Lexmark PrintCryption TM (Firmware Version 1.3.1)

Similar documents
Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy

Cisco VPN 3002 Hardware Client Security Policy

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Dolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC

Hewlett-Packard Development Company, L.P. NonStop Volume Level Encryption (NSVLE) Product No: T0867 SW Version: 2.0

FIPS Level 1 Validation March 31, 2011 Version 1.12

This Security Policy describes how this module complies with the eleven sections of the Standard:

Integral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy

Juniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0. Juniper Networks, Inc.

IOS Common Cryptographic Module (IC2M)

Dolphin Board. FIPS Level 3 Validation. Security Policy. Version a - Dolphin_SecPolicy_000193_v1_3.doc Page 1 of 19 Version 1.

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Polycom, Inc. VSX 3000, VSX 5000, and VSX 7000s (Firmware version: ) FIPS Non-Proprietary Security Policy

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

FEITIAN Technologies Company, LTD epass Token Hardware Version: FIPS Non-Proprietary Security Policy

CoSign Hardware version 7.0 Firmware version 5.2

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

FIPS Non-Proprietary Security Policy

FIPS SECURITY POLICY FOR

EgoSecure GmbH. EgoSecure Full Disk Encryption (FDE) Cryptographic Module. FIPS Security Policy

Silent Circle Mobile Application Cryptographic Module

Hitachi Virtual Storage Platform (VSP) Encryption Board. FIPS Non-Proprietary Cryptographic Module Security Policy

Comtech EF Data Corporation SLM-5650A TRANSEC Module Hardware Version: 1.2; Firmware Version: FIPS Non-Proprietary Security Policy

FIPS Security Policy

ProtectV StartGuard. FIPS Level 1 Non-Proprietary Security Policy

FIPS Non-Proprietary Security Policy. Cotap Cryptographic Module. Software Version 1.0. Document Version 1.4.

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

WatchKey USB Token Cryptographic Module Model Number: K6 Smart Card Chip: Z32L256D32U PCB: K003010A Firmware Version: 360C6702

Symantec Corporation

FIPS Security Policy

Dolby IMS-SM FIPS Level 2 Validation. Nonproprietary Security Policy Version: 4

SafeNet LUNA EFT FIPS LEVEL 3 SECURITY POLICY

Sony Security Module. Security Policy

AirMagnet SmartEdge Sensor A5200, A5205, A5220, and A5225 Security Policy

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

FIPS Level 2 Security Policy for FlagStone Core (Versions V a, V a, V )

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

Hydra PC FIPS Sector-based Encryption Module Security Policy

VMware, Inc. VMware Horizon JCE (Java Cryptographic Extension) Module

CAT862 Dolby JPEG 2000/MPEG-2 Media Block IDC Security Policy. Version 3 June 30, 2010

SecureDoc Disk Encryption Cryptographic Engine

Acme Packet 3820 and Acme Packet 4500

Dell SonicWALL. NSA 220, NSA 220W and NSA 240. FIPS Non-Proprietary Security Policy

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Imprivata FIPS Cryptographic Module Non-Proprietary Security Policy Version: 2.9 Date: August 10, 2016

Barco ICMP FIPS Non-Proprietary Security Policy

Credant CmgCryptoLib Version 1.7 Credant Cryptographic Kernel Version 1.5 FIPS Non-Proprietary Security Policy, Version 1.7 Level 1 Validation

IBM System Storage TS1140 Tape Drive Machine Type 3592, Model E07. Security Policy

Symantec Corporation Symantec Cryptographic Module Software Version: 1.1. FIPS Non-Proprietary Security Policy

Motorola PTP 800 Series CMU Cryptographic Module Security Policy

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Prepared by the Fortress Technologies, Inc., Government Technology Group 4023 Tampa Rd. Suite Oldsmar, FL 34677

Security Policy for FIPS KVL 3000 Plus

Avaya, Inc. Secure Router 2330 Hardware Version: SR2330; Firmware Version: FIPS Non-Proprietary Security Policy

Dell Software, Inc. Dell SonicWALL NSA Series SM 9600, SM 9400, SM 9200, NSA FIPS Non-Proprietary Security Policy

Alcatel-Lucent. Alcatel-Lucent VPN Firewall Brick 50

IBM LTO Generation 6 Encrypting Tape Drive. FIPS Non-Proprietary Security Policy

IBM System Storage TS1120 Tape Drive - Machine Type 3592, Model E05. Security Policy

