FIPS 140-2 Security Policy BlackBerry Enterprise Server Cryptographic Kernel Versions 1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 Document Version 1.6 Security Certifications Team Research In Motion © 2007 Research In Motion Limited. All rights reserved. www.blackberry.com This document may be freely reproduced and distributed whole and intact including this Copyright Notice. BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 Document and Contact Information Version Date Author Description 1.0 21 June 2005 David MacFarlane Document creation. 1.1 27 June 2005 David MacFarlane Updated to module version 1.0.2.5. 1.2 13 July 2005 David MacFarlane Updated during conformance testing. 1.3 19 July 2005 David MacFarlane Algorithm certificate information updated. Corrected AES information and updated per CMVP 1.4 27 October 2005 David MacFarlane feedback. Updated Kernel Versions and various minor 1.5 8 May 2007 Sean Sandrock modifications. Updated to include module versions 1.0.2.9 and 1.6 22 May 2007 Sean Sandrock 1.0.2.10. Contact Corporate Office Security Certifications Team Research In Motion certifications@rim.com 295 Phillip Street (519) 888-7465 ext. 2921 Waterloo, Ontario Canada N2L 3W8 www.rim.com www.blackberry.com © 2007 Research In Motion Limited. All rights reserved. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 Contents Introduction ....................................................................................................................... 1 Cryptographic Module Specification.................................................................................. 2 Cryptographic Module Ports and Interfaces...................................................................... 5 Roles, Services, and Authentication ................................................................................. 6 Physical Security............................................................................................................... 8 Operational Environment .................................................................................................. 9 Cryptographic Keys and Critical Security Parameters .................................................... 10 Self-Tests ........................................................................................................................ 11 Mitigation of Other Attacks .............................................................................................. 12 Installation and Start-Up.................................................................................................. 13 FIPS 140-2 Mode of Operation ....................................................................................... 14 Glossary .......................................................................................................................... 15 © 2007 Research In Motion Limited. All rights reserved. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 List of Tables Table 1. Implementation of FIPS 140-2 Interfaces......................................................................... 5 Table 2. Module Services ............................................................................................................... 6 Table 3. Role Selection by Module Service.................................................................................... 6 Table 4. BlackBerry Enterprise Server Operational Environments ................................................ 9 Table 5. Cryptographic Keys and CSPs....................................................................................... 10 Table 6. Module Self-Tests........................................................................................................... 11 © 2007 Research In Motion Limited. All rights reserved. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 List of Figures Figure 1. BlackBerry Solution Architecture..................................................................................... 1 Figure 2. Physical Boundary........................................................................................................... 4 © 2007 Research In Motion Limited. All rights reserved. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 1 Introduction BlackBerry® is the leading wireless solution that allows users to stay connected to a full suite of applications, including email, phone, enterprise applications, Internet, Short Messaging Service (SMS), and organiser information. BlackBerry is a totally integrated package that includes innovative software, advanced BlackBerry Wireless HandheldsTM and wireless network service, providing a seamless solution. The BlackBerry architecture is shown in the following figure. Figure 1. BlackBerry Solution Architecture BlackBerry Enterprise ServerTM software tightly integrates with Microsoft® Exchange, IBM® Lotus® Domino®, and Novell® GroupWise® while working with other existing enterprise systems to enable push-based access of wireless email and data. It allows users to securely send and receive email and information from enterprise data stores and applications. BlackBerry Enterprise Server provides simplified management and centralised control of the wireless environment with industry-standard performance monitoring capabilities, administrative tools, and wirelessly-enabled IT policies. BlackBerry Enterprise Server also enables several other productivity