Mocana Cryptographic Suite B Module Software Version 5.4fm Security Policy Document Version 1.0 Mocana Corporation August 4, 2011 Copyright Mocana Corporation 2011. May be reproduced only in its original entirety [without revision]. Mocana Corporation Mocana Cryptographic Suite B Module Security Policy TABLE OF CONTENTS 1. MODULE OVERVIEW.......................................................................................................................................... 3 2. SECURITY LEVEL ................................................................................................................................................ 4 3. MODES OF OPERATION ..................................................................................................................................... 5 APPROVED MODE OF OPERATION ............................................................................................................................... 5 NON-FIPS APPROVED ALGORITHMS ......................................................................................................................... 5 4. PORTS AND INTERFACES.................................................................................................................................. 6 5. IDENTIFICATION AND AUTHENTICATION POLICY ................................................................................ 6 ASSUMPTION OF ROLES .............................................................................................................................................. 6 6. ACCESS CONTROL POLICY .............................................................................................................................. 7 ROLES AND SERVICES ................................................................................................................................................ 7 OTHER SERVICES ....................................................................................................................................................... 8 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)........................................................................................ 8 DEFINITION OF PUBLIC KEYS: ................................................................................................................................. 10 DEFINITION OF CSPS MODES OF ACCESS ................................................................................................................ 11 7. OPERATIONAL ENVIRONMENT .................................................................................................................... 13 8. SECURITY RULES ............................................................................................................................................. 13 9. PHYSICAL SECURITY ....................................................................................................................................... 14 10. MITIGATION OF OTHER ATTACKS POLICY ........................................................................................... 14 11. CRYPTOGRAPHIC OFFICER GUIDANCE .................................................................................................. 14 KEY DESTRUCTION SERVICE ................................................................................................................................... 14 12. DEFINITIONS AND ACRONYMS ................................................................................................................... 15 Page 2 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 1. Module Overview The Mocana Cryptographic Suite B Module (Software Version 5.4fm) is a software only, multi- chip standalone cryptographic module that runs on a general purpose computer. The primary purpose of this module is to provide FIPS Approved cryptographic routines to consuming applications via an Application Programming Interface. The physical boundary of the module is the case of the general purpose computer. The logical boundary of the cryptographic module is the single shared object (SO). The cryptographic module runs on the following operating environments: - Android 2.3 (single-user mode) Application 1 Application 2 Application 3 Mocana Cryptographic Module Operating System Hardware Figure 1 – Cryptographic Module Interface Diagram Page 3 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Figure 2 – Logical Cryptographic Boundary 2. Security Level The cryptographic module meets the overall requirements applicable to Security Level 1 of FIPS 140-2. Table 1 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Page 4 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 3. Modes of Operation Approved mode of operation The module supports a FIPS Approved mode of operation. By default, the module is running in the FIPS Approved mode of operation after installation. The following FIPS Approved algorithms are supported: - AES (ECB, CBC, CFB, CTR and GCM modes; E/D; 128, 192 and 256) - AES (CCM, CMAC; 128, 192 and 256) - AES XTS (128 and 256) - Triple-DES (3-key and 2-key; TCBC mode; E/D) - HMAC-SHA-1 - HMAC-SHA-224 - HMAC-SHA-256 - HMAC-SHA-384 - HMAC-SHA-512 - SHA-1 - SHA-224 - SHA-256 - SHA-384 - SHA-512 - RSA key generation, signature generation and verification (Gen Key X9.31; PKCS #1 1.5, Sig Gen and Sig Ver: 1024, 1536, 2048, 3072, 4096; PSS Sig Gen and Sig Ver: 1024, 1536, 2048, 3072, 4096) - DSA key generation, signature generation and verification (PQG Gen/Ver, Key Pair Gen, Sig Gen/Ver; 1024) - FIPS 186-2 RNG Non-FIPS Approved Algorithms Within the FIPS Approved mode of operation, the module supports the following allowed algorithms: - Diffie-Hellman (for key agreement; provides 80 or 112 bits of encryption strength) - RSA Key Wrapping (provides between 80 and 150 bits of encryption strength) In addition to the above algorithms, the following algorithms are available in the non-FIPS Approved mode of operation: - DES, Blowfish, ARC2, ARC4, MD2, MD4, MD5, HMAC-MD5, AES EAX, AES XCBC - RSA PKCS #1 v2.1 RSAES-OAEP encryption/decryption Page 5 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 4. Ports and Interfaces The physical ports of the module are provided by the general purpose computer on which the module is installed. The logical interfaces are defined as the API of the cryptographic module. The module’s API supports the following logical interfaces: data input, data output, control input, and status output. 