FireEye CM Series: CM-4400, CM-7400, CM-9400

FIPS Security Policy

WatchKey ProX USB Token Cryptographic Module Hardware Version: K023314A Firmware Version:

KEY-UP Cryptographic Module Security Policy Document Version 0.5. Ian Donnelly Systems (IDS)

FIPS Non-Proprietary Security Policy

),36 6(&85,7< 32/,&< 1HW6FUHHQ ;7 9HUVLRQ U 3 1 5HY %

Blue Ridge Networks BorderGuard 4000/3140. FIPS Security Policy

FIPS Non-Proprietary Security Policy. FIPS Security Level: 1 Document Version: 1.8

Telkonet G3 Series ibridge/extender Security Policy

Secure Cryptographic Module (SCM)

Security Policy: Astro Subscriber Encryption Module Astro Spectra, Astro Saber, Astro Consolette, and Astro XTS3000. Version

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

Canon MFP Security Chip. ISO/IEC Security Policy

FIPS Non-Proprietary Security Policy. Acme Packet FIPS Level 2 Validation. Hardware Version: Firmware Version: E-CZ8.0.

Security Policy: Astro Subscriber Motorola Advanced Crypto Engine (MACE)

1 INTRODUCTION CRYPTOGRAPHIC MODULE SPECIFICATION... 9

FIPS SECURITY POLICY

FIPS SECURITY POLICY

FireEye NX Series: NX-900, NX1400, NX-2400, NX-4400, NX4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX10450

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module Security Policy

Motorola PTP 600 Series Point to Point Wireless Ethernet Bridges

FIPS Non-Proprietary Security Policy. FIPS Security Level: 2 Document Version: Winterson Road Linthicum, MD 21090

Samsung FIPS BC for Mobile Phone and Tablet FIPS Security Policy

1(76&5((1 &U\SWRJUDSKLF 0RGXOH 6HFXULW\ 3ROLF\ 9HUVLRQ 3 1 5HY $

Juniper Networks Pulse Cryptographic Module. FIPS Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013

Security Policy. 10 th March 2005

STS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4

McAfee, Inc. McAfee Firewall Enterprise 1100E Hardware Part Number: NSA-1100-FWEX-E Firmware Versions: and 8.2.0

Version 2.0. FIPS Non-Proprietary Security Policy. Certicom Corp. September 27, 2005

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module. Security Policy. Security Level 2. Rev. 0.

Common Crypto Circuit Card Assembly Rockwell Collins. Commercial Crypto Contract (CCC)

Cryptographic Module Security Policy For Outbacker MXP (Non-Proprietary)

FIPS Cryptographic Module Security Policy Level 2 Validation

Cisco Systems 5760 Wireless LAN Controller

Expert 3.2

FIPS SECURITY POLICY

Acme Packet VME. FIPS Level 1 Validation. Software Version: E-CZ Date: July 20, 2018

RFS7000 SERIES Wireless Controller. FIPS Cryptographic Module Security Policy

Transcription:

Lexmark PrintCryption TM (Firmware Version 1.3.1) FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Version 0.95 April 2007

Table of Contents INTRODUCTION... 3 PURPOSE... 3 REFERENCES... 3 DOCUMENT ORGANIZATION... 3 LEXMARK PRINTCRYPTION TM... 4 OVERVIEW... 4 MODULE SPECIFICATION... 4 MODULE INTERFACES... 6 ROLES AND SERVICES... 7 Crypto Officer Role... 7 User Role... 8 PHYSICAL SECURITY... 8 OPERATIONAL ENVIRONMENT... 9 CRYPTOGRAPHIC KEY MANAGEMENT... 9 Access Control Policy... 10 Key Generation... 10 Key Storage... 10 Key Entry and Output... 10 Key Zerorization... 10 SELF-TESTS... 10 DESIGN ASSURANCE... 11 MITIGATION OF OTHER ATTACKS... 11 OPERATION IN FIPS MODE... 12 INITIAL SETUP... 12 CRYPTO OFFICER GUIDANCE... 13 USER GUIDANCE... 14 ACRONYMS... 17 Page 2 of 17

