Nokia VPN Appliance FIPS 140-2 Cryptographic Module Security Policy Level 2 Validation Version 1.2 November 2008 Module Hardware Versions: IP390 and IP560 Firmware Version: IPSO v4.1 and Check Point VPN-1 NGX (R60) [HFA-03] © Copyright 2006, 2007, 2008 Nokia This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table of Contents 1 INTRODUCTION....................................................................................................... 3 1.1 PURPOSE .............................................................................................................. 3 1.2 REFERENCES ........................................................................................................ 3 2 NOKIA VPN APPLIANCE......................................................................................... 4 2.1 OVERVIEW ............................................................................................................ 4 2.2 CRYPTOGRAPHIC MODULE ..................................................................................... 5 2.3 MODULE INTERFACES............................................................................................. 7 2.4 ROLES AND SERVICES ............................................................................................ 9 2.4.1 Crypto Officer Role........................................................................................ 9 2.4.2 User Role .................................................................................................... 14 2.4.3 Authentication Mechanisms......................................................................... 15 2.5 ELECTROMECHANICAL INTERFERENCE/COMPATIBILITY (FCC COMPLIANCE) ............. 17 2.6 PHYSICAL SECURITY ............................................................................................ 17 2.7 OPERATIONAL ENVIRONMENT ............................................................................... 17 2.8 CRYPTOGRAPHIC KEY MANAGEMENT .................................................................... 17 2.8.1 Key Generation ........................................................................................... 23 2.8.2 Key Establishment....................................................................................... 23 2.8.3 Key Entry and Output .................................................................................. 23 2.8.4 Key Storage................................................................................................. 24 2.8.5 Key Zeroization ........................................................................................... 24 2.9 SELF-TESTS ........................................................................................................ 25 2.10 DESIGN ASSURANCE ............................................................................................ 26 2.11 MITIGATION OF OTHER ATTACKS ........................................................................... 26 3 SECURE OPERATION (APPROVED MODE) ........................................................ 27 3.1 CRYPTO OFFICER GUIDANCE ................................................................................ 27 3.1.1 Hardware Setup .......................................................................................... 27 3.1.2 Installing the Module Firmware.................................................................... 30 3.1.3 Initializing Check Point Modules.................................................................. 30 3.1.4 Setting the Module to FIPS Mode................................................................ 31 3.1.5 Initializing the Remote Management of the Module..................................... 31 3.1.6 Management and Monitoring....................................................................... 33 3.2 USER GUIDANCE ................................................................................................. 38 APPENDIX A ­ DISABLED MECHANISMS................................................................. 40 APPENDIX B ­ ALGORITHM VALIDATION CERTIFICATE NUMBERS .................... 41 APPENDIX C ­ ACRONYM DEFINITIONS ................................................................. 43 © Copyright 2006, 2007, 2008 Nokia Page 2 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 INTRODUCTION 1.1 Purpose This document is a nonproprietary Cryptographic Module Security Policy supporting the Nokia VPN Appliance family that has been designed to meet the Reduction of Hazardous Material Standard (RoHS). This security policy describes the Nokia VPN Appliance and describes how it meets the security requirements of FIPS 140-2. It also describes how to run the module in an Approved FIPS 140-2 mode of operation. This document was prepared as part of the FIPS 140-2 Level 2 validation of the module. The modules covered in this Security Policy are the IP390 and the IP560. These modules implement the IPSO 4.1 operating system and the Check Point VPN -1 NGX (R60) firmware. The Nokia VPN Appliances are referenced collectively in this document as IP security platforms, security platforms, platforms, and the module(s). Specific differences between module hardware versions are pointed out where relevant. 1.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. The Nokia Web site (http://www.nokia.com/) contains information on the full line of products from Nokia. Additional information regarding the Check Point VPN-1 firmware that is used inside the Nokia VPN Appliances, including specific configuration instructions for the firmware can be found by referencing the Check Point VPN-1 FIPS 140-2 security policy, available at the following URL: http://csrc.nist.gov/groups/STM/cmvp/documents/140- 1/140sp/140sp722.pdf © Copyright 2006, 2007, 2008 Nokia Page 3 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 NOKIA VPN APPLIANCE 2.1 Overview The Nokia VPN Appliances are IP security platforms designed to provide a secure, reliable, and manageable integrated security solution for secure Internet communication and access control for networks. The security platforms combine the security-hardened operating system, IPSO, with the market-leading Check Point VPN-1 firmware suite on a purpose-built security hardware platform. As network devices, the Nokia VPN Appliances support a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2, IGRP, OSPF and BGP4 for unicast traffic and DVMRP for multicast traffic. Some highlighted security features of the Nokia VPN Appliances are: · Read/write and read-only access modes · Screening of all incoming communications to ensure authorized user access · SSH-secured remote management of the modules (IPSO) · SSHv2 supported · TLS-secured remote management of Check Point applications · Secure VPN between subsystems · Multiple layers of authentication required when accessing the remote management interface for IPSO The Nokia VPN Appliances are rack mounted devices that are differenti- ated through their internal CPU processors and performance levels. The modules are designed to efficiently support real-world, mixed traffic solutions. As VPN platforms, all modules greatly accelerate the embedded Check Point VPN-1/FireWall-1 performance by using the Nokia Firewall Flows. VPN performance is enhanced through the use of internal hardware cryptographic acceleration. The following chart illustrates the performance differences of the modules covered by this Security Policy: Model CPU Type Firewall Speed VPN Speed (AES) IP390 Celeron M 3.0 Gbps 500 Mbps IP560 Xeon 6.0 Gbps 1.78 Gbps © Copyright 2006, 2007, 2008 Nokia Page 4 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.2 Cryptographic Module The Nokia VPN Appliances were tested as multi-chip standalone cryptographic modules. Each module's metal enclosure physically encloses the complete set of hardware and firmware components, and represents the cryptographic boundary of each module. The cryptographic module supports the