| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 10/22/2029 |
| Entropy | ENT (NP) |
| Caveat | When installed, initialized and configured as specified in Section 11 of the Security Policy. |
| Vendor | Quantum Xchange |
| Hardware versions | PhioTX, PhioTX-Q |
| Product page | https://quantumxc.com/phio-tx/ |
|---|---|
| Support page | https://quantumxc.com/product-information/ partial support |
| Documentation | https://quantumxc.com/product-information/ |
| https://quantumxc.com/resource-hub/ | |
| Assessment | Public product-information page with datasheets, a product guide, and white papers; deployment/admin documentation and demos are gated behind a request form. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2983 |
| AES-ECB | A2983 |
| AES-GCM | A2983 |
| Counter DRBG | A2983 |
| DSA KeyGen (FIPS186-4) | A2983 |
| ECDSA KeyGen (FIPS186-4) | A2983 |
| ECDSA SigGen (FIPS186-4) | A2983 |
| ECDSA SigVer (FIPS186-4) | A2983 |
| HMAC-SHA-1 | A2983 |
| HMAC-SHA2-256 | A2983 |
| HMAC-SHA2-384 | A2983 |
| KAS-ECC-SSC Sp800-56Ar3 | A2983 |
| KAS-FFC-SSC Sp800-56Ar3 | A2983 |
| KDF SSH | A2983 |
| RSA SigGen (FIPS186-4) | A2983 |
| RSA SigVer (FIPS186-4) | A2983 |
| SHA-1 | A2983 |
| SHA2-256 | A2983 |
| TLS v1.2 KDF RFC7627 | A2983 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 2 |
| Roles, Services, and Authentication | 2 |
| Software/Firmware Security | 2 |
| Operational Environment | N/A |
| Physical Security | 2 |
| Non-Invasive Security | N/A |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Quantum Xchange Phio TX
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>3.2.3</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>CLI: User management.</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CLI: Run CASTs.</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial console (qty. 1): RJ-45 connector.<br/>USB (qty. 2): USB 3.0 ports.</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C4,C5,C6 clue;
class I1,I2,I3,I4,I5,I6 infer;
class R1,R2,R3,R4,R5,R6 risk;
class E1,E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Quantum Xchange Phio TX
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>3.2.3</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>CLI: User management.</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>CLI: Run CASTs.</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial console (qty. 1): RJ-45 connector.<br/>USB (qty. 2): USB 3.0 ports.</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3,C4 clueHigh;
class C5,C6 clueLow;Phio TX Document Version 1.7 October 16, 2024 Prepared for: Prepared by: Quantum Xchange
Bethesda, MD 20814 info@quantumxc.com KeyPair Consulting Inc.
San Luis Obispo, CA 93401 keypair.us +1 805.316.5024
Quantum Xchange Phio TX FIPS 140-3 Security Policy Table of Contents List of Tables List of Figures
| Name | ISO Section | Requirement | Level | General | 2 | |
|---|---|---|---|---|---|---|
| 3 | 3 | Cryptographic Module Interfaces | 2 | |||
| 4 | Roles, Services, and Authentication | 2 | 4 | |||
| 5 | 5 | Software/Firmware Security | 2 | |||
| 6 | Operational Environment | N/A | 6 | |||
| 7 | 7 | Physical Security | 2 | |||
| 8 | Non-Invasive Security | N/A | 8 | |||
| 9 | 9 | Sensitive Security Parameters Management | 2 | |||
| 10 | Self-tests | 2 | 10 | |||
| 11 | 11 | Life-cycle Assurance | 2 | |||
| 12 | Mitigation of Other Attacks | N/A | 12 |
| Name | Model | Hardware Version | Firmware Version | Features |
|---|---|---|---|---|
| Phio TX-Q | Phio TX-Q | F109158-Q | 3.2.3 | With QRNG hardware option. |
Quantum Xchange This document defines the Security Policy for the Quantum Xchange Phio TX, hereafter denoted the Module. The Module is a of type hardware, with a multi-chip standalone embodiment and is validated to FIPS 140-3 overall Level
Table 1: Security Levels [Number Below] N/A N/A N/A The Phio TX has a multi-chip standalone embodiment in [FIPS140-3] terminology. The Phio TX provides network and secure communications functionality to facilitate propagation of keys between Phio TX nodes and endpoint clients in a Phio Hive (a dynamic peer network). The tested configurations are specified in Table 2 below. Table 2: Cryptographic Module Tested Configuration [Part Number and Version] 3.2.3 3.2.3 The optional QRNG is a quantum entropy source, with output used as additional entropy input that is not credited in the DRBG seeding strength rationale. As the QRNG is an optional feature, the Phio TX does not rely on it for assurance of key generation security strength in the [FIPS140-3] process. See the SSP section below for additional information.
