Cisco IOS 15.5M Router Security Policy Integrated Services Router (ISR) 891W, 1941W, 829W FIPS 140-2 Non Proprietary Security Policy Level 1 Validation Version 1.0 June 2016 © Copyright 2016 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table of Contents 1 INTRODUCTION .................................................................................................................. 3 1.1 PURPOSE ............................................................................................................................. 3 1.2 MODULE VALIDATION LEVEL ............................................................................................ 3 1.3 REFERENCES ....................................................................................................................... 3 1.4 TERMINOLOGY ................................................................................................................... 3 1.5 DOCUMENT ORGANIZATION ............................................................................................... 3 2 CISCO ISR WIRELESS ROUTERS ................................................................................... 5 2.1 MODULE INTERFACES ......................................................................................................... 6 DATA INPUT INTERFACE ....................................................................................................... 6 2.2 CRYPTOGRAPHIC BOUNDARY ............................................................................................. 7 2.3 ROLES, SERVICES AND AUTHENTICATION .......................................................................... 7 2.3.1 User Services .............................................................................................................. 7 2.3.2 Crypto Officer Services ............................................................................................... 8 2.4 UNAUTHENTICATED SERVICES ........................................................................................... 9 2.5 CRYPTOGRAPHIC KEY MANAGEMENT ................................................................................ 9 2.6 CRYPTOGRAPHIC ALGORITHMS ........................................................................................ 12 2.6.1 Approved Cryptographic Algorithms........................................................................ 12 2.6.2 Non-FIPS Approved Algorithms Allowed in FIPS Mode ......................................... 14 2.6.3 Non-FIPS Approved Algorithms ............................................................................... 14 2.7 SELF-TESTS ...................................................................................................................... 14 2.7.1 Router Power-On Self-Tests (POSTs) ....................................................................... 14 2.7.2 AP Power-On Self-Tests (POSTs) ............................................................................. 15 2.7.3 Router Conditional tests ........................................................................................... 15 2.7.4 AP Conditional tests ................................................................................................. 15 3 SECURE OPERATION ...................................................................................................... 17 3.1 INITIAL SETUP .................................................................................................................. 17 3.2 SYSTEM INITIALIZATION AND CONFIGURATION ................................................................ 17 3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ............................................ 17 3.4 SSLV3.1/TLS REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ............................... 18 3.5 ACCESS ............................................................................................................................. 18 © Copyright 2016 Cisco Systems, Inc. 2 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 Introduction Purpose 1.1 This is the non-proprietary Cryptographic Module Security Policy for Cisco IOS 15.5M Router running on Cisco 891W, 1941W and IR829W (Router Firmware Version: IOS 15.5M and AP Firmware Version: 15.3.3-JB). This security policy describes how the modules meet the security requirements of FIPS 140-2 Level 1 and how to run the modules in a FIPS 140-2 mode of operation and may be freely distributed. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. Module Validation Level 1.2 The following table lists the level of validation for each area in the FIPS PUB 140-2. No. Area Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 3 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key management 1 8 Electromagnetic Interface/Electromagnetic Compatibility 1 9 Self-Tests 1 10 Design Assurance 3 11 Mitigation of Other Attacks N/A Overall module validation level 1 Table 1 Module Validation Level References 1.3 This document deals only with the capabilities and operations of the Cisco 891W, 1941W and IR829W in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources: For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com. The NIST Validated Modules website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module. Terminology 1.4 In this document, these Cisco Integrated Services Router models identified above are referred to as Integrated Services Router, ISR or the systems. Document Organization 1.5 The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document © Copyright 2016 Cisco Systems, Inc. 3 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Finite State Machine Other supporting documentation as additional references This document provides an overview of the routers and explains their secure configuration and operation. This introduction section is followed by Section 2, which details the general features and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems. © Copyright 2016 Cisco Systems, Inc. 4 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 Cisco ISR Wireless Routers Cisco 891W, 1941W, IR829W are multifunctional networking devices delivering fast, reliable, data transfers with a high standard in security. These routers offer full network security, and other capabilities to fill networking needs for a small to medium size network. The following subsections describe the physical characteristics of the Cisco 891W, 1941W and IR829W which are a multiple-chip standalone cryptographic module. Cisco 891 Gigabit Ethernet security router with SFP and Dual Radio 802.11n Wifi for FCC -A domain or ETSI -E domain. Cisco 891 Series Integrated Services Routers are designed to deliver highly secure broadband, Metro Ethernet, wireless LAN connectivity, and business continuity for enterprise small branch offices. Secure 802.11a/g/n access point (optional), which offers dual-band radios for mobility, and supports Cisco Unified WLAN architectures. The Cisco 1941 are future-enabled with multi-core CPUs, Gigabit Ethernet switching with enhanced POE, and new energy monitoring and control capabilities while enhancing overall system performance. Additionally, a new Cisco IOS® Software Universal image and Services Ready Engine module enable you to decouple the deployment of hardware and software, providing a stable technology foundation which can quickly adapt to evolving network requirements. The units offer differentials based on carrier and country compliance of use. The IR829 are the first generation Internet of Things Group (IOTG) Routing Platform intended for hardened/extended-temperature M2M, mobile/fleet, Smart-Connected Vehicle (SCV), and road-side infrastructure applications. C829 Hardened WAN GE 4G LTE secure platform multi-mode carrier specific with 802.11n, FCC compliant. The tested platforms consist of the following components: Router Hardware Model Protocols Firmware version C891FW-A C891 C891FW-E 802.1X Authentication, SSH, Router IOS 15.5M 1941W 1941W TLS (VPN/Mgt/SIP), IPSec, and AP IOS 15.3.3-JB SNMPv3 IR829GW-LTE-NA-A IR829 IR829GW-LTE-VZ-A Table 2 Module Hardware Configurations The following pictures are representative each of the modules hardware model: Figure 1 - Cisco 891W ISR © Copyright 2016 Cisco Systems, Inc. 5 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 2 - Cisco 1941 ISR Figure 3 - IR829 Module Interfaces 2.1 The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table: Logical Interface 891w 1941w IR829w Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Fast Ethernet (FE) ports WAN interface slots Console Port Antenna Ports EHWIC Auxiliary Port Data Input Interface Console Port Antenna Ports Antenna Ports Auxiliary Port Console Port USB Console Port Auxiliary Port USB Console Port Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Fast Ethernet (FE) ports WAN interface slots Console Port Antenna Ports EHWIC Auxiliary Port Data Output Interface Console Port Antenna