Senetas Corporation Ltd. CN1000 Fibre Channel Encryptor FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation October 2011 © 2011 Senetas Corporation Ltd. All rights reserved. (Doc No.) v1.0.9 This document may be freely reproduced and distributed whole and intact including this copyright notice. www.senetas.com Table of Contents 1. Introduction................................................................................................................................... 3 1.1 References ............................................................................................................................... 3 1.2 Document History ..................................................................................................................... 4 1.3 Acronyms and Abbreviations.................................................................................................... 4 1.4 Definitions ................................................................................................................................. 5 2. Product Description ...................................................................................................................... 6 2.1 Module Identification................................................................................................................. 6 2.2 Operational Overview ............................................................................................................... 7 2.2.1 General.............................................................................................................................. 7 2.2.2 Encryptor management ..................................................................................................... 8 2.2.3 Fibre Channel implementation .......................................................................................... 8 3. Module Ports and Interfaces ........................................................................................................ 9 3.1 CN1000 Ports ........................................................................................................................... 9 3.2 CN1000 Encryptor Interfaces ................................................................................................. 10 4. Roles, Services and Authentication ........................................................................................... 13 4.1 Identification and Authentication............................................................................................. 14 4.2 Roles and Services................................................................................................................. 15 5. Physical Security ........................................................................................................................ 18 6. Cryptographic Key Management................................................................................................ 20 6.1 Cryptographic Keys and CSPs ............................................................................................... 20 6.2 Cryptographic Algorithms ....................................................................................................... 22 7. Self Tests ................................................................................................................................... 24 8. Crypto-Officer and User Guidance............................................................................................. 26 8.1 Delivery................................................................................................................................... 27 8.2 Location .................................................................................................................................. 27 8.3 Configuration .......................................................................................................................... 27 9. Mitigation of Other Attacks ......................................................................................................... 29 Senetas Corporation Ltd Page 2 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 1. Introduction This is a non-proprietary FIPS 140-2 Security Policy for the Senetas Corporation Ltd. “CN1000 Fibre Channel Encryptor v1.9.3” cryptographic module. This Security Policy specifies the security rules under which the module operates to meet the FIPS 140-2 Level 3 requirements. FIPS 140-2 (Federal Information Processing Standards Publication 140-2), Security Requirements for Cryptographic Modules, specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive but unclassified information. Based on four security levels for cryptographic modules this standard identifies requirements in eleven sections. For more information about the NIST/CSEC Cryptographic Module Validation Program (CMVP) and the FIPS 140-2 standard, visit www.nist.gov/cmvp . This Security Policy, using the terminology contained in the FIPS 140-2 specification, describes how the CN1000 Fibre Channel Encryptor complies with the eleven sections of the standard. In this document, the CN1000 Fibre Channel Encryptor is also referred to as “the module” or “the encryptor”. This Security Policy contains only non-proprietary information. Any other documentation associated with FIPS 140-2 conformance testing and validation is proprietary and confidential to Senetas Corporation Ltd., and is releasable only under appropriate non-disclosure agreements. For more information describing the CN Series systems, visit http://www.senetas.com. References 1.1 For more information on the FIPS 140-2 standard and validation program please refer to the National Institute of Standards and Technology website at www.nist.gov/cmvp. The following standards from NIST are all available via the URL: www.nist.gov/cmvp . FIPS PUB 140-2: Security Requirements for Cryptographic Modules. • FIPS 140-2 Annex A: Approved Security Functions. • FIPS 140-2 Annex B: Approved Protection Profiles. • FIPS 140-2 Annex C: Approved Random Number Generators. • FIPS 140-2 Annex D: Approved Key Establishment. • Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for • Cryptographic Modules. Advanced Encryption Standard (AES), Federal Information Processing Standards Publication • 197. Data Encryption Standard (DES), Federal Information Processing Standards Publication 46-3. • DES Modes of Operation, Federal Information Processing Standards Publication 81. • Digital Signature Standard (DSS), Federal Information Processing Standards Publication • 186-2. Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-3. • ATM Security Specification (Version 1.1), af-sec-0100.002, The ATM Forum Technical • Committee, March, 2001. Senetas Corporation Ltd Page 3 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Document History 1.2 Authors Date Version Comment Senetas Security 26-May-2009 1.0.0 First submission 1000 Series Security Policy. Senetas Security 12-Jan-2010 1.0.1 Coordination review. nd Senetas Security 28-Jan-2010 1.0.2 Coordination review 2 Edition Senetas Security 23-Mar-2011 1.0.3 Fibre Channel re-verification Senetas Corporation Ltd 11-Jul-2011 1.0.4 Modified Security Policy document to be Fibre Channel specific Senetas Corporation Ltd 14-Jul-2011 1.0.5 Review comments incorporated Senetas Corporation Ltd 6-Sep-2011 1.0.6 Updated certificate numbers Senetas Corporation Ltd 6-Sep-2011 1.0.7 Final edits pre submission Senetas Corporation Ltd 30-Sep-2011 1.0.8 CSC QA review notes incorporated Senetas Corporation Ltd 5-Sep-2011 1.0.9 CSC Final Review Acronyms and Abbreviations 1.3 AES Advanced Encryption Standard ATM Asynchronous Transfer Mode CAT Connection Action Table CBC Cipher Block Chaining CFB Cipher Feedback CLI Command Line Interface CMVP Cryptographic Module Validation Program CSE Communications Security Establishment CSP Critical Security Parameter DES Data Encryption Standard EDC Error Detection Code EMC Electromagnetic Compatibility EMI Electromagnetic Interference FC Fibre Channel FCC Federal Communication Commission FIPS Federal Information Processing Standard Gbps Gigabits per second GFC Generic Framing Protocol HMAC Keyed-Hash Message Authentication Code IP Internet Protocol IV Initialization Vector Senetas Corporation Ltd Page 4 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy KAT Known Answer Test LED Light Emitting Diode Mbps Megabits per second NC Network Certificate NIST National Institute of Standards and Technology NTU Network Termination Unit NVLAP National Voluntary Laboratory Accreditation Program PRNG Pseudo Random Number Generator PUB Publication RAM Random Access Memory RFC Request for Comment ROM Read Only Memory RNG Random Number Generator RSA Rivest Shamir and Adleman Public Key Algorithm SAN Storage Area Network SDH Synchronous Digital Hierarchy SFP Small Form-factor Pluggable (transceiver) SHA-n Secure Hash Algorithm SONET Synchronous Optical Network VCAT Virtual Channel Action Table X.509 Digital Certificate Standard RFC 2459 Definitions 1.4 The following Senetas product designators have been updated from those referenced by FIPS140-2 Cryptographic module validation certificate 1267. New designators CN1000 New identifier for CypherNET 1000 platform CN3000 New identifier for CypherNET 3000 platform CN Series Refers to the CN1000 and CN3000 encryptor family Legacy designators CypherNET Legacy designator for the CN Series encryptors CypherNet Legacy designator for the CN Series encryptors Senetas Corporation Ltd Page 5 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 2. Product Description The CN1000 Fibre Channel Encryptor is a multiple-chip standalone cryptographic module consisting of production-grade components contained, in accordance with FIPS 140-2 Level 3, in a physically protected enclosure. Excluding the pluggable interface (SFP) transceivers, the module’s outer casing defines the cryptographic boundary. The encryptor is completely enclosed in a steel case which is protected from tampering by internal tamper protection circuitry and external tamper response seals. Any attempt to remove the cover automatically erases all sensitive information stored internally in the cryptographic module. The module meets the overall requirements applicable to Level 3 security for FIPS 140-2. Table 1 Module Compliance Table Security Requirements Section Level Cryptographic Module Specification 3 Cryptographic Module Ports and Interfaces 3 Roles and Services and Authentication 3 Finite State Machine Model 3 Physical Security 3 Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 3 Self-Tests 3 Design Assurance 3 Mitigation of Other Attacks N/A Cryptographic Module Security Policy 3 Module Identification 2.1 The CN1000 Fibre Channel Encryptor v.1.9.3 provides data privacy and access control services for Fibre Channel networks. See model details summarized in Table 2. Data privacy is provided by FIPS approved AES and Triple-DES algorithms. The complete list of approved module algorithms is included in the Approved Security Function table. Table 2 CN1000 Fibre Channel Model Model Interface / Protocol (Cryptographic Module) Notes A5175B 4 Gbps – Fibre Channel AC power This model supports pluggable transceivers which are considered to be outside the cryptographic boundary. (2088 Module) Senetas Corporation Ltd Page 6 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Operational Overview 2.2 2.2.1 General The CN1000 Fibre Channel (FC) encryptor operates in a point-to-point network topology. Encryptors are typically installed between an operators’ private network equipment and public network infrastructure. Securing an optic fibre link that connects two remote office sites is a common installation application. Figure 1. provides a operational overview of two CN1000 encryptors positioned in the network. Figure 1 - Operational Overview The data path between two encryptors is referred to as a `connection`. The term `session` refers to a connection that has been securely established and is processing data according to a defined encryption policy. The Connection Action Table (CAT) stores the processing rules for each policy. The CN1000 Fibre Channel encryptor supports policy options of ‘Secure` and ‘Discard` and these apply to all data carried on each connection. The default policy for a pair of connected encryptors is `Discard`. In this mode user data is not transmitted to the public network. In order to enter `Secure` mode and pass information securely, each encryptor must be `Certified` by the same trusted body and exchange a secret `Session Key` using the RSA key exchange process (as specified in the ATM Forum’s ATM Security Specification version 1.1). If the session key exchange is successful this results in a separate secure session per connection, without the need for secret session keys to be displayed or manually transported and installed. Figure 2. (overleaf) illustrates the conceptual data flow through a CN1000 encryptor. 