FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 FIPS 140-2 Non-Proprietary Security Policy IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 FW version 5.3.1 Document Version 0.9 February 17, 2016 Prepared For: Prepared By: IBM Security SafeLogic Inc. 6303 Barfield Road 530 Lytton Ave, Suite 200 Atlanta, GA 30328 Palo Alto, CA 94301 www.ibm.com www.safelogic.com Document Version 0.9 © IBM Security Page 1 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Table of Contents 1 Introduction ......................................................................................................................................................4 1.1 About FIPS 140-2 ..........................................................................................................................................4 1.2 About this Document....................................................................................................................................4 1.3 External Resources .......................................................................................................................................4 1.4 Notices..........................................................................................................................................................4 1.5 Acronyms ......................................................................................................................................................5 2 IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 ...........................................................................6 2.1 Product Overview .........................................................................................................................................6 2.2 Validation Level Detail..................................................................................................................................6 2.3 Cryptographic Algorithms ............................................................................................................................7 2.3.1 Approved Algorithms and Implementation Certificates ..........................................................................7 2.3.2 Non-Approved but Allowed Algorithms.................................................................................................12 2.4 Cryptographic Module Specification ..........................................................................................................13 2.4.1 Excluded Components ...........................................................................................................................13 2.4.2 FIPS Mode ..............................................................................................................................................14 2.5 Module Interfaces ......................................................................................................................................15 2.6 Roles, Services, and Authentication ...........................................................................................................16 2.6.1 Management Options ............................................................................................................................16 2.6.2 Operator Services and Descriptions.......................................................................................................18 2.6.3 Operator Authentication .......................................................................................................................19 2.7 Physical Security .........................................................................................................................................20 2.8 Operational Environment ...........................................................................................................................20 2.9 Cryptographic Key Management ...............................................................................................................21 2.10 Self-Tests ....................................................................................................................................................33 2.10.1 Power-On Self-Tests ..........................................................................................................................33 2.10.2 Conditional Self-Tests ........................................................................................................................35 2.11 Mitigation of Other Attacks .......................................................................................................................37 3 Guidance and Secure Operation .....................................................................................................................38 3.1 Crypto Officer Guidance .............................................................................................................................38 3.1.1 Firmware Installation .............................................................................................................................38 3.1.2 Enabling FIPS Mode ...............................................................................................................................38 3.1.3 Placement of Tamper Evidence Labels ..................................................................................................39 3.2 User Guidance ............................................................................................................................................50 3.2.1 General Guidance ..................................................................................................................................50 Document Version 0.9 © IBM Security Page 2 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 List of Tables Table 1 – Acronyms and Terms......................................................................................................................................5 Table 2 – Validation Level by DTR Section .....................................................................................................................6 Table 3 – Algorithm Certificates (OpenSSL) .................................................................................................................11 Table 4 – Algorithm Certificates (GSKIT) ......................................................................................................................12 Table 5 – Interface Descriptions ..................................................................................................................................15 Table 6 – Logical Interface / Physical Interface Mapping ............................................................................................15 Table 7 – Operator Services and Descriptions .............................................................................................................19 Table 8 - Key/CSP Management Details ......................................................................................................................31 Table 9 - OpenSSL Self-Tests ........................................................................................................................................34 Table 10 - GSKIT Self-Tests...........................................................................................................................................35 List of Figures Figure 1 - Block Diagram ..............................................................................................................................................13 Figure 2 - Module Illustrations.....................................................................................................................................14 Figure 3 - Additional CLI Commands ............................................................................................................................17 Figure 4 - XGS 3100 Tamper evidence label placement (top left) ...............................................................................41 Figure 5 – XGS 3100 Tamper evidence label placement (bottom back) ......................................................................42 Figure 6 - XGS 3100 Tamper evidence label placement (top front) ............................................................................42 Figure 7 - XGS 4100 Tamper evidence label placement (top