Reflection Security Component for Java FIPS 140-2 Security Policy, version 1.21 29 July 2005 © WRQ, Inc. All rights reserved. May be reproduced only in its original entirety [without revision]. table of contents 1 Module Overview.................................................................................................... 3 2 Security Level ......................................................................................................... 6 3 Identification and Authentication Policy .................................................................. 7 4 Access Control Policy ............................................................................................. 9 4.1 Roles and Services........................................................................................... 9 4.2 Definition of Cryptographic Keys and Critical Security Parameters ............... 12 4.3 Definition of CSPs Modes of Access ............................................................. 15 4.3.1 Access Operations.................................................................................. 15 4.3.2 Services and Access Operations ............................................................. 17 5 Security Rules ....................................................................................................... 18 6 Non-Approved Mode of Operation ........................................................................ 21 6.1 Client Private Key Distribution...................................................................... 21 6.2 DES............................................................................................................... 21 6.3 SSL ............................................................................................................... 21 6.4 Short Keys..................................................................................................... 21 7 Physical Security Policy ........................................................................................ 22 8 Mitigation of Other Attacks ................................................................................... 23 9 Acronym List ........................................................................................................ 24 10 References......................................................................................................... 25 1 Module Overview Reflection Security Component for Java is a software component that provides data encryption and integrity services through its implementation of the SSL/TLS protocols for secure communication over TCP/IP networks. Its primary use is as a building block in software systems that require such services. It provides data input and output, control input, and status output logical interfaces via a Java-based Application Programming Interface. Interface separation is provided and enforced through single-purpose, type- checked, minimally-scoped API methods and parameters. For FIPS 140-2 classification purposes the module is considered to be a "multi-chip standalone module." The module may be used for implementation of SSL/TLS clients, SSL/TLS servers, or both. Server authentication and client authentication are supported. All data are encrypted over the SSL/TLS connection using AES, DES or Triple-DES ciphers. A typical implementation of a system for end-to-end encryption employs one instance of the module as a client and another instance of the module as a server. Client and server negotiate a secure connection, after which plaintext data written to the data input interface of one module instance are encrypted for transport over the network, then decrypted for reading as plaintext through the data output interface of the second module instance. The module also fully supports interoperability as a client or server with other implementations of the SSL/TLS protocol. The module supports both an Approved and a non-Approved mode of operation. In Approved mode the module performs power-up self-tests, operator authentication, enforces Level 1 or Level 2 security requirements, and prohibits the use of SSL. This Security Policy applies to both Level 1 and Level 2 operation of the module. The mode of operation and enforcement level are selected at power-up (module instantiation) and are in effect for the lifetime of the instance. Approved mode is selected by providing a value of true for the inApprovedMode argument of the module's TLSModule constructor. The security level is selected by providing a value of FIPS140_LEVEL_1 or FIPS140_LEVEL_2 for the inEnforcedSecurityLevel argument of the module's TLSModule constructor. The module indicates whether it is in an Approved mode of operation and the enforced security level when the operator invokes the Show Status service. The module supports the following cryptographic algorithms in both modes of operation: a. AES b. DES (for use with legacy systems only; transitional phase only ­ valid until May 19, 2007) c. Triple-DES d. RSA encryption (for use with the TLS key establishment protocol only) e. RSA PKCS#1 digital signature f. DSA digital signature g. SHA-1 h. MD5 (for use with the TLS key establishment protocol only) i. HMAC-SHA-1 j. Diffie-Hellman (for use with the TLS key establishment protocol only) k. FIPS 186-2 Appendix 3.1 PRNG 3 l. HMAC-MD5 (for use with the