FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) FIPS 140-2 Non-Proprietary Security Policy IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Document Version 2.3 August 5, 2010 Document Version 2.3 © IBM Internet Security Systems Page 1 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Prepared For: Prepared By: IBM Internet Security Systems, Inc. Apex Assurance Group, LLC 6303 Barfield Road 555 Bryant Street, Ste. 804 Atlanta, GA 30328 Palo Alto, CA 94301 www.iss.net www.apexassurance.com Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for the SiteProtector Cryptographic Module (Version 1.0). Document Version 2.3 © IBM Internet Security Systems Page 2 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Table of Contents 1 Introduction ........................................................................................................................................5 1.1 About FIPS 140 ................................................................................................................................ 5 1.2 About this Document .................................................................................................................... 5 1.3 External Resources ......................................................................................................................... 5 1.4 Notices ............................................................................................................................................ 6 1.5 Acronyms ........................................................................................................................................ 6 2 IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) ......................7 2.1 Product Overview .......................................................................................................................... 7 2.2 Cryptographic Module Specification ......................................................................................... 7 2.3 Validation Level Detail .................................................................................................................. 8 2.4 Cryptographic Algorithms ............................................................................................................ 8 2.4.1 Algorithm Implementation Certificates ................................................................................. 8 2.4.2 Non-Approved Algorithms ....................................................................................................... 9 2.5 Module Interfaces.......................................................................................................................... 9 2.6 Roles, Services, and Authentication .......................................................................................... 11 2.6.1 Operator Services and Descriptions..................................................................................... 11 2.6.2 Operator Authentication ....................................................................................................... 13 2.7 Physical Security........................................................................................................................... 13 2.8 Operational Environment ........................................................................................................... 13 2.9 Cryptographic Key Management............................................................................................. 15 2.10 Self-Tests....................................................................................................................................... 20 2.10.1 Power-On Self-Tests ............................................................................................................... 20 2.10.2 Conditional Self-Tests ............................................................................................................ 21 2.11 Mitigation of Other Attacks ...................................................................................................... 21 3 Guidance and Secure Operation...................................................................................................22 3.1 Crypto Officer Guidance............................................................................................................ 22 3.1.1 Software Packaging ............................................................................................................... 22 3.1.2 Enabling FIPS Mode................................................................................................................. 22 3.1.3 Additional Rules of Operation ............................................................................................... 23 3.2 User Guidance ............................................................................................................................. 24 3.2.1 General Guidance.................................................................................................................. 24 Document Version 2.3 © IBM Internet Security Systems Page 3 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) List of Tables Table 1 – Acronyms and Terms.................................................................................................................... 6 Table 2 – Validation Level by DTR Section................................................................................................. 8 Table 3 – FIPS-Approved Algorithm Certificates ....................................................................................... 9 Table 4 – Logical Interface / Physical Interface Mapping.................................................................... 