA-00AD9, MZWLR7T6HBLA-00AC9, MZWLR7T6HBLA-00AD9, MZWLR12THBLA-00AD9, MZWLR15THBLA-00AC9, MZWLR30THBLA-00AC9, MZWLR15THBLA-00AD9, MZWLR30THBLA-00AD9, MZWLR3T8HCLS-00AGB, MZWLR15THBLA-00AGB F/W Version: MPP90D3Q, MPP92E5Q, MPP92D3Q, MPP93D3Q, MPP95E5Q, MPP95D3Q, MPP96D3Q, MPP97D3Q, MPP96E5Q, MPP97E5Q, NA50(MPPA165Q), NA50(MPP9065Q), NA51(MPP9165Q), NA50(MPP95G5Q), NA51(MPPA6G5Q), and NA52(MPP97G5Q)

Page 2
VersionChanges
1.0Initial version
1.1Update for MPP95D3Q, MPP96D3Q, MPP97D3Q, NA51, NA50 (MPPA165Q)
1.2Update for MPP96E5Q
1.3Update for MPP97E5Q
1.4Update for NA50 (MPP9065Q)
1.5Update for NA51 (MPP9165Q) and NA52 (MPP97G5Q) firmware

Revision History 1.0 1.1 1.2 1.3 1.4 1.5 Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 3
Table of Contents
#SectionPage
1GENERAL4
1.1SCOPE4
1.2ACRONYMS4
2CRYPTOGRAPHIC MODULE SPECIFICATION5
2.1CRYPTOGRAPHIC BOUNDARY5
2.2VERSION INFORMATION6
2.3CRYPTOGRAPHIC FUNCTIONALITY7
2.3.1APPROVED ALGORITHM7
2.3.2NON-APPROVED ALGORITHM7
2.4APPROVED MODE OF OPERATION7
3CRYPTOGRAPHIC MODULE INTERFACES8
4ROLES, SERVICES, AND AUTHENTICATION9
4.1ROLE9
4.2APPROVED SERVICE9
4.3AUTHENTICATION10
5SOFTWARE/FIRMWARE SECURITY11
6OPERATIONAL ENVIRONMENT12
7PHYSICAL SECURITY13
8NON-INVASIVE SECURITY14
9SENSITIVE SECURITY PARAMETER MANAGEMENT15
10SELF-TESTS17
10.1PRE-OPERATIONAL TEST17
10.2CONDITIONAL TEST17
10.3ERROR STATES17
11LIFE-CYCLE ASSURANCE18
11.1SECURE INSTALLATION18
11.2OPERATIONAL DESCRIPTION OF MODULE18
12MITIGATION OF OTHER ATTACKS19
Page 4
Security level
NameISO SectionRequirementLevelISO/IEC 24759 Section 6.
11General2
22Cryptographic module specification2
33Cryptographic module interfaces2
44Roles, services, and authentication2
55Software/Firmware security2
66Operational environmentN/A
77Physical security2
88Non-invasive securityN/A
99Sensitive security parameter management2
1010Self-tests2
1111Life-cycle assurance2
1212Mitigation of other attacksN/A
AcronymDescriptionAcronym
CTRLCTRLController
CPUCPUCentral Processing Unit (ARM-based)
DRAMDRAMDynamic Random Access Memory
DRAM I/FDRAM I/FDynamic Random Access Memory Interface
ECCECCError Correcting Code
KATKATKnown Answer Test
LBALBALogical Block Address
MD/EEMD/EEManual Distribution/Electronic Entry
MEKMEKMedia Encryption Key
NANDNANDNAND Flash Memory
NAND I/FNAND I/FNAND Flash Interface
NVMeNVMeNon-Volatile Memory Host Controller Interface Specification
ROMROMRead-only Memory
SFRSFRSpecial Function Register