Ports Antenna Ports Auxiliary Port Console Port USB Console Port Auxiliary Port USB Console Port Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Fast Ethernet (FE) ports WAN interface slots Console Port Antenna Ports EHWIC Auxiliary Port Console Port Antenna Ports Antenna Ports Control Input Interface Auxiliary Port Console Port USB Console Port Reset Button Auxiliary Port Reset Button USB Console Port Reset Button Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Gigabit Ethernet (GE) ports Fast Ethernet (FE) ports WAN interface slots Console Port Antenna Ports EHWIC Auxiliary Port Console Port Antenna Ports Antenna Ports Status Output Interface Auxiliary Port Console Port USB Console Port LED Auxiliary Port Top Panel LED USB Console Port Top Panel Ethernet LED © Copyright 2016 Cisco Systems, Inc. 6 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Logical Interface 891w 1941w IR829w Ethernet Jack LEDs Top Panel Status LED 5v DC power supply 110v ~240v AC power supply 12VDC, 30W or 60W AC Power Interface POE POE Table 3 Module Interfaces Cryptographic Boundary 2.2 The cryptographic boundary of the module is the physical enclosure of the system on which the module is executed. All of the functionality discussed in this document is provided by components within this cryptographic boundary. Roles, Services and Authentication 2.3 Authentication is identity-based. Each user is authenticated upon initial access to the module. The module also supports RADIUS or TACACS+ for authentication. There are two roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role and associated services in order to configure the router, while the Users exercise only the basic User services. A complete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual or Configuration Guide Manual and in the online help for the routers. The User and Crypto Officer passwords and all shared secrets must each be at least eight (8) characters long, including at least one letter and at least one number character, in length (enforced procedurally). See the Secure Operation section for more information. If six (6) integers, one (1) special character and one (1) alphabet are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 4,488,223,369,069,440 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. Since it is claimed to be for 8 digits with no repetition, then the calculation should be 94 x 93 x 92 x 91 x 90 x 89 x 88 x 87). In order to successfully guess the sequence in one minute would require the ability to make over 74,803,722,817,824 guesses per second, which far exceeds the operational capabilities of the module. Additionally, when using RSA-based authentication, RSA key pair has a modulus size of 2048-3072 bits, thus providing 112 or 128 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2 112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 5.19x1028 attempts per minute, which far exceeds the operational capabilities of the modules to support. 2.3.1 User Services Users enter the system by accessing the console port with a terminal program or via IPSec protected telnet or SSH session to a LAN port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role and the type of access – read (r), write (w) and zeroized/delete (d) –are listed below. Services and Access Description Keys and CSPs Status Functions View state of interfaces and protocols, version of IOS currently running. User password (r) Network Functions Connect to other network devices through outgoing telnet, PPP, etc. and User password (r) initiate diagnostic network services (i.e., ping, mtrace). Terminal Functions Adjust the terminal session (e.g., lock the terminal, adjust flow control). User password (r) Directory Services Display directory of files kept in flash memory. User password (r) Self-Tests Execute the FIPS 140 start-up tests on demand N/A SSL VPN (TLSv1.0) Negotiation and encrypted data transport via SSL VPN (TLSv1.0) Operator password (r, w, d) and [TLS pre-master secret, TLS Traffic Keys] (r, w, d) IPsec VPN Negotiation and encrypted data transport via IPSec VPN Operator password (r, w, d) and [skeyid, skeyid_d, SKEYSEED, IKE session © Copyright 2016 Cisco Systems, Inc. 7 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Services and Access Description Keys and CSPs encrypt key, IKE session authentication key, ISAKMP preshared, IKE authentication private Key, IKE authentication public key, IPsec encryption key, IPsec authentication key] (r, w, d) SSH