4 Finite State Machine
As part of FIPS 140-2 Level 2 compliance, the Acme Packet 1100 and Acme Packet 3900 platforms support a Finite State Machine (FSM).
The following Diagram displays the state model of the FSM in the FIPS 140-approved mode of operation:
State Diagram
The following sections describe all states and transitions that can occur with the Finite State Diagram. The finite state machine never ends in an undefined state. Any combination of data and control inputs always place the FSM in a well-defined state.
Note:
The inputs described in this document for each state are inputs that would result in a successful operation.State 0 - Power Off
Either the power
switch is in the off position, or there is no power connected to the FSM. No
services are available in this state. This state is available from every other
state, and can be entered using the power switch and cycling power.
| Transition Number | Transition | Next State |
|---|---|---|
| 01a | Module is powered on | 0a |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Connect Power Supply | N/A |
| Status Output | LED - power | N/A |
State 0a - Power On
The FSM's power
switch is turned on. No services are available in this state. The FSM
automatically transitions to the Power-On Self-Tests state.
| Transition Number | Transition | Next State |
|---|---|---|
| 01b | Begin boot | 1 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Power switch on | N/A |
| Status Output | LED - power | N/A |
State 1 - Power-On Self-Tests
The FSM performs a
series of self-tests to ensure correct operation; these include a software
integrity check, cryptographic known answer tests, and other self-tests
described in the Security Policy. If the POSTs are successful, the module
continues to boot, and this state automatically transfers to the "No Auth"
state. If the POSTs should fail, the module transitions to the "Error" state.
| Transition Number | Transition | Next State |
|---|---|---|
| 13 | Self Tests Pass | 3 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | Initial login prompt | N/A |
| 12 | POST Failure | 2 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | Error logged | N/A |
| 20 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
State 2 - Error
This state
represents an error, such as a POST failure or Conditional Self-Test Failure.
The FSM halts cryptographic operations and the operator must use any of the 3
possible recovery options:
- Reset the FSM
- Reset the FSM and use the bootloader to select the valid image
- Reset the FSM and use the bootloader to zeroize the system to RMA
| Transition Number | Transition | Next State |
|---|---|---|
| 20 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
State 3 - No Auth
The FSM transitions
to this state when startup has completed and the module is fully configured for
FIPS mode of operation. In this state no User or Crypto Officer is logged in,
and the module is in an idle state. The FSM is operational but is not providing
security services or performing cryptographic functions. Cryptographic keys and
security parameters are loaded, and the FSM is waiting for data or control
inputs. The FSM transitions to the User state when a User is successfully
authenticated or it transitions to the Crypto Officer state when a Crypto
Officer is successfully authenticated.
| Transition Number | Transition | Next State |
|---|---|---|
| 34 | User Login | 4 |
| Data Input | User or SSH public key | N/A |
| Data Output | Acceptance / Denial of Authentication Attempt | N/A |
| Control Input | Authentication Data | N/A |
| Status Output | User Authentication Prompt | N/A |
| 35 | Crypto Officer Login | 5 |
| Data Input | Crypto Officer Authentication Data | N/A |
| Data Output | Acceptance / Denial of Authentication Attempt | N/A |
| Control Input | Authentication Data | N/A |
| Status Output | Crypto Officer Authentication Prompt | N/A |
| 30 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
| 02 | Conditional Test Failure | 2 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | Error logged | N/A |
State 4 - User
The FSM transitions
into this state when a User authenticates to the module or when an encrypted
session has been initiated. After successful login, the User has access to the
services defined in the Roles, Services, and Authentication section of the
Security Policy.
| Transition Number | Transition | Next State |
|---|---|---|
| 43 | User Logoff | 3 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Initiate Log Off | N/A |
| Status Output | Logoff confirmation | N/A |
| 47 | Initial Bypass | 7 |
| Data Input | Call from endpoint configured for plaintext received | N/A |
| Data Output | Plaintext call output | N/A |
| Control Input | Endpoint Configuration | N/A |
| Status Output | Call Successful | N/A |
| 30 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
| 02 | Conditional Test Failure | 2 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | Error logged | N/A |
State 5 - Crypto Officer
This state is
entered when an operator successfully authenticates as a Crypto Officer. A
Crypto Officer may configure the FSM as defined in the Secure Operation section
of the Security Policy. A Crypto Officer can re-enter the
No Auth state by
logging out. The Crypto Officer may return to
Power On Self Tests
state by rebooting the software. Physically removing power from the module will
return it to the Power Off state. The Crypto Officer can transition to the
Edit Configuration
state to edit the running configuration and manipulate keys.
| Transition Number | Transition | Next State |
|---|---|---|
| 56 | Initiate Configuration Edit | 6 |
| Data Input | Configuration Parameters | N/A |
| Data Output | None | N/A |
| Control Input | Configuration Parameters | N/A |
| Status Output | Configuration Verifications | N/A |
| 53 | Crypto Officer Logoff | 3 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Initiate Log Off | N/A |
| Status Output | Logoff confirmation | N/A |
| 50 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
| 02 | Conditional Test Failure | 1 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | None | N/A |
State 6 - Edit Configuration
This state is
entered from the
Crypto Officer
state with various commands to configure the FSM and enter cryptographic keys.
Only a Crypto Officer may edit the configuration of the FSM. Once the
configuration is complete, the new configurations are effective immediately
once the configuration is activated. The FSM returns to the
Crypto Officer
state when the Crypto Officer has completed configuration.
| Transition Number | Transition | Next State |
|---|---|---|
| 65 | Edit Configuration Complete | 5 |
| Data Input | Configuration Parameters | N/A |
| Data Output | None | N/A |
| Control Input | Configuration Parameters | N/A |
| Status Output | Configuration Verifications | N/A |
| 60 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |
| 02 | Conditional Test Failure | 2 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | None | N/A |
| Status Output | Error logged | N/A |
State 7 - Bypass
The FSM is
providing services without cryptographic processing (e.g., transferring
plaintext calls through the FSM). In this state, the FSM is providing services
with non-cryptographic processing (e.g., transferring plaintext through the
module). The FSM can transition to a Bypass state when a call is received from
an end point configured for non-encrypted calls.
| Transition Number | Transition | Next State |
|---|---|---|
| 74 | POST Failure | 4 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Call is disconnected | N/A |
| Status Output | Call ends | N/A |
| 70 | Power Switch to Off/Reboot | 0 |
| Data Input | None | N/A |
| Data Output | None | N/A |
| Control Input | Disconnect Power Supply | N/A |
| Status Output | None / Display boot status on startup | N/A |