Stonesoft Cryptographic Library FIPS 140-2 Security Policy Version 1.2 Last Update: 2013-10-28 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 1. Introduction ..................................................................................................................................... 4 1.1. Purpose of the Security Policy .......................................................................................... 4 1.2. Target Audience ..................................................................................................................... 4 2. Cryptographic Module Specification ...................................................................................... 5 2.1. Description of Module .......................................................................................................... 5 2.2. Description of Approved Mode ......................................................................................... 6 2.3. Cryptographic Module Boundary ..................................................................................... 7 2.3.1. Software Block Diagram ............................................................................................ 7 2.3.2. Hardware Block Diagram ........................................................................................... 8 3. Cryptographic Module Ports and Interfaces ........................................................................ 9 4. Roles, Services, and Authentication ..................................................................................... 10 4.1. Roles ......................................................................................................................................... 10 4.2. Services ................................................................................................................................... 10 4.3. Operator Authentication ................................................................................................... 27 4.4. Mechanism and Strength of Authentication .............................................................. 27 5. Finite State Machine ................................................................................................................... 28 6. Physical Security.......................................................................................................................... 29 7. Operational Environment ......................................................................................................... 30 8. Cryptographic Key Management ........................................................................................... 31 8.1. Random Number Generation .......................................................................................... 32 8.2. Key/CSP Generation ............................................................................................................ 32 8.3. Key/CSP Establishment ...................................................................................................... 32 8.4. Key Entry and Output......................................................................................................... 33 8.5. Key Storage............................................................................................................................ 33 8.6. Zeroization Procedure ........................................................................................................ 33 9. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) .............. 34 10. Self-Tests ....................................................................................................................................... 35 10.1. Power-Up Tests ................................................................................................................... 35 10.2. Integrity Check ................................................................................................................... 36 10.3. Conditional Tests ............................................................................................................... 36 11. Design Assurance ....................................................................................................................... 37 11.1. Configuration Management .......................................................................................... 37 © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 2 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 11.2. Delivery and Operation ................................................................................................... 37 11.2.1. Downloading a FIPS 140-2-compatible engine version ................................ 37 11.3. Cryptographic Officer Guidance .................................................................................. 37 11.3.1. Installation .................................................................................................................... 37 11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version . 37 11.3.1.2 Configuring the engine ......................................................................................... 38 11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode ............ 38 11.3.1.4 Resetting the appliance to factory settings .................................................. 39 11.3.1.5 Recovering from a FIPS 140-2 self-test failure............................................. 39 11.3.2. Entropy Source ............................................................................................................ 39 11.3.3. Initialization .................................................................................................................. 40 11.4. User Guidance .................................................................................................................... 40 11.4.1. AES GCM ........................................................................................................................ 40 11.4.2. Zeroization .................................................................................................................... 40 11.4.3. Key Export ..................................................................................................................... 40 12. Mitigation of Other Attacks ................................................................................................... 41 13. Glossary and Abbreviations .................................................................................................. 42 14. References ................................................................................................................................... 