All modules
CMVP Validated Module · FIPS 140-3 Security Policy

FIPS Applet on RookySE

Certificate#4827StandardFIPS 140-3Level3TypeHardwareEmbodimentSingle ChipStatusActiveVendorIDEMIA
High review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level3
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/10/2029
CaveatWhen installed, initialized and configured as specified in Section 11 of the Security Policy
VendorIDEMIA

Approved Algorithms (27)

AlgorithmACVP Cert
AES-CBCA2912
AES-CMACA2912
AES-ECBA2912
Counter DRBGA2912
ECDSA KeyGen (FIPS186-4)A2912
ECDSA KeyVer (FIPS186-4)A2912
ECDSA SigGen (FIPS186-4)A2912
ECDSA SigVer (FIPS186-4)A2912
HMAC-SHA-1A2912
HMAC-SHA2-256A2912
HMAC-SHA2-384A2912
HMAC-SHA2-512A2912
KAS-ECC Sp800-56Ar3A2912
KDF SP800-108A2912
RSA KeyGen (FIPS186-4)A2912
RSA SigGen (FIPS186-4)A2912
RSA Signature PrimitiveA2912
RSA SigVer (FIPS186-4)A2912
SHA-1A2912
SHA2-224A2912
SHA2-256A2912
SHA2-384A2912
SHA2-512A2912
SHA3-224A2912
SHA3-256A2912
SHA3-384A2912
SHA3-512A2912

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for FIPS Applet on RookySE
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>Update<br/>upgrade</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>unauthenticated<br/>Status output</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for FIPS Applet on RookySE
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>Update<br/>upgrade</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>unauthenticated<br/>Status output</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

FIPS Applet on RookySE FIPS Applet v1.6.1.4 on RookySE ‘097153’ FIPS 140-3 Non-Proprietary Cryptographic Module Security Policy Version: 1.2 Revision Date: 30/09/2024

Page 2

About IDEMIA OT-Morpho is now IDEMIA, the global leader in trusted identities for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. Securing our identity has become mission critical in the world we live in today. By standing for Augmented Identity, we reinvent the way we think, produce, use and protect this asset, whether for individuals or for objects. We ensure privacy and trust as well as guarantee secure, authenticated and verifiable transactions for international clients from Financial, Telecom, Identity, Security and IoT sectors. With close to €3bn in revenues, IDEMIA is the result of the merger between OT (Oberthur Technologies) and Safran Identity & Security (Morpho). This new company counts 14,000 employees of more than 80 nationalities and serves clients in 180 countries. | For more information, visit www.idemia.com / Follow @IdemiaGroup on Twitter Specifications and information are subject to change without notice. The products described in this document are subject to continuous development and improvement. All trademarks and service marks referred to herein, whether registered or not in specific countries, are the properties of their respective owners. - Printed versions of this document are uncontrolled 2/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 3

TABLE OF CONTENT 3/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 4

4/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 5

TABLE OF ILLUSTRATIONS 5/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 6

TABLE OF TABLES Table 4 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed 14 Table 11 Approved Services - ISO19790:2012 7.4.3 Services, Non Security-Relevant Services, or Services Using 6/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 7
1 GENERAL

This document defines the Security Policy for FIPS Applet on RookySE with firmware FIPS Applet v1.6.1.4 on RookySE ‘097153’ cryptographic module. FIPS Applet on RookySE is a Hardware Security Module made by Idemia, hereafter denoted the module. The module, validated to [NIST.FIPS.140-3] overall Level 3, meets security levels of following individual areas. ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level [Number Below]

1 General 3

2 Cryptographic module specification 3
3 Cryptographic module interfaces 3
4 Roles, services, and authentication 3
5 Software/Firmware security 3

6 Operational environment N/A

7 Physical security 3

8 Non-invasive security N/A

9 Sensitive security parameter management 3

10 Self-tests 3

11 Life-cycle assurance 3

12 Mitigation of other attacks 3

2 CRYPTOGRAPHIC MODULE SPECIFICATION

FIPS Applet on RookySE is a cryptographic module intended to be used as hardware security module. It is designated for creating, storing, and operating keys with some cryptographic operations capabilities, and it relies on a secure element hardware with a tamper-protection.

2.1 Module Specifications
2.1.1 Module Type and Boundary

This cryptographic module, is a hardware module, and is a single chip. It is operated by embedded Global Platform OS with card manager capability for firmware (applet) loading, installation, or deletion. FIPS Applet is loaded at manufacturing and is part of the module. The module boundary is shown in red in the following picture: 7/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 8

Figure 1 Module Boundary The below picture shows the FIPS Applet on RookySE Cryptographic Module in a single chip (Module count is 1) in VQFN32 form factor with dual interface (ISO 7816 T0 Contact Protocol and SPI Protocol): 8/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 9

Figure 2 FIPS Applet on RookySE Chip

2.1.2 Module Components and Configuration

Below components are part of the module: Model/Part Hardware Firmware Version Processors Number Version Global Platform OS: RookySE ‘097153’ 32-bit ARM® SLC37ESA2M0 Version: ‘29’ Javacard Application: FIPS Applet v1.6.1.4 SecurCore® SC300™ Table 2 Cryptographic Module Tested Configuration The module can be in one of the two configurations below. The configuration is set in the manufacturing stage. FIPS Certified Product (FCP) This product configuration is intended to meet FIPS requirements and be validated by validation authority. This Security Policy describes this configuration. Non-FIPS Certified Product (NFCP) This product configuration is not intended to meet FIPS requirements and is out of scope of the FIPS evaluation. The module does not implement any Vendor Affirmed Operational Environments.

2.2 Modes of Operations

The module supports an applet instance that is running only in one mode of operation that is an approved mode. All services provided by the module when set in configuration FCP are approved services as specified in the section 4.3.2. A global indicator via FIPS Applet GET INFO service (unauthenticated service) is provided to show the status mode of operation.

2.2.1 Approved Mode of Operation

This mode means that the module is applying strictly rules of the FIPS requirements and the security policy is enforced. Access to some services is restricted and only approved services as specified in section 4.3.2 are available for users. 9/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 10

In this mode, customer is still allowed to load additional firmware but this is restricted to firmware (applet) that is already validated under [NIST.FIPS.140-3]. Any firmware (applet) that is not validated [NIST.FIPS.140-3] will cancel the FIPS status of the module. A procedure for firmware loading is described in [FQR 401 9097 Ed 4] section 3.4.2.

2.3 Security Functions

The module implements the ‘approved security functions’ and ‘non-approved but allowed security functions’ listed in Table 3 and Table 4 respectively.

2.3.1 Approved Security Functions

Note that the full cryptographic algorithm implementation capabilities were tested for the Approved cryptographic functions but only algorithms / mode / key sizes / functionalities identified in the Table 3 are implemented by the module. 10/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 11

Description / CAVP Algorithm and Mode/ Key Size(s) / Use Cert Standard Method Key / Function Strength(s) AES A2912 [NIST.FIPS.197] ECB, CBC 128/192/256 Data encryption/decryption [NIST.SP.800-38A] AES MAC Generation/Verification, A2912 CMAC 128/192/256 SP800-108 KDF [NIST.SP.800-38B]

5.1 Key Pairs for Digital RSA 2048,
5.2 Key Pairs for Key RSA 4096,

Establishment ECC P-224, ECC P-256, ECC P-384, ECC P-521,

6.1 The “Direct TDES-64,

Generation” of TDES-128, Symmetric Keys TDES-192, CKG Vendor 6.2.1 Symmetric Keys Key generation Affirmed [NIST.SP.800- Generated Using Key- Symmetric and Asymmetric HMAC 64, 133.Rev2] Agreement Schemes HMAC 128,

6.2.2 Symmetric Keys HMAC 160,

Derived from a Pre- HMAC 224, existing Key HMAC 256, HMAC 320, HMAC 384, HMAC 512, AES 128, AES 192, AES 256 DRBG Deterministic Random Bit A2912 [NIST.SP.800- CTR 256 Generation 90A.Rev1] CKG using method in P-224, ECDSA Key Generation, ECDSA section 4 and 5.1 P-256, A2912 [NIST.FIPS.186-4] [NIST.SP.800-133.Rev2] P-384, P-521 P-192, ECDSA Key Verification P-224, ECDSA A2912 P-256, [NIST.FIPS.186-4] P-384, P-521 SHA2-224, P-224, ECDSA Signature ECDSA SHA2-256, P-256, Generation A2912 [NIST.FIPS.186-4] SHA2-384, P-384, SHA2-512 P-521 SHA-1, P-192, ECDSA Signature SHA2-224, P-224, Verification ECDSA A2912 SHA2-256, P-256, [NIST.FIPS.186-4] SHA2-384, P-384, SHA2-512 P-521 11/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 12

Hardware True RNG used to seed the DRBG. The minimum number of bits of ENT (P) Entropy Source Physical entropy is specified in the [NIST.SP.800-90B] Table 17 Non-Deterministic Random Number Generation Specification SHA2-256 Message Authentication; HMAC Key strength : 112 A2912 SHA2-384, SP800-108 KDF [NIST.FIPS.198-1] (minimum) SHA2-512 MAC Generation SHA-1, HMAC SHA2-256, Key strength : 64 Message Authentication; A2912 [NIST.FIPS.198-1] SHA2-384, (minimum) MAC Verification SHA2-512 P-521 curve KAS-ECC providing 256 with bilateral key KAS-ECC SP800-56Ar3 A2912 [NIST.SP.800- confirmation bits of encryption 56A.Rev3] strength HMAC-64, HMAC-128, HMAC-160, HMAC-224, HMAC-256, Key Derivation KDF HMAC-320, A2912 AES CMAC, HMAC HMAC-384, Symmetric Keys Derived [NIST.SP.800-108] from a Pre-existing Key HMAC-512 using KDF AES-128, AES-192, AES-256 KTS (Secure 256 bits keys SP 800-38F. KTS (key AES-CBC, AES-CMAC providing 256 bits A2912 Channel GP) wrapping and of encryption [NIST.SP.800-38F] unwrapping) per IG D.G. strength KTS (Secure 256 bits keys SP 800-38F. KTS (key AES-CBC, AES-CMAC providing 256 bits A2912 Session) wrapping and of encryption [NIST.SP.800-38F] unwrapping) per IG D.G. strength 128,192, 256 bits KTS (Token SP 800-38F. KTS (key keys providing AES-CBC, AES-CMAC A2912 transport ) wrapping and 128,192, 256 bits [NIST.SP.800-38F] unwrapping) per IG D.G. of encryption strength A2912 RSA N/A 2048/3072/4096 RSA Key Generation [NIST.FIPS.186-4] SHA2-224, RSA Signature Generation A2912 RSA SHA2-256, 2048/3072/4096 using PCKS1 v1.5 and PSS [NIST.FIPS.186-4] SHA2-384, Scheme SHA2-512 SHA-1, RSA Signature Verification SHA2-224, using PCKS1 v1.5 and PSS A2912 RSA 1024/2048/3072/4 SHA2-256, Scheme [NIST.FIPS.186-4] 096 SHA2-384, (SHA-1 and module 1024 SHA2-512 allowed for legacy use) 12/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 13
2048 RSA Signature Generation

Primitive RSA (CVL) The RSA SigGen (CVL) shall A2912 [NIST.FIPS.186-4] only be used within the context of a FIPS 186-4 signature generation SHA3-224, SHA-3 SHA3-256, A2912 N/A Message Digest [NIST.FIPS.202] SHA3-384, SHA3-512 SHA-1, SHA2-224, SHS A2912 SHA2-256, N/A Message Digest [NIST.FIPS.180-4] SHA2-384, SHA2-512 Table 3 Approved Algorithms 13/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 14
2.3.2 Non-approved but Allowed Security Functions

These algorithms do not claim any security and are not used to meet [NIST.FIPS.140-3] requirements. Therefore, SSPs do not map to these algorithms. Algorithm Caveat Use / Function CSPs obfuscation with a nonCSPs obfuscation (no security claimed) Approved algorithm Table 4 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation with security claimed.

