Nortel Networks Nortel VPN Router 1010, 1050, and 1100 (Hardware Modules with Firmware Version 7_05.100) FIPS 140-2 Security Policy Level 1 Validation Document Version 0.8 Prepared for: Prepared by: Nortel Networks Corsec Security, Inc. 600 Technology Park 10340 Democracy Lane, Suite 201 Billerica, MA 01821 Fairfax, VA 22030 Phone: (800) 466-7835 Phone: (703) 267-6050 Fax: (978) 288-4004 Fax: (703) 267-6810 http://www.nortel.com http://www.corsec.com © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Revision History Version Modification Date Modified By Description of Changes 0.1 2007-05-15 Xiaoyu Ruan Initial draft. Darryl Johnson 0.2 2008-02-21 Xiaoyu Ruan Added algorithm certificate numbers. 0.3 2008-05-29 Xiaoyu Ruan Addressed Lab comments. 0.4 2008-06-03 Xiaoyu Ruan Addressed Lab comments. 0.5 2008-06-10 Xiaoyu Ruan Addressed Lab comments. 0.6 2008-06-18 Xiaoyu Ruan Addressed Lab comments. 0.7 2008-06-27 Xiaoyu Ruan Addressed Lab comments. 0.8 2008-10-27 Darryl Johnson Addressed CMVP comments. Nortel VPN Router 1010, 1050, and 1100 Page 2 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Table of Contents 0 INTRODUCTION ...............................................................................................................................................5 0.1 PURPOSE .........................................................................................................................................................5 0.2 REFERENCES ...................................................................................................................................................5 0.3 DOCUMENT ORGANIZATION ...........................................................................................................................5 1 NORTEL VPN ROUTER 1010, 1050, AND 1100.............................................................................................6 1.1 OVERVIEW......................................................................................................................................................6 1.2 MODULE INTERFACES ....................................................................................................................................7 1.3 ROLES AND SERVICES...................................................................................................................................10 1.3.1 Crypto Officer Role..............................................................................................................................10 1.3.2 User Role .............................................................................................................................................11 1.3.3 Authentication Mechanisms .................................................................................................................11 1.3.4 Unauthenticated Operator ...................................................................................................................12 1.4 PHYSICAL SECURITY ....................................................................................................................................12 1.5 OPERATIONAL ENVIRONMENT ......................................................................................................................12 1.6 CRYPTOGRAPHIC KEY MANAGEMENT ..........................................................................................................12 1.7 SELF-TESTS ..................................................................................................................................................15 1.8 MITIGATION OF OTHER ATTACKS.................................................................................................................16 2 SECURE OPERATION....................................................................................................................................17 2.1 INITIAL SETUP ..............................................................................................................................................17 2.1.1 Applying Tamper-Evident Labels ........................................................................................................17 2.2 CRYPTO OFFICER GUIDANCE ........................................................................................................................17 2.2.1 Initialization.........................................................................................................................................17 2.2.2 Management ........................................................................................................................................18 