1.1. Scope This document specifies the security policy for Samsung Electronics Co., Ltd. (“Samsung”) SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series, herein after referred to as a “cryptographic module” or “module”, SSD (Solid State Drive), satisfies all applicable FIPS 140-3 Security Level 2 requirements of a hardware module, supporting TCG Opal SSC based SED (Self-Encrypting Drive) features, designed to protect unauthorized access to the user data stored in its NAND flash memories. The built-in AES hardware engines in the cryptographic module’s controller provide on-the-fly encryption and decryption of the user data without performance loss. The SED’s nature also provides instantaneous sanitization of the user data via cryptographic erase. [Number Below] Table

  1. Security Levels 1.2. Acronyms Table
  2. Acronyms Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy N/A N/A N/A
Page 5
  1. Cryptographic Module Specification 2.1. Cryptographic Boundary The following photographs show the cryptographic module’s top and bottom views. The multiple-chip standalone cryptographic module consists of hardware and firmware components that are all enclosed in two aluminum alloy cases, which serve as the cryptographic boundary of the module. Figure
  2. Specification of the Samsung SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series Cryptographic Boundary Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
Page 6
Module configuration
NameHardware VersionFirmware Version
PM1733aMZWLR3T8HCLS-00AG63.84TBPM1733aNA50 (MPP95G5Q), NA51 (MPPA6G5Q) NA52 (MPP97G5Q)
MZWLR15THBLA-00AG6MZWLR15THBLA-00AG615.36TB
MZWLR3T8HCLS-00AV8MZWLR3T8HCLS-00AV83.84TBNA50 (MPP95G5Q)
MZWLR3T8HCLS-00AGBMZWLR3T8HCLS-00AGB3.84TBNA50 (MPPA165Q) NA50 (MPP9065Q) NA51(MPP9165Q)
MZWLR15THBLA-00AGBMZWLR15THBLA-00AGB15.36TB
MZWLR1T9HCJR-00AC9MZWLR1T9HCJR-00AC91.92TBMPP92E5Q, MPP95E5Q, MPP96E5Q MPP97E5Q
MZWLR3T8HCLS-00AC9MZWLR3T8HCLS-00AC93.84TB
MZWLR7T6HBLA-00AC9MZWLR7T6HBLA-00AC97.68TB
MZWLR15THBLA-00AC9MZWLR15THBLA-00AC915.36TB
MZWLR30THBLA-00AC9MZWLR30THBLA-00AC930.72TB
MZWLR30THBLA-00AD9MZWLR30THBLA-00AD930.72TBMPP93D3Q, MPP95D3Q, MPP96D3Q MPP97D3Q
MZWLR1T9HCJR-00AD9MZWLR1T9HCJR-00AD91.92TBMPP90D3Q, MPP92D3Q, MPP93D3Q, MPP95D3Q, MPP96D3Q MPP97D3Q
MZWLR3T8HCLS-00AD9MZWLR3T8HCLS-00AD93.84TB
MZWLR7T6HBLA-00AD9MZWLR7T6HBLA-00AD97.68TB
MZWLR15THBLA-00AD9MZWLR15THBLA-00AD915.36TB
PM1735aMZWLR1T6HCJR-00AD91.6TBPM1735a
MZWLR3T2HCLS-00AD9MZWLR3T2HCLS-00AD93.2TB
MZWLR6T4HBLA-00AD9MZWLR6T4HBLA-00AD96.4TB
MZWLR12THBLA-00AD9MZWLR12THBLA-00AD912.8TB

