FIPS 140-2 Security Policy P7170IP System Portable Two-Way FM Radio M/A Com, Inc. 221 Jefferson Ridge Parkway Lynchburg, VA 24501 September 5, 2007 Revision Version 2.4 © Copyright 2007 M/A-Com, Inc. This document may be reproduced only in its original entirety without revision. Page 1 of 16 1. Introduction................................................................................................................. 3 1.1. Purpose................................................................................................................ 5 1.2. Validated Configurations .................................................................................... 5 2. Roles, Services, and Authentication ........................................................................... 7 2.1. Roles ................................................................................................................... 7 Crypto-Officer Role .................................................................................................... 7 KMF Role ................................................................................................................... 7 User Role .................................................................................................................... 8 2.2. Authentication Mechanisms and Strength .......................................................... 8 PIN Authentication ..................................................................................................... 8 CMAC Authentication ................................................................................................ 9 AES-MAC Authentication.......................................................................................... 9 3. Secure Operation and Security Rules ....................................................................... 10 3.1. Security Rules ........................................................................................................ 10 M/A Com Security Rules.......................................................................................... 10 FIPS 140-2 Security Rules........................................................................................ 10 3.2. Physical Security Rules..................................................................................... 10 3.3. Secure Operation Initialization Rules ............................................................... 11 4. Definition of SRDIs Modes of Access...................................................................... 13 4.1. Cryptographic Keys, CSPs, and SRDIs ............................................................ 13 4.2 Access Control Policy....................................................................................... 14 5. Glossary .................................................................................................................... 16 © Copyright 2007 M/A-Com, Inc. Page 2 of 16 1. Introduction The following describes the security policy for the multi-chip standalone module, the IP IP P7170 System Portable Two-Way FM Radio (P7170 ). This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module. IP The P7100 series portable radios are rugged, high-quality, high-performance two-way IP FM communication units. The P7100 series portables are available in the System IP (P7170 ) version with or without the immersion option HTMR. These are M/A COM's IP most sophisticated, high specification portable radios. The P7100 designs use custom integrated circuits to set new standards for size and weight in high power, feature-enriched IP two-way radios. The P7100 series radios are Phase-Locked-Loop synthesized radios that can be programmed to operate on EDACS® trunked, P25 trunked, or conventional communications systems. Features include: Lightweight, Rugged Construction Features a molded front case made of a polycarbonate. This construction provides a lightweight yet durable housing designed to withstand years of rugged use. High System/Group Capacity IP The P7100 series radios can manage up to 16 different EDACS system/group combinations (greater than 128 systems/groups with premium feature set) with up to 200 conventional channels. EDACS systems/groups can be configured in many different ways to meet specific user needs. Dual Mode Capability Conventional operation is obtained by simply selecting a pre-programmed conventional system. Project 25 (P25) Interoperability IP The P7100 portable is P25 trunked compliant and is ideal for use either as a primary P25 digital conventional portable or as a trunked portable with P25 Common Air Interface (CAI) for digital talkaround interoperability. The radio provides digital interoperability with other P25 users during critical communications situations. Project 25 (P25) Over-the-Air Rekeying (OTAR) © Copyright 2007 M/A-Com, Inc. Page 3 of 16 IP The P7100 portable provides P25 compliant OTAR support as described in TIA/EIA-102.AACA allowing the radio seamless digital interoperability with P25 compliant Key Management Facilities. Display System and group information, status icons and menu operation is supported by the 3-line, 12-character, alphanumeric backlit Liquid Crystal Display (LCD). Top-Mounted Rotary Knobs The rugged rotary knobs are designed for ease of operation by allowing tactile access to groups, systems, conventional channels, as well as volume and power control. Keypad The backlit keypad allows the user to access the many radio functions. The keypad provides easy access to preprogrammed telephone and individual radio IDs. A detailed description of the keypad and additional functions is found in the OPERATION section. Emergency ID and Alarm The user can alert the dispatcher to an emergency by pressing a recessed red button located on the top of the radio, which sends the user ID and an emergency signal. Universal Device Connector (UDC) The UDC provides the PC programmer and optional accessories access to the radio for ease and versatility of radio functionality. Variable Power Control Variable power control is PC programmable and keypad selectable for 1 or 3 watts. Weatherproof Radios operate reliably under adverse conditions. These portable radios meet military standards MIL-STD-810F specifications for high and low, operating and storage temperatures; low pressure extremes: thermal shock; solar radiation; driven rain; humidity; salt fog; blowing dust; shock and vibration. As mentioned, IP the P7100 series models can also be purchased with a water immersion option HTMR. Vibration © Copyright 2007 M/A-Com, Inc. Page 4 of 16 Meets TIA/EIA-603, U.S. Forest Service (USDA LMR Standard, Section 2.15), and MIL-STD-810F environmental and vibration-stability requirements. Personality Programming Can easily interface with a personal computer in the field, to allow system and radio parameters to be flexibly programmed as requirements change, without changing parts or opening the radio case. 1.1. Purpose This document treats to cover the secure operation of the radio including the initialization, roles, and responsibilities of operating the product in a secure, FIPS 140-2 compliant manner. 1.2. Validated Configurations All validated hardware configurations run the following firmware: H8 Version J2R14B02 and DSP Version F7R06A01. The hardware versions tested and validated are as follows: RU101219V22 ­ 136-174MHz, Portable 7170 System Model RU101219V42 ­ 450-512MHz, Portable 7170 System Model RU101219V52 ­ 378-430MHz, Portable 7170 System Model (100mW) RU101219V62 ­ 378-430MHz, Portable 7170 System Model RU101219V72 ­ 806-870MHZ, Portable 7170 System Model The following table identifies all of the validated hardware part numbers for the P7170IP System Portable Two-Way FM Radios. Validated Hardware Validated Hardware Part Description Version Numbers Numbers RU101219V22 HT7170TH1X P7170 System, 136-174MHz­ Unencrypted HT7170TH1A P7170 System, 136-174MHz ­ AES Algorithm RU101219V42 HT7170TU1X P7170 System, 450-512MHz ­ Unencrypted HT7170TU1A P7170 System, 450-512MHz ­ AES Algorithm RU101219V52 HT7170YN1X P7170 System (100 mW), 378-430MHz­ Unencrypted HT7170YN1A P7170 System (100 mW), 378-430MHz ­ AES Algorithm © Copyright 2007 M/A-Com, Inc. Page 5 of 16 RU101219V62 HT7170TN1X P7170 System, 378-430MHz­ Unencrypted HT7170TN1A P7170 System, 378-430MHz ­ AES Algorithm RU101219V72 HT7170T81X P7170 System, 806-870MHz ­ Unencrypted HT7170T81A P7170 System, 806-870MHz ­ AES Algorithm © Copyright 2007 M/A-Com, Inc. Page 6 of 16 2. Roles, Services, and Authentication The radio supports three roles: Crypto-Officer (CO), Key Management Facility (KMF), and User. By design, both the CO and User roles have access to a common set of services provided by the module, while the KMF role possess a separate set of services (OTAR). A single PIN is used to gain access to services for both the CO and User roles. 2.1. Roles The roles of the module include a Crypto-officer (CO), a Key Management Facility (KMF), and a User Role. All the services of the module require the assumption of an authorized role (i.e., the CO, KMF, or User role). Crypto-Officer Role The Crypto-Officer is an operator who has access to all of the radios management tasks as well as all User services identified below. The CO services include: Putting the module into FIPS mode Loading cryptographic keys and radio personality configuration Upgrading radio firmware (H8 and DSP firmware) Downloading the personality file, Tracking Data and Feature Encryption Data to the radio Using Direct Frequency Entry feature (see the section 6.5.5 of the Maintenance Manual) Loading Tracking Data and Feature Encryption Data KMF Role The KMF sends OTAR key management messages to the radio to configure, update, and modify a given radio's Traffic and KEKs. All KMF services are described in the P25 OTAR standard (TIA/EIA-102.AACA) Change-RSI Procedure Changeover Procedure Delayed-Acknowledgment Delete-Key Procedure Modify-Key Procedure Negative-Acknowledgment © Copyright 2007 M/A-Com, Inc. Page 7 of 16 Rekey Procedure Rekey-Acknowledgment Warm-Start Procedure Zeroize Procedure Hello Procedure Delete-Keyset Procedure No-Service Procedure User Role The User is an operator who is not allowed to perform management tasks such as loading new firmware and loading keys. The following services are assigned to the User role. Turning the module on and initiating power-up self-tests Authenticating / changing PIN Sending/receiving encryption calls Sending/receiving plaintext calls Activating bypass mode Changing the current system and group Browsing through menus to view radio status information Zeroize encryption keys 2.2. Authentication Mechanisms and Strength There are three kinds of authentication mechanisms in the module. First, operators assuming the Crypto-Officer and User roles authenticate by entering a PIN into the radio. Second, the module authenticates loading code by verifying the accompanying CMAC checksum. Finally, the module authenticates messages sent by the KMF by validating the accompanying AES-MAC checksum. Note that only the CO and KMF roles are allowed to perform key management operations. PIN Authentication The Crypto-Officer and the User roles authenticate to the module by presenting a 6-digit PIN. The CO must make sure that the PIN is at least six digits long in order to comply with the FIPS 140-2 authentication requirements. The false acceptance rate of one attempt in this © Copyright 2007 M/A-Com, Inc. Page 8 of 16 PIN authentication is 1/106. The false acceptance rate for multiple attempts is less than 1/105 in a minute. CMAC Authentication The DSP file that is loaded to the module contains an embedded CMAC. When loading the DSP file, the module calculates a CMAC of the file using the CMAC key stored in the module and compares it with the CMAC embedded in the file. If the comparison succeeds, the module resumes normal operation. If the comparison fails, the module continuously resets and does not resume normal operation. AES-MAC Authentication The module supports P25 KMF communication using the AES algorithm, and the KMF will include an AES-MAC with each message to allow the module to authenticate the validity of the message. The module will verify the AES-MAC before processing the message. The KMF uses 256-bit AES-MAC keys to generate a 64-bit OTAR AES-MAC, and thus the false acceptance rate is 1/18x1019, which is far less than 1/106. Additionally, one would need to authenticate 1.84x1014 times in one minute make the probability of a false acceptance greater than 1/105. Therefore, the false acceptance rate for multiple attempts is less than 1/105 in a minute for AES-MAC authentication. © Copyright 2007 M/A-Com, Inc. Page 9 of 16 3. Secure Operation and Security Rules In order to operate the P7170IP System Portable Two-Way FM Radio securely, the operator should be aware of the security rules enforced by the module and should adhere to the physical security rules and secure operation rules required. 3.1. Security Rules The security rules enforced by the radio include both the security rules that the M/A Com has imposed and the security rules that result from the security requirements of FIPS 140-2. M/A Com Security Rules The following security rules are imposed by M/A Com: 1. DSP code with an embedded CMAC should be loaded to the module 2. A CMAC key and a KEK should be loaded to the module 3. All the keys and the PIN should be loaded to the module in encrypted form FIPS 140-2 Security Rules The following are security rules that stem from the requirements of FIPS PUB 140-2. 1. Enable FIPS mode 2. Only FIPS approved cryptographic algorithms to be used (this is automatically done by the module once the FIPS mode is enabled) 3. PIN should be at least 6-digits in length 4. The menu item "ZERO AES" should be configured on the personality file. 3.2. Physical Security Rules The radio is physically protected by applying a tamper evident label as shown in the following figure. The tamper evident label is shown in blue. The following steps shall be taken to apply the serialized tamper-evident label. © Copyright 2007 M/A-Com, Inc. Page 10 of 16 Turn off the radio and remove the battery. Clean the surface surrounding the screw on which the tamper evident label will be applied (see the above figure). Alcohol-based cleaning pads can be used for the cleaning. Apply the tamper evident label covering the screw beneath it as shown in the above figure Record the serial number of the applied label in a security log Allow 24 hours for the adhesive in the tamper-evident seals to completely cure. The battery should be replaced only after this time period has been elapsed. The CO is required to periodically inspect the tamper-evident label to ensure that it is not damaged. 3.3. Secure Operation Initialization Rules The radio provides the following algorithms: Algorithm Type Modes/Mod sizes FIPS-approved Symmetric Algorithms DES 64-bit, OFB No AES 256-bit, ECB, CBC, Yes, AES (Certs. #155 and OFB #623) VGE (M/A Com No proprietary digital voice encryption algorithm) Message Authentication Code CMAC Yes, CMAC (Cert. #623) AES-MAC Allowed, AES MAC (Cert. #623, vendor affirmed) Because FIPS 140-2 prohibits the use of non-FIPS approved algorithms while operating in a FIPS compliant manner, the Crypto-Officer should follow the following rules to initialize a new radio to ensure FIPS level 2. (1) Apply the tamper evident label as described in the section 2.4 (2) Enable FIPS mode on the radio in the following manner (a) Make sure that the radio is turned off. (b) Set up the radio in the configuration shown on Figure 8-2 of the Maintenance Manual. © Copyright 2007 M/A-Com, Inc. Page 11 of 16 (c) Make sure to define a PIN (equal to 6-digits in length), a CMAC key and an AES KEK on the master key file (The master key file is the file containing all the keys, PIN and the EnableFips parameter before encrypting keys and the PIN). Make sure to set the EnableFips parameter to 'true' on the master key file to enable FIPS mode. (d) Before loading the DSP code into the radio [done in step (g) below], use the Keyadminconsole program to generate a CMAC of the code using the CMAC key and embed it in the DSP code. Generate the distribution key file based on the master key file. (e) Start the radio in the programming mode by pressing Option, Clear/Monitor and PTT buttons simultaneously and by powering on the module. (f) Using the ProGrammer (this program runs on a PC as well; please refer to the section 8.5 of the Maintenance Manual and the Help menu on the ProGrammer for details on using it) read the personality from the radio. A window should pop up showing the personality settings of the radio. Under the Options tab, go to Programmable Menus. On the window popped up, under Conventional Menus, select "ZERO AES" as one of the menu items. Once this new personality is loaded to the radio, it gives a menu item called or "ZERO AES" to zeroize all the keys and CSPs of the DSP EEPROM. (g) Load the DSP code and the above personality to the module using the ProGrammer. (h) Load the keys in the distribution key file to the module using the Keyloaderconsole program. This program runs on a PC. (i) Power off and on the module; now the module should be in the FIPS (Approved) mode. (3) Finally, operators should only load AES TEK's and not load any DES TEK's keys during operation (irrespective of whether the DES TEK's are manually distributed or sent via P25 OTAR), as DES is no longer a FIPS approved algorithm. Additionally, operators should not attempt to load any DES TEK's via P25 OTAR (which would only be possible if using a non-standard compliant KMF). When initialized and operated in this fashion, the radio will only use FIPS-approved algorithms. © Copyright 2007 M/A-Com, Inc. Page 12 of 16 4. Definition of SRDIs Modes of Access This section specifies the radio's Security Relevant Data Items as well as the access control policy enforced by the radio. 4.1. Cryptographic Keys, CSPs, and SRDIs While operating in the level 2 FIPS-compliant manner, the radio contains the following security relevant data items: Security Relevant Data SRDI Description Item TEK (Traffic Encryption These keys are used in the encryption and decryption of voice Keys) and data calls. The encryption algorithm used is AES. The key sizes 256-bits, and the keys are stored in the DSP EEPROM in plaintext. AES MAC (TEK) This key is used by the module to authenticate messages sent by the KMF role and to generate AES MAC for response messages. The key is a specially designated 256-bit AES TEK. KEK When the key loading is performed, this key decrypts the encrypted TEKs and the PIN that are being loaded. If a new KEK is loaded (which is encrypted using AES), this key is also used to decrypt the new KEK. The encryption algorithms used is AES. The key size is 256 bits and it is stored in the DSP EEPROM in plaintext. CMAC key At power-up or after firmware loading, the module calculates a CMAC of the DSP firmware using this key and compares it with the CMAC embedded in the DSP firmware. If a new CMAC key is loaded (which is encrypted using AES), this key is also used to decrypt the new CMAC key. The key size is 256 bits and it is stored in the DSP EEPROM in plaintext. Copy of CMAC key This is a copy of the CMAC key mentioned in the above row. When the module performs power-up self-tests, this key is compared with the CMAC key of the above row. The key size is 256 bits and it is stored in the DSP EEPROM in plaintext. PIN This is the PIN that is used for CO and User authentication. The PIN is exactly 6-digits. It is stored in the DSP EEPROM in plaintext. Seed of the RNG This is the random number last generated by the non-Approved RNG before powering off the module. After powering on, the first iteration of the RNG uses this seed. The size is 64 bits and it is stored in the DSP EEPROM in plaintext. Feature Encryption Data This data defines various features (including if the FIPS is enabled and if the AES algorithm is used) enabled on the radio. This data is stored in the Flash and the H8 EEPROM in encrypted form. However, the encryption algorithm is not FIPS approved. Therefore, according to FIPS, this data is considered plaintext. The size of the data is 128 bits. Instance of Feature An instance of the Feature Encryption Data mentioned above Encryption Data is stored in the SRAM (after decryption) at power up in plaintext. The M/A Com proprietary encryption algorithm is used for this decryption. © Copyright 2007 M/A-Com, Inc. Page 13 of 16 P25 Key Instance An instance of the TEK keys that belongs to the P25 system is stored in the SRAM at power up in plaintext. The size of a key is 256 bits. 4.2 Access Control Policy The radio allows controlled access to the SRDIs contained within it. The following table defines the access that an operator or application has to each SRDI while operating the radio in a given role performing a specific service. The permissions are categorized as a set of three separate permissions: read, write, delete. If no permission is listed, then an operator has no access to the SRDI. Feature Encryption Data (FED) Security Relevant Data Item P7170IP System Portable Two-Way FM Radio Copy of CMAC key P25 Key Instance Seed of the RNG Instance of FED SRDI/Role/Service Access Policy CMAC key KEK TEK PIN Role/Service Crypto-Officer Role Placing module in FIPS mode w w w w w Loading keys and radio personality w w w w w configuration Upgrading radio firmware r r r r r r w w Downloading H8 and DSP r firmware, the personality file, Tracking Data and Feature Encryption Data from radio Using Direct Frequency Entry r feature Loading Tracking Data and r r r r r r w w Feature Encryption Data KMF Role Change-RSI Procedure Changeover Procedure Delayed-Acknowledgment © Copyright 2007 M/A-Com, Inc. Page 14 of 16 Delete-Key Procedure w w Modify-Key Procedure w w Negative-Acknowledgment Rekey Procedure w w Rekey-Acknowledgment r r Warm-Start Procedure w w Zeroize Procedure w w w w w w Hello Procedure Delete-Keyset Procedure w w No-Service Procedure User role Turning the module on and initiate r r r r r r r r power-up self-tests Authenticating/modifying PIN r/w Sending/receiving encrypted calls r r r r r r Sending/receiving plaintext calls r r r r r r Activating bypass mode Changing the current system and r group Browsing through menus to view r status information Zeroize encryption keys w w w w w w w © Copyright 2007 M/A-Com, Inc. Page 15 of 16 5. Glossary Term/Acronym Description CO Cryptographic-officer or Crypto-officer EDACS Enhanced Digital Access Communications System KEK Key Encryption Key MDT Mobile Data Terminal PC Personal Computer PTT Push-to-talk RF Radio Frequency SRDI Security Relevant Data Items TEK Traffic Encryption Key OTAR Over the air rekey KMF Key Management Facility © Copyright 2007 M/A-Com, Inc. Page 16 of 16