Vormetric, Inc

Vormetric Encryption Expert Cryptographic Module
Software Version 5.1.3

FIPS 140-2 Non-Proprietary Security Policy
Level 1 Validation

02 March 2015

© 2014 Vormetric Inc. All rights reserved. www.vormetric.com
This document may be freely reproduced and distributed whole and intact including this copyright notice.

Table of Contents

1 INTRODUCTION
1.1 Purpose
1.2 References
1.3 Document History
2 PRODUCT DESCRIPTION
2.1 Cryptographic Boundary
2.2 Platform Considerations
3 MODULE PORTS AND INTERFACES
4 ROLES, SERVICES AND AUTHENTICATION
4.1 Roles and Services
4.2 Authentication
4.3 Authorized Services
5 PHYSICAL SECURITY
6 Operational Environment
7 CRYPTOGRAPHIC KEY MANAGEMENT
7.1 Cryptographic Keys and CSPs
7.2 Approved Security Algorithms
8 EMI/EMC
9 SELF-TEST
9.1 Power-up Self-Tests
9.2 Conditional Self-Tests
10 Crypto-Officer and User Guidance
10.1 Secure Setup, Initialization, and Operation
10.2 Module Security Policy Rules
11 Design Assurance
12 Mitigation of Other Attacks

1 INTRODUCTION

1.1 Purpose

This is a non-proprietary FIPS 140-2 Security Policy for the version 5.1.3 Vormetric Encryption Expert Cryptographic Module. It describes how this module meets all the requirements as specified in the FIPS 140-2 Level 1 requirements.
This Policy forms a part of the submission package to the validating lab.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2) specifies the security requirements for a cryptographic module protecting sensitive information. Based on four security levels for cryptographic modules this standard identifies requirements in eleven sections.

1.2 References

This Security Policy describes how this module complies with the eleven sections of the Standard:

- For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at csrc.nist.gov/groups/STM/cmvp/index.html
- For more information about Vormetric, please visit www.vormetric.com

1.3 Document History

| Authors | Date | Version | Comment |
|---|---|---|---|
| Mike Yoder | 18 June 2013 | 0.1 | First Draft |
| Mike Yoder | 9 August 2013 | 0.2 | Second Draft |
| Mike Yoder | 12 February 2014 | 0.3 | Changed version 5.1.2 -> 5.1.3 |
| Mike Yoder | 26 March 2014 | 0.4 | Added algorithm numbers |
| Peter Henscheid | 25 August 2014 | 0.5 | Changed software module to software-hybrid module |
| Peter Henscheid | 19 December 2014 | 0.6 | Added encryption hardware documentation |
| Peter Henscheid | 4 February 2015 | 0.7 | Third Draft |
| Jonathan Smith | 13 February 2015 | 0.8 | Fourth Draft |
| Jonathan Smith | 2 March 2015 | 0.9 | Fifth Draft |

Non-Proprietary Security Policy, Vormetric Encryption Expert Agent v 5.1.3

2 PRODUCT DESCRIPTION

The Vormetric Encryption Expert Cryptographic Module is a Level 1 FIPS 140-2 module of type Software-Hybrid with an embodiment classified as Multi-chip Standalone. This module is a subset of the Vormetric Encryption Expert Agent, which in turn is part of the Vormetric Data Security solution.

The Vormetric Encryption Expert Cryptographic Module interacts with the Vormetric Data Security Manager, which is itself a cryptographic hardware module. It has been validated separately from this module.

The Vormetric Encryption Expert Cryptographic Module is a loadable kernel module also known as “SECFS” (SECure File System).
This module is a file system layer that enforces an access and encryption policy upon selected data on end-user systems. The policy specifies a key to be used when writing data to disk and while reading data from disk. This module contains the Vormetric Encryption Expert Cryptographic Library, which provides all cryptographic services.

The Vormetric Encryption Expert Cryptographic Module implements Triple-DES, AES, SHA-1, SHA-256, and HMAC-SHA-256.

The product meets the overall requirements applicable to Level 1 security for FIPS 140-2.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles and Services and Authentication | 1 |
| Finite State Machine Model | 1 |
| Physical Security | 1 |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | N/A |
| Cryptographic Module Security Policy | 1 |
| Overall Level of Certification | 1 |

Table 1 - Module Compliance Table

2.1 Cryptographic Boundary

The Vormetric Encryption Expert Cryptographic Module’s boundary is illustrated in red in the figure below:

[Figure 1 – Logical Cryptographic Boundary]

The loadable kernel module for all Linux platforms (“SECFS” in the diagram above) is named “secfs2.ko”.

[Figure 2 – Physical Cryptographic Boundary]

2.2 Platform Considerations

This module is validated on Red Hat Enterprise Linux (RHEL 6.3), running on a Supermicro X9DR7 and SUSE Linux Enterprise Server (SLES 11 SP 2), running on a Supermicro X9DR7.

This module utilizes the “AES-NI” instruction set for AES cryptographic operations. All other cryptographic operations are performed in software inside the module boundary.

3 MODULE PORTS AND INTERFACES

The module is software based and designed to meet FIPS 140-2 Level 1 requirements.

| FIPS 140-2 Interface | Physical Interface | Logical Interface |
|---|---|---|
| Data Input interface | External Devices (LAN/USB/…), Keyboard | File System write() function calls |
| Data Output interface | External Devices (LAN/USB/…), Monitor | File System read() function calls |
| Control Input interface | External Devices (LAN/USB/…), Keyboard | Input parameters to ioctl() calls into the module |
| Status Output interface | External Devices (LAN/USB/…), Monitor | Output parameters from ioctl() calls into the module |

Table 2 – Mapping FIPS 140-2 Interfaces and Logical Interfaces

4 ROLES, SERVICES AND AUTHENTICATION

4.1 Roles and Services

The User and Crypto Officer roles are implicitly assumed by the entities that can access the interfaces to the cryptographic module. These entities do so implicitly through the file system read() and write() interfaces, and control through the ioctl() interfaces of the module.

4.2 Authentication

The module does not provide identification or authentication mechanisms that would distinguish between the two supported roles. Each process or thread accessing the module is logically separated by the operating system into independent contexts of execution, and hence the FIPS 140-2 requirement for a single user mode of operation is upheld.

4.3 Authorized Services

The Vormetric Encryption Expert Agent supports the services listed in the following tables. Each table shows the privileges of each role on a per-service basis. The privileges are divided into:

R - The item is read or referenced by the service.
W - The item is written or updated by the service.
E - The item is executed by the service. (The item is used as part of a cryptographic function.)

The cryptographic module is a loadable kernel module. This module utilizes the “AES-NI” instruction set, if available, for AES cryptographic operations.
It intercepts file system calls, evaluates a policy, and encrypts or decrypts data according to the rules in the policy. There are several control interfaces for this component, all of which have to do with either initialization or with policy and key configuration. These are accessed in the “Crypto Officer” role. The data input/output interfaces are done through intercepting file system calls, and are accessed in the “User” role.

The keys used in the Authorized Services are described in Section 7, “Key Management”, in Table 5.

| Authorized Services | Cryptographic Key/CSP | Roles | Access |
|---|---|---|---|
| Run Power-On Self Test | HMAC Integrity Key | Crypto Officer | E |
| Initialization (Also known as “registration”) | SECFS Private Key, SECFS Wrapping Key, SECFS HMAC Key | Crypto Officer | WE |
| Configuration Update (New configuration / policy / key information is given to the kernel module) | All keys in Table 5 | Crypto Officer | WE |
| Status Query | N/A | Crypto Officer | R |
| Rekey (converting data from being encrypted with one key to being encrypted with another) | File System Keys | Crypto Officer | RWE |
| Zeroization | All | Crypto Officer | WE |
| File System interfaces: read(), write(), etc | File System Keys (Triple-DES, AES 128-bit and 256-bit) | User | RWE |
| non-Approved Service: File System interfaces: read(), write(), etc | File System Keys (ARIA 128-bit and 256-bit) | User | RWE |

Table 3 – Authorized Services

Note: The module utilizes the AES-NI instructions when the module runs on processors that implement these instructions. The AES-NI instructions accelerate the AES algorithm.

5 PHYSICAL SECURITY

This software-hybrid module meets the level 1 physical security requirements. The module runs on a general purpose computer.

6 Operational Environment

The Vormetric Encryption Expert Agent operates in a “modifiable operational environment”. It exists as software executed in a commercially available operating system.
The specifically tested platforms are

| Operating System | Bits | Processor / System | Cryptographic Hardware |
|---|---|---|---|
| Red Hat Enterprise Linux 6.3 | 64 | Intel Xeon – Supermicro X9DR7 | Type: Intel® Xeon®; Part/Version: E5-2670 @ 2.60Ghz |
| SUSE Linux Enterprise Server 11 SP 2 | 64 | Intel Xeon – Supermicro X9DR7 | Type: Intel® Xeon®; Part/Version: E5-2670 @ 2.60Ghz |

Table 4 – Tested Platforms

[Figure 3 – Physical Cryptographic Hardware for AES-NI]

All other platforms supported by Vormetric are “Vendor Affirmed” to be FIPS 140-2 compliant as per FIPS Implementation Guidance section G.5. The CMVP allows vendor porting of a validated level 1 software-hybrid cryptographic module running on a CPU supporting the AES-NI instruction set from the GPC(s) specified on the validation certificate to a GPC that was not included as part of the validation status, as long as no source code modifications are required. The validation status is maintained on the new GPC without re-testing the cryptographic module on the new GPC. The CMVP makes no statement as to the correct operation of the module when so ported if the specific operational environment is not listed on the validation certificate.

7 CRYPTOGRAPHIC KEY MANAGEMENT

The cryptographic library manages keys. All of the keys and CSPs are generated externally.

7.1 Cryptographic Keys and CSPs

| Key | Generation | Storage | Use | Input/Output |
|---|---|---|---|---|
| HMAC Integrity Key (HMAC-SHA 256-bit, key size 256-bit) | At vendor facility | Incorporated into binary | Protects the integrity of the module | Hardcoded. Cannot be exported |
| SECFS HMAC Key (HMAC-SHA 256-bit, key size 256-bit) | At vendor facility | Incorporated into binary | Protects the integrity of keys when stored. | Hardcoded. Cannot be exported |
| SECFS Wrapping Key (AES 256-bit) | At vendor facility | Incorporated into binary | Protects storage of keys | Hardcoded. Cannot be exported |
| SECFS Private Key (RSA 2048-bit) | Generated externally to the module | Stored in encrypted form with AES | Protects the File System Key Encrypting Key for key transport | Input only. Cannot be exported |
| File System Key Encrypting Key (AES 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Protects the File System Keys | Input only. Cannot be exported |
| File System Keys (Triple-DES, AES 128-bit and 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Encrypts and decrypts file system data | Input only. Cannot be exported |
| File System Keys (ARIA 128-bit and 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Obfuscates and unobfuscates file system data. This is a non-approved security function | Input only. Cannot be exported |

Table 5 – Keys and CSPs

7.2 Approved Security Algorithms

The module keys map to the following algorithm certificates. On the Windows 2008 R2 platform the certificates from the Microsoft Kernel Mode Cryptographic Primitives Library (FIPS certificate #1335) are referenced. For AES encryption, Linux platforms have an algorithm certificate which utilizes AES-NI. All others are implemented in software inside the module boundary.

| Approved or Allowed Security Functions | Vormetric Encryption Expert Agent Certificate |
|---|---|
| Symmetric Encryption/Decryption | |
| AES: (CBC Mode; Encrypt/Decrypt; 128 and 256 bit) | 2807 |
| Triple-DES (3-key) (CBC Mode, Encrypt/Decrypt) | 1685 |
| Secure Hash Standard (SHS) | |
| SHA-1, SHA-256 | 2355 |
| Data Authentication Code | |
| HMAC-SHA-256 | 1758 |
| Allowed Security Function | |
| RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) | |
| Non-Approved Security Function | |
| ARIA: Obfuscate/Unobfuscate, Key Size = 128, 256 | |

Table 6 - Algorithms Table

8 EMI/EMC

The general purpose computers that this module was tested on meet the FCC Code of Federal Regulations, Title 47, Part 15, Subpart B as a class B unintentional radiator.

9 SELF-TEST

The module performs power-up self-tests and conditional self-tests.

9.1 Power-up Self-Tests

Any other processing and data input/output is inhibited while the tests are in progress. If any test fails, an error status such as “FIPS Algorithm Known Answer Test/Integrity test failed” is displayed and the module will cease operation. When each of the five tests runs to completion, a “FIPS Test passed” message is written to the log. When all five tests pass, the module is operating in FIPS mode. While running the non-Approved security function ARIA the module is in non-FIPS mode. To run these self-tests on demand, restart the module.

Cryptographic Algorithm KATs:

Known Answer Tests (KATs) are run at power-up for:

- AES (CBC mode for Encrypt/Decrypt)
- Triple-DES (3-key) (CBC mode for Encrypt/Decrypt)
- SHA-1, SHA-256
- HMAC-SHA-256

Software Integrity Tests:

The module checks the integrity of its object code when it is initialized. It performs an HMAC-SHA-256 of itself when it is loaded into the kernel; this is compared to an HMAC-SHA-256 digest generated during build time.
If the results are not the same, an error message is written to the output interface, and the kernel module will cease further operation.

9.2 Conditional Self-Tests

The module performs no conditional self-tests.

10 Crypto-Officer and User Guidance

This section shall describe the configuration, maintenance, and administration of the cryptographic module.

10.1 Secure Setup, Initialization, and Operation

It is the operator’s responsibility to operate the module according to the security policy rules described in the following section. To configure the module, the Crypto-Officer should

- Install the Vormetric Encryption Expert Agent software package
- Register with a Vormetric Data Security Server
- Verify that the fingerprints of the generated certificates match those shown on the Vormetric Data Security Server
- Verify that the message described in section 9.1 is emitted to ensure that the module is operating in a FIPS approved mode.

Zeroization is performed by uninstalling the module. The platform’s hard drive must be reformatted or overwritten after uninstallation.

To show the status of the module, run the command “vmsec status”.

10.2 Module Security Policy Rules

The module operates in FIPS mode after all the power-up self-tests have passed and the message described in section 9.1 has been displayed. However, when using the non-Approved Security Function ARIA the module is in a non-FIPS mode. To operate in FIPS mode, use only FIPS Approved security functions.

11 Design Assurance

Vormetric utilizes Concurrent Versioning System (CVS) for configuration management of product source code. Vormetric also utilizes Confluence, an internal wiki for configuration management of functional specifications and documentation. Both support authentication, access control, and logging.

A high-level programming language is used for all software components within the module.

Software is distributed either in person or via a secure https-based web site.

12 Mitigation of Other Attacks

The module does not mitigate against any specific attacks.
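
The power-up behaviour of section 9.1 (known answer tests, then an HMAC-SHA-256 integrity check against a build-time digest, with I/O inhibited until everything passes), as an added Python example that is not Vormetric's code. The key, module image, class and state names and the log-line layout are constructed assumptions; the AES and Triple-DES KATs are left out because Python's standard library has no block ciphers.

```python
import hashlib
import hmac

# Constructed stand-ins: the real key is hardcoded in the module binary and the
# reference digest is produced at build time; neither value is in the policy.
INTEGRITY_KEY = bytes(range(32))  # 256-bit HMAC key (constructed)
MODULE_IMAGE = b"\x7fELF constructed stand-in for the secfs2.ko object code"
BUILD_DIGEST = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).digest()

# Published known answers: the FIPS 180 "abc" vectors and RFC 4231 test case 1.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class SelfTestError(RuntimeError):
    """Raised when a KAT or the integrity test fails."""


class ToyModule:
    """Hypothetical model: I/O stays inhibited until every self-test passes."""

    def __init__(self, image, build_digest, kats=KATS):
        self.image, self.build_digest, self.kats = image, build_digest, kats
        self.state, self.log = "POWER_UP", []

    def power_up(self):
        try:
            for name, compute, expected in self.kats:
                if not hmac.compare_digest(compute(), expected):
                    raise SelfTestError(name + " KAT")
                self.log.append(name + ": FIPS Test passed")
            digest = hmac.new(INTEGRITY_KEY, self.image, hashlib.sha256).digest()
            if not hmac.compare_digest(digest, self.build_digest):
                raise SelfTestError("software integrity")
            self.log.append("integrity: FIPS Test passed")
            self.state = "OPERATIONAL"
        except SelfTestError as exc:
            # Any failure: the module ceases operation and write() stays refused.
            self.state = "ERROR"
            self.log.append("FIPS Algorithm Known Answer Test/Integrity test "
                            "failed (" + str(exc) + ")")
        return self.state

    def write(self, data):
        """Data-input service; refused unless the self-tests have passed."""
        if self.state != "OPERATIONAL":
            raise PermissionError("self-tests not passed; I/O inhibited")
        return len(data)


if __name__ == "__main__":
    module = ToyModule(MODULE_IMAGE, BUILD_DIGEST)
    print(module.power_up(), module.log)
```

Because the integrity key ships inside the binary it protects, this check detects corruption or unkeyed modification of the image rather than tampering by someone who can read the key from it.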