1. Information arrives at the encryptor’s interface ports 2. The encryptor looks up a connection rule in the Connection Action Table (CAT) which specifies how that information is to be processed, 3. The information is processed according to the rule and (if not being discarded) is encrypted and sent out the opposite port Senetas Corporation Ltd Page 7 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy encrypted payload hdr clear payload hdr Decryption hdr encrypted payload hdr clear payload Network Encryption Local Physical Physical encrypted bit stream clear bit stream interface interface Control and encrypted bit stream clear bit stream Management Unprotected Network Protected Network Figure 2 - Data Flow Through the Encryptor 2.2.2 Encryptor management Encryptors can be centrally controlled or managed across local and remote stations using Senetas’ `CypherManager` Remote Management application. Encryptors support both in-band and out-of-band SNMPv3 management. In-band management interleaves management messages with user data on the encryptor’s network interface port whilst out-of-band management uses the dedicated front panel Ethernet port. A Command Line Interface (CLI) is also available via the console RS-232 port. 2.2.3 Fibre Channel implementation Fibre Channel is the de-facto interconnection technology for storage networking and is optimised for the efficient movement of data between server and storage systems in a Storage Area Network (SAN). Acting as a `Bump in the Fibre`, the CN1000 can secure point-to-point Fibre Channel network connections operating at speeds up to 4.25Gbps. Figure 3. shows a typical Fibre Channel installation in which the encryptors are deployed on a public network link. In this example the encryptors provide a secure connection between two SAN components; a File Server and remote Disk Array. Fibre Channel information is sent in discrete frames as per the Fibre Channel ANSI standard (ANSI INCITS 424-2007). The standard defines a multi-layer hierarchy of which the CN1000 Fibre Channel encryptor implements FC-0, FC-1 and the required FC-2 layer functionality to enable network interoperability with Direct Fibre, Fibre with Repeater, GFP-T and GFP-F connections. In order to interwork with Fibre Channel network devices the FC-2 header is only partially encrypted. The Source identifier, Destination identifier and Frame Type fields of the frame header are left unencrypted. The remaining header fields and payload are encrypted. Figure 3 – Fibre Channel Configuration Senetas Corporation Ltd Page 8 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 3. Module Ports and Interfaces CN1000 Ports 3.1 The encryptor user access ports, LCD display and Keypad are located on the front of the module as presented in Figure 4. Ethernet port LCD USB LEDs Keypad Serial console Figure 4 - Front View of CN1000 The encryptor has two data interface ports (Local and Network) located in the rear of the module as presented in Figure 5. ON/OFF switch Power Interface card receptacle Figure 5 - Rear View of CN1000 The Local Port connects to the physically secure private network while the Network Port connects to an unsecured public network. Figure 6 - A5175B 1/2/4 Gbps (SFP) Fibre Channel dual port label The rear panel also contains a tamper evident seal that indicates movement of the module interface card with respect to the module enclosure. See Section 5, Physical Security for details. Senetas Corporation Ltd Page 9 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Table 3 defines the Physical Ports. Table 3 Physical Ports Port Location Purpose RJ-45 Ethernet Front Panel Allows secure and authenticated remote management by the CypherManager application. DB9 RS-232 Serial Front Panel The Serial Console port connects to a local terminal Console and provides a simple command line interface for initialization prior to authentication and operation in the approved mode. This port also allows administrative access and monitoring of operations. User name and password authentication is required to access this port. USB Front Panel The USB port provides the Crypto Officer with a mechanism for applying approved and properly signed firmware updates to the module. Keypad Front Panel Allows entry of initialization commands. LCD Front Panel Displays configuration information in response to commands entered via the keypad. Also indicates the state of RSA keys and certificates. LEDs Front Panel Indicate the system state, including alarms. LEDs Rear Panel Indicate network traffic. Network Port Rear Panel The Network Port connects to the public network; access is protected by RSA certificates. The Network Port is of the same interface type as the Local Port. Local Port Rear Panel The Local Port connects to the private network; access is protected by RSA certificates. The Local Port is of the same interface type as the Network Port. Power Connector Rear Panel Provides power to the module. CN1000 Encryptor Interfaces 3.2 Table 4 summarizes the FIPS 140-2 defined Logical Interfaces. Table 4 Logical Interfaces Interface Explanation Data Input Interface through which data is input to the module. Data Output Interface by which data is output from the module. Control Input Interface through which commands are input to configure or control the operation of the module. Status Output Interface by which status information is output from the module. Senetas Corporation Ltd Page 10 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy The FIPS 140-2 Logical Interfaces map to the Physical Ports as outlined in Table 5. Table 5 FIPS 140-2 Logical Interface to Physical Port Mapping FIPS 140-2 Logical CN1000 Interface Physical Port Interface Data Input Private Network Interface Local Port Public Network Interface Network Port Data Output Private Network Interface Local Port Public Network Interface Network Port Control Input Local Console DB9 RS-232 Serial Console Keypad & Display Keypad / LCD CypherManager Remote Management RJ-45 Ethernet Management Interface Port Private Network Interface Local Port Public Network Interface Network Port Status Output Local Console DB9 RS-232 Serial Console Keypad & Display Keypad / LCD CypherManager Remote Management RJ-45 Ethernet Management Interface Port Private Network Interface Local Port Public Network Interface Network Port LEDs Front & Rear LEDs Power Power Switch Power Connector The Fibre Channel Encryptor supports the FIPS 140-2 Logical Interfaces as outlined in Table 6. Table 6 Interface Support Logical Interface Support Data Input & Local Interface: Data Output Connects to the local (private) network; sends and receives • plaintext user data to and from the local network. Network Interface: Connects to the public network; sends and receives ciphertext • user data, via the public network, to and from a far end cryptographic module. Authenticates with the far end cryptographic module(s); sends • and receives authentication data and RSA key exchange components to and from a far end module. The module can be set to bypass allowing it to send and receive plaintext user data for selected connections. Control Input Control Input is provided by the Local Console, Keypad & Display, and CypherManager Remote Management Interface as follows: The Keypad supports module initialization prior to authentication • Senetas Corporation Ltd Page 11 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Logical Interface Support and operation in the approved mode. A Crypto Officer sets the IP address for remote administration by CypherManager; sets the system clock; and loads, in conjunction with CypherManager, the module’s certificate. As an alternative to using the Keypad, the Local Console may • be used for initialization prior to certification and operation in the approved mode. The Local Console receives control input from a locally connected terminal. Following initialization and authentication, the CypherManager • application can communicate with the module to receive out-of- band control input. When configured for in-band management, the Private and Public Network Interfaces may also receive control input. In this mode, the CypherManager application sends control input by way of the Local or Network Port rather than the RJ-45 Ethernet. Status Output Status output is provided by the Keypad & Display, LEDs, Local Console and CypherManager Remote Management Interface as follows The Display presents the Crypto Officer with the command data • being entered via the Keypad. It also indicates the state of the RSA keys and certificates. The LEDs indicate error states, state of the local and network • interfaces, alarm, temperature, battery state and network traffic. As an alternative to using the Keypad & Display, the Local • Console may be used for initialization prior to certification and operation in the approved mode. The Local Console may also be used for monitoring some operations; status output is sent to a locally connected terminal. Following initialization and authentication, the module sends • out-of-band status output to the CypherManager application. When configured for in-band management, the Private and Public Network Interfaces may also send status output. In this mode, the module status output is sent to the CypherManager application by way of the Local or Network Port rather than the RJ-45 Ethernet Port. The encryptor does permit logically distinct categories of information to share the Local and Network Ports. If the module is configured to allow in-band management traffic, then the control/status information (key exchange or management commands) and user data enter and exit the module via the Network Interfaces. The module separates these two logically distinct categories of information, using the mechanisms specific to the operational protocols. Fibre Channel systems use the SOFi4 unused ordered set in conjunction with a proprietary • header type for key management and for segregating in-band management traffic. Senetas Corporation Ltd Page 12 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 4. Roles, Services and Authentication The cryptographic module supports four roles: Crypto Officer, Operator, Upgrader and User. Crypto Officers are assigned permissions based on one of two subcategories: Administrator and Supervisor. The supported roles are summarized in Table 7. Table 7 Roles Role Description Crypto Officer Administrator: Provides cryptographic initialization and management functions. Crypto Officer functions are available via CypherManager. Limited functions are also available via the Console interface. Supervisor: Provides limited operational management functions. Functions are available via CypherManager. Limited functions are also available via the Console interface. Services for the CO are accessible directly via the Local Console CLI or remotely via the CypherManager Remote Management Interface and the CypherManager application. User Restricted to read-only access to module configuration data. Operator: Services for the Operator are accessible directly via the Local Console CLI or remotely via the CypherManager Remote Management Interface and the CypherManager application. Upgrader: The Upgrader Role is limited to applying field upgrades to the module firmware. Additional access is restricted to read-only access to module configuration data. Services for the Upgrader are accessible directly via the Local Console CLI or remotely via the CypherManager Remote Management Interface and the CypherManager application. The User Role is available in conjunction with other authenticated modules. The User Role negotiates encryption/decryption keys and uses encryption/decryption services. User services are only indirectly accessible based on the connections configured with other cryptographic modules. Roles cannot be changed while authenticated to the module; however, the module permits multiple concurrent operators. While only one operator may connect to the Local Console at a time, multiple concurrent remote sessions are permitted. CypherManager based management is not session oriented; thus, multiple operators may be issuing commands with each command processed individually as it is received by the module. In a meshed network the system architecture supports simultaneous interactions with many far end modules; the multiple users (remote modules) all sending data to the data input port. The module’s access control rules, system timing, and internal controls maintain separation of the multiple concurrent COs, Operators, Upgraders and Users. The module does not support a maintenance role. Since there are no field services requiring removal of the cover, physical maintenance is performed at the factory. Note: A Crypto Officer should zeroize the module before it is returned to the factory. The module can be zeroized by command or by removing the network interface card(s). Senetas Corporation Ltd Page 13 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Identification and Authentication 4.1 The module employs Identity-Based Authentication. Access is restricted as indicated in Table 8. Up to 30 unique names and passwords may be defined for operators (COs, Operators, Upgraders) of the module. Operators using the Local Console enter their name and password to authenticate directly with the module. Operators using CypherManager issue commands to the encryptor. Password based authentication and Diffie-Hellman Key Agreement allow the transport of secure messages to the module. Commands from CypherManager are individually authenticated to ensure Data Origin Authentication and Data Integrity. Data Origin Authentication, based on the names and passwords, ensures the authenticity of the user claiming to have sent the command. Users employing the module’s security functions and cryptographic algorithms, over the Data Input and Output ports, authenticate via certificates that have been generated and signed by a common CypherManager. The Users exchange master and session keys using RSA public key wrapping. Table 8 Authentication Type Role Type of Authentication Authentication Data Crypto Officer Identity-based Crypto Officers using the Local Console present unique user names and passwords to log in to the CLI. Crypto Officers using CypherManager have unique identities embedded in the command protocol. Each issued command is individually authenticated. Operator Identity-based Operators follow the same authentication rules as Crypto Officers. Upgrader Identity-based Upgraders follow the same authentication rules as Crypto Officers. User Identity-based Users (remote encryptors) authenticate to each other with their CypherManager issued certificates. The strength of the authentication mechanisms is detailed in Table 9. Table 9 Strength of Authentication Authentication Mechanism Strength Password COs, Operators, and Upgraders accessing the module CLI, via the Local Console, must authenticate using a password that is at least 8 characters and at most 16 characters in length. The characters used in the password must be from the ASCII character set of alphanumeric and special (shift- 8 number) characters. This yields a minimum of 62 (over 14.5 million) possible combinations. The possibility of correctly guessing a password is less than 1 in 1,000,000. After three failed authentication attempts via the CLI, the Local Console port access is locked for 3 minutes. With the 3 minute lockout, the possibility of randomly guessing a password in 60 seconds is less than 1 in 100,000. Note: The module also suppresses feedback of authentication data, being entered into the Local Console, by returning blank characters. User Certificates Far end modules (Users) authenticate using an RSA authentication certificate based on a 1024, 2048 or 4096 bit keys. The possibility of deriving a private RSA key is less than Senetas Corporation Ltd Page 14 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Authentication Mechanism Strength 1 in 1,000,000. Based on the multi-step handshaking process between modules, the possibility of randomly guessing the passphrase in 60 seconds is less than 1 in 100,000. Roles and Services 4.2 The CN1000 Fibre Channel Encryptor supports the services listed in the following tables. The tables group the authorized services by the module’s defined roles and identify the Cryptographic Keys and CSPs associated with the services. The modes of access are also identified per the explanation. R - The item is read or referenced by the service. W - The item is written or updated by the service. E - The item is executed by the service (the item is used as part of a cryptographic function) D - The item is deleted by the service. The module’s services are described in more detail in the CN Series documentation. The following basic services are Unauthenticated . They either require physical access to the module or are used in establishing the operator’s authorized role. With the exception of power cycling (to run the Self Tests) or physically tampering the module, all Crypto Officer services require the operator to be Authenticated. For a Crypto Officer, the process of authenticating establishes the access level (Administrator, Supervisor or Operator) afforded to the operator. Power cycling or physically tampering the module requires physical access to the CN1000 Fibre Channel Encryptor. Table 10 Unauthenticated Services Service Cryptographic Keys and CSPs Access Type Run Self Test (Power Cycle Initialization Vector D,W the Module) RSA Public Key D,W RSA Private Key D,W,E Password (HMAC-SHA-1) R,E Authenticate operator [1] Console: Plain Password R,E Tamper System Master Key W [1] Once authenticated, the module establishes whether the operator is authorized for CO (Administrator, Supervisor), Operator or Upgrader access. Once authenticated, the operator has access to the services required to initialize, configure and monitor the module. With the exception of passwords associated with user accounts, the operator never enters Cryptographic Keys or CSPs directly into the module (an Administrator CO will enter passwords when working with user accounts). Senetas Corporation Ltd Page 15 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Table 11 Operator – Roles and Services Crypto Officer User Authorized Cryptographic Keys and Access Service CSPs Type Admin Supv Oper Upgr User Set Real Time none W Clock RSA Public and Private W Load Module Keys Certificate W RSA Public Key Certificate Password W Create User Account Modify User Password E, W Account Delete User Password D Account View User none R Account Edit Connection none W Action Table (Bypass) View Connection none R Action Table Show Firmware none R Version Clear Audit Trail Password W View Audit Trail none R Clear Event Log Password W View Event Log none R View FIPS Mode none R Status Change FIPS Password W Mode Status Run Self Test Password E (Reboot Command) Install Firmware none E Update Generate AES or Triple-DES Session W [1] [1] Session Key Keys Generate Initialization Vector W [1] [1] Initialization