Motorola Mobility Linux Kernel Software Cryptographic Module FIPS 140-2 Security Policy Module Version 1.0 Document version 1.11 September 16, 2013 This document may be freely copied and distributed provided that it is copied in its entirety without modification. < Motorola Mobility LLC> CHANGE RECORD Revision Date Author Description of Change 1.11 09/16/13 W. Ribeiro Update to add official name to new test platform 1.10 09/13/13 W. Ribeiro Update based on CMVP comments 1.9 04/17/13 W. Ribeiro Including new operation system version 1.8 01/07/13 J. Pinto Update based on review comments 1.7 12/21/12 W. Ribeiro Update based on review comments Added CAVP numbers and updated based on 1.6 12/19/2012 W. Ribeiro review comments 1.5 11/12/2012 W. Ribeiro Update based on review comments 1.4 10/31/2012 W. Ribeiro Update based on review comments 1.3 10/30/2012 W. Ribeiro Update based on review comments 1.2 10/11/2012 J. Pinto Update with latest review comments 1.1 08/27/2012 J. Pinto Include review comments 1.0 03/28/2012 J. Pinto Initial version Page 2 of 15 < Motorola Mobility LLC> Contents 1  Module Overview ............................................................................................................................................ 5  2  Security Level ................................................................................................................................................... 7  3  Modes of Operation ........................................................................................................................................ 8  3.1  FIPS Approved Mode of Operation .............................................................................................................................. 8  4  Ports and Interfaces ........................................................................................................................................ 9  5  Identification and Authentication Policy ....................................................................................................... 10  5.1  Assumption of Roles .................................................................................................................................................. 10  6  Access Control Policy ..................................................................................................................................... 10  6.1  Roles and Services ..................................................................................................................................................... 10  7  Operational Environment .............................................................................................................................. 12  8  Security Rules ................................................................................................................................................ 13  9  Physical Security Policy .................................................................................................................................. 15  10  Mitigation of Other Attacks Policy ................................................................................................................ 15  11  References ..................................................................................................................................................... 15    Page 3 of 15 < Motorola Mobility LLC> Tables Table 1 ‐ Module Security Level Specification .......................................................................................................... 7  Table 2 ‐ FIPS Approved Algorithms Used in Current Module ................................................................................. 8  Table 3 – Ports and Interfaces .................................................................................................................................. 9  Table 4 ‐ Services .................................................................................................................................................... 11  Table 5 – CSPs description ..................................................................................................................................... 11  Figures Figure 1 ‐ Module Cryptographic Boundary – Software Block Diagram .................................................................. 5  Figure 2 ‐ Module Cryptographic Boundary – Hardware Block Diagram ................................................................. 