left). ..............................................................................44 Figure 8 – XGS 4100 Tamper evidence label placement (bottom back) ......................................................................44 Figure 9 – XGS 4100 Tamper evidence label placement (top and bottom front) ........................................................45 Figure 10 – XGS 5100 Tamper evidence label placement (top left) ............................................................................46 Figure 11 – XGS 5100 Tamper evidence label placement (bottom back) ....................................................................47 Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front) ......................................................47 Figure 13 – XGS 7100 Tamper evidence label placement (top left) ............................................................................49 Figure 14 – XGS 7100 Tamper evidence label placement (bottom back) ....................................................................49 Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front) ......................................................50 Document Version 0.9 © IBM Security Page 3 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 1 Introduction 1.1 About FIPS 140-2 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) runs the FIPS 140-2 program. The CMVP accredits independent testing labs to perform FIPS 140-2 testing; the CMVP also validates test reports for products meeting FIPS 140-2 validation. Validated is the term given to a product that is documented and tested against the FIPS 140-2 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.2 About this Document This non-proprietary Cryptographic Module Security Policy for the XGS 3100, XGS 4100, XGS 5100, and XGS 7100 from IBM Security provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module’s cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS-approved mode of operation. The IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 may also be referred to as the “modules” in this document. 1.3 External Resources The IBM Security website (http://www.ibm.com) contains information on the full line of products from IBM Security, including a detailed overview of the XGS 3100, XGS 4100, XGS 5100, and XGS 7100 solution. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains links to the FIPS 140-2 certificate and IBM Security contact information. 1.4 Notices This document may be freely reproduced and distributed in its entirety without modification. Document Version 0.9 © IBM Security Page 4 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 1.5 Acronyms The following table defines acronyms found in this document: Acronym Term AES Advanced Encryption Standard BMC Baseboard Management Controller (a motherboard system management process) CBC Cipher Block Chaining CSE Communications Security Establishment CSP Critical Security Parameter DRBG Deterministic Random Bit Generator PCT Pairwise Consistency Test DTR Derived Testing Requirement ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standard FW Firmware GPC General Purpose Computer GUI Graphical User Interface HMAC Hashed Message Authentication Code IBM International Business Machines ISS Internet Security Systems KAT Known Answer Test NDRNG Non-deterministic Random Number Generator NIM Network Interface Module NIST National Institute of Standards and Technology RSA Rivest Shamir Adelman SEL System Error Log SHA Secure Hashing Algorithm Table 1 – Acronyms and Terms Document Version 0.9 © IBM Security Page 5 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2 IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.1 Product Overview The Network Intrusion Prevention System (IPS) automatically blocks malicious attacks while preserving network bandwidth and availability. The appliances are purpose-built, Layer 2 network security appliances that you can deploy either at the gateway or the network to block intrusion attempts, denial of service (DoS) attacks, malicious code, backdoors, spyware, peer-to-peer applications, and a growing list of threats without requiring extensive network reconfiguration. The XGS 3100, XGS 4100, XGS 5100, and XGS 7100 can be securely managed via SiteProtector, which is a central management console for managing appliances, monitoring events, and scheduling reports 2.2 Validation Level Detail The following table lists the level of validation for each area in FIPS 140-2: FIPS 140-2 Section Title Validation Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 Electromagnetic Interference / Electromagnetic 2 Compatibility Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Overall Validation Level 2 Table 2 – Validation Level by DTR Section The “Mitigation of Other Attacks” section is not relevant as the module does not implement any countermeasures towards special attacks. Document Version 0.9 © IBM Security Page 6 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.3 Cryptographic Algorithms 2.3.1 Approved Algorithms and Implementation Certificates The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program: Algorithm Type Algorithm CAVP Certificate Use Asymmetric Key RSA XGS3100: 1691 Sign / verify operations XGS4100: 1692 Key transport FIPS186-2: XGS5100: 1693 ALG[ANSIX9.31]: XGS7100: 1694 SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , ALG[RSASSA-PKCS1_V1_5]: SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS, FIPS186-4: 186-4KEY(gen): FIPS186- 4_Fixed_e _Value PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 , C.3 ) ALG[ANSIX9.31] Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 224 , 256 , 384 , 512 )) (3072 SHA( 224 , 256 , 384 , 512 )) SIG(Ver) (1024 SHA( 224 , 256 , 384 , 512 )) (2048 SHA( 224 , 256 , 384 , 512 )) (3072 SHA( 224 , 256 , 384 , 512 )) Document Version 0.9 © IBM Security Page 7 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Algorithm Type Algorithm CAVP Certificate Use ECDSA XGS3100: 640 XGS4100: 641 FIPS186-4: XGS5100: 642 PKG: CURVES( P-224 P-256 XGS7100: 643 P-384 P-521 K-233 K-283 K-409 K-571 B-233 B-283 B-409 B-571 ExtraRandomBits TestingCandidates ) PKV: CURVES( ALL-P ALL-K ALL-B ) SigGen: CURVES( P-224: (SHA-224, 256, 384, 512) P-256: (SHA-224, 256, 384, 512) P-384: (SHA-224, 256, 384, 512) P-521: (SHA-224, 256, 384, 512) K-233: (SHA-224, 256, 384, 512) K-283: (SHA-224, 256, 384, 512) K-409: (SHA-224, 256, 384, 512) K-571: (SHA-224, 256, 384, 512) B-233: (SHA-224, 256, 384, 512) B-283: (SHA-224, 256, 384, 512) B-409: (SHA-224, 256, 384, 512) B-571: (SHA-224, 256, 384, 512) ) SigVer: CURVES( P-192: (SHA-1, 224, 256, 384, 512) P-224: (SHA-1, 224, 256, 384, 512) P-256: (SHA-1, 224, 256, 384, 512) P-384: (SHA-1, 224, 256, 384, 512) P-521: (SHA-1, 224, 256, 384, 512) K-163: (SHA-1, 224, 256, 384, 512) K-233: (SHA-1, 224, 256, 384, 512) K-283: (SHA-1, 224, 256, 384, 512) K-409: (SHA-1, 224, 256, 384, 512) K-571: (SHA-1, 224, 256, 384, 512 B-163: (SHA-1, 224, 256, 384, 512) B-233: (SHA-1, 224, 256, 384, 512) B-283: (SHA-1, 224, 256, 384, 512) B-409: (SHA-1, 224, 256, 384, 512) B-571: (SHA-1, 224, 256, 384, 512) Document Version 0.9 © IBM Security Page 8 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Algorithm Type Algorithm CAVP Certificate Use Hashing SHA-1, SHA-224, SHA-256, XGS3100: 2740 Message digest in TLS sessions SHA-384, SHA-512 XGS4100: 2741 Module integrity via SHA-1 XGS5100: 2742 XGS7100: 2743 Keyed Hash HMAC: SHA-1, SHA-224, XGS3100: 2099 Message verification SHA-256, SHA-384, SHA- XGS4100: 2100 512 XGS5100: 2101 XGS7100: 2102 Document Version 0.9 © IBM Security Page 9 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Algorithm Type Algorithm CAVP Certificate Use Symmetric Key AES XGS3100: 3307 Data encryption / decryption XGS4100: 3308 ECB ( e/d; 128 , 192 , 256 ); XGS5100: 3309 CBC ( e/d; 128 , 192 , 256 ); XGS7100: 3310 CFB1 ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( ext only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 ) (KS: AES_192( e/d ) Tag Length(s): 128 ) (KS: AES_256( e/d ) Tag Length(s): 128 ) IV Generated: ( Internally (using Section 8.2.2 ) ) ; PT Lengths Tested: ( 0 , 128 , 256 , 8 , 248 ) ; AAD Lengths tested: ( 0 , 128 , 256 ) ; IV Lengths Tested: ( 96 , 1024 ) ; 96BitIV_Supported ; OtherIVLen_Supported GMAC_Supported Triple-DES TECB, TCBC, XGS3100: 1883 TCFB64, TOFB; XGS4100: 1884 XGS5100: 1885 XGS7100: 1886 Document Version 0.9 © IBM Security Page 10 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Algorithm Type