Vector RSA signature RSA Private Key R, E [1] [1] generation Senetas Corporation Ltd Page 16 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Crypto Officer User Authorized Cryptographic Keys and Access Service CSPs Type Admin Supv Oper Upgr User RSA signature RSA Public Key R, E [1] [1] verification Erase Module – System Master Key and all W Zeroize (Console CSP data stored in non- Command) volatile memory Establish a Privacy Key R, W, E [2] [2] [2] Remote Session [1] Restarting a connection causes new session keys to be generated. [2] Privacy keys are established when a remote session is initiated and used to encrypt and decrypt all subsequent directives. Note: Plaintext Cryptographic Keys and CSPs are never output from the module regardless of the operative role or the mode of operation. Senetas Corporation Ltd Page 17 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 5. Physical Security The CN1000 Fibre Channel Encryptor employs the following physical security mechanisms: 1. The encryptor is made of commercially available, production grade components meeting commercial specifications for power, temperature, reliability, shock and vibration. All Integrated Circuit (IC) chips have passivation applied to them. The steel enclosure is opaque to the visible spectrum. The ventilation holes on the encryptor’s sides are factory fitted with baffles to obscure visual access and to prevent undetected physical probing inside the enclosure. Attempts to enter the module without removing the cover will cause visible damage to the module, while removing the cover will trigger the tamper circuitry. 2. Access to the internal circuitry is restricted by the use of tamper detection and response circuitry which is operational whether or not power is applied to the module. Attempting to remove the enclosure’s cover causes the immediate zeroization of the System Master Key (a 168-bit symmetric key which is used to encrypt the unit’s private key and user localized passwords). Zeroization of the System Master Key renders all cryptographic keys and CSPs indecipherable. 3. Two tamper evident seals are pre-installed (at factory). The first is placed over the interface module face plate, between the interface card and the underside of the main enclosure. The second is placed between the top cover and underside of the main enclosure (refer Figure 7). Attempting to remove the interface card or top cover to obtain access to the internal components of the module will irreparably disturb these seals, thus providing visible evidence of the tamper attempt. Note that it is not physically possible to remove the enclosure lid without first removing the interface card. Figure 7 – Factory installed tamper seals Senetas Corporation Ltd Page 18 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Access to the cryptographically relevant components of the module requires the cover to be removed, and any attempt to remove the module cover is considered tampering. Removal of the cover requires removal of the network interface card(s) which triggers the Tamper Circuit. Should the tamper circuit be triggered, the module zeroizes the System Master Key. All data previously encrypted by the System Master Key is no longer able to be decrypted correctly, including cryptographic keys and CSP data. The module then returns to an uncertified state and remains in that state until it is checked and re-certified. The Tamper Circuit is active at all times; the specific tamper response differs slightly based on the module’s power state. 1. The module is powered on when the Tamper Circuit is triggered: The module zeroizes the System Master Key. It also erases any active key material and logs an event message indicating that the network interface card has been removed. After tamper activation, the system is uncertified and the Secure LED (on the front panel) is illuminated red until the module is re-certified (a new certificate is loaded). Whilst in the uncertified state, CLI and CypherManager access are active, but no user data is output. 2. The module is powered off when the Tamper Circuit is triggered: The module zeroizes the System Master Key. Since the module does not retain active key material across power cycles, there is no additional key material to be zeroized. The event message is logged and the Secure LED (on the front panel) is illuminated red after the module is once again powered on. When the Tamper Circuit is triggered, the module powers on to the uncertified state. Whilst in this state, CLI and CypherManager access are active, but no user data is output. While the physical security mechanisms protect the integrity of the module and its keys and CSPs, it is strongly recommend that the cryptographic module be maintained within a physically secure, limited access room or environment. Table 12 outlines the recommended inspection practices and/or testing of the physical security mechanisms. Table 12 Physical Security Inspection & Test Security Mechanism Inspection & Test Guidance Frequency Tamper Evidence Tamper indication is available to all user In accordance with roles via the alarm mechanism and organization’s Security evidence by the physical tamper labels. Policy. The Crypto Officer is responsible for the physical security inspection. During normal operation, the Secure LED is illuminated green. When the unit is uncertified (has no loaded certificate as either the default factory manufactured state or user erase operation has been executed) or in the tampered state, the Secure LED is illuminated red and all traffic is blocked. Inspect the enclosure and tamper evident seals for physical signs of tampering or attempted access to the cryptographic module. Tamper Circuit The module enters the tampered state No direct inspection or test when the circuit is triggered. Once in this is required; triggering the state, the module blocks all user traffic circuit will block all data until the module is physically reset. flow. Senetas Corporation Ltd Page 19 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 6. Cryptographic Key Management Cryptographic Keys and CSPs 6.1 The following table identifies the Cryptographic Keys and Critical Security Parameters (CSPs) employed within the module. Table 13 Cryptographic Keys and CSPs Key Use Storage System Master Key On initialization, the module generates a Stored, as plaintext, in a 168-bit symmetric