3 CRYPTOGRAPHIC MODULE INTERFACES
3.1 Physical and Logical Interface

The module provides a dual interface for communications that is available to all users: ISO7816 T0 Contact Protocol and Serial Peripheral Interface (SPI) Protocol. These two interfaces cannot be used simultaneously. Data output is inhibited during error states in any interface. The module acts as a slave device and does not have control output.

3.1.1 ISO7816 T0 Contact Protocol

In the ISO7816 T0 protocol, data output is inhibited during key generation, self-tests, and zeroisation except for procedure byte NULL ‘60’ transmission in order to keep the communication between module and the interface device still alive. Data that passes over Physical port Logical interface port/interface VCC, GND Power ISO 7816: Supply voltage RST Control input ISO 7816: Reset CLK Control input ISO 7816: Clock ISO 7816: Input / Output of Data I/O Control input, Status output ISO 7816: Status Word Data input, Data output ISO 7816: Procedure Byte Table 5 Ports and Interfaces in ISO7816 T0 Contact Protocol

3.1.2 Serial Peripheral Interface (SPI) Protocol

In the SPI protocol, data output is inhibited during key generation, self-tests, and zeroisation with exception for Check Alive SPI command. This command is used to check if the module is still alive or not. This command can temporarily interrupt the current execution of key generation, self-tests, or zeroisation. Data that passes over Physical port Logical interface port/interface VCC, GND Power Supply voltage 14/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 15

RST Control input Chip Reset SPI_CLK Control input Clock SPI_MISO Control input, Data input Master IN, Slave OUT SPI_MOSI Data output, Status output Master OUT, Slave IN SPI_CS Control input Chip Select A status signal to inform command SPI_IRQ Status output completion Table 6 Ports and Interfaces in Serial Peripheral Interface (SPI) Protocol

4 ROLES, SERVICES, AND AUTHENTICATION
4.1 Roles

The FIPS Applet on RookySE Cryptographic module supports following user roles: Role Name ID Role Description GP Administrator - This role is responsible for upgrading and loading the Application main firmware version of the system and additional customer applet AA Administrator (delete/load/install Applet). This role is authenticated using Global Platform Secure Channel Protocol ‘03’ Crypto Officer Role 1 - Performing module Initialization for ADMIN Super User SU Creation process, Unblock Administrator, System Reset using DUAL Control with Administrator Crypto Officer Role 2 - Performing module initialization with the help Administrator CO SuperUser for its creation, global configuration, user management, and profile management for user and key Auditor AU Crypto Officer Role 3 - Performing Audit Management Performing Splitting Knowledge Procedure in the Key Ceremony and hold secrets of Crypto Card Master Key (CCMK) Key Custodians KC This role is split into 3 different roles: KC1

Page 16

Role Name ID Role Description A role that does not require an authentication of an operator for the role to Unauthenticated UU perform some services where CSPs and PSPs are not modified, disclosed User [for CSPs only], or substituted Table 7 Role Description The module does not support a maintenance role. Additionally, any user is allowed to perform non-sensitive services such as requesting status information, without prior authentication.

4.2 Authentication

There are three types of authentication methods employed by the Module:

  1. Global Platform Secure Channel Protocol ‘03’ (GP SCP ‘03’) Authentication
  2. FIPS Applet Password-based Authentication
  3. FIPS Applet Smartcard-based Authentication In the FIPS applet implementation, the module does support authentication level up to two levels where the last authenticated user will override the access control of the first authenticated user. The active access control in the second level is based on second authenticated user’s profile. When this user logoff, the active access control is set back to the first authenticated user’s profile. This authentication level is only applicable for authentication number 2 and number 3 above that is designed for specific procedure such as Key Ceremony, System Reset, or System Unblock services.

4.2.1 Global Platform Secure Channel Protocol ‘03’ (GP SCP ‘03’) Authentication

The Secure Channel Protocol authentication method is provided by the Secure Channel service. The SDKENC and SD-KMAC keys are used to derive the SD-SENC and SD-SMAC keys, respectively. The off-card entity participating in the mutual authentication sends a 64-bit challenge to the Cryptographic Module. The Cryptographic Module generates its own challenge and computes a 64-bit cryptogram with SD-SMAC key and both challenges. The Cryptographic Module cryptogram and challenge are sent to the off-card entity which checks the Cryptographic Module’s cryptogram and creates its own 64-bit cryptogram with both challenges. A 64-bit message authentication code (MAC) is also computed on the command containing the off-card entity cryptogram with AES-CMAC and SD-SMAC key, the MAC is concatenated to the command, and the command is sent to Cryptographic Module. The Cryptographic Module checks the message authentication code and compares the received cryptogram to the calculated cryptogram. If all of this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the Module in the AA role). GP Secure Channel Protocol establishment provides mutual authentication service as well as establishment of a secure channel to protect confidentiality and integrity of the transmitted data.

4.2.2 FIPS Applet Authentication Methods

The FIPS Applet uses identity-based operator authentication to enforce the separation of roles and allow corresponding services within each role. FIPS Applet Password-based Authentication The operator must enter its user name and its password for authentication process. The username is an alphanumeric string. The password is a binary string of a minimum of eight (8) characters. Key Agreement technique ((Cofactor) Full Unified Model, C(2e, 2s, ECC CDH) with bilateral key confirmation is used for mutual authentication and to derive session keys (H-SKAuthEnc, HSKAuthMac, H-SKAuthKC). H-SKAuthKC is used to calculate MAC of user credential (user token) for 16/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 17

authentication. If this mutual authentication process is success, the user can be verified via Key Confirmation using USER AUTH service employing user token. Other session keys, H-SKAuthEnc and H-SKAuthMac are used for protecting the message in Secure Channel. This scheme protects from eavesdropping and provides perfect forward secrecy. FIPS Applet Smartcard-based Authentication The operator must use smartcard that owns unique user EC-key pair used for Key Agreement ((Cofactor) Full Unified Model, C(2e, 2s, ECC CDH) with bilateral key confirmation). The static user key is different per user and stored inside the smartcard which is considered as secure enclave. The user must enter his pin for verification by the smartcard in order to use his static key and to perform key agreement. The rest of user authentication process is similar with the password-based method, except there is no password involved in the user token. Upon correct authentication, the role is selected based on current logged user’s profile. During authentication session keys are negotiated which are used to secure subsequent services request from operator. Since the session keys (and session ID) are stored in volatile memory all information about the authentication and session is lost if the module is powered down.

4.2.3 Authentication Strength in Each Role

Role Authentication Method Authentication Strength

Page 18

Role Authentication Method Authentication Strength Single Attempt Probability The probability that a random attempt will succeed using this authentication method is:

4.3 Services

All services implemented by the module are listed in the section 4.3.1 for each service description and its access for each Role. The module only provides approved services listed in the section 4.3.2 Approved 18/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 19

Services. The module does not provide bypass or self-initiated output capabilities. Each service of the module returns completion status to indicate successful execution or specific error code.

4.3.1 Roles, Service Commands, Input and Ouput

The following table shows data input and output of each service employed by the module. Some services do not require an operator to assume an authorized role. In this case the associated role is marked with the role UU (Unauthenticated User) defined in Table 7 Role Service Input Output Global Platform Services Card Challenge, Card Cryptogram, Key Identifier, Host Challenge, Security diversification data, and key AA GP Secure Channel Level Host Cryptogram, MAC information, Status Word of the command Loaded package and stored data and key AA GP Manage Content encrypted through GP SCP ‘03’ Security Status Word of the command Level 3 List of application and its status, AA GP Get Status Application Type Status Word of the command Corresponding data based on input AA GP Get Data Data Tag tag AA GP Life Cycle Status type and State Control Status Word of the command UU GP Select Application (applet) AID Status Word of the command UU SE Reset Signal Reset in port RST Answer-to-RESET (ATR) Firmware Upgrades Services - FIPS Applet Card Challenge, Card Cryptogram, diversification data, and key AA Initialize Update Key Identifier and host challenge information, Status Word of the command Security Level 3, Host Cryptogram and AA External Authenticate Status Word of the command MAC Sensitive Data and Key encrypted through AA Store Data Status Word of the command GP SCP ‘03’ Security Level 3 FIPS Applet Services System information as requested such as: Applet version, applet build type, single/multi SE configuration, life cycle status, storage size configuration, TC and sync status, UU Get Info Information type current active user, and/or last executed frame id Return Status1 UU Manage Session Session type Return Status Completion Status that indicates execution status result (success or error with specific reason code) 19/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 20

Role Service Input Output System's public ephemeral key and username, user/host public ephemeral receipt for key confirmation key, selected authentication method, and UU Mutual Authenticate host ID Return Status user token generated from MAC of user's Authentication result credential using generated session key UU User Authenticate from Key Agreement process in Mutual Return Status Authenticate SU, CO, KC1, KC2, User Logout Username information Return Status KC3, AU, UR SU, CO, KC1, Encrypted response data KC2, Secure Channel Encrypted data and its signature KC3, Return Status AU, UR AU Check Log Number of logs to be returned Activity logs and Return Status AU Read Log Number of logs to be read and deleted Activity logs and Return Status AU Delete Log Number of logs to be deleted Return Status AU Export Log (mode

  1. Mode to export the logs (mode: deleted) All activity logs and Return Status CO, Export Log (mode
  2. Mode to export the logs (mode: kept) All activity logs and Return Status AU CO Profile Create Profile name and the access control Return Status CO Profile Delete Profile name and deletion option Return Status information of all profiles Only input frame with no additional input CO Profile View data Return Status CO User Create User information and credential data Return Status SU User Create ADMIN Admin's information and credential data Return Status CO User Delete Username information Return Status User Change Username and new user’s password or SU, CO Credential Return Status new user’s public key Information of all users CO User View (full) User Type (All Users) Return Status information about admin user User View (Admin SU, CO User Type (Admin only) only) Return Status Secret data and its key check value to CO, CCMK Import 1 import CCMK using split knowledge Return Status KC1 procedure 20/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2
Page 21

Role Service Input Output Secret data and its key check value to CO, CCMK Import 2 import CCMK using split knowledge Return Status KC2 procedure Secret data and its key check value to Key check value of CCMK CO, CCMK Import 3 import CCMK using split knowledge KC3 procedure Return Status Secret data and its key check value of CCMK using split knowledge CO, Only input frame with no additional input CCMK Export 1 procedure KC1 data Return Status Secret data and its key check value of CCMK using split knowledge CO, Only input frame with no additional input CCMK Export 2 procedure KC2 data Return Status Secret data and its key check value of CCMK using split knowledge CO, Only input frame with no additional input CCMK Export 3 procedure KC3 data Return Status

00 to keep FIPS Certified Product

CO System Set Config 01 to change to Non FIPS Certified Return Status Product Imported key in key token form Imported key in key token form protected by CCMK of the module as CO, Import Key protected by protection key whose label protection key UR specified in key token's properties Return Status Exported key in key token form with Exported key label and protection key protection key as configured in input CO, label where those key tokens shall be Export Key frame UR loaded to the module prior to this service via Load Key service Return Status Loaded key in key token form protected CO, Load Key by protection key whose label specified Return Status UR in key token's properties Diversified key in key token form protected by CCMK of the module as CO, Key token properties and diversification Diversify Key its protection key UR method Return Status Generated key in key token form protected by CCMK of the module as CO, Generate Key Key token properties its protection key UR Return Status Generated key in key token form CO, protected by CCMK of the module as Generate Key Pair Key token properties UR protection key 21/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 22

Role Service Input Output Return Status Generate Key (For CO Customer key properties Return Status Split Knowledge) Customer key’s secret data, its KCV CO, Only input frame with no additional input and properties CK Export 1 UR data Return Status Customer key’s secret data and its CO, Only input frame with no additional input KCV CK Export 2 UR data Return Status Exported Customer key's properties, secret data, secret KCV, customer CO, Only input frame with no additional input CK Export 3 key KCV UR data Return Status Customer key's properties, secret data, CO, CK Import 1 and its KCV to import Customer Key using Return Status UR split knowledge procedure Customer key's secret data and its KCV to CO, CK Import 2 import Customer Key using split Return Status UR knowledge procedure Customer Key Token protected by Imported Customer key's properties, CCMK of the module as its CO, secret data, secret KCV, and customer CK Import 3 protection key UR key KCV to import Customer Key using split knowledge procedure Return Status CO Set Date Date information Return Status Only input frame with no additional input SU, CO System Reset Return Status data Requested data Requested data such as: System, Host or SU, CO Get Data Super User’s Ephemeral public key Return Status Data to be stored such as: : System, Host or Super User’s Authentication public SU, CO System Store Data key, System Authentication private key, Return Status System Sync Master Key, logging configuration Sync token data SU, CO Sync Request Token Sync properties Return Status SU, CO Sync Write Token Sync token data Sync result status SU, CO Sync Report Sync result data Return Status Encrypted data CO, Encipher Key label, plain data and cipher Crypto Encipher UR configuration Return Status Decrypted data CO, Decipher Key label, encrypted data and Crypto Decipher UR decipher configuration Return Status 22/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 23

Role Service Input Output Signature of the data CO, Signature Key label, data and signature Crypto Sign UR configuration Return Status Signature verification result CO, Signature Key label, data, signature of Crypto Verify UR the data, and verification configuration Return Status CO User Unblock Username information Return Status SU Admin Unblock Admin username information Return Status Only input frame with no additional input SU, CO System Unblock Return Status data Table 9 Roles, Service Commands, Input and Output 23/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 24
4.3.2 Approved Services

Services listed below are approved services: either FIPS-approved security services, [ISO/IEC 19790] 7.4.3 services, non security-relevant services, or services using non-approved algorithm but claiming no security. Those services are available when the module is running in approved mode of operation. 24/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 25

Access rights to Approved Security Service Description Keys and/or SSPs Roles Keys and/or Indicator Function SSPs GP SCP ‘03’ Authentication OS-DRBG-STATE G, E Establish a Global and Secure Messaging SD-KENC E GP Secure Platform secure vendor affirmed CKG SD-KMAC E Completion AA Channel communications [NIST.SP.800-133.Rev2] SD-SENC G, E Status2 channel SD-SMAC G, E A2912 SD-RMAC G, E SD-KENC W Load and install GP SCP ‘03’ Secure SD-KMAC W application Messaging SD-KDEK W GP Manage packages and its AES Encryption/Decryption SD-SENC AA E Completion Status Content associated keys SD-SMAC E and data A2912 SD-RMAC E DAP-AES W, E GP Life Cycle Set GP life cycle - OS-MKEK AA Z Completion Status H-eAUTH_sk Z H-Zs Z H-Ze Z H-SKAuthEnc Z H-SKAuthMac Z SE Reset Reset Warm/Cold - H-SKAuthKC UU Z Completion Status H-SKSyncEnc Z H-SKSyncMac Z H-eAUTH_pk Z H-eHOST_pk Z H-HostID Z Performs initiation GP SCP ‘03’ Authentication vendor affirmed CKG SD-SENC G, E Initialize of a GP SCP ‘03’ Secure Channel [NIST.SP.800-133.Rev2] SD-SMAC AA G, E Completion Status Update Session SD-RMAC G A2912 Authenticate the host and to SD-SENC GP SCP ‘03’ Authentication E External determine the level SD-SMAC AA E Completion Status Authenticate of security required A2912 SD-RMAC E for all subsequent commands Completion Status that indicates execution status result (success or error with specific reason code) 25/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 26

H-sAUTH_sk W GP SCP ‘03’ Secure Transfer data to an Messaging H-Ksync W Store Data Application in the AES Encryption/Decryption H-sAUTH_pk AA W Completion Status GP secure channel H-sHOST_pk W A2912 W H-sUSER_pk H-KT_ECDSA_PAIR Z H-KT_ECDSA_sk Z H-KT_AES Z H-KT_3DES Z FIPS Applet open H-KT_RSA_CRT_PAIR Z Manage session and close N/A H-KT_RSA_SFM_PAIR UU Z Completion Status Session session H-KT_RSA_CRT_sk Z H-KT_RSA_SFM_sk Z H-KT_HMAC Z H-KT_ECDSA_pk H- Z KT_RSA_pk Z H-sAUTH_sk E H-eAUTH_sk G, E, Z C(2s,2e, ECDH) Key H-eD E Agreement using Curve H-Zs G, E, Z P521 H-Ze G, E, Z Public key One Step Key Derivation H-SKAuthEnc G exchange leads to Counter Mode using H-SKAuthMac G Mutual key agreement HMAC-SHA2-256 between HOST’s H-SKAuthKC UU G, E Completion Status Authenticate operator and the A2912 H-sAUTH_pk E module H-sHOST_pk E vendor affirmed CKG H-sUSER_pk E [NIST.SP.800-133.Rev2] H-eAUTH_pk G, E, Z H-eHOST_pk G, E, Z H-HsmID E H-HostID W, E Key Confirmation using H-SKAuthEnc Z User Login on current AES-CMAC-256 H-SKAuthMac Z open session UU Completion Status Authenticate H-SKAuthKC E, Z A2912 H-User_pwd E AES-256-CBC for Message SU, CO, Encryption & Decryption H-SKAuthEnc E, Z Secure Secure Messaging AES-256-CMAC for KC1, KC2, for sensitive data H-SKAuthMac E, Z Completion Status Channel Message Authenticity KC3, AU, H-SKAuthKC E, Z A2912 UR 26/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 27

Import secret based Split knowledge procedure CCMK Import on user’s and 32 Bits for KCV

1 (KeyCustodian1)

N/A CO, KC1 N/A Completion Status input A2912 Import secret based Split knowledge procedure CCMK Import on user’s and 32 Bits for KCV

2 (KeyCustodian2)

N/A CO, KC2 N/A Completion Status input A2912 Split knowledge procedure and 32 Bits for KCV Import secret based A2912 on user’s One Step Key Derivation H-CCMK W, Z CCMK Import (KeyCustodian3) Counter Mode: AES- H-CCMKEnc CO, KC3 G, Z Completion Status input. CCMK will be CMAC-256 H-CCMKMac G, Z set in this sequence vendor affirmed CKG [NIST.SP.800-133.Rev2] A2912 Export secret of vendor affirmed CKG KeyCustodian1 (SP800-133 Rev2) CCMK Export Split knowledge procedure

1 Secret is calculated

H-CCMK CO, KC1 G Completion Status and 32 Bits for KCV by FIPS applet in this case A2912 Export secret of KeyCustodian2. Split knowledge procedure CCMK Export and 32 Bits for KCV Secret is calculated H-CCMK CO, KC2 E Completion Status by FIPS applet in A2912 this case Split knowledge procedure Export secret of and 32 Bits for KCV KeyCustodian3. One Step Key Derivation Secret is calculated Counter Mode: AES- H-CCMK E CCMK Export by FIPS applet in CMAC-256 H-CCMKEnc CO, KC3 G Completion Status this case. CCMK H-CCMKMac G vendor affirmed CKG will be set in this sequence [NIST.SP.800-133.Rev2] A2912 27/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 28

H-CCMKEnc E H-CCMKMac E H-KT_AES W, E Key Protection using H-KT_3DES W combination of approved H-KT_HMAC W Create new key with encryption method and H-KT_RSA_CRT_PAIR W parameters totally approved authentication Import Key based on user’s H-KT_RSA_SFM_PAIR CO, UR W Completion Status method in section 2.3.1 H-KT_RSA_pk W input. A2912 H-KT_RSA_CRT_sk W H-KT_RSA_SFM_sk W H-KT_ECDSA_PAIR W H-KT_ECDSA_pk W H-KT_ECDSA_sk W H-CCMKEnc E H-CCMKMac E H-KT_AES R, E Key Protection using H-KT_3DES R Export existing key combination of approved H-KT_HMAC R into key file with encryption method and H-KT_RSA_CRT_PAIR R Export Key CCMK or other approved authentication H-KT_RSA_SFM_PAIR CO, UR R Completion Status existing key H-KT_RSA_pk R protection method in section 2.3.1 H-KT_RSA_CRT_sk R A2912 H-KT_RSA_SFM_sk R H-KT_ECDSA_PAIR R H-KT_ECDSA_pk R H-KT_ECDSA_sk R H-CCMKEnc E H-CCMKMac E H-KT_AES W Key Protection using H-KT_3DES W Load PERMANENT H-KT_HMAC W key from LKD or combination of approved encryption method and H-KT_RSA_CRT_PAIR W VOLATILE FOR Load Key STORAGE key from approved authentication H-KT_RSA_SFM_PAIR CO, UR W Completion Status LKD_DP into FIPS method in section 2.3.1 H-KT_RSA_pk W applet H-KT_RSA_CRT_sk W A2912 H-KT_RSA_SFM_sk W H-KT_ECDSA_PAIR W H-KT_ECDSA_pk W H-KT_ECDSA_sk W 28/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 29

Using approved Key Derivation Function SP800-108 H-CCMKEnc E Diversify an existing H-CCMKMac E Diversify Key key with user’s Key Protection using H-KT_AES CO, UR G, E Completion Status choice of method combination of approved H-KT_3DES G encryption method and H-KT_HMAC G, E approved authentication method in section 2.3.1 vendor affirmed CKG Create a new key [NIST.SP.800-133.Rev2] with user’s input H-CCMKEnc E algorithm Key Protection using H-CCMKMac E Generate Key combination of approved H-KT_AES CO, UR G Completion Status Key value encryption method and H-KT_3DES G randomized by approved authentication H-KT_HMAC G FIPS applet method in section 2.3.1 A2912 Create a new vendor affirmed CKG asymmetric key [NIST.SP.800-133.Rev2] H-CCMKEnc E User can freely Key Protection using H-CCMKMac E Generate Key choose the combination of approved algorithm and curve H-KT_RSA_CRT_PAIR CO, UR G Completion Status Pair encryption method and H-KT_RSA_SFM_PAIR G Key value approved authentication H-KT_ECDSA_PAIR G randomized by method in section 2.3.1 FIPS applet A2912 Customer key generation Generate Key This service will vendor affirmed CKG H-KT_AES G determine the (for Split specification of key [NIST.SP.800-133.Rev2] H-KT_3DES CO G Completion Status Knowledge) token output from H-KT_HMAC G the whole Customer Key Ceremony procedure Export a secret for Split knowledge procedure H-KT_AES E CK Export 1 customer key and 32 bits KCV H-KT_3DES CO, UR E Completion Status creation for KCP1 A2912 H-KT_HMAC E 29/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 30

