Security Policy, page by page
FIPS 140-3 Security Policy
- SE052F SE052F Document Version: 1.7 Date: 31 July 2025 Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Revision History: Version Date Changes
1.0 July 18, 2022 Full Release, added CAVP Cert. # to Table 3
1.1 June 14, 2023 Update after first round NIST comments
1.2 June 23, 2023 Update chapter 10
1.3 August 17, 2023 Update after CMVP comments
1.4 November 24, 2023 Update after CMVP comments
1.5 December 24, 2023 Update after CMVP comments
1.6 March 20, 2025 Minor updates to Section 2 to remove vendor affirmation claims based
1.7 July 31, 2025 Rebranded from JCOP 4.5 on P71D600 to SE052F
Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Contents List of Figures List of Table Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
1 General
Introduction Federal Information Processing Standards Publication 140-3
- Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a sensitive but unclassified (SBU) environment. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) run the FIPS 140-3 program. The National Voluntary Laboratory Accreditation Program (NVLAP) provides accreditation to independent testing labs performing FIPS 140-3 testing; the CMVP validates modules meeting FIPS 140-3 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographicmodulevalidation-program. About this Document This non-proprietary Cryptographic Module Security Policy for the NXP Semiconductors SE052F provides an overview of the product and a high-level description of how it meets the overall Security Level 3 requirements of FIPS 140-3. The SE052F may also be referred to as the “Secure Element” or “module” in this document. The module is available under several commercial type names addressing the different market segments relevant for NXP, such as:
- JCOP 4.5 on P71D600
- JCOP ID 2 on P71D600
- SE052F
- NCJ37B0HN Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. NXP Semiconductors shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. The following table lists the level of validation for each area in FIPS 140-3: Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F ISO/IEC 24759 Section 6 FIPS 140-3 Section Title Security Level [Number Below]
1 General 3
2 Cryptographic Module Specification 3
3 Cryptographic Module Interfaces 3
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 3
6 Operational Environment N/A
7 Physical Security 4
8 Non-Invasive Security 3
9 Sensitive Security Parameter Management 3
10 Self-Tests 3
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks 3
Table 1
- Security Levels The module claims an Overall Security Level 3. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
2 Cryptographic Module Specification
The module, validated to FIPS 140-3 overall Level 3, is a hardware module with single chip embodiment named SE052F implementing the GlobalPlatform operational environment (Card Manager (ISD/SSD)) and the applications:
- NXP IoT applet v7.2.22
- NXP SEMS Lite applet v2.0.2.11 The module is designed for use in smart cards, IoT and automotive applications. Hardware Firmware Version Distinguishing [Part Features Module Number and Version] Platform ID ROM ID Patch ID Applets The GlobalPlatform operational environment is identified with the Platform ID, the ROM ID, the Patch ID, NXP IoT and other applet information, v7.2.22 describing and
00000000 the content in
SE052F N7122 A1 J3R6000373181200 B3375FE9B5508BC4 NXP
00000000 ROM,
SEMS NVM and Lite loaded applet patches; v2.0.2.11 The Platform ID is a data string that allows the identification of the P71D600 Card Table 2
- Cryptographic Module Tested Configuration Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F The module is validated at an Overall Security Level 3 with Physical Security at Level 4 and all other areas at Level 3. The Operational Environment requirements do not apply to the module given that it meets Physical Security Level 4 requirements. Cryptographic Boundary The module is designed to be used as a part of a larger system. It works as an auxiliary security device attached to a host controller. The physical form of the module is depicted in Figures 1 and 2 (to scale); the outline depicts the cryptographic boundary, representing the surface of the chip and the bond pads. The red outline in Figure 3 also depicts the cryptographic boundary. In production use, the module is delivered to either vendors or end user customers either on film frame carrier (FFC) or various packages such as PDM1.1, NXD6.2, MOB6/10 or HVQFN20 package. The package is outside the cryptographic boundary and thus excluded from the FIPS 140-3/ISO/IEC 19790 security testing. The contactless ports of the module require connection to an antenna. The module relies on [ISO 7816] and [ISO 14443] card readers as input/output devices, or a [NXP I2C] connection to a host controller. No components have been excluded from within the cryptographic boundary. Approved Mode of Operation The module only supports an Approved mode of operation. The NXP SEMS Lite applet can support the NIST P-
256 curve or the vendor Approved and NIST allowed Brainpool256r1 elliptic curve to perform the ECDSA or
KASECC operations. In the Approved mode of operation, the NXP SEMS Lite applet supports the Brainpool256r1 elliptic curve by default. The CO role may use SEMS Lite Module Management service to load NIST P-256 curve parameters. The P71D600 GlobalPlatform operational environment component can be identified by using the IDENTIFY APDU command (Info service). This command returns the card identification data, which includes a Platform ID, a Patch ID and other information that allows the identification of the content in ROM, NVM and loaded patches. The Platform ID is a data string that allows the identification of the P71D600 Card Manager component. The IDENTIFY APDU command is formatted as follows: Code Value Parameter settings CLA ‘80’ GlobalPlatform INS ‘CA’ GET DATA (IDENTIFY) - ISD P1 ‘00’ High order tag value P2 ‘FE’ Low order tag value - proprietary data Lc ‘02’ Length of data field Data ‘DF28’ Module identification data Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy – SE052F Le ‘00’ Length of response data The command answers the content of the DF28 file: • Tag 02 identifies the Patch ID (see Table 2) • Tag 03 identifies the Platform Build ID which is made up of the Platform ID (16 Bytes, see Table 2) and the platform build fingerprint (8 Bytes) • Tag 08 identified the ROM ID (see Table
- To verify that the GlobalPlatform operational environment runs in the Approved mode of operation, use the IDENTIFY APDU (as described above). The DF28 file tag ‘05’ contains the status of the Approved mode compliancy, where ‘00’ identifies Approved mode not active and ‘01’ - Approved mode active. Both NXP IoT applet and NXP SEMS Lite applet of the module are configured to always run in an Approved mode of operation. The personalized product shall have: • NXP IoT applet v7.2.22 identification: o Package ID: A00000039654530000000103000200H o Applet ID: A0000003965453000000010300000000H o Instance ID: A0000003965453000000010300000000H • NXP SEMS Lite applet v2.0.2.11 identification: o Package ID: A00000039654530000000103300000H o Applet ID: A0000003965453000000010330000000H o Instance ID: A0000003965453000000010330000000H The operator can verify that NXP IoT applet v7.2.22 is in an Approved mode of operation by sending the two (2) following commands to the module:
- The SELECT APDU command (Context service) will be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010300000000, and Le =
- The module shall answer 07021626F2FFFF followed by status code 9000. The response includes the BCD encoded applet version (070216) and the supported applet feature bitmap (26F2). This encoded applet version (070216) corresponds to the decimal version v7.2.22 of the IoT Applet as specified in Table 2 in this document and the module certificate. It is not possible in any way to modify the applet version or the supported features bitmap after the device leaves the factory.
- The GetVersion APDU command (IoT Applet Management service) shall be called to get the extended feature bitmap. This command is 80040021 and shall return 26F20000011D81C1E101000E0000000F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F to be in Approved mode of operation. Public Material – May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy – SE052F The operator can verify that NXP SEMS Lite applet v2.0.2.11 is an Approved mode of operation by sending the three (3) following commands to the module:
- The SELECT APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010330000000, and Le =
- Return code shall be 90 00 (OK)
- The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = DE, and Le = 00.The command shall return DE04020002119000 with 02000211 indicating the NXP SEMS Lite applet version. This encoded applet version (02000211) corresponds to the decimal version v2.0.2.11 of the IoT Applet as specified in Table
2 in this document and the module certificate.
