Symantec Corporation PGP Software Developer’s Kit (SDK) Cryptographic Module FIPS 140-2 Security Policy Document Version 4.2.2 Revision Date 2/21/12 © Symantec Corporation, 2012 May be reproduced only in its entirety (without revision). Table of Contents 1   INTRODUCTION ............................................................................................. 2   2   MODULE SPECIFICATIONS .......................................................................... 3   2.1   SUPPORTED ALGORITHMS ...................................................................................... 4   2.2   CRYPTOGRAPHIC BOUNDARY ................................................................................. 6   2.3   PORTS AND INTERFACES ........................................................................................ 7   2.4   SECURITY LEVEL ................................................................................................... 8   2.5   OPERATIONAL ENVIRONMENT ................................................................................. 9   2.6   APPROVED MODE OF OPERATION ......................................................................... 10   3   SECURITY RULES ....................................................................................... 11   4   ROLES AND SERVICES .............................................................................. 12   5   ACCESS CONTROL POLICY ...................................................................... 20   5.1   CRITICAL SECURITY PARAMETERS ........................................................................ 20   5.2   ACCESSES ........................................................................................................... 20   5.3   SERVICE TO CSP AND PUBLIC KEY ACCESS RELATIONSHIP .................................. 22   6   CRYPTOGRAPHIC KEY MANAGEMENT ................................................... 28   6.1   KEY GENERATION AND ESTABLISHMENT ............................................................... 28   7   PHYSICAL SECURITY POLICY ................................................................... 29   8   SELF-TESTS ................................................................................................. 29   8.1   POWER-UP TESTS ............................................................................................... 30   8.2   ON-DEMAND TESTS ............................................................................................. 31   8.3   CONDITIONAL TESTS ............................................................................................ 31   9   MITIGATION OF OTHER ATTACKS ............................................................ 32   GLOSSARY ........................................................................................................ 33   © Symantec Corporation, 2012 May be reproduced only in its entirety (without revision). PGP SDK 4.2.1 Cryptographic Module Security Policy 1 Introduction The PGP Software Developerʼs Kit (SDK) Cryptographic Module (SW Version 4.2.1) is a software only cryptographic module validated to the standards set forth by the FIPS PUB 140-2 Security Requirements for Cryptographic Modules document published by the National Institute of Standards and Technology (NIST). The module is intended to meet the security requirements of FIPS 140-2 Level 1 overall. This module is responsible for the cryptographic services used by Symantec Corporationʼs PGP line of software products and is used as a building block to provide the secure exchange of email, network communications and storage of data. This document, the Cryptographic Module Security Policy (CMSP), also referred to as the Security Policy, specifies the security rules under which the module must operate. Page 2 PGP SDK 4.2.1 Cryptographic Module Security Policy 2 Module Specifications The PGP SDK, SW Version 4.2.1, is a software-only cryptographic module embodied as a shared library binary that executes on general-purpose computer systems and is available on a number of operating systems. The specific operating system and version to be validated is specified in the Operational Environment section of this document. For the purpose of FIPS validation, this document will only be concerned with the core cryptographic APIs described under Section 4 of this document. Table 1: Embodiment of the PGP SDK core cryptographic module on various OS in FIPS Mode Operating System Typical Pathname Windows XP Professional SP3 %windir%/system32/PGPsdk.dll Mac OS X 10.7 PGP.framework/PGP