Version 1.8 n: Page 1 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d FIP 14 2 No PS 40-2 on-Pr rieta ropr ary Sec ty Policy curit y BlackBe erry Cryptographic Java Mod dule Versio ons 2.8, 2. .8.7 and 2 .8.8 Docume version 1.8 ent BlackBe erry Secur rity Certifi ications, BlackBerry B y © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 2 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Table of Cont tents TABLE OF CONTENTS ........................................ F S ...................... ...................... 2 .......................................... ..... LIST OF FIGURES ................................................ F ...................... ...................... 4 .......................................... ..... LIST OF TABLES.................................................. T ...................... ...................... 5 .......................................... ..... CTION ................................................... INTRODUC ...................... ...................... 6 .......................................... ..... 1 CRYP PTOGRAPHIC MODULE SPECIFICATION ............... C S ...................... 8 .......................................... ..... 1.1 CIFICATIONS ......................... PHYSICAL SPEC .......................... 8 .......................................... ...................... 1.2 COMPUTER HARRDWARE, OS, AND JVM ....... A ........................ 10 .......................................... ...................... 1.3 SOFTWARE SPEECIFICATIONS ....................... ........................ 11 .......................................... ...................... 2 PTOGRAPHIC MODULE PORTS AND INTERFACE S ....................................... CRYP C P ...................... 12 ... 3 ROLE SERVICES, AND AUTHENTICATIO ................. ES, ON ...................... 13 .......................................... ... 3.1 ROLES AND SER RVICES ................................ ........................ 13 .......................................... ...................... 3.2 SECURITY FUNC CTION .................................. ........................ 14 .......................................... ...................... 3.3 OPERATOR AUTTHENTICATION ..................... ........................ 17 .......................................... ...................... 4 FINITE STATE MO E ODEL ................................. ...................... ...................... 18 .......................................... ... 5 PHYS SICAL SECUR RITY .................................. ...................... ...................... 19 .......................................... ... 6 OPER RATIONAL EN NVIRONMEN .................. NT ...................... ...................... 20 .......................................... ... 7 CRYP PTOGRAPHIC KEY MANA C AGEMENT .... ...................... ...................... 21 .......................................... ... 7.1 KEY GENERATIO ...................................... ON ........................ 21 .......................................... ...................... 7.2 KEY ESTABLISHMENT ................................. ........................ 21 .......................................... ...................... 7.3 KEY ENTRY AND OUTPUT ............................ D ........................ 21 .......................................... ...................... 7.4 KEY STORAGE ........................................... ........................ 21 .......................................... ...................... 7.5 KEY ZEROIZATIO ...................................... ON ........................ 22 .......................................... ...................... 8 SELF- -TESTS.................................................. ...................... ...................... 23 .......................................... ... 8.1 POWER-UP TESTS ...................................... ........................ 23 .......................................... ...................... 8.2 ON-DEMAND SE -TESTS ........................... ELF ........................ 23 .......................................... ...................... 8.3 CONDITIONAL TEESTS .................................. ........................ 23 .......................................... ...................... 8.4 FAILURE OF SEL -TESTS ............................ A LF ........................ 23 .......................................... ...................... 9 DESIG ASSURANCE .................................. GN ...................... ...................... 24 .......................................... ... 9.1 CONFIGURATION MANAGEMEN .................. N NT ........................ 24 .......................................... ...................... 9.2 DELIVERY AND OPERATION ......................... O ........................ 24 .......................................... ...................... 9.3 DEVELOPMENT .......................................... ........................ 24 .......................................... ...................... 9.4 GUIDANCE DOCUMENTS ............................. ........................ 24 .......................................... ...................... 10 MITIG GATION OF OTHER ATTA O ACKS ............ ...................... ...................... 25 .......................................... ... 10.1 TIMING ATTAC ON RSA ......................... CK ........................ 25 .......................................... ...................... 10.2 ATTACK ON BIASED PRIVATE KEY OF DSA .................... B E A ........................ 25 .......................................... © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 3 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d DOCUMEN AND CON NT NTACT INFORMATION .... ...................... ...................... 31 .......................................... ... © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 4 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d List of Figure o es Figure 1. BlackBerry En B nterprise Serv vice 10 archite ecture............ .......................................... .......................... 6 Figure 2. Cryptographic module hard C c dware block diagram.......... .......................................... .......................... 9 Figure 3: Cryptographic module softw C c ware block diaagram ..................................................... ........................ 11 © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 5 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d List of Tables f s Table 1. Su ummary of ac chieved secur levels per FIPS 140-2 s rity r section .............................. .......................... 7 Table 2. Im mplementation of FIPS 140 interfaces ..................... n 0-2 .......................................... ........................ 12 Table 3. Ro vices .................................. oles and serv .......................................... ...................... ........................ 13 Table 4. Su upported crypptographic alg gorithms ........ .......................................... ...................... ........................ 14 Table 5. Ke and CSP, key size, sec ey curity strength and access ......................................... h, ........................ 16 Table 6. Module self-tes ..................................... sts .......................................... ...................... ........................ 23 © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 6 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Introd duction BlackBerry is the leading wireless solution that allows users t stay conne y® s a to ected to a full suite of application including email, phone, enterprise ap ns, e pplications, th Internet, Short Message Service (SM he e MS), and organizer informatio BlackBerr is a totally integrated pa on. ry i ackage that includes innova ative software e, advanced BlackBerry wireless device and wireless network se w es ervice, provid ding a seamle solution. T ess The BlackBerry Enterprise Service 12 architecture is shown in the following fig y® a s e gure. Figure 1. Bla ackBerry Ent terprise Serv vice 12 archite ecture BlackBerry smartphon are built on industry-lea y® nes o ading wireles technology and, combined with ss BlackBerry Enterprise Service, provid users with an industry l eading, end t end securit solution. W y S de to ty With the use of BlackBerry Enterprise Ser E rvice 12, you can manage BlackBerry s martphones, as well as iOS® c devices, AndroidTM dev A vices, and Winndows phone es® all from a unified interf face. BlackBerry 10 smartpho y ones contain the BlackBerr OS Cryptog t ry graphic Libra a software module that ary, e t provides th cryptograp he phic functionality required fo basic oper or ration of the d device. The BlackBerry Cryptograpphic Java Moddule expands the secure capabilities an features BlackBerry is k s c nd known for, to devices run nning operating systems other than the BlackBerry O o OS. The BlackB Berry Cryptoggraphic Java Module, hereafter referred to as cryptog M d graphic modu or module, is a ule software module that pr m rovides the following crypto ographic serv vices to the BllackBerry Ent terprise Service 12 and other BlackBerry device management com y mponents: · Data en ncryption and decryption · Messag digest and authenticatio code generation ge on · Random data genera m ation · Elliptic curve key pai generation c ir · Elliptic curve digital signature gen c s neration and verification v · Elliptic curve key agr c reement mation on the BlackBerry solution is ava More inform e s ailable from h http://ca.black kberry.com/. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 7 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d The BlackBBerry Cryptog graphic Java Module meets the requirem M s ments applica able to FIPS 1 140-2 Securit ty Level 1 as shown in Tab 1. ble Table 1. Su ummary of ac chieved secur levels per FIPS 140-2 s rity r section Section Level Cryptogra aphic Module Specification n 1 Cryptogra aphic Module Ports and Int terfaces 1 Roles, Se ervices, and Authentication A n 1 Finite Sta Model ate 1 Physical Security S N/A Operation Environme nal ent 1 Cryptogra aphic Key Ma anagement 1 EMI/EMC C 1 Self-Tests s 1 Design Assurance 1 Mitigation of Other Atta n acks 1 Cryptogra aphic Module Security Poli icy 1 © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 8 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 1 Cryp ptograp phic module sp pecificat tion The BlackBBerry Cryptog graphic Java Module is a multiple-chip, stand-alone s M m software cryp ptographic mo odule that operat with the fo tes ollowing compponents: · Comme ercially available general-p purpose comp puter hardwar re · Comme ercially available Operating System (OS that runs on the compute hardware g S) n er · A comm mercially available Java Vir rtual Machine (JVM) that r uns on the co e omputer hardw ware and OS S 1.1 Physical specific l cations The genera computer hardware com al, mponent cons sists of the fo llowing device es: · CPU (m microprocesso or) · Working memory loc g cated on the RAM and contains the follo R owing spaces s: In nput/Output buffer b Plaintext/ciphe P ertext buffer Control buffer C Note: Key storage is no deployed in this module. y ot n Prog gram memory is also located on the RA y AM Hard disk (or disk including flash memory d ks), y Disp play controller including the touch scree controller r, en Keyboard interfac ce Mou interface, including the trackball inte use e erface Audio controller work interface Netw e Serial port Para port allel USB interface B Pow supply wer Figure 2 illustrates the configuration of this compo c onent. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 9 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Key: Phy ysical Cryptograp phic Boundary Flo of data, contro input, and statu output ow ol us Flo of control inpu ow ut Flo of status outpu ow ut Figure 2. Cry yptographic module hardw m ware block di iagram © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 10 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 1.2 Compute hardw er ware, OS, and JVM M The BlackkBerry Crypttographic Java Module versions 2.8 and 2.8.7 have been te v ested on the following representative combinattions of com mputer hardw ware and OS running the Java Runt S, e time Environment (JRE) 1. .5.0 and 1.6.0 by Sun Microsystemss: 1. Solaris 10, 32-bit SPAR (Binary compatible to Solaris 9) 3 RC o 2. Solaris 10, 64-bit SPAR (Binary compatible to Solaris 9) 6 RC o 3. Red Hat Lin AS 5.5, 32-bit x86 (B nux 3 Binary comp patible to AS 2.1/3.0/4.0/ /5.0) 4. Red Hat Lin AS 5.5, 64-bit x86 (B nux 6 Binary comp patible to AS 4.0/5.0) 5. Windows Vista, 32-bit x86 (Binary compatible to Windows 9 x c o 03/XP) 98/2000/200 6. Windows Vista, 64-bit x86 (Binary compatible to Windows 6 x c o 64-bit XP). 7. Windows 20 Server, 64-bit x86 008 kBerry Crypt The Black tographic Java Module version 2.8.8 has been t v 8 tested on the following e representative combin nations of co omputer hard dware and O running the Java Ru OS, untime Environment (JRE) 1..8.0 by Oraccle: 1. CentOS Linux 7.0 64-b x86 bit The modu will run on the JREs 1.3.1, and 1.4.2, and on various har ule o n rdware and OS such as, 1. Any other Solaris Platfo S orms, 2. Any other Linux Platform L ms, 3. Any other Windows Pla W atforms, 4. AIX Platform and ms, 5. HP-UX Plat tforms, while maintaining its compliance to the FIPS 140-2 Level 1 requireme c t ents. Thus, this validation is applicable to these JREs and platforms as well. p © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 11 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 1.3 Software specifications e The BlackBBerry Cryptoggraphic Java Module provid services to the Java c M des computer lang guage users in the n form of a Java archive (JAR). The sa ( ame binary is used for all id dentified com mputer hardwa and OS are because th JVM under he rneath the Bla ackBerry Cryp ptographic Ja Module w absorb the differences o ava will of the computer hardware and OS. The interfa into the BlackBerry Cry ace yptographic Ja Module is through App ava s plication Prog grammer's Interface (A API) method calls. These method calls provide the in c m nterface to the cryptograph services, f e hic for which the parameters and return cod provide th control inpu and status output (see F p des he ut Figure 3). Key: Cry yptographic boun ndary Dat flows ta Figure 3: Cry yptographic module softw m ware block di iagram © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 12 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 2 Cryp ptograp phic module po orts and interfa d aces The crypto ographic modu ports corre ule espond to the physical por of the GPC that is exec e rts C cuting the mod dule, and the moodule interfac correspon to the module's logical in ces nd nterfaces. Th following ta he able describes the s module ports and interfaaces. Table 2. Implementation of FIPS 140- interfaces n -2 FIPS 140 interface 0-2 Module ports e M Module interf faces Data Inpu ut API E Ethernet Port Data Outp put API E Ethernet Port Control In nput API K Keyboard and Mouse d Status Ou utput Return Code C D Display Power Inp put Initializa ation Function n T Power Su The upply is the p power interfac ce. Maintenance Not supported N supported Not d © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 13 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 3 Role serv es, vices, and auth henticat tion 3.1 Roles an servic nd ces The module supports User and Crypto Officer role The modu does not s es. ule support a maintenance role e. The module does not suupport multiple or concurre operators and is intend for use by a single ent ded y operator, th it always operates in a single-user mode. hus Table 3. Ro oles and services Service Cryp Officer pto User r Initializat tion, etc. Initialization Deinitializ zation Self-tests s Show status Symmetr Ciphers (A ric AES and TRI IPLE-DES) Key gene eration (Triple-DES only) Encrypt Decrypt Key zeroization Hash Alg gorithms and Message Authentication (SHA, HMA d n AC) Hashing Message authenticatio on Random Number Gen neration (pRNG) Instantiation Request CSP/key zeroization Digital Si ignature (DS ECDSA, RSA) SA, R Key pair generation g © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 14 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Service Cryp Officer pto User r Sign Verify Key Zeroization Key Agre eement (Diffie-Hellman, Elliptic Curve Diffie-Hellm E e man, ECMQV V) Key pair generation g Shared se ecret generat tion Key Zeroization KeyWrap pping (RSA) Key pair generation g Wrap Unwrap Key Zeroization To operate the module securely, the Crypto Office and User a responsiblle for confinin those meth e s er are ng hods that have been FIPS 14 b 40-2 Approved Thus, in the Approved m d. e mode of opera ation, all roles shall confine s e themselves to calling FIPS Approved algorithms, as shown in T s d a Table 4. 3.2 Security function y n The BlackB Berry Cryptog graphic Java Module suppo many cry M orts yptographic algorithms. Ta able 4 shows t the set of crypt tographic algo orithms suppo orted by the BlackBerry Cr B ryptographic Java Module. Table 4. Su upported cryp ptographic alg gorithms Type Algor rithm FIPSS Certificate appproved or number allo owed Block Cip phers DES (ECB, CBC, CFB64, OFB6 ( C 64) TRIPL LE-DES (TEC TCBC, TC CB, CFB64, TOFB B) # 964, # 19 954 [SP80 00-67] DESX (ECB, CBC, CFB64, OFB X B64) AES (ECB, CBC, CFB128, OFB ( C B128, # 1411, # 3 3465 CTR, CCM, CMAC GCM) [FIPS 197] C, S © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 15 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Type Algor rithm FIPSS Certificate appproved or number allo owed ARC2 (ECB, CBC, CFB64, OFB 2 , B64) [RFC 22 268] Stream ARC4 4 Cipher Hash SHA-1 [FIPS 180-4 4] # 1281, # 2 2860 s Functions SHA-224 [FIPS 18 80-4] # 1281, # 2 2860 SHA-256 [FIPS 18 80-4] # 1281, # 2 2860 SHA-384 [FIPS 18 80-4] # 1281, # 2 2860 SHA-512 [FIPS 18 80-4] # 1281, # 2 2860 MD5 [RFC 1321] MD4 MD2 [RFC 1115] Message HMAC C-SHA-1 [FIP 198-1] PS # 832, # 22 210 Authentic cation # 832, # 22 210 HMAC C-SHA-224 [F FIPS 198-1] # 832, # 22 210 HMAC C-SHA-256 [F FIPS 198-1] # 832, # 22 210 HMAC C-SHA-384 [F FIPS 198-1] # 832, # 22 210 HMAC C-SHA-512 [F FIPS 198-1] HMAC C-MD5 [RFC 2104] pRNG ANSI X9.62 RNG [ANSI X9.62] [ DRBG [NIST SP 800-90A Rev. 1] G # 52, # 85 52 NDRB (Generate BG eSeed()) # 455, # 9 978 Digital DSA [FIPS 186-4] Signature e # 179, # 7 702 ECDS [FIPS 186-4] SA # 687, # 17 776 RSA PKCS1 v1.5 Signature[PK S KCS #1 v2.1] # 687, # 17 776 RSA PSS [PKCS #1 v2.1] # © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 16 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Type Algor rithm FIPSS Certificate appproved or number allo owed ECQV V # 8, # 61 Key Diffie- -Hellman [NIS SP 800-56 ST 6A] Agreement # 8, # 62 2 Elliptic Curve Diffie e-Hellman [NI IST SP 800-5 56A] # 8, # 62 2 ECMQ [NIST SP 800-56A] QV Key Wrap pping RSA PKCS1 v1.5 Encryption [P PKCS #1 v2.1 ] RSA OAEP [NIST SP 800-56B] O ECIES [ANSI X9.6 S 63] The DES, DESX, AES CCM* (CCM star) mode, pRNG (ANSI X C s p X9.62), ARC2 ARC4, MD5 MD4, MD2 2, 5, 2, and HMAC C-MD5, ECQV ECIES, RS PKCS #1 v1.5 Encryptio algorithm, and Diffie-He V, SA v on ellman with strength < 112 bits are supported as non FIPS Ap s pproved algor rithms. In orde to operate the module in a er n FIPS Approoved mode of operation thhese algorithm must not b used. GCM encryption should not be ms be M e performed in order to re emain FIPS coompliant Note: 2-Ke Triple-DES decryption is permitted fo legacy purp ey S s or poses. 2-Key Triple-DES e encryption is considered a non FIPS Approved alg d gorithm as of January 1st, 2 2016. Please consult NIST SP 800-131A T for addition details on algorithm transitions. nal Table 5 summarizes the keys and CS used in the FIPS mod e SPs de. Table 5. Ke and CSP, key size, secu ey k urity strength and access h, s Security Algorithm m Key and CSP Key si ize Access s strength AES Key y 128 to 256 bits 128 to 256 biits Use TRIPLE-D DES Key y 192 bit ts 112 bits Creat Read, Use te, e HMAC Key y 160 to 512 bits 160-512 bits Use pRNG (DRBG) see ed 160-51 bits 12 160-256 bits Use DSA Key pair y 2048 to 15360 o 112 to 256 biits Creat Read, Use te, e bits ECDSA Key pair y 224 to 521 bits 112 to 256 biits Creat Read, Use te, e RSA Key pair y 2048 to 15360 o 112 to 256 biits Creat Read, Use te, e bits © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 17 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Security Algorithm m Key and CSP Key si ize Access s strength DH Sta atic/ephemera al 2048 to 15360 o 112 to 256 biits Creat Read, Use te, e key pair y bits ECDH Sta atic/ephemera al 224 to 521 bits 112 to 256 biits Creat Read, Use te, e key pair y ECMQV Sta atic/ephemera al 224 to 521 bits 112 to 256 biits Creat Read, Use te, e key pair y RSA key Key pair y 2048 to 15360 o 112 to 256 biits Creat Read, Use te, e wrapping bits Note: Diffie-Hellman (key agreem D ment; key esta ablishment mmethodology p provides betwween 112 and 256 d bits of encryption strength; non-complian less than 1 12-bits of enc nt cryption stren ngth). EC Diffie-Hellm (key agr E man reement; key establishmen methodolo provides between 112 and nt ogy 2 cryption strength; non-com 256 bits of enc mpliant less tha 112-bits o encryption s an of strength). ECMQV (key agreement; key establishm E a k ment methodo ology provide between 11 and 256 bits of es 12 encryption stre ompliant less than 112-bits of encryption strength). ength; non-co t n RSA (key wra R apping; key establishment methodolog provides b e gy between 112 and 256 bits of 2 encryption stre ength; non-co ompliant less than 112-bits of encryption strength). t n Digital signatu generation that provid D ure des less than 112 bits of security (usi n ing RSA, DS or SA ECDSA) is disallowed begin E nning January 1st, 2014. y Digital signature generation using SHA-1 as its under D n 1 unction is disa rlying hash fu allowed begin nning Ja anuary 1st, 2014. HMAC-SHA-1 shall have a key size of at least 112 bit H t ts. In FIPS appro n oved mode on the curves P-224, P-25 P-384, P- nly s 56, -521, K-233, K-283, K-409 K- 9, 571, B-233, B--283, B-409 and B-571 can be used. a n The BlackBerr Cryptograp T ry phic Java Mo odule support the elliptic curves K-16 B-163, P- ts c 63, -192, se ecp160r1, se ect239k1 and wTLS5 that are not FIP approved. They can b used with the d t PS be h ECDSA, ECDH ECMQV an ECIES alg E H, nd gorithms, but not in FIPS a approved mod de. 3.3 Operator authent r tication The BlackB Berry Cryptoggraphic Java Module does not deploy an authentication mechanis The opera M n sm. ator implicitly se elects the Cry ypto Officer and User roles s. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 18 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 4 Finite State Model e l The Finite State Model contains the following state c f es: In nstalled/Uninitialized In nitialized Self-Test S Id dle Crypto Officer/ C /User Error E The followi list provides the import ing tant features of the state tr o ransitions: 1. Whe the Crypto Officer instal the module the module is in the Inst en lls e, e talled/Uninitia alized state. 2. Whe the initializ en zation comma is applied to the modul e, the module is loaded into memory an and e nd trans sitions to the Initialized sta Then, the module trans ate. e sitions to the Self-Test state and auto omatically runs the power-u tests. Whil in the Self- Test state, all data output through the d up le data outp interface is prohibited. On success, the module e nters the Idle state; on fail put s O t e lure, the module ente the Error state and the module is dis ers s sabled. From the Error stat the Crypto Officer migh te, o ht need to reinstall the module to attempt corr d t o rection. 3. From the Idle state, which is entered only if the self-test has succeeded, the modu can transit m e f ule tion to th Crypto Officer/User state when an AP function is called. he PI 4. Whe the API fun en nction has completed succ cessfully, the s state transitio back to th Idle state. ons he 5. If the conditional test (continuo RNG test or Pair-wise consistency T e ous t Test) fails, the state transitions to th Error state and the module is disable he ed. 6. Whe the on-dem en mand self-test is executed, the module e t elf-Test state. On success, the enters the Se moddule enters the Idle state; on failure, the module ente the Error s e o ers state and the module is disa abled. 7. Whe the de-initialization com en mmand is exec odule returns to the Installe cuted, the mo ed/Uninitialize ed state e. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 19 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 5 Phy ysical se ecurity The BlackB Berry device that executes this module is manufactu red using industry standar integrated t s rd circuits and meets the FIPS 140-2 Le d F evel 1 physica security req al quirements. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 20 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 6 Ope erationa enviro al onment The BlackBBerry Cryptog graphic Java Module runs on a single-us operation environme where eac M o ser nal ent ch user applic cation runs in a virtually separated, inde ependent spac ce. Note: Modern operating systems, suc as Unix, Linux, and Win g ch ndows provide such opera ational environments. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 21 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 7 Cryp ptograp phic key manag y gement The BlackBBerry Cryptog graphic Java Module provid the unde rlying function to support FIPS 140-2 M des ns Level 1 key management. The user will select FIP Approved algorithms an will handle keys with y w PS nd e appropriate care to build up a system that complie with FIPS 140-2. The C e d m es Crypto Officer and User are e responsible for selecting FIPS 140-2 validated alg e g gorithms. For more informaation, see Tab 4. ble 7.1 Key gene eration The BlackB graphic Java Module provid FIPS 140 compliant key generation. The Berry Cryptog M des 0-2 t underlying random nummber generatio uses a FIP Approved method, DRB on PS BG. The module also supports Dual_EC DRBG; howe ever, the use o Dual_EC D of DRBG is non--approved for key generation. No keys ge enerated using this version of the DRBG can be used to protect se g n G d ensitive data in the Approv mode. An random ou ved ny utput in Approoved mode us sing the DUAL L_EC DRBG is equivalent to plaintext. 7.2 Key esta ablishme ent The BlackBBerry Cryptog graphic Java Module provid the follow M des wing FIPS App owed key proved or Allo establishm ment technique [5]: es · Diffie Hellman (DH): The DH key agreemen technique i mplementatio supports m e k nt on modulus sizess from 512 bits to 15360 bits tha provides be m 1 at etween 56 and 256 bits of security stren d ngth, where 2048 bits and above must be used to provide a minimum of 11 bits of sec m t m 12 curity in the FI IPS mode. · EC Diffie-Hellman (ECDH) & ECMQV : The ECDH and E D n E e ECMQV key a agreement teechnique implementations support elliptic curve sizes from 160 bit to 571 bits that provide b s ts between 80 a and 256 bits of security strength, where 224 bits and above m w s must be used to provide a minimum of 112 d bits of security in the FIPS moode. · RSA OAEP: The RSA OAEP key wrapping implementat A k tion supports modulus size from 512 bits to es 1536 bits that pr 60 rovides betwe 56 and 25 bits of sec een 56 curity, where 2 2048 bits and above must be d used to provide minimum of 11 bits of sec d m 12 curity in the FIIPS mode. It is the responsibility of the calling application to make sure that the app y g e propriate key e establishment techniques are applied to the app propriate keyss. 7.3 Key entr and ou ry utput Secret (sec curity sensitiv keys must be imported to and expor ve) t rted from the cryptographic boundary in c n encrypted form using a FIPS Approved algorithm. 7.4 Key stor rage The BlackBBerry Cryptog graphic Java Module is a lo M ow-level crypt tographic toolkit; therefore it does not e, provide key storage. y © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 22 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 7.5 Key zero oization The BlackBBerry Cryptoggraphic Java Module provid zeroizablle interfaces w M des which implem ment zeroizatio on methods. Zeroization of all keys and CSPs are pe Z f erformed in th e finalizing m methods of the objects; JVM e M executes th finalizing methods ever time it oper he m ry rates garbage collection. e © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 23 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 8 Self f-tests 8.1 Power-up tests p Self-tests are initiated automatically by the module at start-up. The following tests are ap a a b e g pplied. Table 6. Mo odule self-tes sts Test Description Known An nswer Tests (KATs) ( KA are perfo ATs ormed on TRI IPLE-DES, AES, AES GCM SHS (usin M, ng HMAC-SHS), HMAC-SHS, DRBG, RNG, RSA Signature Algorithm H m, an KDF. For DSA and ECD nd D DSA, a Pair-w wise Consiste ency Test is us sed. Fo DH, ECDH ECMQV, th underlying arithmetic im or H, he mplementation ns ar tested usin DSA and E re ng ECDSA tests. Software integrity test Th software in he ntegrity test d deploys ECDS signature validation to SA ve erify the integrity of the moodule. DRBG He ealth tests DRBG Instantia DRBG G ate, Generate, DRB Reseed, D BG DRBG Un- instantiate 8.2 On-dema and self-t tests The Crypto Officer or Us can invok on-demand self-tests by invoking a fu o ser ke d y unction, which is described in h d Appendix C Crypto Offic and User Guide in this document. cer 8.3 Conditio onal tests s The continuous RNG te is executed on all RNG generated da examinin the first 160 bits of each est d ata, ng 0 h requested random gene erator for repe etition. This ex xamination m makes sure tha the RNG is not stuck at any at s constant va alue. In additi ion, upon eac generation of a DSA, EC ch CDSA, or RSA key pair, th generated key A he pair is teste for its corr ed rectness by geenerating a signature and verifying the signature on a given messsage as a Pair-wwise Consisteency Test. Upo generation or reception of a DH, EC on n n CDH, or ECMQ key pair, t QV the key pair is tested of thei correctness by checking shared secre matching o two key agr ir s et of reement partie es as a Pair-wwise Consisteency Test. 8.4 Failure of self-te o ests Self-test fa ailure places the cryptograp phic module in the Error st tate, wherein no cryptographic operations can be per rformed. The module is dis sabled. Additio onally, the cry yptographic mmodule will throw a Java exception to the caller. t © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 24 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 9 Des sign ass surance 9.1 Configur ration ma anageme ent A configura ation manage ement system for the crypto m ographic mod dule is employ and has been described yed in documentation submitted to the testing laborato The modu uses the C ory. ule Concurrent V Versioning Sys stem (CVS) or Subversion (S S SVN) to track the configurat t tions. 9.2 Delivery and ope eration Please refe to Section A.1 of Crypto Officer And User Guide in Appendix A to review the steps neces er o n e ssary for the secure installatio and initializ on zation of the cryptographic module. c c 9.3 Developm ment Detailed deesign informaation and proc cedures have been describ in documentation that was submitte to bed ed the testing laboratory. The source co is fully annotated with c T ode comments, and it was also submitted to the o o oratory. testing labo 9.4 Guidance docum ments The Crypto Officer Guid and User Guide outlines the operatio for the Cry o de G s ons ypto Officer a User to and ensure the security of th module. e he © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 25 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d 10 Mitigatio of oth M on her atta acks The BlackB Berry Cryptog graphic Java Module imple M ements mitiga ation of the folllowing attack ks: Timing attack on RSA T o Attack on biased private key of DSA A 10.1 Timing attack on RSA a n When emp ploying Montg gomery compu utations, timin effects allo an attacke to tell when the base of ng ow er n exponentia ation is near the secret modulus. This atttack leaks in formation con ncerning the s secret modulu us. In order to mitigate this attack, the ba ases of expon nentiation are randomized by a novel te e echnique that requires no inversion to remove (unlike other blind o ding methods for example see BSAFE Crypto-C Us s, e, E ser Manual v4.2). mote timing att Note: Rem tacks are prac ctical. For mo informatio see Remo Timing Atta ore on, ote acks are Prac ctical [9]. 10.2 Attack on biased private key of D o d DSA The standa ards for choos sing ephemer values in El-Gamal type signatures iintroduce a sl ral E e light bias. Daniel Bleichenba acher present the means to exploit th ted s hese biases to ANSI. o evels that are far below the Bleichenbacher In order to mitigate this attack, this bias in RNG is reduced to le s e e attack threshold. To mitigate this attack, NIST publishe Change Notice 1 of FIP 186-2. e N ed PS © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 26 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Appendix A Acrony x yms Introdu uction This appen ndix lists the acronyms use in this docu a ed ument. Acrony yms Acronym m Full term AES Advanced Encryption Standard S ANSI American National Stan ndards Institu ute ARC Alleged Ri ivest's Cipher r CBC cipher bloc chaining ck CCM Counter with CBC-MAC w C CFB cipher feed dback CMAC Cipher-bas MAC sed CSP critical sec curity parame eter CTR counter CVS Concurren Versioning System nt DES Data Encr ryption Standa ard DH Diffie-Hellm man DRBG determinis random bit generator stic DSA Digital Signature Algorithm EC Elliptic Curve ECB electronic codebook ECC Elliptic Curve Cryptogra aphy ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Sig gnature Algor rithm ECIES Elliptic Curve Integrate Encryption Standard ed ECMQV Elliptic Curve Menezes-Qu-Vanstone e © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 27 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Acronym m Full term ECNR Elliptic Curve Nyburg Rueppel R ECQV Elliptic Curve Qu-Vanst tone FIPS Federal Information Pro ocessing Stan ndards GCM Galois/Counter Mode HMAC Hash-base Message Authentication code ed A n IEEE Institute of Electrical an Electronics Engineers f nd s KAT known ans swer test LCD liquid crystal display LED light-emitti diode ing MD Message Digest Algorit D thm NIST National In nstitute of Sta andards and T Technology OAEP Optimal As symmetric En ncryption Pad dding OFB output feedback PIM personal in nformation management PIN personal id dentification number n PKCS Public-Key Cryptograph Standard y hy PSS Probabilist Signature Scheme tic pRNG pseudoran ndom number generator r RFC Recursive Flow Classification RNG random nu umber genera ator RSA Rivest Sha amir Adleman n SHA Secure Ha Algorithm ash m SHS Secure Ha Service ash SMS Short Mes ssage Service e SVN Subversion TRIPLE-D DES Triple Data Encryption Standard a USB Universal Serial Bus © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 28 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Appendix B Refere x ences s Introdu uction This appen ndix lists the references tha were used for this projec r at ct. Referen nces 1. NIST Security Re equirements For Cryptogra F aphic Modules FIPS PUB 140-2, Decem s, mber 3, 2002 2. NIST Security Re equirements For Cryptogra F aphic Modules Annex A: A s, Approved Sec curity Function ns for FIPS PUB 140 Draft, Jul 26, 2011 F 0-2, ly 3. NIST Security Re equirements For Cryptogra F aphic Modules Annex B: A s, Approved Protection Profile es for FIPS PUB 140 Draft, Au F 0-2, ugust 12, 2011 4. NIST Security Reequirements For Cryptogra F aphic Modules Annex C: A s, Approved Ran ndom Numbe er Gen nerators for FI IPS PUB 140-2, Draft, July 26, 2011. y 5. NIST Security Re equirements For Cryptogra F aphic Modules Annex D: A s, Approved Key Establishme y ent Tech hniques for FIPS PUB 140 Draft, July 26, 2011. F 0-2, y 6. NIST Security Re equirements For Cryptogra F aphic Modules Derived Tes Requireme s st ents for FIPS P PUB 140- Draft, January 4, 2011. -2, 7. NIST Implementaation Guidanc for FIPS PU 140-2 and the Cryptog ce UB d graphic Modul Validation le Prog gram, July 15 2011. 5, 8. NIST Frequently Asked Quest tions for the Cryptographic Module Valid C c dation Progra Decembe 4, am, er 2007. 9. David Brumley, Dan Boneh, "R D Remote Timin Attacks are Practical", S ng e Stanford Univ versity http: ://crypto.stanf ford.edu/~dab bo/papers/ssl-timing.pdf © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 29 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Appendix C Crypto Office an Us x o nd ser Guid de C.1 In nstallatio on In order to carry out a se ecure installa ation of the Bla ackBerry Cry yptographic Ja Module, t Crypto Of ava the fficer must follow the procedu described in this section. w ure C.1.1 In nstalling the cryp g ptograph modu hic ule The Crypto Officer is res o sponsible for the installatio of the Blac on ckBerry Crypt tographic Java Module. On nly the Crypto Officer is allo owed to instal the product. ll . oFIPS.jar in C LASSPATH o as in installed extension Note: Place the cryptographic module, Eccpresso or n. C.1.2 Uninstalli U ing the cryptogra c aphic mo odule Remove th jar file, Ecc he cpressoFIPS.j from the computer har jar, c rdware. C.2 Co ommands C.2.1 In nitializat tion FIPSMana age.getInstancce().activateF FIPSMode() This metho runs a series of Self-Tests on the mo od odule. These tests examine the integrity of the share y ed object, and the correct operation of th cryptograp d o he phic algorithm If these tests are succe ms. essful, the moodule will be ena abled. C.2.2 Deinitializ D zation FIPSMana age.getInstancce().deactivat teFIPSMode() This metho de-initialize the module od es e. C.2.3 Self-tests S s FIPSMana age.getInstancce().runSelfTeests() This metho runs a series of Self-Tests, and retur if the tests are success od rns s sful, otherwise and except e, tion is thrown. These tests examine the in T e ntegrity of the shared objec and the co e ct, orrect operatio of the on cryptograpphic algorithms. If these tes fail, the mo sts odule will be d disabled. Sec ction C.3 of th document his describes how to recove from the disabled state. h er © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 30 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d C.2.4 Show Sta S atus Status can be found by calling FIPSMManager.getIn nstance().isF IPSMode() an nd FIPSMana ager.getInstan nce().requestC CryptoOperattion(). If both methods retu true, the m urn module is in th he Idle state. C.3 When the cryptogr W raphic module is disabled m d When Blac ckBerry Cryptographic Java Module bec a comes disable attempt to bring the mo ed, o odule back to the o Installed st tate by calling the deinitialization metho and then to initialize the module usin the g od, o e ng initialization method. If the initializatio is success t on sful, the modu is recovere If this atte ule ed. empt fails, uninstall th module and re-install it. If the module is initialized successfully by this re-ins he d e stallation, the recovery is successful. If this recover attempt fails, it indicates a fatal error.. Contact Bla s ry s ackBerry Support immediately. © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht Version 1.8 n: Page 31 o 31 of BlackBerry Cryptograph Java Modu Versions 2.8, 2.8.7 and 2.8.8 y hic ule 2 d Docum ment an conta nd act information n Version Date Author Reas son for revis sion 1.0 January 06, 2012 0 Randy Ey yamie Docu ument creatio on 1.1 June 1, 2012 2 Randy Ey yamie Upda ates based on Lab Comme n ents 1.2 June 14, 2012 Randy Ey yamie Adde reference to version 2.8 ed 8.7 1.3 May 29, 2015 2 Randy Ey yamie Adde reference to version 2.8 ed 8.8 1.4 July 29, 2015 2 Randy Ey yamie Upda ates based on Lab Comme n ents 1.5 Novembe 12, 2015 er Randy Ey yamie Upda ates based on Lab Comme n ents 1.6 Novembe 25, 2015 er Randy Ey yamie Upda ates based on Lab Comme n ents 1.7 Decembe 16, 2015 er Randy Ey yamie Upda ates based on Lab Comme n ents Randy Ey yamie Updaates required for NIST SP 1.8 January 11, 2016 1 800- -131A transitio ons Contact Corpora office ate Security Certifications Team C BlackBe B erry certificatio ons@blackbe erry.com 2200 Un niversity Ave. E . (519) 888 8-7465 ext. 72 2921 Waterlo ON, Canad oo, da N2K 0A A7 www.bla ackberry.com m © 2016 BlackBerry Limit All rights res ted. served. www.blackb berry.com Product Security y This document may be freely reproduced and distributed whole a intact includ ing this Copyrigh Notice and ht