All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 2

Certificate#4834StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorMotorola Solutions, Inc.
High review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/10/2029
CaveatWhen installed, initialized and configured as specified in Section 11 of Security Policy. No assurance of the minimum strength of generated SSPs
VendorMotorola Solutions, Inc.

Approved Algorithms (19)

AlgorithmACVP Cert
AES-CBCA2261
AES-CBCA2262
AES-CFB8A2260
AES-ECBA2261
AES-ECBA2262
AES-GCMA2262
AES-KWA2263
AES-KWA2264
AES-OFBA2260
AES-OFBA2261
AES-OFBA2262
Counter DRBGA2265
ECDSA KeyGen (FIPS186-4)A655
HMAC-SHA2-384HMAC 1796
KAS-ECC Sp800-56Ar3A2266
RSA SigVer (FIPS186-2)RSA 396
RSA SigVer (FIPS186-5)A5253
SHA2-256SHS 817
SHA2-384SHS 2399

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 2
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Astro Subscriber Motorola Advanced Crypto Engine (MACE) - Security Level 2
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Astro Subscriber Motorola Advanced Crypto Engine (MACE)

Page 2
Table of Contents
#SectionPage
Page 3
List of Tables
ItemPage
Table 1 – Security Levels4
Table 2 – Cryptographic Module Tested Configuration5
Table 3 – Approved Mode Drop-in Algorithms5
Table 4 – Approved Mode Indicator7
Table 5 – Approved Algorithms7
Table 6 – Non-Approved Algorithms Allowed in the Approved Mode of Operation9
.9
Table 8 – Ports and Interfaces10
Table 9 – Roles, Service Commands, Input and Output11
Table 10 – Roles and Authentication12
Table 11 – Approved Services12
Table 12 – Physical Security Inspection Guidelines18
Table 13 – SSP Management Methods20
Table 14 – SSPs21
Table 15 – Non-Deterministic Random Number Generation Specification23
Table 16 – Error States and Indicators24
Table 17 – Pre-Operational Self-Test24
Table 18 – Conditional Self-Tests25
Table 19 – References28
Table 20 – Acronyms and Definitions29
Figure 1: MACE Chip (Top)6
Figure 2: MACE Chip (Interfaces)6
Figure 3: Cryptographic Boundary Block Diagram6
Page 4
1 General

This document defines the Security Policy for the Astro Subscriber Motorola Advanced Crypto Engine (MACE)

1 General 2

2 Cryptographic Module Specification 2

3 Cryptographic Module Interfaces 2

4 Roles, Services, and Authentication 3

5 Software/Firmware Security 3

6 Operational Environment N/A

7 Physical Security 2

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 2

10 Self-Tests 3

11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks N/A

Overall 2 Motorola Solutions Public Material

Page 5
2 Cryptographic Module Specification

The MACE cryptographic module is a single chip hardware cryptographic module. The MACE is used in multiple Motorola Solutions, Inc. subscribers. The MACE cryptographic module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated overall Security Level 2.

2.1 Operational Environment

The MACE cryptographic module is tested on the following operational environment. Table 2

2.2 Cryptographic Boundary

The physical form of the MACE cryptographic module is depicted in Figure 1 and Figure

  1. The MACE is a single chip embodiment. The cryptographic boundary is drawn around the perimeter of the MACE IC as shown in Figure
  2. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 6

Figure 1: MACE Chip (Top) Figure 2: MACE Chip (Interfaces) The MACE IC has an SSI port, a KVL port when connected to the Motorola Key Variable Loader (KVL), SelfTest Indicator Interface, and Power Connections. Status Indicator Status KVL Port KYLD Cryptographic The MACE Boundary SSI RX 1.8V Power SSI Port SSI TX CPLD Audio OMAP CODECs Figure 3: Cryptographic Boundary Block Diagram

2.3 Modes of Operation

The MACE is originally non-compliant and must be configured to operate in an Approved Mode of operation. The MACE must be installed, initialized and configured, including a required change of the factory-default password, in order to be in an Approved Mode. Documented below are the additional configuration settings that are required for the MACE to be used in an Approved Mode of operation at overall Security Level

  1. At any given time, the Module status service can be used to determine whether the MACE is operating at overall Security Level
  2. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 7

There is no Non-approved Mode. Table 4

2.3.1 Configuration of the Approved Mode of Operation

In order to configure the MACE into an approved mode, the Module configuration service must be used to ensure Red Keyloading is enabled, and the following parameters are disabled.