TLS key establishment protocol only) Operation in Approved mode at Level 2 is permitted when the module is installed on a tested hardware and software configuration that includes a Common Criteria evaluated operating system. Operation in Approved mode at Level 1 is permitted when the module is installed on any tested hardware and software configuration, or on any hardware and software configuration on which the module executes without modification. Reflection Security Component for Java has been tested on the following systems: · Dell Optiplex GX 400 running Microsoft Windows 2000 Professional with SP3 and Q326886 Hotfix and Sun Microsystems Java Runtime Environment version 1.4.1. This configuration meets Level 2 security requirements. Additional information is available in the validation report at http://niap.nist.gov/cc- scheme/st/ST_VID4002-VR.pdf. · HP Proliant ML 330 running Microsoft Windows 2000 Server with SP3 and Q326886 Hotfix and Sun Microsystems Java Runtime Environment version 1.4.1. This configuration meets Level 2 security requirements. Additional information is available in the validation report at http://niap.nist.gov/cc- scheme/st/ST_VID4002-VR.pdf. · Apple Power Macintosh G4 running Mac OS X 10.3.5 and Apple Java Runtime Environment 1.4.2. 4 Figure 1-1 is a block diagram illustrating the cryptographic module, its relationships to other components, and the cryptographic boundaries. The cryptographic module includes Reflection Cryptographic Library for Java (RCLJ) which implements the validated cryptographic algorithms. The logical cryptographic boundary is denoted by the dotted blue line. The cryptographic module client component outside the logical boundary illustrates the means by which the module may be used to secure data over a network. The physical cryptographic boundary is denoted by the dotted red line. Figure 1-1: module block diagram 5 2 Security Level The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2 when installed on a tested hardware and software configuration that includes a Common Criteria evaluated operating system, and Level 1 otherwise. It has been tested in both Level 1 and Level 2 operating environments and can be configured to enforce either Level 1 or Level 2 requirements. The following table identifies the level attained for each security requirements section. Table 2-1: Module Security Level Specification Security Requirements Section Level 2 Level 1 environment environment Cryptographic Module Specification 3 3 Module Ports and Interfaces 2 1 Roles, Services, and Authentication 2 2 Finite State Model 2 1 Physical Security N/A N/A Operational Environment 2 1 Cryptographic Key Management 2 1 EMI/EMC 3 3 Self-Tests 2 1 Design Assurance 3 3 Mitigation of Other Attacks N/A N/A 6 3 Identification and Authentication Policy The cryptographic module shall support a User operator role and a Cryptographic Officer operator role. The module shall support role-based authentication. Only one role at a time shall be active. The module shall not allow concurrent operators. The module shall not support a maintenance role. The User role permits access to basic TLS services: opening sockets, reading and writing data, etc. It also permits access to a set of services for basic module operation: power management, status reporting, etc. The Cryptographic Officer role permits access to services for configuring and testing the module: generating and importing cryptographic keys and certificates, executing self tests, etc. It also permits access to a set of services for basic module operation: power management, status reporting, etc. The module supports role-based authentication through digital signatures. In order to instantiate the module for the purpose of invoking services the operator (a programmatic entity, e.g. a WRQ, Inc. application or other WRQ-authorized application) must supply to the module a digitally signed value derived from its executable bytecode. The module computes this value independently by examining the bytecode of the caller, and ensures that it matches the digitally signed value. Module instantiation will succeed only in the event that this WRQ-signed bytecode is authenticated. Operator code must implement one or more tagging interfaces identifying the roles for which it has been authorized. Module services will refuse to execute if they are not permitted for the roles implemented by the instantiating operator. Operator code that requires User role services must implement the com.wrq.fipsmodule.roles.IFipsUserRole interface. Operator code that requires Cryptographic Officer services must implement the com.wrq.fipsmodule.roles.IFipsCryptoOfficerRole interface. The public key corresponding to the private key used to sign the authentication data is stored within the module. The digital signature algorithm used by the signing certificate may be either RSA or DSA. There is no method of manual data entry for purposes of authentication. If an attempt is made to instantiate the module with incorrect authentication data then the module throws an exception following a one second delay. This exception contains no sensitive data that could weaken the strength of the authentication method. No authentication state survives power cycling. The digital signature employs a 20 byte SHA-1 hash, or 2160 discrete values. A single authentication attempt therefore has approximately a 1 in 2160 chance of false acceptance. The module operator authentication process delays for one second before responding to a 7 failed authentication attempt, preventing more than one attempt per second. The Java synchronization mechanism is employed during the delay to prevent a multithreaded attack. The chance of a false acceptance in the period of one second is therefore equal to the chance of any single attempt resulting in false acceptance. The chances of a false acceptance in the period of one minute are therefore 60 in 2160. 