Mocana Cryptographic Loadable Kernel Module
Software Version 5.5f

Security Policy
Document Version 2.4

Mocana Corporation
March 21, 2013

Copyright Mocana Corporation 2013. May be reproduced only in its original entirety [without revision].

TABLE OF CONTENTS

1. MODULE OVERVIEW
2. SECURITY LEVEL
3. MODES OF OPERATION
    APPROVED MODE OF OPERATION
    NON-APPROVED BUT ALLOWED ALGORITHMS
    NON-FIPS APPROVED MODE OF OPERATION
4. PORTS AND INTERFACES
5. IDENTIFICATION AND AUTHENTICATION POLICY
    ASSUMPTION OF ROLES
6. ACCESS CONTROL POLICY
    ROLES AND SERVICES
    OTHER SERVICES
    DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS)
    DEFINITION OF PUBLIC KEYS:
    DEFINITION OF CSPS MODES OF ACCESS
7. OPERATIONAL ENVIRONMENT
8. SECURITY RULES
9. PHYSICAL SECURITY
10. MITIGATION OF OTHER ATTACKS POLICY
11. CRYPTOGRAPHIC OFFICER GUIDANCE
    KEY DESTRUCTION SERVICE
12. DEFINITIONS AND ACRONYMS

1. Module Overview

The Mocana Cryptographic Loadable Kernel Module (Software Version 5.5f) is a software only, multi-chip standalone cryptographic module that runs on a general purpose computer. The primary purpose of this module is to provide FIPS Approved cryptographic routines to consuming applications via an Application Programming Interface. The physical boundary of the module is the case of the general purpose computer. The logical boundary of the cryptographic module is the kernel module, moc_crypto.ko.

The cryptographic module runs on the following operating environments:
- Android 2.2 (single-user mode)
- Android 2.3 (single-user mode)
- Android 4.0 (single-user mode)
- Android 4.1 (single-user mode)
- Ubuntu Linux 32 bit (single-user mode)
- Ubuntu Linux 64 bit (single-user mode)

The cryptographic module is also supported on the following operating environments for which operational testing was not performed:
- Linux Kernel version 3.0.31
- Linux Kernel version 2.6.32
- Linux Kernel version 3.0.27
- Linux Kernel version 2.6.32.45
- Linux Kernel version 2.6.35.7
- Android 4.2

Note: the CMVP makes no statement as to the correct operation of the module on the operational environments for which operational testing was not performed.

[Figure 1 – Cryptographic Module Interface Diagram]

[Figure 2 – Logical Cryptographic Boundary. Diagram labels: Information Flow; Cryptographic Boundary; Bulk Encryption/Decryption with AES and TDES; Hash and Message Authentication Code; Random Number Generator; Bulk Encryption/Decryption ARC2, ARC4, DES, Blowfish; Bulk hash and HMAC of MD2, MD4, MD5]

2. Security Level

The cryptographic module meets the overall requirements applicable to Security Level 1 of FIPS 140-2.

Table 1 - Module Security Level Specification

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Module Ports and Interfaces | 1 |
| Roles, Services and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | N/A |

3. Modes of Operation

Approved mode of operation

The module supports multiple Approved modes of operation. Upon module initialization, a consuming application can configure the module to utilize all, or any subset of the following FIPS Approved algorithms:
- AES (ECB, CBC, OFB, CFB, CTR and GCM modes; E/D; 128, 192 and 256) – Certs. #2039 and #2272
- AES (CCM, CMAC; 128, 192 and 256) – Certs. #2039 and #2272
- AES XTS (128 and 256) – Certs. #2039 and #2272
- Triple-DES (3-key and 2-key; TCBC mode; E/D) – Cert. #1316
- HMAC-SHA-1 – Cert. #1238
- HMAC-SHA-224 – Cert. #1238
- HMAC-SHA-256 – Cert. #1238
- HMAC-SHA-384 – Cert. #1238
- HMAC-SHA-512 – Cert. #1238
- SHA-1 – Cert. #1785
- SHA-224 – Cert. #1785
- SHA-256 – Cert. #1785
- SHA-384 – Cert. #1785
- SHA-512 – Cert. #1785
- FIPS 186-2 RNG – Cert. #1065
- AES-CTR based DRBG – Cert. #201
- Dual EC DRBG – Cert. #201

Non-Approved but Allowed Algorithms

Within the FIPS Approved mode of operation, the module supports the following allowed algorithms:
- NDRNG – Used to seed the Approved RNG and DRBG’s

Non-FIPS Approved mode of operation

In addition to the above algorithms, the following algorithms are available in the non-FIPS Approved mode of operation:
- DES, Blowfish, ARC2, ARC4, MD2, MD4, MD5, HMAC-MD5, AES EAX, AES XCBC

During module initialization, the module may be configured to use one of these non-Approved security functions in lieu of an Approved one. In this case, during operation, the module can switch service by service between an Approved mode of operation and a non-Approved mode of operation. The module will transition to the non-Approved mode of operation when one of the above algorithms is utilized. The module can transition back to the Approved mode of operation by utilizing an Approved security function.

4. Ports and Interfaces

The physical ports of the module are provided by the general purpose computer on which the module is installed. The logical interfaces are defined as the API of the cryptographic module. The module’s API supports the following logical interfaces: data input, data output, control input, and status output.

5. Identification and Authentication Policy

Assumption of roles

The Mocana Cryptographic Loadable Kernel Module shall support two distinct roles (User and Cryptographic Officer). The cryptographic module does not provide any identification or authentication methods of its own. The Cryptographic Officer and the User roles are implicitly assumed based on the service requested.

Table 2 - Roles and Required Identification and Authentication

| Role | Type of Authentication | Authentication Data |
|---|---|---|
| User | N/A | N/A |
| Cryptographic Officer | N/A | N/A |

6. Access Control Policy

Roles and Services

Table 3 – Services Authorized for Use in the Approved modes of operation

Role: User. Authorized Services:
- Self-tests
- Show Status
- Read Version

Role: Cryptographic-Officer. Authorized Services:
- AES Encryption
- AES Decryption
- AES Message Authentication Code
- TDES Encryption
- TDES Decryption
- SHA-1
- SHA-224/256
- SHA-384/512
- HMAC-SHA-1 Message Authentication Code
- HMAC-SHA-224/256 Message Authentication Code
- HMAC-SHA-384/512 Message Authentication Code
- FIPS 186-2 Random Number Generation
- AES-CTR-DRBG Random Number Generation
- Dual EC DRBG Random Number Generation
- Key Destruction

Note: The module may be configured to support only a subset of the Approved security functions listed in Section 3 above. In this case, not all of the services listed in Table 3 would be available.

Other Services

Table 4 – Services Authorized for Use in the non-Approved mode of operation

Role: User. Authorized Services:
- Self-tests
- Show Status
- Read Version

Role: Cryptographic-Officer. Authorized Services:
- DES Encryption
- DES Decryption
- AES Message Authentication Code
- Blowfish Encryption
- Blowfish Decryption
- ARC2, ARC4 Encryption
- ARC2, ARC4 Decryption
- MD2 Hash
- MD4 Hash
- MD5 Hash
- HMAC-MD5 Message Authentication Code
- AES EAX Encryption
- AES EAX Decryption
- AES XCBC Encryption
- AES XCBC Decryption

The cryptographic module supports the following service that does not require an operator to assume an authorized role:
- Self-tests: This service executes the suite of self-tests required by FIPS 140-2. It is invoked by reloading the library into executable memory.
Definition of Critical Security Parameters (CSPs)

The following are CSPs that may be contained in the module:

Table 5 - CSP Information

| Key | Description/Usage | Generation | Storage | Entry / Output | Destruction |
|---|---|---|---|---|---|
| TDES Keys | Used during TDES encryption and decryption | Externally. | Temporarily in volatile RAM | Entry: Plaintext. Output: N/A | An application program which uses the API may destroy the key. The Key Destruction service zeroizes this CSP. |
| AES Keys | Used during AES encryption, decryption, and CMAC operations | Externally. | Temporarily in volatile RAM | Entry: Plaintext. Output: N/A | An application program which uses the API may destroy the key. The Key Destruction service zeroizes this CSP. |
| HMAC Keys | Used during HMAC-SHA-1, 224, 256, 384, 512 operations | Externally. | Temporarily in volatile RAM | Entry: Plaintext. Output: N/A | An application program which uses the API may destroy the key. The Key Destruction service zeroizes this CSP. |
| Seed and Seed Keys | Used to seed the RNG and DRBGs for random number generation | Internally via NDRNG or externally | Temporarily in volatile RAM | Entry: Plaintext if generated externally. Output: N/A | Automatically after use |

Note: Key Entry and Output refers to keys crossing the logical boundary of the cryptographic module, and not the physical boundary of the GPC.

Definition of Public Keys:

The module does not contain any public keys.

Definition of CSPs Modes of Access

Table 5 defines the relationship between access to CSPs and the different module services.

Table 6 – CSP Access Rights within Roles & Services

| Role: C.O. | Role: User | Service | Cryptographic Keys and CSPs Access Operation |
|---|---|---|---|
| X | | AES Encryption | Use AES Key |
| X | | AES Decryption | Use AES Key |
| X | | AES Message Authentication Code | Use AES Key |
| X | | TDES Encryption | Use TDES Key |
| X | | TDES Decryption | Use TDES Key |
| X | | SHA-1 | Generate SHA-1 Output; no CSP access |
| X | | SHA-224/256 | Generate SHA-224/256 Output; no CSP access |
| X | | SHA-384/512 | Generate SHA-384/512 Output; no CSP access |
| X | | HMAC-SHA-1 Message Authentication Code | Use HMAC-SHA-1 Key. Generate HMAC-SHA-1 Output |
| X | | HMAC-SHA-224/256 Message Authentication Code | Use HMAC-SHA-224/256 Key. Generate HMAC-SHA-224/256 Output |
| X | | HMAC-SHA-384/512 Message Authentication Code | Use HMAC-SHA-384/512 Key. Generate HMAC-SHA-384/512 Output |
| X | | FIPS 186-2 Random Number Generation | Use Seed and Seed Key to generate random number. Destroy Seed and Seed Key after use |
| X | | AES-CTR-DRBG Random Number Generation | Use Seed and Seed Key to generate random number. Destroy Seed and Seed Key after use |
| X | | Dual EC DRBG Random Number Generation | Use Seed and Seed Key to generate random number. Destroy Seed and Seed Key after use |
| X | | Key Destruction | Destroy All CSPs |
| | X | Show Status | N/A |
| | X | Self-Tests | N/A |

7. Operational Environment

The FIPS 140-2 Area 6 Operational Environment requirements are applicable because the Mocana Cryptographic Loadable Kernel Module operates in a modifiable operational environment.

The module was operationally tested on the following platforms:
- Android 2.2
- Android 2.3
- Android 4.0
- Android 4.1 (single-user mode)
- Ubuntu Linux 32 bit (single-user mode)
- Ubuntu Linux 64 bit (single-user mode)

8. Security Rules

The Mocana Cryptographic Loadable Kernel Module design corresponds to the following security rules.
This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 1 module.

1. The cryptographic module shall provide two distinct roles. These are the User role and the Cryptographic Officer role.
2. The cryptographic module does not provide any operator authentication.
3. The cryptographic module shall encrypt/decrypt message traffic using the Triple-DES or AES algorithms.
4. The cryptographic module shall perform the following self-tests:

   Power-up Self-Tests:
   - Cryptographic Algorithm Tests:
     - AES-ECB, CBC, OFB, CFB, CCM, CMAC, CTR, GCM, and XTS Known Answer Test
     - Triple-DES Known Answer Test
     - HMAC-SHA-1 Known Answer Test
     - HMAC-SHA-224 Known Answer Test
     - HMAC-SHA-256 Known Answer Test
     - HMAC-SHA-384 Known Answer Test
     - HMAC-SHA-512 Known Answer Test
     - SHA-1 Known Answer Test
     - SHA-224 Known Answer Test
     - SHA-256 Known Answer Test
     - SHA-384 Known Answer Test
     - SHA-512 Known Answer Test
     - FIPS 186-2 RNG Known Answer Test
     - AES-CTR DRBG Known Answer Test
     - Dual EC DRBG Known Answer Test
   - Software Integrity Test: HMAC-SHA-1
   - Critical Functions Tests: N/A

   Conditional Tests:
   - FIPS 186-2 RNG Continuous Test
   - AES-CTR DRBG Continuous Test
   - Dual EC DRBG Continuous Test
   - NDRNG Continuous Test

   The module can be configured to utilize all or only a subset of the Approved security functions listed in Section 3 above. Only the self-tests of the algorithms that are to be utilized will be run at power up. When reconfigured, the module will run all self-tests associated with the new configuration.
5. At any time, the operator shall be capable of commanding the module to perform the power-up self-tests by reloading the cryptographic module into memory.
6. The cryptographic module is available to perform services only after successfully completing the power-up self-tests.
7. Data output shall be inhibited during self-tests, zeroization, and error states.
8. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
9. In the event of a self-test failure, the module will enter an error state and a specific error code will be returned indicating which self-test or conditional test has failed. The module will not provide any cryptographic services while in this state.
10. The module shall not support concurrent operators.
11. The module does not support key generation.
12. The module supports multiple approved modes of operation.
13. Upon re-configuration from one Approved mode of operation to another, the cryptographic module shall reinitialize and perform all power-up self-tests associated with the new Approved mode of operation.
14. DES, Blowfish, ARC2, ARC4, MD2, MD4, MD5, HMAC-MD5, AES EAX, and AES XCBC are not allowed for use in the FIPS Approved mode of operation. When these algorithms are used, the module is no longer operating in the FIPS Approved mode of operation. It is the responsibility of the consuming application to zeroize all keys and CSPs prior to and after utilizing these non-Approved algorithms. CSPs shall not be shared between the Approved and non-Approved modes of operation.

9. Physical Security

The FIPS 140-2 Area 5 Physical Security requirements are not applicable because the Mocana Cryptographic Loadable Kernel Module is software only.

10. Mitigation of Other Attacks Policy

The module has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements.

11. Cryptographic Officer Guidance

The operating systems running the Mocana Cryptographic Loadable Kernel Module must be configured in a single-user mode of operation.

Key Destruction Service

There is a context structure associated with every cryptographic algorithm available in this module.
Context structures hold sensitive information such as cryptographic keys. These context structures must be destroyed via respective API calls when the application software no longer needs to use a specific algorithm. This API call will zeroize all sensitive information including cryptographic keys before freeing the dynamically allocated memory. See the Mocana Cryptographic API Reference for additional information.

12. Definitions and Acronyms

AES     Advanced Encryption Standard
API     Application Program Interface
CO      Cryptographic Officer
CSP     Critical Security Parameter
DES     Data Encryption Standard
DRBG    Deterministic Random Bit Generator
DLL     Dynamic Link Library
ECDSA   Elliptic Curve Digital Signature Standard
RNG     Random Number Generator
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
FIPS    Federal Information Processing Standard
HMAC    Keyed-Hash Message Authentication Code
LKM     Loadable Kernel Module
RAM     Random Access Memory
TDES    Triple-DES
SHA     Secure Hash Algorithm
SO      Shared Object
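
The conditional continuous RNG test listed in Security Rule 4, combined with the output inhibition and error-state behaviour of Rules 7 and 9, can be sketched as follows. This is an added example, not code from Mocana or from the module; the names crng, crng_read, gen_counter and gen_stuck, the return codes and the 16-byte block size are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_LEN 16   /* assumed block size, not taken from the policy */

enum mod_state { ST_UNPRIMED, ST_OPERATIONAL, ST_ERROR };
enum mod_rc { RC_OK = 0, RC_ERR_STATE = -1, RC_CRNG_FAIL = -2, RC_SRC_FAIL = -3 };

/* Hypothetical raw generator hook: fills one block, returns 0 on success. */
typedef int (*raw_gen_fn)(uint8_t *out, void *arg);

struct crng {
    enum mod_state state;
    raw_gen_fn gen;
    void *arg;
    uint8_t prev[BLOCK_LEN];   /* previous block, kept only for comparison */
};

void crng_init(struct crng *c, raw_gen_fn gen, void *arg)
{
    memset(c, 0, sizeof(*c));
    c->state = ST_UNPRIMED;
    c->gen = gen;
    c->arg = arg;
}

/* Writes one block to out and returns RC_OK, or zeroes out and returns a code
 * naming the failed check. Any failure latches the error state. */
int crng_read(struct crng *c, uint8_t *out)
{
    uint8_t cur[BLOCK_LEN];
    int rc = RC_OK;

    memset(out, 0, BLOCK_LEN);             /* output inhibited unless all checks pass */
    if (c->state == ST_ERROR)
        return RC_ERR_STATE;               /* no services while in the error state */
    if (c->state == ST_UNPRIMED) {         /* first block is saved, never output */
        if (c->gen(c->prev, c->arg) != 0)
            rc = RC_SRC_FAIL;
        c->state = ST_OPERATIONAL;
    }
    if (rc == RC_OK && c->gen(cur, c->arg) != 0)
        rc = RC_SRC_FAIL;
    else if (rc == RC_OK && memcmp(cur, c->prev, BLOCK_LEN) == 0)
        rc = RC_CRNG_FAIL;                 /* repeated block: generator is stuck */
    if (rc != RC_OK) {
        c->state = ST_ERROR;
        return rc;
    }
    memcpy(c->prev, cur, BLOCK_LEN);
    memcpy(out, cur, BLOCK_LEN);
    return RC_OK;
}

/* Constructed test sources: one changes every block, one is stuck. */
int gen_counter(uint8_t *out, void *arg) { memset(out, (*(uint8_t *)arg)++, BLOCK_LEN); return 0; }
int gen_stuck(uint8_t *out, void *arg) { (void)arg; memset(out, 0xAA, BLOCK_LEN); return 0; }
```

Once the error state is latched, the only way out in this sketch is crng_init, which mirrors the policy's requirement that self-tests be rerun by reloading the module.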
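
The zeroize-before-free behaviour described under Key Destruction Service, as an added user-space example that is not Mocana's API or code. The structure demo_cipher_ctx, its layout and every demo_* function are hypothetical; the point shown is that the wipe must cover derived key material as well as the raw key and must not be removable by the compiler.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context layout; the policy does not show the real structures. */
struct demo_cipher_ctx {
    size_t  key_len;
    uint8_t key[32];           /* raw key as entered (plaintext, per Table 5) */
    uint8_t schedule[240];     /* derived round keys are just as sensitive */
};

/* Stores through a volatile pointer survive optimisation even though the
 * buffer is freed immediately afterwards; a plain memset may be elided. */
static void zeroize(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--)
        *v++ = 0;
}

/* Allocate a context and copy the caller's key in; NULL on bad length or OOM. */
struct demo_cipher_ctx *demo_ctx_create(const uint8_t *key, size_t key_len)
{
    struct demo_cipher_ctx *ctx;
    if (key == NULL || (key_len != 16 && key_len != 24 && key_len != 32))
        return NULL;
    ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return NULL;
    ctx->key_len = key_len;
    memcpy(ctx->key, key, key_len);
    memset(ctx->schedule, 0x5A, sizeof(ctx->schedule)); /* stand-in for key expansion */
    return ctx;
}

/* Returns 1 when every byte of the context is zero. */
int demo_ctx_is_zero(const struct demo_cipher_ctx *ctx)
{
    const uint8_t *p = (const uint8_t *)ctx;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof(*ctx); i++)
        acc |= p[i];
    return acc == 0;
}

/* Wipe the whole structure in place: key, schedule and length. */
void demo_ctx_wipe(struct demo_cipher_ctx *ctx)
{
    zeroize(ctx, sizeof(*ctx));
}

/* Key destruction: wipe, free, then clear the caller's pointer so a stale
 * handle cannot be reused or freed twice. */
void demo_ctx_destroy(struct demo_cipher_ctx **pctx)
{
    if (pctx == NULL || *pctx == NULL)
        return;
    demo_ctx_wipe(*pctx);
    free(*pctx);
    *pctx = NULL;
}
```

In-kernel code on current Linux kernels would normally reach for memzero_explicit() or kfree_sensitive() to get the same guarantee.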