following hardware versions: IP390 ­ full width 1U rack mount IP560 ­ full width 1U rack mount The Nokia VPN Appliances run the Nokia proprietary, security-hardened IPSO operating system along with a binary image of the Check Point VPN-1 cryptographic firmware for VPN and firewall functionalities. The IP560 hardware chassis includes support for Field Replaceable Unit (FRU) upgrades to fans and power supplies (replaced with identical components). However, all FRU upgrades are performed by the factory or a reseller prior to delivery of the module to the end user. The end-user has no option to service or install these internal components. All FRU component slots are secured with tamper seals (see Section 3.1.1.1) for FIPS mode. The IPSO OS and the module's physical hardware chassis and computing platform provide the operational environment upon which the Check Point VPN-1 application binary executes. The following firmware combination was used for the FIPS 140-2 validation testing covered by this Security Policy: IPSO v4.1[build 020] with Check Point VPN-1 NGX (R60) [HFA-03] The cryptographic modules implement a version of Check Point firmware that has been previously validated under FIPS 140-2. However, the Nokia IPSO operating system and VPN Appliance hardware combination constitute different operational environments for the Check Point firmware; therefore the Check Point module binary image was packaged into each of the Nokia VPN Appliance configurations and was retested as part of the complete Nokia VPN Appliance FIPS 140-2 solution. FIPS Algorithm validation testing was performed and validation certificates obtained for all Approved cryptographic functions implemented by the modules covering all hardware and firmware configurations listed in this document. This includes separate algorithm validations for algorithms implemented by IPSO, the Check Point VPN-1 firmware, and hardware accelerator chips. See Section 2.8 for a list of algorithms implemented. See Appendix B for a list of the Approved algorithm validation certificate numbers. © Copyright 2006, 2007, 2008 Nokia Page 5 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The modules operate in both a non-Approved and Approved FIPS 140-2 mode of operation. Only approved cryptographic algorithms and security functions are allowed in the approved mode of operation. The modules are intended to meet overall FIPS 140-2 Level 2 requirements. The following table presents the individual FIPS 140-2 compliance areas and the Security Levels to which the modules were tested: FIPS 140-2 Level DTR Requirements Section Title Tested Section 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key Management 2 8 EMI/EMC 2 9 Self-tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks N/A Table 1 ­ Intended Level Per FIPS 140-2 © Copyright 2006, 2007, 2008 Nokia Page 6 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.3 Module Interfaces The security platforms provide a number of physical ports: IP390 IP560 10/100/1000 Ethernet Ports (standard) 4 4 Auxiliary Port (Disabled) 1 1 Console Port 1 1 I/O Option Slots (for adding 1000BaseT 2 4 or 1000 Mbps fiber Ethernet, V.35, or X.21 protocol options) PCMCIA Slots (Not present in IP560; 2 N/A Disabled by IPSO in IP390) Power Switch 1 1 Reset Switch 1 1 Status LEDs Rear Power Indicator (no LED) 1 labeled 1 power led build into toggle switch built into the removable fan and power supply power supply (The power supply also has 1 power supply fault and 1 power supply overtemp LED) Front Power Indicator (Logo illuminates) (Logo illuminates) Front Fault Indicator (see Table 3) 1 1 Ethernet Port status (green indicates 1 1 built in, additional connection, yellow blinking indicates depending on number data being transmitted) of I/O option cards installed Table 2 ­ FIPS 140-2 Physical Ports © Copyright 2006, 2007, 2008 Nokia Page 7 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table 3 ­Descriptions of the Fault Status © Copyright 2006, 2007, 2008 Nokia Page 8 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The physical ports are separated into logical interfaces defined by FIPS 140-2, as described in Table 4. Module Physical Port FIPS 140-2 Logical Interface Network ports Data input interface Network ports Data output interface Network ports, console port, Control input interface power switch, reset switch Network ports, console port, Status output interface LEDs Power plug, Power switch Power interface Table 4 ­ FIPS 140-2 Logical Interfaces Data input and output, control input, and status output are defined as follows: · Data input and output are the packets that use the firewall, VPN, and routing functionalities of the modules. · Control input consists of manual control inputs for power and reset through the power and reset switch. It also consists of all of the data that is entered into the module while using the management interfaces. · Status output consists of the status indicators displayed through the LEDs and the status data that is output from the modules while using the management interfaces. The modules distinguish between different forms of data, control, and status traffic over the network ports by analyzing the packets header information and contents. 2.4 Roles and Services The modules support role-based authentication. The two main roles in the modules (as required by FIPS 140-2) that operators can assume are: a Crypto Officer role and a User role. 2.4.1 Crypto Officer Role The Crypto Officer role can configure, manage, and monitor the module. Three management interfaces can be used for this purpose: · CLI ­ the Crypto Officer can use the CLI to configure and monitor IPSO systems. There are two ways to access the Crypto Officer role through the CLI. Access can be provided for the Crypto Officer locally by using the console port or remotely by using the SSH secured management session. © Copyright 2006, 2007, 2008 Nokia Page 9 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · SmartDashBoard ­ the Check Point TLS-secured management interface. The Crypto Officer can use this interface after the initial configuration of the Check Point module through the CLI. The TLS client RSA public key is used for authentication during TLS session establishment. Figure 1 ­ Easy to Use Check Point Management Tools Descriptions of the services available to the Crypto Officer role are provided in Table . Service Description Input Output Critical Security Parameter (CSP) Access Startup Provide network connectivity and set Commands Status of Admin password configuration a password for the admin account and commands (read/write access) configuration and data(via local configuration console) data Firmware loading Provide for the loading of firmware Commands Status of Admin password and commands (read/write access) (Not allowed in configuration and FIPS mode) data(via local configuration console) data SSH Provide authenticated and encrypted SSH key SSH outputs RSA or DSA host key sessions while using the CLI agreement and data pair (read access); (SSHv2) RSA or DSA parameters, authorized key (read SSH inputs, access); Diffie- and data Hellman key pair for SSHv2 key exchange © Copyright 2006, 2007, 2008 Nokia Page 10 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Service Description Input Output Critical Security Parameter (CSP) Access (read/write access); session key for SSH (read/write access); X9.31 PRNG keys (read access) TLS Provide authenticated and encrypted TLS TLS outputs RSA key pair for TLS sessions while using the Check Point handshake and data key transport (read management interface parameters, access); session TLS inputs, keys for TLS and data (read/write access); X9.31 PRNG keys (read access) Boot manager Control the boot-up process and Commands Status of Password (read/write commands obtain system information and commands access) configuration and configur- data ation data Interface Configure, manage, and view Commands Status