VT iDirect, Inc.
Secure Satellite Broadband Solutions
Modules Names: Evolution e8350 – Satellite Router [1], iConnex e800 –Satellite Router Board [2],
iConnex e850MP – Satellite Router Board [3], iConnex e850MP-IND Satellite Router Board [4],
iConnex e850MP-IND with Heat Sink Satellite Router Board [5], Evolution eM1D1 – Line Card [6],
and Evolution eM0DM – Line Card [7]
Firmware Version: iDX version 2.3.1
Hardware Versions: E0000051-0003 [1], E0001340-0002 [2], E0000731-0001 [3], E0000731-0002 [4],
E0000731-0003 [5], E0000080-0002 [6], and E0000080-0005 [7]
FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level: 1
Document Version: 1.2
Prepared for: Prepared by:
VT iDirect, Inc. Corsec Security, Inc.
13921 Park Center Road, Suite 600 13135 Lee Jackson Memorial Highway, Suite 220
Herndon, VA 20171 Fairfax, VA 22033
United States of America United States of America
Phone: +1 (866) 345-0983 Phone: +1 (703) 267-6050
http://www.idirect.net http://www.corsec.com
Security Policy, Version 1.2 April 15, 2012
Table of Contents
1 INTRODUCTION ................................................................................................................... 4
1.1 PURPOSE ................................................................................................................................................................ 4
1.2 REFERENCES .......................................................................................................................................................... 4
1.3 DOCUMENT ORGANIZATION ............................................................................................................................ 4
2 SECURE SATELLITE BROADBAND SOLUTIONS ............................................................ 5
2.1 OVERVIEW ............................................................................................................................................................. 5
2.2 MODULE SPECIFICATION ..................................................................................................................................... 7
2.3 MODULE INTERFACES .......................................................................................................................................... 8
2.4 ROLES, SERVICES, AND AUTHENTICATION .....................................................................................................10
2.4.1 Crypto-Officer Role.............................................................................................................................................. 10
2.4.2 User Role ................................................................................................................................................................ 11
2.4.3 Client User Role ................................................................................................................................................... 11
2.4.4 Services ................................................................................................................................................................... 11
2.5 PHYSICAL SECURITY ...........................................................................................................................................26
2.6 OPERATIONAL ENVIRONMENT.........................................................................................................................28
2.7 CRYPTOGRAPHIC KEY MANAGEMENT ............................................................................................................28
2.8 SELF-TESTS ..........................................................................................................................................................32
2.8.1 Power-Up Self-Tests ............................................................................................................................................ 32
2.8.2 Conditional Self-Tests ......................................................................................................................................... 33
2.9 DESIGN ASSURANCE ..........................................................................................................................................33
2.10 MITIGATION OF OTHER ATTACKS ..................................................................................................................33
3 SECURE OPERATION ......................................................................................................... 34
3.1 CRYPTO-OFFICER GUIDANCE ..........................................................................................................................34
3.1.1 Initialization ........................................................................................................................................................... 34
3.1.2 Management ........................................................................................................................................................ 34
3.2 USER GUIDANCE ................................................................................................................................................35
3.3 CLIENT USER GUIDANCE ..................................................................................................................................35
4 ACRONYMS .......................................................................................................................... 36
Table of Figures
FIGURE 1 – IDIRECT NETWORK DEPLOYMENT .....................................................................................................................5
FIGURE 2 – CRYPTOGRAPHIC MODULE BLOCK DIAGRAM..................................................................................................8
FIGURE 3 – E8000 SERIES ENCLOSURE................................................................................................................................. 26
FIGURE 4 – ICONNEX E800 SATELLITE ROUTER BOARD .................................................................................................. 27
FIGURE 5 – ICONNEX E850MP SATELLITE ROUTER BOARD ............................................................................................ 27
FIGURE 6 – EVOLUTION EM1D1 LINE CARD ..................................................................................................................... 28
List of Tables
TABLE 1 – SECURITY LEVEL PER FIPS 140-2 SECTION ..........................................................................................................6
TABLE 2 – MAPPING OF THE E800 AND E8350 PHYSICAL PORTS ......................................................................................8
TABLE 3 – MAPPING OF THE E850MP, E850MP-IND, AND E850MP-IND WITH HEAT SINK PHYSICAL PORTS ........9
TABLE 4 – MAPPING OF THE EM1D1 AND EM0DM PHYSICAL PORTS ..............................................................................9
TABLE 5 – FIPS 140-2 LOGICAL INTERFACES ..................................................................................................................... 10
TABLE 6 – MAPPING OF GENERAL SERVICES TO ROLES, CSPS, AND TYPE OF ACCESS ................................................ 11
TABLE 7 – MAPPING OF LINE CARD SPECIFIC SERVICES TO ROLES, CSPS, AND TYPE OF ACCESS ............................. 18
TABLE 8 – MAPPING OF REMOTE PLATFORM SPECIFIC SERVICES TO ROLES, CSPS, AND TYPE OF ACCESS............... 20
TABLE 9 – MAPPING OF CLIENT USER ROLE'S SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS ........ 26
TABLE 10 – FIPS-APPROVED ALGORITHM IMPLEMENTATIONS ........................................................................................ 28
VT iDirect Secure Satellite Broadband Solutions Page 2 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
TABLE 11 – LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS .............................. 29
TABLE 12 – ACRONYMS ........................................................................................................................................................ 36
VT iDirect Secure Satellite Broadband Solutions Page 3 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
1 Introduction
1.1 Purpose
This is a non-proprietary Cryptographic Module Security Policy for the following cryptographic modules
from VT iDirect, Inc.:
• Evolution e8350TM - Satellite Router (Part #E0000051-0003)
• iConnex e800TM - Satellite Router Board (Part # E0001340-0002)
• iConnex e850MPTM - Satellite Router Board (Part # E0000731-0001, E0000731-0002, E0000731 -
0003)
• Evolution eM1D1TM - Line Card (Part #E0000080-0002)
• Evolution eM0DMTM - Line Card (Part #E0000080-0005)
This Security Policy describes how the modules listed above meet the security requirements of Federal
Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian
Government requirements for cryptographic modules. More information about the FIPS 140-2 standard
and validation program is available on the National Institute of Standards and Technology (NIST) and the
Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program
(CMVP) website at http://csrc.nist.gov/groups/STM/cmvp.
This document also describes how to run the modules in a secure FIPS-Approved mode of operation. This
policy was prepared as part of the Level 1 FIPS 140-2 validation of the modules. The Evolution e8350
Satellite Router, iConnex e800 Satellite Router Board, iConnex e850MP Satellite Router Board, iConnex
e850MP-IND Satellite Router Board, iConnex e850MP-IND with Heat Sink Satellite Router Board,
Evolution eM1D1 Line Card, and Evolution eM0DM Line Card are collectively referred to in this
document as Secure Satellite Broadband Solutions, cryptographic modules, or modules.
1.2 References
This document deals only with operations and capabilities of the module in the technical terms of a FIPS
140-2 cryptographic module security policy. More information is available on the module from the
following sources:
• The VT iDirect website (http://www.idirect.net) contains information on the full line of products
from VT iDirect.
• The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm)
contains contact information for individuals to answer technical or sales-related questions for the
module.
