| Standard | FIPS 140-3 |
|---|---|
| Overall level | 3 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 3/24/2027 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Utimaco Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | AES 4600 |
| AES-CCM | A2606 |
| Conditioning Component Block Cipher Derivation Function SP800-90B | A2606 |
| Counter DRBG | A2606 |
| ECDSA SigVer (FIPS186-4) | A2606 |
| RSA SigVer (FIPS186-4) | A2606 |
| SHA2-512 | SHS 3776 |
flowchart LR
%% Deterministic review-risk graph for Atalla Cryptographic Subsystem (ACS)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Firmware Load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Unauthenticated<br/>Self-test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Atalla Cryptographic Subsystem (ACS)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Firmware Load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Unauthenticated<br/>Self-test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Atalla Cryptographic Subsystem (ACS) Hardware Version: C9B60-2108A, C9B60-2108B and C9B60-2108C, C9B60-2108D, C9B60-2108E Firmware Version: Loader Version 1.24; PSMCU Version 1.0.1 or 1.0.3; CMS-OCT Version 0.95,1.0.0, or 1.0.3; CMS-NTX Version 1.0.0; Loader Stage 1 Version 1.10; Loader Stage 2 Version 1.20; Boot Version 1.23 FIPS 140-3 Document Version 1.78 May 13, 2025 © 2025 Utimaco Inc This document may be freely reproduced in its original entirety. i
Atalla Cryptographic Subsystem Contents © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. ii
Introduction The Atalla Cryptographic Subsystem (ACS), hereafter referred as ACS, is a secure cryptographic coprocessor designed for use in a variety of high security applications. This document specifies the ACS security rules, including the services offered by the cryptographic module, the roles supported, and all keys and CSPs employed by the module. The ACS module is designed to comply with FIPS 140-3 Level 3 Security requirements. Related Documents [1] “Security Requirements for Cryptographic Modules,” FIPS PUB 140-3, Information Technology Laboratory, National Institute of Standards and Technology. March 22, 2019. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf [2] "Secure Hash Standard," FIPS Pub 180-4, Aug 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf [3] “Advanced Encryption Standard (AES)”, FIPS PUB 197, Nov 26 2001. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf [4] “Digital Signature Standard (DSS)”, FIPS PUB 186-4, July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf [5] “Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality,” Morris Dworkin, NIST Special Publication 800-38C, July 2007 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf [6] “Recommendation for Random Number Generation Using Deterministic Random Bit Generators”, Elaine Barker and John Kelsey, NIST Special Publication 800-90A, June 2015.http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf [7] “Recommendation for Block Cipher Modes of Operation: Methods and Techniques.”Dworkin, Morris, NIST Special Publication 800-38A, December 2001. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf [8] “Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping.” Dworkin, Morris, NIST Special Publication 800-38F, December 2012. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf [9] “Recommendation for Cryptographic Key Generation.” Elaine Barker, Allen Roginsky, and Richard Davis, NIST Special Publication 800-133 Revision 2, June 2020. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf [10] "Recommendation for Random Bit Generator (RBG) Constructions.” Elaine Barker, John Kelsey, Kerry McKay, Allen Roginsky, and Meltem Sönmez Turan, NIST SP 800-90C 3pd, September 2022. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90C.3pd.pdf [11] “Recommendation for the Entropy Sources Used for Random Bit Generation.” Meltem Sönmez Turan (NIST), Elaine Barker (NIST), John Kelsey (NIST), Kerry McKay (NIST), Mary Baish (NSA), Michael Boyle (NSA), NIST Special Bulletin 800-90B, January 2018. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf © 2025 Utimaco Inc This document may be freely reproduced in its original entirety. 3
Atalla Cryptographic Subsystem Glossary Term Definition ACS Atalla Cryptographic Subsystem, also called Icarus Adapter AES Advanced Encryption Standard symmetric encryption algorithm that uses a 128-bit block and a key size of 128,
CBC Cipher Block Chaining
Atalla Cryptographic Subsystem Term Definition EC or ECC Elliptic Curve Cryptography algorithm
Atalla Cryptographic Subsystem Product Overview 1. General The ACS module is designed to comply with FIPS 140-3 overall Level 3 Security requirements.
