Oberthur ID-One Cosmo 128 V5.5 for DoD Common Access Card (CAC)


Oberthur ID-One Cosmo 128 v5.5 for DoD Common Access Card (CAC)
FIPS 140-2 Level 2 Security Policy
Public Version
Version 3
June 5, 2015

Oberthur Technologies of America Corp.
4250 Pleasant Valley Road
Chantilly, VA 20151-1221
USA
+1 (703) 263-0100

© 2015 Oberthur Technologies of America Corp. This document may be reproduced only in its original entirety without revision.

Oberthur ID-One Cosmo128 v5.5 for DoD CAC Smart Card Cryptographic Module FIPS 140-2 Level 2 Security Policy

Document Version Information

Table 1 lists the version history of this Security Policy.

Version   Date            Description
V 1       June 5, 2009    Official Release
V 2       July 19, 2010   Firmware number update
V 3       June 5, 2015    Firmware number update

June 5, 2015 Version 2 Page 2 of 55

Table of Contents

1 INTRODUCTION
2 MODULE OVERVIEW
  2.1 ID-ONE COSMO 128 V5.5
    2.1.1 Common Criteria Protection Mechanisms
    2.1.2 Product Form Factors
    2.1.3 Product Terminology
  2.2 ACTIVIDENTITY DIGITAL IDENTITY APPLET SUITE V2 FOR EXTENDED PIV
3 SECURITY LEVEL
4 CRYPTOGRAPHIC MODULE SPECIFICATIONS
  4.1 TARGET OF VALIDATION
  4.2 ID-ONE COSMO 128 V5.5
    4.2.1 Module Hardware
    4.2.2 Module Firmware
    4.2.3 Module Firmware Extensions
    4.2.4 Locks Configuration
    4.2.5 Module Identification
    4.2.6 FIPS Approved Security Functions
  4.3 ACTIVIDENTITY APPLET V2 FOR EXTENDED PIV
5 PORTS AND INTERFACES
  5.1 PHYSICAL PORT: SMART CARD CONTACT PLATE
    5.1.1 Interface Physical Specifications
    5.1.2 Interface Electrical Specifications
    5.1.3 Condition of use
  5.2 PHYSICAL PORT: CONTACTLESS MODE
    5.2.1 Interface Physical Specifications
    5.2.2 Interface Electrical Specifications
    5.2.3 Condition of use
  5.3 LOGICAL INTERFACE DESCRIPTION
    5.3.1 APDU Commands
    5.3.2 API Interface
6 ROLES AND SERVICES
  6.1 IDENTIFICATION
  6.2 ROLES
    6.2.1 User Roles
    6.2.2 Cryptographic Officers roles
    6.2.3 Identity based Authentication
    6.2.4 User Role Authentication
    6.2.5 Cryptographic Officer Role Authentication
  6.3 SERVICES
    6.3.1 Cryptographic Officer Services
    6.3.2 Application Operator Services
    6.3.3 User Services (Card Holder)
  6.4 NO ROLE
  6.5 RELATIONSHIP BETWEEN ROLES, SERVICES AND CSP ACCESS
7 CRYPTOGRAPHIC KEY MANAGEMENT
  7.1 GLOBAL PIN
  7.2 ACA PIN
  7.3 PUK
  7.4 CRYPTOGRAPHIC KEYS
    7.4.1 Initial Issuer Transport Key
    7.4.2 Crypto-Officer keys in Card Manager
    7.4.3 Keys in Security Domains
    7.4.4 Keys from ActivIdentity Applets
    7.4.5 Keys Exchange
    7.4.6 Key Loading

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    55 Page