1.3 Document Organization
The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this
document, the Submission Package contains:
• Vendor Evidence document
• Finite State Model document
• Other supporting documentation as additional references
This Security Policy and the other validation submission documentation were produced by Corsec Security,
Inc. under contract to VT iDirect. With the exception of this Non-Proprietary Security Policy, the FIPS
140-2 Submission Package is proprietary to VT iDirect and is releasable only under appropriate non-
disclosure agreements. For access to these documents, please contact VT iDirect.
VT iDirect Secure Satellite Broadband Solutions Page 4 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
2 Secure Satellite Broadband Solutions
2.1 Overview
VT iDirect’s satellite-based IP1 communications technology enables constant connectivity for voice, video,
and data applications in any environment. VT iDirect has developed the leading TRANSEC-compliant
bandwidth-efficient satellite platforms for government and military communications. The Secure Satellite
Broadband Solutions have uses across a wide range of applications, including maritime connectivity,
aeronautical connectivity, military defense, and emergency relief.
VT iDirect Secure Satellite Broadband Solutions support a deterministic Time Division Multiple Access
(TDMA) upstream carrier and DVB-S22 downstream carrier. The VT iDirect TDMA network is optimized
for satellite transmissions, squeezing the maximum performance out of the bandwidth provided by satellite
links. The system is fully integrated with VT iDirect’s Network Management System that provides
configuration and monitoring functions. The VT iDirect network components consist of the Network
Management Server, Protocol Processor, Hub Line Card, and the Ethernet switch with remote modem. In a
star topology, the protocol processor acts as the central network controller, the Hubl Line Card is
responsible for the hub side modulation and demodulation (modem) functions, and the remote modem
provides modem functionalities for the Ethernet switch. A common deployment of the VT iDirect network
components is shown below.
Figure 1 – iDirect Network Deployment
1
IP – Internet Protocol
2
DVB-S2 – Digital Video Broadcast - Satellite - Second Generation
VT iDirect Secure Satellite Broadband Solutions Page 5 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
VT iDirect’s hardware modules offer the Transmission Security (TRANSEC) feature that enables
encryption to all Data Link Layer traffic including all control and management data flowing between the
ULC and Remote modem using the Advanced Encryption Standard (AES). VT iDirect achieves full
TRANSEC compliance by presenting to an adversary eavesdropping on the RF3 link a constant wall of
fixed-sized, strongly-encrypted traffic segments, the frequency of which do not vary with network activity.
All network messages, including those that control the admission of a remote terminal into the TRANSEC
network, are encrypted and their original size is hidden. The content and size of all user traffic (Layer 3
and above), as well as all network link layer traffic (Layer 2), is completely indeterminate from an
adversary’s perspective. In addition, no higher-layer information can be ascertained by monitoring the
physical layer (Layer 1) signal. VT iDirect TRANSEC includes a remote-to-hub and a hub-to-remote
authentication protocol, based on X.509 certificates, designed to prevent man-in-the-middle attacks. This
authentication mechanism prevents an adversary’s remote from joining a VT iDirect TRANSEC network.
In a similar manner, it prevents an adversary from coercing a TRANSEC remote into joining the
adversary’s network.
TRANSEC is managed by the module firmware. A key set is created for each TRANSEC controller and all
participants in a Star network then share their exclusive key set. Encryption of data occurs in FPGA4
firmware. TRANSEC encrypts all data in Layer 2, so even the High-level Data Link Control (HDLC)
sources and destinations of packets are encrypted. Multicast and broadcast data is also encrypted. Since
the key set is shared among the network, every member of the network can receive and decrypt all data.
TRANSEC is designed to prevent traffic analysis by outside parties.
Link Encryption occurs completely in the module firmware. Each remote and its counter-part layer in the
protocol processor creates a transmit key (Link Encryption Key, See Table 11) and distributes this to its
peer, using the same key transport method as TRANSEC. Link Encryption is point-to-point, so each
remote has a unique key for receiving and transmitting data. Layer 2 data, such as source and destination
link addresses, is not encrypted. When used without TRANSEC, broadcast and multicast traffic is not
encrypted. Therefore, link level information, such as HDLC destinations, is not protected by Link
Encryption.
The cryptographic modules provide secure traffic routing services. The platforms for the cryptographic
modules are Printed Circuit Boards (PCBs) for the following:
• Evolution e8350TM Satellite Router (Part # E0000051-0003)
• iConnex e800TM Satellite Router Board (Part # E0001340-0002)
• iConnex e850MPTM Satellite Router Board (Part # E0000731-0001, E0000731-0002, E0000731-
0003)
• Evolution eM1D1TM Line Card (Part # E0000080-0002)
• Evolution eM0DMTM Line Card (Part # E0000080-0005)
The module firmware runs on version 2.6.17.8-uc0-iDirect0of the Linux Operating System (OS) for all the
platforms. The Secure Satellite Broadband Solutions are validated at the following FIPS 140-2 Section
levels:
Table 1 – Security Level per FIPS 140-2 Section
Section Section Title Level
1 Cryptographic Module Specification 1
2 Cryptographic Module Ports and Interfaces 1
3
RF – Radio Frequency
4
FPGA – Field Programmable Gate Array
VT iDirect Secure Satellite Broadband Solutions Page 6 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Section Section Title Level
3 Roles, Services, and Authentication 1
4 Finite State Model 1
5 Physical Security 1
6 Operational Environment 1
7 Cryptographic Key Management 1
5
8 EMI/EMC 1
9 Self-tests 1
10 Design Assurance 1
11 Mitigation of Other Attacks N/A
2.2 Module Specification
The cryptographic boundary of the modules is the VT iDirect PCBs that run the iDX firmware, which is
referred to as “FALCONâ€. Per FIPS 140-2 terminology, the Secure Satellite Broadband Solutions are
multi-chip embedded modules that meet overall level 1 security requirements. Physically, the PCB is the
cryptographic boundary.
Figure 2 depicts the physical block diagram and the cryptographic boundary of the modules, which is
indicated below using the red dotted line. The diagram also shows the logical interfaces with the modules.
The red arrow indicates control input. The blue arrow indicates data output. The green arrow indicates data
input. The purple arrow indicates status output.
5
EMI/EMC – Electromagnetic Interference / Electromagnetic Compatibility
VT iDirect Secure Satellite Broadband Solutions Page 7 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Figure 2 – Cryptographic Module Block Diagram
The VT iDirect Secure Satellite Broadband Solutions router, router board, and line card cryptographic
modules share a common design and functionality. Each module uses the same processor and FPGA
configuration (shown in Figure 2) to provide secure encryption and decryption of satellite data, voice, and
video communications. The cryptographic services and functions provided by each module are provided
by the same FALCON firmware release (iDX 2.3.1). Slight non-security relevant differences in the module
hardware implementation are indentified by different part numbers, including different form factors, heat
dissipation, quantities of LAN6 ports and LEDs7, and other part differences.
2.3 Module Interfaces
The Secure Satellite Broadband Solutions are multi-chip embedded cryptographic modules that meet
overall Level 1 FIPS 140-2 requirements. The physical port mapping for the modules are listed in the
tables below:
Table 2 – Mapping of the e800 and e8350 Physical Ports
Enabled in FIPS
Physical Port Description Mode of Operation.
Power Connector MOLEX P/N 501844-1410 Yes
Transmitter (TX Out) Female coaxial connector Yes
6
LAN – Local Area Network
7
LED – Light Emitting Diode
VT iDirect Secure Satellite Broadband Solutions Page 8 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Enabled in FIPS
Physical Port Description Mode of Operation.