44 © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 3 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 1. Introduction This document is a non-proprietary FIPS 140-2 Security Policy for the Stonesoft Cryptographic Library module. The current version of the module is v1.1. This document contains a specification of the rules under which the module must operate and describes how this module meets the requirements as specified in the Federal Information Processing Standards Publication (FIPS PUB) 140-2 for a Security Level 1 multi-chip standalone software module. 1.1. Purpose of the Security Policy There are three major reasons that a security policy is required:  For FIPS 140-2 validation,  Allows individuals and organizations to determine whether the cryptographic module, as implemented, satisfies the stated security policy, and  Describes the capabilities, protection, and access rights provided by the cryptographic module, allowing individuals and organizations to determine whether it will meet their security requirements. 1.2. Target Audience This document is intended to be part of the package of documents that are submitted for FIPS validation. It is intended for the following people:  Developers working on the release  FIPS 140-2 testing lab  Cryptographic Module Validation Program (CMVP)  Consumers © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 4 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 2. Cryptographic Module Specification This document is the non-proprietary security policy for the Stonesoft Cryptographic Library and was prepared as part of the requirements to FIPS 140-2, Level 1. The following section describes the module and how it complies with the FIPS 140-2 standard in each of the required areas. 2.1. Description of Module The Stonesoft Cryptographic Library is a shared library that provides a C-language application programming interface for use by Stonesoft applications. Assembly language optimizations are used in the cryptographic module implementation. The files consisting of the logical boundary of the module are the module binary file libqscrypto.so.1.1 and the checksums.fips file that contains the HMAC-SHA-256 value needed for the module integrity check. The module contains the following cryptographic functionality:  Pseudo random number generation  Cryptographic hash functions  Message authentication code functions  Symmetric key encryption and decryption  Public key cryptography: key pair generation, digital signature generation and verification  Key agreement and establishment  Key wrapping The following table shows the overview of the security level for each of the eleven sections of the validation. Security Component Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security 1 Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self Tests 1 Design Assurance 3 Mitigation of Other Attacks N/A Table 1: Security Levels © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 5 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy The module has been tested on the following platforms: Manufacturer Model O/S & Ver. Stonesoft FW-315 Debian GNU/Linux 6.0-based distribution (single-user mode) Stonesoft FW-1301 Debian GNU/Linux 6.0-based distribution (single-user mode) Table 2: Tested Platforms 2.2. Description of Approved Mode The cryptographic module supports only a FIPS 140-2 approved mode. The calling application can invoke ssh_crypto_get_certification_mode() to check the status of the module. It returns SH_CRYPTO_CERTIFICATION_FIPS_140_2 to indicate that the module is indeed in the FIPS- APPROVED mode. The module provides the following algorithms and services:  AES: key wrapping, encryption and decryption; ECB, CBC, and GCM modes  Triple-DES: encryption and decryption; ECB and CBC modes  DSA: key generation, digital signatures, and verification  RSA: key generation, digital signatures, and verification  ECDSA: key generation, digital signature, and verification  DRBG: random number generation  SHS: hashing  HMAC: message authentication code In addition, the module provides the following key establishment methods:  Diffie-Hellman key agreement as key establishment method  EC Diffie-Hellman: key agreement as key establishment method © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 6 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 2.3. Cryptographic Module Boundary 2.3.1. Software Block Diagram The logical boundary of the module is the Cryptographic Library itself, which is indicated by the “Cryptographic Boundary” rectangle as illustrated in the diagram below. Physical Boundary Cryptographic Boundary Data in Control in Stonesoft Cryptographic Library Data out Status out Figure 1: Software Block Diagram © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 7 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 2.3.2. Hardware Block Diagram The physical boundary of the module is the enclosure of the appliance that the module is running on. The module was tested on two separate appliances, both of which are general purpose computers. The hardware block diagram below depicts both test appliances (FW-1301 and FW- 315) and their internal components and ports (processor, SSD, USB, Ethernet, etc.). Cryptographic Module Boundary Flash Drive Ethernet (10) (9) (FW-315) Controller / (4) (1) Ports (5) Disk Storage Slot / Controller ROM SSD (11) Expansion (FW-1301) module slot / (13) (12) Chipset Ethernet Ports RAM (6) Serial Controller / Port (2) (FW-1301) (8) USB Controller / Ports Power Processor (7) (3) Supply 1, 2, 4, 5, 6, 7, 8, 12 and 13: Data in, data out, control in, status out 3: Power in 9, 10 and 11: Control in Figure 2: Hardware Block Diagram © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 8 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 3. Cryptographic Module Ports and Interfaces FIPS Interface Physical Ports Logical Ports Data Input Ethernet ports, serial port API input parameters Data Output Ethernet ports, serial port API output parameters and return values Control Input Ethernet ports, serial port API input parameters Status Output Ethernet ports, serial port API return values Power Input PC power supply port N/A Table 3: Ports and Interfaces © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 9 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 4. Roles, Services, and Authentication 4.1. Roles The module implements both a User and a Crypto Officer role. The module does not allow concurrent operators. The User and Crypto Officer roles are implicitly assumed by the entity accessing services implemented by the module. No further authentication is required. The Crypto Officer can install and initialize the module. 