key. This key encrypts, tamper protected memory using 3-key Triple-DES CFB8, the device. module’s public and private RSA keys and On tamper, the System the user table stored in the configuration Master Key is zeroized flash memory. rendering the encrypted data, in the configuration flash memory, undecipherable. RSA Private Key This 1024 or 2048 bit key is the secret Stored, in 3-key Triple- component of the module’s RSA Key pair. DES-encrypted format, in It is generated when the module receives a non-volatile memory. Load Certificate command from On tamper, the Triple-DES CypherManager. The RSA Private Key is System Master Key is used to authenticate connections with zeroized, rendering the other encryptors and to unwrap master encrypted RSA Private session keys and session keys received Key undecipherable. from far-end encryptors. RSA Public Key This 1024 or 2048 bit key is the public Stored, in 3-key Triple- component of the module’s RSA Key pair. DES-encrypted format, in It resides in the Network Certificate, and is Flash Memory. used for authenticating connections with On tamper, the Triple-DES other encryptors. System Master Key is zeroized, rendering the encrypted RSA Public Key undecipherable. Module Certificate The X.509v3 certificate is associated with Stored, in the clear, in the module in an operational environment. non-volatile system It is produced and signed by the managing memory. CypherManager system to establish root The certificate is deleted trust between encryptors. Once the from memory only on an certificate has been authenticated, Far-end Erase command from a encryptors use the embedded RSA Public Crypto Officer. Key to wrap the initial session keys used to encrypt a session. Alteration of the certificate will result in an authentication failure between encryptors. Authentication Up to 30 unique Crypto Officers Passwords and their Password (Administrator, Supervisor or Operator) associated Usernames are may be defined, with associated hashed and stored in the passwords, within the module. User Table which is stored 3-key Triple-DES- The CLI uses the Authentication Password encrypted format in non- to authenticate Crypto Officers accessing volatile memory. the system via the Local Console. On tamper, the Triple-DES CypherManager requires an operator System Master Key is password that is used to uniquely zeroized, rendering the authenticate each command to the Senetas Corporation Ltd Page 20 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Key Use Storage module. encrypted Passwords undecipherable. Session Master Key For each session, the module generates a All session keys are held symmetric session master key using the in volatile system memory ANSI X9.31 PRNG. The seed key and and destroyed at the end seed value are not part of the stored CSP of a session. data, but are generated on demand as required. RSA key exchange is used to transfer this key to a far-end encryptor. The session master key persists for the life of the session and is used to secure the active session keys that may be changed periodically during the session. Session Keys For each session, the module also All session keys are held generates two session keys for each data in volatile system memory flow path in the secure connection (one for and destroyed at the end the Initiator-Responder path and another of a session. for the Responder-Initiator path) using the ANSI X9.31 PRNG. These keys Triple-DES or AES encrypt and decrypt the user data transferred between the encryptors. These active session keys are normally changed periodically based on the duration of the session. Privacy Keys For each remote management session, the All privacy keys are held in module generates an AES privacy key volatile system memory using Diffie-Hellman to secure the control / and destroyed at the end flow path in the secure connection. The of a remote management key is generated using the ANSI X9.31 session. PRNG. X9.31 PRNG Seed For each ANSI X9.31 PRNG operation, the The ANSI X9.31 Seed key Key RNG Seed Key is sourced from the is held in volatile system hardware RNG device. memory and destroyed on power cycle. X9.31 PRNG Seed For each ANSI X9.31 PRNG operation, the The ANSI X9.31 Seed is RNG Seed is sourced from the hardware held in volatile system RNG device. memory and destroyed on power cycle. Note: While the certificates, maintained within the module, are listed as CSPs, they contain only public information. The module prevents data output during system initialization. No data is output until the module is successfully authenticated and the module certificate has been properly loaded. Following system initialization, the module prevents data output during the self tests associated with a power cycle or reboot event. No data is output until all self tests have completed successfully. The module also prevents data output during and after zeroization of cryptographic keys and CSPs; zeroization occurs when the tamper circuit is triggered. In addition, the system’s internal modules and timing controls work together to isolate the CSP and key management functions from the user data input and output processes. Senetas Corporation Ltd Page 21 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Cryptographic Algorithms 6.2 The CN1000 Fibre Channel Encryptor employs the following approved cryptographic algorithms. Table 14 FIPS Approved Algorithms Algorithm Algorithm FIPS Validation Target Model Type Certificate CN Series Crypto Library CN1000 Symmetric Triple-DES Key TCBC (e/d; KO 1) TDES # 1158 TCFB8 (e/d; KO 1,2) TCFB64 (e/d; KO 1,2) AES CBC (e/d; 128,256) AES # 1786 CFB128 (e/d; 128,256) Asymmetric RSA Key ALG[ANSIX9.31]; Key(gen) (MOD: 1024, 2048, 4096; PubKey Values: 65537) ALG[RSASSA- RSA # 893 PKCS1_V1_5]; SIG(gen); SIG(ver); 1024, 2048, 4096, SHS: SHA-1, SHA- 256, SHA-512 DSA KEYGEN(Y) MOD(1024) DSA # 562 SIG(gen) MOD(1024) SIG(ver) MOD(1024) Hashing SHA-1 (BYTE only) SHS # 1568 SHA-256 (BYTE only) SHA-512 (BYTE only) HMAC HMAC-SHA-1 (Key Sizes HMAC # 1051 Ranges Tested: KS> fips CN1000 Encryptor> fips FIPS mode enabled The CypherManager screen for reporting the FIPS status is found on the User Management screen, in the Access tab. Note: Read all of the instructions in this section before installing, configuring, and operating the CN1000 Fibre Channel Encryptor. Senetas Corporation Ltd Page 26 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy Delivery 8.1 When the CN1000 Fibre Channel Encryptor is delivered, the CO can verify that the model and serial numbers on the outside of the packaging, the model and serial numbers attached to the encryptor itself, and the numbers listed on the order acknowledgement, all match. The CO can also verify that the encryptor has not been modified by examining the tamper evident seal on the outside of the unit. If the seal is broken, then the integrity of the encryptor cannot be assured and Senetas should be informed immediately. Upon receipt of the CN1000 Fibre Channel Encryptor, the following steps should be undertaken: 1. Inspect the shipping label as well as the label on the bottom of the system to ensure it is the correct FIPS approved version of the hardware. 