FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points November 4, 2010 Version 2.2 Contents This security policy contains these sections: · Overview, page 2 · Physical Security Policy, page 3 · Secure Configuration, page 8 · Roles, Services, and Authentication, page 9 · Cryptographic Key Management, page 11 · Disallowed Security Functions, page 14 · Self Tests, page 14 · Obtaining Documentation, Support, and Security Guidelines, page 15 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Overview Overview The Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i (herein collectively called the modules) are wireless access points that support the IEEE 802.11a/b/g Wi-Fi standards for wireless LAN communications, and the AP1142, AP1252, AP1262, CAP3502e, and CAP3502i are 802.11n and 802.11n draft 2.0 WiFi CERTIFIED. The modules support the IEEE 802.11i standard for wireless LAN security. They are multiple-chip standalone cryptographic modules, compliant with all requirements of FIPS 140-2 Level 2 and Level 3 for Design Assurance. In the FIPS mode of operations, the modules support Control and Provisioning of Wireless Access Points (CAPWAP) and Management Frame Protection (MFP). CAPWAP, together with X.509 certificates, authenticates the module as a trusted node on the wired network. CAPWAP protects all control and bridging traffic between trusted network access points and the module with DTLS encryption. The modules secure all wireless communications with Wi-Fi Protected Access 2 (WPA2). WPA2 is the approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. In the FIPS mode of operation, the modules use the following cryptographic algorithm implementations: AP1131 and AP1242: · AES CBC, ECB, CMAC and CCM (firmware) · AES CBC, CMAC and CCM (hardware) · SHA-1 (firmware) · HMAC SHA-1 (firmware) · X9.31 Random Number Generator (firmware) · RSA Sign/Verify (firmware) AP1142, AP1252, AP1262, CAP3502e, and CAP3502i: · AES CBC, ECB, CMAC and CCM (firmware) · AES CBC, CMAC and CCM (hardware) · AES CBC (hardware) · SHA-1 (firmware) · SHA-1 (hardware) · HMAC SHA-1 (firmware) · HMAC SHA-1 (hardware) · X9.31 Random Number Generator (firmware) · RSA Sign/Verify (firmware) All modules also implement a non-Approved NDRNG used to seed the Approved RNG. This document details the security policy for the Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i cryptographic modules. This document is non proprietary and may be freely distributed. The evaluated platforms are summarized in Table 1. Table 1 Evaluated Platforms Model Firmware Version Hardware Revision AP1131 7.0.98.0 S0 AP1142 7.0.98.0 G0 FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 2 OL-16067-06 Physical Security Policy Table 1 Evaluated Platforms (continued) Model Firmware Version Hardware Revision AP1242 7.0.98.0 P0 AP1252 7.0.98.0 F0 AP1262 7.0.98.0 B0 CAP3502e 7.0.98.0 B0 CAP3502i 7.0.98.0 B0 Physical Security Policy This section describes placement of tamper-evident labels on the module. Labels must be placed on the device(s) and maintained by the Crypto Officer in order to operate in the FIPS approved mode of operation. Label Placement on the AP1131 For the AP1131 (FIPS kit AIRLAP-FIPSKIT=, version B0), place quantity three (3) tamper evident labels over the bottom panel and over the top cover as shown in Figure 1 below. Also place one (1) tamper evident label over the console port. Figure 1 Tamper labels on AP1131 FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 3 Physical Security Policy Label Placement on the AP1142 For the AP1142 (FIPS kit AIRLAP-FIPSKIT=, version B0), put two (2) tamper evident labels over two screws, and one (1) tamper evident label over the cap of the mode button and console port as shown in Figure 2 below: Figure 2 Tamper labels on AP1142 FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 4 OL-16067-06 Physical Security Policy Label Placement on the AP1242 For the AP1242 (FIPS kit AIRLAP-FIPSKIT=, version B0), put four (4) tamper evident labels over the removable top cover, and one (1) tamper evident label over the cap of the mode button and console port as shown in Figure 3 below: Figure 3 Tamper labels on AP1242 FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 5 Physical Security Policy Label Placement on the AP1252 For the AP1252 (FIPS kit AIRLAP-FIPSKIT=, version B0), place quantity two (2) tamper evident labels over the removable top cover, and one (1) over the cap of the mode button and console port as shown in Figure 4 below: Figure 4 Tamper labels on AP1252 FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 