Receiver (RX Out) Female coaxial connector Yes
Receiver (RX In) Female coaxial connector Yes
10 MHz8 BNC9 external 10MHz connector (future use) No
USB10 Future Use No
RJ11-45, Serial, RS-23212
Console Yes
LAN A/B RJ-45, 10/100 Base-T (2 on the e800, 9 on the Yes
e8350)
RS-232/GPIO13 HD-15, GPIO, Serial No
Power Control 3-pin jumper Yes
Table 3 – Mapping of the e850MP, e850MP-IND, and e850MP-IND with Heat Sink Physical
Ports
Enabled in FIPS
Physical Port Description Mode of Operation?
Power Connector 4 pin interface; MOLEX 43650-0400 Yes
Power Control Connector 2 pin interface; MOLEX 43650-0200 Yes
Transmitter, Receivers, GPS Coaxial Connection Yes
RS-232/GPIO 20-pin interface: HARWIN M80-8662022 No
LED Connector 20 pin interface; MOLEX 55456-2059 Yes
Ethernet RJ-45 Yes
Table 4 – Mapping of the eM1D1 and eM0DM Physical Ports
Enabled in FIPS
Physical Port Description Mode of Operation?
Transmitter (TX Out) Female coaxial connector Yes
Receiver (RX Out) Female coaxial connector Yes
8
MHz – Megahertz
9
BNC – Bayonet Neill-Concelman connector
10
USB – Universal Serial Bus
11
RJ – Registered Jack
12
RS-232 – Recommended Standard 232
13
GPIO – General Purpose Input/Output
VT iDirect Secure Satellite Broadband Solutions Page 9 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Enabled in FIPS
Physical Port Description Mode of Operation?
Receiver (RX In) Female Coaxial Connector Yes
LAN A/B, 10/100 LAN RJ-45, 10/100 Base-T Yes
Console LAN RJ-45, Configuration Port Yes
(4) LEDs Status Indication Yes
PCI14 interface
Power Connector Yes
The choice of how to display the LEDs on the modules is determined by the integrator of the PCBs. The
LED functions are handled by the FALCON application.
All of the interfaces that are enabled, as well as physical interfaces, can be categorized into logical
interfaces defined by FIPS 140-2, as described in the following table:
Table 5 – FIPS 140-2 Logical Interfaces
FIPS 140-2 Logical Secure Satellite Broadband
Interface Solutions Port/Interface
Data Input Rx, Ethernet ports, console port
Data Output Tx, Ethernet ports, console port
Control Input Rx, Ethernet ports, console port
Status Output Tx, Ethernet ports, console port
Power Power connector
2.4 Roles, Services, and Authentication
There are three roles in the module that operators may assume: Crypto-Officer role, User role, and Client
User role. Please note that, as the cryptographic modules were validated against Level 1 requirements, they
do not support role-based or identity-based authentication.
2.4.1 Crypto-Officer Role
The Crypto-Officer role is implicitly assumed when performing installation, configuration, or monitoring
services for the modules. The Crypto-Officer accesses the modules locally over the console port or
remotely over a secured session. There are four different interfaces that can be used for management
purposes:
• Console – The Crypto-Officer locally manages the modules by directly connecting through the
console port (Serial over RJ45). The Crypto-Officer has to use an account name of “admin†and a
password to access any services. The Crypto-Officer is authorized to change its own password
and the passwords of User Role accounts (“user†and “diagnosticâ€).
14
PCI – Peripheral Component Interconnect
VT iDirect Secure Satellite Broadband Solutions Page 10 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
• Remote Command Line Interface (CLI) – The modules can be configured and monitored over a
remote CLI management interface using Secure Shell (SSH) version 1.3, 1.5 and 2.0. The Crypto-
Officer uses a password to access any services. The modules perform a Diffie-Hellman (DH) key
agreement mechanism to initialize the SSH session. When the Crypto-Officer accesses the module
via SSH, he is able to log into the CLI interface directly with the “admin†account and the
appropriate password.
• Management Interface over Transport Layer Security (TLS) – The modules can also be configured
and monitored using a Graphical User Interface (GUI) over a TLS version 1.0 session, such as the
iBuilder and iMonitor applications which require a user name and password for access. The
modules perform RSA authentication and key transport during the TLS handshake.
• Management over Satellite – Over the satellite channel, the modules can perform low-level
configuration and monitoring (all non-security-relevant). This consists of low-level link
management (such as timeplans) sent by the protocol processor to the modules for which
authentication is not required. The protocol processor will only send Layer 2 Reset messages
when prompted to do so by a password privileged user.
2.4.2 User Role
The User has the ability to access the falcon console over the satellite network. On the console, the User is
enabled with account name “user†or “diagnostic†and a password to access any services. Accounts
“user†and “diagnostic†employ the same password mechanism. Passwords are configured and controlled
by the Crypto-Officer with the “admin†account. The “user†and “diagnostic†accounts do not have the
privilege to change passwords. The services available to the User role (“user†and “diagnostic†accounts)
do not involve viewing or modifying CSPs. See Table 6, Table 7, and Table 8 for a list of User services.
2.4.3 Client User Role
The Client User accesses the modules over the Ethernet ports and utilizes the modules’ traffic routing and
link encryption services. The Client User role is implicitly assumed by a network device or application
routing traffic through the modules.
2.4.4 Services
Table 6, Table 7, and Table 8 list all CLI services available to a Crypto-Officer and User. The CLI services
can be categorized in three different groups as follows:
1. General Services: Common functions to the iDX firmware.
2. Hub Specific Services: These services are only accessible on the eM1D1 and eM0DM Line Card
platforms.
3. Remote Specific Services: Services specific to the Evolution e8350 Satellite Router, iConnex e800,
iConnex e850MP, iConnex e850MP-IND, and iConnex e850MP-IND with Heat Sink Satellite
Router Boards.
Descriptions of the services available are provided in the tables below. The following tables also list all
Critical Security Parameters (CSPs) involved in the services and associated access controls.
