| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 11/30/2030 |
| Caveat | When operated in approved mode |
| Vendor | Christie Digital Systems Canada Inc. |
| Algorithm | ACVP Cert |
|---|---|
| RSA SigVer (FIPS186- 4) | C838 |
| SHA-1 | A4665 |
| SHA2-256 | A4665 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Non-Invasive Security | N/A |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for Christie IMB-S4 4K Integrated Media Block (IMB)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Digital Signature<br/>Secure Hash<br/>Upgrade</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Get Module Information<br/>Get Status<br/>Perform Self-test (power cycle)</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Ingest USB</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>no library/version identified</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C4,C5 clue;
class I2,I3,I4,I5 infer;
class R2,R3,R4,R5 risk;
class E2,E3,E4,E5 evidence;flowchart LR
%% Deterministic clue tier for Christie IMB-S4 4K Integrated Media Block (IMB)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Digital Signature<br/>Secure Hash<br/>Upgrade</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Get Module Information<br/>Get Status<br/>Perform Self-test (power cycle)</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Ingest USB</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>no library/version identified</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C4 clueHigh;
class C5 clueLow;Christie Digital Systems Canada Inc. Christie IMB-S4 4K Integrated Media Block (IMB)
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 2 | Cryptographic Module Specification | 5 |
| 2.1 | Description | 5 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 8 |
| 2.3 | Excluded Components | 9 |
| 2.4 | Modes of Operation | 9 |
| 2.5 | Algorithms | 10 |
| 2.6 | Security Function Implementations | 11 |
| 2.7 | Algorithm Specific Information | 11 |
| 2.8 | RBG and Entropy | 11 |
| 2.9 | Key Generation | 11 |
| 2.10 | Key Establishment | 11 |
| 2.11 | Industry Protocols | 11 |
| 3 | Cryptographic Module Interfaces | 11 |
| 3.1 | Ports and Interfaces | 12 |
| 4 | Roles, Services, and Authentication | 12 |
| 4.1 | Authentication Methods | 12 |
| 4.2 | Roles | 13 |
| 4.3 | Approved Services | 13 |
| 4.4 | Non-Approved Services | 14 |
| 4.5 | External Software/Firmware Loaded | 23 |
| 5 | Software/Firmware Security | 23 |
| 5.1 | Integrity Techniques | 23 |
| 5.2 | Initiate on Demand | 24 |
| 6 | Operational Environment | 24 |
| 6.1 | Operational Environment Type and Requirements | 24 |
| 7 | Physical Security | 24 |
| 7.1 | Mechanisms and Actions Required | 24 |
| 8 | Non-Invasive Security | 25 |
| 9 | Sensitive Security Parameters Management | 25 |
| 9.1 | Storage Areas | 25 |
| 9.2 | SSP Input-Output Methods | 25 |
| 9.3 | SSP Zeroization Methods | 25 |
| 9.4 | SSPs | 26 |
| 10 | Self-Tests | 27 |
| 10.1 | Pre-Operational Self-Tests | 27 |
| 10.2 | Conditional Self-Tests | 27 |
| 10.3 | Periodic Self-Test Information | 28 |
| 10.4 | Error States | 31 |
| 11 | Life-Cycle Assurance | 31 |
| 11.1 | Installation, Initialization, and Startup Procedures | 31 |
| 11.2 | Administrator Guidance | 32 |
| Physical Ports and logical Interfaces | 32 | |
| Security Events | 32 | |
| Approved & Non-approved Security Functions | 32 | |
| Security Parameters | 32 | |
| 11.3 | Non-Administrator Guidance | 32 |
| 11.4 | Design and Rules | 32 |
| 11.5 | Maintenance Requirements | 33 |
| 11.6 | End of Life | 33 |
| 12 | Mitigation of Other Attacks | 33 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Hardware | 8 |
| Table 3 Get Module Information Service Response Fields | 9 |
| Table 4 Excluded Components | 9 |
| Table 5: Modes List and Description | 9 |
| Table 6: Approved Algorithms | 10 |
| Table 7: Non-Approved, Not Allowed Algorithms | 10 |
| Table 8: Security Function Implementations | 11 |
| Table 9: Ports and Interfaces | 12 |
| Table 10: Authentication Methods | 13 |
| Table 11: Roles | 13 |
| Table 12: Approved Services | 14 |
| Table 13: Non-Approved Services | 23 |
| Table 14: Mechanisms and Actions Required | 24 |
| Table 15: Storage Areas | 25 |
| Table 16: SSP Input-Output Methods | 25 |
| Table 17: SSP Zeroization Methods | 26 |
| Table 18: SSP Table 1 | 26 |
| Table 19: SSP Table 2 | 27 |
| Table 20: Pre-Operational Self-Tests | 27 |
| Table 21: Conditional Self-Tests | 28 |
| Table 22: Pre-Operational Periodic Information | 30 |
| Table 23: Conditional Periodic Information | 31 |
| Table 24: Error States | 31 |
| Figure 1 Top View of Christie IMB-S4 | 6 |
| Figure 2 Bottom View of Christie IMB-S4 | 7 |
| Figure 3 Block Diagram | 8 |
| Figure 4 Physical Security Mechanisms | 24 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 2 |
| 2 | 2 | Cryptographic module specification | 2 |
| 3 | 3 | Cryptographic module interfaces | 3 |
| 4 | 4 | Roles, services, and authentication | 3 |
| 5 | 5 | Software/Firmware security | 3 |
| 6 | 6 | Operational environment | N/A |
| 7 | 7 | Physical security | 2 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 3 |
| 10 | 10 | Self-tests | 2 |
| 11 | 11 | Life-cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 2 |
This document is the Cryptographic Module Security Policy for the Christie IMB-S4 4K Integrated Media Block (IMB) (also referred to herein as the Christie IMB-S4, the cryptographic module, or simply the module). This policy is a specification of the security rules under which the Christie IMB-S4 operates and meets the requirements of FIPS 140-3 Level 2.
