Access Control Policy; Key Generation; Key Storage; Key Entry And Output - Lexmark 10G0149 - PrintCryption Card Encryption Module Manual

FIPS 140-2 non-proprietary security policy

RSA Private Key
Integrity Check Keys
X9.31 PRNG

Access Control Policy

User functionalities have read/write access to the AES Session Key and the RSA
public key. The AES Session Key is used to decrypt the data for printing. The RSA
public key is used for AES Session Key transport. The Integrity Check Keys can be
read by the Crypto-Officer "Run Self-Test" service.

Key Generation

The module key is an internally generated 1024-bit RSA key pair, produced using
PKCS#1-compliant key generation techniques. The FIPS-approved PRNG X9.31
Appendix A.2.4 is used to seed the RSA key generation mechanism. The AES Session
Key is generated outside of the module and imported via RSA key transport.

Key Storage

The AES Session Key is held in plaintext in volatile memory only. The RSA
public key is stored in flash memory in an X.509 certificate in plaintext, and the
RSA private key is stored in flash memory in plaintext.

Key Entry and Output

All keys that are entered into (AES key) or output from (RSA certificate) the
module are electronically entered or output. The AES Session Key enters the
module transported (encrypted) by the RSA public key.

Key Zeroization

The AES Session Key is an ephemeral key which is zeroized after the connection is
closed or by rebooting the module. The module provides no service to erase or
discard the RSA key pair. The key pair is erased by overwriting the flash image
with a new image.
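
The zeroize-on-close behaviour described above, as an added C example that is not Lexmark's firmware code: the `session` struct, the function names and the 16-byte key length are assumptions. The overwrite goes through a volatile pointer so the compiler cannot remove it as a dead store.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AES_KEY_LEN 16  /* assumed key size; the page does not state one */

/* Hypothetical per-connection state holding the plaintext session key. */
struct session {
    uint8_t aes_key[AES_KEY_LEN];
    int     open;
};

/* Overwrite through a volatile pointer so the stores cannot be dropped
 * as dead writes, which may happen with a plain memset() on a buffer
 * that is never read again. */
static void zeroize(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

/* Install a session key already unwrapped by the RSA key transport step. */
int session_open(struct session *s, const uint8_t *key, size_t len)
{
    if (s == NULL || key == NULL || len != AES_KEY_LEN)
        return -1;
    memcpy(s->aes_key, key, AES_KEY_LEN);
    s->open = 1;
    return 0;
}

/* Connection teardown: the key must not outlive the connection. */
void session_close(struct session *s)
{
    if (s == NULL)
        return;
    zeroize(s->aes_key, sizeof s->aes_key);
    s->open = 0;
}

/* Returns 1 if no key byte remains set; ORs every byte, no early exit. */
int session_key_is_clear(const struct session *s)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < AES_KEY_LEN; i++)
        acc |= s->aes_key[i];
    return acc == 0;
}
```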

Self-Tests

The PrintCryption module runs power-up and conditional self-tests to verify that
it is functioning properly. Power-up self-tests are performed during startup of the
module, and conditional self-tests are executed whenever specific conditions are
met.
© Copyright 2006 Lexmark International Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

RSA Private Key | 1024 bit RSA private key (80-bits of security) | Internally generated using PKCS#1 key generation mechanism | Stored on flash in plaintext. Zeroized by overwriting the flash image. | Key transport
Integrity Check Keys | HMAC keys | Externally generated, hard coded in the module | Stored on flash in plaintext. Zeroized by overwriting the flash image. | Firmware Integrity test
X9.31 PRNG | 2-key TDES keys, 8 bytes of seed value | Internally generated | Held in volatile memory only in plaintext. Zeroized on reboot. | RNG

Table 5 – Listing of Key and Critical Security Parameters