Introduction Purpose References This is a non-proprietary Cryptographic Module Security Policy for the Lexmark PrintCryption TM from Lexmark International Inc. This Security Policy describes how the Lexmark PrintCryption TM meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/cryptval/. The Lexmark PrintCryption TM is referred to in this document as PrintCryption, PrintCryption module, cryptographic module, firmware module, or module. This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: The Lexmark International website (http://www.lexmark.com) contains information on the full line of products from Lexmark International. The CMVP website (http://csrc.nist.gov/cryptval/) contains contact information for answers to technical or sales-related questions for the module. Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Lexmark and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Lexmark International. Page 3 of 17

LEXMARK PRINTCRYPTION TM Overview The Lexmark PrintCryption TM is an option for the Lexmark printers that enable the transfer and printing of encrypted print jobs. This new Lexmark technology offers a level of security that is the first of its kind in the printing industry. With the PrintCryption module installed, the printer is capable of decrypting print jobs encrypted with the AES (FIPS 197) algorithm. The Lexmark PrintCryption TM analyses the encrypted data stream, determines if the correct key was used to encrypt the data, decrypts the data and allows the confidential document to be printed. This new level of printing security is ideal for industries that commonly handle sensitive or personal information, such as financial institutions, government agencies, and healthcare organizations. Module Specification The PrintCryption TM module (firmware version 1.3.1) is a firmware module composed of three binaries, and it is installed in Lexmark printers using a Downloaded Emulator Card (DLE), a serial interface PCB board that plugs into the printer. The DLE card is shown in Figure 1. Figure 1 - Optional Firmware Card Per FIPS PUB 140-2, the cryptographic module is classified as multi-chip standalone cryptographic module. The module meets overall level 1 FIPS 140-2 requirements, as detailed in Table 1. Tested DLE Configurations (Option P/N15A1962): T630, T632, T634: P/N 10G0149 C760, C762: P/N 16N3204 W820: P/N 19E0123 C912: P/N 12N1253 T640, T642, T644: P/N 20G0740 W840: P/N 25A0034 Page 4 of 17

C920: P/N 13N1343 C534: P/N 36B0147 X644e, X646e, X646dte: P/N 22G0352 X850e, X852e, X854e: P/N 15R0093 C772: P/N 20B3204 C782: P/N 10Z0403 C935: P/N 21Z0366 X945e: P/N 21Z0370 Operating System: Lexmark proprietary ver. 2.4 based on Linux Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 1 Security Level per FIPS 140-2 Section Logically, the cryptographic boundary is composed of three binaries and is evaluated for use on Lexmark printers that are running Linux operating system. Once the PrintCryption firmware is installed in the printer, the printer must use this firmware. The cryptographic module cannot be bypassed. Functionality is then controlled by the PrintCryption firmware. Internal Data Applications OS Plaintext Ciphertext PrintCryption Firmware Cryptographic Boundary Figure 2 - Logical Cryptographic Boundary Page 5 of 17

The PrintCryption module is evaluated for running on number of Lexmark printers including mono-color printers (T630, T632, T634, W820, T640, T642, T644, W840), Color printers (C534, C760, C762, C912, C920, C772, C782, C935) and MFP printers (X644e, X646e, X646dte, X850e, X852e, X854e, X945e). The module s physical cryptographic boundary is the metal and plastic enclosure of the printer. Print Engine PCI BUS Option Slot Custom ASIC I/O Port FLASH System BUS Volatile Memory CPU Cryptographic Boundary Figure 3 - Physical Cryptographic Boundary Module Interfaces The cryptographic module s physical ports are composed of the physical ports provided by the hardware platforms listed above. These printer ports include the network port, parallel port, USB port, paper exit port, multipurpose feeder, LED, and LCD display. Since all of the module s services are server processes, the logical interfaces of the module are network port and API calls, which provide the only means of accessing the module s services. Data inputs are service requests on the TCP ports. Control inputs are also data at TCP/IP port, however they are logically distinct from Data input and controls how the function is executed. The data output from the module includes X.509 certificate and deciphered data, which exit through the network port and an internal API, respectively. The status outputs of the module are sent via network and stored in log file. All of these physical ports are separated into logical interfaces defined by FIPS 140-2, as described in the following table. Page 6 of 17

