| Standard | FIPS 140-3 |
|---|---|
| Overall level | 3 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Active |
| Sunset date | 12/23/2029 |
| Caveat | Interim Validation; When operated in approved mode; No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Pitney Bowes, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2435 |
| AES-ECB | A2435 |
| AES-KW | A2435 |
| ECDSA KeyGen (FIPS186-4) | A2437 |
| ECDSA SigGen (FIPS186-4) | A2437 |
| ECDSA SigVer (FIPS186-4) | A2437 |
| Hash DRBG | A2436 |
| HMAC-SHA2-256 | A2438 |
| KAS-ECC-SSC Sp800-56Ar3 | A2439 |
| KDA OneStep Sp800-56Cr1 | A2439 |
| RSA SigVer (FIPS186-4) | A2440 |
| SHA2-224 | A2441 |
| SHA2-256 | A2441 |
flowchart LR
%% Deterministic review-risk graph for X5 Postal Security Device (PSD)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Rollback<br/>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>bootloader<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for X5 Postal Security Device (PSD)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Rollback<br/>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>bootloader<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;Pitney Bowes, Inc. X5 Postal Security Device (PSD) Version 1.0 This document may be freely reproduced and distributed, but only in its entirety and without modification.
| # | Section | Page |
|---|
This document may be freely reproduced and distributed, but only in its entirety and without modification.
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Hardware | 8 |
| Table 3: Modes List and Description | 9 |
| Table 4: Approved Algorithms | 9 |
| Table 5: Vendor-Affirmed Algorithms | 11 |
| Table 6 – FIPS Non-Approved, Not Allowed Algorithms | 11 |
| Table 7: Security Function Implementations | 12 |
| Table 8: Ports and Interfaces | 14 |
| Table 9: Authentication Methods | 15 |
| Table 10: Roles | 15 |
| Table 11: Approved Services | 16 |
| Table 12 - Non-Approved Services | 23 |
| Table 13: Mechanisms and Actions Required | 25 |
| Table 14: EFP/EFT Information | 25 |
| Table 15: Hardness Testing Temperatures | 25 |
| Table 16: Storage Areas | 26 |
| Table 17: SSP Input-Output Methods | 26 |
| Table 18: SSP Zeroization Methods | 27 |
| Table 19: SSP Table 1 | 28 |
| Table 20: SSP Table 2 | 29 |
| Table 21: Pre-Operational Self-Tests | 32 |
| Table 22: Conditional Self-Tests | 32 |
| Table 23: Pre-Operational Periodic Information | 34 |
| Table 24: Conditional Periodic Information | 34 |
| Table 25: Error States | 35 |
This document defines the Security Policy for the Pitney Bowes, Inc. (PB) X5 Postal Security Device (PSD) cryptographic module, hereafter “the module”. The physical form of the module is depicted in Figure 1. The module is a single-chip embodiment as defined by FIPS 140-3 and conforms to Security Level 3.
The module meets the overall requirements of FIPS 140-3 Security Level 3. Table 1: Security Levels Section Title Security Level
The X5 Postal Security Device (PSD) is a single-chip (hardware) cryptographic module designed by PB to conform with FIPS 140-3 Security Level 3 requirements. The module provides cryptographic services to a host device (i.e., Digital Postage Meter), to support postage evidence in the form of an indicium. A PSD provides protection that includes ensuring the secrecy of critical security parameters (CSPs) such as cryptographic keys and providing data This document may be freely reproduced and distributed, but only in its entirety and without modification.
integrity protection for funds relevant data items (FRDIs 1) such as accounting data. CSPs and FRDIs reside inside the strong physical protection of the PSD. Figure 1
1 FRDIs are not applicable to FIPS 140-3 and are not CSPs. The FRDIs’ authenticity and integrity are critical for
postal functionality, and they should never be zeroized. This document may be freely reproduced and distributed, but only in its entirety and without modification.
The module is designed to meet the requirements of FIPS 140-3 Security Level 3 (refer to Table 1). The module is available in the following configuration (refer to Table 2): Tested Module Identification
N/A for this module. Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.
Modes List and Description: The module only supports an Approved and non-Approved mode of operation. The module provides an explicit mode of operation indicator: the ‘Approved mode status flag’ is returned in every response from the module. The Approved Mode Status Flag is set to zero when a service utilizes an approved cryptographic algorithm, security function or process in an approved manner or to one for non-Approved cryptographic algorithms, security functions or process in a non-approved manner. The module’s mode of operation can only be configured within manufacturing. Once configured, the module does not have the ability to change modes. Table 3: Modes List and Description Mode Name Description Type Status Indicator Approved Mode Only Approved services are Approved Approved Mode Status Flag supported returns ‘0’. Non-Approved Non-Approved Configuration Non-Approved Approved Mode Status Flag Mode returns ‘1’.
The module supports the approved cryptographic algorithms shown in Table 4. Approved Algorithms: The module supports the following approved cryptographic algorithms. Table 4: Approved Algorithms Algorithm CAVP Cert Properties Reference AES-CBC Cert. #A2435 Direction: Encrypt, Decrypt FIPS 197, NIST SP 800Key Length: 2562 38A
2 Key sizes 128 and 192 are included in the algorithm certificate, but are not used in Approved mode.
This document may be freely reproduced and distributed, but only in its entirety and without modification.