Functions Negotiation and encrypted data transport via SSH Operator password (r. w. d), SSH Traffic Keys (r, w, d) HTTPS Functions (TLS) Negotiation and encrypted data transport via HTTPS Operator password (r, w, d) and [TLS pre-master secret, TLS Traffic Keys] (r, w, d) SNMPv3 Functions Negotiation and encrypted data transport via SNMPv3 SNMP v3 password, SNMP session key (r, w, d) Wireless functions Negotiation and encrypted data transport via 802.11i User password (r, w, d) Table 4 - User Services 2.3.2 Crypto Officer Services During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined. A Crypto Officer can assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration of the router. The services available to the Crypto Officer role and the type of access – read (r), write (w) and zeroized/delete (d) –are listed below. Services and Access Description Keys and CSPs Configure the router Define network interfaces and settings, create command [ISAKMP preshared, Operator password, aliases, set the protocols the router will support, enable Enable password] - (r, w, d), [IKE session interfaces and network services, set system date and time, encrypt key, IKE session authentication key, and load authentication information. IKE authentication private Key, IKE authentication public key, IPsec encryption key, IPsec authentication key] – (w, d) Define Rules and Filters Create packet Filters that are applied to User data streams on Operator password, Enable password - (r, w, each interface. Each Filter consists of a set of Rules, which d) define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. View Status Functions View the router configuration, routing tables, active Operator password, Enable password - (r, w, sessions, use gets to view SNMP MIB statistics, health, d) temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status. Manage the router Log off users, shutdown or reload the router, erase the flash Operator password, Enable password - (r, w, memory, manually back up router configurations, view d) complete configurations, manager user rights, and restore router configurations. SNMPv3 Non security-related monitoring by the CO SnmpEngineID, SNMP v3 password, using SNMPv3. SNMP session key (w, d) Configure Encryption/Bypass Set up the configuration tables for IP tunneling. Set [ISAKMP preshared, Operator password, preshared keys and algorithms to be used for each IP range Enable password] - (r, w, d); [IKE session or allow plaintext packets to be set from specified IP encrypt key, IKE session authentication key, address. IKE authentication private Key, IKE authentication public key, IPsec encryption key, IPsec authentication key] – (w, d) TLS pre-master secret, TLS Traffic Keys – SSL VPN (TLSv1.0) Configure SSL VPN parameters, provide entry and output of CSPs. (r, w, d) SSH v2 Configure SSH v2 parameter, provide entry and output of SSHv2 Private Key, SSHv2 Public Key and CSPs. SSHv2 session key (r, w, d) IPsec VPN Configure IPsec VPN parameters, provide entry and output skeyid, skeyid_d, IKE session encryption of CSPs. ISAKMP preshared (r, w, d), [skeyid, skeyid_d, SKEYSEED, IKE session encrypt key, IKE session authentication key, IKE authentication private Key, IKE © Copyright 2016 Cisco Systems, Inc. 8 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. authentication public key, IPsec encryption key, IPsec authentication key] – (r, w, d) Self-Tests Execute the FIPS 140 start-up tests on demand N/A User services The Crypto Officer has access to all User services. Operator password (r, w, d) Zeroization Zeroize cryptographic keys All CSPs (d) Wireless Functions Configure wireless parameters, provide entry and output of 802.11i Pre-shared Key (PSK), 802.11i CSPs. Pairwise Master Key (PMK), 802.11i Pairwise Transient Key (PTK), 802.11i Temporal Key (TK), 802.11i Group Master Key (GMK), 802.11i Group Temporal Key (GTK) (r, w, d) Table 5 - Crypto Officer Services Unauthenticated Services 2.4 The services available to unauthenticated users are:  Viewing the status output from the module’s LEDs  Powering the module on and off using the power switch  Sending packets in bypass Cryptographic Key Management 2.5 The router securely administers both cryptographic keys and other critical security parameters such as passwords. All keys are protected by the Crypto Officer role login password-protection, and these keys can be zeroized by the Crypto Officer. Zeroization consists of overwriting the memory that stored