FIPSFSM: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (30 intermediate revisions by 4 users not shown) | |||
| Line 2: | Line 2: | ||
==Finite State Model== | ==Finite State Model== | ||
The NSS cryptographic module is | The state transition diagram of the NSS cryptographic module is shown below. | ||
When a program calls the <code>FC_Initialize</code> function of the NSS cryptographic module library, the state changes and power-up self-tests are performed. See [http://wiki.mozilla.org/Section_9:_Self_Tests Self Tests] for a description of the power-up self-tests. If the self-tests succeed, the library is considered initialized and the module enters the normal operational state. | [[ Image:Fsm8.png ]] | ||
The NSS cryptographic module has two modes of operation: FIPS Approved mode and non-FIPS Approved mode. The FIPS Approved mode is of more interest to the FIPS 140-2 validation and it is therefore shown with more details. When a program calls the <code>FC_Initialize</code> function of the NSS cryptographic module library, the state changes and power-up self-tests are performed. See [http://wiki.mozilla.org/Section_9:_Self_Tests Self Tests] for a description of the power-up self-tests. If the self-tests succeed, the library is considered initialized for the FIPS Approved mode and the module enters the normal operational state. Please refer to the tables below when studying this state transition diagram. | |||
'''Recovery from error states''': If the FIPS Approved mode of the module ever enters the Error state, the NSS cryptographic module library needs to be shut down (transition 3.0) and reinitialized (transition 1.1). | '''Recovery from error states''': If the FIPS Approved mode of the module ever enters the Error state, the NSS cryptographic module library needs to be shut down (transition 3.0) and reinitialized (transition 1.1). | ||
| Line 36: | Line 31: | ||
| 1.X|| Power Off | | 1.X|| Power Off | ||
| Host computer is powered off. The initial state.|| Host computer's power light is off. | | Host computer is powered off. The initial state.|| Host computer's power light is off. | ||
|- | |- | ||
| 1.A|| Inactive | | 1.A|| Inactive | ||
| | | Host computer is up and running.|| Host computer's power light is on. | ||
|- | |- | ||
| 1.B|| Power Up Self Test | | 1.B|| Power Up Self Test | ||
| Line 49: | Line 41: | ||
| NSS cryptographic module library has been initialized for the FIPS Approved mode and its self-tests have passed. Services that do not require logging in to the module are available.|| Public services can be invoked. Private services fail with the error code <code>CKR_USER_NOT_LOGGED_IN</code>. | | NSS cryptographic module library has been initialized for the FIPS Approved mode and its self-tests have passed. Services that do not require logging in to the module are available.|| Public services can be invoked. Private services fail with the error code <code>CKR_USER_NOT_LOGGED_IN</code>. | ||
|- | |- | ||
| 2 | | 2|| NSS User Services | ||
| Operator has successfully logged in to assume the NSS User role and has access to all the services provided by the FIPS Approved mode of the NSS cryptographic module.|| All services can be invoked. | | Operator has successfully logged in to assume the NSS User role and has access to all the services provided by the FIPS Approved mode of the NSS cryptographic module.|| All services can be invoked. | ||
|- | |- | ||
| 3|| Error | | 3|| Error | ||
