IBM Java JCE FIPS 140-2 Cryptographic Module Version 1.8 FIPS 140-2 Non-Proprietary Security Policy Version 1.2 Last update: 2016-07-25 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1. Introduction ...................................................................................................... 4 2. Cryptographic Module Specification .................................................................... 5 2.1. Module Overview ................................................................................................................... 5 2.2. FIPS 140-2 Validation ............................................................................................................. 6 2.3. Modes of Operation ............................................................................................................... 9 3. Cryptographic Module Ports and Interfaces ........................................................ 10 4. Roles, Services and Authentication .................................................................... 11 4.1. Roles ....................................................................................................................................11 4.2. Services ...............................................................................................................................11 4.3. Operator Authentication ......................................................................................................15 5. Physical Security .............................................................................................. 16 6. Operational Environment .................................................................................. 17 6.1. Applicability .........................................................................................................................17 6.2. Policy ....................................................................................................................................17 7. Cryptographic Key Management ........................................................................ 18 7.1. Key/CSP Generation .............................................................................................................18 7.2. Key/CSP Establishment ........................................................................................................18 7.3. Key/CSP Entry and Output ...................................................................................................19 7.4. Key/CSP Storage ..................................................................................................................19 7.5. Key/CSP Zeroization.............................................................................................................19 7.6. Random Number Generation ...............................................................................................19 8. Self-Tests ......................................................................................................... 20 8.1. Power-Up Tests ....................................................................................................................20 8.1.1. Integrity Tests ............................................................................................................... 20 8.1.2. Cryptographic algorithm tests ...................................................................................... 20 8.2. On-Demand self-tests ..........................................................................................................21 8.3. Conditional Tests .................................................................................................................21 9. Guidance .......................................................................................................... 22 9.1. Crypto Officer Guidance ......................................................................................................22 9.2. User Guidance .....................................................................................................................22 10. Mitigation of Other Attacks ............................................................................. 23 © 2016 IBM Corporation / atsec information security. 2 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Copyrights and Trademarks © 2016 IBM Corporation / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. Java is a registered trademark of Oracle. Inc. AIX, z/OS, AS/400 and IBM are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both. HP-UX is a registered trademark Hewlett Packard, Inc Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Red Hat is a trademark of Red Hat, Inc. SuSE is a registered trademark of SuSE AG Other company, product, and service names may be trademarks or service marks of others. © 2016 IBM Corporation / atsec information security. 