  1. Motorola Data Communication Over The Air Rekeying (MDC OTAR)
  2. Key Loss Key (KLK) generation
  3. Infinite UKEK Retention The operator shall configure the periodic self-tests timer as part of the Module configuration. Please refer to Section 11 for further details. Additionally, the MACE supports “drop-in algorithms” via the program update service. Drop-in algorithms may be added or removed from the MACE independent of the base FW. In order to remain in Approved Mode, only Approved and Allowed algorithms are loaded into the MACE during initialization; in particular AES-256 (Certs #A2261 and #A2262). The loading and unloading of any firmware within the validated cryptographic module invalidates the Module and zeroizes all SSPs except those entered at manufacturing. The Module is then in a non-compliant state.
2.4 Security Functions

The MACE implements the Approved and Non-Approved but Allowed cryptographic functions listed in the tables below. Note: The brackets [] reference the corresponding documents that can be found in the References - Table Table 5

Page 8

Description / Key Size(s) / Key Cert # Algorithm Mode Use/Functions Strength(s) CBC [38A] Key Sizes: 256 Encrypt, Decrypt OFB [38A] Key Sizes: 256 Encrypt, Decrypt ECB [38A] Key Sizes: 256 Encrypt, Decrypt CBC [38A] Key Sizes: 256 Encrypt, Decrypt A2262 AES [197] OFB [38A] Key Sizes: 256 Encrypt, Decrypt GCM [38D]1 Key Sizes: 256 Encrypt, Decrypt Authenticated Encrypt, Decrypt A2263 AES [197] KW [38F] Forward. Key Sizes: 256 for storing SSPs A2264 AES [197] KW [38F] Forward. Key Sizes: 256 Authenticated Decrypt for KTS [133] Sections 4 and 5.2 Asymmetric key establishment key generation using unmodified DRBG output [133] Section 4 and Section 6.1 Direct symmetric key VA CKG [IG D.H] Key Generation generation using unmodified DRBG output [133] Section 6.3 Symmetric Keys Produced by Combining (Multiple) Keys and Other Data CTR with derivation Deterministic Random Bit A2265 DRBG [90A] AES-256 function Generation2 A655 ECDSA [186-4] P-384 (SHA2-384) Key Generation HMAC Key Sizes: 32 bytes HMAC [198] SHA2-384 Message Authentication

1796 λ = 48 bytes

KASECC (Initiator, Key Agreement Scheme KAS-ECC Responder), KPG, P-384 Key establishment methodology A2266 [56Ar3] Partial, oneStepKdf SHA2-384 provides 192 bits of encryption (SP800-56Cr1) strength Decrypt OTAR Key blocks encrypted with AES 256 bit keys. A2264 KTS [38F] KW AES KW Cert. #A2264 Key establishment methodology provides 256 bits strength A5253 RSA [186-5] PKCS1_v1.5 2048 SigVer RSA RSA [186-2]3 PKCS1_v1.5 2048 SigVer Per IG C.H Scenario 2, the MACE generates GCM IVs randomly as specified in SP800-38D section 8.2.2 using approved DRBG (Cert #A2265) and the IV length is 96 bits. The entropy for seeding the SP 800-90A DRBG is determined by the operator of the MACE which is outside of the Module’s physical and logical boundary. The operator shall use entropy sources that meet the security strength required for the random number generation mechanism as shown in [SP 800-90A] Table 3 (CTR_DRBG) and set required bits into the Module by using Load Entropy service listed in Section 4.3. Since entropy is loaded passively into the Module, there is no assurance of the minimum strength of generated keys. The MACE will not operate in an Approved Mode if the Module is not seeded by the external entropy. RSA SigVer [FIPS 186-2] is approved for legacy use only: verifying signatures that were performed starting September 1st 2020 and onwards is a not a FIPS 140-3 compliant use of this algorithm/service and cannot Motorola Solutions Public Material

Page 9

Description / Key Size(s) / Key Cert # Algorithm Mode Use/Functions Strength(s) SHS Message Digest Generation, SHS [180] SHA2-256