ISO/IEC 24759 Section 6 FIPS 140-3 Section Title Security Level [Number Below]
Table 2 Security Level 2. Cryptographic Module Specification The ACS is a multi-chip embedded cryptographic module. It consists of a secure hardware platform, a firmware secure loader, and three separate microcontrollers, collectively called the Physical Security Monitoring Control Unit (or PSMCU) The purpose of the cryptographic module is to load Approved (RSA and ECDSA signed) application programs, called “personalities,” in a secure manner. The module is in an Approved mode of operation until a personality is loaded and started, at which point the module enters a non-compliant state. Verification that the module is in Approved mode can be observed by running the “getstatus” and “version” commands. This security policy addresses only the hardware and the firmware secure loader; the personality is not included in the current FIPS validation. But, the PCI-HSM version of the personality, as well as the Loader are included in the PCI-HSM validation. This approach creates a common secure platform with the ability to load trusted code (the personality). Once control passes from the loader to a personality, the module enters a non-compliant state. Note that the PSMCU is always running and no personality, no matter what its FIPS 140-3 validation level, will have access to the module’s secret keys and CSPs. © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 6
Atalla Cryptographic Subsystem The cryptographic boundary of the ACS for the FIPS 140-3 Level 3 validation is the outer perimeter of the secure metal enclosure that encompasses all critical security components. Model Hardware (Part Firmware Version Distinguishing Features Number & Version) ACS C9B60-2108A Loader: 1.24 PSMCU: 1.0.1 CMS-OCT: 1.0.0 CMS-NTX: 1.0.0 N/A Loader Stage 1: 1.10 Loader Stage 2: 1.20 Boot: 1.23 ACS C9B60-2108B Loader: 1.24 PSMCU: 1.0.1 CMS-OCT: 1.0.0 CMS-NTX: N/A N/A Loader Stage 1: 1.10 Loader Stage 2: 1.20 Boot: 1.23 ACS C9B60-2108C Loader: 1.24 PSMCU: 1.0.1, 1.0.3 CMS-OCT: 1.0.0, 1.0.3 CMS-NTX: N/A N/A Loader Stage 1: 1.10 Loader Stage 2: 1.20 Boot: 1.23 ACS C9B60-2108D Loader: 1.24 PSMCU: 1.0.3 CMS-OCT: 1.0.3 CMS-NTX: N/A N/A Loader Stage 1: 1.10 Loader Stage 2: 1.20 Boot: 1.23 ACS C9B60-2108E Loader: 1.24 PSMCU: 1.0.3 CMS-OCT: 1.0.3 CMS-NTX: N/A N/A Loader Stage 1: 1.10 Loader Stage 2: 1.20 Boot: 1.23 Table 3 Cryptographic Module Tested Configuration The hardware features of the ACS include:
Atalla Cryptographic Subsystem
Atalla Cryptographic Subsystem Vendor CKG Section 6.1 Cryptographic Key Symmetric Key Affirmed [SP 800- Generation; SP 800- Generation 133rev2] 133rev2 and IG. D.H. Table 4 Approved Algorithms Note: The module does not implement any non-approved algorithms allowed in the approved mode of operation, non-approved algorithms allowed in the approved mode of operation with no security claimed or non-approved algorithms not allowed in the approved mode of operation.
The cryptographic boundary of the module is the outer perimeter of the secure metal enclosure that encompasses all critical security components. The red line around the outer metallic enclosure, as shown in Figure below, represents the cryptographic boundary. Note: There is no visibly discernable difference between hardware versions other than the part number. Figure 1: Front and back side of the Atalla Cryptographic Subsystem © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 9
Atalla Cryptographic Subsystem 3. Cryptographic Module Interfaces
There are four physical data paths into and out of the ACS.