Table 6 – Mapping of General Services to Roles, CSPs, and Type of Access
Operator
Service Description Type of Access
CO User
Antenna/debug AntennaClient st Secured Session Key –
Read
Antenna/params Stats| params | debug Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 11 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
Antenna/point Points to currently defined Secured Session Key –
settings in [SATELLITE] Read
group
arp Address Resolution Secured Session Key –
Protocol (ARP) control Read
beam/debug Sets debug level for beam Secured Session Key –
switch module Read
beamselector/control Beam selector control Secured Session Key –
command Read
beamselector/list List known beams Secured Session Key –
Read
beamselector/lock Suppress the timer and stay Secured Session Key –
on this beam Read
beamselector/mapsize Print or change the map Secured Session Key –
size request params Read
beamselector/newmap Force a request for a new Secured Session Key –
map Read
beamselector/params Stats | params | debug Secured Session Key –
Read
beamselector/switch Switch to new beam Secured Session Key –
Read
clear Clear screen Secured Session Key –
Read
console Console control Secured Session Key –
Read
date Get the downstream time Secured Session Key –
information Read
delay Usage: delay <msecs to Secured Session Key –
sleep> Read
dgm_pkg_rx Datagram Package Secured Session Key –
Download Receiver control Read
dma Direct Memory Access Secured Session Key –
(DMA) statistics Read
eloop Display event loop status Secured Session Key –
Read
ENTER_ERROR_STATE Enter Error state Secured Session Key –
Read
ENTER_RECOVERY_STATE Start recovery falcon Secured Session Key –
Read
error_status Display error status string Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 12 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
eth Configure a network Secured Session Key –
interface Read
eth_monitor Ethernet Interface Monitor Secured Session Key –
Read
extras Extras option file Secured Session Key –
manipulation Read
fll Allows to query the status Secured Session Key –
of the hardware's frequency Read
lock loop
fpga FPGA Rx1 driver Secured Session Key –
Read
fpga/rx FPGA Rx Driver Secured Session Key –
Read
fpga/tx FPGA Tx Driver Secured Session Key –
Read
gecho Global echo Secured Session Key –
Read
heap Memory usage Secured Session Key –
Read
hub_fsd Hub FSD Secured Session Key –
Read
igmp Multicast control Secured Session Key –
Read
ip Router control Secured Session Key –
Read
keyroll_mgr Keyroll manager command Dynamic Ciphertext
Channel Key –
Read/Write
Acquisition Ciphertext
Channel Key –
Read/Write
Secured Session Key –
Read
laninfo View IP address/netmask Secured Session Key –
Read
latlong LAT LONG Secured Session Key –
Read
license Get license Secured Session Key –
Read
licensestat Remote license status Secured Session Key –
information Read
VT iDirect Secure Satellite Broadband Solutions Page 13 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
mac Media Access Control Secured Session Key –
(MAC) control Read
mapclient/control Map client control Secured Session Key –
command Read
mapclient/params Stats | params | debug Secured Session Key –
Read
maphandler/control Map handler control Secured Session Key –
command Read
maphandler/params Stats | params | debug Secured Session Key –
Read
mem Resource information Secured Session Key –
Read
netstat Checks network Secured Session Key –
configuration and activity Read
nms_echo NMS event echo Secured Session Key –
Read
nmsr Debug network Secured Session Key –
management system Read
Reporting object (event
message sender)
oob Out of Band (OOB) control Secured Session Key –
Read
options Options file manipulation Secured Session Key –
Read
packages Show list of installed Secured Session Key –
software packages and their Read
versions
params View/edit global parameters Secured Session Key –
Read
pasoc Command for the packet Secured Session Key –
socket layer Read
passwd Change password Password – Read,
Write
Secured Session Key –
Read
pcmd Periodic console Command Secured Session Key –
Read
ping Utility Secured Session Key –
Read
profiling Profiling the Utils Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 14 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
ps Show the output of the ps Secured Session Key –
command Read
reset Reset machine or restart Secured Session Key –
service Read
rx/enable Rx Enable Secured Session Key –
Read
rx/frequency Rx Frequency Secured Session Key –
Read
rx/ifl10 Rx IFL 10M Secured Session Key –
Read
rx/iflDC Rx IFL DC Secured Session Key –
Read
rx/ifltone Rx IFL 22k tone Secured Session Key –
Read
rx/power Rx Power Secured Session Key –
Read
rx/symrate Rx Symbol rate Secured Session Key –
Read
rx2/agc Rx AGC Secured Session Key –
Read
rx2/bitrate Rx BitRate Secured Session Key –
Read
rx2/cof Rx Frequency Offset Secured Session Key –
Read
rx2/ enable Rx enable Secured Session Key –
Read
rx2/frequency Rx Frequency Secured Session Key –
Read
rx2/symrate Rx Symbolrate Secured Session Key –
Read
rxdiag/14DCVoltage 14 DC Voltage Secured Session Key –
Read
rxdiag/6DCVoltage 6 DC Voltage Secured Session Key –
Read
rxdiag/7DCVoltage 7 DC Voltage Secured Session Key –
Read
rxdiag/rxpower Rx RF Composite Power Secured Session Key –
Read
rxdiag/temperature Board temperature Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 15 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
rxdiag/tx10M Tx 10M output Secured Session Key –
Read
rxdiag/txpower Tx RF Composite Power Secured Session Key –
Read
service Service start/stop command Secured Session Key –
Read
sn Show modem serial number Secured Session Key –
Read
Stats View/Edit global stats Secured Session Key –
Read
status Show status of stack Secured Session Key –
Read
sys_time Sys Time Tick Secured Session Key –
Read
systray Debugs systray messages Secured Session Key –
(mulicast messages sent on Read
the Local Access Network
or LAN)
tick Get time tick Secured Session Key –
Read
timer Timer control Secured Session Key –
Read
tlev Trace control Secured Session Key –
Read
tls Transport Layer Security Secured Session Key –
(TLS) control Read
tls_mnc Debugs the secure MnC Secured Session Key –
control server Read
transec TRANSEC related Field Secured Session Key –
Programmable Gate Array Read
(FPGA) registers stats
tx/alcdac Tx ALCDAC Secured Session Key –
Read
tx/atten Tx Atten Secured Session Key –
Read
tx/atten1 Tx Atten1 Secured Session Key –
Read
tx/atten2 Tx Atten2 Secured Session Key –
Read
tx/cw Tx CW Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 16 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
tx/enable Tx Enable Secured Session Key –
Read
tx/freq Tx frequency Secured Session Key –
Read
tx/halfdb Tx Halfdb Atten Secured Session Key –
Read
tx/ifl10 Tx IFL 10M Secured Session Key –
Read
tx/iflDC Tx IFL DC Secured Session Key –
Read
tx/iqoffset TX IQ Offset Secured Session Key –
Read
tx/pn Tx PN Secured Session Key –
Read
tx/power Tx Power Secured Session Key –
Read
tx/ssb Tx ssb Pattern Secured Session Key –
Read
tx/symrate Tx Symbolrate Secured Session Key –
Read
uptime System and application Secured Session Key –
uptime Read
version Build information Secured Session Key –
Read
versions_report Full operating environment Secured Session Key –
report Read
x509 Manage X509 Certificates RSA Private Key –
and RSA keys Read/Write
RSA Private Key –
Read/Write
Secured Session Key –
Read
xoff Disallow messages from Secured Session Key –
other processes Read
xon Allow messages from other Secured Session Key –
processes Read
zeroize Zeroize all CSPs All CSPs – Delete
VT iDirect Secure Satellite Broadband Solutions Page 17 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Table 7 lists the services that are provided on the Line Card platforms.