6  Page 4 of 15 < Motorola Mobility LLC> 1 Module Overview This non-proprietary security policy describes the Motorola Mobility Linux Kernel Software Cryptographic Module (hereafter referred to as the module) and the FIPS Approved mode of operation per FIPS 140-2 Level-1 requirements. The module is a software only Linux kernel cryptographic module intended to operate on a multi-chip standalone mobile device (physical boundary) running Android 4.1 or 4.2. The name of the module file in the mobile device file system is moto_crypto.ko. The module provides general-purpose cryptographic services to the remainder of the Linux kernel. As with all Linux kernel modules, this module is written in C. The logical cryptographic boundary of the module is shown in Figure 1. Figure 1 - Module Cryptographic Boundary – Software Block Diagram The software configuration for this validation is Motorola Linux Kernel Software Cryptographic Module, Version 1.0. This module includes Power-On Self Tests. Page 5 of 15 < Motorola Mobility LLC> Figure 2 depicts the hardware block diagram of a device that will run the module. Physical boundary Power DRAM I/O devices Flash (display, touch CPU ROM screen, USB) Figure 2 - Module Cryptographic Boundary – Hardware Block Diagram Page 6 of 15 < Motorola Mobility LLC> 2 Security Level The cryptographic module is designed to operate at FIPS 140-2 overall security level 1. Table 1 below shows the security level met for each of the eleven areas specified within the FIPS 140-2 security requirements. Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Table 1 - Module Security Level Specification Page 7 of 15 < Motorola Mobility LLC> 3 Modes of Operation 3.1 FIPS Approved Mode of Operation The module always operates in a FIPS Approved mode of operation and provides all of the algorithms described in Table 2. The module will enter FIPS Approved mode following successful power up initialization. The module supports the following FIPS Approved algorithms. The module does not provide non- approved security functions. FIPS Approved Algorithm Key / block size CAVP Cert. AES (CBC/ECB/CTR) Encryption and Decryption 128, 192, 256 bits #2287 Triple DES (CBC/ECB) Encryption and Decryption 192 bits (3-key only) #1435 SHA 160, 224, 256, 384, 512 bits #1968 HMAC SHA 160, 224, 256, 384, 512 bits #1403 ANSI X 9.31 PRNG AES-128 #1138 Table 2 - FIPS Approved Algorithms Used in Current Module Page 8 of 15 < Motorola Mobility LLC> 4 Ports and Interfaces FIPS Interface Port Data Input API input parameters Data Output API return values Control Input API function calls Status Output API return codes; Kernel log file Power Input Physical power connector Table 3 – Ports and Interfaces Page 9 of 15 < Motorola Mobility LLC> 5 Identification and Authentication Policy 5.1 Assumption of Roles The module supports two distinct operator roles, User and Cryptographic Officer (CO). The operators assume their roles implicitly based on the services being accessed. The module does not support authentication of roles. 6 Access Control Policy 6.1 Roles and Services Table 4 shows the services available on the module, which roles are enabled to access the service, the API calls which support the service, the CSPs involved, if any, and the access mode to them. Role Service Description CSP API Calls Access (Read, Write, Execute) User Encrypt/Decrypt Encrypt/Decrypt AES keys moto_aes_set_key R, W, EX with AES data using AES in moto_ecb_aes_encrypt CBC/ECB/CTR moto_ecb_aes_decrypt modes moto_cbc_aes_encrypt moto_cbc_aes_decrypt moto_ctr_aes_encrypt moto_ctr_aes_decrypt User Encrypt/Decrypt Encrypt/Decrypt Triple DES 3 moto_des3_ede_set_key R, W, EX with Triple DES data using Triple keys moto_ecb_des3_ede_encrypt DES moto_ecb_des3_ede_decrypt moto_cbc_des3_ede_encrypt moto_cbc_des3_ede_decrypt User SHA Use hash functions N/A moto_sha1_init R, W, EX to perform SHA-1, moto_sha1_update SHA-224, SHA- moto_sha1_final 256, SHA-384 or moto_sha224_init SHA-512 moto_sha224_final moto_sha256_update moto_sha256_init moto_sha256_final moto_sha384_init moto_sha512_update moto_sha384_final moto_sha512_init moto_sha512_update moto_sha512_final User HMAC SHA Perform HMAC HMAC key moto_hmac_create R, W, EX SHA-1, HMAC moto_hmac_init SHA-224, HMAC moto_hmac_setkey SHA-256, HMAC moto_hmac_update SHA-384 or HMAC moto_hmac_final SHA-512 Page 10 of 15 < Motorola Mobility LLC> Role Service Description CSP API Calls Access (Read, Write, Execute) PRNG1 User Generate pseudo Seed, moto_cprng_init R, W, EX random number moto_fips_cprng_reset Seed key using ANSI X 9.31 moto_fips_cprng_get_random PRNG with AES- moto_cprng_exit 128 User Show status Provides N/A Kernel log and return codes R information about from API calls the status of the