Atalla Cryptographic Subsystem Left Right NIC RJ45 Connector NIC
Figure 2 Status LED Layout Group LED # Description Normal State NIC NIC Not currently used Off Octeon 1 LED_SYSTEM_READY
Green) 6/7 LED_SECURE/TAMPER
13/14 BATTERY_LIFE Solid Green (Good = Green, Replace = Red/Green, Critical = Red, Expired = Flashing Red) 15/16 CPU_BUSY (0% = Solid Green, 100% = Flashing Red) Solid Green PSMCU 15/16 PSMCU General/Loader Status
CMS- 1 DDR0_2V5_STATUS
CMS- 1 NTX_CLOCK_STATUS On NTX
Table 5 Status LED Meanings © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 13
Atalla Cryptographic Subsystem
Primary main system power is derived from the 3.3V pins on the PCIe connector. The supplies derived from the 3.3V pins are
Atalla Cryptographic Subsystem
An unauthenticated role has access to services as specified in Table 9. These services fall under Exception “e” (show status, show version, and self-tests) or Additional Comment 5 (zeroization) from FIPS 140-3 IG 4.1.A.
A Crypto Officer is responsible for the overall security of the module. Only an operator in the Crypto Officer role can load a personality into the ACS.
A User can perform a limited number of the services available on the module as indicated in the following section.
Role Service Input Output Crypto Officer Firmware Load prepdnld and “ok” upon success “fail” upon failure writeimage Unauthenticated Status GetStatus Status information Information Unauthenticated Version Version Version numbers of loader, boot, psmcu, cms-oct, cms-ntx (if applicable) Unauthenticated Help Help List of available commands Unauthenticated Get Time Gettime Time in yymmddhhmmss and “ok” upon success Unauthenticated Get Serial Getsn Serial number and “ok” upon success Number Unauthenticated Echo Test Echo along with Testing text is returned upon success testing text © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 15
Atalla Cryptographic Subsystem Unauthenticated RSA Signature Test_sig_rsa “ok” upon success, “fail” upon test Test failure Unauthenticated ECDSA Test_sig_ecdsa “ok” upon success, “fail” upon test Signature Test failure Unauthenticated SHA Test Test_sha “ok” upon success, “fail” upon test failure Unauthenticated AES Test Test_aes “ok” upon success, “fail” upon test failure Unauthenticated RBG Test Test_rng “ok” upon success, “fail” upon test failure Unauthenticated DRBG Test Test_drbg “ok” upon success, “fail” upon test failure Unauthenticated Entropy Test Test_entropy “ok” upon success, “fail” upon test failure Unauthenticated CCM Test Test_ccm “ok” upon success, “fail” upon test failure Unauthenticated CRC Test Test_crc “ok” upon success, “fail” upon test failure Crypto Officer Personality prepdnld and “ok” upon success, “fail” upon failure Load writeimage Unauthenticated Zeroize N/A ALARM or TAMPER state User Start “go”, “go-pci”, “go- “ok” when personality is valid and ready Personality fips” to start “go” Table 7 Roles, Service Commands, Input and Output
The ACS supports identity-based authentication of operators. The operator’s identity is represented by public key stored on behalf of the respective operator. Signing with the corresponding private key authenticates the operator. Note that the module is only able to store four operator identities
A Crypto Officer is required to be properly authenticated and its authentication mechanism is controlled by the PSK (private key) and PECSK (private key), which are used to sign personality images, and the LSK (private key) and LECSK (private key) (not SSP’s), which are used to sign the Loader firmware. A CO uses his knowledge of the PSK (private key) and PECSK (private key) to create signed personality images for download to the unit. Similarly, the CO uses his knowledge of the LSK (private © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 16
Atalla Cryptographic Subsystem key) and LECSK (private key) to create signed loader images. A 4096-bit RSA key and a P-521 ECDSA private key shall be used for the authentication process.