Table 7 – Mapping of Line Card Specific Services to Roles, CSPs, and Type of Access
Operator
Service Description Type of Access
CO User
agents View console agents Secured Session Key –
Read
btp Burst Time Plan (BTP) Secured Session Key –
statistics Read
cert_mgr Certificate Manager RSA Private Key –
command Read/Write
RSA Public Key –
Read/Write
Secured Session Key –
Read
da_tunnel Shows statistics for the Secured Session Key –
tunnel between an external Read
process and the hub line card
diagnostic Diagnostic Command Secured Session Key –
Read
DID Show modem identification Secured Session Key –
number Read
dumpb Dump bursts received on hub Secured Session Key –
Read
gige_mon Gige monitor command Secured Session Key –
Read
hdlc HDLC Status Secured Session Key –
Read
key_ctrl Crypto key controller
Dynamic Ciphertext
Channel Key –
Read/Write
key_mgr Key manager
Acquisition Ciphertext
Channel Key –
Read/Write
na_tunnel Shows the statistics Secured Session Key –
parameters for a tunnel from Read
the hub line card and an
external process
rx/agc Rx AGC Secured Session Key –
Read
rx/band Rx Band Secured Session Key –
Read
rx/ber/stats BER Stats Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 18 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
rx/bitrate Rx BitRate Secured Session Key –
Read
rx/blklen Rx BlockLength Secured Session Key –
Read
rx/mod Rx Modulation Secured Session Key –
Read
rx/payloadlen Rx PayloadLength Secured Session Key –
Read
rx/refclkdac Rx Ref Clock DAC Secured Session Key –
Read
rx2/demodkick Rx DemodKick Secured Session Key –
Read
rx2/snr Rx SNR Secured Session Key –
Read
rx2/tdmlost Rx tdm lock lost Secured Session Key –
Read
rxdiag/19DCVoltage 19 Volts Supply Monitor Secured Session Key –
Read
rxdiag/inputdcvoltage Input DC Voltage Secured Session Key –
Read
rxdiag/mcifpower Multichannel IF Power Secured Session Key –
Read
rxdiag/mcrfpower Multichannel RF Power Secured Session Key –
Read
standby Standby Command Secured Session Key –
Read
swbpfll Software FLL Secured Session Key –
Read
swfll Software FLL Secured Session Key –
Read
sync_mgr Check options file sync msg Secured Session Key –
list Read
sync_rsp_mgr Check response msg list Secured Session Key –
Read
TERMINATE Kill process Secured Session Key –
Read
tplog Timeplan Log Secured Session Key –
Read
tunnel Tunnel control Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 19 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
tunnel_control Tunnel controller command Secured Session Key –
Read
tx/band Tx Band Selection Secured Session Key –
Read
tx/band Tx Band Select Secured Session Key –
Read
tx/fllref Tx FLL Ref Clock Secured Session Key –
Read
tx/lock Tx Lock Status Secured Session Key –
Read
tx/powermode Tx Power Mode Secured Session Key –
Read
tx/raven Tx Raven Secured Session Key –
Read
wam wam Secured Session Key –
Read
Table 8 lists services that are provided on the Evolution e8350 Satellite Router, iConnex e800,iConnex
e850MP, iConnex e850MP-INd, and iConnex e850MP-IND with Heat Sink platforms.
Table 8 – Mapping of Remote Platform Specific Services to Roles, CSPs, and Type of Access
Operator
Service Description Type of Access
CO User
acq Enables acquisition debugging Secured Session Key –
Read
ber/stats BER Stats Secured Session Key –
Read
btp Tx Debug Secured Session Key –
Read
classifier Classifier command Secured Session Key –
Read
cpu Show CPU utilization Secured Session Key –
percentage Read
csp Enables/disables csp mode Secured Session Key –
Read
dfoe Dynamic Features and Secured Session Key –
Options Exchange Read
dhcp DHCP server command Secured Session Key –
Read
dns DNS control Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 20 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
dubmpb Dump bursts received on Secured Session Key –
TDMA Rx2 of the remote Read
dvbs2 dvbs2 st Secured Session Key –
Read
enc Encryption control command Secured Session Key –
Read
encs Encryption session control Secured Session Key –
command Read
fake_acq Fake ACQ control Secured Session Key –
Read
fan/rpm Fan RPM Secured Session Key –
Read
fan/status Fan Status Secured Session Key –
Read
fpga/rx1 FPGA Rx1 Driver Secured Session Key –
Read
fpga/rx2 FPGA Rx2 Driver Secured Session Key –
Read
gpspollinterval seconds Secured Session Key –
Read
gpsvalidationstatus Status of GPS validation Secured Session Key –
Read
gre Generic Routine Secured Session Key –
Encapsulation (GRE) protocol Read
icmp Internet Control Message Secured Session Key –
Protocol (ICMP) inspection Read
layer console command
inroute_list Inroute List Secured Session Key –
Read
ipv4 IPv4 protocol acceleration Secured Session Key –
control layer Read
ktun Kernel Tunnel Command Secured Session Key –
Read
l2tp_compress L2TP payload compress Secured Session Key –
Read
lfc Local Secured Session Key –
Read
ll Link Layer control Secured Session Key –
Read
mcqos Multicast QoS Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 21 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
mesh Forces the remote out of Secured Session Key –
mesh Read
mesh_marker mesh_marker layer command Secured Session Key –
Read
meshdebug Mesh Debug Secured Session Key –
Read
nat NAT Control Secured Session Key –
Read
offline Offline Secured Session Key –
Read
online Online Secured Session Key –
Read
oobc Out of Band Control layer Secured Session Key –
stats and params Read
ota Over-The-Air statistics Secured Session Key –
Read
phy Read PHY status register Secured Session Key –
Read
pm Pad upper Mux stats Secured Session Key –
Read
powermgmt Power Management Secured Session Key –
Read
pull_engine PullDown Engine Control Secured Session Key –
Read
qos Quality of Service (QoS) Secured Session Key –
control Read
remotestate Displays the current remote Secured Session Key –
state Read
rmtarp Mesh ARP table Secured Session Key –
Read
rmtlock Locks the remote to work in Secured Session Key –
a specific network Read
rmtstat Toggle printing Remote Secured Session Key –
Status messages Read
rx/cof Rx Carrier Offset Secured Session Key –
Read
rx/demod Rx Demod Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 22 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
rx/demodkick Rx DemodKick Secured Session Key –
Read
rx/demodsel Rx Demod Select Secured Session Key –
Read
rx/dvbs2/debug Sets debug level for Rx dvbs2 Secured Session Key –
Read
rx/fastfll Rx Fast FLL Secured Session Key –
Read
rx/flm Rx False Lock Monitor Secured Session Key –
Read
rx/gdc GD Compensation and Secured Session Key –
Monitor Read
rx/griffin Rx Griffin Secured Session Key –
Read
rx/groundelay Rx Ground Delay Secured Session Key –
Read
rx/pointing Rx Pointing Secured Session Key –
Read
rx/snr Rx SNR Secured Session Key –
Read
rx/stv STV Support Secured Session Key –
Read
rx/swfll Software SCPC FLL Secured Session Key –
Read
rx/tdmlost Rx tdm lock lost Secured Session Key –
Read
rx/ts_stats Rx Transport Stream Lock Secured Session Key –
Stats Read
rx2/blklen Rx BlockLength Secured Session Key –
Read
rx2/crc Rx2 CRC Count Secured Session Key –
Read
rx2/fec Tx FECRate Secured Session Key –
Read
rx2/meshfsd Mesh FSD Secured Session Key –
Read
rx2/mod Rx Modulation Secured Session Key –
Read
rx2/payloadlen Rx PayloadLength Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 23 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
rxdiag/14rxanalog 14-Analog-Rx (AIN6) Secured Session Key –
Read
rxdiag/14txanalog 14-Analog-Rx (AIN5) Secured Session Key –
Read
rxdiag/24DCVoltage 24 DC Voltage Secured Session Key –
Read
rxdiag/5DCVoltage 5 DC Voltage Secured Session Key –
Read
rxdiag/consolevoltage Console Voltage Secured Session Key –
Read
rxdiag/rxvoltage Rx IFL DC Voltage Secured Session Key –
Read
rxdiag/txcurrent Tx IFL DC VOltage Secured Session Key –
Read
rxdiag/txpll Tx PLL VCC (AIN4) Secured Session Key –
Read
rxdiag/txvoltage Tx IFL DC Voltage Secured Session Key –
Read
rxdiag/vinps Input Voltage PS (AIN3) Secured Session Key –
Read
sar Segmentation and Reassembly Secured Session Key –
(SAR) control Read
satmac Debugs the satellite MAC Secured Session Key –
layer Read
sd Sar lower Mux stats Secured Session Key –
Read
switch/status Marvell Switch Status Secured Session Key –
Read
switch/vlans Marvell Switch VLAN Secured Session Key –
configuration Read
switch/pvid Marvell Switch Port PVID Secured Session Key –
values Read
switch/fwmap Marvell Switch Port FW Map Secured Session Key –
Read
switch/power Marvell Switch Power Secured Session Key –
Control Read
switch/params Marvell Switch option file Secured Session Key –
params Read
transec_layer TRANSEC layer command Secured Session Key –
Read
VT iDirect Secure Satellite Broadband Solutions Page 24 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
tx/10 Tx Pattern 1-0 Secured Session Key –
Read
Secured Session Key –
tx/bitrate Tx Bitrate Read
Secured Session Key –
tx/blklen Tx BlockLength Read
Secured Session Key –
tx/debug Tx Debug Read
Secured Session Key –
tx/fecrate Tx FECRate Read
Tx Freq Record Program Secured Session Key –
tx/freq_val Values Read
Secured Session Key –
tx/fsd Tx FSD Read
Secured Session Key –
tx/keyline Tx Keyline Read
Secured Session Key –
tx/lfo Tx Local Frequency Offset Read
Secured Session Key –
tx/mod Tx Modulation Read
Secured Session Key –
tx/payloadlen Tx PayloadLength Read
Secured Session Key –
tx/power Tx Power Read
Secured Session Key –
tx/ssb Tx SSB Read
Secured Session Key –
tx/status Tx Status Read
Secured Session Key –
tx/tdma/debug sets debug level for tx tdma Read
Tx Num of Tpc Blocks Per Secured Session Key –
tx/tpcblocks Frame Read
ucp Display UCP information Secured Session Key –
Read
udp UDP Command Secured Session Key –
Read
udp_compress UDP Payload compress Secured Session Key –
Read
vlan Virtual Local Area Network Secured Session Key –
(VLAN) control Read
VT iDirect Secure Satellite Broadband Solutions Page 25 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Operator
Service Description Type of Access
CO User
wam2 wam Secured Session Key –
Read
Table 9 maps Client User Role services to inputs, outputs and CSPs.
