Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24th, 2012 © 2011 Vormetric Inc. All rights reserved. www.vormetric.com This document may be freely reproduced and distributed whole and intact including this copyright notice. Table Of Contents 1 INTRODUCTION .......................................................................................................... 3 1.1 Purpose ..................................................................................................................... 3 1.2 References ................................................................................................................ 3 1.3 Document History ...................................................................................................... 3 2 PRODUCT DESCRIPTION .......................................................................................... 4 2.1 Cryptographic Boundary ............................................................................................ 4 3 MODULE PORTS AND INTERFACES ........................................................................ 5 4 ROLES, SERVICES AND AUTHENTICATION ............................................................ 6 4.1 Identification and Authentication................................................................................ 6 4.2 Strengths of Authentication Mechanisms .................................................................. 7 4.3 Roles and Services ................................................................................................... 7 5 PHYSICAL SECURITY ................................................................................................ 8 6 Operational Environment .............................................................................................. 9 7 CRYPTOGRAPHIC KEY MANAGEMENT ................................................................... 9 7.1 Cryptographic Keys and CSPs .................................................................................. 9 7.2 Key Destruction/Zeroization .................................................................................... 11 7.3 Approved or Allowed Security Functions ................................................................. 12 8 SELF-TEST ................................................................................................................ 12 8.1 Power-up Self-Tests ................................................................................................ 12 8.2 Conditional Self-Tests ............................................................................................. 13 9 Crypto-Officer and User Guidance ............................................................................. 13 9.1 Secure Setup and Initialization ................................................................................ 13 9.2 Module Security Policy Rules .................................................................................. 13 10 Design Assurance .................................................................................................... 13 11 Mitigation of Other Attacks ....................................................................................... 13 © 2011 Vormetric Inc. All rights reserved. www.vormetric.com This document may be freely reproduced and distributed whole and intact including this copyright notice. 1 INTRODUCTION 1.1 Purpose This is a non-proprietary FIPS 140-2 Security Policy for the Vormetric Data Security Server firmware version 4.4.1 cryptographic module. It describes how this module meets all the requirements as specified in the FIPS 140-2 Level 2 requirements. This Policy forms a part of the submission package to the validating lab. FIPS 140-2 (Federal Information Processing Standards Publication 140-2) specifies the security requirements for a cryptographic module protecting sensitive information. Based on four security levels for cryptographic modules this standard identifies requirements in eleven sections. 1.2 References This Security Policy describes how this module complies with the eleven sections of the Standard: • For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at csrc.nist.gov/groups/STM/cmvp/index.html • For more information about Vormetric, please visit www.vormetric.com 1.3 Document History Authors Date Version Comment Mike Yoder August 19th, 2010 0.1 First Draft th Mike Yoder September 27 , 2010 0.2 Second Draft th Mike Yoder October 27 , 2011 0.3 Third Draft th Mike Yoder May 24 , 2012 1.0 Final Version Non-Proprietary Security Policy 3 Vormetric Data Security Server v 4.4.1 2 PRODUCT DESCRIPTION The Vormetric Data Security Server is a multi-chip standalone cryptographic module. The Vormetric Data Security Server is the central point of management for the Vormetric Data Security product. It manages keys and policies, and controls Vormetric Encryption Expert Agents. These agents contain the Vormetric Encryption Expert Cryptographic Module, which has been validated separately from this module. The