A User is required to be properly authenticated and his authentication mechanism is controlled by the GSK (private key), which is used to sign the ‘go’ command for each of the three personality types. A User uses his knowledge of the GSK (private key) to sign either the ‘go’ command, the ‘go-pci’ command, or the ‘go-fips” command which allows the Loader to exit and start a personality of the same designated type. The User’s authentication key is a 2048-bit RSA key. Role Authentication Authentication Strength Method Crypto Single-Factor 256 bits; Officer Cryptographic (RSA) Authentication is performed using RSA 4096 /w SHA-512 Device signatures (provides 152 bits of strength). The probability that a Authenticators random attempt will succeed, or a false acceptance will occur, is approximately 1 in 2^152, which is less than 1 in 1,000,000. The command authentication takes approximately 1 second to complete. Therefore a maximum of 60 authentication attempts can be made per minute. Based on this maximum rate, the probability that a random attempt will succeed in a one-minute period is approximately 60 in 2^152, which is less than 1 in 100,000. (ECDSA) Authentication is performed using ECDSA P-521 /w SHA-
a random attempt will succeed, or a false acceptance will occur, is approximately 1 in 2^256, which is less than 1 in 1,000,000. The command authentication takes approximately 1 second to complete. Therefore a maximum of 60 authentication attempts can be made per minute. Based on this maximum rate, the probability that a random attempt will succeed in a one-minute period is approximately 60 in 2^256, which is less than 1 in 100,000. User Single-Factor 112 bits; Cryptographic Authentication is performed using RSA 2048 /w SHA-512 signatures Device (provides 112 bits of strength). The probability that a random Authenticators attempt will succeed, or a false acceptance will occur, is approximately 1 in 2^112, which is less than 1 in 1,000,000. The command authentication takes approximately 1 second to complete. Therefore a maximum of 60 authentication attempts can be made per minute. Based on this maximum rate, the probability that a random attempt will succeed in a one-minute period is approximately 60 in 2^112, which is less than 1 in 100,000. Table 8 Roles and Authentication © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 17
The following table specifies the module’s approved services. For Access rights to Keys and/or SSPs the following legend applies: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Service Description Approve Keys and/or Roles Access Indicator d SSPs rights Security to Function Keys s and/o r SSPs Firmware Firmware Load AES- IMFK, PSK, Crypto Officer E, E, E, The Load service is to CCM, PECSK, FFK GWE successful update the Loader AES-CBC, completio firmware. Two RSA n of a commands are SigVer, service is required to ECDSA an implicit perform this SigVer, indicator service: prepdnld KTS for the use and writeimage. of an The former approved prepares the service module to receive an image download and the latter is used to load the firmware to the module. New firmware versions within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 18
Atalla Cryptographic Subsystem out of the scope of this validation and requires a separate FIPS 140-
service is authenticated as described below Status Limited status N/A N/A Unauthenticate N/A The Informatio information shall d successful n always be completio available. This n of a command is used service is to read and an implicit display the status indicator of the module. for the use The status of an includes tamper approved information, service personality application load status, mode of operation (Approved vs. non-compliant state), etc. Approved vs. noncompliant state of operation is indicated by the combination of status, software version information, and hardware serial number given in the output of the command. The status output is broken into three parts: basic status, which customers can use for simple problem © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 19
Atalla Cryptographic Subsystem diagnosis; extended status, which is used by Atalla for problem analysis; and event status, which is a dateand-time stamped record of all events which have taken place with the ACS, also for use by Atalla for problem analysis. There is an optional parameter for basic getstatus service to display the other status information. None of the status information can compromise the security of the module in any way. Note, this corresponds to the “Show Status” mandatory service. Version The version N/A N/A Unauthenticate N/A The command is used d successful to retrieve the completio loader name, n of a product type, service is software version, an implicit and build date indicator and time. for the use Note, this of an corresponds to approved the “Show service module’s versioning © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 20
