Mocana Cryptographic Module Software Version 3.06.1 and 3.06.1a Security Policy Document Version 1.05 Mocana Corporation April 17, 2008 Copyright Mocana Corporation 2007. May be reproduced only in its original entirety [without revision]. Mocana Corporation Security Policy TABLE OF CONTENTS 1. MODULE OVERVIEW .........................................................................................................................................3 2. SECURITY LEVEL................................................................................................................................................5 3. MODES OF OPERATION.....................................................................................................................................6 APPROVED MODE OF OPERATION ...............................................................................................................................6 NON-FIPS APPROVED ALGORITHMS .........................................................................................................................6 4. PORTS AND INTERFACES .................................................................................................................................6 5. IDENTIFICATION AND AUTHENTICATION POLICY................................................................................7 ASSUMPTION OF ROLES ..............................................................................................................................................7 6. ACCESS CONTROL POLICY..............................................................................................................................8 ROLES AND SERVICES ................................................................................................................................................8 OTHER SERVICES .......................................................................................................................................................9 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)........................................................................................9 DEFINITION OF PUBLIC KEYS:..................................................................................................................................12 DEFINITION OF CSPS MODES OF ACCESS ................................................................................................................13 7. OPERATIONAL ENVIRONMENT....................................................................................................................14 8. SECURITY RULES .............................................................................................................................................15 9. PHYSICAL SECURITY.......................................................................................................................................16 10. MITIGATION OF OTHER ATTACKS POLICY...........................................................................................16 11. CRYPTOGRAPHIC OFFICER GUIDANCE..................................................................................................16 KEY DESTRUCTION SERVICE ...................................................................................................................................16 12. DEFINITIONS AND ACRONYMS...................................................................................................................17 Page 2 Mocana Corporation Security Policy 1. Module Overview The Mocana Cryptographic Module is a software only, multi-chip standalone cryptographic module that runs on a general purpose computer. The purpose of this module is to provide FIPS Approved cryptographic routines to consuming applications via an Application Programming Interface. The physical boundary of the module is the case of the general purpose computer. The logical boundary of the module is the single cryptographic module dynamic link library (DLL) for Windows and the shared object (SO) for Linux. The cryptographic module runs on the Microsoft Windows CE 4.2, Linux Kernel 2.6 and uClinux Kernel 2.4 operating systems. Application 1 Application 2 Application 3 Mocana Cryptographic Module Operating System Hardware Figure 1 ­ Cryptographic Module Interface Diagram Page 3 Mocana Corporation Security Policy Information Flow Cryptographic Boundary Hash and Message Authentication Code SHA-1 Random Number Generator RSA Key Wrapping SHA-256 Facility SHA-512 HMAC SHA-1 DH Key Generation and Bulk Encryption/ RSA, DSA Calculation of shared Decryption with AES Key Generation secret and TDES Sign/Verify Cryptographic Boundary SHA-1 AES SHA-256 RSA RSA Key DH TDES SHA-512 DSA Wrapping HMAC SHA-1 FIPS 186-2 RNG Figure 2 ­ Logical Cryptographic Boundary Page 4 Mocana Corporation Security Policy 2. Security Level The cryptographic module meets the overall requirements applicable to Security Level 1 of FIPS 140-2. Table 1 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Page 5 Mocana Corporation Security Policy 3. Modes of Operation Approved mode of operation The module supports a FIPS Approved mode of operation. In the FIPS Approved mode of operation, RSA key generation is not allowed. The following FIPS Approved algorithms are supported: - AES (CBC mode; E/D; 128, 192 and 256) - Triple-DES (3-key and 2-key; TCBC mode; E/D) - HMAC-SHA-1 - SHA-1 - SHA-256 - SHA-512 - RSA signature generation and verification (PKCS #1 1.5, Sig Gen and Sig Ver; 1024, 1536, 2048, 3072, 4096) - DSA key generation, signature generation and verification (PQG Gen/Ver, Key Pair Gen, Sig Gen/Ver; 512, 576, 640, 704, 768, 832, 896, 960, 1024) - FIPS 186-2 DRNG Non-FIPS Approved Algorithms Within the FIPS Approved mode of operation, the module supports the following allowed algorithms: - Diffie-Hellman for SSH v2 (for key agreement; provides 80 or 112 bits of encryption strength) - RSA Key Wrapping (provides between 80 and 128 bits of encryption strength) In addition to the above algorithms, the following algorithm is available in the non-FIPS Approved mode of operation: - RSA Key Generation (not algorithm tested) 4. Ports and Interfaces The physical ports of the module are provided by the general purpose computer on which the module is installed. The logical interfaces are defined as the API of the cryptographic module. The module's API supports the following logical interfaces: data input, data output, control input, and status output. Page 6 Mocana Corporation Security Policy 5. Identification and Authentication Policy Assumption of roles The Mocana Cryptographic Module shall support two distinct roles (User and Cryptographic Officer). The cryptographic module does not provide any identification or authentication methods of its own. The Cryptographic Officer and the User roles are implicitly assumed based on the service requested. Table 2 - Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User N/A N/A Cryptographic Officer N/A N/A Table 3 ­ Strengths of Authentication Mechanisms Authentication Mechanism Strength of Mechanism N/A N/A Page 7 Mocana Corporation Security Policy 6. Access Control Policy Roles and Services Table 4 ­ Services Authorized for Roles Role Authorized Services User · Self-tests · Show Status Cryptographic-Officer · DH Key Generation · DH Key Exchange · RSA Signature Generation · RSA Signature Verification · RSA Key Wrapping Encryption · RSA Key Wrapping Decryption · DSA Key Generation · DSA Signature Generation · DSA Signature Verification · AES Encryption · AES Decryption · TDES Encryption · TDES Decryption · SHA-1 · SHA-256 · SHA-512 · HMAC-SHA1 Message Authentication Code · FIPS 186-2 Random Number Generation · Key Destruction · Self-tests · Show Status Page 8 Mocana Corporation Security Policy Other Services The cryptographic module supports the following service that does not require an operator to assume an authorized role: · Self-tests: This service executes the suite of self-tests required by FIPS 140-2. It is invoked by reloading the library into executable memory. Definition of Critical Security Parameters (CSPs) The following are CSPs contained in the module: Table 5: CSP Information Key Description/Usag Generation Storage Entry / Destruction e Output DH Private Used to derive the Internally Temporarily N/A An application Components secret session key using the in volatile program which during DH key FIPS 186-2 RAM uses the API agreement protocol DRNG may destroy the key. The Key Destruction service zeroizes this CSP. DRNG Seed Used to seed the Externally Temporarily Entry: Automatically Key DRNG for key in volatile Plaintext after use generation RAM Output: N/A RSA Private Used to create Externally Temporarily Entry: An application Key RSA digital in volatile Plaintext program which signatures RAM uses the API may destroy the key. The Key Output: Destruction N/A service zeroizes this CSP. Page 9 Mocana Corporation Security Policy Key Description/Usag Generation Storage Entry / Destruction e Output RSA Key Used for RSA Key Externally Temporarily Entry: An application Wrapping Wrapping in volatile Plaintext program which Private Key decryption RAM uses the API operation may destroy the key. The Key Output: Destruction N/A service zeroizes this CSP. DSA Private Used to create May be Temporarily Entry: An application Key DSA digital internally in volatile Plaintext program which signatures generated RAM if uses the API using the generated may destroy the FIPS 186-2 externall key. The Key DRNG or y Destruction generated service zeroizes externally this CSP. Output: Plaintext TDES Key Used during TDES Externally. Temporarily Entry: An application encryption and in volatile Plaintext program which decryption RAM uses the API may destroy the key. The Key Output: Destruction N/A service zeroizes this CSP. AES Key Used during AES Externally. Temporarily Entry: An application encryption and in volatile Plaintext program which decryption RAM uses the API may destroy the key. The Key Output: Destruction N/A service zeroizes this CSP. Page 10 Mocana Corporation Security Policy Key Description/Usag Generation Storage Entry / Destruction e Output HMAC Key Used during Externally. Temporarily Entry: An application HMAC-SHA-1 in volatile Plaintext program which operation RAM uses the API may destroy the key. The Key Output: Destruction N/A service zeroizes this CSP. Page 11 Mocana Corporation Security Policy Definition of Public Keys: The following are the public keys contained in the module: Table 6: Public Key Information Key Description/Usage Generation Storage Entry/Output DH Public Used to derive the Internally Temporarily in Entry: Receive Component secret session key using the volatile RAM Client Public during DH key FIPS 186-2 Component agreement protocol DRNG during DH exchange. Output: Transmit Host Public Component during DH exchange RSA Public Used to verify RSA Externally Temporarily in Input: Plaintext Keys signatures