The firmware utilizes a single chip controller with an NVMe interface on the system side as well as Samsung NAND flash. The following figure depicts the module operational environment. The firmware within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. Any firmware loaded into this module that is not shown on the module certificate, is out of the scope of this validation and requires a separate FIPS 140-3 validation Figure 2. Block Diagram for Samsung SSD NVMe TCG Opal SSC SEDs PM1733a/PM1735a Series 2.2. Version information Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionDescription/ Key Size(s)/ Key Strength(s)
AES / FIPS 197, SP 800-38EC12711XTS256 bitsData Encryption / Decryption (Only used for storage)
DRBG / SP 800-90A Rev. 1A1720Hash_ DRBG (SHA-256)N/ADeterministic Random Bit Generation
RSA / FIPS 186-4A940PSS SigVer (SHA-256)3072 bitsDigital Signature Verification
SHS / FIPS 180-4C1272SHA-256N/AMessage Digest
CKG / SP 800-133 Rev2Vendor AffirmedSection 4 and Section 6.1N/ACryptographic Key Generation (Symmetric Keys)
ENT (P) / SP800-90BN/AN/AN/ANon-deterministic Random Number Generator (Only used for generating seed materials for the Approved DRBG) ENT (P) provides a minimum of 256 bits of entropy for DRBG seed
AES-XTS / FIPS 197, SP 800-38EAES-XTS / FIPS 197, SP 800-38ENo Security Claimed; AES-XTS is only used for firmware removal of obfuscation during ROM initialized. (IG 2.4.A Scenario #2)Firmware Removal of obfuscation
AES-CCM / FIPS 197, SP 800-38CAES-CCM / FIPS 197, SP 800-38CNo Security Claimed; Non-approved algorithms here are only used for obfuscation and removal of obfuscation the CSP. (IG 2.4.A Scenario #1)Key obfuscation and Removal of obfuscation
PBKDF2PBKDF2Non-SSP Derivation
HMAC / SHA-256 (SHS Cert.# C1272)HMAC / SHA-256 (SHS Cert.# C1272)Non-SSP Derivation

Table 3. Cryptographic Module Tested Configuration 2.3. Cryptographic Functionality 2.3.1. C1271 1 N/A N/A N/A N/A N/A N/A 2.3.2. Following algorithms are not intended to be used as a security function, and not used whatsoever to meet any FIPS 1403 requirements. These algorithms are not provided through a non-approved service to an operator. #1) 2.4. The module only has a single approved mode of operation and does not have a non-approved mode of operation. The cryptographic module shows the approved mode through validated version status by Show Status Service in Table 9 via NVM express Identify Controller command. AES-ECB is the pre-requisite for AES-XTS; AES-ECB alone is NOT supported by the cryptographic module in Approved Mode. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 8
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
NVMe ConnectorNVMe ConnectorData Inputplaintext data; signed data; authentication data
Data OutputData Outputplaintext data;
Control InputControl Inputcommands input logically via an API (e.g., for the software and firmware components of the cryptographic module); signals input logically or physically via one or more physical ports (e.g., for the hardware components of the cryptographic module);
Status OutputStatus Outputstatus information output logically via an API; signal outputs logically or physically via one or more physical ports;
Power InputPower InputPower input