Purpose and Use: The Christie IMB-S4 is a multi-chip embedded cryptographic module. The IMB-S4 enables playback of encrypted cinema content packaged as an industry standard Digital Cinema Package (DCP). The IMB-S4 supports playback of digital cinema content from on-board storage (SSDs) as well as a network attached storage (NAS) device. Module Type: Hardware Module Embodiment: MultiChipEmbed Module Characteristics: Cryptographic Boundary: The illustrations below indicate the cryptographic boundary and the physical ports defined on the boundary.
Cryptographic Boundary Security Enclosure S4-Power Battery 1 Battery 2 SSD M.2 NAS SYNC In S4-Data Service Door LED FIPS Storage LED LEDs Aux Audio SYNC Out Media Figure 1 Top View of Christie IMB-S4 LTC Out Ingest USB AES3 Audio
Cryptographic Boundary DAD (not used) Figure 2 Bottom View of Christie IMB-S4 The cryptographic boundary is the outer physical perimeter of the module’s PCB board as represented by the blue boundary in the above photos.
| Name | Model | Hardware Version | Firmware Version | Processor | Features |
|---|---|---|---|---|---|
| Christie IMB-S4 4K Integrated Media Block (IMB) | Christie IMB-S4 4K Integrated Media Block (IMB) | 000-201699- 01 | 1.0.0- 5494@a | Intel Atom x7-E3950 and SE050 (HW P/N: N7121 B1) | N/A |
Cryptographic Boundary Aux Audio Projector I/O (S4-Data) (latent
Tested Module Identification
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved | Running in non- approved mode of operation | The module supports a separate indicator for non-approved security services. Module will display Ethernet (S4-Data) Status (FIPS_STATE) == non-approved | Non- Approved |
| Data | Status Item | Value | |||
|---|---|---|---|---|---|
| Module name | FIPS Model Name | IMB-S4 | |||
| Hardware part number / version | FIPS Hardware Version | 000-201699-01 | |||
| Firmware Version | IMB Software Version | 1.0.0-5494@a |
| Excluded Component # | Description | Reference Designator | |||
|---|---|---|---|---|---|
| 1 | Resistor 0Ω | R678 | |||
| 2 | Capacitor 47µF | C711 | |||
| 3 | Capacitor 47µF | C712 |
The Get Module Information approved service listed in section 4.3 Approved Services can be Specifically, each item is mapped to: Table 3 Get Module Information Service Response Fields
The following components are outside the security enclosure and are non-security relevant. Table 4 Excluded Components Modes List and Description: NonApproved NonApproved Table 5: Modes List and Description As per FIPS 140-3 IG 2.4.A, the non-approved mode services of the module do not share, access, nor use any SSP used by the module in approved mode of operation. The SSPs used by the “Upgrade” service are not used in non-approved mode.