8 4 Access Control Policy 4.1 Roles and Services The User role has no access to cryptographic parameters or keys. All services are programmatically invoked through a Java-based Application Programming Interface. The following services are available to operators in the User role: Open Connection ­ This service opens an SSL/TLS connection. The operator supplies an open socket over which SSL/TLS negotiation will occur and SSL/TLS configuration parameters. The service returns an instance of a socket which has been secured with SSL/TLS. This service makes use of DSA signature, RSA signature, RSA encryption, Diffie-Hellman key establishment, SHA-1, MD5, HMAC, and PRNG security functions. The PRNG implements a FIPS 186 approved algorithm. Key establishment has at least 80 bits of strength. Close Connection ­ This service closes an SSL/TLS connection. The operator supplies a socket created by the Open Connection service. Export Keys - This service exports one or more public key certificates from a PKCS #12 keystore. The operator provides the type of key, the key's alias, and a destination file specification. Certificates can be written to a file or returned directly to the caller of the API. The operator or an interactive user supplies passphases for encrypted keystores. This service makes use of Triple-DES security functions for managing encrypted PKCS #12 keystores. This encryption is not used to fulfill any FIPS requirements and for the purposes of FIPS 140-2 the keystores are considered to be plaintext. Power-Down - This service shuts down the module, performing any necessary zeroization. This service does not make use of any security functions. Preflight ­ This service is used to instruct an instance of the module to acquire keystore passphrases for subsequent use. The operator specifies the type of keystore. Read Data ­ This service receives encrypted data from an SSL/TLS socket and decrypts it. The operator provides a buffer into which the service stores the plaintext. This service makes use of AES and DES or Triple-DES decryption security functions. Show Status ­ This service presents the status of the module through a logging facility, by setting properties which may be accessed programmatically by the operator, and by direct return of results to API method calls. This service does not use any security functions. Write Data ­ This service encrypts data and transmits the encrypted data over an SSL/TLS socket. The operator provides a buffer of plaintext data for encryption and transmission. This service makes use of AES and DES or Triple-DES encryption security functions. 9 The following services are available to operators in the Cryptographic Officer role: Delete Keys - This service deletes a key entry (public key or public/private keypair) from a module keystore. The operator provides the type of key and the key's alias. The operator or an interactive user supplies passphases for encrypted keystores. This service makes use of Triple-DES security functions for managing encrypted PKCS #12 keystores. This encryption is not used to fulfill any FIPS requirements and for the purposes of FIPS 140-2 the keystores are considered to be plaintext. Enter Keys - This service imports a public key or public/private key pair from a keystore within the physical boundary and adds it to a module keystore. The operator or an interactive user supplies passphases for encrypted keystores. This service makes use of Triple-DES security functions for managing encrypted PKCS #12 keystores. This encryption is not used to fulfill any FIPS requirements and for the purposes of FIPS 140-2 the keystores are considered to be plaintext. Export Keys - This service exports one or more public key certificates from a PKCS #12 keystore. The operator provides the type of key, the key's alias, and a destination file specification. Certificates can be written to a file or returned directly to the caller of the API. The operator or an interactive user supplies passphases for encrypted keystores. This service makes use of Triple-DES security functions for managing encrypted PKCS #12 keystores. This encryption is not used to fulfill any FIPS requirements and for the purposes of FIPS 140-2 the keystores are considered to be plaintext. Generate Keys - This service generates public/private key pairs, saving the private key and public key certificate in a module keystore. The operator supplies all pertinent certificate data and the type of key. The operator or an interactive user supplies passphases for encrypted keystores. This service makes use of RSA and DSA signature, PRNG, and Triple-DES security functions. The PRNG implements a FIPS 186 approved algorithm. This encryption is not used to fulfill any FIPS requirements and for the purposes of FIPS 140-2 the keystores are considered to be plaintext. Manage Keystores - This service returns keystore passphrases to the operator or modifies passphrases of existing keystores. The operator specifies the type of keystore. Perform Self-Tests - This service initiates the power-up self-tests. This service makes use of all security functions supported by the module. Power-Down - This service shuts down the module, performing any necessary zeroization. This service does not make use of any security functions. Preflight ­ This service is used to instruct an instance of the module to acquire keystore passphrases for subsequent use. The operator specifies the type of keystore. Show Status ­ This service presents the status of the module through a logging facility, by setting properties which may be accessed programmatically by the 10 operator, and by direct return of results to API method calls. This service does not use any security functions. Zeroize - This service zeroizes all cryptographic keys and critical security parameters in both volatile memory and the nonvolatile keystore. This service does not make use of any security functions. Keys are segregated into distinct keystores for client keys, server keys, CA root certificates, and trusted certificates. The services involving keystores require the operator to specify one of those types. 11 4.2 Definition of Cryptographic Keys and Critical Security Parameters The following table lists the critical security parameters, including secret and private cryptographic keys, contained in the module. Table 4-1: Critical Security Parameters Critical Security Parameter Description An instance of the module acting as an authenticated SSL/TLS client must have access to its private key to encrypt authentication data during the SSL/TLS SSL/TLS client private key handshake. RSA keys between 512 and 2048 bits in length or DSA keys between 512 and 1024 bits in length may be used. In Approved mode RSA keys of less than 1024 bits may not be used. An instance of the module acting as an SSL/TLS server must have access to its private key to decrypt data encrypted by the client with the server's public key during the SSL/TLS handshake. RSA keys SSL/TLS server private key between 512 and 2048 bits in length or DSA keys between 512 and 1024 bits in length may be used. In Approved mode RSA keys of less than 1024 bits may not be used. SSL/TLS client keystore Passphrase with which the PKCS #12 keystore passphrase containing client key entries is protected. SSL/TLS server keystore Passphrase with which the PKCS #12 keystore passphrase containing server key entries is protected. CA root certificate keystore Passphrase with which the PKCS #12 keystore passphrase containing CA root certificates is protected. SSL/TLS client trusted Passphrase with which the PKCS #12 keystore certificate keystore passphrase containing trusted public key certificates for an SSL/TLS client is protected. SSL/TLS server trusted Passphrase with which the PKCS #12 keystore certificate keystore passphrase containing trusted public key certificates for an SSL/TLS server is protected. DH public/private keys between 512 and 2048 bits in length are used for key exchange and session key Diffie-Hellman private keys generation during the SSL/TLS handshake. In Approved mode DH keys of less than 1024 bits may not be used. Passphrase with which dynamically delivered PKCS dynamic SSL/TLS client #12 keystore containing client keys has been keystore passphrase protected. Session keys are used for encryption and decryption SSL/TLS session key of transmitted data using AES (128-bit or 256-bit key), DES (56-bit key), and Triple-DES (168-bit key) ciphers. 12 ciphers. HMAC keys are used for authentication of SSL/TLS HMAC key transmitted session data. The key size is the same as the SSL/TLS session key size. master secret The master secret is used for session key and message initialization vector generation. message initialization vector (IV) The cipherwith aby each IV. initialized used unique SSL/TLS socket is PRNG state The internal state of the pseudo random number generator. The following table lists the public cryptographic keys contained in the module. Table 4-2: Public Cryptographic Keys Cryptographic Key Description CA root certificate Certificate Authority root certificates are used in establishing the validity of other public key certificates. trusted certificate Trusted certificates are used in establishing the validity of other public key certificates. RSA keys between 512 and 2048 bits in length or DSA keys between 512 and 1024 bits in length may be used. In Approved mode RSA keys of less than 1024 bits may not be used. An instance of the module acting as an SSL/TLS server must provide a certificate containing its public key for server authentication during the SSL/TLS handshake. An instance of the module acting as an SSL/TLS client receives a server's public key and uses it for SSL/TLS server authentication and encryption during the SSL/TLS handshake. RSA keys between 512 and 2048 bits in length or DSA keys between 512 and 1024 bits in length may be used. In Approved mode RSA keys of less than 1024 bits may not be used. An instance of the module acting as an SSL/TLS client must provide a certificate containing its public key for client authentication during the SSL/TLS handshake if the server is configured for client authentication. SSL/TLS client An instance of the module acting as an SSL/TLS server receives a client's public key and uses it for authentication during the SSL/TLS handshake. 