Algorithm CAVP Cert Properties Reference AES-ECB Cert. #A2435 Direction: Encrypt, Decrypt FIPS 197, NIST SP 800Key Length: 2563 38A AES KW Cert. #A2435 Direction: Wrap, Unwrap NIST SP 800-38F Key Length: 2564 ECDSA Key Cert. #A2437 Curves: P-224, P-256 FIPS 186-4 Generation SHA Size: 224, 256 ECDSA Signature Cert. #A2437 Curves: P-224, P-256 FIPS 186-4 Generation SHA Size: 224, 256 ECDSA Signature Cert. #A2437 Curves: P-224, P-256 FIPS 186-4 Verification SHA Size: 224, 256 Hash DRBG Cert. #A2436 Function: Hash_DRBG NIST SP 800-90A Rev. 1 HMAC-SHA2-256 Cert. #A2438 Function: Generate Message FIPS 198-1 Authentication Codes SHA Size: 256 KAS-ECC-SSC Cert. #A2439 Scheme: Ephemeral Unified Model NIST SP 800-56A Rev. 3 NIST SP 800-56Ar3 C (2e, 0s, ECC CDH) Curve: P-256 KDA OneStep Cert. #A2439 Function: One-Step KDF (Session NIST SP 800-56C Rev. 2 NIST SP 800-56Cr1 Key) SHA Size: 256 Cert. #A2435 Function: Wrap, Unwrap NIST SP 800-38F KTS Key Length: 256 Cert. #A2435 AES Function: Encrypt, Decrypt NIST SP 800-38F; FIPS Cert. #A2438 197; FIPS 198-1 HMAC Function: Generate HMAC KTS Key Length: 256 SHA Size: 256 RSA Signature Cert. #A2440 Function: Signature Verification FIPS 186-4 Verification (PKCS PSS) Key Length: 2048 SHA Size: 256 SHA2-224 Cert. #A2441 SHA Size: 224 FIPS 180-4
3 Key sizes 128 and 192 are included in the algorithm certificate, but are not used in Approved mode.
4 Key sizes 128 and 192 are included in the algorithm certificate, but are not used in Approved mode.
5 RSA PKCS1 v1.5 and ANSI X9.31 are not used by the module in Approved mode. Only the modulus size of
This document may be freely reproduced and distributed, but only in its entirety and without modification.
Algorithm CAVP Cert Properties Reference SHA2-256 Cert. #A2441 SHA Size: 256 FIPS 180-4 Vendor-Affirmed Algorithms: The module supports the following vendor affirmed algorithms in accordance with IG D.H (refer to Table 5). Table 5: Vendor-Affirmed Algorithms Name Properties Implementation Reference CKG - Asymmetric Key Type: N/A NIST SP 800-133r2 Section 4 and Section 5.1 Asymmetric The unmodified output of the DRBG is used for generation of asymmetric keys. CKG - Symmetric Key Type: Symmetric N/A NIST SP 800-133r2 Section 4 and Section 6.1 The unmodified output of the DRBG is used for generation of symmetric keys. CKG - Key Type: N/A NIST SP 800-133r2 Section 4 and Section 5.2 Establishment Asymmetric The unmodified output of the DRBG is used for key pair generation for key establishment. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: The following cryptographic algorithms are used solely in a non-Approved mode of operation (this includes specified CAVP-validated algorithms). There exists no mechanism to allow the use of these algorithms in an Approved mode of operation. Table 6
Table 7: Security Function Implementations Name Type Description Properties Algorithms DRBG Generate DRBG NIST SP 800-90A Returned Hash DRBG/A2436 Function CTR_DRBG Bits:1024 generate function for delivering random bits on demand ECDSA Key AsymKeyPair- FIPS 186-4 ECDSA P- Curve:P-224 ECDSA KeyGen (FIPS186-4) Generation KeyGen 224/P-256 Key Curve:P-256 Curves: P-224, P256 CKG Generation Secret Generation Mode: Testing Candidates CKG - Asymmetric Key Type: Asymmetric ECDSA Signature DigSig-SigGen FIPS 186-4 ECDSA P- Curve:P-224 ECDSA SigGen (FIPS186-4) Generation 224/P-256 digital Curve:P-256 Curves: P-224, P-256 signature SHA2-224, SHA2-256 generation of postal relevant data ECDSA Signature DigSig-SigVer FIPS 186-4 ECDSA P- Curve:P-224 ECDSA SigVer (FIPS186-4) Verification 224/P-256 digital Curve:P-256 Curves: P-224, P256 signature SHA2-224, SHA2-256 verification Hash Function SHA SHA2-224 and SHA2-224, SHA2- SHA2-224 and SHA2-256 SHA2-256 data 256 Message Length Min: 8 bits integrity for ECDSA Message Length Max: 51200 bits digital signatures KAS KAS NIST SP 800-56Ar3 ECC P-256 KAS-ECC-SSC SP800-56Ar3/A2439 KAS-SSC Per IG D.F providing KDA OneStep SP800-56Cr1/A2439 Scenario 2 path (2) strength of 128 bits KTS_1 KTS NIST SP 800-38F 256-bit key AES-KW/A2435 key wrapping and providing unwrapping per IG strength of 256 D.G bits KTS_2 KTS NIST SP 800-38F 256-bit key AES-CBC/A2435 key wrapping and providing HMAC-SHA2-256/A2438 unwrapping per IG strength of 256 D.G bits Message MAC HMAC-SHA-256 Key: 256-bit HMAC-SHA2-256 Authentication used for Key Length Min: 128-bit authentication for Key Length Max: 512-bit secure sessions RSA Signature DigSig-SigVer FIPS 186-4 RSA Key:2048-bit RSA SigVer (FIPS186-4) Verification (Auth) 2048 digital Signature Type: PKCS PSS signature Modulo: 2048 verification SHA2-256 This document may be freely reproduced and distributed, but only in its entirety and without modification.
Seed DRBG DRBG Instantiate the Length: 1024 bits Hash DRBG/A2436 DRBG SSP Authentication MAC Message Key: 256-bit HMAC-SHA2-256 authentication code Key Length: 128-bit applied to stored SSPs SSP Decryption BC-UnAuth SSP Decryption in Key:256-bit AES-CBC NVRAM Key Size: 128-bit SSP Encryption BC-UnAuth SSP encryption in Key:256-bit AES-CBC NVRAM Key Size: 128-bit Symmetric Key CKG Symmetric Key Key: 256-bit CKG Generation Generation Key Type: Symmetric The module utilizes only approved algorithms that are tested and validated under the Cryptographic Algorithm Validation Program (CAVP).
