Non-Proprietary Security Policy for the FIPS 140-2 Level 2 Validated Fortress Secure Bridge Firmware Version 5.1 (Document Version 1.14.4) March 31, 2009 This security policy of Fortress Technologies, Inc., for the FIPS 140-2 validated Fortress Secure Bridge (FSB), defines general rules, regulations, and practices under which the FSB was designed and developed and for its correct operation. These rules and regulations have been and must be followed in all phases of security projects, including the design, development, manufacture service, delivery and distribution, and operation of products. Page 1 of 35 Copyright 2009 Fortress Technologies, Inc., 4025 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge Page 2 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge Contents CONTENTS ................................................................................................................................... 3 LIST OF FIGURES AND TABLES ............................................................................................ 5 1.0 INTRODUCTION .............................................................................................................. 6 1.1 THE PURPOSE OF THIS DOCUMENT ................................................................................... 6 1.2 PRODUCTS ......................................................................................................................... 6 1.3 GLOSSARY OF TERMS........................................................................................................ 6 1.4 FUNCTIONAL DESCRIPTION ............................................................................................... 9 1.5 MOBILE SECURITY PROTOCOL (MSP) ............................................................................ 10 1.6 ROBUST SECURITY NETWORK (RSN) ............................................................................. 11 1.7 SECURE SOCKETS LAYER (SSL) ..................................................................................... 11 1.8 SECURE SHELL ................................................................................................................ 11 1.9 SECURE CONFIGURATION PROPAGATION (SCP)............................................................. 11 1.10 MANAGEMENT ................................................................................................................ 12 1.11 ALGORITHMS................................................................................................................... 12 2.0 IDENTIFICATION AND AUTHENTICATION POLICY.......................................... 15 2.1 ROLES .............................................................................................................................. 15 2.2 SERVICES......................................................................................................................... 15 2.3 AUTHENTICATION AND AUTHENTICATION DATA ........................................................... 15 2.3.1 Authentication Methods ........................................................................................... 15 2.3.2 Authentication Server Methods................................................................................ 16 3.0 CRYPTOGRAPHIC KEYS AND CSP .......................................................................... 18 3.1 FOR MSP ......................................................................................................................... 18 3.2 FOR RSN ......................................................................................................................... 20 3.3 FOR SSL AND SSH .......................................................................................................... 22 3.4 CRITICAL SECURITY PARAMETERS ................................................................................. 23 4.0 ACCESS CONTROL POLICY ....................................................................................... 25 4.1 ROLES EACH SERVICE IS AUTHORIZED TO PERFORM ...................................................... 25 4.2 ROLES, SERVICES AND ACCESS TO KEYS OR CSPS ........................................................ 25 4.3 ZEROIZATION .................................................................................................................. 26 4.4 UPGRADES ....................................................................................................................... 28 4.4.1 Introduction ............................................................................................................. 28 4.4.2 Selecting Software Image ........................................................................................ 28 4.4.3 Getting the Upgrade FSB Software ......................................................................... 28 4.4.4 Integrity of the Upgrade Bridge Image.................................................................... 28 5.0 PHYSICAL SECURITY POLICY ................................................................................. 29 Page 3 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 5.1 HARDWARE ..................................................................................................................... 