SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Version 1.2 Last update: 2015-11-24 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 1 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of contents 1 Introduction............................................................................................................................ 3 1.1 Purpose......................................................................................................................... 3 1.2 Document Organization / Copyright.............................................................................. 3 1.3 External Resources / References................................................................................... 3 2 Cryptographic Module Specification....................................................................................... 4 2.1 Module Overview.......................................................................................................... 4 2.2 Modes of Operation....................................................................................................... 5 2.3 Cryptographic Boundary............................................................................................... 7 2.3.1 Hardware Block Diagram..................................................................................... 7 2.3.2 Software Block Diagram...................................................................................... 8 3 Cryptographic Module Ports and Interfaces.......................................................................... 10 4 Roles, Services and Authentication...................................................................................... 11 4.1 Roles........................................................................................................................... 11 4.2 Services...................................................................................................................... 11 4.3 Authentication............................................................................................................ 13 4.4 Mechanism and Strength of Authentication................................................................ 13 5 Physical Security.................................................................................................................. 14 6 Operational Environment..................................................................................................... 15 6.1 Policy.......................................................................................................................... 15 7 Cryptographic Key Management.......................................................................................... 16 7.1 Random Number Generation...................................................................................... 16 7.2 Key Life Cycle Table.................................................................................................... 16 7.3 Key Zeroization........................................................................................................... 18 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC).............................. 19 9 Self Tests.............................................................................................................................. 20 9.1 Power-Up Tests............................................................................................................ 20 9.1.1 Software Integrity Test Details........................................................................... 20 10 Guidance............................................................................................................................ 21 10.1 Crypto Officer Guidance............................................................................................ 21 10.1.1 Configuration Changes and FIPS Approved Mode............................................ 21 10.2 User Guidance.......................................................................................................... 22 10.3 Handling Self Test Errors........................................................................................... 22 11 Mitigation of Other Attacks................................................................................................. 23 Appendix A Glossary and Abbreviations.................................................................................. 24 Appendix B References........................................................................................................... 25 ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 2 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 1 Introduction 1.1 Purpose This document is the non-proprietary Security Policy for the SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module version 1.0. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS 140-2 (Federal Information Processing S24tandards Publication 140-2) for a security level 1 module. This document was prepared as part of the requirements for conformance to FIPS 140-2 Level 1. It is intended for security officers, developers, system administrators and end-users. FIPS 140-2 details the requirements of the Governments of the U.S. and Canada for cryptographic modules, aimed at the objective of protecting sensitive but unclassified information. For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at http://csrc.nist.gov/. Throughout the document "SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module", "the StrongSwan Module", or "the Module" are used interchangeably to refer to the SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module. 