volatile RAM Output: N/A RSA Key Used for RSA Key Externally Temporarily in Input: Plaintext Wrapping Wrapping encryption volatile RAM Public Keys operation Output: N/A DSA Public Used to verify DSA May be Temporarily in Input: Plaintext if Keys signatures internally volatile RAM generated generated externally using the FIPS 186-2 Output: Plaintext DRNG or generated externally Page 12 Mocana Corporation Security Policy Definition of CSPs Modes of Access Table 5 defines the relationship between access to CSPs and the different module services. Table 7 ­ CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation C.O. User X DH Key Use DH Parameters Generation Generate DH Key pair X DH Key Use DH Private Component Exchange Generate DH shared secret X RSA Signature Use RSA Private Key Generation Generate RSA Signature X RSA Signature Use RSA Public Key Verification Verify RSA Signature X RSA Key Use RSA Public Key Wrapping Performs Key Wrapping Encryption Encryption X RSA Key Use RSA Private Key Wrapping Performs Key Wrapping Decryption Decryption X DSA Key Generate DSA Key Pair for Signature Generation Generation/Verification X DSA Signature Use DSA Private Key Generation Generate DSA Signature X DSA Signature Use DSA Public Key Verification Verify DSA Signature X AES Encryption Use AES Key X AES Use AES Key Decryption X TDES Use TDES Key Encryption Page 13 Mocana Corporation Security Policy Role Service Cryptographic Keys and CSPs Access Operation C.O. User X TDES Use TDES Key Decryption X SHA-1 Generate SHA-1 Output; no CSP access X SHA-256 Generate SHA-256 Output; no CSP access X SHA-512 Generate SHA-512 Output; no CSP access X HMAC-SHA-1 Use HMAC-SHA-1 Key Message Generate HMAC-SHA-1 Output Authentication Code X FIPS 186-2 Use Seed Key to generate random number Random Destroy Seed Key after use Number Generation X Key Destruction Destroy All CSPs X X Show Status N/A X X Self-Tests N/A 7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are applicable because the Mocana Cryptographic Module operates in a modifiable operational environment. The following Operational Environments are supported: - Windows CE 4.2 (single-user mode) - Linux Kernel 2.6 (single-user mode) - uClinux Kernel 2.4 (single-user mode) Page 14 Mocana Corporation Security Policy 8. Security Rules The Mocana Cryptographic Module design corresponds to the following security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module. 1. The cryptographic module shall provide two distinct roles. These are the User role and the Cryptographic Officer role. 2. The cryptographic module does not provide any operator authentication. 3. The cryptographic module shall encrypt/decrypt message traffic using the Triple-DES or AES algorithms. 4. The cryptographic module shall perform the following self-tests: Power-up Self-Tests: Cryptographic Algorithm Tests: - AES Known Answer Test - Triple-DES Known Answer Test - HMAC-SHA-1 Known Answer Test - SHA-1 Known Answer Test - SHA-256 Known Answer Test - SHA-512 Known Answer Test - RSA Pairwise Consistency Test - RSA Key Wrapping Known Answer Test - DSA Pairwise Consistency Test - FIPS 186-2 DRNG Known Answer Test Software Integrity Test: HMAC-SHA-1 Critical Functions Tests: N/A Conditional Tests: - DSA Pairwise Consistency Test - FIPS 186-2 DRNG Continuous Test 5. At any time, the operator shall be capable of commanding the module to perform the power-up self-tests by reloading the cryptographic module into memory. 6. The cryptographic module is available to perform services only after successfully Page 15 Mocana Corporation Security Policy completing the power-up self-tests. 7. Data output shall be inhibited during key generation, self-tests, zeroization, and error states. 8. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. The module shall not support concurrent operators. 10. RSA key generation is not allowed in the FIPS Approved mode of operation. 9. Physical Security The FIPS 140-2 Area 5 Physical Security requirements are not applicable because the Mocana Cryptographic Module is software only. 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements. 11. Cryptographic Officer Guidance There are no installation or configuration instructions required for the Mocana Cryptographic Module. RSA key generation is not allowed in the FIPS Approved mode of operation. Key Destruction Service There is a context structure associated with every cryptographic algorithm available in this module. Context structures hold sensitive information such as cryptographic keys. These context structures must be destroyed via respective API calls when the application software no longer needs to use a specific algorithm any more. This API call will zeroize all sensitive information including cryptographic keys before freeing the dynamically allocated memory. See the Mocana Cryptographic API Reference for additional information. Page 16 Mocana Corporation Security Policy 12. Definitions and Acronyms AES Advanced Encryption Standard API Application Program Interface CO Cryptographic Officer CSP Critical Security Parameter DES Data Encryption Standard DH Diffie-Hellman DLL Dynamic Link Library DRNG Deterministic Random Number Generator DSA Digital Signature Algorithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard HMAC Keyed-Hash Message Authentication Code RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir and Adleman Algorithm TDES Triple-DES SHA Secure Hash Algorithm SO Shared Object SSH Secure Shell Page 17