Code fips overview, Chapter 1 – what you need to know about fips mode – Code CR2500 Code FIPS User Manual


C005590_01_CR2500_CR3500_User Manual_Appendix H


The FIPS versions of the Code Reader 2500 FIPS (CR2500 FIPS), Code Reader 3500 FIPS (CR3500 FIPS) and CodeXML® FIPS
Bluetooth® Modem (hereafter referred to as the modules) are bar code reading devices that have passed the rigorous
testing of the FIPS 140-2 standard. The modules use FIPS approved AES-256 algorithms to encrypt data transmitted
wirelessly between the reader and modem.

The versions of the FIPS modules are as follows:

Code Reader 2500 – 2512FIPS_01 using firmware 4641

Code Reader 3500 – 3512FIPS_01 using firmware 4641

CODE FIPS Bluetooth Modem – BTHDFIPS-M2_01 using firmware 0187

The FIPS modules are based on the standard CR2500, CR3500, and CodeXML® Bluetooth® Modem. Therefore most
operation questions can be answered in the User Manual for those devices. This document will call out the differences
in behavior and operation of the FIPS modules.

Chapter 1 – What you need to know about FIPS Mode

The FIPS modules must be used in a CR2500 FIPS/CodeXML® FIPS Bluetooth® Modem or CR3500 FIPS/CodeXML® FIPS
Bluetooth® Modem pair while in FIPS mode. FIPS mode is defined as a reader and modem paired together,
transmitting data encrypted with FIPS approved AES algorithms. In order to achieve FIPS mode the reader and modem
must be initialized with passwords for two different roles – Cryptographic Officer (CO) and Reader – plus a Key
Encryption Key (KEK) that is used to encrypt transmissions of passwords and keys between the reader and modem. The
readers and modem come with a default password installed for the CO role. The default password cannot be used to
transmit encrypted data and must be updated through the Initialization process. The CO and Reader roles cannot be
initialized to the same password. Once initialized, you may authenticate the CO role or the Reader role by expressly
reading a bar code containing the corresponding password. The roles have different purposes and a different set of
services available to them in the FIPS process, as explained below.

Roles

Cryptographic Officer (CO) – this role can request the following FIPS services:

1. Authenticate to the modules

2. Initialize the modules with new CO and Reader passwords and a new Key Encryption Key (KEK)

3. Zeroization of non-default passwords and KEK

Reader – this role can request the following FIPS services:

1. Authenticate to the modules

2. Transmit encrypted data between the reader and the modem

3. Zeroization of non-default passwords and KEK

Services

Authentication – This is the service where a role can prove it is authorized to access the modules. Only the CO role can
authenticate to the modules using the default password. Either role can authenticate to either module as long as the CO
has initialized the modules with new passwords and KEK. Activation of this service is accomplished through reading a
Data Matrix bar code that contains the Authentication command plus the password of the role wishing to authenticate.
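
The role and service rules above can be checked as a small state model. This is an added example, not code from the manual or the device firmware: the class and method names, the placeholder default password, the rule that the new CO password must differ from the default, and the choice to stay authenticated after initialization are all assumptions, and no real encryption is performed.

```python
import hmac

DEFAULT_CO_PASSWORD = "factory-default"  # constructed placeholder, not the real default

SERVICES = {  # role -> services listed under "Roles"
    "CO": {"authenticate", "initialize", "zeroize"},
    "Reader": {"authenticate", "transmit", "zeroize"},
}

class ModuleModel:
    """Hypothetical model of one module's role/service rules (no real crypto)."""

    def __init__(self):
        self.zeroize_state()

    def zeroize_state(self):
        # Factory state: only the default CO password, no KEK, nobody authenticated.
        self.passwords = {"CO": DEFAULT_CO_PASSWORD}
        self.kek = None
        self.role = None

    @property
    def initialized(self):
        return self.kek is not None

    def authenticate(self, role, password):
        stored = self.passwords.get(role)  # Reader has no password before initialization
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        self.role = role if ok else None
        return ok

    def request(self, service, **args):
        if self.role is None or service not in SERVICES[self.role]:
            raise PermissionError(f"{service} not available to role {self.role}")
        if service == "initialize":
            co, reader, kek = args["co"], args["reader"], args["kek"]
            if co == reader:
                raise ValueError("CO and Reader passwords must differ")
            if co == DEFAULT_CO_PASSWORD:  # assumption: "updated" means changed
                raise ValueError("default CO password must be replaced")
            self.passwords, self.kek = {"CO": co, "Reader": reader}, kek
        elif service == "transmit":
            if not self.initialized:
                raise PermissionError("module not initialized")
            return True  # the real module would AES-256 encrypt the data here
        elif service == "zeroize":
            self.zeroize_state()
```
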