4.2. Services Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) Symmetric Algorithms   128, 192, AES encryption ECB, CBC Yes RWX FIPS 197 and decryption 256 bit Cert #2240, ssh_cipher_allocate keys 2241 ssh_cipher_free ssh_cipher_get_blo ck_length ssh_cipher_get_iv ssh_cipher_get_iv_l ength ssh_cipher_get_key _length ssh_cipher_get_ma x_key_length ssh_cipher_get_mi n_key_length ssh_cipher_get_sup ported ssh_cipher_has_fix ed_key_length ssh_cipher_is_fips_ approved ssh_cipher_name sh_cipher_set_iv ssh_cipher_support ed ssh_cipher_transfor m ssh_cipher_transfor m_remaining © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 10 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ssh_cipher_transfor m_with_iv ssh_cipher_get_blo ck_len  128, 192,  AES-GCM au- GCM Yes RWX SP 800-38D thenticated en- 256 bit Cert #2240, ssh_cipher_allocate cryption and de- keys 2241 ssh_cipher_free cryption ssh_cipher_get_blo ck_length ssh_cipher_get_iv ssh_cipher_get_iv_l ength ssh_cipher_get_key _length ssh_cipher_get_ma x_key_length ssh_cipher_get_mi n_key_length ssh_cipher_get_sup ported ssh_cipher_has_fix ed_key_length ssh_cipher_is_fips_ approved ssh_cipher_name sh_cipher_set_iv ssh_cipher_support ed ssh_cipher_transfor m ssh_cipher_transfor m_remaining ssh_cipher_transfor m_with_iv ssh_cipher_get_blo ck_len ssh_cipher_is_auth _cipher ssh_cipher_auth_re set © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 11 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ssh_cipher_auth_u pdate ssh_cipher_auth_fi nal ssh_cipher_auth_di gest_length ssh_cipher_is_auth ssh_cipher_generat e_iv_ctr ssh_cipher_auth_di gest_len   128, 256 AES key wrap- ECB Yes RWX sg_aes_key_unwra ping bit keys p_kek_with_paddin Cert #2240, g 2241 sg_aes_key_unwra p_with_padding sg_aes_key_wrap_k ek_with_padding sg_aes_key_wrap_ with_padding ssh_aes_key_unwr ap ssh_aes_key_unwr ap_kek ssh_aes_key_wrap ssh_aes_key_wrap_ kek  168 bit  Triple-DES en- ECB, CBC Yes RWX ssh_cipher_allocate cryption and de- keys Cert #1401, ssh_cipher_free cryption 1402 ssh_cipher_get_blo ck_length ssh_cipher_get_iv ssh_cipher_get_iv_l ength ssh_cipher_get_key _length ssh_cipher_get_ma x_key_length ssh_cipher_get_mi n_key_length ssh_cipher_get_sup © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 12 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ported ssh_cipher_has_fix ed_key_length ssh_cipher_is_fips_ approved ssh_cipher_name sh_cipher_set_iv ssh_cipher_support ed ssh_cipher_transfor m ssh_cipher_transfor m_remaining ssh_cipher_transfor m_with_iv ssh_cipher_get_blo ck_len Asymmetric Algorithms   L=1024, DSA domain pa- Yes RWX FIPS 186-3 rameter genera- N=160; Cert #694, ssh_private_key_ge tion L=2048, 695 nerate N=224; L=2048, N=256; L=3072, N=256   L=1024, DSA key pair Yes RWX FIPS 186-3 generation N=160; Cert #694, ssh_private_key_ge L=2048, 695 nerate N=224; ssh_private_key_de L=2048, rive_public_key N=256; L=3072, N=256   L=1024, DSA signature Yes RX FIPS 186-3 generation N=160; Cert #694, ssh_private_key_si L=2048, 695 gn N=224; ssh_private_key_si L=2048, gn_async © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 13 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) N=256; ssh_private_key_si gn_digest L=3072, N=256 ssh_private_key_si gn_digest_async ssh_private_key_m ax_signature_input _len ssh_private_key_m ax_signature_outp ut_len ssh_private_key_de rive_signature_has h ssh_proxy_key_rgf_ sign   L=1024, DSA signature Yes RX FIPS 186-3 verification N=160; Cert #694, ssh_public_key_ver L=2048, 695 ify_async N=224; ssh_public_key_ver L=2048, ify_digest_async N=256; ssh_public_key_ver L=3072, ify_signature N=256 ssh_public_key_ver ify_signature_with_ digest ssh_public_key_der ive_signature_hash ssh_proxy_key_rgf_ verify  1024,  DSA public key Yes RX FIPS 186-3 validation 2048, Cert #694, ssh_public_key_vali 3072 bits 695 date modulus size   1024, RSA key genera- Yes RWX FIPS 186-3 tion 2048, Cert #1147, ssh_private_key_ge 3072 1148 nerate modulus ssh_private_key_de size. rive_public_key Public key ssh_mp_fip186_ifc_ value aux_prime_create © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 14 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) 65537. ssh_mp_fips186_ifc _prime_factor   1024, RSA signature SHA-1, Yes RX FIPS 186-3 generation 2048, SHA-224, Cert #1147, ssh_private_key_si based on 3072 bit SHA-256, 1148 gn PKCS#1 v1.5 modulus SHA-384, ssh_private_key_si SHA-512 gn_async ssh_private_key_si gn_digest ssh_private_key_si gn_digest_async ssh_private_key_m ax_signature_input _len ssh_private_key_m ax_signature_outp ut_len ssh_private_key_de rive_signature_has h ssh_proxy_key_rgf_ sign   1024, RSA signature SHA-1, Yes RX FIPS 186-3 verification 2048, SHA-224, Cert #1147, ssh_public_key_ver based on 3072 bit SHA-256, 1148 ify_async PKCS#1 v1.5 modulus SHA-384, ssh_public_key_ver SHA-512 ify_digest_async ssh_public_key_ver ify_signature ssh_public_key_ver ify_signature_with_ digest ssh_public_key_der ive_signature_hash ssh_proxy_key_rgf_ verify © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 15 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable)   1024, RSA signature SHA-1, Yes RX FIPS 186-3 generation 2048, SHA-224, Cert #1147, ssh_private_key_si based on PSS 3072 bit SHA-256, 1148 gn (probabilistic modulus SHA-384, ssh_private_key_si signature SHA-512 gn_async scheme) ssh_private_key_si gn_digest ssh_private_key_si gn_digest_async ssh_private_key_m ax_signature_input _len ssh_private_key_m ax_signature_outp ut_len ssh_private_key_de rive_signature_has h ssh_proxy_key_rgf_ sign   1024, RSA signature SHA-1, Yes RX FIPS 186-3 verification 2048, SHA-224, Cert #1147, ssh_public_key_ver based on PSS 3072 bit SHA-256, 1148 ify_async (probabilistic modulus SHA-384, ssh_public_key_ver signature SHA-512 ify_digest_async scheme) ssh_public_key_ver ify_signature ssh_public_key_ver ify_signature_with_ digest ssh_public_key_der ive_signature_hash ssh_proxy_key_rgf_ verify  1024,  RSA public key Yes RX FIPS 186-3 validation 2048, Cert #1147, ssh_public_key_vali 3072 bit 1148 date modulus © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 16 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable)  192, 224,  ECDSA key pair Yes RWX FIPS 186-3 generation 256, 384, Cert #349, ssh_private_key_ge 521 bit 350 nerate prime ssh_private_key_de modulus rive_public_key  192, 224,  ECDSA signature Yes RX FIPS 186-3 generation 256, 384, Cert #349, ssh_private_key_si 521 bit 350 gn prime ssh_private_key_si modulus gn_async ssh_private_key_si gn_digest ssh_private_key_si gn_digest_async ssh_private_key_m ax_signature_input _len ssh_private_key_m ax_signature_outp ut_len ssh_proxy_key_rgf_ sign  192, 224,  ECDSA signature Yes RX FIPS 186-3 verification 256, 384, Cert #349, ssh_public_key_ver 521 bit 350 ify_async prime ssh_public_key_ver modulus ify_digest_async ssh_public_key_ver ify_signature ssh_public_key_ver ify_signature_with_ digest ssh_public_key_der ive_signature_hash ssh_proxy_key_rgf_ verify  192, 224,  ECDSA public Yes RX FIPS 186-3 key validation 256, 384, Cert #349, ssh_public_key_vali 