29 5.2 TAMPER EVIDENCE APPLICATION .................................................................................. 29 5.3 TAMPER EVIDENCE INSPECTIONS ................................................................................... 29 6.0 FIRMWARE SECURITY ............................................................................................... 30 7.0 OPERATING SYSTEM SECURITY ............................................................................. 31 8.0 SELF TESTS ..................................................................................................................... 32 9.0 SECURITY POLICY FOR MITIGATION OF OTHER ATTACKS POLICY ........ 33 10.0 EMI/EMC.......................................................................................................................... 33 11.0 CUSTOMER SECURITY POLICY ISSUES ................................................................ 34 11.1 FIPS MODE ..................................................................................................................... 34 11.2 ALTERNATING BYPASS MODE ...................................................................................... 35 12.0 MAINTENANCE ISSUES ............................................................................................... 35 Page 4 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge List of Figures and Tables Figure 1: The Fortress Secure Bridge Top Level Configuration ............................................ 6 Figure 2: Example Configuration of the FSB ............................................................................ 9 Figure 3: Front View of the ES520V2 (Left) and ES520V1 (Right) with Blue Blocker ..... 30 Figure 4: Back View of the ES520V2 (Left) and ES520V1 (Right) with Blue Blocker...... 30 Table 1: FIPS Approved Algorithms............................................................................................ 12 Table 2: Non-FIPS Approved Algorithms ................................................................................ 13 Table 3: Authentication Data..................................................................................................... 16 Table 4: Probability of guessing the authentication data ...................................................... 17 Table 5: MSP Keys ..................................................................................................................... 18 Table 6: RSN Keys ..................................................................................................................... 20 Table 7: SSL and SSH Crypto Keys ........................................................................................ 22 Table 8: Other Keys and Critical Security Parameters ......................................................... 23 Table 9: Roles each Service is authorized to Perform .......................................................... 25 Table 10: Roles who has Access to Keys or CSPs ............................................................... 26 Table 11: Defaults and Zeroization .......................................................................................... 27 Table 12: Recommended Physical Security Activities .......................................................... 29 Table 13: Self Tests ................................................................................................................... 32 Page 5 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 1.0 Introduction 1.1 The Purpose of this Document This security policy defines all FIPS 140-2 level 2 security rules under which the Fortress Secure Bridge (FSB) complies with and enforces. The FSB is a multi-chip standalone module. 1.2 Products The current FSB products this Security Policy is relevant to are identified as: Hardware FSB Numbers: ES520V1 and ES520V2 Firmware Version: 5.1 The FSB top level configurable hierarchy is shown in Figure 1. Fortress Secure Bridge (FSB) Hardware Software ES520V1 ES520V2 Firmware version 5.1 Figure 1: The Fortress Secure Bridge Top Level Configuration 1.3 Glossary of Terms · AES (Advanced Encryption Standard): also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. · ANSI (American National Standards Institute): a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States · CBC (cipher-block chaining): A mode of operation where each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point. Also, to make each message unique, an initialization vector must be used in the first block. · Crypto Officer (Crypto Officer): an operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions. Page 6 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge · CTR (Counter): generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time. It allows a random access property during decryption. The IV/nonce and the counter can be concatenated, added, or XORed together to produce the actual unique counter block for encryption. · Diffie-Hellman: is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. · ECB (Electronic codebook): This is the simplest of the encryption modes. The message is divided