817 Password Obfuscation

SHS SHS [180] SHA2-384 Message Digest Generation 2399 Table 6

2.5 Overall Security Design
  1. The MACE provides two distinct operator roles: User and Cryptographic Officer.
  2. The MACE provides identity-based authentication.
  3. The MACE clears previous authentications on power cycle.
  4. An operator does not have access to any cryptographic services prior to assuming an authorized role.
  5. The MACE allows the operator to initiate power-up self-tests by power cycling power or resetting the MACE.
  6. Power up self-tests do not require any operator action.
  7. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the MACE.
  9. There are no restrictions on which keys or SSPs are zeroized by the zeroization service.
  10. The MACE does not support concurrent operators. claim security. Verifying signatures generated before September 1st 2020 is the approved legacy use of RSA SigVer [FIPS 186-2]. Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 10
  1. The MACE does not support a maintenance interface or role.
  2. The MACE does not support manual SSP establishment method.
  3. The MACE does not have any proprietary external input/output devices used for entry/output of data.
  4. The MACE does not output intermediate key values.
  5. The MACE does not provide bypass services on ports/interfaces.
2.6 Rules of Operation

The MACE shall be installed in the Motorola Solutions subscriber products. After authentication with the default password, the operator shall change the default password for the User role. The MACE is not usable until the factory default password is changed for the User role. Note that this makes it very important that physical access to the MACE is strictly controlled. The MACE shall be operated such that only approved Drop-in algorithms listed in the Table 3 are installed including Section 11 secure installation, initialization, startup and operation of the MACE.

3 Cryptographic Module Interfaces

The MACE’s ports and associated FIPS defined logical interface categories are listed in Table 8. Table 8

4 Roles, Services and Authentication
4.1 Assumption of Roles and Related Services

The MACE supports one distinct operator role, Cryptographic Officer (CO). Table 9 lists the operator role supported by the MACE and their related services. In addition, the MACE supports services which does not require to be authenticated, listed UA in Table 9. The MACE does not support a maintenance role and/or bypass capability. Motorola Solutions Public Material

Page 11

Table 9

4.2 Authentication Methods

The MACE supports one distinct operator roles (Crypto-Officer). The MACE uses a 10-digit password to authenticate the Crypto-Officer. The Module ensures that there is no visible display of the authentication data. Motorola Solutions Public Material

Page 12

Table 10

4.3 Services

All services implemented by the MACE are listed in Table 11 and indicated use is based on the Module being in Approved Mode per Table 4. The MACE does not allow any non-approved services while operating in FIPS 140-3 level 2 mode. The SSPs modes of access shown in Table 11 are defined as:

Page 13

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights DH-Pub Z DH-SS Z DH-CLI-Pub Z DRBG- WE AES Key Unwrap, EI/Seed Load entropy into the AES Certs. #A2261 Approved Load Entropy CO MACE. or #A2262, DRBG DRBG-State G Mode Cert. #2265 BKK E KPK E AES Key Unwrap Import keys Imports keys to the MACE (KTS), AES Cert. Approved over KYLD via a Key Variable Loader #A2260 KEK CO W Mode interface (KVL) in plaintext. AES Cert. #2264 TEK W KW [38F], Cert. KPK E Privileged Import, modify and query #A2264. Approved KEK CO WEZ APCO OTAR the keys. AES Certs. #A2261 Mode or #A2262. TEK WEZ Modify the currently active keyset used for Change Active Approved selecting keys for N/A N/A CO N/A Keyset Mode encryption/decryption services. UKKPK E PEK E Modify the current CKG, AES-256, Cert. KPK GEZ Change password used to identify #A2260. Approved KEK CO Z Password and authenticate the SHS [180], Cert. Mode User role. #817 TEK Z Password GEZ PWD Hash GEZ CKG, IDK-ROM EZ AES [197] CBC Cert. IDK-Block EZ Symmetric Key Generates the symmetric #A2261 or #A2262 Approved IDK CO GZ Generation keys AES CFB-8 Cert. Mode #A2260, DRBG Cert. KPK GZ #A2265 Motorola Solutions Public Material