| The FIPS Approved mode of the NSS cryptographic module either has failed a conditional test while performing a service or has failed a power-up or operator-initiated self-test. No further cryptographic operations will be performed.|| Only <code>FC_Finalize</code>, <code>FC_InitToken</code>, <code>FC_CloseSession</code>, <code>FC_CloseAllSessions</code>, <code>FC_WaitForSlotEvent</code>, and the "get info" functions (<code>FC_GetFunctionList</code>, <code>FC_GetInfo</code>, <code>FC_GetSlotList</code>, <code>FC_GetSlotInfo</code>, and <code>FC_GetTokenInfo</code>) can be invoked. <code>FC_Initialize</code> fails with the error code <code>CKR_CRYPTOKI_ALREADY_INITIALIZED</code>. All other functions fail with the error code <code>CKR_DEVICE_ERROR</code>. | | The FIPS Approved mode of the NSS cryptographic module either has failed a conditional test while performing a service or has failed a power-up or operator-initiated self-test. No further cryptographic operations will be performed.|| Only <code>FC_Finalize</code>, <code>FC_InitToken</code>, <code>FC_CloseSession</code>, <code>FC_CloseAllSessions</code>, <code>FC_WaitForSlotEvent</code>, and the "get info" functions (<code>FC_GetFunctionList</code>, <code>FC_GetInfo</code>, <code>FC_GetSlotList</code>, <code>FC_GetSlotInfo</code>, and <code>FC_GetTokenInfo</code>) can be invoked. <code>FC_Initialize</code> fails with the error code <code>CKR_CRYPTOKI_ALREADY_INITIALIZED</code>. All other functions fail with the error code <code>CKR_DEVICE_ERROR</code>. | ||
|- | |- | ||
| 5. | | 5.B|| Non-FIPS Mode | ||
| | | The non-FIPS Approved mode of the NSS cryptographic module has been activated. This is a composite state whose substates are not relevant to FIPS 140-2.|| <code>NSC_Initialize</code> has been called successfully. All other <code>NSC_xxx</code> functions may be called. | ||
| The non-FIPS Approved mode of the NSS cryptographic module has been activated. This is a composite state whose substates are not relevant to FIPS 140-2.|| All <code>NSC_xxx</code> functions may be called. | |||
|} | |} | ||
| Line 80: | Line 66: | ||
Output Event | Output Event | ||
|- | |- | ||
| 1.0|| Power Off|| | | 1.0|| Power Off|| Inactive|| Host computer is powered up|| None | ||
|- | |- | ||
| 1.1|| | | 1.1|| Inactive|| Power Up Self Test|| <code>FC_Initialize</code> called|| Opens the databases. Power-up self-tests initiated. | ||
|- | |- | ||
| 1.2|| Power Up Self Test|| Public Services|| Successful library initialization, software integrity test, and power-up self-tests|| <code>FC_Initialize</code> sets the internal Boolean state variable <code> | | 1.2|| Power Up Self Test|| Public Services|| Successful library initialization, software integrity test, and power-up self-tests|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>sftk_fatalError</code> to false and returns <code>CKR_OK</code> | ||
|- | |- | ||
| 1.3|| Power Up Self Test|| Error|| Software integrity test or power-up self-test failure|| <code>FC_Initialize</code> sets the internal Boolean state variable <code> | | 1.3|| Power Up Self Test|| Error|| Software integrity test or power-up self-test failure|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code> | ||
|- | |- | ||
| 1.4|| Public Services|| Error|| Conditional self-test (continuous random number generator test) failed while performing a service (random number generation)|| The function (<code>FC_SeedRandom</code> or <code>FC_GenerateRandom</code>) sets the internal Boolean state variable <code> | | 1.4|| Public Services|| Error|| Conditional self-test (continuous random number generator test) failed while performing a service (random number generation)|| The function (<code>FC_SeedRandom</code> or <code>FC_GenerateRandom</code>) sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code> | ||
|- | |- | ||
| 1.5|| Public Services|| NSS User Services|| User login succeeded|| <code>FC_Login</code> sets the internal Boolean state variable <code>isLoggedIn</code> to true and returns <code>CKR_OK</code> | | 1.5|| Public Services|| NSS User Services|| User login succeeded|| <code>FC_Login</code> sets the internal Boolean state variable <code>isLoggedIn</code> to true and returns <code>CKR_OK</code> | ||
| Line 94: | Line 80: | ||
| 1.6|| Public Services|| Public Services|| User login failed|| <code>FC_Login</code> returns a nonzero error code (e.g., <code>CKR_PIN_INCORRECT</code>) | | 1.6|| Public Services|| Public Services|| User login failed|| <code>FC_Login</code> returns a nonzero error code (e.g., <code>CKR_PIN_INCORRECT</code>) | ||
