Barracuda Cryptographic Software Module
Version 1.0.1.8
FIPS 140-2 Non-Proprietary Security Policy
Level 1 Validation
Document Version 1.7

Prepared By:
Barracuda Non-Proprietary Security Policy, Version 1.7, October 16, 2015

Revision History

| Version | Modification Date | Modified By | Description of Changes |
|---|---|---|---|
| 1.0 | 2014-09-12 | ICSA Labs | Initial Document |
| 1.1 | 2015-02-19 | Barracuda Networks | Incorporating comments from BAH |
| 1.2 | 2015-02-19 | ICSA Labs | Updated block diagram |
| 1.3 | 2015-02-19 | ICSA Labs | Formatting correction after updating block diagram |
| 1.4 | 2015-02-19 | ICSA Labs | Updated block diagram; updated Table of Contents to include section 7.5 (added in v1.1) |
| 1.5 | 2015-03-30 | Barracuda Networks | Updated RSA Certificate number |
| 1.6 | 2015-04-16 | Barracuda Networks | Updated section “Cryptographic Key Management” (section 7.2) |
| 1.7 | 2015-09-21 | Barracuda Networks | Incorporating comments from CMVP |

Barracuda Cryptographic Software Module © Barracuda Inc. 2015 – This document may be reproduced only in its entirety including this Copyright Notice.

Table of Contents

1 INTRODUCTION
  1.1 PURPOSE
2 CRYPTOGRAPHIC MODULE SPECIFICATION
  2.1 MODULE OVERVIEW
  2.2 SECURITY LEVELS
  2.3 MODES OF OPERATION
3 MODULE PORTS AND INTERFACES
4 ROLES, SERVICES, AND AUTHENTICATION
5 PHYSICAL SECURITY
6 OPERATIONAL ENVIRONMENT
7 CRYPTOGRAPHIC KEY MANAGEMENT
  7.1 CRITICAL SECURITY PARAMETERS (CSPS)
  7.2 KEY GENERATION
  7.3 KEY ENTRY, STORAGE, OUTPUT
  7.4 ZEROIZATION
  7.5 ENTROPY
8 EMI/EMC
9 SELF-TESTS
10 DESIGN ASSURANCE
11 MITIGATION OF OTHER ATTACKS
12 CRYPTO-OFFICER AND USER GUIDANCE
13 ACRONYMS

Table of Figures

FIGURE 2-1: LOGICAL BLOCK DIAGRAM

Table of Tables

TABLE 2-1: TESTED CONFIGURATIONS
TABLE 2-2: SECURITY LEVEL PER FIPS 140-2
TABLE 2-3: FIPS APPROVED ALGORITHMS
TABLE 3-1: FIPS 140-2 LOGICAL INTERFACES
TABLE 4-1: FIPS APPROVED SERVICES WITH ROLES/CSPS
TABLE 4-2: NON-FIPS APPROVED BUT ALLOWED CRYPTOGRAPHIC FUNCTIONS
TABLE 7-1: MODULE CSPS

1 Introduction

1.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for the Barracuda Cryptographic Software Module from Barracuda Inc. It provides detailed information relating to the Federal Information Processing Standard (FIPS) 140-2 security requirements for conformance to security Level 1, and instructions on how to run the module in a secure FIPS 140-2 approved mode.

2 Cryptographic Module Specification

The Barracuda Cryptographic Software Module is a cryptographic software library that provides fundamental cryptographic functions for applications in Barracuda security products that use Barracuda OS v2.3.4 and require FIPS 140-2 approved cryptographic functions. The FIPS 140-2 validation of the Barracuda Cryptographic Software Module covers the fips_crypto_module.o file.

2.1 Module Overview

The Barracuda Cryptographic Software Module is a software-based cryptographic module evaluated for use on processors. Table 2-1 provides a list of platforms, operating systems and processors on which the Barracuda Cryptographic Software Module was tested.

| Hardware Test Platforms | Operating System | Processor | Processor Optimization |
|---|---|---|---|
| BNHW002 | Barracuda OS v2.3.4 | Intel Xeon | None |
| BNHW008 | Barracuda OS v2.3.4 | Intel Xeon | AES-NI |
| BNHW003 | Barracuda OS v2.3.4 | AMD Opteron | None |
| BNHW003 | Barracuda OS v2.3.4 | AMD Opteron | AES-NI |

Table 2-1: Tested Configurations

The logical cryptographic boundary of the module is the Barracuda Cryptographic Software Module dynamic library (fips_crypto_module.o). It is contained in the physical boundary of the general purpose computer (GPC) on which the module resides. Figure 2-1 describes the GPC physical boundary, the Barracuda Cryptographic Software Module logical boundary, and their relationship.

Figure 2-1: Logical Block Diagram

2.2 Security Levels

Per FIPS 140-2 terminology, the Barracuda Cryptographic Software Module is a multi-chip standalone module that meets overall level 1 FIPS 140-2 requirements.
Table 2-2 lists the validation levels for each section of the Barracuda Cryptographic Software Module:

| Section | Section Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 1 |
| 2 | Cryptographic Module Ports and Interfaces | 1 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 1 |
| 5 | Physical Security | N/A |
| 6 | Operational Environment | 1 |
| 7 | Cryptographic Key Management | 1 |
| 8 | EMI/EMC | 1 |
| 9 | Self-tests | 1 |
| 10 | Design Assurance | 3 |
| 11 | Mitigation of Other Attacks | N/A |

Table 2-2: Security Level per FIPS 140-2

2.3 Modes of Operation

The Barracuda Cryptographic Software Module has only a FIPS Approved mode of operation. The Barracuda Cryptographic Software Module must be initialized with the FIPS_module_mode_on function. The Barracuda Cryptographic Software Module will then operate in a FIPS approved mode of operation.
Once initialized, the Barracuda Cryptographic Software Module supports the FIPS Approved Algorithms listed in Table 2-3:

| Algorithm | Modes | CAVS Cert |
|---|---|---|
| AES-128/192/256 | ECB, CBC, CFB1, CFB8, CFB128, OFB, CTR, CCM, CMAC, GCM, XTS | 3165 |
| ECC CDH Component | P-224/256/384/521; K-233/283/409/571; B-233/283/409/571 | 414 |
| DRBG | Hash; HMAC; CTR | 651 |
| DSA (FIPS 186-4) | PQG Generate: (2048, 224): SHA-224/256/384/512; (2048, 256): SHA-256/384/512; (3072, 256): SHA-256/384/512. PQG Verify: (1024, 160): SHA-1/224/256/384/512; (2048, 224): SHA-224/256/384/512; (2048, 256): SHA-256/384/512; (3072, 256): SHA-256/384/512. Key Pair: (2048, 224); (2048, 256); (3072, 256). Signature Generate: (2048, 224): SHA-224/256/384/512; (2048, 256): SHA-224/256/384/512; (3072, 256): SHA-224/256/384/512. Signature Verify: (1024, 160): SHA-1/224/256/384/512; (2048, 224): SHA-1/224/256/384/512; (2048, 256): SHA-1/224/256/384/512; (3072, 256): SHA-1/224/256/384/512 | 911 |
| ECDSA (FIPS 186-4) | PKG Curves: P-224/256/384/521; K-233/283/409/571; B-233/283/409/571. PKV Curves: (All P, K and B curves). SigGen Curves with SHA-224/256/384/512: P-224/256/384/521; K-233/283/409/571; B-233/283/409/571. SigVer Curves with SHA-1/224/256/384/512: P-224/256/384/521; K-233/283/409/571; B-233/283/409/571 | 576 |
| HMAC | SHA-1/224/256/384/512 | 1993 |
| RSA (FIPS 186-4) | RSASSA-PKCS1_V1_5: SigGen: Mod 2048/3072 SHA-224/256/384/512; SigVer: Mod 1024/1536/2048/3072/4096 SHA-1/224/256/384/512. RSASSA-PSS: SigGen: Mod 2048/3072 SHA-224/256/384/512; SigVer: Mod 1024/1536/2048/3072/4096 SHA-1/224/256/384/512 | 1603, 1690 |
| SHA | SHA-1; SHA-224; SHA-256; SHA-384; SHA-512 | 2618 |
| Triple-DES | Encrypt: 3-Key: ECB/CBC/CFB1/CFB8/CFB64/OFB. Decrypt: 2-Key & 3-Key: ECB/CBC/CFB1/CFB8/CFB64/OFB. CMAC (Generation/Verification) | 1803 |

Table 2-3: FIPS Approved Algorithms

In addition to the FIPS Approved algorithms, the module also supports the non-approved but allowed EC Diffie-Hellman (Shared Secret Computation) primitive, and RSA Encrypt/Decrypt for key transport only (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength). The FIPS 186-4 compliant RSA key generation function is FIPS_rsa_generate_key_ex(). The AES XTS mode is only to be used for storage applications. The Barracuda Cryptographic Software Module does not support concurrent operators.

3 Module Ports and Interfaces

The physical ports of the module include those of the GPC on which the module is executed, but are outside the scope of the FIPS 140-2 validation. The logical interface consists of a C language application program interface (API) through which consumers of the module’s services may exert control, request status, or pass data in/out. The FIPS 140-2 interfaces are described in Table 3-1: FIPS 140-2 Logical Interfaces. The Barracuda Cryptographic Software Module API documentation includes all the inputs, outputs, control, and status parameters.

| FIPS 140-2 Logical Interface | Implementation |
|---|---|
| Data Input | C-language API with stack and register input parameters |
| Data Output | C-language API with stack and register output parameters |
| Control Input | C-language API with stack and register control parameters |
| Status Output | C-language API with stack and register status parameters |
| Power Interface | N/A |

Table 3-1: FIPS 140-2 Logical Interfaces

4 Roles, Services, and Authentication

The Barracuda Cryptographic Software Module operates only in FIPS Approved mode and supports operators in either a Crypto-Officer (CO) role or User role. To initialize the cryptographic functions and select an operational role, the consumer of the module supplies a pre-defined password identifying the desired role to the FIPS_module_mode_on() API. As the operator that uses the FIPS module is a software program/application, the pre-defined password of the required role may be set at application compile time. The crypto-officer password is 36 characters in length and the user password is 33 characters in length. The probability of a random successful authentication attempt is 1 in 2^(8*36) for the crypto-officer and 1 in 2^(8*33) for the user.

As the operator is a software application and is expected to have the password at application compile time, failure to provide a valid password is treated as a module-level error and results in the module entering an error state, which can be cleared only by terminating and restarting the offending application. The password is not entered manually, but passed as a parameter in an API call by the calling application.
Hence, there is only one attempt, and an invalid password must be treated as a module-level error. The module does not allow for multiple authentication attempts. Since the error state can be cleared by power cycling the module, it would be possible to make one authentication attempt per second and restart the module per attempt. Thus 60 attempts per minute could be made. However, since the probability of guessing the password per attempt is 1 in 2^(8*36), it is clear that 60 * (1 in 2^(8*36)) is much less than 1 in 100,000.

The module provides the services listed in Table 4-1. Both the CO and the User roles have full read, write, execute, and zeroize access to all services.

| Service | Standard | Roles | Description | CSPs & Public Keys | API |
|---|---|---|---|---|---|
| AES-128/192/256 Encrypt/Decrypt (Modes: CBC, CFB1, CFB128, CFB8, CTR, ECB, GCM, OFB); AES-128/256 Encrypt/Decrypt (Mode XTS) | FIPS 197; SP 800-38A; SP 800-38D (GCM); SP 800-38E (XTS) | User/CO | Symmetric Encryption/Decryption using the AES encryption Standard | AES Encrypt/Decrypt Key (all modes), Generate/Verify key (GCM) | FIPS_evp_aes_128_cbc(), FIPS_evp_aes_128_cfb1(), FIPS_evp_aes_128_cfb128(), FIPS_evp_aes_128_cfb8(), FIPS_evp_aes_128_ctr(), FIPS_evp_aes_128_ecb(), FIPS_evp_aes_128_gcm(), FIPS_evp_aes_128_ofb(), FIPS_evp_aes_128_xts(), FIPS_evp_aes_192_cbc(), FIPS_evp_aes_192_cfb1(), FIPS_evp_aes_192_cfb128(), FIPS_evp_aes_192_cfb8(), FIPS_evp_aes_192_ctr(), FIPS_evp_aes_192_ecb(), FIPS_evp_aes_192_gcm(), FIPS_evp_aes_192_ofb(), FIPS_evp_aes_256_cbc(), FIPS_evp_aes_256_cfb1(), FIPS_evp_aes_256_cfb128(), FIPS_evp_aes_256_cfb8(), FIPS_evp_aes_256_ctr(), FIPS_evp_aes_256_ecb(), FIPS_evp_aes_256_gcm(), FIPS_evp_aes_256_ofb(), FIPS_evp_aes_256_xts() |
| Triple-DES Encrypt (Modes CBC, CFB1, CFB64, CFB8, ECB, OFB) | SP 800-67 | User/CO | Symmetric Encryption using the Triple-DES encryption Standard | Triple-DES Keys. Three-key: K1 != K2 != K3 != K1 | FIPS_evp_des_ede3(), FIPS_evp_des_ede3_cbc(), FIPS_evp_des_ede3_cfb1(), FIPS_evp_des_ede3_cfb64(), FIPS_evp_des_ede3_cfb8(), FIPS_evp_des_ede3_ecb(), FIPS_evp_des_ede3_ofb() |
| Triple-DES Decrypt (Modes CBC, CFB1, CFB64, CFB8, ECB, OFB) | SP 800-67 | User/CO | Symmetric Decryption using the Triple-DES encryption Standard | Triple-DES Keys. Three-key: K1 != K2 != K3 != K1. Two-Key: K1 != K2 != K3 = K1 (Legacy use only) | FIPS_evp_des_ede3(), FIPS_evp_des_ede3_cbc(), FIPS_evp_des_ede3_cfb1(), FIPS_evp_des_ede3_cfb64(), FIPS_evp_des_ede3_cfb8(), FIPS_evp_des_ede3_ecb(), FIPS_evp_des_ede3_ofb() |
| DSA Signature Verification | FIPS 186-4 | User/CO | Verify a signed message using DSA | DSA Public signature verification key | FIPS_dsa_verify(), FIPS_dsa_verify_ctx(), FIPS_dsa_verify_digest() |
| DSA Generate Domain Parameters | FIPS 186-4 | User/CO | L>=2048, N=256 with SHA256 | Public domain parameters | FIPS_dsa_generate_parameters_ex() |
| DSA-2048/3072 Generate Key Pair | FIPS 186-4 | User/CO | Generate 2048 or 3072 bit DSA key pair | DSA Private/Public Keys | FIPS_dsa_generate_key() |
| DSA Sign | FIPS 186-4 | User/CO | Sign a message using DSA | Private Key provided by calling application | FIPS_dsa_sign(), FIPS_dsa_sign_ctx(), FIPS_dsa_sign_digest() |
| RSA Signature Verification | FIPS 186-4 | User/CO | Verify an RSA 1024, 2048 or 3072 bit RSA key signature. Based on PKCS#1 v1.5 or PSS | RSA Signature Verification Public Key | FIPS_rsa_verify(), FIPS_rsa_verify_ctx(), FIPS_rsa_verify_digest() |
| RSA Generate Key Pair | FIPS 186-4 | User/CO | Generate 2048 or 3072 bit RSA key pair. Based on ANSI X9.31 | RSA Private/Public Keys | FIPS_rsa_generate_key_ex() |
| RSA Private Key Encrypt | FIPS 186-4 | User/CO | Used for digital signature | RSA Private Key | FIPS_rsa_private_encrypt() |
| RSA Public Key Decrypt | FIPS 186-4 | User/CO | Used for digital signature verification | RSA Public Key | FIPS_rsa_public_decrypt() |
| RSA Sign | FIPS 186-4 | User/CO | Generate 2048, 3072 bit RSA signature. Based on PKCS#1 v1.5 or PSS | RSA Private Signature Generation Key | FIPS_rsa_sign(), FIPS_rsa_sign_ctx(), FIPS_rsa_sign_digest() |
| ECDSA Signature Verification | FIPS 186-4 | User/CO | Verify message signature (uses all SHA sizes including SHA-1 for legacy use) | ECDSA Public Signature Verification Key | FIPS_ecdsa_verify(), FIPS_ecdsa_verify_ctx() |
| Generate Shared Secret (ECC CDH Primitive) | SP 800-56A Section 5.7.1.2 | User/CO | Generate Shared Secret (KAS component). Allows only NIST recommended B, K and P curves. | Shared Secret | ECDH_compute_key() |
| EC Generate Key Pair | FIPS 186-4 | User/CO | Allows only NIST recommended B, K and P curves. | EC Private Key | EC_KEY_generate_key() |
| ECDSA Sign | FIPS 186-4 | User/CO | Sign message | ECDSA Private Signature Generation Key | FIPS_ecdsa_sign(), FIPS_ecdsa_sign_ctx() |
| SHA-1/224/256/384/512 | FIPS 180-4 | User/CO | Generate a hash value based on the Secure Hash Standard (SHS) | None | FIPS_digestinit(), FIPS_digestupdate(), FIPS_digestfinal(), FIPS_evp_sha1(), FIPS_evp_sha224(), FIPS_evp_sha256(), FIPS_evp_sha384(), FIPS_evp_sha512() |
| HMAC-SHA-1/224/256/384/512 | FIPS 198-1 | User/CO | Generate HMAC-SHA | HMAC Key | FIPS_hmac_init(), FIPS_hmac_init_ex(), FIPS_evp_sha1(), FIPS_evp_sha224(), FIPS_evp_sha256(), FIPS_evp_sha384(), FIPS_evp_sha512() |
| CMAC AES-128/192/256 | SP 800-38B | User/CO | Generate CMAC with AES | AES Generate/Verify Key | FIPS_cmac_init(), FIPS_cmac_update(), FIPS_cmac_final(), FIPS_evp_aes_128_cbc(), FIPS_evp_aes_192_cbc(), FIPS_evp_aes_256_cbc() |
| CMAC Triple-DES | SP 800-38B | User/CO | Generate CMAC with Triple-DES | Triple-DES Keys. Three-key: K1 != K2 != K3 != K1 | FIPS_cmac_init(), FIPS_cmac_update(), FIPS_cmac_final(), FIPS_evp_des_ede3_cbc() |
| CCM AES-128/192/256 | SP 800-38C | User/CO | Generate CCM with AES | AES Encrypt/Decrypt Key | FIPS_cipherinit(), FIPS_cipher(), EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm() |
| Reseed DRBG | SP 800-90A | User/CO | Reseed the DRBG from a NDRBG | V, Key, and entropy input for HMAC and CTR DRBG; V, C and entropy input for Hash DRBG | drbg_ctr_reseed(), drbg_hash_reseed(), drbg_hmac_reseed(), FIPS_drbg_reseed(), FIPS_drbg_set_reseed_interval() |
| Get security strength | SP800-57, Table 2 | User/CO | Provides the security strength of the DRBG based on the strength of the underlying DRBG mechanism | None | FIPS_drbg_get_strength() |
| Generate Random Bits; Generate Symmetric Key | SP 800-90A | User/CO | Generate Random Bits as defined in SP800-90A. Supported options: Hash DRBG, HMAC DRBG, no reseed, CTR DRBG (AES), no derivation function. Prediction Resistance supported for all options. | Returned Symmetric Key (depends on usage); V, Key, and entropy input for HMAC and CTR DRBG; V, C and entropy input for Hash DRBG. | FIPS_rand_bytes(), FIPS_drbg_generate() |
| Initialization & Operator Authorization | | User/CO | Prepare the module for use in FIPS approved mode for the role associated with “password” | Pre-calculated HMAC-SHA-1’s for CO and User role authentications | FIPS_module_mode_on(password) |
| Status / Version | | User/CO | Retrieve the current status of the module or version information | None | FIPS_module_mode(), FIPS_incore_fingerprint(), FIPS_module_version(), FIPS_module_version_text() |
| Zeroize | | User/CO | Zeroize the CSPs of an algorithm. All symmetric and public key Encrypt/Decrypt algorithms are automatically zeroized when the associated context is released. The DRBG CSPs may be zeroized by uninstantiating the DRBG or via the fips_drbg_free function. | V, Key, and entropy input for HMAC and CTR DRBG; V, C and entropy input for Hash DRBG; Symmetric keys; Public/Private Keys | fips_drbg_uninstantiate(), fips_drbg_free() |
| Self-Test | | User/CO | Performs integrity test (using HMAC-SHA256) and algorithm self-tests. These are always performed at power-on and may optionally be run on demand. | None | FIPS_selftest(), FIPS_selftest_sha1(), FIPS_selftest_aes_ccm(), FIPS_selftest_aes_gcm(), FIPS_selftest_aes_xts(), FIPS_selftest_aes(), FIPS_selftest_des(), FIPS_selftest_rsa(), FIPS_selftest_dsa(), FIPS_selftest_ecdsa(), FIPS_selftest_ecdh(), FIPS_drbg_stick(), FIPS_selftest_hmac(), FIPS_selftest_drbg(), FIPS_selftest_drbg_all(), FIPS_selftest_cmac(), FIPS_check_incore_fingerprint() |

Table 4-1: FIPS Approved Services with Roles/CSPs

| Service | Reference | Roles | Description | CSPs | API |
|---|---|---|---|---|---|
| RSA Public Key Encrypt / Private Key Decrypt | IG D.9 | User/CO | Used to encrypt/decrypt key material for key transport | RSA Private Key, Wrapped Key | FIPS_rsa_private_decrypt(), FIPS_rsa_public_encrypt() |
| EC Diffie-Hellman (Shared Secret Computation) Primitive | IG D.8, Scenario 6 | User/CO | Calculate the shared secret. The ECDH_compute_key() function is the same as listed in Table 4-1, but this entry is for the non-Approved (non-compliant with SP 800-56A) primitive only. | Calculated Shared Secret | ECDH_compute_key() |

Table 4-2: Non-FIPS Approved but Allowed Cryptographic Functions

5 Physical Security

The physical security requirements do not apply to the Barracuda Cryptographic Software Module because the module is a FIPS 140-2 Level 1 software module and the physical security is provided by the host platform.

6 Operational Environment

The module operates on a General Purpose Computer (GPC), which is a modifiable operating system. The module was tested on the platforms defined in Table 2-1. The operating systems on the platforms tested segregate each process into a separate process space that is logically separated from all other processes. The module only allows for single user operation in that each module function is processed in the process space of the calling application (operator).

7 Cryptographic Key Management

7.1 Critical Security Parameters (CSPs)

Table 7-1 contains a list of keys/CSPs used in the module. Sections 7.2-7.4 describe the generation, entry, storage, output and zeroization of the keys/CSPs used in the module.

| CSP | Description |
|---|---|
| AES EDK (Encrypt/Decrypt Key), CMAC, GCM, XTS | AES Encrypt/Decrypt Key (all modes), Generate/Verify key (CMAC, GCM) |
| Triple-DES Symmetric Keys | Triple-DES Keys. Three-key: K1 != K2 != K3 != K1. Two-Key: K1 != K2 != K3 = K1 (Legacy use only). CMAC Generate/Verify Key |
| DSA Sign/Verify Keys | Public domain parameters; DSA Private/Public Keys |
| RSA Sign/Verify, Encrypt/Decrypt Keys | RSA Private/Public Key |
| ECDSA Sign/Verify Keys | ECDSA Signature Keys |
| ECC CDH Shared Secret | Shared Secret used to derive keying material |
| EC Public/Private Keys | Elliptic Curve Private/Public keys |
| HMAC Key | Message Authentication Code Key. The HMAC key size can be less than the block size, equal to the block size or greater than the block size. The HMAC key must have at least 112 bits of security strength to meet FIPS 140-2 requirements |
| DRBG State | V, Key and entropy input for HMAC and CTR DRBG; V, C and entropy input for Hash DRBG |
| CO Auth Digest | Digest for Crypto Officer authentication |
| User Auth Digest | Digest for User authentication |

Table 7-1: Module CSPs

7.2 Key Generation

The module supports generation of Elliptic Curve, RSA, DSA key pairs and symmetric keys using an approved SP800-90A DRBG. Table 4-1 identifies keys generated by the module.

Keys are generated from the output of an SP800-90 compliant random bit generator (DRBG). The entropy input provided to the DRBG originates in the NDRBG of the platform. No assurance of the minimum strength of generated keys.

In the event Module power is lost and restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.

IG D.8 Scenario 5 requires compliance with one or more of the key agreement primitives specified in SP 800-56A.
Domain parameters and key sizes shall conform to SP 800-56A. A CVL algorithm validation certificate for a DLC primitive is required (See CVL cert. #414).

7.3 Key Entry, Storage, Output

No keys are persisted by the module beyond the lifetime of the API call, except the DRBG CSPs. All keys/keying material is entered into the module from the consuming application (i.e. “operator”) as plaintext parameters in RAM to API functions. Keys/keying material originates within the physical boundary of the module and is not output outside the physical boundary.

7.4 Zeroization

Temporarily stored keys and keying material are zeroized automatically by the API functions when complete. CSPs related to random number functions (identified in Table 7-1) may be zeroized via explicit function calls. The operating system protects system memory and process space from access by unauthorized users.

CSPs, secret and private keys that are used by the API function are stored temporarily in RAM during the function process. The zeroization is performed by each API function, which calls the function OPENSSL_cleanse at the end of the process. The OPENSSL_cleanse function overwrites the memory space with pseudorandom values that are produced based on the address of the buffer that is being zeroized and an internal counter.

7.5 Entropy

Module users (the calling applications) shall use entropy sources that meet the security strength required for the random number generation mechanism. This entropy is supplied by means of callback functions. Those functions must return an error if the minimum entropy strength cannot be met.

8 EMI/EMC

The module is a software module and was tested on standard GPC platforms that meet the applicable Federal Communication Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined in Subpart B of FCC Part 15.

9 Self-Tests

The Barracuda Cryptographic Software Module performs the required suite of self-tests upon initialization of the module. The self-tests are performed automatically without operator intervention. The following self-tests are performed:

Self Tests:
• Software integrity KAT: HMAC-SHA256
• SHA-1
• HMAC-SHA1 KAT
• HMAC-SHA224 KAT
• HMAC-SHA256 KAT
• HMAC-SHA384 KAT
• HMAC-SHA512 KAT
• AES KAT: ECB mode, Encrypt, 128-bit
• AES KAT: ECB mode, Decrypt, 128-bit
• AES CCM KAT: Encrypt, 192-bit
• AES CCM KAT: Decrypt, 192-bit
• AES GCM KAT: Encrypt, 256-bit
• AES GCM KAT: Decrypt, 256-bit
• XTS-AES KAT: Encrypt, 128,256
• XTS-AES KAT: Decrypt, 128,256
• AES CMAC KAT: CBC mode, sign, 128,192,256
• AES CMAC KAT: CBC mode, verify, 128,192,256
• Triple-DES KAT: ECB mode, Encrypt, 3-key
• Triple-DES KAT: ECB mode, Decrypt, 3-key
• Triple-DES CMAC KAT: CBC mode, generate, 3-key
• Triple-DES CMAC KAT: CBC mode, verify, 3-key
• RSA KAT: sign, 2048 bit, SHA256
• RSA KAT: verify, 2048 bit, SHA256
• DSA Pairwise Consistency: sign, 2048 bit, SHA384
• DSA Pairwise Consistency: verify, 2048 bit, SHA384
• DRBG SP800-90:
  o CTR_DRBG: AES 256-bit, with and without derivation function
  o HASH_DRBG: SHA256
  o HMAC_DRBG: SHA256
• ECDSA Pairwise Consistency: KeyGen, sign, P-224, K-233 and SHA512
• ECDSA Pairwise Consistency: KeyGen, verify, P-224, K-233 and SHA512
• ECC CDH KAT: Shared secret calculation per section 5.7.1.2 of SP800-56A, IG 9.6

The module also implements the following conditional tests:

Conditional Self-test:
• DRBG SP800-90 continuous test
• DSA: Pairwise Consistency test on each generation of a key pair
• RSA: Pairwise Consistency test on each generation of a key pair
• ECDSA: Pairwise Consistency test on each generation of a key pair
• NDRBG: continuous test

The module will enter an error state if any of the self-tests fail, and an internal flag is set to prevent any subsequent requests for cryptographic functions. The module must be power cycled to remove it from the error state. Once power cycled, the self-tests will be run upon initialization. If all tests pass, the module will move into an operational state. If any of the self-tests fails, the module will move back to the error state.

The operator can perform the self-tests on demand by invoking the FIPS_selftest() function.

10 Design Assurance

Barracuda uses Git for configuration management of source code and documentation. All module source code and documentation is maintained on a server that is internal to Barracuda. Git maintains a history of all changes made to documents and source code.

The Barracuda Cryptographic Software Module is for use inside of Barracuda products. The module is a binary object module and is only distributed to the Barracuda development team as the FIPS 140-2 validated fips_crypto_module.o binary object. The module code has a computed HMAC SHA-256 embedded in it for the software integrity test. If there are any changes to the module or the HMAC SHA-256, the software integrity test will fail. The Barracuda development teams work in secure environments with controlled access. The module and the host application are installed on one of the operational environments listed in Table 2-1.

11 Mitigation of Other Attacks

This module was not designed to mitigate any specific attacks outside the scope of the FIPS 140-2 requirements.

12 Crypto-Officer and User Guidance

The calling application is the operator (crypto-officer or user depending on the password supplied) of the module.
The Barracuda Cryptographic Software Module is for use on a GPC. It is the responsibility of the calling application to secure any keys or CSPs passed outside of the logical boundary of the module, to the calling application. The module does not provide any persistent storage of keys or CSPs.

13 Acronyms

| Acronym | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| API | Application Program Interface |
| CBC | Cipher Block Chaining |
| CFB | Cipher Feedback |
| CO | Cryptographic Officer |
| CMAC | Cryptographic Message Authentication Code |
| CSP | Critical Security Parameter |
| CTR | Counter |
| DES | Data Encryption Scheme |
| DRBG | Deterministic Random Bit Generator |
| DSA | Digital Signature Algorithm |
| EC | Elliptic Curve |
| ECB | Electronic Codebook |
| EMC | Electromagnetic Compatibility |
| ECC CDH | Elliptic Curve Cryptography Cofactor Diffie-Hellman |
| ECDSA | Elliptic Curve Digital Signature Algorithm |
| EDK | Encrypt Decrypt Key |
| EMI | Electromagnetic Interference |
| FCC | Federal Communications Commission |
| FIPS | Federal Information Processing Standard |
| GCM | Galois Counter Mode |
| GPC | General Purpose Computer |
| HMAC | Keyed-Hash Message Authentication Code |
| KAS | Key Agreement Scheme |
| KAT | Known Answer Test |
| NDRBG | Non-Deterministic Random Bit Generator |
| OFB | Output Feedback |
| OS | Operating System |
| PKCS | Public Key Cryptography Standard |
| PKG | Public Key (Q) Generation |
| PKV | Public Key (Q) Validation |
| PQG | DSA parameters P, Q and G |
| PSS | Probabilistic Signature Scheme |
| RAM | Random Access Memory |
| RNG | Random Number Generator |
| RSA | Rivest, Shamir and Adleman Algorithm |
| RSASSA | RSA Signature Scheme with Appendix |
| SHA | Secure Hash Algorithm |
| Triple-DES | Triple-DES |
| XEX | XOR Encrypt XOR |
| XOR | Exclusive OR |
| XTS | XEX Tweakable Block Cipher with Cipher text Stealing |
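
The initialization behaviour described in sections 4, 9 and 10 (an HMAC-SHA-256 integrity check over the module, a known-answer test, a single authentication attempt against pre-calculated HMAC-SHA-1 digests, and an error state that blocks all further services) is modelled below as an added example; it is not Barracuda's code. The class and function names, both keys, the passwords, the image bytes and the order of the checks are assumptions made for illustration; only the HMAC-SHA-256 known answer is a published vector (RFC 4231, test case 1).

```python
"""Toy model of the initialization flow in sections 4, 9 and 10.

Added example, not Barracuda code: class and function names, both keys, the
passwords and the order of the checks are assumptions made for illustration.
"""
import hashlib
import hmac
from fractions import Fraction

# Constructed values (assumptions); the policy only fixes the password lengths.
INTEGRITY_KEY = b"constructed-integrity-key"
AUTH_KEY = b"constructed-auth-key"
CO_PASSWORD = b"C" * 36    # crypto-officer password: 36 characters
USER_PASSWORD = b"U" * 33  # user password: 33 characters

# Published known answer: RFC 4231 test case 1 for HMAC-SHA-256.
KAT_KEY = b"\x0b" * 20
KAT_MSG = b"Hi There"
KAT_EXPECTED = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)


class ModuleError(Exception):
    """A service was refused: module not initialized or in the error state."""


def embed_mac(image: bytes) -> bytes:
    """Build-time step: the HMAC-SHA-256 value that ships inside the module."""
    return hmac.new(INTEGRITY_KEY, image, hashlib.sha256).digest()


def role_digest(password: bytes) -> bytes:
    """Pre-calculated HMAC-SHA-1 digest stored instead of the password."""
    return hmac.new(AUTH_KEY, password, hashlib.sha1).digest()


class ToyModule:
    def __init__(self, image: bytes, embedded_mac: bytes):
        self.image = image
        self.embedded_mac = embedded_mac
        self.role = None
        self.error_state = False  # sticky: only a new instance ("restart") clears it
        self.role_digests = {
            "CO": role_digest(CO_PASSWORD),
            "User": role_digest(USER_PASSWORD),
        }

    def self_test(self) -> bool:
        """Integrity test over the image plus one known-answer test."""
        mac = hmac.new(INTEGRITY_KEY, self.image, hashlib.sha256).digest()
        kat = hmac.new(KAT_KEY, KAT_MSG, hashlib.sha256).digest()
        ok = hmac.compare_digest(mac, self.embedded_mac)
        ok = ok and hmac.compare_digest(kat, KAT_EXPECTED)
        if not ok:
            self.error_state = True
        return ok

    def mode_on(self, password: bytes) -> str:
        """One authentication attempt; any failure is a module-level error."""
        if self.error_state:
            raise ModuleError("error state: restart required")
        if not self.self_test():
            raise ModuleError("self-test failed")
        supplied = role_digest(password)
        matched = None
        for role, expected in self.role_digests.items():
            if hmac.compare_digest(supplied, expected):  # constant-time compare
                matched = role
        if matched is None:
            self.error_state = True
            raise ModuleError("authentication failed")
        self.role = matched
        return matched

    def hmac_sha256(self, key: bytes, msg: bytes) -> bytes:
        """Stand-in for any service: refused unless initialized and healthy."""
        if self.error_state or self.role is None:
            raise ModuleError("service unavailable")
        return hmac.new(key, msg, hashlib.sha256).digest()


def guess_probability_per_minute(password_len: int, attempts: int = 60) -> Fraction:
    """Bound from section 4: attempts * (1 in 2^(8 * password length))."""
    return Fraction(attempts, 2 ** (8 * password_len))


if __name__ == "__main__":
    image = b"constructed module image"
    module = ToyModule(image, embed_mac(image))
    print("role:", module.mode_on(USER_PASSWORD))
    tampered = ToyModule(image + b"\x00", embed_mac(image))
    try:
        tampered.mode_on(CO_PASSWORD)
    except ModuleError as exc:
        print("tampered image:", exc)
    print("below 1 in 100,000:", guess_probability_per_minute(36) < Fraction(1, 100000))
```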