McAfee, Inc. McAfee Endpoint Encryption for Mobile FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Document revision 0.4, April 2009 © 2009 McAfee, Inc. This document may be reproduced only in its original entirety [without McAfee, Inc. revision].The information in this document is provided only for educational purposes and for the 3965 Freedom Circle convenience of McAfee's customers. The information contained herein is subject to change without Santa Clara, CA 95054, notice, and is provided "as is" without guarantee or warranty as to the accuracy or applicability of the 888.847.8766 information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are trademarks or www.mcafee.com registered trademarks of McAfee, Inc. in the United States and other countries. All other names and brands may be the property of others. www.mcafee.com Table of Contents 1 INTRODUCTION...................................................................................................................................3 1.1 PURPOSE ...........................................................................................................................................3 1.2 REFERENCES .....................................................................................................................................3 1.3 DOCUMENT ORGANIZATION .............................................................................................................3 2 MCAFEE ENDPOINT ENCRYPTION FOR MOBILE.....................................................................4 2.1 MCAFEE ENDPOINT ENCRYPTION FOR MOBILE ................................................................................5 2.2 MODULE INTERFACES .......................................................................................................................5 2.3 OPERATIONAL ENVIRONMENT ..........................................................................................................6 2.4 ROLES AND SERVICES .......................................................................................................................6 2.5 ACCESS TO SERVICES ........................................................................................................................7 2.6 PHYSICAL SECURITY .........................................................................................................................8 2.7 CRYPTOGRAPHIC KEY MANAGEMENT ..............................................................................................8 2.7.1 Key generation .............................................................................................................................8 2.7.2 Key entry and output....................................................................................................................8 2.7.3 Key storage ..................................................................................................................................9 2.7.4 Protection of key material............................................................................................................9 2.7.5 Zeroization of key material ..........................................................................................................9 2.7.6 Access to key material..................................................................................................................9 2.8 CRYPTOGRAPHIC ALGORITHMS ......................................................................................................10 2.9 SELF-TESTS ....................................................................................................................................10 2.9.1 Power-up self-tests.....................................................................................................................10 2.9.2 Conditional self-tests .................................................................................................................11 2.10 DESIGN ASSURANCE .......................................................................................................................11 3 FIPS MODE...........................................................................................................................................12 4 APPENDIX A ­ SWITCHING THE MODULE SOFTWARE TO FIPS MODE ..........................13 Table of Figures Figure 1: Block Diagram of the cryptographic boundary................................................................................4 Figure 2: Security Level specification per individual areas of FIPS 140-2.....................................................5 Figure 3: Roles.................................................................................................................................................6 Figure 4: Services Authorized for Roles..........................................................................................................7 Figure 5: Keys used by McAfee Endpoint Encryption for Mobile Client.......................................................8 Figure 6: User Role..........................................................................................................................................9 Figure 7: Crypto Officer role .........................................................................................................................10 Figure 8: Power-up Self-tests.........................................................................................................................11 2 www.mcafee.com 1 INTRODUCTION 1.1 Purpose This is the non-proprietary FIPS 140-2 Security Policy for the McAfee Endpoint Encryption for Mobile cryptographic module, also referred to as "the module" within this document. This Security Policy details the secure operation of McAfee Endpoint Encryption for Mobile as required in Federal Information Processing Standards Publication 140-2 (FIPS 140-2) as published by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce. 1.2 References For more information on McAfee Endpoint Encryption please visit: http://www.mcafee.com/us/enterprise/products/data_loss_prevention/endpoint_encryption.html. For more information on NIST and the Cryptographic Module Validation Program (CMVP), please visit http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.3 Document Organization This Security Policy document is one part of the FIPS 140-2 Submission Package. This document outlines the functionality provided by the module and gives high-level details on the means by which the module satisfies FIPS 140-2 requirements. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Submission documentation may be McAfee, Inc. proprietary or otherwise controlled and releasable only under appropriate non-disclosure agreements. For access to these documents, please contact McAfee, Inc. 3 www.mcafee.com 2 McAfee Endpoint Encryption for Mobile McAfee Endpoint Encryption for Mobile (SW Version 2.3.0.5), also referred to simply as "module", is a Software Only Module which resides on a General Purpose Computer (see Figure 1). It provides a security system for smart phones and Pocket PCs that prevents the data stored on such devices from being read or used by an unauthorized person. In simple terms, McAfee Endpoint Encryption for Mobile takes control of a user's data away from the operating system. McAfee Endpoint Encryption secures access to databases within the device and all access to external storage media. It does this by encrypting data written to databases and storage media and decrypting data read from them. If one read these secured items directly, one would find only encrypted data. The cryptographic boundary of the module is the case of the device on which it is installed. See Figure 1. The module is a software module running on a standard General Purpose Computing (GPC) device. The processor of the GPC device executes all software. All software components of the module are persistently stored within the device, and while executing, are stored in the device local RAM. Figure 1: Block Diagram of the cryptographic boundary 4 www.mcafee.com The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-2. Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Figure 2: Security Level specification per individual areas of FIPS 140-2 McAfee Endpoint Encryption has the option of being configured in different ways. At installation, the McAfee Endpoint Encryption Administrator can choose whether application data and external media are encrypted or not. Refer to Section 3 for FIPS compliant configuration. 2.1 McAfee Endpoint Encryption for Mobile McAfee Endpoint Encryption for Mobile is an application that consists of a number of individual drivers to handle encryption and synchronization. There is also a system tray application which provides a Graphical User Interface (GUI) to the operator via the GPC devices display. These components comprise the validated module. McAfee Endpoint Encryption hooks into a number of Windows Mobile 5 system interfaces and is seamlessly integrated into the device operating system, with the only outward signs that it is installed being the proprietary logon screen and tray application. 2.2 Module Interfaces McAfee Endpoint Encryption for Mobile is classified as a multi-chip standalone module for FIPS 140-2 purposes. The module's physical boundary is that of the Windows mobile device on which it is installed. The Windows mobile device shall be running a supported operating system (OS) and supporting all standard interfaces, including keys, buttons and switches, touch screen, data ports and external storage. McAfee Endpoint Encryption provides a logical interface via an Application Programming Interface (API) and a Graphical User Interface (GUI). This logical interface exposes services (described in section 2.4) that the User and operating system may utilize directly. 5 www.mcafee.com The logical interfaces provided by McAfee Endpoint Encryption for Mobile are mapped onto the FIPS 140-2 logical interfaces: data input, data output, control input, and status output as follows: · Data Input ­ Input to all driver functions, Software Interface (SWI), GUI · Data Output ­ Output from all driver functions, GUI, Software Interface (SWI) · Control Input ­ Input from TCP/IP interface, IPC interface, GUI, Software Interface (SWI) · Status Output ­ Return codes from driver functions, GUI, Software Interface (SWI) 2.3 Operational Environment The McAfee Endpoint Encryption for Mobile module has been tested on and found to be conformant with the requirements of FIPS 140-2 overall Level 1 on the following GPC operating system: Windows Mobile 5. Additionally, the module is supported on other GPC's running Microsoft Windows Mobile 6. The cryptographic module runs in its own operating system threads. This provides it with protection from all other processes, preventing access to all keys, intermediate key generation values, and other CSPs. The task scheduler and architecture of the operating system maintain the integrity of the cryptographic module. The module supports only one single user and only one operator can have access to the device that contains the module at a time. For the purposes of FIPS 140-2, Windows Mobile is considered a single user operating system. 