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| RSA SigVer (FIPS186- 4) | C838 | Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072 | FIPS 186-4 |
| SHA-1 | A4665 | Message Length - Message Length: 8-1024 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4665 | Message Length - Message Length: 8-1024 Increment 8 | FIPS 180-4 |
| SHA2-256 | C837 | Message Length - Message Length: 0-51200 Increment 8 | FIPS 180-4 |
| Name | Approved Functions |
|---|---|
| MD5 | Used as part of the TLS 1.0 implementation. |
| RSA (non-compliant) | Used as part of the TLS 1.0 implementation and the Ingest, Generate SM Report, Perform Marriage services. |
| TLS 1.0 KDF (non- compliant) | Used as part of the TLS 1.0 implementation. |
| AES (non-compliant) | Used as part of the TLS 1.0 implementation and the Ingest, Load Content, Playback services. |
| HMAC (non-compliant) | Used as part of the TLS 1.0 implementation and the Load Content, Playback services. |
| SHS (non-compliant) | Used as part of the TLS 1.0 implementation and Generate SM Report, Perform Marriage services. |
| DRBG (non-compliant) | Used as part of the TLS 1.0 implementation. |
Mode Change Instructions and Status: The module enters the approved mode of operation immediately after the self-test is completed. The module enters the non-approved mode of operation as soon as the first non-approved service is called. The module can transition from non-approved to approved mode by rebooting the module and letting the self-test complete.
Approved Algorithms: Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Table 7: Non-Approved, Not Allowed Algorithms
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Digital Signature | Verification is used during the authentication of the firmware package during upgrade. | RSA SigVer (FIPS186-4): (C838) SHA2-256: (C837) | DigSig-SigVer |
| Secure Hash | SHA2-256 is used for Firmware Integrity during Upgrade and Self- Test. SHA-1 is only used as a standalone message digest. | SHA-1: (A4665) SHA2-256: (A4665) | SHA |
Table 8: Security Function Implementations
As per FIPS 140-3 IG C.K, the module supports a FIPS 186-4 algorithm (RSA 2048 SigVer) that was tested in 2019 prior to the Feb 5, 2024, transition. The FIPS 186-4 CAVP test (RSA 2048 SigVer) is mathematically identical to FIPS 186-5 CAVP tests (RSA 2048 SigVer), therefore this module will claim FIPS 186-5 compliance for this test (RSA 2048 SigVer). Please also note that the SHA-1 algorithm has a transition date of December 31st, 2030. SHA-1 will be disallowed for applying cryptographic protection effective January 1st, 2031.
N/A for this module. N/A for this module.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Aux Audio | Aux Audio | Data Input Data Output Control Output Status Output | Latent - Reserved for future use |
| Sync Out | Sync Out | Control Output | Latent - Reserved for future use |
| Sync In | Sync In | Control Input | Latent - Reserved for future use |
| LTC | LTC | Control Output | Time code information |
| AES3 Audio | AES3 Audio | Data Output | Unencrypted Audio |
| Storage LEDs | Storage LEDs | Status Output | SSD 1 / 2 / 3 status information |
| Ingest USB | Ingest USB | Data Input | DCP / KDM |
| Media | Media | Data Input Data Output | DCP / KDM |
| Media | Media | Status Output | Network Link status, Network Activity Status (via LEDs) Unauthenticated Status Information (TCP port 2000) |
| FIPS LED | FIPS LED | Status Output | FIPS Status |
| Service Door LED | Service Door LED | Status Output | Service Door open / closed |
| Video SERDES (S4-Data) | Video SERDES (S4-Data) | Data Output | Unencrypted Video |
| SSDs M.2 | SSDs M.2 | Data Input Data Output | DCP / KDM / Show Playlist |
| Marriage (S4-Data) | Marriage (S4-Data) | Control Input | Electrical signal indicating open or closed Marriage Ring |
| Service Door (S4-Data) | Service Door (S4-Data) | Control Input | Electrical signal indicating open or closed Service Door |
| NAS | NAS | Data Input Data Output | DCP / KDM |
| NAS | NAS | Status Output | Network Link status, Network Activity Status (via LEDs) Unauthenticated Status Information (TCP port 2000) |
| Projector I/O (S4-Data) | Projector I/O (S4-Data) | Control Input | FPGA handshake signals |
| Projector I/O (S4-Data) | Projector I/O (S4-Data) | Control Output | IMB Ready Electrical Signal |
| Aux SERDES (S4-Data) | Aux SERDES (S4-Data) | Data Input | Audio |
| Aux SERDES (S4-Data) | Aux SERDES (S4-Data) | Status Output | Latent - Reserved for future use |
| Ethernet (S4-Data) | Ethernet (S4-Data) | Data Input | DCP / KDM |
| Ethernet (S4-Data) | Ethernet (S4-Data) | Data Output | DCP / KDM / Rendered Subtitles |
| Ethernet (S4-Data) | Ethernet (S4-Data) | Control Input | CEP API |
| Ethernet (S4-Data) | Ethernet (S4-Data) | Control Output | FTP control as a client to a server |
| Ethernet (S4-Data) | Ethernet (S4-Data) | Status Output | Unauthenticated Status Information (TCP port 2000) |
| Ingest USB | Ingest USB | Power | N/A |
| SSDs M.2 | SSDs M.2 | Power | N/A |
| Battery 1 & 2 | Battery 1 & 2 | Power | N/A |
| S4-Power | S4-Power | Power | N/A |
| DAD | DAD | Status Output | Latent - Reserved for future use |
| Name | Description | Strength | Strength per Minute | |
|---|---|---|---|---|
| RSA Digital Signature Verification | Identity-based operator authentication | The authentication is based on RSA 2048 which provides an equivalent encryption strength of 112 bits. The | RSA Digital Signature Verification | There is a 1 second retry delay after each attempt which limits the number of attempts that can be launched per |
N/A N/A N/A N/A Table 9: Ports and Interfaces
