Cryptographic Equipment Assessment Laboratory (CEAL) CEAL Example: Finite State Model
The CryptoGarage 900
Design Document 1054-4
Finite State Model (FSM)
CygnaCom Solutions
Revision 0.1
August 13, 1997
Copyright 1997 all rights reserved
Purpose:
This is an example Finite State Model for a fictional device. This document is intended to familiarize people with the concept and contents of a Finite State Model (FSM) as required by the Federal Information Processing Standards Publication (FIPS PUB) 140-2. The FSM described herein contains flaws and errors that are intended to be used for discussion and training purposes. The reader should bear in mind that these errors, while reasonably obvious, are not pointed out in this document.
Scope:
This document describes the FSM and transitions in the fictional CryptoGarage. A separate software design document would describe the actual firmware implementation of the device and relate the software design to the operation of the FSM. The descriptions in this document are brief, however, as with all FSMs they are required to be complete in their description of the cryptographic module FSM.
Introduction:
The CryptoGarage 900 is a FIPS 140-2 level 1 compliant cryptographic garage door controller. Separate documents describe the CryptoGarage cryptographic module, its interfaces (RF antennae, door sensor input, power switch, LEDs, and motor control output), roles and services, FSM, physical security controls, software design, key management, and cryptographic algorithms, and self test design.
The CryptoGarage 900 is the flagship automatic garage door controller, featuring all the amenities of the 800 series, cryptographic user authentication, state-of-the art door interlock safety control, automatic shop light, and pretty flashing LEDs. All communication with the remote device is cryptographically protected to prevent sophisticated thieves from intercepting your private communications with your CryptoGarage 900. The CryptoGarage must be activated with the radio frequency remote control. Activation uses a challenge response with SKIPJACK encryption using symmetric keys. Once activated, the door can be raised and lowered until it is deactivated. Deactivation is either explicit using the remote, or implicit using a one-minute timeout circuit.
States- Power-Up: The Power-Up state is entered whenever the power switch is flipped to the "juice" setting. When in the Power-Up state, the pretty flashing LEDs flash in attractive patterns. The CryptoGarage has a five-year Lithium-Sodium battery. (Caution: do not disconnect or open the Lithium-Sodium battery except in an atmosphere of noble gas.) The CryptoGarage will automatically transition to either the no-key or deactivated state after powering up.
- Power-Down: The Power-Down state is entered whenever the power switch is flipped to the "die" setting. Flipping the switch back will bring the CryptoGarage back to the Power-Up state. In the Power-Down state, the self-destruct command may be given, causing the battery compartment to automatically pop open.
- No Key: When the CryptoGarage is first connected to a battery, it has no SKIPJACK key. A key must be entered using the remote control before the device can accept any other commands.
- Deactivated: Once a keyed CryptoGarage is powered up, it enters the deactivated state and waits for authentication input from the remote control. After successful authentication, it will enter the activated state.
- Activated: Whenever the PIN has been successfully entered from the Deactivated state, the CryptoGarage is in the Activated state and can perform all of the door opening and closing functions.
- Up: When the garage door has reached the fully open position, it stops and enters the Up state.
- Down: When the garage door has reached the fully closed position, it stops and enters the Down state.
- Moving on Up: When the garage door motor is engaged and the door is opening, the module is in the moving on up state. This process can be interrupted for a safety error.
- Moving on Down: When the garage door motor is engaged and the door is closing, the module is in the moving on down state. This process can be interrupted for a safety error.
- Safety Error: The CryptoGarage 900 has a patented ACSC sensor. The ACSC will sense problems in the moving on up or down states and stop the door action to enter the safety error state. Once in this state the CryptoGarage will perform a sophisticated self test until the anti-crush-small-children (ACSC) indicates the danger has passed. The door is then restarted moving up or down.
- Security Error: If the CryptoGarage ever receives a transmission not encrypted with the correct SKIPJACK key it will enter the Security Error state. From this state the module will transition to the deactivated state and require authentication from the user.
- Self-Destruct: In this mode which is accessible only from the Power Down state, the module opens the battery compartment cover. If the module is in a reactive atmosphere, the Lithium-Sodium battery will violently react with the surrounding gas causing a violent explosion.
State Transitions
The developers decided to specify the transitions in-line using a Mealy machine. A separate pictorial FSM is provided later. Each of these transition inputs and output are described with a separate paragraph in the software and firmware design description documents All inputs not specified in the following table result in no state transition.
| Current State | Input | Output | Next State |
| Power Up | No Skipjack Key | No Key LED lit | No Key |
| Power Up | Skipjack Key Loaded | Pretty LEDs lit | Deactivated |
| Power Down | Self-destruct Command | Boom | Self Destruct |
| Self Destruct | Any Command | Boom | Self Destruct |
| No Key | Successful Key Entry | Pretty LEDs lit & flash | Deactivated |
| Deactivated | Successful Challenge | Pretty LEDs lit | Activated |
| Activated | Door is closed | All LEDs lit | Up |
| Activated | Door is open | All LEDs off | Down |
| Activated | Timer Off | Pretty LEDs lit | Deactivated |
| Activated | Deactiavte Command | Pretty LEDs lit | Deactivated |
| Up | Close Command | Pretty LEDs lit | Moving on Down |
| Up | ACSC | LEDs flash | Safety Error |
| Down | Open Command | Pretty LEDs lit | Moving on Up |
| Down | ACSC | LEDs flash | Safety Error |
| Moving on Up | Close Command | Pretty LEDs lit | Moving on Down |
| Moving on Up | ACSC | LEDs flash | Safety Error |
| Moving on Up | Reached Top | All LEDs lit | Up |
| Moving on Down | Open Command | Pretty LEDs lit | Moving on Up |
| Moving on Down | ACSC | LEDs flash | Safety Error |
| Moving on Down | Reached Bottom | All LEDs off | Down |
| Safety Error | ACSC off | Pretty LEDs | Self Test |
| Safety Error | ACSC | LEDs flash | Safety Error |
| Any State | Bad Encryption | LEDs flash | Security Error |
| Security Error | Auto Transition | All LEDs flash | Deactivated |
State Diagrams