Algorithm CAVP Certificate Use DRBG 800-90A DRBG (HMAC_DRBG (SHA- XGS3100: 756 Deterministic Random Bit 1, SHA-224, SHA-256, SHA- XGS4100: 757 Generation 384, SHA-512), HASH_DRB XGS5100: 758 G (SHA-1, SHA-224, SHA- XGS7100: 759 256, SHA-384, SHA-512), CTR_DRBG (AES-128- ECB, AES- 192-ECB, AES-256- ECB) Table 3 – Algorithm Certificates (OpenSSL) Algorithm CAVP Certificate Use RSA Key 186-4KEY(gen) XGS3100: 1677 Sign / verify operations Generation (2048 to 3072 bits) XGS4100: 1679 Key transport XGS5100: 1680 RSA Signature PKCS#1.5 XGS7100: 1681 Generation (2048 to 3072 bits) (SHA-224,SHA-256,SHA- 384,SHA-512) RSA Signature PKCS#1.5 (1024, 2048, 3072 bits) Verification (SHA-1,SHA-224,SHA- 256,SHA-384,SHA- 512) ECDSA KeyPair P: 224, 256, 384, 521 XGS3100: 633 Sign / verify operations Generation K: 233, 283, 409, 571 XGS4100: 635 B: 233, 283, 409, 571 XGS5100: 636 XGS7100: 637 ECDSA PKV P: 192, 224, 256, 384, 521 K: 163, 233, 283, 409, 571 B: 163, 233, 283, 409, 571 ECDSA P: 224, 256, 384, 521 Signature K: 233, 283, 409, 571 Generation B: 233, 283, 409, 571 ECDSA P: 192, 224, 256, 384, 521 K: 163, 233, 283, Signature 409, 571 B: 163, 233, 283, 409, 571 Verification ECC CDH P: 224, 256, 384, 521 XGS 3100 Cofactor Diffie-Hellman CVL: #463 Primitive Component (SP800-56A) XGS 4100 CVL: #465 XGS 5100 CVL: #466 XGS 7100 CVL: #467 SHA message SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 XGS3100: 2718 Message digest in TLS digest XGS4100: 2720 sessions generation XGS5100: 2721 Module integrity via XGS7100: 2722 SHA-1 Document Version 0.9 © IBM Security Page 11 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 HMAC HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA- XGS3100: 2077 Message verification 256, HMAC-SHA-384, HMAC-SHA-512 XGS4100: 2079 XGS5100: 2080 XGS7100: 2081 AES AES-128-CMAC, AES-192-CMAC, AES-256- XGS3100: 3280 Data encryption / CMAC. ECB, CBC, CFB1, CFB8, CFB128 & OFB XGS4100: 3282 decryption XGS5100: 3283 AES_CCM 128, 192,or 256 bit keys (SP800- XGS7100: 3284 38C) AES_GCM 128, 192,or 256 bit keys (FIPS 197, SP800-38D) AES_XTS 128, 256 bit keys (FIPS SP 800-38E) 1 Triple-DES Triple-DES 192-bit keys in ECB, CBC, CFB64, XGS3100: 1867 Data encryption / and OFB mode, CMAC XGS4100: 1869 decryption XGS5100: 1870 XGS7100: 1871 DRBG 800-90A HMAC_DRBG (SHA-1, SHA-224, SHA-256, XGS3100: 738 DRBG SHA-384, SHA-512), HASH_DRBG (SHA-1, XGS4100: 740 SHA-224, SHA-256, SHA-384, SHA-512), XGS5100: 741 CTR_DRBG (AES-128- ECB, AES- 192-ECB, XGS7100: 742 AES-256- ECB) DSA [(1024, 160) bits; (2048, 224) bits; (2048, XGS 3100 Verify operations 256) bits; (3072, 256) bits] DSA: #937 (SHA-1, SHA-224, SHA-256, SHA-256) XGS 4100 DSA: #939 XGS 5100 DSA: #940 XGS 7100 DSA: #941 Table 4 – Algorithm Certificates (GSKIT) The TLS, SSH, and SNMP protocols have not been reviewed or tested by the CAVP and CMVP. Please see NIST document SP800-131A for guidance regarding the use of non FIPS-approved algorithms. 2.3.2 Non-Approved but Allowed Algorithms The module implements the following non-FIPS approved but allowed algorithms: True Random Number Generator (TRNG), a non-deterministic RNG (NDRNG) used to seed the • DRBG. GSKIT: RSA Key Wrapping Encrypt / Decrypt (2048, 3072 bits) Allowed to be used in FIPS mode • (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength) 1 AES XTS mode was CAVS validated but not implemented within the module. Document Version 0.9 © IBM Security Page 12 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Diffie-Hellman (key agreement; key establishment methodology provides 112 or 128 • bits of encryption strength) EC Diffie-Hellman (key agreement; key establishment methodology provides between • 128 and 256 bits of encryption strength) 2.4 Cryptographic Module Specification The modules are running firmware version 5.3.1. Each module is classified as a multi-chip standalone cryptographic module and contains a cryptographic module to manage secure communications with SiteProtector Management System. The physical cryptographic boundary is defined as the module case (shown in Figure 1). Figure 1 - Block Diagram 2.4.1 Excluded Components Excluded components include the following: Monitoring Ports • The network card provides input/output functionality from the motherboard to the o exterior network; it does not provide any FIPS security relevant processing. Document Version 0.9 © IBM Security Page 13 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 These ports accept and pass data traffic that is analyzed by the internal IDS analysis o engine. The traffic is not security relevant and does not interact with the cryptographic processing of the appliance. Management Port 2 • Excluded when configured for TCP reset o Although the actual data over these interfaces is excluded, the appliances do provide analysis of data. These scan results are encrypted by the cryptographic module and sent to the management interfaces for review. The module illustrations are provided in the table below. Top to bottom: XGS 3100, XGS 4100, XGS 5100 and XGS 7100. Figure 2 - Module Illustrations 2.4.2 FIPS Mode The module can only be enabled for FIPS mode at the time of initial configuration. Additionally, if the module enters an error state (e.g., a known answer test fails), the module must be powered off and reimaged to FIPS mode of operation. Document Version 0.9 © IBM Security Page 14 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.5 Module Interfaces Each appliance runs the same version of firmware and has the same basic physical interfaces; the main difference is the number of Monitoring Ports (i.e., traffic monitoring interfaces) and the processing speed. The table below describes the main interface on each module: Physical Interface Description / Use LCD Initial network configuration, restarting or shutting down the appliance Monitoring Ports Either inline intrusion prevention (IPS mode) or passive intrusion detection (excluded) (IDS mode). Inline prevention uses a pair of ports per segment. Passive detection uses a single port per segment. IDS traffic is excluded from the validation. Serial Console Port Optional terminal-based setup and recovery USB Ports Connection to a CD-ROM or similar peripheral for loading images Management Port 1 Communication with SiteProtector Management System Management Port 2 Communication with SiteProtector Management System and for sending (excluded) TCP Reset responses. This interface is excluded from the validation when configured for TCP Reset processing otherwise it is identical to Management Port #1. Table 5 – Interface Descriptions Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following table: FIPS 140-2 Logical Interface Module Physical Interface Data Input Management Port Serial Console Port Data Output Management Port Serial Console Port Control Input Management Port Serial Console Port USB Ports LCD Panel Status Output Management Port Serial Console Port LCD Panel LEDs Power Power Plug On/Off Switch Table 6 – Logical Interface / Physical Interface Mapping Document Version 0.9 © IBM Security Page 15 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.6 Roles, Services, and Authentication The module is accessed via Local Management Interface (LMI), Command Line Interface (CLI) or the SiteProtector management application. The CLI is additionally used for installation and initial configuration of the module. The module supports basic management via the LCD panel during module initialization. The LCD Management is unauthenticated but requires physical access and only allows: View the IP address • Restart the appliance • Shutdown the appliance • As required by FIPS 140-2, there are two roles (a Crypto Officer role and User role) in the module that operators may assume. The module supports identity-based authentication, and the respective services for each role are described in the following sections. 2.6.1 Management Options 2 2.6.1.1 Command Line Interface The command line interface offers the Crypto Officer role basic functions for installation and initial configuration. An authorized Crypto Officer operator can use the CLI to initially configure the following functions: Change Password • Network Configuration Information • Host Configuration • Time Zone/Data/Time Configuration • Agent Name Configuration • Port Link Configuration • Adapter Mode Configuration. • Additional commands are below: Please note that SiteProtector is outside of the module boundary and only the module interface to these 2 applications are relevant to the validation. Document Version 0.9 © IBM Security Page 16 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 3 - Additional CLI Commands 2.6.1.2 LMI XGS also offers the Crypto-Officer a browser-based graphical user interface for local, single appliance management (LMI) with the functional overlap to the CLI. Besides the functions similar to the CLI, the LMI can also configure IPS related application policies and monitor the security events detected by the appliance. 