iOS 5 PGPsdk.dylib Linux, 32-bit: CentOS 5.5 libPGPsdk.so The PGP SDK cryptographic module is accessible to client applications through an application-programming interface (API). The API functions in the crypto module are enumerated in the Roles and Services Section of this document. The PGP SDK provides a FIPS mode of operation; which is described in the Approved Mode of Operation section of this document. For the purposes of FIPS 140-2, the PGP SDK library is classified as a multi-chip standalone module. The PGP SDK does not support multiple concurrent operators. The module does not support a bypass mode. Page 3 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.1 Supported Algorithms The PGP SDK implements the following algorithms in the FIPS mode of operation. Table 2: Algorithms supported by the PGP SDK in FIPS mode Type Algorithm FIPS Status FIPS 46-3 (cert #1150) Symmetric Key Triple-DES (3-Key) TECB, TCBC, TCFB FIPS-197 (cert #1777) AES (128,192,256) ECB, CBC and CFB128 Asymmetric Key RSA (up to 4096 bits) FIPS 186-2 for Sign/Verify (cert #888) Encrypt/Decrypt (Key wrapping; key establishment methodology provides between 112 and 128 bits of encryption strength) DSA FIPS 186-2 (cert #558) Message Digest SHA-1, 224,256,384,512 FIPS 180-3 (cert #1558) Message HMAC SHA-1,224, 256, FIPS-198 (cert #1042) Authentication 384, 512 Random Number CTR_DRBG (AES-256) SP 800-90 (cert #124) Generation Split Knowledge Shamir Threshold Secret Allowed Sharing Page 4 PGP SDK 4.2.1 Cryptographic Module Security Policy In non-FIPS mode, the PGP SDK cryptographic module also provides the following non-FIPS Approved algorithms: Symmetric Key Encryption: CAST-5, IDEA, Two-Fish, Blow-Fish, Arc4-128, • AES (EME2 mode; non-compliant) Message Digest: MD5, HMAC-MD5, RIPEMD-160 • DSA with SHA-256 (FIPS 186-3) (non compliant) • ECDH (256, 384, 512) • Key establishment: ElGamal • ECDSA (P256, P384, P521) (non compliant) • Page 5 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.2 Cryptographic Boundary The physical cryptographic boundary is defined as the computer's case that the PGP SDK is installed in and includes all the accompanying hardware. The moduleʼs logical cryptographic boundary is defined to be a subset of the PGP SDK binary software library as defined by the Roles and Services Section of this document. An operator is accessing (or using) the module whenever one of the library calls is executed through the API and thus the module logical interfaces are provided by the API calls. In addition, the SDKʼs key database is included in the cryptographic boundary. Figure 1: Module Cryptographic Boundary Key Database(s) Programming API Client Asymmetric Key Management Application High-level Cryptographic Low-Level Cryptographic Random Number Miscellaneous Client Application User Interface Note that the dashed line represents the PGP SDK crypto boundary. Note that the Key Database itself is not a CSP, but rather the Key Database is an underlying data structure that contains CSPs. Page 6 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.3 Ports and Interfaces The PGP SDK software module restricts all access to its Critical Security Parameters (CSPs) through the API calls as enumerated in the Roles and Services Section of this document. This API acts as the logical interface to the module. Although the computerʼs physical ports such as keyboards, mouse, displays, hard disks, smart card interfaces, etc. provide a means to access the cryptographic module, the actual interface is via the API itself. For the purpose of FIPS 140-2, the logical interfaces can be modeled as described in the following table. Table 3: PGP SDK Logical Ports Data Input Parameters passed to the module via API calls Data Output Data returned by the module via API calls Control Input Control Input – API function calls Status Output Error and status codes returned by API calls The module does not support maintenance ports. The general purpose PC used receives power via a power supply. Input and output data can consist of plain-text, cipher-text, and cryptographic keys as well as other parameters. The module does not support a cryptographic bypass mode. All data output is prohibited whenever an error state occurs or during the self-test process. Page 7 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.4 Security Level The PGP SDK Cryptographic Module meets the overall security requirements of FIPS 140-2 Level 1. Table 4: Module Security Level Specification Security Requirements Area Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles and Services 1 Finite State Machine 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 3 Mitigation of Other Attacks N/A Page 8 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.5 Operational Environment The following Operating Systems were used to operationally test and validate the PGP SDK to the requirements of FIPS-140-2. Therefore these Operating Systems provide the highest level of assurance that the module will correctly operate. Operating System configurations Mac OS X 10.7 • iOS 5 • Windows XP Professional SP-3 • Linux, 32-bit: CentOS 5.5 • As per FIPS Implementation guidance the PGP SDK cryptographic module (without any source code modifications) will remain compliant with the requirements of FIPS 140-2 when operating on the following Operating Systems provided that the general-purpose computer (GPC) uses the specified single user operating system/mode specified on the validation certificate, or another compatible single user operating system: Windows XP SP1 • Windows 2000 SP3 • Windows NT 4 SP6a • Windows ME • Windows 98SE • Windows 98 • Mac OS X 10 • iOS 4.3 • Unix • o Linux, 32-bit: Fedora Core 4, 5, 6 Red Hat Enterprise Linux 3, 4 o AIX5.2 and 5.3 o Solaris 8 and 9 o HPUX 11.11 o Linux, 64-bit: Fedora Core 5 o CentOS 5.3 The operating system must be configured for single-user mode. Page 9 PGP SDK 4.2.1 Cryptographic Module Security Policy 2.6 Approved Mode of Operation The PGP SDK provides a FIPS 140-2 compliant mode of operation. Before any cryptographic operations can be performed, the client application must initialize (power-up) the module by invoking the PGPEnableFIPSMode() API. Once the PGPEnableFIPSMode() call is made, the following events will occur: 1. The module will perform a series of power on self-tests as detailed in the Self- Tests section of this document. 2. If a self-test fails, the module will return from the PGPEnableFIPSMode() API call with a status or error indication. 3. If a self-test fails, the module will enter a FIPS persistent error state and no cryptographic functions will be allowed until re-initialization. 4. All data output will be prohibited whenever an error state occurs or during the self-test process. 5. Only FIPS Approved or allowed cryptographic algorithms as enumerated in the Supported Algorithms section of this documents can be used in FIPS mode. 6. When in FIPS mode, the module will not allow the use of zero length passphrases because the passphrase is used to associate a key with the correct entity. 7. Once in FIPS mode the module will maintain that mode until the module is shut down by the PGPsdkCleanup() API call. 8. The module will also provide conditional tests specified in the Self-Test section of this document. The client application can, at any time, test if the module is in FIPS compliant mode by performing the PGPGetSDKErrorState() and PGPGetFeatureFlags() API call. An application can also check the module error state, reset the error state, and run all or any specific self-test through making the proper API calls. Page 10 PGP SDK 4.2.1 Cryptographic Module Security Policy 3 Security Rules The following is a list of security requirements that specify the Approved mode of operation and must be adhered to when complying with FIPS 140-2. 1. PGP SDK must be used as described in this document. Calling any function not listed under Section 4 of this document violates this security policy. For APIs that accept other functions as arguments, only those functions listed under Section 4 of this document are permitted. 2. All access to Critical Security Parameters (CSPs) must only be made through the API calls specified in Section 4 below. 3. Installation of the module is the responsibility of the Crypto-Officer. 4. The PGP SDK must be installed on a host computer where the operating system is configured for single user mode. 5. The PGP SDK provides a FIPS 140-2 compliant mode of operation. Before the module can be used, it must be initialized as described in the Approved Mode of Operation section of this document. 6. Only FIPS Approved or allowed cryptographic algorithms as enumerated in the Supported Algorithms section of this document are to be used. 7. Plaintext keys may only be manually established; automated distribution of these types of keys is prohibited. 8. The module inhibits data output during self-tests and error states. The data output interface is logically disconnected from the processes performing key generation and zeroization. 