of None commands physical and logical interfaces and commands through the CLI: view all interfaces; configuration and delete any logical interface; view data configuration IPsec VPN tunnels; view status and data statistics; configure ARP behavior, physical and logical ATM interfaces, physical and logical Ethernet interfaces, physical and logical FDDI interfaces, physical and logical ISDN interfaces, physical or logical loopback interfaces, and physical and logical serial interfaces Routing Configure, manage, and view the Commands Status of None commands routing protocols through the CLI: and commands configure, manage, and view BGB configuration and BGP, OSPF, RIP, IGRP, IGMP, PIM, data configuration route aggregation, BOOTP, DVMRP, data static routes,, ICMP router discovery, IP broadcast helper, Network Time Protocol, and dial on demand routing; configure a variety of miscellaneous options that affect routing; configure trace routing settings; view summary information about routes on the system; view general information that the IPSO routing daemon records; view information about multicast forwarding cache © Copyright 2006, 2007, 2008 Nokia Page 11 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Service Description Input Output Critical Security Parameter (CSP) Access Network Security Configure, manage, and view the Commands Status of Admin, monitor, user and Access security and access features through and commands passwords; shared commands the CLI: configure and view network configuration and secret for RADIUS; access; add firmware licenses to the data configuration shared secret for platform; configure Authentication, data TACPLUS; SSH host Authorization, and Accounting (AAA); keys; SSH authorized enable and disable and configure keys; Read/write SSH services; add and delete new access for all CSPs system users; create and delete groups, and add and remove members; enable and disable a VPN accelerator card; display VPN accelerator status or statistics Traffic Configure, manage, and view traffic Commands Status of None management management functionality through and commands commands the CLI: configure an access list to configuration and control the traffic from one or more data configuration interfaces; create or delete existing data aggregation classes and modify the mean rate or burst size; configure depth of queues, assign logical names to some of the queues, and set up a queue specifier; add, delete, or show ATM QoS descriptors; add, delete, or show association of ATM QoS descriptors with ATM VCs; show available or reserved bandwidth on an ATM interface; enable and disable DSCP to VLAN mapping System Configure, manage, and view system Commands Status of None configuration configuration settings through the and commands commands CLI: view the platform configuration; configuration and configure the system to perform data configuration regularly scheduled backups (manual data backups not allowed in FIPS mode); schedule regular jobs; configure system failure; configure domain name and domain name servers; configure static host names for particular IP addresses; configure host name of platform; manage IPSO images; manage configuration sets; manage relay configuration; configure network system logging; configure the date and time; view date and time settings; view the disks that IPSO detects on local system; specify other systems as network time protocol servers or peers; display information about packages © Copyright 2006, 2007, 2008 Nokia Page 12 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Service Description Input Output Critical Security Parameter (CSP) Access installed on the local system IPv6 commands Configure, manage, and view IPv6 Commands Status of None settings through the CLI: show a and commands (the use of IPv6 summary of IPv6 configuration; configuration and tunneling* is associate and disassociate an IPv6 data configuration independent of address with a logical interface, data encryption. The IKE anycast address, or IPv6 address service handles any family; map an IPv6 address to a encryption for a physical machine address route) recognized in the local network; *encapsulating IPv6 create IPsec VPN tunnels by using packets into IPv4 specific encapsulation schemes; packets for configure and delete an IPv6 transmission across interface to IPv4 interface; create, networks that are not enable, or disable an IPv6 interface IPv6 aware attached to an IPv4 network that does not have IPv6 native support; configure IPv6 routing; add and delete logical IPv6 hosts; enable and disable network access and view current status of network access Monitoring Configure, manage, and view Commands Status of None commands monitoring settings through the CLI: and commands, configure CPU utilization reports, configuration configuration memory utilization reports, interface data data, and linkstate reports, rate shaping status bandwidth reports, interface information throughput reports by turning data collection on or off and setting the data collection time interval; display interface settings, system logs, system statistics, interface monitor, resource statistics, forwarding table, system status information Check Point's CLI Initial configuration of the Check Command Status of One-time SIC commands Point firmware: install licenses, (cpconfig), commands password (read/write modify the list of UNIX groups menu options, and menu access) authorized to run VPN-1 services, and options and register a cryptographic token, configuration status configure the one-time SIC information information password, and specify whether the (configuration VPN-1 services should automatically information) start at boot time Check Point Create and configure users and user Commands Status of None SmartDashBoard groups: define users and user and commands services groups; create permission for configuration and © Copyright 2006, 2007, 2008 Nokia Page 13 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Service Description Input Output Critical Security Parameter (CSP) Access individual users or a whole group of data (policy configuration users; set permissions such as files) data (policy access hours, user priority, files) authentication mechanisms, protocols allowed, filters applied, and types of encryption Define and implement security Commands Status of None policies: configure and install security and commands policies that are applied to the configuration and network and users. These policies data (policy configuration contain a set of rules that govern the files) data (policy communications flowing into and out files) of the module, and provide the Crypto Officer with a means to control the types of traffic permitted to flow through the module. Management of keys: configure the Commands Status of RSA key pair for IKE digital certificates and/or pre-shared and commands (read/write access); keys for use by IKE for authentication configuration and pre-shared keys for data (policy configuration IKE (read/write files) data (policy access) files) Initialization of Secure Internal Commands Status of RSA key pair for TLS Communication (SIC): establish trust and commands (read/write access) between management server and the configuration module to allow configuration of the data (SIC module's services policy) Monitoring: provides detailed Commands Status of None information for both monitoring of commands connection activities and the system and status status information (logs) Table 5 ­ Crypto Officer Services, Descriptions, Inputs, and Outputs 2.4.2 User Role The User role accesses the module IPSec and IKE services. Service descriptions, inputs, and outputs are listed in Table . Service Description Input Output CSP IKE Access the module IKE IKE inputs and data IKE outputs, RSA key pair for functionality to status, and data IKE (read authenticate to the access); Diffie- module and negotiate IKE Hellman key and IPSec session keys pair for IKE (read/write access); pre- shared keys for © Copyright 2006, 2007, 2008 Nokia Page 14 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Service Description Input Output CSP IKE (read access) IPSec Access the module's IPSec inputs, IPSec outputs, Session keys for IPSec services in commands, and status, and data IPSec order to secure data (read/write network traffic access) Table 6 ­ User Services, Descriptions, Inputs and Outputs 2.4.3 Authentication Mechanisms The modules implement password-based authentication (console and SSH), RSA-based authentication (TLS, IKE and SSH), DSA-based authentication (SSH). HMAC SHA-1 is used for data packet integrity during authentication functions (IKE with pre-shared keys). 