- The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = C6, and Le =
- The command shall return C601019000 with C60101 indicating the NXP SEMS Lite applet is configured in Approved mode of operation. The module does not support a degraded operation. Public Material – May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Cryptographic Algorithms The module implements the following Approved cryptographic algorithms. CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) AES-128, AES192, AES-256 with A2713 AES-CBC AES-CBC 128, 192, 256-bit Data Encryption/ Decryption key strength AES-128, AES192, AES-256 with Authentication Encryption with A2713 AES-CCM AES-CCM 128, 192, 256-bit AES CTR mode and CBC-MAC key strength AES-128, AES-192, Message Authentication; AES-256 with 128, A2713 AES-CMAC AES-CMAC generation and verification 192, 256-bit key SP800-108 KDF Strength AES-128, AES-192, AES-256 with 128, A2713 AES-CTR AES-CTR Data Encryption/ Decryption 192, 256-bit key Strength AES-128, AES-192, AES-256 with 128, A2713 AES-ECB AES-ECB Data Encryption/ Decryption 192, 256-bit key strength AES-256 with 256- Deterministic Random Bit A2713 Counter DRBG Counter DRBG bit security Generation AES-256: RSA and strength ECDSA key generation P-224, P-256, P-384, ECDSA KeyGen ECDSA KeyGen P-521 with 112, 128, A2713 ECC Key Generation (FIPS186-4) (FIPS186-4) 192 and 256-bit key strength Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) P-224: (SHA2-224, SHA2-256, SHA2384, SHA2-512), P256: (SHA2-256, SHA2384, SHA2ECDSA SigGen (FIPS186- ECDSA SigGen Digital Signature A2713 512), P4) (FIPS186-4) 384: (SHA2-384, Generation SHA2-512), P-521: (SHA2-512) with 112, 128, 192 and 256bit key strength P-224: (SHA2-224, SHA2-256, SHA2384, SHA2-512), P256: (SHA2-256, SHA2384, SHA2ECDSA SigVer (FIPS186- ECDSA SigVer Digital Signature A2713 512), P4) (FIPS186-4) 384: (SHA2-384, Verification SHA2-512), P-521: (SHA2-512) with 112, 128, 192 and 256bit key strength HMAC-SHA-1 with Message A2713 HMAC-SHA-1 HMAC-SHA-1 128-bit key strength Authentication HMAC-SHA2- HMAC-SHA-256 Message A2713 HMAC-SHA2-256 256 with 256-bit key Authentication strength HMAC-SHA2- HMAC-SHA-384 Message A2713 HMAC-SHA2-384 384 with 256-bit key Authentication strength HMAC-SHA2- HMAC-SHA-512 Message A2713 HMAC-SHA2-512 512 with 256-bit key Authentication strength Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) ECKey session shared secret OnePass EC computation; SEMS Lite shared Diffie-Hellman secret computation (with KAS-ECC-SSC Sp800- P-256 with 128-bit A2713 FIPS 140-3 IG Brainpool256r1 curves); The 56Ar3 key strength D.F Scenario 2 module obtains assurances per Path 2 Section 5.6.2 in NIST SP80056Ar3 self-tests HMAC-SHA1, HMAC-SHA2-256, Two-step key HMACHKDF Operations
- A2713 KDA HKDF Sp800-56Cr1 derivation SHA2-384, HMACextract-then-expand function SHA2-512 with 128 and 256-bit key strength AES-128, AES-192, AES-256 with 128, Deriving keys from A2713 KDF SP800-108 Counter
192 and 256-bit key existing keys
strength HMAC-SHA1, HMAC-SHA2-256, HMACHKDF Operations A2713 KDF SP800-108 Feedback SHA2-384, HMACexpand only SHA2-512 with 128 and 256-bit key strength RSA Decryption RSA Decryption n=2048 with 112-bit Decryption Primitive (standard A2713 Primitive Primitive decryption strength and CRT) n=2048, 3072, 4096 RSA KeyGen Key Generation (standard and A2713 RSA KeyGen (FIPS186-4) with 112 and 128-bit (FIPS186-4) CRT) key strength n=2048, 3072, 4096 with PKCS v1.5 and RSA SigGen PKCSPSS and SHA2A2713 RSA SigGen (FIPS186-4) Signature Generation (FIPS186-4) (224, 256, 384, 512) with 112, 128 and
152 bit key strength
Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) n=2048, 3072, 4096 with PKCS v1.5 and PKCSPSS and SHA-1 , RSA SigVer A2713 RSA SigVer (FIPS186-4) SHA2-(224, 256, Signature Verification (FIPS186-4) 384, 512) with 112,
128 and 152 bit key
strength RSA Signature n=2048 with 112-bit Signature Primitive (standard A2713 RSA Signature Primitive Primitive security strength andCRT) Message Digest SHA-1 with 128-bit Generation, SEMS A2713 SHA-1 SHA-1 security strength Lite command integrity Message Digest SHA2-224 with Generation, SEMS A2713 SHA2-224 SHA2-224 112bit or 192-bit Lite command security strength integrity Message Digest SHA2-256 with 128 Generation, SEMS A2713 SHA2-256 SHA2-256 or 256-bit security Lite command strength integrity Message Digest SHA2-384 with 192 Generation, SEMS A2713 SHA2-384 SHA2-384 or 256-bit security Lite command strength integrity Message Digest SHA2-512 with 256Generation, SEMS A2713 SHA2-512 SHA2-512 bit security Lite command strength integrity AES-128, AES-192, Authentication Encryption with AES-256 with 128, Associated Data MAC A2714 AES-GCM AES-GCM 192, 256-bit key calculation, MAC strength verification AES-128, AES-192, Authentication Encryption with AES-256 with 128, Associated Data MAC A2714 AES-GMAC AES-GMAC 192, 256-bit key calculation, MAC strength verification Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) AES-128, AES-192, AES-256 with 128, A2714 AES-KW AES-KW Key Wrapping (Decryption) 192, 256-bit key strength KDA OneStep KDA OneStep Sp800- SHA-256 with 256- EcKey Session Key A2714 Sp800-56Cr1 56Cr1 bit key strength Derivation option 1 HMAC-SHA2-256, TLS version 1.2 HMAC-SHA2-384, Key Derivation Function used in A2714 KDF TLS Key Derivation HMAC-SHA2-512 with TLS 1.2 SP800-135r1 256-bit key strength Password-based Key Derivation; PBKDF2 Option HMAC-SHA-1 with This algorithm is provided as a A2714 PBKDF 1a acc. [SP800128-bit key strength service for module hosting the 132r2] Module KDA OneStep KDA OneStep Sp800- SHA-256 with 256-bit SEMS Lite shared A2715 Sp800-56Cr1 56Cr1 key strength master key derivation option 1 Section 4: Symmetric keys and seeds used for generating the asymmetric keys are generated using methods described in Section 4 of SP800- 133r2 Section 5.1: Key Pairs for Digital Signature Schemes Key Generation is based on Vendor Affirmed CKG SP800-133r2 Section 6.2.1: Symmetric Keys unmodified output of the DRBG Generated Using Key-Agreement cert. #A2713 Schemes Section 6.2.2: Symmetric Keys Derived from a Pre-existing Key Section 6.4: Distributing the Generated Symmetric Key KAS-ECC-SSC Sp80056Ar3/A2713 SP 800-56Arev3 KDA HKDF KAS-ECC per P-256 curve providing KAS (KAS-ECC-SSC Sp 800-56Ar3 Sp800- KAS-1 IG D.F 128 bits of encryption with KDA (HKDF)) 56Cr1/A2713 Scenario 2 path strength (2) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CAVP Cert Algorithm and Mode/ Method Description/ Use/Function Standard Key Size(s)/ Key Strength(s) KAS-ECC-SSC Sp80056Ar3/A2713 SP 800-56Arev3 P-256 curve providing KDA OneStep KAS-ECC per IG KAS (KAS-ECC-SSC Sp 800-56Ar3 KAS-2 128 bits of encryption Sp80056Cr1/A2714 D.F Scenario 2 with KDA (OneStep KDF)) strength path (2) KAS-ECC-SSC Sp80056Ar3/A2713 SP 80056Arev3. P-256 curve providing KDA OneStep KASECC per IG KAS (KAS-ECC-SSC Sp 800-56Ar3 KAS-3 128 bits of encryption Sp80056Cr1/A2715 D.F Scenario 2 with KDA (OneStep KDF)) strength path (2) AES-128, AES-192, SP 800-38D and SP AES-256 with 128, 800-38F KTS (key AES-CBC/A2713 AES CBC / AES KTS-1 192, 256-bit key wrapping) per IG D.G AES-CMAC/A2713 CMAC strength AES-128, AES-192, AES-256 with 128, AES-KW/#A2714 KTS-2 KW SP 800-38F KTS (key 192, 256-bit key wrapping) per IG D.G strength Table 3
- Approved Algorithms Algorithm Caveat Use/Function AES Cert. #A2713, key unwrapping; key establishment Symmetric key unwrapping (according to methodology provides between 128 and 256 bits RFC3394) of encryption strength Per IG D.G AES Cert. #A2713, key unwrapping; key establishment Symmetric key unwrapping (according to methodology provides 128 bits of encryption GlobalPlatform Amendment-I) strength Per IG D.G ECDSA with non- Provides between 112 and 256 bits of encryption Signature Generation/Verification using non-NIST NIST strength curves [Brainpool224r1, Brainpool256r1, recommended Per IG C.A Brainpool320r, Brainpool384r1, Brainpool512r1, curves Secp224k1, Secp256k1 with strengths ]112, 128,
192 and 256 bits]
Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F EC Diffie-Hellman Provides between 112 and 256 bits of encryption Shared secret computation using non-NIST curves with non-NIST strength [Brainpool224r1, Brainpool256r1, Brainpool320r, recommended Per IGs D.F and C.A Brainpool384r1, Brainpool512r1, Secp224k1, curves Secp256k1 with strengths ]112, 128, 192 and 256 bits] Table 4
- Non-Approved Algorithms Allowed in Approved Mode of Operation The following non-Approved but allowed EC curves (per IG C.A) are implemented by the module for use in ECDSA and KAS-ECC: EC Standard Strength Singular Field Co-Factor Brainpool224r1 [RFC5639] 112 No IFp 1 EC Standard Strength Singular Field Co-Factor Brainpool256r1 [RFC5639] 128 No IFp 1 Brainpool320r1 [RFC5639] 128 No IFp 1 Brainpool384r1 [RFC5639] 192 No IFp 1 Brainpool512r1 [RFC5639] 256 No IFp 1 Secp224k1 [SEC2] 112 No IFp 1 Secp256k1 [SEC2] 128 No IFp 1 The module does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed and Non-Approved Algorithms Not Allowed in the Approved Mode of Operation. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Figure 1
- P71D600 Figure 2
- P71D600 Physical Form (Schematic) Figure 3 below depicts the module operational environment. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Figure 3
- Module Block Diagram The JavaCard and Global Platform APIs are internal interfaces available to applets. Only NXP applets and Card Manager (ISD/SSD) services are available at the card edge (the interfaces that cross the cryptographic boundary). The product is delivered with:
- NXP IoT applet installed and configured before product’s delivery to customer. The end-user can personalize the module with its objects but cannot modify the configuration of the module, the Module always operates in an Approved mode of operation.