9. The zeroization process can be achieved as follows: a. Free all allocated contexts with the appropriate API function: PGPFreePrivateKeyContext, PGPFreeSymmetricCipherContext, PGPFreeCBCContext, PGPFreeCFBContext, PGPFreeHashContext, PGPFreeHMACContext, or PGPFreeData. b. Make calls to the PGPWipeFile API function and zeroize all persistently stored CSPs including ASCII armored files and all “.rnd” files. c. On exit, make a call to the PGPsdkCleanup API function . Page 11 PGP SDK 4.2.1 Cryptographic Module Security Policy 4 Roles and Services As mentioned earlier the only access to the cryptographic module is through the PGP SDK API. Thus, the module operator is defined as any client application that is linked to the PGP SDK shared library. The cryptographic module supports two roles. An operator accesses both roles while using the PGP SDK and the means of access is the same for both roles. A role is implicitly assumed based on the services that are accessed. The roles are defined as the following: User: Shall be allowed to perform the Module Info Service. • Cryptographic Officer: Shall be allowed to perform all security relevant • services provided by the module. The following table lists the services in the cryptographic module organized by service category. Table 5: Asymmetric Key Management Service API Description Open key PGPOpenKeyDBFile Create a new key set and Database its underlying database based on key data archived in file(s). The key set contains all the keys in the file(s). Free key PGPFreeKeyDB Release the storage for a Database key. The removal includes clearing any memory that held key material. Import key(s) PGPImport Import key(s) that were previously exported into a new key set. Export key(s) PGPExport Export key(s) from a key set into a specified file or buffer. Page 12 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 5: Asymmetric Key Management Service API Description Manage Key PGPFindKeyByKeyID Operations to manage Database PGPIncKeyDBRefCount and get status of a Key PGPKeyDBIsMutable Database PGPKeyDBIsUpdated PGPKeyDBSetAutoUpdate Generate a key PGPGenerateKey Generate a new PGP key PGPGenerateSubKey and place it into a key set PGPCreateKeyBundle in association with a CO via a passphrase. Change key PGPChangePassphrase Change the passphrase passphrase associated with a private key. PGPAddAttributeUserID Update key Change various values PGPAddKeyOptions properties associated with a key PGPAddUserID including it current trust PGPRevoke value, its current status PGPSetKeyAxiomatic (enabled, disabled, PGPCreateX509CRL revoked), its user ID, its subkeys, and signatures. Get key PGPPassphraseIsValid Obtain various values properties PGPGetKeyDBObjDataProperty associated with a key PGPGetKeyDBObjAllocatedDataProperty including algorithms PGPGetKeyDBObjBooleanProperty used, key sizes, user PGPGetKeyDBObjTimeProperty IDs, key Ids and PGPGetKeyDBObjNumericProperty fingerprints, key parameter data, and signature information. Sign key PGPCertifyUserID Digitally sign a particular PGPCreateX509Certificate key with RSA (via RSA PGPCreateX509CertificateFromRequest private key) or DSA (via PGPCreateSelfSignedX509Certificate DSA signing key). Split a binary PGPSecretReconstructData Split a binary passphrase passphrase PGPSecretShareData using the Shamir Threshold Secret Sharing scheme. Page 13 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 5: Asymmetric Key Management Service API Description High Level binary PGPCombineShares Wrapper code to facilitate PGPCopySharesFromFile passphrase split Shamir Threshold Secret PGPCopySharesToFile API Sharing functions. PGPCreateShares PGPFreeShareFile PGPFreeShares PGPGetPasskeyFromShares PGPNewShareFile PGPOpenShareFile PGPSaveShareFile PGPSplitShares Manage a key set PGPCheckKeyRingSigs Operations to manage PGPNewKeySet the references in a key PGPNewOneKeySet set. PGPNewOneInclusiveKeySet PGPAddKey(s) PGPDeleteKeys PGPDeleteKey PGPFreeKeySet PGPCleanSignatures Page 14 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 6: High Level Cryptographic Service API Description Encrypt the provided data with the Encrypt data PGPEncode using provided key. This service formats the PGPOEncryptToKeyDBObj resultant cipher text based on the OpenPGP or S/MIME Message format. Digitally sign the provided data with the Sign data PGPEncode using provided key. This service formats the PGPOSignwithKey resultant signature based on the OpenPGP or S/MIME Message format. Decrypt the provided data with the Decrypt data PGPDecode provided key. This service assumes the data provided is formatted based on