The module incorporates a NIST SP 800-90A Hash-DRBG (Cert. #A2436) that is seeded with 512 bits of entropy and a 512-bit nonce from an external source during manufacturing of the module. The unmodified output of the DRBG is used for generating cryptographic key material or random nonces. Given that the entropy is imported from outside the device, there is no assurance of the minimum strength of generated SSPs.
The module generates symmetric cryptographic keys in conformance with NIST SP 800-133r2 using a NIST SP 80090A conforming DRBG (Cert. #A5176) for the encryption and protection of data and cryptographic keys. The module generates asymmetric cryptographic key pairs in conformance with FIPS 186-5 for the verification of digital signatures, or for the facilitation of key agreement in conformance with NIST SP 800-56ar3.
The module supports the establishment of cryptographic keys using elliptic curve cryptography (ECC) in conformance with NIST SP 800-56ar3 and IG D.F
The module relies upon the standard USB and other serial protocols for communication with general purpose computer (GPC) systems. This document may be freely reproduced and distributed, but only in its entirety and without modification.
The module incorporates physical ports and logical interfaces. The MAX32590 is supplied in a 324-pin Ball Grid Array (BGA) package where all power input, data input, data output, control input, and status output interfaces are supported. The module does not support a control output interface. The physical ports are defined within Table 8 below: Table 8: Ports and Interfaces Physical Port Logical Data That Passes Interface(s) G13, J5, J13, K5, K13 Control Input Reset Input, RTC, Commands. B7, F13, F14, R10, R11, R12, R13, Control Input Serial UART and USB interfaces for inputting postal T10, T11, T12, T13, U10, U11, Data Input relevant data items, configuration or sensitive security U12, U13, V10, V11, V12, V13 parameters (SSPs). A7, F13, F14, P4, P6, P7, P8, P9, Data Output, Serial UART and USB interfaces for outputting postal P10, P11, P13, P14, P15, P16, Status Output relevant data items, sensitive security parameters (SSPs), P17, P18, R10, R11, R12, R13, error codes and module status. R14, R15, R16, R17, R18, T10, T11, T12, T13, T15, T16, T17, T18, U10, U11, U12, U13, U16, U17, U18, V10, V11, V12, V13, V16, V17, V18 G5, H13, M4, N14, N17, N18 Status Output USB Detect, Reset Output, module status. C3, D3, F6, F7, F8, F9, F10, F11, Power Power input. F12, G6, G12, H5, H6, H12, J6, J12, K6, K12, L6, L12, M6, M12, N6, N7, N8, N9, N10, N11, N12 This document may be freely reproduced and distributed, but only in its entirety and without modification.
The module supports authentication methods for the Cryptographic Officer (CO) or User roles. These roles have separate authentication methods as indicated in Table 9. Table 9: Authentication Methods Method Name Description Security Strength Strength per Minute Mechanism Each Attempt Cryptographic Identity-based. Allows ECDSA P-256 128 bits The module can execute at most 17.85 Officer (CO) the Cryptographic Officer SigVer (FIPS ECDSA verifications per second. to authenticate 186-4) (A2437) Therefore, the probability of a successful random attempt in a onethemselves. Sets up a minute period is 1 in 3.2 x 10^35 for remote session with CO. ECDSA, which is far less than 1 in 100,000. User Identity-based. Allows Challenge 128 bits The module can execute at most 40 the User to authenticate response password authentication attempts per to the module. mechanism. minute. Therefore, the probability of a successful random attempt in a oneminute period is 1 in 8.5 x 10^36, which is far less than 1 in 100,000.
Table 10: Roles Name Type Operator Type Authentication Methods Cryptographic Officer (CO) Identity Cryptographic Digital Signature (ECDSA P-256, Officer authenticated with Vendor, Download or Certificate Keys) User Identity User Uniquely Assigned ID in conjunction with 128-bit password Unauthenticated N/A Unauthenticated None The module does not support concurrent operators. Only one operator is allowed to access the device at any time. Operator authentication does not persist beyond power-cycling the module. The selection of roles is implicit. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Table 11: Approved Services Name Description Indicator Inputs Outputs Security SSP Access Functions Generate PSD Key Instructs the PSD to Approved Command PSD Certificate ECDSA P-256/P- Cryptographic Officer generate its Unique Service ID, Block:0x203F00BD + Request block after 224 KeyGen, - Operation Private/Public Keys: G ECDSA P-256 Operation Success or Signed Key Record the key has been Hash-DRBG, AES - Or Debit Private/Public Keys: G Key pair or the Unique Error ID with the parameters generated or an 256, HMAC-SHA- - DRBG Working State: E, G ECDSA P-256 Debit Key for use in the error condition has 256, CKG - Vendor Key: E pair. generation of the been detected - KEK: E private and public - KAK: E key values. Generate Session Instructs the PSD to Approved Command Status bits, Session Hash-DRBG, NIST Cryptographic Officer Key generate an AES 256-bit Service ID, Block:0x203F00C3 + Key SP 800-56A KAS- - DRBG Working State: E, G and a HMAC 256-bit Success or Signed Key Block SSC, NIST SP 800- - Shared Secret: G, E session key via NIST SP Error ID with an ECDH key 56C KDA, ECDSA - ECC-CDH PSD KAS Private Key: G, E 800-56A and NIST SP for generating the P-256 SigVer, AES - Operation Private Key: E, Session 800-56C. shared secret key. KW 256, HMAC- - Authentication Key: G, E SHA-256 Or AES - Or Session Privacy Key: G, E 256, CKG - KEK: E, KAK: E - Certificate Key: E, ECC-CDH - Infrastructure KAS Public Key: E - ECC-CDH PSD KAS Public Key: G, E, R Load Certificate Key Instructs the PSD to Approved Command Block: Status bits (Success HMAC-SHA-256, Cryptographic Officer load the (ECDSA P-256) Service ID, 0x203F00BA + or Error ID) ECDSA P-256 - KAK: E, Vendor Key: E Certificate Key. Success or Certificate Key SigVer - Certificate Key: W Error ID Load CRL Loads the Certificate Approved Command Block: Status bits (Success ECDSA P-256 Cryptographic Officer Revocation List and the Service ID, 0x203F00B8 + CRL or Error ID) SigVer - Download Key: E CRL version. Success or Error ID Load Download Key Instructs the PSD to Approved Command Status bits (Success HMAC-SHA-256 Cryptographic Officer load the (ECDSA P-256) Service ID, Block:0x203F00BB + or Error ID) ECDSA P-256 - KAK: E Download Key Success or Download Key SigVer - Certificate Key: E Certificate. Error ID - Download Key: W