3 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 1. Introduction This document is the non-proprietary FIPS 140-2 Security Policy for the IBM Java JCE FIPS 140-2 Cryptographic Module. The version of the module is 1.8. This policy contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-2 (Federal Information Processing Standards Publication 140-2) for a Security Level 1 module. © 2016 IBM Corporation / atsec information security. 4 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 2. Cryptographic Module Specification The following section describes the cryptographic module and how it conforms to the FIPS 140- 2 specification in each of the required areas. 2.1. Module Overview The IBM Java JCE FIPS 140-2 Cryptographic Module (hereafter referred to as “the module”) is a scalable, multi-purpose cryptographic module that supports FIPS approved cryptographic operations. The module acts as a Java Cryptographic Extension (JCE) provider in the JCE framework, providing cryptographic services to Java applications. The software block diagram below shows the logical boundary of the module and its interfaces with the calling application. Figure 1 - Software Block Diagram The module is implemented as a Java Archive (JAR). The logical boundary of the module consists of the ibmjcefips.jar file. The module runs on a General Purpose Computer (GPC). The physical boundary of the module is the enclosure of the GPC on which the module is installed and executed, as shown with dotted lines in the diagram below: © 2016 IBM Corporation / atsec information security. 5 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Figure 2 – Hardware Block Diagram 2.2. FIPS 140-2 Validation For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at overall Security Level 1. The table below shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard: FIPS 140-2 Section Security Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self-Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks 1 Overall Level 1 Table 1 - Security Levels © 2016 IBM Corporation / atsec information security. 6 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy The module has been tested by the laboratory on the platforms shown in the table below. Each platform includes the hardware, processor name, operating system, and the hardware accelerator implemented in the module. The module runs on 64-bit Java Virtual Machine (JVM), Version 8. Hardware Platform and Operating System Hardware Accelerator Processor ThinkCentre M92P Tower Windows Server 2012 AES-NI Desktop with Intel Xeon E5 V3 release 2 family ThinkCentre M93P with Intel Red Hat Enterprise Linux AES-NI Xeon E5 V3 family Server release 7.1 IBM 9119-MHE with POWER 8 AIX 7 vcipher for AES, vshasigma for SHA IBM 9119-MHE with POWER 8 Red Hat Enterprise Linux vcipher for AES, vshasigma for Server release 7.1 SHA ThinkCentre M93P with Intel Windows 7 64-bit (None) Core i7 vPro 4770 Table 2 - Tested Platforms In addition to the configurations tested by the laboratory, the vendor affirmed testing was performed on the platforms shown in the table below. Each platform includes the hardware, processor name, operating system, and the hardware accelerator implemented in the module and JDK Bit level. The module runs on Java Virtual Machine (JVM), Version 8. Hardware Platform and Operating System Hardware JDK Bit Processor Accelerator level ThinkCentre M92P Tower Windows Server 2012 (None) 64 Desktop with Intel Xeon E5 release 2 V3 family ThinkCentre M93P with Intel Red Hat Enterprise Linux (None) 64 Xeon E5 V3 family Server release 7.1 IBM 9119-MHE with POWER 8 AIX 7 (None) 64 IBM 9119-MHE with POWER 8 Red Hat Enterprise Linux (None) 64 Server release 7.1 (Little Endian) IBM 9119-MHE with POWER 8 SuSE SLES 12 (None) 64 (Little Endian) IBM 9119-MHE with POWER 8 SuSE SLES 11 SP3 (None) 64 (Big Endian) IBM 9119-MHE with POWER 8 SuSE SLES 12 vcipher for AES, 64 (Little Endian) vshasigma for SHA IBM z13 model N63 (None) 64 SuSE SLES 11 SP4 © 2016 IBM Corporation / atsec information security. 7 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Hardware Platform and Operating System Hardware JDK Bit Processor Accelerator level IBM z13 model N63 z/OS version 2 release 2 (None) 64 IBM z13 model N63 Red Hat Enterprise Linux (None) 64 Server release 7.2 for IBM z Systems ThinkCentre M93P with Intel Windows 7 64-bit AES-NI 64 Core i7 vPro 4770 IBM,8205-E6B Processor AIX 6.1.0.0 (None) 64 Type: PowerPC_POWER7 Sun4v sparc SUNW,SPARC- Sun OS5.10 (None) 64 Enterprise-T5120 ThinkCentre, 8187 RedHat Enterprise Linux (None) 32 Server release 5.11 *9000/785/C3750 HP-UX B11.23 (None) 32 (running JVM 6) ia64 hp server rx1620 HP-UX B11.23 (None) 64 Table 2(A) - Vendor Affirmed Platforms In addition, the vendor claims correct operation of the module on other operating systems as