Cisco 4451‐X Integrated Services Router (ISR)   (with PVDM4‐32, PVDM4‐64, PVDM4‐128 and PVDM4‐256)                FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 0.4 Date: Oct 30, 2014 . Table of Contents 1  Introduction ................................................................................................................. 1  1.1  References ............................................................................................................ 1  1.2  FIPS 140-2 Submission Package.......................................................................... 1  2  Module Description .................................................................................................... 2  2.1  Cisco ISR4451-X ................................................................................................. 2  2.2  Embedded Services Processor (ESP) ................................................................... 2  2.3  Router Processor (RP) .......................................................................................... 2  2.4  Packet Voice Digital Signal Processor Module (PVDM) .................................... 3  2.5  Module Validation Level ..................................................................................... 3  3  Cryptographic Boundary ............................................................................................. 4  4  Cryptographic Module Ports and Interfaces ............................................................... 4  5  Roles, Services, and Authentication ........................................................................... 5  5.1  User Services ........................................................................................................ 5  5.2  Cryptographic Officer Services ............................................................................ 6  5.3  Unauthenticated User Services............................................................................. 7  6  Cryptographic Key/CSP Management ........................................................................ 8  7  Cryptographic Algorithms ........................................................................................ 14  7.1  Approved Cryptographic Algorithms................................................................. 14  7.2  Non-Approved Algorithms allowed for use in FIPS-mode ............................... 14  7.3  Non-Approved Algorithms ................................................................................ 15  7.4  Self-Tests ............................................................................................................ 15  8  Physical Security ....................................................................................................... 17  8.1  Module Opacity .................................................................................................. 17  8.2  Tamper Evidence................................................................................................ 18  9  Secure Operation ....................................................................................................... 22  i 9.1  System Initialization and Configuration ............................................................ 22  9.2  IPsec Requirements and Cryptographic Algorithms .......................................... 23  9.3  Protocols ............................................................................................................. 24  9.4  Remote Access ................................................................................................... 24  10  Related Documentation ............................................................................................. 24  ii 1 Introduction This is a non-proprietary Cryptographic Module Security Policy for the Cisco 4451-X Integrated Services Router (ISR) with integrated RP and ESP from Cisco Systems, Inc., referred to in this document as the modules, routers, or by their specific model name. This security policy describes how the module meets the security requirements of FIPS 140-2 and how to run the module in a FIPS 140-2 mode of operation. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.1 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:  The Cisco Systems website (http://www.cisco.com) contains information on the full line of products from Cisco Systems.  The NIST Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains contact information for answers to technical or sales-related questions for the module. 