Voltage IBE Cryptographic Module Security Policy Document Version 2.5 Voltage Security, Inc. April 12, 2005 Copyright 2005 Voltage Security. May be reproduced only in its original entirety without revision. Voltage IBE Cryptographic Module Security Policy Revision History The following table presents the history of changes to this document. Document History Date Version Changes 2004-05-24 0.1 Created 2004-06-2 01.5 First draft complete 2004-06-07 01.7 Ready for client review 2004-06-16 01.8 Revised to include Create, Destroy, and Set Random Object. Revised to specify "Show Status" as User Service 2004-08-19 2.0 Revised to reflect Module logical interface changes 2004-09-15 2.1 Incorporate feedback from InfoGard review 2004-11-03 2.2 Add algorithm certificate numbers and test platform information. Corrected the Module API and DLL file names. Added information on test hardware and operating systems. Added information about limited processing when a FIPS error occurs. Clarified the public keys used in the Module. Made module name consistent. 2005-03-14 2.3 Updated section 4: clarified FIPS error state 2005-04-01 2.4 Updated Section 6.4: Clarified "create" definition 2005-04-12 2.5 Updated section 6.4: Added explanatory text for Table 5. Page 2 Voltage IBE Cryptographic Module Security Policy TABLE OF CONTENTS REVISION HISTORY................................................................................................................................................2 1. MODULE OVERVIEW .........................................................................................................................................4 2. SECURITY LEVEL................................................................................................................................................6 3. MODES OF OPERATION.....................................................................................................................................7 3.1 FIPS APPROVED MODE OF OPERATION .................................................................................................................7 3.2 NON-FIPS MODE OF OPERATION ..........................................................................................................................7 4. PORTS AND INTERFACES .................................................................................................................................8 5. IDENTIFICATION AND AUTHENTICATION POLICY................................................................................9 6. ACCESS CONTROL POLICY...........................................................................................................................10 6.1 ROLES AND SERVICES ........................................................................................................................................10 6.2 SERVICE INPUTS AND OUTPUTS .........................................................................................................................12 6.3 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS) ................................................................................15 6.4 DEFINITION OF CSPS MODES OF ACCESS ...........................................................................................................15 7. OPERATIONAL ENVIRONMENT....................................................................................................................18 8. SECURITY RULES ..............................................................................................................................................19 9. PHYSICAL SECURITY POLICY .....................................................................................................................19 10. MITIGATION OF OTHER ATTACKS POLICY...........................................................................................19 11. REFERENCES ....................................................................................................................................................20 12. DEFINITIONS AND ACRONYMS...................................................................................................................21 Page 3 Voltage IBE Cryptographic Module Security Policy 1. Module Overview The Voltage IBE Cryptographic Module is a FIPS 140-2 Level 1 compliant software module, which is also referred to by the acronym VIBECM, or the capitalized word Module. The Voltage IBE Developers Toolkit product includes the VIBECM along with supporting documentation and tools supporting non-FIPS functionality (see section 3.2 Non-FIPS mode of