FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel Versions 3.8.0.18, 3.8.0.20, 3.8.0.23, 3.8.0.23b, 3.8.0.24, 3.8.0.24b, 3.8.0.26, 3.8.0.26b, 3.8.0.27, and 3.8.0.27b Document Version 1.14 Government Certifications Team Research In Motion © 2004-05 Research In Motion Limited. All rights reserved. www.blackberry.com This document may be freely reproduced and distributed whole and intact including this Copyright Notice. FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel Document and Contact Information Version Date Author Description 1.0 7 July 2004 David MacFarlane Document creation. 1.1 27 August 2004 David MacFarlane Moved to new document template. 1.2 8 September 2004 David MacFarlane Updated module version number. Updated per conformance testing feedback and 1.3 9 September 2004 David MacFarlane included version 3.8.0.20 of the module. Updated algorithm certificate numbers and included 1.4 4 October 2004 David MacFarlane version 3.8.0.23 of the module. 1.5 20 December 2004 David MacFarlane Updated per CMVP review comments. 1.6 22 December 2004 David MacFarlane Updated per CMVP review comments. 1.7 5 January 2005 David MacFarlane Updated per CMVP review comments. 1.8 10 January 2005 David MacFarlane Included module version 3.8.0.24. 1.9 21 January 2005 David MacFarlane Included module version 3.8.0.26. 1.10 8 February 2005 David MacFarlane Included module version 3.8.0.27. Included module versions 3.8.0.23b, 3.8.0.24b, 1.11 17 June 2005 David MacFarlane 3.8.0.26b, and 3.8.0.27b. 1.12 22 June 2005 David MacFarlane Minor revisions. 1.13 1 September 2005 David MacFarlane Minor revisions. 1.14 21 September 2005 David MacFarlane Updated per CMVP review comments. Contact Corporate Office Government Certifications Team Research In Motion certifications@rim.com 295 Phillip Street (519) 888-7465 ext. 2921 Waterloo, Ontario Canada N2L 3W8 www.rim.com www.blackberry.com www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel Contents Introduction ....................................................................................................................... 1 Cryptographic Module Specification.................................................................................. 2 Cryptographic Module Ports and Interfaces...................................................................... 4 Roles, Services, and Authentication ................................................................................. 5 Physical Security............................................................................................................... 7 Cryptographic Keys and Critical Security Parameters ...................................................... 8 Self-Tests .......................................................................................................................... 9 Mitigation of Other Attacks .............................................................................................. 11 Glossary .......................................................................................................................... 12 www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel List of Tables Table 1. BlackBerry Software Versions for Functional Testing ...................................................... 1 Table 2. Implementation of FIPS 140-2 Interfaces......................................................................... 4 Table 3. Role Selection and CSP Access by Service .................................................................... 5 Table 4. Cryptographic Keys and CSPs ......................................................................................... 8 Table 5. Module Self-Tests............................................................................................................. 9 www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel List of Figures Figure 1. Physical Boundary........................................................................................................... 3 www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 1 Introduction BlackBerry® is the leading wireless enterprise solution that allows users to stay connected with secure, wireless access to e-mail, corporate data, phone, web, and organiser features. BlackBerry is a totally integrated package that includes hardware, software, and service, providing a complete end-to-end solution. More information on the BlackBerry wireless solution is available at http://www.blackberry.com/. Each BlackBerry device contains the BlackBerry Cryptographic Kernel1, a software cryptographic module that provides the cryptographic functionality required for basic operation of the device. For the purposes of FIPS 140-2 conformance testing the BlackBerry Cryptographic Kernel was executed on the BlackBerry 7230 Wireless