Cisco 5940 Embedded Services Routers

FIPS 140-2 Non Proprietary Security Policy
Level 1 Validation
Version 0.7
September 2011

© Copyright 2007 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 INTRODUCTION
  1.1 PURPOSE
  1.2 MODULE VALIDATION LEVEL
  1.3 REFERENCES
  1.4 TERMINOLOGY
  1.5 DOCUMENT ORGANIZATION
2 CISCO 5940 EMBEDDED SERVICES ROUTERS
  2.1 THE 5940 EMBEDDED SERVICE ROUTER CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS
  2.2 MODULE INTERFACES
    2.2.1 J1 connector
    2.2.2 J2 connector
  2.3 ROLES AND SERVICES
    2.3.1 User Services
    2.3.2 Crypto Officer Services
    2.3.3 Maintenance Role
    2.3.4 Unauthenticated Services
    2.3.5 Strength of Authentication
  2.4 PHYSICAL SECURITY
  2.5 CRYPTOGRAPHIC ALGORITHMS
    2.5.1 Approved Cryptographic Algorithms
    2.5.2 Non-Approved Cryptographic Algorithms
  2.6 CRYPTOGRAPHIC KEY MANAGEMENT
  2.7 SELF-TESTS
    2.7.1 Self-tests performed by the IOS and Hardware
3 SECURE OPERATION OF THE CISCO 5940 ESR
  3.1 INITIAL SETUP
  3.2 SYSTEM INITIALIZATION AND CONFIGURATION
  3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS
  3.4 PROTOCOLS
  3.5 REMOTE ACCESS
  3.6 HTTPS/TLS MANAGEMENT IS NOT ALLOWED IN FIPS MODE.
  3.7 IDENTIFYING OPERATION IN AN APPROVED MODE

© Copyright 2011 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

1 Introduction

1.1 Purpose

This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 5940 Embedded Services Router (ESR). This security policy describes how the Cisco 5940 Embedded Services Routers (Hardware Versions: Cisco 5940 ESR air-cooled card and Cisco 5940 ESR conduction-cooled card; Firmware Version: IOS 15.1(2)GC1) meet the security requirements of FIPS 140-2, and how to operate the router with on-board crypto enabled in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the Cisco 5940 Embedded Services Router.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html.

1.2 Module Validation Level

The following table lists the level of validation for each area in the FIPS PUB 140-2.

No.  Area Title                                                Level
1    Cryptographic Module Specification                        1
2    Cryptographic Module Ports and Interfaces                 1
3    Roles, Services, and Authentication                       1
4    Finite State Model                                        1
5    Physical Security                                         1
6    Operational Environment                                   N/A
7    Cryptographic Key management                              1
8    Electromagnetic Interface/Electromagnetic Compatibility   1
9    Self-Tests                                                1
10   Design Assurance                                          2
11   Mitigation of Other Attacks                               N/A
     Overall module validation level                           1

Table 1 Module Validation Level

1.3 References

This document deals only with operations and capabilities of the Cisco 5940 Embedded Services routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources:

• The Cisco Systems website contains information on the full line of Cisco Systems routers. Please refer to the following website: http://www.cisco.com/en/US/products/hw/routers/index.html
• The Cisco 5940 Embedded Services Routers are part of the family of Mobile Internet Routers: http://www.cisco.com/en/US/products/hw/routers/products.html#N390A6E
• For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
• The NIST Validated Modules website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module.

1.4 Terminology

In this document, the Cisco 5940 Embedded Services Routers are referred to as the 5940 ESR, router, the module, or the system.

1.5 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package.
In addition to this document, the Submission Package contains:

• Vendor Evidence document
• Finite State Machine
• Other supporting documentation as additional references

This document provides an overview of the Cisco 5940 Embedded Services Router and explains the secure configuration and operation of the module. This introduction section is followed by Section 2, which details the general features and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

2 Cisco 5940 Embedded Services Routers

The Cisco 5940 is a high-performance, ruggedized router. With onboard hardware encryption, the Cisco 5940 offloads encryption processing from the router to provide highly secure yet scalable video, voice, and data services for mobile and embedded outdoor networks. The Cisco 5940 Embedded Services Routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 1 requirements. This section describes the general features and functionality provided by the routers.

The Cisco 5940 Router Card uses industrial-grade components and is optimized for harsh environments that require Cisco IOS Software routing technology. The following subsections describe the physical characteristics of the routers.

2.1 The 5940 Embedded Service Router Cryptographic Module Physical Characteristics

Figure 1 Cisco 5940 Air Cooled Router

Figure 2 Cisco 5940 Conduction Cooled Router

Cisco 5940 Embedded Services Router is a multiple-chip embedded cryptographic module. The router is a cPCI 3U card.
These cards are then inserted into a ruggedized enclosure (outside the cryptographic boundary) to protect against the elements.

The physical boundary of the cPCI card is the cryptographic boundary. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

2.2 Module Interfaces

The module features the following interfaces:

1. One serial console port
2. cPCI J1 connector
3. cPCI J2 connector
4. JTAG connectors (via J2 connectors)
5. LEDs

Below are the pin assignments for J1 and J2 connectors:

2.2.1 J1 connector

J1 Pinout

Row    A         B          C          D          E          F
1      5V        -12V       TRST#      +12V       5V         GND
2      TCK       5V         TMS        TDO        TDI        GND
3      5V        INTA#      INTB#      INTC#      INTD#      GND
4      V(I/O)    IPMB_PWR   HEALTHY#   INTP       INTS       GND
5      GND       BRSVP1A5   BRSVP1B5   RST#       GNT0#      GND
6      3.3V      REQ0#      GND        CLK0       AD[31]     GND
7      GND       AD[30]     AD[29]     AD[28]     AD[27]     GND
8      AD[26]    GND        V(I/O)     AD[25]     AD[24]     GND
9      GND       GND        C/BE[3]#   AD[23]     AD[22]     GND
10     AD[21]    GND        3.3V       AD[20]     AD[19]     GND
11     GND       AD[18]     AD[17]     AD[16]     C/BE[2]#   GND
12-14  KEY AREA
15     BD_SEL#   3.3V       FRAME#     IRDY#      TRDY#      GND
16     DEVSEL#   GND        V(I/O)     STOP#      LOCK#      GND
17     GND       3.3V       IPMB_SCL   IPMB_SDA   PERR#      GND
18     SERR#     GND        3.3V       PAR        C/BE[1]#   GND
19     GND       3.3V       AD[15]     AD[14]     AD[13]     GND
20     AD[12]    GND        V(I/O)     AD[11]     AD[10]     GND
21     3.3V      AD[9]      AD[8]      M66EN      C/BE[0]#   GND
22     3.3V      AD[7]      GND        AD[6]      AD[5]      GND
23     5V        3.3V       AD[4]      AD[3]      AD[2]      GND
24     V(I/O)    AD[1]      5V         AD[0]      ACK64#     GND
25     5V        REQ64#     ENUM#      3.3V       5V         GND

Legend: Long Pins, Medium Pins, Short Pins
2.2.2 J2 connector

J2 Pinout

Column A B C D E F

2 2 2 2 1 GND GND N/C N/C N/C N/C 2 2 2 2 2 2 GND N/C N/C N/C N/C N/C 2 2 2 2 3 GND GND N/C N/C N/C N/C JTAG/COP JTAG/COP JTAG/COP JTAG/COP 2 GND N/C 4 TCK HRESET# TRST# VDD_SENSE

Row  A                B          C             D            E           F
5    COP_CPU_SEL#     TDI        SRESET#       CKSTP_IN#    NC          GND    (A to E: JTAG/COP)
6    JTAG_CPLD_SEL#   TDO        TMS           CKSTP_OUT#   RUN/STOP#   GND    (A to E: JTAG/COP)
7    ETH3_DB+         ETH3_DB-   ETH3_LED      ETH3_DD+     ETH3_DD-    GND
8    ETH3_DA+         ETH3_DA-   ETH3_LEDRTN   ETH3_DC+     ETH3_DC-    GND
9    ETH2_DB+         ETH2_DB-   ETH2_LED      ETH2_DD+     ETH2_DD-    GND
10   ETH2_DA+         ETH2_DA-   ETH2_LEDRTN   ETH2_DC+     ETH2_DC-    GND
11   ETH1_DB+         ETH1_DB-   ETH1_LED      ETH1_DD+     ETH1_DD-    GND
12   ETH1_DA+         ETH1_DA-   ETH1_LEDRTN   ETH1_DC+     ETH1_DC-    GND
13   ETH0_DB+         ETH0_DB-   ETH0_LED      ETH0_DD+     ETH0_DD-    GND
14   ETH0_DA+         ETH0_DA-   ETH0_LEDRTN   ETH0_DC+     ETH0_DC-    GND

2 2 2 15 STS_LEDR STS_LEDRTN GND N/C N/C N/C 2 1 16 STS_LEDG RTS GND GND N/C DTR BMC Console 2 2 TxD PRST# GND N/C N/C 17 RXD BMC Console BMC DBG BMC DBG RxD CTS GND 18 TXD TMS TDO BMC DBG BMC DBG BMC DBG GND GND GND 19 3.3VOUT TDI ALLPST BMC DBG BMC DBG 2 GND Reserved GND N/C 20 TCK RST_IN# BMC DBG 2 GND Reserved Reserved GND N/C 21 TRST# 2 2 2 2 2 22 GND N/C N/C N/C N/C N/C

Notes:
1) DTR permanently asserted
2) Assigned by cPCI specification, but unused in RTM

Color Code: GbE, Console, JTAG/COP, BMC, Status LED, cPCI Spec

These interfaces are depicted in the figures below:

The interface for the router is located on the front and rear panels as shown in Figure 3 and Figure 5, respectively.

Figure 3: Faceplate

Figure 4: Conduction Cooled cover

Figure 5: Connector pins
The following tables provide more detailed information conveyed by the LEDs on the front and rear panel of the router:

Name            State    Description
Ethernet LEDs   Active   Used to show activity on Ethernet ports in the RTM
Status LED      Active   Bicolor user LED to assist location of the device in a rack.
Hot Swap        Active   BLUE LED indicates hot swap status based on ejector handle position

Table 2 – 5940 ESR LED Indicators

Each 5940 ESR provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The logical interfaces and their mapping are described in the following table:

Router Physical Interface                          FIPS 140-2 Logical Interface
J2 Connector, Console Port, JTAG Connector         Data Input Interface
J2 Connector, Console Port, JTAG Connector         Data Output Interface
J2 Connector, Console Port, JTAG Connector         Control Input Interface
J2 Connector, Console Port, JTAG Connector, LEDs   Status Output Interface
J1 Connector                                       Power Interface

Table 3 – 5940 ESR FIPS 140-2 Logical Interfaces

2.3 Roles and Services

Authentication in Cisco 5940 ESR is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. There is also a maintenance role available through the JTAG connector. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password.
Once the Crypto Officer has configured the encryption and decryption functionality, the User can use this functionality after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication. The RSA digital signature authentication mechanism is used to authenticate the User role via the IPSec/IKE protocol implementation. The maintenance role does not include authentication, and it has the capability to read and write memory, reset the board, program the Complex Programmable Logic Device (CPLD), and debug Rommon.

2.3.1 User Services

Users can access the system in two ways:

1. By accessing the console port with a terminal program or via IPSec protected telnet or SSH session to an Ethernet port. Please note that the PC used for the console connection is a non-networked PC. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program.
2. Via an IPSec session. This session is authenticated either using a shared secret or RSA digital signature authentication mechanism.

The services available to the User role consist of the following:

Status Functions: View state of interfaces and protocols, version of IOS currently running.
Network Functions: Connect to other network devices and initiate diagnostic network services (i.e., ping, mtrace).
Terminal Functions: Adjust the terminal session (e.g., lock the terminal, adjust flow control).
Directory Services: Display directory of files kept in flash memory.
GetVPN: Negotiation and encrypted data transport via Get VPN
Perform Self-Tests: Perform the FIPS 140 start-up tests on demand
Zeroization Services: Zeroize cryptographic keys stored in Dynamic Random Access Memory (DRAM) via power cycling

2.3.2 Crypto Officer Services

A Crypto Officer enters the system by accessing the console/auxiliary port with a terminal program or SSH v2 session to a LAN port or the 10/100 management Ethernet port. The Crypto Officer authenticates as a User and then authenticates as the Crypto Officer role. During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined. A Crypto Officer can assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.

The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

Configure the router: Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
Define Rules and Filters: Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
View Status Functions: View the router configuration, routing tables, active sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status.
Manage the router: Log off users, shutdown or reload the router, erase the flash memory, manually back up router configurations, zeroize all cryptographic keys or CSPs, view complete configurations, manage user rights, and restore router configurations. In addition, Crypto Officer also has access to all User services.
Set Encryption/Bypass: Set up the configuration tables for IP tunneling. Set preshared keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address.
Perform Self-Tests: Perform the FIPS 140 start-up tests on demand

2.3.3 Maintenance Role

The module supports a Maintenance role while operating in FIPS mode of operation. The maintenance role can be accessed via the JTAG connector. The services available to this role include reading and writing memory, resetting the board, programming the Complex Programmable Logic Device (CPLD), and debugging Rommon. The entity entering the maintenance role must zeroize all plaintext keys and CSPs before entering and exiting the Maintenance role.

2.3.4 Unauthenticated Services

The services available to unauthenticated users are:

• Viewing the status output from the module’s LEDs
• Powering the module on and off using the power switch on the third-party chassis

2.3.5 Strength of Authentication

The security policy stipulates that all user passwords and shared secrets must be 8 alphanumeric characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly guessing a password is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random password guess in one minute, an attacker would have to be capable of 28 million password attempts per minute, which far exceeds the operational capabilities of the module to support.

When using RSA based authentication, the RSA key pair has a modulus size of 1024 bits to 2048 bits, thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2.
To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of the modules to support.

2.4 Physical Security

The module is being validated at physical security level 1. As such, apart from using production grade material, the module does not implement any physical security mechanisms.

2.5 Cryptographic Algorithms

The module implements a variety of approved and non-approved algorithms.

2.5.1 Approved Cryptographic Algorithms

The routers support the following FIPS 140-2 approved algorithm implementations:

              Algorithm Certificate Number
Algorithm     IOS       MPC8548E
AES           #1643     #962 and #1535
Triple-DES    #1073     #757
SHS           #1444     #933
HMAC          #965      #537
DRBG          #89       N/A
RSA           #811      N/A

Table 4: Approved Cryptographic Algorithms

2.5.2 Non-Approved Cryptographic Algorithms

The module supports the following non-approved cryptographic algorithms that shall not be used in FIPS mode of operation:

• DES
• DES MAC
• MD5
• MD4
• HMAC MD5
• RC4

The modules support the following key establishment/derivation schemes:

• Diffie-Hellman (key establishment methodology provides between 80 and 112 bits of encryption strength)
• Internet Key Exchange Key Establishment (IKEv1/IKEv2)
• GDOI (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength)

2.6 Cryptographic Key Management

The module securely administers both cryptographic keys and other critical security parameters such as passwords. All keys are also protected by the password-protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. The zeroization method for each individual key or CSP can be found in table 4 below.
All cryptographic keys are exchanged and entered electronically or via Internet Key Exchange (IKE)/Group Domain of Interpretation (GDOI), and all CSPs are entered into the module by the Crypto Officer role.

The module supports the following keys and critical security parameters (CSPs):

ID: DRBG V
Algorithm: SP 800-90 CTR_DRBG
Size: 128-bits
Description: Generated by entropy source via the CTR_DRBG derivation function. It is stored in DRAM with plaintext form
Storage: DRAM (plaintext)
Zeroization Method: Automatically when the router is power cycled

ID: DRBG Key
Algorithm: SP 800-90 CTR_DRBG
Size: 256-bits
Description: This is the 256-bit DRBG key used for SP 800-90 CTR_DRBG
Storage: DRAM (plaintext)
Zeroization Method: Automatically when the router is power cycled

ID: Diffie-Hellman private exponent
Algorithm: Diffie-Hellman
Size: 1024/1536/2048 bits
Description: The private exponent used in Diffie-Hellman (DH) exchange. Generated by the module. Zeroized after DH shared secret has been generated.
Storage: DRAM (plaintext)
Zeroization Method: Automatically after shared secret generated.

ID: Diffie-Hellman Shared Secret
Algorithm: Diffie-Hellman
Size: 1024/1536/2048-bits
Description: Shared secret generated by the Diffie-Hellman Key exchange
Storage: DRAM (plaintext)
Zeroization Method: Automatically after session is terminated

ID: Skeyid
Algorithm: Keyed SHA-1
Size: 160-bits
Description: Value derived from the shared secret within IKE exchange. Zeroized when IKE session is terminated.
Storage: DRAM (plaintext)
Zeroization Method: Automatically after IKE session terminated.

ID: skeyid_d
Algorithm: Keyed SHA-1
Size: 160-bits
Description: The IKE key derivation key for non ISAKMP security associations.
Storage: DRAM (plaintext)
Zeroization Method: Automatically after IKE session terminated.

ID: IKE session encrypt key
Algorithm: Triple-DES/AES
Size: 168-bits/256-bits
Description: The IKE session encrypt key. Generated by the module
Storage: DRAM (plaintext)
Zeroization Method: Automatically after IKE session terminated.

ID: IKE session authentication key
Algorithm: SHA-1 HMAC
Size: 160-bits
Description: The IKE session authentication key. Generated by the module.
Storage: DRAM (plaintext)
Zeroization Method: Automatically after IKE session terminated.

ID: ISAKMP preshared
Algorithm: Secret
Size: At least eight characters
Description: The key used to generate IKE skeyid during preshared-key authentication. It is entered by the Crypto Officer. “no crypto isakmp key” command zeroizes it. This key can have two forms based on whether the key is related to the hostname or the IP address.
Storage: NVRAM (plaintext or encrypted)
Zeroization Method: “# no crypto isakmp key”

ID: IKE RSA Authentication private Key
Algorithm: RSA
Size: 1024 – 2048 bits
Description: RSA private key for IKE authentication. Generated or entered like any RSA key, set as IKE RSA Authentication Key with the “crypto keyring” or “ca trust-point” command.
Storage: NVRAM (plaintext)
Zeroization Method: “# crypto key zeroize rsa”

ID: IPSec encryption key
Algorithm: Triple-DES/AES
Size: 168-bits/256-bits
Description: The IPSec encryption key. Generated by the module. Zeroized when IPSec session is terminated.
Storage: DRAM (plaintext)
Zeroization Method: Automatically when IPSec session terminated.

ID: IPSec authentication key
Algorithm: SHA-1 HMAC
Size: 160-bits
Description: The IPSec authentication key. Generated by the module. The zeroization is the same as above.
Storage: DRAM (plaintext)
Zeroization Method: Automatically when IPSec session terminated.

ID: GDOI Key encryption Key (KEK)
Algorithm: Triple-DES/AES
Size: Triple-DES (168-bits)/AES (128/192/256-bits)
Description: This key is created using the “GROUPKEY-PULL” registration protocol with GDOI. Generated by the module. It is used to protect GDOI rekeying data.
Storage: DRAM (plaintext)
Zeroization Method: Automatically when session terminated.

ID: GDOI Traffic Encryption Key (TEK)
Algorithm: Triple-DES/AES
Size: Triple-DES (168-bits)/AES (128/192/256-bits)
Description: This key is created using the “GROUPKEY-PULL” registration protocol and updated using the “GROUPKEY-PUSH” registration protocol with GDOI. Generated by the module. It is used to encrypt data traffic between Get VPN peers
Storage: DRAM (plaintext)
Zeroization Method: Automatically when session terminated.

ID: GDOI TEK Integrity key
Algorithm: HMAC SHA-1
Size: 160-bits
Description: This key is created using the “GROUPKEY-PULL” registration protocol and updated using the “GROUPKEY-PUSH” registration protocol with GDOI. Generated by the module. It is used to ensure data traffic integrity between Get VPN peers.
Storage: DRAM (plaintext)
Zeroization Method: Automatically when session terminated.

ID: SSH RSA private key
Algorithm: RSA
Size: 1024/1536/2048
Description: This key is used for message signing when performing SSH authentication. Generated by the module.
Storage: NVRAM (plaintext or encrypted)
Zeroization Method: “# crypto key zeroize rsa”

ID: SSH session key
Algorithm: TDES/AES
Size: TDES (Key Size 168 bits)/AES (Key Size 128/192/256 bits)
Description: This is the SSH session key. It is used to encrypt all SSH data traffic traversing between the SSH client and SSH server. It is generated by the module
Storage: DRAM (plaintext)
Zeroization Method: Automatically when SSH session terminated

ID: SSH session authentication key
Algorithm: HMAC-SHA-1
Size: 160 bits
Description: This key is used to perform the authentication between the SSH client and SSH server. It is generated by the module.
Storage: DRAM (plaintext)
Zeroization Method: Automatically when SSH session terminated

ID: User password
Algorithm: Shared Secret
Size: At least eight characters
Description: The password of the User role. This password is zeroized by overwriting it with a new password.
Storage: NVRAM (plaintext or encrypted)
Zeroization Method: Overwrite with new password

ID: Enable password
Algorithm: Shared Secret
Size: At least eight characters
Description: The plaintext password of the CO role. It is entered by the Crypto Officer. This password is zeroized by overwriting it with a new password.
Storage: NVRAM (plaintext or encrypted)
Zeroization Method: Overwrite with new password

ID: Enable secret
Algorithm: Shared Secret
Size: At least eight characters
Description: The ciphertext password of the CO role. However, the algorithm used to encrypt this password is not FIPS approved. Therefore, this password is considered plaintext for FIPS purposes. It is entered by the Crypto Officer. This password is zeroized by overwriting it with a new password.
Storage: NVRAM (plaintext or encrypted)
Zeroization Method: Overwrite with new password

ID: RADIUS secret
Algorithm: Shared Secret
Size: At least eight characters
Description: The RADIUS shared secret. It is entered by the Crypto Officer. This shared secret is zeroized by executing the “no radius-server key” command.
Storage: NVRAM (plaintext or encrypted), DRAM (plaintext)
Zeroization Method: “# no radius-server key”

ID: TACACS+ secret
Algorithm: Shared Secret
Size: At least eight characters
Description: The TACACS+ shared secret. It is entered by the Crypto Officer. This shared secret is zeroized by executing the “no tacacs-server key” command.
Storage: NVRAM (plaintext or encrypted), DRAM (plaintext)
Zeroization Method: “# no tacacs-server key”

Table 5: Cryptographic Keys and CSPs

The services accessing the CSPs, the type of access and which role accesses the CSPs are listed below.

CSP (column headings): GDOI Traffic Encryption Key (TEK); IKE RSA Authentication private Key; GDOI Key encryption Key (KEK); Diffie Hellman private exponent; SSH session authentication key; IKE session authentication key; Diffie Hellman Shared Secret; GDOI TEK Integrity Key; IPSec authentication key; IKE session encrypt key; SSH RSA Private Key; IPSec encryption key; ISAKMP preshared; TACACS+ secret; Enable password; SSH session key; RADIUS secret; User password; Enable secret; DRBG Key; DRBG V; skeyid_d; Skeyid

Role/Service (rows):

User Role
Status Function
r r r r r r r r r r r r r r r r r r r
Network Function
Terminal Function
Directory Services
Perform Self-tests
r r r r r r r r r r r r r
VPN Function
w w w w w w w w w w w w w
d d d d d d d d d d d d d
CO Role
r
Configure the module
w
Define Rules and Filters
Status Functions
d d r r r r r
Manage the module
w w w w w
d d d d d
r r r r r r r r r r r r r r r r r
Set Encryption/Bypass
w w w w w w w w w w w w w w w w w
d d d d d d d d d d d d d d d d d
Perform Self-tests

r = read, w = write, d = delete

Table 6: CSP/Role/Service Access Policy

2.7 Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly.
The router includes an array of self-tests that are run during startup and periodically during operations. All self-tests are implemented by the firmware and associated hardware component. An example of self-tests run at power-up is a cryptographic known answer test (KAT) on each of the FIPS-approved cryptographic algorithms and on the Diffie-Hellman algorithm. An example of a test performed at startup is a software integrity test using an EDC. Examples of tests run periodically or conditionally include: a bypass mode test performed conditionally prior to executing IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.

Examples of the errors that cause the system to transition to an error state:

• IOS image integrity checksum failed
• Microprocessor overheats and burns out
• Known answer test failed
• NVRAM module malfunction.

2.7.1 Self-tests performed by the IOS and Hardware

• IOS Self Tests
  o POST tests
      Firmware Integrity test
      AES Known Answer test
      DRBG Known Answer test
      HMAC-SHA-1 Known Answer test
      RSA Known Answer Test (both signature/verification)
      SHA-1/256/512 Known Answer test
      Triple-DES Known Answer test
  o Conditional tests
      RSA PWCT test
      Conditional bypass test
      DRBG CRNG test
      CRNG test on non-approved RNGs
• Hardware Self Tests
  o POST tests
      AES Known Answer Test
      HMAC-SHA-1 Known Answer Test
      Triple-DES Known Answer Test

3 Secure Operation of the Cisco 5940 ESR

The Cisco 5940 ESR meets all the Level 1 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode.
Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.

3.1 Initial Setup

1. The Crypto Officer must disable IOS Password Recovery by executing the following commands:
     configure terminal
     no service password-recovery
     end
     show version
   NOTE: Once Password Recovery is disabled, administrative access to the module without the password will not be possible.

3.2 System Initialization and Configuration

1. The Crypto Officer must perform the initial configuration. IOS version 15.1(2)GC1, filename: c5940-adventerprisek9-mz.SPA.151-2.GC1.bin is the only allowable image; no other image should be loaded.
2. The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
     config-register 0x0102
3. The Crypto Officer must create the “enable” password for the Crypto Officer role. The password must be at least 8 characters (all digits; all lower and upper case letters; and all special characters except ‘?’ are accepted) and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt:
     enable secret [PASSWORD]
4. The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
     line con 0
     password [PASSWORD]
     login local
5. The Crypto Officer shall only assign users to a privilege level 1 (the default).
6. The Crypto Officer shall not assign a command to any privilege level other than its default.
7.
The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long.
8. Loading any IOS image onto the router is not allowed while in FIPS mode of operation.

3.3 IPSec Requirements and Cryptographic Algorithms

1. The only IPSec key establishment methods allowed in FIPS mode are Internet Key Exchange (IKE) and Group Domain of Interpretation (GDOI).
2. Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
     ah-sha-hmac
     esp-sha-hmac
     esp-Triple-DES
     esp-aes
3. The following algorithms are not FIPS approved and should not be used during FIPS-approved mode:
     DES
     DES-MAC
     HMAC MD-5
     MD-4
     MD-5
     RC4

3.4 Protocols

1. SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C.

3.5 Remote Access

1. Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.
2. SSH access to the module is only allowed if SSH is configured to use a FIPS-approved algorithm. The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.

3.6 HTTPS/TLS management is not allowed in FIPS mode.
3.7 Identifying Operation in an Approved Mode

The following activities are required to verify that the module is operating in an Approved mode of operation.

1. Verify that User and Crypto Officer passwords and all shared secrets are at least eight (8) characters long, include at least one letter, and include at least one number character, as specified in the “Secure Operation of the Cisco 5940 ESR” section of this document.
2. Issue the following commands: 'show crypto ipsec sa', 'show crypto isakmp policy', and 'show crypto gdoi policy'. Verify that only FIPS approved algorithms are used.
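The checks in sections 3.1, 3.3, 3.6 and 3.7 can also be run offline against a saved configuration. The following is an added example, not Cisco code and not part of this policy. It assumes that "esp-3des" is the IOS keyword for "esp-Triple-DES", that policy sub-lines are indented by one space, and that an IKE policy with no encryption line falls back to a DES default that the saved configuration does not show; the sample configuration is constructed.

```python
import re

# Allowlists from section 3.3. Assumption: "esp-3des" is the IOS keyword for the
# page's "esp-Triple-DES", and a numeric token is an AES key size.
APPROVED_TRANSFORMS = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des", "esp-aes"}
APPROVED_IKE = {"encr": ("aes", "3des"), "hash": ("sha",)}

def secret_ok(secret):
    """Sections 3.2 and 3.7: 8+ characters, a letter, a digit, and no '?'."""
    mixed = any(c.isalpha() for c in secret) and any(c.isdigit() for c in secret)
    return len(secret) >= 8 and "?" not in secret and mixed

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    if "no service password-recovery" not in lines:
        findings.append("3.1: password recovery is not disabled")
    if any(line.startswith("ip http secure-server") for line in lines):
        findings.append("3.6: HTTPS/TLS management is enabled")
    policy, has_encr = None, False
    for line in lines + ["end"]:           # sentinel closes a trailing policy
        if not line.startswith(" "):       # top-level line ends an IKE policy
            if policy and not has_encr:    # assumed: the DES default is not shown
                findings.append(f"3.3: isakmp policy {policy} sets no encryption")
            m = re.match(r"crypto isakmp policy (\d+)", line)
            policy, has_encr = (m.group(1) if m else None), False
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            bad = [t for t in m.group(2).split() if not t.isdigit()
                   and t not in APPROVED_TRANSFORMS] if m else []
            if bad:
                findings.append(f"3.3: transform-set {m.group(1)} uses {' '.join(bad)}")
        elif policy:
            m = re.match(r"\s+(encr|hash)\w*\s+(\S+)", line)
            has_encr = has_encr or bool(m and m.group(1) == "encr")
            if m and not m.group(2).startswith(APPROVED_IKE[m.group(1)]):
                findings.append(f"3.3: isakmp policy {policy} uses {m.group(1)} {m.group(2)}")
    return findings

# Constructed configuration excerpt for the example, not from a real device.
SAMPLE = """no service password-recovery
crypto isakmp policy 10
 encr aes
 hash md5
crypto isakmp policy 20
crypto ipsec transform-set GOOD esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
ip http secure-server
"""
```

A saved configuration can hide defaults, so the 'show crypto' commands in step 2 remain the authoritative check on a running module.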
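Section 2.7 describes power-up known answer tests, a continuous random number generator test, and an error state that halts cryptographic services. The following is an added example of that pattern, not the router's firmware: the Module class and its state names are hypothetical, and only the hash and HMAC known answer tests are shown because they need nothing beyond the Python standard library.

```python
import hashlib
import hmac
import os

class SelfTestError(Exception):
    """Raised when a self-test fails or a service is requested in a bad state."""

# Published vectors: SHA-1 and SHA-256 of "abc" (FIPS 180), HMAC-SHA-1 from RFC 2202 case 2.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-1", lambda: hmac.new(b"Jefe", b"what do ya want for nothing?",
                                    hashlib.sha1).hexdigest(),
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]

class Module:
    """Hypothetical stand-in for the module's self-test state machine."""
    def __init__(self, rng=os.urandom, kats=KATS):
        self.state, self.status = "power-up", []
        self._rng, self._kats, self._last = rng, kats, None

    def _fail(self, what):
        self.state = "error"                 # error state: no further crypto services
        self.status.append(what + ": FAIL")  # status output indicating the failure
        return False

    def power_up(self):
        for name, compute, expected in self._kats:
            if not hmac.compare_digest(compute(), expected):
                return self._fail(name + " KAT")
            self.status.append(name + " KAT: pass")
        self.state = "operational"
        return True

    def random_block(self, size=16):
        """Continuous RNG test: a block equal to its predecessor is a failure."""
        if self.state != "operational":
            raise SelfTestError("service refused in state " + self.state)
        if self._last is None:               # first block is kept only for comparison
            self._last = self._rng(size)
        block = self._rng(size)
        if block == self._last:
            self._fail("continuous RNG test")
            raise SelfTestError("RNG repeated a block")
        self._last = block
        return block
```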