2.2.3 Zeroization...........................................................................................................................................18 2.3 USER GUIDANCE ..........................................................................................................................................18 3 ACRONYMS......................................................................................................................................................19 Table of Figures FIGURE 1 - NORTEL VPN ROUTER DEPLOYMENT ARCHITECTURE.................................................................................6 FIGURE 2 - FRONT VIEW OF 1010...................................................................................................................................9 FIGURE 3 - FRONT VIEW OF 1050...................................................................................................................................9 FIGURE 4 - FRONT VIEW OF 1100...................................................................................................................................9 FIGURE 5 - REAR VIEW OF 1010/1050/1100...................................................................................................................9 FIGURE 6 ­ TAMPER-EVIDENT LABEL PLACEMENT......................................................................................................17 FIGURE 7 - FIPS MODE CONFIGURATION.....................................................................................................................17 List of Tables TABLE 1 - SECURITY LEVEL PER FIPS 140-2 SECTION ..................................................................................................6 TABLE 2 - NETWORK INTERFACE CARDS AVAILABLE ....................................................................................................7 TABLE 3 - PHYSICAL PORTS AND LOGICAL INTERFACES ................................................................................................8 Nortel VPN Router 1010, 1050, and 1100 Page 3 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 TABLE 4 - LED STATUS .................................................................................................................................................9 TABLE 5 - CRYPTO OFFICER SERVICES ........................................................................................................................10 TABLE 6 - USER SERVICES ...........................................................................................................................................11 TABLE 7 - AUTHENTICATION MECHANISM USED BY THE MODULES ............................................................................11 TABLE 8 - LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS ....................................13 TABLE 9 - ACRONYMS..................................................................................................................................................19 Nortel VPN Router 1010, 1050, and 1100 Page 4 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 0 Introduction 0.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the VPN (Virtual Private Network) Router 1010, 1050, and 1100 from Nortel Networks. This Security Policy describes how the Nortel VPN Router 1010, 1050, and 1100 meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 ­ Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at: http://csrc.nist.gov/groups/STM/index.html. The Nortel VPN Router 1010, 1050, and 1100 is referred to in this document as the routers, the cryptographic modules, or the modules. 0.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: · The Nortel website (http://www.nortel.com/) contains information on the full line of products from Nortel. · The CMVP website (http://csrc.nist.gov/groups/STM/index.html) contains contact information for answers to technical or sales-related questions for the module. 0.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: · Vendor Evidence document · Finite State Machine · Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Nortel. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Nortel and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Nortel. Nortel VPN Router 1010, 1050, and 1100 Page 5 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 1 Nortel VPN Router 1010, 1050, and 1100 1.1 Overview Nortel is a recognized leader in delivering communications capabilities that secure and protect the world's most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed Internet Protocol (IP) networks and the Internet. Nortel VPN Routers give enterprises a competitive edge by enabling cost-effective, secure connectivity across the entire supply chain, including branch offices, suppliers, distributors, and other business partners. The modules streamline equipment requirements by packaging required VPN firmware and hardware in a single box, without requiring other localized network equipment or servers, minimizing administration costs. A typical deployment of Nortel VPN Routers is shown in Figure 1. Figure 1 - Nortel VPN Router Deployment Architecture The Nortel VPN Router 1010, 1050, and 1100 is validated at the following FIPS 140-2 Section levels: Table 1 - Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 2 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key Management 1 Nortel VPN Router 1010, 1050, and 1100 Page 6 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Section Section Title Level 8 EMI/EMC 1 9 Self-tests 1 10 Design Assurance 2 11 Mitigation of Other Attacks N/A Notice that N/A indicates "Not Applicable". EMC and EMI refer to Electromagnetic Compatibility and Electromagnetic Interference, respectively. 1.2 Module Interfaces The Nortel VPN Router 1010, 1050, and 1100 are multi-chip standalone modules that meet overall level 1 FIPS 140-2 requirements. The cryptographic boundary of the Nortel VPN Router 1010, 1050, and 1100 is defined by the outer case of the modules which encloses the complete set of hardware and firmware components. The firmware version number (7_05.100) is the same for all models. The VPN Routers are designed to be modular. They include a power supply, Random Access Memory (RAM), processors, hard disk, floppy drive and Peripheral Component Interconnect (PCI) slots. The VPN Router 1100 communicates with clients via Local Access Network (LAN) and Wide Access Network (WAN) network interface cards that can be factory installed or field installed. The following network interface cards are available. The option cards are excluded from the security requirements of FIPS 140-2 because they do not provide any security-relevant functionality. The VPN Routers 1010 and 1050 do not support network interface cards. Table 2 - Network Interface Cards Available Factory Installable Field Installable Description DM1004002 DM1011002 10/100 Ethernet Option Card DM3919002 DM3919001 1000Base-SX Option Card DM3919003 DM3919004 1000Base-T Option Card DM3811001 DM3811002 56/64K Channel Service Unit/Data Service Unit (CSU/DSU) PCI Option Card DM2111015 DM2111016 Asymmetrical Digital Subscriber Line (ADSL) Annex A Option Card. DM2111017 DM2111018 ADSL Annex B Option Card. DM1519006 DM1519003 Integrated Services Digital Network (ISDN) - BRI S/T Option Card DM1519005 DM1519004 ISDN - BRI U (US/Canada Only - American National Standards Institute (ANSI) Standard) Option Card DM2111013 DM2111014 Half Height Single Port T1/FT1 E1 (G.703) w/CSU/DSU Option Card DM2119002 DM2119001 Quad T1/FT1 E1 (G.703) w/quad CSU/DSU (4 x RJ48C) Option Card DM3819002 DM3819004 V.90 Modem Option Card DM2111027 DM2111006 Single X.21 / V.35 Card Option Card DM2104003 DM2111003 High Speed Serial Interface (HSSI) option card for external T3/E3 CSU/DSU DM1004002 DM1011002 10/100 Ethernet Option Card The modules' design separates the physical ports into four logically distinct and isolated categories. They are logically divided but are accessed through either the Console port or the network ports. They are: Nortel VPN Router 1010, 1050, and 1100 Page 7 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 · Data Input · Data Output · Control Input · Status Output Data input/output are the packets utilizing the services provided by the modules. These packets enter and exit the modules through the network ports. Control input consists of Configuration/Administration data entered into the modules through the web interface or the Command Line Interface (CLI) management interface and the input for the power. Any user can be given administrative permissions by the Crypto Officer. Status output consists of the status indicators displayed through the Light Emitting Diodes (LEDs) and log information through the Graphical User Interface (GUI) or CLI. A user with administrative permissions has access to the modules status logs. The following is a list of the possible physical ports supported by the modules: · Power connector · Power switch · Network ports (LAN port, WAN port) · Serial port · LEDs Table 3 lists the interfaces available in each Router and also provides the mapping from the physical interfaces to logical interfaces as defined by FIPS 140-2: Table 3 - Physical Ports and Logical Interfaces Logical 1010 1050 1100 Interfaces Data input