Name Description Indicator Inputs Outputs Security SSP Access Functions Load Encrypted Key The Crypto Officer Approved Command Status bits (Success HMAC-SHA-256 Cryptographic Officer instructs the PSD to Service ID, Block:0x203F00AD + or Error ID) AES KW 256 AES - Debit Secret Key: W load a signed key Success or Encrypted Secret 256 ECDSA P-256 - Session Privacy Key: E record containing an Error ID Key SigVer - KEK: E encrypted symmetric or - KAK: E private key. - Certificate Key: E Load Key Acknowledge that the Approved Command Block: N/A ECDSA P-256 Cryptographic Officer Acknowledgement generated PSD Key has Service ID, 0x203F00AE + SigVer - Certificate Key: E been successfully Success or Affirmation from registered and that the Error ID server with Key PSD can activate that Acknowledgement key. Load Parameters: Causes the PSD to Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Transition to transition to the PSD Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E Operational State Operational lifecycle Success or parameter value state. Error ID Load Parameters: Transitions the PSD Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Transition to Base from its Manufacturing Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E State lifecycle state to Base Success or parameter value lifecycle state. Error ID Load Parameters: Places the PSD in the Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Disable PSD Disabled lifecycle state. Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E In the Disabled lifecycle Success or parameter value state, further financial Error ID functions are prohibited. Load Parameters: Transition the PSD from Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Enable PSD Disabled lifecycle state Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E to Operational lifecycle Success or parameter value state. Error ID Load Parameters: Causes PSD to zeroize Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Reinitialize PSD all plaintext Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E cryptographic keys and Success or parameter value CSPs, and then Error ID invalidates the PSD Application. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Load Parameters: Update utility that Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Software Update allows start of firmware Service ID, Block:0x203F00B5 + or Error ID) Ver - SWAK: E download. Success or parameter value - Certificate Key: E Error ID Load Parameters: Triggers event to have Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Transaction Start the PSD prepare for a Service ID, Block:0x203F00B5 + or Error ID) Ver - Certificate Key: E (Commit, Rollback) multi-message Success or parameter value transaction that must Error ID be completed successfully as a unit (atomic transaction). Wipe PSD Causes PSD to zeroize Approved None Status bits (Success ECDSA P-256 Sig Cryptographic Officer all plaintext Service ID, or Error ID) Ver - KEK: Z cryptographic keys and Success or - Certificate Key: E CSPs. Error ID Load Vendor Key Instructs the PSD to Approved Command Status bits (Success HMAC-SHA-256, Cryptographic Officer load the (ECDSA-P256) Service ID, Block:0x203F00BC + or Error ID) ECDSA P-256 - KAK: E Vendor Key Certificate. Success or Vendor Key SigVer - Manufacturing Key: E Error ID - Vendor Key: W Process Audit Instructs the PSD to Approved Command Status Bits ECDSA P-256 Sig Cryptographic Officer Response process the Horizon Service ID, Block:0x203F00B2 + Ver - Certificate Key: E Audit Response Block Success or Audit Response returned from the Error ID Block Pitney Bowes infrastructure. Process Postage Instructs the PSD to Approved Command Status bits (Success ECDSA P-256 Sig Cryptographic Officer Value Download perform a postage Service ID, Block:0x203F00B9 or Error ID) Ver - Certificate Key: E value download Success or operation. Error ID Process Withdraw Instructs the PSD to Approved Command Status Bits ECDSA P-256/P- Cryptographic Officer Response complete the withdraw Service ID, Block:0x203F00B0 224 Sig Ver - Debit Private Key: E process. Success or - Certificate Key: E Error ID Audit Request Instructs the PSD to Approved Command Audit block Hash-DRBG, AES- User prepare a signed Audit Service ID, Block:0x204E0007 - 256, ECDSA P-256 - DRBG Working State: E, G Request Block. Success or initiates an Audit SigGen - KEK:E Error ID Request - Operation Key: E This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Clear Upload Interval Instructs the PSD to Approved Command Block: Status bits (Success None User clear the Upload Service ID, 0x204E0032 - clears or Error ID) - None Interval Timer. Success or the upload interval Error ID Create Debit Instructs the PSD to Approved Command Status bits, Signed DRBG, AES 256, User Certificate create a debit Service ID, Block:0x204E0029 + data block ECDSA P-256/P- - DRBG Working State: E, G certificate in the format Success or Postal data for 224 SigGen or - KEK: E defined by the Flex Error ID signing HMAC-SHA-256 - Debit Secret Key: E, or Debit Private Debit Certificate Key: E or Mail Piece Key: E Template. Create PVD Request Instructs the PSD to Approved Command Status bits (Success Hash-DRBG, AES User create a Postage Value Service ID, Block:0x204E0033 - or Error ID) 256, ECDSA P-256 - DRBG Working State: E, G Download Request Success or initiates an PVD SigGen - KEK: E Block. Error ID Request - Operation Key: E Finalize Debit Performs post-debit Approved Command Status Bits None User housekeeping and Service ID, Block:0x204E0008 + - None prepare for the next Success or data to perform a Debit operation by Error ID debit transaction precomputing the ‘r’ signature parameter if necessary Log Permit Logs the permit and the Approved Command Status Bits and None User data capture recovery Service ID, Block:0x204E002B Register Values - None information. Success or Error ID Authenticates the User Approved Command Status Bits with AES 256 User Login Request with the PSD. If the Service ID, Block:0x204E002F + login success or - KEK: E authentication is Success or Login data failure - Password: E successful, the PSD Error ID allows debit operations. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Precompute r for Pre-computes the ‘r’ Approved Command Status bits (Success Hash-DRBG, AES- User Debit signature component Service ID, Block:0x204E0009 or Error ID) 256 - DRBG Working State: E, G for the PSD Key Success or - KEK: E signature (ECDSA). This Error ID message is used for countries whose debit certificate is signed by an ECDSA key. Process Flex Debit Loads a flex debit Approved Command Status bits (Success ECDSA P-256 User Block template into the PSD. Service ID, Block:0x203F00B4 + or Error ID) SigVer - Download Key: E The flex debit template Success or debit template data defines the indicia Error ID content for debit operations. Sign Transaction Generates a signature Approved Command Digital Signature Hash-DRBG, AES User Data on the included hash. Service ID, Block:0x204E0030 + 256, ECDSA P-256 - DRBG Working State: E, G Success or Data to be hashed SigGen - KEK: E Error ID - Operation Key: E Verify Hash Block Validates the included Approved Command Status bits (Success ECDSA P-256 User hash. Service ID, Block:0x203F00B3 + or Error ID) SigVer - Download Key: E Success or data and hash to be Error ID verified Verify Mail Piece Verifies the hash of the Approved Command Status bits (Success HMAC-SHA-256 User Data transaction data for a Service ID, Block:0x204E0031 + or Error ID) - MailPiece Key: E mail piece. Success or Data to be verified Error ID Withdraw Request Instructs the PSD to Approved Command Status bits (Success ECDSA P-256 User initiate a Withdrawal Service ID, Block:0x204E000A or Error ID) SigGen - Operation Key: E operation. Success or Error ID Get Challenge Returns an 8-byte Approved Command Nonce (8 bytes from Hash-DRBG, AES- Unauthenticated nonce (random Service ID, Block:0x204E0003 DRBG) 256 - DRBG Working State: E, G number) from the Success or - KEK: E DRBG. Error ID This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Get Clock Offsets Returns the drift and Approved Command Status bits, + value None Unauthenticated GMT offset values. Service ID, Block:0x204E0020 of offsets - None Success or Error ID Get Flex Debit Returns the loaded flex Approved Command Status bits + Debit None Unauthenticated Template debit template. Service ID, Block:0x204E002E Template - None Success or Error ID Get GMT Time Returns the real time Approved Command Time None Unauthenticated clock value with only Service ID, Block:0x204E001C YYYYMMDDhhmmss - None the drift correction Success or applied. Error ID Get Key List Returns a list of all Approved Command Key List None Unauthenticated active keys stored in Service ID, Block:0x204E0004 - None the PSD. Success or Error ID Get Local Time Returns the real time Approved Command Time None Unauthenticated clock with drift and Service ID, Block:0x204E001E YYYYMMDDhhmmss - None GMT offsets applied. Success or Error ID Get ML Attributes Returns device versions Approved Command DAL Layer versions None Unauthenticated and unique device Service ID, Block:0x204E002D - None serial number. Success or Error ID Get Parameters Returns parameter Approved Command Status bits + None Unauthenticated values stored in the Service ID, Block:0x204E0005 parameter - None PSD. The Host can Success or information request individual Error ID parameter IDs or all the Parameters in the PSD. Get PSD Attributes Returns PSD attribute Approved Command PSD versioning None Unauthenticated data, including Service ID, Block:0x204E0021 information - None firmware and hardware Success or versions. Error ID This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Get PSD Status Returns PSD status Approved Command Status of the PSD None Unauthenticated information that Service ID, Block:0x204E0022 - None includes the module’s Success or mode of operation Error ID indicator. Get PSD Versions Retrieves the versions Approved Command PSD Versioning None Unauthenticated of the hardware, Service ID, Block:0x204E0037 information - None software and Success or (includes HW ID and cryptographic libraries. Error ID FW versions) Get Withdraw Retrieves the Withdraw Approved Command Signed withdrawal None Unauthenticated Certificate Certificate created at Service ID, Block:0x204E0034 certificate - None the successful Success or completion of the Error ID Withdraw process. Perform Diagnostic The User sends this Approved Command Status bits (Success None Unauthenticated Test message to request Service ID, Block:0x204E0026 or Error ID - None that the PSD perform a Success or diagnostic test. Error ID Perform Full The User sends this Approved Command Status bits (Success None Unauthenticated Diagnostics command to request Service ID, Block:0x204E0024 or Error ID - None the PSD perform its Success or diagnostic processing. Error ID Read Log File Returns Log Data stored Approved Command Log data None Unauthenticated in the PSD. Service ID, Block:0x204E0028 - None Success or Error ID Reboot PSD Restarts the PSD Approved Command N/A None Unauthenticated application. The PSD Service ID, Block:0x204E0006 - None will run its power up Success or tests. Error ID Set Clock Sets the real time clock Approved Command Status bits (Success None Unauthenticated in the PSD. The real Service ID, Block:0x204E0002 + or Error ID - None time clock can only be Success or clock data set when the PSD is in Error ID YYYYMMDDhhmmss manufacturing state. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Name Description Indicator Inputs Outputs Security SSP Access Functions Set GMT Offset Sets the GMT offset in Approved Command Time with offset None Unauthenticated the PSD. The GMT Service ID, Block:0x204E001D + - None offset is a combination Success or 4-byte offset of time zone offset and Error ID daylight savings time offset (if applicable).
The non-Approved Mode of the module implements the same roles and services as the Approved Mode of operations, but this mode also allows the use of the algorithms specified in Section 2.10. Table 12 - Non-Approved Services Name Description Algorithms Accessed Role General Postal Services Postal services for countries that utilize non-approved algorithms (e.g. France, DSA, ECDSA, HMAC, CO/User Germany, etc.) KAS, RSA, SHS, TripleDES This document may be freely reproduced and distributed, but only in its entirety and without modification.