521 bit 350 date prime © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 17 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) modulus  Private  Asymmetric key RW ssh_private_key_co management keys py ssh_private_key_fr ee ssh_private_key_ge t_info ssh_private_key_is_ fips_approved ssh_private_key_na me ssh_private_key_pr ecompute ssh_private_key_se lect_scheme ssh_public_key_cop y ssh_public_key_cre ate_proxy ssh_public_key_fre e ssh_public_key_get _info ssh_public_key_get _predefined_group s ssh_public_key_get _supported ssh_public_key_is_f ips_approved ssh_public_key_na me ssh_public_key_pre compute Hash Functions  SHA-1 N/A Yes RX ssh_hash_allocate Cert #1929, ssh_hash_asn1_oid 1930 ssh_hash_asn1_oid _compare ssh_hash_asn1_oid © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 18 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) _generate ssh_hash_compare _result ssh_hash_compare _start ssh_hash_digest_le ngth ssh_hash_final ssh_hash_free ssh_hash_get_supp orted ssh_hash_input_blo ck_size ssh_hash_is_fips_a pproved ssh_hash_name ssh_hash_reset ssh_hash_supporte d ssh_hash_update ssh_hash_of_buffer ssh_sha_transform ssh_sha_permuted _transform  SHA-224 N/A Yes RX ssh_hash_allocate SHA-256 Cert #1929, ssh_hash_asn1_oid 1930 SHA-384 ssh_hash_asn1_oid _compare SHA-512 ssh_hash_asn1_oid _generate ssh_hash_compare _result ssh_hash_compare _start ssh_hash_digest_le ngth ssh_hash_final ssh_hash_free ssh_hash_get_supp orted © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 19 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ssh_hash_input_blo ck_size ssh_hash_is_fips_a pproved ssh_hash_name ssh_hash_reset ssh_hash_supporte d ssh_hash_update ssh_hash_of_buffer Message Authentication Codes (MACs)   HMAC key N/A HMAC-SHA-1 Yes RWX ssh_mac_allocate Cert #1370, ssh_mac_final 1371 ssh_mac_free ssh_mac_get_block _length ssh_mac_get_max_ key_length ssh_mac_get_min_ key_length ssh_mac_get_supp orted ssh_mac_is_fips_ap proved ssh_mac_length ssh_mac_name ssh_mac_reset ssh_mac_supporte d ssh_mac_update   HMAC key N/A HMAC-SHA-224 Yes RWX ssh_mac_allocate HMAC-SHA-256 Cert #1370, ssh_mac_final 1371 HMAC-SHA-384 ssh_mac_free HMAC-SHA-512 ssh_mac_get_block _length ssh_mac_get_max_ key_length ssh_mac_get_min_ © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 20 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) key_length ssh_mac_get_supp orted ssh_mac_is_fips_ap proved ssh_mac_length ssh_mac_name ssh_mac_reset ssh_mac_supporte d ssh_mac_update Random Number Generation   Seed with AES 256 DRBG Yes RWX SP 800-90A 256-bit ECB Cert #266, ssh_random_add_n entropy, 267 oise Entropy ssh_random_get_b input yte string with ssh_random_get_ui 256-bit nt32 entropy ssh_random_stir ssh_random_get_s upported ssh_random_suppo rted ssh_random_is_fips _approved ssh_random_alloca te ssh_random_free ssh_random_name ssh_random_add_e ntropy ssh_random_add_li ght_noise ssh_mprz_aux_mod _random ssh_mprz_aux_mod _random_entropy Key Agreement © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 21 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable)   Diffie- Diffie-Hellman Component RWX SP 800-56A Hellman Cert #37, 38 ssh_pk_group_copy secret, ssh_pk_group_coun shared t_randomizers secret ssh_pk_group_dh_a gree ssh_pk_group_dh_a gree_async ssh_pk_group_dh_a gree_max_output_l ength ssh_pk_group_dh_r eturn_randomizer ssh_pk_group_dh_s ecret_free ssh_pk_group_dh_s etup ssh_pk_group_dh_s etup_async ssh_pk_group_dh_s etup_max_output_l ength ssh_pk_group_free ssh_pk_group_gen erate ssh_pk_group_gen erate_randomizer ssh_pk_group_get_i nfo  EC Diffie-  EC Diffie- Component RWX SP 800-56A Hellman Hellman Cert #37, 38 ssh_pk_group_copy secret, ssh_pk_group_coun shared t_randomizers secret ssh_pk_group_dh_a gree ssh_pk_group_dh_a gree_async ssh_pk_group_dh_a gree_max_output_l ength ssh_pk_group_dh_r © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 22 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) eturn_randomizer ssh_pk_group_dh_s ecret_free ssh_pk_group_dh_s etup ssh_pk_group_dh_s etup_async ssh_pk_group_dh_s etup_max_output_l ength ssh_pk_group_free ssh_pk_group_gen erate ssh_pk_group_gen erate_randomizer ssh_pk_group_get_i nfo ssh_pk_group_prec ompute ssh_pk_group_sele ct_scheme ssh_dh_group_crea te_proxy Key Entry and Output   DSA pri- DSA key entry Yes W ssh_pk_import vate key Cert #694, ssh_private_key_de 695 fine ssh_private_key_im port ssh_public_key_def ine ssh_public_key_im port  DSA pri-  DSA key output Yes R ssh_pk_export vate key Cert #694, ssh_private_key_ex 695 port  RSA pri-  RSA key entry Yes W ssh_pk_import vate key Cert #1147, ssh_private_key_de 1148 fine © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 23 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ssh_private_key_im port ssh_public_key_def ine ssh_public_key_im port  RSA pri-  RSA key output Yes R ssh_pk_export vate key Cert #1147, ssh_private_key_ex 1148 port  ECDSA  ECDSA key entry Yes W ssh_pk_import private Cert #349, ssh_private_key_de key 350 fine ssh_private_key_im port ssh_public_key_def ine ssh_public_key_im port  ECDSA  ECDSA key out- Yes R ssh_pk_export put private Cert #349, ssh_private_key_ex key 350 port  Diffie-  Diffie-Hellman Component W ssh_pk_import key entry Hellman Cert #37, 38 ssh_pk_group_imp private ort key ssh_pk_group_imp ort_randomizers  Diffie-  Diffie-Hellman Component R ssh_pk_export key output Hellman Cert #37, 38 ssh_pk_group_expo private rt key ssh_pk_group_expo rt_randomizers  EC Diffie-  EC Diffie- Component W ssh_pk_import Hellman key en- Hellman Cert #37, 38 ssh_pk_group_imp try private ort key ssh_pk_group_imp ort_randomizers  EC Diffie-  EC Diffie- Component R ssh_pk_export Hellman key Hellman Cert #37, 38 ssh_pk_group_expo © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 24 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) output private rt key ssh_pk_group_expo rt_randomizers Management  Installation N/A N/A N/A N/A Please refer to sec- tion 11.3 “Crypto- graphic Officer Guidance” for se- cure installation of the module.  