Logical Interface of the Module Module Physical Port FIPS 140-2 Logical Interface Network Port Network (Ethernet 10/100) Port Data Input Interface USB Port Parallel Port Network Port Network (Ethernet 10/100) Port Data Output Interface Internal API Paper Exit Port Network Port Operator Panel Control Input Interface Network (Ethernet 10/100) Port USB Port Parallel Port Paper Exit Port Multipurpose/envelope Feeder Power Switch Circuit Breaker Switch Network Port LED Status Output Interface Log File LCD Display Network (Ethernet 10/100) Port USB Port Parallel Port. Not Applicable Power Plug Power Connector Power Interface Table 2 FIPS 140-2 Logical Interfaces Roles and Services The module supports two roles, a Crypto Officer role and a User role, and an operator on the module must assume one of the roles. Descriptions and responsibilities for the two roles are described below. Crypto Officer Role The Crypto Officer installs and uninstalls the PrintCryption. The Crypto Officer is also responsible for monitoring the printer s configuration and operational status via network port. Service Description Input Output CSP Type of Access to CSP Install Assemble the printer(s); Install PrintCryption TM firmware card; Install printer driver on host PC Command Result of installation None -- Page 7 of 17

Service Description Input Output CSP Type of Access to CSP Uninstall Uninstall the firmware Command Uninstalled None -- module Monitor Configure of the Command Module setting None -- module Run Self- Perform the self-test Command Status output Integrity Check Read Test on demand Key Show Status Call a show status from the printer status menu (HTTP) which has an LPC log page Command Status output None -- User Role Table 3 Crypto Officer Services, Descriptions, CSPs Users utilize the cryptographic functionalities of the PrintCryption, and they communicate with the module via network port only. Service descriptions and inputs/outputs are listed in the following table: Service Role Input Output CSP Type of Access to CSP Public Key request X.509 certificate RSA public key Read/Write Secure Printing Physical Security Users request for printers public key. The module generates a key pair if needed AES encrypted printing program; Decrypts and prints the print job data using the supplied AES Session key Public Key Request (PKR) at network port 9150. Encrypted print job at TCP/IP port 9152. Status output AES session key Read/Write Table 4 User Services, Descriptions, Inputs and Outputs In FIPS terminology, the firmware module is defined as a multi-chip standalone cryptographic module. The module runs on Lexmark printers listed in Module Specification section. The printers are made of all production-grade components and are enclosed in a strong plastic and steel case, which surrounds all of the module s internal components, including all hardware and firmware. While purely a firmware module, the FIPS 140-2 evaluated platforms must have been tested for and meet applicable FCC EMI and EMC requirements for business use as defined by 47 Code of Federal Regulations, Part15, Subpart B. Page 8 of 17

Operational Environment The operational environment is non-modifiable and thus not applicable for this firmware module. The PrintCryption module runs on the Linux OS, and configured for single-user mode by default. The operating system is used as an embedded OS within the Lexmark printers, and there is no direct access to the OS provided. Cryptographic Key Management The module implements the following FIPS-approved algorithms. AES ECB, CBC mode decryption FIPS 197 (certificate #273, #274, #275, #276, #277, and #452) Deterministic Random Number Generator (RNG) Appendix A.2.4 of ANSI X9.31 (certificate #100, #101, #102, #103, #104, and #237) HMAC FIPS 198 (certificate #89, #90, #91, #92, #93, and #215) RSA (sign/verify) PKCS#1 (certificate #73, #74, #75, #76, #77, and #171) SHS FIPS 180-2 (certificate #350, #351, #352, #353, #354, and #515) TDES 2 key ECB mode encryption/decryption FIPS 46-3 (certificate #356, #357, #358, #359, #360, and #470) (Note: The FIPS approved X9.31 Appendix A.2.4 PRNG utilizes 2 key TDES algorithm). Additionally, the module utilizes the following non-fips-approved algorithm implementation: RSA Key Wrapping (PKCS #1): Key establishment method uses a 1024- bit key length providing 80-bits of security. The module supports the following critical security parameters: Key or CSP Key type Generation Storage Use AES Session Key 128, 192, 256 Externally generated. Imported in bits AES key encrypted form (RSA key transport) RSA Public Key 1024 bit RSA public key (80- bits of security) Internally generated using PKCS#1 key generation mechanism Held in volatile memory in plaintext. Zerorized after the session is closed or on reboot. Stored on flash in plaintext. Zerorized by overwriting the flash image. Page 9 of 17 Decrypts input data for printing Key transport