2. Inspect the encryptor for signs of tampering. Check that the tamper evident tape and the covers of the device do not show any signs of tampering. If tampering is detected, return the device to the manufacturer. Do not install the encryptor if it shows signs of tampering or has an incorrect label. Contact your organization’s Security Officer for instructions on how to proceed. If the device has the correct label and shows no signs of tampering, proceed to the next section. Location 8.2 The encryptor must be installed in a secure location to ensure that it cannot be physically bypassed or tampered with. Ultimately the security of the network is only as good as the physical security around the encryptor. Always maintain and operate CN1000 Fibre Channel Encryptor in a protected/secure environment. If it is configured in a staging area, and then relocated to its operational location, never leave the unit unsecured and unattended. Ideally the encryptor will be installed in a climate-controlled environment with other sensitive electronic equipment (e.g. a telecommunications room, computer room or wiring closet). The encryptor can be installed in a standard 19-inch rack or alternatively mounted on any flat surface. Choose a location that is as dry and clean as possible. Ensure that the sides of the encryptor are unobstructed to allow a good flow of air through the fan vents. The encryptor is intended to be located between a trusted and an untrusted network. The Local Interface of the encryptor is connected to appropriate equipment on the trusted network and the Network Interface of the encryptor is connected to the untrusted (often public) network. Depending on the topology of your network, the Local Interface will often connect directly to a router, switch, or Add/Drop Multiplexer, while the Network Interface will connect to the NTU provided by the network carrier. Configuration 8.3 Full configuration instructions are provided in the User Manual. Use the guidance here to constrain the configuration so that the device is not compromised during the configuration phase. This will ensure the device boots properly and enters FIPS 140-2 approved mode. When powering up the module for the first time, use the front panel to configure the system for network connectivity. Then use CypherManager to initialize the module and perform the configuration operations. 1. Power on the unit. The system bootup sequence is entered each time the module is powered on and after a firmware restart. CN1000 automatically completes its self tests and verifies the authenticity of its firmware as part of the initialization process. The results of these tests are reported on the front panel LCD and are also logged in the system audit log. If errors are detected during the diagnostic phase, the firmware will not complete the power up sequence but will instead enter a fatal shutdown state indicating it has been tampered. If Senetas Corporation Ltd Page 27 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy this is the case the first time the system is powered on, the system must be returned for inspection and repair. 2. Follow the User Manual’s Installation section to set the system’s IP Address, Date and Time. 3. If CypherManager is being run for the first time, it will ask if the installation will act as the Certification Authority (CA) for the secure network. If the user selects yes a private and public RSA key pair that will be used to sign X.509 certificates is generated.. 4. Install the X.509 certificate into the cryptographic module. The process to install a certificate is as follows: 1. The administrator clicks the Get Certificate button in the CypherManager Install New Certificate screen. The CN1000 Fibre Channel Encryptor returns a certificate containing its public key and name. The information returned is hashed and the hash value is displayed as the validation code. Note: For the initial certification CN1000 must be placed in Certificate Mode via the front panel. Subsequent recertification does not require CypherNET to be placed in Certification Mode. 2. After verification of the validation code the administrator must enter the private key password (used to secure the local CypherManager database) and the new administrator account details for CN1000. 3. After the administrator clicks the OK button CypherManager signs the X.509 certificate and sends it back to the CN1000. The contents of the certificate are hashed and the hash value is displayed as the validation code. Note: On initial certification the certificate must be accepted on CN1000 to complete installation. 4. The administrator must then log out of the CN1000 being managed and log back in using the new administrator account details. After an X.509 certificate has been installed into CN1000 the administrator can create supervisor and operator accounts. At this point the CN1000 is able to encrypt in accordance with the configured security policy; the ENT key on the front panel is disabled; and the default factory account has been removed. 5. Ensure the encryptor is in FIPS 140-2 mode (default setting) via the CypherManager User Management Access tab; 6. Configure the security policy to enable encrypted tunnels with other CN1000 units. Configuration of the security policy is network specific; refer to the User Manual for specific details. Senetas Corporation Ltd Page 28 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy 9. Mitigation of Other Attacks The module does not mitigate specific attacks. End Senetas Corporation Ltd Page 29 of 29 CN1000 Fibre Channel Encryptor v1.0.9 Non-Proprietary Security Policy