Network ports Network ports Network ports Data output Network ports Network ports Network ports Serial port, Network ports, Serial port, Network ports, Serial port, Network ports, Control input Power switch Power switch Power switch LEDs, Serial port, Network LEDs, Serial port, Network LEDs, Serial port, Network Status output ports ports ports Power input Power connector Power connector Power connector The physical ports of the modules are depicted in the following figures: Nortel VPN Router 1010, 1050, and 1100 Page 8 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Figure 2 - Front View of 1010 Figure 3 - Front View of 1050 Figure 4 - Front View of 1100 Figure 5 - Rear View of 1010/1050/1100 The cryptographic modules have a number of LEDs which indicate the state of the modules. The descriptions for the LEDs are listed below for each module. Table 4 - LED Status LED Indicator Description Yellow The router is booting and is in a non-ready state. Boot/Ready Green The boot process is complete and the router is in a state of readiness. Nortel VPN Router 1010, 1050, and 1100 Page 9 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 LED Indicator Description An alarm condition exists. The alarm may indicate a serious condition, such On as a hardware defect, or a software attention condition. The alert condition is Alert described in the health check display. Off No alert condition exists. 1.3 Roles and Services The modules support role-based authentication. There are two roles in the modules (as required by FIPS 140-2) that operators may assume: a Crypto Officer role and a User role. 1.3.1 Crypto Officer Role The Crypto Officer role is the administrator for the router and does the initial setup and maintenance. Descriptions of the services available to the Crypto Officer role are provided in the table below. CSP stands for Critical Security Parameter. Crypto Officer services are provided via various protocols including Transport Layer Security (TLS), Secure Shell (SSH), and Remote Authentication Dial-In User Service (RADIUS). Table 5 - Crypto Officer Services Keys/CSPs and Type of Service Description Input Output Access Configuring Define network interfaces and Command and Command RSA public key - write, read the router settings, set the protocols the parameters response RSA private key - write, read router will support and load Password - write, read authentication information RADIUS shared secret - write, read Create user Creating, editing and deleting Command and Command Password - write, read groups user groups, define common parameters response IPsec pre-shared keys - sets of user permissions. write, read Create users Creating, editing and deleting Command and Command Password - write, read user, Define user accounts parameters response and assign permissions. Define rules Create packet filters that are Command and Command None and filters applied to user data streams parameters response on each interface. Monitor View the router configuration, Command Status None status active sessions and logs. information Manage the Log off users, shut down or Command and Command All - write, read, delete router reset the router, backup or parameters response restore the router configuration, create recovery diskette or zeroize. RADIUS RADIUS server logs in and RADIUS shared Status RADIUS shared secret - read service performs User authentication. secret information TLS service Manage the module using Command, Status RSA public key - read with TLS protocol. username, information RSA private key - read password Password - read TLS Session Keys - write, read, delete ANSI X9.31 PRNG key - write, read, delete Nortel VPN Router 1010, 1050, and 1100 Page 10 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Keys/CSPs and Type of Service Description Input Output Access SSH service Manage the module using Command, Status SSH DSA public key - read with SSH protocol. username, information SSH DSA private key - read password Password - read SSH Diffie-Hellman key pair - write, read, delete ANSI X9.31 PRNG key - write, read, delete SSH Session Key - write, read, delete 1.3.2 User Role The User role has the ability to access the VPN services provided by the modules which can be exercised by authenticating during the establishment of an IPsec session using a pre-shared key or digital certificate. Descriptions of the services available to the User role are provided in the table below. API stands for Application Programming Interface. Table 6 - User Services Keys/CSP and Type Service Description Input Output of Access VPN session Establish VPN session and API calls, including Result of negotiation RSA