enhancements, including attachment viewing for popular file formats, wireless calendar synchronisation, and remote address lookup. BlackBerry Enterprise Server provides simplified management and centralised control of the wireless environment with industry-standard performance monitoring capabilities, administrative tools and wirelessly-enabled IT policies. It also allows IT departments to benefit from a scalable and flexible solution that meets their evolving wireless requirements. For more information on the BlackBerry solution, visit http://www.blackberry.com/. The BlackBerry Enterprise Server Cryptographic Kernel, hereafter referred to as cryptographic module or module, is a software cryptographic module that provides the following cryptographic services to the BlackBerry Enterprise Server: · Data encryption and decryption · Message digest and authentication code generation · Random data generation · Elliptic curve key pair generation · Elliptic curve digital signature generation and verification · Elliptic curve key agreement www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 2 Cryptographic Module Specification Security Functions The cryptographic module is a software module in the form of a dynamically linked library (DLL) file that implements the following FIPS-Approved security functions1: · AES-128, -192, and -256 (encrypt and decrypt), as specified in FIPS 197. The implementation supports the ECB and CBC modes of operation. Certificates Awarded http://csrc.nist.gov/cryptval/aes/aesval.html Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 289 1.0.2.9 and 1.0.2.10 561 · Triple DES (encrypt and decrypt), as specified in FIPS 46-3. The implementation supports the ECB and CBC modes of operation. Certificates Awarded http://csrc.nist.gov/cryptval/des/tripledesval.html Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 364 1.0.2.9 and 1.0.2.10 554 · SHA-1, -224, -256, -384, and -512, as specified in FIPS 180-2. Certificates Awarded http://csrc.nist.gov/cryptval/shs/shaval.htm Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 363 1.0.2.9 and 1.0.2.10 626 · HMAC SHA-1, -224, -256, -384, and -512, as specified in FIPS 198. Certificates Awarded http://csrc.nist.gov/cryptval/mac/hmacval.html Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 98 1.0.2.9 and 1.0.2.10 296 1 A security function is FIPS-Approved if it is explicitly listed in FIPS 140-2 Annex A: Approved Security Functions for FIPS PUB 140-2. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 3 · FIPS 186-2 RNG, as specified in FIPS 186-2. Certificates Awarded http://csrc.nist.gov/cryptval/rng/rngval.html Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 114 1.0.2.9 and 1.0.2.10 324 · ECDSA, as specified in FIPS 186-2 and ANSI X9.62. The implementation supports elliptic curves P-521 and K-571. Certificates Awarded http://csrc.nist.gov/cryptval/dss/ecdsaval.html Kernel Version Certificate Numbers 1.0.2.5, 1.0.2.7, 1.0.2.8 8 1.0.2.9 and 1.0.2.10 59 The module implements the following non-Approved security functions: · EC Diffie-Hellman (key agreement, key establishment methodology provides 256 bits of encryption strength), as specified in IEEE P1363 Draft 13. Per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, the implementation may presently be used in a FIPS-Approved mode of operation. The implementation supports elliptic curves P-521 and K-571. · ECMQV (key agreement, key establishment methodology provides 256 bits of encryption strength), as specified in IEEE P1363 Draft 13. Per FIPS 140-2 Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, the implementation may presently be used in a FIPS-Approved mode of operation. The implementation supports elliptic curves P-521 and K-571. · Rijndael. The implementation supports the ECB and CBC modes of operation; key lengths of 128, 160, 192, 224, and 256 bits; and block lengths of 1282, 160, 192, 224, and 256 bits. 2 Supported for key lengths of 160 and 224 bits only. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 4 Cryptographic Boundary The physical boundary of the module is the physical boundary of the general purpose computer (GPC) that executes the module and is shown in the following figure. Application Module External Hardware Operating (keyboard, video monitor, etc.) System Figure 2. Physical Boundary Determining the Module Version The operator may determine the version of the module by viewing the properties screen on the DLL file: 1. Navigate to and right-click on the module file, i.e. CE.dll. 2. Select Properties from the resulting context menu. 3. Select the Version tab. 4. The versioning information screen appears and displays the module version, e.g. "1.0.2.5". www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 5 Cryptographic Module Ports and Interfaces The physical ports of the module correspond to the ports of the GPC that executes the module, and the logical interface of the module is its application programming interface (API). The module implements the FIPS 140-2 interfaces as described in the following table. Table 1. Implementation of FIPS 140-2 Interfaces FIPS 140-2 Module Ports Module Interfaces Interface Data Input GPC input ports (e.g. keyboard, mouse) Input parameters of API function calls Data Output GPC output ports (e.g. video display) Output parameters of API function calls GPC control input ports (e.g. keyboard, Control Input API function calls power switch) Function