2.4.3.1 Crypto Officer Authentication The Crypto Officer must successfully authenticate before a management interface can be accessed. The authentication methods are described below. · CLI (local) ­ the Crypto Officer must authenticate by using user ID and password. The password must be at least six characters long. Numeric, alphabetic (upper and lowercase), and keyboard and extended characters can be used. The local interface is also used to establish the keys necessary for authentication when using the two alternate methods of communication to perform. Before the alternate methods can be used key pairs are generated outside the module and then the public key is loaded by the Crypto Officer after local authentication. The SSH session requires that the client Diffie-Hellman public key is loaded into the module. For TLS the client RSA public key is loaded. · CLI (remote) ­The Crypto Officer authenticates during the SSH session establishment. Once a session is established, the Crypto Officer can also be asked to authenticate again by using the user ID and password before the management interface can finally be accessed. · SmartDashBoard (Check Point Management Station) ­ A TLS session is established between the Check Point management station and the VPN Appliance, the Crypto Officer must authenticate with his private key against his pre-loaded digital certificate, issued by a trusted Certification Authority (CA). A TLS © Copyright 2006, 2007, 2008 Nokia Page 15 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. RSA key pair is used for authentication during TLS session establishment. 2.4.3.2 User Authentication User authentication to the module is performed during IKE using digital certificates or pre-shared secret keys. The pre-shared keys must be at least six characters long and use at least four different characters. 2.4.3.3 Estimated Strength of the Authentication Mechanisms The estimated strength of each authentication mechanism implemented by the module is described in Table 7. Authentication One-Time Strength Multiple Attempts Type Strength DSA-based DSA signing and verification is used to authenticate 1500 attempts per minute authentication the module during SSHv2. This mechanism is as possible, resulting in a less (SSHv2) strong as the DSA algorithm using a 1024 bit key than 1 in 8.05*10^20 pair and provides 80 bits of equivalent security. chance per minute RSA-based RSA encryption and decryption is used to 1500 attempts per minute authentication (SSHv2 authenticate the module during SSHv2, and the TLS possible, resulting in a less and TLS handshake) handshake. This mechanism is as strong as the RSA than 1 in 8.05*10^20 algorithm using a 1024 bit key pair and provides 80 chance per minute bits of equivalent security. RSA-based RSA signing and verification is used to authenticate Less than 2 attempts per authentication (IKE) to the module during IKE. This mechanism is as minute possible, resulting strong as the RSA algorithm using a 1024 bit key in a less than 1 in pair and provides 80 bits of equivalent security. 6.04*10^23 chance per minute Pre-shared key-based Pre-shared keys must be at least six characters long Less than 2 attempts per authentication (IKE) and use at least four different characters. Even if minute possible, resulting only uppercase letters were used without repetition in a less than 1 in for a six character pre-shared key, the probability of 82,882,800 chance per randomly guessing the correct sequence is one in minute 165,765,600. HMAC SHA-1 verification is used for additional data packet integrity during IKE negotiations with pre-shared keys. Password-based Passwords are required to be at least six characters Less than 36 attempts per authentication long. Numeric, alphabetic (upper and lowercase), minute possible, resulting and keyboard and extended characters can be used, in a less than 1 in which gives a total of 95 characters to choose from. 8,580,993 chance per Considering only the case-insensitive alphabet using minute a password with repetition, the number of potential passwords is 26^6. Table 7 ­ Estimated Strength of Authentication Mechanisms © Copyright 2006, 2007, 2008 Nokia Page 16 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.5 Electromechanical Interference/Compatibility (FCC Compliance) Each module hardware configuration was tested and found compliant with requirements for a Class A digital device, pursuant to Part 15 of the FCC rules and thus the FIPS 140-2 Level 2 EMI/EMC requirements. 2.6 Physical Security The Nokia VPN Appliances are multi-chip, standalone cryptographic modules. The modules are entirely contained within their respective hard metal enclosure. The enclosures are resistant to probing and are opaque within the visible spectrum. The FIPS hardware configuration(s) of the module include factory-installed lance baffle inserts to protect the front and side vent holes of all enclosures from direct viewing or probing of the module's interior components. Rear vent holes are likewise obscured by internal fan or power supply components. Serially numbered tamper-evident seals provide additional protection to those parts of the module chassis that can be opened or disassembled. The seals provide indications of attempts to tamper with the modules. The tamper-evident seals are affixed to the module by the Crypto Officer in numbers and locations that vary depending on the module hardware version. Specific quantities and locations are described in Section 3.1 "Crypto Officer Guidance" of this document. 2.7 Operational Environment The FIPS 140-2 operational environment requirements do not apply to these modules. The Nokia VPN Appliances do not provide a general- purpose operating system nor do they provide a mechanism to load software. The module operator interacts with the module through customized interfaces that provide only specific command options. 2.8 Cryptographic Key Management Cryptographic algorithms are implemented in firmware by IPSO and Check Point VPN-1 and in hardware by the encryption accelerators. The IPSO operating system provides the capability to use SSHv2 to secure the remote CLI management sessions. The implemented FIPS- approved algorithms include RSA and DSA (SSHv2) for authentication, Triple-DES for data encryption, SHA-1 for data hashing, and HMAC SHA- 1 for data packet integrity. Key establishment is performed by using the Diffie-Hellman key agreement for SSHv2. Check Point provides the capability to use TLSv1 to secure management sessions. The implemented FIPS-approved algorithms include RSA for authentication; DES, Triple-DES, and AES for data encryption; SHA-1 for data hashing; and HMAC SHA-1 for data packet integrity. Key © Copyright 2006, 2007, 2008 Nokia Page 17 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. establishment is performed by using RSA key wrapping. The embedded Check Point application supports IPSec/ESP for data encryption and IPSec/AH for data integrity. The Check Point module implements all IKE modes: main, aggressive, and quick, using ISAKMP according to the standard. IKE uses RSA signatures or pre-shared keys for authentication. Key establishment in IKE is performed by using the Diffie-Hellman key agreement technique. Enhanced