listed below. As outlined in G.5 of the Implementation Guidance for FIPS 140-2, the module maintains its compliance on other operational environments as listed below:  Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2 running JVM 8.x Microsoft Windows XP, Microsoft Windows Vista, Windows 7, Windows 8, Windows 10,  Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 running JVM 6.x and JVM 7.x  Window 2000 running JVM 6.x  AIX, Solaris, Red Hat Linux, SuSE Linux, Linux OS on z Systems, and z/OS running JVM levels 6.x, 7.x and 8.x  IBM LinuxONE and IBM Operating System/400 platforms  JVMs at the 6.x level and 7.x level on the above operating systems  32 bit and 64 bit levels of JVMs for the above listed Operating Systems. Hardware acceleration is not supported when running JVMs 6.x, 7.x and 32-bit JVMs. When running JVM 8.x, IBM affirms the module operates correctly with hardware acceleration on machines with  Intel processors with support for AES-NI,  IBM Power 8 processors with support for vcipher for AES and vshasigma for SHA As outlined in G.5 of the Implementation Guidance for FIPS 140-2, the module maintains its compliance on other operating systems provided:  The operating system meets the operational environment requirements at the module’s level of validation, and runs in a single-user mode. © 2016 IBM Corporation / atsec information security. 8 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy  The module does not require modification to run in the new environment. Note: CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. 2.3. Modes of Operation The module supports both FIPS mode (i.e. Approved mode of operation) and non-FIPS mode (i.e., non-Approved mode of operation). After successful completion of power-on self-tests, the module enters FIPS mode. Any calls to the non-Approved security functions as listed in Table 5, will cause the module to implicitly transition to the non-Approved mode of operation. The keys and CSPs used for cryptographic operations are not shared between the modes of operation. © 2016 IBM Corporation / atsec information security. 9 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 3. Cryptographic Module Ports and Interfaces As a software-only module, the module does not have physical ports. For the purpose of FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the Application Program Interface (API) through which Java applications request services. The following table summarizes the four logical interfaces: Logical Interface Description Data Input API input parameters for data. Data Output API output parameters for data. Control Input API function calls, API input parameters for control. Status Output API return values, API output parameters for status, API error messages. Table 3 - Ports and Interfaces © 2016 IBM Corporation / atsec information security. 10 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 4. Roles, Services and Authentication 4.1. Roles The module supports the following roles:  User role: performs all services as listed in Table 4 and Table 5 except module installation and configuration.  Crypto Officer role: performs module installation and configuration as listed in Table 4. The User and Crypto Officer roles are implicitly assumed by the entity accessing the module services. The module does not support the maintenance role. 4.2. Services The module provides services to users that assume one of the available roles. All services are described in detail in the user documentation. Table 4 lists the Approved services and the non-Approved but allowed services in FIPS mode of operation, the roles that can request the service, the algorithms involved with their corresponding CAVS certificate numbers (if applicable), the Keys/CSPs involved and how they are accessed: Services Algorithms CAVS Certificates Keys/CSPs Access AES key NIST SP800-90A #1119, #1120, 128/192/256 bits Write generation Hash_DRBG with SHA- #1121, #1122, AES key 256 #1123 Triple-DES key 192 bits three-key Write generation Triple-DES key AES AES (ECB, CBC, OFB, #3904, #3905, 128/192/256 bits Read encryption CFB8, CFB128 and #3906, #3907, AES key and GCM modes) #3908 decryption Three-key Three-key Triple-DES #2140, #2141, 192 bits three-key Read Triple-DES (ECB, CBC, CFB8, #2142, #2143, Triple-DES key encryption and CFB64 and OFB #2144 decryption modes) Two-key Two-key Triple-DES 192 bits two-key Read Triple-DES (ECB, CBC, CFB8, Triple-DES key decryption CFB64 and OFB (Legacy Use) modes) © 2016 IBM Corporation / atsec information security. 