There is no complete image replacement process. New firmware may be downloaded by the module for the country-specific postal application. The postal application firmware is signed by PB, with an ECDSA P-256 digital signature. On downloading, the device verifies the firmware digital signature.
The module includes the following firmware components that include separate firmware integrity tests: − Bootloader: RSA 2048 Digital Signature Verification (RSA, Cert. #A2440) − Postal Application Firmware: ECDSA P-256 Digital Signature Verification (ECDSA, Cert. #A2437) The module will transition to its error state upon the failure of either firmware integrity test.
Self-tests may be initiated on demand by power cycling the module (‘Reboot PSD’) or invoking the ‘Perform Diagnostic Test’ or ‘Perform Full Diagnostics’ services.
Type of Operational Environment: Limited How Requirements are Satisfied: The module does not contain a modifiable operational environment. The module’s operational environment is limited. The module includes a firmware load service to support necessary updates. Firmware versions validated through the FIPS 140-3 CMVP will be explicitly identified on a validation certificate. Any firmware not identified in this Security Policy does not constitute the module defined by this Security Policy or covered by this validation. This document may be freely reproduced and distributed, but only in its entirety and without modification.
The device includes automatic tamper detection and response. CSPs are zeroized automatically and immediately upon a tamper event being detected. On detection of a tamper event, the device is to be returned to PB. Table 13: Mechanisms and Actions Required Mechanism Inspection Frequency Inspection Guidance Tamper Evidence During installation, re-installation, Inspect device for obvious damage or other decommissioning, and servicing. evidence of tamper. Tamper Detection Every 30 days The module HW status flag is submitted every 30 days to the PB servers to check for tamper.
The module supports environmental failure protection (EFP) mechanisms for high/low voltage and temperature extremes (refer to Table 14). Table 14: EFP/EFT Information Temp/Voltage Type Temperature or EFP or Result Voltage EFT Low Temperature -65°C EFP Zeroization High Temperature 117°C EFP Zeroization Low Voltage 2.9V EFP Zeroization High Voltage 3.6V EFP Zeroization
The module has been tested at the operational, storage and distribution temperatures listed in Table 15. The module’s epoxy hardness is assured within these ranges. Table 15: Hardness Testing Temperatures Temperature Type Temperature Low Temperature -65°C High Temperature 150°C This document may be freely reproduced and distributed, but only in its entirety and without modification.
The module does not provide protections against non-invasive security methods.
The module supports both volatile and persistent storage of SSPs. Table 16: Storage Areas Storage Area Name Description Persistence Type Battery Backed RAM Register (BBREG) On-chip memory that is zeroized on tamper detection. Static NVRAM On-chip memory that is zeroized on tamper detection. Static SRAM Volatile memory Dynamic FLASH Persistent long-term storage Static
Table 17: SSP Input-Output Methods Name From To Format Distribution Entry SFI or Algorithm Type Type Type Input Outside the NVRAM Encrypted Automated Electronic Key Transport (Encrypted) Module Output NVRAM Outside the Encrypted Automated Electronic Key Transport (Encrypted) Module Input Outside the SRAM Plaintext Automated Electronic KAS (dhEphem C(2e, (Plaintext) Module 0s, FFC DH)) Output SRAM Outside the Plaintext Automated Electronic KAS (dhEphem C(2e, (Plaintext) Module 0s, FFC DH))
The zeroization methods described within Table 18 are supported by the module. Zeroization services explicitly overwrite SSPs with zero values. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Table 18: SSP Zeroization Methods Zeroization Description Rationale Operator Initiation Method Reinitialize PSD Service Forces a zeroization of the KEK (Key Encryption Host device calls the Key) and NVRAM memory components. N.B. This service process is irreversible. Wipe PSD Service Forces a zeroization of the KEK (Key Encryption Host device calls the Key) and NVRAM memory components. N.B. This service process is irreversible. End of session Automatic Firmware programmed zeroization of ephemeral N/A SSPs used in secure session Removal of Physical Forces a zeroization of the KEK (Key Encryption Removal of battery Battery/Tamper Key) and removal of power from battery-backed power or a tamper memory. event Automatically Automatic Immediately after use. N/A This document may be freely reproduced and distributed, but only in its entirety and without modification.
Table 19: SSP Table 1 Name Description Size - Type - Category Generated By Established By Used By Strength KEK (Key Encryption Protect all keys stored 256-bit Symmetric Key - CSP Generated Internally by N/A SSP Encryption Key) internally or in NVM DRBG (during SSP Decryption manufacturing) KEK’ (Backup Key Backup KEK 256-bit Symmetric Key - CSP Generated Internally by N/A SSP Encryption Encryption Key) DRBG (during SSP Decryption manufacturing) KAK (Key Authenticate keys 256-bit Symmetric Key - CSP Generated Internally by N/A SSP Authentication Authentication Key) externally stored in NVM DRBG (during manufacturing) Debit Private Key Digitally sign debit 112-bit or Asymmetric Private Generated Internally by N/A ECDSA Signature records (indicia data) 128-bit Key - CSP DRBG Generation Debit Secret Key Digitally authenticate 256-bit Symmetric Key - CSP Externally N/A Message Authentication debit records (indicia data) Operation Private Key Authenticate to the 128-bit Asymmetric Private Generated Internally by N/A ECDSA Signature communicating Key - CSP DRBG Generation infrastructure Session Authentication Used to authenticate 256-bit Symmetric Key - CSP N/A KAS (dhEphem Message Authentication Key messages sent between C(2e, 0s, FFC DH)) the Host and the PSD Session Privacy Key Encrypt data or wrap 256-bit Symmetric Key - CSP N/A KAS (dhEphem KTS_1 keys transported to C(2e, 0s, FFC DH)) KTS_2 infrastructure ECC-CDH PSD KAS Key Ephemeral ECC-CDH 256-bit Asymmetric Private Generated Internally by N/A KAS private key used in KAS Key - CSP DRBG Shared Secret Used to derive session 256 bits Shared Secret - CSP N/A KAS (dhEphem KAS keys C(2e, 0s, FFC DH)) Entropy Input Instantiate the DRBG 512 bits Entropy - CSP Externally N/A DRBG Generate DRBG Seed Seeding the DRBG 1024 bits Entropy - CSP Generated Internally by N/A DRBG Generate DRBG (during manufacturing) This document may be freely reproduced and distributed, but only in its entirety and without modification.