HandheldTM and, per FIPS 140-2 Implementation Guidance G.5, remains FIPS-compliant when executed on other BlackBerry devices. Functional testing was performed on BlackBerry device software versions 3.8, 4.0, and 4.1, as shown in the following table. Table 1. BlackBerry Software Versions for Functional Testing BlackBerry Software Version Module Version 3.8 3.8.0.18, 3.8.0.20, 3.8.0.23, 3.8.0.24, 3.8.0.26, 3.8.0.27 3.8.0.18, 3.8.0.20, 3.8.0.23, 3.8.0.23b, 3.8.0.24, 3.8.0.24b, 3.8.0.26, 3.8.0.26b, 4.0 3.8.0.27, 3.8.0.27b 4.1 3.8.0.23b, 3.8.0.24b, 3.8.0.26b, 3.8.0.27b The BlackBerry Cryptographic Kernel is hereafter referred to as cryptographic module or module. Introduced in version 3.8.0.0 and present in all subsequent versions of the module is additional cryptographic functionality required for new features introduced in BlackBerry device software version 4.0, namely enhanced protection for wireless communications between the device and the BlackBerry Enterprise ServerTM, protection of data stored on the device, and wireless enterprise activation and provisioning. Wireless communications between the device and the BlackBerry Enterprise Server are protected with Triple DES encryption and BlackBerry device software version 4.0 introduces support for alternatively protecting these communications with AES-256 encryption2. Similarly, BlackBerry device software version 4.0 introduces support for the use of AES-256 encryption to protect data stored on the device. Also introduced is key agreement functionality to support wireless activation and provisioning of the device . 2 1 Excludes RIM 850TM, RIM 950TM, RIM 857TM, and RIM 957TM wireless handhelds. 2 Requires BlackBerry device and BlackBerry Enterprise Server software version 4.0 or higher. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 2 Cryptographic Module Specification The cryptographic module is a software module that implements the following FIPS-Approved security functions3: · AES-256 (encrypt and decrypt), as specified in FIPS 197. The implementation supports the CBC mode of operation and has been awarded AES validation certificate #177. · Triple DES (encrypt and decrypt), as specified in FIPS 46-3. The implementation supports the CBC mode of operation and has been awarded Triple DES validation certificate #281. · RSA PKCS#1 (signature verification), as specified in PKCS #1, version 2.1. The implementation has been awarded RSA validation certificate #22. · SHA-1, SHA-256, and SHA-512, as specified in FIPS 180-2. The implementation has been awarded SHS validation certificate #264. · HMAC SHA-1, HMAC SHA-256, and HMAC SHA-512, as specified in FIPS 198. The implementation has been awarded HMAC validation certificate #1. · FIPS 186-2 RNG, as specified in FIPS 186-2 Appendix 3.1. The implementation uses SHA-1 as the function G and has been awarded RNG validation certificate #27. The module implements the following non-Approved security functions that, per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, may presently be used in a FIPS-Approved mode of operation: · EC Diffie-Hellman (key agreement), as specified in IEEE P1363 Draft 13. · EC MQV, as specified in IEEE P1363 Draft 13. The module does not have a non-Approved mode of operation and, consequently, always operates in a FIPS-Approved mode of operation. The physical boundary of the module is the physical boundary of the BlackBerry device that executes the module and is shown in the following figure: 3 A security function is FIPS-Approved if it is explicitly listed in FIPS 140-2 Annex A: Approved Security Functions for FIPS PUB 140-2. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 3 Application Module Operating System Device Physical Boundary Figure 1. Physical Boundary Determining the Module Version The operator may determine the version of the module on a BlackBerry device by performing the following operations: 1. Navigate to the Options screen. 2. Click the About item. The About screen appears and displays the module version, e.g. "Cryptographic Kernel v3.8.0.18". www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 4 Cryptographic Module Ports and Interfaces The module ports correspond to the physical ports on the BlackBerry device executing the module software, and the module interfaces correspond to the logical interfaces to the module. The following table describes the ports and interfaces implemented by the BlackBerry 7230TM. Table 2. Implementation of FIPS 140-2 Interfaces FIPS 140-2 Module Ports Module Interfaces Interface Keyboard, microphone, USB port, headset Data Input Input parameters of module function calls jack, wireless modem Speaker, USB port, headset jack, wireless Data Output Output parameters of module function calls modem Keyboard, USB port, trackwheel, escape Control Input Module function calls button, backlight button, phone button Status Output USB port, LCD screen, LED Return codes of module function calls Power Input USB port Not applicable Maintenance Not supported Not supported www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 5 Roles, Services, and Authentication The module does not support multiple or concurrent operators and is intended for use by a single operator, thus it always operates in a single-user mode of operation. Operators are not required to authenticate to the module. The module supports a User and Crypto Officer role. The module does not support a Maintenance role. Role selection is performed implicitly and is dependent on the service performed by the operator. The following table describes the services that are available to the operator: · Reset ­ Resets the module. The module may be reset by pressing the Alt key + Right Shift key + Backspace key combination or power cycling the module. · View Status ­ Displays the status of the module. · Inject Master Key ­ Replaces the existing Master Key with a new Master Key. The new Master Key is created outside of the cryptographic boundary for this service. · Perform Key Agreement ­ Creates a new Master Key and uses it to replace the existing Master Key. The new Master Key is created by performing key agreement with the BlackBerry Enterprise Server. · Inject PIN Master Key ­ Replaces the existing PIN Master Key with a new PIN Master Key. The new PIN Master Key is created outside the cryptographic boundary and is encrypted for input into the module for this service. · Generate Session Key ­ Generates a Session Key or a PIN Session Key. This service is performed automatically on behalf of the operator during the Encrypt Data service. · Encrypt Data ­ Encrypts data that is to be sent from the device. A Session Key is automatically generated via the Generate Session Key service and used to encrypt the data. The Session Key is encrypted with the Master Key and then the encrypted data and encrypted Session Key are ready for transmission. · Decrypt Data ­ Decrypts data that has been received by the device. The encrypted Session Key is decrypted with the Master Key and is then used to decrypt the data. This service is performed automatically on behalf of the operator. · Generate HMAC ­ Generates a message authentication code. · Perform Self-Tests ­ Executes the module self-tests. The following table summarises implicit role selection based on services and the associated access to critical security parameters (CSPs): Table 3. Role Selection and CSP Access by Service Role Implicitly Affected Keys and Access to Keys Service Selected CSPs and CSPs Reset User N/A N/A View Status User N/A N/A Inject Master Key Crypto Officer Master Key Write Perform Key Agreement Crypto Officer Master Key Write www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 6 Role Implicitly Affected Keys and Access to Keys Service Selected CSPs and CSPs EC MQV Key Pair Execute EC DH Key Pair Execute Inject PIN Master Key Crypto Officer PIN Master Key Write Session Key Write Generate Session Key User PIN Session Key Write Master Key / Execute PIN Master Key Encrypt Data User Session Key / Execute PIN Session Key Master Key / Execute PIN Master Key Decrypt Data User Session Key / Execute PIN Session Key HMAC SHA-1 Key / Generate HMAC User HMAC SHA-256 Key / Execute HMAC SHA-512 Key Perform Self-Tests User Software Integrity Key Execute www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 7 Physical Security The BlackBerry device that executes the module meets the FIPS 140-2 Level 1 physical security requirements. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 8 Cryptographic Keys and Critical Security Parameters The following table describes the cryptographic keys, key components, and CSPs utilised by the module. Table 4. Cryptographic Keys and CSPs Key / CSP Description A Triple DES or AES-256 key used to encrypt and decrypt Session Keys. The Master Key can be generated outside of the cryptographic boundary and input into the module, Master Key or created cooperatively with the BlackBerry Enterprise Server through EC Diffie- Hellman or EC MQV key agreement. A Triple DES or AES-256 key used to encrypt and decrypt data. The module generates Session Key Session Keys using the implemented FIPS 186-2 RNG. A Master Key that is specifically a Triple DES key used to encrypt and decrypt PIN Session Keys. The PIN Master Key is generated outside the cryptographic boundary PIN Master Key and input into the module. The PIN Master Key cannot be created through key agreement with the BlackBerry Enterprise Server. A Session Key that is specifically a Triple DES key used to encrypt and decrypt PIN-to- PIN Session Key PIN data. The module generates PIN Session Keys using the implemented FIPS 186-2 RNG. Software Integrity Key An RSA public key used to verify the integrity of the module software. EC Diffie-Hellman Key Pair An elliptic curve key pair used to perform Diffie-Hellman key agreement. EC MQV Key Pair An elliptic curve key pair used to perform MQV key agreement. A key used to calculate and verify a keyed message authentication code using the HMAC SHA-1 Key HMAC SHA-1 algorithm. A key used to calculate and verify a keyed message authentication code using the HMAC SHA-256 Key HMAC SHA-256 algorithm. A key used to calculate and verify a keyed message authentication code using the HMAC SHA-512 Key HMAC SHA-512 algorithm. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 9 Self-Tests The following table describes the self-tests implemented by the module: Table 5. Module Self-Tests Test Description The module implements an integrity test for the module software by verifying its 1024- Software Integrity Test bit RSA signature. The software integrity test passes if and only if the signature verifies successfully using the Software Integrity Key. The module implements a known answer test (KAT) for AES-256 in the CBC mode of AES-256 CBC KAT operation. The test passes if and only if the calculated output equals the expected output. The module implements a KAT for Triple DES in the CBC mode of operation. The test Triple DES CBC KAT passes if and only if the calculated output equals the expected output. The module implements a KAT for SHA-1. The KAT passes if and only if the calculated SHA-1 KAT output equals the expected output. The module implements a KAT for SHA-256. The KAT passes if and only if the SHA-256 KAT calculated output equals the expected output. The module implements a KAT for SHA-512. The KAT passes if and only if the SHA-512 KAT calculated output equals the expected output. The module implements a KAT for HMAC SHA-1. The KAT passes if and only if the HMAC SHA-1 KAT calculated output equals the expected output. The module implements a KAT for HMAC SHA-256. The KAT passes if and only if the HMAC SHA-256 KAT calculated output equals the expected output. The module implements a KAT for HMAC SHA-512. The KAT passes if and only if the HMAC SHA-512 KAT calculated output equals the expected output. The module implements a KAT for RSA signature verification. The test passes if and RSA Verify KAT only if the calculated output equals the expected output. The module implements a KAT for the Diffie-Hellman key agreement protocol using elliptic curve cryptography (ECC). Using known input, a shared secret is generated. EC Diffie-Hellman KAT The test passes if and only if the calculated shared secret equals the expected shared secret. The module implements a continuous RNG test, as specified in FIPS 140-2, for the Continuous RNG Test implemented RNG. The module implements a KAT for the FIPS 186-2 RNG. The KAT passes if and only if FIPS 186-2 RNG KAT the calculated output equals the expected output. All self-tests except the ECC Pair-Wise Consistency Test and the Continuous RNG Test are executed during power-up without requiring operator input or action. The Software Integrity Test is the first self-test executed during power-up. Invoking the Self-Tests The operator may invoke the power-up self-tests by resetting the module. The operator may also invoke the all of the self-tests with the exception of the Software Integrity Test, ECC Pair-Wise Consistency Test, and Continuous RNG Test, by performing the following operations: 1. Navigate to the Security Options screen. 2. For BlackBerry device software 4.1, click the General Settings item. 3. Click the trackwheel. A menu appears. 4. Click the Verify Security Software menu item. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 10 When the self-tests are executed in this manner, the module displays the list of self-tests that are being executed and their pass/fail status upon completion. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 11 Mitigation of Other Attacks The module is not designed to mitigate any specialised attacks, thus the FIPS 140-2 requirements for mitigation of other attacks are not applicable. www.blackberry.com FIPS 140-2 Security Policy BlackBerry Cryptographic Kernel 12 Glossary AES Advanced Encryption Standard CBC Cipher block chaining CSP Critical security parameter DES Data Encryption Standard EC Elliptic curve FIPS Federal Information Processing Standard HMAC Keyed-hashed message authentication code IEEE Institute of Electrical and Electronics Engineers LCD Liquid crystal display LED Light emitting diode MQV Menezes, Qu, Vanstone PIN Personal identification number PKCS Public Key Cryptography Standard PUB Publication RIM Research In Motion RNG Random number generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard USB Universal serial bus www.blackberry.com