13 RSA keys between 512 and 2048 bits in length or DSA keys between 512 and 1024 bits in length may be used. In Approved mode RSA keys of less than 1024 bits may not be used. DH keys between 512 and 2048 bits in length are used for key exchange and session key generation during the Diffie-Hellman public keys SSL/TLS handshake. In Approved mode DH keys of less than 1024 bits may not be used. WRQ signing certificate The module must have access to the public key of the WRQ signing certificate for authentication of digitally signed operator code. This is a 2048-bit RSA key. 14 4.3 Definition of CSPs Modes of Access 4.3.1 Access Operations Cryptographic keys and critical security parameters are accessed during the performance of a number of module services. The access operations are defined below, including the type of access (in bold type) for each key and CSP. Refer to Section 4.2 for definitions of the keys and CSPs. Authenticate Client: This operation reads the SSL/TLS client public key and SSL/TLS client private key and uses them to authenticate a client to a server. This operation is optionally performed when an SSL/TLS socket is created. Authenticate Server: This operation reads the SSL/TLS server public key and SSL/TLS server private key uses them to authenticate a server to a client. This operation is performed when an SSL/TLS socket is created. Create IV: This operation creates and writes the message initialization vector that will be used to initialize a cipher. This operation is performed when an SSL/TLS socket is created. Create Master Secret: This operation creates and writes the master secret used for generating session keys and initialization vectors. This operation is performed when an SSL/TLS socket is created. Decrypt Data: This operation reads the SSL/TLS session key and uses it to decrypt data received from an SSL/TLS connection. Delete Key: This operation erases an SSL/TLS client private key or SSL/TLS server private key from a keystore. Destroy Diffie-Hellman Keys: This operation erases the Diffie-Hellman keys for an SSL/TLS socket. This operation is performed when the master secret is generated. Destroy HMAC Key: This operation erases the SSL/TLS HMAC key for an SSL/TLS socket. This operation is performed when the socket is closed. Destroy IV: This operation erases the message initialization vector for an initialized encryption algorithm. This operation is performed when cipher initialization is completed. Destroy Keystore Passphrase: This operation erases an SSL/TLS client keystore passphrase, SSL/TLS server keystore passphrase, trusted certificate keystore passphrase, or CA root certificate keystore passphrase stored within the module. Destroy Master Secret: This operation erases the master secret for an SSL/TLS socket. This operation is performed when an SSL/TLS handshake is completed. Destroy Nonvolatile Keys: This operation erases all cryptographic keys and critical security parameters in nonvolatile storage within the module. This operation is performed on command of the Crypto Officer. Destroy Session Key: This operation erases the SSL/TLS session key for an SSL/TLS 15 socket. This operation is performed when the socket is closed. Destroy Volatile Keys: This operation erases all cryptographic keys and critical security parameters in volatile storage within the module. This operation is performed during power-down or on command of the Crypto Officer. Encrypt Data: This operation reads the SSL/TLS session key and uses it to encrypt data for transmission over an SSL/TLS connection. Generate Diffie-Hellman Keys: This operation generates and writes the Diffie- Hellman public/private keys used for session key establishment. This operation is performed when an SSL/TLS socket is created. The PRNG implements a FIPS 186 approved algorithm. Generate HMAC Key: This operation establishes through SSL/TLS and writes the SSL/TLS HMAC key for authenticating SSL/TLS connection data. This operation is performed when an SSL/TLS socket is created. The PRNG used in this operation implements a FIPS 186 approved algorithm. Generate Random Number: This operation reads and writes the PRNG state. The PRNG implements a FIPS 186 approved algorithm. Generate Session Key: This operation establishes through SSL/TLS and writes the SSL/TLS session key for encrypting and decrypting SSL/TLS connection data. This operation is performed when an SSL/TLS socket is created. The PRNG used in this operation implements a FIPS 186 approved algorithm. Generate Server Keys: This operation generates and writes the SSL/TLS server private key and corresonding self-signed public key certificate for an SSL/TLS server. The PRNG implements a FIPS 186 approved algorithm. Initialize Cipher: This operation reads the SSL/TLS session key and message initialization vector and uses them to initialize the cipher for SSL/TLS data encryption and decryption. This operation is performed when an SSL/TLS socket is created. Load Key: This operation reads an SSL/TLS client private key or SSL/TLS server private key from nonvolatile storage within the module. Load Keystore Passphrase: This operation reads the SSL/TLS client keystore passphrase, SSL/TLS server keystore passphrase, CA root certificate keystore passphrase, or trusted certificate keystore passphrase from an operator-supplied service or a locally attached keyboard. Store Key: This operation writes the SSL/TLS server private key or SSL/TLS server private key and corresponding public keys to nonvolatile storage within the module. 