11 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Services Algorithms CAVS Certificates Keys/CSPs Access RSA key FIPS186-4 Appendix #1988, #1989, RSA public and Write generation B.3.3 RSA key #1990, #1991, private key pair with generation #1992 2048/ 3072 bits modulus size RSA signature PKCS#1 v1.5 and PSS RSA private key with Read generation RSA signature 2048/3072 bits generation with SHA- modulus size 224, SHA-256, SHA- 384 and SHA-512 RSA signature PKCS#1 v1.5 and PSS RSA public key with Read verification RSA signature 1024/2048/3072 bits verification with SHA- modulus size 1, SHA-224, SHA-256, SHA-384 and SHA-512 RSA key NIST SP800-56B RSA Vendor-affirmed RSA public and Read transport key transport according to IG D.4 private key pair with 2048/3072 bits modulus size DSA key FIPS186-4 DSA key #1062, #1063, DSA public and Write generation pair generation #1064, #1065, private key pair with #1066 L=2048, N=256; L=3072, N=256 DSA domain DSA domain DSA domain Read parameter parameter generation parameters with generation with SHA-256, SHA- L=2048, N=224; 384 and SHA-512 L=2048, N=256; L=3072, N=256 DSA signature DSA signature DSA private key with Read generation generation with SHA- L=2048, N=224; 256 L=2048, N=256; L=3072, N=256 DSA signature DSA signature DSA public key with Read verification verification with SHA- L=1024, N=160; 1, SHA-224 and SHA- L=2048, N=224; 256 L=2048, N=256; L=3072, N=256 ECDSA key FIPS186-4 Appendix #847, #848, #849, ECDSA public and Write generation B.4.1 ECDSA key #850, #851 private key pair generation according to P-224, P-256, P-384 and P- 521 curves © 2016 IBM Corporation / atsec information security. 12 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Services Algorithms CAVS Certificates Keys/CSPs Access ECDSA ECDSA signature ECDSA private key Read generation with according to P-224, signature P-256, P-384 and P- generation SHA-224, SHA-256, 521 curves SHA-384 and SHA-512 ECDSA ECDSA signature ECDSA public key Read signature verification with according to P-192, verification P-224, P-256, P-384 SHA-1, SHA-224, SHA- and P-521 256, SHA-384 and SHA-512 Message SHA-1, SHA-224, SHA- #3216, #3217, n/a n/a digest 256, SHA-384 and #3218, #3219, SHA-512 #3220 Message HMAC with SHA-1, #2533, #2534, At least 112 bits Read authentication SHA-224, SHA-256, #2535, #2536, HMAC key SHA-384 and SHA-512 #2537 Random NIST SP800-90A #1119, #1120, Entropy input string, Read, number Hash_DRBG with SHA- #1121, #1122, V and C values Write generation 1, SHA-224, SHA-256, #1123 SHA-384 and SHA-512 NDRNG (Used by the Non-approved but Read module to internally allowed to be used seed the DRBG.) in FIPS mode Diffie-Hellman NIST SP800-56A KAS CVL #759, #761, Diffie-Hellman public Write key FFC except KDF #763, #765, #767 and private agreement primitives with 2048 bits key size EC Diffie- NIST SP800-56A KAS EC Diffie-Hellman Write Hellman key ECC except KDF; public and private agreement Section 5.7.1.2 ECC primitives with P- CDH Primitive 224, P-256, P-384 and P-521 curves Key derivation NIST SP800-135 key CVL #758, #760, TLS pre-master Write derivation in TLS 1.0, #762, #764, #766 secret and TLS 1.1 and 1.2 master secret Show status n/a n/a n/a n/a Self-Tests n/a n/a HMAC key for Read module integrity test Zeroization n/a n/a All aforementioned Zeroize Keys/CSPs © 2016 IBM Corporation / atsec information security. 13 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Services Algorithms CAVS Certificates Keys/CSPs Access Module n/a n/a n/a n/a installation and configuration Table 4 - Services in FIPS mode of operation Note: TLS protocol implementation has not been reviewed or tested by the CAVP and CMVP. Table 5 lists the non-Approved services only available in non-FIPS mode of operation. Services Algorithms Access AES encryption and decryption AES (CTS and PCBC modes) Read Three-key or Two-key Triple- Three-key or Two-key Triple-DES (CTS and PCBC Read DES encryption and decryption modes) Two-key Triple-DES encryption Two-key Triple-DES (ECB, CBC, CFB8, CFB64 and Read OFB modes) RSA key generation RSA key generation with modulus size between 512 Write and 16384 bits excluding 2048 and 3072 bits RSA signature generation RSA signature generation with modulus size Read between 512 and 16384 bits excluding 2048 and 3072 bits or RSA signature generation using SHA-1 RSA signature verification RSA signature verification with modulus size Read between 512 and 16384 bits excluding 1024, 2048 and 3072 bits RSA key transport RSA key transport with modulus size between 512 Read and 16384 bits excluding 2048 and 3072 bits RSA signature generation and RSA signature generation and verification without Read verification without hashing hashing and with modulus size between 512 and 16384 bits DSA key generation DSA key generation with key size between 512 and Write 3072 bits which is multiple of 64 but excluding 2048 and 3072 bits DSA signature generation DSA signature generation with key size between Read 512 and 3072 bits which is multiple of 64 but excluding 2048 and 3072 bits DSA signature verification DSA signature verification with key size between Read 512 and 3072 bits which is multiple of 64 but excluding 1024, 2048 and 3072 bits DSA signature generation and DSA signature generation and verification without Read verification without hashing hashing and with key size between 512 and 3072 bits which is multiple of 64 © 2016 IBM Corporation / atsec information security. 