| Name | Strength | Strength per Minute |
|---|---|---|
| probability that a random attempt will succeed, or a false acceptance will occur is 1/2 ^ 112 which is less than 1/1,000,000. | probability that a random attempt will succeed, or a false acceptance will occur is 1/2 ^ 112 which is less than 1/1,000,000. | minute. The probability that a random attempt will successfully authenticate to the module within one minute is 60/2 ^ 112 which is less than 1/100,000. |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Identity | RSA Digital Signature Verification | ||||||
| Upgrade | Verify authenticity and integrity of firmware package. | Crypto Officer - Christie Firmware Update Certificate: E - Christie Firmware Update Public Key: E - Cave SMS Certificate: W - Cave SMS Public Key: W - Christie Root CA Self Signed Certificate: E - Christie Root CA Public Key: E - Christie CA Certificate Chain: E | Digital Signature Secure Hash | Ethernet (S4- Data) Status (FIPS_STATE) == approved | Firmware Package, CAVE SMS Certificate | Ethernet (S4- Data) Upgrade Status == Success | |||
| Get Module Information | Retrieve hardware version and firmware version (Show Version) | Unauthenticated | None | Ethernet (S4- Data) Status (FIPS_STATE) == approved | None | Hardware Version, Firmware Version | |||
| Get Status | Retrieve Status (Show Status) | Unauthenticated | None | Ethernet (S4- Data) Status (FIPS_STATE) == approved | None | Status of module |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | Security Functions | |
|---|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Identity | RSA Digital Signature Verification | |||||||
| Upgrade | Verify authenticity and integrity of firmware package. | Crypto Officer - Christie Firmware Update Certificate: E - Christie Firmware Update Public Key: E - Cave SMS Certificate: W - Cave SMS Public Key: W - Christie Root CA Self Signed Certificate: E - Christie Root CA Public Key: E - Christie CA Certificate Chain: E | Digital Signature Secure Hash | Ethernet (S4- Data) Status (FIPS_STATE) == approved | Firmware Package, CAVE SMS Certificate | Ethernet (S4- Data) Upgrade Status == Success | ||||
| Get Module Information | Retrieve hardware version and firmware version (Show Version) | Unauthenticated | None | Ethernet (S4- Data) Status (FIPS_STATE) == approved | None | Hardware Version, Firmware Version | ||||
| Get Status | Retrieve Status (Show Status) | Unauthenticated | None | Ethernet (S4- Data) Status (FIPS_STATE) == approved | None | Status of module | ||||
| Perform Self-test (power cycle) | Run pre- operational self-tests | Unauthenticated | None | N/A - self-tests are performed at boot-up irrespective of the mode of operation. | None | Ethernet (S4- Data) FIPS_STATE == approved | ||||
| Get Upgrade Status | Retrieve status of upgrade | Unauthenticated | None | Ethernet (S4- Data) Status (FIPS_STATE) == approved | None | Status Information of upgrade | ||||
| Ingest | Retrieve and store DCP / KDM | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Load Content | Unwrap Content Decryption Keys and perform CPL verification | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Playback | Decrypt Content, verify frame integrity, and perform playback | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Generate SM Report | Build and sign the SM Report | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Perform Marriage | Perform Electronic Marriage | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| List Remote Device Configurations | List all remote device configurations | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Add Remote Device Configuration | Specify a remote device to ingest content from | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Delete Remote Device Configuration | Delete a remote device configuration | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Test FTP Server | Confirm connectivity to FTP Server | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| List Ingest Sources | List sources to ingest content from | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Scan for Ingestible Content | Find all ingestible content on local drives | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Cancel Scan for Ingestible Content | Cancel a scan in progress | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| List Ingestible Content | List all ingestible content found from scan | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Cancel Ingest | Cancel an ingest in progress | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Get Ingest Status | Get Status information about current ingest | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get List of Shared Directories | Retrieve list of shared directories on NAS drive | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| List Content | Retrieve list of content | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Refresh Content | Refresh cached list of content | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get CPL | Retrieve a CPL | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get CPL Details | Retrieve details of a CPL | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Is CPL Complete | Confirm all assets are available for CPL | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get KDM | Retrieve a KDM | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Delete Content | Remove content from Onboard Storage | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Type of UUID | Retrieve type of content for UUID | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Load Status | Retrieve