Atalla Cryptographic Subsystem information” mandatory service. Help The help N/A N/A Unauthenticate N/A The command simply d successful returns a list of completio the available n of a commands. Help service is is context an implicit sensitive; i.e., it indicator shows only the for the use commands valid of an at the current approved time, so the service responses are different in normal, error, and tamper states. It does not provide any syntax help. Get Time This command is N/A N/A Unauthenticate N/A The used to read the d successful contents of the completio real time clock. n of a The date and time service is are a 12-character an implicit formatted ASCII indicator string with the for the use format: of an YYMMDDHHMMS approved S (year-month- service day-hour-minutesecond). Get Serial This command N/A N/A Unauthenticate N/A The Number reads the value of d successful the serial number completio field stored in the n of a EEROM. If the service is serial number has an implicit not been set, an indicator error is returned. for the use The serial number of an © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 21
Atalla Cryptographic Subsystem is at most a 15- approved character ASCII service string. Echo Test The echo N/A N/A Unauthenticate N/A The command is used d successful to test the I/O completio connection to the n of a Loader. service is an implicit indicator for the use of an approved service RSA This command RSA N/A Unauthenticate N/A The Signature performs a SigVer d successful Test known-answer completio test of the RSA n of a 4096-bit modulus service is signature an implicit computation indicator algorithm using for the use test vectors of an published on NIST approved CAVP website. service ECDSA This command ECDSA N/A Unauthenticate N/A The Signature performs a SigVer d successful Test known-answer completio test of the ECDSA n of a P-521 curve service is signature an implicit computation indicator algorithm using for the use test vectors of an published on NIST approved CAVP website. service SHA Test This command SHA2- N/A Unauthenticate N/A The does a test of the 512 d successful SHA-512 completio cryptographic n of a engine using the service is © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 22
Atalla Cryptographic Subsystem test vectors an implicit contained in [2]. indicator for the use of an approved service AES Test This command AES-CBC N/A Unauthenticate N/A The does a test of the d successful AES cryptographic completio engine using the n of a test vectors service is contained in [3]. an implicit indicator for the use of an approved service RBG Test This command N/A N/A Unauthenticate N/A The does a known- d successful answer test of the completio SP800-90C RBG n of a draft construction. service is an implicit indicator for the use of an approved service DRBG Test This command Counter N/A Unauthenticate N/A The does a known- DRBG d successful answer test of the completio SP800-90Arev1 n of a DRBG using service is known answer an implicit test values indicator contained in [6]. for the use of an approved service Entropy This command ENT (P) N/A Unauthenticate N/A The Test does a self-test of d successful the SP800-90B completio Entropy Source n of a generating 4096 service is © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 23
Atalla Cryptographic Subsystem entropy samples an implicit with continuous indicator health-tests for the use enabled. of an approved service CCM Test This command AES-CCM N/A Unauthenticate N/A The does a test of the d successful CCM mode of completio operation of the n of a AES algorithm service is using test vectors an implicit published on NIST indicator CAVP website. for the use of an approved service CRC Test This command N/A N/A Unauthenticate N/A The does a test of the d successful CRC-32 cyclical completio redundancy check n of a algorithm using service is known answer an implicit test. indicator for the use of an approved service Personality Personality Load AES- IMFK, PSK, Crypto Officer E, E, E, The Load service is to CCM, PECSK, PDEK, E, EZ, successful download AES-CBC, IDFK, FFK, GWE, completio personalities. RSA DRBG Seed, GWE, n of a Personality load SigVer, DRBG Key, GWE, service is instructions, when ECDSA DRBG V, GWE, an implicit successful, result SigVer, Entropy GWE indicator in updating the CKG, input string for the use flash memory. Counter of an This service is DRBG, approved authenticated as KTS service described below. Zeroize The zeroize N/A ALL Unauthenticate Z The service is not a d successful command. It completio © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 24
Atalla Cryptographic Subsystem occurs n of a automatically service is following any an implicit tamper event. A indicator user can choose for the use to invoke this of an service by the approved physical removal service of the batteries. This results in the battery low event, which zeroizes non-volatile RAM, and forces the unit into the ALARM state. The time required for the PSMCU to perform the zeroization is less than 500 microseconds from the time of detection. The first half of this time, less than microseconds, is used for the primary CSP erasure, while the second half is used for extended CSP erasure. Note, this corresponds to the “Perform zeroization” mandatory service. Start The start AES- IMFK, GSK, User E, E, E, The Personality personality CCM, PSK, PECSK, E, E successful “go” service passes AES-CBC, FFK completio control from the RSA n of a loader to the service is © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 25
