VE 02
==SECTION 2: MODULE PORTS AND INTERFACES==
AS.02.01 The cryptographic module shall restrict all information flow and
physical access points to physical ports and logical interfaces that define
all entry and exit points to and from the module.
Assessment:
==VE.02.01.01==
VE.02.01.01 Vendor documentation shall specify each of the physical ports and
logical interfaces of the cryptographic module, including the:
1. Physical ports and their pin assignments
2. Physical covers, doors or openings
3. Logical interfaces (e.g., APIs and all other data/control/status
signals) and the signal names and functions
4. Manual controls (e.g., buttons or switches) for applicable physical
control inputs
5. Physical status indicators (e.g., lights or displays) for applicable
physical status outputs
6. Mapping of the logical interfaces to the physical ports, manual
controls, and physical status indicators of the cryptographic module
7. Physical, logical, and electrical characteristics, as applicable, of the
above ports and interfaces
Assessment:
==VE.02.01.02==
VE.02.01.02 Vendor documentation shall specify the information flows and physical
access points of the cryptographic module by highlighting or annotating
copies of the block diagrams, design specifications and/or source code
and schematics provided in Sections 1 and 10. The vendor shall also
provide any other documentation necessary to clearly specify the
relationship of the information flows and physical access points to the
physical ports and logical interfaces.
Assessment:
==VE.02.01.03==
VE.02.01.03 For each physical or logical input to the cryptographic module, or
physical and logical output from the module, vendor documentation
shall specify the logical interface to which the physical input or output
belongs, and the physical entry/exit port. The specifications provided
shall be consistent with the specifications of the cryptographic module
components provided under Sections 1 and 10, and the specifications of
the logical interfaces provided in assertions AS02.03 to AS02.09 of this
section.
Assessment:
AS.02.02 The cryptographic module interfaces shall be logically distinct from
each other although they may share one physical port (e.g., input data
may enter and output data may exit via the same port) or may be
distributed over one or more physical ports (e.g., input data may enter
via both a serial and a parallel port).
Assessment:
==VE.02.02.01==
VE.02.02.01 The vendor's design shall separate the cryptographic module interfaces
into logically distinct and isolated categories, using the categories listed
in assertion AS02.03, and, if applicable, AS02.09 in this section. This
information shall be consistent with the specification of the logical
interfaces and physical ports provided in AS02.01 in this section.
Assessment:
==VE.02.02.02==
VE.02.02.02 Vendor documentation shall provide a mapping of each category of
logical interface to a physical port of the cryptographic module. A
logical interface may be physically distributed across more than one
physical port, or two or more logical interfaces may share one physical
port as long as the information flows are kept logically separate. If two
or more logical interfaces share the same physical port, vendor
documentation shall specify how the information from the different
interface categories is kept logically separate.
Assessment:
AS.02.03 The cryptographic module shall have the following four logical
interfaces ("input" and "output" are indicated from the perspective of
the module):
* Data input interface
* Data output interface
* Control input interface
* Status output interface
Assessment:
==VE.02.03.01==
VE.02.03.01 Vendor documentation shall specify that the following four logical
interfaces have been designed within the cryptographic module ("input"
and "output" are indicated from the perspective of the module):
* data input interface (for the entry of data as specified in AS02.04),
* data output interface (for the output of data as specified in
AS02.05),
* control input interface (for the entry of commands as specified in
AS02.07), and
* status output interface (for the output of status information as
Assessment:
AS.02.04 All data (except control data entered via the control input interface) that
is input to and processed by the cryptographic module (including
plaintext data, ciphertext data, cryptographic keys and CSPs,
authentication data, and status information from another module) shall enter via the "data input" interface.
Assessment:
==VE.02.04.01==
VE.02.04.01 The cryptographic module shall have a data input interface. All data
(except control data entered via the control input interface) that is to be
input to and processed by the cryptographic module shall enter via the
data input interface, including:
1. Plaintext data
2. Ciphertext or signed data
3. Cryptographic keys and other key management data (plaintext or
encrypted)
4. Authentication data (plaintext or encrypted)
5. Status information from external sources
6. Any other input data
Assessment:
==VE.02.04.02==
VE.02.04.02 If applicable, vendor documentation shall specify any external input
devices to be used with the cryptographic module for the entry of data
into the data input interface, such as smart cards, tokens, keypads, key
loaders, and/or biometric devices.
Assessment:
AS.02.05 All data (except status data output via the status output interface) that is
output from the cryptographic module (including plaintext data,
ciphertext data, cryptographic keys and CSPs, authentication data, and
control information for another module) shall exit via the "data output"
Assessment:
==VE.02.05.01==
VE.02.05.01 The cryptographic module shall have a data output interface. All data
(except status data output via the status output interface) that has been
processed and is to be output by the cryptographic module shall exit via
the data output interface, including:
1. Plaintext data
2. Ciphertext data and digital signatures
3. Cryptographic keys and other key management data (plaintext or
encrypted)
4. Control information to external targets
5. Any other output data
Assessment:
==VE.02.05.02==
VE.02.05.02 If applicable, vendor documentation shall specify any external output
devices to be used with the cryptographic module for the output of data
from the data output interface, such as smart cards, tokens, displays,
and/or other storage devices.
Assessment:
AS.02.06 All data output via the data output interface shall be inhibited when an
error state exists and during self-tests.
Assessment:
==VE.02.06.01==
VE.02.06.01 Vendor documentation shall specify how the cryptographic module
ensures that all data output via the data output interface is inhibited
whenever the module is in an error state (error states are covered in
Section 4). Status information may be allowed from the status output
interface to identify the type of error, as long as no CSPs, plaintext
data, or other information that if misused could lead to a compromised.
Assessment:
==VE.02.06.02==
VE.02.06.02 Vendor documentation shall specify how the design of the
cryptographic module ensures that all data output via the data output
interface is inhibited whenever the module is in a self-test condition
(self-tests are covered in Section 9). Status information to display the
results of the self-tests may be allowed from the status output interface,
as long as no CSPs, plaintext data, or other information that if misused
Assessment:
AS.02.07 All input commands, signals, and control data (including calls and
manual controls such as switches, buttons, and keyboards) used to
control the operation of the cryptographic module shall enter via the
"control input" interface.
Assessment:
==VE.02.07.01==
VE.02.07.01 The cryptographic module shall have a control input interface. All
commands, signals, and control data (except data entered via the data
input interface) used to control the operation of the cryptographic
module shall enter via the control input interface, including:
1. Commands input logically via an API (e.g., for the software and
firmware components of the cryptographic module)
2. Signals input logically or physically via one or more physical ports
(e.g., for the hardware components of the cryptographic module)
3. Manual control inputs (e.g., using switches, buttons, or a keyboard)
4. Any other input control data
Assessment:
==VE.02.07.02==
VE.02.07.02 If applicable, vendor documentation shall specify any external input
devices to be used with the cryptographic module for the entry of
commands, signals, and control data into the control input interface,
such as smart cards, tokens, or keypads.
Assessment:
AS.02.08 All output signals, indicators, and status data (including return codes
and physical indicators such as Light Emitting Diodes and displays)
used to indicate the status of the cryptographic module shall exit via the
"status output" interface.
Assessment:
==VE.02.08.01==
VE.02.08.01 The cryptographic module shall have a status output interface. All
status information, signals, logical indicators, and physical indicators
used to indicate or display the status of the module shall exit via the
status output interface, including:
1. Status information output logically via an API
2. Signals output logically or physically via one or more physical
3. Manual status outputs (e.g., using LEDs, buzzers, or a display)
4. Any other output status information
Assessment:
==VE.02.08.02==
VE.02.08.02 If applicable, vendor documentation shall specify any external output
devices to be used with the cryptographic module for the output of
status information, signals, logical indicators, and physical indicators via
the status output interface, such as smart cards, tokens, displays,
and/or other storage devices.
Assessment:
AS.02.09 All external electrical power that is input to the cryptographic module
(including power from an external power source or batteries) shall enter
via a power port.
Assessment:
==VE.02.09.01==
VE.02.09.01 If the cryptographic module requires or provides power to/from other
devices external to the boundary (e.g., a power supply or an external
battery), vendor documentation shall specify a power interface and a
corresponding physical port. All power entering or exiting the
cryptographic module to/from other devices external to the
cryptographic boundary shall pass through the specified power
Assessment:
AS.02.10 The cryptographic module shall distinguish between data and control
for input and data and status for output.
Assessment:
==VE.02.10.01==
VE.02.10.01 Vendor documentation shall specify how the cryptographic module
distinguishes between data and control for input and data and status for
output, and how the physical and logical paths followed by the input
data and control information entering the module via the applicable
input interfaces are logically or physically disconnected from the
physical and logical paths followed by the output data and status
information exiting the module via the applicable output interfaces.
Assessment:
AS.02.11 All input data entering the cryptographic module via the "data input"
interface shall only pass through the input data path.
Assessment:
==VE.02.11.01==
VE.02.11.01 Vendor documentation shall specify the physical and logical paths used
by all major categories of input data entering the cryptographic module
via the data input interface and the applicable physical ports. The
documentation shall include a specification of the applicable paths (e.g.,
by highlighted or annotated copies of the schematics, block diagrams,
or other information provided under AS01.08, AS01.09, and AS01.13).
All input data entering the cryptographic module via the data input
interface shall only use the specified paths while being processed or
stored by each physical or logical sub-section of the module.
Assessment:
AS.02.12 All output data exiting the cryptographic module via the "data output"
interface shall only pass through the output data path.
Assessment:
==VE.02.12.01==
VE.02.12.01 Vendor documentation shall specify the physical and logical paths used
by all major categories of output data exiting the cryptographic module
via the data output interface and the applicable physical ports. The
documentation shall include a specification of the applicable paths (e.g.,
by highlighted or annotated copies of the schematics, block diagrams,
or other information provided under AS01.08, AS01.09, and AS01.13).
All output data exiting the cryptographic module via the data output
interface shall only use the specified paths.
Assessment:
AS.02.13 The output data path shall be logically disconnected from the circuitry
and processes while performing key generation, manual key entry, or
key zeroization.
Assessment:
==VE.02.13.01==
VE.02.13.01 Vendor documentation shall specify how the physical and logical paths
used by all major categories of output data exiting the cryptographic
module are logically or physically disconnected from the processes
performing key generation, manual key entry, and zeroization of
cryptographic keys and CSPs. The cryptographic module shall not
allow the specified key processes to pass key/CSP information to the
output data path, and shall not allow output data exiting the module to
interfere with the key processes.
Assessment:
AS.02.14 To prevent the inadvertent output of sensitive information, two
independent internal actions shall be required to output data via any
output interface through which plaintext cryptographic keys or CSPs or
sensitive data are output (e.g., two different software flags are set, one
of which may be user initiated; or two hardware gates are set serially
Assessment:
==VE.02.14.01==
VE.02.14.01 If the cryptographic module allows plaintext cryptographic key
components or other unprotected CSPs to be output on one or more
physical ports, two independent internal actions shall be performed by
the module before the plaintext cryptographic key components or other
unprotected CSPs may be output. Vendor documentation shall specify
the two independent internal actions performed and how the two
independent internal actions protect against the inadvertent release of
the plaintext cryptographic key components or other unprotected CSPs.
Assessment:
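Added example (not part of the requirements text and not any vendor's code): a C sketch of one data-output choke point that enforces the output inhibition of AS.02.06, the key-process disconnection of AS.02.13 and the two independent actions of AS.02.14. The state names, flag names, return codes and the `data_output`/`status_output` functions are hypothetical, and clearing the flags after each attempt is a design choice of this sketch rather than a stated requirement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical module states (assumed names, not taken from the requirements). */
typedef enum { ST_OPERATIONAL, ST_SELF_TEST, ST_ERROR, ST_KEY_PROCESS } mod_state_t;
typedef enum { OUT_OK = 0, OUT_INHIBITED = -1, OUT_NOT_ARMED = -2, OUT_TOO_BIG = -3 } out_rc_t;

typedef struct {
    mod_state_t state;
    bool operator_confirmed; /* action 1: set by an operator command on the control input */
    bool export_enabled;     /* action 2: set separately by the module's own export service */
} module_t;

/* Every byte leaving on the data output interface passes through this function. */
out_rc_t data_output(module_t *m, const unsigned char *src, size_t len,
                     bool plaintext_csp, unsigned char *port, size_t port_len)
{
    /* AS.02.06 / AS.02.13: inhibit data output in error, self-test and
       key generation / manual key entry / zeroization states. */
    if (m->state != ST_OPERATIONAL)
        return OUT_INHIBITED;
    if (len > port_len)
        return OUT_TOO_BIG;

    if (plaintext_csp) {
        /* AS.02.14: both independent flags must be set before release. */
        bool armed = m->operator_confirmed && m->export_enabled;
        /* Flags are one-shot here: clear both so a stale flag cannot be reused. */
        m->operator_confirmed = false;
        m->export_enabled = false;
        if (!armed)
            return OUT_NOT_ARMED;
    }
    memcpy(port, src, len);
    return OUT_OK;
}

/* Status output stays available in every state and carries only the state code. */
mod_state_t status_output(const module_t *m)
{
    return m->state;
}
```
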
AS.02.15 Documentation shall specify the physical ports and logical interfaces
and all defined input and output data paths. Note: This assertion is not
separately tested. Verification of vendor documentation is performed
under assertions AS02.01 to AS02.14 and AS02.16 to AS02.18.