RSA Private Key 1024 bit RSA private key (80-bits of security) Internally generated using PKCS#1 key generation mechanism Integrity Check Keys HMAC keys Externally generated, hard coded in the module X9.31 PRNG 2-key TDES keys, 8 bytes of seed value Internally generated Stored on flash in plaintext. Zerorized by overwriting the flash image. Stored on flash in plaintext. Zerorized by overwriting the flash image. Held in volatile memory only in plaintext. Zerorized on reboot. Table 5 Listing of Key and Critical Security Parameters Key transport Firmware Integrity test RNG Self-Tests Access Control Policy User functionalities have read/write access to the AES Session Key and RSA public key. AES Session key is used to decrypt the data for printing. RSA public key is used for AES Session key transport. Integrity Check Keys can be read by Crypto-Officer Run Self-Test service. Key Generation Key Storage The module key is generated internally is 1024 bits RSA key pair using PKCS#1- compliant key generation techniques. FIPS-approved PRNG X9.31 Appendix A.2.4 is used to seed the RSA key generation mechanism. AES Session Key is generated outside of the module and imported via RSA key transport. The AES Session Key is held in volatile memory only in plaintext. The RSA public key is stored in flash memory in an X.509 certificate in plaintext, and the RSA private key is stored flash memory in plaintext. Key Entry and Output All keys that are entered into (AES key) or output from (RSA certificate) the module are electronically entered or output. AES Session Key is enters into the module transported (encrypted) by RSA public key. Key Zerorization AES Session key is an ephemeral key which is zerorized after the connection is closed or by rebooting the module. The module provides no service to erase or discard the RSA key pair. The key pair is erased by overwriting the flash image with a new image. The PrintCryption module runs power-up and conditional self-tests to verify that it is functioning properly. Power-up self-tests are performed during startup of the module, and conditional self-tests are executed whenever specific conditions are met. Page 10 of 17

Design Assurance Firmware Integrity Check: The module employs a firmware integrity test in the form of HMAC SHA-1 over the three module binaries. Cryptographic Algorithm Tests: Known Answer Tests (KATs) are run at power-up for the following algorithms: AES KAT TDES KAT RSA Sign/Verify and Encrypt/Decrypt pair-wise consistency check SHA-1 KAT X9.31 RNG KAT The module implements the following Conditional self-tests: Continuous RNG Test for X9.31 PRNG Continuous RNG Test for entropy gathering RSA Sign/Verify and Encrypt/Decrypt pair-wise consistency check If any of these self-tests fail, the module will output an error indicator and enter an error state. Source code and associated documentation files are managed and recorded using a MLS/Subversion system. Subversion is a version control system that stores multiple revisions of the codeset with a revisionary history and older revisions are always accessible. MLS is a customized user interface for use by developers that does not override or bypass the role of the Subversion backend. Additionally, Concurrent Versions System (CVS) is used to provide configuration management for the firmware module s FIPS documentation. This software provides access control, versioning, and logging. Mitigation of Other Attacks The PrintCryption module does not employ security mechanisms to mitigate specific attacks. Page 11 of 17

OPERATION IN FIPS MODE Initial Setup The PrintCryption meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. The DLE card containing PrintCryption module may be factory installed or userinstalled. Lexmark provides an Installation sheet, a driver CD with publications, and license agreement for the module in the option kit. Installation procedure of the module is as follows. 1. Print a menu settings page from an AIO: a. Press Menu and then select Reports. b. Press Menu Settings Page to print the page. Note: This Page is needed for later use. c. Configure the printer onto the TCP/IP network per installation requirements. If the printer is behind a firewall, it must allow IP ports 9150 and 9152 to pass through. 1. Print a menu settings page from a printer: a. Press Menus until Utilities menu appears, and then press Select. b. Press Menu until Print menu appears, and then press Select to print the page. Note: This Page is needed for later use. c. Configure the printer onto the TCP/IP network per installation requirements. If the printer is behind a firewall, it must allow IP ports 9150 and 9152 to pass through. 2. Turn off the printer and install the card. Please refer to the printer s documentation for further instructions on installing the card. 3. Turn the printer on. a. If the printer displays the message 41 Unsupported Firmware Card, then the installed card is not compatible for the printer. Turn off the printer and remove the card. Page 12 of 17