VPN performance is achieved by accelerating DES, AES, Triple-DES, and Diffie-Hellman modular exponentiation processing implemented by the Check Point firmware. Hardware acceleration is accomplished either by hard-wired accelerator chips or by optional version-specific internal accelerator cards that are installed by the factory or reseller prior to delivery to the end-user. The IP390 has an onboard accelerator chip and the IP560 uses an accelerator card. Accelerated DES and 1 key Triple DES are non-compliant. Only the FIPS approved Triple- DES and AES encryption algorithms shall be used. Accelerator chips differ only in performance. The module operating system automatically senses the accelerator chip at power on and performs power on self tests on all the functions provided by the appropriate accelerator chip as well as self-tests for all firmware-based cryptographic functions. To summarize, the modules implement the following FIPS-approved and non FIPS-approved algorithms (see Appendix B ­ Algorithm Validation Certificate Numbers for the algorithm certificate numbers of the validated FIPS-approved algorithms): Non FIPS-Approved Data encryption: · Data Encryption Standard (DES) in CBC mode (56 bit keys) ­ according to NIST FIPS PUB 46-3 (withdrawn). · Triple DES (TDES), Keying Option 3 (K3 mode): 1 key Triple DES (non-compliant) ­ according NIST FIPS PUB 46-3 (withdrawn) and NIST Special Publication 800-67. · CAST - Disabled · DES (40 bits) - Disabled · Arcfour - Disabled © Copyright 2006, 2007, 2008 Nokia Page 18 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · Twofish - Disabled · Blowfish - Disabled Data packet integrity: · HMAC MD5 - Disabled Data hashing: · MD5 - Disabled Digital signatures: · DSA (Public key sizes under 1024-bits, private key sizes under 160-bits) Digital signatures and Key transport: · RSA (Key sizes under 1024-bits) Key agreement / Key establishment: · Diffie-Hellman (Public key sizes under 1024-bits, private key sizes under 160-bits) FIPS-Approved Data encryption: · Advanced Encryption Standard (AES) in CBC mode (128 or 256 bit keys) ­ according to NIST FIPS PUB 197. · Triple DES (TDES) in CBC modes (168 bit keys) ­ according NIST FIPS PUB 46-3 (withdrawn) and NIST Special Publication 800-67. Only the FIPS-approved Triple DES and AES encryption algorithms are to be used in FIPS mode. DES and 1 key Triple DES are not FIPS-approved algorithms and should not be used in FIPS mode. Data packet integrity: · HMAC-SHA-1 (20 byte) ­ per NIST FIPS PUB 198, RFC 2104 (HMAC: Keyed-Hashing for Message Authentication), and RFC 2404 (using HMAC-SHA-1-96 within ESP and AH). Data hashing: © Copyright 2006, 2007, 2008 Nokia Page 19 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · Secure Hash Algorithm (SHA-1) ­ according to NIST FIPS PUB 180-1 Digital signature: · Digital Signature Algorithm (DSA) ­ according to NIST FIPS PUB 186-2 with Change Notice 1 Digital signatures and Key transport: · RSA ­ all digital signature implementations are according to PKCS #1 The RSA key wrapping methodologies provide the following encryption strengths during key transport: TLS: provides 80 bits of encryption strength. Only methodologies providing a minimum of 80 bits of encryption strength are allowed in FIPS mode. Encryption strength is determined in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57 (Part 1). Key agreement / Key establishment: · The Diffie-Hellman key agreement key establishment methodology used by the different firmware implementations present in the module (used for IKE and SSHv2) provides the following encryption strengths: o IPSO: methodology provides between 57 and 112 bits of encryption strength o Check Point VPN-1 NGX (R60): methodology provides between 70 and 128 bits of encryption strength. Only methodologies providing a minimum of 80 bits of encryption strength are allowed in FIPS mode. Encryption strength is determined in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57 (Part 1). Pseudo-Random Number Generation: · ANSI X9.31 PRNG This module also implements the following PRNGs, which are not used for cryptographic purposes: © Copyright 2006, 2007, 2008 Nokia Page 20 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · ARC4-based PRNG (used to create "unpredictable" sequence numbers) · Simple Linear Congruential PRNG (used for random head/tail packet discard and salt generation) The module implements the following protocols permitted for use in a FIPS-approved mode of operation: Session security: · SSHv2 (configured to use FIPS-approved algorithms) · TLS v1.0 (configured to use FIPS-approved algorithms) according to RFC 2246 · IPSec (configured to use FIPS-approved algorithms) The module supports the following critical security parameters (Table 8): CSPs CSPs type Generation Storage Use Host RSA v2 key 512-, 640-, 768- Internal ­ Stored in plaintext SSH server pair (default), 864-, 1024-bit using X9.31 on disk authentication (via IPSO) private and public key PRNG (SSHv2) [See footnote 1 pair below table.] Host DSA key pair 160-bit DSA private key Internal ­ Stored in plaintext SSH server (via IPSO) and 1024-bit DSA using X9.31 on disk authentication to public key PRNG client (SSHv2) Authorized RSA v2 1024-bit RSA public External Stored in plaintext Client key key on disk authentication to (via IPSO) SSH server (SSH v2) Authorized DSA 1024-bit DSA public External Stored in plaintext Client key key on disk authentication to SSH server (via IPSO) (SSHv2) TLS RSA key pair 1024-bit RSA private External Stored in plaintext TLS server and public key pair on disk authentication and (via Check Point key transport VPN-1) during TLS handshake TLS client RSA 1024-bit RSA public External Stored in plaintext Client public key key on disk authentication (via Check Point during TLS VPN-1) handshake IKE RSA key pair 1024-bit RSA private External Stored in plaintext Server (via Check Point and public key pair on disk authentication VPN-1) during IKE IKE client RSA 1024-bit RSA public External Stored in plaintext Client © Copyright 2006, 2007, 2008 Nokia Page 21 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. CSPs CSPs type Generation Storage Use public key key on disk authentication (via Check Point during IKE VPN-1) Pre-shared keys 6-character pre-shared External Stored in plaintext Client and server (passwords) key on disk authentication (via Check Point during IKE VPN-1) IKE Diffie-Hellman Diffie-Hellman (160 to External Stored in plaintext Key agreement key pair 256-bit) private/(1024 in memory during IKE (via Check Point to 8192 bit) public key VPN-1) pair [See footnote 2 below table.] Less than 1024-bit public is non-Approved IKE client Diffie- Diffie-Hellman 1024 to External Stored in plaintext Key agreement Hellman public key 8192-bit public key in memory during IKE (via Check Point VPN-1) [See footnote 2 Less than 1024-bit below table.] public is non-Approved SSHv2 Diffie- Diffie-Hellman (320 to Internal ­ Stored in plaintext Key agreement Hellman key pair 384-bit) private/(1024 using X9.31 in memory during SSHv2 (via IPSO) to 2048-bit) public key PRNG [See footnote 2 pair below table.] Less than 1024-bit public is non-Approved SSHv2 client Diffie-Hellman 1024 to External Stored in plaintext Key agreement Diffie-Hellman 2048-bit public key in memory during SSHv2 public key (via IPSO) [See footnote 2 Less than 1024-bit is below table.] non-Approved SSH session keys 168-bit Triple-DES Established Stored in plaintext Secure SSH traffic (via IPSO) keys; HMAC SHA-1 during the in memory keys SSH key exchange using Diffie- Hellman key agreement (SSHv2) TLS session keys 56-bit DES or 168-bit Established Cached to disk Secure TLS traffic (via Check Point Triple-DES keys; during the VPN-1) HMAC SHA-1 key TLS [See footnote 3 handshake below table.] using RSA key transport IPSec session 56-bit DES, 128-bit Established Stored in plaintext Secure IPSec keys Triple-DES, or 128-, during the in memory traffic (via Check Point 256-bit AES keys; Diffie-Hellman VPN-1) HMAC SHA-1 key key [See footnote 3 agreement below table.] © Copyright 2006, 2007, 2008 Nokia Page 22 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. CSPs CSPs type Generation Storage Use IPSO X9.31 PRNG 128-bit Triple-DES keys Internal ­ by Stored in plaintext IPSO pseudo- keys gathering in memory random number entropy generator for RSA, (via IPSO) DSA, and Diffie- Hellman keys Check Point X9.31 128-bit Triple-DES keys Internal ­ by Stored in plaintext Check Point PRNG keys gathering in memory, but pseudo-random (via Check Point entropy entropy used to number generator VPN-1) generate keys is for Diffie-Hellman cached to disk keys Passwords Six-character password External Stored in plaintext Authentication for on disk accessing the (via IPSO) management interfaces (CLI); boot manager authentication; RADIUS authentication; TACPLUS authentication Table 8 ­ Listing CSPs for the Module Note: 1. Only 1024-bit keys, or higher, should be used for RSA in FIPS mode. 1024-bit RSA keys provide 80-bit equivalent security as calculated by IG7.5. 