Manualshelf

Reference Guide

ManualsBrandsDell ManualsBSAFEBSAFE Crypto-J
11121314151617181920
Crypto-C ME Cryptographic Toolkit 15
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy
Level 1 with Level 2
PIN Data
PIN data supplied by the application is hashed using the SHA-512 algorithm to
generate 64 bytes of authentication data, which is stored in the roles database.
To prevent successful random authentication attempts the application must set random
PIN data of sufficient security strength. The PIN must contain random data with the
equivalent of a minimum of 74 effectively random bits. The actual length of the PIN
data depends upon the randomness of the source of PIN data used by the application.
The minimum length of the PIN specified in this Security Policy document is
sufficient to prevent brute force searching of the PIN value with a probability greater
than 1 in 100000 over a period of one minute when the hash calculations are
performed by a computing resource with the performance equivalence of a cluster of
up to one million Amazon EC2 GPU instances. Other considerations of the
application environment might require other PIN lengths. Up to 64 bytes of PIN data
can be passed to the module by a call to assume a role.
2.3.2 Crypto Officer Role
The Crypto Officer is responsible for installing and loading the cryptographic module.
After the module is installed and operational, an operator can assume the Crypto
Officer role by calling
R_PROV_FIPS140_assume_role() with
R_FIPS140_ROLE_OFFICER. The preinstalled authentication callback function will
gather PIN data during the call. A message digest of the PIN, generated using
SHA-512, is checked against the authentication data held by the roles database.
An operator assuming the Crypto Officer role can call any Crypto-C ME function. For
a complete list of functions available to the Crypto Officer, see “Services” on page 29.
2.3.3 Crypto User Role
An operator can assume the Crypto User role by calling
R_PROV_FIPS140_assume_role() with R_FIPS140_ROLE_USER. The
preinstalled authentication callback function will gather PIN data during the call. A
message digest of the PIN, generated using SHA-512, is checked against the
authentication data held by the roles database.
An operator assuming the Crypto User role can use the entire Crypto-C ME API except
for
R_PROV_FIPS140_self_test_full()
, which is reserved for the Crypto
Officer. For a complete list of Crypto-C ME functions, see
“Services” on page 29
.