All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 3

Certificate#4833StandardFIPS 140-3Level3TypeHardwareEmbodimentSingle ChipStatusActiveVendorMotorola Solutions, Inc.
High review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level3
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/10/2029
CaveatWhen installed, initialized and configured as specified in Section 11 of Security Policy. No assurance of the minimum strength of generated SSPs
VendorMotorola Solutions, Inc.

Approved Algorithms (19)

AlgorithmACVP Cert
AES-CBCA2261
AES-CBCA2262
AES-CFB8A2260
AES-ECBA2261
AES-ECBA2262
AES-GCMA2262
AES-KWA2263
AES-KWA2264
AES-OFBA2260
AES-OFBA2261
AES-OFBA2262
Counter DRBGA2265
ECDSA KeyGen (FIPS186-4)A655
HMAC-SHA2-384HMAC 1796
KAS-ECC Sp800-56Ar3A2266
RSA SigVer (FIPS186-2)RSA 396
RSA SigVer (FIPS186-5)A5253
SHA2-256SHS 817
SHA2-384SHS 2399

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 3
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 3
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Astro Subscriber Motorola Advanced Crypto Engine (MACE)

Page 2
Table of Contents
#SectionPage
Page 3
List of Tables
ItemPage
Table 1 – Security Levels4
Table 2 – Cryptographic Module Tested Configuration5
Table 3 – Approved Mode Drop-in Algorithms5
Table 4 – Approved Mode Indicator7
Table 5 – Approved Algorithms7
Table 6 – Non-Approved but Allowed Cryptographic Functions9
Table 7 – Non-Approved but Allowed Cryptographic Functions with No Security Claimed9
Table 8 – Ports and Interfaces11
Table 9 – Roles, Service Commands, Input and Output12
Table 10 – Roles and Authentication13
Table 11 – Approved Services13
Table 12 – Physical Security Inspection Guidelines19
Table 13 – EFP/EFT19
Table 14 – Hardness testing temperature range19
Table 15 – SSP Management Methods21
Table 16 – SSPs Management22
Table 17 – Non-Deterministic Random Number Generation Specification24
Table 18 – Error States and Indicators25
Table 19 – Pre-Operational Self-Test25
Table 20 – Conditional Self-Tests26
Table 21 – References29
Table 22 – Acronyms and Definitions30
Figure 1: MACE Chip (Top)6
Figure 2: MACE Chip (Interfaces)6
Figure 3: Cryptographic Boundary6
Page 4
1 General

This document defines the Security Policy for the Astro Subscriber Motorola Advanced Crypto Engine (MACE)

1 General 3

2 Cryptographic Module Specification 3

3 Cryptographic Module Interfaces 3

4 Roles, Services, and Authentication 3

5 Software/Firmware Security 3

6 Operational Environment N/A

7 Physical Security 3

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 3

10 Self-Tests 3

11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks N/A

Overall 3 Motorola Solutions Public Material

Page 5
2 Cryptographic Module Specification

The MACE cryptographic module is a single chip hardware cryptographic module. The MACE is used in multiple Motorola Solutions, Inc. subscribers. The MACE cryptographic module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated overall security level 3.

2.1 Operational Environment

The MACE cryptographic module is tested on the following operational environment. Table 2

2.2 Cryptographic Boundary

The physical form of the MACE cryptographic module is depicted in Figure 1 and Figure

  1. The MACE is a single chip embodiment. The cryptographic boundary is drawn around the perimeter of the MACE IC as shown in Figure
  2. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 6

Figure 1: MACE Chip (Top) Figure 2: MACE Chip (Interfaces) The MACE IC has an SSI port, a KVL port when connected to the Motorola Key Variable Loader (KVL), SelfTest Indicator Interface, and Power Connections. Status Indicator Status KVL Port KYLD Cryptographic The MACE Boundary SSI RX 1.8V Power SSI Port SSI TX CPLD Audio OMAP CODECs Figure 3: Cryptographic Boundary

2.3 Modes of Operation

The MACE is originally non-compliant and must be configured to operate in an approved mode of operation. The MACE must be installed, initialized, and configured, including a required change of the factory-default password, in order to be in an approved mode. Documented below are the additional configuration settings that are required for the MACE to be used in an Approved Mode of operation at overall security level

  1. At any given time, the module status service can be used to determine whether the MACE is operating at overall security level
  2. There is no non-approved mode. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 7

Table 4

2.3.1 Configuration of the Approved Mode of Operation

In order to configure the MACE into an approved mode, the Module configuration service must be used to ensure the following parameters are disabled.