the key. The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (except DH and RSA key transport which are allowed in the approved mode for key establishment despite being non-approved). All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the Internet Key Exchange (IKE)/Group Domain of Interpretation (GDOI). RSA Public keys are entered into the modules using digital certificates which contain relevant data such as the name of the public key's owner, which associates the key with the correct entity. All other keys are associated with the user/role that entered them. The module supports the following keys and critical security parameters (CSPs). Name CSP Type Size Description Storage Zeroization DRBG entropy SP800-90A 256-bits This is the entropy for SP 800-90A SDRAM Power cycle the input DRBG_CTR CTR_DRBG. (plaintext) device (using AES-256) HW (onboard Cavium cryptographic processor) based entropy source used to construct seed. DRBG Seed SP800-90A 384-bits Input to the DRBG that determines the internal SDRAM Power cycle the DRBG_CTR state of the DRBG. Generated using DRBG (plaintext) device derivation function that includes the entropy input from hardware-based entropy source. DRBG V SP800-90A 128-bits The DRBG V is one of the critical values of the SDRAM Power cycle the DRBG_CTR internal state upon which the security of this (plaintext) device DRBG mechanism depends. Generated first during DRBG instantiation and then subsequently updated using the DRBG update function. DRBG Key SP800-90A 256-bits Internal Key value used as part of SP 800-90A SDRAM Power cycle the © Copyright 2016 Cisco Systems, Inc. 9 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. DRBG_CTR CTR_DRBG. Established per SP 800-90A (plaintext) device CTR_DRBG. 2048 – 4096 Diffie-Hellman DH The shared secret used in Diffie-Hellman (DH) SDRAM Power cycle the Shared Secret bits exchange. Established per the Diffie-Hellman (plaintext) device key agreement. Diffie Hellman DH 224-379 bits The private key used in Diffie-Hellman (DH) SDRAM Power cycle the private key exchange. This key is generated by calling (plaintext) device SP800-90A DRBG. 2048 – 4096 Diffie Hellman DH The public key used in Diffie-Hellman (DH) SDRAM Power cycle the public key bits exchange. This key is derived per the Diffie- (plaintext) device Hellman key agreement. EC Diffie- ECDH Curves: P- Used in establishing the session key for an IPSec SDRAM Power cycle the Hellman private 256/P-384 session. The private key used in Elliptic Curve (plaintext) device key Diffie-Hellman (ECDH) exchange. This key is generated by calling SP800-90A DRBG. EC Diffie- ECDH Curves: P- Used in establishing the session key for an IPSec SDRAM Power cycle the Hellman public 256/P-384 session. The public key used in Elliptic Curve (plaintext) device key Diffie-Hellman (ECDH) exchange. This key is established per the EC Diffie-Hellman key agreement. EC Diffie- ECDH Curves: P- The shared secret used in Elliptic Curve Diffie- SDRAM Power cycle the Hellman shared 256/P-384 Hellman (ECDH) exchange. Established per the (plaintext) device secret Elliptic Curve Diffie-Hellman (ECDH) protocol. skeyid Shared Secret 160 bits A shared secret known only to IKE peers. It was SDRAM Power cycle the established via key derivation function defined (plaintext) device in SP800-135 KDF (IKEv1) and it will be used for deriving other keys in IKE protocol implementation. skeyid_d Shared Secret 160 bits A shared secret known only to IKE peers. It was SDRAM Power cycle the derived via key derivation function defined in (plaintext) device SP800-135 KDF (IKEv1) and it will be used for deriving IKE session authentication key. SKEYSEED Shared Secret 160 bits A shared secret known only to IKE peers. It was SDRAM Power cycle the derived via key derivation function defined in (plaintext) device SP800-135 KDF (IKEv2) and it will be used for deriving IKE session authentication key. IKE session Triple-DES/AES 192 bit Triple- The IKE session (IKE Phase I) encrypt key. This SDRAM Power cycle the encrypt key DES or key is derived via key derivation function (plaintext) device 128/192/256 defined in SP800-135 KDF (IKEv1/IKEv2). bits AES IKE session HMAC SHA-1 160 bits The IKE session (IKE Phase I) authentication SDRAM Power cycle the authentication key. This key is derived via key derivation (plaintext) device key function defined in SP800-135 KDF (IKEv1/IKEv2). By running ‘# no ISAKMP Pre-shared key Variable 8 plus The secret used