Table 6. Ports and Interfaces Note: The module does not implement the Control Output Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 9
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputWZG
Lock/Unlock an LBA RangeCryptographic Officer (CO) and UserLBA RangeStatus
Erase an LBA Range’s DataLBA RangeStatus
Change the Password.COCO PasswordStatus
Set User PasswordUserUser PasswordStatus
Change the Password.Change CO passwordCOCO PasswordSHA-256OUID: AdminSP_SID_C_PIN / AdminSP_Admin1_C_PIN TCG Method: Set Result: TCG status codeOO
Hashed CO Authentication DataHashed CO Authentication DataOOO
Set User PasswordSet User PasswordUserUser PasswordSHA-256OUID: LockingSP_Admin1~4_C_PIN / LockingSP_User1~9_C_PIN TCG Method: Set Result: TCG status codeOO
Hashed User Authentication DataHashed User Authentication DataOOO
Lock/Unlock an LBA Range4Block or allow read (decrypt) / write (encrypt) of user data.CO, UserMEKN/AUID: Locking_GlobalRange / Locking_RangeNNNN TCG Method: Set Result: TCG status codeOO
Erase an LBA Range’s DataErase user data by changing the data encryption key.DRBG Internal StateHash_ DRBG (SHA-256)OUID: K_AES_256_GlobalRange_Key / K_AES_256_RangeNNNN_Key TCG Method: GenKey Result: TCG status codeOOO
MEKMEKOOO
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputWZG
Lock/Unlock an LBA RangeCryptographic Officer (CO) and UserLBA RangeStatus
Erase an LBA Range’s DataLBA RangeStatus
Change the Password.COCO PasswordStatus
Set User PasswordUserUser PasswordStatus
Change the Password.Change CO passwordCOCO PasswordSHA-256OUID: AdminSP_SID_C_PIN / AdminSP_Admin1_C_PIN TCG Method: Set Result: TCG status codeOO
Hashed CO Authentication DataHashed CO Authentication DataOOO
Set User PasswordSet User PasswordUserUser PasswordSHA-256OUID: LockingSP_Admin1~4_C_PIN / LockingSP_User1~9_C_PIN TCG Method: Set Result: TCG status codeOO
Hashed User Authentication DataHashed User Authentication DataOOO
Lock/Unlock an LBA Range4Block or allow read (decrypt) / write (encrypt) of user data.CO, UserMEKN/AUID: Locking_GlobalRange / Locking_RangeNNNN TCG Method: Set Result: TCG status codeOO
Erase an LBA Range’s DataErase user data by changing the data encryption key.DRBG Internal StateHash_ DRBG (SHA-256)OUID: K_AES_256_GlobalRange_Key / K_AES_256_RangeNNNN_Key TCG Method: GenKey Result: TCG status codeOOO
MEKMEKOOO
  1. Roles, Services, and Authentication 4.1. The following table defines the roles, and associated services supported by the each role: Table
  2. Roles, Service Commands, Input and Output 4.2. E: EXECUTE; W: WRITE; G: GENERATE; Z: ZEROISE E N/A W G Z O O O O O O O O O Indicator 3 O O Access 2 O O O O O O Table
  3. Authenticated Services It means that “Write” and “Zeroise” perform in each storage of SSPs that is described in Table
  4. The (R)ead column, which is specified in NIST SP 800-140B, is not applicable to the module.
3 The result of NVMe or TCG command is used as an indicator.

4 The CO can grant Users the authority to utilize this service via updating the “Locking SP ACE Table”, in accordance with the TCG specification

(included in the Lock/Unlock an LBA Range service). Initially, only the CO can perform this service. This module provides an indicator which shows when Self-Initiated Cryptographic Output Capability is activated or inactivated. The operator can check whether the target range is locked or unlocked through the ‘getLockingTable’ query per the TCG specification. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 10
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorRole
Show Status6Show approved version status of the module / FIPS fail modeN/AN/ANVM Command: Identify Controller command Result: Status CodeN/A
AuthenticationAuthenticate to the moduleOCO PasswordSHA-256UID: AdminSP_SID / AdminSP_Admin1 / LockingSP_Admin1~4 / LockingSP_User1~9 TCG Method: Authenticate Result: TCG status codeO
User PasswordOUser PasswordO
Get Random NumberProvide a random number generated by the CM.ODRBG Internal StateHash_ DRBG (SHA-256)UID: ThisSP TCG Method: Random Result: TCG status codeO
IO Command7Read/Write user dataOMEKAES-XTSNVM Command: Write / Read Result: Status Code
RevertErase user data in all Range by changing the data encryption key and clearing the authentication dataODRBG Internal StateHash_ DRBG (SHA-256)UID: SPObj(AdminSP) TCG Method: Revert Result: TCG status codeO
MEKMEKOOO
Hashed CO Authentication DataHashed CO Authentication DataO
Hashed User Authentication DataHashed User Authentication DataO
FormatNVM / Sanitize / DeleteNSErase user data by changing the data encryption key.ODRBG Internal StateHash_ DRBG (SHA-256)Admin Command: Format NVM / Sanitize / Namespace Management Result: Status CodeOOO
MEKMEKOOO
Update the firmware8Update the firmwareOFirmware Verification KeyRSAAdmin Command: Firmware Commit Result: Status CodeO
Perform Self-testsPower cycling the module to perform self-testsN/AN/AN/A
RoleAuthentication MethodAuthentication Strength
COPassword (Min: 8 bytes, Max: 32 bytes)Probability of 1/264 in a single random attempt Probability of 80/264 in multiple random attempts in a minute
User

