Mocana Cryptographic Suite B Module Software Version 5.3.1v Security Policy Document Version 1.0 Mocana Corporation July 22, 2011 Copyright Mocana Corporation 2011. May be reproduced only in its original entirety [without revision]. Mocana Corporation Mocana Cryptographic Suite B Module Security Policy TABLE OF CONTENTS 1. MODULE OVERVIEW.......................................................................................................................................... 3 2. SECURITY LEVEL ................................................................................................................................................ 4 3. MODES OF OPERATION ..................................................................................................................................... 5 APPROVED MODE OF OPERATION ............................................................................................................................... 5 NON-FIPS APPROVED ALGORITHMS ......................................................................................................................... 5 4. PORTS AND INTERFACES.................................................................................................................................. 6 5. IDENTIFICATION AND AUTHENTICATION POLICY ................................................................................ 6 ASSUMPTION OF ROLES .............................................................................................................................................. 6 6. ACCESS CONTROL POLICY .............................................................................................................................. 7 ROLES AND SERVICES ................................................................................................................................................ 7 OTHER SERVICES ....................................................................................................................................................... 8 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)........................................................................................ 8 DEFINITION OF PUBLIC KEYS: ................................................................................................................................. 10 DEFINITION OF CSPS MODES OF ACCESS ................................................................................................................ 11 7. OPERATIONAL ENVIRONMENT .................................................................................................................... 13 8. SECURITY RULES ............................................................................................................................................. 13 9. PHYSICAL SECURITY ....................................................................................................................................... 14 10. MITIGATION OF OTHER ATTACKS POLICY ........................................................................................... 14 11. CRYPTOGRAPHIC OFFICER GUIDANCE .................................................................................................. 14 KEY DESTRUCTION SERVICE ................................................................................................................................... 15 12. DEFINITIONS AND ACRONYMS ................................................................................................................... 15 Page 2 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 1. Module Overview The Mocana Cryptographic Suite B Module (Software Version 5.3.1v) is a multi-chip standalone cryptographic module that runs on an embedded computer. The purpose of this module is to provide FIPS Approved cryptographic routines to consuming applications via an Application Programming Interface. The physical boundary of the module is the case of the general purpose computer. The logical boundary of the cryptographic module is the single shared object (SO). The cryptographic module runs on the following operating environments: - ThreadX v5.3 (single-user mode) Application 1 Application 2 Application 3 Mocana Cryptographic Module Operating System Hardware Figure 1 – Cryptographic Module Interface Diagram Page 3 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Figure 2 – Logical Cryptographic Boundary 2. Security Level The cryptographic module meets the overall requirements applicable to Security Level 1 of FIPS 140-2. Table 1 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Page 4 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 