FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Document Version: 1.2 BlackBerry Certifications, Research In Motion © 2011 Research In Motion Limited. All rights reserved. www.blackberry.com This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Page 2 of 21 Document and contact information Version Date Description 1.0 September 20, 2011 Document creation 1.1 September 29, 2011 Added certificate numbers from CAVP and updated with comments received from CGI 1.2 January 16, 2012 Updated Table of Contents to include Appendix A Contact Corporate office BlackBerry Certifications Research In Motion certifications@rim.com 295 Phillip Street (519) 888-7465 ext. 72921 Waterloo, Ontario N2L 3W8 Canada www.rim.com: www.blackberry.com BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 3 of 21 Table of Contents DOCUMENT AND CONTACT INFORMATION ........................................................................................... 2 TABLE OF CONTENTS ............................................................................................................................... 3 LIST OF FIGURES ....................................................................................................................................... 4 LIST OF TABLES ......................................................................................................................................... 5 1 INTRODUCTION ................................................................................................................................... 6 1.1 IDENTIFICATION ................................................................................................................................ 6 1.2 OVERVIEW ....................................................................................................................................... 6 1.3 FIPS 140-2 SECURITY LEVELS ......................................................................................................... 7 2 CRYPTOGRAPHIC MODULE SPECIFICATION ................................................................................. 8 2.1 SECURITY FUNCTIONS ...................................................................................................................... 8 2.2 MODES OF OPERATION ..................................................................................................................... 9 2.2.1 Switching to FIPS 140-2 Approved Mode of Operation .......................................................... 9 2.2.2 Verifying the Module is in FIPS 140-2 Approved Mode of Operation ..................................... 9 2.3 CONFORMANCE TESTING AND FIPS-COMPLIANCE ............................................................................. 9 2.4 CRYPTOGRAPHIC BOUNDARY ............................................................................................................ 9 2.5 DETERMINING MODULE VERSION..................................................................................................... 10 3 CRYPTOGRAPHIC MODULE PORTS AND INTERFACES .............................................................. 11 4 ROLES, SERVICES AND AUTHENTICATION .................................................................................. 12 4.1 ROLES ........................................................................................................................................... 12 4.2 SERVICES ...................................................................................................................................... 12 4.3 AUTHENTICATION............................................................................................................................ 12 5 PHYSICAL SECURITY ....................................................................................................................... 14 6 CRYPTOGRAPHIC KEYS AND CRITICAL SECURITY PARAMETERS.......................................... 15 6.1 KEY ZEROIZATION........................................................................................................................... 16 7 SELF-TESTS....................................................................................................................................... 17 7.1 INVOKING THE SELF-TESTS ............................................................................................................. 18 8 MITIGATION OF OTHER ATTACKS ................................................................................................. 19 APPENDIX A ACRONYMS ........................................................................................................................ 20 BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 4 of 21 List of Figures Figure 1: BlackBerry Solution Architecture ................................................................................................... 6 Figure 2: Physical Boundary ....................................................................................................................... 10 BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 5 of 21 List of Tables Table 1: Summary of Achieved Security Levels per FIPS 140-2 Section .................................................... 7 Table 2: Approved Security Functions .......................................................................................................... 