module implements AES, Triple DES, RSA, an X9.31 PRNG, SHA-1, SHA-256, HMAC-SHA-1, and HMAC-SHA-256 algorithms in the approved mode. The module also implements the non-approved SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher mode. The product meets the overall requirements applicable to Level 2 security for FIPS 140-2, with Key Management, Roles, Services and Authentication, and Design Assurance meeting the Level 3 requirements. Security Requirements Section Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles and Services and Authentication 3 Finite State Machine Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 3 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A Cryptographic Module Security Policy 2 Overall Level of Certification 2 Table 1 - Module Compliance 2.1 Cryptographic Boundary The Vormetric Data Security Server is a 2U rack-mount hardware module. The cryptographic boundary is the physical boundary of the hardware module, the removable power supplies and power connectors are excluded from the cryptographic boundary. The physical design of the module is shown in the following two graphics: Non-Proprietary Security Policy 4 Vormetric Data Security Server v 4.4.1 Figure 1 – Hardware Module Cryptographic Boundary (with power supplies removed) 3 MODULE PORTS AND INTERFACES The module is considered to be a multi chip standalone module designed to meet FIPS 140-2 Level 2 requirements. The module has the following interfaces Data Input interface: The network interface cards are defined as the data input interface through which data is input to the module. Data Output Interface: The network interface cards are defined as the data output interface through which data is output from the module. Control input interface: The network interface cards and serial port are interfaces by which the module can be controlled. Non-Proprietary Security Policy 5 Vormetric Data Security Server v 4.4.1 Status output interface: The network interface cards, serial port, the LCD on the front panel, LEDs, and an audible power alarm are status output interfaces. The LEDs are located as follows: two status LEDs for each of the two Ethernet ports on the front panel, and two LEDs in the rear, one for each power supply. Power Interface: Two removable redundant 110 volt external power supplies. The table below describes the relationship between the logical and physical interfaces. FIPS 140-2 Interface Logical Interface Physical Interface Data Input interface Data input parameters of API Ethernet function calls Data Output interface Data output parameters of Ethernet API function calls Control Input interface Control input parameters of Ethernet, Serial Port API function calls that command the module Status Output interface Status output parameters of Ethernet, Serial Port, LED, API function calls that show LCD, audible power alarm the status of the module Power Interface 110v power interface Table 2 – Mapping Physical and Logical Interfaces 4 ROLES, SERVICES AND AUTHENTICATION The Vormetric Data Security Server module supports five distinct roles: System Administrator, Network Administrator, Domain Administrator, Security Administrator, and Network user. Within the Security Administrator role there are four sub-roles: audit, key, policy, and host. The module implements identity based authentication using passwords for the Crypto-Officer accounts. 2048 bit RSA certificates are used for the “Network user” account – these correspond to a Vormetric Encryption Expert Agent instance, which is a separately validated product. 4.1 Identification and Authentication Role Group Type of Authentication Data Authentication System Crypto-Officer Identity Based 8-20 character alpha/numeric password Administrator Network Crypto-Officer Identity Based 8-20 character alpha/numeric password Administrator Domain Crypto-Officer Identity Based 8-20 character alpha/numeric password Administrator Security Crypto-Officer Identity Based 8-20 character alpha/numeric password Administrator Network User User Identity Based 2048 bit RSA Certificate Table 3 - Authentication Types Non-Proprietary Security Policy 6 Vormetric Data Security Server v 4.4.1 4.2 Strengths of Authentication Mechanisms Authentication Strength of Mechanism Mechanism Username and The module enforces at minimum 8-character passwords chosen from 78 human readable password ASCII characters. The maximum password length is 20 characters. The module enforces an account lockout after a certain number of failed login attempts. This is configurable by a System Administrator; the default is that after 3 failed login attempts the account is locked for 30 minutes. The most lenient that it can be configured is to lock the account for 1 minute after 10 failed login attempts. This leads to a theoretical maximum for an attacker to attempt password entry 10 times per minute. 