the OpenPGP or S/MIME Message format. Verify the digital signature on the Validate PGPDecode provided data using the provided key. signed data This service assumes the data provided is formatted based on the OpenPGP or S/MIME Message format. Encrypt the provided data with the Encrypt to a PGPEncode using provided symmetric key. This service Symmetric PGPOConventionalEncrypt formats the resultant cipher text based Key on the OpenPGP or S/MIME Message format. Page 15 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 7: Low Level Cryptographic Service API Description Hash data PGPContinueHash Create a hash value based PGPCopyHashContext on the provided data. PGPFinalizeHash PGPFreeHashContext PGPNewHashContext PGPResetHash PGPGetHashSize Compute PGPContinueHMAC Compute the message HMAC on data PGPFinalizeHMAC authentication code on the PGPFreeHMACContext provided data using the PGPNewHMACContext provided key. PGPResetHMAC Encrypt data PGPCBCEncrypt Encrypt the provided data via symmetric PGPCFBEncrypt with the provided key using a cipher PGPSymmetricCipherEncrypt symmetric cipher algorithm. PGPCBCGetSymmetricCipher PGPCFBGetSymmetricCipher PGPCFBSync PGPCopyCBCContext PGPCopyCFBContext PGPCopySymmetricCipherContext PGPFreeCBCContext PGPFreeCFBContext PGPFreeSymmetricCipherContext PGPGetSymmetricCipherSizes PGPInitCBC PGPInitCFB PGPInitSymmetricCipher PGPNewCBCContext PGPNewCFBContext PGPNewSymmetricCipherContext PGPWashSymmetricCipher PGPWipeSymmetricCipher PGPImportTARCacheObj PGPOpenTarCacheFile PGPFreeTarCache Page 16 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 7: Low Level Cryptographic Service API Description Decrypt data PGPCBCDecrypt Decrypt the provided data via symmetric PGPCFBDecrypt with the provided key using a cipher PGPSymmetricCipherDecrypt symmetric cipher algorithm. PGPExportTARCacheObj Encrypt with PGPPublicKeyEncrypt Encrypt the provided data public key * PGPFreePublicKeyContext with the public portion of a PGPNewPublicKeyContext public/private key pair. Verify signature PGPPublicKeyVerifyRaw Verify the digital signature on with public key PGPPublicKeyVerifySignature the provided data using the provided key. Decrypt with PGPPrivateKeyDecrypt Decrypt the provided data private key * PGPFreePrivateKeyContext with the private portion of a PGPNewPrivateKeyContext public/private key pair. Create PGPPrivateKeySign Digitally sign the provided signature with PGPPrivateKeySignRaw data with the provided key. private key * Low-level Public Key Crypto functions can only be used for key wrapping. Table 8: Random Number Services Service API Description Get PGPContextGetRandomBytes Obtain random random data. bytes Page 17 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 9: Miscellaneous Service API Description Initialize SDK PGPsdkInit Initialize the library for use. Cleanup SDK PGPsdkCleanup Cleanup the library after use. Create context PGPNewContext Create a context for a PGPNewContextCustom particular use of the library. Free context PGPFreeContext Destroy a context from a particular use of the library (zeroize the data from RAM). Page 18 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 9: Miscellaneous Service API Description Data storage PGPFreeData Create and free memory for management PGPNewData holding various data PGPNewSecureData including plaintext and PGPReallocData passphrases. The PGPWipeFile PGPWipeFile function is used to zeroize data from the hard drive. Data I/O PGPOAllocatedOutputBuffer Deal with buffers and file PGPOInputBuffer references for data PGPOInputFile including plaintext and PGPOOutputBuffer passphrases. PGPOOutputFile PGPOInputTARCache PGPOOutputTARCache PGPOOutputDirectory PGPOPasskeyBuffer PGPOPassphrase PGPOPassphraseBuffer PGPORawPGPInput Option list PGPAddJobOptions Create, modify, and free a manipulation PGPAppendOptionList list of options and PGPBuildOptionList parameters provided to SDK PGPCopyOptionList services. PGPFreeOptionList PGPNewOptionList Module status PGPGetSDKErrorState Obtain or reset the current PGPResetSDKErrorState status of the PGP SDK PGPGetFeatureFlags cryptographic module. Run self tests PGPRunAllSDKSelfTests Run the required self-tests. PGPRunSDKSelfTest Enable FIPS PGPEnableFIPSMode Power-Up the module into compliant mode FIPS 140-2 mode Module Info PGPGetVersionString Obtain module version number information. Page 19 PGP SDK 4.2.1 Cryptographic Module Security Policy 5 Access Control Policy In the PGP SDK, access to critical security parameters is controlled. A PGP SDK User or Cryptographic Officer can only read, modify, or otherwise access the security relevant data through the cryptographic module services provided by the module API interface. This section details the Critical Security Parameters (CSPs) in the cryptographic module that a User or Cryptographic Officer can access, how the CSPs can be accessed in the cryptographic module, and which services are used for access to the data item. A PGP SDK operator using the module in the Cryptographic Officer role can access all of the module services, but an operator in the User role can only use a subset of those functions. More information on this can be found in the Roles and Services section of this document. 