Initialization N/A N/A N/A RX ssh_crypto_library_ initialize ssh_crypto_library_ regis- ter_noise_request ssh_crypto_library_ regis- ter_progress_func ssh_pk_provider_re gister sg_crypto_register_ error_callback ssh_random_noise_ polling_init ssh_drbg_instantiat e sg_drbg_enable_co ntinuous_test ssh_drbg_reseed ssh_drbg_generate ssh_drbg_uninstant iate  Mode manage- N/A N/A N/A RX ssh_crypto_get_cer ment tification_mode ssh_crypto_set_cer tification_mode  Uninitialization N/A N/A N/A RX ssh_crypto_free ssh_crypto_library_ uninitialize © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 25 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) ssh_crypto_library_ unregis- ter_noise_request ssh_random_noise_ polling_uninit  External crypto N/A N/A N/A RX The external cryp- registration to registration is not supported on the tested Stonesoft plat- forms.. The func- tions below return SG_CRYPTO_REGIS TER_NOT_SUPPORT ED. sg_cipher_external _register sg_cipher_external _unregister sg_hash_external_r egister sg_hash_external_ unregister sg_mac_external_r egister sg_mac_external_u nregister sg_ciphermac_exte rnal_register sg_ciphermac_exte rnal_unregister Status  N/A  Query status N/A N/A RX ssh_crypto_library_ get_status ssh_crypto_library_ get_version sg_crypto_library_g et_path ssh_crypto_status_ message © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 26 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Service Roles CSP Modes FIPS Ap- Access Notes/API Func- proved? Cert tion # (if appli- User CO cable) Self-tests  N/A  Perform self- N/A N/A RX ssh_crypto_library_ tests self_tests Other services  N/A  Compression N/A N/A RX ssh_compress_allo cate ssh_compress_free ssh_compress_get_ supported ssh_compress_is_n one ssh_compress_syn c_levels ssh_compress_buff er  N/A  Auxiliary ser- N/A N/A RX ssh_aux_pkcs1_pa vices d ssh_aux_pkcs1_un pad ssh_aux_pkcs1_wra p_and_pad ssh_cipher_alias_g et_native ssh_cipher_alias_g et_supported ssh_cipher_alias_su pported ssh_ecp_set_param Table 4: Services 4.3. Operator Authentication There is no operator authentication; assumption of role is implicit by action. 4.4. Mechanism and Strength of Authentication No authentication is required at Security Level 1; authentication is implicit by assumption of the role. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 27 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 5. Finite State Machine The following diagram represents the states and transitions of the cryptographic module. Figure 3: Cryptographic Module Finite State Machine The state model contains the following states:  UNLOADED: The start state of the cryptographic module is UNLOADED. The module is in this state until the shared library is loaded and linked to the application. Cryptographic operations are not available while in this state.  UNINITIALIZED: The module is in the UNINITIALIZED state after it has been loaded but not yet initialized, or it has been successfully uninitialized. Cryptographic operations are not available while in this state.  SELF-TEST: The module performs power-up self-tests during initialization or on-demand. Cryp- tographic operations are not available while in this state.  OK: The module enters the FIPS mode in the “OK” state after successfully passing the power- up self-tests. The cryptographic services are available in this state.  ERROR: The module enters this state after a self-test, a cryptographic operation or uninitializa- tion has failed. An error indicator is output by the module. The state transitions are as follows: 1. The shared library is loaded and linked dynamically to the application. 2. The cryptographic module is initialized using the ssh_crypto_library_initialize function. The function is called automatically when the shared library is loaded. 3. The self-tests succeed. 4. A cryptographic operation is performed successfully. 5. On-demand self-tests are performed using the ssh_crypto_library_self_tests function. 6. The cryptographic module is uninitialized using the ssh_crypto_library_uninitialize function. 7. The shared library is unloaded. 8. Power-up self-tests fail. 9. A conditional test fails during a cryptographic operation. 10. The module uninitialization fails because cryptographic objects are still referenced. 11. Cryptographic objects are no longer in use and the module uninitialization succeeds. This transition also occurs automatically when the power-up self-tests fail during the module initialization. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 28 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 6. Physical Security The cryptographic module is tested on the Stonesoft FW-315 and FW-1301 appliances that consist of production-grade components with standard passivation and a production-grade enclosure. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 29 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 7. Operational Environment This module will operate in a modifiable operational environment per the FIPS 140-2 definition. The module operates on the Stonesoft Debian GNU/Linux based hardened operating system that is set in the FIPS compatible mode of operation. Login to the operating system is disabled and only the preinstalled Stonesoft application is running on the system. Therefore the operational environment is considered non-modifiable. The application that uses the cryptographic module is also the single user of the module. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 30 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 8. Cryptographic Key Management Keys are established externally. CSPs can be accessed only using the API. The operating system protects the memory and the address space of the process from unauthorized access. Name Auth Generation Type Output Storage Zeroization Role HMAC key User, External, HMAC key N/A In module Zeroization is not for CO electronic binary required per FIPS module entry IG 7.4 integrity check AES, User, External, Symmetric N/A Plaintext in API call, power off Triple-DES CO electronic key memory symmetric entry keys DSA User, DSA key Private Encrypted, Plaintext in API call, power off private CO generation key plaintext memory key using DRBG, externally using DSA key entry RSA User, RSA key Private Encrypted, Plaintext in API call, power off private CO generation key plaintext memory key using DRBG, externally using RSA key entry ECDSA User, ECDSA key Private Encrypted, Plaintext in API call, power off private CO generation key plaintext memory key using DRBG, externally using ECDSA key entry HMAC key User, External, HMAC N/A Plaintext in API call, power off CO electronic memory entry DRBG User, External, Entropy N/A Plaintext in API call, power off entropy CO electronic input memory input entry DRBG User, Dev/urandom Seed N/A Plaintext in API call, power off seed CO and memory dev/random Diffie- User, DSA key Private N/A Plaintext in API call, power off © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 31 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Hellman CO generation key memory secret using DRBG Diffie- User, Generated Symmetric Plaintext Plaintext in API call, power off Hellman CO through key memory shared Diffie- secret Hellman protocol EC Diffie- User, ECDSA key Private N/A Plaintext in API call, power off Hellman CO generation key memory secret using DRBG, EC Diffie- User, Generated Symmetric Plaintext Plaintext in API call, power off Hellman CO through key memory shared Diffie- secret Hellman protocol Table 5: Key Management 8.1. Random Number Generation The cryptographic module implements an AES block cipher based DRBG with derivation function according to SP 800-90A. The module obtains the seed and the entropy input string from /dev/urandom. The seed and the entropy input string are both 256 bytes. Their security strength is 256 bits, i.e., 1 bit per byte is assumed. In the operational environment, /dev/urandom is seeded with 4096 bytes from /dev/urandom. During the installation, the seed data is also mixed with 32 bytes from /dev/random to ensure sufficient entropy. 