module User Perform Self-Test Power cycle the N/A N/A N/A module to perform self-test on demand Crypto Initialization Module N/A moto_crypto_init N/A Officer initialization Crypto Finalization Module finalization N/A moto_crypto_fini N/A Officer Table 4 - Services The table below details the usage of the CSPs involved in the module. CSP Description / Usage AES keys Passed in moto_aes_set_key API call to be used as the key on the AES encrpyt/decrypt process. Supported key sizes are 128, 192 and 256 bits. Triple DES keys Passed in moto_des3_ede_set_key API call to be used as the key on the triple DES encrpyt/decrypt process. Total key size is 192 bits (3 keys of 64 bits each). HMAC key Passed in moto_hmac_setkey API call to be used as the key on the HMAC generation process. Seed key1 Passed in moto_fips_cprng_reset API call to be used as the key for the PRNG underlying AES encryption. Key size is 128 bits. Seed1 Passed in moto_fips_cprng_reset API call to be used as the PRNG seed. Table 5 – CSPs description Note: The module does not use public keys. 1 There is no assurance of the strength of the externally provided entropy in the seed and seed key. Page 11 of 15 < Motorola Mobility LLC> 7 Operational Environment The module was operational tested on the following platforms:  Motorola Droid Razr HD (XT926) device running Android 4.1.2  Motorola Droid Ultra (XT1080) device running Android 4.2.2 The module is intended for use on a personal mobile device using Android operating system versions 4.1 or 4.2. For FIPS 140-2 compliance this is considered to be a single-user operational environment due to the fact that only one operator is in possession of the device at a time. Also, the module implementation is single-threaded. All CSPs in memory remain in the process space of the operator using the module. The Android operating system uses its memory management and process separation mechanisms to ensure that outside processes cannot access the process memory used by the module. Page 12 of 15 < Motorola Mobility LLC> 8 Security Rules The module design corresponds to the FIPS 140-2 Level 1 security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module. 1. The cryptographic module shall provide two distinct operator roles. These are the User role, and the Cryptographic Officer role. 2. The cryptographic module does not support authentication; roles are implicitly assumed depending on the service accessed. 3. The cryptographic module shall perform the following tests: A. Power on Self-Tests 1. Cryptographic algorithm tests a. SHA-1 Known Answer Test b. SHA-224 Known Answer Test c. SHA-256 Known Answer Test d. SHA-384 Known Answer Test e. SHA-512 Known Answer Test f. HMAC-SHA-1 Known Answer Test g. HMAC-SHA-224 Known Answer Test h. HMAC-SHA-256 Known Answer Test i. HMAC-SHA-384 Known Answer Test j. HMAC-SHA-512 Known Answer Test k. AES Encrypt Known Answer Test l. AES Decrypt Known Answer Test m. TDES Encrypt Known Answer Test n. TDES Decrypt Known Answer Test o. ANSI X 9.31 RNG Known Answer Test 2. Software Integrity Test (HMAC SHA-256) B. Conditional Tests A continuous RNG test is performed during each use of the RNG service. If values of two consecutive random numbers are the same, the module goes into error state. 4. The operator shall be capable of commanding the module to perform the power-up self-test by cycling power or resetting the module. 5. Power-up self tests do not require any operator intervention. 6. Data output is inhibited during self-tests and error states. Only status information is output when in those states. 7. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 8. The module does not support concurrent operators. Page 13 of 15 < Motorola Mobility LLC> 9. The module does not support a maintenance interface or role. 10. The module does not support manual key entry. 11. The module does not have any external input/output devices used for entry/output of data. 12. The module does not output plaintext CSPs. 13. The module does not generate keys. 14. The module zeroizes memory used by CSPs prior to deallocation. 15. The RNG service returns an error if initialized with a seed and seed key with the same value. Page 14 of 15 < Motorola Mobility LLC> 9 Physical Security Policy This is a software module therefore the FIPS 140-2 physical security requirements are not applicable. 10 Mitigation of Other Attacks Policy The module has not been designed to mitigate attacks outside of the scope of FIPS 140-2. Therefore this section is not applicable. 11 References [FIPS 140-2] FIPS Publication 140-2 Security Requirements for Cryptographic Modules. Page 15 of 15