2.6.1.3 SiteProtector SiteProtector is the IBM central management console. SiteProtector can manage appliances, monitor events, and schedule reports. If managing a group of appliances along with other sensors, the centralized management capabilities of SiteProtector may be preferred. SiteProtector controls the following management functions of the appliance: Monitor appliance status • View log files • Configure password • Document Version 0.9 © IBM Security Page 17 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.6.2 Operator Services and Descriptions The services available to the User and Crypto Officer roles in the module are as follows: Service Description Service Input / Interface Key/CSP Access Roles Output (API) Configure Initializes the Configuration Serial Console None Crypto Port module for FIPS Parameters / Module Officer USB Ports mode of configured LCD Panel operation Self Test Performs self Initiate self tests / Self Management None Crypto Port tests on critical tests run Officer Power switch functions of User module Decrypt Decrypts a block Initiate decryption / Management AES Session Key Crypto Port of data data decrypted Triple-DES Officer Session Key User Private Key SNMP AES Key Encrypt Encrypts a block Initiate encryption/ Management AES Session Key Crypto Port of data data encrypted Triple-DES Officer Session Key User Public Key External Entity Public Key SNMP AES Key Establish Provides a Initiate session Management Private Key Crypto Port Session protected establishment / Public Key Officer session for session established HMAC Key User establishment of Premaster encryption keys Secret (48 with peers Bytes) Master Secret (48 Bytes) Session Key Symmetric Key External Entity Public Key Session Key DRBG Seed Key Entropy Input String Document Version 0.9 © IBM Security Page 18 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Service Description Service Input / Interface Key/CSP Access Roles Output (API) Hash_DRBG mechanism HMAC_DRBG mechanism CTR_DRBG mechanism Zeroize Crypto Clear CSPs from Terminate Session / Management None CSPs Officer memory CSPs cleared Port User Clear CSPs from Reimage module / USB None Crypto disk CSPs cleared and Officer Serial module restored to factory settings Show Shows status of Show status Management None Crypto Port Status the module commands / Module Officer Serial Console status User Port USB Ports LCD Panel LEDs Table 7 – Operator Services and Descriptions 2.6.3 Operator Authentication The CO role authentication via CLI (when initially configuring the module for FIPS mode) is over SSH. The LMI connection is over HTTPS/TLS in FIPS mode. Other than the LCD panel services and status functions available by viewing LEDs, the services described in the table above are available only to authenticated operators. The operator authenticates via username/password, and passwords are stored on the module. The module checks these parameters before allowing access. The module enforces a minimum password length of 6 characters (see Guidance and Secure Operation section of this document). The password can consist of alphanumeric values, {a-zA-Z0-9], yielding 62 choices per character. The probability of a successful random attempt is 1/626, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one minute period is 600/626, which is less than 1/100,000. 3 The password complexity rules are configurable; users can have more strict password rules. The guidance The 3 minimum password length can be configured to be 6 to 15 characters and can be configured to require special, numeric, upper and lower case characters. The default minimum password length is 6 characters, and the account should be locked after 3 unsuccessful attempts; therefore this analysis. Document Version 0.9 © IBM Security Page 19 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Per the Configuration Guidance, the module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one minute period is 3/626 which is less than 1/100,000. For authentication of SiteProtector sessions (i.e., the User Role), the module supports a public key based authentication with 2048 bit keys via RSA. A 2048-bit RSA key has 112-bits of equivalent strength. The probability of a successful random attempt is 1/2^112, which is less than 1/1,000,000. Assuming the module can support 60 authentication attempts in one minute, the probability of a success with multiple consecutive attempts in a one minute period is 60/2^112 which is less than 1/100,000. 2.7 Physical Security Each module is a multiple-chip standalone module and conforms to Level 2 requirements for physical security. The modules’ production-grade enclosure is made of a hard metal, and the enclosures contain a removable cover. The baffles installed by IBM Security satisfy FIPS 140-2 Level 2 requirements for module opacity. For details on tamper evidence, please see Section 1.16.4 – Placement of Tamper Evidence Labels. 2.8 Operational Environment The modules operate in a limited operational environment and do not implement a General Purpose Operating System. The modules meet Federal Communications Commission (FCC) FCC Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47 Code of Federal Regulations, Part15, Subpart B. Document Version 0.9 © IBM Security Page 20 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.9 Cryptographic Key Management The table below provides a complete list of Critical Security Parameters used within the module: Key/CSP Name Description / Use Generation Storage Establishment / Export Interface Privileges GSKIT Implementation Storage: RAM plaintext Agreement: Via secure AES Session AES 128, 192, 256 Internal generation at Decrypt Crypto Key encryption & installation by DRBG TLS tunnel Officer Encrypt Type: Ephemeral decryption of Entry: NA management traffic RWD Association: The system is the User Output: NA one and only owner. Relationship is maintained by RWD the operating system via protected memory. Storage: RAM plaintext Agreement: Via secure Triple-DES Triple-DES 192 Internal generation at Decrypt Crypto Session Key encryption & installation by DRBG TLS tunnel Officer Encrypt Type: Ephemeral decryption Entry: NA of management traffic RWD Association: The system is the User Output: NA one and only owner. Relationship is maintained by RWD the operating system via protected memory. Storage: RAM plaintext Agreement: NA HMAC key HMAC-SHA-1, HMAC- Internal generation at Establish Session Crypto SHA-224, HMAC-SHA- installation by DRBG Officer Type: Ephemeral Entry: NA 256, HMAC-SHA-384, HMAC-SHA-512 for RWD Document Version 0.6 © IBM Security Page 21 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Association: The system is the Output: None message verification User one and only owner. RWD Relationship is maintained by the operating system via protected memory. Storage: on disk/obfuscated Agreement: NA Crypto Officer Alphanumeric Not generated by the Configure Crypto Password passwords externally module; defined by the Officer Type: Static Entry: Manual entry generated by a human human user of the RWD user for workstation via operating system Association: controlled by the authentication to the Output: NA operating system. operating system Storage: on disk/obfuscated Agreement: NA User Password Alphanumeric Not generated by the Configure Crypto passwords externally module; defined by the Officer Type: Static Entry: Manual entry generated by a human human user of the D user for workstation via operating system User Association: controlled by the authentication to the RW Output: NA operating system. operating system Storage: RAM plaintext Agreement: NA External Entity RSA Public key External generation by Establish Session Crypto Public Key associated with FIPS-approved Officer Type: Ephemeral Entry: Plaintext remote entities (such technique as SiteProtector) RWD Association: The system is the Output: NA User one and only owner. RWD Relationship is maintained by the operating