1.2 FIPS 140-2 Submission Package The security policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the submission package includes: Vendor Evidence  Finite State Machine  Other supporting documentation as additional references With the exception of this non-proprietary security policy, the FIPS 140-2 validation documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems, Inc. See “Obtaining Technical Assistance” section for more information. Page 1 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 Module Description 2.1 Cisco ISR4451-X The Cisco ISR 4451-X is a highly scalable WAN and Internet Edge router platform that delivers embedded hardware acceleration for multiple Cisco IOS XE Software services without the need for separate service blades. In addition, the Cisco ISR 4451-X Router is designed for business-class resiliency, featuring redundant Route and Embedded Services Processors, as well as software-based redundancy. With routing performance and IPsec VPN acceleration around ten-fold that of previous midrange aggregation routers with services enabled, the Cisco 4400 Series Integrated Services routers provide a cost-effective approach to meet the latest services aggregation requirement. This is accomplished while still leveraging existing network designs and operational best practices. The router also supports various VPN services (GetVPN, DMVPN, and EasyVPN). 2.2 Embedded Services Processor (ESP) The Cisco ISR 4451-X Embedded Service Processors (ESP) is based on the innovative, industry-leading Cisco QuantumFlow Processor for next-generation forwarding and queuing in silicon. These components use the first generation of the hardware and software architecture known as Cisco QuantumFlow Processor. The ESP provides centralized forwarding-engine options for the Cisco ISR 4451-X Router. The Cisco ISR 4451 ESP is responsible for the data-plane processing tasks, and all network traffic flows through them. The modules perform all baseline packet routing operations, including MAC classification, Layer 2 and Layer 3 forwarding, quality-of- service (QoS) classification, policing and shaping, security access control lists (ACLs), VPN, load balancing, and NetFlow. It should be noted that the ISR 4451-X uses an integrated ESP and as such does not have a distinct part number. 2.3 Router Processor (RP) The Cisco ISR 4451-X Route Processor addresses the route-processing requirements of carrier-grade IP and Multiprotocol Label Switching (MPLS) packet infrastructures. Not only does it provide advanced routing capabilities, but it also monitors and manages the other components in the ISR 4451-X Router. It should be noted that the ISR 4451 employs an integrated RP. Page 2 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.4 Packet Voice Digital Signal Processor Module (PVDM) The Cisco Fourth-Generation Packet Voice Digital Signal Processor Module (PVDM4) enables Cisco 4451-X Integrated Services Routers (ISRs) to provide rich-media capabilities such as high-density voice connectivity, conferencing, transcoding, media optimization, translating, and secure voice in Cisco Unified Communications Solutions. The fourth-generation packet voice digital-signal-processor (DSP) modules are available in four densities listed under hardware configuration. The validated platforms consist of the following components shown in Table 1. #  Base Unit  Image Version  Crypto  Hardware Configuration  Integrated RP and ESP, 1 and PVDM4-32 Integrated RP and ESP, 2 and PVDM4-64 ISR4451-X IOS-XE 3.10.2 IC2M(Rel 3) 1.5.2 Integrated RP and ESP, 3 and PVDM4-128 Integrated RP and ESP, 4 and PVDM4-256 Table 1: Module Hardware Configurations 2.5 Module Validation Level The following table lists the level of validation for each area in the FIPS PUB 140-2. No.  Area Title  Level  1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 3 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key management 2 8 Electromagnetic Interface/Electromagnetic Compatibility 2 9 Self-Tests 2 10 Design Assurance 3 11 Mitigation of Other Attacks N/A Overall Overall module validation level 2 Table 2: Module Validation Level Page 3 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 Cryptographic Boundary The cryptographic boundary for the Cisco ISR 4451-X is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a removable port adapter; and space within the case that would be occupied by an installed port adapter. The cryptographic boundary includes the connection apparatus between the port adapter and the board that hosts the port adapter, but the boundary does not include the port adapter itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular port adapter. 