8 Table 3: Implementation of FIPS 140-2 Interfaces ..................................................................................... 11 Table 4: Module Services ........................................................................................................................... 12 Table 5: Role Selection by Module Service ................................................................................................ 13 Table 6: Cryptographic Keys and CSPs ..................................................................................................... 15 Table 7: Module Self-Tests ......................................................................................................................... 17 Table 8: Attack Types ................................................................................................................................. 19 BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 6 of 21 1 Introduction 1.1 Identification The following information identifies this document: • Title: FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 • Version: 1.2 1.2 Overview BlackBerry® is the leading wireless solution that allows users to stay connected to a full suite of applications, including email, phone, enterprise applications, the Internet, SMS, and organizer information. BlackBerry is a totally integrated package that includes innovative software, advanced BlackBerry wireless devices and wireless network service, providing a seamless solution. The BlackBerry architecture is shown in the following figure: Figure 1: BlackBerry Solution Architecture BlackBerry devices are built on industry-leading wireless technology, allowing users to receive email and information automatically with no need to request delivery. Additionally, users are notified when new information arrives, making it easier to stay informed. BlackBerry devices also provide an intuitive user experience. Users simply click on an email address, telephone number, or URL inside a message to automatically begin composing the new email, make the call, or link to the web page. BlackBerry device users can also easily navigate through icons, menus, and options with the trackpad or touch screen, and quickly compose messages or enter data using the device keyboard. 1 Each BlackBerry handheld device contains the BlackBerry Cryptographic Kernel, a firmware module that provides the cryptographic functionality required for basic operation of the device. The BlackBerry Cryptographic Kernel meets the requirements of the FIPS 140-2 Security Level 1. The BlackBerry Cryptographic Kernel, hereafter referred to as cryptographic module or module, provides the following cryptographic services: • data encryption and decryption 1 Excludes RIM 850™, RIM 950™, RIM 857™, and RIM 957™ wireless handheld devices. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 7 of 21 • message digest and authentication code generation • random data generation • digital signature verification • elliptic curve key agreement More information on the BlackBerry solution is available from http://www.blackberry.com/. 1.3 FIPS 140-2 Security Levels The BlackBerry Cryptographic Kernel meets the overall requirements applicable to Level 1 security for FIPS 140-2 as shown in Table 1. Table 1: Summary of Achieved Security Levels per FIPS 140-2 Section Section Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security 1 Operational Environment N/A Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 3 Mitigation of Other Attacks 1 Cryptographic Module Security Policy 1 BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 8 of 21 2 Cryptographic Module Specification 2.1 Security Functions The cryptographic module is a firmware module that implements the following FIPS-approved security 2: functions Table 2: Approved Security Functions Algorithm Description Certificate Number v3.8.7.0 v3.8.7.1 AES-128, Encrypts and decrypts, as specified in FIPS 197. The #1798 #1800 AES-192 & implementation supports the ECB, CBC, CFB, OFB and AES-256 CTR modes of operation. AES-256 ECM Encrypts and decrypts, as specified in FIPS 197. The #1799 #1801 implementation supports the ECB and CTR modes of operation. Triple DES Encrypts and decrypts, as specified in NIST Special #1163 #1164 Publication 800-67. The implementation supports the CBC mode of operation. SHA-1, As specified in FIPS 180-3 #1581 #1582 SHA-256 & SHA-512 HMAC-SHA-1, As specified in FIPS 198. The implementation is based #1063 #1064 HMAC-SHA-256 & on SHA-1, SHA-256 and SHA-512 as specified in FIPS HMAC-SHA-512 180-3 AES CTR DRBG As specified in NIST Special Publication 800-90. The #132 #133 implementation is CTR_DRBG using AES CTR mode. ECDSA Signature verification, as specified in FIPS 186-3 and #244 #245 ANSI X9.62. The implementation supports elliptic curve K-571. RSA PKCS#1 Signature verification, as specified in PKCS #1, version #902 #903 2.1 The module implements the following non approved security functions that, per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, may presently be used in a FIPS- approved mode of operation: • EC Diffie-Hellman (key agreement, key establishment methodology provides 256 bits of encryption strength), Per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, the implementation may presently be used in a FIPS-approved mode of operation. The implementation supports elliptic curves P-521 and K-571. 