Nortel Networks, Inc. VPN Client Software (Software Version: 7_11.101) FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Document Version 0.5 Prepared for: Prepared by: Nortel Networks, Inc. Corsec Security, Inc. 600 Technology Park Drive 10340 Democracy Lane, Suite 201 Billerica, MA 01821 Fairfax, VA 22030 Phone: (978)-670-8888 Phone: (703) 267-6050 Fax: (978) 288-4004 Fax: (703) 267-6810 http://www.nortel.com http://www.corsec.com © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Revision History Version Modification Date Modified By Description of Changes 0.1 2007-05-15 Xiaoyu Ruan Initial draft. Darryl H. Johnson 0.2 2008-02-21 Xiaoyu Ruan Added algorithm certificate numbers. 0.3 2008-06-06 Xiaoyu Ruan Version changed to 07_11.101. 0.4 2008-06-10 Xiaoyu Ruan Addressed Lab comments. 0.5 2008-09-17 Darryl H. Johnson Addressed Lab comments. Nortel VPN Client Software Page 2 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Table of Contents 0 INTRODUCTION ...............................................................................................................................................4 0.1 PURPOSE........................................................................................................................................................4 0.2 REFERENCES..................................................................................................................................................4 0.3 DOCUMENT ORGANIZATION ..........................................................................................................................4 1 VPN CLIENT SOFTWARE ...............................................................................................................................5 1.1 OVERVIEW ....................................................................................................................................................5 1.2 MODULE INTERFACES ...................................................................................................................................6 1.3 ROLES AND SERVICES ...................................................................................................................................7 1.3.1 Crypto Officer Role........................................................................................................................7 1.3.2 User Role .......................................................................................................................................8 1.4 PHYSICAL SECURITY .....................................................................................................................................9 1.5 OPERATIONAL ENVIRONMENT.......................................................................................................................9 1.6 CRYPTOGRAPHIC KEY MANAGEMENT ...........................................................................................................9 1.7 SELF-TESTS .................................................................................................................................................12 1.8 DESIGN ASSURANCE....................................................................................................................................12 1.9 MITIGATION OF OTHER ATTACKS ...............................................................................................................12 2 SECURE OPERATION....................................................................................................................................13 2.1 INITIAL SETUP .............................................................................................................................................13 2.2 CRYPTO OFFICER GUIDANCE.......................................................................................................................13 2.2.1 Installation ...................................................................................................................................13 2.2.2 Management.................................................................................................................................13 2.2.3 Zeroization ...................................................................................................................................13 2.3 USER GUIDANCE .........................................................................................................................................13 3 ACRONYMS......................................................................................................................................................14 Table of Figures FIGURE 1 ­ LOGICAL BLOCK DIAGRAM ..........................................................................................................................6 List of Tables TABLE 1 ­ SECURITY LEVEL PER FIPS 140-2 SECTION ..................................................................................................5 TABLE 2 ­ MAPPING OF LOGICAL AND PHYSICAL INTERFACES ......................................................................................6 TABLE 3 ­ MAPPING OF CRYPTO OFFICER'S SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS ..................7 TABLE 4 ­ MAPPING OF USER'S SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS .....................................8 TABLE 5 ­ LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS .....................................11 TABLE 6 ­ FIPS-APPROVED MSCAPI MODULES PROVIDING RSA FUNCTIONALITY ...................................................13 TABLE 7 ­ ACRONYMS .................................................................................................................................................14 Nortel VPN Client Software Page 3 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Virtual Private Network (VPN) Client Software from Nortel Networks, Inc. This Security Policy describes how the VPN Client Software meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 ­ Security Requirements for Cryptographic Modules) details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/index.html. The VPN Client Software is referred to in this document as the VPN Client, the Client Software, or the module. 0.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: · The Nortel website (http://www.nortel.com/) contains information on the full line of products from Nortel. · The CMVP website (http://csrc.nist.gov/groups/STM/index.html) contains contact information for answers to technical or sales-related questions for the module. 0.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: · Vendor Evidence document · Finite State Machine · Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Nortel. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Nortel and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Nortel. Nortel VPN Client Software Page 4 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 1 VPN Client Software 1.1 Overview The Nortel VPN Client provides the user-side functionality for secure remote access over Internet Protocol (IP) networks using Nortel IP access routers and VPN routers. The VPN Client ensures end-to-end network security by establishing a fully encrypted and authenticated VPN connection from a user's desktop across the Internet, terminating at a Nortel VPN router located at a trusted enterprise location. The following table details the security level achieved by the VPN Client in each of the eleven sections of FIPS 140- 2. Table 1 ­ Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 Electromagnetic Interference/Electromagnetic Compatibility 3 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A The Nortel VPN Client is a software module composed of a set of binaries running on the Windows 2000 or Windows XP operating system on a general-purpose personal computer (PC). The module was tested for FIPS 140- 2 requirements on Windows XP Professional with Service Pack (SP) 2. Testing was not performed on Windows 2000. In FIPS 140-2 terminology, the VPN Client is a multi-chip standalone module that meets the Level 1 FIPS 140-2 requirements. Physically, the module is composed of the components of a general purpose PC, and the physical cryptographic boundary is the case of the PC. The PC or motherboard manufacturer could provide a block diagram for the exact hardware on which the module is installed, and the physical cryptographic boundary surrounds all of those components. Logically, the VPN Client consists of the following four binaries running on Windows 2000 or Windows XP operating system (and the logical cryptographic boundary includes these four components, as depicted in Figure 1): · VPN Client Application (extranet.exe) ­ Performs Internet Key Exchange (IKE) and provides a graphical user interface (GUI) · IPSec Driver (ipsecw2k.sys) ­ Performs Internet Protocol Security (IPsec) functions · Filter Driver (eacfilt.sys) ­ Filters traffic other than IKE and IPsec communications · Library (CertAl.dll) ­ Interfaces with Microsoft Crypto Application Programming Interface (MSCAPI) for authentication using digital certificates Nortel VPN Client Software Page 5 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Figure 1 ­ Logical Block Diagram 1.2 Module Interfaces The VPN Client Software's physical ports are those provided by the general purpose PC, including the Ethernet ports and mouse/keyboard ports. The Client's logical interfaces are composed of: · GUI · Command line interface (CLI) · Application programming interface (API) · Configuration and log files · Packets traversing the networking stack A mapping of the FIPS 140-2 logical interfaces to the VPN Client's logical interfaces and the physical interfaces of the PC can be found in the following table. Table 2 ­ Mapping of Logical and Physical Interfaces FIPS Logical Interface VPN Client Logical Interface(s) Physical Interface(s) Data Input Interface The data input is any data sent into the module Network ports through the networking stack to an application on the PC (such as email, browser, etc), and any data coming into the module through the networking stack