Atalla Cryptographic Subsystem personality in one SigVer, an implicit of 3 different KTS indicator types (A PCI-HSM for the use validated of an personality mode, approved a FIPS validated service personality mode, and a mode for personalities that have not been PCI-HSM or FIPS validated). This service must be authenticated by an operator in the User role by verifying a signature of the “go” command for the specified personality type (i.e. go, go-pci, or go-fips), which must also match the type of the personality stored in flash. If the PSMCU active “type” value has not been selected (i.e. type = “General”), any of the 3 personality types can be loaded. If the PSMCU active “type” value has already been selected (i.e. type != “General”) by a previous personality load, then only that same type of personality can be © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 26
Atalla Cryptographic Subsystem loaded, without resetting the PSMCU “type” value. Once the PSMCU “type” value has been selected and the personality has been enrolled in an association, it will require the personality to be reset to factory state and then be server powercycled or rebooted. If the personality is loaded and not enrolled into an association yet, it will automatically reset the “type” to “General” on the next power cycle or reboot. Table 9 Approved Services Note: The services that correspond to the “Perform self-tests” mandatory service include RSA Signature Test, ECDSA Signature Test, SHA Test, AES Test, RBG Test, DRBG Test, Entropy Test, CCM Test, and CRC Test. The self-tests can also be invoked on-demand by power cycling the module. Note: All services that specify an approved security function correspond to the “Perform approved security functions” mandatory service. The module does not support any Non-Approved services. 5. Software/Firmware Security The integrity of the module’s executable firmware is verified using CRC-32 (EDC), a 64-bit EDC, and approved integrity techniques for the following firmware components:
Atalla Cryptographic Subsystem • RSA SigVer (FIPS 186-4) (Cert. #A2606) using 4096-bit modulus with PKCS #1.5 padding and SHA2-512, ECDSA SigVer (FIPS 186-4) (Cert. #A2606) using P-521 and SHA2-512 – Loader The firmware integrity tests can be invoked on-demand by power-cycling the module. The required CASTs are executed for the RSA and ECDSA approved integrity techniques prior to the execution of the firmware integrity test. Please refer to Section 2.10 of this document for more information.
Atalla Cryptographic Subsystem service by physical removal of the batteries. Alarm These automatically occur following Alarm state will be entered automatically, a tamper attempt, or failure of and the unit will become non-operational critical function or self-tests Table 10 Physical Security Inspection Guidelines In addition to physical penetration monitoring, the module supports Environment Failure Protection (EFP)1 for the following parameters. Temperature or Specify EFP or EFT Specify if this condition Voltage Measurement results in a shutdown or zeroization Low Temperature +5℃ EFP Shutdown (reset) Low Temperature -20℃ EFP Zeroization (tamper) High Temperature +63℃ EFP Shutdown (reset) High Temperature +100℃ EFP Zeroization (tamper) Low Voltage (on host 12V= <9.6V EFP Shutdown power) 3V= <2.5V High Voltage (on host 12V= >14.4V EFP Shutdown power) 3V= >4.13V Low Voltage (NOT on Battery voltage = <8V EFP Zeroization host power) Table 11 EFP/EFT The following table specifies the temperature range that the hardness of the module’s enclosure was tested at. Hardness tested temperature measurement Low Temperature -20 ℃ High Temperature +100 ℃ Table 12 Hardness Testing Temperature Ranges
For FIPS 140-3 validation the EFP/EFT functionality was tested in order to meet the Security Level 3 requirements. © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 29
Atalla Cryptographic Subsystem Events are signals that are generated by hardware circuits that monitor the physical environment. There are no actions required by the operator to enable the monitoring of the physical environment. There is no method for the operator to disable the monitoring of the physical environment. When events have occurred, the unit becomes non-operational either by going into the permanent ALARM state or the temporary RESET state. The detected events are:
PDEK using complet personality AES-CCM e or application © 2025 Utimaco Inc This document may be freely reproduced in its original entirety. 31
Atalla Cryptographic Subsystem interrupt ed FFK 256 AES- CKG N/A N/A Flash Zeroized Used in CBC (CSP) bits CBC (Vendor ROM, when mode to Cert Affirmed encrypt the IMFK decrypt the #AES ) ed is personality