Export a secret for Split knowledge procedure H-KT_AES E CK Export 2 customer key and 32 bits KCV H-KT_3DES CO, UR E Completion Status creation for KCP2 A2912 H-KT_HMAC E Export a secret for customer key creation for KCP3 Split knowledge procedure and 32 bits KCV H-KT_AES E AES-CMAC-256 for Key H-KT_3DES E CK Export 3 This sequence will H-KT_HMAC CO, UR E Completion Status return KCV of Authenticity Secret and Key H-CCMKMac E A2912 Token for CK Import procedure later on Import secret based Split knowledge procedure CK Import 1 on user’s (KCP1) N/A CO, UR N/A Completion Status input and 32 bits KCV Import secret based Split knowledge procedure CK Import 2 on user’s (KCP2) N/A CO, UR N/A Completion Status input and 32 bits KCV Split knowledge procedure Import secret and key token based on and 32 bits KCV user’s (KCP3) input. Key Protection using This sequence will combination of approved H-CCMKEnc E CK Import 3 return a completed encryption method and H-CCMKMac CO, UR E Completion Status key token to be approved authentication stored in LKD or method in section 2.3.1 LKD_DP A2912 This service normally used to store SUPER_USER ECC CDH Key Agreement public key within for Key Validation FIPS Applet H-sHOST_pk W Store Data FIPS Applet Message Digest SHA2-256 H-sUSER_pk SU, CO W Completion Status Initialization procedure after A2912 SUPER_USER change its smartcard’s PIN 30/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 31

Key Derivation One Step Counter Mode : AESCMAC-256 vendor affirmed CKG [NIST.SP.800-133.Rev2] This service is targeted to Automated SSPs SE_MASTER to Establishment using H-KSync E Sync Request Token retrieve a sync approved method SP800- H-SKSyncEnc SU, CO G, E, Z Completion Status token which will be H-SKSyncMac G, E, Z referred on Sync 38F Write Token service SYNC Message Encryption: AES-256-CBC-M2 SYNC Message Authenticity: AES-256CMAC A2912 Key Derivation One Step Counter Mode: AESCMAC-256-M2 H-KSync E vendor affirmed CKG H-SKSyncEnc G, E, Z [NIST.SP.800-133.Rev2] H-SKSyncMac G, E, Z This service will H-KT_AES Z write sync token on Automated SSPs H-KT_3DES Z SE_SLAVE. Sync Establishment using H-KT_HMAC Z Sync Write token that is written approved method SP800- H-KT_RSA_CRT_PAIR Z Token in this service can H-KT_RSA_SFM_PAIR SU, CO Z Completion Status be retrieved from 38F SYNC Message Decryption H-KT_RSA_pk Z Sync Request H-KT_RSA_CRT_sk Z Token service & Encryption : AES-256CBC H-KT_RSA_SFM_sk Z SYNC Message H-KT_ECDSA_PAIR Z Authenticity: AES-256- H-KT_ECDSA_pk Z CMAC H-KT_ECDSA_sk Z A2912 This service purpose is to SYNC Message confirm that Sync Decryption: AES-256-CBCWrite Token had M2 H-SKSyncEnc E, Z Sync Report performed SYNC Message H-SKSyncMac SU, CO E, Z Completion Status successfully. The Authenticity: AES-256target of this service CMAC is SE_MASTER A2912 31/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 32

When used with an Perform encipher approved encryption E Crypto H-KT_AES on the user’s input algorithm in section 2.3.1 CO, UR Completion Status Encipher data A2912 When used with an Perform decipher approved decryption Crypto H-KT_AES E on the user’s input algorithm in section 2.3.1 CO, UR Completion Status Decipher data A2912 H-KT_HMAC E When used with an H-KT_RSA_CRT_PAIR E Create signature approved signature and H-KT_RSA_SFM_PAIR E Crypto Sign based on the user’s MAC algorithm in section H-KT_RSA_CRT_sk CO, UR E Completion Status input data 2.3.1 H-KT_RSA_SFM_sk E A2912 H-KT_ECDSA_PAIR E H-KT_ECDSA_sk E When used with an H-KT_HMAC E approved verification and H-KT_RSA_CRT_PAIR E Confirm the verified MAC algorithm in section H-KT_RSA_SFM_PAIR E Crypto Verify status of the user’s CO, UR Completion Status signature data 2.3.1 H-KT_RSA_pk E H-KT_ECDSA_PAIR E A2912 H-KT_ECDSA_pk E Service that uses FIPS Applet Set FIPS applet processes in approved Set Config configuration manner N/A CO N/A Completion Status Service that uses Profile Create Create new profile processes in approved N/A CO N/A Completion Status manner Delete non-default Service that uses Profile Delete profile based on processes in approved N/A CO N/A Completion Status profile name input manner Service that uses H-User_pwd W User Create Create new user processes in approved H-sUSER_pk CO W Completion Status manner Admin creation. This is a step during Service that uses User Create H-User_pwd W ADMIN FIPS Applet processes in approved H-sUSER_pk SU W Completion Status Initialization manner procedure 32/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 33

Service that uses Delete user based H-User_pwd Z User Delete on user name input processes in approved H-sUSER_pk CO Z Completion Status manner Change user’s Service that uses User Change H-User_pwd W password or user’s processes in approved SU, CO Completion Status Credential public key H-sUSER_pk W manner SU, CO, H-SKAuthEnc Z KC1, KC2, User Logout Logout the user N/A H-SKAuthMac Z Completion Status H-SKAuthKC KC3, AU, Z UR H-CCMK Z H-CCMKEnc Z H-CCMKMac Z H-User_pwd Z H-KT_ECDSA_PAIR Z H-KT_ECDSA_sk Z H-KT_AES Z Reset admin user, H-KT_3DES Z System Reset applet life cycle, N/A H-KT_RSA_CRT_PAIR SU, CO Z Completion Status LKD, and LKD_DP H-KT_RSA_SFM_PAIR Z H-KT_RSA_CRT_sk Z H-KT_RSA_SFM_sk Z H-KT_HMAC Z H-KT_ECDSA_pk Z H-KT_RSA_pk Z H-sUSER_pk Z Table 10 Approved Security Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. - = Not accessed by the service 33/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 34

Service Approved Service’s Rationale Global Platform Services GP Get Status Show status service as specified in the [ISO/IEC 19790] section 7.4.3 Show module’s versioning information service as specified in the ISO19790:2012 GP Get Data section 7.4.3 GP Select There is no intervention to the security process nor access to defined SSP FIPS Applet Services Show module’s versioning information and Show status service as specified in the Get Info [ISO/IEC 19790] section 7.4.3 Check Log There is no intervention to the security process nor access to defined SSP Read Log There is no intervention to the security process nor access to defined SSP Delete Log There is no intervention to the security process nor access to defined SSP Export Log (mode

  1. There is no intervention to the security process nor access to defined SSP Export Log (mode
  2. There is no intervention to the security process nor access to defined SS. Profile View There is no intervention to the security process nor access to defined SSP User View (full) There is no intervention to the security process nor access to defined SSP User View (Admin only) There is no intervention to the security process nor access to defined SSP Set Date There is no intervention to the security process nor access to defined SSP Get Data There is no intervention to the security process nor access to defined SSP User Unblock Crypto Officer management function service Admin Unblock Crypto Officer management function service System Unblock Crypto Officer management function service Table 11 Approved Services - ISO19790:2012 7.4.3 Services, Non Security-Relevant Services, or Services Using NonApproved Algorithm but Claiming No security The module does not support any non-approved services.
4.3.3 Firmware Loading

The module employs GP APDU Commands i. e Load command and Install command as specified in [GPC_Specification_v2.3] as part of GP Manage Content Services for firmware loading. Due to I/O buffer size of the module, the firmware loading process utilizes several Load commands and Install command. Data output is inhibited in each APDU command execution and during Load Test. The module performs Load Test specified in the section 10.2.2 during firmware loading process. If the load test is failed, specific Status Word of the command is returned to indicate failure on firmware loading and the firmware cannot be used. New firmware version within the scope of this validation must be validated through the [NIST.FIPS.140-3] CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate [NIST.FIPS.140-3] validation. A procedure for firmware loading is described in [FQR 401 9097 Ed 4] section 3.4.2. 34/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 35
5 SOFTWARE AND FIRMWARE SECURITY

Initial firmware is loaded through a chip loader (referenced as Initial Flash Loader) and provided by Hardware Manufacturer. The loader is used to decrypt a RookySE firmware delivered in an encrypted firmware. Once full firmware is received and deciphered, a final checksum is sent to the Flash Loader to compare against the internal computed checksum. From the RookySE firmware, OS checksum can be verified through a GP GET DATA command on DGI DF6E. During this command, the checksum is recalculated on the OS memory range. In case of memory corruption, the card might trigger a security event. OS checksum is checked using a 16-bit EDC and compared against a stored value in NVM. Beside OS Firmware verification, the module also ensures the Applet Packages integrity by computing a CRC16 on each package, and comparing against stored values. The laters are computed during application loading and stored as references. Upon a failed checksum verification, the OS Firmware will trigger a security event. The operator can perform a warm or cold reset to check OS integrity and NVM (applet packages) integrity is valid or not as specified in section 10.1.1 integrity self test.

5.1 Form of Executable Code

The module consists of several components that have different forms of executable code. The following table shows the form of each component: Component Sub Components Form A binary code written in c and assembly language Native Application running on Hardware’s CPU OS Built-in Card Manager A binary code written in Java running on JCVM FIPS Applet A binary code written in Java running on JCVM FIPS Applet Rooky Common Package A binary code written in Java running on JCVM Table 12 Form of Executable Code

5.2 Initiate on Demand

The module permits operators to initiate the pre-operational self-tests on demand by power cycling the module.