Quantum Xchange 2.1 Phio TX FIPS 140-3 Security Policy Cryptographic Boundary The physical form of the Module is depicted below. The cryptographic boundary is the metal chassis shown in Figure 1 and Figure 2; as such the Phio TX is validated as a hardware module in [FIPS140-3] terms. The figures represent both hardware versions listed in Table 2. Figure 1: Module Cryptographic Boundary
Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module logical functionality (outlined in red) is shown below. All Module firmware is contained within the boundary. Figure 5: Module High Level Block Diagram The following hardware/firmware components are excluded from the cryptographic boundary and thus the FIPS 140-3 requirements: - TPM (use is optional): used to measure and track Module configuration. - Whole disk encryption (use is optional): not security relevant, similar to [FIPS 140-3_IG] 2.4.A Scenario 2. - PQC (use is optional): used for redundant communications channel obfuscation. - QRNG (hardware option): used for redundant entropy input. - Password hash: not security relevant, similar to [FIPS 140-3_IG] 2.4.A Scenario
Quantum Xchange 5. 6. 7. 8. 9. Phio TX FIPS 140-3 Security Policy The Module does not output plaintext CSPs or intermediate key values. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module. The Module can use only algorithms that have passed self-tests. The Module prohibits changing to the Crypto Officer state from any other role other than the Crypto Officer. The Module does not support multiple concurrent operators (over the serial console), a maintenance role, or a bypass capability. The Module design corresponds to the Module security rules. Initialization and installation requirements of the Module have been specified in Section 11 of this document. AES GCM is used to support TLS and SSH secure communications and adheres to the [FIPS140-3_IG] C.H Resolution 1a TLS
AES-GCM IVs shall be used in compliance with [FIPS140-3_IG] C.H scenario 1a (TLS/DTLS 1.2, per [RFC5288]) and 1d (SSHv2, per [RFC5647]). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The Module’s implementation of AES-GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; Per [FIPS1403_IG] D.C, no parts of these protocols, other than the approved cryptographic algorithms and KDF, have been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no re-connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. Connections are monitored, with a maximum lifetime of two hours or a maximum transaction count that is established to be less than the number of transactions prior to IV “rollover”.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | CAVP Cert.1 | ||||
|---|---|---|---|---|---|---|---|---|---|
| AES-CBC | A2983 | AES-CBC. | AES-128 (s = 128), | A2983 | Encryption and decryption. | ||||
| [FIPS197], | AES-192 (s = 192), | CBC: TLS, SSH ciphers. | |||||||
| [SP800-38A] | AES-256 (s = 256). | ||||||||
| A2983 | A2983 | AES-ECB. | AES primitive used by CBC and CTR_DRBG. | AES-ECB [FIPS197], [SP800-38A] | AES-128 (s = 128), AES-192 (s = 192), AES-256 (s = 256). | ||||
| AES-GCM | A2983 | AES-GCM. | AES-128 (s = 128), | Authenticated encryption and decryption. | |||||
| [SP800-38D] | AES-256 (s = 256). | TLS, SSH cipher options. | |||||||
| Vendor Affirmed | Vendor Affirmed | §4, §5.2, §6.2.1: Unmodified DRBG output. | Asymmetric, symmetric key generation per [FIPS140-3_IG] D.H. | CKG [SP800-133r2] | N/A. | ||||
| A2983 | A2983 | Random numbers used in key, IV and nonce generation. | Counter DRBG [SP800-90Ar1] | AES-256 (s = 256). | AES CTR_DRBG: | ||||
| A2983 | A2983 | FFC key generation. | TLS DH/DHE key exchange. | DSA KeyGen [FIPS186-4] | L=2048, N=256 (s = 112); L=3072, N=256 (s = 128). See Note 4 and Note 6. | ||||
| A2983 | A2983 | ECC key generation. | P-256 (s ~= 128), | TLS, SSH key exchange and authentication. | ECDSA KeyGen [FIPS186-4] | ||||
| A2983 | A2983 | ECDSA signature generation (tested with SHA2-256, SHA2-384). | TLS, SSH authentication. Certificate signing. | ECDSA SigGen [FIPS186-4] | P-256 (s ~= 128), P-384 (s ~= 192). See Note 2. | ||||