- NXP SEMS Lite Applet installed and configured before product’s delivery to customer. The enduser cannot modify the configuration of the module, the module always operates in an Approved mode of operation. Thus, the end-user cannot bring unauthorized changes to the Approved configuration of the module. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Overall Security Design and Rules of Operation PBKDF Operation details
- Password strength The password is stored in an APP-HMAC-KEY object as input to the PBKDF2 function. This key requires a minimum of
112 bits. The probability that a random attempt will end up with the same output is:
- 1/(2^112) = 1.9E-34 (using a minimum size for the password)
- Iteration Count and Justification Iteration count should be at least 1000, following the recommendation in SP800-132r2. If an application desires less iterations, the iteration count can be lower than 1000, but in any case, the iteration count shall be 2 or more.
- Storage Only Statement Output of PBKDF Operation service shall be used in storage applications. AES GCM IV The module enforces the use of an Approved DRBG in accordance with IG C.H scenario 2; the internal Approved CTR_DRBG, which has a security strength of 128 bits, is used to generate the 96-bit IV. TLS 1.2 Support The module supports the TLS KDF Functions service. This service provides support for TLS v1.2 calculations. It does not implement the TLS v1.2 protocol. Per FIPS 140-3 IG D.C, no parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
3 Cryptographic Module Interfaces
Physical Port Logical Interface Data that Passes over Port/Interface VSS, VDD Power interface These interfaces are used to supply power to the module in contact mode; The module starts when interface is powered VIN, VOUT Power interface These interfaces are used to supply power to the module in contact, contactless and I2C mode in case deep power-down mode is used RST_N Control input interface If a signal is sent on this interface on contact mode, the module will reboot (active low) CLK Control input interface The interface is used by an external device (ex: smartcard reader) to provide a clock signal to the IC in contact mode; The IC will derive its own clock from this signal IO1 Control input interface, Data The interface is used to communicate with an external entity (ex: input interface, Data output SmartCard reader) in contact mode; It also functions as I2C master interface, Status output interface SDA in I2C mode IO2 Control input interface, Data The interface is used to communicate with an external entity (ex: input interface, Data output SmartCard reader) in contact mode; It also functions as I2C master interface, Status output interface SCL in I2C mode or as SPI interface LA, LB Power interface, Control input The interface is used to communicate with an external entity (ex: interface, Data input interface, smartcard reader) in contactless mode; This interface is also used to Data output interface, Status set the internal clock and to supply power to the module output interface SDA Control input interface, Data The interface is used to communicate with an external entity such as input interface, Data output a host controller interface, Status output interface SCL Control input interface The interface is used by an external device (ex: host controller) to provide a clock signal to the I2C HW Table 5
- Ports and Interfaces The module does not support control output. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
4 Roles, Services and Authentication
The module supports the following roles:
- Cryptographic Officer (CO): Manages module content and configuration, including management of module data via the SSD. Authenticated as described in Table 7 below.
- User (the device Holder (applet user)): Performs Approved cryptographic operations. Authenticated as described in Table 7 below. Role Service Input Output ISD Services CO Manage Content APDU(s) used: Command parameters Status Word DELETE LOAD (data objects, SSPs) (Response APDU INSTALL 9000) MANAGE CHANNEL SSD Services CO Lifecycle APDU(s) used: Target status Status Word (Show status and SET STATUS (Response APDU Perform GET STATUS 9000) zeroisation) CO Manage Content APDU(s) used: Command parameters Status Word PUT KEY (data objects, SSPs) (Response APDU STORE DATA 9000) CO Privileged Info APDU(s) used: Command parameters Requested information; (Show module’s GET DATA (privileged data objects, Status Word versioning but no SSPs) (Response APDU 9000) information) CO Secure Channel APDU(s) used: Command parameters Status Word INITIALIZE UPDATE (data objects, SSPs) (Response APDU EXTERNAL AUTHENTICATE 9000) IoT Applet Services Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CO IoT Applet APDU(s) used: Authentication data to Status Word Management SetLockState, open an applet session (Response APDU SetPlatformSCPRequest, 9000) DeleteAll, SetAppletFeatures, ImportExternalObject Role Service Input Output User, CO Module Usage APDU(s) used: Command parameters Requested (Perform Self- DisableSecureObjectCreation, (e.g. required length for information; Tests and Show SendCardManagerCommand, GetRandom, memory Status Word module’s TriggerSelfTest, type for (Response APDU versioning I2CM_ExecuteCommandSet, GetFreeMemory, etc.) 9000) information) GetVersion, GetTimestamp, GetFreeMemory, GetRandom, ReadState User, CO Session APDU(s) used: Session creation C-APDU; Status Word Management CreateSession, authentication data to (Response APDU VerifySessionUserID, open the applet session 9000) SCPInitializeUpdate, SCPExternalAuthenticate, ECKeySessionInternalAuthenticate, ECKeySessionGetECKAPublicKey, ExchangeSessionData, ProcessSessionCmd, RefreshSession, CloseSession User, CO Secure Object APDU(s) used: Object identifier; Secure Status Word Write WriteECKey/WriteRSAKey, Object characteristics (Response APDU Functionality WriteSymmKey, (transient/persistent; 9000) WriteBinary, Authentication rights or WriteUserID, not; etc.); (optionally) WriteCounter, WritePCR, Secure Object value; ImportObject (optionally) Secure Object non-default policy (optionally) Secure Object version Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F User, CO Secure Object APDU(s) used: ReadObject, Object identifier Secure Object value (if Read ReadAttributes, non-secret) Functionality ExportObject (optionally) Secure Object attributes Status Word (Response APDU 9000) User, CO Secure Object APDU(s) used: Object identifier Secure Object Management ReadType, ReadSize, characteristics (type, ReadIDList, size, exists, etc.) or CheckObjectExists, listing of Secure DeleteSecureObject Objects Status Word (Response APDU 9000) User, CO EC Curve APDU(s) used: Curve Identifier; Status Word Management CreateECCurve, (optionally) curve (Response APDU (Perform SetECCurveParam, parameters 9000) approved GetECCurveID, Secure Object identifier Curve set indicators security ReadECCurveList, (for GetECCurveID) (for ReadECCurveList) functions) DeleteECCurve Curve identifier (for GetECCurveID) User, CO Crypto Object APDU(s) used: Crypto object identifier; Status Word Management CreateCryptoObject, (optionally) Crypto (Response APDU ReadCryptoObjectList, Object characteristics 9000) DeleteCryptoObject List of Crypto Object identifiers (for ReadCyptoObjectList) User, CO EC Crypto APDU(s) used: Secure Object identifier; Output data Operations ECDSASign, Input data (signature, result of (Perform ECDSAVerify (message/signature/exte verification, shared approved rnal public key) secret) security Status Word functions) (Response APDU 9000) User, CO RSA Crypto APDU(s) used: Secure Object identifier; Output data Operations RSASign, Input data (signature, result of (Perform RSAVerify, (message/signature) verification, encrypted approved RSAEncrypt, or decrypted data) security RSADecrypt Status Word functions) (Response APDU 9000) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F User, CO Symmetric APDU(s) used: Secure Object identifier Output data Cipher Crypto CipherInit, or Crypto Object (encrypted or Operations CipherUpdate, identifier decrypted message) (Perform CipherFinal, Input data (message) Status Word approved CipherOneShot (Response APDU security 9000) functions) User, CO Authenticated APDU(s) used: Secure Object identifier Output data Encryption AEADInit, or Crypto Object (encrypted or Crypto AEADUpdate, identifier decrypted message, Operations AEADFinal, Input data (message, tag or result of tag (Perform AEADOneShot AAD, tag, etc.) verification) approved Status Word security (Response APDU functions) 9000) User, CO MAC Calculation APDU(s) used: Secure Object identifier Output data (MAC or Crypto MACInit, or Crypto Object result of MAC Operations MACUpdate, identifier verification) (Perform MACFinal, Input data (message, Status Word approved MACOneShot MAC (for verification)) (Response APDU security 9000) functions) User, CO HKDF operations APDU(s) used: Secure Object identifier Output data (derived (Perform HKDFExtractAndExpand, HKDF input parameters data) if not stored approved HKDFExpandOnly (digest type, message, onchip security requested length, salt, Status Word functions) output object, etc.) (Response APDU 9000) User, CO PBKDF Operation APDU(s) used: Secure Object identifier Output data (derived (Perform PBKDF2DeriveKey PBKDF2 input data (salt, data) approved iteration count, Status Word security requested length) (Response APDU functions) 9000) User, CO TLS KDF APDU(s) used: Secure Object Output data Functions TLSGenerateRandom, identifier(s) Status Word (Perform TLSCalculatePremasterSecret, TLS KDF input data (Response APDU approved TLSPerformPRF (digest type, label, 9000) security random, requested functions) length) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F User, CO Secure Hash APDU(s) used: Digest mode or Crypto Output data (hashed Crypto DigestInit, Object identifier message) Operations DigestUpdate, Input data (message) Status Word (Perform DigestFinal, (Response APDU approved DigestOneShot 9000) security functions) SEMS Lite Applet Services Role Service Input Output User, SEMS Lite APDU(s) used: Authentication Allow or reject SEMS CO Authentication PROCESS, information or Lite Manage Content SCRIPT, SEMS Secure channel service or COMMAND SEMS Lite Root Key Update or Error code User, SEMS Lite APDU(s) used: Content management Implicit indication via CO Manage Content SEMS_SELECT, commands wrapped in the successful SEMS_APDU, SEMS Secure channel completion of service SEMS_BEGIN_PERSO, SEMS_END_PERSO, SEMS_INSTALL_FOR_LOAD, SEMS_LOAD, SEMS_INSTALL_FOR_INSTALL, SEMS_DELETE, SEMS_BINDING_SE, BEGIN_MANAGE_ELF_UPGRADE, END_MANAGE_ELF_UPGRADE CO SEMS Lite Root APDU(s) used: Key update commands Implicit indication via Key Update SEMS_KEY_ROTATION wrapped in SEMS Secure the successful channel completion of service CO, User, Card Reset APDU(s) used: N/A Power cycle or reset the Status Word Unauthor module (Response APDU ised 9000) CO, User, Context APDU(s) used: Command parameters Status Word Unauthor SELECT. (data objects, SSPs) (Response APDU ised MANAGE CHANNEL 9000) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CO, User, Info APDU(s) used: Command parameters Status Word Unauthor (Show status and GET DATA (data objects, SSPs) (Response APDU ised Perform 9000) selftests) CO, User, SEMS Lite APDU(s) used: Command parameters Status Word Unauthor General SEMS_SELECT, GET (data objects, SSPs) (Response APDU ised (Show module’s DATA 9000) versioning information) Table 6
- Roles, Service Commands, Input and Output Authentication of each operator and their access to roles and services is as described below, independent of logical channel usage (identity-based authentication methods implemented).
