OCT. 13,1998 2:02PM voror0.4 NO, 9045 =P 2 !

M) mororoLa

one eee

KVL 3000 Security
Policy

LAND MOBILE PRODUCTS SECTOR
Radio Network Solutions Group

Version 01.00.05

Last Revision: October 2, 1998

——————
Last Revision; October 2, 1998 page - 1
OCT, 13. 1998 2:02PM MOTOROL,

 

page - 2

 

NO. 9045 OP. 3
KVL 3000 Security Policy
Repository Information
Location: /vobs/kvl/doc/fips
Filename: curity_Policy
Revision History

   
  
   
  
 

 

  
 
 
  

Revision Date Author Comments
[010000 1117087 Tim Muni [TohiaiCieation |
01.0005 | OP [Lamy Muni | ard Reset Procedure
u Add Rule stating how to put
LanyMurnill the KVL into FIPS mode.

 

 

  

Remove the reference to the
Lary Morrill USK in rule 11.

: ‘Add Passwords to list of
Stinson

 
 

 

 

Last Revision: October 2, 1998

 
 

 

|

 

    
 

OCT. 13,1998 2:03PM MOTOROL

KV. 3000 Security Policy
Table of Contents

NO, 9045 P

4

    

 

Last Revision: October 2, 1998

 

page -9.
OCT. 13.1998 2:03PM MOTOROLA NO 9045 =P 5

Introduction

page - 4

KVL 3000 Security Policy
1 Introduction

 

11 Purpose

 

This document describes the FIPS 140-1 security policy requirements for
Motorola’s Land Mobile Products Sector's Key Variable Loader.

1.2 Definitions, Acronyms, Abbreviations

 

DES Data Encryption Standard

EEPROM Electrically Erasable Programmable Read Only Memo
Iv Initialization Vector

KVL Key Variable Loader

RAM Random Access Memory
SRDI Security Related Data Items
1.3 References

 

 

Last Revision: October 2, 1998

 
OCT. 13.1998 2:03PM MOTOROLA NO. 9045 =P. 6

Roles and Services

KVL 3000 Security Palicy

2 Roles and Services

 

The KVL supports a Crypto Officer, User, or Maintenance role during operation.

While in the Crypo Officer role, all of the KVL’s configuration parameters can be
edited and all of its services can be accessed. While in the User role, only key
loading services can be accessed, no editing of SRDI is allowed. Lastly, the
Maintenance role provides means to perform diagnostics, coin-cell battery
teplacement,

The KVL supports role based authentication, using password entry, as a means to
select a role when the KVL is first powered on. The unit's Supervisor mode serves
as the Crypto Officer role while the unit’s Operator mode serves as the User role.

Both the Supervisor and the Operator can perform the following cryptographic
services: Key load, Request for keys from a central KMF.

The Supervisor can perform the following additional cryptographic services: Key
zeroization, Key entry, Modification of SRDI parameters.

Security Rules

 

page-5

This section documents the security rules used by the cryptographic module to
implement the security requirements of a FIPS 140-1 Level 1 module.

1, The KVL3000 is placed in FIPS 140-1 Level 1 compliant mode by turning the
FIPS option, located in the config menu, ON.

2. Ifa KVL3000 receives keys from a Motorola KMC, the KVL is no longer
considered to be operating in a FIPS approved mode. To return to this mode
of operation the Supervisor must perform a HARD RESET, to destroy the
NON-FIPS compliant keys, and turn on the FIPS config option again, which
was reset to OFF during the HARD RESET.

3. A SUPERVISOR may prevent an OPERATIOR from inadvertently
downloading keys from a KMC into a FIPS-compliant KVL by turning off the
KMC option in the config menu. With this option turned off, KMC key
downloads are prohibited.

4. Upon detection of a low voltage power condition the cryptographic module
shall erase all plaintext keys and critical data.

5. The module shall not at any time output any security related data iterns
(SRDIs) from any ports other than the “keyloading port”.

6. The cryptographic module shall erase all plaintext keys, the USK and critical
information, when a tamper condition is detected. It shall also reset the KG.
Please refer the “KVL3000 FIPS 1401-1 Certification” section VEO5.01.02 for
details.

7. Keys entered into the cryptographic module shall be accompanied by a valid
key tag and unique logical ID. Also, CRCs will be calculated over each
encrypted key to ensure the keys integrity throughout its lifetime.

Last Revision: October 2, 1998

 
* 007 13.1998 2:03PM MOTOROLA NO9045 P 7

Security Related Data ttems KVL 3000 Security Policy

 

8. The cryptographic module shall be capable of encrypting, using the USK, all
keys before they are stored in the unit’s EEPROM, The cryptographic module
shall also be capable of decrypting all keys stored in the EEPROM.

9. Upon the application of power or the receipt of a Reset command the
Cryptographic module shall perform the following cryptographic related
tests:

¢ EEPROM Test (includes Key Database test)
* Flash Memory Test
10.After power-up tests are completed, the unit will perform role-based
authentication using a password entry mode.
11.An operator in the supervisor mode shall do a HARD RESET to zeroize the
PASSWORDS before the Maintenance role is entered.

Security Related Data Items

 

 

There are three types of security related data items (SRDIs). These are:

* Traffic Encryption Keys (TEK)

® The Key Encryption Keys (KEK) (Where a USK is the KVL’s master KEK used
to encrypt all TEKs & KEKs stored in the cryptographic module's EEPROM).

* KVL’s Supervisor and Operator Passwords. (Can only be entered and
modified by the Supervisor)

Security Level Objectives

The cryptographic module meets the requirements applicable to Level 1 security
of FIPS 140-1 and Level 1 physical security.

 

page - 6

Last Revision: October 2, 1998

 
"* 007. 13.1998 2:04PM MOTOROLA NO.9045 P. 8

Services to SRDI Relationships KVL 3000 Security Policy
6 Services to SRDI Relationships

 

 

The following describes the services provided by the module and those services’
use of the existing SRDIs:

1. Load Key: When the cryptographic module is instructed to load a selected
key, that key is decrypted using the KVL’s USK, packaged /concatenated with
that keys associated key tag+logical ID and transmitted to the intended cryp-
tographic target.

2. TEK/KEK Entry : Once a key has been fully entered into the cryptographic
module, it is associated with a key tag+logical ID, encrypted using the KVL’s
USK, and stored ina pre-specified (by user) location in the EEPROM.

3. USK Entry : Once the USK has been fully entered into the cryptographic
module, it is stored as plaintext in a 64-bit volatile shift register.

4, TEK/KEK/USK Zeroization : Each Traffic Encryption Key and Key
Encryption Key, Including the USK, can be actively zeroized by the crypto
officer.

Operator Access

 

page -7 Last Revision: October 2, 1998

  

The following is a table of what access an Operator has to the critical security
parameters while performing one of the cryptographic functions: Keyload, KMF
Key Request, Key Zeroization, Key Entry, SRDI Modifications. Note that the
only operators authorized are the persons in the User or Crypto Service Roles

Key Key SADI
Zerolzation Entry Mods