5.1 Critical Security Parameters The Critical Security Parameters (CSPs) used by the PGP SDK module are protected from unauthorized disclosure, modification, and substitution. Public keys are protected from unauthorized modification, and substitution Definition of CSPs: DSA Signing Key - used to sign data with DSA. • RSA Private Key - used to sign data with RSA (or) to decrypt RSA • wrapped keys (Note: the same key may not be used for signing and decryption). TDES Encrypting Key - used to TDES encrypt/decrypt data. • AES Encrypting Key - used to AES encrypt/decrypt data. • HMAC Key - used for message authentication of data. • Random Seed Pool - An internally maintained pool of data for seeding the • random number functions. Definition of Public Keys: RSA Public Key - used to verify RSA signatures (or) used to wrap session • specific symmetric keys. (Note: the same key may not be used for signature verification and encryption) DSA Public Key - used to verify DSA signatures. • 5.2 Accesses The types of access to CSPs and Public Keys in the PGP SDK are listed in the following table. Page 20 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 10: CSP Access Types Access Description create The item is created destroy The item is destroyed, in other words the data is cleared from any memory in the cryptographic module and then that memory is released read The item is accessed for reading and use write The item is modified or changed Page 21 PGP SDK 4.2.1 Cryptographic Module Security Policy 5.3 Service to CSP and Public Key Access Relationship The following table shows which CSPs and Public Keys are accessed by each service, the role(s) the operator must be in for access, and how the CSP or Public Key is accessed on behalf of the operator when the service is performed. Several services provided by the PGP SDK do not access any CSPs and are included here for completeness. Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Open key database DSA Signing Key • RSA Private Key RSA Public Key DSA Public Key X Free key database DSA Signing Key • RSA Private Key RSA Public Key DSA Public Key X Import key(s) DSA Signing Key • RSA Private Key RSA Public Key X DSA Public Key Page 22 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Export key(s) DSA Signing Key • RSA Private Key RSA Public Key DSA Public Key X Manage key DSA Signing Key • database RSA Private Key RSA Public Key DSA Public Key X Page 23 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Generate a key DSA Signing Key • • RSA Private Key RSA Public Key DSA Public Key X Random Seed Pool Change key DSA Signing Key • • passphrase RSA Private Key RSA Public Key DSA Public Key X Update key DSA Signing Key • • properties RSA Private Key X RSA Public Key DSA Public Key Get key properties DSA Signing Key • RSA Private Key X RSA Public Key DSA Public Key Page 24 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Sign key DSA Signing Key • • RSA Private Key RSA Public Key X DSA Public Key Split a binary N/A X passphrase High level binary N/A X passphrase split API Manage a key set X N/A Encrypt data RSA Public Key • • (Note: RSA is used to TDES Encrypt Key X wrap the TDES and AES Encrypt Key AES keys) Sign data DSA Signing Key • X RSA Private Key Decrypt data RSA Private Key • (Note: RSA is used to TDES Encrypt Key X unwrap the TDES AES Encrypt Key and AES keys) Validate signed data RSA Public Key • X DSA Public Key Encrypt to a TDES Encrypt Key • • X Symmetric key AES Encrypt Key Page 25 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Hash data X N/A Compute HMAC on HMAC Key • • • • X data Encrypt data via TDES Encrypt Key • • • • X symmetric cipher AES Encrypt Key Decrypt data via TDES Encrypt Key • • • • X symmetric cipher AES Encrypt Key Encrypt with public RSA Public Key • • • • key X (Note: RSA is used to wrap keys) Verify signature with RSA Public Key • • • • public