14 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Services Algorithms Access ECDSA key generation ECDSA key generation with P-192 curve Write ECDSA signature generation ECDSA signature generation with P-192 curve or Read ECDSA signature generation using SHA-1 ECDSA signature generation ECDSA signature generation and verification Read and verification without without hashing and with P-192, P-224, P-256, P- hashing 384 and P-521 curves Message digest MD5 n/a Message authentication HMAC with keys less than 112 bits Read Diffie-Hellman key agreement Diffie-Hellman key agreement with key size Write between 256 and 2048 bits which is multiple of 64 but excluding 2048 bits EC Diffie-Hellman key EC Diffie-Hellman key agreement with P-192 curve Write agreement Table 5 - Services in non-FIPS mode of operation Note: The module implements non-Approved NDRNG algorithm which is allowed to be used in FIPS mode to internally seed the DRBG. NDRNG is not available as an external service provided by the module. 4.3. Operator Authentication The module does not implement user authentication. The role of the user is implicitly assumed depending on the service used. Notice that at Security Level 1, authentication is not required. © 2016 IBM Corporation / atsec information security. 15 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 5. Physical Security The module is comprised of software only and therefore this security policy does not make any claims on physical security. © 2016 IBM Corporation / atsec information security. 16 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 6. Operational Environment 6.1. Applicability The module operates in a modifiable operational environment per FIPS 140-2 Security Level 1 specifications. The module runs on a GPC as specified in Table 2 of section 2.2. 6.2. Policy The operating system is restricted to a single operator (i.e., concurrent operators are explicitly excluded). The Java application that requests cryptographic services is the single user of the module. © 2016 IBM Corporation / atsec information security. 17 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 7. Cryptographic Key Management The management of all Keys/CSPs used by the module is summarized in the table below: Name Generation Storage Zeroization AES keys NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method Triple-DES keys NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method RSA key pair NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method DSA key pair NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method ECDSA key pair NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method HMAC key NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method DRBG entropy input Obtained from the NDRNG RAM Zeroized by zeroize() string method DRBG V and C values Derived from the entropy string RAM Zeroized by zeroize() as defined in NIST SP800-90A method Diffie-Hellman NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() Primitives method EC Diffie-Hellman NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() Primitives method TLS pre-master NIST SP800-90A Hash_DRBG RAM Zeroized by zeroize() method secret TLS master Use of the TLS pre-master RAM Zeroized by zeroize() method secret secret and PRF Table 6 - Life cycle of Keys/CSPs The following sections describe how Keys/CSPs are managed during its life cycle. 7.1. Key/CSP Generation The module implements symmetric key generation using a Hash_DRBG compliant with [NIST SP800-90A]. For generating RSA, DSA and ECDSA key pairs, the module implements asymmetric key generation services compliant with [FIPS 186-4]. 7.2. Key/CSP Establishment The module implements Diffie-Hellman key agreement scheme, EC Diffie-Hellman key agreement scheme and vendor affirmed RSA key transport scheme.  Diffie-Hellman with 2048 bit key provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength.  EC Diffie-Hellman with P-224, P-256, P-384 and P-521 curves provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength © 2016 IBM Corporation / atsec information security. 18 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy  RSA key transport with 2048 or 3072 bit modulus provides 112 or 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength 7.3. Key/CSP Entry and Output All the keys enter into the module’s logical boundary as API input parameters. They are associated with memory locations and do not persist across power cycles. The module does not support manual key entry. The module does not output intermediate key generation values or other CSPs. The module provides the keys as output parameters of the key generation service API to the Java application, but they do not cross the module’s physical boundary. 7.4. Key/CSP Storage The HMAC key used for integrity test is stored in the module and relies on the operating system for protection. The module does not perform persistent storage for any other Keys/CSPs. The module does not store any Key/CSP beyond the lifetime of the API call. 7.5. Key/CSP Zeroization Except for the HMAC key used for integrity test, all keys/CSPs are ephemeral and are destroyed when released by the appropriate API function calls. The application is responsible for calling the zeroization methods as listed Table 6. The zeroization methods overwrite the memory occupied by keys with “zeros” and deallocate the memory with the regular memory deallocation operating system call. 7.6. Random Number Generation The module employs a NIST SP800-90A-compliant HASH (SHA-256) DRBG as a random number generator for the generation of Keys/CSPs. The module uses a CPU jitter based random number generator as NDRNG which serves as the entropy source for seeding the DRBG and provides 256 bits of entropy. © 2016 IBM Corporation / atsec information security. 19 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 8. Self-Tests 8.1. Power-Up Tests The module performs power-up tests automatically when the module is loaded into memory without any operator intervention; power-up tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is performing the power-up tests, no cryptographic service is available and all data output is inhibited. Once the power-up tests are completed successfully, the module enters operational mode and cryptographic services are available. If any of the power-up tests fails, the module throws an exception and enters ERROR state. In ERROR state, all data output is inhibited and no cryptographic operation is allowed. The module needs to be reloaded in order to recover from the ERROR state. 8.1.1. Integrity Tests The integrity of the module is verified by comparing a HMAC-SHA-1 value calculated at run time with the HMAC value pre-stored in the module. 8.1.2. Cryptographic algorithm tests The module performs self-tests on all FIPS-Approved cryptographic algorithms supported in the approved mode of operation, using the known answer test (KAT) or Pair-wise Consistency Test (PCT) shown in the following table: Algorithm Test AES KATs for AES ECB mode; encryption and decryption are tested separately KATs for AES GCM mode; encryption and decryption are tested separately Triple-DES KATs for Triple-DES ECB mode; encryption and decryption are tested separately RSA KATs for RSA signature scheme with 2048 bits modulus size; signature generation and verification are tested separately KATs for RSA key transport scheme with 2048 bits modulus size; encryption and decryption are tested separately DSA PCT for DSA with (L=2048, N=256) ECDSA PCT for ECDSA with NIST P-256 curve SHS KATs for SHA-1, SHA-256, SHA-384 and SHA-512 HMAC KATs for HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and HMAC- SHA-512 Hash_DRBG KATs for Hash_DRBG with SHA-1, SHA-256, SHA-384 and SHA-512 Diffie-Hellman Primitive “Z” Computation KAT © 2016 IBM Corporation / atsec information security. 20 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Algorithm Test EC Diffie-Hellman Primitive “Z” Computation KAT NIST SP800-135 KDF in Covered by KATs of SHS TLS Table 7- Self-Tests 8.2. On-Demand self-tests The on-demand self-tests can be invoked by powering-off the module and reloading it. This performs all the cryptographic algorithm tests as listed in section 8.1.2. During the execution of the on-demand self-tests, no cryptographic service is available and all data output is inhibited. If any of the tests fails, the module will enter ERROR state. 8.3. Conditional Tests The module performs conditional tests on the cryptographic algorithms shown in the following table. If any of the conditional tests fail, the module throws an exception with an error message and enters ERROR state. Algorithm Test RSA PCT for RSA key generation DSA PCT for DSA key generation ECDSA PCT for ECDSA key generation NDRNG Continuous Random Number Generator Test Table 8 - Conditional Tests © 2016 IBM Corporation / atsec information security. 21 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 9. Guidance 9.1. Crypto Officer Guidance The IBMJCEFIPS provider jar file must be accessible via the Java CLASSPATH and should be installed in the directory $JAVA_HOME/jre/lib/ext as this is a secure location and is also automatically available via the JVM without a CLASSPATH update. The application will be required to call the IBMJCEFIPS provider (as opposed to another JCE provider) through the normal Java 2 mechanisms such as specifically adding the provider name to the getInstance call as part of the instantiation of a cryptographic object or by placing the IBMJCEFIPS provider higher in the provider list (in java.security) and allowing the JVM to select the first provider that has the requested cryptographic capability. 9.2. User Guidance This section contains guidance for application programmers to avoid practices that could potentially compromise the secure use of this cryptographic module.  Key Zeroization - the zeroization method should be used to remove the key from memory when a cryptographic key object is no longer needed. While normal Java garbage collection will zeroize the key from memory as part of the object finalizer method, it is a safer coding practice to explicitly call the zeroization method when an application is finished with a key object.  Avoid using static objects – the Java architecture creates objects that are unique to the application, which allows for “single” user access to the cryptographic operations and data, so it is recommended that an application should not create static objects. Static objects are shared in the Java architecture and the creation of a static object would be counter to the unique object method of controlling access and data.  In case the module’s power is lost and then restored, the AES GCM key shall be re- distributed. © 2016 IBM Corporation / atsec information security. 22 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 10. Mitigation of Other Attacks The module has been obfuscated using the commercial product KlassMaster. This level of optimized code makes it difficult to decompile and reuse the derived source code. IBM's tests with popular de-compilers (e.g. Jasmine) have shown that de-compiled IBMJCEFIPS code for Java code cannot be compiled and used without extensive alteration. RSA Blinding has been added to the RSA Signing and RSA encryption function to help mitigate timing attacks. © 2016 IBM Corporation / atsec information security. 23 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix A. Glossary and Abbreviations Advanced Encryption Standard AES Advanced Encryption Standard New Instructions AES-NI Cipher Block Chaining CBC Cipher Feedback CFB Cryptographic Module Validation Program CMVP Critical Security Parameter CSP Data Encryption Standard DES Digital Signature Algorithm DSA Deterministic Random Bit Generator DRBG Electronic Code Book ECB Elliptic Curve Cryptography ECC Finite Field Cryptography FFC Federal Information Processing Standards Publication FIPS Galois Counter Mode GCM Hash Message Authentication Code HMAC Key Agreement Schema KAS Known Answer Test KAT Message Authentication Code MAC National Institute of Science and Technology NIST Non-Deterministic Random Number Generator NDRNG Output Feedback OFB Probabilistic Signature Scheme PSS Random Number Generator RNG Rivest, Shamir, Addleman RSA Secure Hash Algorithm SHA Secure Hash Standard SHS © 2016 IBM Corporation / atsec information security. 24 of 25 IBM Java JCE FIPS 140-2 Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix B. References FIPS140-2 FIPS PUB 140-2 - Security Requirements For Cryptographic Modules http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf FIPS140-2_IG Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf FIPS180-4 Secure Hash Standard (SHS) http://csrc.nist.gov/publications/fips/fips180-4/fips 180-4.pdf FIPS186-4 Digital Signature Standard (DSS) http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard (AES) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) http://csrc.nist.gov/publications/fips/fips198 1/FIPS-198 1_final.pdf NIST SP800- Recommendation for Existing Application-Specific Key Derivation 135 Revision 1 Functions http://csrc.nist.gov/publications/nistpubs/800-135-rev1/sp800-135-rev1.pdf NIST SP800- Recommendation for Block Cipher Modes of Operation Methods and 38A Techniques http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf NIST SP800- Recommendation for Block Cipher Modes of Operation: 38D Galois/Counter Mode (GCM) and GMAC http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf NIST SP800- Recommendation for Pair-Wise Key Establishment Schemes Using 56A Revision 1 Discrete Logarithm Cryptography http://csrc.nist.gov/publications/nistpubs/800-56A/SP800- 56A_Revision1_Mar08-2007.pdf NIST SP800- Recommendation for Pair-Wise Key Establishment Schemes Using 56B Revision 1 Integer Factorization Cryptography http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf NIST SP800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Revision 1 Block Cipher http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf NIST SP800- Recommendation for Random Number Generation Using 90A Deterministic Random Bit Generators http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf © 2016 IBM Corporation / atsec information security. 25 of 25