DRBG Working State Internal working state of N/A N/A - CSP Generated Internally by N/A DRBG Generate the DRBG DRBG Mail Piece Key Authenticate stored mail 256-bit Symmetric Key - CSP Generated Internally by N/A Message Authentication piece data DRBG Password Authenticate User Role 128-bit N/A - CSP Externally N/A SWAK Used to verify loaded 128-bit Asymmetric Public Key Externally N/A ECDSA Signature (Software application code - PSP Verification Authentication Key) Manufacturing Key Validates Vendor 128-bit Asymmetric Public Key Externally N/A ECDSA Signature Certificate - PSP Verification Vendor Key Authenticates CO role 128-bit Asymmetric Public Key Externally N/A ECDSA Signature - PSP Verification Certificate Key Authenticates CO role. 128-bit Asymmetric Public Key Externally N/A ECDSA Signature Validates Authority Data, - PSP Verification including other public keys Download Key Authenticates CO role 128-bit Asymmetric Public Key Externally N/A ECDSA Signature - PSP Verification ECC-CDH Infrastructure ECDH public counterpart 128-bit Asymmetric Public Key Externally N/A KAS KAS Public Key received as part of tKAS - PSP ECC-CDH PSD KAS ECDH public key 128-bit Asymmetric Public Key Generated Internally by N/A KAS Public Key transmitted as part of - PSP DRBG KAS Debit Public Key Output to the CO. Used 112-bit or N/A - PSP Generated Internally by N/A KTS_1, KTS_2 to allow the CO to 128-bit DRBG authenticate the debit records Operation Public Key Output to the CO. Used 128-bit Asymmetric Public Key Generated Internally by N/A KTS_1, KTS_2 to allow the CO to - PSP DRBG authenticate the PSD Table 20: SSP Table 2 Name Input - Storage Storage Duration Zeroization Related SSPs Output KEK (Key Encryption Key) N/A NVRAM: Plaintext N/A Zeroization, Tamper or DRBG Working State: Generated from removal of all power This document may be freely reproduced and distributed, but only in its entirety and without modification.
KEK’ (Backup Key N/A NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from Encryption Key) removal of all power KEK (Key Encryption Key): Encrypted by KAK (Key Authentication N/A NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from Key) removal of all power KEK (Key Encryption Key): Encrypted by Debit Private Key N/A NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from removal of all power Debit Public Key: Paired with KEK (Key Encryption Key): Encrypted by Debit Secret Key Input NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by (Encrypted) removal of all power Operation Private Key N/A NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from removal of all power Operation Public Key: Paired with KEK (Key Encryption Key): Encrypted by Session Authentication Key N/A SRAM: Plaintext For the life of the Zeroization, Tamper or Shared Secret (Z): Derived from Secure Session removal of all power Session Privacy Key N/A SRAM: Plaintext For the life of the Zeroization, Tamper or Shared Secret (Z): Derived from Secure Session removal of all power ECC-CDH PSD KAS Key N/A SRAM: Plaintext Until Use Immediately after use ECC-CDH PSD KAS Public Key: Paired with DRBG Working State: Generated from Shared Secret (Z): Derives Shared Secret (Z) N/A SRAM: Plaintext Until Use Immediately after use Session Authentication Key: Derives Session Privacy Key: Derives ECC-CDH Infrastructure KAS Public Key: Derived From ECC-CDH PSD KAS Key: Derived From Entropy Input N/A SRAM: Plaintext Until Use Immediately after use DRBG Working State: Derives DRBG Seed N/A SRAM: Plaintext Until Use Immediately after use DRBG Working State: Derives DRBG Working State N/A NVRAM: Encrypted N/A Zeroization, Tamper or Entropy Input: Derived from removal of all power KEK (Key Encryption Key): Encrypted by Mail Piece Key N/A NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by removal of all power Password N/A NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by removal of all power SWAK (Software N/A Plaintext N/A N/A N/A Authentication Key) Manufacturing Key N/A NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by removal of all power Vendor Key Input NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by (Encrypted) removal of all power This document may be freely reproduced and distributed, but only in its entirety and without modification.
Certificate Key Input NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by (Encrypted) removal of all power Download Key Input NVRAM: Encrypted N/A Zeroization, Tamper or KEK (Key Encryption Key): Encrypted by (Encrypted) removal of all power ECC-CDH Infrastructure Input SRAM: Plaintext Until Use Zeroization, Tamper or Shared Secret (Z): Derives KAS Public Key (Plaintext) removal of all power ECC-CDH PSD KAS Public Output SRAM: Plaintext Until Use Zeroization, Tamper or ECC-CDH PSD KAS Key: Paired with Key (Plaintext) removal of all power DRBG Working State: Generated from Debit Public Key Output NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from (Encrypted) removal of all power Debit Private Key: Paired With KEK (Key Encryption Key): Encrypted by Operation Public Key Output NVRAM: Encrypted N/A Zeroization, Tamper or DRBG Working State: Generated from (Encrypted) removal of all power Operation Private Key: Paired with KEK (Key Encryption Key): Encrypted by This document may be freely reproduced and distributed, but only in its entirety and without modification.