status of load operation | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get ID of Loaded Content | Retrieve ID of loaded content | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Enable Looping | Enable content looping | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Unload Content | Unload content from memory | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Module Details / History | Start information collection of Module | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Status of Information Collection | Retrieve status of information collection | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Show Playlists | Retrieve list of show playlists | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Is Show Playlist Complete | Determine if all components of show playlist are present | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Does Content Exist in Show Playlist | Check if content exists in a playlist | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Confirm KDM Validity for Show Playlist | Confirm that all KDMs for playlist are valid at specified time | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Validate Show Playlist | Validate a specified playlist | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Show Playlist Validation Results | Get the results of the playlist validation | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Enable Scheduler Support | Enable flag indicating that scheduler is active | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Status Item | Retrieve individual status item | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Get SM Certificate | Retrieve SM Leaf Certificate | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get LS Certificate | Retrieve LS Leaf Certificate | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Stop SM Report Generation | Stop SM Report generation | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Audio Configuration | Retrieve Audio Configuration | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Save Audio Configuration | Save Audio Configuration | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Test NAS Connectivity | Verify connectivity to NAS | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Get Storage Status | Retrieve status of each storage device | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Save Storage Configuration | Save Storage Configuration | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Storage Configuration | Get Storage Configuration | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Does Show Playlist Exist | Check for an individual show playlist | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Save Show Playlist | Save a show playlist | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Get Show Playlist | Retrieve a saved show playlist | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) | Crypto Officer | |||||||
| Adjust Time | Adjust the Real Time Clock | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer | |||||||
| Is SM Busy | Return True if SM is Busy | MD5 RSA (non-compliant) TLS 1.0 KDF (non- compliant) AES (non-compliant) HMAC (non- compliant) SHS (non-compliant) DRBG (non- compliant) | Crypto Officer |
Table 10: Authentication Methods Authentication for the Ethernet Control Input Interface is accomplished via identity-based
Run preoperational Ethernet (S4Data) Z Table 12: Approved Services As per FIPS 140-3 IG 2.4.C, module supports a separate indicator per approved security service. HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant)
DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) HMAC (noncompliant) DRBG (noncompliant) Table 13: Non-Approved Services
Any firmware loaded into this module that is not shown on the module certificate, is out of scope of this validation and requires a separate FIPS 140-3 validation. Loading of External Firmware is performed through the Upgrade Service via the Crypto Officer role. Unauthorized firmware loading is not possible. Additionally, all firmware is digitally signed and checked as per section 5. Data Output and Control Output is inhibited during firmware load testing. The module also prevents firmware loading during any Data Output and/or Control Output operations. During firmware loading, requests for other services involving Data Output and/or Control Output are prohibited until firmware load is complete and the module is restarted. The module implements partial image replacement since there is a BIOS firmware component that is not upgradeable in the field and can only be modified by Christie at Christie’s secure facility.
The integrity of the module is verified by comparing the SHA2-256 (SHS Cert. # A4665) value of the firmware calculated at the time of construction of the firmware, with the SHA2-256 value of the currently running firmware. This is performed as part of the Pre-Operational Self-Tests. Please note the SHA2-256 implementation will perform a Cryptographic Algorithm Self-Test using a Known Answer Test, prior to performing the firmware integrity test.
| Mechanism | Inspection Frequency | Inspection Guidance | ||
|---|---|---|---|---|
| Metal Security Enclosure | Upon receipt of module and as often as feasible. | Visually inspect metal enclosure for scratches, gouges, deformation, and other signs of visible signs of tamper. | ||
| Tamper Evident Seals | Upon receipt of module and as often as feasible. | Visually inspect the tamper evident seals for scratches, gouges, deformation, or other physical signs of tampering. |
The operator can initiate firmware integrity test by power-cycling the module.