6 OL-16067-06 Physical Security Policy Label Placement on the AP1262, CAP3502e, and CAP3502i The seal placement is identical for the AP1262, CAP3502e, and CAP3502i (FIPS kit AIRLAP-FIPSKIT=, version B0): one (1) seal is placed underneath the bottom metal cover to prevent access to the Console port (see Figure 5). This seal also covers a metal guard that physically prevents the "Mode" button from being pressed. Figure 5 Seal covering console port and Mode button FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 7 Secure Configuration Two (2) seals are placed over the specified two (2) screws on corners of the plastic module enclosure (see Figure 6) to prevent the screws from being removed without evidence of tamper and ensure that the enclosures are opaque. Figure 6 Seals covering screws on module enclosure Secure Configuration This section details the steps used to securely configure the modules to operate in FIPS 140-2 mode of operations. The administrator configures the modules from the wireless LAN controller with which the access point is associated. The wireless LAN controller shall be placed in FIPS 140-2 mode of operations prior to secure configuration of the access points. The Cisco Wireless LAN controller Security Policy contains instructions for configuring the controller to operate in the FIPS 140-2 approved mode of operation. Configure CCKM (Cisco Centralized Key Management) CCKM is Cisco's wireless key management and is an optional mode permitted by this security policy. CCKM uses the same cipher suite as 802.11i; however, it has a slightly different key management scheme to support wireless client fast roaming between access points. Wireless client must comply with the updated CCKM specification described in CCXv5 in the FIPS mode of operation. The following controller CLI command configures CCKM on a given WLAN: > config wlan security wpa akm cckm enable index FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 8 OL-16067-06 Roles, Services, and Authentication Refer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions. Note The module does not participate in the CCKM key establishment but rather assists in passing data between the client and the RADIUS server. Connect AP to a Controller Establish an Ethernet connection between the AP Cryptographic Module and a LAN controller configured for the FIPS 140-2 approved mode of operations. Set Primary Controller Enter the following controller CLI command from a wireless LAN controller with which the access point is associated to configure the access point to communicate with trusted wireless LAN controllers operating in FIPS mode: > config ap primary-base controller-name access-point Enter this command once for each trusted controller. Enter show ap summary to find the access point name. Enter show sysinfo to find the name of a controller. Save and Reboot After executing the above commands, you must save the configuration and reboot the wireless LAN controller: > save config > reset system Roles, Services, and Authentication This section describes the roles, services, and authentication types in the security policy. Roles The module supports the roles of Crypto Officer and User. The CO role is fulfilled by the wireless LAN controllers on the network that the module communicates with, and performs routine management and configuration services, including loading session keys and zeroization of the module. The User role is fulfilled by wireless clients. The module does not support a maintenance role. FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 9 Roles, Services, and Authentication Services The services provided are summarized in Table 2. Table 2 Module Services Service Role Purpose Self Test and CO Cryptographic algorithm tests, firmware Initialization integrity tests, module initialization. Note Module initialization can be obtained either by the CO resetting the access point remotely or by someone with physical access to the module manually cycling the power. System Status CO Show the network activity and overall operational status. Key Management CO Key and parameter entry, key output, key zeroization. Module Configuration CO Selection of non-cryptographic configuration settings. CAPWAP CO Establishment and subsequent data transfer of a CAPWAP session for use between the module and the CO. 802.11i User, CO Establishment and subsequent data transfer of an 802.11i session for use between the wireless client and the AP. CCKM User, CO Establishment and subsequent data transfer of a CCKM session for use between the wireless client and the AP. MFP User, CO · Validating one AP with a neighboring AP's management frames using infrastructure MFP · Encrypt and sign management frames between AP and wireless client using client MFP DTLS data encrypt CO Enabling optional DTLS data path encryption for Office Extend APs.1 1. For further DTLS data configuration information, see the Cisco Wireless LAN Controller Configuration Guide. An unauthenticated operator may observe the System Status by viewing the LEDs on the module which show network activity and overall operational status. A solid green LED indicates normal operation and the successful completion of self-tests. The module does not support a bypass capability in the approved mode of operations. FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 10 OL-16067-06 Cryptographic Key Management Crypto Officer Authentication The Crypto Officer (Wireless LAN Controller) authenticates to the module through the CAPWAP protocol, using an RSA key pair with 1536 bit modulus. NIST SP 800-57 defines this modulus size as having effective symmetric key strength of 96 bits. An attacker would have a 1 in 296 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 7.9x1023 attempts per minute, which far exceeds the operational capabilities of the modules to support. User Authentication Users are authenticated to the module by means of the Temporal Key (TK). The TK portion of the 802.11i Pairwise Transient Key (PTK) is 128 bits. An attacker would have a 1 in 2128 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 3.4x1033 attempts per minute, which far exceeds the operational capability of the module to support. Cryptographic Key Management Cryptographic keys are stored in flash and in SDRAM for active keys. The DTLS Pre-Master Secret is generated in the AP using the approved DRNG. The DTLS Pre-Master Secret is used to derive the DTLS Encryption and Integrity Keys. All other keys are input into the module from the controller encrypted over a CAPWAP session. During a CAPWAP session, the APs first authenticate to the Wireless LAN controller using an RSA key pair. All traffic between the AP and the controller is encrypted in the DTLS tunnel. Keys such as the 802.11i, CCKM and MFP keys are input into the module encrypted with the DTLS session key over the CAPWAP session. The module does not output any plain text cryptographic keys. Table 4 lists the secret and private cryptographic keys and CSPs used by the module. Table 5 lists the public keys used by the module. Table 6 lists the access to the keys by service. Table 3 Secret and Private Cryptographic Keys and CSPs Name Algorithm Storage Description and Zeroization PRNG seed key X9.31 Flash This is the seed key for the PRNG. It is statically stored in the code and is zeroized when the controller image is erased during zeroization procedure. PRNG seed X9.31 SDRAM This is the seed for the PRNG. It is generated using the reg_add_fresh_entropy function. It is zeroized during the zeroization procedure. cscoIdCert RSA Flash This is the AP's RSA private key. It is zeroized during the zeroization procedure. DTLS Shared secret SDRAM Shared secret generated by approved RNG for Pre-Master generating the DTLS encryption key. Secret FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 11 Cryptographic Key Management Table 3 Secret and Private Cryptographic Keys and CSPs (continued) Name Algorithm Storage Description and Zeroization DTLS Master Shared secret SDRAM Derived from DTLS Pre-Master Secret. Used to Secret create the DTLS Encryption and Integrity Keys. DTLS AES-CBC SDRAM Session key used to encrypt and decrypt Encryption Key CAPWAP control messages. (CAPWAP Session Key) DTLS Integrity HMAC- SHA-1 SDRAM Session key used for integrity checks on Key CAPWAP control messages. Infrastructure AES-CMAC SDRAM The 128 bit AES Key which is used to sign MFP MIC Key management frames when infrastructure MFP is enabled. It is zeroized during the zeroization procedure. 802.11i AES-CCM SDRAM The PTK, also known as the CCMP key, is the Pairwise 802.11i session key for unicast communications. Transient Key This key also used to encrypt and sign (PTK) management frames between AP and the wireless client. It is zeroized during the zeroization procedure. 802.11i AES-CCM SDRAM The TK, also known as the CCMP key, is the Temporal Key 802.11i session key for unicast communications. (TK) It is zeroized during the zeroization procedure. 