- Only one operator at a time is permitted on a channel.
- Applet de-selection (including Card Manager), card reset, or power down terminates the current authentication. Re-authentication is required after any of these events for access to authenticated services.
- CO authentication method does not exchange plaintext CSP.
- User authentication data is encrypted and authenticated during entry with GlobalPlatform SCP03, is stored encrypted with OS-MKEK and is only accessible by authenticated services. This includes user identifier (UserID) in case of UserID session method. Role Authentication Method Authentication Strength CO User SCP03 128 bits UserID Session 32 bits (minimum) AESKey Session 128 bits ECKey Session 128 bits SEMS Lite Applet 128 bits Table 7
- Roles and Authentication Platform Authentication (Secure Channel Protocol 03 Authentication Method) The Secure Channel Protocol authentication method is provided by the Secure Channel service. The SD-KENC and SDKMAC keys are used to derive the SD-SENC, SD-SMAC, and SD-RMAC session keys. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F The external entity participating in the mutual authentication sends a 64-bit challenge to the Secure Element. The Secure Element generates its own challenge and computes a 64-bit cryptogram with SD-SMAC key and both challenges. The Secure Element cryptogram and challenge are sent to the external entity which checks the Secure Element cryptogram and creates its own 64-bit cryptogram with both challenges. A 64-bit message authentication code (MAC) is also computed on the command containing the external entity cryptogram with AES-CMAC and SDSMAC key. The MAC is concatenated to the command, and the command is sent to the Secure Element. The Secure Element checks the message authentication code and compares the received cryptogram to the calculated cryptogram. If all of this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the module). The probability that a random attempt will succeed using this authentication method is:
- 1/(2^128) = 2.9E-39 (MAC||cryptogram) using a 128-bit block for authentication. This authentication method includes a counter of failed authentication called “velocity checking” by GlobalPlatform. The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. The module enforces a maximum of 60 failed Global Platform SCP03 authentication attempts before permanently blocking the card. The probability that a random attempt will succeed over a one-minute interval is (with the assumption here that one attempt is possible per second):
- 60/(2^128) = 1.7E-37 (MAC||cryptogram), using a 128-bit block for authentication IoT applet Authentication The applet allows creating an authenticated session using an Authentication Object which can be either UserID session, AESKey session, or ECKey session. An authenticated session allows users to protect and safeguard their credentials against third party use as only the authenticated user has proper rights on the credentials. This is ensured by applying correct policies to the credentials. A policy binds functional access to an Authentication Object where an Authentication Object represents a user. The different authentication methods are described in the sub-sections below. UserID Session An UserID session authentication method is provided by the Session management service. During a UserID session, the session user identifier (UserID) is verified in order to allow setting up a session. If the UserID is correct, the session establishment will succeed; otherwise, the session will not be opened. An UserID can be configured from a minimum of four (4) bytes up to a maximum of 16 bytes (128 bits). In the worstcase scenario, a 4-byte UserID is used, the probability that a random attempt will succeed using this authentication method is:
- 1/(2^32) = 4.3E-9 Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F The number of authentication attempts is configurable. It can be an infinite attempt number, or it can be limited by a counter comprised between 1 and 255 attempts. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is:
- 4700/(2^32) = 1.0E-6. AESKey Session The AESKey session authentication method is provided by the Session management service. The APP-AES-KEY-AUTH key is used to derive the APP-SENC, APP-SMAC keys, and APP-RMAC. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. The external entity participating in the mutual authentication sends a 64-bit challenge to the Secure Element. The Secure Element generates its own challenge and computes a 64-bit cryptogram with APP-SMAC key and both challenges. The Secure Element cryptogram and challenge are sent to the external entity which checks the Secure Element cryptogram and creates its own 64-bit cryptogram with both challenges. A 64-bit message authentication code (MAC) is also computed on the command containing the external entity cryptogram with AES-CMAC and APPSMAC key. The MAC is concatenated to the command, and the command is sent to the Secure Element. The Secure Element checks the message authentication code and compares the received cryptogram to the calculated cryptogram. If all of this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the module in the CO/User role). The probability that a random attempt will succeed using this authentication method is:
- 1/(2^128) = 2.9E-39 (MAC||cryptogram, using a 128-bit block for authentication) The number of authentication attempts is configurable. It can be an infinite attempt numbers or it can be limited by a counter comprised between 1 and 32767. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is:
- 4700/(2^128) = 1.3E-35 (MAC||cryptogram, using a 128-bit block for authentication). ECKey Session An ECKey session authentication method is provided by the Session management service. The ECKey session authentication method consists of verifying a P-256 ECDSA signature. The P-256 EC public key is either initially imported by the User (APP-EC-PUBLIC-KEY-USER) or provisioned during the manufacturing (APPECPUBLIC-KEY-CO). The user will own the corresponding ECDSA private key. In addition to User’s authentication, ECKey session is used to establish Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F APP-KAS-IOT-SS/APP-KAS-SEMS-SS with the Approved KAS algorithm. The shared secret is used to derive the AES-128 APP-AES-KEY-AUTH which is itself used to derive the APP-SENC, APP-SMAC and APP-RMAC session keys. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. First, the user requests the module public key, APP-KAS-SSC-EC-PUB-KEY; this key is signed with the private key APPKAS-SSC-EC-PRIV-KEY by the module. Then, the User sends the ephemeral KAS public key signed with User’s ECDSA private key. Finally, the module verifies the ECDSA signature of the ephemeral key with either APP-EC-PUBLICKEYUSER or APP-EC-PUBLIC-KEY-CO before initiating the KAS shared secret computation. The probability that a random attempt will succeed using this authentication method is:
- 1/(2^128) = 2.9E-39 (using a 256-bit EC key for authentication) The number of authentication attempts is configurable. It can be an infinite attempt numbers or it can be limited by a counter comprised between 1 and 32767. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is:
- 4700/(2^128) = 1.4E-35 (using a 256-bit EC key for authentication) SEMS Lite Applet Authentication The SEMS Lite applet is provided by the SEMS Lite Authentication service. The service provides authentication, confidentiality, and integrity of each authenticated service. The SEMS Lite Applet authentication consists of verifying a Brainpool256r1 ECDSA signature computed on a 113-byte data generated off the module and the CO public key APP-ECC-RT-PUB-AUT, see section 5.1.4 of [GP] Amendment-I. The probability that a random attempt will succeed using this authentication method is:
- 1/(2^128) = 2.9E-39 (using a 256-bit EC key for authentication) To keep the SEMS Lite Applet from blocking, an infinite number of attempts is allowed. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is:
- 4700/(2^128) = 1.4E-35 (using a 256-bit EC key for authentication) The module does not support bypass or self-initiated cryptographic output capabilities. The module is a limited operational environment under the FIPS 140-3 definitions. The module includes a firmware load function to support necessary updates, but these are only limited to the vendor, NXP. New firmware versions within the scope of this validation must be validated through the CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. Public Material
- May be reproduced only in its original entirety (without revision).
Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs ISD Services Manage Load keys and data N/A OS-SKEK CO E, W, Z Status Content SD-KENC Word SD-KMAC (Response SD-KDEK APDU DAP-DAPK 9000) SSD Services Lifecycle Get or modify the card N/A All CO E, Z Status (Show status or applet life cycle Word and Perform status (Response zeroisation) APDU 9000) Manage Load keys and data N/A OS-SKEK CO E, W, Z Status Content SD-KENC Word SD-KMAC SD- (Response KDEK APDU DAP-DAPK 9000) Privileged Read Module data N/A OS-MKEK CO E Status Info (privileged data objects, SD-KENC Word (Show but no CSPs) SD-KMAC (Response module’s SD-SENC APDU versioning SD-SMAC 9000) information) SD-RMAC Secure Establish and use a CTR_DRBG OS-DRBG-EI CO E, G, Z Status Channel secure communication (Cert. OS-DRBG-SEED Word channel A2713) OS-DRBG-STATE (Response CKG OS-DRBG-KEY APDU (Vendor OS-DRBG-V 9000) Affirmed) OS-DRBG-OUTPUT OS-MKEK SD-KENC SD-KMAC SD-SENC SD-SMAC SD-RMAC IoT Applet Services Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs IoT Applet This service manages AES SD-SENC CO E, G, Status Management the P71D600 applet CBC, ECB, SD-SMAC W Word CTR, SD-RMAC (Response CCM, CMAC APP-ECC-RT-PRIV-KA APDU (Cert. APP-AES-RAM-K0-KEY 9000) A2713) APP-AES-RAM-Kn-KEY GCM/GMAC APP-EC-PUB-KEY-CO (Cert. APP-EC-PUB-KEY-USER A2714) APP-ECC-RT-PUB-AUT KDF SP800- APP-ECC-PUB-eKA
108 (Cert. APP-ECC-PUB-AUT
A2713) APP-KAS-IOT-SS ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KASECC (Cert. A2713) P-256 SHS (Cert. A2713) CKG (Vendor Affirmed) Module Perform Self-Tests and All All CO, E Status Usage Show module’s User Word (Perform versioning information (Response Self-Tests APDU and Show 9000) module’s versioning information) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs Session This service manages AES OS-DRBG-EI CO, E, G, Z Status Management the applet sessions; CBC, ECB, OS-DRBG-STATE User Word Users can decide to CTR, OS-DRBG-KEY (Response open a session or not; CCM, CMAC OS-DRBG-V APDU Opening a session (Cert. OS-DRBG-OUTPUT 9000) requires to authenticate A2713) OS-MKEK to the applet using GCM/GMAC SD-KENC either an UserID, an (Cert. SD-KMAC AES128 key or an EC key A2714) SD-SENC depending on the KDF SP800- SD-SMAC session type 108 (Cert. SD-RMAC A2713) APP-KAS-SSC-EC-PRIVECDSA (Cert. KEY A2713) APP-KAS-IOT-SS P-256 SHS APP-AES-KEY-AUTH (Cert. APP-SENC A2713) KASAPP-SMAC ECC APP-RMAC (Cert. APP-USERID-FILE A2713) APP-EC-PRIV-KEY P-256 SHS (Cert. APP-AES-KEY A2713) CKG APP-KAS-SSC-EC-PUB(Vendor KEY Affirmed) APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs Secure This service manages CTR_DRBG OS-DRBG-EI CO, E, G, Status Object Write the generation (either (A2713) AES OS-DRBG-STATE User R, W, Z Word Functionality an RSA or EC key pair) or CBC, ECB, OS-DRBG-KEY (Response transport (EC keys, CTR, OS-DRBG-V APDU RSA keys, symmetric CCM, CMAC OS-DRBG-OUTPUT 9000) keys, binary files, (Cert. OS-MKEK UserIDs, monotonic A2713) SD-SENC counters, PCRs) of GCM/GMAC SD-SMAC Secure Objects. (Cert. SD-RMAC A2714) APP-TRANSPORTKDF SP800- CIPHER
108 (Cert. APP-TRANSPORT-MAC
A2713) APP-AES-KEY-AUTH ECDSA (Cert. APP-USERID-FILE A2713) APP-EC-PRIV-KEY P-256 SHS APP-RSA-PRIV-KEY (Cert. APP-AES-KEY A2713) KASAPP-HMAC-KEY ECC (Cert. APP-EC-PUB-KEY-CO A2713) APP-EC-PUB-KEY-USER P-256 RSA APP-EC-PUB-KEY (Cert. APP-RSA-PUB-KEY A2713)2048, 3072,
4096 bits
SHS (Cert. A2713) CKG (Vendor Affirmed) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs Secure This service manages N/A OS-MKEK CO, E, R Status Object Read the reading of Secure SD-SENC User Word Functionality Objects or its attributes; SD-SMAC (Response Asymmetric private SD-RMAC APDU keys or symmetric keys APP-TRANSPORT- 9000) can never be read in CIPHER plaintext APP-TRANSPORT-MAC APP-EC-PRIV-KEY APP-RSA-PRIV-KEY APP-AES-KEY APP-HMAC-KEY APP-KAS-SSC-EC-PUBKEY APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER APP-EC-PUB-KEY APP-RSA-PUB-KEY Secure This service manages AES OS-MKEK CO, E, Z Status Object the reading of Secure CBC, ECB, SD-SENC User Word Management Object attributes CTR, SD-SMAC (Response CCM, CMAC SD-RMAC APDU (Cert. APP-AES-KEY-AUTH 9000) A2713) APP-USER-ID-FILE GCM/GMAC APP-RSA-PRIV-KEY (Cert. APP-AES-KEY A2714) APP-HMAC-KEY HMAC (Cert. APP-EC-PUB-KEY-USER A2713) APP-EC-PUB-KEY ECDSA (Cert. APP-RSA-PUB-KEY A2713) P-256 SHS (Cert. A2713) RSA (Cert. A2713)2048, 3072,
4096 bits
SHS (Cert. A2713) CKG (Vendor Affirmed) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs EC Curve This service manages ECDSA (Cert. SD-SENC CO, E Status Management the EC curves that can A2713) SD-SMAC User Word (Perform be used during EC P-256 SHS SD-RMAC (Response approved cryptographic (Cert. APDU security operations A2713) 9000) functions) Crypto This service manages SHS (Cert. SD-SENC CO, E Status Object the Crypto Objects that A2713) SD-SMAC User Word Management can be used. Crypto AES SD-RMAC (Response Objects allow to do CBC, ECB, APP-AES-KEY APDU operations in multiple CTR, APP-HMAC-KEY 9000) steps (init/update/final) CCM, CMAC Supported Crypto (Cert. Objects allow to use a A2713) digest, cipher or MAC GCM/GMAC algorithm to be used (Cert. A2714) HMAC (Cert. A2713) EC Crypto This service triggers OS ECDSA OS-DRBG-EI CO, E, G, Z Status Operations API for ECDSA signature (Cert. OS-DRBG-STATE User Word (Perform generation and A2713) OS-DRBG-KEY (Response approved verification, and for EC P-256 KAS- OS-DRBG-V APDU security DH shared secret SSC OS-DRBG-OUTPUT 9000) functions) calculation according to (Cert. OS-MKEK [56Ar3] Section 5.7.1.2 A2713) SD-SENC P-256 SHS SD-SMAC (Cert. SD-RMAC A2713) CKG APP-EC-PRIV-KEY (Vendor APP-EC-PUB-KEY Affirmed) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs RSA Crypto This service triggers OS RSA (Cert. OS-DRBG-EI CO, E, G, Z Status Operations API for RSA signature A2713)2048, OS-DRBG-STATE User Word (Perform generation and 3072, OS-DRBG-KEY (Response approved verification, and for RSA 4096 bits OS-DRBG-V APDU security encryption and SHS (Cert. OS-DRBG-OUTPUT 9000) functions) decryption (components A2713) CKG OS-MKEK only) (Vendor SD-SENC Affirmed) SD-SMAC SD-RMAC APP-RSA-PRIV-KEY APP-RSA-PUB-KEY Symmetric This service triggers OS AES OS-MKEK CO, E Status Cipher Crypto API for AES encryption CBC, ECB, SD-SENC User Word Operations and decryption CTR, SD-SMAC (Response (Perform CCM, CMAC SD-RMAC APDU approved (Cert. APP-AES-KEY 9000) security A2713) functions) GCM/GMAC (Cert. A2714) Authenticate AES SD-SENC CO, E Status d Encryption CBC, ECB, SD-SMAC User Word Crypto This service provides CTR, SD-RMAC (Response Operations execution of the AEAD CCM, CMAC APDU (Perform function using OS API (Cert. 9000) approved primitives for AES GCM A2713) security encryption and GCM/GMAC functions) decryption, and DRBG (Cert. for internal IV A2714) generation CTR_DRBG (A2713) MAC This service triggers OS CMAC OS-MKEK CO, E Status Calculation API for MAC Calculation (Cert. SD-SENC User Word Crypto A2713) SD-SMAC (Response Operations HMAC SD-RMAC APDU (Perform (Cert. APP-HMAC-KEY 9000) approved A2713) security functions) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs HKDF This service triggers OS HKDF OS-MKEK CO, E Status operations API for HKDF operations (Certs. SD-SENC User Word (Perform (either Two Step Key A2713 and SD-SMAC (Response approved Derivation using HMAC A2714) SD-RMAC APDU security or the Key Derivation APP-HMAC-KEY 9000) functions) Function using Pseudorandom functions) PBKDF This service provides PBKDF2 OS-MKEK CO, E Status Operation execution of the (Cert. SD-SENC User Word (Perform Password-Based Key A2714) SD-SMAC (Response approved Derivation Function. SD-RMAC APDU security The derived key is 9000) functions) returned to the operator and not used by the module TLS KDF This service provides KDF OS-MKEK CO, E Status Functions support for TLS v1.2 (Cert. SD-SENC User Word (Perform calculations. It does not A2713) SD-SMAC (Response approved implement the TLS v1.2 SD-RMAC APDU security protocol 9000) functions) Secure Hash This service triggers OS SHA OS-MKEK CO, E Status Crypto API for [FIPS 180-4] (Cert. SD-SENC User Word Operations compliant hash A2713) SD-SMAC (Response (Perform algorithms SD-RMAC APDU approved 9000) security functions) SEMS Lite Applet Services Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs SEMS Lite The service provides the AES OS-MKEK CO, E, G, Status Authenticatio authenticated secure CBC, ECB, APP-ECC-RT-PRIV-KA User W, Z Word n messaging CTR, APP-AES-RAM-K0-KEY (Response CCM, CMAC APP-AES-RAM-Kn-KEY APDU (Cert. APP-ECC-RT-PUB-AUT 9000) A2713) APP-ECC-PUB-eKA GCM/GMAC APP-ECC-PUB-AUT (Cert. APP-CERT-KR-AUT A2714) APP-CERT-AUT DAPECDSA (Cert. DAPK A2713) P-256 SHS (Cert. A2713) KASECC (Cert. A2713) P-256 CKG (Vendor Affirmed) SEMS Lite The service is used to AES OS-MKEK CO, E, G, Status Manage load data. The data is CBC, ECB, APP-ECC-RT-PRIV-KA User W, Z Word Content wrapped in SEMS Lite CTR, APP-AES-RAM-K0-KEY (Response Authentication CCM, CMAC APP-AES-RAM-Kn-KEY APDU (Cert. APP-ECC-RT-PUB-AUT 9000) A2713) APP-ECC-PUB-eKA GCM/GMAC APP-ECC-PUB-AUT (Cert. APP-CERT-KR-AUT A2714) APP-CERT-AUT ECDSA (Cert. DAP-DAPK A2713) P-256 SHS (Cert. A2713) KASECC (Cert. A2713) P-256 CKG (Vendor Affirmed) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs SEMS Lite This service updates AES OS-MKEK CO E, G, Status Root Key APP-ECC-RT-PRIV-KA CBC, ECB, APP-ECC-RT-PRIV-KA W, Z Word Update and APP-ECC-RT-PUB- CTR, APP-AES-RAM-K0-KEY (Response AUT keys wrapped in CCM, CMAC APP-AES-RAM-Kn-KEY APDU SEMS Lite (Cert. APP-ECC-RT-PUB-AUT 9000) Authentication A2713) APP-ECC-PUB-eKA GCM/GMAC APP-ECC-PUB-AUT (Cert. APP-CERT-KR-AUT A2714) APP-CERT-AUT ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KASECC (Cert. A2713) P-256 CKG (Vendor Affirmed) N/A N/A CO, N/A Status User, Word Power cycle or reset the Card Reset Unauthor (Response module ised APDU 9000) N/A N/A CO, N/A Status User, Word Select an applet or Context Unauthor (Response manage logical channels ised APDU 9000) Info Read unprivileged data N/A N/A CO, N/A Status objects, e.g., module User, Word configuration or status Unauthor (Response information (Show ised APDU Status). This service 9000) includes the Preoperational Self-Test on-demand Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs SEMS Lite This service provides N/A N/A CO, N/A Status General generic operations User, Word which are not required Unauthor (Response to be protected by ised APDU applying security. It 9000) includes selecting the SEMS Lite applet, reading version of the SEMS Lite applet or APP-ECC-RT-PUB-AUT public key of SEMS Lite Applet Table 8
- Approved Services The modes of access shown in the table above are defined as:
- G = Generate: The service generates or derives the CSP/Public Key.
- W = Write: The service inputs the CSP/Public Key.
- E = Execute: The Module executes using the CSP/Public Key.
- R = Read: The service outputs the CSP/Public Key. CSP are always protected with the approved KTS.
- Z = Zeroize: The Module zeroizes the CSP/Public Key after usage. A zeroised CSP is not retrievable or reusable. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
5 Software/Firmware Security
The cryptographic module is considered a hardware module with firmware components. An error detection code (32-bit CRC performed over all code located in Flash) is applied to all firmware components within the module. If the integrity test fails, the module enters the hard error (MUTE) state. An operator of the module can perform the integrity test on demand with the GET DATA APDU command. As a single-chip hardware module, the executable form of the code, i.e., firmware is binary format. The module does not support loading of firmware from an external source. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, per FIPS 140-3 IG 5.A, no pre-operational ROM integrity self-test has been implemented. The module’s endof-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state. All data and control inputs, and data and status outputs of the cryptographic module and services are directed through the module’s defined interfaces. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
6 Operational Environment
The module claims to meet Physical Security Level 4 and thus the requirements per this section do not apply. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
7 Physical Security
The module is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The module uses standard passivation techniques. The module includes Environmental Failure Protection features such as temperature and voltage sensors. Fault Induction mitigation techniques are light sensors and spike sensors on the supply voltage lines. Identification of internal features such as sensitive components or interconnections is impeded by a fine mesh of metal shield lines that resides at the outermost layers of the chip. Delivery forms of the module are QFN package, contactless chip card module, or sawn wafer. Therefore, the module does not rely on any physical security based on a package. Physical Security Mechanism Recommended Frequency of Inspection/Test Guidance Details Inspection/Test N/A N/A N/A Table 9
- Physical Security Inspection Guidelines Result Temperature or voltage EFP or EFT (Shutdown/Zeroisation) Measurement Low Temperature -40°C EFP Shutdown High Temperature +105°C EFP Shutdown Low Voltage 1.62V EFP Shutdown High Voltage 6.0V EFP Shutdown Table 10
- EFP/EFT Hardness tested temperature measurement Low Temperature -45°C High Temperature +125°C Table 11
- Hardness Testing Temperature Ranges Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
8 Non-Invasive Security
Please see Section 12 below for information regarding non-invasive security countermeasures. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
9 Sensitive Security Parameter Management
Key Security Establ /SSP Function Import Use & Related Strength Generation ishm Storage Zeroisation Name and Cert. /Export Keys ent /Type Number
384 bits CTR_DRB Internally via N/A N/A Temporarily Power-off Random value
G ENT (P) stored in RAM (temporarily from ENT (P) (Cert. in plaintext stored in used to seed A2713) (does not RAM) reciprocally OSpersist beyond and AES-256 DRBGa power cycle); DRBG EI CSP object identifier to entity association
880 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG
G SP800- NVM in by state value (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the OSprocess identifier to module DRBGentity (LifeCycle/ STATE association Perform CSP Zeroisation service); overwritten with zeroes
256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG
G SP800- NVM in by state value OS- (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the DRBGprocess identifier to Module KEY entity (LifeCycle/ CSP association Perform Zeroisation service); overwritten with zeroes
256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG
G SP800- NVM in by state value OS- (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the DRBGprocess identifier to Module V entity (LifeCycle/ CSP association Perform Zeroisation service); Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F overwritten with zeroes
256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Unmodified
G SP800- NVM in by output from (Cert. 90Ar1 plaintext; termination the DRBG A2713) DRBG object of the used for SSP OSprocess identifier to module generation DRBGentity (LifeCycle/ OUTPU association Perform T CSP Zeroisation service); overwritten with zeroes
128 bits AES N/A Entered N/A Stored in Destroyed Used to build
CBC, during NVM in by OS-MKEK ECB, manufactu plaintext; termination CTR, ring/ object of the CCM, personaliz identifier to module CMAC ation entity (LifeCycle/ (Cert. association Perform Zeroisation A2713) service); GCM/G OS- overwritten MAC SKEK with zeroes (Cert. CSP A2714)
128 bits AES OS-SKEK N/A N/A Stored in Destroyed Used to
CBC, permutation NVM in by encrypt all ECB, (xor plaintext; termination secret and CTR, between object of the private key CCM, OS-SKEK and identifier to module data stored in OS- a (LifeCycle/Pe CMAC entity NVM MKEK constant association rform (Cert. CSP value) Zeroisation A2713) service); GCM/G overwritten MAC with zeroes (Cert. A2714)
128 bits AES N/A Entered N/A Stored in Destroyed Used to derive
SDCBC, during NVM because of SD-SENC KENC manufactu OS-MKEK ECB, encrypted with CSP ring/ zeroisation CTR, Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F CCM, personaliz Approved AES CMAC ation CBC with OS(Cert. Or MKEK; key A2713) AES-CBC version to GCM/G (using SD- entity MAC KDEK) association (Cert. encrypted A2714) (RFC 3394 method) and transportted using platform SCP03 Exported using Approved KTS
128 bits AES N/A Entered N/A Stored in Destroyed Used to derive
CBC, during NVM because of SD-SMAC ECB, Manufac- encrypted with OS-MKEK CTR, turing/per- Approved AES zeroisation CCM, sonalizat- CBC with OSCMAC ion MKEK; key Or version to (Cert. AES-CBC entity A2713) GCM/G (using SD- association SD- MAC KDEK) (Cert. encrypted KMAC A2714) (RFC 3394 CSP method) and transportted using platform SCP03 Exported using Approved KTS
128 bits AES N/A Entered N/A Stored in Destroyed Sensitive data
CBC, during NVM because of decryption ECB, manufac- encrypted with OS-MKEK key used to SD- CTR, turing/per- Approved AES zeroisation decrypt CSPs CCM, sonaliza- CBC with OSKDEK CMAC tion MKEK; key CSP Or version to (Cert. Entered entity encrypted association with the Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F A2713) previous GCM/G SD-KDEK MAC (Cert. Exported A2714) using Approved KTS
128 bits AES N/A N/A Deri- Temporarily Power-off Session
CBC, ved stored in (temporarily encryption ECB, with RAM in stored in key used to CTR, Appr plaintext RAM) secure CCM, - (does not channel data CMAC oved persist beyond a (Cert. KDF SP power cycle); A2713) GCM/G 800- object SD- MAC 108 identifier to SENC (Cert. entity A2714) association CSP KDF SP800(Cert. A2713) CKG (Vendor Affirmed )
128 bits AES N/A N/A Deri- Temporarily Power-off Session MAC
CBC, ved stored in (temporarily key used to ECB, with RAM in stored in verify inbound CTR, Appr plaintext RAM) secure CCM, - (does not channel data CMAC oved persist integrity beyond a (Cert. KDF power cycle); A2713) SP object GCM/G 800SD- identifier to MAC 108 (Cert. entity SMAC association CSP A2714) KDF SP800(Cert. A2713) CKG (Vendor Affirmed) Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
128 bits AES N/A N/A Der- Temporarily Power-off Session MAC
CBC, ived stored in (temporarily key used to ECB, with RAM in stored in verify CTR, Appr plaintext RAM) outbound CCM, - (does not secure CMAC persist channel data oved beyond a integrity (Cert. KDF power cycle); A2713) SP object GCM/G 800- identifier to SD- MAC 108 entity RMAC (Cert. association CSP A2714) KDF SP800(Cert. A2713) CKG (Vendor Affirmed) APP- 256 bits AES N/A Entered N/A Stored in Destroyed Used to TRANS CBC, during NVM because of encrypt either PORT- ECB, manufac- encrypted with OS-MKEK exported or CIPHER CTR, turing/per- Approved AES zeroisation imported CSP CCM, sonaliza- CBC with OS- Secure CMAC tion MKEK; key Objects or (Cert. version to data A2713) Output: entity GCM/G N/A association MAC (Cert. A2714) APP- 128 bits AES N/A Entered N/A Stored in Destroyed Used to TRANS CMAC during NVM because of authenticate PORT- (Cert. Manufac- encrypted with OS-MKEK either MAC A2713) turing/per- Approved AES zeroisation exported or CSP sonaliza- CBC with OS- imported tion MKEK; key Secure version to Objects Output: entity N/A association APP- 128 bits KAS-ECC- N/A Entered N/A Stored in Destroyed KAS Shared KAS- SSC P- during NVM because of Secret SSC-EC- 256 Manufac- encrypted with OS-MKEK computation PRIV- (Cert. turing/per- Approved AES zeroisation private key KEY A2713) sonaliza- CBC with OSCSP KDA tion MKEK; key (Cert. version to Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F A2713) Output: entity N/A association APP- 128 bits KAS-ECC- N/A N/A Establ Temporarily Power-off KAS-ECC KAS- SSC P- ish- stored in (temporarily Shared Secret IOT-SS 256 ed RAM in stored in CSP (Cert. with plaintext RAM) A2713) the (does not KDA SP persist (Cert. 800- beyond a A2714) 56A- power cycle); rev3 object KAS- identifier to ECC entity association APP- 128 bits AES N/A Entered App- Stored in Destroyed Used in AES- CBC, during roved NVM because of AESKey KEY- ECB, Manufac- KTS encrypted with OS-MKEK session or AUTH CTR, turing/per- Approved AES zeroisation ECKey session CSP CCM, sonaliz- CBC with OS- authenCMAC ation MKEK; key tication (Cert. version to methods A2713) Output: via entity GCM/G Approved association MAC KTS (Cert. A2714) or ECDSA (Cert. A2713)