| A2983 | A2983 | ECDSA signature verification (tested with SHA2-256, SHA2-384). | P-256 (s ~= 128), | TLS, SSH authentication. Certificate verification. | ECDSA SigVer [FIPS186-4] | ||||
| N/A | N/A | Entropy source. | Used only to seed the approved DRBG. | ENT (NP) [SP800-90B] | 256 bits. | ||||
| HMAC-SHA-1 | A2983 | TLS message integrity. | SHA-1 (s = 160). | HMAC generation, verification with | |||||
| [FIPS198-1] | SHA-1. | ||||||||
| A2983 | A2983 | HMAC generation, verification with the listed SHA2 modes. | SSH, TLS message integrity. Firmware integrity. | HMAC-SHA2 [FIPS198-1] | SHA2-256 (s = 256), SHA2-384 (s = 384). | ||||
| A2983 | A2983 | Scheme: Ephemeral Unified. Role: Initiator, Responder. | P-256 (s ~= 128), | TLS ECDH/ECDHE key exchange. SSH key exchange. | KAS-ECC-SSC [SP800-56Ar3] | ||||
| A2983 | A2983 | Scheme: dhEphem. Role: Initiator, Responder. [FIPS140-3_IG] D.F Scenario 2, path 2) with TLS v1.2 KDF [RFC7627] and KDF SSH, per [FIPS140-3_IG] 2.4.B. | TLS DH/DHE key exchange. | KAS-FFC-SSC [SP800-56Ar3] | FB (s = 112), ffdhe2048 (s = 112), ffdhe3072 (112 ≤ s ≤ 128). See Note 5. |
Quantum Xchange 2.3 Phio TX FIPS 140-3 Security Policy Approved and Allowed Cryptographic Functionality The Module implements the Approved cryptographic functions listed in Table 3. Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources (refer to the notes below Table 3). This table is referenced by Table 9 (SSPs). All references to the algorithm standards cited throughout this document can be found in the References section. Table 3: Approved Algorithms N/A. §4, §5.2, §6.2.1: N/A
1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the
algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | ||||
|---|---|---|---|---|---|---|---|---|
| TLS v1.2 KDF | CVL | SHA2-256 (s = 256), | TLS key derivation. | CVL A2983 | TLS v1.2 KDF [RFC7627] | TLS [RFC7627] key derivation with | SHA2-256 (s = 256), SHA2-384 (s = 384). | |
| [RFC7627] | A2983 | SHA2-384 (s = 384). | Extended Master Secret (EMS) | |||||
| CVL A2983 | SSH v2 KDF using the listed hash algorithms. | SSH key derivation. | CVL A2983 | KDF SSH [SP800-135r1] | SHA2-256 (s = 256), SHA2-384 (s = 384). | |||
| A2983 | SSH, TLS authentication. Certificate signing. | A2983 | RSA SigGen [FIPS186-4] | PSS signature generation (tested | k=2048 (s ~= 112), k=3072 (s ~= 128). See Note 4 and Note 7. | |||
| A2983 | PSS signature verification (tested with the listed moduli and the following hash algorithms: SHA2-256, SHA2-384). | SSH, TLS authentication. Certificate verification. | A2983 | RSA SigVer [FIPS186-4] | K=2048 (s ~= 112), k=3072 (s ~= 128). See Note 4 and Note 7. | |||
| SHA-1 | N/A. | Primitive used by HMAC. | A2983 | SHA-1 (s = 160). | ||||
| A2983 | SHA2 modes listed at right. | Message digest generation. Primitive used by HMAC, ECDSA, RSA and KDFs. | A2983 | SHA2 [FIPS180-4] | SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) See Note 1. | |||
| A2983 | AES-CBC, AES-GCM, HMAC-SHA2, HMAC-SHA-1. | SP 800-38D and SP 800- | TLS key establishment. | A2983 | KTS-1 | |||
| A2983 | AES-CBC, AES-GCM, HMAC-SHA2. | SSH key establishment. | A2983 | KTS-2 | SP 800-38D and SP 800- 38F. KTS (key wrapping) per IG D.G. 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength. | |||
| A2983 | Schemes: Ephemeral Unified. Roles: Initiator, Responder. KAS-ECC-SSC curves: P-256, P-384. TLS v1.2 KDF [RFC7627]. | SP 800-56Arev3. KAS-ECC | TLS key agreement. | A2983 | KAS-1 | |||
| A2983 | Schemes: Ephemeral Unified. Roles: Initiator, Responder. KAS-ECC-SSC curves: P-256, P-384. KDF SSH. | SSH key agreement. | A2983 | KAS-2 | SP 800-56Arev3. KAS-ECC per IG D.F Scenario 2 path (2) option 2. P-256 and P-384 curves providing 128 or 192 bits of encryption strength. | |||
| A2983 | TLS key agreement. | A2983 | KAS-3 | Schemes: dhEphem. | SP 800-56Arev3. KAS-FFC per IG D.F Scenario 2 path (2) option 2. |
Quantum Xchange Phio TX FIPS 140-3 Security Policy N/A.