to derive IKE skeyid when using NVRAM preshared characters preshared secret authentication. This CSP is (plaintext) crypto isakmp key’ command entered by the Crypto Officer. RSA (2048 – IKE RSA/ ECDSA RSA/ECDSA private key used in IKE NVRAM By running ‘#crypto key authentication 3072 bits) or authentication. This key is generated by calling (plaintext) zeroize’ command private Key ECDSA SP800-90A DRBG. (Curves: P- 256/P-384) RSA (2048 – IKE RSA/ ECDSA RSA/ECDSA public key used in IKE SDRAM By running © Copyright 2016 Cisco Systems, Inc. 10 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. ‘#crypto key authentication 3072 bits) or authentication. Internally generated by the (plaintext) zeroize’ command public key ECDSA module (Curves: P- 256/P-384) IPsec encryption Triple-DES/AES 192 bits Triple- The IPsec (IKE phase II) encryption key. This SDRAM Power cycle the key DES or key is derived via a key derivation function (plaintext) device 128/192/256 defined in SP800-135 KDF (IKEv1/IKEv2). bits AES IPsec HMAC- 160-512 bits The IPsec (IKE Phase II) authentication key. SDRAM Power cycle the authentication SHA1/256/384/512 This key is derived via a key derivation function (plaintext) device key defined in SP800-135 KDF (IKEv1/IKEv2). Operator Password 8 - 25 The password of the User role. This CSP is NVRAM Overwrite with password characters entered by the Crypto Officer. (plaintext) new password Enable password Password 8 - 25 The password of the CO role. This CSP is NVRAM Overwrite with characters entered by the Crypto Officer. (plaintext) new password By running ‘# no RADIUS secret Shared Secret 8 - 25 The RADIUS shared secret. Used for RADIUS NVRAM radius-server key’ characters Client/Server authentication. This CSP is (plaintext), entered by the Crypto Officer. command By running ‘# no TACACS+ Shared Secret 8 - 25 The TACACS+ shared secret. Used for NVRAM tacacs-server key’ secret characters TACACS+ Client/Server authentication. This (plaintext), CSP is entered by the Crypto Officer. command 2048 – 3072 By running ‘# SSHv2 Private RSA The SSHv2 private key used in SSHv2 NVRAM Key bits modulus connection. This key is generated by calling (plaintext) crypto key zeroize rsa’ command SP800-90A DRBG. 2048 – 3072 By running ‘# SSHv2 Public RSA The SSHv2 public key used in SSHv2 NVRAM Key bits modulus connection. This key is internally generated by (plaintext) crypto key zeroize rsa’ command the module. SSHv2 Session Triple-DES/AES 192 bits Triple- This is the SSHv2 session key. It is used to SDRAM Power cycle the Key DES or encrypt all SSHv2 data traffics traversing (plaintext) device 128/192/256 between the SSHv2 Client and SSHv2 Server. bits AES This key is derived via key derivation function defined in SP800-135 KDF (SSH). snmpEngineID Shared Secret 32 bits A unique string used to identify the SNMP NVRAM Overwrite with engine. This key is entered by Crypto Officer. (plaintext) new engine ID SNMPv3 Shared Secret 256 bits The password use to setup SNMP v3 NVRAM Overwrite with password connection. This key is entered by Crypto (plaintext) new password Officer. SNMPv3 session AES 128 bits Encryption key used to protect SNMP traffic. SDRAM Power cycle the key This key is derived via key derivation function (plaintext) device defined in SP800-135 KDF (SNMPv3). “# crypto key TLS server RSA 2048-3072 Private key used for SSLv3.1/TLS. NVRAM private key modulus (plaintext) zeroize rsa" “# crypto key TLS server RSA 2048-3072 Private key used for SSLv3.1/TLS. NVRAM public key modulus (plaintext) zeroize rsa" TLS pre-master Shared Secret 384-bits Shared Secret created using asymmetric SDRAM Automatically secret cryptography from which new TLS session keys (plaintext) when TLS session can be created is terminated TLS session Triple-DES/AES 192- bits Triple- Key used to encrypt TLS session data SDRAM Automatically encryption key DES or/ (plaintext) when TLS session 128/192/256- is terminated © Copyright 2016 Cisco Systems, Inc. 11 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. bits AES TLS session HMAC- 160-512 bits Used for TLS data integrity protection SDRAM Automatically integrity key SHA1/256/384/512 (plaintext) when TLS session is terminated 8 – 25 802.11i Pre- Shared Secret The PSK is used to derive the PMK for 802.11i DRAM Using either the “no shared characters communications. (plaintext) wpa-psk” or Key (PSK) “no dot11 ssid” command 802.11i Pairwise HMAC-SHA-1 160-bits The PMK is Used to derive the Pairwise DRAM Automatically Master Key Transient Key (PTK) for 802.11i (plaintext) when (PMK) communications. the router is powercycled. 