key DSA Public Key X Decrypt with private RSA Private Key • • • • key (Note: RSA is used to unwrap X keys) Create signature RSA Private Key • • • • with private key DSA Public Key X Get random bytes Random Seed Pool • X Get random pool Random Seed Pool • X properties Page 26 PGP SDK 4.2.1 Cryptographic Module Security Policy Table 11: Module Services vs. CSP and Public Key Access vs. Role Access Service CO User CSP or Public Key create destroy read write Update random pool Random Seed Pool • X Initialize SDK Random Seed Pool • X Cleanup SDK X N/A Create context X N/A Free context X N/A Data storage N/A X management Data I/O X N/A Option list N/A X manipulation Module Status X N/A Run self-tests X N/A Enable FIPS N/A X compliant mode Module Info X N/A Page 27 PGP SDK 4.2.1 Cryptographic Module Security Policy 6 Cryptographic Key Management The PGP SDK takes a number of steps to protect secret keys and CSPs from unauthorized disclosure, modification, and substitution throughout the key life cycle. 6.1 Key Generation and Establishment The PGP SDK only supports the generation and establishment of wrapped key pairs in OpenPGP or X.509 certificate formats. The generation of wrapped key pairs is an atomic operation to a module • API client, and intermediate key values are never output nor are they ever accessible from the API. The PGP SDK key export and database services can be used to distribute • the public keys as appropriate via manual processes. The module uniquely identifies key certificates by using the opaque data • reference, PGPKeyID. When establishing a symmetric key, an appropriate size public key and hash algorithm must be used. Table 12: Guidelines for equivalent strengths of cryptographic algorithms Security Symmetric Minimum size of public keys (bits) (bits) encryption algorithm 112 Triple-DES 2048 128 AES-128 3072 192 AES-192 7680 256 AES-256 15360 Note that the current version of PGP SDK limits the size of RSA keys to 4096 bits, as such the maximum estimated strength of any key establishment technique using RSA is limited to 128 bits of strength. Page 28 PGP SDK 4.2.1 Cryptographic Module Security Policy 7 Physical Security Policy The PGP SDK is implemented as a software module and as such, the physical security section of FIPS 140-2 is not applicable. 8 Self-Tests The PGP SDK provides for three forms of self-tests: power-on, on-demand and conditional. Since the PGP SDK module provides a special FIPS Approved mode of operation, the module is defined as powering-up into FIPS mode when the PGPEnableFIPSMode() call is made by the client application. All data output is prohibited during the self-test process. If any of these test fail, the module will enter an error state, which can only be cleared by a deliberate call to PGPResetSDKErrorState() or by powering down the module. Once in an error state, all further cryptographic operations and data output is disabled. The resultant test status will be also returned by the PGPEnableFIPSMode() call. A client application can also ascertain module at anytime by using the PGPGetSDKErrorState() function. Possible error codes returned by the self-test routines include: kPGPError_NoErr – Self-test was successful. • kPGPError_SelfTestFailed – Self Test Failed. • Page 29 PGP SDK 4.2.1 Cryptographic Module Security Policy 8.1 Power-Up Tests When the client application invokes a PGPEnableFIPSMode() API call, the module will start the self-test process. The following self-tests will run and in the following order until all the tests have been completed or one of the tests fail. Triple-DES – Runs known answer test of a 64-byte block in ECB, CBC • and CFB modes, then decrypts the block checking for consistency with original plain-text. DSA – Runs a pair-wise consistency sign/verify test of a 48-byte block • using a 1024 bit DSS key. AES - Runs known answer test of a 16 byte block in ECB modes for 128, • 192 and 256 bit keys then decrypts the block checking for consistency with original plain-text RSA – Signs a 48 byte block of data using a 2048 bit RSA key certificate, • check against a known answer then performs a pair-wise consistency test. For encryption functionality, the module however only executes the pair- wise consistency test, because the SDK support for asymmetrical encryption outputs padded cipher-text e.g. Open-PGP. SHA-1, 224, 256, 384, 512 – Runs a series of known answer tests using • test vectors derived from the FIPS-180 document. HMAC/SHA-1, 224, 256, 384, 512 – Runs a series of known answer tests • DRBG Known answer