128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC
CBC, ived stored in (temporarily Key session ECB, with RAM in stored in encryption CTR, Appr- plaintext RAM) key used to CCM, oved (does not encrypt / CMAC KDF persist decrypt beyond a secure (Cert. SP power cycle); channel data A2713) 800object GCM/G 108 APP- identifier to MAC SENC entity (Cert. association CSP A2714) or ECDSA (Cert. A2713) KDF SP800(Cert. A2713) CKG Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC
CBC, ived stored in (temporarily Key session ECB, with RAM in stored in MAC key used CTR, Appr plaintext RAM) to verify CCM, - (does not inbound CMAC oved persist secure beyond a channel data (Cert. KDF power cycle); integrity A2713) SP object GCM/G 800- identifier to MAC 108 entity (Cert. APP- association A2714) SMAC or ECDSA CSP (Cert. A2713) KDF SP800(Cert. A2713) CKG (Vendor Affirmed)
128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC
CBC, ived stored in (temporarily Key session ECB, with RAM in stored in MAC key used CTR, Appr plaintext RAM) to generate CCM, - (does not response CMAC oved persist secure beyond a channel data (Cert. KDF power cycle); MAC A2713) SP object GCM/G 800APP- identifier to MAC 108 RMAC entity (Cert. association CSP A2714) or ECDSA (Cert. A2713) KDF SP800(Cert. A2713) CKG Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F (Vendor Affirmed) APP- N/A N/A N/A Entered Appr- Stored in Destroyed 4-byte up to USERID during oved NVM because of 16-byte - Manufac- KTS encrypted with OS-MKEK UserID FILE turing/per- Approved AES zeroisation authentication CSP sonaliz- CBC with OS- data ation MKEK; key version to Output: via entity Approved association KTS APP- 112, 128, ECDSA The Entered: N/A Stored in Destroyed Elliptic curve EC- 192, 256 Key Approved key N/A NVM because of key that PRIV- bits Genera- pair Output: via encrypted with OS-MKEK allows to KEY tion generation Approved Approved AES zeroisation perform EC CSP P-224, P- method is KTS CBC with OS- cryptographic 256, compliant MKEK; key operations P-384, with FIPS version to P-521 186-4, entity (Cert. Sections association A2713) B.43.23 CKG (RSA) or B.4.2 (Vendor (ECDSA), Key Pair AffirmGeneration ed) by Testing Candidates; Generated on the module using Approved DRBG, AES-256 CTR_DRBG APP- 112, RSA The Entered: N/A Stored in Destroyed RSA key that RSA- 128, 152 Key Approved key N/A NVM because of allows to PRIV- bits Genera- pair encrypted with OS-MKEK perform RSA KEY tion generation Output: via Approved AES zeroisation cryptographic CSP 2048, method is Approved CBC with OS- operations 3072, compliant KTS MKEK; key
4096 bits with FIPS version to
(Cert. 186-4, entity A2713) Sections association CKG B.43.23 (Vendor (RSA) or B.4.2 Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Affirm- (ECDSA), Key ed) Pair Generation by Testing Candidates; Generated on the module using Approved DRBG, AES-256 CTR_DRBG APP- 128, AES N/A Entered Appr- Stored in Destroyed Used to AES- 192, CBC, during oved NVM because of perform AES KEY 256 bits ECB, Manufac- KTS encrypted with OS-MKEK cipher mode CSP CTR, turing/per- Approved AES zeroisation. operations CCM, sonaliz- CBC with OSCMAC ation MKEK; key (Cert. version to A2713) Output: via entity GCM/G Approved association MAC KTS (Cert. A2714) APP- 128 and HMAC N/A Entered Appr- Stored in Destroyed Used to HMAC- 256 bits SHA-1, during oved NVM because of perform KDF KEY SHA2- Manufac- KTS encrypted with OS-MKEK or HMAC CSP 256, 384, turing/per- Approved AES zeroisation operations
512 sonaliz- CBC with OS-
(Cert. ation MKEK; key A2713) version to Output: via entity Approved association KTS APP- 256 bits ECDSA N/A Entered N/A Stored in Destroyed Private static ECC- (Cert. during NVM because of key used in RT- A2713) Manufac- encrypted with OS-MKEK key establishPRIV- P-521 turing/ Approved AES zeroisation ment KA CSP SHS Personali- CBC with OS- (KAS-SSC) (Cert. zation or MKEK; key operations A2713) Imported version to in secure entity channel association specified by GPAmd-I Output: Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F N/A APP- 128 bits KAS- N/A N/A Esta- Temporarily Power-off KAS Shared KAS- ECC- blish- stored in (temporarily Secret CSP SEMS- SSC P- ed RAM in stored in SS CSP 256 with plaintext RAM) (Cert. the (does not #A2713) SP persist 800- beyond a KDA 56A power cycle); (Cert. rev3 object A2715) KAS identifier to entity association
128 bits AES N/A N/A Esta- Temporarily Power-off Used as secret
CBC, blish- stored in (temporarily key material ECB, ed RAM (does stored in in the very CTR, with not persist RAM) first CCM, the beyond a decryption CMAC SP power cycle) operations as 800- part of (Cert. 56A AuthenticaAPP- A2713) GCM/G rev3 tion and AESMAC KAS- Secure RAM- Messaging (Cert. SCC K0-Key service of A2714) follCSP owed SEMS Lite CKG (Vendor by applet Affirmed SHA2 ) -256 as One Pass KDF
128 bits AES CBC, N/A Imported N/A Temporarily Power-off Used as secret
ECB, CTR, in secure stored in (temporarily key material CCM, channel RAM (does stored in in the CMAC specified not persist RAM) subsequent APP- (Cert. by GP- beyond a decryption AES- A2713) Amd-I power cycle) operations as RAM- GCM/G part of SEMS Kn-Key MAC Output: Lite CSP (Cert. N/A AuthenticaA2714) tion and Secure Messaging service DAP- 256 bits ECDSA N/A Entered N/A Stored in N/A
- ECC public key DAPK P-521 during NVM Considered used for PSP (Cert. encrypted with protected by Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F A2713) Manufac- Approved AES ISO 19790 Mandated turing/ CBC with OS- definition DAP Personali- MKEK; key zation version to entity association APP- 128 bits KAS-ECC- N/A Entered N/A Stored in N/A
- KAS Shared KAS- SSC during NVM Considered Secret SSC- P-256 Manufac- encrypted with protected by computation EC- (Cert. turing/ Approved AES ISO 19790 public key PUB- A2713) Personali- CBC with OS- definition KEY zation MKEK; key PSP version to Output: entity Approved association KTS APP- 128 bits ECDSA N/A Entered N/A Stored in N/A
- ECDSA public EC- (Cert. during NVM Considered key used to PUB- A2713) Manufac- encrypted with protected by authenticate KEY-CO P-256 turing/ Approved AES ISO 19790 the CO PSP SHS Personali- CBC with OS- definition (Cert zation MKEK; key A2713) version to Output: entity Approved association KTS APP- 128 bits ECDSA N/A Entered N/A Stored in N/A
- ECDSA public EC- (Cert. during NVM Considered key used to PUB- A2713) Manufac- encrypted with protected by authenticate KEY- P-256 turing/ Approved AES ISO 19790 as user USER SHS Personali- CBC with OS- definition PSP (Cert zation MKEK; key A2713) version to Output: entity Approved association KTS
128 bits ECDSA The Entered: N/A Stored in N/A
(Cert. Approved key N/A NVM Considered execute EC A2713) pair encrypted with protected by cryptographic P-256 generation Output: Approved AES ISO 19790 operations APP- CKG method is Approved CBC with OS- definition EC- (Vendor compliant KTS MKEK; key PUBKE Affirm- with FIPS version to Y 186-4, entity ed) PSP Sections association B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Generation by Testing Candidates; Generated on the module using Approved DRBG, AES-256 CTR_DRBG 112, RSA The Entered: N/A Stored in N/A
- Used to 128, (Cert. Approved key N/A NVM Considered execute RSA
152 bits A2713) pair encrypted with protected by cryptographic
2048, generation Output: Approved AES ISO 19790 operations 3072, method is Approved CBC with OS- definition
4096 bits compliant KTS MKEK; key
CKG with FIPS version to (Vendor 186-4, entity Affirm- Sections association ed) B.43.23 APP(RSA) or B.4.2 RSA(ECDSA), Key PUBPair KEY Generation PSP by Testing Candidates; Generated on the module using Approved DRBG, AES-256 CTR_DRBG
128 bits KAS- N/A Entered: N/A Stored in N/A
ECC- Certifi-cate NVM Considered public key APP- SSC is entered encrypted with protected by used in key ECC- P-256 in plain- Approved AES ISO 19790 establishPUB- (Cert. text CBC with OS- definition ment eKA A2713) MKEK; key (KAS) PSP Output: version to operation N/A entity association APP- 256 bits ECDSA N/A Entered: N/A Stored in N/A