11 Table 5 – Module Services and Descriptions ........................................................................................... 13 Table 6 – Module Keys/CSPs ...................................................................................................................... 18 List of Figures Figure 1 – Module Interfaces Diagram..................................................................................................... 10 Document Version 2.3 © IBM Internet Security Systems Page 4 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment of Canada (CSEC) Cryptographic Module Validation Program (CMVP) runs the FIPS 140 program. The CMVP accredits independent testing labs to perform FIPS 140 testing; the CMVP also validates test reports for products meeting FIPS 140 validation. Validated is the term given to a product that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html. 1.2 About this Document This non-proprietary Cryptographic Module Security Policy for the SiteProtector Cryptographic Module (Version 1.0) from IBM Internet Security Systems provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module’s cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS 140-2 mode of operation. The IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) may also be referred to as the “module” in this document. 1.3 External Resources The IBM Internet Security Systems website (http://www.iss.net) contains information on the full line of products from IBM Internet Security Systems, including a detailed overview of the SiteProtector Cryptographic Module (Version 1.0) solution. The Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm) contains links to the FIPS 140-2 certificate and IBM Internet Security Systems contact information. Document Version 2.3 © IBM Internet Security Systems Page 5 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 1.4 Notices This document may be freely reproduced and distributed in its entirety without modification. 1.5 Acronyms The following table defines acronyms found in this document: Acronym Term AES Advanced Encryption Standard CBC Cipher Block Chaining CSEC Communications Security Establishment of Canada CSP Critical Security Parameter DTR Derived Testing Requirement FIPS Federal Information Processing Standard GPC General Purpose Computer GPOS General Purpose Operating System GUI Graphical User Interface HMAC Hashed Message Authentication Code IBM International Business Machines ISS Internet Security Systems KAT Known Answer Test NIST National Institute of Standards and Technology RSA Rivest Shamir Adelman SHA Secure Hashing Algorithm Table 1 – Acronyms and Terms Document Version 2.3 © IBM Internet Security Systems Page 6 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 2 IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 2.1 Product Overview SiteProtector is a centralized management system that unifies management and analysis for network, server, and desktop protection agents and small networks or appliances. The SiteProtector is used as the central controlling point for IBM ISS appliances deployed on the network. The SiteProtector performs the following functionality: • Manages and monitors Sensors and SiteProtector sub-components; • Enables an administrator to view configuration data of a GX series appliance; • Displays audit and system data records; and • Monitors the network connection between SiteProtector and the Sensors it is configured to monitor. 2.2 Cryptographic Module Specification The module is the IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0), provides the SiteProtector application with the means to encrypt management session to a managed Sensor. The module is a software-only module installed on a multi-chip standalone device, such as a General Purpose Computer running a General Purpose Operating System and provides cryptographic services to the IBM Internet Security Systems SiteProtector application. The module is a uniquely identifiable library that is linked into the SiteProtector application. All operations of the module occur via calls from the SiteProtector application, which occur only when an operator is successfully authenticated to the host operating system. As such there are no untrusted services or daemons calling the services of the module. No security functions outside the cryptographic module provide FIPS-relevant functionality to the module. The module is comprised of the following files: • \ISS\SiteProtector\Agent Manager\agentmgr.dll • \ISS\SiteProtector\Agent Manager\issSessionConfigSvcs5.dll Document Version 2.3 © IBM Internet Security Systems Page 7 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) • \ISS\SiteProtector\Application Server\webserver\Apache2\bin\issSessionConfigSvcs5.dll • \ISS\SiteProtector\Application Server\webserver\Apache2\modules\mod_ssl.so • \ISS\SiteProtector\Event Collector\issSessionConfigSvcs5.dll • \ISS\SiteProtector\FIPS Service\FipsService.exe This module provides no non-FIPS approved mode of operation. Although the module requires no further configuration or compilation, the procedures in the Guidance and Secure Operation must be followed. 2.3 Validation Level Detail The following table lists the level of validation for each area in FIPS 140-2: Validation FIPS 140-2 Section Title Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security N/A Operational Environment 2 Cryptographic Key Management 2 Electromagnetic Interference / Electromagnetic 2 Compatibility Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Table 2 – Validation Level by DTR Section The “Mitigation of Other Attacks” section is not relevant as the module does not implement any countermeasures towards special attacks. 