private key - read establishment authenticate proper messages to and session key Password - read authenticate IPsec pre-shared keys - read IKE Diffie-Hellman key pair - write, read, delete FIPS 186-2 PRNG Seed key - write, read, delete VPN session Use the VPN services Encrypted/decrypted Encrypted/decrypted IPsec Session Keys - data data write, read, delete Change Change the user password Command and Result of password Password - write, read, password parameters change delete 1.3.3 Authentication Mechanisms The Crypto Officer can access the module over the console port, TLS session or an IPsec VPN Client session. The Crypto Officer authenticates using a user ID and password. The user authenticates using a pre-shared key or digital certificate during Internet Key Exchange (IKE). In addition to these mechanisms, authentication may be performed by the internal Lightweight Directory Access Protocol (LDAP) or external LDAP or external LDAP proxy or RADIUS servers. Table 7 - Authentication Mechanism Used by the Modules Authentication Type Strength Password Passwords are required to be at least 8 characters in length, and the module supports lengths of up to 32 characters. Considering only the case sensitive English alphabet and the numerals 0-9 using an 8 digit password with repetition, the number of potential passwords is 628, which equates to a 1 in 628 chance of false positive. Pre-shared key The module authenticates the user during IKE using pre-shared keys. Pre-shared keys are generated based on user credentials. The probability of a random attempt to succeed is 1:2160. Nortel VPN Router 1010, 1050, and 1100 Page 11 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Authentication Type Strength RSA Public Key Certificates The module supports RSA digital certificate authentication of users during IPsec/IKE. The module also supports RSA digital certificate authentication of LDAP servers during TLS. Using conservative estimates and equating a 1024 bit RSA key to an 80 bit symmetric key, the probability for a random attempt to succeed is 1:280. RADIUS shared secret The RADIUS server authenticates to the module using a hash of the secret key with other information. The shared secret should be at least 8 characters in length, and the module supports lengths of up to 32 characters. Considering only the case sensitive English alphabet and the numerals 0-9 using an 8-digit password with repetition, the number of potential passwords is 628, which equates to a 1 in 628 chance of false positive. 1.3.4 Unauthenticated Operator The Simple Network Management Protocol (SNMP) services are provided without authentication. An unauthenticated operator uses a community string to access the SNMP services. The SNMP implemented in the routers is version 1 and it only allows the unauthenticated operator to get non-security-relevant system condition information. The SNMP services do not affect the security of the module. 1.4 Physical Security The Nortel VPN Router 1010, 1050, and 1100 are multi-chip standalone cryptographic modules and are enclosed in a hard and opaque metal case that completely encloses all of the internal components of the modules. There are only a limited set of vent holes provided in the case. Tamper-evidence labels are applied to the case to provide physical evidence of attempts to remove the case of the modules. All of the modules' components are production grade. The placement of tamper-evidence labels can be found in section 2 - Secure Operation. The modules were tested and found conformant to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use). 1.5 Operational Environment The operational environment requirements do not apply to the VPN Router 1010, 1050, and 1100. The modules do not provide a general purpose operating system. 1.6 Cryptographic Key Management The modules implement the following FIPS-approved algorithms: · AES1-CBC2 (128, 256 bits) ­ FIPS 197 (certificates #718 and #719) · Triple DES3-CBC (168 bits) ­ FIPS 46-3 (certificates #641 and #642) · RSA4 (1024, 2048) ­ PKCS5#1 (certificates #338 and #339) · DSA6 (1024) ­ FIPS 186-2 (certificate #272) · FIPS 186-2 PRNG7 ­ General purpose implementation [(x-Original); (SHA8-1)] (certificate #420) 1 Advanced Encryption Standard 2 Cipher Block Chaining 3 Data Encryption Standard 4 Rivest, Shamir, and Adleman 5 Public Key Cryptography Standard 6 Digital Signature Algorithm Nortel VPN Router 1010, 1050, and 1100 Page 12 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 · ANSI X9.31 Appendix A.2.4 PRNG (certificate #419) · SHA-1 ­ FIPS 180-2 (certificates #738 and # 739) · HMAC9-SHA-1 ­ FIPS 198 (certificates #387 and #388) The