16 4.3.2 Services and Access Operations The following table defines the relationships between module services defined in Section 4.1, the keys and the access operations defined in Section 4.3.1. Table 4-3: Access Operations for Services Service Access Operation(s) Close Connection Destroy HMAC Key Destroy Session Key Delete Keys Delete Key Load Keystore Passphrase Enter Keys Load Keystore Passphrase Store Key Export Keys Load Keystore Passphrase Generate Random Number Generate Keys Generate Server Keys Load Keystore Passphrase Store Key Authenticate Client Authenticate Server Create IV Destroy Diffie-Hellman keys Destroy IV Destroy Master Secret Open Connection Generate HMAC Key Generate Master Secret Generate Random Number Generate Session Key Initialize Cipher Load Key Load Keystore Passphrase Perform Self-Tests N/A Power-Down Destroy Volatile Keys Preflight Load Keystore Passphrase Read Data Decrypt Data Show Status N/A Write Data Encrypt Data Destroy Nonvolatile Keys Zeroize Destroy Volatile Keys 17 5 Security Rules The following rules are enforced by the cryptographic module in order to implement FIPS 140-2 Level 1 and 2 security requirements. 1. The design of the cryptographic module shall correspond to these security rules. 2. The cryptographic module shall provide two distinct operator roles. These are the User role and the Cryptographic Officer role. 3. The cryptographic module shall provide role-based authentication. 4. An operator may be authorized for one or both roles. 5. At power-up (cryptographic module instantiation) the cryptographic module instance shall be instructed to assume either non-Approved or Approved mode of operation. 6. The cryptographic module shall not permit instantiation in Approved mode unless the operator has been authenticated. 7. The cryptographic module instance shall not perform any service for which the operator is not authorized. 8. The cryptographic module instance shall remain in the non-Approved or Approved mode of operation determined at power-up until power-down. 9. The cryptographic module instance shall indicate whether it is in non-Approved or Approved mode via the status output interface. 10. At power-up the cryptographic module instance shall be instructed to enforce Level 1 or Level 2 security requirements if operating in Approved mode. 11. The cryptographic module instance shall enforce the Level 1 or Level 2 security requirements determined at power-up until power-down. 12. If the cryptographic module instance has been instructed to enforce Level 2 security requirements then it shall not permit instantiation unless an approved operating environment audit mechanism is available. The tested Level 2 operating environment is Microsoft Windows 2000 Server with SP3 and Q326886 Hotfix. 13. If the cryptographic module instance has been instructed to operate in its Approved mode of operation then it shall establish only TLS connections and refuse to establish SSL connections. 14. When the cryptographic module instance is in Approved mode the DES cipher shall be used only for compatibility with legacy systems and may not be used with new systems. 15. Upon cryptographic module instance power-down the cryptographic module instance shall zeroize all memory-resident cryptographic keys and critical security parameters. 16. Upon cryptographic module instance power-down the cryptographic module instance 18 shall inhibit all cryptographic operations. 17. Upon cryptographic module instance power-down the cryptographic module instance shall inhibit the data output interface. 18. The cryptographic module shall perform cryptographic functions when operating in Approved mode using the following FIPS Approved algorithms: a. AES b. DES (for use with legacy systems only; transitional phase only ­ valid until May 19, 2007) c. Triple-DES d. DSA digital signature e. HMAC-SHA-1 f. RSA PKCS#1 digital signature g. SHA-1 h. FIPS 186-2 Appendix 3.1 PRNG 19. The cryptographic module shall perform cryptographic functions when operating in Approved mode using the following non-FIPS Approved algorithms: a. Diffie-Hellman (for use with the TLS key establishment protocol only) b. MD5 (for use with the TLS key establishment protocol only) c. RSA encryption (for use with the TLS key establishment protocol only) d. HMAC-MD5 (for use with the TLS key establishment protocol only) 20. The cryptographic module shall perform random number generation using a FIPS 186-2 Approved algorithm. 21. The cryptographic module shall perform a continuous random number generation conditional self-test. 22. All keys shall be generated using the FIPS 186-2 PRNG. 23. All DSA keys shall be generated in accordance with the FIPS 186-2 DSA key generation requirements. 24. All Diffie-Hellman and RSA keys shall be generated through good commercial practice. The RSA key generation process is compliant with PKCS #1. 25. Upon power-up in Approved mode or when commanded by the operator the cryptographic module shall perform the following self-tests: a. software integrity test through a power-up CRC 32 check and a DSA signature verification b. DES encryption algorithm known answer test (encryption and decryption) c. Triple-DES encryption algorithm known answer test (encryption and decryption) d. AES encryption algorithm known answer test (encryption and decryption) e. RSA encryption algorithm pair-wise consistency test f. SHA-1 hash known answer test (verify) g. MD5 known answer test (verify) h. HMAC-SHA-1 known answer test (verify) i. HMAC-MD5 known answer test (verify) j. DSA signature pair-wise consistency test k. RSA signature pair-wise consistency test l. Diffie-Hellman pair-wise consistency test 19 m. PRNG known answer test 26. Upon completion or failure of power-up self-tests the cryptographic module shall output the results via the status output interface. 27. During self-test the cryptographic module shall inhibit the data output interface for all instances of the cryptographic module. 28. Upon failure of one or more self-tests the cryptographic module shall enter an error state. 29. When in an error state the cryptographic module shall inhibit the data output interface of all instances of the cryptographic module. 30. When in an error state the cryptographic module shall not permit additional instantiations of the module. 31. Upon failing to authenticate an operator requesting instantiation of the module, the cryptographic module shall delay for a period of one second before denying the request. 32. Private keys and public key certificates shall be stored within the cryptographic module in PKCS #12 format. 33. The cryptographic module shall permit encryption of all PKCS #12 keystores using password privacy mode and password integrity mode. (Note that this does not provide FIPS-approved confidentiality.) 34. Access to the cryptographic module shall be controlled by the authorization and discretionary access control mechanisms of the operating environment. 35. Private keys shall have been manually established prior to electronic entry into the cryptographic module. 20 6 Non-Approved Mode of Operation The following security functions are supported by the module but are permissible only when the module is not being operated in Approved mode. 6.1 Client Private Key Distribution The SSL/TLS client may be configured to request that a keypair for client authentication be delivered to it on-demand from an HTTP(S) server prior to performing the SSL/TLS handshake. The keys are not encrypted using an Approved method, and the HTTPS implementation is provided by the JRE or web browser, not the module itself. Entering private keys into the module in this manner is a non-Approved security function unless the underlying HTTPS implementation has been independently Approved. 6.2 DES The DES encryption algorithm is approved only for connections to legacy systems during a transitional phase lasting until May 19, 2007. TLS with DES is a non-Approved security function when connecting to a new system. 6.3 SSL In non-Approved mode SSL may be configured and used in addition to TLS. 6.4 Short Keys The SSL/TLS client supports the use of RSA and DH keys with lengths less than 1024 bits. When the module is operated in Approved mode it must be configured to use RSA and DH keys of 1024 bits or more. 21 7 Physical Security Policy Reflection Security Component for Java is a cryptographic module that is implemented completely in software such that the physical security is provided solely by the host platform. It is not subject to the physical security requirements of FIPS 140-2. Although the Reflection Security Component for Java module is software only, the tested platform is a personal computer that meets applicable Federal Communication Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined in Subpart B of FCC Part 15. 22 8 Mitigation of Other Attacks The Reflection Security Component for Java module is not designed to mitigate attacks outside the scope of the FIPS 140-2 requirements. 23 9 Acronym List AES ­ Advanced Encryption Standard API ­ Application Programming Interface CA ­ Certificate Authority CSP ­ Critical Security Parameter DES ­ Data Encryption Standard DH ­ Diffie-Hellman DSA ­ Digital Signature Algorithm EMI/EMC ­ Electromagnetic Interference/Electromagnetic Compatibility FIPS ­ Federal Information Processing Standard FSM ­ Finite State Model/Machine HMAC ­ Keyed-Hash Message Authentication Code HTTP ­ HyperText Transmission Protocol HTTPS ­ HyperText Transmission Protocol, Secure IV ­ Initialization Vector JRE ­ Java Runtime Environment MD5 ­ Message Digest algorithm PKCS ­ Public Key Cryptography Standard PRNG ­ Pseudo Random Number Generator RSA ­ Rivest-Shamir-Adelman SHA-1 ­ Secure Hash Algorithm SSL ­ Secure Socket Layer TLS ­ Transport Layer Security 24 10 References FIPS PUB 46-3, Data Encryption Standard (DES). FIPS PUB 197, Advanced Encryption Standard (AES). FIPS PUB 186-2, Digital Signature Standard (DSS). FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC). FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules. PKCS #1 v2.1: RSA Cryptography Standard. RSA Laboratories, June 14, 2002. ANSI X9.42, Agreement of Symmetric Keys Using Discrete Logarithm Cryptography. RFC 1321, The MD5 Message-Digest Algorithm. 25