4 Cryptographic Module Ports and Interfaces Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following tables: Physical Interfaces  FIPS 140‐2 Logical Interfaces  Port Adapter Interface (6) Data Input Interface Console Port Auxiliary Port 10/100 Management Ethernet Port Port Adapter Interface (6) Data Output Interface Console Port Auxiliary Port 10/100 Management Ethernet Port Port Adapter Interface (6) Control Input Interface Console Port Auxiliary Port 10/100 BITS Ethernet Port 10/100 Management Ethernet Port Power Switch Port Adapter Interface (6) Status Output Interface LEDs USB Ports (2) Console Port Auxiliary Port 10/100 Management Ethernet Port Power Plug (up to 2) Power interface Table 3: ISR 4451-X Page 4 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 5 Roles, Services, and Authentication Authentication is identity-based. Each user is authenticated upon initial access to the module. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS+ for authentication. A complete description of all the management and configuration capabilities of the modules can be found in the Cisco ISR 4400 Integrated Services Routers Software Configuration Guide Manual and in the online help for the modules. The User and Crypto Officer passwords and all shared secrets must each be at least eight (8) characters long, including at least one letter and at least one number character, in length (enforced procedurally). See the Secure Operation section for more information. If six (6) integers, one (1) special character and one (1) alphabet are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 4,488,223,369,069,440 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. Since it is claimed to be for 8 digits with no repetition, then the calculation should be 94 x 93 x 92 x 91 x 90 x 89 x 88 x 87). In order to successfully guess the sequence in one minute would require the ability to make over 74,803,722,817,824 guesses per second, which far exceeds the operational capabilities of the module. Additionally, when using RSA-based authentication, RSA key pair has a modulus size of 2048 bits, thus providing between 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 5.19x1028 attempts per minute, which far exceeds the operational capabilities of the modules to support. 5.1 User Services A User enters the system by accessing the console/auxiliary port with a terminal program or SSH v2 session to a LAN port or the 10/100 management Ethernet port. The module prompts the User for their username/password combination. If the username/password combination is correct, the User is allowed entry to the module management functionality. The services available to the User role accessing the CSPs, the type of access – read (r), write (w) and zeroized/delete (d) – and which role accesses the CSPs are listed below. Page 5 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Services and Access Description Keys and CSPs Status Functions (r) View state of interfaces and protocols, version of IOS currently running. User password Terminal Functions (r) Adjust the terminal session (e.g., lock the terminal, adjust flow control). User password Directory Services (r) Display directory of files kept in flash memory. User password Self-Tests (r) Execute the FIPS 140 start-up tests on demand N/A IPsec VPN (r, w, d) Negotiation and encrypted data transport via IPSec VPN User password GetVPN (GDOI) (r, w, d) Negotiation and encrypted data transport via GetVPN User password SSH Functions(r, w, d) Negotiation and encrypted data transport via SSH User password HTTPS Functions (TLS) Negotiation and encrypted data transport via HTTPS User password (r, w, d) SNMPv3 Functions(r, w, Negotiation and encrypted data transport via SNMPv3 User password d) CUBE/sRTP Functions (r, Negotiation and encrypted data transport via CUBE/sRTP User password w, d) Table 4: User Services 5.2 Cryptographic Officer Services A Crypto Officer enters the system by accessing the console/auxiliary port with a terminal program or SSH v2 session to a LAN port or the 10/100 management Ethernet port. The Crypto Officer authenticates in the same manner as a User. The Crypto Officer is identified by accounts that have a privilege level 15 (versus the privilege level 1 for users). A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration and maintenance of the router. The services available to the Crypto Officer role accessing the CSPs, the type of access – read (r), write (w) and zeroized/delete (d) – and which role accesses the CSPs are listed below. Services and Access Description Keys and CSPs Configure the router (r,w) Define network interfaces and settings, create command ISAKMP pre-shared keys, IKE aliases, set the protocols the router will support, enable Authentication key, IKE Encryption Key, interfaces and network services, set system date and time, IPSec authentication keys, IPSec traffic and load authentication information. keys, User passwords, Enable password, Enable secret, Define Rules and Filters (r,w,d) Create packet Filters that are applied to User data streams on password each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on Page 6 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. View Status Functions (r) View the router configuration, routing tables, active password sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status. Manage the router (r,w,d) Log off users, shutdown or reload the router, erase the flash password memory, manually back up router configurations, view complete configurations, manager user rights, and restore router configurations. SNMPv3 (r) Non security-related monitoring by the CO SnmpEngineID, SNMP v3 password, SNMP session key using SNMPv3. Configure Encryption/Bypass Set up the configuration tables for IP tunneling. Set ISAKMP pre-shared keys, IKE (r,w,d) preshared keys and algorithms to be used for each IP range Authentication key, IKE Encryption Key, or allow plaintext packets to be set from specified IP IPSec authentication keys, IPSec traffic address. keys, Enable secret, TLS VPN (TLSv1.0) (r,w,d) Configure SSL VPN parameters, provide entry and output TLS pre-master secret, TLS Traffic Keys of CSPs. SSH v2 (r, w, d) Configure SSH v2 parameter, provide entry and output of SSH Traffic Keys CSPs. sRTP/CUBE (r, w, d) Configure CUBE/sRTP parameter, provide entry and output CUBE/sRTP Traffic Keys of CSPs. IPsec VPN (r, w, d) Configure IPsec VPN parameters, provide entry and output skeyid, skeyid_d, IKE session encryption of CSPs. key, IKE session authentication key, ISAKMP pre-shared, IKE authentication private Key, IKE authentication public key, IPSec encryption key, IPSec authentication key GetVPN (GDOI) (r, w, d) Configure GetVPN parameters, provide entry and output of GDOI key encryption key (KEK), GDOI CSPs. traffic encryption key (TEK), GDOI TEK integrity key Self-Tests (r) Execute the FIPS 140 start-up tests on demand N/A User services (r,w,d) The Crypto Officer has access to all User services. Password Zeroization (d) Zeroize cryptographic keys All Keys and CSPs will be destroyed Table 5: Crypto Officer Services 5.3 Unauthenticated User Services The services for someone without an authorized role are to view the status output from the module’s LED pins and cycle power. Page 7 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 6 Cryptographic Key/CSP Management The module securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password-protection on the Crypto Officer operator logins, and can be zeroized by the Crypto Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). The module supports the following critical security parameters (CSPs): Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  Manage the Security DRBG entropy DRBG_ 256-bit This is the entropy for SP 800-90 DRAM Power cycle the Appliance input CTR CTR_DRBG. (plaintext) device And (using Set Encryption AES- 256) Manage the Security DRBG Seed DRBG_ 384-bits This DRBG seed is collected from DRAM Automatic-ally Appliance CTR the onboard Cavium cryptographic (plaintext) every 400 bytes, And (using processor. or turn off the Set Encryption AES- router. 256) Manage the Security DRBG V DRBG_ 256-bit DRAM Power cycle the Appliance Internal V value used as part of SP (plaintext) CTR device And 800-90 CTR_DRBG (using Set Encryption AES- 256) Manage the Security DRBG Key DRBG_ 256-bit DRAM Power cycle the Appliance Internal Key value used as part of CTR (plaintext) device And SP (using Set Encryption 800-90 CTR_DRBG AES- 256) Diffie-Hellman DH 2048 – The shared exponent used in DRAM Zeroized upon Manage the Shared Secret 4096 bits Diffie-Hellman (DH) exchange. (plaintext) deletion. Security Created per the Diffie-Hellman Appliance protocol. And Set Encryption Page 8 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  Diffie Hellman DH 224 – The private exponent used in DRAM Zeroized upon Manage the private key 379 bits Diffie-Hellman (DH) exchange. (plaintext) deletion. Security This CSP is created using SP800- Appliance 90 DRBG And Set Encryption Diffie Hellman DH 2048 – The p used in Diffie-Hellman (DH) DRAM Zeroized upon Manage the public key 4096 bits exchange. This CSP is created (plaintext) deletion. Security using SP800-90 DRBG