3e Technologies International, Inc.
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation

3e-543 AirGuard iField Wireless Sensor Cryptographic Module
HW Versions 1.0
FW Versions 1.0

Security Policy Version 1.0
January 2014

Copyright 2012 by 3e Technologies International. This document may freely be reproduced and distributed in its entirety.

Contents

Glossary of Terms
1. Introduction
   1.1. Purpose
   1.2. Definition
   1.3. Ports and Interfaces
   1.4. Scope
2. Roles, Services, and Authentication
   2.1 Roles & Services
   2.2 Authentication Mechanisms and Strength
   2.3 Services
3. Secure Operation and Security Rules
   3.1. Security Rules
   3.2. Physical Security Tamper Evidence
4. Operational Environment
5. Security Relevant Data Items
   5.1. Cryptographic Algorithms
   5.2. Self-tests
      5.2.1 Power-on Self-tests
   5.3 Cryptographic Keys and SRDIs
6. Design Assurance

Glossary of Terms

CO    Cryptographic Officer
FIPS  Federal Information Processing Standard
MAC   Medium Access Control
RSA   Rivest, Shamir, Adleman
SHA   Secure Hash Algorithm
SRDI  Security Relevant Data Item
ISA   International Society of Automation

1. Introduction

1.1. Purpose

This document describes the non-proprietary cryptographic module security policy for 3e Technologies International's ISA 100.11a wireless sensor product, the 3e-543 AirGuard iField Wireless Sensor Cryptographic Module (Hardware Versions: HW V1.0, Firmware Versions: 1.0). This policy was created to satisfy the requirements of FIPS 140-2 Level 2. It defines 3eTI's security policy and explains how the 3e-543 AirGuard iField Wireless Sensor Cryptographic Module meets the FIPS 140-2 security requirements.

The figure below shows the 3e-543 Secure Access Point Cryptographic Module.

Figure 1 – 3e-543 AirGuard iField Wireless Sensor Cryptographic Module

1.2. Definition

The 3e-543 AirGuard iField Wireless Sensor Cryptographic Module is a device which consists of electronic hardware, embedded software and an enclosure. For purposes of FIPS 140-2, the module is considered to be a multi-chip embedded module.
The 3e-543 AirGuard iField Wireless Sensor Cryptographic Module is enclosed in a tamper-resistant opaque metal enclosure, protected by tamper-evident tape intended to provide physical security, as shown in Figure 1. The module's cryptographic boundary is the metal enclosure. The components attached to the underside of the PCB and the components (RTC, reset delay chip, logic gates, and resistors, underside of chip pads, impedance beads and capacitors) which reside outside of the protective "can" of the module are excluded from FIPS requirements. This device always runs in FIPS mode.

The table below lists the security level of this module.

Table 1 – Module Security Level

| Section | Section Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 2 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 2 |
| 8 | EMI/EMC | 2 |
| 9 | Self-tests | 2 |
| 10 | Design Assurance | 3 |
| 11 | Mitigation of Other Attacks | N/A |
| 14 | Cryptographic Module Security Policy | 2 |

1.3. Ports and Interfaces

The module provides sensor analog and digital connection pins, one wireless radio, LEDs and a USB port for serial management session communication and power input, as shown in the figure below:

[Block diagram. Labeled components: RAM, ISA 100.11a RF radio, EnergyMicro CPU, power (external power), FLASH, EEPROM, GPIO/analog sensor terminals, USB (USB connector), FIPS boundary]

Figure 2 – 3e-543 Wireless Sensor Cryptographic Module High Level Block Diagram

The ports are defined below:

a. Status output: USB port and LED (GPIO) pins
b. Data output: Radio interface
c. Data input: Radio interface, USB port and sensor terminal pins
d. Control input: USB port, radio interface and reset pin
e. Power port

1.4. Scope

This document covers the secure operation of the 3e-543 AirGuard iField Wireless Sensor Cryptographic Module, including the initialization, roles and responsibilities of operating the product in a secure, FIPS-compliant manner, and a description of the Security Relevant Data Items (SRDIs).

2. Roles, Services, and Authentication

The product software supports three separate roles. The set of services available to each role is defined in this section. The product authenticates an operator's role by verifying his/her password or possession of a shared secret.

2.1 Roles & Services

The product supports the following authorized roles for operators:

Crypto Officer Role: The Crypto Officer (CO) role performs all security functions provided by the product. This role performs cryptographic initialization and management functions (e.g., module initialization, input/output of cryptographic keys and SRDIs, audit functions and Administrator user management). The Crypto Officer authenticates to the product using a username and password (8-32 characters).

Administrator User Role: This role performs general product configuration. No CO security functions are available to the Administrator. The Administrator can also reboot the product if deemed necessary. The Administrator authenticates to the product using a username and password (8-32 characters).

Device Role: The purpose of the Device role is to describe other devices as they interact with this Cryptographic Module, including:

- Other ISA 100.11a wireless sensor
- ISA 100.11a wireless gateway

The Device Role has access to the data encryption and decryption service (AES-CCM). This is the only role corresponding to the FIPS 140-2 "User" role.

NetUser Role: This is a special administrator role assumed by the ISA100 Gateway device when the Gateway loads firmware into the module using the encrypted wireless data link. The NetUser authenticates to the module with user name and password.
The only extra service available to this role is to load firmware over the wireless link.

2.2 Authentication Mechanisms and Strength

The following table summarizes the roles and the type of authentication supported for each role:

Table 2 – Authentication versus Roles

| Role | Type of Authentication | Authentication Data |
|---|---|---|
| Crypto Officer | ID-based | Userid and password |
| Administrator User | ID-based | Userid and password |
| NetUser | ID-based | Userid and password |
| Device: ISA100.11a wireless sensor | Static key | The possession of network join key, identifiable with MAC address |
| Device: ISA 100.11a wireless gateway | Static key | The possession of the network join key, identifiable with MAC address |

The following table identifies the strength of authentication for each authentication mechanism supported:

Table 3 – Strength of Authentication

| Authentication Mechanism | Strength of Mechanism |
|---|---|
| Userid and password (8-32 chars) | Minimum 8 characters => 94^8 = 6.096E15 |
| Static key | 128 bits => 2^128 = 3.40E38 |

The module halts (introduces a delay) for one second (the initial value, which keeps incrementing) after each unsuccessful authentication attempt by the Crypto Officer or Administrator. The highest rate of authentication attempts to the module is one attempt per second. This translates to 60 attempts per minute. Therefore the probability that multiple attempts to use the module's authentication mechanism succeed during a one-minute period is 60/(94^8), or less than (9.84E-15).

As for the wireless device, the IEEE 15.4 network join key is 128 bits, so the probability for a random attempt to succeed is 1:2^128. The fastest network connection supported by the module is 256 Kbps. Hence at most (256 × 10^3 × 60 = 1.536 × 10^7) 1,536,000 bits of data can be transmitted in one minute. Therefore, the probability that a random attempt will succeed or a false acceptance will occur in one minute is less than 1:(2^128 / 1.536 × 10^7), which is less than 1 in 100,000 as required by FIPS 140-2.
2.3 Services

The Crypto Officer and Administrator can configure the module, while Device users can only use the encryption/decryption service of the module. The table below details the roles and available services.

Table 4 – Services and Roles

| Service and Purpose | Details | Roles marked (columns: Crypto Officer, Administrator, Device, NetUser) |
|---|---|---|
| Input of Keys | Network Join key; Firmware verification key | X |
| Create and manage Administrator user | Support up to 10 administrator users | X |
| Change password | Administrator change his own password only | X X |
| Load Firmware | Upload new firmware to the module | X X |
| Show system status | View traffic status and systems log excluding security audit log | X X |
| Key zeroization via reboot | | X X |
| View Audit Log | View security audit logs | X |
| Factory default | Delete all configurations and set device back to factory default state | X X |
| Sensor setting and other general configuration | | X X |
| Wireless data encryption & decryption | | X X |

Please note that the Crypto Officer should only load the NIST FIPS validated firmware as indicated in this document. Loading non-validated firmware will result in the module operating in non-validated mode.

The table below shows the services and their access rights to the Critical Security Parameters (CSPs).

Table 5 – CSPs and Access by Services

| Service and Purpose | CSPs | Access |
|---|---|---|
| Input of Keys | Network Join key; Firmware verification key | Write |
| Create and manage Administrator user | Administrator Password | Read and Write |
| Change password | CryptoOfficer, Administrator or NetUser password | Read and Write |
| Show system status | None | None |
| Key zeroization via reboot | All | Write |
| Factory default | Delete all configurations and set device back to factory default state | Write |
| Sensor setting and other general configuration | None | None |
| Wireless data encryption & decryption | | Execute |

3. Secure Operation and Security Rules

By factory default, the device is put in FIPS mode with NO security setting, and the radio is turned on but the network join key is not configured.

In order to operate the product securely, each operator shall be aware of the security rules enforced by the module and shall adhere to the physical security rules and secure operation rules detailed in this section.

3.1. Security Rules

The following product security rules must be followed by the operator in order to ensure secure operation:

1. The Crypto Officer shall not share any key or SRDI used by the product with any other operator or entity.
2. The Crypto Officer is responsible for inspecting the tamper-evident seals. Other signs of tampering include wrinkles, tears and marks on or around the label.
3. The Crypto Officer shall change the default password when configuring the product for the first time. The default password shall not be used. The module software also enforces the password change upon the Crypto Officer's first login.
4. The Crypto Officer shall log in to make sure the radio join key is configured and applied in the device.

3.2. Physical Security Tamper Evidence

The physical security provided is intended to meet FIPS 140-2 Level 2 physical security (i.e. tamper evidence). The tamper-evident tape is applied at the factory. The Crypto Officer should check the integrity of the tape when first using the crypto module and at one-year intervals thereafter. If he/she notices any damaged or missing seals, the Crypto Officer shall treat the device as no longer in FIPS mode of operation and shall power off the device.

The picture below shows the physical interface side of the 3e-543 enclosure with tamper-evident seals.

Figure 3 – 3e-543 with tamper seals

4. Operational Environment

This module uses an Energy Micro EFM32 processor with 3eTI embedded firmware.
The firmware version is 1.0.

5. Security Relevant Data Items

This section specifies the product's Security Relevant Data Items (SRDIs) as well as the product-enforced access control policy.

5.1. Cryptographic Algorithms

The product supports the following FIPS-approved cryptographic algorithms. The algorithms are listed below, along with their corresponding CAVP certificate numbers.

3e Technologies International Inc. Sensor Cryptographic Library Algorithm Implementation version 1.0

- AES: #2251
- SHS: SHA-1, SHA-256 #1939
- HMAC: SHA-1, SHA-256 #1379
- ECDSA verify with P256 curve #359

NIVIS Radio Hardware Encryption Engine

- AES (CCM, CMAC) #1611

5.2. Self-tests

POST (Power-On Self-Tests) is performed on each boot. A command to reboot the device is considered an on-demand self-test. The Crypto Officer can send the reboot command from the serial console GUI.

5.2.1 Power-on Self-tests

3eTI 543 Sensor Cryptographic Module power-on self-tests include known answer tests (KATs) for all algorithms listed above:

- AES CCM 128 encrypt KAT
- AES CCM 128 decrypt KAT
- SHA-1, SHA-256 KAT
- HMAC-SHA-1, HMAC-SHA-256 KAT

*ECDSA verification is supported by the module. There is no separate test for it since the integrity test meets the requirement.

NIVIS Radio Hardware Encryption Engine power-on self-tests:

- AES CCM 128 bit encrypt KAT
- AES CCM 128 bit decrypt KAT

Software Integrity Test:

- Firmware Integrity Test with ECDSA P256 curve verify
- Radio firmware Integrity Test with ECDSA P256 curve verify

The firmware integrity test is performed at POST (Power-On Self-Test) during module boot-up.

5.2.2 Conditional Self-tests

Whenever a firmware package (for the application processor) is uploaded through the GUI console over the USB port or over the air, the package integrity check is performed before the firmware can be updated. The firmware package is digitally signed with the 3eTI ECDSA private key and the crypto module performs ECDSA verify before accepting the firmware.
Whenever a radio firmware is uploaded, either through the GUI console or Over the Air (OTA), the radio firmware's integrity is checked via ECDSA before acceptance. Then the radio is rebooted with the newly updated firmware and all self-tests are performed again.

Whenever a key is input through the local USB console, double entries are required and the two entries are compared to make sure the contents are identical. In case of inconsistent key entries, the key input will be rejected.

5.3 Cryptographic Keys and SRDIs

The module contains the following security relevant data items:

Table 6 – SRDIs

| Keys/CSPs | Key/CSP Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Operator passwords | ASCII string | Input over serial console | Not output | Hashed value is stored in EEPROM | Zeroized when reset to factory settings. | Used to authenticate CryptoOfficer or Administrator User |
| Firmware verification key | ECDSA public key | Embedded in firmware at compile time. One additional key can be input through serial console | Not output | Plaintext in flash | N/A | Used for firmware digital signature verification |
| ISA 100.11a radio network join key | AES key (HEX string) | Updated value through serial console and stored in EEPROM | Not output | Plaintext in FLASH; Plaintext in Radio FLASH storage | Zeroized when firmware is upgraded or new value is input through local management console. | Used to communicate with ISA 100.11a Gateway and data packets encryption/decryption (AES_CCM) |
| HMAC Key | ASCII string, 4-64 chars | Input over serial console | Not output | Plaintext in flash | Zeroized when reset to factory settings or changed via console | Message authentication |
| Application Data Encryption Key | AES_CCM Key (HEX string) | Input over serial console | No output | Plaintext in flash | Zeroized when new value is input or at factory default | Used to encrypt the application level data |

6. Design Assurance

All source code and design documentation for this module are stored in the version control system CVS. The module is coded in C, with the module's components directly corresponding to the security policy's rules of operation. A Functional Specification is also provided.
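The manual key entry check described in section 5.2.2 (two entries, compared, rejected on mismatch), sketched in C as an added example; this is not 3eTI's firmware code. The function names, the 32-character hex format for a 128-bit key and the buffer wiping are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 16                    /* 128-bit key, e.g. the network join key */
#define KEY_HEX_LEN (2 * KEY_BYTES)

/* Decode one hex digit; returns -1 for any non-hex character. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse exactly KEY_HEX_LEN hex characters into out; 0 on success, -1 on bad input. */
static int parse_hex_key(const char *s, uint8_t out[KEY_BYTES])
{
    if (s == NULL || strlen(s) != (size_t)KEY_HEX_LEN) return -1;
    for (size_t i = 0; i < KEY_BYTES; i++) {
        int hi = hex_nibble(s[2 * i]), lo = hex_nibble(s[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Overwrite a buffer through a volatile pointer so the stores are not optimized away. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical manual key entry test: accept only if both entries decode to the
 * same 16 bytes. Returns 0 and fills key on success; -1 with key zeroed otherwise. */
int accept_manual_key(const char *entry1, const char *entry2, uint8_t key[KEY_BYTES])
{
    uint8_t a[KEY_BYTES] = {0}, b[KEY_BYTES] = {0};
    uint8_t diff = 0;
    int ok = parse_hex_key(entry1, a) == 0 && parse_hex_key(entry2, b) == 0;

    if (ok) {
        for (size_t i = 0; i < KEY_BYTES; i++) diff |= (uint8_t)(a[i] ^ b[i]); /* no early exit */
        ok = (diff == 0);
    }
    memset(key, 0, KEY_BYTES);
    if (ok) memcpy(key, a, KEY_BYTES);
    wipe(a, sizeof a);                  /* temporary copies never outlive the check */
    wipe(b, sizeof b);
    return ok ? 0 : -1;
}
```

Comparing the decoded bytes rather than the typed strings means entries that differ only in hex letter case are treated as identical contents.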