system via X509 certificates. Storage: RAM plaintext Agreement: NA DRBG Seed Key 256-bit value to seed Generated internally Establish Session Crypto the FIPS-approved by non-Approved RNG Officer Type: Ephemeral Entry: NA DRBG None Document Version 0.6 © IBM Security Page 22 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA Entropy Input Input value for Generated internally Establish Session Crypto String entropy calculation by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA Hash_DRBG V and C values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA HMAC_DRBG V and Key values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Document Version 0.6 © IBM Security Page 23 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Storage: RAM plaintext Agreement: NA CTR_DRBG V and Key values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: On disk in plaintext Agreement: NA RSA Private Private key for sign / Internal generation at Establish Session Crypto Key verify operations and installation by DRBG Officer Type: Static Entry: NA key establishment 4 for XGS TLS connections RWD Association: The system is the Output: None User one and only owner. R Relationship is maintained by the operating system via protected memory. Storage: On disk in plaintext Agreement: NA RSA Public Key Public key for sign / Internal generation at Establish Session Crypto verify operations and installation by DRBG Officer Type: Static Entry: NA key establishment 5 for XGS TLS connections RWD Association: The system is the Output: plaintext User Encryption/Decryption one and only owner. during TLS negotiation R of the Premaster Relationship is maintained by Secret for the operating system via X509 entry/output certificates. Key establishment methodology provides 112 or 128 bits of encryption strength 4 Key establishment methodology provides 112 or 128 bits of encryption strength 5 Document Version 0.6 © IBM Security Page 24 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Storage: RAM plaintext Agreement: NA ECDHE Private Private asymmetric Internal generation Establish Session Crypto Key key for key Officer Type: Static Entry: NA establishment 6 for RWD XGS TLS connections. Association: The system is the Output: None User one and only owner. R Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA ECDHE Public Public asymmetric key Internal generation Establish Session Crypto Key for key establishment 7 Officer Type: Static Entry: NA for XGS TLS RWD connections. Association: The system is the Output: Key handle User Encryption/Decryption one and only owner. from API request is R of the Premaster Relationship is maintained by output only to the Secret for the operating system via X509 SiteProtector entry/output certificates. application Storage: On disk in plaintext Agreement: NA ECDSA Private Private key for sign / Internal generation Establish Session Crypto Key verify operations and Officer Type: Static Entry: NA key establishment for RWD XGS TLS connections User Association: The system is the Output: None R one and only owner. Relationship is maintained by the operating system via X509 certificates. Key establishment methodology provides between 128 and 256 bits of encryption strength 6 Key establishment methodology provides between 128 and 256 bits of encryption strength 7 Document Version 0.6 © IBM Security Page 25 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Storage: On disk in plaintext Agreement: NA ECDSA Public Public key for sign / Internal generation Establish Session Crypto Key verify operations and Officer Type: Static Entry: NA key establishment for RWD XGS TLS connections Association: The system is the Output: plaintext User one and only owner. during TLS negotiation R Relationship is maintained by the operating system via X509 certificates. Storage: On disk in plaintext Agreement: NA DSA Public Key Public key for sign / Internal generation Establish Session Crypto verify operations and Officer Type: Static Entry: NA key establishment for RWD XGS TLS connections Association: The system is the Output: plaintext User one and only owner. during TLS negotiation R Relationship is maintained by the operating system via X509 certificates. OpenSSL Implementation Storage: RAM plaintext Agreement: Via secure Session Key AES CBC 256-bit key Derived from the Decrypt Crypto for encryption / Master Secret TLS tunnel Encrypt Officer Type: Ephemeral decryption of Entry: NA management traffic RWD Association: The system is the User Output: NA one and only owner. RWD Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA DRBG Seed 160-bit system Use dev/random to Establish Session Crypto Entropy seed the gather bytes from Officer Type: Ephemeral Entry: NA DBRG several areas of system data (including None Document Version 0.6 © IBM Security Page 26 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Association: The system is the Output: NA time/date), User concatenate them one and only owner. None together and hash via Relationship is maintained by SHA-1 the operating system via protected memory. Storage: On disk in plaintext Agreement: NA RSA Private Private key for sign / Internal generation at Establish Session Crypto Key verify operations and installation by DRBG Officer Type: Static Entry: NA key establishment 8 for XGS TLS connections RWD Association: The system is the Output: None User one and only owner. R Relationship is maintained by the operating system via protected memory. Storage: On disk in plaintext Agreement: NA RSA Public Key Public key for sign / Internal generation at Establish Session Crypto verify operations and installation by DRBG Officer Type: Static Entry: NA key establishment 9 for XGS TLS connections RWD Association: The system is the Output: plaintext User Encryption/Decryption one and only owner. during TLS negotiation R of the Premaster Relationship is maintained by Secret for the operating system via X509 entry/output certificates. Storage: RAM plaintext Agreement: NA ECDHE Private Private asymmetric Internal generation Establish Session Crypto Key key for key Officer Type: Static Entry: NA establishment 10 for RWD XGS TLS connections. Key establishment methodology provides 112 or 128 bits of encryption strength 8 Key establishment methodology provides 112 or 128 bits of encryption strength 9 Key establishment mythology provides between 128 and 256 bits of encryption strength 10 Document Version 0.6 © IBM Security Page 27 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Association: The system is the Output: None User one and only owner. R Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA ECDHE Public Public asymmetric key Internal generation Establish Session Crypto Key for key Officer Type: Static Entry: NA establishment 11 for RWD XGS TLS connections. Association: The system is the Output: Key handle User one and only owner. from API request is R Relationship is maintained by output only to the the operating system via X509 SiteProtector certificates. application Storage: RAM plaintext Agreement: NA Premaster RSA-Encrypted Internal generation by Establish Session Crypto Secret (48 Premaster Secret DRBG Officer Type: Ephemeral Entry: Input during TLS Bytes) None Message negotiation User Association: The system is the None Output: Output to one and only owner. Relationship is maintained by server encrypted by the operating system via Public Key protected memory. Storage: RAM plaintext Agreement: NA Master Secret Used for computing Internal generation by Establish Session Crypto (48 Bytes) the Session Key DRBG Officer Type: Ephemeral Entry: NA None Key establishment mythology provides between 128 and 256 bits of encryption strength 11 Document Version 0.6 © IBM Security Page 28 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA SNMP AES Key AES CBC 256-bit key Internal generation by Encrypt Crypto for encryption / DRBG Officer Type: Ephemeral Entry: NA decryption of SNMP RWD traffic User Association: The system is the Output: NA RWD one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA HMAC key HMAC-SHA-1, HMAC- Internal generation at Establish Session Crypto SHA-224, HMAC-SHA- installation by DRBG Officer Type: Ephemeral Entry: NA 256, HMAC-SHA-384, HMAC-SHA-512 for RWD Association: The system is the Output: None message verification User one and only owner. Relationship is maintained by RWD the operating system via protected memory. Storage: RAM plaintext Agreement: NA DRBG Seed Key 256-bit value to