Table 9 – Mapping of Client User Role's Services to Inputs, Outputs, CSPs, and Type of
Access
Service Description Input Output Type of Access
Traffic Routing Secured traffic routing at the Data Link Data Link Dynamic Ciphertext
data-link layer layer layer Channel key - Read
packet packet
Multicast Packet Reset After individual component of “Reset†Command None
the multicast packet is option is status
extracted and written to the checked
modem’s flash memory, the
modem resets if the “Resetâ€
option was checked.
2.5 Physical Security
The cryptographic modules are multi-chip embedded cryptographic modules per FIPS 140-2 terminology.
The modules are PCBs that consist of production grade components and meet level 1 physical security
requirements using clear coating over the boards and their physical components to protect against
environment and physical damage. The boards will be enclosed in production-grade enclosures for added
physical security. A sample enclosure can be seen in Figure 3.
Figure 3 – e8000 Series Enclosure
Figure 4 below show the iConnex e800 Satellite Router Board. Please note that the e800 and e8350 boards
have the same appearance; the only difference is that the e8350 has an 8 port Ethernet switch that is
mounted to the back of the metal chassis that it fits into.
VT iDirect Secure Satellite Broadband Solutions Page 26 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Figure 4 – iConnex e800 Satellite Router Board
Figure 5 below shows the iConnex e850MP Satellite Router Board.
Figure 5 – iConnex e850MP Satellite Router Board
Figure 6 below show the Evolution eM1D1 Line Card. Please note that Evolution eM1D1 and Evolution
eM0DM Line Cards have the same appearance.
VT iDirect Secure Satellite Broadband Solutions Page 27 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Figure 6 – Evolution eM1D1 Line Card
2.6 Operational Environment
The modules’ firmware, iDX version 2.3.1, runs on Linux OS version 2.6.17.8-uc0-iDirect0 for all the
platforms. The operating system protects memory and process space from unauthorized access. The
firmware integrity test protects against unauthorized modification of the modules itself.
2.7 Cryptographic Key Management
The cryptographic modules implement the FIPS-Approved algorithms shown in Table 10:
Table 10 – FIPS-Approved Algorithm Implementations
Certificate
Algorithm
Number
AES15 in CBC16 and CFB17 modes – encrypt/decrypt 256-bit key 1944
(Software Implementation)
AES in CBC mode – encrypt/decrypt 256-bit key (Hardware 1945
Implementation)
15
AES – Advanced Encryption Standard
16
CBC – Cipher-Block Chaining
17
CFB – Cipher Feedback Mode
VT iDirect Secure Satellite Broadband Solutions Page 28 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Certificate
Algorithm
Number
SHA18-1 1709
HMAC SHA-1 1173
19
RSA ANSI X9.31 Key Generation – 2048-bit key 1007
RSA sign/verify – 1024-bit to 2048-bit keys 1007
ANSI20 x9.31 Appendix A.2.4 Pseudo Random Number 1024
Generator (PRNG)
Additionally, the modules utilize the following non-FIPS-Approved algorithm implementation, which are
allowed in a FIPS-Approved mode of operation:
• Diffie-Hellman 1024 bits key (PKCS#3, key agreement/key establishment methodology provides
80 bits of encryption strength)
• Non-FIPS Approved PRNG for seeding the ANSI X9.31 PRNG
• RSA 2048 bits key encrypt/decrypt (PKCS#1, key wrapping; key establishment methodology
provides 112 bits of encryption strength)
• PBKDF21 (SP800-132, Non-Approved)
Additional information concerning SHA-1, Diffie-Hellman key agreement/key establishment, RSA key
signatures and ANSI X9.31 and specific guidance on transitions to the use of stronger cryptographic keys
and more robust algorithms is contained in NIST Special Publication 800-131A.
The modules support the following critical security parameters a described in Table 11.