Quantum Xchange Phio TX FIPS 140-3 Security Policy Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table
Quantum Xchange Phio TX FIPS 140-3 Security Policy
Quantum Xchange Phio TX FIPS 140-3 Security Policy
Quantum Xchange
| Name | Physical Port | Logical Interface | Data That Passes | |||
|---|---|---|---|---|---|---|
| LED (qty. 1): “PWR”. | LED (qty. 1): “PWR”. | SO. | Phio TX power status (green=on). | |||
| LCD screen (qty. 1): Basic information display. | Status output, two lines of 20 characters. | LCD screen (qty. 1): Basic information display. | SO. | |||
| Control button (qty. 4): Pushbuttons. | Control button (qty. 4): Pushbuttons. | CI. | Unused. | |||
| LED (qty. 4): Indicators (details at right). | Activity LEDs (green = OK; red = not OK). | LED (qty. 4): Indicators (details at right). | SO. | |||
| Reset button (qty. 1): Recessed paper clip reset button. | Reset button (qty. 1): Recessed paper clip reset button. | CI. | Push button reset. | |||
| Serial console (qty. 1): RJ-45 connector. | Serial console (qty. 1): RJ-45 connector. | DI, DO, CI, SO. | System console, local administration TTY. | |||
| USB (qty. 2): USB 3.0 ports. | USB (qty. 2): USB 3.0 ports. | DI, DO, CI, SO. | System update. | |||
| Ethernet (qty. 6): RJ-45 connectors (numbered 1 - 6). | Ethernet (qty. 6): RJ-45 connectors (numbered 1 - 6). | DI, DO, CI, SO. | Phio Hive and client endpoint traffic. | |||
| Ethernet activity LED (qty. 12): Activity/rate indicators on each RJ-45. | Ethernet activity LED (qty. 12): Activity/rate indicators on each RJ-45. | SO. | Left LED: activity. Right LED: connection rate. | |||
| SFP1 (qty. 1): Fiber optic networking connector. | SFP1 (qty. 1): Fiber optic networking connector. | DI, DO, CI, SO. | Phio Hive and client endpoint traffic. | |||
| SFP2 (qty. 1): Fiber optic networking connector. | SFP2 (qty. 1): Fiber optic networking connector. | DI, DO, CI, SO. | Phio Hive and client endpoint traffic. | |||
| Ground (qty. 1): Banana plug for ESD wrist strap. | Ground (qty. 1): Banana plug for ESD wrist strap. | N/A. | N/A – power. | |||
| Ground (qty. 1): Chassis ground screw. | Ground (qty. 1): Chassis ground screw. | N/A. | N/A – power (Note: left of AC power switch). | |||
| Power switch (qty. 1): AC power rocker switch. | Power switch (qty. 1): AC power rocker switch. | CI. | N/A – power. | |||
| Alarm reset (qty. 1): Power supply alarm reset. | Unused. Present only for supplies with audible | Alarm reset (qty. 1): Power supply alarm reset. | SO. | |||
| LED (qty. 2): Power indicators (on power supplies). | LED (qty. 2): Power indicators (on power supplies). | SO. | Individual power supply indicators. | |||
| Power (qty. 2): Power supply (2x) NEMA connectors. | Power (qty. 2): Power supply (2x) NEMA connectors. | N/A. | N/A – power. |
Quantum Xchange Phio TX FIPS 140-3 Security Policy Cryptographic Module Interfaces The Module supports the physical ports shown in Error! Reference source not found. and Error! Reference source not fo und. in Section 2 of this document. The ports and corresponding logical interfaces are described in Table 4. Table 4: Ports and Interfaces N/A. N/A. N/A. interfaces, and as such are marked as N/A in the logical interface and data columns.