  1. Motorola Data Communication Over The Air Rekeying (MDC OTAR)
  2. Key Loss Key (KLK) generation
  3. Red Keyloading
  4. Infinite UKEK Retention The operator shall configure the periodic self-tests timer as part of the Module configuration, refer to Section 11 for further details. Additionally, the MACE supports “drop-in algorithms” via the program update service. Drop-in algorithms may be added or removed from the MACE independent of the base FW. In order to remain in the Approved mode, only Approved and Allowed algorithms are loaded into the MACE during initialization; in particular AES-256 (Cert #A2261 and #A2262). The loading and unloading of any firmware within the validated cryptographic module invalidates the Module’s validation and zeroizes all SSPs except those entered at manufacturing. The Module is then in a non-compliant state.
2.4 Security Functions

The MACE implements the Approved Mode and Non-Approved but Allowed cryptographic functions listed in the tables below. Note: The brackets [] reference the corresponding documents that can be found in the References section - Table 21 Table 5

Page 8

Description / Key Size(s) / Cert # Algorithm Mode Use/Functions Key Strength(s) ECB [38A] Key Sizes: 256 Encrypt, Decrypt CBC [38A] Key Sizes: 256 Encrypt, Decrypt A2262 AES [197] OFB [38A] Key Sizes: 256 Encrypt, Decrypt GCM [38D] 1 Key Sizes: 256 Encrypt, Decrypt Authenticated Encrypt, Decrypt for A2263 AES [197] KW [38F] Forward Key Sizes: 256 storing SSPs A2264 AES [197] KW [38F] Forward Key Sizes: 256 Authenticated Decrypt for KTS [133] Sections 4 and 5.2 Asymmetric key establishment key generation using unmodified DRBG output VA CKG [IG D.H] [133] Section 4 and Section 6.1 Direct symmetric Key Generation key generation using unmodified DRBG output [133] Section 6.3 Symmetric Keys Produced by Combining (Multiple) Keys and Other Data CTR with derivation A2265 DRBG [90A] AES-256 Deterministic Random Bit Generation 2 function A655 ECDSA [186-4] P-384 (SHA2-384) Key Generation HMAC Key Sizes: 32 bytes HMAC [198] SHA2-384 Message Authentication

1796 λ = 48 bytes

ECC (Initiator, Key Agreement Scheme KAS-ECC Responder), KPG, P-384 A2266 Key establishment methodology [56Ar3] Partial, oneStepKdf SHA2-384 (SP800-56Cr1) provides 192 bits of encryption strength Decrypt OTAR Key blocks encrypted with AES256 keys. A2264 KTS [38F] KW AES KW Cert. #A2264 Key establishment methodology provides 256 bits strength A5253 RSA [186-5] PKCS1_v1.5 2048 SigVer RSA 396 RSA [186-2] 3 PKCS1_v1.5 2048 SigVer Message Digest Generation, Password SHS 817 SHS [180] SHA2-256 Obfuscation SHS 2399 SHS [180] SHA2-384 Message Digest Generation Per IG C.H Scenario 2, the MACE generates GCM IVs randomly as specified in SP800-38D section 8.2.2 using approved DRBG (Cert #A2265) and the IV length is 96 bits. The entropy for seeding the SP 800-90A DRBG is determined by the operator of the MACE which is outside of the module’s physical and logical boundary. The operator shall use entropy sources that meet the security strength required for the random number generation mechanism as shown in [SP 800-90A] Table 3 (CTR_DRBG) and set required bits into the module by using Load Entropy service listed in Section 4.3. Since entropy is loaded passively into the module, there is no assurance of the minimum strength of generated keys. The MACE will not operate in an approved mode if the module is not seeded by the external entropy. RSA SigVer [FIPS 186-2] is approved for legacy use only: verifying signatures that were performed starting September 1, 2020 and onwards is a not a FIPS 140-3 compliant use of this algorithm/service and cannot claim security. Verifying signatures generated before September 1, 2020 is the approved legacy use of RSA SigVer [FIPS 186-2]. Motorola Solutions Public Material