from the network ports. Also, data input to the module via the MSCAPI for certificate processing and Rivest Shamir Adleman (RSA) algorithm operations. Nortel VPN Client Software Page 6 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 FIPS Logical Interface VPN Client Logical Interface(s) Physical Interface(s) Data Output Interface The data output is any data going out of the module Network ports through the networking stack from an application on the PC (such as email, browser, etc), and any data going out of the module through the networking stack out the network ports. Also, data output from the module to MSCAPI for certificate processing and RSA operations. Control Input Interface Data read from configuration files, data input via the Keyboard port, hard disk, Nortel VPN Client GUI or CLI. mouse ports Status Output Interface The Status Output is all error messages either Light-emitting diodes (LEDs), logged by the module in a log file or the error hard disk, monitor ports messages in the GUI. The error messages from IKE negotiations are also status output. The logged error messages can be seen through the log files provided. 1.3 Roles and Services The module supports role-based authentication. There are two roles in the module (as required by FIPS 140-2) that operators may assume: Crypto Officer and User. 1.3.1 Crypto Officer Role The Crypto Officer role has the ability to install, uninstall, and configure the module's services using the GUI and CLIs provided by the module. Descriptions of the services (along with the inputs, outputs, critical security parameters (CSPs) and type of access for each) available to the Crypto Officer role are provided in the table below. Table 3 ­ Mapping of Crypto Officer's Services to Inputs, Outputs, CSPs, and Type of Access Type of Service Description Input Output CSP Access Install Installing the VPN Command Result of installation Keyed-Hash Read Client options or Message Commands Authentication Code (HMAC) - Secure Hash Algorithm (SHA1) for Integrity check Customize Client Client software Command Result of None None installation installation options or customization customization using Commands setup.ini Create a To set up connection Command Status of command, Username and Read/Write connection parameters options response and results password Profile data To add/edit/delete a Command Status of command, None None profile options response and results Nortel VPN Client Software Page 7 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Type of Service Description Input Output CSP Access Authentication To authenticate to the Command Command response Username and Write options Nortel VPN router options or password Commands Name Server To specify a Domain Command Command response None None options Name Service (DNS) option or Windows Internet Name Service (WINS) server, overriding the Nortel VPN router KeepAlives To enable or disable Command Command response None None KeepAlive packets options that maintain a connection during idle periods Auto Connect To Install/uninstall Command Command response None None Auto Connect feature options Connect before To enable or disable Command Command response None None logon the Nortel VPN Client options Graphical Identification and Authentication (GINA) dialog box on logon Uninstall To uninstall the Command Command response All CSPs Delete software options Start/Stop To start/stop the Menu options Status of command HMAC-SHA1 for Read Nortel VPN Client or Commands Integrity check services. The self tests are performed during the module start/restart. Show status Status messages for Commands Status info in log file None None the module written to log file. Zeroization Zeroizing CSPs Uninstalling the Result of zeroizing All CSPs Delete module and reformatting the hard drive 1.3.2 User Role The User role has the ability to establish and utilize VPN sessions with a Nortel VPN router. Descriptions of the services available to the User role are provided in the table below. Table 4 ­ Mapping of User's Services to Inputs, Outputs, CSPs, and Type of Access Type of Service Description Input Output CSP Access VPN session Use the VPN Encrypted/decrypted Encrypt/decrypted IPsec Session Read/Write services data data keys Nortel VPN Client Software Page 8 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Type of Service Description Input Output CSP Access Connect To establish VPN Authentication Result of login Username and Read/Write session by Information attempt password authenticating to the Nortel VPN router Edit profile Edit the profile Command options Updated profile Username and Read/Write information on information password the Client Change Change the Password Updated password Password Write password current password used on the Nortel VPN router Monitor To monitor Command options Status of command None None Status connection status Disconnect To end the VPN Command options Status of command IPsec Session Delete session keys 1.4 Physical Security The VPN Client Software is a multi-chip standalone cryptographic module. It is a software module and does not implement any physical security mechanisms. Although the VPN Client consists entirely of software, the FIPS 140-2 tested platform is a standard PC which has been tested for, and meets, applicable Federal Communication Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for home and business use as defined in Subpart B of FCC Part 15. 