Page 14

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights AES [197], Cert. Encrypt digital voice or #A2261 or #A2262 Approved Encrypt TEK CO E data. Mode DRBG Cert. #2265 Decrypt digital voice or AES [197], Cert. Approved Decrypt TEK CO E data. #A2261 or #A2262 Mode Zeroize selected key KEK Z Approved Zeroize Keys N/A CO variables from the MACE. TEK Z Mode Key/Keyset Obtain status information Approved Check about a specific N/A N/A CO N/A Mode key/keyset. Generate Generate HMAC-SHA2- HMAC [198], Cert. Approved TEK CO E Signature 384 signature. #1796 Mode KEK W PKPK GE Perform a key agreement CKG DH-Priv GE Key process to create an DRBG Cert. #2265, Approved Agreement ECDH Shared Secret, and KAS-ECC [56Ar3], DH-Pub CO GRE Mode Process ECDH Public and Private Cert. #A2266, DH-SS GE Keys. ECDSA Cert. #A655 DH-CLI-Pub WE DRBG-State GE UKKPK E KPK GZ KEK Z Zeroize the KPK and all keys and CSPs in the key TEK Z Zeroize all database and causes a Approved keys and N/A Password CO Z new KPK to be generated. Mode password Resets the password to PWD Hash Z the factory default. PKPK Z DH-Priv Z DH-Pub Z Module Status Provide module version, Approved firmware version, FIPS N/A N/A UA N/A Mode status Motorola Solutions Public Material

Page 15

Approved Security Keys and/or Access Service Description Roles Indicator Functions SSPs Rights Perform module self-tests comprised of cryptographic algorithm tests, firmware integrity Approved Self-Tests test, and critical functions N/A FW-LD-Pub UA E Mode test. Initiated by module reset or transition from power off state to power on state. UKKPK E PEK E Validate the current AES-256, Cert. KPK GEZ Validate password used to identify #A2260. Approved KEK UA Z Password and authenticate the SHS [180], Cert. Mode User role. #817 TEK Z Password Z PWD Hash Z Extract Error Provide the history of Approved N/A N/A UA N/A Log error events. Mode Clear Error Log Clears the history of error Approved N/A N/A UA N/A events. Mode DRBG- Z EI/Seed Reset/power cycle the DRBG-State Z Approved Reset N/A UA MACE. Mode DH-SS Z DH-CLI-Pub Z KPK GEZ KEK Z Download configuration Module Approved parameters used to N/A TEK UA Z Configuration Mode specify module behavior. Password WZ PWD Hash Z Note: The Module does not implement any Non-Approved Services and only provides an Approved Mode of operation. Motorola Solutions Public Material

Page 16
5 Firmware Security

The MACE is composed of base firmware version identified in Table

  1. In addition, the customer shall load at least one of the Drop-in algorithms listed in Table
  2. The firmware components are protected with the approved firmware integrity technique described in Table
  3. The Module includes a firmware verification and load service to support necessary updates for the base firmware. The operator can initiate the firmware integrity test on demand by power cycling the MACE. The Module is composed of the following firmware component(s): • non-modifiable operating system - binary Motorola Solutions Public Material – May be reproduced only in its original entirety (without revision).
Page 17
6 Operational Environment

The MACE has a limited operational environment under the FIPS 140-3 definitions with a Physical Security at Level 2 therefore this section in not applicable. Motorola Solutions Public Material

Page 18
7 Physical Security

The MACE is a production grade, single-chip cryptographic module as defined by FIPS 140-3 and is designed to meet Level 2 physical security requirements. The information below is applicable to cryptographic module hardware kit numbers 5185912Y03, 5185912Y05, and 5185912T05, which have identical physical security characteristics. The MACE is covered with a hard-opaque epoxy coating that provides evidence of attempts to tamper with the MACE. The security provided from the hardness of the MACE's epoxy encapsulate is claimed at ambient temperature (20 to 25 degrees Celsius) only. No assurance of the epoxy hardness is claimed for this physical security mechanism outside of this range. The MACE does not contain any doors, removable covers, or ventilation holes or slits. No maintenance access interface is available. No special procedures are required to maintain physical security of the MACE while delivering to operators. Table 12

Page 19
8 Non-Invasive Security

The MACE does not implement any mitigation method against non-invasive attack. Motorola Solutions Public Material

