SafeGuard CryptoServer
What are the different states of the CryptoServer?
In the blank state the CryptoServer is assembled, but no boot loader, firmware or keys have been loaded, and the housing and potting have not yet been done.
After the boot loader has been loaded, the CryptoServer has been finally assembled (i.e. housed and potted) and the sensor mechanism has been activated, the CryptoServer enters the manufactured state. From then on it does not leave the secured production environment until the public part of the manufacturer's Production Key, KPROD-PUB, has been loaded, because no command authentication is possible before that key is present.
The manufactured state occurs exclusively at the manufacturer's site, never at the customer's site.
Once the public part of the Production Key, KPROD-PUB, has been loaded, the CryptoServer is in the produced state. Commands can now be authenticated with an RSA signature computed with the private part of the manufacturer's Production Key, KPROD-PRV, which the boot loader verifies with the public part. The CryptoServer may therefore leave the secure production environment, although it remains at the manufacturer's site until its initialization. In this state only the manufacturer can authenticate commands, because only the manufacturer holds the private part of the Production Key.
The produced state occurs exclusively at the manufacturer's site, never at the customer's site.
As soon as the public part of the Initialization Key, KINIT-PUB, has been loaded with the boot loader command BLLoadInitKey (which can be executed only in the produced state and only by the manufacturer, who authenticates the command with the Production Key), the CryptoServer state is set to initialized. If the Initialization Key is customer-specific, this is the point at which a direct link between the CryptoServer and the customer is established for the first time.
The initialized state also occurs at the customer's site.
On receiving an initialized CryptoServer, the customer can load the operating system module SMOS and the basic firmware modules that provide the base functionality for download and communication. This boot loader command, BLLoadFile, must be signed with the private part of the customer's Initialization Key, KINIT-PRV. Once that is done, the OS can be started with the boot loader command StartOS, which does not have to be authenticated. If this completes successfully, the boot loader terminates and the CryptoServer reaches the operational state.
From then on, each time the CryptoServer reboots, the global state is considered operational if the boot loader finds the CryptoServer at least in the initialized state (i.e. it finds the public Initialization Key KINIT-PUB) and is able to start the OS successfully at the end of the boot procedure.
The operational state says nothing about the external functionality that is available: to obtain the full external interface of the CryptoServer, the appropriate firmware modules must be loaded in addition. Once the SMOS operating system has been initialized successfully, it automatically searches the flash directory for further available firmware modules and starts them.
If the boot loader self test fails during start-up, the CryptoServer is in the defect state. This test always runs at the beginning of the boot phase, after the ID-RAM has been erased.
In the defect state the CryptoServer accepts only the commands GetState, GetAlarmLog, GetTimeLog and GetTempLog (as far as this is still technically possible); none of these requires authentication. The alarm mechanism of the CryptoServer remains active and unchanged.
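The state machine and the authentication rules described above, as an added example that is not Utimaco's code or the real boot loader. It models the states blank, manufactured, produced, initialized, operational and defect, the commands BLLoadInitKey (signed with KPROD-PRV), BLLoadFile (signed with KINIT-PRV), StartOS and GetState, and the reboot rule. The method names, the message encodings and the use of textbook RSA over publicly known Mersenne primes are assumptions of the example; the toy keys only illustrate that the boot loader stores public halves and that each step needs a different private key, they are not secure.

```python
"""Toy model of the CryptoServer boot-loader state machine (added example, not Utimaco code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    BLANK = "blank"
    MANUFACTURED = "manufactured"
    PRODUCED = "produced"
    INITIALIZED = "initialized"
    OPERATIONAL = "operational"
    DEFECT = "defect"


# Textbook RSA over publicly known Mersenne primes: deliberately insecure, it only
# stands in for the real RSA signature check so the example runs stand-alone.
M89, M127, M521, M607 = [(1 << k) - 1 for k in (89, 127, 521, 607)]


def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(prv, msg: bytes) -> int:
    n, d = prv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def _encode_key(pub) -> bytes:                    # assumed wire format of a public key
    return f"{pub[0]}:{pub[1]}".encode()


class AuthError(PermissionError):
    pass


class StateError(RuntimeError):
    pass


@dataclass
class BootLoader:
    state: State = State.BLANK
    kprod_pub: Optional[tuple] = None             # KPROD-PUB, loaded without authentication
    kinit_pub: Optional[tuple] = None             # KINIT-PUB, loaded under a KPROD-PRV signature
    flash: dict = field(default_factory=dict)     # files loaded with BLLoadFile

    def _require(self, *states):
        # No state-changing command lists DEFECT, so this also enforces the defect whitelist.
        if self.state not in states:
            raise StateError(f"{self.state.value}: command not accepted")

    def _check_sig(self, pub, key_name, msg, sig):
        if pub is None or not verify(pub, msg, sig):
            raise AuthError(f"command not authenticated by {key_name}")

    def get_state(self) -> State:                 # GetState: any state, never authenticated
        return self.state

    def finish_production(self):                  # housing, potting, sensors armed (manufacturer)
        self._require(State.BLANK)
        self.state = State.MANUFACTURED

    def load_prod_key(self, kprod_pub):           # nothing can be authenticated before this
        self._require(State.MANUFACTURED)
        self.kprod_pub, self.state = kprod_pub, State.PRODUCED

    def bl_load_init_key(self, kinit_pub, sig):   # BLLoadInitKey: produced state, KPROD-PRV only
        self._require(State.PRODUCED)
        self._check_sig(self.kprod_pub, "KPROD-PUB", _encode_key(kinit_pub), sig)
        self.kinit_pub, self.state = kinit_pub, State.INITIALIZED

    def bl_load_file(self, name: str, data: bytes, sig):   # BLLoadFile: KINIT-PRV only
        self._require(State.INITIALIZED)          # the boot loader is gone once the OS runs
        self._check_sig(self.kinit_pub, "KINIT-PUB", name.encode() + b"\0" + data, sig)
        self.flash[name] = data

    def start_os(self):                           # StartOS: unauthenticated
        self._require(State.INITIALIZED)
        if "SMOS" not in self.flash:
            raise StateError("StartOS: no operating system in flash")
        self.state = State.OPERATIONAL

    def reboot(self, self_test_ok: bool = True) -> State:
        """Self test first; then the global state follows from what the boot loader finds."""
        if not self_test_ok:
            self.state = State.DEFECT
        elif self.kinit_pub is not None:
            self.state = State.OPERATIONAL if "SMOS" in self.flash else State.INITIALIZED
        return self.state


def run_lifecycle():
    """Walk one unit from blank to operational and record each state and each refusal."""
    kprod_pub, kprod_prv = toy_keypair(M521, M127)   # manufacturer's Production Key
    kinit_pub, kinit_prv = toy_keypair(M607, M89)    # customer's Initialization Key
    bl, trace = BootLoader(), []
    bl.finish_production()
    bl.load_prod_key(kprod_pub)
    trace.append(bl.get_state().value)
    init_blob = _encode_key(kinit_pub)
    try:                                             # the customer cannot initialize the unit himself
        bl.bl_load_init_key(kinit_pub, sign(kinit_prv, init_blob))
    except AuthError:
        trace.append("BLLoadInitKey refused: not signed with KPROD-PRV")
    bl.bl_load_init_key(kinit_pub, sign(kprod_prv, init_blob))
    trace.append(bl.get_state().value)
    smos, msg = b"constructed SMOS image", b"SMOS\0" + b"constructed SMOS image"
    try:                                             # the Production Key does not cover BLLoadFile
        bl.bl_load_file("SMOS", smos, sign(kprod_prv, msg))
    except AuthError:
        trace.append("BLLoadFile refused: not signed with KINIT-PRV")
    bl.bl_load_file("SMOS", smos, sign(kinit_prv, msg))
    bl.start_os()
    trace.append(bl.get_state().value)
    trace.append(bl.reboot().value)                  # KINIT-PUB and OS found: operational again
    trace.append(bl.reboot(self_test_ok=False).value)
    try:
        bl.bl_load_file("SMOS", smos, sign(kinit_prv, msg))
    except StateError:
        trace.append("defect: only GetState and the log commands are accepted")
    return trace


if __name__ == "__main__":
    print("\n".join(run_lifecycle()))
```

The two refusals in the trace are the point of the state model: the holder of KINIT-PRV cannot place a key of his own into a produced unit, and the holder of KPROD-PRV cannot load firmware into an initialized unit, so each site can do exactly the step the page assigns to it. In the defect state only get_state() still answers; every authenticated command is rejected before its signature is even looked at.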
If the CryptoServer is in the defect state, contact the manufacturer (Utimaco).
At the customer's site normally only the initialized and operational states occur. If the CryptoServer is found in any other state, Utimaco Safeware AG must be contacted.
The global states blank, manufactured and produced are relevant only to the CryptoServer's production process and to maintenance work done by the manufacturer. Utimaco never delivers a CryptoServer in one of these states.