8.2. Key/CSP Generation DSA key pairs are generated using random bits from DRBG according to FIPS 186-3 Appendix B.1.1. RSA key pairs are generated using probable primes with conditions using auxiliary probable primes and random bits from the DRBG according to FIPS 186-3 Appendix B.3.6. ECDSA key pairs are generated using extra random bits from the DRBG according to FIPS 186-3 Appendix B.4.1. Diffie-Hellman and EC Diffie-Hellman secrets and public values are generated using random bits from the DRBG. 8.3. Key/CSP Establishment The cryptographic module supports Diffie-Hellman primitives for key agreement using ephemeral keys:  FFC DH dhEphem, C(2, 0, FFC DH) using 1024, 1536, and 2048-bit groups  ECC CDH Ephemeral Unified Model, C(2, 0, ECC CDH) using p-192, p-224, p-256, p-384, and p-521 curves CAVEAT 1: Diffie-Hellman key agreement; key establishment methodology provides between 80 and 112 bits of encryption strength; CAVEAT 2: EC Diffie-Hellman key agreement; key establishment methodology provides between © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 32 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 80 and 256 bits of encryption strength. The cryptographic module also supports the AES key wrapping algorithm as key transport method to wrap the private keys for imports/exports. The AES algorithm is FIPS 140-2-approved and its implementation in the module is certified by CAVP. The key size for AES key wrap is either 128 or 256 bits depending on the key that is provided by the calling application. CAVEAT 3: AES key wrapping; key establishment methodology provides 128 or 256 bits of encryp- tion strength. 8.4. Key Entry and Output The cryptographic module supports electronic entry of symmetric keys and HMAC keys. The application using the cryptographic module can import secret keys to the module in plaintext within the physical boundary. In addition, private keys can be imported encrypted using AES key wrapping. Private keys can be exported in plaintext to the application using the module within the physical boundary. In addition, private keys can be exported encrypted using AES key wrapping. There is no output of intermediate key generation values from the module at any point in time. The module does not support manual entry of keys. 8.5. Key Storage The keys and CSPs are stored in plaintext in memory. The module does not provide persistent storage of keys. 8.6. Zeroization Procedure The stored keys and CSPs are zeroized when the application calls the appropriate API function: ssh_cipher_free, ssh_mac_free, ssh_private_key_free, ssh_pk_group_free and ssh_crypto_library_uninitialize. Intermediate key material is zeroized automatically by the module when no longer needed. All keys and CSPs can be zeroized by powering off the module and performing a system restore operation by the operational environment. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 33 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 9. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) Testing Platform EMC information Stonesoft FW-315 Testing Laboratory: Intertek ETL Semko OY FCC registration number: 910391 Test summary: 15.107 Conducted emissions to AC-mains test passed 15.109 Radiated emissions test passed Conforms to Class B Stonesoft FW-1301 Testing Laboratory: Intertek ETL Semko OY FCC registration number: 910391 Test summary: 15.107 Conducted emissions to AC-mains test passed 15.109 Radiated emissions test passed Conforms to Class A Table 6: FCC IDs © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 34 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 10. Self-Tests 10.1. Power-Up Tests The power-up self-tests are executed automatically when the cryptographic module is loaded. The ssh_crypto_library_initialize() function returns SSH_CRYPTO_OK when the power-up self-tests are successfully completed. If the power-up self-tests fail, the cryptographic module outputs an error message and enters an error state. No further operations are allowed when the module is in an error state. The cryptographic module causes the process termination with a non-zero exit status when the power- up self-tests have failed. The computer will need to be restarted in order for the cryptographic module to enter to an operational state. Self-tests are performed on-demand when the user calls the ssh_crypto_library_self_tests() function. Algorithm Test AES Known Answer Test (KAT), encryption and decryption are tested separately Triple-DES KAT, encryption and decryption are tested separately DSA Pair-wise consistency test (PCT) in place of KAT for signature generation and verification test, pair-wise consistency test for DSA key pair generation RSA KAT for signature generation and verification tested separately , pair-wise consistency test for RSA key pair generation ECDSA KAT for signature generation and verification tested separately, pair-wise consistency test for ECDSA key pair generation SHS KAT for SHA-1, SHA-256 and SHA-512 HMAC KAT for HMAC-SHA-1, HMAC-SHA-256 and HMAC-SHA-512 DRBG KAT Diffie-Hellman KAT, pair-wise consistency test EC Diffie-Hellman KAT, pair-wise consistency test Table 7: Power-Up Tests The following are the error messages related to self-test failure: Reason For Failure Error Message Failure of AES/Triple-DES Cipher algorithm test failed during self-test KAT Failure of Public key algorithm test failed during self-test RSA/DSA/ECDSA/Diffie- Hellman, EC-Diffie- Hellman KAT or PCT Failure of SHS KAT Hash algorithm test failed during self-test Failure of HMAC KAT Mac algorithm test failed during self-test © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 35 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Failure of integrity test The checksum of the library is incorrect. Integrity has been compromised Table 8: Error Messages Related to Self-Test Failure It is the applications responsibility to reboot the appliance to recover the module from the error state. The library will not cause the rebooting of the appliance. 10.2. Integrity Check The cryptographic module uses the HMAC-SHA-256 message authentication code of the module binary for the integrity tests. The module reads the module binary file, computes the HMAC-SHA- 256 MAC of the file content and compares it to the known correct MAC that is input to the module when it is loaded. 