2.4 Roles and Services McAfee Endpoint Encryption for Mobile implements both a Crypto Officer role and a User role. Roles are assumed implicitly upon accessing the associated services as depicted below in Figure 4.. Role Description Crypto Officer The administrator of the module having full configuration and key management privileges. User General User of the module Figure 3: Roles 6 www.mcafee.com 2.5 Access to Services The following table lists the authorized services linked to each of the Roles offered by the module. Role Authorized Services Description User Synchronization Establishes a network connection between the module and the remote Crypto Officer for the purpose of synchronizing the configuration data currently stored on the module with the current set of Crypto Officer specified settings stored on the Crypto Officer managed Personal Computer (PC). Encryption/Decryption Encryption/Decryption of data written to the hard drive. Self-test Functions Performs all FIPS 140-2 defined self tests. Recovery request If the User is denied access to the module then the recovery request can be used to re-allow access. (Note: Successful utilization of this service requires Crypto Officer assistance.) Uninstall Uninstalls the module from the host platform and zeroizes the Server Public Key Power Cycle Power Cycles the host device Zeroize (see Appendix B) Actively overwrites the Device Encryption Key. See Appendix B for details. Crypto Officer Synchronization Establishes a network connection between the module and the remote Crypto Officer for the purpose of synchronizing the configuration data currently stored on the module with the current set of Crypto Officer specified settings stored on the Crypto Officer managed Personal Computer (PC). Configuration Configuration of the module. View audit View audit log information. Clear audit Deletes the audit log. File Updates This service is used to update or add-on module functionality as opposed to performing a full software update. Manage McAfee Endpoint Manage McAfee Endpoint Encryption for Mobile Encryption for Mobile (Cryptographic & Key Management Functions) (Cryptographic & Key Management Functions) Software Updates Loads new module software. Recovery Will allow a User to access a module to which they are currently disallowed access. Set Attributes Set module Attributes Change Attributes Change module Attributes Figure 4: Services Authorized for Roles 7 www.mcafee.com 2.6 Physical Security McAfee Endpoint Encryption for Mobile is a software only cryptographic module and therefore the physical security requirements of FIPS 140-2 do not apply. 2.7 Cryptographic Key Management The following tables list all Critical Security Parameters (CSPs) and public keys used within the McAfee Endpoint Encryption module. Currently, AES-256 is the only Approved encryption algorithm in McAfee Endpoint Encryption for Mobile product and all encryption keys are AES-256 keys. The server public key is a DSA key. Key Purpose Device Encryption Key Used to encrypt local storage, application databases, and external storage. Session Key Key used to encrypt traffic between device and remote server Diffie-Hellman Shared Shared secret generated by the Diffie-Hellman Key Secret exchange. Diffie-Hellman Private Key Private Diffie-Hellman component used during Session Key agreement. DRNG Seed Key Seed values and seed key used as input into the FIPS 186-2 DRNG. Figure 5: CSPs used by McAfee Endpoint Encryption for Mobile Key Purpose Server Public Key DSA Key used to authenticate software during power- up self tests and software updates. Diffie-Hellman Server The Server Public Diffie-Hellman component used Public Key during Session Key agreement. Diffie-Hellman Client The Client Public Diffie-Hellman component generated Public Key internally by the module and used during Session Key agreement. Figure 6: Public Keys used by McAfee Endpoint Encryption for Mobile 2.7.1 Key generation McAfee Endpoint Encryption for Mobile generates symmetric key material and CSPs (and the Diffie- Hellman public/private key components used in session CSP establishment), using a FIPS 186-2 Appendix 3.1 compliant deterministic random number generator. The only symmetric keys/CSPs generated in this way are the Device Encryption Key and the Session Key. 2.7.2 Key entry and output The module supports the following key entry: · Entry of the Diffie-Hellman Server Public Key signed with the Server Private Key · Entry of the Server Public Key during Software Update 8 www.mcafee.com The module supports the following key output: · Plaintext output of the Diffie-Hellman Client Public Key · Encrypted output of the Device Encryption Key 2.7.3 Key storage Key material is stored in the McAfee Endpoint Encryption datastore in local GPC storage. 2.7.4 Protection of key material McAfee Endpoint Encryption for Mobile securely manages key material for the lifetime of the key. 2.7.5 Zeroization of key material All key material managed by the McAfee Endpoint Encryption for Mobile has the ability to be zeroized. 2.7.6 Access to key material The following matrices (Figures 7 and 8) show the access that an operator has to specific keys or other critical security parameters when performing each of the services relevant to his/her role. Key Service DK SPK DRNGSK DHK DHSPK DHCPK DHSS SK Synchronization R, O R, W W W, E W, O W, R R, W Encryption/Decryption R Self-test Functions Recovery Request Uninstall Z Power Cycle Z Z Z Z Z Z Z Zeroize Z Figure 7: User Role Key Service DK SPK DRNGSK DHK DHSPK DHCPK DHSS SK Synchronization R, O R, W R W W, E W, O W, R R View audit R Clear audit R Configuration R R File Updates R R Manage McAfee Endpoint R R R R R R Encryption for Mobile (Cryptographic & Key Management Functions) 9 www.mcafee.com Key Service DK SPK DRNGSK DHK DHSPK DHCPK DHSS SK Software Updates R, E, R W Recovery R R Set Attributes R Change Attributes R Figure 8: Crypto Officer Role Access rights Keys Blank Not Applicable DK Device Encryption Key W Write access SPK Server Public Key R Read Access DRNGSK DRNG Seed Key E Key Entry DHK Diffie-Hellman Private Key O Key Output DHSS Diffie-Hellman Shared Secret Z Zeroize Access DHSPK Diffie-Hellman Server Public Key DHCPK Diffie-Hellman Client Public Key SK Session Key Note: If a service requires read or write access, it is the service as realized by module processes that requires access to the keys or CSPs. The operator (either User or Crypto Officer) does not have access to the CSPs themselves. The operator may change keys or use keys, but in all cases has no plaintext access to key material or CSPs. 2.8 Cryptographic Algorithms McAfee Endpoint Encryption for Mobile supports the following algorithms: · FIPS-approved algorithms o AES-256 o DSA o SHA-1 o FIPS 186 Appendix 3.1 DRNG. · Non FIPS-approved algorithms: o Diffie-Hellman (key establishment methodology provides 80 bits of security) o NDRNG (Used to seed the FIPS approved DRNG) 2.9 Self-Tests McAfee Endpoint Encryption for Mobile implements both power-up and conditional self tests as required by FIPS 140-2. The following two sections outline the tests that are performed. 