Command Encryption Module
MSS-FIPS-11-002C Security Policy, Version 2.0
Firmware Version: 2.0

This document may be copied without the author's permission provided that it is copied in its entirety without any modification.

Table of Contents

1. Scope of Document
2. Cryptographic Module Specification
3. Module Ports and Interfaces
4. Roles, Services, and Authentication
   4.1 Access Control Policy
   4.2 Services
   4.3 Crypto Officer Role
   4.4 User Role
5. Physical Security
6. Key Management and CSPs
   6.1 Key Input
   6.2 Key Storage
   6.3 Key Zeroization
7. Self-Test
8. Security Policy
9. Operational Environment
10. Mitigation of Other Attacks
11. Setup and Initialization Procedures

1. Scope of Document

This document defines the security policy for the Command Encryption Module, also referred to as the cryptographic module. The security policy follows the requirements of Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules.

2. Cryptographic Module Specification

The cryptographic module (Module) is a firmware module as defined by FIPS PUB 140-2, submitted for FIPS 140-2 Level 2 validation. The purpose of the Module is to encrypt the commands transmitted to other systems. The Module does not perform any other cryptographic function.
The Module is a multi-chip standalone module as defined by FIPS PUB 140-2. The cryptographic boundary of the Module is the case of the hardware computing platform.

Table 1: Module Compliance

Security Requirements Section                 Level
Cryptographic Module Specification            2
Cryptographic Module Ports and Interfaces     2
Roles, Services and Authentication            2
Finite State Machine Model                    2
Physical Security                             2
Operational Environment                       N/A
Cryptographic Key Management                  2
EMI/EMC                                       3
Self-Tests                                    2
Design Assurance                              2
Mitigation of Other Attacks                   N/A
Cryptographic Module Security Policy          2
Overall Level of Validation                   2

3. Module Ports and Interfaces

Table 2 maps the FIPS 140-2 logical interfaces to the physical ports of the platform:

Table 2: Mapping of Logical Interfaces to Physical Ports

FIPS 140-2 Interface     | Logical Interface                                             | Physical Interface
Data Input Interface     | Input parameters of module function calls                     | Ethernet/Network Port
Data Output Interface    | Output parameters and return values of module function calls  | Ethernet/Network Port
Control Input Interface  | Module control function calls                                 | Ethernet/Network Port
Status Output Interface  | Return values from module status function calls               | Monitor, Ethernet/Network Port
Power Interface          | Initialization function                                       | Power Interface

4. Roles, Services, and Authentication

4.1 Access Control Policy

The Module supports two roles: User and Crypto-Officer. Table 3 describes the authentication mechanism for each role.

Table 3: Roles and Required Identification and Authentication

Role           | Type of Authentication | Authentication Data                      | Strength of Authentication
User           | Role-based             | 24-bit password                          | 1 in 16,777,216 (2^24) chance of guessing the password in a single attempt
Crypto-Officer | Role-based             | 8 alphabetic/numeric/special characters  | The password is 8 characters drawn from letters, digits and special characters (94 printable characters in all), giving 6,095,689,385,410,816 (= 94^8) patterns, so a single random attempt succeeds with probability 1 in 94^8
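To make the strength figures in Table 3 concrete, the following is an added example in Go; it is not part of this security policy or of the vendor's module. It encodes both roles, enforces the Crypto-Officer password composition and the 10-attempt lockout that Section 8 specifies, and checks each role against the FIPS 140-2 section 4.3.3 bounds, which the policy does not quote: a single random attempt must succeed with probability below 1 in 1,000,000, and all attempts possible within one minute with probability below 1 in 100,000. The policy states no lockout for the User role, so the User's limit of 10 attempts is an assumption made here; the plaintext stored password follows Table 6, and the constant-time comparison is this example's choice. The credentials in main are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"math"
	"unicode"
)

// FIPS 140-2 section 4.3.3 bounds (from the standard, not quoted in this policy): one random
// attempt must succeed with probability below 1/1,000,000, all attempts in one minute below 1/100,000.
const (
	maxSingleAttemptProb = 1.0 / 1_000_000
	maxPerMinuteProb     = 1.0 / 100_000
)

// ErrLockedOut is returned once the lockout has tripped, whatever password is offered.
var ErrLockedOut = errors.New("account locked out after too many failed attempts")

// Role is one operator role from Table 3 plus the lockout that bounds the guesses a minute can hold.
type Role struct {
	Name          string
	PasswordSpace float64 // number of equally likely passwords
	MaxFailures   int     // failed attempts tolerated before lockout
	password      string  // stored in plaintext, as Table 6 states
	failures      int
	locked        bool
}

// NewCryptoOfficer: 8 characters from 94 printable ASCII, 94^8 patterns, locked out after 10 failures (Section 8, item 6).
func NewCryptoOfficer(pw string) (*Role, error) {
	if err := ValidateCOPassword(pw); err != nil {
		return nil, err
	}
	return &Role{Name: "Crypto-Officer", PasswordSpace: math.Pow(94, 8), MaxFailures: 10, password: pw}, nil
}

// NewUser: 24-bit password, 2^24 patterns. The policy states no User lockout; 10 is this example's assumption.
func NewUser(pw string) *Role {
	return &Role{Name: "User", PasswordSpace: math.Pow(2, 24), MaxFailures: 10, password: pw}
}

// ValidateCOPassword enforces Section 8, item 6: at least 8 characters, each one of the 94 printable
// ASCII characters (0x21-0x7E), with a letter, a digit and a special character all present.
func ValidateCOPassword(pw string) error {
	var letter, digit, special bool
	for _, c := range pw {
		switch {
		case c < 0x21 || c > 0x7E:
			return fmt.Errorf("character %q is not one of the 94 printable ASCII characters", c)
		case unicode.IsLetter(c):
			letter = true
		case unicode.IsDigit(c):
			digit = true
		default:
			special = true
		}
	}
	if len(pw) < 8 {
		return errors.New("password must be at least 8 characters")
	}
	if !(letter && digit && special) {
		return errors.New("password must contain a letter, a digit and a special character")
	}
	return nil
}

// SingleAttemptProb: chance one random guess succeeds. PerMinuteProb: the lockout is taken as the
// only rate limit, so a minute holds at most MaxFailures guesses before the account locks.
func (r *Role) SingleAttemptProb() float64 { return 1 / r.PasswordSpace }
func (r *Role) PerMinuteProb() float64    { return float64(r.MaxFailures) / r.PasswordSpace }

// MeetsFIPS140_2 checks both section 4.3.3 bounds.
func (r *Role) MeetsFIPS140_2() bool {
	return r.SingleAttemptProb() < maxSingleAttemptProb && r.PerMinuteProb() < maxPerMinuteProb
}

// MaxAttemptsPerMinute: most guesses a minute may allow and stay strictly below 1/100,000 (167 for 24 bits).
func (r *Role) MaxAttemptsPerMinute() int { return int(math.Ceil(r.PasswordSpace*maxPerMinuteProb)) - 1 }

// Authenticate compares in constant time and applies the lockout: the failure that reaches
// MaxFailures locks the account, which then refuses even the correct password.
func (r *Role) Authenticate(attempt string) error {
	if r.locked {
		return ErrLockedOut
	}
	if subtle.ConstantTimeCompare([]byte(attempt), []byte(r.password)) == 1 {
		r.failures = 0
		return nil
	}
	r.failures++
	if r.failures >= r.MaxFailures {
		r.locked = true
		return ErrLockedOut
	}
	return errors.New("authentication failed")
}

func main() {
	co, _ := NewCryptoOfficer("Tr0ub4d&r!") // constructed credentials
	u := NewUser("\x12\x34\x56")
	for _, r := range []*Role{u, co} {
		fmt.Printf("%s: P(single) %.3g, P(minute) %.3g, meets 4.3.3 %v, max guesses/min %d\n",
			r.Name, r.SingleAttemptProb(), r.PerMinuteProb(), r.MeetsFIPS140_2(), r.MaxAttemptsPerMinute())
	}
}
```

MaxAttemptsPerMinute is the point of the arithmetic: with 2^24 patterns, 168 guesses in one minute already exceed the 1 in 100,000 bound, so the single-attempt figure in Table 3 only satisfies section 4.3.3 together with some limit on the rate of attempts; the Crypto-Officer's 94^8 space leaves the lockout as defence in depth rather than a necessity for the bound.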
4.2 Services

The Module supports the services listed in Table 4. The table groups the authorized services by operator role and identifies the cryptographic keys and CSPs associated with each service, together with the type of access:

R - The item is read or referenced by the service.
W - The item is written or updated by the service.
E - The item is executed by the service (used as part of a cryptographic function).

Table 4: Services Authorized for Roles

Role           | Authorized Service       | Cryptographic Keys and CSPs | Access Type
Crypto-Officer | Setup and Initialization | Password                    | W, E
Crypto-Officer | Run Self-Tests           | None                        | E
Crypto-Officer | Change Own Password      | Password                    | W, E
Crypto-Officer | View Audit Data          | None                        | R
Crypto-Officer | Key Zeroization          | Triple-DES key              | W
Crypto-Officer | Module Zeroization       | Triple-DES key, Password    | W
Crypto-Officer | Show Status              | None                        | R
User           | Symmetric Encryption     | Triple-DES key, Password    | E
User           | Key Change               | Triple-DES key, Password    | W, E
User           | Show Status              | None                        | R

4.3 Crypto Officer Role

Setup and Initialization: The Crypto-Officer is responsible for the secure setup and initialization of the Module. This includes inputting the cryptographic keys from the ROM reader, turning on the key change service, turning on the encryption service, changing the password, and setting the physical security parameters.

Run Self-Tests: The Module is located in a locked rackmount cabinet accessible only to the Crypto-Officer. The Crypto-Officer must unlock the cabinet to power on the device, which runs all self-tests automatically.

Change Own Password: The Crypto-Officer can change their own password.

View Audit Data: The Crypto-Officer can view the encryption start and stop logs and the key change logs.

Key Zeroization: The Crypto-Officer can zeroize all keys by issuing the zeroize service.

Module Zeroization: The Crypto-Officer can zeroize all keys and CSPs by overwriting the hard drive.

Show Status: The Crypto-Officer can view the status of the symmetric encryption service.
4.4 User Role

Symmetric Encryption: The User can perform symmetric encryption of the command data signals input into the Module.

Key Change: The User can issue the key change command to force a key change in the Module.

Show Status: The User can view the status of the key change service.

5. Physical Security

The Module was tested on an HP Compaq 6000 Pro hardware computing platform with the following configuration:

- Intel® Celeron® E3300 2.5 GHz processor
- 2 GB DDR3-1333 MHz SDRAM DIMM
- 160 GB disk drive
- 16x DVD-ROM drive
- Intel® Q43 Express chipset
- Intel® Graphics Media Accelerator 4500
- Intel® 82567LM Gigabit Ethernet controller
- RS-232C D-Sub 9-pin serial port
- RGB Mini D-Sub 15-pin (monitor port)
- DVI (display port)
- 10 USB 2.0 ports (4 front, 6 rear)
- 2 PS/2-compatible 6-pin Mini-DIN ports
- 4 stereo mini ports (2 front, 2 rear)

The Module's removable cover and all external physical ports, except the ports used in FIPS 140-2 mode (the RGB Mini D-Sub 15-pin monitor port and the Ethernet RJ45 port), are protected with 5 tamper evident seals as part of the setup and initialization procedure. The tamper evident seals shall be installed for the Module to operate in a FIPS Approved mode of operation. Figures 1, 2 and 3 indicate the exact locations of the tamper evident seals. Note that one seal (#4) is split and attached at the left and right of the RGB Mini D-Sub 15-pin monitor port, to allow the use of this port in FIPS 140-2 mode.

Figure 1: Front

Figure 2: Back

Figure 3: Right Side

There is no tamper evident seal on the left side. The filler panels that cover the unpopulated slots on the back of the chassis (Figure 2) cannot be removed without opening the top cover, which is protected with a tamper evident seal as shown in Figure 3.
The black plastic filler panel that covers the unpopulated 3.5 inch floppy drive bay on the front of the chassis is protected with a tamper evident seal (seal #2), which also protects the DVD drive, as shown in Figure 1.

To replace a tamper evident seal, all traces of the previously removed seal must first be eliminated. The surface must be cleaned with a solution of alcohol and distilled water in the areas where the tamper evident seals are to be applied. The seals must be applied on clean and dry surfaces only.

It is the responsibility of the Crypto Officer to perform the inspection and testing of the physical security mechanisms as described in Table 5. It is also the responsibility of the Crypto Officer to secure and keep control of any unused seals. Refer to the Crypto Officer Guidance document for information on how to order new tamper evident labels.

Table 5: Inspection/Testing of Physical Security Mechanisms

Physical Security Mechanism     | Recommended Frequency of Inspection/Test              | Inspection/Test Guidance Details
Tamper evident seals            | Once a day during operations; once a month otherwise  | Compare the record with the current condition of the tamper evident seals
Rack with combination dial lock | Once a day during operations; once a month otherwise  | Compare the record with the current condition of the combination lock number

6. Key Management and CSPs

The Module employs Triple-DES encryption. The Triple-DES implementation in the Module has the following characteristics:

- CFB (Cipher Feedback) mode
- 3 independent keys

The algorithm certificate number is 1119.

Table 6: Keys and CSPs

Key or CSP     | CSP Type   | Storage   | Use             | Role
Symmetric keys | Triple-DES | Plaintext | Data encryption | User
Password       | Password   | Plaintext | Authentication  | User, CO

6.1 Key Input

As the Module does not support key generation, keys are input into the Module from the ROM reader via the USB port of the PC, as part of the setup and initialization procedure.
Keys are never input or output while the Module is operational.

6.2 Key Storage

Keys input from the ROM reader are stored on the hard drive. A key is temporarily held in RAM during the encryption state; when power is removed from the Module, the key in RAM is destroyed.

6.3 Key Zeroization

Each key can be zeroized with the key zeroization command. This command is allocated to the Crypto-Officer. All persistently stored keys and CSPs can be zeroized by uninstalling the cryptographic module software and securely overwriting the hard drive. The secure overwrite process is allocated to the Crypto-Officer role and must be performed by, or under the direct supervision of, the Crypto-Officer.

7. Self-Test

The Module performs the following power-up self-tests when it is powered up:

- Software/firmware integrity test: an Error Detection Code (EDC) computed over the Module.
- Cryptographic algorithm test: a known answer test for Triple-DES in CFB mode, encryption only.

The power-up tests can also be run on demand when an authenticated operator requests them.

8. Security Policy

The Module provides the following security policy:

1) The Crypto-Officer is responsible for the secure setup and initialization of the Module.
2) Only one Crypto-Officer is defined for the Module.
3) The Crypto-Officer is the only role with physical access to the Module.
4) When the Module has been configured, the Crypto-Officer must remove the keyboard and mouse and install tamper evident seals over the exposed ports (USB, serial, stereo mini ports and DVD drive).
5) If tamper seals are removed, the keys must be zeroized, the Module must be reinitialized with new keys, and any seals that have been destroyed must be replaced. Before a tamper seal can be replaced, the surface must be cleaned; a new tamper seal is then applied.
6) The password for the Crypto-Officer must be at least 8 characters long and consist of alphabetic, numeric and special characters. The Crypto-Officer account must be locked out after 10 failed login attempts.

9. Operational Environment

The operational environment is non-modifiable. The integrity of the Module is protected by disconnecting the ROM reader, keyboard and mouse after the application has been configured and loaded with keys, and by sealing all of the open physical ports and the covers/doors with tamper evident seals. The hardware platform is also secured in a combination-locked cabinet when operational. The operating system has a firewall installed to prevent remote access to the Module, and the Module is never connected to the Internet.

10. Mitigation of Other Attacks

The Module does not implement security mechanisms to mitigate other attacks.

11. Setup and Initialization Procedures

When the Module has been received from the factory, the following procedures must be performed to configure the Module in the FIPS mode of operation:

1. The Crypto-Officer must authenticate to the Module.
2. The Crypto-Officer must configure the firewall to permit remote access only from the IP address and dedicated TCP ports of the Server, and to deny any other incoming or outgoing connections. The procedure for configuring the firewall rules is given in the Command Encryption Module Installation Guidance document.
3. The Crypto-Officer must connect the ROM reader to the hardware platform via the USB port.
4. The Crypto-Officer must load the Triple-DES encryption keys.
5. The Crypto-Officer must turn on the key change service.
6. The Crypto-Officer must turn on the encryption service.
7. The Crypto-Officer must disconnect the ROM reader, mouse and keyboard and apply tamper seals over the USB, serial, stereo mini and DVD drive ports.
8. The User must send the authenticated Key Change command from the Server to initialize the key into memory.
9. The User must check that the encryption key has been successfully initialized.
10. It is the User's responsibility to verify that the Module returns "Encryption key update success", confirming that the key change completed successfully.
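The power-up self-tests of Section 7, the on-demand Run Self-Tests service of Section 4.3, and the way a failed test blocks the User's Symmetric Encryption service, as an added example in Go; this is not the module's firmware or any vendor code. It uses Go's standard-library Triple-DES with 64-bit CFB; CRC-32 stands in for the EDC, whose algorithm the policy does not name, and the firmware image, operational key and IV are constructed. The known-answer vector is derived from the NIST SP 800-67 Appendix B TDEA example: that example's first plaintext block is used as the CFB IV, so the first CFB ciphertext block is its ECB ciphertext XORed with the chosen plaintext block. Refusing every cryptographic service in the error state is what FIPS 140-2 section 4.9 requires; the policy itself does not spell it out.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed stand-in for the firmware image protected by the integrity test.
var firmwareImage = []byte("Command Encryption Module firmware 2.0 (constructed placeholder image)")

// Known-answer vector for 3-key Triple-DES in 64-bit CFB mode, derived from the NIST
// SP 800-67 Appendix B TDEA example: its first plaintext block 5468652071756663 encrypts
// under this key to A826FD8CE53B855F, so used as the CFB IV it gives C1 = A826FD8CE53B855F XOR P1.
var (
	katKey, _       = hex.DecodeString("0123456789ABCDEF23456789ABCDEF01456789ABCDEF0123")
	katIV, _        = hex.DecodeString("5468652071756663")
	katPlaintext, _ = hex.DecodeString("0123456789ABCDEF")
	katExpected, _  = hex.DecodeString("A905B8EB6C9048B0")
)

// ErrNotOperational is returned by every cryptographic service while in the error state.
var ErrNotOperational = errors.New("module in error state: self-tests have not passed")

// Module holds the image, the EDC recorded when the image was built, and whether the
// finite state machine is in the operational state. CRC-32 stands in for the unspecified EDC.
type Module struct {
	image       []byte
	storedEDC   uint32
	operational bool
}

// NewModule starts in the error state; only a passing RunSelfTests leaves it.
func NewModule(image []byte, storedEDC uint32) *Module {
	return &Module{image: append([]byte(nil), image...), storedEDC: storedEDC}
}

func tdesCFBEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // 24 bytes: three independent DES keys
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt) // full-block (64-bit) CFB
	return ct, nil
}

// integrityTest is the software/firmware integrity test of Section 7.
func (m *Module) integrityTest() error {
	if got := crc32.ChecksumIEEE(m.image); got != m.storedEDC {
		return fmt.Errorf("integrity test failed: EDC %08X, stored %08X", got, m.storedEDC)
	}
	return nil
}

// knownAnswerTest is the cryptographic algorithm test: Triple-DES CFB, encryption only.
func (m *Module) knownAnswerTest() error {
	got, err := tdesCFBEncrypt(katKey, katIV, katPlaintext)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, katExpected) {
		return fmt.Errorf("Triple-DES CFB KAT failed: got %X, expected %X", got, katExpected)
	}
	return nil
}

// RunSelfTests runs at power-up and is also the on-demand "Run Self Tests" service. The
// module drops to the error state first, so any failure leaves every service refused.
func (m *Module) RunSelfTests() error {
	m.operational = false
	if err := m.integrityTest(); err != nil {
		return err
	}
	if err := m.knownAnswerTest(); err != nil {
		return err
	}
	m.operational = true
	return nil
}

// Encrypt is the User role's Symmetric Encryption service.
func (m *Module) Encrypt(key, iv, pt []byte) ([]byte, error) {
	if !m.operational {
		return nil, ErrNotOperational
	}
	return tdesCFBEncrypt(key, iv, pt)
}

func main() {
	m := NewModule(firmwareImage, crc32.ChecksumIEEE(firmwareImage)) // build step records the EDC
	if err := m.RunSelfTests(); err != nil {
		fmt.Println("power-up failed:", err)
		return
	}
	// Constructed operational key and IV; in the module the key comes from the ROM reader.
	ct, _ := m.Encrypt([]byte("24-byte-constructed-key!"), []byte("IV-8byte"), []byte("CMD 42: OPEN VALVE 7"))
	fmt.Printf("self-tests passed; ciphertext %X\n", ct)
}
```

The order matters: the integrity test runs before the KAT so that a modified image is caught before any of its cryptographic code is trusted, and the state is cleared at the start of RunSelfTests so that an on-demand run that fails cannot leave the module in the operational state it held before the run.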