| Name | Roles | Indicator | Input | ||||
|---|---|---|---|---|---|---|---|
| CO, A | CO, A | CLI: SSH connect. | Username, password. SSH handshake input. | Status; CLI shell prompt on success. SSH handshake output. | |||
| CLI: Miscellaneous. | CO, A | Status; CLI shell prompt on success. | Phio TX CLI command and arguments. | ||||
| CO, A | CO, A | CLI: Certificate management. | Phio TX CLI command and arguments. | Status; CLI shell prompt on success. | |||
| CLI: User management. | CO, A | Status; CLI shell prompt on success. | Phio TX CLI command and arguments. | ||||
| CO, A | CO, A | CLI: Tests. | Phio TX CLI command and arguments. | Status; CLI shell prompt on success. | |||
| CLI: Status. | CO, A | Status; module identifier & version; prompt. | tx_status command line. | ||||
| CO, A | CO, A | CLI: Run CASTs. | txfips command line. | Status; CAST results; prompt. | |||
| CLI: Run FW integrity tests. | CO, A | Status; prompt. | txscan command line. | ||||
| CO, A | CO, A | CLI: Zeroise. | tx_reset command. | Status; prompt. | |||
| CO, A | https / TLS handshake output. | https / TLS handshake input. | CO, A | Web Monitor. | |||
| Mouse and keyboard events. | Status; Web monitor page display. | Mouse and keyboard events. | |||||
| User | User | ETSI REST Services. | JSON GET/POST/PUT messages. | Status; JSON response messages. | |||
| SKIP REST Services. | User | Status; JSON response messages. | JSON GET/POST/PUT messages. | ||||
| User | User | Phio Hive REST Services. | JSON GET/POST/PUT messages. | Status; JSON response messages. | |||
| Authentication Method | Role | Within 1 minute | One time | ||||
| CO, A | CO, A | Debian login (memorized secret). | 6.6E+15 | 1.1E+08 | |||
| OpenSSL client authentication (based on ECDSA P-384 SHA2-384 signature | CO, A | 6.3E+57 | 1.0E+50 | ||||
| User | User | JSON Web Token authentication (based on RSA 2048). | 5.2E+33 | 8.7E+25 |
Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module supports three roles using role-based authentication: the Cryptographic Officer (CO) role, a limited privilege Admin role (abbreviated as ‘A’ in tables below) and the User role. Each role is implicitly identified by the service requested, with authentication as shown in Table 6. The Status service may be used to determine the current status of the Module, as well as provide the CMVP listing information for the Module (identifiers and version). Table 5: Roles, Service Commands, Input and Output Commands corresponding to [FIPS140-3] required services are italicized: tx_status (output module identifier and version, Table 6: Roles and Authentication For an operator in the CO or Admin role, connected via the console or SSH (Debian login (memorized secret)):
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| CLI: Console connect. | CO | CO-IPW CO-RPW | N/A. | WEZ | LCD-R SH-LOGIN | Console login, password | WEZ E | |||
| (memorized secret) | E | (memorized secret) | ||||||||
| CLI: SSH connect. | SSH login, password (memorized secret) authentication. SSH†. | CO, A | CO-IPW CO-RPW SSH† | SSH†. | LCD-R SH-LOGIN | WEZ E SSH† | ||||
| CLI: Miscellaneous. No security function or CSP usage. | CO, A | N/A | N/A. | LCD-R SH-LOGIN | CO administrative commands, | N/A | ||||
| CLI: Certificate management. | Commands to generate, install, set or remove certificates and keys. | CO, A | SSH-HSK-Pri SSH-HSK-Pub SSH-KEX-Pri SSH-KEX-Pub TLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-Pub | DSA KeyGen, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, RSA SigGen, RSA SigVer, CKG. | LCD-R SH-CMD | GWEZ GWEZ GWEZ GWEZ GWEZ GWEZ GWEZ GWEZ | ||||
| CLI: User management. | Add, remove or update users. | N/A. | W | LCD-R | CO-IPW | CO, | ||||
| CO-RPW | W | CO-RPW | A | |||||||
| CLI: Tests. | Check: - a Phio Hive connection. - e-mail problem notification setup. SSH† (command invocation). TLS‡ (peer interaction). | CO, A | SSH† TLS‡ | SSH† TLS‡. | LCD-R | SSH† TLS† | ||||
| CLI: Status. | N/A. | N/A | LCD-R SH-STAT | Report Phio TX identifier, | N/A | N/A | CO, A | |||
| CLI: Run CASTs. | Run CASTs on demand (all conditional self-tests in Section 10, for self-test only). | SSH†. | LCD-R > LCD-CF SH-CAST | SSH† | SSH† | A | ||||
| CLI: Run FW integrity tests. | Run firmware integrity test on demand. | SSH†. | LCD-R > LCD-CF SH-FWIT | N/A SSH† | N/A SSH† | CO, A | ||||
| CLI: Zeroise. | Factory reset zeroises Phio TX SSPs. | N/A. | LCD-R > LCD-NR SH-RST | Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z | JWT-Pub CO-IPW CO-RPW SSH-HSK-Pri SSH-HSK-Pub SSH-KEX-Pri SSH-KEX-Pub SSH-EDK SSH-MK SSH-SS TLS-EDK TLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-Pub TLS-MK TLS-MS TLS-SS | CO, A | ||||
| Web Monitor. | TLS‡ | TLS‡. | TLS† | LCD-R | Visual display of Phio Hive | CO, A | ||||
| connections. | CO-IPW | W | connections. | |||||||
| TLS‡ (web server interaction). | CO-RPW | E | TLS‡ (web server interaction). | |||||||
| ETSI REST Services. | Connect to an endpoint using ETSI. Respond to ETSI REST API functions. TLS‡ (REST interaction). | TLS‡. | LCD-R | TLS† | TLS‡ | User | ||||
| SKIP REST Services. | TLS‡. | LCD-R | Connect to an endpoint using | TLS† | TLS‡ | User | ||||
| Phio Hive REST Services. | Connect to a Phio TX peer. Respond to Phio TX REST API functions. TLS‡ (REST interaction). | TLS‡. | LCD-R | TLS† | TLS‡ | User | ||||
