Nortel Contivity® VPN Client (Software Version 5.11_021) FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Version 0.14 December 2004 © 2004 Nortel This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1. INTRODUCTION......................................................................................................... 3 1.1 PURPOSE ................................................................................................................. 3 1.2 REFERENCES ........................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ....................................................................................... 3 2. CONTIVITY® VPN CLIENT ......................................................................................... 5 2.1 OVERVIEW ............................................................................................................... 5 2.2 MODULE INTERFACES................................................................................................ 6 2.3 ROLES AND SERVICES ............................................................................................... 7 2.3.1 Crypto Officer Role........................................................................................... 7 2.3.2 User Role ......................................................................................................... 9 2.4 PHYSICAL SECURITY ................................................................................................. 9 2.5 OPERATIONAL ENVIRONMENT .................................................................................... 9 2.6 CRYPTOGRAPHIC KEY MANAGEMENT ......................................................................... 9 2.7 SELF-TESTS ........................................................................................................... 11 2.8 DESIGN ASSURANCE ............................................................................................... 12 2.9 MITIGATION OF OTHER ATTACKS .............................................................................. 12 3. SECURE OPERATION ............................................................................................. 13 3.1 CRYPTO OFFICER GUIDANCE ................................................................................... 13 3.1.1 Installation ...................................................................................................... 13 3.1.2 Management .................................................................................................. 13 3.1.3 Zeroization...................................................................................................... 14 3.2 USER GUIDANCE .................................................................................................... 14 4. ACRONYMS ............................................................................................................. 15 © 2004 Nortel www.nortel.com Page 2 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy 1. Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Contivity VPN Client from Nortel. This Security Policy describes how the Contivity VPN Client meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/cryptval. The Contivity VPN Client is referred to in this document as VPN Client, Client, or the module. 1.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: · The Nortel website (http://www.nortel.com) contains information on the full line of products from Nortel. · The CMVP website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module. 1.3 Document Organization The Security Policy document is one document in the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Nortel. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 © 2004 Nortel www.nortel.com Page 3 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy Validation Documentation is proprietary to Nortel and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Nortel. © 2004 Nortel www.nortel.com Page 4 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy ® 2. CONTIVITY VPN CLIENT 2.1 Overview The Contivity VPN Client provides the user-side functionality for secure remote access over IP networks using Contivity IP access routers and VPN servers. The Contivity VPN Client ensures end-to-end network security by establishing a fully encrypted and authenticated VPN connection from a user's desktop across the Internet, terminating on a Contivity VPN switch located at a trusted enterprise location. The following table details the security level achieved by the Contivity VPN Client in each of the eleven sections of FIPS 140-2. Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 3 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 1 ­ Security Level Per FIPS 140-2 Section The Contivity VPN Client is a software module composed of a set of binaries running on the Windows 2000 or XP Operating System (OS) on a general-purpose personal computer (PC). In FIPS 140-2 terminology, the Contivity VPN Client is a multi-chip standalone module that meets the level 1 FIPS 140-2 requirements. The module was tested for FIPS 140-2 requirements on Windows XP Professional with Service Pack 2. Physically, the module is composed of the components of a general purpose PC, and the physical cryptographic boundary is the case of the PC. The PC or motherboard manufacturer could provide a block diagram for the exact hardware on which the module is installed, and the physical cryptographic boundary surrounds all of those components. Logically, Contivity VPN Client consists of four binaries running on the Windows 2000 or XP Operating System, and the logical cryptographic boundary includes these four components, as depicted in Figure 1. · CVC Application ­ Performs IKE and provides a GUI. · IPSec Driver ­ Performs IPSec. © 2004 Nortel www.nortel.com Page 5 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy · Filter Driver ­ Filters traffic other than IKE and IPSec communications. · Library ­ Interfaces with MSCAPI for authentication using digital certificates. Figure 1 ­ Logical Block Diagram 2.2 Module Interfaces The Contivity VPN Client's physical ports are those provided by the general purpose PC, including the Ethernet ports and mouse/keyboard ports. The Client's logical interfaces are composed of graphical user interfaces (GUIs), command line interfaces (CLIs), application programming interfaces (APIs), configuration and log files, and packets traversing the network stack. A mapping of the FIPS 140-2 logical interfaces to the VPN Client's logical interfaces and the physical ports of the PC can be found in the following table. © 2004 Nortel www.nortel.com Page 6 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy FIPS 140-2 Contivity VPN Client Logical Interface PC Physical Logical Interface Port Data Input The data input is any data sent into the module Network ports Interface through the network stack to an application on the PC (such as email, browser, etc), and any data coming into the module through the network stack from the network ports. Also, data input from the module by MSCAPI for certificate processing and RSA operations. Data Output The data output is any data going out of the module Network ports Interface through the network stack from an application on the PC (such as email, browser, etc), and any data going out of the module through the network stack out the network ports. Also, data output from the module to MSCAPI for certificate processing and RSA operations. Control Input Data read from configuration files, data input via the Keyboard ports, Interface CVC GUI or command line interface. hard disk, mouse ports Status Output The Status Output is all messages either logged by Hard disk, Interface the module or the messages in the GUI. The error monitor ports messages from IKE negotiations are also status output. The logged informational and error messages can be seen through the log files provided. Table 2 ­ Physical Ports and FIPS 140-2 Logical Interfaces 2.3 Roles and Services There are two roles that operators may assume within the Contivity VPN Client, the Crypto Officer role and the User role. The Crypto Officer is responsible for installation and local configuration of the Client. The User access the module's VPN services. Operators can be authenticated by the Windows Operating System. Authentication to the Server is performed during IKE using pre-shared keys and digital certificates. However, these authentication mechanisms are not tested on a level 1 FIPS 140-2 validation. 2.3.1 Crypto Officer Role The Crypto Officer role has the ability to install and configure the Contivity VPN Client. Descriptions of the services available to the Crypto Officer role are provided in the table below. Service Description Input Output CSP CSP Access Installation Installing the VPN Command Result of HMAC-SHA1 Read Client options or installation for Integrity © 2004 Nortel www.nortel.com Page 7 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy Service Description Input Output CSP CSP Access Commands check Client Client software Installation installation Customization customization using setup.ini Create a To configure Command Status of Authentication Read/Write connection connection options command, Data parameters response and results Profile data Add/Edit/Delete a Command Status of profile options command, response and results Authentication Authentication to the Command Command Authentication Write Options Contivity Gateway options or response Data Commands Name Server To specify a DNS or Command Options WINS server, option overriding the Contivity Gateway KeepAlives To enable or disable Command Command KeepAlive packets options response that maintain a connection during idle periods Auto Connect Install/Uninstall Auto Command Command Connect feature options response Connect To enable or disable Command Command before Logon the Contivity VPN options response Client GINA dialog box on logon Uninstall To uninstall the client Command Command software options response Start/Stop Starts/stops the CVC Menu Status of HMAC-SHA1 Read services. The self tests options or command for Integrity are performed during Commands check the module start/restart. Show status Status messages for Commands Status info in the module written to log file log file and Event Viewer. Zeroization Zeroizing CSPs Uninstalling All Write the module and reformatting the hard drive Table 3 ­ Crypto Officer