8 Thus the probability of a successful random attempt is 1/78 , which is less than 1 in 1 million. The probability of success with multiple consecutive attempts in a one minute period is 8 10/(78 ), which is less than 1 in 100,000. RSA Certificate The module supports RSA 2048-bit certificates, which have a minimum equivalent 112 computational resistance to attack of 2 . There is no programmatic limit to the number of attempts in a given time frame, but it is limited to hardware and network latency. We can use an unrealistically high rate of one million attempts per second (60 million per minute) for our purposes in this calculation. 112 Thus the probability of a successful random attempt is 2 , which is less than 1 in 1 million. The probability of success with multiple consecutive attempts in a one minute period is 112 60,000,000/2 , which is less than 1/100,000. Table 4 – Strengths of Authentication Mechanisms 4.3 Roles and Services Roles in the Vormetric Data Security Server apply to Administrative Domains. An administrative domain is a logical partition that is used to separate administrators, and the data they access, from other administrators. Administrative tasks are performed in each domain based upon each administrator’s assigned role. • The System Administrator role operates outside of domains. It creates domains and assigns administrators of the Domain Administrator role to the domains. • The Domain Administrator role primarily serves to assign administrators into a domain. • Security Administrators exist inside a domain, and are responsible for managing hosts, policies, keys, and audit settings. • The Network Administrator role is used for network and system configuration only. It is a special, low-level type of administrator that does not interact with the other roles. • The Network User corresponds to an instance of a Vormetric Encryption Expert Agent. The Vormetric Data Security Server supports the services listed in the following table. The table shows the privileges of each role on a per-service basis. The privileges are divided into: • R: The item is read or referenced by the service. • W: The item is written or updated by the service. • E: The item is executed by the service. (The item is used as part of a cryptographic function.) The mapping between Authorized Services and Keys can be found in Table 8. Non-Proprietary Security Policy 7 Vormetric Data Security Server v 4.4.1 Authorized Services Administrator Administrator Administrator Administrator Network User Network Security Domain System Run Power-On Self Test W Show basic status on dashboard R R R Create and delete administrator accounts; reset passwords RWE Backup and restore RWE Firmware upgrade RWE RWE Shutdown, reboot, restart Security Server RW Generate CA certificate RWE Generate server certificate RWE Configure High Availability RWE RWE Zeroize all data and all key material WE Create File System Keys RWE Create Database Backup Keys RWE Create, modify, and delete file system policies RW Create, modify, and delete database backup policies RW Import and export keys RWE Apply guard points using policies (and remove them) RW Submit a CSR and obtain a certificate RWE Obtain host/policy/key info RE Table 5 - Privileges of each role 5 PHYSICAL SECURITY The module is a “multiple-chip standalone cryptographic module”. The module consists of production grade components which include standard passivation techniques. The module is enclosed in an opaque production-grade enclosure with tamper-evident seals placed on both sides of the module to indicate attempts at removing the cryptographic module’s cover. Physical Recommended Inspection / Test Guidance Details Security Frequency of Mechanism Inspection / Test Tamper 3 months The tamper evident seals are only installed by the module Evident manufacturer. A System or Network Administrator is required to Seals inspect the tamper evident seals for visible signs of malice. Upon viewing any signs of tampering, the administrator must assume that the device has been fully compromised. The administrator is required to zeroize the cryptographic module and shall return the device to the factory. Table 6 – Inspection/Testing of Physical Security Mechanisms Non-Proprietary Security Policy 8 Vormetric Data Security Server v 4.4.1 Figure 2 – Location of Tamper-Evident Seals 6 Operational Environment The Vormetric Data Security Server is a limited operational environment. Since the operational environment is not modifiable, this section is not applicable. 