Appliance And Set Encryption EC Diffie- ECDH P-256/P- The p used in Elliptic Curve DRAM Automatically Key exchange Hellman 384 Diffie-Hellman (ECDH) exchange. after shared in IPsec private key secret generated. EC Diffie- ECDH P-256/P- The p used in Elliptic Curve DRAM Automatically Key exchange Hellman public 384 Diffie-Hellman (ECDH) exchange. after shared in IPsec key secret generated. EC Diffie- ECDH P-256/P- The shared key used in Elliptic DRAM Zeroized upon Key exchange Hellman 384 Curve Diffie-Hellman (ECDH) deletion. in IPsec shared secret exchange. Created per the Elliptic Curve Diffie-Hellman (ECDH) protocol. skeyid Keyed 160-bits Value derived per the IKE protocol DRAM Automatically Set Encryption SHA-1 based on the peer authentication (plaintext) after IKE method chosen. session terminated. skeyid_d Keyed 160-bits The IKE key derivation key for DRAM Automatically Set Encryption SHA-1 non ISAKMP security (plaintext) after IKE associations. session terminated. IKE session Triple- -168 bits/ The IKE session encrypt key. This DRAM Automatically Set Encryption encrypt key DES 128, 192, key is created per the Internet Key (plaintext) after IKE /AES or 256 Exchange Key Establishment session bits protocol. terminated. Page 9 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  IKE session HMAC 160-bits The IKE session authentication DRAM Automatically VPN functions authentic- SHA-1 key. This key is created per the (plaintext) after IKE And cation key Internet Key Exchange Key session Configure the Establishment protocol. terminated. Module and Set Encryption ISAKMP Secret At least The key used to generate IKE NVRAM # no crypto VPN functions preshared eight skeyid during preshared-key (plaintext) isakmp key And character authentication. # no crypto Configure the s isakmp key command zeroizes it. Module This key can have two forms based and on whether the key is related to the Set Encryption hostname or the IP address. This CSP is entered by the Cryptographic Officer. IKE RSA/ 2048 – The key used in IKE NVRAM # crypto key Set Encryption authentication ECDSA 4096 bits authentication. # crypto key (plaintext) zeroize rsa private Key and P- zeroize rsa command zeroizes it. 256/P- 384 IKE RSA/ 2048 – The key used in IKE NVRAM # crypto key Set Encryption authentication ECDSA 4096 bits authentication. # crypto key (plaintext) zeroize rsa public key and P- zeroize rsa command zeroizes it. 256/P- 384 IPsec encrypt- Triple- 168 bits/ The IPsec encryption key. This key DRAM Automatically VPN functions ion key DES 128, 192, is created per the Internet Key (plaintext) when IPsec And /AES or 256 Exchange Key Establishment session Configure the bits protocol. terminated. Module And Manage the Security Appliance and Set Encryption Page 10 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  IPsec HMAC 160-bits The IPsec authentication key. This DRAM Automatically VPN functions authentication SHA-1 key is created per the Internet Key (plaintext) when IPsec And key Exchange Key Establishment session Configure the protocol. terminated. Module And Manage the Security Appliance and Set Encryption Operator Shared At least The password of the operator. This NVRAM Overwrite with Status Function password Secret eight CSP is entered by the (plaintext) new password And character Cryptographic Officer. Terminal s function And VPN Function And Perform Cryptography And Configure the Module and Define Rules and filters And Status Function and Manage the Security Appliance and Set Encryption Enable Shared At least The plaintext password of the CO NVRAM Overwrite with Configure the password Secret eight role. This CSP is entered by the (plaintext) new password Module character Cryptographic Officer. and s Set Encryption And Zeroization Page 11 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  Enable secret Shared At least The obfuscated password of the NVRAM Overwrite with Manage the Secret eight CO role. However, the algorithm (plaintext) new password Security character used to obfuscate this password is Appliance s not FIPS approved. Therefore, this password is considered plaintext for FIPS purposes. This password is zeroized by overwriting it with a new password. The Cryptographic Operator optionally configures the module to obfuscate the Enable password. This CSP is entered by the Cryptographic Officer. RADIUS Shared 16 The RADIUS shared secret. This NVRAM # no radius- Manage the secret Secret character CSP is entered by the (plaintext), server key Security s Cryptographic Officer. DRAM Appliance (plaintext) TACACS+ Shared 16 The TACACS+ shared secret. NVRAM # no