Security Policy FIPS 140-2 Level 1
Mobile Armor Cryptographic Module 3.0
Version: 1.5
Date: 05/4/2009

This document is provided for informational purposes about the nonproprietary structure of the Mobile Armor Cryptographic Module 3.0 as it pertains to FIPS 140-2 validation. Any reproduction of this document must include the Copyright notice of Mobile Armor, Inc.

Contact Mobile Armor
Mobile Armor, Inc.
400 South Woods Mill Road, Suite 300
St. Louis, MO, 63017 USA
Telephone: +1 (314) 5900900
Fax: +1 (314) 5900995
Website: http://www.mobilearmor.com
Email: sales@mobilearmor.com

© Copyright 2007-2009 Mobile Armor, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice as part of Mobile Armor's FIPS 140-2 application review process.

Revisions

| Date | Version | Author | Description |
|---|---|---|---|
| 11/12/07 | 0.1 | Brian E Wood | Initial version |
| 11/13/07 | 0.2 | Brian E Wood | Updates with input from Brendan Johnson |
| 11/27/07 | 0.3 | Brian E Wood | Updates with input from Brendan Johnson |
| 12/3/07 | 0.4 | Brian E Wood | Updates based on Palm differences |
| 4/15/08 | 1.0 | Brian E Wood | Updated platforms to be supported |
| 10/21/08 | 1.1 | Brian E Wood | Updated platforms to be supported to final list |
| 10/31/08 | 1.2 | Brian E Wood | Replaced "generic PC" with "IBM Compatible PC", edited Apple computer platform |
| 11/10/08 | 1.3 | Brian E Wood | Updated integrity check text and added block diagrams |
| 03/30/2009 | 1.4 | Brian E Wood | Updated several section based on feedback from SAIC |
| 05/4/2009 | 1.5 | Brian E Wood | Updated several section based on feedback from SAIC |

Contents

Revisions
Contents
Tables
Figures
1 Security Policy Introduction
1.1 Security Policy, Product and Evaluation Identification
1.2 Purpose
1.3 References
2 Mobile Armor Cryptographic Module 3.0
2.1 Overview
2.2 Cryptographic Module
2.3 Module Ports and Interfaces
2.4 Roles, Services and Authentication
2.5 Physical Security
2.6 Operational Environment
2.7 Cryptographic Key Management
2.8 Self-Tests
2.9 Design Assurance
2.10 Mitigation of Other Attacks
3 Operation of the Mobile Armor Cryptographic Module 3.0

Tables

Table 1 - Acronyms
Table 2 - FIPS 140-2 Logical Interfaces
Table 3 - FIPS Cryptographic Algorithms
Table 4 - Key Generation
Table 5 - FIPS Algorithm Self-Tests

Figures

Figure 1 - Generic PC Block Diagram of Hardware Components
Figure 2 - Standard Mobile Device Block Diagram of Hardware Components

1 Security Policy Introduction

1.1 Security Policy, Product and Evaluation Identification

SP Title: Mobile Armor Cryptographic Module 3.0 Security Policy
SP Version: Version 1.3
Product Identification: Mobile Armor Cryptographic Module 3.0
FIPS Evaluation Identification: FIPS 140-2
Evaluation Level: 1

1.2 Purpose

This is a nonproprietary Cryptographic Module Security Policy for the Mobile Armor Cryptographic Module 3.0. This security policy describes how the Mobile Armor Cryptographic Module 3.0 meets the Level 1 security requirements of FIPS 140-2. While the product will be evaluated on Microsoft Windows Vista, Microsoft Windows Mobile 6, Mac OS 10.4, Red Hat Enterprise Linux 5.0 and Ubuntu 7.10, it is a cross-platform module also capable of running on Microsoft Windows 2000/XP, Microsoft Windows Mobile 5, Mac OS 10.5 and other platforms with no modifications.

This policy was prepared as part of FIPS 140-2 validation of the Mobile Armor Cryptographic Module 3.0.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/index.html.

1.3 References

This document deals only with operations and capabilities of the Mobile Armor Cryptographic Module 3.0 in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the Mobile Armor Cryptographic Module 3.0 application from the following sources:

· For overview information on Mobile Armor products and services, as well as answers to technical or sales related questions, refer to: http://www.mobilearmor.com.

| Acronym | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| TripleDES | Triple Data Encryption Standard |
| PRNG | Pseudo Random Number Generator |
| SHA | Secure Hash Algorithm |
| HMAC | Hash Message Authentication Code |
| API | Application Programming Interface |
| DLL | Dynamic Link Library |

Table 1 - Acronyms

For the purposes of this document, the term "mobile device" will be used to designate a device such as a PDA or smartphone, as opposed to a PC. These devices run the Windows Mobile OS.

2 Mobile Armor Cryptographic Module 3.0

2.1 Overview

The Mobile Armor Cryptographic Module 3.0 provides cryptographic support for all Mobile Armor products. The Cryptographic Module is used to create, manage and delete cryptographic keys as well as to perform cryptographic operations. To provide cryptographic security services, the Cryptographic Module provides access to symmetric key based encryption algorithms, message digest, message authentication code, and pseudo random number generation functions. The keys and information provided by the user are used by the Cryptographic Module for encryption/decryption operations.

The Cryptographic Module is designed for multiple functions within Mobile Armor applications. It provides a structured set of APIs to expose these functions, giving flexibility to add new applications for the Cryptographic Module functions in the future without changing the module itself.

2.2 Cryptographic Module

The Mobile Armor Cryptographic Module 3.0 is classified as a multi-chip standalone module for FIPS 140-2 purposes. The cryptographic module is capable of running on any commercially available IBM compatible PC running the following list of Operating Systems (OS).

· Microsoft Windows Vista
· Microsoft Windows Vista 64-bit
· Microsoft Windows Mobile 6
· Apple Mac OS X 10 on Intel hardware
· Red Hat Enterprise Linux 5.1
· Red Hat Enterprise Linux 5.1 64-bit
· Fedora Core 8
· Fedora Core 8 64-bit
· Ubuntu 7.10
· Ubuntu 7.10 64-bit

The module is capable of running on any commercially available Microsoft Windows Mobile based device (note the device must be capable of running Windows Mobile 5 or 6, and not earlier versions of the OS). A partial list of devices currently available (in the United States) that meet this requirement can be found at http://www.microsoft.com/windowsmobile/devices/default.mspx.

The module is capable of running on the commercially available Intel-based Apple Mac computers. Non-Intel-based Apple systems are not supported.

The module was tested for FIPS 140-2 compliance on the following platforms:

· An IBM compatible PC running Microsoft Windows Vista configured in the single user mode
· An IBM compatible PC running Microsoft Windows Vista 64-bit configured in the single user mode
· An IBM compatible PC running Red Hat Enterprise Linux 5.1 configured in single user mode
· An IBM compatible PC running Red Hat Enterprise Linux 5.1 64-bit configured in single user mode
· An IBM compatible PC running Fedora Core 8 configured in single user mode
· An IBM compatible PC running Fedora Core 8 64-bit configured in single user mode
· An IBM compatible PC running Ubuntu 7.10 configured in single user mode
· An IBM compatible PC running Ubuntu 7.10 64-bit configured in single user mode
· An Apple-based computer with an Intel processor running OSX 10.5
· A mobile device running Windows Mobile 6

The module is compiled into libraries that are specific to each platform.
The only changes between these platforms are those necessary for porting the Cryptographic Module, and these are handled through compiler options.

2.3 Module Ports and Interfaces

The Mobile Armor Cryptographic Module 3.0 is classified as a multi-chip standalone module for FIPS 140-2 purposes. As such, the module's logical cryptographic boundary includes the library binary. The physical boundary includes a PC or mobile device running an operating system and interfacing with the device, and external components such as keyboard, mouse, touch screen, screen, floppy drive, CD-ROM drive, speaker, serial ports, parallel ports, USB ports and power plug. This boundary is shown in Figure 1.

[Figure 1 - Logical Block Diagram. Labels: Physical Boundary - General Purpose Computer or Mobile Device (for illustration); Logical Boundary (DLL or Shared Object); Mobile Armor Cryptographic Module; Storage; Memory; CPU; I/O Port; Keyboard, Mouse, Touch screen; Network; Video.]

The Mobile Armor Cryptographic Module 3.0 provides a logical interface via an Application Programming Interface (API). The API provided by the module is mapped to the FIPS 140-2 logical interfaces: data input, data output, control input, and status output.
All of these physical interfaces are separated into the logical interfaces from FIPS as described in the following table:

| FIPS 140-2 Logical Interface | Module Mapping |
|---|---|
| Data Input Interface | Parameters passed to the module via API calls |
| Data Output Interface | Data returned by the module via the API |
| Control Input Interface | Control input through the API function calls |
| Status Output Interface | Information returned via exceptions and calls |
| Power Interface | Does not provide a separate power or maintenance access interface beyond the power interface provided by the computer itself |

Table 2 - FIPS 140-2 Logical Interfaces

2.4 Roles, Services and Authentication

The Mobile Armor Cryptographic Module 3.0 does not provide any identification or authentication for any user that is accessing the module, and is only acceptable for FIPS 140-2 level 1 validation. The module provides a Crypto Officer and a User role (there is no Maintenance role). Since the module does not provide any identification or authentication services, the level of access granted to any functionality of the module is implicitly determined by the service calling the module; the module itself makes no determination about the role itself. The Crypto Officer is expected to install and uninstall the module.

Table 3 - Cryptographic Module Services provides a description of the services which are made available by the module to the calling application.

| Service | API Calls | Purpose and Use |
|---|---|---|
| AES | aes_encrypt, aes_encrypt_padded, aes_decrypt, aes_decrypt_padded, aes_cbc_encrypt, aes_cbc_decrypt, aes_cfb_encrypt, aes_cfb_decrypt | Allows Users to encrypt/decrypt data using AES algorithm |
| TripleDES | des3_encrypt, des3_decrypt, des3_cbc_encrypt, des3_cbc_decrypt | Allows Users to encrypt/decrypt data using TripleDES algorithm |
| SHS | sha1, sha224, sha256, sha384, sha512 | Allows Users to generate message digests |
| HMAC | sha1_hmac, sha224_hmac, sha256_hmac, sha384_hmac, sha512_hmac | Allows Users to generate MAC values |
| RNG | CryptGenRand | Allows Users to generate deterministic random numbers which can be used for algorithm keys |
| Initialization Self-Tests | FIPS_SelfTests | Allows Users to determine if the module is functioning properly (this service only executes when the module is started) |
| Show Status | API function return values | Allow Users to observe module operation status |
| Zeroization | aes_clear_context, des3_clear_context | Allows Users to zeroize key data |

Table 3 - Cryptographic Module Services

2.5 Physical Security

The Mobile Armor Cryptographic Module 3.0 is a software module intended for use with Microsoft Windows Vista, Fedora Core 8, Ubuntu 7.10 and Red Hat Enterprise Linux 5.0 in single user modes on a PC, an Intel-based Mac and Microsoft Windows Mobile on a mobile device. Since the module is implemented solely in software, the physical security section of FIPS 140-2 is not applicable.

2.6 Operational Environment

The Mobile Armor Cryptographic Module 3.0 is compiled into separate modules for each supported platform from the same cryptographic source. The only differences are those necessary to port the Cryptographic Module between platforms.

| Platform | Implementation |
|---|---|
| Microsoft Windows Vista | Normal C Dll (MAFips.dll) |
| Microsoft Windows Vista 64 | Normal C Dll (MAFips64.dll) |
| Microsoft Windows Mobile | Normal C Dll (MAFips.dll) |
| Linux (all) | Shared Object (libMAFips.so) |
| Linux (all) 64-bit | Shared Object (libMAFips64.so) |
| Mac OS X | Shared Object (libMAFips.dylib) |
| Mac OS X | Shared Object (libMAFips64.dylib) |

Table 4 - Cryptographic Module Implementations

The only differences in the Cryptographic Module are those necessary to port the Cryptographic Module between the different platforms. The Mobile Armor Cryptographic Module 3.0 is a single user module that is always distributed in binary form to discourage unauthorized access or modification to source. Additionally, an HMAC SHA1 software integrity check is run when the modules are loaded to help ensure that the code has not been modified from its validated configuration.

2.7 Cryptographic Key Management

The Mobile Armor Cryptographic Module 3.0 implements the following algorithms. The FIPS approved column specifies whether the algorithm is available in the FIPS-mode.

| Algorithm | FIPS Approved | Certificate # |
|---|---|---|
| AES (CBC, ECB 256-bit keys) | Yes | 820 |
| TripleDES (CBC, ECB 168-bit keys) | Yes | 692 |
| SHA1 | Yes | 818 |
| HMAC SHA1 | Yes | 453 |
| SHA256 (SHA224) | Yes | 818 |
| HMAC SHA256 | Yes | 453 |
| SHA512 (SHA384) | Yes | 818 |
| HMAC SHA512 | Yes | 453 |
| ANSI X9.31 PRNG | Yes | 472 |

Table 5 - FIPS Cryptographic Algorithms

All keys are generated by using the ANSI X9.31 PRNG which is based on the validated TripleDES algorithm.

The following list of keys and CSPs is used by the module. They are generated or inserted as specified and stored within the Cryptographic Module as necessary.
Here "inserted" is used to mean the key is provided by the calling application, as opposed to internally generated.

| Name | Created | Size(s) in bits | Purpose | Zeroization method |
|---|---|---|---|---|
| AESkey | Generated/Inserted | 128, 192, 256 | Data Encryption, Decryption | Function aes_clear_context |
| TripleDESkey | Generated/Inserted | 112, 168 | Data Encryption, Decryption | Function des3_clear_context |
| SHA1 HMAC integrity check key | Hard coded | 112 | Verify driver integrity | Uninstallation of module |
| PRNG key | Generated | 168 | Random Number Generation | Unload module from memory |
| PRNG seed | Generated | 64 | Random Number Generation | Unload module from memory |
| HMAC key | Generated/Inserted | N/A | MAC | Functions sha1_clear_context, sha256_clear_context, sha512_clear_context, and memset |

Table 6 - Key Generation

Keys are stored in the Cryptographic Module's internal data structures, which are not exposed to external access. When keys are set for deletion, the key is zeroized by overwriting the key once with zeroes to ensure it cannot be retrieved. This function is only used for securely wiping keys in memory, not from magnetic media.

The Cryptographic Module implements the following access control policy on keys and CSPs in the module shown in Table 7 - Cryptographic Module CSP Access Control Policy. The Access Policy is noted by R=Read, W=Write and X=Execute.

| Services | CSP Access | Access Rights |
|---|---|---|
| AES | AESkey | RX |
| TripleDES | TripleDESkey | RX |
| SHS HMAC | HMAC key | RX |
| RNG | PRNG key, PRNG seed | RWX |
| Initialization Self-Tests | SHA1 HMAC integrity check key | RX |
| On-demand Self-Tests | SHA1 HMAC integrity check key | RX |
| Zeroization | AESkey, TripleDESkey | RW |

Table 7 - Cryptographic Module CSP Access Control Policy

2.8 Self-Tests

Upon startup, the Mobile Armor Cryptographic Module 3.0 performs several power-up self-tests including known answer tests for all algorithms. The Cryptographic Module performs an HMAC SHA1 self-integrity check to verify the module has not been damaged or tampered with. The hash value for this integrity check is stored in a hidden file kept in the same directory as the module. The file is hidden according to standard file handling practices for the operating system. The Cryptographic Module performs continuous tests on the PRNG (approved as well as non-approved) each time it is used to generate random data.

| Algorithm | Known Answer Tests | Monte Carlo Tests |
|---|---|---|
| AES | Yes | Yes |
| TripleDES | Yes | Yes |
| SHA1 | Yes | No |
| HMAC SHA1 | Yes | No |
| SHA224 | Yes | No |
| HMAC SHA224 | Yes | No |
| SHA256 | Yes | No |
| HMAC SHA256 | Yes | No |
| SHA384 | Yes | No |
| HMAC SHA384 | Yes | No |
| SHA512 | Yes | No |
| HMAC SHA512 | Yes | No |
| Integrity Test (HMAC SHA1) | Yes | No |
| ANSI X9.31 PRNG | Yes | Yes |

Table 8 - FIPS Algorithm Self-Tests

Upon failure of a self-test, an error message indicating the failure is sent to the calling application and the module enters the Error state where no operations are permitted. To transition out of the Error state, the module must be uninstalled and installed by the crypto officer only.
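
The power-up sequence described in this section (HMAC SHA1 integrity check against a stored value, known answer tests, a continuous test on generated random blocks, and an Error state that refuses all services) is shown below as an added Python example; it is not Mobile Armor's code. The class name, file names, key and the use of os.urandom as the generator are assumptions made for illustration, and the sample "library" bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Published known answers: SHA-1("abc") from FIPS 180, HMAC-SHA1 test case 1 from RFC 2202.
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")

class ModuleError(Exception):
    """A self-test failed, or a service was requested in the Error state."""

class ToyModule:
    """Hypothetical stand-in for a software crypto module (illustration only)."""

    def __init__(self, lib_path, ref_path, integrity_key, rng=os.urandom):
        self.state = "ERROR"            # fail closed until every power-up test passes
        self._rng, self._last = rng, None
        if self._integrity_ok(lib_path, ref_path, integrity_key) and self._kats_ok():
            self.state = "OPERATIONAL"

    @staticmethod
    def _integrity_ok(lib_path, ref_path, key):
        try:
            with open(lib_path, "rb") as lib, open(ref_path, "rb") as ref:
                actual = hmac.new(key, lib.read(), hashlib.sha1).hexdigest().encode()
                expected = ref.read().strip()
        except OSError:
            return False                # a missing library or reference file is a failure
        return hmac.compare_digest(actual, expected)

    @staticmethod
    def _kats_ok():
        (msg, digest), (key, data, mac) = SHA1_KAT, HMAC_KAT
        return (hashlib.sha1(msg).hexdigest() == digest
                and hmac.new(key, data, hashlib.sha1).hexdigest() == mac)

    def random_block(self, n=8):
        """Continuous test: each new block is compared with the previous one."""
        if self.state != "OPERATIONAL":
            raise ModuleError("module is in the Error state; no operations permitted")
        if self._last is None:
            self._last = self._rng(n)   # first block only primes the comparison
        block = self._rng(n)
        if block == self._last:
            self.state = "ERROR"        # latch the failure; later calls are refused
            raise ModuleError("continuous RNG test failed")
        self._last = block
        return block

def demo():
    """Load a constructed 'library' intact, then again after modifying it."""
    key = b"constructed-demo-key"       # constructed; not the module's hard-coded key
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libexample.so")        # hypothetical file names
        ref = os.path.join(d, ".libexample.so.hmac")  # dot-file: hidden on Unix-like systems
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed sample bytes")
        with open(lib, "rb") as f, open(ref, "w") as out:
            out.write(hmac.new(key, f.read(), hashlib.sha1).hexdigest())
        intact = ToyModule(lib, ref, key).state
        with open(lib, "ab") as f:
            f.write(b"\x90")            # change the file after the MAC was recorded
        tampered = ToyModule(lib, ref, key).state
    return intact, tampered
```
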

The module does not provide a direct means for executing an on-demand self-test, though every time the calling application is restarted, the module is also restarted, and the self-tests are automatically executed. To run self-tests on request, restart the application which is using the module.

2.9 Design Assurance

Mobile Armor maintains versioning for all source code through Subversion 1.4. Documentation is managed through Microsoft SharePoint Portals.

2.10 Mitigation of Other Attacks

The Mobile Armor Cryptographic Module 3.0 does not employ security mechanisms to mitigate specific attacks.

3 Operation of the Mobile Armor Cryptographic Module 3.0

The Mobile Armor Cryptographic Module 3.0 contains only FIPS-approved algorithms and operates only in FIPS mode after installation.

The Mobile Armor Cryptographic Module 3.0 is designed for installation and use on a computer or mobile device configured in single user mode, and is not designed for use on systems where multiple, concurrent users are active.