2.4 Cryptographic Algorithms 2.4.1 Algorithm Implementation Certificates The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program: Document Version 2.3 © IBM Internet Security Systems Page 8 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Algorithm CAVP Algorithm Standard Use Type Certificate Asymmetric RSA with 1536-bit RFC2246 562 Sign / verify Key modulus (TLS v1.0, operations PKCS1.5) Key establishment Hashing SHA-1, SHA-224, FIPS 186-3 1090 Message digest in SHA-256, SHA- TLS sessions 384, SHA-512 Keyed Hash HMAC-SHA1 FIPS 198 681 Message integrity in TLS sessions and module integrity check Symmetric AES 256 in CBC FIPS 197 1181 Data encryption/ Key mode decryption Random ANSI X9.31 X9.31 652 Random Number Number (TDES) Generation Generation Table 3 – FIPS-Approved Algorithm Certificates 2.4.2 Non-Approved Algorithms The module implements the following non-FIPS approved algorithms: • Software-based random number generator (rand_win.c) This RNG is used only as a seeding mechanism to the FIPS-approved o PRNG. • RSA (key agreement; key establishment methodology provides 96 bits of encryption strength) 2.5 Module Interfaces The figure below shows the module’s physical and logical block diagram: Document Version 2.3 © IBM Internet Security Systems Page 9 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Figure 1 – Module Interfaces Diagram The interfaces (ports) for the physical boundary include the computer keyboard port, CDROM drive, floppy disk, mouse, network port, parallel port, USB ports, monitor port and power plug. When operational, the module does not transmit any information across these physical ports because it is a software cryptographic module. Therefore, the module’s interfaces are purely logical and are provided through the Application Programming Interface (API) that a calling daemon can operate. The logical interfaces expose services that applications directly call, and the API provides functions that may be called by a referencing application (see Section 2.6 – Roles, Services, and Authentication for the list of available functions). The API provided by the module is mapped onto the FIPS 140- 2 logical interfaces: data input, data output, control input, and status output. Each of the FIPS 140- 2 logical interfaces relates to the module's callable interface, as follows: FIPS 140-2 Interface Logical Interface Module Physical Interface Data Input Input parameters of API Ethernet/Network port function calls Data Output Output parameters of API Ethernet/Network port function calls Control Input API function calls Keyboard and mouse Document Version 2.3 © IBM Internet Security Systems Page 10 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) FIPS 140-2 Interface Logical Interface Module Physical Interface Status Output For FIPS mode, function calls Monitor returning status information and return codes provided by API function calls. FIPS_mode_set returns true or false. False values are logged. Power None Power supply/connector Table 4 – Logical Interface / Physical Interface Mapping The module’s logical interfaces are provided only through the Application Programming Interface (API) that a calling daemon can operate. The module distinguishes between logical interfaces by logically separating the information according to the defined API. As shown in Figure 1 – Module Interfaces Diagram and Table 5 – Module Services and Descriptions , the output data path is provided by the data interfaces and is logically disconnected from processes performing key generation or zeroization. No key information will be output through the data output interface when the module zeroizes keys. 2.6 Roles, Services, and Authentication The module supports a Crypto Officer and a User role. The Crypto Officer (i.e., a human operator) can initialize and configure the module while the User role (i.e., SiteProtector) can only access the services of the module. The module does not support a Maintenance role. 2.6.1 Operator Services and Descriptions The services available to the User and Crypto Officer roles in the module are as follows: Document Version 2.3 © IBM Internet Security Systems Page 11 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Key/CSP Service Description Service Input/Output (API) Roles Access Configure Initializes the Specified in Section 3 None Crypto module for FIPS_check_incore_fingerprint Officer FIPS mode of FIPS_check_rsa operation FIPS_incore_fingerprint FIPS_mode_set FIPS_rand_check ERR_load_FIPS_strings Session Key Decrypt Decrypts a AES_decrypt User block of data Using AES Session Key Encrypt Encrypts a AES_encrypt User block of data Using AES PRNG Seed Random Generates FIPS_rand_method User PRNG Seed Number random FIPS_rand_seed Key Generation numbers for FIPS_rand_seeded crypto FIPS_set_prng_key operations Establish Provides a RSA_generate_key Private Key User Session protected RSA_PKCS1_SSLeay session for RSA_X931_derive Public Key establishment RSA_X931_generate_key HMAC Key of AES keys SHA1 Premaster with peers sha1_block_asm_data_order Secret (48 sha1_block_asm_host_order Bytes) SHA1_Final SHA1_Init Master SHA1_Transform Secret (48 SHA1_Update Bytes) Self Test Performs self FIPS_selftest None User tests on FIPS_selftest_aes critical FIPS_selftest_failed functions of FIPS_selftest_hmac module FIPS_selftest_rng FIPS_selftest_rsa FIPS_selftest_sha1 Show Status Shows status FIPS_mode None User of the module FIPS_mode_set Document Version 2.3 © IBM Internet Security Systems Page 12 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Key/CSP Service Description Service Input/Output (API) Roles Access Zeroization Zeroizes keys Ephemeral CSPs are zeroized None