McAfee NGFW Cryptographic Library
FIPS 140-2 Non-Proprietary Security Policy

Version 2.1
Last Update: 2015-01-13

Prepared by: atsec information security Corp.
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com

© 2015 McAfee, Inc./atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.

Table of Contents

1. Introduction ..... 4
1.1. Purpose of the Security Policy ..... 4
1.2. Target Audience ..... 4
2. Cryptographic Module Specification ..... 5
2.1. Description of Module ..... 5
2.2. Description of Approved Mode ..... 6
2.3. Cryptographic Module Boundary ..... 7
2.3.1. Software Block Diagram ..... 7
2.3.2. Hardware Block Diagram ..... 8
3. Cryptographic Module Ports and Interfaces ..... 9
4. Roles, Services, and Authentication ..... 10
4.1. Roles ..... 10
4.2. Services ..... 10
4.3. Operator Authentication ..... 27
4.4. Mechanism and Strength of Authentication ..... 27
5. Finite State Machine ..... 28
6. Physical Security ..... 29
7. Operational Environment ..... 30
8. Cryptographic Key Management ..... 31
8.1. Random Number Generation ..... 32
8.2. Key/CSP Generation ..... 32
8.3. Key/CSP Establishment ..... 32
8.4. Key Entry and Output ..... 33
8.5. Key Storage ..... 33
8.6. Zeroization Procedure ..... 33
9. Self-Tests ..... 34
9.1. Power-Up Tests ..... 34
9.2. Integrity Check ..... 35
9.3. Conditional Tests ..... 35
10. Design Assurance ..... 36
10.1. Configuration Management ..... 36
10.2. Delivery and Operation ..... 36
10.2.1. Downloading a FIPS 140-2-compatible engine version ..... 36
10.3. Cryptographic Officer Guidance ..... 36
10.3.1. Installation ..... 36
10.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version ..... 36
10.3.1.2 Configuring the engine ..... 37
10.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode ..... 37
10.3.1.4 Resetting the appliance to factory settings ..... 37
10.3.1.5 Recovering from a FIPS 140-2 self-test failure ..... 38
10.3.2. Entropy Source ..... 38
10.3.3. Initialization ..... 39
10.4. User Guidance ..... 39
10.4.1. AES GCM ..... 39
10.4.2. Zeroization ..... 39
10.4.3. Key Export ..... 39
11. Mitigation of Other Attacks ..... 40
12. Glossary and Abbreviations ..... 41
13. References ..... 43

1. Introduction

This document is a non-proprietary FIPS 140-2 Security Policy for the McAfee NGFW Cryptographic Library module. The current version of the module is 2.0. An earlier version of this module has gone through FIPS 140-2 validation under certificate #2031.
This document contains a specification of the rules under which the module must operate and describes how this module meets the requirements specified in the Federal Information Processing Standards Publication (FIPS PUB) 140-2 for a Security Level 1 multi-chip standalone software module.

1.1. Purpose of the Security Policy

There are three major reasons that a security policy is required:
- It is required for FIPS 140-2 validation.
- It allows individuals and organizations to determine whether the cryptographic module, as implemented, satisfies the stated security policy.
- It describes the capabilities, protection, and access rights provided by the cryptographic module, allowing individuals and organizations to determine whether it will meet their security requirements.

1.2. Target Audience

This document is intended to be part of the package of documents that are submitted for FIPS validation. It is intended for the following people:
- Developers working on the release
- FIPS 140-2 testing lab
- Cryptographic Module Validation Program (CMVP)
- Consumers

2. Cryptographic Module Specification

This document is the non-proprietary security policy for the McAfee NGFW Cryptographic Library and was prepared as part of the requirements of FIPS 140-2, Level 1. The following sections describe the module and how it complies with the FIPS 140-2 standard in each of the required areas.

2.1. Description of Module

The McAfee NGFW Cryptographic Library is a shared library that provides a C-language application programming interface for use by McAfee applications. Assembly language optimizations are used in the cryptographic module implementation.
The files that make up the logical boundary of the module are the module binary file libqscrypto.so.2 and the checksums.fips file, which contains the HMAC-SHA-256 value needed for the module integrity check.

The module contains the following cryptographic functionality:
- Pseudo random number generation
- Cryptographic hash functions
- Message authentication code functions
- Symmetric key encryption and decryption
- Public key cryptography: key pair generation, digital signature generation and verification
- Key agreement and establishment
- Key wrapping

The following table gives the security level claimed for each of the eleven sections of the validation.

Security Component | Security Level
Cryptographic Module Specification | 1
Cryptographic Module Ports and Interfaces | 1
Roles, Services and Authentication | 1
Finite State Model | 1
Physical Security | 1
Operational Environment | 1
Cryptographic Key Management | 1
EMI/EMC | 1
Self Tests | 1
Design Assurance | 3
Mitigation of Other Attacks | N/A

Table 1: Security Levels

The module has been tested on the following platforms:

Manufacturer | Model | O/S & Ver. | AES-NI
McAfee | MIL-320 | Debian GNU/Linux 6.0-based distribution running on Intel Atom Processor D525 (single-user mode) | Not Supported
McAfee | 5206 | Debian GNU/Linux 6.0-based distribution running on Intel Xeon E5-2680 (single-user mode) | With AES-NI
McAfee | 3206 | Debian GNU/Linux 6.0-based distribution running on Intel Xeon E5-2680 (single-user mode) | With and Without AES-NI
McAfee | 3202 | Debian GNU/Linux 6.0-based distribution running on Intel Xeon Processor E5-2660 (single-user mode) | With and Without AES-NI
McAfee | 1402 | Debian GNU/Linux 6.0-based distribution running on Intel Xeon Processor E5-1650v2 (single-user mode) | With AES-NI
McAfee | 1065 | Debian GNU/Linux 6.0-based distribution running on Intel Core i3-2115c (single-user mode) | With AES-NI
McAfee | 1035 | Debian GNU/Linux 6.0-based distribution running on Intel Celeron Processor 725c (single-user mode) | With AES-NI

Table 2: Tested Platforms

2.2. Description of Approved Mode

The cryptographic module supports only a FIPS 140-2 approved mode. The calling application can invoke ssh_crypto_get_certification_mode() to check the status of the module; it returns SH_CRYPTO_CERTIFICATION_FIPS_140_2 to indicate that the module is in the FIPS-approved mode.

The module provides the following algorithms and services:
- AES: key wrapping, encryption and decryption; ECB, CBC, OFB, CFB128 and GCM modes
- Triple-DES: encryption and decryption; ECB, CBC, OFB and CFB64 modes
- DSA: key generation, digital signatures, and verification
- RSA: key generation, digital signatures, and verification
- ECDSA: key generation, digital signature, and verification
- DRBG: random number generation
- SHS: hashing
- HMAC: message authentication code

In addition, the module provides the following key establishment methods:
- Diffie-Hellman key agreement
- EC Diffie-Hellman key agreement
2.3. Cryptographic Module Boundary

2.3.1. Software Block Diagram

The logical boundary of the module is the Cryptographic Library itself, which is indicated by the "Cryptographic Boundary" rectangle in the diagram below.

[Figure 1: Software Block Diagram. The Physical Boundary encloses the Cryptographic Boundary, which contains the McAfee NGFW Cryptographic Library; the interfaces crossing the boundary are Data in, Control in, Data out and Status out.]

2.3.2. Hardware Block Diagram

The physical boundary of the module is the enclosure of the appliance that the module is running on. The module was tested on seven separate appliances, all of which are general purpose computers. The hardware block diagram below depicts all test appliances and their internal components and ports (processor, SSD, USB, Ethernet, etc.).

[Figure 2: Hardware Block Diagram. Components inside the Cryptographic Module Boundary, numbered (1) to (15) in the diagram: Processor, Chipset, RAM, ROM, Ethernet Controller / Ports, Serial Controller / Port ***, USB Controller / Ports, Disk Controller / Storage Slot, CFast Drive *, SSD **, Expansion Module Slot, Wireless Module / Radio / Antenna ****, Power Supply.
Legend: 1, 2, 4, 5, 6, 7, 8, 12, 13, 14 and 15: Data in, data out, control in, status out; 3: Power in; 9, 10 and 11: Control in.
*) MIL-320, 1035, 1065
**) 1402, 3202, 3206, 5206
***) 1035, 1065, 1402, 3202, 3206, 5206
****) MIL-320 only]
3. Cryptographic Module Ports and Interfaces

FIPS Interface | Physical Ports | Logical Ports
Data Input | Ethernet ports, serial port, wireless radio | API input parameters
Data Output | Ethernet ports, serial port, wireless radio | API output parameters
Control Input | Ethernet ports, serial port, wireless radio | API function calls
Status Output | Ethernet ports, serial port, wireless radio | API return values
Power Input | PC power supply port | N/A

Table 3: Ports and Interfaces

4. Roles, Services, and Authentication

4.1. Roles

The module implements both a User and a Crypto Officer role. The module does not allow concurrent operators. The User and Crypto Officer roles are implicitly assumed by the entity accessing services implemented by the module. No further authentication is required. The Crypto Officer can install and initialize the module.

4.2. Services

Table 4 lists, for each service: the roles that may use it (User, CO), the CSPs involved, the modes, whether the algorithm is FIPS approved together with the CAVS certificate numbers where applicable, the access the service has to the CSP (R = read, W = write, X = execute), and notes with the standard and the API functions that provide the service. Both roles are marked for every service.

Symmetric Algorithms

Service: AES encryption and decryption
CSP: 128, 192, 256 bit keys
Modes: ECB, CBC, OFB, CFB128
FIPS approved: Yes; Certs #2948, #2949, #2950, #2951, #2952, #2953, #2954, #2955
Access: RWX
Notes: FIPS 197
API functions: ssh_cipher_allocate, ssh_cipher_free, ssh_cipher_get_block_length, ssh_cipher_get_iv, ssh_cipher_get_iv_length, ssh_cipher_get_key_length, ssh_cipher_get_max_key_length, ssh_cipher_get_min_key_length, ssh_cipher_get_supported, ssh_cipher_has_fixed_key_length, ssh_cipher_is_fips_approved, ssh_cipher_name, sh_cipher_set_iv, ssh_cipher_supported, ssh_cipher_transform, ssh_cipher_transform_remaining, ssh_cipher_transform_with_iv, ssh_cipher_get_block_len

Service: AES-GCM authenticated encryption and decryption
CSP: 128, 192, 256 bit keys
Modes: GCM
FIPS approved: Yes; Certs #2948, #2949, #2950, #2951, #2952, #2953, #2954, #2955
Access: RWX
Notes: SP 800-38D
API functions: ssh_cipher_allocate, ssh_cipher_free, ssh_cipher_get_block_length, ssh_cipher_get_iv, ssh_cipher_get_iv_length, ssh_cipher_get_key_length, ssh_cipher_get_max_key_length, ssh_cipher_get_min_key_length, ssh_cipher_get_supported, ssh_cipher_has_fixed_key_length, ssh_cipher_is_fips_approved, ssh_cipher_name, sh_cipher_set_iv, ssh_cipher_supported, ssh_cipher_transform, ssh_cipher_transform_remaining, ssh_cipher_transform_with_iv, ssh_cipher_get_block_len, ssh_cipher_is_auth_cipher, ssh_cipher_auth_reset, ssh_cipher_auth_update, ssh_cipher_auth_final, ssh_cipher_auth_digest_length, ssh_cipher_is_auth, ssh_cipher_generate_iv_ctr, ssh_cipher_auth_digest_len

Service: AES key wrapping
CSP: 128, 192, 256 bit keys
Modes: ECB
FIPS approved: Vendor Affirmed; the underlying AES algorithm has been CAVS tested.
Access: RWX
Notes: SP 800-38F
API functions: sg_aes_key_unwrap_kek_with_padding, sg_aes_key_unwrap_with_padding, sg_aes_key_wrap_kek_with_padding, sg_aes_key_wrap_with_padding, ssh_aes_key_unwrap, ssh_aes_key_unwrap_kek, ssh_aes_key_wrap, ssh_aes_key_wrap_kek

Service: Triple-DES encryption and decryption
CSP: 168 bit keys
Modes: ECB, CBC, OFB, CFB64
FIPS approved: Yes; Certs #1752, #1753, #1754, #1755, #1756, #1757
Access: RWX
Notes: SP 800-67
API functions: ssh_cipher_allocate, ssh_cipher_free, ssh_cipher_get_block_length, ssh_cipher_get_iv, ssh_cipher_get_iv_length, ssh_cipher_get_key_length, ssh_cipher_get_max_key_length, ssh_cipher_get_min_key_length, ssh_cipher_get_supported, ssh_cipher_has_fixed_key_length, ssh_cipher_is_fips_approved, ssh_cipher_name, sh_cipher_set_iv, ssh_cipher_supported, ssh_cipher_transform, ssh_cipher_transform_remaining, ssh_cipher_transform_with_iv, ssh_cipher_get_block_len

Asymmetric Algorithms

Service: DSA domain parameter generation
CSP: L=2048, N=224; L=2048, N=256; L=3072, N=256
FIPS approved: Yes; Certs #878, #879, #880, #881, #882, #883
Access: RWX
Notes: FIPS 186-4
API functions: ssh_private_key_generate

Service: DSA key pair generation
CSP: L=2048, N=224; L=2048, N=256; L=3072, N=256
FIPS approved: Yes; Certs #878, #879, #880, #881, #882, #883
Access: RWX
Notes: FIPS 186-4
API functions: ssh_private_key_generate, ssh_private_key_derive_public_key

Service: DSA signature generation
CSP: L=2048, N=224; L=2048, N=256; L=3072, N=256
FIPS approved: Yes; Certs #878, #879, #880, #881, #882, #883
Access: RX
Notes: FIPS 186-4
API functions: ssh_private_key_sign, ssh_private_key_sign_async, ssh_private_key_sign_digest, ssh_private_key_sign_digest_async, ssh_private_key_max_signature_input_len, ssh_private_key_max_signature_output_len, ssh_private_key_derive_signature_hash, ssh_proxy_key_rgf_sign

Service: DSA signature verification
CSP: L=1024, N=160; L=2048, N=224; L=2048, N=256; L=3072, N=256
FIPS approved: Yes; Certs #878, #879, #880, #881, #882, #883
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_verify_async, ssh_public_key_verify_digest_async, ssh_public_key_verify_signature, ssh_public_key_verify_signature_with_digest, ssh_public_key_derive_signature_hash, ssh_proxy_key_rgf_verify

Service: DSA public key validation
CSP: 1024, 2048, 3072 bits modulus size
FIPS approved: N/A
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_validate

Service: RSA key generation
CSP: 2048, 3072 modulus size; public key value 65537
FIPS approved: Yes; Certs #1549, #1550, #1551, #1552, #1553, #1554
Access: RWX
Notes: FIPS 186-4
API functions: ssh_private_key_generate, ssh_private_key_derive_public_key, ssh_mp_fip186_ifc_aux_prime_create, ssh_mp_fips186_ifc_prime_factor, sg_mp_fip186_ifc_aux_prime_create

Service: RSA signature generation based on PKCS#1 v1.5
CSP: 2048, 3072 bit modulus
Modes: SHA-224, SHA-256, SHA-384, SHA-512
FIPS approved: Yes; Certs #1549, #1550, #1551, #1552, #1553, #1554
Access: RX
Notes: FIPS 186-4
API functions: ssh_private_key_sign, ssh_private_key_sign_async, ssh_private_key_sign_digest, ssh_private_key_sign_digest_async, ssh_private_key_max_signature_input_len, ssh_private_key_max_signature_output_len, ssh_private_key_derive_signature_hash, ssh_proxy_key_rgf_sign

Service: RSA signature verification based on PKCS#1 v1.5
CSP: 1024, 2048, 3072 bit modulus
Modes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
FIPS approved: Yes; Certs #1549, #1550, #1551, #1552, #1553, #1554
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_verify_async, ssh_public_key_verify_digest_async, ssh_public_key_verify_signature, ssh_public_key_verify_signature_with_digest, ssh_public_key_derive_signature_hash, ssh_proxy_key_rgf_verify

Service: RSA signature generation based on PSS (probabilistic signature scheme)
CSP: 2048, 3072 bit modulus
Modes: SHA-224, SHA-256, SHA-384, SHA-512
FIPS approved: Yes; Certs #1549, #1550, #1551, #1552, #1553, #1554
Access: RX
Notes: FIPS 186-4
API functions: ssh_private_key_sign, ssh_private_key_sign_async, ssh_private_key_sign_digest, ssh_private_key_sign_digest_async, ssh_private_key_max_signature_input_len, ssh_private_key_max_signature_output_len, ssh_private_key_derive_signature_hash, ssh_proxy_key_rgf_sign

Service: RSA signature verification based on PSS (probabilistic signature scheme)
CSP: 1024, 2048, 3072 bit modulus
Modes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
FIPS approved: Yes; Certs #1549, #1550, #1551, #1552, #1553, #1554
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_verify_async, ssh_public_key_verify_digest_async, ssh_public_key_verify_signature, ssh_public_key_verify_signature_with_digest, ssh_public_key_derive_signature_hash, ssh_proxy_key_rgf_verify

Service: RSA public key validation
CSP: 1024, 2048, 3072 bit modulus
FIPS approved: N/A
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_validate

Service: ECDSA key pair generation
CSP: 224, 256, 384, 521 bit prime modulus
FIPS approved: Yes; Certs #537, #538, #539, #540, #541, #542
Access: RWX
Notes: FIPS 186-4
API functions: ssh_private_key_generate, ssh_private_key_derive_public_key

Service: ECDSA signature generation
CSP: 224, 256, 384, 521 bit prime modulus
FIPS approved: Yes; Certs #537, #538, #539, #540, #541, #542
Access: RX
Notes: FIPS 186-4
API functions: ssh_private_key_sign, ssh_private_key_sign_async, ssh_private_key_sign_digest, ssh_private_key_sign_digest_async, ssh_private_key_max_signature_input_len, ssh_private_key_max_signature_output_len, ssh_proxy_key_rgf_sign

Service: ECDSA signature verification
CSP: 192, 224, 256, 384, 521 bit prime modulus
FIPS approved: Yes; Certs #537, #538, #539, #540, #541, #542
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_verify_async, ssh_public_key_verify_digest_async, ssh_public_key_verify_signature, ssh_public_key_verify_signature_with_digest, ssh_public_key_derive_signature_hash, ssh_proxy_key_rgf_verify

Service: ECDSA public key validation
CSP: 192, 224, 256, 384, 521 bit prime modulus
FIPS approved: Yes; Certs #537, #538, #539, #540, #541, #542
Access: RX
Notes: FIPS 186-4
API functions: ssh_public_key_validate

Service: Asymmetric key management
CSP: Private keys
FIPS approved: N/A
Access: RW
API functions: ssh_private_key_copy, ssh_private_key_free, ssh_private_key_get_info, ssh_private_key_is_fips_approved, ssh_private_key_name, ssh_private_key_precompute, ssh_private_key_select_scheme, ssh_public_key_copy, ssh_public_key_create_proxy, ssh_public_key_free, ssh_public_key_get_info, ssh_public_key_get_predefined_groups, ssh_public_key_get_supported, ssh_public_key_is_fips_approved, ssh_public_key_name, ssh_public_key_precompute

Hash Functions

Service: SHA-1
CSP: N/A
FIPS approved: Yes; Certs #2482, #2483, #2484, #2485, #2486, #2487
Access: RX
Notes: FIPS 180-4
API functions: ssh_hash_allocate, ssh_hash_asn1_oid, ssh_hash_asn1_oid_compare, ssh_hash_asn1_oid_generate, ssh_hash_compare_result, ssh_hash_compare_start, ssh_hash_digest_length, ssh_hash_final, ssh_hash_free, ssh_hash_get_supported, ssh_hash_input_block_size, ssh_hash_is_fips_approved, ssh_hash_name, ssh_hash_reset, ssh_hash_supported, ssh_hash_update, ssh_hash_of_buffer, ssh_sha_transform, ssh_sha_permuted_transform

Service: SHA-224, SHA-256, SHA-384, SHA-512
CSP: N/A
FIPS approved: Yes; Certs #2482, #2483, #2484, #2485, #2486, #2487
Access: RX
Notes: FIPS 180-4
API functions: ssh_hash_allocate, ssh_hash_asn1_oid, ssh_hash_asn1_oid_compare, ssh_hash_asn1_oid_generate, ssh_hash_compare_result, ssh_hash_compare_start, ssh_hash_digest_length, ssh_hash_final, ssh_hash_free, ssh_hash_get_supported, ssh_hash_input_block_size, ssh_hash_is_fips_approved, ssh_hash_name, ssh_hash_reset, ssh_hash_supported, ssh_hash_update, ssh_hash_of_buffer

Message Authentication Codes (MACs)

Service: HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
CSP: At least 112 bits HMAC key
Modes: N/A
FIPS approved: Yes; Certs #1869, #1870, #1871, #1872, #1873, #1874
Access: RWX
Notes: FIPS 198-1
API functions: ssh_mac_allocate, ssh_mac_final, ssh_mac_free, ssh_mac_get_block_length, ssh_mac_get_max_key_length, ssh_mac_get_min_key_length, ssh_mac_get_supported, ssh_mac_is_fips_approved, ssh_mac_length, ssh_mac_name, ssh_mac_reset, ssh_mac_supported, ssh_mac_update

Random Number Generation

Service: DRBG
CSP: Seed with 256-bit entropy; entropy input string with 256-bit entropy
Modes: AES 256 ECB
FIPS approved: Yes; Certs #549, #550, #551, #552, #553, #554, #555, #556
Access: RWX
Notes: SP 800-90A
API functions: ssh_random_add_noise, ssh_random_get_byte, ssh_random_get_uint32, ssh_random_stir, ssh_random_get_supported, ssh_random_supported, ssh_random_is_fips_approved, ssh_random_allocate, ssh_random_free, ssh_random_name, ssh_random_add_entropy, ssh_random_add_light_noise, ssh_mprz_aux_mod_random, ssh_mprz_aux_mod_random_entropy

Key Agreement

Service: Diffie-Hellman
CSP: Diffie-Hellman secret, shared secret
FIPS approved: Yes; Certs #344, #346, #348, #350, #352, #354
Access: RWX
Notes: SP 800-56A
API functions: ssh_pk_group_copy, ssh_pk_group_count_randomizers, ssh_pk_group_dh_agree, ssh_pk_group_dh_agree_async, ssh_pk_group_dh_agree_max_output_length, ssh_pk_group_dh_return_randomizer, ssh_pk_group_dh_secret_free, ssh_pk_group_dh_setup, ssh_pk_group_dh_setup_async, ssh_pk_group_dh_setup_max_output_length, ssh_pk_group_free, ssh_pk_group_generate, ssh_pk_group_generate_randomizer, ssh_pk_group_get_info

Service: EC Diffie-Hellman
CSP: EC Diffie-Hellman secret, shared secret
FIPS approved: Yes; Certs #344, #345, #346, #347, #348, #349, #350, #351, #352, #353, #354, #355
Access: RWX
Notes: SP 800-56A
API functions: ssh_pk_group_copy, ssh_pk_group_count_randomizers, ssh_pk_group_dh_agree, ssh_pk_group_dh_agree_async, ssh_pk_group_dh_agree_max_output_length, ssh_pk_group_dh_return_randomizer, ssh_pk_group_dh_secret_free, ssh_pk_group_dh_setup, ssh_pk_group_dh_setup_async, ssh_pk_group_dh_setup_max_output_length, ssh_pk_group_free, ssh_pk_group_generate, ssh_pk_group_generate_randomizer, ssh_pk_group_get_info, ssh_pk_group_precompute, ssh_pk_group_select_scheme, ssh_dh_group_create_proxy

Key Entry and Output

Service: DSA key entry
CSP: DSA private key and public key
FIPS approved: N/A
Access: W
API functions: ssh_pk_import, ssh_private_key_define, ssh_private_key_import, ssh_public_key_define, ssh_public_key_import

Service: DSA key output
CSP: DSA private key and public key
FIPS approved: N/A
Access: R
API functions: ssh_pk_export, ssh_private_key_export

Service: RSA key entry
CSP: RSA private key and public key
FIPS approved: N/A
Access: W
API functions: ssh_pk_import, ssh_private_key_define, ssh_private_key_import, ssh_public_key_define, ssh_public_key_import

Service: RSA key output
CSP: RSA private key and public key
FIPS approved: N/A
Access: R
API functions: ssh_pk_export, ssh_private_key_export

Service: ECDSA key entry
CSP: ECDSA private key and public key
FIPS approved: N/A
Access: W
API functions: ssh_pk_import, ssh_private_key_define, ssh_private_key_import, ssh_public_key_define, ssh_public_key_import

Service: ECDSA key output
CSP: ECDSA private key and public key
FIPS approved: N/A
Access: R
API functions: ssh_pk_export, ssh_private_key_export

Service: Diffie-Hellman key entry
CSP: Diffie-Hellman private key and public key
FIPS approved: N/A
Access: W
API functions: ssh_pk_import, ssh_pk_group_import, ssh_pk_group_import_randomizers

Service: Diffie-Hellman key output
CSP: Diffie-Hellman private key and public key
FIPS approved: N/A
Access: R
API functions: ssh_pk_export, ssh_pk_group_export, ssh_pk_group_export_randomizers

Service: EC Diffie-Hellman key entry
CSP: EC Diffie-Hellman private key and public key
FIPS approved: N/A
Access: W
API functions: ssh_pk_import, ssh_pk_group_import, ssh_pk_group_import_randomizers

Service: EC Diffie-Hellman key output
CSP: EC Diffie-Hellman private key and public key
FIPS approved: N/A
Access: R
API functions: ssh_pk_export, ssh_pk_group_export, ssh_pk_group_export_randomizers

Management

Service: Installation
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: N/A
Notes: Please refer to section 11.3 "Cryptographic Officer Guidance" for secure installation of the module.

Service: Initialization
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_crypto_library_initialize, ssh_crypto_library_register_noise_request, ssh_crypto_library_register_progress_func, ssh_pk_provider_register, sg_crypto_register_error_callback, ssh_random_noise_polling_init, ssh_drbg_instantiate, sg_drbg_enable_continuous_test, ssh_drbg_reseed, ssh_drbg_generate, ssh_drbg_uninstantiate

Service: Mode management
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_crypto_get_certification_mode, ssh_crypto_set_certification_mode

Service: Uninitialization
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_crypto_free, ssh_crypto_library_uninitialize, ssh_crypto_library_unregister_noise_request, ssh_random_noise_polling_uninit

Service: External crypto registration
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
Notes: External crypto registration is not supported on the tested McAfee platforms. The functions below return SG_CRYPTO_REGISTER_NOT_SUPPORTED.
API functions: sg_cipher_external_register, sg_cipher_external_unregister, sg_hash_external_register, sg_hash_external_unregister, sg_mac_external_register, sg_mac_external_unregister, sg_ciphermac_external_register, sg_ciphermac_external_unregister

Status

Service: Query status
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_crypto_library_get_status, ssh_crypto_library_get_version, ssh_crypto_status_message

Self-tests

Service: Perform self-tests
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_crypto_library_self_tests

Other services

Service: Compression
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_compress_allocate, ssh_compress_free, ssh_compress_get_supported, ssh_compress_is_none, ssh_compress_sync_levels, ssh_compress_buffer

Service: Auxiliary services
CSP: N/A
Modes: N/A
FIPS approved: N/A
Access: RX
API functions: ssh_aux_pkcs1_pad, ssh_aux_pkcs1_unpad, ssh_aux_pkcs1_wrap_and_pad, ssh_cipher_alias_get_native, ssh_cipher_alias_get_supported, ssh_cipher_alias_supported, ssh_ecp_set_param

Table 4: Services

4.3. Operator Authentication

There is no operator authentication; assumption of a role is implicit by action.

4.4. Mechanism and Strength of Authentication

No authentication is required at Security Level 1; authentication is implicit by assumption of the role.

5. Finite State Machine

The following diagram represents the states and transitions of the cryptographic module.

[Figure 3: Cryptographic Module Finite State Machine]

The state model contains the following states:
- UNLOADED: The start state of the cryptographic module is UNLOADED. The module is in this state until the shared library is loaded and linked to the application. Cryptographic operations are not available while in this state.
- UNINITIALIZED: The module is in the UNINITIALIZED state after it has been loaded but not yet initialized, or after it has been successfully uninitialized. Cryptographic operations are not available while in this state.
- SELF-TEST: The module performs power-up self-tests during initialization or on demand. Cryptographic operations are not available while in this state.
- OK: The module enters the FIPS mode in the "OK" state after successfully passing the power-up self-tests. The cryptographic services are available in this state.
- ERROR: The module enters this state after a self-test, a cryptographic operation or uninitialization has failed. An error indicator is output by the module.

The state transitions are as follows:

1. The shared library is loaded and linked dynamically to the application.
2. The cryptographic module is initialized using the ssh_crypto_library_initialize function. The function is called automatically when the shared library is loaded.
3. The self-tests succeed.
4. A cryptographic operation is performed successfully.
5. On-demand self-tests are performed using the ssh_crypto_library_self_tests function.
6. The cryptographic module is uninitialized using the ssh_crypto_library_uninitialize function.
7. The shared library is unloaded.
8. Power-up self-tests fail.
9. A conditional test fails during a cryptographic operation.
10. The module uninitialization fails because cryptographic objects are still referenced.
11. Cryptographic objects are no longer in use and the module uninitialization succeeds. This transition also occurs automatically when the power-up self-tests fail during the module initialization.

6. Physical Security

The cryptographic module is tested on the McAfee MIL-320, 5206, 3206, 3202, 1402, 1065 and 1035 appliances that consist of production-grade components with standard passivation and a production-grade enclosure.

7. Operational Environment

This module will operate in a modifiable operational environment per the FIPS 140-2 definition.
The module operates on the McAfee NGFW Debian GNU/Linux based hardened operating system that is set in the FIPS compatible mode of operation. Login to the operating system is disabled and only the preinstalled McAfee application is running on the system. Therefore the operational environment is considered non-modifiable. The application that uses the cryptographic module is also the single user of the module.

8. Cryptographic Key Management

Keys are established externally. CSPs can be accessed only using the API. The operating system protects the memory and the address space of the process from unauthorized access.

Name | Auth Role | Generation | Type | Output | Storage | Zeroization
HMAC key for module integrity check | User, CO | Manufacturer | 128 bits HMAC key | N/A | In module binary | Zeroization is not required per FIPS IG 7.4
AES symmetric keys | User | External, electronic entry | Symmetric key | N/A | Plaintext in memory | API call, power off
Triple-DES symmetric keys | User | External, electronic entry | Symmetric key | N/A | Plaintext in memory | API call, power off
DSA private key | User | DSA key generation using DRBG, externally using DSA key entry | Private key | Encrypted, plaintext | Plaintext in memory | API call, power off
RSA private key | User | RSA key generation using DRBG, externally using RSA key entry | Private key | Encrypted, plaintext | Plaintext in memory | API call, power off
ECDSA private key | User | ECDSA key generation using DRBG, externally using ECDSA key entry | Private key | Encrypted, plaintext | Plaintext in memory | API call, power off
HMAC key | User | External, electronic entry | HMAC key | N/A | Plaintext in memory | API call, power off
DRBG entropy input | User | External, electronic entry | Entropy input | N/A | Plaintext in memory | API call, power off
DRBG seed | User | /dev/random | Seed | N/A | Plaintext in memory | API call, power off
Diffie-Hellman secret | User | DSA key generation using DRBG | Private key | N/A | Plaintext in memory | API call, power off
Diffie-Hellman shared secret | User | Generated through Diffie-Hellman protocol | Symmetric key | Plaintext | Plaintext in memory | API call, power off
EC Diffie-Hellman secret | User | ECDSA key generation using DRBG | Private key | N/A | Plaintext in memory | API call, power off
EC Diffie-Hellman shared secret | User | Generated through Diffie-Hellman protocol | Symmetric key | Plaintext | Plaintext in memory | API call, power off

Table 5: Key Management

8.1. Random Number Generation

The cryptographic module implements an AES block cipher based DRBG with derivation function according to SP 800-90A. The module obtains the seed and the entropy input string by default from /dev/random. The entropy source can be changed by setting the new source either in the /etc/qscrypto.entropysource file or in the LIBQSCRYPTO_ENTROPY_SOURCE environment variable. The seed and the entropy input string are both 256 bytes long. Their security strength is 256 bits, i.e., 1 bit per byte is assumed. In the operational environment, /dev/random is used as the entropy source. The Linux kernel has been patched to contain the CPU Jitter Random Number Generator [19].

8.2. Key/CSP Generation

DSA key pairs are generated using random bits from the DRBG according to FIPS 186-4 Appendix B.1.1. RSA key pairs are generated using probable primes with conditions using auxiliary probable primes and random bits from the DRBG according to FIPS 186-4 Appendix B.3.6. ECDSA key pairs are generated using extra random bits from the DRBG according to FIPS 186-4 Appendix B.4.1.
Diffie-Hellman and EC Diffie-Hellman secrets and public values are generated using random bits from the DRBG.

8.3. Key/CSP Establishment

The cryptographic module supports Diffie-Hellman primitives for key agreement using ephemeral keys:

- FFC DH dhEphem, C(2, 0, FFC DH) using 2048-bit group
- ECC CDH Ephemeral Unified Model, C(2, 0, ECC CDH) using p-224, p-256, p-384, and p-521 curves

CAVEAT 1: Diffie-Hellman key agreement; key establishment methodology provides 112 bits of encryption strength.

CAVEAT 2: EC Diffie-Hellman key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength.

The cryptographic module also supports the AES key wrapping algorithm as a key transport method to wrap the private keys for imports/exports. The AES algorithm is FIPS 140-2-approved and its implementation in the module is certified by CAVP. The key size for AES key wrap can be 128, 192 or 256 bits depending on the key that is provided by the calling application.

CAVEAT 3: AES key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength.

8.4. Key Entry and Output

The cryptographic module supports electronic entry of symmetric keys and HMAC keys. The application using the cryptographic module can import secret keys to the module in plaintext within the physical boundary. In addition, private keys can be imported encrypted using AES key wrapping. Private keys can be exported in plaintext to the application using the module within the physical boundary. In addition, private keys can be exported encrypted using AES key wrapping. There is no output of intermediate key generation values from the module at any point in time. The module does not support manual entry of keys.
8.5. Key Storage

The keys and CSPs are stored in plaintext in memory. The module does not provide persistent storage of keys.

8.6. Zeroization Procedure

The stored keys and CSPs are zeroized when the application calls the appropriate API function: ssh_cipher_free, ssh_mac_free, ssh_private_key_free, ssh_pk_group_free and ssh_crypto_library_uninitialize. Intermediate key material is zeroized automatically by the module when no longer needed. All keys and CSPs can be zeroized by powering off the module and performing a system restore operation by the operational environment.

9. Self-Tests

9.1. Power-Up Tests

The power-up self-tests are executed automatically when the cryptographic module is loaded. The ssh_crypto_library_initialize() function returns 0 (SSH_CRYPTO_OK) when the power-up self-tests are successfully completed. If the power-up self-tests fail, the cryptographic module outputs an error message and enters an error state. No further operations are allowed when the module is in an error state. The cryptographic module causes the process to terminate with a non-zero exit status when the power-up self-tests have failed. The computer will need to be restarted in order for the cryptographic module to enter an operational state. Self-tests are performed on demand when the user calls the ssh_crypto_library_self_tests() function.
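The state machine of section 5 and the initialization contract of section 9.1 (return value 0 = SSH_CRYPTO_OK, error indicator, non-zero exit status on power-up failure, on-demand self-tests) as an added Python model; this is not code from the McAfee NGFW Cryptographic Library. The state names, transition numbers and Table 8 messages come from the policy; the CryptoLibrary class and its method names, the SHS/HMAC known-answer vectors (FIPS 180 "abc" digests and RFC 2202/4231 test case 2) and the EXIT_STATUS_SELF_TEST value are assumptions of the example.

```python
"""Model of the finite state machine (Section 5) and the self-test contract
(Section 9.1) of the McAfee NGFW Cryptographic Library. Added example: class and
method names, KAT vectors and EXIT_STATUS_SELF_TEST are assumptions."""
import hashlib
import hmac
from enum import Enum

SSH_CRYPTO_OK = 0          # ssh_crypto_library_initialize() returns 0 on success
EXIT_STATUS_SELF_TEST = 1  # constructed: the policy only says "non-zero exit status"
State = Enum("State", "UNLOADED UNINITIALIZED SELF_TEST OK ERROR")

class ConditionalTestFailure(Exception):
    """A conditional test (PCT or continuous DRBG test, Table 9) failed."""

def shs_kat():
    """Table 7: KAT for SHA-1, SHA-256 and SHA-512 (FIPS 180 "abc" vectors)."""
    expected = {
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                  "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
    }
    return all(hashlib.new(alg, b"abc").hexdigest() == d for alg, d in expected.items())

def hmac_kat():
    """Table 7: KAT for HMAC-SHA-1/-256/-512 (RFC 2202 / RFC 4231 test case 2)."""
    key, msg = b"Jefe", b"what do ya want for nothing?"
    expected = {
        "sha1": "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79",
        "sha256": "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
        "sha512": "164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea250554"
                  "9758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737",
    }
    return all(hmac.new(key, msg, alg).hexdigest() == d for alg, d in expected.items())

# (test, Table 8 message); only the SHS/HMAC KATs of Table 7 are implemented here.
POWER_UP_TESTS = [
    (shs_kat, "Hash algorithm test failed during self-test"),
    (hmac_kat, "Mac algorithm test failed during self-test"),
]

class CryptoLibrary:
    def __init__(self, tests=POWER_UP_TESTS):
        self.state = State.UNLOADED
        self.tests = tests
        self.referenced_objects = 0   # keys/groups the application has not freed
        self.error_indicator = None   # message output when entering ERROR

    def _require(self, *allowed):
        if self.state not in allowed:
            raise RuntimeError(f"not allowed in state {self.state.name}")

    def load(self):                              # transition 1
        self._require(State.UNLOADED)
        self.state = State.UNINITIALIZED

    def _run_self_tests(self):                   # transitions 3 (pass) / 8 (fail)
        self.state = State.SELF_TEST
        for test, message in self.tests:
            if not test():
                self.error_indicator = message
                self.state = State.ERROR
                return False
        self.state = State.OK
        return True

    def ssh_crypto_library_initialize(self):     # transition 2
        self._require(State.UNINITIALIZED)
        if self._run_self_tests():
            return SSH_CRYPTO_OK
        # Power-up failure: transition 11 fires automatically; the real library then exits non-zero.
        self.state = State.UNINITIALIZED
        return EXIT_STATUS_SELF_TEST

    def ssh_crypto_library_self_tests(self):     # transition 5 (on demand)
        self._require(State.OK)
        return self._run_self_tests()

    def crypto_operation(self, op):              # transitions 4 (ok) / 9 (fail)
        self._require(State.OK)                  # services only available in OK
        try:
            return op()
        except ConditionalTestFailure as exc:
            self.error_indicator = str(exc)
            self.state = State.ERROR
            raise

    def ssh_crypto_library_uninitialize(self):   # transitions 6, 10, 11
        self._require(State.OK, State.ERROR)
        if self.referenced_objects:
            self.state = State.ERROR             # 10: objects still referenced
            return False
        self.state = State.UNINITIALIZED         # 11: uninitialization succeeds
        return True

    def unload(self):                            # transition 7
        self._require(State.UNINITIALIZED)
        self.state = State.UNLOADED
```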
Algorithm | Test
AES | Known Answer Test (KAT); encryption and decryption are tested separately
Triple-DES | KAT; encryption and decryption are tested separately
DSA | Pair-wise consistency test (PCT) for DSA key pair generation
RSA | KAT for signature generation and verification, tested separately; PCT for RSA key pair generation
ECDSA | KAT for signature generation; PCT for ECDSA key pair generation
SHS | KAT for SHA-1, SHA-256 and SHA-512
HMAC | KAT for HMAC-SHA-1, HMAC-SHA-256 and HMAC-SHA-512
DRBG | KAT
Diffie-Hellman | KAT, PCT
EC Diffie-Hellman | KAT, PCT

Table 7: Power-Up Tests

The following are the error messages related to self-test failure:

Reason For Failure | Error Message
Failure of AES/Triple-DES KAT | Cipher algorithm test failed during self-test
Failure of RSA/DSA/Diffie-Hellman KAT or PCT | Public key algorithm test failed during self-test
Failure of ECDSA/EC Diffie-Hellman KAT or PCT | Unknown error code (exit code 160)
Failure of SHS KAT | Hash algorithm test failed during self-test
Failure of HMAC KAT | Mac algorithm test failed during self-test
Failure of integrity test | The checksum of the library is incorrect. Integrity has been compromised

Table 8: Error Messages Related to Self-Test Failure

It is the application's responsibility to reboot the appliance to recover the module from the error state. The library will not cause the rebooting of the appliance.

9.2. Integrity Check

The cryptographic module uses the HMAC-SHA-256 message authentication code of the module binary for the integrity tests. The module reads the module binary file, computes the HMAC-SHA-256 MAC of the file content and compares it to the known correct MAC that is input to the module when it is loaded.
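The integrity check just described, together with the two reference-MAC locations that section 10.3.3 names (the LIBQSCRYPTO_CHECKSUM environment variable and the /etc/checksums.fips file), as an added Python example; it is not the library's own code. The 128-bit key is a constructed stand-in for the manufacturer key that Table 5 places inside the module binary, the "<hex MAC>  <path>" line layout of the checksums file and the environment-variable-first precedence are assumptions (the policy describes neither), the module file name and success message are constructed, and the failure message is the one listed in Table 8.

```python
"""Integrity check of Section 9.2: HMAC-SHA-256 over the module binary, compared
with the known MAC that Section 10.3.3 locates in the LIBQSCRYPTO_CHECKSUM
environment variable or the /etc/checksums.fips file. Added example, not the
library's own code; key, file layout and precedence are assumptions."""
import hashlib
import hmac
import os
import tempfile

CHECKSUM_ENV = "LIBQSCRYPTO_CHECKSUM"
CHECKSUM_FILE = "/etc/checksums.fips"
INTEGRITY_ERROR = "The checksum of the library is incorrect. Integrity has been compromised"
INTEGRITY_PASSED = "integrity check passed"   # constructed; the policy names no success text
# Constructed stand-in for the 128-bit manufacturer key of Table 5, which the
# real module carries inside its own binary.
INTEGRITY_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def _is_hex_mac(value):
    """A well-formed HMAC-SHA-256 reference: 64 lowercase hex digits."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)

def compute_mac(path, key=INTEGRITY_KEY):
    """HMAC-SHA-256 of the whole file, streamed so large binaries need little memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def known_mac(module_path, env=os.environ, checksum_file=CHECKSUM_FILE):
    """Reference MAC, or None if none is usable (which fails the check).
    Assumed precedence: the environment variable wins; a malformed value is
    rejected rather than falling back. The checksums file is assumed to hold
    '<hex MAC>  <path>' lines in the style of sha256sum output."""
    value = env.get(CHECKSUM_ENV)
    if value is not None:
        value = value.strip().lower()
        return value if _is_hex_mac(value) else None
    try:
        with open(checksum_file) as f:
            for line in f:
                parts = line.strip().split(None, 1)
                if len(parts) == 2 and parts[1] == module_path and _is_hex_mac(parts[0].lower()):
                    return parts[0].lower()
    except OSError:
        pass
    return None

def integrity_check(module_path, env=os.environ, checksum_file=CHECKSUM_FILE):
    """Return (passed, message). A missing reference and a wrong MAC both fail;
    compare_digest keeps the comparison constant-time."""
    expected = known_mac(module_path, env, checksum_file)
    if expected is None or not hmac.compare_digest(compute_mac(module_path), expected):
        return False, INTEGRITY_ERROR
    return True, INTEGRITY_PASSED

def demo():
    """Constructed module binary and checksums file in a temporary directory.
    Returns the results for the intact file, the same file with one byte
    appended, and the tampered file with a fresh MAC supplied via the env var."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libqscrypto.so")               # constructed file name
        with open(lib, "wb") as f:
            f.write(b"\x7fELF" + b"constructed module image" * 4096)
        cks = os.path.join(d, "checksums.fips")
        with open(cks, "w") as f:
            f.write(f"{compute_mac(lib)}  {lib}\n")
        intact = integrity_check(lib, env={}, checksum_file=cks)
        with open(lib, "ab") as f:
            f.write(b"\x00")                                       # single-byte tampering
        tampered = integrity_check(lib, env={}, checksum_file=cks)
        from_env = integrity_check(lib, env={CHECKSUM_ENV: compute_mac(lib)}, checksum_file=cks)
        return intact, tampered, from_env
```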
9.3. Conditional Tests

Algorithm | Test
DSA | Pair-wise consistency test
RSA | Pair-wise consistency test
ECDSA | Pair-wise consistency test
DRBG | Continuous test

Table 9: Conditional Tests

The following are the error messages related to conditional test failure:

Reason For Failure | Error Message
Failure of DSA pair-wise consistency test | One of the following (%d is error code): "Private key consistency test failed: %d", "Public key consistency test failed: %d", "DH group consistency test failed: %d"; and "Cryptographic Library error occurred (1)"
Failure of RSA pair-wise consistency test | One of the following (%d is error code): "Private key consistency test failed: %d", "Public key consistency test failed: %d"; and "Cryptographic Library error occurred (1)"
Failure of ECDSA pair-wise consistency test | One of the following (%d is error code): "Private key consistency test failed: %d", "Public key consistency test failed: %d", "DH group consistency test failed: %d"; and "Cryptographic Library error occurred (1)"
Failure of DRBG continuous test | "Continuous DRBG test failed"; "Cryptographic Library error occurred (0)"

Table 10: Error Messages Related to Conditional Test Failure

10. Design Assurance

10.1. Configuration Management

Git and Lotus Notes are used for configuration management of the cryptographic module.

10.2. Delivery and Operation

The cryptographic module is never released as source code. It is delivered as part of the McAfee NGFW software (formerly Stonesoft Security Engine). The FIPS 140-2-compatible McAfee NGFW software image is downloaded from the McAfee website. The McAfee NGFW software is also preinstalled on McAfee NGFW appliances (see Table 2: Tested Platforms).
Product information for the appliances is available at the McAfee website: http://www.mcafee.com/us/products/next-generation-firewall.aspx

10.2.1. Downloading a FIPS 140-2-compatible engine version

A FIPS 140-2-compatible version of the McAfee NGFW software is downloaded as follows:

1. Go to the McAfee NGFW Downloads page at https://my.stonesoft.com/download.do.
2. Enter the Proof-of-License (POL) or Proof-of-Serial (POS) code in the License Identification field and click Submit.
3. Click McAfee NGFW downloads. The McAfee NGFW Downloads page opens.
4. Download the .zip installation file.
5. Verify the SHA checksum. The correct checksum is shown on the download page.

10.3. Cryptographic Officer Guidance

10.3.1. Installation

The cryptographic module is delivered as part of the McAfee NGFW software. To run the cryptographic module on a McAfee NGFW appliance, the NGFW software is set to a FIPS 140-2-compatible operating mode.

10.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version

McAfee NGFW appliances are delivered with the most recent engine software preinstalled. The engine software must be upgraded to the FIPS 140-2-compatible engine version before entering FIPS-compatible operating mode. This is necessary even if the same version was installed previously, because the file system checksum is stored during the upgrade process.

To upgrade to the FIPS-compatible engine version:

1. Save the FIPS 140-2-compatible engine upgrade zip file in the root directory of a USB memory stick.
   Note – The engine upgrade zip file must be in the root directory of the media.
2. Boot up the appliance. The Engine Configuration Wizard starts.
3. Select Upgrade. The Select Source Media dialog opens.
4. Select USB Memory. The upgrade starts.
5. Select OK. The engine reboots and the Engine Configuration Wizard starts with the engine image verification dialog shown. Select Calculate. The file system checksum is calculated and displayed below the checksum from the engine image zip file.
6. Verify that the calculated checksum is identical to the checksum from the zip file.
7. Select OK. The engine reboots.
8. Check the engine version to make sure that the certified version is loaded. Continue as instructed in Configuring the engine, below.

10.3.1.2 Configuring the engine

To configure the engine:

1. Start the Engine Configuration Wizard as instructed in the Configuring the Engine in the Engine Configuration Wizard section of the McAfee NGFW Installation Guide.
2. Configure the Operating System settings as instructed in the Configuring the Operating System Settings section of the McAfee NGFW Installation Guide. Select Restricted FIPS-compatible operating mode. The SSH daemon and root password options are automatically disabled in the Engine Configuration Wizard.
3. Configure the network interfaces according to your environment as instructed in the Configuring the Network Interfaces section of the McAfee NGFW Installation Guide.
4. Contact the Management Server as instructed in the Contacting the Management Server section of the McAfee NGFW Installation Guide. Enter node IP address manually is selected by default and other IP address options are disabled when FIPS-compatible operating mode is enabled. The engine restarts.

10.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode

Restricted FIPS-compatible operating mode must be enabled during the initial configuration of the appliance. The following steps describe how to verify that FIPS 140-2-compatible operating mode has been activated.

To verify activation of FIPS 140-2-compatible operating mode:

1. Verify that the following messages are displayed on the console when the engine restarts:
   FIPS: rootfs integrity check OK (displayed after the root file system integrity test has been executed successfully)
   FIPS power-up tests succeeded (displayed after the FIPS 140-2 power-up tests have been executed successfully)
2. Continue as instructed in the After Successful Management Server Contact section of the McAfee NGFW Installation Guide.

Note – If the engine does not enter the FIPS 140-2-compatible operating mode even though it is configured to do so, or if the power-up tests fail (a power-up test error message is displayed or the success message is not displayed), the appliance must be reset to factory settings and reinstalled as instructed in Recovering from a FIPS 140-2 self-test failure.

10.3.1.4 Resetting the appliance to factory settings

Resetting the appliance to factory settings is not part of the normal installation procedure. There is no need to reset the appliance to factory settings before starting to use it for the first time. These instructions can be used to reset the appliance to factory settings when necessary, such as when initial configuration has been completed without enabling the Restricted FIPS 140-2-compatible operating mode, during use, or when the appliance is being removed from use.

To reset the appliance to factory settings:

1. Reboot the appliance and select System restore options from the boot menu. McAfee NGFW System Restore star`ts.
2. Enter 2 for Advanced data removal options.
3. Enter one of the following options:
   - 1 for 1 pass overwrite
   - 8 for a Custom number of overwrite passes
   If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is more secure, but it may take a considerable amount of time depending on the appliance storage capacity.

10.3.1.5 Recovering from a FIPS 140-2 self-test failure

If the FIPS 140-2 power-up self-tests fail, or the engine does not enter FIPS 140-2-compatible operating mode, the appliance must be reset to factory settings and reinstalled according to these instructions. Begin by Resetting the appliance to factory settings.

To recover from a FIPS 140-2 self-test failure:

1. Reset the appliance to factory settings as instructed in Resetting the appliance to factory settings.
2. Repeat the engine version upgrade as instructed in Upgrading appliances to the FIPS 140-2-compatible engine version.
3. Configure the firewall engine and enable FIPS 140-2-compatible operating mode as instructed in Configuring the engine.
4. Verify that FIPS-compatible operating mode is activated as instructed in Verifying activation of FIPS 140-2-compatible operating mode.

10.3.2. Entropy Source

The cryptographic module uses /dev/random as the default entropy source. The entropy source can be changed by setting the new source either in the /etc/qscrypto.entropysource file or in the LIBQSCRYPTO_ENTROPY_SOURCE environment variable. /dev/random is always used as the entropy source for the cryptographic module when the McAfee NGFW software is in FIPS-compatible operating mode.

10.3.3. Initialization

The cryptographic module is initialized using the ssh_crypto_library_initialize() function before any cryptographic functionality is available.
In order for the integrity check to succeed, the known HMAC-SHA-256 MAC needs to be available either in the /etc/checksums.fips file or in the LIBQSCRYPTO_CHECKSUM environment variable. The /etc/checksums.fips file is provided with the McAfee NGFW software.

10.4. User Guidance

10.4.1. AES GCM

In case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed.

10.4.2. Zeroization

When a cryptographic key is no longer used, the key must be zeroized and freed using the ssh_cipher_free, ssh_mac_free and ssh_private_key_free functions for symmetric key encryption/decryption, message authentication and public key cryptography, respectively.

10.4.3. Key Export

Private keys must not be exported unencrypted outside the physical module boundary from the application using the cryptographic module.

11. Mitigation of Other Attacks

No other attacks are mitigated.

12. Glossary and Abbreviations

AES      Advanced Encryption Specification
API      Application Programming Interface
CAVP     Cryptographic Algorithm Validation Program
CBC      Cipher Block Chaining
CFB      Cipher Feedback
CMT      Cryptographic Module Testing
CMVP     Cryptographic Module Validation Program
CO       Cryptographic Officer
CSP      Critical Security Parameter
CTR      Counter
CVT      Component Verification Testing
DES      Data Encryption Standard
DH       Diffie-Hellman
DSA      Digital Signature Algorithm
ECB      Electronic Codebook
ECDH     EC Diffie-Hellman
EMC      Electromagnetic Compatibility
EMI      Electromagnetic Interference
FCC      Federal Communications Commission
FIPS     Federal Information Processing Standards
FSM      Finite State Model
GCM      Galois Counter Mode
HMAC     Hash Message Authentication Code
KAT      Known Answer Test
MAC      Message Authentication Code
NIST     National Institute of Science and Technology
NVLAP    National Voluntary Laboratory Accreditation Program
OFB      Output Feedback
O/S      Operating System
PCT      Pair-wise Consistency Test
RNG      Random Number Generator
RSA      Rivest, Shamir, Adleman
SHA      Secure Hash Algorithm
SHS      Secure Hash Standard
UI       User Interface

13. References

[1] FIPS 140-2 Standard, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
[2] FIPS 140-2 Implementation Guidance, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
[3] FIPS 140-2 Derived Test Requirements, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf
[4] FIPS 197, Advanced Encryption Standard (AES), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[5] FIPS 180-4, Secure Hash Standard, http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[6] FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC), http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[7] FIPS 186-2, Digital Signature Standard, http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf
[8] FIPS 186-4, Digital Signature Standard (DSS), http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[9] ANS X9.31 Appendix A.2.4, Random Number Generator, http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
[10] NIST SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
[11] NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
[12] NIST SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
[13] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[14] NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
[15] NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
[16] NIST SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf
[17] NIST SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
[18] NIST SP 800-131A, Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
[19] CPU Time Jitter Based Non-Physical True Random Number Generator, http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf

© 2015 McAfee, Inc./atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.