tacacs- Manage the secret Secret character This CSP is entered by the (plaintext), server key Security s Cryptographic Officer. DRAM Appliance (plaintext) SSH Private RSA 2048 – The SSH private key for the NVRAM SSH private key Manage the Key 4096 bits module. RSA key sizes 1024 - (plaintext) is zeroized by Security 4096 bits. either deletion Appliance (via # crypto key zeroize rsa) or by overwriting with a new value of the key SSH Public RSA 2048 – The SSH public key for the NVRAM Zeroized upon Manage the Key 4096 bits module. RSA key sizes 1024 - (plaintext) deletion. Security 4096 bits. Appliance SSH Session Triple- 168 bits/ The SSH session key. This key is DRAM Automatically Manage the Key DES 128, 192, created through SSH key (plaintext) when the SSH Security /AES or 256 establishment. session is Appliance bits terminated. GDOI Data Triple- 168 bits/ This key is created using the DRAM Automatically Manage the Security Key DES 128, 192, “GROUPKEY-PULL” registration (plaintext) when session Security (TEK) /AES or 256 protocol with GDOI. terminated. Appliance bits Page 12 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key Size  Zeroization  Service and  Name  Alg.  Description  Storage  Access  GDOI Group Triple- -168 bits/ This key is created using the DRAM Automatically Manage the Key DES 128, 192, “GROUPKEY-PUSH” registration (plaintext) when session Security Encryption /AES or 256 protocol with GDOI. terminated. Appliance Key (KEK) bits GDOI TEK HMAC -160 bits This key is created using the DRAM Automatically Manage the integrity key SHA-1 "GROUPKEY-PULL" registration (plaintext) when session Security protocol and updated using the terminated. Appliance "GROUPKEY-PUSH" registration protocol with GDOI snmpEngineID Shared -32-bits A unique string used to identify the NVRAM Overwrite with Manage the Secret SNMP engine. new engine ID Security Appliance SNMPv3 Shared -8 – 25 The password use to setup SNMP NVRAM Overwrite with Manage the password Secret character v3 connection. new password Security s Appliance SNMPv3 AES -128-bits Encryption key used to protect Automatically Manage the DRAM session key SNMP traffic. when session Security (plaintext) terminated. Appliance sRTP Master AES AES Generated by the CUCM and sent upon end of call Manage the (128/196/ to phone in TLS session. Key used DRAM Key or device Security 256 bits) to generate sRTP session keys Appliance and reset. seesions sRTP AES AES Generated via the sRTP protocol. upon end of call Set encryption DRAM Encryption (128/196/ Key used to encrypt/decrypt sRTP or device 256 bits) packets key (AES) reset. sRTP HMAC -160 bits Generated via the sRTP protocol. upon end of call Authentication DRAM Authentication SHA-1 Key used to authenticate sRTP or device packets key (HMAC) reset. Table 6: CSP Table Page 13 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 7 Cryptographic Algorithms 7.1 Approved Cryptographic Algorithms The Cisco ISR 4451 supports many different cryptographic algorithms. However, only FIPS approved algorithms may be used while in the FIPS mode of operation. The following table identifies the approved algorithms included in the ISR 4451 for use in the FIPS mode of operation. Algorithm Supported Mode Cert. #  IC2M(IOS XE) IOS Common Crypto Module/Common Crypto Module-Extended2 AES CBC (128, 192, 256), CMAC, GCM 2817 SHS (SHA-1, 256, Byte Oriented 2361 384, and 512) HMAC SHA (1, 256, Byte Oriented 1764 384, and 512) ECDSA KeyGen, SigGen/Ver 493 DRBG CTR (using AES-256) 481 RSA PKCS#1 v.1.5, 2048-4096 bit key 1471 Triple-DES KO 1,2; CBC 1688/1670 KAS Component Test KAS FFC/ECC 252 KDF Component Test KDF-135 253 Cavium Octeon II CN6645 (Embedded Services Processor (ESP)) AES ECB, CBC (128, 192, 256), GMAC 2345 SHS (SHA-1, 256, Byte Oriented 2022 384, 512) HMAC SHA-1, 256, Byte Oriented 1454 384, 512 Triple-DES KO 1,2 - ECB, CBC 1468 Table 7: FIPS-Approved Algorithms for use in FIPS Mode Note: Each of Triple-DES certs (#1468, #1688 and #1670) supports two-key and three- key Triple-Des options, but only three-key Triple-DES is used in FIPS mode. 7.2 Non-Approved Algorithms allowed for use in FIPS-mode The ISR 4451 cryptographic module implements the following non-Approved algorithms that are allowed for use in FIPS-mode: Page 14 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.  