Table 11 – List of Cryptographic Keys, Cryptographic Key Components, and CSPs
Key
Generation
/Component/ Key Type Output Storage Zeroization Use
/ Input
CSP
iDirect Signed RSA 2048-bit Externally Never exits Hard-coded Never Performs firmware
Key public key generated the module in the module zeroized integrity check
during power-up
and upgrade
Dynamic AES-256 CBC Externally Never exits Resides in By global Provides
Ciphertext key generated, the module volatile zeroize confidentiality to
Channel (DCC) entered in memory in command data over Satellite
Key encrypted plaintext channel
form
Secured Session AES-256 CBC Generated Never Resides in Zeroized Provides secured
Key key internally volatile after session channel for
using Diffie- memory in is over management
Hellman plaintext
18
SHA – Secure Hash Algorithm
19
RSA – Rivest, Shamir, and Adleman
20
ANSI – American National Standards Institute
21
PBKDF – Password Based Key Derivation Function
VT iDirect Secure Satellite Broadband Solutions Page 29 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Key
Generation
/Component/ Key Type Output Storage Zeroization Use
/ Input
CSP
Acquisition AES-256 CBC Externally Never exits Resides in By global Encrypts all traffic
Ciphertext key generated, the module volatile zeroize and traffic headers
Channel (ACC) entered in memory in command required for a
Key plaintext form plaintext; remote to acquire
resides in the network
plaintext in
non-volatile
memory
Link Encryption AES-256 CBC Internally Exits in Resides in Zeroized Provides
Key and CFB key generated or encrypted volatile after session confidentiality to
entered in form memory in is over Layer 3 data
encrypted plaintext
form
RSA Private Key RSA 2048-bit Internally Exits in In flash in By global Authenticates TLS
private key generated plaintext, plaintext zeroize channel and
can be command transports Global
viewed by Session Key and
the Crypto- Link Encryption
Officer in Key
plaintext
RSA Public Key RSA 2048-bit Internally Exits in In flash in By global Authenticates TLS
public key generated plaintext, plaintext zeroize channel and
can be command transports Global
viewed by Session Key &
the Crypto- Link Encryption
Officer in Key
plaintext
Certificates X.509 digital Externally Exits in In flash in By global Used for hub and
issued by the certificates generated, encrypted plaintext zeroize remote unit
iDirect entered in form command validation
Certificate encrypted
Authority (CA) form
Foundry
Diffie-Hellman 1024-bit DH Internally Never exits Resides in Zeroized Establishes
private key private generated the module volatile after session Secured Session
exponent memory in is over Key during SSH or
plaintext TLS sessions
Diffie-Hellman 1024-bit DH Internally Exits Resides in Zeroized Establishes
public key public exponent generated electronicall volatile after session Secured Session
y in plaintext memory in is over Key during SSH or
form plaintex TLS sessions
SSH
HMAC-SHA1 Generated Never exits Stored inside By global It is used for data
Authentication
internally the module the volatile zeroize authentication
Key
memory in command during SSH
plaintext, sessions
inside the
module
Crypto-Officer Password Entered in Never exits Hash value of By global Enables Crypto-
Password plaintext the module the password zeroize Officer role
is stored in command
flash
VT iDirect Secure Satellite Broadband Solutions Page 30 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Key
Generation
/Component/ Key Type Output Storage Zeroization Use
/ Input
CSP
User Password Password Entered in Never exits Hash value of By global Enables the User
plaintext the module the password zeroize role
is stored in command
flash
ANSI X9.31 16 bytes of seed Independently Never exits Resides in Zeroized Seeds the ANSI
PRNG Seed generated by the module volatile after session X9.31 PRNG
the non- memory in is over
approved plaintext
PRNG
ANSI X9.31 32 bytes of seed Independently Never exits Resides in Zeroized Seeds the ANSI
PRNG Seed key generated by the module volatile after session X9.31 PRNG
Key the non- memory in is over
approved plaintext
PRNG
HMAC Key HMAC SHA-1 Internally Exits in Resides in Zeroized Securely exchange
Generated plaintext volatile after session information during
memory in is over SSH session
plaintext
The iDirect Signed Key is a 2048-bit RSA public key hard-coded into the modules. This key is externally
generated and is used for verifying the integrity of the modules’ firmware during power-up and upgrade.
The iDirect Signed Key is stored in flash and never zeroized.
DCC keys are AES CBC 256-bit keys that are used to encrypt/decrypt routing traffic flowing across the
satellite network. AES cipher operation using DCC keys is performed by the FPGA implementation of the
modules. These keys are generated by the Protocol Processor blade, external to the cryptographic boundary
and entered into the modules in encrypted form (RSA key transport). The modules do not provide any
Application Programming Interface (API) access to the DCC keys. These AES keys are stored in volatile
memory in plaintext and can be zeroized by using the global zeroize command issued from the CLI.
Secured Session keys are also AES CBC 256-bit keys that are used to provide a secure management session
over SSH and TLS. The Secured Session Key is generated internally during DH key agreement. The AES
key is stored only in volatile memory and is zeroized upon session termination.
ACC keys are AES CBC 256-bit keys used to encrypt all traffic and traffic headers that are required for a
remote to acquire the network. AES cipher operation using ACC keys is performed by the FPGA
implementation of the module. These keys are generated by the Protocol Processor blade, external to the
cryptographic boundary and entered into the module in encrypted form. When a remote has not been in the
network for a long period of time (approx. 2 months) or when a new remote joins the network, it cannot
transmit and receive data without the ACC key. In such cases, the ACC key has to be entered by the
Crypto-Officer through the secure console port. The AES keys are stored in volatile memory and in non-
volatile memory in plaintext. The modules do not provide any Application Programming Interface (API)
access to the ACC keys. They can be zeroized by using the global zeroize command issued from the CLI.
When a modem is configured to have link encryption enabled, it will generate a Link Encryption Key upon
initialization. A Link Encryption Key is a 256-bit AES key with CBC or CFB mode. A link Encryption
Key is the unique key used to encrypt and decrypt Layer 3 data with a remote. Each remote uses a different
Link Encryption Key. Notice that in the FIPS mode of operation, link encryption without TRANSEC is not
allowed.
VT iDirect Secure Satellite Broadband Solutions Page 31 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
The RSA public and private key pair is generated internally by the modules and is used for TLS
authentication, key transport. The key pair is stored in flash in plaintext and zeroized by the global zeroize
command (“zeroize allâ€). The RSA key pair can be viewed by the Crypto-Officer in plaintext. At least two
independent actions are required to view the RSA private key.
The X.509 certificates on the hubs and remotes are issued by iDirect’s CA Foundry as per the instructions
in the iBuilder User Guide. These certificates are used in a TRANSEC network for remote and hub unit
validation. The certificates are stored in flash in plaintext and zeroized by the global zeroize command
(“zeroize allâ€).
The modules perform key agreement during SSH sessions using DH (1024-bit exponent) mechanism. The
DH private key is calculated during session initialization and resides only in volatile memory in plaintext.
The modules do not provide any API to access the DH private key. The private key is zeroized after the
session is over.
The Crypto-Officer and the User enters passwords to request access. The modules store a SHA-1 based
hash value for each password onto the flash and never exports it. The hash value can be zeroized by using
the modules’ zeroization command.
The X9.31 PRNG seed and seed keys are generated from the internal non-FIPS Approved PRNG. These
values are stored in volatile memory and can be destroyed by powering down the modules.
2.8 Self-Tests
If any of the power-up or conditional self-tests fail, the modules write an indicator message in the Event
log, and transitions to an error state in which all interfaces except the console port are disabled. At this
point, data input and data output are inhibited.
An exception to the above paragraph is if the module fails a firmware upgrade test. The firmware upgrade
test causes the module to enter a transient error state, which outputs an error indicator and then transitions
the module to a normal operational state.
The Crypto-Officer may execute on demand self-tests by resetting the module or cycling the modules’
power.
2.8.1 Power-Up Self-Tests
The Secure Satellite Broadband Solutions perform the following self-tests at power-up:
• Firmware integrity check using a RSA digital signature
• Known Answer Tests (KATs)
AES CBC 256-bit key KAT for encrypt/decrypt (FPGA)
AES CFB 256-bit key KAT for encrypt/decrypt (Firmware)
Triple-DES CBC KAT for encrypt/decrypt22
RSA KAT for sign/verify
X9.31 PRNG KAT
The modules do not perform an independent SHA-1 KAT. The full functionality of the SHA-1
implementation is tested as part of the modules’ firmware integrity test, which uses a FIPS-Approved RSA
digital signature verification mechanism.
22
The Triple-DES algorithm is not available for use even though the KAT is performed. Failure of this KAT will result
in an error.