The following pre-operational tests are performed upon power-up, on-demand and periodically. Prior to the PreOperational firmware integrity self-tests being performed, the module performs the required known answer test (KAT) on the implementation. Table 21: Pre-Operational Self-Tests Algorithm or Test Properties Test Method Test Type Indicator Details Test Firmware RSA 2048 RSA Signature SW/FW Success: No Error RSA 2048 Digital Integrity of (Cert. #A2440) Verification Integrity Code; Failure: Signature Bootloader Error Code Verification Firmware ECDSA P-256 ECDSA SW/FW Success: No Error ECDSA P-256 Digital Integrity of (Cert. #A2437) Signature Integrity Code; Failure: Signature Firmware Verification Error Code Verification The module also includes critical function tests that test the real time clock (RTC) and BRAM.
The following conditional tests are performed upon power-up, on-demand and periodically. Table 22: Conditional Self-Tests Algorithm or Test Test Method Test Type Indicator Details Conditions Test Properties AES-ECB 256-bit KAT CAST Success: No Encrypt and Decrypt Power-up, (Cert. #A2435) Error Code; KATs Periodically & Failure: on-demand Error Code AES-KW 256-bit KAT CAST Success: No Encrypt and Decrypt Power-up, (Cert. #A2435) Error Code; KATs Periodically & Failure: on-demand Error Code ECDSA P-256 KAT CAST Success: No Signature Power-up, (Cert. #A2437) Error Code; Generation and Periodically & Failure: Verification KATs on-demand Error Code Hash DRBG N/A KAT CAST Success: No Instantiate and Power-up, (Cert. #A2436) Error Code; Generate KAT Periodically & Failure: on-demand Error Code This document may be freely reproduced and distributed, but only in its entirety and without modification.
Algorithm or Test Test Method Test Type Indicator Details Conditions Test Properties HMAC 256-bit KAT CAST Success: No HMAC-SHA-256 KAT Power-up, (Cert. #A2438) Error Code; Periodically & Failure: on-demand Error Code KAS-ECC-SSC P-256 KAT CAST Success: No KAS-ECC Shared Power-up, SP800-56Ar3 Error Code; Secret Computation Periodically & (Cert. #A2439) Failure: KAT per IG D. F on-demand Error Code KDA OneStep 256-bit KAT CAST Success: No KDA KAT Power-up, SP800-56Cr1 Error Code; Periodically & (Cert. #A2439) Failure: on-demand Error Code RSA 2048-bit KAT CAST Success: No Signature Power-up, (Cert. #A2440) Error Code; Verification KAT Periodically & Failure: on-demand Error Code Firmware Load ECDSA P- Digital SW/FW Success: No Firmware load test During Test 256 Signature Load Error Code; occurs during 'Load Firmware Verification Failure: Parameters Updates Error Code Software Update' service Public Key P-256 N/A Critical Success: No Occurs during KAS During key Validation Function Error Code; upon receipt of the agreement Failure: connected host Error Code application public key ECC Pairwise P-256 PCT PCT Success: No Pairwise consistency During key Consistency Error Code; test agreement Test Failure: Error Code ECDSA Key P-256 PCT PCT Success: No Pairwise consistency After key pair Generation Error Code; test generation Failure: Error Code This document may be freely reproduced and distributed, but only in its entirety and without modification.
The pre-operational and conditional algorithm self-tests are also automatically run on a periodic basis every 24 hrs. Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method Firmware Integrity of RSA Signature SW/FW Integrity Every Power- Automatic Bootloader Verification On invocation of selftest service Firmware Integrity of Firmware ECDSA SW/FW Integrity Every Power- Automatic Signature On invocation of selfVerification test service Table 24: Conditional Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB KAT CAST 24 hours Automatic invocation of self(Cert. #A2435) test service AES-KW KAT CAST 24 hours Automatic invocation of self(Cert. #A2435) test service ECDSA KAT CAST 24 hours Automatic invocation of self(Cert. #A2437) test service Hash DRBG KAT CAST 24 hours Automatic invocation of self(Cert. #A2436) test service HMAC KAT CAST 24 hours Automatic invocation of self(Cert. #A2438) test service KAS-ECC-SSC KAT CAST 24 hours Automatic invocation of selfNIST SP 800-56Ar3 test service (Cert. #A2439) KDA OneStep KAT CAST 24 hours Automatic invocation of selfNIST SP 800-56Cr1 test service (Cert. #A2439) RSA KAT CAST 24 hours Automatic invocation of self(Cert. #A2440) test service This document may be freely reproduced and distributed, but only in its entirety and without modification.
ERROR STATES The module incorporates a single error state (refer to Table 25). Table 25: Error States Name Description Conditions Recovery Indicator Method Tampered Occurs in the event of a physical tamper event Tamper Event None Error Code e.g. removal of battery power, physical breach. Hard Error An error condition that is not recoverable. Self-Test Failure None Error Code Soft Error Non-critical, recoverable errors that allow the Non-Critical Automated or Error Code module to transition back to operation. Error Power-Cycle Occurrences
Self-tests may be triggered by the user on demand by power cycling the module (‘Reboot PSD’) or invoking the ‘Perform Diagnostic Test’ or ‘Perform Full Diagnostics’ services, which allows either individual or all tests to be run.
There are no specific maintenance requirements.
The module is initialized within PB manufacturing and installed into a PB manufactured PES. The PES is authorized and shipped to an end customer.
The device will only be provided to or retrieved from PB customers as part of a postage evidencing system. Administration guidance, in the form of API definitions, exists for PB engineers involved in the development of PES equipment.
The device will only be provided to customers as part of a postage meter. Any user guidance will be provided as part of that equipment.
The following security rules are enforced by the cryptographic module to ensure the FIPS 140-3 security requirements are met. This document may be freely reproduced and distributed, but only in its entirety and without modification.
Once a module is no longer needed by a customer, they will walk through a process called withdrawal and return the PSD to PB where an operator will perform the “re-initialize” operation, zeroizing the KEK. Once a module has been zeroized, it must be returned to the factory for software loading and parameterizing prior to being usable by a customer.
The module is not purposefully designed to mitigate any attacks beyond the scope of FIPS 140-3 requirements. This document may be freely reproduced and distributed, but only in its entirety and without modification.