module utilizes the following non-FIPS-approved algorithm implementation in the FIPS Mode of operation: · Hardware RNG10 ­ for seeding the FIPS 186-2 PRNG · Non-approved RNG ­ for seeding the ANSI X9.31 PRNG · RSA PKCS #1 key wrap (1024 and 2048 bits), providing 80 and 112 bits of encryption strength; non- compliant less than 80 bits (when using key sizes less than 1024 bits) · Diffie-Hellman Group 5 (1536 bits), providing 96 bits of encryption strength · Diffie-Hellman Group 2 (1024 bits), providing 80 bits of encryption strength Additionally, the following algorithms are disabled within the module in the FIPS mode of operation: · DES-CBC (56 bits) · DES MAC11 · Diffie-Hellman Group 8 (Elliptic Curve Diffie-Hellman) · Diffie-Hellman Group 1 (768 bit) · RC4-CBC (128, 40 bits) · RC2-CBC (128 bits) · MD5 · HMAC MD5 · MD2 The module supports the following critical security parameters: Table 8 - List of Cryptographic Keys, Cryptographic Key Components, and CSPs Key Key Type Generation / Input Storage Zeroization Use Firmware DES MAC (56 Externally generated Non-volatile Zeroized by This key is used to integrity bits) predetermined value memory (hard formatting the hard perform the integrity check key hard coded into the drive ­ drive check on the module plaintext) in module. module binaries ANSI X9.31 Triple DES key Generated internally Volatile Zeroized when the Used by ANSI X9.31 PRNG key by non-approved RNG memory only module reboots PRNG (plaintext) FIPS 186-2 160 bits Generated internally Volatile Zeroized when the Used by FIPS 186-2 PRNG by gathering system memory only module reboots PRNG Seed key entropy (plaintext) 7 Pseudo Random Number Generator 8 Secure Hash Algorithm 9 Keyed-Hash Message Authentication Code 10 Random Number Generator 11 Message Authentication Code Nortel VPN Router 1010, 1050, and 1100 Page 13 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Key Key Type Generation / Input Storage Zeroization Use RSA public 1024, 2048 bits Server public key is Non-volatile Zeroized when the Public key used for key (X.509 internally generated memory certificate is IPsec/IKE and TLS certificate) using PKCS #1; User deleted; User key negotiation public key is sent to public key is the module during zeroized when IPsec/IKE and TLS tunnel is session key disconnected negotiation. RSA private 1024-2048 bits Generated internally Non-volatile Zeroized when the Private key used for key using PKCS #1. memory certificate is IPsec/IKE and TLS (PKSC#5 ­ deleted key negotiation plaintext) SSH RSA 1024, 2048 bits Server public key is Non-volatile Zeroized when the Public key used for public key (X.509 internally generated memory certificate is SSH key negotiation certificate) using PKCS #1; User deleted; User public key is sent to public key is the module during zeroized when SSH SSH sessions. session is disconnected SSH RSA 1024-2048 bits Generated internally Non-volatile Zeroized when the Private key used for private key using PKCS #1. memory certificate is SSH key negotiation (PKSC#5 ­ deleted plaintext) Passwords Alphanumeric Entered into module Non-volatile Zeroized when the Used for string (8 ­ 32 over a console port, memory password is authenticating the characters) TLS or IPsec session (internal LDAP updated with a new Crypto Officer and database ­ one Users plaintext) IPsec pre- 160 bits Generated internally Not stored - in Zeroized when not Mutual shared using user id and volatile needed or when authentication keys password memory only the module reboots between the server (plaintext) and the client IKE Diffie- Diffie-Hellman Generated internally Not stored - When no longer Used for session key Hellman Group 2 (1024 using FIPS 186-2 Volatile used by the module agreement ­ public key pair bits) or Group 5 PRNG during IKE memory only or reboot key sent to client (1536 bits) (plaintext) SSH Diffie- Diffie-Hellman Generated internally Not stored - When no longer Used for session key Hellman Group 2 (1024 using ANSI X9.31 Volatile used by the module agreement ­ public key pair bits) or Group 5 PRNG during SSH memory only or reboot key sent to client (1536 bits) sessions (plaintext) SSH DSA 1024 bits Generated internally Not stored - Zeroized by Used for client to public key using ANSI X9.31 Volatile formatting the hard verify SSH traffic PRNG memory only drive (plaintext) SSH DSA 1024 bits Generated internally Not stored - Zeroized by Used for server to private key using ANSI X9.31 Volatile formatting the hard sign SSH traffic PRNG memory only drive (plaintext) Nortel VPN Router 1010, 1050, and 1100 Page 14 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Key Key Type Generation / Input Storage Zeroization Use SSH 128-bit AES Diffie-Hellman key Not stored - Upon session Encrypt and decrypt Session key agreement, Group 2 or Volatile termination or when SSH traffic Key Group 5 memory only a new key is (plaintext) generated (after a certain timeout) IPsec AES (128, 256 Negotiated during IKE Not stored - in Zeroized when not Used to Session bits) using Diffie-Hellman volatile needed or when encrypt/decrypt/MAC Keys Triple-DES key agreement memory only the module reboots tunnel traffic (168 bits), (plaintext) HMAC-SHA-1 keys (160 bits) TLS AES (128, 256 Negotiated during TLS Not stored - in Zeroized when not Used to Session bits) session establishment. volatile needed or when encrypt/decrypt/MAC Keys Triple-DES memory only in the module reboots the TLS session (168 bits), plaintext HMAC-SHA-1 keys (160 bits) RADIUS Alphanumeric Entered into module Non-volatile Zeroized when the Used to authenticate shared string (8 -32 over an console port, memory RADIUS server RADIUS server secret characters) TLS or IPsec session (internal LDAP setup is deleted database ­ plaintext) 1.7 Self-Tests The VPN Router 1010, 1050, and 1100 performs the following self-tests at power-up: · Firmware integrity check: Verifying the integrity of the firmware binaries of the module using a DES MAC error detection code. · AES Known Answer Test (KAT): Verifying the correct operation of the AES algorithm implementations. · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementations. · RSA sign/verify test: Verifying the correct operation of the RSA implementations. · DSA sign/verify test: Verifying the correct operation of the DSA implementation. · SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementations. · HMAC-SHA-1 KAT: Verifying the correct operation of the HMAC-SHA-1 algorithm implementations. · FIPS 186-2 PRNG KAT: Verifying the correct operation of the FIPS 186-2 PRNG implementations. · ANSI X9.31 PRNG KAT: Verifying the correct operation of the ANSI X9.31 PRNG implementations. The VPN Router 1010, 1050, and 1100 perform the following conditional self-tests: · Continuous test for the FIPS 186-2 PRNG: Verifying the correct operation of the FIPS 186-2 algorithm implementation. · Continuous test for the entropy gathering RNG: Verifying the correct operation of the seeding mechanism for the FIPS 182-2 PRNG. · Continuous test for the ANSI X9.31 PRNG: Verifying the correct operation of the ANSI X9.31 algorithm implementation. · Continuous test for the non-approved RNG: Verifying the correct operation of the seeding mechanism for the ANSI X9.31 PRNG. · RSA sign/verify pair-wise consistency test: Verifying that a newly generated RSA key pair works properly. · DSA sign/verify pair-wise consistency test: Verifying that a newly generated DSA key pair works properly. Nortel VPN Router 1010, 1050, and 1100 Page 15 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 If any of the self-tests fail the module enters an error state, logs the error to the event log, forces a controlled crash and then reboots itself 1.8 Mitigation of Other Attacks This section is not applicable. The modules do not claim to mitigate any attacks beyond the FIPS 140-2 level 2 requirements for this validation. Nortel VPN Router 1010, 1050, and 1100 Page 16 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 2 Secure Operation The Nortel VPN Router 1010, 1050, and 1100 meets Level 1 requirements for all sections of FIPS 140-2 except Section 3 ­ Roles, Services, and Authentication and Section 10 ­ Design Assurance, which meet the Level 2 requirements. The sections below describe how to place and keep the module in the FIPS-approved mode of operation. 2.1 Initial Setup Before enabling the FIPS mode, tamper-evident labels and the tamper-evident shields (included in the FIPS kit) must be applied to the VPN Router enclosures as shown in the following sections. 2.1.1 Applying Tamper-Evident Labels To provide evidence of tampering, the Nortel VPN Router 1010, 1050, and 1100 requires the use of tamper-evident labels. See Figure 6. Figure 6 ­ Tamper-Evident Label Placement 2.2 Crypto Officer Guidance The Crypto Officer is the administrator for the router and does the initial setup and maintenance. 