1.2 Document Organization / Copyright This non-proprietary Security Policy document may be reproduced and distributed only in its original entirety without any revision, ©2015 SUSE. 1.3 External Resources / References The SUSE website (www.suse.com) contains information about SUSE Linux Enterprise Server. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/) contains links to the FIPS 140-2 certificate and SUSE contact information. Appendix A contains the abbreviations and Appendix B contains the additional references. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 3 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 2 Cryptographic Module Specification 2.1 Module Overview For FIPS 140-2 purposes, the SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module is a software-only, security level 1 cryptographic module, running on a multi-chip standalone platform. The current version of the module is 1.0. The Module supplies cryptographic support of the IKEv2 protocols for the SUSE Linux Enterprise Server (SLES) user space. Table 1 shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard: FIPS 140-2 Section Security Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 1: Security Levels The StrongSwan Module does not have a direct dependency on AES-NI implementation, but it is bound to the SUSE Linux Enterprise Server 12 - OpenSSL Module with FIPS140-2 validation certificate #2435, which could be operated either with or without AES-NI enabled. Therefore, the StrongSwan Module has been tested in the following software configurations: · 64-bit x86_64 with AES-NI disabled · 64-bit x86_64 with AES-NI enabled Table 2 shows the multi-chip standalone platform on which the Module has been tested: Manufacture Model O/S & Ver. HP ProLiant DL320e Gen8 SUSE Linux Enterprise Server 12 (with and without AES-NI) Table 2: Tested Platforms This cryptographic module consists of the following components: strongswan-ipsec RPM file providing the IPsec protocol with the version of the RPM file of 5.1.3-15.1.x86_64 containing the following files: /usr/lib/ipsec/charon /usr/lib/ipsec/duplichk /usr/lib/ipsec/imv_policy_manager ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 4 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy /usr/lib/ipsec/pt-tls-client /usr/lib/ipsec/scepclient /usr/lib/ipsec/starter /usr/lib/ipsec/stroke strongswan-libs0 RPM file providing the shared libraries with the version of the RPM file of 5.1.3-15.1.x86_64. The following files are provided by the RPM. Note that the RPM also delivers other shared libraries which are not part of the module and are not accessible in FIPS mode. /usr/lib64/ipsec/libcharon.so.0.0.0 /usr/lib64/ipsec/libstrongswan.so.0.0.0 /usr/lib64/ipsec/libtls.so.0.0.0 /usr/lib64/ipsec/plugins/libstrongswan-openssl.so The strongswan-hmac RPM file containing the HMAC integrity verification files for the 64-bit shared libraries with the version of the RPM file of 5.1.3-15.1.x86_64. The following files are provided: /usr/lib/ipsec/._fipscheck.hmac /usr/lib/ipsec/.charon.hmac /usr/lib/ipsec/.starter.hmac /usr/lib/ipsec/.stroke.hmac /usr/lib/ipsec/.libcharon.so.0.0.0.hmac /usr/lib/ipsec/.libstrongswan.0.0.0.hmac /usr/lib/ipsec/.libtls.0.0.0.hmac /usr/lib/ipsec/plugins/.libstrongswan-openssl.hmac The dracut-fips package provides for the configuration of FIPS mode with the version of the RPM file of 037-37.2.x86_64. It provides the following files: /etc/dracut.conf.d/40-fips.conf /usr/lib/dracut/modules.d/01fips/fips-boot.sh /usr/lib/dracut/modules.d/01fips/fips-noboot.sh /usr/lib/dracut/modules.d/01fips/fips.sh /usr/lib/dracut/modules.d/01fips/module-setup.sh The fipscheck package which ensures the system boots into FIPS mode with the version of the RPM file of 1.2.0-9.3.x86_64 provides the following files: /usr/bin/.fipscheck.hmac /usr/bin/fipscheck The integrity check and all cryptographic operations other than the KDF in IKEV2 for the StrongSwan Module are performed by the SUSE Linux Enterprise Server 12 - OpenSSL Module with FIPS140-2 validation certificate #2435. 2.2 Modes of Operation The Module supports two modes of operation: FIPS approved and non-approved. In FIPS approved mode, the Module will support the approved cryptographic algorithms as shown in Table 3. Column four lists the CAVP validation numbers obtained from NIST for successful validation testing of the implementation of the cryptographic algorithms on the platform as shown in Table 2. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 5 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy In the FIPS approved mode of operation, the Module will require the following approved cryptographic algorithms from the OpenSSL module. Algorithm Usage Keys/CSPs Validation/Certificate Triple-DES (CBC) Encryption and Triple-DES keys 168 Cert. #1823 Decryption bits AES (CBC, CTR, CCM Encryption and AES keys 128, 192 Cert. #3197, #3198 and GCM) Decryption and 256 bits and #3199 SHA-1 Hashing N/A Cert. #2645, #2646 SHA-224 and #2648 SHA-256 SHA-384 SHA-512 HMAC-SHA-1 Message Integrity At least 112 bits Cert. #2014, #2015 HMAC-SHA-256 HMAC key and #2016 HMAC-SHA-384 HMAC-SHA-512 AES CMAC Message Integrity AES keys 128, 192 Certs. #3197, #3198. Generation and 256 bits #3199 Hash-based DRBG SP 800-90A Seed and nonce Certs. #674, #675 and Random Number #676 Generation Diffie-Hellman SP 800-56A Diffie-Hellman CVL Cert. #431 DLC primitive Key Agreement public and private components with key size 2048 and 3072 bits EC Diffie-Hellman SP 800-56A EC Diffie-Hellman CVL Cert. #431 DLC primitive Key Agreement public and private components with P- 