User by the RAM clearing processes, and static CSPs are zeroized by uninstalling the module and formatting the hard drive. Table 5 – Module Services and Descriptions 2.6.2 Operator Authentication Operators authenticate to the module via the General Purpose Operating System, which implements a username/password authentication mechanism and enforces operator authentication prior to the operator utilizing any system services. Further, the GPOS authentication mechanism distinguishes operators that have administrator rights on a computer system. The modules rely on this mechanism to distinguish an operator between the two supported roles. The module itself does not contain authentication data. The GPOS will allow an operator to change roles only if the User knows the Crypto Officer password and vice versa. The operating system is responsible for ensuring previous authentication data is cleared upon powering off of the module. Passwords must be a minimum of 8 characters (see Secure Operation section of this document). The password can consist of alphanumeric values, a-z A-Z 0-9, yielding 62 choices per character. The probability of a successful random attempt is 1/628, which is less than 1/1,000,000. The GPOS module will lock an account after 5 failed authentication attempts; thus, the maximum number of attempts in one minute is 5. Therefore, the probability of a success with multiple consecutive attempts in a one minute period is 5/628 which is less than 1/100,000. 2.7 Physical Security This section of requirements does not apply to this module. The module is a software- only module and does not implement any physical security mechanisms. 2.8 Operational Environment The cryptographic module were tested and validated on the following hardware platform: Document Version 2.3 © IBM Internet Security Systems Page 13 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) • IBM eServer 326m 2.0 GHz AMD Opteron Processor 270 (1 Dual-Core 32-bit CPU) The module runs on Microsoft Windows Server 2003 R2 Standard, Version 5.2 SP2, which has met Common Criteria EAL 4+ certification. The module’s software is entirely encapsulated by the cryptographic boundary shown in Figure 1. Please note that this operating system must meet installation and configuration requirements specified in the operating system’s Common Criteria Security Target (http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-st.pdf). The GPC(s) used during testing are assumed to have met Federal Communications Commission (FCC) FCC Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47 Code of Federal Regulations, Part15, Subpart B. Document Version 2.3 © IBM Internet Security Systems Page 14 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 2.9 Cryptographic Key Management The table below provides a complete list of Critical Security Parameters used within the module: Key/CSP Establishment / Description / Use Generation Storage Interface Privileges Name Export Session AES CBC 256-bit key Derived from the Storage: RAM plaintext Agreement: Via Decrypt Crypto Key for encryption / Master Secret secure TLS tunnel Encrypt Officer decryption of session Type: Ephemeral RWD traffic Entry: NA Association: The system is the one and only owner. Output: Key handle User Relationship is from API request is R maintained by the output only to the Session Key Certificate SiteProtector and the SiteProtector application management of the session. PRNG System Entropy to Generated Storage: RAM plaintext Agreement: NA Establish Crypto Seed seed the X9.31 PRNG internally by non- Session Officer Approved RNG Type: Ephemeral Entry: NA None Association: The system is Output: NA User the one and only owner. None Relationship is maintained by the operating system via protected memory. Document Version 2.3 © IBM Internet Security Systems Page 15 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Key/CSP Establishment / Description / Use Generation Storage Interface Privileges Name Export Private RSA Private 1536-bit Internal generation Storage: RAM plaintext Agreement: NA Establish Crypto Key for sign / verify by X9.31 PRNG Session Officer operations and Type: Static Entry: NA RWD key establishment1 for SiteProtector to GX Association: The system is Output: Key handle User appliances over TLS the one and only owner. from API request is R elationship is maintained output only to the by the operating system SiteProtector via protected memory. application Public RSA Public 1536-bit for Internal generation Storage: RAM plaintext Agreement: NA Establish Crypto Key sign / verify operations by X9.31 PRNG Session Officer and Type: Static Entry: NA` RWD key establishment2 for User SiteProtector to GX Association: The system is Output: Key handle R appliances over TLS. the one and only owner. from API request is Relationship is output only to the Encryption/Decryption maintained by the SiteProtector of the Premaster operating system via application Secret for X509 certificates. entry/output PRNG 256-bit value to seed Generated Storage: RAM plaintext Agreement: NA Establish Crypto Seed Key the FIPS-approved internally by non- Session Officer ANSI X9.31 PRNG Approved RNG Type: Ephemeral Entry: NA None Key establishment methodology provides at least 96-bits of encryption strength 1 Key establishment methodology provides at least 96-bits of encryption strength 2 Document Version 2.3 © IBM Internet Security Systems Page 16 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Key/CSP Establishment / Description / Use Generation Storage Interface Privileges Name Export Association: The system is Output: NA User the one and only owner. None Relationship is maintained by the operating system via protected memory. HMAC 160-bit HMAC-SHA1 Partitioned from Storage: RAM plaintext Agreement: NA Establish Crypto key for message Master Secret Session Officer verification in TLS Type: Ephemeral Entry: NA RWD sessions Association: The system is Output: Key handle User the one and only owner. from API request is R Relationship is output only to the maintained by the SiteProtector operating system via application protected memory. Crypto Alphanumeric Not generated by Storage: on Agreement: NA Configure Crypto Officer passwords externally the module; disk/obfuscated Officer Password generated by a defined by the Entry: Manual entry RWD human user for human user of the Type: Static via operating authentication to the workstation system operating system. Association: controlled by the operating system Output: NA User Alphanumeric Not generated by Storage: on Agreement: NA Configure Crypto Password passwords externally the module; disk/obfuscated Officer generated by a defined by the Entry: Manual entry D human user for human user of the Type: Static via operating User authentication to the workstation system RWD operating system. Association: controlled by the operating system Output: NA Document Version 2.3 © IBM Internet Security Systems Page 17 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) Key/CSP Establishment / Description / Use Generation Storage Interface Privileges Name Export Premaster RSA-Encrypted Internal generation Storage: RAM plaintext Agreement: NA Establish Crypto Secret (48 Premaster Secret by X9.31 PRNG Session Officer Bytes) Message Type: Ephemeral Entry: Input during None TLS negotiation User Association: The system is None the one and only owner. Output: Output to Relationship is server encrypted maintained by the by Public Key operating system via protected memory. Master Used for computing Internal generation Storage: RAM plaintext Agreement: NA Establish Crypto Secret (48 the Session Key by X9.31 PRNG Session Officer Bytes) Type: Ephemeral Entry: NA None User Association: The system is Output: NA None the one and only owner. Relationship is maintained by the operating system via protected memory. R = Read W = Write D = Delete Table 6 – Module Keys/CSPs Secret keys, public/private keys, and CSPs are protected from unauthorized disclosure, unauthorized modification, and unauthorized substitution because only authorized users are allowed access to the GPOS and SiteProtector application. The SiteProtector application ensures that no keys or CSPs leave the physical boundary of the module in plaintext. The module does not output intermediate key values, nor does it generate keys with non-Approved key generation methods. Ephemeral CSPs are zeroized by the RAM clearing processes, and static CSPs are zeroized by uninstalling the module and formatting the hard drive. All keys and CSPs are stored in memory, and zeroization has been implemented to ensure no Document Version 2.3 © IBM Internet Security Systems Page 18 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) traces are left of any CSPs upon termination of the service using the CSP. Zeroization has been implemented by overwriting the allocated memory buffer with zeros before freeing the memory to other uses. Any service using a CSP will zeroize the CSP upon normal termination and when transitioning into error states. Zeroization is initiated by terminating the process and powering off the module. Zeroization will complete before any other malicious command could compromise the keys currently being zeroized because the module will not process additional commands until it finishes executing the current command. Document Version 2.3 © IBM Internet Security Systems Page 19 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 2.10 Self-Tests The module includes an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. In the event of any self-test failure, the module/SiteProtector application will output an error to the audit log and will shutdown. In addition to self-test failures, successful loading of the module is also logged. To access status of self-tests, success or failure, the application provides access to the audit log. Status is viewable via operating environment’s audit mechanism and by verifying proper loading and operation of the SiteProtector application. While the module is running self-tests, the module will not output data. The SiteProtector application makes calls to the SiteProtector Cryptographic Module (Version 1.0), and data will not be returned until the self-tests complete. No keys or CSPs will be output when the module is in an error state. The module will halt and the process will terminate; as such, no data will be output via the data output interface. Additionally, the module does not support a bypass function, and the module does not allow plaintext cryptographic key components or other unprotected CSPs to be output on physical ports. No external software or firmware is allowed to be loaded in a FIPS mode of operation. The following sections discuss the module’s self-tests in more detail. 