1.5 Operational Environment The Nortel VPN Client was tested and validated on Windows XP, but it could run on either Windows XP or Windows 2000. For FIPS 140-2 compliance, these are considered to be single user operating systems. As such, all keys, intermediate values, and other CSPs remain only in the process space of the operator using the module. The operating system uses its native memory management mechanisms to ensure that outside processes cannot access the process space used by the module. 1.6 Cryptographic Key Management The module utilizes the following FIPS-approved software algorithm implementations: · Advanced Encryption Standard (AES) ­ Cipher-Block Chaining (CBC) mode (128, 256 bits) ­ FIPS 197 (certificate #721) · Triple Data Encryption Standard (Triple-DES) ­ CBC mode (112, 168 bits) ­ FIPS 46-3 (certificate #644) · Secure Hash Algorithm (SHA-1) ­ FIPS 180-2 (certificate #740) · Keyed-Hash Message Authentication Code SHA-1 (HMAC-SHA1) ­ FIPS 198 (certificate #389) · Pseudorandom Number Generator (PRNG) ­ General purpose implementation of FIPS 186-2 [(x-Original); (SHA-1)] (certificate #421) In the FIPS mode of operation, the module utilizes the following non-Approved key agreement schemes. They are allowed by FIPS 140-2: Nortel VPN Client Software Page 9 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 · Diffie-Hellman Group 2 (1024 bit), providing 80 bits of key strength · Diffie-Hellman Group 5 (1536 bit), providing 96 bits of key strength The module disables the following algorithm(s) when running in a FIPS mode of operation: · Diffie-Hellman Group 8 (Elliptical Curve Discrete Logarithm (ECDL)) · Diffie-Hellman Group 1 (768 bit) · Data Encryption Standard (DES) · 40-bit DES · Message-Digest Algorithm 5 (MD5) · Keyed Hash Message Authentication Code MD5 (HMAC-MD5) The following table lists all cryptographic keys, key components, and CSPs used by the module. Nortel VPN Client Software Page 10 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 Table 5 ­ List of Cryptographic Keys, Cryptographic Key Components, and CSPs Key Key Type Generation / Input Output Storage Zeroization Use Integrity check HMAC (160 bits) Externally generated Never Non-volatile memory When the module is Software integrity HMAC-SHA1 key predetermined value (hard drive ­ plaintext) in uninstalled or the check hard coded into the module binaries in hard drive is module \isakmpd\fips.cpp reformatted. FIPS 186-2 PRNG Seed key (160 bits) Generated internally Never Volatile memory only When the module Used by FIPS 186-2 Seed key by gathering system (plaintext) reboots PRNG entropy Passwords Alphanumeric string Externally created by Never Volatile memory, or non- By changing the Generate pre-shared (minimum of 6 an operator and volatile memory (hard password keys for authentication characters) entered into the drive ­ plaintext) during IKE module IPsec pre-shared IPsec pre-shared key Generated internally Never Volatile memory only When the module Mutual authentication keys (160 bits) by HMAC of user ID (plaintext) reboots between the module and password and the server RSA public keys RSA public key Externally generated During IPsec/IKE Volatile memory only When the module Mutual authentication (Certificates) (1024­4096 bits) and input into and negotiation in (plaintext) reboots between the module output from the plaintext and the server module during IKE IKE Diffie-Hellman Diffie-Hellman Group Generated internally Never Volatile memory only When no longer used Used for session key key pair 2 (1024 bits) or during IKE (plaintext) by the module or agreement ­ public Group 5 (1536 bits) reboot key sent to server IKE Diffie-Hellman Diffie-Hellman Group Exchanged during During IPsec/IKE Volatile memory only When no longer used Used for session key public key 2 (1024 bits) or IKE negotiation in (plaintext) by the module or agreement ­ received Group 5 (1536 bits) plaintext reboot from server IPsec session keys AES (128, 256 bits) Negotiated during Never Volatile memory only When no longer used Used to Triple-DES (112, 168 IKE using Diffie- (plaintext) by the module or encrypt/decrypt/HMAC bits), HMAC-SHA-1 Hellman key reboot tunnel traffic keys (160 bits) agreement Nortel VPN Client Software Page 11 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 1.7 Self-Tests The VPN Client performs the following self-tests at power-up: · Software integrity check: Verifying the integrity of the software binaries of the module using an HMAC- SHA1 keyed hash. · AES Known Answer Test (KAT): Verifying the correct operation of the AES algorithm implementation. · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementation. · SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementation. · HMAC-SHA1 