Page 20
9 Sensitive Security Parameter (SSP) Management

The SSPs access methods are described in Table 13 below: Table 13

Page 21
9.1 Sensitive Security Parameters (SSP)

All SSPs (CSPs and PSPs) used by the MACE are described in this section. All usage of these CSPs by the MACE is described in the services detailed in 4.3. Table 14

256 G2 N/A N/A S1 Z2 Key (AES 256) and

State #A2265 derived from DRBGEI/Seed A 256-bit AES CBC key used in the reAES CBC Cert. construction of IDK per IDK ROM 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 SP800-133r2 (Section #A2262

6.3 #2) via XOR using

IDK Block A 256-bit AES CBC key used in the reAES CBC Cert. construction of IDK per IDK Block 256 #A2261 or G1 E1 N/A S1, S2 Z1, Z2 SP800-133r2 (Section #A2262

6.3 #2) via XOR using

IDK ROM A 256-bit AES CBC key AES CBC Cert. used to decrypt IDK 256 #A2261 or G6 N/A N/A S1 Z2 downloaded firmware #A2262 images. A 256 bit AES key used AES ECB Cert. for decrypting Load BKK 256 #A2261, G1 N/A N/A S1, S2 Z1, Z2 entropy into the #A2262 MACE. AES CBC Cert. 256 bit AES Key used UKKPK 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 for encrypting the KPK #A2262 in flash. AES CBC Cert. 256-bit AES CFB-8 key PEK 256 #A2261 or G1 N/A N/A S1, S2 Z1, Z2 used for decrypting #A2262 passwords. Motorola Solutions Public Material

Page 22

Key/SSP Security Strength Genera- Import Establish- ZeroizaName/ Function / Storage Use / Related SSPs (in bits) tion /Export ment tion Type Cert. #

256 bit AES CFB-8 key

AES CFB-8 Cert. Z1, Z2, Z3, used to encrypt all KPK 256 #A2260, DRBG G4 N/A N/A S1, S3 Z4, Z5, Z6, TEKs and KEKs stored Cert. #A2265 Z7 in flash. AES KW Cert. 256-bit AES Keys used Z1, Z2, Z3, #A2264, AES E4, E5, for decrypting key KEK 256 N/A N/A S1, S3 Z4, Z5, Z6, OFB Cert. E6 blocks in the OTAR Z7, Z8, Z9 #A2260 service. AES KW Cert. 256-bit AES key used Z1, Z2, Z3, #A2264 AES for voice and data TEK 256 N/A E4, E5 N/A S1, S3 Z4, Z5, Z6, OFB Cert. decryption. Z7, Z8, Z9 #A2260 10-digit hexadecimal AES CFB-8 Cert. Z1, Z2, Z4, number user Password N/A N/A E3 N/A S1 #A2260 Z5, Z6, Z7 authentication password SHS [180] Cert. 256-bit password hash PWD #817 Z1, Z2, Z4, stored in the non-

128 G1 N/A N/A S1, S2

Hash Z5, Z6, Z7 volatile memory. SHA2-256 256-bit AES KW used AES KW to store encrypted, the PKPK 256 G4 N/A N/A S1, S3 Z1, Z2, Z4 #A2263 ECDH generated private key. The Elliptic Curve Diffie-Hellman (DH) KAS #A2266, private key used for DH-Priv 192 ECDSA Cert. G3 N/A N/A S1, S3 Z1, Z2, Z4 establishing a shared #A655 secret over an insecure channel. The Elliptic DiffieHellman (DH) Shared Secret (SS) is DH-SS 192 KAS #A2266 N/A N/A G5 S1 Z2 established as a part of DH key agreement scheme. PSPs AES CBC 2048-bit RSA key used #A2261 or to validate the FW-LD- #A2262,

112 G1 N/A N/A S1, S2 Z1, Z2 signature of the

Pub RSA Cert. firmware image before #A5253 it is allowed. Motorola Solutions Public Material

Page 23

Key/SSP Security Strength Genera- Import Establish- ZeroizaName/ Function / Storage Use / Related SSPs (in bits) tion /Export ment tion Type Cert. # The Elliptic Curve (EC) Diffie-Hellman (DH) KAS Cert. public key, used for DH-Pub 192 #A2266, ECDSA G3 E6 N/A S1, S2 Z1, Z2 establishing a shared Cert. #A655 secret over an insecure channel. The Elliptic Curve (EC) Diffie-Hellman (DH) public key from the DH-CLI- KAS Cert.

