Curtiss-Wright DTS1+ CSfC - Page 21

153 pages
User Guide DDOC0199-000-A9
1-Slot Data Transport System (CSfC) 3 - 4 Overview
© 2024 Curtiss-Wright Defense Solutions Revision 2.0
3.2 Protocols
The DTS1+ CSfC supported protocols include Telnet, TFTP, CIFS, NFS, FTP, SFTP, HTTP,
DHCP, SNMP, and iSCSI in addition to its RS-232 console port. The CIFS and NFS protocols are
enabled by default, all others are disabled. The unit also supports SSH, which is always enabled.
The user can enable the desired protocols to support their application. Refer to paragraph 13.3.30
serv for additional information.
The FDEEEcPP20 and FDEAAcPP20 Protection Profiles did not consider, nor did they include,
networking protocols as part of the security functional requirements and, as a result, did not
include any requirements for addressing those protocols.
Therefore, as per the FDEEEcPP20 and FDEAAcPP20, the protocols have not been examined as
part of the required assurance activities and consequently the evaluation can make no claims
about the DTS1+ CSfC networking protocols.
3.3 CSfC Encryption
Commercial Solutions for Classified (CSfC) encryption is based on a National Security Agency (NSA)
specification. The CSfC program requires multi-layered security. Hardware data encryption is used for
the first security layer. The second security layer is software data encryption. Both encryption processes
are performed in the DTS1+ CSfC, one in the HW crypto module, the other by the Processor. The
hardware encryption key is retained in the DTS1+ CSfC crypto module memory, the software
encryption key is stored on the RMC module.
3.3.1 Hardware Encryption Layer
CAUTION
DATA LOSS. If the Specific User Token Key is lost, the user account will be rendered unusable.
NOTE
Refer to paragraph 6.3 Hardware Layer Encryption for information regarding the actual
commands and procedures used to create and log into the hardware encryption layer.
3.3.1.1 Account Creation
Before use, an account must be created (Figure 3.6) on the DTS1+ CSfC Hardware Encryption
(HWE) layer. To start the account creation, the user logs into the DTS1+ CSfC via the Command
Line Interface (CLI). Once logged in, additional commands are entered to create an account on the
DTS1+ CSfC HWE layer. A Pre-Shared Key (PSK) must also be generated and sealed so that it
cannot be read out by the DTS1+ CSfC. Refer to paragraph 6.3.1 Pre-Shared Key Setup for
additional details. When the account is created, a user token key is internally generated by the
HWE layer. The layer then keywraps the user token key using the PSK and supplies it to the end
user through the CLI. The keywrapped user token key is validated on a third-party system by
comparing the DTS1+ CSfC-generated HMAC and the third-party-generated HMAC. If both match,
the user token is unwrapped using the PSK. The unwrapped user token key is then used in
subsequent logins as the specific-user token.
3.3.1.2 Account Login
Any subsequent use of the equipment requires logging in (Figure 3.7) to the HWE layer before
data storage and/or transfer can begin. The user enters their user name and password into the
DTS1+ CSfC. The HWE layer checks the information against its accounts. If the user name and
password are recognized, a random one-time 64-byte key (also referred to as a nonce) is
generated. The nonce is sent to the end-user via the CLI. The user then enters the nonce and their
specific-user token key (generated when the account was created) into a third-party HMAC-SHA384
generator using the user token as the key. The CLI then sends this data as a user-generated HMAC
to the DTS1+ CSfC HWE layer. The layer compares the user HMAC and the
HWE layer HMAC. If they are the same, the user is logged in. If they do not match, the user is
denied access.
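The login exchange described in 3.3.1.2, modelled as an added example that is not taken from the Curtiss-Wright guide or the DTS1+ firmware. Assumptions: the HMAC input is the raw nonce alone, the token key is 48 bytes (constructed), the nonce is consumed after one attempt, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 64  # the guide states a random one-time 64-byte nonce


def user_response(token_key: bytes, nonce: bytes) -> bytes:
    """User side: HMAC-SHA384 over the nonce, keyed with the user token key."""
    return hmac.new(token_key, nonce, hashlib.sha384).digest()


class HweLoginModel:
    """Toy model of the verifying side (hypothetical, not the real HWE layer)."""

    def __init__(self, token_key: bytes):
        self._token_key = token_key
        self._pending = None  # outstanding nonce, if any

    def issue_nonce(self) -> bytes:
        # Reached only after user name and password were recognized.
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        # Assumption: the nonce is consumed on any attempt, so it is one-time.
        nonce, self._pending = self._pending, None
        if nonce is None:
            return False
        expected = hmac.new(self._token_key, nonce, hashlib.sha384).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    token = secrets.token_bytes(48)  # constructed sample key
    hwe = HweLoginModel(token)
    results = {}
    good = user_response(token, hwe.issue_nonce())
    results["valid"] = hwe.verify(good)
    results["replay"] = hwe.verify(good)          # nonce already consumed
    hwe.issue_nonce()
    results["stale_response"] = hwe.verify(good)  # old HMAC, new nonce
    other = secrets.token_bytes(48)               # wrong token key
    results["wrong_key"] = hwe.verify(user_response(other, hwe.issue_nonce()))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the response is bound to a fresh nonce, a captured HMAC is useless for a later login, and only a holder of the token key can produce a matching value.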