3. Modes of Operation Approved mode of operation The module supports a FIPS Approved mode of operation. The following FIPS Approved algorithms are supported: - AES (ECB, CBC, CTR and GCM modes; E/D; 128, 192 and 256) - AES (CCM, CMAC;128, 192 and 256) - Triple-DES (3-key and 2-key; TCBC mode; E/D) - HMAC-SHA-1 - HMAC-SHA-224 - HMAC-SHA-256 - HMAC-SHA-384 - HMAC-SHA-512 - SHA-1 - SHA-224 - SHA-256 - SHA-384 - SHA-512 - RSA key generation, signature generation and verification (Gen Key 9.31; PKCS #1 1.5, Sig Gen and Sig Ver: 1024, 1536, 2048; PSS Sig Gen and Sig Ver: 1024, 1536, 2048) - DSA key generation, signature generation and verification (PQG Gen/Ver, Key Pair Gen, Sig Gen/Ver; 1024) - ECDSA key generation, signature generation and verification (CURVES P; 192, 224, 256, 384, 521) - FIPS 186-2 RNG Non-FIPS Approved Algorithms Within the FIPS Approved mode of operation, the module supports the following allowed algorithms: - AES Key wrapping (AES Cert. #1717, key wrapping; key establishment methodology provides 128, 192, or 256 bits of encryption strength) - Diffie-Hellman (for key agreement; provides 80 or 112 bits of encryption strength) - RSA Key Wrapping (provides between 80 and 112 bits of encryption strength) - ECDH (for key agreement; provides between 80 and 256 bits of encryption strength) In addition to the algorithms listed above, the module also supports the following non-Approved algorithm for use in the non-FIPS approved mode of operation only: Page 5 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy - DES, MD5, HMAC-MD5, RC2, RC4, AES XCBC - RSA PKCS #1 v2.1 RSAES-OAEP encryption/decryption 4. Ports and Interfaces The physical ports of the module are provided by the general purpose computer on which the module is installed. The logical interfaces are defined as the API of the cryptographic module. The module’s API supports the following logical interfaces: data input, data output, control input, and status output. 5. Identification and Authentication Policy Assumption of roles The Mocana Cryptographic Suite B Module shall support two distinct roles (User and Cryptographic Officer). The cryptographic module does not provide any identification or authentication methods of its own. The Cryptographic Officer and the User roles are implicitly assumed based on the service requested. Table 2 - Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User N/A N/A Cryptographic Officer N/A N/A Page 6 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 6. Access Control Policy Roles and Services Table 3 – Services Authorized for Roles Role Authorized Services User • Self-tests • Show Status Cryptographic-Officer • DH Key Generation • DH Key Exchange • ECDH Key Exchange • RSA Key Generation • RSA Signature Generation • RSA Signature Verification • RSA Key Wrapping Encryption • RSA Key Wrapping Decryption • DSA Key Generation • DSA Signature Generation • DSA Signature Verification • ECDSA Key Generation • ECDSA Signature Generation • ECDSA Signature Verification • AES Encryption • AES Decryption • AES Message Authentication Code • TDES Encryption • TDES Decryption • SHA-1 • SHA-224/256 • SHA-384/512 • HMAC-SHA1 Message Authentication Code • HMAC-SHA224/256 Message Authentication Code • HMAC-SHA384/512 Message Authentication Code • FIPS 186-2 Random Number Generation • Key Destruction Page 7 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Other Services The cryptographic module supports the following service that does not require an operator to assume an authorized role: • Self-tests: This service executes the suite of self-tests required by FIPS 140-2. It is invoked by reloading the library into executable memory. Definition of Critical Security Parameters (CSPs) The following are CSPs that may be contained in the module: Table 4: CSP Information Key Description/Usage Generation Storage Entry / Destruction Output DH Private Used to derive the Internally using Temporarily in N/A An application Components secret session key the FIPS 186-2 volatile RAM program which uses during DH key RNG the API may destroy agreement protocol the key. The Key Destruction service zeroizes this CSP. ECDH Private Used to derive the Internally using Temporarily in N/A An application Components secret session key the FIPS 186-2 volatile RAM program which uses during ECDH key RNG the API may destroy agreement protocol the key. The Key Destruction service zeroizes this CSP. DRNG Seed Key Used to seed the RNG Internally using Temporarily in Entry: Automatically after for key generation the FIPS 186-2 volatile RAM Plaintext use RNG Output: N/A RSA Private Key Used to create RSA Externally Temporarily in Entry: An application digital signatures volatile RAM Plaintext program which uses the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. RSA Key Used for RSA Key Externally Temporarily in Entry: An application Wrapping Private Wrapping decryption volatile RAM Plaintext program which uses Key operation the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. DSA Private Key Used to create DSA May be Temporarily in Entry: An application digital signatures generated volatile RAM Plaintext if program which uses internally using generated the API may destroy the FIPS 186-2 externally the key. The Key RNG, or Destruction service Output: generated zeroizes this CSP. Plaintext externally Page 8 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Key Description/Usage Generation Storage Entry / Destruction Output ECDSA Private Used to create DSA May be Temporarily in Entry: An application Key digital signatures generated volatile RAM Plaintext if program which uses internally using generated the API may destroy the FIPS 186-2 externally the key. The Key RNG or Destruction service Output: generated zeroizes this CSP. Plaintext externally TDES Key Used during TDES Externally. Temporarily in Entry: An application encryption and volatile RAM Plaintext program which uses decryption the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. AES Keys Used during AES Externally. Temporarily in Entry: An application encryption, volatile RAM Plaintext program which uses decryption, and the API may destroy Output: CMAC operations the key. The Key N/A Destruction service zeroizes this CSP. HMAC Keys Used during HMAC- Externally. Temporarily in Entry: An application SHA-1, 224, 256, 384, volatile RAM Plaintext program which uses 512 operations the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. Page 9 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Definition of Public Keys: The following are the public keys contained in the module: Table 5: Public Key Information Key Description/Usage Generation Storage Entry/Output DH Public Used to derive the secret Internally using Temporarily in Entry: Receive Client Component session key during DH key the FIPS 186-2 volatile RAM Public Component agreement protocol RNG during DH exchange. Output: Transmit Host Public Component during DH exchange ECDH Public Used to derive the secret Internally using Temporarily in Entry: Receive Client Component session key during ECDH the FIPS 186-2 volatile RAM Public Component key agreement protocol RNG during DH exchange. Output: Transmit Host Public Component during DH exchange RSA Public Used to verify RSA Externally Temporarily in Input: Plaintext Keys signatures volatile RAM Output: N/A RSA Key Used for RSA Key Externally Temporarily in Input: Plaintext Wrapping Public Wrapping encryption volatile RAM Output: N/A Keys operation DSA Public Used to verify DSA May be Temporarily in Input: Plaintext if Keys signatures generated volatile RAM generated externally internally using Output: Plaintext the FIPS 186-2 RNG or generated externally ECDSA Public Used to verify ECDSA May be Temporarily in Input: Plaintext if Keys signatures generated volatile RAM generated externally internally using Output: Plaintext the FIPS 186-2 RNG or generated externally Page 10 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Definition of CSPs Modes of Access Table 6 defines the relationship between access to CSPs and the different module services. Table 6 – CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation C.O. User X DH Key Use DH Parameters Generation Generate DH Key pair X DH Key Exchange Use DH Private Component Generate DH shared secret X ECDH Key Use ECDH Private Component Exchange Generate ECDH shared secret X RSA Key Generate RSA Public/Private Key pair Generation X RSA Signature Use RSA Private Key Generation Generate RSA Signature X RSA Signature Use RSA Public Key Verification Verify RSA Signature X RSA Key Use RSA Public Key Wrapping Performs Key Wrapping Encryption Encryption X RSA Key Use RSA Private Key Wrapping Performs Key Wrapping Decryption Decryption X DSA Key Generate DSA Key Pair for Signature Generation/Verification Generation X DSA Signature Use DSA Private Key Generation Generate DSA Signature X DSA Signature Use DSA Public Key Verification Verify DSA Signature X ECDSA Key Generate ECDSA Key Pair for Signature Generation/Verification Generation X ECDSA Signature Use DSA Private Key Generation Generate ECDSA Signature X ECDSA Signature Use ECDSA Public Key Verification Verify ECDSA Signature X AES Encryption Use AES Key X AES Decryption Use AES Key X AES Message Use AES Key Authentication Page 11 