test • Software Integrity – The module contains a compiled in DSA/SHA public • key certificate used for SDK integrity verification. The PGP SDK library binary is signed by PGP Corporation at ship, and a detached OpenPGP signature file is added to the distribution. The module uses this public key to test the installed module binary against the signature file. Critical Function Tests – self signatures of key certificates are checked • when keys are established via the PGPimport() API function. Page 30 PGP SDK 4.2.1 Cryptographic Module Security Policy 8.2 On-Demand Tests After the PGPEnableFIPSMode() call is complete, the client application can optionally initiate a specific test or all tests on demand by using the PGPRunSDKSelfTest() or PGPRunAllSDKSelfTests() functions respectively. Note that if the on-demand tests fail, the module will enter an error state in a manner identical to the power-on self-tests. 8.3 Conditional Tests When in FIPS mode, the module will perform the following conditional tests. Continuous random number generator tests on DRBG and NDRNG. • Pair-wise consistency test when new public key pairs are generated: • When a signing key-pair is generated, a plain-text value is signed by private key and verified by public key. Whenever an encryption key-pair is generated, a plain-text value is encrypted with the public key, the cipher- text is checked to be not the same as the original plaintext, the cipher-text is then decrypted with the private-key and checked against original plain- text. Page 31 PGP SDK 4.2.1 Cryptographic Module Security Policy 9 Mitigation of Other Attacks The Mitigation of Other attacks security section of FIPS 140-2 is not applicable to the PGP SDK cryptographic module. Page 32 PGP SDK 4.2.1 Cryptographic Module Security Policy Glossary API: Application Programming Interface. Asymmetric Key: a public or private key. Context: a reference value used to accept (or refer to) an internal PGP SDK state for an ongoing operation. Examples of contexts include “asymmetric cipher context” or “hash context.” CSP: Critical Security Parameters Cipher: a cryptographic algorithm used for encryption and decryption. Client: Application or program calling into the PGP SDK API ElGamal: ElGamal is a cryptographic algorithm used by the SDK for key establishment in non-FIPS mode. FIPS: Federal Information Processing Standards. FIPS 140-2: FIPS for cryptographic modules. FIPS Mode: FIPS 140-2 compliant mode of operation for PGP SDK. High-level cryptographic: a high-level CAPI that abstracts away the details of the cryptographic algorithms to be used. Key Pair: a pair of public/private asymmetric keys. Key Set: a collection of asymmetric keys. Low-level cryptographic: a low-level CAPI that includes the intimate details for specific cryptographic algorithms. MAC: Message Authentication Code. NIST: National Institute of Standards and Technology. OpenPGP Message Format: the message-exchange packet formats used by OpenPGP and all PGP products. See "OpenPGP Message Format, IETF RFC 4880.” Option List: a list of options that indicates how processing should proceed. PGP: Pretty Good Privacy; an application and protocol (RFC 1991) for secure e- mail and file encryption developed by Phil R. Zimmermann. Originally published as Freeware, the source code has always been available for public scrutiny. PGP uses a variety of algorithms, like IDEA, RSA, DSA, MD5, SHA-1 for providing encryption, authentication, message integrity, and key management. PGP is based on the Web-of-Trust model and has worldwide deployment. PGP SDK: PGP Software Developer's Kit. Page 33 PGP SDK 4.2.1 Cryptographic Module Security Policy Passphrase: a value used to provide key to entity association, either an ASCII passphrase (a sequence of ASCII characters) or a binary passphrase (binary data). Private Key: the secret portion of an asymmetric key pair. Public Key: the public portion of an asymmetric key pair. Random Number: a number generated randomly. Random Pool: a collection of random bytes, global to the PGP SDK. Signature: an encrypted hash of data that provides authentication and integrity for the data. S/MIME message format: : the message-exchange packet formats specified by IETF RFC 3852, 3370, 2633 and 2632. Symmetric Key: key material used for symmetric ciphers. A symmetric key can be provided by the operator or created as needed by the PGP SDK. User ID: an identifier that is associated with an asymmetric key (via a Signature) that represents the entity (e.g., user) to which the key is assigned. Page 34