VT iDirect Secure Satellite Broadband Solutions Page 32 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
2.8.2 Conditional Self-Tests
The Secure Satellite Broadband Solutions perform the following conditional self-tests:
• Continuous random number generator test
• Continuous random number generator test for the entropy gathering
• RSA pair wise consistency check
• Firmware upgrade test
2.9 Design Assurance
VT iDirect utilizes Concurrent Versioning Systems (CVS) for its version control system. VT iDirect
maintains a unique branch for each major release and on occasion creates branches for special or
experimental releases. The FIPS-specific version of VT iDirect firmware is maintained on a dedicated
branch, with strict controls on any modification. VT iDirect refers to its entire firmware package as iDX.
VT iDirect maintains all project software, configuration files, documentation, FPGA code, bill of material),
3rd party software, and 3rd party binary executables within its Configuration Management system.
Additionally, Microsoft Visual SourceSafe version 6.0 was used to provide configuration management for
the modules’ FIPS documentation. A revision history is maintained by Visual SourceSafe.
2.10 Mitigation of Other Attacks
This section is not applicable. The modules do not claim to mitigate any attacks beyond the FIPS 140-2
Level 1 requirements for this validation.
VT iDirect Secure Satellite Broadband Solutions Page 33 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
3 Secure Operation
The Secure Satellite Broadband Solutions meet overall Level 1 requirements for FIPS 140-2. The sections
below describe how to place and keep the module in FIPS-approved mode of operation.
3.1 Crypto-Officer Guidance
The Crypto-Officer is responsible for installing, configuring, and monitoring the modules. For any
questions or if issues arise at any point during the installation, configuration, and daily operation of
the modules, contact the VT iDirect support teams:
• For iDirect Government Technologies (iGT) customers, at +1 703 648-8111 or
http://tac.idirectgt.com.
• For VT iDirect Customers, +1 703-648-8151 or http://tac.idirect.net.
The Crypto-Officer can access the modules locally over the console port or remotely over a secured
session. Remote secured sessions are provided via TLS, SSH, or the satellite channel.
3.1.1 Initialization
While the modules are shipped with the Linux OS configured for single user mode, they must be
configured for use in a TRANSEC-enabled network using a TRANSEC-enabled Protocol Processor and the
iBuilder application. All network elements that subsequently created under a TRANSEC-enabled protocol
processor will become part of the TRANSEC-compliant network.
This process involves configuring each respective module in iBuilder (entering the device type, serial
number, Satellite and LAN23 IP addresses, db threshold, etc.), uploading the resulting “options fileâ€, issuing
the Certificate Authority (CA) via the CA Foundry utility in the Network Management Server (NMS), un-
checking the “Disable Authentication†option in iBuilder and finally re-uploading the new options file and
resetting each module. The resulting TRANSEC-enabled network operates in the FIPS-Approved mode.
Note that, while operating in the FIPS-Approved mode of operation, no bypass services are supported. In-
depth and detailed guidance for configuring, operating, and maintaining an iDirect satellite network is
detailed in the iDirect Network Management System iBuilder's User Guide.
The Crypto-Officer should monitor the modules’ status by regularly checking the Statistics log information.
If any irregular activity is noticed or the module is consistently having errors, then iDirect Technologies
customer support should be contacted.
3.1.2 Management
According to FIPS 140-2 requirements, the operating system of the modules must be configured in the
single user mode. For a Linux operating system to be in the single user mode, it must meet the following
requirements:
• All login accounts except “root†should be removed.
• Network Information Service (NIS) and other named services for users and groups need to be
disabled.
• All remote login, remote command execution, and file transfer daemons should be turned off.
iDirect follows the following procedures to configure Linux operating system in single user mode:
1. Log in as the “root†user.
23
LAN – Local Area Network
VT iDirect Secure Satellite Broadband Solutions Page 34 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
2. Edit the system files /etc/passwd and /etc/shadow and remove all the users except “root†and the
pseudo-users. Make sure the password fields in /etc/shadow for the pseudo-users are either a star
(*) or double exclamation mark (!!). This prevents login as the pseudo-users.
3. Edit the system file /etc/nsswitch.conf and make “files†the only option for “passwdâ€, “groupâ€, and
“shadowâ€. This disables NIS and other name services for users and groups.
4. Reboot the system for the changes to take effect.
When the modules are received by the Crypto-Officer, the Linux operating system has already been
configured in the single user mode. It is suggested that the Crypto-Officer confirm that the above steps
have been taken in order to ensure that the operating system is in fact running in single user mode.
By default the modules are not usable in the network. In order to initialize the modules, the Crypto-Officer
must define the modules in their iBuilder under a TRANSEC enabled protocol processor and generate
options for the modules. For detailed information on initialization, please refer to the iDirect Network
Management System iBuilder's User Guide.
3.2 User Guidance
The User role is able to access the modules over the satellite network and execute commands that are not
security-relevant. See Table 6, Table 7, and Table 8 for a list of commands available to the User role.
3.3 Client User Guidance
The Client User role utilizes the modules’ traffic routing services. The Client User role is implicitly
assumed by a network device or application routing traffic through the modules. There are no special
instructions for the Client User to use the modules securely. The Client User should make sure the network
is configured with TRANSEC feature (i.e. the FIPS mode of operation) before participating in the network.
VT iDirect Secure Satellite Broadband Solutions Page 35 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
4 Acronyms
Table 12 lists all of the acronyms used throughout this document.
Table 12 – Acronyms
Acronym Definition
AES Advanced Encryption Standard
ANSI American National Standards Institute
API Application Programming Interface
BNC Bayonet Neill-Concelman connector
BUC Block Up-Converter
CA Certificate Authority
CBC Cipher Block Chaining
CFB Cipher Feedback Mode
CLI Command Line Interface
CMVP Cryptographic Module Validation Program
CPU Central Processing Unit
CSEC Communications Security Establishment Canada
CSP Critical Security Parameter
CVS Concurrent Versioning System
DH Diffie-Hellman
DVB-S2 Digital Video Broadcast – Satellite – Second Generation
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FIPS Federal Information Processing Standard
FPGA Field Programmable Gate Array
GPIO General Purpose Input/Output
GPS Global Positioning System
HDLC High-Level Data Link Control
ICMP Internet Control Message Protocol
IP Internet Protocol
KAT Known Answer Test
LAN Local Area Network
LC Line Card
LED Light Emitting Diode
LNB Low Noise Block
VT iDirect Secure Satellite Broadband Solutions Page 36 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Security Policy, Version 1.2 April 15, 2012
Acronym Definition
MAC Media Access Control
MHz Mega Hertz
MUX Multiplexer
NIS Network Information Service
NIST National Institute of Standards and Technology
NMS Network Management Server
OOB Out of Band
OS Operating System
PCB Printed Circuit Board
PCI Peripheral Component Interconnect
PKCS Public Key Cryptography Standard
PRNG Pseudo Random Number Generator
QoS Quality of Service
RF Radio Frequency
RJ Registered Jack
RS-232 Recommended Standard 232
RSA Rivest Shamir and Adleman
Rx Receiver Coaxial Connector
SHA Secure Hash Algorithm
SMA SubMiniature version A
SSH Secure Shell
TDES Triple Data Encryption Standard
TDMA Time Division Multiple Access
TLS Transport Layer Security
TRANSEC Transmission Security
Tx Transmitter Coaxial Connector
ULC Universal Line Card
VPN Virtual Private Network
VT iDirect Secure Satellite Broadband Solutions Page 37 of 38
© 2012 VT iDirect, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
Prepared by:
Corsec Security, Inc.
13135 Lee Jackson Memorial Hwy, Suite 220
Fairfax, VA 22033
United States of America
Phone: +1 (703) 267-6050
Email: info@corsec.com
http://www.corsec.com