Page 9

Table 6

2.5 Overall Security Design
  1. The MACE provides two distinct operator roles: User and Cryptographic Officer.
  2. The MACE provides identity-based authentication.
  3. The MACE clears previous authentications on power cycle.
  4. An operator does not have access to any cryptographic services prior to assuming an authorized role.
  5. The MACE allows the operator to initiate power-up self-tests by power cycling power or resetting the MACE.
  6. Power up self-tests do not require any operator action.
  7. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the MACE.
  9. There are no restrictions on which keys or SSPs are zeroized by the zeroization service.
  10. The MACE does not support concurrent operators.
  11. The MACE does not support a maintenance interface or role.
  12. The MACE does not support manual SSP establishment method.
  13. The MACE does not have any proprietary external input/output devices used for entry/output of data.
  14. The MACE does not enter or output plaintext CSPs.
  15. The MACE does not output intermediate key values.
  16. The MACE does not provide bypass services on ports/interfaces. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 10
2.6 Rules of Operation

The MACE shall be installed in the Motorola Solutions subscriber products. After authentication with the default password, the operator shall change the default password for the User role. The MACE is not usable until the factory default password is changed for the User role. Note that this makes it very important that physical access to the MACE is strictly controlled. The MACE shall be operated such that only approved Drop-in algorithms listed in the Table 3 are installed including section 11 secure installation, initialization, startup and operation of the MACE. Motorola Solutions Public Material

Page 11
3 Cryptographic Module Interfaces

The MACE’s ports and associated FIPS defined logical interface categories are listed in Table 8. Table 8

Page 12
4 Roles, Services and Authentication
4.1 Assumption of Roles and Related Services

The MACE supports two distinct operator roles, User and Cryptographic Officer (CO). Table 9 lists all operator roles supported by the MACE and their related services. In addition, the MACE supports services which does not require to be authenticated, listed UA in Table 9. The MACE does not support a maintenance role and/or bypass capability. Table 9

Page 13
4.2 Authentication Methods

The MACE supports one distinct operator role (Crypto-Officer). The MACE uses a 10-digit password to authenticate the Crypto-Officer. The module ensures that there is no visible display of the authentication data. Table 10

4.3 Services

All services implemented by the MACE are listed in Table

  1. The MACE does not allow any non-approved service while operating in FIPS 140-3 level 3 mode and indicated use is based on the Module being in Approved mode per Table
  2. The SSPs modes of access shown in Table 11 are defined as: • G = Generate: The MACE generates or derives the SSP. • R = Read: The SSP is read from the MACE (e.g., the SSP is output). • W = Write: The SSP is updated, imported, or written to the MACE. • E = Execute: The MACE uses the SSP in performing a cryptographic operation. • Z = Zeroize: The MACE zeroizes the SSP Table 11 – Approved Services Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights FW-LD-Pub Z IDK-ROM E Update the MACE firmware. Firmware upgrades are IDK-Block EZ authenticated using a digital IDK Z signature. The Program Program RSA [186-5], Cert. Approved Update Public Signature Key BKK UA Z Update #A5253 Mode is used to validate the UKKPK Z signature of the firmware image being loaded before PEK Z it is allowed to be executed. KPK Z KEK Z Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 14

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights TEK Z Password Z PWD Hash Z PKPK Z DH-Priv Z DH-Pub Z DH-SS Z DH-CLI-Pub Z DRBG- WE AES Key Unwrap, AES EI/Seed Load entropy into the Certs. #A2261 or Approved Load Entropy CO MACE. #A2262, DRBG Cert. DRBG-State G Mode #2265 BKK E CKG, BKK E AES Cert. #A2260. Import keys Imports keys to the MACE KPK E AES Key Unwrap, Approved over KYLD via a Key Variable Loader CO (KTS), AES Cert. Mode interface (KVL) encrypted KEK W #A2261, #A2262. AES Cert. #2264 TEK W KPK E KW [38F], Cert. KEK WEZ Privileged Import, modify and query Approved #A2264. CO APCO OTAR the keys. TEK WEZ Mode AES Certs. #A2261 or #A2262. Modify the currently active keyset used for selecting Change Active Approved keys for N/A N/A CO N/A Keyset Mode encryption/decryption services. UKKPK E PEK E Modify the current CKG, AES-256, Cert. KPK GEZ Change password used to identify #A2260. Approved KEK CO Z Password and authenticate the User Mode role. SHS [180], Cert. #817 TEK Z Password GEZ PWD Hash GEZ CKG, IDK-ROM CO EZ Motorola Solutions Public Material

Page 15

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights AES [197] CBC Cert. IDK-Block EZ #A2261 or #A2262 Symmetric Key Generates the symmetric IDK GZ Approved AES CFB-8 Cert. Generation keys Mode #A2260, DRBG Cert. KPK GZ #A2265 AES [197], Cert. Encrypt digital voice or #A2261 or #A2262 Approved Encrypt TEK CO E data. Mode DRBG Cert. #2265 Decrypt digital voice or AES [197], Cert. Approved Decrypt TEK CO E data. #A2261 or #A2262 Mode Zeroize selected key KEK Z Approved Zeroize Keys N/A CO variables from the MACE. TEK Z Mode Key/Keyset Obtain status information Approved N/A N/A CO N/A Check about a specific key/keyset. Mode Generate Generate HMAC-SHA2-384 HMAC [198], Cert. Approved TEK CO E Signature signature. #1796 Mode KEK W PKPK GE CKG, Perform a key agreement DH-Priv GE Key DRBG Cert. #2265 process to create an ECDH Approved Agreement KAS-ECC [56Ar3], DH-Pub CO GRE Shared Secret, and ECDH Mode Process Cert. #A2266, ECDSA Public and Private Keys. DH-SS GE Cert. #A655 DH-CLI-Pub WE DRBG-State GE UKKPK E KPK GZ KEK Z Zeroize the KPK and all keys and CSPs in the key TEK Z Zeroize all database and causes a new Approved keys and N/A Password CO Z KPK to be generated. Mode password Resets the password to the PWD Hash Z factory default. PKPK Z DH-Priv Z DH-Pub Z Provide module version, Approved Module Status firmware version, FIPS N/A N/A UA N/A Mode status Motorola Solutions Public Material

Page 16

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights Perform module self-tests comprised of cryptographic algorithm tests, firmware integrity test, and critical Approved Self-Tests N/A FW-LD-Pub UA E functions test. Initiated by Mode module reset or transition from power off state to power on state. UKKPK E PEK E Validate the current AES-256, Cert. KPK GEZ Validate password used to identify #A2260. Approved KEK UA Z Password and authenticate the User Mode role. SHS [180], Cert. #817 TEK Z Password Z PWD Hash Z Extract Error Provide the history of error Approved N/A N/A UA N/A Log events. Mode Clear Error Log Clears the history of error Approved N/A N/A UA N/A events. Mode DRBG- Z EI/Seed Reset/power cycle the DRBG-State Z Approved Reset N/A UA MACE. Mode DH-SS Z DH-CLI-Pub Z KPK GEZ KEK Z Download configuration Module Approved parameters used to specify N/A TEK UA Z Configuration Mode module behavior. Password WZ PWD Hash Z Note: The module does not implement any Non-Approved Services and only provides an Approved mode of operation. Motorola Solutions Public Material

Page 17
5 Firmware Security

The MACE is composed of base firmware version identified in Table

  1. On top of that customer shall load at least one of the Drop-in algorithms listed in Table
  2. The firmware components are protected with the approved firmware integrity technique described in Table
  3. The Module includes a firmware verification and load service to support necessary updates for the base firmware. The operator can initiate the firmware integrity test on demand by power cycling the MACE. The Module is composed of the following firmware component(s): • non-modifiable operating system - binary Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 18
6 Operational Environment

The MACE has a non-modifiable operational environment under the FIPS 140-3 definitions with a Physical Security at Level 3 therefore this section in not applicable. Motorola Solutions Public Material

Page 19
7 Physical Security

The MACE is a production grade, single-chip cryptographic module as defined by FIPS 140-3 and is designed to meet level 3 physical security requirements. The information below is applicable to cryptographic module hardware kit numbers 5185912Y03, 5185912Y05, and 5185912T05, which have identical physical security characteristics. The MACE is covered with a hard-opaque epoxy coating that provides evidence of attempts to tamper with the MACE. The security provided from the hardness of the MACE's epoxy encapsulate is claimed at ambient temperature (-40 to 85 degrees Celsius) only. No assurance of the epoxy hardness is claimed for this physical security mechanism outside of this range. The MACE does not contain any doors, removable covers, or ventilation holes or slits. No maintenance access interface is available. No special procedures are required to maintain physical security of the MACE while delivering to operators. There are two (2) voltage powers that power the MACE. VDDCORE voltage powers all MACE chip functions while VDDBU voltage powers the MACE chip battery. VDDCORE and VDDBU voltages enter the cryptographic boundary of the module separately; and therefore, were tested separately to verify that they both cause the MACE chip to zeroize SSPs Table 12

1.350 VVDBU

High Voltage 2.034V VDDCORE: A tamper flag is raised, a wake-up reset Shutdown 2.292V - VVDBU of the product is triggered. Table 14

Page 20
8 Non-Invasive Security

The MACE does not implement any mitigation method against non-invasive attack. Motorola Solutions Public Material

Page 21
9 Sensitive Security Parameter (SSP) Management

The SSPs access methods are described in Table 15 below: Table 15

Page 22
9.1 Sensitive Security Parameters (SSP)

All SSPs (CSPs and PSPs) used by the MACE are described in this section. All usage of these CSPs by the MACE is described in the services detailed in 4.3. Table 16

256 G2 N/A N/A S1 Z2 Key (AES 256) and

State #A2265 derived from DRBGEI/Seed A 256-bit AES CBC key used in the reAES CBC Cert. construction of IDK per IDK ROM 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 SP800-133r2 (Section #A2262

6.3 #2) via XOR using

IDK Block A 256-bit AES CBC key used in the reAES CBC Cert. construction of IDK per IDK Block 256 #A2261 or G1 E1 N/A S1, S2 Z1, Z2 SP800-133r2 (Section #A2262

6.3 #2) via XOR using

IDK ROM A 256-bit AES CBC key AES CBC Cert. used to decrypt IDK 256 #A2261 or G6 N/A N/A S1 Z2 downloaded firmware #A2262 images. A 256-bit AES key used AES ECB/OFB for decrypting Load BKK 256 Cert. #A2261, G1 N/A N/A S1, S2 Z1, Z2 entropy (ECB) and #A2262 TEK/KEK (OFB) into the MACE. AES CBC Cert. 256-bit AES Key used UKKPK 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 for encrypting the KPK #A2262 in flash. AES CBC Cert. 256-bit AES CFB-8 key PEK 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 used for decrypting #A2262 passwords. Motorola Solutions Public Material

Page 23

Key/SSP Security Strength Genera- Import Establish- ZeroizaName/ Function / Storage Use / Related SSPs (in bits) tion /Export ment tion Type Cert. # 256-bit AES CFB-8 key AES CFB-8 Cert. Z1, Z2, Z3, used to encrypt all KPK 256 #A2260, DRBG G4 N/A N/A S1, S3 Z4, Z5, Z6, TEKs and KEKs stored Cert. #A2265 Z7 in flash. AES KW Cert. 256-bit AES Keys used Z1, Z2, Z3, #A2264, AES E3, E5, for decrypting key KEK 256 N/A N/A S1, S3 Z4, Z5, Z6, OFB Cert. E6 blocks in the OTAR Z7, Z8, Z9 #A2260 service. AES KW Cert. 256-bit AES key used Z1, Z2, Z3, #A2264 AES for voice and data TEK 256 N/A E3, E5 N/A S1, S3 Z4, Z5, Z6, OFB Cert. decryption. Z7, Z8, Z9 #A2260 10-digit hexadecimal AES CFB-8 Cert. Z1, Z2, Z4, number user Password N/A N/A E4 N/A S1 #A2260 Z5, Z6, Z7 authentication password SHS [180] Cert. 256-bit password hash PWD #817 Z1, Z2, Z4, stored in the non-

128 G1 N/A N/A S1, S2

Hash Z5, Z6, Z7 volatile memory. SHA2-256 256-bit AES KW used AES KW to store encrypted, the PKPK 256 G4 N/A N/A S1, S3 Z1, Z2, Z4 #A2263 ECDH generated private key. The Elliptic Curve Diffie-Hellman (DH) KAS #A2266, private key used for DH-Priv 192 ECDSA Cert. G3 N/A N/A S1, S3 Z1, Z2, Z4 establishing a shared #A655 secret over an insecure channel. The Elliptic DiffieHellman (DH) Shared Secret (SS) is DH-SS 192 KAS #A2266 N/A N/A G5 S1 Z2 established as a part of DH key agreement scheme. PSPs AES CBC 2048-bit RSA key used #A2261 or to validate the FW-LD- #A2262,

112 G1 N/A N/A S1, S2 Z1, Z2 signature of the

Pub RSA Cert. firmware image before #A5253 it is allowed. Motorola Solutions Public Material

Page 24

Key/SSP Security Strength Genera- Import Establish- ZeroizaName/ Function / Storage Use / Related SSPs (in bits) tion /Export ment tion Type Cert. # The Elliptic Curve (EC) Diffie-Hellman (DH) KAS Cert. public key, used for DH-Pub 192 #A2266, ECDSA G3 E6 N/A S1, S2 Z1, Z2 establishing a shared Cert. #A655 secret over an insecure channel. The Elliptic Curve (EC) Diffie-Hellman (DH) public key from the DH-CLI- KAS Cert.

192 N/A E6 N/A S1, S2 Z1, Z2 other party, used for

Pub #A2266 establishing a shared secret over an insecure channel. Table 17

Page 25
10 Self-Tests

The MACE performs self-tests to ensure the proper operation of the MACE. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. Both pre-operational and conditional self-tests are executed automatically by the Self-test service when the module is initiated by module reset or transitions from power off state to power on state. All KATs (including the integrity test) are passed before the module transitions to an operational state. While the module is executing all selftests, services are not available, and data output (via the data output interface) is inhibited until all tests are successfully completed. No operator intervention is required. Pre-operational self-tests are available on demand by power cycling the MACE. Conditional self–tests are periodically performed by the MACE as configured by the operator during module configuration as shown in Section 11.1.1. The MACE will not accept any commands when a periodic self-test is required; the commands still in the I/O buffer will be processed by the MACE at the end of periodic self-test when the I/O buffer is emptied. The MACE will reset if any self-tests fail, otherwise it will continue to operate normally. The MACE logs the most recent self-test errors to the internal flash; the operator (UA) can extract the error logs using Extract Error Log service list in section 4.3. The self-tests error states and status indicator are described in table below: Table 18

Page 26

The MACE performs the conditional self-tests listed in the table below. All KATs are performed during boot up of the module and before the module transitions to an operational state. Table 20

Page 27
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
11.1.1 Installation and Initialization

The Module is originally a non-compliant module and must be initialized to be in approved mode. There is no non-approved mode. During initialization the operator shall configure the MACE from the instructions below:

  1. Upon first access, the operator will use the default password provided by Motorola in a separate communication.
  2. The operator will then change the default password based on the requirements in Table 10 – Roles and Authentication.
  3. The operator will then configure the MACE using the Module configuration service as specified in the section 2.3.1.
  4. Finally, the operator will set the periodic self-tests timer as part of the Module configuration in every X minutes, where X is a minimum value = 1 minute and maximum value = 712,800 minutes (495 days). Note: the default minimum = 0* but must be changed to a minimum of 1. * Periodic self-tests will not perform if minimum = 0
11.1.2 Delivery

The MACE is embedded in multiple Motorola Solutions, Inc. radios (aka, subscribers). Motorola uses commercially available courier systems such as UPS, FedEx, and DHL with a tracking number and requires a signature at the end by an authorized client.

11.2 Administrator Guidance

Use radio specific user guide available on the www.motorolasolutions.com website for secure operations.

11.3 Non-Administrator Guidance

Use radio specific user guide available on the www.motorolasolutions.com website for secure operations.

11.4 Maintenance Requirements

The MACE does not require any special maintenance.

11.5 End of Life

After the end-of-life, the operator should zeroize all SSPs using the “Zeroize all keys and password” service listed in the Section 4.3 followed by shredding the MACE chip. Motorola Solutions Public Material

Page 28
12 Mitigation of Other Attacks

The MACE does not implement any mitigation method against other attacks. Motorola Solutions Public Material

Page 29
13 References and Definitions

The following standards are referred to in this Security Policy. Table 21

Page 30

Table 22

Page 31

Acronym Definition OTAR Over The Air Rekeying PEK Password Encryption Key PKPK Private Key Protection Key PWCT Pair-Wise Consistency Test PWD Hash Password Hash RSA Rivest–Shamir–Adleman SSI Synchronous Serial Interface SSP Sensitive Security Parameter TEK Traffic Encryption Key UA Unauthenticated Service UKEK Universal Key Encryption Key UKKPK Universal Key for Key Protection Key Motorola Solutions Public Material