6 OPERATIONAL ENVIRONMENT

Not Applicable (Remarks. The module is designated as a limited operational environment under the [NIST.FIPS.140-3] definitions. The module includes a firmware load process (GP Manage Content service) to support necessary updates. New firmware versions within the scope of this validation must be validated through the [NIST.FIPS.140-3] CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate [NIST.FIPS.140-3] validation.) 35/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 36
7 PHYSICAL SECURITY

The module is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The following table shows the physical security mechanisms that are implemented in the module and the actions required by the operator(s) to ensure that the physical security is maintained: Recommended Inspection/Test Physical Security Mechanism Frequency of Guidance Details Inspection/Test Tamper-evident coating on chip The module implements a secure wiring: all security critical wires are protected by special routing measures against probing. Additionally, the wires are embedded into shield lines and used as normal lines for Permanently active, the operation to prevent successful probing N/A detection is automatic Whenever a physical manipulation or physical probing attack is detected, the processing of the module is stopped, and the module enters a secure state (reset) Memory Protection All memories present on the module (Flash, ROM, RAM) are encrypted, memory addresses are scrambled and data transferred over bus are masked. Permanently active, the N/A Furthermore, RAM, Flash and Cache detection is automatic integrity are protected with error detection mechanisms In case of security critical error, the module enters a secure state (reset) Sensors The module is equipped with a temperature Permanently active, the sensor, a voltage sensor, a frequency sensor N/A detection is automatic and backside light detection. The module enters a secure state in case of range violation (reset) Table 13 Physical Security Inspection Guidelines 36/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 37

The following table shows temperature and voltage measurement for EFP that is required for modules with physical Security Level 3: Specify if this Temperature or

11 condition results in

voltage Specify EFP or EFT a shutdown or measurement zeroisation Low Temperature -25°C Shutdown EFT High Temperature +85°C EFT Shutdown Low Voltage 1.40V < Vcc < 1.62V EFT Shutdown High Voltage 5.5V < Vcc < 7.9V EFT Shutdown Table 14 EFP/EFT The following table shows hardness tested at the lowest and highest temperatures within the module's intended temperature range of operation: Hardness tested temperature measurement Low Temperature -25°C High Temperature +85°C Table 15 Hardness Testing Temperature Range

8 NON-INVASIVE SECURITY

Not Applicable 37/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 38
9 SENSITIVE SECURITY PARAMETER MANAGEMENT
9.1 SSP Management

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number CRITICAL SECURITY PARAMETERS

256 CTR_DRBG state (Global) or when no

longer used Overwrite with all zeros value SD-KENC Imported using APDU on: Command STORE Plaintext(obfus Master Encryption DATA or PUT KEY cated)/static in Personalization Master key used to Security Domain key AES through GP SCP ‘03’ persistent at Manufacturing generate SD‐SENC AES-256 N/A at Manufacturing, and N/A memory of the A2912 by erasing all AES Key also later, IN USE Module at data in NVM Mode: N/A (only phase manufacturing derivation) stage APDU I/O type: electronic Command GP Delete Key 38/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 39

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Overwrite with all zeros value SD-KMAC on: Imported using APDU Plaintext(obfus Master MAC Security Command STORE cated)/static in Personalization Domain key AES DATA or PUT KEY persistent Master key used to at Manufacturing AES-256 N/A through GP SCP ‘03’ N/A memory of the generate SD‐SMAC A2912 by erasing all AES Key at Manufacturing Module at data in NVM Mode: N/A (only manufacturing derivation) I/O type: electronic stage APDU Command GP Delete Key Overwrite with all zeros value SD-KDEK Sensitive data decry on: Imported using APDU Plaintext(obfus ption key used to de Master DEK Security Command STORE cated)/static in crypt CSPs (SDPersonalization Domain key AES DATA or PUT KEY persistent KENC, SD-KMAC, at Manufacturing AES-256 N/A through GP SCP ‘03’ N/A memory of the SD-KDEK, DAPA2912 by erasing all AES Key at Manufacturing Module at AES) data in NVM Mode: N/A (only manufacturing derivation) I/O type: electronic stage APDU Command GP Delete Key Generated SD-SENC during Secure Plaintext/dyna Overwrite with CKG Channel mic as a all zeros value Session encryption k GP Secure Channel opening (in volatile Native on: ey used to encrypt / Session Encryption Key AES-256 AES N/A N/A InitUpdate Key Object decrypt secure chan command) using A2912 (RAM) inside Power_ON or nel data AES Key approved key the Module applet selection Mode: CBC generation function (CKG) 39/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 40

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Generated SD-SMAC during Secure Plaintext/dyna Overwrite with CKG Channel GP Secure Channel mic as a all zeros value Session MAC key us opening (in Session Command volatile Native on: ed to verify inbound AES-256 AES N/A N/A InitUpdate MAC Key Key Object secure channel data command) using A2912 (RAM) inside Power_ON or integrity approved key AES Key, the Module applet selection generation Mode: CMAC function (CKG) Generated SD-RMAC during Secure Plaintext/dyna Overwrite with CKG Channel GP Secure Channel mic as a all zeros value Session MAC key us opening (in Session Response volatile Native on: ed to generate respo AES-256 AES N/A N/A InitUpdate MAC Key Key Object nse secure channel command) using A2912 (RAM) inside Power_ON or data MAC approved key AES Key the Module applet selection generation Mode: CMAC function (CKG) Overwrite with all zeros value on: DAP-AES Plaintext/static Imported using APDU as persistent Command PUT KEY Personalization Used to calculate Data Authentication JCVM Key AES through GP SCP ‘03’ at Manufacturing signature (MAC) of Pattern AES Key AES-128 N/A N/A Object owned A2912 at Manufacturing by erasing all loaded package for by the ISD data in NVM firmware loading AES Key inside the I/O type: electronic Mode: CMAC Module APDU Command GP Delete Key CRITICAL SECURITY PARAMETERS

Page 41

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number System Authentication A2912 Data’ that is JCVM Key on: with HOST Static Private Key authenticated and Object owned Authentication Static protected using GP by the FIPS Personalization Public Key (HEC Private Key SCP ‘03’ level 3 Applet inside at Manufacturing sHOST_pk) or User (Encrypted and MAC) the Module as by erasing all Authentication Static on: non-volatile data in NVM Public Key (Hdata sUSER_pk) to Personalization at Firmware generate shared Manufacturing Loading Process secret H-Zs using APDU Firmware Loading Command process to upgrade Delete Package version of new and Instance validated FIPS Applet I/O type: electronic Overwrite with all zeros value on: Plaintext/dyna Used in the Key H-eAUTH_sk Destroy on CKG Generated using mic as JCVM Agreement together shared secret HECDSA Key Pair Key Object with HOST System Authentication Ze generation. Curve KAS- Generation function owned by the Authentication Ephemeral Private Key P-521 N/A N/A ECC (CKG) on FIPS Applet Ephemeral Public Any failure Mutual Authenticate inside the Key (H-eHOST_pk) EC Private Key A2912 during mutual service Module as to generate shared authentication volatile data secret H-Ze On RESET (Warm/Cold) 41/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 42

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Established in the Key Agreement (A2912) Overwrite with between H- all zeros value Combined with H-Ze sAUTH_sk and on: to construct secret Z H-Zs H-sUSER_pk if used in Key Plaintext/Dyna authentication After Key Derivation to KAS- mic in transient Shared secret Zs method is Derivation generate session ECC byte array N/A N/A N/A smartcard- keys H-SKAuthEnc, owned by FIPS

66 bytes of secret data A2912 based or H- Any failure H-SKAuthMac, H-

Applet inside sHOST_pk if during SKAuthKC on the module authentication authentication successful user method is authentication password-based On RESET on Mutual (Warm/Cold) Authenticate service Overwrite with Established in all zeros value the Key Combined with H-Zs on: Agreement to construct secret Z H-Ze used in Key (A2912) Plaintext/dyna After Key Derivation to KAS- between H- mic in transient Derivation Shared secrets Ze generate session ECC eAUTH_sk and byte array N/A N/A N/A keys H-SKAuthEnc, H-eHOST_pk owned by FIPS Any failure

66 bytes of secret data A2912 H-SKAuthMac, H-

on Applet inside during SKAuthKC on Mutual the module authentication successful user Authenticate authentication service On RESET (Warm/Cold) 42/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 43

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Overwrite with all zeros value Generated using on: approved key generation Any failure (CKG) using during User H-SKAuthEnc derivation from authentication Key Agreement Plaintext/dyna CKG Used to encrypt and Encryption Secure Scheme mic in transient Error secure decrypt the Channel Session Key followed by One byte array AES-256 AES N/A N/A messaging in message for secure Step KDF in owned by FIPS secure channel messaging in the AES Key A2912 counter mode Applet inside Secure Channel Mode: CBC with (H-Zs ||H- the module User logging out Ze) as message in the process Close Session on Mutual Authenticate On RESET service (Warm/Cold) Generated using Overwrite with approved key all zeros value generation on: H-SKAuthMac (CKG) using Any failure derivation from Plaintext/dyna CKG during User Used to calculate MAC Secure Channel Key Agreement mic in transient authentication MAC of the Session Key Scheme byte array AES-256 AES N/A N/A message for secure followed by One owned by FIPS Error secure messaging in the AES Key A2912 Step KDF Applet inside messaging in Secure Channel Mode: CMAC counter mode the module secure channel with (H-Zs ||HZe) as message User logging out in the process on Mutual Close Session 43/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 44

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Authenticate service On RESET (Warm/Cold) Used for bilateral Overwrite with key confirmation Generated using all zeros value including for approved key on: generating generation UserToken from (CKG) using Any failure username, {HH-SKAuthKC derivation from during User User_pwd}, HKey Agreement Plaintext/dyna authentication HsmID, H-HostID, Key Confirmation CKG Scheme mic in transient H-eAUTH_pk , and Secure Channel followed by One byte array Error secure H-eHOST_pk in the Session Key AES-256 AES N/A N/A Step KDF owned by FIPS messaging in authentication A2912 counter mode Applet inside secure channel process AES Key with (H-Zs ||H- the module Mode: CMAC Ze) as message User logging out Used to generate in the process IVs for Message on Mutual Close Session Encryption / Authenticate Decryption for service On RESET secure messaging in (Warm/Cold) Secure Channel Exported and Established from Plaintext(obfus Overwrite with H-CCMK encrypted through CKG Generated internally three different cated)/static as all zeros on: secure channel using using approved CKG secrets from JCVM Key Used as master key Crypto Card Master split knowledge AES (Direct Generation of three different Object owned System Reset to derrive HKey procedure on Export AES-256 DRBG Symmetric Key) and key custodians by the FIPS service CCMKEnc and HCCMK services KDF split into 3 secrets on through secure Applet inside CCMKMac AES Key Export CCMK channel on the Module as Personalization Mode: N/A (only A2912 services Import CCMK non-volatile at Manufacturing derivation) Imported through services data by erasing all secure channel using 44/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 45

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number split knowledge data in NVM procedure on Import CCMK services Firmware Loading Process I/O type: electronic using APDU Command Delete Package and Instance Overwrite with all zeros on: System Reset service Derived from Plaintext(obfus Used to H-CCMKEnc pre-existing key cated)/static as CKG Personalization encrypt/decrypt key H-CCMK using JCVM Key at Manufacturing token for Key Encryption Derived one step KDF Object owned AES by erasing all Protection CCMK Key AES-256 N/A N/A counter mode by the FIPS data in NVM A2912 on successful Applet inside AES Key completion of 3 the Module as Firmware Mode : CBC secrets export or non-volatile Loading Process import data using APDU Command Delete Package and Instance Overwrite with H-CCMKMac Derived from Plaintext(obfus CKG all zeros on: pre-existing key cated)/static as Used to calculate MAC Derived CCMK H-CCMK using JCVM Key MAC of key token as AES System Reset Key AES-256 N/A N/A one step KDF Object owned part of token for Key service A2912 counter mode by the FIPS Protection AES Key on successful Applet inside Personalization Mode : CMAC completion of 3 the Module as at Manufacturing 45/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 46

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number secrets export or non-volatile by erasing all import data data in NVM Firmware Loading Process using APDU Command Delete Package and Instance Imported using APDU Command ‘Store Overwrite with Data’ that is all zeros on: authenticated and protected using GP Personalization H-KSync SCP ‘03’ level 3 Plaintext(obfus at Manufacturing (Encrypted and MAC) Used as master key cated)/static in by erasing all Synchronization Master on: to derive HKDF persistent byte data in NVM Key SKSyncEnc and HAES-256 N/A N/A array owned by A2912 Personalization at SKSyncMac for FIPS Applet Firmware AES Key Manufacturing Synchronization inside the Loading Process Mode: N/A (only Firmware Loading Session Keys module using APDU derivation) process to upgrade Command version of new Delete Package validated FIPS Applet and Instance I/O type: electronic H-SKSyncEnc CKG Derived from Plaintext/dyna Used to Overwrite with pre-existing key mic in transient encrypt/decrypt all zeros on: Encryption AES H-KSync using byte array SYNC Token using AES-256 N/A N/A Synchronization one step KDF owned by FIPS Automated SSP A2912 Any failure Session Key counter mode Applet inside Establishment Key during with incremental the module Transport in 46/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 47