operation). The VIBECM is a software-only cryptographic module packaged as a single DLL (vibecryptofips.dll Version 2.0) and is supported on Windows 2000 Server, Windows 2003 Server, and Windows XP Service Pack 2. The primary purpose for this cryptographic module is to provide encrypt/decrypt and cryptographic signature services for Internet Protocol (IP) traffic. The VIBECM provides status output via the "Show Status" command. The VIBECM provides program interfaces for data input and output. The diagram below illustrates these interfaces as well as defining the cryptographic boundary. Module Physical Boundary (PC Physical Boundary) Microsoft Windows Operating System Module Logical Boundary DSA, SHA-1 VIBECM API Interface DES, TDES, AES vibecrypto.h Key Management, DRNG, DSA Key Generation Figure 1 ­ Image of the Cryptographic Module The physical cryptographic boundary for the Module is defined as the enclosure of the computer system on which the cryptographic module is to be executed. The physical embodiment of the Module, as defined in FIPS 140-2, is Multi-Chip Standalone. Persistent storage of keys is not supported by the VIBECM. Page 4 Voltage IBE Cryptographic Module Security Policy The Module was tested on Dell Dimension 2400 hardware running the Microsoft Windows XP Service Pack 2, Windows 2003 Server, and Windows 2000 Server operating systems. Page 5 Voltage IBE Cryptographic Module Security Policy 2. Security Level The VIBECM meets the overall requirements applicable to Level 1 security of FIPS 140-2. Table 1 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 3 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Page 6 Voltage IBE Cryptographic Module Security Policy 3. Modes of Operation The VIBECM supports two modes of operation, FIPS approved mode and non-FIPS approved mode. 3.1 FIPS approved mode of operation In FIPS mode, the VIBECM only supports FIPS Approved algorithms as follows: Table 2 ­ FIPS Approved Algorithms with Modes of Operation Algorithm Modes of Operation Certificate # DSA with 1024 bit keys Sign/Verify Cert. #124 DES (Legacy Systems Only) ECB, CBC, OFB, CFB Cert. #282 TDES ­ 3 key mode ECB, CBC, OFB, CFB Cert. #291 SHA-1 Byte Oriented Cert. #277 AES - 128 and 192 and 256 ECB, CBC, OFB, CFB Cert. #199 key sizes are supported DRNG ­ FIPS 186-2 X-Change Notice (SHA-1) Cert. #43 K-Change Notice (SHA-1) The VIBECM includes a deterministic random number generator (DRNG) that is compliant with FIPS 186-2 with 256-bit XKEY and underlying G function constructed from SHA-1 for generation of all cryptographic keys. FIPS-186-2 requires that the DRNG for DSA X values is slightly different from the algorithm for DSA K values (Appendix 3.1 and 3.2 respectively). The VIBECM implements both of these algorithms and they are used appropriately. To operate the VIBECM in the FIPS approved mode operators must run VIBECM on Microsoft Windows XP Service Pack 2, Windows 2003 Server, and Windows 2000 Server operating systems, use only FIPS approved algorithms and access only the service listed in Table 3 below. 3.2 Non-FIPS mode of operation In non-FIPS mode, the VIBECM provides non-FIPS approved algorithms as follows: · MD5 · Identity Based Encryption (IBE) Page 7 Voltage IBE Cryptographic Module Security Policy 4. Ports and Interfaces The logical interface of the Module is accessed through the API (VIBECM API) as defined in the header file vibecrypto.h. The API function calls, which represent the services provided by the Module, act as the Control Input. Data Input is provided by the variables passed with the function calls. These variables are passed on the program stack either directly on the stack or as a pointer on the stack that points to memory allocated in a heap. Both stack and heap are located in RAM. Data Output is provided by variables returned from a function call. As with Data Input, these variables are located either on the program stack or in a heap. The Status Output is provided in the return values and error codes provided by a function. All data output is inhibited during the self-test process, and during key generation. Only limited data processing will be allowed when the module is in a FIPS error state.. During this limited processing no cryptographic operations are allowed. The only FIPS services available during limited process are Zeroize and Show Status. The only operations available during limited processing that output data provide Base64 encoding and decoding. There is no output of any critical security parameters during limited data processing. The only way to reset the Module from this limited processing state is to unload