Security Policy, version 1.0 January 31, 2008
HP StorageWorks Secure Key Manager
Page 19 of 26
© 2008 Hewlett-Packard Company
This document may be freely reproduced in its original entirety.
| Key | Key Type | Generation / Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Log signing keys | 1024-bit RSA public and private keys | Generated by ANSI X9.31 DRNG at first-time initialization | Never | In non-volatile memory | When new log signing keys are generated on demand by Crypto Officer | Sign logs and verify signature on logs |
| ANSI X9.31 DRNG seed | DRNG seed | Generated by non-Approved RNG | Never | In non-volatile memory | When module is powered off | Initialize ANSI X9.31 DRNG |
| PKEK | 256-bit AES key | Generated by ANSI X9.31 DRNG | In encrypted form for backup purposes only | In non-volatile memory | At operator delete or by zeroize request | Encrypt client keys |

2.7.2 Key Generation
The module uses an ANSI X9.31 DRNG with 2-key 3DES to generate cryptographic keys. This DRNG is a FIPS
140-2 approved DRNG as specified in Annex C to FIPS PUB 140-2.
2.7.3 Key/CSP Zeroization
All ephemeral keys are stored in volatile memory in plaintext. Ephemeral keys are zeroized when they are no longer
used. Other keys and CSPs are stored in non-volatile memory with client keys being stored in encrypted form.
To zeroize all keys and CSPs in the module, the Crypto Officer should execute the reset factory settings
zeroize command at the serial console interface. For security reasons, this command is available only through the
serial console.
2.8 Self-Tests
The device implements two types of self-tests: power-up self-tests and conditional self-tests.
Power-up self-tests include the following tests:
- Firmware integrity tests
- Known Answer Test (KAT) on 3DES
- KAT on AES
- KAT on SHA-1
- KAT on SHA-256
- KAT on SHA-384
- KAT on SHA-512
- KAT on HMAC SHA-1
- KAT on HMAC SHA-256
- KAT on ANSI X9.31 DRNG
- KAT on Diffie-Hellman
- KAT on SSH Key Derivation Function
- KAT on RSA signature generation and verification
- Pairwise consistency test on DSA signature generation and verification
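
The following is an added example, not part of this security policy or of the module's firmware: a power-up KAT runner for the hash and HMAC entries in the list above, using the published "abc" vectors from FIPS 180 and test case 2 from RFC 2202 and RFC 4231. The Module class and all other names are assumptions made for illustration; the gate reflects the FIPS 140-2 rule that a module which fails a self-test performs no cryptographic operations.

```python
import hashlib
import hmac

# Published vectors: "abc" digests from FIPS 180; HMAC test case 2 from
# RFC 2202 (SHA-1) and RFC 4231 (SHA-256).
MSG = b"abc"
KEY, DATA = b"Jefe", b"what do ya want for nothing?"

# name -> (function under test, known answer as lowercase hex)
KATS = {
    "SHA-1": (lambda: hashlib.sha1(MSG).hexdigest(),
              "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-256": (lambda: hashlib.sha256(MSG).hexdigest(),
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "SHA-384": (lambda: hashlib.sha384(MSG).hexdigest(),
                "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded163"
                "1a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7"),
    "SHA-512": (lambda: hashlib.sha512(MSG).hexdigest(),
                "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    "HMAC SHA-1": (lambda: hmac.new(KEY, DATA, hashlib.sha1).hexdigest(),
                   "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    "HMAC SHA-256": (lambda: hmac.new(KEY, DATA, hashlib.sha256).hexdigest(),
                     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
}

def run_power_up_kats(kats=KATS):
    """Run every KAT; return the names that failed (empty list = all passed)."""
    failed = []
    for name, (compute, expected) in kats.items():
        try:
            ok = hmac.compare_digest(compute(), expected)
        except Exception:  # a primitive that crashes counts as a failed test
            ok = False
        if not ok:
            failed.append(name)
    return failed

class Module:
    """Hypothetical service gate: no crypto output unless every KAT passed."""

    def __init__(self, kats=KATS):
        self.failed = run_power_up_kats(kats)

    def sha256(self, data):
        if self.failed:
            raise RuntimeError("self-test failed: " + ", ".join(self.failed))
        return hashlib.sha256(data).hexdigest()
```
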
Conditional self-tests include the following tests: