CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy Version No.: 2.3 Date: May 30, 2014 Prepared by: CoCo Communications Corp. www.cococorp.com 800 5th Avenue, Suite 3700 Seattle, WA 98104 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy Table of Contents 1 Introduction ........................................................................................................................................... 1 1.1 Purpose of the Security Policy ...................................................................................................... 1 1.2 Target Audience ............................................................................................................................ 1 2 Cryptographic Module Specification .................................................................................................... 2 2.1 Module Description ...................................................................................................................... 2 2.2 Description of Approved Mode .................................................................................................... 3 2.3 Cryptographic Module Boundary ................................................................................................. 3 3 Cryptographic Module Ports and Interfaces ......................................................................................... 6 4 Roles, Services, and Authentication ..................................................................................................... 7 4.1 Roles ............................................................................................................................................. 7 4.2 Services ......................................................................................................................................... 7 4.3 Operator Authentication.............................................................................................................. 21 4.4 Mechanism and Authentication Strength .................................................................................... 21 5 Physical Security ................................................................................................................................. 22 6 Operational Environment .................................................................................................................... 23 6.1 Policy .......................................................................................................................................... 23 7 Cryptographic Key Management ........................................................................................................ 24 7.1 Key/CSP Generation ................................................................................................................... 26 7.2 Key Entry and Output ................................................................................................................. 26 7.3 Key Storage ................................................................................................................................. 26 7.4 Key Zeroization .......................................................................................................................... 26 8 Electromagnetic Interference/Compatibility ....................................................................................... 27 9 Self-Tests ............................................................................................................................................ 28 9.1 Integrity test ................................................................................................................................ 28 9.2 Power-up Tests............................................................................................................................ 28 9.3 Conditional Tests ........................................................................................................................ 29 9.4 On-Demand Self-Test ................................................................................................................. 29 10 Design Assurance............................................................................................................................ 30 10.1 Configuration Management ........................................................................................................ 30 10.2 Installation and Usage Guidance................................................................................................. 30 11 Mitigation of Other Attacks ............................................................................................................ 31 12 Abbreviations .................................................................................................................................. 32 13 References ....................................................................................................................................... 33 ii ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy List of Figures Figure 1: Software Block Diagram ............................................................................................................... 4 Figure 2: Hardware Block Diagram .............................................................................................................. 5 iii ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy List of Tables Table 1: Security Levels ............................................................................................................................... 2 Table 2: Tested Platforms ............................................................................................................................. 2 Table 3: Ports and Interfaces......................................................................................................................... 6 Table 4: Services ......................................................................................................................................... 17 Table 4.1: Non Approved Services ............................................................................................................. 22 Table 5: Key Management Details.............................................................................................................. 25 Table 6: EMI and EMC............................................................................................................................... 27 iv ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 1 Introduction This document is a non-proprietary FIPS 140-2 Security Policy for the CoCo OpenSSL Cryptographic Module 2.1 (the Module). It contains a specification of the rules under which the Module must operate and describes how the Module meets the requirements as specified in Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2) for a Security Level 1, multi-chip, standalone software module. 1.1 Purpose of the Security Policy There are three major reasons why a security policy is requested: • It is required for FIPS 140-2 validation. • It allows individuals and organizations to determine whether the cryptographic module, as implemented, satisfies the stated security policy. • It describes the capabilities, protections, and access rights provided by the cryptographic module that will allow individuals and organizations to determine whether it meets their security requirements. 1.2 Target Audience This document will be one of many that are submitted as a package for FIPS validation; it is intended for the following people: • Developers working on the release • The FIPS 140-2 testing lab • Cryptographic Module Validation Program (CMVP) • Consumers 1 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 2 Cryptographic Module Specification This document is the non-proprietary security policy for the CoCo OpenSSL Cryptographic Module 2.1, and was prepared as part of the requirements process that will ensure its conformance with Federal Information Processing Standard (FIPS) 140-2, Level 1. The following section describes the Module and how it complies with the FIPS 140-2 standard in each of the required areas. 2.1 Module Description Table 1, below, provides an overview of the security level required for each validation section. Security Component Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Table 1: Security Levels The Module has been tested on the platforms shown in Table 2: Tested Platforms. Module/Implementation Processor OS and Version Test Platform CoCo OpenSSL AMD Red Hat Enterprise oMG 2000 Cryptographic Module 2.1 Geode Linux 6 32-bit (single-user mode) CoCo OpenSSL Intel x86 Vyatta 6.4 32-bit Dell PowerEdge R210 Cryptographic Module 2.1 without (single-user mode) AES-NI support CoCo OpenSSL Intel x86 Vyatta 6.4 32-bit Dell PowerEdge R210 Cryptographic Module 2.1 With AES- (single-user mode) NI support Table 2: Tested Platforms 2 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 2.2 Description of Approved Mode The Module supports a FIPS-Approved mode and provides the following FIPS-Approved or Allowed functions: • AES (128/192/256 ECB, CBC, OFB, CFB 1, CFB 8, CFB 128, CTR, XTS; CCM; GCM; CMAC) • Triple-DES (3-key ECB, CBC, CFB, OFB; CMAC) • SHS (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) • HMAC (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) • RNG (ANS X9.31) • DRBGs (SP800-90A: HASH DRBG, HMAC DRBG, CTR DRBG) • RSA (FIPS 186-2 2048 bits key for all services; 1024, 1536 bits key for signature verification only) • DSA (FIPS 186-2, FIPS 186-3 2048,3072 bits key for all services; 1024 bits key for domain parameters verification and signature verification only) • ECDSA (FIPS 186-2, FIPS 186-3 P-224, 256, 384, 521; K-233, 283, 409, 571; B-233, 283, 409, 571; for all services; P-192 K-163,B-163 for public key verification and signature verification only) • KAS ECC Component (ECC CDH Primitive as specified in section 5.7.1.2 of SP 800-56A P-224, 256,384,521;K-233, 283,409,571;B-233, 283,409,571) • RSA key wrapping (2048, 3072, 4096) For the details of these functions including the algorithm certificate numbers, CSPs, accessing roles, etc., please see section 4.2 Services. As per the SP800-131A transition on 2014-01-01, the key lengths providing less than 112 bits of security strength are listed as non-Approved functions. Also for the cryptographic security reason, the SP 800-90A Dual EC DRBG has been moved to non-Approved functions list even though the implementation is validated with CAVS cert. #304 and #305. The use of Dual EC DRBG and other algorithms with following key sizes is not recommended. • DRBGs (SP800-90A: Dual EC DRBG) • RSA (FIPS 186-2,1024,1536 bits key for key generation and signature generation) • DSA (FIPS 186-2, FIPS 186-3 1024 bits key for key generation and signature generation) • ECDSA (FIPS 186-2, FIPS 186-3 Curves P-192 K-163,B-163 and Curves P-224, 256, 384, 521; K-233, 283, 409, 571; B-233, 283, 409, 571 with SHA-1 for key and signature generation) • KAS ECC Component (ECC CDH Primitive as specified in section 5.7.1.2 of SP 800-56A Curves P-192, K- 163,B-163) • RSA key wrapping (1024) The use of any of the above listed non-Approved functions will result the module operating in a non-FIPS- Approved mode. PKCS #3 Diffie-Hellman primitive is implemented in the Module, but it is not allowed to be used in the FIPS- Approved mode. The calling application shall use EC Diffie-Hellmann primitive service provided by the module. 2.3 Cryptographic Module Boundary The logical boundary of the Module is the fipscanister object module, a single binary object module file fipscanister.o. It is distributed in the following packages for the target platforms: • coco-openssl-crypto-canister_2.1-4.6.1210_i386.deb with HMAC-SHA-1 value 0e080ec50f21d9b96b83928bd3afec4b3e9a9042 for Dell PowerEdge R210 with Vyatta 6.4 Operating System 3 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy • coco-openssl-crypto-canister-cross-geode-2.1-4.6.1210.i686.rpm with HMAC-SHA-1 value d8de6cb46396527eb64bb7b7dd4103036e17b1a4 for oMG 2000 with Red Hat Enterprise Linux 6 Operating System Figure 1 shows the logical boundary of the Module’s software components. CoCo OpenSSL Crypto Application api input Module api output Module boundary Figure 1: Software Block Diagram 4 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy The physical boundary of the Module is the enclosure of the general purpose computer on which the Module is installed and executed. Figure 2 shows the physical boundary of the Module and the hardware components of the test platforms on which the Module is installed and executed. Figure 2: Hardware Block Diagram 5 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 3 Cryptographic Module Ports and Interfaces The physical ports of the Module are the same as the computer system on which this software module is executing. The logical interface is an application program interface (API) as shown in Table 3, below. FIPS Interface Ports Data Input API input parameters Data Output API output parameters Control Input API function calls, HMAC-SHA-1 value in the binary code and the binary code itself on which the HMAC-SHA-1 is calculated Status Output API return codes and status parameters Power Input Physical power connector of the underlying host platform, not in the logical boundary of the Module. Included for the sake of completion. Table 3: Ports and Interfaces When the Module is performing self-tests or is in an error state, all output on the logical data output interface is inhibited. As a software module, it cannot control the physical ports. 6 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 4 Roles, Services, and Authentication 4.1 Roles The User and Crypto Officer roles are implicitly assumed by the entity that is accessing services implemented by the Module, so no further authentication is required. The services associated with each role are explained in the next section. 4.2 Services Roles FIPS Appr oved Service CSP Modes Standard API Functions User CO (Cert #) Symmetric Algorithms  FIPS_cipherinit AES 128-, 192-, ECB, 2366 FIPS 197 256-bit keys FIPS_cipher encryption/ CBC, 2367 FIPS_cipher_ctx_new decryption CFB1, 2381 FIPS_cipher_ctx_init CFB8, FIPS_cipher_ctx_ctrl CFB128, FIPS_cipher_ctx_copy OFB, FIPS_cipher_ctx_set_key_l CTR ength FIPS_cipher_ctx_free FIPS_cipher_ctx_cleanup  FIPS_cipherinit Triple-DES 64-bit ECB, 1479 SP 800-67 encryption/ independent FIPS_cipher CBC, 1480 K1,K2,K3 decryption FIPS_cipher_ctx_new CFB1, FIPS_cipher_ctx_init CFB8, FIPS_cipher_ctx_ctrl CFB64, FIPS_cipher_ctx_copy OFB FIPS_cipher_ctx_set_key_l ength FIPS_cipher_ctx_free FIPS_cipher_ctx_cleanup  FIPS_cipherinit XTS 128-, 256- Largest 2366 SP 800- encryption / bit AES data length 38E FIPS_cipher 2367 decryption keys 2^16 FIPS_cipher_ctx_new 2381 FIPS_cipher_ctx_init FIPS_cipher_ctx_ctrl FIPS_cipher_ctx_copy FIPS_cipher_ctx_set_key_l ength 7 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_cipher_ctx_free FIPS_cipher_ctx_cleanup Asymmetric Algorithms  FIPS_dsa_sig_new DSA 1024 bits With SHA- 739 FIPS 186-2 Signature modulus 1 only FIPS_dsa_verify 740 verification size key pair FIPS_dsa_verify_ctx FIPS_dsa_verify_digest FIPS_dsa_sig_free L=2048,N=  FIPS_dsa_new DSA domain With all 739 FIPS 186-4 224,L=2048 parameter SHA sizes FIPS_dsa_openssl 740 ,N=256, generation except fips_dsa_builtin_paramgen2 L=3072,N= SHA-1 FIPS_dsa_free 256  FIPS_dsa_generate_key DSA Key Pair L=2048,N= With all 739 FIPS 186-4 224,L=2048 SHA sizes 740 ,N=256,L=3 except 072,N=256 SHA-1 L=2048,N=  FIPS_dsa_sig_new DSA With all 739 FIPS 186-4 224,L=2048 FIPS_dsa_sign Signature SHA sizes 740 ,N=256,L=3 generation except FIPS_dsa_sign_ctx 072,N=256 SHA-1 FIPS_dsa_sign_digest FIPS_dsa_sig_free L=1024,N=  FIPS_dsa_sig_new DSA With all 739 FIPS 186-4 160,L=2048 Signature SHA sizes FIPS_dsa_verify 740 ,N=224,L=2 verification FIPS_dsa_verify_ctx 048,N=256, FIPS_dsa_verify_digest L=3072,N= FIPS_dsa_sig_free 256  FIPS_rsa_rsa RSA key 2048, 3072, 1222 FIPS 186-2 generation 4096 FIPS_rsa_blinding_off 1223 modulus FIPS_rsa_blinding_on size. FIPS_rsa_flags Public key FIPS_rsa_pkcs1_ssleay values 3, 17, FIPS_rsa_size and 65537. FIPS_rsa_x931_derive_ex FIPS_rsa_x931_generate_ key_ex FIPS_rsa_generate_key_ex FIPS_rsa_free  FIPS_rsa_sign RSA 2048, 3072, 1222 FIPS 186-2 signature 4096 bit FIPS_rsa_sign_ctx 1223 Generation modulus FIPS_rsa_sign_digest based on SHA-256, X9.31 SHA-384, SHA-512 hashing algorithm  FIPS_rsa_verify RSA 1024, 1536, 1222 FIPS 186-2 8 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_rsa_verify_ctx Signature 2048, 3072, 1223 Verification 4096 bit FIPS_rsa_verify_digest based on modulus X9.31  FIPS_rsa_sign RSA 2048, 3072, SHA-224, 1222 FIPS 186-2 Signature 4096 bit SHA-256, FIPS_rsa_sign_ctx 1223 Generation modulus SHA-384, FIPS_rsa_sign_digest based on SHA-512 PKCS#1 v1.5  FIPS_rsa_verify RSA 1024, 1536, SHA-1, 1222 FIPS 186-2 Signature 2048, 3072, SHA-224, FIPS_rsa_verify_ctx 1223 Verification 4096 bit SHA-256, FIPS_rsa_verify_digest based on modulus SHA-384, PKCS#1 v1.5 SHA-512  FIPS_rsa_sign RSA 2048, 3072, SHA-224, 1222 FIPS 186-2 Signature 4096 bit SHA-256, FIPS_rsa_sign_ctx 1223 Generation modulus SHA-384, FIPS_rsa_sign_digest based on PSS SHA-512 (probabilistic signature scheme)  FIPS_rsa_verify RSA 1024, 1536, SHA-1, 1222 FIPS 186-2 Signature 2048, 3072, SHA-224, FIPS_rsa_verify_ctx 1223 Verification 4096 bit SHA-256, FIPS_rsa_verify_digest based on PSS modulus SHA-384, (probabilistic SHA-512 signature scheme)  FIPS_ec_key_new ECDSA Key P-224, 256, 389 FIPS 186-2 Pair 384, 521 FIPS_ec_key_new_by_cur 390 Generation ve_name FIPS_ec_key_check_key K- 233, 283, FIPS_ec_key_clear_flags 409,571 FIPS_ec_key_copy FIPS_ec_key_dup B- 233, 283, FIPS_ec_key_get0_private 409, 571 _key FIPS_ec_key_get0_public _key FIPS_ec_key_get_conv_form FIPS_ec_key_set_conv_form FIPS_ec_key_get_enc_flags FIPS_ec_key_set_enc_flags FIPS_ec_key_get_flags FIPS_ec_key_set_flags FIPS_ec_key_get_key_me thod_data FIPS_ec_key_set_group FIPS_ec_key_insert_key_ method_data 9 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_ec_key_precompute _mult FIPS_ec_key_set_asn1_flag FIPS_ec_key_set_private_key FIPS_ec_key_set_public_key FIPS_ec_key_up_ref FIPS_ec_key_new_by_cur ve_name FIPS_ec_key_generate_key FIPS_ec_key_set_public_k ey_affine_coordinates FIPS_ec_key_free FIPS_ec_point_new FIPS_ec_point_set_to_infi nity FIPS_ec_point_get_affine_ coordinates_gfp FIPS_ec_point_get_jprojec tive_coordinates_gfp FIPS_ec_point_is_at_infinity FIPS_ec_point_is_on_curve FIPS_ec_point_make_affine FIPS_ec_points_make_affine FIPS_ec_point_method_of FIPS_ec_point_mul FIPS_ec_point_free FIPS_ec_point_clear_free FIPS_ecdsa_openssl  FIPS_ecdsa_verify ECDSA P-192,224, 389 FIPS 186-2 Signature 256,384,521 FIPS_ecdsa_verify_ctx 390 Verification FIPS_ecdsa_verify_digest FIPS_ecdsa_sig_free K-163,233, 283,409,571 B-163,233, 283,409,571  FIPS_ecdsa_verify ECDSA P-192, 224, 389 FIPS 186-2 256, 384, FIPS_ecdsa_verify_ctx PKV 390 521 FIPS_ecdsa_verify_digest K-163, 233, FIPS_ecdsa_sig_free 283, 409, 571 B-163,233, 283,409,571  FIPS_ec_key_new ECDSA Key P-224, Key Pair 389 FIPS 186-4 Pair 256,384,521 generation FIPS_ec_key_new_by_cur 390 by testing ve_name Generation candidates. FIPS_ec_key_check_key K-233, 10 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_ec_key_clear_flags 283,409,571 FIPS_ec_key_copy FIPS_ec_key_dup B-233, FIPS_ec_key_get0_private 283,409,571 _key FIPS_ec_key_get0_public _key FIPS_ec_key_get_conv_form FIPS_ec_key_set_conv_form FIPS_ec_key_get_enc_flags FIPS_ec_key_set_enc_flags FIPS_ec_key_get_flags FIPS_ec_key_set_flags FIPS_ec_key_get_key_me thod_data FIPS_ec_key_set_group FIPS_ec_key_insert_key_ method_data FIPS_ec_key_precompute _mult FIPS_ec_key_set_asn1_flag FIPS_ec_key_set_private_key FIPS_ec_key_set_public_key FIPS_ec_key_up_ref FIPS_ec_key_new_by_cur ve_name FIPS_ec_key_generate_key FIPS_ec_key_set_public_k ey_affine_coordinates FIPS_ec_key_free FIPS_ec_point_new FIPS_ec_point_set_to_infi nity FIPS_ec_point_get_affine_ coordinates_gfp FIPS_ec_point_get_jprojec tive_coordinates_gfp FIPS_ec_point_is_at_infinity FIPS_ec_point_is_on_curve FIPS_ec_point_make_affine FIPS_ec_points_make_affine FIPS_ec_point_method_of FIPS_ec_point_mul FIPS_ec_point_free FIPS_ec_point_clear_free FIPS_ecdsa_openssl  FIPS_ecdsa_sign ECDSA P-224, 256, SHA-224, 389 FIPS 186-4 Signature 384, 521 SHA-256, FIPS_ecdsa_sign_ctx 390 Generation SHA-384, K- 233, 283, FIPS_ecdsa_sign_digest SHA-512 409, 571 FIPS_ecdsa_sig_free 11 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy B-233, 283,409,571  FIPS_ecdsa_verify ECDSA PKV P-192, 224, SHA-1, 389 FIPS 186-4 256, 384, SHA-224, FIPS_ecdsa_verify_ctx 390 521 SHA-256, FIPS_ecdsa_verify_digest SHA-384, K-163, 233, FIPS_ecdsa_sig_free SHA-512 283, 409, 571 B-163,233, 283,409,571  FIPS_ecdsa_verify ECDSA P-192, 224, SHA-1, 389 FIPS 186-4 Signature 256, 384, SHA-224, FIPS_ecdsa_verify_ctx 390 verification 521 SHA-256, FIPS_ecdsa_verify_digest SHA-384, K-163, 233, FIPS_ecdsa_sig_free SHA-512 283, 409, 571 B-163,233, 283,409,571 KEY EXCHANGE  FIPS_ecdh_openssl KASECC P-224, Section 62 SP 800- Component 256,384,521 5.7.1.2 FIPS_ecdh_compute_key 56A 63 test ECC CDH K-233, FIPS_ec_group_new Primitive 283,409,571 FIPS_ec_group_new_by_c urve_name B-233, FIPS_ec_group_new_curv 283,409,571 e_gf2m FIPS_ec_group_new_curv e_gfp FIPS_ec_group_precompu te_mult FIPS_ec_group_get0_gen erator FIPS_ec_group_get0_seed FIPS_ec_group_get_asn1 _flag FIPS_ec_group_set_asn1_ flag FIPS_ec_group_get_cofactor FIPS_ec_group_get_curve _gf2m FIPS_ec_group_set_curve _gf2m FIPS_ec_group_get_curve _gfp FIPS_ec_group_set_curve _gfp FIPS_ec_group_get_curve 12 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy _name FIPS_ec_group_set_curve _name FIPS_ec_group_get_degree FIPS_ec_group_set_gener ator FIPS_ec_group_set_point_ conversion_form FIPS_ec_group_method_of FIPS_ec_key_new FIPS_ec_key_new_by_cur ve_name FIPS_ec_key_check_key FIPS_ec_key_clear_flags FIPS_ec_key_copy FIPS_ec_key_dup FIPS_ec_key_get0_private _key FIPS_ec_key_get0_public _key FIPS_ec_key_get_conv_form FIPS_ec_key_set_conv_form FIPS_ec_key_get_enc_flags FIPS_ec_key_set_enc_flags FIPS_ec_key_get_flags FIPS_ec_key_set_flags FIPS_ec_key_get_key_me thod_data FIPS_ec_key_set_group FIPS_ec_key_insert_key_ method_data FIPS_ec_key_precompute _mult FIPS_ec_key_set_asn1_flag FIPS_ec_key_set_private_key FIPS_ec_key_set_public_key FIPS_ec_key_up_ref FIPS_ec_key_new_by_cur ve_name FIPS_ec_key_generate_key FIPS_ec_key_set_public_k ey_affine_coordinates FIPS_ec_key_free FIPS_ec_point_new FIPS_ec_point_set_to_infi nity FIPS_ec_point_get_affine_ coordinates_gfp FIPS_ec_point_get_jprojec tive_coordinates_gfp FIPS_ec_point_is_at_infinity 13 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_ec_point_is_on_curve FIPS_ec_point_make_affine FIPS_ec_points_make_affine FIPS_ec_point_method_of FIPS_ec_point_mul FIPS_ec_point_free FIPS_ec_point_clear_free FIPS_ec_group_clear_free Hash Functions  FIPS_digest SHA-1 N/A 2039 FIPS 180- FIPS_digestinit 4 SHA-224 2040 FIPS_digestupdate SHA-256 FIPS_digestfinal SHA-384 FIPS_md_ctx_init SHA-512 FIPS_md_ctx_create FIPS_md_ctx_copy FIPS_md_ctx_destroy FIPS_md_ctx_cleanup Message Authentication Codes (MACs)  HMAC-SHA-1 FIPS_hmac N/A 1470 FIPS 198 HMAC-SHA-224 FIPS_hmac_init 1471 HMAC-SHA-256 FIPS_hmac_init_ex HMAC-SHA-384 FIPS_hmac_update HMAC-SHA-512 FIPS_hmac_ctx_copy FIPS_hmac_ctx_set_flags FIPS_hmac_final FIPS_hmac_ctx_cleanup Supports 0  FIPS_cmac_init CMAC 128,192,256 2366 SP 800- length generate and key sizes 38B FIPS_cmac_update 2367 verify with CMAC FIPS_cmac_resume 2381 AES length FIPS_cmac_final Min 2 FIPS_cmac_ctx_new Max 16 FIPS_cmac_ctx_copy  FIPS_cmac_ctx_free CMAC 3 key Supports 0 1479 SP 800- generate and Triple-DES length 38B FIPS_cmac_ctx_get0_ciph 1480 er_ctx verify with Triple-DES FIPS_cmac_ctx_cleanup 128,192,256 Tag len  FIPS_cipherinit CCM 2366 SP 800- key sizes 4,6,8,10,12 38C FIPS_cipher 2367 Nonce len ,14,16 FIPS_cipher_ctx_new 2381 7, 8, 9,10, FIPS_cipher_ctx_init 11, 12,13 FIPS_cipher_ctx_ctrl FIPS_cipher_ctx_copy FIPS_cipher_ctx_set_key_l ength FIPS_cipher_ctx_free 14 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_cipher_ctx_cleanup  FIPS_cipherinit GCM 128, 192, Tag length 2366 SP 800- encryption/ 256 bit keys supports 38D, FIPS_cipher 2367 96 bit IV 32,64,96,1 compliant decryption FIPS_cipher_ctx_new 2381 supported 04,112,120 to section FIPS_cipher_ctx_init Max IV ,128 8.2.1 for FIPS_cipher_ctx_ctrl length 1024 IV FIPS_cipher_ctx_copy generation FIPS_cipher_ctx_set_key_l ength FIPS_cipher_ctx_free FIPS_cipher_ctx_cleanup Random Number Generation RNG Seed and AES-128  FIPS_x931_bytes 1176 ANS seed key AES-192 X9.31 FIPS_x931_method 1177 AES-256 FIPS_x931_reset 1182 FIPS_x931_seed FIPS_x931_set_dt FIPS_x931_set_key FIPS_x931_status FIPS_x931_stick FIPS_x931_test_mode FIPS_rand_add FIPS_rand_bytes FIPS_rand_get_method FIPS_rand_set_method FIPS_rand_pseudo_bytes FIPS_rand_seed FIPS_rand_set_bits FIPS_rand_status FIPS_rand_strength Zeroization of Seed and AES based  fips_rand_prng_reset RNG CSPs seed key RNG  FIPS_drbg_init HASH DRBG SHA-1, 304 SP 800- SHA-224, 90A FIPS_drbg_new 305 SHA-256, FIPS_drbg_instantiate SHA-384, FIPS_drbg_generate SHA-512 FIPS_drbg_get_app_data Prediction FIPS_drbg_set_app_data resistance FIPS_drbg_set_callbacks supported FIPS_drbg_set_check_inte for al rval variations FIPS_drbg_set_rand_callb acks FIPS_drbg_set_reseed_int erval FIPS_drbg_stick FIPS_drbg_get_blocklength 15 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_drbg_reseed FIPS_drbg_method FIPS_drbg_get_strength FIPS_drbg_health_check FIPS_drbg_free FIPS_drbg_uninstantiate  FIPS_drbg_init HMAC SHA-1, No reseed 304 SP 80-90A DRBG SHA-224, FIPS_drbg_new 305 SHA-256, FIPS_drbg_instantiate SHA-384, FIPS_drbg_generate SHA-512 FIPS_drbg_get_app_data Prediction FIPS_drbg_set_app_data resistance FIPS_drbg_set_callbacks supported for al FIPS_drbg_set_check_inte variations rval FIPS_drbg_set_rand_callb acks FIPS_drbg_set_reseed_int erval FIPS_drbg_stick FIPS_drbg_get_blocklength FIPS_drbg_reseed FIPS_drbg_method FIPS_drbg_get_strength FIPS_drbg_health_check FIPS_drbg_free FIPS_drbg_uninstantiate  FIPS_drbg_init CTR DRBG AES-192, Supported 304 SP 800- derivation 90A FIPS_drbg_new AES-256 305 function Prediction FIPS_drbg_instantiate 313 for all resistance FIPS_drbg_generate variations supported FIPS_drbg_get_app_data for al FIPS_drbg_set_app_data variations FIPS_drbg_set_callbacks FIPS_drbg_set_check_inte rval FIPS_drbg_set_rand_callb acks FIPS_drbg_set_reseed_int erval FIPS_drbg_stick FIPS_drbg_get_blocklength FIPS_drbg_reseed FIPS_drbg_method FIPS_drbg_get_strength FIPS_drbg_health_check 16 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS_drbg_free FIPS_drbg_uninstantiate  fips_drbg_uninstantiate Zeroization of DRBG Hash_DRB DRBG CSPs context G fips_drbg_free HMAC_D RBG CTR_DRB G Dual_EC_ DRBG  RSA_public_encrypt RSA Key A service Encryption, IG D.9 SP 800- wrapping provided for Decryption 56B RSA_private_encrypt calling for key RSA_private_decrypt application, wrapping RSA_public_decrypt but no CSPs 2048, are 3072, 4096 transported into or out of the Module Other Services  Initialization N/A N/A Non securit y functi on  FIPS_selftest Self-Tests N/A N/A Non securit y functi on FIPS_module_version  Get status N/A N/A Non FIPS_module_version_text securit FIPS_module_mode y FIPS_selftest_failed functi on Diffie- Shall not be used in the FIPS- Non- PKCS #3 Hellman Approved mode Appro primitive ved Table 4: Services As per the SP800-131A transition on 2014-01-01, the key lengths providing less than 112 bits of security strength are listed as non-Approved functions in Table 4.1, so their usage is discouraged as they cannot be used in FIPS mode after the transition period. 17 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy FIPS Approved Service Roles CSP Modes Standard (Cert #) U s C e O r  RSA key generation 1024, 1536, 1222 FIPS 186-2 modulus size. 1223 Public key values 3, 17, and 65537.  1024, 1536, 2048, 1222 RSA signature SHA-1, SHA-256, FIPS 186-2 3072, 4096 bit Generation based on SHA-384, SHA-512 1223 modulus X9.31  2048, 3072, 4096 1222 RSA signature SHA-1 FIPS 186-2 bit modulus Generation based on 1223 X9.31  1222 RSA Signature 1024, 1536, bit SHA-1, SHA-256, FIPS 186-2 Generation based on modulus SHA-384, SHA-512 1223 PKCS#1 v1.5  1222 RSA Signature 2048, 3072, 4096 SHA-1 FIPS 186-2 Generation based on bit modulus 1223 PKCS#1 v1.5  1222 RSA Signature 1024, 1536, bit SHA-1, SHA-224, FIPS 186-2 Generation based on SHA-256, SHA-384, modulus 1223 PSS (probabilistic SHA-512 signature scheme)  1222 RSA Signature 2048, 3072, 4096 SHA-1 FIPS 186-2 Generation based on bit modulus 1223 PSS (probabilistic signature scheme)  IG D.9 RSA Key wrapping A service provided Encryption, SP 800-56B for calling Decryption for key application, but no wrapping 1024 bits CSPs are transported into or out of the Module  739 DSA domain p, q, g; 1024 bits With SHA-1 only FIPS 186-2 parameter generation modulus size 740  739 DSA Key pair 1024 bits modulus With SHA-1 only FIPS 186-2 generation size key pair 740 18 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy  739 DSA Signature 1024 bits modulus With SHA-1 only FIPS 186-2 generation size key pair 740 L=1024,N=160  739 DSA domain With all SHA sizes FIPS 186-4 parameter generation 740 L=2048,N=224,L=  739 DSA domain With SHA-1 only FIPS 186-4 2048,N=256, parameter generation 740 L=3072,N=256  739 DSA Key Pair L=1024,N=160 With all SHA sizes FIPS 186-4 740  739 DSA Key Pair L=2048,N=224,L= With SHA-1 only FIPS 186-4 2048,N=256,L=30 740 72,N=256  739 DSA Signature L=1024,N=160 With all SHA sizes FIPS 186-4 generation 740  739 DSA Signature L=2048,N=224,L= With SHA-1 only FIPS 186-4 2048,N=256,L=30 generation 740 72,N=256  P-192 389 ECDSA Key Pair FIPS 186-2 Generation K-163 390 B-163  P-192,224, 389 ECDSA Signature FIPS 186-2 256,384,521 Generation 390 K-163,233, 283,409,571 B-163,233, 283,409,571  ECDSA Key Pair P-192 Key Pair generation 389 FIPS 186-4 by testing candidates. K-163 390 Generation B-163  P-192 389 ECDSA Signature SHA-1, SHA-224, FIPS 186-4 SHA-256, SHA-384, Generation K-163 390 SHA-512 B-163  P-224, 256, 384, 389 ECDSA Signature SHA-1 FIPS 186-4 521 Generation 390 K-233, 283, 409, 571 B-233, 83,409,571  P-192 62 KASECC Section 5.7.1.2 ECC SP 800-56A Component test CDH Primitive K-163 63 B-163  P-256 304 Dual EC DRBG SHA-1, SHA-224, SP 800-90A SHA-256, SHA-384, Prediction 19 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 305 (non-compliant) SHA-512 resistance supported for al variations P-384 SHA-224, SHA-256, SHA-384, SHA-512 Prediction resistance supported for al variations P-521 SHA-256, SHA-384, SHA-512 Prediction resistance supported for al variations Table 4.1: Non Approved Services Caveat 1: NIST SP 800-131A describes the transition associated with the use of cryptographic algorithms and key lengths. Based on the information included in this publication, the following algorithms implemented in this cryptographic module will become “disallowed” after 2013 or 2015, so their usage is discouraged as they cannot be used in FIPS mode after the transition period: • DSA Key Generation and Digital Signature Generation with keys of length < 2048 bits. • RSA Key Generation and Digital Signature Generation with keys of length < 2048 bits. • EC Diffie- Hellman’s primitive using elliptic curves with keys of length < 224 bits. • RSA Key Wrapping with keys of length < 2048 bits. • RNG specified in ANS X9.31 • SHA-1 for digital signature generation • HMAC with key lengths < 112 bits Caveat 2: Elliptic Curve Diffie-Hellman (ECDH) with 163-571 bits curves (P-192, P-224, P-256, P-384, P-521, K- 163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409, B-571) provides 80-256 bits of security strength. Caveat 3: RSA Key Wrapping with 1024-4096 bits of keys provides 80-150 bits of security strength. Caveat 4: The calling application provides the entropy input to the module. There is no assurance of the minimum strength of generated keys. Caveat 5: In case the Module’s power is lost and then restored, the calling application must ensure that the keys used for the AES GCM encryption/decryption are re-distributed. 20 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy Caveat 6: Some of the above listed FIPS_* APIs call FIPS_selftest_failed() to check if the self-test was failed before providing the requested cryptographic services. The check on the self-test status is intended as an aid to the developer in preventing the accidental use of the cryptographic services while the Module is in the error state after the self-test failed. Nevertheless, this is not a guarantee that cryptographic services are absolutely not available in the error state. Sufficiently creative or unusual use of the APIs may still allow the use of some pieces of cryptographic services. It is the responsibility of the application developer to ensure that if the self-test fails during the Module initialization, the application must exit and then to initialize the Module. In case the self-test fails, the application shall not call any of the cryptographic API functions. 4.3 Operator Authentication There is no operator authentication; assumption of role is implicit by the services that the operator invokes. 4.4 Mechanism and Authentication Strength No authentication is required at security level 1; authentication is implicit by assumption of the role. 21 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 5 Physical Security This is a software module and provides no physical security. 22 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 6 Operational Environment The Module operates in a modifiable operational environment. 6.1 Policy The tested operating systems segregate user processes into separate process spaces. Each process space is logically separated from all other processes by the operating system software and hardware. The Module is single-threaded and functions entirely within the process space of the calling application. The application that uses the Module is the single user of the Module. No concurrent operators are allowed. 23 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 7 Cryptographic Key Management The management of all keys/CSPs used by the Module is summarized in the table below. The key/CSP names are generic, corresponding to API parameter data structures. Key/CSP Name Details Accessible by Roles: User, Crypto Officer Generation: Maybe by RNG and DRBG Type: Symmetric Encryption and Decryption Key 128-, 192-, and 256-bit AES keys Entry: API parameter Output: API parameter Storage: RAM for the lifetime of API call Zeroization APIs: FIPS_cipher_ctx_cleanup Accessible by Roles: User, Crypto Officer Generation: Maybe by RNG and DRBG Type: Symmetric Encryption and Decryption Key 3-Key Triple-DES Key Entry: API parameter Output: API parameter Storage: RAM for the lifetime of API call Zeroization API: FIPS_cipher_ctx_cleanup Accessible by Roles: User, Crypto Officer Generation: N/A Type: 3-Key Triple key or AES key CMAC keys Entry: API function Output: N/A Storage: RAM for the lifetime of API call Zeroization API: CMAC_CTX_cleanup Accessible by Roles: User, Crypto Officer Generation: N/A Type: Keyed-Hash Message Authentication HMAC keys Entry: API function Output: N/A Storage: RAM for the lifetime of API call Zeroization API: HMAC_CTX_cleanup Accessible by Roles: Crypto Officer Generation: N/A Type: Keyed-Hash Message Authentication HMAC key for Module integrity check Entry: API function Output: N/A Storage: Module binary Zeroization: not required per FIPS IG 7.4. Accessible by Roles: User, Crypto Officer Generation: RNG or DRBG Type: Asymmetric key pair RSA key pairs Entry: API function Output: API function Storage: N/A 24 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy Key/CSP Name Details Zeroization API: FIPS_rsa_free Accessible by Roles: User, Crypto Officer Generation: RNG or DRBG Type: Asymmetric key pair DSA key pairs Entry: API function Output: API function Storage: RAM for the lifetime of API call Zeroization API: FIPS_dsa_free Accessible by Roles: User, Crypto Officer Generation: RNG or DRBG Type: Asymmetric key pair ECDSA key pairs Entry: API function Output: API function Storage: RAM for the lifetime of API call Zeroization API: EC_KEY_free Accessible by Roles: User, Crypto Officer Generation: RNG or DRBG Type: primitives Entry: API function EC Diffie-Hellman primitives Output: API function Storage: RAM for the lifetime of API call Zeroization API: EC_KEY_free Accessible by Roles: User, Crypto Officer Generation: NDRNG from the OE Type: seed and seed key RNG CSPs Entry: API function Output: API function Storage: RAM for the lifetime of RNG instance Zeroization API: fips_rand_prng_reset Accessible by Roles: User, Crypto Officer Generation: NDRNG from the OE Type: V, C, HMAC Key, AES Key, and entropy input Entry: API function DRBG CSPs Output: API function Storage: RAM for the lifetime of DRBG instance Zeroization API: FIPS_drbg_free, FIPS_drbg_uninstantiate Table 5: Key Management Details 25 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 7.1 Key/CSP Generation The Module implements ANS X9.31 compliant RNG and SP 800-90A compliant DRBG services for creation of symmetric and asymmetric keys. The calling application is responsible for storage of generated keys returned by the Module. The seeds and entropy input are provided to the Module by the calling application. Module users (the calling application) shall use entropy sources that meet the security strength required for the random number generation mechanism: 128 bits for the RNG based on ANS X9.31, and as shown in Table 2, Table 3, and Table 4 in SP 800-90A for DRBG. The entropy is supplied by means of callback functions. Those functions must return an error if the minimum entropy strength cannot be met. 7.2 Key Entry and Output All CSPs enter the Module's logical boundary as cryptographic algorithm API parameters in plaintext. They are associated with memory locations and do not persist across power cycles. The Module does not output intermediate key generation values or other CSPs. The Module provides the resulting keys as explicit return values of key generation services to the calling application, but they do not cross the physical boundary. 7.3 Key Storage The Module does not provide persistent key storage for keys or CSPs. The Module stores RNG and DRBG state values for the lifetime of the RNG or DRBG instance in RAM. The Module uses pointers to plaintext keys/CSPs that are passed in by the calling application. The Module does not store any CSP beyond the lifetime of an API call, with the exception of RNG and DRBG state values used for the Module’s key generation services. 7.4 Key Zeroization Zeroization of sensitive data is performed automatically by API function calls for temporarily stored CSPs. All keys and CSPs are ephemeral and are destroyed when released by the appropriate API function calls. Keys and CSPs residing in internally allocated data structures (during the lifetime of an API call) can only be accessed using the Module defined API. The operating system protects memory and process space from unauthorized access. Only the calling application that creates or imports keys can use or export such keys. All API functions are executed in a single user mode by one calling application at a time to ensure that no two API functions will execute concurrently. In addition, the Module provides functions to explicitly destroy CSPs related to random number generation services. The calling application is responsible for parameters passed in and out of the Module. 26 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 8 Electromagnetic Interference/Compatibility The Module's electromagnetic interference (EMI) and electromagnetic compatibility (EMC) features are summarized in Table 6: EMI and EMC . Testing Platform Product Name/Model Model Number EMI/EMC Notes Compliant to FCC part 15 Class oMG oMG 2000 A per FCC report Compliant to FCC part 15 Class Dell PowerEdge R210 A per “PowerEdge R210 Dell Technical Guide” Table 6: EMI and EMC 27 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 9 Self-Tests The module performs all the power-up self test upon initialization of the module and before the module becomes usable. All the tests are performed automatically without requiring any operator intervention. Call to the FIPS_selftest() function is made in the constructor which performs the test. The invocation of FIPS_selftest() function performs all power-up self-tests listed below in section 9.2 with no operator intervention required, returning a “1” if all power-up self-tests succeed, and a “0” otherwise. If any component of the power-up self-test fails an internal flag is set to prevent subsequent invocation of any cryptographic function calls. 9.1 Integrity test During the software build process, the Module is used to compute a HMAC-SHA-1 message authentication code (MAC) of the Module binary—the MAC and the required key are then stored with the Module. Prior to loading the Module, a HMAC-SHA-1 MAC of the binary is again computed and compared to the original. If the comparison passes, the Module is loaded and the power-up self-tests are run; if the self- tests pass, the Module enters FIPS- Approved mode. If the comparison for integrity check fails, the FIPS_selftest()function returns “0” to indicate the failure and set a global flag for the failing status. The calling application shall check the Module status before proceeding with any further action. 9.2 Power-up Tests At Module start-up, the following Known Answer Tests (KAT) or Pair-wise Consistency Test (PCT) in place of KAT for DSA and ECDSA are performed by FIPS_selftest(): • AES separate encrypt and decrypt, ECB mode, 128 bit key • AES CCM separate encrypt and decrypt, 192 key length • AES GCM separate encrypt and decrypt, 256 key length • XTS-AES 128- or 256-bit key size to support XTS-AES-128 or XTS-AES-256 respectively • AES CMAC generate and verify CBC mode, 128, 192, 256 key lengths • Triple-DES separate encrypt and decrypt, ECB mode, 3-Key • Triple-DES CMAC generate and verify, CBC mode, 3-Key • HMAC one KAT per SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 • SHA KATs is performed via HMAC KATs (allowed via FIPS 140-2 IG 9.1) • ANS X9.31 RNG 128-, 192-, 256-bit AES keys • DRBG 800-90A CTR_DRBG: AES, 256-bit with and without derivation function o HASH_DRBG: SHA-256 o HMAC_DRBG: SHA-256 o Dual_EC_DRBG: P-256 and SHA-256 o • RSA sign and RSA verify separately using 2048-bit key, SHA-256 • DSA PCT on signing and verifying signature using 2048-bit key, SHA-384 28 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy • ECDSA PCT on key generation, signing, and verifying using P-224, K-233 and SHA-512 • ECC CDH shared secret calculation per section 5.7.1.2 of SP 800-56A, IG 9.6 Depending on whether the underlying Operational Environment has AES-NI capable processor with this feature enabled, the KATs for AES and all algorithms that rely on AES (i.e., AES CCM/GCM/CMAC/XTS, RNG and CTR_DRBG) may or may not utilize the AES-NI support from the processor. When the AES-NI support is enabled, the AES implementation utilizes the AES-NI support from the processor. When the AES-NI support is disabled, the AES implementation is solely in software. In both AES-NI enabled and disabled scenarios, there is one and only one AES implementation in the Module is used. The KATs of AES and algorithms relying on AES as well as the subsequent calls to these cryptographic services consistently use the same AES implementation. The Module has been tested on the Dell PowerEdge R210 platform containing Intel x86 processor with and without the AES-NI support enabled. AES and all algorithms that rely on AES also have algorithm certificates for Intel x86 processor with and without the AES-NI support enabled. 9.3 Conditional Tests The Module also implements the following conditional tests: • ANS X9.31 RNG continuous test • DRBG SP 800-90 continuous test • RSA pairwise consistency test on each generation of a key pair o Use private key for signature generation and public key for signature verification o Use public key for key encryption and private key for key decryption • DSA pairwise consistency test on each generation of a key pair o Use private key for signature generation and public key for signature verification • ECDSA pairwise consistency test on each generation of a key pair o Use private key for signature generation and public key for signature verification 9.4 On-Demand Self-Test On-demand self-tests can be invoked by calling FIPS_selftest() function. This function performs all the power-up self-tests listed in section 9.2. The function returns “1” on successful completion of all the tests and returns “0” if any error occurs. 