Crypto Officer Guidance b. If the printer displays the message Resetting all of NVRAM for longer than 45 seconds, turn off the printer and reinstall the card. 4. Print a menu settings page. If the new card is not listed under Printer Information, turn off the printer and repeat steps 2 and 3. 5. Launch the CD to host PC to install the software application using setup.exe program. Please refer to the documents on the CD for further instructions on installing the software. The setup executable, once launched, will: a. Ask for confirmation of the End-User License Agreement. b. Present a small README, which explains that after installation, the Crypto Officer can add a new port to their printer driver that will support Lexmark PrintCryption TM. Note: Please refer to Crypto Officer Guidance section for more information. c. Perform the installation, and stop and restart the print spooler. 6. Print a menu settings page. Compare these settings to those on the page printed in step 1. 7. Place the Option Added label on the printer next to the printer model and serial number label. Lexmark provides the Option Added label with the Installation guide. The Crypto Officer is responsible for installing, uninstalling and monitoring the module. The card comes in a static sensitive package. Upon receiving the PrintCryption card, the Crypto Officer should check for any signs of tampering to the package, including a damaged seal or package. The Crypto Officer may follow the installation sheet found in the option kit to install the PrintCryption module. After the installation is complete, the Crypto Officer must print a Menu page and verify that Optional Firmware Card is displayed under the Installed Features section of the Menu Page. The Crypto Officer must configure the printer onto the TCP/IP network per installation requirements. While installing the PrintCryption host software application on a PC, Crypto Officer must choose port 9150 to communicate with the printer. It is recommended that Crypto Officer name the port FIPS to clearly distinguish the port that provides secured printing service. Page 13 of 17

User Guidance The User accesses the module printing functionality as a user over network. Although outside the boundary of the module, the User should be careful to use secured printing services as needed. Uses can select the AES encryption key length, block length and mode using the printer property. 1. Open the printer folder, right click on the desired printer and select Properties. 2. Navigate to Port tab and press the Configure Port button to proceed. 3. Configure Secure Port dialog box will appear which enables Users to choose their options. Page 14 of 17

Figure 4 - Configuring a Secure Port Users must choose the key size and block size approved in FIPS PUB 197 standard. FIPS approved key and block sizes, and mode of operation are as follows: Key Length: 128, 192, or 256 bit. Block Length: 128 bit. Page 15 of 17

Cipher Mode: ECB (Electronic Code Book, or CBC (Cipher Block Mode)). Setup.exe also installs the Lexmark PrintCryption Utility (LPCU) program as part of the install session. The program can be invoked by - START Programs Lexmark PrintCryption PrintCryption Test Utility The LPCU utility program can help Users to determine: The Lexmark PrintCryption Card is installed. The network path exists, even through a firewall, and when ping command does not work. The proper IP ports (9150 and 9152) are open. The printer is capable of returning an X.509 security certificate. The printer can successfully decode an encrypted packet. Users also can view the communication to the printer via PrintCryption Log Viewer, installed during the installation session, which can be started by - START Programs Lexmark PrintCryption PrintCryption Log Viewer Figure 5 - PrintCryption Log Viewer Users can see the key size, block length, and mode been used for encryption from the Log Viewer program. Page 16 of 17

ACRONYMS AESSD ANSI API CMVP CSE CSP DKMD DLE EMC EMI FCC FIPS HMAC HTTP IP KAT LED LPC MAC NIST NVLAP OS PC RAM RNG RSA SHA SKH SNMP SP TCP VSS AES Session Daemon American National Standards Institute Application Programming Interface Cryptographic Module Validation Program Communications Security Establishment Critical Security Parameter Decryption Key Management Daemon Downloaded Emulator Card Electromagnetic Compatibility Electromagnetic Interference Federal Communication Commission Federal Information Processing Standard (Keyed-) Hash MAC Hypertext Transfer Protocol Internet Protocol Known Answer Test Light Emitting Diode Line Printer Control Message Authentication Code National Institute of Standards and Technology National Voluntary Laboratory Accreditation Program Operating System Personal Computer Random Access Memory Random Number Generator Rivest Shamir and Adleman Secure Hash Algorithm Session Key Header Simple Network Management Protocol Secure Platform Transmission Control Protocol Visual Source Safe Page 17 of 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback