F2009VE 02
SECTION 2: MODULE PORTS AND INTERFACES
AS.02.01 The cryptographic module shall restrict all information flow and
physical access points to physical ports and logical interfaces that define
all entry and exit points to and from the module.
Assessment:
VE.02.01.01
VE.02.01.01 Vendor documentation shall specify each of the physical ports and
logical interfaces of the cryptographic module, including the:
1. Physical ports and their pin assignments
2. Physical covers, doors or openings
3. Logical interfaces (e.g., APIs and all other data/control/status
signals) and the signal names and functions
4. Manual controls (e.g., buttons or switches) for applicable physical
control inputs
5. Physical status indicators (e.g., lights or displays) for applicable
physical status outputs
6. Mapping of the logical interfaces to the physical ports, manual
controls, and physical status indicators of the cryptographic module
7. Physical, logical, and electrical characteristics, as applicable, of the
above ports and interfaces
Assessment:
VE.02.01.02
VE.02.01.02 Vendor documentation shall specify the information flows and physical
access points of the cryptographic module by highlighting or annotating
copies of the block diagrams, design specifications and/or source code
and schematics provided in Sections 1 and 10. The vendor shall also
provide any other documentation necessary to clearly specify the
relationship of the information flows and physical access points to the
physical ports and logical interfaces.
Assessment:
VE.02.01.03
VE.02.01.03 For each physical or logical input to the cryptographic module, or
physical and logical output from the module, vendor documentation
shall specify the logical interface to which the physical input or output
belongs, and the physical entry/exit port. The specifications provided
shall be consistent with the specifications of the cryptographic module
components provided under sections 1 and 10, and the specifications of
the logical interfaces provided in assertions AS02.03 to AS02.09 of this
section.
Assessment:
AS.02.02 The cryptographic module interfaces shall be logically distinct from
each other although they may share one physical port (e.g., input data
may enter and output data may exit via the same port) or may be
distributed over one or more physical ports (e.g., input data may enter
via both a serial and a parallel port).
Assessment:
VE.02.02.01
VE.02.02.01 The vendor's design shall separate the cryptographic module interfaces
into logically distinct and isolated categories, using the categories listed
in assertion AS02.03, and, if applicable, AS02.09 in this section. This
information shall be consistent with the specification of the logical
interfaces and physical ports provided in AS02.01 in this section.
Assessment:
VE.02.02.02
VE.02.02.02 Vendor documentation shall provide a mapping of each category of
logical interface to a physical port of the cryptographic module. A
logical interface may be physically distributed across more than one
physical port, or two or more logical interfaces may share one physical
port as long as the information flows are kept logically separate. If two
or more logical interfaces share the same physical port, vendor
documentation shall specify how the information from the different
interface categories is kept logically separate.
Assessment:
AS.02.03 The cryptographic module shall have the following four logical
interfaces ("input" and "output" are indicated from the perspective of
the module):
* Data input interface
* Data output interface
* Control input interface
* Status output interface
Assessment:
VE.02.03.01
VE.02.03.01 Vendor documentation shall specify that the following four logical
interfaces have been designed within the cryptographic module ("input"
and "output" are indicated from the perspective of the module):
* data input interface (for the entry of data as specified in AS02.04),
* data output interface (for the output of data as specified in
AS02.05),
* control input interface (for the entry of commands as specified in
AS02.07), and
* status output interface (for the output of status information as
Assessment:
AS.02.04 All data (except control data entered via the control input interface) that
is input to and processed by the cryptographic module (including
plaintext data, ciphertext data, cryptographic keys and CSPs,
authentication data, and status information from another module) shall enter via the "data input" interface.
Assessment:
VE.02.04.01
VE.02.04.01 The cryptographic module shall have a data input interface. All data
(except control data entered via the control input interface) that is to be
input to and processed by the cryptographic module shall enter via the
data input interface, including:
1. Plaintext data
2. Ciphertext or signed data
3. Cryptographic keys and other key management data (plaintext or
encrypted)
4. Authentication data (plaintext or encrypted)
5. Status information from external sources
6. Any other input data
Assessment:
VE.02.04.02
VE.02.04.02 If applicable, vendor documentation shall specify any external input
devices to be used with the cryptographic module for the entry of data
into the data input interface, such as smart cards, tokens, keypads, key
loaders, and/or biometric devices.
Assessment:
AS.02.05 All data (except status data output via the status output interface) that is
output from the cryptographic module (including plaintext data,
ciphertext data, cryptographic keys and CSPs, authentication data, and
control information for another module) shall exit via the "data output"
Assessment:
VE.02.05.01
VE.02.05.01 The cryptographic module shall have a data output interface. All data
(except status data output via the status output interface) that has been
processed and is to be output by the cryptographic module shall exit via
the data output interface, including:
1. Plaintext data
2. Ciphertext data and digital signatures
3. Cryptographic keys and other key management data (plaintext or
encrypted)
4. Control information to external targets
5. Any other output data
Assessment:
VE.02.05.02
VE.02.05.02 If applicable, vendor documentation shall specify any external output
devices to be used with the cryptographic module for the output of data
from the data output interface, such as smart cards, tokens, displays,
and/or other storage devices.
Assessment:
AS.02.06 All data output via the data output interface shall be inhibited when an
error state exists and during self-tests.
Assessment:
VE.02.06.01
VE.02.06.01 Vendor documentation shall specify how the cryptographic module
ensures that all data output via the data output interface is inhibited
whenever the module is in an error state (error states are covered in
Section 4). Status information may be allowed from the status output
interface to identify the type of error, as long as no CSPs, plaintext
data, or other information that if misused could lead to a compromised.
Assessment:
VE.02.06.02
VE.02.06.02 Vendor documentation shall specify how the design of the
cryptographic module ensures that all data output via the data output
interface is inhibited whenever the module is in a self-test condition
(self-tests are covered in Section 9). Status information to display the
results of the self-tests may be allowed from the status output interface,
as long as no CSPs, plaintext data, or other information that if misused
Assessment:
AS.02.07 All input commands, signals, and control data (including calls and
manual controls such as switches, buttons, and keyboards) used to
control the operation of the cryptographic module shall enter via the
"control input" interface.
Assessment:
VE.02.07.01
VE.02.07.01 The cryptographic module shall have a control input interface. All
commands, signals, and control data (except data entered via the data
input interface) used to control the operation of the cryptographic
module shall enter via the control input interface, including:
1. Commands input logically via an API (e.g., for the software and
firmware components of the cryptographic module)
2. Signals input logically or physically via one or more physical ports
(e.g., for the hardware components of the cryptographic module)
3. Manual control inputs (e.g., using switches, buttons, or a keyboard)
4. Any other input control data
Assessment:
VE.02.07.02
VE.02.07.02 If applicable, vendor documentation shall specify any external input
devices to be used with the cryptographic module for the entry of
commands, signals, and control data into the control input interface,
such as smart cards, tokens, or keypads.
Assessment:
AS.02.08 All output signals, indicators, and status data (including return codes
and physical indicators such as Light Emitting Diodes and displays)
used to indicate the status of the cryptographic module shall exit via the
"status output" interface.
Assessment:
VE.02.08.01
VE.02.08.01 The cryptographic module shall have a status output interface. All
status information, signals, logical indicators, and physical indicators
used to indicate or display the status of the module shall exit via the
status output interface, including:
1. Status information output logically via an API
2. Signals output logically or physically via one or more physical
3. Manual status outputs (e.g., using LEDs, buzzers, or a display)
4. Any other output status information
Assessment:
VE.02.08.02
VE.02.08.02 If applicable, vendor documentation shall specify any external output
devices to be used with the cryptographic module for the output of
status information, signals, logical indicators, and physical indicators via
the status output interface, such as smart cards, tokens, displays,
and/or other storage devices.
Assessment:
AS.02.09 All external electrical power that is input to the cryptographic module
(including power from an external power source or batteries) shall enter
via a power port.
Assessment:
VE.02.09.01
VE.02.09.01 If the cryptographic module requires or provides power to/from other
devices external to the boundary (e.g., a power supply or an external
battery), vendor documentation shall specify a power interface and a
corresponding physical port. All power entering or exiting the
cryptographic module to/from other devices external to the
cryptographic boundary shall pass through the specified power
Assessment:
AS.02.10 The cryptographic module shall distinguish between data and control
for input and data and status for output.
Assessment:
VE.02.10.01
VE.02.10.01 Vendor documentation shall specify how the cryptographic module
distinguishes between data and control for input and data and status for
output, and how the physical and logical paths followed by the input
data and control information entering the module via the applicable
input interfaces are logically or physically disconnected from the
physical and logical paths followed by the output data and status
information exiting the module via the applicable output interfaces.
Assessment:
AS.02.11 All input data entering the cryptographic module via the "data input"
interface shall only pass through the input data path.
Assessment:
VE.02.11.01
VE.02.11.01 Vendor documentation shall specify the physical and logical paths used
by all major categories of input data entering the cryptographic module
via the data input interface and the applicable physical ports. The
documentation shall include a specification of the applicable paths (e.g.,
by highlighted or annotated copies of the schematics, block diagrams,
or other information provided under AS01.08, AS01.09, and AS01.13).
All input data entering the cryptographic module via the data input
interface shall only use the specified paths while being processed or
stored by each physical or logical sub-section of the module.
Assessment:
AS.02.12 All output data exiting the cryptographic module via the "data output"
interface shall only pass through the output data path.
Assessment:
VE.02.12.01
VE.02.12.01 Vendor documentation shall specify the physical and logical paths used
by all major categories of output data exiting the cryptographic module
via the data output interface and the applicable physical ports. The
documentation shall include a specification of the applicable paths (e.g.,
by highlighted or annotated copies of the schematics, block diagrams,
or other information provided under AS01.08, AS01.09, and AS01.13).
All output data exiting the cryptographic module via the data output
interface shall only use the specified paths.
Assessment:
AS.02.13 The output data path shall be logically disconnected from the circuitry
and processes while performing key generation, manual key entry, or
key zeroization.
Assessment:
VE.02.13.01
VE.02.13.01 Vendor documentation shall specify how the physical and logical paths
used by all major categories of output data exiting the cryptographic
module are logically or physically disconnected from the processes
performing key generation, manual key entry, and zeroization of
cryptographic keys and CSPs. The cryptographic module shall not
allow the specified key processes to pass key/CSP information to the
output data path, and shall not allow output data exiting the module to
interfere with the key processes.
Assessment:
AS.02.14 To prevent the inadvertent output of sensitive information, two
independent internal actions shall be required to output data via any
output interface through which plaintext cryptographic keys or CSPs or
sensitive data are output (e.g., two different software flags are set, one
of which may be user initiated; or two hardware gates are set serially
Assessment:
VE.02.14.01
VE.02.14.01 If the cryptographic module allows plaintext cryptographic key
components or other unprotected CSPs to be output on one or more
physical ports, two independent internal actions shall be performed by
the module before the plaintext cryptographic key components or other
unprotected CSPs may be output. Vendor documentation shall specify
the two independent internal actions performed and how the two
independent internal actions protect against the inadvertent release of
the plaintext cryptographic key components or other unprotected CSPs.
Assessment:
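The following is an added illustration, not part of this VE form or of any vendor's module: a minimal C model of the four logical interfaces that shows the design behaviour AS.02.06 and AS.02.14 ask vendors to document, namely data output inhibited in the error state and during self-tests (status output remaining available), and two independent internal actions gating any plaintext CSP output. All type, function and command names (mod_control, mod_key_mgmt_arm_export, "SELFTEST_BEGIN", etc.) are hypothetical.

```c
/* Added example (hypothetical names, not from the FIPS 140-2 VE form):
 * a module whose data output path is inhibited outside the operational
 * state and whose plaintext CSP export needs two independent flags. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum mod_state { MOD_OPERATIONAL, MOD_SELF_TEST, MOD_ERROR };

struct module {
    enum mod_state state;
    bool export_authorized; /* action 1: operator command via control input */
    bool export_armed;      /* action 2: set internally by key management */
};

/* Control input interface: carries commands only, never data (AS.02.07). */
void mod_control(struct module *m, const char *cmd) {
    if (strcmp(cmd, "SELFTEST_BEGIN") == 0) m->state = MOD_SELF_TEST;
    else if (strcmp(cmd, "SELFTEST_PASS") == 0 && m->state == MOD_SELF_TEST) m->state = MOD_OPERATIONAL;
    else if (strcmp(cmd, "SELFTEST_FAIL") == 0) m->state = MOD_ERROR;
    else if (strcmp(cmd, "AUTHORIZE_EXPORT") == 0) m->export_authorized = true;
}

/* Internal key-management process arms export, independently of the operator. */
void mod_key_mgmt_arm_export(struct module *m) { m->export_armed = true; }

/* Status output interface: always usable, reports the state only, never CSPs. */
const char *mod_status(const struct module *m) {
    return m->state == MOD_ERROR ? "ERROR" : m->state == MOD_SELF_TEST ? "SELF_TEST" : "OPERATIONAL";
}

/* Data output interface: returns 0 bytes (inhibited) unless operational (AS.02.06). */
size_t mod_data_output(const struct module *m, const unsigned char *in,
                       size_t n, unsigned char *out) {
    if (m->state != MOD_OPERATIONAL) return 0;
    memcpy(out, in, n);
    return n;
}

/* Plaintext CSP output: data path open AND both independent flags set (AS.02.14);
 * the flags are consumed so each export needs both actions again. */
size_t mod_export_plaintext_csp(struct module *m, const unsigned char *csp,
                                size_t n, unsigned char *out) {
    if (m->state != MOD_OPERATIONAL || !m->export_authorized || !m->export_armed) return 0;
    memcpy(out, csp, n);
    m->export_authorized = m->export_armed = false;
    return n;
}
```

The one-shot reset of both flags is the part a reviewer checks: a single operator command or a single internal flag left set from an earlier export must never be enough on its own.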
AS.02.15 Documentation shall specify the physical ports and logical interfaces
and all defined input and output data paths. Note: This assertion is not
separately tested. Verification of vendor documentation is performed
under assertions AS02.01 to AS02.14 and AS02.16 to AS02.18.