802.11i Pairwise AES-CCM 128-bits The PTK, also known as the CCMP key, is the DRAM Automatically Transient Key 802.11i session key for unicast communications. (plaintext) when session (PTK) This key also used to encrypt and sign terminated. management frames between AP and the wireless client. 802.11i AES-CCM 128-bits The TK, also known as the CCMP key, is the DRAM Automatically Temporal 802.11i session key for unicast communications. (plaintext) when session Key (TK) terminated. 802.11i Group HMAC-SHA-1 160-bits The GMK is Used to derive the Group Temporal DRAM Automatically Master Key Key (GTK) for 802.11i communications. (plaintext) when session (GMK) terminated. 802.11i Group AES-CCM 128-bits The GTK is the 802.11i session key for DRAM Automatically Temporal Key broadcast communications. (plaintext) when session (GTK) terminated. Table 6 – Keys/CSPs Table Cryptographic Algorithms 2.6 The router is in the approved mode of operation only when FIPS 140-2 approved/allowed algorithms are used. The module implements a variety of approved and non-approved algorithms. 2.6.1 Approved Cryptographic Algorithms The routers support the following FIPS 140-2 approved algorithm implementations: Router IOS Router HW Accelerator AP IOS Wireless Radio Mac #2817 #2343 (128,192,256)(ECB, #2817 #1791 (128)(CCM) AES (128,192,256)(ECB CBC, GCM) (128,192,256)(E , CBC, CB, CBC, CFB,CTR,CMAC, CFB,CTR,CMAC, GCM), #3625 GCM), #3625 (128,192,256)(CBC (128,192,256)(C , CFB,CTR,CMAC, BC, GCM) CFB,CTR,CMAC, GCM) #1688 (192) (CBC) N/A N/A #1466 (192) (ECB, CBC) Triple-DES #2361 #2361 N/A #2020 SHS (SHA1,256,384,512) (SHA1,256,384,51 (SHA1,256,384, 2), #3043 512), #3043 (SHA1,256,384,51 (SHA1,256,384, © Copyright 2016 Cisco Systems, Inc. 12 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Router IOS Router HW Accelerator AP IOS Wireless Radio Mac 2), 512), #1764 (HMAC #1452 (HMAC #1764 (HMAC N/A HMAC SHA1,256,384,512 SHA1,256,384,512) SHA1,256,384,5 ), #2377 (HMAC 12), #2377 SHA1,256,384,512 (HMAC ), SHA1,256,384,5 12), #1471 (Gen, N/A N/A N/A RSA PKCS1_V1_5, Sig- GEN, SIG-VER) (2048, 3072), #1868 (Gen, PKCS1_V1_5, Sig- GEN, SIG-VER) (2048, 3072) Note 1: The module supports 1024-bit RSA Signature Generation. This may not be used in FIPS mode Note 2: The module supports RSA Signature Generation with SHA-1. This may only be used in protocols as defined in SP 800- 52 and SP 800-57. #493 (P-256, P- N/A N/A N/A ECDSA 384), #752 (P-256, P-384) #481 (CTR-AES- N/A #481 (CTR-AES- N/A DRBG 256), #953 (CTR- 256), #953 AES-256), (CTR-AES-256), #253 (IKE, TLS, N/A N/A N/A CVL IPsec, SSH, SNMP, SRTP), #645 (IKE, TLS, IPsec, SSH, SNMP, SRTP) SP800-108 KBKDF N/A N/A #49 (HMAC- N/A SHA1, CTR), #86 (HMAC-SHA1, CTR) Table 7 – Algorithm Certificates Note: © Copyright 2016 Cisco Systems, Inc. 13 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.  The module's AES-GCM implementation conforms to IG A.5 scenario #1 following RFC 6071 for IPsec. The module uses basically a 96-bit IV, which is comprised of a 4 byte salt unique to the crypto session and 8 byte monotonically increasing counter. The module generates new AES-GCM keys if the module loses power.  The TLS, IKEv1/IKEv2, SSH, and SNMP protocols have not been reviewed or tested by the CAVP and CMVP. 2.6.2 Non-FIPS Approved Algorithms Allowed in FIPS Mode  Diffie-Hellman (key establishment methodology provides 112 or 128 bits of encryption strength; non- compliant less than 112 bits of encryption strength)  EC Diffie-Hellman (key establishment methodology provides 128 or 192 bits of encryption strength)  RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength)  NDRNG 2.6.3 Non-FIPS Approved Algorithms Integrated Services Routers (ISRs) cryptographic module implements the following non-Approved algorithms: Service Non-Approved Algorithm SSH* Hashing: MD5, MACing: HMAC MD5, Symmetric: DES, Asymmetric: 1024-bit RSA, 1024-bit Diffie-Hellman TLS* Hashing: MD5, MACing: HMAC MD5 Symmetric: DES, RC4 Asymmetric: 1024-bit RSA, 1024-bit Diffie-Hellman IPsec* Hashing: MD5, MACing: HMAC MD5 Symmetric: DES, RC4 Asymmetric: 1024-bit RSA, 1024-bit Diffie-Hellman SNMP* Hashing: MD5, MACing: HMAC MD5 Symmetric: DES, RC4 Asymmetric: 1024-bit RSA, 1024-bit Diffie-Hellman Table 8 Non-Approved Services Note: Services marked with a single asterisk (*) have the listed non-approved cryptographic