PROMETHEUS Talon FIPS 140-2 Manual

Cryptographic module

Prometheus Security Group Global, Inc.
Talon™ Multi-Function Security Appliance
FIPS 140-2 Cryptographic Module
Non-Proprietary Security Policy
Document: 030-00004-001
Version: 1.2
Date: 2/10/2017
Prometheus Security Group Global
Document 030-00004-001 Version 1.1
Page 1 of 41
PSGG Public Material – May be reproduced only in its original entirety (without revision).


Summary of Contents for PROMETHEUS Talon FIPS 140-2

  • Page 2: Table 1 - Revision History

    This product, including any software and documentation, is the property of Prometheus Security Group Global, Inc. and/or its licensors. This document may be reproduced only in its original entirety (without revision). Copyright © 2016 by Prometheus Security Group Global, Inc. All rights reserved.
  • Page 3: Table Of Contents

    Configuration Requirements to Maintain Security of Module ............ 39; 8.1.2 Decommissioning the Unit via Procedural Zeroization .............. 40; References and Definitions .................... 41
  • Page 4 Table 21 – Module Configuration Requirements .................. 39; Table 22 – References .......................... 41; Table 23 – Acronyms and Definitions ...................... 41
  • Page 5 Figure 12 – Tampered Product Seal #2 ....................... 33; Figure 13 – Tampered Product Seal #3 ....................... 33; Figure 14 – Cryptography Engine LED Indicators .................. 34
  • Page 6: Introduction

    1 Introduction The Prometheus Security Group Global, Inc. Talon™ Multi-Function Security Appliance (MFSA) is a ruggedized, multi-function ultra-high security and surveillance appliance providing standards compliant, secure delivery of video, audio, sensor, control and data over an IP network. The end user can rest assured that their sensitive and critical data is reliably transported and securely delivered.
  • Page 7: Table 3 - Hardware Configuration Options

    The Module implementation is compliant with the following standards and certifications: • TUV-SUD 60950-1 (equivalent to UL 60950-1) o CB Scheme IEC tested
  • Page 8 FCC 47 CFR part 15 as a Class B device • IEC-61000-4-2, Level 1 • RoHS • ONVIF Profile S
  • Page 9: Hardware And Physical Cryptographic Boundary

    Figure 1 of the top enclosure depicts the physical cryptographic boundary, which is the entire product enclosure. Figure 1 – Talon Analog MFSA (Top-View)
  • Page 10: Figure 2 – Talon Analog MFSA w/ FIPS Tamper Seals (Bottom-View)

    Figure 2 – Talon Analog MFSA w/ FIPS Tamper Seals (Bottom-View)
  • Page 11: Figure 3 – Talon Analog MFSA Fan, Rear LEDs and Labeling (Rear-View)

    Figure 3 – Talon Analog MFSA Fan, Rear LEDs and Labeling (Rear-View)
  • Page 12: Standard Definition (SD) MFSA Connectors Explained

    RS485+ (red arrow points to pin 1), RS485-, Ground, RS422 RX+, RS422 RX-, Ground, RS232 TX, RS232 RX
  • Page 13: High Definition (HD) MFSA Connectors Explained

    8. Audio Output – Optional Line Level – 3.5 mm TRS 9. Serial Communications RS485+ (red arrow points to pin 1)
  • Page 14: Physical Ports & Interfaces

    Tamper Monitoring Provides tamper mitigation Control In Table 5 – Physical Ports and Interfaces
  • Page 15: Logical To Physical Interface Mapping & Function

    FIRMWARE STATUS: GREEN – SELF TESTS PASSED, FIRMWARE OPERATING NORMALLY; FIRMWARE STATUS: FIRMWARE INTEGRITY CHECK FAILURE
  • Page 16: Table 7 – Talon MFSA LED Indicators

    AMBER Table 7 – Talon MFSA LED Indicators Figure 6 – Talon MFSA LED Indicator for Tamper Response
  • Page 17: Firmware And Cryptographic Functionality

    The ONVIF (Open Network Video Interface Forum) Module handles all configuration and communication relating to compliance with the core specification as well as Profiles S (media streaming and control) and Profile G (stored media and retrieval).
  • Page 18: Mode Of Operation