7 CRYPTOGRAPHIC KEY MANAGEMENT 7.1 Cryptographic Keys and CSPs The following table summarizes the module’s keys and CSPs (Critical Security Parameters): Key Generation / Input Storage Use Seed Internally gathered - PRNG initialization Seed Key Internally gathered - PRNG initialization Keystore Key Internally gathered Non- Protects the keystore using Triple volatile DES. Certificate Generated internally using a Keystore Signs certificates Authority Key PRNG compliant to ANSI X9.31 2048-bit RSA Server Key Generated internally using a Keystore Identifies the server in a TLS 2048-bit RSA PRNG compliant to ANSI X9.31 session; wraps the Master Key when transported to a failover server. Key establishment methodology provides 112 bits of encryption strength. Master Key Generated internally using a Keystore Protects the Master Key Encrypting Key PRNG compliant to ANSI X9.31 AES 256 TLS Session Keys Generated internally using a None Negotiated as part of the TLS AES 256 PRNG compliant to ANSI X9.31 handshake Master Key Generated internally using a Database Protects symmetric filesystem keys, AES 256 PRNG compliant to ANSI X9.31 RSA keys for database backups, password hashes, backup wrapper keys Administrator At least 8-character Database Authentication of administrators; Passwords alphanumeric stored as a SHA-256 hash encrypted by the Master Key Non-Proprietary Security Policy 9 Vormetric Data Security Server v 4.4.1 Key Generation / Input Storage Use File System Keys Generated internally using a Database Protects data inside a guard point Triple DES, AES PRNG compliant to ANSI X9.31 in a Vormetric Encryption Expert 128, AES 256 Agent. Stored encrypted by the Master Key Database Agent Generated internally using a Database Protects data inside a database Backup Keys PRNG compliant to ANSI X9.31 backup protected by a Vormetric RSA 2048, 4096 Encryption Expert Agent. Stored bits encrypted by the Master Key Server Backup Generated internally using a Non- Protects backup information and Key PRNG compliant to ANSI X9.31 volatile key import/export. Also known as AES 256 the “wrapper key”. Vormetric At vendor facility Non- Ensures that security server Upgrade volatile patches, upgrades, and licenses Verification Key originate only from Vormetric. RSA 2048 Agent Public Key Externally input to the module Database Vormetric Encryption Expert Agents RSA 2048 create a 2048-bit RSA key pair. This is the public part. The private part is known as the “SECFS private key” in the Vormetric Encryption Expert Cryptographic Module. Usage: key wrapping; key establishment methodology provides 112 bits of encryption strength. File System Key Generated internally using a None. Encrypts file system keys when Encrypting Key PRNG compliant to ANSI X9.31 This is a output to a Vormetric Encryption AES 256 one-time- Expert Cryptographic Module. use key Table 7 – Keys and CSPs All of the keys in the above table can be input/output to/from the module except the TLS Session Keys and the Server Backup Key. The following table shows the keys that are used in the Authorized Services from table 5. Note that the TLS Session Key is used implicitly in all Authorized Services because TLS is used to connect to the cryptographic module. Note also that Administrator Passwords are used implicitly in all Authorized Services because the administrators have to enter their passwords in order to perform actions. Authorized Service Cryptographic Modes of Access Key/CSP Show basic status on dashboard N/A N/A Create and delete administrator Administrator Account passwords are created by human accounts; reset passwords Passwords entry, and are at least 8 alphanumeric Master Key characters. A SHA-256 hash of the password plus a salt is created, encrypted with the Master Key, and stored. Backup and restore Server Backup Key Backups are encrypted using the private key, and are restored using the public key. This key is split in an M-of-N fashion using the “Shamir's Secret Sharing” scheme. Non-Proprietary Security Policy 10 Vormetric Data Security Server v 4.4.1 Authorized Service Cryptographic Modes of Access Key/CSP Firmware upgrade Vormetric Upgrade Upgrade packages are signed by Vormetric Verification Key in the factory using this key. The module contains the public key, which is used to verify the authenticity of the upgrade package. Shutdown, reboot, restart Security N/A N/A Server Generate CA certificate Certificate Authority This key is generated and used to sign other Key certificates using RSA. Generate server certificate Server Key The Server Key is generated, and a Certificate Authority certificate using that key is signed by the Key Certificate Authority Key. Configure High Availability Server Key (of the The Master Key is encrypted with the Server failover node), Key of the Failover Node for transport, and Master Key the Master Key is stored encrypted with the Encrypting Key, Master Key Encrypting Key. Master Key Zeroize all data and all key All All data and key material are destroyed. material Create File System Keys File System Keys, Generation of the File System Keys. Master Key The File System Keys are encrypted using the Master Key before being stored. Create Database Backup Keys Database Backup Generation of the Database Backup Key. Keys, The Database Backup Keys are encrypted Master Key using the Master Key before being stored. Create, modify, and delete file N/A N/A system policies Create, modify, and delete N/A N/A database backup policies Import and export keys Server Backup Key Keys (File System Keys and Database Backup Keys) are encrypted using the Server Backup key during export. During import they’re decrypted using this key. Apply guard points using policies N/A N/A (and remove them) Submit a CSR and obtain a Agent Public Key, The Vormetric Encryption Expert Agent certificate Certificate Authority creates a CSR; it is signed by the Certificate Key Authority Key using RSA. Obtain host/policy/key info File System Key A single-use File System Key Encrypting Key Encrypting Key, is generated. It is used to encrypt the File Agent Public Key, System Keys. It is itself encrypted by the File System Keys Agent Public Key for transport. Table 8 - Mapping of Cryptographic Keys and CSPs to Services 7.2 Key Destruction/Zeroization All key material can be zeroized by any administrator with the Network Administrator role. When this action is performed, all key material and CSPs are removed, and the system enters a state that is indistinguishable from the state in which it was shipped to the customer. Non-Proprietary Security Policy 11 Vormetric Data Security Server v 4.4.1 7.3 Approved or Allowed Security Functions The module keys map to the following algorithms certificates: Approved or Allowed Security Functions Certificate Symmetric Encryption/Decryption AES: (CBC Mode; Encrypt/Decrypt; Key Size = 128, 256) 1838 Triple DES (3-key) (CBC Mode, Encrypt/Decrypt) 1192 Secure Hash Standard (SHS) SHA-1, SHA-256 1620 Data Authentication Code HMAC-SHA-1, HMAC-SHA-256 1093 Asymmetric Signature Keys RSA Key Generation (X9.31, 2048 and 4096 bits) 928 RSA Signature creation and verification (PKCS#1.5 Sig Gen and Sig Verify, 928 2048 bits) Random Number Generation ANSI X9.31 965 Non-Approved Security Function SSL v3.0 cipher mode SSL_RSA_WITH_3DES_EDE_CBC_SHA Table 9 - FIPS Algorithms 8 SELF-TEST The module performs power-up self-tests and conditional self-tests. 8.1 Power-up Self-Tests The power-up self tests are performed upon module startup prior to any data or control interface being available. All other processing is inhibited while the tests are in progress. If any test fails, an error status such as “FIPS Integrity Check Failed; Appliance halting” is displayed to the LCD on the front console, and the module will immediately power off. When all tests run to completion, the message “FIPS Integrity Check Completed OK” is displayed to the LCD on the front console, and the module continues normal startup. Cryptographic Algorithm KATs: Known Answer Tests (KATs) are run at power-up for: • AES (CBC mode for Encrypt/Decrypt) • Triple DES (CBC mode for Encrypt/Decrypt) • RSA (Sign/Verify) • SHA-1, SHA-256 • HMAC SHA-1, HMAC-SHA-256 • RNG KAT Firmware Integrity Tests: The module checks the integrity of its components using HMAC-SHA-256 during power on. Non-Proprietary Security Policy 12 Vormetric Data Security Server v 4.4.1 8.2 Conditional Self-Tests The module performs the following conditional self-tests: Firmware Load Test: This test is run when the firmware is upgraded to verify that the firmware came from a trusted source and hasn’t been modified during delivery and installation. It uses RSA signature verification using an RSA 2048-bit key. Continuous RNG Test: A continuous RNG test (that is, ensuring that two successive outputs from the RNG are not equal) is performed each time a pseudo-random number is requested. Pairwise Consistency Test: Pairwise consistency tests are run automatically when the module generates RSA key pairs. The module performs a sign operation with the private key and verifies it with the public key. 9 Crypto-Officer and User Guidance This section shall describe the configuration, maintenance, and administration of the cryptographic module. 9.1 Secure Setup and Initialization The following steps must be taken to securely initialize the module: • A user in the Network Administrator role must configure networking so that the module has a valid IP address and host name • A user in the Network Administrator role must generate a CA certificate • A user in the System Administrator role must log into the UI as the default user “admin”; an immediate password change is required 9.2 Module Security Policy Rules The module is always operating in FIPS mode. There is a non-approved algorithm that is utilized by the SSL v3.0 cipher mode SSL_RSA_WITH_3DES_EDE_CBC_SHA. This occurs when using the Internet Explorer web browser on Microsoft Windows 2000, 2003, and XP. When using Microsoft Windows Vista, 2008, 7, and the Firefox and Chrome web browsers, ensure that TLS is enabled. All data passing through the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher mode will be considered plaintext. 10 Design Assurance Vormetric utilizes Concurrent Versioning System (CVS) for configuration management of product source code. Vormetric also utilizes Confluence, an internal wiki for configuration management of functional specifications and documentation. Both support authentication, access control, and logging. A high-level language is used for all firmware components within the module. 11 Mitigation of Other Attacks The module does not mitigate against any specific attacks. Non-Proprietary Security Policy 13 Vormetric Data Security Server v 4.4.1