Chapter 2 – setting up your fips hardware – Code CR2500 Code FIPS User Manual


C005590_01_CR2500_CR3500_User Manual_Appendix H


not accessible by users.

Chapter 2 – Setting up your FIPS hardware

Out of the box the reader/modem pair will behave as any standard non-FIPS pair. You can use them in non-FIPS mode
but be aware that any data you transmit will not be protected by the FIPS approved AES-256 encryption algorithms. In
order to use FIPS mode the modules must be initialized by the CO. Initialization cannot be performed by the Reader
role. You must authenticate the CO role using the default password before Initialization and you must create an
Initialization bar code before you can perform Initialization on the FIPS readers.

The reader module provides the interface to the modem module. Therefore, if you wish to Authenticate or Initialize
both the reader and the modem you must have the reader paired with the modem while performing these tasks. To
connect the reader and modem, read the QuickConnect code printed on the modem with the reader. Refer to the User
Manual for the reader and modem for more information on pairing.

Default CO Authentication

The bar code below contains the Authentication command and the default CO password. Using this Authentication the
CO can only Initialize or Zeroize the modules.

Figure 1 - Default Cryptographic Officer Authentication Bar Code

Creating an Initialization Bar Code

Create the Initialization bar code by writing a .crb file containing the Initialization commands and data. Convert the .crb file to a Data Matrix bar code by passing it through the CodeXML CRB to Code Utility found at http://codecorp.com/EULACodeXMLCRBtoCodeUtility.php. The Initialization command must be encoded in a Data Matrix bar code in order to function.

The initialization bar code contains six items.

1. The Initialization command (H2; H indicates the FIPS command set, 2 is the Initialization command)
2. A new Cryptographic Officer password (Eight characters in the set 20 hex through FF hex)
3. A group separator (1D hex)
4. A new Reader password (Eight characters in the set 20 hex through FF hex)
5. A group separator (1D hex)
6. A new Key Encryption Key (32 characters in the set 20 hex through FF hex)
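The six-item layout above can be checked offline before the .crb file is written. The following Python sketch is an added example, not code from the manual or from Code Corporation; the function names are hypothetical, and the '%'-delimited hex rendering is an assumption about the form of the hex strings pasted into .crb files.

```python
import secrets

GS = 0x1D                      # group separator between fields (1D hex)
ALLOWED = range(0x20, 0x100)   # character set the manual allows: 20 hex through FF hex
FIELDS = (("CO password", 8), ("Reader password", 8), ("KEK", 32))

def random_field(length):
    """Draw `length` bytes uniformly from 0x20..0xFF using the OS CSPRNG."""
    return bytes(0x20 + secrets.randbelow(0xE0) for _ in range(length))

def build_payload(co_pw, reader_pw, kek):
    """Assemble the six items in order: H2, CO pw, GS, Reader pw, GS, KEK."""
    return b"H2" + co_pw + bytes([GS]) + reader_pw + bytes([GS]) + kek

def check_payload(payload):
    """Return a list of problems; an empty list means the layout is valid."""
    if not payload.startswith(b"H2"):
        return ["missing H2 Initialization command"]
    # 1D hex lies outside the allowed set, so splitting on it is unambiguous.
    parts = payload[2:].split(bytes([GS]))
    if len(parts) != len(FIELDS):
        return [f"expected 3 fields separated by 1D hex, found {len(parts)}"]
    problems = []
    for (name, length), value in zip(FIELDS, parts):
        if len(value) != length:
            problems.append(f"{name}: {len(value)} characters, need {length}")
        if any(b not in ALLOWED for b in value):
            problems.append(f"{name}: character outside 20 hex..FF hex")
    if parts[0] == parts[1]:
        problems.append("CO and Reader passwords must not be equal")
    return problems

def percent_hex(payload):
    """Assumed rendering: '%'-delimited hex, one pair per byte."""
    return "".join(f"%{b:02X}" for b in payload)

if __name__ == "__main__":
    # Values are generated locally; only the length is printed, never the secrets.
    payload = build_payload(random_field(8), random_field(8), random_field(32))
    assert check_payload(payload) == []
    print(len(payload), "bytes, layout OK")
```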

The code below shows example values for the new CO password, Reader password and KEK in a .crb file. You should not use these values when creating an Initialization bar code and the CO and Reader passwords must not be equal. You must substitute your own eight character passwords and 32 character KEK when you initialize. The lines starting with ‘;’ are comments. Some comment lines wrap to the next line in this example. Please see your FIPS documentation kit for the actual demo .crb file. The last line that starts with % is the Initialization command. You may omit all comment lines if you wish.

An ASCII to hex converter can be found at http://www.idea2ic.com/PlayWithJavascript/hexToAscii.html. Use the ‘Delimit with %’ option to create hex strings of ASCII characters you can paste into .crb files.

;8/6/2010 16:43