Services, Descriptions, CSPs © 2004 Nortel www.nortel.com Page 8 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy 2.3.2 User Role The User role accesses the module's VPN functionality by initiating an IPSec connection with the Server. The service descriptions and inputs/outputs are listed in the following table: Service Description Input Output CSP CSP Access VPN Use the VPN Encrypted/decr Encrypt/decry Session keys Read/Write session services within an ypted data pted data IPSec tunnel Connect To establish VPN Authentication Result of login Authentication Read/Write session by Information attempt Data authenticating to the Contivity Gateway Edit profile Edit the profile Command Updated Authentication Read/Write information on the options profile Data Client information Change Change the current Current Updated Password Write password password used on password password the Contivity Gateway Monitor To monitor Command Status of Status connection status options command Disconnect To end the VPN Command Status of Session keys Write session options command Table 4 ­ User Services, Descriptions, Inputs and Outputs 2.4 Physical Security Contivity VPN Client v5.11_021 is a software module and does not implement any physical security mechanisms. Although Contivity VPN Client v5.11_021 consists entirely of software, the FIPS 140-2 tested platform is a standard PC which has been tested for and meets applicable Federal Communication Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for home and business use as defined in Subpart B of FCC Part 15. 2.5 Operational Environment The Contivity VPN Client runs on the general purpose Windows 2000 or XP Operating System, which are considered to be single user mode Operating Systems for FIPS 140-2 compliance. The module was tested on the Windows XP Service Pack 2 operating system. 2.6 Cryptographic Key Management The Contivity VPN Client implements the following FIPS-approved algorithms: © 2004 Nortel www.nortel.com Page 9 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy · AES-CBC (128, 256 bits) ­ FIPS 197 (certificate #218) · Triple DES-CBC (168 bits) ­ FIPS 46-3 (certificate #310) · SHA-1 ­ FIPS 180-2 (certificate #299) · HMAC-SHA1 ­ FIPS 198 (certificate #28) · PRNG ­ General purpose implementation of FIPS 186-2 [(x- Original); (SHA-1)] (certificate #62) Additionally, the module utilizes the following non-FIPS-approved algorithm implementation in a FIPS mode of operation as allowed by Annex D of FIPS 140-2: · Diffie-Hellman Group 2 (1024 bit) · Diffie-Hellman Group 5 (1536 bit) The following algorithms are disabled within the module in a FIPS mode of operation: · Diffie_Hellman Group 8 (ECDH) · Diffie-Hellman Group 1 (768 bit) · DES · 40-bit DES · MD5 · HMAC-MD5 The module supports the following critical security parameters: Key Key type/size Generation Storage Use Integrity check HMAC (160 Externally generated Non-volatile Software HMAC-SHA1 bits) predetermined value memory (hard integrity check key hard-coded into the drive ­ plaintext) module FIPS 186-2 160 bits Internally generated by Not stored ­ in Used by FIPS PRNG Seed gathering system volatile memory 186-2 PRNG key entropy only (plaintext) Passwords Alphanumeric Externally created by an Not stored ­ in Generate pre- (Group and string operator and entered volatile memory shared keys for User) (minimum of 6 into the module only; or non- authentication characters) volatile memory during IKE (hard drive ­ plaintext) IPSec pre- 160 bits Internally generated by Not stored ­ in Mutual shared keys hashing user id and volatile memory authentication password only (plaintext) between the module and the server RSA public RSA public key Externally generated Not stored ­ in Mutual keys (1024 bits ­ and input into and volatile memory authentication (Certificates) 4096 bits) output from the module only (plaintext) between the during IKE module and the server © 2004 Nortel www.nortel.com Page 10 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy IKE DH key Diffie Hellman Internally generated for Not stored ­ in Used for pair Group 2 (1024 use during IKE volatile memory session key bits) or Group only (plaintext) agreement ­ 5 (1536 bits) public key sent to server IKE DH public Diffie Hellman Externally generated Not stored ­ in Used for key Group 2 (1024 and loaded into the volatile memory session key bits) or Group module during IKE only (plaintext) agreement ­ 5 (1536 bits) received from server IPSec session AES (128, 256 Negotiated during IKE Not stored ­ in Used to keys bits) using Diffie-Hellman key volatile memory encrypt/decrypt/ Triple-DES agreement only (plaintext) HMAC tunnel (168 bits), traffic HMAC SHA-1 keys (160 bits) Table 5 ­ Listing of Key and Critical Security Parameters All the keys contained only in volatile memory are not stored in the module and are zeroized immediately after use. All other CSPs can be zeroized by uninstalling the module and reformatting the hard drive. 