algorithms available to be used. Use of these algorithms are prohibited in a FIPS-approved mode of operation. The services may be used with FIPS-approved algorithms. Self-Tests 2.7 In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure. 2.7.1 Router Power-On Self-Tests (POSTs)  IOS Algorithm Self-Test o AES (encrypt/decrypt) Known Answer Tests © Copyright 2016 Cisco Systems, Inc. 14 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. o AES GCM Known Answer Test o DRBG Known Answer Test o ECDSA Sign/Verify o HMAC-SHA-1 Known Answer Test o HMAC-SHA-256 Known Answer Test o HMAC-SHA-384 Known Answer Test o HMAC-SHA-512 Known Answer Test o RSA Known Answer Test o SHA-1 Known Answer Test o SHA-256 Known Answer Test o SHA–384 Known Answer Test o SHA-512 Known Answer Test o Triple-DES (encrypt/decrypt) Known Answer Test ECC Primitive “Z” KAT o FFC Primitive “Z” KAT o  Hardware Accelerator Self-Tests o AES (encrypt/decrypt) Known Answer Tests o Triple-DES (encrypt/decrypt) Known Answer Tests o HMAC (SHA-1) Known Answer Test o SHA-1 Known Answer Test o SHA-256 Known Answer Test o SHA–384 Known Answer Test o SHA-512 Known Answer Test  Firmware integrity test o RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-512 2.7.2 AP Power-On Self-Tests (POSTs)  IOS Algorithm Known Answer Testes: o AES (encrypt/decrypt) Known Answer Tests o DRBG Known Answer Test o HMAC (SHA-1) Known Answer Test o KBKDF Known Answer Test  AP Radio MAC Known Answer Tests: o AES-CCM Known Answer Test  Firmware integrity test o RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-512 2.7.3 Router Conditional tests  Conditional Bypass test  Continuous random number generation test for approved and non-approved RNGs  Pairwise consistency test for ECDSA  Pairwise consistency test for RSA  Firmware load test 2.7.4 AP Conditional tests  Continuous random number generation test for approved and non-approved RNGs © Copyright 2016 Cisco Systems, Inc. 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. © Copyright 2016 Cisco Systems, Inc. 16 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 Secure Operation The Cisco 891W, 1941W and IR829W Routers meet all the Level 1 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. Initial Setup 3.1 The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no service password-recovery end show version NOTE: Once Password Recovery is disabled, administrative access to the module without the password will not be possible. System Initialization and Configuration 3.2 1 The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the “configure terminal” command line, the Crypto Officer enters the following syntax: config-register 0x0102 The Crypto Officer must create the “enable” password for the Crypto Officer role. The password must be at 2 least 8 characters (all digits; all lower and upper case letters; and all special characters except ‘?’ are accepted) and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt: enable secret [PASSWORD] 3 The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local 4 If using a Radius/TACACS+ server for authentication, it is recommended that an IPsec tunnel or some other secure tunnel between the Router and the RADIUS/TACACS+ be set up. The pre-shared key must be at least 8 characters long. IPSec Requirements and Cryptographic Algorithms 3.3 1 Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:  ah-sha-hmac  esp-sha-hmac  esp-Triple-DES  esp-aes 2 The following algorithms are not FIPS approved and should not be used during FIPS-approved mode:  DES © Copyright 2016 Cisco Systems, Inc. 17 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.  MD-5 for signing  MD-5 HMAC SSLV3.1/TLS Requirements and Cryptographic Algorithms 3.4 When negotiating TLS cipher suites, only FIPS approved algorithms must be specified. All other versions of SSL except version 3.1 must not be used in FIPS mode of operation. The following algorithms are not FIPS approved and should not be used in the FIPS-approved mode:  MD5  RC4  DES Access 3.5 1 Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted. 2 SSH access to the module is only allowed if SSH is configured to use a FIPS-approved algorithm. The Crypto officer must configure the module so that SSH uses only FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted. 3 SNMP access is only allowed via when SNMPv3 is configured with AES encryption. © Copyright 2016 Cisco Systems, Inc. 18 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.