the Module or to power down the computer. Page 8 Voltage IBE Cryptographic Module Security Policy 5. Identification and Authentication Policy This section describes the identification and authentication policy of the Module. The VIBECM supports two distinct operator roles (User and Cryptographic-Officer). The User role provides the basic services to process data (encryption, decryption, and key management), whereas the Crypto Officer role provides the services to perform integrity checking self-tests, and zeroize. VIBECM does not support a Maintenance role. The role of the operator of VIBECM is identified implicitly on the library function being called, as shown in Table 3 in the next section. There is no operator authentication. Page 9 Voltage IBE Cryptographic Module Security Policy 6. Access Control Policy This section describes the access control policy of the Module. 6.1 Roles and Services The services available to each role are described in the following table. Table 3 ­ Services Authorized for Roles Role Authorized Services User Role: · Create Algorithm Object: Creates a new algorithm object. This role shall provide all · Destroy Algorithm Object: Destroys an algorithm object. of the services necessary to: · Create Random Object: Creates a new random number generator object. · Examine and set the attributes of the · Destroy Random Object: Destroys a random number Voltage IBE generator object. Cryptographic Module. · Create Key Object: Creates a new key object. · Support data encryption and decryption · Destroy Key Object: Destroys a key object. operations. · Set Key Object: Sets the key object with information. · Compute hashes and create and verify digital · Get Key Info: Returns key information. signatures. · Create Parameter Object: Creates a new parameter object. · Generate DSA key pairs for signatures · Destroy Parameter Object: Destroys a parameter object. · Set Parameter Object: Sets a parameter object with information. · Get Parameter Info: Returns parameter information. · Generate Parameters: Generates default DSA parameters. · Digest Data: Initializes an object for digesting. Finishes the digest process, generating the final digest output. · Encrypt Data: Initializes an object for encrypting. Encrypts a data stream. · Decrypt Data: Initializes the object for decrypting. Decrypts Page 10 Voltage IBE Cryptographic Module Security Policy Role Authorized Services a data stream. · Seed Random: Add seed material to a DRNG object. · Generate Random Bytes: Generates bytes of random data. · Sign: Creates a DSA signature. · Verify: Verifies a DSA signature. · Generate Key Pair: Generates a DSA key pair. · Show Status: Returns the current status of the Module. Cryptographic-Officer · Perform Self-Tests: Executes the suite of self-tests required Role: by FIPS 140-2. This role shall provide the · Zeroize: Actively destroys all plaintext critical security services necessary for: parameters. · Performing module Self-Tests · Zeroizing and destroying CSPs The Perform Self-Tests service is automatically run when the VIBECM is powered on/initialized. The operator can cause this service to be run by calling the VtCreateLibCtxFips function in the C language API vibecrypto.h. Page 11 Voltage IBE Cryptographic Module Security Policy 6.2 Service Inputs and Outputs The following table specifies the inputs and output for each service. Table 4 - Specification of Service Inputs & Outputs Service Control Input Data Input Data Output Status Output Create VtCreateAlgorithmObject Algorithm Algorithm Succeed / Algorithm function call specific Object Fail Object information Destroy VtDestroyAlgorithmObjec Pointer to None Succeed / Algorithm t function call Algorithm Fail Object Object Create Random VtCreateRandomObject XKEY DRNG Object Succeed / Object function call Fail Destroy VtDestroyRandomObject Pointer to None Succeed / Random function call DRNG Object Fail Object Create Key VtCreateKeyObject None Key Object Succeed / Object function call Fail Destroy Key VtDestroyKeyObject Pointer to Key None Success / Object function call Object Fail Set Key Object VtSetKeyParam function Key data None Succeed / call Fail Get Key Info VtGetKeyParam function Pointer to Key Key data Succeed / call Object Fail Create VtCreateParameterObject None Parameter Succeed / Parameter function call Object Fail Object Destroy VtDestroyParameterObject Pointer to None Succeed / Parameter function call Parameter Fail Object Object Set Parameter VtSetParameterParam Parameter data. None Succeed / Object function call Fail Page 12 Voltage IBE Cryptographic Module Security Policy Service Control Input