- EC public key ECC- (Cert. Certificate NVM Considered used in ECDSA RT- A2713) is entered encrypted with protected by verification PUB- P-521 in plain Approved AES ISO 19790 operations AUT SHS text CBC with OS- definition PSP (Cert. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F A2713) Output: In MKEK; key plaintext version to entity association
256 bits ECDSA N/A Entered: N/A Stored in N/A
(Cert. Certificate NVM Considered public key APP- A2713) is entered encrypted with protected by used in ECDSA ECC- P-521 in plain- Approved AES ISO 19790 verification PUB- SHS text CBC with OS- definition operations AUT (Cert. MKEK; key PSP A2713) Output: version to N/A entity association
256 bits ECDSA N/A Entered: N/A Stored in N/A
(Cert. Certificate NVM in Considered with EC public A2713) is entered plaintext; protected by key providing APPP-521 in plain- object ISO 19790 authorization CERT- text and SHS identifier to definition AUT authenticity to (Cert. entity PSP Output: SEMS Lite A2713) association N/A applet 256-bits ECDSA N/A Entered: N/A Stored in N/A
- Certificate (Cert. Certificate NVM in Considered with 256-bit A2713) is entered plaintext; ‘protected’ EC public key P-521 in plain object by ISO providing APP- SHS text identifier to 19790 authorization CERT- (Cert. entity definition and KR- A2713) Output: association authenticity AUT N/A to SEMS Lite PSP applet for SEMS Lite Root Key Update service Table 12
- SSPs The module implements a NIST SP800-90Ar1 Approved CTR_DRBG. The unmodified outputs of the DRBG are used for Cryptographic Key Generation (CKG) of Symmetric Keys and seeds for Asymmetric Key Generation as noted in Table 3 in this document per Section 4 in NIST SP800-133r2. Entropy sources Minimum Number of bits of entropy Details NIST SP800-90B ENT (P)
- Used as entropy 256-bits of overall entropy for AES- Noise source based on hardware input to the Approved DRBG 256 CTR_DRBG; implementing an iterated Bernouli Shift Map
0.912949 per entropy source output
bit Table 13
- Non-Deterministic Number Generator Specification Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F Per FIPS 140-3 IG 9.5.A, the module supports AD/EE (Automated Distribution/Electronic Entry). Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
10 Self-Tests
On power-on or on demand, the module performs self-tests described below. The pre-operational self-test must be completed successfully prior to any other use of cryptography by the module. The Cryptographic Algorithm Self-Tests are either performed at boot or prior to first use. The conditional self-tests are performed when the corresponding conditions occur. If one of the self-tests fails, the system is halted and will start again after a reset. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, no pre-operational ROM integrity self-test has been implemented. The module’s end-of-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state, The Flash Firmware Integrity check is performed on every reset or on demand. Pre-operational Self-Tests
- Firmware Integrity: 32-bit CRC performed over all code located in Flash. Conditional Self-Tests
- Cryptographic Algorithm Self-Tests
- AES CBC 128-bit Encrypt KAT
- AES CBC 128-bit Decrypt KAT
- AES CMAC 128-bit Encrypt KAT
- AES CMAC 128-bit Decrypt KAT
- CTR_DRBG 256-bit KAT (Health Tests: Generate, Reseed, Instantiate functions per Section 11 in NIST SP800-90Ar1)
- ECDSA P-521 SHA-256 Signature Generation KAT
- ECDSA P-521 SHA-256 Signature Verification KAT
- HMAC-SHA2-256 KAT
- KAS-ECC-SSC P-256 KAT
- KDF TLS 1.2 KAT
- KDA KAT (One-Step KDF per SP800-56Cr1 for both Cert. #A2714 and #A2715)
- KDA KAT (Two-Step KDF KAT (HKDF) per SP800-56Cr1 for Cert.#A2713)
- NIST KDF SP800-108 KAT (Counter mode with AES-128)
- NIST KDF SP800-108 KAT (Feedback Mode with HMAC-SHA1)
- NIST SP800-132 KDF KAT (with HMAC-SHA-1)
- RSA 2048-bit SHA2-256 Signature Generation KAT
- RSA 2048-bit SHA2-256 Signature Verification KAT
- SHA-1 KAT (for both Cert. #A2713 and #A2714)
- SHA2-256 KAT (for both Cert. #A2713 and #A2714 (inclusive of SHA2-224, per IG 10.3.A))
- SHA2-512 KAT (for both Cert. #A2713 and #A2714 (inclusive of SHA2-384, per IG 10.3.A))
- NIST SP800-90B ENT (P) Repetition Count Test (RCT) performed on raw data Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
- SE052F
- NIST SP800-90B ENT (P) Developer Defined Heath Test Transition Count Test performed on the raw data
- NIST SP800-90B ENT (P) Developer Defined Heath Test Chi-Square Test performed on the conditioned data
- NIST SP800-90B ENT (P) Developer Defined Heath Test Amplitude Limiter Analog Test on the analog data
- Pairwise Consistency Tests
- Generate PCT: Pairwise consistency test performed when an asymmetric key pair is generated for RSA or ECC. The conditional test is implemented at the applet level
- Signature PCT: Pairwise consistency test performed when a signature is generated for RSA or ECDSA
- Firmware Load Test: Signature Verification based on ECDSA P-256 with SHA2-256 Note: The module does not support loading of external firmware by the operator (it is limited to the vendor, NXP Semiconductors, at factory pre-shipment of the module). The Firmware Load Test above is performed by the module in support of the same. All the Self-Tests can be performed on-demand with the GET DATA APDU command (Info service) with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = FE, Lc = 04, Incoming Data = DF4B0120, and Le = 00. The expected result is FE04DF4B0120. In case of a failure, the module enters a hard error (MUTE) state and returns a code/status indicator. The APDU code 9000 signifies success and 66A7 is the error indicator corresponding to the MUTE error state. The JCOP OS is intended to execute pre-operational self-tests (rather than conditional self- tests) periodically, since these tests are pre-defined to be executed post resets. The periodic time will thus always start from zero. RAM can be used to manage the periodic time interval which is the number of execution events e.g., number of APDUs/commands received (the tests are repeated after every 500,000 CAPDUs/commands). Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
11 Life-Cycle Assurance
All configuration management items are managed using an automated configuration management system. The module is designed to allow the testing of all provided security-related services. All firmware is implemented using a high-level language and is designed in a manner that avoids the use of code, parameters, or symbols not necessary for the module’s functionality and execution. While the module can be delivered with the Approved mode enabled by default, customers also have the option to receive a module which is in the unconfigured state, i.e., non-Approved mode. To comply with and maintain the FIPS 140-3 validation, it would be the CO’s responsibility to enable the Approved mode of operation as follows (this information can also be found in the JCOP 4.5 User guidance and administrator manual document):
- Install SEMS Lite applet to run in Approved mode of operation.
- Install the IoT applet and configure the applet to run in Approved mode of operation.
- Configure the Operation System to run in Approved mode of operation. In each of these steps, it is in the CO’s responsibility to apply proper security conditions and to ensure that once the device is put into Approved mode of operation, it will not be set into non-Approved mode of operation ever again. The operator can verify that the module is operating in the Approved mode by following instructions specified in Section 2 in this document. There are no specific maintenance requirements for this module. Public Material – May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy
12 Mitigation of Other Attacks
The module is protected against the following non-invasive attacks: SPA, DPA, Timing Analysis and Fault Induction using a combination of firmware and hardware countermeasures. Protection features include detection of outofrange supply voltages, frequencies or temperatures, fault induction mitigations like light sensors, voltage glitch sensors and an active shield, and detection of illegal address or instruction. All cryptographic computations and sensitive operations such as critical data comparison provided by the module are designed to be resistant to timing and power analysis. Sensitive operations are performed in constant time, regardless of the execution context (parameters, keys, etc.), owing to a combination of hardware and firmware features. In addition to the non-invasive attacks, the module also uses standard passivation techniques and is protected by active shielding (a grid of top metal layer wires with tamper response) which qualifies for classification under mitigation of other attacks. Public Material
- May be reproduced only in its original entirety (without revision).
FIPS 140-3 Security Policy