2.2.1 Initialization The modules are shipped with a default administrator ID and password. The FIPS mode of operation can be enabled from the CLI or web GUI. In CLI, use "fips enable" to enable the FIPS mode and use "no fips" to disable the FIPS mode. In GUI, the FIPS configuration is on the Services Available page. Figure 7 - FIPS Mode Configuration When FIPS mode is enabled, the modules automatically reboot and disable the following features/services. · Debugging scripts are disabled · FTP is disabled on the public interface · Telnet is disabled on the public interface · The `NULL' encryption option is disabled for IPsec services Additionally the Crypto Officer must perform these additional actions to put the modules in a FIPS mode: Nortel VPN Router 1010, 1050, and 1100 Page 17 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 · Change the default administrator password · The Crypto Officer password must be between 8 and 32 characters in length · RADIUS shared secret must be between 8 and 32 characters in length · Maximum number of login attempts must be configured to five · RSA key size of 1024 bits or greater should be used · All cryptographic services (Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F) etc.) that employ Non-FIPS Approved algorithms must be disabled · All access to the web based management interface should be over a TLS session (Secure Hypertext Transfer Protocol or HTTPS) or IPsec VPN Client connection · Use only TLS and enable Ciphers 1 and 2 from services -> ssltls · LDAP and LDAP Proxy must be over a TLS session · The backup interface should be over an IPsec session · Disable DES (56 and 40 bits) · Do not perform any firmware upgrades At this point, the module must be rebooted to enable all of the changes. Upon reboot, initialization of the module in FIPS mode is complete and the module is now configured securely. 2.2.2 Management The Crypto Officer must be sure to only configure cryptographic services for the module using the FIPS Approved algorithms, as listed in the Cryptographic Key Management section above. IPsec and TLS must only be configured to use FIPS Approved cipher suites, and only digital certificates generated with FIPS Approved algorithms may be utilized. RSA key size must be a minimum of 1024 bits in length. Do not perform any firmware upgrades. When transitioning the modules from Non-FIPS mode to FIPS mode, the Crypto Officer should ensure that the module is running only the Nortel supplied FIPS 140-2 validated firmware. 2.2.3 Zeroization At the end of its life cycle or when taking the modules out of FIPS mode, the modules must be fully zeroized to protect CSPs. When switching between FIPS and non-FIPS mode the module automatically reboots, zeroizing all the CSPs. The Crypto Officer must wait until the modules have successfully rebooted in order to verify that zeroization has completed. 2.3 User Guidance The User does not have the ability to configure sensitive information on the modules, with the exception of their password. The User must be diligent to pick strong passwords (alphanumeric with minimum 8 characters or greater), and must not reveal their password to anyone. Additionally, the User should be careful to protect any secret/private keys in their possession, such as IPsec session keys. Nortel VPN Router 1010, 1050, and 1100 Page 18 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 3 Acronyms Table 9 - Acronyms Acronym Definition ADSL Asymmetrical Digital Subscriber Line AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface CBC Cipher Block Chaining CLI Command Line Interface CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CSU Channel Service Unit DES Data Encryption Standard DSA Digital Signature Algorithm DSU Data Service Unit EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FTP File Transfer Protocol GUI Graphical User Interface HMAC (Keyed-) Hash MAC HSSI High Speed Serial Interface HTTPS Secure Hypertext Transfer Protocol IKE Internet Key Exchange IP Internet Protocol IPsec IP Security ISDN Integrated Services Digital Network KAT Known Answer Test L2F Layer 2 Forwarding L2TP Layer 2 Tunneling Protocol LAN Local Access Network LDAP Lightweight Directory Access Protocol LED Light Emitting Diode MAC Message Authentication Code N/A Not Applicable NIST National Institute of Standards and Technology Nortel VPN Router 1010, 1050, and 1100 Page 19 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.8 October 27, 2008 Acronym Definition PCI Peripheral Component Interconnect PKCS Public Key Cryptography Standards PPTP Point-to-Point Tunneling Protocol PRNG Pseudo Random Number Generator RADIUS Remote Authentication Dial-In User Service RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir, and Adleman SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SSH Secure Shell TLS Transport Layer Security WAN Wide Access Network VPN Virtual Private Network Nortel VPN Router 1010, 1050, and 1100 Page 20 of 20 © 2008 Nortel Networks This document may be freely reproduced and distributed whole and intact including this copyright notice.