Following table shows unauthenticated services. It is initially possible to use the services in following table without authentication. The operator can be configured setting that complied with NVM, TCG spec. N/A E W G Z N/A O O O O N/A N/A N/A O Indicator 5 O O O O O O O O O O O O O O N/A Table

  1. Unauthenticated Services 4.3. This module provides the role-based authentication. The authentication mechanism allows a minimum 8-byte length or longer (up to 32-byte) Password, where each byte can be any of 0x00 to 0xFF, for every Cryptographic Officer and User role supported by the module, which means a single random attempt can succeed with the probability of 1/264 or lower. Each Password authentication attempt takes at least 750ms. It means, the number of attempts possible in a minute period is maximum 80 attempts (60000ms/750ms). Table
  2. Roles and Authentication The module only supports approved services in an approved manner. The module uses implicit indicators through the result of the NVMe or TCG commands.

6 The cryptographic module shows the hardware version and firmware version through the ‘Model Number (MN)’ and ‘Firmware Revision (FR)’

7 The I/O command itself is the approved service where Self-Initiated Cryptographic Output Capability occurs, while the unlock request (via

Lock/Unlock an LBA range” service) is the authorized enablement of this capability.

8 This service is exempted from being authenticated by exception clause (c) of IG 4.1.A.

Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 11

5. Software/Firmware Security The cryptographic module employs the 428-byte parity for firmware integrity test. The firmware integrity test is performed when power on reset. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 12

6. Operational Environment The cryptographic module operates in a limited operational environment that is consist of the module’s firmware. This operational environment does not require any specific security rules, settings, configurations or restrictions to be set. The cryptographic module does not provide any general-purpose operating system to the operator. Unauthorized modification of the firmware is prevented by the pre-operational firmware integrity test and conditional firmware load test. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 13
Physical Security MechanismsRecommended Frequency of Inspection/TestInspection/Test Guidance Details
Production grade casesAs often as feasibleInspect the entire perimeter for cracks, gouges, lack of screw(s) and other signs of tampering. Remove from service if tampering found.
Tamper-evident Sealing LabelsInspect the sealing labels for scratches, gouges, cuts and other signs of tampering. Remove from service if tampering found.

The following physical security mechanisms are implemented in a cryptographic module:

2 tamper-evident labels are applied over both top and bottom cases of the module at the factory. The tamper-evident

labels are not removed and reapplied without tamper evidence. The tamper-evident labels are applied by Samsung at Manufacturing. The following table summarizes the actions required by the Cryptographic Officer Role to ensure that physical security is maintained: Figure 3. Tamper Evident Label Placement Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 14

8. Non-Invasive Security Non-invasive security has not applicable for this cryptographic module. Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 15
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP Name/ TypeZeroisation
MEK256-bitA1720 Hash_ DRBG (SHA-256)SP 800-90A HASH_DRBG (SHA-256)N/APlaintext in RAMN/ADRBG Internal State9Power on Reset
MEK256-bitA1720 Hash_ DRBG (SHA-256)ENT (P)N/APlaintext in RAMN/ADRBG SeedPower on Reset
MEK256-bitA1720 Hash_ DRBG (SHA-256)ENT (P)N/APlaintext in RAMN/ADRBG Entropy Input StringPower on Reset
N/AMin. 64- bitN/AN/AN/APlaintext in RAMMD/EECO PasswordVia “Authentication ” service
N/AMin. 64- bitN/AN/AN/APlaintext in RAMMD/EEUser PasswordVia “Authentication ” service
N/A128-bitC1272 SHA-256Hashed from Password as per SHA-256N/APlaintext in FlashN/AHashed CO Authenticati on DataVia “Change the Password” and Revert” service
N/A128-bitC1272 SHA-256Hashed from Password as per SHA-256N/APlaintext in FlashN/AHashed User Authenticati on DataVia “Set User Password” and Revert” service
N/A256-bitC1271 AES-XTSSP 800-90A HASH_DRBG (SHA-256)N/APlain Text in RAM, FlashN/AMEKVia “Unlock an LBA Range”, “Erase an LBA Range’s Data”, “Revert” and “FormatNVM / Sanitize / DeleteNS” service
Firmwa re load test128-bitA940 RSAN/AN/APlaintext in Hardware SFREntered during manufacturi ngFirmware Verification KeyRight after FW load test
Plaintext in FlashPlaintext in FlashN/A
  1. Sensitive Security Parameter Management Temporary SSPs are zeroised when power on reset. Firmware integrity temporary values are zeroised after the firmware integrity test is complete. The zeroisation is performed before overwriting to the target SSP with random value which is generated from the DRBG. SSP’s are not exported outside the module. N/A N/A N/A N/A N/A N/A N/A N/A N/A Min. 64bit N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A State 9 Min. 64bit N/A Table
  2. SSPs The values of V and C are the “secret values” of the internal state Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy N/A N/A N/A N/A N/A N/A
Page 16
Approved algorithm
NameKey Size
DetailsMinimum Number of Bits of EntropyEntropy Sources
Entropy source for Hash_DRBG- 0.5 entropy per bit - Minimum of 256 bits of entropy for DRBG seed (Total seed size of 512 bits).ENT (P)

The module contains an entropy source, compliant with SP 800-90B, within the module’s cryptographic boundary. Table 13. Non-Deterministic Random Number Generation Specification Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy

Page 17
Self test
NameAlgorithm Or TestTest TypeDetails
DRBGDRBGCryptographic algorithm self-testKATs for Hash_DRBG (SHA-256) described in SP 800-90A Section 11.3.1, 11.3.2, 11.3.3, 11.3.4 KAT performed with 512-bit entropy input
AES-XTSAES-XTSCryptographic algorithm self-testEncrypt and Decrypt KAT performed with 512-bit key size
SHASHACryptographic algorithm self-testHash Digest KAT performed with 256-bit message size
RSARSACryptographic algorithm self-testVerify KAT performed with 3072 Modulus (3072-bit key size) and SHA-256.
RSARSAFirmware load testPerform using RSA-3072 with SHA-256 when new firmware is downloaded.
ENT (P)ENT (P)Cryptographic algorithm self-testPerform the below 2 types of tests and each test includes the Repetition Count test and Adaptive Proportion test described in SP800-90B. • Start-up test is performed for Entropy Source after power on reset. • Continuous test is performed for Entropy Source while the module is operating
Service
NameDescriptionRole AccessIndicatorRecovery Method
Error state in BootThe module does not provide any crypto operation.Integrity test or SP 800-90B start-up failure during bootHang state. No actionPower cycle
Error StateAny other self-test failureIf the module enters the FIPS Fail Mode, Show Status service indicates “ERRORMOD” in Firmware Revision (FR).

While executing the following self-tests, all data output is inhibited until self-test completion. To execute the preoperational tests on-demand, the operator may power-cycle the module. If a cryptographic module fails a self-test, the module will enter an error state. While in this state, all data output is inhibited. 10.1. Pre-operational Test • Firmware integrity check is performed by using 428-byte parity at power-on. 10.2. Conditional Test • • • Table

  1. Self-tests 10.3. Error States Table
  2. Error States Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy
Page 18

11. Life-Cycle Assurance The following specifies the security rules under which the cryptographic module shall operate in accordance with FIPS 140-3:

Page 19
Other AttacksMitigationSpecific Limitations
Mechanism
N/AN/AN/A

The cryptographic module has not been designed to mitigate any specific attacks beyond the scope of FIPS 140-3. N/A N/A N/A Table 16. Mitigation of Other Attacks Samsung Electronics Co., Ltd. SSD FIPS 140-3 Security Policy