Code CR2500 Code FIPS User Manual
Page 3
C005590_01_CR2500_CR3500_User Manual_Appendix H
2
An Authentication is initiated on the reader. If the Authentication completes successfully on the reader, and the reader
is attached to a modem, the Authentication information is transferred to the modem after being encrypted with the KEK.
If the Authentication is completed successfully on the modem it returns an acknowledgement to the reader.
Initialization – This is the service that can update the passwords for the roles plus update the KEK on the modules.
Only the CO role has access to the Initialization service. Activation of this service is accomplished through reading a
Data Matrix bar code that contains the Initialization command plus the new passwords for both roles and a new KEK.
An Initialization is initiated on the reader. If the Initialization completes successfully on the reader, and the reader is
attached to a modem, the Initialization information is transferred to the modem after being encrypted with the old
KEK. If the Initialization is completed successfully on the modem, it returns an acknowledgement to the reader. All
subsequent non-data communications between the reader and the modem are encrypted with the new KEK.
Transmitting Encrypted Data – This is the service that transmits data from the reader to the modem using the FIPS
approved AES-256 encryption scheme. Only the Reader role has access to this service. Activation of this service is
accomplished through completing authentication in the Reader role and reading a bar code containing data. If the
transmission is successful the reader will indicate by flashing an LED light amber.
Zeroization – This is the service that removes any customized passwords and KEK from the modules. Either role can
access this service at any time. After Zeroization the modules will not return to FIPS mode until the Initialization service
has been invoked. Activation of this service is accomplished through reading a Data Matrix bar code that contains the
Zeroization command. A Zeroization is initiated on the reader. If the Zeroization completes successfully on the reader,
and the reader is attached to a modem, the Zeroization information is transferred to the modem. If the Zeroization is
completed successfully on the modem it returns and acknowledgement to the reader.
Critical Security Parameters (CSPs)
The modules utilize four CSPs. They consist of the CO role password, the Reader role password, the KEK and the Traffic
Encryption Key (TEK). The passwords and KEK are updated through the Initialization process and the TEK is internally
generated by the reader module.
Passwords and keys are made up of hexidecimal characters representing ASCII characters. Hexidecimal values are
represented in text by a subscript ‘hex’ as in 1D
hex
. In programming, the passwords and KEK are represented by a leading
‘%’ - %1D.
CO role password – this 64 bit password is used to authenticate the CO role. The modules are shipped with a default
CO password of the word ‘password’ that can only be used to initialize the modules with new CO and Reader role
passwords and a new KEK. The modules will not transfer encrypted data using the default password. A 64 bit password
is constructed out of eight ASCII characters that can be represented by the hexadecimal digits 20
hex
through FF
hex
.
Constructing a password to use in the Initialization process is covered below.
Reader role password – this 64 bit password is used to authenticate the Reader role. A 64 bit password is constructed
out of eight ASCII characters that can be represented by the hexadecimal digits 20
hex
through FF
hex
. Constructing a
password to use in the Initialization process is covered below.
Key Encryption Key (KEK) – this 265 bit key is used by an AES algorithm to encrypt transmissions of passwords and keys
between the reader and modem modules. A 256 bit password is constructed out of 32 ASCII characters that can be
represented by the hexadecimal digits 20
hex
through FF
hex
. Constructing a password to use in the Initialization process is
covered below.
Traffic Encryption Key (TEK) – this 256 bit key is used by an AES algorithm to encrypt transmissions of data from the
reader to the modem. The modem utilizes the same TEK to decrypt the data. The TEK is generated by the reader and is