Cryptography – General Physical Security Requirements
This post is part of the Computer Security – Cryptography posts series.
The following requirements shall apply to all physical embodiments:
- Documentation shall specify the physical embodiment and the security level for which the physical security mechanisms of a cryptographic module are implemented.
- Whenever zeroization is performed for physical security purposes, the zeroization shall occur in a sufficiently small time period so as to prevent the recovery of the sensitive information between the time of detection and the actual zeroization.
- If a module includes a maintenance role that requires physical access to the contents of the module, or if the module is designed to permit physical access (for instance, by the module vendor or other authorized individual), then:
  - A maintenance access interface shall be defined.
  - The maintenance access interface shall include all physical access paths to the contents of the cryptographic module, including any removable covers or doors.
  - Any removable covers or doors included within the maintenance access interface shall be safeguarded using the appropriate physical security mechanisms.
  - All Critical Security Parameters (and Public Security Parameters as well, if Security Level 5) shall be zeroized when the maintenance access interface is accessed.
SECURITY LEVEL 1
The following requirements shall apply to all cryptographic modules for this level of security:
- The cryptographic module shall consist of production-grade parts that shall include standard passivation techniques (for example, a conformal coating or a sealing coat applied over the module’s circuitry to protect against environmental or other physical damage).
- When performing physical maintenance, all Critical Security Parameters contained in the cryptographic module shall be zeroized. Zeroization shall either be executed procedurally by the operator or automatically by the cryptographic module.
SECURITY LEVEL 2
In addition to the general requirements for Security Level 1, the following requirements shall apply to all cryptographic modules for this level of security:
- The cryptographic module shall provide evidence of tampering (for instance, on the cover, enclosure, or seal) when physical access to the module is attempted.
- The tamper-evident material, coating or tamper-evident enclosure shall either be opaque or translucent within the visible spectrum (that is, light in the wavelength range of 400 nm to 750 nm) to prevent the gathering of information about the internal operations of the critical areas of the module.
- If the cryptographic module contains ventilation holes or slits, then the holes or slits shall be constructed in a manner that prevents the gathering of information about the module’s internal construction or components by direct visual observation using artificial light sources in the visible spectrum.
SECURITY LEVEL 3
In addition to the general requirements for Security Levels 1 and 2, the following requirements shall apply to all cryptographic modules for this level of security:
- If the cryptographic module contains ventilation holes or slits, then the holes or slits shall be constructed in a manner that prevents the gathering of information about the module’s internal construction or components by direct visual observation using artificial light sources in the visible spectrum, and the module shall contain tamper response and zeroization circuitry. The tamper response and zeroization circuitry shall immediately zeroize all Critical Security Parameters when a door is opened, a cover is removed, or when the maintenance access interface is accessed. The tamper response and zeroization circuitry shall remain operational when Critical Security Parameters are contained within the cryptographic module.
- If the cryptographic module contains ventilation holes or slits, then the holes or slits shall be constructed in a manner that prevents undetected physical probing inside the enclosure (for instance, require at least one 90 degree bend or obstruction with a substantial blocking material).
SECURITY LEVEL 4
In addition to the general requirements for Security Levels 1, 2, and 3, the following requirements shall apply to all cryptographic modules for this level of security:
- The cryptographic module shall be secured either by a hard opaque removal-resistant coating, or by a tamper detection envelope with tamper response and zeroization capability.
- The module shall either include Environmental Failure Protection features or undergo Environmental Failure Testing.
SECURITY LEVEL 5
In addition to the general requirements for Security Levels 1, 2, 3, and 4, the following requirements shall apply to all cryptographic modules for this level of security:
- The cryptographic module shall include Environmental Failure Protection features for both temperature and voltage.
- The cryptographic module shall be opaque to non-visual radiation examination (for instance, x-rays, MRI, thermal imaging, etc.).
- The cryptographic module shall include fault-tolerant features to provide protection from electrostatic discharge and electromagnetic radiation induced faults.

27 Responses to “Cryptography – General Physical Security Requirements”
good introduction about Cryptographic Modules
How do I move into the cryptography industry?
If you were in the United States, I would say talk to the National Security Agency
Do you have a diploma ?
I am a final year maths student at university and I would like to move into cryptography.
Most governments will have people doing cryptography, also internet security firms. They’ll probably want master’s level qualifications, so you might look around for advanced cryptography programs.
One book on the subject is “The Code Book” by Simon Singh.
If you really want to know the concepts, then read the book “Applied Cryptography” by Bruce Schneier.
One more recent book on the subject is “Introduction to Modern Cryptography: Principles and Protocols” by Jonathan Katz and Yehuda Lindell.
What is in Jonathan Katz's Introduction to Modern Cryptography:
1) Perfect security and Shannon's theorem (information theoretic security)
2) Computational security, indistinguishability, CPA
3) Pseudorandomness
4) One-way functions, hard-core predicate, Levin's theorem
5) Message Authentication Codes
6) Constructions of pseudorandom objects, AES, substitution-permutation networks
7) Relation between private-key, one-way functions and pseudorandomness
8) Number theory for cryptography
9) Computational number theory, factorization, square roots, discrete log, Diffie-Hellman problems
10) Public key, Goldwasser-Micali, ElGamal, Paillier, hybrid encryption, encryption schemes based on trapdoor permutations
11) Digital Signature Schemes
What is a trapdoor function in cryptography?
A trapdoor function is a function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the “trapdoor”. Trapdoor functions are widely used in cryptography.
What are URL tokens?
A URL token is a cryptographic token that protects URLs from being altered or tampered with.
This can have applications for protecting data and sessions, protecting static content, and using the token as an authentication tag.
How to protect static content?
The first solution is to put content in question as part of the query string and protect that:
/c/dir/myapp.cgi?doc=/other/dir/myfile.html&mac=…
But it is ugly.
The second solution is to use the CGI protocol's PATH function.
/c/directory/app/another/directory/myfile.html
If part of the path in the URL is a CGI-enabled application, the application is invoked with the PATH variable set to
/another/directory/myfile.html.
For creating the token, you’d pass in the static directory path /another/directory/myfile.html as the payload.
For verification you just extract the MAC from the beginning of the URL and continue.
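The PATH-based token scheme from the answer above, as an added example that is not the commenter's code: an HMAC-SHA256 tag over the static path is carried as the first path segment and checked before the file is served. The `/<mac>/<path>` layout, the function names and the demo key are assumptions made for this illustration.

```python
import hashlib
import hmac
import posixpath

# Constructed demo key; a real deployment loads a random secret from protected storage.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAC_HEX_LEN = 64  # hex length of an HMAC-SHA256 tag


def _canonical(path):
    """Accept only absolute paths that are already in normalized form."""
    if not path.startswith("/") or path.startswith("//") or "\x00" in path:
        raise ValueError("path must be absolute, single-rooted and NUL-free")
    # normpath resolves "..", "." and doubled slashes; any change means the
    # path was not canonical and could point somewhere other than what it shows.
    if posixpath.normpath(path) != path:
        raise ValueError("path is not in canonical form")
    return path


def _tag(key, payload):
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_token_path(static_path, key=SECRET_KEY):
    """Return '/<mac>/<static path>', to be appended after the CGI app's URL."""
    payload = _canonical(static_path)
    return "/" + _tag(key, payload) + payload


def verify_token_path(path_info, key=SECRET_KEY):
    """Return the static path if the leading MAC is valid, otherwise None."""
    parts = path_info.split("/", 2)  # ['', mac, 'rest/of/path']
    if len(parts) != 3 or parts[0] != "" or len(parts[1]) != MAC_HEX_LEN:
        return None
    try:
        payload = _canonical("/" + parts[2])
        expected = _tag(key, payload)
    except ValueError:  # also covers UnicodeEncodeError
        return None
    # Compare as bytes, in constant time, so the check neither raises on
    # non-ASCII input nor leaks where the first mismatch occurs.
    supplied = parts[1].encode("utf-8", "replace")
    ok = hmac.compare_digest(supplied, expected.encode("ascii"))
    return payload if ok else None
```

The verifier re-checks canonical form because a valid tag on one path must not be reusable with `..` segments appended after it.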
What standard to use to implement Public Key Cryptography?
I recommend using IEEE Standard P1363-2000. I also recommend reading Implementing Elliptic Curve Cryptography by Michael Rosing.
I need some books about Numerical Algorithms?
The Art of Computer Programming. Vol. 2, Seminumerical Algorithms by Donald Knuth
Prime Numbers: A Computational Perspective by Carl Pomerance.
Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications by Andrew Rukhin
What are the Cryptographic Standards?
NIST FIPS
IETF RFC
PKCS (RSA)
IEEE 1363
ANSI/ABA X9 standards
ISO Standards
What is the difference between cryptographic hashes and checksum hashes?
A cryptographic hash guards against malicious alteration of a message.
interesting post
a very good article about Cryptography – General Physical Security Requirements