    4) The Security Status Menu in the Web User interface should show FIPS running mode a) Reference document # 030-00004-013 for how to access and read this menu
  • Page 19: Cryptographic Functionality

    Functions: TLS v1.0/1.1 KDF (Note that TLS v1.1 is not implemented; the KDF is the same for TLSv1.0 and TLSv1.1.)
  • Page 20: Non-Approved But Allowed Cryptographic Functions

    Ring-oscillator-based NDRNG within the i.MX6Q processor provides the CTR_DRBG with entropy. This entropy is sufficient for the module’s strongest randomly generated keys (DH-3072, which has 128 bits of strength).
  • Page 21: FIPS Mode Allowed Protocols

    Used for login of the Factory Support role. 802.1X EAP-TLS EAP-TLS Master Secret Master Secret;
  • Page 22 Pre-calculated HMAC-SHA-1 digests; User and CO Passwords Used for Crypto Officer and User role authentication. LIBGCRYPT
  • Page 23: Public Keys

    Used to verify firmware integrity when updating to new firmware versions is attempted. Table 12 – Public Keys
  • Page 24: Roles, Authentication And Services

    This role has no access to security relevant features.
  • Page 25: Authentication Methods
  • Page 26: System Administration

    Network Firewall This uses no CSPs, but controls routing of data over the secure VPN tunnel. Prometheus Security Group Global Document 030-00004-001 Version 1.1 Page 26 of 41 PSGG Public Material – May be reproduced only in its original entirety (without revision).
  • Page 27: Table 15 – Authenticated Services (CO, U & F)

    Inputs: Console commands Outputs: Console command responses Table 15 – Authenticated Services (CO, U & F)
  • Page 28: Unauthenticated Services

    W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, when the module generates a CSP, or when the module overwrites an existing CSP.
  • Page 29 Note 1: Services not listed in the table above do not access any CSPs. Note 2: The keys not zeroized by the Tamper Monitoring service are protected by the MCU Master Key and rendered unrecoverable upon Master Key zeroization.
  • Page 30: Self-Tests

    Table 18 – Power Up Self-tests The module performs the following additional conditional self-tests during operation as shown in Table 19 – Conditional Self-tests.
  • Page 31: Table 19 - Conditional Self-Tests

    Table 20 – Critical Function Self-tests
  • Page 32: Physical Security Policy

    The two tamper evident seals are placed on the sides of the device in the following locations noted in the figure below: Figure 10 – Talon Tamper Evident Seals Applied
  • Page 33: Figure 11 - Tampered Product Seal #1

    Figure 11 – Tampered Product Seal #1 Figure 12 – Tampered Product Seal #2 Figure 13 – Tampered Product Seal #3
  • Page 34: Cryptographic Engine Light Emitting Diode (LED) Inspection

    When the battery life is at an acceptable level the icon will be green and read . When the battery drops below the thresholds discussed below, the icon turns red and reads
  • Page 35: Components Quality

    5.1.5 Components Quality The module is produced with either commercial or industrial grade components capable of meeting a minimum of commercial specifications for power, temperature, reliability, shock and vibration.
  • Page 36: Operational Environment

    FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-2 validation.
  • Page 37: Mitigation Of Other Attacks Policy

    While not meeting Level 3 physical security, the module does provide tamper response functionality within its shielded secure area. Attempts to remove the cover from this area will trigger the mechanism, which zeroizes the MCU Master Key.
  • Page 38: Security Rules And Guidance

    CSPs. This section documents the security rules imposed by the vendor. 1. The module does not support the update of the logical serial number or vendor ID.
  • Page 39: Configuration Requirements To Maintain Security Of Module

    IP tables of the Module, IF the VPN is part of the intended operational environment. Table 22 – Module Configuration Requirements
  • Page 40: Decommissioning The Unit Via Procedural Zeroization

    7) Re-apply power to the unit and ensure that it boots up to a state where all LED indicators are RED as shown in Figure 6. 8) Decommissioning via procedural zeroization is completed.
  • Page 41: References And Definitions

    Open Network Video Interface Forum Part Number Standard Definition Table 24 – Acronyms and Definitions