seed Generated internally Establish Session Crypto the FIPS-approved by non-Approved RNG Officer Type: Ephemeral Entry: NA DRBG None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Document Version 0.6 © IBM Security Page 29 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Storage: RAM plaintext Agreement: NA Entropy Input Input value for Generated internally Establish Session Crypto String entropy calculation by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA Hash_DRBG V and C values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA HMAC_DRBG V and Key values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: RAM plaintext Agreement: NA CTR_DRBG V and Key values Generated internally Establish Session Crypto mechanism by non-Approved RNG Officer Type: Ephemeral Entry: NA None Document Version 0.6 © IBM Security Page 30 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 User Association: The system is the Output: NA None one and only owner. Relationship is maintained by the operating system via protected memory. Storage: On disk in plaintext Agreement: NA ECDSA Private Private key for sign / Internal generation Establish Session Crypto Key verify operations and Officer Type: Static Entry: NA key establishment for RWD XGS TLS connections Association: The system is the Output: None User one and only owner. R Relationship is maintained by the operating system via X509 certificates. Storage: On disk in plaintext Agreement: NA ECDSA Public Public key for sign / Internal generation Establish Session Crypto Key verify operations and Officer Type: Static Entry: NA key establishment for RWD XGS TLS connections Association: The system is the Output: plaintext User one and only owner. during TLS negotiation R Relationship is maintained by the operating system via X509 certificates. R = Read W = Write D = Delete Table 8 - Key/CSP Management Details Document Version 0.6 © IBM Security Page 31 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Public keys are protected from unauthorized modification and substitution. The module ensures only authenticated operators have access to keys and functions that can generate keys. Unauthenticated operators to not have write access to modify, change, or delete a public key. Ephemeral CSPs are zeroized by the RAM clearing processes, and static CSPs are zeroized by reimaging the module. Document Version 0.6 © IBM Security Page 32 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.10 Self-Tests The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. In the event of any self-test failure, the modules will output an error dialog and will shut down. When a module is in an error state, no keys or CSPs will be output and the module will not perform cryptographic functions. The module does not support a bypass function. The following sections discuss the modules’ self-tests in more detail. 2.10.1 Power-On Self-Tests Power-on self-tests are run upon every initialization of each module and do not require operator intervention to run. If any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the users. Each module implements the following power-on self-tests: Critical functions test: Checks, identifies, and initializes system devices such as the CPU, RAM, interrupt and DMA controllers and other • parts of the chipset, BIOS FW integrity, video display memory, Storage drive, PCIe bus, network cards. System high-level POST issues are reported to the BMC, where the events are logged into the SEL. Module integrity check for OpenSSL and components other than GSKit are by digital signature verification based on a 3072-bit CAVS- • validated RSA public key using SHA-256 hashing. The signatures are created when the modules are created by IBM. Signature verification is done performed before module initialization (part of system load procedure). Module integrity check for the GSKit cryptographic library is via 2048-bit CAVS-validated RSA public key (PKCS#1.5) and a single HMAC • SHA-1 digest calculated over the module at the time it is created. This RSA public key is stored inside the static stub and relies on the operating system for protection. Self-test and library verification is performed at library load by hooking the shared library’s ‘call on load’ entry points. OpenSSL Implementation Algorithm Type Description Document Version 0.6 © IBM Security Page 33 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 SHA KAT SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 HMAC KAT One KAT per SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 AES KAT Separate encrypt and decrypt, ECB mode, 128 bit key length AES CCM KAT Separate encrypt and decrypt, 192 key length AES GCM KAT Separate encrypt and decrypt, 256 key length AES CMAC KAT Sign and verify CBC mode, 128, 192, 256 key lengths Triple-DES KAT Separate encrypt and decrypt, ECB mode, 3Key Triple-DES CMAC KAT CMAC generate and verify, CBC mode, 3Key RSA KAT Sign and verify using 2048 bit key, SHA256,PKCS#1, pairwise consistency test DRBG KAT CTR_DRBG: AES, 256 bit with and without derivation function, HASH_DRBG: SHA256, HMAC_DRBG: SHA256 ECDSA PCT KeyGen, sign, verify using P224, K233 and SHA512, pairwise consistency test RSA PCT RSA Pairwise consistency test on each generation of a key pair Table 9 - OpenSSL Self-Tests GSKIT Implementation Algorithm Type Description RSA PCT Pairwise consistency test RSA KAT signature generation with 2048 modulus RSA KAT signature verification with 2048 modulus RSA KAT encryption with 2048 modulus RSA KAT decryption with 2048 modulus ECDSA PCT pairwise consistency test with P-384 ECDSA KAT signature verification with P-384 ECDSA PCT pairwise consistency test with B-233 ECDSA KAT signature verification with B-233 ECDSA PCT pairwise consistency test with K-233 ECDSA KAT signature verification with K-233 Triple-DES–CBC KAT separate encrypt and decrypt AES 256–CBC KAT separate encrypt and decrypt AES_GCM KAT separate encrypt and decrypt Document Version 0.6 © IBM Security Page 34 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 AES_CCM KAT separate encrypt and decrypt SHA KAT SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 HMAC KAT SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 DRBG 800-90A KAT CTR_DRBG: AES, 256 bit with and without derivation function, HASH_DRBG: SHA256, HMAC_DRBG: SHA256 DSA PCT Sign and verify using 2048 bit key ECC CDH KAT Shared secret calculation per SP 800-56A §5.7.1.2, IG 9.6 DSA KAT Signing and signature verification Table 10 - GSKIT Self-Tests Each module performs all power-on self-tests automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The Power-on self-tests can be run on demand by rebooting the module in FIPS approved Mode of Operation. 2.10.2 Conditional Self-Tests Conditional self-tests are test that run continuously during operation of each module. If any of these tests fail, the module will enter an error state. The module can be re-initialized to clear the error and resume FIPS mode of operation. No services can be accessed by the operators. Each module performs the following conditional self-tests: OpenSSL Implementation • • DRBG 800-90A 
 o Health Tests compliant with SP 800-90A – Section 11.3. o The DRBG 800-90A generates a minimum of 8 bytes per request. If less than 8 bytes are requested, the rest of the bytes is discarded and the next request will generate new random data. 
 o The first 8 bytes of every request is compared with the last 8 bytes requested, if the bytes match an error is generated. 
 o For the first request made to any instantiation of a DRBG 800-90A, two internal 8 byte cycles are performed. o The DRBG 800-90A relies on the environment (i.e. proper shutdown of the shared libraries) for resistance to retrospective attacks on data. 
 o The DRBG 800-90A performs known answer tests when first instantiated and health checks at intervals as specified in the standard. 
 • True Random Number Generator (TRNG) 
 Document Version 0.6 © IBM Security Page 35 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 A non-deterministic RNG (NDRNG) is used to seed the DRBG. Every time a new seed or n bytes is required (either to initialize o the DRBG, reseed the DRBG periodically or reseed the DRBG by user’s demand), the cryptographic module performs a comparison between the SHA-256 message digest using the new seed and the previously calculated digest. If the values match, the TRNG generates a new stream of bytes until the continuous DRBG test passes. 