|- | |- | ||
| 1.7|| Public Services|| | | 1.7|| Public Services|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code> | ||
|- | |- | ||
| 2.1|| NSS User Services|| Public Services|| User logout requested|| <code>FC_Logout</code> sets the internal Boolean state variable <code>isLoggedIn</code> to false and returns <code>CKR_OK</code> | | 2.1|| NSS User Services|| Public Services|| User logout requested|| <code>FC_Logout</code> sets the internal Boolean state variable <code>isLoggedIn</code> to false and returns <code>CKR_OK</code> | ||
|- | |- | ||
| 2.5|| NSS User Services|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code> | |||
| 2.5|| NSS User Services|| | |||
|- | |- | ||
| 2.6|| NSS User Services|| Error|| Conditional self-test (continuous random number generator test or pair-wise consistency test) failed while performing a service (random number generation or key pair generation)|| The function (<code>FC_SeedRandom</code>, <code>FC_GenerateRandom</code>, or <code>FC_GenerateKeyPair</code>) sets the internal Boolean state variable <code> | | 2.6|| NSS User Services|| Error|| Conditional self-test (continuous random number generator test or pair-wise consistency test) failed while performing a service (random number generation or key pair generation)|| The function (<code>FC_SeedRandom</code>, <code>FC_GenerateRandom</code>, or <code>FC_GenerateKeyPair</code>) sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code> or <code>CKR_GENERAL_ERROR</code> | ||
|- | |- | ||
| 3.0|| Error|| | | 3.0|| Error|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code> | ||
|- | |- | ||
| 4.0|| Power | | 4.0|| Any state other than "Power Off"|| Power Off|| Host computer is powered off|| None | ||
|- | |- | ||
| 5.1|| | | 5.1|| Inactive|| Non-FIPS Mode|| <code>NSC_Initialize</code> called|| Opens the databases. <code>NSC_Initialize</code> returns <code>CKR_OK</code>. | ||
|- | |- | ||
| 5.2|| | | 5.2|| Non-FIPS Mode|| Inactive|| <code>NSC_Finalize</code> called|| <code>NSC_Finalize</code> returns <code>CKR_OK</code> | ||
|+ | |+ | ||
} | } | ||
Latest revision as of 19:15, 9 March 2007
This is a draft document.
Finite State Model
The state transition diagram of the NSS cryptographic module is shown below.
The NSS cryptographic module has two modes of operation: FIPS Approved mode and non-FIPS Approved mode. The FIPS Approved mode is of more interest to the FIPS 140-2 validation and it is therefore shown with more details. When a program calls the FC_Initialize function of the NSS cryptographic module library, the state changes and power-up self-tests are performed. See Self Tests for a description of the power-up self-tests. If the self-tests succeed, the library is considered initialized for the FIPS Approved mode and the module enters the normal operational state. Please refer to the tables below when studying this state transition diagram.
Recovery from error states: If the FIPS Approved mode of the module ever enters the Error state, the NSS cryptographic module library needs to be shut down (transition 3.0) and reinitialized (transition 1.1).
Inclusive statement: The action of the finite state model as a result of all other combinations of data and control inputs is defined as follows.
- If the data and control inputs are valid and the module performs the service successfully, the module outputs the requested data or status information and returns
CKR_OK. - If the data and control inputs are invalid or the module encounters an error (e.g., running out of memory) when performing a service, the module does not output any data and simply returns an appropriate error code (e.g.,
CKR_HOST_MEMORY,CKR_TOKEN_WRITE_PROTECTED,CKR_TEMPLATE_INCOMPLETE, orCKR_ATTRIBUTE_VALUE_INVALID).
The module stays in the current state.
