FIPSFSM: Difference between revisions

2,557 bytes removed, 9 March 2007
no edit summary
(17 intermediate revisions by 4 users not shown)
Line 1: Line 1:
''This is a draft document.''
''This is a draft document.''
We use an extended finite state model called '''Statecharts''' to specify the operation of the NSS cryptographic module. [http://www.wisdom.weizmann.ac.il/~harel/SCANNED.PAPERS/Statecharts.pdf Statecharts], invented by David Harel to solve the state explosion problem of complex systems, extend the finite state model with two concepts:
* '''Hierarchical substates''' represent a refinement of a state, exposing more details. In addition to allowing us to specify a system's behavior at multiple levels of details, hierarchical substates can also reduce the number of transitions. A single transition leaving a composite state is equivalent to multiple transitions each leaving a hierarchical substate of the composite state. For example, transition 4.0 in our state transition diagram is such a transition.
* '''Concurrent substates''' represent concurrent subsystems that operate in parallel.
Statecharts have been adopted by the [http://www.uml.org/ Unified Modeling Language (UML)].


==Finite State Model==
==Finite State Model==


The state transition diagram of the NSS cryptographic module is shown below as a UML Statechart.
The state transition diagram of the NSS cryptographic module is shown below.


[[ Image:Fsm7.png ]]
[[ Image:Fsm8.png ]]


The NSS cryptographic module has two modes of operation: FIPS Approved mode and non-FIPS Approved mode. The two modes of operation are independent of each other -- they have their own copies of data structures and they are even allowed to be active at the same time. The two modes are represented by the two concurrent substates inside the Power On composite state. '''The module is FIPS 140-2 compliant only when the non-FIPS Approved mode is inactive (in state 5.A).''' The FIPS Approved mode on the left hand side is of more interest to the FIPS 140-2 validation and it is therefore shown with more details. When a program calls the <code>FC_Initialize</code> function of the NSS cryptographic module library, the state changes and power-up self-tests are performed. See [http://wiki.mozilla.org/Section_9:_Self_Tests Self Tests] for a description of the power-up self-tests. If the self-tests succeed, the library is considered initialized for the FIPS Approved mode and the module enters the normal operational state. Please refer to the tables below when studying this state transition diagram.
The NSS cryptographic module has two modes of operation: FIPS Approved mode and non-FIPS Approved mode. The FIPS Approved mode is of more interest to the FIPS 140-2 validation and it is therefore shown with more details. When a program calls the <code>FC_Initialize</code> function of the NSS cryptographic module library, the state changes and power-up self-tests are performed. See [http://wiki.mozilla.org/Section_9:_Self_Tests Self Tests] for a description of the power-up self-tests. If the self-tests succeed, the library is considered initialized for the FIPS Approved mode and the module enters the normal operational state. Please refer to the tables below when studying this state transition diagram.
 
'''Access to certificate and key databases''': Only one of the two modes of operation may have the certificate and key databases open at any time. This is enforced by the <code>FC_Initialize</code> and <code>NSC_Initialize</code> functions. When a mode of operation opens the databases, it also causes the other mode (the ''peer'') to close the databases. In the diagram below this is represented by a toggle switch.
 
[[Image:Dbsw1.png]]


'''Recovery from error states''': If the FIPS Approved mode of the module ever enters the Error state, the NSS cryptographic module library needs to be shut down (transition 3.0) and reinitialized (transition 1.1).
'''Recovery from error states''': If the FIPS Approved mode of the module ever enters the Error state, the NSS cryptographic module library needs to be shut down (transition 3.0) and reinitialized (transition 1.1).
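Review bot: the shorter revision (the one showing Fsm8.png) drops the bolded compliance condition, "The module is FIPS 140-2 compliant only when the non-FIPS Approved mode is inactive (in state 5.A)", and the whole "Access to certificate and key databases" paragraph, so it no longer states the compliance boundary or the mutual-exclusion rule that FC_Initialize and NSC_Initialize enforce on the certificate and key databases; if the concurrent non-FIPS substate is no longer drawn, keep at least one sentence for each, since the "Recovery from error states" paragraph that survives in both revisions presupposes the reader knows which mode is being recovered. Minor: "multiple levels of details" should read "multiple levels of detail", and "the tables below" should name them (the state table and the transition table).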
Line 40: Line 31:
| 1.X|| Power Off
| 1.X|| Power Off
| Host computer is powered off. The initial state.|| Host computer's power light is off.
| Host computer is powered off. The initial state.|| Host computer's power light is off.
|-
| 1.Y|| Power On
| Host computer is up and running. This is a composite state with concurrent component state machines (separated by the dotted line) for the FIPS Approved mode and non-FIPS Approved mode.|| Host computer's power light is on.
|-
|-
| 1.A|| Inactive
| 1.A|| Inactive
| The FIPS Approved mode of the NSS cryptographic module is inactive.|| Only <code>FC_GetFunctionList</code> and <code>FC_Initialize</code> may be called.
| Host computer is up and running.|| Host computer's power light is on.
|-
|-
| 1.B|| Power Up Self Test
| 1.B|| Power Up Self Test
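Review bot: in the shorter revision the 1.A "Inactive" row is described as "Host computer is up and running" with "power light is on" as the status indicator, which is the description of the whole Power On state and cannot distinguish Inactive from Power Up Self Test, Public Services or Error; keep the longer revision's indicator, "Only FC_GetFunctionList and FC_Initialize may be called", which is something an operator can actually verify for the FIPS Approved mode. If the 1.Y "Power On" row is kept, "separated by the dotted line" only makes sense next to the diagram that draws the concurrent regions, so either keep Fsm7.png or drop the clause.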
Line 59: Line 47:
| The FIPS Approved mode of the NSS cryptographic module either has failed a conditional test while performing a service or has failed a power-up or operator-initiated self-test. No further cryptographic operations will be performed.|| Only <code>FC_Finalize</code>, <code>FC_InitToken</code>, <code>FC_CloseSession</code>, <code>FC_CloseAllSessions</code>, <code>FC_WaitForSlotEvent</code>, and the "get info" functions (<code>FC_GetFunctionList</code>, <code>FC_GetInfo</code>, <code>FC_GetSlotList</code>, <code>FC_GetSlotInfo</code>, and <code>FC_GetTokenInfo</code>) can be invoked. <code>FC_Initialize</code> fails with the error code <code>CKR_CRYPTOKI_ALREADY_INITIALIZED</code>. All other functions fail with the error code <code>CKR_DEVICE_ERROR</code>.
| The FIPS Approved mode of the NSS cryptographic module either has failed a conditional test while performing a service or has failed a power-up or operator-initiated self-test. No further cryptographic operations will be performed.|| Only <code>FC_Finalize</code>, <code>FC_InitToken</code>, <code>FC_CloseSession</code>, <code>FC_CloseAllSessions</code>, <code>FC_WaitForSlotEvent</code>, and the "get info" functions (<code>FC_GetFunctionList</code>, <code>FC_GetInfo</code>, <code>FC_GetSlotList</code>, <code>FC_GetSlotInfo</code>, and <code>FC_GetTokenInfo</code>) can be invoked. <code>FC_Initialize</code> fails with the error code <code>CKR_CRYPTOKI_ALREADY_INITIALIZED</code>. All other functions fail with the error code <code>CKR_DEVICE_ERROR</code>.
|-
|-
| 5.A|| Inactive
| 5.B|| Non-FIPS Mode
| The non-FIPS Approved mode of the NSS cryptographic module is inactive.|| Only <code>NSC_GetFunctionList</code> and <code>NSC_Initialize</code> may be called.
| The non-FIPS Approved mode of the NSS cryptographic module has been activated. This is a composite state whose substates are not relevant to FIPS 140-2.|| <code>NSC_Initialize</code> has been called successfully. All other <code>NSC_xxx</code> functions may be called.
|-
| 5.B|| Activated
| The non-FIPS Approved mode of the NSS cryptographic module has been activated. This is a composite state whose substates are not relevant to FIPS 140-2.|| All <code>NSC_xxx</code> functions may be called.
|}
|}
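Review bot: the Error row lists FC_InitToken among the functions that may still be invoked, but it does not say whether re-initializing the token clears the error; since the "Recovery from error states" paragraph says the only way out is FC_Finalize (transition 3.0) followed by FC_Initialize (transition 1.1), add a sentence to the row stating that FC_InitToken does not leave the Error state. In the shorter revision the 5.A "Inactive" row is removed but the remaining non-FIPS row keeps the number 5.B, and its status indicator, "NSC_Initialize has been called successfully", describes an input event rather than an observable indicator; either restore 5.A or renumber, and phrase the indicator as "All NSC_xxx functions may be called" as the other revision does.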


Line 81: Line 66:
Output Event
Output Event
|-
|-
| 1.0|| Power Off|| Power On (states 1.A and 5.A)|| Host computer is powered up|| None
| 1.0|| Power Off|| Inactive|| Host computer is powered up|| None
|-
|-
| 1.1|| (FIPS Approved mode) Inactive|| Power Up Self Test|| <code>FC_Initialize</code> called|| Opens the databases. Causes the peer (non-FIPS Approved mode) to close the databases. Power-up self-tests initiated.
| 1.1|| Inactive|| Power Up Self Test|| <code>FC_Initialize</code> called|| Opens the databases. Power-up self-tests initiated.
|-
|-
| 1.2|| Power Up Self Test|| Public Services|| Successful library initialization, software integrity test, and power-up self-tests|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>fatalError</code> to false and returns <code>CKR_OK</code>
| 1.2|| Power Up Self Test|| Public Services|| Successful library initialization, software integrity test, and power-up self-tests|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>sftk_fatalError</code> to false and returns <code>CKR_OK</code>
|-
|-
| 1.3|| Power Up Self Test|| Error|| Software integrity test or power-up self-test failure|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code>
| 1.3|| Power Up Self Test|| Error|| Software integrity test or power-up self-test failure|| <code>FC_Initialize</code> sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code>
|-
|-
| 1.4|| Public Services|| Error|| Conditional self-test (continuous random number generator test) failed while performing a service (random number generation)|| The function (<code>FC_SeedRandom</code> or <code>FC_GenerateRandom</code>) sets the internal Boolean state variable <code>fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code>
| 1.4|| Public Services|| Error|| Conditional self-test (continuous random number generator test) failed while performing a service (random number generation)|| The function (<code>FC_SeedRandom</code> or <code>FC_GenerateRandom</code>) sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code>
|-
|-
| 1.5|| Public Services|| NSS User Services|| User login succeeded|| <code>FC_Login</code> sets the internal Boolean state variable <code>isLoggedIn</code> to true and returns <code>CKR_OK</code>
| 1.5|| Public Services|| NSS User Services|| User login succeeded|| <code>FC_Login</code> sets the internal Boolean state variable <code>isLoggedIn</code> to true and returns <code>CKR_OK</code>
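Review bot: transitions 1.2 and 1.3 together cover only the outcomes of the software integrity test and the power-up self-tests, but 1.2's input event also requires "successful library initialization"; there is no transition out of Power Up Self Test for an initialization failure that is not a self-test failure (FC_Initialize returning an error other than CKR_DEVICE_ERROR), so the table should say whether such a failure returns the module to Inactive or is treated as 1.3. Also, the shorter revision's 1.1 output event drops "Causes the peer (non-FIPS Approved mode) to close the databases", which is the only place the transition table records the database hand-off, and the state variable is named fatalError in one revision and sftk_fatalError in the other; use whichever matches the source, consistently across all rows.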
Line 95: Line 80:
| 1.6|| Public Services|| Public Services|| User login failed|| <code>FC_Login</code> returns a nonzero error code (e.g., <code>CKR_PIN_INCORRECT</code>)
| 1.6|| Public Services|| Public Services|| User login failed|| <code>FC_Login</code> returns a nonzero error code (e.g., <code>CKR_PIN_INCORRECT</code>)
|-
|-
| 1.7|| Public Services|| (FIPS Approved mode) Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
| 1.7|| Public Services|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
|-
|-
| 2.1|| NSS User Services|| Public Services|| User logout requested|| <code>FC_Logout</code> sets the internal Boolean state variable <code>isLoggedIn</code> to false and returns <code>CKR_OK</code>
| 2.1|| NSS User Services|| Public Services|| User logout requested|| <code>FC_Logout</code> sets the internal Boolean state variable <code>isLoggedIn</code> to false and returns <code>CKR_OK</code>
|-
|-
| 2.5|| NSS User Services|| (FIPS Approved mode) Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
| 2.5|| NSS User Services|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
|-
|-
| 2.6|| NSS User Services|| Error|| Conditional self-test (continuous random number generator test or pair-wise consistency test) failed while performing a service (random number generation or key pair generation)|| The function (<code>FC_SeedRandom</code>, <code>FC_GenerateRandom</code>, or <code>FC_GenerateKeyPair</code>) sets the internal Boolean state variable <code>fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code> or <code>CKR_GENERAL_ERROR</code>
| 2.6|| NSS User Services|| Error|| Conditional self-test (continuous random number generator test or pair-wise consistency test) failed while performing a service (random number generation or key pair generation)|| The function (<code>FC_SeedRandom</code>, <code>FC_GenerateRandom</code>, or <code>FC_GenerateKeyPair</code>) sets the internal Boolean state variable <code>sftk_fatalError</code> to true and returns <code>CKR_DEVICE_ERROR</code> or <code>CKR_GENERAL_ERROR</code>
|-
|-
| 3.0|| Error|| (FIPS Approved mode) Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
| 3.0|| Error|| Inactive|| <code>FC_Finalize</code> called|| <code>FC_Finalize</code> returns <code>CKR_OK</code>
|-
|-
| 4.0|| Power On|| Power Off|| Host computer is powered off|| None
| 4.0|| Any state other than "Power Off"|| Power Off|| Host computer is powered off|| None
|-
|-
| 5.1|| (non-FIPS Approved mode) Inactive|| (non-FIPS Approved mode) Activated|| <code>NSC_Initialize</code> called|| Opens the databases. Causes the peer (FIPS Approved mode) to close the databases. <code>NSC_Initialize</code> returns <code>CKR_OK</code>.
| 5.1|| Inactive|| Non-FIPS Mode|| <code>NSC_Initialize</code> called|| Opens the databases. <code>NSC_Initialize</code> returns <code>CKR_OK</code>.
|-
|-
| 5.2|| (non-FIPS Approved mode) Activated|| (non-FIPS Approved mode) Inactive|| <code>NSC_Finalize</code> called|| <code>NSC_Finalize</code> returns <code>CKR_OK</code>
| 5.2|| Non-FIPS Mode|| Inactive|| <code>NSC_Finalize</code> called|| <code>NSC_Finalize</code> returns <code>CKR_OK</code>
|+
|+
}
}
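Review bot: in the shorter revision, 5.1 reads "Inactive" to "Non-FIPS Mode" and 5.2 "Non-FIPS Mode" to "Inactive", but once the 5.A row is removed the only "Inactive" state in the state table is 1.A, the FIPS Approved mode's inactive state; as written, NSC_Initialize appears to leave the FIPS Approved mode's Inactive state, which contradicts the two modes being independent, so either qualify these cells as "(non-FIPS Approved mode) Inactive" as the longer revision does or restore state 5.A. Transition 2.6 says the function returns "CKR_DEVICE_ERROR or CKR_GENERAL_ERROR"; state which of the three listed functions returns which code, since 1.4 commits to CKR_DEVICE_ERROR alone. Finally, the table ends with "|+" on one line and "}" on the next, which is not the wiki table terminator; it should be a single "|}" as in the state table above.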