into blocks and each block is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all. · EAP (Extensible Authentication Protocol): is a universal authentication framework frequently used in wireless networks and Point-to-Point connections. · EAP-TLS: is an IETF open standard that is the original standard wireless LAN EAP authentication protocol, and is well-supported among wireless vendors. · Hard Key: A key that is generated using information that is static. · HMAC (Hash Message Authentication Code): a keyed Hash Message Authentication Code is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. · HTTPS: Hypertext Transfer Protocol over Secure Socket Layer · IEEE 802.11: is a set of standards for wireless local area network (WLAN) computer communication, developed by the IEEE LAN/MAN Standards Committee (IEEE 802) in the 5 GHz and 2.4 GHz public spectrum bands. · IEEE 802.11i: Is an amendment to the IEEE 802.11 standard specifying security mechanisms for wireless networks. · IV (initialization vector): is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a (usually lengthy) re- keying process. · MAC (Message Authentication Code): a short piece of information used to authenticate a message. · MIC (Message Integrity code): is a short piece of information used to check the integrity of a message. This is the same as a MAC. Normally in communications this would be called a MAC (Message Authentication Code) however since the term MAC is used in IEEE 802 products to mean the physical address of a Network Interface Card the term MIC was created. · Mode: In cryptography, a block cipher operates on blocks of fixed length, often 64 or 128 bits. Because messages may be of any length, and because encrypting the same plaintext under the same key always produces the same output (as described in the ECB), several modes of operation have been invented which allow block ciphers to provide confidentiality for messages of arbitrary length. Page 7 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge · Multi-factor AuthenticationTM: The FSB guards the network against illicit access by checking three levels of access credentials before allowing a connection. o Network authentication mandates that connecting devices use the correct shared identifier for the network. The Fortress Security System requires all members of a secure network to authenticate with the correct Access ID. o Device authentication mandates that a connecting device is individually recognized on the network through its unique device identifier. The Fortress Security System requires each device to authenticate on the secure network with the unique Device ID generated for that device. o User authentication requires the user of a connecting device to enter a recognized user name and valid credentials, a password, for example, or a digital certificate. The Fortress Security System can authenticate users locally · Nonce: stands for number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. · PMK (Pairwise Master Key): an EAP exchange will provide the shared secret key called a PMK (Pairwise Master Key) in IEEE 802.11 security. This key is designed to last the entire session and should be exposed as little as possible. · PRNG (pseudorandom number generator): is an algorithm for generating a sequence of numbers that approximates the properties of random numbers. The sequence is not truly random in that it is completely determined by a relatively small set of initial values, called the PRNG's state. · RNG (Random Number Generator): is a computational or physical device designed to generate a sequence of numbers or symbols that lack any pattern, i.e. appear random. · PSK (Pre Shared Key): is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. · PTK (Pairwise Transient Key): A Key generated by concatenating the following attributes in IEEE 802.11 security: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address.. The product is then put through a cryptographic hash function. · SHA (Secure Hash Algorithm): these are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. · TRNG (True Random Number Generator): This is the Fortress implementation of a non-deterministic Random Number Generator. The design of the TRNG contains two free-running oscillators, a fast and slow one. Neither is intentionally related in any way, and indeed the relationship changes with physical affects. The basic principle of operation is that the slow oscillator samples the fast one, and it is the thermal jitter effects present on the slow oscillator which are "measured" as the sources of random entropy. The TRNG is used to generate real cryptographically strong random numbers to use as seeds into the PRNG. The PRNG are started from this arbitrary starting state, using the TRNG `random' seed state. · TLS (Transport Layer Security): Along with its predecessor the Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant Page 8 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge messaging and other data transfers. TLS in this module is implemented by using SSL 3.1. · WPA2 (Wireless Protected Access 2): The advanced protocol, certified through Wi-Fi Alliance's WPA2 program, implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, which is considered fully secure. · ANSI X9.31 PRNG: This is a cryptographically secure pseudo-random number generator with properties that make it suitable for use in cryptography. Figure 2: Example Configuration of the FSB 1.4 Functional Description The FSB is an all-in-one network access device that implements the strongest security commercially available today. It can serve simultaneously as a wireless bridge (or a Page 9 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge node in a wireless mesh network), a WLAN access point, and an eight-port LAN switch, while it encrypts traffic and provides Multi-factor AuthenticationTM for devices on the network it secures. The hardware is a rugged, compact chassis as shown in a sample network drawing in Figure 2. The FSB can be used indoors or outdoors with the Mast-Mounting and Weatherizing kits shipped with every device. The FSB can be quickly and transparently integrated into an existing network to provide enhanced FIPS 140-2 security. The FSB can have up to eleven data input or output interfaces: Any of the interfaces can be used within a Clear Text Zone 1 or Encrypted Zones 2. The unit can be powered with standard AC current or as an Ethernet powered device (PD) through its WAN port, which supports power over Ethernet (PoE). The FSB can accept secure or unsecured connections from the wireless device (i.e. laptops or handheld) by means of its low powered WAN interface or from wired devices (i.e. workstation or printers) by means of one of their Ethernet interfaces. The FSB can be wirelessly networked together by using its high power Ethernet interface or it WAN Ethernet interface. The FSB uses two methods to protect and secure End Users data. They are the Fortress' proprietary Mobile Security Protocol (MSP) or the Robust Security Network (RSN) which is the IEEE 802.11i security recommendation. Both of these methods can protect IEEE802.11 wireless network communication while MSP can also protect Ethernet communication. It also uses the SSL protocol to protect HTTPS connections into the GUI or SSH connections (SSH use the same cryptographic algorithms as SSL) into the CLI. 1.5 Mobile Security Protocol (MSP) MSP is used to secure connections between an End User and the FSB. MSP uses the Diffie-Hellman (D-H) or Elliptical Curve Cryptography Diffie-Hellman (ECDH) for key generation and agreement, AES-CBC for strong encryption and Multi-factor Authentication for added protection for clients. It protects both users Peer-to-Peer packets and Multicast/Broadcast packets. FSB supports the National Security Agency Suite B recommendations using the 384 bit prime-modulus curve. Once it's installed and configured, operation is automatic, requiring no or little administrator intervention as it protects data transmitted on WLANs and between WLAN devices and the wired LAN. For peer-to-peer packets MSP uses a unique dual Diffie-Hellman or ECDH key generation method that will not only protect user packets but will also protect against "Man in the Middle" attacks. The first key exchanged is masked using AES (i.e. 128, 192 or 256 bits depending on the configuration) encryption using the Module Secret Key (Hardkey) and is considered plaintext for the FIPS validation. This creates a Diffie- 1 Clear Test Zone refers to the portions of the network that are trusted and that the FSB will normally only send and receive packets that have not been FIPS encrypted. These could be packets that have come from a encrypted zone that have been decrypted or packet that have originated from the FSB like from the GUI, CLI or SNMP. 2 Encrypted Zone refers to the portions of the network that are untrusted and that the FSB will normally only send or receive encrypted packets. Page 10 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge Hellman (1024 or 2048 depending on configuration) or 384 bit ECDH intermediate key that is hashed with other information to create the AES Static Secret Encryption Key. The second key exchanged is AES encrypted using the Static Secret Encryption Key This creates an intermediate Diffie-Hellman key or ECDH Key that is Hashed with other information to create an AES Dynamic Secret Encryption Key. User's Peer-to Peer packets are AES encrypted using this Dynamic Secret Encryption Key. For multicast and broadcast packets MSP also has a unique protocol. When the module is first powered-up a Multicast/Broadcast packets are masked using AES with a Static Group Key and is considered plaintext for the FIPS validation. At this time a Public Dynamic Group Key is passed around the network as a token by a Master FSB. A Private Dynamic Group Key is calculated by each module on the network. From this a Dynamic Group Key is calculated by each module (replacing the Static Group Key) for AES encryption. The encryption keys used for AES are equal to or greater than 80 bit strength as defined by NIST Special Publication 800-57 and the key establishment method as defined in NIST Special Publication 800-56A. 1.6 Robust Security Network (RSN) RSN is used to secure connections between an End User and the FSB. RSN is a component of WPA2 that implements only