FIPS 140-2 Level 3 Security Policy

NITROX XL 1600-NFBE Version 2.0 Family

Document number: CN16xx-NFBE-SPD-L3
Document Version: Version 1.2
Revision Date: 01/12/2011

© Copyright 2011 Cavium Networks ALL RIGHTS RESERVED
This document may be reproduced only in its original entirety [without revision].

NITROX XL 16xx-NFBE HSM Family Version 2.0 Security Policy

Revision History

| Revision | Date | Author | Description of Change |
|---|---|---|---|
| 0.001 | 08/12/2009 | Prasad Vellanki | Initial Draft |
| 0.002 | 10/16/2009 | Prasad Vellanki | Changes to the cloning procedure to include ECC |
| 0.003 | 10/30/2009 | Prasad Vellanki | Incorporated review comments |
| 0.004 | 11/5/2009 | Prasad Vellanki | Incorporated CMVP lab comments |
| 0.4.4 | 12/13/2009 | Prasad Vellanki | Incorporated comments from CMVP Lab |
| 1.0 | 1/14/2010 | Prasad Vellanki | Final Changes |
| 1.1 | 6/11/2010 | Prasad Vellanki | Incorporated comments from CMVP Lab |
| 2.0 | 1/12/2011 | Mike Scruggs | Added changes relative to firmware version 2.0 from firmware version 1.x |

Cavium Networks CN16xx-NFBE-SPD-L3-v1.2.pdf

Table of Contents

1. Module Overview
2. Security Level
3. Modes of Operation
3.1. FIPS Approved Mode of Operation
3.2. Non-FIPS Mode of Operation
3.3. Approved and Allowed Algorithms
3.4. Non-Approved, Non-Allowed Algorithms
3.5. LED Error Pattern for FIPS failure
4. Ports and Interfaces
5. Identification and Authentication Policy
5.1. Assumption of Roles
6. Access Control Policy
6.1. Roles and Services
6.1.1. Cryptographic Officer (CO) Services
6.1.2. CU services
6.1.3. Unauthenticated Services
6.2. Definition of Critical Security Parameters (CSPs)
6.3. Definition of Public Keys
6.4. Definition of CSPs Modes of Access
7. Operational Environment
8. Security Rules
9. Physical Security Policy
9.1. Physical Security Mechanisms
10. Mitigation of Other Attacks Policy
11. References
12. Definitions and Acronyms

List of Tables

Table 1 – Module Security Level Specification
Table 2 – FIPS Approved Algorithms Used in the Module
Table 3 – FIPS Allowed Algorithms Used in the Module
Table 4 – Non-Approved, Non-Allowed Algorithms Used in the Module
Table 5 – Cavium HSM Ports and Interfaces
Table 6 – Roles and Required Identification and Authentication
Table 7 – Strengths of Authentication Mechanisms
Table 8 – Authenticated Services (CO only)
Table 9 – Authenticated Services (CU only)
Table 10 – Unauthenticated Services
Table 11 – Specification of Service Inputs & Outputs
Table 12 – Private Keys and CSPs
Table 13 – Public Keys
Table 14 – CSP Access Rights within Roles & Services

List of Figures

Figure 1 – Top View of Cryptographic Module
Figure 2 – Bottom view of Cryptographic Module

1. Module Overview

The Cavium Networks NITROX XL 1600-NFBE HSM Family (hereafter referred to as the module or HSM) is a high-performance, purpose-built security solution for crypto acceleration. The module provides a FIPS 140-2 overall Level 3 security solution. The module is deployed in a PCIe slot to provide crypto and TLS 1.0 acceleration in a secure manner to the system host. It is typically deployed in a server or an appliance to provide crypto offload. The module's functions are accessed over the PCIe or Ethernet interface via an API defined by the module.

The module is a hardware/firmware multi-chip embedded cryptographic module. The module provides cryptographic primitives to accelerate approved and allowed algorithms for TLS 1.0 and SSH. The cryptographic functionality includes modular exponentiation, random number generation, and hash processing, along with protocol-specific complex instructions to support TLS 1.0 security protocols using the embedded NITROX chips. The module implements single and two factor authentication at FIPS 140-2 Level 3 security. The physical boundary of the module is implemented by an epoxy enclosure.

Figure 1 – Top View of Cryptographic Module

Figure 2 – Bottom view of Cryptographic Module

The configuration of hardware and firmware for this validation is:

Hardware Version: 2.0

Hardware Part Numbers:

NIC version
CN1620-NFBE1NIC-2.0-G
CN1620-NFBE2NIC-2.0-G
CN1620-NFBE3NIC-2.0-G
CN1610-NFBE1NIC-2.0-G

Non-NIC version
CN1620-NFBE1-2.0-G
CN1620-NFBE2-2.0-G
CN1620-NFBE3-2.0-G
CN1610-NFBE1-2.0-G

Firmware: Version 2.0

The module supports the performance options listed above in the hardware identifier. The physical hardware and firmware are identical across all options. The underlying hardware has multiple identical cryptographic engines which are enabled or disabled using an option parameter set at manufacturing time.

The major blocks of the module are: General purpose MIPS based control processor, Crypto processors, RAM memory, NOR and NAND flash for persistent storage, Ethernet and USB interfaces, and PCIe x4 interfaces.

2. Security Level

The cryptographic module meets the overall requirements applicable to Level 3 security of FIPS 140-2.

Table 1 – Module Security Level Specification

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 3 |
| Module Ports and Interfaces | 3 |
| Roles, Services and Authentication | 3 |
| Finite State Model | 3 |
| Physical Security | 3 |
| Operational Environment | N/A |
| Cryptographic Key Management | 3 |
| EMI/EMC | 3 |
| Power on Self-Tests | 3 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

3. Modes of Operation

The module supports the following modes of operation:

1) Non-FIPS mode of operation
2) FIPS Approved Level 3 mode of operation

The module is initialized into one of the modes specified above during the module initialization period.
The value of the parameter fipsState passed into the call specifies the mode. The following are the allowed values for the fipsState parameter:

0 - Non-FIPS mode
2 - FIPS Approved mode with single factor authentication mechanism
3 - FIPS Approved mode with two factor authentication mechanism

The indicator of Approved mode is obtained by using the Get Status service. The fipstate field of the Get Status service indicates the mode.

3.1. FIPS Approved Mode of Operation

The module provides a FIPS Approved mode of operation, comprising all services described in Section 6.1 below. In this mode, the module allows only FIPS Approved or allowed algorithms. A request for any non-Approved/allowed algorithm is rejected.

3.2. Non-FIPS Mode of Operation

The module supports a Non-FIPS mode implementing the non-FIPS Approved algorithms listed in Table 4.

3.3. Approved and Allowed Algorithms

The cryptographic module supports the following FIPS Approved algorithms.

Table 2 – FIPS Approved Algorithms Used in the Module

| FIPS Approved Algorithm | Usage | Certificate |
|---|---|---|
| AES: CBC; 128, 192, 256 bits | Data encryption and decryption, key wrap | 1265 |
| AES: ECB CTR 256 bits | SP800-90 CTR DRBG | 1266 |
| Triple-DES: CBC; 168 bits | Data encryption and decryption | 898 |
| RSA 1024, 2048, 3072, 4096 | Authentication, Key Transport, Signature Verification, Key generation | 607 |
| RSA Sign/Verify: PKCS#1 padded with SHA_1, SHA-2 | Signature Generation and Verification | 742 |
| ECDSA PKG: All NIST Approved curves. Appendix A. | Key Generation, public key validation | 150 |
| ECDSA Sign/Verify: With SHA-1 | Signature Generation and Verification | 188 |
| SHA1:160; SHA2: 256, 384, 512 | Secure hashing | 1165 |
| SHA1:160; SHA2:512 | For use during Signature Verification | 1166 |
| HMAC: SHA2: 512 | Message integrity, authentication | 736 |
| KAS – SP800-56A (ECC) | Key agreement | 5 |
| RNG – ANSI X9.31 | Deterministic random number generation | 707 |
| SP800-90 CTR DRBG | Deterministic random number generation | 32 |
| DSA Key Gen: 1024, 2048 and 3072 bits | Key Generation, public key validation | 474 |
| DSA Sign/Verify: with SHA-1 | Signature Generation and Verification | 474 |

The cryptographic module supports the following non-FIPS Approved algorithms which are allowed for use in FIPS mode. ECC key pair generation is done as per Appendix B.4.1 key pair generation.

Table 3 – FIPS Allowed Algorithms Used in the Module

| Algorithm | Usage |
|---|---|
| Hardware RNG (NDRNG) | Seed, seed key generation |
| RSA PKCS#1 2048 (key wrapping; key establishment methodology provides 112 bits of encryption strength) | CSP Encrypt/Decrypt |
| AES Key Wrap per NIST Specification (key wrapping; key establishment methodology provides 256 bits of encryption strength) | Key Transport |
| KAS – SP800-56B (RSA) | Key agreement |
| MD5 | Hashing within TLS |

The module's support of the TLS 1.0 protocol is restricted to the TLS Key Derivation Function and the crypto operation. This functionality of the module is used by the user of the module as part of TLS protocol negotiation.

3.4. Non-Approved, Non-Allowed Algorithms

The cryptographic module supports the following non-Approved algorithms, available only in non-FIPS mode.

Table 4 – Non-Approved, Non-Allowed Algorithms Used in the Module

| Algorithm | Usage | Keys/CSPs |
|---|---|---|
| RC4 | Encryption/Decryption | RC4 key of 128 bits |
| PBE | Key generation | Password |

3.5. LED Error Pattern for FIPS failure

The blink pattern (ON then OFF, X times), followed by a blink gap delay of 200 ms, is used for easy identification of the error on the HSM.
All blinks are 50 msec ON and 50 msec OFF.

| FIPS test | Cycles (X) |
|---|---|
| AES (Encrypt, Decrypt) | 1 |
| Triple-DES (Encrypt, Decrypt) | 2 |
| SHA 160, 256, 512 (Hardware) | 3 |
| RSA Sig Ver | 4 |
| RSA Key Gen | 5 |
| RSA Enc/Dec | 6 |
| DSA Sig Ver | 7 |
| DSA PQG Ver | 8 |
| RNG (ANSI 9.31 KAT) | 9 |
| SHA 512 (Firmware) | 10 |
| HMAC SHA512 (Firmware) | 11 |
| DRBG (SP-800-90 KAT) | 12 |
| ECDSA Key Gen | 13 |
| ECDSA PKV | 14 |
| ECDSA Sig Ver | 15 |
| KAS (IG9.6) KAT | 16 |
| AES ECB (Encrypt, Decrypt Hardware) | 17 |
| HMAC (SHA169, SHA256, SHA384, SHA512) | 18 |
| DRBG continuous number test | 12 |
| ECDSA PKV Conditional Test | 14 |
| Hardware RNG continuous number test | 24 |
| ECDSA Pairwise Consistency Conditional Test | 25 |
| Conditional Load Test (RSA Sig Ver) | 4 |

On successful completion of the FIPS tests, the LED remains in the "ON" state. Blinking indicates failures on the HSM. If the LED glows steadily, the card's state is fine.

4. Ports and Interfaces

The module ports and interfaces are:

Table 5 – Cavium HSM Ports and Interfaces

| Physical Ports/Interface | Pins Used | FIPS 140-2 Designation | Name and Description |
|---|---|---|---|
| Gigabit Ethernet (2) | Ethernet Transmit/Receive standard interface (bidirectional pairs) leading to a standard RJ-45 pinout; Pins (1,2), (3,6), (4,5), (7,8) | Data Input; Data Output | Ethernet Interface. Used for Level 3 authentication. Used as NIC interface for the host the module is plugged into (passthrough). |
| USB Interface | USB Interface USB0_DP, USB0_DM | Power; No functionality in FIPS mode | USB Interface. Used for public key loading during initialization period only; not used in FIPS mode. |
| Serial Interface | 4 Pin serial interface - GND, 3.3V, Tx, Rx | N/A; No functionality in FIPS mode | Disabled at the hardware level once the module has completed the initialization period. |
| PCIe Interface | PCIE x4 Interface; Lane 0: Transmit Side B (14, 15), Receive Side A (16, 17); Lane 1: Transmit Side B (19, 20), Receive Side A (21, 22); Lane 2: Transmit Side B (23, 24), Receive Side A (25, 26); Lane 3: Transmit Side B (27, 28), Receive Side A (29, 30) | Data Input; Control Input; Data Output; Status Output; Power | PCIe Interface. Primary interface to communicate with the module. Provides APIs for the software on the host to communicate with the module. |
| LED | LED interface (2 pins) | Status output | Visual status indicator |

5. Identification and Authentication Policy

5.1. Assumption of Roles

The module supports two distinct operator roles, Cryptographic User (CU) and Cryptographic Officer (CO). The module enforces the separation of roles using identity-based authentication. Re-authentication is required to change roles. Concurrent operators are allowed; however, only one operator is allowed per login session. The User Id is used as the identification for identity-based authentication.

The module supports two different authentication schemes based on the initial module configuration:

• Single factor password based authentication: the username and the password, encrypted with a 2048 bit RSA public key, are passed during the Login service.
• Two factor password and challenge/response authentication: the username and encrypted password are supplied during the Login service, followed by a cryptographic challenge response mechanism.

Table 6 – Roles and Required Identification and Authentication

| Role | Description | Authentication Type | Authentication Data |
|---|---|---|---|
| CO | This role has access to administrative services offered by the module. | Identity-based operator authentication | Single factor: Username and 7 to 14 character encrypted password. Two factor: 1) Username and 7 to 14 character encrypted password 2) An RSA 1024 signed challenge. |
| CU | This role has access to all crypto services offered by the module. | Identity-based operator authentication | Single factor: Username and 7 to 14 character encrypted password. Two factor: 1) Username and 7 to 14 character encrypted password 2) An RSA 1024 signed challenge. |

Table 7 – Strengths of Authentication Mechanisms

| Authentication Mechanism | Strength of Mechanism |
|---|---|
| Single Factor Authentication using password based scheme | Single factor authentication provides a false acceptance rate of 1/78,364,164,096 (less than 1/1,000,000), determined by the password. Password is minimum 7 characters, alpha-numeric, so it is (26+10)^7. To exceed 1 in 100,000 probability of a successful random attempt during a 1-minute period, 7350919 (122515 per second) attempts would have to be executed. The module limits the number of Login tries to a user configured value "login_fail_count" during module initialization. This configuration value cannot exceed 20. If the user exceeds the configured value for maximum consecutive failed login attempts then the module is zeroized. |
| Two-factor authentication using password scheme and RSA public key cryptography | Two factor authentication is in excess of the false acceptance rate requirement. The analysis for single factor authentication above holds, with the addition of a cryptographic challenge response. The module limits the number of Login tries to a user configured value "login_fail_count" during module initialization. This configuration value cannot exceed 20. If the user exceeds the configured value for maximum consecutive failed login attempts then the module is zeroized. |

6. Access Control Policy

The Cryptographic Hardware Security Module enforces identity-based authentication. A role is explicitly selected at authentication; either Crypto Officer (CO) or Crypto User (CU) is valid. The module allows one identity per role.

6.1. Roles and Services

6.1.1. Cryptographic Officer (CO) Services

The following table lists the services. Each service is implemented using one or more of the API functions.

Table 8 – Authenticated Services (CO only)

| Service | Description |
|---|---|
| Firmware Upgrade | Allows the CO to upgrade the firmware after the firmware load test. New firmware is out of scope of this validation, as the module's validation to FIPS 140-2 is no longer valid once any non-validated firmware is installed. |
| Clone Masking Key | Securely clones the Masking key between the modules which is used to encrypt backup CSPs from the module |
| Performance Configuration | Allows the CO to set the performance configuration |
| Generate MAC | Generates a message authentication code using HMAC |
| Change CO Password | Changes CO password |
| Logout | Logs out the operator (returns the module to the unauthenticated state) and closes the session |
| Encrypt/Decrypt Data | Encrypts and decrypts data using keys in the module |
| Show Status | Displays the status of the module like configuration, FIPS Approved mode, free memory, and used sessions. Fipsstate field indicates the mode of operation for the HSM. |
| Session Status | Shows the login status of the session |
| Zeroize Module | Zeroizes all plaintext CSPs in the module by overwriting CSPs in all memory locations |
| Reset Module | Logical reset of the module. This service functions the same as a hardware reset, except that it does not reset host-side PCIe bus interface configuration. |

6.1.2. CU services

Table 9 – Authenticated Services (CU only)

| Service | Description |
|---|---|
| Key and Key Pair Management | Generates, imports, deletes and changes label of symmetric and asymmetric keys. Outputs plaintext public key. |
| Generate KLK | Generates KLK |
| Secure Backup / Restore | Masks and unmasks symmetric and asymmetric keys using masking key in the module |
| Encrypt/Decrypt Data | Encrypts and decrypts data using keys in the module |
| Sign/Verify Data | Generates signature on given data and verifies a pre-generated signature |
| Wrap/Unwrap data | Does NIST AES wrap or unwrap of given databuf |
| Secure Key Load | Enters CSPs into the module in encrypted form |
| Generate MAC | Generates a message authentication code using HMAC |
| Generate Random number | Generates FIPS approved random number of given size |
| Change CU Password | Changes CU password |
| Logout | Logs out the operator (returns the module to the unauthenticated state) and closes the session |
| Show Status | Displays the status of the module like configuration, FIPS Approved mode, free memory, and used sessions. Fipsstate field indicates the mode of operation for the HSM. |
| Session Status | Shows the login status of the session |
| Zeroize Module | Zeroizes all plaintext CSPs in the module by overwriting memory in all locations |
| Reset Module | Logical reset of the module. This service functions the same as a hardware reset, except that it does not reset host-side PCIe bus interface configuration. |

6.1.3. Unauthenticated Services

The cryptographic module supports the following unauthenticated services:

Table 10 – Unauthenticated Services

| Service | Description |
|---|---|
| Login | Allows the operator to authenticate to the module |
| Show Status | Displays the status of the module like configuration, FIPS Approved mode, free memory, and used sessions. Fipsstate field indicates the mode of operation for the HSM. |
| Session Status | Shows the login status of the session |
| Session Close | Closes the session |
| Zeroize Module | Zeroizes all plaintext CSPs in the module by overwriting memory in all locations |
| Reset Module | Logical reset of the module. This service functions the same as a hardware reset, except that it does not reset host-side PCIe bus interface configuration. |

The following table describes the input/output arguments and the return values from all the services. All inputs and outputs, both Data and Control, are exchanged over the PCIe interface.

Table 11 – Specification of Service Inputs & Outputs

| Service | Control Input | Data Input | Data Output | Status Output |
|---|---|---|---|---|
| Login | Session Handle | User Name, Encrypted Password, Nonce | N/A | SUCCESS/FAILURE |
| Show Status | Session Handle | Flags | Session Status | SUCCESS/FAILURE |
| Session Status | Session Handle | N/A | Login Status | SUCCESS/FAILURE |
| Session Close | Session Handle | N/A | N/A | SUCCESS/FAILURE |
| Zeroize Module | Session handle | N/A | N/A | SUCCESS/FAILURE |
| Power Cycle | N/A | N/A | N/A | SUCCESS |
| Key and Key pair management | Session handle | Key handle | Encrypted key, Plain Public key | SUCCESS/FAILURE |
| Secure Backup/Restore | Session Handle | Key Handle | Wrapped Key | SUCCESS/FAILURE |
| Sign/Verify Data | Session handle | Plain Data/Signature, Key handle | Signature/Status | SUCCESS/FAILURE |
| Wrap/Unwrap Data | Session handle | Plain/Wrapped Data, Key handle | Wrapped/Unwrapped data | SUCCESS/FAILURE |
| Encrypt/Decrypt Data | Session handle | Plain/Encrypted Data, Key handle | Encrypted/Decrypted Data | SUCCESS/FAILURE |
| Secure Key Load | Session Handle | Encrypted CSP | Key Handle | SUCCESS/FAILURE |
| Generate MAC | Session handle | Data, Key Handle | MAC on Data | SUCCESS/FAILURE |
| Change CU Password | Session Handle | Encrypted old and new passwords | N/A | SUCCESS/FAILURE |
| Logout | Session Handle | N/A | N/A | SUCCESS/FAILURE |
| Generate KLK | Session Handle | Source HSM Public Key, Target HSM Public Key, Nonce | Encrypted Masking Key | SUCCESS/FAILURE |
| Performance Configuration | Session Handle | Performance Level, Signature | N/A | SUCCESS/FAILURE |
| Change CO Password | Session Handle | Encrypted old and new passwords | N/A | SUCCESS/FAILURE |
| Clone Masking Key | Session Handle | Source HSM Public Key, Target HSM Public Key, Nonce | Encrypted Masking Key | SUCCESS/FAILURE |
| Firmware Upgrade | Session Handle | Firmware file, Signature file | N/A | SUCCESS/FAILURE |

6.2. Definition of Critical Security Parameters (CSPs)

The Master Key is stored in the EEPROM, while all other CSPs are encrypted using the Master Key and stored in persistent memory. The operator Login Public Keys for Crypto User (CU) and Crypto-Officer (CO) are generated on a smart card and imported into the module's persistent memory.

The following table lists the CSPs contained in the module.

Table 12 – Private Keys and CSPs

| Key Name | Type | Description |
|---|---|---|
| RNG Internal State (XKEY, XSEED) | Input to AES256 whitening function | XKEY and XSEED. |
| DRBG Internal State | Input to AES256 CTR mode whitening function | Counter, entropy input, nonce, and personalization input. |
| Master Key | AES-256 key | Used to encrypt and decrypt a subset of CSPs stored in the module. |
| KBK | AES-256 key | Used to encrypt the CSPs to extract the keys out of the module. |
| KLK (Key Loading Key) | AES-256 key | Used to decrypt the imported CSPs. |
| Cloning ECC Private Key | 512 bit ECDSA Private key | Used for key agreement of clone module service |
| Cloning RSA Private Key | 4096 bit RSA Private Key | Used for key agreement of clone module service |
| Cloning Shared Secret (Z) | Random number | Output from the Approved KDF. |
| Clone Session Encryption Key | AES-256 key | Ephemeral wrapping key generated as part of key agreement scheme. This key is used for wrapping of the Key Backup Key (KBK) during module cloning service. |
| Key Loading ECC Private Key | 512 bit ECDSA Private key | Used for key agreement of key import service to derive KLK. |
| Key Loading RSA Private Key | 4096 bit RSA Private Key | Used for key agreement of key import service to derive KLK. |
| Key Loading Shared Secret (Z) | Random number | Output from the Approved KDF. |
| Crypto User Password | 7 to 14 Characters | Entered into the module during the user creation. The password is also compared during the Login service to authenticate the CU. |
| Crypto-Officer Password | 7 to 14 Characters | Entered into the module during the user creation. The password is also compared during the Login service to authenticate the CO. |
| PSWD_DEC Private Key | 2048-bits RSA private key | Used to decrypt the operator supplied encrypted password during user creation and login. |
| RSA Private Key | RSA key of 1024, 2048, 3072 and 4096 bits | Generated, imported, or inserted into the module using the module services. |
| DSA Private Key | DSA key of 1024, 2048, 3072 bits | Generated, imported, or inserted into the module using the module services. |
| ECDSA Private Key | All NIST supported curves, Appendix A. | Generated, imported, or inserted into the module using the module services. |
| Triple-DES Symmetric Keys | Set of Triple-DES-168 keys | Generated, transported, or entered into the module using the module services under the control of authenticated (CO or CU) operators. If generated on the module, generated with an Approved RNG. If transported or entered, the module uses key transport of 256 bits of strength. |
| AES Symmetric Keys | Set of AES-128, 192, 256 keys | Generated, transported, or entered into the module using the module services under the control of authenticated (CO or CU) operators. If generated on the module, generated with an Approved RNG. If transported or entered, the module uses key transport of 256 bits of strength. |
| HMAC-SHA Key | Random number | Secret key used to generate HMAC-SHA MAC data. |
| TLS 1.0 Session AES Symmetric Key | AES 128, 192, 256 | Generated as part of the TLS 1.0 protocol negotiation. |
| TLS 1.0 Session Triple-DES Symmetric Key | 3_DES 192 | Generated as part of the TLS 1.0 protocol negotiation. |
| TLS 1.0 Session MAC Key | SHA-1 key | Generated as part of the TLS 1.0 protocol negotiation. |
| Clone Session MAC Key | SHA-256 MAC key | Generated as part of key agreement scheme and used as key confirmation during clone module service. |
| PAC | Password/Authentication Info | Imported as part of the EAP-FAST authentication. |

6.3. Definition of Public Keys

The module contains the following public keys:

Table 13 – Public Keys

| Key Name | Type | Description |
|---|---|---|
| SW/FW Validation Key | 1024 bits RSA public key | Used to validate the firmware upgrade and Manufacturer provided static configuration. |
| License Key | 1024 bits RSA public key | Used to validate the license service for module configuration (1, 2, 3, 4 module configurations). |
| Password Encryption Public Key | 2048 bits RSA public key | Used by operator to encrypt the user passwords during user creation and login. The encrypted passwords will be decrypted by the associated PSWD_DEC Private Key. |
| Cloning Initiator ECC Public Key | ECC 512 bit Static public key | Used in SP 800-56A C(0,2,ECC DH) key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| Cloning Responder ECC Public Key | ECC 512 bit Static public key | Used in SP 800-56A C(0,2,ECC DH) key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| Key Load Initiator ECC Public Key | ECC 512 bit Static public key | Used in SP 800-56A C(0,2,ECC DH) key agreement to generate shared secret Z. At HSM level, used to establish secure channel for importing encrypted CSPs (Secure Key Loading). |
| Key Load Responder ECC Public Key | ECC 512 bit Static public key | Used in SP 800-56A C(0,2,ECC DH) key agreement to generate shared secret Z. At HSM level, used to establish secure channel for importing encrypted CSPs (Secure Key Loading). |
| Cloning Initiator RSA Public Key | 4096 bit Static RSA Public Key | Used in SP 800-56B KAS2-bilateral-confirmation key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| Cloning Responder RSA Public Key | 4096 bit Static RSA Public Key | Used in SP 800-56B KAS2-bilateral-confirmation key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| Key Load Initiator RSA Public Key | 4096 bit Static RSA Public Key | Used in SP 800-56B KAS2-bilateral-confirmation key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| Key Load Responder RSA Public Key | 4096 bit Static RSA Public Key | Used in SP 800-56B KAS2-bilateral-confirmation key agreement to generate shared secret Z. At HSM level, used to establish secure channel for cloning process (to export Masking Key). |
| CO Login Public Key | 1024 bits RSA public key | Used for signature verification in a challenge / response protocol during Login process as an optional second authentication factor. |
| CU Login Public Key | 1024 bits RSA public key | Used for signature verification in a challenge / response protocol during Login process as an optional second authentication factor. |
| Cloning ECC Domain Parameter Set | ECC P-512 curve domain parameters | Domain parameter set D (Set EE) ECC P-512 curve domain parameters used in SP 800-56A C(0,2,ECC DH) key agreement to derive shared secret Z. |
| User Generated Public Keys | RSA: 1024, 2048, 3072 and 4096; DSA: 1024, 2048, 3072; ECDSA: All NIST supported curves, Appendix A. | All Keys are used for signature verification. |

6.4. Definition of CSPs Modes of Access

Table 13 defines the relationship between access to CSPs and the different module services.
The modes of access shown in the table are defined as:

G = Generate: The module generates the CSP.
R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP.
W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, or the module generates a CSP, or the module overwrites an existing CSP.
Z = Zeroize: The module zeroizes the CSP.

Table 14 – CSP Access Rights within Roles & Services

| Role | Service | Mode | Cryptographic Key or CSP |
|---|---|---|---|
| Unauthenticated | Login | R | Password Encryption public Key, Crypto User Password, Crypto-Officer Password |
| Unauthenticated | Show Status | None | None |
| Unauthenticated | Session Status | None | None |
| Unauthenticated | Session Close | None | None |
| Unauthenticated | Zeroize Module | Z | All CSPs |
| CO | Firmware Upgrade | R | SW/Firmware Validation Key |
| CO | Performance Configuration | R | License Key |
| CO | Generate KLK | G, R | Key Load Initiator Public Key, Key Load Responder Public Key, Key Loading Private Key, KLK |
| CO | Change CO Password | R | Password Encryption public Key, Crypto User Password, Crypto Officer Password |
| CO | Clone Masking Key | G, R | Cloning Initiator Public Key, Cloning Responder Public Key, Cloning Private Key, KBK |
| CO | Generate MAC | R | MAC Key |
| CO | Logout | None | None |
| CU | Encrypt/Decrypt Data | R | Symmetric Key: TDES, AES; Asymmetric Key RSA |
| CU | Sign and Verify | R | Asymmetric Key RSA, DSA and ECDSA |
| CU | Wrap/UnwrapText | R | Symmetric Key: AES |
| CU | Key and Key Pair Management | G, R, Z | Symmetric Key: AES, TDES; Asymmetric Key: RSA, DSA, ECDSA; Password Encryption public key (RSA) |
| CU | Secure Backup/Restore | R, RZ, W | KBK, Symmetric Key/Asymmetric Key |
| CU | Secure Key Load | R, W | Key Load Initiator Public Key, Key Load Responder Public Key, Key Load private key, KLK, Key Object |
| CU | Generate MAC | R | MAC Key |
| CU | Change CU Password | R | Password Encryption public Key, Crypto User Password, Crypto Officer Password |
| CU | Logout | None | None |
| CU | Encrypt/Decrypt Data | R | Symmetric Key: TDES, AES; Asymmetric Key: RSA |

7. Operational Environment

The module implements a limited operational environment. FIPS 140-2 Area 6 Operational Environment requirements do not apply to the module in this validation.

8. Security Rules

This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level-3 module.

1. The cryptographic module clears previous authentications on power cycle.
2. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services.
3. The cryptographic module shall perform the following power up, continuous and conditional self-tests:
   A. Power-Up Tests
      - AES Encrypt & Decrypt KATs
      - Triple-DES Encrypt & Decrypt KAT
      - SHS KAT 160 bit (hardware implementation)
      - RSA Sig Gen/Ver and KeyGen KAT
      - DSA Sig Gen/Ver, PQG Gen/Ver and KeyGen KAT
      - ECDSA Sig Gen/Ver, PKV and KeyGen KAT
      - HMAC-SHA-512 KAT (firmware implementation)
      - RNG ANSI X9.31 KAT
      - SHS KAT 160, 256, 512 (firmware implementation)
      - SP800-90 CTR_DRBG KAT
      - ECDSA KeyGen and PKV KAT
      - RSA Encrypt & Decrypt KAT
      - KAS KAT per IG 9.6 (Q=dG and KDF)
      - Firmware integrity test (CRC16)
   B. Conditional Self-Tests
      - ECDSA Pairwise Consistency Test
      - RSA Pairwise Consistency Test
      - DSA Pairwise Consistency Test
      - ANSI X9.31 Continuous number test
      - SP800-90 CTR_DRBG Continuous number test
      - KAS conditional test
      - Firmware load test (RSA SigVer KAT)
      - HW RNG Continuous Number Test
4. Critical Functions Tests: The module runs the following Critical Functions Tests which are required to ensure the correct functioning of the device.
   a. Power On Memory Test
   b. Power On Phy Test
   c. EEPROM Test
   d. NOR Flash Test
   e. Nitrox Chips Tests
5. The operator shall be capable of commanding the module to perform the power up self-test by cycling power or resetting the module.
6. Power up self-tests do not require any operator action.
7. Data output shall be inhibited during self-tests, zeroization, and error states.
8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
9. The module ensures that the seed and seed key inputs to the Approved RNG are not equal.
10. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
11. The module does not support a maintenance interface or role.
12. The module does not support bypass capabilities.
13. The module does not support manual key entry.
14. The module has no CSP feedback to operators.
15. The module does not enter or output plaintext CSPs.
16. The module does not output intermediate key values.
17. The module shall be configured for FIPS operation by following the first-time initialization procedure described in User Manual and C-API Specification (CN16xx-NFBE-API-0.9).

9. Physical Security Policy

9.1. Physical Security Mechanisms

The module’s cryptographic boundary is defined to be the outer perimeter of the hard epoxy enclosure containing the hardware and firmware components. The module is opaque and completely conceals the internal components of the cryptographic module. The epoxy enclosure of the module prevents physical access to any of the internal components without having to destroy the module. There are no operator required actions.

10. Mitigation of Other Attacks Policy

No mitigation of other attacks is implemented by the module.

11. References

1. NIST AES Key Wrap Specification, 16th Nov, 2001.
2. NIST Special Publication 800-56A, March, 2007.
3. NIST Special Publication 800-56B, August, 2009.
4. NIST Special Publication 800-57 Part-1, May 2006.
5. FIPS PUB 140-2, FIPS Publication 140-2 Security Requirements for Cryptographic Modules.
6. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program.

12. Definitions and Acronyms

CO – Crypto Officer
CU – Crypto User
HSM – Hardware Security Module
KBK – Key Backup Key
KLK – Key Loading Key
KAT – Known Answer Test

Appendix A: Supported ECC curves

Curves over prime number fields: P-192, P-224, P-256, P-384, P-521.
Koblitz curves over 2^m fields: K-163, K-233, K-283, K-409, K-571.
Curves over 2^m fields: B-163, B-233, B-283, B-409, B-571.
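
The self-test rules in section 8 (the SHS KATs of rule 3, the continuous number test, the power-cycle retest of rule 5 and the output inhibition of rule 7), modelled in Python as an added example; this is not Cavium's firmware or code from this policy. The class ToyModule, its state names and the injectable digest and entropy hooks are assumptions made for illustration.

```python
import hashlib
import os

# FIPS 180 example digests of b"abc": known answers for the SHS KATs.
SHS_KATS = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223"
              "b00361a396177a9cb410ff61f20015ad",
    "sha512": "ddaf35a193617abacc417349ae204131"
              "12e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd"
              "454d4423643ce80e2a9ac94fa54ca49f",
}


class OutputInhibited(Exception):
    """Data output was requested outside the READY state (rule 7)."""


class ToyModule:
    """Hypothetical model of the self-test rules, not the NITROX firmware."""

    def __init__(self, digest=None, entropy=os.urandom):
        # Both hooks are injectable so a faulty implementation can be simulated.
        self.digest = digest or (lambda n, m: hashlib.new(n, m).hexdigest())
        self.entropy = entropy
        self.state = "POWER_OFF"
        self.prev = None

    def power_up(self):
        """Rule 3A: run every KAT; one mismatch puts the module in ERROR."""
        self.state = "SELF_TEST"
        ok = all(self.digest(n, b"abc") == kat for n, kat in SHS_KATS.items())
        self.state = "READY" if ok else "ERROR"
        self.prev = None  # comparison block does not survive a power cycle
        return ok

    def random_block(self, size=16):
        """Rule 3B continuous test: a block equal to its predecessor is fatal."""
        if self.state != "READY":
            raise OutputInhibited(self.state)
        if self.prev is None:
            # FIPS 140-2 4.9.2: the first block is kept for comparison only.
            self.prev = self.entropy(size)
        block = self.entropy(size)
        if block == self.prev:
            self.state = "ERROR"
            raise OutputInhibited("continuous number test failed")
        self.prev = block
        return block
```

Passing a digest hook that returns a wrong value, or an entropy hook that repeats a block, drives the model into the ERROR state, after which only a new power_up() call restores service.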