5. Identification and Authentication Policy Assumption of roles The Mocana Cryptographic Suite B Module shall support two distinct roles (User and Cryptographic Officer). The cryptographic module does not provide any identification or authentication methods of its own. The Cryptographic Officer and the User roles are implicitly assumed based on the service requested. Table 2 - Roles and Required Identification and Authentication Role Type of Authentication Authentication Data User N/A N/A Cryptographic Officer N/A N/A Page 6 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 6. Access Control Policy Roles and Services Table 3 – Services Authorized for Roles Role Authorized Services User  Self-tests  Show Status Cryptographic-Officer  DH Key Generation  DH Key Exchange  RSA Key Generation  RSA Signature Generation  RSA Signature Verification  RSA Key Wrapping Encryption  RSA Key Wrapping Decryption  DSA Key Generation  DSA Signature Generation  DSA Signature Verification  AES Encryption  AES Decryption  AES Message Authentication Code  TDES Encryption  TDES Decryption  SHA-1  SHA-224/256  SHA-384/512  HMAC-SHA1 Message Authentication Code  HMAC-SHA224/256 Message Authentication Code  HMAC-SHA384/512 Message Authentication Code  FIPS 186-2 Random Number Generation  Key Destruction Page 7 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Other Services The cryptographic module supports the following service that does not require an operator to assume an authorized role:  Self-tests: This service executes the suite of self-tests required by FIPS 140-2. It is invoked by reloading the library into executable memory. Definition of Critical Security Parameters (CSPs) The following are CSPs that may be contained in the module: Table 4: CSP Information Key Description/Usage Generation Storage Entry / Destruction Output DH Private Used to derive the Internally using Temporarily in N/A An application Components secret session key the FIPS 186-2 volatile RAM program which uses during DH key RNG the API may destroy agreement protocol the key. The Key Destruction service zeroizes this CSP. DRNG Seed Key Used to seed the RNG Externally Temporarily in Entry: Automatically after for key generation volatile RAM Plaintext use Output: N/A DRNG Seed Used to seed the RNG Externally Temporarily in Entry: Automatically after for key generation volatile RAM Plaintext use Output: N/A RSA Private Key Used to create RSA May be Temporarily in Entry: An application digital signatures generated volatile RAM Plaintext if program which uses internally using generated the API may destroy the FIPS 186-2 externally the key. The Key RNG or Destruction service Output: generated zeroizes this CSP. Plaintext externally. RSA Key Used for RSA Key May be Temporarily in Entry: An application Wrapping Private Wrapping decryption generated volatile RAM Plaintext if program which uses Key operation internally using generated the API may destroy the FIPS 186-2 externally the key. The Key RNG or Destruction service Output: generated zeroizes this CSP. Plaintext externally. DSA Private Key Used to create DSA May be Temporarily in Entry: An application digital signatures generated volatile RAM Plaintext if program which uses internally using generated the API may destroy the FIPS 186-2 externally the key. The Key RNG or Destruction service Output: generated zeroizes this CSP. Plaintext externally Page 8 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Key Description/Usage Generation Storage Entry / Destruction Output TDES Key Used during TDES Externally. Temporarily in Entry: An application encryption and volatile RAM Plaintext program which uses decryption the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. AES Keys Used during AES Externally. Temporarily in Entry: An application encryption, volatile RAM Plaintext program which uses decryption, and the API may destroy Output: CMAC operations the key. The Key N/A Destruction service zeroizes this CSP. HMAC Keys Used during HMAC- Externally. Temporarily in Entry: An application SHA-1, 224, 256, 384, volatile RAM Plaintext program which uses 512 operations the API may destroy Output: the key. The Key N/A Destruction service zeroizes this CSP. Page 9 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Definition of Public Keys: The following are the public keys contained in the module: Table 5: Public Key Information Key Description/Usage Generation Storage Entry/Output DH Public Used to derive the secret Internally using Temporarily in Entry: Receive Client Component session key during DH key the FIPS 186-2 volatile RAM Public Component agreement protocol RNG during DH exchange. Output: Transmit Host Public Component during DH exchange RSA Public Used to verify RSA May be Temporarily in Input: Plaintext if Keys signatures generated volatile RAM generated externally internally using Output: Plaintext the FIPS 186-2 RNG or generated externally. RSA Key Used for RSA Key May be Temporarily in Input: Plaintext if Wrapping Public Wrapping encryption generated volatile RAM generated externally Keys operation internally using Output: Plaintext the FIPS 186-2 RNG or generated externally. DSA Public Used to verify DSA May be Temporarily in Input: Plaintext if Keys signatures generated volatile RAM generated externally internally using Output: Plaintext the FIPS 186-2 RNG or generated externally Page 10 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Definition of CSPs Modes of Access Table 6 defines the relationship between access to CSPs and the different module services. Table 6 – CSP Access Rights within Roles & Services Role Service Cryptographic Keys and CSPs Access Operation C.O. User X DH Key Use DH Parameters Generation Generate DH Key pair X DH Key Exchange Use DH Private Component Generate DH shared secret X RSA Key Generate RSA Public/Private Key pair Generation X RSA Signature Use RSA Private Key Generation Generate RSA Signature X RSA Signature Use RSA Public Key Verification Verify RSA Signature X RSA Key Use RSA Public Key Wrapping Performs Key Wrapping Encryption Encryption X RSA Key Use RSA Private Key Wrapping Performs Key Wrapping Decryption Decryption X DSA Key Generate DSA Key Pair for Signature Generation/Verification Generation X DSA Signature Use DSA Private Key Generation Generate DSA Signature X DSA Signature Use DSA Public Key Verification Verify DSA Signature X AES Encryption Use AES Key X AES Decryption Use AES Key X AES Message Use AES Key Authentication Code X TDES Encryption Use TDES Key X TDES Decryption Use TDES Key X SHA-1 Generate SHA-1 Output; no CSP access X SHA-224/256 Generate SHA-224/256 Output; no CSP access X SHA-384/512 Generate SHA-384/512 Output; no CSP access X HMAC-SHA-1 Use HMAC-SHA-1 Key Message Page 11 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy Role Service Cryptographic Keys and CSPs Access Operation C.O. User Authentication Generate HMAC-SHA-1 Output Code X HMAC-SHA- Use HMAC-SHA-224/256 Key 224/256 Message Generate HMAC-SHA-224/256 Output Authentication Code X HMAC-SHA- Use HMAC-SHA-384/512 Key 384/512 Message Generate HMAC-SHA-384/512 Output Authentication Code X FIPS 186-2 Use Seed and Seed Key to generate random number Random Number Destroy Seed and Seed Key after use Generation X Key Destruction Destroy All CSPs X Show Status N/A X Self-Tests N/A Page 12 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 7. Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are applicable because the Mocana Cryptographic Suite B Module operates in a modifiable operational environment. Operational testing of the module was performed on the following environments: - Android 2.3 (single-user mode) 8. Security Rules The Mocana Cryptographic Suite B Module design corresponds to the following security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module. 1. The cryptographic module shall provide two distinct roles. These are the User role and the Cryptographic Officer role. 2. The cryptographic module does not provide any operator authentication. 3. The cryptographic module shall encrypt/decrypt message traffic using the Triple-DES or AES algorithms. 4. The cryptographic module shall perform the following self-tests: Power-up Self-Tests:  Cryptographic Algorithm Tests: - AES-ECB, CBC, CFB, CCM, CMAC, CTR, GCM, and XTS Known Answer Test - Triple-DES Known Answer Test - HMAC-SHA-1 Known Answer Test - HMAC-SHA-224 Known Answer Test - HMAC-SHA-256 Known Answer Test - HMAC-SHA-384 Known Answer Test - HMAC-SHA-512 Known Answer Test - SHA-1 Known Answer Test - SHA-224 Known Answer Test - SHA-256 Known Answer Test - SHA-384 Known Answer Test - SHA-512 Known Answer Test - RSA Pairwise Consistency Test - RSA Encrypt/Decrypt Known Answer Test - DSA Pairwise Consistency Test - DH Pairwise Consistency Test - FIPS 186-2 RNG Known Answer Test  Software Integrity Test: HMAC-SHA-1 Page 13 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy  Critical Functions Tests: N/A Conditional Tests:  DSA Pairwise Consistency Test  RSA Pairwise Consistency Test  FIPS 186-2 RNG Continuous Test 5. At any time, the operator shall be capable of commanding the module to perform the power- up self-tests by reloading the cryptographic module into memory. 6. The cryptographic module is available to perform services only after successfully completing the power-up self-tests. 7. Data output shall be inhibited during key generation, self-tests, zeroization, and error states. 8. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. The module shall not support concurrent operators. 10. DES, Blowfish, ARC2, ARC4, MD2, MD4, MD5, HMAC-MD5, AES EAX, AES XCBC, and RSA PKCS #1 v2.1 RSAES-OAEP encryption/decryption are not allowed for use in the FIPS Approved mode of operation. 9. Physical Security The FIPS 140-2 Area 5 Physical Security requirements are not applicable because the Mocana Cryptographic Suite B Module is software only. 10. Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements. 11. Cryptographic Officer Guidance The operating system running the Mocana Cryptographic Suite B Module must be configured in a single-user mode of operation. Key Destruction Service There is a context structure associated with every cryptographic algorithm available in this module. Context structures hold sensitive information such as cryptographic keys. These context structures must be destroyed via respective API calls when the application software no longer needs to use a specific algorithm any more. This API call will zeroize all sensitive information including cryptographic keys before freeing the dynamically allocated memory. See the Mocana Cryptographic API Reference for additional information. Page 14 Mocana Corporation Mocana Cryptographic Suite B Module Security Policy 12. Definitions and Acronyms AES Advanced Encryption Standard API Application Program Interface CO Cryptographic Officer CSP Critical Security Parameter DES Data Encryption Standard DH Diffie-Hellman DSA Digital Signature Algorithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard HMAC Keyed-Hash Message Authentication Code RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir and Adleman Algorithm TDES Triple-DES SHA Secure Hash Algorithm SO Shared Object Page 15