The module operates in a limited operational environment that only allows the loading of a trusted and validated firmware binary image through an authenticated service. Firmware binary images are signed by an RSA key which is part of the Christie certificate chain. Type of Operational Environment: Limited
Table 14: Mechanisms and Actions Required The Christie IMB-S4 is a multi-chip embedded cryptographic module which is composed of production-grade components. The module satisfies Security Level 2 only for physical security. Figure 4 Physical Security Mechanisms
| Name | Type | Description |
|---|---|---|
| IMB CPU RAM | Dynamic | System Memory |
| IMB CPU Flash | Static | System Non-Volatile Memory |
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| Factory Installed | Plaintext | Manufacturer | N/A | Automated | Electronic |
| Upgrade Service | Plaintext | Ethernet (S4-Data) | IMB CPU RAM | Automated | Electronic |
The physical security mechanisms of the module include a hard, opaque and tamper-evident metal security enclosure. The module includes four tamper evident seals (Figure 4 Physical Security Mechanisms) covering the screws that secure the metal enclosure to the module; said tamper evident seals are installed as part of the manufacturing process and shall not be removed (i.e. maintenance role is not supported, maintenance interface is not supported). The tamper evident metal security enclosure and the tamper-evident seals shall be periodically inspected to ensure the physical security of the module is maintained. All components which lie outside the metal enclosure are not security relevant and are listed under section 2.3 Excluded Components. NOTE: Although strictly outside the scope of physical security level 2, the metal security enclosure is monitored 24/7 by battery backed-up tamper detection and response mechanisms. Any attempt to remove the metal enclosure results in instantaneous active zeroization. Zeroization also occurs if both batteries become discharged.
N/A Table 16: SSP Input-Output Methods
| Name | Description | Operator Initiation Zeroization Service |
|---|---|---|
| Tamper | Security Enclosure Removal or full loss of power | Remove Security Enclosure Remove Both Batteries and main power |
| Loss of Main Power | Loss of Main Power but battery power is still present | Disconnect power from S4-Power Physical Port |
| Completion of Service | SSP temporary values are zeroised at the completion of a service | Automatically performed by the module |
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|
| Christie Firmware Update Certificate | X.509 - PSP | X.509 Firmware Update Certificate for update package verification | 2048 - 112 | Digital Signature | |||||
| Christie Firmware Update Public Key | Public - PSP | RSA Public Key for verifying update package signature | 2048 - 112 | Digital Signature | |||||
| Cave SMS Certificate | X.509 - PSP | X.509 Certificate containing the Cave SMS Public Key | 2048 - 112 | Digital Signature | |||||
| Cave SMS Public Key | Public - PSP | Crypto Officer RSA Public Key | 2048 - 112 | Digital Signature | |||||
| Christie Root CA Self Signed Certificate | X.509 - PSP | X.509 CA Certificate for leaf certificate verification | 2048 - 112 | Digital Signature | |||||
| Christie Root CA Public Key | Public - PSP | RSA Public Key for leaf certificate verification | 2048 - 112 | Digital Signature | |||||
| Christie CA Certificate Chain | X.509 - PSP | X.509 CA Certificate | 2048 - 112 | Secure Hash Digital Signature | |||||
| Christie Firmware Update Certificate | IMB CPU Flash:Plaintext IMB CPU RAM:Plaintext | Tamper Zeroization Service | Factory Installed | N/A | Christie Firmware Update Public Key:Paired With | ||||
| Christie Firmware Update Public Key | IMB CPU Flash:Plaintext IMB CPU RAM:Plaintext | Tamper Zeroization Service | Factory Installed | N/A | Christie Firmware Update Certificate:Paired With | ||||
| Cave SMS Certificate | IMB CPU RAM:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Cave SMS Public Key:Paired With |
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|
| Christie Firmware Update Certificate | X.509 - PSP | X.509 Firmware Update Certificate for update package verification | 2048 - 112 | Digital Signature | |||||
| Christie Firmware Update Public Key | Public - PSP | RSA Public Key for verifying update package signature | 2048 - 112 | Digital Signature | |||||
| Cave SMS Certificate | X.509 - PSP | X.509 Certificate containing the Cave SMS Public Key | 2048 - 112 | Digital Signature | |||||
| Cave SMS Public Key | Public - PSP | Crypto Officer RSA Public Key | 2048 - 112 | Digital Signature | |||||
| Christie Root CA Self Signed Certificate | X.509 - PSP | X.509 CA Certificate for leaf certificate verification | 2048 - 112 | Digital Signature | |||||
| Christie Root CA Public Key | Public - PSP | RSA Public Key for leaf certificate verification | 2048 - 112 | Digital Signature | |||||
| Christie CA Certificate Chain | X.509 - PSP | X.509 CA Certificate | 2048 - 112 | Secure Hash Digital Signature | |||||