2.7 Self-Tests The Contivity VPN Client performs the following self-tests at power-up: · Software integrity check: Verifying the integrity of the software binaries of the module using an HMAC-SHA1 keyed hash. · AES Known Answer Test (KAT): Verifying the correct operation of the AES algorithm implementation. · Triple-DES KAT: Verifying the correct operation of the Triple-DES algorithm implementation. · SHA-1 KAT: Verifying the correct operation of the SHA-1 algorithm implementation. · HMAC-SHA1 KAT: Verifying the correct operation of the HMAC- SHA1 algorithm implementation. · FIPS 186-2 RNG KAT: Verifying the correct operation of the FIPS 186-2 RNG implementation. · Alternating bypass mode test: Verifying the integrity of the modules bypass capability hardcoded in the filter driver. The Contivity VPN Client performs the following conditional self-tests: © 2004 Nortel www.nortel.com Page 11 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy · FIPS 186-2 Continuous RNG: Verifying that the Approved RNG has not failed to a constant value. · Continuous RNG for entropy gathering: Verifying that the seed for the FIPS 182-2 PRNG has not failed to a constant value. The Contivity VPN Client will start its services only after all the self tests have passed. If the self tests have not passed, it enters an error state and logs the failure. All error conditions can be cleared by restarting the module. 2.8 Design Assurance Nortel follows highly stabilized and popular design procedures. The design goes through many phases of review and inspections, and implementations undergo rigorous quality assurance testing. Additionally, ClearCase Version 5.0 is used to provide configuration management for the Contivity VPN Client's software and documentation. This software provides access control, versioning, and logging. 2.9 Mitigation of Other Attacks This section is not applicable. The Contivity VPN Client v5.11_021 does not claim to mitigate any attacks beyond the FIPS 140-2 level 1 requirements for this validation. © 2004 Nortel www.nortel.com Page 12 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy 3. SECURE OPERATION The Contivity VPN Client meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in FIPS- approved mode of operation. 3.1 Crypto Officer Guidance The Crypto Officer is responsible for installation, customization configuration, management of the module, and removal of the module. More details on how to use the module can be found in Configuring the Contivity VPN Client and Using the Contivity VPN Client in FIPS Mode documents. 3.1.1 Installation The module performs RSA operations and digital certificate processing using MSCAPI. In a FIPS mode of operation, the module must be installed on a Microsoft Windows 2000 or XP (Home or Professional) Operating System that has a FIPS-validated MSCAPI module. Currently the following versions of MSCAPI are FIPS validated: FIPS Cert # Windows platform rasenh.dll version 238 Windows XP 5.1.2518.0 5.1.2600.1029 [SP1] and 5.1.2600.2161 [SP2] 103 Windows 2000 SPx 5.0.2150.1391 [SP1], 5.0.2195.2228 [SP2] and 5.0.2195.3839 [SP3] 76 Windows 2000 5.0.2150.1 Table 6 ­ Current FIPS validated MSCAPI and their platforms The testing was performed on Windows XP Professional SP2 which ran v 5.1.2600.2161 of rsaenh.dll 3.1.2 Management By default, the Contivity VPN Client v5.11_021 is configured for a FIPS mode of operation. The module can be put in a non-FIPS mode during custom installation or configuration. When switching between FIPS and non-FIPS modes the operator must zeroize the group and user passwords by overwriting them with new values. However, an operator must not perform switching between FIPS and non-FIPS mode when using the module in a FIPS mode of operation. © 2004 Nortel www.nortel.com Page 13 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy 3.1.3 Zeroization At the end of the life cycle of the module, the Crypto-Officer must uninstall the module's software and then overwrite all addressable locations with a single character and reformat the hard drive which contained the software. This will zeroize all hard coded keys or CSP's stored within files. 3.2 User Guidance The User accesses the module's VPN functionality. The User must not modify the configuration of the module as established by the Crypto Officer, nor should a User reveal any of the CSPs (such as group and user passwords) used by the module to other parties. © 2004 Nortel www.nortel.com Page 14 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Contivity® VPN Client FIPS 140-2 Non-Proprietary Security Policy 4. ACRONYMS API Application Programming Interface CLI Command Line Interface CMVP Cryptographic Module Validation Program CSP Critical Security Parameter DES Digital Encryption Standard EMC Electromagnetic Compatibility EMI Electromagnetic Interference ESP Encapsulating Security Payload FCC Federal Communication Commission FIPS Federal Information Processing Standard HMAC (Keyed-) Hash MAC IKE Internet Key Exchange IP Internet Protocol IPSec IP Security KAT Known Answer Test MAC Message Authentication Code MSCAPI Microsoft Cryptographic API NIST National Institute of Standards and Technology OS Operating System PC Personal Computer PRNG Pseudo Random Number RNG Random Number Generator RSA Rivest Shamir and Adleman SA Security Association SHA Secure Hash Algorithm SP Service Pack VPN Virtual Private Network © 2004 Nortel www.nortel.com Page 15 of 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.