SEL-3021 Serial Encrypting Transceiver Security Policy
Document Version 1.3
Schweitzer Engineering Laboratories, Inc.
July 12, 2005

Copyright 2005 Schweitzer Engineering Laboratories, Inc. May be reproduced only in its original entirety [without revision].

TABLE OF CONTENTS

1. Module Overview ........................................... 3
2. Security Level ............................................ 3
3. Modes of Operation ........................................ 4
4. Ports and Interfaces ...................................... 5
5. Identification and Authentication Policy .................. 7
6. Access Control Policy ..................................... 10
   Roles and Services ........................................ 10
   Definition of Critical Security Parameters (CSPs) ......... 12
   Definition of CSPs Modes of Access ........................ 12
7. Operational Environment ................................... 14
8. Security Rules ............................................ 14
9. Physical Security Policy .................................. 16
   Physical Security Mechanisms .............................. 16
   Operator Required Actions ................................. 16
10. Mitigation of Other Attacks Policy ....................... 16
11. References ............................................... 16
12. Definitions and Acronyms ................................. 16

1. Module Overview

The SEL-3021 Serial Encrypting Transceiver is a multi-chip standalone cryptographic module (Hardware P/N SEL-3021 Version 00004CA8, Firmware Version SEL-3021-R105-V0-Z002001-D20050701) encased in a hard, opaque, tamper-evident, commercial-grade plastic case. The cryptographic boundary is the entire module.

The SEL-3021 is an EIA-232 "bump in the wire" encryption module. It is designed to protect latency-sensitive devices that send and receive critical, sensitive data, such as electric power revenue meters, protective relays, Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), and Supervisory Control and Data Acquisition (SCADA) equipment, from unauthorized access, control, monitoring, and malicious attack. Figure 1 shows a SEL-3021 Serial Encrypting Transceiver.
Figure 1 - Image of the SEL-3021 Serial Encrypting Transceiver

The SEL-3021 consists of two EIA-232 ports, referred to as the Local Interface and the Remote Interface. The Local Interface connects to a device that requires data protection, e.g. the SCADA master, RTU or computer serial port. The Remote Interface connects to an untrusted channel, e.g. a modem connected to a leased phone line or a network connection device. The Local Interface exchanges plaintext (unencrypted) data between the protected device and the SEL-3021. The Remote Interface exchanges encrypted data between the local SEL-3021 device and one or more remote SEL-3021 devices.

The SEL-3021 also incorporates a secured IEEE 802.11b wireless operator interface. The wireless interface is secured by cryptographic authentication and encryption: 128-bit AES encryption and HMAC-SHA-1 for authentication. This encrypted operator interface allows system operators to securely monitor the Local and Remote Interface channel health and to program system parameters without removing the SEL-3021 from service.

2. Security Level

The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2.

Table 1 - Module Security Level Specification

Security Requirements Section      | Level
Cryptographic Module Specification | 2
Module Ports and Interfaces        | 2
Roles, Services and Authentication | 2
Finite State Model                 | 2
Physical Security                  | 2
Operational Environment            | N/A
Cryptographic Key Management       | 2
EMI/EMC                            | 2
Self-Tests                         | 2
Design Assurance                   | 2
Mitigation of Other Attacks        | N/A

3. Modes of Operation

Approved mode of operation

In FIPS mode, the cryptographic module only supports FIPS Approved algorithms, as follows:

· 128-bit AES CBC mode encryption for securing all messages on the wireless operator interface.
· HMAC-SHA-1, with 128-bit key strength, for authenticating all messages on the wireless operator interface.
· 128-bit AES CTR mode encryption for securing In-Band data transmission on the untrusted serial interface.
· 128-bit AES Key Wrap for securing all Out-Of-Band session key transports on the untrusted serial interface.
· 128-bit AES ECB mode
· SHA-1

The SEL-3021 cryptographic module relies on the implemented deterministic random number generator (DRNG), which is compliant with FIPS 186-2 Appendix 3.1, with a 160-bit seed key (XKEY) value. The DRNG seed key (XKEY) is supplied by a non-deterministic random number generator (NDRNG) comprised of a hardware-implemented, amplified noise sampler. The SEL-3021 cryptographic module only runs in FIPS mode.

4. Ports and Interfaces

The SEL-3021 cryptographic module provides the following physical ports and logical interfaces:

Physical Port | Protocol | Logical Interface
DB9 DTE       | EIA-232  | Data input/output (switchable trusted or untrusted data port)
DB9 DCE       | EIA-232  | Data input/output (switchable trusted or untrusted data port)
Wireless      | 802.11b  | Control input/Status output (operator interface)
Power         | N/A      | Power (5 to 24 volt range DC, 1 ½ mm jack connector)
Reset button  | N/A      | Control input, used for zeroization
Compression   | N/A      | Power terminal, for power (5 to 24 Volts DC)
Alarm         | N/A      | Status output contact (compression terminal connector)
LED           | N/A      | Status output (Green LED located on the rear of the module)

Trusted Data Port

The Trusted EIA-232 interface receives plain text data from the trusted source and passes it to the encrypting data path.
The Trusted EIA-232 interface receives decrypted data from the decryption data path and transmits it to the trusted source. The user is allowed to select whether the DTE or DCE physical DB9 serial port is the trusted port. The other port is set as the Untrusted interface.

Untrusted Data Port

The Untrusted EIA-232 interface receives cipher text data from the encrypting data path and sends it to an untrusted source. The Untrusted EIA-232 interface receives encrypted data from an untrusted source. The untrusted port passes the encrypted message to the decrypting data path. The decrypting data path then decrypts the received message and transmits it to the trusted source.

Wireless Operator Interface

The Operator Interface consists of an IEEE 802.11b wireless interface and PC/Handheld software (the software is not included in the module boundary). The Operator Interface exists for the sole purpose of monitoring and setting the module.

5. Identification and Authentication Policy

Assumption of roles

The SEL-3021 Serial Encrypting Transceiver supports three distinct operator roles: the Security Officer, the Operator, and the Remote Device (User). The cryptographic module enforces the separation of roles using role-based user authentication. A user must prove knowledge of the appropriate key in order to authenticate to the module.

Table 2 - Roles and Required Identification and Authentication

Role | Type of Authentication | Authentication Data
Security Officer | Role-based user authentication | Knowledge of the Security Officer Encryption Key (128-bit AES key), the Security Officer Authentication Key (128-bit HMAC-SHA-1 key) and the Security Officer Password (6-80 printable ASCII characters)
Operator | Role-based user authentication | Knowledge of the Operator encryption key (128-bit AES key), the Operator authentication key (128-bit HMAC-SHA-1 key) and the Operator password (6-80 printable ASCII characters)
Remote Device (User) | Role-based user authentication | Knowledge of the System Encryption Key (128-bit AES key)

Table 3 - Strengths of Authentication Mechanisms

Authentication Mechanism: Encryption Key, Authentication Key, and Password (Security Officer and Operator roles)
Strength of Mechanism: In order to authenticate as the Security Officer or Operator, an attacker must know the values of the cryptographic security parameters (CSPs) associated with the desired role (the 128-bit encryption key, the 128-bit authentication key, and the password). Assuming that all parameters are independent, and that a minimum-length, six-byte password is used, the probability that a random attempt will succeed or a false acceptance will occur is 1/(2^128 * 2^128 * 92^6) = 1.42 E-89. This analysis assumes that a random password is selected from a 92-character printable ASCII alphabet. We also assume that the exact value of all CSPs must be correctly guessed in order to successfully authenticate (i.e. the individual CSPs cannot be guessed or broken separately). This assumption is true for the SEL-3021 because the device does not give any feedback indicating the success or failure of any one CSP value. Assuming that the SEL-3021 can process 1000 guesses per second (this is a very conservative value, as the SEL-3021 will not be able to process authentication attempts at anywhere near this rate), the probability of successfully authenticating to the module within one minute is 8.54 E-85.

Authentication Mechanism: Encryption Key (Remote Device role)
Strength of Mechanism: The probability that a random attempt will succeed or a false acceptance will occur is 1/(2^128) = 2.94 E-39. The module is capable of performing approximately one authentication every 0.02 seconds (based on the size of the authentication dialog frames and the maximum baud rate of the SEL-3021). This results in a maximum authentication dialog processing rate of 3000 attempts per minute. The probability of successfully authenticating to the module within one minute is 8.82 E-36.

6. Access Control Policy

Roles and Services

Table 4 - Services Authorized for Roles

Role: Security Officer
The Security Officer role is only available on the wireless interface. This role shall provide all of the services necessary to program all of the SEL-3021 settings, including all cryptographic security parameters (CSPs). In addition, the Security Officer role can view all settings (except CSPs) and all device status variables.

Authorized Services:
· Initiate Security Officer Session on the Wireless Operator Interface: This service opens an authenticated Security Officer role session on the wireless operator interface.
· View all Settings Except CSPs: This service allows the authenticated user to view all device settings except those listed below as CSPs. This service is only available via the Wireless Operator Interface.
· Change all Settings: This service allows the authenticated user to change the value of all device settings, including all CSPs. This service is only available via the Wireless Operator Interface.
· Show Status via Wireless Operator Interface: This service allows the authenticated user to view the operational status of the device. This service is only available via the Wireless Operator Interface.
· Clear Status Log: This service allows the authenticated user to reset all device status variables.
This service is only available via the Wireless Operator Interface.
· Initiate Bypass Mode: This service allows the user to change settings that force the device to pass data received on the Trusted and Untrusted Interfaces through the module without encrypting or decrypting the data.

Role: Operator
The Operator role is only available on the wireless interface. This role shall provide all of the services necessary to program all non-sensitive SEL-3021 settings. The Operator role will not have access to sensitive settings, including all cryptographic security parameters (CSPs). In addition, the Operator role can view all non-sensitive settings and all device status variables.

Authorized Services:
· Initiate Operator Session on the Wireless Operator Interface: This service opens an authenticated Operator role session on the wireless operator interface.
· View Non-Critical Settings: This service allows the authenticated user to view all device settings that do not compromise the security of the network. This service is only available via the Wireless Operator Interface.
· Change Non-Critical Settings: This service allows the authenticated user to change the value of all device settings that do not compromise the security of the network. This service is only available via the Wireless Operator Interface.
· Show Status via Wireless Operator Interface: See above.
· Clear Status Log: See above.

Role: Remote Device (User)
This role shall provide all of the services necessary for the secure, reliable transport of data over an insecure network.

Authorized Services:
· Initiate Remote Device Session on the Untrusted Interface: This service opens an authenticated Remote Device role session on the Untrusted interface.
· Encrypt User Data: This service AES encrypts data passed into the cryptographic module from the Trusted Interface. The encrypted data is then transmitted on the Untrusted Interface.
· Decrypt User Data: This service AES decrypts data passed into the cryptographic module from the Untrusted Interface. The decrypted data is then transmitted on the Trusted Interface.
· Encrypt Management Data: This service encrypts session keys (using the AES key wrap algorithm). The encrypted management frames are then transmitted on the Untrusted Interface.
· Decrypt Management Data: This service decrypts session keys received on the Untrusted Interface (using the AES key wrap algorithm).

Unauthenticated Services

The SEL-3021 cryptographic module supports the following unauthenticated services:
· Show status via LED: This service provides the current status of the cryptographic module.
· Self-tests: This service executes the suite of self-tests required by FIPS 140-2 via a power-cycle.
· Zeroize: This service actively destroys all plaintext critical security parameters stored in the module. The zeroize service is activated via the reset button.

Definition of Critical Security Parameters (CSPs)

The following are CSPs contained in the module:

Security Officer Encryption Key: Used during the Security Officer authentication and session key exchange handshake process.
Security Officer Authentication Key: Used during the Security Officer authentication and session key exchange handshake process.
Security Officer Password: Used during the Security Officer authentication and session key exchange handshake process.
Operator Encryption Key: Used during the Operator authentication and session key exchange handshake process.
Operator Authentication Key: Used during the Operator authentication and session key exchange handshake process.
Operator Password: Used during the Operator authentication and session key exchange handshake process.
Wireless Session Encryption Key: Used to encrypt wireless interface data during Security Officer or Operator role sessions on the Wireless Operator Interface (after authentication and session key exchange handshake).
Wireless Session Authentication Key: Used to authenticate wireless interface frames during Security Officer or Operator role sessions on the Wireless Operator Interface (after authentication and session key exchange handshake).
System Encryption Key: Used to encrypt all control frames (out-of-band frames) transmitted over the Untrusted Interface (including the Remote Device authentication handshake and session key exchange frames).
Data Session Encryption/Decryption Key: Used to encrypt user data frames (in-band frames) transmitted over the Untrusted Interface (after Remote Device authentication and key exchange).
DRNG State: State maintained by the FIPS 186-2 DRNG.
DRNG Seed Key: Key used to seed the FIPS 186-2 DRNG.

Definition of CSPs Modes of Access

Table 6 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as follows:

G: Generate
S: Set
U: Use
D: Delete

Table 6 - CSP Access Rights within Roles & Services

Each entry gives the service, the role(s) authorized to use it in brackets (Security Officer, Operator or Remote Device), and the CSP access operations the service performs.

Initiate Security Officer Session on the Wireless Operator Interface [Security Officer]:
  U - Security Officer Encryption Key
  U - Security Officer Authentication Key
  U - Security Officer Password
  G - Wireless Session Encryption Key
  G - Wireless Session Authentication Key

Initiate Operator Session on the Wireless Operator Interface [Operator]:
  U - Operator Encryption Key
  U - Operator Authentication Key
  U - Operator Password
  G - Wireless Session Encryption Key
  G - Wireless Session Authentication Key

View all Settings Except CSPs [Security Officer]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

View Non-Critical Settings [Security Officer, Operator]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

Change all Settings [Security Officer]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key
  S - Security Officer Encryption Key
  S - Security Officer Authentication Key
  S - Security Officer Password
  S - Operator Encryption Key
  S - Operator Authentication Key
  S - Operator Password
  S - System Encryption Key

Change Non-Critical Settings [Security Officer, Operator]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

Show Status via Wireless Operator Interface [Security Officer, Operator]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

Clear Status Log [Security Officer, Operator]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

Initiate Bypass Mode [Security Officer]:
  U - Wireless Session Encryption Key
  U - Wireless Session Authentication Key

Initiate Remote Device Session on the Untrusted Interface [Remote Device]:
  U - System Encryption Key
  G - Data Session Encryption Key

Encrypt User Data [Remote Device]:
  U - Data Session Encryption Key

Decrypt User Data [Remote Device]:
  U - Data Session Encryption Key

Encrypt Management Data [Remote Device]:
  U - System Encryption Key

Decrypt Management Data [Remote Device]:
  U - System Encryption Key

7. Operational Environment

The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the SEL-3021 does not contain a modifiable operational environment.

8. Security Rules

The SEL-3021 cryptographic module's design corresponds to the module's security rules. This section documents the security rules enforced by the SEL-3021 to implement the security requirements of this FIPS 140-2 Level 2 module.

1. The cryptographic module provides three distinct operator roles. These are the Security Officer role, the Operator role, and the Remote Device role.
2. The cryptographic module provides role-based authentication.
3. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
4. The cryptographic module encrypts message traffic using the AES algorithm.
5. The cryptographic module performs the following tests:
   A. Power-up Self-Tests:
      1. Cryptographic algorithm tests:
         a. AES (ECB, CTR and CBC) Known Answer Test
         b. AES Key Wrap Known Answer Test
         c. DRNG (FIPS 186-2) Known Answer Test
         d. HMAC-SHA-1 Known Answer Test
         e. SHA-1 Known Answer Test
      2. Software Integrity Test: CRC calculated over the program image. If the calculated CRC value does not match the value in FLASH, the device declares a FLASH failure and disables itself.
      3. Settings Integrity Test: CRC calculated over the settings image. If the calculated CRC value does not match the value in FLASH, the device declares a FLASH failure and disables itself.
   B.
   Conditional Self-Tests:
      1. Continuous Random Number Generator Test (the RNG test is performed on both the NDRNG and the DRNG): This test compares the last 32-bit NDRNG (160-bit for DRNG) output with the current 32-bit NDRNG (160-bit for DRNG) output. If the two values are equal, there are two further attempts to generate a different (N)DRNG output. If all three attempts fail, the device declares an (N)DRNG failure and the device is disabled.
      2. Bypass Mode Test (performed when the module goes from bypass mode to secure mode, or from secure mode to bypass mode): Known answer test on the entire encrypt and decrypt data paths.
   C. Critical Functions Tests:
      1. Runtime SDRAM Failure Tests: Read and write tests are performed on the system SDRAM. This continuously checks the SDRAM address space during runtime. If an error is detected, the device declares a RAM failure and disables itself.
6. At any time the operator is capable of commanding the module to perform the power-up self-tests by power-cycling the module.
7. Prior to each use, the internal RNG shall be tested using the conditional test specified in FIPS 140-2 §4.9.2.
8. Data output is inhibited during self-tests, zeroization, and error states, and is logically separate from the key generation process.
9. Status information does not contain CSPs or sensitive data that, if misused, could lead to a compromise of the module.
10. The module does not support multiple concurrent operators via the wireless operator interface. The module maintains logical separation of multiple, concurrent Remote Devices (Users) by maintaining a unique identification field for each User.
11. The module supports a bypass mode that requires two independent internal actions to activate. An operator can obtain the bypass status of the module via the LED or via the system diagnostics option on the wireless operator interface.
12. Upon power-cycle, the module clears all previous authentications. The authentication procedure is reset and must be re-established.
13. The CSPs and authentication data are physically and logically protected from unauthorized disclosure, modification, and substitution, as they are not accessible to unauthenticated users from outside of the module boundary.

9. Physical Security Policy

Physical Security Mechanisms

The SEL-3021 multi-chip standalone cryptographic module includes the following physical security mechanisms:
· Production-grade components entirely enclosed within an opaque enclosure. The enclosure cannot be penetrated without causing tamper evidence via the tamper-evident labels. The enclosure is sonically welded to prevent undetected access.

Operator Required Actions

The operator is required to periodically inspect the enclosure for tamper evidence.

10. Mitigation of Other Attacks Policy

The module has not been designed to mitigate any attacks outside of the scope of FIPS 140-2.

11. References

12. Definitions and Acronyms

14. Secure Delivery and Operation

The security of the SEL-3021 cannot be assured if the device is received from the factory with evidence of tampering. If the shipping packaging or the tamper-evident seal on the SEL-3021 shows signs of tampering, contact an SEL customer service representative.
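The false-acceptance figures in Table 3 (Section 5) can be reproduced and checked against the FIPS 140-2 limits with the following Python script. It is an added example, not part of this security policy or SEL's own analysis: the search-space sizes, attempt rates and the 92-character alphabet are taken from Table 3; the function names and the contrasting four-digit-PIN case are constructed here; the 1/1,000,000 single-attempt and 1/100,000 per-minute limits are those of FIPS 140-2 section 4.3.3.

```python
"""False-acceptance analysis for the SEL-3021 authentication mechanisms
(Table 3 of the security policy), checked against the FIPS 140-2 section
4.3.3 limits.  Added illustration, not SEL code: the mechanism parameters
are transcribed from Table 3, the function names are constructed here."""

from fractions import Fraction

# FIPS 140-2 section 4.3.3 limits: a single random attempt must succeed
# with probability below 1/1,000,000, and all attempts possible within one
# minute must succeed with probability below 1/100,000.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
ONE_MINUTE_LIMIT = Fraction(1, 100_000)

PRINTABLE_ASCII = 92      # alphabet size used by the policy's analysis
MIN_PASSWORD_LEN = 6      # shortest password Table 2 permits


def single_attempt_probability(*search_spaces):
    """Probability that one random guess authenticates.

    Every CSP must be right at once and the module gives no per-CSP
    feedback, so the spaces multiply (the policy's independence assumption).
    Exact rational arithmetic avoids underflow on 2**256-sized spaces.
    """
    total = 1
    for size in search_spaces:
        total *= size
    return Fraction(1, total)


def one_minute_probability(p_single, attempts_per_second):
    """Upper bound on success within one minute at the given attempt rate."""
    return min(Fraction(1), p_single * attempts_per_second * 60)


def evaluate(search_spaces, attempts_per_second):
    """Return both probabilities and whether each FIPS 140-2 limit is met."""
    p1 = single_attempt_probability(*search_spaces)
    p60 = one_minute_probability(p1, attempts_per_second)
    return {
        "single": p1,
        "minute": p60,
        "single_ok": p1 < SINGLE_ATTEMPT_LIMIT,
        "minute_ok": p60 < ONE_MINUTE_LIMIT,
    }


# Table 3, row 1: Security Officer / Operator -- 128-bit AES key, 128-bit
# HMAC key and a six-character password, at the policy's 1000 guesses/s.
SO_OPERATOR = evaluate((2**128, 2**128, PRINTABLE_ASCII**MIN_PASSWORD_LEN), 1000)

# Table 3, row 2: Remote Device -- the 128-bit System Encryption Key, one
# dialog every 0.02 s, i.e. 50 per second (3000 per minute).
REMOTE_DEVICE = evaluate((2**128,), 50)

# Constructed contrast (not in the policy): a four-digit PIN on its own
# fails the single-attempt limit outright, whatever the attempt rate.
WEAK_PIN = evaluate((10**4,), 1)


if __name__ == "__main__":
    for name, result in (("SO/Operator", SO_OPERATOR),
                         ("Remote Device", REMOTE_DEVICE),
                         ("4-digit PIN", WEAK_PIN)):
        print(f"{name:14s} single={float(result['single']):.2e} "
              f"minute={float(result['minute']):.2e} "
              f"ok={result['single_ok'] and result['minute_ok']}")
```

Both of the policy's mechanisms clear the limits by a wide margin; the script is mainly useful when a mechanism is changed (shorter minimum password, a higher baud rate and hence a higher attempt rate), since the per-minute bound is the one that moves with the attempt rate.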
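The continuous random number generator test described in Section 8, rule 5.B.1, can be modelled as follows. This is an added Python illustration, not SEL firmware: the ContinuousRngTest class, the `source` callable and the sample output sequences are constructed here; the 32-bit and 160-bit block widths and the three-attempt rule come from the policy; holding back the first block after power-up is the FIPS 140-2 section 4.9.2 convention rather than something the policy states.

```python
"""Continuous RNG conditional self-test, modelled on Section 8, rule 5.B.1
of the SEL-3021 security policy.  Added illustration, not SEL firmware:
class names, the source callable and the sample sequences are constructed."""


class RngFailure(Exception):
    """Raised when the (N)DRNG fails its continuous test; the device is disabled."""


class ContinuousRngTest:
    """Wrap a raw generator and apply the compare-with-previous test.

    width_bits is 32 for the NDRNG and 160 for the DRNG, as the policy
    states.  retries=2 gives the "two further attempts" after an equal
    pair, i.e. three attempts in total before failure is declared.
    """

    def __init__(self, source, width_bits, retries=2):
        self.source = source          # callable returning one raw output (int)
        self.width_bits = width_bits
        self.retries = retries
        self.last = None              # previous output kept for comparison
        self.failed = False           # once set, no further output is released

    def _draw(self):
        value = self.source()
        # Reject anything that is not a width_bits-sized block; a source
        # feeding wrong-sized data would silently weaken the comparison.
        if not isinstance(value, int) or value < 0 or value >> self.width_bits:
            raise ValueError(f"raw output is not a {self.width_bits}-bit block")
        return value

    def next_output(self):
        """Return the next tested block, or raise RngFailure and disable."""
        if self.failed:
            # Rule 8: output stays inhibited while in the error state.
            raise RngFailure("(N)DRNG failure: device disabled")
        if self.last is None:
            # FIPS 140-2 4.9.2 convention (assumption, not stated in the
            # policy): the first block after power-up is held back and only
            # serves as the reference for the first comparison.
            self.last = self._draw()
        for _attempt in range(1 + self.retries):
            candidate = self._draw()
            if candidate != self.last:
                self.last = candidate
                return candidate
        # All three attempts repeated the previous block.
        self.failed = True
        raise RngFailure("(N)DRNG failure: device disabled")


def run_sequence(raw_outputs, width_bits):
    """Drive the test over a constructed list of raw outputs.

    Returns (released_outputs, failed) so the behaviour can be checked
    without a real noise source.
    """
    it = iter(raw_outputs)
    tester = ContinuousRngTest(lambda: next(it), width_bits)
    released = []
    try:
        while True:
            released.append(tester.next_output())
    except StopIteration:
        pass                          # constructed source exhausted
    except RngFailure:
        pass                          # error state reached
    return released, tester.failed


if __name__ == "__main__":
    # NDRNG, 32-bit blocks: one repeat is tolerated, three in a row are not.
    print(run_sequence([0x1234, 0x1234, 0x5678, 0x9ABC], 32))  # ([0x5678, 0x9ABC], False)
    print(run_sequence([7, 7, 7, 7], 32))                      # ([], True)
    # DRNG, 160-bit blocks.
    print(run_sequence([1 << 159, (1 << 159) + 1], 160))       # ([(1 << 159) + 1], False)
```

The point the model makes visible is that a single repeated block is not itself a failure: the retry budget absorbs it, and only three consecutive repeats of the previous output put the generator, and with it the device, into the disabled state from which no further output is released.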