the FIPS capable portions of the IEEE 802.11i security recommendations. It uses the AES-CCM (CCMP) IEEE 802.11i security which utilizes two methods to acquire a master key: one method uses a pre-shared Master Key that is configured by the Crypto Officer (Crypto Officer) and the other gets the Master Key from an EAP-TLS session. If the latter is used a Pair-wise Master Key is generated between the Client and Authentication Server (AS). The AS sends this to the FSB. A Pairwise Transient Key will be generated between the client and the FSB. A four way handshake is used to guarantee that both the Client and the FSB will have the appropriate information and will generate the same Pairwise Transient Key. 1.7 Secure Sockets Layer (SSL) The SSL protocol is used to secure HTTPS connections into the FSB GUI that a Crypto Officer can use for administration. The FSB uses the SSL version 3.1 as a library. SSL provides confidentiality, integrity, and message digest services. OpenSSL toolkit version 1.1.1 with patch was used in the creation of the SSL library. 1.8 Secure Shell The SSH protocol is used to secure remote terminal connections into the FSB that a Crypto Officer can use for administration. The SSH protocol uses the same cryptographic algorithms as SSL. 1.9 Secure Configuration Propagation (SCP) In a mesh network of FSBs, a user can designate one of them as the network's Secure Configuration Propagation (SCP) master Bridge and then use the SCP master to automatically propagate configuration changes to the rest of the network Bridges. SCP runs only over AES encrypted MSP interfaces 3, so the Crypto Officer must pre- configure and deploy a network connected only through interfaces in the Bridge's 3 It will use the active configuration, default if nothing was configured or the current configuration. Page 11 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge encrypted zone. The FSB to be included in an SCP network or must be at their factory-default settings. The SCP slave Bridges receive and adopt the settings propagated from the master Bridge. 1.10 Management The FSB can be managing by the following: · Internet browser through the Graphical User Interface (GUI); · A directly connected terminal plugged into the Console Port through the Command Line Interface (CLI); · A remote workstation using SSH through the CLI; · using SNMP Version 3 Network Station or Utility. 1.11 Algorithms This software contains four different security methods MSP, RSN, SSL and SSH. MSP and RSN will secure End User data while SSL and SSH will secure Crypto Officer connections to the FSB. They all use the algorithms as detailed in Table 1. The non- FIPS algorithms are detailed in Table 2. The AMD Alchemy will execute the code containing the algorithms that are mainly written in the C or C++ programming language. The FPGA will have loaded a binary package that will set up the chip for the algorithm processing. This will define the makeup of the FPGA and was designed using a binary language called VHDL. Table 1: FIPS Approved Algor ithms Algorithm Cert Implementation Operational Val Date Modes/States/Key sizes/ # Environment Description/Notes AES 698 Fortress SWAB FW AMD Alchemy 1/30/2008 ECB(e/d; 128,192,256); CBC(e/d; Algorithms MIPS Processor 128,192,256) AES 694 Fortress SWAB Xilinx Spartan 1/17/2008 CBC(e/d; 128,192,256) FPGA Algorithms FPGA CCM (KS: 128 ) (Assoc. Data Len Range: 22 - 30 ) (Payload Length Range: 1 - 32 ) ( Nonce Length(s): 13 ) (Tag Length(s): 8 AES 688 Fortress SWAB 5.0 AMD Alchemy 12/31/2007 ECB(e/d; 128,192,256); CBC(e/d; SSL MIPS Processor 128,192,256); CFB8(e/d; 128,192,256); CFB128(e/d; 128,192,256); OFB(e/d; 128,192,256) RSA 439 Fortress Secure AMD Alchemy 11/4/2008 ALG[RSASSA-PKCS1_V1_5]; SIG(gen); Bridge 5.1 SSL MIPS Processor SIG(ver); 2048 , SHS: SHA-1Cert#717 SHS 726 Fortress SWAB FW AMD Alchemy 1/30/2008 SHA-1 (BYTE-only) Algorithms MIPS Processor SHA-384 (BYTE-only) SHS 722 Fortress SWAB SHS Xilinx Spartan 1/17/2008 SHA-256 (BYTE-only) and HMAC FPGA SHA-512 (BYTE-only) SHS 721 Fortress SWAB Xilinx Spartan 1/17/2008 SHA-1 (BYTE-only) FPGA Algorithms FPGA SHS 717 Fortress SWAB 5.0 AMD Alchemy 12/31/2007 SHA-1 (BYTE-only) SSL MIPS Processor SHA-224 (BYTE-only) SHA-256 (BYTE-only) SHA-384 (BYTE-only) SHA-512 (BYTE-only) Page 12 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge Algorithm Cert Implementation Operational Val Date Modes/States/Key sizes/ # Environment Description/Notes SHS 715 Fortress SWAB SHS- AMD Alchemy 12/31/2007 SHA-384 (BYTE-only) 384 Algorithm MIPS Processor HMAC 376 Fortress SWAB FW AMD Alchemy 1/30/2008 HMAC-SHA1 (Key Sizes Ranges Tested: Algorithms MIPS Processor KS=BS ) SHS Cert#726 HMAC-SHA384 ( Key Size Ranges Tested: KS=BS ) SHS Cert#726 HMAC 372 Fortress SWAB SHS Xilinx Spartan 1/17/2008 HMAC-SHA256 ( Key Size Ranges Tested: and HMAC FPGA KS=BS ) SHS Cert#722 HMAC-SHA512 ( Key Size Ranges Tested: KS=BS ) SHSCert#722 HMAC 371 Fortress SWAB Xilinx Spartan 1/17/2008 HMAC-SHA1 (Key Sizes Ranges Tested: FPGA Algorithms FPGA KS System Tools from the menu on the left. 2. In the Reset to Factory Defaults frame click EXECUTE. 