FIPS 140-2 Security Policy
Ultra Electronics DNE Technologies PacketAssure iQ1000
50 Barnes Park North, Wallingford, CT 06492
October 9, 2014
Document Version 3.11
Firmware Version 3.2.0
Chassis V.003
PSM V.101

Non-proprietary security policy. This document may be freely distributed in its entirety without modification.
Page 1 of 25

Table of Contents

1. Module Specification
  1.1. Module Description
  1.2. Purpose
  1.3. Security level
  1.4. References
  1.5. Glossary
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
  3.1. Roles
    Unauthenticated Services
    Non-Approved Mode Services
    User Role Services (Approved Mode)
    Crypto-officer Role Services (Approved Mode)
  3.2. Authentication Mechanisms and Strength
4. Finite State Model
5. Physical Security
  5.1. Enclosure
  5.2. Tamper Evidence
  5.3. Physical Security Rules
  5.4. Secure Operation Initialization Rules
6. Operational Environment
7. Definition of SRDIs Modes of Access
  7.1. Cryptographic Keys, CSPs, and SRDIs
  7.2. Access Control Policy
8. Electromagnetic Interface/Electromagnetic Compatibility
9. Self Tests
  9.1. Power-Up Self Tests
  9.2. Conditional Self tests
10. Mitigation of Other Attacks

List of Figures

Figure 1 PacketAssure iQ1000, IOM Side
Figure 2 Cryptographic Boundary
Figure 3 Tamper Evidence Seal Locations

List of Tables

Table 1 Items Excluded from Cryptographic Boundary
Table 2 Security Levels
Table 3 Ports and Interfaces
Table 4 Unauthenticated Services
Table 5 Non-Approved Services
Table 6 User Roles
Table 7 Crypto-officer Role
Table 8 Approved Cryptographic Algorithms
Table 9 Non-Approved Cryptographic Algorithms
Table 10 Key, CSPs and SRDIs
Table 11 SRDI Access
FIPS 140-2 Security Policy
Ultra Electronics DNE Technologies PacketAssure iQ1000
Firmware Version 3.2 (Freescale PowerQUICC II Pro)
Chassis V.003
PSM V.101

1. Module Specification

1.1. Module Description

The Ultra Electronics DNE Technologies PacketAssure iQ1000, see Figure 1, is a rugged, one 19" rack unit Service Delivery Management (SDM) appliance. It integrates adaptation of legacy circuit-based traffic with high-performance layer-2 IP switching and intelligent IP quality of service to precisely classify and manage voice, video and data services. The PacketAssure iQ1000 provides the following features:

- High-performance, intelligent traffic management assures that application delivery meets service objectives.
- Robust VLAN awareness and capabilities for traffic segregation and broadcast domain control.
- Multi-layer traffic classification gives administrators consistent, end-to-end control of service priority.
- A customized web user interface that improves operator efficiency and reduces training costs.
- A full Command Line Interface (CLI).

Figure 1 PacketAssure iQ1000, IOM Side

The iQ1000 is modular, with a basic system configuration consisting of the chassis, power supply, Packet Switching Module (PSM), System Interface Module (SIM), Fan Module and Filter Module. The PSM provides all packet switching, service delivery management, configuration/status and cryptographic functions. The SIM provides Ethernet and Serial local user interfaces and a network timing input. Up to three Interface Option Modules (IOMs) complete the appliance, providing Serial, Ethernet and T1/E1 data interfaces. No Data I/O cards, including the SIM, need be installed for the cryptographic module to operate. However, in order to locally manage the device, a SIM card must be installed. For remote management at least one IOM must be installed.

The iQ supports both a FIPS 140-2 Approved mode of operation and a non-Approved mode of operation. All security functions and cryptographic algorithms are performed in Approved mode. If the iQ cannot run in the FIPS Approved mode because a FIPS self-test failed, the unit faults and all operations are halted.

The iQ supports SSH, TLS, and SNMP. By IG D.8 Scenario 4, these protocols are allowed to be used in the FIPS Approved mode, but are non-compliant.

The module also incorporates a security log which records user authentication and other security events. These include user login (successful or unsuccessful), user logout, configuration changes and system file changes.

The iQ1000 satisfies FIPS 140-2 Level 2 requirements for multiple-chip standalone modules.

Figure 2 shows a functional block diagram of the iQ1000 looking down from the top, as if looking through the top cover. All cryptographic functions are contained within the PSM. The cryptographic boundary, delineated in red, consists of the chassis, the top cover, the front panel of the PSM and the mid-plane. Tamper evidence seals, described in section 5.2, indicate when the removable cover or removable PSM have been disturbed. Louvers inside the chassis allow cooling airflow through the unit and satisfy FIPS opacity requirements. The louvers prevent viewing crypto module components on the PSM through the ventilation holes and fans. On the opposite side the louvers prevent viewing PSM components when the filter is removed, as must be allowed for maintenance. All IOMs, the SIM, the fan tray and the power supply are outside the cryptographic boundary.

Item | Rationale for Exclusion
Power Supply | No security relevance. Hot-swappable.
Fan Module | No security relevance. Hot-swappable.
Interface Option Modules | No security relevance. Hot-swappable.
System Interface Module | No security relevance. Removable.
Filter Module | No security relevance.
Table 1 Items Excluded from Cryptographic Boundary

Figure 2 Cryptographic Boundary (block diagram, not reproduced here: a top-down view of the chassis showing the Packet Switching Module (PSM) with its host processor, data plane and control plane; the System Interface Module (SIM) with its 10/100M Ethernet and Serial management console ports; Interface Option Module (IOM) slots 1 to 3; the Fan Module, Power Supply and Filter Module; and their 1G Ethernet (SerDes), 10/100M Ethernet and I2C control connections. Dimensions marked in the diagram: 17.25", 14.75" and 6".)

The module is 1.75" in height (not shown in this diagram).

1.2. Purpose

This Cryptographic Module Security Policy describes how the cryptographic module in the iQ1000, referred to as the "Module" in the remainder of this document, meets the requirements of FIPS 140-2 Level 2, and how to operate the Module in a secure, FIPS-compliant manner. Only features and operation associated with FIPS 140 cryptographic security are presented. Complete product documentation, including installation and operations manuals, can be downloaded at http://www.ultra-dne.com/.

The complete FIPS 140-2 submission package consists of:

- Security Policy
- Vendor Evidence
- Finite State Model

This document is non-proprietary and may be distributed without restriction, while all other documents are proprietary to Ultra Electronics DNE Technologies and only available under Non-Disclosure Agreement (NDA). For access to these documents contact Ultra Electronics DNE Technologies.

1.3. Security level

The module meets the overall requirements applicable to Level 2 security of FIPS 140-2.

Security Requirements Specification | Level
Cryptographic Module Specification | 2
Module Ports and Interfaces | 2
Roles, Services, and Authentication | 3
Finite State Model | 2
Physical Security | 2
Operational Environment | N/A
Cryptographic Key Management | 2
EMI/EMC | 2
Self-Tests | 2
Design Assurance | 2
Mitigation of Other Attacks | N/A
Table 2 Security Levels

1.4. References

Title | Document File Name
OpenSSL FIPS Object Module Version 1.2.3, Open Source Software Institute, 5/3/2011 | SecurityPolicy-1.2.3.pdf
PacketAssure iQ1000 Product Documentation | http://www.ultra-dne.com/

1.5. Glossary

Term/Acronym | Description
BIST | Built In Self Test
BOM | Bill Of Materials
CLI | Command Line Interface
Enet | Ethernet
IC | Integrated Circuit
ICD | Interface Control Document
IOM | Interface Option Module
PSM | Packet Switching Module
POST | Power On Self Test
SDA | Service Delivery Appliance
SerDes | Serializer/Deserializer
SIM | System Interface Module

2. Cryptographic Module Ports and Interfaces

Table 3 below illustrates the logical-to-physical mapping of interfaces contained inside the cryptographic boundary of the module. Logical mapping is accomplished using the four FIPS 140-2 defined logical interfaces.
Logical Interfaces | Physical Interface | Count
Control Input Interface, Status Output Interface, Data Input Interface, Data Output Interface | 1G Ethernet Ports (Serdes) | 18
Control Input Interface, Status Output Interface, Data Input Interface, Data Output Interface | 10/100M Ethernet Management Port | 1
Control Input Interface, Status Output Interface | Serial Management Port | 1
Status Output Interface | Power LED | 1
Status Output Interface | Alarm LED | 1
Power Interface | Power (2 switches, 1 power cord) | 2
Table 3 Ports and Interfaces

3. Roles, Services, and Authentication

Each user assigned to a role can be distinguished by identity and is authenticated upon initial access to the module. The module implements three separate roles, of which two are User Roles and one is the Crypto-officer Role. The Administrator (admin) of the iQ1000 takes on the Crypto-officer Role and configures and maintains the module.

3.1. Roles

The module maintains the following three roles: admin, config and oper. The oper and config roles can be considered user roles, with the config role having read-write privileges and the oper role having read-only privileges. The admin role is equivalent to the Crypto Officer role defined in the FIPS DTR.

Unauthenticated Services

All services require authentication with the exception of those listed in Table 4. The Table 4 services can only be performed from the Serial Management Interface.

Service | Input | Output | Description
Bootloader factory default | factory-reset command | Command result | Return module to its factory default state.
Bootloader switch code banks | switch command | Command result | Two versions of application code can be stored, one in each bank of memory. Users can select which version to boot from.
Power on/off | NA | NA | Power the module on or off.
Table 4 Unauthenticated Services

Non-Approved Mode Services

Non-Approved services can be performed from the Serial Management Interface, the Ethernet Management Interface, or the 1GB Ethernet Interface (Inband Management).

Service | Input | Output | Description
Configuration and status services using SNMP | Module configuration input; Module status | Success or error messages; The module information or error message | Status of the iQ via SNMP (SNMP gets only) using non-Approved key strengths <112 bits. Any use of AES or Triple-DES with these key strengths is non-Approved.
Configuration and status services using HTTPS (TLS) | Module configuration input; Module status | Success or error messages; The module information or error message | Status of the iQ via HTTPS (TLS). Uses RSA key wrapping with public keys <2048 bits with key strengths <112 bits. Any use of AES or Triple-DES with keys established in this manner is non-Approved.
Configuration and status services using SSH | Module configuration input; Module status | Success or error messages; The module information or error message | Status of the iQ via SSH. Uses Diffie-Hellman with keys <2048 bits with key strengths <112 bits. Any use of AES or Triple-DES with keys established in this manner is non-Approved.
Table 5 Non-Approved Services

User Role Services (Approved Mode)

The User Role services can be performed from the Serial Management Interface, the Ethernet Management Interface, or the 1GB Ethernet Interface (Inband Management).

Service | Input | Output | Description
Secure configuration and status services using SNMP | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via SNMP (SNMP gets only) using Approved key strengths >=112 bits. Any use of AES or Triple-DES with these keys is Approved. Note 1
Secure configuration and status services using HTTPS (TLS) | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via HTTPS (TLS). Uses RSA key wrapping with public keys >=2048 bits with >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
Secure configuration and status services using SSH | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via SSH. Uses Diffie-Hellman with keys >=2048 bits with >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
Change password | Old and new passwords | Success or error message | Users may change their own passwords only.
Configure interfaces | Interface parameters | Success or error message | Configure Serial/Ethernet/TE1 physical interfaces.
Configure services | Service parameters | Success or error message | Configure CES & Ethernet services.
Configure system timing | Timing parameters | Success or error message | Configure system timing sources.
View iQ1000 module information | Select the type of information to view | The module information or error message | Status functions: view status of module, temperature, memory status, CPU utilization status; view physical interfaces status, packet statistics, services status; review system logs.
Table 6 User Roles

Note 1 - SSH, TLS and SNMP protocols and KDFs are allowed to be used in FIPS Approved mode.

Crypto-officer Role Services (Approved Mode)

The Crypto-Officer Role services can be performed from the Serial Management Interface, the Ethernet Management Interface, or the 1GB Ethernet Interface (Inband Management).

Service | Input | Output | Description
Factory reset of module | factory-reset command | Success or error message | Delete all configuration data and restore the factory default settings.
System security management using SNMP | Security parameters | Success or error message | Configure security and management preferences. Configure SNMP trap listeners. Uses key strengths >=112 bits. Any use of AES or Triple-DES with these keys is Approved. Note 1
System security management using HTTPS (TLS) | Security parameters | Success or error message | Remote access to the module via HTTPS (TLS). Configure in-band and out-band interfaces. Configure IPv4 and IPv6 routes. Uses RSA key wrapping with public keys >=2048 bits and >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
System security management using SSH | Security parameters | Success or error message | Remote access to the module via SSH. Configure in-band and out-band interfaces. Configure IPv4 and IPv6 routes. Uses Diffie-Hellman with keys >=2048 bits and >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
User management | User parameters | Success or error message | Add/Delete/Modify users. Change passwords and roles for the existing users.
Perform Self Tests | Select tests | Success or error message | Perform SHA-256 sum file integrity verification test.
Configure secure server | Server parameters | Success or error message | Configure secure server used for file transfer.
Reboot module | Reboot command | Success or error message | Reboot iQ1000 module to initiate the power-up self test on demand.
Software upgrade service | Software package | Success or error message | Perform the software upgrade process.
Switch banks | Switch command | Success or error message | Switch the flash bank.
Secure configuration and status services using SNMP | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via SNMP (SNMP gets only) using Approved key strengths >=112 bits. Any use of AES or Triple-DES with these keys is Approved. Note 1
Secure configuration and status services using HTTPS (TLS) | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via HTTPS (TLS). Uses RSA key wrapping with public keys >=2048 bits with >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
Secure configuration and status services using SSH | Module configuration input; Module status | Success or error messages; The module information or error message | Configuration and status of the iQ via SSH. Uses Diffie-Hellman with keys >=2048 bits with >=112 bits of security strength. Any use of AES or Triple-DES with keys established in this manner is Approved. Note 1
Configure interfaces | Interface parameters | Success or error message | Configure Serial/Ethernet/TE1 physical interfaces.
Configure services | Service parameters | Success or error message | Configure CES & Ethernet services.
Configure system timing | Timing parameters | Success or error message | Configure system timing sources.
Set system date and time | Date and time | Success or error message | Set system date & time.
View iQ1000 module information | Select the type of information to view | The module information or error message | Status functions: view status of module, temperature, memory status, CPU utilization status; view physical interfaces status, routing tables, packet statistics, services status; view active sessions; review system logs.
Table 7 Crypto-officer Role

Note 1 - SSH, TLS and SNMP protocols and KDFs are allowed to be used in FIPS Approved mode.

3.2. Authentication Mechanisms and Strength

Access control restrictions for Data Paths, Action Paths, and CLI commands will be defined for all privilege groups. These restrictions will be implemented by command and data authorization rules defined within the AAA system.

The PacketAssure iQ1000 provides two-factor authentication to secure user logins and protect against account takeover and data theft. Two-factor authentication systems overcome the issues of single-secret authentication by requiring a second secret. Two-factor authentication uses a combination of the following items:

- Something that the user has, such as a smart card.
- Something that the user knows, such as a password.

User authentication is identity based, where the identity is defined by the username and password. Password rules are as follows:

- Passwords must contain between 8 and 32 characters.
- Passwords must consist of at least 2 lower case letters, 2 upper case letters, 2 numerical digits and 2 special characters.
- New passwords MUST differ from the previous password by a minimum of 4 characters.
- Only the MD5 hash of user passwords is stored in the system database. When the user enters his/her password, the MD5 hash of the entered password is calculated and compared to the stored MD5 hash. MD5 is not a FIPS approved algorithm and is therefore considered no more secure than plaintext.
- During the login process no character echo takes place.

With a minimum 8-character authentication password and the required use of 2 upper case and 2 lower case characters (26 each), 2 numbers (10) and 2 special characters (at least 10), there is approximately a 1 in (26)(26)(26)(26)(10)(10)(10)(10)(8!) = 1.84e14 chance of a random access attempt succeeding.
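As an added illustration (not part of the Ultra Electronics policy or of the product's own code), the following Python models the two controls stated above: the password composition rules, and the lockout that refuses further attempts for ten seconds after three consecutive failures. Which characters count as "special" and how "differ by 4 characters" is measured are assumptions.

```python
"""Password-policy and login-throttle model for the rules quoted above (added example)."""
import string
from typing import List, Optional

MIN_LEN, MAX_LEN = 8, 32          # "between 8 and 32 characters"
MIN_PER_CLASS = 2                 # 2 lower, 2 upper, 2 digits, 2 special
MIN_CHANGED_CHARS = 4             # new password must differ in at least 4 characters
SPECIALS = set(string.punctuation)  # assumption: what counts as a "special character"


def changed_characters(new_pw: str, old_pw: str) -> int:
    """Count positions where the two strings differ; assumption: extra length counts as changed."""
    common = min(len(new_pw), len(old_pw))
    positional = sum(a != b for a, b in zip(new_pw[:common], old_pw[:common]))
    return positional + (max(len(new_pw), len(old_pw)) - common)


def policy_violations(new_pw: str, previous_pw: Optional[str] = None) -> List[str]:
    """Return every rule the candidate breaks; an empty list means the password is acceptable."""
    problems: List[str] = []
    if not MIN_LEN <= len(new_pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters (has {len(new_pw)})")
    counts = {
        "lower case letters": sum(c.islower() for c in new_pw),
        "upper case letters": sum(c.isupper() for c in new_pw),
        "numerical digits": sum(c.isdigit() for c in new_pw),
        "special characters": sum(c in SPECIALS for c in new_pw),
    }
    for name, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} (has {n})")
    if previous_pw is not None and changed_characters(new_pw, previous_pw) < MIN_CHANGED_CHARS:
        problems.append(f"must differ from the previous password in at least {MIN_CHANGED_CHARS} characters")
    return problems


class LoginThrottle:
    """After max_failures consecutive failures, refuse every attempt for lockout_ms milliseconds."""

    def __init__(self, max_failures: int = 3, lockout_ms: int = 10_000) -> None:
        self.max_failures = max_failures
        self.lockout_ms = lockout_ms
        self.consecutive_failures = 0
        self.locked_until_ms = 0

    def attempt(self, now_ms: int, success: bool) -> bool:
        """Return True if the attempt was evaluated, False if the module refused to consider it."""
        if now_ms < self.locked_until_ms:
            return False
        if success:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_failures:
            self.locked_until_ms = now_ms + self.lockout_ms
            self.consecutive_failures = 0
        return True


def accepted_attempts_per_minute(attempt_interval_ms: int = 10) -> int:
    """Simulate a source that submits a wrong password every attempt_interval_ms for 60 s.

    With the document's parameters (3 failures, 10 s lockout) this yields 18 evaluated
    attempts, matching the bound used in the policy's strength argument.
    """
    throttle = LoginThrottle()
    accepted = 0
    for now_ms in range(0, 60_000, attempt_interval_ms):
        if throttle.attempt(now_ms, success=False):
            accepted += 1
    return accepted
```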
The password rules are non-modifiable, and to decrease the probability of correctly guessing a password within a reasonable timeframe, the module will not accept another password attempt for a minimum of ten seconds after three consecutive unsuccessful attempts. With a maximum of 18 attempts to use the authentication mechanism during a one-minute period, the probability is less than 1 in 7,665,840,000,000 that a random access will succeed.

4. Finite State Model

The finite state model is defined in the proprietary FIPS140_FSM document; see section 1.2 for guidance.

5. Physical Security

The iQ1000 incorporates a multi-chip standalone cryptographic module which is designed to meet FIPS 140-2 security level 2 requirements. These requirements are described in the following sections.

5.1. Enclosure

The enclosure is comprised of a metal chassis with a metal cover. The top, bottom and sides of the enclosure are opaque. Internal louvers are installed so that no part of the module is visible through ventilation holes.

5.2. Tamper Evidence

Four holographic tamper evidence seals (TES), NovaVision Inc Ultra-Guard label, product code UG4-08, will be applied to the enclosure. The hologram image will contain an embedded "VOID OPENED" pattern. Three tamper evidence seals prevent removal of cover screws, while a fourth TES prevents removal of another cover screw and the PSM; see Figure 3.

Figure 3 Tamper Evidence Seal Locations

5.3. Physical Security Rules

The crypto-officer of the module is required to inspect the enclosure periodically, looking for:

- Tamper evidence seals that have "VOID OPENED" visible.
- Disfiguration of the cover, such as creases, indicating that someone has attempted to pry the cover open.

The crypto officer should perform a factory reset on the module if tamper evidence is detected. The factory reset procedure is described in the Administrator Guide (DNE document number 24001197) available on the DNE website http://www.ultra-dne.com. The crypto-officer should also replace any damaged tamper evidence seals. Prior to replacing the seals, the crypto-officer shall remove the damaged labels and clean off any remaining residue on the mounting surface using an adhesive remover. Tamper evidence seals can be obtained from Ultra Electronics DNE Technologies, DNE part number 57005924-000.

5.4. Secure Operation Initialization Rules

PacketAssure iQ1000 software version 3.2.0 was validated for compliance with FIPS 140-2 and is the only allowable software version for FIPS-Approved operation. FIPS 140 compliant self-tests execute automatically at power-up. Failure of any test puts the module in an error state and no services are provided. The module is in an Approved mode when using the Approved services, and in a non-Approved mode when using non-Approved services. Encryption strength must not be less than 112 bits when in the Approved mode.

The module implements several cryptographic algorithms for use in its operation. The following table identifies the FIPS Approved algorithms:

Algorithm | Implementation Details | Algorithm Certificate (Image A)
AES | AES keys 128, 192, 256 bits; encrypt and decrypt. | #2191
TDES | Triple-DES keys 168 bits; encrypt/decrypt. | #1384
DSA | DSA keys 1024 bits; verify. | #685 Note 1
PRNG (ANSI X9.31 Appendix A.2.4 using AES) | PRNG seed value is 128 bits; seed key values are 128, 192, and 256 bits. | #1109
RSA (X9.31, PKCS #1.5, PSS) | RSA keys 2048 to 4096 bits; sign and verify. | #1130 Note 2
SHA-1, 224, 256, 384, 512 | Hashing. | #1899
HMAC-SHA-1, 224, 256, 384, 512 | HMAC key; message integrity. | #1343
Table 8 Approved Cryptographic Algorithms

Note 1 - DSA (Cert. #685, non-compliant with the functions from the CAVP Historical DSA list):
FIPS186-2: PQG(gen) MOD(1024); KEYGEN(Y) MOD(1024); SIG(gen) MOD(1024)

Note 2 - RSA (Cert. #1130, non-compliant with the functions from the CAVP Historical RSA list):
FIPS186-2:
ALG[ANSIX9.31]:KEY(gen)(MOD:1024, 1536 PubKey Values: 3, 17, 65537)
ALG[ANSIX9.31]:SIG(gen); 1024, 1536, SHS: SHA-1, SHA-256, SHA-384, SHA-512, 2048, 3072, 4096, SHS:SHA-1
ALG[RSASSA-PKCS1_V1_5]:SIG(gen): 1024, 1536, SHS: SHA-224, SHA-256, SHA-384, SHA-512
ALG[RSASSA-PSS]: SIG(gen);1024, 1536, SHS: SHA-224, SHA-256, SHA-384, SHA-512

The module supports the following non-Approved algorithms in the Approved mode of operation, as allowed.

Algorithm | Algorithm Type | Utilization
AES | AES 128, 192, 256 bit | Key wrapping Note 2
Diffie-Hellman | Key establishment | Key establishment methodology supports 2048 to 4096 bit keys, providing between 112 and 150 bits of encryption strength. Note 1
RSA | RSA (key wrapping; key encrypt/decrypt) | Key establishment / Key wrapping methodology supports 2048 to 4096 bit keys, providing 112 to 150 bits of encryption strength. Note 1
HMAC SHA-1 | HMAC authentication key | SNMPv3 USM Note 2
SHA-1 | Hash Function | SSH Key Derivation Note 2
SHA-1 / MD5 | Hash Function | TLS (PRF) Key Derivation
SHA-1 | Hash Function | SNMP Key Derivation Note 2
NDRNG | Non-Deterministic Random Number Generator | Part of PRNG seed
Table 9 Non-Approved Cryptographic Algorithms

Note 1 - Non-compliant when encryption strength is less than 112 bits.
Note 2 - These are Approved algorithms, but their specific use specified here is non-Approved. SSH, TLS and SNMP protocols and KDFs are allowed to be used in FIPS Approved mode.

In addition, the following algorithms are used in non-Approved mode when using non-Approved key strengths <112 bits: AES, Triple-DES.
Operational Environment Since the iQ1000 does not allow operators to load or modify software or firmware that was not included as part of the validation of the module, it is considered “non- modifiable” and is therefore not subject to the requirements of the Operational Environment component of the FIPS specification. 7. Definition of SRDIs Modes of Access This section specifies the module’s Security Relevant Data Items as well as the access control policy enforced by the module. 7.1. Cryptographic Keys, CSPs, and SRDIs While operating in a FIPS-compliant manner, the module contains the following security relevant data items. Unless otherwise noted, All keys are generated using FIPS approved algorithms, using a FIPS approved RNG. Zeroization ID Algorithm Size Description Origin Storage Method General Keys/CSPs Non-proprietary security policy. This document may be freely distributed in its entirety without modification. Page 18 of 25 User Password Variable Used to authenticate The user sets their NVRAM Zeroized by Password (8-32 local users password on first (plaintext) overwriting character login with new s) password External Password Variable Used to authenticate The crypto officer NVRAM Zeroized by Secure (0-128 users on remote sets the password (AES 128- overwriting Server character SFTP server of a remote server bits) with new Password s) password OR deleting the server Security Password Variable Used to encrypt the The crypto officer NVRAM Zeroized by Log Pass (1-128 security log file, sets the pass (AES 128- overwriting Phrase character which is only phrase bits) with new s) claimed to be pass phrase obfuscated. RNG Seed ANSI 16 bytes This is the seed for This key is DRAM Zeroized by X9.31 ANSI X9.31 RNG NDRNG based (plaintext) power Appendix and created during cycling the 2.4 using RNG initialization device AES at power on. 
RNG Seed Key | ANSI X9.31 Appendix 2.4 using AES | 32 bytes | This is the seed key for the ANSI X9.31 RNG, created during RNG initialization at power on. | This key is NDRNG based | DRAM (plaintext) | Zeroized by power cycling the device
Diffie-Hellman public exponent | DH | 2048-4096 bits | The public exponent used in Diffie-Hellman (DH) exchange during key establishment. | This key is created using the OpenSSL library | DRAM (plaintext) | Automatically after shared secret generated
Diffie-Hellman private exponent | DH | 2048-4096 bits | The private exponent used in Diffie-Hellman (DH) exchange during key establishment. | This key is created using the OpenSSL library | DRAM (plaintext) | Automatically after shared secret generated
Diffie-Hellman Shared Secret | DH | 2048-4096 bits | This is the shared secret agreed upon as part of DH exchange during key establishment. | This key is created using the OpenSSL library | DRAM (plaintext) | Zeroized upon deletion
Database AES Key | AES CFB | 128-bits | This is the AES key and IV used to encrypt/decrypt CSPs in the database | This key is automatically created during startup of a factory defaulted system | NVRAM (plaintext) | # factory-reset

Software Upgrade
Package Public Key | RSA | 2048-bits | This key is the public product key used to verify software packages | This key is installed with the system software | NVRAM (plaintext) | This is not zeroized
Package Pass Phrase | Password | Fixed (11 characters) | This password is used to decrypt software packages | This phrase is installed with the system software | NVRAM (plaintext) | This is not zeroized

SNMPv3 (Note 2)
Trap Listener Password (Note 1) | Password | Variable (8-32 characters) | Used to authenticate and encrypt SNMPv3 traps | This key is created when the crypto officer creates trap listeners | NVRAM (plaintext) | Zeroized by overwriting with new password or deleting the listener
Authentication Key | HMAC-SHA-1 | 16 bytes | This is the SNMPv3 USM authentication key | This key is automatically created when a user or v3 trap listener is created | NVRAM (plaintext) | Zeroized by overwriting with new password or deleting the user
Privacy Key | AES | 16 bytes | This is the SNMPv3 USM encryption key | This key is automatically created when a user or v3 trap listener is created | NVRAM (plaintext) | Zeroized by overwriting with new password or deleting the user

SSH (Note 2)
SSH RSA public key | RSA | 2048-bits | This is the SSH RSA host key | This key is automatically created during startup of a factory defaulted system | NVRAM (plaintext) | # factory-reset
SSH RSA private key | RSA | 2048-bits | This is the SSH RSA host key | This key is automatically created during startup of a factory defaulted system | NVRAM (plaintext) | # factory-reset
SSH session key | Triple-DES / AES | 168 bits (Triple-DES); 128, 192, 256 bits (AES) | This is the SSH session symmetric key | This key is automatically created during session creation | DRAM (plaintext) | Zeroized when SSH session is terminated
SSH session authentication key | HMAC SHA-1 | 96-bits or 160-bits | This is the SSH session authentication key | This key is automatically created during session creation | DRAM (plaintext) | Zeroized when SSH session is terminated
SSH authentication keys | RSA | 2048 bits, 4096 bits | Allowed SSH public keys | The crypto officer adds/removes entries | NVRAM (plaintext) | # factory-reset

TLS (Note 2)
TLS CA public key | RSA | 2048-bits | The internal CA certificate used to self-sign the generated TLS server certificate | This key is automatically created during startup of a factory defaulted system | NVRAM (plaintext) | # factory-reset
TLS CA private key | RSA | 2048-bits | The CA certificate private key | This key is automatically created during startup of a factory defaulted system | NVRAM (plaintext) | # factory-reset
TLS Server public key | RSA | 2048-bits | Identity certificate for the module itself, also used in TLS negotiations. This certificate is self-signed on a default system, but can later be replaced by a signed CSR from an external CA. | This key is automatically created during startup of a factory defaulted system OR loaded by the Crypto Officer as a part of server certificate installation | NVRAM (PEM) | # factory-reset
TLS Server private key | RSA | 2048-bits | The TLS Server private key | This key is automatically created during startup of a factory defaulted system OR as a part of Certificate Signing Request | NVRAM (PEM) | # factory-reset
TLS premaster secret | Shared Secret | 384-bits | Shared secret created using asymmetric cryptography from which new HTTPS session keys can be created | This key is automatically created during session creation | DRAM (plaintext) | Zeroized when TLS session is terminated
TLS Master Secret | Shared Secret | 384-bits | Shared secret created using asymmetric cryptography from which new HTTPS session keys can be created | This key is automatically created during session creation | DRAM (plaintext) | Zeroized when TLS session is terminated
TLS session key | Triple-DES / AES | 168 bits (Triple-DES); 128, 192, 256 bits (AES) | This is the TLS session key | This key is automatically created during session creation | DRAM (plaintext) | Zeroized when TLS session is terminated
X.509 Trust Points | RSA | 2048-bits | Manually loaded X.509 certificates used in path validation | Trust points are installed/removed by the crypto-officer. Used by two-factor authentication. | NVRAM (DER) | # factory-reset
X.509 CRLs | SHA-256, RSA | 2048-bits | Digitally signed CRLs used in X.509 path validation | CRLs are installed/removed by the crypto-officer. Used by two-factor authentication. | NVRAM (DER) | # factory-reset
X.509 Cached Certificates | RSA | 2048-bits | Automatically downloaded X.509 certificates used in path validation | Certificates are cached automatically via HTTP or LDAP from external servers as client certificates are validated | DRAM (PEM) | # factory-reset
X.509 Cached CRLs | SHA-256, RSA | 2048-bits | Digitally signed CRLs used in X.509 path validation | CRLs are cached automatically via HTTP or LDAP from external servers as client certificates are validated | DRAM (DER) | # factory-reset
Table 10 Keys, CSPs and SRDIs

Note 1 - The Trap Listener password must be at least 8 characters to comply with FIPS.
Note 2 - SSH, TLS and SNMP protocols and KDFs are allowed to be used in FIPS Approved mode, but are non-compliant.

7.2. Access Control Policy

The module allows controlled access to the SRDIs contained within it. The following table defines the access that an operator or application has to each SRDI while operating the module in a given role performing a specific service (command). The permissions are categorized as a set of four separate permissions: read, write, execute, delete. If no permission is listed, then an operator outside the module has no access to the SRDI.
Module SRDI/Role/Service Access Policy

Security Relevant Data Items (table columns):
• User Password
• Database AES Key
• Trap Listener Password
• Secure Server Password
• Security Log Pass Phrase
• RNG Seed, RNG Seed Key
• SNMPv3 Auth Key, Priv Key
• TLS CA public key, private key
• SSH session key, session auth key
• TLS premaster secret, session key
• TLS Server public key, private key
• SSH RSA private key, DSA private key
• Package Public Key, Package Pass Phrase
• DH private exponent, DH Shared Secret

Role/Service (access letters as printed in the source table; r = read, w = write, x = execute, d = delete):
Unauthenticated Services
• Bootloader factory default: d d d d d d d d d d d d d
• Bootloader switch code banks: (none listed)
• Power on/off: d d d d
User role
• Oper Role: w x x wx x x x x
• Config Role: wx x x wx x x x x
Crypto-officer Role
• Admin Role: wwwx x x x wwx x d x x xxx d xxd dd dd
Table 11 SRDI Access

8. Electromagnetic Interface/Electromagnetic Compatibility

The iQ1000 conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use).

9. Self Tests

The module contains the following power-up self tests. All of the tests shown in section 9.1 execute at power-up without user input. Failure of any power-up self-test is a system fault and therefore transitions the module into the error state as defined by the FSM.

9.1. Power-Up Self Tests

1. Cryptographic algorithm test
OpenSSL provides:
• AES KAT encrypt
• AES KAT decrypt
• Triple-DES KAT encrypt
• Triple-DES KAT decrypt
• DSA pair-wise consistency test (sign/verify)
• RSA KAT sign
• RSA KAT verify
• PRNG KAT
• HMAC-SHA-1 KAT
• HMAC-SHA-224 KAT
• HMAC-SHA-256 KAT
• HMAC-SHA-384 KAT
• HMAC-SHA-512 KAT
• OpenSSL internal integrity HMAC-SHA-1
sshd provides:
• AES-CTR KAT

2. Software/firmware integrity test
File Integrity Test:
• SHA-256 checksum verification of individual security relevant files.

3. Critical functions test
• N/A

9.2. Conditional Self tests

The module contains the following conditional self tests.

1. Pair-wise consistency test (for public and private keys)
OpenSSL provides:
• RSA pair-wise consistency

2. Software/firmware load test
Software Package Test:
• Signed by RSA 2048 bit private key
• Symmetrically encrypted with AES-256
• SHA-256 digest

During software download the package is checked against the SHA-256 digest, which is also downloaded to the target system. This only serves to confirm an uncorrupted download of the package. The package is then decrypted using symmetric AES-256 and the password that is already stored on the target. The decrypted package consists of a tarball and the signed SHA-256 of the tarball. The private key used in the signature is of type RSA-2048. If the signed hash cannot be validated (using the locally stored public key), the package is not installed and the upgrade fails. The status of each step of the upgrade process is displayed on the GUI and is also appended to the system log.

3. Manual key entry test
• N/A

4. Continuous random number generator test
OpenSSL provides:
• PRNG continuous test
• Per Implementation Guide section 9.8, a continuous test of the NDRNG is not required because its output is only used once after module power-on and not used again until the module is power cycled.

5. Bypass test
• N/A

10. Mitigation of Other Attacks

• N/A
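The power-up self-test flow of section 9.1, as an added example in Go that is not part of this security policy or of the iQ1000 firmware: it runs AES and HMAC known-answer tests against published vectors (FIPS-197 Appendix C.1, RFC 2202 and RFC 4231) and a SHA-256 integrity check over a set of files, stops at the first failure, and reports the resulting state. The file names and contents, the manifest, the test names and the state type are constructed for the example; the real module runs its KATs inside OpenSSL and sshd.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// ModuleState is the FSM outcome of the power-up tests: one failure moves the module to StateError.
type ModuleState int

const (
	StateOperational ModuleState = iota
	StateError
)

// SelfTest is one named known-answer (KAT) or integrity test.
type SelfTest struct {
	Name string
	Run  func() bool
}

func fromHex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// AESKAT runs the AES encrypt and decrypt known-answer tests (FIPS-197 Appendix C.1, AES-128).
func AESKAT() (encOK, decOK bool) {
	key := fromHex("000102030405060708090a0b0c0d0e0f")
	pt := fromHex("00112233445566778899aabbccddeeff")
	ct := fromHex("69c4e0d86a7b0430d8cdb78070b4c55a")
	c, _ := aes.NewCipher(key) // 16-byte key is valid by construction
	got := make([]byte, aes.BlockSize)
	c.Encrypt(got, pt)
	encOK = bytes.Equal(got, ct)
	c.Decrypt(got, ct)
	decOK = bytes.Equal(got, pt)
	return encOK, decOK
}

// HMACKAT compares an HMAC over a fixed key and message with its published answer.
func HMACKAT(newHash func() hash.Hash, key, msg []byte, want string) bool {
	m := hmac.New(newHash, key)
	m.Write(msg)
	return hmac.Equal(m.Sum(nil), fromHex(want))
}

// BuildManifest records each security-relevant file's SHA-256 at build time (constructed stand-in).
func BuildManifest(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// FileIntegrity re-verifies every listed file at power-up; a missing or altered file fails.
func FileIntegrity(files map[string][]byte, manifest map[string]string) bool {
	for name, want := range manifest {
		data, ok := files[name]
		sum := sha256.Sum256(data)
		if !ok || !hmac.Equal(sum[:], fromHex(want)) {
			return false
		}
	}
	return true
}

// PowerUpSelfTests runs the tests in order without operator input and stops at the first failure.
func PowerUpSelfTests(tests []SelfTest) (ModuleState, string) {
	for _, t := range tests {
		if !t.Run() {
			return StateError, t.Name
		}
	}
	return StateOperational, ""
}

// DefaultSelfTests is the subset of section 9.1 the standard library can exercise directly.
func DefaultSelfTests(files map[string][]byte, manifest map[string]string) []SelfTest {
	key, msg := bytes.Repeat([]byte{0x0b}, 20), []byte("Hi There") // RFC 2202 / RFC 4231 test case 1
	return []SelfTest{
		{"AES KAT encrypt", func() bool { e, _ := AESKAT(); return e }},
		{"AES KAT decrypt", func() bool { _, d := AESKAT(); return d }},
		{"HMAC-SHA-1 KAT", func() bool { return HMACKAT(sha1.New, key, msg, "b617318655057264e28bc0b6fb378c8ef146be00") }},
		{"HMAC-SHA-256 KAT", func() bool { return HMACKAT(sha256.New, key, msg, "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7") }},
		{"File integrity SHA-256", func() bool { return FileIntegrity(files, manifest) }},
	}
}

func main() {
	// Constructed "security relevant file"; the manifest would ship with the firmware image.
	files := map[string][]byte{"/etc/fips/policy": []byte("constructed policy file")}
	state, failed := PowerUpSelfTests(DefaultSelfTests(files, BuildManifest(files)))
	fmt.Println(state == StateOperational, failed)
}
```

Stopping at the first failed test and returning the error state, rather than continuing, matches the policy's rule that any power-up self-test failure is a system fault; the name of the failed test is what a practitioner would want logged before services are refused.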
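The software package load test of section 9.2, item 2, as an added example in Go that is not part of this security policy or of the vendor's upgrade code: it models the three checks in the order the text gives them (SHA-256 digest of the download, AES-256 decryption with the locally stored pass phrase, RSA-2048 signature over the tarball's SHA-256 verified with the locally stored public key) and releases the tarball only when the signature verifies. The package layout, the use of CTR mode, deriving the AES key from the pass phrase by a single SHA-256, the PKCS#1 v1.5 signature scheme and all names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Sentinel errors for the checks of section 9.2, item 2.
var (
	ErrCorruptDownload = errors.New("package: SHA-256 digest mismatch (corrupted download)")
	ErrBadSignature    = errors.New("package: RSA-2048 signature over tarball digest did not verify")
	ErrTooShort        = errors.New("package: ciphertext shorter than IV plus signature")
)

// SoftwarePackage is what reaches the target (constructed layout, not the
// vendor's file format): AES-256 ciphertext plus the digest downloaded with it.
type SoftwarePackage struct {
	Ciphertext []byte   // IV || AES-256-CTR(signature || tarball)
	Digest     [32]byte // SHA-256 over Ciphertext; detects corruption only
}

// packageKey turns the package pass phrase stored on the target into the
// AES-256 key. Assumption: one SHA-256 of the phrase (the policy does not say).
func packageKey(passPhrase string) []byte {
	k := sha256.Sum256([]byte(passPhrase))
	return k[:]
}

// BuildPackage is the vendor-side step: sign SHA-256(tarball) with the RSA-2048
// private key (which never reaches the device), then encrypt signature||tarball.
func BuildPackage(tarball []byte, signer *rsa.PrivateKey, passPhrase string) (*SoftwarePackage, error) {
	h := sha256.Sum256(tarball)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), tarball...)
	block, err := aes.NewCipher(packageKey(passPhrase))
	if err != nil {
		return nil, err
	}
	ct := make([]byte, aes.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, ct[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(ct[aes.BlockSize:], plain)
	return &SoftwarePackage{Ciphertext: ct, Digest: sha256.Sum256(ct)}, nil
}

// VerifyAndUnpack is the target-side load test in the order the policy gives:
// 1. digest check (download integrity only), 2. AES-256 decrypt with the stored
// pass phrase, 3. RSA-2048 signature check with the stored public key. Only
// step 3 establishes authenticity; the tarball is released only if it passes.
func VerifyAndUnpack(pkg *SoftwarePackage, pub *rsa.PublicKey, passPhrase string) ([]byte, error) {
	if sha256.Sum256(pkg.Ciphertext) != pkg.Digest {
		return nil, ErrCorruptDownload
	}
	if len(pkg.Ciphertext) < aes.BlockSize+pub.Size() {
		return nil, ErrTooShort
	}
	block, err := aes.NewCipher(packageKey(passPhrase))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(pkg.Ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, pkg.Ciphertext[:aes.BlockSize]).XORKeyStream(plain, pkg.Ciphertext[aes.BlockSize:])
	sig, tarball := plain[:pub.Size()], plain[pub.Size():]
	h := sha256.Sum256(tarball)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, ErrBadSignature // a wrong pass phrase or a modified package both end here
	}
	return tarball, nil
}

func main() {
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)
	tarball := []byte("constructed tarball contents")
	pkg, _ := BuildPackage(tarball, signer, "example-pass-phrase")
	out, err := VerifyAndUnpack(pkg, &signer.PublicKey, "example-pass-phrase")
	fmt.Println(bytes.Equal(out, tarball), err) // true <nil>
}
```

The two error paths make the policy's own point concrete: a corrupted download is caught by the digest, but a package whose digest has been recomputed to match passes that check and is stopped only by the signature; a wrong pass phrase likewise surfaces as a signature failure, because CTR decryption with the wrong key yields no error of its own.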