2.10.1 Power-On Self-Tests Power-on self-tests are run upon every initialization of the module and if any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the users. The module implements the following power-on self- tests: • Module integrity check3 via HMAC-SHA1 • RSA pairwise consistency key (signing and signature verification) • AES KAT (encryption and decryption) • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 KAT • HMAC-SHA1 KAT • KAT for Approved PRNG The integrity of the FIPS module (i.e., all files within the cryptographic boundary listed in Section 3 2.2) is protected by a single HMAC SHA-1 digest that is calculated over the module at the time it is created. This digest is verified when the module is initialized. Document Version 2.3 © IBM Internet Security Systems Page 20 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) • KAT for non-approved software RNG The module performs all power-on self-tests automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The Power-on self-tests can be run on demand by reinitializing the module in FIPS approved Mode of Operation. Upon passing the power-on self-tests, the module will log the success and will continue to boot normally; successful loading of the SiteProtector application will indicate that all self-tests have passed. If a self-test fails, the module will not load and the SiteProtector application will halt. 2.10.2 Conditional Self-Tests Conditional self-tests are on-demand tests and tests run continuously during operation of the module. If any of these tests fail, the module will enter an error state and no services can be accessed by the users. The module can be re-initialized to clear the error and resume FIPS mode of operation. The module performs the following conditional self-tests: • Pairwise consistency test for RSA • Continuous RNG test run on output of ANSI X9.31 PRNG • Continuous test on output of ANSI X9.31 PRNG seed mechanism • Test to ensure ANSI X9.31 PRNG output and seed do not match The module will inhibit data output via the output interface when conditional tests are performed. Once the tests have passed and the keys have been generated, the module will pass the key to the calling daemon. 2.11 Mitigation of Other Attacks The module does not mitigate other attacks. Document Version 2.3 © IBM Internet Security Systems Page 21 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 3 Guidance and Secure Operation This section describes how to configure the module for FIPS-approved mode of operation. Operating the module without maintaining the following settings will remove the module from the FIPS-approved mode of operation. 3.1 Crypto Officer Guidance 3.1.1 Software Packaging The module is included with SiteProtector Version 2.0 Service Pack 8.0 and is not available for direct download. The SiteProtector application (and subsequently the module) is to be installed on a Microsoft Windows Server 2003 R2 Standard, Version 5.2 SP2 operating system. Please note that this operating system must meet installation and configuration requirements specified in the operating system’s Common Criteria Security Target (http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-st.pdf). This includes configuring the General Purpose Operating System to lock an account after 5 failed authentication attempts. 3.1.2 Enabling FIPS Mode To meet the cryptographic security requirements, especially for secure communication, certain restrictions on the installation and use of SiteProtector must be followed. The steps below will ensure that the module implements all required self-tests and uses only approved algorithms. 3.1.2.1 Installation 1. Only the Express install package is supported. Other installation options are not valid. To install SiteProtector, please follow these steps: • Log in to the ISS support site at https://webapp.iss.net/myiss/login.jsp • Select Downloads from the menu • Choose FIPS enabled systems from the Select a Product dropdown menu and then select Go • Select GX6116 FW 3.1 and SiteProtector 2.0 SP 8.0 from the Version dropdown menu then select Go Document Version 2.3 © IBM Internet Security Systems Page 22 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) • Select Other Updates and select Continue next to the bundle listing for the Proventia Management SiteProtector 2.0 Service Pack 8.0 FIPS 140-2 service software • Accept the End User License and select Submit • Download FIPSService-Setup.exe (SiteProtector Installation) and install on the machine intended to run SiteProtector. 2. All SiteProtector components must be installed on a single hardware / OS platform. The only exception to this rule is that the management Console may be installed and used remotely. 3. The installation must be a new install. Upgrading from a previous version of SiteProtector is not valid. 4. The Update Server's XPU Settings policy must be modified to disable Install of automatic Product Updates. 5. The optional Event Archiver package must not be installed. 6. The following keys must be deleted from the platform hosting SiteProtector after installation: • \rs_eng_siteprotector_1024.Pubkey • \sp_con_siteprotector_1024.Pubkey These files can be found in the ISS\SiteProtector\AgentManger\Keys\RSA directory. 3.1.3 Additional Rules of Operation 1. All host system components that can contain sensitive cryptographic data (main memory, system bus, disk storage) must be located in a secure environment. 2. The writable memory areas of the Module (data and stack segments) are accessible only by the SiteProtector application so that the Module is in "single user" mode, i.e. only the SiteProtector application has access to that instance of the Module. 3. The operating system is responsible for multitasking operations so that other processes cannot access the address space of the process containing the Module. Document Version 2.3 © IBM Internet Security Systems Page 23 of 24 FIPS 140-2 Non-Proprietary Security Policy: IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0) 3.2 User Guidance 3.2.1 General Guidance The User must configure and enforce the following initialization procedures in order to operate in FIPS approved mode of operation: 1. The end user of the operating system is responsible for zeroizing CSPs by via wipe/secure delete procedures. Document Version 2.3 © IBM Internet Security Systems Page 24 of 24