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number AES Key SYNC session synchronization synchronization Mode: CBC counter as part session process of the message on every After synchronization synchronization initiation (SYNC session Request Token completed service in System On RESET MASTER and (Warm/Cold) SYNC Write Token service in System SLAVE) Derived from pre-existing key H-KSync using Overwrite with one step KDF all zeros on: counter mode with incremental Any failure Used to calculate H-SKSyncMac SYNC session during CKG Plaintext/dyna MAC of SYNC counter as part synchronization mic in transient Token using MAC Synchronization of the message session AES byte array Automated SSP Session Key AES-256 N/A N/A on every owned by FIPS Establishment Key A2912 synchronization After Applet inside Transport in AES Key initiation (SYNC synchronization the module synchronization Mode: CMAC Request Token session process service in completed System MASTER and On RESET SYNC Write (Warm/Cold) Token service in System SLAVE) H-User_pwd Maximum 16 Imported along with Plaintext(obfus Overwrite with Used as part of char AES N/A N/A username via User cated)/static in all zeros on: credential data to 47/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 48

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number User’s password KAS- Create service persistent byte generate User credential ECC through secure array owned by System Reset Token using HA2912 channel FIPS Applet SKAuthKC Maximum 16 Updated the old inside the User deletion characters password with new module password via User Synchronization Change Password service through Personalization secure channel at Manufacturing by erasing all I/O type: electronic data in NVM Firmware Loading Process using APDU Command Delete Package and Instance Key token data Hwill be zeroised KT_ECDSA_PAIR when the user is can be stored blocked, System outside the System Imported via Import is blocked or module protected by H-KT_ECDSA_PAIR Generated using CKG Key service and Plaintext/dyna terminated, and H-CCMKEnc and HCurve P-192 ECDSA Key Pair Curve P-224 Exported via Export mic as a device reset CCMKMac, or by Key Token ECDSA Generation function Curve P-256 ECDSA Key service N/A volatile data (warm/cold). approved symmetric PAIR Curve P-384 (CKG) on inside the key token (HCurve P-521 A2912 Generate Key I/O type: electronic System module Also when the KT_AES) ECC Key Pair service following services are executed: Public Key of this - System Reset key token can be used to perform 48/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 49

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number - Manage Crypto operation via Crypto Verify service session - Sync write Private Key of this token key token can be used to perform Crypto operation via Crypto Sign service HKT_ECDSA_PAIR with Curve P-192 can only be used for signature verification and not for signature generation Key token data will be zeroised H-KT_ECDSA_sk when the user is can be stored blocked, System outside the system is blocked or module protected by terminated, and H-CCMKEnc and HImported via Import H-KT_ECDSA_sk device reset CCMKMac, or by Key service and Plaintext/dyna Curve P-192 (warm/cold). approved symmetric Curve P-224 ECDSA Exported via Export mic as a Key Token ECDSA key token (HCurve P-256 N/A Key service N/A volatile data PRIVATE Curve P-384 A2912 Also when the KT_AES) Curve P-521 inside the I/O type: electronic System module following ECC Private Key services are All curves (except executed: curve P-192) of this key token can be - System Reset used to perform - Manage Crypto operation via session Crypto Sign service 49/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 50

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number - Sync write token H-KT_AES can be stored outside the Key token data System module will be zeroised protected by Hwhen the user is CCMKEnc and Hblocked, System CCMKMac, or by is blocked or approved symmetric H-KT_AES also terminated, and key token (Hcan be device reset KT_AES) Imported via Import generated from H-KT_AES Generated internally (warm/cold). CKG Key service and Diversify Key Plaintext/dyna using approved H-KT_AES can be AES-128 Exported via Export service using mic as a Key Token AES Generate Key Also when the used to protect AES-192 Key service KDF Counter volatile data AES-256 AES service (CKG)

Page 51

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number device reset approved symmetric (warm/cold). key token (HKT_AES) Also when the following Public Key of this services are key token can be executed: used to perform - System Reset Crypto operation via Crypto Verify - Manage service. session - Sync write Private Key of this key token can be token used to perform Crypto operation via Crypto Sign service. (Key Token RSA-

1024 can only be

used for signature verification) Key token data Hwill be zeroised KT_RSA_SFM_PAI HImported via Import when the user is R can be stored KT_RSA_SFM_PAIR Generated using CKG Key service and Plaintext/dyna blocked, System outside the System RSA-1024 RSA Key Pair Exported via Export mic as a is blocked or module protected by Key Token RSA SFM RSA-2048 Generation function RSA-3072 RSA Key service. N/A volatile data terminated, and H-CCMKEnc and HPAIR (CKG) on approved RSA-4096 inside the device reset CCMKMac, or by A2912 Generate Key I/O type: electronic System module (warm/cold). approved symmetric RSA SFM Key Pair service key token (HMode: PSS or PKSC1 Also when the KT_AES) following 51/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 52

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number services are Public Key of this executed: key token can be - System Reset used to perform Crypto operation via - Manage Crypto Verify session service. - Sync write Private Key of this token key token can be used to perform Crypto operation via Crypto Sign service. (Key Token RSA-

1024 can only be

used for signature verification) Key token data Hwill be zeroised KT_RSA_CRT_sk when the user is can be stored blocked, System outside the System H-KT_RSA_CRT_sk Imported via Import is blocked or module protected by Key service and Plaintext/dyna terminated, and RSA-1024 H-CCMKEnc and HKey Token RSA CRT RSA Exported via Export mic as a device reset RSA-2048 CCMKMac, or by PRIVATE N/A Key service N/A volatile data (warm/cold). RSA-3072 A2912 approved symmetric RSA-4096 inside the key token (HRSA CRT Private Key I/O type: electronic System module Also when the KT_AES) Mode: PSS or PKSC1 following services are Key Token RSA executed: Private can be used - System Reset to perform Crypto 52/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 53

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number - Manage operation via Crypto sign service session - Sync write (For Crypto sign, token key token RSA Private 1024 is excluded) HKey token data KT_RSA_SFM_sk will be zeroised can be stored when the user is outside the System blocked, System module protected by is blocked or H-CCMKEnc and Hterminated, and CCMKMac, or by device reset approved symmetric H-KT_RSA_SFM_sk Imported via Import (warm/cold). key token (HKey service and Plaintext/dyna RSA-1024 KT_AES) Key Token RSA SFM RSA Exported via Export mic as a RSA-2048 Also when the PRIVATE N/A Key service N/A volatile data RSA-3072 A2912 following Key Token RSA RSA-4096 inside the services are Private can be used RSA SFM Private Key I/O type: electronic System module executed: to perform Crypto Mode: PSS or PKSC1 - System Reset operation via Crypto sign service. - Manage session (For Crypto sign, - Sync write key token RSA Private 1024 is token excluded) H-KT_HMAC HMAC-64 CKG Generated internally H-KT_HMAC Plaintext/dyna Key token data H-KT_HMAC can be HMAC-128 Imported via Import HMAC-160 using approved also can be mic as a will be zeroised stored outside the Key service and HMAC-224 HMAC Generate Key generated from volatile data when the user is System module 53/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 54

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Key Token HMAC HMAC-256 A2912 service (CKG)

Page 55

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number - Manage session Sync write token Key token data H-KT_RSA_pk can will be zeroised be stored outside when the user is the System module blocked, System protected by His blocked or CCMKEnc and Hterminated, and CCMKMac, or by device reset approved symmetric H-KT_RSA_pk Imported via Import (warm/cold). key token (HKey service and Plaintext/dyna RSA-1024 KT_AES) Key Token RSA RSA Exported via Export mic as a RSA-2048 Also when the PUBLIC N/A Key service N/A volatile data RSA-3072 A2912 following Key Token RSA RSA-4096 inside the services are Public can be used RSA Public Key I/O type: electronic System module executed: to perform Crypto Mode: PSS or PKSC1 - System Reset operation via Crypto Verify service. - Manage session Key Token RSA- Sync write 1024 Public can only be used for token signature verification Used in the Key Imported using APDU Plaintext(obfus Overwrite with Agreement together H-sAUTH_pk Command ‘Store cated)/static as all zeros value with HOST Data’ that is JCVM Key on: KAS- Authentication Static System Authentication authenticated and Object owned Curve ECC Private Key or User Static Public Key N/A protected using GP N/A by the FIPS Personalization P-521 Authentication Static A2912 SCP ‘03’ level 3 Applet inside at Manufacturing Private Key to EC Public Key (Encrypted and MAC) the Module as by erasing all generate shared on: non-volatile data in NVM secret in H-Zs in the data client side 55/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 56

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Personalization at Firmware Manufacturing Loading Process Firmware Loading using APDU process to upgrade Command version of new Delete Package validated FIPS Applet and Instance Exported using System Get Data Service through Secure Channel I/O type: electronic Imported using APDU Command ‘Store Overwrite with Data’ that is all zeros value authenticated and on: protected using GP SCP ‘03’ level 3 Plaintext/static Used in the Key Personalization H-sHOST_pk (Encrypted and MAC) as JCVM Key Agreement together at Manufacturing KAS- on: Object owned with System by erasing all HOST Authentication Curve ECC by the FIPS Authentication Static N/A N/A data in NVM Static Public Key P-521 Personalization at Applet inside Private Key (HA2912 Manufacturing the Module as sAUTH_sk) to Firmware EC Public Key Firmware Loading non-volatile generate shared Loading Process process to upgrade data secret H-Zs using APDU version of new Command validated FIPS Applet Delete Package and Instance Exported using System Get Data 56/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 57

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Service through Secure Channel I/O type: electronic Imported via User Create service through secure channel (for all users except Super User) Overwrite with all zeros on: Personalized at Manufacturing System Reset through GP SCP ‘03’ level 3 (only User deletion Plaintext(obfus applicable for Super Used in the Key cated)/static as H-sUSER_pk User’s Public Key) Synchronization Agreement together JCVM Key KAS- with System Object owned User Authentication Curve ECC Updated using Personalization Authentication Static N/A N/A by the FIPS Static Public Key P-521 System Store Data at Manufacturing Private Key (HA2912 Applet inside service through by erasing all sAUTH_sk) to the Module as EC Public Key secure channel (only data in NVM generate shared non-volatile applicable for Super secret H-Zs data User’s Public Key) Firmware Loading Process Exported using using APDU System Get Data Command Service through Delete Package Secure Channel (only and Instance applicable for Super User’s Public Key) I/O type: electronic 57/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 58

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number Overwrite with all zeros value on: H-eAUTH_pk Plaintext/dyna Used in the Key Returned to the user Generated using mic as JCVM Any failure Agreement together CKG as part of response System Authentication ECDSA Key Pair Key Object during mutual with HOST data of Mutual Ephemeral Public Key Curve Generation function owned by the authentication Authentication ECDSA Authenticate service N/A P-521 (CKG) on Mutual FIPS Applet Ephemeral Private EC Public Key A2912 Authenticate service inside the Successful user Key to generate I/O type: electronic Module as authentication shared secret in Hvolatile data Ze in the client side On RESET (Warm/Cold) Overwrite with all zeros value on: Plaintext/dyna Used in the Key H-eHOST_pk Imported through mic as JCVM Any failure Agreement together KAS- Mutual Authenticate Key Object during mutual with System HOST / SMA ECC Curve service owned by the authentication Authentication Authentication KDF N/A N/A P-521 FIPS Applet Ephemeral Private Ephemeral Public Key A2912 I/O type: electronic inside the Successful user Key (H-eAUTH_sk) Module as authentication to generate shared EC Public Key volatile data secret H-Ze On RESET (Warm/Cold) H-HsmID Plaintext/static Used as FixedInfo KDF Overwrite with in persistent data in Key N/A N/A Pre-defined value N/A all zeros value Predefined System A2912 byte array Confirmation and on: Identification data owned by the UserToken 58/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 59