2. Only 1024-bit public keys and 160-bit private keys, or higher, can be used for DSA and Diffie-Hellman in FIPS mode. 1024/160-bit DSA and Diffie-Hellman keys provide 80-bit equivalent security as calculated by IG7.5. 3. DES must not be used in FIPS mode. 2.8.1 Key Generation The only keys that can be generated by the modules are RSA public and private keys and DSA public and private keys for SSHv2. The FIPS- approved X9.31 PRNG is used to generate these keys. 2.8.2 Key Establishment The modules implement IKE, SSH, and the TLS handshake for automatic key establishment. Two types of key establishment techniques are employed by the modules: the Diffie-Hellman key agreement and the RSA key wrapping. The Diffie-Hellman key agreement establishes shared secrets during SSHv2 and IKE. The RSA key wrapping/key transport generates shared secrets during TLS. 2.8.3 Key Entry and Output All private and secret keys entered into the module are electronically entered and encrypted during RSA key transport or during a Diffie- © Copyright 2006, 2007, 2008 Nokia Page 23 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Hellman key agreement using derived Triple-DES session keys. No private or secret keys are output from the module. 2.8.4 Key Storage All RSA and DSA keys, pre-shared keys, and passwords are stored in plaintext on disk. The TLS session keys and the gathered entropy for the Check Point PRNG keys are cached to disk. All other keys are ephemeral keys and are stored in plaintext in memory. 2.8.5 Key Zeroization Ephemeral keys can be zeroized by rebooting. All other keys can be zeroized by overwriting or deleting them. © Copyright 2006, 2007, 2008 Nokia Page 24 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.9 Self-Tests The modules perform a set of self-tests to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional self- tests). Self tests are performed by both IPSO and the Check Point VPN-1 firmware components as appropriate. IPSO also implements self tests on the algorithms provided by the hardware encryption accelerator chips. All module versions were functionally tested during FIPS 140-2 conformance testing. Power-up Self-tests: · Integrity tests: the modules use a CRC-32 to check the integrity of its various firmware components, including verifying the integrity of the Check Point VPN-1 binary code. · Cryptographic algorithm tests: o AES-CBC KAT o DES-CBC KAT o Triple-DES-CBC KAT o ANSI X9.31 PRNG KAT o RSA sign/verify and encrypt/decrypt KAT o DSA sign/verify pair-wise consistency test o SHA-1 KAT o HMAC SHA-1 KAT · Policy file integrity test (bypass mode test): the module performs a SHA-1 check value verification to ensure that the policy files are not modified. Conditional Self-tests: · RSA pair-wise consistency test: this test is performed when RSA keys are generated for SSHv2. · DSA pair-wise consistency test: this test is performed when DSA keys are generated for SSHv2. · Continuous random number generator tests: these tests are constantly run to detect failure of the random number generators of the module. © Copyright 2006, 2007, 2008 Nokia Page 25 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · Policy file integrity test (bypass mode test): the module performs a SHA-1 check value verification to ensure that the policy files are not modified. Self Test Error Handling · If the integrity tests fail, the module enters the bootloader error state and reboots. If the IPSO kernel modules cryptographic algorithm tests fail, the module enters the kernel panic error state and reboots. If the Check Point kernel module cryptographic algorithm tests fail, the module enters the kernel panic error state and must be rebooted by the Crypto Officer to clear the error. · If the IPSO conditional self-tests fail, the module enters the error state and reboots. If the Check Point continuous RNG test fails, the module enters the error state and reboots. All other self-test errors cause the module to enter the error state, where all cryptographic services and data output for the problem service is halted until the error state is cleared. Restarting the module or the failed service can clear the error state. All errors are logged and produce error indicators. 2.10 Design Assurance Nokia and Check Point manage and record their respective source code and associated documentation files. Nokia implements the Concurrent Versions System (CVS) for document and source code management. The Check Point code is maintained by Nokia as a compiled binary file. The Nokia module hardware data, which includes descriptions, parts data, part types, bills of materials, manufacturers, changes, history, and hardware documentation are managed and recorded using Agile Workplace. Additionally, Microsoft Visual Source Safe (VSS) version 6.0 and Microsoft SharePoint was used to provide configuration management for the module's FIPS documentation. These document management utilities provide access control, versioning, and logging. 2.11 Mitigation of Other Attacks The modules do not employ security mechanisms to mitigate specific attacks. © Copyright 2006, 2007, 2008 Nokia Page 26 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 SECURE OPERATION (APPROVED MODE) The Nokia VPN Appliances meet Level 2 requirements for FIPS 140-2. The following subsections describe how to place and keep the module in FIPS-approved mode of operation. The Crypto Officer must ensure that the module is kept in a FIPS-approved mode of operation. The procedures are described in "Crypto Officer Guidance". The User can use the module after the Crypto Officer changes the mode of operation to FIPS-Approved. The secure operation for the User is described in Section 3.2, "User Guidance". 3.1 Crypto Officer Guidance The secure operation procedures include the initial setup, configuring the Check Point modules in a FIPS compliant manner, and keeping the module in a FIPS-approved mode of operation. These procedures are described in the following sections. 