| Christie Firmware Update Certificate | IMB CPU Flash:Plaintext IMB CPU RAM:Plaintext | Tamper Zeroization Service | Factory Installed | N/A | Christie Firmware Update Public Key:Paired With | ||||
| Christie Firmware Update Public Key | IMB CPU Flash:Plaintext IMB CPU RAM:Plaintext | Tamper Zeroization Service | Factory Installed | N/A | Christie Firmware Update Certificate:Paired With | ||||
| Cave SMS Certificate | IMB CPU RAM:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Cave SMS Public Key:Paired With |
Table 17: SSP Zeroization Methods The module explicitly zeroizes SSPs as per the methods above. Please see Section 9.4 for more details. Table 18: SSP Table 1 N/A N/A
| Name | Storage | Zeroization | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|
| Cave SMS Public Key | IMB CPU RAM:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Cave SMS Certificate:Paired With |
| Christie Root CA Self Signed Certificate | IMB CPU Flash:Plaintext IMB CPU RAM:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Christie Root CA Public Key:Paired With |
| Christie Root CA Public Key | IMB CPU RAM:Plaintext IMB CPU Flash:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Christie Root CA Self Signed Certificate:Paired With |
| Christie CA Certificate Chain | IMB CPU RAM:Plaintext IMB CPU Flash:Plaintext | Loss of Main Power Completion of Service | Upgrade Service | During authentication of Upgrade Service | Christie Root CA Self Signed Certificate:Used With |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| Check Security MCU | Check Security MCU | N/A | Critical Function | Check Security MCU | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=SECURITY_MCU_OFFLINE" and FIPS LED will be solid red. If success | |
| Check Enclosure Status | Check Enclosure Status | N/A | Critical Function | Check Enclosure Status | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TAMPERED: 1 EN_OPEN: 1" and FIPS LED will be solid red. | |
| Check NXP SE050 | Check NXP SE050 | N/A | Critical Function | Check NXP SE050 | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TPM_FAILURE" and FIPS LED will be solid red. | |
| SHS | SHS | FW Integrity | SW/FW Integrity | Secure Hash | SHA2-256 | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=IMAGE_INTEGRITY" and FIPS LED will be solid red. | |
| RSA SigVer (FIPS186- 4) (C838) | RSA SigVer (FIPS186- 4) (C838) | KAT | CAST | Sign, Verify | 2048-bit data, 160- bit digest | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| Check Security MCU | Check Security MCU | N/A | Critical Function | Check Security MCU | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=SECURITY_MCU_OFFLINE" and FIPS LED will be solid red. If success | |||
| Check Enclosure Status | Check Enclosure Status | N/A | Critical Function | Check Enclosure Status | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TAMPERED: 1 EN_OPEN: 1" and FIPS LED will be solid red. | |||
| Check NXP SE050 | Check NXP SE050 | N/A | Critical Function | Check NXP SE050 | N/A | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=TPM_FAILURE" and FIPS LED will be solid red. | |||
| SHS | SHS | FW Integrity | SW/FW Integrity | Secure Hash | SHA2-256 | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=IMAGE_INTEGRITY" and FIPS LED will be solid red. | |||
| RSA SigVer (FIPS186- 4) (C838) | RSA SigVer (FIPS186- 4) (C838) | KAT | CAST | Sign, Verify | 2048-bit data, 160- bit digest | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up | ||
| SHA2-256 (A4665) | SHA2-256 (A4665) | KAT | CAST | Secure Hash | SHA-256, 256-bit data | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up | ||
| SHA-1 (A4665) | SHA-1 (A4665) | KAT | CAST | Secure Hash | SHA-1 | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up | ||
| RSA SigVer (FIPS186- 4) (C838) | RSA SigVer (FIPS186- 4) (C838) | SW/FW Load | SW/FW Load | Verify | 2048-bit key with SHA2-256 Signature Verification | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=UPGRADE_FAILURE" and FIPS LED will be solid red. | Conditional | ||
| Check Security MCU | Check Security MCU | N/A | Critical Function | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. | ||||
| Check Enclosure Status | Check Enclosure Status | N/A | Critical Function | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, |
N/A N/A N/A N/A N/A N/A Table 20: Pre-Operational Self-Tests The NXP SE050 referenced above is synonymous with TPM.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| SHA2-256 (A4665) | SHA2-256 (A4665) | KAT | CAST | Secure Hash | SHA-256, 256-bit data | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up | ||
| SHA-1 (A4665) | SHA-1 (A4665) | KAT | CAST | Secure Hash | SHA-1 | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=KAT_CHECK" and FIPS LED will be solid red. | Power-Up | ||
| RSA SigVer (FIPS186- 4) (C838) | RSA SigVer (FIPS186- 4) (C838) | SW/FW Load | SW/FW Load | Verify | 2048-bit key with SHA2-256 Signature Verification | If success, "FIPS_ERROR=None" and FIPS LED will be solid green. If failed, "FIPS_ERROR=UPGRADE_FAILURE" and FIPS LED will be solid red. | Conditional | ||
| Check Security MCU | Check Security MCU | N/A | Critical Function | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. | ||||