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number FIPS Applet inside the Personalization Module at Manufacturing by erasing all data in NVM Firmware Loading Process using APDU Command Delete Package and Instance Imported as part of Plaintext/dyna Overwrite with mutual authenticate mic in transient all zeros value Used as FixedInfo H-HostID KDF service’s incoming byte array on: data in Key N/A N/A data N/A owned by the Confirmation and HOST Identification A2912 FIPS Applet On RESET UserToken data I/O type: electronic inside the (Warm/Cold) Module OTHER PARAMETERS (not considered as SSPs but included here for completeness) Key token data H-KT_3DES will be zeroised also can be when the user is Imported via Import Needed by some generated from blocked, System Generated internally Key service and product outside the H-KT_3DES Diversify Key Plaintext/dyna is blocked or using approved CKG Exported via Export cryptographic TDES-64 service using mic as a terminated, and (Direct Generation of Key service module for Key Token DES TDES-128 CKG KDF Counter volatile data device reset TDES-192 Symmetric Key) in compatibility mode with inside the (warm/cold). Generate Key purpose. DES Key approved System module service I/O type: electronic MasterKey (H- Also when the KT_AES or H- following KT_HMAC) services are executed: 59/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 60

Security Function Key/SSP Name/ Type Strength and Cert. Generation Import /Export Establishment Storage Zeroisation Use & related keys Number - System Reset - Manage session - Sync write token OS-MKEK Key is erased Generated using Plaintext/static upon Card Key Encryption Key Master Key approved CKG in persistent Manager used to encrypt (obf (Direct Generation of memory of the lifecycle AES Key AES-128 CKG N/A N/A uscate) Symmetric Key) Module at switched to storage of CSPs function as described manufacturing TERMINATED (Not a SSP but list here in SP800-90 stage (Overwrite with for completeness) all zeros) Table 16 SSPs 60/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 61
9.2 SSPs Access

SSPs are securely stored in the Cryptographic Module, a secure element hardware that is considered as secure enclave. The SSPs stored in the module is associated and accessible only via approved services as you can see in this section. The approved services itself are associated and accessible to some specific roles as described in the table section 4.3.1.

9.3 Random Bit Generator (RBG)

The RBG source within this module is from entropy source with tittle “ENT (P)” in the Table Approved Algorithm. Minimum number of Entropy sources Details bits of entropy The Entropy Source is a hardware module inside the CM boundary. The Entropy Source supplies the DRBG with more than 92 bytes Minimum entropy of Since the entropy source provides a min Hardware-TRNG

2.800831 bits per byte entropy output of at least 2.800831 bits of min

entropy per byte, this is sufficient to obtain 256 bits of security strength Table 17 Non-Deterministic Random Number Generation Specification The TRNG (or entropy source) output is used to seed DRBG. The use of DRBG output in the module are described below:

  1. Generate random number for initial Nonce for key protection by CCMK during FIPS Applet Installation
  2. Generate key for CCMK in “CCMK Export 1” service
  3. Generate random numbers for Split procedure in “CCMK export” services and “Generate Key (for Split Knowledge)” service
  4. Generate key for Customer key in “Generate Key (for Split Knowledge)” service
  5. Generate key for Symmetric Key in “Generate Key” Service
  6. Generate key for Asymmetric Key (RSA and EC Key pair) in “Generate Key Pair” Service
  7. Ephemeral EC Key Generation during Key Agreement in the Mutual Authentication service
  8. Utilized in Cipher process of RSA PKCS and PSS
  9. Utilized in Signature Generation process using ECDSA
  10. Utilized to generate card challenge in GP Initialize Update command
  11. Utilized in GP Put Key Command
  12. Utilized in the creation of OS-MKEK The approved services that uses DRBG are listed in the section 4.3.2 with link to “DRBG”.
9.4 SSP Zeroization

For all SSP, an implicit indicator that the zeroization is completed is provided. This indicator is the successful completion of the requested service for SSP zeroized through a dedicated command (the command is indicated in column “zeroization” of Table 16 SSPs) or Answer-to-RESET (ATR) in case of module reset. For SSP that are automatically zeroized (e.g H-Zs and H-Ze), the implicit indicator is the completion of the command mentioned in Table 16 SSPs with a correct status or an error status. 61/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.1

Page 62
10 SELF-TESTS

The module has several self-tests that are triggered at pre-operational (manufacturing stage, power on, or prior to its first use), on demand, conditionally, and periodically. If any self-test fails other than the pairwise consistency, manual entry test, and firmware load test in the conditional self-test, the module will enter in the Kill Card state and emit an error code that identifies the type of test that failed. No further communication with the module is possible until the module is reset (Power-On). If it happens several times and reaches the error limit, the module will be terminated.

10.1 Pre-Operational Self-Tests

This section describes pre-operational self-test executed at startup (power on).

10.1.1 Pre-Operational Software/Firmware Integrity Test

The software/firmware integrity is verified using a 16-bit EDC, referred to as CRC-16 hereafter. Test Target Description NVM Integrity CRC-16 performed over all executable (JavaCard packages) in NVM ROM Code Integrity CRC-16 performed over all ROM code Table 18 Integrity Self-Test Target

10.1.2 Pre-Operational Critical Functions Test

This critical function self-test is performed in every power on before executing integrity self-test. Test Target Description CRC-16 Computes CRC-16 from a fixed message and checks the result (a critical function test) TRNG Performs Hardware True Random Number Generator tests DRBG Performs a fixed input KAT of CTR_DRBG instantiate and generate functions Table 19 Critical Function Self-test

10.2 Conditional Self-Tests

The module will automatically trigger specific self-test in some conditions. There are several types of conditional self-tests that are employed by the module described in the following section.

10.2.1 Conditional Cryptographic Algorithm Test

The module employs Known Answer Test (KAT) to perform Cryptographic Algorithm Self-test. For performance concern, not all algorithm are executed in the startup (power on) but prior to its first use. Algorith Test Condition Coverag Coverag Periodic Test method Type Indicator Details Period m or Test Properties s e e Notes Method Pass: Next On test Power 2.097.15 Deman CRC-16 CRC-16 bit KAT CAST CRC - - 1 d& Fail: On Module Auto in 62/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 63

Algorith Test Condition Coverag Coverag Periodic Test method Type Indicator Details Period m or Test Properties s e e Notes Method KillCar d State Pass: Next test On AES, 128- Covered by AES- Fail: Power Cert IG 2.097.15 Deman bit, CAST on KDF- CAST Encrypt

1 d&

CBC CMAC Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On Covered by AES- AES, 128- Fail: Power Cert IG 2.097.15 Deman CAST on AES CAST Decrypt

1 d&

CBC bit, ECB Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On Covered by AES- AES, 128- Fail: Power Cert IG 2.097.15 Deman CAST on KDF- CAST Encrypt

1 d&

ECB bit, ECB CMAC Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On AES- AES, 128- Fail: Power Cert IG 2.097.15 Deman KAT CAST Decrypt ECB bit, ECB Module On #A2912 10.3.A 1 d& in Auto KillCar d State Pass: Next test On CTR_DRB Fail: Power Cert IG 2.097.15 Deman DRBG G KAT CAST Generate

1 d&

Module On #A2912 10.3.A AES 256 Auto in KillCar d State Pass: Next test On CTR_DRB Fail: Power Cert IG 2.097.15 Deman DRBG G KAT CAST Instantiate

1 d&

Module On #A2912 10.3.A AES 256 Auto in KillCar d State Pass: Next test On CTR_DRB Fail: Power Cert IG 2.097.15 Deman DRBG G KAT CAST Reseed

1 d&

Module On #A2912 10.3.A AES 256 Auto in KillCar d State Pass: Next test On HMAC SHA- Fail: Power Cert IG 2.097.15 Deman HMAC 1, 128-bit KAT CAST Generate

1 d&

Module On #A2912 10.3.A in Auto KillCar d State 63/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 64

Algorith Test Condition Coverag Coverag Periodic Test method Type Indicator Details Period m or Test Properties s e e Notes Method Pass: Next test On Covered by SHA2- Fail: Power Cert IG 2.097.15 Deman CAST on SHA2- CAST Generate

1 d&
224 256 – bit

Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On SHA2- SHA2-256 Fail: Power Cert IG 2.097.15 Deman KAT CAST Generate

256

in Auto KillCar d State Pass: Next test On Covered by SHA2- Fail: Power Cert IG 2.097.15 Deman CAST on SHA2- CAST Generate

1 d&
384 512 – bit

Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On SHA2- SHA2-512- Fail: Power Cert IG 2.097.15 Deman KAT CAST Generate

512 bit Module On #A2912 10.3.A 1 d&

in Auto KillCar d State Pass: Next test On SHA3-512- Fail: Power Cert IG 2.097.15 Deman SHA-3 KAT CAST Generate

1 d&

bit Module On #A2912 10.3.A in Auto KillCar d State Pass: Next test On KDF, Fail: Power Cert IG 2.097.15 Deman KDF AES CMAC KAT CAST Generate

1 d&

128 -bit Auto

in KillCar d State Pass: Next test On signature Fail: Cert IG 2.097.15 Deman ECDSA P-224 curve KAT CAST generation First Use 1 d& Module , #A2912 10.3.A in Auto KillCar d State Pass: Next test On Fail: Signature Cert IG 2.097.15 Deman ECDSA P-224 curve KAT CAST verification First Use 1 d& Module #A2912 10.3.A in Auto KillCar d State 2048-bit On Pass: signature RSA RSA-STD Cert IG 2.097.15 Deman KAT CAST Next generation First Use 1 d& PSS PSS with STD #A2912 10.3.A test Auto SHA2-256 64/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 65

Algorith Test Condition Coverag Coverag Periodic Test method Type Indicator Details Period m or Test Properties s e e Notes Method Fail: Module in KillCar d State Pass: Next 2048-bit test On signature RSA RSA-CRT Fail: Cert IG 2.097.15 Deman KAT CAST generation First Use 1 d& PSS PSS with Module CRT #A2912 10.3.A SHA2-256 in Auto KillCar d State Pass: Next 2048-bit test On RSA RSA PSS Fail: Signature Cert IG 2.097.15 Deman KAT CAST verification First Use 1 d& PSS with SHA2- Module #A2912 10.3.A

256 in Auto

KillCar d State Pass: Next 2048-bit test On RSA Covered by signature RSA-STD Fail: Cert IG 2.097.15 Deman PKCS 1 CAST on RSA- CAST generation First Use 1 d& PSS with PSS Module STD #A2912 10.3.A V1.5 Auto SHA2-256 in KillCar d State Pass: Next 2048-bit test On RSA Covered by signature RSA-CRT Fail: Cert IG 2.097.15 Deman PKCS 1 CAST on RSA- CAST generation First Use 1 d& PSS with PSS Module CRT #A2912 10.3.A V1.5 Auto SHA2-256 in KillCar d State Pass: Next 2048-bit test On RSA RSA-PSS Covered by CAST Fail: Signature Cert IG 2.097.15 Deman PKCS 1 on RSA-PSS CAST verification First Use 1 d& with SHA2- Module #A2912 10.3.A V1.5 Auto

256 in

KillCar d state Pass: Covered by Next CAST on test On KAS- ECDSA, KDF Fail: Cert IG 2.097.15 Deman KDF CAST Generate First Use 1 d& ECC and Module #A2912 10.3.A AES CMAC 128 in Auto -bit KillCar d state Pass: Next AES-CBC Covered by- test On & AES CAST on AES- Fail: Cert IG 2.097.15 Deman KTS CAST - First Use 1 d& CMAC 128 CBC and AES- Module #A2912 10.3.A -bit CMAC. in Auto KillCar d state Pass: Next Encryption On (Verify AES Covered by test Cert IG 2.097.15 Deman CAST uses First Use 1 d& CMAC AES CMAC CAST on KDF Fail: encryption #A2912 10.3.A

128 -bit Module Auto

) in 65/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 66

Algorith Test Condition Coverag Coverag Periodic Test method Type Indicator Details Period m or Test Properties s e e Notes Method KillCar d state Table 20 CM Conditional CAST

10.2.2 Conditional Software/Firmware Load Test

The module relies on DAP Verification specified in [GPC_Specification_v2.3] section 9.2.1. The employed DAP Verification for Load Test is using AES-CMAC as approved data authentication technique to verify the validity of the firmware that is loaded. The AES Key with 128 bits key length (DAP-AES) is loaded at manufacturing stage used as authentication key to calculate the MAC of the loaded firmware.

