Vormetric, Inc
Vormetric Encryption Expert Cryptographic Module
Software Version 5.1.3
FIPS 140-2 Non-Proprietary Security Policy
Level 1 Validation
02 March 2015

© 2014 Vormetric Inc. All rights reserved. www.vormetric.com
This document may be freely reproduced and distributed whole and intact including this copyright notice.

Table of Contents

1 INTRODUCTION
1.1 Purpose
1.2 References
1.3 Document History
2 PRODUCT DESCRIPTION
2.1 Cryptographic Boundary
2.2 Platform Considerations
3 MODULE PORTS AND INTERFACES
4 ROLES, SERVICES AND AUTHENTICATION
4.1 Roles and Services
4.2 Authentication
4.3 Authorized Services
5 PHYSICAL SECURITY
6 Operational Environment
7 CRYPTOGRAPHIC KEY MANAGEMENT
7.1 Cryptographic Keys and CSPs
7.2 Approved Security Algorithms
8 EMI/EMC
9 SELF-TEST
9.1 Power-up Self-Tests
9.2 Conditional Self-Tests
10 Crypto-Officer and User Guidance
10.1 Secure Setup, Initialization, and Operation
10.2 Module Security Policy Rules
11 Design Assurance
12 Mitigation of Other Attacks

1 INTRODUCTION

1.1 Purpose

This is a non-proprietary FIPS 140-2 Security Policy for the version 5.1.3 Vormetric Encryption Expert Cryptographic Module. It describes how this module meets all the requirements as specified in the FIPS 140-2 Level 1 requirements.
This Policy forms a part of the submission package to the validating lab. FIPS 140-2 (Federal Information Processing Standards Publication 140-2) specifies the security requirements for a cryptographic module protecting sensitive information. Based on four security levels for cryptographic modules this standard identifies requirements in eleven sections.

1.2 References

This Security Policy describes how this module complies with the eleven sections of the Standard:

• For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at csrc.nist.gov/groups/STM/cmvp/index.html
• For more information about Vormetric, please visit www.vormetric.com

1.3 Document History

| Authors | Date | Version | Comment |
|---|---|---|---|
| Mike Yoder | 18 June 2013 | 0.1 | First Draft |
| Mike Yoder | 9 August 2013 | 0.2 | Second Draft |
| Mike Yoder | 12 February 2014 | 0.3 | Changed version 5.1.2 -> 5.1.3 |
| Mike Yoder | 26 March 2014 | 0.4 | Added algorithm numbers |
| Peter Henscheid | 21 May 2014 | 0.5 | Added algorithm numbers |
| Peter Henscheid | 25 August 2014 | 0.6 | Cleaned up typo |
| Peter Henscheid | 19 December 2014 | 0.7 | Third Draft |
| Peter Henscheid | 4 February 2015 | 0.8 | Fourth Draft |
| Jonathan Smith | 13 February 2015 | 0.9 | Fifth Draft |
| Jonathan Smith | 2 March 2015 | 0.9.1 | Sixth Draft |

Non-Proprietary Security Policy, Vormetric Encryption Expert Agent v 5.1.3

2 PRODUCT DESCRIPTION

The Vormetric Encryption Expert Cryptographic Module is a Level 1 FIPS 140-2 module of type Software with an embodiment classified as Multi-chip Standalone. This module is a subset of the Vormetric Encryption Expert Agent, which in turn is part of the Vormetric Data Security solution. The Vormetric Encryption Expert Cryptographic Module interacts with the Vormetric Data Security Manager, which is itself a cryptographic hardware module. It has been validated separately from this module.

The Vormetric Encryption Expert Cryptographic Module is a loadable kernel module also known as “SECFS” (SECure File System).
This module is a file system layer that enforces an access and encryption policy upon selected data on end-user systems. The policy specifies a key to be used when writing data to disk and while reading data from disk. This module contains the Vormetric Encryption Expert Cryptographic Library, which provides all cryptographic services.

The Vormetric Encryption Expert Cryptographic Module implements Triple-DES, AES, SHA-1, SHA-256, and HMAC-SHA-256.

The product meets the overall requirements applicable to Level 1 security for FIPS 140-2.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles and Services and Authentication | 1 |
| Finite State Machine Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | N/A |
| Cryptographic Module Security Policy | 1 |
| Overall Level of Certification | 1 |

Table 1 - Module Compliance Table

2.1 Cryptographic Boundary

The Vormetric Encryption Expert Cryptographic Module’s boundary is illustrated in red in the figure below:

Figure 1 – Logical Cryptographic Boundary

The loadable kernel module (“SECFS” in the diagram above) has different names on different operating systems. On 64-bit Windows it is called “vmmgmt.sys”. On AIX it is “secfs2”. On HPUX the name is “vormetric”.

Figure 2 – Physical Cryptographic Boundary

2.2 Platform Considerations

This module is validated on a variety of platforms: Windows 2008, HPUX 11iv3, and AIX 6.1.
Cryptographic operations are implemented in different places depending on the platform:

• For Windows 2008 AES and Triple-DES cryptography is performed by the Microsoft Kernel Mode Cryptographic Primitives Library, and hence uses validated FIPS certificate #1335
• For Windows 2008 SHA and HMAC cryptography is performed in software inside the module boundary
• For HPUX and AIX all cryptography is performed in software inside the module boundary

3 MODULE PORTS AND INTERFACES

The module is software based and designed to meet FIPS 140-2 Level 1 requirements.

| FIPS 140-2 Interface | Physical Interface | Logical Interface |
|---|---|---|
| Data Input interface | External Devices (LAN/USB/…), Keyboard | File System write() function calls |
| Data Output interface | External Devices (LAN/USB/…), Monitor | File System read() function calls |
| Control Input interface | External Devices (LAN/USB/…), Keyboard | Input parameters to ioctl() calls into the module |
| Status Output interface | External Devices (LAN/USB/…), Monitor | Output parameters from ioctl() calls into the module |

Table 2 – Mapping FIPS 140-2 Interfaces and Logical Interfaces

4 ROLES, SERVICES AND AUTHENTICATION

4.1 Roles and Services

The User and Crypto Officer roles are implicitly assumed by the entities that can access the interfaces to the cryptographic module. These entities do so implicitly through the file system read() and write() interfaces, and control through the ioctl() interfaces of the module.

4.2 Authentication

The module does not provide identification or authentication mechanisms that would distinguish between the two supported roles. Each process or thread accessing the module is logically separated by the operating system into independent contexts of execution, and hence the FIPS 140-2 requirement for a single user mode of operation is upheld.

4.3 Authorized Services

The Vormetric Encryption Expert Agent supports the services listed in the following tables.
Each table shows the privileges of each role on a per-service basis. The privileges are divided into:

R - The item is read or referenced by the service.
W - The item is written or updated by the service.
E - The item is executed by the service. (The item is used as part of a cryptographic function.)

The cryptographic module is a loadable kernel module. It intercepts file system calls, evaluates a policy, and encrypts or decrypts data according to the rules in the policy. There are several control interfaces for this component, all of which have to do with either initialization or with policy and key configuration. These are accessed in the “Crypto Officer” role. The data input/output interfaces are done through intercepting file system calls, and are accessed in the “User” role.

The keys used in the Authorized Services are described in Section 7, “Key Management”, in Table 5.

| Authorized Services | Cryptographic Key/CSP | Roles | Access |
|---|---|---|---|
| Run Power-On Self Test | HMAC Integrity Key | Crypto Officer | E |
| Initialization (Also known as “registration”) | SECFS Private Key, SECFS Wrapping Key, SECFS HMAC Key | Crypto Officer | WE |
| Configuration Update (New configuration / policy / key information is given to the kernel module) | All keys in Table 5 | Crypto Officer | WE |
| Status Query | N/A | Crypto Officer | R |
| Rekey (converting data from being encrypted with one key to being encrypted with another) | File System Keys | Crypto Officer | RWE |
| Zeroization | All | Crypto Officer | WE |
| File System interfaces: read(), write(), etc | File System Keys (Triple-DES, AES 128-bit and 256-bit) | User | RWE |
| non-Approved Service: File System interfaces: read(), write(), etc | File System Keys (ARIA 128-bit and 256-bit) | User | RWE |

Table 3 – Authorized Services

5 PHYSICAL SECURITY

This module does not claim to enforce any physical security as it is implemented entirely in software. The module runs on a general purpose computer.
6 Operational Environment

The Vormetric Encryption Expert Agent operates in a “modifiable operational environment”. It exists as software executed in a commercially available operating system. The specifically tested platforms are

| Processor | Operating System | Bits |
|---|---|---|
| Intel Core 2 Duo – Thinkpad T61 | Windows 2008 R2 | 64 |
| Itanium – HP Server rx7620 | HPUX 11i v3 | 64 |
| Power – AIX IBM P7 8233 | AIX 6.1 | 64 |

Table 4 – Tested Platforms

All other platforms supported by Vormetric are “Vendor Affirmed” to be FIPS 140-2 compliant as per FIPS Implementation Guidance section G.5. The CMVP allows vendor porting of a validated level 1 software cryptographic module from the GPC(s) specified on the validation certificate to a GPC that was not included as part of the validation status, as long as no source code modifications are required. The validation status is maintained on the new GPC without re-testing the cryptographic module on the new GPC. The CMVP makes no statement as to the correct operation of the module when so ported if the specific operational environment is not listed on the validation certificate.

7 CRYPTOGRAPHIC KEY MANAGEMENT

The cryptographic library manages keys. All of the keys and CSPs are generated externally.

7.1 Cryptographic Keys and CSPs

| Key | Generation | Storage | Use | Input/Output |
|---|---|---|---|---|
| HMAC Integrity Key (HMAC-SHA 256-bit, key size 256-bit) | At vendor facility | Incorporated into binary | Protects the integrity of the module | Hardcoded. Cannot be exported |
| SECFS HMAC Key (HMAC-SHA 256-bit, key size 256-bit) | At vendor facility | Incorporated into binary | Protects the integrity of keys when stored. | Hardcoded. Cannot be exported |
| SECFS Wrapping Key (AES 256-bit) | At vendor facility | Incorporated into binary | Protects storage of keys | Hardcoded. Cannot be exported |
| SECFS Private Key (RSA 2048-bit) | Generated externally to the module | Stored in encrypted form with AES | Protects the File System Key Encrypting Key for key transport | Input only, Cannot be exported |
| File System Key Encrypting Key (AES 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Protects the File System Keys | Input only, Cannot be exported |
| File System Keys (Triple-DES, AES 128-bit and 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Encrypts and decrypts file system data | Input only, Cannot be exported |
| File System Keys (ARIA 128-bit and 256-bit) | Generated externally by the Vormetric Data Security Server Module (NIST 800-90A DRBG) | Stored in encrypted form with AES | Obfuscates and unobfuscates file system data. This is a non-approved security function | Input only, Cannot be exported |

Table 5 – Keys and CSPs

7.2 Approved Security Algorithms

The module keys map to the following algorithm certificates. On the Windows 2008 R2 platform the certificates from the Microsoft Kernel Mode Cryptographic Primitives Library (FIPS certificate #1335) are referenced. For AES encryption, Linux platforms have an algorithm certificate which utilizes AES-NI. All others are implemented in software inside the module boundary.
| Approved Security Functions | Windows 2008 R2 Platform Certificate | Vormetric Encryption Expert Agent Certificate |
|---|---|---|
| Symmetric Encryption/Decryption | | |
| AES: (CBC Mode; Encrypt/Decrypt; 128 and 256 bit) | 1168 (From 140-2 cert number 1335) | 2807 |
| Triple-DES (3-key) (CBC Mode, Encrypt/Decrypt) | 846 (From 140-2 cert number 1335) | 1685 |
| Secure Hash Standard (SHS) | | |
| SHA-1, SHA-256 | | 2390, 2355 |
| Data Authentication Code | | |
| HMAC-SHA-256 | | 1788, 1758 |
| Allowed Security Function | | |
| RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) | | |
| Non-Approved Security Function | | |
| ARIA: Obfuscate/Unobfuscate, Key Size = 128, 256 | | |

Table 6 - Algorithms Table

8 EMI/EMC

The general purpose computers that this module was tested on meet the FCC Code of Federal Regulations, Title 47, Part 15, Subpart B as a class B unintentional radiator.

9 SELF-TEST

The module performs power-up self-tests and conditional self tests.

9.1 Power-up Self-Tests

Any other processing and data input/output is inhibited while the tests are in progress. If any test fails, an error status such as “FIPS Algorithm Known Answer Test/Integrity test failed” is displayed and the module will cease operation. When each of the five tests run to completion, a “FIPS Test passed” message is written to the log. When all five tests pass, the module is operating in FIPS mode. While running the non-Approved security function ARIA the module is in non-FIPS mode. To run these self-tests on demand, restart the module.

Cryptographic Algorithm KATs:

Known Answer Tests (KATs) are run at power-up for:

• AES (CBC mode for Encrypt/Decrypt)
• Triple-DES (3-key) (CBC mode for Encrypt/Decrypt)
• SHA-1, SHA-256
• HMAC-SHA-256

Software Integrity Tests:

The module checks the integrity of its object code when it is initialized. It performs an HMAC-SHA-256 of itself when it is loaded into the kernel; this is compared to an HMAC-SHA-256 digest generated during build time.
If the results are not the same, an error message is written to the output interface, and the kernel module will cease further operation.

9.2 Conditional Self-Tests

The module performs no conditional self-tests.

10 Crypto-Officer and User Guidance

This section shall describe the configuration, maintenance, and administration of the cryptographic module.

10.1 Secure Setup, Initialization, and Operation

It is the operator’s responsibility to operate the module according to the security policy rules described in the following section. To configure the module, the Crypto-Officer should

• Install the Vormetric Encryption Expert Agent software package
• Register with a Vormetric Data Security Server
• Verify that the fingerprints of the generated certificates match those shown on the Vormetric Data Security Server
• Verify that the message described in section 9.1 is emitted to ensure that the module is operating in a FIPS approved mode.
• Ensure that when running on the Windows 2008 platform, the Microsoft Kernel Mode Cryptographic Primitives Library is configured in FIPS mode according to the instruction in its Security Policy (FIPS 140-2 Certificate #1335). The Vormetric Encryption Expert module requires that the bound validated Microsoft Kernel Mode Cryptographic Primitives Library be in FIPS mode when running on this particular OE.

Zeroization is performed by uninstalling the module. The platform’s hard drive must be reformatted or overwritten after uninstallation.

To show the status of the module on UNIX platforms, run the command “vmsec status”. To show the status of the module on Windows platforms, click on the Vormetric icon in the tray and select “status”.

10.2 Module Security Policy Rules

The module operates in FIPS mode after all the power-up self tests have passed and the message described in section 9.1 has been displayed. However when using the non-Approved Security Function ARIA the module is in a non-FIPS mode.
To operate in FIPS mode use only FIPS Approved security functions.

11 Design Assurance

Vormetric utilizes Concurrent Versioning System (CVS) for configuration management of product source code. Vormetric also utilizes Confluence, an internal wiki for configuration management of functional specifications and documentation. Both support authentication, access control, and logging. A high-level programming language is used for all software components within the module. Software is distributed either in person or via a secure https-based web site. On the Windows 2008 R2 platform, the design assurance is inherited from the Microsoft Kernel Mode Cryptographic Primitives Library (FIPS certificate #1335).

12 Mitigation of Other Attacks

The module does not mitigate against any specific attacks.
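The power-up sequence from section 9.1 (known answer tests, then an HMAC-SHA-256 integrity check of the module image against a build-time digest, with every service inhibited until both pass), shown in Python as an added example that is not Vormetric's code. The `Module` class, `build_time_digest`, the per-test log suffixes, and the sample image and key are assumptions; only the hash and HMAC KATs are run, since the standard library has no block ciphers.

```python
import hashlib
import hmac

# Published vectors: FIPS 180 "abc" digests and RFC 4231 test case 1.
# AES and Triple-DES KATs are omitted: the standard library has no block ciphers.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class SelfTestError(Exception):
    """Raised when a known answer test or the integrity test fails."""


class Module:
    """Hypothetical wrapper (not Vormetric's code): fails closed until tests pass."""

    def __init__(self, image, integrity_key, build_digest):
        self.image, self.key, self.build_digest = image, integrity_key, build_digest
        self.state = "POWER_UP"
        self.log = []

    def power_up(self):
        try:
            for name, compute, expected in KATS:
                if not hmac.compare_digest(compute(), expected):
                    raise SelfTestError(name)
                self.log.append(f"FIPS Test passed ({name})")
            # Integrity test: HMAC-SHA-256 over the loaded image vs. build-time digest.
            tag = hmac.new(self.key, self.image, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, self.build_digest):
                raise SelfTestError("software integrity")
            self.log.append("FIPS Test passed (software integrity)")
        except SelfTestError as exc:
            self.state = "ERROR"  # cease operation; only a restart re-runs the tests
            self.log.append(f"FIPS Algorithm Known Answer Test/Integrity test failed ({exc})")
            return False
        self.state = "OPERATIONAL"
        return True

    def hmac_service(self, key, data):
        """Example service; refused unless every power-up test has passed."""
        if self.state != "OPERATIONAL":
            raise RuntimeError("service inhibited: self-tests not passed")
        return hmac.new(key, data, hashlib.sha256).digest()


def build_time_digest(image, key):
    """What the build would embed next to the module: HMAC-SHA-256 of its image."""
    return hmac.new(key, image, hashlib.sha256).digest()


# Constructed sample input: stand-in object code bytes and a made-up 256-bit key.
SAMPLE_IMAGE = b"constructed stand-in for the module object code"
SAMPLE_KEY = bytes(range(32))
```

Because the integrity key is incorporated into the binary (Table 5), this check detects corruption or modification of the image by someone who does not also recompute the digest with that key.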