192 N/A E6 N/A S1, S2 Z1, Z2 other party, used for

Pub #A2266 establishing a shared secret over an insecure channel. Table 15

Page 24
10 Self-Tests

The MACE performs self-tests to ensure the proper operation of the MACE. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. Pre-operational self-tests are available on demand by power cycling the MACE. Conditional self–tests are periodically performed by the MACE as configured by the operator during module configuration as shown in Section 11.1.1. The MACE will not accept any commands when a periodic self-test is required; the commands still in the I/O buffer will be processed by the MACE at the end of periodic self-test when the I/O buffer is emptied. The MACE will reset if any self-tests fail, otherwise it will continue to operate normally. The MACE logs the most recent self-test errors to the internal flash; the operator (UA) can extract the error logs using Extract Error Log service list in section 4.3. The self-tests error states and status indicator are described in table below: Table 16

Page 25

Table 18

2048 SHA2-256 and RSA-2048 (FIPS 186-5). The digital signature is verified ES2

(Cert. #A5253) SigVer upon download into the MACE. HMAC KAT HMAC-SHA2-384 KAT. ES1 (Cert. #1796) KAS-ECC Per IG D.F, separately tested KAS Shared Secret generation with P-384 KAT ES1 (Cert. #2266) and SP 800-56Cr2 one-step KDA RSA SigVer RSA-2048 SigVer, performed before FW integrity tests. Inclusive for KAT ES2 (Cert. #A5253) 186-2 (Cert. #396) SHS 256-bit KAT SHA2-256 KAT, performed before FW integrity tests. ES2 (Cert. #817) SHS 384-bit KAT SHA2-384 KAT ES1 (Cert. #2399) Motorola Solutions Public Material

Page 26
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
11.1.1 Installation and Initialization

The Module is originally a non-compliant module and must be initialized to be in Approved Mode. There is no Non-approved Mode. During initialization the operator shall configure the MACE from the instructions below:

  1. Upon first access, the operator will use the default password provided by Motorola in a separate communication.
  2. The operator will then change the default password based on the requirements in Table 10 – Roles and Authentication
  3. The operator will then configure the MACE using the Module configuration service as specified in the section 2.3.1.
  4. Finally, the operator will set the periodic self-tests timer as part of the Module configuration in every X minutes, where X is a minimum value = 1 minute and maximum value = 712,800 minutes (495 days). Note: the default minimum = 0* but must be changed to a minimum of 1. * periodic self-tests will not perform if minimum = 0
11.1.2 Delivery

The MACE is embedded in multiple Motorola Solutions, Inc. radios (aka, subscribers). Motorola uses commercially available courier systems such as UPS, FedEx, and DHL with a tracking number and requires a signature at the end by an authorized client.

11.2 Administrator Guidance

Use radio specific user guide available on the www.motorolasolutions.com website for secure operations.

11.3 Non-Administrator Guidance

Use radio specific user guide available on the www.motorolasolutions.com website for secure operations.

11.4 Maintenance Requirements

The MACE does not require any special maintenance.

11.5 End of Life

After the end-of-life, the operator should zeroize all SSPs using the “Zeroize all keys and password“ service listed in the Section 4.3 followed by shredding the MACE chip. Motorola Solutions Public Material

Page 27
12 Mitigation of Other Attacks

The MACE does not implement any mitigation method against other attacks. Motorola Solutions Public Material

Page 28
13 References and Definitions

The following standards are referred to in this Security Policy. Table 19

Page 29

Abbreviation Full Specification Name Project 25

Page 30

Acronym Definition OTAR Over The Air Rekeying PEK Password Encryption Key PKPK Private Key Protection Key PWCT Pair-Wise Consistency Test PWD Hash Password Hash RSA Rivest–Shamir–Adleman SSI Synchronous Serial Interface SSP Sensitive Security Parameter TEK Traffic Encryption Key UA Unauthenticated Service UKEK Universal Key Encryption Key UKKPK Universal Key for Key Protection Key Motorola Solutions Public Material