10.2.3 Conditional Pair-Wise Consistency Test

When the module generating RSA and ECC Key Pair via ‘Generate Key Pair’ service, the module performs pairwise consistency test using sign and verify of known value technique. If pairwise consistency test is failed the module returns error code value ‘D6’ indicating error in Generate Key Service with reason pair-wise consistency self-test is failed. On five consecutive errors, the module will enter blocked state. An exit procedure from this state is described in [FQR 401 9097 Ed 4] section 7.3.

10.2.4 Conditional Manual Entry Test

The module performs manual entry self-test on some services such as “CCMK Import” services done by each key custodian to enter each secret of CCMK and “CK Import” services done by each customer key custodian enter secrets of customer key. Those operators enter KCV along with its secret. The module performs manual entry self-test by comparing entered KCV and calculated KCV of given secret. If the entered KCV does not match with calculated KCV, the manual entry test is failed with error code ‘D7’. On five consecutive errors, the module enters blocked state. An exit procedure from this state is described in [FQR 401 9097 Ed 4] section 7.3.

10.3 Periodic Self-Test

The module provides a periodic self-test that is executed in every certain number of FIPS Applet service execution. This number is configured on FIPS Applet installation with 2,097,151 as default value. This periodic self-test executes the self-test described in the section 10.1. Data output is inhibited during self-test execution. Only power reset, Hard-fault, procedure NULL (‘60’) byte in ISO7816 interface, and check alive command in SPI can interrupt the process. If it’s interrupted by the Hard-fault, the module enters error state of the hardware and requires power reset to exit from this state.

10.4 Operator Initiation of Self-Tests

The module permits operators to initiate the pre-operational self-tests on demand by power cycling the module.

10.5 Error States

Recovery Name Description Conditions Indicator Method A state that indicates the module Pre-Operational SelfKillCard State is in security state. Module at this Tests Failure Power Muted (Low-level state can no longer communicate Conditional cycle Device Error State) till a power reset (cold or warm) Cryptographic Algorithm is performed Test Failure 66/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 67

Periodic Self-Test Failure Table 21 Error States

11 LIFE-CYCLE ASSURANCE
11.1 Installation, Initialization and Startup Procedure

The module is delivered as single chip to the customer where its life cycle state is in SYSTEM INITIALIAZATION state. The customer shall follow below procedures for secure installation, initialization, startup and operation of the module:

  1. The installation procedure of the module that supports two physical interface ISO7816 T0 protocol and SPI Protocol are described as follow: a. Each ISO7816 physical port defined in section 3.1.1 must be installed correctly by connecting each ISO port (VCC, GND, RST, CLK, IO) of the module to the corresponding ISO Reader’s port or terminal’s port. Electrical characteristics in each connected port, signal sequence in activation and deactivation, and transmission protocol shall follow [ISO/IEC 7816-3]. b. Each SPI physical port defined in section 3.1.2 must be installed correctly by connecting each SPI port (VCC, GND, RST, SPI_CLK, SPI_MISO, SPI_MOSI, SPI_CS) of the module to the corresponding SPI Reader’s port or SPI master device’s port. Electrical characteristics in each connected port and its transmission protocol shall follow chip manufacturer datasheet.
  2. All module components specified in section 2.1.2 are already installed in the manufacturing. The configuration is set to FIPS Certified Product (FCP).
  3. In the SYSTEM INITIALIZATION state: a. Super User shall create new credential and replace its default credential in the module. b. Then, Super User shall create new Administrator role in the module. When this procedure is successfully done, the module state is automatically changed to KEY CEREMONY state.
  4. In the KEY CEREMONY state: a. Administrator shall create new roles for Auditor and three Key Custodians role. b. Then, Administrator shall initiate KEY CEREMONY session together with three Key Custodians to import or export CCMK of the module using split knowledge procedure. c. After that Administrator shall confirm either to keep the configuration still in FIPS Certified Product (FCP) or not. Please note that if Administrator is answering no, then the module will loose its FIPS Certified status. Customer cannot revert to FIPS Certified status unless the module is returned at IDEMIA to be erased and personalized with new SSPs. It is recommended for customer to perform System Reset before returning the module to the IDEMIA. When this procedure is successfully done, the module state is automatically changed to System USER (operational) state.
  5. When the module is in operational state and configured as FIPS Certified Product (FCP): a. Only approved mode of operation is available for users. In this mode of operation, only approved services in section 4.3.2 is available for users. b. Only applet that is already validated under [NIST.FIPS.140-3] evaluation shall be loaded and installed in the module. Otherwise, the module will loose its FIPS certified status. This is not 67/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2
Page 68

automatically enforced by the module but must be obeyed by following procedure defined in [FQR 401 9097 Ed 4] section 3.4.2.

  1. The module does not support maintenance role.
  2. The Administrator shall update current date of the module. It is strongly recommended to update the current date of the module on daily basis.
  3. Detailed information about module life cycle state and procedures for initialization and operation of the module at customer side, and the procedure to keep the module still in FIPS are described in document [FQR 401 9097 Ed 4] for Crypto Officer Role and [FQR 401 9098 Ed 3] for User Role.
11.1.1 Components Version Number Retrieval Procedures

Hardware version can be retrieved with the following steps:

Page 69
11.2 Secure Sanitization and Destruction Procedure

Sanitization can be done by performing HSM Reset that is authorized by SUPER_USER and HSM Administrator credentials authenticated in Admin Session. HSM Reset service will perform zeroization that is created at customer side and set back module to Factory State like when the customer receives the module for the first time. For secure destruction procedure, it is recommended for customers to follow below step:

  1. Under role ‘’AA” (Application Administrator) to set card manager state to TERMINATED.
  2. Once, it is terminated, OS-MKEK that is used to encrypt all keys stored in the module is zeroised.
  3. Once OS-MKEK is zeroised, all keys stored in the module cannot be retrieved in plaintext form. Event encrypted form, it is difficult to those keys which are stored inside the flash on single chip component which are protected with hard tamper-evident coating on the chip.
12 MITIGATION OF OTHER ATTACKS

The Module implements defenses against:

Page 70

Reference Detail Reference [NIST.FIPS.140-3] Security Requirements for Cryptographic Modules [NIST.FIPS.180-4] Secure Hash Standard (SHS) [NIST.FIPS.186-4] Digital Signature Standard (DSS) [NIST.FIPS.197] Advanced Encryption Standard (AES) [NIST.FIPS.198-1] The Keyed-Hash Message Authentication Code (HMAC) SHA-3 Standard: Permutation-Based Hash and Extendable-Output [NIST.FIPS.202] Functions Recommendation for Block Cipher Modes of Operation: Methods and [NIST.SP.800-38A] Techniques Recommendation for Block Cipher Modes of Operation: the CMAC Mode [NIST.SP.800-38B] for Authentication Recommendation for Block Cipher Modes of Operation: Methods for Key [NIST.SP.800-38F] Wrapping Recommendation for Pair-Wise Key-Establishment Schemes Using [NIST.SP.800-56A.Rev3] Discrete Logarithm Cryptography Recommendation for Pair-Wise Key-Establishment Using Integer [NIST.SP.800-56B.Rev2] Factorization Cryptography Recommendation for Key-Derivation Methods in Key-Establishment [NIST.SP.800-56C.Rev2] Schemes [NIST.SP.800-63b] Digital Identity Guidelines Recommendation for the Triple Data Encryption Algorithm (TDEA) Block [NIST.SP.800-67.Rev2] Cipher Recommendation for Random Number Generation Using Deterministic [NIST.SP.800-90A.Rev1] Random Bit Generators [NIST.SP.800-90B] Recommendation for the Entropy Sources Used for Random Bit Generation Recommendation for Key Derivation Using Pseudorandom Functions [NIST.SP.800-108] (Revised) [NIST.SP.800-131A.Rev2] Transitioning the Use of Cryptographic Algorithms and Key Lengths [NIST.SP.800-133.Rev2] Recommendation for Cryptographic Key Generation CMVP Documentation Requirements: CMVP Validation Authority Updates [NIST.SP.800-140A] to ISO/IEC 24759 [NIST.SP.800-140B] CMVP Security Policy Requirements [NIST.SP.800-140E] CMVP Approved Authentication Mechanisms A.2 ISO/IEC References Reference Detail Reference “Identification cards - Integrated circuit cards - Part 3: Cards with contacts [ISO/IEC 7816-3] Electrical signal and transmission protocols”. - 2006-11-01 - Third edition 70/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 71

REFERENCE NUMBER: ISO/IEC 7816-3:2006(E) “Identification cards - Integrated circuit cards - Part 4: Organization, security [ISO/IEC 7816-4] and commands for interchange." - 2013-04-15 - Third edition REFERENCE NUMBER: ISO/IEC 7816-4:2013(E) Information technology

Page 72

APPENDIX 2. ACRONYMS AND DEFINITIONS Acronym Definition FIPS Federal Information Processing Standard LKD Local Key Database LKD_DP Local Key Database Data Preparation KCV Key Check Value CCMK Crypto Card Master Key DGI Data Grouping Identifier APDU Application Protocol Data Unit SE Secure Element SPI Serial Peripheral Interface GP Global Platform RAM Random Access Memory AdminApp Admin Application Enc Encipher Dec Decipher Sig Signature Ver Verify JCVM Java Card Virtual Machine 72/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2

Page 73
13 DOCUMENT REVISIONS

1.2 - Update table 3 for CKG and KDF to update description/key size

- Update table 16 to add CKG in some key and its used - Update table conditional self-test - Add new table for error states - Add new section 11.2 Secure Sanitization and Destruction Procedure

1.1 Renaming some tables according SP800-140B; typographic errors corrections.

1.0 Initial version

73/73 FIPS Applet on RookySE FIPS 140-3 Non-Proprietary Security Revision Date: 30/09/2024 Policy V1.2