256, P-384 and P- 521 RSA FIPS 186-4 RSA keys 2048 and Cert. #1628 Signature Generation 3072 bits and Verification ECDSA FIPS 186-4 ECDSA keys P-256, Cert. #586 Signature Generation P-384 and P-521 and Verification Table 3: Approved Algorithms - provided by the bound OpenSSL Module The SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module implements the IKEv2 protocol and the following cryptographic algorithm: Algorithm Function Validation/Certificate SP 800-135 Key Derivation in Key derivation in IKEv2 CVL Cert. #486 IKEv2 Table 4: Approved Algorithm - provided by the StrongSwan Module Note that in FIPS mode the Module only supports the IKEv2 protocol and that the IKEv1 protocol is not supported and should not be used. The IKEv2 protocol has been reviewed and tested by the testing lab but it has not been reviewed or tested by the CAVP or CMVP. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 6 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy The following table shows the non-approved algorithms that can only be used in non- approved mode. Any use of these non-approved algorithm functions will cause the Module to operate in the non-FIPS mode implicitly. Non-approved Usage / Description Algorithm Diffie-Hellman Key agreement, key size smaller than 2048 bits or greater than 3072 bits Camellia Encryption and decryption Table 5: Non-approved Algorithms ­ provided by the bound OpenSSL Module Notes: 1. All cryptographic algorithms, approved and non-approved, other than the SP 800-135 Key Derivation in IKEv2 are provided by the SUSE Linux Enterprise Server 12 ­ OpenSSL Module (FIPS 140-2 Validation #2435) 2. The SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module uses the SUSE Linux Enterprise Server 12 ­ OpenSSL Module (FIPS 140-2 Validation #2435) for standard cryptographic algorithms and integrity checking. It will require that a copy of FIPS 140-2 level 1 validated version of SUSE Linux Enterprise Server 12 ­ OpenSSL Module is installed on the system. 2.3 Cryptographic Boundary 2.3.1 Hardware Block Diagram The physical boundary of the Module is the surface of the case of the target platform. Figure 1 shows the hardware block diagram of the Module including the processors, memory, internal power supply, power interface, data status and control paths, etc. The bold line surrounding the hardware components represents the Module's physical cryptographic boundary. The hardware devices consist of standard integrated circuits and does not include any security- relevant, semi- or custom integrated circuits or other active electronic circuit elements. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 7 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Figure 1: Hardware Block Diagram 2.3.2 Software Block Diagram The logical boundary of the Module is shown in the Software Block Diagram (Figure 2) and contains: · The SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module · The HMAC integrity verification file · the dracut-fips package The dracut-fips package is only used during boot time of the underlying operating system for the configuration of the Module. The OpenSSL module is a shared library to which the StrongSwan Module is bound. The OpenSSL module provides the standard cryptographic services to the StrongSwan Module. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 8 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Figure 2: Software Block Diagram ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 9 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 3 Cryptographic Module Ports and Interfaces As a software-only module, the Module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the application program interface (API) through which applications request services. The following table summarizes the logical interfaces. Module Logical interface Description Data Input Host key file, ipsec.secrets and certificate file /etc/ipsec.d.cert, network Data Output Network Control Input Configuration files, keyboard (commands), command line options Status Output Display, network, system log Power Input Physical power connector of the General Purpose Computer Table 6: Ports and Interfaces ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 10 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 4 Roles, Services and Authentication 4.1 Roles The Module meets all FIPS 140-2 level 1 requirements for Roles and Services, implementing both User and Crypto Officer (CO) role. The Module does not allow concurrent operators. User role: performs all services, except module installation and configuration. CO role: performs installation and configuration. The User and CO roles are implicitly assumed by the entity accessing the services implemented by the module. No further authentication is performed or required. 4.2 Services The Module provides services to authorized operators of either the User or CO role according to the applicable FIPS 140-2 security requirements. Table 7 contains the approved services provided by the StrongSwan Module in the approved mode. For each available service, it lists the associated role(s), the critical security parameters (CSPs) and cryptographic keys involved, and the type(s) of access to the CSPs and cryptographic keys. Please refer to Table 3 and 4 for approved key sizes of the approved algorithms and the algorithm certificates. The access types are denoted as follows: 'R': The item is read or referenced by the service 'W': The item is written or updated by the service 'Z': The persistent item is zeroized by the service Service Algorithm / Role Cryptographic Keys and CSPs Access Function Accessed Type (source module) Install and None CO RSA or ECDSA private/public key RWZ Configure the (OpenSSL) module Manage Commands CO DRBG seed and nonce RW Charon IKE (N/A, provided by /dev/urandom) daemon (start, stop, etc.) Negotiate IKE RSA/ECDSA User Servers RSA or ECDSA private/public RWZ to establish Signature key security Generation and (OpenSSL) associations Verification, (SAs) Hash-based DRBG, Peers RSA or ECDSA public key RWZ Diffie-Hellman and (N/A) EC Diffie-Hellman, AES/Triple-DES Encryption and DRBG seed and nonce RW Decryption, (N/A) SHS Keyed-Hash, HMAC Diffie-Hellman and EC Diffie-Hellman RW (provided by the private and public key components bound OpenSSL (OpenSSL) module. Please see Table 3) AES or Triple-DES encryption keys RW SP 800-135 KDF in (ISAKMP SA tunnel encryption key, ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 11 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Service Algorithm / Role Cryptographic Keys and CSPs Access Function Accessed Type (source module) IKEv2 (provided by IKEv2 SA tunnel encryption key and the StrongSwan IPSec SA tunnel encryption key) module. Please see (StrongSwan) Table 4) Zeroize of servers HMAC data authentication key RW RSA/ECDSA key (OpenSSL) Close Zeroize User Diffie-Hellman and EC Diffie-Hellman Z Association public and private components (OpenSSL) AES or Triple-DES encryption keys Z (ISAKMP SA tunnel encryption key, IKEv2 SA tunnel encryption key and IPSec SA tunnel encryption key) (StrongSwan) HMAC data authentication key Z (OpenSSL) Self-test Start/restart of CO Software Integrity key for StrongSwan R module (HMAC SHA-256) (StrongSwan) Software Integrity key for OpenSSL R (HMAC SHA-256) (OpenSSL) Software Integrity key for fipscheck R (HMAC SHA-256) (OpenSSL) Show status Exit codes CO None N/A Table 7: Approved Services Notes: · The Show Status indicator is via the messages sent to syslog to the location specified on the syslog configuration on the system. · Self tests are run when the Module is started. They can be run on demand by restarting the Module. The following table lists the non-approved service provided by the StrongSwan Module in non- approved mode. Service Algorithm / Function Role Access Type Negotiate IKE to Camellia Encryption and Decryption, Diffie-Hellman User RWZ establish security with non-approved key size as listed in Table 5 associations (The non-approved cipher suites can be configured (SAs) in ipsec.conf file) Table 7A: non-Approved Service ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 12 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 4.3 Authentication The Module does not implement authentication. The role is implicitly assumed on entry. 4.4 Mechanism and Strength of Authentication The Module does not implement authentication. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 13 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 5 Physical Security The Module is comprised of software only and thus does not claim any physical security. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 14 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 6 Operational Environment This Module operates in a modifiable operational environment per the FIPS 140-2 definition. 6.1 Policy The operating system shall be restricted to a single operator mode of operation (i.e., concurrent operators are explicitly excluded). The application that makes calls to the cryptographic module is the single user of the cryptographic module, even when the application is serving multiple clients. In FIPS mode, the ptrace(2) system call, the debugger gdb(1) and strace(1) shall not be used. In addition, other tracing mechanisms offered by the Linux environment, such as ftrace or systemtap shall not be used. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 15 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 7 Cryptographic Key Management 7.1 Random Number Generation The Module employs a SP 800-90A deterministic random bit generator (DRBG) which is called from the OpenSSL module. The Linux kernel provides /dev/urandom as a source of random numbers for DRBG seeds. The Linux kernel initializes this pseudo device at system startup. The OpenSSL module performs Continuous Random Number Generation Test (CRNGT) on the output of the SP 800-90A DRBG to ensure that consecutive random numbers do not repeat. The CRNGT on the random numbers for seeding the DRBG is performed by the kernel. 7.2 Key Life Cycle Table The following table identifies the cryptographic keys and CSPs used within the Module. Cryptographic keys and CSPs are never output from the Module in plaintext. An approved key generation method is used to generate keys via the OpenSSL module. Key Type Generation Establish- Entry and Storage Zeroization ment Output method RSA Private RSA key N/A N/A N/A Plaintext Immediately and Public after use Keys ECDSA ECDSA N/A N/A N/A Plaintext Immediately Private and key after use Public Keys ISAKMP SA AES or N/A Established N/A Ephemeral Close of Tunnel Triple- during the ISAKMP SA Encryption DES ISAKMP SA or Keys handshake termination using of the Diffie- Charon Hellman or daemon EC Diffie- Hellman IKEv2 SA AES or N/A Established N/A Ephemeral Close of Tunnel Triple- during the IKEv2 SA or Encryption DES IKEv2 SA termination Keys handshake of the using Charon Diffie- daemon Hellman or EC Diffie- Hellman and SP 800-135 IKEv2 KDF IPSec SA AES or N/A Established N/A Ephemeral Close of Tunnel Triple- during the ISAKMP SA Encryption DES IPSec and IKEv2 SA Keys handshake or using overwritten Diffie- by Hellman or renegotiated EC Diffie- IPSec SA or ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 16 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Key Type Generation Establish- Entry and Storage Zeroization ment Output method Hellman termination of the Charon daemon Diffie- Diffie- SP 800-90A N/A N/A Ephemeral Close of Hellman Hellman Hash-based ISAKMP SA Private and DRBG and IKEv2 SA Public or Parameters termination of the Charon IKE daemon EC-Diffie- EC- SP 800-90A N/A N/A Ephemeral Close of Hellman Diffie- Hash-based ISAKMP SA Private and Hellman DRBG and IKEv2 SA Public or Parameters termination of the Charon IKE daemon DRBG seed SP 800- N/A N/A N/A (see Ephemeral N/A 90A section 7.1), Hash- provided by based /dev/urandom DRBG DRBG SP 800- N/A N/A N/A (see Ephemeral N/A nonce 90A section 7.1), Hash- provided by based /dev/urandom DRBG Software HMAC N/A N/A N/A Plaintext Termination Integrity SHA-256 within the of the Key for OpenSSL fipscheck OpenSSL library application application Software HMAC N/A N/A N/A Plaintext Termination Integrity SHA-256 within the of the Key for fipscheck fipscheck fipscheck library application application Software HMAC N/A N/A N/A Plaintext Termination Integrity SHA-256 within the of the Key for StrongSwan fipscheck StrongSwan library application application Table 8: Key Life Cycle Notes: The Module ships without containing any keys and CSPs. When the Module is configured, the CO specifies secrets (RSA private keys, x.509 certificates or eXtended Authentication passwords (XAUTH)) in the /etc/ipsec.secrets file (see the ipsec.secrets(5) man page). ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 17 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy A secret is associated with the correct entity using optional selectors. A selector is an IP address, a fully qualified domain name, user@FQDN, %any or %any6. To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no selectors will match any host and peer. An entry with one selector will match a host and peer if the selector matches the host's ID (the peer is not considered). An entry with multiple selectors will match a host and peer if the host ID and peer ID each match one of the selectors. If the key is for an asymmetric authentication technique (e.g., RSA) an entry with multiple selectors will match a host and peer even if only the host Id matches a selector (all selectors are assumed to be identities of the host). Persistently stored secret and private keys are out of scope, but may be zeroized using a FIPS140-2 approved mechanism to clear data on hard disks. 7.3 Key Zeroization For volatile memory, overwriting with hex 0 is included in deallocation operations. There are no restrictions when zeroizing any cryptographic keys and CSPs. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 18 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) The test platform as shown in Table 2 is compliant to 47 CFR FCC Part 15, Subpart B, Class A (Business use). ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 19 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 9 Self Tests 9.1 Power-Up Tests Software Integrity Test: all cryptographic function tests are performed by the SUSE Linux Enterprise Server 12 - OpenSSL Module before it will perform cryptographic operations for the StrongSwan Module. 9.1.1 Software Integrity Test Details StrongSwan userspace modules have their integrity verified at startup by the software integrity test. The integrity check is performed by the SUSE Linux Enterprise Server 12 - OpenSSL Module utility fipscheck using HMAC-SHA256. When the Module starts, it exercises the power-on self test, including the software integrity test. The software integrity test (HMAC-SHA256) constitutes a known answer test for the HMAC-SHA256 algorithm. The user space integrity verification is performed as follows: The StrongSwan application links with the library libfipscheck.so which is intended to execute fipscheck to verify the integrity of the calling application file using HMAC-SHA256. Upon calling the FIPSCHECK_verify() function provided with libfipscheck.so, the fipscheck application is loaded and executed, and the following steps are performed: · OpenSSL, as loaded by fipscheck, performs the integrity check of the OpenSSL library files using HMAC-SHA256. · The application fipscheck performs the integrity check of its application file using HMAC-SHA256 provided by OpenSSL. · The fipscheck application performs the integrity check of the calling application. The fipscheck computes the HMAC-SHA256 checksum of the file from the command line and compares the computed value to the value stored inside the /path/to/application/..hmac checksum file. The fipscheck application returns the appropriate exit value based on the comparison result (zero if the checksum is OK ­ which is enforced by the libfipscheck.so library). The fipscheck application also automatically verifies the integrity of libfipscheck when loaded. No operator intervention is required during the running of the self tests. Successful or unsuccessful completion of the power-up and integrity tests is displayed via the messages sent to syslog to the location specified on the syslog configuration on the system. See section 10.3 for descriptions of possible self test errors and recovery procedures. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 20 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 10 Guidance Password-based encryption and password-based key generation do not provide sufficient strength to satisfy FIPS 140-2 requirements. As a result, data processed with password-based encryption methods are considered to be unprotected. NOTE: The SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module requires that a copy of a FIPS 140-2 validated version of the SUSE Linux Enterprise Server 12 - OpenSSL Module (validation certificate #2435) be installed on the same operational environment. 10.1 Crypto Officer Guidance The version of the RPM containing the validated module is stated in section 2 above. The integrity of the RPM is automatically verified during the installation and the crypto officer shall not install the RPM file if the RPM tool indicates an integrity error. The RPM package of the Module can be installed by standard tools recommended for the installation of RPM packages on a SUSE Linux system. For proper operation of the in-module integrity verification, the prelink must be disabled. This can be done by setting PRELINKING=no in the /etc/sysconfig/prelink configuration file. If the libraries were already prelinked, the prelink should be undone on all the system files using the 'prelink -u -a' command. To bring the Module into FIPS approved mode, perform the following: 1. Install the dracut-fips package: # zypper install dracut-fips 2. Recreate the INITRAMFS image: # dracut -f After regenerating the initrd, the crypto officer has to append the following parameter in the /etc/default/grub configuration file in the GRUB_CMDLINE_LINUX_DEFAULT line: fips=1 After editing the configuration file, please run the following command to change the setting in the boot loader: grub2-mkconfig -o /boot/grub2/grub.cfg If /boot or /boot/efi resides on a separate partition, the kernel parameter boot= must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example: $ df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 233191 30454 190296 14% /boot The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended to the kernel command line: "boot=/dev/sda1" Reboot to apply these settings. To operate the crypto module, the operating system must be restricted to a single operator mode of operation, and the ptrace(2) system call, the debugger gdb(1) and strace(1) shall not be used. In addition, other tracing mechanisms offered by the Linux environment, such as ftrace or systemtap shall not be used. 10.1.1 Configuration Changes and FIPS Approved Mode Use caution whenever making configuration changes that could potentially prevent access to the /proc/sys/crypto/fips_enabled flag (fips=1) in the file/proc. If the Module does not detect this flag during initialization, it does not enable the FIPS approved mode. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 21 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy All user space modules depend on this file for transitioning into FIPS approved mode. 10.2 User Guidance See the StrongSwan(8) man page for general usage documentation of StrongSwan. 10.3 Handling Self Test Errors OpenSSL self test failures may prevent the StrongSwan Module from operating. See the Guidance section in the Security Policy of SUSE Linux Enterprise Server 12 ­ OpenSSL Module for instructions on handling OpenSSL self test failures. The StrongSwan Cryptographic Module self test consists of the software integrity test. If the integrity test fails, StrongSwan enters an error state. When an error occurs, a message is written to the syslog. The only recovery from this type of failure is to reload the SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module. If the user downloaded the software, the package hash needs to be verified to confirm a proper download. Conditional tests are performed within the bound SUSE Linux Enterprise Server 12 ­ OpenSSL Module. See the OpenSSL Security Policy for details on conditional test failures. OpenSSL self test failures may prevent the StrongSwan Module from operating. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 22 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 11 Mitigation of Other Attacks The cryptographic Module is not designed to mitigate any specific attacks. ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 23 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix A Glossary and Abbreviations AES Advanced Encryption Specification CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining Message Authentication Code CMAC Cipher-based Message Authentication Code CFB Cipher Feedback CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback O/S Operating System PKCS Public Key Cryptography Standards PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSH Secure Shell TDES Triple-DES XTS XEX Tweakable Block Cipher with Ciphertext Stealing ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 24 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix B References FIPS 140-2 Security Requirements for Cryptographic Modules PUB January 2011 http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 http://csrc.nist.gov/publications/fips/fips180-4/fips 180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198 1/FIPS-198 1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated July20_2007.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-56A NIST Special Publication 800-56A Revision 2 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography May 2013 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 56Ar2.pdf ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 25 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90A NIST Special Publication 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators January 2012 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf ©2015 SUSE Linux Products GmbH / atsec information security corporation Page 26 of 26 This document can be reproduced and distributed only whole and intact, including this copyright notice.