RSA BSAFE® Crypto-C Micro Edition
Security Policy
Version 3.0.0.1
January 14, 2009

Strong encryption technology for C/C++ developers

Contact Information
See our Web sites for regional Customer Support telephone and fax numbers.
RSA Security Inc.
RSA Security Ireland Limited

Trademarks
ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Confidence Inspired, eTitlement, IntelliAccess, Keon, RC2, RC4, RC5, RSA, the RSA logo, RSA Secured, the RSA Secured logo, RSA Security, SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in eSecurity, Transaction Authority, and Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License Agreement
This software and the associated documentation are proprietary and confidential to RSA Security Inc., are furnished under license and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright below. This software and any copies thereof may not be provided or otherwise made available to any other person. Neither this software nor any copies thereof may be provided to or otherwise made available to any third party. No title to or ownership of the software or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA Security Inc.

Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import or export of encryption technologies and current use, import and export regulations should be followed when exporting this product.
Distribution
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

RSA Security Inc. Notice
The RC5® Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600. Efficient field multiplication in a normal basis is protected by U.S. Patent #6,389,442. Compaq MultiPrime™ technology is protected by U.S. Patent #5,848,159 and is the subject of patent applications in other countries. Other trademarks in this document are held by their respective owners.

© 2008 RSA Security Inc. All rights reserved.
Published January 14, 2009

Table of Contents
1 Introduction ..... 4
  1.1 References ..... 4
  1.2 Document Organization ..... 4
2 Crypto-C ME Cryptographic Toolkit ..... 5
  2.1 Cryptographic Module ..... 5
    2.1.1 Configuring Single User Mode ..... 6
  2.2 Crypto-C ME Interfaces ..... 7
  2.3 Roles and Services ..... 8
    2.3.1 Officer Role ..... 8
    2.3.2 User Role ..... 8
  2.4 Cryptographic Key Management ..... 8
    2.4.1 Key Generation ..... 8
    2.4.2 Key Storage ..... 9
    2.4.3 Key Access ..... 10
    2.4.4 Key Protection/Zeroization ..... 10
  2.5 Cryptographic Algorithms ..... 11
  2.6 Self-tests ..... 12
    2.6.1 Power-up Self-test ..... 12
    2.6.2 Conditional Self-tests ..... 13
    2.6.3 Critical Functions Tests ..... 13
    2.6.4 Mitigation of Other Attacks ..... 13
3 Secure Operation of Crypto-C ME ..... 14
  3.1 Crypto Officer and User Guidance ..... 14
  3.2 Roles ..... 14
  3.3 Modes of Operation ..... 15
  3.4 Operating Crypto-C ME ..... 16
  3.5 Startup Self-tests ..... 17
  3.6 Random Number Generator ..... 17
    3.6.1 PRNG Seeding ..... 17
4 Services ..... 18
5 Acronyms and Definitions ..... 22
6 Contacting RSA ..... 25
  6.1 Support and Service ..... 25
  6.2 Feedback ..... 25

1 Introduction

This is a non-proprietary RSA cryptographic module security policy. This security policy describes how RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) meets the security requirements of FIPS 140-2, and how to securely operate Crypto-C ME in a FIPS 140-2-compliant manner. This policy is prepared as part of the FIPS 140-2 Level 1 validation of Crypto-C ME.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the United States Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST Web site at http://csrc.nist.gov/cryptval/.

1.1 References

This document deals only with the operations and capabilities of Crypto-C ME in the technical terms of a FIPS 140-2 cryptographic module security policy. More information about Crypto-C ME and the entire RSA BSAFE product line is available from the following resources:
· Information on the full line of RSA products and services is available at http://www.rsa.com/.
· RSA BSAFE product overviews are available at http://www.rsa.com/node.asp?id=1204.
· Answers to technical or sales related questions are available at http://www.rsasecurity.com./node.asp?id=1067.

1.2 Document Organization

This document explains the Crypto-C ME FIPS 140-2 relevant features and functionality. This document consists of the following sections:
· This section, Introduction, provides an overview and introduction to the Security Policy.
· Crypto-C ME Cryptographic Toolkit on page 5 describes Crypto-C ME and how it meets FIPS 140-2 requirements.
· Secure Operation of Crypto-C ME on page 14 specifically addresses the required configuration for the FIPS 140-2 mode of operation.
· Services on page 18 lists all of the functions of Crypto-C ME.
· Acronyms and Definitions on page 22 lists the acronyms and definitions used in this document.
2 Crypto-C ME Cryptographic Toolkit

The Crypto-C ME software development toolkit enables developers to incorporate cryptographic technologies into applications. Crypto-C ME security software is designed to help protect sensitive data as it is stored, using strong encryption techniques that ease integration with existing data models. Using the capabilities of Crypto-C ME software in applications helps provide a persistent level of protection for data, lessening the risk of internal, as well as external, compromise.

The features of Crypto-C ME include the ability to optimize code for different processors, and specific speed or size requirements. Assembly-level optimizations on key processors mean that Crypto-C ME algorithms can be used at increased speeds on many platforms.

Crypto-C ME offers a full set of cryptographic algorithms including public-key (asymmetric) algorithms, symmetric (secret key) block and stream ciphers, message digests, message authentication, and Pseudo Random Number Generator (PRNG) support. Developers can implement the full suite of algorithms through a single Application Programming Interface (API) or select a specific set of algorithms to reduce code size or meet performance requirements.

Note: When operating in a FIPS 140-2-approved manner, the set of algorithm implementations is not customizable.

2.1 Cryptographic Module

Crypto-C ME is classified as a multi-chip standalone cryptographic module for the purposes of FIPS 140-2. As such, Crypto-C ME must be tested on a specific operating system and computer platform. The cryptographic boundary includes Crypto-C ME running on selected platforms running selected operating systems while configured in single user mode. Crypto-C ME was validated as meeting all FIPS 140-2 Level 1 security requirements, including cryptographic key management and operating system requirements.
Crypto-C ME is packaged as a set of dynamically loaded modules or shared library files that contain the module's entire executable code. The Crypto-C ME toolkit relies on the physical security provided by the host PC in which it runs.

For FIPS 140-2 validation, Crypto-C ME is tested on the following platforms:
· Red Hat® Enterprise Linux® AS 4.0, x86 (32-bit), built with LSB 3.0.3 and gcc 3.4.6.
· Microsoft®:
  o Windows® XP Professional SP2, x86 (32-bit), built with Visual Studio 2005 SP1 using the /MT option [1].
  o Windows Vista® Ultimate, x86 (32-bit), built with Visual Studio 2005 SP1 using the /MD option.

[1] The /MT compiler option causes the application to use the multithread, static version of the runtime library (libcmt.lib), while /MD causes the application to use the multithread and DLL-specific version of the runtime library (msvcrt.lib/msvcr80.dll). For more information, see http://msdn.microsoft.com/en-us/library/2kzt1wy3.aspx.

Note: Compliance is maintained on all of the above platforms for which the binary executable remains unchanged. For resolution of the Multi User modes issue, see the NIST document, Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, located at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.

2.1.1 Configuring Single User Mode

This section describes how to configure single user mode for the different operating system platforms supported by Crypto-C ME.

2.1.1.1 Red Hat Linux

To configure single user mode for systems running a Red Hat Linux operating system:
1. Log in as the root user.
2. Edit /etc/passwd and /etc/shadow to remove all the users except root and the pseudo-users (daemon users). Make sure the password fields in /etc/shadow for the pseudo-users are either a star (*) or double exclamation mark (!!). This prevents login as the pseudo-users.
3. Edit /etc/nsswitch.conf so that files is the only option for passwd, group, and shadow.
   This disables the Network Information Service (NIS) and other name services for users and groups.
4. In the /etc/xinetd.d directory, edit rexec, rlogin, rsh, rsync, telnet, and wu-ftpd, setting the value of disable to yes.
5. Reboot the system for the changes to take effect.

2.1.1.2 Microsoft Windows

To configure single user mode for systems running a Microsoft Windows XP Professional SP2, Windows 2003 Server, and Windows Vista Ultimate operating system, guest accounts, server services, terminal services, remote registry services, remote desktop services, and remote assistance must be disabled. For detailed instructions on how to perform these tasks, see the Microsoft support site.

2.2 Crypto-C ME Interfaces

Crypto-C ME is evaluated as a multi-chip, standalone module. The physical cryptographic boundary of the module is the case of the general-purpose computer or mobile device, which encloses the hardware running the module. The physical interfaces for Crypto-C ME consist of the keyboard, mouse, monitor, CD-ROM drive, floppy drive, serial ports, USB ports, COM ports, and network adapter(s).

The logical boundary of the cryptographic module is the set of library files (cryptocme2.dll, ccme_base.dll, ccme_ecc.dll, ccme_eccaccel.dll, and ccme_eccnistaccel.dll for a Windows operating system, or libcryptocme2.so, libccme_base.so, libccme_ecc.so, libccme_eccaccel.so, and libccme_eccnistaccel.so for a Linux operating system) and the signature file that make up the module. The underlying logical interface to Crypto-C ME is the API, documented in the RSA BSAFE Crypto-C ME 3.0 Developer's Guide. Crypto-C ME provides for Control Input through the API calls. Data Input and Output are provided in the variables passed with the API calls, and Status Output is provided through the returns and error codes that are documented for each call. This is illustrated in the following diagram.

Figure 1.
Crypto-C ME Logical Interfaces

2.3 Roles and Services

Crypto-C ME meets all FIPS 140-2 Level 1 requirements for roles and services, implementing both a User (User) role and Officer (CO) role. As allowed by FIPS 140-2, Crypto-C ME does not support user identification or authentication for these roles. Only one role can be active at a time and Crypto-C ME does not allow concurrent operators. The following table describes the services accessible by the two roles.

Table 1. Crypto-C ME Roles and Services
Role | Services
Officer | The Officer has access to a superset of the services that are available to the User. The Officer role can also invoke the full set of self-tests inside the module.
User | The User can perform general security functions, as described in the RSA BSAFE Crypto-C Micro Edition Developer's Guide. The User can also call specific FIPS 140-2 module functions as defined in the Developer's Guide.

2.3.1 Officer Role

An operator assuming the Officer role can call any Crypto-C ME function. The complete list of the functionality available to the Officer is outlined in Services on page 18.

2.3.2 User Role

An operator assuming the User role can use the entire Crypto-C ME API except for R_FIPS140_self_test_full(), which is reserved for the Officer. The complete list of Crypto-C ME functions is outlined in Services on page 18.

2.4 Cryptographic Key Management

Cryptographic key management is concerned with generating and storing keys, managing access to keys, protecting keys during use, and zeroizing keys when they are no longer required.

2.4.1 Key Generation

Crypto-C ME supports generation of DSA, RSA, Diffie-Hellman (DH) and Elliptic Curve Cryptography (ECC) public and private keys.
Also, Crypto-C ME uses a FIPS 186-2-compliant random number generator as well as a Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) and HMAC DRBG in the generation of asymmetric and symmetric keys used in algorithms such as AES, Triple-DES, RSA, DSA, Diffie-Hellman, ECC, and HMAC.

2.4.2 Key Storage

Crypto-C ME does not provide long-term cryptographic key storage. If a user chooses to store keys, the user is responsible for storing keys exported from the module. The following table lists all keys and critical security parameters (CSPs) in the module and where they are stored.

Table 2. Key Storage
Key or CSP | Storage
Hardcoded DSA public key | Persistent storage embedded in the module binary (encrypted).
Hardcoded AES key | Persistent storage embedded in the module binary (plaintext).
AES keys | Volatile memory only (plaintext).
Triple-DES keys | Volatile memory only (plaintext).
HMAC with SHA-1 and SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) keys | Volatile memory only (plaintext).
Diffie-Hellman public/private keys | Volatile memory only (plaintext).
ECC public/private keys | Volatile memory only (plaintext).
RSA public/private keys | Volatile memory only (plaintext).
DSA public/private keys | Volatile memory only (plaintext).
FIPS 186-2 seed | Volatile memory only (plaintext).
FIPS 186-2 key | Volatile memory only (plaintext).
EC DRBG entropy | Volatile memory only (plaintext).
EC DRBG S value | Volatile memory only (plaintext).
EC DRBG init_seed | Volatile memory only (plaintext).
HMAC DRBG entropy | Volatile memory only (plaintext).
HMAC DRBG V value | Volatile memory only (plaintext).
HMAC DRBG key | Volatile memory only (plaintext).
HMAC DRBG init_seed | Volatile memory only (plaintext).

2.4.3 Key Access

An authorized operator of the module has access to all key data created during Crypto-C ME operation.
Note: The User and Officer roles have equal and complete access to all keys.

The following table lists the different services provided by the toolkit with the type of access to keys or CSPs.

Table 3. Key and CSP Access
Service | Key or CSP | Type of Access
Encryption and decryption | Symmetric keys (AES, Triple-DES) | Read/Execute
Digital signature and verification | Asymmetric keys (DSA, RSA, ECDSA) | Read/Execute
Hashing | None | N/A
MAC | HMAC keys | Read/Execute
Random number generation | FIPS 186-2 seed and key; HMAC DRBG entropy, V, key, and init_seed; EC DRBG entropy, S, and init_seed | Read/Write/Execute
Key generation | Symmetric keys (AES, Triple-DES); Asymmetric keys (DSA, ECDSA, RSA, DH, ECDH); MAC keys (HMAC) | Write
Key establishment primitives | Asymmetric keys (RSA, DH, ECDH) | Read/Execute
Self-test (Crypto Officer service) | Hardcoded keys (DSA and AES) | Read/Execute
Show status | None | N/A
Zeroization | All | Read/Write

2.4.4 Key Protection/Zeroization

All key data resides in internally allocated data structures and can be output only using the Crypto-C ME API. The operating system protects memory and process space from unauthorized access. The operator should follow the steps outlined in the RSA BSAFE Crypto-C Micro Edition Developer's Guide to ensure sensitive data is protected by zeroizing the data from memory when it is no longer needed.

2.5 Cryptographic Algorithms

Crypto-C ME supports a wide variety of cryptographic algorithms. To achieve compliance with the FIPS 140-2 standard, only FIPS 140-2-approved or allowed algorithms can be used in an approved mode of operation. The following table lists the FIPS 140-2-approved algorithms supported by Crypto-C ME.

Table 4. Crypto-C ME FIPS 140-2-approved Algorithms
Algorithm | Validation Certificate
AES ECB, CBC, CFB, OFB, CTR, and CCM (all modes 128, 192, and 256-bit key sizes). | 860
AES GCM and GMAC (all modes 128, 192, and 256-bit key sizes). | Vendor affirmed.
Triple-DES ECB, CBC, CFB (64-bit), and OFB. | 707
Diffie-Hellman, EC-Diffie-Hellman, and EC-Diffie-Hellman with Components. | Non-approved (Allowed in FIPS 140-2 mode).
DSA. | 311
ECDSA. | 98 and 100
FIPS 186-2 Pseudo Random Number Generator (PRNG), Change Notice 1, with and without the mod q step. | 492
Dual EC DRBG and HMAC-DRBG. | 4
RSA X9.31, PKCS#1 V.1.5, and PKCS#1 V.2.1 (SHA-256, PSS). | 412
RSA encrypt and decrypt. | Non-approved (Allowed in FIPS 140-2 mode for key transport).
SHA-1. | 855
SHA-224, 256, 384, and 512. | 855
HMAC-SHA1, SHA224, SHA256, SHA384, and SHA512. | 477

The following algorithms are not FIPS 140-2-approved:
· DES
· MD2
· MD5
· HMAC MD5
· DES40
· RC2
· RC4
· RC5
· ECAES
· ECIES
· PBKDF1 SHA1
· PBKDF2 HMAC SHA1, SHA224, SHA256, SHA384, and SHA512
· RSA PKCS#1 V.2.0 (OAEP)
· Entropy RNG
· OTP RNG.

For more information about using Crypto-C ME in a FIPS 140-2-compliant manner, see Secure Operation of Crypto-C ME on page 14.

2.6 Self-tests

Crypto-C ME performs a number of power-up and conditional self-tests to ensure proper operation. If the power-up self-test fails, the toolkit is disabled and the operation fails. If the ECC provider self-test fails, the provider libraries (ccme_base.dll, ccme_ecc.dll, and ccme_eccaccel.dll for a Windows operating system, or libccme_base.so, libccme_ecc.so, and libccme_eccaccel.so for a Linux operating system) are disabled and the operation fails. The toolkit can only leave the disabled state by reloading the FIPS 140-2 module. If the conditional self-test fails, the operation fails but the toolkit is not disabled.
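The Continuous Random Number Generation (CRNG) test that section 2.6.2 lists among the conditional self-tests is simple enough to show in full. The following is an added example, not Crypto-C ME code: each 16-byte output block is compared with the block produced immediately before it, a repeat is rejected and counted, and the generator object stays usable afterwards, which is the behaviour the paragraph above describes for a conditional self-test failure. The generator is reached through a callback, so a constructed "stuck" source (a fixed block) can be substituted for a live one; the xorshift source is a toy stand-in and not a cryptographic generator.

```c
/* Added example, not Crypto-C ME code: the Continuous Random Number
 * Generation test from section 2.6.2 as a wrapper around any byte source.
 * A block equal to its predecessor fails the request, but the generator is
 * not disabled, matching the page's rule for conditional self-tests. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRNG_BLOCK 16   /* compare whole 16-byte output blocks */

typedef int (*rng_source_fn)(void *ctx, uint8_t *out, size_t len);

typedef struct {
    rng_source_fn source;
    void *ctx;
    uint8_t last[CRNG_BLOCK];
    int primed;          /* the first block after initialisation is only stored */
    unsigned failures;
} crng_t;

void crng_init(crng_t *c, rng_source_fn source, void *ctx)
{
    memset(c, 0, sizeof *c);
    c->source = source;
    c->ctx = ctx;
}

/* Fills out[0..len).  Returns 0 on success, -1 if the source failed, -2 if a
 * block equalled its predecessor; on -2 none of the repeated block is released. */
int crng_generate(crng_t *c, uint8_t *out, size_t len)
{
    size_t done = 0;
    while (done < len) {
        uint8_t block[CRNG_BLOCK];
        if (c->source(c->ctx, block, CRNG_BLOCK) != 0) return -1;
        if (c->primed && memcmp(block, c->last, CRNG_BLOCK) == 0) {
            c->failures++;
            return -2;
        }
        memcpy(c->last, block, CRNG_BLOCK);
        c->primed = 1;
        size_t n = len - done < CRNG_BLOCK ? len - done : CRNG_BLOCK;
        memcpy(out + done, block, n);
        done += n;
    }
    return 0;
}

/* Constructed sources.  xorshift64 is NOT a cryptographic generator; it only
 * stands in for a live DRBG so the example runs offline. */
static int xorshift_source(void *ctx, uint8_t *out, size_t len)
{
    uint64_t *s = ctx;
    for (size_t i = 0; i < len; i++) {
        *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
        out[i] = (uint8_t)*s;
    }
    return 0;
}

/* A stuck source that always returns the same block, as a failed hardware
 * RNG or a DRBG restored from a cloned state would. */
static int stuck_source(void *ctx, uint8_t *out, size_t len)
{
    (void)ctx;
    memset(out, 0xA5, len);
    return 0;
}

/* Requests `rounds` blocks from a source and reports how many were rejected. */
static unsigned failures_after(rng_source_fn src, void *ctx, int rounds)
{
    crng_t c;
    uint8_t buf[CRNG_BLOCK];
    crng_init(&c, src, ctx);
    for (int i = 0; i < rounds; i++) (void)crng_generate(&c, buf, sizeof buf);
    return c.failures;
}

unsigned live_source_failures(int rounds)
{
    uint64_t seed = 0x9E3779B97F4A7C15ULL;   /* constructed seed */
    return failures_after(xorshift_source, &seed, rounds);
}

unsigned stuck_source_failures(int rounds) { return failures_after(stuck_source, NULL, rounds); }

int main(void)
{
    printf("live source: %u rejected of 1000 blocks\n", live_source_failures(1000));
    printf("stuck source: %u rejected of 10 blocks\n", stuck_source_failures(10));
    return 0;
}
```

The first block after initialisation is stored but not compared, so a stuck source is caught from its second block onwards; the test is run on the raw generator output before any of it is handed to the caller, which is the only placement at which it can prevent a repeated block from reaching key generation.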
2.6.1 Power-up Self-test

Crypto-C ME implements the following power-up self-tests:
· AES, AES CCM, AES GCM, and AES GMAC Known Answer Tests (KATs)
· DES and Triple-DES KATs
· SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 KATs
· HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512 KATs
· RSA sign/verify test
· DSA sign/verify test
· DH, ECDH, and ECDH with components conditional test
· ECDSA sign/verify test
· PRNG (FIPS 186-2, Dual EC DRBG, and HMAC-DRBG) KATs
· Software integrity test.

Power-up self-tests are executed automatically when Crypto-C ME is loaded into memory.

2.6.2 Conditional Self-tests

Crypto-C ME performs two conditional self-tests:
· A pairwise consistency test each time Crypto-C ME generates a DSA, RSA, or EC public/private key pair.
· A Continuous Random Number Generation (CRNG) test each time the toolkit produces random data, as per the FIPS 186-2 standard. The CRNG test is performed on all approved and non-approved RNGs.

2.6.3 Critical Functions Tests

Depending on operating mode, Crypto-C ME performs the following known answer tests:
· In R_FIPS140_MODE_FIPS140_SSL mode, Crypto-C ME performs a known answer test for MD5 and HMAC-MD5.
· In R_FIPS140_MODE_FIPS140_ECC mode, Crypto-C ME performs a known answer test for ECAES and ECIES.
· In R_FIPS140_MODE_SSL_ECC mode, a known answer test is performed for MD5, HMAC-MD5, ECAES, and ECIES.

2.6.4 Mitigation of Other Attacks

RSA key operations implement blinding, a reversible way of modifying the input data, so as to make the RSA operation immune to timing attacks. Blinding has no effect on the algorithm other than to mitigate attacks on the algorithm. Blinding is implemented through blinding modes, and the following options are available:
· Blinding mode off.
· Blinding mode with no update, where the blinding value is constant for each operation.
· Blinding mode with full update, where a new blinding value is used for each operation.

3 Secure Operation of Crypto-C ME

This section provides an overview of how to securely operate Crypto-C ME to be in compliance with the FIPS 140-2 standards.

3.1 Crypto Officer and User Guidance

The Crypto Officer and User must only use algorithms approved for use in a FIPS 140 mode of operation, as listed in Table 4 Crypto-C ME FIPS 140-2-approved Algorithms on page 11. The requirements for using the approved algorithms in a FIPS 140 mode of operation are as follows:
· The bit length for a DSA key pair must be 1024 bits.
· Bit lengths for an RSA key pair must be between 1024 and 4096 bits in multiples of 512.
· Bit lengths for an HMAC key must be between 80 and 4096 bits.
· EC key pairs must have named curve domain parameters from the set of NIST-recommended named curves (P-192, P-224, P-256, P-384, P-521, B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571). The module limits possible curves for Dual EC DRBG to P-256, P-384, and P-521 in accordance with SP 800-90.
· When using RSA for key wrapping, the strength of the methodology is between 80 and 150 bits of security.
· The Diffie-Hellman shared secret provides between 80 and 150 bits of encryption strength.
· EC Diffie-Hellman primitives must use curve domain parameters from the set of NIST-recommended named curves. Using NIST-recommended curves, the computed Diffie-Hellman shared secret provides between 80 and 256 bits of encryption strength.
· When using an approved RNG to generate keys, the requested security strength for the RNG must be at least as great as the security strength of the key being generated.

3.2 Roles

If a user of Crypto-C ME needs to operate the toolkit in different roles, then the user must ensure that all instantiated cryptographic objects are destroyed before changing from the Crypto User role to the Crypto Officer role, or unexpected results could occur.
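The three blinding modes of section 2.6.4 above are easiest to understand by running them side by side. The following is an added example, not Crypto-C ME code: a toy RSA key built from two constructed 16-bit primes (far too small for real use, chosen only so the arithmetic fits in plain 64-bit integers) and a private-key operation that, when blinding is on, exponentiates x * r^e instead of x and removes the factor r from the result with r^-1. The "no update" mode keeps one r for every operation; the "full update" mode draws a fresh r each time. The random source is a toy xorshift, not a cryptographic generator, and the function names are this example's own.

```c
/* Added example, not Crypto-C ME code: RSA blinding as described in
 * section 2.6.4, on a toy 32-bit modulus so it runs with plain integers.
 * (x * r^e)^d = x^d * r^(ed) = x^d * r (mod n), so multiplying by r^-1
 * recovers x^d while the exponentiation never works on the caller's x. */
#include <stdint.h>
#include <stdio.h>

/* a and b are below 2^32, so the product fits in uint64_t. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;
    for (b %= n; e; e >>= 1) { if (e & 1) r = mulmod(r, b, n); b = mulmod(b, b, n); }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b) { while (b) { uint64_t t = a % b; a = b; b = t; } return a; }

/* Extended Euclid; the caller guarantees gcd(a, n) == 1. */
static uint64_t invmod(uint64_t a, uint64_t n)
{
    int64_t t = 0, nt = 1, r = (int64_t)n, nr = (int64_t)(a % n);
    while (nr) { int64_t q = r / nr, tmp = t - q * nt; t = nt; nt = tmp; tmp = r - q * nr; r = nr; nr = tmp; }
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

typedef enum { BLIND_OFF, BLIND_NO_UPDATE, BLIND_FULL_UPDATE } blind_mode_t;

typedef struct {
    uint64_t n, e, d;
    blind_mode_t mode;
    uint64_t r, r_inv;    /* current blinding pair, valid when have_r != 0 */
    int have_r;
    uint64_t prng;        /* toy xorshift64 state, NOT a cryptographic generator */
} rsa_key_t;

static uint64_t toy_rand(uint64_t *s) { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s; }

static void fresh_blinding(rsa_key_t *k)
{
    do { k->r = toy_rand(&k->prng) % k->n; } while (k->r < 2 || gcd64(k->r, k->n) != 1);
    k->r_inv = invmod(k->r, k->n);
    k->have_r = 1;
}

/* Toy key from two constructed 16-bit primes; real keys are far larger. */
rsa_key_t toy_key(blind_mode_t mode)
{
    rsa_key_t k = { 0 };
    uint64_t p = 65521, q = 65519, phi = (p - 1) * (q - 1);
    k.n = p * q; k.e = 65537; k.d = invmod(k.e, phi);
    k.mode = mode; k.prng = 0x9E3779B97F4A7C15ULL;
    return k;
}

/* x^d mod n, blinded according to the key's mode. */
uint64_t rsa_private_op(rsa_key_t *k, uint64_t x)
{
    if (k->mode == BLIND_OFF) return powmod(x, k->d, k->n);
    if (k->mode == BLIND_FULL_UPDATE || !k->have_r) fresh_blinding(k);
    uint64_t xb = mulmod(x, powmod(k->r, k->e, k->n), k->n);   /* blind */
    return mulmod(powmod(xb, k->d, k->n), k->r_inv, k->n);     /* unblind */
}

/* 1 if the private operation on an encryption of m returns m in this mode. */
int roundtrip_ok(blind_mode_t mode, uint64_t m)
{
    rsa_key_t k = toy_key(mode);
    uint64_t c = powmod(m, k.e, k.n);
    return rsa_private_op(&k, c) == m % k.n;
}

/* 1 if the blinding value differs between two consecutive operations. */
int blinding_value_changes(blind_mode_t mode)
{
    rsa_key_t k = toy_key(mode);
    rsa_private_op(&k, 42); uint64_t r1 = k.r;
    rsa_private_op(&k, 42); uint64_t r2 = k.r;
    return r1 != r2;
}

int main(void)
{
    printf("roundtrip off/no-update/full-update: %d %d %d\n",
           roundtrip_ok(BLIND_OFF, 123456789), roundtrip_ok(BLIND_NO_UPDATE, 123456789),
           roundtrip_ok(BLIND_FULL_UPDATE, 123456789));
    printf("blinding value changes: no-update=%d full-update=%d\n",
           blinding_value_changes(BLIND_NO_UPDATE), blinding_value_changes(BLIND_FULL_UPDATE));
    return 0;
}
```

All three modes return the same plaintext, which is the "no effect on the algorithm" property the section states; the difference between the two blinded modes is only whether r is reused, and reusing r gives an observer a fixed relationship between successive timings, which is why the full-update mode is the one that gives the mitigation its full effect.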
The following table lists the roles a user can operate in.

Table 5. Crypto-C ME Roles
Role | Description
R_FIPS140_ROLE_OFFICER | An operator assuming the Crypto Officer role can call any Crypto-C ME function. The complete list of the functionality available to the Crypto Officer is outlined in "Services" on page 18.
R_FIPS140_ROLE_USER | An operator assuming the Crypto User role can use the entire Crypto-C ME API except for R_FIPS140_self_test_full(), which is reserved for the Crypto Officer. The complete list of Crypto-C ME functions is outlined in "Services" on page 18.

3.3 Modes of Operation

The following table lists and describes the available modes of operation.

Table 6. Crypto-C ME Modes of Operation
Mode | Description | FIPS 140-2 status
R_FIPS140_MODE_FIPS140 | Provides the cryptographic algorithms listed in Table 4 Crypto-C ME FIPS 140-2-approved Algorithms on page 11. The default random number generator is the FIPS 186-2 PRNG. This is the Crypto-C ME default mode on start up. | FIPS 140-2-approved.
R_FIPS140_MODE_FIPS140_SSL | Provides the same algorithms as R_FIPS140_MODE_FIPS140, plus the MD5 message digest. This mode can be used in the context of the key establishment phase in the TLSv1 and TLSv1.1 protocol. For more information, see section 7.1 Acceptable Key Establishment Protocols in "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program". The implementation guidance disallows the use of the SSLv2 and SSLv3 versions. Cipher suites that include non-FIPS 140-2-approved algorithms are unavailable. This mode allows implementations of the TLS protocol to operate Crypto-C ME in a FIPS 140-2-compliant manner with the FIPS 186-2 PRNG as the default. | FIPS 140-2-approved if used with TLS protocol implementations.
R_FIPS140_MODE_FIPS140_ECC | Provides the same algorithms as R_FIPS140_MODE_FIPS140, plus ECAES and ECIES. | Not FIPS 140-2-approved.
The random number generator in R_FIPS140_MODE_FIPS140_ECC is the Dual EC DRBG.
R_FIPS140_MODE_FIPS140_SSL_ECC | Provides the same algorithms as R_FIPS140_MODE_FIPS140_SSL, plus ECAES and ECIES. The random number generator in this mode is the Dual EC DRBG. The same restrictions with respect to protocol versions and cipher suites as in R_FIPS140_MODE_FIPS140_SSL apply. | Not FIPS 140-2-approved.
R_FIPS140_MODE_NON_FIPS140 | Allows users to operate Crypto-C ME without any cryptographic algorithm restrictions. | Not FIPS 140-2-approved.
R_FIPS140_MODE_DISABLED | Indicates that the FIPS140 library is disabled, usually due to an internal or caller's usage error. No future transition into other modes is permitted. | Not FIPS 140-2-approved.

In each mode of operation, the complete set of services, which are listed in this Security Policy, are available to both the Crypto Officer and User roles (with the exception of R_FIPS140_self_test_full(), which is always reserved for the Crypto Officer).

Note: Cryptographic keys must not be shared between modes. For example, a key generated in R_FIPS140_MODE_FIPS140 mode must not be shared with an application running in R_FIPS140_MODE_NON_FIPS140 mode.

3.4 Operating Crypto-C ME

Crypto-C ME operates in R_FIPS140_MODE_FIPS140 by default if the Crypto-C ME library is initialized with PRODUCT_DEFAULT_RESOURCE_LIST(). The current Crypto-C ME mode can be determined by calling R_FIPS140_get_mode().

When changing the mode of operation to a FIPS-approved mode, the module must be re-initialized with the appropriate product resource list (PRODUCT_DEFAULT_RESOURCE_LIST() or PRODUCT_FIPS140_SWITCH_RESOURCE_LIST() for R_FIPS140_MODE_FIPS140, or PRODUCT_FIPS140_SSL_SWITCH_RESOURCE_LIST() for R_FIPS140_MODE_FIPS140_SSL). This ensures that the module is reloaded and all power-up self-tests are properly executed.
To change the module to a non-FIPS-approved mode, call R_FIPS140_set_mode() with one of the information identifiers listed in Table 6 Crypto-C ME Modes of Operation on page 15.

Note: R_FIPS140_set_mode() can only be used when changing to a non-FIPS-approved mode.

After setting Crypto-C ME into a FIPS 140-2-approved mode, Crypto-C ME enforces that only the algorithms listed in Table 4 Crypto-C ME FIPS 140-2-approved Algorithms on page 11 are available to operators. To disable FIPS 140-2 mode, call R_FIPS140_set_mode() with the R_FIPS140_MODE_NON_FIPS140 information identifier. R_FIPS140_self_test_full() is restricted to operation by the Crypto Officer.

The user of Crypto-C ME links with the static library for their platform, which loads the Crypto-C ME shared or dynamic link master and provider libraries at runtime. For more information, see FIPS 140-2 Library and Modes of Operation in the RSA BSAFE Crypto-C Micro Edition Developer's Guide.

The current Crypto-C ME role can be determined by calling R_FIPS140_get_role(). The role can be changed by calling R_FIPS140_set_role() with one of the information identifiers listed in Table 5 Crypto-C ME Roles on page 15.

3.5 Startup Self-tests

Crypto-C ME provides the ability to configure when power-up self-tests are executed. To operate Crypto-C ME in a FIPS 140-2-compliant manner, the default shipped configuration, which executes the self-tests when the module is first loaded, must be used. For more information about this configuration setting, see the RSA BSAFE Crypto-C ME Installation Guide.

3.6 Random Number Generator

In FIPS 140-2 modes, Crypto-C ME provides a default RNG. For R_FIPS140_MODE_FIPS140 and R_FIPS140_MODE_FIPS140_SSL, Crypto-C ME provides a FIPS 186-2 PRNG for all operations that require the generation of random numbers. For R_FIPS140_MODE_FIPS140_ECC and R_FIPS140_MODE_FIPS140_SSL_ECC, Crypto-C ME implements a Dual EC DRBG internally.
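The mode rules spread over sections 3.3, 3.4 and 3.6 (which modes are approved, that R_FIPS140_set_mode() only reaches non-approved modes, that an approved mode is re-entered by re-initialising with a resource list so the power-up self-tests run again, that R_FIPS140_MODE_DISABLED permits no further transition, that keys must not cross modes, and which RNG is the default in each mode) are the kind of thing an application should check for itself rather than rely on remembering. The following is an added example, not Crypto-C ME code: a small model of those rules, written as the wrapper an application could keep beside the real calls. The enum names mirror the page's R_FIPS140_MODE_* identifiers but are this model's own, the self-test outcome is passed in as a flag so both paths can be exercised offline, and re-initialisation here stands for the module reload that section 2.6 names as the only way out of the disabled state.

```c
/* Added example, not Crypto-C ME code: a model of the mode-of-operation rules
 * in sections 3.3, 3.4 and 3.6.  Names mirror the page's identifiers; the
 * self-test result is simulated through a flag. */
#include <stdio.h>

typedef enum {
    MODE_FIPS140, MODE_FIPS140_SSL, MODE_FIPS140_ECC, MODE_FIPS140_SSL_ECC,
    MODE_NON_FIPS140, MODE_DISABLED
} ccme_mode_t;

/* Resource lists named in section 3.4 for entering an approved mode. */
typedef enum { RL_DEFAULT, RL_FIPS140_SWITCH, RL_FIPS140_SSL_SWITCH } resource_list_t;

typedef enum { RNG_FIPS186_2_PRNG, RNG_DUAL_EC_DRBG, RNG_UNSPECIFIED } default_rng_t;

typedef struct {
    ccme_mode_t mode;
    unsigned powerup_selftest_runs;   /* incremented on every re-initialisation */
} ccme_model_t;

typedef struct { ccme_mode_t created_in; } model_key_t;

/* Table 6: only the FIPS140 and FIPS140_SSL modes are FIPS 140-2-approved. */
int mode_is_approved(ccme_mode_t m) { return m == MODE_FIPS140 || m == MODE_FIPS140_SSL; }

/* Section 3.6: default RNG per mode; the page names none for the other modes. */
default_rng_t default_rng_for(ccme_mode_t m)
{
    switch (m) {
    case MODE_FIPS140: case MODE_FIPS140_SSL: return RNG_FIPS186_2_PRNG;
    case MODE_FIPS140_ECC: case MODE_FIPS140_SSL_ECC: return RNG_DUAL_EC_DRBG;
    default: return RNG_UNSPECIFIED;
    }
}

/* Re-initialisation (a module reload) runs the power-up self-tests and lands
 * in the approved mode the resource list selects; a self-test failure leaves
 * the module DISABLED.  Returns 0 on success, -1 on failure. */
int model_reinit(ccme_model_t *m, resource_list_t rl, int selftests_pass)
{
    m->powerup_selftest_runs++;
    if (!selftests_pass) { m->mode = MODE_DISABLED; return -1; }
    m->mode = (rl == RL_FIPS140_SSL_SWITCH) ? MODE_FIPS140_SSL : MODE_FIPS140;
    return 0;
}

/* R_FIPS140_set_mode() analogue: only non-approved targets are allowed, and
 * no transition out of DISABLED is permitted.  Returns 0 or -1. */
int model_set_mode(ccme_model_t *m, ccme_mode_t target)
{
    if (m->mode == MODE_DISABLED) return -1;
    if (mode_is_approved(target)) return -1;   /* must re-initialise instead */
    m->mode = target;
    return 0;
}

/* The Note in section 3.3: a key is usable only in the mode it was created in. */
int model_key_usable(const ccme_model_t *m, const model_key_t *k)
{
    return m->mode != MODE_DISABLED && k->created_in == m->mode;
}

/* Walks a representative sequence and returns how many of the seven rule
 * checks behaved as the page describes. */
int model_walkthrough(void)
{
    ccme_model_t m = { MODE_DISABLED, 0 };   /* not yet loaded */
    int ok = 0;
    ok += model_reinit(&m, RL_DEFAULT, 1) == 0 && m.mode == MODE_FIPS140;
    model_key_t key = { m.mode };
    ok += model_key_usable(&m, &key) == 1;
    ok += model_set_mode(&m, MODE_FIPS140_SSL) == -1;           /* approved: refused */
    ok += model_set_mode(&m, MODE_NON_FIPS140) == 0;
    ok += model_key_usable(&m, &key) == 0;                       /* key from another mode */
    ok += model_reinit(&m, RL_FIPS140_SSL_SWITCH, 1) == 0 && m.mode == MODE_FIPS140_SSL
          && m.powerup_selftest_runs == 2;
    ok += model_reinit(&m, RL_DEFAULT, 0) == -1 && model_set_mode(&m, MODE_NON_FIPS140) == -1;
    return ok;
}

int main(void)
{
    printf("rule checks passed: %d of 7\n", model_walkthrough());
    printf("default RNG in FIPS140_ECC mode is Dual EC DRBG: %d\n",
           default_rng_for(MODE_FIPS140_ECC) == RNG_DUAL_EC_DRBG);
    return 0;
}
```

The key tag is the part worth carrying into real code: recording the mode a key object was created in and refusing it under any other mode turns the Note in section 3.3 from guidance into a check that fails loudly before an approved-mode key is ever used by code running without algorithm restrictions.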
In all modes, users can choose to use an approved RNG other than the default RNG, including the FIPS 186-2 PRNG (with or without mod q), Dual EC DRBG, or HMAC DRBG, by creating an RNG object and setting this object against the operation requiring random number generation (for example, key generation). However, when DSA is used, the RNG used internally is always the FIPS 186-2 Change Notice 1 Option 1 with mod q PRNG. This module also includes a non-approved Entropy RNG that is used to generate seed material for the approved PRNGs.

3.6.1 PRNG Seeding

In the FIPS 140-2 validated library, Crypto-C ME implements deterministic random number generators that can be called to generate random data. The quality of the random data output from these RNGs depends on the quality of the supplied seeding (entropy): an attacker who can guess the seed can reproduce every value a deterministic generator derived from it, so the seed must carry at least as much unpredictability as the keys generated from it. Crypto-C ME provides internal entropy collection (for example, from high precision timers) wherever possible, but it is strongly recommended to collect entropy from external sources. This is particularly critical when developing on embedded platforms, where only limited internal entropy sources are available. For more information on seeding PRNGs, see Randomness Recommendations for Security in RFC 1750.

Setting the R_CR_INFO_ID_RAND_ENTROPY_FUNC identifier specifies that additional entropy is available. R_CR_INFO_ID_RAND_ENTROPY_FUNC is set against the R_CR object, which encapsulates the random number generator, and takes a callback function that the random number generator then uses to gather additional entropy if needed. For more information on R_CR_INFO_ID_RAND_ENTROPY_FUNC, see the RSA BSAFE Crypto-C Micro Edition Developers Guide.

4 Services

The following is the list of services provided by Crypto-C ME. For more information about these functions, see the RSA BSAFE Crypto-C Micro Edition Developers Guide.
· BIO_append_filename()
· BIO_clear_flags()
· BIO_clear_retry_flags()
· BIO_copy_next_retry()
· BIO_debug_cb()
· BIO_dump()
· BIO_dump_format()
· BIO_dup_chain()
· BIO_f_buffer()
· BIO_f_null()
· BIO_find_type()
· BIO_flags_to_string()
· BIO_flush()
· BIO_free()
· BIO_free_all()
· BIO_get_cb()
· BIO_get_cb_arg()
· BIO_get_close()
· BIO_get_flags()
· BIO_get_fp()
· BIO_get_retry_BIO()
· BIO_get_retry_flags()
· BIO_get_retry_reason()
· BIO_gets()
· BIO_method_name()
· BIO_method_type()
· BIO_new()
· BIO_new_file()
· BIO_new_fp()
· BIO_new_mem()
· BIO_open_file()
· BIO_pop()
· BIO_print_hex()
· BIO_printf()
· BIO_push()
· BIO_puts()
· BIO_read()
· BIO_read_filename()
· BIO_reference_inc()
· BIO_reset()
· BIO_retry_type()
· BIO_rw_filename()
· BIO_s_file()
· BIO_s_mem()
· BIO_s_null()
· BIO_seek()
· BIO_set_bio_cb()
· BIO_set_cb()
· BIO_set_cb_arg()
· BIO_set_close()
· BIO_set_flags()
· BIO_set_fp()
· BIO_should_io_special()
· BIO_should_read()
· BIO_should_retry()
· BIO_should_write()
· BIO_tell()
· BIO_write()
· BIO_write_filename()
· PRODUCT_DEFAULT_RESOURCE_LIST()
· PRODUCT_FIPS140_ECC_SWITCH_RESOURCE_LIST()
· PRODUCT_FIPS140_SSL_ECC_SWITCH_RESOURCE_LIST()
· PRODUCT_FIPS140_SSL_SWITCH_RESOURCE_LIST()
· PRODUCT_FIPS140_SWITCH_RESOURCE_LIST()
· PRODUCT_LIBRARY_FREE()
· PRODUCT_LIBRARY_INFO()
· PRODUCT_LIBRARY_INFO_TYPE_FROM_STRING()
· PRODUCT_LIBRARY_INFO_TYPE_TO_STRING()
· PRODUCT_LIBRARY_NEW()
· PRODUCT_LIBRARY_VERSION()
· PRODUCT_NON_FIPS140_SWITCH_RESOURCE_LIST()
· R_CR_asym_decrypt()
· R_CR_asym_decrypt_init()
· R_CR_asym_encrypt()
· R_CR_asym_encrypt_init()
· R_CR_CTX_alg_supported()
· R_CR_CTX_free()
· R_CR_CTX_get_info()
· R_CR_CTX_ids_from_sig_id()
· R_CR_CTX_ids_to_sig_id()
· R_CR_CTX_new()
· R_CR_CTX_set_info()
· R_CR_decrypt()
· R_CR_decrypt_final()
· R_CR_decrypt_init()
· R_CR_decrypt_update()
· R_CR_DEFINE_CUSTOM_CIPHER_LIST()
· R_CR_DEFINE_CUSTOM_METHOD_TABLE()
· R_CR_derive_key()
· R_CR_digest()
· R_CR_digest_final()
· R_CR_digest_init()
· R_CR_digest_update()
· R_CR_dup()
· R_CR_encrypt()
· R_CR_encrypt_final()
· R_CR_encrypt_init()
· R_CR_encrypt_update()
· R_CR_free()
· R_CR_generate_key()
· R_CR_generate_key_init()
· R_CR_generate_parameter()
· R_CR_generate_parameter_init()
· R_CR_get_crypto_provider_name()
· R_CR_get_default_imp_method()
· R_CR_get_default_method()
· R_CR_get_default_signature_map()
· R_CR_get_detail()
· R_CR_get_detail_string()
· R_CR_get_detail_string_table()
· R_CR_get_device_handle()
· R_CR_get_error()
· R_CR_get_error_string()
· R_CR_get_file()
· R_CR_get_function()
· R_CR_get_function_string()
· R_CR_get_function_string_table()
· R_CR_get_info()
· R_CR_get_line()
· R_CR_get_reason()
· R_CR_get_reason_string()
· R_CR_get_reason_string_table()
· R_CR_ID_from_string()
· R_CR_ID_sign_to_string()
· R_CR_ID_to_string()
· R_CR_key_exchange_init()
· R_CR_key_exchange_phase_1()
· R_CR_key_exchange_phase_2()
· R_CR_mac()
· R_CR_mac_final()
· R_CR_mac_init()
· R_CR_mac_update()
· R_CR_new()
· R_CR_random_bytes()
· R_CR_random_seed()
· R_CR_RES_CRYPTO_CUSTOM_METHOD()
· R_CR_set_info()
· R_CR_sign()
· R_CR_sign_final()
· R_CR_sign_init()
· R_CR_sign_update()
· R_CR_SUB_from_string()
· R_CR_SUB_to_string()
· R_CR_TYPE_from_string()
· R_CR_TYPE_to_string()
· R_CR_verify()
· R_CR_verify_final()
· R_CR_verify_init()
· R_CR_verify_mac()
· R_CR_verify_mac_final()
· R_CR_verify_mac_init()
· R_CR_verify_mac_update()
· R_CR_verify_update()
· R_ERROR_EXIT_CODE()
· R_FIPS140_free()
· R_FIPS140_get_default()
· R_FIPS140_get_failure_reason()
· R_FIPS140_get_failure_reason_string()
· R_FIPS140_get_info()
· R_FIPS140_get_interface_version()
· R_FIPS140_get_mode()
· R_FIPS140_get_role()
· R_FIPS140_get_supported_interfaces()
· R_FIPS140_library_free()
· R_FIPS140_library_init()
· R_FIPS140_load_module()
· R_FIPS140_MODE_from_string()
· R_FIPS140_MODE_to_string()
· R_FIPS140_new()
· R_FIPS140_RESULT_from_string()
· R_FIPS140_RESULT_to_string()
· R_FIPS140_ROLE_from_string()
· R_FIPS140_ROLE_to_string()
· R_FIPS140_self_tests_full()
· R_FIPS140_self_tests_short()
· R_FIPS140_set_info()
· R_FIPS140_set_interface_version()
· R_FIPS140_set_mode()
· R_FIPS140_set_role()
· R_FIPS140_STATE_from_string()
· R_FIPS140_STATE_to_string()
· R_FIPS140_unload_module()
· R_FORMAT_from_string()
· R_FORMAT_to_string()
· R_free()
· R_get_mem_functions()
· R_HW_CTX_build_device_handle_list()
· R_HW_CTX_free()
· R_HW_CTX_get_device_handle_list()
· R_HW_CTX_get_device_handle_list_count()
· R_HW_CTX_get_device_handle_list_handle()
· R_HW_CTX_get_info()
· R_HW_CTX_iterate_devices()
· R_HW_CTX_new()
· R_HW_CTX_probe_devices()
· R_HW_CTX_set_info()
· R_HW_DEV_get_device_driver_id()
· R_HW_DEV_get_device_name()
· R_HW_DEV_get_device_number()
· R_HW_DEV_get_info()
· R_HW_DEV_is_equal()
· R_HW_DEV_set_info()
· R_HW_DRIVER_free()
· R_HW_DRIVER_get_info()
· R_HW_DRIVER_load_devices()
· R_HW_DRIVER_new()
· R_HW_DRIVER_probe_devices()
· R_HW_DRIVER_set_info()
· R_HW_OBJ_dup()
· R_HW_OBJ_free()
· R_HW_OBJ_get_info()
· R_HW_OBJ_init()
· R_HW_OBJ_new()
· R_HW_OBJ_set_info()
· R_HW_SEARCH_eof()
· R_HW_SEARCH_free()
· R_HW_SEARCH_get_locate_count()
· R_HW_SEARCH_locate()
· R_HW_SEARCH_new()
· R_HW_SEARCH_next()
· R_HW_SEARCH_set_browse()
· R_LIB_CTX_free()
· R_LIB_CTX_get_detail_string()
· R_LIB_CTX_get_error_string()
· R_LIB_CTX_get_function_string()
· R_LIB_CTX_get_info()
· R_LIB_CTX_get_reason_string()
· R_LIB_CTX_new()
· R_LIB_CTX_set_info()
· R_lock_ctrl()
· R_lock_get_cb()
· R_lock_get_name()
· R_lock_num()
· R_lock_r()
· R_lock_set_c()
· R_lock_w()
· R_locked_add()
· R_locked_add_get_cb()
· R_locked_add_set_cb()
· R_lockid_new()
· R_lockids_free()
· R_malloc()
· R_PKEY_cmp()
· R_PKEY_CTX_free()
· R_PKEY_CTX_get_info()
· R_PKEY_CTX_get_LIB_CTX()
· R_PKEY_CTX_new()
· R_PKEY_CTX_set_info()
· R_PKEY_decode_pkcs8()
· R_PKEY_delete_device()
· R_PKEY_encode_pkcs8()
· R_PKEY_FORMAT_from_string()
· R_PKEY_FORMAT_to_string()
· R_PKEY_free()
· R_PKEY_from_binary()
· R_PKEY_from_bio()
· R_PKEY_from_file()
· R_PKEY_from_public_key_binary()
· R_PKEY_get_handle()
· R_PKEY_get_info()
· R_PKEY_get_num_bits()
· R_PKEY_get_num_primes()
· R_PKEY_get_PKEY_CTX()
· R_PKEY_get_private_handle()
· R_PKEY_get_public_handle()
· R_PKEY_get_purpose()
· R_PKEY_get_type()
· R_PKEY_iterate_fields()
· R_PKEY_METHOD_free()
· R_PKEY_METHOD_get_flag()
· R_PKEY_METHOD_get_name()
· R_PKEY_METHOD_get_type()
· R_PKEY_new()
· R_PKEY_PASSWORD_TYPE_from_string()
· R_PKEY_PASSWORD_TYPE_to_string()
· R_PKEY_pk_method()
· R_PKEY_print()
· R_PKEY_public_cmp()
· R_PKEY_public_to_bio()
· R_PKEY_public_to_file()
· R_PKEY_read_device()
· R_PKEY_reference_inc()
· R_PKEY_rsa_blinding_lib_start()
· R_PKEY_rsa_no_blinding_lib_start()
· R_PKEY_set_handle()
· R_PKEY_set_info()
· R_PKEY_set_private_handle()
· R_PKEY_set_public_handle()
· R_PKEY_set_purpose()
· R_PKEY_to_binary()
· R_PKEY_to_bio()
· R_PKEY_to_file()
· R_PKEY_to_public_key_binary()
· R_PKEY_TYPE_from_string()
· R_PKEY_TYPE_to_string()
· R_PKEY_write_device()
· R_realloc()
· R_remalloc()
· R_RES_LIST_get_item()
· R_RES_LIST_get_resource()
· R_RES_LIST_set_item()
· R_RES_LIST_set_resource()
· R_set_mem_functions()
· R_SKEY_delete_device()
· R_SKEY_free()
· R_SKEY_get_handle()
· R_SKEY_get_info()
· R_SKEY_new()
· R_SKEY_read_device()
· R_SKEY_set_handle()
· R_SKEY_set_info()
· R_SKEY_write_device()
· R_thread_id()
· R_thread_id_get_cb()
· R_thread_id_set_cb()
· R_TIME_cmp()
· R_TIME_CTX_free()
· R_TIME_CTX_new()
· R_TIME_dup()
· R_TIME_export()
· R_TIME_free()
· R_TIME_get_time_mi_method()
· R_TIME_get_utc_time_method()
· R_TIME_import()
· R_TIME_new()
· R_TIME_offset()
· R_TIME_time()
· R_unlock_r()
· R_unlock_w()

5 Acronyms and Definitions

The following table lists and describes the acronyms and definitions used throughout this document.

Table 7.
Acronyms and Definitions

AES: Advanced Encryption Standard. A fast block cipher with a 128-bit block, and keys of lengths 128, 192, and 256 bits. Replaces DES as the US symmetric encryption standard.
API: Application Programming Interface.
Attack: Either a successful or unsuccessful attempt at breaking part or all of a cryptosystem. Various attack types include an algebraic attack, birthday attack, brute force attack, chosen ciphertext attack, chosen plaintext attack, differential cryptanalysis, known plaintext attack, linear cryptanalysis, and middleperson attack.
CBC: Cipher Block Chaining. A mode of encryption in which each ciphertext block depends upon all previous blocks. Changing the Initialization Vector (IV) alters the ciphertext produced by successive encryptions of an identical plaintext.
CFB: Cipher Feedback. A mode of encryption that produces a stream of ciphertext bits rather than a succession of blocks. In other respects, it has similar properties to the CBC mode of operation.
CRNG: Continuous Random Number Generation.
CTR: Counter mode of encryption, which turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter.
DES: Data Encryption Standard. A symmetric encryption algorithm with a 56-bit key. See also Triple DES.
Diffie-Hellman: The Diffie-Hellman asymmetric key exchange algorithm. There are many variants, but typically two entities exchange some public information (for example, public keys or random values) and combine it with their own private keys to generate a shared session key. As private keys are not transmitted, eavesdroppers are not privy to all of the information that composes the session key.
DSA: Digital Signature Algorithm. An asymmetric algorithm for creating digital signatures.
DRBG: Deterministic Random Bit Generator.
Dual EC DRBG: Dual Elliptic Curve Deterministic Random Bit Generator.
EC: Elliptic Curve.
ECAES: Elliptic Curve Asymmetric Encryption Scheme.
ECB: Electronic Codebook. A mode of encryption that divides a message into blocks and encrypts each block separately, so identical plaintext blocks produce identical ciphertext blocks.
ECC: Elliptic Curve Cryptography.
ECDH: Elliptic Curve Diffie-Hellman.
ECDHC: Elliptic Curve Diffie-Hellman with Components. Described in NIST SP 800-56A, March 2007, Section 5.7.1.2, Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) Primitive.
ECDSA: Elliptic Curve Digital Signature Algorithm.
ECIES: Elliptic Curve Integrated Encryption Scheme.
Encryption: The transformation of plaintext into an apparently less readable form (called ciphertext) through a mathematical process. The ciphertext can be read by anyone who has the key that decrypts (undoes the encryption) the ciphertext.
FIPS: Federal Information Processing Standards.
GCM: Galois/Counter Mode. A mode of encryption that combines the Counter mode of encryption with Galois field multiplication for authentication.
GMAC: Galois Message Authentication Code. An authentication-only variant of GCM.
HMAC: Keyed-Hashing for Message Authentication Code.
HMAC DRBG: HMAC Deterministic Random Bit Generator.
IV: Initialization Vector. Used as a seed value for an encryption operation.
KAT: Known Answer Test.
Key: A string of bits used in cryptography, allowing people to encrypt and decrypt data. Can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext. The types of keys include distributed key, private key, public key, secret key, session key, shared key, subkey, symmetric key, and weak key.
MD5: A hash algorithm created by Ron Rivest. MD5 hashes an arbitrary-length input into a 16-byte digest.
NIST: National Institute of Standards and Technology. A division of the US Department of Commerce (formerly known as the NBS) which produces security and cryptography-related standards.
OFB: Output Feedback. A mode of encryption in which the cipher is decoupled from its ciphertext.
OS: Operating System.
PC: Personal Computer.
PDA: Personal Digital Assistant.
PPC: PowerPC.
privacy: The state or quality of being secluded from the view or presence of others.
private key: The secret key in public key cryptography. Primarily used for decryption, but also used to create digital signatures.
PRNG: Pseudo-random Number Generator.
RC2: Block cipher developed by Ron Rivest as an alternative to the DES. It has a block size of 64 bits and a variable key size. It is a legacy cipher and RC5 should be used in preference.
RC4: Symmetric algorithm designed by Ron Rivest using variable length keys (usually 40-bit or 128-bit).
RC5: Block cipher designed by Ron Rivest. It is parameterizable in its word size, key length, and number of rounds. Typical use involves a block size of 64 bits, a key size of 128 bits, and either 16 or 20 iterations of its round function.
RNG: Random Number Generator.
RSA: Public key (asymmetric) algorithm providing the ability to encrypt data and create and verify digital signatures. RSA stands for Rivest, Shamir, and Adleman, the developers of the RSA public key cryptosystem.
SHA: Secure Hash Algorithm. A hash algorithm that maps an input of arbitrary length to a fixed-size digest and is designed so that collisions are computationally infeasible to find. The original SHA produces a 160-bit digest.
SHA-1: A revision to SHA to correct a weakness. It takes an arbitrary-length input and produces a 160-bit (20-byte) digest.
SHA-2: The NIST-mandated successor to SHA-1, to complement the Advanced Encryption Standard. It is a family of hash algorithms (SHA-224, SHA-256, SHA-384 and SHA-512) that produce digests of 224, 256, 384 and 512 bits respectively.
Triple DES: A variant of DES that uses three 56-bit keys.

6 Contacting RSA

The RSA Web site contains the latest news, security bulletins and information about coming events. The RSA BSAFE Web site contains product information.
The RSA Laboratories Web site contains frequently asked questions.

6.1 Support and Service

If you have any questions or require additional information, see RSA Support or RSA SecurCare Online.

6.2 Feedback

We welcome your feedback on the documentation produced by RSA. Please email us at userdocs@rsa.com.