S 4.85 Design of suitable interfaces for crypto modules
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer
The design and configuration options of a crypto module should allow the entire flow of information to and from the module, and even direct physical access to the data stored in the module, to be controlled or restricted as necessary. Depending on the application or the protection requirements, it may be advisable to use physically separate input and output ports. In any case, the module interfaces should be set up so that the individual data channels are logically separated from each other, even where they share a common input or output port. In connection with the key management functions of the crypto module, it must be guaranteed that the output channels are separated (at least logically) from internal key generation and from the input port for manual key entry. In many cases there will be separate interfaces for the connection of an external supply voltage or an external clock signal, and for the exclusive use of repair or maintenance tasks. From the standpoint of the crypto module, it therefore makes sense to divide the interfaces up and use them as follows:
- Data input interface, which carries all the input data for the crypto module that is to be processed or edited in the module (e.g. cryptographic keys, authentication information, status information from other crypto modules, plaintext data etc.).
- Data output interface, which carries all of the data from the crypto module that is to be passed from the module to its environment (e.g. encrypted data, authentication information, control information for other crypto modules, etc.).
- Control input interface, which carries all control commands, control signals and control data used for sequence control and for setting the module's mode of operation.
- Status output interface, which outputs all signals, indications and data to the environment in order to indicate the internal security status of the crypto module.
And finally:
- Maintenance interface, which is used exclusively for maintenance and/or repair purposes.
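The following model, added here as an illustration and not part of the BSI text, shows the five logical interfaces sharing one physical port: every frame carries a channel tag, output channels refuse inbound traffic, the maintenance channel is usable only in maintenance mode, and a guard on every outgoing frame enforces that the manually entered key never reaches an output channel. The frame format, command strings and the use of HMAC-SHA256 as the module's cryptographic function are assumptions of this example.

```python
from enum import Enum
import hmac

class Channel(Enum):
    # The five logical interfaces; one tag byte selects the channel on the shared port.
    DATA_IN, DATA_OUT, CONTROL_IN, STATUS_OUT, MAINTENANCE = range(5)

INPUT_CHANNELS = {Channel.DATA_IN, Channel.CONTROL_IN, Channel.MAINTENANCE}

class CryptoModule:
    def __init__(self):
        self._key = None          # entered over DATA_IN, must never leave the module
        self._maintenance = False

    def _emit(self, channel, payload):
        # Output side of the logical separation: no frame may carry the stored key.
        if self._key and self._key in payload:
            raise RuntimeError("key material blocked on " + channel.name)
        return (channel, payload)

    def _status(self):
        state = b"maintenance" if self._maintenance else (b"key_loaded" if self._key else b"no_key")
        return self._emit(Channel.STATUS_OUT, b"status:" + state)

    def receive(self, frame):
        """Demultiplex one frame from the shared port and return the frames emitted."""
        if not frame or frame[0] not in range(5):
            return [self._emit(Channel.STATUS_OUT, b"error:bad_frame")]
        tag, payload = Channel(frame[0]), frame[1:]
        if tag not in INPUT_CHANNELS:          # traffic arriving on an output channel
            return [self._emit(Channel.STATUS_OUT, b"error:inbound_on_output_channel")]
        if tag is Channel.CONTROL_IN:          # mode switching only, never data or keys
            if payload == b"maintenance:enter":
                self._maintenance = True
            elif payload == b"maintenance:exit":
                self._maintenance = False
            return [self._status()]
        if tag is Channel.MAINTENANCE:         # usable exclusively in maintenance mode
            if not self._maintenance:
                return [self._emit(Channel.STATUS_OUT, b"error:maintenance_channel_closed")]
            return [self._emit(Channel.STATUS_OUT, b"maint:" + payload + b":done")]
        # DATA_IN: manual key entry and plaintext share the channel but are tagged apart.
        if self._maintenance:
            return [self._emit(Channel.STATUS_OUT, b"error:data_refused_in_maintenance")]
        if payload.startswith(b"KEY:"):
            self._key = payload[4:]
            return [self._status()]
        if self._key is None:
            return [self._emit(Channel.STATUS_OUT, b"error:no_key")]
        mac = hmac.new(self._key, payload, "sha256").digest()
        return [self._emit(Channel.DATA_OUT, mac), self._status()]
```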
The documentation for a crypto component should contain a description of all components (hardware, firmware and/or software).
Furthermore, the documentation should contain the complete specification of the module interfaces as well as the physical or logical ports, manual or logical control units, physical or logical indicating elements and their physical, logical or electrical properties. If a crypto component contains a maintenance interface, the documentation should also provide a full specification of the maintenance processes that have to be performed. All physical and logical input and output channels within the module must be explicitly declared. In addition to specific details of the way the crypto component is integrated into the intended application environment, the methods of operating and using the crypto component must also be described.
The documentation should also contain a survey of the security functionality, and if possible point out dependence on hardware, firmware or software that is not included directly in the scope of supply of the crypto component, depending on the conceptual design of the component.
The documentation of the module interfaces must be provided by the module vendor. It is required in a variety of circumstances, for example by an administrator who intends to integrate the crypto module into his/her system environment, or by an evaluator who wishes to carry out a security assessment of the crypto module.
Review questions:
- Do the configuration options of the crypto modules used allow the entire flow of information and accesses to be controlled or restricted?
- Is the documentation of the crypto component and its module interface complete?
- Are the maintenance processes that have to be performed for crypto components fully documented?