802.11i Group AES-CCM SDRAM The GTK is the 802.11i session key for Temporal Key broadcast communications. It is zeroized during (GTK) the zeroization procedure. Key HMAC- SHA-1 SDRAM HMAC-SHA-1 Key component of PTK. Confirmation Key (KCK) Key Encryption AES-KeyWrap SDRAM AES Key Encryption Key component of PTK. Key (KEK) CCKM AES-CCM SDRAM The CCKM PTK is the CCKM session key for Pairwise unicast communications. It is zeroized during Transient Key the zeroization procedure. (PTK) CCKM Group AES-CCM SDRAM The CCKM GTK is the CCKM session key for Temporal Key broadcast communications. It is zeroized during (GTK) the zeroization procedure. FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 12 OL-16067-06 Cryptographic Key Management Table 4 Public Keys Name Algorithm Storage Description and Zeroization bsnOldDefaultCaCert RSA Flash Verification certificate, used with CAPWAP to authenticate the controller. It is zeroized during the zeroization procedure. bsnDefaultRootCaCert RSA Flash Verification certificate, not used in FIPS mode of operations. It is zeroized during the zeroization procedure. bsnDefaultCaCert RSA Flash Verification certificate, not used in FIPS mode of operations. It is zeroized during the zeroization procedure. cscoDefaultNewRootCaCert RSA Flash Verification certificate, not used in FIPS mode of operations. It is zeroized during the zeroization procedure. cscoDefaultMfgCaCert RSA Flash Verification certificate, not used in FIPS mode of operations. It is zeroized during the zeroization procedure. cscoIdCert RSA Flash This is the AP's RSA public key. Table 5 Key/CSP Access by Service Service Key Access Self Test and Initialization · Initializes PRNG Seed System Status · None Key Management · Read/Write Infrastructure MFP MIC Key, PTK, TK, GTK, KCK, KEK, CCKM PTK, CCKM GTK · Destroy all keys (with Key Zeroization command) Module Configuration · None DTLS · Uses cscoIdCert and bsnOldDefaultCaCert to authenticate Wireless controller · Generates DTLS Pre-Master Secret · Derives DTLS Master Secret · Derives the DTLS encryption and DTLS integrity keys to secure CAPWAP transactions between AP and Wireless controller DTLS Data Encrypt · Use DTLS Master Secret to derive DTLS Encryption Key and DTLS Integrity Key · Use DTLS Encryption Key and DTLS Integrity Key FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 13 Disallowed Security Functions Table 5 Key/CSP Access by Service (continued) Service Key Access CAPWAP · Convey CSPs using DTLS, including: ­ Decrypt GTK and TK entry from the controller for 802.11i service ­ Decrypt CCKM PTK and GTK from the controller for CCKM service ­ Decrypt MFP MIC key entry from the controller for use in MFP service 802.11i · Encrypt/decrypt using TK, GTK CCKM · Encrypt/decrypt using CCKM PTK and GTK MFP · Sign AP management frames using Infrastructure MIC key · Encrypt and sign AP management frames using 802.11i PTK Key Establishment The module uses RSA key wrapping which provides 96 bits of effective key strength to establish 128-bit AES keys for DTLS. Keys are also entered into the module encrypted with the DTLS Encryption Key. Key Zeroization All keys in the module may be zeroized by entering this command on the controller to which the access point is associated: > config switchconfig key-zeroize ap ap-name Disallowed Security Functions These cryptographic algorithms are not approved, and may not be used in FIPS mode of operations: · RC4 · MD5 (MD5 is allowed for use in DTLS) · HMAC MD5 Self Tests These self tests are performed by the modules: AP1131 and AP1242: · Firmware integrity test · AES KAT (Firmware and Hardware) · AES-CCM KAT (Firmware and Hardware) FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN 14 OL-16067-06 Obtaining Documentation, Support, and Security Guidelines · AES-CMAC KAT (Firmware and Hardware) · SHA-1 KAT (Firmware) · HMAC SHA-1 KAT (Firmware) · RNG KAT (Firmware) · RSA KAT (Firmware) · Continuous random number generator test for Approved and non-Approved RNGs AP1142, AP1252, AP1262, CAP3502e, and CAP3502i: · Firmware integrity test · AES KAT (Firmware and Hardware) · AES-CCM KAT (Firmware and Hardware) · AES-CMAC KAT (Firmware and Hardware) · SHA-1 KAT (Firmware and Hardware) · HMAC SHA-1 KAT (Firmware and Hardware) · RNG KAT (Firmware) · RSA KAT (Firmware) · Continuous random number generator test for Approved and non-Approved RNGs Obtaining Documentation, Support, and Security Guidelines For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) © 2010 Cisco Systems, Inc. All rights reserved. May be reproduced only in its original entirety (without revision). FIPS 140-2 Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN OL-16067-06 15