3.1.1 Hardware Setup The Crypto Officer receives the module in a carton. Within the carton the module is placed inside a sealed ESD bag to show tamper evidence during delivery; two foam end caps are placed on both sides of the chassis, protecting the module during shipping. The Crypto Officer should examine the carton and the ESD bag for evidence of tampering. Tamper- evidence includes tears, scratches, and other irregularities in the packaging. Since the module does not enforce an access control mechanism before it is initialized, the Crypto Officer must maintain control of the module at all times until the initial setup is complete. Before turning on the module, the Crypto Officer must ensure that the module meets Level 2 physical security requirements. To satisfy these requirements, the Crypto Officer must install three tamper-evident seals (also called "FIPS Tape") provided in the module's FIPS kit. Three (3) seals should be applied to both the IP390 and IP560 modules. · N431174001 (12 pc) ­ Tamper-evident seal kit After the seal(s) are in place, the Crypto Officer must initialize the module and set the module to FIPS mode. 3.1.1.1 Applying the Tamper-Evident Seal(s) Three (3) seals should be applied as shown in the figures below to both the IP390 and IP560 modules. The tamper-evident seals each contain a unique serial number which aids the Crypto Officer in determining whether © Copyright 2006, 2007, 2008 Nokia Page 27 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. the original labels have been replaced. Refer to Section 2.2 for a list of the module hardware versions and their respective chassis type. To apply the serialized seal 1. Depending on the module hardware version, apply one or more tamper seals to the module chassis at the front, top, or rear of the module as indicated in the figures below. 2. On hardware version IP390, the PCMCIA slots are disabled and do not contain cards. Affix two large tamper seals so that they cover the empty PCMCIA bay at the front of the chassis (see Figure 4). The tamper seals are used to block visual access to the chassis interior. Insure that there is proper adhesion to the faceplate on the edges. A minimum one inch overlap of tape is recommended to cover the whole opening, taking care not to cover the vent holes. 3. Record the serial number of the applied seal(s) in a security log. 4. Allow 24 hours for the adhesive in the tamper-evident seal(s) to completely cure. Figure 2 ­ Tamper Seal Placement on IP390 Chassis © Copyright 2006, 2007, 2008 Nokia Page 28 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 3 ­Tamper Seal Placement on IP560 Chassis (3 Seals) Shown are (2x) 2.00"x.75" FIPS labels (for PCMCIA slot on IP390) Figure 4 ­Tamper Seal Location for PCMCIA Flash Memory Bay (IP390 only) © Copyright 2006, 2007, 2008 Nokia Page 29 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3.1.1.2 Module Initialization Before performing the initial configuration, the Crypto Officer must set the boot manager password to prevent unauthorized access to the module hard disk. To be compliance with FIPS 140-2 requirements the Crypto Officer shall use a non-networked general purpose computer to initialize the appliance. To initialize the appliance 1. Connect the supplied console cable to the local console port on the front panel of the appliance. 2. Connect the other end of the cable to a non-networked GPC running a terminal emulation program or a standalone VT100 console. 3. Press Return. 4. At the boot manager prompt, enter: BOOTMGR [0] > passwd 5. At the prompt, enter the new password. 6. At the prompt, re-enter the new password for verification. 7. IPSO can now be started by entering the boot command. 8. Follow the initial configuration procedures described in the appropriate Appliance Installation Guide. 3.1.2 Installing the Module Firmware New modules come preinstalled with the Nokia IPSO operating system and a version of the Check Point VPN-1 application. The FIPS 140-2 conformant configuration consists of IPSO 4.1 and Check Point VPN-1 version NGX (R60) with Hotfix HFA-03. 3.1.3 Initializing Check Point Modules Before the User can use the Check Point VPN-1 functionalities (also before he can enable FIPS mode), the Check Point module must be enabled and initialized using the CLI. The initialization process requires that the Crypto Officer establishes the SIC configuration. This is done via the cpconfig command. Once you have © Copyright 2006, 2007, 2008 Nokia Page 30 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. rebooted the device after installing the correct IPSO and VPN-1 versions, run `cpconfig' and follow the instructions. Be sure to choose the following options during cpconfig: Distributed Installation (option 2) and Enforcement Module (option 1). You will also be prompted to initialize the SIC (Secure Internal Communication). This is used to initialize secure communication with the Check Point SmartCenter Management Station. Also enter a valid Check Point license. NGX (R60) includes support for Diffie-Hellman Group 14 (2048 bit modulus) key sizes. Groups 15-18 (3072 bits to 8192 bits) can also be optionally configured. To support Groups 15-18, the Local Crypto-Officer must obtain the optional patch SK27054 from Check Point support before beginning the initialization of the module. The optional patch contains instructions for enabling the additional groups and will be installed during the initialization process. The optional patch only allows for the functionality of providing support for those additional Diffie-Hellman groups. Using the SmartDashboard application, the Check Point module should be configured for FIPS mode by selecting the screens and options shown in the screen shots included in Section 3.1.6 of this document. Only the screens shown should be configured. Once this is completed, the module is adequately initialized and can be managed from the management server. FIPS mode can be enabled only after the Check Point initialization is complete 3.1.4 Setting the Module to FIPS Mode After installing or upgrading to the appropriate Check Point module and initializing the Check Point module, the Crypto Officer must set the mode of operation to FIPS mode. To set the mode of operation to FIPS mode 1. Use the CLI from the console port to enter the set fips on restart command. This will reboot the device and bring it up in FIPS mode 2. If desired, enter the show fips command to verify that the device is in FIPS mode. For the list of disabled access and feature mechanisms, see Appendix A on page 40. 3.1.5 Initializing the Remote Management of the Module Before the Crypto Officer can manage the module remotely, SSH must be enabled, the Crypto Officer's authorized SSH public key must be entered, only SSHv2 shall be used and only FIPS-approved algorithms can be selected. To initialize the remote management of the module © Copyright 2006, 2007, 2008 Nokia Page 31 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1. Using the CLI through the console port, enter the following commands: a. set ssh server protocol 2 b. set ssh server enable 1 2. To ensure that the Crypto Officer can log in (with a password) using SSH, enter the following command: set ssh server permit-root-login yes 3. Configure the type of authentication that the server will use to authenticate the Crypto Officer by entering the following commands: set ssh server dsa-authentication 1 password-authentication 1 rhosts-authentication 0 rhosts-authentication 0 rsa-authentication 1 4. Allow only FIPS-approved algorithms for encryption and configure the SSH protocol by entering the following commands: set ssh server ciphers 3des-cbc ` keepalives <0 1> listen-addr IPv4/IPv6 address listen-addr2 IPv4/IPv6 address port <1 2 1,2> server-key-bits 1024 5. Generate host keys for SSHv2 by entering the following commands: set ssh hostkey v2 rsa size 1024 ` v2 dsa size 1024 6. Enter the Crypto Officer's authorized public key for SSHv2 with the following commands: add ssh authkeys v2 rsa user name comment name v2 dsa user name comment name 7. For optional configuration settings, see the CLI Reference Guide for IPSO 4.1. © Copyright 2006, 2007, 2008 Nokia Page 32 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The module can now be managed remotely with SSH-secured management sessions. When changing the configuration, the preceding settings denoted by bold letters and numbers must not be changed. 