Data Input Data Output Status Output Get Parameter VtGetParameterParam Pointer to Parameter data Succeed / Info function call Parameter Fail Object Generate VtGenerateParameters Size of DSA Parameter Succeed / Parameters function call Prime Object filled Fail with generated parameters Digest Data VtDigestInit, Data to hash Hashed data Succeed / VtDigestUpdate, and Fail VtDigestFinal function calls Encrypt Data VtEncryptInit, Data to Encrypted data Succeed / VtEncryptUpdate, and Encrypt, Key Fail VtEncryptFinal function Object, calls Random Number Generator Object Decrypt Data VtDecryptInit, Encrypted data, Decrypted Data Succeed / VtDecryptUpdate, and Key Object, Fail VtDecryptFinal function Random calls Number Generator Object Seed Random VtSeedRandom function DRNG Seed None Succeed / call Data Fail Generate VtGenerateRandomBytes None Random Data Succeed / Random Bytes function call Fail Sign VtSign function call Key Object, Cryptographic Succeed / Hashed Data, Signature Fail Random Number Generator Object Page 13 Voltage IBE Cryptographic Module Security Policy Service Control Input Data Input Data Output Status Output Verify VtVerifySignature Cryptographic Verification Succeed / function call Signature, Key result Fail Object, Hashed Data, Random Number Generator Object Generate Key VtGenerateKeyPair Algorithm DSA Public and Succeed / Pair function call Object, Private Key Fail Random Objects Number Generator Object Show Status VtGetFipsError function None Cryptographic Succeed / call Module Status Fail Perform Self VtCreateLibCtxFips None None Succeed / Test function call Fail Zeroize VtDestroyLibCtx function None None Succeed / call Fail Page 14 Voltage IBE Cryptographic Module Security Policy 6.3 Definition of Critical Security Parameters (CSPs) The following are the critical security parameters contained in the module: · AES Keys: These keys are imported into the Module by the operator using VIBECM services. · Triple-DES Keys: These keys are imported into the Module by the operator using VIBECM services. · DES Keys: These keys are imported into the Module by the operator using VIBECM services. · DSA Private Keys. These keys are generated by, or imported into the Module by the operator using VIBECM services. · DRNG XKEY: This key is imported into the Module by the operator using VIBECM services and is the initial XKEY value for the FIPS 186-2 DRNG. · DRNG Seed. This key is imported into the Module by the operator using VIBECM services and is the optional user input seed for the FIPS 186-2 DRNG. Definition of Public Keys: The following are the public keys contained in the module: · DSA Software Signing Public Key: This key is the DSA public key associated with the DSA private key used to sign the Module DLL for software integrity checking. · DSA Public Keys. These keys are generated by, or imported into the Module by the operator using VIBECM services. 6.4 Definition of CSPs Modes of Access The modes of access shown in the table are defined as follows: · Create: Creates two key objects, and then fills the key objects with cryptographic keys, using previously created random object as input. One key object contains the private key, and the other key object contains the public key. · Zeroize: Destroys a cryptographic key object, freeing memory allocated for this object. · Write: Sets a cryptographic key object with key data. · Read: Accesses a CSP to obtain information about the CSP. The following table describes how the services performed by each role access the CSP. The mode of access that a service has to a CSP is indicated in the column "Cryptographic Keys and CSPs Access Operation". An "X" in a "Role" column means that the service is allowed by the role in that mode. Page 15 Voltage IBE Cryptographic Module Security Policy Table 5 ­ CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation Crypto User graphic Officer X Create None Algorithm Object X Destroy None Algorithm Object X Create Random Writes a DRNG XKEY key to a Random Number Object Generator Object X Destroy None Random Object X Create Key None Object X Destroy Key Zeroizes AES Key, Triple-DES Key, DES Key, or DSA Object Key X Set Key Object Writes to a key object with key data X Get Key Info Reads key data X Create None Parameter Object X Destroy None Parameter Object X Set Parameter None Object X Get Parameter None Info X Generate None Parameters X Digest Data None Page 16 Voltage IBE Cryptographic Module Security Policy Role Service Cryptographic Keys and CSPs Access Operation Crypto User graphic Officer X Encrypt Data Reads key for selected algorithm (AES Key, Triple-DES Key, or