KAT: Verifying the correct operation of the HMAC-SHA1 algorithm implementation. · FIPS 186-2 PRNG KAT: Verifying the correct operation of the FIPS 186-2 PRNG implementation. The VPN Client performs the following conditional self-tests: · FIPS 186-2 Continuous Random Number Generator (RNG): Verifying that the Approved RNG does not repeatedly generate a constant value. · Continuous RNG for entropy gathering: Verifying that the seed for the FIPS 182-2 PRNG does not repeatedly generate a constant value. · Alternating bypass mode test: Verifying the integrity of the modules' bypass capability hardcoded in the filter driver. The VPN Client will start its services only after all the self tests have passed. If the self tests have not passed, it enters an error state and logs the failure. All error conditions can be cleared by restarting the module. 1.8 Design Assurance Nortel Networks uses the ClearCase Configuration Management System. The ClearCase software is used for software and document version control, code sharing, and build management. ClearCase also keeps track of what versions of files were used for each release and what combinations were used in builds. Additionally, Microsoft Visual SourceSafe is used to provide configuration management for the VPN Client Software's FIPS documentation. This software provides access control, versioning, and logging. 1.9 Mitigation of Other Attacks This section is not applicable. The VPN Client module does not claim to mitigate any attacks beyond the FIPS 140- 2 Level 1 requirements for this validation. Nortel VPN Client Software Page 12 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 2 Secure Operation The VPN Client Software meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS-approved mode of operation. 2.1 Initial Setup By default, the Nortel VPN Client is configured for a FIPS mode of operation. 2.2 Crypto Officer Guidance The Crypto Officer is responsible for installation, customization configuration, management of the module, and removal of the module. More details on how to use the module can be found in the "Configuring the Nortel VPN Client" and "Using the Nortel VPN Client in FIPS Mode" documents. 2.2.1 Installation The module uses RSA digital signature generation and verification as provided by the Microsoft Windows Operating System through the FIPS-approved MSCAPI libraries. However, the RSA functionality is not included inside the module; it is provided by one of the following FIPS-approved MSCAPI modules: Table 6 ­ FIPS-Approved MSCAPI Modules Providing RSA Functionality Certificate # Windows Platform rsaenh.dll Version 238 XP 5.1.2518.0 [XP] 5.1.2600.1029 [XP SP1] 5.1.2600.2161 {XP SP2] 103 2000 SPx 5.0.2150.1391 [SP1] 5.0.2195.2228 [SP2] 5.0.2195.3839 [SP3] 76 2000 5.0.2150.1 2.2.2 Management By default, the Nortel VPN Client is configured for a FIPS mode of operation. The module can be put in a non- FIPS mode during custom installation or configuration. When switching between FIPS and non-FIPS modes, the operator must zeroize the group and user passwords by overwriting them with new values. Operators must not perform switching between FIPS and non-FIPS mode when using the module in a FIPS mode of operation. This should only be done during installation. 2.2.3 Zeroization At the end of the life cycle of the module, the Crypto Officer must uninstall the module's software, overwrite all addressable locations with a single character, and reformat the hard drive which contained the software. This will zeroize all hard-coded keys and CSPs stored on the drive. 2.3 User Guidance The User accesses the module's VPN functionality. The User must not modify the configuration of the module as established by the Crypto Officer, nor should a User reveal any of the CSPs (such as group and user passwords) used by the module to other parties. Nortel VPN Client Software Page 13 of 14 © 2008 Nortel Networks, Inc. Security Policy, Version 0.5 September 27, 2008 3 Acronyms Table 7 ­ Acronyms Acronym Definition AES Advanced Encryption Standard API Application Programming Interface CBC Cipher-Block Chaining CLI Command Line Interface CMVP Cryptographic Module Validation Program CSP Critical Security Parameter DES Data Encryption Standard DNS Domain Name Service ECDL Elliptical Curve Discrete Logarithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communication Commission FIPS Federal Information Processing Standard GINA Graphical Identification and Authentication GUI Graphical User Interface HMAC (Keyed-) Hash Message Authentication Code IKE Internet Key Exchange IP Internet Protocol IPsec Internet Protocol Security KAT Known Answer Test LED Light Emitting Diode MD5 Message-Digest Algorithm 5 MSCAPI Microsoft Crypto Application Programming Interface NIST National Institute of Standards and Technology PC Personal Computer PRNG Pseudorandom Number Generator RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SP Service Pack VPN Virtual Private Network WINS Windows Internet Name Service Nortel VPN Client Software Page 14 of 14 © 2008 Nortel Networks, Inc.