3.1.6 Management and Monitoring After the initial setup, the Crypto Officer can locally or remotely manage, configure, and monitor the IPSO module with the CLI. The Crypto Officer can manage the Check Point module with the remote management server via the Check Point SmartDashboard application. Through this server, the Crypto Officer can configure policies for the module. These policies determine how the firewall and VPN services of the module function. Screen shots from the Check Point SmartDashboard application are included to aid in illustration of the steps described below. During the management of the module, the Crypto Officer must satisfy the following: · The SSH configuration settings specified in Section 3.1.5 must be satisfied. · Authorized public keys must be entered into the module with the SSH-secured management session. · The AUX port must not be enabled. · The module logs must be monitored. If a strange activity is found, the Crypto Officer should take the module off line and investigate. · The tamper-evident seal must be regularly examined for signs of tampering. · No keys or CSPs should be shared between the non-Approved mode and the Approved mode of operation when switching between modes of operation. To ensure that no sharing occurs, all keys must be zeroized while in one mode of operation before switching to another mode of operation. The VPN functionality must be configured to use only FIPS-approved algorithms. The following pages denote sample screen shots of the various Check Point configuration screens. Authentication during IKE must employ pre-shared keys or digital certificates. IPSec and IKE can use only the following FIPS-approved algorithms: Data encryption · Triple DES © Copyright 2006, 2007, 2008 Nokia Page 33 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. · AES Data packet integrity · HMAC with SHA1 Authentication · Certificates · Pre-shared keys Figure 5 ­ Only FIPS-Approved Algorithms Can Be Used with IKE © Copyright 2006, 2007, 2008 Nokia Page 34 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 6 ­ Only Pre-shared Keys or Digital Certificates Can Be Used to Authenticate Clients Notes: Only 1024-bit or higher DSA and RSA key sizes should be used in FIPS mode. © Copyright 2006, 2007, 2008 Nokia Page 35 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 7 ­ Only FIPS-Approved Algorithms Can Be Used with IKE Notes: 1. Only Diffie-Hellman Groups 2 or higher (1024-bits), providing 80 or more bits of encryption strength should be used in the FIPS approved mode of operation. 2. When Check Point VPN-1 NGX (R60) is used, additional Diffie-Hellman groups 15-18 (2048 bits to 8192 bits) are selectable as options. © Copyright 2006, 2007, 2008 Nokia Page 36 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 8 ­ Only FIPS-Approved Algorithms Can Be Used with IPSec © Copyright 2006, 2007, 2008 Nokia Page 37 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 9 ­ Only FIPS-Approved Algorithms Can Be Used with IPSec or IKE Note: This applies equally for either star or meshed VPN community properties 3.2 User Guidance The User accesses the module VPN functionality as an IPSec client. Although outside the boundary of the module, the User should be careful not to provide authentication information and session keys to other parties. The User should also make certain that no keys or CSPs are shared between the non-Approved mode and the Approved mode of operation when switching between modes of operation. To ensure that no sharing occurs, a User must zeroize all keys while in one mode of operation before switching to another mode of operation. The User should only use © Copyright 2006, 2007, 2008 Nokia Page 38 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1024-bit keys or higher for RSA and Diffie-Hellman in FIPS mode. The DES algorithm, 1 key Triple-DES, and public key sizes less than 1024-bits are not allowed in FIPS mode. © Copyright 2006, 2007, 2008 Nokia Page 39 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. APPENDIX A ­ DISABLED MECHANISMS Warning: When running in a FIPS mode of operation, many of the existing and new features of Nokia IPSO are disabled as required for FIPS compliance. The following list shows all the access and feature mechanisms that are disabled when the module is in FIPS mode: · HTTP access · FTP access · Telnet access · TFTP access · Load Sharing (Nokia IPSO Clustering) and High Availability (VRRP) · NTP · Check Point remote installation daemon · SSLv3 · SSHv1 · Front PCMCIA Bays ­ IP390 only; Disabled by IPSO (both FIPS and non-FIPS modes); covered with Tamper Seal; Port bay is unavailable on IP560 · Disabled algorithms: o CAST o DES (40 bits) o MD5 o HMAC MD5 o Arcfour o Twofish o Blowfish © Copyright 2006, 2007, 2008 Nokia Page 40 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. APPENDIX B ­ ALGORITHM VALIDATION CERTIFICATE NUMBERS The module supports several independent implementations of the same FIPS- Approved algorithms. The following table lists the certificate numbers for the validated FIPS-approved algorithms implemented in IPSO, the Check Point VPN-1 firmware, and the cryptographic accelerator chips. Accelerator cards (when used) accelerate the Check Point firmware DES, Triple-DES, or AES VPN functions as indicated. Accelerated DES and 1 key Triple DES are non- compliant. To remain in the FIPS Approved mode, only the FIPS approved Triple-DES and AES encryption algorithms should be used. Cryptographic Nokia Check Accelerator Firmware Point Chips Firmware IPSO 4.1 NGX (R60) IP390 IP560 w/HFA-03 IP390 | IP560 IP390 | IP560 AES N/A #497 #442 #397 #342 DES1 N/A #314 N/A N/A Triple-DES2 #507, #465 #510 #466 #435 #406 HMAC #248, #207 #251 #208 #176 #146 SHS #564, #508 #567 #509 #469 #417 DSA #202, #204 N/A N/A N/A RSA #211, #215 #213 #167 N/A N/A RNG #275, #229 #277 #230 N/A N/A Key Establishment Methodologies: The following key establishment (Key Agreement or Key Wrapping) methodologies are implemented by the module. The relative encryption strengths provided by the mechan- isms described are calculated in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57. Diffie-Hellman Key Agreement: · NGX (R60): provides between 70 and 128 bits of encryption strength · IPSO (4.1): provides between 57 and 112 bits of encryption strength RSA Key Wrapping: · TLS: provides 80 bits of encryption strength 1 DES is a non-FIPS Approved algorithm (not to be used in FIPS mode) and should not be selected for use. See Section 3.1.6 for configuration instructions. 2 1 Key Triple-DES is non-compliant (not to be used in FIPS mode) and should not be selected for use. See Section 3.1.6 for configuration instructions. © Copyright 2006, 2007, 2008 Nokia Page 41 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Note that only methodologies providing 80 or more bits of encryption strength are FIPS Approved. Sections 3.1.5 and 3.1.6 include instructions for configuring the module into approved mode. © Copyright 2006, 2007, 2008 Nokia Page 42 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. APPENDIX C ­ ACRONYM DEFINITIONS AH Authentication Header AI Application Intelligence ANSI American National Standards Institute BGP Border Gateway Protocol CBC Cipher Block Chaining CLI Command-Line Interface CMVP Cryptographic Module Validation Program CRC Cyclical Redundancy Check CSP Critical Security Parameter DSA Digital Signature Standard DVMRP Distance Vector Multicast Routing Protocol EDC Error Detection Code EMC Electromagnetic Compatibility EMI Electromagnetic Interference ESP Encapsulating Security Payload FCC Federal Communication Commission FIPS Federal Information Processing Standard FP Feature Pack IGRP Inter-Gateway Routing Protocol IKE Internet Key Exchange IPSec IP Security KAT Known Answer Test LED Light Emitting Diode MAC Message Authentication Code NIST National Institute of Standards and Technology OSPF Open Shortest Path First PRNG Pseudo Random Number Generator RAM Random Access Memory RIP Routing Information Protocol RSA Rivest Shamir and Adleman SA Security Association SHA Secure Hash Algorithm SIC Secure Internal Communications SSH Secure Shell SSL Secure Socket Layer TLS Transport Layer Security VPN Virtual Private Network © Copyright 2006, 2007, 2008 Nokia Page 43 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.