10.3. Conditional Tests Algorithm Test DSA Pair-wise consistency test RSA Pair-wise consistency test ECDSA Pair-wise consistency test DRBG Continuous test Table 9: Conditional Tests The following are the error messages related to conditional test failure: Reason For Failure Error Message Failure of DSA pair-wise Cryptographic Library error occurred (1) consistency test Failure of RSA pair-wise Cryptographic Library error occurred (1) consistency test Failure of ECDSA pair- Cryptographic Library error occurred (1) wise consistency test Failure of DRBG Continuous DRBG test failed continuous test Table 10: Error Messages Related to Conditional Test Failure © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 36 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 11. Design Assurance 11.1. Configuration Management Git and Lotus Notes are used for configuration management of the cryptographic module. 11.2. Delivery and Operation The cryptographic module is never released as source code. It is delivered as part of the Stonesoft Security Engine software version 5.4.7 and later. The FIPS 140-2-compatible Security Engine software image is downloaded from the Stonesoft website. The Security Engine software is also preinstalled on Stonesoft appliances (see Table 2: Tested Platforms). Product information for the appliances is available at the Stonesoft website: http://www.stonesoft.com/en/products/appliances/ 11.2.1. Downloading a FIPS 140-2-compatible engine version A FIPS 140-2-compatible version of the Security Engine software is downloaded as follows: 1. Go to the Stonesoft Downloads page at https://my.stonesoft.com/download.do. 2. Enter the Proof-of-License (POL) or Proof-of-Serial (POS) code in the License Identification field and click Submit. 3. Click Stonesoft Security Engine Downloads. The Stonesoft Security Engine Downloads page opens. 4. Download the .zip installation file. 5. Contact Stonesoft Support by e-mail or phone and verify the SHA-1 checksum. The correct checksum is also shown on the download page. If e-mail is used to contact Stonesoft Support, the Stonesoft Support PGP private key is used to sign the e-mail reply message. Verify the sig- nature using the Stonesoft Support PGP public key available at the Stonesoft website at http://www.stonesoft.com/en/support/support_contact_information/index.html. 11.3. Cryptographic Officer Guidance 11.3.1. Installation The cryptographic module is delivered as part of the Stonesoft Security Engine software. To run the cryptographic module on a Stonesoft appliance, the engine software is set to a FIPS 140-2- compatible operating mode. 11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version Stonesoft appliances are delivered with the most recent engine software preinstalled. The engine software must be upgraded to the FIPS 140-2-compatible engine version before entering FIPS- compatible operating mode. This is necessary even if the same version was installed previously, because the file system checksum is stored during the upgrade process. To upgrade to the FIPS-compatible engine version: 1. Save the FIPS 140-2-compatible engine upgrade zip file in the root directory of a USB memory stick. Note – The engine upgrade zip file must be in the root directory of the media. 2. Contact Stonesoft support using the PGP key, available at: http://www.stonesoft.com/en/support/support_contact_information/index.html to obtain the correct SHA1 checksum. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 37 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 3. Boot up the appliance. The Engine Configuration Wizard starts. 4. Select Upgrade. The Select Source Media dialog opens. 5. Select USB Memory. The upgrade starts. 6. Select OK. The engine reboots and the Engine Configuration Wizard starts with the engine im- age verification dialog shown. Select Calculate SHA1. The SHA1 checksum is calculated and displayed below the checksum from the engine image zip file. 7. Verify that the calculated checksum is identical to the checksum from the zip file and that both checksums match the checksum provided by Stonesoft Support. 8. Select OK. The engine reboots. 9. Check the engine version to make sure that the certified version is loaded. Continue as instructed in Configuring the engine, below. 11.3.1.2 Configuring the engine To configure the engine: 1. Start the Engine Configuration Wizard as instructed in the Configuring the Engine in the Engine Configuration Wizard section of the Firewall/VPN Installation Guide. 2. Configure the Operating System settings as instructed in the Configuring the Operating System Settings section of the Firewall/VPN Installation Guide. Select Restricted FIPS- compatible operating mode. The SSH daemon and root password options are automatically disabled in the Engine Configuration Wizard. 3. Configure the network interfaces according to your environment as instructed in the Config- uring the Network Interfaces section of the Firewall/VPN Installation Guide. 4. Contact the Management Server as instructed in the Contacting the Management Server section of the Firewall/VPN Installation Guide. Enter node IP address manually is selected by default and other IP address options are disabled when FIPS-compatible operating mode is en- abled. The engine restarts. 11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode Restricted FIPS-compatible operating mode must be enabled during the initial configuration of the appliance. The following steps describe how to verify that FIPS 140-2-compatible operating mode has been activated. To verify activation of FIPS 140-2-compatible operating mode: 1. Verify that the following messages are displayed on the console when the engine restarts: FIPS: rootfs integrity check OK (displayed after the root file system integrity test has been executed successfully) FIPS power-up tests succeeded (displayed after the FIPS 140-2 power-up tests have been executed successfully) 2. Continue as instructed in the After Successful Management Server Contact section of the Firewall/VPN Installation Guide. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 38 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy Note – If the engine does not enter the FIPS 140-2-compatible operating mode even though it is configured to do so, or if the power-up tests fail (a power-up test error message is displayed or the success message is not displayed), the appliance must be reset to factory settings and reinstalled as instructed in Recovering from a FIPS 140-2 self-test failure. 