3. Click OK at the confirmation query. At the top of the screen the GUI displays: Reset to Factory Defaults - please be patient. 4. Close your browser. In order to re-access a FSB reset to factory defaults you must use a new browser instance on a computer with a nonrouted connection to the FSB's clear zone and an IP address in the same subnet (192.168.254.0) as the FSB's default address. After restoring default settings, the FSB will have to be reconfigured for use. The common network AccessID must be re-entered. The crypto-officer is forced to enter a new password prior to gaining access. To do so you can re-install it as you would a new FSB. Alternatively, you can back the configuration up before you reset the FSB to its defaults and then restore the backup configuration, after you have manually configured network properties and passwords. Table 11: Defaults and Zeroization CSP Reset value (Default) AccessID All Zeros Log Viewer Password maintenance Maintenance Password logviewer SNMPV3 Authentication FSGSnmpAdminPwd. Pass phrase Preshared Key All Zeros 8 This will reset the box back to what it was set to out of the factory. Any changes in the configuration will be lost and all key and CSP will be zeroed. Page 27 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 4.4 Upgrades 4.4.1 Introduction The FSB can be upgraded in FIPS mode. The Upgrade packaged is downloaded from a workstation via using the GUI. The upgrade is integrity checked and stored on the internal flash and booted. The previous image is kept stored on flash and can be selected as the boot image in case of problems with the upgrade image. 4.4.2 Selecting Software Image The FSB stores two, user-selectable copies (or images) of the FSB software on separate partitions of the internal flash memory. When the FSB's software is upgraded the new software is first written to the non-running boot partition, overwriting any version stored there. When the FSB is rebooted to complete the upgrade process, it boots from the partition to which the upgrade was downloaded, with the same configuration settings that were in effect before the upgrade procedure. The FSB then defaults to the boot partition with the latest software image--the last image booted--whenever it restarts. New configuration changes are not written to the non-running boot partition. If you boot from the non-running boot partition, configuration settings will return to those in effect at the time the FSB's software was last upgraded. To select the next boot image: 1. Log on to the FSB GUI through an Administrator-level account and select Tools - > System Tools from the menu on the left. 2. In the System Tools screen's Version frame, in Image for Next Boot, select the next image to boot from the dropdown. 3. Click EXECUTE. 4.4.3 Getting the Upgrade FSB Software Fortress Technologies regularly releases updated versions of the FSB software to add new features, improve functionality and/or fix known bugs. Upgrade files may be shipped to the customer on CD-ROM or, more often, made available for downloading from a customers account on www.fortresstech.com. 4.4.4 Integrity of the Upgrade Bridge Image The upgrade package for the FSB uses a RSA Signature Algorithm for integrity checking of the image. This algorithm uses a Public/Private Key Pair. A SHA-1 digest is taken of the Upgrade Image and encrypted using RSA using a Private Key. This encrypted hash is appended to the image. After the image is downloaded, the FSB uses the corresponding Public Key to decrypt this Hash and will compare that Hash to another it will do on the image. If they match the integrity is verified. Page 28 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 5.0 Physical Security Policy 5.1 Hardware The FCB includes two ES hardware model; the ES520V1 and the ES520V2 as shown in Figure 3. 5.2 Tamper Evidence Application The FSB hardware uses Loctite 425 blue adhesive to cover screws for tamper evidences as shown in Figure 3 and Figure 4. This adhesive is usually applied during manufacturing however the adhesive can be applied by the vendor or the user at the site. 5.3 Tamper Evidence Inspections The FSB Firmware is installed by Fortress Technologies on a production-quality, FCC certified hardware device, one of the FSB hardware enclosures, which also define the FSB's physical boundary. All hardware platforms are or will be manufactured to meet FIPS 140-2, L2 requirements. Table 12 details the recommended physical security activities that should be carried out by the Crypto Officer. The host hardware platform server must be located in a controlled access area. Tamper evidence is provided by the use of an epoxy potting material covering the chassis access screws. Some screws on the front and back panel are covered with the material for tamper evidence as detailed in the above section. A sample screw with the adhesive coving for the ES products is shown in Figure 3 and Figure 4. Table 12: Recommended Physical Security Activities Physical Security Object Recommended Frequency of Inspection Guidance Inspection Appropriate chassis screws covered Daily Inspect screw heads for chipped with epoxy coating. epoxy material. If found, remove FSB from service. Overall physical condition of the FSB Daily Inspect all cable connections and the FSB's overall condition. If any discrepancy found, correct and test the system for correct operation or remove FSB from service. Page 29 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge Figure 3: Front View of the ES520V2 (Left) and ES520V1 (Right) with Blue Blocker Figure 4: Back View of the ES520V2 (Left) and ES520V1 (Right) with Blue Blocker 6.0 Firmware Security Self-tests validate the operational status of each product, including critical functions and files. If the firmware is compromised, the FSB enters an error state in which no cryptographic processing occurs, preventing a security breach through a malfunctioning device. Page 30 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 7.0 Operating System Security The FSB operates automatically after power-up. The FSB operates on Fortress Technologies proprietary version of hardened Linux operating system that is installed along with the FSB's software, with user access to standard OS functions eliminated. The FSB provides no means whereby an operator could load and execute software or firmware that was not included as part of the FSB's validation. Updates to the firmware are supported, but can only be made using the Vendor provided services. Page 31 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 8.0 Self Tests The following tables will summaries the FCM self tests. A self-test status indication is provided in the event log (passed or failed) for both the CLI and GUI interfaces. Table 13: Self Tests Test Description MIPS Power Up Test AES Known Answer Test (KAT) A known answer test is performed Note: For all lengths, CBC and ECB modes RSA KAT A known answer test is performed ANSI X9.31 PRNG A known answer test is performed SHA (1, 256, 384, 512). KAT A known answer test is performed HMAC (SHA 1,256,384, 512) A known answer test is performed Software/ Firmware Integrity Uses a RSA Signature Algorithm for integrity checking of the image. This algorithm Check uses a Public/Private Key Pair. A SHA-1 (SSL) digest is taken of the Upgrade Image and encrypted using RSA (SSL) with a Private Key. This encrypted hash is appended to the image. After the image is loaded, the FSB uses the corresponding Public Key to decrypt this Hash and will compare that Hash to another it will do on the image. If they match the integrity is verified. Elliptical Curve Test A known answer test is performed Bypass Test See Below FPGA Power up Test AES KAT A known answer test is performed Note: For all lengths, CBC and ECB modes ANSI X9.31 PRNG Random A known answer test is performed Number Test SHA (1,384) KAT Test A known answer test is performed HMAC (SHA (1,384)) KAT Test A known answer test is performed MIPS Conditional Tests Software/ Firmware Load Check The upgrade package for the FSB uses a RSA Signature Algorithm for integrity checking of the image. This algorithm uses a Public/Private Key Pair. A SHA-1 (SSL) digest is taken of the Upgrade Image and encrypted using RSA (SSL) using a Private Key. This encrypted This is used when upgrading the hash is appended to the image. After the image is downloaded, the FSB uses the FSB. corresponding Public Key to decrypt this Hash and will compare that Hash to another it will do on the image. If they match the integrity is verified. Duplicate Key Entry Test When a value is configured it's required to be entered the value a second time. Both values are compared. If the don't equal a message will force the values to be entered again. Even through the AccessID is not a key its material used to generate a key so the test is preformed. This test is also used when inputting the PSK for RSN. ANSI X9.31 PRNG Test This test will compare the current random number and a previous random number output to ensure that they are not the same. If they are the same the test failed. MSP Bypass Test When a MAC lookup table entry changes, the bypass test tests whether clear packets can be sent into the encrypted zone. or not, and they cover combinations of hosts, guests, and clients as SAs or DAs, plus they cover broadcast vs unicast packets. An error occurs if the Packets don't match the known answers. Page 32 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge RSN Bypass Test When a MAC lookup table entry changes, or is added or deleted. The CCMP bypass tests are intended to test whether packets are receiving the proper type of encryption as configured. An error occurs if the Packets don't match the known answers. Bypass Mechanism Test There are a set of special values (the FIPS mode for example) that have an additional CRC protecting them while they are in memory and they are protected by the SHA1 hash used when the information is stored on the compact flash. FPGA Conditional Tests ANSI X9.31 PRNG This test will compares the current random number and a previous random number output to ensure that they are not the same. If they are the same the test failed. 9.0 Security Policy for Mitigation of Other Attacks Policy No special mechanisms are built in the FSB; however, the cryptographic module is designed to mitigate several specific attacks above the FIPS defined functions. Additional features that mitigate attacks are listed here: 1. The MSP Dynamic Secret Encryption Key is changed at least once every 24 hours, with 4 hours being the factory default duration: Mitigates key discovery. 2. In the MSP, the second Diffie-Hellman key exchange produces a dynamic common secret key in each of the modules by combining the other module's dynamic public key with the module's own dynamic private key: Mitigates "man- in-the-middle" attacks. 3. In MSP and RSN key exchanges after the first Diffie-Hellman exchange are encrypted: Mitigates encryption key sniffing by hackers. 4. In MSP compression and encryption of header information inside of the frame, making it impossible to guess. MSP, RSN or SSL uses strong encryption further protects the information. Any bit flipping would be useless in this frame to try to change the IP address of the frame: Mitigates active attacks from both ends. 5. In both MSP and RSN encryption happens at the datalink layer so that all network layer information is hidden: Mitigates hacker's access to the communication. 6. In MSP Multi-factor Authentication: The FSB guards the network against illicit access with "multi-factor authentication", checking three levels of access credentials before allowing a connection. These are: a) Network authentication requires a connecting device to use the correct shared identifier for the network b) Device authentication requires a connecting device to be individually recognized on the network, through its unique device identifier. c) User authentication requires the user of a connecting device to enter a recognized user name and password. 10.0 EMI/EMC All models of the FSB hardware are FCC compliant and certified (Part 15, Subpart J, Class A) devices. Page 33 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 11.0 Customer Security Policy Issues Fortress Technologies, Inc. expects that after the FSB's installation, any potential customer (government organization or commercial entity or division) employs its own internal security policy covering all the rules under which the FSB(s) and the customer's network(s) must operate. In addition, the customer systems are expected to be upgraded as needed to contain appropriate security tools to enforce the internal security policy. 11.1 FIPS Mode FIPS Mode Requirements: a. At module start-up the module shall be set to FIPS Mode. b. The AccessID shall be generated using the Approved RNG option or to the network AccessID value if joining an established network. A valid FIPS network shall use an Approved RNG generated AccessID. c. The Pre-Shared Key shall be entered using 64-hex values. The passphrase method shall not be used in the FIPS mode of operation The FSB comes up in the FIPS operating mode during module initialization. FIPS can be disabled or enabled through the GUI or through the Command Line Interface (CLI) by the Administrator. When FIPS is disabled FIPS tests are not executed. · On the GUI the Mode Indicator (Left Top of the GUI Screen) will show whether the unit is in Normal or FIPS module. To change operating mode on the GUI: o Log on to the Bridge GUI through an Administrator-level account and select Configuration -> Security from the menu on the left. On the Security screen click EDIT. o In the Edit Security screen's Security Settings frame change the Operating Mode to Normal or FIPS. · To change operating mode on the CLI o The operating mode can be determined by whether the command prompt displays FIPS; Normal operating mode displays only the hostname and single-character command prompt (> or #). o FIPS operating mode is the default Bridge mode of FSB: Bridge CLI operation. The FSB Normal operating mode does not comply with FIPS. o Change between operating modes with the set fips command. To turn FIPS operating mode on: # set fips on · To place the Bridge in Normal operating mode, turn FIPS operating mode off: o FIPS# set fips off · You must be logged on to an administrator-level account to change the operation mode. Page 34 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice. Security Policy for the Fortress Secure Bridge 11.2 Alternating BYPASS Mode The FSB may be configured to allow cleartext traffic in the encrypted zone in FIPS mode. The FSB will support alternating Bypass since it allows both clear text and encrypted data on the same interface. Cleartext Traffic is enabled by configuring a Trusted Device rule or using a protocol that needs clear text authentication service. This protocol (IEEE802.1x) is used for port-based Network Access Control and is used within the IEEE 802.11i security recommendations. The module performs alternating Bypass by allowing cleartext traffic and encrypted traffic together. IF Cleartext Traffic is Enabled the hardware's front-panel Cleartext LED flashes a signal whenever the Bridge passes unencrypted traffic in an encrypted zone. 12.0 Maintenance Issues The FSB have no operator maintainable components. Unserviceable FSB must be returned to the factory for repair. Page 35 of 35 Copyright 2009 Fortress Technologies, Inc., 4023 Tampa Rd., Suite 2000, Oldsmar, FL 34677 This document can be reproduced and distributed only whole and intact, including this copyright notice.