 DRBG FIPS 140-2 continuous test for stuck fault • ECDSA Pairwise consistency test on each generation of a key pair • RSA Pairwise consistency test on each generation of a key pair • GSKIT Implementation • • Pairwise consistency test for RSA (Signature Generation, Signature Verification, Key Generation, Key Wrapping) • Pairwise consistency test for ECDSA (KeyPair Generation, PKV, Signature Generation, Signature Verification) • DSA Pairwise consistency test on each generation of a key pair • DRBG 800-90A 
 o Health Tests compliant with SP 800-90A – Section 11.3. o The DRBG 800-90A generates a minimum of 8 bytes per request. If less than 8 bytes are requested, the rest of the bytes is discarded and the next request will generate new random data. 
 o The first 8 bytes of every request is compared with the last 8 bytes requested, if the bytes match an error is generated. 
 o For the first request made to any instantiation of a DRBG 800-90A, two internal 8 byte cycles are performed. o The DRBG 800-90A relies on the environment (i.e. proper shutdown of the shared libraries) for resistance to retrospective attacks on data. 
 o The DRBG 800-90A performs known answer tests when first instantiated and health checks at intervals as specified in the standard. 
 • True Random Number Generator (TRNG) 
 o A non-deterministic RNG (NDRNG) is used to seed the DRBG. Every time a new seed or n bytes is required (either to initialize the DRBG, reseed the DRBG periodically or reseed the DRBG by user’s demand), the cryptographic module performs a comparison between the SHA-256 message digest using the new seed and the previously calculated digest. If the values match, the TRNG generates a new stream of bytes until the continuous DRBG test passes. 
 The module will inhibit data output via the output interface when conditional tests are performed. Once the tests have passed and the keys have been generated, the module will pass the key to the calling daemon. The modules do not perform a firmware load test because no additional firmware can be loaded in the module while operating in FIPS-approved mode. Please see Section 3 for guidance on configuring and maintaining FIPS mode. Document Version 0.6 © IBM Security Page 36 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 2.11 Mitigation of Other Attacks The module does not mitigate other attacks. Document Version 0.6 © IBM Security Page 37 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 3 Guidance and Secure Operation This section describes how to configure the modules for FIPS-approved mode of operation. Operating a module without maintaining the following settings will remove the module from the FIPS-approved mode of operation. All updates via the My Software | Download menu are signed using SP 800-131a validated algorithms with RSA-3072 key-pair and SHA-256 integrity hash. 3.1 Crypto Officer Guidance 3.1.1 Firmware Installation To install the appliance firmware, please follow these steps: 1. Log in to the ISS support site at https://ibmss.flexnetoperations.com/, 2. Select My Software | Download from the menu 3. Choose IBM Security Network Protection (XGS) and then the specific XGS model. 4. Select the appropriate firmware and recovery images from the New Versions dropdown menu then select Go 5. Accept the End User License and select Submit 6. Select the appropriate Recovery image type (USB image) 7. Download the *.img image and follow the installation instructions. 3.1.2 Enabling FIPS Mode When first powering on the module, the operator will be guided through a configuration wizard. In the CLI, the following will appear: Enable FIPS mode Document Version 0.6 © IBM Security Page 38 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 To initialize the module for FIPS mode, the Crypto Officer must select Y at this prompt then 1 to enable FIPS mode. Note: The module can only be enabled for FIPS mode at the time of initial configuration. Additionally, if the module enters an error state (e.g., a known answer test fails), the module must be powered off and reimaged to FIPS mode of operation. The Crypto Officer must configure and enforce the following initialization procedures in order to operate in FIPS approved mode of operation: Verify that the firmware version of the module is Version 5.3.1. No other version can be loaded or used in FIPS mode of operation. • Apply tamper evidence labels as specified in Section 1.16.4 – Placement of Tamper Evidence Labels. The tamper evident labels shall be • installed for the module to operate in a FIPS Approved mode of operation. Ensure any unused labels are secure at all times. • Inspect the tamper evidence labels periodically to verify they are intact. • Do not disclose passwords and store passwords in a safe location and according to his/her organization’s systems security policies for • password storage. Root privilege to the module must be disabled. • Configure the module to lock accounts after 3 unsuccessful authentication attempts. • 3.1.3 Placement of Tamper Evidence Labels To meet Physical Security Requirements for Level 2, each module enclosure must be protected with tamper evidence labels. The tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation. The Crypto Officer is responsible for applying the labels; IBM Security does not apply the labels at time of manufacture. Once applied, the Crypto Officer shall not remove or replace the labels unless the module has shown signs of tampering, in which case the Crypto Officer shall reimage the module and follow all Guidance to place the module in FIPS mode. Please note that if additional labels need to be ordered, the Crypto Officer shall contact IBM Security support and request part number 00VM255. Document Version 0.6 © IBM Security Page 39 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 The Crypto Officer is responsible for securing and having control at all times of any unused seals, and • maintaining the direct control and observation of any changes to the module such as reconfigurations where the tamper evident seals or • security appliances are removed or installed to ensure the security of the module is maintained during such changes and the module is returned to a FIPS Approved state. Important – Do not disturb labels for 10 minutes after application. You must allow labels to set for 24 hours at room temperature to reach full tamper resistance. 3.1.3.1 XGS 3100 Up to five tamper evidence labels are required for XGS FIPS 140-2 Level 2 deployments. (Functional NIMs do not need tamper labels.) Application of the tamper evidence labels is as follows: Note – Tamper labels are very fragile. Handle with care. 1. Turn off and unplug the system. 2. Clean the enclosure before you apply the tamper evidence labels. 3. Place Label #1 over the top left side of the enclosure, covering the cover screw, as shown in Figure 4 – XGS 3100 Tamper evidence label placement (top left). 4. Place Label #2 over the bottom back side of the enclosure, covering the bottom right corner of the left fan (1), as shown in Figure 5 – XGS 3100 Tamper evidence label placement (bottom back). 5. Place Label #3 over the bottom back side of the enclosure, covering the bottom right corner of the middle fan (2), as shown in Figure 5 – XGS 3100 Tamper evidence label placement (bottom back). 6. Place Label #4 over the bottom back side of the enclosure, covering the bottom right corner of the right fan (3), as shown in Figure 5 – XGS 3100 Tamper evidence label placement (bottom back). Document Version 0.6 © IBM Security Page 40 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 7. Place Label #5 over the top front side of the enclosure, covering the right side of the storage tray (1), as shown in Figure 6 - XGS 3100 Tamper evidence label placement (top front). Important – Do not disturb labels for 10 minutes after application. You must allow labels to set for 24 hours at room temperature to reach full tamper resistance. Figure 4 - XGS 3100 Tamper evidence label placement (top left) Document Version 0.6 © IBM Security Page 41 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 5 – XGS 3100 Tamper evidence label placement (bottom back) Figure 6 - XGS 3100 Tamper evidence label placement (top front) 3.1.3.2 XGS 4100 Up to seven tamper evidence labels are required for XGS FIPS 140-2 Level 2 deployments. (Functional NIMs do not need tamper labels.) Application of the tamper evidence labels is as follows: Note – Tamper labels are very fragile. Handle with care. 1. Turn off and unplug the system. 