calls that return status information GPC status output ports (e.g. video display, Status Output and return code provided by each API LED) function call Power Input GPC power input ports (e.g. power supply) Not supported Maintenance GPC maintenance port (e.g. access panel) Not supported www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 6 Roles, Services, and Authentication Roles The module supports a User and Crypto Officer role. The module does not support a maintenance role, nor does it support concurrent operators. Services The services described in the following table are available to the operator. Table 2. Module Services Service Description Show Status Displays the status of the module. If invoked via the SelfTest function call, executes the cryptographic algorithm known Perform Self-Tests answer tests. If invoked by powering on the module, executes the power-up self-tests. Encrypt Data Encrypts data using AES, Triple DES, or Rijndael, as specified by the operator. Decrypt Data Decrypts data using AES, Triple DES, or Rijndael, as specified by the operator. Calculates a message digest using SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512, Create Message Digest as specified by the operator. Calculates a message authentication code using HMAC SHA-1, HMAC SHA-224, HMAC Create MAC SHA-256, HMAC SHA-384, or HMAC SHA-512, as specified by the operator. Generate Random Data Generates random data using the FIPS 186-2 RNG. Generate Key Pair Generates an elliptic curve key pair, consisting of a public and private key. Generate Signature Generates a digital signature using ECDSA. Verify Signature Verifies an ECDSA digital signature. Cooperatively calculates a symmetric key with another party through elliptic curve Diffie- Perform Key Agreement Hellman or elliptic curve MQV key agreement. Authentication The module does not support operator authentication. Roles are implicitly selected based on the service performed by the operator. Implicit role selection is summarised in the following table, as are the keys and critical security parameters (CSPs) that are affected by each service. Table 3. Role Selection by Module Service Role Implicitly Affected Keys and Access to Keys and Service Selected CSPs CSPs Show Status User N/A N/A Perform Self-Tests Crypto Officer Software Integrity Key Execute AES Key Encrypt Data User Triple DES Key Execute Rijndael Key AES Key Decrypt Data User Triple DES Key Execute Rijndael Key Create Message Digest User N/A N/A Create MAC User HMAC Key Execute Generate Random Data User N/A N/A www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 7 Role Implicitly Affected Keys and Access to Keys and Service Selected CSPs CSPs Generate Key Pair User ECC Key Pair Write Generate Signature User ECC Private Key Execute Verify Signature User ECC Public Key Execute ECC Key Pair Execute Perform Key Agreement User AES Key Triple DES Key Write Rijndael Key www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 8 Physical Security The module is implemented entirely in software, thus the FIPS 140-2 physical security requirements are not applicable. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 9 Operational Environment The module is designed to execute on a GPC in conjunction with the BlackBerry Enterprise Server application. The minimum requirements for the operational environment of the BlackBerry Enterprise Server application are listed in the following table, based on the enterprise messaging environment. Table 4. BlackBerry Enterprise Server Operational Environments Messaging Environment Minimum Operational Environment · Microsoft Windows® 2000 Server; or Microsoft Exchange · Microsoft Windows 2000 Advanced Server; or · Microsoft Windows ServerTM 2003 · Microsoft Windows 2000 Server; or IBM Lotus Domino · Microsoft Windows 2000 Advanced Server; or · Microsoft Windows Server 2003 · Microsoft Windows 2000 Server Service Pack 4; or Novell GroupWise · Microsoft Windows 2000 Advanced Server Service Pack 4; or · Microsoft Windows Servers 2003 The operating system is restricted to a single user mode of operation per FIPS 140-2 Implementation Guidance 6.1, i.e. the BlackBerry Enterprise Server application is the single user of the module, even when the server application is serving multiple clients. For the purposes of FIPS 140-2 conformance testing, the module was tested on Windows 2000 Server SP 4, however the module may be executed on any of the supported operating systems and remain FIPS-compliant. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 10 Cryptographic Keys and Critical Security Parameters The following table describes the cryptographic keys, key components, and CSPs utilised by the module. Table 5. Cryptographic Keys and CSPs Key / CSP Description A symmetric key used to encrypt and decrypt data using the AES algorithm. AES Key The module supports AES key lengths of 128, 192, and 256 bits. A symmetric key used to encrypt and decrypt data using the Triple DES Triple DES Key algorithm. Per the specification of Triple DES, all Triple DES keys are 192 bits in length. A key used to calculate a message authentication code using the HMAC HMAC Key algorithm. The length of the HMAC key is dependent on the underlying hash algorithm. Software Integrity Key A 128-bit HMAC SHA-1 key used to verify the integrity of the module. A key pair used to generate and verify digital signatures or to perform key ECC Key Pair agreement over elliptic curves. A symmetric key used to encrypt and decrypt data using the Rijndael Rijndael Key algorithm. The module supports Rijndael key lengths of 160 and 224 bits. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 11 Self-Tests The module implements the self-tests described in the following table. Table 6. Module Self-Tests Test Description The Software Integrity Test verifies the integrity of the module software using Software Integrity Test HMAC SHA-1. The FIPS 186-2 RNG known answer test (KAT) verifies that the RNG is FIPS 186-2 RNG Known Answer Test operating correctly. The AES KAT verifies that the AES encryption and decryption functions are AES Known Answer Test operating correctly. The Triple DES KAT verifies that the Triple DES encryption and decryption Triple DES Known Answer Test functions are operating correctly. The SHA-1 KAT verifies that the SHA-1 hashing function is operating SHA-1 Known Answer Test correctly. The SHA-224 KAT verifies that the SHA-224 hashing function is operating SHA-224 Known Answer Test correctly. The SHA-256 KAT verifies that the SHA-256 hashing function is operating SHA-256 Known Answer Test correctly. The SHA-384 KAT verifies that the SHA-384 hashing function is operating SHA-384 Known Answer Test correctly. The SHA-512 KAT verifies that the SHA-512 hashing function is operating SHA-512 Known Answer Test correctly. The HMAC SHA-1 KAT verifies that the HMAC SHA-1 function is operating HMAC SHA-1 Known Answer Test correctly. The HMAC SHA-224 KAT verifies that the HMAC SHA-224 function is HMAC SHA-224 Known Answer Test operating correctly. The HMAC SHA-256 KAT verifies that the HMAC SHA-256 function is HMAC SHA-256 Known Answer Test operating correctly. The HMAC SHA384 KAT verifies that the HMAC SHA-384 function is HMAC SHA-384 Known Answer Test operating correctly. The HMAC SHA-512 KAT verifies that the HMAC SHA-512 function is HMAC SHA-512 Known Answer Test operating correctly. The module implements a continuous RNG test, as specified in FIPS 140-2, Continuous RNG Test for the implemented FIPS 186-2 RNG. The module executes a pair-wise consistency test for each newly created ECC Pair-Wise Consistency Test ECC key pair. The ECDSA pair-wise consistency test verifies that the ECDSA signature ECDSA Pair-Wise Consistency Test creation and verification functions are operating correctly. When an operator attempts to load the module into GPC memory, the power-up self-tests are executed. The power-up self-tests comprise of all the tests identified above with the exception of the Continuous RNG Test and the ECC Pair-Wise Consistency Test. The Software Integrity Test is the first self-test executed, and if it fails then the attempt to load the module fails. If a cryptographic algorithm KAT fails then the operator may not access the corresponding algorithm until the KAT is executed successfully. The operator may invoke the power-up self-tests by unloading and reloading the module into GPC memory. The operator may also invoke all of the power-up self-tests, except the Software Integrity Test, by invoking the Perform Self-Tests service. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 12 Mitigation of Other Attacks The module is not designed to mitigate any specialised attacks, thus the FIPS 140-2 requirements for mitigation of other attacks are not applicable. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 13 Installation and Start-Up The module is installed as part of the BlackBerry Enterprise Server application, thus there are no module-specific installation instructions. The installation instructions for the BlackBerry Enterprise Server application for the appropriate messaging environment should be followed and are given in the following documents, available from http://www.blackberry.com/: · BlackBerry Enterprise Server for IBM Lotus Domino Installation Guide · BlackBerry Enterprise Server for Microsoft Exchange Installation Guide · BlackBerry Enterprise Server for Novell GroupWise Installation Guide www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 14 FIPS 140-2 Mode of Operation In order to operate the module in a FIPS-Approved manner, the following conditions must be met: 1. The Rijndael algorithm is not used for data encryption or decryption. More specifically, the following input parameters are not used in any of the AES API function calls: o Keys that are 160 or 224 bits in length o Keys that are 128, 192, or 256 bits in length when a block size of 160, 192, 224, or 256 bits is specified. www.blackberry.com BlackBerry Enterprise Server Cryptographic Kernel v1.0.2.5, 1.0.2.7, 1.0.2.8, 1.0.2.9, and 1.0.2.10 15 Glossary AES Advanced Encryption Standard ANSI American National Standards Institute API Application programming interface CBC Cipher block chaining CSP Critical security parameter DES Data Encryption Standard EC Elliptic curve ECB Electronic code book ECC Elliptic curve cryptography ECDSA Elliptic curve Digital Signature Algorithm ECMQV Elliptic curve Menezes, Qu, Vanstone FIPS Federal Information Processing Standard GPC General purpose computer HMAC Keyed-hashed message authentication code IEEE Institute of Electrical and Electronics Engineers KAT Known answer test MAC Message authentication code PUB Publication RIM Research In Motion RNG Random number generator SHA Secure Hash Algorithm SHS Secure Hash Standard SMS Short Messaging Service www.blackberry.com