| SSH† = SSH Usage. | This entry indicates all security functions and SSPs associated with SSH usage. SSH is used for Admin shell functions. | SSH-HSK-Pri | AES-CBC, AES-GCM, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, HMAC-SHA2-256, HMAC-SHA2-384, KAS-ECC-SSC, RSA SigGen, RSA SigVer, KDF SSH, CKG. | LCD-R SH-LOGIN | GEZ | CO, A |
Quantum Xchange
Quantum Xchange Phio TX FIPS 140-3 Security Policy N/A. N/A A N/A A N/A A N/A N/A. A Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z A W E A
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| TLS‡ = TLS usage. | This entry indicates all security functions and SSPs associated with TLS usage. TLS is used for Web Monitor (CO) and ETSI, SKIP and PHIO REST services (User). | CO, A, User | TLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-Pub TLS-SS TLS-MS TLS-EDK TLS-MK | AES-CBC, AES-GCM, DSA KeyGen, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA-1, KAS-ECC-SSC, KAS-FFC-SSC, RSA SigGen, RSA SigVer, TLS v1.2 KDF [RFC7627], CKG. | E ER E ER GEZ GEZ GEZ GEZ | LCD-R |
Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module supports self-initiated cryptographic output capability in the context of the TLS v1.2 protocol. The following two actions are performed prior to activation of the self-initiated cryptographic output capability: Action 1: installation of credentials (PKIs), using tx_generate_tx_csr followed by tx_install_tx_crt. Action 2: registration of the peer in the config file, specifying name (matching the peer CN) and optionally IP address. For self-initiated cryptography to function, both actions are required on each peer (both sides of the connection). The Module supports a partial firmware load from an external source and this functionality is limited to the Crypto Officer role thus ensuring that unauthorised access to and use of the Module is not feasible. The firmware load test using HMAC-SHA2-384 performed prior to installation of the loaded firmware ensures an isolation of code. Software/Firmware Security The Module uses HMAC-SHA2-384 performed over all Module firmware as the integrity technique. The operator can initiate the integrity test on demand via the txscan command.The Phio TX application is delivered in a single executable binary, as a self-extracting installation package which can be installed on any system on which the base OS has been installed. The Module supports firmware loading (partial update). HMAC-SHA2-384 with (256-bit HMAC key) is performed on updated components. Operational Environment The Module is classified in [FIPS140-3] terms as a limited operational environment. Physical Security The Phio TX is a hardware Module (multichip standalone embodiment) packaged in a metal chassis as shown in Figure 1 and Figure 2. The enclosure is protected by four (4) tamper-evident seals as shown in Figure 6, is production grade and opaque in the visible spectrum. The Crypto Officer role is responsible for securing and having control at all times of any unused seals, and the direct control and observation of any changes to the Module such as reconfigurations where the
| Physical Security Mechanism | Recommended Frequency of Inspection/Test | Inspection/Test Guidance Details | |
|---|---|---|---|
| Tamper-evident seals (qty. 4) over chassis screws. | Seals should be inspected during physical maintenance | Inspect seals for evidence of lifted edges or excessive wear. | Inspect seals for evidence of lifted edges |
| operations and when circumstances dictate (e.g., if | or excessive wear. | ||
| tampering is suspected). |
| Establishment (equated to Key Agreement [FIPS140-3_IG] D.F) | |
|---|---|
| E1: Calculated using KAS-ECC-SSC or KAS-FFC-SSC. | |
| E2: Calculated using approved TLS KDF. | |
| E3: Calculated using approved SSH KDF. |
| Zeroisation | |
|---|---|
| Z1: Overwritten by zeros after use (Module initiated), shutdown or loss of power (operator initiated). | |
| Z2: Overwritten by zeros by Zeroisation service (operator initiated). |
Quantum Xchange Phio TX FIPS 140-3 Security Policy tamper evident seals or security appliances are removed or installed to ensure the security of the Module is maintained during such changes and the Module is returned to the Approved state. Rear right tamper seal Rear left tamper seal Left front tamper seal Right front tamper seal Figure 6: Module Seal Application Locations Non-Invasive Security The Module does not implement non-invasive security measures. Sensitive Security Parameters Management Table 9 summarizes the SSPs implemented by the Module. System keys handled by the Phio TX are not classified as SSPs as they are not used by the Phio TX. All such data crosses the boundary via TLS connections, such that system secrets are TLS protected. Generation, inclusive of derivation (Key-entity association) G1: Generated by on-chip [SP800-90B] ENT (NP) (memory map). G2: Derived using [SP800-90Ar1] with Block_cipher_df (memory map). G3: FFC (DSA) or ECC (ECDSA) or RSA (memory map). Storage (associated to entity by memory mapping) S1: Stored in plaintext in RAM, dynamic storage. S2: Stored in PEM format in hard drive media, static storage. IE1: Provided in plaintext to the Module (message parameter). IE2: Imported and exported in ciphertext (positional parameter). IE3: Established in Quantum Xchange manufacturing facility.