DES Key.) X Decrypt Data Reads key for selected algorithm (AES Key, Triple-DES Key, or DES Key.) X Seed Random Writes DRNG seed into a Random Number Generator Object X Generate None Random Bytes X Sign Reads DSA key X Verify Reads DSA key X Generate Key Creates DSA key pair Pair X Show Status None X Perform Self None Test X Zeroize Zeroize all CSPs Page 17 Voltage IBE Cryptographic Module Security Policy 7. Operational Environment The operating environment for the Module is a "modifiable operational environment". The FIPS 140-2 Area 6 Operational Environment requirements for Security Level 1 are satisfied in the following ways: When the Module is operated in FIPS approved mode, the environment is restricted to a single operator mode of operation (i.e., concurrent operators are explicitly excluded). The Module prevents access by other processes to plaintext private and secret keys, CSPs, and intermediate key generation values during the time the cryptographic Module is executing/operational; using address space separation mechanisms of the operational environment. Processes that are spawned by the Module are owned by the Module and are not owned by external processes/operators. Noncryptographic processes shall not interrupt the Module during execution. The Module software is installed in a form that protects the software and executable code from unauthorized disclosure and modification. Cryptographic algorithm integrity tests are performed using Power-Up Self-Tests, Software Integrity Tests, and Conditional Self Tests. (See Section 8 - Security Rules) Page 18 Voltage IBE Cryptographic Module Security Policy 8. Security Rules 1. The Module design corresponds to the VIBECM security rules. This section documents the security rules enforced by the Module to implement the security requirements of this FIPS 140-2 Level 1 module. 2. The VIBECM performs all of the tests listed below. A. Power up Self-Tests: This are performed without any operator intervention. 1. Cryptographic algorithm tests a. DSA Sign/Verify Known Answer Test b. SHA-1 Known Answer Test c. AES, CBC mode, 128 bit key size Known Answer Test d. DES, CBC mode, Known Answer Test e. TDES, CBC mode, Known Answer Test f. DRNG, X values, Known Answer Test g. DRNG, K values, Known Answer Test 2. Software Integrity Test a. Software integrity test via DSA Signature verification of the vibecryptofips.dll. B. Conditional Self-Tests: These tests are performed during the appropriate services. 1. Continuous Random Number Generator (DRNG) tests ­ initiated at random number generation and performed by both the FIPS 186- 2 appendix 3.1 (DRNG, X values) and the FIPS 186-2 appendix 3.2 (DRNG, K values) random number generators 2. Pairwise consistency test for newly generated DSA key pairs 9. Physical Security Policy VIBECM is a software module and the physical security requirements are not applicable. 10. Mitigation of Other Attacks Policy The Module is not designed to mitigate any other attacks. Page 19 Voltage IBE Cryptographic Module Security Policy 11. References This section contains informative references that provide helpful background information. [FIPS-140-2] "Security Requirements for Cryptographic Modules" Version 2, May 25, 2001. http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf [FIPS-180-2] "Secure Hash Standard" Version 2, August 1, 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf [FIPS-186-2] "Digital Signature Standard (DSS)" Version 2, January 27, 2000. http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf [FIPS-197] "Advanced Encryption Standard (AES)" November 26, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf [FIPS-46-3] "Data Encryption Standard" October 25, 1999. http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf Page 20 Voltage IBE Cryptographic Module Security Policy 12. Definitions and Acronyms The following paragraphs define the acronyms used in this document. AES. Advanced Encryption Standard secret key algorithm. See [FIPS-197]. API. Application Program Interface CBC. Cipher Block Chaining mode CFB. Cipher Feed Back mode CSP. Critical Security Parameters DES. Data Encryption Standard. See [FIPS-46-3]. DRNG. Deterministic Random Number Generator. DSS. Digital Signature Standard. See [FIPS-186-2] ECB. Electronic Codebook mode EMI. Electromagnetic Interference EMC. Electromagnetic Compatibility FIPS. Federal Information Processing Standards of NIST. IV. Initialization Vector NIST. National Institute of Standards and Technologies. OFB. Output Feed Back mode SHA-1. Secure Hash Algorithm revision 1. See [FIPS-180-2]. TDES. Triple DES. See [FIPS-43-3]. Page 21