11.3.1.4 Resetting the appliance to factory settings Resetting the appliance to factory settings is not part of the normal installation procedure. There is no need to reset the appliance to factory settings before starting to use it for the first time. These instructions can be used to reset the appliance to factory settings when necessary, such as when initial configuration has been completed without enabling the Restricted FIPS 140-2-compatible operating mode, during use, or when the appliance is being removed from use. To reset the appliance to factory settings: 1. Reboot the appliance and select System restore options from the boot menu. Stonesoft En- gine System Restore starts. 2. Enter 2 for Advanced data removal options. 3. Enter one of the following options:  1 for 1 pass overwrite  8 for a Custom number of overwrite passes If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is more secure, but it may take a considerable amount of time depending on the appliance storage capacity. 11.3.1.5 Recovering from a FIPS 140-2 self-test failure If the FIPS 140-2 power-up self-tests fail, or the engine does not enter FIPS 140-2-compatible operating mode, the appliance must be reset to factory settings and reinstalled according to these instructions. Begin by Resetting the appliance to factory settings. To recover from a FIPS 140-2 self-test failure: 1. Reset the appliance to factory settings as instructed in Resetting the appliance to factory settings. 2. Repeat the engine version upgrade as instructed in Upgrading appliances to the FIPS 140- 2-compatible engine version. 3. Configure the firewall engine and enable FIPS 140-2-compatible operating mode as instructed in Configuring the engine. 4. Verify that FIPS-compatible operating mode is activated as instructed in Verifying activation of FIPS 140-2-compatible operating mode. 11.3.2. Entropy Source The cryptographic module uses /dev/urandom as the entropy source. To have a sufficient amount of entropy available, /dev/urandom must be seeded before using the cryptographic module. During the installation of the module, 4096 bytes must be read from /dev/urandom. This data is mixed with 32 bytes from /dev/random using an exclusive or operation. The mixed data is used to seed /dev/urandom. The state must be saved before shutdown by writing 4096 bytes to an entropy file for reading and seeding /dev/urandom during the next startup. The operation is performed automatically by the Stonesoft engine software. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 39 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 11.3.3. Initialization The cryptographic module is initialized using the ssh_crypto_library_initialize() function before any cryptographic functionality is available. In order for the integrity check to succeed, the known SHA- 265 MAC needs to be available either in: /etc/checksums.fips file or LIBQSCRYPTO_CHECKSUM environment variable The /etc/checksums.fips file is provided with the Stonesoft engine software. 11.4. User Guidance 11.4.1. AES GCM In case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. 11.4.2. Zeroization When a cryptographic key is no longer used, the key must be zeroized and freed using the ssh_cipher_free, ssh_mac_free and ssh_private_key_free functions for symmetric key encryption/decryption, message authentication and public key cryptography, respectively. 11.4.3. Key Export Private keys must not be exported unencrypted outside the physical module boundary from the application using the cryptographic module. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 40 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 12. Mitigation of Other Attacks No other attacks are mitigated. © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 41 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 13. Glossary and Abbreviations AES Advanced Encryption Specification API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CBC Cypher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cypher Feedback CMT Cryptographic Module Testing CMVP Cryptographic Module Validation Program CO Cryptographic Officer CSP Critical Security Parameter CTR Counter CVT Component Verification Testing DES Data Encryption Standard DH Diffie-Hellman DSA Digital Signature Algorithm ECB Electronic Codebook ECDH EC Diffie-Hellman EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communications Commission FIPS Federal Information Processing Standards FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology NVLAP National Voluntary Laboratory Accreditation Program OFB Output Feedback O/S Operating System PCT Pair-wise Consistency Test POL Proof-of-License © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 42 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy POS Proof-of-Serial PP Protection Profile RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSH Secure Shell UI User Interface © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 43 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy 14. References [1] FIPS 140-2 Standard, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf [2] FIPS 140-2 Implementation Guidance, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf [3] FIPS 140-2 Derived Test Requirements, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf [4] FIPS 197, Advanced Encryption Standard (AES), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf [5] FIPS 180-4 Secure Hash Standard, http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf [6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC), http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf [7] FIPS 186-2, Digital Signature Standard, http://csrc.nist.gov/publications/fips/archive/fips186- 2/fips186-2.pdf [8] FIPS 186-3 Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186- 3/fips_186-3.pdf [9] ANS X9.31 Appendix A.2.4, Random Number Generator, http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf [10] NIST SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf [11] NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf [12] NIST SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800- 38C_updated-July20_2007.pdf [13] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf [14] NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, http://csrc.nist.gov/publications/nistpubs/800-38E/nist- sp-800-38E.pdf [15] NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes using Discrete Logarithm Cryptography (Revised), http://csrc.nist.gov/publications/nistpubs/800-56A/SP800- 56A_Revision1_Mar08-2007.pdf [16] NIST SP 800-56B, Recommendation for Pair-Wise Establishment Schemes Using Integer Factor- ization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 44 of 45 Stonesoft Cryptographic Library FIPS 140-2 Security Policy [17] NIST SP 800-90A, Recommendation for Random Number Generation Using Deterministic Ran- dom Bit Generators, http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf [18] NIST SP 800-131A Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf © 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. 45 of 45