2.9.1 Power-up self-tests The following table, Figure 9, lists the power-up self-tests performed by the module: 10 www.mcafee.com SHA-1 known answer test DSA known answer test AES-256 known answer test Software integrity test (DSA Signature verification) Deterministic Random Number Generator Known Answer Test Figure 9: Power-up Self-tests Each of these tests is executed when the computer is turned on and the module first executes. If any of these tests fail, the module will not load. The module must be reset to re-execute these tests. 2.9.2 Conditional self-tests There are a number of conditional tests that are run by the module. A continuous random number generator test is run every time the module requests a random number from either the FIPS Approved 186-2 DRNG or the NDRNG. Failure of this test may result in keys not being generated and an appropriate error message will be given. A test is also done when a software update occurs. All files are digitally signed and this signature is checked prior to any update of the software. 2.10 Design Assurance McAfee, Inc. employ industry standard best practices in the design, development, production and maintenance of the McAfee Endpoint Encryption product, including the FIPS 140-2 module. This includes the use of an industry standard configuration management system that is operated in accordance with the requirements of FIPS 140-2, such that each configuration item that forms part of the module is stored with a label corresponding to the version of the module and that the module and all of its associated documentation can be regenerated from the configuration management system with reference to the relevant version number. Design documentation for the module is maintained to provide clear and consistent information within the document hierarchy to enable transparent traceability between corresponding areas throughout the document hierarchy, for instance, between elements of this Cryptographic Module Security Policy (CMSP) and the design documentation. Guidance appropriate to an operator's Role is provided with the module and provides all of the necessary assistance to enable the secure operation of the module by an operator, including the Approved security functions of the module. 11 www.mcafee.com 3 FIPS Mode The following procedures must be followed to operate McAfee Endpoint Encryption for Mobile cryptographic module in a FIPS Approved mode. For more information please refer to the McAfee Administrators Guide for Endpoint Encryption for Mobile: 1. The module software must be operating in "FIPS" mode. This is done by setting the FIPS registry key value from 0 (disabled) to 1 (enabled). The first step is to create a FIPS registry script (see Appendix A for details). Once the file is created right click on the newly created .reg file and select merge from the drop down menu. 2. To verify that the registry has been updated properly the user must install a registry editor and navigate to HKEY_LOCAL_machine\SOFTWARE\ Safeboot International/Windows Mobile/FIPS and verify the value of 1. 3. All application databases and external media on the device where McAfee Endpoint Encryption for Mobile has been installed MUST be fully encrypted. This is performed by setting the module's internal memory encryption parameter to "Encrypt Entire Device". 12 www.mcafee.com 4 Appendix A ­ Creating the FIPS enable script The following needs to be saved to a text file with the extension ".reg" and then merged into the registry as a requirement for installing the module in a FIPS-compliant mode of operation: REGEDIT4 [HKEY_LOCAL_MACHINE\Software\SafeBoot International\Windows Mobile] "FIPS"=dword:00000001 13 www.mcafee.com 5 Appendix B ­ Zeroization of Device Encryption Key In order to zeroize the Device Encryption Key in an Endpoint Encryption for Mobile protected device, two separate actions are required. However, it should be noted that this process will render the module inoperable and will result in the potential loss of all module protected assets. Firstly, the encrypted form of the device key has to be actively deleted from the registry by overwriting it with "0"s. The registry key to overwrite is: "HKEY_LOCAL_MACHINE\Software\SafeBoot International\Windows Mobile\DevKey" This can be done using a registry script file. Simply save the following to a file with a ".reg" extension, such as "DeleteDeviceKey.reg" and running it from File Explorer. REGEDIT4 [HKEY_LOCAL_MACHINE\Software\SafeBoot International\Windows Mobile] "DevKey"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00 Alternatively, the key can be overwritten using a registry editor. Once the encrypted form of the device key has been zeroized, the form of the device key that is in use in the module can be removed by switching the module off and then on again. McAfee, Inc. © 2009 McAfee, Inc. This document may be reproduced only in its original entirety [without 3965 Freedom Circle revision].The information in this document is provided only for educational purposes and for the Santa Clara, CA 95054, convenience of McAfee's customers. The information contained herein is subject to change without 888.847.8766 notice, and is provided "as is" without guarantee or warranty as to the accuracy or applicability of the www.mcafee.com information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are trademarks or registered trademarks of McAfee, Inc. in the United States and other countries. All other names and brands may be the property of others. 14