KEYW Corporation Suite B Cryptographic Module Cyber Security Division KXD002

Suite B Cryptographic Module v2.3.1
FIPS 140-2 Security Policy
Revision: 1.0

Prepared by:
KEYW Corporation
7740 Milestone Parkway, Suite 500
Hanover, MD 21076
443-733-1600 Phone
443-733-1601 Fax

Contents

Revision History
Abbreviations
1. Introduction
1.1. Identification
1.2. Overview
1.3. FIPS 140-2 Security Levels
2. Cryptographic Module Specification
2.1. Security Functions
2.2. Modes of Operation
2.3. Cryptographic Boundary
2.4. Determining Module Version
3. Cryptographic Module Ports and Interfaces
4. Roles, Services, and Authentication
4.1. Roles
4.2. Services
4.3. Authentication
5. Physical Security
6. Cryptographic Keys and Critical Security Parameters
6.1. Key Zeroization
7. Self-Tests
7.1. Invoking Self-Tests
7.2. Self-Tests Results
8. Mitigation of Other Attacks
9. Referenced Documents

Tables and Figures

Figure 1 – Module Message Encryption/Decryption Flow
Table 1 – Summary of Achieved FIPS 140-2 Security Levels
Table 2 – FIPS-Approved Security Functions
Figure 2 – Module Cryptographic Boundary
Table 3 – Module Ports and Interfaces
Figure 3 – Module I/O
Figure 4 – Module Cryptographic Boundary I/O
Table 4 – Module Services for Cryptographic Officer Role
Table 5 – Module Services for User Role
Table 6 – Module Authentication
Table 7 – Module Cryptographic Keys and Critical Security Parameters
Table 8 – Module Self-Tests
Table 9 – Module Self-Test Error Codes

Revision History

| Revision | Date | Author | Changes |
|---|---|---|---|
| 1.0 | July 11, 2014 | R. Glenn, D. Mackie, C. Constantinescu, D. Wolff, E. Hufford | Initial Release |

Abbreviations

AAD – Additional Authentication Data
AC – Alternating Current
AES – Advanced Encryption Standard
API – Application Programming Interface
BAS – BlackBerry Administration Service
BES – BlackBerry Enterprise Server
BIN – Binary
CA – Certification Authority
CAVP – Cryptographic Algorithm Validation Program
CSP – Critical Security Parameters
CVL – Component Validation List
DEP – Default Entry Point
DLL – Dynamic Link Library
EC – Elliptic Curve
ECC – Elliptic Curve Cryptography
ECDH – Elliptic Curve Diffie-Hellman
ECDSA – Elliptic Curve Digital Signature Algorithm
EMC – Electromagnetic Compatibility
EMI – Electromagnetic Interference
FFC – Finite Field Cryptography
FIPS – Federal Information Processing Standard
GCM – Galois/Counter Mode
HMAC – Keyed-hash Message Authentication Code
HRNG – Hardware Random Number Generator
I/O – Input/Output
IV – Initialization Vector
KAM – Key Agreement Manager
KAS – Key Agreement Scheme
KASVS – Key Agreement Schemes Validation System
KAT – Known Answer Test
KDF – Key Derivation Function
KEK – Key Encryption Key
LCD – Liquid Crystal Display
LED – Light Emitting Diode
MDS – Mobile Data System
MS – Mobile Set
NIST – National Institute of Standards and Technology
OS – Operating System
PKI – Public Key Infrastructure
PKV – Public Key Validation
PT – Plaintext
RBG – Random Bit Generator
S/MIME – Secure/Multipurpose Internet Mail Extensions
SHA – Secure Hash Algorithm
SSL – Secure Sockets Layer
TLS – Transport Layer Security
µSC – Micro Smart Card
USB – Universal Serial Bus
USSOCOM – United States Special Operations Command
VS – Validation Specification
XTS – XEX Tweakable Block Cipher with Ciphertext Stealing

1. Introduction

1.1. Identification

The following information identifies this document:
• Title: Suite B Cryptographic Module FIPS 140-2 Security Policy
• Version: 2.3.1

1.2. Overview

KEYW, in coordination with the United States Special Operations Command (USSOCOM), has developed a Suite B-compliant, standards-based, Federal Information Processing Standard (FIPS) 140-2 Level 1 certified Cryptographic Library that is utilized by the Suite B Cryptographic Module. The Suite B Cryptographic Module implements an AES/GCM-256 layer of encrypted communications between a BlackBerry Enterprise Server (BES) and a BlackBerry Mobile Set (MS) with Elliptic Curve (EC) key exchange used to negotiate symmetric keys, which is initiated by a Key Agreement Manager (KAM).

An “in-band” Elliptic Curve Diffie-Hellman (ECDH) Key Agreement Scheme (KAS) implementing the Full Unified Model, C(2, 2, ECC CDH) as described in National Institute of Standards and Technology (NIST) publication SP 800-56A (Reference [1]) is used by the Suite B Cryptographic Module as it provides an optimal encryption and keying solution on the BES and the BlackBerry MS. The in-band KAS solution integrates with existing BlackBerry Application Programming Interfaces (APIs), which include a C++ API for the BES and a Java API for the BlackBerry MS, and fits within the BES infrastructure, making it the simplest solution to manage.

Figure 1 – Module Message Encryption/Decryption Flow

The Suite B Cryptographic Module, hereafter referred to as the Module, operates as one of several layers of encryption within the BlackBerry infrastructure. The BlackBerry encryption is invoked automatically when the Module is instantiated, providing an additional layer of encryption and obfuscation above the Module.
Additional encryption at the application layer can be added by enabling S/MIME encryption on emails and SSL/TLS encryption on web traffic via the use of the BlackBerry S/MIME Support Package and the BlackBerry MDS Connection Service. All of these additional layers of encryption use FIPS 140-2 Level 1 certified cryptographic libraries, either from BlackBerry (FIPS 140-2 Validation Certificate #1669) on the BlackBerry MS or Microsoft (FIPS 140-2 Validation Certificate #1335) on the BES.

The Module has been developed to operate on Microsoft Windows Server 2008 with BES version 5.0 (Service Pack 3) or later and the BlackBerry Operating System (OS) version 7.0.0/7.1.0. The Module has been tested on Microsoft Windows Server 2008 with BES version 5.0 (Service Pack 3) and the BlackBerry OS version 7.0.0.

The Module has been developed in Microsoft Visual C++ 2010 for the BES portion of the solution and in Java BlackBerry OS 7.0.0 for the BlackBerry MS. The Module relies on the Cryptographic Library, which has been developed from the same source code base and performs the same cryptographic functions end-to-end.

The Module must be installed on the server hosting the BES and on the BlackBerry MS during initial provisioning. Once installed with the appropriate BES security policy, the Module cannot be removed from the BlackBerry MS without performing a complete wipe of the BlackBerry MS. The Module key exchange functions are managed from the BES by the KAM web application, which is developed by KEYW but does not perform any cryptographic functions, only the management of those functions.

The Module meets the requirements of the FIPS 140-2 Security Level 1 specification.
The Module Cryptographic Library provides the following cryptographic services:
• Data encryption and decryption
• Message digest and authentication code generation
• Digital signature verification
• Elliptic curve key agreement

The Module leverages Random Bit Generators (RBGs) from the FIPS 140-2 certified environments on which it runs based upon configuration.
• BlackBerry MS
  o BlackBerry RBG – FIPS 140-2 Level 1 (Certificates #132 and #133)
  o Supports FIPS 140-2 certified microSD Smart Card HRNG (Compatible with SafeNet microSD Smart Card 650 (µSC650) HRNG)
• BES
  o Microsoft Cryptographic Library RBG – FIPS 140-2 Level 1 (Certificates #23 and #27)
  o SafeNet Luna SA5 with Luna SA 7000 PCI card HRNG – FIPS 140-2 Level 3 (Certificate #998)

1.3. FIPS 140-2 Security Levels

The Module meets the overall requirements applicable to Level 1 security for FIPS 140-2 as shown in the table below:

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | N/A |
| Cryptographic Module Security Policy | 1 |

Table 1 – Summary of Achieved FIPS 140-2 Security Levels

2. Cryptographic Module Specification

2.1. Security Functions

The Module Cryptographic Library is software that implements the following FIPS-approved security functions:

| Algorithm | Description | CAVP Certificate No. |
|---|---|---|
| AES-128, AES-192, AES-256 | FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001, Natl. Inst. Stand. Technol. (Reference [3]) | #2603 |
| GCM | NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007, Natl. Inst. Stand. Technol. (Reference [4]) | #2603 |
| ECDSA | ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA). Per the NIST SP 800-131A transition: curve sizes less than P-224 shall not be used. (Reference [8]/[15]) | #448 |
| ECDH | ECDH Key Agreement Scheme (KAS) implementing the Full Unified Model, C(2, 2, ECC CDH) as described in NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Revision 1, March 2007, Natl. Inst. Stand. Technol. Per the NIST SP 800-131A transition: curve sizes less than P-224 shall not be used. (Reference [1]/[2]/[15]) | #98 and #259 (CVL Certificate Nos.) |
| SHA-1, 224, 256, 384, 512, 512/224, 512/256 | FIPS Publication 180-4, Secure Hash Standard (SHS), March 2012, Natl. Inst. Stand. Technol. (Reference [5]) | #2187 |
| HMAC-SHA-1, 224, 256, 384, 512, 512/224, 512/256 | FIPS Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008, Natl. Inst. Stand. Technol. (Reference [6]) | #1610 |
| XTS | NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices, January 2010, Natl. Inst. Stand. Technol. (Reference [7]) | #2603 |

Table 2 – FIPS-Approved Security Functions

2.2. Modes of Operation

The Module must be installed on the BES and the BlackBerry MS manually, and once installed the Module Cryptographic Library runs all algorithms in FIPS 140-2 compliant mode. There are no algorithms or “expanded” cryptographic modes within the Module that are not FIPS 140-2 compliant.

As mentioned in Section 1.2, the Module leverages RBGs from the FIPS 140-2 certified environments that shall be configured for FIPS mode.
• BlackBerry MS
  o Enable the Enforce FIPS Mode of Operation IT policy rule via the BAS to guarantee generating FIPS-validated random bytes for the ephemeral keys and initialization vectors
• BES
  o Enable the FIPS compliant algorithms mode via the Local Security Policy to guarantee generating FIPS-validated random bytes for the ephemeral keys, nonces and initialization vectors

2.3. Cryptographic Boundary

The physical boundary of the Module is the physical boundary of the BlackBerry MS or BES hardware device that executes the Module as shown in the following figure. Consequently, the embodiment of the Module is a multiple-chip standalone.

Figure 2 – Module Cryptographic Boundary

2.4. Determining Module Version

The operator can determine the version of the Module by performing the following steps:

On the BlackBerry MS:
1. On the BlackBerry MS Home screen, click the Options icon
2. Click Device > Application Management
3. The Applications screen displays the KEYWxcoder version as v2.3.1

On the BES:
1. On the BES, right-click the KEYWxcoder.dll file and click view Properties
2. Click Details tab
The File version property displays the KEYWxcoder version as v2.3.1

3. Cryptographic Module Ports and Interfaces

The Module ports correspond to the physical ports of the BlackBerry MS and BES executing the Module, and the Module interfaces correspond to the logical interfaces to the Module. The following table and figures describe the Module ports and interfaces.

| FIPS 140-2 Interface | Module Ports | Module Interfaces |
|---|---|---|
| Data Input | BlackBerry MS: All data traffic (email, contacts, calendars, web traffic, management traffic). Cellular Voice traffic is excluded. BES: All data traffic (email, contacts, calendars, web traffic, management traffic). Cellular Voice traffic is excluded. | Input parameters of Module function calls |
| Data Output | BlackBerry MS: All data traffic (email, contacts, calendars, web traffic, management traffic). Cellular Voice traffic is excluded. BES: All data traffic (email, contacts, calendars, web traffic, management traffic). Cellular Voice traffic is excluded. | Output parameters of Module function calls |
| Control Input | BlackBerry MS: Touch Screen, BlackBerry Buttons. BES: Keyboard, Mouse | Module function calls |
| Status Output | BlackBerry MS: LCD, LED. BES: BlackBerry Dispatcher Logs, KAM web application | Return codes of Module function calls |
| Power Input | BlackBerry MS: USB Port, Battery. BES: AC Power Supply | N/A |
| Maintenance | N/A | N/A |

Table 3 – Module Ports and Interfaces

Figure 3 – Module I/O

Figure 4 – Module Cryptographic Boundary I/O

4. Roles, Services, and Authentication

4.1. Roles

The Module supports user and cryptographic officer roles. The Module does not support a maintenance role. The Module does not support multiple or concurrent operators and is intended for use by a single operator, thus it always operates in a single-user mode of operation.

4.2. Services

The services described in the following tables are available to the operator roles:

Cryptographic Officer Role (BES/KAM)

| Service | Description | Input/Output |
|---|---|---|
| Start Transcoding | Performed by the KAM during BlackBerry MS provisioning, which initializes the Module and allows encryption and decryption of data traffic. The Module will continue Transcoding until the KAM performs Stop Transcoding or as a result of a fault in Key Exchange. | Input: The state of the Module BIN file for a BlackBerry MS is modified to Start Transcoding. |
| Stop Transcoding | Performed by the KAM or as a result of a fault in Key Exchange, which disallows Module encryption and decryption of data traffic. | Input: The state of the Module BIN file for a BlackBerry MS is modified to Stop Transcoding. |
| Key Exchange | Initiated by the KAM on a schedule and/or manually and also by a custom email message from an email server, which performs key agreement between the BES and a BlackBerry MS using ECDH to negotiate new symmetric keys for data traffic encryption and decryption. | Input: The state of the Module BIN file for a BlackBerry MS is modified to perform Key Exchange. |
| View Status | The Module status for a BlackBerry MS is displayed by the KAM. The Module status for the BES is displayed by Windows Services via the BlackBerry Dispatcher service in the Status column. The BlackBerry Dispatcher service can be started, stopped or re-started via Windows Services. | Output: The state of the Module BIN file for a BlackBerry MS determines status. The running state of the Module for the BES determines status. |
| Zeroize | Performed by the BlackBerry “Wipe Handheld” or “Security Wipe” function via the BES, which remotely erases all user data, certificates and keys on a BlackBerry MS. The KAM can also delete the Module BIN file for a BlackBerry MS, which erases the keying material on the BES for that BlackBerry MS. | Input: BlackBerry Encrypted Key Store is erased and BIN file is deleted. |

Table 4 – Module Services for Cryptographic Officer Role

User Role (BlackBerry MS)

| Service | Description | Input/Output |
|---|---|---|
| View Status | Displayed in the BlackBerry notification area and BlackBerry MS logs. | Output: The state of the status flag determines status. |
| Encrypt Data Traffic | Encrypts all data traffic that is sent from the BlackBerry MS or BES with a symmetric key that was negotiated during Key Exchange. | Output: Plaintext data is encrypted into ciphertext. |
| Decrypt Data Traffic | Decrypts all data traffic that is received by the BlackBerry MS or BES with a symmetric key that was negotiated during Key Exchange. | Input: Ciphertext data is decrypted into plaintext. |
| Zeroize | Performed by the BlackBerry “Wipe Handheld” or “Security Wipe” function on the BlackBerry MS, which erases all user data, certificates and keys on that BlackBerry MS. | Input: BlackBerry Encrypted Key Store is erased. |

Table 5 – Module Services for User Role

4.3. Authentication

The Module does not support operator authentication. Roles are implicitly selected based on the service performed by the operator.

| Role | Type of Authentication | Authentication Data |
|---|---|---|
| Cryptographic Officer (BES/KAM) | Module: None. BES: Keyboard Login | Module: None. BES: Username and Password as required by IT Policy |
| User (BlackBerry MS) | Module: None. BlackBerry MS: Keyboard Login | Module: None. BlackBerry MS: User PIN or Password as required by IT Policy |

Table 6 – Module Authentication

5. Physical Security

The Module is implemented entirely in software, thus it is not subject to the FIPS 140-2 Physical Security requirements. The BES that executes the Module is located on production grade equipment within the backend network infrastructure and is expected to be secure by best practices. Similarly, on the BlackBerry MS, physical security is provided as a basic requirement for BlackBerry production-grade components that host the Module.

6. Cryptographic Keys and Critical Security Parameters

The following table describes the cryptographic keys, key components and Critical Security Parameters (CSPs) utilized exclusively by the Module.
Key/CSP: HMAC Integrity Check Key. Used for Software Integrity Checksum.
• Type(s) of Access: Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: Generated (using a KEYW proprietary method) during each Module registration. A new key is generated after each build.
• Storage: HMAC key not stored, only briefly generated (in RAM) during Module registration
• Destruction: Destroyed (zeroized) immediately after each Module registration

Key/CSP: ECDH Key Establishment Keys. The BES and each BlackBerry MS are acting as independent entities within a PKI framework and use approved methods of (traffic) key establishment.
• Type(s) of Access: User Role (BlackBerry MS): Read & Write. Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: When executing a key agreement scheme, each side imports its own PKI static key pair (private and public keys) and imports the other side’s public key, accessing PKI Certificates issued (and signed) by a Certification Authority (CA). Additionally, each side outputs internally a Private Ephemeral key and then outputs the corresponding Public Ephemeral key to the other side.
• Storage: BlackBerry MS: BlackBerry Encrypted Key Store. BES: since retrieving static keys from PKI Certificates is repetitive and time consuming, the static keys are cached (and KEK-encrypted) in the BIN files in order to expedite subsequent key exchanges
• Destruction: BlackBerry MS: Erased on “Wipe Handheld” or “Security Wipe” command. BES: Delete BIN file

Key/CSP: XTS-AES Keys. Serve as Key Encryption Keys (KEKs) to protect (encrypt) the contents of BIN files on the BES.
• Type(s) of Access: Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: Generated (using a KEYW proprietary method) each time CSPs are accessed and/or updated on a BIN file. Each BIN file has its own KEK.
• Storage: XTS-AES keys not stored, only briefly generated (in RAM) during CSPs access
• Destruction: Destroyed (zeroized) immediately after each usage
Key/CSP: AES (Traffic) Keys. Symmetric keys used for encryption and decryption of traffic packets. Distinct keys are used for incoming and outgoing traffic.
• Type(s) of Access: User Role (BlackBerry MS): Read & Write. Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: Negotiated after a BES-initiated Key Agreement process, using an approved ECDH scheme.
• Storage: BlackBerry MS: BlackBerry Encrypted Key Store. BES: BIN files on server protected by KEKs
• Destruction: BlackBerry MS: Erased on “Wipe Handheld” or “Security Wipe” command. BES: traffic keys not archived; existing keys discarded and substituted by newly negotiated keys

Key/CSP: GCM IVs and Tags. Used during GCM authenticated encryption of traffic packets.
• Type(s) of Access: User Role (BlackBerry MS): Read & Write. Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: BlackBerry MS: IV provided by RBG on MS before packet encryption, GCM authentication Tag computed after packet encryption. BES: IV provided by RBG on BES before packet encryption, GCM authentication Tag computed after packet encryption
• Storage: BlackBerry MS: IVs and Tags not stored, only briefly generated (in RAM) during packet transmission. BES: IVs and Tags not stored, only briefly generated (in RAM) during packet transmission
• Destruction: BlackBerry MS: Erased after transmission of outgoing packets and reception/verification of incoming packets. BES: Erased after transmission of outgoing packets and reception/verification of incoming packets

Key/CSP: HMAC Keys. Used during HMAC-SHA-1, 256, 384, 512 operations executed during the Key Confirmation phase of key exchange.
• Type(s) of Access: User Role (BlackBerry MS): Read & Write. Cryptographic Officer Role (BES/KAM): Read & Write
• Input/Output: BlackBerry MS: Split from the front part of the Derived Key Material built during key exchange. BES: Split from the front part of the Derived Key Material built during key exchange
• Storage: BlackBerry MS: HMAC keys not stored, only briefly generated (in RAM) during key exchange. BES: HMAC keys not stored, only briefly generated (in RAM) during key exchange
• Destruction: BlackBerry MS: Erased after the Key Confirmation phase of key exchange is completed. BES: Erased after the Key Confirmation phase of key exchange is completed

Table 7 – Module Cryptographic Keys and Critical Security Parameters

6.1. Key Zeroization

The Module leverages the built-in BlackBerry security solution to ensure algorithmic keys and key components are protected. Similarly, data removal, and specifically key removal via zeroization, is an integral part of the BlackBerry security solution. A user can request a zeroization at any time by navigating to Options and selecting “Wipe Handheld” or “Security Wipe” on the BlackBerry MS, which erases all user data, certificates and keys on that BlackBerry MS. The BES administrator may also zeroize the BlackBerry MS remotely via the “Wipe Handheld” or “Security Wipe” command through the BlackBerry Administration Service (BAS) interface on the BES.

Furthermore, new symmetric keys for data traffic encryption and decryption can be negotiated using ECDH via the KAM as frequently as possible by schedule and/or manually and also by a custom email message from an email server. The KAM can also delete the Module BIN file for each individual BlackBerry MS, which erases the keying material on the BES for that BlackBerry MS.

7. Self-Tests

The Module implements a series of self-tests that are described in the following table:

Test: Software Integrity
Description: The BES validates the software integrity during registration of the Module DLL file on the BES on power-up. The integrity check is a two-step process consisting of an HMAC verification (based on the NIST-approved HMAC-160 algorithm), applied to the whole Module DLL image processed as a binary data file.
In the first step, the 160-bit (20-byte) HMAC key for the HMAC verification is derived (in a KEYW proprietary manner) from several build- specific data fields including the current version string and build date. This HMAC key customization is aimed at preventing malicious Module DLL rebuilds and authenticating the original build only. In the second step, the 160-bit HMAC key is used to perform an HMAC- 160 integrity check of the whole Module DLL image. This computation produces a 160-bit checksum that is compared against a hexadecimal value pre-stored in the KEYWxcoder.ini file. The BlackBerry MS validates the software integrity during registration of the Module COD file on a BlackBerry MS on power-up, which is only allowed if the BES has deployed the Security Transcoder Cod File Hashes IT policy rule and the Primary Transcoder IT policy rule (only applicable for BES 5.0 SP4 or later and BlackBerry OS 7.1.0.9 or later) via IT Policy to the BlackBerry MS, which contains the SHA-1 hash of the Module COD file. GCM Exercises a set of Known Answer Tests (KATs) extracted from the GCM Encrypt/Decrypt test vectors published by NIST in the GCMVS specification (Reference [9]) on all three GCM encryption modes corresponding to AES key sizes of 128, 192 and 256 bits featuring the largest combinations of PT, IV and AAD. SHA Exercises a set of Known Answer Tests (KATs) extracted from the SHA test vectors published by NIST in the SHAVS specification (Reference [10]) on all SHA versions specified in FIPS Publication 180-4 including the new SHA-512/224 and SHA-512/256 featuring mixed hash/digest size combinations with the longest input data. The comprehensive SHA KATs implicitly provide assurance about the validity of the Key Derivation Function (KDF) employed by the ECDH Key Agreement Scheme (as recommended in NIST SP 800-56A - Reference [1], a SHA-based concatenation KDF is being used). 
HMAC Exercises a set of Known Answer Tests (KATs) extracted from the HMAC test vectors published by NIST in the HMACVS specification (Reference [11]) featuring the largest combinations of key and tag sizes covering all versions of the underlying hashing algorithm (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256). The comprehensive HMAC KATs implicitly provide assurance about the validity of the Bilateral Key Confirmation method employed by the ECDH Key Agreement Scheme (Reference [1], Section 8.4). Page 21 of 25 KEYW Corporation Suite B Cryptographic Module Cyber Security Division KXD002 ECDSA KeyPair/PKV Exercises a set of Known Answer Tests (KATs) adapted from the ECDSA KeyPair (private/public key verification) and PKV (Public Key Validation) test vectors published by NIST in the ECDSA2VS specification (Reference [14]) covering each version of the underlying prime-field EC (P-192, P- 224, P-256, P-384 and P-521). The ECDSA KeyPair tests include multiple KAT verifications of ECC point multiplication, which is the ECC primitive used for shared-secret (“Z”) computation by the ECDH Key Agreement Scheme. Key Agreement Exercises a set of Known Answer Tests (KATs) adapted from the ECDH Scheme (KAS) test vectors published by NIST in the KASVS specification (Reference [12]) featuring the Full Unified model of ECDH covering each version of the underlying prime-field EC (P-192, P-224, P-256, P-384 and P-521). Each test run includes both Initiator-side and Responder-side functions. Every invocation of the Key Agreement Scheme involves (within the BES and BlackBerry MS class constructors) a verification of the arithmetic validity of the selected set of ECC domain parameters (Reference [1], Section 5.5.2). 
The KAS implementation provides built-in assurance (verification) of the arithmetic validity of a public key by performing a full ECC public key validation each time such a key is used: each side verifies both its own and the opposite side’s static public keys, and each side verifies the opposite side’s ephemeral public key (Reference [1], Section 5.6.2). Also, during key agreement, each side renews its assurance of possessing the correct private key by using the Key Regeneration method (Reference [1], Section 5.6.3), while the ephemeral (generated) private key is subjected to the constraints specified in Reference [1], Section 5.6.1.2.

The underlying cryptographic algorithms used during ECDH key agreement are fully validated via individual power-on self-tests:
• ECC point multiplication is validated via ECDSA KeyPair KATs
• The Key Derivation Function is validated via SHA KATs
• The Key Confirmation function is validated via HMAC KATs

XTS Encrypt/Decrypt: Exercises a set of Known Answer Tests (KATs) extracted from the XTS test vectors published by NIST in the XTSVS specification (Reference [13]). Both formats specified for the tweak value input (128-bit hexadecimal string or 64-bit Data Unit Sequence Number) are tested with various non-trivial Data Unit bit sizes in encrypt and decrypt mode.

Table 8 – Module Self-Tests

7.1. Invoking Self-Tests

The operator can invoke the power-on self-tests on the BlackBerry MS by hard resetting the BlackBerry MS (soft resetting the BlackBerry MS will not invoke power-on self-tests). At power-on the BlackBerry OS executes the Module’s Default Entry Point (DEP) automatically, which invokes the self-tests listed in Table 8 and does not require operator intervention.
    public static void main(String[] args) // Default Entry Point (DEP)

The operator can invoke the power-on self-tests on the BES by restarting the BlackBerry Dispatcher service via Windows Services. At power-on the BlackBerry Dispatcher service executes the Module’s DEP automatically, which invokes the self-tests listed in Table 8 and does not require operator intervention.

    int __cdecl LoadDLL() // Default Entry Point (DEP)

If the Software Integrity self-test fails the Module will not load and an error is logged. If the KAT self-tests fail the Module will prohibit any subsequent cryptographic operations and an error is logged. Subsequent self-tests on both the BES and BlackBerry MS exercise all Suite B cryptographic algorithms used by the Module, either via regular traffic encryption/decryption or during key exchange. The Module does not rely on any other external service to initiate the power-on self-tests.

7.2. Self-Tests Results

Upon successful self-test completion, the Module will complete its initialization and transition to normal operational state. In the event of a self-test failure, the Module will enter an error state and a specific error code will be returned indicating which self-test has failed. The Module will not provide any cryptographic services while in this state.

| Self-Test | Possible Error Code |
|---|---|
| Software Integrity Checksum | 444 |
| GCM Encrypt | 2100 + Test Count |
| GCM Decrypt | 2200 + Test Count |
| SHA | 2300 + Test Count |
| HMAC | 2400 + Test Count |
| ECDSA Key | 2800 + Test Count |
| KAS | 2500 + Test Count (combined indicator of the EC type and failing sub-test) |
| XTS Encrypt | 2600 + Test Count |
| XTS Decrypt | 2700 + Test Count |

Table 9 – Module Self-Test Error Codes

8. Mitigation of Other Attacks

The Module has not been designed to mitigate any specific attacks outside the scope of the FIPS 140-2 requirements.
The Module resides within the FIPS 140-2 BlackBerry Cryptographic Kernel operating environment, which provides an additional layer of protection against attacks on the Module.

Furthermore, any concerns related to the recently discovered (April 2014) bug in some TLS implementations, publicized as the “heartbleed bug” and referenced as CVE-2014-0160 in the National Vulnerability Database, are not applicable to the Module implementation. This is because the Module, either during validation testing or regular operation, does not employ any services, nor does it import any software components, pertaining to affected OpenSSL implementations.

9. Referenced Documents

[1] NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Revision 1, March 2007, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
[2] NIST SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision), August 2012, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf
[3] FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[4] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[5] FIPS Publication 180-4, Secure Hash Standard (SHS), March 2012, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[6] FIPS Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[7] NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices, January 2010, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
[8] ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), November 2005
[9] The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS), National Institute of Standards and Technology, Updated: August 30, 2012, [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf
[10] The Secure Hash Algorithm Validation System (SHAVS), Updated: July 23, 2012, National Institute of Standards and Technology, [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
[11] The Keyed-Hash Message Authentication Code Validation System (HMACVS), Updated: July 23, 2012, National Institute of Standards and Technology, [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/HMACVS.pdf
[12] The Key Agreement Schemes Validation System (KASVS), Updated September 2011, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASVS.pdf
[13] The XTS-AES Validation System (XTSVS), Updated: March 2, 2011, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf
[14] The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS), Updated: January 9, 2013, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/dss2/ecdsa2vs.pdf
[15] NIST SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011, Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
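The two-step Software Integrity check described in the self-test table, shown from both the build side and the load side as an added example that is not KEYW's code. The key derivation here is a stand-in (the real one is proprietary), HMAC-160 is assumed to be HMAC-SHA-1, and the ini section/key names, function names and sample image are hypothetical.

```python
import configparser
import hashlib
import hmac

INTEGRITY_ERROR = 444  # Software Integrity code from Table 9
SAMPLE_IMAGE = b"MZ" + bytes(range(64))  # constructed stand-in for a DLL image


def derive_key(version, build_date):
    """Step 1 stand-in: a 20-byte key bound to the build's version string
    and build date (assumed method; the real derivation is proprietary)."""
    return hashlib.sha1(f"{version}|{build_date}".encode()).digest()


def checksum(image, version, build_date):
    """Step 2: 160-bit HMAC over the whole image (HMAC-SHA-1 assumed)."""
    key = derive_key(version, build_date)
    return hmac.new(key, image, hashlib.sha1).hexdigest()


def stamp_ini(image, version, build_date):
    """Build side: ini text holding the expected checksum as hex."""
    return f"[Integrity]\nChecksum = {checksum(image, version, build_date)}\n"


def load_module(image, version, build_date, ini_text):
    """Load side: return 0 if the image matches, else the integrity code."""
    cfg = configparser.ConfigParser()
    try:
        cfg.read_string(ini_text)
        stored = cfg["Integrity"]["Checksum"].strip().lower()
    except (configparser.Error, KeyError):
        return INTEGRITY_ERROR  # missing or malformed value fails closed
    computed = checksum(image, version, build_date)
    # Constant-time comparison of the two hex strings.
    if hmac.compare_digest(computed.encode(), stored.encode()):
        return 0
    return INTEGRITY_ERROR
```

Because the key is bound to the build fields, an image whose bytes are unchanged but whose version string or build date differs still fails the comparison.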
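The power-on KAT behaviour of Sections 7.1 and 7.2 (run the tests, return a Table 9 style error code, refuse services in the error state), as an added example that is not the Module's code. It assumes Test Count is the 1-based index of the failing vector, uses widely published SHA and HMAC vectors rather than the Module's own KAT set, and the `Module` class and function names are hypothetical.

```python
import hashlib
import hmac

# Error-code bases from Table 9; the failing test's count is added (1-based
# counting is an assumption, the page does not say).
SHA_BASE, HMAC_BASE = 2300, 2400

# Constructed KAT tables from public vectors ("abc" digests; HMAC test case 1
# of RFC 2202 / RFC 4231), not the Module's own vectors.
SHA_KATS = [
    ("sha1", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]
HMAC_KATS = [
    ("sha1", b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("sha256", b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kats(sha_kats=SHA_KATS, hmac_kats=HMAC_KATS):
    """Return 0 on success, else base + count of the first failing KAT."""
    for count, (alg, msg, want) in enumerate(sha_kats, start=1):
        if hashlib.new(alg, msg).hexdigest() != want:
            return SHA_BASE + count
    for count, (alg, key, msg, want) in enumerate(hmac_kats, start=1):
        if hmac.new(key, msg, alg).hexdigest() != want:
            return HMAC_BASE + count
    return 0


class Module:
    """Hypothetical wrapper: services are refused while in the error state."""

    def __init__(self, sha_kats=SHA_KATS, hmac_kats=HMAC_KATS):
        self.error_code = run_kats(sha_kats, hmac_kats)  # power-on self-test

    def hmac_sha256(self, key, msg):
        if self.error_code:
            raise RuntimeError(f"self-test failed, error {self.error_code}")
        return hmac.new(key, msg, "sha256").digest()
```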