Diffie-Hellman – provides between 112 and 150-bits of encryption strength  RSA Key Wrapping – provides between 112 and 150-bits of encryption strength  EC Diffie-Hellman (key establishment methodology provides between 128 and 192 bits of encryption strength)  GDOI (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength)  Non-approved RNG for seeding the DRBG. 7.3 Non-Approved Algorithms The ISR 4451 cryptographic module implements the following non-Approved algorithms:  MD5  DES  HMAC MD5  RC4 7.4 Self-Tests The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to insure all components are functioning correctly. The modules implement the following power-on self-tests:  IC2M(IOS XE) o POSTs - IOS Common Crypto Module  Firmware Integrity Test (HMAC SHA-256)  AES encrypt and decrypt KATs  AES GCM KAT  AES-CMAC KAT  DRBG KAT  ECDSA Sign/Verify  HMAC-SHA-1 KAT  HMAC-SHA-256 KAT  HMAC-SHA-384 KAT  HMAC-SHA-512 KAT  KAS ECC Primitive “Z” KAT  KAS FFC Primitive “Z” KAT  RSA KAT  SHA-1 KAT Page 15 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.  SHA-256 KAT  SHA-512 KAT  Triple-DES encrypt and decrypt KATs o POSTs - IOS Common Crypto Module-Extended2  Triple-DES encrypt and decrypt KATs  Cavium Octeon II CN6645 (Embedded Services Processor (ESP))  AES encrypt and decrypt KATs  AES-GMAC encrypt and decrypt KATs  HMAC-SHA-1 KAT  HMAC-SHA-256 KAT  HMAC-SHA-384 KAT  HMAC-SHA-512 KAT  SHA-1 KAT  SHA-256 KAT  SHA-512 KAT  Triple-DES encrypt and decrypt KATs The modules perform all power-on self-tests automatically at boot. All power-on self- tests must be passed before any operator can perform cryptographic services. The power- on self-tests are performed after the cryptographic systems are initialized but prior any other operations; this prevents the module from passing any data during a power-on self- test failure. In addition, the modules also provide the following conditional self-tests:  IC2M(IOS XE) o Continuous Random Number Generator test for the FIPS-approved DRBG o Continuous Random Number Generator test for the non-approved RNG o Pair-Wise Consistency Test for RSA o Pair-Wise Consistency Test for ECDSA keys Page 16 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 8 Physical Security This module is a multi-chip standalone cryptographic module. The FIPS 140-2 level 2 physical security requirements for the modules are met by the use of opacity shields covering the front panels of modules to provide the required opacity and tamper evident seals to provide the required tamper evidence. The following sections illustrate the physical security provided by the module. The module relies upon Tamper Evident Labels and Opacity Shields with the following Cisco part numbers:  ISR4451-FIPS-Kit 8.1 Module Opacity To install an opacity shield on the ISR 4451 routers, follow these steps: 1. The opacity shield is designed to be installed on an ISR 4451 router chassis that is already rack-mounted. If your ISR 4451-X router chassis is not rack-mounted, install the chassis in the rack using the procedures contained in the ISR 4451 router Installation Guide. If your ISR 4451-X router chassis is already rack- mounted, proceed to step 2. 2. Open the FIPS kit packaging. 3. Open the protective packaging and remove the opacity shield and the two bags of installation hardware. Select the bag of installation hardware appropriate for your installation. Set the second bag of fasteners aside; you will not need them for this installation. 4. Open the bag of installation hardware (Bag with part number 69-1497) and remove the following: Two M4 thumbscrews, four M4 snap rivet fastener sleeves, and four M4 snap rivet pins. Note: Extra snap fasteners are included in the bags of installation hardware in case of loss or damage. Note: Installation hardware from one bag is not interchangeable with the installation hardware from the second bag. The figures in the following section illustrate the installation of the opacity shields for each platform. Page 17 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 8.2 Tamper Evidence The tamper evident seals (hereinafter referred to as tamper evident labels (TEL)) shall be installed on the security devices containing the module prior to operating in FIPS mode. TELs shall be applied as depicted in the figures below. Any unused TELs must be securely stored, accounted for, and maintained by the CO in a protected location. Should the CO have to remove, change or replace TELs (tamper-evidence labels) for any reason, the CO must examine the location from which the TEL was removed and ensure that no residual debris is still remaining on the chassis or card. If residual debris remains, the CO must remove the debris using a damp cloth. Any deviation of the TELs placement such as tearing, misconfiguration, removal, change, replace or any other change in the TEL’s from its original configuration as depicted below by unauthorized operators shall mean the module is no longer in FIPS mode of operation. Returning the system back to FIPS mode of operation require the replacement of the TEL as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The modules shall require the following number of labels to be affixed: Number of Tamper  Opacity Shields  Model  Labels Affixed    ISR 4451-X 13 (indicated in red) 5 (indicated in blue) Table 8: TELs Table The following figures illustrate the installation of the TELs for each platform. Page 18 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 2 1 4 2 3 5 7 6 Front 8 9 4 5 10 Right side Page 19 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 11 1 Left side 12 Back 13 Page 20 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 7 43 10 11 Top 12 8 9 Bottom 13 Page 21 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 9 Secure Operation 9.1 System Initialization and Configuration Prior to system operational initialization and configuration the Crypto Officer must install the opacity shields and tamper evidence seals as specified in section 8 above. Step1 - The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots. From the “configure terminal” command line, the Crypto Officer enters the following syntax: config-register 0x0102 Step 2 - The Crypto Officer must create the “enable” password for the Crypto Officer role. Procedurally, the password must be at least 8 characters, including at least one letter and at least one number, and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt: enable secret [PASSWORD] Step 3 - The Crypto Officer must set up the operators of the module. The Crypto Officer enters the following syntax at the “#” prompt: Username [USERNAME] Password [PASSWORD] Step 4 – For the created operators, the Crypto Officer must always assign passwords (of at least 8 characters, including at least one letter and at least one number) to users. Identification and authentication on the console/auxiliary port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local Step 5 - The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module is configured to use RADIUS or TACACS+, the Crypto-Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long, including at least one letter and at least one number. Step 6 - The Crypto Officer must apply tamper evidence labels as described earlier in this document. Page 22 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Step 7 - Dual IOS mode is not allowed. ROMMON variable IOSXE_DUAL_IOS must be set to 0. Step 8 - In service software upgrade (ISSU) is not allowed. The operator should not perform in service software upgrade of an ISR 4451-X FIPS validated firmware image Step 9 - Use of the debug.conf file is not allowed. The operator should not create the bootflash:/debug.conf file and use it for setting environment variables values. NOTE: The keys and CSPs generated in the cryptographic module during FIPS mode of operation cannot be used when the module transitions to non-FIPS mode and vice versa. Although key separation is maintained by the module so that FIPS mode keys are not used in non-FIPS mode or vice versa, it is recommended that keys be zeroized by the Crypto Officer prior to the module transition from FIPS to non-FIPS mode or from non- FIPS to FIPS mode. 9.2 IPsec Requirements and Cryptographic Algorithms Step 1 - The only type of key management that is allowed in FIPS mode is Internet Key Exchange (IKE) (non-compliant). Step 2 - Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:  ah-sha-hmac  esp-sha-hmac  esp-3des  esp-aes  esp-aes-192  esp-aes-256 Step 3 - The following algorithms shall not be used:  MD-5 for signing  MD-5 HMAC  DES Page 23 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 9.3 Protocols Step 1 - SNMP v3 over a secure IPsec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C. Step 2 - Secure DNS is not allowed in FIPS mode of operation and shall not be configured. 9.4 Remote Access SSH access to the module is allowed in FIPS approved mode of operation, using SSH v2 and a FIPS approved algorithm. 10 Related Documentation This document deals only with operations and capabilities of the security appliances in the technical terms of a FIPS 140-2 cryptographic device security policy. More information is available on the security appliances from the sources listed in this section and from the following source:  The NIST Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains contact information for answers to technical or sales-related questions for the security appliances. Page 24 of 24 © Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.