States
|
State Label |
State Mnemonic |
State Description |
Distinct Indicator |
|---|---|---|---|
| 1.X | Power Off | Host computer is powered off. The initial state. | Host computer's power light is off. |
| 1.A | Inactive | Host computer is up and running. | Host computer's power light is on. |
| 1.B | Power Up Self Test | NSS cryptographic module library initialization for the FIPS Approved mode has been initiated. This state performs library initialization, software integrity test, and power-up self-tests. | The FC_Initialize call is executing.
|
| 1.C | Public Services | NSS cryptographic module library has been initialized for the FIPS Approved mode and its self-tests have passed. Services that do not require logging in to the module are available. | Public services can be invoked. Private services fail with the error code CKR_USER_NOT_LOGGED_IN.
|
| 2 | NSS User Services | Operator has successfully logged in to assume the NSS User role and has access to all the services provided by the FIPS Approved mode of the NSS cryptographic module. | All services can be invoked. |
| 3 | Error | The FIPS Approved mode of the NSS cryptographic module either has failed a conditional test while performing a service or has failed a power-up or operator-initiated self-test. No further cryptographic operations will be performed. | Only FC_Finalize, FC_InitToken, FC_CloseSession, FC_CloseAllSessions, FC_WaitForSlotEvent, and the "get info" functions (FC_GetFunctionList, FC_GetInfo, FC_GetSlotList, FC_GetSlotInfo, and FC_GetTokenInfo) can be invoked. FC_Initialize fails with the error code CKR_CRYPTOKI_ALREADY_INITIALIZED. All other functions fail with the error code CKR_DEVICE_ERROR.
|
| 5.B | Non-FIPS Mode | The non-FIPS Approved mode of the NSS cryptographic module has been activated. This is a composite state whose substates are not relevant to FIPS 140-2. | NSC_Initialize has been called successfully. All other NSC_xxx functions may be called.
|
Transitions
|
Trans # |
Current State |
Next State |
Input Event |
Output Event |
|---|---|---|---|---|
| 1.0 | Power Off | Inactive | Host computer is powered up | None |
| 1.1 | Inactive | Power Up Self Test | FC_Initialize called |
Opens the databases. Power-up self-tests initiated. |
| 1.2 | Power Up Self Test | Public Services | Successful library initialization, software integrity test, and power-up self-tests | FC_Initialize sets the internal Boolean state variable sftk_fatalError to false and returns CKR_OK
|
| 1.3 | Power Up Self Test | Error | Software integrity test or power-up self-test failure | FC_Initialize sets the internal Boolean state variable sftk_fatalError to true and returns CKR_DEVICE_ERROR
|
| 1.4 | Public Services | Error | Conditional self-test (continuous random number generator test) failed while performing a service (random number generation) | The function (FC_SeedRandom or FC_GenerateRandom) sets the internal Boolean state variable sftk_fatalError to true and returns CKR_DEVICE_ERROR
|
| 1.5 | Public Services | NSS User Services | User login succeeded | FC_Login sets the internal Boolean state variable isLoggedIn to true and returns CKR_OK
|
| 1.6 | Public Services | Public Services | User login failed | FC_Login returns a nonzero error code (e.g., CKR_PIN_INCORRECT)
|
| 1.7 | Public Services | Inactive | FC_Finalize called |
FC_Finalize returns CKR_OK
|
| 2.1 | NSS User Services | Public Services | User logout requested | FC_Logout sets the internal Boolean state variable isLoggedIn to false and returns CKR_OK
|
| 2.5 | NSS User Services | Inactive | FC_Finalize called |
FC_Finalize returns CKR_OK
|
| 2.6 | NSS User Services | Error | Conditional self-test (continuous random number generator test or pair-wise consistency test) failed while performing a service (random number generation or key pair generation) | The function (FC_SeedRandom, FC_GenerateRandom, or FC_GenerateKeyPair) sets the internal Boolean state variable sftk_fatalError to true and returns CKR_DEVICE_ERROR or CKR_GENERAL_ERROR
|
| 3.0 | Error | Inactive | FC_Finalize called |
FC_Finalize returns CKR_OK
|
| 4.0 | Any state other than "Power Off" | Power Off | Host computer is powered off | None |
| 5.1 | Inactive | Non-FIPS Mode | NSC_Initialize called |
Opens the databases. NSC_Initialize returns CKR_OK.
|
| 5.2 | Non-FIPS Mode | Inactive | NSC_Finalize called |
NSC_Finalize returns CKR_OK
|