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Role Service Cryptographic Keys and CSPs Access Operation C.O. User Code X TDES Encryption Use TDES Key X TDES Decryption Use TDES Key X SHA-1 Generate SHA-1 Output; no CSP access X SHA-224/256 Generate SHA-224/256 Output; no CSP access X SHA-384/512 Generate SHA-384/512 Output; no CSP access X HMAC-SHA-1 Use HMAC-SHA-1 Key Message Generate HMAC-SHA-1 Output Authentication Code X HMAC-SHA- Use HMAC-SHA-224/256 Key 224/256 Message Generate HMAC-SHA-224/256 Output Authentication Code X HMAC-SHA- Use HMAC-SHA-384/512 Key 384/512 Message Generate HMAC-SHA-384/512 Output Authentication Code X FIPS 186-2 Use Seed Key to generate random number Random Number Destroy Seed Key after use Generation X Key Destruction Destroy All CSPs X Show Status N/A X Self-Tests N/A Page 12 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are applicable because the Mocana Cryptographic Suite B Module operates in a modifiable operational environment. Operational testing of the module was performed on the following environments: - ThreadX v5.3 (single-user mode) 8. Security Rules The Mocana Cryptographic Suite B Module design corresponds to the following security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module. 1. The cryptographic module shall provide two distinct roles. These are the User role and the Cryptographic Officer role. 2. The cryptographic module does not provide any operator authentication. 3. The cryptographic module shall encrypt/decrypt message traffic using the Triple-DES or AES algorithms. 4. The cryptographic module shall perform the following self-tests: Power-up Self-Tests: Cryptographic Algorithm Tests: - AES Known Answer Test - Triple-DES Known Answer Test - HMAC-SHA-1 Known Answer Test - HMAC-SHA-224 Known Answer Test - HMAC-SHA-256 Known Answer Test - HMAC-SHA-384 Known Answer Test - HMAC-SHA-512 Known Answer Test - SHA-1 Known Answer Test - SHA-224 Known Answer Test - SHA-256 Known Answer Test - SHA-384 Known Answer Test - SHA-512 Known Answer Test - RSA Pairwise Consistency Test - RSA Encrypt/Decrypt Known Answer Test - DSA Pairwise Consistency Test - ECDSA Pairwise Consistency Test - ECDH Pairwise Consistency Test - DH Pairwise Consistency Test - FIPS 186-2 RNG Known Answer Test Page 13 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Software Integrity Test: HMAC-SHA-1 Critical Functions Tests: N/A Conditional Tests: DSA Pairwise Consistency Test RSA Pairwise Consistency Test ECDSA Pairwise Consistency Test Continuous Test FIPS 186-2 RNG Continuous Test 5. At any time, the operator shall be capable of commanding the module to perform the power- up self-tests by reloading the cryptographic module into memory. 6. The cryptographic module is available to perform services only after successfully completing the power-up self-tests. 7. Data output shall be inhibited during key generation, self-tests, zeroization, and error states. 8. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. The module shall not support concurrent operators. 10. DES, MD5, HMAC-MD5, RC2, RC4, AES XCBC, and RSA PKCS #1 v2.1 RSAES-OAEP encryption/decryption are not allowed for use in the FIPS Approved mode of operation. 9. Physical Security The FIPS 140-2 Area 5 Physical Security requirements are not applicable because the Mocana Cryptographic Suite B Module is software only. 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements. 11. Cryptographic Officer Guidance The operating system running the Mocana Cryptographic Suite B Module must be configured in a single-user mode of operation. Page 14 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Key Destruction Service There is a context structure associated with every cryptographic algorithm available in this module. Context structures hold sensitive information such as cryptographic keys. These context structures must be destroyed via respective API calls when the application software no longer needs to use a specific algorithm any more. This API call will zeroize all sensitive information including cryptographic keys before freeing the dynamically allocated memory. See the Mocana Cryptographic API Reference for additional information. 12. Definitions and Acronyms AES Advanced Encryption Standard API Application Program Interface CO Cryptographic Officer CSP Critical Security Parameter DES Data Encryption Standard DH Diffie-Hellman DSA Digital Signature Algorithm ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard HMAC Keyed-Hash Message Authentication Code RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir and Adleman Algorithm TDES Triple-DES SHA Secure Hash Algorithm SO Shared Object Page 15