| Name | Strength | Security Function | Use | G1 | S1 | Z1 | Key/SSP Name/Type DRBG-EI (CSP) | N o it a r e n e G G1 | |||
|---|---|---|---|---|---|---|---|---|---|---|---|
| SSH-HSK-Pri (CSP) | 128 or 192 | ECDSA (P-256, P-384) or RSA (2048, 3072) private key - signature generation. | ECDSA SigGen #A2983. | G3 | S2 | Z2 | |||||
| SSH-HSK-Pub (PSP) | 128 or 192 | ECDSA SigVer #A2983. RSA SigVer #A2983. CKG. | ECDSA (P-256, P-384) or RSA (2048, 3072) public key - signature verification. | G3 | S2 | Z2 | |||||
| SSH-KEX-Pri (CSP) | 128 or 192 | ECDSA (P-256, P-384) private key for SSH key exchange. | KAS-ECC-SSC #A2983. | G3 | S1 S2 | Z1 Z2 | |||||
| TLS-HSK-Pri | ECDSA SigGen #A2983. | S2 | Z2 | TLS-HSK-Pri | 128 or 192 | G3 | ECDSA (P-256, P-384) or RSA (2048, 3072) private key |
Quantum Xchange Phio TX FIPS 140-3 Security Policy Import/Export Establishment Storage Zeroisation Table 9: SSPs ---------------------------
3 Strength is provided in bits. Please refer to Table 3 and the notes below it for the strength provenance (traceability to applicable standards and
| Name | Key Size | Use Function | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ECDSA SigVer #A2983. RSA SigVer #A2983. CKG. | ECDSA (P-256, P-384) or RSA (2048, 3072) public key for digital signature verification. | TLS-HSK-Pub (PSP) | 128 or 192 112 or 128 | G3 | IE3 | S2 | Z2 | |||
| TLS-KEX-Pri (CSP) | ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) private key for TLS KAS SSC. | TLS-KEX-Pri (CSP) | 112 or 128 128 or 192 | G3 | IE3 | S1 S2 | Z1 Z2 | KAS-FFC-SSC #A2983. | ||
| KAS-FFC-SSC #A2983. KAS-ECC-SSC #A2983. | ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) public key for TLS KAS SSC. | TLS-KEX-Pub (PSP) | 112 or 128 128 or 192 | IE1 AD /EE | S1 S2 | Z1 Z2 | ||||
| TLS-MK (CSP) | TLS Session MAC Key (for non-AEAD suites). | TLS-MK (CSP) | 256 or 384 | E2 | S1 | Z1 | HMAC-SHA2-256 | |||
| TLS v1.2 KDF [RFC7627] #A2983. CKG. | TLS Master Secret: derive key block; finalize. | TLS-MS (CSP) | 256 or 384 | E2 | S1 | Z1 | ||||
| TLS-SS (CSP) | TLS Shared Secret: derive TLS Master Secret. | TLS-SS (CSP) | 128 or 192 112 or 128 | E1 | S1 | Z1 | KAS-ECC-SSC #A2983. | |||
| Entropy | Minimum number | Entropy | Details | |||||||
| sources | of bits of entropy | sources | ||||||||
| [SP800-90Ar1] min_length: 256 bits. [SP800-90Ar1] seedlen: 384 bits. | [SP800-90Ar1] min_length: | Jent | Jent | [FIPS140-3_IG] 9.3.A: The Module generates ENT within the Module boundary: option 1(a) | ||||||
| 256 bits. | 256 bits. | using a [SP800-90B] compliant ENT (NP). | ||||||||
| [SP800-90Ar1] seedlen: | [SP800-90Ar1] seedlen: | Per [SP800-90Ar1] Table 2, the AES CTR_DRBG requires 384 bits of entropy in the | ||||||||
| 384 bits. | 384 bits. | DRBG_Seed value. |
| Name | Key Size | Use Function | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ECDSA SigVer #A2983. RSA SigVer #A2983. CKG. | ECDSA (P-256, P-384) or RSA (2048, 3072) public key for digital signature verification. | TLS-HSK-Pub (PSP) | 128 or 192 112 or 128 | G3 | IE3 | S2 | Z2 | |||
| TLS-KEX-Pri (CSP) | ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) private key for TLS KAS SSC. | TLS-KEX-Pri (CSP) | 112 or 128 128 or 192 | G3 | IE3 | S1 S2 | Z1 Z2 | KAS-FFC-SSC #A2983. | ||
| KAS-FFC-SSC #A2983. KAS-ECC-SSC #A2983. | ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) public key for TLS KAS SSC. | TLS-KEX-Pub (PSP) | 112 or 128 128 or 192 | IE1 AD /EE | S1 S2 | Z1 Z2 | ||||
| TLS-MK (CSP) | TLS Session MAC Key (for non-AEAD suites). | TLS-MK (CSP) | 256 or 384 | E2 | S1 | Z1 | HMAC-SHA2-256 | |||