| Check Enclosure Status | Check Enclosure Status | N/A | Critical Function | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, | ||||
| Check NXP SE050 | Check NXP SE050 | N/A | Critical Function | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. | ||||
| SHS | SHS | FW Integrity | SW/FW Integrity | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- |
(FIPS1864) (C838) Table 21: Conditional Self-Tests The IMB-S4 has one conditional self-test related to firmware loading. Firmware loading requires are tested as part of the self-test on boot up and during the periodic self-tests. N/A N/A
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| RSA SigVer (FIPS186-4) (C838) | RSA SigVer (FIPS186-4) (C838) | KAT | CAST | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. |
| SHA2-256 (A4665) | SHA2-256 (A4665) | KAT | CAST | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. |
| SHA-1 (A4665) | SHA-1 (A4665) | KAT | CAST | 7 days | The periodic self- test is performed |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| RSA SigVer (FIPS186-4) (C838) | RSA SigVer (FIPS186-4) (C838) | KAT | CAST | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. |
| SHA2-256 (A4665) | SHA2-256 (A4665) | KAT | CAST | 7 days | The periodic self- test is performed programmatically at 7 days from when the module is powered on (main power via S4- POWER). Once each periodic self- test is completed, the next self-test will be scheduled at 7 days from that point in time (and so on). If the self-test is to be performed while content is loaded, the self-test will be deferred until content is unloaded. If the maximum 7- day deferment period is hit, the module will force the self-test. |
| SHA-1 (A4665) | SHA-1 (A4665) | KAT | CAST | 7 days | The periodic self- test is performed |
| RSA SigVer (FIPS186-4) (C838) | RSA SigVer (FIPS186-4) (C838) | SW/FW Load | SW/FW Load | None | Automatically performed by the module during the Upgrade service |
Table 22: Pre-Operational Periodic Information
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Tampered | Tampering, Zeroization Service | Full loss of power Security Enclosure Removal Started by Crypto Officer | FIPS LED will be solid red. | Return to Factory |
| Self-Test Failure | Critical Function Failure | Pre-operational self-test failure | FIPS LED will be solid red. | Return to Factory |
| Firmware Integrity Failure | Verify Firmware Integrity SHA2-256 checksum | Incorrect checksum | FIPS LED will be solid red. | Return to Factory |
| Firmware Load Test Failure | Failure during firmware load | Signature Verification or SHA Checksum failure. | FIPS LED will be solid red. | Power Cycle |
Table 23: Conditional Periodic Information
Table 24: Error States For more information about each error state, please see the relevant Self-Test section above.
The module is manufactured in a secure facility and placed into the approved mode of operation prior to shipping to the customer. On powering up the module (from battery to main power), the module goes through self-tests and an image integrity check to confirm that the non-modifiable operating environment has not been tampered with.
Any other failure will result in a hard FIPS error state to prevent use of the product in a nonapproved mode.
The module consists of a single Crypto Officer role (see 4.2 Roles) and there are no administrative specific procedures functions required to administer the module while it’s in its approved mode of operation. The module is fully secured and in the approved mode of operation once it is shipped from the factory. There is no additional user behavior expected for secure operation of the module. Physical Ports and logical Interfaces Please refer to section 3 Cryptographic Module Interfaces. Security Events Please refer to section 2.4 Modes of Operation. Approved & Non-approved Security Functions Please refer to section 4.3 Approved Services and section 4.4 Non-Approved Services. Security Parameters Please refer to section 9.4 SSPs.
As defined in section 4.1 Authentication Methods, the module supports identity-based operator authentication and there are no specific procedures required to maintain the operator authentication data and mechanisms functionally independent. The module enters the approved mode of operation immediately after self-test is completed. The module enters the non-approved mode of operation as soon as the first non-approved service is called. The module can transition from non-approved to approved mode by rebooting the module and letting the self-test complete. Please see section 2.4 Modes of Operation for more details.
The module supports both battery power and main power by design. Powering up is defined as the process of switching from battery power to main power. All pre-operational self-tests are performed during the powering up sequence and the model automatically transitions to the operational state when the self-tests have passed. Once in this state, the module awaits service requests from the operator.
Procedure for secure sanitization of the IMB-S4 at end-of-life:
The IMB-S4 module does not mitigate any specific attacks beyond the scope of FIPS140-3.