Entro 322 Counte ENT (P) N/A N/A Volatile Zeroized Entropy py bits r DRBG Memor with any Input Cert. y, loss of String #A2606 plaintex power (CSP) ; t CKG (Vendo r Affirme d DRBG 322 Counte ENT (P) N/A N/A Volatile Zeroized Entropy Seed bits r DRBG Memor with any Input, (CSP) Cert. y, loss of Nonce, #A2606 plaintex power Personalizat ; t ion String CKG (Vendo r Affirme d) DRBG 256 Counte Generat N/A N/A Volatile Zeroized DRBG Key bits r DRBG ed per Memor actively Internal (CSP) Cert. SP 800- y, by State #A2606 90Arev1 plaintex tamper ; t event, CKG passively (Vendo by r battery Affirme failure, d) or by any power failure DRBG 128 Counte Generat N/A N/A Volatile Zeroized DRBG V bits r DRBG ed per Memor actively Internal (CSP) Cert. SP 800- y, by State #A2606 90Arev1 plaintex tamper ; t event, © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 32
Atalla Cryptographic Subsystem CKG passively (Vendo by r battery Affirme failure, d) or by any power failure GSK 112 RSA Factory N/A KTS (AES- Stored Zeroized Signature (PSP) bits SigVer pre- CCM Cert. Encrypt when verification Cert. loading #A2606) as ed by the IMFK public key #A2606 of a key part of the is for Go Loader IMFK zeroized Command image. PSK 152 RSA Factory N/A N/A Stored Zeroized Used for (PSP) bits SigVer pre- Encrypt when image Cert. loading ed by the IMFK validation #A2606 of a key the is for the IMFK zeroized personality application. Note, this is not an SSP. PECSK 256 ECDSA Factory N/A N/A Stored Zeroized Used for (PSP) bits SigVer pre- Encrypt when image Cert. loading ed the IMFK validation #A2606 of a key under is for the the zeroized personality IMFK application. Note, this is not an SSP. Table 13 SSPs The following table specifies the module’s only entropy source, which is internal to the module’s cryptographic boundary. Entropy Minimum Details Sources Number of Bits of Entropy SP800-90B 322-bits The DRBG requests 1024-bits of output from the entropy source. The Entropy entropy source provides 0.31515540348 bits of entropy per bit of Source output from the vetted Conditioning Component Block Cipher Derivation Function SP 800-90B (A2606). Therefore the DRBG is seeded with at least 322 bits of entropy before generating keys. Table 14 Non-Deterministic Random Number Generation Specification © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 33
Atalla Cryptographic Subsystem 10.Self-Tests The following self-tests are performed automatically by the module without requiring operator intervention.
Atalla Cryptographic Subsystem c. Conditional critical functions test: i. “go” command personality start validation: The “go” command is authenticated using a 2048-bit signature. Following this, the personality integrity is validated with CRC-32, then decrypted using AES-256, then validated again by verifying its signatures (RSA 4096-bit modulus and ECDSA P-521 curve both with SHA-512), prior to passing control to it. Failure of any of the above tests results in an error state. Recovery from the error state requires power cycling. When an error state occurs, cryptographic operations (like “go”, personality load, etc.) are disabled until the error state has been rectified. Since the module is only powered-on for short periods of time (30-60 seconds to start a personality, 3-
4 minutes to update flash) self-tests are periodically performed by nature of the design (i.e. power-on
self-tests, conditional self-tests, and signature tests on every start of the card). The only time the loader remains active for more than a couple minutes is if the ACS card has tampered or entered test state, in which case it is prevented from doing any cryptographic or security-related operations, permanently, so there is no need for periodic self-tests, in this case. In addition to the automatic self-tests, the module supports cryptographic algorithm self-test services (<algorithm> Test). These services allow the user to request on-demand invocation of any specific test. Additionally, the user can invoke all of the self-tests on demand by power-cycling the module. 11.Life-cycle Assurance The module is always in an Approved mode of operation until a personality is loaded and started, at which point the module enters a non-compliant state. The ACS loads and generates its initial keys randomly in manufacturing in the factory, during the process of entering into secure state. Once secure state has been entered, the physical security monitoring of external penetration, and voltage/thermal operating conditions are continuously maintained by the PSMCU, which is battery and system powered. The monitoring is maintained for the entire ACS life cycle. During normal operational use of the cryptographic operations, any failed startup test or self-test will enter a state that does not allow any cryptographic operations to be completed without cycling the power to the ACS. If an event is detected that results in the ACS security boundary being compromised, all keys are erased immediately and the ACS enters Tampered State, which renders the device cryptographic operations unusable, ending the ACS life cycle. There is no means to recover from this state, without irreversible damage. HSM lifecycle is documented and located within the HSM security directory and available upon request. 12.Mitigation of Other Attacks The module does not implement any additional attack mitigation techniques. © 2025 Utimaco Inc. This document may be freely reproduced in its original entirety. 35