29 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 10 Design Assurance 10.1 Configuration Management CDs containing the uncompressed and expanded contents of the source code distribution openssl-fips- 2.0.1.tar.gz are obtained from the OpenSSL Software Foundation (OSF). The openssl-fips-2.0.1 source code is compiled and built for the Dell PowerEdge R210 and oMG 2000 platforms. The generated resulting object code is in file fipscanister.o. The object code file is distributed in the packages as described in section 2.3. Upon receiving the CDs from OSF, the source code for the Module is then stored on a server that is connected to a private corporate intranet. Changes to the source code, and other required files, are managed with the git distributed version control system, which provides traceability between developers, the source code, and the released binary module. Each binary is tracked with an embedded build number that has a matching tag in the revision control system, which identifies the source files that were used to produce the binary. 10.2 Installation and Usage Guidance The Module is a monolithic FIPS Object Module. It is designed for indirect use via the OpenSSL API. For the convenience of use, CoCo delivers the OpenSSL library (i.e., libcrypto.so) with the Module embedded within as part of the OpenSSL build process. The applications can then link to the OpenSSL library to utilize the FIPS validated cryptographic functions provided by the embedded fipscanister object code. Developers who intend to build FIPS capable OpenSSL library by combining the FIPS validated canister object code and a version of the OpenSSL product that is suitable for use with this object module shall follow two steps listed below: 1. The HMAC-SHA-1 digest of the Module object file must be calculated and verified against the pre- calculated digest to ensure the integrity of the Module object file. 2. A HMAC-SHA-1 digest of the Module must be generated and embedded in the Module for use by the FIPS_check_incore_fingerprint() function at runtime initialization. The fips_standalone_sha1 command can be used to perform the verification of the Module object file and to generate the new HMAC-SHA-1 digest for the runtime executable object. Failure to embed the digest in the executable object will prevent initialization of the Module into the FIPS-Approved mode. At runtime, the FIPS_check_incore_fingerprint() function compares the embedded HMAC-SHA-1 digest with a digest generated form the Module object code. The calling application interfacing with the Module is outside the cryptographic boundary, but it has to link the Module appropriately by following the steps described above in order to ensure that the Module is compliant with FIPS 140-2. 30 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 11 Mitigation of Other Attacks No other attacks are mitigated. 31 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 12 Abbreviations Advanced Encryption Specification AES Cryptographic Algorithm Validation Program CAVP Cipher Block Chaining CBC Counter with Cipher Block Chaining-Message Authentication CCM Code Cipher Feedback CFB Cryptographic Module Testing CMT Cryptographic Module Validation Program CMVP Critical Security Parameter CSP Component Verification Testing CVT Data Encryption Standard DES Digital Signature Algorithm DSA Finite State Model FSM Hash Message Authentication Code HMAC Known Answer Test KAT Message Authentication Code MAC National Institute of Science and Technology NIST National Voluntary Laboratory Accreditation Program NVLAP Operational Environment OE Output Feedback OFB Operating System O/S Random Number Generator RNG Rivest, Shamir, Addleman RSA Software Development Kit SDK Secure Hash Algorithm SHA Secure Hash Standard SHS Service Level Agreement SLA Strength of Function SOF Secure Shell SSH Scenario Verification Testing SVT Triple DES TDES User Interface UI 32 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy 13 References [1] FIPS 140-2 Standard, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf [2] FIPS 140-2 Implementation Guidance, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140- 2/FIPS1402IG.pdf [3] FIPS 140-2 Derived Test Requirements, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140- 2/FIPS1402DTR.pdf [4] FIPS 197, Advanced Encryption Standard (AES), http://csrc.nist.gov/publications/fips/fips197/fips- 197.pdf [5] FIPS 180-4 Secure Hash Standard, http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf [6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC), http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf [7] FIPS 186-2, Digital Signature Standard, http://csrc.nist.gov/publications/fips/archive/fips186- 2/fips186-2.pdf [8] FIPS 186-3 Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186- 3/fips_186-3.pdf [9] ANS X9.31 Appendix A.2.4, Random Number Generator, http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf [10] NIST SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf [11] NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf [12] NIST SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800- 38C_updated-July20_2007.pdf [13] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf [14] NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800- 38E.pdf [15] NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes using Discrete Logarithm Cryptography (Revised), http://csrc.nist.gov/publications/nistpubs/800-56A/SP800- 56A_Revision1_Mar08-2007.pdf 33 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo OpenSSL Cryptographic Module 2.1 FIPS 140-2 Security Policy [16] NIST SP 800-56B, Recommendation for Pair-Wise Establishment Schemes Using Integer Factorization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf [17] NIST SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf [18] NIST SP 800-131A Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf 34 ©2013 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice.