Hi Tape Folks,
It looks like NIST recently changed their FIPS 140-2 Implementation Guidance last January to require 'AES Key Wrap' as the only approved symmetric encryption algorithm for key establishment or entry. Previously, we believed that using ESP was adequate for encrypting keys for entry into a tape drive device.
To see NIST's latest guidance, look at <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf>
Also, see FIPS 140-2 Annex D "Key Establishment Techniques": <http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexd.pdf>.
Essentially, NIST no longer allows differentiating between the requirements for 'Key Entry' vs. 'Key Establishment'. It was previously possible to argue with FIPS certification labs that this process was covered under 'Key Entry', and the encryption of the key could use any Approved Mode of Operation (such as that used in ESP-SCSI). For 'Key Establishment', AES Key Wrap (not CBC, CCM, or GCM) is the only approved symmetric wrapping algorithm.
This has an impact on SSC-3 (or SSC-4 if deferred), and will likely affect existing tape drive products that were expecting to get FIPS 140-2 approval by supporting IKEv2-SCSI with ESP for establishing encryption keys. Double-check with your validation lab (your mileage may vary).
There are several ways to approach this problem. One method will be described in T10/08-155r0. Another approach is to lobby NIST to change their guidance so that existing symmetric encryption modes are sufficient for key transport. Yet another approach is to use the existing RSA and ECC encryption algorithms for Key Entry, if you want to pay for an expensive asymmetric key operation each time you enter a key.
If you have received different guidance from your FIPS lab, I would be interested in hearing different angles...
--
Thanks!
Matt Ball, IEEE P1619.x SISWG Chair
M.V. Ball Technical Consulting, Inc.
Phone: 303-469-2469, Cell: 303-717-2717
http://www.mvballtech.com
http://www.linkedin.com/in/matthewvball