2 A security function is FIPS-approved if it is explicitly listed in FIPS 140-2 Annex A: Approved Security Functions for FIPS PUB 140-2. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 9 of 21 • ECMQV (key agreement, key establishment methodology provides 256 bits of encryption strength), Per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, the implementation may presently be used in a FIPS-approved mode of operation. The implementation supports elliptic curves P-521 and K-571. 2.2 Modes of Operation A function call is required to initialize the module in the FIPS 140-2 approved mode of operation. When the module is in the FIPS 140-2 approved mode of operation, only approved security functions and cryptographic algorithms are performed. 2.2.1 Switching to FIPS 140-2 Approved Mode of Operation The operator can switch the mode of operation of the module on a BlackBerry device to the FIPS 140-2 approved mode of operation by performing the following operations: 1. From BlackBerry Administration Service, click Manage IT Polices. 2. Select the IT Policy in effect on the BlackBerry device. 3. Click Edit IT Policy  Security Tab. 4. Select Yes for Enforce FIPS Mode of Operation. 5. Reboot the BlackBerry handheld as instructed. 2.2.2 Verifying the Module is in FIPS 140-2 Approved Mode of Operation The operator can determine whether the module on a BlackBerry device is operating in the FIPS 140-2 approved mode of operation by performing the following operations: 1. On the BlackBerry device Home screen, click the Options icon. 2. Click Security  Security Status Information 3. The Security Status Information screen displays FIPS Mode of Operation Enabled 2.3 Conformance Testing and FIPS-Compliance For the purposes of FIPS 140-2 conformance testing, the module was executed on the BlackBerry 9900 per FIPS 140-2 Implementation Guidance G.5.The module remains vendor affirmed FIPS-compliant when executed on other BlackBerry devices. Conformance testing for BlackBerry Cryptographic Kernel Version 3.8.7.0 was performed using BlackBerry OS Version 7.0, while conformance testing for BlackBerry Cryptographic Kernel Version 3.8.7.1 was performed using BlackBerry OS Versions 7.0 and 7.1. In order for the module to remain validated on a specific handheld device, both the unchanged module and the tested operating platform shall be ported to any device. 2.4 Cryptographic Boundary The physical boundary of the module is the physical boundary of the BlackBerry device that executes the module as shown in the following figure. Consequently, the embodiment of the module is a multiple-chip standalone. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 10 of 21 Application Module Operating system Device physical boundary Figure 2: Physical Boundary 2.5 Determining Module Version The operator can determine the version of the module on a BlackBerry device by performing the following operations: 1. On the BlackBerry device Home screen, click the Options icon. 2. Click Device  About Device Versions 3. The About screen displays the module version, for example, Cryptographic Kernel v3.8.7.1 BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 11 of 21 3 Cryptographic Module Ports and Interfaces The module ports correspond to the physical ports of the BlackBerry device executing the module, and the module interfaces correspond to the logical interfaces to the module. The following table describes the module ports and interfaces. Table 3: Implementation of FIPS 140-2 Interfaces FIPS 140-2 Interface Module Ports Module Interfaces Data Input keyboard, touch screen, microphone, input parameters of module USB port, headset jack, wireless function calls modem, and Bluetooth® wireless radio Data Output speaker, USB port, headset jack, output parameters of module wireless modem, and Bluetooth function calls wireless radio Control Input keyboard, touch screen, USB port, module function calls trackpad, BlackBerry button, escape button, backlight button, and phone button Status Output USB port, primary LCD screen, and return codes of module LED function calls Power Input USB port and battery not supported Maintenance not supported not supported BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 12 of 21 4 Roles, Services and Authentication 4.1 Roles The module supports user and crypto officer roles. The module does not support a maintenance role. The module does not support multiple or concurrent operators and is intended for use by a single operator, thus it always operates in a single-user mode of operation. 4.2 Services The services described in the following table are available to the operator. Table 4: Module Services Service Description Reset Resets the module. The module can be reset by power cycling the module. View Status Displays the status of the module Perform Key Agreement Establishes a secure channel to the module utilizing ECDH and ECMQV key agreement algorithms in transport of the new Master Key that is created outside the cryptographic boundary. Generate Session Key Generates a session key or a PIN session key. This service is performed automatically on behalf of the operator during the Encrypt Data service. Encrypt Data Encrypts data that is to be sent from the device. A session key is automatically generated through the Generate Session Key service and used to encrypt the data. The session key is encrypted with the master key and then the encrypted data and encrypted session key are ready for transmission. Decrypt Data Decrypts data that has been received by the device. The encrypted session key is decrypted with the master key and is then used to decrypt the data. This service is performed automatically on behalf of the operator. Generate HMAC Generates a message authentication code Perform Self-Tests Executes the module self-tests Verify Signature Verifies the digital signature of an IT policy received by the device. This service is performed automatically on behalf of the operator. Wipe Handheld Zeroizes all software device keys and user data present on device 4.3 Authentication The module does not support operator authentication. Roles are implicitly selected based on the service performed by the operator. Implicit role selection is summarized in the following table, as are the keys and critical security parameters (CSPs) that are affected by each service. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 13 of 21 Table 5: Role Selection by Module Service Implicitly selected Affected keys and Access to keys and Service role CSPs CSPs Reset user n/a n/a View Status user n/a n/a Perform Key Agreement crypto officer ECC key pair execute master key write Generate Session Key user session key or write PIN session key Encrypt Data user master key or execute PIN master key session key or execute PIN session key Decrypt Data user master key or execute PIN master key session key or execute PIN session key Generate HMAC user HMAC key execute Perform Self-Tests user firmware integrity key execute Verify Signature user ECC public key execute Wipe Handheld crypto officer all software keys write BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 14 of 21 5 Physical Security The BlackBerry device that executes the module is manufactured using industry standard integrated circuits and meets the FIPS 140-2 Level 1 physical security requirements. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 15 of 21 6 Cryptographic Keys and Critical Security Parameters The following table describes the cryptographic keys, key components, and CSPs15utilized by the module. Table 6: Cryptographic Keys and CSPs Key or CSP Description Master Key A Triple DES or AES-256 key used to encrypt and decrypt Session Keys. The Master Key is always generated outside the cryptographic boundary. The key is passed into the module for temporary use in the following ways:  in plaintext as parameters to an API call when connected directly to the USB port of a workstation operating BlackBerry Desktop Manager, or  encrypted by the current Master Key if utilizing key agreement with the BlackBerry Enterprise Server. Session Key A Triple DES or AES-256 key used to encrypt and decrypt data. The module generates session keys using the implemented AES CTR DRBG in accordance to SP 800-90. PIN Master Key A master key that is specifically a Triple DES key used to encrypt and decrypt PIN session keys. The PIN master key is generated outside the cryptographic boundary. The key is passed into the module for temporary use in the following ways:  in plaintext, as parameters to an API call when connected directly to the USB port of a workstation operating BlackBerry Desktop Manager  encrypted by the current master key if utilizing key agreement with the BlackBerry Enterprise Server. PIN Session Key A session key that is specifically a Triple DES key used to encrypt and decrypt data for PIN messaging. The module generates PIN session keys using the implemented AES CTR DRBG in accordance to SP 800-90. ECC Key Pair A key pair used to perform key agreement over elliptic curves An ECC session key, that is specifically a short lived ephemeral key, is ECC Session Key used during key agreement during Master Key transport and is zeroized after use. ECC Public Key A public key used to verify digital signatures over elliptic curves and part of the Key Agreement process HMAC Key A key used to calculate a message authentication code using the HMAC algorithm RSA Public Key A public key used to verify digital signatures in the Firmware Integrity Test ECDSA Public Key A public key used to verify digital signatures in the Firmware Integrity Test BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 16 of 21 6.1 Key Zeroization The BlackBerry security solution provides multiple protective features to ensure algorithmic keys and key components are protected. Similarly, data, and specifically key removal through zeroization, is an integral part of the BlackBerry security solution. A user can also request a zeroization at any time by navigating to Options and selecting Wipe Handheld using the Options  Security  Security Wipe. The BlackBerry Enterprise Server administrator may also zeroize the device remotely to wipe all device data and keys. Furthermore, session keys that are created per datagram are destroyed after each data fragment is sent. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 17 of 21 7 Self-Tests The module implements the self-tests that are described in the following table: Table 7: Module Self-Tests Test Description Firmware Integrity Test The module implements an integrity test for the module software by verifying its 1024-bit RSA signature. The firmware integrity test passes if and only if the signature verifies successfully using the Firmware Integrity Key. AES KAT The module implements known answer tests for the AES variants. The tests pass if and only if the calculated output equals the expected output Triple DES KAT The module implements a KAT for Triple DES in the CBC mode of operation. The test passes if and only if the calculated output equals the expected output. SHA-1 KAT The module implements a KAT for SHA-1. The KAT passes if and only if the calculated output equals the expected output. SHA-256 KAT The module implements a KAT for SHA-256. The KAT passes if and only if the calculated output equals the expected output. SHA-512 KAT The module implements a KAT for SHA-512. The KAT passes if and only if the calculated output equals the expected output. HMAC SHA-1 KAT The module implements a KAT for HMAC SHA-1. The KAT passes if and only if the calculated output equals the expected output. HMAC SHA-256 KAT The module implements a KAT for HMAC SHA-256. The KAT passes if and only if the calculated output equals the expected output. HMAC SHA-512 KAT The module implements a KAT for HMAC SHA-512. The KAT passes if and only if the calculated output equals the expected output. RSA Verify KAT The module implements a KAT for RSA signature verification. The test passes if and only if the calculated output equals the expected output. ECDSA Verify KAT The module implements a KAT for ECDSA signature verification. The test passes if and only if the calculated output equals the expected output. AES CTR DRBG KAT The module implements a KAT for the AES CTR DRBG. The KAT passes if and only if the calculated output equals the expected output. Continuous RNG Test The module implements a continuous RNG test, as specified in FIPS 140- 2, for the implemented AES CTR DRBG EC Diffie-Hellman KAT The module implements a KAT for EC Diffie-Hellman. The KAT passes if and only if the calculated output equals the expected output. ECMQV KAT The module implements a KAT for ECMQV. The KAT passes if and only if the calculated output equals the expected output. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 18 of 21 All self-tests (except the Continuous RNG test) are executed during power-up without requiring operator input or action. The Firmware Integrity Test is the first self-test executed during power-up. 7.1 Invoking the Self-Tests The operator can invoke the power-up self-tests by resetting the module using the Reset service. The operator can also invoke all of the self-tests with the exception of the Firmware Integrity Test and Continuous RNG test by performing the following operations: 1. Navigate to the Options  Security  Security Status Information. 2. Click the BlackBerry button to open the options menu. 3. In the menu, click Verify Security Software. When the self-tests are executed in this manner, the module displays the list of self-tests that are being executed and a pass or fail status upon completion. BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 19 of 21 8 Mitigation of Other Attacks The module is designed to mitigate multiple side-channel attacks specific to the AES algorithm. Mitigation of these attacks is accomplished through the execution of table masking, splitting, and stirring maneuvers designed to aid in the protection of cryptographic keys and plaintext data at all points during the encryption, decryption, and self-test operations. The following table describes the types of attacks the module mitigates. Table 8: Attack Types Attack type Description • attempts to exploit physical properties of the algorithm implementation Side-Channel using Power Analysis (for example, SPA and DPA) and Electromagnetic Analysis (for example, SEMA and DEMA) • attempts to determine the encryption keys that a device uses by measuring and analyzing the power consumption, or electro-magnetic radiation emitted by the device during cryptographic operations BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 20 of 21 Appendix A Acronyms Introduction This appendix lists the acronyms that are used in this document. Acronyms Acronym Full term AES Advanced Encryption Standard ANSI American National Standards Institute API application programming interface CAT compare answer test CBC cipher block chaining CSP critical security parameter DEMA differential electromagnetic analysis DES Data Encryption Standard DPA differential power analysis DRBG Deterministic Random Bit Generator EC Elliptic curve ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm ECMQV Elliptic Curve Menezes, Qu, Vanstone FIPS Federal Information Processing Standard HMAC keyed-hash message authentication code IEEE Institute of Electrical and Electronics Engineers KAT known answer test LCD liquid crystal display LED light-emitting diode OS operating system PIN personal identification number PKCS Public Key Cryptography Standard PUB Publication BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security Page 21 of 21 Acronym Full term RIM Research In Motion RNG Random Number Generator RSA Rivest, Shamir, Adleman SEMA simple electromagnetic analysis SHA Secure Hash Algorithm SHS Secure Hash Standard SMS Short Message Service SPA simple power analysis URL Uniform Resource Locator USB Universal Serial Bus BlackBerry Cryptographic Kernel Versions 3.8.7.0 and 3.8.7.1 Published by BlackBerry Security