| TLS v1.2 KDF [RFC7627] #A2983. CKG. | TLS Master Secret: derive key block; finalize. | TLS-MS (CSP) | 256 or 384 | E2 | S1 | Z1 | ||||
| TLS-SS (CSP) | TLS Shared Secret: derive TLS Master Secret. | TLS-SS (CSP) | 128 or 192 112 or 128 | E1 | S1 | Z1 | KAS-ECC-SSC #A2983. | |||
| Entropy | Minimum number | Entropy | Details | |||||||
| sources | of bits of entropy | sources | ||||||||
| [SP800-90Ar1] min_length: 256 bits. [SP800-90Ar1] seedlen: 384 bits. | [SP800-90Ar1] min_length: | Jent | Jent | [FIPS140-3_IG] 9.3.A: The Module generates ENT within the Module boundary: option 1(a) | ||||||
| 256 bits. | 256 bits. | using a [SP800-90B] compliant ENT (NP). | ||||||||
| [SP800-90Ar1] seedlen: | [SP800-90Ar1] seedlen: | Per [SP800-90Ar1] Table 2, the AES CTR_DRBG requires 384 bits of entropy in the | ||||||||
| 384 bits. | 384 bits. | DRBG_Seed value. |
Quantum Xchange Phio TX FIPS 140-3 Security Policy ------------ = not applicable. The firmware integrity key (FWIK, formally not a SSP) is a 256-bit HMAC key used with HMAC-SHA2-384. Table 10: Non-Deterministic Random Number Generation Specification
Quantum Xchange Phio TX FIPS 140-3 Security Policy
The Module automatically invokes all tests listed below on each power-on or reset. The FW integrity test is run periodically as a scheduled system service (nominally every eight hours) and may also be run on demand by running txscan on an SSH or Console connection. The complete set of ACVP tests used to achieve the CAVP listings are run at power-on (as listed under Conditional Selftests below), are also run periodically as a scheduled system service (nominally every eight hours) and may also be run on demand by running txfips on an SSH or Console connection. All cryptographic algorithm self-tests (CASTs) must complete successfully prior to any other use of cryptography by the Module. If the firmware integrity test fails, the Module enters the ERR_TXSCAN state (indicated by LCD-IF, see Table 7). If one of the CASTs fails, the Module enters the ERR_TXFIPS state (indicated by LCD-CF, see Table 7). The ERR_TXFIPS and ERR_TXSCAN error states are persistent, cleared by successful completion of txfips or txscan, respectively. When in an error state, only self-test and status services are available. All attempts to use the Module’s services result in the return of the error state indicator (Failed TXFIPS or Failed TXSCAN). Pre-operational Self-tests
Quantum Xchange Phio TX FIPS 140-3 Security Policy
Installation, initialization, configuration, and provisioning are managed using Quantum Xchange provided scripts as well as the administrative tools of the Phio TX shell available via SSH or the console. This involves installation of a valid Phio TX License with locked Approved mode enforcement. Once configured, the Approved mode of operation persists. Quantum Xchange recommends the use of the tx_reset command to reset the Phio TX to factory defaults.
Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module Guidance Documentation [GD] provides detailed procedures for secure installation, initialization, configuration, provisioning, decommissioning, and sanitization of the Module. No maintenance requirements are defined for the Phio TX. The Phio TX application is delivered as a single executable binary. The binary must be run with the root account to install the upgrade. The firmware load test and integrity tests implemented ensure protection of the firmware during delivery.
The Module does not implement mitigations of other attacks outside the scope of [FIPS140-3].
Quantum Xchange Phio TX FIPS 140-3 Security Policy References
Quantum Xchange Phio TX FIPS 140-3 Security Policy
Quantum Xchange