2. Clean the enclosure before you apply the tamper evidence labels. Document Version 0.6 © IBM Security Page 42 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 3. Place Label #1 over the top left side of the enclosure, covering the cover screw, as shown in Figure 7 – XGS 4100 Tamper evidence label placement (top left). 4. Place Label #2 over the bottom back side of the enclosure, covering the bottom right corner of the left fan (1), as shown in Figure 8 – XGS 4100 Tamper evidence label placement (bottom back). 5. Place Label #3 over the bottom back side of the enclosure, covering the bottom right corner of the middle fan (2), as shown in Figure 8 – XGS 4100 Tamper evidence label placement (bottom back). 6. Place Label #4 over the bottom back side of the enclosure, covering the bottom right corner of the right fan (3), as shown in Figure 8 – XGS 4100 Tamper evidence label placement (bottom back). 7. Place Label #5 over the top front side of the enclosure, covering the right side of the left storage (1) tray, as shown in Figure 9 – XGS 4100 Tamper evidence label placement (top and bottom front). 8. Place Label #6 over the top front side of the enclosure, covering the right side of the right storage tray (2), as shown in Figure 9 – XGS 4100 Tamper evidence label placement (top and bottom front). 9. Place Label #7 over the bottom front side of the enclosure, covering the middle of the NIM (2), as shown in Figure 9 – XGS 4100 Tamper evidence label placement (top and bottom front). Important – Do not disturb labels for 10 minutes after application. You must allow labels to set for 24 hours at room temperature to reach full tamper resistance. Document Version 0.6 © IBM Security Page 43 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 7 - XGS 4100 Tamper evidence label placement (top left). Figure 8 – XGS 4100 Tamper evidence label placement (bottom back) Document Version 0.6 © IBM Security Page 44 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 9 – XGS 4100 Tamper evidence label placement (top and bottom front) 3.1.3.3 XGS 5100 Up to eight tamper evidence labels are required for XGS FIPS 140-2 Level 2 deployments. (Functional NIMs do not need tamper labels.) Application of the tamper evidence labels is as follows: Note – Tamper labels are very fragile. Handle with care. 1. Turn off and unplug the system. 2. Clean the enclosure before you apply the tamper evidence labels. 3. Place Label #1 over the top left side of the enclosure, covering the cover screw, as shown in Figure 10– XGS 5100 Tamper evidence label placement (top left). 4. Place Label #2 over the bottom back side of the enclosure, covering the bottom left corner of the left fan (1), as shown in Figure 11 – XGS 5100 Tamper evidence label placement (bottom back). 5. Place Label #3 over the bottom back side of the enclosure, covering the bottom left corner of the middle fan (2), as shown in Figure 11 – XGS 5100 Tamper evidence label placement (bottom back). 6. Place Label #4 over the bottom back side of the enclosure, covering the bottom left corner of the right fan (3), as shown in Figure 11 – XGS 5100 Tamper evidence label placement (bottom back). Document Version 0.6 © IBM Security Page 45 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 7. Place Label #5 over the top front side of the enclosure, covering the right side of the left storage tray (1), as shown in Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front). 8. Place Label #6 over the top front side of the enclosure, covering the right side of the right storage tray (2), as shown in Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front). 9. Place Label #7 over the bottom front side of the enclosure, covering the middle of the left NIM (2), as shown in Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front). 10. Place Label #8 over the bottom front side of the enclosure, covering the middle of the right NIM (3), as shown in Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front). Important – Do not disturb labels for 10 minutes after application. You must allow labels to set for 24 hours at room temperature to reach full tamper resistance. Figure 10 – XGS 5100 Tamper evidence label placement (top left) Document Version 0.6 © IBM Security Page 46 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 11 – XGS 5100 Tamper evidence label placement (bottom back) Figure 12 – XGS 5100 Tamper evidence label placement (top and bottom front) 3.1.3.4 XGS 7100 Up to 10 tamper evidence labels are required for XGS FIPS 140-2 Level 2 deployments. (Functional NIMs do not need tamper labels.) Application of the tamper evidence labels is as follows: Note – Tamper labels are very fragile. Handle with care. 1. Turn off and unplug the system. 2. Clean the enclosure before you apply the tamper evidence labels. 3. Place Label #1 over the top left side of the enclosure, covering the cover screw, as shown in Figure 13 – XGS 7100 Tamper evidence label placement (top left). Document Version 0.6 © IBM Security Page 47 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 4. Place Label #2 over the bottom back side of the enclosure, covering the bottom left corner of the left fan (1), as shown in Figure 14 – XGS 7100 Tamper evidence label placement (bottom back). 5. Place Label #3 over the bottom back side of the enclosure, covering the bottom left corner of the middle fan (2), as shown in Figure 14 – XGS 7100 Tamper evidence label placement (bottom back). 6. Place Label #4 over the bottom back side of the enclosure, covering the bottom left corner of the right fan (3), as shown in Figure 14 – XGS 7100 Tamper evidence label placement (bottom back). 7. Remove left NIM (1), place Label #5 in the middle of the bottom of the left storage tray (1), and then wrap the label up over the storage tray so that it covers the middle of the storage tray, as shown in Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front). Replace the left NIM. 8. Remove second from the left NIM (2), place Label #6 on the middle of the bottom the left storage tray (2), and then wrap the label up over the storage tray so that it covers the middle of the storage tray, as shown in Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front). Replace the second from the left NIM. 9. Place Label #7 over the bottom front side of the enclosure, covering the middle of the left NIM (1), as shown in Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front). 10. Place Label #8 over the bottom front side of the enclosure, covering the middle of the second from the left NIM (2), as shown in Figure15 – XGS 7100 Tamper evidence label placement (top and bottom front). 11. Place Label #9 over the bottom front side of the enclosure, covering the middle of the third from the left NIM (3), as shown in Figure 14 – XGS 7100 Tamper evidence label placement (top and bottom front). 12. Place Label #10 over the bottom front side of the enclosure, covering the middle of the fourth from the left NIM (4), as shown in Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front). Important – Do not disturb labels for 10 minutes after application. You must allow labels to set for 24 hours at room temperature to reach full tamper resistance. Document Version 0.6 © IBM Security Page 48 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 13 – XGS 7100 Tamper evidence label placement (top left) Figure 14 – XGS 7100 Tamper evidence label placement (bottom back) Document Version 0.6 © IBM Security Page 49 of 50 FIPS 140-2 Non-Proprietary Security Policy: IBM Security XGS 3100, XGS 4100, XGS 5100, and XGS 7100 Figure 15 – XGS 7100 Tamper evidence label placement (top and bottom front) 3.2 User Guidance 3.2.1 General Guidance The User role is defined by a management session over a TLS tunnel. As such, this role is authenticated, and no additional guidance is required to maintain FIPS mode of operation. End of Document Document Version 0.6 © IBM Security Page 50 of 50